From 3e8233ea5374c9f6ac4bc51167408c47c313a2bc Mon Sep 17 00:00:00 2001
From: Nic Klaassen <nic@goteleport.com>
Date: Fri, 30 May 2025 18:55:19 -0700
Subject: [PATCH 01/25] [v18][vnet] feat: TCP dial to SSH targets

Backport #55087 to branch/v18
---
 .../vnet/v1/client_application_service.pb.go  | 483 ++++++++++++++----
 .../v1/client_application_service_grpc.pb.go  |  80 +++
 lib/teleterm/vnet/service.go                  |  45 +-
 lib/vnet/admin_process_common.go              |   2 +
 lib/vnet/app_handler.go                       |  12 +-
 lib/vnet/app_provider.go                      |  62 +--
 lib/vnet/client_application_service.go        |  86 +++-
 lib/vnet/client_application_service_client.go |  54 ++
 lib/vnet/fqdn_resolver.go                     |   5 +
 lib/vnet/ssh_handler.go                       |  73 +++
 lib/vnet/ssh_provider.go                      | 182 +++++++
 lib/vnet/tcp_handler_resolver.go              |  65 ++-
 lib/vnet/user_process.go                      |   3 +
 lib/vnet/vnet_test.go                         | 133 ++++-
 .../vnet/v1/client_application_service.proto  |  61 ++-
 tool/tsh/common/vnet_client_application.go    |  24 +-
 16 files changed, 1157 insertions(+), 213 deletions(-)
 create mode 100644 lib/vnet/ssh_handler.go
 create mode 100644 lib/vnet/ssh_provider.go

diff --git a/gen/proto/go/teleport/lib/vnet/v1/client_application_service.pb.go b/gen/proto/go/teleport/lib/vnet/v1/client_application_service.pb.go
index 685a31f2b4358..1869b69ce9159 100644
--- a/gen/proto/go/teleport/lib/vnet/v1/client_application_service.pb.go
+++ b/gen/proto/go/teleport/lib/vnet/v1/client_application_service.pb.go
@@ -649,7 +649,15 @@ type MatchedCluster struct {
 	Ipv4CidrRange string `protobuf:"bytes,1,opt,name=ipv4_cidr_range,json=ipv4CidrRange,proto3" json:"ipv4_cidr_range,omitempty"`
 	// WebProxyAddr is the web proxy address of the root cluster that matched the
 	// query.
-	WebProxyAddr  string `protobuf:"bytes,2,opt,name=web_proxy_addr,json=webProxyAddr,proto3" json:"web_proxy_addr,omitempty"`
+	WebProxyAddr string `protobuf:"bytes,2,opt,name=web_proxy_addr,json=webProxyAddr,proto3" json:"web_proxy_addr,omitempty"`
+	// Profile is the profile the matched cluster was found in.
+	Profile string `protobuf:"bytes,3,opt,name=profile,proto3" json:"profile,omitempty"`
+	// RootCluster will always be set to the name of the root cluster that matched
+	// the query.
+	RootCluster string `protobuf:"bytes,4,opt,name=root_cluster,json=rootCluster,proto3" json:"root_cluster,omitempty"`
+	// LeafCluster will be set only when the query matched a leaf cluster of
+	// RootCluster, or else it will be empty.
+	LeafCluster   string `protobuf:"bytes,5,opt,name=leaf_cluster,json=leafCluster,proto3" json:"leaf_cluster,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -698,6 +706,27 @@ func (x *MatchedCluster) GetWebProxyAddr() string {
 	return ""
 }
 
+func (x *MatchedCluster) GetProfile() string {
+	if x != nil {
+		return x.Profile
+	}
+	return ""
+}
+
+func (x *MatchedCluster) GetRootCluster() string {
+	if x != nil {
+		return x.RootCluster
+	}
+	return ""
+}
+
+func (x *MatchedCluster) GetLeafCluster() string {
+	if x != nil {
+		return x.LeafCluster
+	}
+	return ""
+}
+
 // AppInfo holds all necessary info for making connections to VNet TCP apps.
 type AppInfo struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
@@ -860,8 +889,10 @@ type DialOptions struct {
 	Sni string `protobuf:"bytes,3,opt,name=sni,proto3" json:"sni,omitempty"`
 	// InsecureSkipVerify turns off verification for x509 upstream ALPN proxy service certificate.
 	InsecureSkipVerify bool `protobuf:"varint,4,opt,name=insecure_skip_verify,json=insecureSkipVerify,proto3" json:"insecure_skip_verify,omitempty"`
-	// RootClusterCaCertPool overrides the x509 certificate pool used to verify the server.
-	// It is a PEM-encoded X509 certificate pool.
+	// RootClusterCaCertPool is the host CA TLS certificate pool for the root
+	// cluster. It is a PEM-encoded X509 certificate pool. It should be used when
+	// dialing the proxy and AlpnConnUpgradeRequired is true or when dialing the
+	// transport service.
 	RootClusterCaCertPool []byte `protobuf:"bytes,5,opt,name=root_cluster_ca_cert_pool,json=rootClusterCaCertPool,proto3" json:"root_cluster_ca_cert_pool,omitempty"`
 	unknownFields         protoimpl.UnknownFields
 	sizeCache             protoimpl.SizeCache
@@ -1048,13 +1079,8 @@ type SignForAppRequest struct {
 	// TargetPort of a previous successful call to ReissueAppCert for an app
 	// matching AppKey.
 	TargetPort uint32 `protobuf:"varint,2,opt,name=target_port,json=targetPort,proto3" json:"target_port,omitempty"`
-	// Digest is the bytes to sign.
-	Digest []byte `protobuf:"bytes,3,opt,name=digest,proto3" json:"digest,omitempty"`
-	// Hash is the hash function used to compute digest.
-	Hash Hash `protobuf:"varint,4,opt,name=hash,proto3,enum=teleport.lib.vnet.v1.Hash" json:"hash,omitempty"`
-	// PssSaltLength specifies the length of the salt added to the digest before a
-	// signature. Only used and required for RSA PSS signatures.
-	PssSaltLength *int32 `protobuf:"varint,5,opt,name=pss_salt_length,json=pssSaltLength,proto3,oneof" json:"pss_salt_length,omitempty"`
+	// Sign holds signature request details.
+	Sign          *SignRequest `protobuf:"bytes,6,opt,name=sign,proto3" json:"sign,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -1103,21 +1129,72 @@ func (x *SignForAppRequest) GetTargetPort() uint32 {
 	return 0
 }
 
-func (x *SignForAppRequest) GetDigest() []byte {
+func (x *SignForAppRequest) GetSign() *SignRequest {
+	if x != nil {
+		return x.Sign
+	}
+	return nil
+}
+
+// SignRequest holds signature request details.
+type SignRequest struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// Digest is the bytes to sign.
+	Digest []byte `protobuf:"bytes,1,opt,name=digest,proto3" json:"digest,omitempty"`
+	// Hash is the hash function used to compute digest.
+	Hash Hash `protobuf:"varint,2,opt,name=hash,proto3,enum=teleport.lib.vnet.v1.Hash" json:"hash,omitempty"`
+	// PssSaltLength specifies the length of the salt added to the digest before a
+	// signature. Only used and required for RSA PSS signatures.
+	PssSaltLength *int32 `protobuf:"varint,3,opt,name=pss_salt_length,json=pssSaltLength,proto3,oneof" json:"pss_salt_length,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *SignRequest) Reset() {
+	*x = SignRequest{}
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[18]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *SignRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SignRequest) ProtoMessage() {}
+
+func (x *SignRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[18]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SignRequest.ProtoReflect.Descriptor instead.
+func (*SignRequest) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{18}
+}
+
+func (x *SignRequest) GetDigest() []byte {
 	if x != nil {
 		return x.Digest
 	}
 	return nil
 }
 
-func (x *SignForAppRequest) GetHash() Hash {
+func (x *SignRequest) GetHash() Hash {
 	if x != nil {
 		return x.Hash
 	}
 	return Hash_HASH_UNSPECIFIED
 }
 
-func (x *SignForAppRequest) GetPssSaltLength() int32 {
+func (x *SignRequest) GetPssSaltLength() int32 {
 	if x != nil && x.PssSaltLength != nil {
 		return *x.PssSaltLength
 	}
@@ -1135,7 +1212,7 @@ type SignForAppResponse struct {
 
 func (x *SignForAppResponse) Reset() {
 	*x = SignForAppResponse{}
-	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[18]
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[19]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1147,7 +1224,7 @@ func (x *SignForAppResponse) String() string {
 func (*SignForAppResponse) ProtoMessage() {}
 
 func (x *SignForAppResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[18]
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[19]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1160,7 +1237,7 @@ func (x *SignForAppResponse) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use SignForAppResponse.ProtoReflect.Descriptor instead.
 func (*SignForAppResponse) Descriptor() ([]byte, []int) {
-	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{18}
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{19}
 }
 
 func (x *SignForAppResponse) GetSignature() []byte {
@@ -1181,7 +1258,7 @@ type OnNewConnectionRequest struct {
 
 func (x *OnNewConnectionRequest) Reset() {
 	*x = OnNewConnectionRequest{}
-	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[19]
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[20]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1193,7 +1270,7 @@ func (x *OnNewConnectionRequest) String() string {
 func (*OnNewConnectionRequest) ProtoMessage() {}
 
 func (x *OnNewConnectionRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[19]
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[20]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1206,7 +1283,7 @@ func (x *OnNewConnectionRequest) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use OnNewConnectionRequest.ProtoReflect.Descriptor instead.
 func (*OnNewConnectionRequest) Descriptor() ([]byte, []int) {
-	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{19}
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{20}
 }
 
 func (x *OnNewConnectionRequest) GetAppKey() *AppKey {
@@ -1225,7 +1302,7 @@ type OnNewConnectionResponse struct {
 
 func (x *OnNewConnectionResponse) Reset() {
 	*x = OnNewConnectionResponse{}
-	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[20]
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[21]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1237,7 +1314,7 @@ func (x *OnNewConnectionResponse) String() string {
 func (*OnNewConnectionResponse) ProtoMessage() {}
 
 func (x *OnNewConnectionResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[20]
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[21]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1250,7 +1327,7 @@ func (x *OnNewConnectionResponse) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use OnNewConnectionResponse.ProtoReflect.Descriptor instead.
 func (*OnNewConnectionResponse) Descriptor() ([]byte, []int) {
-	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{20}
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{21}
 }
 
 // OnInvalidLocalPortRequest is a request for OnInvalidLocalPort.
@@ -1269,7 +1346,7 @@ type OnInvalidLocalPortRequest struct {
 
 func (x *OnInvalidLocalPortRequest) Reset() {
 	*x = OnInvalidLocalPortRequest{}
-	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[21]
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[22]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1281,7 +1358,7 @@ func (x *OnInvalidLocalPortRequest) String() string {
 func (*OnInvalidLocalPortRequest) ProtoMessage() {}
 
 func (x *OnInvalidLocalPortRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[21]
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[22]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1294,7 +1371,7 @@ func (x *OnInvalidLocalPortRequest) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use OnInvalidLocalPortRequest.ProtoReflect.Descriptor instead.
 func (*OnInvalidLocalPortRequest) Descriptor() ([]byte, []int) {
-	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{21}
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{22}
 }
 
 func (x *OnInvalidLocalPortRequest) GetAppInfo() *AppInfo {
@@ -1320,7 +1397,7 @@ type OnInvalidLocalPortResponse struct {
 
 func (x *OnInvalidLocalPortResponse) Reset() {
 	*x = OnInvalidLocalPortResponse{}
-	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[22]
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[23]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1332,7 +1409,7 @@ func (x *OnInvalidLocalPortResponse) String() string {
 func (*OnInvalidLocalPortResponse) ProtoMessage() {}
 
 func (x *OnInvalidLocalPortResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[22]
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[23]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1345,7 +1422,7 @@ func (x *OnInvalidLocalPortResponse) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use OnInvalidLocalPortResponse.ProtoReflect.Descriptor instead.
 func (*OnInvalidLocalPortResponse) Descriptor() ([]byte, []int) {
-	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{22}
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{23}
 }
 
 // GetTargetOSConfigurationRequest is a request for the target host OS configuration.
@@ -1357,7 +1434,7 @@ type GetTargetOSConfigurationRequest struct {
 
 func (x *GetTargetOSConfigurationRequest) Reset() {
 	*x = GetTargetOSConfigurationRequest{}
-	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[23]
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[24]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1369,7 +1446,7 @@ func (x *GetTargetOSConfigurationRequest) String() string {
 func (*GetTargetOSConfigurationRequest) ProtoMessage() {}
 
 func (x *GetTargetOSConfigurationRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[23]
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[24]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1382,7 +1459,7 @@ func (x *GetTargetOSConfigurationRequest) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use GetTargetOSConfigurationRequest.ProtoReflect.Descriptor instead.
 func (*GetTargetOSConfigurationRequest) Descriptor() ([]byte, []int) {
-	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{23}
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{24}
 }
 
 // GetTargetOSConfigurationResponse is a response including the target host OS configuration.
@@ -1396,7 +1473,7 @@ type GetTargetOSConfigurationResponse struct {
 
 func (x *GetTargetOSConfigurationResponse) Reset() {
 	*x = GetTargetOSConfigurationResponse{}
-	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[24]
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[25]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1408,7 +1485,7 @@ func (x *GetTargetOSConfigurationResponse) String() string {
 func (*GetTargetOSConfigurationResponse) ProtoMessage() {}
 
 func (x *GetTargetOSConfigurationResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[24]
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[25]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1421,7 +1498,7 @@ func (x *GetTargetOSConfigurationResponse) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use GetTargetOSConfigurationResponse.ProtoReflect.Descriptor instead.
 func (*GetTargetOSConfigurationResponse) Descriptor() ([]byte, []int) {
-	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{24}
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{25}
 }
 
 func (x *GetTargetOSConfigurationResponse) GetTargetOsConfiguration() *TargetOSConfiguration {
@@ -1451,7 +1528,7 @@ type TargetOSConfiguration struct {
 
 func (x *TargetOSConfiguration) Reset() {
 	*x = TargetOSConfiguration{}
-	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[25]
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[26]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1463,7 +1540,7 @@ func (x *TargetOSConfiguration) String() string {
 func (*TargetOSConfiguration) ProtoMessage() {}
 
 func (x *TargetOSConfiguration) ProtoReflect() protoreflect.Message {
-	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[25]
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[26]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1476,7 +1553,7 @@ func (x *TargetOSConfiguration) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use TargetOSConfiguration.ProtoReflect.Descriptor instead.
 func (*TargetOSConfiguration) Descriptor() ([]byte, []int) {
-	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{25}
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{26}
 }
 
 func (x *TargetOSConfiguration) GetDnsZones() []string {
@@ -1493,6 +1570,209 @@ func (x *TargetOSConfiguration) GetIpv4CidrRanges() []string {
 	return nil
 }
 
+// UserTLSCertRequest is a request for UserTLSCert.
+type UserTLSCertRequest struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// Profile is the profile to retrieve the certificate for.
+	Profile       string `protobuf:"bytes,1,opt,name=profile,proto3" json:"profile,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *UserTLSCertRequest) Reset() {
+	*x = UserTLSCertRequest{}
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[27]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *UserTLSCertRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*UserTLSCertRequest) ProtoMessage() {}
+
+func (x *UserTLSCertRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[27]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use UserTLSCertRequest.ProtoReflect.Descriptor instead.
+func (*UserTLSCertRequest) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{27}
+}
+
+func (x *UserTLSCertRequest) GetProfile() string {
+	if x != nil {
+		return x.Profile
+	}
+	return ""
+}
+
+// UserTLSCertResponse is a response for UserTLSCert.
+type UserTLSCertResponse struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// Cert is the user TLS certificate in X.509 ASN.1 DER format.
+	Cert []byte `protobuf:"bytes,1,opt,name=cert,proto3" json:"cert,omitempty"`
+	// DialOptions holds options that should be used when dialing the root cluster
+	// proxy.
+	DialOptions   *DialOptions `protobuf:"bytes,2,opt,name=dial_options,json=dialOptions,proto3" json:"dial_options,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *UserTLSCertResponse) Reset() {
+	*x = UserTLSCertResponse{}
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[28]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *UserTLSCertResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*UserTLSCertResponse) ProtoMessage() {}
+
+func (x *UserTLSCertResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[28]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use UserTLSCertResponse.ProtoReflect.Descriptor instead.
+func (*UserTLSCertResponse) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{28}
+}
+
+func (x *UserTLSCertResponse) GetCert() []byte {
+	if x != nil {
+		return x.Cert
+	}
+	return nil
+}
+
+func (x *UserTLSCertResponse) GetDialOptions() *DialOptions {
+	if x != nil {
+		return x.DialOptions
+	}
+	return nil
+}
+
+// SignForUserTLSRequest is a request for SignForUserTLS.
+type SignForUserTLSRequest struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// Profile is the user profile to sign for.
+	Profile string `protobuf:"bytes,1,opt,name=profile,proto3" json:"profile,omitempty"`
+	// Sign holds signature request details.
+	Sign          *SignRequest `protobuf:"bytes,2,opt,name=sign,proto3" json:"sign,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *SignForUserTLSRequest) Reset() {
+	*x = SignForUserTLSRequest{}
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[29]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *SignForUserTLSRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SignForUserTLSRequest) ProtoMessage() {}
+
+func (x *SignForUserTLSRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[29]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SignForUserTLSRequest.ProtoReflect.Descriptor instead.
+func (*SignForUserTLSRequest) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{29}
+}
+
+func (x *SignForUserTLSRequest) GetProfile() string {
+	if x != nil {
+		return x.Profile
+	}
+	return ""
+}
+
+func (x *SignForUserTLSRequest) GetSign() *SignRequest {
+	if x != nil {
+		return x.Sign
+	}
+	return nil
+}
+
+// SignForUserTLSResponse is a response for SignForUserTLS.
+type SignForUserTLSResponse struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// Signature is the signature.
+	Signature     []byte `protobuf:"bytes,1,opt,name=signature,proto3" json:"signature,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *SignForUserTLSResponse) Reset() {
+	*x = SignForUserTLSResponse{}
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[30]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *SignForUserTLSResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SignForUserTLSResponse) ProtoMessage() {}
+
+func (x *SignForUserTLSResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[30]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SignForUserTLSResponse.ProtoReflect.Descriptor instead.
+func (*SignForUserTLSResponse) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{30}
+}
+
+func (x *SignForUserTLSResponse) GetSignature() []byte {
+	if x != nil {
+		return x.Signature
+	}
+	return nil
+}
+
 var File_teleport_lib_vnet_v1_client_application_service_proto protoreflect.FileDescriptor
 
 const file_teleport_lib_vnet_v1_client_application_service_proto_rawDesc = "" +
@@ -1521,10 +1801,13 @@ const file_teleport_lib_vnet_v1_client_application_service_proto_rawDesc = "" +
 	"\x05match\"I\n" +
 	"\rMatchedTCPApp\x128\n" +
 	"\bapp_info\x18\x01 \x01(\v2\x1d.teleport.lib.vnet.v1.AppInfoR\aappInfo\"\x0f\n" +
-	"\rMatchedWebApp\"^\n" +
+	"\rMatchedWebApp\"\xbe\x01\n" +
 	"\x0eMatchedCluster\x12&\n" +
 	"\x0fipv4_cidr_range\x18\x01 \x01(\tR\ripv4CidrRange\x12$\n" +
-	"\x0eweb_proxy_addr\x18\x02 \x01(\tR\fwebProxyAddr\"\xe8\x01\n" +
+	"\x0eweb_proxy_addr\x18\x02 \x01(\tR\fwebProxyAddr\x12\x18\n" +
+	"\aprofile\x18\x03 \x01(\tR\aprofile\x12!\n" +
+	"\froot_cluster\x18\x04 \x01(\tR\vrootCluster\x12!\n" +
+	"\fleaf_cluster\x18\x05 \x01(\tR\vleafCluster\"\xe8\x01\n" +
 	"\aAppInfo\x125\n" +
 	"\aapp_key\x18\x01 \x01(\v2\x1c.teleport.lib.vnet.v1.AppKeyR\x06appKey\x12\x18\n" +
 	"\acluster\x18\x02 \x01(\tR\acluster\x12\x1e\n" +
@@ -1546,14 +1829,16 @@ const file_teleport_lib_vnet_v1_client_application_service_proto_rawDesc = "" +
 	"\vtarget_port\x18\x02 \x01(\rR\n" +
 	"targetPort\",\n" +
 	"\x16ReissueAppCertResponse\x12\x12\n" +
-	"\x04cert\x18\x01 \x01(\fR\x04cert\"\xf4\x01\n" +
+	"\x04cert\x18\x01 \x01(\fR\x04cert\"\xd3\x01\n" +
 	"\x11SignForAppRequest\x125\n" +
 	"\aapp_key\x18\x01 \x01(\v2\x1c.teleport.lib.vnet.v1.AppKeyR\x06appKey\x12\x1f\n" +
 	"\vtarget_port\x18\x02 \x01(\rR\n" +
-	"targetPort\x12\x16\n" +
-	"\x06digest\x18\x03 \x01(\fR\x06digest\x12.\n" +
-	"\x04hash\x18\x04 \x01(\x0e2\x1a.teleport.lib.vnet.v1.HashR\x04hash\x12+\n" +
-	"\x0fpss_salt_length\x18\x05 \x01(\x05H\x00R\rpssSaltLength\x88\x01\x01B\x12\n" +
+	"targetPort\x125\n" +
+	"\x04sign\x18\x06 \x01(\v2!.teleport.lib.vnet.v1.SignRequestR\x04signJ\x04\b\x03\x10\x04J\x04\b\x04\x10\x05J\x04\b\x05\x10\x06R\x06digestR\x04hashR\x0fpss_salt_length\"\x96\x01\n" +
+	"\vSignRequest\x12\x16\n" +
+	"\x06digest\x18\x01 \x01(\fR\x06digest\x12.\n" +
+	"\x04hash\x18\x02 \x01(\x0e2\x1a.teleport.lib.vnet.v1.HashR\x04hash\x12+\n" +
+	"\x0fpss_salt_length\x18\x03 \x01(\x05H\x00R\rpssSaltLength\x88\x01\x01B\x12\n" +
 	"\x10_pss_salt_length\"2\n" +
 	"\x12SignForAppResponse\x12\x1c\n" +
 	"\tsignature\x18\x01 \x01(\fR\tsignature\"O\n" +
@@ -1570,11 +1855,21 @@ const file_teleport_lib_vnet_v1_client_application_service_proto_rawDesc = "" +
 	"\x17target_os_configuration\x18\x01 \x01(\v2+.teleport.lib.vnet.v1.TargetOSConfigurationR\x15targetOsConfiguration\"^\n" +
 	"\x15TargetOSConfiguration\x12\x1b\n" +
 	"\tdns_zones\x18\x01 \x03(\tR\bdnsZones\x12(\n" +
-	"\x10ipv4_cidr_ranges\x18\x02 \x03(\tR\x0eipv4CidrRanges*<\n" +
+	"\x10ipv4_cidr_ranges\x18\x02 \x03(\tR\x0eipv4CidrRanges\".\n" +
+	"\x12UserTLSCertRequest\x12\x18\n" +
+	"\aprofile\x18\x01 \x01(\tR\aprofile\"o\n" +
+	"\x13UserTLSCertResponse\x12\x12\n" +
+	"\x04cert\x18\x01 \x01(\fR\x04cert\x12D\n" +
+	"\fdial_options\x18\x02 \x01(\v2!.teleport.lib.vnet.v1.DialOptionsR\vdialOptions\"h\n" +
+	"\x15SignForUserTLSRequest\x12\x18\n" +
+	"\aprofile\x18\x01 \x01(\tR\aprofile\x125\n" +
+	"\x04sign\x18\x02 \x01(\v2!.teleport.lib.vnet.v1.SignRequestR\x04sign\"6\n" +
+	"\x16SignForUserTLSResponse\x12\x1c\n" +
+	"\tsignature\x18\x01 \x01(\fR\tsignature*<\n" +
 	"\x04Hash\x12\x14\n" +
 	"\x10HASH_UNSPECIFIED\x10\x00\x12\r\n" +
 	"\tHASH_NONE\x10\x01\x12\x0f\n" +
-	"\vHASH_SHA256\x10\x022\x92\b\n" +
+	"\vHASH_SHA256\x10\x022\xe3\t\n" +
 	"\x18ClientApplicationService\x12z\n" +
 	"\x13AuthenticateProcess\x120.teleport.lib.vnet.v1.AuthenticateProcessRequest\x1a1.teleport.lib.vnet.v1.AuthenticateProcessResponse\x12\x83\x01\n" +
 	"\x16ReportNetworkStackInfo\x123.teleport.lib.vnet.v1.ReportNetworkStackInfoRequest\x1a4.teleport.lib.vnet.v1.ReportNetworkStackInfoResponse\x12M\n" +
@@ -1585,7 +1880,9 @@ const file_teleport_lib_vnet_v1_client_application_service_proto_rawDesc = "" +
 	"SignForApp\x12'.teleport.lib.vnet.v1.SignForAppRequest\x1a(.teleport.lib.vnet.v1.SignForAppResponse\x12n\n" +
 	"\x0fOnNewConnection\x12,.teleport.lib.vnet.v1.OnNewConnectionRequest\x1a-.teleport.lib.vnet.v1.OnNewConnectionResponse\x12w\n" +
 	"\x12OnInvalidLocalPort\x12/.teleport.lib.vnet.v1.OnInvalidLocalPortRequest\x1a0.teleport.lib.vnet.v1.OnInvalidLocalPortResponse\x12\x89\x01\n" +
-	"\x18GetTargetOSConfiguration\x125.teleport.lib.vnet.v1.GetTargetOSConfigurationRequest\x1a6.teleport.lib.vnet.v1.GetTargetOSConfigurationResponseBLZJgithub.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/v1;vnetv1b\x06proto3"
+	"\x18GetTargetOSConfiguration\x125.teleport.lib.vnet.v1.GetTargetOSConfigurationRequest\x1a6.teleport.lib.vnet.v1.GetTargetOSConfigurationResponse\x12b\n" +
+	"\vUserTLSCert\x12(.teleport.lib.vnet.v1.UserTLSCertRequest\x1a).teleport.lib.vnet.v1.UserTLSCertResponse\x12k\n" +
+	"\x0eSignForUserTLS\x12+.teleport.lib.vnet.v1.SignForUserTLSRequest\x1a,.teleport.lib.vnet.v1.SignForUserTLSResponseBLZJgithub.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/v1;vnetv1b\x06proto3"
 
 var (
 	file_teleport_lib_vnet_v1_client_application_service_proto_rawDescOnce sync.Once
@@ -1600,7 +1897,7 @@ func file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP() []
 }
 
 var file_teleport_lib_vnet_v1_client_application_service_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
-var file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes = make([]protoimpl.MessageInfo, 26)
+var file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes = make([]protoimpl.MessageInfo, 31)
 var file_teleport_lib_vnet_v1_client_application_service_proto_goTypes = []any{
 	(Hash)(0),                                // 0: teleport.lib.vnet.v1.Hash
 	(*AuthenticateProcessRequest)(nil),       // 1: teleport.lib.vnet.v1.AuthenticateProcessRequest
@@ -1621,15 +1918,20 @@ var file_teleport_lib_vnet_v1_client_application_service_proto_goTypes = []any{
 	(*ReissueAppCertRequest)(nil),            // 16: teleport.lib.vnet.v1.ReissueAppCertRequest
 	(*ReissueAppCertResponse)(nil),           // 17: teleport.lib.vnet.v1.ReissueAppCertResponse
 	(*SignForAppRequest)(nil),                // 18: teleport.lib.vnet.v1.SignForAppRequest
-	(*SignForAppResponse)(nil),               // 19: teleport.lib.vnet.v1.SignForAppResponse
-	(*OnNewConnectionRequest)(nil),           // 20: teleport.lib.vnet.v1.OnNewConnectionRequest
-	(*OnNewConnectionResponse)(nil),          // 21: teleport.lib.vnet.v1.OnNewConnectionResponse
-	(*OnInvalidLocalPortRequest)(nil),        // 22: teleport.lib.vnet.v1.OnInvalidLocalPortRequest
-	(*OnInvalidLocalPortResponse)(nil),       // 23: teleport.lib.vnet.v1.OnInvalidLocalPortResponse
-	(*GetTargetOSConfigurationRequest)(nil),  // 24: teleport.lib.vnet.v1.GetTargetOSConfigurationRequest
-	(*GetTargetOSConfigurationResponse)(nil), // 25: teleport.lib.vnet.v1.GetTargetOSConfigurationResponse
-	(*TargetOSConfiguration)(nil),            // 26: teleport.lib.vnet.v1.TargetOSConfiguration
-	(*types.AppV3)(nil),                      // 27: types.AppV3
+	(*SignRequest)(nil),                      // 19: teleport.lib.vnet.v1.SignRequest
+	(*SignForAppResponse)(nil),               // 20: teleport.lib.vnet.v1.SignForAppResponse
+	(*OnNewConnectionRequest)(nil),           // 21: teleport.lib.vnet.v1.OnNewConnectionRequest
+	(*OnNewConnectionResponse)(nil),          // 22: teleport.lib.vnet.v1.OnNewConnectionResponse
+	(*OnInvalidLocalPortRequest)(nil),        // 23: teleport.lib.vnet.v1.OnInvalidLocalPortRequest
+	(*OnInvalidLocalPortResponse)(nil),       // 24: teleport.lib.vnet.v1.OnInvalidLocalPortResponse
+	(*GetTargetOSConfigurationRequest)(nil),  // 25: teleport.lib.vnet.v1.GetTargetOSConfigurationRequest
+	(*GetTargetOSConfigurationResponse)(nil), // 26: teleport.lib.vnet.v1.GetTargetOSConfigurationResponse
+	(*TargetOSConfiguration)(nil),            // 27: teleport.lib.vnet.v1.TargetOSConfiguration
+	(*UserTLSCertRequest)(nil),               // 28: teleport.lib.vnet.v1.UserTLSCertRequest
+	(*UserTLSCertResponse)(nil),              // 29: teleport.lib.vnet.v1.UserTLSCertResponse
+	(*SignForUserTLSRequest)(nil),            // 30: teleport.lib.vnet.v1.SignForUserTLSRequest
+	(*SignForUserTLSResponse)(nil),           // 31: teleport.lib.vnet.v1.SignForUserTLSResponse
+	(*types.AppV3)(nil),                      // 32: types.AppV3
 }
 var file_teleport_lib_vnet_v1_client_application_service_proto_depIdxs = []int32{
 	4,  // 0: teleport.lib.vnet.v1.ReportNetworkStackInfoRequest.network_stack_info:type_name -> teleport.lib.vnet.v1.NetworkStackInfo
@@ -1638,37 +1940,44 @@ var file_teleport_lib_vnet_v1_client_application_service_proto_depIdxs = []int32
 	12, // 3: teleport.lib.vnet.v1.ResolveFQDNResponse.matched_cluster:type_name -> teleport.lib.vnet.v1.MatchedCluster
 	13, // 4: teleport.lib.vnet.v1.MatchedTCPApp.app_info:type_name -> teleport.lib.vnet.v1.AppInfo
 	14, // 5: teleport.lib.vnet.v1.AppInfo.app_key:type_name -> teleport.lib.vnet.v1.AppKey
-	27, // 6: teleport.lib.vnet.v1.AppInfo.app:type_name -> types.AppV3
+	32, // 6: teleport.lib.vnet.v1.AppInfo.app:type_name -> types.AppV3
 	15, // 7: teleport.lib.vnet.v1.AppInfo.dial_options:type_name -> teleport.lib.vnet.v1.DialOptions
 	13, // 8: teleport.lib.vnet.v1.ReissueAppCertRequest.app_info:type_name -> teleport.lib.vnet.v1.AppInfo
 	14, // 9: teleport.lib.vnet.v1.SignForAppRequest.app_key:type_name -> teleport.lib.vnet.v1.AppKey
-	0,  // 10: teleport.lib.vnet.v1.SignForAppRequest.hash:type_name -> teleport.lib.vnet.v1.Hash
-	14, // 11: teleport.lib.vnet.v1.OnNewConnectionRequest.app_key:type_name -> teleport.lib.vnet.v1.AppKey
-	13, // 12: teleport.lib.vnet.v1.OnInvalidLocalPortRequest.app_info:type_name -> teleport.lib.vnet.v1.AppInfo
-	26, // 13: teleport.lib.vnet.v1.GetTargetOSConfigurationResponse.target_os_configuration:type_name -> teleport.lib.vnet.v1.TargetOSConfiguration
-	1,  // 14: teleport.lib.vnet.v1.ClientApplicationService.AuthenticateProcess:input_type -> teleport.lib.vnet.v1.AuthenticateProcessRequest
-	3,  // 15: teleport.lib.vnet.v1.ClientApplicationService.ReportNetworkStackInfo:input_type -> teleport.lib.vnet.v1.ReportNetworkStackInfoRequest
-	6,  // 16: teleport.lib.vnet.v1.ClientApplicationService.Ping:input_type -> teleport.lib.vnet.v1.PingRequest
-	8,  // 17: teleport.lib.vnet.v1.ClientApplicationService.ResolveFQDN:input_type -> teleport.lib.vnet.v1.ResolveFQDNRequest
-	16, // 18: teleport.lib.vnet.v1.ClientApplicationService.ReissueAppCert:input_type -> teleport.lib.vnet.v1.ReissueAppCertRequest
-	18, // 19: teleport.lib.vnet.v1.ClientApplicationService.SignForApp:input_type -> teleport.lib.vnet.v1.SignForAppRequest
-	20, // 20: teleport.lib.vnet.v1.ClientApplicationService.OnNewConnection:input_type -> teleport.lib.vnet.v1.OnNewConnectionRequest
-	22, // 21: teleport.lib.vnet.v1.ClientApplicationService.OnInvalidLocalPort:input_type -> teleport.lib.vnet.v1.OnInvalidLocalPortRequest
-	24, // 22: teleport.lib.vnet.v1.ClientApplicationService.GetTargetOSConfiguration:input_type -> teleport.lib.vnet.v1.GetTargetOSConfigurationRequest
-	2,  // 23: teleport.lib.vnet.v1.ClientApplicationService.AuthenticateProcess:output_type -> teleport.lib.vnet.v1.AuthenticateProcessResponse
-	5,  // 24: teleport.lib.vnet.v1.ClientApplicationService.ReportNetworkStackInfo:output_type -> teleport.lib.vnet.v1.ReportNetworkStackInfoResponse
-	7,  // 25: teleport.lib.vnet.v1.ClientApplicationService.Ping:output_type -> teleport.lib.vnet.v1.PingResponse
-	9,  // 26: teleport.lib.vnet.v1.ClientApplicationService.ResolveFQDN:output_type -> teleport.lib.vnet.v1.ResolveFQDNResponse
-	17, // 27: teleport.lib.vnet.v1.ClientApplicationService.ReissueAppCert:output_type -> teleport.lib.vnet.v1.ReissueAppCertResponse
-	19, // 28: teleport.lib.vnet.v1.ClientApplicationService.SignForApp:output_type -> teleport.lib.vnet.v1.SignForAppResponse
-	21, // 29: teleport.lib.vnet.v1.ClientApplicationService.OnNewConnection:output_type -> teleport.lib.vnet.v1.OnNewConnectionResponse
-	23, // 30: teleport.lib.vnet.v1.ClientApplicationService.OnInvalidLocalPort:output_type -> teleport.lib.vnet.v1.OnInvalidLocalPortResponse
-	25, // 31: teleport.lib.vnet.v1.ClientApplicationService.GetTargetOSConfiguration:output_type -> teleport.lib.vnet.v1.GetTargetOSConfigurationResponse
-	23, // [23:32] is the sub-list for method output_type
-	14, // [14:23] is the sub-list for method input_type
-	14, // [14:14] is the sub-list for extension type_name
-	14, // [14:14] is the sub-list for extension extendee
-	0,  // [0:14] is the sub-list for field type_name
+	19, // 10: teleport.lib.vnet.v1.SignForAppRequest.sign:type_name -> teleport.lib.vnet.v1.SignRequest
+	0,  // 11: teleport.lib.vnet.v1.SignRequest.hash:type_name -> teleport.lib.vnet.v1.Hash
+	14, // 12: teleport.lib.vnet.v1.OnNewConnectionRequest.app_key:type_name -> teleport.lib.vnet.v1.AppKey
+	13, // 13: teleport.lib.vnet.v1.OnInvalidLocalPortRequest.app_info:type_name -> teleport.lib.vnet.v1.AppInfo
+	27, // 14: teleport.lib.vnet.v1.GetTargetOSConfigurationResponse.target_os_configuration:type_name -> teleport.lib.vnet.v1.TargetOSConfiguration
+	15, // 15: teleport.lib.vnet.v1.UserTLSCertResponse.dial_options:type_name -> teleport.lib.vnet.v1.DialOptions
+	19, // 16: teleport.lib.vnet.v1.SignForUserTLSRequest.sign:type_name -> teleport.lib.vnet.v1.SignRequest
+	1,  // 17: teleport.lib.vnet.v1.ClientApplicationService.AuthenticateProcess:input_type -> teleport.lib.vnet.v1.AuthenticateProcessRequest
+	3,  // 18: teleport.lib.vnet.v1.ClientApplicationService.ReportNetworkStackInfo:input_type -> teleport.lib.vnet.v1.ReportNetworkStackInfoRequest
+	6,  // 19: teleport.lib.vnet.v1.ClientApplicationService.Ping:input_type -> teleport.lib.vnet.v1.PingRequest
+	8,  // 20: teleport.lib.vnet.v1.ClientApplicationService.ResolveFQDN:input_type -> teleport.lib.vnet.v1.ResolveFQDNRequest
+	16, // 21: teleport.lib.vnet.v1.ClientApplicationService.ReissueAppCert:input_type -> teleport.lib.vnet.v1.ReissueAppCertRequest
+	18, // 22: teleport.lib.vnet.v1.ClientApplicationService.SignForApp:input_type -> teleport.lib.vnet.v1.SignForAppRequest
+	21, // 23: teleport.lib.vnet.v1.ClientApplicationService.OnNewConnection:input_type -> teleport.lib.vnet.v1.OnNewConnectionRequest
+	23, // 24: teleport.lib.vnet.v1.ClientApplicationService.OnInvalidLocalPort:input_type -> teleport.lib.vnet.v1.OnInvalidLocalPortRequest
+	25, // 25: teleport.lib.vnet.v1.ClientApplicationService.GetTargetOSConfiguration:input_type -> teleport.lib.vnet.v1.GetTargetOSConfigurationRequest
+	28, // 26: teleport.lib.vnet.v1.ClientApplicationService.UserTLSCert:input_type -> teleport.lib.vnet.v1.UserTLSCertRequest
+	30, // 27: teleport.lib.vnet.v1.ClientApplicationService.SignForUserTLS:input_type -> teleport.lib.vnet.v1.SignForUserTLSRequest
+	2,  // 28: teleport.lib.vnet.v1.ClientApplicationService.AuthenticateProcess:output_type -> teleport.lib.vnet.v1.AuthenticateProcessResponse
+	5,  // 29: teleport.lib.vnet.v1.ClientApplicationService.ReportNetworkStackInfo:output_type -> teleport.lib.vnet.v1.ReportNetworkStackInfoResponse
+	7,  // 30: teleport.lib.vnet.v1.ClientApplicationService.Ping:output_type -> teleport.lib.vnet.v1.PingResponse
+	9,  // 31: teleport.lib.vnet.v1.ClientApplicationService.ResolveFQDN:output_type -> teleport.lib.vnet.v1.ResolveFQDNResponse
+	17, // 32: teleport.lib.vnet.v1.ClientApplicationService.ReissueAppCert:output_type -> teleport.lib.vnet.v1.ReissueAppCertResponse
+	20, // 33: teleport.lib.vnet.v1.ClientApplicationService.SignForApp:output_type -> teleport.lib.vnet.v1.SignForAppResponse
+	22, // 34: teleport.lib.vnet.v1.ClientApplicationService.OnNewConnection:output_type -> teleport.lib.vnet.v1.OnNewConnectionResponse
+	24, // 35: teleport.lib.vnet.v1.ClientApplicationService.OnInvalidLocalPort:output_type -> teleport.lib.vnet.v1.OnInvalidLocalPortResponse
+	26, // 36: teleport.lib.vnet.v1.ClientApplicationService.GetTargetOSConfiguration:output_type -> teleport.lib.vnet.v1.GetTargetOSConfigurationResponse
+	29, // 37: teleport.lib.vnet.v1.ClientApplicationService.UserTLSCert:output_type -> teleport.lib.vnet.v1.UserTLSCertResponse
+	31, // 38: teleport.lib.vnet.v1.ClientApplicationService.SignForUserTLS:output_type -> teleport.lib.vnet.v1.SignForUserTLSResponse
+	28, // [28:39] is the sub-list for method output_type
+	17, // [17:28] is the sub-list for method input_type
+	17, // [17:17] is the sub-list for extension type_name
+	17, // [17:17] is the sub-list for extension extendee
+	0,  // [0:17] is the sub-list for field type_name
 }
 
 func init() { file_teleport_lib_vnet_v1_client_application_service_proto_init() }
@@ -1681,14 +1990,14 @@ func file_teleport_lib_vnet_v1_client_application_service_proto_init() {
 		(*ResolveFQDNResponse_MatchedWebApp)(nil),
 		(*ResolveFQDNResponse_MatchedCluster)(nil),
 	}
-	file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[17].OneofWrappers = []any{}
+	file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[18].OneofWrappers = []any{}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_lib_vnet_v1_client_application_service_proto_rawDesc), len(file_teleport_lib_vnet_v1_client_application_service_proto_rawDesc)),
 			NumEnums:      1,
-			NumMessages:   26,
+			NumMessages:   31,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
diff --git a/gen/proto/go/teleport/lib/vnet/v1/client_application_service_grpc.pb.go b/gen/proto/go/teleport/lib/vnet/v1/client_application_service_grpc.pb.go
index 57af12d216082..8af306472da9f 100644
--- a/gen/proto/go/teleport/lib/vnet/v1/client_application_service_grpc.pb.go
+++ b/gen/proto/go/teleport/lib/vnet/v1/client_application_service_grpc.pb.go
@@ -44,6 +44,8 @@ const (
 	ClientApplicationService_OnNewConnection_FullMethodName          = "/teleport.lib.vnet.v1.ClientApplicationService/OnNewConnection"
 	ClientApplicationService_OnInvalidLocalPort_FullMethodName       = "/teleport.lib.vnet.v1.ClientApplicationService/OnInvalidLocalPort"
 	ClientApplicationService_GetTargetOSConfiguration_FullMethodName = "/teleport.lib.vnet.v1.ClientApplicationService/GetTargetOSConfiguration"
+	ClientApplicationService_UserTLSCert_FullMethodName              = "/teleport.lib.vnet.v1.ClientApplicationService/UserTLSCert"
+	ClientApplicationService_SignForUserTLS_FullMethodName           = "/teleport.lib.vnet.v1.ClientApplicationService/SignForUserTLS"
 )
 
 // ClientApplicationServiceClient is the client API for ClientApplicationService service.
@@ -81,6 +83,10 @@ type ClientApplicationServiceClient interface {
 	OnInvalidLocalPort(ctx context.Context, in *OnInvalidLocalPortRequest, opts ...grpc.CallOption) (*OnInvalidLocalPortResponse, error)
 	// GetTargetOSConfiguration gets the target OS configuration.
 	GetTargetOSConfiguration(ctx context.Context, in *GetTargetOSConfigurationRequest, opts ...grpc.CallOption) (*GetTargetOSConfigurationResponse, error)
+	// UserTLSCert returns the user TLS certificate for a specific profile.
+	UserTLSCert(ctx context.Context, in *UserTLSCertRequest, opts ...grpc.CallOption) (*UserTLSCertResponse, error)
+	// SignForUserTLS signs a digest with the user TLS private key.
+	SignForUserTLS(ctx context.Context, in *SignForUserTLSRequest, opts ...grpc.CallOption) (*SignForUserTLSResponse, error)
 }
 
 type clientApplicationServiceClient struct {
@@ -181,6 +187,26 @@ func (c *clientApplicationServiceClient) GetTargetOSConfiguration(ctx context.Co
 	return out, nil
 }
 
+func (c *clientApplicationServiceClient) UserTLSCert(ctx context.Context, in *UserTLSCertRequest, opts ...grpc.CallOption) (*UserTLSCertResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(UserTLSCertResponse)
+	err := c.cc.Invoke(ctx, ClientApplicationService_UserTLSCert_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *clientApplicationServiceClient) SignForUserTLS(ctx context.Context, in *SignForUserTLSRequest, opts ...grpc.CallOption) (*SignForUserTLSResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(SignForUserTLSResponse)
+	err := c.cc.Invoke(ctx, ClientApplicationService_SignForUserTLS_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // ClientApplicationServiceServer is the server API for ClientApplicationService service.
 // All implementations must embed UnimplementedClientApplicationServiceServer
 // for forward compatibility.
@@ -216,6 +242,10 @@ type ClientApplicationServiceServer interface {
 	OnInvalidLocalPort(context.Context, *OnInvalidLocalPortRequest) (*OnInvalidLocalPortResponse, error)
 	// GetTargetOSConfiguration gets the target OS configuration.
 	GetTargetOSConfiguration(context.Context, *GetTargetOSConfigurationRequest) (*GetTargetOSConfigurationResponse, error)
+	// UserTLSCert returns the user TLS certificate for a specific profile.
+	UserTLSCert(context.Context, *UserTLSCertRequest) (*UserTLSCertResponse, error)
+	// SignForUserTLS signs a digest with the user TLS private key.
+	SignForUserTLS(context.Context, *SignForUserTLSRequest) (*SignForUserTLSResponse, error)
 	mustEmbedUnimplementedClientApplicationServiceServer()
 }
 
@@ -253,6 +283,12 @@ func (UnimplementedClientApplicationServiceServer) OnInvalidLocalPort(context.Co
 func (UnimplementedClientApplicationServiceServer) GetTargetOSConfiguration(context.Context, *GetTargetOSConfigurationRequest) (*GetTargetOSConfigurationResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GetTargetOSConfiguration not implemented")
 }
+func (UnimplementedClientApplicationServiceServer) UserTLSCert(context.Context, *UserTLSCertRequest) (*UserTLSCertResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method UserTLSCert not implemented")
+}
+func (UnimplementedClientApplicationServiceServer) SignForUserTLS(context.Context, *SignForUserTLSRequest) (*SignForUserTLSResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method SignForUserTLS not implemented")
+}
 func (UnimplementedClientApplicationServiceServer) mustEmbedUnimplementedClientApplicationServiceServer() {
 }
 func (UnimplementedClientApplicationServiceServer) testEmbeddedByValue() {}
@@ -437,6 +473,42 @@ func _ClientApplicationService_GetTargetOSConfiguration_Handler(srv interface{},
 	return interceptor(ctx, in, info, handler)
 }
 
+func _ClientApplicationService_UserTLSCert_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(UserTLSCertRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ClientApplicationServiceServer).UserTLSCert(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: ClientApplicationService_UserTLSCert_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ClientApplicationServiceServer).UserTLSCert(ctx, req.(*UserTLSCertRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _ClientApplicationService_SignForUserTLS_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SignForUserTLSRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ClientApplicationServiceServer).SignForUserTLS(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: ClientApplicationService_SignForUserTLS_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ClientApplicationServiceServer).SignForUserTLS(ctx, req.(*SignForUserTLSRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 // ClientApplicationService_ServiceDesc is the grpc.ServiceDesc for ClientApplicationService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -480,6 +552,14 @@ var ClientApplicationService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "GetTargetOSConfiguration",
 			Handler:    _ClientApplicationService_GetTargetOSConfiguration_Handler,
 		},
+		{
+			MethodName: "UserTLSCert",
+			Handler:    _ClientApplicationService_UserTLSCert_Handler,
+		},
+		{
+			MethodName: "SignForUserTLS",
+			Handler:    _ClientApplicationService_SignForUserTLS_Handler,
+		},
 	},
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "teleport/lib/vnet/v1/client_application_service.proto",
diff --git a/lib/teleterm/vnet/service.go b/lib/teleterm/vnet/service.go
index 0233a2c6da798..cef2749ee8ab4 100644
--- a/lib/teleterm/vnet/service.go
+++ b/lib/teleterm/vnet/service.go
@@ -390,6 +390,43 @@ func (p *clientApplication) ReissueAppCert(ctx context.Context, appInfo *vnetv1.
 	return cert, nil
 }
 
+// UserTLSCert returns the user TLS certificate for the given profile.
+func (p *clientApplication) UserTLSCert(ctx context.Context, profileName string) (tls.Certificate, error) {
+	// We don't have easy access to the user TLS cert from here, the only way
+	// I've found is to reach through the ProxyClient as this does below.
+	clusterClient, err := p.getCachedClient(ctx, profileName, "")
+	if err != nil {
+		return tls.Certificate{}, trace.Wrap(err)
+	}
+	clientConfig, err := clusterClient.ProxyClient.ClientConfig(ctx, "")
+	if err != nil {
+		return tls.Certificate{}, trace.Wrap(err, "getting user client config")
+	}
+	if len(clientConfig.Credentials) < 1 {
+		return tls.Certificate{}, trace.Errorf("user client config has no credentials")
+	}
+	cred := clientConfig.Credentials[0]
+	tlsConfig, err := cred.TLSConfig()
+	if err != nil {
+		return tls.Certificate{}, trace.Wrap(err, "getting user TLS config")
+	}
+	switch {
+	case len(tlsConfig.Certificates) > 0:
+		return tlsConfig.Certificates[0], nil
+	case tlsConfig.GetClientCertificate != nil:
+		// This is the actual path we currently take at the time of writing,
+		// api/client.configureTLS always sets tlsConfig.GetClientCertificate
+		// and unsets tlsConfig.Certificates.
+		tlsCert, err := tlsConfig.GetClientCertificate(nil)
+		if err != nil {
+			return tls.Certificate{}, trace.Wrap(err, "getting client TLS certificate")
+		}
+		return *tlsCert, nil
+	default:
+		return tls.Certificate{}, trace.Errorf("user TLS config has no certificates")
+	}
+}
+
 // GetDialOptions returns ALPN dial options for the profile.
 func (p *clientApplication) GetDialOptions(ctx context.Context, profileName string) (*vnetv1.DialOptions, error) {
 	cluster, tc, err := p.daemonService.ResolveClusterURI(uri.NewClusterURI(profileName))
@@ -402,11 +439,9 @@ func (p *clientApplication) GetDialOptions(ctx context.Context, profileName stri
 		AlpnConnUpgradeRequired: tc.TLSRoutingConnUpgradeRequired,
 		InsecureSkipVerify:      p.insecureSkipVerify,
 	}
-	if dialOpts.AlpnConnUpgradeRequired {
-		dialOpts.RootClusterCaCertPool, err = tc.RootClusterCACertPoolPEM(ctx)
-		if err != nil {
-			return nil, trace.Wrap(err, "loading root cluster CA cert pool")
-		}
+	dialOpts.RootClusterCaCertPool, err = tc.RootClusterCACertPoolPEM(ctx)
+	if err != nil {
+		return nil, trace.Wrap(err, "loading root cluster CA cert pool")
 	}
 	return dialOpts, nil
 }
diff --git a/lib/vnet/admin_process_common.go b/lib/vnet/admin_process_common.go
index bf4574aae01f1..47c1793dbe70f 100644
--- a/lib/vnet/admin_process_common.go
+++ b/lib/vnet/admin_process_common.go
@@ -22,9 +22,11 @@ import (
 )
 
 func newNetworkStackConfig(tun tunDevice, clt *clientApplicationServiceClient) (*networkStackConfig, error) {
+	sshProvider := newSSHProvider(sshProviderConfig{clt: clt})
 	tcpHandlerResolver := newTCPHandlerResolver(&tcpHandlerResolverConfig{
 		clt:         clt,
 		appProvider: newAppProvider(clt),
+		sshProvider: sshProvider,
 		clock:       clockwork.NewRealClock(),
 	})
 	ipv6Prefix, err := newIPv6Prefix()
diff --git a/lib/vnet/app_handler.go b/lib/vnet/app_handler.go
index 09322d52bb264..aa0e2d7fee8b7 100644
--- a/lib/vnet/app_handler.go
+++ b/lib/vnet/app_handler.go
@@ -49,6 +49,10 @@ type tcpAppHandlerConfig struct {
 	appInfo     *vnetv1.AppInfo
 	appProvider *appProvider
 	clock       clockwork.Clock
+	// alwaysTrustRootClusterCA can be set in tests so that TLS dials to the
+	// proxy always trust the root cluster CA rather than the system cert pool,
+	// even when ALPN conn upgrades are not required.
+	alwaysTrustRootClusterCA bool
 }
 
 func newTCPAppHandler(cfg *tcpAppHandlerConfig) *tcpAppHandler {
@@ -102,9 +106,13 @@ func (h *tcpAppHandler) getOrInitializeLocalProxy(ctx context.Context, localPort
 		InsecureSkipVerify:      dialOptions.GetInsecureSkipVerify(),
 		Clock:                   h.cfg.clock,
 	}
-	if certPoolPEM := dialOptions.GetRootClusterCaCertPool(); len(certPoolPEM) > 0 {
+	if dialOptions.GetAlpnConnUpgradeRequired() || h.cfg.alwaysTrustRootClusterCA {
+		certPoolPEM := dialOptions.GetRootClusterCaCertPool()
+		if len(certPoolPEM) == 0 {
+			return nil, trace.BadParameter("ALPN conn upgrade required but no root CA cert pool provided")
+		}
 		caPool := x509.NewCertPool()
-		if !caPool.AppendCertsFromPEM(dialOptions.GetRootClusterCaCertPool()) {
+		if !caPool.AppendCertsFromPEM(certPoolPEM) {
 			return nil, trace.Errorf("failed to parse root cluster CA certs")
 		}
 		localProxyConfig.RootCAs = caPool
diff --git a/lib/vnet/app_provider.go b/lib/vnet/app_provider.go
index e4828d99ff38f..113b0cbafc38d 100644
--- a/lib/vnet/app_provider.go
+++ b/lib/vnet/app_provider.go
@@ -18,11 +18,8 @@ package vnet
 
 import (
 	"context"
-	"crypto"
-	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
-	"io"
 
 	"github.com/gravitational/trace"
 
@@ -59,61 +56,24 @@ func (p *appProvider) ReissueAppCert(ctx context.Context, appInfo *vnetv1.AppInf
 	return tlsCert, nil
 }
 
-func (p *appProvider) newAppCertSigner(cert []byte, appKey *vnetv1.AppKey, targetPort uint16) (*rpcAppCertSigner, error) {
+func (p *appProvider) newAppCertSigner(cert []byte, appKey *vnetv1.AppKey, targetPort uint16) (*rpcSigner, error) {
 	x509Cert, err := x509.ParseCertificate(cert)
 	if err != nil {
 		return nil, trace.Wrap(err, "parsing x509 certificate")
 	}
-	return &rpcAppCertSigner{
-		clt:        p.clt,
-		pub:        x509Cert.PublicKey,
-		appKey:     appKey,
-		targetPort: targetPort,
+	pub := x509Cert.PublicKey
+	return &rpcSigner{
+		pub: pub,
+		sendRequest: func(req *vnetv1.SignRequest) ([]byte, error) {
+			return p.clt.SignForApp(context.TODO(), &vnetv1.SignForAppRequest{
+				AppKey:     appKey,
+				TargetPort: uint32(targetPort),
+				Sign:       req,
+			})
+		},
 	}, nil
 }
 
-// rpcAppCertSigner implements [crypto.Signer] for app TLS signatures that are
-// issued by the client application over gRPC.
-type rpcAppCertSigner struct {
-	clt        *clientApplicationServiceClient
-	pub        crypto.PublicKey
-	appKey     *vnetv1.AppKey
-	targetPort uint16
-}
-
-// Public implements [crypto.Signer.Public] and returns the public key
-// associated with the signer.
-func (s *rpcAppCertSigner) Public() crypto.PublicKey {
-	return s.pub
-}
-
-// Sign implements [crypto.Signer.Sign] and issues a signature over digest for
-// the associated app.
-func (s *rpcAppCertSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
-	req := &vnetv1.SignForAppRequest{
-		AppKey:     s.appKey,
-		TargetPort: uint32(s.targetPort),
-		Digest:     digest,
-	}
-	switch opts.HashFunc() {
-	case 0:
-		req.Hash = vnetv1.Hash_HASH_NONE
-	case crypto.SHA256:
-		req.Hash = vnetv1.Hash_HASH_SHA256
-	default:
-		return nil, trace.BadParameter("unsupported signature hash func %v", opts.HashFunc())
-	}
-	if pssOpts, ok := opts.(*rsa.PSSOptions); ok {
-		saltLen := int32(pssOpts.SaltLength)
-		req.PssSaltLength = &saltLen
-	}
-	signature, err := s.clt.SignForApp(context.TODO(), req)
-	if err != nil {
-		return nil, trace.Wrap(err)
-	}
-	return signature, nil
-}
-
 // OnNewConnection reports a new TCP connection to the target app.
 func (p *appProvider) OnNewConnection(ctx context.Context, appKey *vnetv1.AppKey) error {
 	if err := p.clt.OnNewConnection(ctx, appKey); err != nil {
diff --git a/lib/vnet/client_application_service.go b/lib/vnet/client_application_service.go
index 1f1b17a0e35d8..898089ebc3a6d 100644
--- a/lib/vnet/client_application_service.go
+++ b/lib/vnet/client_application_service.go
@@ -132,29 +132,14 @@ func (s *clientApplicationService) ReissueAppCert(ctx context.Context, req *vnet
 // It uses a cached signer for the requested app, which must have previously
 // been issued a certificate via [clientApplicationService.ReissueAppCert].
 func (s *clientApplicationService) SignForApp(ctx context.Context, req *vnetv1.SignForAppRequest) (*vnetv1.SignForAppResponse, error) {
+	signReq := req.GetSign()
 	log.DebugContext(ctx, "Got SignForApp request",
 		"app", req.GetAppKey(),
-		"hash", req.GetHash(),
-		"is_rsa_pss", req.PssSaltLength != nil,
-		"pss_salt_len", req.GetPssSaltLength(),
-		"digest_len", len(req.GetDigest()),
+		"hash", signReq.GetHash(),
+		"is_rsa_pss", signReq.PssSaltLength != nil,
+		"pss_salt_len", signReq.GetPssSaltLength(),
+		"digest_len", len(signReq.GetDigest()),
 	)
-	var hash crypto.Hash
-	switch req.GetHash() {
-	case vnetv1.Hash_HASH_NONE:
-		hash = crypto.Hash(0)
-	case vnetv1.Hash_HASH_SHA256:
-		hash = crypto.SHA256
-	default:
-		return nil, trace.BadParameter("unsupported hash %v", req.GetHash())
-	}
-	opts := crypto.SignerOpts(hash)
-	if req.PssSaltLength != nil {
-		opts = &rsa.PSSOptions{
-			Hash:       hash,
-			SaltLength: int(*req.PssSaltLength),
-		}
-	}
 
 	appKey := req.GetAppKey()
 	if err := checkAppKey(appKey); err != nil {
@@ -165,7 +150,7 @@ func (s *clientApplicationService) SignForApp(ctx context.Context, req *vnetv1.S
 		return nil, trace.BadParameter("no signer for app %v", appKey)
 	}
 
-	signature, err := signer.Sign(rand.Reader, req.GetDigest(), opts)
+	signature, err := sign(signer, signReq)
 	if err != nil {
 		return nil, trace.Wrap(err, "signing for app %v", appKey)
 	}
@@ -174,6 +159,27 @@ func (s *clientApplicationService) SignForApp(ctx context.Context, req *vnetv1.S
 	}, nil
 }
 
+func sign(signer crypto.Signer, signReq *vnetv1.SignRequest) ([]byte, error) {
+	var hash crypto.Hash
+	switch signReq.GetHash() {
+	case vnetv1.Hash_HASH_NONE:
+		hash = crypto.Hash(0)
+	case vnetv1.Hash_HASH_SHA256:
+		hash = crypto.SHA256
+	default:
+		return nil, trace.BadParameter("unsupported hash %v", signReq.GetHash())
+	}
+	opts := crypto.SignerOpts(hash)
+	if signReq.PssSaltLength != nil {
+		opts = &rsa.PSSOptions{
+			Hash:       hash,
+			SaltLength: int(*signReq.PssSaltLength),
+		}
+	}
+	signature, err := signer.Sign(rand.Reader, signReq.GetDigest(), opts)
+	return signature, trace.Wrap(err)
+}
+
 func (s *clientApplicationService) setSignerForApp(appKey *vnetv1.AppKey, targetPort uint16, signer crypto.Signer) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
@@ -234,6 +240,44 @@ func (s *clientApplicationService) GetTargetOSConfiguration(ctx context.Context,
 	}, nil
 }
 
+// UserTLSCert returns the user TLS certificate for a specific profile.
+func (s *clientApplicationService) UserTLSCert(ctx context.Context, req *vnetv1.UserTLSCertRequest) (*vnetv1.UserTLSCertResponse, error) {
+	tlsCert, err := s.cfg.clientApplication.UserTLSCert(ctx, req.GetProfile())
+	if err != nil {
+		return nil, trace.Wrap(err, "getting user TLS cert")
+	}
+	if len(tlsCert.Certificate) == 0 {
+		return nil, trace.Errorf("user TLS cert has no certificate")
+	}
+	dialOpts, err := s.cfg.clientApplication.GetDialOptions(ctx, req.GetProfile())
+	if err != nil {
+		return nil, trace.Wrap(err, "getting TLS dial options")
+	}
+	return &vnetv1.UserTLSCertResponse{
+		Cert:        tlsCert.Certificate[0],
+		DialOptions: dialOpts,
+	}, nil
+}
+
+// SignForUserTLS signs a digest with the user TLS private key.
+func (s *clientApplicationService) SignForUserTLS(ctx context.Context, req *vnetv1.SignForUserTLSRequest) (*vnetv1.SignForUserTLSResponse, error) {
+	tlsCert, err := s.cfg.clientApplication.UserTLSCert(ctx, req.GetProfile())
+	if err != nil {
+		return nil, trace.Wrap(err, "getting user TLS config")
+	}
+	signer, ok := tlsCert.PrivateKey.(crypto.Signer)
+	if !ok {
+		return nil, trace.Errorf("user TLS private key does not implement crypto.Signer")
+	}
+	signature, err := sign(signer, req.GetSign())
+	if err != nil {
+		return nil, trace.Wrap(err, "signing for user TLS certificate")
+	}
+	return &vnetv1.SignForUserTLSResponse{
+		Signature: signature,
+	}, nil
+}
+
 // checkAppKey checks that at least the app profile and name are set, which are
 // necessary to to disambiguate apps. LeafCluster is expected to be empty if the
 // app is in a root cluster.
diff --git a/lib/vnet/client_application_service_client.go b/lib/vnet/client_application_service_client.go
index 06b8d109b8f9b..394e327a28158 100644
--- a/lib/vnet/client_application_service_client.go
+++ b/lib/vnet/client_application_service_client.go
@@ -18,6 +18,9 @@ package vnet
 
 import (
 	"context"
+	"crypto"
+	"crypto/rsa"
+	"io"
 
 	"github.com/gravitational/trace"
 	"google.golang.org/grpc"
@@ -165,3 +168,54 @@ func (c *clientApplicationServiceClient) GetTargetOSConfiguration(ctx context.Co
 	}
 	return resp.GetTargetOsConfiguration(), nil
 }
+
+// UserTLSCert returns the user TLS certificate for the given profile.
+func (c *clientApplicationServiceClient) UserTLSCert(ctx context.Context, profileName string) (*vnetv1.UserTLSCertResponse, error) {
+	resp, err := c.clt.UserTLSCert(ctx, &vnetv1.UserTLSCertRequest{
+		Profile: profileName,
+	})
+	return resp, trace.Wrap(err, "calling UserTLSCert rpc")
+}
+
+// SignForUserTLS returns a cryptographic signature with the key associated with
+// the user TLS key for the requested profile.
+func (c *clientApplicationServiceClient) SignForUserTLS(ctx context.Context, req *vnetv1.SignForUserTLSRequest) ([]byte, error) {
+	resp, err := c.clt.SignForUserTLS(ctx, req)
+	if err != nil {
+		return nil, trace.Wrap(err, "calling SignForUserTLS rpc")
+	}
+	return resp.GetSignature(), nil
+}
+
+// rpcSigner implements [crypto.Signer] for signatures that are issued by the
+// client application over gRPC.
+type rpcSigner struct {
+	pub         crypto.PublicKey
+	sendRequest func(signReq *vnetv1.SignRequest) ([]byte, error)
+}
+
+// Public implements [crypto.Signer.Public] and returns the public key
+// associated with the signer.
+func (s *rpcSigner) Public() crypto.PublicKey {
+	return s.pub
+}
+
+// Sign implements [crypto.Signer.Sign] and issues a signature over digest.
+func (s *rpcSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
+	req := &vnetv1.SignRequest{
+		Digest: digest,
+	}
+	switch opts.HashFunc() {
+	case 0:
+		req.Hash = vnetv1.Hash_HASH_NONE
+	case crypto.SHA256:
+		req.Hash = vnetv1.Hash_HASH_SHA256
+	default:
+		return nil, trace.BadParameter("unsupported signature hash func %v", opts.HashFunc())
+	}
+	if pssOpts, ok := opts.(*rsa.PSSOptions); ok {
+		saltLen := int32(pssOpts.SaltLength)
+		req.PssSaltLength = &saltLen
+	}
+	return s.sendRequest(req)
+}
diff --git a/lib/vnet/fqdn_resolver.go b/lib/vnet/fqdn_resolver.go
index 553cf97e1ebbf..c204ae7047f1e 100644
--- a/lib/vnet/fqdn_resolver.go
+++ b/lib/vnet/fqdn_resolver.go
@@ -275,6 +275,9 @@ func (r *fqdnResolver) tryResolveSSH(ctx context.Context, profileNames []string,
 					MatchedCluster: &vnetv1.MatchedCluster{
 						WebProxyAddr:  rootDialOpts.GetWebProxyAddr(),
 						Ipv4CidrRange: clusterConfig.IPv4CIDRRange,
+						Profile:       profileName,
+						RootCluster:   rootClusterName,
+						LeafCluster:   leafClusterName,
 					},
 				},
 			}, nil
@@ -292,6 +295,8 @@ func (r *fqdnResolver) tryResolveSSH(ctx context.Context, profileNames []string,
 				MatchedCluster: &vnetv1.MatchedCluster{
 					WebProxyAddr:  rootDialOpts.GetWebProxyAddr(),
 					Ipv4CidrRange: clusterConfig.IPv4CIDRRange,
+					Profile:       profileName,
+					RootCluster:   rootClusterName,
 				},
 			},
 		}, nil
diff --git a/lib/vnet/ssh_handler.go b/lib/vnet/ssh_handler.go
new file mode 100644
index 0000000000000..627665913abaf
--- /dev/null
+++ b/lib/vnet/ssh_handler.go
@@ -0,0 +1,73 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package vnet
+
+import (
+	"context"
+	"net"
+
+	"github.com/gravitational/trace"
+)
+
+// sshHandler handles incoming VNet SSH connections.
+type sshHandler struct {
+	cfg sshHandlerConfig
+}
+
+type sshHandlerConfig struct {
+	sshProvider *sshProvider
+	target      dialTarget
+}
+
+func newSSHHandler(cfg sshHandlerConfig) *sshHandler {
+	return &sshHandler{
+		cfg: cfg,
+	}
+}
+
+// handleTCPConnector handles an incoming TCP connection from VNet and proxies
+// the connection to a target SSH node.
+func (h *sshHandler) handleTCPConnector(ctx context.Context, localPort uint16, connector func() (net.Conn, error)) error {
+	if localPort != 22 {
+		return trace.BadParameter("SSH is only handled on port 22")
+	}
+	targetConn, err := h.cfg.sshProvider.dial(ctx, h.cfg.target)
+	if err != nil {
+		return trace.Wrap(err)
+	}
+	defer targetConn.Close()
+	return trace.Wrap(h.handleTCPConnectorWithTargetConn(ctx, localPort, connector, targetConn))
+}
+
+// handleTCPConnectorWithTargetTCPConn handles an incoming TCP connection from
+// VNet when a TCP connection to the target host has already been established.
+func (h *sshHandler) handleTCPConnectorWithTargetConn(
+	ctx context.Context,
+	localPort uint16,
+	connector func() (net.Conn, error),
+	targetConn net.Conn,
+) error {
+	// For now we accept the incoming TCP conn to indicate that the node exists,
+	// but SSH connection forwarding is not implemented yet so we immediately
+	// close it.
+	localConn, err := connector()
+	if err != nil {
+		return trace.Wrap(err)
+	}
+	localConn.Close()
+	return trace.NotImplemented("VNet SSH connection forwarding is not yet implemented")
+}
diff --git a/lib/vnet/ssh_provider.go b/lib/vnet/ssh_provider.go
new file mode 100644
index 0000000000000..ace2db9bf17a5
--- /dev/null
+++ b/lib/vnet/ssh_provider.go
@@ -0,0 +1,182 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package vnet
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"net"
+	"strings"
+
+	"github.com/gravitational/trace"
+	"golang.org/x/crypto/ssh"
+
+	proxyclient "github.com/gravitational/teleport/api/client/proxy"
+	vnetv1 "github.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/v1"
+)
+
+// sshProvider provides methods necessary for VNet SSH access.
+type sshProvider struct {
+	cfg sshProviderConfig
+}
+
+type sshProviderConfig struct {
+	clt *clientApplicationServiceClient
+	// overrideNodeDialer can be used in tests to dial SSH nodes with the real
+	// TLS configuration but without setting up the proxy transport service.
+	overrideNodeDialer func(
+		ctx context.Context,
+		target dialTarget,
+		tlsConfig *tls.Config,
+		dialOpts *vnetv1.DialOptions,
+	) (net.Conn, error)
+}
+
+func newSSHProvider(cfg sshProviderConfig) *sshProvider {
+	return &sshProvider{
+		cfg: cfg,
+	}
+}
+
+// dial dials the target SSH host.
+func (p *sshProvider) dial(ctx context.Context, target dialTarget) (net.Conn, error) {
+	userTLSCertResp, err := p.cfg.clt.UserTLSCert(ctx, target.profile)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	rawCert := userTLSCertResp.GetCert()
+	dialOpts := userTLSCertResp.GetDialOptions()
+	tlsConfig, err := p.userTLSConfig(ctx, target.profile, rawCert, dialOpts)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	if p.cfg.overrideNodeDialer != nil {
+		return p.cfg.overrideNodeDialer(ctx, target, tlsConfig, dialOpts)
+	}
+	return p.dialViaProxy(ctx, target, tlsConfig, dialOpts)
+}
+
+// dialViaProxy dials the target SSH host via the proxy transport service.
+func (p *sshProvider) dialViaProxy(
+	ctx context.Context,
+	target dialTarget,
+	tlsConfig *tls.Config,
+	dialOpts *vnetv1.DialOptions,
+) (net.Conn, error) {
+	// TODO(nklaassen): consider reusing proxy clients, need to figure out when
+	// it's necessary to make a new client e.g. if the user's TLS credentials
+	// are replaced by a relogin. For now it's simpler to make a new client for
+	// every SSH dial.
+	pclt, err := proxyclient.NewClient(ctx, proxyclient.ClientConfig{
+		ProxyAddress:            dialOpts.GetWebProxyAddr(),
+		TLSConfigFunc:           func(cluster string) (*tls.Config, error) { return tlsConfig, nil },
+		ALPNConnUpgradeRequired: dialOpts.GetAlpnConnUpgradeRequired(),
+		InsecureSkipVerify:      dialOpts.GetInsecureSkipVerify(),
+		// This empty SSH client config should never be used, we dial to the
+		// proxy over TLS only.
+		SSHConfig: &ssh.ClientConfig{},
+	})
+	if err != nil {
+		return nil, trace.Wrap(err, "building proxy client")
+	}
+	// TODO(nklaassen): pass an SSH keyring to support proxy recording mode.
+	conn, _, err := pclt.DialHost(ctx, target.host, target.cluster, nil /*keyRing*/)
+	if err != nil {
+		pclt.Close()
+		return nil, trace.Wrap(err, "dialing target via proxy")
+	}
+	// Make sure to close the proxy client, but not until we're done with the
+	// target connection or else it would close the underlying gRPC stream.
+	conn = newConnWithExtraCloser(conn, pclt.Close)
+	return conn, nil
+}
+
+func (p *sshProvider) userTLSConfig(
+	ctx context.Context,
+	profile string,
+	rawCert []byte,
+	dialOpts *vnetv1.DialOptions,
+) (*tls.Config, error) {
+	parsedCert, err := x509.ParseCertificate(rawCert)
+	if err != nil {
+		return nil, trace.Wrap(err, "parsing user TLS certificate")
+	}
+	signer := &rpcSigner{
+		pub: parsedCert.PublicKey,
+		sendRequest: func(req *vnetv1.SignRequest) ([]byte, error) {
+			return p.cfg.clt.SignForUserTLS(ctx, &vnetv1.SignForUserTLSRequest{
+				Profile: profile,
+				Sign:    req,
+			})
+		},
+	}
+	tlsCert := tls.Certificate{
+		Certificate: [][]byte{rawCert},
+		PrivateKey:  signer,
+	}
+	caPool := x509.NewCertPool()
+	if !caPool.AppendCertsFromPEM(dialOpts.GetRootClusterCaCertPool()) {
+		return nil, trace.Errorf("failed to parse root cluster CA cert pool")
+	}
+	return &tls.Config{
+		Certificates:       []tls.Certificate{tlsCert},
+		RootCAs:            caPool,
+		ServerName:         dialOpts.GetSni(),
+		InsecureSkipVerify: dialOpts.GetInsecureSkipVerify(),
+	}, nil
+}
+
+type dialTarget struct {
+	profile, cluster, host string
+}
+
+func computeDialTarget(matchedCluster *vnetv1.MatchedCluster, fqdn string) dialTarget {
+	targetProfile := matchedCluster.GetProfile()
+	targetCluster := matchedCluster.GetRootCluster()
+	targetHost := strings.TrimSuffix(fqdn, "."+matchedCluster.GetRootCluster()+".")
+	if leafCluster := matchedCluster.GetLeafCluster(); leafCluster != "" {
+		targetCluster = leafCluster
+		targetHost = strings.TrimSuffix(targetHost, "."+leafCluster)
+	}
+	targetHost = targetHost + ":0"
+	return dialTarget{
+		profile: targetProfile,
+		cluster: targetCluster,
+		host:    targetHost,
+	}
+}
+
+// connWithExtraCloser embeds a net.Conn and overrides the Close method to close
+// an extra closer. Useful when the lifetime of a client providing the net.Conn
+// must be tied to the lifetime of the Conn.
+type connWithExtraCloser struct {
+	net.Conn
+	extraCloser func() error
+}
+
+func newConnWithExtraCloser(conn net.Conn, extraCloser func() error) *connWithExtraCloser {
+	return &connWithExtraCloser{
+		Conn:        conn,
+		extraCloser: extraCloser,
+	}
+}
+
+// Close closes the net.Conn and the extra closer.
+func (c *connWithExtraCloser) Close() error {
+	return trace.NewAggregate(c.Conn.Close(), c.extraCloser())
+}
diff --git a/lib/vnet/tcp_handler_resolver.go b/lib/vnet/tcp_handler_resolver.go
index 6274e42eb19f2..47791a6b4e30c 100644
--- a/lib/vnet/tcp_handler_resolver.go
+++ b/lib/vnet/tcp_handler_resolver.go
@@ -37,9 +37,11 @@ type tcpHandlerResolver struct {
 }
 
 type tcpHandlerResolverConfig struct {
-	clt         *clientApplicationServiceClient
-	appProvider *appProvider
-	clock       clockwork.Clock
+	clt                      *clientApplicationServiceClient
+	appProvider              *appProvider
+	sshProvider              *sshProvider
+	clock                    clockwork.Clock
+	alwaysTrustRootClusterCA bool
 }
 
 func newTCPHandlerResolver(cfg *tcpHandlerResolverConfig) *tcpHandlerResolver {
@@ -67,9 +69,10 @@ func (r *tcpHandlerResolver) resolveTCPHandler(ctx context.Context, fqdn string)
 		return &tcpHandlerSpec{
 			ipv4CIDRRange: appInfo.GetIpv4CidrRange(),
 			tcpHandler: newTCPAppHandler(&tcpAppHandlerConfig{
-				appInfo:     appInfo,
-				appProvider: r.cfg.appProvider,
-				clock:       r.cfg.clock,
+				appInfo:                  appInfo,
+				appProvider:              r.cfg.appProvider,
+				clock:                    r.cfg.clock,
+				alwaysTrustRootClusterCA: r.cfg.alwaysTrustRootClusterCA,
 			}),
 		}, nil
 	}
@@ -85,11 +88,9 @@ func (r *tcpHandlerResolver) resolveTCPHandler(ctx context.Context, fqdn string)
 		// TCP connection if this may match an SSH node or an app that may be
 		// added later so we return an undecidedHandler.
 		handler, err := newUndecidedHandler(&undecidedHandlerConfig{
-			clt:          r.cfg.clt,
-			appProvider:  r.cfg.appProvider,
-			clock:        r.cfg.clock,
-			fqdn:         fqdn,
-			webProxyAddr: matchedCluster.GetWebProxyAddr(),
+			tcpHandlerResolverConfig: r.cfg,
+			fqdn:                     fqdn,
+			webProxyAddr:             matchedCluster.GetWebProxyAddr(),
 		})
 		if err != nil {
 			return nil, trace.Wrap(err)
@@ -118,9 +119,7 @@ type undecidedHandler struct {
 }
 
 type undecidedHandlerConfig struct {
-	clt          *clientApplicationServiceClient
-	appProvider  *appProvider
-	clock        clockwork.Clock
+	*tcpHandlerResolverConfig
 	fqdn         string
 	webProxyAddr string
 }
@@ -163,14 +162,16 @@ func (h *undecidedHandler) handleTCPConnector(ctx context.Context, localPort uin
 	if err != nil {
 		return trace.Wrap(err, "resolving target in undecidedHandler")
 	}
+	log := log.With("fqdn", h.cfg.fqdn)
 	if matchedTCPApp := resp.GetMatchedTcpApp(); matchedTCPApp != nil {
 		// If matched a TCP app, build a tcpAppHandler that will be used for this
 		// and all subsequent connections to this address.
-		log.DebugContext(ctx, "Resolved FQDN to a matched TCP app", "fqdn", h.cfg.fqdn)
+		log.DebugContext(ctx, "Resolved FQDN to a matched TCP app")
 		tcpAppHandler := newTCPAppHandler(&tcpAppHandlerConfig{
-			appInfo:     matchedTCPApp.GetAppInfo(),
-			appProvider: h.cfg.appProvider,
-			clock:       h.cfg.clock,
+			appInfo:                  matchedTCPApp.GetAppInfo(),
+			appProvider:              h.cfg.appProvider,
+			clock:                    h.cfg.clock,
+			alwaysTrustRootClusterCA: h.cfg.alwaysTrustRootClusterCA,
 		})
 		h.setDecidedHandler(tcpAppHandler)
 		return tcpAppHandler.handleTCPConnector(ctx, localPort, connector)
@@ -178,13 +179,37 @@ func (h *undecidedHandler) handleTCPConnector(ctx context.Context, localPort uin
 	if matchedWebApp := resp.GetMatchedWebApp(); matchedWebApp != nil && localPort == h.webProxyPort {
 		// If matched a web app, build a webAppHandler that will be used for this
 		// and all subsequent connections to this address.
-		log.DebugContext(ctx, "Resolved FQDN to a matched web app", "fqdn", h.cfg.fqdn)
+		log.DebugContext(ctx, "Resolved FQDN to a matched web app")
 		webAppHandler := newWebAppHandler(h.cfg.webProxyAddr, h.webProxyPort)
 		h.setDecidedHandler(webAppHandler)
 		return webAppHandler.handleTCPConnector(ctx, localPort, connector)
 	}
 	if matchedCluster := resp.GetMatchedCluster(); matchedCluster != nil && localPort == 22 {
-		return trace.NotImplemented("SSH connection forwarding not yet implemented")
+		// Matched a cluster, this FQDN could potentially match an SSH node.
+		log.DebugContext(ctx, "Resolved FQDN to a matched cluster")
+		// Attempt a dial to the target SSH node to see if it exists.
+		target := computeDialTarget(matchedCluster, h.cfg.fqdn)
+		targetConn, err := h.cfg.sshProvider.dial(ctx, target)
+		if err != nil {
+			if trace.IsConnectionProblem(err) {
+				log.DebugContext(ctx, "Failed TCP dial to target, node might be offline")
+				return nil
+			}
+			return trace.Wrap(err, "unexpected error TCP dialing to target node at %s", h.cfg.fqdn)
+		}
+		defer targetConn.Close()
+		log.DebugContext(ctx, "TCP dial to target SSH node succeeded", "fqdn", h.cfg.fqdn)
+		// Now that we know there is a matching SSH node, this handler will
+		// permanently handle SSH connections at this address and avoid app
+		// queries on subsequent connections.
+		sshHandler := newSSHHandler(sshHandlerConfig{
+			sshProvider: h.cfg.sshProvider,
+			target:      target,
+		})
+		h.setDecidedHandler(sshHandler)
+		// Handle the incoming connection with the TCP connection to the target
+		// SSH node that has already been established.
+		return sshHandler.handleTCPConnectorWithTargetConn(ctx, localPort, connector, targetConn)
 	}
 	return trace.Errorf("rejecting connection to %s:%d", h.cfg.fqdn, localPort)
 }
diff --git a/lib/vnet/user_process.go b/lib/vnet/user_process.go
index e490a8c639405..acaa234a7cd1f 100644
--- a/lib/vnet/user_process.go
+++ b/lib/vnet/user_process.go
@@ -45,6 +45,9 @@ type ClientApplication interface {
 	// ReissueAppCert issues a new cert for the target app.
 	ReissueAppCert(ctx context.Context, appInfo *vnetv1.AppInfo, targetPort uint16) (tls.Certificate, error)
 
+	// UserTLSCert returns the user TLS certificate for the given profile.
+	UserTLSCert(ctx context.Context, profileName string) (tls.Certificate, error)
+
 	// GetDialOptions returns ALPN dial options for the profile.
 	GetDialOptions(ctx context.Context, profileName string) (*vnetv1.DialOptions, error)
 
diff --git a/lib/vnet/vnet_test.go b/lib/vnet/vnet_test.go
index 004f017eea66b..d5a64a67a3bea 100644
--- a/lib/vnet/vnet_test.go
+++ b/lib/vnet/vnet_test.go
@@ -52,6 +52,7 @@ import (
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
 
 	"github.com/gravitational/teleport/api/client/proto"
+	"github.com/gravitational/teleport/api/defaults"
 	headerv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1"
 	"github.com/gravitational/teleport/api/gen/proto/go/teleport/vnet/v1"
 	"github.com/gravitational/teleport/api/types"
@@ -144,10 +145,16 @@ func newTestPack(t *testing.T, ctx context.Context, cfg testPackConfig) *testPac
 	// interface with fakeClientApp via the gRPC client.
 	clt := runTestClientApplicationService(t, ctx, cfg.clock, cfg.fakeClientApp)
 	appProvider := newAppProvider(clt)
+	sshProvider := newSSHProvider(sshProviderConfig{
+		clt:                clt,
+		overrideNodeDialer: cfg.fakeClientApp.dialSSHNode,
+	})
 	tcpHandlerResolver := newTCPHandlerResolver(&tcpHandlerResolverConfig{
-		clt:         clt,
-		appProvider: appProvider,
-		clock:       cfg.clock,
+		clt:                      clt,
+		appProvider:              appProvider,
+		sshProvider:              sshProvider,
+		clock:                    cfg.clock,
+		alwaysTrustRootClusterCA: true,
 	})
 
 	// Create the VNet and connect it to the other side of the TUN.
@@ -318,8 +325,11 @@ type appSpec struct {
 	tcpPorts   []*types.PortRange
 }
 
+type nodeSpec struct{}
+
 type testClusterSpec struct {
 	apps           []appSpec
+	nodes          map[string]nodeSpec
 	cidrRange      string
 	customDNSZones []string
 	leafClusters   map[string]testClusterSpec
@@ -328,8 +338,9 @@ type testClusterSpec struct {
 type fakeClientApp struct {
 	cfg *fakeClientAppConfig
 
-	tlsCA    tls.Certificate
-	dialOpts *vnetv1.DialOptions
+	tlsCA       tls.Certificate
+	userTLSCert tls.Certificate
+	dialOpts    *vnetv1.DialOptions
 
 	onNewConnectionCallCount    atomic.Uint32
 	onInvalidLocalPortCallCount atomic.Uint32
@@ -351,9 +362,17 @@ type fakeClientAppConfig struct {
 func newFakeClientApp(ctx context.Context, t *testing.T, cfg *fakeClientAppConfig) *fakeClientApp {
 	tlsCA := newSelfSignedCA(t)
 	dialOpts := mustStartFakeWebProxy(ctx, t, tlsCA, cfg.clock, cfg.signatureAlgorithmSuite)
+	userTLSCert, err := newClientCert(ctx,
+		tlsCA,
+		"testuser",
+		cfg.clock.Now().Add(defaults.CertDuration),
+		cfg.signatureAlgorithmSuite,
+		cryptosuites.UserTLS)
+	require.NoError(t, err)
 	return &fakeClientApp{
 		cfg:                  cfg,
 		tlsCA:                tlsCA,
+		userTLSCert:          userTLSCert,
 		dialOpts:             dialOpts,
 		requestedRouteToApps: make(map[string][]*proto.RouteToApp),
 	}
@@ -409,6 +428,10 @@ func (p *fakeClientApp) ReissueAppCert(ctx context.Context, appInfo *vnetv1.AppI
 		cryptosuites.UserTLS)
 }
 
+func (p *fakeClientApp) UserTLSCert(ctx context.Context, profileName string) (tls.Certificate, error) {
+	return p.userTLSCert, nil
+}
+
 func (p *fakeClientApp) RequestedRouteToApps(publicAddr string) []*proto.RouteToApp {
 	p.requestedRouteToAppsMu.RLock()
 	defer p.requestedRouteToAppsMu.RUnlock()
@@ -484,6 +507,30 @@ func (p *fakeClientApp) OnInvalidLocalPort(_ context.Context, _ *vnetv1.AppInfo,
 	p.onInvalidLocalPortCallCount.Add(1)
 }
 
+func (p *fakeClientApp) dialSSHNode(
+	ctx context.Context,
+	target dialTarget,
+	tlsConfig *tls.Config,
+	dialOpts *vnetv1.DialOptions,
+) (net.Conn, error) {
+	targetCluster, ok := p.cfg.clusters[target.profile]
+	if !ok {
+		return nil, trace.NotFound("no such profile")
+	}
+	if target.cluster != target.profile {
+		targetCluster, ok = targetCluster.leafClusters[target.cluster]
+		if !ok {
+			return nil, trace.NotFound("no such cluster")
+		}
+	}
+	if _, ok := targetCluster.nodes[strings.TrimSuffix(target.host, ":0")]; !ok {
+		return nil, trace.NotFound("no such host")
+	}
+	// For now just let it dial the fake web proxy, later we'll need to set up a
+	// fake SSH server for the test to dial to.
+	return tls.Dial("tcp", dialOpts.GetWebProxyAddr(), tlsConfig)
+}
+
 type fakeClusterClient struct {
 	authClient *fakeAuthClient
 }
@@ -1010,17 +1057,29 @@ func TestSSH(t *testing.T) {
 		clusters: map[string]testClusterSpec{
 			"root1.example.com": {
 				cidrRange: root1CIDR,
+				nodes: map[string]nodeSpec{
+					"node": {},
+				},
 				leafClusters: map[string]testClusterSpec{
 					"leaf1.example.com": {
 						cidrRange: leaf1CIDR,
+						nodes: map[string]nodeSpec{
+							"node": {},
+						},
 					},
 				},
 			},
 			"root2.example.com": {
 				cidrRange: root2CIDR,
+				nodes: map[string]nodeSpec{
+					"node": {},
+				},
 				leafClusters: map[string]testClusterSpec{
 					"leaf2.example.com": {
 						cidrRange: leaf2CIDR,
+						nodes: map[string]nodeSpec{
+							"node": {},
+						},
 					},
 				},
 			},
@@ -1035,32 +1094,67 @@ func TestSSH(t *testing.T) {
 	})
 
 	for _, tc := range []struct {
-		addr       string
-		expectCIDR string
+		dialAddr           string
+		dialPort           int
+		expectCIDR         string
+		expectLookupToFail bool
+		expectDialToFail   bool
 	}{
 		{
-			addr:       "node.root1.example.com",
+			dialAddr:   "node.root1.example.com",
+			dialPort:   22,
 			expectCIDR: root1CIDR,
 		},
 		{
-			addr:       "node.leaf1.example.com.root1.example.com",
+			// Dial should fail on non-standard SSH port.
+			dialAddr:         "node.root1.example.com",
+			dialPort:         23,
+			expectCIDR:       root1CIDR,
+			expectDialToFail: true,
+		},
+		{
+			dialAddr:   "node.leaf1.example.com.root1.example.com",
+			dialPort:   22,
 			expectCIDR: leaf1CIDR,
 		},
 		{
-			addr:       "node.root2.example.com",
+			dialAddr:   "node.root2.example.com",
+			dialPort:   22,
 			expectCIDR: root2CIDR,
 		},
 		{
-			addr:       "node.leaf2.example.com.root2.example.com",
+			dialAddr:   "node.leaf2.example.com.root2.example.com",
+			dialPort:   22,
 			expectCIDR: leaf2CIDR,
 		},
+		{
+			// DNS lookup should fail if the FQDN doesn't match any cluster.
+			dialAddr:           "node.bogus.example.com.",
+			dialPort:           22,
+			expectLookupToFail: true,
+		},
+		{
+			// If the FQDN matches a cluster but no node, the DNS lookup should
+			// succeed but the TCP dial should fail.
+			dialAddr:         "bogus.root1.example.com",
+			dialPort:         22,
+			expectCIDR:       root1CIDR,
+			expectDialToFail: true,
+		},
 	} {
-		t.Run(tc.addr, func(t *testing.T) {
+		t.Run(fmt.Sprintf("%s:%d", tc.dialAddr, tc.dialPort), func(t *testing.T) {
 			t.Parallel()
+
+			lookupCtx, cancel := context.WithTimeout(ctx, 100*time.Millisecond)
+			defer cancel()
 			// SSH access isn't fully implemented yet, at this point the DNS
 			// lookup for *.<cluster-name> should resolve to an IP in the
 			// expected CIDR range for the cluster.
-			resolvedAddrs, err := p.lookupHost(ctx, tc.addr)
+			resolvedAddrs, err := p.lookupHost(lookupCtx, tc.dialAddr)
+			if tc.expectLookupToFail {
+				require.Error(t, err)
+				return
+			}
 			require.NoError(t, err)
 
 			_, expectNet, err := net.ParseCIDR(tc.expectCIDR)
@@ -1076,10 +1170,15 @@ func TestSSH(t *testing.T) {
 					"expected CIDR range %s does not include resolved IP %s", expectNet, resolvedIPSuffix)
 			}
 
-			// Actually dialing the address should still fail until VNet SSH is
-			// implemented.
-			_, err = p.dialHost(ctx, tc.addr, 22)
-			require.Error(t, err)
+			dialCtx, cancel := context.WithTimeout(ctx, 100*time.Millisecond)
+			defer cancel()
+			conn, err := p.dialHost(dialCtx, tc.dialAddr, tc.dialPort)
+			if tc.expectDialToFail {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			conn.Close()
 		})
 	}
 }
diff --git a/proto/teleport/lib/vnet/v1/client_application_service.proto b/proto/teleport/lib/vnet/v1/client_application_service.proto
index e552e5bd0b277..4552204c8a483 100644
--- a/proto/teleport/lib/vnet/v1/client_application_service.proto
+++ b/proto/teleport/lib/vnet/v1/client_application_service.proto
@@ -53,6 +53,10 @@ service ClientApplicationService {
   rpc OnInvalidLocalPort(OnInvalidLocalPortRequest) returns (OnInvalidLocalPortResponse);
   // GetTargetOSConfiguration gets the target OS configuration.
   rpc GetTargetOSConfiguration(GetTargetOSConfigurationRequest) returns (GetTargetOSConfigurationResponse);
+  // UserTLSCert returns the user TLS certificate for a specific profile.
+  rpc UserTLSCert(UserTLSCertRequest) returns (UserTLSCertResponse);
+  // SignForUserTLS signs a digest with the user TLS private key.
+  rpc SignForUserTLS(SignForUserTLSRequest) returns (SignForUserTLSResponse);
 }
 
 // AuthenticateProcessRequest is a request for AuthenticateProcess.
@@ -131,6 +135,14 @@ message MatchedCluster {
   // WebProxyAddr is the web proxy address of the root cluster that matched the
   // query.
   string web_proxy_addr = 2;
+  // Profile is the profile the matched cluster was found in.
+  string profile = 3;
+  // RootCluster will always be set to the name of the root cluster that matched
+  // the query.
+  string root_cluster = 4;
+  // LeafCluster will be set only when the query matched a leaf cluster of
+  // RootCluster, or else it will be empty.
+  string leaf_cluster = 5;
 }
 
 // AppInfo holds all necessary info for making connections to VNet TCP apps.
@@ -172,8 +184,10 @@ message DialOptions {
   string sni = 3;
   // InsecureSkipVerify turns off verification for x509 upstream ALPN proxy service certificate.
   bool insecure_skip_verify = 4;
-  // RootClusterCaCertPool overrides the x509 certificate pool used to verify the server.
-  // It is a PEM-encoded X509 certificate pool.
+  // RootClusterCaCertPool is the host CA TLS certificate pool for the root
+  // cluster. It is a PEM-encoded X509 certificate pool. It should be used when
+  // dialing the proxy and AlpnConnUpgradeRequired is true or when dialing the
+  // transport service.
   bytes root_cluster_ca_cert_pool = 5;
 }
 
@@ -198,6 +212,8 @@ message ReissueAppCertResponse {
 // ReissueAppCert. The private key used for the signature will match the subject
 // public key of the issued x509 certificate.
 message SignForAppRequest {
+  reserved 3, 4, 5;
+  reserved "digest", "hash", "pss_salt_length";
   // AppKey uniquely identifies a TCP app, it must match the key of an app from
   // a previous successful call to ReissueAppCert.
   AppKey app_key = 1;
@@ -205,13 +221,19 @@ message SignForAppRequest {
   // TargetPort of a previous successful call to ReissueAppCert for an app
   // matching AppKey.
   uint32 target_port = 2;
+  // Sign holds signature request details.
+  SignRequest sign = 6;
+}
+
+// SignRequest holds signature request details.
+message SignRequest {
   // Digest is the bytes to sign.
-  bytes digest = 3;
+  bytes digest = 1;
   // Hash is the hash function used to compute digest.
-  Hash hash = 4;
+  Hash hash = 2;
   // PssSaltLength specifies the length of the salt added to the digest before a
   // signature. Only used and required for RSA PSS signatures.
-  optional int32 pss_salt_length = 5;
+  optional int32 pss_salt_length = 3;
 }
 
 // Hash specifies a cryptographic hash function.
@@ -278,3 +300,32 @@ message TargetOSConfiguration {
   // should also include the default range.
   repeated string ipv4_cidr_ranges = 2;
 }
+
+// UserTLSCertRequest is a request for UserTLSCert.
+message UserTLSCertRequest {
+  // Profile is the profile to retrieve the certificate for.
+  string profile = 1;
+}
+
+// UserTLSCertResponse is a response for UserTLSCert.
+message UserTLSCertResponse {
+  // Cert is the user TLS certificate in X.509 ASN.1 DER format.
+  bytes cert = 1;
+  // DialOptions holds options that should be used when dialing the root cluster
+  // proxy.
+  DialOptions dial_options = 2;
+}
+
+// SignForUserTLSRequest is a request for SignForUserTLS.
+message SignForUserTLSRequest {
+  // Profile is the user profile to sign for.
+  string profile = 1;
+  // Sign holds signature request details.
+  SignRequest sign = 2;
+}
+
+// SignForUserTLSResponse is a response for SignForUserTLS.
+message SignForUserTLSResponse {
+  // Signature is the signature.
+  bytes signature = 1;
+}
diff --git a/tool/tsh/common/vnet_client_application.go b/tool/tsh/common/vnet_client_application.go
index b9ee5c1ed4103..cbffa21f90fd1 100644
--- a/tool/tsh/common/vnet_client_application.go
+++ b/tool/tsh/common/vnet_client_application.go
@@ -100,6 +100,22 @@ func (p *vnetClientApplication) ReissueAppCert(ctx context.Context, appInfo *vne
 	return cert, trace.Wrap(err)
 }
 
+// UserTLSCert returns the user TLS certificate for the given profile.
+func (p *vnetClientApplication) UserTLSCert(ctx context.Context, profileName string) (tls.Certificate, error) {
+	profile, err := p.clientStore.GetProfile(profileName)
+	if err != nil {
+		return tls.Certificate{}, trace.Wrap(err, "loading user profile %s", profileName)
+	}
+	tlsConfig, err := profile.TLSConfig()
+	if err != nil {
+		return tls.Certificate{}, trace.Wrap(err, "loading TLS config for profile")
+	}
+	if len(tlsConfig.Certificates) == 0 {
+		return tls.Certificate{}, trace.Errorf("user tls config has no certificates")
+	}
+	return tlsConfig.Certificates[0], nil
+}
+
 // GetDialOptions returns ALPN dial options for the profile.
 func (p *vnetClientApplication) GetDialOptions(ctx context.Context, profileName string) (*vnetv1.DialOptions, error) {
 	profile, err := p.clientStore.GetProfile(profileName)
@@ -111,11 +127,9 @@ func (p *vnetClientApplication) GetDialOptions(ctx context.Context, profileName
 		AlpnConnUpgradeRequired: profile.TLSRoutingConnUpgradeRequired,
 		InsecureSkipVerify:      p.cf.InsecureSkipVerify,
 	}
-	if dialOpts.AlpnConnUpgradeRequired {
-		dialOpts.RootClusterCaCertPool, err = p.getRootClusterCACertPoolPEM(ctx, profileName)
-		if err != nil {
-			return nil, trace.Wrap(err)
-		}
+	dialOpts.RootClusterCaCertPool, err = p.getRootClusterCACertPoolPEM(ctx, profileName)
+	if err != nil {
+		return nil, trace.Wrap(err)
 	}
 	return dialOpts, nil
 }

From 19f5dceab1b18d762d0bc44d41d6d676124d5782 Mon Sep 17 00:00:00 2001
From: Nic Klaassen <nic@goteleport.com>
Date: Sat, 31 May 2025 08:04:23 -0700
Subject: [PATCH 02/25] [v18][vnet] feat: accept incoming SSH connections

Backport #55155 to branch/v18
---
 lib/vnet/admin_process_common.go |  11 ++-
 lib/vnet/ssh_handler.go          |  84 +++++++++++++++-
 lib/vnet/ssh_provider.go         |  54 ++++++++++-
 lib/vnet/vnet_test.go            | 160 +++++++++++++++++++++++++------
 4 files changed, 269 insertions(+), 40 deletions(-)

diff --git a/lib/vnet/admin_process_common.go b/lib/vnet/admin_process_common.go
index 47c1793dbe70f..2aad6c5b1967f 100644
--- a/lib/vnet/admin_process_common.go
+++ b/lib/vnet/admin_process_common.go
@@ -22,12 +22,19 @@ import (
 )
 
 func newNetworkStackConfig(tun tunDevice, clt *clientApplicationServiceClient) (*networkStackConfig, error) {
-	sshProvider := newSSHProvider(sshProviderConfig{clt: clt})
+	clock := clockwork.NewRealClock()
+	sshProvider, err := newSSHProvider(sshProviderConfig{
+		clt:   clt,
+		clock: clock,
+	})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
 	tcpHandlerResolver := newTCPHandlerResolver(&tcpHandlerResolverConfig{
 		clt:         clt,
 		appProvider: newAppProvider(clt),
 		sshProvider: sshProvider,
-		clock:       clockwork.NewRealClock(),
+		clock:       clock,
 	})
 	ipv6Prefix, err := newIPv6Prefix()
 	if err != nil {
diff --git a/lib/vnet/ssh_handler.go b/lib/vnet/ssh_handler.go
index 627665913abaf..f8e8e831ea24b 100644
--- a/lib/vnet/ssh_handler.go
+++ b/lib/vnet/ssh_handler.go
@@ -18,9 +18,15 @@ package vnet
 
 import (
 	"context"
+	"crypto/rand"
 	"net"
+	"strings"
 
 	"github.com/gravitational/trace"
+	"golang.org/x/crypto/ssh"
+
+	"github.com/gravitational/teleport/api/utils/sshutils"
+	"github.com/gravitational/teleport/lib/cryptosuites"
 )
 
 // sshHandler handles incoming VNet SSH connections.
@@ -61,13 +67,83 @@ func (h *sshHandler) handleTCPConnectorWithTargetConn(
 	connector func() (net.Conn, error),
 	targetConn net.Conn,
 ) error {
-	// For now we accept the incoming TCP conn to indicate that the node exists,
-	// but SSH connection forwarding is not implemented yet so we immediately
-	// close it.
+	hostCert, err := h.newHostCert(ctx)
+	if err != nil {
+		return trace.Wrap(err)
+	}
+
 	localConn, err := connector()
 	if err != nil {
 		return trace.Wrap(err)
 	}
-	localConn.Close()
+	defer localConn.Close()
+
+	// For now we accept the incoming SSH connection but forwarding to the
+	// target is not implemented yet so we immediately close it.
+	serverConfig := &ssh.ServerConfig{
+		PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
+			if !sshutils.KeysEqual(h.cfg.sshProvider.trustedUserPublicKey, key) {
+				return nil, trace.AccessDenied("SSH client public key is not trusted")
+			}
+			return nil, nil
+		},
+	}
+	serverConfig.AddHostKey(hostCert)
+	serverConn, chans, reqs, err := ssh.NewServerConn(localConn, serverConfig)
+	if err != nil {
+		return trace.Wrap(err, "accepting incoming SSH connection")
+	}
+	// Immediately close the connection but make sure to drain the channels.
+	serverConn.Close()
+	go ssh.DiscardRequests(reqs)
+	go func() {
+		for newChan := range chans {
+			_ = newChan.Reject(0, "")
+		}
+	}()
+	target := h.cfg.target
+	log.DebugContext(ctx, "Accepted incoming SSH connection",
+		"profile", target.profile,
+		"cluster", target.cluster,
+		"host", target.host,
+		"user", serverConn.User(),
+	)
 	return trace.NotImplemented("VNet SSH connection forwarding is not yet implemented")
 }
+
+func (h *sshHandler) newHostCert(ctx context.Context) (ssh.Signer, error) {
+	// If the user typed "ssh host.com" or "ssh host.com." our DNS handler will
+	// only see the fully-qualified variant with the trailing "." but the SSH
+	// client treats them differently, we need both in the principals if we want
+	// the cert to be trusted in both cases.
+	validPrincipals := []string{
+		h.cfg.target.fqdn,
+		strings.TrimSuffix(h.cfg.target.fqdn, "."),
+	}
+	// We generate an ephemeral key for every connection, Ed25519 is fast and
+	// well supported.
+	hostKey, err := cryptosuites.GenerateKeyWithAlgorithm(cryptosuites.Ed25519)
+	if err != nil {
+		return nil, trace.Wrap(err, "generating SSH host key")
+	}
+	hostSigner, err := ssh.NewSignerFromSigner(hostKey)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	cert := &ssh.Certificate{
+		Key:             hostSigner.PublicKey(),
+		Serial:          1,
+		CertType:        ssh.HostCert,
+		ValidPrincipals: validPrincipals,
+		// This cert will only ever be used to handle this one SSH connection,
+		// the private key is held only in memory, the issuing CA is regenerated
+		// every time this process restarts and will only be trusted on this one
+		// host. The expiry doesn't matter.
+		ValidBefore: ssh.CertTimeInfinity,
+	}
+	if err := cert.SignCert(rand.Reader, h.cfg.sshProvider.hostCASigner); err != nil {
+		return nil, trace.Wrap(err, "signing SSH host cert")
+	}
+	certSigner, err := ssh.NewCertSigner(cert, hostSigner)
+	return certSigner, trace.Wrap(err)
+}
diff --git a/lib/vnet/ssh_provider.go b/lib/vnet/ssh_provider.go
index ace2db9bf17a5..1e0cc00e2ebd1 100644
--- a/lib/vnet/ssh_provider.go
+++ b/lib/vnet/ssh_provider.go
@@ -24,19 +24,26 @@ import (
 	"strings"
 
 	"github.com/gravitational/trace"
+	"github.com/jonboulle/clockwork"
 	"golang.org/x/crypto/ssh"
 
 	proxyclient "github.com/gravitational/teleport/api/client/proxy"
 	vnetv1 "github.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/v1"
+	"github.com/gravitational/teleport/lib/cryptosuites"
 )
 
 // sshProvider provides methods necessary for VNet SSH access.
 type sshProvider struct {
 	cfg sshProviderConfig
+	// hostCASigner is the host CA key used internally in VNet to terminate
+	// connections from clients, it is not a Teleport CA used by any cluster.
+	hostCASigner         ssh.Signer
+	trustedUserPublicKey ssh.PublicKey
 }
 
 type sshProviderConfig struct {
-	clt *clientApplicationServiceClient
+	clt   *clientApplicationServiceClient
+	clock clockwork.Clock
 	// overrideNodeDialer can be used in tests to dial SSH nodes with the real
 	// TLS configuration but without setting up the proxy transport service.
 	overrideNodeDialer func(
@@ -45,12 +52,45 @@ type sshProviderConfig struct {
 		tlsConfig *tls.Config,
 		dialOpts *vnetv1.DialOptions,
 	) (net.Conn, error)
+	// hostCASigner can be used in tests to set a specific key for the SSH host CA.
+	hostCASigner ssh.Signer
+	// trustedUserPublicKey can be used in tests to set a specific trusted user
+	// SSH key.
+	trustedUserPublicKey ssh.PublicKey
 }
 
-func newSSHProvider(cfg sshProviderConfig) *sshProvider {
-	return &sshProvider{
-		cfg: cfg,
+func newSSHProvider(cfg sshProviderConfig) (*sshProvider, error) {
+	hostCASigner := cfg.hostCASigner
+	if hostCASigner == nil {
+		// TODO(nklaassen): write host CA public key to $TELEPORT_HOME/vnet_known_hosts
+		hostKey, err := cryptosuites.GenerateKeyWithAlgorithm(cryptosuites.Ed25519)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+		hostCASigner, err = ssh.NewSignerFromSigner(hostKey)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+	}
+	trustedUserPublicKey := cfg.trustedUserPublicKey
+	if trustedUserPublicKey == nil {
+		// TODO(nklaassen): check if $TELEPORT_HOME/id_vnet.pub exists.
+		// If it does, read that file and trust it.
+		// If not, generate the keypair and write it to $TELEPORT_HOME/id_vnet.
+		userKey, err := cryptosuites.GenerateKeyWithAlgorithm(cryptosuites.Ed25519)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+		trustedUserPublicKey, err = ssh.NewPublicKey(userKey.Public())
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
 	}
+	return &sshProvider{
+		cfg:                  cfg,
+		hostCASigner:         hostCASigner,
+		trustedUserPublicKey: trustedUserPublicKey,
+	}, nil
 }
 
 // dial dials the target SSH host.
@@ -142,7 +182,10 @@ func (p *sshProvider) userTLSConfig(
 }
 
 type dialTarget struct {
-	profile, cluster, host string
+	fqdn    string
+	profile string
+	cluster string
+	host    string
 }
 
 func computeDialTarget(matchedCluster *vnetv1.MatchedCluster, fqdn string) dialTarget {
@@ -155,6 +198,7 @@ func computeDialTarget(matchedCluster *vnetv1.MatchedCluster, fqdn string) dialT
 	}
 	targetHost = targetHost + ":0"
 	return dialTarget{
+		fqdn:    fqdn,
 		profile: targetProfile,
 		cluster: targetCluster,
 		host:    targetHost,
diff --git a/lib/vnet/vnet_test.go b/lib/vnet/vnet_test.go
index d5a64a67a3bea..3063f7d1a288a 100644
--- a/lib/vnet/vnet_test.go
+++ b/lib/vnet/vnet_test.go
@@ -43,6 +43,7 @@ import (
 	"github.com/jonboulle/clockwork"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"golang.org/x/crypto/ssh"
 	"google.golang.org/grpc"
 	grpccredentials "google.golang.org/grpc/credentials"
 	"gvisor.dev/gvisor/pkg/tcpip"
@@ -58,6 +59,7 @@ import (
 	"github.com/gravitational/teleport/api/types"
 	typesvnet "github.com/gravitational/teleport/api/types/vnet"
 	"github.com/gravitational/teleport/api/utils/grpc/interceptors"
+	"github.com/gravitational/teleport/api/utils/sshutils"
 	vnetv1 "github.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/v1"
 	"github.com/gravitational/teleport/lib/auth/authclient"
 	"github.com/gravitational/teleport/lib/cryptosuites"
@@ -85,8 +87,10 @@ type testPack struct {
 }
 
 type testPackConfig struct {
-	clock         clockwork.Clock
-	fakeClientApp *fakeClientApp
+	clock                   clockwork.Clock
+	fakeClientApp           *fakeClientApp
+	sshHostCASigner         ssh.Signer
+	sshTrustedUserPublicKey ssh.PublicKey
 }
 
 func newTestPack(t *testing.T, ctx context.Context, cfg testPackConfig) *testPack {
@@ -145,10 +149,14 @@ func newTestPack(t *testing.T, ctx context.Context, cfg testPackConfig) *testPac
 	// interface with fakeClientApp via the gRPC client.
 	clt := runTestClientApplicationService(t, ctx, cfg.clock, cfg.fakeClientApp)
 	appProvider := newAppProvider(clt)
-	sshProvider := newSSHProvider(sshProviderConfig{
-		clt:                clt,
-		overrideNodeDialer: cfg.fakeClientApp.dialSSHNode,
+	sshProvider, err := newSSHProvider(sshProviderConfig{
+		clt:                  clt,
+		clock:                cfg.clock,
+		overrideNodeDialer:   cfg.fakeClientApp.dialSSHNode,
+		hostCASigner:         cfg.sshHostCASigner,
+		trustedUserPublicKey: cfg.sshTrustedUserPublicKey,
 	})
+	require.NoError(t, err)
 	tcpHandlerResolver := newTCPHandlerResolver(&tcpHandlerResolverConfig{
 		clt:                      clt,
 		appProvider:              appProvider,
@@ -1088,22 +1096,52 @@ func TestSSH(t *testing.T) {
 		signatureAlgorithmSuite: types.SignatureAlgorithmSuite_SIGNATURE_ALGORITHM_SUITE_BALANCED_V1,
 	})
 
+	sshHostKey, err := cryptosuites.GenerateKeyWithAlgorithm(cryptosuites.Ed25519)
+	require.NoError(t, err)
+	sshHostCASigner, err := ssh.NewSignerFromSigner(sshHostKey)
+	require.NoError(t, err)
+
+	sshUserKey, err := cryptosuites.GenerateKeyWithAlgorithm(cryptosuites.Ed25519)
+	require.NoError(t, err)
+	sshUserSigner, err := ssh.NewSignerFromSigner(sshUserKey)
+	require.NoError(t, err)
+
+	badUserKey, err := cryptosuites.GenerateKeyWithAlgorithm(cryptosuites.Ed25519)
+	require.NoError(t, err)
+	badUserSigner, err := ssh.NewSignerFromSigner(badUserKey)
+	require.NoError(t, err)
+
 	p := newTestPack(t, ctx, testPackConfig{
-		fakeClientApp: clientApp,
-		clock:         clock,
+		fakeClientApp:           clientApp,
+		clock:                   clock,
+		sshHostCASigner:         sshHostCASigner,
+		sshTrustedUserPublicKey: sshUserSigner.PublicKey(),
 	})
 
 	for _, tc := range []struct {
-		dialAddr           string
-		dialPort           int
-		expectCIDR         string
-		expectLookupToFail bool
-		expectDialToFail   bool
+		dialAddr                 string
+		dialPort                 int
+		expectCIDR               string
+		expectLookupToFail       bool
+		expectDialToFail         bool
+		sshUser                  string
+		sshUserSigner            ssh.Signer
+		expectSSHHandshakeToFail bool
 	}{
 		{
-			dialAddr:   "node.root1.example.com",
-			dialPort:   22,
-			expectCIDR: root1CIDR,
+			dialAddr:      "node.root1.example.com",
+			dialPort:      22,
+			expectCIDR:    root1CIDR,
+			sshUser:       "testuser",
+			sshUserSigner: sshUserSigner,
+		},
+		{
+			// Fully-qualified hostname should also work.
+			dialAddr:      "node.root1.example.com.",
+			dialPort:      22,
+			expectCIDR:    root1CIDR,
+			sshUser:       "testuser",
+			sshUserSigner: sshUserSigner,
 		},
 		{
 			// Dial should fail on non-standard SSH port.
@@ -1113,19 +1151,33 @@ func TestSSH(t *testing.T) {
 			expectDialToFail: true,
 		},
 		{
-			dialAddr:   "node.leaf1.example.com.root1.example.com",
-			dialPort:   22,
-			expectCIDR: leaf1CIDR,
+			dialAddr:                 "node.root1.example.com",
+			dialPort:                 22,
+			expectCIDR:               root1CIDR,
+			sshUser:                  "baduser",
+			sshUserSigner:            badUserSigner,
+			expectSSHHandshakeToFail: true,
 		},
 		{
-			dialAddr:   "node.root2.example.com",
-			dialPort:   22,
-			expectCIDR: root2CIDR,
+			dialAddr:      "node.leaf1.example.com.root1.example.com",
+			dialPort:      22,
+			expectCIDR:    leaf1CIDR,
+			sshUser:       "testuser",
+			sshUserSigner: sshUserSigner,
 		},
 		{
-			dialAddr:   "node.leaf2.example.com.root2.example.com",
-			dialPort:   22,
-			expectCIDR: leaf2CIDR,
+			dialAddr:      "node.root2.example.com",
+			dialPort:      22,
+			expectCIDR:    root2CIDR,
+			sshUser:       "testuser",
+			sshUserSigner: sshUserSigner,
+		},
+		{
+			dialAddr:      "node.leaf2.example.com.root2.example.com",
+			dialPort:      22,
+			expectCIDR:    leaf2CIDR,
+			sshUser:       "testuser",
+			sshUserSigner: sshUserSigner,
 		},
 		{
 			// DNS lookup should fail if the FQDN doesn't match any cluster.
@@ -1142,14 +1194,13 @@ func TestSSH(t *testing.T) {
 			expectDialToFail: true,
 		},
 	} {
-		t.Run(fmt.Sprintf("%s:%d", tc.dialAddr, tc.dialPort), func(t *testing.T) {
+		t.Run(fmt.Sprintf("%s@%s:%d", tc.sshUser, tc.dialAddr, tc.dialPort), func(t *testing.T) {
 			t.Parallel()
 
 			lookupCtx, cancel := context.WithTimeout(ctx, 100*time.Millisecond)
 			defer cancel()
-			// SSH access isn't fully implemented yet, at this point the DNS
-			// lookup for *.<cluster-name> should resolve to an IP in the
-			// expected CIDR range for the cluster.
+			// The DNS lookup for *.<cluster-name> should resolve to an IP in
+			// the expected CIDR range for the cluster.
 			resolvedAddrs, err := p.lookupHost(lookupCtx, tc.dialAddr)
 			if tc.expectLookupToFail {
 				require.Error(t, err)
@@ -1170,6 +1221,8 @@ func TestSSH(t *testing.T) {
 					"expected CIDR range %s does not include resolved IP %s", expectNet, resolvedIPSuffix)
 			}
 
+			// TCP dial the target address, it should fail if the node doesn't
+			// exist.
 			dialCtx, cancel := context.WithTimeout(ctx, 100*time.Millisecond)
 			defer cancel()
 			conn, err := p.dialHost(dialCtx, tc.dialAddr, tc.dialPort)
@@ -1178,9 +1231,58 @@ func TestSSH(t *testing.T) {
 				return
 			}
 			require.NoError(t, err)
-			conn.Close()
+			defer conn.Close()
+
+			// Initiate an SSH connection to the target. At this point the
+			// handshake should complete successfully as long as the right keys
+			// are used, but the SSH connection will be immediately closed by
+			// the server.
+			certChecker := ssh.CertChecker{
+				IsHostAuthority: func(auth ssh.PublicKey, address string) bool {
+					return sshutils.KeysEqual(auth, sshHostCASigner.PublicKey())
+				},
+				Clock: clock.Now,
+			}
+			clientConfig := &ssh.ClientConfig{
+				User:            tc.sshUser,
+				Auth:            []ssh.AuthMethod{ssh.PublicKeys(tc.sshUserSigner)},
+				HostKeyCallback: certChecker.CheckHostKey,
+			}
+			sshConn, _, _, err := ssh.NewClientConn(conn, fmt.Sprintf("%s:%d", tc.dialAddr, tc.dialPort), clientConfig)
+			if tc.expectSSHHandshakeToFail {
+				require.Error(t, err, "expected SSH handshake to fail")
+				return
+			}
+			require.NoError(t, err)
+			defer sshConn.Close()
 		})
 	}
+
+	// Test that a fresh SSH host cert is used on each connection.
+	t.Run("ephemeral certs", func(t *testing.T) {
+		// Set up the SSH client config to capture the host certs it sees.
+		var checkedHostCerts []*ssh.Certificate
+		clientConfig := &ssh.ClientConfig{
+			User: "testuser",
+			Auth: []ssh.AuthMethod{ssh.PublicKeys(sshUserSigner)},
+			HostKeyCallback: func(addr string, remote net.Addr, key ssh.PublicKey) error {
+				checkedHostCerts = append(checkedHostCerts, key.(*ssh.Certificate))
+				return nil
+			},
+		}
+		const connections = 3
+		for range connections {
+			conn, err := p.dialHost(ctx, "node.root1.example.com", 22)
+			require.NoError(t, err)
+			sshConn, _, _, err := ssh.NewClientConn(conn, "node.root1.example.com:22", clientConfig)
+			require.NoError(t, err)
+			sshConn.Close()
+		}
+		require.Len(t, checkedHostCerts, connections)
+		for i := range connections - 1 {
+			require.NotEqual(t, checkedHostCerts[i], checkedHostCerts[i+1])
+		}
+	})
 }
 
 func randomULAAddress() (tcpip.Address, error) {

From 4517ec58c7954117feeb39303cd8ed0de84c4e43 Mon Sep 17 00:00:00 2001
From: Nic Klaassen <nic@goteleport.com>
Date: Sat, 31 May 2025 09:24:04 -0700
Subject: [PATCH 03/25] [v18][vnet] feat: forward SSH connections to target

Backport #55156 to branch/v18
---
 .../vnet/v1/client_application_service.pb.go  | 347 ++++++++++++++++--
 .../v1/client_application_service_grpc.pb.go  |  82 +++++
 lib/client/cluster_client.go                  |  67 +++-
 lib/vnet/client_application_service.go        | 138 ++++++-
 lib/vnet/client_application_service_client.go |  25 ++
 lib/vnet/ssh_handler.go                       | 112 +++++-
 lib/vnet/ssh_provider.go                      |  97 ++++-
 lib/vnet/ssh_proxy.go                         |  15 +-
 lib/vnet/ssh_proxy_test.go                    |   5 +
 lib/vnet/user_process.go                      |   8 +-
 lib/vnet/vnet_test.go                         | 266 ++++++++++++--
 .../vnet/v1/client_application_service.proto  |  48 +++
 12 files changed, 1084 insertions(+), 126 deletions(-)

diff --git a/gen/proto/go/teleport/lib/vnet/v1/client_application_service.pb.go b/gen/proto/go/teleport/lib/vnet/v1/client_application_service.pb.go
index 1869b69ce9159..921832bda2b01 100644
--- a/gen/proto/go/teleport/lib/vnet/v1/client_application_service.pb.go
+++ b/gen/proto/go/teleport/lib/vnet/v1/client_application_service.pb.go
@@ -1773,6 +1773,258 @@ func (x *SignForUserTLSResponse) GetSignature() []byte {
 	return nil
 }
 
+// SessionSSHConfigRequest is a request for SessionSSHConfig.
+type SessionSSHConfigRequest struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// Profile is the profile in which the SSH server is found.
+	Profile string `protobuf:"bytes,1,opt,name=profile,proto3" json:"profile,omitempty"`
+	// RootCluster is the cluster in which the SSH server is found.
+	RootCluster string `protobuf:"bytes,2,opt,name=root_cluster,json=rootCluster,proto3" json:"root_cluster,omitempty"`
+	// LeafCluster is the leaf cluster in which the SSH server is found.
+	// If empty, the SSH server is in the root cluster.
+	LeafCluster string `protobuf:"bytes,3,opt,name=leaf_cluster,json=leafCluster,proto3" json:"leaf_cluster,omitempty"`
+	// Address is the address of the SSH server.
+	Address string `protobuf:"bytes,4,opt,name=address,proto3" json:"address,omitempty"`
+	// User is the SSH user the session is for.
+	User          string `protobuf:"bytes,5,opt,name=user,proto3" json:"user,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *SessionSSHConfigRequest) Reset() {
+	*x = SessionSSHConfigRequest{}
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[31]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *SessionSSHConfigRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SessionSSHConfigRequest) ProtoMessage() {}
+
+func (x *SessionSSHConfigRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[31]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SessionSSHConfigRequest.ProtoReflect.Descriptor instead.
+func (*SessionSSHConfigRequest) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{31}
+}
+
+func (x *SessionSSHConfigRequest) GetProfile() string {
+	if x != nil {
+		return x.Profile
+	}
+	return ""
+}
+
+func (x *SessionSSHConfigRequest) GetRootCluster() string {
+	if x != nil {
+		return x.RootCluster
+	}
+	return ""
+}
+
+func (x *SessionSSHConfigRequest) GetLeafCluster() string {
+	if x != nil {
+		return x.LeafCluster
+	}
+	return ""
+}
+
+func (x *SessionSSHConfigRequest) GetAddress() string {
+	if x != nil {
+		return x.Address
+	}
+	return ""
+}
+
+func (x *SessionSSHConfigRequest) GetUser() string {
+	if x != nil {
+		return x.User
+	}
+	return ""
+}
+
+// SessionSSHConfigResponse is a response for SessionSSHConfig.
+type SessionSSHConfigResponse struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// SessionId is an opaque identifier for the session, it should be passed to
+	// SignForSSHSession to issue signatures with the private key associated with
+	// the session.
+	SessionId string `protobuf:"bytes,1,opt,name=session_id,json=sessionId,proto3" json:"session_id,omitempty"`
+	// Cert is the session SSH certificate in SSH wire format.
+	Cert []byte `protobuf:"bytes,2,opt,name=cert,proto3" json:"cert,omitempty"`
+	// TrustedCas is a list of trusted SSH certificate authorities in SSH wire
+	// format.
+	TrustedCas    [][]byte `protobuf:"bytes,3,rep,name=trusted_cas,json=trustedCas,proto3" json:"trusted_cas,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *SessionSSHConfigResponse) Reset() {
+	*x = SessionSSHConfigResponse{}
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[32]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *SessionSSHConfigResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SessionSSHConfigResponse) ProtoMessage() {}
+
+func (x *SessionSSHConfigResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[32]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SessionSSHConfigResponse.ProtoReflect.Descriptor instead.
+func (*SessionSSHConfigResponse) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{32}
+}
+
+func (x *SessionSSHConfigResponse) GetSessionId() string {
+	if x != nil {
+		return x.SessionId
+	}
+	return ""
+}
+
+func (x *SessionSSHConfigResponse) GetCert() []byte {
+	if x != nil {
+		return x.Cert
+	}
+	return nil
+}
+
+func (x *SessionSSHConfigResponse) GetTrustedCas() [][]byte {
+	if x != nil {
+		return x.TrustedCas
+	}
+	return nil
+}
+
+// SignForSSHSessionRequest is a request for SignForSSHSession.
+type SignForSSHSessionRequest struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// SessionId is an opaque identifier for the session returned from a previous
+	// call to SessionSSHConfig.
+	SessionId string `protobuf:"bytes,1,opt,name=session_id,json=sessionId,proto3" json:"session_id,omitempty"`
+	// Sign holds signature request details.
+	Sign          *SignRequest `protobuf:"bytes,2,opt,name=sign,proto3" json:"sign,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *SignForSSHSessionRequest) Reset() {
+	*x = SignForSSHSessionRequest{}
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[33]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *SignForSSHSessionRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SignForSSHSessionRequest) ProtoMessage() {}
+
+func (x *SignForSSHSessionRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[33]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SignForSSHSessionRequest.ProtoReflect.Descriptor instead.
+func (*SignForSSHSessionRequest) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{33}
+}
+
+func (x *SignForSSHSessionRequest) GetSessionId() string {
+	if x != nil {
+		return x.SessionId
+	}
+	return ""
+}
+
+func (x *SignForSSHSessionRequest) GetSign() *SignRequest {
+	if x != nil {
+		return x.Sign
+	}
+	return nil
+}
+
+// SignForSSHSessionResponse is a response for SignForSSHSession.
+type SignForSSHSessionResponse struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// Signature is the signature.
+	Signature     []byte `protobuf:"bytes,1,opt,name=signature,proto3" json:"signature,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *SignForSSHSessionResponse) Reset() {
+	*x = SignForSSHSessionResponse{}
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[34]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *SignForSSHSessionResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SignForSSHSessionResponse) ProtoMessage() {}
+
+func (x *SignForSSHSessionResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[34]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SignForSSHSessionResponse.ProtoReflect.Descriptor instead.
+func (*SignForSSHSessionResponse) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{34}
+}
+
+func (x *SignForSSHSessionResponse) GetSignature() []byte {
+	if x != nil {
+		return x.Signature
+	}
+	return nil
+}
+
 var File_teleport_lib_vnet_v1_client_application_service_proto protoreflect.FileDescriptor
 
 const file_teleport_lib_vnet_v1_client_application_service_proto_rawDesc = "" +
@@ -1865,11 +2117,29 @@ const file_teleport_lib_vnet_v1_client_application_service_proto_rawDesc = "" +
 	"\aprofile\x18\x01 \x01(\tR\aprofile\x125\n" +
 	"\x04sign\x18\x02 \x01(\v2!.teleport.lib.vnet.v1.SignRequestR\x04sign\"6\n" +
 	"\x16SignForUserTLSResponse\x12\x1c\n" +
+	"\tsignature\x18\x01 \x01(\fR\tsignature\"\xa7\x01\n" +
+	"\x17SessionSSHConfigRequest\x12\x18\n" +
+	"\aprofile\x18\x01 \x01(\tR\aprofile\x12!\n" +
+	"\froot_cluster\x18\x02 \x01(\tR\vrootCluster\x12!\n" +
+	"\fleaf_cluster\x18\x03 \x01(\tR\vleafCluster\x12\x18\n" +
+	"\aaddress\x18\x04 \x01(\tR\aaddress\x12\x12\n" +
+	"\x04user\x18\x05 \x01(\tR\x04user\"n\n" +
+	"\x18SessionSSHConfigResponse\x12\x1d\n" +
+	"\n" +
+	"session_id\x18\x01 \x01(\tR\tsessionId\x12\x12\n" +
+	"\x04cert\x18\x02 \x01(\fR\x04cert\x12\x1f\n" +
+	"\vtrusted_cas\x18\x03 \x03(\fR\n" +
+	"trustedCas\"p\n" +
+	"\x18SignForSSHSessionRequest\x12\x1d\n" +
+	"\n" +
+	"session_id\x18\x01 \x01(\tR\tsessionId\x125\n" +
+	"\x04sign\x18\x02 \x01(\v2!.teleport.lib.vnet.v1.SignRequestR\x04sign\"9\n" +
+	"\x19SignForSSHSessionResponse\x12\x1c\n" +
 	"\tsignature\x18\x01 \x01(\fR\tsignature*<\n" +
 	"\x04Hash\x12\x14\n" +
 	"\x10HASH_UNSPECIFIED\x10\x00\x12\r\n" +
 	"\tHASH_NONE\x10\x01\x12\x0f\n" +
-	"\vHASH_SHA256\x10\x022\xe3\t\n" +
+	"\vHASH_SHA256\x10\x022\xcc\v\n" +
 	"\x18ClientApplicationService\x12z\n" +
 	"\x13AuthenticateProcess\x120.teleport.lib.vnet.v1.AuthenticateProcessRequest\x1a1.teleport.lib.vnet.v1.AuthenticateProcessResponse\x12\x83\x01\n" +
 	"\x16ReportNetworkStackInfo\x123.teleport.lib.vnet.v1.ReportNetworkStackInfoRequest\x1a4.teleport.lib.vnet.v1.ReportNetworkStackInfoResponse\x12M\n" +
@@ -1882,7 +2152,9 @@ const file_teleport_lib_vnet_v1_client_application_service_proto_rawDesc = "" +
 	"\x12OnInvalidLocalPort\x12/.teleport.lib.vnet.v1.OnInvalidLocalPortRequest\x1a0.teleport.lib.vnet.v1.OnInvalidLocalPortResponse\x12\x89\x01\n" +
 	"\x18GetTargetOSConfiguration\x125.teleport.lib.vnet.v1.GetTargetOSConfigurationRequest\x1a6.teleport.lib.vnet.v1.GetTargetOSConfigurationResponse\x12b\n" +
 	"\vUserTLSCert\x12(.teleport.lib.vnet.v1.UserTLSCertRequest\x1a).teleport.lib.vnet.v1.UserTLSCertResponse\x12k\n" +
-	"\x0eSignForUserTLS\x12+.teleport.lib.vnet.v1.SignForUserTLSRequest\x1a,.teleport.lib.vnet.v1.SignForUserTLSResponseBLZJgithub.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/v1;vnetv1b\x06proto3"
+	"\x0eSignForUserTLS\x12+.teleport.lib.vnet.v1.SignForUserTLSRequest\x1a,.teleport.lib.vnet.v1.SignForUserTLSResponse\x12q\n" +
+	"\x10SessionSSHConfig\x12-.teleport.lib.vnet.v1.SessionSSHConfigRequest\x1a..teleport.lib.vnet.v1.SessionSSHConfigResponse\x12t\n" +
+	"\x11SignForSSHSession\x12..teleport.lib.vnet.v1.SignForSSHSessionRequest\x1a/.teleport.lib.vnet.v1.SignForSSHSessionResponseBLZJgithub.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/v1;vnetv1b\x06proto3"
 
 var (
 	file_teleport_lib_vnet_v1_client_application_service_proto_rawDescOnce sync.Once
@@ -1897,7 +2169,7 @@ func file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP() []
 }
 
 var file_teleport_lib_vnet_v1_client_application_service_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
-var file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes = make([]protoimpl.MessageInfo, 31)
+var file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes = make([]protoimpl.MessageInfo, 35)
 var file_teleport_lib_vnet_v1_client_application_service_proto_goTypes = []any{
 	(Hash)(0),                                // 0: teleport.lib.vnet.v1.Hash
 	(*AuthenticateProcessRequest)(nil),       // 1: teleport.lib.vnet.v1.AuthenticateProcessRequest
@@ -1931,7 +2203,11 @@ var file_teleport_lib_vnet_v1_client_application_service_proto_goTypes = []any{
 	(*UserTLSCertResponse)(nil),              // 29: teleport.lib.vnet.v1.UserTLSCertResponse
 	(*SignForUserTLSRequest)(nil),            // 30: teleport.lib.vnet.v1.SignForUserTLSRequest
 	(*SignForUserTLSResponse)(nil),           // 31: teleport.lib.vnet.v1.SignForUserTLSResponse
-	(*types.AppV3)(nil),                      // 32: types.AppV3
+	(*SessionSSHConfigRequest)(nil),          // 32: teleport.lib.vnet.v1.SessionSSHConfigRequest
+	(*SessionSSHConfigResponse)(nil),         // 33: teleport.lib.vnet.v1.SessionSSHConfigResponse
+	(*SignForSSHSessionRequest)(nil),         // 34: teleport.lib.vnet.v1.SignForSSHSessionRequest
+	(*SignForSSHSessionResponse)(nil),        // 35: teleport.lib.vnet.v1.SignForSSHSessionResponse
+	(*types.AppV3)(nil),                      // 36: types.AppV3
 }
 var file_teleport_lib_vnet_v1_client_application_service_proto_depIdxs = []int32{
 	4,  // 0: teleport.lib.vnet.v1.ReportNetworkStackInfoRequest.network_stack_info:type_name -> teleport.lib.vnet.v1.NetworkStackInfo
@@ -1940,7 +2216,7 @@ var file_teleport_lib_vnet_v1_client_application_service_proto_depIdxs = []int32
 	12, // 3: teleport.lib.vnet.v1.ResolveFQDNResponse.matched_cluster:type_name -> teleport.lib.vnet.v1.MatchedCluster
 	13, // 4: teleport.lib.vnet.v1.MatchedTCPApp.app_info:type_name -> teleport.lib.vnet.v1.AppInfo
 	14, // 5: teleport.lib.vnet.v1.AppInfo.app_key:type_name -> teleport.lib.vnet.v1.AppKey
-	32, // 6: teleport.lib.vnet.v1.AppInfo.app:type_name -> types.AppV3
+	36, // 6: teleport.lib.vnet.v1.AppInfo.app:type_name -> types.AppV3
 	15, // 7: teleport.lib.vnet.v1.AppInfo.dial_options:type_name -> teleport.lib.vnet.v1.DialOptions
 	13, // 8: teleport.lib.vnet.v1.ReissueAppCertRequest.app_info:type_name -> teleport.lib.vnet.v1.AppInfo
 	14, // 9: teleport.lib.vnet.v1.SignForAppRequest.app_key:type_name -> teleport.lib.vnet.v1.AppKey
@@ -1951,33 +2227,38 @@ var file_teleport_lib_vnet_v1_client_application_service_proto_depIdxs = []int32
 	27, // 14: teleport.lib.vnet.v1.GetTargetOSConfigurationResponse.target_os_configuration:type_name -> teleport.lib.vnet.v1.TargetOSConfiguration
 	15, // 15: teleport.lib.vnet.v1.UserTLSCertResponse.dial_options:type_name -> teleport.lib.vnet.v1.DialOptions
 	19, // 16: teleport.lib.vnet.v1.SignForUserTLSRequest.sign:type_name -> teleport.lib.vnet.v1.SignRequest
-	1,  // 17: teleport.lib.vnet.v1.ClientApplicationService.AuthenticateProcess:input_type -> teleport.lib.vnet.v1.AuthenticateProcessRequest
-	3,  // 18: teleport.lib.vnet.v1.ClientApplicationService.ReportNetworkStackInfo:input_type -> teleport.lib.vnet.v1.ReportNetworkStackInfoRequest
-	6,  // 19: teleport.lib.vnet.v1.ClientApplicationService.Ping:input_type -> teleport.lib.vnet.v1.PingRequest
-	8,  // 20: teleport.lib.vnet.v1.ClientApplicationService.ResolveFQDN:input_type -> teleport.lib.vnet.v1.ResolveFQDNRequest
-	16, // 21: teleport.lib.vnet.v1.ClientApplicationService.ReissueAppCert:input_type -> teleport.lib.vnet.v1.ReissueAppCertRequest
-	18, // 22: teleport.lib.vnet.v1.ClientApplicationService.SignForApp:input_type -> teleport.lib.vnet.v1.SignForAppRequest
-	21, // 23: teleport.lib.vnet.v1.ClientApplicationService.OnNewConnection:input_type -> teleport.lib.vnet.v1.OnNewConnectionRequest
-	23, // 24: teleport.lib.vnet.v1.ClientApplicationService.OnInvalidLocalPort:input_type -> teleport.lib.vnet.v1.OnInvalidLocalPortRequest
-	25, // 25: teleport.lib.vnet.v1.ClientApplicationService.GetTargetOSConfiguration:input_type -> teleport.lib.vnet.v1.GetTargetOSConfigurationRequest
-	28, // 26: teleport.lib.vnet.v1.ClientApplicationService.UserTLSCert:input_type -> teleport.lib.vnet.v1.UserTLSCertRequest
-	30, // 27: teleport.lib.vnet.v1.ClientApplicationService.SignForUserTLS:input_type -> teleport.lib.vnet.v1.SignForUserTLSRequest
-	2,  // 28: teleport.lib.vnet.v1.ClientApplicationService.AuthenticateProcess:output_type -> teleport.lib.vnet.v1.AuthenticateProcessResponse
-	5,  // 29: teleport.lib.vnet.v1.ClientApplicationService.ReportNetworkStackInfo:output_type -> teleport.lib.vnet.v1.ReportNetworkStackInfoResponse
-	7,  // 30: teleport.lib.vnet.v1.ClientApplicationService.Ping:output_type -> teleport.lib.vnet.v1.PingResponse
-	9,  // 31: teleport.lib.vnet.v1.ClientApplicationService.ResolveFQDN:output_type -> teleport.lib.vnet.v1.ResolveFQDNResponse
-	17, // 32: teleport.lib.vnet.v1.ClientApplicationService.ReissueAppCert:output_type -> teleport.lib.vnet.v1.ReissueAppCertResponse
-	20, // 33: teleport.lib.vnet.v1.ClientApplicationService.SignForApp:output_type -> teleport.lib.vnet.v1.SignForAppResponse
-	22, // 34: teleport.lib.vnet.v1.ClientApplicationService.OnNewConnection:output_type -> teleport.lib.vnet.v1.OnNewConnectionResponse
-	24, // 35: teleport.lib.vnet.v1.ClientApplicationService.OnInvalidLocalPort:output_type -> teleport.lib.vnet.v1.OnInvalidLocalPortResponse
-	26, // 36: teleport.lib.vnet.v1.ClientApplicationService.GetTargetOSConfiguration:output_type -> teleport.lib.vnet.v1.GetTargetOSConfigurationResponse
-	29, // 37: teleport.lib.vnet.v1.ClientApplicationService.UserTLSCert:output_type -> teleport.lib.vnet.v1.UserTLSCertResponse
-	31, // 38: teleport.lib.vnet.v1.ClientApplicationService.SignForUserTLS:output_type -> teleport.lib.vnet.v1.SignForUserTLSResponse
-	28, // [28:39] is the sub-list for method output_type
-	17, // [17:28] is the sub-list for method input_type
-	17, // [17:17] is the sub-list for extension type_name
-	17, // [17:17] is the sub-list for extension extendee
-	0,  // [0:17] is the sub-list for field type_name
+	19, // 17: teleport.lib.vnet.v1.SignForSSHSessionRequest.sign:type_name -> teleport.lib.vnet.v1.SignRequest
+	1,  // 18: teleport.lib.vnet.v1.ClientApplicationService.AuthenticateProcess:input_type -> teleport.lib.vnet.v1.AuthenticateProcessRequest
+	3,  // 19: teleport.lib.vnet.v1.ClientApplicationService.ReportNetworkStackInfo:input_type -> teleport.lib.vnet.v1.ReportNetworkStackInfoRequest
+	6,  // 20: teleport.lib.vnet.v1.ClientApplicationService.Ping:input_type -> teleport.lib.vnet.v1.PingRequest
+	8,  // 21: teleport.lib.vnet.v1.ClientApplicationService.ResolveFQDN:input_type -> teleport.lib.vnet.v1.ResolveFQDNRequest
+	16, // 22: teleport.lib.vnet.v1.ClientApplicationService.ReissueAppCert:input_type -> teleport.lib.vnet.v1.ReissueAppCertRequest
+	18, // 23: teleport.lib.vnet.v1.ClientApplicationService.SignForApp:input_type -> teleport.lib.vnet.v1.SignForAppRequest
+	21, // 24: teleport.lib.vnet.v1.ClientApplicationService.OnNewConnection:input_type -> teleport.lib.vnet.v1.OnNewConnectionRequest
+	23, // 25: teleport.lib.vnet.v1.ClientApplicationService.OnInvalidLocalPort:input_type -> teleport.lib.vnet.v1.OnInvalidLocalPortRequest
+	25, // 26: teleport.lib.vnet.v1.ClientApplicationService.GetTargetOSConfiguration:input_type -> teleport.lib.vnet.v1.GetTargetOSConfigurationRequest
+	28, // 27: teleport.lib.vnet.v1.ClientApplicationService.UserTLSCert:input_type -> teleport.lib.vnet.v1.UserTLSCertRequest
+	30, // 28: teleport.lib.vnet.v1.ClientApplicationService.SignForUserTLS:input_type -> teleport.lib.vnet.v1.SignForUserTLSRequest
+	32, // 29: teleport.lib.vnet.v1.ClientApplicationService.SessionSSHConfig:input_type -> teleport.lib.vnet.v1.SessionSSHConfigRequest
+	34, // 30: teleport.lib.vnet.v1.ClientApplicationService.SignForSSHSession:input_type -> teleport.lib.vnet.v1.SignForSSHSessionRequest
+	2,  // 31: teleport.lib.vnet.v1.ClientApplicationService.AuthenticateProcess:output_type -> teleport.lib.vnet.v1.AuthenticateProcessResponse
+	5,  // 32: teleport.lib.vnet.v1.ClientApplicationService.ReportNetworkStackInfo:output_type -> teleport.lib.vnet.v1.ReportNetworkStackInfoResponse
+	7,  // 33: teleport.lib.vnet.v1.ClientApplicationService.Ping:output_type -> teleport.lib.vnet.v1.PingResponse
+	9,  // 34: teleport.lib.vnet.v1.ClientApplicationService.ResolveFQDN:output_type -> teleport.lib.vnet.v1.ResolveFQDNResponse
+	17, // 35: teleport.lib.vnet.v1.ClientApplicationService.ReissueAppCert:output_type -> teleport.lib.vnet.v1.ReissueAppCertResponse
+	20, // 36: teleport.lib.vnet.v1.ClientApplicationService.SignForApp:output_type -> teleport.lib.vnet.v1.SignForAppResponse
+	22, // 37: teleport.lib.vnet.v1.ClientApplicationService.OnNewConnection:output_type -> teleport.lib.vnet.v1.OnNewConnectionResponse
+	24, // 38: teleport.lib.vnet.v1.ClientApplicationService.OnInvalidLocalPort:output_type -> teleport.lib.vnet.v1.OnInvalidLocalPortResponse
+	26, // 39: teleport.lib.vnet.v1.ClientApplicationService.GetTargetOSConfiguration:output_type -> teleport.lib.vnet.v1.GetTargetOSConfigurationResponse
+	29, // 40: teleport.lib.vnet.v1.ClientApplicationService.UserTLSCert:output_type -> teleport.lib.vnet.v1.UserTLSCertResponse
+	31, // 41: teleport.lib.vnet.v1.ClientApplicationService.SignForUserTLS:output_type -> teleport.lib.vnet.v1.SignForUserTLSResponse
+	33, // 42: teleport.lib.vnet.v1.ClientApplicationService.SessionSSHConfig:output_type -> teleport.lib.vnet.v1.SessionSSHConfigResponse
+	35, // 43: teleport.lib.vnet.v1.ClientApplicationService.SignForSSHSession:output_type -> teleport.lib.vnet.v1.SignForSSHSessionResponse
+	31, // [31:44] is the sub-list for method output_type
+	18, // [18:31] is the sub-list for method input_type
+	18, // [18:18] is the sub-list for extension type_name
+	18, // [18:18] is the sub-list for extension extendee
+	0,  // [0:18] is the sub-list for field type_name
 }
 
 func init() { file_teleport_lib_vnet_v1_client_application_service_proto_init() }
@@ -1997,7 +2278,7 @@ func file_teleport_lib_vnet_v1_client_application_service_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_lib_vnet_v1_client_application_service_proto_rawDesc), len(file_teleport_lib_vnet_v1_client_application_service_proto_rawDesc)),
 			NumEnums:      1,
-			NumMessages:   31,
+			NumMessages:   35,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
diff --git a/gen/proto/go/teleport/lib/vnet/v1/client_application_service_grpc.pb.go b/gen/proto/go/teleport/lib/vnet/v1/client_application_service_grpc.pb.go
index 8af306472da9f..d1b5e481447ce 100644
--- a/gen/proto/go/teleport/lib/vnet/v1/client_application_service_grpc.pb.go
+++ b/gen/proto/go/teleport/lib/vnet/v1/client_application_service_grpc.pb.go
@@ -46,6 +46,8 @@ const (
 	ClientApplicationService_GetTargetOSConfiguration_FullMethodName = "/teleport.lib.vnet.v1.ClientApplicationService/GetTargetOSConfiguration"
 	ClientApplicationService_UserTLSCert_FullMethodName              = "/teleport.lib.vnet.v1.ClientApplicationService/UserTLSCert"
 	ClientApplicationService_SignForUserTLS_FullMethodName           = "/teleport.lib.vnet.v1.ClientApplicationService/SignForUserTLS"
+	ClientApplicationService_SessionSSHConfig_FullMethodName         = "/teleport.lib.vnet.v1.ClientApplicationService/SessionSSHConfig"
+	ClientApplicationService_SignForSSHSession_FullMethodName        = "/teleport.lib.vnet.v1.ClientApplicationService/SignForSSHSession"
 )
 
 // ClientApplicationServiceClient is the client API for ClientApplicationService service.
@@ -87,6 +89,11 @@ type ClientApplicationServiceClient interface {
 	UserTLSCert(ctx context.Context, in *UserTLSCertRequest, opts ...grpc.CallOption) (*UserTLSCertResponse, error)
 	// SignForUserTLS signs a digest with the user TLS private key.
 	SignForUserTLS(ctx context.Context, in *SignForUserTLSRequest, opts ...grpc.CallOption) (*SignForUserTLSResponse, error)
+	// SessionSSHConfig returns the user SSH configuration for an SSH session.
+	SessionSSHConfig(ctx context.Context, in *SessionSSHConfigRequest, opts ...grpc.CallOption) (*SessionSSHConfigResponse, error)
+	// SignForSSHSession signs a digest with the SSH private key associated with the
+	// session from a previous call to SessionSSHConfig.
+	SignForSSHSession(ctx context.Context, in *SignForSSHSessionRequest, opts ...grpc.CallOption) (*SignForSSHSessionResponse, error)
 }
 
 type clientApplicationServiceClient struct {
@@ -207,6 +214,26 @@ func (c *clientApplicationServiceClient) SignForUserTLS(ctx context.Context, in
 	return out, nil
 }
 
+func (c *clientApplicationServiceClient) SessionSSHConfig(ctx context.Context, in *SessionSSHConfigRequest, opts ...grpc.CallOption) (*SessionSSHConfigResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(SessionSSHConfigResponse)
+	err := c.cc.Invoke(ctx, ClientApplicationService_SessionSSHConfig_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *clientApplicationServiceClient) SignForSSHSession(ctx context.Context, in *SignForSSHSessionRequest, opts ...grpc.CallOption) (*SignForSSHSessionResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(SignForSSHSessionResponse)
+	err := c.cc.Invoke(ctx, ClientApplicationService_SignForSSHSession_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // ClientApplicationServiceServer is the server API for ClientApplicationService service.
 // All implementations must embed UnimplementedClientApplicationServiceServer
 // for forward compatibility.
@@ -246,6 +273,11 @@ type ClientApplicationServiceServer interface {
 	UserTLSCert(context.Context, *UserTLSCertRequest) (*UserTLSCertResponse, error)
 	// SignForUserTLS signs a digest with the user TLS private key.
 	SignForUserTLS(context.Context, *SignForUserTLSRequest) (*SignForUserTLSResponse, error)
+	// SessionSSHConfig returns the user SSH configuration for an SSH session.
+	SessionSSHConfig(context.Context, *SessionSSHConfigRequest) (*SessionSSHConfigResponse, error)
+	// SignForSSHSession signs a digest with the SSH private key associated with the
+	// session from a previous call to SessionSSHConfig.
+	SignForSSHSession(context.Context, *SignForSSHSessionRequest) (*SignForSSHSessionResponse, error)
 	mustEmbedUnimplementedClientApplicationServiceServer()
 }
 
@@ -289,6 +321,12 @@ func (UnimplementedClientApplicationServiceServer) UserTLSCert(context.Context,
 func (UnimplementedClientApplicationServiceServer) SignForUserTLS(context.Context, *SignForUserTLSRequest) (*SignForUserTLSResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method SignForUserTLS not implemented")
 }
+func (UnimplementedClientApplicationServiceServer) SessionSSHConfig(context.Context, *SessionSSHConfigRequest) (*SessionSSHConfigResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method SessionSSHConfig not implemented")
+}
+func (UnimplementedClientApplicationServiceServer) SignForSSHSession(context.Context, *SignForSSHSessionRequest) (*SignForSSHSessionResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method SignForSSHSession not implemented")
+}
 func (UnimplementedClientApplicationServiceServer) mustEmbedUnimplementedClientApplicationServiceServer() {
 }
 func (UnimplementedClientApplicationServiceServer) testEmbeddedByValue() {}
@@ -509,6 +547,42 @@ func _ClientApplicationService_SignForUserTLS_Handler(srv interface{}, ctx conte
 	return interceptor(ctx, in, info, handler)
 }
 
+func _ClientApplicationService_SessionSSHConfig_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SessionSSHConfigRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ClientApplicationServiceServer).SessionSSHConfig(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: ClientApplicationService_SessionSSHConfig_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ClientApplicationServiceServer).SessionSSHConfig(ctx, req.(*SessionSSHConfigRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _ClientApplicationService_SignForSSHSession_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SignForSSHSessionRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ClientApplicationServiceServer).SignForSSHSession(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: ClientApplicationService_SignForSSHSession_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ClientApplicationServiceServer).SignForSSHSession(ctx, req.(*SignForSSHSessionRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 // ClientApplicationService_ServiceDesc is the grpc.ServiceDesc for ClientApplicationService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -560,6 +634,14 @@ var ClientApplicationService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "SignForUserTLS",
 			Handler:    _ClientApplicationService_SignForUserTLS_Handler,
 		},
+		{
+			MethodName: "SessionSSHConfig",
+			Handler:    _ClientApplicationService_SessionSSHConfig_Handler,
+		},
+		{
+			MethodName: "SignForSSHSession",
+			Handler:    _ClientApplicationService_SignForSSHSession_Handler,
+		},
 	},
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "teleport/lib/vnet/v1/client_application_service.proto",
diff --git a/lib/client/cluster_client.go b/lib/client/cluster_client.go
index f636c5d19d32b..40962d53ccc74 100644
--- a/lib/client/cluster_client.go
+++ b/lib/client/cluster_client.go
@@ -282,28 +282,66 @@ func (c *ClusterClient) SessionSSHConfig(ctx context.Context, user string, targe
 		return sshConfig, nil
 	}
 
-	keyRing, err := c.tc.localAgent.GetKeyRing(target.Cluster, WithAllCerts...)
+	newKeyRing, completedMFA, err := c.SessionSSHKeyRing(ctx, user, target)
 	if err != nil {
-		return nil, trace.Wrap(MFARequiredUnknown(err))
+		return nil, trace.Wrap(err)
+	}
+	if !completedMFA {
+		// The caller relies on this function returning an error if
+		// target.MFACheck is nil and session MFA was not actually required.
+		return nil, trace.Wrap(services.ErrSessionMFANotRequired)
+	}
+
+	am, err := newKeyRing.AsAuthMethod()
+	if err != nil {
+		return nil, trace.Wrap(ceremonyFailedErr{err})
+	}
+
+	sshConfig.Auth = []ssh.AuthMethod{am}
+	return sshConfig, nil
+}
+
+// SessionSSHKeyRing returns a KeyRing valid for an SSH session to the target.
+// If per session MFA is required to establish the connection, then the MFA
+// ceremony will be performed. If per session MFA is not required, the user's
+// base KeyRing for the cluster will be returned.
+func (c *ClusterClient) SessionSSHKeyRing(ctx context.Context, user string, target NodeDetails) (keyRing *KeyRing, completedMFA bool, err error) {
+	ctx, span := c.Tracer.Start(
+		ctx,
+		"clusterClient/SessionSSHKeyRing",
+		oteltrace.WithSpanKind(oteltrace.SpanKindClient),
+		oteltrace.WithAttributes(
+			attribute.String("cluster", c.tc.SiteName),
+		),
+	)
+	defer span.End()
+
+	baseKeyRing, err := c.tc.localAgent.GetKeyRing(target.Cluster, WithSSHCerts{})
+	if err != nil {
+		return nil, false, trace.Wrap(MFARequiredUnknown(err))
+	}
+
+	if target.MFACheck != nil && !target.MFACheck.Required {
+		return baseKeyRing, false, nil
 	}
 
 	// Always connect to root for getting new credentials, but attempt to reuse
 	// the existing client if possible.
-	rootClusterName, err := keyRing.RootClusterName()
+	rootClusterName, err := baseKeyRing.RootClusterName()
 	if err != nil {
-		return nil, trace.Wrap(MFARequiredUnknown(err))
+		return nil, false, trace.Wrap(MFARequiredUnknown(err))
 	}
 
 	mfaClt := c
 	if target.Cluster != rootClusterName {
 		cfg, err := c.ProxyClient.ClientConfig(ctx, rootClusterName)
 		if err != nil {
-			return nil, trace.Wrap(err)
+			return nil, false, trace.Wrap(err)
 		}
 
 		authClient, err := authclient.NewClient(cfg)
 		if err != nil {
-			return nil, trace.Wrap(MFARequiredUnknown(err))
+			return nil, false, trace.Wrap(MFARequiredUnknown(err))
 		}
 
 		mfaClt = &ClusterClient{
@@ -326,20 +364,19 @@ func (c *ClusterClient) SessionSSHConfig(ctx context.Context, user string, targe
 			RouteToCluster: target.Cluster,
 			MFACheck:       target.MFACheck,
 		},
-		keyRing,
+		baseKeyRing.Copy(),
 	)
 	if err != nil {
-		return nil, trace.Wrap(err)
+		if errors.Is(err, services.ErrSessionMFANotRequired) {
+			log.DebugContext(ctx, "Session MFA was not required, returning original KeyRing")
+			return baseKeyRing, false, nil
+		}
+		log.DebugContext(ctx, "Error performing session MFA ceremony", "error", err)
+		return nil, false, trace.Wrap(err)
 	}
 
 	log.DebugContext(ctx, "Issued single-use user certificate after an MFA check")
-	am, err := result.KeyRing.AsAuthMethod()
-	if err != nil {
-		return nil, trace.Wrap(ceremonyFailedErr{err})
-	}
-
-	sshConfig.Auth = []ssh.AuthMethod{am}
-	return sshConfig, nil
+	return result.KeyRing, true, nil
 }
 
 // prepareUserCertsRequest creates a [proto.UserCertsRequest] with the fields
diff --git a/lib/vnet/client_application_service.go b/lib/vnet/client_application_service.go
index 898089ebc3a6d..8be84e5d61ac5 100644
--- a/lib/vnet/client_application_service.go
+++ b/lib/vnet/client_application_service.go
@@ -17,16 +17,24 @@
 package vnet
 
 import (
+	"cmp"
 	"context"
 	"crypto"
 	"crypto/rand"
 	"crypto/rsa"
 	"sync"
+	"time"
 
+	"github.com/google/uuid"
 	"github.com/gravitational/trace"
+	"github.com/jonboulle/clockwork"
+	"golang.org/x/crypto/ssh"
 
 	"github.com/gravitational/teleport/api"
+	"github.com/gravitational/teleport/api/client/proto"
 	vnetv1 "github.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/v1"
+	"github.com/gravitational/teleport/lib/client"
+	"github.com/gravitational/teleport/lib/utils"
 )
 
 // clientApplicationService implements the gRPC
@@ -43,8 +51,8 @@ type clientApplicationService struct {
 	// ReportNetworkStackInfo.
 	networkStackInfo chan *vnetv1.NetworkStackInfo
 
-	// mu protects appSignerCache
-	mu sync.Mutex
+	// appSignerMu protects appSignerCache.
+	appSignerMu sync.Mutex
 	// appSignerCache caches the crypto.Signer for each certificate issued by
 	// ReissueAppCert so that SignForApp can later use that signer.
 	//
@@ -53,20 +61,35 @@ type clientApplicationService struct {
 	// ReissueAppCert, which will overwrite the signer for the app with a new
 	// one.
 	appSignerCache map[appKey]crypto.Signer
+
+	// sshSigners is a cache containing [crypto.Signer]s keyed by SSH session
+	// ID. This "session ID" is a concept only used here for retrieving a signer
+	// previously associated with the same session, it is not some Teleport
+	// session identifier.
+	sshSigners *utils.FnCache
 }
 
 type clientApplicationServiceConfig struct {
 	fqdnResolver          *fqdnResolver
 	localOSConfigProvider *LocalOSConfigProvider
 	clientApplication     ClientApplication
+	clock                 clockwork.Clock
 }
 
-func newClientApplicationService(cfg *clientApplicationServiceConfig) *clientApplicationService {
+func newClientApplicationService(cfg *clientApplicationServiceConfig) (*clientApplicationService, error) {
+	sshSigners, err := utils.NewFnCache(utils.FnCacheConfig{
+		TTL:   time.Minute,
+		Clock: cfg.clock,
+	})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
 	return &clientApplicationService{
 		cfg:              cfg,
 		networkStackInfo: make(chan *vnetv1.NetworkStackInfo, 1),
 		appSignerCache:   make(map[appKey]crypto.Signer),
-	}
+		sshSigners:       sshSigners,
+	}, nil
 }
 
 // AuthenticateProcess implements [vnetv1.ClientApplicationServiceServer.AuthenticateProcess].
@@ -181,14 +204,14 @@ func sign(signer crypto.Signer, signReq *vnetv1.SignRequest) ([]byte, error) {
 }
 
 func (s *clientApplicationService) setSignerForApp(appKey *vnetv1.AppKey, targetPort uint16, signer crypto.Signer) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
+	s.appSignerMu.Lock()
+	defer s.appSignerMu.Unlock()
 	s.appSignerCache[newAppKey(appKey, targetPort)] = signer
 }
 
 func (s *clientApplicationService) getSignerForApp(appKey *vnetv1.AppKey, targetPort uint16) (crypto.Signer, bool) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
+	s.appSignerMu.Lock()
+	defer s.appSignerMu.Unlock()
 	signer, ok := s.appSignerCache[newAppKey(appKey, targetPort)]
 	return signer, ok
 }
@@ -278,6 +301,105 @@ func (s *clientApplicationService) SignForUserTLS(ctx context.Context, req *vnet
 	}, nil
 }
 
+// SessionSSHConfig returns user SSH configuration values for an SSH session.
+func (s *clientApplicationService) SessionSSHConfig(ctx context.Context, req *vnetv1.SessionSSHConfigRequest) (*vnetv1.SessionSSHConfigResponse, error) {
+	clusterClient, err := s.cfg.clientApplication.GetCachedClient(ctx, req.GetProfile(), req.GetLeafCluster())
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	// If req.LeafCluster is not empty the node is in the leaf cluster, else it
+	// is in the root cluster.
+	targetCluster := cmp.Or(req.GetLeafCluster(), req.GetRootCluster())
+	target := client.NodeDetails{
+		Addr:    req.GetAddress(),
+		Cluster: targetCluster,
+	}
+	keyRing, completedMFA, err := clusterClient.SessionSSHKeyRing(ctx, req.GetUser(), target)
+	if err != nil {
+		return nil, trace.Wrap(err, "getting KeyRing for SSH session")
+	}
+	if !completedMFA && keyRing.Cert == nil && targetCluster == req.GetLeafCluster() {
+		// It's possible/likely the user doesn't have an SSH cert specifically
+		// for the leaf cluster. Luckily if MFA was not required, the root
+		// cluster cert should work.
+		log.DebugContext(ctx, "Leaf cluster KeyRing had no SSH cert, using root cluster KeyRing")
+		rootClusterClient, err := s.cfg.clientApplication.GetCachedClient(ctx, req.GetProfile(), "")
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+		// Set the target cluster to the root cluster and disable the MFA check
+		// so that SessionSSHKeyRing will just return the base root cluster
+		// keyring.
+		target.Cluster = req.GetRootCluster()
+		target.MFACheck = &proto.IsMFARequiredResponse{
+			Required:    false,
+			MFARequired: proto.MFARequired_MFA_REQUIRED_NO,
+		}
+		keyRing, _, err = rootClusterClient.SessionSSHKeyRing(ctx, req.GetUser(), target)
+		if err != nil {
+			return nil, trace.Wrap(err, "getting root cluster KeyRing for SSH session")
+		}
+	}
+	if len(keyRing.Cert) == 0 {
+		return nil, trace.Errorf("user KeyRing has no SSH cert")
+	}
+	sshCert, _, _, _, err := ssh.ParseAuthorizedKey(keyRing.Cert)
+	if err != nil {
+		return nil, trace.Wrap(err, "parsing user SSH certificate")
+	}
+	var trustedCAs [][]byte
+	for _, trustedCert := range keyRing.TrustedCerts {
+		if trustedCert.ClusterName != targetCluster {
+			continue
+		}
+		for _, authorizedKey := range trustedCert.AuthorizedKeys {
+			trustedCA, _, _, _, err := ssh.ParseAuthorizedKey(authorizedKey)
+			if err != nil {
+				return nil, trace.Wrap(err, "parsing CA cert")
+			}
+			trustedCAs = append(trustedCAs, trustedCA.Marshal())
+		}
+	}
+	if len(trustedCAs) == 0 {
+		return nil, trace.Errorf("user KeyRing host no trusted SSH CAs for cluster %s", targetCluster)
+	}
+	sessionID := s.setSignerForSSHSession(keyRing.SSHPrivateKey)
+	return &vnetv1.SessionSSHConfigResponse{
+		SessionId:  sessionID,
+		Cert:       sshCert.Marshal(),
+		TrustedCas: trustedCAs,
+	}, nil
+}
+
+// SignForSSHSession signs a digest with the SSH private key associated with the
+// session from a previous call to SessionSSHConfig.
+func (s *clientApplicationService) SignForSSHSession(ctx context.Context, req *vnetv1.SignForSSHSessionRequest) (*vnetv1.SignForSSHSessionResponse, error) {
+	signer, err := s.getSignerForSSHSession(ctx, req.GetSessionId())
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	signature, err := sign(signer, req.GetSign())
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return &vnetv1.SignForSSHSessionResponse{
+		Signature: signature,
+	}, nil
+}
+
+func (s *clientApplicationService) setSignerForSSHSession(signer crypto.Signer) string {
+	sessionID := uuid.NewString()
+	s.sshSigners.Set(sessionID, signer)
+	return sessionID
+}
+
+func (s *clientApplicationService) getSignerForSSHSession(ctx context.Context, sessionID string) (crypto.Signer, error) {
+	signer, err := utils.FnCacheGet(ctx, s.sshSigners, sessionID, func(ctx context.Context) (crypto.Signer, error) {
+		return nil, trace.NotFound("session key expired")
+	})
+	return signer, trace.Wrap(err)
+}
+
 // checkAppKey checks that at least the app profile and name are set, which are
 // necessary to to disambiguate apps. LeafCluster is expected to be empty if the
 // app is in a root cluster.
diff --git a/lib/vnet/client_application_service_client.go b/lib/vnet/client_application_service_client.go
index 394e327a28158..bf8149a5a2e7d 100644
--- a/lib/vnet/client_application_service_client.go
+++ b/lib/vnet/client_application_service_client.go
@@ -187,6 +187,31 @@ func (c *clientApplicationServiceClient) SignForUserTLS(ctx context.Context, req
 	return resp.GetSignature(), nil
 }
 
+// SessionSSHConfig returns user SSH configuration values for an SSH session.
+func (c *clientApplicationServiceClient) SessionSSHConfig(ctx context.Context, target dialTarget, user string) (*vnetv1.SessionSSHConfigResponse, error) {
+	resp, err := c.clt.SessionSSHConfig(ctx, &vnetv1.SessionSSHConfigRequest{
+		Profile:     target.profile,
+		RootCluster: target.rootCluster,
+		LeafCluster: target.leafCluster,
+		Address:     target.addr,
+		User:        user,
+	})
+	return resp, trace.Wrap(err, "calling SessionSSHConfig rpc")
+}
+
+// SignForSSHSession signs a digest with the SSH private key associated with the
+// session from a previous call to SessionSSHConfig.
+func (c *clientApplicationServiceClient) SignForSSHSession(ctx context.Context, sessionID string, sign *vnetv1.SignRequest) ([]byte, error) {
+	resp, err := c.clt.SignForSSHSession(ctx, &vnetv1.SignForSSHSessionRequest{
+		SessionId: sessionID,
+		Sign:      sign,
+	})
+	if err != nil {
+		return nil, trace.Wrap(err, "calling SignForSSHSession rpc")
+	}
+	return resp.GetSignature(), nil
+}
+
 // rpcSigner implements [crypto.Signer] for signatures that are issued by the
 // client application over gRPC.
 type rpcSigner struct {
diff --git a/lib/vnet/ssh_handler.go b/lib/vnet/ssh_handler.go
index f8e8e831ea24b..02b95f548d325 100644
--- a/lib/vnet/ssh_handler.go
+++ b/lib/vnet/ssh_handler.go
@@ -19,14 +19,17 @@ package vnet
 import (
 	"context"
 	"crypto/rand"
+	"fmt"
 	"net"
 	"strings"
 
 	"github.com/gravitational/trace"
 	"golang.org/x/crypto/ssh"
 
+	tracessh "github.com/gravitational/teleport/api/observability/tracing/ssh"
 	"github.com/gravitational/teleport/api/utils/sshutils"
 	"github.com/gravitational/teleport/lib/cryptosuites"
+	"github.com/gravitational/teleport/lib/utils"
 )
 
 // sshHandler handles incoming VNet SSH connections.
@@ -67,7 +70,8 @@ func (h *sshHandler) handleTCPConnectorWithTargetConn(
 	connector func() (net.Conn, error),
 	targetConn net.Conn,
 ) error {
-	hostCert, err := h.newHostCert(ctx)
+	target := h.cfg.target
+	hostCert, err := newHostCert(target.fqdn, h.cfg.sshProvider.hostCASigner)
 	if err != nil {
 		return trace.Wrap(err)
 	}
@@ -78,47 +82,111 @@ func (h *sshHandler) handleTCPConnectorWithTargetConn(
 	}
 	defer localConn.Close()
 
-	// For now we accept the incoming SSH connection but forwarding to the
-	// target is not implemented yet so we immediately close it.
+	var (
+		clientConn       *sshConn
+		clientConnErr    error
+		initiatedSSHConn bool
+	)
 	serverConfig := &ssh.ServerConfig{
+		// We attempt to initiate an SSH connection with the target server in
+		// PublicKeyCallback in order to fail the SSH authentication phase with
+		// the client if SSH authentication to the target fails. Otherwise, when
+		// connection to an SSH node the user is not allowed to access, they
+		// would just see an succesfull SSH handshake and then an immediately
+		// closed connection.
+		//
+		// TODO(nklaassen): if https://github.com/golang/go/issues/70795 ever
+		// gets implemented we should do this in VerifiedPublicKeyCallback
+		// instead.
 		PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
 			if !sshutils.KeysEqual(h.cfg.sshProvider.trustedUserPublicKey, key) {
-				return nil, trace.AccessDenied("SSH client public key is not trusted")
+				return nil, trace.AccessDenied("client public key is not trusted")
+			}
+			// Make sure to only initiate the SSH connection once in case
+			// PublicKeyCallback is called multiple times.
+			if initiatedSSHConn {
+				return nil, clientConnErr
+			}
+			initiatedSSHConn = true
+			clientConn, clientConnErr = h.initiateSSHConn(ctx, targetConn, conn.User())
+			if clientConnErr != nil {
+				// Attempt to send a friendlier errer message if we failed to
+				// initiate the SSH connection to the target by sending an auth
+				// banner message.
+				if utils.IsHandshakeFailedError(clientConnErr) {
+					// We don't have much real information about the error in
+					// this case, this is the same message tsh prints.
+					return nil, &ssh.BannerError{
+						Err:     clientConnErr,
+						Message: formatBannerMessage(fmt.Sprintf("access denied to %s connecting to %s", conn.User(), target.hostname)),
+					}
+				}
+				return nil, &ssh.BannerError{
+					Err:     clientConnErr,
+					Message: formatBannerMessage(trace.UserMessage(clientConnErr)),
+				}
 			}
 			return nil, nil
 		},
 	}
 	serverConfig.AddHostKey(hostCert)
-	serverConn, chans, reqs, err := ssh.NewServerConn(localConn, serverConfig)
+
+	serverConn, serverChans, serverReqs, err := ssh.NewServerConn(localConn, serverConfig)
 	if err != nil {
+		// Make sure to close the client conn if we already accepted it.
+		if clientConn != nil {
+			clientConn.Close()
+		}
 		return trace.Wrap(err, "accepting incoming SSH connection")
 	}
-	// Immediately close the connection but make sure to drain the channels.
-	serverConn.Close()
-	go ssh.DiscardRequests(reqs)
-	go func() {
-		for newChan := range chans {
-			_ = newChan.Reject(0, "")
-		}
-	}()
-	target := h.cfg.target
 	log.DebugContext(ctx, "Accepted incoming SSH connection",
 		"profile", target.profile,
 		"cluster", target.cluster,
-		"host", target.host,
+		"host", target.hostname,
 		"user", serverConn.User(),
 	)
-	return trace.NotImplemented("VNet SSH connection forwarding is not yet implemented")
+
+	// proxySSHConnection transparently proxies the SSH connection from the
+	// client to the target. It will handle closing the connections before it
+	// returns.
+	proxySSHConnection(ctx,
+		sshConn{
+			conn:  serverConn,
+			chans: serverChans,
+			reqs:  serverReqs,
+		},
+		*clientConn,
+	)
+	return nil
+}
+
+func (h *sshHandler) initiateSSHConn(ctx context.Context, targetConn net.Conn, user string) (*sshConn, error) {
+	target := h.cfg.target
+	clientConfig, err := h.cfg.sshProvider.sessionSSHConfig(ctx, target, user)
+	if err != nil {
+		return nil, trace.Wrap(err, "building SSH client config")
+	}
+	clientConn, clientChans, clientReqs, err := tracessh.NewClientConn(ctx, targetConn, target.addr, clientConfig)
+	if err != nil {
+		return nil, trace.Wrap(err, "initiating SSH connection to %s@%s", user, target.addr)
+	}
+	log.DebugContext(ctx, "Initiated SSH connection to target", "root_cluster", target.rootCluster,
+		"leaf_cluster", target.leafCluster, "host", target.addr)
+	return &sshConn{
+		conn:  clientConn,
+		chans: clientChans,
+		reqs:  clientReqs,
+	}, nil
 }
 
-func (h *sshHandler) newHostCert(ctx context.Context) (ssh.Signer, error) {
+func newHostCert(fqdn string, ca ssh.Signer) (ssh.Signer, error) {
 	// If the user typed "ssh host.com" or "ssh host.com." our DNS handler will
 	// only see the fully-qualified variant with the trailing "." but the SSH
 	// client treats them differently, we need both in the principals if we want
 	// the cert to be trusted in both cases.
 	validPrincipals := []string{
-		h.cfg.target.fqdn,
-		strings.TrimSuffix(h.cfg.target.fqdn, "."),
+		fqdn,
+		strings.TrimSuffix(fqdn, "."),
 	}
 	// We generate an ephemeral key for every connection, Ed25519 is fast and
 	// well supported.
@@ -141,9 +209,13 @@ func (h *sshHandler) newHostCert(ctx context.Context) (ssh.Signer, error) {
 		// host. The expiry doesn't matter.
 		ValidBefore: ssh.CertTimeInfinity,
 	}
-	if err := cert.SignCert(rand.Reader, h.cfg.sshProvider.hostCASigner); err != nil {
+	if err := cert.SignCert(rand.Reader, ca); err != nil {
 		return nil, trace.Wrap(err, "signing SSH host cert")
 	}
 	certSigner, err := ssh.NewCertSigner(cert, hostSigner)
 	return certSigner, trace.Wrap(err)
 }
+
+func formatBannerMessage(msg string) string {
+	return "VNet: " + msg + "\n"
+}
diff --git a/lib/vnet/ssh_provider.go b/lib/vnet/ssh_provider.go
index 1e0cc00e2ebd1..9bdc302a50b38 100644
--- a/lib/vnet/ssh_provider.go
+++ b/lib/vnet/ssh_provider.go
@@ -28,6 +28,7 @@ import (
 	"golang.org/x/crypto/ssh"
 
 	proxyclient "github.com/gravitational/teleport/api/client/proxy"
+	"github.com/gravitational/teleport/api/utils/sshutils"
 	vnetv1 "github.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/v1"
 	"github.com/gravitational/teleport/lib/cryptosuites"
 )
@@ -135,7 +136,7 @@ func (p *sshProvider) dialViaProxy(
 		return nil, trace.Wrap(err, "building proxy client")
 	}
 	// TODO(nklaassen): pass an SSH keyring to support proxy recording mode.
-	conn, _, err := pclt.DialHost(ctx, target.host, target.cluster, nil /*keyRing*/)
+	conn, _, err := pclt.DialHost(ctx, target.addr, target.cluster, nil /*keyRing*/)
 	if err != nil {
 		pclt.Close()
 		return nil, trace.Wrap(err, "dialing target via proxy")
@@ -181,27 +182,99 @@ func (p *sshProvider) userTLSConfig(
 	}, nil
 }
 
+func (p *sshProvider) sessionSSHConfig(
+	ctx context.Context,
+	target dialTarget,
+	user string,
+) (*ssh.ClientConfig, error) {
+	// TODO(nklaassen): cache session SSH configs so we don't have to regenerate
+	// every time.
+	resp, err := p.cfg.clt.SessionSSHConfig(ctx, target, user)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	sshPub, err := ssh.ParsePublicKey(resp.GetCert())
+	if err != nil {
+		return nil, trace.Wrap(err, "parsing session SSH cert")
+	}
+	sshCert, ok := sshPub.(*ssh.Certificate)
+	if !ok {
+		return nil, trace.BadParameter("expected ssh.Certificate, got %T", sshCert)
+	}
+	cryptoPub, ok := sshCert.Key.(ssh.CryptoPublicKey)
+	if !ok {
+		return nil, trace.BadParameter("expected SSH key to implement CryptoPublicKey, got %T", sshCert.Key)
+	}
+	sessionID := resp.GetSessionId()
+	signer := &rpcSigner{
+		pub: cryptoPub.CryptoPublicKey(),
+		sendRequest: func(req *vnetv1.SignRequest) ([]byte, error) {
+			return p.cfg.clt.SignForSSHSession(ctx, sessionID, req)
+		},
+	}
+	sshSigner, err := ssh.NewSignerFromSigner(signer)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	certSigner, err := ssh.NewCertSigner(sshCert, sshSigner)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	hostKeyCallback, err := buildHostKeyCallback(resp.GetTrustedCas(), p.cfg.clock)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return &ssh.ClientConfig{
+		Auth:            []ssh.AuthMethod{ssh.PublicKeys(certSigner)},
+		User:            user,
+		HostKeyCallback: hostKeyCallback,
+	}, nil
+}
+
+func buildHostKeyCallback(trustedCAs [][]byte, clock clockwork.Clock) (ssh.HostKeyCallback, error) {
+	var caKeys []ssh.PublicKey
+	for _, trustedCA := range trustedCAs {
+		caKey, err := ssh.ParsePublicKey(trustedCA)
+		if err != nil {
+			return nil, trace.Wrap(err, "parsing trusted CA key")
+		}
+		caKeys = append(caKeys, caKey)
+	}
+	hostKeyCallback, err := sshutils.NewHostKeyCallback(sshutils.HostKeyCallbackConfig{
+		GetHostCheckers: func() ([]ssh.PublicKey, error) {
+			return caKeys, nil
+		},
+		Clock: clock,
+	})
+	return hostKeyCallback, trace.Wrap(err, "building host key callback")
+}
+
 type dialTarget struct {
-	fqdn    string
-	profile string
-	cluster string
-	host    string
+	fqdn        string
+	profile     string
+	rootCluster string
+	leafCluster string
+	cluster     string
+	hostname    string
+	addr        string
 }
 
 func computeDialTarget(matchedCluster *vnetv1.MatchedCluster, fqdn string) dialTarget {
-	targetProfile := matchedCluster.GetProfile()
 	targetCluster := matchedCluster.GetRootCluster()
 	targetHost := strings.TrimSuffix(fqdn, "."+matchedCluster.GetRootCluster()+".")
-	if leafCluster := matchedCluster.GetLeafCluster(); leafCluster != "" {
+	leafCluster := matchedCluster.GetLeafCluster()
+	if leafCluster != "" {
 		targetCluster = leafCluster
 		targetHost = strings.TrimSuffix(targetHost, "."+leafCluster)
 	}
-	targetHost = targetHost + ":0"
 	return dialTarget{
-		fqdn:    fqdn,
-		profile: targetProfile,
-		cluster: targetCluster,
-		host:    targetHost,
+		fqdn:        fqdn,
+		profile:     matchedCluster.GetProfile(),
+		rootCluster: matchedCluster.GetRootCluster(),
+		leafCluster: leafCluster,
+		cluster:     targetCluster,
+		hostname:    targetHost,
+		addr:        targetHost + ":0",
 	}
 }
 
diff --git a/lib/vnet/ssh_proxy.go b/lib/vnet/ssh_proxy.go
index 35c1f44e17b13..9dd2c2a0235e6 100644
--- a/lib/vnet/ssh_proxy.go
+++ b/lib/vnet/ssh_proxy.go
@@ -22,6 +22,7 @@ import (
 	"log/slog"
 	"sync"
 
+	"github.com/gravitational/trace"
 	"golang.org/x/crypto/ssh"
 
 	"github.com/gravitational/teleport/lib/utils"
@@ -34,6 +35,16 @@ type sshConn struct {
 	reqs  <-chan *ssh.Request
 }
 
+// Close closes the connection and drains all channels.
+func (c *sshConn) Close() error {
+	err := trace.Wrap(c.conn.Close())
+	go ssh.DiscardRequests(c.reqs)
+	for newChan := range c.chans {
+		newChan.Reject(0, "")
+	}
+	return err
+}
+
 // proxySSHConnection transparently proxies SSH channels and requests
 // between 2 established SSH connections. serverConn represents an incoming SSH
 // connection where this proxy acts as a server, client represents an outgoing
@@ -44,8 +55,8 @@ func proxySSHConnection(
 	clientConn sshConn,
 ) {
 	closeConnections := sync.OnceFunc(func() {
-		clientConn.conn.Close()
-		serverConn.conn.Close()
+		clientConn.Close()
+		serverConn.Close()
 	})
 	// Close both connections if the context is canceled.
 	stop := context.AfterFunc(ctx, closeConnections)
diff --git a/lib/vnet/ssh_proxy_test.go b/lib/vnet/ssh_proxy_test.go
index cca3f6a72862a..154d74ae0458b 100644
--- a/lib/vnet/ssh_proxy_test.go
+++ b/lib/vnet/ssh_proxy_test.go
@@ -103,6 +103,11 @@ func testSSHConnection(t *testing.T, dial dialer) {
 	sshConn, chans, reqs, err := ssh.NewClientConn(tcpConn, "localhost", clientConfig)
 	require.NoError(t, err)
 	defer sshConn.Close()
+
+	testConnectionToSshEchoServer(t, sshConn, chans, reqs)
+}
+
+func testConnectionToSshEchoServer(t *testing.T, sshConn ssh.Conn, chans <-chan ssh.NewChannel, reqs <-chan *ssh.Request) {
 	go ssh.DiscardRequests(reqs)
 	go func() {
 		for newChan := range chans {
diff --git a/lib/vnet/user_process.go b/lib/vnet/user_process.go
index acaa234a7cd1f..75df45f7fd196 100644
--- a/lib/vnet/user_process.go
+++ b/lib/vnet/user_process.go
@@ -25,6 +25,7 @@ import (
 
 	vnetv1 "github.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/v1"
 	"github.com/gravitational/teleport/lib/auth/authclient"
+	"github.com/gravitational/teleport/lib/client"
 )
 
 // ClientApplication is the common interface implemented by each VNet client
@@ -70,6 +71,7 @@ type ClusterClient interface {
 	CurrentCluster() authclient.ClientI
 	ClusterName() string
 	RootClusterName() string
+	SessionSSHKeyRing(ctx context.Context, user string, target client.NodeDetails) (keyRing *client.KeyRing, completedMFA bool, err error)
 }
 
 // RunUserProcess is the entry point called by all VNet client applications
@@ -101,11 +103,15 @@ func RunUserProcess(ctx context.Context, clientApplication ClientApplication) (*
 		clusterConfigCache: clusterConfigCache,
 		leafClusterCache:   leafClusterCache,
 	})
-	clientApplicationService := newClientApplicationService(&clientApplicationServiceConfig{
+	clientApplicationService, err := newClientApplicationService(&clientApplicationServiceConfig{
 		clientApplication:     clientApplication,
 		fqdnResolver:          fqdnResolver,
 		localOSConfigProvider: osConfigProvider,
+		clock:                 clock,
 	})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
 	userProcess := &UserProcess{
 		clientApplication:        clientApplication,
 		osConfigProvider:         osConfigProvider,
diff --git a/lib/vnet/vnet_test.go b/lib/vnet/vnet_test.go
index 3063f7d1a288a..e01ad78feebc1 100644
--- a/lib/vnet/vnet_test.go
+++ b/lib/vnet/vnet_test.go
@@ -62,7 +62,9 @@ import (
 	"github.com/gravitational/teleport/api/utils/sshutils"
 	vnetv1 "github.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/v1"
 	"github.com/gravitational/teleport/lib/auth/authclient"
+	"github.com/gravitational/teleport/lib/client"
 	"github.com/gravitational/teleport/lib/cryptosuites"
+	alpncommon "github.com/gravitational/teleport/lib/srv/alpnproxy/common"
 	"github.com/gravitational/teleport/lib/tlsca"
 	"github.com/gravitational/teleport/lib/utils"
 )
@@ -277,11 +279,13 @@ func runTestClientApplicationService(t *testing.T, ctx context.Context, clock cl
 		clusterConfigCache: clusterConfigCache,
 		leafClusterCache:   leafClusterCache,
 	})
-	clientApplicationService := newClientApplicationService(&clientApplicationServiceConfig{
+	clientApplicationService, err := newClientApplicationService(&clientApplicationServiceConfig{
 		clientApplication:     clientApp,
 		fqdnResolver:          fqdnResolver,
 		localOSConfigProvider: nil, // OS configuration is not needed in tests.
+		clock:                 clock,
 	})
+	require.NoError(t, err)
 
 	ipcCredentials, err := newIPCCredentials()
 	require.NoError(t, err)
@@ -333,7 +337,9 @@ type appSpec struct {
 	tcpPorts   []*types.PortRange
 }
 
-type nodeSpec struct{}
+type nodeSpec struct {
+	denyAccess bool
+}
 
 type testClusterSpec struct {
 	apps           []appSpec
@@ -346,9 +352,15 @@ type testClusterSpec struct {
 type fakeClientApp struct {
 	cfg *fakeClientAppConfig
 
-	tlsCA       tls.Certificate
-	userTLSCert tls.Certificate
-	dialOpts    *vnetv1.DialOptions
+	tlsCA    tls.Certificate
+	dialOpts *vnetv1.DialOptions
+
+	userTLSCertMu      sync.Mutex
+	userTLSCert        tls.Certificate
+	userTLSCertExpires time.Time
+
+	teleportHostCA ssh.Signer
+	teleportUserCA ssh.Signer
 
 	onNewConnectionCallCount    atomic.Uint32
 	onInvalidLocalPortCallCount atomic.Uint32
@@ -368,20 +380,31 @@ type fakeClientAppConfig struct {
 // able to run with any implementation of [ClientApplication] and little to no
 // other configuration.
 func newFakeClientApp(ctx context.Context, t *testing.T, cfg *fakeClientAppConfig) *fakeClientApp {
-	tlsCA := newSelfSignedCA(t)
-	dialOpts := mustStartFakeWebProxy(ctx, t, tlsCA, cfg.clock, cfg.signatureAlgorithmSuite)
-	userTLSCert, err := newClientCert(ctx,
-		tlsCA,
-		"testuser",
-		cfg.clock.Now().Add(defaults.CertDuration),
-		cfg.signatureAlgorithmSuite,
-		cryptosuites.UserTLS)
+	teleportHostCAKey, err := cryptosuites.GenerateKeyWithAlgorithm(cryptosuites.Ed25519)
+	require.NoError(t, err)
+	teleportHostCA, err := ssh.NewSignerFromSigner(teleportHostCAKey)
+	require.NoError(t, err)
+
+	teleportUserCAKey, err := cryptosuites.GenerateKeyWithAlgorithm(cryptosuites.Ed25519)
 	require.NoError(t, err)
+	teleportUserCA, err := ssh.NewSignerFromSigner(teleportUserCAKey)
+	require.NoError(t, err)
+
+	tlsCA := newSelfSignedCA(t)
+	dialOpts := mustStartFakeWebProxy(ctx, t, fakeWebProxyConfig{
+		tlsCA:  tlsCA,
+		hostCA: teleportHostCA,
+		userCA: teleportUserCA,
+		clock:  cfg.clock,
+		suite:  cfg.signatureAlgorithmSuite,
+	})
+
 	return &fakeClientApp{
 		cfg:                  cfg,
 		tlsCA:                tlsCA,
-		userTLSCert:          userTLSCert,
 		dialOpts:             dialOpts,
+		teleportHostCA:       teleportHostCA,
+		teleportUserCA:       teleportUserCA,
 		requestedRouteToApps: make(map[string][]*proto.RouteToApp),
 	}
 }
@@ -406,6 +429,10 @@ func (p *fakeClientApp) GetCachedClient(ctx context.Context, profileName, leafCl
 				clusterName:     profileName,
 				rootClusterName: profileName,
 			},
+			clusterSpec:    &rootCluster,
+			teleportHostCA: p.teleportHostCA,
+			teleportUserCA: p.teleportUserCA,
+			clock:          p.cfg.clock,
 		}, nil
 	}
 	leafCluster, ok := rootCluster.leafClusters[leafClusterName]
@@ -418,6 +445,10 @@ func (p *fakeClientApp) GetCachedClient(ctx context.Context, profileName, leafCl
 			clusterName:     leafClusterName,
 			rootClusterName: profileName,
 		},
+		clusterSpec:    &leafCluster,
+		teleportHostCA: p.teleportHostCA,
+		teleportUserCA: p.teleportUserCA,
+		clock:          p.cfg.clock,
 	}, nil
 }
 
@@ -437,7 +468,26 @@ func (p *fakeClientApp) ReissueAppCert(ctx context.Context, appInfo *vnetv1.AppI
 }
 
 func (p *fakeClientApp) UserTLSCert(ctx context.Context, profileName string) (tls.Certificate, error) {
-	return p.userTLSCert, nil
+	p.userTLSCertMu.Lock()
+	defer p.userTLSCertMu.Unlock()
+
+	now := p.cfg.clock.Now()
+	if now.Before(p.userTLSCertExpires) {
+		return p.userTLSCert, nil
+	}
+	expiry := now.Add(defaults.CertDuration)
+	userTLSCert, err := newClientCert(ctx,
+		p.tlsCA,
+		"testuser",
+		expiry,
+		p.cfg.signatureAlgorithmSuite,
+		cryptosuites.UserTLS)
+	if err != nil {
+		return tls.Certificate{}, trace.Wrap(err)
+	}
+	p.userTLSCert = userTLSCert
+	p.userTLSCertExpires = expiry
+	return userTLSCert, nil
 }
 
 func (p *fakeClientApp) RequestedRouteToApps(publicAddr string) []*proto.RouteToApp {
@@ -531,16 +581,19 @@ func (p *fakeClientApp) dialSSHNode(
 			return nil, trace.NotFound("no such cluster")
 		}
 	}
-	if _, ok := targetCluster.nodes[strings.TrimSuffix(target.host, ":0")]; !ok {
+	if _, ok := targetCluster.nodes[target.hostname]; !ok {
 		return nil, trace.NotFound("no such host")
 	}
-	// For now just let it dial the fake web proxy, later we'll need to set up a
-	// fake SSH server for the test to dial to.
+	tlsConfig.NextProtos = []string{string(alpncommon.ProtocolProxySSH)}
 	return tls.Dial("tcp", dialOpts.GetWebProxyAddr(), tlsConfig)
 }
 
 type fakeClusterClient struct {
-	authClient *fakeAuthClient
+	authClient     *fakeAuthClient
+	clusterSpec    *testClusterSpec
+	teleportHostCA ssh.Signer
+	teleportUserCA ssh.Signer
+	clock          clockwork.Clock
 }
 
 func (c *fakeClusterClient) CurrentCluster() authclient.ClientI {
@@ -555,6 +608,52 @@ func (c *fakeClusterClient) RootClusterName() string {
 	return c.authClient.rootClusterName
 }
 
+func (c *fakeClusterClient) SessionSSHKeyRing(ctx context.Context, user string, target client.NodeDetails) (*client.KeyRing, bool, error) {
+	targetHost, _, err := net.SplitHostPort(target.Addr)
+	if err != nil {
+		return nil, false, trace.Wrap(err)
+	}
+	nodeSpec, ok := c.clusterSpec.nodes[targetHost]
+	if !ok {
+		return nil, false, trace.NotFound("no such node")
+	}
+	if nodeSpec.denyAccess {
+		return nil, false, trace.AccessDenied("access denied to %s", targetHost)
+	}
+	userSSHKey, err := cryptosuites.GeneratePrivateKeyWithAlgorithm(cryptosuites.Ed25519)
+	if err != nil {
+		return nil, false, trace.Wrap(err)
+	}
+	userSSHSigner, err := ssh.NewSignerFromSigner(userSSHKey)
+	if err != nil {
+		return nil, false, trace.Wrap(err)
+	}
+	now := c.clock.Now()
+	cert := &ssh.Certificate{
+		Key:             userSSHSigner.PublicKey(),
+		Serial:          1,
+		CertType:        ssh.UserCert,
+		ValidPrincipals: []string{user},
+		ValidAfter:      uint64(now.Add(-1 * time.Minute).Unix()),
+		ValidBefore:     uint64(now.Add(time.Minute).Unix()),
+	}
+	if err := cert.SignCert(rand.Reader, c.teleportUserCA); err != nil {
+		return nil, false, trace.Wrap(err)
+	}
+	trustedCert := ssh.MarshalAuthorizedKey(c.teleportHostCA.PublicKey())
+	k := &client.KeyRing{
+		SSHPrivateKey: userSSHKey,
+		Cert:          ssh.MarshalAuthorizedKey(cert),
+		TrustedCerts: []authclient.TrustedCerts{
+			{
+				ClusterName:    c.ClusterName(),
+				AuthorizedKeys: [][]byte{trustedCert},
+			},
+		},
+	}
+	return k, false, nil
+}
+
 // fakeAuthClient is a fake auth client that answers GetResources requests with a static list of apps and
 // basic/faked predicate filtering.
 type fakeAuthClient struct {
@@ -1066,7 +1165,8 @@ func TestSSH(t *testing.T) {
 			"root1.example.com": {
 				cidrRange: root1CIDR,
 				nodes: map[string]nodeSpec{
-					"node": {},
+					"node":     {},
+					"denynode": {denyAccess: true},
 				},
 				leafClusters: map[string]testClusterSpec{
 					"leaf1.example.com": {
@@ -1127,8 +1227,10 @@ func TestSSH(t *testing.T) {
 		sshUser                  string
 		sshUserSigner            ssh.Signer
 		expectSSHHandshakeToFail bool
+		expectBannerMessages     []string
 	}{
 		{
+			// Connection to node in root cluster should work.
 			dialAddr:      "node.root1.example.com",
 			dialPort:      22,
 			expectCIDR:    root1CIDR,
@@ -1151,6 +1253,7 @@ func TestSSH(t *testing.T) {
 			expectDialToFail: true,
 		},
 		{
+			// SSH handshake should fail if using the wrong user key.
 			dialAddr:                 "node.root1.example.com",
 			dialPort:                 22,
 			expectCIDR:               root1CIDR,
@@ -1159,6 +1262,32 @@ func TestSSH(t *testing.T) {
 			expectSSHHandshakeToFail: true,
 		},
 		{
+			// Access to denied node should be denied with appropriate banner
+			// messages.
+			dialAddr:      "denynode.root1.example.com",
+			dialPort:      22,
+			expectCIDR:    root1CIDR,
+			sshUser:       "testuser",
+			sshUserSigner: sshUserSigner,
+			expectBannerMessages: []string{
+				"VNet: building SSH client config\n\tcalling SessionSSHConfig rpc\n\t\tgetting KeyRing for SSH session\n\taccess denied to denynode\n",
+			},
+			expectSSHHandshakeToFail: true,
+		},
+		{
+			// username "denyuser" is hardcoded to be denied.
+			dialAddr:      "node.root1.example.com",
+			dialPort:      22,
+			expectCIDR:    root1CIDR,
+			sshUser:       "denyuser",
+			sshUserSigner: sshUserSigner,
+			expectBannerMessages: []string{
+				"VNet: access denied to denyuser connecting to node\n",
+			},
+			expectSSHHandshakeToFail: true,
+		},
+		{
+			// Connection to node in leaf cluster should work.
 			dialAddr:      "node.leaf1.example.com.root1.example.com",
 			dialPort:      22,
 			expectCIDR:    leaf1CIDR,
@@ -1166,6 +1295,8 @@ func TestSSH(t *testing.T) {
 			sshUserSigner: sshUserSigner,
 		},
 		{
+			// Connection to node in root cluster in alternate profile should
+			// work.
 			dialAddr:      "node.root2.example.com",
 			dialPort:      22,
 			expectCIDR:    root2CIDR,
@@ -1173,6 +1304,8 @@ func TestSSH(t *testing.T) {
 			sshUserSigner: sshUserSigner,
 		},
 		{
+			// Connection to node in leaf cluster in alternate profile should
+			// work.
 			dialAddr:      "node.leaf2.example.com.root2.example.com",
 			dialPort:      22,
 			expectCIDR:    leaf2CIDR,
@@ -1243,18 +1376,26 @@ func TestSSH(t *testing.T) {
 				},
 				Clock: clock.Now,
 			}
+			var bannerMessages []string
 			clientConfig := &ssh.ClientConfig{
 				User:            tc.sshUser,
 				Auth:            []ssh.AuthMethod{ssh.PublicKeys(tc.sshUserSigner)},
 				HostKeyCallback: certChecker.CheckHostKey,
+				BannerCallback: func(msg string) error {
+					bannerMessages = append(bannerMessages, msg)
+					return nil
+				},
 			}
-			sshConn, _, _, err := ssh.NewClientConn(conn, fmt.Sprintf("%s:%d", tc.dialAddr, tc.dialPort), clientConfig)
+			sshConn, chans, reqs, err := ssh.NewClientConn(conn, fmt.Sprintf("%s:%d", tc.dialAddr, tc.dialPort), clientConfig)
+			assert.Equal(t, tc.expectBannerMessages, bannerMessages, "actual banner messages did not match the expected")
 			if tc.expectSSHHandshakeToFail {
-				require.Error(t, err, "expected SSH handshake to fail")
+				assert.Error(t, err, "expected SSH handshake to fail")
 				return
 			}
 			require.NoError(t, err)
 			defer sshConn.Close()
+
+			testConnectionToSshEchoServer(t, sshConn, chans, reqs)
 		})
 	}
 
@@ -1456,27 +1597,33 @@ func newLeafCert(
 	}, nil
 }
 
+type fakeWebProxyConfig struct {
+	tlsCA  tls.Certificate
+	hostCA ssh.Signer
+	userCA ssh.Signer
+	clock  clockwork.Clock
+	suite  types.SignatureAlgorithmSuite
+}
+
 func mustStartFakeWebProxy(
 	ctx context.Context,
 	t *testing.T,
-	ca tls.Certificate,
-	clock clockwork.Clock,
-	suite types.SignatureAlgorithmSuite,
+	cfg fakeWebProxyConfig,
 ) *vnetv1.DialOptions {
 	t.Helper()
 
 	roots := x509.NewCertPool()
-	caX509, err := x509.ParseCertificate(ca.Certificate[0])
+	caX509, err := x509.ParseCertificate(cfg.tlsCA.Certificate[0])
 	require.NoError(t, err)
 	roots.AddCert(caX509)
 
 	const proxyCN = "testproxy"
 	proxyCert, err := newServerCert(
 		ctx,
-		ca,
+		cfg.tlsCA,
 		proxyCN,
-		clock.Now().Add(365*24*time.Hour),
-		suite,
+		cfg.clock.Now().Add(365*24*time.Hour),
+		cfg.suite,
 		cryptosuites.HostIdentity,
 	)
 	require.NoError(t, err)
@@ -1485,12 +1632,56 @@ func mustStartFakeWebProxy(
 		Certificates: []tls.Certificate{proxyCert},
 		ClientAuth:   tls.RequireAndVerifyClientCert,
 		ClientCAs:    roots,
+		NextProtos: []string{
+			string(alpncommon.ProtocolProxySSH),
+			string(alpncommon.ProtocolTCP),
+		},
+	}
+
+	tcpAppHandler := func(conn net.Conn) error {
+		// All fake TCP apps for the tests get routed to this handler which
+		// simply echos any input back on the tcp connection.
+		_, err := io.Copy(conn, conn)
+		return trace.Wrap(err, "io.Copy error in proxy echo server")
+	}
+	sshHandler := func(conn net.Conn) error {
+		// All fake SSH nodes for the tests get routed to this handler which
+		// terminates the incoming SSH connection with an ephemeral host cert.
+		// It trusts cfg.userCA for incoming SSH connections but always denies
+		// access for SSH users named "denyuser". After completing the handshake
+		// it runs a test "echo" SSH server implemented in
+		// runTestSSHServerInstance.
+		hostCert, err := newHostCert("node", cfg.hostCA)
+		if err != nil {
+			return trace.Wrap(err)
+		}
+		certChecker := ssh.CertChecker{
+			IsUserAuthority: func(auth ssh.PublicKey) bool {
+				return sshutils.KeysEqual(auth, cfg.userCA.PublicKey())
+			},
+			Clock: cfg.clock.Now,
+		}
+		serverConfig := &ssh.ServerConfig{
+			PublicKeyCallback: func(conn ssh.ConnMetadata, pubKey ssh.PublicKey) (*ssh.Permissions, error) {
+				if conn.User() == "denyuser" {
+					return nil, trace.AccessDenied("access denied for denyuser")
+				}
+				return certChecker.Authenticate(conn, pubKey)
+			},
+		}
+		serverConfig.AddHostKey(hostCert)
+		return trace.Wrap(runTestSSHServerInstance(conn, serverConfig))
+	}
+
+	// Run a simplified TLS router for the test.
+	protocolHandlers := map[alpncommon.Protocol]func(net.Conn) error{
+		alpncommon.ProtocolTCP:      tcpAppHandler,
+		alpncommon.ProtocolProxySSH: sshHandler,
 	}
 
 	listener, err := tls.Listen("tcp", "localhost:0", proxyTLSConfig)
 	require.NoError(t, err)
 
-	// Run a fake web proxy that will accept any client connection and echo the input back.
 	utils.RunTestBackgroundTask(ctx, t, &utils.TestBackgroundTask{
 		Name: "web proxy",
 		Task: func(ctx context.Context) error {
@@ -1526,14 +1717,19 @@ func mustStartFakeWebProxy(
 					// It's important that the fake clock is never far behind the real clock, and that the
 					// cert NotBefore is always at/before the real current time, so the TLS library is
 					// satisfied.
-					if clock.Now().After(clientCerts[0].NotAfter) {
-						t.Logf("client cert is expired: currentTime=%s expiry=%s", clock.Now(), clientCerts[0].NotAfter)
+					if cfg.clock.Now().After(clientCerts[0].NotAfter) {
+						t.Logf("client cert is expired: currentTime=%s expiry=%s", cfg.clock.Now(), clientCerts[0].NotAfter)
 						return
 					}
 
-					_, err := io.Copy(conn, conn)
-					if err != nil && !utils.IsOKNetworkError(err) {
-						t.Logf("error in io.Copy for echo proxy server: %v", err)
+					protocol := tlsConn.ConnectionState().NegotiatedProtocol
+					handler, ok := protocolHandlers[alpncommon.Protocol(protocol)]
+					if !ok {
+						t.Logf("unhandled proxy protocol %s", protocol)
+						return
+					}
+					if err := handler(conn); err != nil {
+						t.Logf("error in protocol handler: %v", err)
 					}
 				}()
 			}
diff --git a/proto/teleport/lib/vnet/v1/client_application_service.proto b/proto/teleport/lib/vnet/v1/client_application_service.proto
index 4552204c8a483..340a36d4f0a12 100644
--- a/proto/teleport/lib/vnet/v1/client_application_service.proto
+++ b/proto/teleport/lib/vnet/v1/client_application_service.proto
@@ -57,6 +57,11 @@ service ClientApplicationService {
   rpc UserTLSCert(UserTLSCertRequest) returns (UserTLSCertResponse);
   // SignForUserTLS signs a digest with the user TLS private key.
   rpc SignForUserTLS(SignForUserTLSRequest) returns (SignForUserTLSResponse);
+  // SessionSSHConfig returns the user SSH configuration for an SSH session.
+  rpc SessionSSHConfig(SessionSSHConfigRequest) returns (SessionSSHConfigResponse);
+  // SignForSSHSession signs a digest with the SSH private key associated with the
+  // session from a previous call to SessionSSHConfig.
+  rpc SignForSSHSession(SignForSSHSessionRequest) returns (SignForSSHSessionResponse);
 }
 
 // AuthenticateProcessRequest is a request for AuthenticateProcess.
@@ -329,3 +334,46 @@ message SignForUserTLSResponse {
   // Signature is the signature.
   bytes signature = 1;
 }
+
+// SessionSSHConfigRequest is a request for SessionSSHConfig.
+message SessionSSHConfigRequest {
+  // Profile is the profile in which the SSH server is found.
+  string profile = 1;
+  // RootCluster is the cluster in which the SSH server is found.
+  string root_cluster = 2;
+  // LeafCluster is the leaf cluster in which the SSH server is found.
+  // If empty, the SSH server is in the root cluster.
+  string leaf_cluster = 3;
+  // Address is the address of the SSH server.
+  string address = 4;
+  // User is the SSH user the session is for.
+  string user = 5;
+}
+
+// SessionSSHConfigResponse is a response for SessionSSHConfig.
+message SessionSSHConfigResponse {
+  // SessionId is an opaque identifier for the session, it should be passed to
+  // SignForSSHSession to issue signatures with the private key associated with
+  // the session.
+  string session_id = 1;
+  // Cert is the session SSH certificate in SSH wire format.
+  bytes cert = 2;
+  // TrustedCas is a list of trusted SSH certificate authorities in SSH wire
+  // format.
+  repeated bytes trusted_cas = 3;
+}
+
+// SignForSSHSessionRequest is a request for SignForSSHSession.
+message SignForSSHSessionRequest {
+  // SessionId is an opaque identifier for the session returned from a previous
+  // call to SessionSSHConfig.
+  string session_id = 1;
+  // Sign holds signature request details.
+  SignRequest sign = 2;
+}
+
+// SignForSSHSessionResponse is a response for SignForSSHSession.
+message SignForSSHSessionResponse {
+  // Signature is the signature.
+  bytes signature = 1;
+}

From ab0fb8c2de7c9a885e337661fa6f1c99a27ae112 Mon Sep 17 00:00:00 2001
From: Nic Klaassen <nic@goteleport.com>
Date: Sat, 31 May 2025 22:50:10 -0700
Subject: [PATCH 04/25] [v18][vnet] feat: write VNet SSH keys to TELEPORT_HOME

Backport #55228 to branch/v18
---
 api/utils/keypaths/keypaths.go                |  27 ++++
 .../vnet/v1/client_application_service.pb.go  | 147 +++++++++++++++---
 .../v1/client_application_service_grpc.pb.go  |  42 +++++
 lib/client/keystore.go                        |  26 ++--
 lib/vnet/admin_process_common.go              |   6 +-
 lib/vnet/admin_process_darwin.go              |   2 +-
 lib/vnet/admin_process_windows.go             |   2 +-
 lib/vnet/client_application_service.go        |  20 +++
 lib/vnet/client_application_service_client.go |  19 +++
 lib/vnet/opensshconfig.go                     | 123 +++++++++++++++
 lib/vnet/ssh_provider.go                      |  41 ++---
 lib/vnet/vnet_test.go                         |  66 ++++----
 .../vnet/v1/client_application_service.proto  |  17 ++
 13 files changed, 441 insertions(+), 97 deletions(-)
 create mode 100644 lib/vnet/opensshconfig.go

diff --git a/api/utils/keypaths/keypaths.go b/api/utils/keypaths/keypaths.go
index 6e0bc36d1e3c7..f1853313f67fe 100644
--- a/api/utils/keypaths/keypaths.go
+++ b/api/utils/keypaths/keypaths.go
@@ -73,6 +73,15 @@ const (
 	profileFileExt = ".yaml"
 	// oracleWalletDirSuffix is the suffix of the oracle wallet database directory.
 	oracleWalletDirSuffix = "-wallet"
+	// VNetClientSSHKey is the file name of the SSH key used by third-party SSH
+	// clients to connect to VNet SSH.
+	VNetClientSSHKey = "id_vnet"
+	// VNetClientSSHKeyPub is the file name of the SSH public key matching
+	// VNetClientSSHKey.
+	VNetClientSSHKeyPub = VNetClientSSHKey + fileExtPub
+	// vnetKnownHosts is the file name of the known_hosts file trusted by
+	// third-party SSH clients connecting to VNet SSH.
+	vnetKnownHosts = "vnet_known_hosts"
 )
 
 // Here's the file layout of all these keypaths.
@@ -81,6 +90,9 @@ const (
 // ├── one.example.com.yaml            --> file containing profile details for proxy "one.example.com"
 // ├── two.example.com.yaml            --> file containing profile details for proxy "two.example.com"
 // ├── known_hosts                     --> trusted certificate authorities (their keys) in a format similar to known_hosts
+// ├── id_vnet                         --> SSH Private Key for third-party clients of VNet SSH
+// ├── id_vnet.pub                     --> SSH Public Key for third-party clients of VNet SSH
+// ├── vnet_known_hosts                --> trusted certificate authorities (their keys) for third-party clients of VNet SSH
 // └── keys							   --> session keys directory
 //    ├── one.example.com              --> Proxy hostname
 //    │   ├── certs.pem                --> TLS CA certs for the Teleport CA
@@ -429,6 +441,21 @@ func IdentitySSHCertPath(path string) string {
 	return path + fileExtSSHCert
 }
 
+// VNetClientSSHKeyPath returns the path to the VNet client SSH private key.
+func VNetClientSSHKeyPath(baseDir string) string {
+	return filepath.Join(baseDir, VNetClientSSHKey)
+}
+
+// VNetClientSSHKeyPubPath returns the path to the VNet client SSH public key.
+func VNetClientSSHKeyPubPath(baseDir string) string {
+	return filepath.Join(baseDir, VNetClientSSHKeyPub)
+}
+
+// VNetKnownHostsPath returns the path to the VNet known_hosts file.
+func VNetKnownHostsPath(baseDir string) string {
+	return filepath.Join(baseDir, vnetKnownHosts)
+}
+
 // TrimKeyPathSuffix returns the given path with any key suffix/extension trimmed off.
 func TrimKeyPathSuffix(path string) string {
 	return strings.TrimSuffix(path, fileExtTLSKey)
diff --git a/gen/proto/go/teleport/lib/vnet/v1/client_application_service.pb.go b/gen/proto/go/teleport/lib/vnet/v1/client_application_service.pb.go
index 921832bda2b01..a30d0cece9171 100644
--- a/gen/proto/go/teleport/lib/vnet/v1/client_application_service.pb.go
+++ b/gen/proto/go/teleport/lib/vnet/v1/client_application_service.pb.go
@@ -2025,6 +2025,100 @@ func (x *SignForSSHSessionResponse) GetSignature() []byte {
 	return nil
 }
 
+// ExchangeSSHKeysRequest is a request to exchange SSH keys for VNet SSH.
+type ExchangeSSHKeysRequest struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// HostPublicKey is the host key that should be trusted by clients connecting
+	// to VNet SSH addresses. It is encoded in OpenSSH wire format.
+	HostPublicKey []byte `protobuf:"bytes,1,opt,name=host_public_key,json=hostPublicKey,proto3" json:"host_public_key,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ExchangeSSHKeysRequest) Reset() {
+	*x = ExchangeSSHKeysRequest{}
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[35]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ExchangeSSHKeysRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ExchangeSSHKeysRequest) ProtoMessage() {}
+
+func (x *ExchangeSSHKeysRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[35]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ExchangeSSHKeysRequest.ProtoReflect.Descriptor instead.
+func (*ExchangeSSHKeysRequest) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{35}
+}
+
+func (x *ExchangeSSHKeysRequest) GetHostPublicKey() []byte {
+	if x != nil {
+		return x.HostPublicKey
+	}
+	return nil
+}
+
+// ExchangeSSHKeysResponse is a response for ExchangeSSHKeys.
+type ExchangeSSHKeysResponse struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// UserPublicKey is the user key that should be trusted by VNet for incoming
+	// connections from SSH clients. It is encoded in OpenSSH wire format.
+	UserPublicKey []byte `protobuf:"bytes,1,opt,name=user_public_key,json=userPublicKey,proto3" json:"user_public_key,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ExchangeSSHKeysResponse) Reset() {
+	*x = ExchangeSSHKeysResponse{}
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[36]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ExchangeSSHKeysResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ExchangeSSHKeysResponse) ProtoMessage() {}
+
+func (x *ExchangeSSHKeysResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[36]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ExchangeSSHKeysResponse.ProtoReflect.Descriptor instead.
+func (*ExchangeSSHKeysResponse) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{36}
+}
+
+func (x *ExchangeSSHKeysResponse) GetUserPublicKey() []byte {
+	if x != nil {
+		return x.UserPublicKey
+	}
+	return nil
+}
+
 var File_teleport_lib_vnet_v1_client_application_service_proto protoreflect.FileDescriptor
 
 const file_teleport_lib_vnet_v1_client_application_service_proto_rawDesc = "" +
@@ -2135,11 +2229,15 @@ const file_teleport_lib_vnet_v1_client_application_service_proto_rawDesc = "" +
 	"session_id\x18\x01 \x01(\tR\tsessionId\x125\n" +
 	"\x04sign\x18\x02 \x01(\v2!.teleport.lib.vnet.v1.SignRequestR\x04sign\"9\n" +
 	"\x19SignForSSHSessionResponse\x12\x1c\n" +
-	"\tsignature\x18\x01 \x01(\fR\tsignature*<\n" +
+	"\tsignature\x18\x01 \x01(\fR\tsignature\"@\n" +
+	"\x16ExchangeSSHKeysRequest\x12&\n" +
+	"\x0fhost_public_key\x18\x01 \x01(\fR\rhostPublicKey\"A\n" +
+	"\x17ExchangeSSHKeysResponse\x12&\n" +
+	"\x0fuser_public_key\x18\x01 \x01(\fR\ruserPublicKey*<\n" +
 	"\x04Hash\x12\x14\n" +
 	"\x10HASH_UNSPECIFIED\x10\x00\x12\r\n" +
 	"\tHASH_NONE\x10\x01\x12\x0f\n" +
-	"\vHASH_SHA256\x10\x022\xcc\v\n" +
+	"\vHASH_SHA256\x10\x022\xbc\f\n" +
 	"\x18ClientApplicationService\x12z\n" +
 	"\x13AuthenticateProcess\x120.teleport.lib.vnet.v1.AuthenticateProcessRequest\x1a1.teleport.lib.vnet.v1.AuthenticateProcessResponse\x12\x83\x01\n" +
 	"\x16ReportNetworkStackInfo\x123.teleport.lib.vnet.v1.ReportNetworkStackInfoRequest\x1a4.teleport.lib.vnet.v1.ReportNetworkStackInfoResponse\x12M\n" +
@@ -2154,7 +2252,8 @@ const file_teleport_lib_vnet_v1_client_application_service_proto_rawDesc = "" +
 	"\vUserTLSCert\x12(.teleport.lib.vnet.v1.UserTLSCertRequest\x1a).teleport.lib.vnet.v1.UserTLSCertResponse\x12k\n" +
 	"\x0eSignForUserTLS\x12+.teleport.lib.vnet.v1.SignForUserTLSRequest\x1a,.teleport.lib.vnet.v1.SignForUserTLSResponse\x12q\n" +
 	"\x10SessionSSHConfig\x12-.teleport.lib.vnet.v1.SessionSSHConfigRequest\x1a..teleport.lib.vnet.v1.SessionSSHConfigResponse\x12t\n" +
-	"\x11SignForSSHSession\x12..teleport.lib.vnet.v1.SignForSSHSessionRequest\x1a/.teleport.lib.vnet.v1.SignForSSHSessionResponseBLZJgithub.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/v1;vnetv1b\x06proto3"
+	"\x11SignForSSHSession\x12..teleport.lib.vnet.v1.SignForSSHSessionRequest\x1a/.teleport.lib.vnet.v1.SignForSSHSessionResponse\x12n\n" +
+	"\x0fExchangeSSHKeys\x12,.teleport.lib.vnet.v1.ExchangeSSHKeysRequest\x1a-.teleport.lib.vnet.v1.ExchangeSSHKeysResponseBLZJgithub.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/v1;vnetv1b\x06proto3"
 
 var (
 	file_teleport_lib_vnet_v1_client_application_service_proto_rawDescOnce sync.Once
@@ -2169,7 +2268,7 @@ func file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP() []
 }
 
 var file_teleport_lib_vnet_v1_client_application_service_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
-var file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes = make([]protoimpl.MessageInfo, 35)
+var file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes = make([]protoimpl.MessageInfo, 37)
 var file_teleport_lib_vnet_v1_client_application_service_proto_goTypes = []any{
 	(Hash)(0),                                // 0: teleport.lib.vnet.v1.Hash
 	(*AuthenticateProcessRequest)(nil),       // 1: teleport.lib.vnet.v1.AuthenticateProcessRequest
@@ -2207,7 +2306,9 @@ var file_teleport_lib_vnet_v1_client_application_service_proto_goTypes = []any{
 	(*SessionSSHConfigResponse)(nil),         // 33: teleport.lib.vnet.v1.SessionSSHConfigResponse
 	(*SignForSSHSessionRequest)(nil),         // 34: teleport.lib.vnet.v1.SignForSSHSessionRequest
 	(*SignForSSHSessionResponse)(nil),        // 35: teleport.lib.vnet.v1.SignForSSHSessionResponse
-	(*types.AppV3)(nil),                      // 36: types.AppV3
+	(*ExchangeSSHKeysRequest)(nil),           // 36: teleport.lib.vnet.v1.ExchangeSSHKeysRequest
+	(*ExchangeSSHKeysResponse)(nil),          // 37: teleport.lib.vnet.v1.ExchangeSSHKeysResponse
+	(*types.AppV3)(nil),                      // 38: types.AppV3
 }
 var file_teleport_lib_vnet_v1_client_application_service_proto_depIdxs = []int32{
 	4,  // 0: teleport.lib.vnet.v1.ReportNetworkStackInfoRequest.network_stack_info:type_name -> teleport.lib.vnet.v1.NetworkStackInfo
@@ -2216,7 +2317,7 @@ var file_teleport_lib_vnet_v1_client_application_service_proto_depIdxs = []int32
 	12, // 3: teleport.lib.vnet.v1.ResolveFQDNResponse.matched_cluster:type_name -> teleport.lib.vnet.v1.MatchedCluster
 	13, // 4: teleport.lib.vnet.v1.MatchedTCPApp.app_info:type_name -> teleport.lib.vnet.v1.AppInfo
 	14, // 5: teleport.lib.vnet.v1.AppInfo.app_key:type_name -> teleport.lib.vnet.v1.AppKey
-	36, // 6: teleport.lib.vnet.v1.AppInfo.app:type_name -> types.AppV3
+	38, // 6: teleport.lib.vnet.v1.AppInfo.app:type_name -> types.AppV3
 	15, // 7: teleport.lib.vnet.v1.AppInfo.dial_options:type_name -> teleport.lib.vnet.v1.DialOptions
 	13, // 8: teleport.lib.vnet.v1.ReissueAppCertRequest.app_info:type_name -> teleport.lib.vnet.v1.AppInfo
 	14, // 9: teleport.lib.vnet.v1.SignForAppRequest.app_key:type_name -> teleport.lib.vnet.v1.AppKey
@@ -2241,21 +2342,23 @@ var file_teleport_lib_vnet_v1_client_application_service_proto_depIdxs = []int32
 	30, // 28: teleport.lib.vnet.v1.ClientApplicationService.SignForUserTLS:input_type -> teleport.lib.vnet.v1.SignForUserTLSRequest
 	32, // 29: teleport.lib.vnet.v1.ClientApplicationService.SessionSSHConfig:input_type -> teleport.lib.vnet.v1.SessionSSHConfigRequest
 	34, // 30: teleport.lib.vnet.v1.ClientApplicationService.SignForSSHSession:input_type -> teleport.lib.vnet.v1.SignForSSHSessionRequest
-	2,  // 31: teleport.lib.vnet.v1.ClientApplicationService.AuthenticateProcess:output_type -> teleport.lib.vnet.v1.AuthenticateProcessResponse
-	5,  // 32: teleport.lib.vnet.v1.ClientApplicationService.ReportNetworkStackInfo:output_type -> teleport.lib.vnet.v1.ReportNetworkStackInfoResponse
-	7,  // 33: teleport.lib.vnet.v1.ClientApplicationService.Ping:output_type -> teleport.lib.vnet.v1.PingResponse
-	9,  // 34: teleport.lib.vnet.v1.ClientApplicationService.ResolveFQDN:output_type -> teleport.lib.vnet.v1.ResolveFQDNResponse
-	17, // 35: teleport.lib.vnet.v1.ClientApplicationService.ReissueAppCert:output_type -> teleport.lib.vnet.v1.ReissueAppCertResponse
-	20, // 36: teleport.lib.vnet.v1.ClientApplicationService.SignForApp:output_type -> teleport.lib.vnet.v1.SignForAppResponse
-	22, // 37: teleport.lib.vnet.v1.ClientApplicationService.OnNewConnection:output_type -> teleport.lib.vnet.v1.OnNewConnectionResponse
-	24, // 38: teleport.lib.vnet.v1.ClientApplicationService.OnInvalidLocalPort:output_type -> teleport.lib.vnet.v1.OnInvalidLocalPortResponse
-	26, // 39: teleport.lib.vnet.v1.ClientApplicationService.GetTargetOSConfiguration:output_type -> teleport.lib.vnet.v1.GetTargetOSConfigurationResponse
-	29, // 40: teleport.lib.vnet.v1.ClientApplicationService.UserTLSCert:output_type -> teleport.lib.vnet.v1.UserTLSCertResponse
-	31, // 41: teleport.lib.vnet.v1.ClientApplicationService.SignForUserTLS:output_type -> teleport.lib.vnet.v1.SignForUserTLSResponse
-	33, // 42: teleport.lib.vnet.v1.ClientApplicationService.SessionSSHConfig:output_type -> teleport.lib.vnet.v1.SessionSSHConfigResponse
-	35, // 43: teleport.lib.vnet.v1.ClientApplicationService.SignForSSHSession:output_type -> teleport.lib.vnet.v1.SignForSSHSessionResponse
-	31, // [31:44] is the sub-list for method output_type
-	18, // [18:31] is the sub-list for method input_type
+	36, // 31: teleport.lib.vnet.v1.ClientApplicationService.ExchangeSSHKeys:input_type -> teleport.lib.vnet.v1.ExchangeSSHKeysRequest
+	2,  // 32: teleport.lib.vnet.v1.ClientApplicationService.AuthenticateProcess:output_type -> teleport.lib.vnet.v1.AuthenticateProcessResponse
+	5,  // 33: teleport.lib.vnet.v1.ClientApplicationService.ReportNetworkStackInfo:output_type -> teleport.lib.vnet.v1.ReportNetworkStackInfoResponse
+	7,  // 34: teleport.lib.vnet.v1.ClientApplicationService.Ping:output_type -> teleport.lib.vnet.v1.PingResponse
+	9,  // 35: teleport.lib.vnet.v1.ClientApplicationService.ResolveFQDN:output_type -> teleport.lib.vnet.v1.ResolveFQDNResponse
+	17, // 36: teleport.lib.vnet.v1.ClientApplicationService.ReissueAppCert:output_type -> teleport.lib.vnet.v1.ReissueAppCertResponse
+	20, // 37: teleport.lib.vnet.v1.ClientApplicationService.SignForApp:output_type -> teleport.lib.vnet.v1.SignForAppResponse
+	22, // 38: teleport.lib.vnet.v1.ClientApplicationService.OnNewConnection:output_type -> teleport.lib.vnet.v1.OnNewConnectionResponse
+	24, // 39: teleport.lib.vnet.v1.ClientApplicationService.OnInvalidLocalPort:output_type -> teleport.lib.vnet.v1.OnInvalidLocalPortResponse
+	26, // 40: teleport.lib.vnet.v1.ClientApplicationService.GetTargetOSConfiguration:output_type -> teleport.lib.vnet.v1.GetTargetOSConfigurationResponse
+	29, // 41: teleport.lib.vnet.v1.ClientApplicationService.UserTLSCert:output_type -> teleport.lib.vnet.v1.UserTLSCertResponse
+	31, // 42: teleport.lib.vnet.v1.ClientApplicationService.SignForUserTLS:output_type -> teleport.lib.vnet.v1.SignForUserTLSResponse
+	33, // 43: teleport.lib.vnet.v1.ClientApplicationService.SessionSSHConfig:output_type -> teleport.lib.vnet.v1.SessionSSHConfigResponse
+	35, // 44: teleport.lib.vnet.v1.ClientApplicationService.SignForSSHSession:output_type -> teleport.lib.vnet.v1.SignForSSHSessionResponse
+	37, // 45: teleport.lib.vnet.v1.ClientApplicationService.ExchangeSSHKeys:output_type -> teleport.lib.vnet.v1.ExchangeSSHKeysResponse
+	32, // [32:46] is the sub-list for method output_type
+	18, // [18:32] is the sub-list for method input_type
 	18, // [18:18] is the sub-list for extension type_name
 	18, // [18:18] is the sub-list for extension extendee
 	0,  // [0:18] is the sub-list for field type_name
@@ -2278,7 +2381,7 @@ func file_teleport_lib_vnet_v1_client_application_service_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_lib_vnet_v1_client_application_service_proto_rawDesc), len(file_teleport_lib_vnet_v1_client_application_service_proto_rawDesc)),
 			NumEnums:      1,
-			NumMessages:   35,
+			NumMessages:   37,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
diff --git a/gen/proto/go/teleport/lib/vnet/v1/client_application_service_grpc.pb.go b/gen/proto/go/teleport/lib/vnet/v1/client_application_service_grpc.pb.go
index d1b5e481447ce..e153a98dd6646 100644
--- a/gen/proto/go/teleport/lib/vnet/v1/client_application_service_grpc.pb.go
+++ b/gen/proto/go/teleport/lib/vnet/v1/client_application_service_grpc.pb.go
@@ -48,6 +48,7 @@ const (
 	ClientApplicationService_SignForUserTLS_FullMethodName           = "/teleport.lib.vnet.v1.ClientApplicationService/SignForUserTLS"
 	ClientApplicationService_SessionSSHConfig_FullMethodName         = "/teleport.lib.vnet.v1.ClientApplicationService/SessionSSHConfig"
 	ClientApplicationService_SignForSSHSession_FullMethodName        = "/teleport.lib.vnet.v1.ClientApplicationService/SignForSSHSession"
+	ClientApplicationService_ExchangeSSHKeys_FullMethodName          = "/teleport.lib.vnet.v1.ClientApplicationService/ExchangeSSHKeys"
 )
 
 // ClientApplicationServiceClient is the client API for ClientApplicationService service.
@@ -94,6 +95,9 @@ type ClientApplicationServiceClient interface {
 	// SignForSSHSession signs a digest with the SSH private key associated with the
 	// session from a previous call to SessionSSHConfig.
 	SignForSSHSession(ctx context.Context, in *SignForSSHSessionRequest, opts ...grpc.CallOption) (*SignForSSHSessionResponse, error)
+	// ExchangeSSHKeys sends VNet's SSH host CA key to the client application and
+	// returns the user public key.
+	ExchangeSSHKeys(ctx context.Context, in *ExchangeSSHKeysRequest, opts ...grpc.CallOption) (*ExchangeSSHKeysResponse, error)
 }
 
 type clientApplicationServiceClient struct {
@@ -234,6 +238,16 @@ func (c *clientApplicationServiceClient) SignForSSHSession(ctx context.Context,
 	return out, nil
 }
 
+func (c *clientApplicationServiceClient) ExchangeSSHKeys(ctx context.Context, in *ExchangeSSHKeysRequest, opts ...grpc.CallOption) (*ExchangeSSHKeysResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(ExchangeSSHKeysResponse)
+	err := c.cc.Invoke(ctx, ClientApplicationService_ExchangeSSHKeys_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // ClientApplicationServiceServer is the server API for ClientApplicationService service.
 // All implementations must embed UnimplementedClientApplicationServiceServer
 // for forward compatibility.
@@ -278,6 +292,9 @@ type ClientApplicationServiceServer interface {
 	// SignForSSHSession signs a digest with the SSH private key associated with the
 	// session from a previous call to SessionSSHConfig.
 	SignForSSHSession(context.Context, *SignForSSHSessionRequest) (*SignForSSHSessionResponse, error)
+	// ExchangeSSHKeys sends VNet's SSH host CA key to the client application and
+	// returns the user public key.
+	ExchangeSSHKeys(context.Context, *ExchangeSSHKeysRequest) (*ExchangeSSHKeysResponse, error)
 	mustEmbedUnimplementedClientApplicationServiceServer()
 }
 
@@ -327,6 +344,9 @@ func (UnimplementedClientApplicationServiceServer) SessionSSHConfig(context.Cont
 func (UnimplementedClientApplicationServiceServer) SignForSSHSession(context.Context, *SignForSSHSessionRequest) (*SignForSSHSessionResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method SignForSSHSession not implemented")
 }
+func (UnimplementedClientApplicationServiceServer) ExchangeSSHKeys(context.Context, *ExchangeSSHKeysRequest) (*ExchangeSSHKeysResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ExchangeSSHKeys not implemented")
+}
 func (UnimplementedClientApplicationServiceServer) mustEmbedUnimplementedClientApplicationServiceServer() {
 }
 func (UnimplementedClientApplicationServiceServer) testEmbeddedByValue() {}
@@ -583,6 +603,24 @@ func _ClientApplicationService_SignForSSHSession_Handler(srv interface{}, ctx co
 	return interceptor(ctx, in, info, handler)
 }
 
+func _ClientApplicationService_ExchangeSSHKeys_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ExchangeSSHKeysRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ClientApplicationServiceServer).ExchangeSSHKeys(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: ClientApplicationService_ExchangeSSHKeys_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ClientApplicationServiceServer).ExchangeSSHKeys(ctx, req.(*ExchangeSSHKeysRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 // ClientApplicationService_ServiceDesc is the grpc.ServiceDesc for ClientApplicationService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -642,6 +680,10 @@ var ClientApplicationService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "SignForSSHSession",
 			Handler:    _ClientApplicationService_SignForSSHSession_Handler,
 		},
+		{
+			MethodName: "ExchangeSSHKeys",
+			Handler:    _ClientApplicationService_ExchangeSSHKeys_Handler,
+		},
 	},
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "teleport/lib/vnet/v1/client_application_service.proto",
diff --git a/lib/client/keystore.go b/lib/client/keystore.go
index d7823b330ee75..06f930286705b 100644
--- a/lib/client/keystore.go
+++ b/lib/client/keystore.go
@@ -53,9 +53,9 @@ const (
 	// under ~/.tsh
 	keyFilePerms os.FileMode = 0600
 
-	// tshConfigFileName is the name of the directory containing the
+	// tshConfigDirName is the name of the directory containing the
 	// tsh config file.
-	tshConfigFileName = "config"
+	tshConfigDirName = "config"
 
 	// tshAzureDirName is the name of the directory containing the
 	// az cli app-specific profiles.
@@ -474,19 +474,21 @@ func (fs *FSKeyStore) DeleteKeys() error {
 	if err != nil {
 		return trace.ConvertSystemError(err)
 	}
-	ignoreDirs := map[string]struct{}{tshConfigFileName: {}, tshAzureDirName: {}, tshBin: {}}
 	for _, file := range files {
-		// Don't delete 'config', 'azure' and 'bin' directories.
-		// TODO: this is hackish and really shouldn't be needed, but fs.KeyDir is `~/.tsh` while it probably should be `~/.tsh/keys` instead.
-		if _, ok := ignoreDirs[file.Name()]; ok && file.IsDir() {
-			continue
-		}
 		if file.IsDir() {
-			err := utils.RemoveAllSecure(filepath.Join(fs.KeyDir, file.Name()))
-			if err != nil {
-				return trace.ConvertSystemError(err)
+			switch file.Name() {
+			case tshConfigDirName, tshAzureDirName, tshBin:
+				// Don't delete 'config', 'azure' and 'bin' directories.
+				// TODO: this is hackish and really shouldn't be needed, but fs.KeyDir is `~/.tsh` while it probably should be `~/.tsh/keys` instead.
+				continue
+			}
+		} else {
+			switch file.Name() {
+			case keypaths.VNetClientSSHKey, keypaths.VNetClientSSHKeyPub:
+				// Don't delete VNet client SSH keys on logout in case a user wants to
+				// set these to their own key compatible with their third-party SSH client.
+				continue
 			}
-			continue
 		}
 		err := utils.RemoveAllSecure(filepath.Join(fs.KeyDir, file.Name()))
 		if err != nil {
diff --git a/lib/vnet/admin_process_common.go b/lib/vnet/admin_process_common.go
index 2aad6c5b1967f..7ec69dae0b07f 100644
--- a/lib/vnet/admin_process_common.go
+++ b/lib/vnet/admin_process_common.go
@@ -17,13 +17,15 @@
 package vnet
 
 import (
+	"context"
+
 	"github.com/gravitational/trace"
 	"github.com/jonboulle/clockwork"
 )
 
-func newNetworkStackConfig(tun tunDevice, clt *clientApplicationServiceClient) (*networkStackConfig, error) {
+func newNetworkStackConfig(ctx context.Context, tun tunDevice, clt *clientApplicationServiceClient) (*networkStackConfig, error) {
 	clock := clockwork.NewRealClock()
-	sshProvider, err := newSSHProvider(sshProviderConfig{
+	sshProvider, err := newSSHProvider(ctx, sshProviderConfig{
 		clt:   clt,
 		clock: clock,
 	})
diff --git a/lib/vnet/admin_process_darwin.go b/lib/vnet/admin_process_darwin.go
index 90355bc85588b..c91bddbdbcb45 100644
--- a/lib/vnet/admin_process_darwin.go
+++ b/lib/vnet/admin_process_darwin.go
@@ -59,7 +59,7 @@ func RunDarwinAdminProcess(ctx context.Context, config daemon.Config) error {
 	}
 	defer tun.Close()
 
-	networkStackConfig, err := newNetworkStackConfig(tun, clt)
+	networkStackConfig, err := newNetworkStackConfig(ctx, tun, clt)
 	if err != nil {
 		return trace.Wrap(err, "creating network stack config")
 	}
diff --git a/lib/vnet/admin_process_windows.go b/lib/vnet/admin_process_windows.go
index e4f1112f2b0be..2f6532ace2a26 100644
--- a/lib/vnet/admin_process_windows.go
+++ b/lib/vnet/admin_process_windows.go
@@ -100,7 +100,7 @@ func runWindowsAdminProcess(ctx context.Context, cfg *windowsAdminProcessConfig)
 	}
 	log.InfoContext(ctx, "Created TUN interface", "tun", tunName)
 
-	networkStackConfig, err := newNetworkStackConfig(device, clt)
+	networkStackConfig, err := newNetworkStackConfig(ctx, device, clt)
 	if err != nil {
 		return trace.Wrap(err, "creating network stack config")
 	}
diff --git a/lib/vnet/client_application_service.go b/lib/vnet/client_application_service.go
index 8be84e5d61ac5..37a3cc86e8c0c 100644
--- a/lib/vnet/client_application_service.go
+++ b/lib/vnet/client_application_service.go
@@ -73,6 +73,7 @@ type clientApplicationServiceConfig struct {
 	fqdnResolver          *fqdnResolver
 	localOSConfigProvider *LocalOSConfigProvider
 	clientApplication     ClientApplication
+	homePath              string
 	clock                 clockwork.Clock
 }
 
@@ -400,6 +401,25 @@ func (s *clientApplicationService) getSignerForSSHSession(ctx context.Context, s
 	return signer, trace.Wrap(err)
 }
 
+// ExchangeSSHKeys recevies the VNet service host CA public key and writes it to
+// ${TELEPORT_HOME}/vnet_known_hosts so that third-party SSH clients can trust
+// it. It then reads or generates ${TELEPORT_HOME}/id_vnet(.pub) which SSH
+// clients should be configured to use for connections to VNet SSH. It returns
+// id_vnet.pub so that VNet SSH can trust it for incoming connections.
+func (s *clientApplicationService) ExchangeSSHKeys(ctx context.Context, req *vnetv1.ExchangeSSHKeysRequest) (*vnetv1.ExchangeSSHKeysResponse, error) {
+	hostPublicKey, err := ssh.ParsePublicKey(req.GetHostPublicKey())
+	if err != nil {
+		return nil, trace.Wrap(err, "parsing host public key")
+	}
+	userPublicKey, err := writeSSHKeys(s.cfg.homePath, hostPublicKey)
+	if err != nil {
+		return nil, trace.Wrap(err, "writing SSH keys")
+	}
+	return &vnetv1.ExchangeSSHKeysResponse{
+		UserPublicKey: userPublicKey.Marshal(),
+	}, nil
+}
+
 // checkAppKey checks that at least the app profile and name are set, which are
 // necessary to to disambiguate apps. LeafCluster is expected to be empty if the
 // app is in a root cluster.
diff --git a/lib/vnet/client_application_service_client.go b/lib/vnet/client_application_service_client.go
index bf8149a5a2e7d..72d6c33b68f53 100644
--- a/lib/vnet/client_application_service_client.go
+++ b/lib/vnet/client_application_service_client.go
@@ -23,6 +23,7 @@ import (
 	"io"
 
 	"github.com/gravitational/trace"
+	"golang.org/x/crypto/ssh"
 	"google.golang.org/grpc"
 	grpccredentials "google.golang.org/grpc/credentials"
 
@@ -212,6 +213,24 @@ func (c *clientApplicationServiceClient) SignForSSHSession(ctx context.Context,
 	return resp.GetSignature(), nil
 }
 
+// ExchangeSSHKeys sends hostPublicKey to the client application so that it
+// can write an OpenSSH-compatible configuration file. It returns the user
+// public key that should be trusted for incoming connections from third-party
+// SSH clients.
+func (c *clientApplicationServiceClient) ExchangeSSHKeys(ctx context.Context, hostPublicKey ssh.PublicKey) (ssh.PublicKey, error) {
+	resp, err := c.clt.ExchangeSSHKeys(ctx, &vnetv1.ExchangeSSHKeysRequest{
+		HostPublicKey: hostPublicKey.Marshal(),
+	})
+	if err != nil {
+		return nil, trace.Wrap(err, "calling ExchangeSSHKeys rpc")
+	}
+	userPublicKey, err := ssh.ParsePublicKey(resp.GetUserPublicKey())
+	if err != nil {
+		return nil, trace.Wrap(err, "parsing trusted user public key")
+	}
+	return userPublicKey, nil
+}
+
 // rpcSigner implements [crypto.Signer] for signatures that are issued by the
 // client application over gRPC.
 type rpcSigner struct {
diff --git a/lib/vnet/opensshconfig.go b/lib/vnet/opensshconfig.go
new file mode 100644
index 0000000000000..3bd5176729b9a
--- /dev/null
+++ b/lib/vnet/opensshconfig.go
@@ -0,0 +1,123 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package vnet
+
+import (
+	"encoding/pem"
+	"io"
+	"os"
+	"path/filepath"
+
+	renameio "github.com/google/renameio/v2/maybe" // Writes aren't guaranteed to be atomic on Windows.
+	"github.com/gravitational/trace"
+	"golang.org/x/crypto/ssh"
+
+	"github.com/gravitational/teleport/api/profile"
+	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/api/utils/keypaths"
+	"github.com/gravitational/teleport/lib/cryptosuites"
+)
+
+const (
+	filePerms os.FileMode = 0o600
+)
+
+// writeSSHKeys writes hostCAKey to ${TELEPORT_HOME}/vnet_known_hosts so that
+// third-party SSH clients can trust it. It then reads or generates
+// ${TELEPORT_HOME}/id_vnet(.pub) which SSH clients should be configured to use
+// for connections to VNet SSH. It returns id_vnet.pub so that VNet SSH can
+// trust it for incoming connections.
+func writeSSHKeys(homePath string, hostCAKey ssh.PublicKey) (ssh.PublicKey, error) {
+	profilePath := fullProfilePath(homePath)
+	if err := writeKnownHosts(profilePath, hostCAKey); err != nil {
+		return nil, trace.Wrap(err)
+	}
+	userPubKey, err := readUserPubKey(profilePath)
+	if trace.IsNotFound(err) {
+		userPubKey, err = generateAndWriteUserKey(profilePath)
+	}
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return userPubKey, nil
+}
+
+func fullProfilePath(homePath string) string {
+	if homePath == "" {
+		if homeDir := os.Getenv(types.HomeEnvVar); homeDir != "" {
+			homePath = filepath.Clean(homeDir)
+		}
+	}
+	return profile.FullProfilePath(homePath)
+}
+
+func writeKnownHosts(profilePath string, hostCAKey ssh.PublicKey) error {
+	// MarshalAuthorizedKey serializes the key for inclusion in an
+	// authorized_keys file, we need to add the @cert-authority prefix and the
+	// wildcard so this CA is trusted for all hosts. The SSH configuration file
+	// should only load this vnet_known_hosts file for hosts matching
+	// appropriate subdomains, there is no need to keep that list of domains
+	// updated in both the SSH config file and the vnet_known_hosts file.
+	authorizedKey := ssh.MarshalAuthorizedKey(hostCAKey)
+	authorizedCA := "@cert-authority * " + string(authorizedKey)
+	p := keypaths.VNetKnownHostsPath(profilePath)
+	err := renameio.WriteFile(p, []byte(authorizedCA), filePerms)
+	return trace.Wrap(trace.ConvertSystemError(err), "writing host CA to %s", p)
+}
+
+func readUserPubKey(profilePath string) (ssh.PublicKey, error) {
+	p := keypaths.VNetClientSSHKeyPubPath(profilePath)
+	f, err := os.Open(p)
+	if err != nil {
+		return nil, trace.Wrap(trace.ConvertSystemError(err), "opening %s for reading", p)
+	}
+	defer f.Close()
+	const maxPubKeyFileSize = 10000 // RSA 4096 pub key files are ~750 bytes, ~10x to be safe.
+	pubKeyBytes, err := io.ReadAll(io.LimitReader(f, maxPubKeyFileSize))
+	if err != nil {
+		return nil, trace.Wrap(trace.ConvertSystemError(err), "reading user public key from %s", p)
+	}
+	userPubKey, _, _, _, err := ssh.ParseAuthorizedKey(pubKeyBytes)
+	return userPubKey, trace.Wrap(err, "parsing user public key from %s", p)
+}
+
+func generateAndWriteUserKey(profilePath string) (ssh.PublicKey, error) {
+	userKey, err := cryptosuites.GenerateKeyWithAlgorithm(cryptosuites.Ed25519)
+	if err != nil {
+		return nil, trace.Wrap(err, "generating SSH user key")
+	}
+
+	privPemBlock, err := ssh.MarshalPrivateKey(userKey, "")
+	if err != nil {
+		return nil, trace.Wrap(err, "marshaling SSH user key")
+	}
+	privKeyBytes := pem.EncodeToMemory(privPemBlock)
+	privKeyPath := keypaths.VNetClientSSHKeyPath(profilePath)
+	if err := renameio.WriteFile(privKeyPath, privKeyBytes, filePerms); err != nil {
+		return nil, trace.Wrap(trace.ConvertSystemError(err), "writing user private key to %s", privKeyPath)
+	}
+
+	userPubKey, err := ssh.NewPublicKey(userKey.Public())
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	pubKeyPath := keypaths.VNetClientSSHKeyPubPath(profilePath)
+	if err := renameio.WriteFile(pubKeyPath, ssh.MarshalAuthorizedKey(userPubKey), filePerms); err != nil {
+		return nil, trace.Wrap(trace.ConvertSystemError(err), "writing user public key to %s", pubKeyPath)
+	}
+	return userPubKey, nil
+}
diff --git a/lib/vnet/ssh_provider.go b/lib/vnet/ssh_provider.go
index 9bdc302a50b38..dd964b4967f04 100644
--- a/lib/vnet/ssh_provider.go
+++ b/lib/vnet/ssh_provider.go
@@ -53,39 +53,20 @@ type sshProviderConfig struct {
 		tlsConfig *tls.Config,
 		dialOpts *vnetv1.DialOptions,
 	) (net.Conn, error)
-	// hostCASigner can be used in tests to set a specific key for the SSH host CA.
-	hostCASigner ssh.Signer
-	// trustedUserPublicKey can be used in tests to set a specific trusted user
-	// SSH key.
-	trustedUserPublicKey ssh.PublicKey
 }
 
-func newSSHProvider(cfg sshProviderConfig) (*sshProvider, error) {
-	hostCASigner := cfg.hostCASigner
-	if hostCASigner == nil {
-		// TODO(nklaassen): write host CA public key to $TELEPORT_HOME/vnet_known_hosts
-		hostKey, err := cryptosuites.GenerateKeyWithAlgorithm(cryptosuites.Ed25519)
-		if err != nil {
-			return nil, trace.Wrap(err)
-		}
-		hostCASigner, err = ssh.NewSignerFromSigner(hostKey)
-		if err != nil {
-			return nil, trace.Wrap(err)
-		}
+func newSSHProvider(ctx context.Context, cfg sshProviderConfig) (*sshProvider, error) {
+	hostCAKey, err := cryptosuites.GenerateKeyWithAlgorithm(cryptosuites.Ed25519)
+	if err != nil {
+		return nil, trace.Wrap(err)
 	}
-	trustedUserPublicKey := cfg.trustedUserPublicKey
-	if trustedUserPublicKey == nil {
-		// TODO(nklaassen): check if $TELEPORT_HOME/id_vnet.pub exists.
-		// If it does, read that file and trust it.
-		// If not, generate the keypair and write it to $TELEPORT_HOME/id_vnet.
-		userKey, err := cryptosuites.GenerateKeyWithAlgorithm(cryptosuites.Ed25519)
-		if err != nil {
-			return nil, trace.Wrap(err)
-		}
-		trustedUserPublicKey, err = ssh.NewPublicKey(userKey.Public())
-		if err != nil {
-			return nil, trace.Wrap(err)
-		}
+	hostCASigner, err := ssh.NewSignerFromSigner(hostCAKey)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	trustedUserPublicKey, err := cfg.clt.ExchangeSSHKeys(ctx, hostCASigner.PublicKey())
+	if err != nil {
+		return nil, trace.Wrap(err)
 	}
 	return &sshProvider{
 		cfg:                  cfg,
diff --git a/lib/vnet/vnet_test.go b/lib/vnet/vnet_test.go
index e01ad78feebc1..72674a59edad3 100644
--- a/lib/vnet/vnet_test.go
+++ b/lib/vnet/vnet_test.go
@@ -59,6 +59,7 @@ import (
 	"github.com/gravitational/teleport/api/types"
 	typesvnet "github.com/gravitational/teleport/api/types/vnet"
 	"github.com/gravitational/teleport/api/utils/grpc/interceptors"
+	"github.com/gravitational/teleport/api/utils/keypaths"
 	"github.com/gravitational/teleport/api/utils/sshutils"
 	vnetv1 "github.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/v1"
 	"github.com/gravitational/teleport/lib/auth/authclient"
@@ -89,13 +90,16 @@ type testPack struct {
 }
 
 type testPackConfig struct {
-	clock                   clockwork.Clock
-	fakeClientApp           *fakeClientApp
-	sshHostCASigner         ssh.Signer
-	sshTrustedUserPublicKey ssh.PublicKey
+	clock         clockwork.Clock
+	fakeClientApp *fakeClientApp
+	homePath      string
 }
 
 func newTestPack(t *testing.T, ctx context.Context, cfg testPackConfig) *testPack {
+	if cfg.homePath == "" {
+		cfg.homePath = t.TempDir()
+	}
+
 	// Create two sides of an emulated TUN interface: writes to one can be read on the other, and vice versa.
 	tun1, tun2 := newSplitTUN()
 
@@ -149,14 +153,12 @@ func newTestPack(t *testing.T, ctx context.Context, cfg testPackConfig) *testPac
 	// client application and communicates over gRPC. For the test, everything
 	// runs in a single process, but we still set up the gRPC service and only
 	// interface with fakeClientApp via the gRPC client.
-	clt := runTestClientApplicationService(t, ctx, cfg.clock, cfg.fakeClientApp)
+	clt := runTestClientApplicationService(t, ctx, cfg)
 	appProvider := newAppProvider(clt)
-	sshProvider, err := newSSHProvider(sshProviderConfig{
-		clt:                  clt,
-		clock:                cfg.clock,
-		overrideNodeDialer:   cfg.fakeClientApp.dialSSHNode,
-		hostCASigner:         cfg.sshHostCASigner,
-		trustedUserPublicKey: cfg.sshTrustedUserPublicKey,
+	sshProvider, err := newSSHProvider(ctx, sshProviderConfig{
+		clt:                clt,
+		clock:              cfg.clock,
+		overrideNodeDialer: cfg.fakeClientApp.dialSSHNode,
 	})
 	require.NoError(t, err)
 	tcpHandlerResolver := newTCPHandlerResolver(&tcpHandlerResolverConfig{
@@ -270,20 +272,21 @@ func (p *testPack) dialHost(ctx context.Context, host string, port int) (net.Con
 // runTestClientApplicationService runs the gRPC service that's normally used to
 // expose the client application and Teleport client methods to the VNet
 // admin/networking process over gRPC. It returns a client of the gRPC service.
-func runTestClientApplicationService(t *testing.T, ctx context.Context, clock clockwork.Clock, clientApp *fakeClientApp) *clientApplicationServiceClient {
-	clusterConfigCache := NewClusterConfigCache(clock)
-	leafClusterCache, err := newLeafClusterCache(clock)
+func runTestClientApplicationService(t *testing.T, ctx context.Context, cfg testPackConfig) *clientApplicationServiceClient {
+	clusterConfigCache := NewClusterConfigCache(cfg.clock)
+	leafClusterCache, err := newLeafClusterCache(cfg.clock)
 	require.NoError(t, err)
 	fqdnResolver := newFQDNResolver(&fqdnResolverConfig{
-		clientApplication:  clientApp,
+		clientApplication:  cfg.fakeClientApp,
 		clusterConfigCache: clusterConfigCache,
 		leafClusterCache:   leafClusterCache,
 	})
 	clientApplicationService, err := newClientApplicationService(&clientApplicationServiceConfig{
-		clientApplication:     clientApp,
+		clientApplication:     cfg.fakeClientApp,
 		fqdnResolver:          fqdnResolver,
 		localOSConfigProvider: nil, // OS configuration is not needed in tests.
-		clock:                 clock,
+		homePath:              cfg.homePath,
+		clock:                 cfg.clock,
 	})
 	require.NoError(t, err)
 
@@ -1153,6 +1156,7 @@ func TestSSH(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	t.Cleanup(cancel)
 	clock := clockwork.NewRealClock()
+	homePath := t.TempDir()
 
 	const (
 		root1CIDR = "192.168.1.0/24"
@@ -1196,28 +1200,32 @@ func TestSSH(t *testing.T) {
 		signatureAlgorithmSuite: types.SignatureAlgorithmSuite_SIGNATURE_ALGORITHM_SUITE_BALANCED_V1,
 	})
 
-	sshHostKey, err := cryptosuites.GenerateKeyWithAlgorithm(cryptosuites.Ed25519)
+	p := newTestPack(t, ctx, testPackConfig{
+		fakeClientApp: clientApp,
+		clock:         clock,
+		homePath:      homePath,
+	})
+
+	// Read the generated vnet_known_hosts file to get the trusted host CA key.
+	knownHosts, err := os.ReadFile(keypaths.VNetKnownHostsPath(homePath))
 	require.NoError(t, err)
-	sshHostCASigner, err := ssh.NewSignerFromSigner(sshHostKey)
+	marker, hosts, hostCAPubKey, _, _, err := ssh.ParseKnownHosts(knownHosts)
 	require.NoError(t, err)
+	require.Equal(t, "cert-authority", marker)
+	require.Equal(t, []string{"*"}, hosts)
 
-	sshUserKey, err := cryptosuites.GenerateKeyWithAlgorithm(cryptosuites.Ed25519)
+	// Read the generated id_vnet file to get the user key.
+	sshUserKey, err := os.ReadFile(keypaths.VNetClientSSHKeyPath(homePath))
 	require.NoError(t, err)
-	sshUserSigner, err := ssh.NewSignerFromSigner(sshUserKey)
+	sshUserSigner, err := ssh.ParsePrivateKey(sshUserKey)
 	require.NoError(t, err)
 
+	// Create a fake user key to test failed authentication.
 	badUserKey, err := cryptosuites.GenerateKeyWithAlgorithm(cryptosuites.Ed25519)
 	require.NoError(t, err)
 	badUserSigner, err := ssh.NewSignerFromSigner(badUserKey)
 	require.NoError(t, err)
 
-	p := newTestPack(t, ctx, testPackConfig{
-		fakeClientApp:           clientApp,
-		clock:                   clock,
-		sshHostCASigner:         sshHostCASigner,
-		sshTrustedUserPublicKey: sshUserSigner.PublicKey(),
-	})
-
 	for _, tc := range []struct {
 		dialAddr                 string
 		dialPort                 int
@@ -1372,7 +1380,7 @@ func TestSSH(t *testing.T) {
 			// the server.
 			certChecker := ssh.CertChecker{
 				IsHostAuthority: func(auth ssh.PublicKey, address string) bool {
-					return sshutils.KeysEqual(auth, sshHostCASigner.PublicKey())
+					return sshutils.KeysEqual(auth, hostCAPubKey)
 				},
 				Clock: clock.Now,
 			}
diff --git a/proto/teleport/lib/vnet/v1/client_application_service.proto b/proto/teleport/lib/vnet/v1/client_application_service.proto
index 340a36d4f0a12..85625f7b693cc 100644
--- a/proto/teleport/lib/vnet/v1/client_application_service.proto
+++ b/proto/teleport/lib/vnet/v1/client_application_service.proto
@@ -62,6 +62,9 @@ service ClientApplicationService {
   // SignForSSHSession signs a digest with the SSH private key associated with the
   // session from a previous call to SessionSSHConfig.
   rpc SignForSSHSession(SignForSSHSessionRequest) returns (SignForSSHSessionResponse);
+  // ExchangeSSHKeys sends VNet's SSH host CA key to the client application and
+  // returns the user public key.
+  rpc ExchangeSSHKeys(ExchangeSSHKeysRequest) returns (ExchangeSSHKeysResponse);
 }
 
 // AuthenticateProcessRequest is a request for AuthenticateProcess.
@@ -377,3 +380,17 @@ message SignForSSHSessionResponse {
   // Signature is the signature.
   bytes signature = 1;
 }
+
+// ExchangeSSHKeysRequest is a request to exchange SSH keys for VNet SSH.
+message ExchangeSSHKeysRequest {
+  // HostPublicKey is the host key that should be trusted by clients connecting
+  // to VNet SSH addresses. It is encoded in OpenSSH wire format.
+  bytes host_public_key = 1;
+}
+
+// ExchangeSSHKeysResponse is a response for ExchangeSSHKeys.
+message ExchangeSSHKeysResponse {
+  // UserPublicKey is the user key that should be trusted by VNet for incoming
+  // connections from SSH clients. It is encoded in OpenSSH wire format.
+  bytes user_public_key = 1;
+}

From 87080113f945fca5ca147ed566da39a02d254877 Mon Sep 17 00:00:00 2001
From: Nic Klaassen <nic@goteleport.com>
Date: Sun, 1 Jun 2025 00:07:02 -0700
Subject: [PATCH 05/25] [v18][vnet] feat: write OpenSSH-compatible config file
 for VNet SSH

Backport #55239 to branch/v18
---
 api/utils/keypaths/keypaths.go   |  10 +++
 lib/vnet/opensshconfig.go        | 131 ++++++++++++++++++++++++++++++-
 lib/vnet/opensshconfig_test.go   | 104 ++++++++++++++++++++++++
 lib/vnet/user_process.go         |  12 ++-
 lib/vnet/user_process_darwin.go  |  16 ++--
 lib/vnet/user_process_windows.go |  16 ++--
 6 files changed, 269 insertions(+), 20 deletions(-)
 create mode 100644 lib/vnet/opensshconfig_test.go

diff --git a/api/utils/keypaths/keypaths.go b/api/utils/keypaths/keypaths.go
index f1853313f67fe..60b2c472f8df5 100644
--- a/api/utils/keypaths/keypaths.go
+++ b/api/utils/keypaths/keypaths.go
@@ -82,6 +82,9 @@ const (
 	// vnetKnownHosts is the file name of the known_hosts file trusted by
 	// third-party SSH clients connecting to VNet SSH.
 	vnetKnownHosts = "vnet_known_hosts"
+	// vnetSSHConfig is the file name of the generated OpenSSH-compatible config
+	// file to be used by third-party SSH clients connecting to VNet SSH.
+	vnetSSHConfig = "vnet_ssh_config"
 )
 
 // Here's the file layout of all these keypaths.
@@ -93,6 +96,7 @@ const (
 // ├── id_vnet                         --> SSH Private Key for third-party clients of VNet SSH
 // ├── id_vnet.pub                     --> SSH Public Key for third-party clients of VNet SSH
 // ├── vnet_known_hosts                --> trusted certificate authorities (their keys) for third-party clients of VNet SSH
+// ├── vnet_ssh_config                 --> OpenSSH-compatible config file for third-party clients of VNet SSH
 // └── keys							   --> session keys directory
 //    ├── one.example.com              --> Proxy hostname
 //    │   ├── certs.pem                --> TLS CA certs for the Teleport CA
@@ -456,6 +460,12 @@ func VNetKnownHostsPath(baseDir string) string {
 	return filepath.Join(baseDir, vnetKnownHosts)
 }
 
+// VNetSSHConfigPath returns the path to VNet's generated OpenSSH-compatible
+// config file.
+func VNetSSHConfigPath(baseDir string) string {
+	return filepath.Join(baseDir, vnetSSHConfig)
+}
+
 // TrimKeyPathSuffix returns the given path with any key suffix/extension trimmed off.
 func TrimKeyPathSuffix(path string) string {
 	return strings.TrimSuffix(path, fileExtTLSKey)
diff --git a/lib/vnet/opensshconfig.go b/lib/vnet/opensshconfig.go
index 3bd5176729b9a..bd7ce4f50d3cc 100644
--- a/lib/vnet/opensshconfig.go
+++ b/lib/vnet/opensshconfig.go
@@ -17,23 +17,34 @@
 package vnet
 
 import (
+	"bytes"
+	"cmp"
+	"context"
 	"encoding/pem"
 	"io"
 	"os"
 	"path/filepath"
+	"slices"
+	"strconv"
+	"strings"
+	"text/template"
+	"time"
 
 	renameio "github.com/google/renameio/v2/maybe" // Writes aren't guaranteed to be atomic on Windows.
 	"github.com/gravitational/trace"
+	"github.com/jonboulle/clockwork"
 	"golang.org/x/crypto/ssh"
 
 	"github.com/gravitational/teleport/api/profile"
 	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/api/utils"
 	"github.com/gravitational/teleport/api/utils/keypaths"
 	"github.com/gravitational/teleport/lib/cryptosuites"
 )
 
 const (
-	filePerms os.FileMode = 0o600
+	filePerms                      os.FileMode = 0o600
+	sshConfigurationUpdateInterval             = 30 * time.Second
 )
 
 // writeSSHKeys writes hostCAKey to ${TELEPORT_HOME}/vnet_known_hosts so that
@@ -121,3 +132,121 @@ func generateAndWriteUserKey(profilePath string) (ssh.PublicKey, error) {
 	}
 	return userPubKey, nil
 }
+
+// sshConfigurator writes an OpenSSH-compatible config file to
+// TELEPORT_HOME/vnet_ssh_config, and keeps it up to date with the list of
+// clusters that should match.
+type sshConfigurator struct {
+	cfg         sshConfiguratorConfig
+	profilePath string
+	clock       clockwork.Clock
+}
+
+type sshConfiguratorConfig struct {
+	clientApplication ClientApplication
+	homePath          string
+	clock             clockwork.Clock
+}
+
+func newSSHConfigurator(cfg sshConfiguratorConfig) *sshConfigurator {
+	return &sshConfigurator{
+		cfg:         cfg,
+		profilePath: fullProfilePath(cfg.homePath),
+		clock:       cmp.Or(cfg.clock, clockwork.NewRealClock()),
+	}
+}
+
+func (c *sshConfigurator) runConfigurationLoop(ctx context.Context) error {
+	if err := c.updateSSHConfiguration(ctx); err != nil {
+		return trace.Wrap(err, "generating vnet_ssh_config")
+	}
+	// Delete the configuration file before exiting, if it is imported by the
+	// default SSH config file it will just stop taking effect.
+	defer func() {
+		if err := deleteSSHConfigFile(c.profilePath); err != nil {
+			log.WarnContext(ctx, "Failed to delete vnet_ssh_config while shutting down", "error", err)
+		}
+	}()
+	// clock.After is intentionally used in the loop instead of a ticker simply
+	// for more reliable testing. In the test I use clock.BlockUntilContext(1)
+	// to block until the loop is stuck waiting on the clock. If I used
+	// clock.NewTicker instead, the ticker always counts as a waiter, and that
+	// strategy doesn't work. In go 1.25 we can use testing/synctest instead.
+	for {
+		select {
+		case <-c.clock.After(sshConfigurationUpdateInterval):
+			if err := c.updateSSHConfiguration(ctx); err != nil {
+				return trace.Wrap(err, "updating vnet_ssh_config")
+			}
+		case <-ctx.Done():
+			return trace.Wrap(ctx.Err(), "context canceled, shutting down vnet_ssh_config update loop")
+		}
+	}
+}
+
+func (c *sshConfigurator) updateSSHConfiguration(ctx context.Context) error {
+	profileNames, err := c.cfg.clientApplication.ListProfiles()
+	if err != nil {
+		return trace.Wrap(err, "listing profiles")
+	}
+	hostMatchers := make([]string, 0, len(profileNames))
+	for _, profileName := range profileNames {
+		rootClient, err := c.cfg.clientApplication.GetCachedClient(ctx, profileName, "" /*leafClusterName*/)
+		if err != nil {
+			log.WarnContext(ctx,
+				"Failed to get root cluster client from cache, profile may be expired, not configuring VNet SSH for this cluster",
+				"profile", profileName, "error", err)
+			continue
+		}
+		hostMatchers = append(hostMatchers, hostMatcher(rootClient.RootClusterName()))
+	}
+	hostMatchers = utils.Deduplicate(hostMatchers)
+	slices.Sort(hostMatchers)
+	hostMatchersString := strings.Join(hostMatchers, " ")
+	return trace.Wrap(writeSSHConfigFile(c.profilePath, hostMatchersString))
+}
+
+func hostMatcher(clusterName string) string {
+	return "*." + strings.Trim(clusterName, ".")
+}
+
+func deleteSSHConfigFile(profilePath string) error {
+	p := keypaths.VNetSSHConfigPath(profilePath)
+	if err := os.Remove(p); err != nil {
+		err = trace.ConvertSystemError(err)
+		if trace.IsNotFound(err) {
+			return nil
+		}
+		return trace.Wrap(err, "deleting %s", p)
+	}
+	return nil
+}
+
+func writeSSHConfigFile(profilePath, hostMatchers string) error {
+	t := template.Must(template.New("ssh_config").Parse(configFileTemplate))
+	var b bytes.Buffer
+	if err := t.Execute(&b, configFileTemplateInput{
+		Hosts:          hostMatchers,
+		PrivateKeyPath: strconv.Quote(keypaths.VNetClientSSHKeyPath(profilePath)),
+		KnownHostsPath: strconv.Quote(keypaths.VNetKnownHostsPath(profilePath)),
+	}); err != nil {
+		return trace.Wrap(err, "generating SSH config file")
+	}
+	p := keypaths.VNetSSHConfigPath(profilePath)
+	err := renameio.WriteFile(p, b.Bytes(), filePerms)
+	return trace.Wrap(trace.ConvertSystemError(err), "writing SSH config file to %s", p)
+}
+
+const configFileTemplate = `Host {{ .Hosts }}
+    IdentityFile {{ .PrivateKeyPath }}
+    GlobalKnownHostsFile {{ .KnownHostsPath }}
+    UserKnownHostsFile /dev/null
+    StrictHostKeyChecking yes
+    IdentitiesOnly yes
+`
+
+type configFileTemplateInput struct {
+	Hosts          string
+	PrivateKeyPath string
+	KnownHostsPath string
+}
diff --git a/lib/vnet/opensshconfig_test.go b/lib/vnet/opensshconfig_test.go
new file mode 100644
index 0000000000000..3289577f783aa
--- /dev/null
+++ b/lib/vnet/opensshconfig_test.go
@@ -0,0 +1,104 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package vnet
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/jonboulle/clockwork"
+	"github.com/stretchr/testify/require"
+
+	"github.com/gravitational/teleport/api/utils/keypaths"
+)
+
+func TestSSHConfigurator(t *testing.T) {
+	t.Parallel()
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	clock := clockwork.NewFakeClockAt(time.Now())
+	homePath := t.TempDir()
+
+	fakeClientApp := newFakeClientApp(ctx, t, &fakeClientAppConfig{
+		clusters: map[string]testClusterSpec{
+			"cluster1": {},
+			"cluster2": {},
+		},
+		// Give the fake client app a different clock so we can rely on
+		// clock.BlockUntilContext only capturing the SSH configuration loop.
+		clock: clockwork.NewRealClock(),
+	})
+
+	c := newSSHConfigurator(sshConfiguratorConfig{
+		clientApplication: fakeClientApp,
+		homePath:          homePath,
+		clock:             clock,
+	})
+	errC := make(chan error)
+	go func() {
+		errC <- c.runConfigurationLoop(ctx)
+	}()
+
+	// Intentionally not using the template defined in the production code to
+	// test that it actually produces output that looks like this.
+	expectedConfigFile := func(expectedHosts string) string {
+		return fmt.Sprintf(`Host %s
+    IdentityFile "%s/id_vnet"
+    GlobalKnownHostsFile "%s/vnet_known_hosts"
+    UserKnownHostsFile /dev/null
+    StrictHostKeyChecking yes
+    IdentitiesOnly yes
+`,
+			expectedHosts,
+			homePath, homePath)
+	}
+
+	assertConfigFile := func(expectedHosts string) {
+		t.Helper()
+		expected := expectedConfigFile(expectedHosts)
+		contents, err := os.ReadFile(keypaths.VNetSSHConfigPath(homePath))
+		require.NoError(t, err)
+		require.Equal(t, expected, string(contents))
+	}
+
+	// Wait until the configurator has had a chance to write the initial config
+	// file and then get blocked in the loop.
+	clock.BlockUntilContext(ctx, 1)
+	// Assert the config file contains both root clusters reported by
+	// fakeClientApp.
+	assertConfigFile("*.cluster1 *.cluster2")
+
+	// Add a root cluster, wait until the configurator is blocked in the loop,
+	// advance the clock, wait until the configurator is blocked again
+	// indicating it should have updated the config and made it back into the
+	// loop, and then assert that the new cluster is in the config file.
+	fakeClientApp.cfg.clusters["cluster3"] = testClusterSpec{}
+	clock.BlockUntilContext(ctx, 1)
+	clock.Advance(sshConfigurationUpdateInterval)
+	clock.BlockUntilContext(ctx, 1)
+	assertConfigFile("*.cluster1 *.cluster2 *.cluster3")
+
+	// Kill the configurator, wait for it to return, and assert that the config
+	// file was deleted.
+	cancel()
+	require.ErrorIs(t, <-errC, context.Canceled)
+	_, err := os.Stat(keypaths.VNetSSHConfigPath(homePath))
+	require.ErrorIs(t, err, os.ErrNotExist)
+}
diff --git a/lib/vnet/user_process.go b/lib/vnet/user_process.go
index 75df45f7fd196..48eb3dbb38595 100644
--- a/lib/vnet/user_process.go
+++ b/lib/vnet/user_process.go
@@ -112,13 +112,23 @@ func RunUserProcess(ctx context.Context, clientApplication ClientApplication) (*
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
+
+	processManager, processCtx := newProcessManager()
+	sshConfigurator := newSSHConfigurator(sshConfiguratorConfig{
+		clientApplication: clientApplication,
+	})
+	processManager.AddCriticalBackgroundTask("SSH configuration loop", func() error {
+		return trace.Wrap(sshConfigurator.runConfigurationLoop(processCtx))
+	})
+
 	userProcess := &UserProcess{
 		clientApplication:        clientApplication,
 		osConfigProvider:         osConfigProvider,
 		clientApplicationService: clientApplicationService,
 		clock:                    clock,
+		processManager:           processManager,
 	}
-	if err := userProcess.runPlatformUserProcess(ctx); err != nil {
+	if err := userProcess.runPlatformUserProcess(processCtx); err != nil {
 		return nil, trace.Wrap(err)
 	}
 	return userProcess, nil
diff --git a/lib/vnet/user_process_darwin.go b/lib/vnet/user_process_darwin.go
index a88f2313688a6..44c0d672470ab 100644
--- a/lib/vnet/user_process_darwin.go
+++ b/lib/vnet/user_process_darwin.go
@@ -35,7 +35,7 @@ import (
 // interface that the daemon uses to query application names and get user
 // certificates for apps. If successful it sets p.processManager and
 // p.networkStackInfo.
-func (p *UserProcess) runPlatformUserProcess(ctx context.Context) error {
+func (p *UserProcess) runPlatformUserProcess(processCtx context.Context) error {
 	ipcCreds, err := newIPCCredentials()
 	if err != nil {
 		return trace.Wrap(err, "creating credentials for IPC")
@@ -67,16 +67,14 @@ func (p *UserProcess) runPlatformUserProcess(ctx context.Context) error {
 	)
 	vnetv1.RegisterClientApplicationServiceServer(grpcServer, p.clientApplicationService)
 
-	pm, processCtx := newProcessManager()
-	p.processManager = pm
-	pm.AddCriticalBackgroundTask("admin process", func() error {
+	p.processManager.AddCriticalBackgroundTask("admin process", func() error {
 		defer func() {
 			// Delete service credentials after the service terminates.
 			if ipcCreds.client.remove(credDir); err != nil {
-				log.ErrorContext(ctx, "Failed to remove service credential files", "error", err)
+				log.ErrorContext(processCtx, "Failed to remove service credential files", "error", err)
 			}
 			if err := os.RemoveAll(credDir); err != nil {
-				log.ErrorContext(ctx, "Failed to remove service credential directory", "error", err)
+				log.ErrorContext(processCtx, "Failed to remove service credential directory", "error", err)
 			}
 		}()
 		daemonConfig := daemon.Config{
@@ -85,13 +83,13 @@ func (p *UserProcess) runPlatformUserProcess(ctx context.Context) error {
 		}
 		return trace.Wrap(execAdminProcess(processCtx, daemonConfig))
 	})
-	pm.AddCriticalBackgroundTask("gRPC service", func() error {
+	p.processManager.AddCriticalBackgroundTask("gRPC service", func() error {
 		log.InfoContext(processCtx, "Starting gRPC service",
 			"addr", listener.Addr().String())
 		return trace.Wrap(grpcServer.Serve(listener),
 			"serving VNet user process gRPC service")
 	})
-	pm.AddCriticalBackgroundTask("gRPC server closer", func() error {
+	p.processManager.AddCriticalBackgroundTask("gRPC server closer", func() error {
 		// grpcServer.Serve does not stop on its own when processCtx is done, so
 		// this task waits for processCtx and then explicitly stops grpcServer.
 		<-processCtx.Done()
@@ -104,6 +102,6 @@ func (p *UserProcess) runPlatformUserProcess(ctx context.Context) error {
 		p.networkStackInfo = nsi
 		return nil
 	case <-processCtx.Done():
-		return trace.Wrap(pm.Wait(), "process manager exited before network stack info was received")
+		return trace.Wrap(p.processManager.Wait(), "process manager exited before network stack info was received")
 	}
 }
diff --git a/lib/vnet/user_process_windows.go b/lib/vnet/user_process_windows.go
index 80d935f209fd1..e0ab82eda82cf 100644
--- a/lib/vnet/user_process_windows.go
+++ b/lib/vnet/user_process_windows.go
@@ -37,7 +37,7 @@ import (
 // interface that the admin process uses to query application names and get user
 // certificates for apps. It returns a [ProcessManager] which controls the
 // lifecycle of both the user and admin processes.
-func (p *UserProcess) runPlatformUserProcess(ctx context.Context) error {
+func (p *UserProcess) runPlatformUserProcess(processCtx context.Context) error {
 	ipcCreds, err := newIPCCredentials()
 	if err != nil {
 		return trace.Wrap(err, "creating credentials for IPC")
@@ -77,17 +77,15 @@ func (p *UserProcess) runPlatformUserProcess(ctx context.Context) error {
 	)
 	vnetv1.RegisterClientApplicationServiceServer(grpcServer, p.clientApplicationService)
 
-	pm, processCtx := newProcessManager()
-	p.processManager = pm
-	pm.AddCriticalBackgroundTask("admin process", func() error {
+	p.processManager.AddCriticalBackgroundTask("admin process", func() error {
 		log.InfoContext(processCtx, "Starting Windows service")
 		defer func() {
 			// Delete service credentials after the service terminates.
 			if ipcCreds.client.remove(credDir); err != nil {
-				log.ErrorContext(ctx, "Failed to remove service credential files", "error", err)
+				log.ErrorContext(processCtx, "Failed to remove service credential files", "error", err)
 			}
 			if err := os.RemoveAll(credDir); err != nil {
-				log.ErrorContext(ctx, "Failed to remove service credential directory", "error", err)
+				log.ErrorContext(processCtx, "Failed to remove service credential directory", "error", err)
 			}
 		}()
 		return trace.Wrap(runService(processCtx, &windowsAdminProcessConfig{
@@ -96,13 +94,13 @@ func (p *UserProcess) runPlatformUserProcess(ctx context.Context) error {
 			userSID:                      userSID,
 		}))
 	})
-	pm.AddCriticalBackgroundTask("gRPC service", func() error {
+	p.processManager.AddCriticalBackgroundTask("gRPC service", func() error {
 		log.InfoContext(processCtx, "Starting gRPC service",
 			"addr", listener.Addr().String())
 		return trace.Wrap(grpcServer.Serve(listener),
 			"serving VNet user process gRPC service")
 	})
-	pm.AddCriticalBackgroundTask("gRPC server closer", func() error {
+	p.processManager.AddCriticalBackgroundTask("gRPC server closer", func() error {
 		// grpcServer.Serve does not stop on its own when processCtx is done, so
 		// this task waits for processCtx and then explicitly stops grpcServer.
 		<-processCtx.Done()
@@ -115,7 +113,7 @@ func (p *UserProcess) runPlatformUserProcess(ctx context.Context) error {
 		p.networkStackInfo = nsi
 		return nil
 	case <-processCtx.Done():
-		return trace.Wrap(pm.Wait(), "process manager exited before network stack info was received")
+		return trace.Wrap(p.processManager.Wait(), "process manager exited before network stack info was received")
 	}
 }
 

From 6d698e6ea2c42763c35ad9d78a25f6f55aa12813 Mon Sep 17 00:00:00 2001
From: Nic Klaassen <nic@goteleport.com>
Date: Fri, 13 Jun 2025 09:26:36 -0700
Subject: [PATCH 06/25] [v18][vnet] fix: support <hostname>.<leaf-cluster> for
 VNet SSH

Backport #55688 to branch/v18
---
 lib/vnet/fqdn_resolver.go        | 27 ++++++++--------
 lib/vnet/opensshconfig.go        | 11 +++++++
 lib/vnet/opensshconfig_test.go   | 50 ++++++++++++++++++-----------
 lib/vnet/ssh_handler.go          |  3 +-
 lib/vnet/ssh_provider.go         | 14 ++++-----
 lib/vnet/tcp_handler_resolver.go |  2 +-
 lib/vnet/user_process.go         |  1 +
 lib/vnet/vnet_test.go            | 54 ++++++++++++++------------------
 rfd/0207-vnet-ssh.md             | 20 ++++++------
 9 files changed, 98 insertions(+), 84 deletions(-)

diff --git a/lib/vnet/fqdn_resolver.go b/lib/vnet/fqdn_resolver.go
index c204ae7047f1e..38dad60b12419 100644
--- a/lib/vnet/fqdn_resolver.go
+++ b/lib/vnet/fqdn_resolver.go
@@ -226,11 +226,12 @@ func (r *fqdnResolver) resolveAppInfoForCluster(
 	}, nil
 }
 
-// VNet SSH handles SSH hostnames matching "<hostname>.<cluster_name>." or
-// "<hostname>.<leaf_cluster_name>.<cluster_name>.". tryResolveSSH checks if
-// fqdn matches that pattern for any logged-in cluster and if so returns a
-// match. We never actually query for whether or not a matching SSH node exists,
-// we just attempt to dial it when the client connects to the assigned IP.
+// VNet SSH handles SSH hostnames matching "<hostname>.<cluster_name>.", where
+// the <cluster-name> may be the name of a root or leaf cluster.
+// tryResolveSSH checks if fqdn matches that pattern for any known cluster
+// and if so returns a match. We never actually query for whether or not a
+// matching SSH node exists, we just attempt to dial it when the client
+// connects to the assigned IP.
 func (r *fqdnResolver) tryResolveSSH(ctx context.Context, profileNames []string, fqdn string) (*vnetv1.ResolveFQDNResponse, error) {
 	for _, profileName := range profileNames {
 		log := log.With("profile", profileName)
@@ -240,23 +241,21 @@ func (r *fqdnResolver) tryResolveSSH(ctx context.Context, profileNames []string,
 			continue
 		}
 		rootClusterName := rootClient.ClusterName()
-		if !isDescendantSubdomain(fqdn, rootClusterName) {
-			continue
-		}
+		log = log.With("root_cluster", rootClusterName)
 		leafClusters, err := r.cfg.leafClusterCache.getLeafClusters(ctx, rootClient)
 		if err != nil {
 			// Good chance we're here because the user is not logged in to the profile.
 			log.ErrorContext(ctx, "Failed to list leaf clusters, SSH nodes in this cluster will not be resolved", "error", err)
-			return nil, errNoMatch
+			continue
 		}
 		rootDialOpts, err := r.cfg.clientApplication.GetDialOptions(ctx, profileName)
 		if err != nil {
 			log.ErrorContext(ctx, "Failed to get cluster dial options, SSH nodes in this cluster will not be resolved", "error", err)
-			return nil, errNoMatch
+			continue
 		}
 		for _, leafClusterName := range leafClusters {
 			log := log.With("leaf_cluster", leafClusterName)
-			if !isDescendantSubdomain(fqdn, leafClusterName+"."+rootClusterName) {
+			if !isDescendantSubdomain(fqdn, leafClusterName) {
 				continue
 			}
 			leafClient, err := r.cfg.clientApplication.GetCachedClient(ctx, profileName, leafClusterName)
@@ -282,8 +281,10 @@ func (r *fqdnResolver) tryResolveSSH(ctx context.Context, profileNames []string,
 				},
 			}, nil
 		}
-		// If it didn't match any leaf cluster assume it matches the root
-		// cluster.
+		// Didn't match any leaf, check if it's in the root cluster.
+		if !isDescendantSubdomain(fqdn, rootClusterName) {
+			continue
+		}
 		clusterConfig, err := r.cfg.clusterConfigCache.GetClusterConfig(ctx, rootClient)
 		if err != nil {
 			log.ErrorContext(ctx, "Failed to get VNet config, SSH nodes in this cluster will not be resolved", "error", err)
diff --git a/lib/vnet/opensshconfig.go b/lib/vnet/opensshconfig.go
index bd7ce4f50d3cc..65f2587f63796 100644
--- a/lib/vnet/opensshconfig.go
+++ b/lib/vnet/opensshconfig.go
@@ -144,6 +144,7 @@ type sshConfigurator struct {
 
 type sshConfiguratorConfig struct {
 	clientApplication ClientApplication
+	leafClusterCache  *leafClusterCache
 	homePath          string
 	clock             clockwork.Clock
 }
@@ -199,6 +200,16 @@ func (c *sshConfigurator) updateSSHConfiguration(ctx context.Context) error {
 			continue
 		}
 		hostMatchers = append(hostMatchers, hostMatcher(rootClient.RootClusterName()))
+		leafClusters, err := c.cfg.leafClusterCache.getLeafClusters(ctx, rootClient)
+		if err != nil {
+			log.WarnContext(ctx,
+				"Failed to list leaf clusters, not configuring VNet SSH for leaf clusters of this cluster",
+				"root_cluster", rootClient.ClusterName(), "error", err)
+			continue
+		}
+		for _, leafCluster := range leafClusters {
+			hostMatchers = append(hostMatchers, hostMatcher(leafCluster))
+		}
 	}
 	hostMatchers = utils.Deduplicate(hostMatchers)
 	slices.Sort(hostMatchers)
diff --git a/lib/vnet/opensshconfig_test.go b/lib/vnet/opensshconfig_test.go
index 3289577f783aa..4e933fc3bc915 100644
--- a/lib/vnet/opensshconfig_test.go
+++ b/lib/vnet/opensshconfig_test.go
@@ -33,23 +33,33 @@ func TestSSHConfigurator(t *testing.T) {
 	t.Parallel()
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
-	clock := clockwork.NewFakeClockAt(time.Now())
 	homePath := t.TempDir()
 
+	// This test gives a fake clock only to the SSH configurator and a real
+	// clock to everything else, so that fakeClock.BlockUntilContext will
+	// reliably only capture the SSH configuration loop and nothing else.
+	fakeClock := clockwork.NewFakeClockAt(time.Now())
+	realClock := clockwork.NewRealClock()
+
 	fakeClientApp := newFakeClientApp(ctx, t, &fakeClientAppConfig{
 		clusters: map[string]testClusterSpec{
-			"cluster1": {},
+			"cluster1": {
+				leafClusters: map[string]testClusterSpec{
+					"leaf1": {},
+				},
+			},
 			"cluster2": {},
 		},
-		// Give the fake client app a different clock so we can rely on
-		// clock.BlockUntilContext only capturing the SSH configuration loop.
-		clock: clockwork.NewRealClock(),
+		clock: realClock,
 	})
+	leafClusterCache, err := newLeafClusterCache(realClock)
+	require.NoError(t, err)
 
 	c := newSSHConfigurator(sshConfiguratorConfig{
 		clientApplication: fakeClientApp,
+		leafClusterCache:  leafClusterCache,
 		homePath:          homePath,
-		clock:             clock,
+		clock:             fakeClock,
 	})
 	errC := make(chan error)
 	go func() {
@@ -80,25 +90,29 @@ func TestSSHConfigurator(t *testing.T) {
 
 	// Wait until the configurator has had a chance to write the initial config
 	// file and then get blocked in the loop.
-	clock.BlockUntilContext(ctx, 1)
+	fakeClock.BlockUntilContext(ctx, 1)
 	// Assert the config file contains both root clusters reported by
 	// fakeClientApp.
-	assertConfigFile("*.cluster1 *.cluster2")
+	assertConfigFile("*.cluster1 *.cluster2 *.leaf1")
 
-	// Add a root cluster, wait until the configurator is blocked in the loop,
-	// advance the clock, wait until the configurator is blocked again
-	// indicating it should have updated the config and made it back into the
-	// loop, and then assert that the new cluster is in the config file.
-	fakeClientApp.cfg.clusters["cluster3"] = testClusterSpec{}
-	clock.BlockUntilContext(ctx, 1)
-	clock.Advance(sshConfigurationUpdateInterval)
-	clock.BlockUntilContext(ctx, 1)
-	assertConfigFile("*.cluster1 *.cluster2 *.cluster3")
+	// Add a new root and leaf cluster, wait until the configurator is blocked
+	// in the loop, advance the clock, wait until the configurator is blocked
+	// again indicating it should have updated the config and made it back into
+	// the loop, and then assert that the new clusters are in the config file.
+	fakeClientApp.cfg.clusters["cluster3"] = testClusterSpec{
+		leafClusters: map[string]testClusterSpec{
+			"leaf2": {},
+		},
+	}
+	fakeClock.BlockUntilContext(ctx, 1)
+	fakeClock.Advance(sshConfigurationUpdateInterval)
+	fakeClock.BlockUntilContext(ctx, 1)
+	assertConfigFile("*.cluster1 *.cluster2 *.cluster3 *.leaf1 *.leaf2")
 
 	// Kill the configurator, wait for it to return, and assert that the config
 	// file was deleted.
 	cancel()
 	require.ErrorIs(t, <-errC, context.Canceled)
-	_, err := os.Stat(keypaths.VNetSSHConfigPath(homePath))
+	_, err = os.Stat(keypaths.VNetSSHConfigPath(homePath))
 	require.ErrorIs(t, err, os.ErrNotExist)
 }
diff --git a/lib/vnet/ssh_handler.go b/lib/vnet/ssh_handler.go
index 02b95f548d325..1ca080d294ee9 100644
--- a/lib/vnet/ssh_handler.go
+++ b/lib/vnet/ssh_handler.go
@@ -59,14 +59,13 @@ func (h *sshHandler) handleTCPConnector(ctx context.Context, localPort uint16, c
 		return trace.Wrap(err)
 	}
 	defer targetConn.Close()
-	return trace.Wrap(h.handleTCPConnectorWithTargetConn(ctx, localPort, connector, targetConn))
+	return trace.Wrap(h.handleTCPConnectorWithTargetConn(ctx, connector, targetConn))
 }
 
 // handleTCPConnectorWithTargetTCPConn handles an incoming TCP connection from
 // VNet when a TCP connection to the target host has already been established.
 func (h *sshHandler) handleTCPConnectorWithTargetConn(
 	ctx context.Context,
-	localPort uint16,
 	connector func() (net.Conn, error),
 	targetConn net.Conn,
 ) error {
diff --git a/lib/vnet/ssh_provider.go b/lib/vnet/ssh_provider.go
index dd964b4967f04..1c54bab4048a3 100644
--- a/lib/vnet/ssh_provider.go
+++ b/lib/vnet/ssh_provider.go
@@ -17,6 +17,7 @@
 package vnet
 
 import (
+	"cmp"
 	"context"
 	"crypto/tls"
 	"crypto/x509"
@@ -241,18 +242,15 @@ type dialTarget struct {
 }
 
 func computeDialTarget(matchedCluster *vnetv1.MatchedCluster, fqdn string) dialTarget {
-	targetCluster := matchedCluster.GetRootCluster()
-	targetHost := strings.TrimSuffix(fqdn, "."+matchedCluster.GetRootCluster()+".")
-	leafCluster := matchedCluster.GetLeafCluster()
-	if leafCluster != "" {
-		targetCluster = leafCluster
-		targetHost = strings.TrimSuffix(targetHost, "."+leafCluster)
-	}
+	// matchedCluster.LeafCluster will be set if the host was in a leaf
+	// cluster, else it will be unset and the target cluster is the root.
+	targetCluster := cmp.Or(matchedCluster.GetLeafCluster(), matchedCluster.GetRootCluster())
+	targetHost := strings.TrimSuffix(fqdn, "."+fullyQualify(targetCluster))
 	return dialTarget{
 		fqdn:        fqdn,
 		profile:     matchedCluster.GetProfile(),
 		rootCluster: matchedCluster.GetRootCluster(),
-		leafCluster: leafCluster,
+		leafCluster: matchedCluster.GetLeafCluster(),
 		cluster:     targetCluster,
 		hostname:    targetHost,
 		addr:        targetHost + ":0",
diff --git a/lib/vnet/tcp_handler_resolver.go b/lib/vnet/tcp_handler_resolver.go
index 47791a6b4e30c..7d4d0dbe16696 100644
--- a/lib/vnet/tcp_handler_resolver.go
+++ b/lib/vnet/tcp_handler_resolver.go
@@ -209,7 +209,7 @@ func (h *undecidedHandler) handleTCPConnector(ctx context.Context, localPort uin
 		h.setDecidedHandler(sshHandler)
 		// Handle the incoming connection with the TCP connection to the target
 		// SSH node that has already been established.
-		return sshHandler.handleTCPConnectorWithTargetConn(ctx, localPort, connector, targetConn)
+		return sshHandler.handleTCPConnectorWithTargetConn(ctx, connector, targetConn)
 	}
 	return trace.Errorf("rejecting connection to %s:%d", h.cfg.fqdn, localPort)
 }
diff --git a/lib/vnet/user_process.go b/lib/vnet/user_process.go
index 48eb3dbb38595..dc84f2b6c2f2c 100644
--- a/lib/vnet/user_process.go
+++ b/lib/vnet/user_process.go
@@ -116,6 +116,7 @@ func RunUserProcess(ctx context.Context, clientApplication ClientApplication) (*
 	processManager, processCtx := newProcessManager()
 	sshConfigurator := newSSHConfigurator(sshConfiguratorConfig{
 		clientApplication: clientApplication,
+		leafClusterCache:  leafClusterCache,
 	})
 	processManager.AddCriticalBackgroundTask("SSH configuration loop", func() error {
 		return trace.Wrap(sshConfigurator.runConfigurationLoop(processCtx))
diff --git a/lib/vnet/vnet_test.go b/lib/vnet/vnet_test.go
index 72674a59edad3..b980a5c8bf46f 100644
--- a/lib/vnet/vnet_test.go
+++ b/lib/vnet/vnet_test.go
@@ -749,20 +749,16 @@ func TestDialFakeApp(t *testing.T) {
 		clusters: map[string]testClusterSpec{
 			"root1.example.com": {
 				apps: []appSpec{
-					appSpec{publicAddr: "echo1.root1.example.com"},
-					appSpec{publicAddr: "echo2.root1.example.com"},
-					appSpec{publicAddr: "echo.myzone.example.com"},
-					appSpec{publicAddr: "echo.nested.myzone.example.com"},
-					appSpec{publicAddr: "not.in.a.custom.zone"},
-					appSpec{
+					{publicAddr: "echo1.root1.example.com"},
+					{publicAddr: "echo2.root1.example.com"},
+					{publicAddr: "echo.myzone.example.com"},
+					{publicAddr: "echo.nested.myzone.example.com"},
+					{publicAddr: "not.in.a.custom.zone"},
+					{
 						publicAddr: "multi-port.root1.example.com",
 						tcpPorts: []*types.PortRange{
-							&types.PortRange{
-								Port: 1337,
-							},
-							&types.PortRange{
-								Port: 4242,
-							},
+							{Port: 1337},
+							{Port: 4242},
 						},
 					},
 				},
@@ -773,36 +769,32 @@ func TestDialFakeApp(t *testing.T) {
 				leafClusters: map[string]testClusterSpec{
 					"leaf1.example.com": {
 						apps: []appSpec{
-							appSpec{publicAddr: "echo1.leaf1.example.com"},
-							appSpec{
+							{publicAddr: "echo1.leaf1.example.com"},
+							{
 								publicAddr: "multi-port.leaf1.example.com",
 								tcpPorts: []*types.PortRange{
-									&types.PortRange{
-										Port: 1337,
-									},
-									&types.PortRange{
-										Port: 4242,
-									},
+									{Port: 1337},
+									{Port: 4242},
 								},
 							},
 						},
 					},
 					"leaf2.example.com": {
 						apps: []appSpec{
-							appSpec{publicAddr: "echo1.leaf2.example.com"},
+							{publicAddr: "echo1.leaf2.example.com"},
 						},
 					},
 				},
 			},
 			"root2.example.com": {
 				apps: []appSpec{
-					appSpec{publicAddr: "echo1.root2.example.com"},
-					appSpec{publicAddr: "echo2.root2.example.com"},
+					{publicAddr: "echo1.root2.example.com"},
+					{publicAddr: "echo2.root2.example.com"},
 				},
 				leafClusters: map[string]testClusterSpec{
 					"leaf3.example.com": {
 						apps: []appSpec{
-							appSpec{publicAddr: "echo1.leaf3.example.com"},
+							{publicAddr: "echo1.leaf3.example.com"},
 						},
 					},
 				},
@@ -1044,7 +1036,7 @@ func TestOnNewConnection(t *testing.T) {
 		clusters: map[string]testClusterSpec{
 			"root1.example.com": {
 				apps: []appSpec{
-					appSpec{publicAddr: "echo1"},
+					{publicAddr: "echo1"},
 				},
 				cidrRange:    "192.168.2.0/24",
 				leafClusters: map[string]testClusterSpec{},
@@ -1105,15 +1097,15 @@ func testWithAlgorithmSuite(t *testing.T, suite types.SignatureAlgorithmSuite) {
 		clusters: map[string]testClusterSpec{
 			"root.example.com": {
 				apps: []appSpec{
-					appSpec{publicAddr: "echo1"},
-					appSpec{publicAddr: "echo2"},
+					{publicAddr: "echo1"},
+					{publicAddr: "echo2"},
 				},
 				cidrRange: "192.168.2.0/24",
 				leafClusters: map[string]testClusterSpec{
 					"leaf.example.com": {
 						apps: []appSpec{
-							appSpec{publicAddr: "echo1"},
-							appSpec{publicAddr: "echo2"},
+							{publicAddr: "echo1"},
+							{publicAddr: "echo2"},
 						},
 						cidrRange: "192.168.2.0/24",
 					},
@@ -1296,7 +1288,7 @@ func TestSSH(t *testing.T) {
 		},
 		{
 			// Connection to node in leaf cluster should work.
-			dialAddr:      "node.leaf1.example.com.root1.example.com",
+			dialAddr:      "node.leaf1.example.com",
 			dialPort:      22,
 			expectCIDR:    leaf1CIDR,
 			sshUser:       "testuser",
@@ -1314,7 +1306,7 @@ func TestSSH(t *testing.T) {
 		{
 			// Connection to node in leaf cluster in alternate profile should
 			// work.
-			dialAddr:      "node.leaf2.example.com.root2.example.com",
+			dialAddr:      "node.leaf2.example.com",
 			dialPort:      22,
 			expectCIDR:    leaf2CIDR,
 			sshUser:       "testuser",
diff --git a/rfd/0207-vnet-ssh.md b/rfd/0207-vnet-ssh.md
index a78cf3c5fe8dc..66ebabf392673 100644
--- a/rfd/0207-vnet-ssh.md
+++ b/rfd/0207-vnet-ssh.md
@@ -7,9 +7,9 @@ state: draft
 
 ## Required Approvers
 
-* Engineering: @espadolini && @rosstimothy
-* Security: doyensec
-* Product: @klizhentas
+- Engineering: @espadolini && @rosstimothy
+- Security: doyensec
+- Product: @klizhentas
 
 ## What
 
@@ -24,7 +24,7 @@ Advanced Teleport features like per-session MFA and hardware keys will be fully
 supported.
 
 Here's a demo with a proof-of-concept of the feature in action:
-https://goteleport.zoom.us/clips/share/3xSvI4taSD6YgM1C0l12nQ
+<https://goteleport.zoom.us/clips/share/3xSvI4taSD6YgM1C0l12nQ>
 
 ## Why
 
@@ -197,13 +197,11 @@ we already have an SSH forwarding server implemented in `lib/srv/forward/sshserv
 VNet SSH will support SSH connections to DNS names matching any of the following:
 
 - `<hostname>.<cluster name>`
-- `<hostname>.<leaf cluster name>.<root cluster name>`
 - `<host ID>.<cluster name>`
-- `<host ID>.<leaf cluster name>.<root cluster name>`
 
 These are the same patterns supported by our existing OpenSSH client
 integration, which will offer a seamless transition for users switching to VNet SSH
-https://goteleport.com/docs/enroll-resources/server-access/openssh/openssh-agentless/#step-23-generate-an-ssh-client-configuration
+<https://goteleport.com/docs/enroll-resources/server-access/openssh/openssh-agentless/#step-23-generate-an-ssh-client-configuration>
 
 If users prefer to use a shorter name to connect to SSH hosts, they can add
 a `CanonicalDomains` option to their `~/.ssh/config` file, e.g.
@@ -236,7 +234,7 @@ If the user runs `tsh vnet` instead of Connect, we won't add anything to
 `vnet_ssh_config` will include the following:
 
 ```
-Host *.teleport.example.com *.leaf.teleport.example.com
+Host *.root.example.com *.leaf.example.com
     IdentityFile "/Users/nic/Library/Application Support/tsh/id_vnet"
     GlobalKnownHostsFile "/Users/nic/Library/Application Support/tsh/vnet_known_hosts"
     UserKnownHostsFile /dev/null
@@ -299,9 +297,8 @@ When the VNet process receives a DNS query this is how it will be resolved:
    1. If it matches a web app the DNS request will be forwarded to upstream DNS
       servers (this is also as it implicitly works today, now we'll do it
       explicitly to skip assigning a VNet IP for web apps).
-1. If the name does not match `*.<cluster name>` or
-   `*.<leaf cluster name>.<root cluster name>` for any profile, the request will
-   be forwarded to upstream DNS servers.
+1. If the name does not match `*.<cluster name>` or for any cluster, the
+   request will be forwarded to upstream DNS servers.
 1. VNet will assign a free IP address to the FQDN, but at this point it will not
    know if this IP will later resolve to an SSH host or an app or neither.
 1. VNet will return the IP address in an authoritative DNS answer.
@@ -310,6 +307,7 @@ When the VNet process receives a DNS query this is how it will be resolved:
 
 When the VNet process receives a TCP connection at an address that has been
 assigned to an FQDN but does not yet know if there is a matching app or SSH host:
+
 1. An app lookup will run first in case an app has been added since the DNS
    query that assigned this IP.
    If the queried FQDN matches a TCP app then the IP will be permanently

From 67e956187399a3d130ca8426c7204f65afd49429 Mon Sep 17 00:00:00 2001
From: Nic Klaassen <nic@goteleport.com>
Date: Fri, 13 Jun 2025 11:15:22 -0700
Subject: [PATCH 07/25] [v18][vnet] feat: add "Connect with VNet" button to SSH
 servers

Backport #55623 to branch/v18
---
 .../MenuLoginWithActionMenu.tsx               |  2 +-
 .../src/ui/DocumentCluster/ActionButtons.tsx  | 55 +++++++++----
 .../DocumentCluster/UnifiedResources.test.tsx | 18 +++--
 .../teleterm/src/ui/Search/actions.tsx        |  4 +-
 .../ui/Search/pickers/useActionAttempts.ts    |  4 +-
 .../teleterm/src/ui/Vnet/DocumentVnetInfo.tsx | 15 ++--
 web/packages/teleterm/src/ui/Vnet/index.ts    |  2 +-
 ...netAppLauncher.tsx => useVnetLauncher.tsx} | 79 ++++++++-----------
 .../documentsService/connectToApp.ts          |  6 +-
 .../documentsService/documentsService.ts      |  8 +-
 .../documentsService/testHelpers.ts           |  2 +-
 .../documentsService/types.ts                 | 39 +++++----
 .../workspacesService/workspacesService.ts    |  2 +-
 13 files changed, 125 insertions(+), 111 deletions(-)
 rename web/packages/teleterm/src/ui/Vnet/{useVnetAppLauncher.tsx => useVnetLauncher.tsx} (69%)

diff --git a/web/packages/shared/components/MenuLoginWithActionMenu/MenuLoginWithActionMenu.tsx b/web/packages/shared/components/MenuLoginWithActionMenu/MenuLoginWithActionMenu.tsx
index 7c29494ce00d1..8a46e5a35b377 100644
--- a/web/packages/shared/components/MenuLoginWithActionMenu/MenuLoginWithActionMenu.tsx
+++ b/web/packages/shared/components/MenuLoginWithActionMenu/MenuLoginWithActionMenu.tsx
@@ -54,7 +54,7 @@ export const MenuLoginWithActionMenu = ({
   inputType,
 }: {
   /** Button text for main menu button. */
-  buttonText: string;
+  buttonText?: string;
   /**
    * Handles select or click in main menu items.
    * If isExternalUrl item returned by getLoginItems is true, a button with <a> tag is rendered
diff --git a/web/packages/teleterm/src/ui/DocumentCluster/ActionButtons.tsx b/web/packages/teleterm/src/ui/DocumentCluster/ActionButtons.tsx
index 2e34a07ba7c2b..8a9a2759ed2d2 100644
--- a/web/packages/teleterm/src/ui/DocumentCluster/ActionButtons.tsx
+++ b/web/packages/teleterm/src/ui/DocumentCluster/ActionButtons.tsx
@@ -35,6 +35,7 @@ import {
   MenuLogin,
   MenuLoginProps,
 } from 'shared/components/MenuLogin';
+import { MenuLoginWithActionMenu } from 'shared/components/MenuLoginWithActionMenu';
 
 import {
   formatPortRange,
@@ -57,12 +58,25 @@ import {
 import { IAppContext } from 'teleterm/ui/types';
 import { DatabaseUri, routing } from 'teleterm/ui/uri';
 import { retryWithRelogin } from 'teleterm/ui/utils';
-import { useVnetAppLauncher, useVnetContext } from 'teleterm/ui/Vnet';
+import { useVnetContext, useVnetLauncher } from 'teleterm/ui/Vnet';
 
 export function ConnectServerActionButton(props: {
   server: Server;
 }): React.JSX.Element {
   const ctx = useAppContext();
+  const { isSupported: isVnetSupported } = useVnetContext();
+  const { launchVnet } = useVnetLauncher();
+
+  function connectWithVnet(): void {
+    const hostname = props.server.hostname;
+    const cluster = ctx.clustersService.findClusterByResource(props.server.uri);
+    const clusterName = cluster?.name || '<cluster>';
+    const addr = `${hostname}.${clusterName}`;
+    launchVnet({
+      addrToCopy: addr,
+      resourceUri: props.server.uri,
+    });
+  }
 
   function getSshLogins(): string[] {
     const cluster = ctx.clustersService.findClusterByResource(props.server.uri);
@@ -80,21 +94,28 @@ export function ConnectServerActionButton(props: {
     );
   }
 
+  const commonProps = {
+    inputType: MenuInputType.FILTER,
+    textTransform: 'none',
+    getLoginItems: () => getSshLogins().map(login => ({ login, url: '' })),
+    onSelect: (e, login) => connect(login),
+    transformOrigin: {
+      vertical: 'top',
+      horizontal: 'right',
+    },
+    anchorOrigin: {
+      vertical: 'bottom',
+      horizontal: 'right',
+    },
+  };
+
+  if (!isVnetSupported) {
+    return <MenuLogin {...commonProps} />;
+  }
   return (
-    <MenuLogin
-      inputType={MenuInputType.FILTER}
-      textTransform="none"
-      getLoginItems={() => getSshLogins().map(login => ({ login, url: '' }))}
-      onSelect={(e, login) => connect(login)}
-      transformOrigin={{
-        vertical: 'top',
-        horizontal: 'right',
-      }}
-      anchorOrigin={{
-        vertical: 'bottom',
-        horizontal: 'right',
-      }}
-    />
+    <MenuLoginWithActionMenu size="small" {...commonProps}>
+      <MenuItem onClick={connectWithVnet}>Connect with VNet</MenuItem>
+    </MenuLoginWithActionMenu>
   );
 }
 
@@ -121,13 +142,13 @@ export function ConnectKubeActionButton(props: {
 export function ConnectAppActionButton(props: { app: App }): React.JSX.Element {
   const appContext = useAppContext();
   const { isSupported: isVnetSupported } = useVnetContext();
-  const { launchVnet } = useVnetAppLauncher();
+  const { launchVnet } = useVnetLauncher();
 
   function connectWithVnet(targetPort?: number): void {
     void launchVnet({
       addrToCopy: appToAddrToCopy(props.app, targetPort),
       resourceUri: props.app.uri,
-      isMultiPort: !!props.app.tcpPorts.length,
+      isMultiPortApp: !!props.app.tcpPorts.length,
     });
   }
 
diff --git a/web/packages/teleterm/src/ui/DocumentCluster/UnifiedResources.test.tsx b/web/packages/teleterm/src/ui/DocumentCluster/UnifiedResources.test.tsx
index d2d9dab4483dd..244c26109af0f 100644
--- a/web/packages/teleterm/src/ui/DocumentCluster/UnifiedResources.test.tsx
+++ b/web/packages/teleterm/src/ui/DocumentCluster/UnifiedResources.test.tsx
@@ -45,7 +45,9 @@ import { MockAppContextProvider } from 'teleterm/ui/fixtures/MockAppContextProvi
 import { MockAppContext } from 'teleterm/ui/fixtures/mocks';
 import { MockWorkspaceContextProvider } from 'teleterm/ui/fixtures/MockWorkspaceContextProvider';
 import { makeDocumentCluster } from 'teleterm/ui/services/workspacesService/documentsService/testHelpers';
+import { ConnectionsContextProvider } from 'teleterm/ui/TopBar/Connections/connectionsContext';
 import * as uri from 'teleterm/ui/uri';
+import { VnetContextProvider } from 'teleterm/ui/Vnet';
 
 const mio = mockIntersectionObserver();
 
@@ -311,12 +313,16 @@ test.each([
       <MockWorkspaceContextProvider>
         <ResourcesContextProvider>
           <ConnectMyComputerContextProvider rootClusterUri={rootCluster.uri}>
-            <Refresher ref={ref} rootClusterUri={rootCluster.uri} />
-            <UnifiedResources
-              clusterUri={doc.clusterUri}
-              docUri={doc.uri}
-              queryParams={doc.queryParams}
-            />
+            <ConnectionsContextProvider>
+              <VnetContextProvider>
+                <Refresher ref={ref} rootClusterUri={rootCluster.uri} />
+                <UnifiedResources
+                  clusterUri={doc.clusterUri}
+                  docUri={doc.uri}
+                  queryParams={doc.queryParams}
+                />
+              </VnetContextProvider>
+            </ConnectionsContextProvider>
           </ConnectMyComputerContextProvider>
         </ResourcesContextProvider>
       </MockWorkspaceContextProvider>
diff --git a/web/packages/teleterm/src/ui/Search/actions.tsx b/web/packages/teleterm/src/ui/Search/actions.tsx
index 559aa71b28f47..f8bd045aec7dd 100644
--- a/web/packages/teleterm/src/ui/Search/actions.tsx
+++ b/web/packages/teleterm/src/ui/Search/actions.tsx
@@ -31,7 +31,7 @@ import { ResourceRequest } from 'teleterm/ui/services/workspacesService/accessRe
 import { IAppContext } from 'teleterm/ui/types';
 import { routing } from 'teleterm/ui/uri';
 import { assertUnreachable, retryWithRelogin } from 'teleterm/ui/utils';
-import { VnetAppLauncher } from 'teleterm/ui/Vnet';
+import { VnetLauncher } from 'teleterm/ui/Vnet';
 
 export interface SimpleAction {
   type: 'simple-action';
@@ -73,7 +73,7 @@ export type SearchAction = SimpleAction | ParametrizedAction;
 
 export function mapToAction(
   ctx: IAppContext,
-  launchVnet: VnetAppLauncher,
+  launchVnet: VnetLauncher,
   searchContext: SearchContext,
   result: SearchResult
 ): SearchAction {
diff --git a/web/packages/teleterm/src/ui/Search/pickers/useActionAttempts.ts b/web/packages/teleterm/src/ui/Search/pickers/useActionAttempts.ts
index 0b31754da7115..de73c428cce77 100644
--- a/web/packages/teleterm/src/ui/Search/pickers/useActionAttempts.ts
+++ b/web/packages/teleterm/src/ui/Search/pickers/useActionAttempts.ts
@@ -38,7 +38,7 @@ import {
 } from 'teleterm/ui/Search/useSearch';
 import { routing } from 'teleterm/ui/uri';
 import { isRetryable } from 'teleterm/ui/utils/retryWithRelogin';
-import { useVnetAppLauncher, useVnetContext } from 'teleterm/ui/Vnet';
+import { useVnetContext, useVnetLauncher } from 'teleterm/ui/Vnet';
 
 import { useDisplayResults } from './useDisplayResults';
 
@@ -48,7 +48,7 @@ export function useActionAttempts() {
   const searchContext = useSearchContext();
   const { inputValue, filters, pauseUserInteraction } = searchContext;
   const { isSupported: isVnetSupported } = useVnetContext();
-  const vnetLauncher = useVnetAppLauncher();
+  const vnetLauncher = useVnetLauncher();
   const launchVnet = isVnetSupported ? vnetLauncher.launchVnet : undefined;
 
   const [resourceSearchAttempt, runResourceSearch, setResourceSearchAttempt] =
diff --git a/web/packages/teleterm/src/ui/Vnet/DocumentVnetInfo.tsx b/web/packages/teleterm/src/ui/Vnet/DocumentVnetInfo.tsx
index eb6bd8ecc0db7..878ae406aa808 100644
--- a/web/packages/teleterm/src/ui/Vnet/DocumentVnetInfo.tsx
+++ b/web/packages/teleterm/src/ui/Vnet/DocumentVnetInfo.tsx
@@ -31,7 +31,7 @@ import type * as docTypes from 'teleterm/ui/services/workspacesService';
 import { routing } from 'teleterm/ui/uri';
 
 import appAccessPng from './app-access.png';
-import { useVnetAppLauncher } from './useVnetAppLauncher';
+import { useVnetLauncher } from './useVnetLauncher';
 import { useVnetContext } from './vnetContext';
 
 export function DocumentVnetInfo(props: {
@@ -46,7 +46,7 @@ export function DocumentVnetInfo(props: {
     stopAttempt,
     status,
   } = useVnetContext();
-  const { launchVnetWithoutFirstTimeCheck } = useVnetAppLauncher();
+  const { launchVnetWithoutFirstTimeCheck } = useVnetLauncher();
   const userAtHost = useMemo(() => {
     const { hostname, username } = mainProcessClient.getRuntimeSettings();
     return `${username}@${hostname}`;
@@ -55,13 +55,10 @@ export function DocumentVnetInfo(props: {
   const proxyHostname = routing.parseClusterName(rootClusterUri);
 
   const startVnet = async () => {
-    await launchVnetWithoutFirstTimeCheck({
-      addrToCopy: doc.app?.targetAddress,
-      isMultiPort: doc.app?.isMultiPort,
-    });
-    // Remove targetAddress so that subsequent launches of VNet from this specific doc won't copy
-    // the stale app address to the clipboard.
-    documentsService.update(doc.uri, { app: undefined });
+    await launchVnetWithoutFirstTimeCheck(doc.launcherArgs);
+    // Remove launcherArgs so that subsequent launches of VNet from this
+    // specific doc won't copy the stale address to the clipboard.
+    documentsService.update(doc.uri, { launcherArgs: undefined });
   };
 
   return (
diff --git a/web/packages/teleterm/src/ui/Vnet/index.ts b/web/packages/teleterm/src/ui/Vnet/index.ts
index 84e6538a4bc67..0199a9148e28a 100644
--- a/web/packages/teleterm/src/ui/Vnet/index.ts
+++ b/web/packages/teleterm/src/ui/Vnet/index.ts
@@ -19,4 +19,4 @@
 export * from './VnetSliderStep';
 export * from './vnetContext';
 export { VnetConnectionItem } from './VnetConnectionItem';
-export * from './useVnetAppLauncher';
+export * from './useVnetLauncher';
diff --git a/web/packages/teleterm/src/ui/Vnet/useVnetAppLauncher.tsx b/web/packages/teleterm/src/ui/Vnet/useVnetLauncher.tsx
similarity index 69%
rename from web/packages/teleterm/src/ui/Vnet/useVnetAppLauncher.tsx
rename to web/packages/teleterm/src/ui/Vnet/useVnetLauncher.tsx
index dd18aaeeddecc..9ede335521b95 100644
--- a/web/packages/teleterm/src/ui/Vnet/useVnetAppLauncher.tsx
+++ b/web/packages/teleterm/src/ui/Vnet/useVnetLauncher.tsx
@@ -19,48 +19,31 @@
 import { useCallback, useMemo } from 'react';
 
 import { useAppContext } from 'teleterm/ui/appContextProvider';
+import { VnetLauncherArgs } from 'teleterm/ui/services/workspacesService/documentsService/types';
 import { useConnectionsContext } from 'teleterm/ui/TopBar/Connections/connectionsContext';
-import { ResourceUri, routing } from 'teleterm/ui/uri';
+import { routing } from 'teleterm/ui/uri';
 
 import { useVnetContext } from './vnetContext';
 
-export type VnetAppLauncher = (args: VnetAppLauncherArgs) => Promise<void>;
+export type VnetLauncher = (args: VnetLauncherArgs) => Promise<void>;
 
-// NOTE: Almost every field added to VnetAppLauncherArgs will need to be added to DocumentVnetInfo.
-//
-// This is because during the first launch of VNet through useVnetAppLauncher, the act of launching
-// VNet is split into two parts. When a user clicks the "Connect" button next to a TCP app or opens
-// one from the search bar, a DocumentVnetInfo is opened first. Then the user can start VNet from
-// there, which should carry out the launch of that particular app. Hence the need to copy some
-// arguments from the app to the doc.
-type VnetAppLauncherArgs = {
-  addrToCopy: string | undefined;
-  /**
-   * resourceUri lets the VNet launcher establish which workspace to open the info doc in if
-   * there's a need to do it.
-   */
-  resourceUri: ResourceUri;
-  isMultiPort: boolean;
-};
-
-export const useVnetAppLauncher = (): {
+export const useVnetLauncher = (): {
   /**
    * launchVnet is a function that manages VNet start when:
    *
    * - The user clicks "Connect" next to a TCP app or selects one of the ports from the menu.
    * - The user selects a TCP app through the search bar.
+   * - The user clicks "Connect with VNet" on an SSH server.
    *
    * If the user is yet to start VNet, it opens the info doc. If they already started it in the past,
-   * it starts VNet and then copies the address of the app to the clipboard.
+   * it starts VNet and then copies the address of the resource to the clipboard.
    */
-  launchVnet: VnetAppLauncher;
+  launchVnet: VnetLauncher;
   /**
    * launchVnetWithoutFirstTimeCheck never opens the info doc, it starts VNet and then copies the
-   * address of the app to the clipboard.
+   * address of the resource to the clipboard.
    */
-  launchVnetWithoutFirstTimeCheck: (
-    args: Pick<VnetAppLauncherArgs, 'addrToCopy' | 'isMultiPort'>
-  ) => Promise<void>;
+  launchVnetWithoutFirstTimeCheck: (args?: VnetLauncherArgs) => Promise<void>;
 } => {
   const { notificationsService, workspacesService } = useAppContext();
   const { start, status, startAttempt, hasEverStarted } = useVnetContext();
@@ -82,8 +65,8 @@ export const useVnetAppLauncher = (): {
   }, [status.value, startAttempt.status, open, start]);
 
   const openInfoDoc = useCallback(
-    async ({ addrToCopy, resourceUri, isMultiPort }: VnetAppLauncherArgs) => {
-      const rootClusterUri = routing.ensureRootClusterUri(resourceUri);
+    async (args: VnetLauncherArgs) => {
+      const rootClusterUri = routing.ensureRootClusterUri(args.resourceUri);
       // Since VNet app launcher might be called from the search bar, we have to account for the
       // user being in a different workspace than the selected app.
       const { isAtDesiredWorkspace } =
@@ -105,35 +88,39 @@ export const useVnetAppLauncher = (): {
       // Update targetAddress so that clicking "Start VNet" from the info doc is going to copy that
       // address to clipboard.
       docsService.update(docUri, {
-        app: { targetAddress: addrToCopy, isMultiPort },
+        launcherArgs: args,
       });
     },
     [workspacesService]
   );
 
   const launchVnetAndCopyAddr = useCallback(
-    async ({
-      addrToCopy,
-      isMultiPort,
-    }: Pick<VnetAppLauncherArgs, 'addrToCopy' | 'isMultiPort'>) => {
+    async (args?: VnetLauncherArgs) => {
       if (!(await launchVnet())) {
         return;
       }
-
-      if (!addrToCopy) {
+      if (!args) {
+        // args are optional, if unset don't copy anything to the clipboard.
         return;
       }
-
-      const copiedToClipboard = copyAddrToClipboard(addrToCopy);
-      notificationsService.notifyInfo(
-        [
-          `Connect via VNet by using ${addrToCopy}`,
-          copiedToClipboard && '(copied to clipboard)',
-          !isMultiPort && 'and any port',
-        ]
-          .filter(Boolean)
-          .join(' ') + '.'
-      );
+      const { addrToCopy, isMultiPortApp, resourceUri } = args;
+      const isApp = !!routing.parseAppUri(resourceUri)?.params?.appId;
+      const isServer = !!routing.parseServerUri(resourceUri)?.params?.serverId;
+      let msgParts = [];
+      if (isApp) {
+        msgParts.push(`Connect via VNet by using ${addrToCopy}`);
+      } else if (isServer) {
+        msgParts.push(`Connect with any SSH client to ${addrToCopy}`);
+      } else {
+        msgParts.push(`Connect via VNet to ${addrToCopy}`);
+      }
+      if (copyAddrToClipboard(addrToCopy)) {
+        msgParts.push('(copied to clipboard)');
+      }
+      if (isApp && !isMultiPortApp) {
+        msgParts.push('and any port');
+      }
+      notificationsService.notifyInfo(msgParts.join(' ') + '.');
     },
     [launchVnet, notificationsService]
   );
diff --git a/web/packages/teleterm/src/ui/services/workspacesService/documentsService/connectToApp.ts b/web/packages/teleterm/src/ui/services/workspacesService/documentsService/connectToApp.ts
index 2602b80b0763b..8343dca0cc6fe 100644
--- a/web/packages/teleterm/src/ui/services/workspacesService/documentsService/connectToApp.ts
+++ b/web/packages/teleterm/src/ui/services/workspacesService/documentsService/connectToApp.ts
@@ -27,7 +27,7 @@ import {
 import { appToAddrToCopy } from 'teleterm/services/vnet/app';
 import { IAppContext } from 'teleterm/ui/types';
 import { AppUri, routing } from 'teleterm/ui/uri';
-import { VnetAppLauncher } from 'teleterm/ui/Vnet';
+import { VnetLauncher } from 'teleterm/ui/Vnet';
 
 import { DocumentOrigin } from './types';
 
@@ -46,7 +46,7 @@ export async function connectToApp(
    * launchVnet is supposed to be provided if VNet is supported. If so, connectToApp is going to use
    * this function when targeting a TCP app. Otherwise it'll create an app gateway.
    */
-  launchVnet: null | VnetAppLauncher,
+  launchVnet: null | VnetLauncher,
   target: App,
   telemetry: { origin: DocumentOrigin },
   options?: {
@@ -111,7 +111,7 @@ export async function connectToApp(
     await launchVnet({
       addrToCopy: appToAddrToCopy(target),
       resourceUri: target.uri,
-      isMultiPort: !!target.tcpPorts.length,
+      isMultiPortApp: !!target.tcpPorts.length,
     });
     return;
   }
diff --git a/web/packages/teleterm/src/ui/services/workspacesService/documentsService/documentsService.ts b/web/packages/teleterm/src/ui/services/workspacesService/documentsService/documentsService.ts
index e974727d40926..352f161adba54 100644
--- a/web/packages/teleterm/src/ui/services/workspacesService/documentsService/documentsService.ts
+++ b/web/packages/teleterm/src/ui/services/workspacesService/documentsService/documentsService.ts
@@ -51,6 +51,7 @@ import {
   DocumentTshNode,
   DocumentVnetDiagReport,
   DocumentVnetInfo,
+  VnetLauncherArgs,
   WebSessionRequest,
 } from './types';
 
@@ -243,10 +244,7 @@ export class DocumentsService {
 
   createVnetInfoDocument(opts: {
     rootClusterUri: RootClusterUri;
-    app?: {
-      targetAddress: string;
-      isMultiPort: boolean;
-    };
+    launcherArgs?: VnetLauncherArgs;
   }): DocumentVnetInfo {
     const uri = routing.getDocUri({ docId: unique() });
 
@@ -255,7 +253,7 @@ export class DocumentsService {
       kind: 'doc.vnet_info',
       title: 'VNet',
       rootClusterUri: opts.rootClusterUri,
-      app: opts.app,
+      launcherArgs: opts.launcherArgs,
     };
   }
 
diff --git a/web/packages/teleterm/src/ui/services/workspacesService/documentsService/testHelpers.ts b/web/packages/teleterm/src/ui/services/workspacesService/documentsService/testHelpers.ts
index 90f3f72cd77ac..2f393d8cac0a5 100644
--- a/web/packages/teleterm/src/ui/services/workspacesService/documentsService/testHelpers.ts
+++ b/web/packages/teleterm/src/ui/services/workspacesService/documentsService/testHelpers.ts
@@ -221,7 +221,7 @@ export function makeDocumentVnetInfo(
     uri: '/docs/vnet-info',
     title: 'VNet',
     rootClusterUri,
-    app: undefined,
+    launcherArgs: undefined,
     ...props,
   };
 }
diff --git a/web/packages/teleterm/src/ui/services/workspacesService/documentsService/types.ts b/web/packages/teleterm/src/ui/services/workspacesService/documentsService/types.ts
index cf702cab71fe8..ad7fb854a503c 100644
--- a/web/packages/teleterm/src/ui/services/workspacesService/documentsService/types.ts
+++ b/web/packages/teleterm/src/ui/services/workspacesService/documentsService/types.ts
@@ -227,30 +227,35 @@ export interface DocumentVnetInfo extends DocumentBase {
   // the document fields, hence why rootClusterUri is defined here.
   rootClusterUri: uri.RootClusterUri;
   /**
-   * Details of the app if the doc was opened by selecting a specific TCP app.
+   * Details of the resource if the doc was opened by selecting a specific resource.
    *
    * This field is needed to facilitate a scenario where a first-time user clicks "Connect" next to
-   * a TCP app, which opens this doc. Once the user clicks "Start VNet" in the doc, Connect should
-   * continue the regular flow of connecting to a TCP app through VNet, which means it should copy
-   * the address of the app to the clipboard, hence this field.
+   * a TCP app or SSH server, which opens this doc. Once the user clicks "Start VNet" in the doc,
+   * Connect should continue the regular flow of connecting to a TCP app through VNet, which means
+   * it should copy the address of the resource to the clipboard, hence this field.
    *
-   * app is removed when restoring persisted state. Let's say the user opens the doc through the
-   * "Connect" button of a specific app. If they close the app and then reopen the docs, we don't
+   * launcherArgs is removed when restoring persisted state. Let's say the user opens the doc through
+   * the "Connect" button of a specific app. If they close the app and then reopen the doc, we don't
    * want the "Start VNet" button to copy the address of the app from the prev session.
    */
-  app:
-    | {
-        /**
-         * The address that's going to be copied to the clipboard after user starts VNet for the
-         * first time through this document.
-         *
-         */
-        targetAddress: string | undefined;
-        isMultiPort: boolean;
-      }
-    | undefined;
+  launcherArgs: VnetLauncherArgs | undefined;
 }
 
+/**
+ * Details about a user-selected resource that prompted the VNet launch, so
+ * that addrToCopy can be copied to the clipboard after VNet launches with a
+ * helpful message displayed in a notification.
+ */
+export type VnetLauncherArgs = {
+  // The address that's going to be copied to the clipboard.
+  addrToCopy: string;
+  // The URI of the resource the user clicked.
+  resourceUri: uri.ResourceUri;
+  // True if the user clicked a multi-port TCP app, used to render a slightly
+  // different message in the (copied to clipboard) notification.
+  isMultiPortApp?: boolean;
+};
+
 /**
  * Document to authorize a web session with device trust.
  * Unlike other documents, it is not persisted on disk.
diff --git a/web/packages/teleterm/src/ui/services/workspacesService/workspacesService.ts b/web/packages/teleterm/src/ui/services/workspacesService/workspacesService.ts
index 1f2874502cad6..166e4a01a59f7 100644
--- a/web/packages/teleterm/src/ui/services/workspacesService/workspacesService.ts
+++ b/web/packages/teleterm/src/ui/services/workspacesService/workspacesService.ts
@@ -590,7 +590,7 @@ export class WorkspacesService extends ImmutableStore<WorkspacesState> {
         if (d.kind === 'doc.vnet_info') {
           const documentVnetInfo: DocumentVnetInfo = {
             ...d,
-            app: undefined,
+            launcherArgs: undefined,
           };
           return documentVnetInfo;
         }

From 76232a3709bdb466a1399253fa3c142cfc0e9e82 Mon Sep 17 00:00:00 2001
From: Nic Klaassen <nic@goteleport.com>
Date: Fri, 13 Jun 2025 12:48:31 -0700
Subject: [PATCH 08/25] fix test in backport

---
 .../teleterm/src/ui/DocumentCluster/UnifiedResources.test.tsx | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/web/packages/teleterm/src/ui/DocumentCluster/UnifiedResources.test.tsx b/web/packages/teleterm/src/ui/DocumentCluster/UnifiedResources.test.tsx
index cd88b6df22e4c..2da3ec26a9d90 100644
--- a/web/packages/teleterm/src/ui/DocumentCluster/UnifiedResources.test.tsx
+++ b/web/packages/teleterm/src/ui/DocumentCluster/UnifiedResources.test.tsx
@@ -404,7 +404,9 @@ it('passes props with stable identity to <Resources>', async () => {
         <MockWorkspaceContextProvider>
           <ResourcesContextProvider>
             <ConnectMyComputerContextProvider rootClusterUri={doc.clusterUri}>
-              {children}
+              <ConnectionsContextProvider>
+                <VnetContextProvider>{children}</VnetContextProvider>
+              </ConnectionsContextProvider>
             </ConnectMyComputerContextProvider>
           </ResourcesContextProvider>
         </MockWorkspaceContextProvider>

From 75d1c5a74175fa2546e0653d22eba62651d858de Mon Sep 17 00:00:00 2001
From: Nic Klaassen <nic@goteleport.com>
Date: Tue, 17 Jun 2025 09:10:56 -0700
Subject: [PATCH 09/25] [v18][vnet] feat: support VNet SSH when cluster name
 does not match proxy public addr

Backport #55655 to branch/v18
---
 lib/teleterm/vnet/service.go                  |   6 +-
 lib/teleterm/vnet/service_darwin.go           |   6 +-
 lib/vnet/admin_process_darwin.go              |   2 +-
 lib/vnet/admin_process_windows.go             |   2 +-
 lib/vnet/client_application_service.go        |  17 +-
 lib/vnet/clusterconfigcache.go                |  22 ++-
 lib/vnet/fqdn_resolver.go                     |   2 +-
 lib/vnet/local_osconfig_provider.go           | 119 --------------
 lib/vnet/osconfig.go                          |   4 +-
 ...onfig_provider.go => osconfig_provider.go} |  12 +-
 ...ider_test.go => osconfig_provider_test.go} |   6 +-
 lib/vnet/unified_cluster_config_provider.go   | 152 ++++++++++++++++++
 lib/vnet/user_process.go                      |  30 ++--
 lib/vnet/vnet_test.go                         |   9 +-
 14 files changed, 215 insertions(+), 174 deletions(-)
 delete mode 100644 lib/vnet/local_osconfig_provider.go
 rename lib/vnet/{remote_osconfig_provider.go => osconfig_provider.go} (83%)
 rename lib/vnet/{remote_osconfig_provider_test.go => osconfig_provider_test.go} (93%)
 create mode 100644 lib/vnet/unified_cluster_config_provider.go

diff --git a/lib/teleterm/vnet/service.go b/lib/teleterm/vnet/service.go
index cef2749ee8ab4..f54565c2684e1 100644
--- a/lib/teleterm/vnet/service.go
+++ b/lib/teleterm/vnet/service.go
@@ -225,15 +225,15 @@ func (s *Service) ListDNSZones(ctx context.Context, req *api.ListDNSZonesRequest
 		s.mu.Unlock()
 		return nil, trace.CompareFailed("VNet is not running")
 	}
-	osConfigProvider := s.vnetProcess.GetOSConfigProvider()
+	unifiedClusterConfigProvider := s.vnetProcess.GetUnifiedClusterConfigProvider()
 	s.mu.Unlock()
 
-	targetOSConfig, err := osConfigProvider.GetTargetOSConfiguration(ctx)
+	unifiedClusterConfig, err := unifiedClusterConfigProvider.GetUnifiedClusterConfig(ctx)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
 	return &api.ListDNSZonesResponse{
-		DnsZones: targetOSConfig.GetDnsZones(),
+		DnsZones: unifiedClusterConfig.AppDNSZones(),
 	}, nil
 }
 
diff --git a/lib/teleterm/vnet/service_darwin.go b/lib/teleterm/vnet/service_darwin.go
index 707d26d70a43b..9eaddaf31dba8 100644
--- a/lib/teleterm/vnet/service_darwin.go
+++ b/lib/teleterm/vnet/service_darwin.go
@@ -77,14 +77,14 @@ func (s *Service) RunDiagnostics(ctx context.Context, req *api.RunDiagnosticsReq
 }
 
 func (s *Service) getNetworkStack(ctx context.Context) (*diagv1.NetworkStack, error) {
-	targetOSConfig, err := s.vnetProcess.GetOSConfigProvider().GetTargetOSConfiguration(ctx)
+	unifiedClusterConfig, err := s.vnetProcess.GetUnifiedClusterConfigProvider().GetUnifiedClusterConfig(ctx)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
 	return &diagv1.NetworkStack{
 		InterfaceName:  s.networkStackInfo.InterfaceName,
 		Ipv6Prefix:     s.networkStackInfo.Ipv6Prefix,
-		Ipv4CidrRanges: targetOSConfig.GetIpv4CidrRanges(),
-		DnsZones:       targetOSConfig.GetDnsZones(),
+		Ipv4CidrRanges: unifiedClusterConfig.IPv4CidrRanges,
+		DnsZones:       unifiedClusterConfig.AllDNSZones(),
 	}, nil
 }
diff --git a/lib/vnet/admin_process_darwin.go b/lib/vnet/admin_process_darwin.go
index c91bddbdbcb45..9161c45d94d4e 100644
--- a/lib/vnet/admin_process_darwin.go
+++ b/lib/vnet/admin_process_darwin.go
@@ -75,7 +75,7 @@ func RunDarwinAdminProcess(ctx context.Context, config daemon.Config) error {
 		return trace.Wrap(err, "reporting network stack info to client application")
 	}
 
-	osConfigProvider, err := newRemoteOSConfigProvider(
+	osConfigProvider, err := newOSConfigProvider(
 		clt,
 		tunName,
 		networkStackConfig.ipv6Prefix.String(),
diff --git a/lib/vnet/admin_process_windows.go b/lib/vnet/admin_process_windows.go
index 2f6532ace2a26..a386ae57d63e9 100644
--- a/lib/vnet/admin_process_windows.go
+++ b/lib/vnet/admin_process_windows.go
@@ -116,7 +116,7 @@ func runWindowsAdminProcess(ctx context.Context, cfg *windowsAdminProcessConfig)
 		return trace.Wrap(err, "reporting network stack info to client application")
 	}
 
-	osConfigProvider, err := newRemoteOSConfigProvider(
+	osConfigProvider, err := newOSConfigProvider(
 		clt,
 		tunName,
 		networkStackConfig.ipv6Prefix.String(),
diff --git a/lib/vnet/client_application_service.go b/lib/vnet/client_application_service.go
index 37a3cc86e8c0c..b612cc0891826 100644
--- a/lib/vnet/client_application_service.go
+++ b/lib/vnet/client_application_service.go
@@ -70,11 +70,11 @@ type clientApplicationService struct {
 }
 
 type clientApplicationServiceConfig struct {
-	fqdnResolver          *fqdnResolver
-	localOSConfigProvider *LocalOSConfigProvider
-	clientApplication     ClientApplication
-	homePath              string
-	clock                 clockwork.Clock
+	fqdnResolver                 *fqdnResolver
+	unifiedClusterConfigProvider *UnifiedClusterConfigProvider
+	clientApplication            ClientApplication
+	homePath                     string
+	clock                        clockwork.Clock
 }
 
 func newClientApplicationService(cfg *clientApplicationServiceConfig) (*clientApplicationService, error) {
@@ -255,12 +255,15 @@ func newAppKey(protoAppKey *vnetv1.AppKey, port uint16) appKey {
 // DNS nameserver and the IPv4 CIDR ranges that should be routed to the VNet TUN
 // interface.
 func (s *clientApplicationService) GetTargetOSConfiguration(ctx context.Context, _ *vnetv1.GetTargetOSConfigurationRequest) (*vnetv1.GetTargetOSConfigurationResponse, error) {
-	targetConfig, err := s.cfg.localOSConfigProvider.GetTargetOSConfiguration(ctx)
+	unifiedClusterConfig, err := s.cfg.unifiedClusterConfigProvider.GetUnifiedClusterConfig(ctx)
 	if err != nil {
 		return nil, trace.Wrap(err, "getting target OS configuration")
 	}
 	return &vnetv1.GetTargetOSConfigurationResponse{
-		TargetOsConfiguration: targetConfig,
+		TargetOsConfiguration: &vnetv1.TargetOSConfiguration{
+			DnsZones:       unifiedClusterConfig.AllDNSZones(),
+			Ipv4CidrRanges: unifiedClusterConfig.IPv4CidrRanges,
+		},
 	}, nil
 }
 
diff --git a/lib/vnet/clusterconfigcache.go b/lib/vnet/clusterconfigcache.go
index b0dde70c522bf..70b8403d86ddd 100644
--- a/lib/vnet/clusterconfigcache.go
+++ b/lib/vnet/clusterconfigcache.go
@@ -32,9 +32,10 @@ import (
 )
 
 type ClusterConfig struct {
-	// DNSZones is the list of DNS zones that are valid for this cluster, this includes ProxyPublicAddr *and*
-	// any configured custom DNS zones for the cluster.
-	DNSZones []string
+	// ProxyPublicAddr is the public address of the proxy, it is always a valid DNS zone for apps.
+	ProxyPublicAddr string
+	// CustomDNSZones is the list of custom DNS zones configured for the cluster.
+	CustomDNSZones []string
 	// IPv4CIDRRange is the CIDR range that IPv4 addresses should be assigned from for apps in this cluster.
 	IPv4CIDRRange string
 	// Expires is the time at which this information should be considered stale and refetched. Stale data may
@@ -46,6 +47,10 @@ func (e *ClusterConfig) stale(clock clockwork.Clock) bool {
 	return clock.Now().After(e.Expires)
 }
 
+func (c *ClusterConfig) appDNSZones() []string {
+	return append([]string{c.ProxyPublicAddr}, c.CustomDNSZones...)
+}
+
 // ClusterConfigCache is a read-through cache for cluster VnetConfigs. Cached entries go stale after 5
 // minutes, after which they will be re-fetched on the next read.
 //
@@ -116,7 +121,7 @@ func (c *ClusterConfigCache) getClusterConfigUncached(ctx context.Context, clust
 		}
 	}
 
-	dnsZones := []string{proxyPublicAddr}
+	var customDNSZones []string
 	ipv4CIDRRange := typesvnet.DefaultIPv4CIDRRange
 
 	vnetConfig, err := clusterClient.CurrentCluster().GetVnetConfig(ctx)
@@ -126,14 +131,15 @@ func (c *ClusterConfigCache) getClusterConfigUncached(ctx context.Context, clust
 		return nil, trace.Wrap(err)
 	} else {
 		for _, zone := range vnetConfig.GetSpec().GetCustomDnsZones() {
-			dnsZones = append(dnsZones, zone.GetSuffix())
+			customDNSZones = append(customDNSZones, zone.GetSuffix())
 		}
 		ipv4CIDRRange = cmp.Or(vnetConfig.GetSpec().GetIpv4CidrRange(), typesvnet.DefaultIPv4CIDRRange)
 	}
 
 	return &ClusterConfig{
-		DNSZones:      dnsZones,
-		IPv4CIDRRange: ipv4CIDRRange,
-		Expires:       c.clock.Now().Add(5 * time.Minute),
+		ProxyPublicAddr: proxyPublicAddr,
+		CustomDNSZones:  customDNSZones,
+		IPv4CIDRRange:   ipv4CIDRRange,
+		Expires:         c.clock.Now().Add(5 * time.Minute),
 	}, nil
 }
diff --git a/lib/vnet/fqdn_resolver.go b/lib/vnet/fqdn_resolver.go
index 38dad60b12419..cce5c910a02a8 100644
--- a/lib/vnet/fqdn_resolver.go
+++ b/lib/vnet/fqdn_resolver.go
@@ -146,7 +146,7 @@ func (r *fqdnResolver) clusterClientForAppFQDN(ctx context.Context, profileName,
 			log.ErrorContext(ctx, "Failed to get VNet config, apps in this cluster will not be resolved.", "profile", profileName, "leaf_cluster", leafClusterName, "error", err)
 			continue
 		}
-		for _, zone := range clusterConfig.DNSZones {
+		for _, zone := range clusterConfig.appDNSZones() {
 			if isDescendantSubdomain(fqdn, zone) {
 				return clusterClient, nil
 			}
diff --git a/lib/vnet/local_osconfig_provider.go b/lib/vnet/local_osconfig_provider.go
deleted file mode 100644
index 0e54b8d522855..0000000000000
--- a/lib/vnet/local_osconfig_provider.go
+++ /dev/null
@@ -1,119 +0,0 @@
-// Teleport
-// Copyright (C) 2025 Gravitational, Inc.
-//
-// This program is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Affero General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU Affero General Public License for more details.
-//
-// You should have received a copy of the GNU Affero General Public License
-// along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-package vnet
-
-import (
-	"context"
-
-	"github.com/gravitational/trace"
-
-	"github.com/gravitational/teleport/api/utils"
-	vnetv1 "github.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/v1"
-)
-
-// LocalOSConfigProvider fetches target OS configuration parameters.
-// Its methods get exposed by [clientApplicationService] so that
-// [remoteOSConfigProvider] can be implemented by calling these methods from the
-// VNet admin process.
-type LocalOSConfigProvider struct {
-	cfg *LocalOSConfigProviderConfig
-}
-
-// LocalOSConfigProviderConfig holds configuration parameters for
-// LocalOSConfigProvider.
-type LocalOSConfigProviderConfig struct {
-	clientApplication  ClientApplication
-	clusterConfigCache *ClusterConfigCache
-	leafClusterCache   *leafClusterCache
-}
-
-// NewLocalOSConfigProvider returns a new LocalOSConfigProvider.
-func NewLocalOSConfigProvider(cfg *LocalOSConfigProviderConfig) *LocalOSConfigProvider {
-	return &LocalOSConfigProvider{
-		cfg: cfg,
-	}
-}
-
-// GetTargetOSConfiguration returns the configuration values that should be
-// configured in the OS, including DNS zones that should be handled by the VNet
-// DNS nameserver and the IPv4 CIDR ranges that should be routed to the VNet TUN
-// interface. This is not all of the OS configuration values, only the ones that
-// must be communicated from the client application to the admin process.
-func (p *LocalOSConfigProvider) GetTargetOSConfiguration(ctx context.Context) (*vnetv1.TargetOSConfiguration, error) {
-	profiles, err := p.cfg.clientApplication.ListProfiles()
-	if err != nil {
-		return nil, trace.Wrap(err, "listing profiles")
-	}
-	var targetOSConfig vnetv1.TargetOSConfiguration
-	for _, profileName := range profiles {
-		profileTargetConfig := p.targetOSConfigurationForProfile(ctx, profileName)
-		targetOSConfig.DnsZones = append(targetOSConfig.DnsZones, profileTargetConfig.DnsZones...)
-		targetOSConfig.Ipv4CidrRanges = append(targetOSConfig.Ipv4CidrRanges, profileTargetConfig.Ipv4CidrRanges...)
-	}
-	targetOSConfig.DnsZones = utils.Deduplicate(targetOSConfig.DnsZones)
-	targetOSConfig.Ipv4CidrRanges = utils.Deduplicate(targetOSConfig.Ipv4CidrRanges)
-	return &targetOSConfig, nil
-}
-
-// targetOSConfigurationForProfile does not return errors, it is better to
-// configure VNet for any working profiles and log errors for failures.
-func (p *LocalOSConfigProvider) targetOSConfigurationForProfile(ctx context.Context, profileName string) *vnetv1.TargetOSConfiguration {
-	targetOSConfig := &vnetv1.TargetOSConfiguration{}
-	rootClusterClient, err := p.cfg.clientApplication.GetCachedClient(ctx, profileName, "" /*leafClusterName*/)
-	if err != nil {
-		log.WarnContext(ctx,
-			"Failed to get root cluster client from cache, profile may be expired, not configuring VNet for this cluster",
-			"profile", profileName, "error", err)
-		return targetOSConfig
-	}
-	rootClusterConfig, err := p.cfg.clusterConfigCache.GetClusterConfig(ctx, rootClusterClient)
-	if err != nil {
-		log.WarnContext(ctx,
-			"Failed to load VNet configuration, profile may be expired, not configuring VNet for this cluster",
-			"profile", profileName, "error", err)
-		return targetOSConfig
-	}
-	targetOSConfig.DnsZones = rootClusterConfig.DNSZones
-	targetOSConfig.Ipv4CidrRanges = []string{rootClusterConfig.IPv4CIDRRange}
-
-	leafClusterNames, err := p.cfg.leafClusterCache.getLeafClusters(ctx, rootClusterClient)
-	if err != nil {
-		log.WarnContext(ctx,
-			"Failed to list leaf clusters, profile may be expired, not configuring VNet for leaf clusters of this cluster",
-			"profile", profileName, "error", err)
-		return targetOSConfig
-	}
-	for _, leafClusterName := range leafClusterNames {
-		leafClusterClient, err := p.cfg.clientApplication.GetCachedClient(ctx, profileName, leafClusterName)
-		if err != nil {
-			log.WarnContext(ctx,
-				"Failed to create leaf cluster client, not configuring VNet for this cluster",
-				"profile", profileName, "leaf_cluster", leafClusterName, "error", err)
-			return targetOSConfig
-		}
-		leafClusterConfig, err := p.cfg.clusterConfigCache.GetClusterConfig(ctx, leafClusterClient)
-		if err != nil {
-			log.WarnContext(ctx,
-				"Failed to load VNet configuration, not configuring VNet for this cluster",
-				"profile", profileName, "leaf_cluster", leafClusterName, "error", err)
-			return targetOSConfig
-		}
-		targetOSConfig.DnsZones = append(targetOSConfig.DnsZones, leafClusterConfig.DNSZones...)
-		targetOSConfig.Ipv4CidrRanges = append(targetOSConfig.Ipv4CidrRanges, leafClusterConfig.IPv4CIDRRange)
-	}
-	return targetOSConfig
-}
diff --git a/lib/vnet/osconfig.go b/lib/vnet/osconfig.go
index 0edd68ab93bc7..4b0a19eadd033 100644
--- a/lib/vnet/osconfig.go
+++ b/lib/vnet/osconfig.go
@@ -45,11 +45,11 @@ func configureOS(ctx context.Context, osConfig *osConfig, osConfigState *osConfi
 }
 
 type osConfigurator struct {
-	remoteOSConfigProvider *remoteOSConfigProvider
+	remoteOSConfigProvider *osConfigProvider
 	osConfigState          osConfigState
 }
 
-func newOSConfigurator(remoteOSConfigProvider *remoteOSConfigProvider) *osConfigurator {
+func newOSConfigurator(remoteOSConfigProvider *osConfigProvider) *osConfigurator {
 	return &osConfigurator{
 		remoteOSConfigProvider: remoteOSConfigProvider,
 	}
diff --git a/lib/vnet/remote_osconfig_provider.go b/lib/vnet/osconfig_provider.go
similarity index 83%
rename from lib/vnet/remote_osconfig_provider.go
rename to lib/vnet/osconfig_provider.go
index 8a91db28603d9..3a45e8aa89000 100644
--- a/lib/vnet/remote_osconfig_provider.go
+++ b/lib/vnet/osconfig_provider.go
@@ -24,9 +24,9 @@ import (
 	vnetv1 "github.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/v1"
 )
 
-// remoteOSConfigProvider fetches a target OS configuration based on cluster
+// osConfigProvider fetches a target OS configuration based on cluster
 // configuration fetched via the client application process available over gRPC.
-type remoteOSConfigProvider struct {
+type osConfigProvider struct {
 	clt     targetOSConfigGetter
 	tunName string
 	dnsAddr string
@@ -38,12 +38,12 @@ type targetOSConfigGetter interface {
 	GetTargetOSConfiguration(context.Context) (*vnetv1.TargetOSConfiguration, error)
 }
 
-func newRemoteOSConfigProvider(clt targetOSConfigGetter, tunName, ipv6Prefix, dnsAddr string) (*remoteOSConfigProvider, error) {
+func newOSConfigProvider(clt targetOSConfigGetter, tunName, ipv6Prefix, dnsAddr string) (*osConfigProvider, error) {
 	tunIPv6, err := tunIPv6ForPrefix(ipv6Prefix)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
-	return &remoteOSConfigProvider{
+	return &osConfigProvider{
 		clt:     clt,
 		tunName: tunName,
 		dnsAddr: dnsAddr,
@@ -51,7 +51,7 @@ func newRemoteOSConfigProvider(clt targetOSConfigGetter, tunName, ipv6Prefix, dn
 	}, nil
 }
 
-func (p *remoteOSConfigProvider) targetOSConfig(ctx context.Context) (*osConfig, error) {
+func (p *osConfigProvider) targetOSConfig(ctx context.Context) (*osConfig, error) {
 	targetOSConfig, err := p.clt.GetTargetOSConfiguration(ctx)
 	if err != nil {
 		return nil, trace.Wrap(err, "getting target OS configuration from client application")
@@ -73,7 +73,7 @@ func (p *remoteOSConfigProvider) targetOSConfig(ctx context.Context) (*osConfig,
 	}, nil
 }
 
-func (p *remoteOSConfigProvider) setTunIPv4FromCIDR(cidrRange string) error {
+func (p *osConfigProvider) setTunIPv4FromCIDR(cidrRange string) error {
 	if p.tunIPv4 != "" {
 		return nil
 	}
diff --git a/lib/vnet/remote_osconfig_provider_test.go b/lib/vnet/osconfig_provider_test.go
similarity index 93%
rename from lib/vnet/remote_osconfig_provider_test.go
rename to lib/vnet/osconfig_provider_test.go
index aaba5f79a079b..af49b67aaa203 100644
--- a/lib/vnet/remote_osconfig_provider_test.go
+++ b/lib/vnet/osconfig_provider_test.go
@@ -25,7 +25,7 @@ import (
 	vnetv1 "github.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/v1"
 )
 
-func TestRemoteOSConfigProvider(t *testing.T) {
+func TestOSConfigProvider(t *testing.T) {
 	ctx := context.Background()
 	for _, tc := range []struct {
 		desc                 string
@@ -97,10 +97,10 @@ func TestRemoteOSConfigProvider(t *testing.T) {
 				},
 				err: tc.getTargetOSConfigErr,
 			}
-			remoteOSConfigProvider, err := newRemoteOSConfigProvider(targetOSConfigGetter, tc.tunName, tc.ipv6Prefix, tc.dnsAddr)
+			osConfigProvider, err := newOSConfigProvider(targetOSConfigGetter, tc.tunName, tc.ipv6Prefix, tc.dnsAddr)
 			require.NoError(t, err)
 
-			targetOSConfig, err := remoteOSConfigProvider.targetOSConfig(ctx)
+			targetOSConfig, err := osConfigProvider.targetOSConfig(ctx)
 			if tc.expectErr != nil {
 				require.ErrorIs(t, err, tc.expectErr)
 				return
diff --git a/lib/vnet/unified_cluster_config_provider.go b/lib/vnet/unified_cluster_config_provider.go
new file mode 100644
index 0000000000000..bb6cdf1f4f470
--- /dev/null
+++ b/lib/vnet/unified_cluster_config_provider.go
@@ -0,0 +1,152 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package vnet
+
+import (
+	"context"
+	"slices"
+
+	"github.com/gravitational/trace"
+
+	"github.com/gravitational/teleport/api/utils"
+)
+
+// UnifiedClusterConfig is a unified VNet configuration for all clusters
+// the user is logged in to.
+type UnifiedClusterConfig struct {
+	// ClusterNames contains the name of each root or leaf cluster the user is
+	// logged in to. SSH hosts are reachable via VNet SSH at subdomains of
+	// these cluster names.
+	ClusterNames []string
+	// ProxyPublicAddrs contains the proxy public address of root and leaf
+	// cluster the user is logged in to. These are always valid DNS suffixes for
+	// TCP apps.
+	ProxyPublicAddrs []string
+	// CustomDNSZones is the unified set of custom DNS zones configured in all clusters.
+	CustomDNSZones []string
+	// IPv4CidrRanges is the unified set of IPv4 CIDR ranges configured in all
+	// clusters, VNet will try to route all of these to the TUN interface.
+	IPv4CidrRanges []string
+}
+
+// AppDNSZones returns the DNS suffixes valid for TCP apps.
+func (c *UnifiedClusterConfig) AppDNSZones() []string {
+	return utils.Deduplicate(slices.Concat(c.CustomDNSZones, c.ProxyPublicAddrs))
+}
+
+// AllDNSZones return all DNS suffixes VNet handles.
+func (c *UnifiedClusterConfig) AllDNSZones() []string {
+	return utils.Deduplicate(slices.Concat(c.CustomDNSZones, c.ProxyPublicAddrs, c.ClusterNames))
+}
+
+// UnifiedClusterConfigProvider fetches the [UnifiedClusterConfig].
+type UnifiedClusterConfigProvider struct {
+	cfg *UnifiedClusterConfigProviderConfig
+}
+
+// UnifiedClusterConfigProviderConfig holds configuration parameters for
+// [UnifiedClusterConfigProvider].
+type UnifiedClusterConfigProviderConfig struct {
+	clientApplication  ClientApplication
+	clusterConfigCache *ClusterConfigCache
+	leafClusterCache   *leafClusterCache
+}
+
+// NewUnifiedClusterConfigProvider returns a new [UnifiedClusterConfigProvider].
+func NewUnifiedClusterConfigProvider(cfg *UnifiedClusterConfigProviderConfig) *UnifiedClusterConfigProvider {
+	return &UnifiedClusterConfigProvider{
+		cfg: cfg,
+	}
+}
+
+// GetUnifiedClusterConfig returns the unified VNet configuration of all
+// clusters the user is logged in to.
+func (p *UnifiedClusterConfigProvider) GetUnifiedClusterConfig(ctx context.Context) (*UnifiedClusterConfig, error) {
+	profiles, err := p.cfg.clientApplication.ListProfiles()
+	if err != nil {
+		return nil, trace.Wrap(err, "listing profiles")
+	}
+	var unifiedClusterConfig UnifiedClusterConfig
+	for _, profileName := range profiles {
+		if err := p.fetchForProfile(ctx, profileName, &unifiedClusterConfig); err != nil {
+			log.WarnContext(ctx,
+				"Failed to fetch VNet configuration, profile may be expired, not configuring VNet for this profile",
+				"profile", profileName, "error", err)
+		}
+	}
+	unifiedClusterConfig.ClusterNames = utils.Deduplicate(unifiedClusterConfig.ClusterNames)
+	unifiedClusterConfig.ProxyPublicAddrs = utils.Deduplicate(unifiedClusterConfig.ProxyPublicAddrs)
+	unifiedClusterConfig.CustomDNSZones = utils.Deduplicate(unifiedClusterConfig.CustomDNSZones)
+	unifiedClusterConfig.IPv4CidrRanges = utils.Deduplicate(unifiedClusterConfig.IPv4CidrRanges)
+	return &unifiedClusterConfig, nil
+}
+
+func (p *UnifiedClusterConfigProvider) fetchForProfile(
+	ctx context.Context,
+	profileName string,
+	unifiedClusterConfig *UnifiedClusterConfig,
+) error {
+	rootClusterClient, err := p.cfg.clientApplication.GetCachedClient(ctx, profileName, "" /*leafClusterName*/)
+	if err != nil {
+		return trace.Wrap(err, "getting root cluster client from cache")
+	}
+	rootClusterConfig, err := p.cfg.clusterConfigCache.GetClusterConfig(ctx, rootClusterClient)
+	if err != nil {
+		return trace.Wrap(err, "fetching root cluster VNet config")
+	}
+	unifiedClusterConfig.ClusterNames = append(unifiedClusterConfig.ClusterNames, rootClusterClient.ClusterName())
+	unifiedClusterConfig.ProxyPublicAddrs = append(unifiedClusterConfig.ProxyPublicAddrs, rootClusterConfig.ProxyPublicAddr)
+	unifiedClusterConfig.CustomDNSZones = append(unifiedClusterConfig.CustomDNSZones, rootClusterConfig.CustomDNSZones...)
+	unifiedClusterConfig.IPv4CidrRanges = append(unifiedClusterConfig.IPv4CidrRanges, rootClusterConfig.IPv4CIDRRange)
+
+	leafClusterNames, err := p.cfg.leafClusterCache.getLeafClusters(ctx, rootClusterClient)
+	if err != nil {
+		log.WarnContext(ctx,
+			"Failed to list leaf clusters, profile may be expired, not configuring VNet for leaf clusters in this profile",
+			"profile", profileName, "error", err)
+		return nil
+	}
+	for _, leafClusterName := range leafClusterNames {
+		if err := p.fetchForLeafCluster(ctx, profileName, leafClusterName, unifiedClusterConfig); err != nil {
+			log.WarnContext(ctx,
+				"Failed to fetch VNet configuration for leaf cluster, VNet will not be configured for this cluster",
+				"profile", profileName, "leaf_cluster", leafClusterName, "error", err)
+		}
+	}
+	return nil
+}
+
+func (p *UnifiedClusterConfigProvider) fetchForLeafCluster(
+	ctx context.Context,
+	profileName string,
+	leafClusterName string,
+	unifiedClusterConfig *UnifiedClusterConfig,
+) error {
+	leafClusterClient, err := p.cfg.clientApplication.GetCachedClient(ctx, profileName, leafClusterName)
+	if err != nil {
+		return trace.Wrap(err, "getting leaf cluster client from cache")
+	}
+	leafClusterConfig, err := p.cfg.clusterConfigCache.GetClusterConfig(ctx, leafClusterClient)
+	if err != nil {
+		return trace.Wrap(err, "fetching leaf cluster VNet config from cache")
+	}
+	unifiedClusterConfig.ClusterNames = append(unifiedClusterConfig.ClusterNames, leafClusterName)
+	unifiedClusterConfig.ProxyPublicAddrs = append(unifiedClusterConfig.ProxyPublicAddrs, leafClusterConfig.ProxyPublicAddr)
+	unifiedClusterConfig.CustomDNSZones = append(unifiedClusterConfig.CustomDNSZones, leafClusterConfig.CustomDNSZones...)
+	unifiedClusterConfig.IPv4CidrRanges = append(unifiedClusterConfig.IPv4CidrRanges, leafClusterConfig.IPv4CIDRRange)
+	return nil
+}
diff --git a/lib/vnet/user_process.go b/lib/vnet/user_process.go
index dc84f2b6c2f2c..f0c502f18e822 100644
--- a/lib/vnet/user_process.go
+++ b/lib/vnet/user_process.go
@@ -98,16 +98,16 @@ func RunUserProcess(ctx context.Context, clientApplication ClientApplication) (*
 		clusterConfigCache: clusterConfigCache,
 		leafClusterCache:   leafClusterCache,
 	})
-	osConfigProvider := NewLocalOSConfigProvider(&LocalOSConfigProviderConfig{
+	unifiedClusterConfigProvider := NewUnifiedClusterConfigProvider(&UnifiedClusterConfigProviderConfig{
 		clientApplication:  clientApplication,
 		clusterConfigCache: clusterConfigCache,
 		leafClusterCache:   leafClusterCache,
 	})
 	clientApplicationService, err := newClientApplicationService(&clientApplicationServiceConfig{
-		clientApplication:     clientApplication,
-		fqdnResolver:          fqdnResolver,
-		localOSConfigProvider: osConfigProvider,
-		clock:                 clock,
+		clientApplication:            clientApplication,
+		fqdnResolver:                 fqdnResolver,
+		unifiedClusterConfigProvider: unifiedClusterConfigProvider,
+		clock:                        clock,
 	})
 	if err != nil {
 		return nil, trace.Wrap(err)
@@ -123,11 +123,11 @@ func RunUserProcess(ctx context.Context, clientApplication ClientApplication) (*
 	})
 
 	userProcess := &UserProcess{
-		clientApplication:        clientApplication,
-		osConfigProvider:         osConfigProvider,
-		clientApplicationService: clientApplicationService,
-		clock:                    clock,
-		processManager:           processManager,
+		clientApplication:            clientApplication,
+		unifiedClusterConfigProvider: unifiedClusterConfigProvider,
+		clientApplicationService:     clientApplicationService,
+		clock:                        clock,
+		processManager:               processManager,
 	}
 	if err := userProcess.runPlatformUserProcess(processCtx); err != nil {
 		return nil, trace.Wrap(err)
@@ -140,9 +140,9 @@ func RunUserProcess(ctx context.Context, clientApplication ClientApplication) (*
 type UserProcess struct {
 	clientApplication ClientApplication
 
-	clock                    clockwork.Clock
-	osConfigProvider         *LocalOSConfigProvider
-	clientApplicationService *clientApplicationService
+	clock                        clockwork.Clock
+	unifiedClusterConfigProvider *UnifiedClusterConfigProvider
+	clientApplicationService     *clientApplicationService
 
 	processManager   *ProcessManager
 	networkStackInfo *vnetv1.NetworkStackInfo
@@ -163,6 +163,6 @@ func (p *UserProcess) NetworkStackInfo() *vnetv1.NetworkStackInfo {
 // GetTargetOSConfiguration returns the LocalOSConfigProvider which clients may
 // use to report the proxied DNS zones, run diagnostics, etc. The returned
 // *LocalOSConfigProvider will remain valid even if the UserProcess is closed.
-func (p *UserProcess) GetOSConfigProvider() *LocalOSConfigProvider {
-	return p.osConfigProvider
+func (p *UserProcess) GetUnifiedClusterConfigProvider() *UnifiedClusterConfigProvider {
+	return p.unifiedClusterConfigProvider
 }
diff --git a/lib/vnet/vnet_test.go b/lib/vnet/vnet_test.go
index b980a5c8bf46f..25950d049b7c6 100644
--- a/lib/vnet/vnet_test.go
+++ b/lib/vnet/vnet_test.go
@@ -282,11 +282,10 @@ func runTestClientApplicationService(t *testing.T, ctx context.Context, cfg test
 		leafClusterCache:   leafClusterCache,
 	})
 	clientApplicationService, err := newClientApplicationService(&clientApplicationServiceConfig{
-		clientApplication:     cfg.fakeClientApp,
-		fqdnResolver:          fqdnResolver,
-		localOSConfigProvider: nil, // OS configuration is not needed in tests.
-		homePath:              cfg.homePath,
-		clock:                 cfg.clock,
+		clientApplication: cfg.fakeClientApp,
+		fqdnResolver:      fqdnResolver,
+		homePath:          cfg.homePath,
+		clock:             cfg.clock,
 	})
 	require.NoError(t, err)
 

From 440d564445272d7174d39e3428f63fcb45cad14f Mon Sep 17 00:00:00 2001
From: Nic Klaassen <nic@goteleport.com>
Date: Wed, 18 Jun 2025 15:20:50 -0700
Subject: [PATCH 10/25] [v18][vnet] feat: add SSH configuration diagnostic
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Backport #55594 to branch/v18

Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com>
---
 api/profile/profile.go                        |  25 +-
 api/utils/keypaths/keypaths.go                |   6 +-
 .../go/teleport/lib/vnet/diag/v1/diag.pb.go   | 164 ++++++++++--
 .../ts/teleport/lib/vnet/diag/v1/diag_pb.ts   | 141 +++++++++-
 lib/teleterm/vnet/service.go                  |   8 +
 lib/teleterm/vnet/service_darwin.go           |  12 +-
 lib/vnet/diag/ssh.go                          | 253 ++++++++++++++++++
 lib/vnet/diag/ssh_test.go                     | 229 ++++++++++++++++
 proto/teleport/lib/vnet/diag/v1/diag.proto    |  21 ++
 web/packages/teleterm/src/helpers.ts          |  10 +
 .../vnet/__snapshots__/diag.test.ts.snap      |  16 ++
 .../teleterm/src/services/vnet/diag.test.ts   |  23 +-
 .../teleterm/src/services/vnet/diag.ts        |  49 +++-
 .../ui/Vnet/DocumentVnetDiagReport.story.tsx  |  49 ++++
 .../src/ui/Vnet/DocumentVnetDiagReport.tsx    |  97 ++++++-
 15 files changed, 1058 insertions(+), 45 deletions(-)
 create mode 100644 lib/vnet/diag/ssh.go
 create mode 100644 lib/vnet/diag/ssh_test.go

diff --git a/api/profile/profile.go b/api/profile/profile.go
index ed9020e433b61..ade1410fec17c 100644
--- a/api/profile/profile.go
+++ b/api/profile/profile.go
@@ -317,19 +317,26 @@ func FullProfilePath(dir string) string {
 
 // defaultProfilePath retrieves the default path of the TSH profile.
 func defaultProfilePath() string {
-	// start with UserHomeDir, which is the fastest option as it
-	// relies only on environment variables and does not perform
-	// a user lookup (which can be very slow on large AD environments)
-	home, err := os.UserHomeDir()
-	if err == nil && home != "" {
-		return filepath.Join(home, profileDir)
+	home, ok := UserHomeDir()
+	if !ok {
+		home = os.TempDir()
 	}
+	return filepath.Join(home, profileDir)
+}
 
-	home = os.TempDir()
+// UserHomeDir returns the current user's home directory if it can be found.
+func UserHomeDir() (string, bool) {
+	// Start with os.UserHomeDir, which is the fastest option as it relies only
+	// on environment variables and does not perform a user lookup (which can be
+	// very slow on large AD environments).
+	if home, err := os.UserHomeDir(); err == nil && home != "" {
+		return home, true
+	}
+	// Fall back to the user lookup.
 	if u, err := user.Current(); err == nil && u.HomeDir != "" {
-		home = u.HomeDir
+		return u.HomeDir, true
 	}
-	return filepath.Join(home, profileDir)
+	return "", false
 }
 
 // FromDir reads the user profile from a given directory. If dir is empty,
diff --git a/api/utils/keypaths/keypaths.go b/api/utils/keypaths/keypaths.go
index 60b2c472f8df5..ff619e49ebd8a 100644
--- a/api/utils/keypaths/keypaths.go
+++ b/api/utils/keypaths/keypaths.go
@@ -82,9 +82,9 @@ const (
 	// vnetKnownHosts is the file name of the known_hosts file trusted by
 	// third-party SSH clients connecting to VNet SSH.
 	vnetKnownHosts = "vnet_known_hosts"
-	// vnetSSHConfig is the file name of the generated OpenSSH-compatible config
+	// VNetSSHConfig is the file name of the generated OpenSSH-compatible config
 	// file to be used by third-party SSH clients connecting to VNet SSH.
-	vnetSSHConfig = "vnet_ssh_config"
+	VNetSSHConfig = "vnet_ssh_config"
 )
 
 // Here's the file layout of all these keypaths.
@@ -463,7 +463,7 @@ func VNetKnownHostsPath(baseDir string) string {
 // VNetSSHConfigPath returns the path to VNet's generated OpenSSH-compatible
 // config file.
 func VNetSSHConfigPath(baseDir string) string {
-	return filepath.Join(baseDir, vnetSSHConfig)
+	return filepath.Join(baseDir, VNetSSHConfig)
 }
 
 // TrimKeyPathSuffix returns the given path with any key suffix/extension trimmed off.
diff --git a/gen/proto/go/teleport/lib/vnet/diag/v1/diag.pb.go b/gen/proto/go/teleport/lib/vnet/diag/v1/diag.pb.go
index 16e907e5481b7..1eb4f2d78f753 100644
--- a/gen/proto/go/teleport/lib/vnet/diag/v1/diag.pb.go
+++ b/gen/proto/go/teleport/lib/vnet/diag/v1/diag.pb.go
@@ -496,6 +496,7 @@ type CheckReport struct {
 	// Types that are valid to be assigned to Report:
 	//
 	//	*CheckReport_RouteConflictReport
+	//	*CheckReport_SshConfigurationReport
 	Report        isCheckReport_Report `protobuf_oneof:"report"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
@@ -554,6 +555,15 @@ func (x *CheckReport) GetRouteConflictReport() *RouteConflictReport {
 	return nil
 }
 
+func (x *CheckReport) GetSshConfigurationReport() *SSHConfigurationReport {
+	if x != nil {
+		if x, ok := x.Report.(*CheckReport_SshConfigurationReport); ok {
+			return x.SshConfigurationReport
+		}
+	}
+	return nil
+}
+
 type isCheckReport_Report interface {
 	isCheckReport_Report()
 }
@@ -564,8 +574,15 @@ type CheckReport_RouteConflictReport struct {
 	RouteConflictReport *RouteConflictReport `protobuf:"bytes,2,opt,name=route_conflict_report,json=routeConflictReport,proto3,oneof"`
 }
 
+type CheckReport_SshConfigurationReport struct {
+	// ssh_configuration_report reports the status of the system's SSH configuration.
+	SshConfigurationReport *SSHConfigurationReport `protobuf:"bytes,3,opt,name=ssh_configuration_report,json=sshConfigurationReport,proto3,oneof"`
+}
+
 func (*CheckReport_RouteConflictReport) isCheckReport_Report() {}
 
+func (*CheckReport_SshConfigurationReport) isCheckReport_Report() {}
+
 // CommandAttempt describes the attempt at running a particular command associated with a diagnostic
 // check.
 type CommandAttempt struct {
@@ -761,6 +778,93 @@ func (x *RouteConflict) GetInterfaceApp() string {
 	return ""
 }
 
+// SSHConfigurationReport describes the state of the system's SSH configuration.
+type SSHConfigurationReport struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// user_openssh_config_path is the full path to the user's default OpenSSH
+	// config file (~/.ssh/config).
+	UserOpensshConfigPath string `protobuf:"bytes,1,opt,name=user_openssh_config_path,json=userOpensshConfigPath,proto3" json:"user_openssh_config_path,omitempty"`
+	// vnet_ssh_config_path is the path to VNet's generated OpenSSH-compatible
+	// config file.
+	VnetSshConfigPath string `protobuf:"bytes,2,opt,name=vnet_ssh_config_path,json=vnetSshConfigPath,proto3" json:"vnet_ssh_config_path,omitempty"`
+	// user_openssh_config_includes_vnet_ssh_config is true if the default
+	// OpenSSH user configuration file includes VNet's SSH config file.
+	UserOpensshConfigIncludesVnetSshConfig bool `protobuf:"varint,3,opt,name=user_openssh_config_includes_vnet_ssh_config,json=userOpensshConfigIncludesVnetSshConfig,proto3" json:"user_openssh_config_includes_vnet_ssh_config,omitempty"`
+	// user_openssh_config_exists is true if a file exists at
+	// user_openssh_config_path (~/.ssh/config).
+	UserOpensshConfigExists bool `protobuf:"varint,4,opt,name=user_openssh_config_exists,json=userOpensshConfigExists,proto3" json:"user_openssh_config_exists,omitempty"`
+	// user_openssh_config_contents contains the contents of the file at
+	// user_openssh_config_path if it exists.
+	UserOpensshConfigContents string `protobuf:"bytes,5,opt,name=user_openssh_config_contents,json=userOpensshConfigContents,proto3" json:"user_openssh_config_contents,omitempty"`
+	unknownFields             protoimpl.UnknownFields
+	sizeCache                 protoimpl.SizeCache
+}
+
+func (x *SSHConfigurationReport) Reset() {
+	*x = SSHConfigurationReport{}
+	mi := &file_teleport_lib_vnet_diag_v1_diag_proto_msgTypes[8]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *SSHConfigurationReport) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SSHConfigurationReport) ProtoMessage() {}
+
+func (x *SSHConfigurationReport) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_diag_v1_diag_proto_msgTypes[8]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SSHConfigurationReport.ProtoReflect.Descriptor instead.
+func (*SSHConfigurationReport) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_diag_v1_diag_proto_rawDescGZIP(), []int{8}
+}
+
+func (x *SSHConfigurationReport) GetUserOpensshConfigPath() string {
+	if x != nil {
+		return x.UserOpensshConfigPath
+	}
+	return ""
+}
+
+func (x *SSHConfigurationReport) GetVnetSshConfigPath() string {
+	if x != nil {
+		return x.VnetSshConfigPath
+	}
+	return ""
+}
+
+func (x *SSHConfigurationReport) GetUserOpensshConfigIncludesVnetSshConfig() bool {
+	if x != nil {
+		return x.UserOpensshConfigIncludesVnetSshConfig
+	}
+	return false
+}
+
+func (x *SSHConfigurationReport) GetUserOpensshConfigExists() bool {
+	if x != nil {
+		return x.UserOpensshConfigExists
+	}
+	return false
+}
+
+func (x *SSHConfigurationReport) GetUserOpensshConfigContents() string {
+	if x != nil {
+		return x.UserOpensshConfigContents
+	}
+	return ""
+}
+
 var File_teleport_lib_vnet_diag_v1_diag_proto protoreflect.FileDescriptor
 
 const file_teleport_lib_vnet_diag_v1_diag_proto_rawDesc = "" +
@@ -785,10 +889,11 @@ const file_teleport_lib_vnet_diag_v1_diag_proto_rawDesc = "" +
 	"\x06status\x18\x01 \x01(\x0e2-.teleport.lib.vnet.diag.v1.CheckAttemptStatusR\x06status\x12\x14\n" +
 	"\x05error\x18\x02 \x01(\tR\x05error\x12I\n" +
 	"\fcheck_report\x18\x03 \x01(\v2&.teleport.lib.vnet.diag.v1.CheckReportR\vcheckReport\x12E\n" +
-	"\bcommands\x18\x04 \x03(\v2).teleport.lib.vnet.diag.v1.CommandAttemptR\bcommands\"\xc3\x01\n" +
+	"\bcommands\x18\x04 \x03(\v2).teleport.lib.vnet.diag.v1.CommandAttemptR\bcommands\"\xb2\x02\n" +
 	"\vCheckReport\x12D\n" +
 	"\x06status\x18\x01 \x01(\x0e2,.teleport.lib.vnet.diag.v1.CheckReportStatusR\x06status\x12d\n" +
-	"\x15route_conflict_report\x18\x02 \x01(\v2..teleport.lib.vnet.diag.v1.RouteConflictReportH\x00R\x13routeConflictReportB\b\n" +
+	"\x15route_conflict_report\x18\x02 \x01(\v2..teleport.lib.vnet.diag.v1.RouteConflictReportH\x00R\x13routeConflictReport\x12m\n" +
+	"\x18ssh_configuration_report\x18\x03 \x01(\v21.teleport.lib.vnet.diag.v1.SSHConfigurationReportH\x00R\x16sshConfigurationReportB\b\n" +
 	"\x06report\"\xa1\x01\n" +
 	"\x0eCommandAttempt\x12G\n" +
 	"\x06status\x18\x01 \x01(\x0e2/.teleport.lib.vnet.diag.v1.CommandAttemptStatusR\x06status\x12\x14\n" +
@@ -801,7 +906,13 @@ const file_teleport_lib_vnet_diag_v1_diag_proto_rawDesc = "" +
 	"\x04dest\x18\x01 \x01(\tR\x04dest\x12\x1b\n" +
 	"\tvnet_dest\x18\x02 \x01(\tR\bvnetDest\x12%\n" +
 	"\x0einterface_name\x18\x03 \x01(\tR\rinterfaceName\x12#\n" +
-	"\rinterface_app\x18\x04 \x01(\tR\finterfaceApp*w\n" +
+	"\rinterface_app\x18\x04 \x01(\tR\finterfaceApp\"\xde\x02\n" +
+	"\x16SSHConfigurationReport\x127\n" +
+	"\x18user_openssh_config_path\x18\x01 \x01(\tR\x15userOpensshConfigPath\x12/\n" +
+	"\x14vnet_ssh_config_path\x18\x02 \x01(\tR\x11vnetSshConfigPath\x12\\\n" +
+	",user_openssh_config_includes_vnet_ssh_config\x18\x03 \x01(\bR&userOpensshConfigIncludesVnetSshConfig\x12;\n" +
+	"\x1auser_openssh_config_exists\x18\x04 \x01(\bR\x17userOpensshConfigExists\x12?\n" +
+	"\x1cuser_openssh_config_contents\x18\x05 \x01(\tR\x19userOpensshConfigContents*w\n" +
 	"\x12CheckAttemptStatus\x12$\n" +
 	" CHECK_ATTEMPT_STATUS_UNSPECIFIED\x10\x00\x12\x1b\n" +
 	"\x17CHECK_ATTEMPT_STATUS_OK\x10\x01\x12\x1e\n" +
@@ -828,23 +939,24 @@ func file_teleport_lib_vnet_diag_v1_diag_proto_rawDescGZIP() []byte {
 }
 
 var file_teleport_lib_vnet_diag_v1_diag_proto_enumTypes = make([]protoimpl.EnumInfo, 3)
-var file_teleport_lib_vnet_diag_v1_diag_proto_msgTypes = make([]protoimpl.MessageInfo, 8)
+var file_teleport_lib_vnet_diag_v1_diag_proto_msgTypes = make([]protoimpl.MessageInfo, 9)
 var file_teleport_lib_vnet_diag_v1_diag_proto_goTypes = []any{
-	(CheckAttemptStatus)(0),       // 0: teleport.lib.vnet.diag.v1.CheckAttemptStatus
-	(CheckReportStatus)(0),        // 1: teleport.lib.vnet.diag.v1.CheckReportStatus
-	(CommandAttemptStatus)(0),     // 2: teleport.lib.vnet.diag.v1.CommandAttemptStatus
-	(*Report)(nil),                // 3: teleport.lib.vnet.diag.v1.Report
-	(*NetworkStackAttempt)(nil),   // 4: teleport.lib.vnet.diag.v1.NetworkStackAttempt
-	(*NetworkStack)(nil),          // 5: teleport.lib.vnet.diag.v1.NetworkStack
-	(*CheckAttempt)(nil),          // 6: teleport.lib.vnet.diag.v1.CheckAttempt
-	(*CheckReport)(nil),           // 7: teleport.lib.vnet.diag.v1.CheckReport
-	(*CommandAttempt)(nil),        // 8: teleport.lib.vnet.diag.v1.CommandAttempt
-	(*RouteConflictReport)(nil),   // 9: teleport.lib.vnet.diag.v1.RouteConflictReport
-	(*RouteConflict)(nil),         // 10: teleport.lib.vnet.diag.v1.RouteConflict
-	(*timestamppb.Timestamp)(nil), // 11: google.protobuf.Timestamp
+	(CheckAttemptStatus)(0),        // 0: teleport.lib.vnet.diag.v1.CheckAttemptStatus
+	(CheckReportStatus)(0),         // 1: teleport.lib.vnet.diag.v1.CheckReportStatus
+	(CommandAttemptStatus)(0),      // 2: teleport.lib.vnet.diag.v1.CommandAttemptStatus
+	(*Report)(nil),                 // 3: teleport.lib.vnet.diag.v1.Report
+	(*NetworkStackAttempt)(nil),    // 4: teleport.lib.vnet.diag.v1.NetworkStackAttempt
+	(*NetworkStack)(nil),           // 5: teleport.lib.vnet.diag.v1.NetworkStack
+	(*CheckAttempt)(nil),           // 6: teleport.lib.vnet.diag.v1.CheckAttempt
+	(*CheckReport)(nil),            // 7: teleport.lib.vnet.diag.v1.CheckReport
+	(*CommandAttempt)(nil),         // 8: teleport.lib.vnet.diag.v1.CommandAttempt
+	(*RouteConflictReport)(nil),    // 9: teleport.lib.vnet.diag.v1.RouteConflictReport
+	(*RouteConflict)(nil),          // 10: teleport.lib.vnet.diag.v1.RouteConflict
+	(*SSHConfigurationReport)(nil), // 11: teleport.lib.vnet.diag.v1.SSHConfigurationReport
+	(*timestamppb.Timestamp)(nil),  // 12: google.protobuf.Timestamp
 }
 var file_teleport_lib_vnet_diag_v1_diag_proto_depIdxs = []int32{
-	11, // 0: teleport.lib.vnet.diag.v1.Report.created_at:type_name -> google.protobuf.Timestamp
+	12, // 0: teleport.lib.vnet.diag.v1.Report.created_at:type_name -> google.protobuf.Timestamp
 	4,  // 1: teleport.lib.vnet.diag.v1.Report.network_stack_attempt:type_name -> teleport.lib.vnet.diag.v1.NetworkStackAttempt
 	6,  // 2: teleport.lib.vnet.diag.v1.Report.checks:type_name -> teleport.lib.vnet.diag.v1.CheckAttempt
 	0,  // 3: teleport.lib.vnet.diag.v1.NetworkStackAttempt.status:type_name -> teleport.lib.vnet.diag.v1.CheckAttemptStatus
@@ -854,13 +966,14 @@ var file_teleport_lib_vnet_diag_v1_diag_proto_depIdxs = []int32{
 	8,  // 7: teleport.lib.vnet.diag.v1.CheckAttempt.commands:type_name -> teleport.lib.vnet.diag.v1.CommandAttempt
 	1,  // 8: teleport.lib.vnet.diag.v1.CheckReport.status:type_name -> teleport.lib.vnet.diag.v1.CheckReportStatus
 	9,  // 9: teleport.lib.vnet.diag.v1.CheckReport.route_conflict_report:type_name -> teleport.lib.vnet.diag.v1.RouteConflictReport
-	2,  // 10: teleport.lib.vnet.diag.v1.CommandAttempt.status:type_name -> teleport.lib.vnet.diag.v1.CommandAttemptStatus
-	10, // 11: teleport.lib.vnet.diag.v1.RouteConflictReport.route_conflicts:type_name -> teleport.lib.vnet.diag.v1.RouteConflict
-	12, // [12:12] is the sub-list for method output_type
-	12, // [12:12] is the sub-list for method input_type
-	12, // [12:12] is the sub-list for extension type_name
-	12, // [12:12] is the sub-list for extension extendee
-	0,  // [0:12] is the sub-list for field type_name
+	11, // 10: teleport.lib.vnet.diag.v1.CheckReport.ssh_configuration_report:type_name -> teleport.lib.vnet.diag.v1.SSHConfigurationReport
+	2,  // 11: teleport.lib.vnet.diag.v1.CommandAttempt.status:type_name -> teleport.lib.vnet.diag.v1.CommandAttemptStatus
+	10, // 12: teleport.lib.vnet.diag.v1.RouteConflictReport.route_conflicts:type_name -> teleport.lib.vnet.diag.v1.RouteConflict
+	13, // [13:13] is the sub-list for method output_type
+	13, // [13:13] is the sub-list for method input_type
+	13, // [13:13] is the sub-list for extension type_name
+	13, // [13:13] is the sub-list for extension extendee
+	0,  // [0:13] is the sub-list for field type_name
 }
 
 func init() { file_teleport_lib_vnet_diag_v1_diag_proto_init() }
@@ -870,6 +983,7 @@ func file_teleport_lib_vnet_diag_v1_diag_proto_init() {
 	}
 	file_teleport_lib_vnet_diag_v1_diag_proto_msgTypes[4].OneofWrappers = []any{
 		(*CheckReport_RouteConflictReport)(nil),
+		(*CheckReport_SshConfigurationReport)(nil),
 	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
@@ -877,7 +991,7 @@ func file_teleport_lib_vnet_diag_v1_diag_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_lib_vnet_diag_v1_diag_proto_rawDesc), len(file_teleport_lib_vnet_diag_v1_diag_proto_rawDesc)),
 			NumEnums:      3,
-			NumMessages:   8,
+			NumMessages:   9,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
diff --git a/gen/proto/ts/teleport/lib/vnet/diag/v1/diag_pb.ts b/gen/proto/ts/teleport/lib/vnet/diag/v1/diag_pb.ts
index dd193b224d559..e41bee08a843b 100644
--- a/gen/proto/ts/teleport/lib/vnet/diag/v1/diag_pb.ts
+++ b/gen/proto/ts/teleport/lib/vnet/diag/v1/diag_pb.ts
@@ -183,6 +183,14 @@ export interface CheckReport {
          * @generated from protobuf field: teleport.lib.vnet.diag.v1.RouteConflictReport route_conflict_report = 2;
          */
         routeConflictReport: RouteConflictReport;
+    } | {
+        oneofKind: "sshConfigurationReport";
+        /**
+         * ssh_configuration_report reports the status of the system's SSH configuration.
+         *
+         * @generated from protobuf field: teleport.lib.vnet.diag.v1.SSHConfigurationReport ssh_configuration_report = 3;
+         */
+        sshConfigurationReport: SSHConfigurationReport;
     } | {
         oneofKind: undefined;
     };
@@ -263,6 +271,48 @@ export interface RouteConflict {
      */
     interfaceApp: string;
 }
+/**
+ * SSHConfigurationReport describes the state of the system's SSH configuration.
+ *
+ * @generated from protobuf message teleport.lib.vnet.diag.v1.SSHConfigurationReport
+ */
+export interface SSHConfigurationReport {
+    /**
+     * user_openssh_config_path is the full path to the user's default OpenSSH
+     * config file (~/.ssh/config).
+     *
+     * @generated from protobuf field: string user_openssh_config_path = 1;
+     */
+    userOpensshConfigPath: string;
+    /**
+     * vnet_ssh_config_path is the path to VNet's generated OpenSSH-compatible
+     * config file.
+     *
+     * @generated from protobuf field: string vnet_ssh_config_path = 2;
+     */
+    vnetSshConfigPath: string;
+    /**
+     * user_openssh_config_includes_vnet_ssh_config is true if the default
+     * OpenSSH user configuration file includes VNet's SSH config file.
+     *
+     * @generated from protobuf field: bool user_openssh_config_includes_vnet_ssh_config = 3;
+     */
+    userOpensshConfigIncludesVnetSshConfig: boolean;
+    /**
+     * user_openssh_config_exists is true if a file exists at
+     * user_openssh_config_path (~/.ssh/config).
+     *
+     * @generated from protobuf field: bool user_openssh_config_exists = 4;
+     */
+    userOpensshConfigExists: boolean;
+    /**
+     * user_openssh_config_contents contains the contents of the file at
+     * user_openssh_config_path if it exists.
+     *
+     * @generated from protobuf field: string user_openssh_config_contents = 5;
+     */
+    userOpensshConfigContents: string;
+}
 /**
  * CheckAttemptStatus describes whether CheckAttempt finished successfully. This is different from
  * CheckReportStatus, which describes whether a successful attempt at running a check has found any
@@ -599,7 +649,8 @@ class CheckReport$Type extends MessageType<CheckReport> {
     constructor() {
         super("teleport.lib.vnet.diag.v1.CheckReport", [
             { no: 1, name: "status", kind: "enum", T: () => ["teleport.lib.vnet.diag.v1.CheckReportStatus", CheckReportStatus, "CHECK_REPORT_STATUS_"] },
-            { no: 2, name: "route_conflict_report", kind: "message", oneof: "report", T: () => RouteConflictReport }
+            { no: 2, name: "route_conflict_report", kind: "message", oneof: "report", T: () => RouteConflictReport },
+            { no: 3, name: "ssh_configuration_report", kind: "message", oneof: "report", T: () => SSHConfigurationReport }
         ]);
     }
     create(value?: PartialMessage<CheckReport>): CheckReport {
@@ -624,6 +675,12 @@ class CheckReport$Type extends MessageType<CheckReport> {
                         routeConflictReport: RouteConflictReport.internalBinaryRead(reader, reader.uint32(), options, (message.report as any).routeConflictReport)
                     };
                     break;
+                case /* teleport.lib.vnet.diag.v1.SSHConfigurationReport ssh_configuration_report */ 3:
+                    message.report = {
+                        oneofKind: "sshConfigurationReport",
+                        sshConfigurationReport: SSHConfigurationReport.internalBinaryRead(reader, reader.uint32(), options, (message.report as any).sshConfigurationReport)
+                    };
+                    break;
                 default:
                     let u = options.readUnknownField;
                     if (u === "throw")
@@ -642,6 +699,9 @@ class CheckReport$Type extends MessageType<CheckReport> {
         /* teleport.lib.vnet.diag.v1.RouteConflictReport route_conflict_report = 2; */
         if (message.report.oneofKind === "routeConflictReport")
             RouteConflictReport.internalBinaryWrite(message.report.routeConflictReport, writer.tag(2, WireType.LengthDelimited).fork(), options).join();
+        /* teleport.lib.vnet.diag.v1.SSHConfigurationReport ssh_configuration_report = 3; */
+        if (message.report.oneofKind === "sshConfigurationReport")
+            SSHConfigurationReport.internalBinaryWrite(message.report.sshConfigurationReport, writer.tag(3, WireType.LengthDelimited).fork(), options).join();
         let u = options.writeUnknownFields;
         if (u !== false)
             (u == true ? UnknownFieldHandler.onWrite : u)(this.typeName, message, writer);
@@ -841,3 +901,82 @@ class RouteConflict$Type extends MessageType<RouteConflict> {
  * @generated MessageType for protobuf message teleport.lib.vnet.diag.v1.RouteConflict
  */
 export const RouteConflict = new RouteConflict$Type();
+// @generated message type with reflection information, may provide speed optimized methods
+class SSHConfigurationReport$Type extends MessageType<SSHConfigurationReport> {
+    constructor() {
+        super("teleport.lib.vnet.diag.v1.SSHConfigurationReport", [
+            { no: 1, name: "user_openssh_config_path", kind: "scalar", T: 9 /*ScalarType.STRING*/ },
+            { no: 2, name: "vnet_ssh_config_path", kind: "scalar", T: 9 /*ScalarType.STRING*/ },
+            { no: 3, name: "user_openssh_config_includes_vnet_ssh_config", kind: "scalar", T: 8 /*ScalarType.BOOL*/ },
+            { no: 4, name: "user_openssh_config_exists", kind: "scalar", T: 8 /*ScalarType.BOOL*/ },
+            { no: 5, name: "user_openssh_config_contents", kind: "scalar", T: 9 /*ScalarType.STRING*/ }
+        ]);
+    }
+    create(value?: PartialMessage<SSHConfigurationReport>): SSHConfigurationReport {
+        const message = globalThis.Object.create((this.messagePrototype!));
+        message.userOpensshConfigPath = "";
+        message.vnetSshConfigPath = "";
+        message.userOpensshConfigIncludesVnetSshConfig = false;
+        message.userOpensshConfigExists = false;
+        message.userOpensshConfigContents = "";
+        if (value !== undefined)
+            reflectionMergePartial<SSHConfigurationReport>(this, message, value);
+        return message;
+    }
+    internalBinaryRead(reader: IBinaryReader, length: number, options: BinaryReadOptions, target?: SSHConfigurationReport): SSHConfigurationReport {
+        let message = target ?? this.create(), end = reader.pos + length;
+        while (reader.pos < end) {
+            let [fieldNo, wireType] = reader.tag();
+            switch (fieldNo) {
+                case /* string user_openssh_config_path */ 1:
+                    message.userOpensshConfigPath = reader.string();
+                    break;
+                case /* string vnet_ssh_config_path */ 2:
+                    message.vnetSshConfigPath = reader.string();
+                    break;
+                case /* bool user_openssh_config_includes_vnet_ssh_config */ 3:
+                    message.userOpensshConfigIncludesVnetSshConfig = reader.bool();
+                    break;
+                case /* bool user_openssh_config_exists */ 4:
+                    message.userOpensshConfigExists = reader.bool();
+                    break;
+                case /* string user_openssh_config_contents */ 5:
+                    message.userOpensshConfigContents = reader.string();
+                    break;
+                default:
+                    let u = options.readUnknownField;
+                    if (u === "throw")
+                        throw new globalThis.Error(`Unknown field ${fieldNo} (wire type ${wireType}) for ${this.typeName}`);
+                    let d = reader.skip(wireType);
+                    if (u !== false)
+                        (u === true ? UnknownFieldHandler.onRead : u)(this.typeName, message, fieldNo, wireType, d);
+            }
+        }
+        return message;
+    }
+    internalBinaryWrite(message: SSHConfigurationReport, writer: IBinaryWriter, options: BinaryWriteOptions): IBinaryWriter {
+        /* string user_openssh_config_path = 1; */
+        if (message.userOpensshConfigPath !== "")
+            writer.tag(1, WireType.LengthDelimited).string(message.userOpensshConfigPath);
+        /* string vnet_ssh_config_path = 2; */
+        if (message.vnetSshConfigPath !== "")
+            writer.tag(2, WireType.LengthDelimited).string(message.vnetSshConfigPath);
+        /* bool user_openssh_config_includes_vnet_ssh_config = 3; */
+        if (message.userOpensshConfigIncludesVnetSshConfig !== false)
+            writer.tag(3, WireType.Varint).bool(message.userOpensshConfigIncludesVnetSshConfig);
+        /* bool user_openssh_config_exists = 4; */
+        if (message.userOpensshConfigExists !== false)
+            writer.tag(4, WireType.Varint).bool(message.userOpensshConfigExists);
+        /* string user_openssh_config_contents = 5; */
+        if (message.userOpensshConfigContents !== "")
+            writer.tag(5, WireType.LengthDelimited).string(message.userOpensshConfigContents);
+        let u = options.writeUnknownFields;
+        if (u !== false)
+            (u == true ? UnknownFieldHandler.onWrite : u)(this.typeName, message, writer);
+        return writer;
+    }
+}
+/**
+ * @generated MessageType for protobuf message teleport.lib.vnet.diag.v1.SSHConfigurationReport
+ */
+export const SSHConfigurationReport = new SSHConfigurationReport$Type();
diff --git a/lib/teleterm/vnet/service.go b/lib/teleterm/vnet/service.go
index f54565c2684e1..29341f7153470 100644
--- a/lib/teleterm/vnet/service.go
+++ b/lib/teleterm/vnet/service.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"crypto/tls"
 	"errors"
+	"os"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -29,6 +30,8 @@ import (
 	"google.golang.org/protobuf/types/known/timestamppb"
 
 	"github.com/gravitational/teleport"
+	"github.com/gravitational/teleport/api/profile"
+	"github.com/gravitational/teleport/api/types"
 	prehogv1alpha "github.com/gravitational/teleport/gen/proto/go/prehog/v1alpha"
 	apiteleterm "github.com/gravitational/teleport/gen/proto/go/teleport/lib/teleterm/v1"
 	api "github.com/gravitational/teleport/gen/proto/go/teleport/lib/teleterm/vnet/v1"
@@ -90,6 +93,7 @@ type Config struct {
 	// reporting.
 	InstallationID string
 	Clock          clockwork.Clock
+	profilePath    string
 }
 
 // CheckAndSetDefaults checks and sets the defaults
@@ -110,6 +114,10 @@ func (c *Config) CheckAndSetDefaults() error {
 		c.Clock = clockwork.NewRealClock()
 	}
 
+	if c.profilePath == "" {
+		c.profilePath = profile.FullProfilePath(os.Getenv(types.HomeEnvVar))
+	}
+
 	return nil
 }
 
diff --git a/lib/teleterm/vnet/service_darwin.go b/lib/teleterm/vnet/service_darwin.go
index 9eaddaf31dba8..362246bf292c9 100644
--- a/lib/teleterm/vnet/service_darwin.go
+++ b/lib/teleterm/vnet/service_darwin.go
@@ -62,10 +62,20 @@ func (s *Service) RunDiagnostics(ctx context.Context, req *api.RunDiagnosticsReq
 		return nil, trace.Wrap(err)
 	}
 
+	sshDiag, err := diag.NewSSHDiag(&diag.SSHConfig{
+		ProfilePath: s.cfg.profilePath,
+	})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
 	report, err := diag.GenerateReport(ctx, diag.ReportPrerequisites{
 		Clock:               s.cfg.Clock,
 		NetworkStackAttempt: nsa,
-		DiagChecks:          []diag.DiagCheck{routeConflictDiag},
+		DiagChecks: []diag.DiagCheck{
+			routeConflictDiag,
+			sshDiag,
+		},
 	})
 	if err != nil {
 		return nil, trace.Wrap(err)
diff --git a/lib/vnet/diag/ssh.go b/lib/vnet/diag/ssh.go
new file mode 100644
index 0000000000000..27be9b1afd741
--- /dev/null
+++ b/lib/vnet/diag/ssh.go
@@ -0,0 +1,253 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package diag
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"io"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"unicode/utf8"
+
+	"github.com/dustin/go-humanize"
+	"github.com/gravitational/trace"
+
+	"github.com/gravitational/teleport/api/profile"
+	"github.com/gravitational/teleport/api/utils/keypaths"
+	diagv1 "github.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/diag/v1"
+)
+
+const (
+	maxOpenSSHConfigFileSize = 1 * 1024 * 1024 // 1 MiB
+)
+
+// SSHConfig includes everything that [SSHDiag] needs to run.
+type SSHConfig struct {
+	// ProfilePath is the path to the user profile (TELEPORT_HOME) where VNet's
+	// SSH configuration file is stored.
+	ProfilePath string
+}
+
+// SSHDiag is a diagnostic check that inspects whether the default user OpenSSH
+// config file includes VNet's generated SSH config file.
+type SSHDiag struct {
+	cfg                   *SSHConfig
+	userHome              string
+	userOpenSSHConfigPath string
+	vnetSSHConfigPath     string
+	isWindows             bool
+}
+
+// NewSSHDiag returns a new [SSHDiag].
+func NewSSHDiag(cfg *SSHConfig) (*SSHDiag, error) {
+	userHome, ok := profile.UserHomeDir()
+	if !ok {
+		return nil, trace.Errorf("unable to find user's home directory")
+	}
+	userOpenSSHConfigPath := filepath.Join(userHome, ".ssh", "config")
+	vnetSSHConfigPath := filepath.Join(cfg.ProfilePath, keypaths.VNetSSHConfig)
+	return &SSHDiag{
+		cfg:                   cfg,
+		userHome:              userHome,
+		userOpenSSHConfigPath: userOpenSSHConfigPath,
+		vnetSSHConfigPath:     vnetSSHConfigPath,
+		isWindows:             runtime.GOOS == "windows",
+	}, nil
+}
+
+// Commands returns no commands for this diagnostic.
+func (d *SSHDiag) Commands(ctx context.Context) []*exec.Cmd {
+	return nil
+}
+
+// EmptyCheckReport returns an empty SSH configuration report.
+func (d *SSHDiag) EmptyCheckReport() *diagv1.CheckReport {
+	return &diagv1.CheckReport{Report: &diagv1.CheckReport_SshConfigurationReport{}}
+}
+
+// Run runs the diagnostic.
+func (d *SSHDiag) Run(ctx context.Context) (*diagv1.CheckReport, error) {
+	report, err := d.run(ctx)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return &diagv1.CheckReport{
+		// This intentionally always returns CHECK_REPORT_STATUS_OK even if
+		// ~/.ssh/config does not include the VNet generated SSH config. It is
+		// not mandatory to configure SSH and returning an error status would
+		// cause an alert and notification in Connect.
+		Status: diagv1.CheckReportStatus_CHECK_REPORT_STATUS_OK,
+		Report: &diagv1.CheckReport_SshConfigurationReport{
+			SshConfigurationReport: report,
+		},
+	}, nil
+}
+
+func (d *SSHDiag) run(ctx context.Context) (*diagv1.SSHConfigurationReport, error) {
+	_, err := os.Stat(d.userOpenSSHConfigPath)
+	userOpenSSHConfigExists := err == nil
+	if !userOpenSSHConfigExists {
+		return &diagv1.SSHConfigurationReport{
+			UserOpensshConfigPath: d.userOpenSSHConfigPath,
+			VnetSshConfigPath:     d.vnetSSHConfigPath,
+		}, nil
+	}
+
+	userOpenSSHConfigFile, err := os.Open(d.userOpenSSHConfigPath)
+	if err != nil {
+		return nil, trace.Wrap(trace.ConvertSystemError(err), "opening %s for reading", d.userOpenSSHConfigPath)
+	}
+	defer userOpenSSHConfigFile.Close()
+
+	userOpenSSHConfigContents, err := io.ReadAll(io.LimitReader(userOpenSSHConfigFile, maxOpenSSHConfigFileSize))
+	if err != nil {
+		return nil, trace.Wrap(trace.ConvertSystemError(err), "reading %s", d.userOpenSSHConfigPath)
+	}
+	if len(userOpenSSHConfigContents) == maxOpenSSHConfigFileSize {
+		return nil, trace.Errorf("%s is too large to (max size %s)",
+			d.userOpenSSHConfigPath, humanize.Bytes(maxOpenSSHConfigFileSize))
+	}
+	if !utf8.Valid(userOpenSSHConfigContents) {
+		return nil, trace.Errorf("%s is not valid UTF-8", d.userOpenSSHConfigPath)
+	}
+
+	included, err := d.openSSHConfigIncludesVNetSSHConfig(bytes.NewReader(userOpenSSHConfigContents))
+	if err != nil {
+		return nil, trace.Wrap(err, "checking if the default user OpenSSH config includes VNet's SSH configuration")
+	}
+	return &diagv1.SSHConfigurationReport{
+		UserOpensshConfigPath:                  d.userOpenSSHConfigPath,
+		VnetSshConfigPath:                      d.vnetSSHConfigPath,
+		UserOpensshConfigIncludesVnetSshConfig: included,
+		UserOpensshConfigExists:                true,
+		UserOpensshConfigContents:              string(userOpenSSHConfigContents),
+	}, nil
+}
+
+func (d *SSHDiag) openSSHConfigIncludesVNetSSHConfig(r io.Reader) (bool, error) {
+	scanner := bufio.NewScanner(r)
+	for scanner.Scan() {
+		if d.openSSHConfigLineIncludesPath(scanner.Text(), d.vnetSSHConfigPath) {
+			return true, nil
+		}
+	}
+	return false, trace.Wrap(scanner.Err())
+}
+
+// openSSHConfigLineIncludesPath returns true if the given line of an OpenSSH
+// configuration file is an include statement for the given path.
+func (d *SSHDiag) openSSHConfigLineIncludesPath(line, wantPath string) bool {
+	wantPath = d.normalizePath(wantPath)
+	line = strings.TrimSpace(line)
+
+	// Only consider lines that begin with "include" (case-insensitive).
+	i := strings.IndexFunc(line, isSpace)
+	if i == -1 {
+		return false
+	}
+	if strings.ToLower(line[:i]) != "include" {
+		return false
+	}
+	// Consider the rest of the line after "include".
+	line = line[i+1:]
+
+	// Include lines may specify multiple pathnames and each pathname may
+	// contain glob wildcards, tokens, environment variables, ~, escaped
+	// characters and may or may not be quoted. This function does not support
+	// glob wildcards, tokens, or environment variables. It splits each argument
+	// at unescaped and unquoted whitespace and if the argument matches wantPath
+	// returns true. It does support ~ as an alias for the user's home
+	// directory.
+	var (
+		// b is a running buffer holding the current argument as parsed up to
+		// the current point.
+		b strings.Builder
+		// quote holds the opening quote character if one has been found.
+		quote = byte(0)
+	)
+loop:
+	for i := 0; i < len(line); i++ {
+		c := line[i]
+		switch {
+		case c == '\\' && i < len(line)-1 && canBeEscaped(line[i+1]):
+			// Skip the escape char and write the next char literally.
+			i++
+			b.WriteByte(line[i])
+		case quote == 0 && (c == '"' || c == '\''):
+			// Start of quote
+			quote = c
+		case quote != 0 && c == quote:
+			// End of quote
+			quote = 0
+		case b.Len() == 0 && c == '~':
+			// Support ~ as an alias for the user's home directory.
+			b.WriteString(d.userHome)
+		case quote == 0 && c == '#':
+			// Found an unquoted comment in the middle of the line, ignore the rest.
+			break loop
+		case quote == 0 && isSpace(rune(c)):
+			// Reached the end of this argument, check if it matches wantPath.
+			if d.normalizePath(b.String()) == wantPath {
+				return true
+			}
+			b.Reset()
+		default:
+			// By default just append the current character to the current
+			// argument.
+			b.WriteByte(c)
+		}
+	}
+	if quote != 0 {
+		// Unmatched quote.
+		return false
+	}
+	// Handle an argument that ends at the end of the line.
+	return d.normalizePath(b.String()) == wantPath
+}
+
+func (d *SSHDiag) normalizePath(path string) string {
+	if d.isWindows {
+		// Normalize all paths to use unix-style separators since OpenSSH
+		// supports / or \\ on Windows.
+		path = strings.ReplaceAll(path, `\`, `/`)
+		// Windows paths are case-insensitive.
+		path = strings.ToLower(path)
+	}
+	return filepath.Clean(path)
+}
+
+func isSpace(r rune) bool {
+	switch r {
+	case ' ', '\t':
+		return true
+	}
+	return false
+}
+
+func canBeEscaped(c byte) bool {
+	// https://github.com/openssh/openssh-portable/blob/5f761cdb2331a12318bde24db5ca84ee144a51d1/misc.c#L2089-L2099
+	switch c {
+	case ' ', '\\', '\'', '"':
+		return true
+	}
+	return false
+}
diff --git a/lib/vnet/diag/ssh_test.go b/lib/vnet/diag/ssh_test.go
new file mode 100644
index 0000000000000..2a1549a49c172
--- /dev/null
+++ b/lib/vnet/diag/ssh_test.go
@@ -0,0 +1,229 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package diag
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/gravitational/teleport/api/utils/keypaths"
+	diagv1 "github.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/diag/v1"
+)
+
+// TestSSHDiag tests the SSH configuration diagnostic, specifically its ability
+// to check whether an OpenSSH config file includes the VNet SSH config file.
+func TestSSHDiag(t *testing.T) {
+	t.Parallel()
+	for _, tc := range []struct {
+		desc        string
+		profilePath string
+		userHome    string
+		isWindows   bool
+		input       string
+		expect      bool
+	}{
+		{
+			desc:        "empty",
+			profilePath: `/Users/user/.tsh`,
+			userHome:    `/Users/user`,
+		},
+		{
+			desc:        "macos tsh",
+			profilePath: `/Users/user/.tsh`,
+			userHome:    `/Users/user`,
+			input:       `Include /Users/user/.tsh/vnet_ssh_config`,
+			expect:      true,
+		},
+		{
+			desc:        "macos tsh ~",
+			profilePath: `/Users/user/.tsh`,
+			userHome:    `/Users/user`,
+			input:       `Include ~/.tsh/vnet_ssh_config`,
+			expect:      true,
+		},
+		{
+			desc:        "macos connect",
+			profilePath: `/Users/user/Application Support/Teleport Connect/tsh`,
+			userHome:    `/Users/user`,
+			input:       `Include "/Users/user/Application Support/Teleport Connect/tsh/vnet_ssh_config"`,
+			expect:      true,
+		},
+		{
+			desc:        "macos connect ~",
+			profilePath: `/Users/user/Application Support/Teleport Connect/tsh`,
+			userHome:    `/Users/user`,
+			input:       `Include "~/Application Support/Teleport Connect/tsh/vnet_ssh_config"`,
+			expect:      true,
+		},
+		{
+			desc:        "macos tsh not match connect",
+			profilePath: `/Users/user/.tsh`,
+			userHome:    `/Users/user`,
+			input:       `Include "/Users/user/Application Support/Teleport Connect/tsh/vnet_ssh_config"`,
+		},
+		{
+			desc:        "macos connect not match tsh",
+			profilePath: `/Users/user/Application Support/Teleport Connect/tsh`,
+			userHome:    `/Users/user`,
+			input:       `Include /Users/user/.tsh/vnet_ssh_config`,
+		},
+		{
+			desc:        "windows tsh",
+			profilePath: `C:\Users\User\.tsh`,
+			userHome:    `C:\Users\User`,
+			isWindows:   true,
+			input:       `Include "C:\\Users\\User\\.tsh\\vnet_ssh_config"`,
+			expect:      true,
+		},
+		{
+			desc:        "windows tsh unescaped",
+			profilePath: `C:\Users\User\.tsh`,
+			userHome:    `C:\Users\User`,
+			isWindows:   true,
+			input:       `Include "C:\Users\User\.tsh\vnet_ssh_config"`,
+			expect:      true,
+		},
+		{
+			desc:        "windows tsh unix path",
+			profilePath: `C:\Users\User\.tsh`,
+			userHome:    `C:\Users\User`,
+			isWindows:   true,
+			input:       `Include "C:/Users/User/.tsh/vnet_ssh_config"`,
+			expect:      true,
+		},
+		{
+			desc:        "windows tsh ~",
+			profilePath: `C:\Users\User\.tsh`,
+			userHome:    `C:\Users\User`,
+			isWindows:   true,
+			input:       `Include "~\\.tsh\\vnet_ssh_config"`,
+			expect:      true,
+		},
+		{
+			desc:        "windows connect",
+			profilePath: `C:\Users\User\AppData\Roaming\Teleport Connect\tsh`,
+			userHome:    `C:\Users\User`,
+			isWindows:   true,
+			input:       `Include "C:\\Users\\User\\AppData\\Roaming\\Teleport\ Connect\\tsh\\vnet_ssh_config"`,
+			expect:      true,
+		},
+		{
+			desc:        "windows connect unescaped",
+			profilePath: `C:\Users\User\AppData\Roaming\Teleport Connect\tsh`,
+			userHome:    `C:\Users\User`,
+			isWindows:   true,
+			input:       `Include "C:\Users\User\AppData\Roaming\Teleport Connect\tsh\vnet_ssh_config"`,
+			expect:      true,
+		},
+		{
+			desc:        "windows connect unix path",
+			profilePath: `C:\Users\User\AppData\Roaming\Teleport Connect\tsh`,
+			userHome:    `C:\Users\User`,
+			isWindows:   true,
+			input:       `Include "C:/Users/User/AppData/Roaming/Teleport\ Connect/tsh/vnet_ssh_config"`,
+			expect:      true,
+		},
+		{
+			desc:        "windows connect ~",
+			profilePath: `C:\Users\User\AppData\Roaming\Teleport Connect\tsh`,
+			userHome:    `C:\Users\User`,
+			isWindows:   true,
+			input:       `Include "~\\AppData\\Roaming\\Teleport\ Connect\\tsh\\vnet_ssh_config"`,
+			expect:      true,
+		},
+		{
+			desc:        "windows tsh not match connect",
+			profilePath: `C:\Users\User\.tsh`,
+			userHome:    `C:\Users\User`,
+			isWindows:   true,
+			input:       `Include "C:\\Users\\User\\AppData\\Roaming\\Teleport\ Connect\\tsh\\vnet_ssh_config"`,
+		},
+		{
+			desc:        "windows connect not match tsh",
+			profilePath: `C:\Users\User\AppData\Roaming\Teleport Connect\tsh`,
+			userHome:    `C:\Users\User`,
+			isWindows:   true,
+			input:       `Include "C:\\Users\\User\\.tsh\\vnet_ssh_config"`,
+		},
+		{
+			desc:        "some other file",
+			profilePath: `/Users/user/.tsh`,
+			input:       `Include /Users/user/.tsh/ssh_config`,
+		},
+		{
+			desc:        "multiple includes",
+			profilePath: `/Users/user/.tsh`,
+			userHome:    `/Users/user`,
+			input: `
+Include ~/.ssh/include/*
+Include /Users/user/ssh_config
+Include /Users/user/.tsh/vnet_ssh_config
+`,
+			expect: true,
+		},
+		{
+			desc:        "commented",
+			profilePath: `/Users/user/.tsh`,
+			userHome:    `/Users/user`,
+			input:       `Include #/Users/user/.tsh/vnet_ssh_config`,
+		},
+		{
+			desc:        "single quotes",
+			profilePath: `/Users/user/.tsh`,
+			userHome:    `/Users/user`,
+			input:       `Include '/Users/user/.tsh/vnet_ssh_config'`,
+			expect:      true,
+		},
+	} {
+		t.Run(tc.desc, func(t *testing.T) {
+			diag, err := NewSSHDiag(&SSHConfig{
+				ProfilePath: tc.profilePath,
+			})
+			require.NoError(t, err)
+			userOpenSSHConfigPath := filepath.Join(t.TempDir(), "test_ssh_config")
+
+			// Override isWindows and paths for the purpose of the test.
+			diag.isWindows = tc.isWindows
+			diag.userHome = tc.userHome
+			diag.userOpenSSHConfigPath = userOpenSSHConfigPath
+
+			if len(tc.input) > 0 {
+				require.NoError(t, os.WriteFile(userOpenSSHConfigPath, []byte(tc.input), 0o600))
+			}
+
+			expectReport := &diagv1.CheckReport{
+				Status: diagv1.CheckReportStatus_CHECK_REPORT_STATUS_OK,
+				Report: &diagv1.CheckReport_SshConfigurationReport{
+					SshConfigurationReport: &diagv1.SSHConfigurationReport{
+						UserOpensshConfigPath:                  userOpenSSHConfigPath,
+						VnetSshConfigPath:                      keypaths.VNetSSHConfigPath(tc.profilePath),
+						UserOpensshConfigIncludesVnetSshConfig: tc.expect,
+						UserOpensshConfigExists:                len(tc.input) > 0,
+						UserOpensshConfigContents:              tc.input,
+					},
+				},
+			}
+
+			report, err := diag.Run(t.Context())
+			require.NoError(t, err)
+			require.Equal(t, expectReport, report)
+		})
+	}
+}
diff --git a/proto/teleport/lib/vnet/diag/v1/diag.proto b/proto/teleport/lib/vnet/diag/v1/diag.proto
index 6d96cf1958a78..ce2407ded2e03 100644
--- a/proto/teleport/lib/vnet/diag/v1/diag.proto
+++ b/proto/teleport/lib/vnet/diag/v1/diag.proto
@@ -107,6 +107,8 @@ message CheckReport {
     // route_conflict reports whether there are routes that might conflict with routes set up by
     // VNet.
     RouteConflictReport route_conflict_report = 2;
+    // ssh_configuration_report reports the status of the system's SSH configuration.
+    SSHConfigurationReport ssh_configuration_report = 3;
   }
 }
 
@@ -158,3 +160,22 @@ message RouteConflict {
   // it's likely to be empty.
   string interface_app = 4;
 }
+
+// SSHConfigurationReport describes the state of the system's SSH configuration.
+message SSHConfigurationReport {
+  // user_openssh_config_path is the full path to the user's default OpenSSH
+  // config file (~/.ssh/config).
+  string user_openssh_config_path = 1;
+  // vnet_ssh_config_path is the path to VNet's generated OpenSSH-compatible
+  // config file.
+  string vnet_ssh_config_path = 2;
+  // user_openssh_config_includes_vnet_ssh_config is true if the default
+  // OpenSSH user configuration file includes VNet's SSH config file.
+  bool user_openssh_config_includes_vnet_ssh_config = 3;
+  // user_openssh_config_exists is true if a file exists at
+  // user_openssh_config_path (~/.ssh/config).
+  bool user_openssh_config_exists = 4;
+  // user_openssh_config_contents contains the contents of the file at
+  // user_openssh_config_path if it exists.
+  string user_openssh_config_contents = 5;
+}
diff --git a/web/packages/teleterm/src/helpers.ts b/web/packages/teleterm/src/helpers.ts
index 207bd43271f28..f21ec32989aad 100644
--- a/web/packages/teleterm/src/helpers.ts
+++ b/web/packages/teleterm/src/helpers.ts
@@ -26,6 +26,7 @@ import { WindowsDesktop } from 'gen-proto-ts/teleport/lib/teleterm/v1/windows_de
 import {
   CheckReport,
   RouteConflictReport,
+  SSHConfigurationReport,
 } from 'gen-proto-ts/teleport/lib/vnet/diag/v1/diag_pb';
 
 import {
@@ -194,3 +195,12 @@ export function reportOneOfIsRouteConflictReport(
 } {
   return report.oneofKind === 'routeConflictReport';
 }
+
+export function reportOneOfIsSSHConfigurationReport(
+  report: CheckReport['report']
+): report is {
+  oneofKind: 'sshConfigurationReport';
+  sshConfigurationReport: SSHConfigurationReport;
+} {
+  return report.oneofKind === 'sshConfigurationReport';
+}
diff --git a/web/packages/teleterm/src/services/vnet/__snapshots__/diag.test.ts.snap b/web/packages/teleterm/src/services/vnet/__snapshots__/diag.test.ts.snap
index 77776b66d752a..4d55bb3866f8a 100644
--- a/web/packages/teleterm/src/services/vnet/__snapshots__/diag.test.ts.snap
+++ b/web/packages/teleterm/src/services/vnet/__snapshots__/diag.test.ts.snap
@@ -33,5 +33,21 @@ default            link#25            UCSIg               utun4
 100.100.100.100    link#25            UHWIi               utun4       
 
 \`\`\`
+
+---
+⚠️ VNet SSH is not configured.
+
+  The user's default SSH configuration file does not include VNet's
+  generated configuration file and connections to VNet SSH hosts will
+  not work by default.
+
+| File description         | Path |
+| ------------------------ | ---- |
+| User OpenSSH config file | ~/.ssh/config  |
+| VNet SSH config file     | /Users/user/Library/Application Support/Teleport Connect/tsh/vnet_ssh_config  |
+
+~/.ssh/config does not exist
+
+
 "
 `;
diff --git a/web/packages/teleterm/src/services/vnet/diag.test.ts b/web/packages/teleterm/src/services/vnet/diag.test.ts
index 5d7d12ad1d3b8..937632b0386ac 100644
--- a/web/packages/teleterm/src/services/vnet/diag.test.ts
+++ b/web/packages/teleterm/src/services/vnet/diag.test.ts
@@ -29,10 +29,10 @@ import {
 
 describe('reportToText', () => {
   it('converts report correctly', () => {
-    const checkReport = makeCheckReport({
+    const routeConflictReport = makeCheckReport({
       status: diag.CheckReportStatus.ISSUES_FOUND,
     });
-    checkReport.report = {
+    routeConflictReport.report = {
       oneofKind: 'routeConflictReport',
       routeConflictReport: {
         routeConflicts: [
@@ -51,12 +51,29 @@ describe('reportToText', () => {
         ],
       },
     };
+    const sshConfigReport = makeCheckReport({
+      status: diag.CheckReportStatus.OK,
+    });
+    sshConfigReport.report = {
+      oneofKind: 'sshConfigurationReport',
+      sshConfigurationReport: {
+        userOpensshConfigPath: '~/.ssh/config',
+        vnetSshConfigPath:
+          '/Users/user/Library/Application Support/Teleport Connect/tsh/vnet_ssh_config',
+        userOpensshConfigIncludesVnetSshConfig: false,
+        userOpensshConfigExists: false,
+        userOpensshConfigContents: '',
+      },
+    };
     const report = makeReport({
       checks: [
         makeCheckAttempt({
-          checkReport,
+          checkReport: routeConflictReport,
           commands: [makeCommandAttempt()],
         }),
+        makeCheckAttempt({
+          checkReport: sshConfigReport,
+        }),
       ],
     });
 
diff --git a/web/packages/teleterm/src/services/vnet/diag.ts b/web/packages/teleterm/src/services/vnet/diag.ts
index 6313c556c895f..98043f7293ecb 100644
--- a/web/packages/teleterm/src/services/vnet/diag.ts
+++ b/web/packages/teleterm/src/services/vnet/diag.ts
@@ -20,7 +20,10 @@ import { displayDateTime } from 'design/datetime';
 import { Timestamp } from 'gen-proto-ts/google/protobuf/timestamp_pb';
 import * as diag from 'gen-proto-ts/teleport/lib/vnet/diag/v1/diag_pb';
 
-import { reportOneOfIsRouteConflictReport } from 'teleterm/helpers';
+import {
+  reportOneOfIsRouteConflictReport,
+  reportOneOfIsSSHConfigurationReport,
+} from 'teleterm/helpers';
 
 export const hasReportFoundIssues = (report: diag.Report): boolean =>
   report.checks.some(
@@ -122,6 +125,10 @@ const reportOneofToDisplayDetails: Record<
     errorTitle: 'inspect network routes',
     reportToText: routeConflictReportToText,
   },
+  sshConfigurationReport: {
+    errorTitle: 'inspect SSH configuration',
+    reportToText: sshConfigurationReportToText,
+  },
 };
 
 function routeConflictReportToText({
@@ -149,3 +156,43 @@ function routeConflictReportToText({
 | ---------------- | ----------------------- | --------- | --------- |
 ${tableRows}`;
 }
+
+function sshConfigurationReportToText({ report }: diag.CheckReport): string {
+  if (!reportOneOfIsSSHConfigurationReport(report)) {
+    return null;
+  }
+  const {
+    userOpensshConfigPath,
+    vnetSshConfigPath,
+    userOpensshConfigIncludesVnetSshConfig,
+    userOpensshConfigExists,
+    userOpensshConfigContents,
+  } = report.sshConfigurationReport;
+
+  const status = userOpensshConfigIncludesVnetSshConfig
+    ? '✅ VNet SSH is configured correctly.'
+    : `⚠️ VNet SSH is not configured.
+
+  The user's default SSH configuration file does not include VNet's
+  generated configuration file and connections to VNet SSH hosts will
+  not work by default.`;
+
+  const pathsTable = `
+| File description         | Path |
+| ------------------------ | ---- |
+| User OpenSSH config file | ${userOpensshConfigPath}  |
+| VNet SSH config file     | ${vnetSshConfigPath}  |`;
+
+  const currentContents = userOpensshConfigExists
+    ? `Current contents of ${userOpensshConfigPath}:
+
+\`\`\`
+${userOpensshConfigContents}
+\`\`\``
+    : `${userOpensshConfigPath} does not exist`;
+
+  return `${status}
+${pathsTable}
+
+${currentContents}`;
+}
diff --git a/web/packages/teleterm/src/ui/Vnet/DocumentVnetDiagReport.story.tsx b/web/packages/teleterm/src/ui/Vnet/DocumentVnetDiagReport.story.tsx
index 3edf82f6683ff..e84383cdd321f 100644
--- a/web/packages/teleterm/src/ui/Vnet/DocumentVnetDiagReport.story.tsx
+++ b/web/packages/teleterm/src/ui/Vnet/DocumentVnetDiagReport.story.tsx
@@ -26,6 +26,7 @@ import {
   CommandAttemptStatus,
   RouteConflict,
   RouteConflictReport,
+  SSHConfigurationReport,
 } from 'gen-proto-ts/teleport/lib/vnet/diag/v1/diag_pb';
 import { usePromiseRejectedOnUnmount } from 'shared/utils/wait';
 
@@ -48,6 +49,12 @@ import { ConnectionsContextProvider } from 'teleterm/ui/TopBar/Connections/conne
 import { DocumentVnetDiagReport as Component } from './DocumentVnetDiagReport';
 import { useVnetContext, VnetContextProvider } from './vnetContext';
 
+const defaultUserSSHConfigContents = `Include "/Users/User/Library/Application Support/Teleport Connect/tsh/vnet_ssh_config"
+
+Host github.com
+  IdentityFile ~/.ssh/id_ed25519
+`;
+
 type StoryProps = {
   asText: boolean;
   networkStackAttempt: 'ok' | 'error';
@@ -56,6 +63,10 @@ type StoryProps = {
   routeConflictAttempt: 'ok' | 'issues-found' | 'error';
   routeConflicts: RouteConflict[];
   routeConflictCommandAttempt: 'ok' | 'error';
+  sshConfigAttempt: 'ok' | 'error';
+  sshConfigured: boolean;
+  userOpenSSHConfigExists: boolean;
+  userOpenSSHConfigContents: string;
   displayUnsupportedCheckAttempt: boolean;
   vnetRunning: boolean;
   reRunDiagnostics: 'success' | 'error' | 'processing';
@@ -91,6 +102,15 @@ const meta: Meta<StoryProps> = {
       control: { type: 'inline-radio' },
       options: ['ok', 'error'],
     },
+    sshConfigAttempt: {
+      control: { type: 'inline-radio' },
+      options: ['ok', 'error'],
+    },
+    userOpenSSHConfigExists: {},
+    userOpenSSHConfigContents: {},
+    sshConfigured: {
+      control: { type: 'boolean' },
+    },
     displayUnsupportedCheckAttempt: {
       description:
         "Simulate the component receiving a report with a check attempt that's not supported in the current version",
@@ -121,6 +141,10 @@ const meta: Meta<StoryProps> = {
       }),
     ],
     routeConflictCommandAttempt: 'ok',
+    sshConfigAttempt: 'ok',
+    sshConfigured: false,
+    userOpenSSHConfigExists: true,
+    userOpenSSHConfigContents: defaultUserSSHConfigContents,
     displayUnsupportedCheckAttempt: false,
     vnetRunning: true,
     reRunDiagnostics: 'success',
@@ -208,6 +232,31 @@ export function DocumentVnetDiagReport(props: StoryProps) {
   }
   report.checks.push(routeConflictCheckAttempt);
 
+  const sshConfigReport: SSHConfigurationReport = {
+    userOpensshConfigIncludesVnetSshConfig: props.sshConfigured,
+    userOpensshConfigPath: '/Users/User/.ssh/config',
+    vnetSshConfigPath:
+      '/Users/User/Library/Application Support/Teleport Connect/tsh/vnet_ssh_config',
+    userOpensshConfigExists: props.userOpenSSHConfigExists,
+    userOpensshConfigContents: props.userOpenSSHConfigContents,
+  };
+  const sshConfigCheckAttempt = makeCheckAttempt({
+    status:
+      props.sshConfigAttempt === 'ok'
+        ? CheckAttemptStatus.OK
+        : CheckAttemptStatus.ERROR,
+    error:
+      props.sshConfigAttempt === 'error' ? 'something went wrong' : undefined,
+    checkReport: makeCheckReport({
+      status: CheckReportStatus.OK,
+      report: {
+        oneofKind: 'sshConfigurationReport',
+        sshConfigurationReport: sshConfigReport,
+      },
+    }),
+  });
+  report.checks.push(sshConfigCheckAttempt);
+
   if (props.displayUnsupportedCheckAttempt) {
     report.checks.push({
       status: CheckAttemptStatus.OK,
diff --git a/web/packages/teleterm/src/ui/Vnet/DocumentVnetDiagReport.tsx b/web/packages/teleterm/src/ui/Vnet/DocumentVnetDiagReport.tsx
index a74ed7feeb4c4..b90f34f0dfd40 100644
--- a/web/packages/teleterm/src/ui/Vnet/DocumentVnetDiagReport.tsx
+++ b/web/packages/teleterm/src/ui/Vnet/DocumentVnetDiagReport.tsx
@@ -21,7 +21,7 @@ import styled from 'styled-components';
 
 import { Button, Alert as DesignAlert, Flex, H1, Link, Stack } from 'design';
 import { AlertProps } from 'design/Alert/Alert';
-import Table, { TextCell } from 'design/DataTable';
+import Table, { Cell, TextCell } from 'design/DataTable';
 import { displayDateTime } from 'design/datetime';
 import {
   Copy,
@@ -35,10 +35,14 @@ import { HoverTooltip } from 'design/Tooltip';
 import { copyToClipboard } from 'design/utils/copyToClipboard';
 import { Timestamp } from 'gen-proto-ts/google/protobuf/timestamp_pb';
 import * as diag from 'gen-proto-ts/teleport/lib/vnet/diag/v1/diag_pb';
+import { TextSelectCopy } from 'shared/components/TextSelectCopy';
 import { CanceledError, useAsync } from 'shared/hooks/useAsync';
 import { pluralize } from 'shared/utils/text';
 
-import { reportOneOfIsRouteConflictReport } from 'teleterm/helpers';
+import {
+  reportOneOfIsRouteConflictReport,
+  reportOneOfIsSSHConfigurationReport,
+} from 'teleterm/helpers';
 import { getReportFilename, reportToText } from 'teleterm/services/vnet/diag';
 import { useAppContext } from 'teleterm/ui/appContextProvider';
 import Document from 'teleterm/ui/Document';
@@ -297,6 +301,10 @@ const reportOneofDisplayDetails: Record<
     errorTitle: 'inspect network routes',
     Component: CheckReportRouteConflict,
   },
+  sshConfigurationReport: {
+    errorTitle: 'inspect SSH configuration',
+    Component: CheckReportSSHConfiguration,
+  },
 };
 
 /**
@@ -367,6 +375,91 @@ function CheckReportRouteConflict({
   );
 }
 
+function CheckReportSSHConfiguration({
+  checkReport: { report },
+}: {
+  checkReport: diag.CheckReport;
+}) {
+  if (!reportOneOfIsSSHConfigurationReport(report)) {
+    return null;
+  }
+  const {
+    userOpensshConfigPath,
+    vnetSshConfigPath,
+    userOpensshConfigIncludesVnetSshConfig,
+    userOpensshConfigExists,
+    userOpensshConfigContents,
+  } = report.sshConfigurationReport;
+  const pathsTable = (
+    <Table
+      emptyText=""
+      data={[
+        {
+          desc: 'User OpenSSH config file',
+          path: userOpensshConfigPath,
+        },
+        {
+          desc: 'VNet SSH config file',
+          path: vnetSshConfigPath,
+        },
+      ]}
+      columns={[
+        { key: 'desc', headerText: 'File description' },
+        {
+          key: 'path',
+          headerText: 'Path',
+          render: row => (
+            <Cell>
+              <code>{row.path}</code>
+            </Cell>
+          ),
+        },
+      ]}
+    />
+  );
+  if (userOpensshConfigIncludesVnetSshConfig) {
+    return (
+      <>
+        <Stack>
+          <P1>
+            <Success /> VNet SSH is configured correctly.
+          </P1>
+          <P2>
+            The user's default SSH configuration file correctly includes VNet's
+            generated configuration file.
+          </P2>
+        </Stack>
+        {pathsTable}
+      </>
+    );
+  }
+  return (
+    <>
+      <Stack>
+        <P1>
+          <Warning /> VNet SSH is not configured.
+        </P1>
+        <P2 m={0}>
+          The user's default SSH configuration file does not include VNet's
+          generated SSH configuration file. SSH clients will not be able to make
+          connections to VNet SSH addresses by default. Add the following line
+          to <code>{userOpensshConfigPath}</code> to configure
+          OpenSSH-compatible clients for VNet:
+        </P2>
+        <TextSelectCopy text={`Include "${vnetSshConfigPath}"`} bash={false} />
+      </Stack>
+      {userOpensshConfigExists ? (
+        <details>
+          <Summary>
+            Current contents of <code>{userOpensshConfigPath}</code>
+          </Summary>
+          <Pre>{userOpensshConfigContents}</Pre>
+        </details>
+      ) : null}
+    </>
+  );
+}
+
 const Summary = styled.summary`
   cursor: pointer;
 `;

From f2c9e0acc2cf39136e15bb886d5c63bcba3fb228 Mon Sep 17 00:00:00 2001
From: Nic Klaassen <nic@goteleport.com>
Date: Thu, 19 Jun 2025 08:49:11 -0700
Subject: [PATCH 11/25] [v18][vnet] feat: show SSH status in VNet slider
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Backport #55755 to branch/v18

Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com>
---
 .../lib/teleterm/vnet/v1/vnet_service.pb.go   |  88 +++++++----
 .../teleterm/vnet/v1/vnet_service_grpc.pb.go  |  50 ++----
 .../vnet/v1/vnet_service_pb.client.ts         |  34 ++--
 .../vnet/v1/vnet_service_pb.grpc-server.ts    |  32 ++--
 .../lib/teleterm/vnet/v1/vnet_service_pb.ts   |  96 ++++++++----
 lib/teleterm/vnet/service.go                  |  31 ++--
 .../lib/teleterm/vnet/v1/vnet_service.proto   |  32 ++--
 .../src/services/tshd/fixtures/mocks.ts       |   7 +-
 .../ConnectionItem.tsx                        |  24 +--
 .../ConnectionStatusIndicator.tsx             |   9 ++
 .../src/ui/Vnet/VnetSliderStep.story.tsx      | 136 ++++++++++++----
 .../teleterm/src/ui/Vnet/VnetSliderStep.tsx   | 148 +++++++++++++-----
 .../teleterm/src/ui/Vnet/integration.test.tsx |  24 +--
 .../teleterm/src/ui/Vnet/vnetContext.tsx      |  17 +-
 14 files changed, 457 insertions(+), 271 deletions(-)

diff --git a/gen/proto/go/teleport/lib/teleterm/vnet/v1/vnet_service.pb.go b/gen/proto/go/teleport/lib/teleterm/vnet/v1/vnet_service.pb.go
index 39c2f91caecc4..f1103603824cf 100644
--- a/gen/proto/go/teleport/lib/teleterm/vnet/v1/vnet_service.pb.go
+++ b/gen/proto/go/teleport/lib/teleterm/vnet/v1/vnet_service.pb.go
@@ -248,27 +248,27 @@ func (*StopResponse) Descriptor() ([]byte, []int) {
 	return file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDescGZIP(), []int{3}
 }
 
-// Request for ListDNSZones.
-type ListDNSZonesRequest struct {
+// Request for GetServiceInfo.
+type GetServiceInfoRequest struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
 
-func (x *ListDNSZonesRequest) Reset() {
-	*x = ListDNSZonesRequest{}
+func (x *GetServiceInfoRequest) Reset() {
+	*x = GetServiceInfoRequest{}
 	mi := &file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_msgTypes[4]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
 
-func (x *ListDNSZonesRequest) String() string {
+func (x *GetServiceInfoRequest) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 
-func (*ListDNSZonesRequest) ProtoMessage() {}
+func (*GetServiceInfoRequest) ProtoMessage() {}
 
-func (x *ListDNSZonesRequest) ProtoReflect() protoreflect.Message {
+func (x *GetServiceInfoRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_msgTypes[4]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -280,34 +280,40 @@ func (x *ListDNSZonesRequest) ProtoReflect() protoreflect.Message {
 	return mi.MessageOf(x)
 }
 
-// Deprecated: Use ListDNSZonesRequest.ProtoReflect.Descriptor instead.
-func (*ListDNSZonesRequest) Descriptor() ([]byte, []int) {
+// Deprecated: Use GetServiceInfoRequest.ProtoReflect.Descriptor instead.
+func (*GetServiceInfoRequest) Descriptor() ([]byte, []int) {
 	return file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDescGZIP(), []int{4}
 }
 
-// Response for ListDNSZones.
-type ListDNSZonesResponse struct {
+// GetServiceInfoResponse contains the status of the running VNet service.
+type GetServiceInfoResponse struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
-	// dns_zones is a deduplicated list of DNS zones.
-	DnsZones      []string `protobuf:"bytes,1,rep,name=dns_zones,json=dnsZones,proto3" json:"dns_zones,omitempty"`
+	// app_dns_zones is a deduplicated list of all DNS zones valid as DNS
+	// suffixes for connections to TCP apps.
+	AppDnsZones []string `protobuf:"bytes,1,rep,name=app_dns_zones,json=appDnsZones,proto3" json:"app_dns_zones,omitempty"`
+	// clusters is a list of cluster names valid as DNS suffixes for SSH hosts.
+	Clusters []string `protobuf:"bytes,2,rep,name=clusters,proto3" json:"clusters,omitempty"`
+	// ssh_configured is true if the user's SSH config file includes VNet's
+	// generated SSH config necessary for SSH access.
+	SshConfigured bool `protobuf:"varint,3,opt,name=ssh_configured,json=sshConfigured,proto3" json:"ssh_configured,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
 
-func (x *ListDNSZonesResponse) Reset() {
-	*x = ListDNSZonesResponse{}
+func (x *GetServiceInfoResponse) Reset() {
+	*x = GetServiceInfoResponse{}
 	mi := &file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_msgTypes[5]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
 
-func (x *ListDNSZonesResponse) String() string {
+func (x *GetServiceInfoResponse) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 
-func (*ListDNSZonesResponse) ProtoMessage() {}
+func (*GetServiceInfoResponse) ProtoMessage() {}
 
-func (x *ListDNSZonesResponse) ProtoReflect() protoreflect.Message {
+func (x *GetServiceInfoResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_msgTypes[5]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -319,18 +325,32 @@ func (x *ListDNSZonesResponse) ProtoReflect() protoreflect.Message {
 	return mi.MessageOf(x)
 }
 
-// Deprecated: Use ListDNSZonesResponse.ProtoReflect.Descriptor instead.
-func (*ListDNSZonesResponse) Descriptor() ([]byte, []int) {
+// Deprecated: Use GetServiceInfoResponse.ProtoReflect.Descriptor instead.
+func (*GetServiceInfoResponse) Descriptor() ([]byte, []int) {
 	return file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDescGZIP(), []int{5}
 }
 
-func (x *ListDNSZonesResponse) GetDnsZones() []string {
+func (x *GetServiceInfoResponse) GetAppDnsZones() []string {
 	if x != nil {
-		return x.DnsZones
+		return x.AppDnsZones
 	}
 	return nil
 }
 
+func (x *GetServiceInfoResponse) GetClusters() []string {
+	if x != nil {
+		return x.Clusters
+	}
+	return nil
+}
+
+func (x *GetServiceInfoResponse) GetSshConfigured() bool {
+	if x != nil {
+		return x.SshConfigured
+	}
+	return false
+}
+
 // Request for GetBackgroundItemStatus.
 type GetBackgroundItemStatusRequest struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
@@ -503,10 +523,12 @@ const file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDesc = "" +
 	"\fStartRequest\"\x0f\n" +
 	"\rStartResponse\"\r\n" +
 	"\vStopRequest\"\x0e\n" +
-	"\fStopResponse\"\x15\n" +
-	"\x13ListDNSZonesRequest\"3\n" +
-	"\x14ListDNSZonesResponse\x12\x1b\n" +
-	"\tdns_zones\x18\x01 \x03(\tR\bdnsZones\" \n" +
+	"\fStopResponse\"\x17\n" +
+	"\x15GetServiceInfoRequest\"\x7f\n" +
+	"\x16GetServiceInfoResponse\x12\"\n" +
+	"\rapp_dns_zones\x18\x01 \x03(\tR\vappDnsZones\x12\x1a\n" +
+	"\bclusters\x18\x02 \x03(\tR\bclusters\x12%\n" +
+	"\x0essh_configured\x18\x03 \x01(\bR\rsshConfigured\" \n" +
 	"\x1eGetBackgroundItemStatusRequest\"n\n" +
 	"\x1fGetBackgroundItemStatusResponse\x12K\n" +
 	"\x06status\x18\x01 \x01(\x0e23.teleport.lib.teleterm.vnet.v1.BackgroundItemStatusR\x06status\"\x17\n" +
@@ -519,11 +541,11 @@ const file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDesc = "" +
 	"\x1eBACKGROUND_ITEM_STATUS_ENABLED\x10\x02\x12,\n" +
 	"(BACKGROUND_ITEM_STATUS_REQUIRES_APPROVAL\x10\x03\x12$\n" +
 	" BACKGROUND_ITEM_STATUS_NOT_FOUND\x10\x04\x12(\n" +
-	"$BACKGROUND_ITEM_STATUS_NOT_SUPPORTED\x10\x052\xe5\x04\n" +
+	"$BACKGROUND_ITEM_STATUS_NOT_SUPPORTED\x10\x052\xeb\x04\n" +
 	"\vVnetService\x12b\n" +
 	"\x05Start\x12+.teleport.lib.teleterm.vnet.v1.StartRequest\x1a,.teleport.lib.teleterm.vnet.v1.StartResponse\x12_\n" +
-	"\x04Stop\x12*.teleport.lib.teleterm.vnet.v1.StopRequest\x1a+.teleport.lib.teleterm.vnet.v1.StopResponse\x12w\n" +
-	"\fListDNSZones\x122.teleport.lib.teleterm.vnet.v1.ListDNSZonesRequest\x1a3.teleport.lib.teleterm.vnet.v1.ListDNSZonesResponse\x12\x98\x01\n" +
+	"\x04Stop\x12*.teleport.lib.teleterm.vnet.v1.StopRequest\x1a+.teleport.lib.teleterm.vnet.v1.StopResponse\x12}\n" +
+	"\x0eGetServiceInfo\x124.teleport.lib.teleterm.vnet.v1.GetServiceInfoRequest\x1a5.teleport.lib.teleterm.vnet.v1.GetServiceInfoResponse\x12\x98\x01\n" +
 	"\x17GetBackgroundItemStatus\x12=.teleport.lib.teleterm.vnet.v1.GetBackgroundItemStatusRequest\x1a>.teleport.lib.teleterm.vnet.v1.GetBackgroundItemStatusResponse\x12}\n" +
 	"\x0eRunDiagnostics\x124.teleport.lib.teleterm.vnet.v1.RunDiagnosticsRequest\x1a5.teleport.lib.teleterm.vnet.v1.RunDiagnosticsResponseBUZSgithub.com/gravitational/teleport/gen/proto/go/teleport/lib/teleterm/vnet/v1;vnetv1b\x06proto3"
 
@@ -547,8 +569,8 @@ var file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_goTypes = []any{
 	(*StartResponse)(nil),                   // 2: teleport.lib.teleterm.vnet.v1.StartResponse
 	(*StopRequest)(nil),                     // 3: teleport.lib.teleterm.vnet.v1.StopRequest
 	(*StopResponse)(nil),                    // 4: teleport.lib.teleterm.vnet.v1.StopResponse
-	(*ListDNSZonesRequest)(nil),             // 5: teleport.lib.teleterm.vnet.v1.ListDNSZonesRequest
-	(*ListDNSZonesResponse)(nil),            // 6: teleport.lib.teleterm.vnet.v1.ListDNSZonesResponse
+	(*GetServiceInfoRequest)(nil),           // 5: teleport.lib.teleterm.vnet.v1.GetServiceInfoRequest
+	(*GetServiceInfoResponse)(nil),          // 6: teleport.lib.teleterm.vnet.v1.GetServiceInfoResponse
 	(*GetBackgroundItemStatusRequest)(nil),  // 7: teleport.lib.teleterm.vnet.v1.GetBackgroundItemStatusRequest
 	(*GetBackgroundItemStatusResponse)(nil), // 8: teleport.lib.teleterm.vnet.v1.GetBackgroundItemStatusResponse
 	(*RunDiagnosticsRequest)(nil),           // 9: teleport.lib.teleterm.vnet.v1.RunDiagnosticsRequest
@@ -560,12 +582,12 @@ var file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_depIdxs = []int32{
 	11, // 1: teleport.lib.teleterm.vnet.v1.RunDiagnosticsResponse.report:type_name -> teleport.lib.vnet.diag.v1.Report
 	1,  // 2: teleport.lib.teleterm.vnet.v1.VnetService.Start:input_type -> teleport.lib.teleterm.vnet.v1.StartRequest
 	3,  // 3: teleport.lib.teleterm.vnet.v1.VnetService.Stop:input_type -> teleport.lib.teleterm.vnet.v1.StopRequest
-	5,  // 4: teleport.lib.teleterm.vnet.v1.VnetService.ListDNSZones:input_type -> teleport.lib.teleterm.vnet.v1.ListDNSZonesRequest
+	5,  // 4: teleport.lib.teleterm.vnet.v1.VnetService.GetServiceInfo:input_type -> teleport.lib.teleterm.vnet.v1.GetServiceInfoRequest
 	7,  // 5: teleport.lib.teleterm.vnet.v1.VnetService.GetBackgroundItemStatus:input_type -> teleport.lib.teleterm.vnet.v1.GetBackgroundItemStatusRequest
 	9,  // 6: teleport.lib.teleterm.vnet.v1.VnetService.RunDiagnostics:input_type -> teleport.lib.teleterm.vnet.v1.RunDiagnosticsRequest
 	2,  // 7: teleport.lib.teleterm.vnet.v1.VnetService.Start:output_type -> teleport.lib.teleterm.vnet.v1.StartResponse
 	4,  // 8: teleport.lib.teleterm.vnet.v1.VnetService.Stop:output_type -> teleport.lib.teleterm.vnet.v1.StopResponse
-	6,  // 9: teleport.lib.teleterm.vnet.v1.VnetService.ListDNSZones:output_type -> teleport.lib.teleterm.vnet.v1.ListDNSZonesResponse
+	6,  // 9: teleport.lib.teleterm.vnet.v1.VnetService.GetServiceInfo:output_type -> teleport.lib.teleterm.vnet.v1.GetServiceInfoResponse
 	8,  // 10: teleport.lib.teleterm.vnet.v1.VnetService.GetBackgroundItemStatus:output_type -> teleport.lib.teleterm.vnet.v1.GetBackgroundItemStatusResponse
 	10, // 11: teleport.lib.teleterm.vnet.v1.VnetService.RunDiagnostics:output_type -> teleport.lib.teleterm.vnet.v1.RunDiagnosticsResponse
 	7,  // [7:12] is the sub-list for method output_type
diff --git a/gen/proto/go/teleport/lib/teleterm/vnet/v1/vnet_service_grpc.pb.go b/gen/proto/go/teleport/lib/teleterm/vnet/v1/vnet_service_grpc.pb.go
index d14f95a833ae4..dc680f3295f6b 100644
--- a/gen/proto/go/teleport/lib/teleterm/vnet/v1/vnet_service_grpc.pb.go
+++ b/gen/proto/go/teleport/lib/teleterm/vnet/v1/vnet_service_grpc.pb.go
@@ -37,7 +37,7 @@ const _ = grpc.SupportPackageIsVersion9
 const (
 	VnetService_Start_FullMethodName                   = "/teleport.lib.teleterm.vnet.v1.VnetService/Start"
 	VnetService_Stop_FullMethodName                    = "/teleport.lib.teleterm.vnet.v1.VnetService/Stop"
-	VnetService_ListDNSZones_FullMethodName            = "/teleport.lib.teleterm.vnet.v1.VnetService/ListDNSZones"
+	VnetService_GetServiceInfo_FullMethodName          = "/teleport.lib.teleterm.vnet.v1.VnetService/GetServiceInfo"
 	VnetService_GetBackgroundItemStatus_FullMethodName = "/teleport.lib.teleterm.vnet.v1.VnetService/GetBackgroundItemStatus"
 	VnetService_RunDiagnostics_FullMethodName          = "/teleport.lib.teleterm.vnet.v1.VnetService/RunDiagnostics"
 )
@@ -52,16 +52,8 @@ type VnetServiceClient interface {
 	Start(ctx context.Context, in *StartRequest, opts ...grpc.CallOption) (*StartResponse, error)
 	// Stop stops VNet.
 	Stop(ctx context.Context, in *StopRequest, opts ...grpc.CallOption) (*StopResponse, error)
-	// ListDNSZones returns DNS zones of all root and leaf clusters with non-expired user certs. This
-	// includes the proxy service hostnames and custom DNS zones configured in vnet_config.
-	//
-	// This is fetched independently of what the Electron app thinks the current state of the cluster
-	// looks like, since the VNet admin process also fetches this data independently of the Electron
-	// app.
-	//
-	// Just like the admin process, it skips root and leaf clusters for which the vnet_config couldn't
-	// be fetched (due to e.g., a network error or an expired cert).
-	ListDNSZones(ctx context.Context, in *ListDNSZonesRequest, opts ...grpc.CallOption) (*ListDNSZonesResponse, error)
+	// GetServiceInfo returns info about the running VNet service.
+	GetServiceInfo(ctx context.Context, in *GetServiceInfoRequest, opts ...grpc.CallOption) (*GetServiceInfoResponse, error)
 	// GetBackgroundItemStatus returns the status of the background item responsible for launching
 	// VNet daemon. macOS only. tsh must be compiled with the vnetdaemon build tag.
 	GetBackgroundItemStatus(ctx context.Context, in *GetBackgroundItemStatusRequest, opts ...grpc.CallOption) (*GetBackgroundItemStatusResponse, error)
@@ -98,10 +90,10 @@ func (c *vnetServiceClient) Stop(ctx context.Context, in *StopRequest, opts ...g
 	return out, nil
 }
 
-func (c *vnetServiceClient) ListDNSZones(ctx context.Context, in *ListDNSZonesRequest, opts ...grpc.CallOption) (*ListDNSZonesResponse, error) {
+func (c *vnetServiceClient) GetServiceInfo(ctx context.Context, in *GetServiceInfoRequest, opts ...grpc.CallOption) (*GetServiceInfoResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(ListDNSZonesResponse)
-	err := c.cc.Invoke(ctx, VnetService_ListDNSZones_FullMethodName, in, out, cOpts...)
+	out := new(GetServiceInfoResponse)
+	err := c.cc.Invoke(ctx, VnetService_GetServiceInfo_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -138,16 +130,8 @@ type VnetServiceServer interface {
 	Start(context.Context, *StartRequest) (*StartResponse, error)
 	// Stop stops VNet.
 	Stop(context.Context, *StopRequest) (*StopResponse, error)
-	// ListDNSZones returns DNS zones of all root and leaf clusters with non-expired user certs. This
-	// includes the proxy service hostnames and custom DNS zones configured in vnet_config.
-	//
-	// This is fetched independently of what the Electron app thinks the current state of the cluster
-	// looks like, since the VNet admin process also fetches this data independently of the Electron
-	// app.
-	//
-	// Just like the admin process, it skips root and leaf clusters for which the vnet_config couldn't
-	// be fetched (due to e.g., a network error or an expired cert).
-	ListDNSZones(context.Context, *ListDNSZonesRequest) (*ListDNSZonesResponse, error)
+	// GetServiceInfo returns info about the running VNet service.
+	GetServiceInfo(context.Context, *GetServiceInfoRequest) (*GetServiceInfoResponse, error)
 	// GetBackgroundItemStatus returns the status of the background item responsible for launching
 	// VNet daemon. macOS only. tsh must be compiled with the vnetdaemon build tag.
 	GetBackgroundItemStatus(context.Context, *GetBackgroundItemStatusRequest) (*GetBackgroundItemStatusResponse, error)
@@ -170,8 +154,8 @@ func (UnimplementedVnetServiceServer) Start(context.Context, *StartRequest) (*St
 func (UnimplementedVnetServiceServer) Stop(context.Context, *StopRequest) (*StopResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method Stop not implemented")
 }
-func (UnimplementedVnetServiceServer) ListDNSZones(context.Context, *ListDNSZonesRequest) (*ListDNSZonesResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method ListDNSZones not implemented")
+func (UnimplementedVnetServiceServer) GetServiceInfo(context.Context, *GetServiceInfoRequest) (*GetServiceInfoResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetServiceInfo not implemented")
 }
 func (UnimplementedVnetServiceServer) GetBackgroundItemStatus(context.Context, *GetBackgroundItemStatusRequest) (*GetBackgroundItemStatusResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GetBackgroundItemStatus not implemented")
@@ -236,20 +220,20 @@ func _VnetService_Stop_Handler(srv interface{}, ctx context.Context, dec func(in
 	return interceptor(ctx, in, info, handler)
 }
 
-func _VnetService_ListDNSZones_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(ListDNSZonesRequest)
+func _VnetService_GetServiceInfo_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetServiceInfoRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
-		return srv.(VnetServiceServer).ListDNSZones(ctx, in)
+		return srv.(VnetServiceServer).GetServiceInfo(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: VnetService_ListDNSZones_FullMethodName,
+		FullMethod: VnetService_GetServiceInfo_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(VnetServiceServer).ListDNSZones(ctx, req.(*ListDNSZonesRequest))
+		return srv.(VnetServiceServer).GetServiceInfo(ctx, req.(*GetServiceInfoRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }
@@ -306,8 +290,8 @@ var VnetService_ServiceDesc = grpc.ServiceDesc{
 			Handler:    _VnetService_Stop_Handler,
 		},
 		{
-			MethodName: "ListDNSZones",
-			Handler:    _VnetService_ListDNSZones_Handler,
+			MethodName: "GetServiceInfo",
+			Handler:    _VnetService_GetServiceInfo_Handler,
 		},
 		{
 			MethodName: "GetBackgroundItemStatus",
diff --git a/gen/proto/ts/teleport/lib/teleterm/vnet/v1/vnet_service_pb.client.ts b/gen/proto/ts/teleport/lib/teleterm/vnet/v1/vnet_service_pb.client.ts
index f0240cdf36c14..fdd21d783c4ff 100644
--- a/gen/proto/ts/teleport/lib/teleterm/vnet/v1/vnet_service_pb.client.ts
+++ b/gen/proto/ts/teleport/lib/teleterm/vnet/v1/vnet_service_pb.client.ts
@@ -27,8 +27,8 @@ import type { RunDiagnosticsResponse } from "./vnet_service_pb";
 import type { RunDiagnosticsRequest } from "./vnet_service_pb";
 import type { GetBackgroundItemStatusResponse } from "./vnet_service_pb";
 import type { GetBackgroundItemStatusRequest } from "./vnet_service_pb";
-import type { ListDNSZonesResponse } from "./vnet_service_pb";
-import type { ListDNSZonesRequest } from "./vnet_service_pb";
+import type { GetServiceInfoResponse } from "./vnet_service_pb";
+import type { GetServiceInfoRequest } from "./vnet_service_pb";
 import type { StopResponse } from "./vnet_service_pb";
 import type { StopRequest } from "./vnet_service_pb";
 import { stackIntercept } from "@protobuf-ts/runtime-rpc";
@@ -55,19 +55,11 @@ export interface IVnetServiceClient {
      */
     stop(input: StopRequest, options?: RpcOptions): UnaryCall<StopRequest, StopResponse>;
     /**
-     * ListDNSZones returns DNS zones of all root and leaf clusters with non-expired user certs. This
-     * includes the proxy service hostnames and custom DNS zones configured in vnet_config.
+     * GetServiceInfo returns info about the running VNet service.
      *
-     * This is fetched independently of what the Electron app thinks the current state of the cluster
-     * looks like, since the VNet admin process also fetches this data independently of the Electron
-     * app.
-     *
-     * Just like the admin process, it skips root and leaf clusters for which the vnet_config couldn't
-     * be fetched (due to e.g., a network error or an expired cert).
-     *
-     * @generated from protobuf rpc: ListDNSZones(teleport.lib.teleterm.vnet.v1.ListDNSZonesRequest) returns (teleport.lib.teleterm.vnet.v1.ListDNSZonesResponse);
+     * @generated from protobuf rpc: GetServiceInfo(teleport.lib.teleterm.vnet.v1.GetServiceInfoRequest) returns (teleport.lib.teleterm.vnet.v1.GetServiceInfoResponse);
      */
-    listDNSZones(input: ListDNSZonesRequest, options?: RpcOptions): UnaryCall<ListDNSZonesRequest, ListDNSZonesResponse>;
+    getServiceInfo(input: GetServiceInfoRequest, options?: RpcOptions): UnaryCall<GetServiceInfoRequest, GetServiceInfoResponse>;
     /**
      * GetBackgroundItemStatus returns the status of the background item responsible for launching
      * VNet daemon. macOS only. tsh must be compiled with the vnetdaemon build tag.
@@ -113,21 +105,13 @@ export class VnetServiceClient implements IVnetServiceClient, ServiceInfo {
         return stackIntercept<StopRequest, StopResponse>("unary", this._transport, method, opt, input);
     }
     /**
-     * ListDNSZones returns DNS zones of all root and leaf clusters with non-expired user certs. This
-     * includes the proxy service hostnames and custom DNS zones configured in vnet_config.
-     *
-     * This is fetched independently of what the Electron app thinks the current state of the cluster
-     * looks like, since the VNet admin process also fetches this data independently of the Electron
-     * app.
-     *
-     * Just like the admin process, it skips root and leaf clusters for which the vnet_config couldn't
-     * be fetched (due to e.g., a network error or an expired cert).
+     * GetServiceInfo returns info about the running VNet service.
      *
-     * @generated from protobuf rpc: ListDNSZones(teleport.lib.teleterm.vnet.v1.ListDNSZonesRequest) returns (teleport.lib.teleterm.vnet.v1.ListDNSZonesResponse);
+     * @generated from protobuf rpc: GetServiceInfo(teleport.lib.teleterm.vnet.v1.GetServiceInfoRequest) returns (teleport.lib.teleterm.vnet.v1.GetServiceInfoResponse);
      */
-    listDNSZones(input: ListDNSZonesRequest, options?: RpcOptions): UnaryCall<ListDNSZonesRequest, ListDNSZonesResponse> {
+    getServiceInfo(input: GetServiceInfoRequest, options?: RpcOptions): UnaryCall<GetServiceInfoRequest, GetServiceInfoResponse> {
         const method = this.methods[2], opt = this._transport.mergeOptions(options);
-        return stackIntercept<ListDNSZonesRequest, ListDNSZonesResponse>("unary", this._transport, method, opt, input);
+        return stackIntercept<GetServiceInfoRequest, GetServiceInfoResponse>("unary", this._transport, method, opt, input);
     }
     /**
      * GetBackgroundItemStatus returns the status of the background item responsible for launching
diff --git a/gen/proto/ts/teleport/lib/teleterm/vnet/v1/vnet_service_pb.grpc-server.ts b/gen/proto/ts/teleport/lib/teleterm/vnet/v1/vnet_service_pb.grpc-server.ts
index ffc239038e5f1..1457c1913f871 100644
--- a/gen/proto/ts/teleport/lib/teleterm/vnet/v1/vnet_service_pb.grpc-server.ts
+++ b/gen/proto/ts/teleport/lib/teleterm/vnet/v1/vnet_service_pb.grpc-server.ts
@@ -24,8 +24,8 @@ import { RunDiagnosticsResponse } from "./vnet_service_pb";
 import { RunDiagnosticsRequest } from "./vnet_service_pb";
 import { GetBackgroundItemStatusResponse } from "./vnet_service_pb";
 import { GetBackgroundItemStatusRequest } from "./vnet_service_pb";
-import { ListDNSZonesResponse } from "./vnet_service_pb";
-import { ListDNSZonesRequest } from "./vnet_service_pb";
+import { GetServiceInfoResponse } from "./vnet_service_pb";
+import { GetServiceInfoRequest } from "./vnet_service_pb";
 import { StopResponse } from "./vnet_service_pb";
 import { StopRequest } from "./vnet_service_pb";
 import { StartResponse } from "./vnet_service_pb";
@@ -50,19 +50,11 @@ export interface IVnetService extends grpc.UntypedServiceImplementation {
      */
     stop: grpc.handleUnaryCall<StopRequest, StopResponse>;
     /**
-     * ListDNSZones returns DNS zones of all root and leaf clusters with non-expired user certs. This
-     * includes the proxy service hostnames and custom DNS zones configured in vnet_config.
+     * GetServiceInfo returns info about the running VNet service.
      *
-     * This is fetched independently of what the Electron app thinks the current state of the cluster
-     * looks like, since the VNet admin process also fetches this data independently of the Electron
-     * app.
-     *
-     * Just like the admin process, it skips root and leaf clusters for which the vnet_config couldn't
-     * be fetched (due to e.g., a network error or an expired cert).
-     *
-     * @generated from protobuf rpc: ListDNSZones(teleport.lib.teleterm.vnet.v1.ListDNSZonesRequest) returns (teleport.lib.teleterm.vnet.v1.ListDNSZonesResponse);
+     * @generated from protobuf rpc: GetServiceInfo(teleport.lib.teleterm.vnet.v1.GetServiceInfoRequest) returns (teleport.lib.teleterm.vnet.v1.GetServiceInfoResponse);
      */
-    listDNSZones: grpc.handleUnaryCall<ListDNSZonesRequest, ListDNSZonesResponse>;
+    getServiceInfo: grpc.handleUnaryCall<GetServiceInfoRequest, GetServiceInfoResponse>;
     /**
      * GetBackgroundItemStatus returns the status of the background item responsible for launching
      * VNet daemon. macOS only. tsh must be compiled with the vnetdaemon build tag.
@@ -110,15 +102,15 @@ export const vnetServiceDefinition: grpc.ServiceDefinition<IVnetService> = {
         responseSerialize: value => Buffer.from(StopResponse.toBinary(value)),
         requestSerialize: value => Buffer.from(StopRequest.toBinary(value))
     },
-    listDNSZones: {
-        path: "/teleport.lib.teleterm.vnet.v1.VnetService/ListDNSZones",
-        originalName: "ListDNSZones",
+    getServiceInfo: {
+        path: "/teleport.lib.teleterm.vnet.v1.VnetService/GetServiceInfo",
+        originalName: "GetServiceInfo",
         requestStream: false,
         responseStream: false,
-        responseDeserialize: bytes => ListDNSZonesResponse.fromBinary(bytes),
-        requestDeserialize: bytes => ListDNSZonesRequest.fromBinary(bytes),
-        responseSerialize: value => Buffer.from(ListDNSZonesResponse.toBinary(value)),
-        requestSerialize: value => Buffer.from(ListDNSZonesRequest.toBinary(value))
+        responseDeserialize: bytes => GetServiceInfoResponse.fromBinary(bytes),
+        requestDeserialize: bytes => GetServiceInfoRequest.fromBinary(bytes),
+        responseSerialize: value => Buffer.from(GetServiceInfoResponse.toBinary(value)),
+        requestSerialize: value => Buffer.from(GetServiceInfoRequest.toBinary(value))
     },
     getBackgroundItemStatus: {
         path: "/teleport.lib.teleterm.vnet.v1.VnetService/GetBackgroundItemStatus",
diff --git a/gen/proto/ts/teleport/lib/teleterm/vnet/v1/vnet_service_pb.ts b/gen/proto/ts/teleport/lib/teleterm/vnet/v1/vnet_service_pb.ts
index 08f7483ad36b1..772371fc2f714 100644
--- a/gen/proto/ts/teleport/lib/teleterm/vnet/v1/vnet_service_pb.ts
+++ b/gen/proto/ts/teleport/lib/teleterm/vnet/v1/vnet_service_pb.ts
@@ -60,24 +60,38 @@ export interface StopRequest {
 export interface StopResponse {
 }
 /**
- * Request for ListDNSZones.
+ * Request for GetServiceInfo.
  *
- * @generated from protobuf message teleport.lib.teleterm.vnet.v1.ListDNSZonesRequest
+ * @generated from protobuf message teleport.lib.teleterm.vnet.v1.GetServiceInfoRequest
  */
-export interface ListDNSZonesRequest {
+export interface GetServiceInfoRequest {
 }
 /**
- * Response for ListDNSZones.
+ * GetServiceInfoResponse contains the status of the running VNet service.
  *
- * @generated from protobuf message teleport.lib.teleterm.vnet.v1.ListDNSZonesResponse
+ * @generated from protobuf message teleport.lib.teleterm.vnet.v1.GetServiceInfoResponse
  */
-export interface ListDNSZonesResponse {
+export interface GetServiceInfoResponse {
     /**
-     * dns_zones is a deduplicated list of DNS zones.
+     * app_dns_zones is a deduplicated list of all DNS zones valid as DNS
+     * suffixes for connections to TCP apps.
      *
-     * @generated from protobuf field: repeated string dns_zones = 1;
+     * @generated from protobuf field: repeated string app_dns_zones = 1;
      */
-    dnsZones: string[];
+    appDnsZones: string[];
+    /**
+     * clusters is a list of cluster names valid as DNS suffixes for SSH hosts.
+     *
+     * @generated from protobuf field: repeated string clusters = 2;
+     */
+    clusters: string[];
+    /**
+     * ssh_configured is true if the user's SSH config file includes VNet's
+     * generated SSH config necessary for SSH access.
+     *
+     * @generated from protobuf field: bool ssh_configured = 3;
+     */
+    sshConfigured: boolean;
 }
 /**
  * Request for GetBackgroundItemStatus.
@@ -251,20 +265,20 @@ class StopResponse$Type extends MessageType<StopResponse> {
  */
 export const StopResponse = new StopResponse$Type();
 // @generated message type with reflection information, may provide speed optimized methods
-class ListDNSZonesRequest$Type extends MessageType<ListDNSZonesRequest> {
+class GetServiceInfoRequest$Type extends MessageType<GetServiceInfoRequest> {
     constructor() {
-        super("teleport.lib.teleterm.vnet.v1.ListDNSZonesRequest", []);
+        super("teleport.lib.teleterm.vnet.v1.GetServiceInfoRequest", []);
     }
-    create(value?: PartialMessage<ListDNSZonesRequest>): ListDNSZonesRequest {
+    create(value?: PartialMessage<GetServiceInfoRequest>): GetServiceInfoRequest {
         const message = globalThis.Object.create((this.messagePrototype!));
         if (value !== undefined)
-            reflectionMergePartial<ListDNSZonesRequest>(this, message, value);
+            reflectionMergePartial<GetServiceInfoRequest>(this, message, value);
         return message;
     }
-    internalBinaryRead(reader: IBinaryReader, length: number, options: BinaryReadOptions, target?: ListDNSZonesRequest): ListDNSZonesRequest {
+    internalBinaryRead(reader: IBinaryReader, length: number, options: BinaryReadOptions, target?: GetServiceInfoRequest): GetServiceInfoRequest {
         return target ?? this.create();
     }
-    internalBinaryWrite(message: ListDNSZonesRequest, writer: IBinaryWriter, options: BinaryWriteOptions): IBinaryWriter {
+    internalBinaryWrite(message: GetServiceInfoRequest, writer: IBinaryWriter, options: BinaryWriteOptions): IBinaryWriter {
         let u = options.writeUnknownFields;
         if (u !== false)
             (u == true ? UnknownFieldHandler.onWrite : u)(this.typeName, message, writer);
@@ -272,30 +286,40 @@ class ListDNSZonesRequest$Type extends MessageType<ListDNSZonesRequest> {
     }
 }
 /**
- * @generated MessageType for protobuf message teleport.lib.teleterm.vnet.v1.ListDNSZonesRequest
+ * @generated MessageType for protobuf message teleport.lib.teleterm.vnet.v1.GetServiceInfoRequest
  */
-export const ListDNSZonesRequest = new ListDNSZonesRequest$Type();
+export const GetServiceInfoRequest = new GetServiceInfoRequest$Type();
 // @generated message type with reflection information, may provide speed optimized methods
-class ListDNSZonesResponse$Type extends MessageType<ListDNSZonesResponse> {
+class GetServiceInfoResponse$Type extends MessageType<GetServiceInfoResponse> {
     constructor() {
-        super("teleport.lib.teleterm.vnet.v1.ListDNSZonesResponse", [
-            { no: 1, name: "dns_zones", kind: "scalar", repeat: 2 /*RepeatType.UNPACKED*/, T: 9 /*ScalarType.STRING*/ }
+        super("teleport.lib.teleterm.vnet.v1.GetServiceInfoResponse", [
+            { no: 1, name: "app_dns_zones", kind: "scalar", repeat: 2 /*RepeatType.UNPACKED*/, T: 9 /*ScalarType.STRING*/ },
+            { no: 2, name: "clusters", kind: "scalar", repeat: 2 /*RepeatType.UNPACKED*/, T: 9 /*ScalarType.STRING*/ },
+            { no: 3, name: "ssh_configured", kind: "scalar", T: 8 /*ScalarType.BOOL*/ }
         ]);
     }
-    create(value?: PartialMessage<ListDNSZonesResponse>): ListDNSZonesResponse {
+    create(value?: PartialMessage<GetServiceInfoResponse>): GetServiceInfoResponse {
         const message = globalThis.Object.create((this.messagePrototype!));
-        message.dnsZones = [];
+        message.appDnsZones = [];
+        message.clusters = [];
+        message.sshConfigured = false;
         if (value !== undefined)
-            reflectionMergePartial<ListDNSZonesResponse>(this, message, value);
+            reflectionMergePartial<GetServiceInfoResponse>(this, message, value);
         return message;
     }
-    internalBinaryRead(reader: IBinaryReader, length: number, options: BinaryReadOptions, target?: ListDNSZonesResponse): ListDNSZonesResponse {
+    internalBinaryRead(reader: IBinaryReader, length: number, options: BinaryReadOptions, target?: GetServiceInfoResponse): GetServiceInfoResponse {
         let message = target ?? this.create(), end = reader.pos + length;
         while (reader.pos < end) {
             let [fieldNo, wireType] = reader.tag();
             switch (fieldNo) {
-                case /* repeated string dns_zones */ 1:
-                    message.dnsZones.push(reader.string());
+                case /* repeated string app_dns_zones */ 1:
+                    message.appDnsZones.push(reader.string());
+                    break;
+                case /* repeated string clusters */ 2:
+                    message.clusters.push(reader.string());
+                    break;
+                case /* bool ssh_configured */ 3:
+                    message.sshConfigured = reader.bool();
                     break;
                 default:
                     let u = options.readUnknownField;
@@ -308,10 +332,16 @@ class ListDNSZonesResponse$Type extends MessageType<ListDNSZonesResponse> {
         }
         return message;
     }
-    internalBinaryWrite(message: ListDNSZonesResponse, writer: IBinaryWriter, options: BinaryWriteOptions): IBinaryWriter {
-        /* repeated string dns_zones = 1; */
-        for (let i = 0; i < message.dnsZones.length; i++)
-            writer.tag(1, WireType.LengthDelimited).string(message.dnsZones[i]);
+    internalBinaryWrite(message: GetServiceInfoResponse, writer: IBinaryWriter, options: BinaryWriteOptions): IBinaryWriter {
+        /* repeated string app_dns_zones = 1; */
+        for (let i = 0; i < message.appDnsZones.length; i++)
+            writer.tag(1, WireType.LengthDelimited).string(message.appDnsZones[i]);
+        /* repeated string clusters = 2; */
+        for (let i = 0; i < message.clusters.length; i++)
+            writer.tag(2, WireType.LengthDelimited).string(message.clusters[i]);
+        /* bool ssh_configured = 3; */
+        if (message.sshConfigured !== false)
+            writer.tag(3, WireType.Varint).bool(message.sshConfigured);
         let u = options.writeUnknownFields;
         if (u !== false)
             (u == true ? UnknownFieldHandler.onWrite : u)(this.typeName, message, writer);
@@ -319,9 +349,9 @@ class ListDNSZonesResponse$Type extends MessageType<ListDNSZonesResponse> {
     }
 }
 /**
- * @generated MessageType for protobuf message teleport.lib.teleterm.vnet.v1.ListDNSZonesResponse
+ * @generated MessageType for protobuf message teleport.lib.teleterm.vnet.v1.GetServiceInfoResponse
  */
-export const ListDNSZonesResponse = new ListDNSZonesResponse$Type();
+export const GetServiceInfoResponse = new GetServiceInfoResponse$Type();
 // @generated message type with reflection information, may provide speed optimized methods
 class GetBackgroundItemStatusRequest$Type extends MessageType<GetBackgroundItemStatusRequest> {
     constructor() {
@@ -471,7 +501,7 @@ export const RunDiagnosticsResponse = new RunDiagnosticsResponse$Type();
 export const VnetService = new ServiceType("teleport.lib.teleterm.vnet.v1.VnetService", [
     { name: "Start", options: {}, I: StartRequest, O: StartResponse },
     { name: "Stop", options: {}, I: StopRequest, O: StopResponse },
-    { name: "ListDNSZones", options: {}, I: ListDNSZonesRequest, O: ListDNSZonesResponse },
+    { name: "GetServiceInfo", options: {}, I: GetServiceInfoRequest, O: GetServiceInfoResponse },
     { name: "GetBackgroundItemStatus", options: {}, I: GetBackgroundItemStatusRequest, O: GetBackgroundItemStatusResponse },
     { name: "RunDiagnostics", options: {}, I: RunDiagnosticsRequest, O: RunDiagnosticsResponse }
 ]);
diff --git a/lib/teleterm/vnet/service.go b/lib/teleterm/vnet/service.go
index 29341f7153470..7b41d7d278005 100644
--- a/lib/teleterm/vnet/service.go
+++ b/lib/teleterm/vnet/service.go
@@ -35,6 +35,7 @@ import (
 	prehogv1alpha "github.com/gravitational/teleport/gen/proto/go/prehog/v1alpha"
 	apiteleterm "github.com/gravitational/teleport/gen/proto/go/teleport/lib/teleterm/v1"
 	api "github.com/gravitational/teleport/gen/proto/go/teleport/lib/teleterm/vnet/v1"
+	diagv1 "github.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/diag/v1"
 	vnetv1 "github.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/v1"
 	"github.com/gravitational/teleport/lib/client"
 	"github.com/gravitational/teleport/lib/teleterm/api/uri"
@@ -43,6 +44,7 @@ import (
 	"github.com/gravitational/teleport/lib/teleterm/daemon"
 	logutils "github.com/gravitational/teleport/lib/utils/log"
 	"github.com/gravitational/teleport/lib/vnet"
+	"github.com/gravitational/teleport/lib/vnet/diag"
 )
 
 var log = logutils.NewPackageLogger(teleport.ComponentKey, "term:vnet")
@@ -219,13 +221,8 @@ func (s *Service) Stop(ctx context.Context, req *api.StopRequest) (*api.StopResp
 	return &api.StopResponse{}, nil
 }
 
-// ListDNSZones returns DNS zones of all root and leaf clusters with non-expired user certs. This
-// includes the proxy service hostnames and custom DNS zones configured in vnet_config.
-//
-// This is fetched exactly the same way the VNet process fetches the DNS zones
-// but may be slightly out of sync with the OS configuration if the admin
-// process hasn't configured a recent change yet.
-func (s *Service) ListDNSZones(ctx context.Context, req *api.ListDNSZonesRequest) (*api.ListDNSZonesResponse, error) {
+// GetServiceInfo returns info about the running VNet service.
+func (s *Service) GetServiceInfo(ctx context.Context, _ *api.GetServiceInfoRequest) (*api.GetServiceInfoResponse, error) {
 	// Acquire the lock just to check the status of the service. We don't want the actual process of
 	// listing DNS zones to block the user from performing other operations.
 	s.mu.Lock()
@@ -240,8 +237,24 @@ func (s *Service) ListDNSZones(ctx context.Context, req *api.ListDNSZonesRequest
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
-	return &api.ListDNSZonesResponse{
-		DnsZones: unifiedClusterConfig.AppDNSZones(),
+
+	sshDiag, err := diag.NewSSHDiag(&diag.SSHConfig{
+		ProfilePath: s.cfg.profilePath,
+	})
+	if err != nil {
+		return nil, trace.Wrap(err, "building SSH diagnostic")
+	}
+	sshReport, err := sshDiag.Run(ctx)
+	if err != nil {
+		return nil, trace.Wrap(err, "running SSH diagnostic")
+	}
+	sshConfigured := sshReport.Status == diagv1.CheckReportStatus_CHECK_REPORT_STATUS_OK &&
+		sshReport.GetSshConfigurationReport().UserOpensshConfigIncludesVnetSshConfig
+
+	return &api.GetServiceInfoResponse{
+		AppDnsZones:   unifiedClusterConfig.AppDNSZones(),
+		Clusters:      unifiedClusterConfig.ClusterNames,
+		SshConfigured: sshConfigured,
 	}, nil
 }
 
diff --git a/proto/teleport/lib/teleterm/vnet/v1/vnet_service.proto b/proto/teleport/lib/teleterm/vnet/v1/vnet_service.proto
index 05acea0a5c6ca..d63a140678c62 100644
--- a/proto/teleport/lib/teleterm/vnet/v1/vnet_service.proto
+++ b/proto/teleport/lib/teleterm/vnet/v1/vnet_service.proto
@@ -30,16 +30,8 @@ service VnetService {
   // Stop stops VNet.
   rpc Stop(StopRequest) returns (StopResponse);
 
-  // ListDNSZones returns DNS zones of all root and leaf clusters with non-expired user certs. This
-  // includes the proxy service hostnames and custom DNS zones configured in vnet_config.
-  //
-  // This is fetched independently of what the Electron app thinks the current state of the cluster
-  // looks like, since the VNet admin process also fetches this data independently of the Electron
-  // app.
-  //
-  // Just like the admin process, it skips root and leaf clusters for which the vnet_config couldn't
-  // be fetched (due to e.g., a network error or an expired cert).
-  rpc ListDNSZones(ListDNSZonesRequest) returns (ListDNSZonesResponse);
+  // GetServiceInfo returns info about the running VNet service.
+  rpc GetServiceInfo(GetServiceInfoRequest) returns (GetServiceInfoResponse);
 
   // GetBackgroundItemStatus returns the status of the background item responsible for launching
   // VNet daemon. macOS only. tsh must be compiled with the vnetdaemon build tag.
@@ -62,13 +54,19 @@ message StopRequest {}
 // Response for Stop.
 message StopResponse {}
 
-// Request for ListDNSZones.
-message ListDNSZonesRequest {}
-
-// Response for ListDNSZones.
-message ListDNSZonesResponse {
-  // dns_zones is a deduplicated list of DNS zones.
-  repeated string dns_zones = 1;
+// Request for GetServiceInfo.
+message GetServiceInfoRequest {}
+
+// GetServiceInfoResponse contains the status of the running VNet service.
+message GetServiceInfoResponse {
+  // app_dns_zones is a deduplicated list of all DNS zones valid as DNS
+  // suffixes for connections to TCP apps.
+  repeated string app_dns_zones = 1;
+  // clusters is a list of cluster names valid as DNS suffixes for SSH hosts.
+  repeated string clusters = 2;
+  // ssh_configured is true if the user's SSH config file includes VNet's
+  // generated SSH config necessary for SSH access.
+  bool ssh_configured = 3;
 }
 
 // Request for GetBackgroundItemStatus.
diff --git a/web/packages/teleterm/src/services/tshd/fixtures/mocks.ts b/web/packages/teleterm/src/services/tshd/fixtures/mocks.ts
index a53701d1bf292..3520508111585 100644
--- a/web/packages/teleterm/src/services/tshd/fixtures/mocks.ts
+++ b/web/packages/teleterm/src/services/tshd/fixtures/mocks.ts
@@ -118,7 +118,12 @@ export class MockTshClient implements TshdClient {
 export class MockVnetClient implements VnetClient {
   start = () => new MockedUnaryCall({});
   stop = () => new MockedUnaryCall({});
-  listDNSZones = () => new MockedUnaryCall({ dnsZones: [] });
+  getServiceInfo = () =>
+    new MockedUnaryCall({
+      appDnsZones: [],
+      clusters: [],
+      sshConfigured: false,
+    });
   getBackgroundItemStatus = () => new MockedUnaryCall({ status: 0 });
 
   runDiagnostics() {
diff --git a/web/packages/teleterm/src/ui/TopBar/Connections/ConnectionsFilterableList/ConnectionItem.tsx b/web/packages/teleterm/src/ui/TopBar/Connections/ConnectionsFilterableList/ConnectionItem.tsx
index 99d9a6ec9322e..d5c1953afdad2 100644
--- a/web/packages/teleterm/src/ui/TopBar/Connections/ConnectionsFilterableList/ConnectionItem.tsx
+++ b/web/packages/teleterm/src/ui/TopBar/Connections/ConnectionsFilterableList/ConnectionItem.tsx
@@ -21,6 +21,7 @@ import styled from 'styled-components';
 
 import { ButtonIcon, Flex, Text } from 'design';
 import { Trash, Unlink } from 'design/Icon';
+import { typography, TypographyProps } from 'design/system';
 
 import { useKeyboardArrowsNavigation } from 'teleterm/ui/components/KeyboardArrowsNavigation';
 import { ListItem } from 'teleterm/ui/components/ListItem';
@@ -98,18 +99,9 @@ export function ConnectionItem(props: {
               line-height: 16px;
             `}
           >
-            <span
-              css={`
-                font-size: 10px;
-                background: ${props => props.theme.colors.spotBackground[2]};
-                opacity: 0.85;
-                padding: 1px 2px;
-                margin-right: 4px;
-                border-radius: 4px;
-              `}
-            >
+            <ConnectionKindIndicator>
               {getKindName(props.item)}
-            </span>
+            </ConnectionKindIndicator>
             <span
               css={`
                 vertical-align: middle;
@@ -152,6 +144,16 @@ const ConnectionListItem = styled(ListItem)<{ $showClusterName?: boolean }>`
   height: unset;
 `;
 
+export const ConnectionKindIndicator = styled.span<TypographyProps>`
+  font-size: 10px;
+  background: ${props => props.theme.colors.spotBackground[2]};
+  opacity: 0.85;
+  padding: 1px 2px;
+  margin-right: 4px;
+  border-radius: 4px;
+  ${typography}
+`;
+
 function getKindName(connection: ExtendedTrackedConnection): string {
   switch (connection.kind) {
     case 'connection.gateway':
diff --git a/web/packages/teleterm/src/ui/TopBar/Connections/ConnectionsFilterableList/ConnectionStatusIndicator.tsx b/web/packages/teleterm/src/ui/TopBar/Connections/ConnectionsFilterableList/ConnectionStatusIndicator.tsx
index 25eb8297975bc..f55e5831889a1 100644
--- a/web/packages/teleterm/src/ui/TopBar/Connections/ConnectionsFilterableList/ConnectionStatusIndicator.tsx
+++ b/web/packages/teleterm/src/ui/TopBar/Connections/ConnectionsFilterableList/ConnectionStatusIndicator.tsx
@@ -109,6 +109,15 @@ const StyledStatus = styled(Box)<{
           &:after {
             content: '⚠';
             font-size: 12px;
+            ${props.$inline &&
+            `
+            // This cuts out a little portion of the icon on the left. This is most clearly visible
+            // on Windows. But at least it better aligns with the other statuses.
+            //
+            // TODO(ravicious): Rewrite this to not use weird characters to represent different
+            // statuses so that all statuses properly align together.
+            margin: -1px;
+            `}
 
             ${!props.$inline &&
             `
diff --git a/web/packages/teleterm/src/ui/Vnet/VnetSliderStep.story.tsx b/web/packages/teleterm/src/ui/Vnet/VnetSliderStep.story.tsx
index cab7d7a71e2fd..8ec5a33d8f246 100644
--- a/web/packages/teleterm/src/ui/Vnet/VnetSliderStep.story.tsx
+++ b/web/packages/teleterm/src/ui/Vnet/VnetSliderStep.story.tsx
@@ -15,7 +15,7 @@
  * You should have received a copy of the GNU Affero General Public License
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
-import { Meta } from '@storybook/react';
+import { Meta, StoryObj } from '@storybook/react';
 import { useEffect } from 'react';
 
 import { Box } from 'design';
@@ -38,8 +38,10 @@ import { VnetSliderStep as Component } from './VnetSliderStep';
 type StoryProps = {
   startVnet: 'success' | 'error' | 'processing';
   autoStart: boolean;
-  dnsZones: string[];
-  listDnsZones:
+  appDnsZones: string[];
+  clusters: string[];
+  sshConfigured: boolean;
+  fetchStatus:
     | 'success'
     | 'error'
     | 'processing'
@@ -51,6 +53,20 @@ type StoryProps = {
   unexpectedShutdown: boolean;
 };
 
+const defaultArgs: StoryProps = {
+  startVnet: 'success',
+  autoStart: true,
+  appDnsZones: ['teleport.example.com', 'company.test'],
+  clusters: ['teleport.example.com'],
+  sshConfigured: false,
+  fetchStatus: 'success',
+  vnetDiag: true,
+  runDiagnostics: 'success',
+  diagReport: 'ok',
+  isWorkspacePresent: true,
+  unexpectedShutdown: false,
+};
+
 const meta: Meta<StoryProps> = {
   title: 'Teleterm/Vnet/VnetSliderStep',
   component: VnetSliderStep,
@@ -68,10 +84,13 @@ const meta: Meta<StoryProps> = {
       control: { type: 'inline-radio' },
       options: ['success', 'error', 'processing'],
     },
-    dnsZones: {
+    appDnsZones: {
+      control: { type: 'object' },
+    },
+    clusters: {
       control: { type: 'object' },
     },
-    listDnsZones: {
+    fetchStatus: {
       control: { type: 'inline-radio' },
       options: [
         'success',
@@ -93,21 +112,11 @@ const meta: Meta<StoryProps> = {
         "If there's no workspace, the button to open the diag report is disabled.",
     },
   },
-  args: {
-    startVnet: 'success',
-    autoStart: true,
-    dnsZones: ['teleport.example.com', 'company.test'],
-    listDnsZones: 'success',
-    vnetDiag: true,
-    runDiagnostics: 'success',
-    diagReport: 'ok',
-    isWorkspacePresent: true,
-    unexpectedShutdown: false,
-  },
+  render: props => <VnetSliderStep {...props} />,
 };
 export default meta;
 
-export function VnetSliderStep(props: StoryProps) {
+function VnetSliderStep(props: StoryProps) {
   const appContext = new MockAppContext({
     platform: props.vnetDiag ? 'darwin' : 'win32',
   });
@@ -148,22 +157,30 @@ export function VnetSliderStep(props: StoryProps) {
     };
   }
 
-  if (props.listDnsZones === 'processing') {
-    appContext.vnet.listDNSZones = () => pendingPromise;
+  if (props.fetchStatus === 'processing') {
+    appContext.vnet.getServiceInfo = () => pendingPromise;
   } else {
     let firstCall = true;
-    appContext.vnet.listDNSZones = () => {
-      if (props.listDnsZones === 'processing-with-previous-results') {
+    appContext.vnet.getServiceInfo = () => {
+      if (props.fetchStatus === 'processing-with-previous-results') {
         if (firstCall) {
           firstCall = false;
-          return new MockedUnaryCall({ dnsZones: props.dnsZones });
+          return new MockedUnaryCall({
+            appDnsZones: props.appDnsZones,
+            clusters: props.clusters,
+            sshConfigured: props.sshConfigured,
+          });
         }
         return pendingPromise;
       }
 
       return new MockedUnaryCall(
-        { dnsZones: props.dnsZones },
-        props.listDnsZones === 'error'
+        {
+          appDnsZones: props.appDnsZones,
+          clusters: props.clusters,
+          sshConfigured: props.sshConfigured,
+        },
+        props.fetchStatus === 'error'
           ? new Error('something went wrong')
           : undefined
       );
@@ -204,8 +221,8 @@ export function VnetSliderStep(props: StoryProps) {
     >
       <ConnectionsContextProvider>
         <VnetContextProvider>
-          {props.listDnsZones === 'processing-with-previous-results' && (
-            <RerequestDNSZones />
+          {props.fetchStatus === 'processing-with-previous-results' && (
+            <RerequestServiceInfo />
           )}
           <Component
             refCallback={noop}
@@ -221,16 +238,73 @@ export function VnetSliderStep(props: StoryProps) {
   );
 }
 
-const RerequestDNSZones = () => {
-  const { listDNSZones, listDNSZonesAttempt } = useVnetContext();
+const RerequestServiceInfo = () => {
+  const { getServiceInfo, serviceInfoAttempt } = useVnetContext();
 
   useEffect(() => {
-    if (listDNSZonesAttempt.status === 'success') {
-      listDNSZones();
+    if (serviceInfoAttempt.status === 'success') {
+      getServiceInfo();
     }
-  }, [listDNSZonesAttempt, listDNSZones]);
+  }, [serviceInfoAttempt, getServiceInfo]);
 
   return null;
 };
 
 const noop = () => {};
+
+export const CloudCustomer: StoryObj<StoryProps> = {
+  args: {
+    ...defaultArgs,
+    appDnsZones: ['example.teleport.sh'],
+    clusters: ['example.teleport.sh'],
+  },
+};
+
+export const SelfHostedWithDifferentClusterName: StoryObj<StoryProps> = {
+  args: {
+    ...defaultArgs,
+    appDnsZones: ['teleport.example.com'],
+    clusters: ['teleport-example'],
+  },
+};
+
+export const SelfHostedWithEqualNameAndLeaf: StoryObj<StoryProps> = {
+  args: {
+    ...defaultArgs,
+    appDnsZones: ['teleport.example.com', 'leaf.example.com'],
+    clusters: ['teleport.example.com', 'leaf.example.com'],
+  },
+};
+
+export const SelfHostedWithEqualNameAndDifferentLeaf: StoryObj<StoryProps> = {
+  args: {
+    ...defaultArgs,
+    appDnsZones: ['teleport.example.com', 'leaf.example.com'],
+    clusters: ['teleport.example.com', 'teleport-leaf'],
+  },
+};
+
+export const SelfHostedWithEqualNameAndCustomDNSZones: StoryObj<StoryProps> = {
+  args: {
+    ...defaultArgs,
+    appDnsZones: ['teleport.example.com', 'company.com', 'apps.company'],
+    clusters: ['teleport.example.com'],
+  },
+};
+
+export const SelfHostedWithManyLeavesAndZones: StoryObj<StoryProps> = {
+  args: {
+    ...defaultArgs,
+    appDnsZones: [
+      'teleport.example.com',
+      'leaf.example.com',
+      'second-leaf.example.com',
+      'company.com',
+    ],
+    clusters: [
+      'teleport.example.com',
+      'teleport-leaf',
+      'second-leaf.example.com',
+    ],
+  },
+};
diff --git a/web/packages/teleterm/src/ui/Vnet/VnetSliderStep.tsx b/web/packages/teleterm/src/ui/Vnet/VnetSliderStep.tsx
index 89fe7bde6cec1..ffc7bd59e9c92 100644
--- a/web/packages/teleterm/src/ui/Vnet/VnetSliderStep.tsx
+++ b/web/packages/teleterm/src/ui/Vnet/VnetSliderStep.tsx
@@ -24,6 +24,7 @@ import { useRefAutoFocus } from 'shared/hooks';
 import { useDelayedRepeatedAttempt } from 'shared/hooks/useAsync';
 import { mergeRefs } from 'shared/libs/mergeRefs';
 
+import { ConnectionKindIndicator } from 'teleterm/ui/TopBar/Connections/ConnectionsFilterableList/ConnectionItem';
 import { ConnectionStatusIndicator } from 'teleterm/ui/TopBar/Connections/ConnectionsFilterableList/ConnectionStatusIndicator';
 
 import { DiagnosticsAlert } from './DiagnosticsAlert';
@@ -104,18 +105,19 @@ export const VnetSliderStep = (props: StepComponentProps) => {
           ) : (
             <Flex flexDirection="column" gap={1}>
               <Text>
-                VNet enables any program to connect to TCP apps protected by
-                Teleport.
+                VNet enables any program to connect to TCP apps or SSH servers
+                protected by Teleport.
               </Text>
               <Text>
-                Start VNet and connect to any TCP app over its public address –
-                VNet authenticates the connection for you under the hood.
+                Start VNet and connect to any TCP app or SSH server at its own
+                DNS address – VNet authenticates the connection for you under
+                the hood.
               </Text>
             </Flex>
           ))}
       </Flex>
 
-      {status.value === 'running' && <DnsZones />}
+      {status.value === 'running' && <VnetStatus />}
 
       <DiagnosticsAlert
         runDiagnosticsFromVnetPanel={runDiagnosticsFromVnetPanel}
@@ -132,41 +134,39 @@ const ErrorText = (props: PropsWithChildren) => (
 );
 
 /**
- * DnsZones displays the list of currently proxied DNS zones, as understood by the VNet admin
- * process. The list is cached in the context and updated when the VNet panel gets opened.
+ * VnetStatus displays the status of the running VNet service. The list is cached in the context and
+ * updated when the VNet panel gets opened.
  *
  * As for 95% of users the list will never change during the lifespan of VNet, the VNet panel always
  * optimistically displays previously fetched results while fetching new list.
  */
-const DnsZones = () => {
-  const { listDNSZones, listDNSZonesAttempt: eagerListDNSZonesAttempt } =
+const VnetStatus = () => {
+  const { getServiceInfo, serviceInfoAttempt: eagerServiceInfoAttempt } =
     useVnetContext();
-  const listDNSZonesAttempt = useDelayedRepeatedAttempt(
-    eagerListDNSZonesAttempt
-  );
-  const dnsZonesRefreshRequestedRef = useRef(false);
+  const serviceInfoAttempt = useDelayedRepeatedAttempt(eagerServiceInfoAttempt);
+  const serviceInfoRefreshRequestedRef = useRef(false);
 
   useEffect(
     function refreshListOnOpen() {
-      if (!dnsZonesRefreshRequestedRef.current) {
-        dnsZonesRefreshRequestedRef.current = true;
-        listDNSZones();
+      if (!serviceInfoRefreshRequestedRef.current) {
+        serviceInfoRefreshRequestedRef.current = true;
+        getServiceInfo();
       }
     },
-    [listDNSZones]
+    [getServiceInfo]
   );
 
-  if (listDNSZonesAttempt.status === 'error') {
+  if (serviceInfoAttempt.status === 'error') {
     return (
       <Text p={textSpacing}>
         <ConnectionStatusIndicator status="warning" inline mr={2} />
-        VNet is working, but Teleport Connect could not fetch DNS zones:{' '}
-        {listDNSZonesAttempt.statusText}
+        VNet is running, but Teleport Connect could not fetch its status:{' '}
+        {serviceInfoAttempt.statusText}
         <ButtonSecondary
           ml={2}
           size="small"
           type="button"
-          onClick={listDNSZones}
+          onClick={getServiceInfo}
         >
           Retry
         </ButtonSecondary>
@@ -175,36 +175,100 @@ const DnsZones = () => {
   }
 
   if (
-    listDNSZonesAttempt.status === '' ||
-    (listDNSZonesAttempt.status === 'processing' && !listDNSZonesAttempt.data)
+    serviceInfoAttempt.status === '' ||
+    (serviceInfoAttempt.status === 'processing' && !serviceInfoAttempt.data)
   ) {
     return (
       <Text p={textSpacing}>
         <ConnectionStatusIndicator status="processing" inline mr={2} />
-        Updating the list of DNS zones…
+        Updating VNet status…
+      </Text>
+    );
+  }
+
+  const statusIndicator = (
+    <ConnectionStatusIndicator
+      status={serviceInfoAttempt.status === 'success' ? 'on' : 'processing'}
+      title={
+        serviceInfoAttempt.status === 'processing'
+          ? 'Updating VNet status…'
+          : undefined
+      }
+      inline
+      mr={2}
+      mt={2}
+    />
+  );
+
+  const serviceInfo = serviceInfoAttempt.data;
+
+  const sshConfiguredIndicator = serviceInfo.sshConfigured ? null : (
+    <Flex>
+      <ConnectionStatusIndicator status={'warning'} inline mr={2} />
+      SSH clients are not configured to use VNet (see diag report).
+    </Flex>
+  );
+
+  if (serviceInfo.appDnsZones.length == 0 && serviceInfo.clusters.length == 0) {
+    return (
+      <Flex p={textSpacing}>
+        {statusIndicator}
+        No clusters connected yet, VNet is not proxying any connections.
+      </Flex>
+    );
+  }
+
+  const appDNSZones = new Set(serviceInfo.appDnsZones);
+  const sshClusters = new Set(serviceInfo.clusters);
+  const appAndSshAreEqual =
+    appDNSZones.size == sshClusters.size && appDNSZones.isSubsetOf(sshClusters);
+
+  if (appAndSshAreEqual) {
+    return (
+      <Text p={textSpacing}>
+        <Flex>
+          {statusIndicator}
+          Proxying TCP and SSH connections to {[...appDNSZones].join(', ')}
+        </Flex>
+        {sshConfiguredIndicator}
       </Text>
     );
   }
 
-  const dnsZones = listDNSZonesAttempt.data;
+  const both = [...appDNSZones.intersection(sshClusters)].sort();
+  const justTCP = [...appDNSZones.difference(sshClusters)].sort();
+  const justSSH = [...sshClusters.difference(appDNSZones)].sort();
 
   return (
-    <Text p={textSpacing}>
-      <ConnectionStatusIndicator
-        status={listDNSZonesAttempt.status === 'success' ? 'on' : 'processing'}
-        title={
-          listDNSZonesAttempt.status === 'processing'
-            ? 'Updating the list of DNS zones…'
-            : undefined
-        }
-        inline
-        mr={2}
-      />
-      {dnsZones.length === 0 ? (
-        <>No clusters connected yet, VNet is not proxying any connections.</>
-      ) : (
-        <>Proxying TCP connections to {dnsZones.join(', ')}</>
-      )}
-    </Text>
+    <Box p={textSpacing}>
+      <Flex>
+        {statusIndicator}
+        <Box>
+          Proxying TCP and SSH connections to:
+          <Text typography="body2">
+            {both.length ? (
+              <Box>
+                <ConnectionKindIndicator bold>TCP</ConnectionKindIndicator>
+                <ConnectionKindIndicator bold>SSH</ConnectionKindIndicator>
+                {both.join(', ')}
+              </Box>
+            ) : null}
+            {justTCP.length ? (
+              <Box>
+                <ConnectionKindIndicator bold>TCP</ConnectionKindIndicator>
+                {justTCP.join(', ')}
+              </Box>
+            ) : null}
+            {justSSH.length ? (
+              <Box>
+                <ConnectionKindIndicator bold>SSH</ConnectionKindIndicator>
+                {justSSH.join(', ')}
+              </Box>
+            ) : null}
+          </Text>
+        </Box>
+      </Flex>
+      {sshConfiguredIndicator}
+    </Box>
   );
 };
diff --git a/web/packages/teleterm/src/ui/Vnet/integration.test.tsx b/web/packages/teleterm/src/ui/Vnet/integration.test.tsx
index 275b7e41c8fdd..1c9cf1e6bb2b6 100644
--- a/web/packages/teleterm/src/ui/Vnet/integration.test.tsx
+++ b/web/packages/teleterm/src/ui/Vnet/integration.test.tsx
@@ -88,9 +88,11 @@ test.each(tests)(
         clusters: [rootCluster],
       })
     );
-    jest.spyOn(ctx.vnet, 'listDNSZones').mockReturnValue(
+    jest.spyOn(ctx.vnet, 'getServiceInfo').mockReturnValue(
       new MockedUnaryCall({
-        dnsZones: [proxyHostname(rootCluster.proxyHost)],
+        appDnsZones: [proxyHostname(rootCluster.proxyHost)],
+        clusters: [rootCluster.name],
+        sshConfigured: true,
       })
     );
 
@@ -120,7 +122,7 @@ test.each(tests)(
     ).toBeInTheDocument();
     await user.click(within(docVnetInfo).getByText('Start VNet'));
     expect(
-      await screen.findByText(/Proxying TCP connections/)
+      await screen.findByText(/Proxying TCP and SSH connections/)
     ).toBeInTheDocument();
 
     // Verify that a notification is shown and that the address is in the clipboard.
@@ -141,7 +143,7 @@ test.each(tests)(
     await user.click(within(docVnetInfo).getByText('Stop VNet'));
     await user.click(await within(docVnetInfo).findByText('Start VNet'));
     expect(
-      await screen.findByText(/Proxying TCP connections/)
+      await screen.findByText(/Proxying TCP and SSH connections/)
     ).toBeInTheDocument();
 
     // Verify that the address was not copied to the clipboard after the second start from the "Start
@@ -182,9 +184,11 @@ test.each(tests)(
         clusters: [rootCluster],
       })
     );
-    jest.spyOn(ctx.vnet, 'listDNSZones').mockReturnValue(
+    jest.spyOn(ctx.vnet, 'getServiceInfo').mockReturnValue(
       new MockedUnaryCall({
-        dnsZones: [proxyHostname(rootCluster.proxyHost)],
+        appDnsZones: [proxyHostname(rootCluster.proxyHost)],
+        clusters: [rootCluster.name],
+        sshConfigured: true,
       })
     );
 
@@ -209,7 +213,7 @@ test.each(tests)(
 
     // Verify that VNet is running and that the public address was copied to the clipboard.
     expect(
-      await screen.findByText(/Proxying TCP connections/)
+      await screen.findByText(/Proxying TCP and SSH connections/)
     ).toBeInTheDocument();
     expect(
       await screen.findByText(
@@ -241,9 +245,11 @@ test('launching VNet for the first time from the connections panel does not open
       clusters: [rootCluster],
     })
   );
-  jest.spyOn(ctx.vnet, 'listDNSZones').mockReturnValue(
+  jest.spyOn(ctx.vnet, 'getServiceInfo').mockReturnValue(
     new MockedUnaryCall({
-      dnsZones: [proxyHostname(rootCluster.proxyHost)],
+      appDnsZones: [proxyHostname(rootCluster.proxyHost)],
+      clusters: [rootCluster.name],
+      sshConfigured: true,
     })
   );
 
diff --git a/web/packages/teleterm/src/ui/Vnet/vnetContext.tsx b/web/packages/teleterm/src/ui/Vnet/vnetContext.tsx
index 4deba14e0d802..1f20aa48be18b 100644
--- a/web/packages/teleterm/src/ui/Vnet/vnetContext.tsx
+++ b/web/packages/teleterm/src/ui/Vnet/vnetContext.tsx
@@ -28,7 +28,10 @@ import {
   useState,
 } from 'react';
 
-import { BackgroundItemStatus } from 'gen-proto-ts/teleport/lib/teleterm/vnet/v1/vnet_service_pb';
+import {
+  BackgroundItemStatus,
+  GetServiceInfoResponse,
+} from 'gen-proto-ts/teleport/lib/teleterm/vnet/v1/vnet_service_pb';
 import { Report } from 'gen-proto-ts/teleport/lib/vnet/diag/v1/diag_pb';
 import { useStateRef } from 'shared/hooks';
 import { Attempt, makeEmptyAttempt, useAsync } from 'shared/hooks/useAsync';
@@ -60,8 +63,8 @@ export type VnetContext = {
   startAttempt: Attempt<void>;
   stop: () => Promise<[void, Error]>;
   stopAttempt: Attempt<void>;
-  listDNSZones: () => Promise<[string[], Error]>;
-  listDNSZonesAttempt: Attempt<string[]>;
+  getServiceInfo: () => Promise<[GetServiceInfoResponse, Error]>;
+  serviceInfoAttempt: Attempt<GetServiceInfoResponse>;
   runDiagnostics: () => Promise<[Report, Error]>;
   diagnosticsAttempt: Attempt<Report>;
   /**
@@ -234,9 +237,9 @@ export const VnetContextProvider: FC<
     ])
   );
 
-  const [listDNSZonesAttempt, listDNSZones] = useAsync(
+  const [serviceInfoAttempt, getServiceInfo] = useAsync(
     useCallback(
-      () => vnet.listDNSZones({}).then(({ response }) => response.dnsZones),
+      () => vnet.getServiceInfo({}).then(({ response }) => response),
       [vnet]
     )
   );
@@ -469,8 +472,8 @@ export const VnetContextProvider: FC<
         startAttempt,
         stop,
         stopAttempt,
-        listDNSZones,
-        listDNSZonesAttempt,
+        getServiceInfo,
+        serviceInfoAttempt,
         runDiagnostics,
         diagnosticsAttempt,
         getDisabledDiagnosticsReason,

From 1669b77d60c144a947c765f7a0db83df55163575 Mon Sep 17 00:00:00 2001
From: Nic Klaassen <nic@goteleport.com>
Date: Fri, 20 Jun 2025 09:07:29 -0700
Subject: [PATCH 12/25] [v18][vnet] feat: support proxy recording mode with
 VNet SSH

Backport #55788 to branch/v18
---
 lib/vnet/client_application_service.go |   9 +-
 lib/vnet/ssh_agent.go                  | 155 +++++++++++++++++++++++++
 lib/vnet/ssh_handler.go                |  12 +-
 lib/vnet/ssh_provider.go               |  27 ++++-
 lib/vnet/tcp_handler_resolver.go       |   5 +-
 lib/vnet/vnet_test.go                  |  73 ++++++++++--
 6 files changed, 257 insertions(+), 24 deletions(-)
 create mode 100644 lib/vnet/ssh_agent.go

diff --git a/lib/vnet/client_application_service.go b/lib/vnet/client_application_service.go
index b612cc0891826..4aeeac71bbd5e 100644
--- a/lib/vnet/client_application_service.go
+++ b/lib/vnet/client_application_service.go
@@ -353,13 +353,18 @@ func (s *clientApplicationService) SessionSSHConfig(ctx context.Context, req *vn
 	}
 	var trustedCAs [][]byte
 	for _, trustedCert := range keyRing.TrustedCerts {
-		if trustedCert.ClusterName != targetCluster {
+		switch trustedCert.ClusterName {
+		case targetCluster, req.GetRootCluster():
+			// Always trust the target cluster and the root cluster in case the
+			// root proxy will terminate the connection in proxy recording mode.
+		default:
+			// Don't trust CAs for other leaf clusters or unknown clusters.
 			continue
 		}
 		for _, authorizedKey := range trustedCert.AuthorizedKeys {
 			trustedCA, _, _, _, err := ssh.ParseAuthorizedKey(authorizedKey)
 			if err != nil {
-				return nil, trace.Wrap(err, "parsing CA cert")
+				return nil, trace.Wrap(err, "parsing CA public key")
 			}
 			trustedCAs = append(trustedCAs, trustedCA.Marshal())
 		}
diff --git a/lib/vnet/ssh_agent.go b/lib/vnet/ssh_agent.go
new file mode 100644
index 0000000000000..314db3373938e
--- /dev/null
+++ b/lib/vnet/ssh_agent.go
@@ -0,0 +1,155 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package vnet
+
+import (
+	"context"
+	"crypto/rand"
+
+	"github.com/gravitational/trace"
+	"golang.org/x/crypto/ssh"
+	"golang.org/x/crypto/ssh/agent"
+
+	"github.com/gravitational/teleport/api/utils/sshutils"
+)
+
+// sshAgent implements [agent.ExtendedAgent]. The sole purpose is to forward
+// the user's Teleport SSH key to the proxy in case the cluster is in proxy
+// recording mode. In this case there will be an SSH connection between VNet
+// and the root cluster proxy terminated with the SSH key in the
+// [ssh.ClientConfig], and then the key forwarded via this agent will be used
+// to terminate the final SSH connection to the target node.
+//
+// It is not safe for concurrent use, setSessionKey must only be called before
+// the agent will actually be used.
+type sshAgent struct {
+	signer ssh.Signer
+}
+
+func newSSHAgent() *sshAgent {
+	return &sshAgent{}
+}
+
+// setSessionKey must be called at most once, before the agent will be used.
+// It's not possible to initialize sshAgent with the SSH signer because the
+// agent must be passed to [proxy.Client.DialHost] before the session SSH
+// signer has been created.
+func (a *sshAgent) setSessionKey(signer ssh.Signer) error {
+	if a.signer != nil {
+		return trace.Errorf("sshAgent.setSessionKey must be called at most once (this is a bug)")
+	}
+	a.signer = signer
+	return nil
+}
+
+// List implements [agent.ExtendedAgent.List], it returns a single key if it
+// has been set by setSessionKey.
+func (a *sshAgent) List() ([]*agent.Key, error) {
+	if a.signer == nil {
+		return nil, nil
+	}
+	pub := a.signer.PublicKey()
+	return []*agent.Key{{
+		Format: pub.Type(),
+		Blob:   pub.Marshal(),
+	}}, nil
+}
+
+// List implements [agent.ExtendedAgent.Signers], it returns a single key if it
+// has been set by setSessionKey.
+func (a *sshAgent) Signers() ([]ssh.Signer, error) {
+	if a.signer == nil {
+		return nil, nil
+	}
+	return []ssh.Signer{a.signer}, nil
+}
+
+// SignWithFlags implements [agent.ExtendedAgent.Sign], it returns an SSH
+// signature with a.signer if it has been set and matches the requested key.
+func (a *sshAgent) Sign(key ssh.PublicKey, data []byte) (*ssh.Signature, error) {
+	return a.SignWithFlags(key, data, 0)
+}
+
+// SignWithFlags implements [agent.ExtendedAgent.SignWithFlags], it returns an
+// SSH signature with a.signer if it has been set and matches the requested
+// key.
+func (a *sshAgent) SignWithFlags(key ssh.PublicKey, data []byte, flags agent.SignatureFlags) (*ssh.Signature, error) {
+	if a.signer == nil {
+		return nil, trace.Errorf("VNet SSH agent has no signer")
+	}
+	if !sshutils.KeysEqual(a.signer.PublicKey(), key) {
+		return nil, trace.BadParameter("requested key does not equal VNet SSH agent key")
+	}
+	var algo string
+	switch flags {
+	case 0:
+	case agent.SignatureFlagRsaSha256:
+		algo = ssh.KeyAlgoRSASHA256
+	case agent.SignatureFlagRsaSha512:
+		algo = ssh.KeyAlgoRSASHA512
+	default:
+		return nil, trace.Errorf("unsupported signature flag %v", flags)
+	}
+	log.DebugContext(context.Background(), "VNet SSH agent signature requested",
+		"key_type", a.signer.PublicKey().Type(), "algo", algo)
+	if algo == "" {
+		sig, err := a.signer.Sign(rand.Reader, data)
+		return sig, trace.Wrap(err)
+	}
+	algorithmSigner, ok := a.signer.(ssh.AlgorithmSigner)
+	if !ok {
+		return nil, trace.Errorf("VNet SSH agent signer does not implement ssh.AlgorithmSigner")
+	}
+	sig, err := algorithmSigner.SignWithAlgorithm(rand.Reader, data, algo)
+	return sig, trace.Wrap(err, "signing with VNet SSH agent signer")
+}
+
+// Add implements [agent.ExtendedAgent.Add]. It is irrelevant for this
+// implementation and always returns an error, it is not called.
+func (a *sshAgent) Add(key agent.AddedKey) error {
+	return trace.NotImplemented("sshAgent.Add is not implemented")
+}
+
+// Remove implements [agent.ExtendedAgent.Remove]. It is irrelevant for this
+// implementation and always returns an error, it is not called.
+func (a *sshAgent) Remove(key ssh.PublicKey) error {
+	return trace.NotImplemented("sshAgent.Remove is not implemented")
+}
+
+// RemoveAll implements [agent.ExtendedAgent.RemoveAll]. It is irrelevant for this
+// implementation and always returns an error, it is not called.
+func (a *sshAgent) RemoveAll() error {
+	return trace.NotImplemented("sshAgent.RemoveAll is not implemented")
+}
+
+// Lock implements [agent.ExtendedAgent.Lock]. It is irrelevant for this
+// implementation and always returns an error, it is not called.
+func (a *sshAgent) Lock(passphrase []byte) error {
+	return trace.NotImplemented("sshAgent.Lock is not implemented")
+}
+
+// Unlock implements [agent.ExtendedAgent.Unlock]. It is irrelevant for this
+// implementation and always returns an error, it is not called.
+func (a *sshAgent) Unlock(passphrase []byte) error {
+	return trace.NotImplemented("sshAgent.Unlock is not implemented")
+}
+
+// Extension implements [agent.ExtendedAgent.Extension]. It is irrelevant for
+// this implementation and always returns an error, it is not called.
+func (a *sshAgent) Extension(extensionType string, contents []byte) ([]byte, error) {
+	return nil, trace.NotImplemented("sshAgent.Extension is not implemented")
+}
diff --git a/lib/vnet/ssh_handler.go b/lib/vnet/ssh_handler.go
index 1ca080d294ee9..89efeb8d35652 100644
--- a/lib/vnet/ssh_handler.go
+++ b/lib/vnet/ssh_handler.go
@@ -54,12 +54,13 @@ func (h *sshHandler) handleTCPConnector(ctx context.Context, localPort uint16, c
 	if localPort != 22 {
 		return trace.BadParameter("SSH is only handled on port 22")
 	}
-	targetConn, err := h.cfg.sshProvider.dial(ctx, h.cfg.target)
+	agent := newSSHAgent()
+	targetConn, err := h.cfg.sshProvider.dial(ctx, h.cfg.target, agent)
 	if err != nil {
 		return trace.Wrap(err)
 	}
 	defer targetConn.Close()
-	return trace.Wrap(h.handleTCPConnectorWithTargetConn(ctx, connector, targetConn))
+	return trace.Wrap(h.handleTCPConnectorWithTargetConn(ctx, connector, targetConn, agent))
 }
 
 // handleTCPConnectorWithTargetTCPConn handles an incoming TCP connection from
@@ -68,6 +69,7 @@ func (h *sshHandler) handleTCPConnectorWithTargetConn(
 	ctx context.Context,
 	connector func() (net.Conn, error),
 	targetConn net.Conn,
+	agent *sshAgent,
 ) error {
 	target := h.cfg.target
 	hostCert, err := newHostCert(target.fqdn, h.cfg.sshProvider.hostCASigner)
@@ -107,7 +109,7 @@ func (h *sshHandler) handleTCPConnectorWithTargetConn(
 				return nil, clientConnErr
 			}
 			initiatedSSHConn = true
-			clientConn, clientConnErr = h.initiateSSHConn(ctx, targetConn, conn.User())
+			clientConn, clientConnErr = h.initiateSSHConn(ctx, targetConn, conn.User(), agent)
 			if clientConnErr != nil {
 				// Attempt to send a friendlier errer message if we failed to
 				// initiate the SSH connection to the target by sending an auth
@@ -159,9 +161,9 @@ func (h *sshHandler) handleTCPConnectorWithTargetConn(
 	return nil
 }
 
-func (h *sshHandler) initiateSSHConn(ctx context.Context, targetConn net.Conn, user string) (*sshConn, error) {
+func (h *sshHandler) initiateSSHConn(ctx context.Context, targetConn net.Conn, user string, agent *sshAgent) (*sshConn, error) {
 	target := h.cfg.target
-	clientConfig, err := h.cfg.sshProvider.sessionSSHConfig(ctx, target, user)
+	clientConfig, err := h.cfg.sshProvider.sessionSSHConfig(ctx, target, user, agent)
 	if err != nil {
 		return nil, trace.Wrap(err, "building SSH client config")
 	}
diff --git a/lib/vnet/ssh_provider.go b/lib/vnet/ssh_provider.go
index 1c54bab4048a3..2584794cf2b75 100644
--- a/lib/vnet/ssh_provider.go
+++ b/lib/vnet/ssh_provider.go
@@ -53,6 +53,7 @@ type sshProviderConfig struct {
 		target dialTarget,
 		tlsConfig *tls.Config,
 		dialOpts *vnetv1.DialOptions,
+		agent *sshAgent,
 	) (net.Conn, error)
 }
 
@@ -77,7 +78,7 @@ func newSSHProvider(ctx context.Context, cfg sshProviderConfig) (*sshProvider, e
 }
 
 // dial dials the target SSH host.
-func (p *sshProvider) dial(ctx context.Context, target dialTarget) (net.Conn, error) {
+func (p *sshProvider) dial(ctx context.Context, target dialTarget, agent *sshAgent) (net.Conn, error) {
 	userTLSCertResp, err := p.cfg.clt.UserTLSCert(ctx, target.profile)
 	if err != nil {
 		return nil, trace.Wrap(err)
@@ -89,9 +90,10 @@ func (p *sshProvider) dial(ctx context.Context, target dialTarget) (net.Conn, er
 		return nil, trace.Wrap(err)
 	}
 	if p.cfg.overrideNodeDialer != nil {
-		return p.cfg.overrideNodeDialer(ctx, target, tlsConfig, dialOpts)
+		conn, err := p.cfg.overrideNodeDialer(ctx, target, tlsConfig, dialOpts, agent)
+		return conn, trace.Wrap(err)
 	}
-	return p.dialViaProxy(ctx, target, tlsConfig, dialOpts)
+	return p.dialViaProxy(ctx, target, tlsConfig, dialOpts, agent)
 }
 
 // dialViaProxy dials the target SSH host via the proxy transport service.
@@ -100,6 +102,7 @@ func (p *sshProvider) dialViaProxy(
 	target dialTarget,
 	tlsConfig *tls.Config,
 	dialOpts *vnetv1.DialOptions,
+	agent *sshAgent,
 ) (net.Conn, error) {
 	// TODO(nklaassen): consider reusing proxy clients, need to figure out when
 	// it's necessary to make a new client e.g. if the user's TLS credentials
@@ -117,8 +120,14 @@ func (p *sshProvider) dialViaProxy(
 	if err != nil {
 		return nil, trace.Wrap(err, "building proxy client")
 	}
-	// TODO(nklaassen): pass an SSH keyring to support proxy recording mode.
-	conn, _, err := pclt.DialHost(ctx, target.addr, target.cluster, nil /*keyRing*/)
+	// Forward an SSH agent in case proxy recording mode is enabled in the cluster.
+	// At this point there is no SSH key for the user yet and the agent is
+	// empty, the SSH key will be added to the agent in [sshProvider.sessionSSHConfig].
+	// This forwarded agent will be used only to make the next SSH connection
+	// to the target SSH node, it is not actually forwarded to the target node
+	// and does not prevent the client from forwarding its own agent if
+	// requested.
+	conn, _, err := pclt.DialHost(ctx, target.addr, target.cluster, agent)
 	if err != nil {
 		pclt.Close()
 		return nil, trace.Wrap(err, "dialing target via proxy")
@@ -168,6 +177,7 @@ func (p *sshProvider) sessionSSHConfig(
 	ctx context.Context,
 	target dialTarget,
 	user string,
+	agent *sshAgent,
 ) (*ssh.ClientConfig, error) {
 	// TODO(nklaassen): cache session SSH configs so we don't have to regenerate
 	// every time.
@@ -202,6 +212,13 @@ func (p *sshProvider) sessionSSHConfig(
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
+	// Add the session SSH key to the SSH agent in case proxy recording mode is
+	// enabled. Adding it to the agent here before returning an
+	// ssh.ClientConfig guarantees the key is added to the agent before the
+	// agent could be used.
+	if err := agent.setSessionKey(certSigner); err != nil {
+		return nil, trace.Wrap(err)
+	}
 	hostKeyCallback, err := buildHostKeyCallback(resp.GetTrustedCas(), p.cfg.clock)
 	if err != nil {
 		return nil, trace.Wrap(err)
diff --git a/lib/vnet/tcp_handler_resolver.go b/lib/vnet/tcp_handler_resolver.go
index 7d4d0dbe16696..ff679b48eb2d6 100644
--- a/lib/vnet/tcp_handler_resolver.go
+++ b/lib/vnet/tcp_handler_resolver.go
@@ -189,7 +189,8 @@ func (h *undecidedHandler) handleTCPConnector(ctx context.Context, localPort uin
 		log.DebugContext(ctx, "Resolved FQDN to a matched cluster")
 		// Attempt a dial to the target SSH node to see if it exists.
 		target := computeDialTarget(matchedCluster, h.cfg.fqdn)
-		targetConn, err := h.cfg.sshProvider.dial(ctx, target)
+		agent := newSSHAgent()
+		targetConn, err := h.cfg.sshProvider.dial(ctx, target, agent)
 		if err != nil {
 			if trace.IsConnectionProblem(err) {
 				log.DebugContext(ctx, "Failed TCP dial to target, node might be offline")
@@ -209,7 +210,7 @@ func (h *undecidedHandler) handleTCPConnector(ctx context.Context, localPort uin
 		h.setDecidedHandler(sshHandler)
 		// Handle the incoming connection with the TCP connection to the target
 		// SSH node that has already been established.
-		return sshHandler.handleTCPConnectorWithTargetConn(ctx, connector, targetConn)
+		return sshHandler.handleTCPConnectorWithTargetConn(ctx, connector, targetConn, agent)
 	}
 	return trace.Errorf("rejecting connection to %s:%d", h.cfg.fqdn, localPort)
 }
diff --git a/lib/vnet/vnet_test.go b/lib/vnet/vnet_test.go
index 926977f6b1049..0e3ef9c42636a 100644
--- a/lib/vnet/vnet_test.go
+++ b/lib/vnet/vnet_test.go
@@ -370,6 +370,8 @@ type fakeClientApp struct {
 	// requestedRouteToApps indexed by public address.
 	requestedRouteToApps   map[string][]*proto.RouteToApp
 	requestedRouteToAppsMu sync.RWMutex
+
+	forwardedAgents *forwardedAgents
 }
 
 type fakeClientAppConfig struct {
@@ -393,13 +395,16 @@ func newFakeClientApp(ctx context.Context, t *testing.T, cfg *fakeClientAppConfi
 	teleportUserCA, err := ssh.NewSignerFromSigner(teleportUserCAKey)
 	require.NoError(t, err)
 
+	forwardedAgents := &forwardedAgents{}
+
 	tlsCA := newSelfSignedCA(t)
 	dialOpts := mustStartFakeWebProxy(ctx, t, fakeWebProxyConfig{
-		tlsCA:  tlsCA,
-		hostCA: teleportHostCA,
-		userCA: teleportUserCA,
-		clock:  cfg.clock,
-		suite:  cfg.signatureAlgorithmSuite,
+		tlsCA:           tlsCA,
+		hostCA:          teleportHostCA,
+		userCA:          teleportUserCA,
+		clock:           cfg.clock,
+		suite:           cfg.signatureAlgorithmSuite,
+		forwardedAgents: forwardedAgents,
 	})
 
 	return &fakeClientApp{
@@ -409,6 +414,7 @@ func newFakeClientApp(ctx context.Context, t *testing.T, cfg *fakeClientAppConfi
 		teleportHostCA:       teleportHostCA,
 		teleportUserCA:       teleportUserCA,
 		requestedRouteToApps: make(map[string][]*proto.RouteToApp),
+		forwardedAgents:      forwardedAgents,
 	}
 }
 
@@ -573,6 +579,7 @@ func (p *fakeClientApp) dialSSHNode(
 	target dialTarget,
 	tlsConfig *tls.Config,
 	dialOpts *vnetv1.DialOptions,
+	agent *sshAgent,
 ) (net.Conn, error) {
 	targetCluster, ok := p.cfg.clusters[target.profile]
 	if !ok {
@@ -587,6 +594,12 @@ func (p *fakeClientApp) dialSSHNode(
 	if _, ok := targetCluster.nodes[target.hostname]; !ok {
 		return nil, trace.NotFound("no such host")
 	}
+	// In this test suite all SSH dials go to a single faked web proxy expecting
+	// the ALPN protocol alpncomm.ProtocolProxySSH for SSH dials. It doesn't
+	// run the real transport service that handles SSH agent forwarding over
+	// gRPC, but the test shares the forwarded agent with the fake proxy via
+	// the forwardedAgents collection.
+	p.forwardedAgents.add(agent)
 	tlsConfig.NextProtos = []string{string(alpncommon.ProtocolProxySSH)}
 	return tls.Dial("tcp", dialOpts.GetWebProxyAddr(), tlsConfig)
 }
@@ -1598,11 +1611,12 @@ func newLeafCert(
 }
 
 type fakeWebProxyConfig struct {
-	tlsCA  tls.Certificate
-	hostCA ssh.Signer
-	userCA ssh.Signer
-	clock  clockwork.Clock
-	suite  types.SignatureAlgorithmSuite
+	tlsCA           tls.Certificate
+	hostCA          ssh.Signer
+	userCA          ssh.Signer
+	clock           clockwork.Clock
+	suite           types.SignatureAlgorithmSuite
+	forwardedAgents *forwardedAgents
 }
 
 func mustStartFakeWebProxy(
@@ -1666,6 +1680,13 @@ func mustStartFakeWebProxy(
 				if conn.User() == "denyuser" {
 					return nil, trace.AccessDenied("access denied for denyuser")
 				}
+				// The test suite doesn't implement real "proxy recording mode"
+				// or SSH agent forwarding, but at least test here that the
+				// user key used to make this connection was forwarded so that
+				// the real SSH forwarding proxy would have access to it.
+				if !cfg.forwardedAgents.forwarded(pubKey) {
+					return nil, trace.Errorf("user SSH key was not forwarded")
+				}
 				return certChecker.Authenticate(conn, pubKey)
 			},
 		}
@@ -1751,3 +1772,35 @@ func mustStartFakeWebProxy(
 	}
 	return dialOpts
 }
+
+// forwardedAgents is a crude way of tracking all the forwarded SSH agents and
+// checking if any of them forward a specific SSH key.
+type forwardedAgents struct {
+	mu     sync.Mutex
+	agents []*sshAgent
+}
+
+func (a *forwardedAgents) add(agent *sshAgent) {
+	a.mu.Lock()
+	defer a.mu.Unlock()
+	a.agents = append(a.agents, agent)
+}
+
+func (a *forwardedAgents) forwarded(key ssh.PublicKey) bool {
+	a.mu.Lock()
+	defer a.mu.Unlock()
+	blob := key.Marshal()
+	for _, agent := range a.agents {
+		agentKeys, err := agent.List()
+		if err != nil {
+			// sshAgent.List never returns an error.
+			continue
+		}
+		for _, agentKey := range agentKeys {
+			if slices.Equal(agentKey.Blob, blob) {
+				return true
+			}
+		}
+	}
+	return false
+}

From 90401fa7381e6ab930010fe70d3ac3d25b908f6a Mon Sep 17 00:00:00 2001
From: Nic Klaassen <nic@goteleport.com>
Date: Fri, 20 Jun 2025 09:07:06 -0700
Subject: [PATCH 13/25] [v18][vnet] feat: support diag checks on windows

Backport #55856 to branch/v18
---
 lib/teleterm/vnet/service.go                  | 59 ++++++++++++++
 lib/teleterm/vnet/service_darwin.go           | 60 +-------------
 lib/teleterm/vnet/service_other.go            | 29 +++++++
 lib/teleterm/vnet/service_windows.go          | 48 +++++++++++
 lib/vnet/diag/routeconflict_other.go          |  2 +-
 lib/vnet/diag/routeconflict_windows.go        | 79 +++++++++++++++++++
 .../src/ui/Vnet/VnetConnectionItem.tsx        | 23 +++---
 .../src/ui/Vnet/VnetSliderStep.story.tsx      |  6 +-
 .../teleterm/src/ui/Vnet/vnetContext.tsx      | 11 ---
 9 files changed, 231 insertions(+), 86 deletions(-)
 create mode 100644 lib/teleterm/vnet/service_other.go
 create mode 100644 lib/teleterm/vnet/service_windows.go
 create mode 100644 lib/vnet/diag/routeconflict_windows.go

diff --git a/lib/teleterm/vnet/service.go b/lib/teleterm/vnet/service.go
index 7b41d7d278005..c3b17dd6f9a53 100644
--- a/lib/teleterm/vnet/service.go
+++ b/lib/teleterm/vnet/service.go
@@ -258,6 +258,65 @@ func (s *Service) GetServiceInfo(ctx context.Context, _ *api.GetServiceInfoReque
 	}, nil
 }
 
+// RunDiagnostics runs a set of heuristics to determine if VNet actually works
+// on the device. It requires VNet to be started.
+func (s *Service) RunDiagnostics(ctx context.Context, req *api.RunDiagnosticsRequest) (*api.RunDiagnosticsResponse, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if s.status != statusRunning {
+		return nil, trace.CompareFailed("VNet is not running")
+	}
+
+	if s.networkStackInfo.InterfaceName == "" {
+		return nil, trace.BadParameter("no interface name, this is a bug")
+	}
+
+	if s.networkStackInfo.Ipv6Prefix == "" {
+		return nil, trace.BadParameter("no IPv6 prefix, this is a bug")
+	}
+
+	nsa := &diagv1.NetworkStackAttempt{}
+	if ns, err := s.getNetworkStack(ctx); err != nil {
+		nsa.Status = diagv1.CheckAttemptStatus_CHECK_ATTEMPT_STATUS_ERROR
+		nsa.Error = err.Error()
+	} else {
+		nsa.Status = diagv1.CheckAttemptStatus_CHECK_ATTEMPT_STATUS_OK
+		nsa.NetworkStack = ns
+	}
+
+	diagChecks, err := s.platformDiagChecks(ctx)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	report, err := diag.GenerateReport(ctx, diag.ReportPrerequisites{
+		Clock:               s.cfg.Clock,
+		NetworkStackAttempt: nsa,
+		DiagChecks:          diagChecks,
+	})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	return &api.RunDiagnosticsResponse{
+		Report: report,
+	}, nil
+}
+
+func (s *Service) getNetworkStack(ctx context.Context) (*diagv1.NetworkStack, error) {
+	unifiedClusterConfig, err := s.vnetProcess.GetUnifiedClusterConfigProvider().GetUnifiedClusterConfig(ctx)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return &diagv1.NetworkStack{
+		InterfaceName:  s.networkStackInfo.InterfaceName,
+		Ipv6Prefix:     s.networkStackInfo.Ipv6Prefix,
+		Ipv4CidrRanges: unifiedClusterConfig.IPv4CidrRanges,
+		DnsZones:       unifiedClusterConfig.AllDNSZones(),
+	}, nil
+}
+
 func (s *Service) stopLocked() error {
 	if s.status == statusClosed {
 		return trace.CompareFailed("VNet service has been closed")
diff --git a/lib/teleterm/vnet/service_darwin.go b/lib/teleterm/vnet/service_darwin.go
index 362246bf292c9..221350086ac5d 100644
--- a/lib/teleterm/vnet/service_darwin.go
+++ b/lib/teleterm/vnet/service_darwin.go
@@ -21,38 +21,10 @@ import (
 
 	"github.com/gravitational/trace"
 
-	api "github.com/gravitational/teleport/gen/proto/go/teleport/lib/teleterm/vnet/v1"
-	diagv1 "github.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/diag/v1"
 	"github.com/gravitational/teleport/lib/vnet/diag"
 )
 
-// RunDiagnostics runs a set of heuristics to determine if VNet actually works on the device, that
-// is receives network traffic and DNS queries. RunDiagnostics requires VNet to be started.
-func (s *Service) RunDiagnostics(ctx context.Context, req *api.RunDiagnosticsRequest) (*api.RunDiagnosticsResponse, error) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	if s.status != statusRunning {
-		return nil, trace.CompareFailed("VNet is not running")
-	}
-
-	if s.networkStackInfo.InterfaceName == "" {
-		return nil, trace.BadParameter("no interface name, this is a bug")
-	}
-
-	if s.networkStackInfo.Ipv6Prefix == "" {
-		return nil, trace.BadParameter("no IPv6 prefix, this is a bug")
-	}
-
-	nsa := &diagv1.NetworkStackAttempt{}
-	if ns, err := s.getNetworkStack(ctx); err != nil {
-		nsa.Status = diagv1.CheckAttemptStatus_CHECK_ATTEMPT_STATUS_ERROR
-		nsa.Error = err.Error()
-	} else {
-		nsa.Status = diagv1.CheckAttemptStatus_CHECK_ATTEMPT_STATUS_OK
-		nsa.NetworkStack = ns
-	}
-
+func (s *Service) platformDiagChecks(ctx context.Context) ([]diag.DiagCheck, error) {
 	routeConflictDiag, err := diag.NewRouteConflictDiag(&diag.RouteConflictConfig{
 		VnetIfaceName: s.networkStackInfo.InterfaceName,
 		Routing:       &diag.DarwinRouting{},
@@ -69,32 +41,8 @@ func (s *Service) RunDiagnostics(ctx context.Context, req *api.RunDiagnosticsReq
 		return nil, trace.Wrap(err)
 	}
 
-	report, err := diag.GenerateReport(ctx, diag.ReportPrerequisites{
-		Clock:               s.cfg.Clock,
-		NetworkStackAttempt: nsa,
-		DiagChecks: []diag.DiagCheck{
-			routeConflictDiag,
-			sshDiag,
-		},
-	})
-	if err != nil {
-		return nil, trace.Wrap(err)
-	}
-
-	return &api.RunDiagnosticsResponse{
-		Report: report,
-	}, nil
-}
-
-func (s *Service) getNetworkStack(ctx context.Context) (*diagv1.NetworkStack, error) {
-	unifiedClusterConfig, err := s.vnetProcess.GetUnifiedClusterConfigProvider().GetUnifiedClusterConfig(ctx)
-	if err != nil {
-		return nil, trace.Wrap(err)
-	}
-	return &diagv1.NetworkStack{
-		InterfaceName:  s.networkStackInfo.InterfaceName,
-		Ipv6Prefix:     s.networkStackInfo.Ipv6Prefix,
-		Ipv4CidrRanges: unifiedClusterConfig.IPv4CidrRanges,
-		DnsZones:       unifiedClusterConfig.AllDNSZones(),
+	return []diag.DiagCheck{
+		routeConflictDiag,
+		sshDiag,
 	}, nil
 }
diff --git a/lib/teleterm/vnet/service_other.go b/lib/teleterm/vnet/service_other.go
new file mode 100644
index 0000000000000..e710809f91ffd
--- /dev/null
+++ b/lib/teleterm/vnet/service_other.go
@@ -0,0 +1,29 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+//go:build !darwin && !windows
+
+package vnet
+
+import (
+	"context"
+
+	"github.com/gravitational/teleport/lib/vnet/diag"
+)
+
+func (s *Service) platformDiagChecks(ctx context.Context) ([]diag.DiagCheck, error) {
+	return nil, nil
+}
diff --git a/lib/teleterm/vnet/service_windows.go b/lib/teleterm/vnet/service_windows.go
new file mode 100644
index 0000000000000..d41fe2ee00f7d
--- /dev/null
+++ b/lib/teleterm/vnet/service_windows.go
@@ -0,0 +1,48 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package vnet
+
+import (
+	"context"
+
+	"github.com/gravitational/trace"
+
+	"github.com/gravitational/teleport/lib/vnet/diag"
+)
+
+func (s *Service) platformDiagChecks(ctx context.Context) ([]diag.DiagCheck, error) {
+	routeConflictDiag, err := diag.NewRouteConflictDiag(&diag.RouteConflictConfig{
+		VnetIfaceName: s.networkStackInfo.InterfaceName,
+		Routing:       &diag.WindowsRouting{},
+		Interfaces:    &diag.NetInterfaces{},
+	})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	sshDiag, err := diag.NewSSHDiag(&diag.SSHConfig{
+		ProfilePath: s.cfg.profilePath,
+	})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	return []diag.DiagCheck{
+		routeConflictDiag,
+		sshDiag,
+	}, nil
+}
diff --git a/lib/vnet/diag/routeconflict_other.go b/lib/vnet/diag/routeconflict_other.go
index ce0acdaca1553..5ca8360dabd60 100644
--- a/lib/vnet/diag/routeconflict_other.go
+++ b/lib/vnet/diag/routeconflict_other.go
@@ -1,4 +1,4 @@
-//go:build !darwin
+//go:build !darwin && !windows
 
 // Teleport
 // Copyright (C) 2025 Gravitational, Inc.
diff --git a/lib/vnet/diag/routeconflict_windows.go b/lib/vnet/diag/routeconflict_windows.go
new file mode 100644
index 0000000000000..9dc89fc2d775d
--- /dev/null
+++ b/lib/vnet/diag/routeconflict_windows.go
@@ -0,0 +1,79 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package diag
+
+import (
+	"context"
+	"net/netip"
+	"os/exec"
+
+	"github.com/gravitational/trace"
+	"golang.org/x/sys/windows"
+	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
+)
+
+var ipv4Broadcast = netip.AddrFrom4([4]byte{255, 255, 255, 255})
+
+// WindowsRouting provides Windows-specific [Routing] implementation used by [RouteConflictDiag].
+type WindowsRouting struct{}
+
+// GetRouteDestinations gets routes from the OS and then extracts the only
+// information needed from them: the route destination and the index of the
+// network interface. It operates solely on IPv4 routes.
+func (wr *WindowsRouting) GetRouteDestinations() ([]RouteDest, error) {
+	rows, err := winipcfg.GetIPForwardTable2(windows.AF_INET)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	rds := make([]RouteDest, 0, len(rows))
+	for _, row := range rows {
+		prefix := row.DestinationPrefix.Prefix()
+		addr := prefix.Addr()
+		if addr.IsLinkLocalMulticast() || addr == ipv4Broadcast {
+			// All interfaces seem to get a link local multicast and broadcast
+			// route assigned which would always appear as a conflict, so skip
+			// them.
+			continue
+		}
+		if prefix.IsSingleIP() {
+			rds = append(rds, &RouteDestIP{
+				Addr:       addr,
+				ifaceIndex: int(row.InterfaceIndex),
+			})
+		} else {
+			rds = append(rds, &RouteDestPrefix{
+				Prefix:     prefix,
+				ifaceIndex: int(row.InterfaceIndex),
+			})
+		}
+	}
+	return rds, nil
+}
+
+func (n *NetInterfaces) interfaceApp(ctx context.Context, ifaceName string) (string, error) {
+	// Interfaces usually have descriptive names on Windows (the TUN interfaces
+	// used by VNet and Tailscale do, at least).
+	return ifaceName, nil
+}
+
+func (c *RouteConflictDiag) commands(ctx context.Context) []*exec.Cmd {
+	return []*exec.Cmd{
+		exec.CommandContext(ctx, "netstat.exe", "-rn"),
+		exec.CommandContext(ctx, "ipconfig.exe", "/all"),
+		exec.CommandContext(ctx, "netsh.exe", "namespace", "show", "effectivepolicy"),
+	}
+}
diff --git a/web/packages/teleterm/src/ui/Vnet/VnetConnectionItem.tsx b/web/packages/teleterm/src/ui/Vnet/VnetConnectionItem.tsx
index 9ef08eceffc83..ca303cd2942ca 100644
--- a/web/packages/teleterm/src/ui/Vnet/VnetConnectionItem.tsx
+++ b/web/packages/teleterm/src/ui/Vnet/VnetConnectionItem.tsx
@@ -114,7 +114,6 @@ const VnetConnectionItemBase = forwardRef<
     diagnosticsAttempt,
     getDisabledDiagnosticsReason,
     showDiagWarningIndicator,
-    isDiagSupported,
   } = useVnetContext();
   const { close: closeConnectionsPanel } = useConnectionsContext();
   const rootClusterUri = useStoreSelector(
@@ -259,18 +258,16 @@ const VnetConnectionItemBase = forwardRef<
                 </ButtonIcon>
               )}
 
-              {isDiagSupported && (
-                <ButtonIcon
-                  title={disabledDiagnosticsReason || 'Run diagnostics'}
-                  disabled={!!disabledDiagnosticsReason}
-                  onClick={e => {
-                    e.stopPropagation();
-                    props.runDiagnosticsFromVnetPanel();
-                  }}
-                >
-                  <icons.ListMagnifyingGlass size={18} />
-                </ButtonIcon>
-              )}
+              <ButtonIcon
+                title={disabledDiagnosticsReason || 'Run diagnostics'}
+                disabled={!!disabledDiagnosticsReason}
+                onClick={e => {
+                  e.stopPropagation();
+                  props.runDiagnosticsFromVnetPanel();
+                }}
+              >
+                <icons.ListMagnifyingGlass size={18} />
+              </ButtonIcon>
             </>
           )}
 
diff --git a/web/packages/teleterm/src/ui/Vnet/VnetSliderStep.story.tsx b/web/packages/teleterm/src/ui/Vnet/VnetSliderStep.story.tsx
index 8ec5a33d8f246..290698fa115c7 100644
--- a/web/packages/teleterm/src/ui/Vnet/VnetSliderStep.story.tsx
+++ b/web/packages/teleterm/src/ui/Vnet/VnetSliderStep.story.tsx
@@ -46,7 +46,6 @@ type StoryProps = {
     | 'error'
     | 'processing'
     | 'processing-with-previous-results';
-  vnetDiag: boolean;
   runDiagnostics: 'success' | 'error' | 'processing';
   diagReport: 'ok' | 'issues-found' | 'failed-checks';
   isWorkspacePresent: boolean;
@@ -60,7 +59,6 @@ const defaultArgs: StoryProps = {
   clusters: ['teleport.example.com'],
   sshConfigured: false,
   fetchStatus: 'success',
-  vnetDiag: true,
   runDiagnostics: 'success',
   diagReport: 'ok',
   isWorkspacePresent: true,
@@ -117,9 +115,7 @@ const meta: Meta<StoryProps> = {
 export default meta;
 
 function VnetSliderStep(props: StoryProps) {
-  const appContext = new MockAppContext({
-    platform: props.vnetDiag ? 'darwin' : 'win32',
-  });
+  const appContext = new MockAppContext();
 
   if (props.isWorkspacePresent) {
     appContext.addRootCluster(makeRootCluster());
diff --git a/web/packages/teleterm/src/ui/Vnet/vnetContext.tsx b/web/packages/teleterm/src/ui/Vnet/vnetContext.tsx
index 1f20aa48be18b..3779cf77be607 100644
--- a/web/packages/teleterm/src/ui/Vnet/vnetContext.tsx
+++ b/web/packages/teleterm/src/ui/Vnet/vnetContext.tsx
@@ -54,10 +54,6 @@ export type VnetContext = {
    * Describes whether the given OS can run VNet.
    */
   isSupported: boolean;
-  /**
-   * Describes whether the given OS can run VNet diagnostics.
-   */
-  isDiagSupported: boolean;
   status: VnetStatus;
   start: () => Promise<[void, Error]>;
   startAttempt: Attempt<void>;
@@ -149,7 +145,6 @@ export const VnetContextProvider: FC<
     [mainProcessClient]
   );
   const isSupported = platform === 'darwin' || platform === 'win32';
-  const isDiagSupported = platform === 'darwin';
 
   const [startAttempt, start] = useAsync(
     useCallback(async () => {
@@ -429,10 +424,6 @@ export const VnetContextProvider: FC<
 
   useEffect(
     function periodicallyRunDiagnostics() {
-      if (!isDiagSupported) {
-        return;
-      }
-
       if (status.value !== 'running') {
         return;
       }
@@ -454,7 +445,6 @@ export const VnetContextProvider: FC<
       };
     },
     [
-      isDiagSupported,
       diagnosticsIntervalMs,
       runDiagnosticsAndShowNotification,
       status.value,
@@ -466,7 +456,6 @@ export const VnetContextProvider: FC<
     <VnetContext.Provider
       value={{
         isSupported,
-        isDiagSupported,
         status,
         start,
         startAttempt,

From 94caa6983fa06ea3ef9c1956b8eb1238bf87d04a Mon Sep 17 00:00:00 2001
From: Nic Klaassen <nic@goteleport.com>
Date: Sun, 22 Jun 2025 11:22:22 -0700
Subject: [PATCH 14/25] [v18] fix: data race in vnet.TestSSH

Backport #55980 to branch/v18
---
 lib/vnet/ssh_agent.go | 13 ++++++++---
 lib/vnet/vnet_test.go | 54 ++++++++++++++++++++++---------------------
 2 files changed, 38 insertions(+), 29 deletions(-)

diff --git a/lib/vnet/ssh_agent.go b/lib/vnet/ssh_agent.go
index 314db3373938e..1db229c1e82fa 100644
--- a/lib/vnet/ssh_agent.go
+++ b/lib/vnet/ssh_agent.go
@@ -19,6 +19,7 @@ package vnet
 import (
 	"context"
 	"crypto/rand"
+	"sync"
 
 	"github.com/gravitational/trace"
 	"golang.org/x/crypto/ssh"
@@ -33,10 +34,8 @@ import (
 // and the root cluster proxy terminated with the SSH key in the
 // [ssh.ClientConfig], and then the key forwarded via this agent will be used
 // to terminate the final SSH connection to the target node.
-//
-// It is not safe for concurrent use, setSessionKey must only be called before
-// the agent will actually be used.
 type sshAgent struct {
+	mu     sync.Mutex
 	signer ssh.Signer
 }
 
@@ -49,6 +48,8 @@ func newSSHAgent() *sshAgent {
 // agent must be passed to [proxy.Client.DialHost] before the session SSH
 // signer has been created.
 func (a *sshAgent) setSessionKey(signer ssh.Signer) error {
+	a.mu.Lock()
+	defer a.mu.Unlock()
 	if a.signer != nil {
 		return trace.Errorf("sshAgent.setSessionKey must be called at most once (this is a bug)")
 	}
@@ -59,6 +60,8 @@ func (a *sshAgent) setSessionKey(signer ssh.Signer) error {
 // List implements [agent.ExtendedAgent.List], it returns a single key if it
 // has been set by setSessionKey.
 func (a *sshAgent) List() ([]*agent.Key, error) {
+	a.mu.Lock()
+	defer a.mu.Unlock()
 	if a.signer == nil {
 		return nil, nil
 	}
@@ -72,6 +75,8 @@ func (a *sshAgent) List() ([]*agent.Key, error) {
 // List implements [agent.ExtendedAgent.Signers], it returns a single key if it
 // has been set by setSessionKey.
 func (a *sshAgent) Signers() ([]ssh.Signer, error) {
+	a.mu.Lock()
+	defer a.mu.Unlock()
 	if a.signer == nil {
 		return nil, nil
 	}
@@ -88,6 +93,8 @@ func (a *sshAgent) Sign(key ssh.PublicKey, data []byte) (*ssh.Signature, error)
 // SSH signature with a.signer if it has been set and matches the requested
 // key.
 func (a *sshAgent) SignWithFlags(key ssh.PublicKey, data []byte, flags agent.SignatureFlags) (*ssh.Signature, error) {
+	a.mu.Lock()
+	defer a.mu.Unlock()
 	if a.signer == nil {
 		return nil, trace.Errorf("VNet SSH agent has no signer")
 	}
diff --git a/lib/vnet/vnet_test.go b/lib/vnet/vnet_test.go
index 0e3ef9c42636a..07f6075aed119 100644
--- a/lib/vnet/vnet_test.go
+++ b/lib/vnet/vnet_test.go
@@ -1158,8 +1158,7 @@ func testWithAlgorithmSuite(t *testing.T, suite types.SignatureAlgorithmSuite) {
 
 // TestSSH tests basic VNet SSH functionality.
 func TestSSH(t *testing.T) {
-	ctx, cancel := context.WithCancel(context.Background())
-	t.Cleanup(cancel)
+	ctx := t.Context()
 	clock := clockwork.NewRealClock()
 	homePath := t.TempDir()
 
@@ -1343,42 +1342,44 @@ func TestSSH(t *testing.T) {
 		t.Run(fmt.Sprintf("%s@%s:%d", tc.sshUser, tc.dialAddr, tc.dialPort), func(t *testing.T) {
 			t.Parallel()
 
-			lookupCtx, cancel := context.WithTimeout(ctx, 100*time.Millisecond)
-			defer cancel()
-			// The DNS lookup for *.<cluster-name> should resolve to an IP in
-			// the expected CIDR range for the cluster.
-			resolvedAddrs, err := p.lookupHost(lookupCtx, tc.dialAddr)
 			if tc.expectLookupToFail {
+				// In these cases the DNS lookup is expected to fail, just run the DNS lookup.
+				ctx, cancel := context.WithTimeout(ctx, 100*time.Millisecond)
+				defer cancel()
+				_, err := p.lookupHost(ctx, tc.dialAddr)
 				require.Error(t, err)
 				return
 			}
-			require.NoError(t, err)
 
-			_, expectNet, err := net.ParseCIDR(tc.expectCIDR)
-			require.NoError(t, err)
-
-			for _, resolvedAddr := range resolvedAddrs {
-				resolvedIP := net.ParseIP(resolvedAddr)
-				// The query may have resolved to a v4 or v6 address or both,
-				// either way the 4-byte suffix should be a valid IPv4 address
-				// in the expected CIDR range.
-				resolvedIPSuffix := resolvedIP[len(resolvedIP)-4:]
-				assert.True(t, expectNet.Contains(resolvedIPSuffix),
-					"expected CIDR range %s does not include resolved IP %s", expectNet, resolvedIPSuffix)
-			}
-
-			// TCP dial the target address, it should fail if the node doesn't
-			// exist.
-			dialCtx, cancel := context.WithTimeout(ctx, 100*time.Millisecond)
-			defer cancel()
-			conn, err := p.dialHost(dialCtx, tc.dialAddr, tc.dialPort)
 			if tc.expectDialToFail {
+				// In these cases the DNS lookup should succeed but then the
+				// TCP dial should fail, do each separately to make sure we
+				// catch the error at the right step.
+				resolvedAddrs, err := p.lookupHost(ctx, tc.dialAddr)
+				require.NoError(t, err)
+				require.NotEmpty(t, resolvedAddrs)
+
+				ctx, cancel := context.WithTimeout(ctx, 100*time.Millisecond)
+				defer cancel()
+				_, err = p.dialHost(ctx, resolvedAddrs[0], tc.dialPort)
 				require.Error(t, err)
 				return
 			}
+
+			conn, err := p.dialHost(ctx, tc.dialAddr, tc.dialPort)
 			require.NoError(t, err)
 			defer conn.Close()
 
+			// The DNS query may have resolved to a v4 or v6 address, either
+			// way the 4-byte suffix should be a valid IPv4 address in the
+			// expected CIDR range.
+			resolvedIP := conn.RemoteAddr().(*net.TCPAddr).IP
+			resolvedIPSuffix := resolvedIP[len(resolvedIP)-4:]
+			_, expectNet, err := net.ParseCIDR(tc.expectCIDR)
+			require.NoError(t, err)
+			assert.True(t, expectNet.Contains(resolvedIPSuffix),
+				"expected CIDR range %s does not include resolved IP %s", expectNet, resolvedIPSuffix)
+
 			// Initiate an SSH connection to the target. At this point the
 			// handshake should complete successfully as long as the right keys
 			// are used, but the SSH connection will be immediately closed by
@@ -1414,6 +1415,7 @@ func TestSSH(t *testing.T) {
 
 	// Test that a fresh SSH host cert is used on each connection.
 	t.Run("ephemeral certs", func(t *testing.T) {
+		t.Parallel()
 		// Set up the SSH client config to capture the host certs it sees.
 		var checkedHostCerts []*ssh.Certificate
 		clientConfig := &ssh.ClientConfig{

From 6830541cb2ea9dd394a8bd7e94c2df830aaa84b5 Mon Sep 17 00:00:00 2001
From: Nic Klaassen <nic@goteleport.com>
Date: Mon, 23 Jun 2025 09:47:54 -0700
Subject: [PATCH 15/25] [v18][vnet] feat: mention SSH on VNet info page

Backport #55973 to branch/v18
---
 .../teleterm/src/ui/Vnet/DocumentVnetInfo.tsx | 77 ++++++++++++++++++-
 1 file changed, 73 insertions(+), 4 deletions(-)

diff --git a/web/packages/teleterm/src/ui/Vnet/DocumentVnetInfo.tsx b/web/packages/teleterm/src/ui/Vnet/DocumentVnetInfo.tsx
index 878ae406aa808..d21ed692f32a6 100644
--- a/web/packages/teleterm/src/ui/Vnet/DocumentVnetInfo.tsx
+++ b/web/packages/teleterm/src/ui/Vnet/DocumentVnetInfo.tsx
@@ -39,7 +39,7 @@ export function DocumentVnetInfo(props: {
   doc: docTypes.DocumentVnetInfo;
 }) {
   const { doc } = props;
-  const { mainProcessClient } = useAppContext();
+  const { mainProcessClient, clustersService } = useAppContext();
   const {
     startAttempt,
     stop: stopVnet,
@@ -47,12 +47,14 @@ export function DocumentVnetInfo(props: {
     status,
   } = useVnetContext();
   const { launchVnetWithoutFirstTimeCheck } = useVnetLauncher();
-  const userAtHost = useMemo(() => {
-    const { hostname, username } = mainProcessClient.getRuntimeSettings();
-    return `${username}@${hostname}`;
+  const { username, hostname } = useMemo(() => {
+    const { username, hostname } = mainProcessClient.getRuntimeSettings();
+    return { username, hostname };
   }, [mainProcessClient]);
+  const userAtHost = `${username}@${hostname}`;
   const { rootClusterUri, documentsService } = useWorkspaceContext();
   const proxyHostname = routing.parseClusterName(rootClusterUri);
+  const clusterName = clustersService.findCluster(rootClusterUri).name;
 
   const startVnet = async () => {
     await launchVnetWithoutFirstTimeCheck(doc.launcherArgs);
@@ -229,6 +231,60 @@ export function DocumentVnetInfo(props: {
             </DemoPart>
           </ComparisonOption>
         </UseCaseSection>
+
+        {/* VNet SSH */}
+        <UseCaseSection>
+          <TitleAndLearnMoreContainer>
+            <H2>SSH Servers With 3rd-Party SSH Clients</H2>
+            {/* TODO(nklaassen): link to new VNet SSH docs */}
+            <LearnMoreButton href="#">Learn More</LearnMoreButton>
+          </TitleAndLearnMoreContainer>
+
+          <ComparisonOption>
+            <TextPart>
+              <H3>With VNet</H3>
+              <P2>
+                Connect directly to Teleport SSH servers with any
+                OpenSSH-compatible client or your preferred editor's remote SSH
+                extension. VNet will intercept the connection to authenticate
+                with your SSH certificate and handle Teleport features like
+                hardware keys and per-session MFA with prompts displayed in
+                Connect.
+              </P2>
+            </TextPart>
+
+            <DemoTerminal
+              flex={demoFlex}
+              title={userAtHost}
+              text={sshWithVNet(username, clusterName)}
+              width="100%"
+              boxShadow={2}
+            />
+          </ComparisonOption>
+
+          <ComparisonOption>
+            <TextPart>
+              <H3>Without VNet</H3>
+              <P2>
+                You can still connect to Teleport SSH servers with many
+                OpenSSH-compatible clients, but you'll need to configure the
+                client to use your Teleport user SSH certificate and use a
+                ProxyCommand to make the connection, and Teleport features like
+                hardware keys and per-session MFA are not supported.
+              </P2>
+            </TextPart>
+
+            <Stack flex={demoFlex} gap={2} fullWidth>
+              <DemoTerminal
+                flex={demoFlex}
+                title={userAtHost}
+                text={sshWithoutVNet(username, clusterName)}
+                width="100%"
+                boxShadow={2}
+              />
+            </Stack>
+          </ComparisonOption>
+        </UseCaseSection>
       </Stack>
     </Document>
   );
@@ -298,3 +354,16 @@ const curlWithoutVnet = `$ curl http://127.0.0.1:61397
   "body": ""
 }
 `;
+
+const sshWithVNet = (
+  username: string,
+  clusterName: string
+) => `$ ssh ${username}@server.${clusterName}
+${username}@server:~$ `;
+
+const sshWithoutVNet = (
+  username: string,
+  clusterName: string
+) => `$ tsh config > teleport_ssh_config
+$ ssh -F ./teleport_ssh_config ${username}@server.${clusterName}
+${username}@server:~$ `;

From 11bd108e61373933d467320f68028ecebbb6ffd7 Mon Sep 17 00:00:00 2001
From: Nic Klaassen <nic@goteleport.com>
Date: Mon, 23 Jun 2025 10:33:33 -0700
Subject: [PATCH 16/25] [v18][vnet] feat: serve DNS on IPv4

Backport #55539 to branch/v18
---
 lib/vnet/admin_process_darwin.go   | 13 +++---
 lib/vnet/admin_process_windows.go  | 13 +++---
 lib/vnet/network_stack.go          | 35 +++++++++-----
 lib/vnet/osconfig.go               | 17 +------
 lib/vnet/osconfig_darwin.go        | 30 ++++++++----
 lib/vnet/osconfig_provider.go      | 75 ++++++++++++++++++++++--------
 lib/vnet/osconfig_provider_test.go | 40 ++++++++++++----
 lib/vnet/osconfig_windows.go       | 33 +++++++++----
 lib/vnet/unsupported_os.go         |  1 +
 9 files changed, 169 insertions(+), 88 deletions(-)

diff --git a/lib/vnet/admin_process_darwin.go b/lib/vnet/admin_process_darwin.go
index 9161c45d94d4e..0465dd8e8aae5 100644
--- a/lib/vnet/admin_process_darwin.go
+++ b/lib/vnet/admin_process_darwin.go
@@ -75,12 +75,13 @@ func RunDarwinAdminProcess(ctx context.Context, config daemon.Config) error {
 		return trace.Wrap(err, "reporting network stack info to client application")
 	}
 
-	osConfigProvider, err := newOSConfigProvider(
-		clt,
-		tunName,
-		networkStackConfig.ipv6Prefix.String(),
-		networkStackConfig.dnsIPv6.String(),
-	)
+	osConfigProvider, err := newOSConfigProvider(osConfigProviderConfig{
+		clt:           clt,
+		tunName:       tunName,
+		ipv6Prefix:    networkStackConfig.ipv6Prefix.String(),
+		dnsIPv6:       networkStackConfig.dnsIPv6.String(),
+		addDNSAddress: networkStack.addDNSAddress,
+	})
 	if err != nil {
 		return trace.Wrap(err, "creating OS config provider")
 	}
diff --git a/lib/vnet/admin_process_windows.go b/lib/vnet/admin_process_windows.go
index a386ae57d63e9..09afbf8619d48 100644
--- a/lib/vnet/admin_process_windows.go
+++ b/lib/vnet/admin_process_windows.go
@@ -116,12 +116,13 @@ func runWindowsAdminProcess(ctx context.Context, cfg *windowsAdminProcessConfig)
 		return trace.Wrap(err, "reporting network stack info to client application")
 	}
 
-	osConfigProvider, err := newOSConfigProvider(
-		clt,
-		tunName,
-		networkStackConfig.ipv6Prefix.String(),
-		networkStackConfig.dnsIPv6.String(),
-	)
+	osConfigProvider, err := newOSConfigProvider(osConfigProviderConfig{
+		clt:           clt,
+		tunName:       tunName,
+		ipv6Prefix:    networkStackConfig.ipv6Prefix.String(),
+		dnsIPv6:       networkStackConfig.dnsIPv6.String(),
+		addDNSAddress: networkStack.addDNSAddress,
+	})
 	if err != nil {
 		return trace.Wrap(err, "creating OS config provider")
 	}
diff --git a/lib/vnet/network_stack.go b/lib/vnet/network_stack.go
index 25256b4a4eb59..6c7d38ba14415 100644
--- a/lib/vnet/network_stack.go
+++ b/lib/vnet/network_stack.go
@@ -158,6 +158,10 @@ type networkStack struct {
 	// ipv6Prefix holds the 96-bit prefix that will be used for all IPv6 addresses assigned in the VNet.
 	ipv6Prefix tcpip.Address
 
+	// dnsServer is the VNet's local DNS server that can handle UDP DNS
+	// requests.
+	dnsServer *dns.Server
+
 	// tcpHandlerResolver resolves FQDNs to a TCP handler that will be used to handle all future TCP
 	// connections to IP addresses that will be assigned to that FQDN.
 	tcpHandlerResolver *tcpHandlerResolver
@@ -233,6 +237,19 @@ func newNetworkStack(cfg *networkStackConfig) (*networkStack, error) {
 		slog:               slog,
 	}
 
+	upstreamNameserverSource := cfg.upstreamNameserverSource
+	if upstreamNameserverSource == nil {
+		upstreamNameserverSource, err = dns.NewOSUpstreamNameserverSource()
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+	}
+	dnsServer, err := dns.NewServer(ns, upstreamNameserverSource)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	ns.dnsServer = dnsServer
+
 	tcpForwarder := tcp.NewForwarder(ns.stack, tcpReceiveBufferSize, maxInFlightTCPConnectionAttempts, ns.handleTCP)
 	ns.stack.SetTransportProtocolHandler(tcp.ProtocolNumber, tcpForwarder.HandlePacket)
 
@@ -240,17 +257,6 @@ func newNetworkStack(cfg *networkStackConfig) (*networkStack, error) {
 	ns.stack.SetTransportProtocolHandler(udp.ProtocolNumber, udpForwarder.HandlePacket)
 
 	if cfg.dnsIPv6 != (tcpip.Address{}) {
-		upstreamNameserverSource := cfg.upstreamNameserverSource
-		if upstreamNameserverSource == nil {
-			upstreamNameserverSource, err = dns.NewOSUpstreamNameserverSource()
-			if err != nil {
-				return nil, trace.Wrap(err)
-			}
-		}
-		dnsServer, err := dns.NewServer(ns, upstreamNameserverSource)
-		if err != nil {
-			return nil, trace.Wrap(err)
-		}
 		if err := ns.assignUDPHandler(cfg.dnsIPv6, dnsServer); err != nil {
 			return nil, trace.Wrap(err)
 		}
@@ -542,6 +548,13 @@ func (ns *networkStack) assignUDPHandler(addr tcpip.Address, handler udpHandler)
 	return nil
 }
 
+// addDNSAddress adds a DNS handler at the given IP.
+func (ns *networkStack) addDNSAddress(ip net.IP) error {
+	slog.DebugContext(context.Background(), "Serving DNS on IPv4.", "dns_addr", ip.String())
+	return trace.Wrap(ns.assignUDPHandler(tcpip.AddrFromSlice(ip), ns.dnsServer),
+		"adding UDP handler at %s", ip.String())
+}
+
 // ResolveA implements [dns.Resolver.ResolveA].
 func (ns *networkStack) ResolveA(ctx context.Context, fqdn string) (dns.Result, error) {
 	// Do the actual resolution within a [singleflight.Group] keyed by [fqdn] to avoid concurrent requests to
diff --git a/lib/vnet/osconfig.go b/lib/vnet/osconfig.go
index 4b0a19eadd033..c27336fe33c17 100644
--- a/lib/vnet/osconfig.go
+++ b/lib/vnet/osconfig.go
@@ -18,7 +18,6 @@ package vnet
 
 import (
 	"context"
-	"net"
 	"net/netip"
 	"os/exec"
 	"strings"
@@ -32,7 +31,7 @@ type osConfig struct {
 	tunIPv4    string
 	tunIPv6    string
 	cidrRanges []string
-	dnsAddr    string
+	dnsAddrs   []string
 	dnsZones   []string
 }
 
@@ -125,20 +124,6 @@ func tunIPv6ForPrefix(ipv6Prefix string) (string, error) {
 	return addr.Next().String(), nil
 }
 
-// tunIPv4ForCIDR returns the IPv4 address to use for the TUN interface in
-// cidrRange. It always returns the second address in the range.
-func tunIPv4ForCIDR(cidrRange string) (string, error) {
-	_, ipnet, err := net.ParseCIDR(cidrRange)
-	if err != nil {
-		return "", trace.Wrap(err, "parsing CIDR %q", cidrRange)
-	}
-	// ipnet.IP is the network address, ending in 0s, like 100.64.0.0
-	// Add 1 to assign the TUN address, like 100.64.0.1
-	tunAddress := ipnet.IP
-	tunAddress[len(tunAddress)-1]++
-	return tunAddress.String(), nil
-}
-
 func runCommand(ctx context.Context, path string, args ...string) error {
 	cmdString := strings.Join(append([]string{path}, args...), " ")
 	log.DebugContext(ctx, "Running command", "cmd", cmdString)
diff --git a/lib/vnet/osconfig_darwin.go b/lib/vnet/osconfig_darwin.go
index eb7b7307a19cc..4dcdd9e3da777 100644
--- a/lib/vnet/osconfig_darwin.go
+++ b/lib/vnet/osconfig_darwin.go
@@ -18,10 +18,12 @@ package vnet
 
 import (
 	"bufio"
+	"bytes"
 	"context"
 	"os"
 	"path/filepath"
 
+	"github.com/google/renameio/v2"
 	"github.com/gravitational/trace"
 )
 
@@ -69,7 +71,7 @@ func platformConfigureOS(ctx context.Context, cfg *osConfig, _ *platformOSConfig
 		}
 	}
 
-	if err := configureDNS(ctx, cfg.dnsAddr, cfg.dnsZones); err != nil {
+	if err := configureDNS(ctx, cfg.dnsAddrs, cfg.dnsZones); err != nil {
 		return trace.Wrap(err, "configuring DNS")
 	}
 
@@ -80,12 +82,14 @@ const resolverFileComment = "# automatically installed by Teleport VNet"
 
 var resolverPath = filepath.Join("/", "etc", "resolver")
 
-func configureDNS(ctx context.Context, nameserver string, zones []string) error {
-	if len(nameserver) == 0 && len(zones) > 0 {
-		return trace.BadParameter("empty nameserver with non-empty zones")
+func configureDNS(ctx context.Context, nameservers []string, zones []string) error {
+	if len(nameservers) == 0 {
+		// There are no nameservers so VNet can't handle any DNS zones. Continue
+		// so that any VNet-managed resolver files can be deleted.
+		zones = nil
 	}
 
-	log.DebugContext(ctx, "Configuring DNS.", "nameserver", nameserver, "zones", zones)
+	log.DebugContext(ctx, "Configuring DNS.", "nameservers", nameservers, "zones", zones)
 	if err := os.MkdirAll(resolverPath, os.FileMode(0755)); err != nil {
 		return trace.Wrap(err, "creating %s", resolverPath)
 	}
@@ -95,14 +99,22 @@ func configureDNS(ctx context.Context, nameserver string, zones []string) error
 		return trace.Wrap(err, "finding VNet managed files in /etc/resolver")
 	}
 
-	// Always attempt to write or clean up all files below, even if encountering errors with one or more of
-	// them.
+	// Always attempt to write or clean up all files below, even if encountering
+	// errors with one or more of them.
 	var allErrors []error
 
+	var fileContents bytes.Buffer
+	fileContents.WriteString(resolverFileComment)
+	fileContents.WriteByte('\n')
+	for _, nameserver := range nameservers {
+		fileContents.WriteString("nameserver ")
+		fileContents.WriteString(nameserver)
+		fileContents.WriteByte('\n')
+	}
+
 	for _, zone := range zones {
 		fileName := filepath.Join(resolverPath, zone)
-		contents := resolverFileComment + "\nnameserver " + nameserver
-		if err := os.WriteFile(fileName, []byte(contents), 0644); err != nil {
+		if err := renameio.WriteFile(fileName, fileContents.Bytes(), 0644); err != nil {
 			allErrors = append(allErrors, trace.Wrap(err, "writing DNS configuration file %s", fileName))
 		} else {
 			// Successfully wrote this file, don't clean it up below.
diff --git a/lib/vnet/osconfig_provider.go b/lib/vnet/osconfig_provider.go
index 3a45e8aa89000..a2f4bbf4233bd 100644
--- a/lib/vnet/osconfig_provider.go
+++ b/lib/vnet/osconfig_provider.go
@@ -18,6 +18,8 @@ package vnet
 
 import (
 	"context"
+	"net"
+	"slices"
 
 	"github.com/gravitational/trace"
 
@@ -27,60 +29,93 @@ import (
 // osConfigProvider fetches a target OS configuration based on cluster
 // configuration fetched via the client application process available over gRPC.
 type osConfigProvider struct {
-	clt     targetOSConfigGetter
-	tunName string
-	dnsAddr string
-	tunIPv6 string
-	tunIPv4 string
+	cfg      osConfigProviderConfig
+	dnsAddrs []string
+	tunIPv6  string
+	tunIPv4  string
+}
+
+// osConfigProviderConfig holds configuration parameters for an osConfigProvider.
+type osConfigProviderConfig struct {
+	clt           targetOSConfigGetter
+	tunName       string
+	ipv6Prefix    string
+	dnsIPv6       string
+	addDNSAddress func(net.IP) error
 }
 
 type targetOSConfigGetter interface {
 	GetTargetOSConfiguration(context.Context) (*vnetv1.TargetOSConfiguration, error)
 }
 
-func newOSConfigProvider(clt targetOSConfigGetter, tunName, ipv6Prefix, dnsAddr string) (*osConfigProvider, error) {
-	tunIPv6, err := tunIPv6ForPrefix(ipv6Prefix)
+func newOSConfigProvider(cfg osConfigProviderConfig) (*osConfigProvider, error) {
+	tunIPv6, err := tunIPv6ForPrefix(cfg.ipv6Prefix)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
 	return &osConfigProvider{
-		clt:     clt,
-		tunName: tunName,
-		dnsAddr: dnsAddr,
-		tunIPv6: tunIPv6,
+		cfg:      cfg,
+		dnsAddrs: []string{cfg.dnsIPv6},
+		tunIPv6:  tunIPv6,
 	}, nil
 }
 
 func (p *osConfigProvider) targetOSConfig(ctx context.Context) (*osConfig, error) {
-	targetOSConfig, err := p.clt.GetTargetOSConfiguration(ctx)
+	targetOSConfig, err := p.cfg.clt.GetTargetOSConfiguration(ctx)
 	if err != nil {
 		return nil, trace.Wrap(err, "getting target OS configuration from client application")
 	}
 	if p.tunIPv4 == "" && len(targetOSConfig.Ipv4CidrRanges) > 0 {
-		// Choose an IPv4 address for the TUN interface from the CIDR range of one arbitrary currently
-		// logged-in cluster. Only one IPv4 address is needed.
-		if err := p.setTunIPv4FromCIDR(targetOSConfig.Ipv4CidrRanges[0]); err != nil {
+		// Choose an IPv4 address for the TUN interface and the IPv4 DNS server
+		// from the CIDR range of one arbitrary currently logged-in cluster.
+		// We currently only assign one V4 address to the interface and only
+		// advertise DNS on one V4 address.
+		if err := p.setV4IPsFromFirstCIDR(targetOSConfig.Ipv4CidrRanges[0]); err != nil {
 			return nil, trace.Wrap(err, "setting TUN IPv4 address")
 		}
 	}
 	return &osConfig{
-		tunName:    p.tunName,
+		tunName:    p.cfg.tunName,
 		tunIPv6:    p.tunIPv6,
 		tunIPv4:    p.tunIPv4,
-		dnsAddr:    p.dnsAddr,
+		dnsAddrs:   p.dnsAddrs,
 		dnsZones:   targetOSConfig.GetDnsZones(),
 		cidrRanges: targetOSConfig.GetIpv4CidrRanges(),
 	}, nil
 }
 
-func (p *osConfigProvider) setTunIPv4FromCIDR(cidrRange string) error {
+func (p *osConfigProvider) setV4IPsFromFirstCIDR(cidrRange string) error {
 	if p.tunIPv4 != "" {
+		// Only set these once.
 		return nil
 	}
-	ip, err := tunIPv4ForCIDR(cidrRange)
+	tunIPv4, dnsIPv4, err := ipsForCIDR(cidrRange)
 	if err != nil {
 		return trace.Wrap(err, "setting TUN IPv4 address for range %s", cidrRange)
 	}
-	p.tunIPv4 = ip
+	if err := p.cfg.addDNSAddress(dnsIPv4); err != nil {
+		return trace.Wrap(err, "adding IPv4 DNS server at %s", dnsIPv4.String())
+	}
+	p.tunIPv4 = tunIPv4.String()
+	p.dnsAddrs = append(p.dnsAddrs, dnsIPv4.String())
 	return nil
 }
+
+// ipsForCIDR returns the V4 IPs to assign to the interface and use for DNS in
+// cidrRange.
+func ipsForCIDR(cidrRange string) (tunIP net.IP, dnsIP net.IP, err error) {
+	_, ipnet, err := net.ParseCIDR(cidrRange)
+	if err != nil {
+		return nil, nil, trace.Wrap(err, "parsing CIDR %q", cidrRange)
+	}
+	// ipnet.IP is the network address, ending in 0s, like 100.64.0.0
+	// Add 1 to assign the TUN address, like 100.64.0.1
+	tunIP = ipnet.IP
+	tunIP[len(tunIP)-1]++
+
+	// Add 1 again to assign the DNS address, like 100.64.0.2
+	dnsIP = slices.Clone(tunIP)
+	dnsIP[len(dnsIP)-1]++
+
+	return tunIP, dnsIP, nil
+}
diff --git a/lib/vnet/osconfig_provider_test.go b/lib/vnet/osconfig_provider_test.go
index af49b67aaa203..dd4014fd6123d 100644
--- a/lib/vnet/osconfig_provider_test.go
+++ b/lib/vnet/osconfig_provider_test.go
@@ -18,6 +18,7 @@ package vnet
 
 import (
 	"context"
+	"net"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -31,7 +32,7 @@ func TestOSConfigProvider(t *testing.T) {
 		desc                 string
 		tunName              string
 		ipv6Prefix           string
-		dnsAddr              string
+		dnsIPv6              string
 		dnsZones             []string
 		ipv4CIDRRanges       []string
 		getTargetOSConfigErr error
@@ -44,13 +45,13 @@ func TestOSConfigProvider(t *testing.T) {
 			desc:       "no cidr ranges",
 			tunName:    "testtun1",
 			ipv6Prefix: "fd01:2345:6789::",
-			dnsAddr:    "fd01:2345:6789::2",
+			dnsIPv6:    "fd01:2345:6789::2",
 			dnsZones:   []string{"test.example.com"},
 			expectTargetOSConfig: &osConfig{
 				tunName: "testtun1",
 				// Should be the first non-broadcast address under the IPv6 prefix.
 				tunIPv6:  "fd01:2345:6789::1",
-				dnsAddr:  "fd01:2345:6789::2",
+				dnsAddrs: []string{"fd01:2345:6789::2"},
 				dnsZones: []string{"test.example.com"},
 			},
 		},
@@ -58,15 +59,16 @@ func TestOSConfigProvider(t *testing.T) {
 			desc:           "with cidr range",
 			tunName:        "testtun1",
 			ipv6Prefix:     "fd01:2345:6789::",
-			dnsAddr:        "fd01:2345:6789::2",
+			dnsIPv6:        "fd01:2345:6789::2",
 			dnsZones:       []string{"test.example.com"},
 			ipv4CIDRRanges: []string{"192.168.1.0/24"},
 			expectTargetOSConfig: &osConfig{
 				tunName: "testtun1",
 				// Should be the first non-broadcast address in the CIDR range.
-				tunIPv4:    "192.168.1.1",
-				tunIPv6:    "fd01:2345:6789::1",
-				dnsAddr:    "fd01:2345:6789::2",
+				tunIPv4: "192.168.1.1",
+				tunIPv6: "fd01:2345:6789::1",
+				// Should include the second non-broadcast address in the CIDR range.
+				dnsAddrs:   []string{"fd01:2345:6789::2", "192.168.1.2"},
 				dnsZones:   []string{"test.example.com"},
 				cidrRanges: []string{"192.168.1.0/24"},
 			},
@@ -75,7 +77,7 @@ func TestOSConfigProvider(t *testing.T) {
 			desc:           "multiple cidr ranges",
 			tunName:        "testtun1",
 			ipv6Prefix:     "fd01:2345:6789::",
-			dnsAddr:        "fd01:2345:6789::2",
+			dnsIPv6:        "fd01:2345:6789::2",
 			dnsZones:       []string{"test.example.com"},
 			ipv4CIDRRanges: []string{"10.64.0.0/16", "192.168.1.0/24"},
 			expectTargetOSConfig: &osConfig{
@@ -83,7 +85,7 @@ func TestOSConfigProvider(t *testing.T) {
 				// Should be chosen from the first CIDR range.
 				tunIPv4:    "10.64.0.1",
 				tunIPv6:    "fd01:2345:6789::1",
-				dnsAddr:    "fd01:2345:6789::2",
+				dnsAddrs:   []string{"fd01:2345:6789::2", "10.64.0.2"},
 				dnsZones:   []string{"test.example.com"},
 				cidrRanges: []string{"10.64.0.0/16", "192.168.1.0/24"},
 			},
@@ -97,7 +99,18 @@ func TestOSConfigProvider(t *testing.T) {
 				},
 				err: tc.getTargetOSConfigErr,
 			}
-			osConfigProvider, err := newOSConfigProvider(targetOSConfigGetter, tc.tunName, tc.ipv6Prefix, tc.dnsAddr)
+			// Keep track of new DNS addresses the osConfigProvider tried to add.
+			var addedDNSAddrs []string
+			osConfigProvider, err := newOSConfigProvider(osConfigProviderConfig{
+				clt:        targetOSConfigGetter,
+				tunName:    tc.tunName,
+				ipv6Prefix: tc.ipv6Prefix,
+				dnsIPv6:    tc.dnsIPv6,
+				addDNSAddress: func(ip net.IP) error {
+					addedDNSAddrs = append(addedDNSAddrs, ip.String())
+					return nil
+				},
+			})
 			require.NoError(t, err)
 
 			targetOSConfig, err := osConfigProvider.targetOSConfig(ctx)
@@ -106,6 +119,13 @@ func TestOSConfigProvider(t *testing.T) {
 				return
 			}
 			require.Equal(t, tc.expectTargetOSConfig, targetOSConfig)
+
+			// expectTargetOSConfig.dnsAddrs always starts with the IPv6 DNS
+			// addr, assert that any additional addrs were added to the network
+			// stack.
+			if len(tc.expectTargetOSConfig.dnsAddrs) > 1 {
+				require.ElementsMatch(t, tc.expectTargetOSConfig.dnsAddrs[1:], addedDNSAddrs)
+			}
 		})
 	}
 }
diff --git a/lib/vnet/osconfig_windows.go b/lib/vnet/osconfig_windows.go
index 0b10495434e1a..06bfdb77d0d79 100644
--- a/lib/vnet/osconfig_windows.go
+++ b/lib/vnet/osconfig_windows.go
@@ -43,6 +43,7 @@ type platformOSConfigState struct {
 	configuredV6Address bool
 	configuredRanges    []string
 	configuredDNSZones  []string
+	configuredDNSAddrs  []string
 
 	ifaceIndex string
 }
@@ -114,10 +115,11 @@ func platformConfigureOS(ctx context.Context, cfg *osConfig, state *platformOSCo
 	}
 
 	if shouldUpdateDNSConfig(cfg, state) {
-		if err := configureDNS(ctx, cfg.dnsZones, cfg.dnsAddr); err != nil {
+		if err := configureDNS(ctx, cfg.dnsZones, cfg.dnsAddrs); err != nil {
 			return trace.Wrap(err, "configuring DNS")
 		}
 		state.configuredDNSZones = cfg.dnsZones
+		state.configuredDNSAddrs = cfg.dnsAddrs
 	}
 
 	return nil
@@ -135,20 +137,22 @@ func addrMaskForCIDR(cidr string) (string, string, error) {
 }
 
 func shouldUpdateDNSConfig(cfg *osConfig, state *platformOSConfigState) bool {
-	// Always reconfigure if there should be no zones, to make sure we clear
-	// any leftover state when starting up.
-	if len(cfg.dnsZones) == 0 {
+	// Always reconfigure if there should be no zones or nameservers to make
+	// sure we clear any leftover state when starting up.
+	if len(cfg.dnsAddrs) == 0 || len(cfg.dnsZones) == 0 {
 		return true
 	}
 	// Otherwise, reconfigure if anything has changed.
-	return !utils.ContainSameUniqueElements(cfg.dnsZones, state.configuredDNSZones)
+	return !utils.ContainSameUniqueElements(cfg.dnsZones, state.configuredDNSZones) ||
+		!utils.ContainSameUniqueElements(cfg.dnsAddrs, state.configuredDNSAddrs)
 }
 
-func configureDNS(ctx context.Context, zones []string, nameserver string) (err error) {
-	if len(nameserver) == 0 && len(zones) > 0 {
-		return trace.BadParameter("empty nameserver with non-empty zones")
+func configureDNS(ctx context.Context, zones, nameservers []string) (err error) {
+	if len(nameservers) == 0 {
+		// Can't handle any zones if there are no nameservers.
+		zones = nil
 	}
-	log.InfoContext(ctx, "Configuring DNS.", "nameserver", nameserver, "zones", zones)
+	log.InfoContext(ctx, "Configuring DNS.", "zones", zones, "nameservers", nameservers)
 
 	// Split DNS is configured via the Name Resolution Policy Table in the
 	// Windows registry. The UUID at the end was randomly generated, we'll
@@ -182,15 +186,24 @@ func configureDNS(ctx context.Context, zones []string, nameserver string) (err e
 		err = trace.NewAggregate(origErr, deleteErr, closeErr)
 	}()
 
+	// The NRPT version must be 1.
 	if err := dnsKey.SetDWordValue("Version", 1); err != nil {
 		return trace.Wrap(err, "failed to set Version in DNS registry key")
 	}
+	// Name is a list of strings holding the DNS suffixes to match.
+	// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpnrpt/c1f8a4c0-d4e0-49b2-b4ef-87031be16662
 	if err := dnsKey.SetStringsValue("Name", normalizeDNSZones(zones)); err != nil {
 		return trace.Wrap(err, "failed to set Name in DNS registry key")
 	}
-	if err := dnsKey.SetStringValue("GenericDNSServers", nameserver); err != nil {
+	// GenericDNSServers is a string value holding a semicolon-delimited list of
+	// IP addresses of DNS nameservers.
+	// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpnrpt/06088ca3-4cf1-48fa-8837-ca8d853ee1e8
+	if err := dnsKey.SetStringValue("GenericDNSServers", strings.Join(nameservers, ";")); err != nil {
 		return trace.Wrap(err, "failed to set GenericDNSServers in DNS registry key")
 	}
+	// Setting ConfigOptions to 8 tells NRPT that only GenericDNSServers is
+	// specified (DNSSEC, DirectAccess, and IDN options are not set).
+	// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpnrpt/2d34f260-1e9e-4a52-ac91-2056dfd29702
 	if err := dnsKey.SetDWordValue("ConfigOptions", 8); err != nil {
 		return trace.Wrap(err, "failed to set ConfigOptions in DNS registry key")
 	}
diff --git a/lib/vnet/unsupported_os.go b/lib/vnet/unsupported_os.go
index b21576076ff8a..a003fa6c4f4c3 100644
--- a/lib/vnet/unsupported_os.go
+++ b/lib/vnet/unsupported_os.go
@@ -44,4 +44,5 @@ var (
 	_ = (*osConfigurator).runOSConfigurationLoop
 	_ = runCommand
 	_ = newNetworkStackConfig
+	_ = (*networkStack).addDNSAddress
 )

From 11e8bc244e61c8e8df9f33c7f29d764c870bb8fc Mon Sep 17 00:00:00 2001
From: Nic Klaassen <nic@goteleport.com>
Date: Tue, 24 Jun 2025 13:21:15 -0700
Subject: [PATCH 17/25] [v18][vnet] fix: close proxied channel only after data
 and requests are complete

Backport #56020 to branch/v18
---
 lib/vnet/ssh_proxy.go      | 154 +++++++++++++++++++++++++++----------
 lib/vnet/ssh_proxy_test.go | 104 +++++++++++++++++++++----
 2 files changed, 200 insertions(+), 58 deletions(-)

diff --git a/lib/vnet/ssh_proxy.go b/lib/vnet/ssh_proxy.go
index 9dd2c2a0235e6..df82175c25fd7 100644
--- a/lib/vnet/ssh_proxy.go
+++ b/lib/vnet/ssh_proxy.go
@@ -19,13 +19,12 @@ package vnet
 import (
 	"context"
 	"errors"
+	"io"
 	"log/slog"
 	"sync"
 
 	"github.com/gravitational/trace"
 	"golang.org/x/crypto/ssh"
-
-	"github.com/gravitational/teleport/lib/utils"
 )
 
 // sshConn represents an established SSH client or server connection.
@@ -171,60 +170,134 @@ func proxyChannel(
 		return
 	}
 
-	// Copy channel requests in both directions concurrently. If either fails or
-	// exits it will cancel the context so that utils.ProxyConn below will close
-	// both channels so the other goroutine can also exit.
+	// Copy channel data and requests from the incoming channel to the target
+	// channel, and vice-versa.
+	target := newSSHChan(targetChan, targetChanRequests, slog.With("direction", "client->target"))
+	incoming := newSSHChan(incomingChan, incomingChanRequests, slog.With("direction", "target->client"))
+
 	var wg sync.WaitGroup
 	wg.Add(2)
-	ctx, cancel := context.WithCancel(ctx)
 	go func() {
-		proxyChannelRequests(ctx, log, targetChan, incomingChanRequests, cancel)
-		cancel()
+		target.writeFrom(ctx, incoming)
 		wg.Done()
 	}()
 	go func() {
-		proxyChannelRequests(ctx, log, incomingChan, targetChanRequests, cancel)
-		cancel()
+		incoming.writeFrom(ctx, target)
 		wg.Done()
 	}()
+	wg.Wait()
+}
 
-	// ProxyConn copies channel data bidirectionally. If the context is
-	// canceled it will terminate, it always closes both channels before
-	// returning.
-	if err := utils.ProxyConn(ctx, incomingChan, targetChan); err != nil &&
-		!utils.IsOKNetworkError(err) && !errors.Is(err, context.Canceled) {
-		log.DebugContext(ctx, "Unexpected error proxying channel data", "error", err)
+// sshChan manages all writes to an SSH channel and handles closing the channel
+// once no more data or requests will be written to it.
+type sshChan struct {
+	ch       ssh.Channel
+	requests <-chan *ssh.Request
+	log      *slog.Logger
+}
+
+func newSSHChan(ch ssh.Channel, requests <-chan *ssh.Request, log *slog.Logger) *sshChan {
+	return &sshChan{
+		ch:       ch,
+		requests: requests,
+		log:      log,
 	}
+}
+
+// writeFrom writes channel data and requests from the source to this SSH channel.
+//
+// In the happy path it waits for:
+// - channel data reads from source to return EOF
+// - the source request channel to be closed
+// and then closes this channel.
+//
+// Channel data reads from source can return EOF at any time if it has sent
+// SSH_MSG_CHANNEL_EOF but it is still valid to send more channel requests
+// after this.
+//
+// If an unrecoverable error is encountered it immediately closes both
+// channels.
+func (c *sshChan) writeFrom(ctx context.Context, source *sshChan) {
+	// Close the channel after all data and request writes are complete.
+	defer c.ch.Close()
 
-	// Wait for all goroutines to terminate.
+	var wg sync.WaitGroup
+	wg.Add(2)
+	go func() {
+		c.writeDataFrom(ctx, source)
+		wg.Done()
+	}()
+	go func() {
+		c.writeRequestsFrom(ctx, source)
+		wg.Done()
+	}()
 	wg.Wait()
 }
 
-func proxyChannelRequests(
-	ctx context.Context,
-	log *slog.Logger,
-	targetChan ssh.Channel,
-	reqs <-chan *ssh.Request,
-	closeChannels func(),
-) {
-	log = log.With("request_layer", "channel")
+// writeDataFrom writes channel data from source to this SSH channel.
+// It handles standard channel data and extended channel data of type stderr.
+func (c *sshChan) writeDataFrom(ctx context.Context, source *sshChan) {
+	// Close the channel for writes only after both the standard and stderr
+	// streams are finished writing.
+	defer c.ch.CloseWrite()
+
+	errors := make(chan error, 2)
+	go func() {
+		_, err := io.Copy(c.ch, source.ch)
+		errors <- err
+	}()
+	go func() {
+		_, err := io.Copy(c.ch.Stderr(), source.ch.Stderr())
+		errors <- err
+	}()
+
+	// Read both errors to make sure both goroutines terminate, but only do
+	// anything on the first non-nil error, the second error is likely either
+	// the same as the first one or caused by closing the channel.
+	handledError := false
+	for range 2 {
+		err := <-errors
+		if err != nil && !handledError {
+			handledError = true
+			// Failed to write channel data from source to this channel. This was
+			// not an EOF from source or io.Copy would have returned nil. The
+			// stream might be missing data so close both channels.
+			//
+			// This should also unblock the stderr stream if the regular stream
+			// returned an error, and vice-versa.
+			c.log.ErrorContext(ctx, "Fatal error proxying SSH channel data", "error", err)
+			c.ch.Close()
+			source.ch.Close()
+		}
+	}
+}
+
+// writeRequestsFrom forwards channel requests from source to this SSH channel.
+func (c *sshChan) writeRequestsFrom(ctx context.Context, source *sshChan) {
+	log := c.log.With("request_layer", "channel")
 	sendRequest := func(name string, wantReply bool, payload []byte) (bool, []byte, error) {
-		ok, err := targetChan.SendRequest(name, wantReply, payload)
+		ok, err := c.ch.SendRequest(name, wantReply, payload)
 		// Replies to channel requests never have a payload.
 		return ok, nil, err
 	}
-	proxyRequests(ctx, log, sendRequest, reqs, closeChannels)
+	// Must forcibly close both channels if there was a fatal error proxying
+	// channel requests so that we don't continue in a bad state.
+	onFatalError := func() {
+		c.ch.Close()
+		source.ch.Close()
+	}
+	proxyRequests(ctx, log, sendRequest, source.requests, onFatalError)
 }
 
 func proxyGlobalRequests(
 	ctx context.Context,
 	targetConn ssh.Conn,
 	reqs <-chan *ssh.Request,
-	closeConnections func(),
+	onFatalError func(),
 ) {
 	log := log.With("request_layer", "global")
 	sendRequest := targetConn.SendRequest
-	proxyRequests(ctx, log, sendRequest, reqs, closeConnections)
+	proxyRequests(ctx, log, sendRequest, reqs, onFatalError)
 }
 
 func proxyRequests(
@@ -232,7 +305,7 @@ func proxyRequests(
 	log *slog.Logger,
 	sendRequest func(name string, wantReply bool, payload []byte) (bool, []byte, error),
 	reqs <-chan *ssh.Request,
-	closeRequestSources func(),
+	onFatalError func(),
 ) {
 	for req := range reqs {
 		log := log.With("request_type", req.Type)
@@ -240,23 +313,20 @@ func proxyRequests(
 		ok, reply, err := sendRequest(req.Type, req.WantReply, req.Payload)
 		if err != nil {
 			// We failed to send the request, the target must be dead.
-			log.DebugContext(ctx, "Failed to forward SSH request", "request_type", req.Type, "error", err)
-			// Close both connections or channels to clean up but we must
-			// continue handling requests on the chan until it is closed by
-			// crypto/ssh.
-			closeRequestSources()
-			_ = req.Reply(false, nil)
-			continue
+			log.DebugContext(ctx, "Failed to forward SSH request", "error", err)
+			onFatalError()
+			req.Reply(false, nil)
+			ssh.DiscardRequests(reqs)
+			return
 		}
 		if err := req.Reply(ok, reply); err != nil {
 			// A reply was expected and returned by the target but we failed to
 			// forward it back, the connection that initiated the request must
 			// be dead.
-			log.DebugContext(ctx, "Failed to reply to SSH request", "request_type", req.Type, "error", err)
-			// Close both connections or channels to clean up but we must
-			// continue handling requests on the chan until it is closed by
-			// crypto/ssh.
-			closeRequestSources()
+			log.DebugContext(ctx, "Failed to reply to SSH request", "error", err)
+			onFatalError()
+			ssh.DiscardRequests(reqs)
+			return
 		}
 	}
 }
diff --git a/lib/vnet/ssh_proxy_test.go b/lib/vnet/ssh_proxy_test.go
index 4c9b0e026ab80..d7eb8313c8a11 100644
--- a/lib/vnet/ssh_proxy_test.go
+++ b/lib/vnet/ssh_proxy_test.go
@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"io"
 	"net"
+	"sync"
 	"testing"
 
 	"github.com/gravitational/trace"
@@ -108,11 +109,17 @@ func testSSHConnection(t *testing.T, dial dialer) {
 }
 
 func testConnectionToSshEchoServer(t *testing.T, sshConn ssh.Conn, chans <-chan ssh.NewChannel, reqs <-chan *ssh.Request) {
-	go ssh.DiscardRequests(reqs)
+	requestStreamEnded := make(chan struct{})
+	go func() {
+		ssh.DiscardRequests(reqs)
+		close(requestStreamEnded)
+	}()
+	chanStreamEnded := make(chan struct{})
 	go func() {
 		for newChan := range chans {
 			newChan.Reject(ssh.Prohibited, "test")
 		}
+		close(chanStreamEnded)
 	}()
 
 	// Try sending some global requests.
@@ -136,6 +143,26 @@ func testConnectionToSshEchoServer(t *testing.T, sshConn ssh.Conn, chans <-chan
 	t.Run("echo channel 2", func(t *testing.T) {
 		testEchoChannel(t, sshConn)
 	})
+
+	t.Run("closing", func(t *testing.T) {
+		// Send a request that causes the target server to close the connection
+		// immediately and make sure channel reads are unblocked, and the global
+		// request and channel request streams end.
+		ch, reqs, err := sshConn.OpenChannel("echo", nil)
+		require.NoError(t, err)
+		go ssh.DiscardRequests(reqs)
+		readErr := make(chan error)
+		go func() {
+			var b [1]byte
+			_, err := ch.Read(b[:])
+			readErr <- err
+		}()
+		_, _, err = sshConn.SendRequest("close", false, nil)
+		require.NoError(t, err)
+		require.ErrorIs(t, <-readErr, io.EOF)
+		<-requestStreamEnded
+		<-chanStreamEnded
+	})
 }
 
 func testGlobalRequests(t *testing.T, conn ssh.Conn) {
@@ -156,7 +183,11 @@ func testGlobalRequests(t *testing.T, conn ssh.Conn) {
 func testEchoChannel(t *testing.T, conn ssh.Conn) {
 	ch, reqs, err := conn.OpenChannel("echo", nil)
 	require.NoError(t, err)
-	go ssh.DiscardRequests(reqs)
+	requestStreamEnded := make(chan struct{})
+	go func() {
+		ssh.DiscardRequests(reqs)
+		close(requestStreamEnded)
+	}()
 	defer ch.Close()
 
 	// Try sending a message over the SSH channel and asserting that it is
@@ -170,16 +201,43 @@ func testEchoChannel(t *testing.T, conn ssh.Conn) {
 	require.Equal(t, len(msg), n)
 	require.Equal(t, msg, buf[:n])
 
+	// Try sending a message over stderr and asserting that it is echoed back.
+	_, err = ch.Stderr().Write(msg)
+	require.NoError(t, err)
+	n, err = ch.Stderr().Read(buf[:])
+	require.NoError(t, err)
+	require.Equal(t, len(msg), n)
+	require.Equal(t, msg, buf[:n])
+
 	// Try sending a channel request that expects a reply.
 	reply, err := ch.SendRequest("echo", true, nil)
 	require.NoError(t, err)
 	require.True(t, reply)
 
+	// Close the channel for writes of in-band data and send another channel
+	// request, which should succeed.
+	require.NoError(t, ch.CloseWrite())
+	reply, err = ch.SendRequest("echo", true, nil)
+	require.NoError(t, err)
+	require.True(t, reply)
+
 	// The test server replies false to channel requests with type other than
 	// "echo".
 	reply, err = ch.SendRequest("unknown", true, nil)
 	require.NoError(t, err)
 	require.False(t, reply)
+
+	// Send a channel request that causes the server to close the channel and
+	// make sure channel reads get unblocked and the incoming request stream ends.
+	readErr := make(chan error)
+	go func() {
+		_, err := ch.Read(buf[:])
+		readErr <- err
+	}()
+	_, err = ch.SendRequest("close", false, nil)
+	require.NoError(t, err)
+	require.ErrorIs(t, <-readErr, io.EOF)
+	<-requestStreamEnded
 }
 
 type dialer interface {
@@ -282,7 +340,7 @@ func runTestSSHServerInstance(tcpConn net.Conn, cfg *ssh.ServerConfig) error {
 		return trace.Wrap(err)
 	}
 	go func() {
-		handleEchoRequests(reqs)
+		handleSSHRequests(reqs, sshConn.Close)
 		sshConn.Close()
 	}()
 	handleEchoChannels(chans)
@@ -290,17 +348,6 @@ func runTestSSHServerInstance(tcpConn net.Conn, cfg *ssh.ServerConfig) error {
 	return nil
 }
 
-func handleEchoRequests(reqs <-chan *ssh.Request) {
-	for req := range reqs {
-		switch req.Type {
-		case "echo":
-			req.Reply(true, req.Payload)
-		default:
-			req.Reply(false, nil)
-		}
-	}
-}
-
 func handleEchoChannels(chans <-chan ssh.NewChannel) {
 	for newChan := range chans {
 		switch newChan.ChannelType() {
@@ -317,8 +364,33 @@ func handleEchoChannel(newChan ssh.NewChannel) {
 	if err != nil {
 		return
 	}
-	go handleEchoRequests(reqs)
-	io.Copy(ch, ch)
+	go handleSSHRequests(reqs, ch.Close)
+	defer ch.CloseWrite()
+	var wg sync.WaitGroup
+	wg.Add(2)
+	go func() {
+		io.Copy(ch, ch)
+		wg.Done()
+	}()
+	go func() {
+		io.Copy(ch.Stderr(), ch.Stderr())
+		wg.Done()
+	}()
+	wg.Wait()
+}
+
+func handleSSHRequests(reqs <-chan *ssh.Request, closeSource func() error) {
+	defer closeSource()
+	for req := range reqs {
+		switch req.Type {
+		case "echo":
+			req.Reply(true, req.Payload)
+		case "close":
+			closeSource()
+		default:
+			req.Reply(false, nil)
+		}
+	}
 }
 
 func sshServerConfig(t *testing.T) *ssh.ServerConfig {

From fffa153f03afbf09b41b31b25e4ed17c5bc9d3c1 Mon Sep 17 00:00:00 2001
From: Nic Klaassen <nic@goteleport.com>
Date: Wed, 25 Jun 2025 12:53:42 -0700
Subject: [PATCH 18/25] [v18][vnet] feat: automatic SSH client configuration

Backport #55923 to branch/v18
---
 lib/teleterm/vnet/service.go   |  14 +-
 lib/vnet/diag/ssh.go           | 152 ++++++++------
 lib/vnet/diag/ssh_test.go      | 349 +++++++++++++++++----------------
 lib/vnet/opensshconfig.go      |  79 ++++++++
 lib/vnet/opensshconfig_test.go |  85 ++++++++
 tool/tsh/common/tsh.go         |   3 +
 tool/tsh/common/vnet.go        |  18 ++
 7 files changed, 464 insertions(+), 236 deletions(-)

diff --git a/lib/teleterm/vnet/service.go b/lib/teleterm/vnet/service.go
index c3b17dd6f9a53..e92f981187ff6 100644
--- a/lib/teleterm/vnet/service.go
+++ b/lib/teleterm/vnet/service.go
@@ -238,18 +238,14 @@ func (s *Service) GetServiceInfo(ctx context.Context, _ *api.GetServiceInfoReque
 		return nil, trace.Wrap(err)
 	}
 
-	sshDiag, err := diag.NewSSHDiag(&diag.SSHConfig{
-		ProfilePath: s.cfg.profilePath,
-	})
+	sshConfigChecker, err := diag.NewSSHConfigChecker(s.cfg.profilePath)
 	if err != nil {
-		return nil, trace.Wrap(err, "building SSH diagnostic")
+		return nil, trace.Wrap(err, "building SSH config checker")
 	}
-	sshReport, err := sshDiag.Run(ctx)
-	if err != nil {
-		return nil, trace.Wrap(err, "running SSH diagnostic")
+	_, sshConfigured, err := sshConfigChecker.OpenSSHConfigIncludesVNetSSHConfig()
+	if err != nil && !trace.IsNotFound(err) {
+		return nil, trace.Wrap(err, "checking SSH configuration")
 	}
-	sshConfigured := sshReport.Status == diagv1.CheckReportStatus_CHECK_REPORT_STATUS_OK &&
-		sshReport.GetSshConfigurationReport().UserOpensshConfigIncludesVnetSshConfig
 
 	return &api.GetServiceInfoResponse{
 		AppDnsZones:   unifiedClusterConfig.AppDNSZones(),
diff --git a/lib/vnet/diag/ssh.go b/lib/vnet/diag/ssh.go
index 27be9b1afd741..c0708aa650b2e 100644
--- a/lib/vnet/diag/ssh.go
+++ b/lib/vnet/diag/ssh.go
@@ -31,6 +31,7 @@ import (
 	"github.com/dustin/go-humanize"
 	"github.com/gravitational/trace"
 
+	"github.com/gravitational/teleport/api/constants"
 	"github.com/gravitational/teleport/api/profile"
 	"github.com/gravitational/teleport/api/utils/keypaths"
 	diagv1 "github.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/diag/v1"
@@ -50,27 +51,19 @@ type SSHConfig struct {
 // SSHDiag is a diagnostic check that inspects whether the default user OpenSSH
 // config file includes VNet's generated SSH config file.
 type SSHDiag struct {
-	cfg                   *SSHConfig
-	userHome              string
-	userOpenSSHConfigPath string
-	vnetSSHConfigPath     string
-	isWindows             bool
+	cfg              *SSHConfig
+	sshConfigChecker *SSHConfigChecker
 }
 
 // NewSSHDiag returns a new [SSHDiag].
 func NewSSHDiag(cfg *SSHConfig) (*SSHDiag, error) {
-	userHome, ok := profile.UserHomeDir()
-	if !ok {
-		return nil, trace.Errorf("unable to find user's home directory")
+	sshConfigChecker, err := NewSSHConfigChecker(cfg.ProfilePath)
+	if err != nil {
+		return nil, trace.Wrap(err)
 	}
-	userOpenSSHConfigPath := filepath.Join(userHome, ".ssh", "config")
-	vnetSSHConfigPath := filepath.Join(cfg.ProfilePath, keypaths.VNetSSHConfig)
 	return &SSHDiag{
-		cfg:                   cfg,
-		userHome:              userHome,
-		userOpenSSHConfigPath: userOpenSSHConfigPath,
-		vnetSSHConfigPath:     vnetSSHConfigPath,
-		isWindows:             runtime.GOOS == "windows",
+		cfg:              cfg,
+		sshConfigChecker: sshConfigChecker,
 	}, nil
 }
 
@@ -103,50 +96,84 @@ func (d *SSHDiag) Run(ctx context.Context) (*diagv1.CheckReport, error) {
 }
 
 func (d *SSHDiag) run(ctx context.Context) (*diagv1.SSHConfigurationReport, error) {
-	_, err := os.Stat(d.userOpenSSHConfigPath)
-	userOpenSSHConfigExists := err == nil
-	if !userOpenSSHConfigExists {
-		return &diagv1.SSHConfigurationReport{
-			UserOpensshConfigPath: d.userOpenSSHConfigPath,
-			VnetSshConfigPath:     d.vnetSSHConfigPath,
-		}, nil
+	userOpenSSHConfigContents, included, err := d.sshConfigChecker.OpenSSHConfigIncludesVNetSSHConfig()
+	if err != nil {
+		if trace.IsNotFound(err) {
+			return &diagv1.SSHConfigurationReport{
+				UserOpensshConfigPath: d.sshConfigChecker.UserOpenSSHConfigPath,
+				VnetSshConfigPath:     d.sshConfigChecker.VNetSSHConfigPath,
+			}, nil
+		}
+		return nil, trace.Wrap(err)
+	}
+	if !utf8.Valid(userOpenSSHConfigContents) {
+		return nil, trace.Errorf("%s is not valid UTF-8", d.sshConfigChecker.UserOpenSSHConfigPath)
 	}
+	return &diagv1.SSHConfigurationReport{
+		UserOpensshConfigPath:                  d.sshConfigChecker.UserOpenSSHConfigPath,
+		VnetSshConfigPath:                      d.sshConfigChecker.VNetSSHConfigPath,
+		UserOpensshConfigIncludesVnetSshConfig: included,
+		UserOpensshConfigExists:                true,
+		UserOpensshConfigContents:              string(userOpenSSHConfigContents),
+	}, nil
+}
 
-	userOpenSSHConfigFile, err := os.Open(d.userOpenSSHConfigPath)
+// SSHConfigChecker checks the state of the user's SSH configuration.
+type SSHConfigChecker struct {
+	userHome              string
+	UserOpenSSHConfigPath string
+	VNetSSHConfigPath     string
+	isWindows             bool
+}
+
+// NewSSHConfigChecker returns a new SSHConfigChecker.
+func NewSSHConfigChecker(profilePath string) (*SSHConfigChecker, error) {
+	userHome, ok := profile.UserHomeDir()
+	if !ok {
+		return nil, trace.Errorf("unable to find user's home directory")
+	}
+	userOpenSSHConfigPath := filepath.Join(userHome, ".ssh", "config")
+	vnetSSHConfigPath := keypaths.VNetSSHConfigPath(profilePath)
+	return &SSHConfigChecker{
+		userHome:              userHome,
+		UserOpenSSHConfigPath: userOpenSSHConfigPath,
+		VNetSSHConfigPath:     vnetSSHConfigPath,
+		isWindows:             runtime.GOOS == constants.WindowsOS,
+	}, nil
+}
+
+// OpenSSHConfigIncludesVNetSSHConfig returns the current user OpenSSH
+// configuration file contents (~/.ssh/config) and a boolean indicating whether
+// it already includes VNet's generated OpenSSH-compatible configuration file.
+//
+// If ~/.ssh/config does not exist it returns a [trace.NotFoundError]
+func (c *SSHConfigChecker) OpenSSHConfigIncludesVNetSSHConfig() ([]byte, bool, error) {
+	userOpenSSHConfigFile, err := os.Open(c.UserOpenSSHConfigPath)
 	if err != nil {
-		return nil, trace.Wrap(trace.ConvertSystemError(err), "opening %s for reading", d.userOpenSSHConfigPath)
+		return nil, false, trace.Wrap(trace.ConvertSystemError(err), "opening %s for reading", c.UserOpenSSHConfigPath)
 	}
 	defer userOpenSSHConfigFile.Close()
 
 	userOpenSSHConfigContents, err := io.ReadAll(io.LimitReader(userOpenSSHConfigFile, maxOpenSSHConfigFileSize))
 	if err != nil {
-		return nil, trace.Wrap(trace.ConvertSystemError(err), "reading %s", d.userOpenSSHConfigPath)
+		return nil, false, trace.Wrap(trace.ConvertSystemError(err), "reading %s", c.UserOpenSSHConfigPath)
 	}
 	if len(userOpenSSHConfigContents) == maxOpenSSHConfigFileSize {
-		return nil, trace.Errorf("%s is too large to (max size %s)",
-			d.userOpenSSHConfigPath, humanize.Bytes(maxOpenSSHConfigFileSize))
-	}
-	if !utf8.Valid(userOpenSSHConfigContents) {
-		return nil, trace.Errorf("%s is not valid UTF-8", d.userOpenSSHConfigPath)
+		return nil, false, trace.Errorf("%s is too large to read (max size %s)",
+			c.UserOpenSSHConfigPath, humanize.Bytes(maxOpenSSHConfigFileSize))
 	}
 
-	included, err := d.openSSHConfigIncludesVNetSSHConfig(bytes.NewReader(userOpenSSHConfigContents))
+	included, err := c.openSSHConfigIncludesVNetSSHConfig(bytes.NewReader(userOpenSSHConfigContents))
 	if err != nil {
-		return nil, trace.Wrap(err, "checking if the default user OpenSSH config includes VNet's SSH configuration")
+		return nil, false, trace.Wrap(err, "checking if the default user OpenSSH config includes VNet's SSH configuration")
 	}
-	return &diagv1.SSHConfigurationReport{
-		UserOpensshConfigPath:                  d.userOpenSSHConfigPath,
-		VnetSshConfigPath:                      d.vnetSSHConfigPath,
-		UserOpensshConfigIncludesVnetSshConfig: included,
-		UserOpensshConfigExists:                true,
-		UserOpensshConfigContents:              string(userOpenSSHConfigContents),
-	}, nil
+	return userOpenSSHConfigContents, included, nil
 }
 
-func (d *SSHDiag) openSSHConfigIncludesVNetSSHConfig(r io.Reader) (bool, error) {
+func (c *SSHConfigChecker) openSSHConfigIncludesVNetSSHConfig(r io.Reader) (bool, error) {
 	scanner := bufio.NewScanner(r)
 	for scanner.Scan() {
-		if d.openSSHConfigLineIncludesPath(scanner.Text(), d.vnetSSHConfigPath) {
+		if c.openSSHConfigLineIncludesPath(scanner.Text(), c.VNetSSHConfigPath) {
 			return true, nil
 		}
 	}
@@ -155,8 +182,8 @@ func (d *SSHDiag) openSSHConfigIncludesVNetSSHConfig(r io.Reader) (bool, error)
 
 // openSSHConfigLineIncludesPath returns true if the given line of an OpenSSH
 // configuration file is an include statement for the given path.
-func (d *SSHDiag) openSSHConfigLineIncludesPath(line, wantPath string) bool {
-	wantPath = d.normalizePath(wantPath)
+func (c *SSHConfigChecker) openSSHConfigLineIncludesPath(line, wantPath string) bool {
+	wantPath = c.normalizePath(wantPath)
 	line = strings.TrimSpace(line)
 
 	// Only consider lines that begin with "include" (case-insensitive).
@@ -178,42 +205,41 @@ func (d *SSHDiag) openSSHConfigLineIncludesPath(line, wantPath string) bool {
 	// returns true. It does support ~ as an alias for the user's home
 	// directory.
 	var (
-		// b is a running buffer holding the current argument as parsed up to
+		// pathBuf is a running buffer holding the current argument as parsed up to
 		// the current point.
-		b strings.Builder
+		pathBuf strings.Builder
 		// quote holds the opening quote character if one has been found.
 		quote = byte(0)
 	)
 loop:
 	for i := 0; i < len(line); i++ {
-		c := line[i]
+		b := line[i]
 		switch {
-		case c == '\\' && i < len(line)-1 && canBeEscaped(line[i+1]):
+		case b == '\\' && i < len(line)-1 && canBeEscaped(line[i+1]):
 			// Skip the escape char and write the next char literally.
 			i++
-			b.WriteByte(line[i])
-		case quote == 0 && (c == '"' || c == '\''):
+			pathBuf.WriteByte(line[i])
+		case quote == 0 && (b == '"' || b == '\''):
 			// Start of quote
-			quote = c
-		case quote != 0 && c == quote:
+			quote = b
+		case quote != 0 && b == quote:
 			// End of quote
 			quote = 0
-		case b.Len() == 0 && c == '~':
+		case pathBuf.Len() == 0 && b == '~':
 			// Support ~ as an alias for the user's home directory.
-			b.WriteString(d.userHome)
-		case quote == 0 && c == '#':
+			pathBuf.WriteString(c.userHome)
+		case quote == 0 && b == '#':
 			// Found an unquoted comment in the middle of the line, ignore the rest.
 			break loop
-		case quote == 0 && isSpace(rune(c)):
+		case quote == 0 && isSpace(rune(b)):
 			// Reached the end of this argument, check if it matches wantPath.
-			if d.normalizePath(b.String()) == wantPath {
+			if c.normalizePath(pathBuf.String()) == wantPath {
 				return true
 			}
-			b.Reset()
+			pathBuf.Reset()
 		default:
-			// By default just append the current character to the current
-			// argument.
-			b.WriteByte(c)
+			// By default just append the current byte to the path.
+			pathBuf.WriteByte(b)
 		}
 	}
 	if quote != 0 {
@@ -221,11 +247,11 @@ loop:
 		return false
 	}
 	// Handle an argument that ends at the end of the line.
-	return d.normalizePath(b.String()) == wantPath
+	return c.normalizePath(pathBuf.String()) == wantPath
 }
 
-func (d *SSHDiag) normalizePath(path string) string {
-	if d.isWindows {
+func (c *SSHConfigChecker) normalizePath(path string) string {
+	if c.isWindows {
 		// Normalize all paths to use unix-style separators since OpenSSH
 		// supports / or \\ on Windows.
 		path = strings.ReplaceAll(path, `\`, `/`)
diff --git a/lib/vnet/diag/ssh_test.go b/lib/vnet/diag/ssh_test.go
index 2a1549a49c172..a152f38c1ac90 100644
--- a/lib/vnet/diag/ssh_test.go
+++ b/lib/vnet/diag/ssh_test.go
@@ -19,6 +19,7 @@ package diag
 import (
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -27,171 +28,173 @@ import (
 	diagv1 "github.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/diag/v1"
 )
 
-// TestSSHDiag tests the SSH configuration diagnostic, specifically its ability
-// to check whether an OpenSSH config file includes the VNet SSH config file.
-func TestSSHDiag(t *testing.T) {
-	t.Parallel()
-	for _, tc := range []struct {
-		desc        string
-		profilePath string
-		userHome    string
-		isWindows   bool
-		input       string
-		expect      bool
-	}{
-		{
-			desc:        "empty",
-			profilePath: `/Users/user/.tsh`,
-			userHome:    `/Users/user`,
-		},
-		{
-			desc:        "macos tsh",
-			profilePath: `/Users/user/.tsh`,
-			userHome:    `/Users/user`,
-			input:       `Include /Users/user/.tsh/vnet_ssh_config`,
-			expect:      true,
-		},
-		{
-			desc:        "macos tsh ~",
-			profilePath: `/Users/user/.tsh`,
-			userHome:    `/Users/user`,
-			input:       `Include ~/.tsh/vnet_ssh_config`,
-			expect:      true,
-		},
-		{
-			desc:        "macos connect",
-			profilePath: `/Users/user/Application Support/Teleport Connect/tsh`,
-			userHome:    `/Users/user`,
-			input:       `Include "/Users/user/Application Support/Teleport Connect/tsh/vnet_ssh_config"`,
-			expect:      true,
-		},
-		{
-			desc:        "macos connect ~",
-			profilePath: `/Users/user/Application Support/Teleport Connect/tsh`,
-			userHome:    `/Users/user`,
-			input:       `Include "~/Application Support/Teleport Connect/tsh/vnet_ssh_config"`,
-			expect:      true,
-		},
-		{
-			desc:        "macos tsh not match connect",
-			profilePath: `/Users/user/.tsh`,
-			userHome:    `/Users/user`,
-			input:       `Include "/Users/user/Application Support/Teleport Connect/tsh/vnet_ssh_config"`,
-		},
-		{
-			desc:        "macos connect not match tsh",
-			profilePath: `/Users/user/Application Support/Teleport Connect/tsh`,
-			userHome:    `/Users/user`,
-			input:       `Include /Users/user/.tsh/vnet_ssh_config`,
-		},
-		{
-			desc:        "windows tsh",
-			profilePath: `C:\Users\User\.tsh`,
-			userHome:    `C:\Users\User`,
-			isWindows:   true,
-			input:       `Include "C:\\Users\\User\\.tsh\\vnet_ssh_config"`,
-			expect:      true,
-		},
-		{
-			desc:        "windows tsh unescaped",
-			profilePath: `C:\Users\User\.tsh`,
-			userHome:    `C:\Users\User`,
-			isWindows:   true,
-			input:       `Include "C:\Users\User\.tsh\vnet_ssh_config"`,
-			expect:      true,
-		},
-		{
-			desc:        "windows tsh unix path",
-			profilePath: `C:\Users\User\.tsh`,
-			userHome:    `C:\Users\User`,
-			isWindows:   true,
-			input:       `Include "C:/Users/User/.tsh/vnet_ssh_config"`,
-			expect:      true,
-		},
-		{
-			desc:        "windows tsh ~",
-			profilePath: `C:\Users\User\.tsh`,
-			userHome:    `C:\Users\User`,
-			isWindows:   true,
-			input:       `Include "~\\.tsh\\vnet_ssh_config"`,
-			expect:      true,
-		},
-		{
-			desc:        "windows connect",
-			profilePath: `C:\Users\User\AppData\Roaming\Teleport Connect\tsh`,
-			userHome:    `C:\Users\User`,
-			isWindows:   true,
-			input:       `Include "C:\\Users\\User\\AppData\\Roaming\\Teleport\ Connect\\tsh\\vnet_ssh_config"`,
-			expect:      true,
-		},
-		{
-			desc:        "windows connect unescaped",
-			profilePath: `C:\Users\User\AppData\Roaming\Teleport Connect\tsh`,
-			userHome:    `C:\Users\User`,
-			isWindows:   true,
-			input:       `Include "C:\Users\User\AppData\Roaming\Teleport Connect\tsh\vnet_ssh_config"`,
-			expect:      true,
-		},
-		{
-			desc:        "windows connect unix path",
-			profilePath: `C:\Users\User\AppData\Roaming\Teleport Connect\tsh`,
-			userHome:    `C:\Users\User`,
-			isWindows:   true,
-			input:       `Include "C:/Users/User/AppData/Roaming/Teleport\ Connect/tsh/vnet_ssh_config"`,
-			expect:      true,
-		},
-		{
-			desc:        "windows connect ~",
-			profilePath: `C:\Users\User\AppData\Roaming\Teleport Connect\tsh`,
-			userHome:    `C:\Users\User`,
-			isWindows:   true,
-			input:       `Include "~\\AppData\\Roaming\\Teleport\ Connect\\tsh\\vnet_ssh_config"`,
-			expect:      true,
-		},
-		{
-			desc:        "windows tsh not match connect",
-			profilePath: `C:\Users\User\.tsh`,
-			userHome:    `C:\Users\User`,
-			isWindows:   true,
-			input:       `Include "C:\\Users\\User\\AppData\\Roaming\\Teleport\ Connect\\tsh\\vnet_ssh_config"`,
-		},
-		{
-			desc:        "windows connect not match tsh",
-			profilePath: `C:\Users\User\AppData\Roaming\Teleport Connect\tsh`,
-			userHome:    `C:\Users\User`,
-			isWindows:   true,
-			input:       `Include "C:\\Users\\User\\.tsh\\vnet_ssh_config"`,
-		},
-		{
-			desc:        "some other file",
-			profilePath: `/Users/user/.tsh`,
-			input:       `Include /Users/user/.tsh/ssh_config`,
-		},
-		{
-			desc:        "multiple includes",
-			profilePath: `/Users/user/.tsh`,
-			userHome:    `/Users/user`,
-			input: `
+var sshDiagTestCases = []struct {
+	desc        string
+	profilePath string
+	userHome    string
+	isWindows   bool
+	input       string
+	expect      bool
+}{
+	{
+		desc:        "empty",
+		profilePath: `/Users/user/.tsh`,
+		userHome:    `/Users/user`,
+	},
+	{
+		desc:        "macos tsh",
+		profilePath: `/Users/user/.tsh`,
+		userHome:    `/Users/user`,
+		input:       `Include /Users/user/.tsh/vnet_ssh_config`,
+		expect:      true,
+	},
+	{
+		desc:        "macos tsh ~",
+		profilePath: `/Users/user/.tsh`,
+		userHome:    `/Users/user`,
+		input:       `Include ~/.tsh/vnet_ssh_config`,
+		expect:      true,
+	},
+	{
+		desc:        "macos connect",
+		profilePath: `/Users/user/Application Support/Teleport Connect/tsh`,
+		userHome:    `/Users/user`,
+		input:       `Include "/Users/user/Application Support/Teleport Connect/tsh/vnet_ssh_config"`,
+		expect:      true,
+	},
+	{
+		desc:        "macos connect ~",
+		profilePath: `/Users/user/Application Support/Teleport Connect/tsh`,
+		userHome:    `/Users/user`,
+		input:       `Include "~/Application Support/Teleport Connect/tsh/vnet_ssh_config"`,
+		expect:      true,
+	},
+	{
+		desc:        "macos tsh not match connect",
+		profilePath: `/Users/user/.tsh`,
+		userHome:    `/Users/user`,
+		input:       `Include "/Users/user/Application Support/Teleport Connect/tsh/vnet_ssh_config"`,
+	},
+	{
+		desc:        "macos connect not match tsh",
+		profilePath: `/Users/user/Application Support/Teleport Connect/tsh`,
+		userHome:    `/Users/user`,
+		input:       `Include /Users/user/.tsh/vnet_ssh_config`,
+	},
+	{
+		desc:        "windows tsh",
+		profilePath: `C:\Users\User\.tsh`,
+		userHome:    `C:\Users\User`,
+		isWindows:   true,
+		input:       `Include "C:\\Users\\User\\.tsh\\vnet_ssh_config"`,
+		expect:      true,
+	},
+	{
+		desc:        "windows tsh unescaped",
+		profilePath: `C:\Users\User\.tsh`,
+		userHome:    `C:\Users\User`,
+		isWindows:   true,
+		input:       `Include "C:\Users\User\.tsh\vnet_ssh_config"`,
+		expect:      true,
+	},
+	{
+		desc:        "windows tsh unix path",
+		profilePath: `C:\Users\User\.tsh`,
+		userHome:    `C:\Users\User`,
+		isWindows:   true,
+		input:       `Include "C:/Users/User/.tsh/vnet_ssh_config"`,
+		expect:      true,
+	},
+	{
+		desc:        "windows tsh ~",
+		profilePath: `C:\Users\User\.tsh`,
+		userHome:    `C:\Users\User`,
+		isWindows:   true,
+		input:       `Include "~\\.tsh\\vnet_ssh_config"`,
+		expect:      true,
+	},
+	{
+		desc:        "windows connect",
+		profilePath: `C:\Users\User\AppData\Roaming\Teleport Connect\tsh`,
+		userHome:    `C:\Users\User`,
+		isWindows:   true,
+		input:       `Include "C:\\Users\\User\\AppData\\Roaming\\Teleport\ Connect\\tsh\\vnet_ssh_config"`,
+		expect:      true,
+	},
+	{
+		desc:        "windows connect unescaped",
+		profilePath: `C:\Users\User\AppData\Roaming\Teleport Connect\tsh`,
+		userHome:    `C:\Users\User`,
+		isWindows:   true,
+		input:       `Include "C:\Users\User\AppData\Roaming\Teleport Connect\tsh\vnet_ssh_config"`,
+		expect:      true,
+	},
+	{
+		desc:        "windows connect unix path",
+		profilePath: `C:\Users\User\AppData\Roaming\Teleport Connect\tsh`,
+		userHome:    `C:\Users\User`,
+		isWindows:   true,
+		input:       `Include "C:/Users/User/AppData/Roaming/Teleport\ Connect/tsh/vnet_ssh_config"`,
+		expect:      true,
+	},
+	{
+		desc:        "windows connect ~",
+		profilePath: `C:\Users\User\AppData\Roaming\Teleport Connect\tsh`,
+		userHome:    `C:\Users\User`,
+		isWindows:   true,
+		input:       `Include "~\\AppData\\Roaming\\Teleport\ Connect\\tsh\\vnet_ssh_config"`,
+		expect:      true,
+	},
+	{
+		desc:        "windows tsh not match connect",
+		profilePath: `C:\Users\User\.tsh`,
+		userHome:    `C:\Users\User`,
+		isWindows:   true,
+		input:       `Include "C:\\Users\\User\\AppData\\Roaming\\Teleport\ Connect\\tsh\\vnet_ssh_config"`,
+	},
+	{
+		desc:        "windows connect not match tsh",
+		profilePath: `C:\Users\User\AppData\Roaming\Teleport Connect\tsh`,
+		userHome:    `C:\Users\User`,
+		isWindows:   true,
+		input:       `Include "C:\\Users\\User\\.tsh\\vnet_ssh_config"`,
+	},
+	{
+		desc:        "some other file",
+		profilePath: `/Users/user/.tsh`,
+		input:       `Include /Users/user/.tsh/ssh_config`,
+	},
+	{
+		desc:        "multiple includes",
+		profilePath: `/Users/user/.tsh`,
+		userHome:    `/Users/user`,
+		input: `
 Include ~/.ssh/include/*
 Include /Users/user/ssh_config
 Include /Users/user/.tsh/vnet_ssh_config
 `,
-			expect: true,
-		},
-		{
-			desc:        "commented",
-			profilePath: `/Users/user/.tsh`,
-			userHome:    `/Users/user`,
-			input:       `Include #/Users/user/.tsh/vnet_ssh_config`,
-		},
-		{
-			desc:        "single quotes",
-			profilePath: `/Users/user/.tsh`,
-			userHome:    `/Users/user`,
-			input:       `Include '/Users/user/.tsh/vnet_ssh_config'`,
-			expect:      true,
-		},
-	} {
+		expect: true,
+	},
+	{
+		desc:        "commented",
+		profilePath: `/Users/user/.tsh`,
+		userHome:    `/Users/user`,
+		input:       `Include #/Users/user/.tsh/vnet_ssh_config`,
+	},
+	{
+		desc:        "single quotes",
+		profilePath: `/Users/user/.tsh`,
+		userHome:    `/Users/user`,
+		input:       `Include '/Users/user/.tsh/vnet_ssh_config'`,
+		expect:      true,
+	},
+}
+
+// TestSSHDiag tests the SSH configuration diagnostic, specifically its ability
+// to check whether an OpenSSH config file includes the VNet SSH config file.
+func TestSSHDiag(t *testing.T) {
+	t.Parallel()
+	for _, tc := range sshDiagTestCases {
 		t.Run(tc.desc, func(t *testing.T) {
 			diag, err := NewSSHDiag(&SSHConfig{
 				ProfilePath: tc.profilePath,
@@ -200,9 +203,9 @@ Include /Users/user/.tsh/vnet_ssh_config
 			userOpenSSHConfigPath := filepath.Join(t.TempDir(), "test_ssh_config")
 
 			// Override isWindows and paths for the purpose of the test.
-			diag.isWindows = tc.isWindows
-			diag.userHome = tc.userHome
-			diag.userOpenSSHConfigPath = userOpenSSHConfigPath
+			diag.sshConfigChecker.isWindows = tc.isWindows
+			diag.sshConfigChecker.userHome = tc.userHome
+			diag.sshConfigChecker.UserOpenSSHConfigPath = userOpenSSHConfigPath
 
 			if len(tc.input) > 0 {
 				require.NoError(t, os.WriteFile(userOpenSSHConfigPath, []byte(tc.input), 0o600))
@@ -227,3 +230,21 @@ Include /Users/user/.tsh/vnet_ssh_config
 		})
 	}
 }
+
+// FuzzOpenSSHConfigIncludesPath fuzzes [SSHConfigChecker.openSSHConfigIncludesVNetSSHConfig]
+// to make sure it won't panic on arbitrary input.
+func FuzzOpenSSHConfigIncludesPath(f *testing.F) {
+	// Add all test cases as the base test corpus.
+	for _, tc := range sshDiagTestCases {
+		f.Add(tc.isWindows, tc.profilePath, tc.input)
+	}
+	f.Fuzz(func(t *testing.T, isWindows bool, profilePath, input string) {
+		vnetSSHConfigPath := keypaths.VNetSSHConfigPath(profilePath)
+		sshConfigChecker := &SSHConfigChecker{
+			VNetSSHConfigPath: vnetSSHConfigPath,
+			isWindows:         isWindows,
+		}
+		// Can't deterministically check the result for fuzzed inputs but it shouldn't panic.
+		sshConfigChecker.openSSHConfigIncludesVNetSSHConfig(strings.NewReader(input))
+	})
+}
diff --git a/lib/vnet/opensshconfig.go b/lib/vnet/opensshconfig.go
index 65f2587f63796..e1ff49cb17222 100644
--- a/lib/vnet/opensshconfig.go
+++ b/lib/vnet/opensshconfig.go
@@ -21,6 +21,7 @@ import (
 	"cmp"
 	"context"
 	"encoding/pem"
+	"fmt"
 	"io"
 	"os"
 	"path/filepath"
@@ -40,6 +41,8 @@ import (
 	"github.com/gravitational/teleport/api/utils"
 	"github.com/gravitational/teleport/api/utils/keypaths"
 	"github.com/gravitational/teleport/lib/cryptosuites"
+	libutils "github.com/gravitational/teleport/lib/utils"
+	"github.com/gravitational/teleport/lib/vnet/diag"
 )
 
 const (
@@ -261,3 +264,79 @@ type configFileTemplateInput struct {
 	PrivateKeyPath string
 	KnownHostsPath string
 }
+
+type autoConfigureOpenSSHOptions struct {
+	overrideUserSSHConfigPath string
+}
+type autoConfigureOpenSSHOption func(*autoConfigureOpenSSHOptions)
+
+func withUserSSHConfigPathOverride(path string) autoConfigureOpenSSHOption {
+	return func(opts *autoConfigureOpenSSHOptions) {
+		opts.overrideUserSSHConfigPath = path
+	}
+}
+
+// AutoConfigureOpenSSH adds an Include directive to the default user OpenSSH
+// config file (~/.ssh/config) to include the vnet_ssh_config file found under
+// profilePath.
+func AutoConfigureOpenSSH(ctx context.Context, profilePath string, opts ...autoConfigureOpenSSHOption) (err error) {
+	var options autoConfigureOpenSSHOptions
+	for _, opt := range opts {
+		opt(&options)
+	}
+
+	sshConfigChecker, err := diag.NewSSHConfigChecker(profilePath)
+	if err != nil {
+		return trace.Wrap(err)
+	}
+
+	if options.overrideUserSSHConfigPath != "" {
+		sshConfigChecker.UserOpenSSHConfigPath = options.overrideUserSSHConfigPath
+	}
+
+	// Create ~/.ssh if it does not exist yet.
+	err = trace.ConvertSystemError(os.Mkdir(
+		filepath.Dir(sshConfigChecker.UserOpenSSHConfigPath), os.FileMode(0o700)))
+	switch {
+	case trace.IsAlreadyExists(err):
+		// This is fine/expected.
+	case err != nil:
+		return trace.Wrap(err, "creating directory for %s", sshConfigChecker.UserOpenSSHConfigPath)
+	}
+
+	// There should not be much lock contention on this file and it's okay if
+	// this fails so just try once to grab the lock.
+	unlock, err := libutils.FSTryWriteLock(sshConfigChecker.UserOpenSSHConfigPath)
+	if err != nil {
+		return trace.Wrap(err, "getting write lock for %s", sshConfigChecker.UserOpenSSHConfigPath)
+	}
+	defer func() {
+		unlockErr := unlock()
+		err = trace.NewAggregate(err, trace.Wrap(unlockErr, "unlocking %s", sshConfigChecker.UserOpenSSHConfigPath))
+	}()
+
+	currentContents, alreadyIncluded, err := sshConfigChecker.OpenSSHConfigIncludesVNetSSHConfig()
+	switch {
+	case trace.IsNotFound(err):
+		// This is fine, the file will be created with a single include.
+	case err != nil:
+		return trace.Wrap(err)
+	case alreadyIncluded:
+		return trace.AlreadyExists("%s is already included in %s",
+			sshConfigChecker.VNetSSHConfigPath, sshConfigChecker.UserOpenSSHConfigPath)
+	}
+
+	// Add the include at the top of the file for 2 reasons:
+	// - options set first take precedence over options set later in the file
+	// - if the include line is added after an existing Host block it will only
+	//   be included if the host block matches
+	var newContents bytes.Buffer
+	fmt.Fprintf(&newContents, `# Include Teleport VNet generated configuration
+Include "%s"
+
+`, sshConfigChecker.VNetSSHConfigPath)
+	newContents.Write(currentContents)
+
+	err = renameio.WriteFile(sshConfigChecker.UserOpenSSHConfigPath, newContents.Bytes(), filePerms)
+	return trace.Wrap(trace.ConvertSystemError(err), "writing to %s", sshConfigChecker.UserOpenSSHConfigPath)
+}
diff --git a/lib/vnet/opensshconfig_test.go b/lib/vnet/opensshconfig_test.go
index 4e933fc3bc915..9bed1ed5b0410 100644
--- a/lib/vnet/opensshconfig_test.go
+++ b/lib/vnet/opensshconfig_test.go
@@ -20,10 +20,13 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"path/filepath"
 	"testing"
 	"time"
 
+	"github.com/gravitational/trace"
 	"github.com/jonboulle/clockwork"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	"github.com/gravitational/teleport/api/utils/keypaths"
@@ -116,3 +119,85 @@ func TestSSHConfigurator(t *testing.T) {
 	_, err = os.Stat(keypaths.VNetSSHConfigPath(homePath))
 	require.ErrorIs(t, err, os.ErrNotExist)
 }
+
+func TestAutoConfigureOpenSSH(t *testing.T) {
+	d := t.TempDir()
+	profilePath := filepath.Join(d, ".tsh")
+	vnetSSHConfigPath := keypaths.VNetSSHConfigPath(profilePath)
+	userOpenSSHConfigPath := filepath.Join(d, ".ssh", "config")
+	expectedInclude := fmt.Sprintf(`# Include Teleport VNet generated configuration
+Include "%s"
+
+`, vnetSSHConfigPath)
+	for _, tc := range []struct {
+		desc                            string
+		userOpenSSHConfigExists         bool
+		userOpenSSHConfigContents       string
+		expectAlreadyIncludedError      bool
+		expectUserOpenSSHConfigContents string
+	}{
+		{
+			// When the user OpenSSH config file doesn't exist, it should be
+			// created with the include.
+			desc:                            "no file",
+			expectUserOpenSSHConfigContents: expectedInclude,
+		},
+		{
+			// When the user OpenSSH config file already exists but it's empty,
+			// the include should be added.
+			desc:                            "empty file",
+			userOpenSSHConfigExists:         true,
+			expectUserOpenSSHConfigContents: expectedInclude,
+		},
+		{
+			// When the user OpenSSH config file already exists with some
+			// content, the include should be added at the top.
+			desc:                            "not empty",
+			userOpenSSHConfigExists:         true,
+			userOpenSSHConfigContents:       "something\nsomethingelse\n",
+			expectUserOpenSSHConfigContents: expectedInclude + "something\nsomethingelse\n",
+		},
+		{
+			// When the user OpenSSH config file already includes VNet's config
+			// file, it should return an AlreadyExists error and the file
+			// should not be modified.
+			desc:                            "already included",
+			userOpenSSHConfigExists:         true,
+			userOpenSSHConfigContents:       expectedInclude,
+			expectAlreadyIncludedError:      true,
+			expectUserOpenSSHConfigContents: expectedInclude,
+		},
+		{
+			// When the user OpenSSH config file already includes VNet's config
+			// file along with existing content, it should return an
+			// AlreadyExists error and the file should not be modified.
+			desc:                            "already included with extra content",
+			userOpenSSHConfigExists:         true,
+			userOpenSSHConfigContents:       "something\n" + expectedInclude + "somethingelse",
+			expectAlreadyIncludedError:      true,
+			expectUserOpenSSHConfigContents: "something\n" + expectedInclude + "somethingelse",
+		},
+	} {
+		t.Run(tc.desc, func(t *testing.T) {
+			if tc.userOpenSSHConfigExists {
+				// Write the existing user OpenSSH config file if it's supposed
+				// to exist for this test case.
+				require.NoError(t, os.WriteFile(userOpenSSHConfigPath,
+					[]byte(tc.userOpenSSHConfigContents), filePerms))
+			}
+
+			err := AutoConfigureOpenSSH(t.Context(), profilePath, withUserSSHConfigPathOverride(userOpenSSHConfigPath))
+
+			if tc.expectAlreadyIncludedError {
+				assert.ErrorIs(t, err, trace.AlreadyExists("%s is already included in %s",
+					vnetSSHConfigPath, userOpenSSHConfigPath))
+			} else {
+				assert.NoError(t, err)
+			}
+
+			contents, err := os.ReadFile(userOpenSSHConfigPath)
+			require.NoError(t, err)
+			assert.Equal(t, tc.expectUserOpenSSHConfigContents, string(contents))
+		})
+	}
+}
diff --git a/tool/tsh/common/tsh.go b/tool/tsh/common/tsh.go
index 550811255519b..14ceadbd60e89 100644
--- a/tool/tsh/common/tsh.go
+++ b/tool/tsh/common/tsh.go
@@ -1331,6 +1331,7 @@ func Run(ctx context.Context, args []string, opts ...CliOption) error {
 	workloadIdentityCmd := newWorkloadIdentityCommands(app)
 
 	vnetCommand := newVnetCommand(app)
+	vnetSSHAutoConfigCommand := newVnetSSHAutoConfigCommand(app)
 	vnetAdminSetupCommand := newVnetAdminSetupCommand(app)
 	vnetDaemonCommand := newVnetDaemonCommand(app)
 	vnetServiceCommand := newVnetServiceCommand(app)
@@ -1723,6 +1724,8 @@ func Run(ctx context.Context, args []string, opts ...CliOption) error {
 		err = workloadIdentityCmd.issueX509.run(&cf)
 	case vnetCommand.FullCommand():
 		err = vnetCommand.run(&cf)
+	case vnetSSHAutoConfigCommand.FullCommand():
+		err = vnetSSHAutoConfigCommand.run(&cf)
 	case vnetAdminSetupCommand.FullCommand():
 		err = vnetAdminSetupCommand.run(&cf)
 	case vnetDaemonCommand.FullCommand():
diff --git a/tool/tsh/common/vnet.go b/tool/tsh/common/vnet.go
index 5d01ff4e67ae0..256e9cf3a832e 100644
--- a/tool/tsh/common/vnet.go
+++ b/tool/tsh/common/vnet.go
@@ -23,6 +23,7 @@ import (
 	"github.com/alecthomas/kingpin/v2"
 	"github.com/gravitational/trace"
 
+	"github.com/gravitational/teleport/api/profile"
 	"github.com/gravitational/teleport/lib/vnet"
 )
 
@@ -77,6 +78,22 @@ func (c *vnetCommand) run(cf *CLIConf) error {
 	return trace.Wrap(vnetProcess.Wait())
 }
 
+type vnetSSHAutoConfigCommand struct {
+	*kingpin.CmdClause
+}
+
+func newVnetSSHAutoConfigCommand(app *kingpin.Application) *vnetSSHAutoConfigCommand {
+	cmd := &vnetSSHAutoConfigCommand{
+		CmdClause: app.Command("vnet-ssh-autoconfig", "Automatically include VNet's generated OpenSSH-compatible config file in ~/.ssh/config."),
+	}
+	return cmd
+}
+
+func (c *vnetSSHAutoConfigCommand) run(cf *CLIConf) error {
+	err := vnet.AutoConfigureOpenSSH(cf.Context, profile.FullProfilePath(cf.HomePath))
+	return trace.Wrap(err)
+}
+
 func newVnetAdminSetupCommand(app *kingpin.Application) vnetCLICommand {
 	return newPlatformVnetAdminSetupCommand(app)
 }
@@ -104,6 +121,7 @@ type vnetCommandNotSupported struct{}
 func (vnetCommandNotSupported) FullCommand() string {
 	return ""
 }
+
 func (vnetCommandNotSupported) run(*CLIConf) error {
 	panic("vnetCommandNotSupported.run should never be called, this is a bug")
 }

From 5a1abdb948759bdbe911a80dfe3dff39ee255594 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafa=C5=82=20Cie=C5=9Blak?= <rafal.cieslak@goteleport.com>
Date: Wed, 25 Jun 2025 18:10:11 +0200
Subject: [PATCH 19/25] VNet diag notification: Do not show button to open
 report if there's no workspace selected (#56067)

* VNet diag report: Don't show button in notification if there's no workspace

* Replace deprecated MutableRefObject with RefObject

* Make openReport not depend on value of rootClusterUri

Otherwise the effect that uses setInterval re-runs whenever the user
switches to another workspace.
---
 .../teleterm/src/ui/Vnet/vnetContext.test.tsx | 45 ++++++++++++++++---
 .../teleterm/src/ui/Vnet/vnetContext.tsx      | 31 +++++++++----
 2 files changed, 60 insertions(+), 16 deletions(-)

diff --git a/web/packages/teleterm/src/ui/Vnet/vnetContext.test.tsx b/web/packages/teleterm/src/ui/Vnet/vnetContext.test.tsx
index 3bb407ef92671..e08aecf3a2b21 100644
--- a/web/packages/teleterm/src/ui/Vnet/vnetContext.test.tsx
+++ b/web/packages/teleterm/src/ui/Vnet/vnetContext.test.tsx
@@ -20,8 +20,8 @@ import { act, renderHook, waitFor } from '@testing-library/react';
 import {
   ComponentType,
   createRef,
-  MutableRefObject,
   PropsWithChildren,
+  RefObject,
   useEffect,
   useImperativeHandle,
 } from 'react';
@@ -218,16 +218,16 @@ describe('diag notification', () => {
   const tests: Array<{
     it: string;
     /** Ref for opening/closing the connections panel. If provided, the panel will be open by default. */
-    controlConnectionsRef?: MutableRefObject<ControlConnections>;
+    controlConnectionsRef?: RefObject<ControlConnections>;
     mockAppContext: (appContext: MockAppContext) => void;
     verify: (
       appContext: MockAppContext,
       result: { current: VnetContext },
-      controlConnectionsRef?: MutableRefObject<ControlConnections>
+      controlConnectionsRef?: RefObject<ControlConnections>
     ) => Promise<void>;
   }> = [
     {
-      it: 'is shown when the report cycles from issues found to no issues and back to issues found',
+      it: 'is shown, closed, then shown again when the report cycles from issues found to no issues and back to issues found',
       mockAppContext: appContext => {
         jest
           .spyOn(appContext.vnet, 'runDiagnostics')
@@ -253,7 +253,12 @@ describe('diag notification', () => {
         );
 
         expect(notificationsService.notifyWarning).toHaveBeenCalledTimes(2);
-        expect(notificationsService.getNotifications()).toHaveLength(1);
+        const notifications = notificationsService.getNotifications();
+        expect(notifications).toHaveLength(1);
+        expect(notifications[0].content).toMatchObject({
+          description: undefined,
+          action: expect.objectContaining({ content: 'Open Diag Report' }),
+        });
       },
     },
     {
@@ -407,6 +412,32 @@ describe('diag notification', () => {
         expect(notificationsService.getNotifications()).toHaveLength(1);
       },
     },
+    {
+      it: 'does not show a button to open the diag report if there is no workspace',
+      mockAppContext: appContext => {
+        jest
+          .spyOn(appContext.vnet, 'runDiagnostics')
+          .mockResolvedValue(
+            new MockedUnaryCall({ report: issuesFoundReport })
+          );
+        appContext.workspacesService.setState(draft => {
+          draft.rootClusterUri = undefined;
+        });
+      },
+      verify: async ({ notificationsService }, result) => {
+        await waitFor(
+          () =>
+            expect(result.current.diagnosticsAttempt.status).toEqual('success'),
+          { interval }
+        );
+        const notifications = notificationsService.getNotifications();
+        expect(notifications).toHaveLength(1);
+        expect(notifications[0].content).toMatchObject({
+          description: expect.stringContaining('Log in to a cluster'),
+          action: undefined,
+        });
+      },
+    },
   ];
 
   // eslint-disable-next-line jest/expect-expect
@@ -445,7 +476,7 @@ describe('diag notification', () => {
 const Wrapper = (
   props: PropsWithChildren<{
     appContext: IAppContext;
-    controlConnectionsRef?: MutableRefObject<ControlConnections>;
+    controlConnectionsRef?: RefObject<ControlConnections>;
   }>
 ) => {
   return (
@@ -480,7 +511,7 @@ function createWrapper<Props>(
 }
 
 const OpenConnections = (props: {
-  controlConnectionsRef: MutableRefObject<ControlConnections>;
+  controlConnectionsRef: RefObject<ControlConnections>;
 }) => {
   const { open, close } = useConnectionsContext();
   useImperativeHandle(props.controlConnectionsRef, () => ({ open, close }));
diff --git a/web/packages/teleterm/src/ui/Vnet/vnetContext.tsx b/web/packages/teleterm/src/ui/Vnet/vnetContext.tsx
index 3779cf77be607..7e2afd7750c7e 100644
--- a/web/packages/teleterm/src/ui/Vnet/vnetContext.tsx
+++ b/web/packages/teleterm/src/ui/Vnet/vnetContext.tsx
@@ -28,6 +28,7 @@ import {
   useState,
 } from 'react';
 
+import { Action } from 'design/Alert';
 import {
   BackgroundItemStatus,
   GetServiceInfoResponse,
@@ -256,13 +257,14 @@ export const VnetContextProvider: FC<
     [status.value]
   );
 
-  const rootClusterUri = useStoreSelector(
+  const isWorkspaceSelected = useStoreSelector(
     'workspacesService',
-    useCallback(state => state.rootClusterUri, [])
+    useCallback(state => !!state.rootClusterUri, [])
   );
 
   const openReport = useCallback(
     (report: Report) => {
+      const rootClusterUri = workspacesService.getRootClusterUri();
       if (!rootClusterUri) {
         return;
       }
@@ -294,7 +296,7 @@ export const VnetContextProvider: FC<
       // upon on the next run of runDiagnosticsAndShowNotification.
       notificationsService.removeNotification(diagNotificationIdRef.current);
     },
-    [rootClusterUri, workspacesService, notificationsService]
+    [workspacesService, notificationsService]
   );
 
   const showDiagWarningIndicator: boolean = useMemo(
@@ -396,10 +398,10 @@ export const VnetContextProvider: FC<
         return;
       }
 
-      diagNotificationIdRef.current = notificationsService.notifyWarning({
-        isAutoRemovable: false,
-        title: 'Other software on your device might interfere with VNet.',
-        action: {
+      let action: Action;
+      let description: string;
+      if (workspacesService.getRootClusterUri()) {
+        action = {
           content: 'Open Diag Report',
           onClick: () => {
             openReport(report);
@@ -409,7 +411,17 @@ export const VnetContextProvider: FC<
               diagNotificationIdRef.current
             );
           },
-        },
+        };
+      } else {
+        description =
+          'Log in to a cluster to open the diag report from the VNet panel.';
+      }
+
+      diagNotificationIdRef.current = notificationsService.notifyWarning({
+        isAutoRemovable: false,
+        title: 'Other software on your device might interfere with VNet.',
+        description,
+        action,
       });
     },
     [
@@ -419,6 +431,7 @@ export const VnetContextProvider: FC<
       hasDismissedDiagnosticsAlertRef,
       resetHasActedOnPreviousNotification,
       isConnectionsPanelOpenRef,
+      workspacesService,
     ]
   );
 
@@ -469,7 +482,7 @@ export const VnetContextProvider: FC<
         dismissDiagnosticsAlert,
         hasDismissedDiagnosticsAlert,
         reinstateDiagnosticsAlert,
-        openReport: rootClusterUri ? openReport : undefined,
+        openReport: isWorkspaceSelected ? openReport : undefined,
         showDiagWarningIndicator,
         hasEverStarted,
       }}

From 37c065524d365311bf437399e28846b1df4291c1 Mon Sep 17 00:00:00 2001
From: Nic Klaassen <nic@goteleport.com>
Date: Thu, 26 Jun 2025 14:50:57 -0700
Subject: [PATCH 20/25] [v18][vnet] feat: automatic SSH client configuration in
 Connect
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Backport #55924 to branch/v18

Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com>
Co-authored-by: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com>
---
 .../lib/teleterm/vnet/v1/vnet_service.pb.go   | 128 +++++++++++++++---
 .../teleterm/vnet/v1/vnet_service_grpc.pb.go  |  42 ++++++
 .../vnet/v1/vnet_service_pb.client.ts         |  19 +++
 .../vnet/v1/vnet_service_pb.grpc-server.ts    |  19 +++
 .../lib/teleterm/vnet/v1/vnet_service_pb.ts   |  84 +++++++++++-
 lib/teleterm/vnet/service.go                  |  14 +-
 .../lib/teleterm/vnet/v1/vnet_service.proto   |  13 ++
 .../src/services/tshd/fixtures/mocks.ts       |   4 +-
 .../teleterm/src/ui/ModalsHost/ModalsHost.tsx |  12 ++
 .../src/ui/Vnet/ConfigureSSHClients.story.tsx |  51 +++++++
 .../src/ui/Vnet/ConfigureSSHClients.tsx       |  97 +++++++++++++
 .../src/ui/Vnet/DocumentVnetDiagReport.tsx    |  17 ++-
 .../src/ui/Vnet/VnetSliderStep.story.tsx      |  10 +-
 .../teleterm/src/ui/Vnet/VnetSliderStep.tsx   |  30 +++-
 .../teleterm/src/ui/Vnet/integration.test.tsx |   6 +
 .../teleterm/src/ui/Vnet/useVnetLauncher.tsx  |  46 ++++++-
 .../teleterm/src/ui/Vnet/vnetContext.tsx      |  62 ++++++++-
 .../src/ui/services/modals/modalsService.ts   |  13 ++
 18 files changed, 619 insertions(+), 48 deletions(-)
 create mode 100644 web/packages/teleterm/src/ui/Vnet/ConfigureSSHClients.story.tsx
 create mode 100644 web/packages/teleterm/src/ui/Vnet/ConfigureSSHClients.tsx

diff --git a/gen/proto/go/teleport/lib/teleterm/vnet/v1/vnet_service.pb.go b/gen/proto/go/teleport/lib/teleterm/vnet/v1/vnet_service.pb.go
index f1103603824cf..e87f534e7c998 100644
--- a/gen/proto/go/teleport/lib/teleterm/vnet/v1/vnet_service.pb.go
+++ b/gen/proto/go/teleport/lib/teleterm/vnet/v1/vnet_service.pb.go
@@ -296,8 +296,11 @@ type GetServiceInfoResponse struct {
 	// ssh_configured is true if the user's SSH config file includes VNet's
 	// generated SSH config necessary for SSH access.
 	SshConfigured bool `protobuf:"varint,3,opt,name=ssh_configured,json=sshConfigured,proto3" json:"ssh_configured,omitempty"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
+	// vnet_ssh_config_path is the path of VNet's generated OpenSSH-compatible
+	// config file.
+	VnetSshConfigPath string `protobuf:"bytes,4,opt,name=vnet_ssh_config_path,json=vnetSshConfigPath,proto3" json:"vnet_ssh_config_path,omitempty"`
+	unknownFields     protoimpl.UnknownFields
+	sizeCache         protoimpl.SizeCache
 }
 
 func (x *GetServiceInfoResponse) Reset() {
@@ -351,6 +354,13 @@ func (x *GetServiceInfoResponse) GetSshConfigured() bool {
 	return false
 }
 
+func (x *GetServiceInfoResponse) GetVnetSshConfigPath() string {
+	if x != nil {
+		return x.VnetSshConfigPath
+	}
+	return ""
+}
+
 // Request for GetBackgroundItemStatus.
 type GetBackgroundItemStatusRequest struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
@@ -515,6 +525,80 @@ func (x *RunDiagnosticsResponse) GetReport() *v1.Report {
 	return nil
 }
 
+// Request for AutoConfigureSSH.
+type AutoConfigureSSHRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *AutoConfigureSSHRequest) Reset() {
+	*x = AutoConfigureSSHRequest{}
+	mi := &file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_msgTypes[10]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *AutoConfigureSSHRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*AutoConfigureSSHRequest) ProtoMessage() {}
+
+func (x *AutoConfigureSSHRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_msgTypes[10]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use AutoConfigureSSHRequest.ProtoReflect.Descriptor instead.
+func (*AutoConfigureSSHRequest) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDescGZIP(), []int{10}
+}
+
+// Response for AutoConfigureSSH.
+type AutoConfigureSSHResponse struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *AutoConfigureSSHResponse) Reset() {
+	*x = AutoConfigureSSHResponse{}
+	mi := &file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_msgTypes[11]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *AutoConfigureSSHResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*AutoConfigureSSHResponse) ProtoMessage() {}
+
+func (x *AutoConfigureSSHResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_msgTypes[11]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use AutoConfigureSSHResponse.ProtoReflect.Descriptor instead.
+func (*AutoConfigureSSHResponse) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDescGZIP(), []int{11}
+}
+
 var File_teleport_lib_teleterm_vnet_v1_vnet_service_proto protoreflect.FileDescriptor
 
 const file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDesc = "" +
@@ -524,30 +608,34 @@ const file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDesc = "" +
 	"\rStartResponse\"\r\n" +
 	"\vStopRequest\"\x0e\n" +
 	"\fStopResponse\"\x17\n" +
-	"\x15GetServiceInfoRequest\"\x7f\n" +
+	"\x15GetServiceInfoRequest\"\xb0\x01\n" +
 	"\x16GetServiceInfoResponse\x12\"\n" +
 	"\rapp_dns_zones\x18\x01 \x03(\tR\vappDnsZones\x12\x1a\n" +
 	"\bclusters\x18\x02 \x03(\tR\bclusters\x12%\n" +
-	"\x0essh_configured\x18\x03 \x01(\bR\rsshConfigured\" \n" +
+	"\x0essh_configured\x18\x03 \x01(\bR\rsshConfigured\x12/\n" +
+	"\x14vnet_ssh_config_path\x18\x04 \x01(\tR\x11vnetSshConfigPath\" \n" +
 	"\x1eGetBackgroundItemStatusRequest\"n\n" +
 	"\x1fGetBackgroundItemStatusResponse\x12K\n" +
 	"\x06status\x18\x01 \x01(\x0e23.teleport.lib.teleterm.vnet.v1.BackgroundItemStatusR\x06status\"\x17\n" +
 	"\x15RunDiagnosticsRequest\"S\n" +
 	"\x16RunDiagnosticsResponse\x129\n" +
-	"\x06report\x18\x01 \x01(\v2!.teleport.lib.vnet.diag.v1.ReportR\x06report*\x8b\x02\n" +
+	"\x06report\x18\x01 \x01(\v2!.teleport.lib.vnet.diag.v1.ReportR\x06report\"\x19\n" +
+	"\x17AutoConfigureSSHRequest\"\x1a\n" +
+	"\x18AutoConfigureSSHResponse*\x8b\x02\n" +
 	"\x14BackgroundItemStatus\x12&\n" +
 	"\"BACKGROUND_ITEM_STATUS_UNSPECIFIED\x10\x00\x12)\n" +
 	"%BACKGROUND_ITEM_STATUS_NOT_REGISTERED\x10\x01\x12\"\n" +
 	"\x1eBACKGROUND_ITEM_STATUS_ENABLED\x10\x02\x12,\n" +
 	"(BACKGROUND_ITEM_STATUS_REQUIRES_APPROVAL\x10\x03\x12$\n" +
 	" BACKGROUND_ITEM_STATUS_NOT_FOUND\x10\x04\x12(\n" +
-	"$BACKGROUND_ITEM_STATUS_NOT_SUPPORTED\x10\x052\xeb\x04\n" +
+	"$BACKGROUND_ITEM_STATUS_NOT_SUPPORTED\x10\x052\xf1\x05\n" +
 	"\vVnetService\x12b\n" +
 	"\x05Start\x12+.teleport.lib.teleterm.vnet.v1.StartRequest\x1a,.teleport.lib.teleterm.vnet.v1.StartResponse\x12_\n" +
 	"\x04Stop\x12*.teleport.lib.teleterm.vnet.v1.StopRequest\x1a+.teleport.lib.teleterm.vnet.v1.StopResponse\x12}\n" +
 	"\x0eGetServiceInfo\x124.teleport.lib.teleterm.vnet.v1.GetServiceInfoRequest\x1a5.teleport.lib.teleterm.vnet.v1.GetServiceInfoResponse\x12\x98\x01\n" +
 	"\x17GetBackgroundItemStatus\x12=.teleport.lib.teleterm.vnet.v1.GetBackgroundItemStatusRequest\x1a>.teleport.lib.teleterm.vnet.v1.GetBackgroundItemStatusResponse\x12}\n" +
-	"\x0eRunDiagnostics\x124.teleport.lib.teleterm.vnet.v1.RunDiagnosticsRequest\x1a5.teleport.lib.teleterm.vnet.v1.RunDiagnosticsResponseBUZSgithub.com/gravitational/teleport/gen/proto/go/teleport/lib/teleterm/vnet/v1;vnetv1b\x06proto3"
+	"\x0eRunDiagnostics\x124.teleport.lib.teleterm.vnet.v1.RunDiagnosticsRequest\x1a5.teleport.lib.teleterm.vnet.v1.RunDiagnosticsResponse\x12\x83\x01\n" +
+	"\x10AutoConfigureSSH\x126.teleport.lib.teleterm.vnet.v1.AutoConfigureSSHRequest\x1a7.teleport.lib.teleterm.vnet.v1.AutoConfigureSSHResponseBUZSgithub.com/gravitational/teleport/gen/proto/go/teleport/lib/teleterm/vnet/v1;vnetv1b\x06proto3"
 
 var (
 	file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDescOnce sync.Once
@@ -562,7 +650,7 @@ func file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDescGZIP() []byte
 }
 
 var file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
-var file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_msgTypes = make([]protoimpl.MessageInfo, 10)
+var file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_msgTypes = make([]protoimpl.MessageInfo, 12)
 var file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_goTypes = []any{
 	(BackgroundItemStatus)(0),               // 0: teleport.lib.teleterm.vnet.v1.BackgroundItemStatus
 	(*StartRequest)(nil),                    // 1: teleport.lib.teleterm.vnet.v1.StartRequest
@@ -575,23 +663,27 @@ var file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_goTypes = []any{
 	(*GetBackgroundItemStatusResponse)(nil), // 8: teleport.lib.teleterm.vnet.v1.GetBackgroundItemStatusResponse
 	(*RunDiagnosticsRequest)(nil),           // 9: teleport.lib.teleterm.vnet.v1.RunDiagnosticsRequest
 	(*RunDiagnosticsResponse)(nil),          // 10: teleport.lib.teleterm.vnet.v1.RunDiagnosticsResponse
-	(*v1.Report)(nil),                       // 11: teleport.lib.vnet.diag.v1.Report
+	(*AutoConfigureSSHRequest)(nil),         // 11: teleport.lib.teleterm.vnet.v1.AutoConfigureSSHRequest
+	(*AutoConfigureSSHResponse)(nil),        // 12: teleport.lib.teleterm.vnet.v1.AutoConfigureSSHResponse
+	(*v1.Report)(nil),                       // 13: teleport.lib.vnet.diag.v1.Report
 }
 var file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_depIdxs = []int32{
 	0,  // 0: teleport.lib.teleterm.vnet.v1.GetBackgroundItemStatusResponse.status:type_name -> teleport.lib.teleterm.vnet.v1.BackgroundItemStatus
-	11, // 1: teleport.lib.teleterm.vnet.v1.RunDiagnosticsResponse.report:type_name -> teleport.lib.vnet.diag.v1.Report
+	13, // 1: teleport.lib.teleterm.vnet.v1.RunDiagnosticsResponse.report:type_name -> teleport.lib.vnet.diag.v1.Report
 	1,  // 2: teleport.lib.teleterm.vnet.v1.VnetService.Start:input_type -> teleport.lib.teleterm.vnet.v1.StartRequest
 	3,  // 3: teleport.lib.teleterm.vnet.v1.VnetService.Stop:input_type -> teleport.lib.teleterm.vnet.v1.StopRequest
 	5,  // 4: teleport.lib.teleterm.vnet.v1.VnetService.GetServiceInfo:input_type -> teleport.lib.teleterm.vnet.v1.GetServiceInfoRequest
 	7,  // 5: teleport.lib.teleterm.vnet.v1.VnetService.GetBackgroundItemStatus:input_type -> teleport.lib.teleterm.vnet.v1.GetBackgroundItemStatusRequest
 	9,  // 6: teleport.lib.teleterm.vnet.v1.VnetService.RunDiagnostics:input_type -> teleport.lib.teleterm.vnet.v1.RunDiagnosticsRequest
-	2,  // 7: teleport.lib.teleterm.vnet.v1.VnetService.Start:output_type -> teleport.lib.teleterm.vnet.v1.StartResponse
-	4,  // 8: teleport.lib.teleterm.vnet.v1.VnetService.Stop:output_type -> teleport.lib.teleterm.vnet.v1.StopResponse
-	6,  // 9: teleport.lib.teleterm.vnet.v1.VnetService.GetServiceInfo:output_type -> teleport.lib.teleterm.vnet.v1.GetServiceInfoResponse
-	8,  // 10: teleport.lib.teleterm.vnet.v1.VnetService.GetBackgroundItemStatus:output_type -> teleport.lib.teleterm.vnet.v1.GetBackgroundItemStatusResponse
-	10, // 11: teleport.lib.teleterm.vnet.v1.VnetService.RunDiagnostics:output_type -> teleport.lib.teleterm.vnet.v1.RunDiagnosticsResponse
-	7,  // [7:12] is the sub-list for method output_type
-	2,  // [2:7] is the sub-list for method input_type
+	11, // 7: teleport.lib.teleterm.vnet.v1.VnetService.AutoConfigureSSH:input_type -> teleport.lib.teleterm.vnet.v1.AutoConfigureSSHRequest
+	2,  // 8: teleport.lib.teleterm.vnet.v1.VnetService.Start:output_type -> teleport.lib.teleterm.vnet.v1.StartResponse
+	4,  // 9: teleport.lib.teleterm.vnet.v1.VnetService.Stop:output_type -> teleport.lib.teleterm.vnet.v1.StopResponse
+	6,  // 10: teleport.lib.teleterm.vnet.v1.VnetService.GetServiceInfo:output_type -> teleport.lib.teleterm.vnet.v1.GetServiceInfoResponse
+	8,  // 11: teleport.lib.teleterm.vnet.v1.VnetService.GetBackgroundItemStatus:output_type -> teleport.lib.teleterm.vnet.v1.GetBackgroundItemStatusResponse
+	10, // 12: teleport.lib.teleterm.vnet.v1.VnetService.RunDiagnostics:output_type -> teleport.lib.teleterm.vnet.v1.RunDiagnosticsResponse
+	12, // 13: teleport.lib.teleterm.vnet.v1.VnetService.AutoConfigureSSH:output_type -> teleport.lib.teleterm.vnet.v1.AutoConfigureSSHResponse
+	8,  // [8:14] is the sub-list for method output_type
+	2,  // [2:8] is the sub-list for method input_type
 	2,  // [2:2] is the sub-list for extension type_name
 	2,  // [2:2] is the sub-list for extension extendee
 	0,  // [0:2] is the sub-list for field type_name
@@ -608,7 +700,7 @@ func file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDesc), len(file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDesc)),
 			NumEnums:      1,
-			NumMessages:   10,
+			NumMessages:   12,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
diff --git a/gen/proto/go/teleport/lib/teleterm/vnet/v1/vnet_service_grpc.pb.go b/gen/proto/go/teleport/lib/teleterm/vnet/v1/vnet_service_grpc.pb.go
index dc680f3295f6b..074693d5c6c11 100644
--- a/gen/proto/go/teleport/lib/teleterm/vnet/v1/vnet_service_grpc.pb.go
+++ b/gen/proto/go/teleport/lib/teleterm/vnet/v1/vnet_service_grpc.pb.go
@@ -40,6 +40,7 @@ const (
 	VnetService_GetServiceInfo_FullMethodName          = "/teleport.lib.teleterm.vnet.v1.VnetService/GetServiceInfo"
 	VnetService_GetBackgroundItemStatus_FullMethodName = "/teleport.lib.teleterm.vnet.v1.VnetService/GetBackgroundItemStatus"
 	VnetService_RunDiagnostics_FullMethodName          = "/teleport.lib.teleterm.vnet.v1.VnetService/RunDiagnostics"
+	VnetService_AutoConfigureSSH_FullMethodName        = "/teleport.lib.teleterm.vnet.v1.VnetService/AutoConfigureSSH"
 )
 
 // VnetServiceClient is the client API for VnetService service.
@@ -60,6 +61,9 @@ type VnetServiceClient interface {
 	// RunDiagnostics runs a set of heuristics to determine if VNet actually works on the device, that
 	// is receives network traffic and DNS queries. RunDiagnostics requires VNet to be started.
 	RunDiagnostics(ctx context.Context, in *RunDiagnosticsRequest, opts ...grpc.CallOption) (*RunDiagnosticsResponse, error)
+	// AutoConfigureSSH automatically configures OpenSSH-compatible clients for
+	// connections to Teleport SSH hosts.
+	AutoConfigureSSH(ctx context.Context, in *AutoConfigureSSHRequest, opts ...grpc.CallOption) (*AutoConfigureSSHResponse, error)
 }
 
 type vnetServiceClient struct {
@@ -120,6 +124,16 @@ func (c *vnetServiceClient) RunDiagnostics(ctx context.Context, in *RunDiagnosti
 	return out, nil
 }
 
+func (c *vnetServiceClient) AutoConfigureSSH(ctx context.Context, in *AutoConfigureSSHRequest, opts ...grpc.CallOption) (*AutoConfigureSSHResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(AutoConfigureSSHResponse)
+	err := c.cc.Invoke(ctx, VnetService_AutoConfigureSSH_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // VnetServiceServer is the server API for VnetService service.
 // All implementations must embed UnimplementedVnetServiceServer
 // for forward compatibility.
@@ -138,6 +152,9 @@ type VnetServiceServer interface {
 	// RunDiagnostics runs a set of heuristics to determine if VNet actually works on the device, that
 	// is receives network traffic and DNS queries. RunDiagnostics requires VNet to be started.
 	RunDiagnostics(context.Context, *RunDiagnosticsRequest) (*RunDiagnosticsResponse, error)
+	// AutoConfigureSSH automatically configures OpenSSH-compatible clients for
+	// connections to Teleport SSH hosts.
+	AutoConfigureSSH(context.Context, *AutoConfigureSSHRequest) (*AutoConfigureSSHResponse, error)
 	mustEmbedUnimplementedVnetServiceServer()
 }
 
@@ -163,6 +180,9 @@ func (UnimplementedVnetServiceServer) GetBackgroundItemStatus(context.Context, *
 func (UnimplementedVnetServiceServer) RunDiagnostics(context.Context, *RunDiagnosticsRequest) (*RunDiagnosticsResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method RunDiagnostics not implemented")
 }
+func (UnimplementedVnetServiceServer) AutoConfigureSSH(context.Context, *AutoConfigureSSHRequest) (*AutoConfigureSSHResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method AutoConfigureSSH not implemented")
+}
 func (UnimplementedVnetServiceServer) mustEmbedUnimplementedVnetServiceServer() {}
 func (UnimplementedVnetServiceServer) testEmbeddedByValue()                     {}
 
@@ -274,6 +294,24 @@ func _VnetService_RunDiagnostics_Handler(srv interface{}, ctx context.Context, d
 	return interceptor(ctx, in, info, handler)
 }
 
+func _VnetService_AutoConfigureSSH_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(AutoConfigureSSHRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(VnetServiceServer).AutoConfigureSSH(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: VnetService_AutoConfigureSSH_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(VnetServiceServer).AutoConfigureSSH(ctx, req.(*AutoConfigureSSHRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 // VnetService_ServiceDesc is the grpc.ServiceDesc for VnetService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -301,6 +339,10 @@ var VnetService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "RunDiagnostics",
 			Handler:    _VnetService_RunDiagnostics_Handler,
 		},
+		{
+			MethodName: "AutoConfigureSSH",
+			Handler:    _VnetService_AutoConfigureSSH_Handler,
+		},
 	},
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "teleport/lib/teleterm/vnet/v1/vnet_service.proto",
diff --git a/gen/proto/ts/teleport/lib/teleterm/vnet/v1/vnet_service_pb.client.ts b/gen/proto/ts/teleport/lib/teleterm/vnet/v1/vnet_service_pb.client.ts
index fdd21d783c4ff..6787923ba9de6 100644
--- a/gen/proto/ts/teleport/lib/teleterm/vnet/v1/vnet_service_pb.client.ts
+++ b/gen/proto/ts/teleport/lib/teleterm/vnet/v1/vnet_service_pb.client.ts
@@ -23,6 +23,8 @@
 import type { RpcTransport } from "@protobuf-ts/runtime-rpc";
 import type { ServiceInfo } from "@protobuf-ts/runtime-rpc";
 import { VnetService } from "./vnet_service_pb";
+import type { AutoConfigureSSHResponse } from "./vnet_service_pb";
+import type { AutoConfigureSSHRequest } from "./vnet_service_pb";
 import type { RunDiagnosticsResponse } from "./vnet_service_pb";
 import type { RunDiagnosticsRequest } from "./vnet_service_pb";
 import type { GetBackgroundItemStatusResponse } from "./vnet_service_pb";
@@ -74,6 +76,13 @@ export interface IVnetServiceClient {
      * @generated from protobuf rpc: RunDiagnostics(teleport.lib.teleterm.vnet.v1.RunDiagnosticsRequest) returns (teleport.lib.teleterm.vnet.v1.RunDiagnosticsResponse);
      */
     runDiagnostics(input: RunDiagnosticsRequest, options?: RpcOptions): UnaryCall<RunDiagnosticsRequest, RunDiagnosticsResponse>;
+    /**
+     * AutoConfigureSSH automatically configures OpenSSH-compatible clients for
+     * connections to Teleport SSH hosts.
+     *
+     * @generated from protobuf rpc: AutoConfigureSSH(teleport.lib.teleterm.vnet.v1.AutoConfigureSSHRequest) returns (teleport.lib.teleterm.vnet.v1.AutoConfigureSSHResponse);
+     */
+    autoConfigureSSH(input: AutoConfigureSSHRequest, options?: RpcOptions): UnaryCall<AutoConfigureSSHRequest, AutoConfigureSSHResponse>;
 }
 /**
  * VnetService provides methods to manage a VNet instance.
@@ -133,4 +142,14 @@ export class VnetServiceClient implements IVnetServiceClient, ServiceInfo {
         const method = this.methods[4], opt = this._transport.mergeOptions(options);
         return stackIntercept<RunDiagnosticsRequest, RunDiagnosticsResponse>("unary", this._transport, method, opt, input);
     }
+    /**
+     * AutoConfigureSSH automatically configures OpenSSH-compatible clients for
+     * connections to Teleport SSH hosts.
+     *
+     * @generated from protobuf rpc: AutoConfigureSSH(teleport.lib.teleterm.vnet.v1.AutoConfigureSSHRequest) returns (teleport.lib.teleterm.vnet.v1.AutoConfigureSSHResponse);
+     */
+    autoConfigureSSH(input: AutoConfigureSSHRequest, options?: RpcOptions): UnaryCall<AutoConfigureSSHRequest, AutoConfigureSSHResponse> {
+        const method = this.methods[5], opt = this._transport.mergeOptions(options);
+        return stackIntercept<AutoConfigureSSHRequest, AutoConfigureSSHResponse>("unary", this._transport, method, opt, input);
+    }
 }
diff --git a/gen/proto/ts/teleport/lib/teleterm/vnet/v1/vnet_service_pb.grpc-server.ts b/gen/proto/ts/teleport/lib/teleterm/vnet/v1/vnet_service_pb.grpc-server.ts
index 1457c1913f871..15198d3f54bdb 100644
--- a/gen/proto/ts/teleport/lib/teleterm/vnet/v1/vnet_service_pb.grpc-server.ts
+++ b/gen/proto/ts/teleport/lib/teleterm/vnet/v1/vnet_service_pb.grpc-server.ts
@@ -20,6 +20,8 @@
 // You should have received a copy of the GNU Affero General Public License
 // along with this program.  If not, see <http://www.gnu.org/licenses/>.
 //
+import { AutoConfigureSSHResponse } from "./vnet_service_pb";
+import { AutoConfigureSSHRequest } from "./vnet_service_pb";
 import { RunDiagnosticsResponse } from "./vnet_service_pb";
 import { RunDiagnosticsRequest } from "./vnet_service_pb";
 import { GetBackgroundItemStatusResponse } from "./vnet_service_pb";
@@ -69,6 +71,13 @@ export interface IVnetService extends grpc.UntypedServiceImplementation {
      * @generated from protobuf rpc: RunDiagnostics(teleport.lib.teleterm.vnet.v1.RunDiagnosticsRequest) returns (teleport.lib.teleterm.vnet.v1.RunDiagnosticsResponse);
      */
     runDiagnostics: grpc.handleUnaryCall<RunDiagnosticsRequest, RunDiagnosticsResponse>;
+    /**
+     * AutoConfigureSSH automatically configures OpenSSH-compatible clients for
+     * connections to Teleport SSH hosts.
+     *
+     * @generated from protobuf rpc: AutoConfigureSSH(teleport.lib.teleterm.vnet.v1.AutoConfigureSSHRequest) returns (teleport.lib.teleterm.vnet.v1.AutoConfigureSSHResponse);
+     */
+    autoConfigureSSH: grpc.handleUnaryCall<AutoConfigureSSHRequest, AutoConfigureSSHResponse>;
 }
 /**
  * @grpc/grpc-js definition for the protobuf service teleport.lib.teleterm.vnet.v1.VnetService.
@@ -131,5 +140,15 @@ export const vnetServiceDefinition: grpc.ServiceDefinition<IVnetService> = {
         requestDeserialize: bytes => RunDiagnosticsRequest.fromBinary(bytes),
         responseSerialize: value => Buffer.from(RunDiagnosticsResponse.toBinary(value)),
         requestSerialize: value => Buffer.from(RunDiagnosticsRequest.toBinary(value))
+    },
+    autoConfigureSSH: {
+        path: "/teleport.lib.teleterm.vnet.v1.VnetService/AutoConfigureSSH",
+        originalName: "AutoConfigureSSH",
+        requestStream: false,
+        responseStream: false,
+        responseDeserialize: bytes => AutoConfigureSSHResponse.fromBinary(bytes),
+        requestDeserialize: bytes => AutoConfigureSSHRequest.fromBinary(bytes),
+        responseSerialize: value => Buffer.from(AutoConfigureSSHResponse.toBinary(value)),
+        requestSerialize: value => Buffer.from(AutoConfigureSSHRequest.toBinary(value))
     }
 };
diff --git a/gen/proto/ts/teleport/lib/teleterm/vnet/v1/vnet_service_pb.ts b/gen/proto/ts/teleport/lib/teleterm/vnet/v1/vnet_service_pb.ts
index 772371fc2f714..500e0d2931bf4 100644
--- a/gen/proto/ts/teleport/lib/teleterm/vnet/v1/vnet_service_pb.ts
+++ b/gen/proto/ts/teleport/lib/teleterm/vnet/v1/vnet_service_pb.ts
@@ -92,6 +92,13 @@ export interface GetServiceInfoResponse {
      * @generated from protobuf field: bool ssh_configured = 3;
      */
     sshConfigured: boolean;
+    /**
+     * vnet_ssh_config_path is the path of VNet's generated OpenSSH-compatible
+     * config file.
+     *
+     * @generated from protobuf field: string vnet_ssh_config_path = 4;
+     */
+    vnetSshConfigPath: string;
 }
 /**
  * Request for GetBackgroundItemStatus.
@@ -129,6 +136,20 @@ export interface RunDiagnosticsResponse {
      */
     report?: Report;
 }
+/**
+ * Request for AutoConfigureSSH.
+ *
+ * @generated from protobuf message teleport.lib.teleterm.vnet.v1.AutoConfigureSSHRequest
+ */
+export interface AutoConfigureSSHRequest {
+}
+/**
+ * Response for AutoConfigureSSH.
+ *
+ * @generated from protobuf message teleport.lib.teleterm.vnet.v1.AutoConfigureSSHResponse
+ */
+export interface AutoConfigureSSHResponse {
+}
 /**
  * BackgroundItemStatus maps to SMAppServiceStatus of the Service Management framework in macOS.
  * https://developer.apple.com/documentation/servicemanagement/smappservice/status-swift.enum?language=objc
@@ -295,7 +316,8 @@ class GetServiceInfoResponse$Type extends MessageType<GetServiceInfoResponse> {
         super("teleport.lib.teleterm.vnet.v1.GetServiceInfoResponse", [
             { no: 1, name: "app_dns_zones", kind: "scalar", repeat: 2 /*RepeatType.UNPACKED*/, T: 9 /*ScalarType.STRING*/ },
             { no: 2, name: "clusters", kind: "scalar", repeat: 2 /*RepeatType.UNPACKED*/, T: 9 /*ScalarType.STRING*/ },
-            { no: 3, name: "ssh_configured", kind: "scalar", T: 8 /*ScalarType.BOOL*/ }
+            { no: 3, name: "ssh_configured", kind: "scalar", T: 8 /*ScalarType.BOOL*/ },
+            { no: 4, name: "vnet_ssh_config_path", kind: "scalar", T: 9 /*ScalarType.STRING*/ }
         ]);
     }
     create(value?: PartialMessage<GetServiceInfoResponse>): GetServiceInfoResponse {
@@ -303,6 +325,7 @@ class GetServiceInfoResponse$Type extends MessageType<GetServiceInfoResponse> {
         message.appDnsZones = [];
         message.clusters = [];
         message.sshConfigured = false;
+        message.vnetSshConfigPath = "";
         if (value !== undefined)
             reflectionMergePartial<GetServiceInfoResponse>(this, message, value);
         return message;
@@ -321,6 +344,9 @@ class GetServiceInfoResponse$Type extends MessageType<GetServiceInfoResponse> {
                 case /* bool ssh_configured */ 3:
                     message.sshConfigured = reader.bool();
                     break;
+                case /* string vnet_ssh_config_path */ 4:
+                    message.vnetSshConfigPath = reader.string();
+                    break;
                 default:
                     let u = options.readUnknownField;
                     if (u === "throw")
@@ -342,6 +368,9 @@ class GetServiceInfoResponse$Type extends MessageType<GetServiceInfoResponse> {
         /* bool ssh_configured = 3; */
         if (message.sshConfigured !== false)
             writer.tag(3, WireType.Varint).bool(message.sshConfigured);
+        /* string vnet_ssh_config_path = 4; */
+        if (message.vnetSshConfigPath !== "")
+            writer.tag(4, WireType.LengthDelimited).string(message.vnetSshConfigPath);
         let u = options.writeUnknownFields;
         if (u !== false)
             (u == true ? UnknownFieldHandler.onWrite : u)(this.typeName, message, writer);
@@ -495,6 +524,56 @@ class RunDiagnosticsResponse$Type extends MessageType<RunDiagnosticsResponse> {
  * @generated MessageType for protobuf message teleport.lib.teleterm.vnet.v1.RunDiagnosticsResponse
  */
 export const RunDiagnosticsResponse = new RunDiagnosticsResponse$Type();
+// @generated message type with reflection information, may provide speed optimized methods
+class AutoConfigureSSHRequest$Type extends MessageType<AutoConfigureSSHRequest> {
+    constructor() {
+        super("teleport.lib.teleterm.vnet.v1.AutoConfigureSSHRequest", []);
+    }
+    create(value?: PartialMessage<AutoConfigureSSHRequest>): AutoConfigureSSHRequest {
+        const message = globalThis.Object.create((this.messagePrototype!));
+        if (value !== undefined)
+            reflectionMergePartial<AutoConfigureSSHRequest>(this, message, value);
+        return message;
+    }
+    internalBinaryRead(reader: IBinaryReader, length: number, options: BinaryReadOptions, target?: AutoConfigureSSHRequest): AutoConfigureSSHRequest {
+        return target ?? this.create();
+    }
+    internalBinaryWrite(message: AutoConfigureSSHRequest, writer: IBinaryWriter, options: BinaryWriteOptions): IBinaryWriter {
+        let u = options.writeUnknownFields;
+        if (u !== false)
+            (u == true ? UnknownFieldHandler.onWrite : u)(this.typeName, message, writer);
+        return writer;
+    }
+}
+/**
+ * @generated MessageType for protobuf message teleport.lib.teleterm.vnet.v1.AutoConfigureSSHRequest
+ */
+export const AutoConfigureSSHRequest = new AutoConfigureSSHRequest$Type();
+// @generated message type with reflection information, may provide speed optimized methods
+class AutoConfigureSSHResponse$Type extends MessageType<AutoConfigureSSHResponse> {
+    constructor() {
+        super("teleport.lib.teleterm.vnet.v1.AutoConfigureSSHResponse", []);
+    }
+    create(value?: PartialMessage<AutoConfigureSSHResponse>): AutoConfigureSSHResponse {
+        const message = globalThis.Object.create((this.messagePrototype!));
+        if (value !== undefined)
+            reflectionMergePartial<AutoConfigureSSHResponse>(this, message, value);
+        return message;
+    }
+    internalBinaryRead(reader: IBinaryReader, length: number, options: BinaryReadOptions, target?: AutoConfigureSSHResponse): AutoConfigureSSHResponse {
+        return target ?? this.create();
+    }
+    internalBinaryWrite(message: AutoConfigureSSHResponse, writer: IBinaryWriter, options: BinaryWriteOptions): IBinaryWriter {
+        let u = options.writeUnknownFields;
+        if (u !== false)
+            (u == true ? UnknownFieldHandler.onWrite : u)(this.typeName, message, writer);
+        return writer;
+    }
+}
+/**
+ * @generated MessageType for protobuf message teleport.lib.teleterm.vnet.v1.AutoConfigureSSHResponse
+ */
+export const AutoConfigureSSHResponse = new AutoConfigureSSHResponse$Type();
 /**
  * @generated ServiceType for protobuf service teleport.lib.teleterm.vnet.v1.VnetService
  */
@@ -503,5 +582,6 @@ export const VnetService = new ServiceType("teleport.lib.teleterm.vnet.v1.VnetSe
     { name: "Stop", options: {}, I: StopRequest, O: StopResponse },
     { name: "GetServiceInfo", options: {}, I: GetServiceInfoRequest, O: GetServiceInfoResponse },
     { name: "GetBackgroundItemStatus", options: {}, I: GetBackgroundItemStatusRequest, O: GetBackgroundItemStatusResponse },
-    { name: "RunDiagnostics", options: {}, I: RunDiagnosticsRequest, O: RunDiagnosticsResponse }
+    { name: "RunDiagnostics", options: {}, I: RunDiagnosticsRequest, O: RunDiagnosticsResponse },
+    { name: "AutoConfigureSSH", options: {}, I: AutoConfigureSSHRequest, O: AutoConfigureSSHResponse }
 ]);
diff --git a/lib/teleterm/vnet/service.go b/lib/teleterm/vnet/service.go
index e92f981187ff6..748ef53224511 100644
--- a/lib/teleterm/vnet/service.go
+++ b/lib/teleterm/vnet/service.go
@@ -248,9 +248,10 @@ func (s *Service) GetServiceInfo(ctx context.Context, _ *api.GetServiceInfoReque
 	}
 
 	return &api.GetServiceInfoResponse{
-		AppDnsZones:   unifiedClusterConfig.AppDNSZones(),
-		Clusters:      unifiedClusterConfig.ClusterNames,
-		SshConfigured: sshConfigured,
+		AppDnsZones:       unifiedClusterConfig.AppDNSZones(),
+		Clusters:          unifiedClusterConfig.ClusterNames,
+		SshConfigured:     sshConfigured,
+		VnetSshConfigPath: sshConfigChecker.VNetSSHConfigPath,
 	}, nil
 }
 
@@ -313,6 +314,13 @@ func (s *Service) getNetworkStack(ctx context.Context) (*diagv1.NetworkStack, er
 	}, nil
 }
 
+// AutoConfigureSSH automatically configures OpenSSH-compatible clients for
+// connections to Teleport SSH servers through VNet.
+func (s *Service) AutoConfigureSSH(ctx context.Context, _ *api.AutoConfigureSSHRequest) (*api.AutoConfigureSSHResponse, error) {
+	err := vnet.AutoConfigureOpenSSH(ctx, s.cfg.profilePath)
+	return nil, trace.Wrap(err)
+}
+
 func (s *Service) stopLocked() error {
 	if s.status == statusClosed {
 		return trace.CompareFailed("VNet service has been closed")
diff --git a/proto/teleport/lib/teleterm/vnet/v1/vnet_service.proto b/proto/teleport/lib/teleterm/vnet/v1/vnet_service.proto
index d63a140678c62..0336e122b523a 100644
--- a/proto/teleport/lib/teleterm/vnet/v1/vnet_service.proto
+++ b/proto/teleport/lib/teleterm/vnet/v1/vnet_service.proto
@@ -40,6 +40,10 @@ service VnetService {
   // RunDiagnostics runs a set of heuristics to determine if VNet actually works on the device, that
   // is receives network traffic and DNS queries. RunDiagnostics requires VNet to be started.
   rpc RunDiagnostics(RunDiagnosticsRequest) returns (RunDiagnosticsResponse);
+
+  // AutoConfigureSSH automatically configures OpenSSH-compatible clients for
+  // connections to Teleport SSH hosts.
+  rpc AutoConfigureSSH(AutoConfigureSSHRequest) returns (AutoConfigureSSHResponse);
 }
 
 // Request for Start.
@@ -67,6 +71,9 @@ message GetServiceInfoResponse {
   // ssh_configured is true if the user's SSH config file includes VNet's
   // generated SSH config necessary for SSH access.
   bool ssh_configured = 3;
+  // vnet_ssh_config_path is the path of VNet's generated OpenSSH-compatible
+  // config file.
+  string vnet_ssh_config_path = 4;
 }
 
 // Request for GetBackgroundItemStatus.
@@ -97,3 +104,9 @@ message RunDiagnosticsRequest {}
 message RunDiagnosticsResponse {
   teleport.lib.vnet.diag.v1.Report report = 1;
 }
+
+// Request for AutoConfigureSSH.
+message AutoConfigureSSHRequest {}
+
+// Response for AutoConfigureSSH.
+message AutoConfigureSSHResponse {}
diff --git a/web/packages/teleterm/src/services/tshd/fixtures/mocks.ts b/web/packages/teleterm/src/services/tshd/fixtures/mocks.ts
index 3520508111585..9f2a80fae0196 100644
--- a/web/packages/teleterm/src/services/tshd/fixtures/mocks.ts
+++ b/web/packages/teleterm/src/services/tshd/fixtures/mocks.ts
@@ -123,9 +123,10 @@ export class MockVnetClient implements VnetClient {
       appDnsZones: [],
       clusters: [],
       sshConfigured: false,
+      vnetSshConfigPath:
+        '/Users/user/Library/Application Support/Teleport Connect/tsh/vnet_ssh_config',
     });
   getBackgroundItemStatus = () => new MockedUnaryCall({ status: 0 });
-
   runDiagnostics() {
     return new MockedUnaryCall({
       report: {
@@ -134,4 +135,5 @@ export class MockVnetClient implements VnetClient {
       },
     });
   }
+  autoConfigureSSH = () => new MockedUnaryCall({});
 }
diff --git a/web/packages/teleterm/src/ui/ModalsHost/ModalsHost.tsx b/web/packages/teleterm/src/ui/ModalsHost/ModalsHost.tsx
index e5fd1b58b97ef..77cc1037883a1 100644
--- a/web/packages/teleterm/src/ui/ModalsHost/ModalsHost.tsx
+++ b/web/packages/teleterm/src/ui/ModalsHost/ModalsHost.tsx
@@ -27,6 +27,7 @@ import { Dialog } from 'teleterm/ui/services/modals';
 import { ClusterLogout } from '../ClusterLogout';
 import { ResourceSearchErrors } from '../Search/ResourceSearchErrors';
 import { assertUnreachable } from '../utils';
+import { ConfigureSSHClients } from '../Vnet/ConfigureSSHClients';
 import { ChangeAccessRequestKind } from './modals/ChangeAccessRequestKind';
 import { AskPin, ChangePin, OverwriteSlot, Touch } from './modals/HardwareKeys';
 import { ReAuthenticate } from './modals/ReAuthenticate';
@@ -281,6 +282,17 @@ function renderDialog({
         />
       );
     }
+    case 'configure-ssh-clients': {
+      return (
+        <ConfigureSSHClients
+          hidden={hidden}
+          onConfirm={dialog.onConfirm}
+          onClose={handleClose}
+          vnetSSHConfigPath={dialog.vnetSSHConfigPath}
+          host={dialog.host}
+        />
+      );
+    }
 
     default: {
       return assertUnreachable(dialog);
diff --git a/web/packages/teleterm/src/ui/Vnet/ConfigureSSHClients.story.tsx b/web/packages/teleterm/src/ui/Vnet/ConfigureSSHClients.story.tsx
new file mode 100644
index 0000000000000..6ebb469d4feea
--- /dev/null
+++ b/web/packages/teleterm/src/ui/Vnet/ConfigureSSHClients.story.tsx
@@ -0,0 +1,51 @@
+/**
+ * Teleport
+ * Copyright (C) 2025 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+import { ConfigureSSHClients } from './ConfigureSSHClients';
+
+export default {
+  title: 'Teleterm/Vnet/ConfigureSSHClients',
+  argTypes: {
+    simulateError: {
+      name: 'simulate error',
+      control: 'boolean',
+      defaultValue: false,
+    },
+    host: {
+      name: 'set specific SSH host',
+      control: 'text',
+    },
+  },
+};
+
+export const Story = ({ simulateError, host }) => (
+  <ConfigureSSHClients
+    onClose={() => console.log('closed')}
+    onConfirm={() =>
+      new Promise<void>((resolve, reject) => {
+        setTimeout(
+          () =>
+            simulateError ? reject(new Error('test error')) : resolve(null),
+          1000
+        );
+      })
+    }
+    host={host}
+    vnetSSHConfigPath="/Users/user/Library/Application Support/Teleport Connect/tsh/vnet_ssh_config"
+  />
+);
diff --git a/web/packages/teleterm/src/ui/Vnet/ConfigureSSHClients.tsx b/web/packages/teleterm/src/ui/Vnet/ConfigureSSHClients.tsx
new file mode 100644
index 0000000000000..b11cbf2cbed13
--- /dev/null
+++ b/web/packages/teleterm/src/ui/Vnet/ConfigureSSHClients.tsx
@@ -0,0 +1,97 @@
+/**
+ * Teleport
+ * Copyright (C) 2025 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+import { Alert, ButtonIcon, ButtonPrimary, Flex, H2, Text } from 'design';
+import Dialog, {
+  DialogContent,
+  DialogFooter,
+  DialogHeader,
+} from 'design/Dialog';
+import { Cross } from 'design/Icon';
+import { TextSelectCopy } from 'shared/components/TextSelectCopy';
+import { useAsync } from 'shared/hooks/useAsync';
+
+export function ConfigureSSHClients(props: {
+  onClose: () => void;
+  onConfirm: () => Promise<void>;
+  vnetSSHConfigPath: string;
+  host?: string;
+  hidden?: boolean;
+}) {
+  const [confirmAttempt, onConfirm] = useAsync(props.onConfirm);
+  const host = props.host || '<hostname>.<cluster>';
+  return (
+    <Dialog
+      open={!props.hidden}
+      dialogCss={() => ({
+        maxWidth: '800px',
+        width: '100%',
+      })}
+    >
+      <DialogHeader justifyContent="space-between" alignItems="baseline">
+        <H2>Configure SSH clients for VNet</H2>
+        <ButtonIcon
+          type="button"
+          onClick={props.onClose}
+          color="text.slightlyMuted"
+        >
+          <Cross size="medium" />
+        </ButtonIcon>
+      </DialogHeader>
+      <DialogContent mb={4}>
+        <Text typography="body2">
+          Compatible SSH clients can connect to SSH servers with Teleport
+          features like per-session MFA without complex configuration. Teleport
+          VNet will handle the connection and manage SSH certificates
+          automatically, simply connect with:
+        </Text>
+        <TextSelectCopy text={`ssh <username>@${host}`} mt={1} />
+        <Text typography="body2" mt={2}>
+          To enable this for any OpenSSH-compatible client that reads
+          configuration from <code>~/.ssh/config</code>, add the following line
+          at the top of the file, or click the button below to add it
+          automatically.
+        </Text>
+        <TextSelectCopy
+          text={`Include "${props.vnetSSHConfigPath}"`}
+          bash={false}
+          mt={1}
+        />
+      </DialogContent>
+      <DialogFooter>
+        <Flex>
+          <ButtonPrimary
+            ml="auto"
+            mr={1}
+            onClick={() =>
+              onConfirm().then(([, err]) => !err && props.onClose())
+            }
+            disabled={confirmAttempt.status === 'processing'}
+          >
+            Configure Automatically
+          </ButtonPrimary>
+        </Flex>
+        {confirmAttempt.status === 'error' && (
+          <Alert mt={4} mb={0} dismissible>
+            {confirmAttempt.statusText}
+          </Alert>
+        )}
+      </DialogFooter>
+    </Dialog>
+  );
+}
diff --git a/web/packages/teleterm/src/ui/Vnet/DocumentVnetDiagReport.tsx b/web/packages/teleterm/src/ui/Vnet/DocumentVnetDiagReport.tsx
index b90f34f0dfd40..5afcac23aafff 100644
--- a/web/packages/teleterm/src/ui/Vnet/DocumentVnetDiagReport.tsx
+++ b/web/packages/teleterm/src/ui/Vnet/DocumentVnetDiagReport.tsx
@@ -35,7 +35,6 @@ import { HoverTooltip } from 'design/Tooltip';
 import { copyToClipboard } from 'design/utils/copyToClipboard';
 import { Timestamp } from 'gen-proto-ts/google/protobuf/timestamp_pb';
 import * as diag from 'gen-proto-ts/teleport/lib/vnet/diag/v1/diag_pb';
-import { TextSelectCopy } from 'shared/components/TextSelectCopy';
 import { CanceledError, useAsync } from 'shared/hooks/useAsync';
 import { pluralize } from 'shared/utils/text';
 
@@ -380,6 +379,7 @@ function CheckReportSSHConfiguration({
 }: {
   checkReport: diag.CheckReport;
 }) {
+  const { openSSHConfigurationModal } = useVnetContext();
   if (!reportOneOfIsSSHConfigurationReport(report)) {
     return null;
   }
@@ -442,11 +442,18 @@ function CheckReportSSHConfiguration({
         <P2 m={0}>
           The user's default SSH configuration file does not include VNet's
           generated SSH configuration file. SSH clients will not be able to make
-          connections to VNet SSH addresses by default. Add the following line
-          to <code>{userOpensshConfigPath}</code> to configure
-          OpenSSH-compatible clients for VNet:
+          connections to VNet SSH addresses by default.{' '}
         </P2>
-        <TextSelectCopy text={`Include "${vnetSshConfigPath}"`} bash={false} />
+        <Button
+          intent="neutral"
+          onClick={() =>
+            openSSHConfigurationModal({
+              vnetSSHConfigPath: vnetSshConfigPath,
+            })
+          }
+        >
+          Resolve
+        </Button>
       </Stack>
       {userOpensshConfigExists ? (
         <details>
diff --git a/web/packages/teleterm/src/ui/Vnet/VnetSliderStep.story.tsx b/web/packages/teleterm/src/ui/Vnet/VnetSliderStep.story.tsx
index 290698fa115c7..eb446cab5d2bb 100644
--- a/web/packages/teleterm/src/ui/Vnet/VnetSliderStep.story.tsx
+++ b/web/packages/teleterm/src/ui/Vnet/VnetSliderStep.story.tsx
@@ -165,6 +165,8 @@ function VnetSliderStep(props: StoryProps) {
             appDnsZones: props.appDnsZones,
             clusters: props.clusters,
             sshConfigured: props.sshConfigured,
+            vnetSshConfigPath:
+              '/Users/user/Library/Application Support/Teleport Connect/tsh/vnet_ssh_config',
           });
         }
         return pendingPromise;
@@ -175,6 +177,8 @@ function VnetSliderStep(props: StoryProps) {
           appDnsZones: props.appDnsZones,
           clusters: props.clusters,
           sshConfigured: props.sshConfigured,
+          vnetSshConfigPath:
+            '/Users/user/Library/Application Support/Teleport Connect/tsh/vnet_ssh_config',
         },
         props.fetchStatus === 'error'
           ? new Error('something went wrong')
@@ -235,13 +239,13 @@ function VnetSliderStep(props: StoryProps) {
 }
 
 const RerequestServiceInfo = () => {
-  const { getServiceInfo, serviceInfoAttempt } = useVnetContext();
+  const { serviceInfoAttempt, refreshServiceInfoAttempt } = useVnetContext();
 
   useEffect(() => {
     if (serviceInfoAttempt.status === 'success') {
-      getServiceInfo();
+      refreshServiceInfoAttempt();
     }
-  }, [serviceInfoAttempt, getServiceInfo]);
+  }, [serviceInfoAttempt, refreshServiceInfoAttempt]);
 
   return null;
 };
diff --git a/web/packages/teleterm/src/ui/Vnet/VnetSliderStep.tsx b/web/packages/teleterm/src/ui/Vnet/VnetSliderStep.tsx
index ffc7bd59e9c92..900636a9efe35 100644
--- a/web/packages/teleterm/src/ui/Vnet/VnetSliderStep.tsx
+++ b/web/packages/teleterm/src/ui/Vnet/VnetSliderStep.tsx
@@ -19,6 +19,7 @@
 import { PropsWithChildren, useCallback, useEffect, useRef } from 'react';
 
 import { Box, ButtonSecondary, Flex, Text } from 'design';
+import { ActionButton } from 'design/Alert';
 import { StepComponentProps } from 'design/StepSlider';
 import { useRefAutoFocus } from 'shared/hooks';
 import { useDelayedRepeatedAttempt } from 'shared/hooks/useAsync';
@@ -141,8 +142,11 @@ const ErrorText = (props: PropsWithChildren) => (
  * optimistically displays previously fetched results while fetching new list.
  */
 const VnetStatus = () => {
-  const { getServiceInfo, serviceInfoAttempt: eagerServiceInfoAttempt } =
-    useVnetContext();
+  const {
+    refreshServiceInfoAttempt,
+    serviceInfoAttempt: eagerServiceInfoAttempt,
+    openSSHConfigurationModal,
+  } = useVnetContext();
   const serviceInfoAttempt = useDelayedRepeatedAttempt(eagerServiceInfoAttempt);
   const serviceInfoRefreshRequestedRef = useRef(false);
 
@@ -150,10 +154,10 @@ const VnetStatus = () => {
     function refreshListOnOpen() {
       if (!serviceInfoRefreshRequestedRef.current) {
         serviceInfoRefreshRequestedRef.current = true;
-        getServiceInfo();
+        refreshServiceInfoAttempt();
       }
     },
-    [getServiceInfo]
+    [refreshServiceInfoAttempt]
   );
 
   if (serviceInfoAttempt.status === 'error') {
@@ -166,7 +170,7 @@ const VnetStatus = () => {
           ml={2}
           size="small"
           type="button"
-          onClick={getServiceInfo}
+          onClick={refreshServiceInfoAttempt}
         >
           Retry
         </ButtonSecondary>
@@ -205,7 +209,21 @@ const VnetStatus = () => {
   const sshConfiguredIndicator = serviceInfo.sshConfigured ? null : (
     <Flex>
       <ConnectionStatusIndicator status={'warning'} inline mr={2} />
-      SSH clients are not configured to use VNet (see diag report).
+      <Text>SSH clients are not configured to use VNet</Text>
+      <Box alignSelf={'center'}>
+        <ActionButton
+          fill="minimal"
+          intent="neutral"
+          inputAlignment
+          action={{
+            onClick: () =>
+              openSSHConfigurationModal({
+                vnetSSHConfigPath: serviceInfo.vnetSshConfigPath,
+              }),
+            content: 'Resolve',
+          }}
+        />
+      </Box>
     </Flex>
   );
 
diff --git a/web/packages/teleterm/src/ui/Vnet/integration.test.tsx b/web/packages/teleterm/src/ui/Vnet/integration.test.tsx
index 1c9cf1e6bb2b6..151a8c5b553dd 100644
--- a/web/packages/teleterm/src/ui/Vnet/integration.test.tsx
+++ b/web/packages/teleterm/src/ui/Vnet/integration.test.tsx
@@ -93,6 +93,8 @@ test.each(tests)(
         appDnsZones: [proxyHostname(rootCluster.proxyHost)],
         clusters: [rootCluster.name],
         sshConfigured: true,
+        vnetSshConfigPath:
+          '/Users/user/Library/Application Support/Teleport Connect/tsh/vnet_ssh_config',
       })
     );
 
@@ -189,6 +191,8 @@ test.each(tests)(
         appDnsZones: [proxyHostname(rootCluster.proxyHost)],
         clusters: [rootCluster.name],
         sshConfigured: true,
+        vnetSshConfigPath:
+          '/Users/user/Library/Application Support/Teleport Connect/tsh/vnet_ssh_config',
       })
     );
 
@@ -250,6 +254,8 @@ test('launching VNet for the first time from the connections panel does not open
       appDnsZones: [proxyHostname(rootCluster.proxyHost)],
       clusters: [rootCluster.name],
       sshConfigured: true,
+      vnetSshConfigPath:
+        '/Users/user/Library/Application Support/Teleport Connect/tsh/vnet_ssh_config',
     })
   );
 
diff --git a/web/packages/teleterm/src/ui/Vnet/useVnetLauncher.tsx b/web/packages/teleterm/src/ui/Vnet/useVnetLauncher.tsx
index 9ede335521b95..96fa09bb30ea4 100644
--- a/web/packages/teleterm/src/ui/Vnet/useVnetLauncher.tsx
+++ b/web/packages/teleterm/src/ui/Vnet/useVnetLauncher.tsx
@@ -18,6 +18,9 @@
 
 import { useCallback, useMemo } from 'react';
 
+import { GetServiceInfoResponse } from 'gen-proto-ts/teleport/lib/teleterm/vnet/v1/vnet_service_pb';
+import { ensureError } from 'shared/utils/error';
+
 import { useAppContext } from 'teleterm/ui/appContextProvider';
 import { VnetLauncherArgs } from 'teleterm/ui/services/workspacesService/documentsService/types';
 import { useConnectionsContext } from 'teleterm/ui/TopBar/Connections/connectionsContext';
@@ -46,7 +49,14 @@ export const useVnetLauncher = (): {
   launchVnetWithoutFirstTimeCheck: (args?: VnetLauncherArgs) => Promise<void>;
 } => {
   const { notificationsService, workspacesService } = useAppContext();
-  const { start, status, startAttempt, hasEverStarted } = useVnetContext();
+  const {
+    start,
+    status,
+    startAttempt,
+    hasEverStarted,
+    currentServiceInfo,
+    openSSHConfigurationModal,
+  } = useVnetContext();
   const { open } = useConnectionsContext();
 
   const launchVnet: () => Promise<boolean> = useCallback(async () => {
@@ -106,6 +116,7 @@ export const useVnetLauncher = (): {
       const { addrToCopy, isMultiPortApp, resourceUri } = args;
       const isApp = !!routing.parseAppUri(resourceUri)?.params?.appId;
       const isServer = !!routing.parseServerUri(resourceUri)?.params?.serverId;
+
       let msgParts = [];
       if (isApp) {
         msgParts.push(`Connect via VNet by using ${addrToCopy}`);
@@ -120,9 +131,38 @@ export const useVnetLauncher = (): {
       if (isApp && !isMultiPortApp) {
         msgParts.push('and any port');
       }
-      notificationsService.notifyInfo(msgParts.join(' ') + '.');
+      const msg = msgParts.join(' ') + '.';
+
+      if (isServer) {
+        let serviceInfo: GetServiceInfoResponse;
+        try {
+          serviceInfo = await currentServiceInfo();
+        } catch (err) {
+          notificationsService.notifyError({
+            title:
+              'Could not establish whether SSH clients are configured for VNet',
+            description: ensureError(err).message,
+          });
+          return;
+        }
+        if (!serviceInfo.sshConfigured) {
+          openSSHConfigurationModal({
+            vnetSSHConfigPath: serviceInfo.vnetSshConfigPath,
+            host: addrToCopy,
+            onSuccess: () => notificationsService.notifyInfo(msg),
+          });
+          return;
+        }
+      }
+
+      notificationsService.notifyInfo(msg);
     },
-    [launchVnet, notificationsService]
+    [
+      launchVnet,
+      notificationsService,
+      currentServiceInfo,
+      openSSHConfigurationModal,
+    ]
   );
 
   return useMemo(
diff --git a/web/packages/teleterm/src/ui/Vnet/vnetContext.tsx b/web/packages/teleterm/src/ui/Vnet/vnetContext.tsx
index 7e2afd7750c7e..d0130ddd155e8 100644
--- a/web/packages/teleterm/src/ui/Vnet/vnetContext.tsx
+++ b/web/packages/teleterm/src/ui/Vnet/vnetContext.tsx
@@ -60,8 +60,18 @@ export type VnetContext = {
   startAttempt: Attempt<void>;
   stop: () => Promise<[void, Error]>;
   stopAttempt: Attempt<void>;
-  getServiceInfo: () => Promise<[GetServiceInfoResponse, Error]>;
+  /**
+   * Always returns the current VNet service info by making a gRPC call to the service.
+   */
+  currentServiceInfo: () => Promise<GetServiceInfoResponse>;
+  /**
+   * The current attempt to get the VNet service info.
+   */
   serviceInfoAttempt: Attempt<GetServiceInfoResponse>;
+  /**
+   * Refreshes serviceInfoAttempt by making a new gRPC call to the service.
+   */
+  refreshServiceInfoAttempt: () => Promise<[GetServiceInfoResponse, Error]>;
   runDiagnostics: () => Promise<[Report, Error]>;
   diagnosticsAttempt: Attempt<Report>;
   /**
@@ -106,6 +116,18 @@ export type VnetContext = {
    * Whether VNet has started successfully at least once.
    */
   hasEverStarted: boolean;
+  /**
+   * Opens a modal that handles SSH client configuration.
+   */
+  openSSHConfigurationModal: (params: {
+    /** The path to the user's generated VNet SSH config, available in the
+     * service info and diagnostic report. */
+    vnetSSHConfigPath: string;
+    /** Optional host address that will be used for example text. */
+    host?: string;
+    /** Optional callback that will be invoked after SSH clients are configured. */
+    onSuccess?: () => void;
+  }) => void;
 };
 
 export type VnetStatus =
@@ -233,12 +255,12 @@ export const VnetContextProvider: FC<
     ])
   );
 
-  const [serviceInfoAttempt, getServiceInfo] = useAsync(
-    useCallback(
-      () => vnet.getServiceInfo({}).then(({ response }) => response),
-      [vnet]
-    )
+  const currentServiceInfo = useCallback(
+    () => vnet.getServiceInfo({}).then(({ response }) => response),
+    [vnet]
   );
+  const [serviceInfoAttempt, refreshServiceInfoAttempt] =
+    useAsync(currentServiceInfo);
 
   /**
    * Calculates whether the button for running diagnostics should be disabled. If it should be
@@ -465,6 +487,30 @@ export const VnetContextProvider: FC<
     ]
   );
 
+  const autoConfigureSSH = useCallback(async (): Promise<void> => {
+    await vnet.autoConfigureSSH({});
+    // Refresh the service info and diagnostic attempts because SSH is now configured.
+    refreshServiceInfoAttempt();
+    runDiagnostics();
+  }, [vnet, refreshServiceInfoAttempt]);
+  const openSSHConfigurationModal: VnetContext['openSSHConfigurationModal'] =
+    useCallback(
+      ({ vnetSSHConfigPath, host, onSuccess }) => {
+        appCtx.modalsService.openRegularDialog({
+          kind: 'configure-ssh-clients',
+          onConfirm: async () => {
+            await autoConfigureSSH();
+            if (onSuccess) {
+              onSuccess();
+            }
+          },
+          vnetSSHConfigPath,
+          host,
+        });
+      },
+      [appCtx.modalsService, autoConfigureSSH]
+    );
+
   return (
     <VnetContext.Provider
       value={{
@@ -474,8 +520,9 @@ export const VnetContextProvider: FC<
         startAttempt,
         stop,
         stopAttempt,
-        getServiceInfo,
+        currentServiceInfo,
         serviceInfoAttempt,
+        refreshServiceInfoAttempt,
         runDiagnostics,
         diagnosticsAttempt,
         getDisabledDiagnosticsReason,
@@ -485,6 +532,7 @@ export const VnetContextProvider: FC<
         openReport: isWorkspaceSelected ? openReport : undefined,
         showDiagWarningIndicator,
         hasEverStarted,
+        openSSHConfigurationModal,
       }}
     >
       {children}
diff --git a/web/packages/teleterm/src/ui/services/modals/modalsService.ts b/web/packages/teleterm/src/ui/services/modals/modalsService.ts
index 93642c22c7257..c80f2cc1b3308 100644
--- a/web/packages/teleterm/src/ui/services/modals/modalsService.ts
+++ b/web/packages/teleterm/src/ui/services/modals/modalsService.ts
@@ -298,9 +298,22 @@ export interface DialogHardwareKeySlotOverwrite {
   onCancel(): void;
 }
 
+export interface DialogConfigureSSHClients {
+  kind: 'configure-ssh-clients';
+  /**
+   * onConfirm will be called when the user clicks the button to confirm automatic configuration
+   * for SSH clients. Any errors thrown by onConfirm will be captured and shown in the modal, the
+   * modal will only close if the promise resolves successfully.
+   */
+  onConfirm(): Promise<void>;
+  vnetSSHConfigPath: string;
+  host?: string;
+}
+
 export type Dialog =
   | DialogClusterConnect
   | DialogClusterLogout
+  | DialogConfigureSSHClients
   | DialogDocumentsReopen
   | DialogUsageData
   | DialogUserJobRole

From 882175297bf029c5526e39f73c96ba806a1f3852 Mon Sep 17 00:00:00 2001
From: Nic Klaassen <nic@goteleport.com>
Date: Thu, 26 Jun 2025 15:27:55 -0700
Subject: [PATCH 21/25] [v18][vnet] fix: avoid empty host matchers in generated
 SSH config

Backport #56103 to branch/v18
---
 lib/vnet/opensshconfig.go      | 67 +++++++++++++++++++++++-----------
 lib/vnet/opensshconfig_test.go | 30 +++++++++++----
 2 files changed, 67 insertions(+), 30 deletions(-)

diff --git a/lib/vnet/opensshconfig.go b/lib/vnet/opensshconfig.go
index e1ff49cb17222..7a3fcd52dc195 100644
--- a/lib/vnet/opensshconfig.go
+++ b/lib/vnet/opensshconfig.go
@@ -23,6 +23,7 @@ import (
 	"encoding/pem"
 	"fmt"
 	"io"
+	"maps"
 	"os"
 	"path/filepath"
 	"slices"
@@ -38,7 +39,6 @@ import (
 
 	"github.com/gravitational/teleport/api/profile"
 	"github.com/gravitational/teleport/api/types"
-	"github.com/gravitational/teleport/api/utils"
 	"github.com/gravitational/teleport/api/utils/keypaths"
 	"github.com/gravitational/teleport/lib/cryptosuites"
 	libutils "github.com/gravitational/teleport/lib/utils"
@@ -193,7 +193,8 @@ func (c *sshConfigurator) updateSSHConfiguration(ctx context.Context) error {
 	if err != nil {
 		return trace.Wrap(err, "listing profiles")
 	}
-	hostMatchers := make([]string, 0, len(profileNames))
+	// Build a set of unique cluster names for all active clusters.
+	clusterNames := make(map[string]struct{})
 	for _, profileName := range profileNames {
 		rootClient, err := c.cfg.clientApplication.GetCachedClient(ctx, profileName, "" /*leafClusterName*/)
 		if err != nil {
@@ -202,7 +203,7 @@ func (c *sshConfigurator) updateSSHConfiguration(ctx context.Context) error {
 				"profile", profileName, "error", err)
 			continue
 		}
-		hostMatchers = append(hostMatchers, hostMatcher(rootClient.RootClusterName()))
+		clusterNames[rootClient.RootClusterName()] = struct{}{}
 		leafClusters, err := c.cfg.leafClusterCache.getLeafClusters(ctx, rootClient)
 		if err != nil {
 			log.WarnContext(ctx,
@@ -211,17 +212,10 @@ func (c *sshConfigurator) updateSSHConfiguration(ctx context.Context) error {
 			continue
 		}
 		for _, leafCluster := range leafClusters {
-			hostMatchers = append(hostMatchers, hostMatcher(leafCluster))
+			clusterNames[leafCluster] = struct{}{}
 		}
 	}
-	hostMatchers = utils.Deduplicate(hostMatchers)
-	slices.Sort(hostMatchers)
-	hostMatchersString := strings.Join(hostMatchers, " ")
-	return trace.Wrap(writeSSHConfigFile(c.profilePath, hostMatchersString))
-}
-
-func hostMatcher(clusterName string) string {
-	return "*." + strings.Trim(clusterName, ".")
+	return trace.Wrap(writeSSHConfigFile(c.profilePath, clusterNames))
 }
 
 func deleteSSHConfigFile(profilePath string) error {
@@ -236,28 +230,57 @@ func deleteSSHConfigFile(profilePath string) error {
 	return nil
 }
 
-func writeSSHConfigFile(profilePath, hostMatchers string) error {
-	t := template.Must(template.New("ssh_config").Parse(configFileTemplate))
+func writeSSHConfigFile(profilePath string, clusterNames map[string]struct{}) error {
 	var b bytes.Buffer
-	if err := t.Execute(&b, configFileTemplateInput{
-		Hosts:          hostMatchers,
-		PrivateKeyPath: strconv.Quote(keypaths.VNetClientSSHKeyPath(profilePath)),
-		KnownHostsPath: strconv.Quote(keypaths.VNetKnownHostsPath(profilePath)),
-	}); err != nil {
-		return trace.Wrap(err, "generating SSH config file")
+	b.WriteString(generatedFileHeader)
+	if len(clusterNames) == 0 {
+		// Avoid writing the Host block if there are no clusters to match.
+		b.WriteString("# VNet currently detects no logged-in clusters, log in to start using VNet\n")
+	} else {
+		hosts := strings.Join(hostMatchers(clusterNames), " ")
+		if err := configFileTemplate.Execute(&b, configFileTemplateInput{
+			Hosts:          hosts,
+			PrivateKeyPath: strconv.Quote(keypaths.VNetClientSSHKeyPath(profilePath)),
+			KnownHostsPath: strconv.Quote(keypaths.VNetKnownHostsPath(profilePath)),
+		}); err != nil {
+			return trace.Wrap(err, "generating SSH config file")
+		}
 	}
 	p := keypaths.VNetSSHConfigPath(profilePath)
 	err := renameio.WriteFile(p, b.Bytes(), filePerms)
 	return trace.Wrap(trace.ConvertSystemError(err), "writing SSH config file to %s", p)
 }
 
-const configFileTemplate = `Host {{ .Hosts }}
+// hostMatchers returns a sorted list of host matchers for a given set of
+// cluster names.
+func hostMatchers(clusterNames map[string]struct{}) []string {
+	sortedClusterNames := slices.Sorted(maps.Keys(clusterNames))
+	matchers := make([]string, 0, len(sortedClusterNames))
+	for _, clusterName := range sortedClusterNames {
+		matchers = append(matchers, hostMatcher(clusterName))
+	}
+	return matchers
+}
+
+func hostMatcher(clusterName string) string {
+	return "*." + strings.Trim(clusterName, ".")
+}
+
+const generatedFileHeader = `# ---------------------------------------------------------------------
+# THIS FILE IS AUTOMATICALLY GENERATED BY TELEPORT VNET. DO NOT EDIT.
+# Your changes will be overwritten the next time the file is generated.
+# ---------------------------------------------------------------------
+
+`
+
+var configFileTemplate = template.Must(template.New("vnet_ssh_config").
+	Parse(`Host {{ .Hosts }}
     IdentityFile {{ .PrivateKeyPath }}
     GlobalKnownHostsFile {{ .KnownHostsPath }}
     UserKnownHostsFile /dev/null
     StrictHostKeyChecking yes
     IdentitiesOnly yes
-`
+`))
 
 type configFileTemplateInput struct {
 	Hosts          string
diff --git a/lib/vnet/opensshconfig_test.go b/lib/vnet/opensshconfig_test.go
index 9bed1ed5b0410..7557743c796e2 100644
--- a/lib/vnet/opensshconfig_test.go
+++ b/lib/vnet/opensshconfig_test.go
@@ -72,7 +72,10 @@ func TestSSHConfigurator(t *testing.T) {
 	// Intentionally not using the template defined in the production code to
 	// test that it actually produces output that looks like this.
 	expectedConfigFile := func(expectedHosts string) string {
-		return fmt.Sprintf(`Host %s
+		if expectedHosts == "" {
+			return generatedFileHeader + "# VNet currently detects no logged-in clusters, log in to start using VNet\n"
+		}
+		return generatedFileHeader + fmt.Sprintf(`Host %s
     IdentityFile "%s/id_vnet"
     GlobalKnownHostsFile "%s/vnet_known_hosts"
     UserKnownHostsFile /dev/null
@@ -98,20 +101,31 @@ func TestSSHConfigurator(t *testing.T) {
 	// fakeClientApp.
 	assertConfigFile("*.cluster1 *.cluster2 *.leaf1")
 
-	// Add a new root and leaf cluster, wait until the configurator is blocked
-	// in the loop, advance the clock, wait until the configurator is blocked
-	// again indicating it should have updated the config and made it back into
-	// the loop, and then assert that the new clusters are in the config file.
+	// To reliably advance the clock and allow runConfigurationLoop to update
+	// the config the test waits until the loop is blocked on the clock, then
+	// advances the clock, then waits until the loop is blocked again.
+	advance := func() {
+		fakeClock.BlockUntilContext(ctx, 1)
+		fakeClock.Advance(sshConfigurationUpdateInterval)
+		fakeClock.BlockUntilContext(ctx, 1)
+	}
+
+	// Add a new root and leaf cluster, allow the configuration loop to run,
+	// and then assert that the new clusters are in the config file.
 	fakeClientApp.cfg.clusters["cluster3"] = testClusterSpec{
 		leafClusters: map[string]testClusterSpec{
 			"leaf2": {},
 		},
 	}
-	fakeClock.BlockUntilContext(ctx, 1)
-	fakeClock.Advance(sshConfigurationUpdateInterval)
-	fakeClock.BlockUntilContext(ctx, 1)
+	advance()
 	assertConfigFile("*.cluster1 *.cluster2 *.cluster3 *.leaf1 *.leaf2")
 
+	// Delete all clusters as if the user logged out, allow the configuration
+	// loop to run, and then assert that the config file is well-formed.
+	fakeClientApp.cfg.clusters = nil
+	advance()
+	assertConfigFile("")
+
 	// Kill the configurator, wait for it to return, and assert that the config
 	// file was deleted.
 	cancel()

From 1150f4c339f6ab35b68c98b094e959d07dd52520 Mon Sep 17 00:00:00 2001
From: Nic Klaassen <nic@goteleport.com>
Date: Fri, 4 Jul 2025 14:18:02 -0700
Subject: [PATCH 22/25] [v18][docs] VNet SSH

Backport #56147 to branch/v18
---
 docs/img/vnet/configure-ssh-clients.png       | Bin 0 -> 159670 bytes
 docs/img/vnet/how-it-works.svg                |   2 +-
 docs/img/vnet/ssh-connect.png                 | Bin 0 -> 124321 bytes
 docs/img/vnet/start-vnet.png                  | Bin 0 -> 205539 bytes
 .../connect-your-client/teleport-connect.mdx  |   3 +
 docs/pages/connect-your-client/vnet.mdx       | 101 ++++++++++++++----
 .../teleterm/src/ui/Vnet/DocumentVnetInfo.tsx |   5 +-
 7 files changed, 88 insertions(+), 23 deletions(-)
 create mode 100644 docs/img/vnet/configure-ssh-clients.png
 create mode 100644 docs/img/vnet/ssh-connect.png
 create mode 100644 docs/img/vnet/start-vnet.png

diff --git a/docs/img/vnet/configure-ssh-clients.png b/docs/img/vnet/configure-ssh-clients.png
new file mode 100644
index 0000000000000000000000000000000000000000..522856f80bfbb458debd092d2bbeede48de484e9
GIT binary patch
literal 159670
zcmZ^JbySp5*Dp9afG~h`qo{<^-6-8D-QC^I&`JpiNSAbX!_eK`-Q7dqLErDa-~HpB
zwPx0uGiUE}_HXCe&+}bYS_Jf(;58f^97s%5P#zBM^$R$-S80f_Z#euo%_=xJ6ed#v
z0a;UheK<ImxuQ7NZwk{mUDw1>KfnC``X!KF#y5DN2fYo25zRN(|HGHJ9lz1PC5?`~
zo>CRG$u+_5$e4UBYRg}wM)jk@(S%4gZ$b~-c#{}0O=kISz39?us_r`O_~1O*bErv`
z4fl&cYmBI1E%_I4t!x51PDjG8*r5zZz^e<Na9$jZ6v?*mkPsl2-!|P^CpHAGQz!?X
z4!X=ALih6&u9Uq))dRl-?o<ZO;Ij-F&C4|LpH>_dvWyV(H~Zpp;9zqEc9Gs9KvLGm
zxgUoZ5>dxB{I`i(4O3JfH@Y!Zp+=&O%=GUwLIb!z-XM@&(NX>$5@|#)BkqfQOLB7E
zciTa+z06%9%w4yT^oB$ugz=ki0OR*yF2cuUxwlbh!@3~}YQ@alx;le!GY|K>a)81>
zXbk&ja-1?&IO*3n!M_SqKcmSgZLK?T<5Liq@vb2;%IS6dOo40zMc%OrC(+<^3ZiZP
zGC&qUuw#Cs{2KXv6guJCV(cD%j3B#k@f-@2VfT;feY$A75w-Gy;!kL2_XgEtsUt(!
zf+#nbL!EVEdBOO>ej)x;48fCcx_izrGXw1yf7o*{v~$S2@-ymv?vMwwQ;Y7(d^3;`
zzzjTd#_kE6mL?j+7Vbbf4QN~VW3#FC=Gt|k^%jJF{kr2|Lzfh6A%AhA2K8M*-<%V}
z2D5X><wXOd+R|Qbs*HUl`w>Di=JztA6n^oAZB!wpt&4@+yLyh8M}xdS^t58C6sj@Z
zVWA3B0!INRD_`hKzl5vdNCt7EJ6$ke!kOn%VAZ}2AVT+vmdD4B<eYgg+$~5M*n*Dq
zg_V)kBn_8JNYwi&o-++egn4rmsXWHhkM`yS&K6z}jOZDM#`#_3lPLI3^o^I?8(bC=
zH9tg_iKo=dH<y`h!r~V{$w*Tovlx=ZK<Pk*_Pq3O?qk6h6rQ~%4k&_yF&AV_LDQ!U
zsb@Z8Vs#RAl5(=eGMKTVd<Ax7ls~<9Mjj13>-qkG&KxNGMEN$tlf*p75R*jNn9&kZ
zzA!bsk74@8mVa8ob8qpAv}DAFWHBIoTx1lm>y#St%~{r&bgQ-L(ZTyyl@aLpTJ)9n
z(D04H_00~^r7QU<s4SITi0J(gdXXSzY4CeNrcr4ker~&Nkk(>S<SYhozZYTjgy(z{
zn{+`eUZP2&rk~4DJ6%WVUD}Fd+(7JWdpl%Ri;E8QQnC*2Z3b#(TxDk;@HQGsR|T|n
z`*rs6qn!FZg3of~<Kts0pIM{`oY%!m9isc(Syy<IycbElJ<$>&zX*^hDIsv6kyirr
zuOvzZ_HAFGodkSA1d9d-d=T}^%e~d0{Bk+$UssAKo=&9H#+mC&QwlO$MVLX58hPEl
zg3FG)y~?-%_sXGFe<uL<1gD*zpsT}yUSI&FqKk+@c>wvmo4?eA8eXEEv5ZJEw70Bo
zMz4@aJxozoy^Qlf<lwCn3YVXw-gFt43fmRh6_CP)MFW?u)$*jQ7I&yC^W=la>lD9X
zNXY3&s9hsQNvrdE7?k0j+6!NKCE}F#1)?H<Dm_IKBAu^52ga@->${Izn1+I{<OG<}
zX?8fZKVS)>ohJN=;`|We!0&9s9xr*;gTLWnhp#F$6&1FDbVlYHbnuZ+_BWRPkN2HH
z7+>QBd(#L0{F47f$wi4kNik}j7jot+p0%f7nU}It^ILc@b10oQ(<<XAog~Xi{#fqL
zggN2eVC0raNS3W>K&AW~aL#J(&D<+B+{2h3`9I=+6o}`F*Z)w-63pT^jO){lLH>lM
zxHQJHJLN#?Mx88^Dy98(S=u^1HPd-?nXwYD8ih|7<9$R~uw1W+PLjcb0k?vpVwLQr
zQkXJ!KJB-nZ;J(PYM0@A<}8*h2rS`hfe9Lxb#u~HnP$_IDGc$Fghp?fl2v;&h6?pb
zjF*g><)`JGl_F%f3+QA^l&rtCq&*7y73&tYPW{f8E0jww(_T*!jv&_@7mm*ColGiG
zEpnAT&o@eq4WD8!QYm^-WT@6qIb^~!mTfw35@d2-6=z~S&Rgs$6EspbvAT2OfU|Eg
z&5<{rB{5kw88$LFPBZ=RwML*uSw?+WicZKnR;z019Zvvnx^*ULI^CFddW+1{kH<tg
z^30jcmzlBQW_XUe6B2%-KrrxyAEO@+Fb=eYSB@fpat>0)XT@J)Bnu-7T?;cJuw>;l
zonTUPt~@qb+9@Bs6MnJ^CFH`Rz#C>*GFq@&FxE4}Fd}1^)v;Un)BSCkd4ze`p=eik
z+=_{q$(t#CR;}W_k$3rpibZU&VlQXw9t#^Q8e3eVHOn!*x4Eu)q=lSbS@&A($M&&)
z#(BFU!$iZ9nD|M-f;y#3r55$^qNYOoqG|QiaxYVT^Jug4Dyitf_v(Oo#Cg4WxA{aT
z$p*Lvd?yyCxP!bat*e`>#Dih371SftI@C$jZ6aF{G?Dam^6nvqUkpq79r|Wn8jkYz
zdR*8XlU$3oQ_kT|w6<1uUW`*_7Pm8s`Z8e;D{Dt&cC$xz`bk%{J+>d$)w&+m_g4Ds
zi=3L6Q#g1X?tM=O*Hh~`>X8;$8#L{wZBut1tK1Xs+|gvv@<jYZYI0(Xv$utZ3$*IB
zY_<9urQH=8{TgvyYTR0`PEV*VX1C94N}{csk7<`hFfAw$$t_ZChKJiC_G>0(R)^1q
zFP?_9-{_D)K)Fb@geLesXbW$kKP`uc^pB1BknE76fW(Myy{D@K>qH=O-*(@AUoQSi
zfhd7|eybog|1JNipsT>Tpg|-q0%@d(*V@=#ENvfrapiDF33u^1=*|RxseRM?rZ}+(
zGbvMtenAhtjSdz}>n@e<VEqKWcdTSiQU^us^R@W4eBBD`>uUw;q#r^heka;|lB2Ly
zTPyCs75ggoIm+t8{Kx+2d3k1eM)^H?t!!XUv9zKj0hj60p9)i9)3(Yj2Q@eG+whC#
z-gnW{Qb&C@!<2)yjGaz>g;d7b1X9>iJj_!11kQ7hlHx{YTg3y;3o2Hi8oJM9=K4x>
z5$)>3?gMBWC7aI3_b&@xp;bJTD;x9mo%X9nk0%rURF9m0zkyibFLT~@UcJ#Y5HYwM
zzf32NeMlus)kDorIfb(wA|uI`%xmtJ(;+ASNp9dIzRXIvgju{^Ah0*PCjr@Ul=Q)=
zF8TiRO)}Y2#$JXplY-GvY8HzGcY$Yh`$1L(DNYcMH(yXvd*V3jw8v3Ko%2@Nwq<g}
z;BdlnHN>tp>XjyPJI)lX9(AAgh5C1i-o2>p5Cz;CY6jJEo8G39w&r{~MY@<+t%tem
zeVXN;%ZM$zDx6-sfmx(|P{WqkhF{9RTGYGLul8%!n~UzNy<M-)!m&v{vzGiR#wuwn
z|D>aMXjU}YS#VqwUz=@9V{SP+x4oZT#HFyRRA$Jd-{jGh!B}7J>Ngn}L%5{4siawq
zn!i*r>aso-M#px_ra41YTc;b+8+%4$-HhqwY-v6-)kTn)@WXP#QfQvULT1)$&%NY$
z-wE%Ka{1IN$0a9&HT_C3*;sRtc3t!H-l?0b=k-zO;<h*9V|ra{p6))$1J9<rZi&Zn
zDxcA#i=p;JbM=GP9idnGqv<+)GQcoQW&NOQDSLrj$X?BUyS2y9lBSsk!OQ8<)wsab
z{PJCsz-Lq@R633Y?>|t{Wx3wb6n&2Fqbe!$23wD@QwfSS8Hc1$PS@MG5$*6)y;M%S
zxnqZY{8T0c@5|e&-NNqKE~o1&Kug_|Q(Ajw=4sM)-PZZiwmK(;14%Qw&FW0&N=S>w
zk6MQ-yMfK2&%MgUnuE3ZwOuV&JM}xa<I5pl-tPLVQhkHv>IpTUtO%EjZ`vOtcwVD*
zrgODA&mEI5HQ7cuAD?>8J~(SikkFHU<7ReOx$e1?Gj}$*zTu;In!QvxgIdb$YO8r$
zdgxtm<g@^utd5f><}bh9Rz9T~4x^+VdK_If7SR<SUxoPMT5HEPF?uN8&Fx?2vE^Bl
zG$-GLUlpG<J>12j$&p%J;a*%z)XLMMyaW@ZB!f<drQwVSe1=@%x;9#`1q^k3!qD&8
zNIZhR1tNU$qy6H62DkkQvUCW?+N1p*@HQOj=LQH0J$-LU30&fe5uAJprG4~N`igTO
zB-<SARd^S|gi>4Iy1nfU?}Fe5_?k4u4ZB4k*@&vz!@=QveEz_T$$vP3d!bJyCiwN6
z%iO^%kJZ{2JRjYoH(CA|azJ|T0_xx_yL!#S4?JziGnf_tpqey40Qbv9(o5AgpSo6Q
zBd5r;c~&>RCKP=%ZrtA!H_IQy?6^tR*<%YlLMH{~DrYTlLWD9$U0hr!W5f@g=Bq8=
z38F)F+2aSZ&G;W!QiqMritqM&y7LI?TDZpOjvrleR@eXk!&^-I`0|N7+7|sKf3Q`J
zxoWH~UPMI1rJHA&ibc&l<qy;#0itd<si=*@EeB3bTHHEvGx@Xk5trZvqRE~?uNLhh
zrSNqFM*MN+0Q7NFc7j*U$7p>1`<%txgck_;UM<%*yO$GZ>f~&U4_jAqIof-q%iK#T
zkBck+|1+(7J3gHsP2yi@cH3$iv)`Y1T62>G=u-OAOED!&qXGRc-H3%oZ#<@^8xUA-
zU#OIv8SWKsxxrIkpNTXq4qZQJ&>E{M;Ys^KoHe_v8;*}l<ex?@yu7`N6$@hQ>J0EY
z`M<_`yOI4rBjc&)=P)kvt4tMYeBmsON2P*Z<XNMNn=`%UrlvWkX~*QZC)wj8<%Jfk
z`>sn?H6fEb5?Y?5h1X(He~N2b$_QMmHE6k#rL*MYCA(7CDlHox_KgcB^A!s;t}#YQ
zua1ne%9v1AT&(nsI0o!=ru50p27J_5%Cb^2cMR<OIfasd(cy30Uy*56emg}K6xzv1
zOO|SQ<G|5S{1BYrr6G{YumbwED+nd_5*zA$hvZu0O`-)eKiGI2<|j&b^01)Ju)J77
ztc|n{>0E=2p&{v<@m=AihON8d!^r)s)uSe-hNikY4kjihKE9UfYNZnI=<ME|9#Q6P
zsFMWBKV~OldNzXdqBY~=rX4FY18n`}%u+Sg)togVf0nIKj*bwM8s@*SA6Z&kD;LmZ
zJ{A`?7AY0Ph-bCPmS+Fs0LO#j_j%Lq+oF<rmR3o(*sqm_mH9!)X;KI^(e&xj($dnx
zg2n;&f(2{#xPyTU)Roto3jQCdn~1?eaGhxsGhsgiK2aoF^~1yY)lT?}Zn0u}_oS2*
zT59SEvl4=^O(-NpUJL;IN44|yrny-@k2yIz(z${<WWwFf4g&<;+RAQFx1rT4E-qFp
znu0*SRLn|RZ~Lt4Poe%JOY1iFZLwrUKtNDdR-Qj}GFUm1w4o(wXlRg0<+ZF*(o!sl
zj`_i%^KZ4!5?yPg^ZPTHz@BFty^oJx%quf^(A!&1XD6pA6J{f0W9=3#(d_J7<X8Kz
z{?UxwksW7?VdSwnAr?>X<Kp7NHhSY{9~2Z6LBeCk9Gi&|5gvNM<8D;;Z#|rw_Qqmx
zW29SLTpTH%mxqG`7Cy9{`J}6>tD{3O)=(@8D}}EH*2MTbu7w1b49q_HTGwf4X=@)l
zaLW1GXJ%$fNJyv_vGTGSVd4E-x8enQDY6%~a<?@o-?4mtevXC@U2P9SM%M29eIi?C
z680Z{M{#;(c&%*Z$9@QC;SmuqM2cl8C(NqwFo&)$Rp0(w<#YE@-a6`oYEkU)HX14_
zEghY`Eit}Jx%>^?vifI`7vIe+T}5ika5i0w7ygnllP$h=S5d^Z_f~WpT2Z>TH^HO6
z_5HE)X3J8{`UhHXi<q^k?z_eGO7HsyTy3j}!AEY@yTg#V<EL_GJ{dU!1R_Y@#!sTc
zxdm>EA(E)X9K-=QKu-j|5y4MwM*5N)hMovTjaO3`hR`s?Tp!3M-7meqX^6gJSq`5S
z^ES|Ww92d0$%UqJ5oVieuOGy5hijO4nwS7qx;I(8lamj(P1B3kf$bADOZzVlRz@6o
zF>|0i@1NsB#>4QYowT$x9uR@f_RH9qJj)<pcQ^dK2o&`0Z`{amMtPyF85|WAb#!!;
zBa=#wxZ2Ku^F6$zAtAK#MsGNK`K~<OuAnvO@Jc#sVYcu*<3;}Ap+2<V0vQlb_jurS
z$reGCq(;;uSk=^I<>o5>C@a0W{pyx4B0k?k!{>FlU0|!=^Qcts75hHj-AztWEJDRb
z!F4+n5)#4VQL9^PZ@kL$7<q7XwAbi-OxyKUO|5=>7Qd%=Xf5t%@ZYh7%`rP$j}9%!
z%X7UtaOJnOqzPwYVqDuP;G#nw_ts`5J7syH^HZ$UZAXCR+fsq?j<s}q;qqava<qE;
z^-OcRXWfS2W>dY@QM|)(esweyr_YjI5>?pHYyK~P6E=DIgWwOD$|}E~yt*JlLfz!#
z#e{D44H?!hR|oMyg!_?Qn7Z`BNRvyXQ-FSNv47A#pnyxz+qBj99XMNVwy5-02s9Bz
z)CN>{gJbU+N#2zF5pD?-pFF>P%{==62u+cAx{3_-8uV<b2skFG6B*`k^43&#4}>-l
zJg9vZG%S2GNJsSMc`yLI=JN|2Z>a4nS}D~X9W(?z&Cy5-Zyu_0?^8-iR30TT{;oST
zM)YuehyF;y>j8B{2^DK)ub#Ik8v=OAX{Y~bnYrC)9`LIPwVUA;#0U*+NJ6+je1ARk
zOB=*>(&taUuXDGkk4A80M{*(!wAdx(;}pakLL&cbG_|u9Vy!C!3k!t~PmetK{Y51u
z>4KYf9QXi{cqJ0L&q9WidwYF7JvK0ZEmF5P;}GWL)7D2B!2A6V&QyuA`GDc=>uC~B
z2NU~q?_h9&<2#GqUWO(#yb$ihq8En>PQNO|G46#FsS>&$cy$V25mQ}*;t{CP!aSJ;
z&uf<vLWNQoTG_bwS!g<%7cz7?moX*(nvwg)T7VONe^|Iy$Tz8RZcEFehX+sPl28X{
zXBM{9z8)KuZpf*lZ_PF<3k%+-&yAG5eVlH48zP#?@a&5VNio>Aksti0XlRVx+}%g`
z+NNcAO<APW9W{F-R)F#f3bJGPh%2$LUo%H^hr#Zw9<dG1ak4KqH@j(s?VMPH`!I}v
z^OjsKArbfRY?&!dc82WC=`zy!#l?HIF1jWrHZD-Rw<B`e+Cj7Pd>p*4wA;NA3AEbH
z{vwai_3>Pthej$Vb)f*<)VrROk$|gnMa362xYt3nx_GwjwTJ2H{c*IHsl1CCN=g|^
zEtilpzQ})ol8Q@<Ga3QBp{v%~-4N*NCx20K$<XGI8@-57ugxiHY*uYXg2DBM%TDmX
zPs3EjJ}lkykC~&~&HGzun}R84pRx0ECit1Rr^Em9^Gd<PYdHiWAQ%uk?%4<kGzp;)
zX;VNgsfN97cfTnptk2DP?vwj0r;2*pvM%gY6^N=#_MO*Q_f}9yL*EGZ31}2oT~a$q
zhJ}S?)KNunp<z#O$%u1f$RjxCN@GcX`}DS0ORM?)aQ-CvtXe2q)bvmC&!4a9*ICET
z_v(LxfC34j5fSe?!q(5D8kg)A%v>G<0*0BTnD$iAsGl&u|2^Z?yO+)N=!o8EB;3%A
zUT@6&{EOduI*}>$yVrfc*!W2f6l&DF@`O|6j4Oshr1hGP^Y!LKT56??;0h!J3b@4U
z%7pA4F!mjZKRPY1zu5nnR)qYSkIv?o4L|)~=XoGvu#u5rla8O8Q4v`)c?0MkMbeYL
zWT_|IN0V&t$;jZZdMYlK{w3nuTZm{ls3)hPhdsa84WXgoGuyP=N{}vA-0v}MuyS5H
zJHrr{EGjCBjm1d}N0ZhKZcEfjx0ak|@mz|DX_yH#x8@_g+y2ORO@=?2NItuCwjK)p
zC*zV3l%WVYeSggl&FlP9Sq8%fjxwzLp)|Gu^XQfzL%S~X$eM+KOO`4<TIJZia`0WI
zwwQ3E96v>w*0dw<xE_tk<+nc=2bq{&=YKKVvFwJxVk2dokx@1R@Yd?R(l?CRs3@{=
zJoaX3g8@@ZTibUuG?ONFM;e6U6DKZix57Oe-wK5+2tvdefyD*q!vptk9tuj%gpgix
z(q`1<Jw9qV7U};I+}#<K48>LxOMNiaYL-yxst^A8J`Bx@jyu58(z47&i-X;aC?)9^
zUibE<!&abRe=Y}~w>nLo>p9R&?SHA%7=_w{S2GxZfa>uu>5bu!&K}(SAneL(rx7sh
zfKjT3*GzlSb$YLId{?rrs<c}|T}dqhll6M$mpxY>O$V#hj{h?E-`ML`z+m%ZF?%b(
z#j;2)ycT_&&5%Qj!JGilJ@?&o;CnSc^q|_nIYpuftxfs+t;=2EoHsqYexY?JIV=TD
zbTDx3=bBP;vbuq+%Y<@6<Iv|1Su;_|8~a|{SA6}YqHt_!W`^-muC3pBRIrU~*e>31
zpdn^cMRv}?gPekbDE!-cQ`;W9j+pT{9$rO3nJ?~{R$TvgHuM6`^bg^~`xAN5W)%F;
zP&<@7w<lPonhnbtU;gC`&!J$j_f3d4hgS=pJ<5Ga{uqsZvN8U3{zO|cX9-I)N5})+
zMY)RgZU4vV&lNGLhPqhx0ae~~okZQSC1yC|9#YHbM5xIp<|2Q?p*0H-r!8lwS;&b}
z<{g6~Mbz3i7Zf6Q3UUStR71}XRW8$o+yRciYwmE(Jf+SlF)f)UOv@3e4XN{mtHrvg
zRj7(9?c8p&3zw&-L!v0()x?5=YAO_|(062w@aPh|AbV@W)5Thmn`~B+@m&yD5LMNZ
zP0Q2N-Q8m6rIW-`B59;B$g;Z7fpGoC2Vnkntfml$ch&kU+FV{WKhwJL08dYXuf`VG
zsH`&;*O2#AcU3io3fUgc5U!4jsD508ud`<<$)CpLy1pt#MPxT5LS^;yMMMFVuj>ka
zCtx9AEmryQIyZO6$hj3j;P>WD;i4T{RUXZ<kMb6y)`wNHgXVyTUD+qMgKV|>MY*zO
zSToQq#p^ac{%Cct=IQA?%o2sjz_qj~i3?+jERyM*bnG4c3AgDRFQ?~1@CO0F+4*=h
zO)g>QEFiKKkG+cw$6oDRS6g^~+`et->N1(8@VIez@u$PoYxTwJ$xQ;+b3B)wzD*ad
z#qfw_XEpg_2N^@gA_C@oyXrfAw(;Z^W9PVJd36hI6r#|{s_5tj3ft_ek6q{Ww(Ip_
z8+N2Y9twIo&s(cNCLuq--cO9cA>nXvQF{e(<sf_aP;HNenuVX*hrOT_Ih2E~h5-Gt
zH_JM*3wSf6w?K36RCE9UM(onfa59=1boi}yZZ1Iwg~<91+t#;^+&9WK<G#?_%gDHW
zQl#Ck!lfRktATi}5FyWxrPe7*X10kXQHF$QIV2Ma*450GPQ&>U74FsbpEeu#Qazn$
zpz-bcD@NOQYQg3VHWS-1qJ{D**6$NpEk6LCuP8ofB?KyBCs9HY{mKj9H9+^3O{PXi
zP2l-^#g?1U<jaSGp)rO8egp+ALZtisluHZQ5JAu7SR^|1hrrlZd`MmGm&^grjARe+
zpd;x30*7&_IN_t^mK=as(USl@FuW|dGimCV%KKsf!sEsj&(&cO7x#VEU?p$w(N%qV
znaO?S*qBM?<76wxTo*K2CLF)%TV4h02*{$4%X!@B(ty?p1@;K%hS%HN9GQV0wiBF(
zPC4C^dijnsT>}5UX#B}NUCNw%j?J{4w)gEmc{6J_`G&DJ@0>jDr2t=ZBkj*S0{7in
z33JTDF*3Pj=k=;j{cif>WcLTpys%h+N)dY6Yj|XMfNqr!9>?nVJI56Y6z<Z{scC6Q
zb(|$VJdX!d_Ec{rJ6kx>I?`U0s^W(UvRoN~>ikNxr@LQG+g6Fvj@kyy&dv!48_dry
zUo9&1Zp_`@UUY@geNZYP`v>%^Cbp9V?99jl@LkhHXf*t=%4!MSb(P=!0Z|;z_uF&?
zG$p977FVghaw&mIrRc<U5pPr_nNGolqsRffKhCN#0_?bHxeTR@+-$l<;ziCiF^2~S
zGu1Q{v(=KKC`6`_Iw%X%&O=*l)~0smGS1G2<(Gp;i<(DIr3Wcy*27&tz?Wqd6HTgq
z?|5%bvIv8JG|v@eH91<XaWOI$ejVkhX`QbTK_-L?VHI*>V{PVT%xKl?hA^Z|Z}!Jo
zJPszZIb<FL?r;IEy-vE$*btx5JHA<h1emRyVb{Dr1|?}WY%SNt#(Sh~O!NF~Om++j
z%sO-}{-|C@z87?4A}Z;vxgX&Yrts1tX8}(oyCr`TrjDA7vdY7|%2)NeDFaQGrL@!k
zS1+-nqv}pqQ-g#cP~x}f{G*PhrW}j=q2&2b3ZO2?DNfn%agAnXmlepPOa!Sim!5ND
znQin|zh%+!hmd?R#n|}a<639yfv)cE<2Z7qVLqS|d49##!7S5jUURcHr&oJ>bDJ6&
z5H~xM9dYOD6pi9@=xK|jv~;bp^U*@F#D}=MnQKG!D(%zQZ2Rq@+V#8ZV|Qc*o6zm7
zI}1O%)i$58+rdOa>10k*KQxjBy3bPn%PNl;&)tHRheg6#Sy1D>l9+o(_6Xx#X)DIE
zj);lex$$SLtA1k#*T!Mb8n)eu$3Pr-37w&3H~rX+smr1o73G5&|M2O3J1<z*4i0XK
zAEnT#x$nf`li+l*hbW89gb?)>3LE`Mi(OWcHXj2638Sl-*;u~vHa;Lne&26jqn_CW
z)Az#l*WKI(x*slGuF6!t(Qq;sA@9@P<h%aT5LhmC(aKkwnnp@36opo?#kL4OZ{(7y
zucHWvqiK0lM^))iOyfP*>{`v@kWS6cC!%We_EYS@_!YS($+7)*0>*Gx{??FZJCNt$
zuB6NiHtG2}v0sh6@ylUJK(lTF1-Isq^>Y{Fi=4hr=A3ka0f^IfZTx2wSf6^WE9w1v
zZL>QS_gz-f>aE^tmgDvy`;wCKg`uIM1WYO*&c{KyadFT5kdl7E2x2ZX{L+tk@02|s
zZ?yaS#4YXQ^jGkPC9veQ8#oP&{n!RcVi#5Z6L@W;(iK5O6u{V&1jq4tCU7C!x&__=
z$*>XRX?`>x+0oS^r=j2bb_nF@*}XO^aeiJy=#WkuK~q)2c$eAomc5a#atA}R2krUf
zkdn=wNIrD}=SPp0usePY@1biGGZ$!xWcKA`lmGrgb}Iu8Qdd&1fuZ%WY0UZDN8BN_
zZ;DwK&519yLH?0*TGLKhELN3;SDo+Ti`6*I{pR!Xf}*3*SX|RuWY$+FKB>l(U*XWQ
zluXr(C#4DM#hgLiuOEv|t={iPQ@Ho_PuDVWan4z`O{RZ7qGH*4P2RD(to*ehS)OSd
zZ@B+RQD*r2>8W>Zbj;NLv|+q6G;EXZ&9fGl?y^VNB+AS5bns8)$GOyuwP>zbm>&IA
z@NI<SW;V+}B>7NRR-~&Jx}~QU8#&hIj^8y&)GtT>d~A({237?=mNjpgL}?SkSot_-
zl$Vnw7mrJqEd|bvjS1S~#5c?-x{rUlokT6q5Aj^Q-Q2CrvGkjqWslb|UoV?QkR7!8
zBf)L$XE&?aa3&s5V|94KE#tR(fitO?*VP4_RGgmr_L)#i1x=GwWmuH0rMX#J#_W+T
zmXG%N>@L>WQOi(<QgzHi@?kn(Ep3Gz9lD+HuAiJMcr2|jo5Mc6ZPVdm-FrnWk3f`3
zUV8&(8`c_`fPc=M(9&1>I#z!p65Me$mBTwAt-4o}pvbHWL+K$V_gv}fO*M}BYaV@F
zn`Wu^!}c@@=;fp~2cEviDPq#znwf>lzD;R4E%|lxi72yZ>?wU)WA)9K@yFvzm;2E-
zv_(h<2+tizAH08EtH#ajk#d96v2w%r9|I(zQhu9N=C@4~-|QF1uLhrHmu{CWi}EqN
zCNy%sCXe}(?V5;caI2g``|6GL6`#B{xXz`D`n)ggPIR)Qv0>grAW;zUflaHxEdHeY
zNz&L`wBTNujwM&&zU>*9f3*RePYo&H^Sx%{4jY}GP7}J-^IJo3Z}T1IxIAxv^(-}c
zZv;Niz@4BPYCqPvj9N=z18^C2|E>G`4;;0|EWg5zkOXFbGo>6*lI3qM{m)+}0UOFv
z=@N0EID<>le_8gvZK-L!8YCzOM~ngzv+#W@w1<`P?T^EIs&d`eMsdG%C0xJWKx|i*
zjil^em*@hw*O)D4wHDZ(IdVu0!z<fz6oHQ?ApdrNi<cNY7Ah>MF44WW!6NuKndZY{
zlMgNe|EI$$?n3DDt#i`$F5_>;gsq|6pmf0AU%yfX{ig#g+atH*3c4p6YG1L``NzcP
zU>eenzP|Q}I6&!d9R-^<IJ|ELdX@iQHkK=RxMu%DfFU_(oeyS<SUsR*{>S6Xqxp&)
zc3k(M0(*qq|1iOl19;EhqdEVV?!^+2B=8e0T4In52gTpJ*?+%8tLu^!I^EO&+RGj-
z%{Qm3>$v|o!!gDrESrKBxc#f|IBqX)KL2Mrp40I`^uJOCUpbk171VMvKegrUPeT5)
zM%BE*%fgpVugUsIfJ?^j0qftqk4KfJ8elqTi&v7gX6k<yyG}!PEmu6x*^&zXi>E80
zOX?J4>3?A8nakVXCUB`!e?qdH=6VhK$4*ud)Hqk<EyYs$KNj%?UnISor8INoKj#o4
z4v=QCInMdd&yCL@AAOC3sh0mLu8;k7ve^pT)zM{5-Z|=uiw$#{J3|pOiU0;bzrtJQ
z>o20Uv#r1QDL2PPM(xC=`zyuwD;?$44?8QJ7Nz!|8nw^h!ZFrn!u3<vJu@Qmbq=7b
z!S)^N)~Va~6BQdv|05zt+!gqUrjhk&%iFyVy8yh;rsTK&?EkRgaJB@AiD_$oIJbT@
zP}nirD<S!h$ry-#YH11pm=}Pj6H8Gvl;Mu{NlBAhxZUoy;v<fdJ#XK3u$}h1(0fUs
zJlC<X!TB2;H^mmf>wU&&s<0D;Dt-t@1T?}?cv$>&x#Hp*)B1%CpCmc;_orlS7vt42
zDV>teIvit-B<Ernv5zY{+(?oG*UAjmToZWT5+V?iWzxj;BZsQ>3oaf}N@8-!?{I#R
zj#=F8v}a?`A$bYM{7LC48>O+DfPLy!KZL6o5Z<9qVeSiVBy`>9Pw<l(rU69^k?y8C
zNTz|-G(wnYhZ-DSbj9yH2Z7%R@Nl4I!rJmNb#_X?@q*7?cvwzT+CG*{cpPQx7q4mf
zoV;muV;o}8PB8o3m?_?N=6|=XBw*(rhHUP$1}tU6lWH-sdvmN=39NnGFH!Ub-+$Nq
zjrF#thvKa*Z~gNtiCbUczC85BR1!cTH_=Z=RO%p&syg@<FBgl8t3hEVo5l}XE+%0p
zC>vrH9lxA>9Vye+$BIpCmHtbdOm-J|ISF|xC#Y2dpqh&81a?TQ1&GuC<ib?=I8M_O
zjAgi9=<xh}V!#hhhi&!vi3UJdWck`thX<fM<+WPUCY%RP5$TwCa=%#}2(;V0Z{uQE
z<Q(JMmHpD)8IQNEpA_>yDwtrN`c<JxRc_s}+}51x2(yl$2x+W4iU?FmV&bHu$~=ND
zUMoA66Q_^tK|#f?3_W;eC^IaGcJH>-T5WwKlcWC2sA<&Na<L`mSnX!9mY{ZFX%gbu
zd8${9vGom<b41N%YrR5%&p!Oj;{dNw0^_$iJR>Z!`g})%Ybb8HbXaE6&H1!o$-`c5
zedDGETDU?XLKa|BqRcTP)S_ld03&SEO+&e`?7Vgoj8*CXH#HJO-TVl$5-^@)H6-oj
zvU{H+f$RNrG|9J2>wUd6rp@nx*%FGdUbBXDTIq7Ol{zBCz`lrDn*d(NwNytSqM_Hu
zht8Y~%!phQ%)YrjBJA!`PXUjo@4uLO=~svI_BqV`{tY)`1Gj`>wM<Z?@!QpIeQ!F_
zoe+cWJ8oD1dXR;}g<T_o3lHEp0%c*!9bjxHu%1VZBALwYo%M*qO<$qnF63%5ncly9
zG*YajQ~at20@EEiIUF;t4?+Z8Qlgtf!G+YzMa>_i7<`|+beua@_OeF;9=3%aN1IWS
zu9%1PfvE45`!1PR(mM;vdZFPpiA$U56)em!UeaR9FlG>LM4zK-N93J!%s8BFrT5F#
z8uv5M)yeBVOC+t&Eio}mZD9NNd{-UyD_0AIwKIJ2EhyZj*?3daFT0OMSgw3YertsS
z8*%a3iR+8scoQkp(oerI(1CHr#Dv?^c&Txa8lUP#)Z`@7sop`j>85H^Pi$kox>6VE
zef8_Jr5cEchh-X{ors5lr%{E|aeHc}`&w&id32r)rneT`i$g>RU1*h)_Kw3&eUN8*
zs|NDV=jbab371;{pNh}b)TnXG%4kX0LD)IpnYdN?GUrTvW_n2~J@aXk8xYhRCVx>h
zSAjybe!xhp`@ayJSVFwDv0ZCBsK~9b#Ic@JPU=|)j+SAuW4*rH7WVoDHq^n#gNc&!
z=h>N8GLhgICw+!dP-(Oppo)UC;lVZG@E!DLioWA!D|<~~!<EA<6pfF7e#rmY<G>Wa
z%OS5tn-iACMGi!7?@>mg6}c%A1oHk?0+i5zV!??j=nJv{R6@d16qNsEnd*cmJBia7
zZAOA9<RTy04*|sZ(9S0CXC=UNA~@QJ@ub86cDjKoIDA;W1nGF`qXu#@_(OEcq980R
z?n>1v=asrl=mHH&`B(r>{M5P{15yFTg8ze^Pm>dLN3hJBk+*4}O{9<^3NHfYN;Gw(
zHgm|F3VNb`0?2igt($$>lMv!MHk(HYo2I|yU+w?uHBIRD$9gCDn|H-WVQhUS2KcnE
zlR%GJcH6@><w#8?O5l`oQf}-@q0x%ULqiG}t*{8F)glMW3qfFm1{7|kCwU$G86gle
z#h2%-nV|kM=``X|&mU&g6EvJ^ECB7_o;a;66?!fVJz+O=?fB4@gOh7>{28+qVF?>~
z%cgm*4=|L|IQ|BKkqk#j9rS{(%T({hm(2OE5y@KN6A88qJr>p=%|$FXtBqrhC9K=S
z-U8=i@B2g<Z|ABDEfWExr3t@8a|k00^#shnekvvE{?%AJbR33dV6`7DNunyPXW|12
zkzZ)K6?H5AG8QM}NxO#OiW%GzCCT^h`Dk$TEkP*?HNbD{<+D?MA*u1R(h8mGc$pSJ
zo-NK6r(EyCwR5xE{YKUPU0}jyQF`WmAiu7+!HPyPuy|^j=3}iTvabN<|AQ=2=VLFC
zCmdcT3j@4KOp6tCuP+NCKtU_4H5iF!V}$!M?(;CyiG{&RR^uWe`<3@nCG33`*E)7~
z5>s^~t4jEO2qV3Tv=0g_FEblIF!k=<|7K)>-_zK*-8I%0UJSJ+3RC_e1erukLj9&p
z^NJS}=J4k+V10<`2EGP*(!bo#b?+&|yy{`N64&WG&N|wljZWkg4@Rr1ho@**{?bsD
z(eQuK2i|CY*3)}2G47*1H5i<X+VeR}a>)@PzaGnF1<LO~x$s@r*#4^xHC#AUeWr$w
z(dH4B2x+go-cNQrr+-KB$Q6b|P3Cei-Mk?A4*4&ZJ}_7Tj>5~ggf{iqRu5}8nxy^X
z%GWfnQWD*Mb)yiq4{iCbeDiWgM$oc&t=W5LwqiyijjTAY;A=j;{HG$w>X^Xh)6qXD
zB&CTtSUKF>T5aLre!_e@ZIFwwn~jTk<zl0&WzE>>bTove_1$BrW;GW3qdP2^k}%nz
z+-;J+Gx!9c<5|YKwSF#8Tn8X>9_HLLffz~r)}Uk_2U|)tH_3d~rSGah;2_dZaLwN5
z@Q5&NDw@SQr-!2r$-Egpd^D$cE@#prue14|-Jgvm3C35vA4VyLSm1n)`XPSp6%PVj
z+}qF-4t%_wmB(SimXgzrz-FS2B)s|GU=fj$D(;abTJM_5lg+h(_1%i&;jrZv539@D
zEWQIFr0`bj9*8Pc>#h@|jOt?H1ns7Q&E`+Hl)1b@jO3oHtHG#2+((ygxFj&jf=6M|
zL$smJND>@AG-eCen%nhO^`cWMh4-$p^1_Qd-F(6Og#BTZHqL6>>V&kAJ1mkSXIRUw
z9v;p?3Yfy7{oVU#&hXLN(+weqqwc;v4&Aa_{jICpP+z;Ty8B5`gwi_c59R6`=*4XV
z+M08FK&LYd=DJs{goHMSb_?ht>=9i2!^7OBx^Ydmn-Th%5(sFI8OHt7>Ds6R;mZ;H
z3vD$at;ROmJ1P(A&5vtKkTP0!ZG3ja9`Yk4!j?qeQ{jg1tt>BWni*}lbusbro+F3V
z1fj^#lA6|cG(R(!lh){&5EbB2Eg>6eM^7}gMs+$>{FK9pGUm9p6b^1N8BCEQk;r?m
zq4}V<V^DP#Xi}4yf;kJFIo-o-tC*x)JMH7Tu5K2}^Pp(jYwc4g0E5Xb)DRAQ9Gd31
z_=5<QTdWj+g(<cmTs<}BY$-4AQ&?#{C=@I)0G}8EK?4RWF)Dxsb#}Z&{%vZ&G)y&5
z5l!}<;d6~`>;XOikQjlaWhwl8$JHG0_}16?@Rj>?4NJ53^a?U75U_~>S!m;tYQB)*
zyHLnsN@k6hrWk)Jm$6$3%}^fG`Y_+HZ@kSGda)N%85Jsg_vkQmS{XG*LxEZ7Vzz>l
zwZmMhzNl@c!@rY+_-+E?ityX_BF0f=b+zCAeAgV$ee5b`lCb+zF4#G~Zx7MSVmN1-
zvmSWehVG}4w;OM`q=NX)A6<Tqz{SZ6TfnKpzF?At*b&6=XQTC?vzfs>H7f?h93Gw%
z$x@%5w|(11JRr;&HEXh>a?dyizf{KMnjn^r^zP<KG82#u!~tn|ej@l4875Rb6H51s
zp3J9(UCq>-&kowZDiPs3M~9kz!fZp}F#@rH2<3nWb(CV_NVeqf(psvaqw#JgSvg>M
z7W#J%(*EdXD+i{ghXF?8b`^Mz<zgZzqNWJk60!hHn53{1|I|T1Qe0+b?li<vO&)xw
zPzlFf)_<^Zp*XO1IT%V%TU4PvrK!~<r#U_}2k}Sezc=<rW%=`>?^V-fFPIU#$s5|3
z-{2_}7ydCNNC5Um5XI+&5fVgpfBt^tFj<{a@27X8kWO5Xg&yeeRd$L)Wugl(1J?Ia
z8X<)pfqz>NF&#KW@)9$5(-HYfQ>*SBF*@fLkYp|x2?i$r3(^lA(X4?77!L}JgjO<o
zI5Dag?SJI)1yydUe$uyjG_lz9ce4`-;z`ix{uSqu#YTjkI5>pIlPu#$&6&&l#*$fz
zS<mhS#`@2V=sm@@hymH)k8n`PV|hjdkTsy#7l%m$?{SPK)P>Gm2XhKY?mt9j{VBiA
zB?dZMfor|oEZ`L9e7w}+aYNu3XttjTdp3ba!sB`CVZM)_t<RH}nCLu;U(o1z=d|Bj
zA=qO6rklwTS81A6yXiKI$>n_Ousuk9<^>(uZ09e*`hY1>Jv1|&LBz0J?HXQOJpnxF
z7sw&z;lyNzy?OB;Ut+$ub#Sxwv>@}WX4rZN^?&KS9vy;r=&K*Nu`eOb%-T7af~et>
z3#5z%N`!gamc_=hmBt>r#VDt=yZ(+>ud8>^te#E86De+lDelIDF0l9KYr;h0M3s(K
zG9YIQLJK(E6iY3-B<R;%@Bl<=c(B<oa@18awfL}cf-U?!q9W+{xCz%nc1p;Q-BM6A
zh`GyMWU)BS;pe_yiu!ltZrtX258~-JaoM~RMLY%4HK2%r)!-A*DUWTmNCyA0--|;{
zfWo-M%*t6GaH<WPu7vy8)4`3(P(ekm7%PyS;q%I#f$Ns5^#_=0Mc<g}a5wbj5|h*+
zC{(zFw=sM1uD1$DqN*eiB)3#IQ&r@caq%#hZiNe1#U<QQs{J*Im-2W}y=l-B*_GWg
zra76(K>g)`mHJpp%qGa>6b&_fqz@o)clDmCQV{T-7LO?_5^L^dh>y6QB>SGEq%1%I
zW^(sWQ)ZmryO;ZH$C|voU{iJP9W7O?kO=nTa@YNox;WW>p<L~5v_h1U_q~KWkZb6M
zxo=r)aWeu7{nFD&=!k0}>MVI#8@Y>@-!PN%ZYZi)uWoeuM4@^qBl8~*#m>F2?T6o4
z;w<%O9tg65v4``J><=7HS12gMJ@w?6(aHn#=9+5Cq*YE`qN&&6Ln0Vsm^qq+=@w1O
zL4V><gXwI!Yw#3*nF`taICs<O&%M<BXoc`f0lD?qMNfc+?5>I3D+4=u5xphxGJcyl
z3LWOdo#|kBt(^8;%`3=pbq{)K2(b9!Qcl6mi+E2M85RW$5`hNvtrcb6%r?1vk8gck
z7VO7AIjal2UrLVfRxC&s5yZO#1o;4{C_yNP$Ttm7&InxQ-jo3*I_59wJN_83UZJ;7
zKqesmKM$cr0fn;1)NVM@5j81f($o2-?zCYE1S*{SpAb>2)wEuEi5Y{GDy%T!TZ1X8
zk22^udL_hOrhb|p{^2eQ5XjDFjegplRj{w_mujy67}=Hl6~{G~O9T|U@sd&3Y^8Xn
z^qTd}2Q^h}Ru=lX!J$2c(~an8@oTvBu55-$;=_8NQlzynrDZZ}S*M43Nkg|9;@wpq
z*q-yekp}~Y#2*!AddRRn_om)Uv<Nf2)^;ZPZ0tAnjEi%zKNT04=~)A)N6N)>H!*PJ
zV3ttb4!@uFS|+&rd%f*Bt+bq&>B`xN=<+xmBY$dW?(AVdmezvGbWU<+WaU%SI=ao<
z031-#Jv!)~I0MX};4unWLP{NE9%U@xv6L81CHPJ78-4A(28WS*Um%es-9+DBL%?6x
zhJn`FOvgh|C>PW1bS<m0{mjhWwUgsdq7r<l73Wlh_MiH^ttl-nDU4jCs}}KHa~=Pt
zAN1oBBZs)a^3ZfaI0mKBVELDBYkZD>GPN<K%mwp&2J=~k6SO~ocx^xVI{8znD7Okr
zDpC#POxu(Orv*R-v-QsJ-V3FC@a0t;2M=`3E%C8in(4sn8_XnFnAy3B&0_-0B%2^|
zJD+;uLobGASW*(u1>Gm@yezEi(}ccSFgLT_)4rr=z8^Bz;n7Nhe|aYCE<cxh$KS{z
z&$&KglU_xf_j}M!zSPq{M~CJ^a^PZ(6-{E}h|YvOAzlT4v2n^V-kWE21T)k3G_#fl
z0fl3UxgB(0tjN7SgxL}L6D_8J1Ed}+j6-fNQ}LF{3<0GBJ_JZ2(|kdv7eQK}P{H*{
z5xiJ8!da5so-X&~-u*5Z2+RPtTA8mn*ddNWQXM9|v@Zx|LU&j$>9ebHkmmBhd9a)T
zd+z#9bb37<)SKZ*_2EYz_;|_PMEw;|6eqo_lvU3`i*WEq6dI{zulz!q3yWA9`Hc7W
z*ffMd${cvc4>euW?#^$TQ_Xx*ye50Ca1N)gO&clP@ewjJt2FAOy&z1an1z*G_0DTl
zL+*FH<|t1B!OZ;@T(&BXVSFKpwt57X(HzcX{h2LQX`iEc$_8iV%R3l^pqFf*&!{6x
z;m&)R)Ip8T;}Ef!9qESl0-)++gc9grdw_|B`8nNPB>=0zMbD<`OJIF!2btrzMysyF
zWu`Zh5C#Zj-fr(4_Y3Xok?C(g9`WS?Q713cJNaM<EsKagia(CuQfIR1cTesoOIyhA
z*sQ-Ei=Nt2)kTi8Nwslv9v4o$BK@bm=`KPNL~ZNE%FI$3c(K@g4nZMSqU{JYpz@7y
zWf6mr&nVZxAXy?;AyzkY(DH-E>_!ASc8SF)eG70zrkQ<pYkorOWLz&W+DlHL6}nfw
zB@gZ2i~&LUePop<Aq4zp#lEG=0(td%MF;Z^M^XAq7KiAjGG+~{>COrOeHtdbX_P-o
z8H?@VpZ7i?@3NSd#d~QWPuAC&>7*K`Tnj%JB?n(YMEhdzo?<rwit{4mp8@H6vPgD1
zO1jJWCPO^-RRQ2G>$DSWve>sCHv958A6U$VO(O;3{`Hs(Zke8g2$g_W9f*;E4Mkbw
z|A63YshUXZQRpd}zb58_1!GYJ19w&yo5^@5d+a}+u~`&+fyO-UkNj#Yeh7g^7AmBq
zt}MMyi8>VkmQtXs9#_=%te|GXuJ(G<5E*95*h#R~Tl?gT?tQB4d}hN6gJ{;h2_s<^
z`V6(fte%0w`GMNJrH)$NJk4Rh%j3aZhX!*3m5&8Cs6P`8CKomBM<G_;KYLn=mYI~F
z^<N>1{jC2VqOeA}+euHHs5C5q;k(fnr5SpzS4(DIl+*wN0bSH*n>`0(eO<jUnf%dP
z{AgwgrFvEls4V@oIK|Q<5K^(!GQoULg=F^3Hp7~ekX%e64|x+=O0jgb>S-@!G6EGT
zdX$e4!LFp?fAJg+<}L*l+yN`72Q%*`?Bx0Zi3BsYG1l76<)%7?cf1W~uLI6}qjaQ7
zugT1Gx;0J_uLUiN$rl|5Hq8r&%`+sr$q$e$2ol$9+H(a$!88~CSl{w2%yf!)4t503
zMemV82XZVpRTdS~5X7&sDU`wmVOF~1Q}cyoA)4b5H!CSnq1R$)$K@16-hB2?rn&6h
zMn2dx#dQh$x%`ud64d56W5wbEoK<}nSRKO{L_m#=ZUX8j)maza`mhx7?gJ&}z_g`3
zkE33Lgcu;=f(MkwdZJuq=F}av?B;y*x}KH(xl%siw?ij@j?fX{*|v776RHrGvW>+4
zgTV5k$noj%y{jAMv7Y?7<AuKJawALW)$n~Q;b3Fh2OG?TDN$JUYBVK8&RK92b0t1_
zbMSrl1pWTU>ZfiiR}-Bbvm)(~Sq+wxtd81fAa7h#eo|8NCmx2?DFhC*KWKX&;~Ifi
zN@q~}vvja$vg;DYU(r?w@H(RmCXVKA$uU+nG@EIu(zbDnsm9<XaB-&T-x2@J?4N-2
zwCP!P^v8|y%|&OxDpM$tMLJ+9@i##&-y@_Yn8%T<(1`8L;>A&@8)UBTbK{ElF}uI-
z7(|WmxxUqo=10RZWG?L!4FgQ6RtP13{K7SY`cLRDUgoPQZ<SE0d>7<X#1VQHVIo&|
zti8vkXeT)_i?U>F-J)i(xq6$Vd`N63GS6?sAQ)i#5tCAE!ne~uzdJCSL{sAOaO_Oj
z&6e0t)zxIBdgu|&yl8n28&qfvEMF*!AbBBtbQKINj!JBSKa;o{fiw?s9|yr~9FfWf
z)cEtU^I+|UqJItoyCdm&aAo-6vz)|N;FgljeHBnhf+bS^;HNprX)&zQt1fbthdr!y
zZEH9ujYysx%3JDwybc$jtek`BdBI-Iyx5+8q7MHvqGzK^`YI6+i}Tj=Peru>3RX5S
z`x&&SqJUQ0H~O%8h0{rtuGn+u1ZuiO03BVY7<+NowlCz=`Et3|b$ZVy4_q{bDUJK&
zc9B=w@yIVQm!w_G6ImeLwern<+Q-s#?@Z&0VCJGv(Rj{D3-G?mvCGE5KSMnAd++D@
zBJgB?Ld`AlI7Cf&ZbNVR_app&EE(mmx_byzE@@r^`l(Y+7`V($bQ&RH+gkC-zw3Qt
zCpKNtK!qy|@|j`jKc91$KXd|exLWD`CUI|3zT$2-CpF?@O2eo5aPzryXc=cE6d_2~
zga9ucvNF<I-g19ZLN)^VM2wwzVQr;OU!$Z)pb}P_LN)*ls56A!iE_bJ7bPBTmQHaB
zs>H4jw_((slpae2c>Ci0729-glLo|-a?cO}SRv=Q?`OY{u}nb3Ej=efSD5p7$BP$j
z#(xSA9)?ads2)j&fSiSc2C|f6i`~t2tog#~E3BM378cazF<Q-ZDrSlj#iz@=zd!cs
zz$~XX*0#(^7~uXSrt?SseUJSlgm;+x*#AHJr*=&d5#DA1jW$%4gH^d3Rqs}83Bp8Y
z4a0!KtftnWLLGCJ4^HvVW*}PpH}MOA^1f&s^!^~fZ0LEzlj31|g&)etZU>b(oU*kd
z|Eal-E(qwi{SKh@H(4n!mwCFHPW{7r!VeCryp7mYv@a~s;U`>WgoTLpU?+?u;lH@F
zhTzh5{%mqR$59L@3?boNV9dYT$^@4cTWv2rh_E7f+zkQ3M7JhC%xl&M63j@su34hg
zSmDu+S-Eft60D-Klw+pM*wP5<`o`L%R;p;&EllAHXx5PjOa;p*M%^xA`Dg7J6`0TY
zO+pfg<}*bPAtRNW$PO=y!Gj=H*4bf8eS4xqt~@aOK&2&(2SW%&%8(cU)>ODpb$#`H
z@bm>d`2brgQ5a+D-@9-*z|TK-?(@2%OTBPUiR3g(SD|MVKw&Ig{w-r!Ggu^fpb8vw
zbHPH5-6{!^L_|6nyqgmBHP*K_U0F}h-!pkj>$I~5<438`sV=8wO@qOm;^CO?hzf3-
zgU?GJg<aWS68#^pzB(X^?)w{9Tosm3YAFE$>FyRpkP>N-TDoD8ZkBGO8$<=9OG;|#
zF6mxrl~O<&-a#Lq@AG@dKV)X-)`@%WJ@<3YJTtOF<?<@-12HYvKaQ`rJ0Oa1^iPV_
zXXTx_8!02RD%!?@p9(*ZB0XP-K!DkI0!jUOtUTt|V&gGhi$|37Xhz*`2bRtGLOZkP
z25{c$Yxivm->Avs`vdUqk9nf;xg{cUfSwl|4IPb782#tCFMN4ckGN*uQ@+@m=E5Lq
z%hxP-Ey1{NFOxDgC7VZCtT1r69l^#(D#fLRV=EK<FsS|PlIvmqk2ivYuy=^0!mso@
zRC|=wi~7-Ob^2sb`eYZ`(afoVpbv4BQ^<`ROyeP!K$PO*EnaiFxJ=%7-*d5plT(!Y
z1c91XUa#{<uNmg3d+*twrsP(7IMD*a*;|Wy{}(-jOYifd%2XfKcL#H~N3_zVUrN#v
z)88)OvU^oj`$V*o@b1mTf|=?Q&0tz?h2j`^QrN<P*qVuP8b9|1&dtwXZ5hz{v5Po&
z&c*0RgKt-<d3#VueX&B_Lc_UOZS`9UWfJ^?F^x>+<h7`k{IFDP>GjnLMnO0{UmKwR
z+bd#vtCeoK(a+v~DR|;XA)@lu2ScY-Z-X1kH8uvmCSb|WZT>(T>4hP>JGc-5mCif$
zE_cz#B-Kta(ElVZT+7K<P1io6xS0V>t=hd4`5H(Z0WTw)Vf8NNcK3dDFPU&$=E8BG
z3`+C<Va8ECd}+TVk3q7_0!21cQc~hdEID&$PqU}>fK2<E?v0j)N=D-W*sQ>ei0ISL
z{hXdO0h2Jkd!LB4rUJPmNkLP!3^$Y;hTLEAD6gE=7?tne+L&6ZzR#G+p@^k)r;n)f
z{M$@c9cXHJwnL?DWgPiNl+aEWhnZ7=SZ5*S>p|C8e{LjR;2dpBlW7n;FHRI1pu$x-
zz88BfR~Rv1&4I0{U0Sl4(ZRet#L=5tB0zb!GAT>~sKn>03U$^ZAIJ}-XDv7N$%8WP
zzRaaJ@ILRaCD|5O=$_yTx~6xtb1SeBNzsy?XuuFK|Ms|P34L*^Dk5YvyE^&jB*k!q
zuxS0fC~w8Fd9-S0n+<Gqbb?m=GftsmQz;pA8pC3KXQBP}-g|INm#k?!=Cbq^UDH_L
z{VWH|MepIJLPXr4Uft>kgo?ZJ{N{$%A1MmUk!(li0wS{QjpBIJL{Z^7yx#Hg^HUJ(
zR|h`$<uqu&P?BrZX>a>$DqUEukGROI5<X`S-XEgK#V-T8eEV9#>g3Qdq{Q__t4}IM
za0y~)u33hCCDR5}%+6Lihg`}XY3q1D8Z;{85maL|N}>BCTZ0WuAqef<i^A<*Ny!*C
zY=0wKPW{ENPk)(maA8JzZs-Heg68r!PDx=moMUx-8H%0fLJ?w4vOLu+AC@9gp7RRS
z@M$4<9}3UTlROMvDoRx_yPUe7ZJb{cEaHJ6uT0AmI35$&PID15wsGLk%RQq|jj+o^
z%T>j;9+&@kr{+?<(EDrToP?S*{fho||5C;i@Jb=&UboH&gyd6D)3E2}V7NtM^|APf
z+@+;h*Tp15P7;IZQg;mEyB9e_bD6S!jD~BU&lDHDPtd7;a3^<$kIPT~BLD)nvzLuU
zT*IXydfjO)qoJR-cs(8*d5_PEFuC~F5`$ue4m1)Dykc85;`|WPek>clP1(xN65Gm~
zPRlaL(Wt@1pborR!uo!j>%+~~32xL}g6ws9M|BG6cX^i1$q!fo3L&1K#%venuX-9C
z{2VV!m6w~m8OHX8qR;1b&5BXuiAGulFOo0>Xu!{p9O9P^%8yZ!enqx~3;R&PS-a*S
z0YBkiF%9cUHXKX4(0Xx)xbmFfCj^XOa2f$MSp2X&<q-UgJ$0K+EOUA36OW;*yHEV#
z^w4b){<7Wom#^BZ8N~g*GE9F4!#s8@*82+RIWo|=sVwBmGD8WH@0=!0JLD%hf?ppV
z>Ua;X_nWhU%No=(=KDTa%wsE%>s)UNFpsP9lR$NUqB6C_WA+bua!C62POmS0XEje>
z6XIN34rk#2uq-bd3_{G<idJ3XK!)Rvw7N{&p4!_jEk7FH7nLR$3BXNI%;4vI`vS|N
z&~D^V3AoInE}XpQ8P)ewN0ov2MgmZZM@A}z3IxK<@ED>P`9992M#X--J6VP3Djf~2
z6ZyD~K&kOG<|UTiknT;*A3siZLj^nRC%TbG`J;htlJ7F4rmN>Gc~Hz$rB!Pet%m`-
z1`xfhuRKbAJcu}xaD?OrW*EXMQvG;$@$$WOZ06D&0G9NxeU_4_*@Yx0euPw!tAMy~
z`_7qt6Rs75TU$HmU%%BSg@ZGV1guR^o@!fduouRt^XO<qF<pH&dX5m)AppVd%|zqk
zw2RB{q&F(nGw_fF4)jKeXRY#{I-r?<Bz}ZeVDL1nA0-+ULxkCS_)}yj0>OhaPsWgq
zUrtR+v-0GFH@EZkPaDIyIH@r)Qr?T8DHDJS_?%mqfD>2C$VhChmxo}OjExZn{F8Mf
zhFcN!N%w|@U7tVCM0YYq&#(az2rpmWs)AJw!U_hL)I5gR&WY@Gc(t}1v=!9Z`+Yq5
zY;JPQwzPD)zLT?jka7#{g@9inrB5!;b8G^%nA$UU$$d`MEZvz4_jALc5r3Xu$dM74
zLW2oDUW5RW9r(2@?<vz05Q8EST}b~L;xNP_aH9X_3;ST}WQ5x__f0J_->|dJ=91Q9
z)2TofuSu<+h)8L9f%e3Tz)KCZfPzFK&~4c8L5%>!!hdSCfSUFrCpt<_^IbNkgZ^bx
zA1OS<O&UyL6Fo;>KmDDOf<jSjFsKW8LlRi&En}D)aHel5s|4q1d}5(anh|^#&14VX
z+h}*_*uigh5F!W~*iUa_ffIrD#BH&fTU!m&rIu67BL4PQNdyh;;|ErEUq>IK!n+>(
zGBWW$v{TXc4{x<8DCkn{@!BV#AWR?|UnY3sj(<Txff|mj1B|Nz3ayy>%@6=lP<j__
z_ziV^HfHPDH`j4v6r?a2T>!uzs9t8Q33!3<iV<ogtp9hUXiMp6u&Nd+P|qv50Kc<2
zdnaxbWJ3k4$8pQRCcU$z5MA7DHxsJ;hiypuueiW4-EA=Z!8IZ5d~Fs>l)@lJ7i6jB
zZG8=ptTD>BRieg8R?YICj&W50!}{H^^v`6Uwh1n-b~r|uLBqKNzDPT(+xj~=6wL+>
z+Bi+`$o^^KF=YF16Cw0%BpXw;WxnF45W(9+xw<LnvcR4qD@zF?+GdSXAlJv@b`oB1
zQe1?pZN`A7UjD{<BHJ<jP2z#L_^oJw*WydrF9NqH7()jn70?#SAoZQd*?T7{eEUoL
zZJ05_t@TTJtULv3!vho1TrTz&04Kw4upq38XoA9bWA@@v4Z+dm898F#A%da3h?W6=
zj#^d#>D6-A4`2Zhulz_0$J_CXd`i_|=5rwqHG%Glh7?2%G4%})p#qQ}FU?q`fYs;}
zgBF+Xb0i}V(S`>$x)jj7Z2?Id+s+^Dum(t$V~zR}cvqvwHLt<(`Fmj|HGy~!%G|b>
z*uQb4fE2*n(^2*N+E8z+uNyT-%S-cDo8two9&t_T2K$w0g0DtvC(%j5eG)JW$lN)h
zioD<!&TCBppij?SRP*g83Z1Y)Hf)b?4)I||7)VFC{V}sP71jA^!};ch({sF~^Z5^7
z9en8|QmM)fzJ)zRC7U5tYC&bjs4t+)=$>6G+ixEO!T+h@t4{RG`xFDA%z=?z3IfR-
z%gvta0(Hw*tGhd`z9&n|ew7D%@h2ORqJshlvK~^|$qXquMH*;S%os5*X}9>*K@6u^
zX=#N!IHHB^Q^~c0!xi7VO7eGu)CzE+B{jfI1*jmPK<^xgyuG1%O^(I`Ki1IdgGu3&
zgu-0=K&U(sC`Z!n`^Czc6uHz8g!_qDQT*hDnBzA>^uYfRzi=SHBrp4Rj}ybMi!X<D
zRdY)ZQS!#i9|LxeJUgI*E^Xn#mt^R_wRap4x*M?$(Ge4el*zWc9Bm!Tp~FjRRAzDA
zU0r__mtTt{-3H#rMTf6WEtb@55Kk-J%52aJZ+PIO@#zN8I3<bp0y~g}McJrE0UfRq
zzx?&<*K6-1mvkv$W`TaHs?1uSVkuwdC4z6fqTlcw)cCDS+PBe>w8f#nAZ4U9$7}{$
z@@RVR2?eVJ;H}FfAkhBIE1QF}vO<5J6qd@Ms$HNNe;0hTi4GJqUd*QKq0|p!Squ~~
zJ(o|DcO&lt^AQ^1wEeDGmy5?br5d^g<20<SQ!n;!ISQMjibz@aO8ZhT*WCr>``)_?
z4XQYztT?}PF&?uvzY>dN7sAgx^`eUVK1K<&Re_7)PoOJ?sIh19d1GN=aXYYWV!tgL
z0N1u0eOoUrX_R-E;WbXz)e~UgL~odS)s^(XGLGeMQ8bxo#J~~~a89JoY2ZK}mp-gG
z47v4)L(8yC@@BR~3g1D4Iyj(sgT(~}Q~R}kfx&Ossd}5MDt%U`^aoT@{q<}bR$eVO
z{6k%&`^`jFH~rnGQJ^CKFVK}T3{forPnW_of&B}@rL@G#f&!Xg`4=xcT9ZE-j@Zli
zi^lyW|C1cZT2b^Db^B@jMzAW#+^7EquCi&JJq8Smub-cvwT1Ex%ywVm*DkOgV8KFF
zXl08Cyu*Cq>MEa6#MbmU?+$)dCCO#aTWj-0+qs^td3W=R#O8!tDQS9tq8A&(Bt8)o
zOvA=2i^`i6z`)VE{m9)9%*kd{EpP4so+{ddLh;Y$k<&`re}TVHH?V;rNAS{)YlrIA
z+!J6@y1Ag`Unusy#rHl9+rfT6K=U8dwfnB_8~N5UJ>L+E?Jp2I>WY7VgS(sY@4YEE
zPG%=`zBa40Hd*S1puh#Z1HUh|Re;dS|4RrNdng+FK$R8QIP&)^04&@TbyR!hK;}Mv
zjmrJ!S(H|P3)9u`=E0?}1KA&ZJsNdv-l)r+T)TN+GWVlgV7o25tktueIJt_S^0eWf
za`g;SdijZI0p|Vb<HN`!>v?66o4%Va*w_8+qp&!~d&58P!RX`!>4yo08B!6UPRJ)<
z-#t6jx3!BbS>lv`Dms4I0DZq8)Mf>Mb|T-NT+bu%p63L8Q@s2qQHD&RA~BO^{-ID!
z-sn>mUL_|UP=U|vQ$_TX?gZg~Mqj^a-;JtI9d1LlT-dWex#I&iI996no%bIIM*9bb
zymmkE{Jv<`Jd&$hpbnu%{J>Qb8~LXTkA1lWyGEHzQASM8^R*5sQlZ~i(ElMtF9)~)
znhw<G@O>={q9-Oe?f-{;{(1^<`L}ARU|gC*()w1Mi*I;1f6FvtN{ITTJAs#`3Nd@2
zp;oA~u7PPXK<sX=*EMD?KkcSSPq>)|s=j~H@pSpIZE=ItySaMjxI3$xc=qAs?sfA+
z24#NAq%(du>U;Cs;?K1)Jdb5?4A<`Qxz603e+5MCMONl!I%0ZW*bId)<wt%p8@c=&
zWC@glVHqE}ERoi;4)`)1b{!a+!EWlhc`kJ%xR*C-rsJwFpa1~P04sNMJu=2p$o>1$
zWAKCK3IBw*jEa9{j~gzokQ@0Hnvd{{`zvUq?ib_8qp>lSao&H0k5n*n9+}}wHuG1u
zAA_%&*t4$>yKdBD;csiEsF8X9>!vdipKA<Kcb{fL&$@Zac!Z&y!7>{a-=7}!&bul5
zik?J=LoOtXl_YRPb4Kvez|SXt<uqP>`gAt1`QXoc-1f*Pq>3E4zV9I3jgz&{N$VLS
z@~y;$Kn12ELGvOs{|o`?%)O8AjOU(Wg^K-z)6@{f^&lIuXPw}5CUOHDzPT9N>MmOH
zMyZ7U=vmUuK(Ea9cKzOd`Yh;wou3kSKV!$fu~c72X`(8U!|G#+P2AgBtge(>mD>7+
zL`Bam?{)p;=DCi>@H5NV2r+Rgm}^+IqaE5@BfuCDa&mZ>nbVSeaMO~5=KY0Fs*r`}
z4ye~=v%}&z-ut6{k+jztpM=CbR<AcDTF;hlUt8-RT(w*!6oho-(&lu=dU<+EhzmKd
z7K><=D`k-hYIzkOo8j%vdhKtIZk=?NW*90Pl99%`%_iS80fdIy-Cx)s<AP@Zk_}|M
z$sz-_9_+^D^$ZLp|5&^{E%CbM&@yP@PE%%MWz7~p@G!arLi6HU5L276zCvS`yjYPW
zBq^Rt;+7USFmwRTSR=PzY|(|>=|OgoJThG6h3CDqg;3~hj~B3ftuB>=0~^cmz49_c
z!}6YcU$oOQDaqt+9(NA9KKfk&ntCc`>sxlPy`d@6k?F8Zzp=Kq)>Ruq!L<EOHrCL4
zf7cCEzyZOD70bL9CvsS9(G5e4*PriPj)e3KLk#rvynno|97wRb99s=6yz0P<eRzLY
z!gb?pZAU#bEv=gEkA}YaNmpO<5X|n!bZDAvMovziWr#(2eb}1lOO@9-F5iXBx!Ck}
z@`{R4lBRFChKVaZeYrpeGHmdqW$x?mw>HR0%TnkH^F07E_I;%>+TYGQ%-qfPoBK;t
zqx%%6CNv;oPzn(#oUYB0%-zYUx@rlj67|FD7#!2f?*};K2Z9TCn{TT=S?-|1`PhvN
zJ|dWQSU<|kV<^-vpFS|&Ll6WXDJSP_s5u(XWMlp&jz3lcN`e)Hn^e$L&hKi*Y>YZN
z%V04S0E=HcIiM&>0pOv*upzIQSVBap+)nS7I}JDnkC+(G;W{+nMBTvSc+cmDiKnk*
z`X^7j{*Zs_lz;DpWD34$*6{sY$Nb~tv?vY**Z%He<2!+U+(?9$*7Q#jeKJyqtgI}b
zRN)h1V^nZ(SNlr!lXt<;lhz#HF<X<)opD#%Kim_<x!A}AKTna8g<M>m9^jgwPF~76
zpsKjw(zT`0z6lMX*r(ghq7~i{Z)=pElNT$;wKjg&(UGV3!Q=!b`Tak&9D;p2JVA!B
zUb)q*-+94ho}D}cEtgA!df&GJ>Whnb@4mXtwLiZ{VQn8<;?){`6MhR^eviQv%XONa
z$gCr9*`#$AK<e^aOrvb{K1JI@C>t9aKs(;Wd+&c4+xT@-aqNDZ3$CqeI1+i;GfX%o
z%Sqt?nSF4V>rY+k$>^;m>|l0s&}NF1gRSj$#S-#*OKfT3!SSxxv!glP=F{dOF0yDD
zb>T?F=4NZGyzlkF^3r#Oqt=TfIOfRL50zPW|5TM^iY(720@ZQEV1xoZ3e~OK<FAul
zz@W7Ar^Snz;3v8rDkB_&INp)aEEo9c*?c2i<c*>po5RgAv_#~KUU)N^e`<Om30~+1
zw6$;?sgu0Z3l$t37PoCNjq(+`hYi%w@g)|V&OzmKSz!14Pk|5AAbYPoXgy_)ergn5
zy=L*w1XOVDaOvVK!`W8A1^a4crKY_<ZtRCQzrB||4;WWA*6-8D!}s`T%YK|x7Qz3i
zhrPi7vLFNT7ISuSv9q^#g@QI`?Nk|)U))Jj2x%K*7L3_^Ai{M5OhzBnS<cXpFV7Fd
zV?$Tiez1!W{OOFa=AiQcLys|PISO&GgdE8hQ{aN9CANIK$5qkl_2-?FajIJ}4*k9_
zAbLdt@KVkBxjA_*_}76<mV2$GsJ(xt^Q#2|22y7xXOR^~cqc%L<}IA<5!^pDxC7pm
z`6$FY0k|F(+l?*pHQrl_UH}I$MtE+wQQx9}n}bdav$O)y7;}cHuBqPb)lQo6Dtb;_
zXCMI7;19V#WaFGHQv^Q<$vtNO*S774I{gie1I!inc-7L=pua&`)F2DaAwTYYCmipD
ze+}Qs(KK>iFs78x2KJ|8kHOD>kh>euwmba$VEBN%K5<3hAJak&V(3FoAHN$tZy7-T
zDFgK8XZ~p=xJ8eB>fcA1Z69sNt7N2Yl>TQb30o1HHB-$0b{C$`x36g<7W3qPuRvN6
zd-6>Gsb-DwaFG-8*RcI*-K_e51?b8K_=mm&X^2MD{`ZhVHn&c--;v@!#d?wRA4R8-
z&2E2JDz6cSOS}@k0NDQTC^9W@y!C6t_R0TQ%e+P$Pz1+>O{L##R&TCe<X!H4;UOEQ
zr~hk8v=w1f>ic&{IsGXmExy-BJDa-F6g__}HX8T-fLEg7|61k&0vp%s5+D98#tl#A
z+mEe#S^T%9tu_zteNM>#dW%|bwm|7hZ=e6mY`Q*V&D4SD-<6I(9qE6#^f((L3JLr-
z0I!f6zNi1U&;LeG`d@Q^WdD_q$3>6}J<z|)E`Ll?cZ!~=^uOZsIGe9x8Tp$GXlNeX
zaHg&s3GrXvUev`w<GS;-tyO%#Ja@E6kDQ#luU_!?Dtq)B<Dro3-*zqI5k1hqoJ9j@
zW|9AQxTADHNB+HG25BYzdqW2*ulYA1@yry}T=(}U*x%?!BnQtvbhVk`FEtN!{#yaS
z)V<#epqsw`T~wl7r64vl|7F|9eq<Wc-{QP|NE^1lyn3SyjtPrx7SXhVMzo`e^54^a
zNXbpqsmT}?NSqtUSnsU5jO-KG+By$f5Y4l2WT|@=+IiAeN7tZ(D>SY=T=`d)VCqkD
z=WB`nw(;AsbJHQ{nmypOyZH;)gMM(mas2(c=?46}W@)PT|CWfd5P*;K8pBZapITaV
zTE)b@ce8($a~K*OH^mOrlg3W`F)uK|C%KJf1R#)*OLKU=z^mmbLHwSH-@(3UZ;qk$
zj985bMCSa_x$=~k9);!~JL13O1|rA8p>P$~wcitexNw=|PH&(t_PZng4@^*r@ldEB
zbq@Mw0&McnhJ}-m>;zQ(Mky4Sx_}Gn3lU9Iyui7L%~awjn4H`;))*?MF{zx9N%VUA
zX({tpE_?AQ7Bpb1XRCi}NOAL<+lQ9f#=wbM1Y^{y$ZCHCwAhty7WZBi#kA%Qe<Z#<
zO|WxZvecVqsaz7v5mUozJVogUr8r&_kM|c}>U!nLh6X_i$`0x+`6n*F$CjQbAr?!#
z8acW4Q{QgQ^_5z~kz+QaSZwlYWX-}Ia9?77XaC^?lS#cK%y)UP>{*H0E@Y!U%Apgv
zvr%6;ofB{W_D$ow;ThL{Peu+AKeH7+%)@oPJ~WW!8|8<WYC&x`qkIuu5O4YO*T=rs
zkjEiLhvAxQc0G?0Y~etyudk~7N}>^zJ+t<8&Y-%?)vmSl57k71B$(5A{LCI`qjzH5
z1Z&<dA&U5(-v2$Dtbdp;6svp<>Fy*La@E4_NxLY$n4lUA{qis@dFrJpm2_bGx~Z|5
zXO5;_zMql~t?^ij+%ILdPl!`~_<#^QDQCY&j*kEl$l{=<ojghLj%9q{W#oj&3sSK^
zeJ!&2b$U8@*;cYKvfI0}mOrBWHkpRh<DsAXy5|pScLM3il`w?Dk5DJt;*G0nyy?p}
zq8z`^i6aGBRQgHu$-zs-p2a38`?`TTgl<grn_S0-&OVz`PW-H+tN;QcSg{!-%-2<}
zc|#XQMhR?T3O2)rlmfDlg_q#hIk=_Q((&kC%yHUvWX7l}IXJHlX&-BcO8580U){)!
zV(|gx&{_#F;QGoK3W3(wWb(X3sLZ7(`zdxI@!VP??bKg_5F4|8&2gT$o%j2H>jz=(
zh1Jq+*0{kwp4=t|ZE*g9^cO*=X6?^<#wgG2=b@UuMIIC%KZeGm&p!ZVl%E}`O%^2g
zAhVu_+N18TtetKAy1F`8?U<&L>CIaUcr{ClbD~Helzvj~oYPqcCR+G#aZF`NQMk~$
zy*Om8CJFWbqHouD-|w^Qy%$2=hqvumlp+G|`8`%=j&P$k@Q;YFZ@S&6%0b<rC~*fj
z_tpJz9)|9dM2lI|M~Qe+%Y$p3tQl?}1l5*o0fkYVn3<sfr`9KXJorU058Y+p*IXyc
z5;J_?_@+7mG0+m#P+6(L1?qX)mjAQ04{7yHw>96_=BkyvetB;Inb5`H>FGu#TVE<C
z>cOhg5j`6GSuXtHAT_9whIqlqW~r@t6yQR``|&!bSB0v!v{}!~enzY)!Vl+O_95S`
z+}Yb_b?Ab9eN_&`R}$r4on=~}CMPw3yp{u9LyR>%_}J@<4Ks4##!<4(Zagi7bFEij
zs9cPbheXuZ^numJ<E0n8*Shj}5^lLfdA0W3`yamf)xhY!L+N#gQW3WU5fITY34-t3
z1ncIqK3J0S*ol7GVjHi_gecl~sqZ=)ZuTSV@C^E-sCClZeg`+2qJH4D)@R!XWiyd#
zgZUS+GZ8>e(AEc31ISf?BzO*DC0|A6SFBe1#&<@!IsF7c%QL>&EFcF%k@(=pRor{O
zL)v<gt5gr3Y65|ON_CJ-0Z@5KNt4I90hrz8Yrlc;?MyPb61`y7-I%9lu%Ar%leVr-
zW~iDPF`YYfEC;wZ3j=?MXb!1hFAyg8)c`e)q!RayM<`G_@8OKw7B3chm1-N;YqBzf
z5}MD4uMD>8@4Y0(=<9C^yfHt(T514!lmG-=jW=_Wx?5R&oj<1Hh8H?Z3HVUKeT>7M
ze`<p_K1Q&n4|Pz;B96^yUY87t^dbQ^al?H`-Q8M`*S-!cXRS=%|3d+%8((=ZGVftO
z?vT3>X(|)Z?9Oh}hf#lty^lHnhjbDi?j}Awiu3-hQI}~e)AAEpi1J#IV=4*_I#7na
zuGm3BGmmb}%FNV0y=?^-xq>zr{k{}|6hS&Y?^|?U|3~J$obEld)0?}}Grr^|?)?W}
z%r4`~N_N>ly<B9oy64AOq*XT9-``KxTdryT#S%4=BOwBIg={nDCfA<7Tg6lPo|Ws+
zKeMlvVzy15D$WGaPNxuNjYW^e*%l&x)j*+>mG%8{b7M)jH1NY$Pvu{F68x_5UCs@;
zi;W2bTonWBuNw5&Q-J@3z*mp%E3%e5F2uH82+&j$pl2?YzK+2IT^ls`p-g*_zAj!G
zlpqoC@cXte4Slx<ba?qI!>$Xble&i&H@!kbTbmZWmYqu(Tu<Dd^o(vb)%0D)HAsK!
zUuFCGRwRp-A>c|LC)$kxD;{;tLI>S<OPRBd41Tjmpf-@8Hc-Ayfg3w4q7`<l<ZZZd
zCBM*~VziR}l60A82lDawRPA{_OEhKh!sDWi4!@^GQ@E7+CV@|!wp`C&{L+h7S~TVQ
zLD6T3lb+X**IH__w%goy)t0vFMPPft?U|R`ab9EsyBXs@Lw%9R7-XdD?B_nLjt8wz
z{LID4t3}+0&w)F;C|^_sO=UCyqUsj?UVU3LhW+G*MnaKHYvZF6X5tX4(@Fi>H~d?+
z#wZ|#kk9GQF0Kj_l%J*3Io}|6<WiGQC_s>twRlPnw|T)MnSsYM#`7W$_i?8k4tJ=$
z>8vb{*+7>^BmS$ixz#+dp<DX8kOc`&0$26th<Cw3ci<epF5?Mb<d$Ak@M3S>X7RL{
zAO;;6VoR!tA2F_VPhf92Rhzx}1+CB3|Iq^5Ht9kpPR(EYzcn^u;5%}{FV=l(A0I8@
zLP@#pZ%7t{(ErWYn?V=bOWx~rbGUv|^sLAM5@j8ZP`Slbac@CXO&FV@I5Qy_aT{!L
zj3-XrJ_5~?JF>DP=guK1$G!N*o`J4QUggNowGX77r2x1OB=2GhsJ}3Sip8BB;Z|MK
zppUFbC2R4s5v4i@pj9}pcApH+aJ*Q0*p4pXsV@eD8R)eqNX>kD7rYJC_PpGntbUX8
zBV=yQx3v6m)4U*fI0iwKT`a72z1o2slpi`&Vve>Ob+G($P4pvZvTi<<t)|#Z)Q?ur
zW_NPw@-rN={g;UidM<Y&dX4K-s9|O#<irnf6Ar5%aKcL_j~17G&r7YL+OHsbI*=&-
zIs^Usi4~}J=}Sj2>wWJj&i&Ja%^N{}9>H|y({7A{k0gwqnoiLeMSeYAn%1Bp@@qY*
zbaeQMy^EbJ+X0rkIuyjivw2TTq-kN)u?ku-u^>9NTzz*}Kkd@+NvrLCb*n`r-9h1P
z2;`ff;01JLFl$jDhByL-8s2sEPYaLqwDt^USQ#sLu$QYAgSctA%m%VBTJ|pF>J{F{
z&0Btc_AS$1iJfZmfH3_>PKB%AJcHCflZk`zvqqYrr2dQtn&bj0(JZ9~ZS1|9w0oap
zfdw+Ghqp}woY9j~8afV&oD&XFOBv?N8+MOUDRd;(ffkt`X13CQ?`TR_6ues>V8X@Y
zYjs_$FU_keIP<uB+w;nJIp)%S&(zZ5gFaen<x$^lmS0Xbn=UVDodd=vLXvJFR|ymd
z2MlWmUdy9hPg`Gna_-Y=k$ggX0E1z+hklvm_sMr>_gsxG$9GO77r-%i#i2AL=FB|&
z=u*D>VKBLoU4vL^SI+b2$M(%m5|KPA{;WQdGoOmGBw;AY^e*Qe8Ha~81#YT^6y~|a
zmfxY)dlY?DHn>4*@M;(TbAO%f4S!Q6)5Jt|OSi{-F_8(qg;Da)jxD<Etu;*DzDWiB
zwAnMutjc`&HcNP4z~b)VOoV0$D@1R%<)r+U_n7+oEcCY<9Zyr9sS41Flq6yZImSIn
z_Z!!`emHz6JYQHw@~*;ECCl%VD+xB1*BjNzyM65~hdhz{c*pV2n#s1GhQj!AB~r5r
zQgvRODV2P&DP?4yluWR=Xnxn0R?n+r%9=*k)*z(wY)DmS3|Ei(Vn_$WZFM2Z@xQX#
z^VIOyujO~F4Pivx33yqK=Bv^$6ysNSu8K8ieE<~7RizFFx40J)RY)ndw0bwb9tqxi
zskq6pz>EFG8uIoEKl&->Mf(RbKeISvW!DIvCw7Fo4z_$jEg^^}t7++kXCo5V&X8@W
zAPLy_)9Ghbs`8!A!jTxxZ=DlWI#7Gu%|viHnY9KlTUZ@FT6UJM*;{WR9+iWY&uZkl
zu}}LNN0uI-Jm_3`;ePDrm7uc36bp+e1XZ~`59iRx3KTjfxWUPH@S*A+5~Ul#mV(*g
zPr@cbUek_Dq8wdb@U~jOZ5I%4FrDZ1qVW?aOwBNSCxGQ$)!b648%8sRup{|ATwS*v
zmXL(yZ(*+0(S91VPm`5wpP+fN=ta=UK3=(gy?y$C1GADrFJgG4Y3S$LXOt1Rs4o^V
zHlTI8Jtv&*!@>9v37uSt*P_V&8+>bhZSVFDjnHe@2A2bv&?Y&WVPs7)qgc`V{yJlL
zXfY}M$@tHH^BH^TC8rUlpb|mD1)Me8gEA;G0q>VO4rD0FvHzzDvpjnSW`e@(h#+`l
zXUbe5`IBe2i&!^WQUit5<`u#!tQ=-~55mezUR+toLIfgE@+x<bCw^e0rBV6Tx@ERN
z4}V<!HZDcsqM&uAi6eD*WUxkMsa#%mOCRRm8i*wCQ96s|+e&EyIqi?fTc0&EQd74*
zzsV>_$Pp2ScI2t>-+h!)1x%>_7^Mciva?Pkr#@|Cl_^czh1eK0m5!o}UkEJD1wH8+
z0LhqCnV^QtxZJU5%a{?4FQFC~{l0F68n{t`l44NoBr|)X%g^il3$VWL%GtqBxe_RT
zY1h5HJuT4UDc|{-b6zj2ViJ0c1qzh|3_}c}+8D+TmDCA)ncDfL`ezlT2`r>xow{<)
zeqiU^QJsr~xv;Xnt23@;ygF7+e)98A^KKK8hr!?J;@z8mEWzgKxhjkpoct9xZzCNA
z%b&p?fW5IeIqUR0^rfxHd+TyI40aEA_*R_kOh`htUuc|Jx3^Y%4ThPQ$QJ8Lu|8yM
zV$Bymc#~9(Nkz}35jkZAN_?85c(R2wVm{^K<oh^r8cKc_Rauv_gyD1VZvJrbcah4?
zxwGM!6JuWpt8l&U8$S2&@YVQf>`cd9nBK%J7yOqRaj`X{z_5EV7pFiF#>ZD7xXJKG
zUfWE#XRDLL{l>5dHJD@F&>DAd554Dd(&?0-10rk!5KNIM+M@)j{VV<`N`o(v+yc;|
z|CyMha734XHHkf>ewd5%S~lc}?C$eB?>OQ21kkLNI4kzqu2F45F2Di;sUhleI!25y
zfDO(zoIz$Y$KSb7>Ox{Bsi?PKe_2uMeiK$KH$zHeF~d-4D3g<VmN=meDVWYI?S7*L
z6?7G(wfSvZGf6-^yyao@W!d4J;gh^it<4C*k4QxC9=1PhRP<K%rXddAd6`(+nWd1x
zNw6l{$r*f57)g5iD=0i=eXxdsTWOR=;#52sC&{nCgl?eHiG6T6?0E@bd1a$9OPye-
zCOScLWB~}sJeGoMLR{adliDH}k~k2{Pn6fM1AYl-4&Nmrc~2FhXzZ}pOh0x!LoyR0
zAZ4V2;pdnDdu{G_`VHTLu@_j}Jt76mVB~hd#U_JVhLjnx$+38FNI^e3&DV<BhA##e
z#a8##lQIcFYL#`evhv4wepIi-dcfP~XZE%i(v7X#*6QW-rsuG~bm5z2qR)gBvjiX<
z2`ZNse7h1+A9+eke>Ui&9y#_84u8iDi*#5BBP*z5#Mi6dz>Q_6UT|(Q|I(D`*l#Tr
zu*zyd3KCfUrsnz_2mOsRU5hF&c0-AxK1M**q4kn|xL`psjBtQ82Jxly@b>CE`St)t
z(eAoL#mwT<{U+qwW{b31viMTgiSgvy?D4@JMzV{toT*{D#k$Z91&Ru?P!Vujzu>}7
zRv1H7?Z~r+o{-m2#~wy<kdtux=My=nVCo!`61KZB)q?-k<8%|$MK01^{s@@A9D=Wd
zRoXE+S_>{gTbfiLo>kOd(zz^xfdtec3*CZ=PWk@A8&2#*?&DVTa0{Kn(hw<)$B&G@
zXe+WNrbQq~7tQ?BxdtnLgwpti^m6j{quAcD)4-mim}L-9w;H;Tandeh^&m-Dk<m;l
zdR}_fq;n?=grYGkxaRj#V;F&WM;iOZAlGNL&#Br;SMJu^1xjdPEXl&tgmIRtCn-dX
zgFbY0qv<cwo2s6858Zj2aPLP&9r1=i^7@RCttPHI6D>FdH(!`@qwI-^2rb&MWI%Dd
ze>t7H7ld^Sdr|0NTrAeDkd?qiOzFFK@y9RHFRyyNMHhJs1A@aCwV$p;M2?OO-4P0T
z6U3;1XnI33+aNP|CoTEjnAX?sJM!<pStVOd)!;~e{oMa3I}weWi5xTz($Ul@gqH|P
z&q#e+?LYX2U#3+gl`ZP?yvF1#n+ik_TdcoI5J3Os6rY4Eu90*PZzMQWRIJf@XYi~=
zo6g7!twN_?(2S3!t@6OC9eI3KaHmg+sE`Y6ZlyaLt@Lf8L#HdGLnoji=pHuAsXVfe
zQB8-i2l?q`jo~*#x`>qY)e<@y4W+tl9|KEAGe!<AVS?U)QhdLi2v{{`A|D2y@~yS*
zD0;z4S2mMbsCH+{Z1nwcPpAGD)hpRHk^v?bJ;;9--UAw&&=Xzk6wWC&@YKX;<%xug
zV;$dN3OR4xBd9i4o6xQ2`I!kZh|{~58W8r?v@R}AlMH?gxi<=yo0;hn(zHaN>dsBK
z6o*JEE}R<pD}~2!8dh@#>642t-6{uBpECbdPV2Oo_p`Y+VTkZ``~|ic#M1y}G4R!N
z>($Ze0nnEi#DOvFi!R2Msj0v2SY6OUo-u5wnDyR<rQE`~sh%izRftWyAKZO79!={9
zWbm<0@KQ1jo9!Sa4Ffoz&v^pkv5AHhdIt9ed(*44aqZ(-1&mTqcuT)f)ea`j^)z1#
zH<JnPsH4k{F^>x)DPVcn62Xn_;X#}(Van*tZ*P6|`Yz8;EaPETOFQClonW@`!U3}&
z`qZ&ULMdX&!Qaw(R6Mo&@!?_HMPE86;=>hey*6v&-4k9A3npyCXn5qy4Jftm5B9OX
zpsL>9Iav9L=ZCw$9w(7|QPr{YF)}1axboTHyJEU_;mM!gcZ_8!GD+!MWUJ{mT9e|O
z>|~@8`eO1vAd%&Re(uf&-BJZ5!k>L-d)Jc<&Gdh+?_xt(Ez{+k8P?a^Mc<aHaTnQy
zZzq=oW~$8iNkJ%17&zf>ai6s@>qgrQthSM=s(QJXV;?^Y^Qx}0u9UyfAXSimoT6)Q
ziN^(x)3bia)QRL~ew}_jxHYAJD;Qn}scU-mUvom*Ir^IET&fk4zdmE456lupSm3he
zZ&aWs8efaeX~;I)^OB*U6m^H|kEc9X=@E##WVn~4v_ubZcf2plSuv&4;%Huw)`V1c
z3YOCQ;F*{4)G|XTOjfHa`1h&&F1|o#xZnnm!FVJ-_kq#YRFt$$S}=z+mQw73clB}<
z@P$TM>C+e8ixytybouzZL=pJP3J+gtT`9uL_0g_3Hm1=hBie@8DG6ttjA3+)!|%Ar
zLBq-c2Rtb2ATAB-LvQn6m5v;6+g?i@=*;#<@2!y<bJq<Vb{#>=`OLJR0@z73#xob;
zu4ZM^FWzV>yp<TB`WV%PshX9c8>ofQxZf3FR>WO0udK~HTc|+_tq%*^z|&zpQi+dw
zsv7?ow}u<riLZwUmK1pbg??hCrShXI>SPKV;m|YGfme`jFo}wQ***HLp9h%S?m>z+
zncfZy!D5JP0k%@CU&MkQNLj3UJwjTb7E~l5nOpmSqk~Z{M>CP|sMWVRmR;YHZ@G$#
z(@9UwZzJcnRxxr)q$doKQMTCiR;N%XP_)x3FFgS@)AoOTBAQ7>QHUBTxb@@xy81~7
zh+rT?g8GCI21BQ0TNqFrAm!T68?b}uauI@wjY=jjNap~n?`|CTs33U=*Fr7|#e{u0
z9R=Cz?L||Uk~gMqzT&EICVmur^>aPa1lEIW;H-G-ev8CRrPqNO46f>D<T~(omF+YN
zGl|50(EX;VpOoA%$|sedxG{pQj3qj&zjwP0SRv6AZ9GA0@`E#TFgcR@{L7y)fI;IS
zSe*I>vvg-lD{5%fJQlA~Z}~|M#jhV^n+^|(WaWux+Gj>al8kb`fvX2`;{zWPEeE6B
zMK}2%qetd=AQ}aj;2kO4>WT`kU-55i!`-)nyBHjAbu*9v!cch{zw(s1^HtLsiySXy
z)o`$!H8CXfN8)4<W{+IKeGtjrRxoKdw0<0F%JjqeP9v84&)w$m-W_dD&TK~+BNX>;
z==N^;q@RZ0B#j8z{MGgYdnRkuLM*5@dRu%zVCBK2g3>d1<{EV7UnflipcXvBK3JUa
zs~SY4dw*#^uu-xB1tut?gJmFsFfK0h_y`11hJqf}0b#!(a{z+$O1=kqkOxr5o16Ha
zR;CH+tPQz2l5>1x3AMnWgND#kPA@bGQYwo|N8c*eb&U#}AcS46Awsv14~f*Gh1jl#
z25jFKu$}kU&CHwM>G1COxv}Flz*xy`)7=XL5H&Qt<@d*sektJ85<xWf7%vkO+%w$*
zD75?at;UE4;S=VWFLm$}uMSF~Cw&`{FJMv_iFUf%vVuX{MvgXgzXq{d!ab7G^wOzM
zE_nmam7u8&95CiEErDbKe%g_)`dcfs@qz~PC@zPqQ9~!+)EGnxb0i{1M#J;+?Dbc*
z8I-txb*EkEv>L3!{8UERdM=j^JnY+Fq!?iG&IFb~j3$$L8FYey<PSnH<;?rm53^H6
z!oTP53-=%^>yaJ)sBLI!Bc|N_p63~(@){k;FrId|k_)O13OZuVO$v=P%pRHl&vt2F
zMPdD{6X&X^N~vMqA71V}UiBm3ZY;%D>@7#arE)XWDItTYG$%lS+x6N66HuifthyS`
zv8qxCP5nX$epQ(<16K6+jU@uv92s}Mv6q6po&&G)15qv3cCZ}6IWD*vC#T8Og3aJg
zfsNabk2^gtR|H&Cw{*wej|N&LNJ%X7(7MTxR%1ia(gO%=S_fEkb+}*UXgqd$4jF9b
zw(O3>1eIaj#r4xnzPh3YG_)=^IF$VMZ7O-Jctmx$5MrqJYeMB~&$CAwcMjeqA8LKM
zoHH@kzZ&Zuf)Eth6etX26b@5AoasB<X2yFdw2bCYw0H|mV|Y}4R#t|@wBTKSE!u#n
zsSs9u;VBQ3bLOWD%W>6d0avp%)ybv1Pav0RWzup@#2IlOo@PyD?|NBxUwXSqt+87g
zuEQ%s#r;jIodg?{b=JEM!L=OxD>)i3NT<DK&m%bDpLCazAR`#**FkgJ8;1wS!eHz9
zlJxk|gWXAUi`FlY&p%1P_RTzWw7|={AN-6_zXXA;$B(%Xyu^<a<s{{THmQU_YUowk
zTMrI&WEKSVfDG^WpaG~roIUI3taljmjfsh(m~#;dC5;vfqAsjG%uA;AiTLC{Moi*c
zy&C_xeSzKQv?J$qo!6e`1K{fe5XfP4LKNmIHKYUulT&FIl$Ps>K}4fA(mv}5>a1tt
zLcD*dVw=Rz<N;2xY%5oc03daizEO2xbSxf-XE|F(yR-TvR|s6j0s)XbzgHhlMldUL
z`^kkn3u&1Km3C8f907=M4#oEv&soF03~krU6F0TZ&9!P^aALpR+70C`Wq`9M?qnA&
zfklr4XzcERhI@SSuuM?3KRdaPq~DRD(ee`9Prz4MP3|v_eZ>`AMXJ*xfKcw05_+~D
zTm7gh1&Oz27Os;SE=-iG{sqV~<?$LBnAW3-tENqIymo-SWI04Cqxt~+h&cI~S+#`6
zS$jIYJ-PvjeBj426{n?nzmdjg82V0vT;P1|odA>q>;2<sC`e5#^&_cASDR`!V<^m+
zC6piqiNq)tdalFwY=7?Txwb|Rk_N0P&H9*E!SBTc2SG)soVVQze(*+daD)kLr&(~V
z1;7kqW<($wTJGyuiYWv%buV`kb|Ebvfj`^rbR>H!r?{$%8KEA&4JOKBH6eNiceoCG
zjsAZ;1c0N~2pN?Tw_ak5%CdzDCYzwhU@&QI44Um=PWX7u10HU=tIPFy6}lgeMyT$5
zd(vF;7=(|iWe?H<7i1&8Srffz!ST!P$Z+>wAygattO^RJz=}fat2$tfYYqM^4?5mV
z^(Nv1l}1GlWbm`F(st$Y2xzk0Zb@370o*|u*B2epnb7)XC-u<o9aTvEOFBVQWW!g7
zbuPH>a|GH`3bnYqmG&D*T6s=z6Qax6&y*cVkn^*<GFQ4LJ?@HFm2t&qXt)E)O=nxk
z-1f5KSy2C&^5{i}3n>-57(#}&41=_zT~2i^)8n&5DH%G!B9DdT3lAt12X}}$JXl37
zjgg0WJhTHTnSWjpXl+GF_;Fr>`F5{-aZz@xW*uiY;HnBSH`MbbOIGIf!vIA#e0yKf
zQ^ALJph++3_+egH={Us_o%M73N=Ooqcmv@a(PCr1r|&9L@uR!MAXf-0q-2jAmJnfw
zb9s6V(IXg}|2jG4AsD^^kw|9Ha?=`dmw}Y9{wx^Kpa8LG8eAmpNHb4IMyz!4Dz2Os
zpXiHFe4V-n-Ux)G)0;PQ0Re73gCdW9gn?p<86YL8CiY_=gamJeJ-Ku0%qLd?{lDH`
zof~5qre{F{@&ghQ()J)Hdywe}AxaR>m5Iy=HUpy`TWV?=;3mIQVJu^8HEh^Ke-3O6
zoCsOfqp0P93H3H8N5pOT-How>fNXx5hcg<`cR^23`y}F4UpVUM9){Ps8nDp1vFsWe
zm7NCTC>WO-wzJqp%k1*?OI5xyPo93K?~VEGag4(S-&?x@A{MNM_xbst`V2f!u{`FT
z2z0Gz%t-XjH?1zwh}`&Yr27nE`qlB!{F4JxvNRGVQ)a8Smskk@pO@$iV^N1A_{hhx
zVYDR9@4Zm1O;v?ZJ>vk!1mtUThUvp?6N7Lx=B79p7ka_!Y--`%vCY>eAMWCLZM-D;
zKs?&cINJLXyXny@yH^cqaq4H<v(VJq&vbpLeSF-uNkQT-^SN<CxCno%FBUD$NTs*a
zRvaZ0*aBIG+5)2r?||(MZKrSsoFqNwtk)2#9pvtGkY_C-UMZdAZ?vE>andO_K;>Fi
zSSsX0aZjmDKfqi-<PcjRT=_94vuL^+>u}1CM2(w~ihzm1?9xvpqb}ZWg1Cju0@Asr
z)+IqK>x=0zxo;-7p-{)k$g$5tOglZ@G4je-KC-gWpJoPjBynH2ijtbOT09o8Cdm67
zn&I$^a<WucPCY~5<-=T}v0~!L%{a}*A8ir6b<cBDXGsccVVnij-N*%pNqhHKMB{qY
zMn6L~>#XUtAv6D7j%K}pM774j-iphgWkP}U(g)wmTOR<QNT2{|k%M?fcvdIxLQ3d-
z)3Z>d{YLMDC0~*PlX8N-&Hd^Jmdi**n|XX9*vEw^%rEY|@Ma@eB-p?Sa2eM>ghJB;
zGCFzQ+yR^S2LOi_LJH^SRL}z@bK5OcnXGjYGzTY(wDnO)`D>naMwy0s`#QWxZ2`TV
z{y+pGxUFf*t*DIRux^)&(-sZaB9`=lP?c<DhVoEo?*v>)X(Ol&itT-8F5C!>BcSl=
zh4w~1zW`Co$G7bXWR$wk@Cp4bX)OBNXfPG@#0#@UL-<;49045*I(|xRN9JXnuw>tA
zXgMvqO@zTHoHW;@mu*6TXQvC*){}R*pGys&BQCseFt_9rC`QbnP>qUULr+r6irz@i
zz}#wo@Tn~aa0C>nQx|VIOgfst9_{f_mA<A_cBa7oEa!$(piN>gjg^)+s0!6K<!w)s
zWVHoO#Uj3a&FU0NHnunopt}<9PFGlYyb_4jwe!@~2o`SM`Cw(q9rs)P<88n^*he(S
zJf*bcYR&)Gn5KNUjmV`LuQP`{+h>)hW0RPp3vac}`0*Zw!lSz0JmKO5j&Z~wtSz9~
zXf94;w&CVWcX!uVu1!F(h4-aaJEXt90L-RKFoMIN>E!D;L+s7L4i}JDvzkgkWyw##
znYageK?l9#T%?yVUtS4|b;+xAvfhY$dKfX>p0Mj2MTmtAK1R`6xJr9Jkej`Q{c(GO
z84v7x`fZc~!mqBP@ut;I74ThVr+ny5uc48JbjV54b{^f&ql{NKmgyp+AL_H+SKfx(
zoKJ3@1aQ4itx^=%u5Dje{#E-ccjC3U_}q$7cx+}`Xj<LpnY3>za%Tnd<{aL3`_;+Z
zLkPsz%6XA;wxkcUm`nLTS)XLUMli4P<AtJv_9C+gU_<v8sf*((ZyBLdo5VfN^rDd(
zkhX^kQ3(2&bfo>xt;*=&Ckmza5pxtNnGGcOv?xQ*?uIxv1&o*YWM3u%%L*!Bf`;6$
zPjvV6BrM<t7dwmIDtZO7`gC=@oi+5l{V}0T9qR>6P&CtrXLK^bL8<j{Gre<Mdv`p;
z#Xu8rCGxG0l<At{uZ+p&h8La})C~W4PW7R#2%K;FN_#fzZGgf9hDl_A`$lBJ+va@9
z{Ssj$1>tl1kHAM@CE^@7WJ(|UUSS6b&gOqW5b=K<=4A>cEgI&#6&Hk|v1r-EXbrpN
zFMZ9vGu`QQ_N?)k&n$|o8)_28HHCcP;MQ#y0AX)0GN(Cu0djcASMlr}BG2Iz6-fTm
zkdO2Ahvac2hEba!9k+HhFV8EN>yuZOI1tD%Ohbo$lxh(8sEznRBSIt<XWI>=3o2MM
zu1b7omTl3(G>PnAZcZ<4xSgcg#^}VaAMBBxmv-#m*6xnrFT+%853x*3`s7+ojr)X#
z@!@+D5=uDeNLLq>VwvmO_QrIao<CsLkXG&W4}$3fK1$Z2{k~dw_U0BcZ+={kk;0h&
z5ju&$JKhD?7ueLzhcZiIaB9)p7AY)g)%s-GqZQ8{iIyE|Fm1Q*EyC{~D@U@S%Mi`-
z)?y7~-@fnBUxIKO3$FOee5iY6&osoCM>{qt)LOX9<6KJ|gKIKWgB($D4yEI4pVy#{
zJ&%hUKoxy_m?(4JQ*aOxiV16*PW(f??$i)6ZEk4q<t<`pjfnTNuY8;j?%_}<!f{&?
z!R9>4fp>@7Qa&Tc-j5;c+(vS~iYqA^l(V6}?t_a1w(MHJRe#AGWB4T2@@CaOY3;G#
za~x49<iZ|igG%J&*d6H{rXsgT=OU|L-G3|FoRI3g<{8}7(yS2e)(b>QwE#cF6La@G
zQ2{mbl^~)4R{rK_H&m^o;g<y6j=>X92Z@(k^_(<ex1+n(96MIqTkLz*YJ6<c7ii?4
zEW5NxYAhYUwntCrrX;L!Uv?mLI{B><(t_?Pd+@XIIEC0^o&Lyny0F+#c9~sHlfY(c
zwgs1&2c#rsW^R^nfxcTRebgv_xtc%vZtNL=tw~9$%J`g?AXy-bn9o7bIw9ACt7kVb
z>MZ=3?h4gesLd);@h|&-haj=N{n)S_mmwG5-MpKV0c6bY{MWA$u_l$Jxz{OoQM&An
z*_!OS+DV9M1)$>QZ~CO}HZ}vi`>Z)3%kn8~n=b{J6%uQzEWdNZpGzohlz3mgN?@ZB
zcm&$K))9Iwc)lm$x!|?6!?e;M@QT{FIK;n^21E<|`v;Lz&Hxfn1}d(Z91<sY7kw~*
zbd&$UX!Xl%R{M>d&fAitr@AQ!2}sD@JOK$`T#nXOUnlYNmB0?SubpuwZU;6jnTI3&
zBCX%D#J9TF_Prl9{J2;tq9;HuN`doLniC{vYuBAQ53PEUzY|bX1Gr%zzc!E%Hv{43
z=4OV{!NpzHB={s`-8kmdRNS}9`qBh!z8EuCjqNO8dP9sGMCoIoe?a1OZQVrxe3YhW
ziqc^hH%Jl|5p1;mfVo-e;jTkJu+G6<0rr+~nF8>_uMv_r=-JnZ=|qGV5dake=w{7E
z>h9$=&$~~doO7gRQJjXdUCeCKGRYqT6$_zyUje0?iogpv|1F(?IL>*0_522~L^@N<
zo`3*8>uicT&8BKrexr|IO<XsH;kajeek+GSdXc};RUg?v$C1$<dGQF5bB@nGoAG~&
zri1NGAJuQ;F1{9R8bqJADR+9`YmF?vi>#d1*+2i@Je*s8b=tGExLtc!+6cNd%XbSa
zeDy?t=FOwhLKYX5n(qdsJH^`!l;KbFu)L_<{r?|VR~-=5`n2UPE}*+$Ah4uLNyk#s
zN+_+g<cjptExmXFY3c5g?yf}zq)WP1kWT65JD}d*z2DJ4ba&5t-k5i0-Z}HkqvlK`
zMbq`biUuj1%;EejQKkvBzE7C<7)X@5_5#_!!eR^kWJI;{5~dn*!?q#K(jO&~dGvWZ
z;MKPWU<+1UxPeprlw;Lrsu33o)+Z66DM3KgTTU%>|I~>Rq(B$Gb0iCK&0)UyxidmF
z@ww)nGebj)&VJ&J;IM=jl`cAlXbGH8KU&s<g7NET#Tl+q@m1Cb&+6iw7G<k<U*_R@
zYDh~})x9$=`R41a?9+l~>^k!&1kK#rX^D3~Z%f1HDBjV@_5Vqf=LSG{6Pv;k|9SqQ
z2-H=O(hr5h^q%wSSa6UPZuRWxkpRWl6_GxH6|G|m<Enq25f@iMqCQwf^=ZmH;3XF0
z=arYQH`I3RUgRHg^e`WDk4S#{f>wKFA>HDnq2VYXD7$S+$%PBUrF;nyyqRo2sFEQh
za;^YMmZ#UlJO~){GIqe&qA9V_cj$vEOTT@`z9t&-(P-H*WhhDS*%ijK`kPJJ%o_f7
z^|AA38ue^dtSGF!3_~?#Mm+h&<n$jB)<w1?z`Ui_`SKb#<*hfnoAceO*NUcTruIWc
zVy!x80`q$dG}r3&0fp)B!6Md<<BoqF=dGas=SfpZdK6db$gCOp%CO>B=AAzpSD{gM
z{E5ohg&i-XpheF)ifNnU@EVI8d>w-Rt^+6!nZO$+U}o#E30+cr><L*bevf$<FC22v
z>cR@q1i97T=^+(JAzP^tsQd2~LsNZoj{Gm4C*M9z<O8ZeJ%#F9!LC4`sX__G6(Nrn
zz0^(bqNL{om&u$Kq-sDiCk5mU<jq)?++&)gW`7Usk;;2HxrA)wDo-QhRV>ru9r{mR
zg9}T;U!>*+aLJ)tZ7Ek@sWYS1;RF5k$33v3c{1;Q{ThK?fa}9WBJpp6#<3L=EhEhM
z4r#3B#&zvH4_&dB!iO&+{Q6do$Ic;IQJE0(7TMydRBjAVW%;b=F{UU1@4RbD&&B2X
z7ItZUqr!+|)8ct%b#~V!1C?v+)S5BS{N3CO&nafzxd_`cpVwSR6P*gx8X;;Iod?}p
z4`qk>+QzzX$nDxzyC>0r=%pTlp3zJRjd%M`PnVcZd<CC=+;c2iGCcCx*T|WvoDf+t
z*uG{Kl>c$F<9OPx>9fWrgBThRYTdjlwQqC9ooBIBa%a|izQa@vewN=Z4ucwR62Inp
zHKtDxoQX~FOzj=<;@;q1kQtYol^*AzNR2zC2q@cR#SCH0oF@vjbM2aNcbT1W%urUJ
zib^{=<%&t`S_(FZll}g+t2FWZV36ip9)N}5H+1w-b02nI8K6mS{lcJ%LVOnVG4k2)
z<X)hF`|r>2d=?U*g7Mw@|NaE1QlZZL?@xU6F*H&M(0{f3u?%H?1Ny%weFV}wubO=`
z0K0<y-QKoS#skMc1%>ip&d>F4S%_IjC(E}H6SPHdUM1a+YRm=rp4yT6*FC9T-&BY|
z0PjX8)+<ebj);vjfxpv<#B0E>ekrJXG-h|pVn8Pq`yHe{0qjl>5-W!uS~;1UU*XmI
zXna2-X-V{Y&;kMi2Cw44KF`Ulcm-e-Gnxcf4RG}?9X7@%K5D+T&Q)B7dN2S^pwJ5H
zO+3GOIj?={b349k7->8oT)0&jP0!`+#n*3LekBTtK)knAS{gH>1BuzWJc$QgW#GRz
zq8r`lyQK-XsL;qlJ*b7O2_i0k?m60n7lnFIS%&H?jX*s}1H1CoSI%B_;eGe_Ee$*$
zCr+!lEKYXuZ=QoXuM4i0?N)ZV8qhNZaAB@A*k_$^*y5H2v)yHL*JinJdDppsFU7#}
zVPCk|#UoHVWjWqgs3y^b?XnyQB=mAcsX=1Q(CQ`+lgM8!mYttx-hpJHP}z5QUf;4{
z0q6>VOOFS)>aw-IL&&6Q1yO)E1oBcJ^J4PV?A6y_m<b($o^e98Q~*4PCau|X_Z0-<
z@+;4e^Vx$Aq`*|XCUp`{?nD<0eOd@)qh$WmZljZN_7gn7<{Ha`D;uxID+=}@;k2ro
za^PV%3%Rm!Kuv*VNIte01OOMyz({^$LoTUDNW)O!G@+>1GT6UxAfC^@qNUlngn!BZ
zRTA^1RW?8vfBPl;TR*&h!BWt3`UqN}sVnd2m%;xYn+PSB0dMTL)}4*WNFCekIhWd&
zI}5E76++^^c@i`Ux!vwDxEj~B^H@|Q;{A6sj5_Dm1aH&X?p(4=Q9xDRh;GnyzE0D{
zcSkjFP&@iy)BSvIu9t1o<2SP91L{I=Qzt&|>%g_(rq5b1LampgPai(;L|wB9`f&e|
ze|k!FO7O^&W^en}moE~|geQgPg#k*i#9b7TCf(?d<l`a2!DWH^;uYOR@)R3RD?ak+
zu`xV-aA85WbTzlcT)UVdM%LMR1^^~kr%njT>bPb5j%EcU>-(CWnAyvbc^Dm@g9SO>
z9(cGUixl*>wziIsAMX$c<k%&<VE{H-E=-6^vQ@s{AMDOGD^7M=l8=8^pm=$CL9r;8
z(w)Nd@u)aP1@N%a+d851qqQ+|57WaQh#<Vq>IL}R%ys*XQXxo9ZH6Cq7$Pza{{!_0
zd@3-bsp8Vq)Rd?pA{IRssa+IQFSHLaLsqkY(IsnygOH%8k|ycn!dR4n{?^i{+zvWR
zd}L=afK9j2qI>rrFdP65x*Yl=!W%!v(R+JtCp>DgzBOI2L&Mi@#f!0Tst>#~j86(@
zhfK~fR-Ub&jWF}Pd4)v}OBVF3$CsPQT#_rh(5UPiyjvk;mqH3$=o~B1uVI27GwdQZ
zmK$M*HilVUu<D}K&{a*T{t-!c_-1aN+wh!OsJhIfxZ+9|JPFp0m-`Nu{Z5MbT$SWa
z&)4EDrKTeV>q18EEkT%}>hR)%##Avnk0>znh1=08@(;)jNN9(Axb*D)ib9En8oqK+
zqedDn6rQ`jSv%t}MBKYzVA0L_gegsQhZj^8hBThMJyp<tUd>k@XH2^DHI2n@_W6v=
zTgk-_%d^=(zh87fodQvXd8<+S8?q?{&w`-L+&qv8fzDRH)6HPli?oJ!S~8Bta`G$t
z(`)q>3S7i*h6=RT5A+e`=U!dm-x4gM?Gp_ME2hKheN&T++P_r0N$iX$lWX+P)YbDI
zv3%WpIh_FvDFwWih#G1*AxMNUhfA!s7HYY>e_uZR6u#e+s`MTF&*0GQ=m><TRH}!#
zT##DD{b|NR-!#0VCqu)AAsis4pp>WkyiK_Us{^daa1!z$`gJpAiNWbtcT4N<o>1B(
z+SZ1cn^`@+!&LKv(YpI%3)T8vX~`jqT7iw#{n<VbyE+=3<%$Jwn?wS;Uc2pDi>h|`
zI4GU^XGYSC*aL=~iMG`n%HX7nFjO=_7h1^eP4fA9437KciJ<dt;6F0m2U!F33Oyev
znctq#DIH~ylAHIbV@nk-MrjGI3|Rg#<XGFVAnO}^t<r=CUm{MX=up1W1<5C(Ps#bg
zWwxYjI!0^B7+x%#n23T$TTm`UbzwE88kaSi$LqY5Bsp=?re^?kI_Y+!AN(^dz?v(&
zf`Pi8Gx*YA{5I*<^Wo&x@E~Bi$Jj!IfGS8*w&N@P=W551$T0+7-dI;4WWqkOQ>!gu
z6+aT5S*9%eIQIu5s3;I?@U1}6zCFuQvBu8RXECVtB$jXyqY0zL^Yvqg+^y86ljwfb
zNa6Z|-Qad$p_u+(D?OD0g-jizNROgbb#BVn;G~#(YAkhnZyxy8@iG4&0Npi&Awrtn
zY8GzAMLIP;eq+EGqZ|;+D6&k0rZul_yin&Xo(_cTylUq}_ox9ps4J2#m{R5kX2DiN
z*0pg@*IPnpt>SDcR%<_%N*29+0MzKQ(w}?U|K+6tqTz0PVNdr*rl}A+93d^=(-kOk
zup+#P&~8jAWW~7djl0XfS<m9?4R>(x7uH6Pi{^GT6O&~(XyibcfJ%t=53=qW7byNK
z8jVK@CC`AE1sg@a4LO(+j&aebgfNSAX0+kMJ~Cpd%g>sog~1a+I4()c4tU89B0Ro%
zE5{YlaQK48*TTqm=0n`Du|aC(DjNR<e7}WH{e~F$2}>_?_cWxo5S!`th@cov(zhqm
zjH-#H7bIP6yF0aB$*9#HgQzG~JISTcQ~Up{sS_CA`{@%6GCoze<&=5t!5p$-(Ow&U
zgeB=K3Z*wxb|=qgItMEfSvkE+H~NO$dml?X7r%YFoYOFN9i~ohvr<aiuci1Fc@R*#
z;E9N3K7P(w+;FQjj0ia$c3Qe$Fv6*L#KsNNo*u2II<bfD3G-%;?EkC{R!9$lFelgG
zgbdBj4y>$9D6}pf1+)x+F8)FBUK@qQ+<_>6%IJ%ak4Lqm!z>Gi^St?J$s)_qZ+g+C
zlSLWQJE9biTuJUcvCn*M5{tvq$W$@9oRur&HZl2ZI_!WtQ0r(9aBMsd-khLoYb{)c
zHvj^1x4m2O4Fko1MyQ6Ijvbn<xoJUT{@Gf<zS76!=H}iH0!M{r`38D%KDLDcCtVZY
zRZ3I&syh6LAm8Yw(vLVDIr!4?aW-NvwPg-bj@|dtK>)sMwyz^pAK}vchIX!UeL1m7
zdLdZ&bT#Z?ZqEMtL(oiOA}?8SB5GuKnD$;B0fg5WtmE|j^4xuOk-$cug2D3B<7iDy
z&E~J@f&E5?be}hVocajc`6(hJ9>X`|Mj<&d-U)3jH8_ilz}9-3FDRdD@Kh|nfPJ@h
ztPF0e#@lhPNkg3$?;;&Gs&lM%K5_zGHEGZtQGP8~MGTI1t1m<tAp9CXAFY0-4wmX4
z)HIg1^WJx${zpau>`(%P+)w;3;0(_{W7&bui9#CmppPTN+COw#c4vABOl%yw5ZvK2
zuqsei7mClFj^9wHthaj;|F&94$lhavxEsB2%jo1$tkak-I9M%P#)JFraU_oIvTn^6
zk=@#0vGgWLeR;jjX!<AU>_(R^4De-x{+WMv_?5Ya)HgIx1VZwmitr4%rlFeP&ID9E
z=?>)qVqpMKGPP5@%Q*}4tQE53VwQl&PBZNpYFIv=VB^u@t^!oi&PQWG1~NB&1O?tY
zhdjSVVlB_MD&1Ms^+@{dCV}WEMT_nu*Dpm(qA+zs)P5)`6YD?5dEm-8w;E$=2g=97
z9(71+^1zj9!Rwi&1_;`FN|kvx7jgEOmV+16`~t4;pkI`~DlOTS_jS#?%h!32qM&`1
z)>k~P`)=j=6u0HQk?wVFBmS=b63%FwWldB2#@urTbBj&WWbPvF7?)!qnEHTadl@e=
zKItLTXNSZfPK^=4AJSDPDxHj9k87RFc7%0C+Pl#IvQU^Un0hD*bvGO+abU&HS^RBy
z0F}!!y^4d}VDSK3@QKh&L<U+775%83zf%~ap*zF2!_#Tbm#uQgATfPgjY#|F0AAId
zn#_W6+ZU_bXlX{1LfgU|>x}gEU`Q2r6Dft0xdKrE%^BU@xmX!q`%vu}m^$U4y$@>g
zE=-UmBz%+Yt!T~Lk=V#@vstZqKa&R*S8??D>`l~Ik6pA4MwX~SG9bEt1S*&j1iw#$
z;Mxj#`ZQ~}?o%IGh){N`a135$0!-b6Yv`$oZcn_jrqGYc8etb4+h7BizgAxSNE57U
zJF>^Z9O{^<j;oqC!i&Q;kjZWCtl8r$o(MNZ0?yQO!BSuo7engB|Jg!-!|Vz$aH^=R
zZ)}|R!A2={C*l%zM<0)H7;P}mz3WUyRfw-Jx1~NWbDxNc+YXKklhLM+Alnxf_d(Z2
zZAad2ou*aqIBx3Mt7Rqhqqhufm~p)DJGG3fIy1n$V16CkR?)6CY-C!t&#p(2zLr*^
zn>5w7${!2koBZvE13THt2(jP|W_-=HwZFd~l7u>`ql$;JksjP|vbWb>=%H9n4iN+)
zb%r2jOc2)is!-X$XouP95>%#}Ql6|Mv%sh+vP|*y`pW`E^L1_u`;zaSu`rXo{riYl
zM!Y(S!$R6;>XIER-sQ5LNM2h@9{5}+N+?5vZcSK7`}C2wI;(XbOFMM5mo;QKE+N7i
zeXcX&*NYyk+Vp5g-&DAQ241NfPWBfs(=WZaMty{ibga}~1Z9FT>vR7odsDFsqs{Y|
z8MtY{TQ8v@p-}!bv#OpS{<w6eDSEkdU>$Mn<~Jlae9qW*ac8jv!>;Fnz;)$?4L$Ye
z02fz|VU97TEw5@??s23en0Ie(y?}m%=V1T(uB%$%bk3@8-FjJlfMd8qL6wrcdErd&
zg(hWd;u|ZT=qd7g$EswWy>z!TA>GDgSDB;2?VNaCO68+(kP+@CLrDWSqTk0P1{h!X
zWytdU`ESj&H3Kh3A#jsXYI#F^!JO>B#|eNg*}t@-wMW{2MH{bOyNsvaq5)+`=p%4T
zNq!e|LP&!vDM>yV0h)j9R{#~5A|MLt^CINwfg2m>Gp+GIhqlW@*9TNK1M+uQ{9vP^
z?98uuf#}0;!+J@FnCbvL=l9|7>XGyS%Kk9~2qFLLN7fFYDsz`5*x}F)0ed(utUCYq
z=`70#<EM|{TLIXOts_vOs5v7HU>Yu$4YLvd6zp?d9}}TCbHK^Yxiv}p+W~^9<N3%;
z0Hg~*SO5747y-<Q#3vaxnt2sXz67HJ{D99=QE!0KlfU-p786L50P-EaWm>@rh1_gM
z)4NYzKI+<w2zpL-<_AE)57hKKK>X{V`9Kt`Q#7JI68oRI;u}OefW)>STEFN1GzoPR
zM)K4MK=n`kXDU`+E>)TvAozyCe|kU+8?EcRB>*Cpcuh(|RPtw8FkF{ClNp6h+9&>J
z;+}9?si^$3$T;8UR~?guJ>H(2&$Wm|iiFJ*)B;(UQL(6##%R<7GcfC~#ltxLusYeB
zH~_-5MU8W+y&Y&E4qy$pl5Pj6YS33h_5}*YO{_O!bc(Tz3YEb=28Nhz92X-}eHHt{
z?;d?APq;2@l>7!8q-Zk@(ndaEr~4=>kv6n`;k$)<<2Key4rOA0b=*5vp14>op16#=
z*Rb^oZ+*B$cl-7SDMMJq6H#SxuB4M;Azob~<iV@_4Y%5pgoRgor^frQToM~bbX+F(
z%bGTk1K3cA=RZmfz`f^tBH+y?4)oMqq$Hlk2rl+(|C~yJg0Hva*zrk#8WlrB=pa(=
z-28lT5QxhRddkAJm4ogr+;IJDDIJT0ko#4W>YC^~u4X<=JraQegN;Y~(ev~3#t2W1
zjD2!;(nG>Lzk##%CvO%TN@mXzsWy%<=mnO#V|<c=^;uuys$miM#mGJtpX;Ed3%m9U
z9OLUfy2YQqTIkCS2L@=IHm<&V*Q(N`Q|8d=>mo8<gWMFz<8j;kG!X;4n%-+@>^eFU
z94%c^^%NAAKkyDJE$y$%v04~Uj%SS|yzS(zubM+Y^9`Z8*zRO&I{p!!UgxkmSme3B
z;a*?eGvCBoZ@(Omg!@$*FUOhrey66dnNTZq4$;-mYcV&cO5{McZwQ@KJTF)NCVaNL
zG~Ix6QR1YMeUg+L)gGR!Tjd_FI@RABVv@kt$mhP)7g{jk5JIxIVxVRZS(_+T$sS1R
zC2cxP#-VO1H}`F<9NFA(&SzbeV`7;rUy~fxhxU07nzqx#nK^$a|Is2+GpL<L5P=^&
zbKsAxtv=Cl9Hd%LuiJF{RJkf2NWfLqu<LQ?{Jhlv*Vx&c`7T!u7<eBVnxNw*`6!C@
zu9>18D9OD>oqQ{+Tfn{x3(DNEZV|08OFZ^GBL&~%)P!y{m_ndX;vVIqm&|y*u;tN+
zt_KC>%DN*@W%Vq9N^sw%ABRORUiiYZB(JLR3dD*UsEjU8CfWjIK2KN*ZrmPsY507y
zM?vsxBhNRo4)9A|)~Fk7UQcin@J`=}l+YruazwW!lXO4*B_4d4vcIGWSRCuQ)^A|2
zD2NxA*_5Z2p|12P`_0n~!l1a4g|BzGTXGFgWD^8u&g@qAg-#!my_;=;_siut+rm^0
z1XaIT{@}YfT^ym{Coo2nR#y-In9W2IHY6JSSjyS6hB#b5vsW}GRbQKMWS=V^F=Pvx
z?5}$QCdk|6Dz5nKD^j97`jhl9M<k^4q}_puLJuic)x^x#D|<DSo?e{4=JLxW;{)gA
zcBo!DdKuu5n-!a57>+7l>iU$CZzJDof<r)AletH&lPtrwnQ~}Y_AHUgDNa{kp`$!D
zfO9xa&dMesuc%4)Ra=2V2A(S2qE9v|z*>$Gr<$Tk(QBlWLqDjff}^ObdTXH4`>}S1
z`G%0loBfr(oTdY!0C{$RHKg0w?bQQggf{M9!B@e*Yd0pb=REt-*KQ4?X=!PJjRnp_
zktIr#I(=@Xh!qc?3$2akbW2Serty<Ia%wi3X<FL%5-Qpwt29a=`q(yhmYUjd(vY(C
z#62L0p(Rd=%fMH4V4-BbOfo1ot9bhi2cQ0AmjaV_KeI|sL+5%^PtwUk@glu6kL7e}
zXGddgYYD(LuoWi`QuFf{HA<+oym(;Ftj=mOHm%v-R9oR&>HDhMII=E4x)S+D6qLts
z^RGXeL=RYZJ~q<o+oU8ZC{s+9Ts%PNm7;pYLt2f$G<I^NKmH@SwOjU>UWy^0p-h#>
zUA{Rf?pwqvG40VIEw_+n)%w0_=MI~!yu<3?g+wpLeSd7x!gpd^c%^_=YD{%xDjG5p
zb-e8?{Mgv+-3S^?%17*6a(}M;r$@Zn(m{{krjV?MxwSp~smQ=d5s<7fE`dkchyJy7
ztQ7ACf(qY21M$F*YBTz-G}bjPtJ}6O17<W;bp|t~#p3cVpiK<iRi<aOD>ru5eo(CQ
z-AnGU{P_0CH18bO^#VySGMC|Ixf}o6m6;0K?Y|nzOv5MMuGg9a>a=(o{FP5`&-mus
zTC>#FMeoM4HzHL{(|IqJXNtj<<ZH%=U){isK>#|E<QmW|V~kG`$`?NwbM)?{PUP<N
zd<SxK&!PW*4S(mY5OSeCssJ^Hx+29&#t(Ks2e^wOx{t?(5<$Aw&+4Ydk|>fT9()}O
ziq;+~v6<Cc4icgwe-UOnFYRXWg~m_Pawe*Pf2^_ayRh?aOeINEeNEl^z(r29*@;|J
zcWjmlDwmO`ULUB>@90`=vLi3C%|Oy`qlcU}`+x;Jz_I>l-*=t*ZHm^Mu9Xy-J^Oh1
z=A666xNVHvx6~caHA!zUt46Kl10O)IY6AK&(sbX;LN~GU#enre(pen;kut63J~(7C
zSJ!Tj)7ST;bENicK6#B=TlyfK<BbuxwSRB>^wkp+4Ap7%9=h3JhdBR*I}pRfU$M#8
zDSI_oD5I+lCD#czDYSHAVR-Tr(CPP_3g$+pa_^LtzUz3C&}C+JVwjNSBBu!vqRown
z>tHYP&Yk;4xLm?+b|^ki5~9Ftxm;Q{lNQf0$3@XZ;px?H+we7QzQnb~d8&n9DRGnR
zrkXIk{9)|r{gx?W4SJoY-ei^x&|TePtIUa4z6C+Ap=NS2k90tbNR+*s)eDCxE_ztD
zNt)STF1yabB1FH|k}v{1EE0Pc&>hOJ$N=lvSIoUtMOqJzy4lWW-Z`wz;nJ|T?;~oQ
zb@bG{>TAD#xM@eGC_V-M?24v2j4PwQ;|W*eWHE9x;|=__T&7Xk*=Fsc!iK~3655bO
zz#2Fi_)LB7JTE*w?;)7NHF0!Y4lm}du(W=bbkKU^<T?G4dj?~@%>Yr9dAI$<Y*L{@
z+=6T+h>C(|o+?O0yH@f0c~}74kcDG>>a5!BhhLg6B?Tp=bWXN;g7v+!o8lmu>CSU!
zi{1d6sJlTU=<nRI=f`v-VLY|ML*aGOq?-+cAN-87j+t4t?7xIhF@GI8ZoBVBc4#US
zNd8#cp;uakQNU|Y!S<k~twJHO<Wb+zXvv&~5p2l`nhzfk<5RqxyXBmu$FBsOws1X|
ze@)pVY@9$m`5Y9Ki(M2{2o1b64a6M8I^)BG<tU7V!ip0k*D}H6-z8WtUykpL{W#>5
z+`!Ot*WKVOECENo!eioX(UWHIenuvk&zXX{_cU4;n*UsBN32FX0-xb-e}29tO~=Yw
z5CSV5OYbl5d(+wlQ#YT0kUW=W5aGO@#&nBE5#&3ff4mwW5qFoq={BXl*-<_hsrt*Z
ztagxGXwi+Eg|tvXy>EH3@9FYPd0+b1v3VYN-k=?{m`E*}*jZZKkJ;lcw%<}sk8;ca
z%a@`5=og6<&&Zn^7hkZ`QCRn*!4?A<QW6r^ft?Q3%HLgqKTLsrdOrH7*@Wn9Ez_<?
zIlDaoo2wXGF;GmgE6sqmI~^P~7x;6mba`ONJ_{u`y?E!P&Zp^c{<Xu^Lh2Gr-jI3K
z)1YTh8l<Mw#YqomlP66!alYh#Xgdy)E<!2k>UyxW8@H0zmsV>!IaY8Lhr!!+tG+c?
zq@p6Drz_j|T;`KUbhztI^tL)mm=x?Irw9!;9O8uzx{JZX)X&x01nNtF+UjvxbzJxP
z?KD1;#7UTXk0%KNi2|HxfE~ZmSb7G#orB@t^hytD6J(=vcbh&xlMl;LVR#WaAbW$X
zvt`8uQ4~M>Oy!BHiL#2}Xr;^T_L;gZ9*Ogu)8egx3Dbbol-6P!nXD$BmOMx;wN3)3
zX;=9@Cf?eC%pR^{`c0J?WqSv1`VOpkmg#)ZR@eq(P6eGV_Y1Xx=^uXP_QPszx_Uzr
z@^pLJ<@)x%@@Le~aB(HxzG8{IXsmbpjzn~BAlJ)!h1K?q8?=8eHbvxtD+{3Uv;{j6
zq<r0b&?4HYN{vyCA=||!1B=m43iInNWxSy-UdM{&9ECNhnw4b>Uv5?n*@`Bq6yblY
zbQ~aMoUuXl6tr6HYcgZcBq1EGEzlVlh4bbVCT@2z$-e3h*B7h`mKGRZ+knq9o#$>_
zL{4#4PjpL*<8WC;_Gq@aQFB`zUw1&p>x>=ER4=<#g{anPlTH<!mi*cfDWc@;beEp@
z_l&;C$Vk9Ua9NdXkFRCIvZc(ksFbi0lm7l-woeOWRn!ZY>F5#-qwm0z((+>1M^*<*
zRp?K+a#Cnq%v}DqDVrQ=G~0({HY)ez>u?qSsP$&4eLm`RK2cUbF4Lwp$9qkAhWD0N
z&FeY*SjxT75Vb}2j)g?zqqh~jM1^Yti1NfY_2A*ZkrFK_Abcd|P>S8r_^WYTds$x>
zAt~PwFnO7P@!lP1iBExM-00K8r{^7>`fjpKr8CKYN*G2Ktn06UPrABsVmuStF5G?~
zA7M7Ontt^2Snvfu-}Xix)^_Q}3o5Fd+5X+SI!fD<rO=N-9He}&ermgMt-ppQ9N@es
zDwz2GlU{NM=a(Pp`P3F2bLsE?&21$mg;#Ou^-2VKy@Jb!+sKG4q>4S8<S-!2UCXK#
zQ{cSLRcwQ1+$(pB%Znd)vZw|MxtI`C*ieOiaFkhnMrfhlMylTIphBeBfC=N-XkIdU
zoXtpWZU4cdTsH%YyX~&h;afmu-{>euMvKc&iJPRfhci4Wq!Y<U4OSgW9k$J?O#gKb
z_=oKl{D!?0S>MphMV2-!-LX~m((hIaR!EI8Jp_X5!6_epGODeW&Li(RBxlN<2)_jg
z(IzRBAeu7YDCvk;$!!lL?hIF%j!f-7D|)9_3aUx`OsYO2uQnNfgbPh@KmlC5SAyaH
z73+=Hr4Oh?7L(Bj_zJTvA>pe7=7<igNW9^j)Md=olwpr_D%F>hGiJC&D5$9;W%-&&
zoi0$HH=aqqk6Zl`iCrDcUEH$hO<j=PR5`kecz#a%nQHE3w_2j1e#ww%zpjd|!^rDu
z2E47Hst6)4@cyUwa*?zz?`V6=8$RCZ{|;=Kvpu;&+M0nM8}0l>H-bZk(e8o`d;Rml
zx^I@bi?>PYD9Q)c(zjAg&6yH}Tn{o|4@6ww@H{r+qb@gvw;>U!t|QYN(fj0p&@K~`
z{Pq%4)PGBS=s!m{R#kwX?;$&7+0E}<HK@`$M(Gt(49WGhhv^noe&I7;i@^KRi1XdW
zgCG3SL~5t0tlY&%Ni;GuTC4jJQ2%;$EG4q{^D2pk@tIai_wyU>e)w^|(fd)%3Hzo(
zgkr8P)OC5DLa>)Y#AKPv>Uedvh<3U4>zzu+shw;msM(VCEyr6mTYycxSExZxI@-IR
zFO5d^*Apx4etLr0knxkIMm{=NCj3fTfb*V5(i9=aF+9yU^oB77HOR&eNay7x`jQVJ
zd+FCbzX5%5>st~?5~LOz`^p+|!~zkt9S##Uilnv|$P@pVhx#1ctuIwzig`X{^gR{O
z^&^E7QOH~KulH$^<?E&GXxfW*-m^vIeQYK;a3>5Vm@a?2D7Cke@?ai0Y*BJEI&YZ_
zM5^vvVmmTT@(rGXq9#s~ukX1WSDx+eHrXQor_zqc!0MDTX;Kx*7aJm$w(y+m()PKE
ziH!@ZpyeFf(=Qj%Q_++vP5WL2w%5l^qkx3lXmd@?NozYVENFuJKQee@29Uwkm!O+~
zv9>nBv<8vgy*y~M>Sf95##oOt8I%n`mqyAW%y8|Z46Fs3&Uz%(K)!D_^B-BRn;^Vv
zo%j4cFBT$(Yx~hWYQj-pYbE8jx#x$fOsh434B)k@P$ZFcp<<novrzV^_|B?D_|u!l
zn9F0RdjP}&%2kZtHH8E`Uto>~b!QGMGFD@BKr)i!$Gt;8<_v)1fYz%(1j69EgTPW2
zeqa{w%gG)PPV{v{W+A|?*v!r$8{K}aXnHqklDK7ndBz=<R^=*6^#Q&7FC%9KxFeS)
z&Ys(fhxG7RZv-u;Aab&6xX6Wcw<v@6BHf3Nx|@!YuiZ}2we8_Y!R0aaE7l8mTmn0j
zxIH;>3$0^Pq(3&9dYjlE&y_<r*S}giS&!i0T<4#0J^4)UdeTa9Jrm`zH8;HBupG5j
zvl_Fi35qB3w>&>xye+|NF;%HaogI=9QFpw;B(hiDTEqrr&Ys`kHeX2N@4Hkn4aSHE
zO?7(nlFMDP#cr-Y20IH^VgRQneVgvFut@X!mqo)_;C)@Leh^LF*)UJTr|;uGN!7oy
zx;!58cx!v$`5zZ$-ShK1_B_g-nIMX_-cF;1*~#!U5$k01tD$+<^qMwaB%}v7t&cNY
zKf*M^D#F3+8tGyApga?B%^G9E1{>1@`qyMPUW<Z~(@3jjs!*`(_VP^f7qI|okZ(u=
z;nHOGMSz77!w-N&^iwCv=~;k9uRTCSx5aZ5`Lqx1ui@ZgG0{lxxiIXm+A=(@{w7Ra
zYD5KedAcyk27(#iqQM)d=)n!0RbI0q5H#WZcsKye!&+Zn5Jral1QJ%q$$yFg6spSs
zrEDYrhno`ib%`hVBos*{yGymz)Vj7}yygje$DErPz>C`-agUw0-Y>A^{Ck(8*!8{<
z4puSPb7D1L#=yRjv_E5b?)OzM1k9=mb=4@dRrmG;3%76sgd4>AmnUfs0iA);1{+`L
zWdn|Pd54c3%Ozw~+p;r~1ot)p>g2s4lyf<2Q{5_uJuVV)@`(MpGc^ChM#e$zGyO_V
zc>(v+PEvx*=X#Eh=D!uNLGxejeNtZ)1!Xri?q#FS9O<}}TmG(5p$lLo6QK_wRez9c
z;X8e%gB!R&5mNZn9EmwsX!sE<cy75<pB<Id8&?=Xs(z4iAlV7nzA!*N|0VYO9SNbb
zXz^oA#N4eLfnb2^SvrF{Kp7Mr5kY8R4lG>LME()*o=+5%j%vvriZ{JqZrJNKIE4g)
zE@SILE+U&2YAAK{K*FeZzA8j<VE5H^=*F|$b7WlKpa%cob7+1Rc@0)}q#|e)Dp!@=
z+O_HRvSg^}e8|oug1=59)-uH1y$gF(O<qY@#~hMwuz<hU)#raafaXWC^;@LuNU*qH
z3?|Q9x+^U;D~o_PVdWMe0Xosz3n+BJV?N~yA$4m06xr@5XOrqkIN777<6>!!1en3q
z`WWR8MjR79FnS#M@2x~Bf^Pav%Wh;TfNnwnm+9*A1h@K#O4HD0(gkoZ>;itOzbuG}
z>Hy}q(q#0A>m<-N&V9~I+vkqIh#1z-_3`^zS{~^ai<**RXOS&m3b<>Mw^(y$mNV@s
zxDDgx-RwmMdaEkj$~&GE)-8wVc*fDZN;N?=Y%R$J=POn}EH%N1>irN9*dJ`A0o1Wn
z5$ay=`o30!q3vitY3NPE#lnV-Lq<03g5yEX*|GH-1rAjnKU=JoibJC|He8ZF%0S8G
z%LOV07q!#Xm?j_na;yr>p{{GA*5)}_yr)@Qx7d;tL5@rmv$TmkcQ;cB`z#cM`1Js#
zR_m2?V1MyeVT4}E6!B*2*!)UYdjobD^~YhlX8e4qw*~*=0qL_BG9DYP)S{^S4UgI%
z4L$nqB$-BD@GS$|08r$TL8SLyaTRCrg~p%MXLa`&+W$p*7%_x?x||3fW}dRJ*vTyx
zVIv&iuD*=Oq=|TZOVj2A%PS7A)8%BXUlN9Um|>3$o^CH}jN#vyf(Oi*U_9wn)5b;D
zC!Ryelb2k8LqgtK&azEi<i0D9VTEjB$@4_*BjV>|E_-_iE_bVqmr0A_N-Lz4h>Tq_
z!j$WFxAB4f&~0<{_-~<lP&@}x>IO7n|2S&|{hA}0D?h$!&4!AQ$15O-VB`LF9H0XD
zU)c_!>J%Ky4^%s3wR8CU(LfNj$B6|otYnM{@UY3&sl+wLoC=HXQr+G(X{EybB`nu~
z6Q_^Tjmu51AT6y#q-K7}6`9tL4%^ZpFaFzAYH+id2n*`!kHo}VdhmrCZ}aNhw+vu9
zPx<gn$+2cTKWd+R!G5%H4n*5x5Bf?N9kqMw`bU&^+E32gEcqxLeAXR)AOux{B)>R~
zwpkBT1d)yRlbMcg`B~7JUN_g&uoS@DWHnKmDy_~spp#EZ&PVWLmZQVz?SWvpI!>bZ
zK@O+<%y?EbP$MrS^WDC_j*uy$<%^3EJ$>#<k45qmv5tn%jk9sA3|v;@tMQJ|{MC5}
z^%9%(XqrhqO>_UrXQ;l{E}e+Mg+ySI^m^*&+v^nCmVKz{b<JPadW{dFU&mX>Jxh89
zWv;a&BLOT7vHE=$6#tSO@ww#hDZ12)35w63NQ*mjG>1jDq@m(@%r#_5NAqx8NuQuS
z0sV4uGiNeza8g}Ir9tK4OvXp{D#p}1A9>9*B)si2qaqd6Md*b}_89@5_>R`z_JsW9
zdS=Kt;DBr{aeGg$Pk206U(<GmnwiQGvp!B~lo43*qHD75*!4zXeV+H7V#<`MasTX~
zEnL@u^*Q^#&FVsT;OXqR{RCHD%`EX=@Kaz;!Vku2O-g69t5jsPQxi~w3aKb1t(kA6
zd>>jTRU5+)t2*JDD!%xM$MjU!0dt|Oy!*9ZiI`O*QZQ8hKqyiNbTVlF?SjY~cXjHo
zsj{fa3G>?dxjcsKXFDHqa?e(VDVMpe)cxbZJ#&AR<@Tza<46$r9^HHo`JHIN1-N?h
z4>G75_?sm%P@SEf0Z&25sNQBQ5Ge_iT$JH0e8_BDC@N;8Q+TDr&nlcn>AgO{a(r`@
z>vgQzwiLfXY!l#;{Al2$M{YAQa2G!~TWHPoiT5h2kP*Cdq56QYaXC)I*^1X;l8&d5
zp;qH$xC~s$OF0|2fqPvs`|9lB3?;`us~S!pu^kg;%ue*P@TVMR1r}ZPJ-<!uT0unZ
zH?(8<s`)$LWVL1Ptpm1NZEC>viMvk3%8OXXG*kaMfC7<7V+3EMTyccKOTfs7h0VSP
zvp!xI&|x(mCQm{2qgD7Lo#?aUs--s*kdIXGrb_Kcq;Nw2hKFhula5YS{+I=9QE8?m
z_e)Z(MdRjx*HGq@G^ZuB@+0|;R!!+aBtk6pZ=wNWW6Oqy=I%vuORt$%6%2Q$re}^)
z!~7R>gL2h(4$USOJb^fkCXHLQNuv7HBw!-u_qv<FM5H1qsP*PMbA+^kLytE}M>$1S
zeS#i?yA>!*5i<)Kz%iH?_*6AmXi*L{(h3rXVfG~cgjz4n9oFB`6dJRoTijORbaMV;
zpyZ9e|H``$-}A%*GyzYTy}Ak?9LaCXy)3KJ6$C4AY$CR)QJB|@{KVmLs}Ftrc;s+o
zvJcqV2IhlE42=q9WzSbRWIl^jY{rMxjO_@9Sis#-8IDj50gic{<nRmsMmLj5*}D?c
z(H4`tjRuJYux&4_Ds!nYmp#~R%4dth_N{4JN6F^W(abI*S~lvS5K=hHHX&hqq9Q1u
zlHz!!0JqmEHWpyv>_d<9+Q?-!HU31J04_Wh)NFU{tbX9SOPX5d>nY)a!aB>(E&|Li
zE3@|-q<{Pr++ErtftuYjuV9b(j6QZ5%4%@^_7fhJq?XMBi3sf}0uupV@vI3Z;wJOf
z`{9#^(**^OUZ1P~d((T_d(l3UQ<c`b15MzKOMKhdZKgEv<VvJN`IMJ+o;3+-OOP8p
zi`cPk=?IcWGHW8<x&dz^!iU3lBUKb1WoyZFswR?7XVj3cg)0P)?`J56$&+pEb^_t*
zqN9kj(%Fs*-+|jqOAdfS?1dD(h{-abm-nkl1H7DFAmq`pl($`#3(dD`AG4kLHlppI
z(q;<H9DDIfHBwsTH6n<bh~*Vaon;XPA*cU=`Cy|$@;MtmrRve-d#RA!^SrbN>w~im
zjX$3+>b_lX@UI&R!`-a`!tfN?!K&Lj3SgI<w4UnY<CD$J^FRyHpNDtT4Sw3APdAYT
ztn3C#eLBu$qTKKHAo|k3PT;?6#fL0;Q)9o*Pb0tIi!$3mCwF%}6jotINxl4_OGWT-
z`52Q@lt{-Lo3~i)KL*P-pQ?->yUHcMoZTxi41^~Xt1NeZ0{l!iHa0tGKH4<*ugjT*
za0giIa-K2LXrvD4L{0*4X*lUC8$pur-}D_o1D6Wf^MTwe!ndg`mq+HbK5nbBg~fBt
z0*`lreV6)JjQfTAoIZmRZHH>DStPEC+@L<ie6R3H!rTA$LMwwo?v=D|8fwQ=)28Of
z?q=!Nt5G@uFL%y?@NMi89aH}J$F4sq!PkIy#83$4p`1yF;&CaO+iI>gC?JK$YNxEH
z>M_gfP^`<ZhcXQE<WC65d&J9u;BzDJ>L8Zmw^Uubb~!(2vABVV%w2=;$V+4UbOaqI
z{qEjAfOg?9{p;l|&+pp}Q{fqS8DF)Z-sgENLHghUHgnj+$jJM+t38x5EW39C5`n;2
zFqJEP%)XJ~Wg<K4&QaN@*?|%7yEf~|4SbIaq|#Nu=rY@4q97_8qJ@kEGCLL;1qB-#
zWwU0==GPqeI1-y0JcNW50<W0PF7q1(^f8s@)Id_izfv78i75sS8vc_hz*&s?oiKly
z_&^QPowo$;{wJ9OMxuBIVBN03Z@+UJ6u=g7bPq3cJg!9Pvd>=uVv<!L(ez)pZC^5?
z0Jr`3@xv>;e=-R!Gfy&(p=*!0{*{W7(Sg4G;1`bYcP2)9ANa=qGC~3&u5Q2}^vHfc
zim%j>mk9v4k^4G+=98b3Wl`c=DL1=)o8_ja_;nyc_^iGI%p9;J_VRfMf#9kmE2hl@
z|0>%=1+0^gO8(Cv-rol~)=g!Z<o{>10NF;>e?NdEWaa$#quk`D03hl=!++S0mI_n<
z_ejK)EkV3;zd@3}1}8=X<Ll)7-+dU~MAr|*sgHam_Qs6wHJF}$chcTdJZfpD>v=C(
zlpE6V(t%L9Q-yQOjOQx3=TZ<ceQ>L|gB{L#M_pLVl#22kGePb=8;nm*3HfJ*_;w))
z^Y2>zQU@FA>Px&}@#p|*@jnCWh>>V(X)Dk<_8t(hY4#_X5>y(^D*|HnE03m$(`tO3
zc>V?0a8v*72UG!y*M^_3sm4ufVWI#TQkBg2QJ8c^=FiU&#GF<-U|5XMnLs(@)EvO1
z=wG5iJV=I%)~1jO;YK9rpV2p7E|xOCDt!mJryV#p34YjP&S+dJQQ1{S<o#AsdKo2_
z$}%I_tWcB3A`JTb2B^coiN5KUju0=6-0^JkYOTk6#R+U(4-x~e^KLRn%8as_zJnc=
z|MdWFHGx`rR17dMn~ID+02Muk))yDw2Q?YtJ00OK7KRH=92$MeoAvIjlHELt#l$;O
z8E$*a7P2RGh8XQE`vFwo8<XC7m&r+&6N@g?$AEl;zoN?v-}wp{V7RkU#Kgn~7|Ag0
zz6Ljtz%GaXNNZ>KdY=pTd!56*Dzn!%52>OIFlPFg4`-{YjCz-t)GH0u_XFa(WaSHy
zT|Hi!djqszZ$go16!sXCfwlPpPu|dLu1_fHsX)ku)8e_6g$*O8)w?^VoZ&%tnEz1X
zT<#SzdQcO99$lYUw7^K#_UhzjkEu`94;r=H-Yc8!Yq;xKSG$=dxveyK)ShDit1i|7
zQ+CS+1}p69R6qQ8JDgh{J?J9crYO`%r0f#U_a(lEv4YcN*LR}>niP5n>9dV)3=US@
z5!7aCetm|*_?hD2vpob~*hv6t;GYezkLfnVoShtWqJzXE3Xtd4EbGQ<jw{XSIeONn
z44__dFn%cNa~zECOdjm6!_@pN*q!aaooIzyxwzETp$stVc5C9jeV>7x-J038Njqx?
zMr9c*4zSnFy*u^J_xbY4aq(l#6upu&;YPi>p@6ozTpa)+0waMr&B>$^6A=Obc5>0G
zcQr3mj!R^sh4GmQg0g{(w%%4wg|^n-B&tgt_2;hYA&S+Njdim3$ycc1iy7?|DrPlC
zp!%3HBR#DXo%EI&=Pf}c+&on=-wf=cGE#nVJp7klI7Kt7%Vhs)NJ8QoC8fI}F|9hl
z6%C98=!Hyh@)`{GRwFjK$N(dqqty#k2J%YB9szp=452W4oK_zVF<N0L+jh~dTnKqm
zz3ejp6!!1F!L3eNL7S6PmyqWA%xi)d`#H)hwAJ;>UNV+yVk0tJvgvmc@M@mg-{<3E
zZdNd*J+x*40|4k>fm-0ENgJ|M0}LIY{VOY5S|otoF<sty_HKtMSz3^Z(~9#}JqnVb
z*@1rD4LNmH0pq7HKTCfz<#q<#`b+FB3@}UiGYKo}R3xW!y%SZN!qsn??9I0fH*3z>
z8U<NEgNXa1Q)szrvcsV~waacEJ-}2XMdqb;mf3DbVYbeP`d(9mnnO{mw1;^;@IMWU
zhQqC%Ejo@^PReBZASH8sa(#RxH?n;cJY00Z_{px$Y1s!hQ%1?j1D??UEZUA?H=ft>
za%J<d_}(&ha$22*Veau_)5G}cyV2igAmpV-8en`R0k&@@3Znr&Kao&5s5x&4MNJTp
zFE0t+opHD*cC^%%sz8#o^>(~O=BwQul)lT2#S3G!=u^YuP)76KA{?WR%lb|?fyo*=
z=6N+^qrLrgFyiqO7OQSa;yGUOefB5(vlx*L7f#UK+kdXmBzW-{CuvY-sEYx(RU`nW
z{#E{T{mJ{Y&u}XxnUG1;WIy*8{Z5Fh0Ia&OF!%s$2yXmNwA2ARRKz=nkl;2ddxd<X
zJyd#q|4>iB&IC`GkF7c7QM2crdNnO5%bP9DFPIr1t<N{Bs>+s1#9fe8c<W?%c%sJJ
zb760lOw-qQlYoF=m8`DA0P`UJjmHJT(!-;f3<0Kl_~%MvG{pF_L`6nolWx^G8A5Ce
zL!7NFj7wse)75XWaIyy~ba8^<z@H1<4QN+pUl&@904v~&%MJwM4RJlD26+s8MQ<Tt
z)qS3?*Sj@!@9UM-d89*5i<$y+l=m|Z`BVjiZ-kib+fSVhsI6~ocrXi+LZ{|Ai`{JY
zwZE4TY8d>tGl=X?-(x1uV)Jhdy%(lSUN~}efsg$lft_(wd&Ukk3vEF5!q-;wR$?bV
zL$D;7DSONovwKJW#5Bj~PqWcJv;MWlYIStv?6EJ4(0dAnB>Zn=vTAgit~6x^YdQVL
zDeZyb9h4ROjt&z^vCsONxY^M0h}-2|Xzi@q3222$Sz@*}g}2+bo1POtIYAeXVTUIN
zn_cKGG%rwMde3x;ZDpu0dqfj@_QaNZSH5PbuM`_34G>RGtd%v%fLm`Bmtrm2xG;s%
zs2Y)zllwywdKZDD;8>L3`#;xndRTQy``>514?!*qAlzD77>UM2QaaYnm3VB&ShI7F
zPdU5JwU3B;Wd$0lgDj-LNeM{`Mm&9NLbfPpv8uuOkhT$hmBc;l4^EL#5_5Io35)Wy
zesHwjHVtX#?!JPtgSfa}uPb{{r~j;9g<npM59j>ofB+?~q;)Kzj?_54P{%-^V4$s>
zx#VgPC;c{y&fXv`Nl_S^5qLq-*bpNk1nRtY$^<(s>q5ui0m+`#B)C0`BE|&RVlAl4
z|A5zlnnHU#WfkvA5Q#>Zef-ts<s4)5p)=E42UBMqeS}~!cN{F{&v@Uz-~E7cId1Lu
zlmPQMXjrH9pb=#DastFDRWpTV=)|edF+NX0KD)GJI=Z-H6<XjV2j-71j2g_xp@!g%
z<*IbnJY6p@%{#X>DGyklDLP4abC-P_^K8jh)ZAkI4p-&{<ted}vBS3_VTS;-WWwbZ
zI_5zS!ElAoIBsb%H$Nl6_1U=t(a1}69HMpFMC9?^J>_?7BqjYp;q~N|*Xz-ZVRNt~
zk{HHE7>v~U@LXRU+^WU^XaBQ@Z{J>i01BCy;slY!$&SNFD2>ssgai4;XqnU)w@+|H
zVw~F%V`$ey&}SKiYeLTxQQ<lEr@Kd=s|h%K?5OihVwF$8blh<E^Dm}c@33Y=OJK6c
z9Xne#PsftB?mXrohqSyX>K2-dSq-|^7W{KDV&qMUZSL0V`-Jis>D3P)Yx>CPTfX?&
zYK4KV$wc>5g}v{hZ`rQ<IPcAPa!dyHg1XS$-Do}1(KbjIB){f*?J=mC9_XgKFlh4;
zoShWl{3<T4feUU}tQN1ZgG5YR&btJ+yUgk?EYlaRf2NiXMO9Tg#Qa-A31B2FO8N*p
zEo+-I2sv({KREE{(XQItV3I&EGs3T&AN0;`HnXdt+OKF5f8FYs3vNXd=l*S+p6sr3
zfoty3%Ob&K8)m{Ct2>r?T@9scv*(T5<U4Jg^kkG8KOUdooFzX~uL1IE{KT+$DO>%N
z1McKsfb-X8mzsgGbO12f84&@2IWBg1vFS}a6&d!3e4lgdMcTvaYEpiWJyYXRk8I}V
z_}rns6fG#U6g!)@>h?SPC{&S;JTs@2g=5J76FyyM9YBFdbn|wg3)Vp~>GxpO6M~A{
z`6E<!U``efKK7u0imNhvL?y6N^|ZV%HUw7&^<cz#=rXj92#J(BZNKTYC|g$zbk=xI
zva!gMLJY@z>Xh;BK5-ttdu`3NFam|t^%{y^hJ)rD4Kd?#Ab@|e3r%c`#;qFaMW^(j
z>FM9bqB!p6Kfc8bXD3gHMi_v7c>PfbdoURIo8G>!sgF5s-PwF9vpE{*68i7n+eM;`
zCf!2;XYw=9dpFSCOCjv0?M=h=2Z(Rwa^S@t)-X9W6T8VETc>;KLtW^v<qttJr5L^S
zvRddHEt0zp(lG?AV>iv$NW(^Wd19><V;#VSZg{G?DS1JFGOzl8T3uOjvP2kSY}XUt
zk>p9dFL1y+w@k(MV2DCgOX7he5Tba(gn6kdwCXjaq|zI=Akmw*5=KXFd>ND+e2)*e
zniGTDY__(N=}*0Bnfti)Z{zY%+W^zf5b_n>Z+yd6Zlo7oeK+kZx|2z&`#Ccwd*PEi
zjP2+cLDqKk=k&r3SoM@KOFP<6zmf(-CLl3fAc{}!_!(2Ilz?fvFK_V}q=w&cY>D2!
z`<FBOCRA%Mvro6l-QaS&1I1m&{fRVJA+B}+_9+^^Rc8Yu5eE;C-VC}{-w1neRL^9+
zX`|%}bFvym&AKSMvj5ve_rSOM-h-frS`T-sE1H~PPKx@N9|ih|Jv+<$BrTc@Eq9Tq
zOcHnN8se5c>NoJ&*~sU)H(=G{wCZjjZM)DFK*gGk$?t%)ZUG>?2W`Wq+`EgtZM<Z-
z=l4~`bY1R~uu5+oJFtemdUkC;73;H&tmUQDSvfm1f~;7pd@bcJ^hUYosK^`-gsL=g
zvj4La)nFu5+!3%*e!k3D)GC$TccP}|%ttBbI)6_uc4YQN*~p~6RKM+s1hBX=smX#A
zXeonU-BXsLwwc;_h*k}D-bFj))OUvLaBVFR7IO)7%A<JK<f#XA3W`ld<sps-U_e+6
z5RddR0rA+nR{;2V3NI`wC$VW7CxK|^vsPj$&#&m?1aQw{h&WiM(?ZYE=h%zB;4Bhe
zoI0k(3aT?Y>q3kFb1CmZASh9Beaw*Y4Hfl7RCiRrJ||O*ORM;jxf}m|cyT+Y|6N*U
z9U|B$oT|P80?F$S<om)`%9oSUZ5+92Ss559DDaqjG49ouC7`(2&29+u@cogG*mL{s
z9pEltFh&@cgAESAA<^wX_itf+)U&!Lv*jUwV<MF;5+fLa4-~Q}&c*%=_<6j5hR7M2
zXck|n$13vdLZ=i#0C&qy!>QimBDJt9axnOMHzc8R-5(OT*>3}LGNA2&$o?}B@rti#
zp@um?t>=km<g`5OF#xrS7hP(7^>;vel#UjlYn&dZlH*q5%TZsu`L(1f7L`q*Q?poe
zWX&c|!=>#ik7hy5e^-3OTEttf{-ege??F#`iR`;(nqIQ_F1~z|l$MF8Q#?ZeX{(R1
zoN2rq)5TY`ysi7kb8#V}K+}_(57c8(sjgsf5aje6I3G3CP)Hk|=1F<bJUA3Bf{m_f
z-hq+mBIXOnMn?y_(0<~Q`k0*M8ek|!i!A>(U_%c<?_3;!A`RlN=|-2g$0fB%eD{vT
z+J9&~A<6-ip;re}1xz<3tm95#hXCK&Ru@iK4q)Im#ytAoSpa&CwmCC~kARJSJ)BZz
zldqP|zk=^eUa^3Nj^!G8#AX?}l-y$?A2WF~bZd(3g2!5d?sKJ=<ZZgVxSS+sE{qIN
zD91&GzIpNOp6|>ynUxFb46ov=SM;h>?w|-!x5SkRZlm<Dh1x#0;d<dZucnH;xUsMB
zumvZ6$nn5)ddlT2+^NcM=I2|I#iX*Csm-Ky@<S_kY3i_)(1>o9*VZ{KlRBHoT>Ee4
zlUk-ectrRyq%ou<q@#KzTU=YN)j~m^It?FiJ$<i^8z%;x#6+Z^jPSANf;7NJRa|zx
zTA8VD;F+l^bcbI{{*S1?jB4wPwufOL5G=R_FYXX1TCBJiiWdz~in}|(y-;YO#i2-X
zcL^@Vtw@33?oyyop8W2;|MxwgGR_zo<D7lwUTf~P*PatU<fsA#SksMWZblyI9q=d%
z7_wZAqOB2>MWMEbRuszulnPCw@E5y=@KDw9)Ug;M2xW)kibvf#8U%(V2xXBsk{{>b
zM~<T0D|xn18D<T34dr|e!ibp2hxt&;uRVoC7GZsq4FN%zxQ+@A459U<u%0Ll7FZuc
z!x5}y)y$+YCCOH%-6BM{p{a5`|G?bpk8N9ii{LW0P>mneqJ5(_U{dMExml~eRLjMi
zJA$y5P|$$NusYZxGF=IXi}yRz@5Nnj1@M%J>W)Uxl}Z5+j)AP00+T!y0Zu7{3(52i
z-`~<=Oo-xj6z4%g1kal`?ek$IvHfNx1|D7pMYy*HU##WuI;<U9r{JHM=jZ9CL=kbE
z1`>4UjZ`hA757@_n>$?r0J#y&aLp={&a>5!DC%~F%g2Gt*jSZqjaAWyouTXNT%WV(
z=cB@HwPt=C`8U_rd%HhRHk=Oz5q;Z@|4=17Q!#gQw(HZC&*tV_ysT_~-MFlW1V2cO
z+G#4karJ#;iAv>veI0m4+g@%p0{E)J*y8o);_hy{{Fh5@=ezCXPjPvMA^h2wk1Gc*
z8JZ><*PhSk!@qPnZw&l4_`<~aF}F<1J=T8^&?^lN24{bEac`><zV--RGQ6L3*vOUk
zC`Fpa$d<zP^0WxDPABS?LyofpJaq?Xhn~Zi<pM;D^w>90jOg+sW#yDZck>w}WX&Qv
z7)Dr^I^?hz*a&U8!}KfW^wo?d^DrCrh`$@|yuCrc_@1Jz%4LYIs$k2JgA!@$kgzQG
zpc1A2tJA`#J~PNV#G{MN#^Y@4_fjiz-8*Iz+^wRlTHg!LxL>0s`B-Ahc>P11Edn7h
zOAN4Lln`<6G3Z(t50yk3gOuj|;ICEr;+j55Ln--z$|ms}#7|$=vMnjgh7&CydOYWs
z&HF{+-2va!i4h*%l=<BrRIXd)L03v_Ah`pyT94iPX<7D<+9`9)`zoG~t)&KsVvf!g
zA3F8H8QqE^(^bicv!Dr~>jygGj)~D1i?72{gs^$J%hi8!DUVJ>q86f~qW}Ta60%CX
zs&w=;yNPjlb@_*fRFN=j>z&V{QyJ9!(o9^<_SRlOL6V@Bva&W!5a@`9r&0@?p{1{1
zD=HP)fF1i|x8T#a94#|5N?Wk#`!~U}r@NX`_YFS@msg&7JZzH2gb%6uPUY#J5q;0D
z+cSR+{(fEwB9JJm<E#oCUPV05?@D`mdK#^I4#M{MI;5p7=22MD$;w5se|UN0df$(F
zS(<hK%g^lcJvv)weWn(1Hl%ZOXfIY>obfmL)}Xx2kLs+M+X}A(mH&%Snn@{SE14Lh
zgh!m^v@1tUOlZ<_WQ?BpxTr=Ws%O7>ULLXvJO18<a*iqLeOf<ua;ru8_!MYhAPqRt
zXY(n5yU#X`meJ|^m`DGmUuKx!Y%vLOSpBmiaw97H%>iX}5g4e%?W2zo?*A$$ZoYt%
zEMATKqs{Kx%8p^oH}h$miJf_4=P!GYEYfY}gSp)ee)K6F$}#f6aj?d)!8e(t5=Sd9
z8Cfx+SNS;&PY6M$jXa_kix;ypy@f;SwEyO@r_3ui^r<%DSVgOdnl%UC{Hcn~Hzz1i
zCOH}G4tftUw0RVfRo+Li)R5_mVdf=>Q}%^p0NSwu1e5~bfBaB^)bJ=M3~{_tEA%A6
zW;GTtFxYT6t2oSan_V*d1w?8R!_eEKU~YJ;;jp)+d_YBSeuy{x=QzvAk{<+GBvlFf
z?6AMYA3slVEd-JX>^J2qH>j+~x*^Xm{vb5jZES(CFsCzk+gi{hQgMnGhnoK7^W;}?
zzB~xTFiGr!H*;g>sq!-F529}p`YvpDO~>AglfUwfCLZMGm;&spAMrJ8spSA-`o)((
zw|9`@+x)x3QRgKTcz=J~&s6Z;+`&~@M0;@1)DfO~uruSYNP4tyvsdj8%?;9GK|DXS
zoSyUvNI%`{bfS%bb*15Q_Ibp0Zz6SagKo`-_|G?(LQ<NxOYq-#;*JQp)Jb?DKKC`8
zHz(zK9ld978a90bh4>#OjIFh;#WFm7aet_$I9+YXp0|71t8w}I4>K@$bA)2PC&a{&
zWRWmbpb2%I$TaTM>t;r;z2N0^AI;CLpSY(UL;!keH~pdfq4Vs&)`2|Nd>}{e?nh1x
zK)ie~4Aw}BvH)%|cP9aoM~`$R!0x%hi$M!;ai3FCkfU0~YuJQ+Ce%cP0Lnic2Wq5+
zY`U+N?JY*kRXi4qJr;mc#hOdUgn`0vD21t9^>c^Ae&e$bULvR}f1Hf#Q~C~z4bymN
z!1oH+=b3i?^WGxL4gUDz2nF<Lg#;Rr`Ckx7o71A<qt#sHJEW2QM%P8`k7hjTm+seT
z#um_ifKWHwF%o$jmz*_dBVL9f|7{>EGix!vKWI$-)wVW)gWH#%w%*GXCXbu{?n=bJ
zrp#?=vu+hf@1-z98~2Jt9Mvf+*3Xgciy?w!>ytL?L+}i4hg$+7zlZd{<2#xBIpN<N
z*N|eb)<NqRx5u8c&%N-w&#O<H`8GM?@Lw1HfK=4a!(JR#EvaW6zp8b2>o8Rm?gpA9
zPk9+kvziwB2sSjEgzNZGx$N9=MBHzZK8oMeb4V2}97Ke{0Qwyp9p2~r#p4Sf@($l(
zFnc4vDM9;C^I7f88laLh<Xgc7w{V3(z>z;&)LiC?5`EB^jbB~>24I%KW&J{6{PHxC
z3tbrfTY?kZhX4G?g~r463_Ba0o*Aj+9pFW68R#_jRVKRV2yJv%{LjxjqkVJmqG9m8
z9uAN^79D^Kqzk0W#{dKjQnl39zJ=7#TKpu)y9sScrZ@?$$BnDUakfN&bn;nyf-Ipn
z77*~=U%X@}D2$pEs3-~SIckt`4dP*Lp#c112PMGa<qq*&<pNjZYG1y>;i@8)Ffw3M
z4KPXN4Q_7pe&$AsPA`)`1oCj&68ka;58zOnE_Es(`#~{0_(U-Z)!{-nM^MaDQ5m_b
zDgT?_zD`O?eq_^4D#porSvpk5JG%VYo*<E3aL{6>Vz*!EV>U6!(MNld4^rd(IB+_^
zEz!IINgTmnj-ADR!U8yqRMaX%YHW6Y?kmnU;x|6}%`~WQEo?0-K94PRi)U*=YKC>d
zi(PdZ)Vlw~b5_~vo1G8)eZ{7q!X>686JQv^F@f)pW4J21M9$@VY>6nzSv!)qFdQoO
zSg@k6R)f?)p()DDU_(ev$O+z<`4Tnq*B>rYCet0-Wer9TzGc+HTAzu~-EXR+LfCIa
z$O?WJXeZee=~MGVFe{ZIg3ac@p5c9}W#zEXG7v>Ln5%?aghvJiT50xiYM&K2F&wL+
z`t_Cgp>cg793F>mMbhzt#p-vz)}$5G2W!+p4i*Kw@vekJJ7t&HcWbU+?W9$Bg~2dU
zfl>8`+5RUFy8Zo2{~^qJ!H^kzr|-=+NU6s(HBex%bo1)Jw^xR^zV@=@chhV8v;*S>
z8#33yVA#i7&OS?mXVj-~xc^lD)qd-sfu7V|Eg^{ezZd=A*DdWP1|3U*Bs}-EmZ)3k
zEz{4YY62PvY<?-|zgKSJ45_w)zUSmMH!~~%h4sMg{4nfVF~oL1A*U)6$Quj5Bo6jX
z9E1xsdSMii{b;>c^H9eDFmZtr(u7<+A3xc76j;Ei0Dw>m-th!AbMo{ib;x;M+HDrn
zof5FZZ*26jJcIAV;b688B2Rf#{?nk!ymfhES4H&KK#+d!JN`u}-+i!fVc>^UW*T7u
zhIj)_VMYII8;vjgKg*k4O{0dKoPM1*|E_Uc**<uu->O&fK-9_rggnMSYmVuyOZpHc
z`JQ%$)IHOu*IaaNelmEe7W4UP=jX2$!YHN|fusbUW~#?>H9{r5USv9+C;CY_SiCw;
zW1(q64F(TQS4L|>hZK4ED_d_aC~B-cEaf{3c8NySJH0~2uhLt1wHB~LVrgl!g*Pk8
z0urd>@>(ZYt|7o;fsni5>c!I(s=>BwPD^+<vsGm{IAfgYhsrYO-_pYvjmQDp+CS>?
z&@sDhM~2@esFGcC!<g3Fg6A&Bo1c#fM^1`Ua-}?A=33Wbs%%sl#Ci{bvkqrjhZA@&
zmE6m#0(7(8bxiG?d=Vp0)ii@*66w1~5YwWkbSfuSc8LqUy_y3gn>_hwu0S@lE*xa_
zNT1;1)RUoFlqO4cB4@k2Jmlolyn50!WiP|5;A*8yJbgz4dP}kq*%VtKPb|o+D$k7f
zwp=D*k}9^pUxYcV>mo9D)#cv3b?@|e^(%gUW~<oJ<Lz3j$KFO3(ri|IZ>)q4O?ivQ
zmrN!nr=3sJ{6g$<qhDZA4&(Lf887*)A53WMDl%|v+Kvh{*~!532|hxGT)O+A_-Fs!
zO%L7tn&KrIGClHFBxEJkuJ+=uhBAFCZ2F}wOVZ8%5p*jY@Ujky+vNoOo0OuN;KTnC
z!AdNhSKx;$l}<;e5`Z5hPv3TZB+dM(=bW8njyCMwwPg_4&=KX=({@REGWWMgA2G*|
z(~uwu>EE(0y+vu{77<S~CY+LT6AjO5d{5M@A|k9~QxIW##_>-2zxIg&q)l=(3z!42
zmM4i#mq5=GuUUU0>b6On9rFT{L-X5O4pb#-+xSqi$J2XE%*6b&E;oF=5md@=MTGOI
zc8VBaQFCeeBPYK-|6<t0HW>~ap#V!KJ5RNd(lCF1iVS%$Mjmu{-IhL*n$&*wFWT<?
zTA1;g*OPiaar@ozRTB7&!i|V`4xW~3$7!N5pE2-O{0?^c9<-le{<{YkLR1%tPW66k
zPBxshn?sCc!^doXMkiht3}(qgdwE1XQl+a=J@v6uDJ|Dd*ehRgE}kfQVV3ljOyp6d
zk-vb(4y|r3rl=U!ZVARPjbF*TsZ_JVBILnRD|Upm7BApcp~Op6aMY6pC8UPDH&8O0
z4rAwf3F7KM8RwZ6{PKh*H(V(sX*c#`#&y~19ls$TU2Vk2Cn0wu@BsZt0WC5iQ)p>a
z_)$huDrUFzN5M@Da+@p@5`Ul%yAL)9zm=5_C)SoI7L+F{`B6)jX28kIf+#XKd62Zk
z?Ey;ST`lqD>~T=`-oGFIq3#z~H6xG4lBXF@!WeY<FFGyH$;WvPiU0yc>>=m#Sb$vV
zkggthB5xnOc!Z?cOfig&A{qL^Fc})7gbfxA>)FZA*UasFLR^nA0wp?EAm<xD%;atV
zIR`xFCmJ_*TWx)SLYaDy?&m<1wJw(pK5Qyb$HVZK>+XLi1J)z}lM%M?A0cN%Q9P1y
z6u2KV$Q&S)HxR~Q<MII1wi<6s{*RT+ABF`K-J&$s@7GfOBmD4jr=co_9UN{TbBPSP
z?>a3l8hdT@e2%Z)u+|G4t;v8hfc;}c9?(A`YF#Oinoy4~A>omzG^#$9+~E0iqRP$q
z8w;pa#G>^~U`7;--uIlSXua{w1lf{4_8E{(reWtFcLLB+4#aJ0zVML<pGGVv67hlX
zlr@T)J`pjvXS<2Ue~-l(y~V?S#cr7~y=83oM1qS*T}*zu!^u=O87fs=aLF)I<+EV3
zPL~UeM>lk>b1>?CyGug5K*xvkJ8|~>`sMk^x%Hz<a-ibt4qaUFt(mhndcS~wB<A!>
zm7ZB^mo?gd1|A>~V->A~aH}{Ysap>6&J44{D2C?YqQ!r0v6Ml+qx(NXrh#^)QEv5$
zl$Xm4#NyOxQdEs8CVS*X89`uw^q5ld?)ww-wpBb2-hmBG$)|E#Q0Gxjb${B-2^kcj
z{zO>WypyfAg7yOM7AhYF(#E&9v)+Fz^k!|5V}6Ugt}MS_>k|vro!nj*jd^YKk}9TW
znz#RhhDt@?<{X-Fpoq;a=?8<#Kzkya%4s(7@v6a@K%j=p(fqHji>Dr<FW-urt+y*F
z?2isfKl^9}(V;-;93{U`wlgvkq&a|m=<}8l@-bf*eZh;8bbS;GXsIOK44(|hfr^CJ
zyyfmnWv>bK8-~$Z4cZ5k9Ct1}1*NRBSx6;re`VNNkcMat_Q3iQ-df5ny7oC5y?NKc
zh3dL>cUclE<%L}+_*oZ;_}`zp0=<QVQ)T=tl-?pw4)Ui!cdW;0Y;3U_ar$C3m#AD9
zOMBpW!2iHrjtexa|DX{LqeenwcKet^9Q`NdpW%yEEWqFOi=3XTDKwBoHx?jd4stHm
z1NY&B!)+$k+&sOV>CJOZ9v`L^z+jv;xUtV!xAW1h*Vz&X=m_>bs_I<%qxm`vmMH>h
zFp{H5k5+!zAfagIVg%8HOF*ai{thXMKfSmujW}!m&^!~EHSeJV->s0s!<QV_enP6e
z&+**(A=mZE-ccqWrEcf)Lh40)bbwOmg9qy8;k7~Nt`wHA6YGzsC{9Tcuufkl%JrF`
z5Zrdx<-89N^#$!rQvN9|-}RKqS+Hfi+vKh3#ebkmGWq_8MTFMvTaPUHqaOq^Xs+E>
zzprttV>Nf4opTWrl1SG&dtp{o-_M+MFPziEEgB{WnX<Cqz_0u8p>$6FSORHTY78dE
z`E-~W^O&aqSf_~N1Q6OK^Tj@@CR&H0n}+XlRX<V$peObjaCdhG?I6(ox5FoiUj0lm
z{7Ki~Y-XLrtF3W=ab^DR&D1x|uj5sA!b(eh>LnZBFcIu8cn?pTkLCJU0T&<h-#w|_
z^E0!2dx)i%R1+ArDl9WY4?bOv-+(!*K!#`ZQB%R~mCPu?US<_Yr>XZX82jA6X_HAs
zM@8Ij_HQ`0bX~xQ?)Z4(qW--jU$AES+|LO#rT-M+w#B9{K(Q@QSm5zRij;NB7NSNi
z=;)|4o+C2@XKOn5p_f%BpQ2!in(;*}HB@y9ib+nOfe__^ykbGx=Yj$z@H>1!`hK)+
zCyx!JEY`o4pF$d%INZf<A@NFH!=6Xur<!tQq~P|zh_S&2Tp2;x(r?Yhf7_P=;{QXV
z&8N*YRnb9yTQR0eaQDS+mSqo3k4h{r9qE(ySxr{s?eMY7aH-MYTmc;j6x^pI`DI`}
z?t;0PelGs~hs=mnhg<*rvZ^;aZ!zchP(=z^rI|mts|jUGZ>fc0jtT*Pil~Xy%T&Lb
zM?e<ipwPLnZ}Di{?M_tH8ssttguo`wywk^9(NmZ^Gi9LH7$BAGEqZKhd!ACoj#Wrv
zF1gX;Qr8wfi!bnSxl=u!NS3uPDj5&(kvrrYok5@X90oVrlqm&o>rNDrq?dqy+`S?N
zoV5w3utq@sxvzY639HZgf2Nx2jj6^S(g-gg1$heK|3A&}foARAPU6%p(??Lmtj!ss
z`e5<LO43BmA!APfYcXq5t}+~Mm4fgq-68~a#-U#=)asP*DHYw8<mZS$JZ;^7^0fbQ
zS+4u{K>bT5UKt|QbG8!TiV9f6qy$DG^NPz2k=hI6h<d9Af6CV{UL=_39Bs+<S@vZ<
z6t*%vFcVd&dgElGv?18@qdPJfo?Diu6<V0REB#fj&P75HN^w)T9AixP>>{fos8C;v
zm;b&u3xbXtQ?uSCRQXvC96EzQj?V<kH4e9o#?=k&Z-30XWtu|bU>I4a<(Eh{lu_(@
z)8k`(==Ix(yxdH|1`c<$8T8%I_>CZ0UDOxOLe*0=u9TWSkv9_&26c(%^pwV&bT7)Z
zWn}%D7qy$W<vJTdSv`)U^Y1$dI2APwh?Wyyj_pTtej%(;^OeY<vEEdc_9aSu;IA45
z+LNc(1m4XBOi_}Ke1|Mhf^s6PXJUZ{<=y#)h{8N2x}X_F*U?#_3TS2hYUSY)d{>*|
za`@uoUny96W#WC6pKnJj9!Qf?->+5*lwjvbm?N)pC{>G!Ik_86|DBBIJK~k_gd(rd
zWc3PUseZG^@j}qwCt1#4mtF3I`1c~I9H~(2CG$O>GY&=s&Mg#?P!HRZ0t{RVp}j=~
zPD~N>_#6Lj)fWnjcMLJGDqDq?$na=Ph~D2zWuU(%`V;8^fewsh7Qa4rFZUOA%?B<(
zDJBUOu9WwOJ;p-K@B!^Ut}n-{{+k4xpoBkVd)s%ZH?rKI)6P6^(UAkGzsVBsl}63@
zbdgMObU#ld0h2I9NP(c(3(MzCyz<rS*1^~FT(8s;QX_s>VgYa6!D~7<Ow-}2V@lQB
zpoETng%05WrbZvb;*s-`*0w$ORosTDpiy1(KVNSK{*8)K8<wd!k28v{SFNDOOw==M
z_rP~-0EOvoTIF+*iNrb2FMX~5BUQsoe@0|Pc!(;N3*=w4?!;9EGFo)@ggVE|3!){r
z$V4Slfqp{~ig>^-)o@w!7T0_vk1`8~p<4FX-mG|f-ZHyZSRht$UmtJx*ODN~RA`S~
zG$MeZ2QClWb=?HazRbRgy>IAB5;<?^gkj%x9CV6TFEtE6&Ic>Sn@%KKw%{qWf7#?$
z@_~SAdocJa^%vZ48za<|h7re7%~>$Xm&;jD+tsaUTst!xgJ5VLzZ+8%c2j)g9N7BI
zV>X?QWx3TsalZqpaU&uhBucFhU}vK*!Lv`|R?3+!_@2?w<e;SLnVf!_arW*$eCU_&
zG}r5<4^|;6B#mGK004{fi|`vt8JXjEln}^D5mWoO1o)D&ld+S@WI!Z{_(%0e8%Sa3
z1=xkSk64+K$E2`w_$#mC;#RA}b&LDf?{?ein3Zh>sY2Xh+B1t-iP1xf4H_ZVneA80
zm3~v@eNkZb=(l_qeNmY$;t@&1<^LrKZm<~VZY+tOBzTcU#c|K4#+HV46RDsvzhdo5
zH^2Z4uui1dz_GZ}7P6xv0Q9}wwgU<HN54>F7c6)Fu5xf6Poto69gOi;>YG|(sN&^d
z%s%n;*U6Bd#UnV@!;aC)ipGV>viqnUrJ{<3^kJ|TQsC~3#SAzRnxhd<G)(PUu3_zq
z4{!Q(i*t_fnWbuy(YM?8A5A63r-RiX7Fit^x)%&wJ@81LV~seI76yDeK4POfUeFj5
zgX@kSSFREAgaXLEjGG6v-=5aOf2A%jig^DZe{s2htLNqQO+dU<iU9JJf0^pDbRSpj
zl5#o%=APJNjN)>E(AIP|KrZ+-!bv2Uj?PO&FiR|;q)ecC(t&p(tE5V=Fs(w{2kYa6
zwg2GfvMQ#j{(J$JQ{>l7{e96+18lO7!z-;roljpRT=NBI5Pw@CA(Ud<{h~Xn78|oE
z2SPP-a3CU88$Mc!s~VI?v+!gl+gOM||3zC&$Q}oz6t;)BBAHR=$N`T_kg*&OHR!i3
zC3rEpGAPXD3BL3Tj`*6|Yni`FlKP@2nj!_k403$s@i&|PO>`7%&-HJo=wcg!H{&!J
zMxn5tP+HQq013!MS7!6-<;1v%c|f1Wlu)KK8g`f8ubga53KS^GezmPJE>5Sv1r+o{
z_~Qpc{oOU*Ic0Pl9V&8yY0=F_%NR|v7lwa{mwu-%f~Y|xmxPuWmNZ-%>;FzacJ?*X
z0KL;D1UGwUB%QRZsJ$G=db01D3KMI8|A@GVs2rku{<?}WYAy(p_=kju6=a4=?=_V9
z%M-YyrrFZehy&Stmfnx9sG2oA@Jj`1?6iD<mkOi3P!a&A?DyWrye3=b)DSi!RH*TJ
ziJFR{=e?Ctgbn3G4N(nahrG9NqfHMZN2&bGw)?j<efx%ZK4wR-x|oG#KqYxJx)Q?Q
z`N-o+lTTD?q=!VX%vd_kUOa2sz~Ko}HPQq*8OubwG{Q)XYGv5<D#MbE*hyoBRc1T3
zBpip_PDC%5g8M&8WEHF0l~R>?za`hr!(lLbEsI7@nDT;93l<StT41TS97d?!4n=h|
z^n&Tup11_AhLm`Gc+>S;+(&!G$CGs6<+_MR?q2(!$5XKq_XiurE{*r#gs3?zYRk<;
za)3by(y_9^`&_MD+j>)Sfk2jPRQ2c8u%G`jAuSGYF)n0Q>FX$Tg~15IG<rXSrYnYZ
znIu%>?(z!Q<g>(v@v_JiEUF-Fc;w{2ciHcDUZ!s{GZXw>saGKamz2mLUWD@c$^vms
zeydRU)=EeOxL_Kqr)F;S-3p<WZk|`1zo;>(Dx5$QAfU3>oVBTNOd+s80=^J0y|N0O
zWpEct%8Wgr0=QV&7~rP2y#poGn7G`?BP_~lPb?5Pe0R+x@IG$Z@njDSRa*C{#XYH(
zbftVr8Wm$~ml7*zrdZL2%veKQ6N4umpgbaPLH`#adM2xNK#nb#$bMejd%n`SjDnGl
zV<5Ppz~M|*_9rvTFD+5q;G~^*8<7eNSisX|Pn#aNf_{}_$4QkePv$O=7u+)Z7g+=}
zd=9y;9ioPwZ$Ew|%<{8EBbHFGUyEJBzy$m`>mY@kKW;|Gr+1lL2`_L#5jHt~n<GCx
z;y<d7Wz*%FmRcZmuFe7gntXl$zQ2r2FQcQAq-)yu{(U<pU<T(Rx>7D+wIfW!wi<^f
zuy~Pk&LQ|BS^<BJ_Vs;J=-D&EV1YT&O}?F$3m&ddPM`FR^R8_5#CF{>@-eJyApi3o
z{gA;*By7p(@1T@pSeHy<wfnM0fI{nmE=7gzT}#B}5sR_w1M=JJ;F_0NLA7#MOaE%q
z0_1*eo4Lxp`4O{TH&0wUl}llAKmeg8m29aI-#v(FiX+Dhc#~!<8W(jDP9xw~?&=U3
zR&A#Amc1M0JGen{<pEl<fS2-f)1FGQ;5x}Mrfa(oKH7P>5`Te?^UE-^i|-s|6Ng<W
z)ND@H&sfKW6!?YQeV_-Pw1q{kDIN4feI!Y<<1U&t{pz|Q%Jg;1SBlG-2}9rtK1W*-
zgZWl<$d#(HF2^`r{N|#-8eMY;{zm;xalV_T`T%_Tp~uK&R@}hhV=?2En->qy(+G28
zya*LD7x0afg*mCWp4#jq*w8OVr+k->=h6y#UH>TVw5GMaRQ)vNHamBI^+#a(Z)BkV
zr-{u)2d?~B#)aT)N<fyc)%!9X*PHl^*jTD?<@$-`aN&>05_6Z@H>dK8G>p7Xu%Yy5
zRXsyI=hi!d_PAbtQlg%y3C7>Liwu`+E~;){%{2$$5f|qGqK!!^8@YW6;6l!~-aX+2
zQGVUL0sNSqnAT&m>A0#+Tx{&KeMmI^1%;vE`x7YQ#xxTb$Xn-b-8Xpp|3h7!<I<WH
z120(gF@7!;isFQYN2`2}SY*Bv4z%ZYO(Y~RM+Z#un7ueS8yMo77e_buJyr{3xR1Kv
z0RotWKpp*|0HD6sexX&W@h#13y4PPI=T&R4e_JF<LnXjL))Xcz6fnq<N%o_9pj!aJ
zJU7@EslMX6bjc{cWDS}94S6?xR^7b}rRl-Z;xGG*zHWjE;Ihdea~I+m$yN9%nuv<Q
zFEH~WV<Oy-krrU=eYDrJL$#h)eEdDa)QMBDqJVekhU2ftH>^Cye?9SYH5VeglXw-h
z0-5toR!|^H$isLQXR6S<CL@JE?%Wtsz^3A6h=oFpD0o61f?2+@u77#?J<L!J%VKDa
zZXM%T2UWDO7jANpY!nZpjf6{-8NT7pEGzs-9x?ho-IJ=XR><R>iH441nj?Elvo{^U
zxIW38c+)D{fiC27#VrntOlH3q<?y<fIo;Fh-*5P}fvszic+mZ45nss2Qg74y^Y1P~
z#M?`bxj9{bG9&{cZg@IW++iT=7#B?G{buFLtj;vUq%+-~L;9ZIpOMzOTYPbX0ASKI
z!GeG0OzS^8Fm;pxddzNT{+ES{hIo<d_xhl$ncju%L@A5o>9Q<hL_eUhID&Q%K4TZF
zca=`w%I|vKeVrbeCZE!mZE?)j61&E?J(~)m!z6ci>0jpi1Fjio-%i-w7}0iPEp`A6
zq%;l974SpOGqvB5D*1wWq60w{5>t+G#@M9wc5g^BS$aM`ZwFLs>t-k8u1|iq8ZVA~
z*Y_owdX~Q?M3*Rn14Q#bh%6rCw9xO1X(FbXw*5A&_%@Q}cJjBTuIB+RHZ_8WW_PM}
zMHVN%0+}OKT92Ae!(j0h@=Kn7*>D>j<6yt4%|mVu=aDzLf9{_CE!NESfVfJ6fWO0F
zDWR~BNjWsqLLUVO;KPsi)*y+1TZx`rSkE3^r>MsVH~S3}Jiuh`*9;P1ur#kH9RAq9
z#uRS+hwgV91t{S<6h<Hw80Z>E1*G}@L&OyeuhYrgycF64FV{3|U!jG1^^j6Kv-ukM
z4)K><8n^P-q!JJh2?a2f5+v<_Etex<pY0kyv*V_@XqAJzb-m9?8D2o5-lQ@?b_aih
z4TY&LC7WphKUI1|?D$R=?R6kE6}rhc{!_f8z4`7^<J0<_V5glqQ}AN5ExV?n7sxR@
z|Gt3t>L|u4I<I<OO$wM)ZZ{g!Yr<Q<RoM%lR||Wo(UL9L85@UH@+IVXuiO2^I$3Ew
zgBrla`f}M!lD+(urXV8MZUl!faby$>KC#%NxEB&ayi8*#pe-95*Pjr}E1WB~OvO=j
zPYi6;=C2Wo+8u(sJ@k-^c6#i*T~$5zm_Zwvp7~;L+p}Z=%3AEz-qoGz?z#et7TI&C
z#e0G((&?|hN?^@%?f4cCo={vKsL%th;)xu(-z1?f0AFF0QXG=jVeEN)ummQi#K9_u
z%I=!+H!iXhRye`nHvP9sDIi0QA?F5}JB2;ws_r_L<C^7~;Ca;;=)Y}^6Um*OtT5Qg
z^&fuMEWG?HaK_>mrv+=DG7v;lxWC+<T(g3jy~h5%X4t3?ek4`b3Pmt-y%qNKqOf1$
z6gmIQWq<?Z)lU7}bPVezPV__S!G3Qd1L}v`_CUqZ>1oBqTnm8VK`sa#o5{&68FHD4
z$A!7xB?O)cJ*hvpe1u~0-tD#YBjR7*$}O$zi=N@ruAUyMV8#B>bY@=wrkGhDJUU9#
zan<K8he!N$t!`^;^$$6+<Qx&%6^rTR@m_gNA&KS9hwI;9U-#1`{einf4{2=)#-pnK
z4|MS$aVPr-wk40rXT#7A9`K?Mzizk|U5L^+29D5gRfyjeUvmio!Mgx5-<PLI>}0&w
z!;xF{28}K1e;U?zdh>xbEaj43_Pxyj{Bi~1&59LX))R#OTuI{;ncXI}!zrCu1Rwz|
zV0z!R@<W2QnOocmclpd8Qt4gv0TnO7qSo@T3R0Pi1xx7X{#Mf~tbxp`$oK8rUbnr!
zQk};>!an~ZoR1y~v<;cw|2Y|0o%2(FZcqCD;Oz0OePqo3&8}&M%V1l2KIrWUf}XQX
zdgdb0#q7tK=&o!=P)GIacy}vPH?XLY^dee`Pu1kx4163(qiP%EH?Eo@>eyevw?cBW
z4;LK!3R{rxcIb44cfoFp3Q>0xR*1B+B0ioOe#omhvHgg*J7QH?g_WENUq_}!LbBZd
z2Vo;5shahH_ACt+{ma!z!iLGkL;vN-zqW<3tNA66QAjZu#LfE?C=)5d-Q)z$NM4pQ
z&@s?AzkAwvDCf*f1Np1yEkx;BG`AKZZTcpnru;zam<O*t{ufr&`!f{86Z}4A=s2AJ
zi>u+NDsd!?>gwM26(iGPcHY#lDpM|Si}E;uZ{Y1UG0+T4#m{X<Pald2U_vpS0U-M!
z+>yM@ZTs$Sam*xK<UFhc=D^&73dl9R1me5pa|}wz^7}_C(H|eIuFV?v!PS_3HJ=gi
z{gG(44{*55mrfV}Sak(l6A`WRdfu3HT=kn=pj88d{r0VLTiT%rJ=P4AEUP=>uO?#b
z<FdKBig-=IQ$M!GnV3__01gg&e@UQ0<V!P2tIjppB&)Z-;jfgPF}MsDo5jWLO`~|~
zteDW-KU#Jv{1+%*a+11~oq)kFMMA!z9w?iE9Ce5-7qE2{7qa%7E*sI;umw)OK038R
zYKqCcDx9Cv3uAMoHT8!lpolag1wmo!mCi;m*yH1G>p(U-%HEmC$CNromemY;q$qeW
z8f5fBExB&(Ra3o9?Pl}R+ryG(1CfjVhAM^wYh}mi!x!{u-)H_k(Lc|XjJe^t{HwlV
z<RStn9bp<Ht|#VS4o^O*H>;`{^IERXU5}kWfNxwZlEY8yiUvp|sQ^bXOBhY=16b7U
z{QLhvCW3&LWk@N&9ZTMVP&q>W6d8?1)M@AL`SXhK#k34-J&Mp?h*`Z*wAvnm$N5f*
zM6i)gjK?WYdxI)K@-!9iL!1;6Csm6#ebBfYCqJ1L;Ce#T<}KDZgdC&!UE}ajLB}ri
zIlhPD9N<M_eU^(GmMU#Zi0k(PHFIUd4c(v?1F9T5ZKy>`V-zgK%QQ0<-xT7SLPms3
zC5@2fp#^m~ueN=nZc)}a?Kr}ndN*~v$j#gm1-<B3fHt54nKbxowk3%JwV7K&-ctg(
z*smWqnLJPdNUlDaWrnQY+`m*?gVST-NCvtW@9m!_0fGo<_mNKRe=(!rV~r90SSW^<
z$nCKAlz`lf-^dc?S(9n*Y7;Jq=D*@4X7n4+kcWR^FoWD0vOk&$s*4*U^8A+dC4~JV
z>e^U;M&n>XYMm96t`*QvA2c^Z8A0PtLvTl#AT9ZAmJlVLNnw_hIC8gBwjBTI)&#78
zf>wSJWTv>pzCslf<KQ6HFr@{=o4F=F9y*HwZ&glKT%M~>oG_$GG~JIU?jaDl;bs{v
z4jlE-!3W+{Bsa7M<B3PX3YF6QdxqXTk|)CdAOl$(gT+;au?E=;LQHnQ7lL;nBQ08E
z>pYs6Jp?DlH;btDzdSgL@-cfjx$H}kZKCBtF|f@-Kuc<ZTOfyFNRnh5t-7d~J+Pc-
z!2@IZaHl)MTK)9+k&E>IA?h>U>bvjrI)qXBEo%OY_I5vZkO8Nke8Dz<RQLPAk9aJQ
zI%<{z{#t<^#MN_tCY}5MZ1`41-kDumdYRBH=MUM4@SB1^xcArZqww2qtdJczwnnJI
z;y~^HVot>X!v;&~n<+2m3`C)@C3M_6gxwxi8DxEfN7RPpOG!1ABelWAi{&)HgXCWv
z!svsa*PZXavsyxr3=<T3#jeM|yX!5g)^K=A9B&YV#bk=skG%M(!LEXXF}nKmUPcET
zfZBr3>U3kQZVv{4;(lsG$>n)&aOHHlrnX({Cub{6O>3X=Cs=gKWU7J&+1s(bL;Lj`
z#%z@44mmdw897Mm6&2)M{uzte*U@u{2aFUVHXMYj9l-8+Xu?Xu<jw=u;6f-8q8(RI
zX*8fB6dr^$me<Ip%E`h8gYDpO<#XVvq;M2~A7lsyqXgReHvGAhKO2@uk|XWl+xVl=
z=YAl3$*}8c;`!uFC|<~-VpRAHF-F1rTpDii<KOO9(6}BI8=HC!GODh<ho99#mE1R%
z{1EcC%wBlXB<97^o$jrJjgrQl41LZtu1R=I*WJBNkcj!cg{=dXkCijBoO-{|ouwh*
zjeLSSAKf9i3`$n8A!IDALF`X46dDq0k!V@QSb4i4m}c@}Wkvr|t_XDN|G^UZPyPv!
ze!`0C4Q^ZyNXIPatG2qqPu#6m|K-7v=x~8Nwd_aZQX(}i$e(@-DD^hpXZFIH3b6%y
zmwM`lQ!MoLtNIcL+5ZigUo!G((qx`qUHpMWjW(1h$>}u7Us-B>V2+8`Rl@DfmAHWn
zE^*}MgHldjT)?<6r;j<<$Er8R3HiQJEDRok4PRaLg~GP3!+Bi&_c$NrX0hLVwcc%V
z>AKwOzE{(z;~BJorWp$U7whzW7%kqUQ-Y2w!F~mi3RoYpl|+#7uFd}7Kk7B++NhpX
z{N->;kx8pLnP~y1Ql=;?l?Az^tY}+KAI2Y*26o+S3h@?q1^4@=eWwNdpkk5+>IW^g
zyNxMFe_2j~y%UT&8kyfT8GJRG<$EPRk|5?b@RGOxva!bqoMn<%)Lt!iQU@Uduq_kH
z1_m1q66iC4j?>pE$X+Da{5;_3z{io-<wPz&v^-Btlot!>HiB+hzg<RBkiSE=Zl$a5
zo}$^t34WI4SqXzxn{^r?qoFm3`>RxEi+Wgz12Y(%i<tYgT>2&{;u`Lbbt)~q;N$4&
z>3<6VgAJg}P((5{_^bH1X*&VIu~gvuU-?Wh^glGTjDOCF0a8NDAPN3iLZWXW0ZN0-
z^!tAwZ&z~zYFJ_DXOaTwD5v45OiWuCfNE9P1A81rKnXOl?k`P~alwEv?pwIm^5lMI
zBV{=A#T#c3x1yzw33)OCKpMv*SK=*WfxAiyh*z#XYvTY_z|F}qM=`@Xo4X4?T#Z>*
zCWPurh^Fs5R=XG#V5D`WPt^U&3OV-Ma2-=Yt}KV(a66&G8;7B|_v1h2`60j;P9-;8
z5kA}IKk>yd0Dl4M8(X$!0lP-C^(RgPJ@@BH1wCrKrok}2kwh5%BL8GFheB!W^KF4{
za!~5#68osSoRoID7YLyAk=;6=v8U?u6mO}<(aXf!_!#DoXtia=vK>R`2S*`6Kk*gD
zgT$j~ugLYBcY>51B~9f56#pl`|Hx(%2=RN;pk5^^BVFsSIL?UWZ&%907{C6t=F2sP
zK@u(22s${?TE(aS*T|ncqF<%CvwQ@F2E2$On}|mJf1y)vp8_}enj=U12Deg+voUsl
zX7}JsCYzMygN33c?$K-PRAp8#W88Sy6ImfCY5%V_v@2sGuxNojky<<r*f5c%xHT@?
z)l6p~nYi9fX~gG<l+U?4+1TJO@vO}K5K5^Yzwq&dthoZ8xYY}@{}Ob?%g<>B-`I!%
zD^Uf>s<TJA;htR!vA6wyFlpUSO>ZZ@i&QbjYz@heiXe0d^=mQMYUPeEMAwG?=I9yr
z5+Q5L*pUEYO#Cdu7j8_O{gT?~nEj}38)!;hINfgI&k3eEmpaYMJt~r)3r6m4GR+S4
z4CcGb51|u#*#YKkZwK*k5^q>a^l))45XAIhIImsvx39&*9HG#XXWkS|h1;-}H%fyS
ziR_s{Yk8b-_<dNFNlML64QCGx3ITacSAYNr2P_Ij<mD;j&_d2%q5<NE7b`*$qzUaE
ztpq@0upxZ}I?1p0XmkKz@}s&}-o)qwaufDM2~aL^etb9xA8v%D@R#BO2%4)CG&OiD
zFN1pXOZ0D{(EU<dM9;+m#X21dfE@HVh``!`8D|%v1C#_I*B}QTF5}#vRG4ac`gqQ0
zj$~65>TU_BPh|Bn{CJ~LX-PZ9g|iI<-72E^q4X2)BvT8Ykg`8sFP2Q@p@<@DlSP-s
z#a9>0)DtlwI{Z#FmdL)%c1)a7E#<Fz3$;1GoBecYF_Q}FKyZdL)T^Z1vVOyG<G17s
z9P`nAcW(P5k?#x>L6>!w6a0n}7!^s0(_+G=WyMJqQK4a>n-YY4Gu0f5?`m{Z`jE{5
z5tv#@)L9fYI1x&(|DmybaKr}~mjF@|ls+-0%ja*PV`^<<%c|fO!h(Q(^@XU~B@o)`
z-El@USf*1|{beh0Kl_(Hdc14gf+(igPj(MobfAiT60d||pgyJ#=nQM}Y)|F!Z*GW?
zBHHNzgpc+p6Q`S!VnziHU!q|-bK={7vt-)K=(a2scpV*4Lze0LBVwe7vnG*VhcN_C
z<62!9%_NH)u!W|rz}~~tLS+%l48SwlBMO{&qN1n<F%<#Owa?#)MeL-FIU7;~cT2qF
zfiV~VD5N3t$KM^l89DDpI}PuysP`nrxV<8n)(;kGnGmZ$q&`^jf5HhG&c)0{yuKkE
z>Kso$g@3^ZjkOm~GrWCkss+el1ZDBiJ4XMcNIy{hl=wV@^PPqPZVXR<Dt^d33t32l
zf6C8tWyWwqjg${!?fib~^Ez9W;X_ZtCFQP<mvpexHUka;1VEiAsE7;rOT~1lS`G*t
zXmMTWqh_DEW&i*uz(!H_ZwY|A0hUuvIJU(K;<(YYBPg&5mG_WYH7^vmY>!9&6|+*#
z@}N<Zya$O;wCW$PpP*z@&+nL|_7}Ngy7~YL#D!9zF~e&`4}Jy~NR1U*seQP)#gOLc
ziQ%ZqC36nx5B5*^_z$0E4REiZ2w8eG{SwjWDYFD0K_^|Uw5;nQC}Q`?r)>KL`JCKc
zssVPa3<1WzyIhXdcQlX*^ZqCqHivSB?1O2J3ubRSzzWkIObT&Du8d?#@PSeuyXx`)
zOxjS``ZIJ$DGb#Idqt8QNDls;qoRCnLV=x=#bSMZefjN^Z1rl3#uH*ecW-9@ZeT%(
zouMZJgCsr>QNloiC(%{&>Q%e%zuuy&Gm}7~Wx23eY`UBrOcdvF*)UjsD9k3;LRLsK
z*m$qEkfCsgP?RBj$n1_3-E%$)b|FyGbZhBZ=2%9!hkm$-8$trF5i0*g$srO=%q9$j
zsU$J?&70BS?2dHFjlZfs`5bIY)HXy+K;i4iH}Hd02-!jM^IRX?+zF}qJkJ9F4i4nu
zG~Q}|s+9#V+CYvy{3HS{3{3A7xyH%NYJx>{prEE|On`BXQo6KvFj~W;UGLvvCpK(A
zx@#H^yZ!V@<lZlRydfg*{U)Tc?t;XU+DR$b2>VW+x4&#lO`XpJvro-cL;qn+|EH)%
z3+MpkW+nWSpj?gNaX%&6+N%kR?fFby*KWM4vZ?3-zjJJkvZlBJ!6XHRZNW&`G%9}L
zx9dwyA|P)HK~vvOe0+4XIoAVFdoxX<!9ey^QPy4Fn|#80sNy{c0K_t?|8@FwmSBJA
zw68x~Pf?1EyVnPg981kNnhS?{Nf-2;PKUDFQYB^iY*XvL=bKBP|8hxz+>BKI>Z42a
z3UU6rtG^UEI<KcB7S}nWVMW<tMMCPAj(8-}VJ2*~S#uY4HGv}s<&nsBS3Uviri5)b
zYiT61?di|@WD?WwIWzUfeucsR0`k}Y0<zZkc5g|oJ-JC#(qAemukpgsfcRih_I<%#
zI0sb=*?*YAZt47U!Peg1eo!A{Yl<-Jfu{y2L*8X08&1)ua6!Khf#{R?niFQ(8DHO-
z85?%vD@(kR6cH76Yn9{$`}$gbu)Es*{h;p>w0SV};(GhCtpK)?J%DSl!e`pT3<gu#
zY9>tZeDwZ8+?W>%%LRZ9zZ!^nC%U<R9|*&RyQt-bbK}8O3{6m)e?vFOTl=^zjBtTX
zLSCNSPs-gWlKB?ZmAy7&Wu9wGuT*Q2QxA%8w{l;Wg*nE$*LPVRYigts0JvbB!qT}M
zr~^;YFZR;*7B(f3YLuE>sc&?Kl3Picd+huJ>NQ{gZE-wqd+8!U*icuKU&&O?oF&Eo
zx+ve_je2pMVSK>Xz$1H@)eg_41@ztnCQ->38ckwlQO-Lee%yx~q;X1+W$e!Sbo?Ny
zM^R8YzX4%#Xs|&S0b@AHig9X=*$?zIK+?mFj1#{7{5RtIi(rn<3{!#MhE#>ToAQ1n
zw5{6#3$7zOiGm*s9qr7ZJn`ih>?K;wG}_}9P-qT)i2rbMWw&|`2l?v5=SA)`yKXUt
z{h0fDXV&6$xTVCqNW4k{(k>@_K<akh#_PrJ=Oqpzy03cHgP+US8>U9gC^`yQ*pslT
z&Rl<Ja&kBUjq?etuMi~S0WM>SEE{r%WdwkD-)V$Jh7zRaG2?)G3SZjc)u#@0;O^>N
zy5D7wcT1pKq-m|B%Ip*!Y;Z^3y|C?k?I3udw$?)|BTL}vL6(~u$eU}Cum6hw$5o0g
z?)PuW_RE2Czj7vczhr2+IF!wBf*0TNj7IBM85vg2n`7jfe)cta@zwLqc8%ce8Z!%?
z?x;yXepf|PTKDT4Klr-eTLmm`@3sCiVmU~S`RMWjTT=)coz6~tF!(zZdhp=~ws(Im
zYVj+`-tP~%hk$&cZSvc?xd>n9AUhsf;HKIHt9^dZ)6?;S{4DtcVOrHY$+y;AoB9?m
zJ@E0rA&%<8OU`q0*!FiC6@~)r>uImoU7^srO*NwrxNYtVy*We{gGm+gQSq;_zoLo$
zKc+H^0mwz380rbfB*LS)MhC9lpEE(B1L*6gGTsJF&NnZ5%1PqO<EcgN)*@kKdV%Hj
zO)1)PY|M9^7j`pJIuAasj_x(93SqHiIq%+K(&Zp+9gUBA;ZV3LPEe@?gs86?1nPP`
zwMNEa7c;xYJq#4NzbFtvVwL<{0%UC*1qE9X;|no{)$qU}3bB6ckbZ096U#TrV16;2
zqm)MP?SF8S9uJrdJMQ?O&#5oJ*aD)a0&7J7iOyB*iIk*u+W$Q@s9U<kGN#IXv9vb)
zk&T)=6O3D>CyRb=CEx<8(eHbRNYv1<B!*b-==+OKZONA~rv3#Dn!8QSVj4F0n)pq<
zXpO;c@2S*!H7L-uhv#lN>U3aos)?5WsBtgtN@{`%c;P7KuwH}ROq7qSWUUPJ1@L9e
zl59#7+FlN%6P_A;(jzVorvPKWE4K(jYY5#jWHPMU_*UoC18hK(tDGv@l$y(pE)lX9
zrSU5tKN1{`z8q+T)KC>*UM5||@hglMc`m;b0RK>qna|xwO9JbC{mQXEB_!Cy*4ERf
z>1eB`7w=z26lC>pJV|HWtdy^ui(AW!4%%!jhVopuQ}P*%%9aHoD~puUyJ0wIWQx;C
zNh^CYAXvgVV2*mU^GQhKBEBdCVqk!1NUv!W0ZLAYJT^#8GBjvyt#t(#m^$L;cl1GZ
z0tAw%t&z1`8%R6?0-G8-y=>a++uR6&IdpAbk`dVd8e06UEVle9fM)Cd#CRQT6nGu<
z@u14-$3|Gb0cKPi<eZLJUES5;gN0*oE8e)*4>nTK0+=~rq<g9io6AYRBRa<aUe?J_
zL`Ga*4MiC8lAZeRCi2lpArQ#<QoT)~u<Mjm=f8#INEaAvwmZ4&n6XFgV+vw`msmoo
z8x-h}Ssn~|EdV*+%|1z7d9L;O)1}gHfil$m4bqw+iYy#iHpYhIq%q3klCryYq&0`P
zZ?$YS*2nT6nCGj|npn7<YhJhhHU0Qf56Gs|Jz@hzOWNq=TbGzL^-5Ine9=;rc^OrB
zpx)dG;_d()iy%ya!u{X*!Fy#!j0S<3Tz4#Y+{QnU{!4>X$v|#<Su|HcKs4T+c1Skw
zu=OWcj~(WJ`g$N&GZYkOPZUa|dGYVRMN^sMQJ{oXbyvNklM(nd?KH773jp^sjQVNX
zb@Pz}fNMjGbSAF-@?-O7?L4Kib|9Y5fi={oO0y5tv4UGEP!lNMRm^f#^u7!H0ij)A
zj;CP<A9X2#&D-y5xAUd5QXq|rOK6cQV*(JkA1X@AH0pb(0L1m|<#|sJ>MR^fBDVX}
zzvW!f;`WYASRaK9cG4gspC}E{Q@W<Z@4GH|{=T+p*V208%jLVMcCA_XbkP)`k;o`x
z*51Z7Q2$MK4lYN}W{@724{#>5(G+m|!wy<>WR1A;=JPX>Qh%SrCh&1f={?kS87b0+
z^wrFwKnbO$eGOy<0G|8mVa+Q%lwdOe-SSImK>J~S2U6~2tNZWE8qOXWAh{$*kAI~&
zjp3{<kla}mk0uR)G+r*XgRbV>oA(i23K_NenUsFVCF2A9WfAqspZ{A}>}=Qe105;2
z3`|l7P&7=$Z@2foADo15Zf_KpyoWx9KMdada*>u=58Nw34#}N3y;M+&v@U(M%N@u6
zjSlh|-$O^>wT20x1SoBT=R3ZhW#@Ix8hc^`s>-+?#&58*87BigbS1T#7~V*4eFL4(
zuqQjHL(`=|&C5R}u#k5+t90)o6~%Qba!AV$R)|d;y*n|9ak1g~D~VH#!|=}9@0*3X
zx7M6ol!l+7U$J=`{V!}>{!eW3f4&nX*q89{$Xe&Euv-x-O$a9Tx<w;y!~AKcDSLAh
z;gCvT>{)uNpF~ck3v>Qk5y7dj{$DWWT=(3sB)MOip**JFc`ly!*&N{V%)x*e^GS~?
zKcJMD7z2Q51YWkQ`fZ-l&~U?0pi<ZPriu=C!INx(zvZPC<)VX8U-1rpT`i*TJ>Rt@
zl_*Eg)%zEsT7aH-J17Hci<T442waw`285a^<9L@c3g6TQlG{_YIJXJB=Ef7vg*6*>
zw(Vg5pXA$rNLL3U^<RKy#>Q4u;CH}<-g}r4o>R06_7`-nuebJp#tCq6X+K3@=;EQX
zu`GI0@4~T%C<JN}(2(e#Uxix=q*rq;EDsntcr+KOy0*@q`N=GYZgow-%{=Xx8ak+C
z9vf!ve$8%5hp3hkKU)1*tC4)$JOckeu}|bkQi2U*K^<LPZ-9zlU{`Yko%SylaR%+d
zzj8~#fkFTqg19uqmr7OFPq3pX9T7*im{}0_oS>_>WDRYSLr}Y+3-Uok%Ete(r>z^%
zF8_aoy>(nvTlY9D4h%Jf<Pg$G!vIo(AgMG+_t1hMp_Js164IU0-6BX1-Q6J|2&i;7
z{0`oGpYOe&_m6ju0q30Av3l*b*V-6k5Oz_19R1(Pr|HDGD4P&=6xV5J4vMzrGVR~h
zMDHq*0)(vqIz*J|gKy54o*xt$aJ0TOHn(wc0}pjC=f%arF`JyB8wnE64?P8vA44n~
zX1`g#^Ji_f?S7lp8_=SwpA05xuds3_2-~%@`9^4kxmfV{b>6(aOdlNxI}dSwiv!H;
z?h^@|t&Th%Mhd)H5EK@s2hsN<%a<BGPj}MZPnqdzS;9?o<o6CBsZk@v=)SqAyC>}Z
z5jm*x4E&816Fb|V>z{z8-^c%Y{@csMz*q5M=C!smsFt$4V*aAJ!qbSIXHTj7)f4(r
z{4WVKpno5-4e!iDC@U%TAbWWBM)%ozk?$V~8aey@GAu(4ddhXwB?~c3M>t`YkvTV`
zYBgBozK#{Xe%WAT&B$1{SX)X%)x|52jGM&(95p>9pUGu_w*X5E>KyYMe3&U$F@P#i
zV%)!<i?ShCafZdS_idNzto3YrzShoh<Min2i(vWNjmZ^CuA%bKL!PG;0a*WnJ6O}1
z{Osr`781q|Dkdn&z>6?kH?0u!OgDp1nlx1iK<e9(6vOdm%SMJ&`FKI&ev(X-@|Z*B
z@ahFs#=2>z=Zj{dl*7>wO66*+Wmp=RL>5e<x`b{1>P)pV)ol4QYQI7S>hhP(T7T5#
z0PJjJ{Mn(!@`|%0`5x&2(vi~gKZjZKz^H%9xgUHknYR@M6>A+wb}o-*p}KD{3MTIs
zyOdkNH9jzclyPy_OyI&F4neIrZ{cYBuXs+ofKFw>N)-0-2+#u;eedE?&ngYKMh!20
zb}`m?sa#8^g=gdyuY$!_vd57T>2Yh_S8pxglRnpQ{RQis-$^DWysG0^8_w7%8s?I0
z>i%ZS+1d2};z&pd9Ng@7_{ascDuMatG)SJu-fK~-t#k-DX?YhS)9!jv2=SmHJL_}<
zQ|&fI+Sr_{_EX92<5*md#XTS2Sd_9{w&D8Rhdk*1qW6vZOR<=Z);sWGN$pzc5Dec|
zD+fpWe#H<nWZRbSV~gkM-t9ruO#(%x1~@*5%TZu&yW#ZTVy*(HJ=h+EX9m{~Z`I-j
zA~x#2(sqe)%U@Oj8WP2!+->@h9_nY`Og(hsH)|M;U^={d`AW;ypX7UvalKfawb;%U
z7E5c^%+JqhsxDCHad3%z#VZ_{b1S%8(_sYD?~VFJva=I`(_Z8segXdBfjtAq1106Y
z$bh@5pzP<)vfwH1GZ9dO*SxHpJ<mFY;zR>_%L|aw0C1WqYbz<wp5YUmk`swxKqE6H
zpELoCBgQceNQr33!l7?EsWT}F&Wu(SICcKM=QeM}CfJd!qA~jK!=&zNf%-r^Hm5jt
zz+Ft&$3vbE{iH>KLdG90t!e7sR-$flCFG8b`(-e(g7N{qdPUQV9N+l$crPG#q>Gu=
zCG4Zzs!lE~pd^;-xnFQHkQh!(G71V{mGD%|D1CV*7ENs|&9k?^&;4&ED2RX0a@5<4
zNe0cRq}MI5OmpSxTpn5$0SRz?$5n?YQ9g3dBppY}Vx}{JS`p+Jh6<q2@Kxd>MWCM-
zphc_GT<+8B7v}KFS4g@ZJk;GEWhjPe5dE2wH#VB)T#x_VRSzI(J)9v^-?VNI=ox2v
z<KW}Ai6ACQBcLiQ7P~rF(*+dTyMW15lde%x!|$S3gqk3HolctAIs-A0<f+IohchN1
z{GKZxll&y^Lz26I{wbRc&<L6KHyj0U7j^I-!cYm^|7>1N0B~Xb_ZOJ)*TYtKibt@4
zY6iEvrrDsRRyr9WU2Tq2YR?`GrtFw~T#=v%V#1lh8KYfBKX~XhNmf_)EplU^Hdq+&
z53NpjJ!0xgzcn%OV-f#{Hx9o2nbI9&^z+(_f(1%TQ00Htv<tQnJxSi}Fa91dKe(fr
zO|Onw=B&ul?EJXW2~6SzXp#ioJY1v^Fe-7FCgYjn&Q*H)63K?sPNQz>YUjC=gJE9K
zUsX&28U*YMwiLwl^t7_Faxe0Xp4-(8Je4)uOrfX_E<3elX`M_rKaYyN)42Z@(|)eM
zUw}xycVN8(H#ZVpoGein?{2&vM)F)<cJl63O8_Tg|4rpU2gPmzdq6Qsp!p1wy=X{@
zIpfR=xxF{TMb3kA)66axxz67CPKLe>Wnz@W3$F1N%ZCIu0jr(gkh6wAgD5V@mp3C3
zPLLZq`OMD2BcnI}0n+-*pVig8Jg}Ps>XV(^nqX!Ka*t<UfSK8sQ~!etYE4LF9X{bi
zj#`X!^gs@wWwdrS-3_WhnUs`1W{4Di0$u&#eP4`k#QVOVK4CXh<i@_3;Cj2|@WKf{
z4W81trW0F@m9K{7dER{fx_J6cJd`pT(S+%w&E@Wt4VT5lHCtAoE0x>(p6$kKCp_l!
zma!K};6vO*H1~2GNf*^uqEqX1u0L9ou3gDP`EOzc^Mkrq9TsuIm|di}_#J+S{V?9`
zknKf&(W+gTtI)y1MWyarXE+U?Q-Xo0FO%*pI^+2I`>=7O!oTTq@*rUsY{ByQJ=E_G
z_24p{Hyd%tm%hBFou8v(R$hlwQ?mgQk;GAOMF1Y9K{oUG%kG%or%M=UcitOz-~y6|
z0QSM(i0VNifm(PL)v{ojVH10M@|h)U+XlW~WUgF|_I^mX7SshOUd_nGIOBK)S>PV)
zMXr6%N>i|$#J8umgkvJ3EaB}?#(%YTPd@Xjij=0W+H=Qm<H$*B`Am*DL@tVO84Fq6
z!c&}*1PSU96xZ2{c7u^3lzs(!2KmfW2qPm%fE<Ts?`5@>rMNxb-O#)&+vBgkeB(a_
zeg=4P@_?Gxo}C1+;hs`sYmxzGf?lf?P+5Xp8!*Mcw@|qTE#7|$Bhzjk4f@`83zf%w
z1ma?GkC`kawcFUxTe>O_ieQ>NS7~#<UcWv%+8E#9#2vB~dCwyxEbOw~Wk3blUi8b~
zKAG0s#MVM!c$bQLTrmt!_G|4*;9j2fDwq%V1(9xW>EqpK89ZEUbh`ESgk94wf8FLy
zC|gKRN^(E(u)db@o7dhtm=xYVaXA^f%`f5!U!@SM+<!h(#8Jz?k+41&&DHkfwPF!t
zq=Tg#>IYaKACE%_w`z8wUam2Q++waRLvRRZ6mw=+;i0@9f36kugCpPb#IViFo$Lq~
zQI{b1;pMG`w~Lm$l?@x%r>Vo9LvPbJ+|q_O$bw*JnS3_I8x}v_V@*x(T6gZoZR+@S
z*_6@k-XH&l#(uu4Y#GT`4bIp#@|=1Gda1_L)HG|Xn?qn#_CiDFI6%Z>$*VRHCxwUG
zY;r^8F%3728zwEy0w%FrW;cOb|275Agiip&>}fbZ!<Sc{i)V)V`biYq`UE4|JCJ*z
zaAk#dBNMp0683W$nQQUqr(7G1#oIl-%ZyY4uiT{5s{F1EC|~mQUp=5oR7pC^%5Wdb
z+&McF+y#nA9>SXZ`M}^e0cy=f^@i-;1x<P{D=yesv@R}~N}AnwjagEg_nvNi)2!WH
zke0hWruCR2e7MA8)UU_LKYMcS6?b-(+8OP-3{U9X$i78wTza@(8zd~POM1abE=9Vi
z_TZ8sH*SoaU;UeA`R<8<_XzE^7*giEk0VA~^=aNF1+IdtW_Nf-bQ|yb`-Kq$xHJ_P
z=2Py92}>NCvI+J6ixUfxGxgxdS~<E}<1`zZ+VxTYfax>sUtppKhlhq9zHd4L=jCaR
zr>7J9w65Uj(?PXYB>Yg(VK4@VOx`Ner^j11>a^f+3{d|f(#?&^1Wr*@Qz|brpp84<
zT+MhK7vjd!8C|nlyvwlpy9R~H;Nbho&TDVHbRl<^9Pf1fgP9qq1r2{oB%03J4F(>K
zx5+ZxcBYZyBg%W0ugn9ibq_ld>vSHmd;A(MetC8*pe5U<CqG@70eU0bHF@gw_8kE?
zEdGr{?&5WPGhOMDW(ShQ6uxSq4B3jt#o1e5YzpEQTPBp%19mw@jl36r;(i_2UCZ$>
zMgxEnMKZ3E>l>zeB{s-b;7-=7&PTG(QAF|$2Mas2)id~J;5NHY3c1r)x#aBZI*`d>
z1JV$M*+!$u4Dkz=2OvV=Qj4W;LVOi~nWyQ&U=_e_Gh8g3T=aW;lq|9kN*17~J{TM*
z3FEH73BXY0F#%ssE_E!-o;{TrI~>;%{1wgZ7Kv68`IWl#+rDJCojjIUct}&K_>NQW
zWi|cn$KN`96e%ANev@N!g}er)lU`NNi<XJ8R->y8_3vjFYVA5f!WOoq<Km6sLP^-9
z<=R%p*I($sU!Wig0e2Jl>AP2Z4*nY}7jrV?A;2aEqAjoYKVISaCJ%k&LKYmi^Ub?^
zHGM*>=2jauht7DojBeQ`=%$EX&poOJd)n+O{r}DU5N2;<!+r|RD+z3spFBYZFh*{q
znbhC_(-nfSJ7j(psCdfwAQPxvZ7;V9m7Op-%M2V~1OxG!<FugI*ERcJWDbTO%nLDq
zNhHE-Pbh&skRK4i2$t7gI=X()8RG^g_)L6Di7uDQek;El^Qx=qzV$dUz?!4Ks=Z%u
zH2&<W1PEG@6PO#_1CW~PL^%OStpiE4#%i}5mOu*pqKUnr1+&+5-uY~4K_38}c?{MB
zz>_cY{Fc<LhXn^9bNj?6lb7y-l^VBXbu69BUPJ^SHd4mkv9)h5VbH|8iw^t<>|FXJ
zpql(mw$CypYg_fNkPhVcpI4pz1&+5j(C!n4ybk2urO!(X&ijC134yv+!R!?j6b^h9
zOyD6^XkaC|A-QC(K97<d9|BOHikxe~k$=Zy)y9_+)=F=hg}Ln=W-U6>+T%s+n>zhT
zyu7-qAD&@MP4SuT60&z^_pLR1vGcQdqkYp`ISV$#poe4T_<fAMxTzO)HHF&k2=GzA
zH_4x$eBBaz@GP+ElizTbZ?rDUVOyhlv~THC$@Imk;S=Mh7)IQJuA64VUw`8?Fkq{L
zY9foVOr0Ps_+j`5S86={InPXfJH~ye(}+%tG2-*IFa%`DnaI0w7t@}g;nqps>Lt5{
zaj;+zFXAgzh0AW4Dw--3c}vGuqoPt#F)m}nktLyC@c>go1vOZ+c`r(Wqq9Kj{^+ZY
z0u0rxGr14F<n)iSps2<0ZRK!Cbnl{hkii&gAjiqj>VV78`TD@q240{0-_}df;~5OH
zYI{6VT$8I-QPgVmuIZbF96t+?@_@;`9<L{gYq4;#UnM7|9!Cr#MdI|&>bkWQ-%s1u
z^KT4hlMb?_fESyq`-PgeLY!vR#PN#Idimq+Pb8MkI+&KnhmN|x&bv^RFMZCZeRLz&
zhMkD7fPwUHbT5rhQZ(G9NKd|L`<;lWyg*Oya$9%%>h3+E-R)i$@cal*#F(P%U`gKv
zH-Nz`{Nd_Maqn3mEuWO@?v2`L$iVUM5xWV*URAzg)nk{nJW^_Nt7X5SAr;CaU%DRU
z(sRTBcg;_0hkchSkJ<|j1zt+GS!~jM*(3X{j>)USt-9w!2U#lvrE_uMyzy_BO7F{Y
zJ_5BA>xGMoFUOLd8h+OpG*p6~_YxKi$0L7Eyz}|Iknk%!+t~C;(cl0cL{zOM__2NA
z{CaNY>;~&SxYnt8!fRiQT^&uIRBL|o7_@+vw<tGn-iZ~_1k%qER+6f`Lz9N~kG`FH
zg%gbP14z<d$^Bv|9_E4KkSV82v-mYsK=qXq!}6X+)IHSCzP7t@u!%grO;(j9L6WLi
zgZ|87&dE*J{+eY+wQM-1>wV24WiiEE#9Q5a(ghk}K^I@P1+Q+8aR$!XCycuGtinaI
zd=hlA?<0Z&jr{Yaq>=+H(P)h_2elGrhi`G67b|kB4Ij4Dj0w%UK6hxJ%0=`GprLK)
z;@=XDNMmIN;E%GR5#$dq^|;`4s=aZtF$y=<Z9V_=2;zFPiFXwkX)8O|Z3m|%7ATya
zY(gJ471O|9B|a3%cfI~1b7p_bh(M><Qx9T(5mXsfq9szJ_+dE%3mhb)C|)tDu&n#W
z4$YT19|3x1qyHf8DWzM|GtThXnP?5kNSZBf^XYq*PX?E*hb2h*5!tIT4ctz^QH?0o
znj|HGR?8E3F2#F%ExW2gPiy0x&>+cs*F;Y9`a~@uEFbc8sT^17`f5ZU3D*i&dlBzh
z>$!xVldE&QY!0eA%H9;%wYIqM@&L#1{+cxVZB2fL=WcmhJg+gapHpLZipK+0^_R+e
z^hi2}pMUJr)F+xe;*wgptQx~J9}~7oR@73irj2+y1ZoXDbVlI5Z6^LJ3VJ@qM|+{8
z@WNK=Jwm2yi;bkF4IxX<49kqS?=3AI-wu17^y^kz4kjn<ChOpU1o$8x(Z<W6TsKh-
zyUh*8%XxXL{)o)i<=2zXeC?7cEpKnnni9e(n7VhH-!*RMu9k8=yoYpXJYX_%r$r*~
z`|o}97Iayr!awe>ZTxkCceRXuE9{OP=+4<0*!r;L;IV$42Pv9Oesc$XgeS+)hTn^V
zPqTtC2=15Y+JQ;Coz+>@R}@MOW!{~|UQaoZL8;~sMkMt2(04Df)6AGg1%sJ<vUxm5
zgLdof>Q%`MUEV;T^F)=%P3_+YVq#a5bWe2`<zw6W(aS#QC(m{f%BD8StER^p!&9wS
z_`b>_u6v}*S06e?RDbH~bUj8>-kY_sW2mbjYLvlUmE7?AG($lB!A{1?{Gos5cVsl|
z74=fGq3icfZ835D=S-GC49(Z<5QUMXN$9?JPB=z?6dX>Xz-~p{`14mBp4i32OG~R~
zqt8`pbD>W%A`az`e_$FHyfP!#bVnf0KlL@GQ=z6?koDt6>0BKdI19#~lT>Gej2E#$
zDee4f94F_5_gv|}pPS_28Hmut1TkpiWMh5fDaoo1fjg#pk~(OB&-T<)B;%{?#EFQL
z`e^07IARy0noGvcz@Lj->qEjHM_d}Ad?Y#v#<ha0d?W{RPP9ozh{WZ_E}O<aT*qEF
zs@#V(nQ@~S>yhV&eLAxa?6vIiDBKXz_Q{R8Y#0qfc;+J~%9^iZCeh*t#thgW^%(k%
zt{KdotV24<yJz{YHoUI|;6Fr<QusIB!ioLOec1!2Xl+G|hOu)~s1iS*#0)zUx28-Y
zc}%OeuFqb3twshGbJ>A#D0~n)Hbi)>*z3az_d*;{u(7&DM3L1hLpq;33I@uq70r@y
z;VheemK4s{A8YLb5IWpsmY)}yy?Mx0&alH@V9*=Y2jCjIP3oAw<S${7%*?!Mm0C?+
z;BSmZX{u)$<{lPzimAfuB%ksy|M1>Rm?t<iWMbc6Mvnsg23l8WyuA92;%wpT+dKMx
z$P0l)VKquZ&wdwsCykAe0=tbFJbw!#sJ>g9ytbCC+HE-#qd=QQ#l`HsN0CzRwsg68
zO1~KEiPtEI#^U<mXQ5#Sq1m_lx+7p_eOz6rx5OE3jo(K^naw?17)Wzs47(;?y09St
zfws2{SuU+4GT^@cSuTi~{bDCm_CQsKiA_uB2{T;Mz~ZY54k+d;ffb=O7?<jG881&7
z1y^?<Q#<q2ayQ!wymGG(1{-3ae&uK7FZ3?3%=V)Tv&EonCArp>-te_B6|gApuah2G
zRY;-3sHo;diayvsnCE!#_~_Xu@v73ZV|Hr$XeUzNj*n6eXP@?eG4?(d9ZGH4MbK-g
z>B~`CM#?n$xp1^1$1lcuw!a(0+sHEUiE<^%9)pGQFulpQd^=W@dDJ#_$Cv3G<oywO
zN1a@reuwhkfn8We@weq5P<zuW2wO9?_W{{wRHodgBkn?rIh6_(apgz~r|9F$8*NP$
z$(85Dk+ytcM<wK7{vg{t-7Nu86c9RDc>E!-vNE>WQ@7TqnzW$wgXK*{IC#&&DcXZx
zO<G>s$JpL8O!G5V6;T*5?hl0;9n+3b?IE<oU&;6F85D;C2i{4&`AO92&w<f3#g*ca
zhO%v4QI^#{yn3Sr&wTb+`2|C-EJoa-gi`N42>Y5JYM{~xsFx%AX)E=k=QEx1$84Pj
z;G^hX)cf7zIw|~wo-*W4FW1<>3ZjzhZ1=(VL9+2<ZmV6yaQHNf{pVu4TQetG!sPf4
zkhuhJfO&cA&jU_d_n;thlgv$K?lz8b+7f+3qZT2Uz3uAxd&2};7(4y5;h!YYD&p@L
z;5`HCT0hnt#*kxL_MrF>A(LNIO6Ld86M;BLWbHQx*t|rP&&vy*<sDifYyK-sEXj;+
z*2&Mfe3h@o2$SIOyx?Ez6pmS-+sZ%$0?wD3P^H9ZaXC_dMaC*!OS8yr!x)oz-IXI^
zq9}xg^Y#I4QZktb{gY0Ei)6WXWyim<(oMP1i4~*q0`gw^VCS}Gh=_49jv8D%GaD0_
zn}gZ6BNcH#)btRK^?@WmKfgdkO0s4E!t=>MtOv_GV<Zx_hp4?1FDd>eW?Z_$PB#-5
zq{a3uKe(ktq*I%eCdw1<oRt-vyO!m<^koM}-#yIr!I^7_xU!MIB`3O75Uj%F!`B|D
zykdLb#!`VLBi%~INR+i&QZntHqT%?a_qJwQzGkAJGQ|(cqWudN5k0i*0K7_d4|8bZ
zfzH7|Hcuj}0M>I_-OqfB2(ts!+y@G3uIC?2NO>~c=){ERsvRG?Njn?SGls_iNuwon
zA4^Uq4PwXoJn+~141^ct)E;0_?q0EtL0j6M+_1yp_q+YC4w6sF!J3XDeo=S=r7LK|
z0m><QC9Rdqw4vPsUddhL>e%YpFXt>CLbYE>y^<$>Dv8E|AHV9^W+V;S{>kM#n6a*{
z$?WeJMmM$0w(u#ZogC~OSlS|BPigjp8Jm_z;_<@r7y1|{%w{V}A#J9zgOC1`IK@9p
z=+wWc%ECjAxL*tw#{bm76$`jxetUo9$@?NMwr1LmOjgGEo{FqJy%wAB!jD#3F-~-*
zRJG0bUt^mobvO#}(FnG4-vb2+wYnc(L^O7wpO^@Cy0LQO{$z~7WEd>a7|+D%$plB{
z3tJor@fan%3<BMc*lpY->|5Y@qmKgql6qgQ;o>A>LfWBuk35WXci@YFTTiyhg00U}
zA6qM-*y1G!w60>`xo{(2<CB|2>ckknML|h2GWCGKGB-rY>AsA`VpqdXESH^9yERm>
zT^{Al+Ju4^aW)vE<Vo`B&gr)%)t7qMw%E?w9(06|lEU~6Wl5A*cum-cC5sf$=QL+5
zlgTYSEeENduMFNi;0*81Kg<aP&B`4ZcOr8{EEJQl6kjWw-<QRtA+UDN)Y3Yk<eP?U
z;ZUMq_Sj6!lZp&y2)*bO|G4unk<Nj2ot$wqdq=Y5VA0YJ34_j^eRM1V8JR}9xH|3g
z3!}#MZO3T`)~a2EjshyL9aEu*JRvwQK3pHIam@q!<YLGeUN4fu7pfP|+fIw_Dp#U|
zJCp*0QRTUcHn^p;Mpdl~2#97e%__D%3@Izc1QAYrFgi~lUT}*M(Pdny40kDjYn>d?
ze2oqH_JPS!|Ik3{(;17q=l%NFqUh@%9}X=<e-zZ?fr{tmU;6u^QTE}N8pAQ{^wYnB
zolrp4R1zp3^!K$jIwS1~!J3~?3VSXXBBv=^J#K?`RF|~;5WRYXy@viVD_UO+$7MT2
zW5LDv7Hk3`-`BN=9%Sej0(G1RjW^qoTRFKgZp$D{3Lc#Yt4;7UQMQIWA=W4AQbQah
zQBUz(#=PDZNo&0lf9CZd32UEi9%?xd{T#EbzrPde2dW!Nbav8aa$I-VVEdH&AX+4Z
zucJqU+z;W#j+oZRk$CpPquE9kzKZjcQH|(4yfGjmUBKuQu!ot9_nb1R{8zHTf<(1|
zBU#i_x#%oJ8pUg9qEINqR`OW~8e~flEzsF%o0=NTU*9M{@0A#onwl2qkKm5&aaf4+
zng^CwHr;G*Q@JJTNiz6a!si9n(KrKpU*(q|q6!)-s_w`w8)qID6zb0-C(pE14b7R~
z|B~fTU=)*tff(MJ>y`r6I3{ekC#z_x0uc}7gN^tRD@<dBr<qPp*e|0(DYAdp3=kz)
z!U3b9@IgS{E+b(<#kMSlGaSD3_Q-fS?6GCPnJFfDF`3GJ!8gxtK7QecEWqs5+L7HD
zAfxxca$An)1s+2dCV(PvR*Xfw#QXvs;pVO?ks{Rkq4wzsRU{uqI(dU3N}dt#9iCX!
zhB=~xHTT}s7d<T%Uu1;nOG#Q^oGpnmFU=!>62Ftt8(ULd26gz~nTq#yL(?!J^qe%n
zP7|nhLxZd<j}_a)I;|jnZF!2F*_Z5mA+}>s1DbSu$3hAEPgQN`x^7KT+L6Kc6!m%0
zdi_&zR*m@z=k&^6$du4ty}dC4_ETTW2x3FEDcm=PhVqIcBh1^7Ip*EjdEwj$J4P+p
zt$c2-06r}r#AYhTVoIIv14?<-uThm@BU807<`3nQunHj?pq|y|RTINy+GYg{g3S-~
zn`YqAq{nWB*;%=CM0kBECssbfY8;5px_}Sf&7y5@-5kQ$5xH$&neh{mKVC>V-kT;H
zFT>rWc}wNed|%?_l5YrwAL1M}U^^jZo@Qm4M*>i~R>zZFe)l&)k1|*e`6@AZ?$^2H
z%gQOX(QS5#C{pkDz$$i$pmUQo-X74IJ3V`8Ol9Jmr});O=&}kA>Z+{y`Ek*5YHn_1
zUt@{v9xboax5DE!MI4}`xS%u?SMB_o98(zVR7NM@>h<8AWmzGw6X(Pm*+mW>dhzx|
zanYk4{f<6DHA&VvPWZY%D)xb<VzWmc!&%;lxntY&>~Sd2^!-30n>T*8BkS4J8q@qD
z77MJ~k$;?{1$U4DKoEC|vw=a{(ZSSgYYO$K|F}l&xp+@q;K!-F=H~`ZG18lk>kpyO
z-CSIb?}Ixe;32)0$=J=(rk&r_xDbU;6({_ihPd~`DL&@keD?@Jc8d~|+OGlCH?vV$
z`WQH*?F!vA{Q2!k(e&OpHP#^YMOdDRP9_s(Nn&+Q!BZ2@6Hc$LWAUV!2mKKm+Z<Y;
z=9{kh>V+wwX0&*3Hl&su49+d?rde#BnoEII#NJCkl*#0;no{o!Wo@Ql^+ns-1U4~H
z%|8o9!+-fqyl8-*KYr6EG}_7<Iz#qF6rvDj@yl5Q<FR>FbM(8J3%NUstOA~!Zk=S9
zRv2%xJBL%xPy9izm!P21p88)Xmw1SwxjudmGGNJZ;6j``7$<U$4|?BgETQ;vq9BSp
zW;pVEJ7+AJ#&Rz0-FuPS?cIA6i2@eT#O7&rBr;rW`IXkv&Au^kLR_=$?jimQi~1;U
z!>@IR&0Cb<lVgu4n-B{&&HQi2qsr@Elm4U3Us<2jG&dF+o5CtSGk>xg%8RQJk&!#F
zP+xfjg;fYgnM3QI%@%Ud$`Hd~Qi{of<tPQ=*eL>^%bc(ia~0MQvTn#^N1|i}8lXB`
zBqr!GJsT)-Wi?&+{YSDu(Lbh9#(>ST`)*V1og*BGP-gp1m6L-Exi`=z!niY>;e>H-
zf%%duaa#J*LJ-1D;z5cghG{JfcB3#T&}bB2zJefRfwQossy02M22VYDR`ek;_@$D=
zpx*FJ6nRF7PHx@6Z&<~JL_J=>OH0{HCgMySZPpXcr$H74u3KQ`nRNTYeFmC0TVwu&
z!rz|M#%ByaJzK*OUB1|%1P@Iv<~emO+om#rvI7wUW>DN>9z7J$D#3Ir6IQlK&m%~Q
zD~=1xJI2S-v-eDdlc?va-YG)0Egd_hTajc>q$?{*>6b!XQJ#F%YR^Kg4GS~BU+9+K
zlsc%>jvT5uHikoA4!_1|;fj%-QC)4Kc`hwEhb%FS>pc3cP}37_Uv+Wlz}#l2cVD!O
zH_zbVl=!;Hjt5%&U?)fCPDP{3J@C+p>?@zFIdqT?waGIsA<c|~)uaR+t5#C8vrl%j
zQ0<yEA=5+;dLFT7CDQKmiqtZ?CXTAdXt6%t*)0Nq5D=W3to<Vds$S2hhzv+76jLQ7
zuyiM<+Z~&u0hJlDEMvApqw%!)&>#a|8>e0?C{*%K*!9uwg#yRLRj}DPwJSgq8)sZG
zA`J}>$-f*yGrRbNQOClbm=v2n_V^<j$mKe-C_@x57684>xK>>Oug_yDtzHP7n&de4
zYB!BJ@Znoye%weq+Y5#?`fmJeLmo@KEZGc1{Nq-}KtM*$v*zgN=y$>aSUS;VNf;=?
zymT$Rd0EyS>XPh<M;X}EhIESf{NpVj^sKLVh@kn(*kJ|++ZT^x)y;Bg-pt<T#6sKX
z%D{(edluqJ+l7t<q8`J#-Np8_R)R?|ri&@*2ug9vRyeKgiG#m722cAVboxs=mSjWh
zSxq$CkV5ud_wwiF2_PP>L!exM-$Np3Z&_7JbeFK~M&aTqSUV+P(0Dn0D-u<F1dg_Z
zS__FV$1MGl%ob~i0-|W2@<kkD0-T@Ft3Whf+}+TlIts*-Q<*Q;6>6kd@p>t7C|R*4
z;(a1E!>qJ|oFauHgpD#u2ug{y$-q=2^0<Ty3=+6wv{2WMA8*YTY5AdfDMeDhmjL0}
zthQ`5y&8l_<GlRRG%T6)7&vvsPwO7M;%s=g{|T(3d;{3s&-Wt$o(m*mK6NXmSZ_y$
zmAm%jiycNP9e6U9;i}dM%HeEc)I<by4gKs!15LZto8`)jSVOgU{Mg5U(^Yk+>(Mq|
z$a|qbT0?o=r}C;7l?T2|Eb^Qh+!bUEtutP}vksL2_hwX@^!EF<%m0*lW9xf?yhbs_
z#QZJd`Wky`G{|%iu!rR6cb3Xnv+;5xZgN8O6Uk&21jm<LV_B9;2*AI`j$5097B6mu
zdttD(P>n_B;Jt>kQ#;%pE(ySaVdkkiqC5d-r;^^Pwi@pHubt>^X0iRue!<99%BI4?
z`Gp)(BByy^@u1O_X6dv52J6sLlaRr6eo;($Ku@3z2tI=RJd_Tm=7TLFCYpg9k5?KZ
z^p84kl^;PM$o7no*nK*)z(~|zJoo%NH~~g>%#GB1;9LR}Hl8U%1zqwa1^4-ne{03&
zQ9mjIYW?3l0$BtL!D4VC&XpNPRIVGkK6~hQkCcHSTZ5}zT7t2WFw0U12=6Cj5M~>d
zy2!m&5S>ZZcVb;u#Cz&H+fG21jR~IS4G6_cB}BeK#GMtlHFqM4cjzl-#>X@B4n7&V
z@ay!B7e@{o{1KH``SMdRQtGp-)mUq$(HOTRUZAg@`IEpTfF_}b%x+Jt2z5d$hFcR=
zO$ffc>Q&rrd<_u5p;8lL$d~XkWBAw;ff3EB&)NQx`&dSs>kqxF9>uO3p@aDWA^oXn
zpavL8y6GQ>Re;Z654I;=?z*PT_m_EA$bg`Bi|L%hD^K`jt*3bv0|+qN^zLSzYOXe|
z)Nd4ZxL8YP;bK%ih~Q{u^@N8MedXss5&}Ns$z-T6W>u;gH1UO;<FDsPe*M!%u~&*K
zvLB^bhZ9GBgS{jt*p12qx^%@V0g);_NWdHIW7@;}3=ChUz7F2pb4BwTY(sw7`F`2}
z^cm9cU>e5Ll!mjN2lc6MzpW`h?Da<&7fK1dmOry;L(1{6si4v_@<D7M^Ko#v(WB74
zN@r&F9+gp`j35Cxp#L=iGqhHv&s7;#k!gSfok{6VEB_?k(F}T$lpy;L!q|I5^m-Hr
zFye^>E9U^k8s(Pp?APOmi2@gQ=9BB(@!3CW)Lyo_QotV^V2|CxMFs{drFhcNM;S!`
z1oM6|2w^U?H!y2(mEpAx_<u7|wc9v{0NC#1EFDQZdVNtg)2lk{td;n!p6ccV)z-~j
z97~*<0xD35&H7&uMlRxYPSnC^rvhe=zD^^6GE80F(WpRXyVuihfa}P?Z>+7MXVLPU
z=U+3t4FI$O3k?~XZR(}%r>JNJi1s)32TK(xn{(-NEa)zGrBuzg?pOY<8~cnc)osyE
zLKi&~js<FGt5<urZgkt#vV#ilN|<4OlNzki<$&XJDhuR)RjuSoc>r0hfSoCF55!he
z5Q&;)>Ja$J$6C*})8zZ_K3GLj)Ag#K(Uc>4)8|0MCf~#d=6%6dq|S`?gR1+Gk_y}z
zpZng?Z$G??M;3oJeSBG*rU2D$&-etYuf>=I=(Z?8?B)lrysaO_KNx%dXj6Cgn1HY?
zSt0rAb-~YLINX}Qi{sho6CJ{~UP6g?q0AIrppTU8PLOSDBy#aiEAr&7kT{#Me*x+L
zEiwz<8?Xbk#i`z8dSIU9f-xgXCGC~2G$rn~Dnklh%=}w$qSrSv%`awT^5Dy#Zbs}J
zp&{6}eiR#dAF3L|jfO8_FkbhjaTLv!dv|>HtUb^e{=@%J_1E){IaKX8D|mCbw_AhW
zRXh-Om*y|DXjK5}0AaycipFbxwWYsloe#oI8>nU0uO^4sFh3r=A-?Ku_{pW)?}OkN
zt^^F8zdUOTyXChVLw~cGRc?gGmYS249xZ=TOB*;o#8MQn<2ukLs`SXfn(u6S^<wA~
zqHNk`r5`YPGy*Ho2f0*N`Aim1ABzOhspmMg>XFfr1^~Y4qLZk!$YetdHmIMh{i&aH
z^~ik(Wh~Wbe)S-J`|aOzr4<1iuPEUAIT-lMLG9jgw{stc#>;0ve)8Iyv|~ud=U|xN
zAptX1@el0ndYy{3(dV}8e|}x=J`ICFRJ~NffTdHrLRu2eb#jaZ;pgK$1cKJ+w-*c7
z+-A%(6d+orD5Ncohuant2{@0j5L>ng2P(LcFhIx2?2!!6>Uzb~oEc$Q1#Jwml^|hx
z5?ZmzD_&x9*7r}L+T>wg0lNMEuUaVsUTZKai=TvXj?B77Nzr-EVoh^@E=B>lAJ!cb
z6J3H#jAPgIkoV4<%%QG;1*EXtByG)wM+y<KI3VLO5`WWU_)d!Yjb?iRS=UESNTXgp
za-^*6dbJ&CYOwg#R&1bsez!593W@Q|V3J??WwV!`D%wbA*E|`x>~6{Z5>_#!awVI<
zD8|;SG0S4K2qxzTgNo_U)(c3&#?-3`MCtmXXLYJW9H;h4AZI`fWHL3errWiFgb{FG
zIJv}0+n#kkn|sYH^U>pHRKA5B;*fQ-i5#-U{P<vqZ+uWmV~*ID{8xaX!T4K1%cKL2
z@n1er(-nNVpR1+uZ<Cl?b%mHh3;UxQ;}79D$|U6#+4ZrfTPt14-(?BJwF$vPoRp6Q
z$@pCr{c~FH>#QoIw3`ici%+$68>nBWIqd;jx*!hy^oMmH4#pW%kQR~Qbe>d@F-F|d
zN<34`#a7pG`At&oh*7H$;FzfLkZf0pdQ!tG_%&8sk3x-xTUI`FmHQ)qkAO$@Y|UKP
zG%N+u+sTIHRd^xn`$O`SsCyq?e4cy}b;&9y^%?_1mZ;3>;lt(mb8{QA2hkqrV3~Bc
z9s<aKp`5*)Z2huwPPBc&R{ls$W&H;cCaOd>7isH9+oR?F^-4Stg~Jt+Ng#J?!WVHU
znk}?0q5tTe77h@*If*pcMIr+gG>?+JUDd}^Egp9cA{=Y_%QLgI0uZhDRyg~H*V9yL
zG6ho#HxABV{7ka=ZbSqs9<y|L7O%8G;FEQSLpJ2qz=qYu%>``F$IvkmnUfv+Q$N7B
z7C3r{_Z*T`{$h$gNpe}Ex~u5%J=u>pA4MTs!f4^n$A2%c@XjxOH-=E-LJk@qi<6Km
z&VBXDe)l#Nb$_rB`Hq3@cCPF2xDlv++ObZ+auNJwhRn89c&#508i4qG`{XLD-(vH&
zI#F4Ha5A2$K>H?cr=xtgZcQ05idJb>-&!eB1zj!N2TxgOSFlB{)`jiXO{+i-1KvC^
zOnfuSPYCF)aEbBgwb>Qa^7q>*NlVA2*iH4}8;Kjq^|C;UvhTOU)2GiMSX|koQ-7>y
zKr=v%mw7FRQh~E3{vo6X2?@1(=UgHvB7yEc?S7ptKTJIie{KA5_GMhKUww#L)m!9o
zVwApNc3*8e0I{~oN%=TYV?G3Py(n<zy5yQ+D%j3X@&!Ij2^WcUO_aNDI?9H#UI~-4
zdWj`z#{5*bC(vWM@jJ<z5;D44gx{c1@TiJpL>D1g<Ajwjxo!**{&}x)uO2W-8bDna
z?^k>}9)8kWI^5V(OpT&f_vhbZSX+H?XfDRuC;NS--I!Ce&g~2HyAJ~L6;Wo3N+sgB
z*0=$yoHG1E=uqO^=yU6qJ$bus%WSzsx`|J(p9dh^8s6l;`{C4bo?g12kTsX$;e-wz
z%3$%ceDTTkxI-&FmxPlWJ14fhw^qC82Hh(!an#m@at~{)9B=mdeg<frD^7oPxtECy
zoaaU`*V1syEs9<ux$Qp{H@0UCKcXPuL@@1!+~c%bX^cghyehqmxNQ5(-~q0+0!cp&
zJgQ4r7Q{?K)#<ABIT;&5+{6zF3sK?47>=SqiI<6Ip!W4d@2vf3JoJNE-bV*&Ltru)
zOH^L;b;^jpdjim9t;lteH(mioZmSJKg&pr1VxV;U`XfYTVc?R#%}D?Ej5bH)KNGkD
z0(xPiZmq~ai#*b8oCM6O9X6&llrf~`@UTNB&sg1OT4#URD*yBH{#xoODiG|pq&_2P
zG%;BrJj_U>Lo?XYZ)v4&N>&}%8g~DM+n3Zu3bQu`;w+0x6x!oY@|G{f-r?D{)75WW
zS;iHn{wVqltQvxVz5Vb~%pR507eCVoS~myjkDmE(mx$})7DN=X(4#O86a@grno?VB
zZlNZI0}g0I-+C~b&EI6kU7H;Amh>YEA?*1m0lA+qKVaDm$|4MvN!<-j^G<!sd6}}7
zawyGarr$fE0dYq@rx;3TVkYYNV|;R3+dGc~P@568%tx)Q;(yybx?|z&{ph2WHb;a#
zoNrKGu2q==)^cJnMW4${R9eSTM+F$h^y|Xsb$TG+tOiEABu|=ay5;D0d<QK-i6{5y
zu>%YAqj&nyF&R4qJfUZPwHd1ll{2&ch&4M>Pg)v@iaK1|7b<I=gH+4cNlXZw=gTbA
zjce<AV$t(qm#p4A)ULrMrrWxfvYJxLP6J@qA+Q~0OD#~rVxe0s!FYKKyg}dG{KbWU
zyN;jp@>=g^EApZLN9ikR(~o{mr%b?6b{z%xbVMVcQiDlQ+)**2@RB=xga1ukQ&y-U
z1M8rg;XY4E>2e&9B<g}G5&N&Fz7B5KKk%15I@r`zYHzB9?t~rQov^!Q^U)?c=xxvp
zM4;b=;Y{-6?J@^pBKJG~M5J}}wO*-+s!K_g!0e8U;Y)wT;Lczbe`3+Nc!(FFn`9Me
znwBTh1=^y_HF5&H5dC@A=JZp*{)Tn~i9kcGAxe%KPJIcr2*CS*xu&F-{1VneTB!e4
zP&^B+mdPWbDbgGVYy=)W_OuiRDQa6c2591%oEoJ|fJzwufZ>xw<5B4AHe_?J;@VrY
zk`b#po4ToDHrH^svceQ#aqvSeRcA=S{{<ud7HW0I@PwXvnxf_h_vv9D55E$nwJN)R
z4<L1FlADhj&FZh(6<@B~dumVm5Gt5pl?9_&^kN^0ZxL4}CLEX)6}V4l=HkHh;ROl^
zn>5uaQX94DJ90Io`Vo1B$c8-H{u51-L%>rPeE#$^l@9vr%6%%0?b25sf#C;JCLW?^
zgl?c79}sBT3af-fOJ?X@0N?yWb0+-!7vZl-)Z0+WDvTe36gXGbUtnM2{c8Wk8CjiG
zM#`buBdLv136tI?r2br~Mw~;R=acaZiDdXd)H!>gWU70qPk0_G&0-+e#3B?e>84eJ
zHO=?+p0EQF1)9iK<L@0G)aTOMGF3Bm{`0t3p~h@|%s8x&azT|Opb8Y6pz0z{(<Brh
z7oNv>f9$G<ffg1=mm~W7^PE{K!#!KvdDY6L8%$SIf22ZE3FbrGgPi@cI-%Xk$Cd>@
zfwNW}RcF4XT5CWkJ6_1yB`4^p&u0f_vZHivo<HePzBb3!w|v%cQQ~*yws4CD<rpho
zVZt8Gn-!A_W-HLd-kR2y8txs%?4=x$7bW~KWS3}s75tG^dXR?aF3u~z;xr)<L9#9l
z%Tc)$Shq?p8N7PESj;z#ev)=yvO$x6LW|Ta9f;97C7fE$3yXxIp|I1BfC9?6k*~Wh
zJTqlsOopYuBFv<`<Y4yZtJ|`}rm-Y|!_fRXeQYce$7>9#S-UI;XJIVW2Ix>A-<U@<
zG$!c<YQk(+O!Ze+hD61+P;P92W|pn@XQTOMCuYvuc0lBeGBPDF#X`@56Y>qB+=Uia
z*LE;5=SwWXZ9OvqkIZl1dndsi$hVffV2}4LT??|@pC1ZnTHlSt^-oo@HF$Bvq~UsH
z&Fu}#%GssBn$+D=_1^vt&RtXk2y1XrXZ@t4BJKS7IYB|3b*1|lUt9p~LRrvQruhB_
zd!-TyEaknFQbd)@poy`_Io)^m4c+gv1n|My377A)Rq%6;mbZEjy5BLIjIiN*qG-3F
z$RIzzU4%Z6pnEouz4s|P$f)!Q(-|6Xp-j(DK{IwJS9mF<xM6U_rop3qZ3e`3{Bp0=
z1grWFu(;R{A73jonXy^yg^Vz)+@D#V-tV3nHREQ7jf!vC1sJ~$xxV1hiEvRzl}xvv
z!Bic!h)68O7vbC8!y<Xwn`-VcOZ<6L?yyd*cT6!1AL?%Wn=zK)8xu9D*{h{TM)7Vz
zDl8)C{$LZ8kq4_?YO6$NbCX)6n=Z4p+n!WdS&}}j1+MGK7dVVzr$Kc^$pLnE3MD~6
zka`aJGnUp)rk%3QQH|sJiVf<0g{3RRUpT5Ly6Mn~#RDnX$9NSaEAt@X`**)J$b0gX
zLF$Al912MB<>v-ORZJAg?+o55k0zk@=c99*A3``a{|hNK3*1H90WVk}jfU<U>q(w&
zk&)CFxwFa$k&_w=t#L49L2vgl-`%ICcY0!C;@$U1>mNh+BQvg!Na@5hbQ-B1ia{DB
z+iWMOUUIzn(-MH+BgX(ldEH9L;l}VCx&hmM9FvZi#zZf<CucOAo#?x2Fjf3De>o5&
z1w8V*PfU4XVd1Yf1|F^&(B>A}lE;ORSFSbptsT@gTLMfxnthM2u$V*se;x2FQk<pV
zn(p2h(1xwv3%7Go{$^yR3eJVxfMa;bV_&>9;bs+UYkRvR#q1Z5V}_LAIR`<d+Pd<~
z(itpyQg@rmwBj2&Yd81nPCZ*PL=q6<;JkniH=U1oHz5z6bK~&^ZW8&GugpTVOfw@9
zC`b<KXAQwINK@GF@k4nB%#UiV-X7**?><@z)Z&>hODL4yJV|!3GM^U4GJ}&r$3%(h
z4a@tHG@x<a6_Mi0pzeqas&czsZo4i5S`f%bPt=E>h}U8DiH?V<g^fw&EE~nrmtfTq
zp1oQ=E0L2E<;FB1K@CB>4M{amn!Rf#>jFJ*eZ4k3oU6=kXJunxOILX*(mXRMybKYr
zmNqi`^cCN|yFo^;(7AcJQDl#s7Hsd54hX6lJH9_|xovLGe!Fk9*mHJev<()0+Mv56
z_@PB~QJx0Wj~v0RMm)sA`8&CXrvd_zHDA^(eFXCRE0xFx!VdD2%;aGHJ7*6_>w@vv
z1F7APUu^_n|GLQlB&#<d+|A(t!0z%#A`#~B7c?L();Q}L>;Jr&Q%x~r^Pkt4K$bcd
z{QqgqiTPdn2G4(PMI+>MqrU<008(c>s$9AYG*E%8er#hGXKGA-+D~xb8E`3R7;d~q
zY~$#Ik6-+mpg5K0M7UaSgE^fh=tC*Uicxu#&(6YouL0>b$>ZHjc9)z-1}%C|A=t(I
z?+HsXlGW|HlR^JZBL4GIACiUfKX+Jrk+i7ue+}m@p{pOMq72@tR|13oPB|je27~93
zV66XxZ5X66j;ziq*(%xW-}5i9q!7$y00yA%ckLIG)|72=y4U+#=njfV>fYy}=RVxj
zynO)RCn|A7!m}X|9{bt!CJ*ZL=7S8ZySJ{IJZ2IjD9wS%n8874WM|ylEv}p0M0d~5
zY7bho0VGO(C9AX5v%Bl%gsS3J_3jxQ_xwy1AhpZ|2&HK(zy+Lf4WI6?=X3rhC>}r{
zGf=t!|8A`EHQx3s%6}S6R2KD*y?e$DI`!PO{qwNe<%ht3A0EB@85?~!(x~Kbk}a8c
zy&*jgXmjq!>CfLQqjPk$yW8uJ?m+i*9+=-9aoydzBRWY9JK+8uSnuxKyQ9owv*ohQ
zE{D5;#{WfRcbNI@M&SwtV1D=W-J5s3lbJ4`nQs;S-xvQN><$3zf2B*^^`?HzUm>6Q
zpZ1FSkgI}y|LvJGfM4Z~p#N##9B#I}-H)`Lp98QBpc%ODQ&bW$Jgj6_#`&h4Yq#0+
zy7KXP@nP)-<`1E}j@bD@OLidd$o~!L(>psu@2i7f?n;>p{o_5nQ9$$Bx?sanO>UVx
zs`_i*Dvd6i!}YsdYrTIOv89;#*Ryu2iiJxb5o%xrfoo>V_`bFO*ShPDua|au1Tfe3
zEY1L`K=J<@sBdY+aKPfngV;NWkwha>@+xs4cksQNow=}Zld79QpIY?Yc!uVY+%o?M
zS}bQLhvI`bvH1+Z@G2r93#Uy0ivRg$Lvy3r|GudNR$}S>ziGgNPX&7Kz`y_yl+FKe
zaEIuA;PyleqM<D2f1|%c;T<vCfG7aD^A}A3|5pHS(}V2H!Ecf+k{|sutYs#57eYEy
zN_6`LE6ZdKf5C!pjUP>9tUnBj>*cI1Gp4BE_PwU;*pbn}+BR0Mi~RBfZb3Iksc&yz
zZCy+G;fJ-5Ym(Dk;ki4zoRxu11MjehmnY}jq#NGh+dUCaccAhY04Hr=M6{wVAW|%}
zfBO9+JpOk-RQmsOUmScA<oh?V{WDP>`(yKEDZ1}>Vr<$SY#41NG&<Vk>Ly>4)-asZ
z!mg{$kn-AzQBwb*;Ct4&9}TAuliK*$2g^c9@MVW=oTUH^-O=G4#$C;pJw&<g_<5S_
z>}Xb=)<4Ezqj-D4^SbMyu?^Kzx8HJsb*u^fwEpF}V?<?{yX)I9{-AItK{}w3zo97!
zFep#bUkv4Kwmig3Y6dqcaX4ukoIkO6TgtO1#<TZ*HI49c&~CB$^60!Dc}Oda4}AX*
zK<>DpcK}(a-q!%2u51$`QqJPOvFL{{vH#|_kB@>p55Rec?EKVIKS?e*diw9D>a1}I
z<%R<JTD{1aNW}B!-q%m`9ss;U-iJ(R2y(IgWzdx6sX9KVZ*e*FCB4iqqTJ}}PCNh<
zG9{Ub9pHN>Q4}w3doFC?FgcU&5y7I()Hl#v8nQ&_&tFaCT}jN%G6CA)8>_B`cN3lT
zg*w=OWcY6p(5~IC{Nu+;m#=w#DQXRQ{(&O&&oqFc|Au&Mca_3!7IwYQ(wg2ze6e1*
ztZRIgpMvqAN<)f;xR9vu#XHqBh6K4R7kSzGRJl`$SSe?JTy%36hL=oV*OMFQLIjDT
z<WqTL+l2$aUx%HZUZe@Fj~kZOSU5K{wY>G{rgDFJSet%6u;I3TVd^<`dfH#6H_+j(
zB_d+%VGT*GHp02t$&-tz%=NDBUFsoV*yRlyIAS%{c5FK8d;P`R>wL|7eNmug^E`p)
z)`=oLaR1w!_t{3vjF--W<3a2A+hk~+>y8Iltpo;JJ(paPsAyJ*Vvvpg^M{oYde%0?
zn|8U=q=oylc1SgUEw=O(M-ZjD<?p=+e?$OqF#^Yc<?>g+Dj0zJaZex~1N-@Pr!HN#
zZ{H;Hhu)Txai>=m)~+vsDtd`Pcy-o45{x`?b{#U-T=bfaD(oFf>j$es@wj28di!l`
zIVUw|!~7nL1+z&VR}OQxkx#}g7sYkPD+vMjx%~ErnpE(tHjGzBxHqWX%U)ab{3xVU
zua<kBe?#o{s{gmk61D5`D{Ks>@vtjzk9rhWD}l?-yz)GSw4}DZKATTngY%POg~xh!
z<?9^IwDFF=kLI5`8n)7f`df{DXS$u)+bnM(IA5JART-<WjQ87aeF3dFoWP-IxtAR%
z;{NS9^*HaP<?2St2Q!BZ*8?G%%}}lu>(%p<1`e}_c;#(<%@=cedd;`3>p_g`B-Ycf
zNj@6ejck7yjTz5(kPM8d=B}=B+<Y9ImdhsGzj6VyaZIc{5}**8%y7Rk=QQ@SjGHdI
z{8^$DkQ~-<^z-ujg>s@y%1MG&vtg;sH4zjVvtt?|*4l2u&5oMu{L9Re(ckFs<_VZm
zW4>C=vjRfy$T8n_0!j%QK(Pso^yV@+c^qSL5J7Io&B!%2uw%0H=EAXB5x4r{mnB8{
zLvKm^r2UmVFM{LJkbltq60-|AjdKmpXgcLvnJ?T<)LCt*c2+>*{7yC9&QJ3I!bo=)
z1EjHG0!#vqX8=&I(aXD5=5efO7*5IC3A1<3(|E!%pdqpu{#AD6A;?eb_IfwNv{i+<
zJw({xVZGti1;wswy$$SZ&63;c^%Mbte!g7gNxbb4-vl`o2_=td#klk8lIN~p2>KM(
zQq@%<G08}^*5Vgiu>iZH7Z_PJ_lDbG_7)|UKIX=3Xf>Uh6gZ1-5*0(KX@61j8W#<|
z6%<O)7oBNOciWM++wfAh9`y?H!SAt#)Lo$f>tMe(?V4*EhTd04sm=Mka`kC%XOm!V
zfAPHM`wyQOTk&?km(8dQL~PJ)UME|)Hdjj*#wyMp_53IE$50Uk_uqb)$~>;=M4z^t
z-5*UialO9?P5Bj5u&enG0Hfs?z;DJqd@2_MorF7;RH0|c>$gH0ocWG7{=3=v2TV63
zEgOENDQg<#np~$9g!46&9_Hmi8w#@|ACp9_CH+i=KN%VvSSnvx)>h|Hrp>Q>kfca;
z`i)<N`@HO6HMrY_aq9>8sR`(lXyq}?sRKA?%or|9P@{kjN?_9}`}FA<R6E)qAx{cE
z$*B{ZzYj@G`hRr21yo$i(gqqBm>`1$9Xtegm!QENk`RI=xCWQtlEGbrTkzm6K?e`+
z?(XjXhMaruIro3>E!G<L+Owy2@9OHWtGm8k#aw6bZ8XwYwSm*)q*7*b5K4$jkYRZ7
z`I0J-$7%KX*ye*XhH%rF%<}?X1wr0l=zI-Y56Q0SHf4I<-^vQvjy6h~%W9VBbL`}Q
z+UrpzwCNz=*f0EAJ5<uu`qW_XYmwzL6&^suo@Fc$Ii!%BVvnV#Bc)xc;#7Le^}6)Y
z4-96Yw486gJ176R)8bEBR^T%=!mob2?1IyXS*^oY7WYnT>aj<c6lkk&^jl>>_(AgR
zC-aT_XPo8ED7TI9xr~L5%_0lG4cJ*f1~u>9<)%8PKI`kBw%~T_X4Of%ZWcVbYP`f3
zZ_(|tY}E7nAl#8`mur9EcV#VP!^;2CxR3YOagLOy=y1*Bc=!E5Z>(^z3W+YSVkjhc
zo;|4oU0MCbLND-?KS;eS0W*3YF>*n#yrW;^ut<IP)+gIQC^NckhU$t^W>;p+k>M{)
zgnd$B00t9Ilw*3v(Ev(B*XrPByA~f{RhTz=V%}M6KE_|TB1jcP!%E%Q-<MWBE-qAh
zrX&{WwS1tskVdNH3j1|3zBNU!DiGh9uM+m1NDbC!;!L9@XaZIX0#DruWR?I={VHKA
z^#OzDOg=+yM3tBvI`>w@oB(-28s-2oi&yt~#?2}PlkMhtwGtxQDg|UxZydnj;yuRe
zfSFKz1m-?1e%&7X5_KY90|RM?1tVm0G0>iVnC(X(MiPjPwNc_04h*ZT>r~5C4{vPI
zhl?^&eRY8UX=7i}ct5)<J`bPRjAhz9?43+H@wsNbw72=bQ+Z?AhK<56e1Rr5G8+D!
z?-MDaH<pr`u7Qrx-{;vPKwedO1C|x9@zxc)i}&_lih0(yigsAG@RXrcmy-iG7K-je
zc~qV0_qOEOUHQwtvtO)W0{r`CM@??8QVbjq7IJ@o0q_X!6E8l?t=Zk!SN(KuY*q5U
zNKrD4Qe7bM#zo?9_2>EME+t7>a6V|{wTf&<>zmhK6ziL%F2Jhk2=Xs{%5)Jkd%bz~
z0`{)z!jYD1OvgzuIoQl9f!*~$WOZSk_-5lX>*6c^8j@WrGQlN7GlBYX>%WJQFx{CK
zBB~FBN(NkOud5@U_AZmWL#Uz?I;6a7JoP(}UvObLR4ir4(9C0K&)(z!d5Fb7QtJUP
z3O|cv00^ju`(Cjf(lt8HZ8|N)Sp6jzwCe}v_31Ch1n4u(7fU1+v&+&C_&8<O)9a%u
z>}z`0USP=;ATBXg<MmMbbD1@U**bki;b<;DL8}&LWMRw9h_b{H6#X*)aPaedSwik*
z*V$e&OMSnjhPfGnprp5qlsrcI`E&_bGt)Pm`Mk`R-=FCPb=8K^KBIbGFc846wO*{B
zTRL7RQTv;fm6pe#j@q$CscAV@URZ|R9qau3U&!AET?IBCyy5AuktZylS+E^jRwzZ(
zT<t4M!k9WlBD|clV>yxNVr7*|vvhR9DAh7EAFi#bieOJ{7_E%Zo@wK&Ca}<5Epbr>
z|Hq!&p|4-R&PQXEX@zE^0$eBNN(mX9Khh{BSRM>=R&A9T4)~W&?9Vy*^BBAiOK~wC
zcXgoOJ%MsqHS@>bIrrc0-mHIKtw|#W=ud>i3Wl9Dyd9z=>sH`6d4V&Ez(*BWoMIS3
z4nz;S&4DHR$7mxgGyk^FCsH;W1x+BI=XPa2AuM~@2L=M8reOt*tESv;=3fh(+BP$0
z&zCGRo@BI!Ce={z;tW}iP3>CGb@sJn$r`2ZQ#s8tTOh?YbcNlNM(_b)23<Dc&|%%y
zaDK6~^=yc(D@~6nscDXwP*V&fVDh_4sKJ_}@ODd|pMSObb<^{u1OD&0{r&KOXxrC?
zGJ8OEencfEcF>+m!E7qYBls*0U!cxOJtvJaLFoTlwD994idYfN_+jdXru2rnRd@YS
zx(UCcwps2V7+CCKJs+RuwD{=V<P^|Y))DA#LZ_Sq!u2icAnqI^-SGU|fSb8XqeSJR
zSglRlp#h*iBH_g|P3vdojDuhJzD(qcoi!SSAyN(e+JxH+>0X8K=#qXO4Z_zdQ|^qa
zh|rft{}LPpeH|bZ1R-I6tpXpjtlh4Otce!4TEmI1WKXQ8vsY@Wx77B9JH+s3wZoQ1
z-;~Rx_J*_i;*s@Ma3P{JUebaZG@~naT8<?%>85rsC_T>#1!Sr=b}HwZqs<-j%YWZ6
zj?~?GyS4F4GFNcFWb8JMkQJz_40qe+ou}~v`5-zQYfSuT0&)JSMuVZb;^xZ^8$59Q
zxV-MlrSUJA4Hp>UpC|7Zr#7B=<taMaaQwfFSh-kTKkMR1Y$x|RcB21ek14uX3)g~d
z$}GJqZE-mV45SXUFO1fZ;;u0mc2r#W!Zdm2+Umt}JxZ*lNOVmn9Uu33RsrjebMvk@
zgw<L^1oD?>D+$^|!u(>mZM^(l(H<0>lS$szmB2BAp>z>k!YtF!Mzoj9PXb`kDxY&X
zLMi#sNu^*f3L@U%;g%+FDX}5-M@;J1k+t$g{-Om2HkA&3<78vqvhjyGbqp+-pd=D_
z53##dFncFF+0ATbYW3uT3K*EvQ!-hrVAD)ziPBTAv#duHLZ(kG|CNEMX6dU|TYb|Z
z1kn#tF=f7nQjJI4xeR5MpH=rWW&+0*`4+c28PNe{wY9G6a%q*=UfUfeSsi~j@T<<D
z@PLaz1YYb6AMLfiVUZfvSvm?zub&B>Bw(`4QOao2`p5a#1v^b#9TvW4sd7#E4a<;$
z?Lt`6Xw%*`e35=1tLd7{J=w{6l&8QP`t|+cmczz<qkC)YB2(*Z{)b{k{Y+RH&2q=d
zX*}z;(yy)1R%jIEm%OZ@C`u3`D7l!}^(|36eDM&W*vqRIqla)%KZS_8Qc1D<mmJnP
z#}a;!cO`PqJxVXcn(H!$TEw~{247QvKx6hG;-J1xj6Q87U#_K19j+aSpQFa@4929f
zJ-*Ho>$sgQs85g&L?ra(y}hV3W(qMtjJXKW+ez|L4o;`1sa0G5b>p-^?5nG&-shSW
zkqrj=v%OO+L~4<RY^<zYg)v02z5Qu+B~`3hL!mphg7yFoxm3C2IEf!);CS6G6moxX
zQoptVcxu<#Kf8tBzHv(N_%s*>rmZyZw0}tdJwe65>OO}JSeTYNygigyh85%jOATvt
z(jOw4y>4#f3?>_KH03<W7^ra(W&?dX4ah08yex48?>{Gb%P})mygtsk@x6%Gb)=b)
zbaHr+7N##onT*(N{iSll-UD>YrF*k$pAFc~{gYBX!N3jAF94cCH)kXN)8p=8Z+>=;
zP!<^ENMopGds8{?zW>4#OPtj6!vT+xa2Mg@m&2L#%f!MCOTSM4{an~;<e0Fa14i_L
z%tkni@kHzE?2JjGZsky15hr+{@!cHnJ8J%JG;inm7*L~ddoV1pre-S$bT8X3C}b<G
zP@1b-=AC{m^!0)NnVBxKUd!D@E1R`iT@ri^Os4SF5QRgm=r8gZM`3qckbvG9tniO#
zk4k|h2ceiV_w5Z$Rai=$%hZ$($>`^~BbhOL+P^g@lZ^(@b~|A7uEJ#?mZsm>qPuHa
z@A<g$VVqv-{SePb#oF=iI9E#J-3d#xeV*_K0Y69?VK~WE;`6rfqQ-ag0}BBGWfzb}
zGP-&t#E0$aW1~L+IkVmqsH1aac-#fu01D;u>MzNve7Q;9`0z7bff^Zr3V5^ugT2k)
zAaLOMS_!JK_)W^M27>|hb=uYhfq5zHe9600MR6STW(}*w&7D1?d;*G_qRP382hOEp
zs#KogKj)p|^p{`@Sj*5ZZj<d$tqGpjz^2OwFB6(PM91)$X5V@-&CCL_0m|Ku$E*11
z&wl3JU~@Rw>R3z;3)EmStCXJfI`;5ptorlZ!vQ~~5ogyl40U5iP>1lIg9IE_LLFlF
zhR9(#=mT|8yB6*J${wPXG7I{w#9QOHtdP{Yrt;#noSAMSsCDlyD0ldA{<Dma%6jh$
z=|*%nIG60y#t^)!JstQJ>D4lJzdugZ+}d=j=^DpD<K*_xPG)_q!Qb*`F|SRSucAX`
z!mDPAf&@S$-E`LQE84G+de*MvL?zSkTV}q8^=HrCRM&^e{!DHZnC9e0nDOIBBB`#*
z<Mo$L)_Vujgqv&YAq@MD-v_swaKp!_qo1}5u=R9)46Mqf722Eyk^{A>TtY=6oe_ga
zwo!Oe**fBXm`z|1Q`KK(bV0TH<6gB4n~z^P?tg&I88E6}Mpq_m8H1yz1BjS<(<Y~O
zJi{t+bjng(>F^ehMeMUf$6G&DPB1Kk&O(_a!y6*X62&0MF1J9xZc^Ff5cRGvBn`GE
zY^I&gqPx_5_?9Wa{+)>|Nni)_Yw4GPLm%)IQ*%kvMJ$iYgE1iOu8Ewp^yEy!5or~f
zjWyLtYh;U+KL@rZ)x*an0CvXgau@}#uXeGU?T=a}D9HURX}+F-zp4_q1?`=8Fn#k4
zJ3tT`?TZ`K{VkjcOM)gdHu*oRhs<5SCeI<bstejRlTkNlO0;K4r*es7v#kG&x-6>e
zn(la5+G_{900`0KuHIMAOsP{ze1D4V8Ox~WV@2*jrayRE*^8KCZ-Cr1$214+AOWcU
z{Jv|ak#1Yeo$v=^F#*xRQ%6KOd{{dtBPhD?Q*&QrjOOj@TEVa|FCv3Q72$cohXRhJ
z{76b?htAlS9+Nsc_|!{03!gd|UjvOQ(Gy5r?~vb6|LmqS4}c8r*h6&X-dpgPPLmq>
z+2KTIWOuLsK(YyW<Jx4>S1bQw-MrwVaIxK`(4}B0l(FbcnG-y9UmkK%J#E+h9TgQJ
zVl;{vkc4z`FZtqA#B1d-*cQ)Q%}==-f?q*>eM6fvOm`Q`fh30Wq=~LxRT2GD{`=Pn
z6>U&*f_2Adpd_=%zUe840Euq*{p0B3v=)s~B5cz0l&*$t&YK8n>;8O5=kc!Ck6&C9
zzNM70?!YCDx;@i+Jh{D4^FvHm{rrPCN3=nBy3zD%@>BHvUk~<ehrd`n6d}K<Q@DVV
zVcmIH{oayRcP3D#8S`%lX_VXl>z|41>Dc$ivuJYdTjj-jZq^&-lQ_vQ9$fmgn5-;0
zDq0S;Ei*qX;n7?qaG!7}`hvj`0=h@DQk&JKanDtY+&k$2Hn{%tdW;)&&91(Of82|#
zm6xp96mmy~Y+X-|a=nPfk~_oQ^CH#a_i{<{PnReLK#m<BK3>7;?#x?Z>cTuPoX?O#
ztoB1a&|bip#i%0By)_U>!~g>L`)dXX3YVhN9%Q{12*Ltj>vxB?Q8>Rh!4^{N@>qV+
z0j130?upM)G@b8uaoS1PY<xk)KoC!G`aO^1n(SRY{#4q$k=#9T%L9QmQf`}c4lNY=
zLSE}C5))u|tDCkwl`%C-ZUzSa!eCi8lX`Q-Of7&61Qz(u^Zj(d_m~Jyx{<+w?FRk5
zY1jgu`Z`-{CAlHE*t`i4yJc$rIyaf;opSCXp{p7IDO#T>OUeyXBa@UYc#+gt>-LMj
zqSKS%&pg*5q9ZF6yVSdqhU2o(;0!bCOxa=6qO69YDA>-E^~enL>JEj}V=q`iJE5X~
z--T5oGu0Gj@aOc2-t#;?*H2@@x&l88{f|1Glp>LB10|-I_f1U+0G?v(Qh1+!GqBRN
z8-+7#`K7V%EjlHg&P@5@3Dw~k5Cv;D7&w0~$j1D@#Rb$leW(M|h3L8-ARao+Rt#3e
z%}HQ^%v;HO8hn-8P4<o9rn?=b2eq8(TCpsvA5_s%pAQCsmoOw!zXaRd@+vBGq*`7-
z__H>NO$OK8HkjYoay)EM@)NMQqI7QelFZT^HeHG^`Yod9penjEy+>W*_8U0B%uE#I
zBZ1Wg_v0`vJAM{bW=Nwp2TB!pZ+!JPh<|`*wSGa{4mItZ6wYz4BrN;07q@Q<M@#Y%
zp4pUc1MHOMet`@F10fbpsyMrcxW;-_8CrAz>w?qBTQ=ID(sUEEFJ>kIKl0K|Xic^O
zgo%VG<rp{Ley3L#i?C376=#;!`IGWeQU~~-*$+h0cyLO8NM@|;dc57BUzjz3B|*I0
zB|lkL2(7l!XuLf&)=6h6+h4hXTzBtDQjuL89TU6})#o=o-w~2!Hy&hw#J2fXbs1kY
z*c!z>BQ`W*`5G!%{^5Nwu0#+Kc1x|kpDIUJJVo`fJ8m)MB?9vc2CFu>-*Z!_8ZU7x
z2y$1Ogsq8VhZpaDBSAlF%e=W+7e5*4aXF*dCepm^v)X)UJ2nL3*y+Dllj}1#Xd<{+
z^-F4q?!ZXgM!ch%o)bdytZ>2H<{5s>|Kpbt@E(8!H1a|B4QwHacHKrg9HrlRM<^lX
z7O(7Y908NN=OBZnm)gsTb>wQWFRh6Q;)#ijbkdkiBHn5y(Y$@l-9tVfU7@LE_a^>w
z<&Q`M;Db`1Co_I-Y4xZ5o0jZW1i0D{@djPiyy!C^b71WIDqOHn@0sz^C+4_NP>5SE
zL}!fzjfta_pjHVZ^7XhZO=iTkxd_0hfql?=Tan1wd2squ$zLvz(b5NJK2Iw_ICGfR
z<pL>WAHIBFez(MEuq2ro2@@u2+KI*ZB<YYK-noM~(V)Fx5RWq=e(C<?=HmDocVcm(
zW@RdQQtFR54r`PINI&#F9}#O=6cH?9=>76{pQ#Q4#c0Qg`K-OkB|`60gK>siSLo#o
zF44ms9m1z<cE6eYF}*(MleP%db}BJyE$}!KqSO*%Kmr1H{R{J}l`kaV!25g0Q_iV2
zbqG|X;mR~zSQ0zt<Y=gGq~Foc1cc$1KHIbDe_sxdCz3(~0fG>c$QTliBNe4OVwlu#
z>=*aB=m1jNI&{CJ$XS%lTK<XJJsmapafXO#Ed)lfDR&A_0~gGZiyghp+S~}e-ENGC
zDcn{@1OFQ*3xOTAxkQ;9vE_7viT$q|F<&Q6pw+^%SB`Eo;ssM1F5P_HD&TK9VjtZk
zVj^IsOQUXnankJ)<ZoDY?EbG<A#wS!SdiKEqWlC~UoTN+ZsJ5a|AJ5&VJoU{Vd0{e
z<plSUn~;?nu=reTIokg}_kVU%3_I$Dnu`kKd`&c;<F-~&QRs)h8+l|!lKAcJ{}iQ#
zg}-1yxThn6cvZ}k?Uy)g;+@2FfX7?!7Voz{=2$1}MAxzuFey)0zJ!G=d!dOhb_o>3
zwEWE3kvc{QmO71=ENfith^CH>r@p0xZZ&G>+3kN;_$!cH%_rFO-AOeF7J|)GJe+4b
z%sk*5Nl_Sjp<_qj#GUj{RCP#)Mhc()P}WBFDF&+<1&OAN{BI2P$29uIpvpqb%AYWA
zH6<X|R6`}^pKvW&b&c!KlVY5|V!49hqJx`u|Aa6T_b0;_MGq-f-2VE#fzDG*_K6zs
zgRRN!q4-?r)qoW2jBbG??CJiFRu2KSFFkr1F@mB4PoMNNmH+Rkex)(Z)b3DChv}z%
zxTlbwxeD;$+(kv@Uk^m;TJQh-b`$nkxm|IZ@gA$5B#)Q85MKWR$detJFIz0Z($4<V
z%s;VySle0fQ2)<KDgs^^tbgL+e~2C$Ux}tNhyHHtA4)+{5A@#+_;Zfb7x*`q;IAm*
zLo;Y@-@)R)QR}DZDQhJ?K-&V~`A^XLuUkYwZtow=xhwvOs6X9rDAhve|1@SM8rEH=
z-4;vstfW4#45B0ArcDwX?-9)6g%(Y^t!1t`uR|l0CX@vj3qlXgmcwIMFNk0ii-%H2
zo&t;Zx6dRUMN=aU2Va3lRub|W`x!V3n(_rNls`u3dEH8pD`)gUPJuH4w>DHTh6VP?
zQzPDPXAb3#=B<E;XWe`B5A3xKmZ*%D&fB8RXrBy~HI4lbuj3~hEJRPg0JJ=%HFyPJ
zc?~$cF`j(;bcK$PArjpmL5tAM(_c*>V&$}&=eXDePRj(f0kfG&f64K$6^#8u^biYu
zBD>tMTSxo#D>Xk_*6GiL^t%M)g`>wiuAMS|OnaceJ90WDKV%5kZu%7h|8x&K+EuBi
z=(Y>T5vKx|;Sx2PBOI@zKQ)FT4uMkwLG9Fjb6xnKE3FDZq`iO9S4Lp;l|oY@-kb+Z
z3|@=QsXY=J_9H!xBa0`4dy)#(Y(%^-fBrPG-&#F!EMSuBAHQkJL1A5a#8Cg>e1C*<
zvXuH4o2DSbpIwJhzcbGHi8$kJvGkbLp9y>drawu0VFV=40Vui8?zx5tFl_(ffXPHE
z;9p-h&jC|&^1MLFT1D`i2TQ^_e_PWt0`S#5_tCm--b=vdfm1Iubo0l50Oi}^-h998
z2VF4qcs}_uIYE9G{w5Ix<<p1Ce1@MAmA~I;j8j#bj7k`&Mg-e!fDq<I_-$74S47{v
z#T@gE`@#D%q~P5Pe2#G8tIsWVI^e6*28?IytgIshwI=h2JWI3K7GxMOwLTG5U<4T;
z&~S;dS8|El+H4O}@T3FQr!Qc?u<izZQW-BbUMf5GzXyGqJ9)+VH@^c`vjo%!rOSTz
z8;Tu%L%>^gaP9Q3U$W8y@Fm#bYam^Rm4oc1;r~Tcn7THFQ0BMo{e%FE?sJ>H<gi}&
zbGzSAn9P5P=h@<h;n?48fgPs*1up;5dM^}{2C(U@HCgpP7ui?>;tc6vgYyr6<qvfz
zSt`ALzW9Hx5@ENN?S3LF{g<4E^dB_%M>;)V@+;H71$j%Q{|}!H-1J1r`(G(B5TzQ(
z;uD7bBj_c7C#gR_|B2`FuSWd^0srX&7@g#aBJ&G|6aUfu)AN%0GWWj!H-XIWB|+`5
z$<+UxdP{IM*%$JEpYH##<q&$I&HvMOq$r58tf!Ij|C|h{K!X`L2=r;90)Mn*!Hw(r
zv!ySo@`{ZfxBJ^`#+hJ`Mo;%aZN(%pokL-d#f9lz^-o$np{EM&*VmVekJ&My3$=<&
zjGqN6e_fA{R~4mVq<O@rlPNvnato|8pT>-x-~|SHcvu)ujl(R>-lu&z<#*u6YR^|*
zTdt90^xj(%fm%XfBoTLY#7Gvy!vKR$7XkyW9)oT|jp@!Fl^h%@j&wJ2HUo-R6s&pG
zwmr%9`dfsT+smKozDrFHOwBc1ULW6<0|uv0lT++cT~il-VVC9SnTay2wXoY2i+}8Z
zQ%$1zT5ytIfE~RI%T>8Q<xVdbrdxDjk)|4@2gO8}<Lnw)>Rbt;pkYFrsFn)XUNmu2
zv)P;RD>BqT!Q2cy9-_LPAE0)<)mn9CJj=C^u8;uCRTkNv6$s-5B^R6G%&$8+e8tF6
z5qRKN%2?H3&de#4O%^LTL`7d6`ygIJp=0LZr^Hweb88Y??`2&Vzp)U8&O0`Z4Zc;g
zP@<%}@Nl9ORwflHzB_u39f-gh-`8L1fv>k7xZ9$G^je6No>riA?M~RZ4ggB%FRe|E
z(QR>8A`-TD9K^JaPYI>r`Y<_s%)vufmB%=(9QyG$1D=0??ul{(H@A`yZBwLe0(8s9
z5L;GDJPHyh{<#|p^ln+Uj{+srs}?e<)i?e8S!-}RFcN}U--=$QnHWh4hz2DCt>zuP
zUjqGwGSW$TNdn>DENx~*j3e5ivJwkvq+!<_!`@V|7dTXyM=4N*4$U6+j%f0$-S~UH
zlwspzLMp492zss<kCCYlhxWmj5v};h9_PWIv6t3Q*Peh=JQ57vV<M4hJh@|<D$+8}
zlBvCNJO1*fk@r<y@A01JrAPviGZqOMDjAod$_g=kx4jW{@!%0jG4tE>9%!LSarM?3
znbZ+hV7~9<=gQ3_S0@Dp8>No*8&{axGK5*-KtJ!7q@o~^S988QsH~NaO~cTVPiEyU
zZm^Uv?A9)MMfQv8I?zPF|9>qtHloeV+<Y@wTKiP(Hon1B|F*UttIX~WB{A+vJ&Z2r
zSO{!;_wwx40~irbA3FIWd-uD)gYHZXK;Stg*Yag+=W()&fdi`im!MTok)gD=y2}cf
z=HdjnxE?w(WVD8c>N4M}>RfSTkn%t{XcTmqQS4mXuh{y+L820(!J_an?6fzvdCYYq
z@ZQ_H=;(5psq<ey4<@^7kv3QlCUe*c8ErH)J1;6{;x%OIJxBj6Kd;<Z<I5V;K#p&=
z<{M3}ot#cy`qSZYiKy&{;LcXKN{fDOF_Nj{q2ucb3mud1U^Ti262jI8pURTOCK@E*
zgeHk6`6gvC(gzI>h72#2s(y!-qWS@5RNzE`i1x28ERop(y}OPGRqJAUJ5S^X(=H!m
z({EHqbV-Y9oBl7*x{_t3#n?eL<HSmJ5f_#xb`pmA8Xqx5iir=upP2@FxwS*9BPhj~
z_D-{t&!D~!$ER@-ehr9-zT>+*8?W((*-97lVQIYK0lRjJj(R$q1EX#r^C7jIG}?I!
zy-Jr`zhhqLAQS>ibDZ&$H4~z#p&1AvspRW^{+{Uh@|!?A)MD9_r$pB*?~f9>I34bC
zix==k357mpJq97>w?liwAQn7ZSM9lKx;j~emYxDba}%g>u&S4bV`G9#a-vxvaKZ;)
zOcd0X$!h)zq{F@=)FqFK6vUkbu1Exb$sl2OZZGlLs}+ia?vo(DNY&My+~qj^cleY*
zhwNm2&ZXqe9Gb0u2cs)&1i)@lSo51nAI>bb@SiW?t9>}n6nkL_Exrt?9#E|lH&SMi
ze_czCbQrwV-c0+o5p%&O93pKA`HmYiUL0JmGWO-m4o?@aRO923gmeYR3Kn3tLVHhE
zx=p^12;aqMqa?y_6xVe6&9s8NWh4R8shi#sEo-UJracYN;Xt6j3knQ1ya^ncr<Ozo
zO=;x}{-rW&HfvP2Qe|Rm6ZFlm-AQjl!Q5#4pnmogB(|1<$(wQvG8UBBEANjz7xsEO
zdP`F~(hr8@MS0n-184ydv{oqd@Ybvhd1%?o$oyO@HAFG!bI!C&1;f$zy|W50*q!sG
zj~hl+&(XXL&*>Rng5QiG20|2IsfrrHAz%MWKh7{dE{rqsO^lfPf)>avfz+=0EL?xC
zb;h-nlk=Q`t+Z$sZC`J~AuHvwvs`if)hGLf>vm{Zim@9j>tSODuLCSwH7rB5Y=ae`
z<^_O-G6vPfPIf0K#w>OPbBf8KxLnMY=-K94Ds8oFa1j;}te*CS@3$&LO}?iD@vy&A
zv-H-fcBv1@1xwd{n4j0M8Nb`_(1SjyR`Tkn8NMZYZv1*T#Wm&BVsu(Ci(NqKbHrac
zwPBxACUopRAG+J2mUy<YM=G!6$tyogC#61Ai2MKUVJ>JK_B-MNc?r5dPSw}M=6lhi
zFNJ%AZe`cJq^12`?vHc>e?B6IC4oq%fj};<LqJJ2y-p<>B`bpjpT4E|>eYKXqxV{M
zGFp7ZJE&*g5RtjfiLmzuU6|zwjYj<%W)po{j~r&_{9H1Ejh6Qd<)zv6x$l*04G!DK
z=TEb$_QQyAaa*BDHDnQKi@_eLCcI-00miE201;uzqO9h-BjbU2`yJQools2|8pY3C
zdg{-b)?1l6uBtXpNwP5pzfAu$$s{Mbup}^9OOF(jo6*WM35wylkTp5Joe}nTP||C2
zV-p{0Y@;f|lF5%}4i#AVNtAZL=qFAA@k(1WVm(6ffkY2*ctbeAy#M*Ah^@j!1gNU0
zd^M<o$W?Ng@wB@_UjQDYq^%pU&4*M>?Z&z4cZtF$P0>QT2xDKioJ;NOKw1bu$t}=F
zG$5XkiRu0aS#fDqtcvb!0w?4#`uQI}KR38JI<2kFeX?AZ(qbYW|H!Q}N$raAM!;Pt
zYkztYN2phY_kt;|_uftTq5IOazc`Z$_&x~P@MqS8lgH33P4JJw)p9tq`I{U6?9CMI
z-$cdtH-ZAWR~m0eOs!4&68Mq&#l?;3zhjY}P3jradHPcayv6)5RlfQ|ppTv}>2P)#
zW5fmj4zW&FAb=J_45!;muy`JcN?u{`E!wM^deV3HzGRya!9rm1t2RBEZlr;>E<naJ
zwUm_p&=AF;!fl+a5HfK^o<*d<ESCe}Oga{n`wz78hbUn_%d}%zlmd^gu67b!XFQjB
zVyFe%FRxXm-}FJ3Od^Or_6`KN`wh^tcrdf;@jCy?MAXP<jNn#iVW(L${FH<ptqqtp
zuL5JNm`SQCD-a8u2lt`_Dy;Kc9PEW?l8UK*=cwbzEOS^TX0WKYqkS1?K}XN8xwJG#
zQF!Ed#{9D#D>&|mmpO`3$x>KAY2TE=(S)dG!jDE4jN`57EAGs#6=t{b+)pdKo+k|+
zXf)nBCt{f+GZQyc@0F%Be1$#zyF0A_gS0c}Eo_^6fbU!=>eB-P72aS*-@$BO!$^Mj
zohwO7<4uxlpD0<(`?_MyEpJ<=$U_t*uv*LK7&fHQf_()uMq<U%$D!#FGdQ{mZUhv(
z9PHoKDgMf(=`k@eh}ohXohR4YAfdoKsDyOtohh6uLXut=9n<?#Gzm5P2_Zuf-l(z@
zoZIu0>w>c+UqkSX=fjDhNvsvJ(wm2}r1M>5A=GjysUz-KC3gFs$5p0-86Z{TR6=E2
zn_l!+q%laav<>^a^~!zO%izVmd8J+|DO{j+fO@<YIq-8ZnE0&-JP?2S7iMUNjXsEy
zfWwHIBSK-w*TZ-C$JRG5RH`4eoxX(lbv+uxzBh1`ST)y?C>R}r^D(JAmno=X+Cj@H
zuJv`hgV)NN&Nm+#R|C3*uXS6%jmU=L71t~o2U(Vk-6?4gopgR#zrDdc;xDmG!i&Ih
zocx>YTONs_qkQUg3GkT^h(6R5yKK3NrtWQ5TIMEdrS|XxHd+<Jc>xihY#Z9^Lc5Mn
zA!-hG<Uo86PmO7Z<YKbf>{6&1u2u7ioX>%tL~ODXhKY`!*IL>bdo#|XWgdRoRZCUt
z78CdQKwb0gy*9oQisK;9qFceoVQGV-4AXut<{u3-xQ&}Z(?z&k(2~_b!slX)_$<_Y
zv)Fm3Wl^~?>p#B-+5#tYzz&vit%($`?t@hyp$a&JPO6xnGo6BsQ&+4!AMrKGf9qLE
z5Zk>N^;mt4*xEM=RT4ZEv~ArqN}+H$zt`)lpOOk2R0@W?u2`fmr|gL9cgi-+6&3-g
zPG#LxRRc@QsmjFX>lvwes!cpW<-!Q4;$o|b`~jt9KcA<&4nd_}_q>}hUAiRWJo+hc
zax6u}WwyJ~>k%teY3#h^PHjPUH`FEc*shx9xqK4<{FquFg!}+)BNH@P@&-1U6RH)~
z`=LKWd%iZIkyYlz^E;s9vb#gk-K-e}%(#Vb6Z*`~eVG2opkC5)LtqKL4$}Y*A`@_5
zCug6tRIuMCa-G|^Mw7+!=9H+)QZXSv3qHdASWm2mt*x_ErwQK*o>%UQ^Ud=KLdKax
zj8>eNMd=?F%1azC+`X^J(eKYQa+q!pixhl}w#G=EIS%(-;dV3t2u?*S@t!JM67{yk
ze3Gqs@`4H|4s%E7_)u!RNcPHUb$gD!<nZKNo9B)n1t`!!4c}~7f|B>r9zr3=*+0D>
zyCxTZp00n5sD4+CT-40IZARZo9WjMialQB`qaI&cIg6&zAN2Dh`jp7hE{Q0Oc^1S_
z>bhy6%X)r)BlJ^eqA%n*Tr-f<djDKe80-8w>x*iQUPQrMJ&j3fUyHf&NyC)09hG5^
zH>WOa@n84tohvF#>La>llh~LE3P{~B=u@N$18Y1I`cp`0j^;EUwc{BNz&Ki^C&-@e
zc&=QBjB}nAMz^0O2@{daO9Z|2SR8WGv-g`DEfd!#LTupCsJAUuso78SUoc-cC4IMP
z7)RMH`^hC_OLjRGq`}S2->UB!c7dj>!!)n$O_zKi+PQd>_0jY@4VuQ7l(Iu?JVO?Y
zsvo=gfaORm_g*M7Gob8+{tT89>kkP2_<r#KUx(J1PC8yY(7||ajJ~p+!nVr9twEOk
z2jp1S?CWlZ^p_J(v=F6~ACSoMDp|K_PBb^k$sDx>M#)$5;^`0??=8X(ifcSo65iEc
z0j9af$<K5*Omrk`2h3|vNojx3?YpX<k6&edw7>$^-20?5Hko%aDDdAS6V|p;ADjJR
z;&wdVR`R&#FK(y>8wep(uxes+f82d(k3o1v3o~Uxw7VfOjQcAZM|47`DoU}*%tH~L
zXlJ*@-_vbm9&4!DE+?9kR-fuU0BCp2*lr3U0Dt7BiE2L&f8>Xa(ZSD+CwX1ygjYWx
zEP+79pJ^C=Z)DZOSD_u%%G8);jBfXE()V4$j}$#UJWH(-XKyi+N+(c%+algYa*yGU
zGkLngx6!LtU`qwcX==SgEbI_<j-cPa<s7sQ&Gf|t++&)C054mt6*hh%(xWVXfLEz}
zbYarCBYsa_s!ycmZV!13%9L&A4>FFRB_R8X##@_D<5Q}z3Ut-1t|~qM?0PpJWG!gL
zS<_earcRFrN0CK;#1gNiNj{Vx@Iu@hm!ObRmc@z`jSYu;Q?8`{;5(1*g3fdEr0>=A
zTy5rPw3mgUGX@B@J8GdBT>S5{Ll};<g@1D%GuF{z{BXBoUb_$B=Y4m)$H~eVVts*S
zDZfNACQOl_x|bW%x+GQ1&UpXZ6=g4zE=-0q29qZ$LOc7#2VA?FiGhH(R#hKz-(tr)
z)Qb>}LQOtboiN_-_ZI?_s+c%SeOgIZ^)aREd*SEIl{TPXw#>s_h~QF2211@uu!;bb
zt|EUn8%3l|IC@r|1&pyT{d%Y=xtB2eD(r3*?S)Tl46W>4F`P?xKdne>c34rFwg~o_
z0Q06CZ)bnb@9OTqog}o6<$WPn6SUP6x-b$FdNGQW)DprP{zg5cm(Xn_UTbN4TQNNI
zTRa7m${{F)zNLre?)-XhyrJTEU#CSv;YH|O=_PCsOI+FqtM|HtxG0+aVWmabyRp~+
zRHj7PIA43WA2h$)$OC2zs<rdJ0Lq3NQgaikaaX-chowsz+SzN2k`|qIpzH33m6+Gh
zb5nOkJB8!kA;>MJsz(YN?{IKQmS}_RWE`s^A}(s|W}RQfk?K-kNLd3`W%h~^8@Mk=
zdTaKPU;tsFGdi{#9DE!WPqXWA_6+}Z4ur$-z0p2}m$qXxmU{?Fbn5POP)m$`R<0G-
zAf<~>3neg^vs4AboP}pG!jfHsWuB+1M2|M-`MYAzB1y8;18~z`*ZaOA=3yU`ehFp>
zV($%C8(N~VN_6>vx~jr2X?3~%RRZDCav+22GdM;2>p>Q}9;Yvpn0<f?Wa3@o{v1YF
z-F{~A(*gdJx6=Wp3r>pPSg|=-lO|je4=SPs&vfTj67ytsxs+^1@LdJ6f|`{)EC>c+
zFpRIwy&6NE{IEU@1zC|HoTtj^+h4=$M{Hv<Vk+eDW1?9;{Cm_cd1H7yJ})8WJo+Ni
zQ*BEoba2v(t^F{A%46ANz1krO&=vzYBDaJhO9B{ZIFCjLweCABR7>1W%DjO>CQGQf
z5Rp)ImY}0sd;un3>;a1qR+YgS9Qg^U`Nf9=4Dau76AUg>D-e%&#V&dhFGPK5qOhk`
z;o#PMhGhZ9^Lv7GLN{o5jKx!;fM7VU&ld&GHT_O5c^B}5KrJ_6d|>3%lAx*1Gbw69
z_z`6srqp53i?M+U2=?98_;JlW{{!+*0qIW~Elrd|=8K%jlGxRShu>?Z_i)g^hBr(b
zefc)_&DNH6sy44$VHRD%2vGb{;+507pQh6^#S2AC4lZPc(CfxYg&iGk>|Lx5$XkUE
z0{m#8jGm>-5(u_1H#cu@<@>P~o*45F5<{=91wFAFw#T&_wNw~GY=wt$5c+Ty%yP3y
zh$`98lFideH>>&?heP)XhoHFJ;}1>!<y}#l4Qxsb#c;S|7=+85C*4#tiU6hC$ovPb
zhb>nTLgnD<g^CJ@ci9D=T56qhULXaxj``y4WMArD4-xsCGq*JfgWXvqgZArR(2YtF
z$gR6<zeN1AxpC6)%(ai)Sd^moietm|I_uaEHz5~aX4FF_>GcWY2SatU=<dI8)BlQo
z8c=N8!6Cjj$~>F-=&*UIHebf)0x}dLpHU@(qaZYqTr}m}V7PPwD~|E}DwWybZWq3f
zMDc>NGjFW(rC*Ib({=l=r1iOhbx5psr%e%UhR9n<62{G)%i7tk9OuHk$E>(Pk|Agv
zMeH6dz8?5%;XtyBqt*6;MPj@^nIx>2+T=@Qqu~l!Zc>_u{pMs0P^)k&H{!jDrxJK;
zj-0)@(E#+ElXZs;NUS>PO1!(4!g-|rDQV#1R--~roj)P-&c4hTU<?wz?9jXqq|f5v
zkLyb(!0xm|_escsWV&zk1|!`&P~gq7xtQB}3T_i(mOW?*Tx-tn^lmha_>4AF67u#^
z#v0pDkjdqshKNv$madw^TqvQQcVXrJK#wKJrTa!jILr$Z0ccxapJj%_UO=9JakGmT
z8>Ts0234umM2}9fyl~}9PnfYoV2+r}#xI66r@bE#3_>Siv`;)qqNHQm9daVZtzw{{
zO!pH$hkLGgebK5P{#;n-1>`9CZ<>9cEhlpon^e3agbz%#o2DV!R?YqqRdE8tpRQq1
zhj{zJAjV(=fehxB%TXwLS^+*n5#~G4N&*6Kh*))EKGoMP$lLm22&%J!)VE^#e%cs|
zTC=6e=YBSrI~t+IV%|ud+n}C?(j>fr>Rb2+)nD(;hJIUL5FxMDbzpmCi4XVIu%o}3
zf@)o=@#x#ZTTvZKflI1zB^R~XI9aRTM77txA<s2kl6E4A<{QA;yP%Z-YR}i1nZ4wm
zhnpJ5>&#Nc^|lc4q`yl<jqfs*t4{+K(=`W$dfCC%dddSh0!6@P0NebG3b~q1R)Wf)
zD27Lmq{h?Rs?7YAD*$;5S)>o9sGj`GZxL6|gx-p>5w2x41t42-!FRw*Y%#5CXj)oX
z$+)o#M3{K74Vxg|!F|bS(OFZ)Ne^s>m3Oz2)V|}mv+ne8b(s*-&M_NISdJ1@CqJ7@
zurs>YYrN3ft(erH9iK)+TDfS0UOS7or9BS+2%y9zWTS=^t~Kd|mv$0*M=BU3HcUCZ
zu3(1Y3+dk<hSUoUdL}St*nK30RVQ%iT%K0Ie+3_?jnQ<{?j{)8)T4;!3<^1j(nAPp
zCu^<edkMT?z+P~gOhCq^Hxg2P%xj0j_9I?8;iOb6Wq*|r1jfRvR!j<e%?NjXY?bhF
z0IMHwp4By4*VtFYpW&){2)qutIZ6I~97Tr~jms5Ka-zQwb`uj90I4F9e3c59aIx6N
zJAMhZIscWAGAJ{C`Zh?MXDPXcn5~p{qgCaU%8AzwM(W)ey6mdk00p^#1RlolmehZr
z3UC6sm4PNjuBdY=14)r@Q%z~);Q<u^xNi)xwf3O0X;4MO>HM1xwebKrTzpgeZwFZH
zXzjlkUo))J+%L1S7UjYTHP1tYkv%XBy(yDF|4DR`B@;~ua(lSmTr9oicse5x|H=9M
z+;OhT>U1i$3;LS?R;9WNdOJy0x195*FpLu|XpZ2Snptn`z>IvTT!AqzF<wq#ufkVa
zk1*^tLB^S7EOrD3no_D?&8Mod#`bF12ALS%R*J)42Q+jhtuM)|%SzDvDDp@Fu9u<m
z_y>!#93;<HYj7yPQ2ImiP=89d8(Ok2$Zh^gx-9xl(u@*EfM|a%lhK^FUAyTUrtnO?
ztT5%#NEwfIge9SUIOt*jQ0tQPxut7<S>P$WT&<dK@R+XACrV}<;DP%ZTd4~#S7#6n
z^c3m1J>7ewkO1e4TX{&Qob&{K4McA0Ip*hQ4eHIPaB&$oDjK5``Z|*Sn~~!CU=S#5
zUlBmd4A8d~O^{ONcV%JHh;s~O6*+5%#+(NDd6qr!c&k=S#e=~LYHpLmv%3<A3u`t7
zUC<s0V%>c0*#HD<)olWQW&_wJuV45QgHqpQ^mf6RL1Y({UO=AG@ls~(l2bzvSgf7E
zYL3V;0#;MBCX)%IQ0t-0W!Pb}Zhy8db+lg+_9f$8V1aUxp1X;MDyEA^w@6w@I}&3h
zW8dYi@Lj02?}Y{$!%R}ESJ9)2Ir%zPcAT`1j*~%O7ZHxCdcZZRdT>vMc&%*du>Z=S
zR00upAYdMs)!LadBS+ME2^p60)=So|GetfI?6j5_YO`#Na)u@AgbN1W8SSYzk?;3Q
z(+(zMQ$rxm3NvHtVn^y6!It^=nG7<gglX;W0-ww_%G(RSC!YCtL2-E4wh7+$7L<zI
zB<cKZTXi!~vQM{e!LWitPDsCYc0N1qH#+WK*{n@XOsG>{MfSI4j}6gd%|+^D`$^V~
z4ZUi)B;iE@!O9QmE^z{5?+f=hZ&)q2_XpA|10Tun0#9#WHL89-wm2azubSiis3$_#
z?Eb!5%3e)B+*uAwDWV4NirzV=;ZS8c{u~U}E(%v|1D#%g!gQ!Ky;;!1AS%QG-n3M!
zSV1EGoH+ri+2S<prX^=G#m(J;lI|(B;ruthL1V{YUP%NzHtW6Uj<Zi^1*TopuHEFc
z`D;9$celcixC_$SU^Z5gZn+l#j-De5Mr;k1>ZqPLLKzGct|l$_5DpH6$kul@PV|xH
z0@?%}>v>8hGcKS#k{&%81PVfse3AI5<w?Eotb_5%ee36sH~LF=0vXHN#6m$+OO<7;
ztPKXHau;jzY<NBy-rhPoqpi7H0u=zRdParD^6$CE#J)32i)Uc5lxB}6(s$bH)WHJ4
zk6N;0O?la>;gDTb>a4}P$1C@nYgmCs3CVr#(|$Sfz~theUC>ChF+s1H<_1gM15|s;
zwGXhAWa63&%@1ld$#2pFQ5dd$D&KxEX$^ut6Jx_(Sv9<VJ%jCKqW3+9v94ZxiCBTi
zKCcaW$MI1yRP%#7s`BsYuJ^n0j4XB=q8DG=^2e333}C68$lu>E6!G8!jTqx4@rnvt
zpcG0L9>!7d_o@&GvhBEkOPF&1c1XwfKk(%V+QToic{L=eSd!FjlFo-^SI`u#gtuW>
z%x<Ty_pwLurcGbRVKBZ5^K^{fJmP^`?N2gI(~&H6fTzyt(eP6SvErD);`!=E_m!)Q
ziwPS9kei#`E(j=e@|*GH6)pIRBtch)QfG<zr5gAuod780Wa0;j^u82wvYtHn18BUV
zkaa>R+0H(Lp**`+jqm7M9!n5wNV#~A>(6AXVNZj%*v#LIJ<r)Mz#eFLO?!hKHrRbe
zn|9&v?2}iE5SyljbM}()wH|ukg0GyX`>4oZgMnR~pCyLTjyUrZ;sXH+pkN>(gG!$5
zbAvSMfY3tb^}9pi45?vpgfG?@S$=KQV{JWlkq1^i(a1W%l`)K8+%2PM2`qYwl~9-%
zW^Pez^uoBg?@3=o!NKoueLW4l+M<cUpO^%G3><PoV(Q|vco^7y?n_8kqCWiE#Fi4X
z>|Hz5cI9d<$ceT*kvklspdk<{k^-ym&@S;yChqIk#_3cojSY17_u&w;jTdO1gp0iK
zo$XL9xRGxe)GshFH(H6Z(vB3>b?hC5c!3*c_fUg|tK!ziY-3`LH`c>l&~9H1VQr<K
zC3gnz!XeJNeu4p46Z%WF?8m<Q@5bbr&!`;s*j|ANx3Wc8OLq)cv^^%<$yuU;d9$B@
z&HVI?;_5<mB_f_o6#h+6Vmkub<9=vOaFtxlFP#2NE-b5|b|Kq0mO!3$oVr|(s<$Kr
z#YSTk7;5t6txJ05E+Ba;PX4!zDu^%eD=+HvXmJNk$vwTXaleGNG+|9Z`E*a)FJX4r
zZPc=f;+c#Bh_=u=ob0pVdO|n_GgTG1a4$V#JU~+8+Zh!)P;zN}c@M{-4{XfeFpPP+
zZ6EmRGKBpsRgG%v4H>yN$=RUih@&#f-pdje08*z_PjgEdgC~I7R$j2&zO2^K)CxOn
zN6womj-$C&rcbEV@ab!Rv6OLFAT~|4QnG}XF<gr#2bS9&5ef3gH`Z2Ih2L}{msl2>
zo`e6ShD8R2tmpM*2#r^$SNU7*eqCZ?tIQ0)jHvA!XbALgfi?x<avL}n)!?}ZWrk#Y
z0WtoJ=z^k@8;IGkwPLNPg+rF@P9?krX58-hg-hC@uMkdxeJOO7K6qkltopB+w!Xtf
zx#LYgdhce<!mCt;J)H#!5)BD(`>`6Xz`}`NqIvB<iXY|&c|DNluZkX|qNlTez=HY$
zxsEm6beD}aK_6BKu$vWDAcgJwJ-S5{YsOR_9GkTzDVquG^(SHmb{9}zA?*Dn>kuyp
z7wavFo0v=IJNy$xwY)R(&E4(u@gwlmV(Ln)WE&J}t5v)Wf`Rg2{Ye10io)c@?c)b9
z?>$ncu8wt_Z9?Zv+6+V_g#Yo}HD<`vqjWOZ+H~ymtMYdo0WR#!m0lz1{v$!OdOCiZ
z=zwTAwfvLkG-;=U9rUV~qr%zT+P&98qcVkD44^{Rl}l=%(GH`fMAXp=J=;-$a?%Hg
zWb)#Rs4i&gwewStWA$)s`pD?$JSKklA-<|e#lgv087Df*6JuEElNx>{bshhUk&S`s
z$!jWYf?4*m1?E5f?U#>sw_dXMCu=3;v!>gF+h<Tz@YU6)H%A*F0ELvIzK*za`X-Fm
zgbkqBy%Z>IGP~4xg00JT=rGaw?xxmx_m4Fa4%<P%;z$%uuFShB7bO?6hvz;YR|O4}
z*BXLjD+P`K<-enl!k9YU-nT<Zje3PzQqLy5_6!77arVd_de@`%m-I+Tz7bqB$fJ(K
z!%((daO_)CJeyTMDImHi5_O%n#ndYfQmZ-lTrKMyX4?%ouUl^SNn-=XAACJlgD*(l
zlVV42k5Q^*vM!kDS2Ra>g%==1jNrpOpk+LlUiKCOLf6_rvpixPh7Ra6N;@K2=WFyo
zXoC36?JJ+{M<P()ryM@(-a0;wl`3VcW8t9O%ftk2*vQ)4j7$lKAg3(1NZ=!-xSdz=
zT;n!eXMwT-A%2iNk%fx;Y3is{8z(icNCh!0Hfz{4rmP(r2*F+4yU(p{=xTv}BkSn4
zp|(m$h+~r7TZE4Y7XPTH^VMU+#+v{hEs+$EOQuT<D!g~=h>GreAu*sK?zhIcTtdxs
zLEq}tqPmtV63jf8Zu0TFS@EoQqG+x}L|-2a$f!#-8I;m~X^_WL-xkpD5z9A8+~;A3
znG2SAvzAuVfk$JCT>tn%Xev5C3Tr2Qz`VL_RNsvUko8G>ZW+|}or1NDBKfMXD!JK4
z2?_aAj5h4nPgVW$(^;+cM$*s$80Ow*JT0(<ao}2+XzFwDl@}_r(@A&k(-~fjZ(qLy
zylQYT3&)1SlV#9Czr%Y?#%1|QE|9l8M_=HeXt^cjefG!m(Fun1#v-GdXdkP7^m*}3
z`BC&6mzrWH2g9M>b)9F!eaS0eY%WwPY59b8!b`F3J`T2+)6qGEPr7ti?vvHmac4H)
zz9i8%&1EaK)EdVQR=;wJi2?H_uJ{;lr^#ZIv{TJzU#^6V`cwBwcjRZ{?gt{t(8Y+G
z^_3BH)cZR@Z%}vHO5>!}RB%S6UEUU=16-TGHDpv;D?a(h_x3n0^+pWd5M%-#^Ovd^
z;gaCLyZo5TtWuI&CUI++mGxfP+eCsRY=K?Bo#hz_cyW5ZcJsvm1lm{oEk)wX76XN5
z5wL=%@LhiROYyLo!&U<Yfo=j+Et+sN^5Kxta8^R#g{VyzVrv~}vP|VS4mMY-10?N!
zMIulJSKnu6L*v9|i0S^C{XhpqOC~s93XaDu^a_8s<hJ75kxvTu)uxzFoxV4%w1Slt
z(8a^<Yl;PS%Fk0^;B5XR1&|MbVB;x^I&UPiB7@{t&5&+Q^k-OiIMs6S<UVA4h8DXO
zKTbMy|9|(Z_ZU#f`K0T~!*xTq?VYh$X@b3fScis8{nF`n@7t0-3etiA2w5l;!ovp&
z`38wZ1cfAbLVv@ikC$L95Kyw|rV225sAUG5Ep);mhF>cVE*Wg89(BuhJ*5}@B+A~8
ziGRpe%Ji9rmFVelkx28U4|g#WAtmdpNC|^T#Ngnoctd`{49qP3{HINPCp7=9NrQ0t
z8m!N31?leMv<&v%Yp3>G-G{Z%mfS5L!pf|_<Fw+_yABuNrYpmvkZV{Zw^{Z9$1~?H
z8(j%zzcM|Y`=LexjOA}r-Ds<b7^*x6Pg$Y<_-WvX{(>F|P<E>4M|-bQl3<hL^ge(g
z;TfWqBRs(0dF?(NLV$B7wtCh+$V&*MPOQFFyc*pxA||96a73jmzb<HjdNiee(hd!V
z_~!KNND#iMV;;yADA_K+1H_#JPR-e-5`!LK9xh&5({ChEB-=IPQJ61G0qg&Bh7cr4
zPG9aH;zrp9PN^?CP7<+7wQx3iXG6Y*y<ovP-M~WIgkxhRH{)w5P2gRqLPFMiss3{i
zOZMv*&9yKnl#QRQ)5*r_6FfkPw`#umA^tEM3B~h0Xpbq!1(fXAO37NP6&;&r^Fp)X
z`G-2ASA6-L6&EG;p5qTj7vDj_5bWp&d$5xZQC2hZ#Gi7HiJSxo0O9ko(Wib-2ElW~
zwMfgOk;oji!TyCdh<WiCQC=;JzF{3fL<mM$to3UUW<8>c)3Uq9O=~#HV6X*WWdxVh
z?VXqjyDb}{0rWk<c4q1~dQkxmG!bDjo-Qro-y7@9%M|MbKF)IelzB*@&|KsS><9u+
zT{S%Lu8Of6g;f0rDpEu0C~3`wzLsVUPeGJ(`G3gz4rsW$?p-mAHVA^zBU<!cqa;M{
zL~o<_61_7@M0BDgS`eZeL~n!Wy>~_@I?>ymeDC{T_xs;FYgx-!m~-~o=Q;cA-+rDw
zIAscP@XO%orMhjkeJa$KYR3g5&xVt0z{%{DOIv^d)=4bVw3CNPb4ZJJ1C?rf_CB7y
z1lVW2S;&pCl`ylY<+>`j#<6X-H`=|yP?kEq8Plo0`jhf(i#}nfM8GOi-&ZNR@kwj@
zyP>x+8^Eq&B$IryX}NdEAkVf%@(i37ic*>zmtJ+agk{4O3f)XHbKof9luH_)(sEwF
z>^t;V!^Dd5&}l)UJathI{JX@EDZ~>CIU35%`FRa@+0#Qb=Q~H_dsBK9Rx?o<R+jJ!
zCJh#`b%fc4lkZ3G<7B3-y}mzFz2LMI9j5DDUQV`*5kvV@R^PBMH8r34>$}Vlrw3zd
zR$^?ReT+O4!xPn{gsblKOC%jZxz`}@2!i-S7aa>d%Ox#yAffvkq|)m+K9)c-Zaj+3
zC(RK;Dthkc&18oeX91{yUOny@B8;f8HG1MxmLo7oX;?Rt=u+kWAzxy~95Gf<3r6U^
z9ai#r`6LwDLSPj64~i6IB2k3R?^v~>ZL`jPH1ks{y62}~xKXb+4?8(b_<9cfVsZb+
zqg*KHokOqy6KuF^NQF~m@+C_?C&>NO;%|JQgM#=7P4H@mBUR4@@kqIkWsr)=?eN}E
zOnUDKGX#FXMpey7fUWuZUb<V)Sf1?VQPA=Hp19U8IH}3$NlZ*kgrLC1enV1F;2-ns
z`t{+a>$g2QQV|!2OJ05XI>^ip=Vt{%$4}aV?{)5q6b<Ko)KW(2U!&)0#;INzuB2R0
zW21L1{kp@_T!BEklDbUPUqN6#_D>8FCfpasI7iXhTp`(iF44x=N;=_JURT>Z0~?h+
zLF4ztBw3ws!m+P{%Xixy*-j4~BB{O26+LjY3HO!m`yLI)<~&nwu5sdboxj%JDD4yz
zTt#&E@>HNP(g>QoeOr~Qr8wmfWyN}8W6s+c*qasOT(|R7orxCZWx(ncShs67S4Sle
z)M*eb!2J?wk<)Zi9JTk4Kb2G_WWrP6a25oqy%Em1H)!x_lBT%!GO8<ui4PlVp=Z?X
zNrUQ=)(dhW?zrz`cq^j;!~t~1Yj5gBtdS|afh-atvv*BJs2PZuh8SN^sVJQChk_qn
zT3lmW;BBP!1TP-lq)?4KU|_plCo8Su$CwVCIV8NdP<{;Mr)WUr<{odGzaAD>-X6)u
zXn@?!Vz>$Iw``R)Zdf1d@KEqVlrA3x!V6wn`<<`zP`r>7NJ6|GsbC@`22_#gP-%xN
zSmbKVm2|_oXg`}8w!pA+X+C}aH4R}S#W~cNeyiCw9e55-8&8&Q+(%FB*Oa5_Fv%k~
zwQ=9;#B3CT=yyGJ!+SRr+X+_~`Q~vHBEt_(i!cLd#yv=kPm<Ib_6*7IdlOC0%rHjp
z@BxSQl(06xxFIo*D>U37ITbQj;r6Y+{Eo(NdtyzCxcj|aLecjZl>%SM)D>}~*szKF
zu#3W>$x^~*!Xl478GRY*FEI7%k}&&s(ceNW)zhEn7{9IUB`M3d3`m>sZ&=!1?s>KC
zEynAOH)6IWcsYEue6}sT?IXVJ6I-M;^h02q7ej8Z0$cRp2|!lq<_ot=BW|Ki$onvt
zE28&z;p-$I!|!qlduE6l`<cV}>Iw)V1S<9(1(r^Jvv}wKyuFu4Q!2YO|3lVcJh@2k
zPQrRfdkGNWJYVH#Wpy!VR%C{lh(ZVZ|JkX0HSJtv3JLjOZDpmBDZ(!z(z@CzTTt+0
zMUSlm{`Z&eHipHJ?Xa3r^cBpqlt%)if5f44%XYk_7a<xjRUg(!``q9_Ziybp-TA`U
z(<=8;ZNTI%bYHqFDk3NLNa_iOBRGx1C)$OMgwa_+Qtpn<-^Twk>q#G$b=9JfTkN06
zS^cMalzh$g*$?Ho9Kcq&Vg@Cz<sG0IB=ZH`Ko|}eeh53QY-G7=JKUGLKY8Wxd#;=z
zF#YbK$0W3d(T|4;ux_Nmia=}Up;!8ZH|Vu{_6)RtrO>F8x_RST6=7}e5^f{0c#i^6
zUmm3?je_DxZbm4q>-bWYMT)619Oq!ZPpOoTOLUH+5h{q~joBHg_uB#96*F0IouZ5h
zZgs%<e5aVZchmM0w$<BiS4l<rv8iJyo&}gA5T>iw4IjR*331Hrat^&7n+qHJI;~?P
z4g?N__elAyg>IRRixRGyp1$x!0<l(^qy`ozV{2G@*Xwm<$M_b`=da6k@Qn3of}WnC
z_V)|Th?pWi`p}O>GN#svFf~fb!AV(^r4o%e(RkLhk<P!vP{V)nbP|LabN$g|Di3)C
z^vJctFJ|Q$$);jSBzs?TNDdxM8vlu=i>RjzDpZbn1?9f(r`y_#zF`3Xr-OK<?>}KX
zyD$A-eY4(-=P0{k9?Xj8(EtW-7BHXhDW;NXMw|R$iL&!RN-+d+-9)h(_VK02(MBl1
zU`#jIOhT>RxVR*Qtk{5_mX6;Y@SoqX1P%xQiX*TLx-zjO9;&pPF|e~C@i*RN$q({L
zBo-Mwac3o)A9umJtQhQX11c*cS&l)CBny)tEhif#>s4$iB>5FA$BM2b*d&VS6PJKK
z+*}hRdn3h#Q==DCBVU5uNdce8%UdyT^E(Fj%poKaD&+osL)r6JBRhgduZ!^${nh#k
z)f$yYS3BU$GVW-=SXkPN&(^s_1+Re9Ss?xwH=jHhSx{#%>=j!u`+uoBJ)3XjPN@Ij
zgAW!m8y`Ui%#QKyMA00@o2<3Gn(SgQl%)`8)HCMs4^U@=YOBlT?RNMr4v+&pD*>$c
z6OKS8$w)x{+Tbg9IQ$3-O%MV8J!_D{{sQ55_y8J{4!9fzP@G3pgirMJO4CmV9r^IA
z-SO!PucD>h?+pZE6bh)Ip%%fWzyqi82#9l!hCq9In7X^W0f4P-9TUHGM0@+{DiIel
z)qzVv!vU_hOEeXDoG=zz9lXUpTe0v<&lUA9T9!(r>*LZ+$V)myui>f1v!|N1!m)Xa
zXR=Z{F0w$vK3AfGVRB3{?bP$=+R4qu7;%TH)oEOw(QrB9riYDuJSTr|Z4mq|O)3)E
z%qo21Li!sITjg7jLsOlxa?x`-IoP1zkKphfNxX$o+oD=7Aottq=%J_M1Q|Rkw1v{1
z9*Z%0Trk|3TJ&v#Zwyvye~|I48Emk&2afw=FOR>hV$>fLokGO;6J4RF3lEs`nsg()
zG8{>GAn4he%VnD;K-!*K{(UZUu71AaGn|>;b+-8U5NP|CRV>GxK9o-2vQS(?7?i*3
z6@Z9_^5JBMOcsBn-tBPB_dmXDc*8;ml+it&<;MGoBDh9h*5E|^l<iK9HJ+HU=Mb!W
zCtnCpsiyHa<AMo-@4JZ4>7wm$W=hO-@PM&?;Zvbd^bz-Qw@2_S=X|dvH_YJ5`15NK
zU@Z<x`qd2S)+^7#D^;BG>V@Pq`;77~ZdSt-T!8(IPF)B`v7QgDjJEWvu(!!<KpCjl
zjyhR^02<5mv~eM(S_zlSCju%cl#Z<cbCYa4EV2_Wz_v`HYn4~o=TL4x%VWt8OTwh3
z0>~=gT>l5kokA)H%ga`T+6w-4y0r}4ySZ&r1wNN{xG~9&HzD%Id-kFodHYd+?ZWWt
z4;q&)6PjQWqOU6$5m~3?X(Pu)D0jS7wxA;f{BZl}$&t62*STt4#ftyV=&Dz0|3j*=
z?Jszal8Q<K<JS>}1sXpf3MJQZPP?G<8<3K2^7`*Cp$23h0CuwE%=6yk2uCmBN8B@2
zKd=_e?Q{OLFaG;4*UM6DtMe}?%-$L8nrW>$tuJ);gRAElS+~fpzNC(Gcng2)yPn&T
zz$NADR#}bE;&?@DSm#h{<di=qqT4ndvZ<DFjJ2@f@!mY-4NHHe^@i#7*0`lz!PbkM
zoVkF-dt2Jij$qvj)85oVLVYv~LRYB1b+(&l0_W%`xeh`{pn4#3FzMI1Ak(tZh5t{8
z0ISiD^Cx2`jWAql4KcN{$W?{9K7N6z2_c(LH_r5|KtaZ(LZZY*$_eR5e9}F%HKA3-
z&^RfE=V--(zH06jcW2pwyAa65mEseDn~Ce}ae-6Rb=iq7=C9K%d^7+9_6WMBElMWC
zXv|2Nqgs#lmrc)mP4GV3eOG*&#rFpbhP>*eX}aqhEHus5sbt84A40yx65*CwQcZjJ
zU)g(s*y0EcFn*0(*}W>ci3h0a4eiQD>y+6(zd;kRNg`SOVMN_Y+Ez{<_CgD=CN2Jv
z2@pd+EJSFm{7L6Gs?N6%sBZ9y+b{o2b(4Hm614ia5Qwt%Q*sTqT*u?>;>y;>tE3Ku
z!=2!Sea+DcFE69k0R$3c84}SlE#od~93epX+#Q$~3U!S2<;yyb%%aI;L`yDY9Y;o1
zP_jqt!29Yy9$Z{49kl+txqoUkNcG*>6@O0d);Gi#V-lp)KK)kVK$gOA=ecP|r-G0Y
zfjyT+PDtB&+vNEB5bb`{6w_dEOw{XdM&?@8Bsc57O=2i8lHWGI0+Ps_b8`*!wsOOk
zV-EuKHM#X*gX>b6-(5}?vK>YAXdXAd&i@Hxdv0&f(kR%djz98Jg*&&5_$b@|4a_;L
z>sgNIL?+io{(i&-$-A(aJdZo#LiCtdCIQ^nB48m)ZH4SV_w#2<j1SF>puy<rP~1d|
zkTD6evPCT}<UW!9^sIpcXk6#C6doQP0>uGdpt!icKEBK7g3BRWpWV~^1!y{f=k=eU
zq+~9{0DRgW8PEO2CNu8i>L%l~^mH6hS~c_l{Vhs1m<$K(?df?@?pG^d2GKq0zNINs
z?i*YjIq(yPAR;5>3(l(QZ5J0*%0<zvzog8Jg=j_VpkknL$ju$RUwchgOI*z^)=?c-
z15bB#&dtW0Ajn3?%JWYArI43`Sv8ij@qnh7j%Eq|{b_esiYw#z+N`(;dJ~YB5a&&I
z7u^z=pfTBR8UJDwk4>ZYdHgwEZA53+)ukAy)VF&hFAJ*~^45YfT^mgBQ=E~tLvUQl
zR&a}Sp%aU*o!hjS`|+DiC)`!zTRmo84)0r=`Bq|b4wVnQ%GtSj-VPyPZ&@*)#$xN~
zQChoLiws%+9N|KPv^`gQ!l_>^t`Ye-%7CSwzAlN8D=>N5G34Eg0~~=J+wL49S5lKV
z_m?~-+cP@X=vUwApEwd4{|54O#GewRit$hHK`by|zqWnbiWgBc&)u}BQ4u_9=UP=A
z*!0CDCPdOL5$|gmODT09>*1vZ!7~^}VH`g(K1d;_si2~i&6T8F&D$%?#&UoI`{G@t
zGVcANv{tT>&l}fHF8C0{@VrCh4R7qnrX|pu{*_~&;QCmL?0MZ|7t)lEwH+G*xfARK
zcPikZ%)TaA?x+Y;s72bJB>E`aM5mA(6g>#cYU^Tcl?_}km+-<7nUR1%Ojo1+I>=!>
zx(GM_pEcU{B~7U)G%sabcEae_A*yJE`yGfoF!<LiYOdqa(FMnu#egHJ;N@Vb*Fj(<
z0pQ5rmor-zB<iwVP?X;>V)<SZ8GYAN20OTpoP&_^iNc@WLJ%5A-Hc~?Et0*Y%f=z-
z6qQew&rr7OzfEc-JcO;s5aZ#%n28C);ti#lQs;NHFsCPF(4IP+t5Vie6oS7{C`c1C
zCj}<Fc&zfO<Mfz*PuWA`*y9lTMq1rTMAnL^o!Cj6%P#k`3h!w__4<kN59*^6t7R%G
z0?>;N1v}}n!Q=}Ietr5s^uVr<Qz6fDgUm*0AlYt#S=lqgLmpPI8bg~ojiVh6_e1QZ
zFpkddACL_m2rUtVgGwoqNl?MT{0km3A#gvOm$!O?5fEV=B1NXVhKr_X@mx29Oz8Tx
ziv!R}3q_#O_iK}{u}=+08IMbMC<bw`GH_Tzf6di8w5|`SGCq7*Pj<B`d$wi;8LMn(
z1Xx>=o@P^^7~Jrc3%Hj>a4N(8$`}BHGyeowRJL6#+PQg5YG^j88Y|NI=*)_XOiC>X
zNsFb`nMN?yFikg;46&X`YDiY6v$S%UVAar1U%x?XiqT`zJHCJm1|TWM@BrpNqywpa
za0^7}Ttm+@GtCSr6@&M@ddR`+V;QV0p&x{7tAuPPI#LUSY&nFYT+dkAa|sto{Ul*j
zn1?m~2S&m^UAsw88o#wda#$by%WbvM;p9`~cOt(91pxSQ(L1S;JT9`b$d8DKdv=1H
zi`V*T|5t65Io?2bQCMKof5^J~$NKNK=T>j}3-W6CeRo8^T`nAzpXH+Lqu$&Un95QW
zK5m7NcsvhJgbCa{c<vpY_Y(X4Y7*Add)4XVhe#Jk^0pC)P%-L}e1>5l()zrxZaZSL
zI{W9d>;P5zA^1HO4=fFem<8>N(&|bSo$%{SUXQZ?B#hL|c#dah>jxZNh3a}OAkr(d
zAWF<XO%{mhT09=EVD>TV-!mT4;?boeOMm4IkcR*9)b-3uD_$toH!_xBllaLjKbg1K
ziO20lTO~%&SE>g6lz|1n%AY4l?(${+s0D=Q*a}EO6k1n@wikxzwcDxewX=yV{g6Um
zlG9a5uD_@)HB<LfXZn`q_lA<bC1RZ+pAm3*j@!7%C^9``0Wm^~v@bYbm(-XzKjcpZ
z@t)D_rC!cl{aNc$ZTkWW{I!B}xZJTeb7MU*>zSqV1VTCrSq%3|sklErE0cH_!!Q)T
z+vxw2;zLZZ3<@@qx{V;@N7T?bZ;<*NWKRFNlV%^-oPs*vAo=&N$3e|+k;Z$)>(Xxy
z8-f#hNW#J}LYQQ=Lg)bPbnkhPD^877h=z~XLxGvH14R@JAI^{)u>20l0kPQ%;2Nr3
zW%R-G^2|Bv<fn5a3;v;#!^_>PN-qz*+M0b2Za4)W-k~(Pp8q&=4$#);hNnM4^6G>A
z`ru?_WT`1By+|(<BGdhBq)8YW+TNho1$p(<LGgHU(!2Su^RcnC6Sk1gr$F9+hNxrV
zg(<)!D1%w|D7vf=?&-il(GqwT?j5{Uio;9%QSwV4yt9+;-!3IcO8r0cgB??orGc8i
zKvlCTlRw9zFMu2{LZr!NDG8CC*#}a1VBQ9=R0a981^B+wXoV;PQ-1a%UAoE<D4uv(
zI*?i8A&%_E;D`F(|2EhUc;PMjcb%!ouDX6OW(jj`mQg9p#o9EH>znCFF|oG~PmP*s
zOEJA{AF}pK4rHG)p%Y7$9Du{)``{ku55H=z;y)l^fP=My5%3?PJaV{5a9QL%&Jy!m
zeuN}|GDeHW?ItX}5M#b!J}K15p3g8;7%$+59gh(BnI+;|ADmF^sXs>|w95+8L)#8u
zX^#c5^}}0ML5oWgv#tWizMA&QGbU3AFAGR#YSsi?L)+M#2UfmD#M#yIqoKhFch&+C
zLG6R=N`n0Czb_<ZU#{_)ucc);C`0WeQj>9LYm;W>(0Z3(OV8IvBm>uh7j{3E0=br8
z@OE<YtVSDA`SJx~5W>X&lx+;qo(pnNba{joq78Jvb}>->R$Ejyzn99QjuP0}mH^!x
zwnb0{RVHq>lKMJ0EFwE4^z~&d<`z=)o0Na~Xozdv78vp0BXJpl`&}Ly85uDEm_8@@
z4XW%MO2jt>;E&TdF~yy$jRfs4?WyWpQ^HTY&Z?~Rs@RwEjf|@K&Lj=COAFtqv9iA?
z`{eSgbJK;Oxs1iJti9`A*!ZFU9uHqs3^jDsfqT_noHH8X*6SmEI&|bE;$Fg3K#JUo
zdvWO5pB|H;E3E_(($>IO>$3{M#5HrEG3hXfO^JK!Waav1)o}oB<}z#Kdbi<f!1F@%
z;Dj@L`Y)+JE=~);L9%iYbdE&Xe{A~KsLuf_C>74?Q+k(^9ZW3kuBDXa<u6kA5M_Zk
z4%34q8tDt?WLGktZ?ivbmE=et*zM#2OLFj|<}zF4c&eKdO06L2OTi2%tc1b13j?s#
ztf1@r;1VgXb7RGFrU@SGQtOcOI6g=+bd#WC#s5-nS^ghg3*-Qh@(w=-;bLN9si~<J
z2&=%xqePJs>kvziGu%Lsumaws8(flOrs$S(V8eWO=-ho6=Gr&pcwdNMB&)v%?+?Or
zMW6bgzJGotXNkaP0R+9YhP-D0Y+o+-G8qbJb_~NmSwP-<kb4ITuLV+rUHv{ViiQ$p
zL03-}zCgQ{Xn=xBiWrbgs3qp?qglh_@W^QvvQv@;%Rj<Ce+?85g*pwut*xys5F~-u
z9!jVO*3U^bboP6zp=BMh)o8M1rMy5SBHqgyg;*BW#Sr@2r6Stgv1&0wRQnm~CvBcz
zwXn3GLLk@PtOYeMp6I%<g_k4!eHiXmp)JeU(s@XhqX6^c;5xRsBe8;%T@Kt{Qj1bk
zojsfk3U0Ut`CSU$YXktDcB4Mg@V74hyJpCp_*&2cvAk@|a~zb3rM-|NK_F~6^u&t`
zpg2@>`s&2+jWxoCg+ktvupy**k_#}?gRr-P=;4;}zzVG(tAp^}vL%-e{TKt*j-Qld
zLiv}HC7^wrvibu5a`~g)?|hJSKk;L;Dc$Has$uv6-G3v%Jo4bWzZa#b#|7Za_AqTt
z;%!sV%JxBBOGVn&$#ms6y(k%k@)TgBV|AuLCpzFBp<xsG&BkxL9dj~Fl5mMjb8U_c
zxeCTo;!LOq3Q1-E>ti!|flYkztW&H$xY;i;BA&JOLT21F&|oUX|IC*Rypxzey1l(^
z0TJSb#kMcVcs%!J|3XrXCO8PcNuB1_wT7&MF*%B$h*PN$58(1Eq0dpp_)k^l$#hc@
zU-L&Fw4_jvlWem`$#gFyG4f8j3T>?+1atq2fFM5x3G<L(kP`5498}66SeKV#6hhZG
zsQ-dWMfb$vVTH%VfI$}@E$ZvksN{oSbxX;MpTlt66iMe<`b+Wi!FhT>sxmtoU{!bY
zW0W1xiahPV_t(;?1B8c*g-o~3KwUG0m8_o7Oj@A}u|=j!GwblYUL26B&~zK|A(?eR
zhLuc6a~LkL&FAvcZWv86kJn8ESvemHt(i?kgAfoGRN2r0&hG!CN%HTYzp-ZFDj}sY
zL2R_z<Oj=dDxKK86?tGR?WWA_1x6uAFKwQr2iSLc$;K!gukbTmA(s4vc~geVN`P#|
z==z2Eqjt}QEYg<YCEQ1MM`l(|@4T(D+wdZye~tS}^1v`t5}<wX|5*nfu2C(r`ihF9
zwY3mXbkJ;5It^35Q1H6o^HrMTUU@p~5NJMZ-{~@c$?=EtLaOa{{(+LoC3^2^feor4
z=W-Z;8yQ~Gx{RfB`)Wo~N0OTRM>=E4FmwkKf_9v5e)4u6qLNF+FL7RfkEq>u7r7nZ
zNMAWaBhy8Nq3H)bzZzZ5bKNVcZA^qpFPD#8Tx`~mANW~A9*4W~I|mp;Rk1h$eu`2w
z!VmuD55aRbIGli{2R;{=@cW$K#URnIz5B5$2cJ~rfygFGvIP^THuHrA3@DdN!q|pp
z>NfxCx*)sTfIy|GEzpt7SF*ql*-$_rP`eH%;)Z|bfWw!2_QJLFGeWOAg|~zSSn(CA
znb*@Cfvs2;9y$~rswf+`B>a?3#RHGBDxIoi?t}-nFaRH}0xg;(ie#}O8PpNo=2By6
zEbZozKec&yWwgFaONSLe&mrXAd|#4y8UAadSwJ8|oY(;;YtlSiHy5Cu!xU(09J*lB
zJ;=d_Ovw6OHSvPGL5UTF|79r;Ec#AhizGFcIu*!<qozpgDS|Ve912?8kpl{3XfyP}
zhs;`NWyw@GUl5&$g@Q!OEj1gH`R!ly!U=;zL6m$5qg!*=kpBuGknUT04QjTXV7vgz
zKzc^KyBwz$&b$WTzo(fFY9)}lIl^W;AjcJ%_gJQZd!t#-@|RTesd+c#QC>&2OrcBe
zQsAJ7viwSz=u1Yd5@rRO>h^htUh29P29HdcAg)8i59p?6fm)=}uxPC%1z8%t;Q#e7
zn92pvO5NtqdAG}go#yiVH?)$PZ=GbiOVw<^OJ10%b$<s>#`NzAxY<K62(8I&faf@4
zX<uI>gd+2S54Mm3V$)zSUwJ1f_jj4|^f@#u-L#j8_z=Z}e2^stIg~5~hnQ%GCEnAG
ztORz|gZ~b1kTw^yK;V#a#6wpPaM_HeF_R%nwja!o#r|$6WPJ!Qq=m55z;=l*qhOv(
z*Or~y0hc7)({BQ<V*LhB-QENFoe@7S+Xla!9LMaii{S#z%m;IMS_bbIV(I+F)yrm+
zv3v;e>g56Wr#3+sex781-=kU01oa$+<I!J(DLr0E{{*N=YaoL+E_m*!1>!sr$}p#p
zT4S*E2B>{|D)4=*oD%0EyaYC7qX-<n0ERFCekjN+muh8v@O@{AIOc;*oB%`Y9l5PB
z_9XqJg|k?rRes1wlIa$^wEo`6e}Y3CtOG(T0Z}S%)*et1sU9T*_al`U3(htz`d<7$
z4rq;tp%CQ3jeZVbJs*}VL=*guM&UFN*Urj|w8ttq14{u`L>%*J;tw@8j|&&>{t<2|
zk4t+BieWV4xH&Jfp;$4RJwu+Z{WE(f(|Bl?9a((}+n3w5`HKK`?w9T6yy2e;490`|
z;Qsahk$FN+8+qV*Btob7U^2+4U$F=`NqFfL@?4j&^jPt@AJlvrIN^BC1LOK>#-R5y
zbq_Zgiou}E18WmIZnl6h_l#LEetnt<ofr=`p9=v!6qBkIHsshsn3`X>PZ!!UxCxbu
z@lp~80<(HI_?J|Er=&uq`{@6_IS-`^W=jNR*+P*1EsXWEaXlH4IJmCe;$zq}*I)o_
zb;eTJ@Mzg8md>$!K8s|92n|^n)67&!D!|f)iSw_D-){s0NwmDK`Cz+C-L73!bnDc8
zaIssnd5iMz$&TE;a3w$z^aOJ7ak6XvRYgx-YJ`lwszZfK<UdAujhs0kP64<KGwo#k
zF%l0Yus|d+sZxu3BA>Ee@VLO(stXlCt<FGg&=0a<xMYQ}^nyB>u12Lcn`(g@QBg)V
zlEzoE&lhfid^+)aXX;e}RI{<h&E0i-CoCIk$ta}Gr$HDT?sT0<%>!%2Yq@=3LMGc<
zea=+H7sQ^MpLC6gKW=r$qz9cp1RRfT^1JmJ2izZI2R@u%94!2vyz9MR%^#R4zkldX
zKMKqC-|R8junaocy!2PR>$Df~I=1xjYr8+}SGwp8x?W>a$x7zrSUgm;zfG0DQo1hC
zpOU&xSiC9CFCVy$Iy$M9P@AcEq&+&zkCV99dEDE#cP_%=BR8l&O4<}Q3Apc^Drut<
zd;dZ3?vd?|bi?%CX_facR{TA$5ed4_ZvK$*a7mI~HIN#ACiI8w9)GGt2-{W`qmh0`
zGcd-gC3p1M$s!Z_*j|jrl#e!&Qedq}wxpCgs4F0m+^1S#t%a2$XXxmGTURE)#PK+^
zJl8CM+x`A-v8^jT{S2XNQmehdVRS>DUh7#<uD^(<MIeoj-T#z;(p&8*zR1aQAxgZZ
zH_{(eOh1aWL#fezXb^ni1eu24I8uL=u`6?~HoCy2ah1zT5gp-l-bh;EBqnn3r<g6o
zVP}?a5*)QUGRA2%v?N;GbXB00mp@ODM{UF7KW3SMdmW8PBHA}jmYsy*L}y)H6$}%6
z_lP2XNdaHm@tx0lfTO`|u9Tl%R?!zU5&`Xrg3c>$6<1wpB-k_$eI<a1xGbW_Bq~v>
zgQUoYAB#o5Pag66_#LqbQcGqEg!Tve$2ADn?<_95obRzK_CKNs3*ZSjh`wLXvT24L
ze*rA_r&T;x7Ogv`4t^?$NgJjH&;$^TuaVDMRcBI?<p3GAa6wN%L=N<5_?up)PAIZC
zq&V?UDV4s5{w6UEp|FK;h2aBOZIw6BkQE*&bkxFYhd50DuJ$)Ux{>+(S`=z^c)!8{
zz^UBPuUWXDn}CG+&Y8O5v5CVSC=fUbcM>N2_=6thiQ#I~JH*Q<Nds-bKxM#L#R^pH
zR<));lTtj;*kKhogBOMSaP{k*e0KaRkDL88*?uq2ZMLU8&q7G#;c0Yd4hBxMOh?_4
zrPyyTKXH&oNn1QQB{-(RnY4D}?2<EXbuHO-{du954|MWgYZMobsfnYO_yH8)JH~D_
z)Bwz|qSBJLedU~_5Rs{E$SiINQ3DYDHO5m(TqVqFdG#HfJklbl{E{<33J~Q}p6jhX
z*uWN=v{`Cs8e++Bse<!BdnL^0B9n$t8?*@Nl*9ROsBBfs#G|J*fQ<`cA=e!N0vmxB
zACk{iR3j#qR$Xw294-|e3b8Rj^f0otDyaFC14PFeQ!F1?OReV45FokQGwuG#eBJ98
zNk^i-!?C)kraSJ%i~?;GBi<+W3?Ct#rVDruub}hDAM3bdg5wn%$Ug7NY|~>Z<C;+H
zdfP4OpF9b)1k0!3VU1tTyB3Yf0$z0oi%u(<<D9h8Wao-+CElVXzLmJj{}uA)DKUC@
zTlhzbeByuvg~VC2s6dT3J2kfsUSpL6++Ye$?-%=v%_9f#?bM66g!rV^+u75C-UG3D
zTR~bpE+<|9sP*x}!2uNyY#2`b=e<0TgKzD2_zzu1e{EK!q%+lsgAacH9hM}}Dw?|+
zY#t371heuy^R@Df1r56LQ}40-f(Mz9AiF(+XEQA!5gRp4qE!+$KuCM150F~R{CyDL
z;k!Esq)C(d7{r?M(om0r8yAR23x+B3LPDX$#D2Eb!fXdU9zdsqgF4|QPrWzyiDrhl
z4qPx(IPQ><&}$wpWX{EK{@2?br7fN0%&I*>(qGskMj0%pe1YhO#qaz7p1)*iy1K?d
z0a@VIn*=DC`QM=;|7uV-pVtN1+Zd_j?J*BDd_cIo)cy#~X^?wl-zOp5k0<`F2;-#W
z<>kV*bISo#s`Hay%C5Ece&iGl31H4aRw)vA8HX?g$(>?h;e|j|d$FCU7bnNecXw)k
z=9Qv(WxI=P?3W+B<ZPdxf>W>CK@O}};+u*(8-LVhAulM5fYj!)GAhcMh&T!@&wj=q
zgl6Gj1$pGplaPV>KcmKw{@1R5-<l`)!mBMHjEPfRcT@Sw=D?xfof+tW^dC}>k?q33
z6w!OBUff^&yf83!*>4aCfM<=Xi?vk&!~^R96gz?go-8o$+Wa7fLJ7e2H8abvUJAoU
zdbuDK$gdv@B8Vz?{XI5zj~Mn_3IjWQN?L%99<Nt+v!S6+%Y}Sf5)JjIL03Abt74f7
zxWG5k6#>oq%FV0mzO{9<TVN0OgV+5TBZqfaNs7*Lmblyc$`L0kNs>}Q7j|mO%&(N)
zhMui$*`D$ief|5!6QdQ<l!${Zu2PM=OxhzfYU<jnts@DOfa)w2Ym<+DbH0-Uvkx@<
zd>Du9qMhuQiA74kdq%vD+8{f*K8Uk$#kww3Pp@jh(Jq~{HCpUg!?H!q+M{?yHlX#J
z(x*qovmyLDs($g_P<Cr3rvtI8^cFY2aQ08@S9^EN+q>UYw%v!{^jlI}$?;;PgNPD8
zGvS{;=Vwm1Wx%F&<&@@YFk$QiFxSQRhBEhOBdW_HBbTb?dk2c0C$i@KkTs}*D=W?i
z7hV@PMdGLrR3^PzS7(P0Ps9<>l-T!yDrSQ-;i?cP+FxvTcDF*q7h0+#rDmef%;J<i
zyru+WM#(P({70Hy`0@9|^pZcJ7FWCse)8*c@I2U1ow5w?&nL{P<hqu3_cB)f)(Qj0
zxt^}RUBO(Q=JqS6CO8t0SHBDu1}NAflwFgfhzK(*S(cB<wbn|mNHL{@&7Ul11yS@g
zcAKtYHo=m1D;y6icN_B=9F3AdJfh?qSF+L2pb*7ZY0wB}duSsxPLBWS^Pd4InQ}3m
zc>}SB%nnHtO$`B{E&>4L`P^F^4Z^t(ASLVfjIM$2r2@k{t!}(7l-!anwJuX96>KP%
z;_kGhL#Qw8DsV%mPWIZ`YTV2M-0+9jeQZ{iSPAt!`>rNWcjx%q@G4WaJ?Ee%NMFXa
z^q-Y%{$}`ypcF9Zho7>rEJ{*%6VEV*BojP*wEW7JmWlsHj-^|+>fDWvwQUHJ|8$RZ
zowIzuz?U^^B>FmCLZs5$-M=r*UxT60gHVTS(%;2k_BEsHWrxMo?#(Xi$3?Ctp5rJ$
zgGnMA_8Mgh<o-@w>VIAXaQ)1&(W@6^v#Ty3JX~8c-Ohd7!Mz5V&xFxv6zo7n3&`=$
ze78z(+Szv@ylxXbZqXqfmn%RSERu9dfLna(1^f_1x4awc)@ZJ2h{7PmJ(T3M;WIc?
zh%*{Y_puj_ny?IC7JY29n4$BtezedrS~($O0J+~tJ%(x@%+k#3KZC}{FAaTIvba1v
zJ6uZlyWBmrl1gMyC*(SXP?G=tn5(PK_UtWz+B>$FEcocCFRp%t&K9f5ey<(B;Zo50
zZk}0L(UQHS8oTXwl$zvxxLP$g^5xPZ(QR04+pkrX>C7kda{E^2N8RJ*yZ}ADx1;q)
zcFV=H9(Ye;)-6ql)48CW%%?>Z;*Y?2-bj4HUq4B=?__C$`m;DqTU}loR*V*UkBD8C
zylYOr@?PQ%y5C#T{VAnn7~6VQ71wSQc)RdeEkRFi4}GKi*14##vFoZM6Q5}$tbos#
z5A~3>uCK6CrVAjUi|;N2@*k2F*QqnJ6~Zczec5>ZZuAwcKUz}~6Oqq|>#Mc(&k`<8
zD8Sm3y`88CZZ2K*5^|KMV($!=c@L5#x%1IADZ-WR?Hq4Ch0%(O{PetQGmgEEZfsKK
zQRD?go;=HJKJ5@bvYm`w3A&NE4rI_Ggv2TNj%v#bWzP$}k+AQLg+hZy-}>?U58iY|
zqkpR17{B=`=?NPAe0oLnXjMUXmGM=nif<0TqG}WRZ9x5&AK<|d@w#lx&G{{~dS~%W
z0#d@gfApPbK9+q7^}s$1x~n+uqe0=uPeT;O4cjbr<>9sKF2;$f+C8oVe2Np!m9<x4
zw|`7OK}f02LQyO>f41CKe2Y9#?`~xmJ!+D9oXT;~m><L^egsCo)I|eY>Bnac2F{sx
zMZ9q(Wu%OgXhdq<4{W+NPy$|kd*9&N0cXnc&NYY35CT8UOxN#+m_hVXNoDLE+g~hk
zhM<{aQkRm2w8OzZx83~)siwzws9<kFFj(q%A6bdkWL1j;T>hejEheCKKuzwru=oS)
zZKQLgMpkb?1$~m&2@-O|{P4t?9DKbuv5<f)QcU+1i2LjtMHCB-<6a6lntAgcZHYb>
zD1gY`sdN^%?87a1DvX=mLl-A@J=pe`%ES9HHWBQBq0l;!&)Rm}rl$3xwh_ZXiKOED
zXN=;UUfBzX$M}R?Jxh+`TvpHnI!KC8b@FMMkhFt832&}AI#8|ru4#p;^;uke3(ryW
zZAl-PgVuvmaZ!W}G?nzesz21FfJ@+kqodyw#P>y#^!J;Kr{yu7@Sh1O&}nGkdp!JH
z{^t)Jn9_XNUGQJ6=Q@)t5<k^lS;fWWfc;$?slT}RNZ1pp06j*c(a?&AW5-V+wV=Z&
z>SFezFBkIpnzriM5AAV@j`zRnT1jzJswRPqqSrrE3`Ope;tBB$KP8+Y;&qnJN=)v7
zM|oZFLFm=9{NigI{^&N%pm6y=a@<@-a(<|m@%QrwtW#0!%@%E0&-n)tQ(}W~J!Bg!
z=2*M?&tbJGvJ<!&729rAqJebrBNtN@L9aaiP#rZI<F&t9-&+2NYJF7hTSOyz#s<*C
zfnP+b{&+>-{a(z@#LmCkj2nicLZx;p-tl5&cJiXbkt_nrt8Jv)SM^5lO^3TAb`g=J
z!Hndh%}|Zyc^jF?(tC6bWv-7u%_@Zk2Bj#tWsb*A4So46Z+coYD76h^fScikuY9a6
zcgvOiLoGOU4K-{w4`ak7b9wUdy^&W#*M|T2A9$7<Hn8ag>49?+07<6gjxQ_;MKQ3t
z(@VH!%^(cz*r6DBNeG2E^00a+DH?!tGrW9y5iWNsN&3TD5I@G_&!0NyT?_yY7RR#z
z^9eWeiRwHEf|-j;p$Xdc)bOSDv<IniT{!>?>jRB5*^)wt4H#yQm}(Y)xniDV+j_p;
zq)a5&k+w3zeW_?AcWz|MMtnT|nL&V<;Ju|odm~NK(>GcdQR!h^<uN1uA2cIGQ+%I+
zzpW0~OZfW9SpP7_jl#dw2&s9@#owLcV=h6@?U6|eUmqX<gCPYYsKkn{QBwG930P()
zSDb+GzP#&a0DCEm5jEvxmdCux??<)(=Cj}(WTn8zC<73iu=JFw>SqbF!rEr*4-MoL
zWI64H^V1kB*92l{u`$T>ygtR%B<|VIyvBD)9@1{1VjE9wkJ*7KxQVHhr2Zxy=ruXj
z$l_|pjVhH8noRHOExOI6@A;ELy=uzjTFJQ{#LJX$xIWbPVX`)~kw#~ay^dOA|NE38
zw$~i9p_;UYWx!L#=+}m>R3BV^Em9aE_OFOE16?I_Qu-o%RmPk$Kg$WdvD<0n<d1^N
zZ<MUe(YHy71gzt=79~o(2Vd>X6j{#CM7|Wp-qCrgEc~|dWBu4y&4KwxE3WRO>X)6`
z7pzPwr&iBP_L)xj{oZ}Y9z9EXma<%Kgs$UsmE-CiYQc_#sqS@qYwv~6Y@>*F+5f;3
z(o4*d-oc?0h$IKD$F-dlq*DT#62ZEr$K~Tyv|zNTFtjK(ph`QUe_s?_--e0BLE2q=
z5u2jG>jr^%0GN^_=@KRJlbK%mVu<(xp8>pZW6h3}QKMBx7#HDM9so`r1UZWFiqTd2
zIh7o@%Qjrj)W6Eh-;4l|XV%4iY}XAJ8sU3hh|1KfUdq&WRf?8(P4p_Ni=v-v(hNM5
za<SiJ*jf6k^neH2pTgm{(&Ol_y<dD0iz1QKFGSy^zILG)iOw^XK!lRZTG4mf1OILI
z9q+*7n7?0L+ZyzY@yAwPIp{l9pCsw)ufQSpN5E&9f7~H@K+UZ@L~E8P3Tm*z%MPsF
zk?v|7zCo0A!RKSSX#L!Oy5?wz9Vd3d@46(F7eDp4#bE;6I1g>wtkg`_p`kN74+~C@
ziTkB{=V-Y7>M3}*<`9&0adX#j^}T1ms9F4aZ`8aR;q}Y`#<2w?#>xA0-i}C+*g=hu
zcE;$hI!R6x>pvZ-UEp;=HP5b~WCNzu(RbAb+E4{U9!Sg}uKSu;(FFQKDauy7Y_;$6
z_-9h49<7cI?!zRzC=0LgZP@%?y}H;fe24DLO1*eN(m>8k*@2(jNkMPl{(_4uku1vq
z&G@Ci=Gy<e&gD*sxPW~ia>={kww0n>S&-Kb1QLgnxiq9BPIMp#`Qx1pC6f@e%joF1
zk-_0NA*oC7j|LFZWnJ*IHz5RBkdGC!3B-Unl_7o5V7B4KcU%fmbYQuykxq{FPs5kW
zxt5@PC&W}Nw4&+Z4Eo)_@2)THdV?vf_~05dB0uAJH>mOG<s4xH2B2Lp3`1Jw`Fd{5
zNJk2qtX|QCT*?j(=0at+8%3s6hW;?YXG`c#zkSsmH&+Jpl&64*vtFx~%Fqw*Q@Nww
zA6TcIGP|X=+9)W7*pf*E09lhoB=0ue>ND}JQ4*KSo?n4Dvml`vK`+N^J1Ekkj<P52
z`cSQ(R%}3V>&M%@twRA!Q6gaL?|Fkxq6A|#QigD1ex8{`M_uX|B2*+(PfIgPPVq^8
zXYjYrI;Qc;rYd;vIj;#no@q9GhVFd5qV+tC;dJ>am-KDr+pIXCWFm9=lI`3)Dqu#;
zq~w+rD47KoGM-;8ni2wKm<;?5;{AgIxHTcQx73C%9}GSvIpAQY2rQ&rey)c@f|L|-
zWBzXRA)}pR_qFKh&cEo5?41Ul-Rxh$_3w-k6ajitb;B|6C})G(!<h*UzbqL~{v1rQ
z0fH%!>^fHu142Mv`}o`U#Uci70G;Bq@XGOm)|}y1+IDz7l(q+)FvbJb200{3>J+Su
zPG8^Ds&v7<L;Sk?1Nc!u_gd#1{oKdJ-EeRjs!G2_!B9kMP@?|U^qN?rfGmswM-grg
zEflGgj2zJil|GSWO$0>HwRzh1!E<3VhL?K67)_=qAIrZp4$uJ1O*GHUz(pUF7lip~
z#vE}^tV!Rgx}{kQOCWWro9esZ@~q&`nR&=Ezm#*O01b_$)*U*-z^)<ocI3`8?RXQS
zEgZow#11StKux0kK}7%r?(>U8h=2L>JM*U}V-3s~CD=3pge2shBxhP51vuv^CS2(c
zt5@^<l&}9b#Hv{4YX8N;q17gf`=1qhHk8<Gba5=E>Ag>P^P>ws8CipBu=jg_2(V6^
zaxH-e*q*Pt6YOklE6rYD6n@PXn6cSnwNk7UiY%R8!zEOQ34x*~bllb#l(?$st7WN;
z{t4_1W1&=lCc_4E1O*Z?3Bh0>2x~cD*f_s=fXkbSO<V5xCB3&<0$MeQE20C5r?7a0
zvD~rC`!kpK-%@xQ?Oiqop$W?Oo#{8E@?5v9ZVLm|3w6W8)k2kt5F-lRGs(+T#sxp1
ziqpy;AR3kog+P|D(7egl-v*QPEFZNofrmS6NYz|rWp+DPy9*d&i4CeUrM9J+m3s0Q
zS4&^@O$JAH)#O?ZJ1K)pGRLJ@XwpW(*vNakf?nJc@fiLjw#xF2u<VEZhCB<!#O(N;
zoI|YHTQ;DTa+6G(8L@^i28LF>_soiWL<UyvM)vCHnZ(Lv49Zg@GUXHrVC}#JP=Pp5
z_p|I7GZ2_-(GaDah=p)q0min~cc@b_J5-fA;DPIt#Wb_u-G9?A#V#f5FbIdP=B;|Z
zLo2~A2kU-wxT=oa2Mg_c=`7@C@fwPlG^yoXj63}HyEHN7hB@8@GZ>Kq#4qpgd#O{{
zl&7x6E(4@W5AN<m>P#5c<+vM418(omINy%6jG+&=eim|?yruEapgsP>JJPXjLrP5>
z4$X-x+RQC0L<0PE^lNUPJetJzrcLC&_K`UM;`hZ_{$vQ=uE{ai?A8rGVJ~?c`gZ+$
zE4yw_x5Vao0LPxF72>!B4@>bS*jb5ZR&i?s6GVCcH`b>F%FzFYooygvXJ&IU&8q*;
zA<Pi`_S1{rc@?<(3J}Q8%jUYBmCOC5o@|yBj1OHeK<%AGyq(FmwCzto&Bs=A4c39C
zf&+jkCT|>iZ<|s-o9L;aCgAh-&hRn9>ugiFP~3nb2yCmd)9{r7tc9V#Ml0&A(DTK4
zUx)}44Tl>^nFBV90?|;6r)hMdQJj0<N4XF<_6z8d2Y2%q)0>V#W_|;wp3A46ho`m9
zJ_}7=73Pr6Y@P%P)Wf!s+IITbME1VGwGP^_i)80M+wYIcUDjBkAD9(MQdcv*g0#wI
zQ0@HQ2}k56AQxZ$@8Y)ttnIdxll%-eNBvL0X$~!4aehXEg-+M7WrsfKv15Q1*RqOK
z8y|C7H6u!|_gimi9EpM5sbo&F%59~iI^3{#(nQ=a4peerSY)F05=X!Y?h_E3a$JD0
z%VnL3YnguC)Uy)%1V;Pa6a##$qC~w+i*?t}{oC0lfme|`4VO09lq93-+WdG95J=fI
z+gzECe;0f%3U}QB*;IW1biF*_<YR`oN*Tfj@aD_m%(EjIG;MEQV3Wi^`}{db+vh62
zEcYF~P>lAQ{oiqNvLG<9i`7_IyI2V5$qZD%0kH*PuW5m!X~8<>@ra!McjF`(<LQ@~
zJrCi6nY?W<>xGW2lU+S7mk_kLiy4jAoW4<Ynfc&)e=uNX5nlKK>L;W4!*O5S!+fTQ
z%1AO~!S4pA3mXJJ&ntVm3Z$0U2OjQItje2YAv=U~IU!<W!oT|Bmzb*`MEzE;VYgK@
zxV0JsY8eO;g6@iEGB&_MA&YlAbJ_jq_+rO4bgS)aBk4}9tRd`k-vqoscZPSy4!_CA
zuGkK9T~3XOtU<)ifve*#7KUZ|Bp=J0|3dSM=WXi73)O(5h!};g-0#mR9|(IP8B%9m
z=8!~+fqe0x9x3Ht@QXEM(^sxOqsi$M0MN;DWJ8`kth%J!j;a<Lu!mxe*=$p*MR>6l
z0qtBiYssr+4wdUO%)5Beut&6VLmfmb=#2u<6n5QYI~!z3r7riWuL-0;GfyIdF%PJx
z@NZ_vi9fvKsl4zZ_2=?E6#I%S>UPm$V$j4TqD#ULNZd#NV+>C-gRrNSNj0T4z6V&d
z2q;gpfCgWQTo++9q#lX=!Nh@98}obgW+Amn{0FwepnAc<nP2aMy=YdrPSV_g&)uH^
zV}nB9K4T*XoJk1!uqI?0Tx0|xXxs_h@n8Md#T@9_aM}&;q4HWR+M7p$c#8Y{O}PwM
z$Ps6`)*K6<s)YY0WI!|2fQhyGEQX7#*c7qk)-;^8<Rie9b~h5bo;=n^Hm=;6Y|mUk
z%FTrea4zG9yvxv2z{d4veE(;D*r^MC&;kfpCkjor<x`Uxa6+H~wSjltyp7)QRAFE@
z(PC*06djO6I?wHb)&NZhuB8vvfKeqU3y3ZTPcQ|Te@Zt`$IA)~v-R>ibawb#)yF=`
zWi9y|=IR)?xF@tdBADEE?@oqDkqRp>8^7CYa=YAh5yw6pOFS5mC~9AYNr@o0<5%Q%
zB&VK?W<Kv^XipSTD7!HElf!5RLAPBM#c0Il{4S~k8Uz+Ny5ohXk_m0*1JNxT!n@!X
zXPFO`_fRGL3kp2Ulox#ZyfyE*hKfCg<5TgNnMcjHm#>g(Cq41?=kC`!(4i)%l)r*z
zXtsp;yAH@9V)k{VY2~hYSqD5#+>)cXiQ~vC+h1lu#O&wRWR(vD()uO-tncUGHjYQ?
zJ(3DP<{bYqL>l?n0FzG~;z%G<*+coi&sokVK=IWuA{B#~L-4F61lA7saBPPeaHBEF
zyPTIAoiD*R!atxL&5PBY?axtJ>v*xf8_`djYqci>9Hr?pwwK~Y+tGVd3v$g^pCBd#
z9rdC_1nH23o`jQ}{z0{vC#+cI4N#^eC&<J8KE?gIgb)9Shl4pn=l*(+3LqH8y!_A=
zu@M5VZsz79kP`ld`l(3jt7v=&4tXV5H^yB%4JWBj8X#hS+0;>j$@&EnT8SRKqhN=O
zU60EJjTlL3JF*nF<D6T)K}r!D5gLzBX_7uiMTJ@95xBNS601R6^mZ=#Ytr=a29gGT
z^u?2SLuMQHvLK@~;`wiBUSk(t9X?{fW7l47ffaj6xZ83k)>`}k1%P*zuU~&qUC&2Q
z%T>HpSOGM+lGKo=<vFH?O!Z_gzeka(*3g<<4ydKH<Te`p?0-KR-5}TshqgYEBsxqU
z$EawO=60#t>fEF3v}6Z9ERv>tx<4Fnw)-P>Y@o;m6Y+vxK9OohjDP%l*W7|a`vx4<
ze#%?YghJO>o)e%)b;Ad{zvhLYs>$gUub9XF8yRu*z+<6C<*6tDnxMOry#-{?XHPxC
z!A~v3eP_r!GInSxQryk;TNtC<?jjtw*;<903v^X#Gyy?eOM^<~a}pTCKVT!XS$bYp
z_^1Fnu#2pzO|ys~A9v_8fH^t|GoTv{gfiU~9Onp9(y-A+=ScmbBaBS>%s+FL^3D`P
zrJxUU?EE-m^yrglutq2RqW0Zak<pjs_Xw$TQZIVH?-?%07`-|J-W}orm0ueuA`Vv<
zQc$rWOiB^+z3HZUdzMd*rGfG9`oXl>YGw+FKf*LwG~NQSlm3I2Z;dB{2gowc&axjh
z`lSpkkRb$V9az_GyK2n9-FjcmF<|89Zbg@&jdIGQQgPr@X^mOi^Q7!MWcsQo2IY6>
zkqth#$VT1gIcjORqH@$%Rv=!6YB?m`$Yhp<;@kYgTk)fBEjulyAkeSm%s;yN4Tm1j
zBn@zil;Xy}4&n<){IYg>MgK!R&1$ga1RW1Wg~JlxmVp&Gy-I|L)%~>FO#&cgT4sDz
zL}Gud{pijI#M3d-{d!A|Q?Xx3Twc%jKbvr_Q+uXCMNn;?Jg{)9_3s%O0p&kI*}4in
zy89Sn9Vh(1!P59s4b<dX!3)r2yhsB2g$sd%)ue7BGeOOAAw5htJ*=C*1@485kAUL#
zbGW5GIqHr+kaAc~lZ%X(X@Cwg&FOW4kDv1618I`Fjw$?wXuBD@ObAq6_6UZGm<onI
zfp1R>kN}Ls!D*s_<m67+4Q~ivT6F4L2cZfl<sG%1YU(L?4|!xKpJ8Deyk&w0)?Nl6
ztdbs16okK%ak2xq#$GFX5GZ=)&HfD*54sev`5hD%=O$rD(5(CmnwLwDg@)UtZCCk5
z_m|_B%P(d1?D){nf<vmvZJhps=+x|63T4MvX(IiX*xf@ZNGiCIXfTx9ukvN-{v$Fq
zUd`lLSlenn&qRFH_<kVknfiyYxtlli)+%~o%D-I!DX2B3A91pTUwNT3zO1p=)PbiV
z;ex_TiK>gNf+6f~H!!V)k+`liTWo(O5rYd>emZb5E10cd6j2LEWGI>0!k(@W)Cm54
z=+{;*JD0}smHV=rbXLKQU(-81Ez`Y+vI>0VNc#AH$odMfs+R9<<iG*pAfQM$NOw1a
zQc?nv5=XkbLEsRAbVx~wv~(%Wp-VtSq~Xxg-SzF`z4zz6{|_D?A7<}8vu4d&Yi7@0
z@4PvmF&(wtr*K7W7g7zjpR!EVugz}7bi-kvuzOcq{FW;jw`npy6ixseL~_XKvGP!W
z$F91HpS`Sx|LQrgU-)}w+|2FSq9OFx>&)!v5wA<&j`Lyr{%6~8#hKs54!MxEoA^aM
z5hBesF%>A&V1#zJ8&6D!7Y*ce8NSj|dGPZQF|Y=01U9Y%Ej+NmbG7LN-WEK}M-wk<
zeJpG2T(XQ2Wo>cU2S0jWxS@d~??Z&lfQ{;`j{_*>z!`(Gzi_tGMmAhQ4<g3lOe)xW
z9m_NG-Em}%`sCB2!(!O?Xe=WtoS1&xk$2pToKWf;Y!0PtL&VejY8&_z%d#^|T9Lgi
zj+ag%ZzT<+uPsTpO^{ZsI94>eVerTfMziq0GHLTG!t<5Kd&aMa-*1XO`RsTx?jR(q
zX=M(0^ATnjTc-s*c3t7uy&)!M8tAju>VV5ZNiDdd(AP)IpRp?xa^WVWzC^B$(CpO$
z?y%h{qs9wCfeg}<1JF|rd+v%bPR1j$2t|%-%cJLZUc)u2ERwl4QfPUxxj0ZeMRqZT
zRl9qJ%wjDf`REOVgpWVzx$9LBl;NcLrqx2%-4rq}GInnsPvg&T&s}Syq+7ZY`kNKp
zG4Of?g_7Yife8C$NKy=7ueOvbUk)rhF7@q`qSW4aAkcAmzzT|jfCXeV1(+BV&%Zkq
zxyQF{)I8=feCZq+*+(VtjGs+)ya^fUwUUjTs(&sJ?OtGcETl1t5I0Lhfz{Q3H(B!!
zCXi&!b4T|c(TSoVhd0FYkM=A-NDPhd-;aWIXc8q=88*zD?OqDK70F-YJU?UH{Yh}|
zpaR&6ib)#03$o#H=~r!htmDPBiiY*!GV${ps!zHOv4w$vwq&OIYOhMIUfPUx#Qm8P
zIFgHXiO)J8+*;1QQR#t~(FL?A?AV-QLMVll0$I@?wJm}T@gPm_h#K@<Ky-cB2I-lz
zVthYGM(11da3O5;b<f#il!v2~hob{w1#r0hEL;Kd^?ti4%#SY5006eu0vtuOp1^^l
zGhvjn31p8rNF8d)Dh)n{PSWk(r}}{dHA%LwO)JZITQJ&ffi8o&R!tTn>A3g)aS?DX
ztlGy}%mU|8;2kFp`Hmxt&=GD`<DJ}U*&_Im_S*!|hreUFKln^zWlP89*x3c_7!Ik}
z<3vYMek$DtK0+wuer2SN+9=pjuM4I0tWmpjcE2kiPw4?s1^co7hsIo*mxYEoI5S;V
zUMA2txz7BJZN+Q>1<UcfQ}zrpc9@_X;MK?O!@3jNPh}!p?lG5u_pmPeRQWWXQ&}RR
z3e;kC!A1%pPh|s$@5UQ1na}Q@(v9lgVI*r|2e{0>YmFBay$7-=X$T<x#4|dDQ+38U
zf77yvoVK3~tcJkwjl%gFM75XLncd=7vfuB4-?Hh5fn_gR`AGwDQPt(<FK<+Ty}mO?
z84aAT^LxaA8M|J85cq19?ik1z;!Z(wmrxgy9@v(sr?qxNOJAo?JUu0<$1?a81{=dk
zSHg;t#}e01-T6iF>z5Q1;YaK^j$rDZUsQ^^ql(-J9y68wC57Thg>q)fTwsFG41?|K
z8<)fICLYr;2;99wCls+mqtwCIU{AB%uxt19_&${yX{KQ)4NWdA%wwkgd9O1f$3tzH
zY8A0;B_M%KWBzL3#Rrm$kL!5V5qM%_A%~m~c^}=g`M3rSqkO6S#*P&m{8?A9)D8Dl
zNAqo4Pi<8E9G%D;Wx`KS*~eFxVmY2sFcQuJ2MQCZH>Hwt=~~w+gNTK079%Nyv&)2I
zMzU-8y^)^@rWnzy;}CpZZcG8@F<)qfKSv79$`jwC=rOQ{tN(l(F&}@EY&@aDN==fK
zzg<XXrRL=59M}b4<p6^$bap52DcCdGTg?)89aX|H?%+{ZI_KwWrBx;74muOuHa8Op
zR~CKz;ikj%ZU&{{d2wRW=N(4W+l!2X6{g3<%q|YDu#QD+M&0}T>p#t!mim(X<KxE(
zccU9yjOQ(l=ie2_v2@Hu)TSR(eBuRv<4bi8DiXQ}3N7YfYe6#}G$5g~E)VrTe92Yu
z!|tEYN^Y%;jTaqX(7Cv9UYyp;!(zReZr<L}p8rI^Iq-yk9p}CgSH??J(Nag0&4Rmb
zl4Xne2UL=oBmbWldk((mFUXu*C7yT)3IaTVp7{8YyyI~1+1b}Ea(d56oXGqyyNfkL
zE!j~aQo!bwXCO_>(wN;6uS+;guD~1}L<elEd-Zz{qBg5@?;Rbb$0D%rPoLLrmkvzd
zbe<%wY&WfJ&#c&G*%m{9V@W4!B0l6!uzfT$aiJy`6E}U{ncJ0V3A4THuOY9?@H6~J
zPN(5ri>0;dQ><y%u=u4n%c1(qOxOx1(n&AqX&6T|F?&8)R$a+-#m^<^%~tO^=e25?
zmLzsR0$(3ENT8V{Q7Vd-1w_a}#*#gTx2UF7u{2hLBbhr@4F$0ubm`pnv)8h#$O12t
z_q~Lo4=l&wlPm5_-&b%p0Dq8?TA-9qz)3dc>k<@y>y`R(aL?g-lV=xIk<{1Q;AG^f
zrpCfdh7kq65BP}Za-`X+j_`$nBi_DUQqk9mk*SNMC?eBjMp_(j7RQRt+Jd0GZ`+~_
z;T^AfBiH>g*u5>7{GZP>$pd4{wXhh`otonvu)9nff(xvbSUeq1OpKGn5U!!w22b4Z
zeN|FZ<j?dLrod$I$^HoxK})Q|BW<JpE12xe6dle=4r*PkWfY_UfDH*vO$p^Lx5I<n
z)Df^|foSg8i+YSsR>;-flp`_<Y!c&{8*wW%PLBUs764xpkMElxK1Tyf{4(O}^<pDV
zE}=-+LooK;9RvEduE7qOs}|5wV%e?5?v6oPSO-dUj2*=lw#bW4gXb8P&AGMpEy1gK
zR)%R`8kY~86-w~&r9u`L5eTM-xv^o@;W>3e;dRU^H`rL}Ge>>1E41-69VB&U>{-l;
z3w^N*1BX5z8#m)-i$$Fp(Ry4$((O(8>2fqj%@*E4PX#J2IgY$d9oA>iB_Y;M&TX}h
zj$@z2?~`LfZ0iYn^6yVnl-3bwrVINR`qd-zvCf7HhK;r_0|C0^01|4|m!jh>F-F`t
zzf+z2;BY?Pz4mr#sPZFF$3QKjH3j1&G~?5xO0ugDqvvQp+}f6tKslIJJ#cB^sfgzH
zygO@rbenw81qrOum(%c%<j$Z9Nwyp8ge!Vv_SaqxK$zMq$jWF!f(}qmyPfX6)elJG
z-P?I&?zNX*3ABlXxPbH10n%#=Q>f>IpdNEX5SieL%i+}Vr^%ue3g)&-+l83>=@Sa8
z^rx$=wb#$s3&yt~=@e#A8!{aolC$p*$8KW&$})q9B`gbDo|~@(v*e(lz*`Ml{7!Ao
zJe&`B<D0safX03&G6Qgy!^1;y9xkz{wk6(*3IIvt@VQ2oRr7~&sxM!n;<BPlj#}YQ
z3;?JDvBd;Xm&JD?O#8eD^rGlhGYk)Al^9xa^qDs1=D>zpFL?G!8k+PZy)UGhXcDZx
zrig~hol=qWVxXY-Zl5&wP)YcC9iCiw$PIIHXcJ=sA|TU*p%)|o95C7r>Zu>tb!Laq
zvUnbtX4gFOeWTQQmTmlN{0O-@;^L+P&4Qoq<!41l&Cjqg%kO^ZQ!xy!SZp{G(?~Y)
z6=^OKVxU6g4*=}F>43~^9zOzw0!sH}_q-Btl=I-N;6vzDGm+GZ%m6vz)9{^~Zze-1
z!<OLBWRBT|7}_04+i{4;Q0PFOkU%2*joqV){j_GE9y{7_RIZuSeOnkRx#*7xc|OcS
z&%1YJ2*RkjX$jvNvpxjY-?0@aiv%Y;^)8|HP7j#hraN)Zk7(;wy(DTKs=pQYqI^Lj
z#0D@3|CX*7{_Qg)eeHbR)|@OQEvk(hWK@CEr0oD2_sAYSgyT|)D@u;VL&)6&wU3ef
z&B%uU$V=%UJVV98-JJn6`V?{_hC_1p;VV2LDC3$1q`Hyw?Q%da+sMATQIsh;zzi{9
zftZ6b{gpUR4G<EO^Ef7%&4KgZ-oIMi4xP0o^CabUd`)zrF$2E$sqtHRKZ@9=mPa5X
z2~cRxw@|0QktU`9z4IYJrnkYwr`&~zg^ddA9jN`HCJ#~3{$PeEHb-o4OaG4o`@7n&
zgak<*uBdK=lQ*TO11Ujc0s$b34ONKW)sc(?*So)<6R`jy`X0&I>3$_dX;k`j_U$yh
z{L9?@dQ3aOF<#5-xM&CcttMpSPry6wjXYd738)niUxGCg?wxrbNBioUO5uhHN0a9p
zkFGBt{ypj>#8X!Sd&ZTquvdd5bxhrIPJZlz!$Oi9=Pi8m8|Qk%uf&ZOfnhj;{&^q?
zR?U_+yvD;-A`A+holmqt)M5F){HI562q{C7V6U!8gt`!#6d^4SZ|lvV0RU{Y(waaD
z;1!py67-3WWk7qO6k8)z9EMRJD@{h$*51uP9VmktrumeOUdzha;vt!X2WQuq7eN*^
zF8)gl+b)f-(&i@^tweQJ_NkKdzi~Caa40E2(a!2ofa7u-WA;z~f7yaL!i@#e{=<bG
zs{r0P_GZkf{0)IeY6?mCoob2z4&&HAi}+9JxhW#<KLx@753kZNQnM}<4WFy)s&v^(
z=j*(F!}t(coyA?AZN%jyW`K$gJjp!O$9TAU;Z}`qyG}ZDdl`Rmxwlp{;g^#mZ@E7V
z2e9oVLUzR-p%O|+XhcBqLrzNMrSF4qGu@wqFOZiPgrW05_yN3<Z1EV$|Nf-G0i<1P
z1qhK~M#P7_@@>xD63J2TIuFoXOMz9!Hm0IE)sR;{i0|K52MTGrAmq}88?wj>6(U&E
zB%b_k@1#>v9{C{sJb34{xStOxE=$tS*Kd9k+Hb#2jzua*!5mRll2!z0!ZF@A==UYN
z1eh6A{>To|mm3eXnDm!vnj$-%3bt1QJmzn1dL$vcDIX5GVY46I|0#`!J;8h#^9HG-
zzo2QqsnR8YlNg|KfSiAm!^Z**^_nxgs{XeKS&aOL>?D%h+YDOQLgGoxyQe`yj1=Ra
zavA_7wtM;o{A3g$ME^U0{5{|wnb<=9X(ph=7WdxC=}-(Vr%DV*tKZEC|Gsw5Jf$ji
zCbBC}<dUUBk#XR!UOi@@obf+j-#$%|K7W)cEA{}X!+RVdlsgj0gChRY2DMk?^sejt
zd^jT=(D1j~yl=yqtw`tn`|`OkwEh%#@f_KES4(Es^3$6Rxj({xHzzup+5U!<HA4^U
z+K%U6HNTn;0%d!Yc|Jp4o$Z5bY7YFbcd-@M%`S=mT%_oO(*!GMB0b=*&c{|PbzuMd
zvYBrGpNpSIa}@t~G5=pGmJjN@Oh)QeBpw#=(K7#ES_VpWfIiV=Ss^}s`ZFlV!9l9U
zHy^f{|3~(}#)^cPrypJm7!)8sa-@L&*#H4!$EM*Hf9wI!46^(QU=pT$f1BA^UrTfF
z(}!J7<VIZ(dA$0t5BJ|uK7EiVqZgc#ubaeetn-e3M3jaOgJo;MgoY)Yj*cnN-qd~Z
znbVRMQDEQ)ObMd!4}rt8kv9vtLHcSO8(%#$%6(%8Qhj!XEryyyeTHLxgOu<9@@C{O
zNRA%-dD6BMj)ElaMal};8${{%FN8dUc*6cm<LvQYmmP(=^y_qWm$-%8hVZw%%jX)5
zbdKaY4OB37Epk4ZXi$k0^{r3Bq}NLb4I4B1MW<h_etmsOyQ^`P;mRs-vkW9tdeV5L
zClQ;jG{sFXn7|@npMyQJ{E71iwa<-|D1Anpv^l|-Z;4q?t_}Nnt$byFDsq5=4W7wH
zFQ~BH7`2U~68oO%(GL^jX7M<@e4Kw+3(>l{bcmaL{hEKYz}W5P*~h+u&1=yI9tQJR
z4)pnUuWd)Ai$XRZP=gtOUvNdJ5y+?6&=?v(EL3HT$i)~si5@bj^Gocvr#UPyu{N1D
zlK#E~9pALF9cfrTmN3moeDtvN$L=Wx7TJ5fT1P9d$*ZE4#+waKbS<=K3d!O}Zkemw
zmqY|NKUE*uMhCBuZEp=P9)QG3hu0Eby*JW<IA2Bu6`Q`qF198+aa7S2`#w-o+$g6A
zVPGh5!<dXVwMwnO5SQ#5nzr(KA)y(4w(MBzVrMtYWp^(o^1ayS`aEUaI5#iW=#h!D
zcb|<I#EWZm-|MLx&Q6a@@``?`YGAp=0Eb%7L{-&&RX5<uzb^cxGby036Q+DJG@F-5
zjkPq(&M||H1&|(nfWBg!ILENeOAN_~s@2iKq%}5UBxDH>q(zg#&ngVjD=aKL>pmr$
z$MuC$%3L8H$8tZbvWT)hz@efMo!l}XN);AOo!=^1IUE|~Bw-)fJRYIA@KQ8e(F8p)
zVJuiv9Uk_~NHu^f5$Sak^4Ge4nEF!NNb9A(E;TDDHZ}2my`Sp)&>ZY(b?bgnrI!11
z9sP``LPJBf2gbX4oSovr)Qg7HE<PScJdFAIx{}P{!~pj=z&;L~k{?bBjNRt|gTb2m
zT8cgiksXQ7lse3yrz26Y2*qcTCW!9U6M%4AU;WJlR=Fo<YF(vj^wQyZ3&|&NINaQI
zU~HB#WZU(4N+Qh5;}*KTNxIfg5!?Gt?F9~)k|K*9d?RbIMr0fs*uMBdw4~HwLBkAv
z)W+kM3s0Ec1R6YVL}erUI@3re+8&agY!tk=b4$DM@#~044$rR+37t5};9QI^2IAMU
zijnBR!5E?_7O&KQs6PL=l|GZ4JpLh5&tTeAv8_acn5tc-f2x52Y^pA#9RfRMpVb|r
z1-l1pX$f9s-8YvHooM`N<LH?V^f?Un7WicjuX?R!`FHmPMi;;LI~<SiuO$%+v4xKU
zlugRUh?tAySTJ^2+=B$(j5jdlwfi7Bb)9ncNJlR>3fEA{Ta8>&`G)%D(X1De4shT|
zNw|`<5rGNf-4PqJ`G+Btg`8f@=kY=4G(vh7FTiFKxJ01V=6XA3R6pNHDD){AH^pMi
z_Q0&-Xe?TtpRe<(yN~JNud{dTc`ezRC9seue8tR&9qTBUV`828?-?s>#!xx2LV2v6
zeNWb68%c?eVL)Gu2|?qUhAq_|=G=M&QYa@<9(PQ_PGM@=kg~v%a7<5F*rF_IpncPR
z*fWAAnWv9vt5ENtVsCyzYmyN(#*6uY8TOG46>A^C$AZi90Y9?6*iRv~KX>gm%?Zon
zTv>VJ)t3T`{Kn$O{M(EChVnX7<MAQ>?U?nsyixc-aZgm8+X%18tt&D^in}60@$M^x
zfZY`E-QLLwqW{TQ_kFz4G3^$Vv6bbm!{}2UA@E!pH&-3eY4A*N?EpEbAj2L%CQ`=I
zPVA{1`Lyu-3gOBWH`i5sJDrd_aBAR$Y<i5LOUE}9>XF<>p|EMnpHd<qa4SI{)to=G
zzk(~vB9V*~8`|uCO=e%4#H)h@6nTKSW(dlC>AIWy&F<(SNqW1O2-sc?Si49>mrnZ$
ze_DJYK9-{``JvZi-r*$9m^wlv?i=pZGi)G_YL**FniXf|*Pf?+$jBhkvo!_uXy6tX
zH2;FPxXJeRwYprvz1Ice4P(HK$Yf29yg=AX02n%f+?(&};&v=DhBj7IYPGnX{IGaW
zVPDGz{%H)VA0?i6K1v9OFENfO-ozvcD1-wU)cj_>4h_$b6AgOHUp--T-Fmgv=bkNg
zff?kyL_EPk1OCi99^d0ws?d-=rmYuH%H&~_bA&6O*=9@1L&jB+J&7ZXvpj6*y!6Pu
z;qBl!r#$L|S7BB*Z-{C}*g|o6T*1YYYn!3u5ds=UAh1Bq+j=o~Gk!_%&viW3`$55@
zB*ahIMZfns^xBS<XRvML7j(!)_kGkiv4}8%a&SkxMoh538Zd_Xs18NLYWp8?^;8&q
zY>i-4e!bCJoNodpN>*=!k3$MIb{gkfN*}i-_MF;k`UT{Yd+DqMV+a5#a!7mV%A@CU
z)YYB*(O?C9hSUc#@WIiq5R*|Zx*@m=p*GvWB3cO@iFB;T;+O5kPC{*;KHJt5sW>9A
zvb42dWLmYsi^qMt0Lqs;xilo}z1tq*DK~w}3Yf2BueFM>)5N-f`PARYzdCbvJ$KoY
zey#bMaxS*{4rnvetH4!wJ{lI6Np$aH)rNk~+vgk&b%pbZUFqvJ;5fVcwH+Zsk+jp9
zQE5U34R|S~F5`10B4sugYAbv)WZvWQ_9|aSHoo0#wWf4!7TnqS@dZ&<MqsiZuX-YR
zb|&mH|7yW#j1yapu!*Lt<I#J94NB&K6ROO-&6fKJ#o=Xq;deHjaBM=3yZysF9!>yd
zK+_jQ$F`_nayMfJx0yD_MjFp+aHam#s3oD+rENMdCr=e2$4yEaHloRT&rYbzb;<N5
zKckEPZBV2wacH1m{f7owtiEbmyV|SjVUI>_*2=W+Y>b*2tf|~@*KG?`Gv#e~H%3|r
z(zImgteTwGnq%Z|4lf`j{uh&3Uu<*k2%nkgb+CzollYxUR;4VU+)q>{2ZbiNKGoa~
zWi<BEVHx|fU%PsFPqc{o)9^o3^C@Je<%4=l4t&^)yRa_)NO6(&F0?xr^zCIhbHq;n
zyrP7mEQQPfedgQ}ZNwmBI(MU&Hi&7L$DQDw%3y|I))A+czty^!ZJ~ns&J)Qi=!o1i
z4y)o#hn8xcqM@Bxs<iH6siTmGdOvI8&kAPf#=nv9q`c+@M-SiGBKBN-2aco>c<xR5
zB=Y>>y6ga+cG5_s39%+~y883%x0vWd;yRXwuXpDKja}XOdi9TbvOdeFTB*<J#zayM
zGk3@jznjmW*}MOS{zOBYdF^%Q44bg(s4QU`1F%c<G^MO3tKAySnFja!(;Vk&)d>QS
z90T-R*1J_|T;c9|A3Eo<Q#@?P?uGpf&qU%wqJb^(OvykPo#gdapzQmka^rHe9nS4x
z9u%gKagD<m*QXx)Yxk9(hTR_$Z~Q3?Deae!OY^VV;%z}$diXWO(FhqMd}zRai#N4q
zm$mqd)2+jW7bC6DM5N%FiOKTb!}ec*Q2Cdyyf^`88XE2X4kSPvA_i+2p-8sgJ|o}H
z%Bg!jHu51<y2O`QsHKEl<;koC_g?$b$7e*Ko^)dbO8#QXJ)YtR7@;zN&o16YO$1V*
ze9M2ikqJDU5z`b;Y-@XygFXPMPKF$X2aYrFF5$9hQKlnEf+~d?GBq+JikVcdnA`63
zu$)c8%)jLkEKNi{o-@|0TgnV|VHyvF1-(i!bAVorug4Fk99OB;OQm5be~MTEw=<J)
z)-flL$$~}CP-W=N9uMNIr=ie!kj;(UEbqjJ5<XBTR=X4Z;zqMS{zUsbX~R9owu?YD
z5MyoneRebqu>e{Ut_swEy>GSUQRd{uX+t@yVV9OFnp#(QH~6uis8vlJpzpCEB&I)0
zy`;`y7WyhM?QBjdzsT;Q*$W-5_}ed=p_06ZdB&^KuP2j+a$d*BaK#JLjcmt^soayz
zI(YFe&0(2T<jL19GA_rT!U6c8QJn7rTI`bDogZc({X8j7Ez%RERll0+F%*vjipMO`
zj>Gx#hgOcBt7F>pMII@gv-fMFp--~>%zQyJ5ku|FWiVW~c<+bq1NQzX)d{u-6<c%$
zM)Ro5*!O&8gCTbeNhTB1I{sKrkE&$j4{>3Q7YP!cL4t?!F;sMvlxaThrIKGpccn-O
zTy6h0kQPKqcDuLg=7gkBS2sMA@<m(G&(bLYv6GhvFFI1TpOks$dBjXlQH&HV{^GsJ
z^f|3)b20z1qqLfO^=<W2!UatbhJYBqd5;;<xO<_{T1w6*4vAeucM27;l^9+XlBb{T
zHMP;uq5j789l`hjus{?!KlcT~1_lN;^S$^gB7m^p0|y4<#?$a<K|LLnv@VCWI&WNS
zECt+>(!D}YwG`2qE6lwYo>*MF=jn)v%CIc0j%AEE-{n-f(0Oa*dp;)U*s^Kv#vTEC
zEB1W2jsgUVWqR8H(}_#r+$<_*q9}Oc_+TP&wLm${JVpQ1^*gRSIvt1k)quK(*wiml
zYZ<kK+`TEX(2dft$u6tovpQx^MjF9SlVK1N0sS(A*8OSuwYVVYy>{{<RKJd1b+{|8
zNQFEhq{(@V^mXTy8yPVh+udI6+xvGOb1C0j(c{|tx@NAp;1p`s1{cxkeM6>A82X~!
zT8(2?0ab`tYq<H0^!+22xZ=f(te;vUtjR7GJDg?i00zn04Ku$7eJrku!qs%-5y#zt
zBvB}B_=?x|vEZZOiG7XpWRCuMm>vjH(jrFws}nMUgKA0!rz}O!_6x4C#A@yhgB6K(
zD~o`rxuRg~=INEp>`D+?Cuj}sJkE2Q<{+rU^$g6@7@q?_0r;S1W$f)YKj2FLJ<<sR
z*<C9U3AFOvDD#O{4++C2Hab+SUTeDELFFg%l?B!`V%qc7p*5mjF;J-D8vgdCe8Jl2
zT4n0{up))kH8*m;d*%suiakDHtP<D18N%be1Vhr@?m;`@)@wz~JAQSSFL#^DGoqrC
zpVSkYnF%iWqUApuIb|?cet^Ho;}S#g80!5tqz>v>W8FE%o%T#czOdz0u0_9tT3J(O
z?qJ@eq@5m2+Do#^wb~eZ{SkkZC8{Jhb%T+NO8wz2y^NJ5Ui14W^|}nUCwFyD;-cMA
z5A&oW^AC7~oOyM@ja7^BuTSjzvaSoVWK5^>9}~RnAqTyrKM7|Pn3gYaN|}9Y$o0B^
zJ>kOmZOBZujl}V{_Pv`GX%^OEbb@pgjTcBqVULDc{MZqxuoG>AC&=E!4xwy{H;?A^
z7QRweaGXBx+yEA6<@R3~$|(eWXC>EXLtlK}eQ0VfXgqiqmei@%k;FLg^CX}{L2Mbm
zBu0u{u0|-HG{dq0ARV%LWFEOiJKVE2UeSt~>e;3Dk4>pe_?qY8{8q-xuLd#?dq%_U
ziqMy7HCfS1p|*;2)R<GG_TQ;XpNBtw$V^BpfEH_G$C@VyDOFC0SMMy$PR7(^#d{Ly
z(9Hx6pCWCt2^+(p;_H4of4v^;@BZ^BP08Z*?4^$mBdhXo`sAhPT1o1p%TI^faXmjO
z$yT2Z_^#+B9Tqv0K<)>NXxMo`cn?0o<|@mJU%nY!*1K=oAGcFyUT|||8MvJ}Z-2m3
z8~OpunBCCIy{~DhN=tcY$EyA_aq*5!=2WvF6-w+~ewOttF=IAul6a-sNZ4IrZk{eM
z%0q?#9igTG7!gN{?otn)Q+#V&(u4S^RegUu==a;7Q0U#WA1YU@wJx`4s%aV6*2eLq
z_C1yhOSv6=_1XanVwiCr{8Yb$bM<p6c8TrEq_7zh%l4!32tt$3qdqVcr{+Jo1M=wO
z3#6e@(n=#gu?$f|yrkAL%4ikfYQH82`6M~1dspqPzRQre7rD#5uf~Rf{fGq$O=1|d
zM0xDtHJ)6aYAM|v>^c}Z8a`zni1A(@&4osM`OM82@urOqQX<%4G5k>eSy|axW3L=h
z(S}$>aDM706~ukg0}36d{6GnEDOnCOXnMW672#NHV&*7RY)rCSAi#B2%~0<#)TDb=
zul#iT1vl43<Ewn_69>1l>)vnA0aj=2vid2@^MSz~pPdlbcTSc;E@T3>H#j<8`K$(L
zn-lWmJj<&%L&v3%pSmi=^UXdN<F`jP0)&JH(RaQwob$d*rZC~;oh5ahVOqUzv^i01
z_-tKoo*IIN4Z^6z#wN2N_T2pR<ZUaZ<jN0k=SW*YisKuSWHy7Vu}9cnG9|Xte>jgl
zVs(ZnH7}S%r-m&PNpXFjb6V=YE#DvP!MfnM{V`g!HkMpIvQWHxreJ+_)`bfO--D17
z5^BZ3Ja*?E0PnDDT#ir#3#3F^OBMs_cY5DqWcVQPq>Ku}c1&q8v>P$Z&Gl&ipfiP*
z>dp6KhyDd-=xQe%6IGqgD^mHk{d%i2<Kbv>_U-cz?6};lz5>@@53&5Eu~IO!%Ct@L
z+T6ZZE^D*lQd0i-wedOU8UDjVC{%`Qq~1GSlnqQM`TU*6JlT$oqx~d7bBNzVX#86P
zLR7n8<5G>1(NdT!R*ky4C;C=r=A$xTxc5=I79W-ly~0iBjCrkSJr4rAb1d<oi##e>
z#{seOrK@VvOEoZ3<C3iDDLBe__h}Gkl3^<eD8i_y@hse-f0=^We7?#`n~zq`9M^rp
zC*H0yj$ieMp%nuyAW-883h)L^@{BXZ!_1KP<-4-B`g<0dY)j2h=$OW1sh7IvbFq{p
zRWfGwmTBw9*J<fCr}Po_I$CGBepS5_2nQ<#50NiTuMTbD?=3`h;zrV99K#pWoO^MG
zN{vXo+u-h}JL|hw>uarRptjBDyv>4;5^UDVfx$Px`;X2<N*5e={y03qeuai?M?B@8
z*RT~4HMUCB^v|p9<u57)PFH6py+n3gTrn>RC5w3B-Wp3Yhe`Q_>aqzQ?+FhSi>KQM
zv<mEPcK!H~BU({WaWMsN1W2_)(19V>4~2!C+U6<zVDu`Hf;9o$IhB6dwPHhwCQv?d
zk-Ib~JP{0Z$K2+zF+F0$xQI`(i~u8bqC=v*);Uh>xz;nH7V^VurUIt72M2gAW-Pp)
zM&HiM6RBJMGViZ}BtTv1@Ap~k1A7(h>sM%*VnY;!pqy<1P6~k3kl>TOdzmbA{c&s+
zw;yJV@uvkWDt34-pDOknS$f<DLC`#nVO;z{vwr%X=IbNj8iE4|*~$Zar5p}^Vxbt_
z!~MjR5jbT>cHT#=qAp6V3Kx<!b9}9b>Ol-^EU5RYHgG_6^!>$&ib;&Z@9&bNQMWMT
zl&J>}b_XQy%@QOo8*lW$kAvihg<9FHNm_p`q8Fi$RUI4=eqe~UOsQ{agC@V01fT5Q
z35E@5Bpxo0KR@6oJn{^3p%|(fIHM-k(W$(VU@=oz*)TUWzWa<5Moebz{p1$BR;8z<
zMYf+HQ+2d?Lf7gtKqfE@{>nRApPMf+yF4aD3mi%2Ifa;clbDSGv31{#z9|FFed-%}
z<5HM9hYS8W=y+})dx{76pY2y;1gGCk=-t{($+d*U(AclS6jfKF!>-e67y0f(R$O~E
zMb(j+o(H$toTSG5L)QrQnn*Ii=<xQUN6e8$;$Lq;APn$5Z0zE49CB-5+~IH-%!ZrG
ztxG9SfmBn2MK$33TZ3|t3AC#*arwEd6Ej(^3S+q^ld@5k?9uZO`D<bw6t=NE4NuJV
z+#;0Z`6eSjE)-cT?gv|}{<0HKPG11<a^+yow@E+Ab;`upZ>7<&g9=DMIqY~&M?xNs
zkP@^2uWTMv)4?IL3N?IXg}nm|?;=z%AxpwT5gT}z2jO?9^AakB5_?174>EqGFGA^W
zn%m&&8LMp1So+9M<VR>P+plr&N}dM5(vqEwXF|Ku8(OmkA(2$rr2M7qUcD)LLHX6;
z6<E$fQE`2qCM}zKIeJ|x5PeBcSKVC8!1Z$H@tMNxMt>|)9+kZHNiLVyL2VqDevqws
z&^vCfdeeadw-U%bi&QgTAqXU!jjapaygYvT91C)6m9ma=O_r|6@!AX_^oclSp+8ZO
zM#nzNS!lfSRq=FymwCehWp#8B{)xGO0L~ClO->|i+I@HBCNs-#u>0xr=+ta;Z(QQK
zCbC?XXGo{xj(}0s@76xGR`uyg?|;J4Z0RLp+98h7u<bF|#92FEhhPPR5}r<_FE?BG
z3O$POb6#rI7<m1qIYq?(q@jG@b)bJ-s$Hzv{pJmF96Q?EqcK6dQ?+CeUrl8F$U=ZQ
zm87P>5~V99myeVj^uR&gl41CsH5Zrk<4l%2CT;Jyss)!aomTKQO(>ricEV-TQfS${
z!}#A9k{nZvDt11=Hj4h_yFz2WjLFZ%tiU@6lCq|uWu83!#Ba1})q&VIfgU{GNb-+y
z!RUcsWFGdRO4zz^)N!l}=O#<P?}m4r#mHO3wto7`J{A6cjhUAE_3Js=C>hraw&CPr
zse_4V2YQV%>2noWt5|5Z(jil*I6dExjF?`Y4;*ecP={7`VHwPy;Eyip-2wML6r6Fr
zl=qL5qvVlI@#EvJK<9n0^~rs`4e7N)v5K-ByS(_0U@z-C#P50(I=&v`fE%|ixhwo}
zpLfHz>N=rVjG=k_LgNc;)seVCFgH1s=5Nnk>Yodw3^;WtIsBSO=wCf5I#ug}&pe5}
zXgwOezPBbKU^_;}HLPTzwxVi@`srOzJql1mB~K&|xa@zEwDKIK`9%e>4&(CbQpaip
za@G_O;NCl_^;b>wE}CVfefb$%vVwkpYLNA2!mjo9Gga=1s{YBNAef|gTj?r&_3-<w
zn%0=|%O0}(3%BW>?R=!e8Lx3vlMOGQZtVR6wc<d?k<)JpB}g?>%xkU8ARFn$K%ple
z_g;*Vw{Ams3s;3i1P*<i_3+FvhtJI=Cl&}B^C8zph3p<jGTMq(5KOyd&U2!{#+T+3
zKU38s6>8}Z1n-XX@v7qo5~JeYM8>F>8+(RBlQv`84;_txT?1M)RJ(g?_hMiQ={APy
z(gSh=b~Y{?j}>VSFtqJ{MYFnwnn6nV;?YMxK2^06KaRuRf7afA-}*&w<TG4HKLG3?
zHDED*#Z%D}T(3MUwbStn1C*S+&m%TnzcyWvDbOgIeAxrX41fsps%f*wgN&hX(_c7L
zfkC|HN2_TVF#!2w&+0>^`b?H!gSu=fH<CLL9Nuwm;;pLP9{7#;V-gVd3=55K8)^Ec
zW0G!nC=e%leljZjeC;=tv05A3=Q0OCoLo54DyuFgV_>!Rzi3w+%S<}7n(w#_x!Sqb
zqj~JAE=t~m%vA6k1;AL{cX6&S+u@`MYy;w7kM3|+d}7}9KYm;Y_|*lUB$fE)?BV^A
zW}Efub6^i~>s9!TadFZuQ|(M0RB^+9w~DAi+@axuJEI4RAQ|Q4D-d4~_89To=;LjO
zI$WE5vXuL_N4#>uXzi<hA?TkV+yj5WpfpkI<MEHT$~^$F1`qnb=dRe0TuD-&#&_sv
z&0>yyw>I^N33}05bxY(090sAJF;KxE^+cM;_rzJky5Z6H{G_I)O$v{4w)8tv%X7OD
zS>7z~l5DrT*;(3FI^oCeU4dk3!;ZGf_a^LO{4)xkyn?zRj6z*Pd*JsOR-eauYNfgO
zpBx6!zVr%FlmsW?TPBo59X}PS_`2`{Qd=U*Ci$&xjX34lCHJ7_ISI(;Yn9crc^XRK
zLkpr110=|~<Q?kO`w;O%5}aRAcz1~uuTX(c2<*2iI$Q*H;jmtN^VT;6Kira1tR3#V
z=bQPdE<Xh}Nx%Ff0fV&8kGsO)<eGS*72_LGV4AGnwzAbm)tKn`LJ4;;Y%SfNnUOC<
z3@iWp7J15iU5>)+?;%|qH(UG_CzFSDd+gx1h8)z@>433eR|Bs^i!@`jXBdlcxVahe
zeURYR+~(!!TbP?4`ACNn6&|P<O(;t`ilqkWO}1<%h++L|@wTa@{HCZEUu$~5T~dnf
zdm4(Ybn-I&vgyBTbd^0^#8^Hga(M8g#qHP#;7+w}S{+IrBk@b08qRR5CFQ=zJrPaz
zb65;!zOv|RFNMKCz#=LHKsIOcS*ic{$4P;yWvazo=eV?aINzi%v7j4E_}yL%4!s&L
zCqL?2W&dFGcDV4}Cy5`s+mz7{kC^)-(=p88&b=0kmp|EfKa=vKcG8MmL!pl@5~{-r
zmY+TCyFB~RVGL~{X;TSx!RUtjWX>h4igY2S(y<Tt+Fon8jK{!mFlmSfW95Bc)88Gb
zn%-5&xZNulA0R1BJaz8=itRPUPwe7-*Gri)a`o|((-B`*6+39mb9<E!17_amerR9F
ziR+w5w4ImazSs_9hbI%^xK8J*ms5etbz3KUbE2+Pl1tmTx%!}^=ThUV%Fo)&?Ww=5
zlzZ)Af_NbZ10RdVF(vRt_~!*&q;?Blt%`tyevflAMnzp9>79_G{??H26r3SD$D~8j
z*9e4-SKh1E>+^3$n+NoY7ey2~&29<_g#f~BRsWG90*{G@J+b@QOQQi@rg!229ra~6
zFR#I0g-2^~Rvn6Fz(L{e7~nEplB=PEwAp6Cqg@=(;il5OKQ8ZUCI}mIJ&$9`<u-D8
z8)XJj;`qgzpOJR9DOxbpbn|JD0FuA6I~d`vl<KQ)ZRFY|ay(yolU3-cA({beNu#{F
ze(18R!fqKcra>$OTYg!7yZXilH-7uP?o0Z2cF;_%m4?N7?EcbxjoVoEKhrQD^O1%q
z9kZ*B4io{0=Y+%X-{W-;=1_WTdUO)``LX&MVOF>MG|&v$uc*{=HoQvZ$#k1<?Tu=K
z=YG~OobPy(&XL-xQyJv9_0Ebnk6R{HjYL|;|C^np|4yQ>q!(BqFfn(4qnC3}UNA|j
z@MEkl>Doup{os`BNaut&TT-D{2M;5102W!b;zIA4AL|xr+T|~u$(;Jk*M=@Reb!E_
zH6MoTqbk#L4RA2rfBHVw;4xjfyrsDWQ(-!XwEIXr=8_m@_5!yu`;(56Fb?$(n1O2d
zCFt?PWyGxrq+Z}kS!u;w-#HF?OI6JM@^FiH$UVc%LP_FjvP-%6IJwDJ{?oHn;v8mD
zVk(Z0UrCfH`yc6}&$F8TG*{Rr#IfDDlP09tw)aX;X`|w*Z46zT0y`uUJF7O8k5tM>
zlP+F^(xk7Ca%KBnNVs0W(z>7-ZPHFYY<A!*X}eKFmH66KCP=PwfUn}<q{GQQ0&q0`
zk-Vf(>N|8W@AZo^aR&ie5U-v(^YRljKUc@luC}Jn2Z-$9Xn*?@v8)66Z8fr*@!aJ>
zZQ>siYw>M8axv?@Asx=I`=1-0T=M}-1?YqL<d~`qp>wkh6d$!@;#7~&Cv_aJ&aI$7
zH4`M8SmAh`k<Lnt1v`aQ`s_-@9vYfDN|>xMERlSVL6^bUVc(Rggs+dkoZoMoStV+t
zv&m%E#=<L%u_t_x?08KkunYd`u&!=?tuxW^`b!%4qzq#A>U?3MS@c5iF^KoJ%5{}}
z7;T85|JC|-4$MtyGCFjdmS$B7gn??84{M7)o;MJ+|Ne;Iu5GJee(FTKR`S@pCptCu
zCi#2&hOpC>UHM7IfE8l>3x}ecf3e+3P3U19o6%9Ah*CyVEGtkA4ml<o_&tI5WrS!D
z_#Rpyn9`7MFR)8o2<^ccNtR#W;{LeI`Rkb$lxyRHxa34WCtvre5}$p=cCLpk1<ud)
zg0T|2f2nFIrE~g<;btwK^4g;|p`ev9pHX|z_wC}!gxdr(BwqE7e+dH<`iUQ=?F{=X
zzZZ#cSPOEb5h_}lvxEGYQd&CSlfNxW(JnPCSo?UPJ>1Xuy?5W+MyvRGVYyCz!`9R3
zey3Cd+%xX5e&?5n;PS^Al3(`|Kp4ZPw3aj6zH!4{CGh9=?HT8^`t)2mxfNQ`Qhbaa
zo1>D#@v*k!R?rDdeHqmGc!C^nwM>5Ql`3WktPi%?RT~wg^EFGg&No>IqFa1N*u2<q
zX}y}rDxIl%$oChmd}O&L6#cXD=g4%q*kqi~!|eJcvO#N+sBx+~gw=zI_M>pDii#Np
zLv<D0>Fk%Ot?!2O!}cHIlyK=Dr8bQ|`&<M>@ktPW*b?zd=)K&ug@^ryKJOB~&$6YV
zjGOXH7qhq~2FRc_gb|H>i9D1#UY7Dyip19>>e2lG^WxAI#Co%E_yhg}J6N<R+UV(O
zlTXsRF~4Kf9UC6z?0(b59LCj`pZkLOWI;KH3VfZD)gQ8B0i;mGE6doihR8_5oKc=3
z7w!&q=@Gd7%E;D;=X_<P$vP86D_=vx?fv6+>tATSZi(T^x3jP6@0l?HZ#|?FUoe=S
zOGHMErKFk~Q~6YV`P3JtYPH}cO9?w)qsJ--u_?xN-dhj}Ude}f@mbLgU>>8!S9q?Z
zX6}SplXCKJC39Ef(!UOLUSF#b)O$VuJuxgLM+UR3-wQBi(O}jFY|S|CgT)V$yK<N&
zH$`7LLJ~OW34l!*1|z}YLq{(51|i}FV1-?VlQIt&wJt5lWfUHr*hW)w?;n@g<Yy;Q
zBM-i2neVy`GqKi(Wx4BkgZL^;JO<CjZnU3twM;z72Sp$qguMXPmZ@y9n^`ZAXDl(i
zYbbK_o;l`pYd|!pw7I}yW<Q|UU@>TI?)+C7j%4wZk1!c}hjnqc!zh<g$?`^T;F!A2
zFqR<)MJV^YkA&7)#s?VELr_6^Fu5qw+QpkhWFt}_TryIfhlUYRztFyLQcFTJzo6oj
z+;7caFj2?Q`NHzHm|^_06a7L!g5vDio2Q_(`4i`g)zVj_DZ;7*s5vWb81EL?9cHk!
z-z!h*&F>kH6I7Sj1r@-s1w(BGuH$MK)*2K+4?buJB#FtRe^%Oxw)zO8Xn%;KZ~J*C
zM^@dEI4m2MKsQ~(Ycaea=!%^jTFP6@!4RSq8Dek9G}_y4Mr%A!`T0AXe7D7e%kAtY
zGz)@bn}*|BZ5pFH^YmpBtC{im^QZN_2OF*{YW2zco!<zO%oIT{2|ER5>IBNoE174M
zGd+aE4tsvQpC<>J_4;^Yl0|u|%Ky0kBW$*xE;~gqXGn47PMGnxL$I10M(B#jySB<L
zQA_A4<zsBc$*K?ie1~2SG=AZgJ<(Ai)v?I5)xa^4q~3Pb@2*J)zsde;AzLE+(KZ0=
zj;-x;&>&aASCRM4)}+yXQKMc*{?#HLay>U2aL#UkmUb<(qz%69e@>VLik@xE@dxp7
z^)MXq^pj2FhUOt{%zd2YygVO=MHZjWk@}lCsg9@JAr)DsNaaa3XmcDmj_PoCWoXe`
zQ%$GW3gK$zFkhcBd}G;=YTe1)bapVJ-Ewo4^-okZB=bBns9r-yhDaQ8zP(mb&9+b1
z`#p)T@1%2-M<@+a?BlUur93!*8ViB^_SX0+n37mDWK^Z|m*r`>%j*}?&lP2sfAtEu
z<!;DRXTIaToDn$X$MedmDaHx-nzvrOukX6kN=MG+@l^dKt18QYmA5oa@$5Uoy64@H
z@6sI7Ped04nS)vS(~QDM#xkPHgJ<64^Ooe2b5}@E9B`v^=DsU10gi(fPO^%<=G^U@
z#cX%HtIeG}TL4=qT{+eW&XZtTQ9H_gS;rOEZ4;R!?aY)#31fEiGG1S2;VQDOB|KZi
zPAyY@TKAKLA=_85yNLgp(_H_9Vl(=J>l6&lM6I8e=&S?I1IvPMF)C-$!QiLw2wfis
zd2lY_*$P`krV-mMe>Rh#%%K)ZwPKEa#3pwgO|{Kq-Yep8f#?h+Ey6eIGh^ed2Gu2U
za~w*mL1TApd7@aOatRVMub2r(OT`YF9%wuY*UQc;DR%Q>KEhNd?!pme8_$MBo6Uc<
zev8~&+hQeF>B`L?2BFo?kuv-5ji|jCr_m3sARnk(u$i=lYWQl85BD{<-o~OCM5Rto
zeCarPO8zZ9pHW|EBuYZj<LLCRHuaMLTIFJ?TPB)~7X{|z7HvuV=U&1O(O0WFM!KZ1
zfc+X5TR7NioqT9XgNNL}gDD8u#>X6h9qi0b&fks>;~oad#O<T83Yx6DP3auI9II~B
zQt?y*QOIL;IM|uNrTN+>&{1)|!M6kQV4_?8m+!j9tULcUBk~bAZ{S}us}`T*A)-z&
z64Mmo6ibi2{nPFhk&s2yVW8v+11pFY4TF}0#(C#q1Iavj3mI7Tmtn$IxtJU+^u<CI
zBmtD<`c8<aS3<4=>cx{>q7$+Ux}SW$5X7$(@JQ5Ylo~aCz&E}8m+>I4D|jb3l`+G7
zwpwFXncfVWpK5<0{248R9Q5Wnq5X6~Ok`XKDoeJp_G7Jux#P4t-ca5K3G+Dde)_xO
zx*TKOl_}WV;1T%Qb%J8Xi&$Tx7zc0CD#o!6I%cN6^He6=1zNpsnmjI@hRW4m53!nW
zX{fkt3BomWFcUhOwV_#u3bx$b&FhwGA%ZR&MO!27cXE6cVyn}JQ%_0~Bl9Zq_uYR@
zU+|E4C)zaM;j7*fY{fwE4`!pSCO{^7@0ATa(r>Mp!d3YaOF){iFnpl#xG<KROhGNM
z?R3c6u<kr9B7wwGh(T57v(MeJde)37r`fjFS2kbrzWAF}?Cs25U#DSU1PH}P<nd-*
z&DyPRV>}qbHt^DqkIxdhR_1btJ^luFBNjXXujDY0@H_SWGfaGYy>WDOq(XR@q(YX6
z$BK6}W69B$y`m?XmajW7h}v;dmVKP5h){jsuE8ITqu|&+XYi2@ypvtrZ(@beISD1K
z<U!*gSMl4|{7zn2TXFRGLkJ>8Uj5)nXiTRq8fr&4nBn$NQ(Fm5an)h#%i#p~_!E>E
z3SJm#2Q!81H#l-GxkH5GtNRU(lo0q+4=cJmVd@@UGD&q@4{bpoO*DHj8D5yIdSDxR
zgil?3P|3K}fyRFO2N*~S)Kf*p=ZNrkC&yBp^xxxB>w2|r2M#$=z@HJeZ!k0W0mlS@
z`8@mQa8-SBB{1>7GW+U!3BBkFLLBH+p~7APk#oP_rS%0}05HWNb#P{hz^4PK>i^aT
zHC|mW%q8kaG7HI^*FwYZCNYp!jrs(YLVvTOsOBlz-bo9{|F&c9y74JV&mD5AuZ?Rz
zYDo14!ap-v#&Seg)!qa$$y-|CWxv;#(L+;JWg<u0Rr$f~Y`KX+z+Z!oj}zh_Yy-Ud
z#mlR{J<443qA1@FUTZN@?K*v(HS9;pT`rQ<NIvTSGU1uAwI5siiPQ);e4-J>6cLTg
z`9AA`%#4omIv>CPD`Pv>nA`k#?Q_p5RhkppGq5c4J0RElgH5yFrG!N7XAf@bCLaz7
z`=YAyh;ng*{uPcd{@XX_o;QnTSCtzE|Kxf*qEy4=fVc<bh=b*8&m{HG#w+%0nRm{8
ze~r5=99V98pAb7NT9vN#5KSph-Sh|!|45khta=q3I;08?5F-}xy15CG+po;T1^5BZ
zFSf_hJgRHESjQc7N&ZPa4{BgOii@lIllhNKf=8yD12lEb&HsO%xjT<z_H!m}``-U0
z#Q*aENguq+c>iS9=l_4moX1hUbm&k1{l6Z`Q!g6P|C9Po-9=dNg?=vDI1#DT175Pa
zIm<sy#TxS_q_H^2RsK%uKTpMB`vW&<h>Ec*Y@+C5=>xC=%k&^d1$76$KdJWemCwAS
zSGJk76p(rNoYk<)iw(DeKS+a>d`dq;Zx8&<2gLy29y~S~qR+zrp7l>(a;NhmJZk0)
zIxmo5gk@_0rUale|A&qEK~^f3<a5iS#qd)O*@AWfEKTK)bml{7jiN{Hm87LEzqMQ6
z4_Am!!TDcuf2umOYGjPvS0#H66^9kB>+a&{aY|Oa&2M^mNPqx<O|y1W`Cn@&$kFRn
z0cVzvA#pZ;gL#lQMw%jwE1CY+E&zQ4pd~Dz^78UO+DBR!WU>!#V`CEsbNGX7_+3uY
zi)8jHE-wBf{9l!9@HviKARequkqA|K{YD-9MkOE{sBi(R#M7f!!!Tm9t}|d5Dw6=~
zAkt=$Kmg=8PA~%?(7cTqeV_&tiz$-2-CtH|p}*k_$Xk$@7LceJLOT0-F}te|n39;>
z-U0#3e)apFTjO0rXHtxhDB(jT;Y;sK=n0B2-qKJCytI^UMn6Fph2Oo*eNO+NUG6H9
zN$C3|j4{vSIP(wa1xCcPw=y>7F$^~wyGK%IFG7V2h&IP;yovK0Y!q1#R*D2rM3dC9
z4Q%=y&hk3mPuscSaCIdj1#WEN6_q%I06<C<l<tH#zo9;<<_JGYkcAVGh`{D^j@Qya
z4?QbIPXBw8usH&+-EH0?7S`dKidrFwh6K1^v^O2z|En&%RRdD#exxO(0A~RyP?89x
z?y#dVY7}J0!ORe?ME)wbJ^)%2_%V@Rl0zzU8g4{0H2#bW7(HKT<<*+_Z}EN0_&k+<
z-|$9>*HMjNIxWqX$FWfBSk1$cV#+@-4(9IyrgRT92>m@85}Sla_PD>XD4TYOmU+_z
zSVEPx#`P>wnwu3nG07Q`1)|N^O+r+H)p+wSG**)){xly{$)tO>NeyY)r*?=z_cUcN
z<+Htt2V#Y3WuH|0b;&+y?!n?<S%0&HH7NmiE`*vQl(k4a>i~8cRW4tpQ$IP}AGjs+
z`SnC;qvOI}Q@-CMR-JzHO3qYyU@%8LRU?+QIJQrWlE+QU&mNhryN5p$6sQ<xPkn6I
z^~p3*79U?u1<l0;Q9_+S;M;T=1cAs^<6OByNzP{b*8ORa5ToC{1hAPB<_PuvGbge$
zL}y>CQNiVfTec-FFa$`A0tQVDYBfg)%|NcaxX$u0vbGN=&L<r-iT_mahHeo4dj5;m
zVG`_`X%FYdFSPvXk%z-g)8Std17JzHDjfZnzqwbDbs|AKG{Z<N<=-4)NH6o^aeVqi
z;J?^9Gcr$N>tj*?frWhRw|{&$MYK4KB7tXrp-TZV-iS@ZmvoTv>o?Tqx5FQjdLI1W
z=fWz0Ao3UH2H9YdA*g&j=l{sCw>{hZ-=b(~BZGOQ7Jh3V8IEHC@;Y_BG-NpW(_jM3
z#_kg0%M8SmzY(H<qXa_4ARRiz<NxPr4+HK0qYMRbH0Jbw?%H5F@^&R4{a4TLQ-s+6
zpN`X$)V<@;`tO6km}>sp0UpQs)8f$IP_X}L@qj$Uu$1yYJ&=!w(E;euf2s8aiD#w-
z5<&LA$Kp*9Wt;Ae8UJm-5X3n^`=5Sij>D(7wf<chQ18FAb>;;KZcO&?s@2U9UO*`N
z*G>PwKw<zQ5Af}O4+Ws6DmLWI^IJw_gzbd`_J;fm87ezsW&m3QV3EiIL~66B>|0g<
zJq!UL-p$q7kKem0;KyQ4KEccv#C!81JR?#Ab4qA;5YnU@Hc;V?@p<kM=EXOkGsMdd
zE59LOq|s#i0S53d0q__BTj+Lr_fH$YO?$`zaqY+XAC05~Fy0O%JoAs$Qj-X+Z3+Hc
z^xzAeEhfHy^(D9;z9fX4b^d322qwON{k6Bx<M^yk;NNw0_Q4ItOUr)pgZz{KBUHBo
zVr--TKlcVt{ZBblF1|Gq;`Oci692Ebw+?G^e*?yc(}}PFB9a0&-Q9=^3W@^K(%ncm
z3?u}>Bqanyy1R!6NQZQc2@+DHJATgw;~c-|{qy%;ug`UHcJ_SY?)%<-e*zgRF?MG8
zjH7OUzIvbuZ6XG1IFD_ID`m+Eoh9XJJjE)v_pZ)>s-$VZIL2aZ^UF3wNW+BnPaJjH
zw|6Ers_<M`9MiC`MG3?#opA&3xFcd<h>?tBWsD_IgUB;k?c#`I>ZjQSQhFYU*@GG6
zOr~){Gt>H&ZjEfbC@I=J3`BL@wm1Uw{#yU7opJi+9X9~$&n?_kVD`v2iZBG(oKHAr
zz>jb_Cfq9;>o3$kX1#bU084dgj^)$G`SVZEqx%@JR3J+g)|DeTiv-+pjP=4KCNyQ}
z^CxNnSWj$pNa<^c+VMEF+0i)x7m#DDUk|uS<--5Tb9ev#|Gp5cg?k?yVm7g2q!nN~
zfEHjf-a=y)hqq4*6~OA_@Bt3&7eC=9ppJme1K^W~u%|#ru(~K(=*+>U{PG1TP(-+1
z=<coJi}JUMv+gq_g%}wMNO7KNmc5>Yf2Q))r>j4Bi};OX-hX~gKKJ5RM=na1jKT~5
zq60&)yFc8I#pd(3RvyvJBjbRrxG^*>Mr(j8mx0NQbn$P3Rizbd@-h2nF*1CLpd`2L
z{rg5%W3c}v$(d$^0@;74ClBc`E-ZH3IAH>ytJnya^Xz;0q~Ipsu_*uZ?S>7?V#66{
zsQv|v%!~c%QcU!AOudDtI!&?nb?0|0$sslDn!xD@0MvS_JhtqSG<59$KtZ$9!+)^a
zeH1XiSejd71|$pPb(lrl47vGsq`YUUl=YR^w!FT-u=~P%l<(+av!u4qyZ1SfVI$Q&
zUli>k@{UM{mw1o@<8+pR-OD%q{O+D2Qgw8=$y#kr#T;ubs^WP&QtY{7+V1a_wNL>G
zhtkdkv>)HtqHx|)g<}d|oO4YAGjRgnfqbBz`+<Xlm5h8`neB?@+KlsuZ@)_R_e$(I
zg<@(rBRj>Ag_odHrRxI~^#o6rjvfW_?f7N`VUI38HxMV@IGG&5?7l@xs!Z1OVqcgz
z_u<E)3k0w7k~ot>-;oJ6^G1>D84ZFLLfh9lEzRwCW4cLs-6Vy|OnKOn$S)R|c7J<Z
z@>-?%mG9?aGNxdQqh%AKWP4hYD;#rM%j#{hM{)L@VukxJmaYNE1!g&>SvF9&rn^=j
zM%-m8y-hB@!tH*WreB%fYW8Q(2NCbc@T^`%QSPd<ifylyji!wGoUA4I1O1$J_C_gX
zgX$ffDb|^b<GeD7?GlCJG{+S4WmM5WYP9urkDt$Z9R9$@(V%0;3gXJE{KlZO<53dc
z7krS?-%CE~XqIQ<aX3@rymdJaG29part<Jn=IvqezVp^a37!lI6xFjkTPiArA(0Y~
z_dgYSHa6+Z=6UHf`)a2Q&xPz>)fDiz%On=|;tzOl5)+?NA%ofahk4-N8W1H`g*22`
zkDUeRJHoocdtS!O_(^utWH#}=J!`KIhk<dm?4?x^%Y7|H6)~GT3CQVSALN0gRp2J8
zI-f{~y3(hr@1H0Iy`iz^G5dQl&(khS!8k8=E?Y1cr{u9`0tLaf6pFK(TZ;VZM!t?$
zxs=-(be(;9kdF@Ydr;Fywd1nU`^jayJ~?NcC$3HS?SAf~nd*5RLyp|ZJh!RcRpx5<
zwL`B(ss*an8tG=j547k(ngePJ+V?AKNB1@ZV(RSQJnDb%@nemZJ0@27${VQMLwD#<
zA<HeTE3h*rawcgr!{nD;ANew#7ZTC7oQ@EQer9)1&e*0@w7?_$-q3z4xcT8`$9{Rn
zE_4zc_43nMDW|h%NxxkuX+Cp7^MM-pC0kavu9TEy5M1)ig|h}h_$`XO7d|U3UN8Hs
zm6dH(TvAdTm+n}koFAfT;i!>1Jp8A~TQcE~h^T#|z5OFQj`DJz&gf2uS@)W)=~%ST
z;d*)Jp0IWMIsQwU8nug5_#K3c2^;(B24doaeVZ3pHV3#osL?)69kzjJvF)aVzRo0X
zK92b1Yvj}DJeug3{6TimM!cx0cveYu?n34+drolWOx@58dfGHsx=vcni=QFWev_@h
zQHscSyg<sDH;)AT94sRvBVo6a)Ps<E04BuTQir{&j#`k{q2%D8;@Z2f$(;Osxm&)(
zG`yy7v(rbHKVQBeYO%Dg_-L^~T{_rgv}{hTo~Fd7cWf7?>9f3Y#5bru^JOGI*;ukx
zsJftUtf}!b1EZ<BXw}|~%FPi0Z$2h3QHtjY+$s6fLS@1#v6C+gQ*%ltdR*PJq{usv
zMybZe*0W36!GxO)jW;zKSOw#*i-#?>cdRrnFPRW|ca1PK)JAc6EtMxHNc9hwUMpJE
zZgUY3H@eKt?3fY9tTUo_`FqyElD(yaFWc3(#g`g8oN`v~!#G;TUyT#ENLWB8LTMse
zXw?e0iPp;aG;2D9kzDxQlcB1krGASo(KYPM+yUMK*S`fab-VDywcbu?-*UgP%{s8W
zJ3v8SNB~b@k5XRrP}|=6QgnvVqgLAK{x7&5*TaqhFT+*Cbyebf;MCCQKNpSUU(=hI
z$dU8QfiVvu7lO~$(C~MIT;vzH|62(8F`WTo^V*vF1STh&*DN+HMTE0k1YQG+w6c5U
zBs$nh#prC2(+lh(zm`@i`I+8%RNMxRf0I83;^VZuQajExx2f#OF-u)$cL3hBG1r}b
zZWB}WEm+j_P}rS{uu-S9)0$n#|A??#{?mvA^)@PuKHA-hUci`D>c`-udZk2x>(s;F
zZ>n`@4z)t=R1%MOl?5zH;6DZP1c(TE!sF~}BT7GwI+~jC%gx-04&5s3q%O1Uqhirl
zDQ$M_(LSQCJ%1xV1&(?ADYqXdid0to7d6S(;nwM;`lL0NxL>!Bye~7KjO>0Nd9nH9
z_t%AN^um2tm8q^LF28Fyw>Q9QMk^s4IFNVMM#P=MM$PLACzq(FV!pD5x%aPZ_{DKU
zJ6`VVZjB$`JIakL*D@+HLUQ1)96?INbRM*Z$k>I|tn|!_c_n;n_AFK~enTULOEFS6
z$V8Z@q*<;T%R0{C`DOg59X{XwUd77e$03JQKAySmtoOp)Le{73F!y}VfYjfqT`M$o
zI^rs4^;l#%uAU>(G;4@8vtUEb4=2>A`JLsV!=q!TJ3m?VW4IAU^Gcz{<$RCLk4gJG
zDub?d3k2fEhPQJvO7<UC6<v5?KzV&e*2ReR^X%itF{T3FUgl_ml?IhEC(TWabDG9}
zO+Au-Fhh(Vi)TGr({~Y%L*2#Hd1tD}$T^fIu3dA<^q|a!dRvaoyKcOoqTHk)aoaj)
zz*5%?c&<TeAe%cLTh0y`jfJt|bQa$X)dkvVA~Uv;AcUJF_@8%V?n~at<>nXWDE*cV
zdGRRv>Gz$lU4d;clCpCy(<0f&<?s0A&t}6DSJKvJU*EA9Ywdbl*M|_4hSK|g`Pz5k
z3Z2Yi$%0q&pB=^$3x4lVN1F@*F^@hsWA$@M7i;=OdB58x@NwQTj-+V2o`{x7u$t*S
z_gSu-xa>jg-iHL`My|G~^48tuK{5xjndFz9U(qvLsQ#~CD9${((@3V>&lMd-9dDJt
zqfxQP>~4Xo2)0?xV3zF^5s|2O<*8}A*kFrvQVw)FfL<2AnBi77hcwsqZ7p%D%VIY1
zoY;2VC%!|ihIxX39Y$k)jzFOfA0Q5n8V|sM0cMvXqcme;^2=1|zmxsa%WvKs3cr6o
z`$0c@`3Euhubxr!<p+x#W7X;HjFX?hy@&;+(6brJKO)}$yfc6Z+9{Cd1PykOPxlGV
z^OFt9v&ATlv^KpI5pKDz!KHaoq1WOId~7kOTX`h-tn|3Nk-YYjv-gs<%caY{sItEN
z{0?FLN)?%&$om2g`BgG$Q-Icv=qGa&xnJRq7txg-^2^G!xj6C7vkMVxX61M<<;AB*
z$Q!pThxZJBiu52bkJQWiO0&S#TvGo<ZNbbUw%yUaBYk>{v6SR%(RH)5!<vyZim;>`
zMdf;SrUOsP4?XrIz}<+B#BY==tqltlw9jF$A7IR8fxIFq!{8YgneT>iSEtNUyOsvs
zKa7R?qKCIM`%7~ci>@bC3_JrXJ(|#MwNNa`iyrPNm$;H;ars-x;FQIZb3d2Uu6f0-
zTPDfZ#y5-J)vhy7HlKMA-Z7t<r}zw!J{(N9aX<Hk6)E=RgL8z|#4WbC+R{#H${X-#
zbr}xpL-}t*;O8f-gXhANlam1h^0!6&fnd~Wk?3$*yb!deXiaP5(Hi`FJyD`ui?#3S
z%@k#P2UQgHpw-7~Ps^ij1OkjhZb=Eo4o*sT&c!dd4rTD{<2R0z7BLyqy6p{{p+Z^Y
z^A7kzUIvin#5}ZqbC3uLXx!{aKo2qIvE)|{8!QIWxNPjKV_~zYA|5K<2mQW=e-Hd&
zpGs5kcJ$>6dyLirqV?@QSf|EA{XfirtY30!aB@F;CF3qwXC?CTSBO`l1mALWy|+_o
z{Oz))Lx2g_zE3v&7OvZ$EYnNhL=!q65QbDgq~Td33|(D42OCfXk58(0akI4PI&|^b
zs*W(^WmmP|@q<jV*5L6A1W`x%mfO|)vAR7iSSE?#Sv#X|K&tfN_5|0t9QdE8ooO|w
za3h6{$ZNc2oZ$FF=!6~8{^QjRixxfo!wAxUE=}j@+u6$MLlB^WOxN+Pow|`yaijYM
zwY%!6H<zBkpj~l;R>CmeO8}wl?X8OmqCaRM&%<J4-&zv_N?JI0KF=L_CTh)LC2Eu!
zu<CbJu3flcJzEZOve8I=_2@iHNKEW5e;KvQd<8qpZb0KTkmoq9_f-0?e5Se{goj$|
z^nhlAp8?FqRsgu8JV9{Ty-9L5w5|)WTyvD~!)>@0T~E)uxSzik_T|{a;1j|Y)^`5m
zU>JXqjRfJ-f4n?zoig(%^7_`R2bm(l=2_Yv-{tS`NlW%`7D9}@$i&>A@YjYA_<b|A
zSWpFX{1~xr_`dx@<yxKtpng0&10!cVctSiuR&dw4E_l@I`7driRriUcqy_tO`)X=8
zZ18*CEOhV5FTT47y*aIuKE6rI^8TUOIVXY<ItN&+qjDz)hh-4~{VlTeQb?o!##8W`
zUds4e6aF~e4>L0=9j)1@`O=i%4$jGOGPfTSJO{6_Q$B619;sa^J8_`+6tF9oFZXqK
zGXVx2h|F-|!584Lu?-rcb(Rv>inC$u)IAdqg6ZE3Rfrb5EG?1+$`g)gY;k`@4yXI7
zE2pi0f*6xi*_&s_$G$CbQ)rEEv6=K{sv4uFl>fK^xPpQ(UN&X`;o_+$!@lzY_hLTZ
z>PjHbj{o3E7-G%naNv}A+d!thtfH@vbwV+l5{Nvc_Dp!U)=aDmD>T9N=+$SFoAes*
zUQ<PzrIOqReAFPi<{Ix6fC56U<(KVKBZVjbcx;VQQ%cC{W<{glmqL(^t&{uwZP$!x
z*(#~X*fkx8#h8Y666%*$Tj2u!x7jLn3JR5Oll@A)u*m`|`Vj%aJmlA(^V;6KcW<D4
z?LPwik<<Pa_^wqV!vLFA{iEkfc^}O;M&j%AeGd_wY70XmBJ;)%>dJ*Q-+@XdHkg#U
z8cHSjILnRNJymAv$lI-9kLHcf7YP(Z;q%@=n(t<-Qb%2tYH6=CMmnt-^nId>cl>$V
zq^M#B9CcA{qZ0BYxNiP@*uhBfAj`9DG7^S!lhP*jVRz;B`Vb66`$YGVWJtWT?_4)K
z#A=O`|9rn_K+&1)*YN!iN=2%7f0TmPzKf6ZOV;Ig2mbYqbV-lb*B>^dIi$i_1|)p0
z7mm4n9CWgQL33jPUpdZ;5Sv{3Z1)GXQV2PlzQc0fOClyk^`o|Askvdz#X_Pah;gPl
zT@Y(BBa9XE+!F)}_m%(Ehda8xtI11#R8ONcau`fB#qVYGRU-|50e&Ly_DyO^#9DN@
zp`R(G$RjOB3*BVS+(u7|4?ii$rqBy1km;8LM?JZf#Iu@NE5^-L!kVuSM{cW+6`}V+
z-5;!B0`A>{4)D8Kg><Dc>cJ@f7wPsdEFI1Sf7vOaSh<9^<viS`vH6ZD2hwQx{ATZ%
zcfO$>4_%rL460*MpXdtQ+%=O37YYN8@K~y+;PbGV`YCS`%VU*ok7rQnGJ2;M;iA@o
z&K=wRc=GE+?+g6KjT;<dyJ>(z0Fr?HWdi(p3mnw<Q8P-a1z9V|c=h7CsQd5aC2^O6
zKeRWQ-d%3gFS!%Ib-#kl<ZddwJ>U@RxXt5HyCE%2q2u+Xcu6&(u!OVbV~C)wPT7mI
zu6v*1L&{}ky7V5*wU?s1U%#*?>J{zeqa%<08A-V2?2^T+(1Kuui4|EtGlZU($knoA
zFiZ`E1W4YOG1_*&sh<zx?wk9K3Zu9xV#Ubu;pePMyA1hrSX*XGd<lfTzk?{`p_I3A
zRnFj*Qphx?K~+(`fzpEFnz7|(7viil9@?6%iz-hVNip8YXPK+@Jdb{_p2Dj;R^#R5
zii}?x9Bu9LGrF@eljVfzQD!K)|J4Z>gimuBet1$k_rjk)chSicu*=l?>7jg`zb1o{
zl1NESy?^}%wMFkOrS)496nvTtwMmq5U<lO$Jyo3);ks5<eOT-j;ksOtH^%vnq=(f_
zvi%iT(bH_N&ZKUEnoFhjRV%^%K6`l2NgWodAKOgQR}Z@~&ml##SV)jtSN8psMFofU
zm+}vC3n`p!>)Kbf{EemWpSbts9>g2*&9eVxANd{dJCzS6%@@of48GR>R#P`rELPCJ
z>SrmyaB1>970!o^S)ydvwci83l>nEE3+#Fj*G&=8Fe=hIywaz&rkf$tJ*Gd}h?)T_
z&@KH6@7$glMO%jK<Cxi?GiYh86F6*tBJLgs8Ak@_L*?Y4BoNVv;o;>Z-AkOh)N&0{
zck=Rr(@3BYnmgb5)zltX>R$_Tdg!Fu@N7t=@a7-S03QxLCRZrOmy2X%qv3J&r5=3|
zO0m;T<>!GEprP*9g@!_ooyNuJ@dNhQ+V$NX)r6oO2lQqukHo?1{keU~Qf$h!s}lNr
zz;Wd9X&Ntzsg)sk09{k*y1261vte&S!ND=!a$Y4N%X4&ScWIKdv|k1J`|@T=1B*b8
zxZCdX+Mk5u^eDXzIJN&Ii49~4mkF_nzQo#6ASDK*Bmt;!Il`b1@XQQZD~8h);Yot^
z;|K!Sk!|%qt?@s==PMR(pC<E8vXbA+VWM;l|C`yIumn4o{BJt;5hN$0<v+s~!>Vc}
z{tu~J>k&+e`tL;Q8!24!{501LTwZQuc2Xz#Ouy+s?K3opIVur960T%!52?ZBz}w0f
zvoEDXbjeq7Y3@&7sZtGbJ<szCgr!jXsQ&<~U^2&wz&V!Ji?dIvI9*_i%)5W}&CIaF
z^%OwX?tbkDJyNC1c12(k`Dfk9+`JbQOtHlFi7zW$RmsDP$`RGToHIEgMlj}d>4aRL
z1^VeddMrU-ZxQz$zxFjk6|gonpAgBXX7Q{$Ej4O<+*f=IjLk9coYt<o<Sa7l+e0T8
zvp<LlokyX6!=syw>Ec~q#&;-Uvae}Wg1DqE2$Mi2xeZoT=97PTLR3HufJRrT%5p4D
zpgFD{T7tp<ssP$Y1BVaJ-Ua~vW`qLH`30m0gn9y$rr_6R`E6x!1Uf#_^F;}KB<JrE
z<^zbfni?fk=0s{RS$uBJ??Vu}Q1QPChCq=BO$6cQTxSIX#}Q&?0Ua@c1t^SkXH@~I
znM0v~I>KL-p)#|W<m4NFfeus{3RsDWiE(lcWZ<zM|JAR&3cJeVwEA^77SOwmCE(!M
ze-|ZVtx&&gZ~pbwTj+DLhK?mkNI)Ky;0O3l9g_Bo;Kh4*l-enonZ&5u>Ot0LwVqt{
zT^fZZh17wA2;cDVbl|<8gWfDH;+!>q$#`47b{8dbPeB4LhQZD!kbC(#Bmg0oSUTeV
z7Zww&{_IBoQ!V3NcB_5||Ml{;&<LaKh=n)3U;*E4gT|hG>y-fi02HDkPjv*x_SBD$
z{=y{<`n*MrXF27s8YLe0GAHzt;@>UbLPs67sDQ%g*GM?aF&TY6n4t8of$M)`il)}!
zyUWn$CuRC8`{o$tY7<l=)d*n!5+Znnl=tDP@?Q)Tq}tZs_`61psrCWoo!_Sj(E-a^
zAOT%eE`OJdqk#Gk_g{7D7Z_N8sXGzj$LV89M^gZlAHWe}Y;`Aqcz=NN>Eg%1D|0k!
zyjcFCN30nt#Y`8!h61RhVR(aL2!tp4Lq$KeN3dX)GM$zdNlcmkt{hu~!Ah-&@Fp0h
z8%Qf2&@u^ds>3gS&RFDxL?oc^nD2e)57Y2k5uDu^%#KYkRy2W9n|+7%U!bIo0C2~i
z%3>BC@R57DwhbV}F=&0MH^Fx=mBRP7=yMHqqc*ioPv*EWgb#Z>3ZV;7l>SSck_=I?
zO^bh5?DZm~Qro}&t$;VdTb@UYOY)EaGZU2T$!wG|`~VJL#bF-y?kwPXq0_>v8(ypl
z_4e-We>qq+jyBRY)#q4Wi&RBo&k6>yWzskBOWnQk6Hz$^jDMSZ`6mUv=nD*KKpH9%
z!9e@p{CQ@&rnkTx@zrbJu}cO_)ejgW;EC^`9>9@0fVtUsMKP>}GZ1;0poui*)4qYA
zHWO{Juh{&Db(dbh)wpP3YY`Jfz<zcyNsH{P>clsRq%!_LQe)B4G^+w)rc}Juk5jj%
zJK{uU;4?B;Y9i4hnAzVJ2r_PRaejFVcXoE>;NY+V-z6oiD@D_}O<-PwzOWJnXP>!C
zKqc5(@Usv&cKM4P#qME!s<sgJwOQ~DeTu|uamigKokqHp^3_A6RjTyvv&Vgz!h&>0
ze2jFXq#;Dt_MP0A!FQRd%BmbuiCBSp`&IBd;Aw!)i~CZLfR{^B<C%1>^T&N}69sC$
z4EPczl^_7v*b8iDWze3>*%ZW>x01pWYJ$Y!%DNAL%DNE~_^ut*_M!;A`1W?R^Kk=$
z2}!{)f8e-aHn0FU=S?+Vbk*9c)YErr;DBCkV0F*T;~U_+8dPO0bxyumnt!c6zi$Kh
znQO(s`G3H%)GiwjWNk&k6A8MQd419k&tC~dh|vJW<q|mjl_9F5dhXp83FaN*<M%on
zx{L>q0A3#8-0rmyLMlo{j=HIAzv{VdfM7^zOe@d`OPK3qo<NufpKcy(lovoP-2~OK
zSQ+Tv_we9w;5@yUtL^NJE~crELWtj}U`OcPF~Q+bFw%Mu&{->#lXxTsEK@n#&2N_Q
zq{3PuG<I2&<&VSZHf?-D<!(C|;MSUrQNY@YTP{<itWYemlX4+hc=aya%V_U?j5Qgp
zJu4%i<m+#UnMyZqGc}PAF~A4N`nETuV{QLa(-TA8!63I@!a7em+afIG5GXl>LU9W-
zfc=LKL_;CE23S3C!K+<9j}q%nIFmr5i+C0YL=r$e(-{hk{gK7GGDHbxWS5O`#N&|`
z#OJd*443?{^p?Kl!>9YXa~#llOO<NJTWV0Ol2cv<<)#A$<E<1Bg-is}d%uV4`OW1=
zqU6U(Ss_?_)&<;?A+fnhSpbubY03nJcYuW{gmtZ1=jQ7$D1qiPYeOP^vd@6UxR*86
zog7vHYftVwK;gHci+SzSVYvgcyi7S82X}UI5*I6hL1mXewYoK;<gZ=8&d`IFkfINV
zKw0B}BgaK{+xR&xwZ&FRM<pO~-!LP9#Cp(A@dTNH=%HtiMo?mBA8-&KQFR8ksX;IG
zFb#Aw+sO&L3-Hvy5S1Ump~wl|JIauNXFRrK84BM~X+h79Td}m|Txz`NlUxAE-4JxN
z#2zyY%?B+$&4=CHuP}7-scYLMV97XS8SsJAv>@&)@N#p$macx7NL_S3HwQBni1J>U
ze(y#pAwbEShXQ$4x=(#`KcZGPb=jz}uQO0Yir##>x>i(WX2Vf%dQ2GUe9OhN;G8kG
z|0QLuce$GCn6I0l&m*Q>e-2{gr;Kv6`MMs~h)0E)CwfpCW#fUhARPr+W||l<>2A41
zF|!h531*<G#ep_OAObL|bqF}SG8-tJ98LdgEDAI#Yz*UN1;FZF)Kqepcbo_TOm>-1
zijN-)9|E<?!mA6TZ1g0nh|~E2$jBB6GZwI39T;WFb#Ov_9444!sl$Fr4andn;GF5R
z01UcZl-r-GMao`L1|%^u-(r06{+kaK*8&M)MN*)kQ#h+yp*~6X&v){dYupYoo$(RW
zoG*=l7!K$vhQ&<spwH(TX2F(uHa90@ojz7(eLz`wcRPSH-hnl##8|0(>J8jp2!Y^w
zp^zJ@V93&Yc&gc4bt?eziCFaHLZCtxs7XOXfCtCI1_D|J#PZo%JO*g0MsqwGU;+SF
zcuS2E`@h>lyXFXlH)e&?7^V^P@wZkJ!1ZcMMktL;C{#8t7^`QqWu^#{_t-@$jK}2o
zjCWTaqCL=u;W~!cAW3jQ+LOdLlfc>E7qA0?V8B8u$>YzGV2Hdc4S?7!EcPH?-Jl9g
zP)Ld$9YoFf+Yn`>u3^E=8FV~6DwNjF8jRj!$F=c+K!1A>jJX5)f2^>QAcz#VEmOlO
z09`(Cz>|yn<K}=-2DKov`KTzr>tf&ooz+F8cKICJ4IdCRmIK_mW(lYumh=D!B;oMd
z0fZ_Q<@#~^UY)B~!8Ri*7R9Gv!zh2KgDYXsV|IbgaK8Nj&;$rb+>ZITOL)(dpc-8X
zg`Q9e81+36GJ3cl0d#+O%=z7OQb5=TT$s+m&3X0Mvfv{m+o-pJrA9aPu%P~-_|bxh
z`~-#09#dnEgX9C;lK=*IV9dV?4j?{yaQwLk^ZETT4m}*pGr(H3fYf<_b+g~GZJ9Yp
ziXb(k04J_txzgnZ|I7!7GGh}+XJM?>tU;3GUbp{CV_t%VA<9&tTE=Qy(j-CKf-(mR
zpuf*o!kb3A0|@L;AW+H40tk?c8AM!sy!Ir_14%xBh!dSe{GhAM-~^r1mhVg8z-<r5
z{Uv*F7gYdJz&d6P)$#ZEEr=P{7ThF4RNFP^;)s(q2_UT4RXd-KeiK~Uzll5@@&P2L
zxI@TD_jn|qSS#HpiCB3Afs(kFHRNz}ER#{6G}$sjDF$2MI;27Oy<z(|j^j;0NDNUk
zu8ovAI7IDo;8wVIfQ)KnTAg-G?fMHUoq;LpW8nr}1uo8beGS*`r6H;x*ivvjJ0N5;
zv3~(yfrIczGh)m0WO*wHbP9os5u_%^0?mdS?)P(W=fCi^K>b6ilc*U4TCRaUm(7R$
zGiMX!UvvJ8)@8-UG&r#5nAT&JaNuBKX4IQ%k@9@X063#dA)`=Hvy$dV`|XF6p=X#w
z&KF>)?DNDL_?3H%8b|>XM<0Kdl!q);C)l6-NCE+DK?$YeXz+H8Y!}Ib!v`QwM!_kl
z#jph?>}3ytL3sudpE(JBL7;dkticCxtA>th*q?R?hkFkoyiezqgm{fRXaB>A8R|j)
ze_+aC9ytZ}N#b9O@QQEZ!!_*X|CitZci9*~Po<9;jIKTvHsJTE@+qI}xNXtEZh~X{
zZE^4+7<iV~M7Ok02biID`HPqT5DA29<AXK=B<3GMgI4vw$H^mL@_=g&jwb;LQMtU<
z`#1NHC%2Md*TEe(+6JP09N|fd0h@b5MnIU6dqThs6vxee3_;@U{}GEPiD+Qw$nh&c
zx&KYK5d@YMM+;-kp$(kSdv%}g%OyUJA5My`fAY<g?5Vma?**Xa-`orPi+hE*SpfrG
z%eS0x3g26J6Qu>)scy#d<&7hbfdFtV%h*5dCrltVb8=A(2n3kZHPL=tLxo!SfX2UI
zUjiKE$ruV$|Drus?r;MFx`*C7MgMdx4{oqTr#(6xM}50~gu4xnO;=4|9v$y+uW+Ic
z0wPpR3ojg*?-~6|KLJygdGad{NXh`abDV2&-IKzk{t>KyB;m;+kQl?6Gt3&_6HEXb
z={as6h9lhDH5!)=CfuCAulUz&og#DXFT!D$@*WTJe~m-iCTMwU)&RY$1V}?!BCFM2
z@~JCcq|(VgEfa7{U~ZqZ)GmAZQ!-)<`g0uY_pHFV#W-5}yoHK3p8R&ln)83;8_-JS
zf3%zdyoJPRCFs;!0o*I?U;0OmJNTCW8Q@3xzpV>SUO?lmh|V=23_T_hAfFa&{{mF?
zB-H`v*9SmUPn}#+{QsGI|1XT=zUZ4%1p=H~CFJk}PJ+&GFYnb@u$>Y}XaI4F0${$B
zhfeW!`&++kE!zKoGLEQ(YLP~(>p^EY9~JXdvOhH?VY+%<N=gW1cj?+Sz2K)(M3UiQ
z28(T3#Lf6hNsJMSE(sEUSV-MVU+m3Sp9i=Sg@X}wlLttiVdA@EUR~|rwPga9GoNsd
z2lm|JRBv$t1(N3gr+ys8HNpp+vFoXR0h!F$LYzhcxzQ&-f1kRJv=rdPY1~XeR`hrh
z)J>azR5I~j%znYWEEx80(5$e#2#$OC2+Ac!8l4&r%(V8|K%(vhaC@3TMbnd(PpQg^
zHz(#x6UOERj?+3IP*(4f&5jtW{}R=9AP(9*^T5?lz)uNv0@!iSJh!738`<LicsLq|
zyAO!UrEusYkZe5h054<yu`O8KPkm!zgjDC+si!#GjHu^4B|E+&P1(omxG{itKY366
z5wIvfrRx{~5Re}1DDP*+HJq84*xj^q_bzsKIXZA2IGR1$B(66^y#TI=I_`jCt@7CW
zGZv{Mc5tYAlp&FK2=y?*1yq8Bx#Aw;zmZKFP5t69VDpMsZRCki`=IO*Vk_bb-Y$!!
zfZ@d{GRcr0#rma<zyWbs6>A8NPA?r_c#cdiDeMBf0*|Lfys8*Q(tm>QvCOw4m~NHg
zM*WfFL=0T2ci57_lQ)7$ot<poblrIfSmMJxXKyjHyLwleY!U@kcp|PPp?ZDo1;e{n
zOMNBfhPcn)TsmV&rHu|>xxIDs@oTCt1h;%vAB$6@%={5b@hsa-!EPSQ%fHzlS8tRv
z_cKEuC3#g6x^RnHMC&2MQe>>5g(8MWl#ITUtabBCmiEXilUeLGF)X~6Qc%%-;9z;}
z)z($u>RbgErXp3yf^nK0k>9NXN52vOs2h;Oi~&*M4QrS2#f`oo>A+(=fxoEY8ZwQ&
z!_vN`-CqF~1^MqIrQS3d=<DX5w~tIXTRD`?TAh~5=?wMQv)ESi=6oNQbBOBPo4r7b
zP4-}h@!6ng9q*t9w_X#csBTjR?v3;v;DW?oA;=6=$(#%$T9U>yN+3FMS3rI$W<)%z
z4bz-M073-u`;HKQk7^HrYi%@!YQ7aL`;1M>W8up?BppbeF+nJ@23Czy3X&19E!4u_
zD3-T`-*}a5<Q#0|?u@oHACecff0u1;cJRv}(NJhnyTKtIDsChnJ>(>;lBtw2nD1hI
z>messUO~76;qR~~VHxPKP><?v;FckCl@X2MWi<;H58K$DsU^7=LzXE$jWip{GM)}w
zMQQ~xn@@J?qEr`qo7XeRcHTzt@2!_Jjwp3LmG10lKcZH1s_@K|F0#y-_Ly&$k`>%3
zTUgwDXZ?JDM&kF`RsTk>RZ$XI(bv0G)ZF2ZO!p1Y9WlcX3OJ!#DR0kdYiQFD;u*Z=
z`n2**pIqJ2>gG#eISDG8;|kBkwax{^=9AbrLiN#0%=d?w!~5X-PNLm+j8YU8l`E{p
z<J$aTFl`rw_!#xWja^T=7A&zaf8r`*-8T=o@`QC}fpy&S3Gwkx)L<4WE4tbNXZ$qU
zs*dM$L=MR8D|5Yf4jeZd%Qho7I%=r0?ZnXwWDUw&pOEd!neESv(<0yNzJXu*=mKSJ
zVnFxZ5xCW*%@{FW1w-C`{3e3tf&`F_S;{K@>X=^ZO>`w;pDXGUk%O1QXt9zL<>%)r
zCL8_8>-;pAYsd#WwdX%hN_&fV>K>`zWl+7#Q#)0gJk=K|8hI)Y!p@7x;VnbN2Ma#O
znl3I|=J4I^6$2TrJSpxc_Teto8F9VD<NHDvh`tw1$&O8E-_j;eWExS5$&?ViNf@b`
z;aBV5_$+wgPmJ9Z;nPc__FQ>mxvSP=nuagTltRD0Shqgv%Xhrg&<N)qPhGoTn;Kpn
zFlRj<Xmc<HR~&mLJVTY2mI@gl6btIhB_MqTC!VwMc=UK$dM&QxZV6Gwy(9aNnbBG4
zvuqhqm4rdnNo%kE+Aue3Yvqk4WD<c(eCsLkU-h1q$s!WdK6EbMdD2ii=h{u-f4IM6
zzfZZ{gUDNDlglXjoHL<m!;zyZ`W4oM`1Siyar~UwqU;}yrF)rNKclO1<+3avg{ssI
z$vw>DAjmEynL&?`heo(SW9eNDX^U731<cPGcOHrfhYywemhM3>?$II?)~a*eS$9VY
zo=oKmJ9y<5)0N4#iO~SEvGQESW>^opfR|VEnNPT(M?25@U18*MMs4U<ViL6ZHbw8%
z`s6p&3bbS{nw8|q)8$YcDsO`_lUba}iPkia3f5J<XP<@!TV8HomxPWE3=DK55yNeL
z+}XuaA(8GoU-`W;s4S?g#FO$p3G<Xd*~Ts~eV)6$m}MU3e)U2al143bwG<7Dt>&|4
zkqS}Ntfi=MCU0_!%lui;*gsD3q(9?FKlj!b5^bgmCtJmI{*UYKDOrvxl}JY3@Y02>
zr15+DsAbZh!3KRpr23vy%a=Ff-WzDa+_wr3Q^x$3Z#OX$_EV@L+b&_#cNi2<fpgIq
z@%P?cXYzt(wLEC8(1>q`Lg%xpM$`QbbjR)ZVy{>XO2#u}a9WqgWyH}^dwr>2TE3^U
zqhr&A;3>@fIkR4>a-Th%n3W`4Du01Pp~ogP!#7mz-mqT}%TWFrflaG*a+b}Kx{304
z>CXBv1KkAoY(L~sIiC%b)i&Gt*&UCn%xe)@7Iz%){}9zXmGvOF$ZNQW2ARekjrFA}
z*=be{!taRSQH{;<VPt8XQuTeuxBa9CROAuY^*h+V7l~1VWxDu?$?S8<ov!zI=36;z
zWyru$Kc_oq2bC;dyJXK9-B5I;k)<*Z<jUipf^F%re6;jXmYV03TFA^-%GfDsk{wmP
z&~8tT<E#&*;AT=+YHBK%0ZMMBp+@6(zs5IacNn23m}?oZ3G)@5p|V%k`;hrH1{QKo
zD#{tv@9;v<)1Q7I5%~tXa@q}X0*73-j=W^wm%P{b&)E&tB~n>znW|^fTlkx>?7)tq
zBuy4M7lyu7a43$cLl;(@mPcHV9<1aBY!a8m7^mJ1mn|ee`6&+o#bsNG(fD8;Sk{mB
zRc0MR0ZaQzb3L^x%E9__8%5+O4OL#PobUT#8kgMRyv_aD=cs3{rPirQJCBx`o-ux`
zVpXdWA8gU{B)Z3Na7jsS^P7mDlEigLe?;}g<cHT)Z-~7enCQ`<7#4A%%gX-fx^U{X
zNWi5u;7I-Nh;+HT<D*FB%dzD1jbU&a8FW@{@S7X6_3M(5D`^m-Wyw;u3ylbZ8)8w=
z=>tt=LX~8j4}q1x-qB0AE2Q&#OzI_E6F>j)&9L5J%bc8hcqEfd6GB6(Dx1<}(!*YV
zZ(pxj8`gLCNqg38j_X+7;Zwto511Sp_MZ>sw!1#+(e1UP`-w`Cc8g*9Tz!X`1|ra(
zvfs%6G=#zV$_5@w&wD{e*WAISP(jTI9|@hIlFh*o%Dv$qF*HXs=C(c5nS1TCe9_8c
zS7x6wM%?%sT615MYq@8QE$)5dFB#$2Zx{Ny-q7@SUNXHuAnN)rS-ioxd?3fSygHXd
zw99Qp(W{dAm~bSE;OEYCt}u&*f1C?f9)oQS(q=GR2d&i{mR?dIQoitn4$SgZ+09%)
zD}>U0&&D~mk1-@dC172Ls@tlk^&ltx%peh%ta$jT#<d|0-mk^4N8PV1C6tR=O2_~X
zXtNQpTpIUGs=L$k%Cafd%yL4%K2-_S6G@3dYT5H4`??Zy8v7R1%2JsF7JXUfrke?I
zw338gxdYGDAD`;8^Y%U($kp*?BHMC^UFs|q>8k%TvpXAsNa+zO7CcuUk=Y!oNvz+5
z7%13cgZwmYA@ZZwHE#}4sw8P41-o<7%RhP(gJ#o&1r`r!PMVh<c!D>|>XYj_i0Rme
zx1HAt`;$C+3r*V37YpWIjwok1XVd#}E#Yd>=mQMMMMNdlvK+**8tU$5sm3$?6I!9K
zns3qEG5Y>%bWENt_wX<N3i_VWX{aIa&ef^)Dq&pTZLA5)wl2`BvC3ffyNpVAQK$=F
z<qT;T{TxaQZtZO=fc2Ty{QN-<nLqN^SAP*>g_k*H@9l714r=L;?pVh*xel|K>W>Qy
zHp|vxp&YLgOKfaI<n^dqP;6ZIUL>4imaK1mqzBhnh%ec%gHI^8Gmd$-7p<HpEV)vY
zMmOLle8kDztZc$kq1=%XLCIyiIbBAac27m;J3%C&|NGFdk*Pi9l&baPV-}y485fir
zV%GZOtGWKhNNRdDNMFalcF1xw3s^b46%%HqH$%zX7f>T9$NceGAd!Kt4*8(^`x&7m
zG$KaujX@<nIONb4-dHkN`hXd-sViQk_`=Jf!zOh6wt&#VsQd0_wY-4V!9jdjXs4!t
zKy99$NxgQTyr{3^&bxAi=*p9n;<%Ae`2D_Saa|YExy4?F&Az7{R<xqeHi=o~T1P~k
zPKCOH2JHTTH+j>=qiE?VDsxcvmkoR5-s)5<hse}jTAjj{j?MJmf->#=-j?(jd%YKT
zO-6#@m%phum~4N{xEW3c`GyM3&Ip&^B)$BKx$N=N39dYwTo#p?xx*Jn>DD=McJ6(R
zy4J#?KdSdStA_j5p0TYiut)@Yb9IXnb>L-lEH-@qwW1upw2}b?E#|FrJN_G#TzRJc
zCfVL}+lXB!l|*ZO9henymZ-?vEAwkCy3^680^T)6ISAG*c98OOSX^USR$i!75{`<B
z5)6SmvpCX@SB)t=&TiofH(+9*p>?0IIL9E5mxz>d^9p@_uJqN@G*+#{WerNv$OL8l
z3@IzkToJeFQMy=aTK9}kBmGyNp0V<ikuwT-_9JunIU7M7s`RJmz!MVETI!_o?99Xt
zQS(z89_CQ0tz;jPTfC|}gR)k{QW3qnx;m89m13vdR6Au{UW`*p5Xftla*#)tW2Tyf
zZ2Pd3+U3bnTmxdBW<;2d_R~!NsksGhM;qv--sRK2O5kyMk38fPy|@Q}nTfHnqo`0}
ze<an!(uBmqXs0=~0vSRtGR16HX2d`Ha;m?>rQ!=euHJ<4nvo2%%BEXCpSQrTu$yct
zrF<&0vf~y|b1%SSnX9mRv~vFi(J@$}ceu7Sk&r9t0=_ne;~^of4f+a(DDz^sgT-r$
z#K<bKwTk10h@WIMi8nw^r49_aHG8CW0tGhNDw??if%S<!^BZ1b`=Q*UkJuC9c&piu
zJ4mYE`yJX#gJ~E8T(~;rsvZ64w(5Yu(Uw%LOL*Ds<5oTeK|kD)Oqj|4I8+Q-2AiR#
z?1oHvYsL@c_x!f#D<Q|VF%YPQn_xe2hfmSw?6_NXjYf9Kh}Aow#!C|_?JNQ54ooIZ
zs5$&ya6BrAuJ%Xe%$Ppe_U5LS;FU(kW$RKAx;Nozb%jG&edc4thxcwBdPKxm6;Yqm
zG*Aj5c{Hv9*KNKaZ$6w}bLB;ec5dx?-ttn92yL2ls{C2IJG6xCrHPwKWh*^NH0)c<
zXsZn4*9*Qj8R}Pp<!6WA=JQS2cuSd>1bNJDAkFaM8IOtsllA=pS=(fatN3ns1k@q{
zOcOiPyC%{jIa+BUGgAyfUeO3kdL%K&hxa+(a#nM$+X#ylm6f?TIZf}?Q0KAxht0~|
za`E=ARZJ&i)7<+eJiKzqa#91tBCBl(mS_A!^u@lVGD6wz$_xr6DImpis13QK0PZ)p
zP3|5X9_EH7KaU>hwq=MKNj#NZ5bC~}x#u95t~AcBkF!l9`|Cm`)Pt_g6GC+Kd+%^}
z*G)WOp!@UL88^4u(yGTb=D};s|LW|@G{%hDTn~Hcj*uVXd#v<MwOG}?R^wbvSs6Zs
zFPg)@e>TIkbFII>->&?5zUe%{pLgAV4tsw$JxQM~u|BE)VKER@1*sG%S12QBsp1sc
zinHE-Tbi4j`|~HAdKs<zjnu=@@v;Izzjhva@0V1b{_^y+af;%@l%57NRhasdKQysH
z&L+bK)w!Q8Rq3CwANY?8wQLbVaZ7P<$?&8yf=$C(Sj=!_v#~J%AaU-QyqH|-Jg@Sa
znwm}o!M9%$&t7?-D=aN7&CBbGdlaMe^PIg(C#hJGx2+;eqt;3<u$3^0R!3vRy*GBe
z=q9qr!&vJiXNH-Ou5=;uH*>qy!~1F}YUhS>Tr^&&%-8B2g!>AaP^w&ir>3DXJT_)^
zcG5MT-^=m9Ud=ZgZewkIs6~)XdS&VCylJ(zgt&OWM&5iyTwI)ifqJTFLY(dTNeT-y
z1LA{1nsN?pr#$1BN@kx%whFOyCc?b(NI-WHPX}`8LZok}--=(i83(23>hiL!iHV7k
zk&%mwAbH5f#s<afbgI3;nnw0^itG$udt?-CYlO=lX4vC@%Yw2wuJ$>)9pr2S><7=@
zvI*JmR0(l%Qie+NM7IIPY;$w7ySux&xq18x4f}4q#Ooz^O?7p3W#t}NwZDnthy2qT
Q%t#OK%iqh9()IoS0CX$@p#T5?

literal 0
HcmV?d00001

diff --git a/docs/img/vnet/how-it-works.svg b/docs/img/vnet/how-it-works.svg
index e37da9d95d0e8..c3f47d4d8d486 100644
--- a/docs/img/vnet/how-it-works.svg
+++ b/docs/img/vnet/how-it-works.svg
@@ -1 +1 @@
-<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:lucid="lucid" width="1487.82" height="471.28"><g transform="translate(721 -3130.173498858219)" lucid:page-tab-id="0_0"><path d="M-1000 3000h2000v1000h-2000z" fill="#fff"/><path d="M-719 3177.43a8 8 0 0 1 8-8h581.87a8 8 0 0 1 8 8v220.15a8 8 0 0 1-8 8H-711a8 8 0 0 1-8-8z" stroke="#512fc9" stroke-width="2" fill="#fff"/><path d="M-720 3138.97h600v25.64h-600z" stroke="#000" stroke-opacity="0" stroke-width="2" fill="#fff" fill-opacity="0"/><use xlink:href="#a" transform="matrix(1,0,0,1,-715,3143.9677536428208) translate(240.448525 16.522380000000002)"/><use xlink:href="#b" transform="matrix(1,0,0,1,-715,3143.9677536428208) translate(285.395425 16.522380000000002)"/><path d="M-719 3183.53h283.18v8.46h-283.2z" stroke="#000" stroke-opacity="0" stroke-width="2" fill="#fff" fill-opacity="0"/><path d="M-700 3226a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v116a6 6 0 0 1-6 6h-116a6 6 0 0 1-6-6z" stroke="#512fc9" stroke-opacity=".2" stroke-width="2" fill="#fff" filter="url(#c)"/><path d="M-700 3366a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v12a6 6 0 0 1-6 6h-116a6 6 0 0 1-6-6z" fill="none"/><use xlink:href="#d" transform="matrix(1,0,0,1,-700,3360) translate(41.848888888888894 18.879999999999995)"/><path d="M-608.98 3266.34c0 8.2-6.7 14.88-14.87 14.88-8.26 0-14.87-6.67-14.87-14.88 0-8.2 6.6-14.87 14.87-14.87 8.18 0 14.87 6.67 14.87 14.88zM-643.7 3276.26c0 5.47-4.46 9.92-9.9 9.92-5.5 0-9.95-4.44-9.95-9.92 0-5.47 4.46-9.92 9.96-9.92 5.44 0 9.9 4.45 9.9 9.92zM-673.44 3305c0-7.65 6.24-13.86 13.9-13.86h11.9c7.65 0 13.82 6.2 13.82 13.85 0 1.93-1.56 3.47-3.42 3.47h-32.7c-1.94 0-3.5-1.54-3.5-3.48z" stroke="#000" stroke-opacity="0" fill="#512fc9"/><path d="M-643.26 3289.2c6.92 1.88 11.97 8.15 11.97 15.68 0 1.3-.43 2.56-1.18 3.6h28.92c2.46 0 4.46-2 4.46-4.46 0-9.86-7.95-17.84-17.84-17.84h-16.35c-3.7 0-7.13 1.08-9.96 3.02z" stroke="#000" stroke-opacity="0" fill="#512fc9"/><path d="M-510.82 3226a6 6 0 0 1 6-6h176.05a6 6 0 0 1 6 6v19.33a6 6 0 0 1-6 6h-176.05a6 6 0 0 1-6-6z" fill="#fff" fill-opacity="0"/><use xlink:href="#e" transform="matrix(1,0,0,1,-505.8188784005588,3225) translate(0.3622222222222149 17.546666666666667)"/><path d="M-600.8 3440.08a3 3 0 0 1 3-3h26a3 3 0 0 1 3 3v26a3 3 0 0 1-3 3h-26a3 3 0 0 1-3-3z" fill-opacity="0"/><path d="M-580.48 3437.08h8.67l.46.04.46.1.43.2.4.23.36.3.32.37.25.4.17.43.12.46.03.48v8.66m0 8.67v8.68l-.05.47-.1.46-.18.44-.25.4-.3.36-.37.3-.4.25-.43.18-.46.1-.47.05h-8.68m-8.66 0h-8.67l-.48-.04-.46-.1-.43-.2-.4-.23-.36-.3-.3-.36-.25-.4-.18-.43-.1-.45-.05-.47v-8.67m0-8.66v-8.66l.03-.47.1-.45.2-.43.24-.4.3-.36.36-.3.4-.25.43-.17.46-.1.47-.05h8.66" stroke="#00bfa5" stroke-width="2" fill="none"/><path d="M-710.82 3439.58a3 3 0 0 1 3-3h26a3 3 0 0 1 3 3v26a3 3 0 0 1-3 3h-26a3 3 0 0 1-3-3z" fill-opacity="0"/><path d="M-690.5 3436.58h8.68l.47.04.46.1.44.2.4.23.36.3.3.37.25.4.18.43.1.46.05.48v8.66m0 8.67v8.68l-.04.47-.1.46-.2.44-.23.4-.3.36-.36.3-.4.25-.43.18-.45.1-.47.05h-8.67m-8.65 0h-8.67l-.47-.04-.45-.1-.43-.2-.4-.23-.36-.3-.3-.36-.25-.4-.17-.43-.1-.45-.05-.47v-8.67m0-8.66v-8.66l.04-.47.1-.45.2-.43.23-.4.3-.36.37-.3.4-.25.43-.17.46-.1.48-.05h8.67" stroke="#f50057" stroke-width="2" fill="none"/><path d="M-261.3 3226a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v116a6 6 0 0 1-6 6h-116a6 6 0 0 1-6-6z" stroke="#512fc9" stroke-opacity=".2" stroke-width="2" fill="#fff" filter="url(#c)"/><path d="M-261.3 3366a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v12a6 6 0 0 1-6 6h-116a6 6 0 0 1-6-6z" fill="none"/><use xlink:href="#f" transform="matrix(1,0,0,1,-261.3048767654043,3360) translate(42.777777777777786 18.879999999999995)"/><path d="M-177.5 3265.63h-39.6c-.85 0-1.4.55-1.4 1.4v5.65c0 .85.55 1.43 1.4 1.43h39.6c.84 0 1.4-.57 1.4-1.42v-5.66c0-.84-.56-1.4-1.4-1.4zm-8.48 5.66c-.85 0-1.45-.6-1.45-1.45 0-.84.6-1.4 1.45-1.4.84 0 1.4.56 1.4 1.4 0 .85-.56 1.44-1.4 1.44zm7.03 0h-2.8c-.84 0-1.44-.6-1.44-1.45 0-.84.6-1.4 1.46-1.4h2.8c.84 0 1.44.56 1.44 1.4 0 .85-.6 1.44-1.45 1.44zM-177.5 3279.77h-39.6c-.85 0-1.4.55-1.4 1.4v5.66c0 .85.55 1.4 1.4 1.4h18.4V3294.18c-1.28.4-2.12 1.4-2.55 2.53h-11.62c-.84 0-1.4.6-1.4 1.45 0 .84.56 1.4 1.4 1.4h11.62c.55 1.68 2.12 2.82 3.94 2.82 1.82 0 3.4-1.14 3.94-2.83H-181.74c.84 0 1.4-.55 1.4-1.4 0-.84-.56-1.43-1.4-1.43H-193.36c-.43-1.23-1.4-2.12-2.55-2.52V3288.23h18.4c.84 0 1.4-.55 1.4-1.4v-5.66c0-.85-.56-1.4-1.4-1.4zm-33.92 5.63c-.85 0-1.45-.56-1.45-1.4 0-.84.6-1.4 1.45-1.4.84 0 1.4.56 1.4 1.4 0 .84-.56 1.4-1.4 1.4zm4.24 0c-.85 0-1.44-.56-1.44-1.4 0-.84.6-1.4 1.44-1.4s1.4.56 1.4 1.4c0 .84-.56 1.4-1.4 1.4zm4.24 0c-.85 0-1.45-.56-1.45-1.4 0-.84.6-1.4 1.46-1.4.84 0 1.4.56 1.4 1.4 0 .84-.56 1.4-1.4 1.4zm2.8-1.4c0-.84.6-1.4 1.44-1.4s1.4.56 1.4 1.4c0 .84-.56 1.4-1.4 1.4-.85 0-1.45-.56-1.45-1.4zm14.16 1.4c-.85 0-1.45-.56-1.45-1.4 0-.84.6-1.4 1.45-1.4.84 0 1.4.56 1.4 1.4 0 .84-.56 1.4-1.4 1.4zm7.03 0h-2.8c-.84 0-1.44-.56-1.44-1.4 0-.84.6-1.4 1.46-1.4h2.8c.84 0 1.44.56 1.44 1.4 0 .84-.6 1.4-1.45 1.4z" stroke="#000" stroke-opacity="0" stroke-width="4.69" fill="#00bfa5"/><path d="M-569 3237.67h18.73m18.72 0h18.73" stroke="#f50057" stroke-width="4" fill="none"/><path d="M-568.95 3239.64H-571v-3.95h2.05zM-510.82 3239.64h-2.05v-3.95h2.05z" stroke="#f50057" stroke-width=".05" fill="#f50057"/><path d="M-320.77 3237.67h39.47" stroke="#f50057" stroke-width="4" fill="none"/><path d="M-320.72 3239.64h-2.05v-3.95h2.05z" stroke="#f50057" stroke-width=".05" fill="#f50057"/><path d="M-266.3 3237.67l-13 7.5v-15z" stroke="#f50057" stroke-width="4" fill="#f50057"/><path d="M-480.8 3253.25a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v19.33a6 6 0 0 1-6 6h-116a6 6 0 0 1-6-6z" fill="#fff" fill-opacity="0"/><use xlink:href="#g" transform="matrix(1,0,0,1,-475.79665617833655,3252.247992141838) translate(16.617777777777768 17.546666666666667)"/><path d="M-552 3264.9h23.06m23.07 0h23.07" stroke="#f50057" stroke-width="4" fill="none"/><path d="M-567 3264.9l13-7.5v15z" stroke="#f50057" stroke-width="4" fill="#f50057"/><path d="M-480.8 3266.9h-2.05v-3.96h2.05z" stroke="#f50057" stroke-width=".05" fill="#f50057"/><path d="M-350.8 3264.9h28.83m28.84 0h28.82" stroke="#f50057" stroke-width="4" fill="none"/><path d="M-350.75 3266.9h-2.05v-3.96h2.06zM-262.3 3266.9h-2.06v-3.96h2.06z" stroke="#f50057" stroke-width=".05" fill="#f50057"/><path d="M140 3179.17a8 8 0 0 1 8-8h599.04a8 8 0 0 1 8 8v413.28a8 8 0 0 1-8 8H148a8 8 0 0 1-8-8z" stroke="#512fc9" stroke-width="2" fill="#fff"/><path d="M140 3131.17h625.82v40H140z" stroke="#000" stroke-opacity="0" stroke-width="2" fill="#fff" fill-opacity="0"/><use xlink:href="#h" transform="matrix(1,0,0,1,145.000000000103,3136.173498858219) translate(229.83256999999998 22.147380000000002)"/><use xlink:href="#i" transform="matrix(1,0,0,1,145.000000000103,3136.173498858219) translate(300.41678 22.147380000000002)"/><path d="M140 3177.72h296.43v22.92H140z" stroke="#000" stroke-opacity="0" stroke-width="2" fill="#fff" fill-opacity="0"/><path d="M-100.2 3178.85a8 8 0 0 1 8-8H112a8 8 0 0 1 8 8v218.73a8 8 0 0 1-8 8H-92.2a8 8 0 0 1-8-8z" stroke="#512fc9" stroke-width="2" fill="#fff"/><path d="M8.37 3237.18a3 3 0 0 1 3-3h197.75a3 3 0 0 1 3 3v76.94a3 3 0 0 1-3 3H11.37a3 3 0 0 1-3-3zM-133.3 3237.8a3 3 0 0 1 3-3H5.36a3 3 0 0 1 3 3v74.07a3 3 0 0 1-3 3H-130.3a3 3 0 0 1-3-3z" stroke="#000" stroke-opacity="0" fill="#512fc9" fill-opacity=".07"/><path d="M50 3274.8c0 22.08-17.9 40-40 40s-40-17.92-40-40c0-22.1 17.9-40 40-40s40 17.9 40 40z" stroke="#00bfa5" stroke-width="4" fill="#fff" filter="url(#j)"/><path d="M29.8 3257.17H-9.8c-.85 0-1.4.55-1.4 1.4v5.66c0 .84.55 1.43 1.4 1.43h39.6c.85 0 1.4-.6 1.4-1.43v-5.66c0-.85-.55-1.4-1.4-1.4zm-8.48 5.66c-.85 0-1.44-.6-1.44-1.43 0-.85.6-1.4 1.44-1.4.85 0 1.4.55 1.4 1.4 0 .84-.55 1.43-1.4 1.43zm7.04 0h-2.8c-.85 0-1.44-.6-1.44-1.43 0-.85.6-1.4 1.44-1.4h2.8c.85 0 1.44.55 1.44 1.4 0 .84-.6 1.43-1.44 1.43zM29.8 3271.32H-9.8c-.85 0-1.4.55-1.4 1.4v5.65c0 .85.55 1.4 1.4 1.4H8.6V3285.72c-1.27.4-2.12 1.4-2.54 2.54H-5.56c-.85 0-1.4.6-1.4 1.43 0 .84.55 1.4 1.4 1.4H6.06c.55 1.68 2.12 2.82 3.94 2.82 1.82 0 3.4-1.14 3.94-2.83H25.56c.85 0 1.4-.56 1.4-1.4 0-.85-.55-1.44-1.4-1.44H13.94c-.42-1.25-1.4-2.13-2.54-2.54V3279.77h18.4c.85 0 1.4-.55 1.4-1.4v-5.66c0-.83-.55-1.38-1.4-1.38zm-33.92 5.62c-.85 0-1.44-.55-1.44-1.4 0-.84.6-1.4 1.44-1.4.85 0 1.4.56 1.4 1.4 0 .85-.55 1.4-1.4 1.4zm4.24 0c-.85 0-1.44-.55-1.44-1.4 0-.84.6-1.4 1.44-1.4.85 0 1.4.56 1.4 1.4 0 .85-.55 1.4-1.4 1.4zm4.24 0c-.85 0-1.44-.55-1.44-1.4 0-.84.6-1.4 1.44-1.4.85 0 1.4.56 1.4 1.4 0 .85-.55 1.4-1.4 1.4zm2.8-1.4c0-.84.6-1.4 1.44-1.4.85 0 1.4.56 1.4 1.4 0 .85-.55 1.4-1.4 1.4-.85 0-1.44-.55-1.44-1.4zm14.16 1.4c-.85 0-1.44-.55-1.44-1.4 0-.84.6-1.4 1.44-1.4.85 0 1.4.56 1.4 1.4 0 .85-.55 1.4-1.4 1.4zm7.04 0h-2.8c-.85 0-1.44-.55-1.44-1.4 0-.84.6-1.4 1.44-1.4h2.8c.85 0 1.44.56 1.44 1.4 0 .85-.6 1.4-1.44 1.4z" stroke="#000" stroke-opacity="0" stroke-width="4.69" fill="#00bfa5"/><path d="M-30 3329.92a6 6 0 0 1 6-6h68a6 6 0 0 1 6 6v12a6 6 0 0 1-6 6h-68a6 6 0 0 1-6-6z" fill="none"/><use xlink:href="#k" transform="matrix(1,0,0,1,-30,3323.9167555475055) translate(10.008888888888897 18.879999999999995)"/><path d="M-130.3 3274.88h16.03m16.04 0h16.06l.02-.02v-.04h.02v-.02h31.15" stroke="#00bfa5" stroke-width="4" fill="none"/><path d="M-130.25 3276.85h-2.06v-3.95h2.05z" stroke="#00bfa5" stroke-width=".05" fill="#00bfa5"/><path d="M-36 3274.8l-13 7.5v-15z" stroke="#00bfa5" stroke-width="4" fill="#00bfa5"/><path d="M-60 3217.84a6 6 0 0 1 6-6H74a6 6 0 0 1 6 6v12a6 6 0 0 1-6 6H-54a6 6 0 0 1-6-6z" fill="none"/><use xlink:href="#l" transform="matrix(1,0,0,1,-60,3211.8429024563884) translate(18.604444444444468 18.019999999999996)"/><use xlink:href="#m" transform="matrix(1,0,0,1,-60,3211.8429024563884) translate(60.347777777777786 18.019999999999996)"/><path d="M71 3274.8h28.63m28.64 0h28.63" stroke="#00bfa5" stroke-width="4" fill="none"/><path d="M56 3274.8l13-7.5v15z" stroke="#00bfa5" stroke-width="4" fill="#00bfa5"/><path d="M158.9 3276.77h-2.05v-3.95h2.06z" stroke="#00bfa5" stroke-width=".05" fill="#00bfa5"/><path d="M-561.42 3443.08a6 6 0 0 1 6-6h38.6a6 6 0 0 1 6 6v19.5a6 6 0 0 1-6 6h-38.6a6 6 0 0 1-6-6z" fill="#fff" fill-opacity="0"/><use xlink:href="#n" transform="matrix(1,0,0,1,-556.4233200180361,3442.078786016449) translate(0 17.546666666666667)"/><path d="M-671.43 3443.08a6 6 0 0 1 6-6h41.23a6 6 0 0 1 6 6v19a6 6 0 0 1-6 6h-41.23a6 6 0 0 1-6-6z" fill="#fff" fill-opacity="0"/><use xlink:href="#o" transform="matrix(1,0,0,1,-666.4339741663744,3442.078786016448) translate(0 17.546666666666667)"/><path d="M-480.8 3308.37a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v19.34a6 6 0 0 1-6 6h-116a6 6 0 0 1-6-6z" fill="#fff" fill-opacity="0"/><use xlink:href="#p" transform="matrix(1,0,0,1,-475.79665617833655,3307.3729796261614) translate(16.617777777777768 17.546666666666667)"/><path d="M-570 3320.04h14.53m14.54 0h29.06m14.54 0h14.53M-569.95 3320.04H-572" stroke="#00bfa5" stroke-width="4" fill="none"/><path d="M-480.8 3322h-2.05v-3.93h2.05z" stroke="#00bfa5" stroke-width=".05" fill="#00bfa5"/><path d="M-350.8 3320.04h22.45m22.44 0h22.43" stroke="#00bfa5" stroke-width="4" fill="none"/><path d="M-350.75 3322h-2.05v-3.93h2.06z" stroke="#00bfa5" stroke-width=".05" fill="#00bfa5"/><path d="M-268.48 3320.04l-13 7.5v-15z" stroke="#00bfa5" stroke-width="4" fill="#00bfa5"/><path d="M595.54 3411.58a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v116a6 6 0 0 1-6 6h-116a6 6 0 0 1-6-6z" stroke="#512fc9" stroke-opacity=".2" stroke-width="2" fill="#fff" filter="url(#c)"/><path d="M595.54 3551.58a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v12a6 6 0 0 1-6 6h-116a6 6 0 0 1-6-6z" fill="none"/><use xlink:href="#q" transform="matrix(1,0,0,1,595.5384840755543,3545.578786016564) translate(-18.977777777777746 18.879999999999995)"/><path d="M631.64 3455.18h55.6c1.44 0 2.5-1.43 1.87-2.9l-6.44-14.46c-.18-.8-1-1.24-1.6-1.24H638c-.62 0-1.42.43-1.86 1.24l-6.38 14.44c-.62 1.5.43 2.92 1.86 2.92zM688.5 3457.22h-57.92c-1.24 0-2.04.87-2.04 2.1v8.26c0 1.24.8 2.05 2.04 2.05h57.9c1.25 0 2.06-.8 2.06-2.05v-8.25c0-1.24-.8-2.1-2.05-2.1zm-12.4 8.3c-1.25 0-2.12-.86-2.12-2.1 0-1.24.87-2.04 2.1-2.04 1.25 0 2.06.8 2.06 2.05 0 1.24-.8 2.1-2.05 2.1zm10.28 0h-4.1c-1.23 0-2.1-.86-2.1-2.1 0-1.24.87-2.04 2.1-2.04h4.1c1.24 0 2.1.8 2.1 2.05 0 1.24-.86 2.1-2.1 2.1zM688.5 3486.18h-57.92c-1.24 0-2.04.8-2.04 2.05v8.3c0 1.24.8 2.05 2.04 2.05h57.9c1.25 0 2.06-.8 2.06-2.05v-8.3c0-1.24-.8-2.05-2.05-2.05zm-12.4 8.25c-1.25 0-2.12-.8-2.12-2.05 0-1.24.87-2.05 2.1-2.05 1.25 0 2.06.8 2.06 2.05 0 1.24-.8 2.05-2.05 2.05zm10.28 0h-4.1c-1.23 0-2.1-.8-2.1-2.05 0-1.24.87-2.05 2.1-2.05h4.1c1.24 0 2.1.8 2.1 2.05 0 1.24-.86 2.05-2.1 2.05zM688.5 3471.73h-57.92c-1.24 0-2.04.8-2.04 2.05v8.24c0 1.24.8 2.1 2.04 2.1h57.9c1.25 0 2.06-.86 2.06-2.1v-8.24c0-1.24-.8-2.05-2.05-2.05zm-49.6 8.25c-1.25 0-2.12-.8-2.12-2.05 0-1.24.87-2.1 2.1-2.1 1.25 0 2.06.86 2.06 2.1 0 1.24-.8 2.05-2.05 2.05zm6.2 0c-1.25 0-2.12-.8-2.12-2.05 0-1.24.87-2.1 2.1-2.1 1.25 0 2.06.86 2.06 2.1 0 1.24-.8 2.05-2.05 2.05zm6.2 0c-1.25 0-2.12-.8-2.12-2.05 0-1.24.87-2.1 2.1-2.1 1.25 0 2.06.86 2.06 2.1 0 1.24-.8 2.05-2.05 2.05zm6.2 0c-1.25 0-2.12-.8-2.12-2.05 0-1.24.87-2.1 2.1-2.1 1.25 0 2.06.86 2.06 2.1 0 1.24-.8 2.05-2.05 2.05zm18.6 0c-1.25 0-2.12-.8-2.12-2.05 0-1.24.87-2.1 2.1-2.1 1.25 0 2.06.86 2.06 2.1 0 1.24-.8 2.05-2.05 2.05zm10.28 0h-4.1c-1.23 0-2.1-.8-2.1-2.05 0-1.24.87-2.1 2.1-2.1h4.1c1.24 0 2.1.86 2.1 2.1 0 1.24-.86 2.05-2.1 2.05z" stroke="#000" stroke-opacity="0" stroke-width="4.69" fill="#512fc9"/><path d="M593.54 3224.3a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v116a6 6 0 0 1-6 6h-116a6 6 0 0 1-6-6z" stroke="#512fc9" stroke-opacity=".2" stroke-width="2" fill="#fff" filter="url(#c)"/><path d="M593.54 3364.3a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v12a6 6 0 0 1-6 6h-116a6 6 0 0 1-6-6z" fill="none"/><use xlink:href="#r" transform="matrix(1,0,0,1,593.5384840755843,3358.288123278978) translate(11.248888888888906 18.879999999999995)"/><use xlink:href="#s" transform="matrix(1,0,0,1,593.5384840755843,3358.288123278978) translate(50.946666666666665 18.879999999999995)"/><path d="M629.64 3267.9h55.6c1.44 0 2.5-1.44 1.87-2.93l-6.44-14.44c-.18-.8-1-1.24-1.6-1.24H636c-.62 0-1.42.42-1.86 1.23l-6.38 14.44c-.62 1.5.43 2.92 1.86 2.92zM686.5 3269.93h-57.92c-1.24 0-2.04.87-2.04 2.1v8.26c0 1.23.8 2.03 2.04 2.03h57.9c1.25 0 2.06-.8 2.06-2.04v-8.26c0-1.24-.8-2.1-2.05-2.1zm-12.4 8.3c-1.25 0-2.12-.86-2.12-2.1 0-1.24.87-2.04 2.1-2.04 1.25 0 2.06.8 2.06 2.03 0 1.24-.8 2.1-2.05 2.1zm10.28 0h-4.1c-1.23 0-2.1-.86-2.1-2.1 0-1.24.87-2.04 2.1-2.04h4.1c1.24 0 2.1.8 2.1 2.03 0 1.24-.86 2.1-2.1 2.1zM686.5 3298.9h-57.92c-1.24 0-2.04.8-2.04 2.03v8.3c0 1.25.8 2.06 2.04 2.06h57.9c1.25 0 2.06-.82 2.06-2.06v-8.3c0-1.25-.8-2.05-2.05-2.05zm-12.4 8.23c-1.25 0-2.12-.8-2.12-2.04 0-1.25.87-2.06 2.1-2.06 1.25 0 2.06.8 2.06 2.05 0 1.23-.8 2.03-2.05 2.03zm10.28 0h-4.1c-1.23 0-2.1-.8-2.1-2.04 0-1.25.87-2.06 2.1-2.06h4.1c1.24 0 2.1.8 2.1 2.05 0 1.23-.86 2.03-2.1 2.03zM686.5 3284.44h-57.92c-1.24 0-2.04.8-2.04 2.05v8.23c0 1.24.8 2.1 2.04 2.1h57.9c1.25 0 2.06-.86 2.06-2.1v-8.24c0-1.25-.8-2.06-2.05-2.06zm-49.6 8.25c-1.25 0-2.12-.82-2.12-2.06 0-1.24.87-2.1 2.1-2.1 1.25 0 2.06.86 2.06 2.1 0 1.24-.8 2.05-2.05 2.05zm6.2 0c-1.25 0-2.12-.82-2.12-2.06 0-1.24.87-2.1 2.1-2.1 1.25 0 2.06.86 2.06 2.1 0 1.24-.8 2.05-2.05 2.05zm6.2 0c-1.25 0-2.12-.82-2.12-2.06 0-1.24.87-2.1 2.1-2.1 1.25 0 2.06.86 2.06 2.1 0 1.24-.8 2.05-2.05 2.05zm6.2 0c-1.25 0-2.12-.82-2.12-2.06 0-1.24.87-2.1 2.1-2.1 1.25 0 2.06.86 2.06 2.1 0 1.24-.8 2.05-2.05 2.05zm18.6 0c-1.25 0-2.12-.82-2.12-2.06 0-1.24.87-2.1 2.1-2.1 1.25 0 2.06.86 2.06 2.1 0 1.24-.8 2.05-2.05 2.05zm10.28 0h-4.1c-1.23 0-2.1-.82-2.1-2.06 0-1.24.87-2.1 2.1-2.1h4.1c1.24 0 2.1.86 2.1 2.1 0 1.24-.86 2.05-2.1 2.05z" stroke="#000" stroke-opacity="0" stroke-width="4.69" fill="#512fc9"/><path d="M345.5 3238.9a6 6 0 0 1 6-6h176.04a6 6 0 0 1 6 6v19.34a6 6 0 0 1-6 6H351.5a6 6 0 0 1-6-6z" fill="#fff" fill-opacity="0"/><use xlink:href="#e" transform="matrix(1,0,0,1,350.4940396311397,3237.9121193498827) translate(0.3622222222222149 17.546666666666667)"/><path d="M290.9 3250.58h17.54m17.52 0h17.53" stroke="#f50057" stroke-width="4" fill="none"/><path d="M290.96 3252.55h-2.06v-3.95h2.06zM345.5 3252.55h-2.06v-3.95h2.05z" stroke="#f50057" stroke-width=".05" fill="#f50057"/><path d="M535.54 3250.58h38" stroke="#f50057" stroke-width="4" fill="none"/><path d="M535.6 3252.55h-2.06v-3.95h2.05z" stroke="#f50057" stroke-width=".05" fill="#f50057"/><path d="M588.54 3250.58l-13 7.5v-15z" stroke="#f50057" stroke-width="4" fill="#f50057"/><path d="M380 3271.18a6 6 0 0 1 6-6h68a6 6 0 0 1 6 6v17.67a6 6 0 0 1-6 6h-68a6 6 0 0 1-6-6z" fill="#fff" fill-opacity="0"/><use xlink:href="#t" transform="matrix(1,0,0,1,385,3270.1825560342236) translate(2.928888888888885 17.546666666666667)"/><path d="M307.9 3281.9h23.36m23.37 0H378" stroke="#f50057" stroke-width="4" fill="none"/><path d="M292.9 3281.9l13-7.5v15z" stroke="#f50057" stroke-width="4" fill="#f50057"/><path d="M380 3283.9h-2.05v-3.96H380z" stroke="#f50057" stroke-width=".05" fill="#f50057"/><path d="M462 3281.9h21.42m21.43 0h42.84m21.4 0h21.44" stroke="#f50057" stroke-width="4" fill="none"/><path d="M462.05 3283.9H460v-3.96h2.05zM592.54 3283.9h-2.05v-3.96h2.04z" stroke="#f50057" stroke-width=".05" fill="#f50057"/><path d="M380 3310.78a6 6 0 0 1 6-6h68a6 6 0 0 1 6 6v17.67a6 6 0 0 1-6 6h-68a6 6 0 0 1-6-6z" fill="#fff" fill-opacity="0"/><use xlink:href="#u" transform="matrix(1,0,0,1,385,3309.782780877255) translate(2.928888888888885 17.546666666666667)"/><path d="M290.9 3319.62h29.04m29.03 0H378" stroke="#00bfa5" stroke-width="4" fill="none"/><path d="M290.96 3321.6h-2.06v-3.96h2.06zM380 3321.6h-2.05v-3.96H380z" stroke="#00bfa5" stroke-width=".05" fill="#00bfa5"/><path d="M462 3319.62h19.76m19.75 0h19.77l.94.07.92.2.87.37.8.5.7.6.62.72.5.8.36.86.22.92.07.94v23m0 23v45.97m0 23v22.98l.07.94.22.9.36.88.5.8.6.72.72.6.8.5.88.36.9.22.95.08h14.1m14.1 0h14.08" stroke="#00bfa5" stroke-width="4" fill="none"/><path d="M462.05 3321.6H460v-3.96h2.05z" stroke="#00bfa5" stroke-width=".05" fill="#00bfa5"/><path d="M590.54 3469.58l-13 7.5v-15z" stroke="#00bfa5" stroke-width="4" fill="#00bfa5"/><path d="M-127.6 3140.65h275.2v23.96h-275.2z" stroke="#000" stroke-opacity="0" stroke-width="2" fill="#fff" fill-opacity="0"/><use xlink:href="#v" transform="matrix(1,0,0,1,-122.59745280929874,3145.6519732101297) translate(59.16404499999999 16.522380000000002)"/><use xlink:href="#i" transform="matrix(1,0,0,1,-122.59745280929874,3145.6519732101297) translate(121.08530499999999 16.522380000000002)"/><path d="M159.9 3227.58a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v116a6 6 0 0 1-6 6h-116a6 6 0 0 1-6-6z" stroke="#512fc9" stroke-opacity=".2" stroke-width="2" fill="#fff" filter="url(#c)"/><path d="M159.9 3367.58a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v12a6 6 0 0 1-6 6h-116a6 6 0 0 1-6-6z" fill="none"/><g><use xlink:href="#w" transform="matrix(1,0,0,1,159.9051989397222,3361.578786016564) translate(15.253333333333345 18.879999999999995)"/><use xlink:href="#x" transform="matrix(1,0,0,1,159.9051989397222,3361.578786016564) translate(53.528888888888886 18.879999999999995)"/></g><path d="M243.7 3267.2h-39.6c-.84 0-1.4.56-1.4 1.4v5.66c0 .85.56 1.43 1.4 1.43h39.6c.85 0 1.4-.6 1.4-1.44v-5.66c0-.84-.55-1.4-1.4-1.4zm-8.47 5.66c-.85 0-1.45-.58-1.45-1.43 0-.84.6-1.4 1.45-1.4.84 0 1.4.56 1.4 1.4 0 .85-.56 1.43-1.4 1.43zm7.03 0h-2.8c-.84 0-1.44-.58-1.44-1.43 0-.84.6-1.4 1.45-1.4h2.8c.84 0 1.44.56 1.44 1.4 0 .85-.6 1.43-1.44 1.43zM243.7 3281.35h-39.6c-.84 0-1.4.55-1.4 1.4v5.66c0 .85.56 1.4 1.4 1.4h18.4V3295.76c-1.27.4-2.1 1.4-2.54 2.53h-11.62c-.84 0-1.4.58-1.4 1.43 0 .84.56 1.4 1.4 1.4h11.62c.55 1.68 2.12 2.82 3.94 2.82 1.83 0 3.4-1.14 3.95-2.83H239.47c.84 0 1.4-.55 1.4-1.4 0-.84-.56-1.43-1.4-1.43H227.85c-.43-1.26-1.4-2.14-2.55-2.54V3289.8h18.4c.85 0 1.4-.55 1.4-1.4v-5.65c0-.85-.55-1.4-1.4-1.4zm-33.9 5.63c-.86 0-1.46-.56-1.46-1.4 0-.85.6-1.4 1.45-1.4.83 0 1.38.55 1.38 1.4 0 .84-.55 1.4-1.4 1.4zm4.23 0c-.85 0-1.44-.56-1.44-1.4 0-.85.58-1.4 1.43-1.4.84 0 1.4.55 1.4 1.4 0 .84-.56 1.4-1.4 1.4zm4.24 0c-.85 0-1.45-.56-1.45-1.4 0-.85.6-1.4 1.45-1.4.84 0 1.4.55 1.4 1.4 0 .84-.56 1.4-1.4 1.4zm2.8-1.4c0-.85.6-1.4 1.44-1.4.85 0 1.4.55 1.4 1.4 0 .84-.55 1.4-1.4 1.4-.84 0-1.44-.56-1.44-1.4zm14.16 1.4c-.85 0-1.45-.56-1.45-1.4 0-.85.6-1.4 1.45-1.4.84 0 1.4.55 1.4 1.4 0 .84-.56 1.4-1.4 1.4zm7.03 0h-2.8c-.84 0-1.44-.56-1.44-1.4 0-.85.6-1.4 1.45-1.4h2.8c.84 0 1.44.55 1.44 1.4 0 .84-.6 1.4-1.44 1.4z" stroke="#000" stroke-opacity="0" stroke-width="4.69" fill="#00bfa5"/><defs><path fill="#512fc9" d="M398-581c6 222 109 364 330 364 220 0 331-140 331-363v-866h269v866c-5 286-141 466-350 552-142 59-358 59-500 0-210-86-349-266-349-552v-866h269v865" id="y"/><path fill="#512fc9" d="M519-204c146 0 246-70 241-211-6-175-195-185-333-232-183-63-339-153-333-400 5-199 120-319 272-380 126-51 311-44 437 5 72 27 133 64 184 112l-66 127c-15 40-64 51-105 25-64-41-136-87-246-85-132 3-224 54-224 182 0 167 202 176 334 227 173 67 333 144 333 381 0 227-120 364-289 433-138 56-353 39-478-16-80-35-154-80-210-138l78-129c23-34 74-43 115-13 73 54 157 112 290 112" id="z"/><path fill="#512fc9" d="M1058-1446v214H417v401h505v207H417v409h641V0H146v-1446h912" id="A"/><path fill="#512fc9" d="M1153-1030c0 232-137 352-319 413 34 19 63 47 88 83L1284 0h-242c-51 0-80-22-101-54L637-517c-24-34-42-48-98-48H424V0H155v-1446h441c324 4 557 105 557 416zm-263 20c0-163-114-229-294-228H424v480h168c180-3 298-77 298-252" id="B"/><g id="a"><use transform="matrix(0.00837,0,0,0.00837,0,0)" xlink:href="#y"/><use transform="matrix(0.00837,0,0,0.00837,12.186720000000001,0)" xlink:href="#z"/><use transform="matrix(0.00837,0,0,0.00837,21.167730000000002,0)" xlink:href="#A"/><use transform="matrix(0.00837,0,0,0.00837,30.751380000000008,0)" xlink:href="#B"/></g><path fill="#512fc9" d="M415-222h579V0H146v-1446h269v1224" id="C"/><path fill="#512fc9" d="M1417 0h-208c-47 1-77-28-90-61l-108-295H412L304-61c-11 30-46 61-89 61H6l568-1446h275zM481-546h461c-77-218-163-424-231-651-66 230-154 432-230 651" id="D"/><path fill="#512fc9" d="M1187-985c0 329-222 471-561 476H424V0H155v-1446h471c337 4 561 134 561 461zm-269 0c0-176-112-253-292-253H424v519h202c184-1 292-85 292-266" id="E"/><path fill="#512fc9" d="M1165-1446v221H730V0H461v-1225H24v-221h1141" id="F"/><path fill="#512fc9" d="M1480-1018c71 176 71 414 0 590-106 261-323 444-679 444S225-168 120-428c-71-176-71-414 0-590 106-261 324-444 681-444 355 0 573 184 679 444zM801-214c307 0 456-198 456-509s-149-510-456-510c-308 0-459 198-459 510s152 509 459 509" id="G"/><g id="b"><use transform="matrix(0.00837,0,0,0.00837,0,0)" xlink:href="#C"/><use transform="matrix(0.00837,0,0,0.00837,8.654580000000001,0)" xlink:href="#D"/><use transform="matrix(0.00837,0,0,0.00837,20.539980000000003,0)" xlink:href="#E"/><use transform="matrix(0.00837,0,0,0.00837,31.00248,0)" xlink:href="#F"/><use transform="matrix(0.00837,0,0,0.00837,40.30992,0)" xlink:href="#G"/><use transform="matrix(0.00837,0,0,0.00837,53.69355,0)" xlink:href="#E"/></g><filter id="c" filterUnits="objectBoundingBox" x="-.08" y="-.05" width="1.16" height="1.16"><feOffset result="offOut" in="SourceAlpha" dy="4"/><feGaussianBlur result="blurOut" in="offOut" stdDeviation="5"/><feColorMatrix result="colorOut" in="blurOut" values="0 0 0 0 0.03114186851211073 0 0 0 0 0.018069973087274125 0 0 0 0 0.07727797001153403 0 0 0 0.09803921568627451 0"/><feBlend in="SourceGraphic" in2="colorOut"/></filter><path fill="#697986" d="M398-581c6 222 109 364 330 364 220 0 331-140 331-363v-866h269v866c-5 286-141 466-350 552-142 59-358 59-500 0-210-86-349-266-349-552v-866h269v865" id="H"/><path fill="#697986" d="M519-204c146 0 246-70 241-211-6-175-195-185-333-232-183-63-339-153-333-400 5-199 120-319 272-380 126-51 311-44 437 5 72 27 133 64 184 112l-66 127c-15 40-64 51-105 25-64-41-136-87-246-85-132 3-224 54-224 182 0 167 202 176 334 227 173 67 333 144 333 381 0 227-120 364-289 433-138 56-353 39-478-16-80-35-154-80-210-138l78-129c23-34 74-43 115-13 73 54 157 112 290 112" id="I"/><path fill="#697986" d="M1058-1446v214H417v401h505v207H417v409h641V0H146v-1446h912" id="J"/><path fill="#697986" d="M1153-1030c0 232-137 352-319 413 34 19 63 47 88 83L1284 0h-242c-51 0-80-22-101-54L637-517c-24-34-42-48-98-48H424V0H155v-1446h441c324 4 557 105 557 416zm-263 20c0-163-114-229-294-228H424v480h168c180-3 298-77 298-252" id="K"/><g id="d"><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,0,0)" xlink:href="#H"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,12.942222222222217,0)" xlink:href="#I"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,22.47999999999999,0)" xlink:href="#J"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,32.65777777777777,0)" xlink:href="#K"/></g><path fill="#f50057" d="M572-1057c257 0 406 153 406 409V0c-68-4-160 9-208-12-30-14-45-72-60-107C623-47 539 18 382 16 189 13 70-77 70-270c0-183 145-251 311-298 78-21 176-33 295-36 8-132-26-216-144-216-125 0-159 78-268 78-94 0-104-95-146-151 112-100 257-164 454-164zM366-285c-2 73 41 96 114 96 97 0 140-35 196-89v-144c-104 4-184 15-248 46-39 19-61 43-62 91" id="L"/><path fill="#f50057" d="M666 16c-111 3-175-34-236-85v398H120v-1366h192c78-3 80 73 99 128 76-81 169-148 323-148 201 0 299 140 348 307 38 128 40 313-4 439-63 179-182 321-412 327zm124-543c0-153-21-288-164-293-99-3-151 43-196 98v440c40 45 88 70 162 70 160 0 198-144 198-315" id="M"/><path fill="#f50057" d="M440-1037V0H130v-1037h310zm-154-466c113 0 190 70 190 182 0 111-79 180-190 180-109 0-184-71-184-180 0-110 74-182 184-182" id="N"/><path fill="#f50057" d="M236 14C129 14 60-51 60-157c0-105 70-171 176-171 105 0 176 66 176 171 0 106-70 171-176 171" id="O"/><path fill="#f50057" d="M958-162C862-50 728 16 528 16 297 16 159-117 90-293c-49-124-51-307-4-437 70-194 223-323 484-323 177 0 287 60 380 153-36 45-67 98-109 136-73 33-113-34-174-50-21-5-46-11-77-11-169 4-215 131-220 304-6 205 103 354 302 295 57-17 74-74 140-74 25 0 42 10 56 27" id="P"/><path fill="#f50057" d="M366-1016c125-49 306-50 431 0 190 75 313 236 313 495 0 261-123 423-313 499-125 50-306 50-431 0C175-98 50-259 50-521c0-260 126-421 316-495zm4 497c0 183 45 305 212 305 163 0 208-124 208-305 0-182-44-304-208-304-167 0-212 121-212 304" id="Q"/><path fill="#f50057" d="M580-820c-67 0-112 34-150 70V0H120v-1037h192c68-3 78 56 93 108 65-66 139-123 267-124 134-1 209 79 249 178 61-110 169-178 333-178 248 0 368 145 368 394V0h-310v-659c0-107-46-161-138-161-89 1-146 65-146 161V0H718v-659c0-110-37-161-138-161" id="R"/><path fill="#f50057" d="M612-820c-81 1-134 39-182 81V0H120v-1037h192c70-3 79 59 94 112 74-70 159-128 302-128 236 0 352 157 352 394V0H750v-659c0-96-44-162-138-161" id="S"/><path fill="#f50057" d="M544 269c-20 41-37 60-98 60H214L414-91 0-1037h274c46-1 73 23 84 54 69 190 150 371 209 571 68-189 134-380 199-571 10-28 45-55 82-54h250" id="T"/><path fill="#f50057" d="M774-74c-71 55-172 90-290 90-196 0-304-108-304-303v-536c-70 1-146 12-146-61v-121l165-32 61-253c16-78 146-38 230-48v303h252v212H490v515c0 45 23 83 68 83 48 0 88-50 122 4" id="U"/><path fill="#f50057" d="M1024-162C926-48 781 16 578 16 325 16 169-111 94-299c-49-123-59-309-6-439 74-183 225-315 476-315 298 0 466 176 466 475 0 66-3 115-70 115H362c16 155 90 243 244 247 98 2 155-39 218-71 37-18 85-16 110 14zM752-643c-3-120-60-196-182-196-129 0-185 80-205 196h387" id="V"/><path fill="#f50057" d="M768-795c-14 65-88 29-146 29-81 0-145 43-192 130V0H120v-1037c73 2 156-8 222 4 64 11 52 105 69 166 65-96 144-190 283-190 47 0 85 11 114 34" id="W"/><path fill="#f50057" d="M440-1497V0H130v-1497h310" id="X"/><path fill="#f50057" d="M564-1101c10-146-196-154-298-95-28 16-47 35-82 35-29 0-49-13-64-37l-82-126c102-82 223-149 406-149 244 0 402 115 408 354 6 230-160 297-278 405-47 43-40 128-60 196H302c-4-86-47-189-3-262 72-120 253-139 265-321zM398 14c-107 0-176-65-176-171 0-105 70-171 176-171 105 0 176 66 176 171 0 106-70 171-176 171" id="Y"/><g id="e"><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,0,0)" xlink:href="#L"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,9.582222222222223,0)" xlink:href="#M"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,19.857777777777777,0)" xlink:href="#N"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,24.924444444444443,0)" xlink:href="#O"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,29.119999999999997,0)" xlink:href="#P"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,37.76,0)" xlink:href="#Q"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,48.07111111111111,0)" xlink:href="#R"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,63.37777777777777,0)" xlink:href="#M"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,73.65333333333334,0)" xlink:href="#L"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,83.23555555555558,0)" xlink:href="#S"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,93.19111111111113,0)" xlink:href="#T"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,101.7777777777778,0)" xlink:href="#O"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,105.97333333333337,0)" xlink:href="#N"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,111.04000000000002,0)" xlink:href="#S"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,121.35111111111114,0)" xlink:href="#U"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,128.46222222222224,0)" xlink:href="#V"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,138.13333333333335,0)" xlink:href="#W"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,145.4755555555556,0)" xlink:href="#S"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,155.7866666666667,0)" xlink:href="#L"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,165.36888888888888,0)" xlink:href="#X"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,170.43555555555557,0)" xlink:href="#Y"/></g><path fill="#697986" d="M4-1446h217c48-1 77 26 90 61 125 326 256 646 373 977 12 34 20 70 29 108 15-77 34-144 57-203l339-882c12-30 45-61 89-61h217L831 0H588" id="Z"/><path fill="#697986" d="M377-1009c4 38 6 82 6 121V0H146v-1446c71 6 174-24 211 20 269 320 519 661 779 990-5-42-7-87-7-131v-879h237V0c-64-4-144 10-192-10-14-6-28-19-41-36" id="aa"/><path fill="#697986" d="M991-153C899-47 760 15 568 15 237 15 63-197 63-535c0-237 116-392 287-467 61-27 129-40 206-40 287 0 444 174 444 465 0 54-3 95-57 95H309c4 226 158 349 385 292 52-13 93-39 132-62 32-19 73-16 93 9zM778-631c-4-143-73-234-217-234-154 0-226 95-247 234h464" id="ab"/><path fill="#697986" d="M738-75c-64 55-158 90-269 91-176 2-277-109-277-284v-573c-65-4-153 21-153-52v-98l165-27 52-280c10-66 115-35 183-42v323h270v176H439v556c-1 59 32 101 88 102 48 1 68-25 104-34 19 1 25 9 33 22" id="ac"/><g id="f"><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,0,0)" xlink:href="#Z"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,12.622222222222216,0)" xlink:href="#aa"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,26.06222222222221,0)" xlink:href="#ab"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,35.56444444444443,0)" xlink:href="#ac"/></g><path fill="#f50057" d="M252-224h280c2-282-4-570 3-848L370-935c-34 38-114 22-140-12l-98-130 454-381h256v1234h240V0H252v-224" id="ad"/><path fill="#f50057" d="M1079-1060c53 176 54 486 0 662-72 237-212 414-501 414-287 0-427-178-498-414-53-176-53-486 0-662 71-237 210-413 498-413s430 177 501 413zM659-254c162-89 162-477 122-722-22-135-65-248-203-248-137 0-179 115-200 248-38 243-40 632 120 722 52 29 109 29 161 0" id="ae"/><path fill="#f50057" d="M532-896c89-35 216-36 312-1 162 59 274 190 274 411 0 240-136 387-313 462-125 53-311 53-436 2C185-96 66-254 66-506c0-186 74-313 166-437l328-443c29-40 94-71 166-71h276c-157 187-313 374-470 561zm46 197c-139 0-214 93-214 235 0 148 69 235 218 235 140 0 226-93 226-234 0-150-82-236-230-236" id="af"/><path fill="#f50057" d="M1126-566c-12 87 37 230-60 231h-90V0H706v-335H120c-39 1-76-30-82-63L6-551l674-906h296v891h150zm-420 0c3-181-8-372 10-539L331-566h375" id="ag"/><path fill="#f50057" d="M86-1041c45-269 211-432 516-432 221 0 368 97 436 253 40 91 43 220 10 318-51 154-158 259-262 365L501-245c130-48 308-33 481-35 63-1 108 39 108 100V0H66c-2-94 2-169 54-222l420-423c101-110 202-200 212-395 7-138-99-209-232-170-58 17-99 60-118 117-22 66-66 96-152 81" id="ah"/><g id="g"><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,0,0)" xlink:href="#ad"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,10.311111111111112,0)" xlink:href="#ae"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,20.622222222222224,0)" xlink:href="#ae"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,30.933333333333337,0)" xlink:href="#O"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,35.128888888888895,0)" xlink:href="#af"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,45.440000000000005,0)" xlink:href="#ag"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,55.75111111111111,0)" xlink:href="#O"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,59.94666666666667,0)" xlink:href="#ae"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,70.25777777777779,0)" xlink:href="#O"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,74.45333333333335,0)" xlink:href="#ah"/></g><path fill="#512fc9" d="M449 0H179v-1446h270V0" id="ai"/><path fill="#512fc9" d="M4-1446h217c48-1 77 26 90 61 125 326 256 646 373 977 12 34 20 70 29 108 15-77 34-144 57-203l339-882c12-30 45-61 89-61h217L831 0H588" id="aj"/><g id="h"><use transform="matrix(0.00837,0,0,0.00837,0,0)" xlink:href="#E"/><use transform="matrix(0.00837,0,0,0.00837,10.4625,0)" xlink:href="#B"/><use transform="matrix(0.00837,0,0,0.00837,21.4272,0)" xlink:href="#ai"/><use transform="matrix(0.00837,0,0,0.00837,26.68356,0)" xlink:href="#aj"/><use transform="matrix(0.00837,0,0,0.00837,37.154430000000005,0)" xlink:href="#D"/><use transform="matrix(0.00837,0,0,0.00837,47.80944000000001,0)" xlink:href="#F"/><use transform="matrix(0.00837,0,0,0.00837,57.76974000000001,0)" xlink:href="#A"/></g><path fill="#512fc9" d="M377-1009c4 38 6 82 6 121V0H146v-1446c71 6 174-24 211 20 269 320 519 661 779 990-5-42-7-87-7-131v-879h237V0c-64-4-144 10-192-10-14-6-28-19-41-36" id="ak"/><path fill="#512fc9" d="M12-1446h226c47 0 80 25 90 61 87 312 181 618 262 935 6 25 10 51 15 79 10-53 22-104 38-149l284-865c11-30 46-61 89-61 78 0 148-4 169 61l282 865c15 43 27 90 38 142 9-49 18-98 30-142l246-865c9-33 45-61 89-61h211L1632 0h-243c-113-359-232-713-341-1076C938-712 818-360 704 0H461" id="al"/><path fill="#512fc9" d="M424-840c74 2 135-1 169-44l399-505c32-39 58-57 122-57h232L859-845c-28 33-52 59-89 78 50 19 80 49 111 90L1383 0h-238c-63 0-84-18-111-53L625-587c-28-35-53-49-116-49h-85V0H155v-1447h269v607" id="am"/><g id="i"><use transform="matrix(0.00837,0,0,0.00837,0,0)" xlink:href="#ak"/><use transform="matrix(0.00837,0,0,0.00837,12.65544,0)" xlink:href="#A"/><use transform="matrix(0.00837,0,0,0.00837,22.23909,0)" xlink:href="#F"/><use transform="matrix(0.00837,0,0,0.00837,32.19939,0)" xlink:href="#al"/><use transform="matrix(0.00837,0,0,0.00837,49.717800000000004,0)" xlink:href="#G"/><use transform="matrix(0.00837,0,0,0.00837,63.10143000000001,0)" xlink:href="#B"/><use transform="matrix(0.00837,0,0,0.00837,74.06613000000002,0)" xlink:href="#am"/></g><filter id="j" filterUnits="objectBoundingBox" x="-.13" y="-.07" width="1.25" height="1.25"><feOffset result="offOut" in="SourceAlpha" dy="4"/><feGaussianBlur result="blurOut" in="offOut" stdDeviation="5"/><feColorMatrix result="colorOut" in="blurOut" values="0 0 0 0 0 0 0 0 0 0.2996078431372549 0 0 0 0 0.25882352941176473 0 0 0 0.4 0"/><feBlend in="SourceGraphic" in2="colorOut"/></filter><path fill="#00bfa5" d="M1187-985c0 329-222 471-561 476H424V0H155v-1446h471c337 4 561 134 561 461zm-269 0c0-176-112-253-292-253H424v519h202c184-1 292-85 292-266" id="an"/><path fill="#00bfa5" d="M1153-1030c0 232-137 352-319 413 34 19 63 47 88 83L1284 0h-242c-51 0-80-22-101-54L637-517c-24-34-42-48-98-48H424V0H155v-1446h441c324 4 557 105 557 416zm-263 20c0-163-114-229-294-228H424v480h168c180-3 298-77 298-252" id="ao"/><path fill="#00bfa5" d="M1480-1018c71 176 71 414 0 590-106 261-323 444-679 444S225-168 120-428c-71-176-71-414 0-590 106-261 324-444 681-444 355 0 573 184 679 444zM801-214c307 0 456-198 456-509s-149-510-456-510c-308 0-459 198-459 510s152 509 459 509" id="ap"/><path fill="#00bfa5" d="M493-744L32-1446h268c38 0 48 9 63 32l329 531c7-19 15-35 25-51l301-475c15-25 34-37 57-37h258L867-755 1346 0h-269c-37 1-57-23-71-46L671-600c-5 15-12 29-19 42L331-46c-14 20-33 47-67 46H12" id="aq"/><path fill="#00bfa5" d="M789-562V0H520v-562L-7-1446h237c50 0 72 27 90 60 102 188 210 370 305 564 12 25 22 51 31 76 20-56 40-105 69-157l263-483c15-28 44-60 89-60h238" id="ar"/><g id="k"><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,0,0)" xlink:href="#an"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,11.111111111111107,0)" xlink:href="#ao"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,22.328888888888883,0)" xlink:href="#ap"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,36.27555555555554,0)" xlink:href="#aq"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,48.34666666666665,0)" xlink:href="#ar"/></g><path fill="#697986" d="M565-850c-86 0-140 48-186 99V0H132v-1026c80 9 198-29 214 45l16 76c67-72 141-136 276-137 139-1 214 86 253 192 57-117 162-192 328-192 240 0 354 147 354 389V0h-247v-653c1-123-52-197-169-197s-180 76-180 197V0H729v-653c0-127-46-197-164-197" id="as"/><path fill="#697986" d="M1165-1446v221H730V0H461v-1225H24v-221h1141" id="at"/><path fill="#697986" d="M415-222h579V0H146v-1446h269v1224" id="au"/><g id="l"><use transform="matrix(0.007777777777777774,0,0,0.007777777777777774,0,0)" xlink:href="#as"/><use transform="matrix(0.007777777777777774,0,0,0.007777777777777774,13.097777777777772,0)" xlink:href="#at"/><use transform="matrix(0.007777777777777774,0,0,0.007777777777777774,22.353333333333325,0)" xlink:href="#au"/><use transform="matrix(0.007777777777777774,0,0,0.007777777777777774,30.395555555555543,0)" xlink:href="#I"/></g><g id="m"><use transform="matrix(0.007777777777777774,0,0,0.007777777777777774,0,0)" xlink:href="#at"/><use transform="matrix(0.007777777777777774,0,0,0.007777777777777774,9.255555555555551,0)" xlink:href="#H"/><use transform="matrix(0.007777777777777774,0,0,0.007777777777777774,20.57999999999999,0)" xlink:href="#aa"/><use transform="matrix(0.007777777777777774,0,0,0.007777777777777774,32.33999999999999,0)" xlink:href="#aa"/><use transform="matrix(0.007777777777777774,0,0,0.007777777777777774,44.09999999999998,0)" xlink:href="#J"/><use transform="matrix(0.007777777777777774,0,0,0.007777777777777774,53.00555555555553,0)" xlink:href="#au"/></g><path fill="#00bfa5" d="M1165-1446v221H730V0H461v-1225H24v-221h1141" id="av"/><path fill="#00bfa5" d="M1284-209C1170-69 1008 19 759 16c-347-4-553-182-649-442-66-178-66-423 6-596 108-261 330-435 688-440 220-3 375 79 488 188l-90 125c-16 32-68 39-102 12-71-55-162-101-298-96-304 11-465 201-465 510 0 241 101 401 267 477 125 58 330 39 424-24 42-17 97-111 150-54" id="aw"/><g id="n"><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,0,0)" xlink:href="#av"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,9.884444444444444,0)" xlink:href="#aw"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,21.80444444444444,0)" xlink:href="#an"/></g><path fill="#f50057" d="M1377-1015c71 172 71 412 0 584C1271-174 1052 0 698 0H146v-1446h552c353 6 574 175 679 431zM698-214c307-9 457-198 457-509s-150-500-457-509H417v1018h281" id="ax"/><path fill="#f50057" d="M377-1009c4 38 6 82 6 121V0H146v-1446c71 6 174-24 211 20 269 320 519 661 779 990-5-42-7-87-7-131v-879h237V0c-64-4-144 10-192-10-14-6-28-19-41-36" id="ay"/><path fill="#f50057" d="M519-204c146 0 246-70 241-211-6-175-195-185-333-232-183-63-339-153-333-400 5-199 120-319 272-380 126-51 311-44 437 5 72 27 133 64 184 112l-66 127c-15 40-64 51-105 25-64-41-136-87-246-85-132 3-224 54-224 182 0 167 202 176 334 227 173 67 333 144 333 381 0 227-120 364-289 433-138 56-353 39-478-16-80-35-154-80-210-138l78-129c23-34 74-43 115-13 73 54 157 112 290 112" id="az"/><g id="o"><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,0,0)" xlink:href="#ax"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,13.28888888888889,0)" xlink:href="#ay"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,26.72888888888889,0)" xlink:href="#az"/></g><path fill="#00bfa5" d="M252-224h280c2-282-4-570 3-848L370-935c-34 38-114 22-140-12l-98-130 454-381h256v1234h240V0H252v-224" id="aA"/><path fill="#00bfa5" d="M1079-1060c53 176 54 486 0 662-72 237-212 414-501 414-287 0-427-178-498-414-53-176-53-486 0-662 71-237 210-413 498-413s430 177 501 413zM659-254c162-89 162-477 122-722-22-135-65-248-203-248-137 0-179 115-200 248-38 243-40 632 120 722 52 29 109 29 161 0" id="aB"/><path fill="#00bfa5" d="M236 14C129 14 60-51 60-157c0-105 70-171 176-171 105 0 176 66 176 171 0 106-70 171-176 171" id="aC"/><path fill="#00bfa5" d="M532-896c89-35 216-36 312-1 162 59 274 190 274 411 0 240-136 387-313 462-125 53-311 53-436 2C185-96 66-254 66-506c0-186 74-313 166-437l328-443c29-40 94-71 166-71h276c-157 187-313 374-470 561zm46 197c-139 0-214 93-214 235 0 148 69 235 218 235 140 0 226-93 226-234 0-150-82-236-230-236" id="aD"/><path fill="#00bfa5" d="M1126-566c-12 87 37 230-60 231h-90V0H706v-335H120c-39 1-76-30-82-63L6-551l674-906h296v891h150zm-420 0c3-181-8-372 10-539L331-566h375" id="aE"/><path fill="#00bfa5" d="M86-1041c45-269 211-432 516-432 221 0 368 97 436 253 40 91 43 220 10 318-51 154-158 259-262 365L501-245c130-48 308-33 481-35 63-1 108 39 108 100V0H66c-2-94 2-169 54-222l420-423c101-110 202-200 212-395 7-138-99-209-232-170-58 17-99 60-118 117-22 66-66 96-152 81" id="aF"/><g id="p"><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,0,0)" xlink:href="#aA"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,10.311111111111112,0)" xlink:href="#aB"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,20.622222222222224,0)" xlink:href="#aB"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,30.933333333333337,0)" xlink:href="#aC"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,35.128888888888895,0)" xlink:href="#aD"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,45.440000000000005,0)" xlink:href="#aE"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,55.75111111111111,0)" xlink:href="#aC"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,59.94666666666667,0)" xlink:href="#aB"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,70.25777777777779,0)" xlink:href="#aC"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,74.45333333333335,0)" xlink:href="#aF"/></g><path fill="#697986" d="M556-1045c246 0 380 151 380 397V0c-79-6-181 23-196-53l-22-73C630-49 541 18 379 16 194 13 81-77 81-262c0-184 152-247 321-292 78-21 176-31 293-34 10-155-29-262-170-262-104 0-161 40-224 77-47 28-107 5-127-31l-45-79c118-108 260-162 427-162zM317-275c-3 86 56 121 139 121 117 0 179-51 239-111v-173c-122 6-219 17-297 53-49 22-79 51-81 110" id="aG"/><path fill="#697986" d="M635 15C514 15 442-25 379-85v420H132v-1361c64 5 145-11 192 11 33 24 28 86 42 129 78-86 174-159 331-159 277 0 379 232 379 524 0 241-96 412-258 495-54 27-116 41-183 41zm186-536c0-181-37-329-209-329-117 0-175 55-233 124v460c48 60 104 93 198 93 188 0 244-152 244-348" id="aH"/><path fill="#697986" d="M395-1026V0H148v-1026h247zm-123-457c96 0 160 62 160 158 0 94-65 155-160 155-93 0-156-62-156-155 0-95 61-158 156-158" id="aI"/><path fill="#697986" d="M225 14C133 14 73-43 73-136c0-92 60-151 152-151 91 0 151 60 151 151 0 92-59 150-151 150" id="aJ"/><path fill="#697986" d="M928-153C839-49 712 15 524 15c-227 0-358-131-424-305-47-123-49-306-4-434 67-190 213-318 465-318 165 0 270 58 357 143-29 37-52 81-86 112-71 26-104-41-170-55-24-5-52-12-86-12-192 5-260 143-260 339 0 194 67 336 254 342 98 3 148-38 200-79 26-20 67-17 87 9" id="aK"/><path fill="#697986" d="M361-1005c121-49 297-49 417 0 184 74 298 236 298 490 0 330-178 530-506 530C241 15 61-185 61-515c0-254 115-416 300-490zm-45 492c0 201 65 338 254 338 188 0 251-137 251-338s-63-340-251-340c-189 0-254 139-254 340" id="aL"/><path fill="#697986" d="M605-850c-102 1-168 52-226 108V0H132v-1026c80 9 198-29 214 45l17 81c77-76 165-142 317-142 235 0 346 154 346 389V0H779v-653c0-121-55-198-174-197" id="aM"/><path fill="#697986" d="M496 282c-21 85-170 43-266 53L422-76 7-1026h216c39-1 60 21 70 46 80 195 164 386 238 586 7 18 10 37 14 56 74-221 164-427 244-642 9-24 36-46 68-46h198" id="aN"/><path fill="#697986" d="M604-806c-122 5-180 74-225 167V0H132v-1026c83 11 206-35 218 62l15 124c63-106 147-205 295-205 51 0 93 12 126 35l-32 185c-4 23-15 33-40 33-33 0-65-16-110-14" id="aO"/><path fill="#697986" d="M395-1486V0H148v-1486h247" id="aP"/><g id="q"><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,0,0)" xlink:href="#aG"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,9.306666666666663,0)" xlink:href="#aH"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,19.359999999999992,0)" xlink:href="#aI"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,24.17777777777777,0)" xlink:href="#aJ"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,28.17777777777777,0)" xlink:href="#aK"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,36.65777777777777,0)" xlink:href="#aL"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,46.76444444444443,0)" xlink:href="#as"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,61.733333333333306,0)" xlink:href="#aH"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,71.78666666666665,0)" xlink:href="#aG"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,81.0933333333333,0)" xlink:href="#aM"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,90.87999999999997,0)" xlink:href="#aN"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,99.15555555555552,0)" xlink:href="#aJ"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,103.15555555555551,0)" xlink:href="#aI"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,107.97333333333329,0)" xlink:href="#aM"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,118.07999999999996,0)" xlink:href="#ac"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,124.95999999999995,0)" xlink:href="#ab"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,134.46222222222218,0)" xlink:href="#aO"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,141.7244444444444,0)" xlink:href="#aM"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,151.83111111111106,0)" xlink:href="#aG"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,161.13777777777773,0)" xlink:href="#aP"/></g><path fill="#697986" d="M1377-1015c71 172 71 412 0 584C1271-174 1052 0 698 0H146v-1446h552c353 6 574 175 679 431zM698-214c307-9 457-198 457-509s-150-500-457-509H417v1018h281" id="aQ"/><g id="r"><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,0,0)" xlink:href="#aQ"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,13.288888888888884,0)" xlink:href="#aa"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,26.72888888888888,0)" xlink:href="#I"/></g><g id="s"><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,0,0)" xlink:href="#I"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,9.537777777777775,0)" xlink:href="#J"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,19.715555555555547,0)" xlink:href="#K"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,31.359999999999985,0)" xlink:href="#Z"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,43.982222222222205,0)" xlink:href="#J"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,54.159999999999975,0)" xlink:href="#K"/></g><g id="t"><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,0,0)" xlink:href="#ad"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,10.311111111111112,0)" xlink:href="#ae"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,20.622222222222224,0)" xlink:href="#O"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,24.817777777777778,0)" xlink:href="#ae"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,35.12888888888889,0)" xlink:href="#O"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,39.324444444444445,0)" xlink:href="#ad"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,49.635555555555555,0)" xlink:href="#O"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,53.83111111111111,0)" xlink:href="#ad"/></g><g id="u"><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,0,0)" xlink:href="#aA"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,10.311111111111112,0)" xlink:href="#aB"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,20.622222222222224,0)" xlink:href="#aC"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,24.817777777777778,0)" xlink:href="#aB"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,35.12888888888889,0)" xlink:href="#aC"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,39.324444444444445,0)" xlink:href="#aA"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,49.635555555555555,0)" xlink:href="#aC"/><use transform="matrix(0.008888888888888889,0,0,0.008888888888888889,53.83111111111111,0)" xlink:href="#aA"/></g><path fill="#512fc9" d="M1177-1061c0 181-116 262-257 314 199 45 298 152 298 322C1218-130 997 0 692 0H146v-1446h499c307 3 532 89 532 385zM952-431c0-152-108-202-265-203H415v424h273c163-1 264-65 264-221zm-43-598c0-163-94-209-264-209H415v418h215c168-1 279-50 279-209" id="aR"/><path fill="#512fc9" d="M1284-209C1170-69 1008 19 759 16c-347-4-553-182-649-442-66-178-66-423 6-596 108-261 330-435 688-440 220-3 375 79 488 188l-90 125c-16 32-68 39-102 12-71-55-162-101-298-96-304 11-465 201-465 510 0 241 101 401 267 477 125 58 330 39 424-24 42-17 97-111 150-54" id="aS"/><g id="v"><use transform="matrix(0.00837,0,0,0.00837,0,0)" xlink:href="#E"/><use transform="matrix(0.00837,0,0,0.00837,10.4625,0)" xlink:href="#y"/><use transform="matrix(0.00837,0,0,0.00837,22.64922,0)" xlink:href="#aR"/><use transform="matrix(0.00837,0,0,0.00837,33.55533,0)" xlink:href="#C"/><use transform="matrix(0.00837,0,0,0.00837,42.20991,0)" xlink:href="#ai"/><use transform="matrix(0.00837,0,0,0.00837,47.46627,0)" xlink:href="#aS"/></g><path fill="#697986" d="M1417 0h-208c-47 1-77-28-90-61l-108-295H412L304-61c-11 30-46 61-89 61H6l568-1446h275zM481-546h461c-77-218-163-424-231-651-66 230-154 432-230 651" id="aT"/><path fill="#697986" d="M1187-985c0 329-222 471-561 476H424V0H155v-1446h471c337 4 561 134 561 461zm-269 0c0-176-112-253-292-253H424v519h202c184-1 292-85 292-266" id="aU"/><g id="w"><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,0,0)" xlink:href="#aT"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,12.622222222222216,0)" xlink:href="#aU"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,23.733333333333324,0)" xlink:href="#aU"/></g><path fill="#697986" d="M1341-140C1204-38 1028 20 789 16c-350-5-566-186-673-442-73-175-71-420-1-596 107-266 333-435 699-440 235-2 404 78 526 189l-78 122c-45 78-131 10-176-17-110-67-334-90-474-29-171 74-275 233-275 474 0 251 105 414 283 489 144 62 360 37 477-26v-263H916c-88 2-46-125-56-202h481v585" id="aV"/><g id="x"><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,0,0)" xlink:href="#aT"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,12.168888888888883,0)" xlink:href="#aV"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,25.02222222222221,0)" xlink:href="#J"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,35.19999999999999,0)" xlink:href="#aa"/><use transform="matrix(0.008888888888888885,0,0,0.008888888888888885,48.639999999999986,0)" xlink:href="#at"/></g></defs></g></svg>
\ No newline at end of file
+<svg height="468.01" width="1481.01" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><defs><filter id="a" height="1.16" width="1.16" x="-.08" y="-.05"><feOffset dy="4" in="SourceAlpha" result="offOut"/><feGaussianBlur in="offOut" result="blurOut" stdDeviation="5"/><feColorMatrix in="blurOut" result="colorOut" values="0 0 0 0 0.03114186851211073 0 0 0 0 0.018069973087274125 0 0 0 0 0.07727797001153403 0 0 0 0.09803921568627451 0"/><feBlend in="SourceGraphic" in2="colorOut"/></filter><path id="b" d="m1165-1446v221h-435v1225h-269v-1225h-437v-221z" fill="#697986"/><path id="c" d="m1284-209c-114 140-276 228-525 225-347-4-553-182-649-442-66-178-66-423 6-596 108-261 330-435 688-440 220-3 375 79 488 188l-90 125c-16 32-68 39-102 12-71-55-162-101-298-96-304 11-465 201-465 510 0 241 101 401 267 477 125 58 330 39 424-24 42-17 97-111 150-54" fill="#697986"/><path id="d" d="m1187-985c0 329-222 471-561 476h-202v509h-269v-1446h471c337 4 561 134 561 461zm-269 0c0-176-112-253-292-253h-202v519h202c184-1 292-85 292-266" fill="#697986"/><path id="e" d="m415-222h579v222h-848v-1446h269z" fill="#697986"/><path id="f" d="m1058-1446v214h-641v401h505v207h-505v409h641v215h-912v-1446z" fill="#697986"/><path id="g" d="m377-1009c4 38 6 82 6 121v888h-237v-1446c71 6 174-24 211 20 269 320 519 661 779 990-5-42-7-87-7-131v-879h237v1446c-64-4-144 10-192-10-14-6-28-19-41-36" fill="#697986"/><g id="h"><use transform="scale(.00888889)" xlink:href="#c"/><use transform="matrix(.00888889 0 0 .00888889 11.92 0)" xlink:href="#e"/><path d="m449 0h-270v-1446h270z" fill="#697986" transform="matrix(.00888889 0 0 .00888889 21.111111 0)"/><use transform="matrix(.00888889 0 0 .00888889 26.693333 0)" xlink:href="#f"/><use transform="matrix(.00888889 0 0 .00888889 36.871111 0)" xlink:href="#g"/><use transform="matrix(.00888889 0 0 .00888889 50.311111 0)" xlink:href="#b"/></g><path id="i" d="m572-1057c257 0 406 153 406 409v648c-68-4-160 9-208-12-30-14-45-72-60-107-87 72-171 137-328 135-193-3-312-93-312-286 0-183 145-251 311-298 78-21 176-33 295-36 8-132-26-216-144-216-125 0-159 78-268 78-94 0-104-95-146-151 112-100 257-164 454-164zm-206 772c-2 73 41 96 114 96 97 0 140-35 196-89v-144c-104 4-184 15-248 46-39 19-61 43-62 91" fill="#f50057"/><path id="j" d="m666 16c-111 3-175-34-236-85v398h-310v-1366h192c78-3 80 73 99 128 76-81 169-148 323-148 201 0 299 140 348 307 38 128 40 313-4 439-63 179-182 321-412 327zm124-543c0-153-21-288-164-293-99-3-151 43-196 98v440c40 45 88 70 162 70 160 0 198-144 198-315" fill="#f50057"/><path id="k" d="m440-1037v1037h-310v-1037zm-154-466c113 0 190 70 190 182 0 111-79 180-190 180-109 0-184-71-184-180 0-110 74-182 184-182" fill="#f50057"/><path id="l" d="m236 14c-107 0-176-65-176-171 0-105 70-171 176-171 105 0 176 66 176 171 0 106-70 171-176 171" fill="#f50057"/><path id="m" d="m958-162c-96 112-230 178-430 178-231 0-369-133-438-309-49-124-51-307-4-437 70-194 223-323 484-323 177 0 287 60 380 153-36 45-67 98-109 136-73 33-113-34-174-50-21-5-46-11-77-11-169 4-215 131-220 304-6 205 103 354 302 295 57-17 74-74 140-74 25 0 42 10 56 27" fill="#f50057"/><path id="n" d="m366-1016c125-49 306-50 431 0 190 75 313 236 313 495 0 261-123 423-313 499-125 50-306 50-431 0-191-76-316-237-316-499 0-260 126-421 316-495zm4 497c0 183 45 305 212 305 163 0 208-124 208-305 0-182-44-304-208-304-167 0-212 121-212 304" fill="#f50057"/><path id="o" d="m580-820c-67 0-112 34-150 70v750h-310v-1037h192c68-3 78 56 93 108 65-66 139-123 267-124 134-1 209 79 249 178 61-110 169-178 333-178 248 0 368 145 368 394v659h-310v-659c0-107-46-161-138-161-89 1-146 65-146 161v659h-310v-659c0-110-37-161-138-161" fill="#f50057"/><path id="p" d="m612-820c-81 1-134 39-182 81v739h-310v-1037h192c70-3 79 59 94 112 74-70 159-128 302-128 236 0 352 157 352 394v659h-310v-659c0-96-44-162-138-161" fill="#f50057"/><path id="q" d="m544 269c-20 41-37 60-98 60h-232l200-420-414-946h274c46-1 73 23 84 54 69 190 150 371 209 571 68-189 134-380 199-571 10-28 45-55 82-54h250" fill="#f50057"/><path id="r" d="m774-74c-71 55-172 90-290 90-196 0-304-108-304-303v-536c-70 1-146 12-146-61v-121l165-32 61-253c16-78 146-38 230-48v303h252v212h-252v515c0 45 23 83 68 83 48 0 88-50 122 4" fill="#f50057"/><path id="s" d="m1024-162c-98 114-243 178-446 178-253 0-409-127-484-315-49-123-59-309-6-439 74-183 225-315 476-315 298 0 466 176 466 475 0 66-3 115-70 115h-598c16 155 90 243 244 247 98 2 155-39 218-71 37-18 85-16 110 14zm-272-481c-3-120-60-196-182-196-129 0-185 80-205 196z" fill="#f50057"/><path id="t" d="m768-795c-14 65-88 29-146 29-81 0-145 43-192 130v636h-310v-1037c73 2 156-8 222 4 64 11 52 105 69 166 65-96 144-190 283-190 47 0 85 11 114 34" fill="#f50057"/><path id="u" d="m440-1497v1497h-310v-1497z" fill="#f50057"/><path id="v" d="m564-1101c10-146-196-154-298-95-28 16-47 35-82 35-29 0-49-13-64-37l-82-126c102-82 223-149 406-149 244 0 402 115 408 354 6 230-160 297-278 405-47 43-40 128-60 196h-212c-4-86-47-189-3-262 72-120 253-139 265-321zm-166 1115c-107 0-176-65-176-171 0-105 70-171 176-171 105 0 176 66 176 171 0 106-70 171-176 171" fill="#f50057"/><path id="w" d="m252-224h280c2-282-4-570 3-848l-165 137c-34 38-114 22-140-12l-98-130 454-381h256v1234h240v224h-830z" fill="#f50057"/><path id="x" d="m1079-1060c53 176 54 486 0 662-72 237-212 414-501 414-287 0-427-178-498-414-53-176-53-486 0-662 71-237 210-413 498-413s430 177 501 413zm-420 806c162-89 162-477 122-722-22-135-65-248-203-248-137 0-179 115-200 248-38 243-40 632 120 722 52 29 109 29 161 0" fill="#f50057"/><path id="y" d="m532-896c89-35 216-36 312-1 162 59 274 190 274 411 0 240-136 387-313 462-125 53-311 53-436 2-184-74-303-232-303-484 0-186 74-313 166-437l328-443c29-40 94-71 166-71h276c-157 187-313 374-470 561zm46 197c-139 0-214 93-214 235 0 148 69 235 218 235 140 0 226-93 226-234 0-150-82-236-230-236" fill="#f50057"/><path id="z" d="m1126-566c-12 87 37 230-60 231h-90v335h-270v-335h-586c-39 1-76-30-82-63l-32-153 674-906h296v891zm-420 0c3-181-8-372 10-539l-385 539z" fill="#f50057"/><filter id="A" height="1.25" width="1.25" x="-.13" y="-.07"><feOffset dy="4" in="SourceAlpha" result="offOut"/><feGaussianBlur in="offOut" result="blurOut" stdDeviation="5"/><feColorMatrix in="blurOut" result="colorOut" values="0 0 0 0 0 0 0 0 0 0.2996078431372549 0 0 0 0 0.25882352941176473 0 0 0 0.4 0"/><feBlend in="SourceGraphic" in2="colorOut"/></filter><path id="B" d="m1187-985c0 329-222 471-561 476h-202v509h-269v-1446h471c337 4 561 134 561 461zm-269 0c0-176-112-253-292-253h-202v519h202c184-1 292-85 292-266" fill="#00bfa5"/><path id="C" d="m1153-1030c0 232-137 352-319 413 34 19 63 47 88 83l362 534h-242c-51 0-80-22-101-54l-304-463c-24-34-42-48-98-48h-115v565h-269v-1446h441c324 4 557 105 557 416zm-263 20c0-163-114-229-294-228h-172v480h168c180-3 298-77 298-252" fill="#00bfa5"/><path id="D" d="m1480-1018c71 176 71 414 0 590-106 261-323 444-679 444s-576-184-681-444c-71-176-71-414 0-590 106-261 324-444 681-444 355 0 573 184 679 444zm-679 804c307 0 456-198 456-509s-149-510-456-510c-308 0-459 198-459 510s152 509 459 509" fill="#00bfa5"/><path id="E" d="m493-744-461-702h268c38 0 48 9 63 32l329 531c7-19 15-35 25-51l301-475c15-25 34-37 57-37h258l-466 691 479 755h-269c-37 1-57-23-71-46l-335-554c-5 15-12 29-19 42l-321 512c-14 20-33 47-67 46h-252" fill="#00bfa5"/><path id="F" d="m789-562v562h-269v-562l-527-884h237c50 0 72 27 90 60 102 188 210 370 305 564 12 25 22 51 31 76 20-56 40-105 69-157l263-483c15-28 44-60 89-60h238" fill="#00bfa5"/><path id="G" d="m565-850c-86 0-140 48-186 99v751h-247v-1026c80 9 198-29 214 45l16 76c67-72 141-136 276-137 139-1 214 86 253 192 57-117 162-192 328-192 240 0 354 147 354 389v653h-247v-653c1-123-52-197-169-197s-180 76-180 197v653h-248v-653c0-127-46-197-164-197" fill="#697986"/><path id="H" d="m519-204c146 0 246-70 241-211-6-175-195-185-333-232-183-63-339-153-333-400 5-199 120-319 272-380 126-51 311-44 437 5 72 27 133 64 184 112l-66 127c-15 40-64 51-105 25-64-41-136-87-246-85-132 3-224 54-224 182 0 167 202 176 334 227 173 67 333 144 333 381 0 227-120 364-289 433-138 56-353 39-478-16-80-35-154-80-210-138l78-129c23-34 74-43 115-13 73 54 157 112 290 112" fill="#697986"/><path id="I" d="m398-581c6 222 109 364 330 364 220 0 331-140 331-363v-866h269v866c-5 286-141 466-350 552-142 59-358 59-500 0-210-86-349-266-349-552v-866h269z" fill="#697986"/><path id="J" d="m252-224h280c2-282-4-570 3-848l-165 137c-34 38-114 22-140-12l-98-130 454-381h256v1234h240v224h-830z" fill="#00bfa5"/><path id="K" d="m1079-1060c53 176 54 486 0 662-72 237-212 414-501 414-287 0-427-178-498-414-53-176-53-486 0-662 71-237 210-413 498-413s430 177 501 413zm-420 806c162-89 162-477 122-722-22-135-65-248-203-248-137 0-179 115-200 248-38 243-40 632 120 722 52 29 109 29 161 0" fill="#00bfa5"/><path id="L" d="m236 14c-107 0-176-65-176-171 0-105 70-171 176-171 105 0 176 66 176 171 0 106-70 171-176 171" fill="#00bfa5"/><path id="M" d="m556-1045c246 0 380 151 380 397v648c-79-6-181 23-196-53l-22-73c-88 77-177 144-339 142-185-3-298-93-298-278 0-184 152-247 321-292 78-21 176-31 293-34 10-155-29-262-170-262-104 0-161 40-224 77-47 28-107 5-127-31l-45-79c118-108 260-162 427-162zm-239 770c-3 86 56 121 139 121 117 0 179-51 239-111v-173c-122 6-219 17-297 53-49 22-79 51-81 110" fill="#697986"/><path id="N" d="m635 15c-121 0-193-40-256-100v420h-247v-1361c64 5 145-11 192 11 33 24 28 86 42 129 78-86 174-159 331-159 277 0 379 232 379 524 0 241-96 412-258 495-54 27-116 41-183 41zm186-536c0-181-37-329-209-329-117 0-175 55-233 124v460c48 60 104 93 198 93 188 0 244-152 244-348" fill="#697986"/><path id="O" d="m395-1026v1026h-247v-1026zm-123-457c96 0 160 62 160 158 0 94-65 155-160 155-93 0-156-62-156-155 0-95 61-158 156-158" fill="#697986"/><path id="P" d="m225 14c-92 0-152-57-152-150 0-92 60-151 152-151 91 0 151 60 151 151 0 92-59 150-151 150" fill="#697986"/><path id="Q" d="m605-850c-102 1-168 52-226 108v742h-247v-1026c80 9 198-29 214 45l17 81c77-76 165-142 317-142 235 0 346 154 346 389v653h-247v-653c0-121-55-198-174-197" fill="#697986"/><path id="R" d="m1377-1015c71 172 71 412 0 584-106 257-325 431-679 431h-552v-1446h552c353 6 574 175 679 431zm-679 801c307-9 457-198 457-509s-150-500-457-509h-281v1018z" fill="#697986"/><path id="S" d="m1153-1030c0 232-137 352-319 413 34 19 63 47 88 83l362 534h-242c-51 0-80-22-101-54l-304-463c-24-34-42-48-98-48h-115v565h-269v-1446h441c324 4 557 105 557 416zm-263 20c0-163-114-229-294-228h-172v480h168c180-3 298-77 298-252" fill="#697986"/><path id="T" d="m1187-985c0 329-222 471-561 476h-202v509h-269v-1446h471c337 4 561 134 561 461zm-269 0c0-176-112-253-292-253h-202v519h202c184-1 292-85 292-266" fill="#512fc9"/><path id="U" d="m398-581c6 222 109 364 330 364 220 0 331-140 331-363v-866h269v866c-5 286-141 466-350 552-142 59-358 59-500 0-210-86-349-266-349-552v-866h269z" fill="#512fc9"/><path id="V" d="m415-222h579v222h-848v-1446h269z" fill="#512fc9"/><path id="W" d="m449 0h-270v-1446h270z" fill="#512fc9"/><path id="X" d="m377-1009c4 38 6 82 6 121v888h-237v-1446c71 6 174-24 211 20 269 320 519 661 779 990-5-42-7-87-7-131v-879h237v1446c-64-4-144 10-192-10-14-6-28-19-41-36" fill="#512fc9"/><path id="Y" d="m1058-1446v214h-641v401h505v207h-505v409h641v215h-912v-1446z" fill="#512fc9"/><path id="Z" d="m1165-1446v221h-435v1225h-269v-1225h-437v-221z" fill="#512fc9"/><path id="aa" d="m12-1446h226c47 0 80 25 90 61 87 312 181 618 262 935 6 25 10 51 15 79 10-53 22-104 38-149l284-865c11-30 46-61 89-61 78 0 148-4 169 61l282 865c15 43 27 90 38 142 9-49 18-98 30-142l246-865c9-33 45-61 89-61h211l-449 1446h-243c-113-359-232-713-341-1076-110 364-230 716-344 1076h-243" fill="#512fc9"/><path id="ab" d="m1480-1018c71 176 71 414 0 590-106 261-323 444-679 444s-576-184-681-444c-71-176-71-414 0-590 106-261 324-444 681-444 355 0 573 184 679 444zm-679 804c307 0 456-198 456-509s-149-510-456-510c-308 0-459 198-459 510s152 509 459 509" fill="#512fc9"/><path id="ac" d="m1153-1030c0 232-137 352-319 413 34 19 63 47 88 83l362 534h-242c-51 0-80-22-101-54l-304-463c-24-34-42-48-98-48h-115v565h-269v-1446h441c324 4 557 105 557 416zm-263 20c0-163-114-229-294-228h-172v480h168c180-3 298-77 298-252" fill="#512fc9"/><path id="ad" d="m424-840c74 2 135-1 169-44l399-505c32-39 58-57 122-57h232l-487 601c-28 33-52 59-89 78 50 19 80 49 111 90l502 677h-238c-63 0-84-18-111-53l-409-534c-28-35-53-49-116-49h-85v636h-269v-1447h269z" fill="#512fc9"/><path id="ae" d="m1417 0h-208c-47 1-77-28-90-61l-108-295h-599l-108 295c-11 30-46 61-89 61h-209l568-1446h275zm-936-546h461c-77-218-163-424-231-651-66 230-154 432-230 651" fill="#697986"/><g id="af"><use transform="scale(.00888889)" xlink:href="#H"/><use transform="matrix(.00888889 0 0 .00888889 9.537778 0)" xlink:href="#H"/><path d="m1366 0h-271v-632h-678v632h-271v-1446h271v622h678v-622h271z" fill="#697986" transform="matrix(.00888889 0 0 .00888889 19.075556 0)"/></g><path id="ag" d="m519-204c146 0 246-70 241-211-6-175-195-185-333-232-183-63-339-153-333-400 5-199 120-319 272-380 126-51 311-44 437 5 72 27 133 64 184 112l-66 127c-15 40-64 51-105 25-64-41-136-87-246-85-132 3-224 54-224 182 0 167 202 176 334 227 173 67 333 144 333 381 0 227-120 364-289 433-138 56-353 39-478-16-80-35-154-80-210-138l78-129c23-34 74-43 115-13 73 54 157 112 290 112" fill="#fc9432"/><path id="ah" d="m395-1486v1486h-247v-1486z" fill="#fc9432"/><path id="ai" d="m519-204c146 0 246-70 241-211-6-175-195-185-333-232-183-63-339-153-333-400 5-199 120-319 272-380 126-51 311-44 437 5 72 27 133 64 184 112l-66 127c-15 40-64 51-105 25-64-41-136-87-246-85-132 3-224 54-224 182 0 167 202 176 334 227 173 67 333 144 333 381 0 227-120 364-289 433-138 56-353 39-478-16-80-35-154-80-210-138l78-129c23-34 74-43 115-13 73 54 157 112 290 112" fill="#1071e5"/><path id="aj" d="m395-1026v1026h-247v-1026zm-123-457c96 0 160 62 160 158 0 94-65 155-160 155-93 0-156-62-156-155 0-95 61-158 156-158" fill="#1071e5"/><path id="ak" d="m738-75c-64 55-158 90-269 91-176 2-277-109-277-284v-573c-65-4-153 21-153-52v-98l165-27 52-280c10-66 115-35 183-42v323h270v176h-270v556c-1 59 32 101 88 102 48 1 68-25 104-34 19 1 25 9 33 22" fill="#1071e5"/><path id="al" d="m991-153c-92 106-231 168-423 168-331 0-505-212-505-550 0-237 116-392 287-467 61-27 129-40 206-40 287 0 444 174 444 465 0 54-3 95-57 95h-634c4 226 158 349 385 292 52-13 93-39 132-62 32-19 73-16 93 9zm-213-478c-4-143-73-234-217-234-154 0-226 95-247 234z" fill="#1071e5"/><path id="am" d="m604-806c-122 5-180 74-225 167v639h-247v-1026c83 11 206-35 218 62l15 124c63-106 147-205 295-205 51 0 93 12 126 35l-32 185c-4 23-15 33-40 33-33 0-65-16-110-14" fill="#1071e5"/><path id="an" d="m928-153c-89 104-216 168-404 168-227 0-358-131-424-305-47-123-49-306-4-434 67-190 213-318 465-318 165 0 270 58 357 143-29 37-52 81-86 112-71 26-104-41-170-55-24-5-52-12-86-12-192 5-260 143-260 339 0 194 67 336 254 342 98 3 148-38 200-79 26-20 67-17 87 9" fill="#1071e5"/><path id="ao" d="m56-725c5-259 241-361 518-318 104 16 188 63 250 124l-70 109c-15 22-27 35-60 35-81 0-126-60-222-60-69 0-122 24-122 85 0 75 88 87 152 109 156 54 328 97 328 304 0 247-181 353-436 353-158 0-284-54-372-128 35-48 58-109 103-146 116-42 152 74 285 65 73-5 130-23 130-90 0-78-87-92-154-113-167-53-334-109-330-329" fill="#f50057"/><path id="ap" d="m1079-1060c53 176 54 486 0 662-72 237-212 414-501 414-287 0-427-178-498-414-53-176-53-486 0-662 71-237 210-413 498-413s430 177 501 413zm-420 806c162-89 162-477 122-722-22-135-65-248-203-248-137 0-179 115-200 248-38 243-40 632 120 722 52 29 109 29 161 0" fill="#fc9432"/><path id="aq" d="m236 14c-107 0-176-65-176-171 0-105 70-171 176-171 105 0 176 66 176 171 0 106-70 171-176 171" fill="#fc9432"/><path id="ar" d="m1417 0h-208c-47 1-77-28-90-61l-108-295h-599l-108 295c-11 30-46 61-89 61h-209l568-1446h275zm-936-546h461c-77-218-163-424-231-651-66 230-154 432-230 651" fill="#512fc9"/><filter id="as" height="1.06" width="1.16" x="-.08" y="-.02"><feOffset dy="4" in="SourceAlpha" result="offOut"/><feGaussianBlur in="offOut" result="blurOut" stdDeviation="5"/><feColorMatrix in="blurOut" result="colorOut" values="0 0 0 0 0.03114186851211073 0 0 0 0 0.018069973087274125 0 0 0 0 0.07727797001153403 0 0 0 0.09803921568627451 0"/><feBlend in="SourceGraphic" in2="colorOut"/></filter></defs><g transform="translate(720.012358 -3173.355233)"><path d="m-281.16 3603a3 3 0 0 1 3-3h26a3 3 0 0 1 3 3v26a3 3 0 0 1 -3 3h-26a3 3 0 0 1 -3-3z" fill="none"/><path d="m-260.83 3600h8.67a3 3 0 0 1 3 3v8.67m0 8.66v8.67a3 3 0 0 1 -3 3h-8.67m-8.67 0h-8.66a3 3 0 0 1 -3-3v-8.67m0-8.66v-8.67a3 3 0 0 1 3-3h8.66" fill="none" stroke="#1071e5" stroke-width="2"/><path d="m-719 3208a8 8 0 0 1 8-8h581.87a8 8 0 0 1 8 8v364a8 8 0 0 1 -8 8h-581.87a8 8 0 0 1 -8-8z" fill="#fff" stroke="#512fc9" stroke-width="2"/><path d="m-719 3222.7h283.18v13.6h-283.2z" fill="none"/><path d="m-700 3226a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v116a6 6 0 0 1 -6 6h-116a6 6 0 0 1 -6-6z" fill="#fff" filter="url(#a)" stroke="#512fc9" stroke-opacity=".2" stroke-width="2"/><path d="m-700 3366a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v12a6 6 0 0 1 -6 6h-116a6 6 0 0 1 -6-6z" fill="none"/><g transform="translate(-684.617778 3378.88)"><use transform="scale(.00888889)" xlink:href="#b"/><use transform="matrix(.00888889 0 0 .00888889 9.884444 0)" xlink:href="#c"/><use transform="matrix(.00888889 0 0 .00888889 21.804444 0)" xlink:href="#d"/></g><use transform="translate(-648.271111 3378.88)" xlink:href="#h"/><path d="m-608.98 3266.34c0 8.2-6.7 14.88-14.87 14.88-8.26 0-14.87-6.67-14.87-14.88 0-8.2 6.6-14.87 14.87-14.87 8.18 0 14.87 6.67 14.87 14.88zm-34.72 9.92c0 5.47-4.46 9.92-9.9 9.92-5.5 0-9.95-4.44-9.95-9.92 0-5.47 4.46-9.92 9.96-9.92 5.44 0 9.9 4.45 9.9 9.92zm-29.74 28.74c0-7.65 6.24-13.86 13.9-13.86h11.9c7.65 0 13.82 6.2 13.82 13.85 0 1.93-1.56 3.47-3.42 3.47h-32.7c-1.94 0-3.5-1.54-3.5-3.48z" fill="#512fc9"/><path d="m-643.26 3289.2c6.92 1.88 11.97 8.15 11.97 15.68 0 1.3-.43 2.56-1.18 3.6h28.92c2.46 0 4.46-2 4.46-4.46 0-9.86-7.95-17.84-17.84-17.84h-16.35c-3.7 0-7.13 1.08-9.96 3.02z" fill="#512fc9"/><path d="m-510.82 3226a6 6 0 0 1 6-6h176.05a6 6 0 0 1 6 6v19.33a6 6 0 0 1 -6 6h-176.05a6 6 0 0 1 -6-6z" fill="none"/><g transform="translate(-505.456656 3242.546667)"><use transform="scale(.00888889)" xlink:href="#i"/><use transform="matrix(.00888889 0 0 .00888889 9.582222 0)" xlink:href="#j"/><use transform="matrix(.00888889 0 0 .00888889 19.857778 0)" xlink:href="#k"/><use transform="matrix(.00888889 0 0 .00888889 24.924444 0)" xlink:href="#l"/><use transform="matrix(.00888889 0 0 .00888889 29.12 0)" xlink:href="#m"/><use transform="matrix(.00888889 0 0 .00888889 37.76 0)" xlink:href="#n"/><use transform="matrix(.00888889 0 0 .00888889 48.071111 0)" xlink:href="#o"/><use transform="matrix(.00888889 0 0 .00888889 63.377778 0)" xlink:href="#j"/><use transform="matrix(.00888889 0 0 .00888889 73.653333 0)" xlink:href="#i"/><use transform="matrix(.00888889 0 0 .00888889 83.235556 0)" xlink:href="#p"/><use transform="matrix(.00888889 0 0 .00888889 93.191111 0)" xlink:href="#q"/><use transform="matrix(.00888889 0 0 .00888889 101.777778 0)" xlink:href="#l"/><use transform="matrix(.00888889 0 0 .00888889 105.973333 0)" xlink:href="#k"/><use transform="matrix(.00888889 0 0 .00888889 111.04 0)" xlink:href="#p"/><use transform="matrix(.00888889 0 0 .00888889 121.351111 0)" xlink:href="#r"/><use transform="matrix(.00888889 0 0 .00888889 128.462222 0)" xlink:href="#s"/><use transform="matrix(.00888889 0 0 .00888889 138.133333 0)" xlink:href="#t"/><use transform="matrix(.00888889 0 0 .00888889 145.475556 0)" xlink:href="#p"/><use transform="matrix(.00888889 0 0 .00888889 155.786667 0)" xlink:href="#i"/><use transform="matrix(.00888889 0 0 .00888889 165.368889 0)" xlink:href="#u"/><use transform="matrix(.00888889 0 0 .00888889 170.435556 0)" xlink:href="#v"/></g><path d="m-598.28 3604a3 3 0 0 1 3-3h26a3 3 0 0 1 3 3v26a3 3 0 0 1 -3 3h-26a3 3 0 0 1 -3-3z" fill="none"/><path d="m-577.95 3601h8.67a3 3 0 0 1 3 3v8.67m0 8.66v8.67a3 3 0 0 1 -3 3h-8.67m-8.66 0h-8.68a3 3 0 0 1 -3-3v-8.67m0-8.66v-8.67a3 3 0 0 1 3-3h8.66" fill="none" stroke="#00bfa5" stroke-width="2"/><path d="m-569 3237.67h18.73m18.72 0h18.73" fill="none" stroke="#f50057" stroke-width="4"/><path d="m-568.95 3239.64h-2.05v-3.95h2.05zm58.13 0h-2.05v-3.95h2.05z" fill="#f50057" stroke="#f50057" stroke-width=".05"/><path d="m-320.77 3237.67h39.47" fill="none" stroke="#f50057" stroke-width="4"/><path d="m-320.72 3239.64h-2.05v-3.95h2.05z" fill="#f50057" stroke="#f50057" stroke-width=".05"/><path d="m-266.3 3237.67-13 7.5v-15z" fill="#f50057" stroke="#f50057" stroke-width="4"/><path d="m-480.8 3253.25a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v19.33a6 6 0 0 1 -6 6h-116a6 6 0 0 1 -6-6z" fill="none"/><g transform="translate(-459.178878 3269.794659)"><use transform="scale(.00888889)" xlink:href="#w"/><use transform="matrix(.00888889 0 0 .00888889 10.311111 0)" xlink:href="#x"/><use transform="matrix(.00888889 0 0 .00888889 20.622222 0)" xlink:href="#x"/><use transform="matrix(.00888889 0 0 .00888889 30.933333 0)" xlink:href="#l"/><use transform="matrix(.00888889 0 0 .00888889 35.128889 0)" xlink:href="#y"/><use transform="matrix(.00888889 0 0 .00888889 45.44 0)" xlink:href="#z"/><use transform="matrix(.00888889 0 0 .00888889 55.751111 0)" xlink:href="#l"/><use transform="matrix(.00888889 0 0 .00888889 59.946667 0)" xlink:href="#x"/><use transform="matrix(.00888889 0 0 .00888889 70.257778 0)" xlink:href="#l"/><path d="m86-1041c45-269 211-432 516-432 221 0 368 97 436 253 40 91 43 220 10 318-51 154-158 259-262 365l-285 292c130-48 308-33 481-35 63-1 108 39 108 100v180h-1024c-2-94 2-169 54-222l420-423c101-110 202-200 212-395 7-138-99-209-232-170-58 17-99 60-118 117-22 66-66 96-152 81" fill="#f50057" transform="matrix(.00888889 0 0 .00888889 74.453333 0)"/></g><g stroke="#f50057"><path d="m-552 3264.9h23.06m23.07 0h23.07" fill="none" stroke-width="4"/><path d="m-567 3264.9 13-7.5v15z" fill="#f50057" stroke-width="4"/><path d="m-480.8 3266.9h-2.05v-3.96h2.05z" fill="#f50057" stroke-width=".05"/><path d="m-350.8 3264.9h28.83m28.84 0h28.82" fill="none" stroke-width="4"/><path d="m-350.75 3266.9h-2.05v-3.96h2.06z" fill="#f50057" stroke-width=".05"/><path d="m-264.36 3264.9h2.06" fill="none" stroke-width="4"/></g><path d="m139.8 3208a8 8 0 0 1 8-8h604.2a8 8 0 0 1 8 8v364a8 8 0 0 1 -8 8h-604.2a8 8 0 0 1 -8-8z" fill="#fff" stroke="#512fc9" stroke-width="2"/><path d="m139.8 3205.8h298.9v20.28h-298.9z" fill="none"/><path d="m-100.2 3208a8 8 0 0 1 8-8h204.2a8 8 0 0 1 8 8v364a8 8 0 0 1 -8 8h-204.2a8 8 0 0 1 -8-8z" fill="#fff" stroke="#512fc9" stroke-width="2"/><path d="m-132.74 3235.9a3 3 0 0 1 3-3h292.5a3 3 0 0 1 3 3v77.77a3 3 0 0 1 -3 3h-292.5a3 3 0 0 1 -3-3z" fill="#512fc9" fill-opacity=".07"/><path d="m-130.3 3274.88h18.4m18.4 0h36.82m18.4 0h36.8m18.42 0h36.8m18.42 0h36.8m18.4 0h18.42m-276.03 0h-2.06" fill="none" stroke="#00bfa5" stroke-width="4"/><path d="m160.77 3274.88-13 7.5v-15z" fill="#00bfa5" stroke="#00bfa5" stroke-width="4"/><path d="m50 3274.8c0 22.08-17.9 40-40 40s-40-17.92-40-40c0-22.1 17.9-40 40-40s40 17.9 40 40z" fill="#fff" filter="url(#A)" stroke="#00bfa5" stroke-width="4"/><path d="m29.8 3257.17h-39.6c-.85 0-1.4.55-1.4 1.4v5.66c0 .84.55 1.43 1.4 1.43h39.6c.85 0 1.4-.6 1.4-1.43v-5.66c0-.85-.55-1.4-1.4-1.4zm-8.48 5.66c-.85 0-1.44-.6-1.44-1.43 0-.85.6-1.4 1.44-1.4.85 0 1.4.55 1.4 1.4 0 .84-.55 1.43-1.4 1.43zm7.04 0h-2.8c-.85 0-1.44-.6-1.44-1.43 0-.85.6-1.4 1.44-1.4h2.8c.85 0 1.44.55 1.44 1.4 0 .84-.6 1.43-1.44 1.43zm1.44 8.49h-39.6c-.85 0-1.4.55-1.4 1.4v5.65c0 .85.55 1.4 1.4 1.4h18.4v5.95c-1.27.4-2.12 1.4-2.54 2.54h-11.62c-.85 0-1.4.6-1.4 1.43 0 .84.55 1.4 1.4 1.4h11.62c.55 1.68 2.12 2.82 3.94 2.82s3.4-1.14 3.94-2.83h11.62c.85 0 1.4-.56 1.4-1.4 0-.85-.55-1.44-1.4-1.44h-11.62c-.42-1.25-1.4-2.13-2.54-2.54v-5.93h18.4c.85 0 1.4-.55 1.4-1.4v-5.66c0-.83-.55-1.38-1.4-1.38zm-33.92 5.62c-.85 0-1.44-.55-1.44-1.4 0-.84.6-1.4 1.44-1.4.85 0 1.4.56 1.4 1.4 0 .85-.55 1.4-1.4 1.4zm4.24 0c-.85 0-1.44-.55-1.44-1.4 0-.84.6-1.4 1.44-1.4.85 0 1.4.56 1.4 1.4 0 .85-.55 1.4-1.4 1.4zm4.24 0c-.85 0-1.44-.55-1.44-1.4 0-.84.6-1.4 1.44-1.4.85 0 1.4.56 1.4 1.4 0 .85-.55 1.4-1.4 1.4zm2.8-1.4c0-.84.6-1.4 1.44-1.4.85 0 1.4.56 1.4 1.4 0 .85-.55 1.4-1.4 1.4s-1.44-.55-1.44-1.4zm14.16 1.4c-.85 0-1.44-.55-1.44-1.4 0-.84.6-1.4 1.44-1.4.85 0 1.4.56 1.4 1.4 0 .85-.55 1.4-1.4 1.4zm7.04 0h-2.8c-.85 0-1.44-.55-1.44-1.4 0-.84.6-1.4 1.44-1.4h2.8c.85 0 1.44.56 1.44 1.4 0 .85-.6 1.4-1.44 1.4z" fill="#00bfa5"/><path d="m-30 3329.92a6 6 0 0 1 6-6h68a6 6 0 0 1 6 6v12a6 6 0 0 1 -6 6h-68a6 6 0 0 1 -6-6z" fill="none"/><g transform="translate(-19.991111 3342.796756)"><use transform="scale(.00888889)" xlink:href="#B"/><use transform="matrix(.00888889 0 0 .00888889 11.111111 0)" xlink:href="#C"/><use transform="matrix(.00888889 0 0 .00888889 22.328889 0)" xlink:href="#D"/><use transform="matrix(.00888889 0 0 .00888889 36.275556 0)" xlink:href="#E"/><use transform="matrix(.00888889 0 0 .00888889 48.346667 0)" xlink:href="#F"/></g><path d="m-60 3217.84a6 6 0 0 1 6-6h128a6 6 0 0 1 6 6v12a6 6 0 0 1 -6 6h-128a6 6 0 0 1 -6-6z" fill="none"/><g transform="translate(-41.395556 3229.862902)"><use transform="scale(.00777778)" xlink:href="#G"/><use transform="matrix(.00777778 0 0 .00777778 13.097778 0)" xlink:href="#b"/><use transform="matrix(.00777778 0 0 .00777778 22.353333 0)" xlink:href="#e"/><use transform="matrix(.00777778 0 0 .00777778 30.395556 0)" xlink:href="#H"/></g><g transform="translate(.347778 3229.862902)"><use transform="scale(.00777778)" xlink:href="#b"/><use transform="matrix(.00777778 0 0 .00777778 9.255556 0)" xlink:href="#I"/><use transform="matrix(.00777778 0 0 .00777778 20.58 0)" xlink:href="#g"/><use transform="matrix(.00777778 0 0 .00777778 32.34 0)" xlink:href="#g"/><use transform="matrix(.00777778 0 0 .00777778 44.1 0)" xlink:href="#f"/><use transform="matrix(.00777778 0 0 .00777778 53.005556 0)" xlink:href="#e"/></g><path d="m-558.9 3607a6 6 0 0 1 6-6h38.6a6 6 0 0 1 6 6v19.5a6 6 0 0 1 -6 6h-38.6a6 6 0 0 1 -6-6z" fill="none"/><g transform="translate(-553.89681 3623.546667)"><path d="m1165-1446v221h-435v1225h-269v-1225h-437v-221z" fill="#00bfa5" transform="scale(.00888889)"/><path d="m1284-209c-114 140-276 228-525 225-347-4-553-182-649-442-66-178-66-423 6-596 108-261 330-435 688-440 220-3 375 79 488 188l-90 125c-16 32-68 39-102 12-71-55-162-101-298-96-304 11-465 201-465 510 0 241 101 401 267 477 125 58 330 39 424-24 42-17 97-111 150-54" fill="#00bfa5" transform="matrix(.00888889 0 0 .00888889 9.884444 0)"/><use transform="matrix(.00888889 0 0 .00888889 21.804444 0)" xlink:href="#B"/></g><path d="m-480.8 3308.37a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v19.34a6 6 0 0 1 -6 6h-116a6 6 0 0 1 -6-6z" fill="none"/><g transform="translate(-459.178878 3324.919646)"><use transform="scale(.00888889)" xlink:href="#J"/><use transform="matrix(.00888889 0 0 .00888889 10.311111 0)" xlink:href="#K"/><use transform="matrix(.00888889 0 0 .00888889 20.622222 0)" xlink:href="#K"/><use transform="matrix(.00888889 0 0 .00888889 30.933333 0)" xlink:href="#L"/><path d="m532-896c89-35 216-36 312-1 162 59 274 190 274 411 0 240-136 387-313 462-125 53-311 53-436 2-184-74-303-232-303-484 0-186 74-313 166-437l328-443c29-40 94-71 166-71h276c-157 187-313 374-470 561zm46 197c-139 0-214 93-214 235 0 148 69 235 218 235 140 0 226-93 226-234 0-150-82-236-230-236" fill="#00bfa5" transform="matrix(.00888889 0 0 .00888889 35.128889 0)"/><path d="m1126-566c-12 87 37 230-60 231h-90v335h-270v-335h-586c-39 1-76-30-82-63l-32-153 674-906h296v891zm-420 0c3-181-8-372 10-539l-385 539z" fill="#00bfa5" transform="matrix(.00888889 0 0 .00888889 45.44 0)"/><use transform="matrix(.00888889 0 0 .00888889 55.751111 0)" xlink:href="#L"/><use transform="matrix(.00888889 0 0 .00888889 59.946667 0)" xlink:href="#K"/><use transform="matrix(.00888889 0 0 .00888889 70.257778 0)" xlink:href="#L"/><path d="m86-1041c45-269 211-432 516-432 221 0 368 97 436 253 40 91 43 220 10 318-51 154-158 259-262 365l-285 292c130-48 308-33 481-35 63-1 108 39 108 100v180h-1024c-2-94 2-169 54-222l420-423c101-110 202-200 212-395 7-138-99-209-232-170-58 17-99 60-118 117-22 66-66 96-152 81" fill="#00bfa5" transform="matrix(.00888889 0 0 .00888889 74.453333 0)"/></g><path d="m-570 3320.04h14.53m14.54 0h29.06m14.54 0h14.53m-87.15 0h-2.05" fill="none" stroke="#00bfa5" stroke-width="4"/><path d="m-480.8 3322h-2.05v-3.93h2.05z" fill="#00bfa5" stroke="#00bfa5" stroke-width=".05"/><path d="m-350.8 3320.04h22.45m22.44 0h22.43" fill="none" stroke="#00bfa5" stroke-width="4"/><path d="m-350.75 3322h-2.05v-3.93h2.06z" fill="#00bfa5" stroke="#00bfa5" stroke-width=".05"/><path d="m-268.48 3320.04-13 7.5v-15z" fill="#00bfa5" stroke="#00bfa5" stroke-width="4"/><path d="m593.54 3406a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v116a6 6 0 0 1 -6 6h-116a6 6 0 0 1 -6-6z" fill="#fff" filter="url(#a)" stroke="#512fc9" stroke-opacity=".2" stroke-width="2"/><path d="m593.54 3546a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v12a6 6 0 0 1 -6 6h-116a6 6 0 0 1 -6-6z" fill="none"/><g transform="translate(574.560706 3558.88)"><use transform="scale(.00888889)" xlink:href="#M"/><use transform="matrix(.00888889 0 0 .00888889 9.306667 0)" xlink:href="#N"/><use transform="matrix(.00888889 0 0 .00888889 19.36 0)" xlink:href="#O"/><use transform="matrix(.00888889 0 0 .00888889 24.177778 0)" xlink:href="#P"/><path d="m928-153c-89 104-216 168-404 168-227 0-358-131-424-305-47-123-49-306-4-434 67-190 213-318 465-318 165 0 270 58 357 143-29 37-52 81-86 112-71 26-104-41-170-55-24-5-52-12-86-12-192 5-260 143-260 339 0 194 67 336 254 342 98 3 148-38 200-79 26-20 67-17 87 9" fill="#697986" transform="matrix(.00888889 0 0 .00888889 28.177778 0)"/><path d="m361-1005c121-49 297-49 417 0 184 74 298 236 298 490 0 330-178 530-506 530-329 0-509-200-509-530 0-254 115-416 300-490zm-45 492c0 201 65 338 254 338 188 0 251-137 251-338s-63-340-251-340c-189 0-254 139-254 340" fill="#697986" transform="matrix(.00888889 0 0 .00888889 36.657778 0)"/><use transform="matrix(.00888889 0 0 .00888889 46.764444 0)" xlink:href="#G"/><use transform="matrix(.00888889 0 0 .00888889 61.733333 0)" xlink:href="#N"/><use transform="matrix(.00888889 0 0 .00888889 71.786667 0)" xlink:href="#M"/><use transform="matrix(.00888889 0 0 .00888889 81.093333 0)" xlink:href="#Q"/><path d="m496 282c-21 85-170 43-266 53l192-411-415-950h216c39-1 60 21 70 46 80 195 164 386 238 586 7 18 10 37 14 56 74-221 164-427 244-642 9-24 36-46 68-46h198" fill="#697986" transform="matrix(.00888889 0 0 .00888889 90.88 0)"/><use transform="matrix(.00888889 0 0 .00888889 99.155556 0)" xlink:href="#P"/><use transform="matrix(.00888889 0 0 .00888889 103.155556 0)" xlink:href="#O"/><use transform="matrix(.00888889 0 0 .00888889 107.973333 0)" xlink:href="#Q"/><g fill="#697986"><path d="m738-75c-64 55-158 90-269 91-176 2-277-109-277-284v-573c-65-4-153 21-153-52v-98l165-27 52-280c10-66 115-35 183-42v323h270v176h-270v556c-1 59 32 101 88 102 48 1 68-25 104-34 19 1 25 9 33 22" transform="matrix(.00888889 0 0 .00888889 118.08 0)"/><path d="m991-153c-92 106-231 168-423 168-331 0-505-212-505-550 0-237 116-392 287-467 61-27 129-40 206-40 287 0 444 174 444 465 0 54-3 95-57 95h-634c4 226 158 349 385 292 52-13 93-39 132-62 32-19 73-16 93 9zm-213-478c-4-143-73-234-217-234-154 0-226 95-247 234z" transform="matrix(.00888889 0 0 .00888889 124.96 0)"/><path d="m604-806c-122 5-180 74-225 167v639h-247v-1026c83 11 206-35 218 62l15 124c63-106 147-205 295-205 51 0 93 12 126 35l-32 185c-4 23-15 33-40 33-33 0-65-16-110-14" transform="matrix(.00888889 0 0 .00888889 134.462222 0)"/></g><use transform="matrix(.00888889 0 0 .00888889 141.724444 0)" xlink:href="#Q"/><use transform="matrix(.00888889 0 0 .00888889 151.831111 0)" xlink:href="#M"/><path d="m395-1486v1486h-247v-1486z" fill="#697986" transform="matrix(.00888889 0 0 .00888889 161.137778 0)"/></g><path d="m629.64 3449.6h55.6c1.44 0 2.5-1.43 1.87-2.9l-6.44-14.46c-.18-.8-1-1.24-1.6-1.24h-43.07c-.62 0-1.42.43-1.86 1.24l-6.38 14.45c-.62 1.47.43 2.9 1.86 2.9zm56.86 2.05h-57.92c-1.24 0-2.04.86-2.04 2.1v8.25c0 1.24.8 2.05 2.04 2.05h57.9c1.25 0 2.06-.8 2.06-2.05v-8.25c0-1.24-.8-2.1-2.05-2.1zm-12.4 8.3c-1.25 0-2.12-.86-2.12-2.1s.87-2.05 2.1-2.05c1.25 0 2.06.8 2.06 2.05 0 1.24-.8 2.1-2.05 2.1zm10.28 0h-4.1c-1.23 0-2.1-.86-2.1-2.1s.87-2.05 2.1-2.05h4.1c1.24 0 2.1.8 2.1 2.05 0 1.24-.86 2.1-2.1 2.1zm2.12 20.65h-57.92c-1.24 0-2.04.8-2.04 2.05v8.3c0 1.24.8 2.05 2.04 2.05h57.9c1.25 0 2.06-.8 2.06-2.05v-8.3c0-1.24-.8-2.05-2.05-2.05zm-12.4 8.25c-1.25 0-2.12-.8-2.12-2.05 0-1.24.87-2.05 2.1-2.05 1.25 0 2.06.8 2.06 2.05 0 1.24-.8 2.05-2.05 2.05zm10.28 0h-4.1c-1.23 0-2.1-.8-2.1-2.05 0-1.24.87-2.05 2.1-2.05h4.1c1.24 0 2.1.8 2.1 2.05 0 1.24-.86 2.05-2.1 2.05zm2.12-22.7h-57.92c-1.24 0-2.04.8-2.04 2.05v8.25c0 1.24.8 2.1 2.04 2.1h57.9c1.25 0 2.06-.86 2.06-2.1v-8.25c0-1.24-.8-2.05-2.05-2.05zm-49.6 8.25c-1.25 0-2.12-.8-2.12-2.05 0-1.24.87-2.1 2.1-2.1 1.25 0 2.06.86 2.06 2.1s-.8 2.05-2.05 2.05zm6.2 0c-1.25 0-2.12-.8-2.12-2.05 0-1.24.87-2.1 2.1-2.1 1.25 0 2.06.86 2.06 2.1s-.8 2.05-2.05 2.05zm6.2 0c-1.25 0-2.12-.8-2.12-2.05 0-1.24.87-2.1 2.1-2.1 1.25 0 2.06.86 2.06 2.1s-.8 2.05-2.05 2.05zm6.2 0c-1.25 0-2.12-.8-2.12-2.05 0-1.24.87-2.1 2.1-2.1 1.25 0 2.06.86 2.06 2.1s-.8 2.05-2.05 2.05zm18.6 0c-1.25 0-2.12-.8-2.12-2.05 0-1.24.87-2.1 2.1-2.1 1.25 0 2.06.86 2.06 2.1s-.8 2.05-2.05 2.05zm10.28 0h-4.1c-1.23 0-2.1-.8-2.1-2.05 0-1.24.87-2.1 2.1-2.1h4.1c1.24 0 2.1.86 2.1 2.1s-.86 2.05-2.1 2.05z" fill="#512fc9"/><path d="m593.54 3224.3a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v116a6 6 0 0 1 -6 6h-116a6 6 0 0 1 -6-6z" fill="#fff" filter="url(#a)" stroke="#512fc9" stroke-opacity=".2" stroke-width="2"/><path d="m593.54 3364.3a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v12a6 6 0 0 1 -6 6h-116a6 6 0 0 1 -6-6z" fill="none"/><g transform="translate(604.787373 3377.168123)"><use transform="scale(.00888889)" xlink:href="#R"/><use transform="matrix(.00888889 0 0 .00888889 13.288889 0)" xlink:href="#g"/><use transform="matrix(.00888889 0 0 .00888889 26.728889 0)" xlink:href="#H"/></g><g transform="translate(644.485151 3377.168123)"><use transform="scale(.00888889)" xlink:href="#H"/><use transform="matrix(.00888889 0 0 .00888889 9.537778 0)" xlink:href="#f"/><use transform="matrix(.00888889 0 0 .00888889 19.715556 0)" xlink:href="#S"/><path d="m4-1446h217c48-1 77 26 90 61 125 326 256 646 373 977 12 34 20 70 29 108 15-77 34-144 57-203l339-882c12-30 45-61 89-61h217l-584 1446h-243" fill="#697986" transform="matrix(.00888889 0 0 .00888889 31.36 0)"/><use transform="matrix(.00888889 0 0 .00888889 43.982222 0)" xlink:href="#f"/><use transform="matrix(.00888889 0 0 .00888889 54.16 0)" xlink:href="#S"/></g><path d="m629.64 3267.9h55.6c1.44 0 2.5-1.44 1.87-2.93l-6.44-14.44c-.18-.8-1-1.24-1.6-1.24h-43.07c-.62 0-1.42.42-1.86 1.23l-6.38 14.44c-.62 1.5.43 2.92 1.86 2.92zm56.86 2.03h-57.92c-1.24 0-2.04.87-2.04 2.1v8.26c0 1.23.8 2.03 2.04 2.03h57.9c1.25 0 2.06-.8 2.06-2.04v-8.26c0-1.24-.8-2.1-2.05-2.1zm-12.4 8.3c-1.25 0-2.12-.86-2.12-2.1s.87-2.04 2.1-2.04c1.25 0 2.06.8 2.06 2.03 0 1.24-.8 2.1-2.05 2.1zm10.28 0h-4.1c-1.23 0-2.1-.86-2.1-2.1s.87-2.04 2.1-2.04h4.1c1.24 0 2.1.8 2.1 2.03 0 1.24-.86 2.1-2.1 2.1zm2.12 20.67h-57.92c-1.24 0-2.04.8-2.04 2.03v8.3c0 1.25.8 2.06 2.04 2.06h57.9c1.25 0 2.06-.82 2.06-2.06v-8.3c0-1.25-.8-2.05-2.05-2.05zm-12.4 8.23c-1.25 0-2.12-.8-2.12-2.04 0-1.25.87-2.06 2.1-2.06 1.25 0 2.06.8 2.06 2.05 0 1.23-.8 2.03-2.05 2.03zm10.28 0h-4.1c-1.23 0-2.1-.8-2.1-2.04 0-1.25.87-2.06 2.1-2.06h4.1c1.24 0 2.1.8 2.1 2.05 0 1.23-.86 2.03-2.1 2.03zm2.12-22.69h-57.92c-1.24 0-2.04.8-2.04 2.05v8.23c0 1.24.8 2.1 2.04 2.1h57.9c1.25 0 2.06-.86 2.06-2.1v-8.24c0-1.25-.8-2.06-2.05-2.06zm-49.6 8.25c-1.25 0-2.12-.82-2.12-2.06s.87-2.1 2.1-2.1c1.25 0 2.06.86 2.06 2.1s-.8 2.05-2.05 2.05zm6.2 0c-1.25 0-2.12-.82-2.12-2.06s.87-2.1 2.1-2.1c1.25 0 2.06.86 2.06 2.1s-.8 2.05-2.05 2.05zm6.2 0c-1.25 0-2.12-.82-2.12-2.06s.87-2.1 2.1-2.1c1.25 0 2.06.86 2.06 2.1s-.8 2.05-2.05 2.05zm6.2 0c-1.25 0-2.12-.82-2.12-2.06s.87-2.1 2.1-2.1c1.25 0 2.06.86 2.06 2.1s-.8 2.05-2.05 2.05zm18.6 0c-1.25 0-2.12-.82-2.12-2.06s.87-2.1 2.1-2.1c1.25 0 2.06.86 2.06 2.1s-.8 2.05-2.05 2.05zm10.28 0h-4.1c-1.23 0-2.1-.82-2.1-2.06s.87-2.1 2.1-2.1h4.1c1.24 0 2.1.86 2.1 2.1s-.86 2.05-2.1 2.05z" fill="#512fc9"/><path d="m345.5 3238.9a6 6 0 0 1 6-6h176.04a6 6 0 0 1 6 6v19.34a6 6 0 0 1 -6 6h-176.04a6 6 0 0 1 -6-6z" fill="none"/><g transform="translate(350.856262 3255.458786)"><use transform="scale(.00888889)" xlink:href="#i"/><use transform="matrix(.00888889 0 0 .00888889 9.582222 0)" xlink:href="#j"/><use transform="matrix(.00888889 0 0 .00888889 19.857778 0)" xlink:href="#k"/><use transform="matrix(.00888889 0 0 .00888889 24.924444 0)" xlink:href="#l"/><use transform="matrix(.00888889 0 0 .00888889 29.12 0)" xlink:href="#m"/><use transform="matrix(.00888889 0 0 .00888889 37.76 0)" xlink:href="#n"/><use transform="matrix(.00888889 0 0 .00888889 48.071111 0)" xlink:href="#o"/><use transform="matrix(.00888889 0 0 .00888889 63.377778 0)" xlink:href="#j"/><use transform="matrix(.00888889 0 0 .00888889 73.653333 0)" xlink:href="#i"/><use transform="matrix(.00888889 0 0 .00888889 83.235556 0)" xlink:href="#p"/><use transform="matrix(.00888889 0 0 .00888889 93.191111 0)" xlink:href="#q"/><use transform="matrix(.00888889 0 0 .00888889 101.777778 0)" xlink:href="#l"/><use transform="matrix(.00888889 0 0 .00888889 105.973333 0)" xlink:href="#k"/><use transform="matrix(.00888889 0 0 .00888889 111.04 0)" xlink:href="#p"/><use transform="matrix(.00888889 0 0 .00888889 121.351111 0)" xlink:href="#r"/><use transform="matrix(.00888889 0 0 .00888889 128.462222 0)" xlink:href="#s"/><use transform="matrix(.00888889 0 0 .00888889 138.133333 0)" xlink:href="#t"/><use transform="matrix(.00888889 0 0 .00888889 145.475556 0)" xlink:href="#p"/><use transform="matrix(.00888889 0 0 .00888889 155.786667 0)" xlink:href="#i"/><use transform="matrix(.00888889 0 0 .00888889 165.368889 0)" xlink:href="#u"/><use transform="matrix(.00888889 0 0 .00888889 170.435556 0)" xlink:href="#v"/></g><path d="m296.77 3250.58h15.57m15.58 0h15.57" fill="none" stroke="#f50057" stroke-width="4"/><path d="m296.82 3252.55h-2.05v-3.95h2.05zm48.68 0h-2.06v-3.95h2.05z" fill="#f50057" stroke="#f50057" stroke-width=".05"/><path d="m535.54 3250.58h38" fill="none" stroke="#f50057" stroke-width="4"/><path d="m535.6 3252.55h-2.06v-3.95h2.05z" fill="#f50057" stroke="#f50057" stroke-width=".05"/><path d="m588.54 3250.58-13 7.5v-15z" fill="#f50057" stroke="#f50057" stroke-width="4"/><path d="m380 3271.18a6 6 0 0 1 6-6h68a6 6 0 0 1 6 6v17.67a6 6 0 0 1 -6 6h-68a6 6 0 0 1 -6-6z" fill="none"/><g transform="translate(387.928889 3287.729223)"><use transform="scale(.00888889)" xlink:href="#w"/><use transform="matrix(.00888889 0 0 .00888889 10.311111 0)" xlink:href="#x"/><use transform="matrix(.00888889 0 0 .00888889 20.622222 0)" xlink:href="#l"/><use transform="matrix(.00888889 0 0 .00888889 24.817778 0)" xlink:href="#x"/><use transform="matrix(.00888889 0 0 .00888889 35.128889 0)" xlink:href="#l"/><use transform="matrix(.00888889 0 0 .00888889 39.324444 0)" xlink:href="#w"/><use transform="matrix(.00888889 0 0 .00888889 49.635556 0)" xlink:href="#l"/><use transform="matrix(.00888889 0 0 .00888889 53.831111 0)" xlink:href="#w"/></g><path d="m313.76 3281.9h21.4m21.43 0h21.41" fill="none" stroke="#f50057" stroke-width="4"/><path d="m298.77 3281.9 13-7.5v15z" fill="#f50057" stroke="#f50057" stroke-width="4"/><path d="m380 3283.9h-2.05v-3.96h2.05z" fill="#f50057" stroke="#f50057" stroke-width=".05"/><path d="m462 3281.9h21.42m21.43 0h42.84m21.4 0h21.44" fill="none" stroke="#f50057" stroke-width="4"/><path d="m462.05 3283.9h-2.05v-3.96h2.05zm130.49 0h-2.05v-3.96h2.04z" fill="#f50057" stroke="#f50057" stroke-width=".05"/><path d="m380 3310.78a6 6 0 0 1 6-6h68a6 6 0 0 1 6 6v17.67a6 6 0 0 1 -6 6h-68a6 6 0 0 1 -6-6z" fill="none"/><g transform="translate(387.928889 3327.329448)"><use transform="scale(.00888889)" xlink:href="#J"/><use transform="matrix(.00888889 0 0 .00888889 10.311111 0)" xlink:href="#K"/><use transform="matrix(.00888889 0 0 .00888889 20.622222 0)" xlink:href="#L"/><use transform="matrix(.00888889 0 0 .00888889 24.817778 0)" xlink:href="#K"/><use transform="matrix(.00888889 0 0 .00888889 35.128889 0)" xlink:href="#L"/><use transform="matrix(.00888889 0 0 .00888889 39.324444 0)" xlink:href="#J"/><use transform="matrix(.00888889 0 0 .00888889 49.635556 0)" xlink:href="#L"/><use transform="matrix(.00888889 0 0 .00888889 53.831111 0)" xlink:href="#J"/></g><path d="m296.77 3319.62h27.08m27.07 0h27.08" fill="none" stroke="#00bfa5" stroke-width="4"/><path d="m296.82 3321.6h-2.05v-3.96h2.05zm83.18 0h-2.05v-3.96h2.05z" fill="#00bfa5" stroke="#00bfa5" stroke-width=".05"/><path d="m462 3319.62h19.42m19.43 0h19.42a6 6 0 0 1 6 6v22.06m0 22.07v44.12m0 22.07v22.06a6 6 0 0 0 6 6h13.76m13.76 0h13.75" fill="none" stroke="#00bfa5" stroke-width="4"/><path d="m462.05 3321.6h-2.05v-3.96h2.05z" fill="#00bfa5" stroke="#00bfa5" stroke-width=".05"/><path d="m588.54 3464-13 7.5v-15z" fill="#00bfa5" stroke="#00bfa5" stroke-width="4"/><path d="m-100.66 3174.36h220.2v25.64h-220.2z" fill="none"/><g transform="translate(-64.000199 3195.877613)"><use transform="scale(.00837)" xlink:href="#T"/><use transform="matrix(.00837 0 0 .00837 10.4625 0)" xlink:href="#U"/><path d="m1177-1061c0 181-116 262-257 314 199 45 298 152 298 322 0 295-221 425-526 425h-546v-1446h499c307 3 532 89 532 385zm-225 630c0-152-108-202-265-203h-272v424h273c163-1 264-65 264-221zm-43-598c0-163-94-209-264-209h-230v418h215c168-1 279-50 279-209" fill="#512fc9" transform="matrix(.00837 0 0 .00837 22.64922 0)"/><use transform="matrix(.00837 0 0 .00837 33.55533 0)" xlink:href="#V"/><use transform="matrix(.00837 0 0 .00837 42.20991 0)" xlink:href="#W"/><path d="m1284-209c-114 140-276 228-525 225-347-4-553-182-649-442-66-178-66-423 6-596 108-261 330-435 688-440 220-3 375 79 488 188l-90 125c-16 32-68 39-102 12-71-55-162-101-298-96-304 11-465 201-465 510 0 241 101 401 267 477 125 58 330 39 424-24 42-17 97-111 150-54" fill="#512fc9" transform="matrix(.00837 0 0 .00837 47.46627 0)"/></g><g transform="translate(-2.078939 3195.877613)"><use transform="scale(.00837)" xlink:href="#X"/><use transform="matrix(.00837 0 0 .00837 12.65544 0)" xlink:href="#Y"/><use transform="matrix(.00837 0 0 .00837 22.23909 0)" xlink:href="#Z"/><use transform="matrix(.00837 0 0 .00837 32.19939 0)" xlink:href="#aa"/><use transform="matrix(.00837 0 0 .00837 49.7178 0)" xlink:href="#ab"/><use transform="matrix(.00837 0 0 .00837 63.10143 0)" xlink:href="#ac"/><use transform="matrix(.00837 0 0 .00837 74.06613 0)" xlink:href="#ad"/></g><path d="m165.77 3227.58a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v116a6 6 0 0 1 -6 6h-116a6 6 0 0 1 -6-6z" fill="#fff" filter="url(#a)" stroke="#512fc9" stroke-opacity=".2" stroke-width="2"/><path d="m165.77 3367.58a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v12a6 6 0 0 1 -6 6h-116a6 6 0 0 1 -6-6z" fill="none"/><g transform="translate(181.022575 3380.458786)"><use transform="scale(.00888889)" xlink:href="#ae"/><use transform="matrix(.00888889 0 0 .00888889 12.622222 0)" xlink:href="#d"/><use transform="matrix(.00888889 0 0 .00888889 23.733333 0)" xlink:href="#d"/></g><g transform="translate(219.298131 3380.458786)"><use transform="scale(.00888889)" xlink:href="#ae"/><path d="m1341-140c-137 102-313 160-552 156-350-5-566-186-673-442-73-175-71-420-1-596 107-266 333-435 699-440 235-2 404 78 526 189l-78 122c-45 78-131 10-176-17-110-67-334-90-474-29-171 74-275 233-275 474 0 251 105 414 283 489 144 62 360 37 477-26v-263h-181c-88 2-46-125-56-202h481z" fill="#697986" transform="matrix(.00888889 0 0 .00888889 12.168889 0)"/><use transform="matrix(.00888889 0 0 .00888889 25.022222 0)" xlink:href="#f"/><use transform="matrix(.00888889 0 0 .00888889 35.2 0)" xlink:href="#g"/><use transform="matrix(.00888889 0 0 .00888889 48.64 0)" xlink:href="#b"/></g><path d="m249.57 3267.2h-39.6c-.85 0-1.4.56-1.4 1.4v5.66c0 .85.55 1.43 1.4 1.43h39.6c.85 0 1.4-.6 1.4-1.44v-5.66c0-.84-.55-1.4-1.4-1.4zm-8.48 5.66c-.86 0-1.45-.58-1.45-1.43 0-.84.6-1.4 1.44-1.4s1.4.56 1.4 1.4c0 .85-.56 1.43-1.4 1.43zm7.03 0h-2.8c-.85 0-1.44-.58-1.44-1.43 0-.84.58-1.4 1.43-1.4h2.8c.85 0 1.44.56 1.44 1.4 0 .85-.6 1.43-1.44 1.43zm1.45 8.49h-39.6c-.85 0-1.4.55-1.4 1.4v5.66c0 .85.55 1.4 1.4 1.4h18.4v5.95c-1.27.4-2.12 1.4-2.54 2.53h-11.63c-.84 0-1.4.58-1.4 1.43 0 .84.56 1.4 1.4 1.4h11.63c.55 1.68 2.12 2.82 3.94 2.82s3.4-1.14 3.94-2.83h11.63c.85 0 1.4-.55 1.4-1.4 0-.84-.55-1.43-1.4-1.43h-11.64c-.4-1.26-1.4-2.14-2.53-2.54v-5.94h18.4c.85 0 1.4-.55 1.4-1.4v-5.65c0-.85-.55-1.4-1.4-1.4zm-33.92 5.63c-.85 0-1.44-.56-1.44-1.4 0-.85.6-1.4 1.45-1.4s1.4.55 1.4 1.4c0 .84-.55 1.4-1.4 1.4zm4.24 0c-.86 0-1.45-.56-1.45-1.4 0-.85.6-1.4 1.44-1.4s1.4.55 1.4 1.4c0 .84-.56 1.4-1.4 1.4zm4.23 0c-.85 0-1.44-.56-1.44-1.4 0-.85.58-1.4 1.43-1.4s1.4.55 1.4 1.4c0 .84-.55 1.4-1.4 1.4zm2.8-1.4c0-.85.6-1.4 1.44-1.4.85 0 1.4.55 1.4 1.4 0 .84-.55 1.4-1.4 1.4s-1.44-.56-1.44-1.4zm14.16 1.4c-.86 0-1.45-.56-1.45-1.4 0-.85.6-1.4 1.44-1.4s1.4.55 1.4 1.4c0 .84-.56 1.4-1.4 1.4zm7.03 0h-2.8c-.85 0-1.44-.56-1.44-1.4 0-.85.58-1.4 1.43-1.4h2.8c.85 0 1.44.55 1.44 1.4 0 .84-.6 1.4-1.44 1.4z" fill="#00bfa5"/><path d="m-700 3414.65a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v116a6 6 0 0 1 -6 6h-116a6 6 0 0 1 -6-6z" fill="#fff" filter="url(#a)" stroke="#512fc9" stroke-opacity=".2" stroke-width="2"/><path d="m-700 3554.65a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v12a6 6 0 0 1 -6 6h-116a6 6 0 0 1 -6-6z" fill="none"/><use transform="translate(-684.417778 3567.526327)" xlink:href="#af"/><use transform="translate(-648.471111 3567.526327)" xlink:href="#h"/><path d="m-608.98 3455c0 8.2-6.7 14.87-14.87 14.87-8.26 0-14.87-6.67-14.87-14.88 0-8.22 6.6-14.9 14.87-14.9 8.18 0 14.87 6.68 14.87 14.9zm-34.72 9.9c0 5.48-4.46 9.93-9.9 9.93-5.5 0-9.95-4.45-9.95-9.92 0-5.46 4.46-9.9 9.96-9.9 5.44 0 9.9 4.44 9.9 9.9zm-29.74 28.74c0-7.64 6.24-13.85 13.9-13.85h11.9c7.65 0 13.82 6.2 13.82 13.84 0 1.93-1.56 3.47-3.42 3.47h-32.7c-1.94 0-3.5-1.53-3.5-3.46z" fill="#512fc9"/><path d="m-643.26 3477.85c6.92 1.88 11.97 8.15 11.97 15.67 0 1.3-.43 2.57-1.18 3.6h28.92c2.46 0 4.46-2 4.46-4.45 0-9.86-7.95-17.84-17.84-17.84h-16.35c-3.7 0-7.13 1.08-9.96 3.02z" fill="#512fc9"/><path d="m-498.97 3604.5a3 3 0 0 1 3-3h26a3 3 0 0 1 3 3v26a3 3 0 0 1 -3 3h-26a3 3 0 0 1 -3-3z" fill="none"/><path d="m-478.63 3601.5h8.66a3 3 0 0 1 3 3v8.67m0 8.66v8.67a3 3 0 0 1 -3 3h-8.66m-8.67 0h-8.67a3 3 0 0 1 -3-3v-8.67m0-8.66v-8.67a3 3 0 0 1 3-3h8.67" fill="none" stroke="#fc9432" stroke-width="2"/><path d="m-700 3604.5a3 3 0 0 1 3-3h26a3 3 0 0 1 3 3v26a3 3 0 0 1 -3 3h-26a3 3 0 0 1 -3-3z" fill="none"/><path d="m-679.67 3601.5h8.67a3 3 0 0 1 3 3v8.67m0 8.66v8.67a3 3 0 0 1 -3 3h-8.67m-8.66 0h-8.67a3 3 0 0 1 -3-3v-8.67m0-8.66v-8.67a3 3 0 0 1 3-3h8.67" fill="none" stroke="#f50057" stroke-width="2"/><path d="m-569 3426.3h19.18m19.18 0h38.36m19.18 0h38.36m19.18 0h38.36m19.18 0h38.36m19.18 0h19.2" fill="none" stroke="#f50057" stroke-width="4"/><path d="m-568.95 3428.3h-2.05v-3.96h2.05z" fill="#f50057" stroke="#f50057" stroke-width=".05"/><path d="m-266.3 3426.3-13 7.5v-15z" fill="#f50057" stroke="#f50057" stroke-width="4"/><path d="m-133.3 3425.5a3 3 0 0 1 3-3h312.84a3 3 0 0 1 3 3v75.88a3 3 0 0 1 -3 3h-312.84a3 3 0 0 1 -3-3z" fill="#512fc9" fill-opacity=".07"/><path d="m-130.3 3463.52h18.4m18.4 0h36.82m18.4 0h36.8m18.42 0h36.8m18.42 0h36.8m18.4 0h18.42m-276.03 0h-2.06" fill="none" stroke="#1071e5" stroke-width="4"/><path d="m160.77 3463.52-13 7.5v-15z" fill="#1071e5" stroke="#1071e5" stroke-width="4"/><path d="m49.44 3463.44c0 22.1-17.9 40-40 40s-40-17.9-40-40 17.9-40 40-40 40 17.9 40 40z" fill="#fff" filter="url(#A)" stroke="#00bfa5" stroke-width="4"/><path d="m29.24 3445.82h-39.6c-.85 0-1.4.55-1.4 1.4v5.65c0 .85.55 1.43 1.4 1.43h39.6c.85 0 1.4-.58 1.4-1.43v-5.66c0-.83-.55-1.38-1.4-1.38zm-8.48 5.66c-.85 0-1.44-.6-1.44-1.44s.6-1.4 1.44-1.4c.85 0 1.4.56 1.4 1.4 0 .85-.55 1.44-1.4 1.44zm7.04 0h-2.8c-.85 0-1.44-.6-1.44-1.44s.6-1.4 1.44-1.4h2.8c.84 0 1.44.56 1.44 1.4 0 .85-.6 1.44-1.44 1.44zm1.44 8.48h-39.6c-.85 0-1.4.56-1.4 1.4v5.66c0 .84.55 1.4 1.4 1.4h18.4v5.95c-1.27.4-2.12 1.4-2.55 2.53h-11.62c-.85 0-1.4.6-1.4 1.44s.55 1.4 1.4 1.4h11.6c.56 1.68 2.13 2.82 3.96 2.82 1.82 0 3.4-1.14 3.94-2.83h11.63c.84 0 1.4-.55 1.4-1.4 0-.84-.55-1.43-1.4-1.43h-11.62c-.42-1.24-1.4-2.13-2.54-2.53v-5.95h18.4c.85 0 1.4-.56 1.4-1.4v-5.66c0-.84-.55-1.4-1.4-1.4zm-33.92 5.63c-.85 0-1.44-.57-1.44-1.4 0-.86.6-1.4 1.44-1.4.85 0 1.4.54 1.4 1.4 0 .84-.55 1.4-1.4 1.4zm4.24 0c-.85 0-1.44-.57-1.44-1.4 0-.86.6-1.4 1.44-1.4.85 0 1.4.54 1.4 1.4 0 .84-.55 1.4-1.4 1.4zm4.24 0c-.85 0-1.44-.57-1.44-1.4 0-.86.6-1.4 1.44-1.4.85 0 1.4.54 1.4 1.4 0 .84-.55 1.4-1.4 1.4zm2.8-1.4c0-.86.6-1.4 1.44-1.4.85 0 1.4.54 1.4 1.4 0 .84-.55 1.4-1.4 1.4s-1.44-.57-1.44-1.4zm14.16 1.4c-.85 0-1.44-.57-1.44-1.4 0-.86.6-1.4 1.44-1.4.85 0 1.4.54 1.4 1.4 0 .84-.55 1.4-1.4 1.4zm7.04 0h-2.8c-.85 0-1.44-.57-1.44-1.4 0-.86.6-1.4 1.44-1.4h2.8c.84 0 1.44.54 1.44 1.4 0 .84-.6 1.4-1.44 1.4z" fill="#00bfa5"/><path d="m-30.56 3518.56a6 6 0 0 1 6-6h68a6 6 0 0 1 6 6v12a6 6 0 0 1 -6 6h-68a6 6 0 0 1 -6-6z" fill="none"/><g transform="translate(-20.554162 3531.443083)"><use transform="scale(.00888889)" xlink:href="#B"/><use transform="matrix(.00888889 0 0 .00888889 11.111111 0)" xlink:href="#C"/><use transform="matrix(.00888889 0 0 .00888889 22.328889 0)" xlink:href="#D"/><use transform="matrix(.00888889 0 0 .00888889 36.275556 0)" xlink:href="#E"/><use transform="matrix(.00888889 0 0 .00888889 48.346667 0)" xlink:href="#F"/></g><path d="m-60.67 3406a6 6 0 0 1 6-6h128a6 6 0 0 1 6 6v12a6 6 0 0 1 -6 6h-128a6 6 0 0 1 -6-6z" fill="none"/><g transform="translate(-42.064264 3418.02)"><use transform="scale(.00777778)" xlink:href="#G"/><use transform="matrix(.00777778 0 0 .00777778 13.097778 0)" xlink:href="#b"/><use transform="matrix(.00777778 0 0 .00777778 22.353333 0)" xlink:href="#e"/><use transform="matrix(.00777778 0 0 .00777778 30.395556 0)" xlink:href="#H"/></g><g transform="translate(-.320931 3418.02)"><use transform="scale(.00777778)" xlink:href="#b"/><use transform="matrix(.00777778 0 0 .00777778 9.255556 0)" xlink:href="#I"/><use transform="matrix(.00777778 0 0 .00777778 20.58 0)" xlink:href="#g"/><use transform="matrix(.00777778 0 0 .00777778 32.34 0)" xlink:href="#g"/><use transform="matrix(.00777778 0 0 .00777778 44.1 0)" xlink:href="#f"/><use transform="matrix(.00777778 0 0 .00777778 53.005556 0)" xlink:href="#e"/></g><path d="m-459.58 3607.5a6 6 0 0 1 6-6h159.03a6 6 0 0 1 6 6v27.87a6 6 0 0 1 -6 6h-159.03a6 6 0 0 1 -6-6z" fill="none"/><g transform="translate(-454.581906 3624.046667)"><use transform="scale(.00888889)" xlink:href="#ag"/><use transform="matrix(.00888889 0 0 .00888889 9.537778 0)" xlink:href="#ag"/><path d="m1366 0h-271v-632h-678v632h-271v-1446h271v622h678v-622h271z" fill="#fc9432" transform="matrix(.00888889 0 0 .00888889 19.075556 0)"/></g><path d="m7-1026h196c35-1 64 19 71 46 60 241 137 465 181 722 68-246 151-481 220-724 17-60 103-44 175-46 35-1 61 20 69 46 70 242 148 477 212 725 47-256 125-482 189-723 21-78 165-35 255-46l-325 1026h-199c-21 0-37-15-46-44-67-218-136-432-201-652-5-20-10-39-13-58-8 41-17 80-29 119l-187 591c-9 29-27 44-54 44h-189" fill="#fc9432" transform="matrix(.00888889 0 0 .00888889 -418.63524 3624.046667)"/><path d="m395-1026v1026h-247v-1026zm-123-457c96 0 160 62 160 158 0 94-65 155-160 155-93 0-156-62-156-155 0-95 61-158 156-158" fill="#fc9432" transform="matrix(.00888889 0 0 .00888889 -404.573018 3624.046667)"/><path d="m738-75c-64 55-158 90-269 91-176 2-277-109-277-284v-573c-65-4-153 21-153-52v-98l165-27 52-280c10-66 115-35 183-42v323h270v176h-270v556c-1 59 32 101 88 102 48 1 68-25 104-34 19 1 25 9 33 22" fill="#fc9432" transform="matrix(.00888889 0 0 .00888889 -399.75524 3624.046667)"/><path d="m605-850c-102 1-168 52-226 108v742h-247v-1486h247v571c76-69 161-129 301-127 234 4 346 154 346 389v653h-247v-653c0-121-55-198-174-197" fill="#fc9432" transform="matrix(.00888889 0 0 .00888889 -392.87524 3624.046667)"/><g transform="translate(-379.337462 3624.046667)"><use transform="scale(.00888889)" xlink:href="#ah"/><g fill="#fc9432"><path d="m361-1005c121-49 297-49 417 0 184 74 298 236 298 490 0 330-178 530-506 530-329 0-509-200-509-530 0-254 115-416 300-490zm-45 492c0 201 65 338 254 338 188 0 251-137 251-338s-63-340-251-340c-189 0-254 139-254 340" transform="matrix(.00888889 0 0 .00888889 4.817778 0)"/><path d="m928-153c-89 104-216 168-404 168-227 0-358-131-424-305-47-123-49-306-4-434 67-190 213-318 465-318 165 0 270 58 357 143-29 37-52 81-86 112-71 26-104-41-170-55-24-5-52-12-86-12-192 5-260 143-260 339 0 194 67 336 254 342 98 3 148-38 200-79 26-20 67-17 87 9" transform="matrix(.00888889 0 0 .00888889 14.924444 0)"/><path d="m556-1045c246 0 380 151 380 397v648c-79-6-181 23-196-53l-22-73c-88 77-177 144-339 142-185-3-298-93-298-278 0-184 152-247 321-292 78-21 176-31 293-34 10-155-29-262-170-262-104 0-161 40-224 77-47 28-107 5-127-31l-45-79c118-108 260-162 427-162zm-239 770c-3 86 56 121 139 121 117 0 179-51 239-111v-173c-122 6-219 17-297 53-49 22-79 51-81 110" transform="matrix(.00888889 0 0 .00888889 23.404444 0)"/></g><use transform="matrix(.00888889 0 0 .00888889 32.711111 0)" xlink:href="#ah"/></g><path d="m382-1486v851c54 1 89-1 115-33l255-315c22-25 41-43 86-43h226c-118 139-232 284-354 420-11 12-25 21-39 30 29 21 48 49 69 78l342 498h-223c-44-1-65-15-85-44l-261-389c-20-29-30-36-75-37h-56v470h-247v-1486z" fill="#fc9432" transform="matrix(.00888889 0 0 .00888889 -338.377462 3624.046667)"/><path d="m991-153c-92 106-231 168-423 168-331 0-505-212-505-550 0-237 116-392 287-467 61-27 129-40 206-40 287 0 444 174 444 465 0 54-3 95-57 95h-634c4 226 158 349 385 292 52-13 93-39 132-62 32-19 73-16 93 9zm-213-478c-4-143-73-234-217-234-154 0-226 95-247 234z" fill="#fc9432" transform="matrix(.00888889 0 0 .00888889 -329.106351 3624.046667)"/><path d="m496 282c-21 85-170 43-266 53l192-411-415-950h216c39-1 60 21 70 46 80 195 164 386 238 586 7 18 10 37 14 56 74-221 164-427 244-642 9-24 36-46 68-46h198" fill="#fc9432" transform="matrix(.00888889 0 0 .00888889 -319.897462 3624.046667)"/><path d="m254-198c95 60 334 64 323-83-9-119-156-122-253-159-132-50-252-110-252-289 0-214 163-309 387-313 145-3 264 55 338 127-26 36-45 82-77 111-69 21-111-33-176-48-103-23-247 0-238 102 11 114 156 118 251 155 126 49 251 100 251 270 0 266-233 373-514 331-102-15-188-60-252-116 28-39 43-95 83-120 49-31 96 11 129 32" fill="#fc9432" transform="matrix(.00888889 0 0 .00888889 -310.413018 3624.046667)"/><path d="m-660.6 3608a6 6 0 0 1 6-6h41.22a6 6 0 0 1 6 6v19a6 6 0 0 1 -6 6h-41.24a6 6 0 0 1 -6-6z" fill="none"/><path d="m1377-1015c71 172 71 412 0 584-106 257-325 431-679 431h-552v-1446h552c353 6 574 175 679 431zm-679 801c307-9 457-198 457-509s-150-500-457-509h-281v1018z" fill="#f50057" transform="matrix(.00888889 0 0 .00888889 -655.615096 3624.546667)"/><path d="m377-1009c4 38 6 82 6 121v888h-237v-1446c71 6 174-24 211 20 269 320 519 661 779 990-5-42-7-87-7-131v-879h237v1446c-64-4-144 10-192-10-14-6-28-19-41-36" fill="#f50057" transform="matrix(.00888889 0 0 .00888889 -642.326207 3624.546667)"/><path d="m519-204c146 0 246-70 241-211-6-175-195-185-333-232-183-63-339-153-333-400 5-199 120-319 272-380 126-51 311-44 437 5 72 27 133 64 184 112l-66 127c-15 40-64 51-105 25-64-41-136-87-246-85-132 3-224 54-224 182 0 167 202 176 334 227 173 67 333 144 333 381 0 227-120 364-289 433-138 56-353 39-478-16-80-35-154-80-210-138l78-129c23-34 74-43 115-13 73 54 157 112 290 112" fill="#f50057" transform="matrix(.00888889 0 0 .00888889 -628.886207 3624.546667)"/><path d="m-241.78 3606a6 6 0 0 1 6-6h255.14a6 6 0 0 1 6 6v20.5a6 6 0 0 1 -6 6h-255.14a6 6 0 0 1 -6-6z" fill="none"/><g transform="translate(-236.77905 3622.546667)"><use transform="scale(.00888889)" xlink:href="#ai"/><use transform="matrix(.00888889 0 0 .00888889 9.537778 0)" xlink:href="#ai"/><path d="m1366 0h-271v-632h-678v632h-271v-1446h271v622h678v-622h271z" fill="#1071e5" transform="matrix(.00888889 0 0 .00888889 19.075556 0)"/></g><g transform="translate(-200.832383 3622.546667)"><path d="m7-1026h196c35-1 64 19 71 46 60 241 137 465 181 722 68-246 151-481 220-724 17-60 103-44 175-46 35-1 61 20 69 46 70 242 148 477 212 725 47-256 125-482 189-723 21-78 165-35 255-46l-325 1026h-199c-21 0-37-15-46-44-67-218-136-432-201-652-5-20-10-39-13-58-8 41-17 80-29 119l-187 591c-9 29-27 44-54 44h-189" fill="#1071e5" transform="scale(.00888889)"/><use transform="matrix(.00888889 0 0 .00888889 14.062222 0)" xlink:href="#aj"/><use transform="matrix(.00888889 0 0 .00888889 18.88 0)" xlink:href="#ak"/><path d="m605-850c-102 1-168 52-226 108v742h-247v-1486h247v571c76-69 161-129 301-127 234 4 346 154 346 389v653h-247v-653c0-121-55-198-174-197" fill="#1071e5" transform="matrix(.00888889 0 0 .00888889 25.76 0)"/></g><g transform="translate(-161.534605 3622.546667)"><path d="m1165-1446v221h-435v1225h-269v-1225h-437v-221z" fill="#1071e5" transform="scale(.00888889)"/><use transform="matrix(.00888889 0 0 .00888889 8.764444 0)" xlink:href="#al"/><path d="m395-1486v1486h-247v-1486z" fill="#1071e5" transform="matrix(.00888889 0 0 .00888889 18.266667 0)"/><use transform="matrix(.00888889 0 0 .00888889 23.084444 0)" xlink:href="#al"/><path d="m635 15c-121 0-193-40-256-100v420h-247v-1361c64 5 145-11 192 11 33 24 28 86 42 129 78-86 174-159 331-159 277 0 379 232 379 524 0 241-96 412-258 495-54 27-116 41-183 41zm186-536c0-181-37-329-209-329-117 0-175 55-233 124v460c48 60 104 93 198 93 188 0 244-152 244-348" fill="#1071e5" transform="matrix(.00888889 0 0 .00888889 32.586667 0)"/><path d="m361-1005c121-49 297-49 417 0 184 74 298 236 298 490 0 330-178 530-506 530-329 0-509-200-509-530 0-254 115-416 300-490zm-45 492c0 201 65 338 254 338 188 0 251-137 251-338s-63-340-251-340c-189 0-254 139-254 340" fill="#1071e5" transform="matrix(.00888889 0 0 .00888889 42.64 0)"/><use transform="matrix(.00888889 0 0 .00888889 52.746667 0)" xlink:href="#am"/><use transform="matrix(.00888889 0 0 .00888889 60.008889 0)" xlink:href="#ak"/></g><g transform="translate(-91.214605 3622.546667)"><use transform="scale(.00888889)" xlink:href="#an"/><use transform="matrix(.00888889 0 0 .00888889 8.48 0)" xlink:href="#al"/><use transform="matrix(.00888889 0 0 .00888889 17.982222 0)" xlink:href="#am"/><use transform="matrix(.00888889 0 0 .00888889 25.244444 0)" xlink:href="#ak"/><use transform="matrix(.00888889 0 0 .00888889 32.124444 0)" xlink:href="#aj"/><path d="m601-1285c-158 0-198 102-186 268h267v176h-259v841h-247v-840c-61-14-153-3-153-76v-101h153c-17-292 113-454 383-454 47 0 91 6 132 19l-5 124c-1 41-44 43-85 43" fill="#1071e5" transform="matrix(.00888889 0 0 .00888889 36.942222 0)"/><use transform="matrix(.00888889 0 0 .00888889 43.173333 0)" xlink:href="#aj"/><use transform="matrix(.00888889 0 0 .00888889 47.991111 0)" xlink:href="#an"/><path d="m556-1045c246 0 380 151 380 397v648c-79-6-181 23-196-53l-22-73c-88 77-177 144-339 142-185-3-298-93-298-278 0-184 152-247 321-292 78-21 176-31 293-34 10-155-29-262-170-262-104 0-161 40-224 77-47 28-107 5-127-31l-45-79c118-108 260-162 427-162zm-239 770c-3 86 56 121 139 121 117 0 179-51 239-111v-173c-122 6-219 17-297 53-49 22-79 51-81 110" fill="#1071e5" transform="matrix(.00888889 0 0 .00888889 56.471111 0)"/><use transform="matrix(.00888889 0 0 .00888889 65.777778 0)" xlink:href="#ak"/><use transform="matrix(.00888889 0 0 .00888889 72.657778 0)" xlink:href="#al"/><path d="m254-198c95 60 334 64 323-83-9-119-156-122-253-159-132-50-252-110-252-289 0-214 163-309 387-313 145-3 264 55 338 127-26 36-45 82-77 111-69 21-111-33-176-48-103-23-247 0-238 102 11 114 156 118 251 155 126 49 251 100 251 270 0 266-233 373-514 331-102-15-188-60-252-116 28-39 43-95 83-120 49-31 96 11 129 32" fill="#1071e5" transform="matrix(.00888889 0 0 .00888889 82.16 0)"/></g><path d="m165.77 3406a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v116a6 6 0 0 1 -6 6h-116a6 6 0 0 1 -6-6z" fill="#fff" filter="url(#a)" stroke="#512fc9" stroke-opacity=".2" stroke-width="2"/><path d="m165.77 3546a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v12a6 6 0 0 1 -6 6h-116a6 6 0 0 1 -6-6z" fill="none"/><use transform="translate(186.235909 3558.88)" xlink:href="#af"/><g transform="translate(222.182575 3558.88)"><use transform="scale(.00888889)" xlink:href="#g"/><path d="m1480-1018c71 176 71 414 0 590-106 261-323 444-679 444s-576-184-681-444c-71-176-71-414 0-590 106-261 324-444 681-444 355 0 573 184 679 444zm-679 804c307 0 456-198 456-509s-149-510-456-510c-308 0-459 198-459 510s152 509 459 509" fill="#697986" transform="matrix(.00888889 0 0 .00888889 13.44 0)"/><use transform="matrix(.00888889 0 0 .00888889 27.653333 0)" xlink:href="#R"/><use transform="matrix(.00888889 0 0 .00888889 40.942222 0)" xlink:href="#f"/></g><path d="m201.87 3449.6h55.6c1.44 0 2.5-1.43 1.87-2.9l-6.44-14.46c-.2-.8-1-1.24-1.62-1.24h-43.03c-.62 0-1.42.43-1.85 1.24l-6.4 14.45c-.6 1.47.44 2.9 1.87 2.9zm56.85 2.05h-57.9c-1.25 0-2.05.86-2.05 2.1v8.25c0 1.24.8 2.05 2.04 2.05h57.92c1.24 0 2.05-.8 2.05-2.05v-8.25c0-1.24-.8-2.1-2.05-2.1zm-12.4 8.3c-1.24 0-2.1-.86-2.1-2.1s.86-2.05 2.1-2.05 2.05.8 2.05 2.05c0 1.24-.8 2.1-2.05 2.1zm10.3 0h-4.1c-1.24 0-2.1-.86-2.1-2.1s.86-2.05 2.1-2.05h4.1c1.24 0 2.1.8 2.1 2.05 0 1.24-.87 2.1-2.1 2.1zm2.1 20.65h-57.9c-1.25 0-2.05.8-2.05 2.05v8.3c0 1.24.8 2.05 2.04 2.05h57.92c1.24 0 2.05-.8 2.05-2.05v-8.3c0-1.24-.8-2.05-2.05-2.05zm-12.4 8.25c-1.24 0-2.1-.8-2.1-2.05 0-1.24.86-2.05 2.1-2.05s2.05.8 2.05 2.05c0 1.24-.8 2.05-2.05 2.05zm10.3 0h-4.1c-1.24 0-2.1-.8-2.1-2.05 0-1.24.86-2.05 2.1-2.05h4.1c1.24 0 2.1.8 2.1 2.05 0 1.24-.87 2.05-2.1 2.05zm2.1-22.7h-57.9c-1.25 0-2.05.8-2.05 2.05v8.25c0 1.24.8 2.1 2.04 2.1h57.92c1.24 0 2.05-.86 2.05-2.1v-8.25c0-1.24-.8-2.05-2.05-2.05zm-49.6 8.25c-1.24 0-2.1-.8-2.1-2.05 0-1.24.86-2.1 2.1-2.1s2.05.86 2.05 2.1-.8 2.05-2.05 2.05zm6.2 0c-1.24 0-2.1-.8-2.1-2.05 0-1.24.86-2.1 2.1-2.1s2.05.86 2.05 2.1-.8 2.05-2.05 2.05zm6.2 0c-1.24 0-2.1-.8-2.1-2.05 0-1.24.86-2.1 2.1-2.1s2.05.86 2.05 2.1-.8 2.05-2.05 2.05zm6.2 0c-1.24 0-2.1-.8-2.1-2.05 0-1.24.86-2.1 2.1-2.1s2.05.86 2.05 2.1-.8 2.05-2.05 2.05zm18.6 0c-1.24 0-2.1-.8-2.1-2.05 0-1.24.86-2.1 2.1-2.1s2.05.86 2.05 2.1-.8 2.05-2.05 2.05zm10.3 0h-4.1c-1.24 0-2.1-.8-2.1-2.05 0-1.24.86-2.1 2.1-2.1h4.1c1.24 0 2.1.86 2.1 2.1s-.87 2.05-2.1 2.05z" fill="#512fc9"/><path d="m-537.78 3414.65a6 6 0 0 1 6-6h228a6 6 0 0 1 6 6v19.33a6 6 0 0 1 -6 6h-228a6 6 0 0 1 -6-6z" fill="#fff"/><g transform="translate(-529.997632 3431.192994)"><use transform="scale(.00888889)" xlink:href="#ao"/><use transform="matrix(.00888889 0 0 .00888889 7.822222 0)" xlink:href="#s"/><use transform="matrix(.00888889 0 0 .00888889 17.493333 0)" xlink:href="#t"/><path d="m694 0h-282l-402-1037h258c43-1 77 23 86 54 69 227 146 446 203 684 58-239 142-456 211-684 10-29 42-55 82-54h246" fill="#f50057" transform="matrix(.00888889 0 0 .00888889 24.835556 0)"/><use transform="matrix(.00888889 0 0 .00888889 34.311111 0)" xlink:href="#s"/><use transform="matrix(.00888889 0 0 .00888889 43.982222 0)" xlink:href="#t"/><use transform="matrix(.00888889 0 0 .00888889 50.08 0)" xlink:href="#l"/><use transform="matrix(.00888889 0 0 .00888889 54.275556 0)" xlink:href="#s"/><path d="m368-536-334-501h298c45 0 59 9 76 37l185 307c49-107 112-201 167-302 15-27 31-42 68-42h284l-334 487 348 550h-298c-46 1-70-26-86-54l-185-318c-6 22-16 42-27 60l-152 258c-16 26-40 55-82 54h-276" fill="#f50057" transform="matrix(.00888889 0 0 .00888889 63.413333 0)"/><use transform="matrix(.00888889 0 0 .00888889 73.6 0)" xlink:href="#i"/><use transform="matrix(.00888889 0 0 .00888889 83.182222 0)" xlink:href="#o"/><use transform="matrix(.00888889 0 0 .00888889 98.488889 0)" xlink:href="#j"/><use transform="matrix(.00888889 0 0 .00888889 108.764444 0)" xlink:href="#u"/><use transform="matrix(.00888889 0 0 .00888889 113.831111 0)" xlink:href="#s"/><use transform="matrix(.00888889 0 0 .00888889 123.502222 0)" xlink:href="#l"/><use transform="matrix(.00888889 0 0 .00888889 127.697778 0)" xlink:href="#r"/><use transform="matrix(.00888889 0 0 .00888889 134.808889 0)" xlink:href="#s"/><use transform="matrix(.00888889 0 0 .00888889 144.48 0)" xlink:href="#u"/><use transform="matrix(.00888889 0 0 .00888889 149.546667 0)" xlink:href="#s"/><use transform="matrix(.00888889 0 0 .00888889 159.217778 0)" xlink:href="#j"/><use transform="matrix(.00888889 0 0 .00888889 169.493333 0)" xlink:href="#n"/><use transform="matrix(.00888889 0 0 .00888889 179.804444 0)" xlink:href="#t"/><use transform="matrix(.00888889 0 0 .00888889 187.146667 0)" xlink:href="#r"/><use transform="matrix(.00888889 0 0 .00888889 194.257778 0)" xlink:href="#l"/><use transform="matrix(.00888889 0 0 .00888889 198.453333 0)" xlink:href="#ao"/><path d="m612-820c-81 1-134 39-182 81v739h-310v-1497h310v551c73-60 149-110 278-107 236 5 352 157 352 394v659h-310v-659c0-96-44-162-138-161" fill="#f50057" transform="matrix(.00888889 0 0 .00888889 206.275556 0)"/><use transform="matrix(.00888889 0 0 .00888889 216.586667 0)" xlink:href="#v"/></g><path d="m-479.8 3445.97a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v19.34a6 6 0 0 1 -6 6h-116a6 6 0 0 1 -6-6z" fill="none"/><g transform="translate(-458.178912 3462.518252)"><use transform="scale(.00888889)" xlink:href="#w"/><use transform="matrix(.00888889 0 0 .00888889 10.311111 0)" xlink:href="#x"/><use transform="matrix(.00888889 0 0 .00888889 20.622222 0)" xlink:href="#x"/><use transform="matrix(.00888889 0 0 .00888889 30.933333 0)" xlink:href="#l"/><use transform="matrix(.00888889 0 0 .00888889 35.128889 0)" xlink:href="#y"/><use transform="matrix(.00888889 0 0 .00888889 45.44 0)" xlink:href="#z"/><use transform="matrix(.00888889 0 0 .00888889 55.751111 0)" xlink:href="#l"/><use transform="matrix(.00888889 0 0 .00888889 59.946667 0)" xlink:href="#x"/><use transform="matrix(.00888889 0 0 .00888889 70.257778 0)" xlink:href="#l"/><path d="m114-1041c45-269 211-432 516-432 212 0 355 88 422 233 21 45 30 94 30 145 2 183-80 277-216 323 161 56 242 166 242 329 0 307-208 452-512 459-308 7-443-159-522-390 80-24 165-97 266-58 18 7 29 21 38 37 53 91 95 158 214 158 155 0 236-120 200-281-25-110-146-118-296-120v-214c165-2 284-26 284-189 0-138-100-208-232-169-58 17-99 60-118 117-22 66-66 96-152 81" fill="#f50057" transform="matrix(.00888889 0 0 .00888889 74.453333 0)"/></g><path d="m-552 3457.64h23.4m23.4 0h23.4" fill="none" stroke="#f50057" stroke-width="4"/><path d="m-567 3457.64 13-7.5v15z" fill="#f50057" stroke="#f50057" stroke-width="4"/><path d="m-479.8 3459.6h-2.05v-3.94h2.05z" fill="#f50057" stroke="#f50057" stroke-width=".05"/><path d="m-349.8 3457.64h28.83m28.84 0h28.82" fill="none" stroke="#f50057" stroke-width="4"/><path d="m-349.75 3459.6h-2.05v-3.94h2.06z" fill="#f50057" stroke="#f50057" stroke-width=".05"/><path d="m-263.36 3457.64h2.06" fill="none" stroke="#f50057" stroke-width="4"/><path d="m-479.8 3501.1a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v19.33a6 6 0 0 1 -6 6h-116a6 6 0 0 1 -6-6z" fill="none"/><g transform="translate(-458.178912 3517.64324)"><path d="m252-224h280c2-282-4-570 3-848l-165 137c-34 38-114 22-140-12l-98-130 454-381h256v1234h240v224h-830z" fill="#fc9432" transform="scale(.00888889)"/><use transform="matrix(.00888889 0 0 .00888889 10.311111 0)" xlink:href="#ap"/><use transform="matrix(.00888889 0 0 .00888889 20.622222 0)" xlink:href="#ap"/><use transform="matrix(.00888889 0 0 .00888889 30.933333 0)" xlink:href="#aq"/><path d="m532-896c89-35 216-36 312-1 162 59 274 190 274 411 0 240-136 387-313 462-125 53-311 53-436 2-184-74-303-232-303-484 0-186 74-313 166-437l328-443c29-40 94-71 166-71h276c-157 187-313 374-470 561zm46 197c-139 0-214 93-214 235 0 148 69 235 218 235 140 0 226-93 226-234 0-150-82-236-230-236" fill="#fc9432" transform="matrix(.00888889 0 0 .00888889 35.128889 0)"/><path d="m1126-566c-12 87 37 230-60 231h-90v335h-270v-335h-586c-39 1-76-30-82-63l-32-153 674-906h296v891zm-420 0c3-181-8-372 10-539l-385 539z" fill="#fc9432" transform="matrix(.00888889 0 0 .00888889 45.44 0)"/><use transform="matrix(.00888889 0 0 .00888889 55.751111 0)" xlink:href="#aq"/><use transform="matrix(.00888889 0 0 .00888889 59.946667 0)" xlink:href="#ap"/><use transform="matrix(.00888889 0 0 .00888889 70.257778 0)" xlink:href="#aq"/><path d="m114-1041c45-269 211-432 516-432 212 0 355 88 422 233 21 45 30 94 30 145 2 183-80 277-216 323 161 56 242 166 242 329 0 307-208 452-512 459-308 7-443-159-522-390 80-24 165-97 266-58 18 7 29 21 38 37 53 91 95 158 214 158 155 0 236-120 200-281-25-110-146-118-296-120v-214c165-2 284-26 284-189 0-138-100-208-232-169-58 17-99 60-118 117-22 66-66 96-152 81" fill="#fc9432" transform="matrix(.00888889 0 0 .00888889 74.453333 0)"/></g><path d="m-569 3512.76h14.53m14.54 0h29.06m14.54 0h14.53m-87.15 0h-2.05" fill="none" stroke="#fc9432" stroke-width="4"/><path d="m-479.8 3514.74h-2.05v-3.95h2.05z" fill="#fc9432" stroke="#fc9432" stroke-width=".05"/><path d="m-349.8 3512.76h22.45m22.44 0h22.43" fill="none" stroke="#fc9432" stroke-width="4"/><path d="m-349.75 3514.74h-2.05v-3.95h2.06z" fill="#fc9432" stroke="#fc9432" stroke-width=".05"/><path d="m-267.48 3512.76-13 7.5v-15z" fill="#fc9432" stroke="#fc9432" stroke-width="4"/><path d="m-537.78 3174.36h220.2v25.64h-220.2z" fill="none"/><g transform="translate(-481.835774 3195.877613)"><use transform="scale(.00837)" xlink:href="#U"/><path d="m519-204c146 0 246-70 241-211-6-175-195-185-333-232-183-63-339-153-333-400 5-199 120-319 272-380 126-51 311-44 437 5 72 27 133 64 184 112l-66 127c-15 40-64 51-105 25-64-41-136-87-246-85-132 3-224 54-224 182 0 167 202 176 334 227 173 67 333 144 333 381 0 227-120 364-289 433-138 56-353 39-478-16-80-35-154-80-210-138l78-129c23-34 74-43 115-13 73 54 157 112 290 112" fill="#512fc9" transform="matrix(.00837 0 0 .00837 12.18672 0)"/><use transform="matrix(.00837 0 0 .00837 21.16773 0)" xlink:href="#Y"/><use transform="matrix(.00837 0 0 .00837 30.75138 0)" xlink:href="#ac"/></g><g transform="translate(-436.888874 3195.877613)"><use transform="scale(.00837)" xlink:href="#V"/><use transform="matrix(.00837 0 0 .00837 8.65458 0)" xlink:href="#ar"/><use transform="matrix(.00837 0 0 .00837 20.53998 0)" xlink:href="#T"/><use transform="matrix(.00837 0 0 .00837 31.00248 0)" xlink:href="#Z"/><use transform="matrix(.00837 0 0 .00837 40.30992 0)" xlink:href="#ab"/><use transform="matrix(.00837 0 0 .00837 53.69355 0)" xlink:href="#T"/></g><path d="m329.25 3174.36h220.2v25.64h-220.2z" fill="none"/><g transform="translate(361.577384 3195.877613)"><use transform="scale(.00837)" xlink:href="#T"/><use transform="matrix(.00837 0 0 .00837 10.4625 0)" xlink:href="#ac"/><use transform="matrix(.00837 0 0 .00837 21.4272 0)" xlink:href="#W"/><path d="m4-1446h217c48-1 77 26 90 61 125 326 256 646 373 977 12 34 20 70 29 108 15-77 34-144 57-203l339-882c12-30 45-61 89-61h217l-584 1446h-243" fill="#512fc9" transform="matrix(.00837 0 0 .00837 26.68356 0)"/><use transform="matrix(.00837 0 0 .00837 37.15443 0)" xlink:href="#ar"/><use transform="matrix(.00837 0 0 .00837 47.80944 0)" xlink:href="#Z"/><use transform="matrix(.00837 0 0 .00837 57.76974 0)" xlink:href="#Y"/></g><g transform="translate(432.161594 3195.877613)"><use transform="scale(.00837)" xlink:href="#X"/><use transform="matrix(.00837 0 0 .00837 12.65544 0)" xlink:href="#Y"/><use transform="matrix(.00837 0 0 .00837 22.23909 0)" xlink:href="#Z"/><use transform="matrix(.00837 0 0 .00837 32.19939 0)" xlink:href="#aa"/><use transform="matrix(.00837 0 0 .00837 49.7178 0)" xlink:href="#ab"/><use transform="matrix(.00837 0 0 .00837 63.10143 0)" xlink:href="#ac"/><use transform="matrix(.00837 0 0 .00837 74.06613 0)" xlink:href="#ad"/></g><g filter="url(#as)"><path d="m-260 3228.7a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v299.58a6 6 0 0 1 -6 6h-116a6 6 0 0 1 -6-6z" fill="#fff" stroke="#00bfa5" stroke-width="2"/></g><path d="m-261.3 3391.63a6 6 0 0 1 6-6h116a6 6 0 0 1 6 6v15.77a6 6 0 0 1 -6 6h-116a6 6 0 0 1 -6-6z" fill="none"/><path d="m4-1446h217c48-1 77 26 90 61 125 326 256 646 373 977 12 34 20 70 29 108 15-77 34-144 57-203l339-882c12-30 45-61 89-61h217l-584 1446h-243" fill="#00bfa5" transform="matrix(.00888889 0 0 .00888889 -218.527099 3406.507284)"/><path d="m377-1009c4 38 6 82 6 121v888h-237v-1446c71 6 174-24 211 20 269 320 519 661 779 990-5-42-7-87-7-131v-879h237v1446c-64-4-144 10-192-10-14-6-28-19-41-36" fill="#00bfa5" transform="matrix(.00888889 0 0 .00888889 -205.904877 3406.507284)"/><path d="m991-153c-92 106-231 168-423 168-331 0-505-212-505-550 0-237 116-392 287-467 61-27 129-40 206-40 287 0 444 174 444 465 0 54-3 95-57 95h-634c4 226 158 349 385 292 52-13 93-39 132-62 32-19 73-16 93 9zm-213-478c-4-143-73-234-217-234-154 0-226 95-247 234z" fill="#00bfa5" transform="matrix(.00888889 0 0 .00888889 -192.464877 3406.507284)"/><path d="m738-75c-64 55-158 90-269 91-176 2-277-109-277-284v-573c-65-4-153 21-153-52v-98l165-27 52-280c10-66 115-35 183-42v323h270v176h-270v556c-1 59 32 101 88 102 48 1 68-25 104-34 19 1 25 9 33 22" fill="#00bfa5" transform="matrix(.00888889 0 0 .00888889 -182.962655 3406.507284)"/><path d="m-203.7 3359.1c.36 0 .7-.05 1.07-.1l1.33 3.1c-1.45 1.15-2.4 2.95-2.4 5 0 1.03.24 2.03.7 2.9l-5.12 4.57c-1.04-.68-2.25-1.08-3.58-1.08-3.53 0-6.4 2.87-6.4 6.4 0 3.5 2.87 6.4 6.4 6.4 3.54 0 6.4-2.9 6.4-6.4 0-1.05-.24-2.05-.7-2.93l5.12-4.56c1.04.7 2.24 1.1 3.57 1.1 1.45 0 2.82-.5 3.9-1.33l4.62 3.56c-.33.8-.54 1.64-.54 2.56 0 3.5 2.87 6.4 6.4 6.4 3.54 0 6.4-2.9 6.4-6.4.02-3.53-2.85-6.4-6.4-6.4-1.45 0-2.82.47-3.9 1.3l-4.62-3.55c.33-.8.54-1.64.54-2.56 0-.17 0-.3-.04-.45l2.66-.88c1.13 1.76 3.12 2.92 5.37 2.92 3.53 0 6.4-2.9 6.4-6.4 0-3.53-2.88-6.4-6.4-6.4-3.55 0-6.42 2.87-6.42 6.4 0 .15 0 .27.04.43l-2.66.88c-1.12-1.75-3.12-2.9-5.37-2.9-.38 0-.7.03-1.04.07l-1.38-3.08c1.46-1.17 2.4-2.97 2.4-5 0-3.53-2.86-6.4-6.4-6.4-3.53 0-6.4 2.87-6.4 6.4 0 3.5 2.87 6.4 6.4 6.4zm0-9.6c-1.76 0-3.2 1.43-3.2 3.2 0 1.75 1.44 3.2 3.2 3.2.45 0 .86-.1 1.24-.25l.04-.04h.04c1.12-.5 1.87-1.63 1.87-2.9 0-1.77-1.42-3.2-3.2-3.2zm17.6 28.8c0-.73.23-1.4.65-1.93v-.04c.04 0 .04-.04.04-.04.58-.73 1.5-1.2 2.5-1.2 1.78 0 3.2 1.43 3.2 3.2 0 1.75-1.42 3.2-3.2 3.2-1.76 0-3.2-1.45-3.2-3.2zm.15-14.97v-.09c-.12-.28-.16-.64-.16-.96 0-1.77 1.44-3.2 3.2-3.2 1.78 0 3.2 1.43 3.2 3.2 0 1.75-1.42 3.2-3.2 3.2-1.38 0-2.6-.9-3.05-2.17zm-12.7.84c-1.1.52-1.86 1.64-1.86 2.92 0 .8.28 1.5.78 2.07v.04l.04.05c.6.64 1.42 1.04 2.38 1.04 1 0 1.9-.5 2.5-1.2 0 0 0-.05.03-.05 0 0 0-.04.04-.04.38-.5.63-1.2.63-1.9 0-.37-.04-.7-.17-1v-.05c-.4-1.24-1.62-2.16-3.03-2.16-.46 0-.88.07-1.25.27h-.08zm-16.25 15.72c0-1.77 1.4-3.2 3.2-3.2 1.75 0 3.2 1.43 3.2 3.2 0 1.75-1.45 3.2-3.2 3.2-1.8 0-3.2-1.45-3.2-3.2z" fill="#00bfa5"/></g></svg>
\ No newline at end of file
diff --git a/docs/img/vnet/ssh-connect.png b/docs/img/vnet/ssh-connect.png
new file mode 100644
index 0000000000000000000000000000000000000000..2baeee20e737fc91a78acd742623e8080babc4cc
GIT binary patch
literal 124321
zcmafZ1yq#X*DoTeAPo|NAkrb-1JXTohk$f<4Iv;M(vl+}jC6N*Gt$z{&>=PS1%2QD
z{qFazd+%9`XRSFryMKG1bM|?{loX{fpOHL6KtRBhkrr1$KtTV2fPkEhhWIe!+=~D~
zK)~Rz6cbajG%-Oy@R%)5_Eb}yChWO*757Et>wA&lcff$qp+4*m40f!5A3@Y2ue-it
ztEG>QJ)6=NclcpJ(3L&;OxjVjScg8m($#`YDSyJ4z<lEs+Be|R^;+?n+f@BU^5Nb|
zhR;Z|HV=`ASbL(hcpZ(%r#hunY{IV8grt#d*Qdy*{?PzJy-fLz=!ggu{6HA%YBxa}
zLbn9u2`hX_G=lZZF+v${mo|vF6yX?%@R1Qn#f<b#_KO`~r4oCaHO{WA@~2R1R9>n6
z;-~4k>nDMHGU#Mo7f;kC>hvsM_<OOAX-hPbt><Kg{gN0W3dcdEI%lQ(IwIACUH)ny
z_BHv@#lTe;Eo@1!Qc|#fJ{^Z#FM?ey;4^zzr~v8RlJe^~ET~aLs!j=~pwWk6gkQHe
z+saRig5in0j5LJh+z5)#E<+QFz>HWxjm<STL1Nlh<$zUmc4gzPFPUvH6e&t>$#iDI
zZgH%Qgpbd~P@On&G@m_x6NgRux`d!l6gR{vS{6c!0rh^XJ79#h9aE<wE_;vl`{rZK
z82IN1fjGt`-bi=7OnxYFXkbJTJzMA`PH*3DyqsVs_HbuDwoX13Pf>Pb#x9jlyiC&D
zK(&u@VtB#7-3j`FrxnSD2_(BPjz4$Ie|Ok0z`5|8Z@<FCzIfKPw{Ar7$wuY$NCzIU
zjJ+`{L-2{0PdPsxC9dNe(uUU9d#dmV^07dq?6M~dh>meZbdDZ2%9IU!iFY6KzrSOV
z(Wcc-?2U?4of13vY_Tlzu1q9ahfqF55ZmpP^9;fI2Q7Zx>(6A^{_!fr#IgLp-bnU}
z(*?I;ql<8}vsip1qL+~NyHDZ&hAzdqF^XQ1=o83td4%BjMEnz)PcjyNm=uHbr)y~(
zUu7I3E^?hfG_Hwz@EOioPKTuI=@%-B%-CGEbQ#Pn6xGiBEH&@3&{JBUehU{2@!`Z%
zs^*aCV>a+_|1p_*xq5kJr4k@slC*H46BXSTzpbBlAAK5xzhnM(p$(K4UXM<f@fkx)
zm*(NbO2ZK0Xnd2%p~h2iTq$&8gG^ES(}8^9bM&~>=+kXCaEzL}k~_s_d-I)(UqZDR
z=HZ1jvf&8y^5ezj7TK96%`s*<m{)@A%?Ng}I9^%k8*z?NMKV!Ar(R5hh4k1NT$J5@
z)X^iMlMMojd6^WsX1Ury0aL@Q4;qx;mgSR&lAbv`J=eB5?ZPgj>Jo&pF=-NMy8C~E
zVPW)C!rNib@|NzDb#GApmtybk?!dxUu~G=Wr$`^jZhp*oKC#G0Ob7JE%S9xRpwrQ{
zAz=PQ7JG**S0=XWh>UggSp@Bqbm(Vl>A?ISS9)|JXV9SfGBnvNGK~)Y9|6o|m{u#O
zzfcu^KI>g3;(ZQVVV_4pc4;@+`b>00*!hm6r_1G?*bqi#4;h>0(DRdC(J~9BCvu(a
z<z(`a{pIz)jEl&0qtuOb%lY@D_FlVT2n4zsPnQd5@tk9wqtH5V=@Id?+a8tI5smcZ
z98rUwWd=gqB97m}otkh<+uhfq;A}TczQmf#F~<NzG<8w%JKA(K)&Q|C+--4g%D0<%
zrsBxTVw~8_Tl|L9_~KZ{so&%HsUuuO-5q#S<bU@OuY;V3wI!zFqSn!WQ+bB$y%kpa
zif<DBraJ`peTsO0*3kC^6$Uy1I#fE^QTzOe-vP3@JF2$%nOn7AC5LlHvRHELvJbMz
zbKO)9m9H&0Qz?gIH>DzS9W6gssm!9x+Rft3BI^+CCx#b<r-T>E{*Y}5*UA;o6*WyB
zFiL#RfTg}T#<e}=LgB@f0R$@;zF$(b&jRPTk1nxSy{y3ymc)G%Qy!|^Z}B1h<NQZK
zRdw}hr8A8vO@aazwPLk}LNA@O=pAb=TP{?tXr16xJ=^+O#p)cZ>B&sC6nRp!*Blwz
zeR?BBCgkReW-Thy%I+F5O0Ys!rBV%hwbpNU;(;Yb#qCpH3zUnLv&s$E(j{YP^v5OR
zbNVOKOSOwVl}-xGz)8_lyv16@h{dKlja4HSLSuQBa~2^MC)LRo_TzvOA7IGO@`;tL
zBNxJ5n`yrM@m#sd>dB~|!{f};x9@AkYBhnnPz6>A`y_+vMM|O1fGqnQiY(SK!>m@|
zefV9PGEL5}9HgA2Xseg5MiX*@qbQ$H5Cho*g;0_)7hhIjh+&*yY7%o3FS1ibkwvaX
znUUCX^IJ}E=(txMS}bl=j9yFL+eMNJyrg{zWm`0xx0^RNw!$@|Vw?HkH2=L<ZHe<I
zC)A~Q+i2X5;}wS=N7jr^<r_1<ic>9{q)_#K{`MU%9&Rk2<TQJ(!*_nxM%J-5%Eslr
zt4VJ=#|GKwoQh4;OiL3}CdCWuHO@3zb;paFi=2z6b-@+BmL}HmRwva8@xyO)pU$Dp
z8P9pmrMbyBA~X`aak(Y$<)0gzU!JG!K?Rmy9K5K1G5G>U<|u_Fm9<9GJHnR0wrJ92
zV%4MPs^V-cK)^RCu;4i59__~BXy@e1K4oQd^-J9Z7<Ie6dO+ngbKqo>eqPt-_;yXF
z=XPypdBC~Yt(h~E58!eWa6G&QZs2P`pXYAWcb;|xZ{1aUr(Jtv0kQI>0;OspiRO7Q
zNob)#gMp*LV3VS^YExhnkw>jp>-q5!{pk$sq_#BPzU7c*Nea(~7LCRR>;Q#!#O&5i
z0#~5Fp{MsFhBzO{+c1Bi*O6Kf_hHTBz`xi+M@$aQgwdVQ<4|6qdG#N!46Tu2(gbt{
z3<d~@R*A)l6^Pn}=mc#BO@*8X*M|(F3y>(H$2>D6@a5{D4j@t{8YSH(=41UWo}i;<
ztfoG(@Bk@GmqBrm@p=~*o_&v2Z>UMCF(o&Zo5Ef(?_3?Rqj0b4+S+R28U=Nv+}AV*
z24z}Doz;>qBANFxjB$3<b8iRZ=TtaV*j08^4DwJQC5r0uBm$O;-zzO8Ejy|<U39!;
zucA*|`YGe56%Ga*pmf7^?A>kyMfB!*BnkuyLYxXFB<{0!^0H=Dn<Yc;^ICS8wXBR(
z)+QRPF`c?l?;))9(hc|LH%NuZSe3UGn&!d-$AjAO;~Au1bYth<tfLhM0Z%$kYSx>F
zVuqJemRMy8_UV=A`<Qs?rU+pXKzW`FfVCH-OId|MdFUvm+)lETQ?@}YxIeEi^||XP
z#jRU?#tq|T2GxD`PPQh8s@VZJmrG8t(5I$zFSn9{Foe)gI3&F@ZJc`=bdX)|zF7{l
z&4?L>rY_aAIkm?j>p$-#oMJI%8ZbQ74U_BNiGxL`64f%XX;(P(H<xy_6tJqZCMFr&
z&R*;?FMU};Yu(o3_uUT8r5J#lwk9<uXePAk_UNAP)~>Y_-_-bdp8t*}AZO$*{a%7!
z+El^tL4Dt<c(S|jusEeI&ym^Mc4ii~n^!ELx}s5TDrC|OYR+bFsPGJ&3{E6nRNv6h
zFL_b0SUKvkHWtOobIhavi>$8RD55{<H?w^Up0B&D^{=TOlC;!t+X-8VIdU7|jPH(j
z>EW*1%YC|~V_%2|B%3?yTs*^Ee}QF9pK<5d%hTuLAaVibhjy1$-=1%@OMWY~;cZk3
zIs^-w-FcWAPPEkA8eEh5R@_;xJ;``#8l|<i*Rz;6Pb1;1;|y!>3$$f!VMg_JyYn<J
z^t3*sY!+jD!SRBXZ{F`aTzW~le>BsCulJx@!Mf2AG<GaUy9#tkkL35fO8#jW4K@bz
zJIx-t>=J`HQ2oxXs<(@JXL{T&&Y!l{-@AS5%*i=Uht+SMEW&j8X<f)$upL%@buUM>
z>V?<2oI4F|j4<|Vmgo=H71Z^#o^Lg5U5zhA`1*O9tSAf&SLmkJGT4zWm0Wh-#Rxsa
z>dq2qcb`3^S!{NUaX&ovnYne>mm_~ip(e=bt##3NrfltQad9b3dp~og^&4&r+&0wl
zvjrJntV3F#-rF5!Ow66BT~*zKO`#azebB*qQ!#7F;dw*=k-cG3GdoEAdUp3LpC{j*
zyd~o@`n=?K^X+vKmNJFiInn8bT%8IF2GS>z%nZyUs3L+HiT{WvLeF~pg_!9F|0wJm
z9&%8KS}>|eAd3hH3jxN^wz!YL-Dmjb>Fa3pFYB0a`0*QCI+R6$MDa-^ILn=n#(Tn>
z5T%xQ-=gaX4ve~nb{Nd>i3e)n)A#99f)A$%bO&i|X9NVow~v2MWK^h+5T4B7%ZR^M
z^O)UBYqnxnei>wYd!zSL@%>&kfq>j-8uls5o{e}m4r8gL?x9E%s$cf5oy+~{Gxl`K
z5KK!%OO>H-tj?Q50PB0>&0`NiFqAHQl~*wiske&`LoDb$_Un+4`lZ7uB+0#byIS`*
z>!&S;ot-~T8cMvI4TPY97m+N<&v6y!JJO-%9whRBj?FY24Eq(w=VCFQg5*F5p5SwN
z2SKtIU+X$Xy>vGtzLwcPrxs&6yzmx$0Y$_kV`CQFA20oYNLh|Nh+_yk?k4)bKW@NB
zGxx)HyR_F_LGojF*LTtA(QY%a>lX7aMK59LmA+_wdQrDdw9Z=-vfg*@Iem1TvT;b7
zZd6&Gz6^nZ3qBp+p5T$TBS{{uuTI<4&YgJ)fuYy8zO{3<+-cQ1#X7}FvbmyJUj{es
zNZW5X0-&&y=(X3M`pqga#$T<cOWQ;#AZq&?b)e435Ow`O^!#JRO>3t+8EQNd8sA_a
zTST{Uy<UkL!<kp}sD%rEM*D{{Ehde^NxNESeI5+4J3hQ;00Idd&GdI)_3S!6;=W1W
zN1g+HWduS`xYLH6>K~N#a4($PIrHjVao{A0>Rs#q$ez)%%#o&G4p(Gr?F%lY*jpG@
zBvD2PUa2QhnC)^!M#hxnq+uXc7RRU-W?4t$a6ysPt8=sFWYL*R43jKvn<^$6Ex3_>
z*&OD3OpRw7e^3zR304}wfy@7DA)cR)B%eb)ryW(!HaRs8TkHm0?^QzoUk~9lpE+Uz
zGSVnXY`C?x^(DxFPeob9(#hIdE~R2_f3}ckzgawHl81oP_L*yTr9x(FGe1V>+S-~`
z_3ZR?a{os){zG5K9F4-u7DaXFiC*n$g9?4}VB$dFT*jGq@7Z<f<q4sXwa^Xa|4)<3
z`=WE#%4+2qWo4E9N`q3y00vo<_wNJ*=9ZR989bew#&*wae&Unzylp^GOE<f|DwwRV
zv)XQ%IoR@;u`%S<6=o?>Y|W@QP$x>-BqZYD<|c{qs@@@1)iGfC$X*#AAD^#g<>JB_
zD~*AP*}ZnG#l+3a3x7QI|1<7njYbJ2b0v{`V`F2>%ge*U!sKak$g~-X=@q7SxlCod
z2Z&e=k{A!RFE}LR6BUq$!O02>wfxh?iWdcwcGab?&J<sr2E{=PJ{lIRL2g+~H5aMl
zWxUn%*=Uk=zow>+m43H->?!;maCZf@2T!Yf8hfc)h%B4b8P+xDekgqCr#_&zsy0>S
zGfwX6yf-~3>4$cDe$I{2xv;RH$5LBSF=hec%;OXWtLv#-zxDjz3_a3s@<sCHQ-(*1
zOG!Tu8kg6Vm6bI&FYKNraM><ZU0nUvmAdZ&WL>AFrDbGffB=Rp$v*dDS!J9Y92|mz
zL$uHTRSjYJ_yl6Sae7+Sk^4KB&CJr$(%zmGLoAK=O|(#<`|OUVhsTc{OZonjc^mFD
zMabGQF9qFyi2WhiAM+jZLE8-kCXoS~?d_lT)6VB?&)P<3##U}_K(4OUT1*Wkg|)dV
z`C3dpFtq<rE?d&;F&NIC=YPvD%CECzJ;dJt(qf2RzpY)co4&Xer&{sMTzm%rj8td-
zhX&yee4e5Rfo*Q$bH?|7#74?cq`ew>uyp&il$6xdr%&H66FvKExHkv1A~7QCU8$F>
z7~)5@xWjlUEB$V{>Pr)T7ZK(JQmP0dd3)l|2)cu3UWob^XdRI+oWom|aT-#(Pizc4
zl3Vvf>`SLrg`WHo?5`n%Q%M*8(j?U-6AWfe9yEa$?eYr%OtpP|eP5siCMP?hQ9_+H
zpZ-;ImIiu)Ejo~T>+8p!l3=Pm?K;jm!v-pu-mR>xjERYPxpsSd+ui*+{x5d~+jteT
zXQ^yG_&lnsdc_(F;}fnKx%;pchp)qC63UU1IoKU%XVu>SyuF_gV1~AG={d1`rm`hp
zUul_IR8X*B=kD!&eRl^SdqF`?KJ>5N+%bU01-tMxd;8Xdg9DWVd21-s8Fb&x+sTQY
z{63OxaelrI|F6<N%^p12!%H3m1Oj=|6x7wV^`}oR1)(Qu;^558|8PudY-+-w{NCmH
zC#>h!J{n0IF8n?qkbJ9zGUyVkvovFAslo4R=|0+5tu%1wjKcfk_k>zf@00Z6QYVu{
zb(VRZyC)j2$kEZMsj&Mth%LxJ9idQIJg<7o@J$d2<RAHSz#psO{m~Oys9MbV(8R<L
z#q!8!ooud2mhax<d)IO$>45%bbeS@u)eBXKDi18vyZ(Y&TWjeqL-)L?0xl!-g1=nu
z#uD^7DXS)dLTb!ls3GY-HYymiNrKibOgL)6#5KchJ;pR?$eQ4OM4}UAu|ZLwJYtEP
z>Tx{l-WVWz)m&10cNdY4-MElvX;(Edfq!>cC;n&PQwlEQ;Xr!V-p_}b+N~`%dutjR
z#;`~OfkbTiPQM_}7UZgPDM$vBNt->+>=Oo~avM}I+TI<@OycY2U8f)3C*97q&gWq^
znq8&8qygk7#I2{dpZ*3rG2SQJ&kle$j74P8*MN_zWJA@BjXV1Ks&}XFagF4F!qik6
zT3_!wu_C-0-R*Ti`SS;RB_$)MSO+HLAJa0Lr)Opyx0Fa)gZ|N!ykj_AeQ{^UipjN6
z=Qt%X@iWhsGcOsH7p!tjY4tKI|E5!Cot`J@>7o}KMqoGX*tm_9DMWaABEUcsaTU1V
zZDVF%sSlzeHiRUNSX&dDXM(u6@%@e8wL1Ti0M1$e_*}HEPuIX;B$*gQh`&B~dU12f
zf>Rz(3uIyeu#J3=6lRlKl`~D(x}y#YeH@YLinLUUNEr{?ku3B1xmtTHGF~NJ-9UrJ
z1(s|V?Lm0`iis(Na&JPnZ4pd5;1K$&Y(+J{RWQ-WTqHh&(Yn;472t{mmc=36v~pLw
zk-`+{tQEv?s}{Jde)H%v<D+`*KxjdMtS4)&okDnDx`4ae0=>_T$CG;v0z>MxuHUpW
zf0Y0Dv2q66acV;C%|RD?t)rZr-1YhXI3u7~!@8<E^N@5Pp$V_lpq?2|$>y8kln>SQ
z{D%eF0Uke3hCzNVo1&K$z<Rls+p`o>RJ*b%RiIFg6>pF$_^)4HMZ9%%a#}s#*R2rp
zIu#jS|Cz&`%oyKp9(1Ya=%}pJ!zX-y^m{{2NNB<RU|!=|88<aPhYkMm=pWSvjLWy$
zVRyIJI9??hpo4`*qQlX&goKCi@0Xcu>r__THV*_>X!ZlZ*Wm?Z=U>6QVFY%XL(haT
zt21TUca|caI(iI2&$`B{DW3_6L9*^|>o%Fe7k{{))(bf2>7yujc8XCUDLB_wSD&As
z>(x6EGbV8JP&o6dbfALEGmwDoHda;>y4u?GUSne~$c4O+u=>QU?d$*^Kj}q9<mbkI
zySiU^rc*es@hnxPZbl>~68r`(Biht_Jaut#S&nmZ=BgDSy{(h>WW6|q?gYxow%}$_
z_Nb04sQKwI$#k#+43>>2n$g51zJ34RRlu+`Q)!NZa)pYD%FjQ-#X0eoR(CpsV*V`l
zO$aIq%W4uZoj3Z)%HgzC^|A=)AejZTrWSmD$>8A0=C>6$Y}SpuR^fO|#ClFHyr`$P
z{{C~h7M`#1r5yDmCaB`D?XHp=if1d$p;kwio5N`fjqYm{QCkYq(%3j@3@(FZsx7G-
z-!`AGtUBPtZv)Il+UV0L_YyiMf;%PTtJ+Vcr)n@KQ#ihkuu|YWjM2>(06g5)>+5Uz
zWE)!>8#Fvnk6T=7s#X2PoPF;L3OgMw5ByE+6eg;}E&~%%l7?`3Wx9jK<~J8p)6-PG
z@%G0s9bKStXO(^<H<M`J$Vdmm*?{996?TadGm1Lu>u(upjkFg9o!BbDDHI>0-iHW+
z;0Wr8SqDUvTkGo|e^S1AGyUbR=g3ngH}`Fw+8TU&`;bck&v%73sa5=s#Z>4kG>>WK
zhXihP+y8yZFiJ{6!AhkXYo%MjoLFxbiZoH!!m`_#+I02xp+KdJi}!0<c-~*^DHYBR
zlsQXme%rc-_4+pBg{)Ci$-2c%UNiByD8R0YZy<V&ArgOap2i1na>yF|s@DHjH@5uq
zGk}QzdVmm@nfLGYa?2YHr7yJj`uZ7LSd&U+q0~?&w66Tk<A&qq%G|fhKZb@d#t~&*
zF=RPRE%<qONOxjbn1;LsKj)nU>VJK<Myb{EGB?HSB0}r5W!v!mw)rVI`DXt4M_$|1
zh3s$f?X-_!z)`Mhrwtg%5OAkDjr6{~I;*jr`?+!E^#%*TYDsMEn8!o6mO#35?iAmW
zb)Niah?p%s`yMBu*TCHoCM}M#Q-)hG!$xG&3iZw1ABMJ5%az5&5|}?|XnL-%ybuFB
zkz*ijobbqfYW82xm(0vs9u6TLhZFfV-?UsnH<C(E9x5^y%BP;-<;s#0H{;b(4vulF
zi4bzmA_GRzt^IusO$P#;&VlByjAtY**LJc1JT;UQG=->>H>}XF0yQ-?LG^}wd{zkQ
zU%z5^!aj%c(8+iA<>xnAL5I_L-m%|w{Z5wtQ&YYd9L-gj4qA1?29sIOmhr^92<4m*
zr_0V#3B3w3dM53NS_g2HuN<j|nGVIrr!e1}3ehQ2WhV$H(Z`Q`B~|SB2f29|4;3yV
z^~=g}ywfYSgspyGL58sh16QbfK4A4~sCh6aeJ^54<|iNCW$uNqult_>6&1G%YgVy~
zmJ7^mJT!h-Vuv>NjML%d7$cNuz_WfRzi8_e==PehCM6|(uvLt6GNOH~+UZzJuX6A3
zpydO<a8Ay&s*26k$@@vqHqq+5c3K7tpOyi*$BL8bs!{q*{!hG4nCspz<uht{SrA2@
zTJv3Gq|12N2G*B9O9q|%QN2m;3pMYaX0J1=hblda0*3lX3|{S2voEWq&F069)~2m5
zPVU1JyQySZ&GdUFoZmh~-hP+@xuE&$FupQF%5-)=@9>FodXORDF+Z{uh(T0cDhy1J
z*d&=gv`ORld+aD+w)C!-dn?6Sfi}3%$b`nShN3&*d)KC-NF>O3R+1=HHV4WlG<wtA
z9DFeV55QM7`fz)j5JyafG=WC;)hk#6!x-QAva0^r`OYL`#eGi{+xYUseoyQiwrRDK
zU-sG-156bDK9RH)yXx-UGv~8l^L%#r-vSlR4HwU#6@~KN)Vl6!lunbXA6?#GRV>X2
zG-m!Np~E;qJ-x8WdGif-5VDNW`I-Z5RqLg&ba_I!4E@VjFWXpe3J3}$tg|9R74WL7
zd*G;%Vc!hSvh#^DW=RjOsp2;>D?>W>I27?{590}(H`AMW%+L9pjWUa>msyv*hkq2V
z$@6@}^&>~4my5$<=Y|j2h$K(<UCS?)mM>N;<+ejE+NeO6Xp}+NqG<He$1@8)UCJG5
zSYoZjtK+^nmA#No*%z3Y1Ct&gY9F7Q(K!|XZhu4`T9*s56Cs$0Mc!jqD@A&!zssUZ
z&N8Tz(#P*hKg0E#w0zDN6aeaErM+oNfI=*WbN&S(=4Ty2!P4F7)_9KCKHq9?eDI^p
z2f?dZ6SlG-*?e8OV|rKXjc;7}uOL_=-*0}TcTpL1L0&3cSk;;d%D%d}Z8HD?7Mp#2
zVdH0AFq3fLA9B%Ws-W`=ig>vLWmQ$%aG-s}mNAx!0=kM8mwwtS;l)E06G8&Rjh!P0
zdGT*=hS}VOL%K}`$5hnazLgZUJZ=9FKPIxTeap~b$$t(TNF3}DB3&KdxDKzuKeoJV
z0<{c#3C#rud;Kd7?b3hMd95dkarI<lFj?u_RIc4zK>v^sKsO^LWAsAv)qS=>Nv%q4
z-n1U~J(r5`1~s8_QWdY<!qxus#VhTdq(4S~5hVco_%!q8UkeI3nAzF6oz*qn;HiSV
zw8XnI6Li$KPtSczG@V^f`_j{!@{n?_7-v6j%7DWC5=GPvO#R)y_wgsvu`Gu7q+o|g
z1`ZA7S}0p`FRhNBd-mTBKKqYre`j^k%FboC?e9*PMi?}EeI^Ij<k}r_O}{q}-{u5C
zHhE1WF+%eIck_A>rh4J>an20f!I7!VP@PM<PZ9}l&ypFPSzRL};J<PH_*&)5Dqf-{
zX76SIC19V(@z4nUC$cI_)?TrRkIQL7W<uVHfLjr(-)dz({p&S}iiYon9YiGq$_cQ<
zcp)KhiZ11v@)^(J>iC`K@X$l+|A%ahdaIwi&#kP@Ohw9S{9inX+He4}1SkQT>;T7)
zX~%pTy0H^Q<|=Ulukuu1WaqPaeZVp8pJA=xo5*vyNH7r^iUcA(_*m^MSq2y4_{Ell
zj&NmA>JOx)--iRW7#HX@)Dm|0DFygvvB*MS>*#i}td3jZsDh%SdrU#j&Pq^LL6@y>
zMXa9y$yfKdXL7c--pt*Q`Ex<5F$T>q*FP9VkXm%SuFNtHcp-T-lLBQhr{9~y+i`Kl
zJFkAGTPPJofmL2Vc>m5*K|VeCn8!}9SF%5NSs*pd-j2yH@L!zA9f#RKvme%VEFr*!
z9qZ+rvA9SQ%Z#fhR1BJDT}tANc_uifGTu3d!>n8^+L>`%DR~mrPrgP!1S0oSad9iL
zEx@*5!I=O5Fz=nvZF5OA2`TC8btPvmLIHZ1{Xzr!TeHVR2>lh$>vyMTe>nQ-(-VB{
zNhm5J=H``yWuHJ$^X|@0dPYX<Nmy4pwDzs{G5Yf#_r<ZXMn771b{ML;vCFR#ye|k@
z44Qr}_)z0+zkCU|GBPq~ot-?(_mZNnSUNV<)j1bA?pf=+y3CRCzQa1Uyl*OlUioD5
zaYUzKA&~$x1u1C{=TicgU6!=&aMAyi7|O08xVSk`8k+skf3f*h)~*2x*zVC^<sIg)
z?N^i0HP42ijc)glY=q5~SC~4c#LVLgDLf5_Q)=W1D)Z<Zq%LjyF2-zwPX4J_ACAMQ
za?3R8)^Sm>B=y+=wnRAPF!HrElQi!BtGmm~purEk()~(9Dj=$H98Cq}!YP!Cr{gKZ
z!(btA6!h3QV&a&Xx|mj%?QE^Nn{ePY44F2(bPezl*JUAUgEjUaK)QT6sMpzXlK`=>
zuu!dy*YwhE{ZhUvDyCOIa^pJVNToa*|B@4WR9Um!@+x-#?>exhJ4F^JWxGDpDV^`F
zi)G%k@kH91eR{i;QrFRRmU8nJ!tu+^e^RP#6%Q#;A+Fe>XL)&=MF>z#$kx3$F~L>!
ziL>_&CeB-<@oB92=3PC*1`{`zJ=Hcz5MrIWu5d`B&NQNNXSbKx+KW<y+q^oh7Msj&
z$n6Q@mkOmyr^)%MxH#k99u*Mo-zq81O$`2-amWFX0O_!)HJ>P$|0+u}Dn5qzrdMS8
zxdy*e-e}7|7^}tVw&0JLVJS5dx%a7ij;H=Y?bK%JnmXb;6k<uihKzSP`&aMZ<>O2D
zxtWsrA~YBDW^y*G>+7{E4s^}578wT5COfI}elar6kw;{R4&=%6`FJ%|R8Wm8pvd0_
zbEk~ytNb)&2(M_+lE*KQ$Qk(jxe*P6oRm}@#cYwbf|BD(C*ezXt!m2ACAV1U$jDu&
zk(cKp9xcklK`uek+xy|mg@F7qk$WQBT^7?5pRA+}T-k|P0P7PgXA6sWv2Ym*4B@C+
zIi}L<o`)^gU!YK$#Q;MeVF!bPy|<3(Bd0Z*wlUt0<MF?ZQ>1;iOWcE>$N{^mX}(pz
z$UuWhk+BLtEI21+D5`2BYOh%3oWa29-Gj@n7<v%wk>hU)Z}-YEN&H|(!MT2d;htq`
z;&3hsT8LvFcR7d5H^K(Xg}N;R-LeS6X9gl!tCH_=@FhxLuMG86Kkxp0(1c+4^5vJ~
zxk&8a_iWnh>+gor`-{jIFA!cb=Bg;~2E&FYcB@5=s3PLO2SUHosC0~2RZ~^RU}Y?g
z>RjH*SLW;2+F*t0`IDWi(y3#0iij%lc{P`)476xErL`P-8mQW7jQt$-+Hz`lnyG-}
zej1GTy6O1s^w?w);fF`+F328TrV9baUBP)Aq=)mKIaeGDD>b`=AHAiMTKIc+6Ln8U
z3e(<<t#GUFUdA;*ovg)#Dmt0}w(2UryZ~rpKQ@-yexZOLy37Sa&dT^gjjJ4^i~{#f
zSN$LXOIPodF0dgYG2i7x5<2@ZIm1lZ$vyA_1aX@t2g3v=t0_w4D?<u?G5ko(Ulv)K
z+&^Dyu`81A=e)ChWQ+#*(+}(OiUFF)D*|vo^@y<w*?ay@_G+B8`Z{tw4s|v^an9pt
zyv?EvG_o8Uk)KY3H*3w`UQ0d`VRf@k_U58LPAK&wjQAa&LEOu#*3x*W0hvo<5FA^{
zva>DN+^NFg2gK4o$_fBJJ`oJcSDoLzq$U6}VLtwhd{#X9`?m^+i3w!#{&51qgbpo$
z7ao~SXC7J36tRr=XY%pU7FyG=e{qcj{?818Brm+G$ol-?m6Yhq(Ci<TJ<CE~<;)mg
zW3<QQ-;EVzeRrlZ9)s)-9A4io!HcS|xc-ug6hZ9d=%FXy*@9R9;UB6G%7pPjor@=r
z(Eq*^L<)d;lAC<rZIGo8|EoK~>(!%rCb>hQg$p5t_?3T1(Re^pI?f|7&%DL!3Z~2k
z<iGR*gy0Jwh|iLc>pwkWBxV4_a;F)x#`|9wS{!?lNzK+M9RDM=>lNU_2UuL4Uiq(P
zX#Aj>sj(W{R>S|TMHCbY8`qKBZD9BtKm`A9-RATg_HdWAf0g0~ZKhAVDl8phdApaA
zNZ<!Q@n}eQ4%YjW`1;o`<o9Ty76k9{u-)G?zK{G|uGC>?(>2vWlUV&(^MfysFsc2J
zy<1?YH0~Q3G7p2yPZ=}CC}u_;mm`-3vMFib|D5yw^T?-mj{ly}5C%Q=(392nsB1b}
z?oKRp|0hZX?`-)@KFxhSw^_BAbIa#Jo3=as&%Z4BLUI#I;DY@81AOkuSJrlaFoA%e
z6k#DGCQC01rHNLNO;3X({iP^i1elwfH?BJS`3dLZuVp&+7yr}GEnonk^1(VgJ852c
zgZ^pns}q86jpl0Bj_de%dFgVy>cjqt;y0@JB<C+G;g(Rl{JC`JbjE+37%tCqnx2vp
zHdaX-B^jS<r|>T;u9Rr^B$b9$=ZBU)tjXfv(EPB?pZnr`=ep`#Hlg{ScNIWALFOZT
zvQRT`?>X{+&?=IM2X1~(|2F(lW{oYuztj5Js~GgT4_6CdJg`{zpG0{uU;B8*aFEa5
z)|MUsT{%Xdr}%4sU0)b9{p8@luCl&fTUHsAnR7Vd|JT~Kw>o>6dEKyMm0J3@-LM%(
z=q?X<sMXi~{^Tmh-q0(jloHTosTWx~@sDJOSUhlULR1uHH*874bJ44Xe_!C9t|gq}
z>mAbF!ouf72o%udb+Wzh@Cv@PsvSYgk|}Wipoag&YlI(iHb=zF=Ca$hLI6~|;r?RS
z{^Z4|T_%HX-Zj#Q?cL(wMq-RX+p<d6I1%)l-vd>fH#WkAv1P@C?Oe@5mw5uX7Z2=%
z2ZjuJN#=V>ZUQdb7he@|<471GjMxRI_4bLD;Zy3gH>mQcw|_1U$TfCZ>tH~`b%FKd
zrj=Zg7{yWAPjfVX7S)}lj!=Z$E)P<P9c;!quN*l;+pG+lu3{UbSq<-n{4RZbOrV)<
zT%kG<;Smjk$S)JO9-(yl9^q$}a;>TM2<*f_UA>nF&>H}iQ-ONN0M^lKpNCWQ;?B^P
z?J1Pb+cf!J588<^W?wlGOA7HnqRj^z!DXYzyenh)$J~s~)ZxWitUJgc-K&I)`{G_a
zy*@$9sY&A;or%G0uupI~`1D3OM)846gaQdczy3HyrJ$fdbJ|rI|5*PhB?BmgYAv7}
zf;xx-F8_!<NE!fKwu082pMd0apA-*PW@a;FJka_B&=4B1LD7R1>57mCu?Z?5teVY^
z366EXTDh>d<w_6YEZk3dNFqHNgNyyAB;HC2Nvi*=tv*Kmf!@*Oox5y)$?oDu_Wm5Z
zwOHY<lx1fJV}XDng02p;`cJiOh%L7_6qr3%J(>T51JBsVGdstJuHQl(UAWnVEl3B{
z3%gx82<)W@0ZL+leeLG9x;8C5c2sMGboYDAk-$=W3%WM=>IfmnKE@&XxNDVIG~qPG
zY|le27|#Nxv@o9Ri++~<R5c&)I(e#Qo?f#XiBju*5FHY0Rh3AyLkvEC0L@EQAPN}t
zt_6F&UFtSjRbcmkea~)gfv<D=#%gxo?ZRbMKK)YAe5@AuoJaqFQyNqK>83Q2$IqG1
zWv>tn_v6U^lm-WKB!r{ej$BE>?vF9KGJ#$(&=z8_f~UbwjYZc)>|2fn!Og=XJ|lbU
z7Z>nTG%&Y)!@T7$5<yfN|H|k7`f+a_+>e03qJV(Fp5RtKru!qoB?iK(@xGxK(qXQt
zsR@L;kkLXp09=<q;-RD+`Zba%Gg5#Y5z7UfM}}$1rQT$RwrvKvjin#w52s`r1cVe?
z=)~eB952E!wajGXbR-X%h^P5@_k7atVAjC|n%62}xTP!fgJK)qD>XA+PvmKWuqzLc
zV@-9G<2yXRbV$rIZ8!hQR1;1nWaoAh@pPuhx$(YzRJFO&{2*<_cjy|4w-MpjTfRS)
zVR;M*VVS%C<i1%orb+8~YS$IAsC^cKXs&U}cqMV$V9<rBg?=`0P7D?c#@I#&OT~~6
zpF{$S-L16Y330^0)*AMcqf0IQz>9gKexLCfpdVT<)Bo^|OlGc0@(9?`2G(FL`}Oua
z(Wu-u^3!<XMBcX~QRl%xA5-#yIjUOjAZUurifX2AJ!Slk_EZ_a>ywR%wBB>)@$zNn
z2R9*f{HcHr#)t^*g_&XfC;gDr9hfVl)(hU|B7=Em?Wr1|D&MPK<x`ATd`=&?er8?y
zt|s&dHo4o#N5yo)m?7Q+()E0Ys@98MMGn_mw#@~w4?)1nZA3A@7rm_iUF|W&Q?lc&
zz0cLX>U5}yi=y@)k0*e5fWp+ym9m3F;+?%cHTck+5I`z%=(jzbso4jfAeEW_YP!s<
z1NE?{Rq*Gu0HfO>o&K+z<u|4ChI-q<&?ox)Q#K84Kf#^K7|VNzAClMqT-Ex^;UV}3
z?GU%-vjg(0t2Y`tK9X-mox1th4n}F$FuTqPta0FmZIOfHLM}9pD+EEZ3RH<B;(<f}
zt`Ywg5flfvCuMR@f0n_vTy%tQUNkKBx@6w2{ppoEv7UK6%;D;Db$k2612f+}Gs80}
zefXnuLO8eMk7VG~AjEWigx7zTr)5Dj1f|d&?Mrd(+s&TBfiK8ewNnV37>%=#0!UEj
zO6F0%Hh7a9JOoduT2YmUyLbjcL(srM!2jyGkw6558FeUZaJsgHXK;=%66KrGuStLc
zoQ&J%Yqt5;(MqT6w+ALcz?dWYnINbKuBy=6axYxKlmB5ww4YH#Lk=*~&!|#je_a01
zg$z<z$?+X{aGbxMvSC##8TFBG;n9fyj%X#Jg&l2!7K8dx&4EGPJqs`mNP~;s-70@>
z@hJZ=<v4{K<W&olk;%lR1w9BJVL@<{iGEB#5ha3{g6OFH(YIXzhDPHrIdP*x@bD1I
zu39q9KI<Beevuta(jEn<^9@HrGmmCQN3*;^JJ(I0fzLG>hx2?In#UU-EI|h&m=hs1
zQcFFuY;%%$lNZI5vfU|XOOn{r6NZkU)lr<;U9QQ)W1wzvN{LxSr?FoHYz+oFi$NWD
zi?(K*W1tqC1&8S1#dyHNIeje#_;?87jSJwbdh!sfy?<&~BaPS9O+cDt-y_F&3*%})
z`Vu{MSP^cHy`=}qcjA4A)*2v3^8;`!Qsx$k!FUgLlL4CNAcL6c<dgs1ZAs9xs@2rA
zp8iK}<$c8g#vql#)oiHc7m@-nQPZSKZT5Wr(G1U8r83scOMqd%_U&kUX-o6zctMg-
zT*!Hfnuv2@W)QIBzt*#|Q0<kedrn0~d4#rb2|JUVT^-$$YhjSpU#99C6BxkHKndu>
z^<-Mc1>7axoJuIW*ZBo_rUuww^xr+{FJX7`K4+r~Nd!R+s?(TL&D<6-&r&2*Qe=UQ
zISGBfXk`ZxHGgQ5)b~Qne5`sPQ7hy78T9+A!o#}P@@az2g|sX2N9g|rW=y!GswShR
zJW)vxL9V%`U3ud%E<}Jcm}#Y^R27O+WOVI32Em2!MvpHpl8-^mKs(-z9T1Ibh1Au2
zsVf@)o!BSZM;elEPhNoI?RACF|IbwTK&1b&YO5kmaxe^i`6MhdndLq^6T<q7#L_Yw
zk|s19{A|JnI&d9sSOT85)r3#@bJ<`ny2n4HN|BYu!329PrO)h3z%_~a*lI0#Jir-z
zv7I73$s3PB5wt^pYe?wvA)gZu@T3Cu-{qrB=?F&sP#xj*Ugu|m8$#UDIy4xlc4GD8
zLUKJU>atbQ!TV4daGulo;@Zj2EU{SWu7)Ge!nS;=`Cim=pN9Fx?O4HFhqRHQ=vUOT
z1rK?>_n*4*nC1wU9Oj#o<MU(e&R)LDCuNsti!M-4j_3zGaM}1NUZwNqj$(qZ9+o_8
z4#2`|E1EYiY_1cOw>>TtbIQ`}jtU@_L;qnaqCrkB)NDM)Ui0`#$75jTDR--Pp2zHL
z1Ng47n$7%cGdF$0?|S?dE+&NCOB&5g;1gwB9u$gKoQbL@f?RXsS4a6h+qWO?=OFG+
zxGcxTjCeA*Kf}2D^;ci1Kjh%d(+|m~&^dyrbV6{A@qSNpTJ1q;zIE6`dIvtKyyz@(
zhLwg!Nsa7i?~dr#jrpvE<bc8Eh7anX8Niud@m!2n=p4c#ecS*mcy&)Ts}*i$*ZQ@6
z%3_(>wDF%SaFH37o3_QTA7Juuvs~A=9Ek5H_?+bV%nRPnPvtG4<oH+}(SX8r+n*`$
zz|}U?4s7i0v0PnTZro#_k`WycW8JYPvF&T_ctcGz&I&7VJ`QK#y7tjgig)IzuW1LZ
z2ps9xTc0zxh@ILDK_6`i=Kk%<rD~g52rW`iI}rF)*!D72e+u)i@|=UD{#ZpFuaWej
zfPLtI?IGJ|@;lGyv5ntvXaI~Hcbs?9+%qq)yoFZMB7|#P(-oM%Ni{T_QG_#2H-pca
z7Z>lsd>JB0YaYPVNaI7J0X)=5C8#Nj+MQ=95a9EF>oga>v__D2(6XDUG|+qGEw`yC
zRA+r__!RC&(uAeisJ^PU_3#Oet*tF(H}s*>sB;g)IaioN8WndSG_f>0z`IlFOt;TK
zAxiWWyoaS`FRrF(;VG8pKB%<$+VFhjFgO2Q<eEV-_ivgb8oD2^8|Wjc^~FiVdG@n0
zcJgdKmQaY}#s*mkGt*f_Y3sbEO!OM*Cnl_}X3nUjz%@Oib&2)ZSX$OJ@bH{D{c#ik
z%UC+D=RNe!JU*~Vw}o9E3Bm>`h)~io_={9PCA={L%$Hfq6w3WzS^K4^Pie1&Zj2wB
zqSBTTP}L~+FLZd4sy6Gt<FB#w)l5DxJ~tklp-{gjnfw}CZur#?+eg0%=}tAwT-&~)
z2u|IlbP;CTLP_$j9?D!~ROF+R9BkA4h1F0~dGqR5OEt?BAlF)=$%8Clx?!Qi32|$r
z-WxPq6UAJo6xao6ymPs5U?1xCVHxyq=u-^rf{9)neuq;BJ+$C6<0P5PvCMMi#Gd}j
zS|Jm(;I!ilgZ9<*>E{o1)nw4p0W_2J+a1g=zHx9m9gKBOI(V`I@)tEJF1sHajbFwd
zj<<>^VHE&IeN|GvmsTUucU?zUQFdILVmqWXU_rTWL<cKZ)@z3M#vc4*<@m>*xo@LA
z{o|DCR35HaA{%+L&-8|W_}CR*7)))vPV4MMj>f~qSI<o2RwEqJELytxaRx4NbwsO}
zD-K}*<if=#&0k|<tI~u6t3N1Dx*n9gU<=hWM=*1l6*%dp{r0a>i-rgAe(rqkQ6)w#
zBIOH>si5oqDvUN(-fr5ghj$(ty`!0_q{BceWkUWbs^Bg4h?T*XkB-k+JYG`;3pF3I
zMfMa+bi-0kF4)lHw!?O2X%^QW?kk4&oxQ2?$H!M{_U~u8HdJiwX6j%&GYRu^uHJbo
z7Re+^)j8xRI&G951#`tk@YCzt8r$UezE>bXqyiCGgn0?6Thz_~jEXLMOi!hbjYS7Q
ze^dwZ{UX`>N|4f8h=^fJ-uH^d_@_(4YP{0lX08QrI13vutU~v~Ak;`~Tpt59UH-ij
zJI|f>MbU@(3~xn534dL_V<0HFdrCCA2iaf|s~*qAWz`u!DqEQ|Jouo?TxXBJU<fe#
zvX`UH|5FmHLmr;0g7c`vdZ2@|v8HOb)i)xPjV^OO0Re%nXsCLj#uJFhC(vt>9X#;Y
zWOqb~FSS7(5D7<Hf>-?yGZv@O&_}-WOc9ydWDfOPyF3)W_jgYPh1L$2{J_F~bJZ6K
zm73&vtE9E$Ena5_+m+KIZod6N@sLtPf~VCtS7+BVCp?(N&W<z2u+(brrEOM2k?>Dj
zFsR|hfiQCFJCd-R&^xJ?52@H0zuqCz0yIlzo~P&{9_)4H(lEB7^7<o+TTdPK7Q6;j
zd)}=Uw_)Z8xMgTHuC$$M@6LmsAJxh;SV5ral}~tEDs5qo%T*fsCpJsV?DC2I#I|ku
z+ONYE><~u=5oJDnw4L$A=OrS|_!U~DqA!g2@`YT|;e68>TG!A{aLVHQw@9=AvFri?
z@8qI64{VFQ)0y2*nOs%!uS@GE7n{*MjBtOFeS7MUiu_b_X|Ca;u{y@_L|1;HzYQrY
zvY>&u?Ff~e2E#>I{7I$?es=9Q7b?A<9RLC<Ee#=p!jhpI@=!$SrVqi)9}ii7wx`v;
zdeZaeot5Bi#4>||ZJakP3+ffx%T^J0#OIzwhoGBG#O#T^XwQfm1kCxGwU<gn?|Qf}
zsE)5*;3Q(__>)kwA(Kr!b)rNg6bKUYt+FAL$g%hf0m)J9R5((NKBb9i8;!f>y~+oH
zXMHGc;7^#OyaDqE=n4Da3a7(Q9M~n*&M28-z@K4ty)2@37_O&7$l;NSpy)>&N#gi7
zb6}Mew5;;p*BNCf3QW4$KsemQk;4P1sF>*ns0N~6)?h2))&wa?qluzX7rn=Q$7GC+
zM1mGvhA!!*A~KMzV(n-dJC(arw;VjGyqC=9(X@Cn)%5nT8MFlYcyPP0r0?6BENFiK
z%Wz(8XoGddLPJW(i8h;H^7awx_Cmcvbqd~#E}cFW=&vv+g9ktbaQT7Y13~Z(w*c*7
zoZR;wb2sDf4b>m;l$gVjV-T^P<AWdWM!QPkdo%81Go=Ns7pMI02YQQpi6wW~=@qW>
zn}{*quY`QZ*6u}L3kaQuge+f6TVVv5(n;KvCm$G~cEf%r>T*GCG2KE8;yjd|AEbUL
z+hggJB#_=#8f?l|SsP>ch}WeXrniH|JG|6JIeu|)0g}g1V(knEqI<ZOn=d)aT$1uu
zQs^^Z>m)HR*@#)XS~q%2?F%1em#oet9parSq%a7v?azAHUxfG^zF=m4l?Mflt<A6U
zr8YbD+X%8)Q)YkCPjeWSdFtGR`HVO&t7`wr@yilj1jA$-&>+G>H{u!T#Lx*|+~ehy
zBPHNTi%77!>8GbTDeE3(X5F+cy^(0jMcE`<LJK`vpI76*AbDd1Adg7C!UGFEd<BCO
z{B;mesAhhCSkvYXlbl{G&LEP%G~6=p#eVli3lHpJ@Cm6F_69(!FdPDx_a_05&;ft&
z_D}DKeO3WI+&0BYuj19)wcMWTx_)tpw{Jap?|R0g$i@d~{1pz|E^2&@FtN>rGyf)o
z>vg}UJdzKU8NP<PuG4Q>xCSnz)$g$bE!1w>)2#4p^!V_=*;?CP7yE`$T`N5hd)<|m
z_J%U(;Fqg7VG&%O;`+y-2^IEH9^unsxOn4!5enPUHD+>bwVKVM`Kzo<X+kSyke#Nh
ztq64qi|)mC_^xZyp*rAP)WSY=mE%VWtoP01>boidLcH;eZqyUx>AW}@kpdk60!$@7
zLYS~T92%UZ7y*ty^u1$@F59y3(6rkhmKjmpey^Pz48_oxFn-WFfxI$e7&Oz*;+M($
zk!zzq=Q+@qh9UZGUs37CnzZZ;4wa5C7DQrgBJap>z-;Pkc$Rj%StI5TUo@4I$K>1j
zK+3E8?M>Ca8)~wJyJ@>=DIFOAv9%h30vVRLjq~7qqi=mObMT})4bbXm+Ra&CsgPLn
z5fID%QR=MkZIsU!am_?n#;ft%=F#EXW1g>>&F=U8ARd{CdB{SpT{tw!Jui%EET~pY
za_Gf7#TW0he@Wz^9B=T_6}F3+CnO#^Nnk$XWeT9@@}yVETAa6fH+#5~kVWkN<c0A@
zdRdDx7D@!247IVuoqD}*lvEcYuAhw8oQ7=(pam3vz-w}#ssVcTu$zsoDhd6qcQ?T?
z3-FnG#(9OD^HcvzA)$=5qt$%jYb9J6_g5(8UHqa?j!WzId;^`bP92U%iNO2@Ln7mI
zDw0vG6R*{Th>WdBxpzadR-&fdsJ~VRsyKjxUVmWyKKA)x+v+tXQn3)Q`gTKS4X;qN
zj00*v`G{}o=q_5crXC2^v9^+0xGpb~KV-^AO5nkd$JU4bhP(N?qc8EpZX=})9c_g^
z5yFF5^-}LWw|2@M1J8HZi4?B;++jGkgH<PO<PoC60>S>DEK-2PCQK9X8)Z=Tta+0Z
zX!eH!qj-6d5VHjY{;)@)R_vxlWb>JScecYL6Uc5p<T(%y^}9JquqNWgnhDa$n*Ewl
zsYW`NHsAnJY-QBNBKJ)>qzQ|@uFBZWgID3iTVdlAp?4=H2ud{0?4->u5v(kHlfjiW
z8=wgavhto@)aGUXRSlyfOXMuToBXN>iu6cuRuLTg{F19Nr>vn$g?oR|dng>}y@6n-
z&W-#vfHb+-Q?I)l@zxIYrbIDcl~$m#wT2@%A%_*f^=q16qKo*o>pn2LW~XEHLtS$i
zR4^whL;Ex3^wXOtjbq}0A&wR1$2{0cg}bmhNRvN8@IIka2RO$ECyLf4>Y~-alLU#9
z1&>T>a^c5@A-86j3*J;bTo~*-{lw*GqXooQyj{f`t0W&=FqTQheZ7kJ+;=0LaSCs+
zB5^hTp}z1EfaNlO(YYf~_}vg|FdyNKt*jS9is1=bEJUeC8iC@5{KvsneeqsIZ+eE}
zi_zX~G|FTz18i#>m;jSLR$su(9@=Vp!5((gEQP)f;nsra9W=ExyH6-yVk^C?MX^|Q
zQRIU-Juf7zl0#L?uhKQztI;G6Xb7Yh<IM>NV&YXbzOEXT7B6kn-Vs0Bi?<c{u;@ar
zqH<Eb@O63?AN*?&MQ_J+x7Hvb((xoiVD`O`ez}y69zWUP=kTEq-R7YjP^jeN)^_6k
zF`t(xPJy><6tpIT{b8#Xc2QI#xt220-iqtG^JP70bsSamX7AzVf0)GmjN)6$MM^mI
z+;2cy@Hig_Or-CkyebarXwL6G)q;=D88pZr%N)x{--JV(uVV&ZwH*@~b{3eP=U9L5
zqy>Y_y3He|#P(PWeJ>MjZ12R-MnWhuVv~q~O#tsjD<ZGm;4PJwH0rT~akp>qiH>mI
zXtUDlTw+y~lk{6IOWUdSZmsIqIr(hnEnhX&7;cY0V=%&|id=Wq`(q0=f0gh4LXaw0
z#fyz_v)*;<bnWxSI+H$FD{0esj*)xX4o!0n;?*yX0Dcrcffp0m>)@n(%5bc5Q(E+W
z9jmTY%Axg$oXS1SKNVCOv^Zx1T6(Vv*-T!ppUEp$*V6c@;(GK}TM`|(w2C){SJ)Ru
zRXE3hwZiK1P(W9Cokqc(s<*_vVf&GIw3D`LN05feQ0UTaUf9wIM{jHPD&85O6TDO7
zC?5*+AIOAt)856CfYDz+;Gv`c2@`zyqud|gA%+6i3latV)pMc7lVfizvy(2XR`CXt
zfWp@uZvlmct(SnZY35>-6U?`<&R{pZZb&c2FSKo4oeE{uFs~t{ouP>5ogYVEL?o-%
zDURl9(%8`Lgsm#SxS`{Gd79`_v#M$xIx8okFQ1rzMu(vXy83bFAvWIfDFPUjA`4@l
zdts4N`%`P);D1r|)d5j8-`^<Gh#(~(AX3s@0*ew#NOvo>Gy>8~cZt$StV&5M-5ruk
zch}PFg22-6#dv<-_x{Ia=FZHSlQZXYc6zGKi6cT;v`P!&y20D|LjQ~mT1``^H#`jA
zfW7*@%-5a*&wYGDEE8jhlDipEJrhk52KGTx`95!FCJN%(^~R3n346j-b$<?^V&><V
zo5m@2M#C2r8IU!P;Fp7ArkOVTT1hnw`|1nnF9~!?(&OsLLw#KF=>$8Nm&LfGAx55?
z**g2j&$PsVNGQX{|6As7ZAI4sFDSWuxtG??uQNR#M@Rig)P@yQ(R5ATSkWUCFa6Vd
z`bC6tQ~7T4`wKnRa*fKlQIkhnmnP`AGv&0ZH7noY87+~@*m^}$;bX5m;8}SJKdj5@
zF*!jBTJ{M8z1sFi<KXf7vEf{k!^WqNK@~YUiV_9h0i;m60Wpc+Nk8{jmWdf(uj)?i
zd3UKOm~0=T$4*ujLaG8117X+H`n^JX9Rcqwhb+QKq0Z|ij)L~HYK&O40*xPTREKx_
z^KD%r;BMYxefvv6mzEH7L2n<m%cvW8^k{Tovs?K$4ahpcYR3R>(ZI;a2*`eNA%r^W
zt*9TRc6x5*+o>vG4HA^2|1qu{AY@mp`=ikdMB-1?r_aFSIuPsL<US0=Pt50jfSUer
zUS2=~^)EBi4L-|%A#^hFUG~;Jb3ywl2mc@`#h2`_&YxGh><QfZ;xq88hA<H(=JmEM
z$NQ(5K05Mr@Ow(Bi}4uV5DC=P;&W)f7IiD;rn**R!TT_n{#x6DUt!JDs+I^CAvgmX
zdJ}PmJ0inbH{Df2&Y@^FkokE*JBKkmONviC6D26ykvDhjBid74_YwdlflY_hU*WS^
z{W3VV64;<HYEIDTo3cOPTVI^%$_ZKB9fZB7OQwYKByJs-_Hs%^D-*6PtEVwSQWr}z
zhHq!Zyc;KLYWe)n`E5^nA%oFyIe?{8VLMr_{j~n*_*{StdhNX}ZsqT=crIhz;VrN0
zRgpmgRf1tfhWmQ|0#JmdPdUPbtTci}-v0dc8iV!zOwRkX-Dy44WbNw?=2u%WrA0?l
zfK8X3WJ~`@HmOe=L?sV3?-hEf0m%<9Z@!RGhva0fn~w21_T1m}gFF5q1Z~J)La>k#
zV}Q&_-B3E03R470D6zL2clNx@U8dqvhtyCyDaJ^gw^VsV*&O?_nLvPiV^s3GsU)>y
zg5wrclTIU{*RII&m<IWt^110Uz_|a82#(vqWbHTNkyR@*tj|xk!I#*PYc1FjkHFu<
z2AVK|#%^tsyb&;%q*sUBSBsoRhi;k#0$Jxt7awMf_-#ZscC^QaZ*{ZUu!DY-ltWNM
z6i>+XRqu^WFN$?qaIOM&N(Db~S-qw}JtTU#Y<Aot%vEa6*h*TC&g!}35SntXj8tee
z>vw%2iNlHJj$DCK;P$LYg$Fc?DJINue_1_J>$bze16W3u)LzsY(S7JA$#J8yM%^JI
zXrnI!!d59WDDaOY;oPLp-AK}u4f3;X%hw~Fkm*@15A1?!59i~SU4F`si8#F<l2C$l
zTA?wV2o4Y_gGmdMO0Cb0OBvLT_ZZ|K2D4AcYcruu723>xL7d`13%i~@PKi4`OK7Tp
zQI~zBOP#20iv1X5ZeSvAO1Dg$XHO@-{oF@BTDcnb;GRCdxRJVH-d+HPT~LDp12UXQ
zhWHgd@bL;u-GQ`IgS5d3W8aalM}+Vkb%(}GJ(4k@8=`T&e-zDZEWTTs!Ij}|n5lGX
zA1h1V_8Ij~4)l%pqZI1OzslZy@oQ|JRqyj*Y<(sUuVd;^ilb`s$Ggwe4oIwqoTm;D
z?$yL*`TEgYGbQ(nH|<!8i&*kJJSP*~vO)|Yg0|zzSenauldFXRnx40+7E;J?kei=o
zI2(8k>)!3A2OnETC`+Tab<`fW25-uk=mp$|ZnGT+fevwp1*B4D3=xMbLthRCe&?R5
zy7Px_r5?oNuisCwWZ<wn=QK_8KCmeH0DAKFkpQTGpz+-db)HX0u3F`rs)uxLopC@k
z$<QoRe|~RZ&2|(A$zl$oqT48Y89Bq(YC?<0bag(gP^^;Yv2v82)&T-2ZsLCJf{i&w
zAnRUd+d1_;jq-P7fR8H`NsaV4T}zVk9M`XN<sh-_8%LFEiZPCVx6ri~XMOrm<zB*r
zWpyl4bHMG$lj-Gk-@uO!J>RQycDUH)$f^=QZY>xaTd+Kz&UO0=j_zRAX?jydv%533
zmD#1dtSWG&Hxi~+|Kh!O{65oCiCMg|wqB*wCE=B8fU=Xz&(sP@QQK*~>|Hz292>8-
z_iajXK>nj#*y%`77+Zqt=y`miW_Chxv-*?rPvNjHo6asTA&T=Jm)z+nvU=NAZh9gl
zPKLozl+iQ5?I>2(o(uYs$>_99oUL{w9x&<Ls2GMHR*Je4#^Z7&`zT}bl&s2LNbEz4
zQa_h!9IgOOVoH~y==%_%34twUE!&SKKPXn#MM+t1f6R7gZRe1fy-B#cKlIXB#DnoG
zUv?t1{e>;Gb(z<e)OA-pC(n^|w&RWZRa$~hWqGa5xAyScB<DA0nI1*5v*9osN>{E=
z2Sz$~%=Dm|M?Pn@XZaz7X|h&c9kAkem8PUa&^ID1oHSBla>$h6-+?XCIBEj*E=NPa
z1m^qs&7(R?ujO!MeB47a)wj5S^J3CcN<y0Cy?=RBm09x4H0TM)@y<^rueb9BL|5|T
zdz;hcv~*)nD^QQOo|BQ5gw`089oMAS#e7zkS-iZYaoiJiyP|}T7tIimaIqNw@JxNm
zx7ZgePE9c8_;{5|=Dm$O3(g##JY@QIq9?^5R6#+|-gnQ#YUsfTcDQm-bA-{D<D2=n
zq4aT|LtDiF-D(}I;ipbNNJdvb*uYz*N(S{D2HcWoPx9jhau3may1q6^z0vCCaEk`h
zh+rZ{>_<f1wywTAAKR*`HB*lLR=xw7H9mpPb;rl~42(qf`?umm-%&)aQMPGR0g5AR
zvz?fac6`K@;2|h7QVPgmu9|x(UXG5*!yZLbo|n-yv0q}Z$Bope9texPIU-0VhRP9t
z5#<_1wcj5%6<i*17Z{<DY|kYsz+nWrs1V(pI86Rv4~r3TIWtU(k|vuCXjPk`X!#5%
zs2mP;gH*($tG-<0>VbpxO*d8ln0<PHUpdkVy1#|mm54F8c72T~FrD~OOijfv7x4P<
z2l+z=v9Dzexn?;PkBm8O%@ND$_v&CY>SIaqB+(yGchbES2c2Tck_Gd)DOHi-TuHAh
z8~Qo$E%`g(lYJPauUir}VuCuZ{PLQ$9`V|U9b#j<Mkp%|L5yKYor*xoTO4-Abw130
znXn`G(-m+&o3(ex&7>s>@IYGXli7vr{m4m>Q#$S77_a>ljKBw+7K*}COR!AF-J<QI
zZDWB4gLX?_t!RUh@2cHd5aCO&RVF&aP_JqUksi+>Uptw{O${K^lxa+D)`J2dO+qG}
zXl1H-O4a18#1A@U?EQKKt)?aqIXJxElN{l5QN9smH{F};3l=|DlDxRP@VwQyTTg=8
zV077>^u7f6xomdgarq;;ijZF{vL#QqmLy|XZNf!{wua?3-lS=3<Wsn%BR7V_ur(G!
z@Kah`pGsab*s-+A6;(-P<-KdJ59S0_ykLP8$qR_z9tbuot88+`jznn`grf9F{aGpL
zDv3gD+H+H87CV@kW>fojg`SY(eE3ng*!rPXa1#00n5Uk7wulJ&99ExWpXjF{%`7_O
zxWHCCda6E@<-yxX{D^#^Oj+;`IVFGl@bPWpV=6SDgNPp)InIcZI~n4AI$s%5w(l-t
z`-drC=!@-|%C>W>rJXNjEoru$B^+-WaDP5GrC=eg$&8Uxg>eV;j??`N<1W`BgsKe^
zCx`=Pt4P19*yr+0C&nCU6-fT0(4?d@f$Qj}CnAUl`qbg+u<YWeXMik|T)8~Q_GQfU
zc<Kf7LpdaKPcoV1Q1f`sD{^3-&C5gzFBjmm<ekd0;u)@1`4&`45p6|#$!<P;>Z$YX
zIm92GiL^i!bC~2v{^Ms-^1-F+ojGL(gE0zBgzfUhDM@%~GY>CLu`DsMYj(DETzKTp
zm%Dd`pI{7yVLpEFHD6O|=JPNsN4B(~i>8R{uuL6G{-}KP9h>7Yag)Fx)NQdi8`@L@
zk#IYY_4y^{%cz}j@snBN1-1e2gGP9J@L5Qnev+FJ7mD3!ucC%J$dh7w^w-7aY42%t
zPdP){d`~L#t$q(izlF0t+N*WGvFlgk#=ZzD<q2cuH<p<D1DHUTt@tNDIx_EZHJD4;
z@cGG6N>$oUnBC!NE8n&J`^l#iuINIjsQh}qyY|{_AW_94RAFuc&SYh5RYH6Dlg-U1
z7*O+hOs1D4kbp&EgV;T^S@r3|Vq15Q0xMItmfR*FrKpAZJ2gdyp@@*io(S)uRsd{x
z_juzMZ2AGjVlo?MR~7)<+x}SXEP{H~0hYkq734>;TbUagEf~b=4Ub$@y{o4Fu~?S2
zS-GB`(){zs9q6NDw4^LiG&i9U@5`bBUoOLd5gr{NGj@<{Gid1RC|_m;w||Z~R1K!+
zhQp~YBtHYmu|HVGtC~*mv}mSq9T7ya1AZgo6=KT4<px#Qxrfw+fwuGDgQs9~I@FyX
zSk(-3x2o&P^@?~qmd}+NS%Dl+%g7ztp|4%`6h*-}+`I{;c~|UQ@8zpz%%HjNC62A@
z0$}*UZ3By`WAI81$iPve{@i@M2OlX^kpQ%<8KvsYi2^7Tk3k3-u3bDFKc~%EvNIw9
z@?Oe2+DA9Z#9ezWIbQh<sm#nd$47uf;jqSu#8Ez}e!o=RJ&JH)(}`lk$jC_1gO3rg
zEym6CMRf#Dfbug$x1h)Q9F;F>q?N5fLc-~yrgKli^R#Ed==`+qsuT@viw1OT%a&1N
zo<_!m*3U=Pji(&}0;`Fi4vtRQI6&qvM)?B!RQMM0>sU_!<o3;0WVfeVIkN$?#RWY_
z;M^o(`*{hwqh1!duO~X{C8P0|&)C`J!k9((`6W<&k0y5Zrm8_z*~@&6;HELVRv3Q+
zDbN)I`UrLBCL8)$0oA-k(9P&vXY8Whd$jxYkUd{TC2_ub{8FHAvlDEi??@{U2Fcni
z0+z*sy3@i8^hHD4(><B$%c!Ez?6i1ud$2Mcq#UgbI<nYbvB=4wm_(0LHve#UcCO3_
zner5-;dL`)fHEQE_Dw4HYtw9K==-#kPZ_jl#FbHW^xf|4uh6E|e^IcUu}^`)XG2LP
zm$i<m-WIYWF-AWTiR!TM;nhly7VwFh+CY0cfHAmSbT*HHW&Be5pBWVfqD?k_g?YBk
zbTu6n<X}K4)QY<8h<nB9iNFB^4PGb5Y#?GEPHl**=5G?bcDeOCiGBMKS|x19zv8X~
zvqk>SVYtI}rAQtavn<xLSg=NX@aJe*d9C8?)WVAMn>S0Y9bjc(On_U)Fn-ek81;cl
z+f3;cTz(Ed=rwPFrdb64R3vVrXiue!OsOuTy+Nep9P@Eat^B560p7ElJaHYYTilBw
zRgC9-K2V2a5RKMWiWJxw7V9Zk({0zV><r5g&pY1PM~VmvCYIa~uZ3C1@OLJB^HXd;
zIt%DZ+#DYKN)$E9hvogcbf$8&><+X6m}v$4{mx+uHotKf+Iw*qTc7x^b!kd2MmhGx
z>hMNPE%L?KcUVADh1e&w58jD8Wz+l4*QjpVck?yJoqp5v>(4|C2=sQhr*dw-H>VIT
zO6$8U?HdEjAG0%}Z2obNT7*x2(@-h*DVKUxc%HL5dI8>Bx!RjF4H`wXpCIirSoq8o
zyv64jVB(9@vg`T1(Zh?W6Q|D)IkEb`@cEHtXE366`i_Pdk7t#Q9{!?%607IFWNGN#
z)PS3B3G%q?SpplwDR+|u-kgc!SMp;@U<w?+<7{y)zX?ZnaT-Ccu4jlm*6j}0MWn49
z>e4(x)q+R1&k?%EsEaxMrv0i~MMO#o*2tD1AYMC`(rzLjoz!ydGu7d)|KIW#-|sjB
z?lj9~RNTv4W6!HTiEF3RvLbl8M_j$;{9DF@`pgD9QETySF9;LrRqBinB4rMQ1)RrX
z-MfCvKU|k4E5f2)HI(N}|Nqh8`zP=5>3OYeDC1QheBp8+At~b=M(d00esMT(A?w2}
zks-wL5zO+-U}Rp<LO<T~h3jD<D~Q;0Pe)I$2Rx=wTWMdbUXVAkN><3(%(zJa&;j6;
z@497<pN-B$c${Azfp@4RJXSZ9MHlKk_cnch8C@*)*w8jy_9|bWrE=v*@j+L6>yssV
zgjQz``p@mJUl;WpzL$i3tEjS*>wp8Hb6FFdkQJnWG*O_cvY0#ykWqJos^^Xq|9=Bs
zB|_a|BouB_GP9kZDUGhiL@2Q!>-ATseskK#bn){RFeqOfWcuVN@<y7U3NBm>asv8l
zqCkt^<s|KCaK`^_B*3!gT$hC%&;pzdYi!DuZDF0(fs)nqil1d#8&j=|d@dQiq|iFI
z{eg+}nhawmwEvM3jk4`_DB~>-I!niV3nuwV-GhN6dRVfJ4PvT+Ur^8$0D4m6;o;$c
z3dBK|Ot<iRPqm9JTzF1@#wcRo8y2@4#MH3P-DLCvg8qrnw=-#H?uRwia}ta}`=kVr
zj8Y0~dU~haquca$Z`6`W9ElhSv9;udSkzX9+Ap#ftS2VjzdL46kzy&C8*tR3$MmLp
z%=)b}T5__9LXXq2zKQi3xXkb?o&YIj%6?9qCHAJx!sm##T)*YV;UBwXvu{up+*r3%
zrmesKq#SJNz$^8gKS|eJ6R|o^bf)skkU|0lYEE*GV~p=TW66c5KHzRNx;|q0TrF#|
z%A>Y<lepRU94)GCtK~7<b7zmKDN&Kw9zFn*k`G`S)a5U!pn{-VJ!h4t<b0jEkqaOU
z5)z6ih8Hxyv%f{K{Z#eDE8IKf?9)YJmz_b--1u4{P(l7dC-XDM{efcBzCp+{q?Ls9
zf9;3#8(Pn*kG9iY482x}UmMH=Hv(}ld{@lti;?TQ<O_EQ9+i@XZ#%f+ew4mRxqVG=
z+pn7hx?5@WDSp@+Ic0ALxgBM;U)F@YFI+EcY&LiUPe~3$d(E1-`yDAl0zDT3Igmin
zRvbMWYwBw+ueO_R;s5?-<gCceHaQcby;8XT4A#_~)2sr@=Ln{9OaMy+{sW}5vusX?
zrsjA|qAqOz;Z>5SHLK{h2EL$X0h7tD{|^cAwrid`OAsGj747Kj<|9K+BaxRs)NzA{
z%i5pk?o5`KYd>&D)PG2t_PNr|?u5JO@}b0X>}g{{h5ii{8x1qROsS<d{WXvA7y0mv
z<FGV4Z1TjrXWtfL{}+~o_E`tvQ3sw);j8-Z&D#~el>yT&!8X|Vr++x4Z)>%MzAa!M
zBEX6Hy%;oBL6E-9)bWj@@%v%yuR5={B|<_#xjdcwRM3KgKdVN|Plf^MsppOR*OXA9
z=zmz0$x%D$D4v|OI&q-szfqn{p!%v0u|dvzl_wcZ_5Z*@@iqVysB~AP!5h+G!0AEu
zZ^*F#n80J;z1=>vgvdjw7!%FU;dt+LcJve6=C?uv!t~Z-vh1VSkHhY%n3`4$x4V8R
zdfZ{lCP_X=ip#@g7N$H!oc<ulI_Xn4mhq#MojrEn0r8u)a4Rj9&GnZSP9k*y@z{Gx
z`DcZ%qgvtJ9?WvF$*A&w`}bg<8XAb0+CH*xgOB-^)EdqS7Z(eXYag#Cxml1e{3QYG
zae$#&U6|WP#186VFpOUjnv617cv?_gxz2jDBw~MKfq;igQhHEc+{s9~K@O->xCa16
zq+!~ZJ`#-`nZ6;g1ikI&I|lg+(|<pjq1nLA{`uoElk>8(HBcoW99GdE7rbTf_$qVq
z6x8=`Xgk5#mxCSOsr|Wl7qWIyeTNW2&<fuyQUn+3AoL!b^w@*!FkNP+kpIsd{F1Vt
ze3rS2>LdT*@U<2EDW{_y{_EGf3y{cuR6cz9n7-SY{7*}FI+|{%%z0WEVrq{`&dJ&N
zaO>>sX)FBlJus1xbD0dsr=Gvl+5xni;w|b*7~zt`a&c{cDZ48q1m*DM?9E%U*nbV6
zFRH07qYy&3mdc2i_}0ZD5h*#Fi>h^XrLNyR|8Uqdk!kR1lUy?DRje5y==}0(?mf(5
z;kv!OVCyf4%-jlkbW~I}912TGNeRmcq=tTcW;%O_*wEH69{URrlOF*URKU#dLDTsa
zX?IW;leJ;yx%q#m5id!9uyEm&xw=&5O<Kdp1d2p>ygT!{9=Z2l_i>O7m9YX9Xr`kb
zOawCR0?#_vEz}eKmAlW<lwb5j*&R?jorB<5hQI=QpoU@wyq`;g9^!fOhi)pI(LJew
z2SzS4;fNITDa+-<&n_%~S^C)~zmfKdJY>u+Y*sf2CI-v&+!Nwza0hxWa(THG#&Hv3
zzD?ULK9L0l;JtF`8tcF1ew$buJYnM;^QEs-Xc#@}snrNS1HZ%p+vYPmfBS0)E#Qjm
z81%a@J5Sl0M1^WriNHNw@u4<NPyb8@8=AxqD85FmxkNQJ`9DAeAW;;WWIkqJKqxuk
z66u-zPv(~nAGg8#IXjb`uLz(v|A2rNR`bMAp3b&>08}=@|9@XluUP=4FR3T)t}{c%
z>4W~H;sa_BA)<K%nQEGVAHISJD#kg}(1K`bpt)-yf5hOmQgM=7CRbq)%(uwiRR9t~
zc-CkfulC}i3%naot1e-5;;`rQXYLm2;>x6j8BvWYsEe7c>Mg<SQJ1;>aM;X}v0`+5
zu7(JZmifD-Urh*1z4f7ELO9I7z+MVFJ6>i$q*Is^qErE`Y>fGfeQe&Dfg>jLT|^<v
ze4XytQ16A@cxzN4kROZ&nyQ;1WZM?=TRH3$A!wX3%8IXRKQ?iDBQ$9^jbSyTsZ~iH
zz-A^|XCG!mSgxZ+!e^oTz%?^<Ex0`E$xfe!>yJpo4U-4iO6J*&4-E0C6pH$WENnY{
ze&Js)deo*J_Th*iJW#?>*KpqfzPAI1TfNt(H{^J$F%5RiLFleTz<`P`I=fT%k!2MX
z6&`JHEA;{0db6YHmlF%u%_9>=zFqs*qef}Y2SF6@K3$TWSE52!qOKQNW!Fsz|Imz@
z!{ShQU&Geq3Uf}1$cpc23<h43X5EDN!Q@$L(me5mlk*=j8$=xIrqM&jAA&?#6XYxO
z?83c4^!|dTsEdBN5l^>$aW!G1nbON-$K1}K)k;m9QgzY!DUUbsyEUg+1P{|(J5M`K
zj9qO`78hUJ9}J`eu_KcI<ga{1TSGg_TEWzScp0q@EQy0w05sY$%63E50Tp$I+RQy4
zv5DM06m0_=FMI)><%_E;e;rIpzBmOg<4*%*GvFZ2f8U~afOa@8l@%jSVZJWy==KF;
z*7h;5b!_MmwcG9)YKGk2{pcdHSijn`L*Jn(6>~zohK?LGf?QV6FRpfyfnRjc`c#YF
zEw1-g{N%e{cxrWVdCyhmPC8H7VWWU@wq>o=A#fY`htKG3p&dj^WwSKUwwT&zgzlMY
z74lXPgEy;7xLW}mB*U#mV3X=QM8++OLEmU0Bl=}l6i5#rTCnHN{UVmDaih0W=)_hr
zaKE96jVg-w(>z0;@mmE?sAChVF7+>i4)5{-5CTtJ=o%0S2tu@26JG2hQ@pt)j%c7n
zEM<7!7u}7sc`HiEX@cu%o@cWpAoaWb{rj~i;X9)*8@z@Wo12$x5e{*%p8kchld>I+
zLR=T{pB+`H^-lbjku6YfbM-x;faX1dLc;gmx@;R5u-6@ciAgLjE=F+(qHMn+rs}*L
zT))649Fzh(1Z&JZ1js=v!8P65Mtl#4S2U-7%K4^cG@8N0n^>6BYY+D->=phHNM6=P
zT;1_JPXHnS&TOxXhIGKcsb+q1>A2a*9Z5ii<+@kG6YQ**2MkcN$bo^`Re=50TESf%
zLezOnVc@M==067O`|{zFVpJ4@!UQO|6$C?R1IRVh)CY0U_FaGukyNfs4)!x2(+#gB
zmBSGt;62Svg-VA7xCqbWf&^icSoyJT6;L_%<~c@*)p|if<g<C}mz{rY44JorGh^Ig
zo+XWrBdHx_=O?s32RLibD(^2Hwi_$U`401}D7l>fnZ+Oiz$}r!41)3AuqsgO)XmMU
zcWbPG9+Eh-!soM|6{MTw*#^#Ez`936De9vZ#o!BCYufB}>}l6!Yy}JdGWQh}HnjlT
z`(zDPo1mt26#rC8^ot!kJnsyK5s7bA78MoM0DIk=b)6k^y%z0|g*1(UCW}W4zHe!1
zdB8#rTA07G7etv~H}79@i$`B?RjJcg<g8`w{dJ+_HDI(LHpn<JNc1tJ^C@fzp_`}C
zhyw)+D4_7SGiE=4uG}l_Y~d6b{7=m(>sLz|v)kZ7O#?tdumW4i>qW$RMiHBX@nK&X
z6@89HpyP2hF;kt)pY?yM@*L-Vi7K?|0E=x^QZAJh6tDqP4sQi-c$m+8+!sllo2Dj~
z4~20b{i>0Yl3F-j=ke+E<#dYt%W_{m$A#5Vh2oI+6nsoy!3sM_3Y>C^Hn45g>Bb6I
zR(6Wj1dNJ&AwBhm$waAO--~!4A$(xN3)Ow#qG$Ht>{#dC7TF(2`Df{)LYqc}u0Cq#
zn+7ZW+zMYof}H(#*P19jhpQ+K2~(W)zNw@%u{STG__cPnMJ^Y}2SDeg)$#_tmw!Bi
zXVFfiWzuY<AYU;^rQ3_WC{id3#DWc^FuEB+O$74(yX%&&EZ-8glX#3#g{m4b+Yb0!
z)P+S1Z0bupy*1TiP}$<lJ%Fzu{qu9HovJ~O5BH+CGmFfK_hQ?h{CqH_?`6*A?+ytW
zGWeEXt0ZUY#=rCIHbcHgRxZ~faxd4n0S)atvu|#I$JTL4Fl^-M89rV4c#ht-7|da5
zL;^6=H_ydOY^bkwx>xZM9~@!?!TsyIKZ0DTS8ko|OSsg@v)C;i&MY5JDc?lbz|#uH
zuIzwcuJB}!>ZQuFkp0)?y}3RFL{pV(@3n9L*S`R4Z`x5aoV8QOCVd?C56>M0qichY
zuw-k<6aDpLo}nJP1DIXCM03{c)wJNh97hQ1a=LaG3xyp;^8DY--dCggM3U5QtmMr@
z2nzj$c&FC}lrg9fJer^T&v$SZzE`3=H*jcRbGh>WO<zZOuJeJ{zB&tIHUQfD{SjcE
z%gcP(qh3%wn?o_LEwbNl(Sl$^<WLc~TF<E0Jv!|F7E15{6vNXwKCNNXFM{{q+xO%k
zsFDbLw-YV~`=9k2pz3|aLJ0M2{^#9sG;B9d|DQh-1bglP$p99h`hRn0zo(pA)d4PY
z(Mx26*VCX#{*O@hNDoKHH~(UlR`{e4P(Z=HNO2q9`PY14Ljyx#4^}EsuUG)|&hO_D
z<oERGg67XP<mFgu{&n|ycXU+;+m`^m#if-iNX_Z#`rccgEkU^Le=Y7p_m8PSzV)J6
z@s$V)Q^;K?%;&~I1fIzhJ7mpiH9fR(_QJ^<sG&Wmmzrpf9Od})@0|&F!`V`<@dU!d
z!=r}1S3@4>KPrAV)-Dhaft5^D!FXQ$3nLeOm#uw$j3M(4t7%E*Q?0rG;?pOeS5Q6`
zS_9iNQc;e0P!`6>zq|jMK_3Od`N!D*d_nHS2`Xr4TG_wu+y~2tdyLuT!7ztN7})n;
zd{x*1md~pYOi*M07sdkH4gX*MMKk3D8Jk2^j9Xp)Uz;}gOf*a_;;$2jhF=fRnWL9C
zLCtC4zX`lXiP<hWUzz|RoWsr>k39(wiQkfy$+-wvZr}rxl|OFwydkdAGvGFkz>hG!
zYbEt<+^k<BQ6ULsEN5)C@>%6%O5W_1=U>0GIf@ucG^7W>ihdK;Pp%FA1`0^Q$$Sz|
z2=(7BZqCx48`qm~xpZ4TT(tbN1Aa9?03;H_lQ^!&BJ+>CEYeWy*-<=+^Ik<`npJ-q
z{vAQT^8pLvKfX+MT;_w%dKr(qL}UN=jterM{&=~5rEJ`~>o2=;ue1YnJhA`pZ%0&A
z*r8_Cf5h+xrut7#nr)X3-#U9mgt-_d+08sQ@%<-)Xd{XcBLjo~eE%E*Xs({kzW0=`
z>%aIrE(9pc;IUj5|M=gV!(dpQy1Z4?kMePOmjBv0PqD%KcafX<Ghy8S*tpMq%#LO4
zA;@{aw-w$p^k>y*&cU#FHDHX&{{IM(wRCuJ;51X2U6H5;KwAG09H$M=1GoKefzGIU
zQJMBiJ2=8>nb>`3Yz%psx(@|iK~NW{-R+XOwxq7h{j0aWYmh(PwJWs;nuwurgswaf
z5=U(1?5vGO_+<Dr>N4<>5B$gK)Z3%Pvg1AXduxj;w3dib&~rD5jN5R9y@e}_eFD9e
zCvC!h@c6!UOTB4^kaocY%1_cJ9G{-)SNzD!*0AB%kZCE$h^!<b@|5jRXbJrMc%J0m
zvRMjjk$mIJLZ%NMtsHeC>kRw(-j2mVpz-?@5AeEoa`(ky{b4E}=I>c*oJPZ5WPVv8
zwuBF^p3Xq8C>$+bE^9B7r~f{rK>Hl=9wt-*);$(RT~w_&kL2CbtH{cr215sEe)m^V
z>;fm66L}J>c@(b@yZ7K$rPrOk7jXDZLce)8NTR|VnamOu^t{VIyo{KyK>g)JPK=?S
zpqAF2wEI+ca4;1U>!{SIsfPJz4i#}$5sPvzaOv_g2Rxy~UIf)UMU0KmYBRZ#i$)us
zoP|xYY1={0W?Q>Y0uF7j@YTBDM?h`#-QC?Us3BwxZB#VW<M^k?KE+gak^a59d!YS!
z$m_3?{nEiN(rbC1Pk%bd0_v-ajjcKta5XqpH0jFXKMMJH9LDg<Ydc?Nm1Upb7n2V)
zd)f)kfCs?5mljuTjMz)PdV8zrD_@!TTzv}1Jt7|4>bzrR({sp*hBnyQ_X97GIH>*g
zeVU=jT)}17S4;L(@1^0{<%HAhBmbkl&ZIZ@DkM9?qeoH^`5glH?~H4o<(D+B@b#AZ
zCf4>J)(=@?gSO|kH@zQIpPH?lXtcmP*Nhc4zGZ*Y6=IT=T>!*wFo&<y<+7W;i%aWb
zDQePir`$zg`hi+3{ipQ0ca~d6D|ik`OJ5iHYJ|JxiuHbZR`#{Un8-i;bt`Ev9$pqZ
zr)hjNh6SCV!Ga=*Bj<5JHhq!-zs%EToGSE*Nv&C|$D?tE$K!LgfbicpVY`Jh19F|x
zmU}J`HR*!?+2FGDoIc{2y_1CtvpNYx>w|Zvm2&KG2mb@n9jMzjIV7j#Y)cfB3FCt~
zw}AU)*!LA5r=KCWo76C%3l8GEs$Yt~I?W|N`htF?2^d&Zj1GF`&QTQM*L@b*sas^|
z+v{N_IO7{fQT(b1-Du&ZHO*~{k24!b@t)({s8_#do;rl2a0Hi4J!Fk&6#}{K@6`0e
z8moP;XN-MNn=uR~>OWd0ZDTOSc*?c}9;Zh%^U@KMZn3gX{9ab59k47M=EQNg$Dul|
zPK2GrZIcwr_=TzT5fT9=!TK#=^W~r<?V{90J|@5XLMuc{<5q$3mMc&s*vqS~0$_PD
zo0YY-dwbr8&e93u_o-qG8EB73hXhK9HXRUFUnLD?*8Z^8PoTbz*q5CO$`3LoCJ)T9
ztc6~Z6qyn+;)2-t1buSqt>>iQHE!!JEb@7eX*Z49wWrId;;(sRn5Qh3H3*H{OAG4y
zPpVFT^a_=QCe=2a{FDx+bT$nr7jpq(bi1z~De?0zjy4_vdr){@Ko)PtCEu;0?gFvU
z)sjX`*$QT!jHp%ZdWq|6=QOyV9;Uz-<SUSq8n)kEc4sHk7vrv`Ymc}!5gsS&=)|N!
z{9DvFx0`;8Wk(ZmvJ!0I_Ay@{ky5!*He|W#0n#ApKp?&^mPI=S&xjg(Ph>i9DZaV}
zeA04hQVg^Qu4`{E(e0+CgRO*#WbuM|FJyT~$QWO!h`hJ@r1nIbP?bn6GJxzko|UOE
zefd2rK8|U#x~mxKYTmGAVG*}lOBjOPtR6fNl~Lv?;_THHnbdTsg<>$QdYKr93#FG*
zAY%>VKNh|5z5Eb0F76v)t+@y*H#}%}2CC1DH(2t^8*_8Uh{sFLLWbfs2fDBi%-ce$
z?#P207<V2*F5>Ca^;le}o!!d+euo9{bFrZ=_)zcDClP}C$f?oMRT^kriYJ2g{YP{u
zzM~AbS41#UCQ^{x#K@F!I0RM{jQcqHlHkUoJpwwnGPi;olp%tGf@HWDC#YGeQxXdx
z!KM~hJzhBp7n)U2cKBv@i7z$%yUO#d9}CZKEN>7js}-(uH5D3DAgbw+f?$D6&xHy@
zUZ|Fz0;Up-K_}IDg?!h_oL47$R+G3T^7Nux660g157v$8B?JM~pdzK!G)go<)r;|$
zp)B%VwC2w37VS}k_)?;Puc=LSG$J=^IzHF=E|*|t^bmBRJIr}FErO0(&8&RKob7i~
zfkpIRmo3bQ+8b?jV}N1N8WLM(+hg1eu7w`WPLh9SiQDSYUu|$@aNVGI0TEu)T{F)M
zf<>>=(0#^*x>i-yj-BoqXgh!+z7mR4MRb^;Si~3sikR1Q!w+K?v`mkOw%=ZUar^4>
z_NZ5H^Zab0f)+gOuv5S2-kabx!nM*Q=d;yOxzOm<^sp22GVtWyIF<v*+uNtKJZ1~H
zr^|jPC980(hcafrc(X57mswlNzr(eQdgEE7dtAP2pX-QbYKyN(7LCC~LHF!V_!FW#
z$?Q(CcbJkHV!K=K;3zzb?S8x>nB%oGb}6y0?M~wvDW1E}Vp!~=pqXt_W>hW@PfLZ>
zRK3eM-)k^|k8MlD@=sU{d;5d$6IegG93(mf?P$Et{TXkycz78Ta<~;9Hsj>n?-w@w
z!hRxe=zGBFh()msdSf!FcOC)sy$KN!>|>T#k*Bwon6SffvZDgCG8?V9efQ`3sfIJM
zrWv2)BTaND6Y%2?yeY4k;x?^b&^MeZ%{QEgwvT3i+YL}gWg9c9#9<PpX462HN6khg
zKq&C53PZ$HCX8X-iYSh>zryOeTh@xtu2YX{jw3M&nLC0!tplz~A3`xf#0BehY$~-+
zYUfdY$GRn@*)yx|VA#Uy1aIz6#*h825)8_By8=rC4cA}t8^3(a+XcXt1w{5EcpzqF
z!xh(2`v&G|GtXz2m<b^<d$sBlbWdErM&u^I467+_4e!`ykwbiD&7(|OU1?)%i>I<!
z3bGZUKI$U`Af#h{F7ex${Kdn}fy^%Q5;M)lPGzI+$_tsNZd|e6+lg^OsjHz-lAqHk
zc`K>5=G?yo=r-#ioJYH^_CDFikxB4}#rrG2NwohwEsT}`wIhJ=b~90zAlH@CYsr{w
zM|=nItqw1<y##Ab2|Pez-iu}NeHk&$%-0-Ux&F%NP`ZGWxyEyB{o7nAV=e{rp4X8t
zPd<wJ<_g|{e9bo$P!n}qny^DM{Ms|Dw78OJ{Rlq2@Ev5AGU25ahIBSO!6S31=>D~_
zsP0mPY=KKzfYz8Jh>G^bb*gv}6x5J>4E2+gO9yd;T;W{oFs|WD{4nlocsxado*Hk%
z^2nZye>Nt;rJD82D5D49?X$!f`?-)1f8~E$-5u{b@7Jr2!g`?$IuGH_b17KWMhCV`
zpA_<yn3=2T!n4?4S-e0lH=_px6-0!?%DR!K7l$w^6hDF@8HXC=`NeuUehgPK`OK~0
z;Ke|$x2uifnvuwHzF~#EM;B-235~E!&Bno4Q-~i-RVFg~xTm72a!%U5!IR?&XJN44
zUNOqpKOM3-vD_M`A(#3J4Vqp{I)A=IPQI9KZCT#^ixAPRvp3=p5%#>n<j5ZRM8O^G
z9(6-kOb{Oh<Ul7yXZYP{GU!%XeUg-jMBT3kLSM`hG@>8Y{cHxv|9|V8vuw}JfP`(}
zXJ+5@&btM*oXR)E1RWJJee^s~U)I|$Q6@q?)Hwrw?njWHUrb$F8w*u_!@g4OB>A^v
z{iVQ+uUMHpa}AAJFOt-Hu>|C|9_tO)yd;|E^*IoM_|9*CxR*hp_5G3C;=8XtFXiwi
z91!?gO7mT053g$Qs@5ju64w)BQp+Vj!o!Blv*O~7mB)=0-`x)}Y(mC)5yX89R;c`;
z=hJC`Znd<$^J3i(rt2*9Gmq1_3hG{Tkg^e}yrV5r6Z4(6%3(8T>1&Ck@Xs06bnfW%
zW0-hXTmrETZ`~X(VyfaK=$YM8khxyLqb>>bz=KAH%x6_;%nr44UG(lfzcwWjemr8_
zhj5QJ@S%i4Kj=r>4|K^socR9n(Ai1Bl8ljm<HLo>p3!OQ2q%A&ZDc%Jiitt#uY1nu
z&|kDW=h7aGINxY}1Rc+nFvM^rK09h4y47Ob8MY_9ud=pv<W+=GW<>MzAB^cEj`y@~
zS6sYd(o_c*ny<y^Zj$fd$O&Xww<q&X3H1;!w1fJ<Y=semILbt8bIwexsQ3yi)49iA
ze>7F=uWhHhO4XbhlxTV03ltSW4}$Vc3}(aK|3^u&NDYQ5h__)pB6@1FIMNJeZDFS5
zHnYHMhO_zZbQKbK9Zc(^f3i7*mK>8_cJ+#=wU$fm!{q1P-QIp?lnxYm!^C=-fZ~{X
z5-qVI957}<srZg3*H5_$v55v9`H4Ke{$g+JzJ%cnp+rTYgJLqOpHwXDl$_YWK$xKb
zZb=S@xX?b!!0&6T%pHrLv=yI4JT)3!7ozp=RUp&7BpjxEc2*=}<R*Rks<U%pvv2!-
z;Z03^+2y=vKhO)_O~rty*8*YU=UeUV!~`HB=9iT0#to^)aZhA13+#AE-mn;oi8h1#
zyL+9ar4HbndX<Kt6841=1FsCtZNZ1{&Pk#7G@)x-=h4~d&~FKf{CP{W{T;mp?vR|)
z5lNFuEo$x0@9pQWW-`2w@F!7=#D<M$fw!BUk)|EF_cP{e+yy%<v)T~6u%ABLojaG<
zUMgX|#w2)JVp|rk;p@e@6qb3Hkrnf^7BcLvEe5LA)NQxnys6sJGpTsCyDBm0SokUC
z0<@f`PWyb0bkBh^{3EOJh(%GPQ+Mg>WH2MDZ&S!z63J?<i4hz*7P(0;m7!wataE?`
zk50z&!NY=bM*SN5qW)YG5pEjG94XoJgE-M;lp0Sn1{C)x@ly@ii{$Um_h;{CaT&cG
zEk6->bz4NZJa(tjNuG9J$9$-LO?uoVb&Y^MyN5itS40NycJ5E1jP>X=xJ;_=J0)SN
z+5wynHZNw;OYY{_FGD8B-D<Vf|EmgI5t}3L!*=2T*}e<Oxeqa_c0VaP36aKv_URF(
z?v7Ja@`nri{yIbpxoCr)*`TjOk{!fUz2p=cr`<P>s<4LfJv}#m>bhyZ(&Yy;is^80
zq-yB9nWMf1r#vUVq$^n*De1XVsX~dRHZwnWV7VPSt=`@Y?rmmndtu!jOz{@>>#R^G
zX?Lt@5(~<W4rTiwKrBo<iHl}>GXK=t`#C!#X)Hg&A!~f1lA8Ik=gQB!ERkvAz6y9Q
z<H>nCrw=h8i5zy1-*U$yqI06GQFs=&P^;@~FW()V#r&eMw?EkK=sj8edS2WZI0m*{
z#CyN-GK7J(kXy`H<*kmP^;3?0vgZ>Q7EX&%BdEnV@%ZVxsRihFluGB%K4G8#BBVEF
zyiCL*5aO<m#Q-7wyYa{x#~q$NoMddiry=^rw3@}O?8zeE8Dnq2n+(N8Vz|&+BWnF_
z;4fpytpi3|V`0ZrEb35Za)|354?$+uJp!KG7f8<S$3&lB1FFJ{D!J)WP*SI+u2K+{
zl^uT`L2D%es{ch^u2S`%`@tgB41PCoYn=q=sP8R8q@w)(I<pGjBisbb5FrITl*a3B
z32e((6)p%I6ODkdxLdXq7!clGX3fTLt+OeF5CY0G#sb{(YtL=fH15?bym+Dci|`tH
z->5~gFXQCI9Td-qz030!M;ty}F2<=;#Wce=M{+qvi~M29i*enS0(uzFh;)%8hn8Og
zl*QEQKi`t3(`9<z5JPjFalhi#N9hqm(i5(`9FcYJSw^|wcB4<?Ki~&w*6xv2B=zee
z1e%81;G7qF$9$gkFN=fAyY$G1*>O<}4~rGv4G(}WWlGT@`5n$}6Ju((%M<Shl%DZ>
z!!zO{cIh<Za*MvOEiY=^4-ptiPY>-;(Das~XIhWlBz<=u!#`P6eZ&eGB~Le?U@;T^
zRDlM-n8027d0Lpo9_+DIm@8C?G*?KA=Ts}mq4l{=6ic{Y|8R(fH`LJ#2XAS8|In(!
zHbMLPokHVGmY?z`mQ3?sL>tM6eN&id3UrOiZsLsDq-s8!J>H)QC<wz{6&zH{xRzcW
z9S2+Hbg?l)ZbkU~mhHQ!9b}T6bq+&2TSiBQH?uQ1QPRn5IBAxyc_Wc^eld_~nKh?C
z<=ZdLhY-mZoA)@0Rxu@UOx8fCAkX*E`q)r*>L}*CMB>|Y^4vyO?t?Ou%8G|mY1j(A
z8QebRL<R|^4#f$?CAp(YpK3!yF+((t?fOvJo|FrA60eLwuXXo+Y~dzUICfd`pjN3d
zSlS(XT~A3Hd$F>IKCkhYD*F=kBCUS=us5EZ+C9+9jJQ=^4+IhJV|N9$L9RN>Do|$8
zKn}DIOS;dyaA!DCK^TzfB1C6@=mA@aVyK_8xt^NO_VGeu;bhC5){U=>gU0gGuS^*3
zK>G-n2h1cL=3D!Z2;MT@W?Wik9p8oWHnhs*-{NnR0o$wOquuGF=W%J<`BANuB5T&l
zz`@T0sb@p|N;MZpK{m6K{4!#kAOX+r{;?@QPRzC-jZ^PEUoWMeni|xi`YRXriE``N
zRZ^0(>Hyu>0)b9Kj_{VTlg|30M0C0=!ouv}FdTJ}w&s{8T?CPu7KB6)lPcv&Kawa<
zOGpkw^v;Mwn!w^=Uky`Vx3jFgR^e3UdJ`dKf98bZt4JR09`L}_=QYZuM7<7E?A**+
z4&BNMQI1s0`coCkIOwoUpk|%5WjE#bxXK3*laWG{b<?<{eR=*mkI8If8D`<~z8H_g
zTzz2e{gBwyHEj=P2tsbrV2=Mmw+xFL0M6W0rhZoHcFn?)#^cq{8$Dh)#|%#qOOOBd
zVCYJb9ncuxZZt+*D8?;q;)uijKxH)z>vlbwr+e9<;|d}>J&NhQgfAFM8TE5vx5K5V
z2tcHtw?JjrK94LXWb#e#ut+n6y=%9ux_?hg<|NQ&oq&~*-SzVi<%chYOW3Qi7@1qV
zuhA#FKbf<9$zuKaP11nFmItNbW$)8+yNU-##INOBlDqy$JLs|#6QuZ0*{HwphlNGA
zq}@_Y{;{ZzK7ZD_M$w?F*PMF>GL4`>A0HWSVQy*_9RpA0*}M@(v8PwqPh`Yd?x3>m
zMJ6<+lQ^al2_ZBEHK?srsDen@vpW+BPCpr)GitHRAZqV5S58WP4LL!WtXW;s^Xe%|
zcpOHsK@{I3_}W@>=P635Axg~6MQb;{G&!WUdHCLw9<u^r=-a?0Sp{rR$_Rd;^<iZu
za4v<ow43a>y^ABtqG`i=ayD{Vy&Z&B@rqI+?p*Q}Latg;+?tMU(*){MR(K1_jdQe{
zmm5*W5iBO1trDE1njhv$r9+y?GQa#BkK7^Q{%p#F^DJ?8hSycB##P4CeB=w$>51a1
zF)U<b9}<aLz-!uA?wa!Lb$CIkZ&yyvGBko(*uG1;yk#}_e<h29rZ$)vf!>ZrNegjW
z7tjQM@q6-eP&e=PwdI%2nz`~d*)T@VJCGMmW)uQ_W%!VgUMwj7D;D<Hs=E(~+_mzv
z@PZ?KzWp%rka-lo$cK=`FH|kS7NPp+oliFw)30Fn4ne^wo5kM2QFYXu`^h|#1Sj-K
z1;E%Aiz9!cQ$VuK2~c<3+gqrt?m$zxFrb^7u71kGkBx4#&|$%QOW<cf^}WZQiRBBv
zh<AXG!82;7JSxN@;kx`)U+I;wVUWiI7PDGqyi18m$4c2T8;83;`9FPI9Kp)gB>-V1
z28cRB1pSqNJAODIx!pW}9svTgp{zBv)>I<3<v`e;NZiGf;24T6Z;tj}#^9Il)1fN$
z!=!01ILxPMII~mzx(a9B653EZm#R@2daAI~5JLiV_&;!Uj}2qUTwqS!0fqCkg;oOP
zcf8h@kZK^$+51)EEehFbz2v2O>A|_#eiwuUA3rJK<&CAkfgsiHN0w=Gph4-*jwdma
zK&29T*<D|US^J588U?reuD>A1f}G{3wa#F=hAS-2bkR-4e{)V^jcO_s18UCubn}9f
z!L+FM@u@Tjf+bnL_qks&wtK-gBzI25w+>Co6FdDb)widhA<^A~SZokF_0=W8sot8N
zU|YwP+df}-XkiAHHe|$x2gTsTb*}ta4Xvp7!-TxvJ;*^RGb5!<65CI5%mKCOsoaI;
z|B0V@5h?PBa2viaseC47zXFsmJ|PvMQ@21vP3(8wvOl1H5VgR!9q#SSHiY>Zt?rBI
zcxz45f}A+%0I#5KCw5IV>!Kh!boM|9C<Gn(;YuAhC1+3)pXQboDSuXxAIuhp6j6K#
z1+>XS==zQL5JPH}6ssja2cf)hTA1HE?b*{9eJW0+@6W}1)E102aJ10JHM3kr_d#f_
zcKR*Pn<Bi}6%Hnp^aK^{Hw7*ZmG+VzCWKt8lA4wEhU!BlRz(H5T3a`wX|_(U<+IJs
z;pD6@OC0KhRzFm1_SCY_Blxq$+~RJ7ezakRFyqK)vl{H!H6QjAJz}7;d5Gw4WAEWa
zW{)5BnwXBUu5}4NckF$`9(fx?Z&b?uU|lzECC;mwB&4^3cZA~EJ82c<Ba;F@WkERC
z18T_GcQV+Mg?f*fwmC4aFEMI0xa&d{Z!JDw4GrYtcTUxTCNHw@krnKHrun~WOdsEc
zinA9vCBMiQE&{ssO&1MBRPBF%$d8Uss+svp;p=#MVV!(Y!COSP?JGbg{FlNP<4y@#
za3;zrZ0<rV@KNlHWz2(zDQ9PAzz_Tm0kJa-Fi35B_l5N>47=TambmR-U#P-|K&bfH
zP=3569`+4BhVgyePCp?H5Z3J!-nyPTD%^$-0c?ua4><dYWS>?6-laO7U1ya3Cr_zl
z<7D&2INhTspMP93(|Zeco3caJIFISyKX>mPeWw?|Ow4=Y-k*IQp1kI88!A%6sB))W
z`xZrISbM`21tLba1KAV0SvHPg<n8BoChGT`j{x;+Ax_xHi{-mQz4bFSHIVJ3!EQ0G
z5ysu=hAJgfa(Z#=0jWC(ilf+U?_??ziPdA}c52~A$yE?E$QG)#Nx_uSqn@TE&@Z71
z2SFhlkymg#_yrbpmN7?ddy-RxIVv4E^l2xh5VIxlrBvOHP!as)Pg17bH26PE-ouZ`
zv${s5crV6j&m=fvGOSgL(F-bwquTSjb9^BPSaJ_9B0RBVnsJR`(aed74rPWLP_7#v
ziRz1|{$8fpl50UHgLMyz6NYd&@YgN}_Ce{r^6lAAD?mKU+md^>+sy4QZ@IZbi~$8T
zt2j!@5pEsNDzdCzJz*RQwz*pzXb#^9kF1>o4qH?c*X#>&#*!C_BczH_>39=%My>_U
zo0%7ATJv(J?Jj*PfYTEW>7{U6B3RRhM3%ksXGCGQ<z7%ZfZpk>#{=g}r)izJq#rl<
zmnarfU&d$pkqF+6P@m8v+#)MTnaOyPdF35A`bBS&1N@kgDBCu?L=iZd!mudARNSDt
z4Kg(-<;Mrk2=uVU;#$AZlN1GqTPViAyHE@Gig^G2_7MIZ=uSqMPx3cs0@biypBHza
z_4LcjY9}&5VoFN*h&&-OQr{ws=3HOwG&byF6K(Ot_#evGz){pcLmkJ$2mCVKh@W^V
zDWrB_z^~))X(VphJM^*6Ti-7FC=sVU+cg5rT<XOKE$|fQs;q}2%)|n#SP4$gthW7?
z4?N^>Hp^S@^*4iagn#S#)aG1a5KBdFm_JN-k+?{=PWjT=Y#<Ic$t&3m?-QZAUD3W3
zpWkq<d>U*sK^x`FUch#2E!p^F7x_W%{4}z%{SK6~a+7Y7DR}2l<%ohj)QlMQtE{hh
z;oXB{LPF)2d5oet3nh)>K6GgKIzdN|It+o+)^jU%Qct3gjLy}r_2ry`5uaffc1~+6
zd{RpaRQtX=;DNJrDY52uNT8cU;c3tRJS``g5xSH>vk`en3n|r`YY&Rm+<S~+O75|!
ze!p69mxCvo#VSSTp7D1xaRcFdkgdsZ$8I%H-(ARUkoN>VHn+U*BI!e`g{fNz?8bQ$
zgk0jF)@|tQ$JQVAz$wu%8d@45@H?ZN!;;>3&-3{OO7pR!C~-j^=*=&`2Oe4|?7DN6
z3u{diA~wAW$NWF_K%m45T6Lo%|0@P&2%JO0k>7`%Dfd7`^C471w1QZm6z=#|n`nu~
z<8d^%7IQYYN*dJ8VBRyl)4;iAaOzuNe*PJ-(Xp|V8+Lz%*vyPa52YF~s^*Zxs!<Q}
zQ<jXmU#M2_cEyTxL!%cDmt2AF2N>P8n<X3gF@o7=sg)0hS~)bkp6h;VN2WirFH!uw
zJsJF@tGEX3mL5+F{KG|!r=@$y6FHu9jfb%bi^Ln*QT@Spd`jw0+PK8zvp?W?hqjcs
zeMI+BT(}N(R>cL5lcTA7_O*j_{esI~b33RRIZhK7j~TnMIHQ+nInbeDIu&{{0a8`@
zm3#T|eEi>&YSzC4G1%H?_hwnT0f)P7USE%S!I~$;^uoa)lysUD%R*z>3p|`<<v~4i
z$XWcy$X2qsvRe^}h5;Wf>u2e^2AsEqQ)<u^h%H$DA6su7SJm_U0Rz&Yq|zYW-E|QJ
zkuE_Rr9-;m0!lX`h>}-Ox}>|gG+dC9?v}XZrJsYJkA6SD=XuT_zCg~|*`3*)o!yyv
zk8!zam_f;dp^kb8?;bxZ#X36ZA((9>tcwx%tZ#wyy~NwipYZ<8@gLp-)waOZi172n
zyeuf7rn&fDe1!tGus!3!6mUVt7z=(d#%JuN-PpXSb3!AbC7JT8zyLZalfV2BRW(XY
z*zW*~VS>$}f|kHjTtt3sg*$---p1VgV?<6#y%ct14-rMRQGVEx^TChpMBw0mXDL21
zaKV<=&p$$*t1Sm1I+s~PzN0gp%@#pqo$VwKB0kS1$nbez-+Tn=-v9>j%5=f?9(G^`
zDPn-QJ2$l6-rD;6-G%B(keXCuu1{_|{@Aq%x#LZzS~!ZsNW#fW)-i#|S?Fx`D^g84
zuBOAP%kO0g&N1S#T<x~kPU)|B4yjCSU-vx}k-m|Ma|ywsfOKs~V}aa1aTzx=Gv=E^
zBA)`<;X|p0Dz}MY3XZMM%EVKfrzMIOW?-e^5|n|U^J3i!j2Aht=H(t75Z-6TnKsdD
z4m%Y;OM3xfq+&u#e-!Lm41bp;s675tIXRa3djWAdW@fGdF6g%5n&<wtA_K-|tR2dV
zF0t-VO2g~UO+Mu^Y(rj!hC=<yHw_LU(WwT7v5vD~SyR&^6-HVFF;hXQ`mkf2D85_D
zDG2zrPZ)P@2HIaBQn(2D+THR=hKtNt*B<tX@cz&KwVlxbHdNxD`K(^v<Uf?Fda*L2
z(UO#Kr+}094?bWyUn~;wDt`lSx1_}bIp{eXL3_34pe}m5D&oT`3bAmD<k-yS-pxfK
z<OkWdebI`VF{d;VD}XWAiw2qPJI)*F;kCeZdVoJB=JJb9am<z#Q%jDbCJ8hPxN!36
zx~p|~b6R77d)Vb^h67*M#e}FV;6mc#Q6xII(D^5|A+{OQ&9ylFo>D^;!0vC+PEk^N
z##>8_Szu}CATOXqcKKr4=D!v?2r;G%3HQ8!{Or23B`Sl|vL^ZZw}aI3mtV3<>A1$9
z;F9ts*eEbD7zlPVn>w4WD2OH`1qW?QS)+>&JDr9SQ;WGwP(qSd5gdMdbsO6|JCLOo
zQQ*Rki2%%ZsmA|s1h^++ejMCuaT1*0`h39aLUf?^Oe0nOsK2^4rmSsA%C3ZW2RUh&
zL-Dy}6_)?O$braWh3(52z;(gdr*nWsA0`oEW#(=MTc&bz9gQrVBzci>vnA@e@#HB{
z^+H)glIjP*23I7&-^AfzT`56Z9965@foM9Q+~kbA=C?_F>}HT?`pL3pycDE{h%_~N
z=!q5h`eIS*U1X!nQdCsPREiLnO8jh7GwC{TIWyYz&^pYeW~x$e$A5>hf)-+Yu+>27
z_l{w!#9`4|(2tJMsfeErag3a?<EhMrkS$6uybw6ezIi^Me6WDI#NIFyomY1wT^IOm
zorL3{EjL`4mc<h}*Fc=bvARWO@1@tW-@&=V<?HRz6X;+vzol8<-_sHqBDx2p@kOzH
z=`aEI`^u9FOc!Cf5u_Fj55iLDGkX2*Gk<_qVW3*4_;T>i?Ae#sTRXoh-oXZtAs<!}
z0Iat=u9Ja1V9BfGjo)KKg4Fz>-t+{r4;3|jq}e#0Z_m}{8>%CFwFZ3{Mh>Eh8i=jb
z2(p>W-yy6M$kL6lq%$woM*>|d2P;pKqbWGZhYYY%<Mc{yec<0rp}6O&eJ<?Kg3`Dv
z?xnw(!u>}1yI2j;;d^=<j+dez)05_A0uBV+bS4LMYJJ_dL}RA`6NkE}`lYcQHj<IY
zjrxgR!E9S>-RK6G5bcvAp<>kj>}4{;>i2DLi`0kUiy{KY?DjX!aQwv2a^Qpf<-7=O
zc7qYjj>MkK^M+uums-hmgq_RyA-2Mwp2V-Lk!Cyh9!G9|8fdjzf2+p0BU_cN1AS@b
zlPKlC<>DssCglfi19QCgro>2Ft_R`rTDeH`v&>u?CJL~vt`SFsZTO3KLS-+TuisI=
zQZGu&rC_$V<xyhsy|LzDBV&9fyny^uZ5ptvJt=}X)-@hz2~mkW<WZeW6LUk%o&o-l
zGvJISjwG~>l0TR@-tOt@lKb=X-|H-8bP#={DE2#n=Dc$C8o+^t&2f%_9FzYB4HEAC
zkOmz2SwO`3kPo3{2IG6!>pNeJ0lFqZd!c*+An-2XIUd&lt7#p9>IuSj$GKwIEWUGt
z^=f{iUP)vu%AaKqSz6TE2-pgyYKV^IsY#tIK9glq!}4Z+C207H(^55lMx?%HkJT54
zHG+sy?Hv24UC1o8I+lFC)P;%fR#mw_Tu4hyTPjNj1#NWNrZ*cS2EWjv@0-=zQu+^i
z{DyA68Bv|&+B(E2Ah|T%@7SxF;V+2GFxxCeVTQ6;TV!1C@lqGvW5QDx>z(B2jQQ?C
zk|pL}pC23Cn0jZ~y^rl&iP%Xkx{P+K)_HjEom*-&+Pnb@`?G)%47cgot@Z_uO@XXe
zNn$_!;GeJpyku+MxIDycibA~lKkMKP*^O-AQv_0vO_V4oH%X`c3e^@}Hj{Ahz;X)(
zqRZ;9GT$O%)vV%LIyryUX!eQs_9WLof8m&Bfx1V4Bl+!@Z^_C;?u}9(7hQdTqnVVn
z<L|3HR;d)03HIm8#0SYsfp6vlD5Wc*1Bbx*b@jc%u{D2nv+nTmaSsN>LkJg~qRjMP
zqqeD$_Na{+yZhb9ool^dpFamFuZTHjaWvH24wrFe+*}j{_g+2)cH%|;l0=J=8L#JN
zW?6zVh-tvW@RGC$V<s+r)3!`%@ivFU|9l%SSfP^4;2v$xt=ayKQ7YyN(gQ2(RULPp
z$Jid~VfA@I4<1z#z7Kp9i7<<Q`#4Wm;Bok(CWp@4tgP(8UhS0Bu%q`H{#ROi7aJmK
zucRb_{TU|iM6lPw%e%<le<D22JQsJr|6CKj=}5T`86*M~J7`_MMEvTGh4rLc=v5aK
zxO8t|8qAnzMkv>e39*GfH-mn0B>|Z<Ul1dIJ-u0}5yA0&-EKv>MOMR{(||r&m*Y!#
zzjiMNRQ6B?9~7bnz~J9Sq1>Yd!ZmcxP-xs!E%Y>q1NIQVd?ELJuiV(7J*hT0-U+7R
z0y?;2o=Zo)N1pNMEw_lerlXU#j>)eyl>03#UujEV(cByDU31bYN7K7jz87u${WZ&u
zgi@r!85f;8n3>i78*=(usX<f$_m_x%C#o%J0iy(llfIfa)03{PU3DlCM+Ir$xGgf=
zpKRc1$kj=0{ODOVZ$uvSK<bGa5Qq}2_B{s(DzuRWJ`7PSoOu!E34XRWdmmz<XQ{WI
zH$yPrc%A06y1w|d5*AuuCE-oZ7#g*Y2}Je0J;0g(avvVYU_$O9h1^rOMZ`hk>8cqU
z#o>@$4+8|{((;<`2>p&9#QE_q@&09WZX~m^uVezLDnj-z;YWht4DlAOJ5JRch|W<#
zoX70-l8Uof=-y#Nz8dXFMly)r<5kCH1_Pm}?aaDbKxd=KL7#?7umG~-oM2Uc@chp?
z`1xfljH4e&ejI9sxvkqjUG5z<hHZ&C*KhF4S~AT$&gZ@AHQ4{YFSusnaF=oixB=Cg
zmaIM3cm|kr;@63YQdfn=>c)sbR$D#r!h}ZKeiES{JN`wNQB4hc_H@`CNWYlgS4rto
zM3q@;D3xi-8QLU1!_mZNja)1-Uuy3^Fm?IV?7q!W`CL39?OOr{wX~u6&;Xc*;pifr
zY^U#ojVVTb^J=G+Q0-u6E>K=;5OHvP83#ETs@z@sdid`ACmN@hs|cJl-c-{O`(b6H
ze^{5~TE7qy(!r;upaeFTpY!M6v3Gj;3Qo*l+Yhlw1$tzFiNTK&aE#}wlG?1WpS(=M
z1&I%zFb2Vt!5NP3?1*3AW#QEHn#$WMnSn`@`@;kFxAu3zfbvZAJ9>qw6s1WGpE<r{
zJQ-}CP8%5|G1+qfKsbN~=hsW-e4P-v4_fA?y^492&>>Wt7mTP7@0r}iijF<UmNSNU
z6iu7IoitzvlG!q?xLb7cJ8q6(N&_I*O^z@63Q1!((a##XgO+3u^qz3JUp6FV!s;Jb
zK&UW5IBtGZi$`t}$pC`Erni|;>YC#@bDPymiz5d-BG$(rbJV5#cRa19wfqHutN{`V
zi8KcHybVyruKCh^GnZP*%8ZLh4jV43#3x*?kf|e`gSz3difg07FwjmNEHU`Z&*L$I
z1K<TS$hRpY0_N^)b<lMr`-n~O--c(knoEI(Z+Wk-1G^r^LkHl|<!C!o++RmVHsSES
z8|JnRFh-V(_lDP`OWdIb@#wn}ZVIsKktM8Rkw2hu#Z_e;WY5_{_pL<J=pQ~<N?J?+
z(POo%iRM*Le-T<B>ve%)&%e1f?dh+Bj5JRw%G<2gC1A`zc5CyZtBSdVx2wpMkK3v!
zJ!f{Lrcypj2)4d)%hQgGa#o-~rjuN9^sKl@{waimDXd@Gbu%O*K6s0Kt}5C;<>rMH
zI|;Zs^~QAH*nuMA9ZTeCq`8JSD}i1<oMa7iMd%kXwn*z1s*f*RH#^aFNU+Pg_-_)z
z>S2BwgaXo{Huo&}PsslJzUwi2yWIzns)^gBqqWK3A;w5Zb?sKH7RBznO@GThGTev6
zb(`(`#qcV!{)sq$&ja=!*Z-Re!WRbH5T`qx_e50Q>A<_EJOnm*whWY;DHi;bO7QqK
z0{lr6h@elaIOF;gU{2-;{!gF0;pgC*iM@mK3IzE4Pm#+KsFj_4v3m^f-wc81DA+=-
z15ET!#s`up31nY?C++A0{3l!HN!P)--->HA?H@uBB#`2&rZd5=@V~M4&q+Zo0IhS|
z;=ki^hLaJP;r<E6e@+fEf!rmD6uYOp&i)zN2ax-WFU0l62;6-2Z>GcJNv)cyiGR5M
zCnMxZ7trtBG}q!PpZ&kZH2Jtd^rq3y>8}6br88X5&dAQlbtwE#*6~~L($RTr_+^*X
z{@kAg`^PIlTz>h4%b!H`=aeA&W&drRKfMByr1fvhJa4&FgPf7V_$$2=Jn*H}B-&Jj
zNiZ-1USWKF%G@SL=}Q&4$RV7+_|8cSPD$*H<K0jj*>D@ADkc)eB^D8Cj729rdvTg^
z;O5QxO{Lrq(Tw$%HTsCO=mHzPB>Uq5(`aD7RQmgu*-opL1rrtUsgESlzqt}m0+(FH
zNO4ngdMzvTQlI=uIC=~{Ad|69VM>K<F#QSrX8<ygZ8A2Zpmc>hV!?}lvMrw2F1hj*
zRO=YbRYS@-{#LMLb#ONzhOz-k#7Rr8%fKbj@5d$tNUcuI={1d()1V9~c2G;NtMc|}
z-2WL-IClY$*_pfO9Tk?KDN4X0**C0rfw}+l*@OuAL0AW=na-qp#)dpCc+Vlguj<Hd
zp>}$AqSR=9ZvrB9v3~x_zR~~a6n5x!cGEF^m4Aun;m;ix2LUxef42f;{uC7B%S`Vh
zBs^~%QrX10Avd!>iyn}H9OKR&;6k`Fu0#g%A(B^z`}wz*WWI4NH71Du`MHKlf^KKZ
zed4|HN=-An=^s+9ZF1NliZm=9_%`2<dp*hs(>RK?^;t0e)HlEU$j(+rlk52wRT~~9
z7M}MdFbMA}W>(;5S(R1Q7N?7+LkN7;EGciA(xo2B_m_tuxDfFEOPy(tBM+=O^nLQw
znHsz)j{eAQ;m}a#sHfT(+{z3ehHR?sO$M6+cndU+vU|Pr&d=rI#uLilykTN^a(!GE
zFZ3^p0n(Gn#R`@;DLKmEf<>*C2w3D~ddYCvs)8$epqhK3+4VKSU_X2A(xQg^H>*oj
zgSj)Q5*$Wyw+B$uo$U@BGO$nSeCr}<`af9^K%B7$!<rit$TLW-gU2lmkvRFIKCtUz
zdg_P>T!1_*jz+U7nx=C=7Sr`ma5%r(QR=qtW`&1OOpsTU%I7A2akRYXdOSfvZ>IX}
zr5g4}_u}{de>+;U$p7o;oZ+~UI70Tyzr_OpxbU~=`=T+=mAbTe<T>}_($g<?+bO_r
zFgiHB<QKnJ;pgh0v&Eyuf~0qgL7^s`y{k!z`-&znavQPQa<wE$SSJtr3JT_LC%7(v
zkn?|@-3f$%iq=X5tl)4yv2CMJ-7Yi;)>kuE@|CbzXl$sLc5SfYlzuPC?^;7g)n|v>
zc&M5AWwwEU-aT!u#PlQj_m?7br3_V?u)Tc43k-;2+Z>-@qX>u>01DDMadD7H+)~>}
ztEwVx`CT*lj;6H`T#r}?*Gw2On~EqJUPCTH#kM$Ce#qVop3XW=ZRSezK41+L|8Vqd
z{!A~`lUn87_uzz<jc<E>^85zPt=y>gZ1t9oMnP6|!&A-q0@s+sarhm%LjKmQ&B$&@
z8Ga=xDbB45riijue4}wutHHrYo`<QakK7X%g1#IMtbE4)VJ6h}(5v394XQ;q*#@QB
zC1)^~FbgE9Nt#EmCnA*Y31wkHW0o&L+e-}T0g9rCtTOMryIZ$a5{Rad<CM0qP?0)F
zYRA2UW2TKT(AS3ccQT_C>(x+Xt#`vroZ7xsUKsht-qUzth-NrE&qzl1Q_30Zy`3f1
zobYSjgT%?ReW|(TBkP%1`n~z&&+8kHJY?LmErpQlK<~T(zi_?l8N9)hrqr;h!sSHu
zp$a&&Ad>>=#XUDE_3QqZj@(Ag<8w7nUi2ZyJu>?GUd7-65Fbps`5o|IAQz+8rxg%E
zFvn(vcBF7$X}^yjb=f}tXazGyrgFV)8*RE&6|2i#E*ty7^?<aIS=9)|ff;RkI$%*?
zxCPtR*sGEuSC~@Ddu!zD1`P;|?z1~ERk)^2gxdLrSG$Yhh4eBVZT5pgjn+KmK8Gof
z=lUb}xkUUX*uuG9Mc*^h)RIE8rs5HM%O&ed%ELy&J>zoS<@aSQ>XYNUSV!A*v^2w9
z(<|)A85FIt`uo27^Fd6RYwVt~T{_V^u>VzNVIludnU??j(lZ0cN<*Mhxi`F-DyOYk
z8J#Xi0mTT{-NbzPEP2TBwLqWYni<5aVb{x9OTI`<Ri2pQBLHS1Btp)Wf_^hZ{*`Xy
z^hkR;^gKH|z%tDlNrRXt@XO=HlHhctELslksQ35+$SCnhPwDJhzwk(-qCuUJXL)GZ
z9;d#=?4u(+b$<^<&X;jAuawp3E=y}z-!$q5sZ6F0rG8fToD?)!^BoeM%T+7fk1NdB
zaF%1G%n(ohL2T9D%TOgxyHOkMYt2l^wR?_L%;ZWeZl3mp(nUsb)xC@P!A!r%HzwTd
z>n}HwQ6d#u4K~pYi&SvIblZ|$rUx?{s_USgakU2lh96D9KL+ZyOEw3`nGSC-4D3T}
z0wL)aC^CupS*IZ(8J8`W^N;u|H+QRC*EwB2T_IKiZZ8gqHjbQ{)ucn_oAb^5J{=Hb
z?4)a__Q`<f6GVdJ@_e6WF{eJV9P;F!@uWl?Jp|QFpO3DeH*@=xUo`K}aca?uOD5!(
zHOM~mT8H`Bl#yNMd2t5`DZi?sI!!iVzj#2Jw&6`#$(Y-8HLd9|?<)Pid-YPtdiLS%
zuXB)TM^5^<ZS_c8<z1nQJEYaSf5JalfPr$u8X6keJMai|*?w^@X;jweYOg}fW!DdD
zn7OfHU0%Djm=zL6EQ;~tk-ey*@!=S*JA-<s9|p#>krV28C0MGL6C5`pVMA0IeDO$!
z@>D_9tLeA8Ridi&URW9796#{8-D!cMBz`W|ai5t;IY6-V%e`EP|1uj)P{KE*6k#r}
zd=_{ulaga)_MG-w^nj1`8+v`s+w-1?=sJY#Hp70LxvaP|(J7Y~e}+L*m32(Fq0hHh
zefL&=o!g5)5HO)#d{Nf)Ib1F2NHCywnW#6tjRuEECcuR0a9TdnGYn5C;HY9-UjKii
z#-x?S;s=d#HzSq<0|VI*CTo3&E3Fe95C0977<9UDw*2a{%Q+}BAM37Z<5vt4*PhWE
zBDONmPu|x)#6E^bEzjRsg#ppeAvGNZ3lbL3c|Xm%%g3@4V;t*68!Bf|(-0fL6%HPY
zC?!@lwe0kFA$+JM&93s>SlPSG9gaFRWG7Yh*FIEUlAJyVzm}Px7LP5jr;Xi_A%w6L
z^$9ds^MSlGo!G~SFATFdwiEMRA7|ys8Nqw)*0xm?;+Jx|@{60R9cK2i<;X{|5;BUl
zN{I+5H9Q{TWsx^7r&JsMDAEoPk8<;GiwyQfH=>$E&eki_egM@0)5RyImaXJzMm^Rt
zg7^KjwVWWHjf79Z9_nR)sC|Xtei*T1Hvw3BFThYy@YyvUQ>;(>DOfz6I4nB(GtE|d
zOt-YR%S(h<86o6Kp3dqxfyFoK6Q6gX7k8}x(V%GK%M}A()3AuSa;GuM_A94_PpKQ-
z*@lijzTAm|>&5Ti7B1NQoq2cC7>QCFT_Lh?V22=-ttF=%UfKj&A6xfVbj9%d%flmr
zp<(>hufiGJ(=0+AY%cJF99-D+-%aa9_dvg0xu$+DXU{ci`*<xqVn;-Pg14QMb|{_4
zMZpg5O@AVgGWcG)S4s3;fAWNlBdK<vAER&@uceDN1Kb<6_rCBkp7-4nmigHBB3YDK
zH7)WPnD6z-b8eKD9*xoJgk}CO_<K2n4J-r7!R0Z|LLa{IAGwEZ+V_g^Q{`i6&<Tbv
zCkzTolEp}{)bz1?x?GJW2n?PUTc1emie}>R5{cp8ev;?)nN<d%L{6e&iP^ajubG>%
zfHb&1I|nMOJ5cwHQU{W3NP6zx)Cw$+P(4vOfY#xt1b-Rf7{VZ7$n(z)`R^)CWLY7q
zcSTm5lkv~mv}YuQcr?hra6O5U8Vhg->a}0RXqJRl&f{o=k_f|fpI}N<IBnjuBMsYj
zjmb~{&;v?r`mjDNsiJ~0jAT2p9i5D9Tdfi$(W%gnnEe?E6KN4DRFgW)F6NQ^K`>3|
z9N3(JS#8hTJ493LVd0Bv|5G_pF77GiOA8W+u+WzO=7F<f4x9)QVGO>wF@Pz4+eEUB
zQky)A*TLE<>bLdmUJcp{SF=px>BWoqh}&LY=kw8UArFTsm<aM*VPG&-<;z2yC>?51
zpJi~ikLRA4^|J3Nwds39?Oe%q-v`(=YpiY0=m`gI?#cTpt$*Nz`qrN7MgS#A9`J86
zP5%&Xs7ib-j2!J~)69MU+LgO8pT_L}OetPMh)oNC(~BqP$R33#^4AVKs<LSmeqEn1
z@UnWDpLAQyR*uJP){3%^x)wgY<Ky$>wXW*s%&v9?Hu{+C=ZzHqTRMg~W1V8OXGZ#h
z5NlY=klNE}1qjPK3L<!KN_{lZPkCGdFb9o^fjHJw-eStMk+S*oZAD+HJ?HyM2K`vp
z1?0=MY@ZOFRbIXNfw-cW{M*7hDKVO0x~f>|MRGp#fcoX5O=f0NhUXM()Su70w;PIR
zlxEWpT2vbG%nSC}bm#Gx`4^X|)i1`4!|hWunJpU$!RpqEwsbKLu|Km-`1xqe=5x8<
zI7Uo=Zzc+j?Wr-S>5>J5K-Y}uy#rR*pZ9uSAuTm?|7>1)n=XbsS_CowKOD-2A!IX{
z%O%;95y9UjAak-}kHbE5onJ<(Rqh6-RgmzJ36QQ=l$){qO5djx7zw5k%z5v&dt4+L
zmTMjqlJ;KGS_>Cy^{mgOOQGqam(<0M03+x$&5#gjCLmO#1pAqnyZjDW6XNR1<Yvw(
zj!LR`RpTX?E5IsfpY7C5AcnK89lG!AxM{xCUj3=|i|X!0-uJo<tx#)!GFN!SMSTzB
z2}fmm-u{i~>%nPGLnyJPk8GalXAQT}Rmyf7Kdo+`P{Ralc~T;H@?on8I+jE|nH=wH
z^m~|Re$oqLywApuF18CRc7)%^x4`-fpgS9S|3~llLN|hX5W#yK92`ZOFJ8Qe@B!1M
z4kxJDnBisiTk1ur?IB}NEKWTw7Mqj6A&AaMlTNMsK2bHN%QkUujq%bXYt!L-3+mS}
zV%G=QT>#tbW0bI5TzO@6D}_j3bjIA&I)MO9-i{A>PHA`$I<l$}p~hB%zf3gGiw*DX
zf{Ylm{ETAs%5p4KZx^NQ+?c9ZXs$aj3Iyw+N><tSjyqF{kjDsDT^8@n1a$Jh!^lV$
z4B?L_-^uB%S0~C+vYv{7;nn;S`icl@Lu&UkdFu0wx}VjTf%isQ?*8lR=Q#hBG>c9C
zj1qTK<(Dt5LkRHqz<mm8UUKATG!a877Hpuo2Pws=Qh}IcqE258UQHyt-9(=0q8?bd
zrb9c`Z&baU(8{AWa;fl0O_mggy~bC=^@v0wtW<{P&a@NVat9(GRJV1XtRhCE<7n#n
zJDs(;;8=AcfX1UB)`GS)D#sS7FT3v6n-cL#a`?SN;t%K?Z^2UvjRDV&DvVj2y2=ql
zmc+i5OK@uu(xQ>&wyXkaW1y7=Z-m@f1(b$+$Y@h<{`l0`sc-<hs<ijqbyofhl!=Z@
zyYvlIlye%S>#>}$K=Lt|4EOQu86$%E(ZU4{#_bll`mYMrCe@4dNB^;LFg3C?YlhQ%
zPKyFvYI+bw#LE?qHIs^oyvf5pE}~It4+s*ys^oVcWk?d5JYhgp_j&$Bc?$&bq!+Yv
z??P>?rE1(JXT!M7Y6!Y4c7ie!>dtAiFjJ_4C-SDSo}wy#c#4dxX3)(@RDPN`;;aoe
zbl=cKzAJOX?P|A;KFY|~&avc&;zINkh%)ddo(xuiW$eeG;|}3m@0Qf&aF$C%)$CQw
z8CRv)OT>|;iuZeZYnqF^G}04qqXz-{akC*(h}Q>xepsk9uvzE2z)Sk}((mcLEpe;)
ztkRYn^cqu9i)+>YD|n4AW;ZK>PUgNjy0ePqPxaaE^u2Q%4Ubg;6ZYlJ@==Mn3(6^y
zZ+GTMP!t*7ecY_;+6VTB1aF2Pk3X1C<&msivD}E|S81F||N2WL#e(j6!Gv{K@EHE`
z=%B|Sb?r#+8zrwdtC{&<V>5ZT7pQMKCCD8<D-BmyaKtJtSN!U<8ro!@`p(~XpME^<
zlwGpJM3}C({CGKmhxO=^<|c?(*%z~kd2skD@F8w!j^`muGr7w4Clh~rI;AAP#Rl6h
zt<o}Fjv%$66dEU#gRi7)`H0~3HMYcai?lDu8$tJ&O*e{acfbqpc`%40G6nMgKjMyt
zDRI@IPGx96mg278%!=d&?FesLu@?$)9$xLr{E+a~KPePTOhqspc!Vbyq<}hUKMVQh
zSyaF=3Ek3zS>#+5kzipON!d`M`)8G@r>Tqq5j7U(-6ksYMOY?0;aF8GbROv6^6~A`
zHRbu;*2d4K;h;HV>G!z1w_JglP-g7goAtRB*WHoVHg=-HW6DHDdg2k%JS<bbW1E(J
zD~b&PuOs3BPH{k)56Pz>hab=TXBmqLe@r_5eDG!$W6L7xG1~j&c=Nt7QPRjv1o%}e
z>O4Mc^eO&)qH3k|N=Y=)Dr?I1nF^H|T}MSOr%^Mt+rHqBbXZ@#7R0Mpc3!_SbZ_{Y
z`{3k$!f?~L^3QtvmUI#&ib(z1Xnq=jV1(?FiNExVFBWNw6lK@8oBL5W=~17Gpy!C8
z0Puy<x`PPI|Idt4oTHnmz`g*>ywd^0v0AKC8>L=4?k->)>z^WLFLF4-BiakXiOhLj
zHV?Op;h2|l>VZ|xE4V-yj?jQTmcTc?kNnmZ5$cm<+E~R=V+u9pTr*(8ytXmw5YM>`
zDg`h#>&MgK&ja=jScWK5QzdI()5RsAmdTk=s|2PXNfq6&ZzZyU9L5_<(VVCFLi=_6
z?`WDXhcpCB_Qom|m^3YSGj-rZGL)Y>t)?Q>kc{N9gl!Iw!tvdT%-Q=SeevqHqH8^N
zZ%89TDYvK1P?ZgeI+<T*(Hdv&-H(V~n34#A$=EV|OHaQE7f`Qx%B(o8sUTD@3h2kg
zbCwNxAFI?wd(X4i_%dZl?ruCO%xeBaBfyCUd>Pl=<VHn@s*vmz1*rKV-+;oMx84R1
z2EjRxJI^e3w1#r;Td2Hh-j5*4Jr?KubMCs^ld@2k`Dv-@k3LaDSlkWZzF@lSxMntC
zJ5P1FS!al|CFq-(C{PtZ<vH^Pi0iYzBzE05jjzbjL^`o2oQ0QR{i)KmE<GVJ60`)o
zkYT3!;71VD9R9^nF!u^;@^P>5{l&6h9bRkr-HdR(XUhrMc9}>7=GzR0>)V2<asDoW
z(zOE<yQ8}wa&wS4ELNB3Au=o(l9!wt-8%mqM`yk}he=j0#%P~{oK4wZI<{L5V<y1u
zXU<$fvh*unaKFpA0soTC5K$aB#tKWxjz{0B`}Q%}FXU27_WAp%9zLhhHk6Xr=gFQr
z_U&EPP8|_yV?9ueWqko`X!o>cV;FZo<>(Kv30TE<gI&jA03w7(n7H-57O-e0_y6x9
zmCyp5)yl~SVwa9n6Amjko5@E`xRk^G)mydg#vTAyIP01&W-0F*xtxYQ;du+3OEV};
zJBmiOaeh!ra*D>wrO<4GmOePX`E1E#&}+V%6DPSP9-ug+fjOtXoZ#)k`Pp>~hwZp)
ze0NtbBwBYp^8y7L<%#EPNC>fD24U&T$YfssGORRZ5$f+92>SMBMGk&CHd@-P2>vkV
z3tFci2*9#=t&#un=^k1~7+u+Ch0j>qzO?!9E~YujCe8(eOO4hKz|m@0kZ?9QXV{fW
z44jsq1e|?xY!0jULgHjX$SyAF#2*c6-COSn`hOo(6@X(XD1a51Ais^S8GY^I5w2G*
zO*@y<2@MOEXP=|gu;n7vKEa=QnkH5Pc00BGPagX>>mDX`;dCX<!i^;kj$ZPXT;;Dg
zB(i4;Kd3zQWgHAqaU+r(;jVZ#sG7FLn-hn-0K*u8F8^dU-+hg``$CBUqyQKIvv0<7
znQtgmo}63Eanc$P8@R}^a)`J{c2G^Caf1MT%?elp<Ahj&&4mZVk!m$i`p%4fwrOsL
z2R@<XLc0(Ap7Se0PnMGA^8EU2GES3p14T~>Hx*{t=#O|6yMI733|u@mN`f**%IYe9
zdMA?bsk<IonvF5C@=?}B&q}aQJ$h8!na52puVO{W%#A5i+2qDtLCD?wMO2%b6+~p)
zbrGpHPxCN{%q^lYfaZg|w?U4J!-DhMk6udWewmS<ign|BeG-L?F-)~vhW~32&?+*5
zMs|s4zkFr2T0DRC#Gq?Kra5b2)k51qwgS6JYQNFm{HUROqIfcFi2Jjcv!p|Vy9nD}
zRxVQ~Pq4K>;kNK*SQG6MUv+Q1Te5m1XKGB#^#s9jdfOs+ds3}U@AdfIHG-&Mr}Gx1
z{xB?^HD3L5Mm)w5_6X_V2V23JFAq5D&14vt9lQF;>UEFTgFT>@ES^Di^dPeR8Ad*o
zed<B58|m)69Ru}<xOZYYDLJnB(%Uv~;I_kj&t|Kw_<c&mAfW!AE|4AVN11h|=H#r&
zq;H$x|JVG(UwR@8OWOTG3!;@Q<k0<&6hO-WXT1TSqGyC~pK1_mn;mKyv#B(O7ipKv
z`lK8O+R!s#^GUx2FCxjmwS8#IMg1>M?$#s7r+(-k^tb0!pfh))Zqj}@rQ=^84KH{?
z9|nL!{sCEg(tO}Oqr?i^aNTN>4;KI9i~%sUe7&1)soiJvEB<(v_^90}2&@oARsJEc
z!Q6iUn~+>WV48iTX34H%f3VyDXIbgwP8!hO|FGi#mtW(g{@fpoDDwx9nx-nD4T+8o
zDHCvWi(e}ZT>hU+_2(3zntkX78Q|2)%K+d%03eXNXR3X}SP>|%3V0xmUM>;+>zI2R
z?Fj%#bAW#1egJRvG$I;z37kV=5a`DG=<g2!Pv#>C0dJSC&#n2sgU45qEEc4*_R*6S
zH0cOu!fvMcUW50+_`D)8-i#1P_rAK3ky`Qx{&vj$CvS25eoRtu&oqgOx$blBGl81^
zz?prCfL&_W6j!BH{9!ez)3Pg#jBb*}b{w#y{eE8c08nUMR;+S=28}BLCo?mgbZ5){
zmIxq?|9)EELN`t_5x>+hrT@GZEdt>4v1POTk%V*<%m{+Or5)4Hok*eh^WB$12iKwg
z@<u6m-I47-ZM`kinY)9(1K{?$^8U!|SsEgmw;Dhrv>Tc#F!<-iSDg_67#FLBZSmky
z(SKh2O~XP@Q!(<-5CDA51~pbH2k?5@Umq{fV%kRC#P%NyJRT>YzhXu8+J79Z9V8H1
z)IZ*39({P7?};Vk4slR_QZRe$_S+wdp{a=3H$s2if0<D*zoEJbv6JpUp3Yap%lyGk
zpMe3e{b2??61MA~u>l|gDn{_u|7BTrP1<$W#&y9=;)lQN@6@j0?Rp9)lc{9~c^d!g
zwBgZ#i^5z1u)oRizuXvJK0+Y8j3)CF`C$JO=yycp16oQQ0O+0K4`|-oJL;h9%90&7
zS65dzH}k*JS8^1+g&+Xg);BfnLUaH2p>^3+>NmM0#_Yf2e%1*0)^#_qi}}y6m_Rj`
zq$`;KeA~i9h<NG09x_rp0InDSbW~*h%OwJ4(EiK0>Is*jzd~w_fcas*)=SElTIlNB
zIFq_|_qn<FH7UID$q~|0>vMD20*D>lNb*wB_~iZgR~<Y<LK?vN)_L|k3f4dY$xd8~
zg6(HC{kr{dq*O-&1jq1imlcMUQnxXHfDa?~%T&N!q?7JIFIcmI$!OKmc*+SxPk<F9
z!xipe*9aHP*g&OtP^$nL%#Mc;HMLubOZ%Nmz!!%&^r76zR9*&te2<{+y#udH<THm)
zdEPgXsNHgL_C8sGN=aQ^ZEtPSsHvv80QhVO21(r$ukoikarz{9NrR{A6JL`%F@P{5
zxZm!w>m)PiDQ49K03|pP1G~wh`9<aL>vCG-2*e>R9&O$A8gE$_&-&l-jlY~*2ha_@
z1D0KdJ40vi{Lg2ifa@G?zj&b6fQx*;(fP$|(zi9eX`%@z_;oBp+Nf|mYkU^fK&pFa
zlDn4lw9;+Gn3&Q;5hxMQpU9^sSJ1QIKSW!0d{Vng-My;jMEPijk0s(Ue4sP#_|1wb
zT}*7H_sO1Ta~Nk>DP^0`HMU5%Km;BDt+u>#S}=nzGgJMwzNEjLQW0Kf)8C(Q&;Jw$
zfDX-e!JnzTmivcG_2~$XewQi$=ulhx<89)}jS=MiJ3!T5Bn7+bCLn;0Gc-S72AM^>
z8^ujmb4F&}LN``?GZx$y;u8Qi4S!S-e!SMh1P4BO4mMH&+~b;xUvq3sqp!I^XViwb
za7W`(+kSxTlbRV57XgDP8`1KAq-Y`x-B@Pm5}ASPX=~qlf~h6yD^LAB_dVALfVaC{
z1ZIYHxc+_hB@skU<6B~A*~(F`U-yLZUglRNRSMuW8p>&P-Sx$P>8BF|=;2e^H301+
z%wi*Mp!a_Bmmh*s|B<M>A<#V^WAL6-`S(*x&%r_QJ5A>I{@%2{ZhxD~KMbjEL{P%G
zl})2nMx%2^ZK8Q^^I_19F0=x*Uw&;Gz|7hVq8t|D@DpYHXUyr!K%Mt8Gae#H7{s_m
z7Ev}A3#jcU+^cV^A5FM8{mVkGNSK1QHfy%V&9Q&?#)aKr8b7ck{MQBl71uXF;SMl?
z`paM3X|*qRD(jUOz@Kj{k=6F{?nVo&pzhxb@V6qzEkICiP(gNH0&u6l0~G%GApGTA
zl7%QcFl9X>VP%up0EIh^@%Ht@-`smPx;6G24Dq+BC$)yxxo!*@`owP6b4AMBskVRK
zMt%gzeTw-Ta`B&Ld;XDAx~kQ`n&zKA6eB2a1>pd>{&Io;^L0WN%kMc*P@wt0!Gwzg
zbLh8LQNR07p4A8#R6#GPV)+O_S^sZeRlrFW$(rQj?)Ja6-EY1AG!0?cvR!R&@Y`JY
zr-6Y8m;z>|O^U|NZ(zwMcU@?G90d~>2kq4B{Eu)e5fEBfV(e}(=^m}|fBKng1+}^f
z#{WH<e^|2I31H2Z*!`yYo7?F6;Mk*1D@@vK0o$30*t>1&pTQp&%oG%)<V=acMNjpC
zx&Kd}itZ5M?Pu;d+OK&>%d^bR!GEu(9hk1?0pEt%&vn;3lH>C3M#cbQXto!J>m{w(
z0{dA(LEoKd4oWj-J%6=o<(hL|aMO%|4Icvg?_)SE+`c0MMrvj>`L)_UD(j9|tJLm%
zfMKnv?qTNLM)<Zftg~j02@pLn$3_KspFubLQUaW>E>bsuDs1EDFm4I_bB*(N=Vi@i
zNJu`2ev{-#+CKT0a8_Uz|0eKt+0~iQENvI4sL~e;^YuBcn*?1U`Y8=*K3pAKsl6%O
z|G1)L1+GIu@>_4F5B0tGVOeYWZg&43h#(LrAg9<H3%hi2*-}<5Fj!nYeICl3G^E^e
zz4XaWnA^DFd=F#84~l{$S!w5BoMKvgh^zxv1RIIMKLD%qIruT$-W{-4(u~{-5se$%
z0mAcI$9;v4l-}!W7$*l;c~`A5!mN^qEhsk^4K&=GrC0v0Yc&-8EygCzUMK6YmyV4`
z%{;hB$NjVMXd01AeHgmH*xb_)B}!m`I~ar}Bv32B=<z18JELkkna{=B;u)ke?!hx@
zK;F{0<`TUeA(_;1FllnXJUr~n9$!A1u*GezCJzdzce!pCUTE<<<zJ{pdZI=tR?ncw
zYj}>t4!TuZ7UzIpFLZiZ2*R(+MBzqB06!w|ZUDp2bh_xCNbJ6h!J@UPsf72GG~Rr4
zgyVZm15#T7YUMH6dkjHs=AoiFUHxfMsWWZ;gzoaR77-d|k3Q5fx-#L2sgt@9Z}w|#
z;`jyJ!(M~lwy0g=vr!chPnSC$P01v^v9~Ti9Nb^X4dDQV!eTnCv{cfsqSbhPsCmd^
zmf7L*xRBHW?<xiH^FqM`u8-e6uytp*K)w(2?L;p6s|-|4oVs=(87GB|Zw3<&%q=ek
zrgEfi5(xo2fbm_dOr04}k^8h3VQBCOl76QaiD}eHaUr(>-BxmPX#0p+eY<WwK^5p)
zgvVubr%~P+<DT0s>OuU3$)%$&3T=(l<{=s%*{|_fB&+)nGokK0IZ@{eLT&)J`YkRx
zDTuYXoUM5gD21&?V!{jsb`ciP+og)u4l5;K526G?xj`#O$d&wc+qsRu*qlkG^;WLo
z%W!CN|IPC;l1Q(oOE0j((p)ZaR~xV5`CLsBzmN0UYCp^Ql|I+W11y&y<WRN9Qnx7X
zFON)k3K3Vtfc5bOffVT&7pB%^4Ds*IZF}_!F(4<KUx4ZPa_E6z^~tS2GieMO9j}Ql
zE`%Vt?cMu+61NL;ba9F1BKlS$ee@Ywbn!jCUmaSfarNBIh6@Az|07fxxqp!ZCFx-U
z*?GVRt)aqnk^97dM}^;E<rk%zyR)++K0G=~AF2jgNx<bw>?oyb@OOPI)PkR$ir2j!
zI8rNtLK*AxbZP39Zqj!tmN+C|Vb<5XnBRMaByF|#^oYy+Zp3ZG{kQ2#JAHpar|}m2
zb9bD~C>8)EPlo%x4HrVZ;1LCDF$VXoLpKt0jaZvMj3CyX<NaYR$NmH~9cF5chhuH%
z8Nf~q#oz(2s}!XPx)1JrsxK}oTBU-RJ4vUBo?U}YogHX1Eu2_Bw%t&6<bH5R73n@W
zkDC&+u66?--Y@O;?JB9A&=iJC-CF=GTr%8WLe7gt6+3~5^reJl_Wk7}j3d@&tQ~yl
zO9pm!_N>bfy=$hDZ@=!EMEa7%Ep-hdXFNdq88DRI;&KVgyb5obId~=x#mI_Va=rXi
zFGz~JwWL)#nHvgY3RUA1aWwI}e(K`w&6=#t!DYip837AhImG<#aZaz%PQm3R-mtb7
zml*Gc)xUeBxbL{j%zZ%AVf+9ns#ke92W&B5lm^AI{bH%T0$Fr^uqK$%034+U75-!d
z&N#N2#2|*STft-cmv_D(B6-1)3sEOXln>7I*F6rBC%vB`y^<oRSeqVlFa=8VJ~`$E
zI|Lxcw%lA00^~7<+ex_dOE{lJ-d2>?rvSm>L`q6HQG7uw`Sh*vcY=)Wx?0K;1N&6s
zp7!DD%o;ZsSbm3YY4HCn5|KkseKTsdg=;K@A|V1gIlES<hNX*NpVzEdrVfw$Mcf@U
z`AD-zTbJ$bX7N=dH(eC0#s=;!^k|_H06BiRU=+DOLIJ`EQ?~Vu>^?vwRE1nv+3gsN
ztzVa&k;C|qh|j1X=LAyzJmA1hGX(hOQbm2eessnmKM0E2cc6g2LDg!TRn(_Qz}QH)
za9o#|$e7k+c=J5biGw=adS>H-U@=)4Yep8U!E%jYk*sDGM76c+Dj<)A_n9e{phNs%
z6ec{zTr&9+b_bJ97M*2s7=9=FwdGL{)?&mD$BS8ic%3<1?+0{4fPD%otPGbd=-2@K
zvEmY@9==!1s*eu!yZ8MLru4Vhooc<4kiRICXoafb`{6?HM8QHkCq8#eWPZs`?IOqG
zz=bV{WSqVgYZueW1Krof>R_x3m%2Z`Eg+c*y^CotI=03=ePaVD6xf;-IfEenr^OSo
z6`xufd`_fJha_1F*kV_1FHJ@h&EoP0h!daifEn_MrF))wql#eP`@#13-BZVYK09Sg
z+q|tUT|HCNuL`E&y;>R_!-Trj{eh3g9zK4~_p2O7re&@ot;ulDVp7i9^LqaL0l)9Q
zs1=OT<LA-R<>mE|S_pHb|5wL(qXs<t=iabEcEU!CUg+&|v>HBS1%Kgf^@1{3a)NL{
z$}B>SRSo>GiVYu9K>;ysLj*s@bV<Rk5$e~7h9z^gjqDhIRhhfFht{o@Hh7u+tKpXf
zTXBuK9_27PImU%k*TyP2<OaK3oONZ?989-DMEb_{C%2KrmaE%2eN*0*#-|V<$mVMw
zP4A<|HHIRg58or7|Lk^@tS06G(P9QZ?os6tk%p_jc1FWlCEn^8`H_2%cv14lvW0Vg
zs^<sIA0Dp+g9G7M%M~We6y(*{;Y7}D2L1AB@6WK7gWy;zL_iC){DRCLBRZW!F={QX
zF;W{JpA(umZ|ytpETBZZr%okNtnFT1q6$GH!0y^G4>wdz0?>s(ThVIfV3Z(x)K|P%
zcw|rCV%(=~6>AEWd0TZYv6b+eM;LTVjfLF&!++2md}Go2>S>z+J-V==kf~FYC@LZg
zD=0M??p>mzo%tfY*yeF|W8xNNYLM@qf%HN;9?aM#tZU;K1Ckk}IV(Y578djvGw>C-
zZ)=>BCTjQ-A1H)7Dw2Jov-yEcRJ3<8H>S=#Qru-%o@I*4WW+QXTridil+6Jb6eEK>
z*VTp**h=#7FY1Wbb9-foO(R8nss!|P3%}d$n|=cxN~alGxCj`T<4@8ezt77W&l;@;
zaJAv#E@RpZ0ynOYg-w)M0c>bc?SIje_C=iX*}C_$12ky_cerCgv>ICaFB=y3)Pw|n
z`)L7ENbBOv!(!Kj=Ln`Vkb8<hRS44Asm&n6)xIv_9$zSurzWOT)cfF>Xogu^Ok^En
z!X&ABb6jKxQwC+)RtCBy{_&IE2RI#(tGnAdLNU+!Uw(*`A4xCuph<kQ@Wpm(a!aAY
z@abyTH+oIoR6o)4UqkYGzEf1_HPMb+j9OE@ilQq=0GtR=OLya0jNMMk7X7<HN>pil
z)D^9~;c&ND5BVcCXv;x$p)ctikSMS6raiSg7P7APw0-n7xE+Ct9)zHTAdaIE4!TNU
zD!S!DM|YQH`il1>6ZwZY$1You2%Lbi_<(^)tx}rDwMY8I^i%2bUw&AvUz||T5v9E4
zbzTvQvV1+keCgwR8O#_pBVI4`?M=-OgtE%*;`X=)$ZDeYS$<Aw<IKmD-XxZmFNWpF
zA@l3hth7(49~s`e7qn(|!$9<6?DI`&-?OhFYdFy4ny(cUGZdJCUs!oS_Cg%H3y5Pc
zx`J1zJBs~4*jDjIyS3$Eapcddr$fA|;L^r;v=yQ*=5WVt7~&fW;Qd8KH=sD}-)et^
zJ7Mc9h>p9*YwGlgAV~a~*}=!tAtADr3S;yj7zI!5NN`&y{-RI&;;6Q}$*)0`zMor9
z8s3rNoyX8%X=@i}EgEW++8Igy%I{w(Tzlq!c5PI2KZL4Ge8Fnte!odyJ(I#pLVdsc
zIefA7Ck)`YG!N*UmHUNOTW2dXdw0gnQj;5}<NGEl6BqoxZ+e>*Ts&@CudKJ}Ai6%R
z*T$}amV@_cCAY~3#JSFtzSR?yP{01rp=ri+1kNy2ax_;Np)G~-BDeKcGJmTZQJ<&`
z@UZydO3NxhR@XZkAu@|tb!`|w(#R9PCZ4Z+je4Pi9P}C-h$v!irUkSLAH0_oa=+Mg
zxj`fnF&3)|K5F_pRUbduqpV)1Jy*Z$+DpKql7QCJXS6Ck@7q#pZjvQu`AN}uTrkEw
z%4J3ChZCctyY7vcTdmWwQYEWB21W59c=u=Saaf9XiOZz0uS>{okWPz;s#&^f-0po~
z!bQU(NFm8IdrOwa`p<GUx8BrfL;Sqon#EGuj`*R}y#Fphv*1;LAuheVvit%XKRC!A
zC{39S(HCItO*PlbB4CmMQ%dy`uG_8ABo1t#ZwA3dBglR$NtLdR=UrBG(Q2>0uPMq;
zBpiHs8?3SxC$N4fFWHX2=+Jv8Z~Lsh{ZJkV$~Nd+i&JKpef4;0`{J;m{u^!>7OKMw
zlSj{nG^wbu-Ljn)_x5goitp#;?N!EYK#Bu)MSbVzDjN11^eU!gg(JE?lTLQZCg_@W
z#&(gimkFy&1CUpdUDRj<IC3`F&*O)1S=e5Y2-*s0JXL=|j7*W_*W&3vu(Bq!O$CH(
zf;*D0`kFjTC@q_hy!-6QyI(cERg*nwSC(;VNqoun?28S*PF@?ceximfCtbX={o>bJ
z)jHT}oEyiZD5&WH*2yM+GI%c0rvG?4;0L*rJoH!3h^wb;j%g&Sx|n6V%!zYzT9Xck
zZXFXTlgB)rRHS%lQZeRR=*QCi-EG>O@3^-+LLSt#x-8ZPl+C)6jjzB#l=#F^g5Sc^
zS%bm?vW*p(v2kMyD?xl{5Z+bQnGP+N4BI8MXE6>UjqD!d)97X-_ErbIiwRT^ct`Ex
zZu;ff$JqVqjFpCxT?AL;BWBxfPh%K7CTPVsr`1YBgO?%WQ)1#$_19%p={CW0BQ!GY
z?qZxHISgqR1#>rjRR?Mdfo12l?HH*m1u~8(vHHkz$;*m3v;B8zM0mfh1bMw7)Ck#Q
z&O>?|@kREMDbqp5uZr?Kcwm421$lq2+81N0;W4ma=8vQ5$FLmEp7e*Or|of4qcM!I
zDD_u2ULB@oy0{>_T|`RFuXKlE7MGnBlFZ%%^^cMr4o>PP^1M;4qbdepdE^uor^3#}
z@khnPK!y~99*9?{Pv}kUw-lE>tg@D4*P~D#L0J!wgQ{2N9&HsoF0JwaBW00J5*L_!
z-!eO}vF&1R&3&;g#J~{D51K-sG?Vr~f#BH-A)4=l=j%LMUa$qY)zlsj6@MtFOTFLh
zQAnyvDpb4JrNWAen2zZ`#b2c9Mc4YVp{9w+llI*_DE=%0f3boD9|f%5jlM7G;R74d
z8lu6B?vrp^Sm&P3ljnkyiaWnHYPH(+0sk<IKVy<xJjm`xJBAI?Z0X+3l|`bI8mD{E
z(`~six(v@D6qBOh1GoW5(Erd>(lz|>1YO8$BF%l96S=MIU<s(%8B2n$I~Pvu+-;kn
zFlPruoksbcZtpwv_KX|0c=%x!c~Q0Hmc?1z8vsOa(jn6960&j+K^$AUIz8AITRPkW
zr=6~9ho^s{Tp(}(FGzL70w~XtPv|siwKbk64X<Z*C?1AMXiP_aj3lpaeJ?;!%c)xS
z5`?3R`JQzF=aoVQ(1me7YY(MXu5;pflT~;_Nsz=K5~Q`YmMyCqL9GY6{J}0+`sh(_
z={sL=xh{teJrYFi4IVOxgnKS}1F<C$>$r%|-N}jNhk#o*SrE;A8Zi2fOwRLD3pAhI
zU0Zp4?`L5WEcAOowUY*r2~lOLf=>zY>7V$5-7UYEkaKZArCQuM&PQqgX0M>HsYE>M
zhX6O$!V5c*X8*lMcCqUhRXa5aD?8hK)buF@tcc**Tuvfi__qm)DY)RrXf-y#fkn_J
z3CNy8z%##)$R8oFHL7#-+!RuMD4#8K>TQ6H%vG=b7JqT)V;WBg5~Q#b#H~czy1`9d
zG2SSLd63CpjlVd$QJ%lAG@s1z`Snt8Tza2`k4rRB>e6fwGnDFH#F*jRF|{(JYbA1Q
za28{<4|0}&Pe@i5N<e{G86fi@HS=ehC>APbSrjaAsoTN$6(&w{{@2L*exr+<a2$cQ
zT%?3%3VL;`-krkn2Gin7v?}xQMWP=5xs(P;4&<o#B*jVGw&Z@bcjWR2{n=Q~r&2U<
z_ZGF>*D-H%kkXpiW-L32gAkD?nFI=>jXH~ROJ<yzS}&Z5fnZzYL{E76VDjnHrGQNC
zt|5Nz(8=?BW*+_$4AX<&*wQl5=G1XF@VQ5~r-BQ3gH60yD<yWHSQNyJ0g>I;uXffh
zovLJve6+bHZhJHIxSyyi=0@)3##GpQnSNJpje5{dJYdO6@&GGULCYrT%^+Lt^XqS5
zE&f(!KCP|n%&WIPW=BbWEbb3`^Kn6X9FO`Hg1PyzbcOg1woXpSQM@=&R|~7>Z=K9F
z6_b8aJc^g_>*~v-x1x0>+OIHmI^TX03@d2M)m?1h1(%1_<PO3|1aT3wO2{A^oIcvt
zh8RdA<}5M2o3Y#n>)~oI-jL&AULum(<7B>ZJ5lM;Et8VO(*3JmEhh@X41saib0=Yu
zX8U8p9(dD;!(-K5kkN9iKnTI+_=I0sE5qs5)mVjH9K4n~ye-#;4D!|gD0Lw?G!zte
zE3%Sc|GoZ)#+?0uS;PI3#A7T9!<_q|fP8Aiz&*rRRof~4E3d_sFBuPoL{@rwd8w7A
z19;l80%~U5Nl|bx+Jt|6p}ToGt4X|VgMSdgqTjT#vLjPw2`zYh^P(G2gdFIQ5#C4d
zM*knW-a0JmsQVWcgpo$+Mno7&x{*N%ksKNXq(cem9?Bu4K^lRP2I($|p+Q0#q=pjd
z0TqV6Uwq$t&hOsm9G>}y=OOmqt3K<q_gX9Hk6qn^6}Yx_4rM8PLpz8Zhi9RVJ|Bd*
zf1fp`<NQV7mmp!=_DVV!fwHo{g<1KP=>B8FhzDBVPrL=%VY=~8lf1i<*mQpDwP)`z
zvMBwsepSG}5vC;z&Z3rG<769{cxVN>a1Yo~(#H)B62w^bpAt#5ySl=Dplat1Fp&Y8
zkNtO~+Q~nzUyRQkJ-6%M+CY(S(+O7$Eai8Vd#kTcnUaS(PPcNLk?pJW2%hP84~zr-
zsyak=bDOC@Q{Xy?Ai-;|d&DD;cCzS7N}C*N3jPv8knZCS3YDT{_=oS@{ai|EZ=D2S
z6WWX`xdoqaRiYxRr`!)4;&G~}N7OdHQ(zK*p-|?gUyxv&9u7Cy6<Oj*<dMX081T1I
z9N$^hf~_ZXzKLGFy)2zyi9n(mIV*z{hwj+6h#0BXzms}KwN0;hM|Ty|BmSXe@n|*8
zeOdi=dneu?(XDtBD+sW$tkG{l7z$~K=Fb!)cmef=n=xJE`WH#EObzwdHr?)HMe6!*
z%vohR*LXD&tJ=<8Gps&&(#68xg;=M4=WzT0VIeq#E4^S-HAN0O|4V#R2iCc*UNNFA
zG3nf*x%Hk=dj1>Q=)@$?2w@EojH>cHR7XqGW!6@%i5;WkJqisUzQ5iSAW30S`^LXi
zESb%Do&4kj=M)PCYw@=bc`bpt`hM{<3kJ87r_4Qqa{E#wlembVwa~wUTQ~^sQNY!&
z)NWyzen~<+q7qep#2!*d_|pN#3uR<}Ot8$wfDnR1xm-*2-flBigGMxpd)dtuE|J3G
zxXV&KHMLv36K2TdU5ooj4v^pYu{Jpjn=10CJXip<P-4&7<-S7+BWuW?;nFpQBW~0|
zh<{;gQm4OhR7^*s^e=rEprw!xAE?R9C~60O=G#@<p(74$C}T-WGIbv6lfz;^)oHZ1
zPa9S25VVQ2v&CsCnM^ct-|f{|3D&lb<x?c`)Rby(hNz@Eg`$;XI*ZQswA+Rykl<_~
zj4<aqd6PDm2O%aRw~+|&+Uty)9e=Mr-#25!@U*&>QiwMF3A2Jbsfae=p|q9HhZ{Z4
zzq(J`zzHi%;vLYGA$Jg=#1(fCspjwp*sw*t{S!O~G%Yc`st<w!n~2^)0+y>CSFL`%
z8bmPIzVH_3Jn3P2jX4tRtG&y}%=Wh@qgzq^cah{RrW3%ZRuvg`<;}cVzf=gYVExEG
zU3+bm+f#PhXf%Z)Kg)>x+gV{@XRi@W2g8PH-RGsuX4?p(%C~U-9-l7!p~*7z%}~LZ
zRW;Mfl(r2QW6w)F^jpY<4xjTE$=jVBN!P|6Ry)H^?KUwum??KyKSk_eod6KJ`AB2O
zfPRq4)zjp`FJQD^Ds(T3Iy?mDS_k|R4fKqSmEq!9G(89kcw3cU1}d@UWiTmm11qI2
z&jM|-GW?flq?r8O2dW}>5Gxf#_u;6FJ};Wq9_7m`EA-$$(52=9`=+m-6vMWzr$$UC
z3I9MX()E}nM_V-qQceducl?oaz`|9CPWgfl8Mn~JV&{a{+OBX~p#L`9eIu<U3&>gG
zbEIA4n=FnOW$E`~7!eOJ!U+E_)Z)5XMj*sb_!u7-(7jP^9QeiozOuU)_RKITlg&*R
zx*3-}H@C$)h%XbL=}arJN;ZgZ+9<VJ>IuFS%5=_of`f^qz>dyn6a^cb5n_$%ORaW$
zf-|`#%*RhdxgPpM)x{;Y3^a1<wc}jWG4!#^j|YOq6TC=5!#KXAG7%F(S_5+Z`d`E$
z#!!j9|8}axLCM`Y?W<g0mOWEJ`hY%FBgVL#NWJb-2R@c;|DJNUU)}i49f&5L{=CCa
zRxuHbyeB6y-J6<zt?Gb{U(FUcEB;Xr6yHNF>;5^9``B2UOo%;9HfR5-Y3sV*%h<{~
z-`K;CVe8+hV-J&p*QJzV<0Sp{<Xb<kyQ!mJd6$0x5&v)`!^l&V(F7|ALljaEEPIEJ
zkHe4oVu>eIm5S>tK#005SlcpuM&rRli;BKDE~Kr2{72vWg1_Q@cmCl1Z{rJ}sCjRg
zGtKsQy(~8V{aZd+d(ANthBY>u@)_f2%D5Q$MD<=@;dNo4d4nXezJrqbQqdg*ql_y#
zYv1uvDY}96#Yllxn?(;2HA&+rDf2g<JLK83=KdldTExI_`35i?+JH=U;17AZ;49qi
zi~8L#0$P#Bt7<21H<$+@*yzg$upnh11iF(_6r-bclJL1F`fmdMt|z-VFh(8{GMKai
z{Of<oP&&(RLgrBXx);GM(^DB9EJ>4Z<4Jc~$H!5Lv3d6)h9AJD(OE?Xabq;G_Yi$S
z+S0!^Zo$YQts4xA2iuWs-_;dw=k7!O{s6(~NVUJX3pqOdqWn%#!6ib&E|!MS9uGFu
zFuUh+*)xBRivVDUWxsO9Mzv1a@EG6!&~fr5YVtw9izSwNY=j;hrV%C5?}DnWr7vHh
zqll6l3>D1{URXP_LXrjcs(c7pcN515gEDuXd&1O!W{oU>8xrE-*=zpr0q@{wP&Cbf
zzob1AP401)cQMT!sPl$95C?3m!I3O8RP?^_OgC9Z5}b){|9VKeku{&3PJDNdJl(7o
z*_t&1TBq0YdH94UT|~}zQWpEypLFhVI^U_Lvwwgns@Ipj6TDoHPX%N)AwM(poQR)M
z5lU7(pCWY2W^@EO#_2oF*Xh36nSr7452dxE<Aubi%EL_p${SgcML?Ip8$LJ`1nA_z
zQMv~D#GKeLlR^u*&_#G2d)O4aF7<F4GwuwF0l@-9-3w`+UqIKjzfQU|J?{gz6w~ba
zSBFN~^nrmHp3>ank4>O1t*3kHi&0?d3$>g!W_QL=ee*J4M8(d%4@lsNByGoK{jOZ^
zkdSR4ATPkc)QKPq`igOmaR+VesI#?#PiO|2qs7P5e<nqi-O6d3Whw4{xj(>W7`#TW
zkGGn0qW(zeP2P(VqsmPSF0MXVxR7o6130(dJuc){2(E=4kYY$+^0kYRwg4JT+nM(g
zOl~Ro>$r0ERdU+*t-lE4N{8v8iqQ@=Ojf(_3Ath)dGAfly8T+gyTF@^mGH2zAtA^T
z4XlPZY-fpx6$dkJIfqgt9b$fj10;1Uodp1nUz@1;#8x2oPKFq(U270zst9Ct{IWq~
z-Jly|=aZTdkZF=^5cK+`Xxc}}7%On~@(w;p%6J;1{(etXd>ns0ka-SnPRa-=*nSB>
zI}0L+sh?b<YeJkU4jg(LGpZSYDKw3YY3AX99DWxQrEPDNiFw9p3lvHrCz91}J!W>k
zC*0*1gR_lq=E0oSh&0@BcN&bt%{4!r!{48GqG<?sr(<LW&;0!BeUWQ1gsGTDKc`|k
zn4zGn>6_(l0Hbbo$f--y!fwIa*0X*usPcJP#kyQAGzdC)l*Q8TmBZEVrO|yPLWiC|
z$wIn^-(XTtiBCo|YGd!0{CL|{PrKJ^6vmFp-}g5z%5b-hMs9r(S%^NQ$G6fcTm0k^
zf&>HGkif_2-2K*v1<9%UV1+fOHE{xmf1&<!aHw8KI@bFTcAxm;>qm}rG%SUB<;0#e
zm=HC&_);1MbTjpf=)Z{5aA|-1HZUgxVk@;&qXe&zv{Hv0rZrVbyXV&3=bW3phiRI6
z;tW(dA>^8ktZw&0uPQ1odMT*mWRsSO1_H!NYNoTqN65E>B|t(F=DKHjpPaj7sF$DN
z@n`s7zf`B$`#r&D%R4{BeDy~d2Q$}<a8Sp*FTWfo-40iGP#H~n>P#UoO5@5)ui9o1
z8KrWAE+WaWM~CI$L(Fe_#0@)sF*2_l31F;l^RsW}Ku%uUnTla16TX@6QaAvOKOiq)
zoZ9|WS-(w+0rwqA+-H4E5&TdC7(4=H1VM68@k<u>pS;{8cIdRfYLt)2*Ok|vz?@X!
zR6_(MW72qqhaDSe;uf+v?`87(7k&4UIgr3&Wv_<jW)ndG{JZYP-mjnU36q)2d(AD;
zPS^ucbA|!NbhA~-xP9VzD1kKNo8avgOcSU3YI7r|@B|Cq_HyPix`g&k)EmQlaH!=Y
z6)hvnuUh{c?({P|K59sSm<3wGtO|_$x^EuwWaXD>gzt%49CU!9_JNeP$(sXN?P3P*
zKCc%EugThkI&$tl5|{$EeQtN+WpUq8%BW$Rud(8D+M~CW&s$u>U+#Wt+)-Qaelbe6
zUVSuUBiMgh8F-qn@<`DJbn$p+Fg6b8zL|IDAgS|T6-%PZQVlUX{nP%<nc}U(;=94C
zhW4gty&5D1wsFAhcaW)%9lUbE5v_{_3H*K+0VGSi317b_Ne2jU28<8VKQy|mgzDse
zxCzZ10$rRPQk>cbp18D$fT3BlIEcANebhcq6AMN<I%W4Dd6qmD1g2_$%G^q>^Z=E(
z$etVZp>aR5emHweXt3Kar%{HVCB_mcbbmb6SmZDs^m%SjJ5}BNG%T**39I5*uOJZ6
zb#~QMm%)8kVv1{3Z5Mvgh_5t!U)ChymX!TU%JY1Mo-c}42{f<XPXBN$w&DgQoN}7p
z%t*lnUh0QB34f33B|71JD*7MC%Yec#DaTf3GMK7$ZcTH^zTQVo;`DFjqsV0^l?CwX
zN|t3|b@}<KJaVj*9wi13RsZZw*^>~A6%SIsy&&D<qwjbYf|mUY%>8O9HmqDoYu<UC
zM6L3T!qkqKQ9>n}n!<QJP8f)*)?9}US}1bEX7&$e^uD&d$0vx5gBWb0PYv=D-gZ9%
z6bv7mS;?+3VTV_#c*Er)!9NV6o`>|k7ndZ1S*VyfXVNIL@9K<gzSPA1u=G_#nTVa;
zw%+&K-;(tU=f^L4bmXmoQaC;=ue*GDM2`-&T}*^=D7C%Q?PnYj5KHS)(F&U?=%rPE
zKS~?8AUg2skZUNKTK_%UaV-LeN(Xb{n?`m>*&qmu?r(J|(SHYB_`k-Z2d+uh@YBuv
zQ)IYuj}>e3p-ab#M;9b#{e_r)<uJ1#mX%`p0Y$-1{P<c*h%8CC3mz9;L1*vV_hU}_
zAexJ<dAC_hJyO^sGeuSFt!%S@K?i93h6I<WwLV{vQ#i;2CbArQ>-ON5?v*Z6<wsfs
z!;#>r&BW>wY@;tBb0xD2BsvTP5ue_sF!U<7jHc?=2hN^_49<SmWB|Ro1>qtD{rbEN
z%yYJX8CFENyi4s|EZ(oX`J$E5GT-rGTL_E&-1s@3@w4)8ir9~QmnaeaN{XDXnx$*@
ztVDEM(bwg#Ql-2OB1FiGcuM%tB_!A&jlkbBh!U~u&9k^W{(mKNazD4EbtxPx(gEQ?
z@UCYD7KC}8sfyA&7U4}&_J$p^r$>0TyTTikq-P(SeP0IWMe#Dmym9<ae1_3X#maKo
z8ThzY$fo>(_BZ`|T(LqnT`+-qiH8}WPmOyDigz(O4oa%a+=a$>AlB;x2E+>q`94a;
zn+qe>@7KhajQcE&t3Ou!ww@at+U<v$<QvSiuk%OO0&we92Q5(766G+q^?i#RF9}(c
z{r$ax!6ejIP58oCJXD-o{YQ{!S{YySny)}N)Ik)pnx{z0^urO|c2VGUI4|kH98ApH
z@|u7iwx2QrqFy2s1tM%J_X3J}uRg9locOw=3!q1@{k;um3g>hJIoPc&Rh2`DW7SV$
zKCT7k{1p|t+_K5a+M=e<PB|D8`|Urqr1!!13vx@5IWDJU#3+x_FJb<U8vxE-B#+|*
z1FPx(8(?=xAWD24GxUeO0xq<!U&2GwAN#8#nvZe0=u0Ow8eiqCMjXGMd(UC0DnSGL
z*z%Vqj*ikIC6*r`gfikR^vVIK@<^KETd^#k$%FRF)O&p2KD9q2rXbSQIgg2`6}5gD
zVH9IZ{{ab>YPVfDl1^e+@mK4=hkoVY1rvKmsUzOL3lQlQAJ<zQ0E{1ijwtJ|scFSw
zM+#E5YJ{g8$dGXgm)_f^B*@h;Y>TW>jLQ<JDs}pL#kuCy%fnj}AOzVi<#z39e3u+l
z%Qc}3%?>!nKI+$YG5ESLvDb+-xhx3-P{i<y?EL6qI1bM)HiX4@O$Tt){VG}`*`1Cq
z1Yg4G{8UmL0}4E3+G4U=<Nh8I)($lE?2q1A$5HJqTStQbyl90!FWD3q67iRLv21rk
zYct&?6N$JXG0c27vdq-t_wj;kkvxX}ud5fuH{xZcxG96T)oiUxesURt>pf!o+J(HK
zJA@zBX48<iK!aw5Axzn?qX@0W#dUyRka5jRTkN>*mcIu~G?mgW6Ht$Q&~N{7*7dlB
zfIb?rqxG`h7O^P^j?N#G@`@_BkE)^X!Uw>Zjeu;B3jq=W@ap|Td*m#g_l`#o>h@O1
z5Fk<_mTNE8wLnWPAm8BAd2sVd+};rt?ms9e8C5|=HGUO5`?{J7FZ97jtrJZInXfD=
zQ654b_nvz;!T5dHXAWlQ@bS-)1z%LHcB*FGDH84)a&Ez@KJuR|kVlI#o&5aOn#v9q
z!soqlz@pouzb++O<qIV8JpAu7HAqsu&AWG|XRbOGS0{|xw+*lUGP~1Xky-oD5%7`M
zrI|P+er#do#N&XEf!ttYwd+F2qa`3g`6%lO6HAIcd>^(hW&2MT@S91FlU7#0Cd!n(
zW{%u}1S6|+iNS0l*Jn2n9R_kFTW7lKSkqe-ijzmqRFEXDI}sw75>R+mWF4cC^Tb({
z=p!r&RUM{$DZ51&z@UZ@1h@)EO-&bkYwSA7{dMj?U%%=r9A|8D9Uma%;=HkfqPP3c
zJqr6ns2jkde39yxy|!@D_o`}xR2)<`GHQ&x_Ktg@%(1ik*+z=ZSG3H;w*YKH$cs-I
z{fxWR_$G3n&3#9bfWFj+U;{pp@Tss<3ZG`3`_y-kpup4ygh)DyxV@DH=C|q+_C0IT
zCLP-}L$LdpF&Jm!7TI?iU3vDKr*!-Hil$}9lUL*sw_DaC*+l7KrTJw8BoIQt8+<cF
zks~_>CHk>FjT#QrSI9^U2G;@yLF=}H?*of`FC@1PJ!?~2;BR)81g7>`WFxG1x*#D6
z)1<1%`vCDP8I;O|muCGRzfToGSWrWU16z}TkA=Dalf=SNvW_QAOcls*a9~=M%4?|^
zarU!LS_wvElwWbb3ZtX>lkLz-vca#C;zh2h71OcGgz;gr#gb;1MvY>-A56%#HMDvy
z7K#6Jjy4aWBA6a%)mX+(&i*PtdQd^{6$uDIW#4c=d-mWVz_s+C$Wi392+D$Yv@klt
zw@c1N6u8mH@_*;9aKpQ>IFG5jw&`{tfvo~hMRzrZm*L}nt`nqL{0&F~A>*z0jb0_F
zasZ?{YNDy`jdfILqD8m<G<V9YbiU*8FCDq-6bmN~(<;E2;)TZL=3`bw%v%e2UM&P3
zr(UrKp80}X8rAb<t~dQ*6ra6yBW)CTxC+fg@L_h>*Fkz~6<jBe_^FnieneAR;8;@$
z)8{^ZY>mWB)4_60?*GSm-s0Vzg3%{%s3$De6?V_^<R^edMbY?tFHqXQ9~N7c_8~rh
zEcT3wYyv61P{%*vddjNBQmx7J5M44mKpv5OdLZ+;Z9{TAEj`Hob%<8*S{mkVar5W6
zU7Z%0W5s{~mU_taWDO-&lgfYCewKm6PTPa-9}plbqw~sIXn{k?f}!;^FufqC`-K(y
zEsqX8{JBSvb8cA6;Jzer+)ALh=Sogm8NBsmL*CY=h`G$UD?_x&(}u=#_h=nlh1~pg
zp=A<q7z`jwcG;kB2XnGPDozxsogmi#BzYZp^v2#-WDe-$E>>H<p1l!#^<g~aIuM(|
zT{507kkbQEabAx+>FZf3=kWfTLr_!TzT_siIs8IBW4@%{py*0EusW1bd6i|6va0q4
z{dhh(WjwnNPp?UxVM(vg%Dymm0cGc_GdSaIvIksXz9ODmCzomN2TMV;84-9M9`Wmb
zpZ76$Ai(8o#s-Er1BIbWyuWa+-oH9fg|mO*@M~D#=(O_Mq*GHz10imW-*7i{CKmPR
zlp?SYofwOH$>K_FO1*}S=K9{$@=7h2{Q5MsVqcO7xpcRGGfwOl2QnS!_hn8)kBpnF
z@?@D$8RFpL1TatQY6kY5BPEY_yS#AILw0<~lB8#fFAUokLe0b!YfA%!d}|7R-DiSw
z;^OM#@f}oIODG$m*zCv!aHjJ+9UD)pzTi4|zW@_`z$-`i+xSfWMTcZ{n&3hTY*>e}
z=Jm@#Nab9nbNdLs=|Bfrs>d5Y*Pjjf!zg)sv-fP@ZQyquLgPgHbJhv10M<h*#Q~pI
z*zu%D+m`fC8e3*n>*)_&mhmj#=yfRnKaQvx(1=XEe+Ue_|J1-07AJCx!b-x{FA6+?
z23TzUVxf%8{|=d51KJ;j1ef9u;h^zFdZWiouXgk^k6u}NTn;!c<}2tF6(4lvI6q@Z
zQ6H}or5O@;7393&aB!|00UZJXCZU~A<TNdtxNnROgiT0)S!{e4Hst7hq)iVif3tFQ
z*gaVzt9|lPbna(}!X@9l*?`^!he!5G12Wr9=F<uBycy}?;Y>(hS)8gtqfoFT|GzZ>
z7dF7>cKMu)rs{1{?fsP20bg)|?{CwRsA=JZtw1`Bv5vXqUe_em&p9{{;_05wEe`h+
zAZ5B<XF~AQARq50B<5af=Igq4J=lI_hTxP?6tH%H4-(B*qxL;o$suk6GQ8YkkDhSz
zcsPBqf}i4mtu<Ej%5&FMjOpx{%U2#8)=zkSnEg5?y+x7@QFQH^Y(I)q55YQ#P_3Fr
zEjhq}3pZf3fYk#ZfM6Rtimgog@1d%ffHpD!^)1_pA8!eQ7AplqH+=K}WPj4w0r=ZT
z^gOAX8YUF7LFHO_RaWxaC;3*))3r!%tt$gmKQ#O4N7*3ec?aia9LS-PD5e3RZfzm}
zO*wFV{sU>5AT9+HAI(m|r6-!VV^$KSk=<wQxv3zU-)!#knj1covmIuo|N4l(OH2~K
zW&tH1dt?3Y*m{A8jY<Td7vyz+s$oa$p(b0uS7Sx2Q`6#+Pt7`TnOb&ZdpK&jUUv92
z_BXWT^Ec&%Dzad*&wC9M%1h-_h0j};;_DvkEGaJ(h)Iioe1^Tj9_}XL30tUMciXF$
z7Ha=_ym-3Vd|2JTjv3I^)8Kf`A=~QM_(RsKb!FwZceX0n3QcM25cq{!k3vPHeCuqz
z{P6VD?@mgmVTSw91+*9xo2RjN<T<q{=CQpsy4im=%WJtruk<kf+omw4M+)+M0LATe
z`LUhg5j9^-w8@5w!6v>YK6fUT?bFu};adh>b=azW7x|PZ85o+y2<sXlgU6<t%Ba9=
zGIOyG3$dSzBjFB>igP^)wAOP<mcPCn9NL2FJk@uN{p6p*EWI+GD_9MhdB6h47o-6y
zA^0&kL=XXt{LzvIY}rT)cG+NWa&!fb1PYKoi<dQ<+g_vGq@KB?FWh&>f<tRSAcWK}
zM#OAoOWSTmtMeLp2vOnvf)^vDub_4obM%_FLIwwD(jRTHzYJE1cp18ZDXM{$w&=rV
zqU-&@o9knGCyDj-J`FAAm%pwqjcgy;RfJGF+=vM$`L9PAILXW}w*A(bj&%Sr+wVDO
ze`<}c;BBi-biU|dl$7eYQHe+1u2_+t=?cVdTje@_j|L7+3p}d6u+hA&DNFOMSo0}D
zAr%`Oz1^ic_kSO`Y5Zg-|9(&AVgts!Q13kbB<pu3BW$9eaS`Qq4}=&nV|f+&1XVIy
zky;LxK$-^TJL85iK)B4M^t*5c4dOGJPky!@E?ssRajlXr`<}LG*z}R9r@vRS<bO`9
zdeO1it5_Bs@jh@ns(a;&XljFsXX;G5cj3>_$>~;gU2Xi?!K5X2{Zyn9M^MB|TQDO}
zkRuK?Gf-*Lxwv$L79|=p+sq~92O+A^Yi=Np)|5I7#H{yp*N4)SkGp-sumba?X-zxl
zwtg$6XP?=p!f&s^=;r$@zc<`M+Z$Us<Y?<WyrVs6%WIkxvi-#fVAV@>ns%r{h^Uke
zFu%uE&UH<QTFGe}!gtZ6^Zs`m5(1+7sgx)OP!)-XXxhxQ_LC^D0JV!=S<nr0BlhJg
z^9|-Y@JbZo(aWS_l$V!+F6PV>4kHV@lk9A~8&xgVu7Ur1q5r__Tl~T1@p<ad&S_@(
z(ug&`BUY5~3{zt3Cz{t5dG@04zv>CG`!{5U*S)=pw-WO@UGBi`7BXo5bvGIb=E=oi
zbKF)5s!F?+_h8wY@6I^&r4dKITE+j>w##ffSNpZ)9s+SbRrKc9;PR0Ys|FDycu)Gr
z!#aBt(4_uHqpq-LnXdzTlARH~tU|5j=2YFx>BzG9<c^oBrZLdhG3q7(>oUtDud&)s
zelAq>G_j@>I$ES46Ew9yoCGFLb@~QITRWeuv6c+hH|DySDy(yFjdmC>qqSZwr8g|A
zXQ^2nY1}3MaYH$IT{+%cc_#`F&^_UXrT(2GBcQk<sQF^p7SVG_r1$9j*Tk(38aNzD
z%;$_*^R=^AVCb6GN)>O*$|#U1H(aPBp&x1$%mf1z($#1W=g;6hrg`?K?liEUL=dkD
z+(z$y@Ww*jChg&zRWQ+LjJfU85n@Q&l`%*qM%`ZgEj}AW5U%9<lMaDQh)~HH9^UQn
zJzX0!CABJ4)S_M*j204j7gu{_YHu~gv*=HussXZxX>#pzx!fSX5MFT4qulsXk!o<m
z^l9$;*q1y#iM2P}R{Z`R6UT=+bPocWZ^dJ}J0lbOfUZpb&p7b5NYD64H}ZniD(aB(
zw&>#71667L-LKl{?ThwvRNlg!l<^bnpAf9qUMn`&<3@8Bw`mff_&V1GEOj(U3UOH@
zA8_;IR$WaJNct12u2r(k13y!V#~C%q&<koN^HfqBHG#vGo6y%z-WKfQ5ONyCag5r;
z*l|AlVuVYioga@Hu>-y~2+Rq8+iTGO8m2QYg0_3TyPEM+ZhGY2my8pA(c~yAf6vNc
z<rn$JcTY1o;SrwzWoygR?mr3qlpJ<7{bXfH|2WH^&2;ftIN;mu4*3GFI`ve?&8%}s
zpZL2AU_xYj#TtM@VP3hT*QiKnOZ?hG<ZX$JK}N~e@tD+Mv)aMy4%$g^4kkC+_sf1a
z>s>-ksG}`A2G{`#3L7PXY%?OnkMQFh{b$G+g+di$a*|jEOzLIrn=e~U2yFTBW1$Oq
zdH!|S4z5Z>u}p1kM)o52)_pEIIDgz^{X7ZeGa=E$w=MMFb^w9FnGr<RRWVEc!hM3`
zN%?^>o&`rQ{TIg18(5Q&^-sd>GPor#d}BtjT02$_b{o&EMEMX%G6;O+or~v9W1$nq
z?Dg&`Y3AkfH8~6<Q-6xtYQLlixb4Wzzv6~y`c0)bMBI4!3Q7c7rJ`6#Bf70>snP=>
zRAi377I}|1j|KXoRx2$xK)sw^c;}t0(6ZJ;1fk3)dp~q@)bie7MT;&6h1ZI|7~rRT
z7Gi&GP~KqbBn0g?$ddM#&n>5lVMK{viAEE%{3UHw3~cu&3{-<@{8gGT90LAqqCOJJ
zw3+ES-X}#x1|YCdg;n1J=Ena1vV{4lxFnK5xQ<J%ru!wVzdFp5Yqe#WC1Ox|gNR5H
z`>v-cVq~G;x+=OAQ#`wOAn<?}PF%5Lau!FDb-kK1DI@M3$+vnX@<h$`YQ||Fd3al9
zPlZ~(Xk5HOHxS1K+?^ER5dBk~PYU*zKO5r$A^5}B^5$(nN;x*8)@q+99VPQLVIJT5
zp`f!@qX}Em+}~R++I?5To*;ZSc1Z(H@PmvTO=`!+o*ws{hXef>uWYW*)(}0taWeXw
zQjqQUMnHGe7XxPPHk@i_L^E!1XpETTQ!*E@(4X=}1+(WSlnakIBNCWlKRDo0;Uh0(
zxXnMd$kW0^M14X9(+(iHWG6-QONw=GRIAn49O8=J#u+@v;?d4-`R-9uk_cRv8iS&A
z*ptC!&bY5YZfwJcHw3h*O|5Z@j$FS>|L#MXA*@ztWX6n5X!UD*`^mX~vGL9w8dxr7
z4kgrxA^T<o)B0z?)ua%@F)1<F!OHb&wKP4mOx@ev2X~qZMBhnVhN|&B{c~1y%p^wy
z`3;4=TTxgaok!Z9^lXt3K@yPID{~ZqR|zxy$_CP8R5l2oCGIlNR!vyq<zL0Jkm*8_
z<ndoog>P=W>_p*m>Dy*DKV)9e4x7S~T-f^<tKH+4Jsawa>gq4tYt#5veIsC<KQ;Zj
zl)YY#3W|%P(1g^?N@rs2Y0_j-MgDWHb(()B^Q>hgTu=HdQ)<W{z)W|)57<p|_UnRk
zkwpKh+dEO@y;~}Iw-J&5@32r&!q!#X<+oHZ=1v|0vops<SUgkbS4CHW+OcV`HQ*3|
z8DP!EvE+z{R?bW<$sfw^T+9*h6Kd*zr(~vX|CEaCVh$lIR5PhgDZdjnRp?oeqn0xp
z7qXs&+$-QqeRCt$xqsuUIDcI^O8vw>HL3A5+tHF1R;U0oDNK@r8J=%1b6jj^^IP+;
z9zZN;RnHwD0XL26g}y(%&&Fbt@o8aA6>Tj}2KioALUXZKrogK2+#!N!!kT-FzCD4Q
zVn>eo`b8e%-GVKYsH!yc^`(~p47;iAmw<8C{MHxABTi$FQoYinSm?kA>RV;U-z_$n
zW@_8@%l{1t#o@Rq8nR`pHV7_OZu4e!JNGZIu{@8)#jW|v??5xK1rjDSra4RRD~)+n
zk@4E^Zci`#xfW+$r8~*%R$g7p%e*p8pI#`al@6>qJ|m|bOU_(ZZo2$+7E6^Jfo+h_
zDhndF0?OooFA##GUA7l&Dt}bJT!;Dd&vF*5w?};g$c4Z`7SBl6wMHQNvk^e!iOUTz
zB|$IaA5wLg>^opa$)^>6^lG?|h{{EC_wp_r+T4BkAqKa<h`_e0li@?uR3AwLc9}ix
zgeWPI{o-?baRsTaEG|pOF|+z6(*aZp(%crdNTa-S7rzY=xT`8Zl3ewE|0XP~#tHUd
zcOU$z)hqkU4;CwDC52}1&)<ISOh`%5-s^P^A00isA^RVzr;mzbJRhc7xqo}$clxDg
zrBk+4npUYki^JajzNSZf$7Mb@2JRxR84<3{3~=bc7)or#Cr;2{4m%sRAG0fvnW^E|
zHBWW|%-THpMRVmJOho0aO%4i7>bU-pj7B+YceH30I>Zm{`i9%J-YX7S*!W=%9r!;Y
zM#B9Y$;*QMwpJB;)2G_MyS8^;8{;!e@a>2;w-BkzVyVhYN^P5AIj}Zi@ctb?97?g$
zPl2#c=q-}_hc4m@GJGL_&YUcN;AlJ*z1(k1wL59fP=`%4CBF7h>4vua0iMXAgbX;$
zSI1_TVNzmY-RZRY7RIX<;gEa#?O3}nJ9;gn@*$#dZJ}AR$=N^cc*GE+S0H;{4bW)`
zU4Eo*M5bQQw$X{f4?4#B5Jk1se1Rl>oZ^smL(}NCqfl=10;zoGdq!dIe5tb?I(lP*
zO?4@PX$?UNboOzBOKQ=))#D<ckiJDPfw+wS<YsM+_1{Kr4InhqY0dYD_{nFW!An%-
z+wtDUEr<Pgx8ACAjc0Hw5oW&58=Y|{vVX<NH<)QyViYnvjB?xBLnU74s5l8=aB5E9
zz%|N!XjM%k(5VOVFIG2f5zAN$FaIIJvel^(y0qgoSxEtZ5r~I~q|YlUvY~W;u1!zA
zg8KhE8uU<qyr4gh8EOto{YG!XRVp<(vrtm2#KUA~CVSCg@#99M1w(1}VD&UGqOak?
zK>8oH_>aqlv}25YdbhGoj|NjKFm?Zo!^m&37CrTwX|(T2IKLe>2NU3W2eL<+M<F-W
zRl06#iK9M4o32C<mO#R$JgDhIxZB}#*S^WU??ofuY^$bz)rBRBeKY%*+1zLAY_+Dv
zAtba%0vNZOxWvbnU+OlQ5iWk2`!|NHc{ZyDd1mhg4c4P3;)=;mnaf(LI%+frP=(LS
zhj)?<6(3Wr4bI<C3Z}J7zCAmAKk@Qr5`6)*%>Ygt@TX#9YxLWuDQl$^r_9g(Y1X{U
zm|qRQEjEW}*SbWi9KzlV-3-4~EbS7V<(z;12<7<WxQsJXFzn;<_~0jNe*aAs15|Xu
zy)qbnYd*VeCDI(9jo|QRVqXb)l-`L+a&q_>kOCH2Rgc!zsf~(zw714;XE|gh_poA}
z7eZDtQaMx4RPh#~vjqG6<!zv~cJs@bTv5%t-^y6EDuVq+l8`+kCxH>m<0Y0C9V5!!
z*E=bP2i#|)?H~Ex`OtM(|5veQ3)PIM4PgxqN3^Nsn0!Lc_VRy{=p}~yR?L2{Mk9zt
zLGR1&#x$Y82w1xQ(z5^Q5<%#r(|_S^wx+)UVjmHk-j&y<F?1go-j-8u9I)Ex3?f%_
zC|emSzw^nM44$XxbU0%;g7jX#c8WX+ENZ@5iAt5z=}LcVD)|XHh;REyj@H4_i#ev6
zh=gt1RPNm=V~LZL;fiO7U{k}UhMJp#t!d@BgxTrog8!8$V)*B#kU^Ji)%=su`J3|8
zlJ-E<#_0(HC4?zy>t{Z1bz1ZK*M%ks366Bi?iF+W7F7wlg>V}3{nBnl*)%Y0ifxp3
znm_OP_pP0#os_;TyZUpIW@B}rIXecYg_;8>qsqaFiKc7D+4OQM(LAGJ_o2<~XJXv9
zWZTPpV$R5IuKh5@??}_)T-o8+HAzrhj=OX6`VYl7lvQ8yu=v{g2_{WM(C;W=V$~_0
zOPNlgf6R-){!I~CAtkEs`F^|*|1UhEIe&jqC+1Y7;K5p+No{Mtd=rsqlW$BcGo$2H
zw_H)6Gn&G*>%!hJW8=Jh<p+G_Khs%22>S+%s_fAjwKlBb-IH6lZ1#lVbP;$$@@yQS
z|A!&78z?t$jMO{|P`!zHsIdoO5)w9|m0`jRJGZ2B3K2~HlH8u$ipMihYGL%4P2d;~
zHA?N9kZ=$@e}$ho#WsX0tsdk~Lb{(mxbixm+&f@36fT@ABx~rO1Uz{89kG|mMZE4=
z4m(fBIk;8@n{rD{H}ScRpQj*=@qb@*0MYN@fYs~M(50RK#bo%{h7DTc$m~<!i~ohT
zD$dqaXx|Sy94P>br&oa)j^c!f0(8o4{x^#fy7_1{s?To)n9?6J0yq@;g9&!f0x%~V
zt`dIzTLASFfdr#zdC)OxN3+at{Q*qHYVIZIW_kLv0z`<t&1o+_Xd2j~Y~Z+~K}+2J
z=2qcsgv685No)$QER&Fzy^6H97K;y5PJcPt8u=+3wL-<B&d4fK2ktpA)q~62!#8-~
z@Vg`(&PNGJf$LH8tkvF0+34{X<IuR2tBsf2ai&kK*<hIAoF5G&<ym$1`vYeGwIxkh
zV=gB8H&=T~DAkHjJ7zTZ9}jWVw51PlMjWF^@T)F4L@BBV3^aSt;X2gdpb*9e(no-N
z@a~`6HJBr);sfxoIm-?~%i8*%a(W?5A5$S&p&Y{Ei4hi6NzA^o+$Y&0X8e9m_`HfK
z@Ax$zZf)EZMZ-<$Zv~_9y3PGI+l4vQZ`E2%PpEoxcToZ2Af^U!0OW?ZGD$(^kNsRf
z4cxW*VjG)!vuBVVj||`a@hSO5LM-;&OiumytY{1+Ez#|6Zf)l<FOo0hUy7FpA6rx!
zR8*6`S)07I9!6h&r%eBA>ueDb%;KmzY_xqnv7)8-9}@>)E(KHEsbWbkb3Sf!%H%33
z4lhvVk^3qUm4Ph&^?4o%CHJacv-%dXBDgs!t`A6BalI!fK15KQe^GxG`qH;TPOC53
zxpKMiwBN({|3}WHj(V=i&i)2-WphjPCp-HnS=yEk@k~f5_}&||smcOcAlxpVA5bPr
z9>`5ON4xSrIDbS6`CXJ9QkZSU8m4-uH;id`Z_jOV#0Fu%56Hq9ki{)t97CN3{%$3O
zT=G}iyp_=(FbfrW=!IdduEqw8pWy=`cjptiA3uZ5W29&@n&hRr2wEE(Y^w|x`G_D!
zpz!I6&jLwP_sD#2_WWK<8{>1&T|2$uxagy<UJj^f_S-7?!U*OLC8|i^XeAm|Cos#c
zO(c<}9Y+0+5YMa)ll#pBNz{P3{)_98bg-Yyr^5(eGP(*gG`>bA9Qugie1lT_Pcsz=
z;lAc}@&y<;%OVC}fo(|-nVA!cH#$fU;vaMwwTJk_Ju9V$ESk(fglr7<x^LWU5o%XE
zFVbtCKdRhi{IbvVne1JneYiA>inuiadkhlCnt%Vsm72L4#7=Nsz*l#(i}ore`u{+!
zRO4S{#74a!YHR1z<%B2Z_pF_d4sQZ}o0{T>P6isb+~~~yUDN*OdTC%?f>ekD0I%3Y
zL0fQo8{M*d!+!y6fvR-sK@%8+xYH|zF+K*2!4|FLbOBuOVg5tF)r+kFgpQYBw_ece
zz3*F}m&D8%w;R135_E!zu1`(d<xKyJyp~^nl3f`RH0Ty=f=)lwol@DT!{!l^*srb=
zk+j2)%ji<F<S@t6!0)ebr}0}S)W1!kR!K<a{kP;N02b~QD0M~)G)d(g-uJ`O)$5b7
z1w3)(hHZY+)K6-B?uT%1>y66bc~QYNse%Y(?!OjMHnk?z+PNn82hcJQ0(bao|2CGC
zB_VBB#r!K`kXx}&7UrZNZ-4oOD;MO-jGLOH@%`dN@%A%Pk$;l$0=LzzDAe0S+5lD&
zQW0`@Tj_j8(T3l2AY!}psHF5y3-$iX4}7bHiv(3K9jBs07^{UH$!m#XqcdddZa(FM
zW-csw;I%*ks8-?jXudtNPk&V8>wh@7>{^eldtq!g(8~D{!L(aSk=ySy;dV#+h6~y2
ze-$nQ+cnB5x}(4pB9Q6-ZfCJ@jozkrHvHd)o{a-3FZ1c+z|h-3l5@{3HXJfL8Zici
zt&sz?4YOufo2v@Iwk@GO`X=kJhi$8d_fqJxW}J_0XrKQ5K|h#o4+AN(^J<Ecw!)VT
zOC>THlwRl8TL7+>$@ZdSW}x_0(*;M`XQCNQE=6DR+Vx#sYJis_0CL0fRDxG_v<U_r
zaOs<|<>W9$U7PLe>36@MMo#8FY2qvY{3t57hEJ)pO7VWYE*{ICA6ZvBh^$8L;bRt-
zd@jzKME?~rJS-(0XW9i9+SdAd+m`<7*S^bN$lEy&%l(RWmVxK6t3HE?=k0EXUc03&
zC0~8Ue4q?2W*ax}LADQwMem+<T*T7%d-EQSrYOq4I*M_F7XN<Qb`k4wY7FUHx-bot
z8M<!uIF7EDGs*J1d-}UM*hG89;52-z@R+fjyu;7=Pn9O&1##NyPAJm_e5=?+1w@<$
zrxY>W`J7Yh@)4Y!<*vQAFMUdUC}ws}(^zn2`lsvkgy9&)`mQq8I7mN#EbkqiXv)eM
z5eSYnTTRS~IMT)IOZ`q6&8G@px189zf3Pi$-C^#lZnU%|;5G8NdY8ojyfO~_cn%b!
z!*?38p%k=(Ph^u2f&BHZGe+qLc&U6x0U<4i`SZdST8oajSzJ$K0e344)0ncU()hGm
z1txh{;QX+Kd77Iz*2Y|}kjgwb>+ncjDSzwN*iznB^H;eyl-qiXFIBX0RfivfeJ||j
zL6g86XHO69!d?tVpZmMXoZ^`059mo=7^FGRWv6Mo%=aptQAV6?79Br_2iG*Y*<=oL
zHjLi%&K{YR9_7FDA&Iv1a5KxPjE;*{8sRSHEPX>ZFjBhA>`vA*_mc%~nx5z|z|B=c
zeN?ciM*GTIC1wBPJ=U7f#iMVyw3@@x-9%YIXkWLytkkQYMn<DHNhv8Jk@g(Cj{Jp`
zYvJ@OQ!~G&{d$J#@5yzk-z7|SNWHh{zvAq)BK;hRzpBX@QZ*pddeZl@Zev?$cAaPk
zk3`M)GF{2;Z~;j5!`N^x@3KCel|W-1ZS;&_na|jYlVv~cwJ#r)9uEuJPgra2;P);Z
zN%Lc-IXkJzaxcN2bEb488`^A#gUi=X@AbC*`C)V`!khn!a9oXc#k?&#P6;75*TTvr
z)reiDRt1i)oWn#bA_88^C@t2XidRb%)MEKFp9157E}#RpjMiB|6(0>z7>?wSG?q{E
z)_p1nZS(;bjHFuk&sn7J_|_91Sng;o&^+v9!O0fT6ZtTtneH3@oZ{-g?(GG?gc=`1
zS~+-2zh}-FP0H6YG6zP=1^phl*{|BTY5yJYBn@2<I}|nh*7@7!+E10wNL-u4JiYH`
zk1uUzh3N^nNqdVN@M9akqXvkde@3p_5)360awigSeI(!_C*<O|NsW%Xv(^db**Ae*
z$)V+a0i}3Nmd?Jt)p<93l*&Ob_Rp|ZbF7H{fz9)@O}x0Lle^amGe=v;r2^Te2BogF
z8ezYjrF4szE@D{?@FCo%M~rITKhNIIME-oy!Rm_dynDi-I{1Jtfe2S!e$<rV<@yc{
zzg5aaFREA9@a1b>N^i^{zG9csa-zk2WSj4a{N0BWMy7Z06OUz~F9*_+fhy@azuqhh
z+$3+V{U-!3L>zclaQ|P6LLBu<emZh&AH~c_jbhUNNMvkfWPU7?&w9w+^+*-06#YRx
zrv!}1Ds!j(F3-t+Zt!K~4sltclO14@_rD*yUGSaOpa;zst-8Pu->oun!CL%ofLmLU
zbkz<48lw9U;4wls`-_$*53Fc3a*-ijVT4Ll-3vHE<h=KP6p1tRDULAe(^r07xkCrr
zUdm{Q{SvirL$~N!lE0~?Ngf?%m~f-gr&yw(%Tg4Ll_PMi7<(4Vz_u?WDFQBNVs9?y
zYOdlcsrvZF*`l2vB70q#4!V0!okr2`{Dc88tG{k$EwdT|oMZuBdyp`}A)hF0O%wLM
z1ZoHW0i8+@n#XAqDxw$RNShhkUX%R0Q7$^!%{mzQlxl-rdE@gTk$cX%yJEOS`BWcV
zlH!jUr7dSbWSu(lkd98g3`y8ym!FwxeC@)7_3(i%s_@Td36H|#OzPfgSCMIWDjmgB
zKH#|r3?mvX_~vDqqq&}n%6h>XE~~DYCMkc3?8diTYGbM4Jy~W^molFq81Y-<K!?*y
z8o$OESNnE+f2b*Vars%yY=Z5?ZmF;PSl&BnA@bu$PWRSo-KR^rUM?+`$=H}p`e39P
zKMfB|P*?~Obut)z_><lLJEubP;{XZcy*6@u7{?u4HS%>*8G+|_mE0@PCBYuYj3dCW
z{GfvkeUrxGo+hUm?gGQdr9+{so`f%f;lbLU#y;s`jNjw5-_*9Wt;b3=ttFawkdi%Q
z!X^XeeevQ;q~wkbUy^V8^pE}gsUtEmb$0p;UMXVIOh89;$jWd2-OQUAczU4~gbX2E
z^`H74Nr4I}>vCKLV|T|o5y#+HeMf!9P&hltDXA&D{7rxK`HRqv7~&1T#*4F#d(eC>
zw^XLyU{a>od(KVjBt$BY9>s9>y}!pqXDj_zr(^IvzMTJq^};_Ebc@a47p@I1Oy4@w
z2VJR76nV)Y<Az~+Sl=^W2omDP7OEp8X1krNnyLt-9eOkF0)-Jn(xE#_F^_x2?d;wX
zoaaiHvvJaZ%7>hO;6$bit*o>>Bs*vlR<A51==1d^bTayAi9cymK|Ln>J6oLK66*s=
z_+iCI^!%xSS2e?9r~nD6IU9@Hbjw3J(nVTF>2_;-@2%-~61nD<XKpe76-#D6W^~&e
z_84Yo2~#~6j)ycxKxDgM?>?u781%APP4Ecr3&+bB5hCb-xHWnkw{$T&r_G@?f*%yv
zL3yoMVug$Q4gCZND~~A2G4)mQ!bY0+3`1RDxh$e@K77)3$PlUhI3CrxBtM=f;MN)}
zz@YZ!;R!bjSnGLT03Rj@Y0+6+4ErfCpB$rUJK^;rYmw=JimJFcGTvC@9aklkyHqG;
zDhMAAx?2>Od}9yN3i7`i*e>pOF~iF00#7|(OEil+e)Wq(n9x*10MA!R35gm!meVME
z5&n>6R-tR_TlY^*t1q&X-!t8GDZaNJ8l3S=mEbx#8MUtRE6X}gxW?P^U}*&QT%1Qg
z&tV!;GNrG-&#o!Vb~7%YARNUH=8X*h;ryEQY0Pxs4chzDqZPD3)En5zQ<=fl?^18=
zp6IfD!7eI5nG;Yy-I#8sxFbT6k@+{NKc7<A1Eq0!v*iSP|0u^@xiG#(U7N#mssT)b
zblc&Q^z8n5-`klJA2Co^#5s`ik#mnrE$8u+VR;W8)>^SvFlPo_vZeYmq7SeIA|RYd
z(jwltVE0ky1s^HwSlr4g5yFun9~<9jD-@VuBUJlM<e!{;4T?NcSd?|1w`&wc^5&2v
zRJI<{t80&uq*Y9LQq<lL%4*`c;j!SSSyI95^#YdVB7}!%Gr&AvopkW9r-DpQOw8@1
z<OCC`ys640-I}e>9On5j!e4Z!Kg~6^(8gAOCbh9nBpCGRQ~THO%N0A7Yo}gZw`(UG
zYdIa|zU;iC*4*`nu!9dDmY7@~iAwXe)vP)ww3U?c)|ZWHXgQAFJQ1a54hA7aw{8q2
z+cUWd1&glE7xx&_$h`mF-5O_yvC|)a5P-;d7s9B@oaTNh1pUo=dGMl_jaU>q2Vf{k
z9Gq!Ds->*d8dkCvqA>#!VBR}PS`}&U$0n<>t6gZxcw-2jX2=r0;CS(f%)_HHIt{wQ
zDrDHs%i#6avpa=V-B>3M9f7SlG_FT>ra}0DQnQfLN;DY2dXI_pr>U{`snxiXO;=u1
z2>G1To$+`qCcX5<Y386|$lw491d-u3`W4c}ZqT6cY;;=dLo?Jjr=hWD_qrNW2%vta
zw0VzU1pQ{0$%=xZ=Y|<wBlcJCa*%2PImaIQm84`@5FoY%W&(i+1P_IVne^#@13V(D
z|3D|J4VGH$i;exK$n5hDaXG*jwxCPGJ+MiiJ|%gqIg?OFG&ZV!9BQkWVQ=oz27B#*
zr@+p(CF!Dh&Dmqd-=d7saY7H?N>iHvvEvBwdyn>+eeL!9kMJob1P3t3ZWeY1rvdFE
zB(_ieh*e++g&F@Uhn$U#0^^&ic}y{}Fb!v?{<E+cT*`Z~;DacM`cs3hcZB35D#}6>
zy4HFkHaepDrbWoU2}5@n7BR#!2l-4Zpm#O#t$dJ^-DmA@GOy8N<KOTWA3TxoF*%K^
z+q!RQ$in#EQ0(tZYJ3DL*UB-Z^1##2B-oZJd1{?Q!eU*>L2zPkQTYKY&D(d`XU#$3
z-x|NY;mUof;k(8Ag?Oeuj_wQnlC=N!{Q`aYgRb+T54g$#UE<WfUtm;+Y#EFN4hlhE
z-$ov-P;r7bq4%@G-4F07^v2<nHZ={unk3$J2|m?%00|YS9El1R;KN<?yK1X@vrR(h
zV|l{v^VGL;qU><z3IKjG-)@D0>;mUS(XIq6-2%Unz}S!27F0gCA}<ZxA1F=n!FFu3
zP!XIZxUN4H#uyDtvNpIceI>SOUVV$(Z;hRxsCn$c3!E_=>CDUU<P>LPGdt+bKWU7&
zg+e<GF*s8p(5@$3Fy2t)lT(b<uSeZG!Umsrx}=(?)dZ;M7#s(pRR{5)kWVIt+J0x!
z@#dE1y*W)A@am#aG;KOev^<}^s6nFi%b+Zreyr<nF@vxH4YMvAwXXK{Vbfb~r_ihX
zOH<pMya|EupvSL}O%J!9k7F^{PI5<Nv_GSSt3dS$5M8hc=RNNqJ)GRn#dX(QLg$--
zCl4OO9}oe>XYhu{sxCQ9gS4D)OFv(keRY=f{c=Mw404Fd=cJ*1#W#NHLRt-0H`Ngm
zCPdu73Gvw@d^B#9)2>&rsQpgC{&#X$lzOd@jbps(V2qK!{=R-=_4HTpF({LtBZZn_
zlEQ@bRu)GfjaiHFrxDmFPqw2DMu`(gpUclVZf|Dz_+`8Mj*Do36pG&fW7QOUr0|k<
zh1R~0dR6>3iQ<_6E7Oz&k=2L&O8y-DxWy1NH6|Hq<|CR%!CUjoPcR@C3bRQ0mH58A
zDjY`4T$@%XYkd~=okxMHjGTIt8A1e-lQ9O$X+xo)JU;@2XWiMJQdd!{*oL|e%##3N
zd^Gr7E^PWOKTBgv!d_f%OqQznp8Jo4o~d}8?o~|E=R})*a?VbrW;UO{)UNhpTT=~I
z`eL@hAbpXpiw~0R`6)B+LERU4jHW5~LKb~5@Y(lx-n54Ss7ggkJ4Yjz>48$2@^)MN
z(c|zStoO&k>m_&ycN?~#kOe;2BR9P_k?$qn+jYJA10<)%n9b4?O#{`kL0^VC2Fi5z
zCN*NMr>tjtgQl%Z6-@_jQh_d?C#m;+SIJ|*QtOSyy@_P131}=m{5(2kn66VgXUGeQ
z&$QaZ!xEo#2sp+M6;HFDeT+tmUpgp#qyW;a5CdG#rk$=LG(jKL{MS1MkF<l(Q-3?!
z(_i-KH=7w}hsA7;@!jUKRp>!y%5@?B_1&3#(vIRpx3W6}`mV}MbgC!*!>>t|k_ZvF
z3LeVQq}s||MFBJTxCs`W(yP+;<rj2Xgl`FYD?LB*Wy&9T5*8|j%QK1Wm?i~I{U?wS
zfd~<jSjmZ85UEh;AIwH1G|VR2-3VK-OcpK$xu!53>$rIC)?Z&1dH%*SB^`uNB9(F^
zP*Wz9uqIM}`JAAt`t#SSBa48m(624On^B!2Bd?~PX@fjqoRvkFrVk(UI{w*JB{Ih2
z5Zg{KaCKw)zK;6-_|x$J!`55CMfC*@!`OlX(o!Obgc3^Uf|N?Fw6v5<ce8|~v~;sd
zcXuj{#L`H!)Y9ydOMe&i|Gdxp``)X9zuj~1#F?2hGw0kHQg<4?8K1}eH2$}9=%IP7
z9*C$4@HZW4o!BF#h>!E$i9^vsa*q{><bG6#`bLPoudL;IS1`Rb7C*-Sm51|$tg*C(
zF<KHacml-!FCxzG_I`i&u74frtN8U5hL8E2)xUqS+_rd#{OOE3W$*7VkxDq$zf*-~
zJaG)=yT6yDwX^yJthXS8+56JaqZ{7Q7s(PgTHms#MWndt8~et_`g|UYQUSC8U*I42
zSH(IYpE|}1y>xa1v+XQ)*+ZUf$TPktZpjuH@dFDN5Upi%Eg!5%W!_Z1-{=@wTqu~v
z^r=F{?%ZPB-4fl&l@h#58TspzJte}9=>hCvM<G4*rZD(#T4A(s(70i*Ur-%m$k%fZ
zcne?T5@)~WJYB^5E^no-czs;RZXFXR5y<RwOJHv4n#+VrXuBL)A6Lx{E{vF^wv45m
z4A0;vzyxu{v&iX+Ey#Ie+3gk!?CZ*2l0kk#N27IE-rtkwS&E2fyw~gUz20zH`9lU4
z-w!Pey{5+VPuc;#;F}np$S{LNj-LU~?|hGf6p-jG;HVXg(BHt}HTms!Y>E907pIDq
z0fECTnxp$Jnv_cCGL2UiLj^3rbm-rQo`W*NeAW=IJHXq;;Zh?&3Go*B{HZ^A4JTr{
zzJAelNkzj)5)D$s_@1vQ6v#k+Mn!XD*4?@E9aX53%m^Saz$Ip(|9sVbMv&}D?bRw!
z^=}nuT@GPSAlI#CaR1I~#!DqN_sI794T%JXAhLsRKueG`)*Qk`@n1RAE!k3I*t(<?
zzJ3M1&>u26)(fRk&|et=HwWH|FW5a;$aPb&T<`w$%90de_cU1cp_J1tOIcFTb77F4
zbq@*bVO*3RkZg$!!%v(n=FxhS9(Tm?+e|K#8(aMtX`0m2ughl9q&)KHy$@^0TULG`
z;*2(O6kg{7X&}gKA6QXql=C&t1bZ;BB)bf7b6zONevhWF$iZrq{kEN$pv{J7leD^6
z_XH-rNxW7uj}kleWswHon=_E0ey17xN-;Al<`YKZ^v#S(o6~{Ed#RFCNvmWOGsVY9
zhpn3jc4<f1(zV&s0jiQQ$<<8XJ|iIc_IDc?nLDPO!li+Pj3}_8PdQO%I!D`1K7*!Z
z=4Xg1c~jSiD`3gmm>8a~Jfa}yG5zt|KVAPLAkp_o|Jn6dfGubAn$xy%@h%sg91$f<
znO#)k+{h5paQLnnbiM?v{&dxvv{*7Ds=~p$_@sAz2K#)$?-;}mHl<pStK+xa$Ec>9
z{&1P;z3S1{4q4vNZ#v($nma$($>(XGbm^+ZZ^kSQi?qYomS;9N5JbEzGqv_)M*~4%
zC#$X$AXZR;>PG`!*UPSwu1kwjXPWDXP|Iy?X8k&>Cm}0}_PJZF^}^EhrFq@QfdL!}
zXwmi=KbL#1$?rUq{sPm7a(sfO3uT&a!xwAbo|O({DQ*$@V|NI6Ww=QuT;5F|Xh_97
zI+mi|JEJ1d?^<Fi<O!fpKFbjr8paG_7@9wvk~0&=`c1JOPfJI79<Wayv@q@q4dLCu
z2kUkhL|QVEosGB~qm{HX4+##keisIke&{9Dyc3Ng%2KEQP%nm|0@h5N*~XpQzcmYK
z*`AR8`Vf{2jq-Z)qEne&;e5s?{rO7uu(?X*g5-~h(G4G}xsQio27uKCEbhb4K*(TD
z4<fYqHSXpbJ^*n4CDinDO3mZvyLSdKr9=#;-DGGb;0+G$lzmk0g%WDuha_Mhu3~qA
zpn=uo;^t%UMtC!g=h@mGdsARYx4}%lne~AW+yp6df{_u#KVFX0edKvC37J&YDnDMr
z7dgAnRi&j8?n@W^szH1e@e#gdKi}+mc#v;U%|xxDI4h;Mt>jdOatT&}ieb1kXDA-t
zEdo}5Z|qLWUHaqZ@4pP8%3v;xzMIiT%<hAo=t?cN8@O3#b0-f(EeqQ*Ia&N?%C6w2
zKf8u9@$r}bEV!LN%54kN!PdZP;xVP=i&w-V`H&Wq#iTDT<Yi^vf&ZA}0UGOJv=%*d
z!PMqPjcq0t--E$iAiXkpKhk@Y-RqOcGrtV!*PKXmf4yj5hYj6|4L>lZ%wLLLDFj(D
z`dFb8ND4DQ?pHh1^4iHeCl(oN)s!S{cX*M4n7t=O=XIi<$5pOXjV^iV3wH^wq8obh
zfrMSp^8*#`f=9$S?l7@5&+_hzi{y+UBKwvMk}Io|{m<(7kn7^pyTkEQu@8NVrEj1E
zQzVn$tquP-N$)%}2<ptwmt_8&eIR{?!~0yL_&oS3tM$r~2VsZ8B?bl59*grUy~px?
zA+?~2-{uKD*y8m(E>1iNWBZt2u|R0ytYT5$!p*0SY3sppp@d+L<8=M&?=kt^+2$7~
z^S`M?K`vqx;Os^mTk(SW&*UL(yR+<Eri&)(uyy!yGuW!m2ZddNGAY6kt5!2a1-d~w
zv{LTNa(!I7B*ZPM9Z@jSYcYzxoSIfO?7r+Pw(83l#Aj%TOb&A;yw}0oFZ@H%%N0pT
z%<@7Vn|3cQv1y=7e<y`7fCgJAyC@B7f5tun<+ATgA(=KF42>OOz(J|kf{AAb?@LHS
zUMmVw+tzD0nbNe23uZ7Mr_E>qFP&-F7e|ax<Qa_5J`SSUUDrBzN4wTdX-J47BMrQr
zbNk0L#mP$UPt`9aer-R4;;7iRub=PoHheH$Hf4J1GBrKtRFKoz9wP_@*k~Ypx(={=
zF|G`2&jhKAolD-8l7CB8XIKrn8@Z~50BjW0453PqQ2+F&`qG2;#C<M5I4cK%iFDJ|
z%6fNEN?iLunGE#9)sYObHwQYF{`yfDdK{<JZB$a%*JXl1rL(tV;&k1oI4i-5q#`?n
zqZYnze|EPKV#XFI{miV(P}mg}9-{28r9EQwi|o%L^bc=m{`Lc(`S2ER_`*fbj|C$?
z*C(K`|2&7@tk!SOKC-Bu`OHP(>2nGAuB#Lr&{<iZVjjB7qm-i!wpL6|<N88O&;tn{
zcCufXoYI((a475Tc>WS`$oDoq3#yN^F^21u8%yQZ2N@HF;;FBQpT}xy4WXt*+4=7=
z469*zWB{3}8R57GR?l5<UcJjT-osvGppZ~|H(2N2YjUS*`>R+Uhu5TBz++~ffD3Q0
zZT844K3CE!uT<$#hp&2m3htMY9%0zF$Q@7O$FChrAJ-zA5M41@=|b<4qPr8USRa;z
zy+y2fS63gnjL1C%UPw-*(<795=Buz6JHQvDy3?+z8S`a9WtI0+UAh}xvq#srlABf7
zOmp^6ig|e#^qOyQ7Hk;5mj6lP+Qyd}{n!&RK5^us*=hnUjCm^UZfF7(JU{6C6}pVi
z@Xwn9JSooiG#&<wX|(XDTd0@3SzpJEp9ad4fw;@%`38pW<GEZVw9!Ni#Xp~Rk?{=E
z?)u3Sef?psW_yctp;Y{@wtd7@5Fy^$`9Yssk<=nTOoBzuWy^mNsIx#FxwY7#X{Ah!
zO#{s_INqLB1-s!io@oTNsN=c0ORUmZKX~dhsA4$y&orR7t2oyVFZ7}jUqhgXyHeMp
zWZ+Zqk-}S*{My9_@z(G6o-bWWJvRzVobRLhqww{D&6Tg@8>M8`W|Eb~7i>bW=}}^X
zFY$?dMwuCn&k01VtGb8By>{N{?W&iOO|*IQ9J%z)I0%E<#RmAsEpVP7OCNF#S)_$u
zR=s19Q-W|xOA6V)6>4A;k1f!$n_t%3vtIsG;+;#^K`V8#>9zKi;OB6*jc~AIBMN&R
z??sqROY-rB?YuTEd$BU}(IyZ@SocX9$iD^w>1JARU1Jkf5cR%@R`_Gzgu;fFNFE8c
z-Q#;wLi@g*Ge@{Ii&e@jkQ7tgHw4ep0<%t1b99>pKEwBv)*RN!9@8d<FGR9THpG3S
zm&B`=D<nR;Swv;@-C4)>$H<S+W$^R=d;S`Ulb=7!Hy<3Lp0@-aBt29hYGw*zKJzdB
zLNB0=8EF+bx|h=SlmPB!5rK&!bEZor>wnq+rGBo<bR_W@A)!_G*vVJ{NTxmPkYj@4
z)zP*fk1qG{Pcq!H&xw+52;x7M9L$z09>KkV{TeOFY%&@k#`(Ed*m#eAFV4@c7$o4P
za9<c|_TE^`R(%BBkohuw`4=CycY8FF((RdkKdnchE>*6XG%Atow!@fp)m?P3`?FCP
z25?=RHaY3Dl-t@!`rS{z8j>~@*WC3=J%u%2ycAC6vV#R#u(Zo2*@>R)H@3b4ndy}n
zQa$5h8<7xbt$9B+TKwicrY-9^`HK&6flrd1jTtWvk9KSblYg%${86m)@?SZM_648S
z4;=nTZ()=#+wgkLU-{xt8QoEsy>ufu_U-&}S|gM8lcsE^!B9fb4N{O~JL8gk`6z1}
zIDYm@91|txR~#SHI1J4v@>m0YeWN%RAKhz%5nrSG26zQGJ~fZ9O5xvQ_|EzKPaL7>
zpA~kziZD;W#d+Ud`y#-Lim=`;1;vkv;lJ#eO}MM3l4_F-2D;{oI0&475~<KV$xLxH
zPwD>{r$O+7Iu_?+9w!SO@onEScHFX{GTcu;6kicOB2;gU<nk@lW7hn6zl*L*)m!u1
zQ#~^oPt-hT!rrXiioZ<cgA4eX{kD6*TffT=|6nh0&Nj6(w%+EOA9*hE@5p$QHg~DK
zFLP43bPZXsFFVwluY7`eyfI5V)TChl2t1bx(u_$~D{%~G5U>-7__6Wg*SCQm3ni@b
z?rO9C0-T1cU)LU5r@A#Y@1$XW*cE;s@9Dn~m0`H6WDvBl;<0lIKJ9u{%I#}*T(WOf
z;6aW}>-!Butbuk<B69~`I4vm-==i0!j}g<m8{8)N48*DBa5Is|5?b6uWNCnI_xi9u
zwwCt7;U#cWfmzjDdvF|4G95Lk#m6>&1X;08BPqcrMtS!`+58CRgLN`p)gyAgq_$s^
zi~0T9KdpckQBL!|Qyft`O*We~fx)fh`Z(cF@<V!kO*j!XmWi?LtCUs`#y3$noRz#0
zsxDP8-a!3x6IR$+`{hc$wpuXixc}&wm6v$!YHP7TC58@ksG8QAGY(pVbCH8;sKtKF
zSQpRz=@-rlSlC-kkFm!-5UW`Wh7aMoS?o4x*V=|s^laL0_C|!J(}T)Ip-uKO&|RP>
z{d16{IGexvT`S-)N$iehb^bz3QcPII-4#g&#_p1t;MOCEl55+t-$tpHO`4x?yY&qr
ztBc<O9s?{K&Mt_%hqi%+=mZZ>Vo|OkyXRUzIbZ5l2k1JcM%DMeb)86qoi%9xUU^w?
z7=;uKRT2r5TwhB|5D(~zjx3H5tddZ4JUW|r=2`Nt>s!)f<YsSx#~&8OxJpg<U_{hj
zLzmydYn{xoA-3aRUpE)(QZv{0SB3k7r|WFmSjvJmHL~3Z`$fok3q;N(Por;j$x?IZ
zYZ$h)+I@CLPkkdTbOR?QcD@RzC#cYs+vr$#`u0fdejxY<35?X8>-LZPa?<Ya@Qhc2
z+q#wZ%!^s?MztfAPfZO(8S>@X>ssURo&~qH%Zv{Z?H`ir0wuRsX*7l6k0lR8aA_qR
zzrx=t0&PJkWuOa}mN5c<>O}M&2YRtih2Nn{y;rI=ZoqS!@tHWfyE(!R;k?Nl#6}Eb
z&}t2>X#Q%`#+^l_u4D&vMx&x!A&%J$OFBk`!>y}suQ`tm=@{@ioIGIvowzIIV#>^A
zwU>COdPhKu5xr(-jaJvzZVk4kuU?J=<LZCp5K>pm)6*$PIffoc&iXIdS+z6f7`ugL
zOIT+;1F4a0RX8(oyB(ftjs?R5#L?JuRUzPAq3*+I3~}hKjoGB0d3R1^p>u(WTHzN?
z-CKeQ!C<vO<>0M@^$lVp_x*19g1Mn%aLi_f$1O&O^+W@PVuT*+iCCxJ`8~On;9eGn
z;p2EHcf1FyEaunFS<t&%k977^8Q+jchMXpSo?%LpQR?-DO5ju|mT}W=#1R%JFRiW2
zybkUj?t)$<_}oNV(Tv<nj~EK~m`;4hp<Dw%3?nA>>GYW4FBnUL8pNzJ1D%N%l#JW6
zC3SDB((&fCA5w|eKiVa0J{?dZXCd4O?o~^XjSOO!gKdR<uPjPFkaJczKYKt+58C+s
zt2KLToT}1v!+!qd`JCghYD3l8@+@y&xqM>N&E+**U~Wt(kNxQN7s&1*d-pJ9F_$>)
zjFg;hzUmIsoG~h-ZR~_LOl9lspWc(Vjp9B|m0?IT6SGUW>n_V0=AFsJHfod58`)x!
z8X#aK^&?b*+}mB2&BAI+*@i_!>oeoppi}HUbmD~#POJrXeZJy0H!;kl|BH6fEo5W$
zmlyRFOZ2D1F^Cd{Jqtq)CNL#fPY=JPfWMtow@lwG8MCyN8f0*I_y=8%y)aDVC+ry~
z(0c!qqDQby&rGVuFT+dB>|)foe;dRg7|v!0O%o(z)fmb6{#{fU<kuC+{VLGR>Gn(S
zwk)@o*Ug>jL4E^iV4%Nq8{{w;{=rFIyl<bDa|jRE0It9Hg|3>I<=}VD4~$j=H2>a@
zoq2wp*8sYmU?|0Vp?1~8SNSsx!}$kvx@Os5>X<V5b2=M&*l|I^_iw#j(xB>Fd2>H+
zoZ*W&u5i(4IWF9%xRNiAgBXTwci+h`U_fMa;bpMnM|$$xhB=>qDVYpLVJ{F(Y=%Ep
zOMD7CCwR4I*?77B=Hs3m!}j`u_LJLWuqP3iUVp`Ed?D1&7QY8(zzLZM3~?H8`g|j0
z=HtVS4jkGmngYSJ6{|!*16`o8Rv^5%U$<h;K2{<g#2r@@Z}!kB6jt%4pP#pwix{Ri
z{=P@fkl_brKP((CFr%tRW=%e+_BWm04p>prLhT}wBe=p?u!D}|G(3QlaXe}SJS1wR
z2|Y>ScUiY{o2qMdR{KHFcYM$;6WiIn@vxoo=oKOI#TNy6Z=|<+MQr|)HdQG_^TjsC
zPjQW!FL(sxp(p&+79x-3TUUN6#bSCd6suR|%Y>6YY{!Ox0kkQoV++Q2raRIScZfHN
z{vXtUfB&3h7gQt}775x139b(yh7me(!OL#pQb1ox1!+&|DUu*~i7+zE>URg-EK8Zg
z>DyF>nx~#be0OAcr;5&LQYwBCWwBIt)$bG{EvOQ{f_oO}IY(y|Jz}d3e?=B)2o6Vw
zuRJ&8B!guuZRz7VB-YM3j>qzS3jPqos}7}jzH#W>hq!7m*LTF~jXq#pepIbfLI|6H
zp#!%YXhF<QGTYhGGk-C^UOun-7}p?y9`p2O?b&Jt2OY5{9QKB()RlS0+4sbk9k=s~
zpDje;eP=G0Uu=W${o%?E23PBMPaUrZ^El6R-~{iJ^VO%eWivK7ZXJ+X<&O23X?)tH
zpzhiLx(kmwCbK)HMAl;LZ&7CrWr^&)@pKt4(ors(q7!203|k5Zj9oY7$`3c(B~fS{
zmE5FI`cV-n%o+}X&U#*+8@lnl@t6hP1tf%Bp$Ui%U?2Sc{z_li`*oKDW~7N94|y?z
zd2{mC#Xz1u_Fk)Zrg8b*N3hh2-`(OY{n)?>r?I>El-$j!ZOFwwf7`DPoRYUE3xE2T
z<y-gR=_nz_l+?O!FFVA31%Cp8TIZTkt~oqW?Tqs_jay8tLgHxkhN@{g`;&*TxMN!#
zYszvND2NG7-iOH;VVy{oTipx18G|AI4?Xmi-2()BqGrL)x?iZ;AG?)7PPf!#4^%>z
zW4Jh>@HSk<-$y&%V$PxFMq76MRP0vgE)O|0n=HN%SSQ$Gwcs~e?Fx&t9eB3(vrRxM
zFHxtz0$_$QKrh4G76z0eoE%WeKW0KsCksSO&t#`lnQ30pf!@k>Rd)d<s5=T!KvVQY
z#ml-q)o`%%OkQX96+Zv8?)n$Jg9MgAuNXV#W=M!_GP}YpqiL9dEtJ#r!2mm0k6<Lh
zE@;b_^HOI7Ya!||YE5n9Kq?9Fi%7RKX^<k-o4Oh`tX#o0vO3w=DmwhPcWQoYit8w+
z7Vc_i@Dq0HDt;dRX`jUoN)UGshU29$PTc-owO##I%We$^Ef5HvKb+K=(}IGAO*15o
z{WTcT$0C7nmL5#TPgZi+`akXgXf7ySBfY@+vW@ZE=~tDYmsnF3M*ZDNuz+RjJ~{uB
z_2V$2zQ{6k-HkR#65b-KH`45MfiglT<2Jf-RTh72M5_u-&mdK%F%#(jIRf90{_qn=
ziks{avt*e}x7R)&B^{4C)ZZ>g4UMg<sy)x-`L#WBxtbQFSwU?eCQJ;|`4AVn3C3^P
znG8j&SwHRjAbcP4BHtXkbEEt@sQfK7677;dQrPzY=dSr9SPhp_c&u`@#p#=U!i6A?
z!aF@xT8)P^a|fGt>E}$u={qfTa!Iv8-Z}OIT)(=jT&8aLb9-TK%M=(czStk!<g`A7
z1vL3&9ej>rKk~@0!gZjmE<fw)vU%_}L`RfFSIr$T-W<Jp`lKSZ`@O!*GM9gh%G#sQ
zNv%>8nVtMTopL+vf$$~%5f~;J)*O)zU3@d=kMYHhiUV3Ims&OLh$!=|CEGlxZx-OR
z8kA}_Ih%joJE3F~^1bphIYo0QeTO9wzDWqPKLxyv|A$}?2T!P`)LRRCJi`xX>F84U
zBN63?a9r(bCLj2;K!o=MM9q7A=QxRu@y&1tZikoD-De-%txmYDj_+^l3*QgtrCb+q
zl<VHUjZP2>I3a>ff9xmEnGgsDe^O%tg-+ku!0tFlJzZ3C{Oq9p0#KxZzP-TgdOA=<
zs@(40o{QwWf3g7x$UpYCLDGZ4-(4Wxb;4P{q2*1f$`Hx%*9;kR-)hG^2YHp5EF(K$
zKQQ(NWMith?U3ZT$&Xd+nZT~sQoNJ|OKOa{{GorZvm3YCegw}AUt_-A!7TA0X-B1$
zO8JE-rFMt1g0ubPExJCS0Z^Dr`qMuCGhPL#>+-CC%_c^@eqg#`sOB~J%rPF)#}I<3
z4S@GJGZv2=)zN2Nl&Hg3=P%2hM2aoOY_K|I^!J3YgNQZr3S%rVG+hE}(=4%7bS=dA
z-mA<jOYHk)Q45j`I(Ku)BngsOX>YLCW6u&dZ0Sydz~z~g+BB=f154^U2+8-fxNFsO
zsk6|gxqcD!#sioV&{9=IWNvnf^SW0l&|~c>R9+23wcN^wI2;$bxY+2w<n?Ug6j<TX
zeYn@YR->zZxfM0m=N!=Oae;X_-h9fLxbSLh#qBbk(uQdpGIvI3^crcDPRUg4j%h{3
z5PjPt|GnuG?inKTCON9%boPj!o$}5+=Ae4^Tose-jhc|&IB;~cVhgKx=wt*=NCOSg
zy-+S%nA^7ZVZ)C=W|bQC?yt}ZS-Ds3-@LBz!+|}8#<D}VD^|=ZHLI=Q4)rtlVcS<d
zY(;?|k3fFlN1z^3P?Ak2q)}&X$G$Axaxvk$XSFXF3k#uyxs51~c7kTDU0l4u$VM(b
zh4T0TUtj^>dS&xL?;?mkvq9N(QvC!$<*13BBWi~S{}*U3C=W%bJW|!M6GH#tx>Gx%
zJl?6u-D5F(&gUEp>psj2#UF?|Hi@MFhm}x_=ViUy4nq9&HULEwlPrpv?hdOvU+5{O
z@dXpX0O0pwe)$l3@D>q3zzxLSrsQ%+AY3}r)nu`c1)61IdflBCQU38D1fWLq-!MBd
zM7c_?av5r3<A5U6|1XQwYh3ScMYW{rx*DJ}`<5#UW9+8P$Q*TD4z@5(@kYQY8@y7A
zQif8FQV<U|z|s4#V<)I;{&ln5N1#px;Yx6jy4FNU16dLbS}I+t%Jc9ic>w$=w8cIE
zKJE*@M+6frY(*VgFO)N1^}T%xO|5V>g%OujlpXK-X-n=&=(oo%fxT?5?-_m!(uEBM
z!Y!-K{*tiAN5I!=GpcmDltCI>T#&dc<TtuERqD?}_!H9#8I$n^GudFE+kOeSu)bCl
z|Ko?#e<jnU!U>NPxoUF_i*HJ`mg)iH+|B!dEa1SxWua9sM%Pa|Mr(D7A%Ed;GP>Z=
z@Q-pfyLW{DdEvWUS$(_bb<jaYE-(XtjKJR|w+e#B*&qC6{#(;!<2Jhymc{N5Umm<!
z%r9&SHq%sG{?nc}se!eK1ABw<-3@@ta0;SboUg=+?5blsz%9Wn@}2n#&0g2U)7wlC
zOal{C%%ue>iP%Gh!9AK`^nripBthwAaAUX)czR>43G6i#0KWqqwd*f`(1HY5vzep$
zSBmz!#bIcPgQaMIG54b&Psb)c-+BakgGnAmO<YL>58B1S^3~&-MWAUT7GkgFFxS<V
zA|F|$(#=`o>M`|i@K(AdOnuJT{Caw<VU2F#g=IqXe6!~JqB0y^Hx<57Fv)9Zlx8mL
z+`V<<3w9Y@T#4n&a-SkR!K{A1fH9SLGJU29F9R)U&B+^hwP&=S6+YFO*Dc(Z3~>I!
zCh8Z9m(yrHQS9DZ-s&>Nn{9<ZFln`SyeJITbxlofK+-h1qyq2!d7;+KVaj0V;V3!F
z;`CH==LZ1Wy-*Whs_QI1qWMi_KPo6hs6v5!7C;K{RovnG1K)e@X^ex<iYeVEg>0{M
z`96%=u^p*~D6gsE<KT!awEQ>t2pB98ypM5ZJ%V2Ng+kz|Zaeb?+Pcq94=<IhN^`B_
ziW=8`rGc?fk3sF^peSsZsM~#5x11jwL2ca*X;rO$Mghm{A49L~0dOJ8xwoR$1F;&L
zb+X-J&0SQ$&dU>*>n9Zaj%U8JV#iA3v-{gU?_qy&;%InQggNWr4G5(os&d&|0g9#r
zMhmzA@~D<&r$94{OyRdfEQOW!-w}a|?J&gdyFwmV#;`&>m>A~vBp7q%nA3vHaijt<
zer9qaB_`!bM&}k<@?TFY0K<N+bu80;{YeYs*}>|vJ8a4(%A?A?b7Og#B#vEoY^=C=
z$K7qL;VqY?a6PoO){aaXpQ_1fyY&*Z>!PjQxINO9SgE-stXZ`+*d;Q{Z}>K(Gqzv^
zlMs~WaVsl6;)~P8{3)jgf&;c6!nhA!-`F_tP2!D|42EIbwv0_Wu)|)6*sTp24c@Lg
zKW2Bt+t||`oEs4t*VJloRv1qUbeY(yBCDUdiG?6~3UzEi@gqE7@VMq&FV26H3ICp#
zeVSUmqE-jXzG<s8;%qf)_whHrnb}5>)_J-jA1n9NtkQ=HO&_wnX62BFHFn7D#+B6P
z{Q13I-<MAJhXi)fuW_H8FV(o@&b{C=HS8?n?fp93a?iGy&%-uVhv>|AdH%;U3f{Gm
zS;vJXlf9{w`Xl~1I=0uNt@m=ksh#*(2+k#hU6)h&nylzlgb+g#YV9FR1DybC&ehA;
z{BN?>bc7wKt!Eh#M6@FFdxAE@6~v18k%|lH&FTaq&MR;-*1|l2;)uk=NnhIX^VV#S
ziZRa9A4vPDA;_31kwz3rpIG;5d~TL;(>Jy6aZ<hC-Q=9kwxZY*BWg{;Pk6gl_QM+?
z8$HEqJgloDl@-P<hxrw@qn{faggxp$8%cQ_qwEe@!{Sm#x-NKS99XILu(5cVpubfR
zK%Z-5RH9eaGd5;zUD>x7Drrpb+{j}PP<&VRYL&Y(JTv*(w=2L^b&_^zX^bvk9o6yK
zIMKEp1?`TnmfhAgM03%Mp49?Rq5a8w-x{}yx*zn;H_(WDmYO}8YTn=7Gho~luI;(_
zbQq~ZTIn;1SDjWSZAHCA4tv6IHbhgsmN}NaKB-tXI@@5fM}xmb4m(+LIRn7@;KTG=
zvj+_^o5P+sx!A^nC(}H&2`K*FlF{;3UpOo*<=YQb?Q0Q{f{Y9aH43_`_2Fu5V;ddL
zbWe;p_hem;@Uq#kaB}<V$iTM#wATv_2C)uf@{1ddTC>%+$*q%uvbsZW<nvcP8V*?%
z{m`iV=s<|q4~$Qw^DV~gv+e46ICs8Rk~k&kpnDH<<0;gi1Dbd^A^cj;khBup_yOVD
z&ucGD@)!}rp6w84=bC<u`A76bt`g&Qi}ov2V#{6Ys=;o3&u+A8R-B^J;YD1R>1?Ys
zpk_>(;`oKBsVO&*#GDLE7SXkEsvo^u{uwsKZ_;cjhuMFH02C;vcGBjK1~qq{Xue<e
z4;<Lp90Att8PH5?HpUO!Yyh%qauE6jV6tztFEX#Rc>~6V7#2S;w?Zhr1U;jys_X0R
zRlW)A1pZ}=zkYVQYh5Lnb>9%C>5K>K-_53>jxw2e#wmkOb%+lGbbcG5bW!0DE(JQ@
z6shwtU6ZL(#Tj)lYsn74PC5kUfPtYY5jLFt(gBYNSVk=O)4&i6u^;#tXdsMJ4m#h-
z;=jQg+vI=3p+gO#z6T9TcXjkd<wglpwm@`rp1k}|X}xmRbcJW87<+^X@(L|0c?-6p
z*}U;#=^Yns+m2?ckQaVc98lNz61@k;QY%U{R3KA^DuZ!KbHF*WpoIo$VxqTAVc5KH
zL**VvyocT_YW9stIJvoQW_(!dfD3CC)W;;p6KwC15R>|okdQEcvF-S0G}l-o5~Y8)
zVtFbIMhQvOU)cfqlEBs#OgKEg(i#1%hf!Yp&k%~)$S9i&v#?HBK4RMzPgBVNU1t@N
z<#RYJ-iG(qn(f|1nkuB+rFgZw?MAaU$$4#aA4Q_pgjST=CF>lU_hOqC^@)Zf6-jZQ
zzr8UY*`)tIovfX{w?1=D!u_DvX~5<uBf>8FMRq@Cb0||rXZCl=!omVz-2X>%M057H
z1%HWG$WXjiBN$Ac<A>TOk}JRA>f>nslpTON-rU8d;PO-@7^%HbTq~`rlE)r)x6D_K
zi|0-Rw8(1B_wwTK4d=b{fM{}ZVYZoG$DS(T&l0nj^Epyn<ZuVo{VRzUm6^<T!$i~9
zPZi?A2q(_Nx-6X}JYE(J{*)>W)%WJXT79MOO*&=#DV=YSOiq^<D9nV}pF*no*Z6|*
zN6Q<n9O_$q!P+M8_@l2}k1O}=W}(xS5uRZaUc`38S@BzESGm#WAZermm@Hvm_|#&y
zZr%PU&Dr_hM&I{J)EBM2e5GZ`G-H-ZlA{5#uI{AZUfdlKgh}qi;S-D4{G*{BFX9&)
zJeJi~3fkJ~31%gk*O+@DQ6@Rx-zg!6o89qDS6|O8B$>mo3dU66&hCTz4)w0J*_=>3
z5_cCtXUs!<eBFpRGF3&zv`W~O2>nI$$58tCNBqJ5qIe-4$Dvp;?M=^eF1@ZzFHz^+
z5tAd73AOW)c<4({0j0Fb48nAede9|FqkXky>*2|XD`$Rk_V{fPy#x@aX1>^grdzoD
z-BE&!izA6n*_rws>d_B&U@iT;yPDE4p>P^3K-v0s90fm~wL(Ns?N`9T6gXVZ$GRE7
zkb{SRkg8Ot(}W<-I>)WN)d}m4Y&i1Se<~}QW51EGzz?02Gp_7XMCz}Lu@~oJesTIV
zs|zbKy1FJ=U;c5cI8lNutWW-0fnSz7z0J2UgkW__&KPrfPnwn3Bo)Z;_Q_RGX(vB-
zEZ`ckr(_%m7Grl+a8>wra6fbZb)AcMWeWKOxb|(}p@egq4|kcN=AIAi*V68*N4>C}
z(+dio)ecL6eAF&T#7p8dnH!oF01~N!htBDC!$_KMF+llqBZV0AAhy$X{-}h4)RzPx
za2X3FUV!CahrK1OAFAkc3x?%nFlF%&X0ys!Bd|~2(0oJ=C3#@n9{01NSA8wzP0a>*
zK4iHLLUojU9~QVi5sh*Y>e>^Mg@(0e|BI(;-e}^7M|VA+ay5pt{>+#q=CrC$;n`R3
zh7IO;g%#dXGM7mIL#`Z!jJ5$P2wA%2Q-V%u7(ktf^5M1kzag7%(!ufKxc<_R@AzT&
zjS+0v=plJ4q|RM+55n^OR|l8w8=rH;Feqs?C1xq1DD^c|H4ie}0=%Pa8Lm1LYc#Rt
z_%C{^QJ?Y$#Tif4Fp3tU68<=zcFVv@-BouX`wn6u=>znyO|#thx|jaa^bmGW4iARz
zfTSY-MLv38p49Hw5{EZg&k%juMkN@-l5!6LLa=qk7u};CMM3IZ?<(a%d>BFD_h_BM
zT9H8D=Kj}lC$bz^>6cNl#cmNi{e!h)30sqasgceCpcT9Le@54lKaWJVMNaiW0yk2*
z^N_z~q5dd-4F^qPzkh7}_>J{}6`6TYq^6e!g0oH@6S7qvDRQKL5kf$mW3-dr7a_eH
zGRjE;GB_|-#B6$MIk>sFtX*5s7Dkr-{%zQD_Z@7jja#>Js6pwEK@fA;YtN3GFT7i1
z53`Q?=cmZ?ARls5<q|PehU%)ZMla9)W4_<X^0pJ*a_EEN_2HW}wWtJ3;7*1~WJY5&
z{JS2{aH`aB9@21ERvF&m569;P1*ZY=>6HiaYdTvU>=iSTq&Kz2vc;KtR^TiUENtwR
zU5=^J*B{{27LIbWOnQYTw?!I{S||{^r2Y%F=4Z3(Q?dL(#e<-iNmkhsAHG{|hSXai
z3scu@;3POO#zhplM;QyzUod*uJWe{GlfIYBWmRu=8*r>v#czImhY5Ls;2Z=MFM+@N
zn_eMjtR?IRKO%y;q>@R}{uA;t3lX7{Gqf3r9Rs4h3fJ{!Z-En$IBd{^4q#25PfJK9
zr)#Wi>aRDUHt@T?aF2LQZ<#qCRTUdM`^-Pl)SQ5x4(ubjebvgQNay7%;ieY_c{~c=
z6?uvDceRucv`ST~XDq8(db$JQO@Bi@Y?-Rk^UgwD>a9%=vfbJ3#qnm3-7G``XM?D7
z0Ez-3*V5yAgpR=K&5n!Kai*lE--DnY*3h1gE+yooDpb1iFhlXmSRM?g7N#)?q=fx@
zC{{_3>s}??{vza#@@+qtP4Ird@@|2GFeS$ogMrf!0j)rUJ<1B$(W?x~A^8-9&Qo<0
z9R59#N#ayZSs!BmO+Ix`4L+KL>D_B!3K|TBJJz%Q<<w0qE_SF?fE^NUOcOu&Mw!<|
zs!_@x9>vn*->R3-(jx@_FF%5{1#sQqLYC}<9B~$3eEZ(}jR!fYFG)b*Z;4=wl&~4g
z@zDQLDOvvT)e_Z<5Iiq_A^dd)`1kQ?)baY#FQ0pJ&F&ljWcLbHYKC28B~A_tj*@V5
z)`7%sa<OZXDQ44N;PUcf%XqZ#KNdWNj+wy**}eD+7&G&;QOB>LpVb-uqreyzbEux}
zC7to8Fne?@<scs!<PX0X%m?VCkq2v%k&z*)QQ&Le|C&KA=V#dT)2h3&YH*S!w2P~w
z<=?ac5tis_^2)2BH;5`3$oYEhI>PQ7a%Q-^e9W59{%_z748atnh#V;7C~$48-)TX{
zpc0HGn4o|yTC=|nDX)HPajre8QEAlBDe%AuJrOdlhR-#ckw_A>WK;f4IbdN;X5Ykl
zIVhM;hI=1&ZoS9}-$Un3p_2Y5Rkfvb+wb(T;P7ZUcD|)xO8?s0=@q0?)WpB^!wswo
zFf(y%el-?51qo<s>yQbmqowunfAUqHH(w$o2P#m2jfD62zvTsq-z52~R#$h59yA0X
z_UL;!c>nwCo5-8p1~_8R`5W?h;`o>kn)p`_ZexkwxYM}T<Ojb92!xmKIi;fjQf2?+
z{ZmixB^UhGE0cVQY`!#$`CmpE3rpfdO%HKhTPWOT7WO~4eE0I6b+NiKrDkR#Gy!lJ
z1L*X>$-y#ZnkMxtnr%Z)PEPiuH&+Cuz4|XZ>BWLm9mzvdS8D|gYeCLkT!fD;FE0z%
zppTd2pktvHm*Rj1Ok-0{5qaJfaam-)D&Fdep6O^q&O^-1F3-lBHI39~&jaBzb4_9F
z^|gCL*&X4VGjLNP1>&CwFZ<8i=E@a;i406zoJ`V{+(U%7$>`X$;y~ZFZW&)@zE2&B
z((pH_&P*Z4%xgNR_}3rX*zN%4aPsNR!l26gyjSIpzGEmJLyH`tpcC|-8c>R|b=++<
z&i%r4TmdM=VeE6i;>8%<^i`n|uLZNE4#-2$QTCiFP*Gi)l?I9@6}8^e^w`s81i<_M
zerV$LLz_-ZhBaA8T~e!|fWx^ge_+&^r1Taj{_!1`ZXoYtu(i@vdEubq2uhfl`r+Yu
zw&g=mYtEs~cmOPg2LSn5GI4aQQI_N{czu-1BVN#+(B;XNn^mpWm=n}-p>pcu_Y-IL
zse~(Rr6tre)Xzts{iQ3>b)6@39|=_J1tyc{au|Fvg*Mu92k1ARDvEp5opn`rhgeq$
zJhS5B;o&iu)c09Zp~4eIenJ^_qPA`2d;t`Q`+g(BfOo_Ex<(JNt`9G$_#SNUxPhf-
zJ$EXWvS~uC1$fAo$$S^rKcJ211jQ3K+p<Y?f|0t~T^JbXqo+Bn$^LZW0tli|SaeO6
zjZVa0NE7~nU*rXW;r*_0adFI<MF92Xaf0Z=4gJRTlL7oM0Iu5#hH7o&g;c?!|9FM?
zg}l&{UOQVb?S!buru;#xvm@5ke#W3zxb6<Zb+<s&P-w$;2moyQy|2oWiiB#$nDd^a
zw`8<rBJ-7iwU7H#!hkzdQ=H5@A?J58E~j*XkDWh77!Vj;m5LHYR~n)c6a|DEUDvDZ
zeBjca1`B5ZDnc3eU;m|Yk_Xc;i%vkgyuAlQy!Ui_l^DX4-A@P9Jv$HF48jE6{)elu
zeiCwfR!@Pr*^}mgG+0ua`C?@77sMU6_Y)U+)2t?|?u=qP0NbgYJG3FFD`+HWUh%I)
zRPutx$Hv0K!mXw;6~9S<F~GGtGQU^yZf$k7h8G6!DdYN^Uckbt;{#R+A^+5TN|>Yq
zP;BMz=ow1rHqB@CDlIm*@`+7TlnYQD=kGW6?_~L%t~}jp+?EfIrOpj?IaPEcC2!v1
zw*R7kQ$EXFB~$#Pz>waJW{;EFIG4n%S+|pO(?ZfKO9)&)zwv^e%>r5ZT{4hW>UI50
zpjh2Y=t{EN&e}2b<a%8L#=SDe6jaWRb5nOl*pXftE#UIH(TYsAyJ#rB_HC~|Y4wM1
z5E2|6Y*2$({~I*eg4|l<h*O-rc-MIJwd6lK?>>ad^t+g`rXcy{qW&W$#CfrNY;w}_
z%H~{M59=`vY|j^{L6>AOUNE2*S64_SCgf{jr9D+Z`*j=(Ah!|<=chY7kI*TOyEgH_
zsGsq{@XYAlMvFBeaPZ$`BSvorFLtOa?G;ve#P)_%;q7=|uY?wt2b?y^id}Xe8shAq
z-2^8n#nO^)M-DZmoa8l;2ySbipC!9t85^Np>X~|WEpz|Fe^MB&K6a2-u2ZZe9rXA4
zSl`{-k&9t)*UEMC>ZvrQ3$KN}nSf%S!2{G@pD~AUb9~C>9$+xMbe&!YJCo49OjEth
zrViAk^)hD!jF3~0(MB+Q_`=8+H7GF*Z~zrV=O~E@y3e2tQ2tE`%^w~JPh-l<+un4n
zKimd<(YnJ8;G3VCK~EXfu7->%RWoNAsfYl3h}Elt$+#EP7w#KmfMN8iCbMA?ORxuk
zi!y*`NF_@(W}L=04uA)`1dq9d>6)Xdz@I%sFFh~O>*lEC3}hlO#U3)Z^S`PQl+l@n
z>K2d%e)x>O;&*~96hs0`>RZ8J_&_)oCc?Vri3x}Pm$hmDoN=Pkmo4LOsD|AE!Tr_>
zoS#^;tlb3gwXB|sUEqA8BoKcP()<Lr&!+tXz}zetMMALoX?r-S8hG;3E42Ek0}_Ft
z%^Znc*!xrrxr}-Pu-1#0<jv-%xol1Vr|;bhdyWx`8Z#o>m^1Xqme8rad*K0)n(Hb&
z4JlcX1s-DzY>!NBsUGBU3xdF>K<lOHx_7`svZxwd+$O8Nfw5j4LGWlr6=9GAP|?}$
z)d~MLf1>Qx)l-Ze=O7a0?y{6253eW~Fhn0$ES56`odv@O4XeN-jX&OArNSvl2RA1!
zl^}Rm4`T>|ACLCYWmXjA^*h$fF}J_vCxh*PpfjCorF;O#zXhPnn{%YB?VbY2adDts
z?Cq6D^BrY@C1<?K4S-@;vo>sY#Q-jCD4U`{(Ry9^g!%3qn*R)14j<YP(Ww;!z)(qu
zP6brnx4eca6$D5^sw3d|B)Fgf<d4)(%u($mz{8fF-kdDwhAG_x{x5o~9l5oTGo?K<
z2h6sEdThcDMyMH6%d?V!!~w`CdvwEsW{j?e{}BLu_G3kI=^|(5{{D!CH1l2{{Of?*
z_LT+Ixiv57c2rCu`N-=AG-<QfJfBpGU=UJL`r11c<g>Mm^MK|}3HHa8?TYeO^-iZd
z%+zcOEE2@T9833_E0R73onkPbv9K^UqZT2h7WnOu`-l%vwmT*O$fc_af4^UVHtH;=
ziW0NdcJnl^RrUJwpqHSethGAr(Ia>5@oNpc{uqY^1Qx$Pd+i<R07CzLX~C{kni<%M
zR6(0u`zj596%$pr?QyBaY&xErQguE~zcv)RSJj{IkizoQ)6)+=YvQ&JaD`rbo-S89
zNjQfId2LzszYzdtLzUJye_`)*!H)SI0PATnz_bt33wBhUc{^_Z2i4!u#XYV}E;%J`
zc=@$Q_wA~(Hj^E?7Kip>>xX5L|1&g*1w@wr*kJDHe^I0Z?RcDRl6TSsW@f&!nt$&u
z!3g2fnpeT{OcKTJ|F6;7(A47p%@0;koC{ig{J^!maK+{D+PS}`)KAADNwLnj9!3U}
zd2>bjHJN2ab-1(uTk>{JAE*B>>d9bg?MS{bxnZC+z<*;2$zaTx#bjioLU0G|>ulv;
z%<Rz<j@sN0#iie0@w?gP6tjdu^xO;AMe1f)7cLnj;6p%Z*EsN2V6+MprR&cTq3|q|
zhU?+>8{6fl;W{ScH5a>Y`Z`svCUO2Q+m#U1r|^O<`@4ger<@=Vn&xDyqf3bk<%>@j
z1$Nk2*0?jZM_MUT>bpNwu9ijX;VUJcdIFRlhh79Sg6A48QT%E#m+vo}FUaQp)O(IG
zwD5T?{<39&Z%4nm<!$xG+N46~okkm(!m!4`50!wi_I9}fA2R|XY%-e<I769!V!C2$
zmprvH+iadEJJ0vYim0?B*@Ru=PFo;#2$$G7PIs470|8)y#2m(>g8Z2x2md9L^~peu
zo=}FU_btdz2FJ|o;Jb1>LGY)bKClhN4J^@kbPFq;v{c;RRqm@CCb@TAGIIp3$gEJP
z8l$)yh~l3wLXO6nFzPgQ3sE%Zwi_|4qt>TtZEB8=3tpX{&aJ;0p0VQF5%E}*y@}=Z
zs4lL52>wW$<LBR9G*PG})HG4`#pOZ=^5Bfj5+VY957~cO^-g5K$mX(diuOrUY0Exr
zxiWDWRHmtenJ(X?9`>j%>FNf|*N@2l)izFvxQDN<6DnAbl2Ga+74@|(!M=Kr&lc^x
zHuv6N7G*DW&+|mKpS!`z);`G3wq);w_Lq)skIl&UZB@csdk)t&<NLN;?ZVCgi4a@7
zXca;~9DIK3-=;|$BXpLW+~v%$!fBB+Mw$S0n&5Ie5gf7m)MCJ`n{-yEZ0%cLGU(!D
z=hC6xZNU#*4#rI9soU)Zr`OVD69e9#z;E)j>wp{!>#Gc=mxNnRQ{yBeNBIRI=(rOi
za=|LQ)13MxlJ#sVQ=HSHHZWm1CiHNv7HA$s1(QBC2mU(rsb(L|7cL4rZ)~d{7MWO$
zQ)*UrtVD1NUdH&~Ty0MPyJ~>s1BD<nY(F2UN#`ooCck<pu3h3}RcsLp90b{kWV!U?
zt^e=_CFc9(E13gn%F|nZUzjS>)C(JPlALf99r9gY+ToN*$V^cE7BzH;vRGfQ6W0dw
zXTR?~hJq?x+*29*PAK}Gni!>@gP=@}GS01T2g^rphnso}<&^4lG1M5F%Vrw*Wo+*X
zQ38<o8&qbnWrTJZVzffPqR4>+N}9XCExor-GyFk5GP6I^Iz6Wv1rE2f8;St5QP|h%
zAuOz#(>%?nZu|9U9GFzPf*+i=1<0<~H;CBKsj(R0wA(j*w}K)14il8OIJa@%3jfHF
zsepg_gTS9S&vQSy`5@2zVr{q4J^E@U{|{4&5W}Bdb)oo$h5Pa}TaY}Hm&rye3+7GA
zO>UTn9fT*Swe9<`**+Bi&VJaFbKfIUS2r4gpW;{PsvFnQB^Fj8%7iDWP&KJxQHlP;
z6;2ze{MML-%v$L})uOSWW$7m633FI2^sJd|mO<lzmC@-4dxN&h1FNa6z1U&5VFbCb
z*oE(s{V}&({@D60A1f5s)&BM7!&6vgNGLd{`L8x$x#Gi$$wQ^KG4xQ&q(B2*9tyKc
zsdUBs9+Y}6>2D6`=LgRTKuY}l`{eK(RKjoIA5I714RX+8lOx9djwB{p9QLvhwWfj?
zZWLf|%|7y<v2$-1-tDK~L0KLy{CK8us?}uc1FWx4q5Ah8b?*%=Z?LAh|JzSrWrgBB
z44yWroZx9;B!c<En{YuQX(k%w6Iz<ORt1Hl>vf0BWV5lO1CZCulMo&<FeH7=oIU}M
zaVXE7;aqz%o9bl0`>=K%-Q!oy1~Z4@!KZ^xm#UFnu=+8BQ#_L`PVVzz;WGwEfBzq9
zkltKWF{&QeM<@DIgkrv6{2MO}$Y7{U<)9iCb6qGCj)ZuC6Nhm^#b>TcN^faE`7eN1
z1qUEa%KfB43DDQ0c(BqwRKiFA*s5~?5{F{;2O(p%Jz4ni!)cI4vndQBrveGTgKXgU
z4)JDNiwVN$xg7ACxcb9y0?hvu>}HAmH<U1^h2l{@yj#2OXlnY~oQDX64RdDzI|xic
zkS$ZTZU~DvRdCs&N|b69+?VR)?5IT(DKZI}ugb1OjXCw?lFm-fj4PieYuf{<5MXtm
z1`;H{-s(8-6$Zka`P@(H6ZS-Og-_4@h#27wmdEpmxA=s|0~V`Mf`0>z)zdI=?fRIh
z!9o;jqC7mzGjlBr1T8A&mBbYAQjEGbDh}hilggN`mVfJAk;H^#E*rrRh5{ovuu@-L
zU-(ym?dHDl5*(N(>*-BExxC-%9P;ldB8F*Ok<&pNlVuNKYGl;S?0;AnJDp3fF=RyS
zjUtXdv-Re!HOh-5pDyQS2LwV}7Qqcd9EYW!$j`rJ|9Ja1Uigj-gn!XX@2(&KO%cJw
zfvP4D8lTjY;gJeKaoDJ9XUkOoA$i1>60Up4@<6soo~|>cf;fzJ6y)Ps?&QcW=VwE;
z1I`JKo@Jtc@xY&6LGi)cAK#daC9qi;NVs#Pup8C&c8Kqjkf`%&|M}`b6!<!=?vWo3
zAx|IGT}ipF3B}3a8uI-Vk;4+ls(Xnfd`*jXrF+SHg79+WX0ja`apZQAHJ#1426Bts
z=8V`sW?KVM7JHr5NXlhSy~y8`u`OJzYf%nH`ANoj5_8x83|Z!6C2@N|`q6en&C^!M
z(E5T(KdvzE&ARwRhqfI~-=*H}>n#$^LwJhr1$!IvccegV85EyD?A?=KcsgToX1BZ{
zG|Lj?iO!pKO_s-F|G-U~j2i_0@7$tcA~~#UPd2*FK_I0UlYvQY+Es?ZlomK+6`=mn
z7%HU&JElkblx^9{^#{+}kYr!M>TAPEDo{L8sH5B5t<w+(m|rjtqAon_;+;$y^%=_L
zsA<KV6t^e$W`Sd1-@$TKweb0U1w`pb=+7gYgGuT{k01QSbN2pX1lS5+wjnd9;*-}K
z0U5hK=yb)mB#)10oeQ2DU;>qR>CetG>#Z|$a2|()^L`2*J?YlNDA@iPS}-+nS+$kv
zS!87AZcVCowxj0=Yi&UoC(bp_tnZ!%Ff!=p3HAndZU{Q_ozong$QAF$2x$Ky?$<Hq
zK6LwOL(UlY{zLV9tGQ2os`qr?`96w-ED*sRpYu%#3Rt-H6DOGt>S(B1Ss1&nZ!5ax
zZ%`4#uKrw~TLyk~>2_m?(Gz2bpJIVRhZMj!u3W#BG*OO(Pu}6o`g^iF3+l5tQ@$f^
zIM2YD#dBA=W2F=YI=Evc>FMZlvi0_J{KfPqldn>p+~qj$Kg+hUsF!OW;@$Jsrz+Qu
z81Ad)IIQnC_q#u$^;>*0;dUY|32U+UR*$1?myChx@@VX7S#@JNQI}IX=8Tjoigc+;
zx<_6!s^X`XslU_q0{daVU|taC&f*0T@5y*Q1a2u`wo^Y5&D#+gXm-*;+?V&d%2=QG
zwUj}yc6!IGrfO(fns+FjT#)xr{>NY5I24;=ZKT8`5^wrEAWyd8=zb%-xHQqGBPbs7
zq<1GFLGZiJkzI3hr(BG7qpSAa2=SQBtk!$UOuv1VvddY6v{f;a$L2X^!6!fGAJ0bJ
zr_C7q3P<W%27tGi65_r^o9Yyx3$q$Ce)d2pfukg^e@^Xq9-9Qv!W<u;^q=Y?!tr{n
zVeV*}tzQptr@Gt1HTKQWYd`%%1^K60gGliEk&QZh9~P_Y7HYYRo2SmB9DUI5`I3{8
zBOTm(cziUfFXiPspu00oRO|~%{e2UXuU}K^hWaf3xz(ifzo*dDd7=E0<^pvO9}E|0
zYHE^&Dnd0_k!xp*v*)KyJF`BR5w#PRp*F}522e55><2ubw_*Sp1LQ!&U=wi_1B}zi
zH7a0-q5sV)(KgY7lIn?&;RE+=b^;jVq2Zrk_)<ms)G){0&{SQe3o*J&Mm2U`UUu5o
z+)VVO-C`2hMrSSUx&+=8<slq*a*({1OXA9m44ErST0Adg;}yyexK^0ib$*A2&iVLE
zGXGI9Ad3Y<pPU|tNHC&f>1L5L)grAJX?SYS>tHZHIde}>eS#ws=gW<jjNBe+;FRSX
zdG0^;JBHkJ@hQuuN21&}kMr2doRuC=3>3c4J>>{l1M6PCo9LFV#xlRdK`^Tviq){l
z60_PD?3}-On~ZcW5#vj2thPuJ_I0v*ijdZK1P?t?G;ED+ANF|9z@*1h8n+>RW~}K}
zmK9D=#7&1=)O?0j#P^A^YI3~WWg1h>1{{H2mIVHM%$B*KiBP?Qoj*p=lfE2hrE}lO
z(>{I4c6to*_p{*y-hP;xCl8{aefp|S4Hmc}&HpVx?f+x!Euf-mySH&$5d~>!r5mMl
z5F{iAM7k`byI}yO8<CPc^w3B*D5d1kor5qm3_}e4Klpo|_j#Y+xBlz<j%%@;SxY(R
zKKtI+wfBAPy~m&LOAeSGe2k7sRC~uiWBNf)x=fvns)ew;YZLNRF-IMIQ-puHuDl6k
zxrX;j-+h|PcT2KrWw8m_{^3bF$I3P;1ypZ8+GE`UU(Ks6j8CuU2eU0qmyRFAfh%Ru
zW0r0&A;CYO8gB+=CcfuJm=4`*m?>I<+~2~e2A^0SZ`<S_8NCpas<mDTHlN;u!zFx}
zql;)}-+bt1!GAAE$-inj_C`aRJ}Z-g_`y$N&XBe&ikJskuF@-w&5h%eI%w9&o48|?
zxaY_E1$&vy)Yc?uR(x&k`saE<h|ip8bKAq&)@;sMRu9>J>HBnPtX)Lgnp6B&J4Dm%
zgP+Vy@I%f7WjYDQti~-}cz!~Yql*mO!<JHlA4r*h!X`iUh?RaAi{iyxlsJABuwZ1n
z>UAbyeQb@@?{T^V34H$;!VJ~3PA&VvPFzhHh$M0;mR1)hrIXnkvLt=Cc=)y;ft$J(
zfe?udgDTl+Z<n>8mc~RhRbjf_in`E$aG`m-4Ha!@I6FxJ?5~Yvg2+&zno9BjaEZk>
zWQQV>>aab}SBQ|9<8XHHBX1(MAuSkTnS>Q92u3(MtPHV02#&>IJuHxDyblaCFKC4n
zEZ<hXTT{}iHN|V*e&I$(&Uy?c^V5x`0lh#)`(hn3j+-5JH@M$#9ZGNrK&9=~vRIQd
z%8}|Kqaymf#E(@<^IbpTwWEr~1K&^U!a@o)e1l56AmJQ_$n3kXsf-^~jngrQ{K`pY
z+s#o4M#LL!vXtCZ(+wQEIsgsE?Dk3Dd0hDn2L9Ho3MQzx{Hkd0EeqdU_({CBzc?z~
z;(uJ7>$PWr#D0~2evL1eR?x0<x&KCjk73ydG|m!v{O7U(ZmRa6>@H#7)pE`Bm#)oj
zv=xls%oOLin-lhA4xi?#4HEkhB@SuN<!`=zXr!@C`9S!?G+hJBsXP4|apR!|<1xBr
zx9`l(>Wh^YmLBWeA9nYaphd;L--nK)EB`Een+`f}6uY;3P`tRk9hp;oY1*TWR_voY
zRoWJ=9+dZOY~s@wHcRpsiu@q7=B^&gk}JHMSn?Uq)H42t5weq*fa<`=)h&$apyUc-
z&%8jQ^h#D1rEx!%M$GBb^i2zDU0G@I_tRXwcMbB*cl0|Lor48jmUZalvbC&)+n5uF
z5^<$phG=XG+SWZs2Y=62M-sj8od$_nSDNrb$QYw9P(dAr=Y`dsEPdduRxZ{cl|l%7
zVU$5E3_3^n6~kN}DY!Y%`F&30f}qtNXAh<AB_{?!xzh(46YEWb;dVq`f<$kQI_kxH
zkVMa(cDZJbi7Fzd%y_jD+u>zdWjrij@(RXogcP*}&DYu$P#9sO;ZMax-nWUZx>*#)
z<5jP?^`{M(@I+YV-Vj-;xgw~F^Q-GoZrVv<`lx!}-R~d&@ehytm>^M@>G=gov^@Ig
z;~d+*oe@6h9!8{qAWFKu;C6`3+I<@gAE=lN?Khd-?|uMiRrZ_o#TI}H<eNyMbi_~{
zRxCXb@)#1C;*TAc0_0Rykr?S<>@?gT0^M+8fJ6`RSRyemT0YTptzRz~!56sZU!y>}
zs}vMGmD$A;2{@UOXLlBnn<{DyHE4LtM|IgvIX-+jDV-}f(cC8A{RmRzlO@$Lpq_8(
zvFlY1b~`fSN5)`J5y&sA+C;<2%`svuT%xjFzXq2e=E&uKS9lw9L&;>_?7PtRb7MQr
zhLYYSBG5rQg5y<G39YC^?3>hy&`%%n6S$m$ph+(H<B`G!;ZxOeY*^UrP4?Aqi^c0~
z-hs$+w*s5+{h4Npk`BA`GWNooT>Ig36*iyh`C;{well$%zd-n<f02Jn!c1^nJIqrh
zVIibm%(Y}<j1*a(KLf8VbPs`w!LbZ~bE0Gd;OsNjZ)<OFFQ4eagYWzhR>+S)&J#&-
z&7339BEi9s?f!KqJ!3QQ*`2B@=}?Y?;C^P(lVOV4Wy7K8K&>sH)8(nKGSugp+9z`F
z&~4X}f?}3NqNo-D+~49AFK_d_*0{jgKaKjaw=;8+R2^+Ow}{$zsnfen<u8mG%jI!2
z<kyvTpwz>?9%!0L@u{6yc=H>3VJ(p*Vpc+k9fF?D803ERGB!P`L>{JKqm61~CVikG
zMP@fBAu-fbV^-;rmiXmsj4tWpaB=Tbd2fbS55hSCY|Q84LSXFygQtehYukG^Dt-@M
z4z-)qaGK+=uMW2*IA|6G-%(Dit}DUS)I(jEr0BrtO3bwIH}eIG4yWIe0{zj1^)Vgg
z8Pnfx<WX#(NAP*Z*Vl2Jf8`vc1QfW#niRg|l@YP`Aj{XlMNQM)ug(5vP1#1*s%Br3
zk-bBf)3&3w^<i`(IEOkU>Chm=lqQlF8jMJO*#;7lpR|MkDq<Xbppy!G&zyKah;cUb
zBZ_7Lr~7(qK`bcqdskSeT5V0Dt5s#r`+~HcPfvCo_PbMk!WoIdfFs`L=nHP&eebUb
z8rN{9(-PQh{uSeBEnhHHhiX_DjRTe!6bpm{HElu>idh}#;*5KDT}w!7dw5L{bG7OW
zCAu_AL_o(`%+g)vZLwc}*<-L~se*pd=Un3nTb+eWroL#J+6cmA?cE_TCCj~ERzS<=
zSmlqErq{1`=h(0!1zyB=rQK|m<5b=Eyse}~k7bFZaBD*j6$)5<-jCtEfi>{A_z&(s
zUNUvktG1po?v5WrqtRe*UGR^3F!a%J`CZCcQewku{)V%W(H+uI&q>g}bom;@kH34S
zmh(4=H%biUFId?kt;f=KmOj1Kt0V+mZMtiya-43d6`QoTqjm;9NA!vJgH243>W(=#
zFOI)e=S%aH5w<hy-pp72=>>Tw#_nLKxwC`E+c<qU2zultd?e&36fMXsbti8X>2RbV
zkv&@F$0)>4kTSwJWEOSXVD-SYjrri+?a}X=&?aiW)?%9OKnZuW8K+RM?+DdDo<EB!
z82Vd`AH9k~X*GL!R@G&LVTMlaF;P^N2jMYCnciyo{A4f858~Zh|H-=g0ie5r87n|N
zhH!%f)qza04ekfwMWo2BU{(?=9qYl>1>qTVV%O`iO5!=8h_Kt~i1Fd)vug6}K6LuN
zbUT%GjF15dO#?=bRx^W%3LQW}36^n`5A$t+Rq1}bDI|Ctu-K_s;%KV?>vFsM;W_J{
zb@*tc6@Xne(aR-B_BQLbk`jEY-*<!!c9^33GBb87v-$~7UeNCrmpE=TYrTxRQ7C(u
zRtP;(K9E~>XBos`egoJ6t(f}zh1;~=i{En4dIokDJ9ET0-*fhm3skOxF5j&yaX&}1
zT7w(nv3D*RZi&Yk-4^TKKR*%?sR&EthaW}$i^>}#%MBadUwD{X!01loK~HZ69=B$c
zB9DpguFW={*a9-{ty3+cw+<5`1F92G8s4HHB`f!BxL4B=xQQoX8c2x4UO;to(21C(
z!{w5i^m^t{fe`UjH8o0}-IxAHNSZAJ1bw+!bJmlJ#e+cV`L7K7-HN4*7wjw$Ml05%
z0fpx(@;aSbqPnl#UH$XRHa0?I*&)>dHd=ZneRk^fW5qL{)p^$6?|-LD!;%V}vg<(5
z!Ns-a7I3aiw=uBDcrF-gx$9gl4Ynkonu@3J{7_8rCgF3;<TpEJJz(6-{0Wmaf?c`k
z$*3T#Nd5huN+pRbCMp<l2szfhMcF(-LO=SVk>iy0^ekIok%=pTf6VGY?9fHxa$})`
zSrN_C#Uaxu^Fw9X^~(j4|Ep3si<B7>bx^ptzK(lS0sNj7>9C)rm}Z{|;J2Bm1!H^0
z+CiVv;JldLk7^HWN7drSBjV^Fyb1(Bo*dL~>xBU|VI>cPxyFm%3J<9ALJ@aVi`q~C
zV8#@ms~q^4H1@%#{Edy;<d9HA^J!%*6`41>-~|ki`Y9sgWkwup-YU3AGA5}aDOTs1
zQT*#ZBTP5+6h$@Hn!<L2p~CWGBUc;NA4t6@A_H0~bl4Zh8PblVS`TC|0!f|{5vup1
zd$s0P?j6B9&>oLuZ%k9k#0a>-Pw0sNFt|*jXd}!*@SCzP?o@8A`)HVwT;zR5hkGsL
zLs%Fzlew^UbHw~KRh*qHLQ~!lsfZIW27Q=EcgQ+==}V&jstA5jL;@65v@s8+f+X0~
zsrwSuWMC>5-bEMXH`C8`V#kjT&TaA+HXG?2TBl&@t$KDq`~t-4zRe$#(pSB2vnd4(
z?g%WrK3?lpyV6BecrW70ibDY*Fj6$aiCv0U%sA#aT?wZ=%D)#HsG$$@NlxxIf3S;q
zyLEB8bX`Wc&15pYXRs^Prk~W)SYrZY#>M(*9Ih!ZO*AR5CWShJS;@JSy<5yn(<+h2
z)1RXBj<s$Og8M{?4|?xjgqj{Sx#x>yXlRe<B}>3VAMILD+pQDK1x)>nAun!~?FGc=
zs1sE?)G|48KGp|k$q2dzyp`Nar$?1cebdR=qkckd9QhKKp=TpKtir$5BygvGbKGs%
zr4@w)yDq}Da%a5gGF|eNKRqrLdR}<tI672NWFlYkHza)DhJVvvQn;WNcQlL&^Des{
zTAKQ=ZR>(0x^EqY{Y?RUzss=?S7NxQph1fpsQR--k~R~pLgNcTguo>j_uLL?+E6p1
zGVOOfTRiFZ+=$Yl1~5Z^Y{U7ZJvT`*pgAT8%GUsXc3eBXSpx-KV7VjOO%vBMXB~;@
z59Xa3ia2g(st@d_v5F7~g5DpSzoUAe2pE*t5Z@t%w<b2S$|;?_V`qbasf#X1>2G*z
zaM9#FDQ<lYOf$m!Z8b^woAh;#Hf9<;637Q*V}s9z^+AAU9ag_?T8;#aJz@cGT<H8v
zZ;EC52MzMkr%pA%1&1bTQ5)7(@T}(NLUTC}8E(~^wjLwELPJ%R<*LqXGME-24TA1~
z9N5-`Alu|a>`9JniHiV~O6a|&nfe0~nIH6|K$^ys<WmK`#Ak&Vz{W-0_?k~rDcWO`
zZApystNR6)%RcYu>lurCg#Qg7NTOiG7fmo`AiYN;AlLb;3b<di_HN<9nzoRsllG!|
z8yrS*h|{$Q*`6DF4!G<GRLk6~wn352Ha*_L1dtv#(A~GO+9DFSAvkV(3)G!7<oZL(
z9UdG@BlJdgoX4WxT`d(I^Xs^B*l#Mx0I8Oa4}zvKLq37{uwDe2v5rkpx8GU><x(VR
zYWe!#$FbrM^N7(nGk2Dlep=0To!88`hqE_$%8_i$dW>7M&&K<ew}lk_vd|5J2Acia
z`9)neGA2PtAIk-~ICyK3ZD|*f&*O%Y40V#VySbBEGNajG60S^&B#M`@^0^u-Nq>9D
zD{fWYq;As6^DJd6Lj}$I{g0tjpm8V~CJ9(uIo|}!76d*6Nm7kd21e41$m1|+W1aR*
zvOnwDErn5xS}3%?ZpK9$NAK=1jclY|P`g~|h*A<FfQ}}FXSF|6%Ma?ZK;*TI^ghKn
zv^`r;)qu}&zQK8TI^&}lPD}ahKd#g-<~a;<^gCM7AkGX)RN(m%7AIRyddA>?)HA22
zIrAyittvZ9(M~l?j5Huz&-5{b{o$D(wxJ*tAqq}GVh7_50wm_WbA%d9c1!r1m)>+;
zk)1`WBO0ely536dlJc?0!|;;7t>mG8i)x3jfRql+MlCP#Nr)-2M5;S@q4j#|Zr;U-
zOM5%Kzx)utV=;$TympZDiiDqOlgsjk8@XJ`*x2mK+hlABzDM_Hk{~WsDq&(Th@1xE
z5?)BEz0C|jtkJVN-EcX>oBQQgjmHp4FfQrP3Uu-4<wrCQ-|A8?gMZHC{ZNv6xHxIx
zfwv&GG#SSP8F1D<h$N#VZzS5D@|tz3D9z+9P94^7hzZ?Z?Gd)V^RXou8B~^cF`v-D
z3+AMY2!Ly&<!y3_bq7?q4q)mpy~CKh$P5HO?`oQU<j^P6K=!5`^k8l$*-j?s)IImj
zUM}O3i<<q9@eE65IEGA?r48e{k^3Q8PtyKL$p-Nv%Z<w8&iK)_!`Ttd%@Sq6!wf9P
zeHNA_dbx0eJBK<lqeP-wa#2gSXmLFQ`a;GXo_Ni@DaRJRMu9$iIiMP30pM=X+Mt|W
zrl6cP-%`i-+)_bI6IVO5R@Ln5J%+p+3urIK3HRS0CIqeoBVGqV!?T-`<a+cbv)mBo
zCq%Pg#?5%X2Ok|Y_`3>;R9_K&ow#pjGs6bM7#)n=-(FC-`Z7H`W$>i8`G+P3(oWp8
zr*K;-j}9#io;a4L@cRmqwks#nf~dGtNeAgQGtj54XZ<|dL7^|cq}q#5Q2c9YrwZgx
zBSZoUjFB=hq;Na)|1|vYdw>LE&|v0NTb+(J6LQz}#?+mtFDKH^Cl&O!iRxSM7}s%Z
zg~B9ATb#G>XQJvDg&7&lY^Ix9%YMWCv5uPFv)(UYq>?buxneXQx0%fLUIWu)PH4BI
zL_%OJ2BeX^ibOy>Vg>1Nfq)Cx%&n70&6B69(m_6PLB{;VW3b7nQnTMa#s;!V8)C2)
zvQ{R(ZQXEEuv@B<V;R523sc@U#)WZJb&&M1fTMC*KX5&MO7fGR9V#T|q|bYDV3NDd
z^eVfZ^>Ic>N0qZEHyfMm9tLEXX=yMdFEgr)tsI*a6f14_NF$(CXQN0hy3e+?z1>Bl
z^tZ*&FeASrQlxriLHiPa(=!fkbHiUmlF;(&9UPAL0uamMV9tyMg7YJ=6#V(ua(%uV
zgg6INT8DeP`Myq&+79M#w`Mxh7-+8weWuzQC_yJUK6&l}obVmidfM0`Q)^!No`b;<
zKg$-;kKVF+1hO7vk(^uQX*=#eI2#wNnn;g(zz|jo^T$t4DF9k3?~U$EMXixUt&l{`
z6VPm5MU&Iu9|pI<&7E+kEBa0N2myyNtRt;>_Ec`Cft<?V462R5!631^plOTf6rG2k
zD6sB(=TTgX6uYiat(=2?MY7B@hn;?5A+E&Ax8XfyLLMxQJayyMNe2{yZ#uz%ZD(zV
z;_1u#Kji6{Cs9**+ya){8`D}w+hN{P=#fb)`pM909yEz!B3ctPA#mS(9mBS175~e9
z(V=kAd0;@W7l$n8sD-Y&>5;rfec6ZUBZ<y=(9dLtXZeB<y>-}o3geBeUM5Nk6avD;
zz=ty(JhV<)AY?%q<A_cG9a^^*hD)3S;zA{|Oxfu9ZrFJ{m!SqKj?QZ{5t9O*F@o6?
zlNz`EQ!n?(0rk4b)M=~V3_*w}j6odM(vapM9=g-}TK=_i?C+6BV0Hm5|3WzJpO`qA
z6ev2DP^&IJ><D*)!C;TT*Jna*HkvUv|HdJU*Q)(T@wew2ns{i}b~xR_Gk5tFUYsol
zt+Xx3yMr9oUbDv#8Sl6ePtqy=hDLDEjEA}dFji~<^0ks|Y6<E(@pf*e31;_tm-k<^
z-e(X3G^(jn$nSMeIQN2UP`k=+-jUUM2|MeSY{U1dcq@N?Wu1{zcE%5OydUy$KMTx|
zUgkqULu+UL&))nzd4q#_6kDiOVklprCk7sv24RVjhqO2YZK$p9Sc9u}qNneoGeMG5
z1MUoH;XXVF;ZcX>xXfVtyMVURbk}p4Ous&g8_A2A<{n@*OWGsa37xr$&YOn2WHCWL
z6^&R;zXd*Tlhq#32rd@b@k+z`bQa5bgzRNhYb;cSnz-<%W&dLRsxXi)oO_4=&2Kp^
zoI;b~a5xwE+DV`Hr(ZI(56A;*JcZ$DR8CFG`O{9XfvL;`Di&p!$O6RsMA-#6-1_cG
zI>Fz-`TZ?`D*3%722&a;cK^-yNRtR~FPLK3&XqQE3WZd^?$ZTqnEJMO-;9nenjC-|
zK-hCbN{g(yKlX9dcP0q^*Z*Fyi)PusqmqMQM4i*RIdW)j4k)q?CIsHHe@Z#wAOK1e
zv3tP^(+?9K)Ott==!8No&OoDz;)39YBYB(W#}h0$cqqQyP;lS8)wVg@W};MP<H*wn
zXMoK3v@qA!947I}wV|*w#ogChG$q}9UO!m4`v}6%0+Ra6K8a<!)nvLu$x(^8ULTJx
z`2Rj0ZKg%*fYCTNw~bXeltncJN{1v`BS5lYrrpE@36tFKoPqRhFI-{rVR|iM^Y&0_
zrxffiiW?;Yre>S77Od3dTc-*Yo0+J4?kKBFTtg?+FbmnasQTC!i+(hBs#h~w9`bZ(
z8#cDMrIIq|-PK^jjPO6%5VbpqTtAx@kSm!bY!tZ+v0@ZplWit9(y)au&#}X|w*@b5
zH5|y28QuqPlt0DfeD=$3*sy-;5x0lS0p*z6tet)?$HcDHP-vYDL4~)Z^-De$!h+ls
zx)*B1@|Hj48(!tmPkoWG$YlIN$M^-w6_vcuV_VY;X`QI%b?D<TIq(!}HPEASEg*u+
z-n~&9GE{-^z(c)YV&rFkttPSP>-*!L<+apWH*`Cu!3ccd{}~^A#nrS0#a=N_>H=#q
zXkliA=6~txM@2$Tal}c`Ya#Thl|OkjA;!TWOkCugquaEQB|!^4iMoTWK+znD3zT5<
z5kKYeDZf7=5^}VSoOCMI#wS}#hw*<d!1Bf-40#e=+8pe$8?Snsz3hIQBA)mowCZn9
z)o}qp{}8<V$Jbfz9&DcbZWjL*c?#3k9Zj%$|H^lpZCt2Wu<I>+uH&nVmwLs^3ttfn
zs|&Y>PrRML1Hd9NMi^Vn4y%OV>_kLjZETTtc4q+OsDhC$u{P@|RV1;w!s7Is9L&3e
zsKv9c<=)+n-b3%>as*d{@n*T*8FkZeP#gsZY}o=lG8`GZ3vii@Y<_Y4iK^*5lfA%}
zHkAr;g*T0g+E=*Lc$jOhFE2kw*S?0u-FSQa%u*C~e4{8{8AdqiFqJKU3<YoS<J_##
z#pc)mVqQ{O!XWul-w0mwk0oQ(Q$bWM<bVxQU*7Zty8PYYU0@eirf|AK4I37+d<Pc@
zP_=yg$o6Q>pq2Ti8eJd)dA#4UR(a^PYxGLotZ1uV;!G!}RNgmB%1snz@4xiAiK6G_
ziKQ|uM?t0ZnRm94iP%%yrCv?2^qr&6l|FRgx0I0NNc1lvph%;-A+CZ664@jkuuTTu
zkQcM}dA!kcDc{=!XO4E4(n9e17|05%8t6^694VTyhEG8VAd&}zrA^O@*+$2<Ngzvb
zAM<R+#4iC5qJXqvh{H&IAXJVWR&3B+V%RNE&C?q`yj!Pj1a{Y7j9qrda`d;sE7k<`
z&?a58N)w!M%coL6pR2v;Zqbk6gKn)nPnvC7;G27Rvg!PnP<?wzYarc^56!y53Oiof
zk%zt+Brv5-J{?>@q0cT&VSA1HeC-Jvg_!n=Tqx#JrwLwSmM$<FA=@<X*AIvQTfLeW
znQ@iRA~wG&kB<Gel&7?I@q-?vh@!KNiTn|&u%|3NCr83Y3^7F;sn|m6SvH$l4$zlR
z?oa0vLnzmYb#$<W#dnvOz|Jdn3G7_z*n7+7#1J#2Itnj^TrGu0ErlXcOjt;M0rO>4
zh-^NbVBn#A=?<#~)NO<_ssI(nw=QgqUx8oH<bXV_o)bGPT14SV_~KsbZsrdYPTKnP
zTvY|82N5Ly*>WpP5Wsq>+51AmYZK7Hg0GTB5)1pajqTwRd~VrmnKB8N&_m~RcTR4e
zx|QtYRX|NRx+hJZnFF&yv#tI-#z#n~j?=oPv4h75rvY)Im30m!<tuHXkyvdfe}4o|
z5|$wy#`(2q(%<oC&GM$5^3Siw8@b1O-`2`z8y<uu9aRV?3dpE4-315+z6Za=W?5D9
z?RB=mhavBn14a-j8(s%R#U_)Y*#~at<KKTT*koL)y}xfSg4^<_jSM(WYCa(w=EpXq
z1B_=vtIQ$)c`+44K*icYd;HYFgr$HI%!dlX`Z9+yNy=CT2S|O@$w-PEiJi#=c$PeM
zDpcV+wU6$5_PN)PyZq{6yuO-onnwjuTo(+n7{e6kO@I}bmQz+QC!N_}C7vEsO&Obr
ziCWt_8jhsY)A=L7cFTFblW%njK9}y0JMgtLL6&wVbe#&6V1~(0#l6>BT%gVpE@kTz
z2P$`g&FAVw0?m`um%1eI`hKbPy}S-aseuyJtqSeJlVlZUuqP5Dtm|d?{i>a~Nt1v{
zlL1arsao@fvJ?rIK&TWqag>y@t}Eq8`2qQ;i0>!I;Mo#2>~xKeZl*@HB~l&la=)>2
zz~U%g3I4pVD6U>U6U}Qt#5)W@7!8;kJT@u&7V~RLZy~zB4V41^>_=6w!#?Probig!
ziO#f6qFBuVGA8P);misnME@hUyz;lnj5`nkR*{h7+=2I#Ce>3<(Kw<la3y`i!_plc
z`%oDZp5~Ze?QF`mj$3#@{T#}EM28i&rZ2hq^7Z5bCfI)sbb!a<gLTsoLEgbO_%9~N
znCYP7ELp9P_*_Bax|$kxSRG4cP@$KRp~xXb<R(XF6KbrDCEn6@>JHwBK&VPBB1MW#
zjf6bVw@o}^cZ8pq47nefL8TXi`_(s>|58@k{_Rl2NkIF~oHlzx2Wt^;f%_cvyAKw6
z)|oEzq&l>fN!8ko?c_D6`sI1LFCCB%zSvYZ#<+hGb{nxOu8lRb%vrPOoMa34%eR{K
z+I$Oq_*4nqpVnyo5)SnkVid5SybBz-_A$L@h3UGILV}}+?i1JzufUFA7mBE3!;P9f
zsoNHSNeAC^+3L}s(VEz>w|{ipSN>T`4<g_;9##M99{6O>1Mwcid<Y@l`>SwT*lB0P
zK`k|ehyyn1R}l*Z2hW}aLS<O=to@-9{s`8BpV7a#a8{@9;sOi$GV6QzYvI>Ld<h|_
zGXn3b4aN9I1qWq?h3Ip44vPgFD6G$wPOk1&q$Ak=qWqnHrhR~8j99Rs0-ql^((8Z3
z&L98YI2)xqM_uP<C%`GZWLr;HHzT|H4v+@+ExAC(4?{|tPZlD)5^{?~qTOmeC;h|t
zyCzL4wBeCkL=ci6O7e!T1vv+1cF?Z|4yikZqGENgDHE#kdJ}K&GnoTy1<Zy9ILqdr
z^hba^>>#7rY(?5M+RVZLBfO5{&RzC$eUn?{u@hU|UFhkIx3^m4?rj->bxnb$9ms<v
z-wOZ7%N0P^dSB2Rod=eHueWbUzB76f&a>yX?i;z1m&UdlWU^Tr77NwM$VgD^+QeMk
z2P%v79Dl%}9J!kiisR&pnv%q1tuV!Rp$7wQ>pRIZi#u-Z*R*m2F_n)r5SH!nkBy=E
zD_>gR;3;qBf$-+N{d_XRW+D3ulds@-z8PODgLt|7eIOVMJRCalCvQ%}p#Q}lK(G5Z
zW$<8!(WD0><Y?S}Z#VCbc&fmOTrOX>3#hLZADeT7dNDVbkreQ4N_BL=ISED~;R~)=
zs_L>5+ac%se@KI}L?zU0VKZw&X47GMK5YQ%UB?iUH1N`wohuNt|GKGb5(PqDZCi$V
z(=u;rQrXGu2Cc-X;6X=r>6p7*!~vcQwAXxQ8phJs!i>|l_v!02q!J>zZVXCa52o=}
zEU_6NN`PYhzjsa}Kf1F872mv@5R9M~deQn{bRla8BslaOFbb(s|Bv673ibx9iKW4Z
zXfBgnz{uL2>3Z!aGDl^mBW`k=pwug*1r2o;6vItHNE>bS7tugGi)%4SD5_JAozA0E
zhEcSjy;9I^-($hqM~!Kz09ux`wbS4BEhMH!94)^v#2g4UOu&jAA3SWjtQfp<<!?^&
zdb_CZto-bx8C`PGg!oWC(8k=t{42oe;BUTQW*f}{++Dg=2_>RDR(k03@}x&&sC&J>
zl{wFPCL<j&cpMJ0o9QmioZ19y%b@+r_g3KoD`mk5d-|99IXmQCV?H|O0EtnR)WT2?
z<L&+B=;zTk_f;y4niMuMt`}Ip5sTl_*W>knv%tQz>9agmhTU~hfeor}hbB`c9{)`o
z{@V)dk?I9W6DV6D8t+rP!n&J;TwJ#?{C9ySB}N@1b<N?f1&6~vy_-h50&3WM?PR_!
z4FG_Vk(%h*+F>oJ<199s!vn%WmLqbOF73qM(PH9TRL41tqYS%MzL5yE$tiU3?+eRS
ziOf~GubfJioVDX7*_h^h>;E7Mjz3T_;{A}q<Gx_boEK)gIsy<qy~p*xF=?_5mHs^N
zo-BR+B4+-F?;YTo3vBSthumkI<$aUPGCv)Kb?Q?jKxP(u08(<DlY1{VhbRX;YE*Mz
z0NAsw>w~U2U^&9+k5Gt?XM)tW*b5nD9^~2GLKqA*h!?Lu)Bvb802)n$(Ihe-J6=FQ
zZYakz#2*o4Iv=C)hX*j1w%fyHhyTq3+LrQK=cK_lf#CHIeh#-W&up0SBprf<+zM&n
ztu930HLfd7Ft=32?kO$|MYGkmUDN3N2l7GlG+S{PZSAdjE@JZJGgl{|DaZ<&W%)zM
zPT7j;W?l%6wjaBH@keMhO^3zBEooFMmTuJi7;w|5riT0+hRcn-(y%Hm)cB>14HHfT
zb=+MG(F`%ch#ziK7&sT~@Vy`|u$e*(nF`Edvh=DH_4(hfHgD&MF9}<rU9=Ga)pZIL
zg-GH7Jb9j@u)!Q1(DRVurt9+?PV@nw#io;myhvx_YzSWim)SyZv)p-8GuEoUQ7xtg
zUa{%S+X#*j1~tiS?6BGem1Sn7zSO*lEqTwewtJNbj8=uN)~^H(4#wRB?YK#1f9UQ+
zFf<?l!e6|TV7GaQ*n@35;#&alIz(7L^ZyU*gHTm5Kl;9EJ_0&U4k1DA)<yawzUXm?
zL?2~Kb7`8f0U+S-s{dF5D=k&F@z(!={H|MiPV9jQ%jkUOqB?`<R=BDeg>Osy>XG4y
zex$i5EP`ti<@+>V+m>lJLVA|8`&%&djmJold?NO}3#{ySr<49blkEW#zt8Yh3+j8a
z^7;~7oFJT83R;=;{C``lHa0658Z8el<_?YmcA8Vi2$Q9A;yBP_EQSg)_P1XwUQl;S
zzk|wmhVZven!IS8gd2g7-wunanqeaX!tWmw@exkK4K~KO4$MfkPhKGm_&Fx96@mtD
z>EU2qL?p^mDy{`Ca~Ej)6&w&GWW3)1Yr4pG@Z@&ZcTe}7G}%sg+8aZkyN}Kyfn@$^
zAoAZv`T-lWjm`QK*x&%o$9qGUs46;XB4lK;!26>GuKYsph}cNC$s7C1uWU)Qm070i
zrcoOSVmUD>p+i<kZ-DFQwn-R>^i&X!R}Q?^eE{dlpmE8deze=qO^s?ZULcAYgpM|L
zgZTe9u+QFc``rm2rv_xB&E^IN2^%x2AAn)kl8XFD^dzW}k$6>?bLvwy@PCDS42|_D
zHI2cy@E*Ou552zbM3o4fa#8)<+YXh_iq{aYV5@{lg32V@4U5rM^-H|vUgtjMTY+Q&
zlXbV34vuJ1Cvv3Jf8hScf8ZX1Sa7g?4~e%qE$#OXpAY=Ql!Y!U`z|+rDu5NUo&VTr
z`J;__;~wzaH&Q~)a1NYZ=+1^5A(0cah%_#QbrF*E>c6xG4sn1a2`?ZO#Q)fEN=Rv1
z)rskf!yvNB+}`jhS2*XS9IB|*fi%1oMS`oJPSZE$^Gdv&#3&#}JP)Lys@NDNh{G^Q
zu3#nZ3;Ut;avlM!u%=1z@lhwY;rV3T4in#}jYeP5>ifUtEv9)zl&7N*n0&pEn2Qr;
z>}?6lKR5gzrtc2gDB|ZtzFuJKCveN-03p;1(Wx%7y?-YTS|;It@&;WiVEA^9h+I7j
zcbP4)oaL~Y-ebZLLpuK=0sZx@=Z^9$f*IMjw6b<|@RtjISdKJPLln76S7J(z!caLI
zO^auXKaV?RYxs_Jw|@=HE^OuL6eT6$x9eaTK7EBeh@OIvGMhG9BBT3Lr>>@KI-Fb>
zZN=<nEz_!W=FVZO-(ju(gyww~e^&j<x9V0D*qsEP^9npRDE&zTZoq#f63}J>d*tam
z2~Ygq;$Ho9B0(+e5B4+-QZc-$0-F_cK01yH9UI#co^E#CZ*bC!-yX*olXf}m#1)MI
zro1*dY>`B;;my2oPz_47E{U3!imWpzUA(d*G<`bSBsSh=G80qFJ7$&CY`opT>9K4*
z>pPCFC2$<({GABJMj*mMQh!kGUi`Qs^hP-M9&xmtJ*LmrQIRCBf*DeMd}}F5TlW6z
z*J}@Nodgo+u45yYP47kp#rRfwHpF>7DB^ti>afa1MSv&r#^j4C_3$40j{z(e$M;^@
zvgW$U{}NW;c->X>?2(rmCBK!#W4ro+Hn9-d0Tv3GOw)>HfxrJs9G;=Z_xA@OD6B5K
ztgK8Wl_&PiM49pTV8nnZM2=v2k9oO`d3h8%FVM?4b;vz?H}z!tM(T+eZ0-9*x3&u`
zwa%HcW)*{7N|NI?lz=Tv{=jJAC)by4_bfGn|A{)8bE;7DSzE2u&%SHS5J6huMsn9)
z=ADYE=ggo@eOj(Y=;}{DE&b;CR#MN~%fj1QaoaC@oz!}!`t|zkk=|k7b%bZ%M8oZd
zMF-}=2<U?e5r^8E4BURBRu3dmQ*E^U_3YmUIZ8&Q##8CyCo10uayW16iGIKhns__%
z){>ysbs~<sKB8r0d)DLa=COFE+5N8}pV+E5h00(fcw*Lf!Z~i{U(J}`c}tf9dW9<Y
z&8-=ah}M~J4u_>n?A6zCs|S?A!)~-&mSd(oj>)d7!R$FlC(4F<aw4|eh?uzj)6V4;
zDH7qCy^Oa5NUte>kE}Z(Wi!LhD^`06KQn&DKA)T6PG?IK<9Ao8y}Y7~cEWEKC-lq*
zlSj$qI%F>Yu3PDfhsiO?l3M`U3&U_Uc)(|sINqq7l*pHu&6H;sni23YJXkaQDOfAb
z&n0OW>Jy?SKo+C??8f`o+Q!sXS8sh7SG$q)HT59*AlYlhXuyzHP%Nd77uS>gx1;^i
zDN=qG<u!*|qJG_%42*fg4Ox@N8|N`K>km3^Sqo|F!4C8M>kk<j^na=8G35NF74{;>
zkDI#yGyGV$|0K|Zu675L1N|v4U?O@mkc07eN-)A1&t=jv`9oa^r24nLdn7{70Zu`S
z#3vtl;rXSbqi|+O_DIpYy#hP5u-GVsZ&JXuxzam}99jNzWNj33$GlFz$lA(tCymVB
zhE_!>R9?v!E9Urv6@qv_oxfr`ZT@Z6+%ymy1Lno*ZoU;S*S`)ym?V-07Nn=9b3p7e
z9J^AEZ=!nVa%12sZpNWor2>|ad%dgcG2L3BO_;e)<&(!MR3$bWyAG7Vh6pDdIw;i+
zbW4|V(;X%+;#ck@k&V_-_9EV@JKl6X#qe>gK5KX!lgB18=_OS%;D(O9|FXoFY-~*S
z+$j(FvsoVpcV(ZhJ_Dh$nQ-Hld{?WS%p3QsyR$3zDd(hSpEkef0pl9)i$Km(R`4{Z
z1!3{GU{tCE9PGrL1y_glCGz72raeEBOvHwGN$DLE0N<Tm3J0F9I07#ETjgbs>oc0F
z%C%DP#0Y^Z4}1~uI}Jj>(}lCR&7{#Yx7g##7DiU)taLamlXbPUb1Z_vAhh<YGo=1W
zNlteEpxXGjTK~A=74*c%ez;S{2&WXFg2quX;vSAMVF`t@K>3G<c5W`2C^IreRf&-R
z5f7K*te78AtN$#pD9n9T=yq`h@9y&MhZhtT3E^Ro(4Jh82;!NF5U8};h@p<~k_SXQ
zvR>q2v}1jiBy}Ji61rD+KT!JPQ539{xi~lMkxzhw(acBH<pe(tr@MoGFKb_;tFAwl
zZ+aG@ww6w!R#^W2NX4l)MGZY}I#5Q<mgV~Nh{^m~##;JuT!758GV4g8Y_9s<6w_A3
zd!Dwo9Jcfz?l(tMYIm%Wj!vw8JmIt7(41dhVvKPF$RrxZZ%VXpl{^yB!kByl&v+zC
z2>v?8z-c50A6rLPw@b5{A?<uP6Yvq?;+wopaNOe%0HI9dEbp@5?d5k7aewdhofSfR
z@Cfa8QLsf&QAfT0kfstZ1WQ$#He!YNTv5kqRh9iaKDj2wjf3By%>)GBLUX(FO=oqJ
zsO<7@rJi(XvtCdv1!|n?EA3Jrb3+zH?YO=oZ!Y#lpqOluC{m9H^tKe6k2lQ;;$ENo
zaIV$VHpt_pLZTP!Dyua&qzGT>_GQRzfhVroR1-J-N@h@{cds)m-ju1d|4rFliYQ^*
zCplYnGuV}%R@Xt8c-2jx3Gq~x-G~xMNJx1J+X|&@GJnNpHzX%F^20`=_R5UiQcXjm
zmv$YURAmSWHG83fx2h+Jx*OBgX7n)EFS|N!&u>p<;~?U$1O1@YA}a+YzAXM!F>Ehb
zo^8Ue_zfC1v4w138t#AZ`(Olfs_V7EA+VeA-56xFlA*Ud17x56{=ro<*Q8BHz=@n_
z%VEA-;!w1H2I5%L1}~V}^o@9o3WL@lmYY0Yz~ZW%jJTcvP40^rb{%GJlOLWm(B5Ax
z1^m?$ihA|Ry#h7RAgJn<!&L=X2-qUp)9@FU4i$}m{r#(GVR|w@YGUO(CV3@Ns-0|K
z-mg8%%2C?eqo8lKd?9@EX}=jEU^>GZ%LoYwn9bY#?6Zw9%r9v=?g-SA5U#yYrK3x4
zhFMn{UNH{k{MaK0+f88nY85QBN*N02c=AeT(3@XAyD)<zC`sYd)nV5c8|SUG+!(ea
zQjQ6xpMuuG`$E)B>Tw6&aSv^|^+&a6)LfVLdtYAZ#hF-bsz9cg>WFwh6;$<J<jC_A
z+S8VL{VMJ=9shySwX)+z=>Ck8x8+JexJ^1?Mzd>Qxz^4)Zgm&oxxkgV0r3292Sf4q
zA$>m~AUZHl8Vv2jGRTU|xsw39@C=$pbN2P}?scASa~_3leeS$`^XkL!^pVXPY{iWK
zzI4IV2_0l$ttz*e|J>bLU$<`+JhQe8LS!Z7WXM`1j96Q5a+z&%S#LQqL6W9*XGZl>
zcp>Rx<qC0ra$TTkhob5A8@m*t7BWM_k`g+;gTVHwk0;QKitkqD&MW)#34nhmYk$TN
z10>xci-)^;(&9%6VB|~rQF=Js%-AU@x!_k{-p-SnhXSmMCJ2+~?Rg3}NTZ6Q!8Qv8
z!-q0I4RpjE85o0-RAgXu^DL5vMqltBD{cgRWui&^x%$A&{;rSjxuBGgHk%#mT!~Hc
z@b}Ht0#NpUm}*#9l5e@<C(=8n6<-t<Ga`P{{Nz-LSmL-nq*pJp_vDOr2LF6(X}|yI
z*-Vx-Bbwp<^tT1h?-|w3X%Hm}Pm8%7dxhVr<uFnDe>-6X80ceMKn)5PBmv71un#8$
z-1o|h3z~}yxVu*&7DFjp<swBjWrLIV(Pmn~h=tOsA15q|zj`F%?J$<^sY9NI-L)}B
zx|XZC8!LIHE-|3Zsw-;QMc+r3|3VT2^O}t$>4=%q&WkyyMu6k3ecE?OOdB|Skj@Kr
z8<*K3B(K6wf14U_hfOIO>lYELS&ikj9CS1KDx+9VZL<0vrRnPQd4zv6Usm{6q6lj2
z+DU-~SM&s3tc2&m=DfA}Jrc%Y#<}+&6{FR!HPOjM7{zss%}%e07AEA~CL+Naei@Nz
z3WPSFPBP^QyYJ>V<u^U+8Rk1xiuv{mqfp8kapV0+y+_PjKHJuSsykus`49WL1bIN0
zdD`&zX*9$8k4rIas2Xfr7?cSTeD#c66?V6>%FqSvw(s2DyVg-gnxqJe7@0WcQ7CBs
z#U->2h8YEv`Bse@)Qt~-B~3Z<<LN3%SiWZUg*;65{DK|IpT)Z}O2o78-FTmYKK7mO
zV5o57-Rr0e;^8!H<y-zF&y7aq=pp-fjgQ33iB;|h3`51YzSVWG?VGJKogO@2#(z$v
zp{{Q#JR=#R=TB)!NQ#~g-99t#tJiL4kkL6_43x_<{Cb8VSxdO#sowgK6!`3&PsaW>
z$cv4DWMnZ_WX;^rh_zv*tj@aiaU^3S{nl0^&iT|hg$L8I){XwO@e7%qx=i{C1?RqV
zov)uL1*-fn$ZnRt6TUg8=(-HU{a+@e2$OwX1}`5e>U{5hivGz8t`RBM+~Z?)GC+hs
zMVy@L(5-hB(#=g4XHch+sHX$OXeEF3IB5x&x)f`MuIa69`0^WEcd0ur5IxENjCHJo
z)}MqyO{(=2P2NVhp{JrAAG{#wzeoBcuVd?t$*TsrhXetHZqgOUd$CvjJJj3R;I2pJ
z17#XfUTtvw39^+GQ8#pOKwTFrn~t{TfIZXW^&_|K^?fxDguISy)x?=lhZS8EE8N5B
z^BVi0md&Y4_0&o*q?*=Bf?!(NL>eZ$t@yA+f-sGSNt<op_Bb@*JqsE>HnPL-aXmy<
z=v|&pGi!&%)c~WnB<dgF=Ss-F5A&{Tu~K3B`y}@M-=wd0`3;%yeBR@CZVjmJ=MGZ0
zl_V~R#}~IhT9yGl95D8m%)!rZHVn#FV+>-4;@*(&ZSOPDb1Li*aMD4esk1qzqyf5o
zR<`C>uT>f~5@ACzF&-yxRn*+&HL^zxZD<SEX>vd9SL|yz`51zb><|pqLYCuh@e0F<
zyP~09$K&6QY(e%H*c}s4ET321um<h%EVTHRE*qbt`q8l6<QX5D{JW=Ar9h?79(#;d
zm3zhaM)w&8MR%e76=@%b+0$?uJVK_C_0e|5aQA9G^;N9oz3t@V9A0+F<26;*)ZJBp
z<52x*ifl}tF{b>&A|xC$QcE_-_nKBqNG;FJVu`EdW>B(%q-ttsxx=hK&mKmLG)AA;
zEtr9?4ogx0=AGWki|lJO#0a8AsU!A?e{+?}HWTd|j^Lh)X=9Gq_2qjS<^iry^Z6nm
z1UZOr-WSK#xooVP7c{2jOsqn1yXPV5yNYGq>-nPYiSB`v9s%pr&z)v``Df1f1sFiV
z_Cbse^#^jy#2^WEQVaad^ee9mbz(_kchc+aY4Nw9!~Z2lUGdI8GOzAktU`Nd&3YX+
zrmCXpds8Cz-o0V^FL@KfBwa1}S60@XPBaqgT0L)byMLU|;gFGT_YnGpD?iIgy`_5h
zQP|R*y2!35i&aMTImZv}sIu6ou8Q7-lcozK5xhhmeR@-GPeUA?0L%OCO{piQC*f{r
zKC9>5?=3i!CP9?4Q+YDaZ&!UHq39?WgH@EhWj#JlDw2B}*a!&?R+iaQuN;(7iD{nu
zH%vZIgh^e-9;9Ssyl8o!)brtX<`qg`ENtcBS((T0?vT;qQ_;AFF8Ao{MyJ<V+1shv
zCN%?3Uu{2htgPE?UL*z@HC7y^@TgwEa(>5o+Ehs|Nj-4PX@Ai---q?1#_4K&L-#1>
z!}4t5OPZ%!mN^&dO%figx(%9|)p_c1B_YX8<bcSa)WK^d!n$8<hd7*UMtJ9xa;LtQ
z1%bYM{1t>0+S5-cu60MvoDlvdj(Vv+?Rcvl1%iIYhYY7p&5N<N4JhZ<Y6)%uZD+Od
z6poIJhqkB2_rt7V=?%yt^Q*h9=6eYbO-9U7jq)z~O7{G=t+%Rn@R9i*`1+sK`)lL3
zHUG`bUNAy53iQe+ddLBWnk^z%W!OO`NWDrtWN9bmnl|bV;eGY^A^|@OeKV~d0B47Z
z?%M(fc!EL!k02HUo1?c5C$x;$pCftsODqTS4bso1AF*EW-@o{kg?N3{j!vMs%`)LP
zt1yv{Y!5xG4XN&W%-sFzSp9zYD?CDKPx0Jb^Vr2ZoyxP4bQ$?|Gx?C}aV^dJRw5Xr
z!&U*Mbo(cgh5GA;m{+hm;%1PKT@BUH(<*5mAux~8_^rIJag|Qf{K@G{BN>S|Ix_DM
z2tuG|ik~~Gel)-F4E^}MsX&#Lau%$9UO@dvo|GPo4g1P(5!d<tnDqS8nFO8>gX;FR
z(Wl2FHCQSd3t9>*%7(c~iNSm5iA8fK3)&kmK#O_XWAZXWC&uI#eJWV|{IEamHOF4?
zM2HQ?@x#$xtxq>to+_xHld16zUpGo9Co`J(=&q{zN>mvvCJv?io^rzWj9aI6cp)?X
z_nnN~<NGU0vyxJI3cbh5fdeQ_hsIk1DR0n6>!`6u3M~AlWfVI;+`V%w?WU21C2JeA
zNssmwwWP5F88uK(4eXXWuG%ACsWT-U@f{r`$olW`$<Q76$3u4ND4IT$tc_aC2ZUQ)
zHFWdjRYC95!&Y8|B<~KMD#HM}e{&gGSXUUd;<A7)Qp!67yY~V%xh1}0TZ_<?haJpR
z)(`^w&S6JXA5W%<l1_WwG`rOM=5G#AYQCqu7TQEHu3%aEV~|s>N-kMbUCgtVob~&3
zFUX_E49pZi;$#})5_0{1A^AJi!TttPF5=nCTiue#?kMZ(OIQ(~PUj#W2e&-4*HC`c
zXA9#;#*g~NHP#-_GVMbu_K5N%yq}J}!@)=z<80cB$L(opvXOC4EtL8>*Oyi7rmU<I
z0OMx?VG#d;VJ#Qwj?NJQ>tN8%JF1?I8DAXhkT1<Oe2d#w{kNU7FhbHrQ;Mt~OI#{8
zqs6YBO<Y_-V&32r0*B3OG?E2Vr4b8i>uEs<0$kmhgM0D?Q|w2vp$5H_tdI*hYr1-K
z8W?xMrV{b-RtnIlviFtWYE<@7#3Yl$8?IinCv_~bIVD#%#o_X>0Drl>TMh0zj(yWk
z<~__`Z0#RBCtbSJWN4;RAmqh%-%a!5#)oIO^CYMo>-iHn?TstnzaAnd2DD#Z7aFq(
zN$45rpBinp@o?^|7tKV@>DL)hA00&Fe&G(UA0f#&<`cy({QNn+-a2-k)QE8lro&s@
znNtl6$};+TJAATL_6DJzWu{g3w*k#%gn4(@m%C9`T8ww<#<L6G-40%R;1sm-I)3GW
zwlsl^^o3Gn(=pG+H@t{KAJ{y4UUa+Xu)h3y>+Vj|c6bx+yZfTo@RxC`Iim53Y5bH9
zGQi5HUqyHt8oQhoS-Yi&49*uHtt((R-tUWAXhql+ImhUZ-=I`!kTyn^-qhngs|@2|
ziap75xvUR5GrXM7d6~{Ajc7BmlZ5Tc4e13#)oc!r_S)-9yw5!o)}2odF%8({ZReAd
z#p+sepazjJLHi1(qTJj`)%e~-9>(;LpzaH9o%J3?FYipI$KcJCEp7?#qgnhVk-+>8
zy=%9K7004zttV%K-%vC-BLXclu2VW!jmX1%xcwFzgn1IIn!|+d+52Xf%5f-D88)8J
zAGyk%8w`KuecpO_Sbgx#VU0id>rX}#9lSE(SmvJ#i+W-|GAvjiPbb89+ro=yUlON=
zm{uYQmr^MOsP~F%dusQvokP_#2RDBfry)NlZv6CJ;Q5*QsjPi7Kzh?GZ`ao1o#;Cb
z{M#}{Tl#a<(Agxe2WXslyF&)Ai==Af;D?JYV0n1+<T%Vn<J(x=Hj~hg03z-mBd5dx
zyL1+6S(cP`>*!BNzgY!v@%B8F{~|+eA_ds2zG!oBf@o>tv4i~qS&=na8w$Ry4b`1F
z=R<?WyPk>9p^kK@eM05vj~sf#!`Q?bGSxeaiM2hC+my=z8jE6WJndNd>C3&4yq;;@
z(<Yp`ErsS!LW7JcD<O;NX<yUUIShwNo>dmyB;u$8$7U-S`ILTMRh6@ltebIvqNJ`E
z2x#x`JaLMB9h3XK{f$Ru#_d)SUIjN8Te92QMi8yS<_TgprJRq{{|!~O%2O5op?d<n
zXWzfS&O}<b$v&V9@kch%6$knFXZR>Gh6K^kF=W{lXh?q}yg9JFnE8pU_At@Um&x|1
zyF|fyOIVo6ueJ3gRr{E~)BZf9nDgUaQp((`Z5@MUo;Qb&H&Sj5k%iFGU%7JfM_Ku-
z#s|^2o5<Ck5-gqZC_xFFDq^pH=2l=`tqCS-9PJKGf4ULEMCK$*G^(edwdq|Ct~<0v
zmn*K5T5$Y$`6EN3M^sFN`<QxPA7<~IZNe`t@B=>bJsX~8XTfZ?pCVhXt24uW&wL|~
zSLhHgLVT>?e0Tdod)_W7#BT^83HO*(-uO{MH9Uhbiv9H1=v_XU1=A<E$2q(8k!ejr
z_4v#72pR8;)VsfCf80d$?q9r|G#S&5pL}%=#}7cUhFfUle|Y_#b%b{`_x|o$$EVc6
zFCX-y!!UyG@2$Ot%H-GIPYqaMhy!s%@!s?XlEu4_5Uwj^(zN6kE(zYb^4;stsnG*4
zbrto3fhMxK1iSH`K0KK`(XiglwW-N_5+cS~u=zm}CTx6elgpwu^EOaUYdEGdE91F=
zcKK2M8gXlBo|6nu-0!8Yc>9(XK+4zIph^`sNYAoW{-es`bR(kk^GrU$=skQ2cT)1>
zyoc2ylLbt5%Ds!4E35Fn>NWqQoHeaR2dC)7V@Ty^r>_Ba9_hD6)KbjZ)>(fzCVo44
zaGuu4HkrvYB!vfdHvMMw=fK6UZlnmQqTxZBJ5$64!GT1P8CM!`_-L!-MO5Zbo)VM7
z%BsL4nb*yKG^ux7+TqB)v3d1PYmF07EB?r4<8vQ3R{dJnBq*2rc=kuFI6sB!;S!yx
zP10e9&B+%+HMl%aaeSMIqZD>snM&xE^J}G_LVO)&BqA@l4zII}XWuOIQ`vKr_)T8w
z>+R*XeN@N|p+`E37|danSaE=zxw=_XuR6d1?EAWLX=hEzp@^74Om~%=r)T(`1)_82
zBTTgI3eJ^}jo>|gk0*r0C%x=Ch?FR?fmK<p|LKAM=O3DbZm#zO_f*lJj-1~v6|1>I
zFxfUCl`-hd-OHY3<CmvTuc#n!J#3HgpAiXvz8NNkXkpr!=mP94x#AV28_xc8d3^n+
z_b1qBf6>wQPn*%pU;nIe!GUNXVrcmPYwo+Fn##U^nbEOgK}8TLDq}&Kh;#@#f(2Am
z1SB*SH9{ytM1%xzEQnMaA~iNZgurMFNC`y*R3K4-M5GB3t`H!E2nqe2o0uEs`+n=a
zwcdKawSM<6J=}ZBKA&CB$=)e+j4zyfP4t!r=&z$gppg#p=lvR{Q4Y-0(dq{4g;DCE
z^i{K7b`m((%dsO~hxO@iaF+DJ%Ji{TV_jNIG=jhzYd#|#$%0hD%%Pw{XM!+OCmta2
zvQ;IfCBNaqxuRTaKtu7X$K+8=BPh;%=JU@GH!H3%HRve3XCv3?-DmZasrZ>kpvWRh
zn6zHFoa>!9J+~YcW#zIY?OZvc5k_uyX9mlbEi<3~`J%T-YlAS?o`}vM`6>9xdtO<f
zFez&}eADOQ*C={-k0#+zL#G0&C7*ho9={%*r*IH&Iid|~hn@?w5I$xXy-x!vvg2%Q
zZdATl6aL6sRFqG+vPIgcJYvznjTc~|TJVii(ME13w6_Z;M+!QG<q?GQ=qnXW4o;{f
zwfV@&2r~`}mns`hA8`^8_|v-^_#re$$%xfa^rIh`9Rzg=$vuQSk-{@PRKHDH(nWkI
z*qQLKN|4JKAR`<k9h4Gw9T3u|4-pI%lXKbr;P#WaS<jWwUWw`8%XHcnh<Bp#5_gTv
z)V5ahfLX)!f`qFF4>AMNR|)Sz3YR<n2J&Ai15g64o5*zj3(N=9Vj3!h*{#L6wN|5R
zw`8!3^1UTg*t(QBF@;M1Q?e={zLK#5La0ah$t~&sf^%CH<fU&yq%))FDP&=iS|KU7
zN)wawy*Zt_!fpPhGCKGz-%n{#<rafYL3VcfeyaJ46(DcT+m99JW(_Yf^|@018_h~-
zQgB{PxH}JY2=|Xlpu7zyFzxWCm6erwxH!xpJ8<I7P|%p5q?B0XO$w4gIfz&^g`2Tz
z$?r~a>*Sq+)9wnHYMX<=H1$x}AiojMZ`2eM`))WLa85{ifD3Nc7OV`XW7W>6s8Sf7
zq-lg%%L$!4LR5sGqDPCq4SWq>)bB|_$z-uWu|}7|uu_vi?7=odyFYD0-ou3%A-o|d
zS{he{D5F!|se<su0X#RTG#=g2iF3T~ASjVX7_}~d>xd084`2&#X9{;$O&bN)WSEx4
zFVz4yNq#Xz`87FW!BMLY{wwcf$sS}#6Co!OB|w6WLTwaVes8d;vW&3I3Nm{Jy2kG*
z1FdE$AuRxR#5t-&q#aN|X{!*KM?aLtHR6R8EJUmMnbi{UW9AKpHYSVGmLMBv7T{!M
z6pKMKDffhh<V0h!svr|WK4Zfh39##6V3YWK+X4v#+;t@kx<3tY!IC6xyz6wH=7v~E
z*GxGsVki#Imo7xw*%BZsIjmVNo0bw~UU2d<eG<;dApHJ7j}Uu1-@A5}l&)J1FR38n
z$3$8%hr%c$N+eQ7F$|Rn!_WEN>8m6X?0`JVSEhCXEP2*`!cZO6nFUsF0M<iBDs-^;
zCUeOIwh>%Ws63e$aktUfw4y(L$*mKgGkvh6iD^)s0h(Myl-mtUSK(F{0-^?W?CqoC
zCD7hq3BA;CSL~gbFo84>2Hge#2+!d&ogNn^X*~nx;Ys4>&9rwm2-8=?GG~(BuJkki
z$hDJFuGcRGVzfOh?|#f!YDo)wc1+>umA>POhU=GGM(pmJ+3loNzHzju_(j;pyPI4R
z{c{vJ`{I6DMEXabJ(TAb#{13VrY0r@R2rD92Qa;#E-ZZV9oDxiG*FpWE50?c4IEqY
z?d&88srP}Rz6(wkI*SUEz*2r)(@i>CiD*y-P28m8Bsr#EZ9>()j84ZecEm{fy^|v7
zPb+dE*<Xa$xDM8)w|d?}ueL<ydy@t3l2p`xM$x%;+_9Q$2T9WF&uId}R1ZDJBWd|x
z9Uz6|ez~WC7hTo^1+3lQpDRn;yAn=!UJf#`CxF@b7e<$jln4}KX+;_#fiqv=wCF!~
zNuP5$9#v8QH(298AW_BgH&tHu_i%%Tegq|?bIdOFzzNaE*UfvSl~eVtXD4{;^+*?Q
zGPnze$|E;<Hq9szCn_7Xti${Ssp>#){kSUsvFM-GSCi*}?@p-Nw1qD}%L@+a;*}K4
za3Q`87~1fqKClrU%AMNDeuI`4C2o%~1+}NDPI2|INf{coX>!C*=QR&;lnLzBpc{Sl
zJ!GwnB_WowKs3}JB($$0f?67Ob^$hRo48*G&R@tUPc&MB)p%J+pV3JQf<UV7%P3IN
zYPr@~a<&pE!Ne~Ul#uy5&Uz%n&>hcj(=8%HwOL>_UjAJ;S0>og_1C7ssO^;vBhFO*
z$E&c8TDzR}C9EOQ4`xe!2SRM-`fF7!fhMTz=Y1CmqpcMV?rlK5?F>WH<r`9f*pf<4
z1<)b5YJdL1Z7wXHsqg&s{i=cQ0DO7!bt*MYrR4nDIp}DQLty!r>sJ%kUmKfjvn^OC
zOZ)^VbE?SIKrwYdS$+z<F1U88KeCg3)o}Hkq`P3s50_Oz^|2tieNmTg{2)1bqF*s~
z6F0ktuWVXe99BYR!-WY@R?_x5u2r{WpD;Rqgvs=udkp99e>lGi8Y4purrKI(d0vIi
z;mf;-N7Ycp2EKWG_~#wxYfmZi-oUD3DpAn-_3Jn{Q*Qqu!o^YLwDGr~*Khh&qB;s6
zGrMrc^3uxYM(;sEDrO*I6GUrom;xo`cW`?F?#nY*x;sd_>0DXZ1Umak5@<wrahaO|
zZO=GnI1zHSr=!<Te*47h{Lx>lYPJP@P-B$z_LA&w`)D*H2+ZVTM;Fdi>H8R6JG3?_
zL#=i=xF+)nm;wA8m2slIX7R`a1Dk6y9bj0UVk1Q-?%?|_;_*YZd1Y?0pgc&4I*P6Y
z>?-)VWe;kYj1gQhwcVeE@)@-4d|ZVA=%Kz#%6QKMNjiitO8t49P^uAm%9SbPM7Zt!
zY9h;HL1$jsOraX;Ak3feBN7p<?d_rdgkU>RY5=4W5dCG}KY|n=Z|~HQnca+hZ#z37
zqk=!Jt5PDK0aY>HyoIeH@Z9Qu3td8A5DAFAfOPQlrvcX}kDcS8AgsO(8g@pmBr>ZY
zz!Xlu!~^`A$05R@sK*cLAwXAQojA~T85Rz&G-{&~k*VOj$T@6F#*Tvvc7X+!m-V+D
z^z7fWD!lVe0qOaZKQ^A9zkd^V)9-&jZM)U|c3{ctjfFqSA6~`G30yp1`O+Q*&+*|V
znDUpeb@B=+`r6jbd@5tBm;`I&h$Kpwo9nO4(o*X@fK-+vR&FbCcB}PMMCzV+5Q}0G
z*dsMnQ1h>ggi`)MhhoiQpZsih!V2{u7~~d?+l+bx<$JRXgN14Vw7q)`s+qLojbh#9
zLHTpgAZp8@__WwF0$`8lSDPG)s3pS<VBr)&H7OBTE=NbvYierPY)~vl^w!QU@Eaj~
zVd?z<7oklETGxeu$}K{F2mEJe{!q~L0N>i8H6yEkLRp3{s>=oba*JCH?a&sNh1uCY
z6m(NQGf1l?zYxI<_@M(MZm2L9i#-UN8t^lGot|0C+NQzbr1RU+I8hyCu&C82I)5!u
zhC9;eZE+l-CT!{*Y`}o|goe|}B99bQfmj3xO1MT3=`a(OqXZCHLSz}zct?XdmD_|q
z6c}pfo1rmhYydKZB1{h*?OF%HEAebz0xKhg8)Te19XbuFM&>g##DoI7J3KTr#N)fw
z7Ui-G5pq<6N$S*-g$fpoaqA*?>_Qf)o(ILyLCG16$PEVTp$NQ42YJrH9E3n0svwNO
z`99xY@diSCS{0Pe2u{v;nVXIDxSfD<L1TRlkbR^Iym%$|+VK{%7uJeSPDt;caK#FX
zgn^mBTN`nyxa~iXm)Xz@{JE_)ey@>T3F#YcDQK|i2pjX`295r@P<h$erj3D4=%)S)
zetukF=M{Lbt@(sVi0UegMM;}aw_)r_d1Ne*G%N{vnTr)qaYzLpc&n>gCj8{<ouu4x
z{8HInrdJ%Vok&@}`+gG2>aTo8%DTt~7rV@8RqWCuL*?YYGrn%6<G;yk6VjLwf^p7N
zHL!dTZc)`jK|!Tcye6T40~UMY+t3=Bf|jW)k>dwi<P8WYA5ery4B`{7hJuXD@?^OD
zf%|Bz40ix286;f*YP`iU3k-y&Gu&D0P~rUu_K0Q^T3AaEG)c`{Lgbmc<?*X9A}bkg
zt6ofmW-2ipGw&9AD?c%;<TVMdhv<2=FB{ReB)ts?fY$pG?hh{j&NyCBB7p5A@RXl7
zKw(K)l%6anQNxLkLt~(P3fj6Qzn&+w@Zk12;dEvSSqzf$cb&YFJr>vjnSYf?>YnK0
z$)K#&#P}+|+=)wt3K>bGA#V4DmOb3no)TbgBd@%RqVv#JLD%T~DyT{<cdF6AqV*&J
z9|s{w-C82YrfswxAxE_{A=d~B>1ZfL@LYbYlNZXuwdjj+Du0RVXyrjlH=mwV7g?*~
zwd@s`hFmgITq>4o+q$}RH{^R;6GJCLk~SgViwJ21p|O3`Vli5!#~TM;YD|=7GQLj4
z(4)j6AR5RCS|L9z-&<W2GXZ0jM*t7qieok~0i2~wQ2~0X%QAAnJ@9rK?}gklJ$~if
z7q-F!jd#{0{QBV;C=(@*qGK(7wl~z+5Hmgekqriy9O*ccUK3jNjaZ4u>k#%>ko1Hj
ziGEB0K378haw)-FwxI<jDFDh}_+}KwhOQP+xg4ejz^M;6$W$4rb@iwcD$=kf>4i*o
z^L8j9;C(xkh|8s9G~7t2>;y%DMW3>Ourj9OIA$SZ{+j79KTp=Qx3S(GvN$QPRsV`z
zL*94|tx$Az*W8?nf#vJ<FTDR?=eqI7sku&upH<Cn@6OCCH5T>+3T#~rE6L6DsgWn?
zi8p;+mu*4q%gLXUMlm{8Y8{nO4;%o4pBHbSmX;Q#c3Fl|CPLPSpaR(TYEYmng)An(
zTxnw7(MU0DcYYrlYjwinXzB#Ccm<+?+dDeUiEbXzN3ayJ9R59=K6SBpYIH)S*D!XL
zChCfzGrp!Yh{?X7SU?!0Fw_at#e&vJ*mVNWIz|_nVGO1ch%5zE_hJs@6F^oLV|s&F
zW~}S!!iC|(W;$!=vnqit2jZ50#t}ty6QgrEz%e!z2g;sFv=*2jQx*lK{EEDQQ6pXh
z0YB0%-m!J(1g(Q{4r*tjZ_{|9+LPd=1pvH7xix;1Vcf#8Uov244jiY0f<XTyJMsEA
zXaTtZ+H|Uma)r(!yfDz{gr)K?q+vv1s9$Z?YVOe&6!%Id*L9r^wWEuD2)XP&VaN`=
zxZIDMh*Ne)g#KLcQ(OvLA}$xG0MUW0Sd-wxuW3h{#H!XCIbp-X5H>j<ML*++h_sKL
zI5%cM^zCYSL^AKH#He+n2@Ets2v@L0Mi9@`mP2JorXw7IU6$$NgcVDpoo``R*Z~AR
z3CoDdV#a>E2#8FbJxMsk-dUi4GDo3$QnL7Il0tHqJ9%~z85{vrJ09yz3%V|@+$OaS
zEohx~B)E2x8J=QU0sxAq1x4SEWgTb!BE2AriZ383EquJiYH$D6t!hR^H=T7T)0Re8
z*Pwo+A1?p>zUAG)>fYa_wzdoE4u}EvaJY*Xu=njs)QkqILloHuWuCA=)Z%DQ_&(zC
zjyV&iQ31vLi(*motWZ$mgmsU0k3K1W=N@1hlMTTf@m?H;<0Dwo6MkAE(zJ~*ZQ6+=
zHKA9EtrL)qu&!Set^u39^V87S^!T&~sop4#T7WR%r%azbwu1X4RX`9Oz<@VN@DAWP
zAXkeh<O#k$><31~bKGe`E(r*Giw01^b9koWoqgEVMW*OOrq%L^YGQ^Sc>}R&bx<`F
z;DSIxR*nb-(Tot?vFHZ94*ZS)u~UXS$)F(oFPYZ#2AW_`(CT!mUobw@g_-{<4I;I(
zunMZFLF)A#HYT()1Hkf(L={;@iw1`4YN9B%1sbH_$)JFI4Efov`bNz4577cbSjfyI
zDj+!#L0(m+k80OKz!5V*w2AegClIfuP)ZHD7O`~zUB|`>8OFgJC<w6tD~84zB!=rV
zMU-3M*<4E6kg%2*Jdb0Gi5y@H+6bZ-Ab>d`D53LG07pi%i^NvbLm=Ji5L0w32=xV8
zn0E5$UAzIY=%s-5=|HBltVodFm1A3g_eCuFq$qkZMZemx8eEctM+ckyerT*n^)X*d
zOyujZ3WQf7*|<L{A^J)b6HU?+E2d|!1$A}p#X}3r&HLM4#3-69xBPVR{%OCvXpF(_
z#QiZjXYbAIR@i0r=<*!J?D~t^%8P}Afy%u#Og<UFm1$Ii5dDX30gguHmqpQUh#9*P
zl+)yg(h3=9cj;MUD!QlOa_dqg><;D;9YJ9P&^$;87^<p()uo$94HVm#;2dRWj29Wf
z2W1>3hybr)HFakLFXGa#06IL^ZeY8)h$Zgx>+rnQH;lG3Lpo%*Gl+uTQXrTV2>ubj
zXLSSEV!FC{b%;>kqJYA4I8~7RuOIzMN%dW)6CJPvDL4{kmS_afX0a#6_#k|U^tKfh
zU{ZbQ2EBbEZ)j{tY<i;sN8C>Y^FTyDpelGKO7kf85;?ypoQ~nNAvE?EOa@uL4e8+g
z3wd!M+7&2JbVqzBu+!Oa@9lUR!nU%$ggw{94#(jj?if$Oy`&N%RzZ~rH)x`2<P(EP
z6h!*N8BlH7(r~R}(s*j2+^BpipTf@<H*F24cYuQ#G$Oh#agC~9b0*MO%WGmYVU;uy
z%&>%0ECDDG833S&)_L5?<Bm-AQ!zaOG{nx{0(5B#jx)vS;&meIkybQ7B?3!{A=!+r
zT43T(in=b8f{+umsh%PQq~g$sXAPuYGoD_D<tRx6p*CT<WJ6a73rFh}>rwbMbnO8V
zw|z4o9c<g<vo7NCmek(Cu1yr$fepF`NMT2;Zf(gqy5*Zx&Ex(2u7Ka9Zo$WfQ;ouE
z*f8>*E+bOx#h?eSZbt`QeM7Z;4O)Fes6^Rb0KPd3Q4CL)5}841IGVd;GPiaBMauyo
zpY2UE?W~&dDpWor2@(AHKplXZzG+1<hyYs0vMnG{Ou+Xu*XRXeo&=6``aL7)1!Guv
zKmuk8h6oJ_AyH!6@e;>pML6Atg!o?TZ~}r0*sh|=OfiIRX@Vc0YN0qFlt30k0eqBw
zZ#%3mX30+2dq!4x+Lch6%lHavwQ5SV=q)TDcrs3TmNm!f;z3z0vlJWfn(eSk?uzcx
zV)?qxT`-AfktK+_3CCe5j8FJDBp$L)9%UXVaK<)CY!w#pLnNvfti801NJO(!cwg{{
z1M(+umrdz9)iY7E=mumNqlk|R=1Alx2+Mep2B>jHP*55IyzKyZkNKhfREe>5%TH)t
z0!<(~RRBc449=MX04uY2rZ$LN2k!jQ4=EDs)enfp35fx>PX$<vVm5>6Uq*DWh}Mav
z*jr3a3lH;P;PtL1#?@4c&F6hes63&Ho7JrcT%|XP&PWoo=l8|LyzF}~MT<jb<JHNV
znwp$64OokKlRK+nTOtsAKfRFXTQ*Nn)lO}Bw`A^-Rq5n5mz1ZB=KZI`*DPH02=K?p
zqqk=B2Rya^5_>4+IC#^v5uXl@;p9?^#MaX3r9{9v40PbXLO4u*7Z2FC5?2NskXWe!
z)`|8@%M`Ec^lVRfXHONx^CY!(@_;z$7K@WYkeH8R1bxC6h(QeYZ^mr41@{hEaGs=p
zS#YPNi9qJz5ex3tC4gWjtP-eQ{3}t2Fjg3HgHExRSo|VnASxQ1^ssqs7vOg&&(iHr
zfxLx`ss&+i(qout04u^c4ZnRahbpn6gi%K-A6N?X2E=%Q12sR}<EViWMh1goNibbx
z5TSQVn}EuTc<oC_gAkzyL)0n}hfw`baKh#{OOf_gVk8RzAv7k$l$8NAA<4>=Ni4Xc
ze_3$1j0vu=SvcE*`#j``r2<ApY>;;#WC?sI*n)GyA_iqMu<Lm2Db8#~x*b&FMHhp4
zjMxYWh-;NQ1kYO;t0_FKg~<iz%Hke}H{)oe7zuw$6FF!}0JLXltYibw4mTve133Q=
z(f)rBXQ({JS2SC|WkDTPP_0mv!d$_s_5&_D>9TEH&tubY!)sYf<j;RQeOB?3&C%m|
zc2>*xKF&Y?_neexm50nHf%dq3Jc<s4knYqJy$rGG-U4dc7C;GfG0!i@af7teqjf%y
zH8@H9!#CIAFe-2wLxW6G4<YZuGRFm*ZjKUNO@S$+Qwf2H5?$NZ#s&%LE{C-pPpk`;
z8xUOS2~KKfXo=G$1e)k56?_RhZgDJm_ouwtyrG~GF))wYw1HE}_TJHs8Hut3ZgLJ~
zklK)t=N88rLVAYBVN)|_$@GsP(gp^q1`!FdqKuG3xp7DoYG5B#rKVG?k-;1jacMXZ
zi$L_<M>vFSD!M5FFRc?erAP$q@pU?T%-@$3qw^V^O&Og+;(*tj2x*5lBO2s_phTrc
z2ReW|ga|!2#xZ>SKb%`Cl)`V%;=4)$%Mq(VeXZI7R#pomNvsi<bF*5|Y*i3h3%y3q
z7VBG~b8Cb_V@1~&z*K>AOC%DR=>K$XX9XC6a|@G!!chHJAY~+kJGKCr703dBivguT
zDIU>&iZ{eiw<rOGMpW_!;9`K2@4bRaAjQU!ctjP36hKRy<ztAjHcJjYh@#`+(8equ
z<L%H`=xl}iw;YJ|Q|$Yw1q`u&vkuJ2><xs@7F`K|cLoIGNEFz~fd3;UHFpV-$?LWU
zJex5a3L<z-mco-HxO3XQ`@j4RPJMO%jJn%sh+A3Mkj0hj#@|8%opR#0T2FFYOr^-3
z6bVPV5mWxje+Wk$jlvKgt%HGqvW||>sScp2Ni+?Rm!tp^a57c@5{rLuSiw}1p~ukM
zixIGa*VN9Cy2Wr5ntHtdgQ@4%5ol3o1p6+NGyBCIf7XO!8i;A#*vT8D=23Df_mN>>
z*%$)!5yA~XHo66>b*JEBbkP5jjlh3~UBX#*6`?PmGI|Zj5a47;;`;#1FBwIn?TB%5
zN9bfw`Fhn`Bvb(U)>Z=Tcd&PB(N85xe2mk;y9GYR=KnY>(Mr#u<QmO#u(r3)@_*Oy
zK)|Gckv24j;m(>8useXfRFF6;K#_$Ji_9P-ZuQ-n&`x0(L3$A4C~p_~7&Y=@;U?6#
zEqJ%t1{FBHfff?+K+KDwcG?-3<Pt9dtewx~+rS&1D)DIU0Ih;2;y`p!5-|Z`QV^O;
z!A5_QgkOMd#`p@yk4M^(6DZLDEMw^2QG@|lATn9RDC$X(1S!UVGK-CXs%Lp}>%ePZ
zYmk8RK1Fc9F{sZT0m}{guXW742;}I;s_&BD)BCI#W`?61R@kx~?gi>3L^ZEkWLW;<
z+~=vGKycRg9~R-*f15>!`mZg*|1KxPjnEF9Wl+vcC_kitDhKugi0SFjKt2-j8K(hC
z5~+Vz0=yO2^O<%bl#1@3f{-y&6v~<<^Q!+dt^#h6W`nTu?6}H@p)uTSnfL$S$p8Tp
ziF5Wp+sXK!1u1ag$d7HYm!5n0UW|%4+B!+&4QcHhE$6L$4S%|>2t%J%-XQDv*F3}W
zla+S{s?J{tr`L9GhYnErEJK7_PY5P&!<Gf_ix^(lKybDI%|^4=NG>_NNQvj^aL1&H
z>8p_I2<1aTCb91SVZFR&fzY$q^@=d%js>fyn^t1511uiD24WU)I3f&7t)C>Nl)?T=
zBXE3D95&nhy7usPA<+%fO$Y`4N4_|MyZ}041RL-dlz&w*mb(0)6P)SwN`k@PZUV;<
ztv=E&@eh|964EwH&g5i(-As}A%DXC|k(?AG$O!Wl-y&Z6+*IJs#^_9^3QB^-2QBvS
z)jMi~{F7M<9ghEpmSuuCRlP%jXhA#Q0^OzL{!}+qxkh;L5N_U8Rs;-CqgjpvI8(ur
zM!>f^d$9Gf@J%A{tm}FU`6*&Gk=1=M0Y@{U+t=XFI|bliY_*ut&vo*~7Z7o@S9}nE
zbr9==<vzfr>+UXOHHa^jEZ+f?6|hWAFA}D2w6}+qPMzcox+X1RNyTzJ@k^zPA|5{8
zrXBou#G-^}f4Hu?9TUI*Sdzt#55wtC8#8pHRs=hl_%vuOM!WZyXXVy;2E;cKo0g?1
zH1@0rGQ9C#4rMTInnF$K$SqC5MR%!#tA3(qCnc6<?ci&=<4xYsnnl<D44$W0a|G0~
zcX(;;PfO@CN>G2G7YvQ{b?kgf^))@|uvR|F+k<^(tN42<#@=C#unCX*iVeJ>HOuB*
z&1KKCO22b75<|#6W)`6L(=g2HX=B#s2)%1`b|pEWXT*AJ@1xgWN=!anL;BdERk+9Y
zv(4Gk6W0{2RO(xX*37W&3+|ustHPv4X;XcPMfM-8lgAfeml6jj{HuzWxtWKebHCH8
z(mD8LKew$%I$C1Iw0ciGtNWZ^P-JH{wUij<6R;NQSMVXmfC}LW`FbignBm}nUfyu{
z!MzWbBj3HjY$S}2M%yq0G;6!;3&Oub<I9L&S(v<^^QysZFVS;(sMl8@eWP-P*_>F`
zzTfp$plsgG%N*=}`XU_~W-TlpIUiQ<t?5m5$Zd;DQ_h_X!gpC-d}L^pI_2AE(&%?2
z)(g{-p*wbSzscuz$a(_Qac}*cWpJSW`*VlDeq*EU<KI2{C@GBI`HMdd-Zsvo1WkO(
zwcYJMdIq;4@n&jaA*J_t>ePHEdR*JV%zlGm@_t%fO|VZ>Yd*%UAiBAEvAdo_^2Lkq
zJ!iVVo6pghX~e19Y*Uga+`~H_XfFFwj8Djaye*dHLZ<BYepHoy?=Q6rTd$vT@=DN3
zzjxGXzRX@3S=ow;iUL7wgl+V^jS5S+u5PEItDil*GVL_|?OkQ}x()kRcP~~+z$?cY
z@s&BltoQrPLq5rCW`~VDA-P}h+Md4bW3yTF$1lUL2gxz^K?XbGH+gZAK7PNddUNJr
zNM6VEcZw(;59ql7<va7dW!(bh-o2S2_CeK|FU#AgwxqY@G?PoNGi~aJw89lW{E=?J
z3GGeUr=GuiW4xE+iz9-2u5Fa<<P@5D&}jGiGsM*d#^L&_HfpQr#~$A3a!~;{CF7=Q
zo(}l2{(cxXJ#sHji`w<Mvx-yZ64)^ZKLM$%oxB%vX-98(ztz1v`(pZVd$fz%47a63
z#A#bV4pzYveOBFz7Y}C_uH~4wPKGry&1;h7#QVRTpuk%C^H?jm%l`*4K9KPIQT?#>
z8Ph~BKUEE<vv=#2E>(P=JoW8&8lkiC`W`FtJ-5E{eNoqQuG5~CPhaaf=HnT3bh~W(
z)l&L=IYM7W*1FrR5w87%srh@$D7cq*)Lw5ta=4G;pPygTcIzd*@$>y)^{e%&69IWj
zwl{9>v9+<w&5_mE(bRJ!*7fc;T{%VcbkY5`4jS>taa)InKCE+>vQl$M=NuZRvXUY>
z)tPzq`RSBbS&7|s!Jk$eniPDfowbtSd;UeSboMvh)lqh>Tu1(J@(LwVXC#&E5VJM%
z&9e~Koy%pS)}88{b9{@%f)&fX{@A!n_5N!8X$$xDbLYyOJZ8b&Y#C8??$v_TS7JEb
zSA4%znN?c){`Gt16+7t(#lch@w7vdR*xHDNmdEX<daH{YJ-A*~7<S|jX!psC*n}kG
zBX_VXUZOp+zpRVw{hYj!?|7u3_4mjkPFO|Ls0$&j?2_u*1<9lhg)h$(t1hnm(8qcX
zEm^43VPYP-xn8f1Sg6=?!|%YxM&E-UbiCi5*`4QF=CEm4-k=RGzzJPeTOIKwC$?-V
z@-#{R;45ryb=G|I7{yy;ZH@Nl8`d5!DKwNRo}P(}kUU*vS>l1w6pJ=mef^TvMCmip
zRgO+7lx(7Y876*xEJ@(yz45QbP@`XZowL^;o<Z8dtd~}9z0$Ag(`$&UIzM6vX(;?g
zqk_wsIUQG4zhCg~;=au%NzHDz|2a*~co{sgKRK+JLY<gqG4HfOS{fML0H1rODx$yS
zY%t+l67nkw7rgs%oEDMcO+0_lRB3d_2|lE<HLoMo<3{{v%le9&mq%wDEF{k=;y|>`
z?>;pwu1pb%|Czg=@6=CgY<f~7cl>(76OujQ&TXfvD~1hoJ1<JF{%HAiux8#Fy^fjk
zog1qU(((l*`NNkF)s$miy1G%Db1m%W9e-)`E#LNOgHHTXnZNnWO`b#Fv(o!956^Bj
z^D?!r^$jo^ExS=!g@M|zO+CZ)dj~vE;R{s{(ks*Ez1_HSWz3F|Fnh`DELIU`fPM0V
zc2jVmW^?*)%)gXIY?|L%Zd7`uin@KkmTw;RB5`4a-6N)E{50o0<P-PBL`ui#Y8QEa
zT2SUme&_fW>&-pd>7UoLwwV*!d!Ln-m`7QMH5Vr&JbMFVm}Xn=rki)_9-`-4%AH?-
z^Cao&cF&dTFFyHe@uTe1j#gLho&C14K{4e~qSgc1SL~TS2lGph5?E`Xx`=IrPI7Oe
zk#A*6r&lP7-T<9?+#SYzzIpq`8>2_8mSjt#D9*aauFQ|y98y~3;<EqtK+7e)_{D7N
zc%AH)_)Pekt?*eVXx&$ndBx^>TFdYlp(oaca>DrerysP#(RFpQO1M20kX0wXYl299
zaP!omfy>9LZ1=1jYkJ=sZ@kY;)2ln@eJs7MB9pvF*N$M|G@2HzwT5_H1E2i(&*5_u
zf7s}+&MTO_HIY$Bc|_9vI<M$eiNe;~ScAQ9ezf&np>O#ZBX>UB>gl-e?!{JZ1)hUu
zb|yI&BZj{qN_{SoeUT7;q#*sM8ZXvH)8xWmtcApz)zxx8=XE<JUbU$?az^bWDXvj>
zQd{pBxM5A^ZDg7hX%(+12}*XL=1^41o)AA)K2j?PMSp>w->>;$@KCMz(F!A+Pr013
zF@wCOBGcYCBjs#U*xHuB0OvyPt08WtYvhW<B#Z9OSt4HbkkMKNg+{JpQ!G8BXY?gj
zA;CX;>2}@u#43<0CRFc1#>X33R~vQv1ku+PkT>W_qh!mn<m<Kc4@Lysdk~teh(TZQ
z=QM5B<ykJ%8dZu5ontk3_r~p)eBU?}%2K?BvMS!m{z0VI^bn?liDmg6;lZwWt)+dr
zYHOCHKJh%;JvM7DPrfynpcY?$6IPMQSG9lp#HvF(WJ!EP&lBUf9~23F=jWS0x^vF@
zD7~nIo4Bf%YVF0N>KYCP$3Jm&`daj}W$4KKxRe0DlU(cZr;gqWW3JRa>hvg3$eeq3
z?K0E^r}XDutEq|0U&Gc$^7ih*gfx<-kEE4}(Q^5l?%~&KE)rHpRh3m>+}+*xGB?I2
zC8;k(L2@V)*U0;*@Qty-c7x`@shWZdJ*y7t#Jn10`<R?ZPvM+WgBf8%y>|B&tuxE8
zd*ZlzYKY4#{XSa$K>c<qDYfWeQR_@AdFEb`sVr{OCLZcJXZ#;^<A!+JpsPdO#eUR_
z(HqnWZ|~vAO2fgmKdv5*eEBK9&+CG%g`(4Y3n%9om#?oJ3+xRFwr0@0?-?1m_<7}4
z{*4nXvpjNa>xRg$5B99uwJQYU%DpltEh4E!eplI$%+J=%&~#u4(Rq><<h&+mtS|NB
z>wr_lu*Xk)bc*%y1-ajB$I|!OO84G>ck`~pg^Tq~b8RYT8XJzkKK(F1^Z8#><+6jr
zQ?t<8vtoO<6*Z&<4brA{51UTyPd^$mWl72C$;%3S{la(D@LQq($f0A~o^NT~e@DZ~
z=#C+{FVXuj!My35Rqf;HCvKdje?%ONSicap(c)9X1o7Ph$Om;k>G)b3EtezbgP{;(
z7o$EJ`(?`$nyPzQ@MPUrzk)3?$86-LJy8}@F3Yx7DK$JgVym^N?a7i|>_sTc?1^!Q
z@t_OmIK-NebJpCv(>AQyn6jX2X81V9{qpgTjVd*Q>0h@)q@=FU*Xflh5VrpC^7gi)
zVDtoDSZwXm1J9aFmNL}6!k+cnSlTOC9En-6ZocLEI|o)1zGnDlnjS0kcT>%N+i*P%
zO*>X`r@;T%<B8|G`>xQJr?LMwX>yvZIC0L6`{`K%%Kmxg!5s;C<5n??zcSV0E?8zf
zvsrbZ@1xw4V&{L@TiUMvSY;FQMRto%%XC3|>DjLz-yPESSASl3fxc5MOZ(`Vgueba
zRvV){_b(@CIihlY3km$NE<jc5P#d4F7MDR(pRgI-K^Q#@JwNsFu+eiP&gjpV>r4Ly
zUa6-`P~^hLU9`TV1@TttPoA)N1WFfqAT{mu)wJZoM=k$EM0U1r_8VHGdC^nr!Q%JL
zAL43SNu7U5HBWwP@Hn$vk5Lu)DdL-M>|=ULYCzOTF7bShJatpc>#@L*oB5qP%6<+x
zS%w#OzW?#`ZrLRCgrenAI`HvRPG;VZ-zp!h=QKuA0{$S5deB!dJ2#DgaLqV%{7<~X
zp^I(J7j#Nbw3r24i_;c!+qu7n5*;T}zusN=MDNC%gO(|aj7>~TvMZq0R%ZtXhtk8x
z6rZ;(UzwRTqio1dsdj$B=jC2CMmr1{QD<Idk9#i5T5+iP_^L2v(;ckg*9PHHf5_VD
zA9lZLQ|wyAM&+K7)|Z}smcZU!F_t*IIop7_^fPhhy=+X+rQtVKkxViveP*kHuUT|Y
z`OFQB^ES^<0<yuN(cxF@bo|%gi~i8xb1O2>wV?;PdmkM*^RTG+oJ`MYo82vhtrbhg
zp5+~8=Ix8uM%HpEy&_Z9rl3T6$>&#Wx1n~-A{4K(>Vh%JlOB|QG^@DS#N0IZ8#&~N
zz1a%e_o;W1OQ$(Z=%U8-HcoZ8?VlO8Tf%}_4%5euH7}1mlAh==n5yQ$_p$5GJmstz
zGtrtzevY@*=U;UlTul4zpwz)RXL6M%n_mTyBK7RTveJFl`Ui4Qr6%>b>w_^N3K@l@
z%ttiBc~J-pIJzsZ*kq<1(rUYNS(Sd))9ux+3h3}j)4T7t2y*NRs~27WyW$8%>i~4A
zLcBFn<t-}-#^eKsUyglMYjx&5qvCsSZmqABq8WS)-zBqFX`5%!-TO|8o7*CG9=U#a
zr|ivy>csu(*FVK1kgQHMzSi-(da~0sW>M0IOZ<j<TSfOxy{9)(A1Hf;Z7wTP%2s}F
zRJ(bGuc=v2Bjz&Mq;wxQYB1&1s~wI$sZ+UO6-z|E+~vGX!K8)?Zg}w>e_dIOhkwzh
zbEm(ONzGpER6PIVqrX#>jE8ZI&I@s(m3~{MU770U!!8V|+4rITSjwEMm02db1I=4e
zDk#F2_IA_}N1FaM6a1!DchN!x3a3+Bj->_BCbX@YX-DC2)Qp)71{zQ3xh?B^<Him4
zV(4?k;7q8G6BL1$7JcP)P;G}THlsC1GsT1;7>bh9M#&P_OqN{YcD;Ld{KZ%Anp}4+
z@Y^W(`A0APqXwhU%-A@z^Ud|gT(4T|{PB`Nj%#2b|JVp&-e34-_DkTO2f>dMu9eI=
z5pa6a>qC87TG|93R8<4TYf6K7n>b1JJvUcw{t#by>IcuJ&0TAa=#zh%o_=Um<a-^s
zpS{^8&DqV3PD{&kEAvqwr>`P{ir{_V*BP{ea8w!F?OaDtqusA)P=4%a?x$mkYxpUN
zCLJv;ffJ(xIX=lp=-^j838#MO;zPBxv_|>Ml#{)rX9BqN`DaT%A(PzQS9|Y4)^^)-
zqsyezTU)<;5kNh+tH}c+J-0Xf?5<6~VzCsoci$z=yN|{y2HPVCe_dAovWSF%KW#4N
z2`+?Oym&DnKu;4>L|aAVfU4BT2&Ewt`WT$&nKOW28vDZN%g{LDM5eA*pYbp9%xGt6
z=&~JOrST|b@wMH_2EO{q^{1TZ1<8AzxOeDkDDnWN2bJesxLrp_XC`aH^sc2pdDoA8
znvC2k5w!$n=@|zc6F<B>XNFxovnAdN6rrm}rKuU%`ejVi85fYcbZv=M0!&)eAg`H>
zNziuFir=JeOL4zzt;&MJV>L#VAN2lEunYS&qcZF6G22BS+UGPqQZ<i@Cf1jx+19XG
zELMV+OYrn$P$d0Wnq_UGftp!MJ19rQ*-fmv&2cFUrJ_korKRiZv@=Z(P8kUj8Yaq!
z9nH31OLtHGibYS_cy;*gNI(7j{i=IeYPR+nFAw+`nVE$Qe5D*qbga_vK1*)as5Ubv
z2yT5QYsO<x-(6@uTkMPL3z$r%is_~EJ#~qINA9bWZJWCP-1E30>+FM9oD(B0rB(pw
z82)j9(T;w_`tZjs#%;gG{8pBC(rHI@mV!xfP4Vb~&=!OEMcXY;_q}_}iT+SGe7dm6
zx1-cH^AIUFH{-*BxI}&Oahkp*W-Dz+8X#QU<B>_is>SWOzRGbb=B|#8j>nIGp=3|g
zsO-fq#?;it)XzNm7*R4t={P^_fcahvh+9e+8wP;+-~TbA2gM~Mc#gP*Dy(Ut;sZZ?
zSZm;Ox{MYR6O)j<_sF@`?AEilTN+c>jC<9p?nQm~Quri&t;afuwrsdoBW~hnZv$Y4
z)<PU6C@ARMxo1EP9-b+G`<C0+pEWkFjT_lB&pPut)Id4A`{RsYb7*L6weJ{{{(qa)
z{P!x!bvrTHo;fsadei-*D0}Eof>ne0<j0QYW+OwxFXwg~wM7O0+(LqQ^{P*jJ#=je
m8LbDni45`&lzHf+KpQ&SwqI}S6bVM-e#=7^xqqFw^1lFiQ<IDU

literal 0
HcmV?d00001

diff --git a/docs/img/vnet/start-vnet.png b/docs/img/vnet/start-vnet.png
new file mode 100644
index 0000000000000000000000000000000000000000..81d03e073624b56f648ef52ccf38c1e0f4f864b6
GIT binary patch
literal 205539
zcmaI71yodR_XmoiASDeFqSB3Y4}x?J-67rGFo4n_AT2rcNOyNPBi#+sG33w}Uwz;E
z{nuUVp0${@=A3zUKYQ=9e-EJw@)8)R#Ha`e2pCe5qDlw|C_fMoo@cyx`gjL`nOTH@
zfX;65@uPx;kr4ud`&@CNhl=tvLC@vum~S7x3x5cD5A+Ke>ci?lXT$XS5kUFjZP#}!
zmDJHO)G19-`yb}`U0IW;k`5xpT6AHRF6N{P`4fitW}B~HWB`|M){D<wr|K^gkM>W~
zyhoZfxd}gfY>$@|t)u?%rA{Fki=ZnxE@33g1@ZaW=STp7PP%MIWOz6dp8pohS~q?h
zLbn*?2@8B#B%I|N455stOA|y?iU0#57&8FLnVw}xf3xMSRA6hf!rqfs{1Re?%p=iX
zjF_6caq7=2g+khO`9x)+PRHWqXHS+fO|d4@jqJ?O8L=V4Fl=P<3l`e%BN9zm<*x^#
z-;y0)4qSK9Y%L2^iVM^)q+*llgtMvm1+s;P@RQsxE541vgc^h=Yn5;a7<?K=n7O;%
zQA8{Xg2(ePP!p7MA;_a%g~Szs88Crrzt&v^h-hAy1J+R36b-w+rMGP%Nxb6{Ph}$L
z7RB6*Ge-M}?8t$wj*3PRgGKVT1iw!NC)hDk8bX5(^`g=qFu>f2s#6k`e!x7rHLe*0
z{~W;=MZdxw>8_W`4<QQi4-cSY4VlF5?K{EE4sv7*bK+&~<W=$zVKZdtQu@NfD7gbv
zF_!s=8+77^-xoA3Pdbb*-h~be>{!UL-_*mt^jK)W#=yEn?b_ckc=N?t>Fihw?ze)q
zIVXkxg@;!$KNcybBjeeo#+Wd9SUB03|Ff*JCyP%VVv1-T+^rSgHSosY8|UY|XO_~W
z(Twkn_^Leh@i5SQ<-_~350P2~vcUpau4f$Q2v$F6@ao<Ml45<1RU#sa=9{4q?-ivD
zYQ;kNz{SRFo<T?_Ch7Z-#Fv30!Ld1tQW5X%&wO=^;P6EB%M0&BOukSFddV+0lGr|q
z*o2&9TK+FMCmz7(*yq_D;?if|$ls(#=dz|sVPqmHcjjlRc#Vae(RlZpJEMyZ$Dffm
z2T#LT!6%=`r0QkrWfc`lfVc^gLWPdxwBLNUf8HB=HwfimoH*0?OA2j7rb>B_y-1bh
z=D<ur|G?fz5znr|T>z^TytRJ*ru3&h*<xVixWp*pjw?7y#ZAHO&9C<6duQLcYEz7(
zOUdW@BhV}3%d2hDa}R15Mmd;AjFe&ot5_7bEQCUoeN>)QM8L5ZLvJxPdKL$1uOE5z
zSnzZc|ILC_l1#Hq?I6F2e&#2&cNr_Pi9-pfPL61r)@NN<W#nA~Tda)ggz9dezieTm
z_f*2$w@~wz?-jLgkv}g--{0SZg)E~b5PZ&_eImX6G3)WfJpXAbpf6S?JdPNJmbMK6
z<LC2_@1M(*ecW?+j(HsT;l&rpkU&aF|NI}<I<z0op#k+}FQhX`)jIfo_%W4XSgs<^
zAj|zk?Oh?{LEBnoTR?d3+-|fTNO(-p`JT9^%lZAsA@s@~QdadLw9{UZGIPc!GM#MY
zq_SW8%j;(hi%7L2R1LJt`SvCD-@2mn`@0xUm-B0IUtnG!(b#k95OTNM9GBM-j`U<7
zQ-V;_{h@8)Fe<oX6HaNn+j<0?^_J0xNPQ&=26*~HRRsK=CiMl2-^VVT9Z{}#RKIXd
zM4u~u<iKLu=F_Ld6UBrj=fv<)hC7S6+4CgHp7arIfE<Z5#in8+Hc(E;J%abCgcQEx
z8HG`F2jd7QiS}m><-{q`)AG|I)6$IE<%gg6N$2h=+vKNj*M1it&K}8R&bG}u%p}Wo
zRXS3<G3Q8rHyr&-B0Sf@BCtwn4r$JI4twso7U4mBSV34)SfTU}>4q?kT+v(+lf(go
zcr<!U)ul1cohj!xo{VWgu$;c|vb<d;INNP>nXT$o4Z4sx4n<UXh+@C_r&QwwV*zDV
z)oO)vwFq_m0%nzBmBm6&t@FrTD^43uWX?#fpky7J`Z@XPY|H7%bk-zU64STrX_|dH
zBSl7JW=p0mO4EvNYEcSXg)9oCYIZ8E8TX?8B?iUqQ{M{|ixe}<_19Cyqo{Sq#bdMk
zCsRu`i#-%h3rxWYkyAXy8pThGO|%-TM$84r@+{`fgUwH?6V2_$0VUqR;Gg9atJ}xU
z1bf!gy!qp~GLzMl5kH5=nWpcAYd_Yi1GS-YEMj&Edeuws1Oow?cG+(-S;q7;TY(Q@
z_bH0h*)!SCvJ)aLU%41e$oP*UeL;Ha&*m?Pl!&qPssjBZ`YDDw5f{-C8+ioj*R=>!
zVjC_#iwSlux2hxarR|E*8}SF*uO$4hXkI~CmrNII7t9PTaZJfsXFoYE<n*d6bNu9h
zIv4L4jN7umX7^>!oYktNF!ilC)38nmQSIkz-{s`y!sJd&vEw{??`vgX6>Y6(Sl+vq
zK-D=m$Tsg-Y?5M98lN;NT3D}kuGXqOUff*dR6MN>uJExivWm4lt(J=&rqD*5e=%=3
z?>V31D%*(ANaV`tnz)~Tp?7h0k+KivUwL`>vi{}d%Pmp|2~3I1b?V*`);QKBqb?)M
z9vv4YCqsUG-bwyNhbgy6S7rxWM<2E+OY7?yRU=@;-OAb_x#R4iqfzQbU7rKhx>nEK
z`tHhrQ?Y9^M>;RS`PL6Mybf;QZ9rMzYSeX_b^veRS9_)0cwquD^CkQxY9aAvd0XPp
zLcIn(2fe{2c`xNA|0Y8BTF=%C*fHJN?AB>*X{=q#5%aPHt~JdIYHP4P6xtEBS33z@
zg`Pmq9!B)BKasUz{6MKAF(>N7T)>8Zvw@Bn9hnNDIHJTLy?)`@4_h5tC&i%l>+~D+
z;}@y=81u0}#5Pzf;8(y@@I_F4@GuHLu{=r?sy@CCX9uMpp(5cZ$qo@O%ZX^5mWrW@
z>crw>NLe@!ih>L`x;Sy|dNg`NjFJuCagn>q?HBXR*AY1g^(wEguNAJpq5LZIJ;k10
zk;Xx5t)z=kN?3{^#+GuPYA|+Qi9?A^X;(=v4+&BtuPRH-Z?Tk9X(4XWQT5AN%TxL~
z@~ox*UF@{n;eb7qcDRnM+jXFb&Mc2u4qr}?L(YiUZSG!H+SKw_$&lNEhAl=d3j?{8
zks3=>r#94U2y>%!(+%zRS>bcc%DW16Gob<4pl0lN8p${9=y{5b7li@9(~i@cjpm`K
z;pL=d7HRwgIt98uMjqNJf~|0%EO#2f$`jJ1s6?+gbevRfD_+VW-S9D}Kd&zt&1Lk>
zoojvCEyGnB`9s!jmO8t#=^;3mQ%0cByQXtLxAF}^FoCa7aB64DIM+1jFst6}SNWDr
zTGTK!dAX*|u|4LwE?OtS6tf}Yfc}|ws7(KE%vQKEVJ#!8W`%u!b7@CQ0gEb2e1hKH
z+~pqA^0(y|tvecgK086VZwBBdtqF~B>T#{wJ=zz0wd*a#w>7>V7blVUWDH!TIVE_d
zO%?Q?R1YkRC%X%eij(T{9GI+ZX6Lr{@{0MDSJlc*1dW<O%~@;>6(0VRLGdI@s+(%M
zB`*t>Do5Sd$0As`Vcfbiq;>TM;r$6GOm;1}K5jNvGgCdpDam0r6E<S=WY)l0pIxug
zqdnJG2eivDABa07i!1X&G|fzRk$GL0VHf7<;eC1db#cr0#eHUdd%nRQ*`45~mq97$
z2rOiJ?{1<$(Nc4#cSGV+ac{ByBn{CdLSucuXDM%iTFgnyX{)`@--fA$3E9W>-ovcW
z!|ME9^GAl4>@Qh(7kqQzlFN$yqv=Mxy@%CuR*epzF_;X^8qhiQE1$=8;!piZupyYw
zaqh@@j|j|;?0bG)y;IaX+v9q9f!JFA;F{5yoefLfs{eJmw582Q<4o3qWxqPpy%OH4
z6ISPZ;W)H8!qBf?qB~qyP}kFXvE8tJJ-!_7<LhO#DmO4(p`BbyZ%eXVa@BbsC5VdI
zoyp(sHg`n5)a(%Db_DaDy>ru*A$$KuMS#Og<FfBu(aO#I@=A#2VfI|(1a1S|(bw{|
z0U2IyKw1$WY>(0==Fe5Gs~*56P;~GC=<uScn5E?CBHWMAPCucU4WxQAw|Ab;oo`3h
zl6Dn&QF79Jcawmr_{R2v@a$5iPKg=)*%#vUG>l`YJc23l=MfKto{jd)k0zf!M_}D@
zlYxR&f{;J>Gk*YKB5cvOEgc|m_32X}zKulrwt)eM!zgTMk(T)5MJJ!ZneV;Tgb8kg
z6<T6_if+Q$(d!!8x3+wrxFh=`3a3s9JibMs*h^|UAs`S?{r-C*r9^p*fJmSwB`U1q
zKDWOp1H@H))dTavm>LKRC{`%Tc$+~TM=kwjB9uJn8SNQYyu7xpZD<*}0V4G)4Qv;=
zPZ)2$c-iT6h#ix_+fY8Pb)?07d+3jftyR9}__7(xzD}3$k}{EH1Fc&m^GCe`WB-zm
zJmF>OW${6p-LkK&EXdLtq^73!>)f-kq2c=a1}8LNJ!fpk*_D!?kB^Ou%hEg|D$2rs
zNB7SBr_1HQu#eYfl(60RWo|GP7<AH4^Z)m8q}g&ID;}R6D@%=x+?il<1p>s!$jQmY
z#>O%*Fi1#9Kp+r8LP8<CgkP1F?CiG<nq)4i-Aeh+8HdX2?LN#b#A2PlrY<@<rZXis
z+WmulT7{xRqP`llCk-7R_ZpAMZ@UP%HfKc_a&9!}`8zsM8M-=k=WdSJif|A+2<_>O
z$^))8VuAmEAIlKX<_}AbwCn~6)o=L|Wm*c8nKd@ZPrsa;IL5~e4h{wf2h-5dSbl&)
zp{gEwdU}>W4_lh(0jGg}TENjFT{A(syZVNjgtCLMFx0domD&8GpXx!KhzaM^Sms{$
zO}XXenJq1cu=TmQIpWe<t%AbBf&#K9k74lVYSaIr!GV!oAdVjiOrIzOSzB1xTAda~
zs?g<Ivc*fARL&~Us%UEN@Qn2I1X;?bopUrMT+3Id6FZ-c#|~}|7u(8h(h*O1jzE2P
zcCHlE)k{TGxA<KOswyi_HwOtV`OeR8Y5rw~fN+~FuacWnAcY@SK&Ps<8<&?n`q&+J
zcZ;RnsLWdI0$(F=7DEzf^l2L)0-S>vBZpi0JL;u++6nRU`~#>+{`BgT)s7js{}F6^
z$QQD*Z2C>Cpu#zIqS4LnF>FjtO(UbCRDBzwu2c{U7L5+=8yjm&2b3GNp!xY0-k;u*
z)*J*hK&PhE=z;%{LU2>^-4(C%@hvoImZG*1B<H|G9Ud7exZ$7yOn$cfdGcd_LKArK
zi@Mgy>9oCY%IPgZ_;de*;bFO5#Vh~cujhZRItIQU`D+!;cP@+s7{Q&pfW(A^3D1I~
zCMJNYYgiaiQ&)G-=V7U$$ebf<sxotxF6#8zziScfw^VcrS~wQX+}zyk?2fLl8?=Cv
zVAIR*mFbOMUMbr1qvk_fr`_wYi{<@Aep_Niyw3)96t4K;F9|+1Xy9oGSD2g98nS;v
zVHBp6-lcp!*hZ%q6H{l3B4vDPi510A9->3VXcz{(R<obe-%8~u-$VJsdqZL<@!=9+
z^z*Bx6A!6v?fg3IRiW97RqJZ4-ivyj;@)+LVLAM$bjw>HrqJ`RwjNgC+FFP&I9JJn
zEhzv?o&+4eNgo7Foc3saC?7Q!0Jx5Ggkp-wVf^9Ix7rHjkTaZWYP@;>3Y{xO?!~I}
zu4{{i&&~b%!KMl5fM{=fSZ=cE&#ym|(kGT0{<P*wVYMYd4cu`i7MVG^G#i}sEZ6b5
zzRguD6cng>q#rTy?*ai9@0$4o&t?E|gyFdW=}T5niSOOLa=waZvtEKp_1w*jBnH}F
zQ4Yq;hLSZC&TsB4s~cvmT^n`L!FymR)NTaYxM*AH;p=@jlJi#(fpAUs!Q?dgt+h2n
zu9QHm5k0-Fbx5iDrek3|m6YM)-*D`E7&A+zE}qiAI9TDfpp8W2@trbEW6QV@Uaj8y
zME+7w+rLkKNtPq2E_yrRAj5x07q{GC)Hpn-vu)6Ii`?lnD@O{`{^`+ugI<$)pD}W!
z-AO-7>!sJQ%+g>ZN2{7-%!D<UAQa78kXKjJ!}=AHDrdyQ;I1i0Q*Q62<EbwHUc$*?
zGnKS?T`rCJ?wYHKNeRFg%VILlNaA%BysX<xzCyK8SS-1rjq7B1cB50{IzIU(BQ(;$
zTd%KqdYlD!mm(?8e*Pb&SAZ&<<(0~q*49PqA39d|l6#~$h?A1qFYEr;<UO|BdV6cy
zq-FK;QLwyxE6O`m5rufxO;Gq!=y0><hLE(3|7J%<>Ki2ic1A+KTd$pqJu&$xIX8B<
z%E}0{ic31qL-X|-t}M9rNoBUz8xJF0W>d&Q(ASNUVLLX5vQMu~i?XY{w=4Uw#e`T$
zUtLpY_u8-i!~0%2#@WQ{Myy#cML}SMT3;Ym>ged`IdMd7;>9;!U~vgxcF_h&0^2^-
zEnYg1^?4%JACd1PS-Uv`Et0zpM_m?wCN8lW4b|8b3^?wSGL+=TmAF`yk)H8%YYt)F
z8KejKq#4eFcjsoSHzt;J!Asyh-hKydlG=0Z?#M%K{yWMxiPjnZ+7;RYj!20?!VgT~
zq7z|#b$#y+v=@|55Ic=y`XeY~(~~~*y|Nup^>Yk$lzaN@ndp=H&>)#Q>w0?YD$2Ez
z2FxPz@+Oh^HvhhlLpS%0tvl<rf*+4$k!!->5T8kxYkmmO4V)w(dk1eZlIVD453@Hv
zZ_@syBlC-J@^us?AfiX8xNG!0EnX_M!;{Zu6zn1x-G7R9l|~VOCGz6khP?6q4C^=h
zdSyMmi!D5`JE4*9{G8gR&+6?J3%rQtjK;L5Y*p+ya1%`V?w=I_#!4zGFS=(ZI4JN?
zb?Y5-S2_ai$b4^MJL3?FFs2WuX(jARj>WvDTW(=HqG4ue91xd9Bw?(|MpCS%Inqw5
zkG>HlRDs;`!D9CJhXe8)pF`34B&Q?Bb9H5?(eGL^r`F)JKQ`RfXfdX}Ewc<ivhqx5
zb(OyU!yOOYsS2WwMLA`*Yp$m0E!6Y5qWXHd)fKu9KL~68LL`qiC?xf$*Kbk#pE=@&
z;b!4B;O5#Me1*0OT$>vi;f%5xoy=q7?xd)vb<}XhEbI^~#NN@>VSCL?s(5Q}&%XQR
zxx~YSk|ypEB<Iye0N(CE=%Nr0U&GPisnUUVz%^r+HL=}Dq{`EK{H5=-QT!_LsfKPS
z|5|f>2Lhg}G`n1Cwj+vs&2K3>(H~2LHTr2@J`75Fw@_ul`KoAVhj(grw%qf)P(uo+
zPN^gflY&Y85&0eWjsBoQD!Zwy?|ykNvwn-t@#HiinGZa=r$<~A)(I%}7KGARcG(WN
zrrR25L*5DV%B|vcz3<_*X$y=HTlZ^5;Mx}r)Q(@)q<67>y=(z-9~i|3n+G6!Q5b$;
zt!U*B7(_hU3mvP@VqbhMXdsv^WiJ1drlNA}@W9FQ#`yc|e15%wI{?Z*2CN_V*vT~!
z7qwYxl5(?<mgx*9WYMZLJ@1J~n`v`AT;L51#J%k{E0ZdVmXaBC5@A$}>dTSB-5N@2
zcHBgLZ@07%iW`nSgvxQ?_xx1fBNyZJBlnt~iAnU3L8$1$!c)xmwhQbbMH=O#Q30@-
zOk4+n9FN4#;6@XBn*$DTd_d2*CGO)6o8C4T_<9(KHN4<cUCtU>$YrguywqZFb&{Bp
zVzyRW@^Ia!4NVucy1RC9-`oO&gP+_Vg+Gw$=<5eVo3pdMXDigs)?j|#+sS6>MB&Ii
zM(eB7CA$8=g1kH}q1K0v6PD=TTj9}zXAfFIYXRG!jc5sG-3FE8^T)^r9SaXye!y!b
za{_OFP=z;W_e{-p;P!ss@aFTwwV?nk21QVXIs2;e%%G8KY486SE|b1wRBiMUNAl|A
zX=pYWe`Vi8s-;f4-(qqA%`-96*D~W1b?H3h+wxOJ;X@qYlZJ2p*^9>R;ZU0NSIxGI
zTI}MG;5?;az#97uB^<Lj&#gD|pv<s0>JqL`e%k4_YjB+_(29C_v~1>SHe&7P!w#ui
z><C2r*(a?&Z7LXLx;ue|v`ypt*!l_>9S86c;X$n%-s+U!L3SoP-_m(cA(vodU?{mq
zt9n#k2L2KqU?EOs(r(CL^7qyg(bZ)l<8->s{Aic5p!N{BsZaiA>jk_z4j;n?_Xm@C
zZf}8ond^>+yOGJ<5n3^^#q=X9yU==dlQm1N<{NBW@K8|4=@7M2l@)WCFcQtCjAB4w
zfa29z^<~EUZa47_p6?eK(NENU=P-Id^W}qMkcbnIn0qNb2w#+tjUT&B8>S<gw|yS4
zFj4BFA>J0*h0ytUji5(zrPB3M-ri&X<1DtX-DcYJ^v))m6Zx_B){mxYqr~#^<d;1&
zowUQpR}>VA5yoyMlGNzJ{K)k5oXMWF0e+^#>ES3f^-Nk2DL+X(nf_|``BH5|gLG-s
z;TW`Z5h6c4apZNjjXge9Rl|&N;qj%QK$;1{zQ|NX+fDP=3L7u)x#{uD$gx|GT5hai
zS4X8SEnDecjDsS0-n=7YihQ%2$q8wPbT;2aC=$5RV)kYYFQ3L=hSmw@QN+06Z2amD
zjOn72$hX{c|M_ArN!#b8q(Y>v(din>)smaEl|zU88HZ>r4>9HFX)AfW(goL-?38!J
zT3SO#Z~jQ|m;jlzs<0e7OLXnBRCZdty{i2KE(hoVh_YGT=|YlJq(VNaIu*wKhN4x2
zp!JBf^k<?AqZCg$wLs*^c)*aYO9A!|ucuR(C<cahQA<KLUeI599=aT_JekE+373^r
z2A}tzMQS*KFFC`r2{Am%p8!~B^`d0EC84j~4neOe?g$fnL;utQtTk*f!rCbW>_ZRV
zuk>ATnbyS_@J>*!HlZ#a-yYhdhA5l)4SZISZP>usxwF#MYym#pPf6``)L4WQ)kINe
zDx-`%p#r42ciHkt$i^IbGt>YRoPh}8q1p0#aT%{2A|1LGnb}{d?0@h0Pk$wlA-m)&
zwq}c5x_W;+LEK)oXw7c345=nV%xNt(L|1N<z`Si(M&`R9*o>GGG>Wf8sTw~q!>^Dm
zs#&Bm?1OChB5nCN4bqB*33?3iFoN|`Xo%4DY>nM=kYuF$#l7f`ma>4FS!2ufE`#Q@
z*?i6P+s`Jx3e7KRRSLTyH2SzgndR)XT<a6c?{HR5J1z=6aX=b4y)nC6EOZ`RdmSg3
z-~Q&43i1S}jlO81d$^IXmjomPcr_YNv4zX&S_0``vBn-o$$59p9>nU2AdfAfUD8c?
z1@L@W#mdPm<m&WK7X|X(Y0Sl7(qr(7cST*e1)ntAEy6-_?1<CoLeu-t=)QeYDOe$o
zG|~~x=g%vF#OVY6WU-)JcvTS+6PpX?YaWp_#*h+O7?C+n=}c!n5hnN5#XPbcp)_Ow
zC@iSQMiIESMxKU>B4#F<kr0=Dpy+qSyYW34)^{&TDdBpwv{@dCv>}{aLLu?e3?JN(
zbC4%TB6oW}?PiP*{((}&O)#k}T#W>8`i8z+UWv4T7Fz#wOpxwx`FKaE592lLdcnV5
zX)<Lk0qQv&fZyiwnkE)<inDLl$wsF!vC^#31FIrVL_e05R+n(}o_L?>3w;k`ggz<%
zzEdSX+cYjH2XQB-<^L?*h0@U6>Vq}n)ei`hrl*NS@N(T%k%uKqWmNx&>%3c!k>1O8
z^tt*|M~M>FoF41b3*r?h2iaW$9l&4iX*oouz_VzhK$Su6C<tRu@U->jkRJdTqh#5=
zS#uN(Vg}UOF5+1CO2?H?2D-YaKUTAhCrL#W08iF)_cTx_;q)5&M@qEp^QEjh-Oo@N
z^-UYg<kizWJn-MW5W}B0aeygwtDvCE&h#N)I|K-q5mqgYSDuvbk4#UXp;CcUse+HP
zA1;Jn4UAK;Erz6qVc>UAGwXJoW1bR#r+PO_T8ly+R{66n_GZn_AQ`Bu1-o@qz5jAR
z2f}9O8t~e6zVmU${nja~n=FTzoU9g7oiuc$Y(#*s?{cor^wcGJ{pVe33-*}O9rB)G
zhv)M=xx&%rAA*Hm<tce)-md#I=~qMdYn3&w$)Vvj6Km|tP_**^muLD2VZgt=Q+?o?
z)5H(OW#0$y_O8%aRMf)?#(*`CgoeOTyiFq9=uqYOO*$$Ys;nqh3uH!@`Pann{gkEW
z=uyHbj3M556Nl+zR0&nBUefouwlcbbL~@pmvs;IU7JlCLsahd<Kw&1CMVvo*T%a4`
zb|ZzyI4OCjYGH)j`xvd(IM`mEIKx?DXfB-U(A!4WX1Y%2b9LR2Nr`7j$4-ElS2wnv
zNPVt38a9aX(NIgSjtLUuU8O3|sIhq_!0BC+090RJU*f;6s<vk0z-`%E9gB_u^Bc^g
zphh+)Z;zh|iUdBS3%PqIs?C`8DopAz_%3VZi33{q@yA1hyh$a&<kReH*Ya3I+Y#TN
zDV#|o3jdR$TxA`k7uE8-X+9r4+rknR_0K?O?^{8Y?O^#gLo0!@P6~R<uh#IvPpDzb
zoj9KeWydF{Y6jSaT+dXzlswax!&#W?z1J!qTM#6x{@vIT)G`w~KU%02IZM-V6I4my
zd?L118}zufHm=T@3p}GH&8u|UI+a0xj3y%4vUYlZb5z@HX0(3h=ht)z-w%<!S1p*^
z-H<0$7PpZG(E3f;WeJIeWUYRc$e~b*Im))v)1hS^=S(vfrA)zvyfo0=a{U=8iY03F
zlQScQ5ZHIwqO29J6HYgq`Zg>(u3QW&BF7t5R$)xgq|DpqNA>sr$u9w=WAcj9#SLF=
ztz}12XP*%h8~#bbHKono{zRA-kW(}>Xu8R-Y2iBtMK>xO*rzqzsEFjM7uN`@1^92<
z3U{7tZkl+ur3*GvMRIbtBO+f6il-y=$9+pohy78!#(HNgH?&;ARQNFw<q|%aq7AkR
z{|(Q6dH~GsF|#iF+}N~-%V<Z#LY+iUzh@mM$;h2sG|n2<^QMI*d?zXI@^8pN)=$=a
z!$O*Pluc8Z-g2R*(Uix)Mp3ZB^dSq<l@=m}D3;Cbw_e>UC#Ul3&dC9E{ym6&vu180
z&?eWRM2Sd20Xz68fFOPefL`W5mE`z8epUo|rp-PU;KBm>=!W3rLaV7FE|@<uW}Bl)
z81z$Y$jrF2i;Z5LeR~-GprWyAFKg5grv49I;**yKN9kV7E^zzW&^P?9cqB@{m;nY)
z&YP!7^^qqDQLpfuk~j;+^q)%H%vot~jimW=Yqi{N;?hL!EvXb}mRLR}9uG~tuid8L
zy6i|6jrR`^ZvluPJq@$a7bM)SYXp;%s(l`l;h60^jb%lYqJLj5^k685&6j%GAhNw3
z6op*^(jTZYRN8g2TQlFNi$$0knP71#Fchs7>4TLoyY^)eUo#unk);IC0#owiHpX7D
zV8pZTSE*|!pDrV+gc#~mY<(bX8802WpgSQ%I-wNITij9q6uxf;i~s{HgW{i?hynUj
zU!e%G=H**JGc)9>6dff+?1LTNU+nOWe%zSM?~U*-q=fBZm9my_UgEs*E!H!>aL#Au
z)-z>GzPB|trJ>c$i;tb%R^X6|l-BtZoHJi$#s{1~uP5&)t$NISeSO;#_3!r%8;@ST
z1(1aIfPoV;Vz$aZla@B*8{a|bLN##WoS~=v$vs&P?dd+^!{6@@zpe97AW~Q2CXd?&
zP%Yx3&s-}LW0U4C`tk$}`Y*bP9LzMNE3qbHrNRKO<P=k4U~~>QKjz0&eFgjmuZI72
z>#xFrpZ7n;7jK(v4&Vd4KuF(3!v!a#ySct4t!M7#P!=s2;?}2oejRB_1vFzDo#22G
zY&rFXf+2HN7TK-Ob!v(xHGu0cy-VimPtVJZHVKz)2*HoN76Kg_r<Er=A;#dErpA8>
z879GXM#^f~)g4ZVc7Jt6X#N}voWaDgW9h^fudLcwJ&{k!)cduk>$9FrxBaSu-lyRv
z7&ibt<)kKNfo>l3@*;1Z`bN2mHfWLOwVt5et-_)9iHN}(Zsj-)2*N=hQ;|rsEi)*O
zGEfGm8I8FLyq){gW;;SEop-|dB9z=LFcK_kTn{{zRg#u^loCZSI6~F;@$vCXbQ_WA
zQX0M&EV(N+0@+(Hd@CAr#0ORIOwP-{)2g6dg*Aph-`_TuSa>5TXZ&$jdz(oB=IUAI
z8vOp};^NUROtR71N}JQ?wk~B>j`I61^PuHVnZ&`HwSy{LjAM_aYOQL^&CzTL0UzRJ
zW=2Wo$21`NHw}zxs5ML!GXaDiZo?I`#ieN5bkd@6>Y!DN0sFF{$oN>;G`la|nO!;Y
ze~%r4OQ>*dQ(diQE`oILh-w_>{F}2xC=f3`kCB*l=*rlB@lGAnisP}`8!`q<U3Mu#
ze8dlw%~F6f3g|slw<CY-aRSLIv+wYoX#^8eb?`*4>!r0nNE*4s$2n{zMq1?`{P-!J
zeo~=uxnCxXE$rJSQkJOu!Z6&Be<RMz0i%2b4ej-u^1}yx5Bps#H7;hxn;^o@+k4no
zvLMXmEeBnQ5=_>KDPCIKE9MG6f~_YfAgwzq)AG$$pYd3v(cqN~6?bCzex;c0hh4UZ
z9jrk%s?dFBTbY-0wzbyt*X!>bQ9NY(sRc_JF&QkjyFGUtJ00gMDoM%hc8^FBgb05R
zxo%y*0(GZpVx_F#^GH+Tpdo_`4o~Y;RoC4{qy^&j*P!wr38GS_Rf^3hb3jgWTL(q4
z+DSg@r)&1~Md!CoR%ee-@K6`6ZI;yx%ry4s#x-B;_DgH7Uk+A#7yhI=|2?P1inwa0
z!T4tYTvufT+HC-kMHvYn3;*gUu_YWIDcM&UicLA!^sUK)6`xk3EyNCA%Xh~tlHZS%
z=A{eud3)CrT(~kQb7p5L%u@0X5luU-!T<*cw>>24PvuvU>F?3wZJS)u4g}W!nKHkH
z|1%u_l-~~7-E}1f`H+&{`5x!P3mGsEI>PrxAg1Tel@6YT083R9MYVyvO+nze3}9}6
zRG|LaWSYmzB)z#N2j^_X;vP0-IVi(?)Ub2T(CsyQ!k%4Yc5}24@v*kXtUt?vJ5dh^
z<41f{@Wb&xBk?xgXJD8+h=aKM`tHLxM|D`<Z_wm(c!$Hj-cifg!BVF1<97svL{9h_
zryR-4;PT76xAK41KHi46kED?@pd%{cO)4qjQd~P2iu)(Y$-XHK5mtrl8N+tD5Y99~
zQ(B2@P6GPm9sjO7%dI}QgX@GrmC(WekVp6s)oms^becMn*#Ga3oVV=i)ubQ6tk%^^
z&d$H+%Fl?YgeIqIt>)z;j&v4Yv+jTIFBZ=0!|H`dW$22D0Dpj=&-X!4tvvzgjyo}h
z2<$HcaK-}??^=gRLLAO^3I6cjc7WgN(QRIV@)qwEtj_<tT?Gd<>sibkHZ?r|^TTUK
zz%=jH&0Ts;qqivSzg*<Qq4Ng`T%8$ze29Q>{Tfg@Z8e8JpIW*0cWA!t3{TD50XN^6
zIT(g_A_y#|I#J)C*t)DHs56RMmCuWCM@YRJuzW|L1xJoyVq~<o!LxqW`Z@j++w8Eh
zTcx(<RkT1Q!(2#R$iSDaO_ZS|S<d%gj!#m?k6=kkb4yEVpubp!2|k$DMfb9M%dnip
zsL4J?TJ(RfoNqcj{h!|R001R(-L~T#Dbt6xdd)Y`*2F&+LkRoEFv8g5?(D2meL(&O
zLt?ymbffh_;*a_WVtq_o_D#4V+xjjy23$b8O&7r4)Zb^%@xim7-fNUjPlA@X<k(5&
zf~fyBkYj39>UiAP>Z$=}%J9b*cloeL?cX8zc*SwTh(vgJcz!ruB`FP9;r<&94&7Ui
z<3b_Wtc$Mh^u@o1MP&p$&M@xo9>EN)+_?RJT^gqjiiFVRw!rrrnBQzxhyDe-GTwH=
z5<{VrmXm~F)}E&SO!S<0@n>bpUddiTb8~Z^MG(b*T&3iD`IV*h!=SI$6aJ%8rM_s&
z+Oz3+<+A3)M#}K7QZdwk(*U!ttcmHW^ELlT7?uhrl~a=ThSlpZr{pPu(!0;!*!%v`
zbp_goZ$==Z!APJ_1Av4<D=*TB75+Se4|Z?4)AaCwp@p}Pi}Ftd++e@%f?1ZDyj$nJ
zb>8?6oCxdvioIeu{~PYN{h`oTMnW*&lwl?5Feo_nq{->%>agO7zm>r^p5^@=%54Kf
z3a0IXkL$x|c<*>(+ff3z`nGFxYlP*I<%%yBLY#>e$CVnW#)d>h0dz0BcV)aaY0-Xl
za^46VhHSAc@-?%)*)Rdr-w!P{H%n^vI3Vat>*zk9myQt(zpS#QsqlLoyccxk)ti(g
zsD;%?<2fsZe2pZ)cgJ?dC+qn*8twP;g^Ob1sJAojs93GH*_-*GR9!O;vkP6JV@-S0
z<;yfTeGr-Zufd~B*;}sQe!!PXt~$f<nJGfXwhRWgYc{0eM@c`sU?Hd!uCcqM_eQ-T
z1l1_+X*v#Lq+H6osQIWyDqf<brlr{WRu%D)%~Y9n+eGDjsWE%{`dfJdcA|qi(kJmO
zqDLZSFQ0yv?n44g@#4Cf`a(UAub^b$b+TcVe6t69tMQ&1*7H=r%}_h9*ab?J_Kqq6
zi5vRC8OLua2Hp?3bNmk0DPe^7r^Tt}E{&hs{XDzPI-tt<U@H|6my96cw9RZysdJsp
zCTi}MjeHW1`Xd?oW)oww_aCQjiK0v&m$&h~Kqwg7<#I495cG;96Xa8b@iN01<$;2P
z%zEdCU$iQQtT$!{@EtW?j?kewd8V!4@>G)8EoxnBd*c0c$(>df&;3so6%h4dQEh|V
zq?x7AX@VdCA}zSS4&C*(P1LC_i4Wf>BTZFy%-Y8_AMM*7*ZgGch7t9&ftiAJoi%$5
z{ZSYV<R=Q<-}ass!T0y}WU9@ep|~`jUS6kK#~z-s^MMd_n!c}7EUJ;v(DQN5rsrB^
zCO0ygpU(8_r?Nkn3`!2U5B>PpCPR{iBOOIA0lnk97c=EX=W4Z~A5QuBd>O(MB60wZ
zvu)d({+Dj^+jN5xiFa1su<k@5(CH!&k=uF*qgENlE1-IzxhgT;vS4h>$!$&TXJPDu
zosKy4<DCW4qo76p2;X55GU2P^MGbGYViQ)Jh7Y^a@-Oyz9XBK`TvBTJJa7{ko3|>y
zoX5`2pko4-y&gKBfiLZrQYf6}>#x)<;Hg~jqWf$seGg}9>aqrekN+3|Zu#^x0jG@`
zUtp&Bh0kf1<<v8<TQM2Xf8Mij{?^$i3X1nYg;XfLOT-U$r)b~eN4AWG$SSwO=ThEK
z!WSxRmN_0`vt*)5ZsL6WCZE5G`NzfTxCm9G9$fwWrDUM}Lw^0mx{IGB!L5s@aA>K(
z`Mfst?rJ2xmHeS^uqjD@^D}9Je+p$rqI|NL7bqbNI(AoMRGlu>T7VCFS@Mcu(e}+O
z>|{ezE}W3tdP)1p>1L<@p5f4j32yx`stRrZ{vT!XITPGp5_)W1XzRN>chay3U0FRH
zso982{XXs#-H*nVr>?rZ&facTthPrqfA%w#*NIOPmgED$M*|qGv@p$IQo*f<0H?tm
za)L(A`&T<w!P$k6+6meXYkqQh5|r~h^o}Q=Ary<I50=ihT(!*Y0Uy#|oRV&m*Q+q|
zSgk?#e`(SKln-VrfB5c*5$ftJ?P|o%(?0|6J>Y_RVxdiGE0t$W!#?2YrCWuaxrU7b
zm)Yq`=emg3jrvw&AL{!bkDQ%tb2L3KMEj>R`DF0)ePdBrPv2?7p4-99nd;NQ2VLfr
zaBgbN&2a`T7_Zymg6DDlb$YbC8i<-AwY_~SZZq9MQ+C4J2ex_H4+t-9y<?R!Q{-ES
zj1)|qs2pCYypvG(zH%DU|34bZp$R7HU9C(Z1EfVf^foC@gyWg-WV?uFXCKYgNd|t6
z0!YO8I<m0hbd}@})$m#GNdq?BFWtOJ&=uPA*fOJ87F6(ZpAWxFjAGQ`;2;9kEF9GQ
z<z)DOIAP>(9S3Bt#@}2Dol5xizwATaT&J!q9xwq@ZKiVD=?TIGoVS18UY(v^mrSm|
zhVN7A;bQ`fbh9bbB1ZI&lWtN?WR3rq;^&FV^5%mqs!Q8>xW`G~%fVp13gaA48#|ff
zdeg^q6?Tu_=5;^*<Oi+jg{&wa)4`wpweDjA_!%+bWPUvN+N;-B3Vjy;YJ1^>Z8qyo
zkwW2oXE5gDiLcVq(w5%GGDUX*|Jt*{o`(h?L<2kr|0lp>Qq5?dI88_aFFsgX*v)g+
ze_0T(u7HNdIjQdo;CfDJFXrtW3{3h~y15lA>Nt@0HqRTxsw+14Csc6Gd^V)5dd9&W
zWNIWmW=n!I=RPWu(k3n)o+tf`<yrLSkSsqv%GuADD~RNxVqGN9&y|+_LRdcd!UAF)
zbbCW*U7)_VK~deZ<DR77zs#~cu;XKR;{b3wAVpN51k1WzI@qoh{8`)h^ERsf*N?G_
zfbd2R0b#Pzt@oWv?}xL)@2nF5RY9u6K{`)nAgI9&#0E?9tko`Mv?9Hv1mOUlq%$Kh
zOCA2R5^nw!;YWJmWF=(Fce5ws>`XSr91H-})Yh^9L28AnR0>P5BrE{#90a~Wq)h&Q
zSAS5$=L-(kHSrFZIRVa8Ar*`6t+qcykZqkFKd>jkW3te`3<$m0>EX|&)k=r!=;&;`
z2D`X6$}Ix8eUeH%aR4Y_1Rx<oBBk4JS=#C%OM|)W?l{|`=Bnt6Bam?s-oMimMC%5d
z(gX2{5px1v@PfT>(D^_w<>}l?f`Hzo*#Xd;OyDwLvw5{L&SxR^xW5=<W#{Qi%*M;#
z6laLf&~FjBi@*IQ_5N_D0D^b@aD9-6V^mfpz%*9us{G@i((d>m6xh73yo?JlT4h(g
zaR#l(7NiFNJ81sL!tVil7HjO>#j%f+%F6p~GFvCO3+rC-Fe%AkcywxCia>RkA=~u^
z1_qhM#d6Ce7+|4<2Y#o+fkm&V`!vA2VLNd3^Rx8=n$_52lw;>7_EL_>za>O>;9m#=
z?rr?Gnzf_$0vi|q9r^8XzL;hHJ3IHi9{$s-TSs`2T46GL!Nh)ToCeDCdKBgo1U)-Y
z9#egkaTWJ}^eyW@fMiUbe0us8F-YR#by^zqn7Y>YtDdSFhwwjg+PE+bq%o|X4tJS}
z1zQIK-|#QnfUj%8Mcz|#>HU+j$B%L4-hfa?S^rN98-&+55cGHe$kOBelTV9<GwMja
zf@pV(%W8Od7^8mcBuhbDuzVC?AW#g7ae8`6unf!BwXqTxaOuMQyes*Ut0{g&tAEvL
z#sB|9xn|p6_~V;Ki)w-I2wyPSmKq;K1%a)r))TqHKz+f*(1EEsvj@V!H`Kj$v#4OL
zvV`JpWS+D9S^2<`_+s008C>wM4v1YUXUcL<Fd*gq<xY3!)`ti=xgY5j_cmWhWO9>^
zQN9WO8|9ycXTee{?ayA+dtRqQntD<42Lo3Fa80}yoc1nS<8g*ZD>_N9Ro3EY!#ECh
z9{X48K<MRj`PZ=ClsQ1N#*wUK`dG5^7Q`q;R4V>|2_yV=XNK)BSxvz^2Bz_Gs2M-z
zP3eAwSLB1^s3Cl!!k^^&Y}LuW)NyNJL5C4E2ZrOh{luW)s_~XK6GUkqw>rqTQaU+1
z_<zOKh%K$TZK|~MJADj~4{%D*)7d<(9TGF8^E08Qi&FGjU>er2ci4R-5y|C*P}G61
zEi1@!_P(@?wd|OV;RvpB`*^s_wG%>Y*3s@l620+scg)mpDxEJatS23p<z8I1gXY7<
zqlY`M*7>+F<Ad&J-HtbgRx3BlcMR1vk=cK3?8wN}z6t5(-#YHQ&*jIoUG#8YJ+Ud_
zeC${E1EDs{clUCa<|k0=2OrE;TsXR0b;JYUDtO%2AtvG#R=0>chL;<erF)Ek&&p<d
zXm701w746X_zhpH8+2?n-;8g`UaJWWyvCq0crd4{i2=UG7mKbx&Yw|ZccZ<Z=Xj_W
z$%t+6o{Gw#i!sAmW%o{(eek6QJq-YUmSOuLbO`OIn6_K+9bQV3kWe)9O7#`x-A!V5
zN<Uq4SW0nArJ+AoP%tJTh?a|c&1!7`oQWxWfub!Uf>ZM>=F?lO4nv#@7HgDu{Lyk;
zCZ-EfJR_giU;3fazdwx-YF1WLB}{Xs+1Ul%fX-CzcBj%g(yq^%3B~0kJT~*=3tiu~
zS<R%mNT$t=;cHvF9nX5;J6egu8Gn_M{Dyu*rbB?OyjFws@&z=e@C5CLcc))j(Gn@u
zRKVhGqwBr{Og}h?e+u4M9Sb{nh*s<{8{)E+;|*!YeSk@YFunifVAwSmKZT-az&}-w
zk*v2Xj!RU#-*M`%c6Y7bYGvRq2yb09{kqspbrMG67VLl7W?4JnNDi&6nXu8*OF!s>
zgw%REr*$bQ=J+vOkBfNB$$-c|AU^`*kNDKF`WSPg)#4HjD;>}|nJ$Uf<VTq_Y<8oo
zIgX0^IXI;0UOnG_*`SP^KG2TwH(my_h3)X$P?5#aW#>~DSdCl|zt<)~)XooY=O*Mo
z|DG3-F91SXx8lwj4EYRIu`DiHa5M$s7%E?eTIgYw_BM<#6&ZlGdk@FH$(T(pctO3H
z81<uWmz80eZ|be0c-&L{AgYaG{y+`+ZTYjy2~$wej0`Bur!W>C_ulGqr|Ai2d|C}I
zIP%&}=@C<TM2dW=Y|0z=n;ac1Xc4r_YKh65J9~;!Z&3woqQ$68XvjP#g4Zf7c4ll&
zWTZTJpU1O5o#G4@I+{$Ii&q=sCip#(bgzXE_0e_uS1fAg>U!N=k_gl`?Q)nB22)uW
zg-J&mymycRSgr!N9Y+}?pa!lnzH#hpPCm!tUlDTxI^rMYFl-cxG#5-^pX005Z9uLc
z6dp-yQs3fvCmg+bb#ueN-E(v^jJTKRvt4qxhL<x}+-nR9x+Pyf9pOLfy0w3kVge$@
zB@mm|tm6w6Zu(kBe!MZ!1Oz>O93s;KP*zKGwvG-1Q3l0qvNF_aA-B~s{LX2q(Yo|c
z;Do7bu?l~%rMkOO9o1n?0a_9PdX3>MH6~MKw>KOBzrCqm{o%a*xhPGL0jy@tX?IA~
za?wARrs3?uDC!Y5EVoOWU-e&KR9<zx>TW!2QlI$s<{okyJ}zUt^DBgfCUT|-V|&7f
zvS;zBe0z4mqIACY_Q)I=cy@MH=(l%tK~HV2so$gWDua<xq+$8w)o;mui}a6c1by97
zYJSO-K(Yfy{DUJ4U*WyZg;V~;MQwdKf<<KoXwjmUGEHf&#S97VsGTus3iUnYOflnI
z!?1H4wZfr<ppU8+Ivhvpg2KN6>aLcx@#We!ri=1k+*nadS9AVndE>8e>sL~1uxvlu
zm1w(0C?5;Jh_a*?r^0}7jbeuo;)+H%ULf74uJ1UgMrP6UbJpDu><c($mutf2=m;*%
zWfTf%z3s&0RuEkOHLR^(>Z7gYP;pc#+_O@<e0Mw!Y;A&%nte}ie1AWwZ1?t6A?V=_
z^UdA*>GAeK<i%Lw!+ynpvc9h_33|)T;mzqAoh|}*Tq)cHP&89Up)Wfg_%R<0FukiB
zR~*`}FL(d^^aQm~7Loc&>`<0Lq{CclC-hcuQmX$sV$e|Ky>SH(hlSMunZPm~z?oEw
zfzfgPn__!Up9Q<R@bFU(LBGWA2Zzd+qyngf{65kFTqmo&Ju7@UW@K~v&Z0I>n((PD
zaptCCILK$AqIz!}?SibwG`0qR%~(;s#^+6~T5nF40ZxrS;)l#npqm!6R?SEdyW~uq
z{|=eA88gPb-(Hkq2agZ_Cm3_Vlvpqg(f-^#5Ce&2-ne0^sJ@&Y;j;T|u3$l*^!R>_
zqAseA(?5vmTOW;=tTy;tD0|0Ux5JuT%d(SGF%T6#tXWBMj=-g%<A`px8YwhpP;@@q
zU#ybS5w<J8nn`AgU&k-6=h4Fb8yf8rU&96KPFAvkHuMN<Nx<3fBZR=Pc5#J8!Ez2}
z*2b*ss^mMP<s^bf^qc&!+^N9G94!3hRVMuL0G~EDTt{H5Zg1DYXr_1Wq~^N|Ui~M_
zXi>mLpVKRc*QtII)mL#}p=!li@8&C?Z<q}xFin1Qi)-NY6Z=p_OD+4HjG7kk7+d9~
za8h2^o!aS=hw*)vy{Y0p&PHb#R;uMr)5^2)YWXye!80&cpZvJH`->$BCA+tbx)vu<
z)yC(hw1C>9ITjb&y>h;@m<|8kHVE}A#&vpjf5RM?ACWU~bblEJh48maN<IQA!dCax
z^7@)CGoTb6VP5oXcwB%wQ~ab^&PHi$ktR3@UruVNW%|1`gUpQ}i8H*<iY?qsdy4<@
zKd%DAx=a$=&4OFaoB67$P&Mi;gLkUCoj5p|Bu&<zzaxppDAEovx=4EUYdc5b9g(!Q
z>2rY~k_(X+<i!@3UC*BJKi#dBS5H6s_B)T42g0AhpAx0V^J0F@ixSXa#|6X5*x5u`
z!)-I5=-QvLACphhKI;o=ch2M_IB7XOT#$Q1CsGPOjn_xR&&7To`9|7aWLrpQnP2`1
z&6>v=`?Flz=!4m(C%CA1r)^Vf$|;*D_>kRdtse?uz~98AKv`465hUDQ!X0vYb?}|@
zy=ANJjSi|%J{Vnl1uD*mYCYV3L3$0Gn5ucvF&am41631BMz+A(m=_TgED;P`A7Loo
zv{~k(V_kg3^JbquQ!H-(;9y=NB7GiS#D)*f-K3!srvV`TDy?0j#(DB)PhgZ5z-o(5
z;J<ylg<)dML_4EhtS#0^kz`8`(`4M8Ltt|-ncD`qcr+*9=oyt0D0%4;f=Bc{S_J=z
zNai)%6{r(vpxcQZBvi_^Ub#k@_neA<@+=^q!GuW}7AhC7p4M{~ZL}41!`M##Tg86Q
zfoya=tZ+1!wGEOwQ9Vk4#C_&)NI)5IL1C+A+}I&0^GR>9fA9rb{7RdYEp1h}a$D$%
zvw#ffn(@ow(BPm|bbNfS^rB&(>)Lq3*Wz+`adN!mqEeSK=y#QQ<k?Uivyjge%d>Iy
z=@I{yn{x$z<qiWjg>hmodtrWex;jzid|67jjw!^4B<3vU0pNW9A)?kBByf)u+Z;vK
zn(7wIk$l5ZGA7V%HVwIrCy()~9XBg=U<1CC%F+<4K#CqhHsLf8cXrjQXSP!KGEAPN
z6qcBUx4XUw`E<J@{6)!u@Dl|eFU<y?%9?RBRj5eOkJf@n{S$1~FCF>?O*WSR_8Qw|
z3I_2~FHIUipbN>Es;0WJhpq3`=dYzY&C1={{*~WU6$%N&tjeuGYQkBRVTYFJhG8Sv
zsC~ZO22m-bFLQ(a?LaWPt#F2)nS(hQfetYN^fw~%HYt(o_Lg;{Y>`hZdt!0QymQ`u
zVu~9Jg!Y8EtC<xn`gP?9?7%`b#dJ#rT2(*(hR#Vsfh(XWAR3Ga7yKp4{yPE-gwW`*
zVq)FQ@vr2ZcPXJyp&a>$Q?h7l1K(l*R?%ujbzO7?YpfRab$;cAuoU^5ML`o*LMgcF
zTijBg%8Sl{3Y@GRVWGiVwDu{nvExr4W@~#PVpDmFA%<Gy5uYAuKT=N#15z4lfj$v)
z+U8T5h?jcL(gGe%et9g?+ml&hdj<}y#FR0y%`E>UI=s~vQj&>EhqE71TaaE_pxdUe
zjelpQL&EM)R?q>oWa60ax6r{F(2u4LynnJOGl@w5_=@@ZwI7rJ$$+xGilsv8j}7NF
zn=X|RsZ&WN!wF+CCJQ1eOGU9s3uPFc1an()ftY;4N{@leYxPaTFQ8gPA9dz@H5#kJ
z){F6KC0kS&U4M%>Bt!r)uH>$JO38PQ7`>JPMr84`XRe^*+n)TrcsSg7bD(mC>31ia
zoC2R<b?~Ho>>XWw2MkOEsp<|{tSfm#fJ2@U@Bkj?v>V@f@laXW1umZJZlQ2E=@bh(
zMajCwnzAQI#B=KL7!q7%(ysaKIxcQ)yi<b?P_{4^5B%5<%sftaZ5UL*2raiKVHOCt
z0jTbK2d%{2kPSzRXusMR%IoX;%ZU(y{Ao5Xy&|o!XUa=*V=oTJUrnWUL+XH1C+u8J
zUx7p7k7vQ+C%|cj4M}gUA96~qj{{NUshni|s9hoPPUN++(;aoF9}=b4m0mTj#TY5L
zeKVFc!-LUT_~GQ+5EjITOtona1QPR_hO#0|%awFew$c(!Cr#(!gEa=f+tURzEqh`=
zCA5C8t0+%jo1uhM%}07EB5JDJ4GDittP#Hxt3}Y`5w<LM=SvkqzzsTT&SRf(sA^L^
zKGi<b+H^ja*~iokd49R%1jb2vJ&)1s?Pt1yj}5+ic(vWU#=fz<hPw!$S|2}L!zCE6
zg8e^SeFaohUDy90Dk`N?f=CF`Ar2`pASob>gtQ<zbV?7Qbb|;;4k68ebc3{lFf`IK
z#LzHOL;o*4&-;Gg_rGiDTC8>FoPBnkbN2r2ee<%bOp~va>Ld(R*bW<E^#hkSnb3SQ
z_pZNF`+hY{74EtvGE>_lG^ekwBzl(marcNSarB2ZX7(*vO0G1dp0VLGVDptH{5N02
z6-{Jq<O|1X^uQ{A!$-Q51}9^dQj~?*(wI6^b;uqfGSS#TqU=;96#rmRek`ZFu)_+R
zx<;;p^%+&9lGj1Xle`EW>x4l2(I?e3A2K!ga30|2QX3^dJ6Q`6Nj~eHv6?bw?|x<r
zP#~gw7*yYAM^%)dhvPX>)k0T0PAm@Y+R;`Pr&S!H*y>yXTzH;xzx%qpvTjAgEr#r5
zEoL=WC6n!=jHhikT)ET<Vdp`SV1lz%vDwXtro0hb(Zj_0_z2X+dFeq7u|d@i@jb-K
z;p(|s4c)*p*^JnmF4nKGaNs`u%IF7S2cQ+gB7UJ$n&mmTOCb<;uv(24LO})81j_ip
z<t#xEA&0fB@6pm~9t%aSkGEXpIhV55L+6Q~Y`GxD!r36oobQ-&?3ENVKi?NXzAi+D
z6SkYmToYuaT5;tw)p%;db{vXUB{^l|f3QdKn7e~@ZL254uldVk_Sn}ejkwB{bKJ||
zvi@-B*QCNf-m>zh1FBYB5CfW0y4)0fIC@ey1cfKPOkKeZEIo>#LhclQtOxb#UsVdb
z<QNu?t+SY5aaR`OalSvoyDDLtUVszR_LPz{MnBUKgO~%bGGn*HpQSEi`$M5~`!qmA
z?jUr1t!&fZyVHzC*2nCT7)&ba`Uwg2z4x~8jp+M`PgsxcM{e#4U3uD2YlgL}a}QP#
zdvqX5UkFt(1}gtNSYF?dbRCn2D>gdw!mZ<lKJ&+%@RO*)XA>a!_^%C>0up{ycRz=I
zenA*<JFw{(#ltRc^k};g7myJT`TPZ0gwwA#CNz(HV~|FLU~f1m`m@<^AR4CgC?(hU
z&Vi;78J1mKAaV)zBo|PQPEJ(K6)42L7AHgaV86IH>zLnDVS^Wvb!W;P^XAqA5zkYo
zcCwas;BAV5y7BkfIQ<63x1!p$r8oT<ER1LYPbBEw@nU^Kj4urJrggi%gswqii<1W|
zw({BK>9MDx18^r;_v&VM2NKmQ8#<g2EPd`%d%!s!D?5qv8S!0HB6v!|?002jdg0L1
zvae!yJ$-~Z7W1!VfY-SpW~K%XQYR|Slsk5xZaN{lbi$w*1x22_hNA~q>?g{C@6t(a
z-ocTQZJBvYERTH>Z2jfAr3w+%aGrpr5B~DIhZ@<RY{fe;l}SY-Lu<(u%8wySJ(8pk
z6MEPei@t0${xyFLL1@^Y-+V2gRbu<E^n<UY?|=>ES#^IMgpyD>z-^3mw-hdO$(dg-
zX+YvO1l|ck$l2|myK6kXM7aO1>4yDCH7P0TF348zFjMh>OgzV3(9^KBI`;C^0-M)I
z0w7!aWA~JOVYj4VtL^j~m6Vu1oC9`yE_Xl&icRE@yCIr%Kg|8=sI~!cDMvNuBai;+
z2tR`_H2x0mBoMmB4Y@ctj2^uO$KR&1ynk3QIT^nH6*uAu(SCJ0_c-?~t{Gj)FgudL
z_A7K)>pAc19Nz4?RDt>&M_w}#UP$NHbG_>Q)G-{I?1tByr#;t1!(P;9h5?7&nirjU
zUtTgj^^IhQupY@8jr~9mFjM$p99<|7JirBk`sz5=-kDea#bT$x9DAF-qM<^`1-<*D
z%o#UbWFF_X(fM*(X@U~1{=NI<Pqxj;DFm<$OWANh&fvRmwW1w+dBb{7_e*_hM9@mX
zpN3kb9#2(mMc*55Wp~fQ?dc4aoAov}Hc}=fCEZ1&&n=K86B}9#m2);}=Snkux@SUc
ze3$(}&9XO|Oi`_$hU|+ARTnp4dg$_l-?!Gzs(seG$NN%*yz^vN5?nW)AEnrr7Wloj
zlzkTEgRmNSpOV;8UziYv>!`O{tU&R;D0?8fHeYrU6q&T^Pv$NZI;HUYv-3KJD)-@$
z)=<0K;a-L$PASlIm3no^x;`LtyOahndHu-ZFa;MUx8NRwH$}gQbYc2oJ_v17MhG&J
z>sbD|mBxms?NUI&Jz_>kj^z^v=4kAO!i@lVd$$JM=lkVj-4W+dfV-+DlofJ2HY()-
z>l~1`jep^+m-SB}!QoJi(!lr*daf@)lUy7kK{{~v;jTZNh7V+PSYAmRpr-=9qzMRh
z>B8@@b$pa%V9JZQ<nPAE`v}QUl#&0!v@yMC75x)AvUvL%xwisc#l${`&2wT5M&~9&
z)8*Ewz>8~*9iE<21$w4l)!%)Qx>Zuq&_9+3{gXP+?Zt06=9J%IF}-`xpVGnFpU>B7
z1~}}mx4C<Bl(asR)%%<^^o!?NQ#JXXf3#42KUZ7>@bdRZ8u%`f^!?cG#`<=?>`RWN
z8D`=|NT;V7e2v*~pA!}zL4IP!{MfT01V!?ewWt-ig$Z0cxdFDS9~=8D{=HjBBl1Uc
zM5ok_gS=~*NS$OCS<Pb6i;eylnsY|64v*?z4RNO}Qn7m$TiZ+2grfu>bu+#K^i&{4
z|4|$V!N4ZFZ%sJ#1&PUz{C6`P((=LY8u>a|x2W`s?YL>b&@%HVrFFnmUgWH68A#Td
zvpFwt;EwoQ@=q5pE5>5v-1&pIQhF5I^s~q!Ih3Y+e~8(>T1-ykxJgW+5sgaDE_GYo
z#C*kFpE#nhBAg!-1>!*1k87F>c>%jt{DjzoNqDvF5GJI5=Gu%gy$NND?|9l_*a&=Y
z{>7v@LNB{HT>wJ(GvmJB$C{smbM*jN>PG4<6#~{k^<5$?^)+m$7z)wB8a8WuO94S=
zvEAVr_BKvm8iUMxSGe-+#l&Z~5U5CjTo5`ghNY5A-CRZiG7a3^=DfG<Jp$wN`Wsy~
zC*7W<$Et_@I1YufSF-7yET>qrLR;!=G0j6^ai3Jf##4{V8dCyVK1DW)YD@A(IkfL6
z)PwS$-Ii=uq22~RmF!}iuVh)xl=qIg$)Oah#gQXFdW$A!{XR5vVvQ97yIxGz5?K1v
zI+{M0Z0@60__K1QnG`Jh#!GPqg1hDLUEaC3*=Di&^*8S$EaD5hVucCI@|u)?5LuXF
zZ^xJvp2bQ+_&%ChqI@b+MJ6az*^SjQyJno0RBzwZYwsIP6F65;>odluvKinQY9cUD
z?Nev8J6e{zl+8_Vek#hOtoONVOQEDbU0-TDY$!lIMJh^``gjQRH#VzHp5eFeeLaJE
z$Zl91040DS-pIW7yYn|J?a;d)1lt#+C0xV(_UPj#(TSzNdHCi>vM09NO&G|guzBp+
zYC;<NkK>(mRtOdT=XxXsVr93$6W-?SS&QokP}vYcSXeZLMR*}_9SZaH0&Kr;0Pa2g
zoz8&ncEZAVXq@kdE(cY(F=0#^rPl|?c_i~`yv^y%{+h(YasVx^dv3avkg0n2mzl1d
zg5^<B`K_a5RJ301Ter<){>>q80s{|AXP);OI-LsC<C;I^9Jx26TyrTiy98|VO+SuF
z!>`dk9r^rQaRtTA9@rTiWuhq=Wr-gO{ra7wiDQOy7);u_!Qsf3(&l3K8q5Aj4bL^Q
zB;lc;`HMqET~m`V=)`Js7Sr9Z$7YcY6*o6c?v<*35vcu!qt)K#jHbaKN}+t|fqBtx
zIAS1fqOSIxZuD}SvrLtDUdRm~ePo-%j1BxYNR~kQ;2Hh!eo&6x?J~k2tK<!qw&G8I
zd#otivO!cgUEK#N)gH*yJazk<PFdr1c79I67mjMU3LRfl>A>&A%(%@Fuj))Kklh)H
z^MZ$IRXlKevOu=huLp)KeWf7>?&)IP<qX@qXQVu9rp$$ZN~XR|J>dG8F@~;?*7BZE
z5Zi8ke^hA4i;<`eIml{^26R}tssRX(Q9cs8!)S_UGw?lg*M+m%Zrfk6n$miSQlpK@
zO3!I|yFf59KuT#+^R*k6Jq4*|lvPl<W^MkOsBM}D64;tesUWJrB+Rk;bkYG$X2|ma
z+gTgivj%>e0XXKtZ#uaye_k%iw_Q8JBm2NDX*zb&!^HT&|31T$WW>X|yTFxK3ZI)A
z^^1KW<tnK_Q}-cJ05~M`BNkO&Y3o35m-L2rI@#hkX52??e#X&aH^4<kcV{}+WbKJp
z__TUvtqd=Y=#i{MQ?=}9LZK}Zf(vJVlrHutgCG=jm%O%0J{l@7E?h;Sxjw$2em&D|
zA6Kbj?;^qFq7;&+lMwZm75arH3VB3O9GjbNC-dx=`OT8fIBcv*;^T`Tx0oHR@}F)5
zR8^MN5Tc}lcp1f<$^-t7k4I0!qgOOVG!Co=!XLhRGiKf%rRGL2Lj_pXjGCiX%8&e;
zu^+5#f3#`ZN$=YXA_{HTds1ndW=blJfdjy^l5ps%YH}s=wJW#Y_vY6&V-I-o?Cv3q
z_YG8dDetjm-81%r>Bg$UyI9SOT1U$)_sI}!p!FZiQ7N<rYM$4IuaOYtSf@#-7ibaj
zhSPuXEpwCOR+clOZJE;wW#ixodi$QYGUChVnD%`n!_7cb<EOiiU#?``loFbe*?1ga
z*Cv`25)$$!a8Bx!=p2(o+P*qH>*ghn*=LpL*gf`i@2_YI{uzxCOGATImZ_Rgoo*ED
z=d{q!a8S6ERPMfY+}Ffj^aK(582@ETc?e|f7$88^-R(rL<jm>m$#o;~&E*#@YN_JA
z+PFYubRcb}16qA<eV5=<i1b&3DTH^ErpGbN30@X+f~~I9FS659M;T>)v%PI6tDDS=
z21_u_6ojFwaU;Jk!k`uLQW7b@!>5mi%&UK@GeNlRtB39lCP{X%O2Ri^(1GqEq>p}O
z9NX*2z0qDXofI1Fw5~xMnw@v$vZVh?FyL8vt+Sftyp5Xm%~7-W4ysHsF&<VVrZgBa
zRTFsiKtX+<a}*EB!T*`JGALVG28?(DAx1U{?@u_TJeV;n7AjwYEqS<1Yv?lPExh8v
zFLY7(-i<ol7k$!%f;RaqnP;BV-;t&e6a6n2sHO&o`3>x~CM6PC?R9N>CgGZj7mN4&
zrH#CP|50E3yLq`XjcA}-7dc|4y1b%b@wjVCzqcm-ME-ESR3+o~ev!qBta8u`{9Y;v
zOUuxE+%BMZjVC*AV+cT{bPBG1K7SCuUkqX!yNP*Inmf(Wafw$@SO7hl?cn}?i8g;4
zEZ_mgTIS8n_GwC!BkoM~*X=99>x0tQHYT30RS#O2KBJEGCPQE*6)V#3Mf{nL6?f@T
zmwx*Sfvb#<8gb+Jpz@Fjf_E1I68p3P`Y|{w_6r3+JMgNiTUbO7q0BliL5q@XE6fpo
z#d%q>@N2kbNLhL;^mg?~PC;MZ8q1tkvXKt-M)5asn;mw257>IXUJ(xNFi3&8$05+?
z*~LnZUF8mef+`6>(afSC4vjrK<F(W*zH<wjD-7t}J8Sg!VsILjz&kHLa91DXyYg}8
z&GdLLcWo&LKY>tuYqQfqNgr&PSB0`gw7a|EJ5#B(>K4%B-B3^D*fNd{m3@&MCQ21L
z5P|L@9f=ITZkfmfCUeFs(Z99TglFF-x??{?8%$EwH@+u6OyD!~e&1E`=49|8trBLs
zKHE;V&RGIZA_Ot<F520d_+l46xM^{P+=#ycq`z;iy~UlLFXWLljtT*24iKnW8!5KO
z2Dj2}WA$_TF}tNxpM#nl-Yjj_fJPR6ur2Wl<H!>fqkvF|Cw^jPKaE0ladEuS+biPk
z`jxE<e-BE9Icm9+_!UGm+xy*Cm5d&kIs02StiIUnxllH7B5&AoG3`^=i?~GQdT5o{
zd#H*F<mEnrU-RRO&8Lb=ga}oNdz6(o9WK|Ltrai|6y6;Bo$Uf0j5e`esG!@XcM*L+
z)b^B%1y1K>8|x{LyPnSlx`i;4ItL)?euw>rK7V9!BdGyU&{KBZ{+T_G(u1EqxRIEo
zDe=BEXHLb```2G2=PDi3*uf!&?{H$rjhbtZ=E*Y3??Uj}V4r0PmUtfnlsWv_d>=dw
zAZ@<mhVmL#cYi4&_ZL%^)(WuvUmIqIkzUD!h(kj*Hx>moNnAv^`Ffh(O?GQ4lLW>-
z$a9cN(F{d8{<}4%pAX+Xhp|eYT+-(2g%CtFj%sAT1yCO#cb8$zOng-zDV8^7RNX&K
zZ)zmQ-2U+Wy!vO+3p$q~T!FMb6&WPE(d0no9|A!P@ScK#%*9LmuzU5f$LeIZVwEGh
zNgZr)zh(u%eSqi_AhJq`67R9Xb!1b`GSA7#%hCPZuHl#@7ijoJNx|rX?|jAFHo=Rh
z+dI^cx(<IQ<rzBjorCeCN!UJUHZX}1d>@hjBqXWAPjEHMJG@&6(4WB}*!lM<Jt0FK
zLIe%F+Ye-?3$zAXAdWI9tqIwoUZV9>eX<|5bK4KV#l&)9AHJKsrFgkuKq{cunuAUU
z-={_+RZkk7PtwxX3XHl&haWkukBP63t$c*OQCaHeS5B<l7inGq8;oRO0{!RX0HFe)
z2?Bn%=Y5abSl_K*a&e1=J)_v?5=9P3mhI$2%~m-IJBtZLcogBuHKcD@p<eA*(m;ac
zXM&8roEmK#7%y<3Ktx{t1gzH;Gd|v+3eM=lyU%*pkd472qfko9=4BU8U(ON>Ti*@V
z@62ii8BzruPssBN6*r$t7xUC}6pqLW%~X_VYZh{3+SRXA&;6pNM=au))5FuKQB2~o
zXhv)q$*-01i@#@ix_z(U{pmV&FHoO7S>bmO4DgRNU!i_EO!<R=tN^__{`-BZ(z|OH
z;``?4SoaO8_Py9R7@0l;|6zNcKlLN63I^|Ttl1AmDF&b@km)JX@@<%Qi7k#ID#(J9
zb@*GCT7ED1{b_=g!pm{3<0Pv79k<py$|l8oA-<)=XFnp`ZbER%c@&(6i<kyP<v4Bo
z%ZG*6rPy;8QJPLH%9>)GD%vm=6`IXA-|!r*t9)u>_h>IU&OV)V3;+G7-VmUsx;z<&
z1}c}rn<sm>S%X^iK%~eWNC@p8+56ThcF%SNqMaNEYxl&PG{uKQQJI;UUk+$Pa3aFO
zUm7d#k2>$>R7XE*{!5GLPcOF}&%{x+024WON&yqqGJDmM4!p5fK!CU{EBq6vECFA`
z0Kc}UchXoo3#l2K#2gS93Ll^mTJ@fEUfAB+*GNx0q!#MLv&b`dzCw*7-gweELl-G`
zEwZ%zjuy(nVZ9$yQC6`z>#;XUGr`wj<rU(HtTo>5nS0)_7US}Fue;UTuf$X7__}r-
zd7<|;5TKxvG~<-6vNW4u@dH86#q8)b$l2PQ=3|epnn-)P#Fx=Ewi>9DiqQ%{02>oO
z(jsAS7WtVjrANi-M~g|5e2!m#&U#deMyk*nEGf6w8mmiW>Je}dGQeFuuD{hh9|6$!
zlDO;I4LsI}Boq6%LDV<jzYVMg;>US&jfaQ>FBm)yr->z|`h+p-o;nyRhS5Os%sCvt
z+rEM?r(^5dM!^vg{gB^ItEn50^{Nxs=e_qkC>H9Qc$!=!$3lnc2@dh<*SJ^7GHxI#
zUT*@$8-OuvIy;~Lo_cWhYY~MzOQ%m2#SR%lJTQiR2mLrsEY(73w~#^{?D<NP$gJS!
z-O&oxbnJxiS~VR6#qTn*Szd%`&7u8WzYu&hI{{x7b0Y3kK#rS&`AQyYZL6*#D-a|e
ztSa8*|53iEm3QZjZn2j|FaW%cMx7+7)|DYeqGA|f<ZgO_TSVm^r28)I&~uhvoJ~(%
z;P$94&Sy?8lxbk6EX@&A3-q1zArh3n?zQJs&g$uj#GXO3Q#J}57-Jk)yyDLe%$f$O
z<HteLU?`Ik3kp6tJ*ZqAO+Q(_`R+8&0ogIS0Mj0Wu8+Og7KR)eInZYm&3=O5-Fe^W
zXZ4RZ-Tk!Xx^$XEIq*$_Pk;B7%4zn9hIvPYu*bo>eIhJB$`lRG!h8ox{1)7PDsk$I
zlk!j3umxRIZyu|P?SuPL(|FQ?Ma|xy4&alDOFVl{b|LWIAE$r@{0xUrbxC}Si)5^c
zGyU~{#lTSfnzqU5KVpA+oTO}{aQ=&Opz{`u+#Q>~j{aBMzgSRokM@2+;RbFqF34AK
z*KeK%w(=Vjv?t&Edam6<%oN9yOd6b!|EoD(J+epOsc{}+*sw^_X7Vq{E62Y?U~w9V
zwAe%iC1gSCZv<-KycXuTuV3#LrP3^TfSbmV*((Dr3H^NT^|okV?^1IpxTgCXLJTPU
z_d64UuFQp)GIh+%9lw%ah`MXZ(HWh04)l7C7AJ=1!OLO~$q?g)zTR+g0d>m;Pda^{
zefYbLB`oV~<vIaq0A>8*L2uhq4Jrc|O|o13XfN~@BG|wkg#@ikp6X05km$D#op97G
zPVCM*A8h>j^XK&R^m`y7)nho%HZ@`?qPh^X(k@ZeM*xz1Oc|_P1Dywy_BkeJyk8bK
z-Gr&t!y7>M6l95M71NGwfc^i<&yWxkE2A`|Sc_oTubcQLyc09{AO_BakO_+H13>AD
z%;!GTWO+7wp5oVB%aH%<JW=u;-@6Q^R+<Vk?ytB9QOZ$kB$q}ge_oVv-2X-DnVafB
z2$DSiHFdhnN)tAPX$l8y24vCX86=+$@0$UwoZXt_EdxtnspV(J+Ax4>Fnt&^EaciQ
zsd^(W&uUmz3eaxAMV?}d2m*wZAu!by)!{52M`qWq?gg!91?|1Z>9_cJ%b+H~5T*|-
zD4dP`G}uslcYb%GtQ%vqh6jo{Tsh?I#z4e;*0LQQr=H_X(S5t2LbJzTx5kaO0N7U^
zhYlh~1;PGT1O$o+BeU!Cyf$!h<?<3vB2c+q;)F$*F<3i}OmH8lj+iW~Bb93QUT%X`
zd*1=nexTAMub<v?zG=oQYKn*89d`g~0vs!9f(E#;u<l+J>TIW1nBMA22Lj0s$(jIr
zdB-QE*LgFSo9P~Mb)u^S#snWjV0GAu5Jzhh)7j!C>l^~MqJT<0F4O;2iF&>B4b^tQ
zepSP@m$>*L9czjTNyi_xa+#@j!Mf<pSJZk2F$3M4fMX4)Q?N6OFE#-6@!ucB<VU-i
zN7YA$q6&_cdXee9#0blMB31FckDEXn%rIuoE@pV{rn84M!tBzafifhb>xpAUAI?`m
zusWfM&n32!G*Qg(DBv&wBA?{HKM#JzTM3m0{sMvY&Cp;LF($a&9&N3|d>aL@1{I2E
zFS=W@!P7y3YnK!|#P1|kqfQ54KLSwtS7rtjz&WFxbBBc2Tzz~XED*vrn1{|hATjA`
z&!E_X`m<^Px5;+Dw=?iS<Wada;^;t!7IL}aURqcv__Jb;Rn_ymEyifDM*(;ty>ryr
zeUW;~1E4N+39Ys{JaAP5)d|>x&0@dsvg?y}*s%rbtLLSt^ts_A@;IWT;48rae*<U?
zC)j5GR0zUx#nx*c?AC8<qY^k>i`k(BEX7X>;6I6X?mXC3E9H{8AW&#QQjak%!Z1h8
zQe@uQIV;H#6{CTAJ=HZ?UdkkDEKl-gF6m^g!mZ`#tnLC2<Uri{iHp*_Ol<u%Zkj5*
z%XI%s0E#6T(wh=^wW9MBT!aYf%fYWeRCRwHH{D^x+C=D%4$sAWHsWHKgb5^B6Dq6A
zHTwKMq+LxKq0(?!YWT+q>xarujTLRdp~F8M9UTS2;F{0f`ZwSIi1s3}pP1^G`wfly
z#X4n$>4$so?R3s~&AQRjg1%Q#D3xn}>HN#3lh^qX*|bw9B(diKO&hkmEbse~QbO<2
zU^i25RR!Q!QpJZmL~81Gk{%us5iX<?&hKt*Z`i`dz!S<|XG^@BPp^UAr)YnDQdH%-
z3^A$u{oq)i2vL`b(#O4@<OW8QM9{lDtOMtY6QFCSjyqsEIXgP=ep}aR=f$Lhb{K7X
zE>PI|-uEQJOpmn<=CcC!okU($b~3=nSRhPpV{I^6w}%yopGwL>s8f81iBO@rIt!cx
z)?a5U0;dzvP*$m}Lfirk^nC)`n_$P}aKA{sRe}R|sLSUo<gO|LS9br;3F(2M8wZ>c
z;rwuZcXh1#`)tw)hwA_ut13u_2ddZM`fWTx8D68=jv3Yx-qgGr;9bFv4tu;J-=@fG
zq$bmcuJL)R`Q3LF^Uk%7{hQ5qr?k0)QK;E77S{pSZI3zg#~?|e@EdwuQ^wdaCmhkw
zwX*668wmX7rOO3nwEW)_&4k2f`ol((-Px(F-%Z#9dHZ@7<Myt%5AA%|roXMU-VlA*
zT$OFdUkp^!oafpiZ9jA#=zNR2T<@e|U8hr7wME1Y)Apzs9$qkEfAIZ>_aC}ZJh+6M
zYZuuaA1roF(Kl@Nvu-!K86tvF1xbpu4!}+$i^6f`p)ZP~^;{Q_3yItGGmV_ncZUv=
zxHIM^>)v%A$5f(HstEx@X@fc9ir=8>U#1(u9uJFF7>m%9+!gM=)RW`y+ON20T`}s1
zHr^!&#N}Z|unl&WqX>b|`i#dVcJ%9YNqf@UTRdnODT#^9Sht_0{&afj3vMA~KP@H|
z(^Zs#b&Qr1(iV)Q*AhZg6@Wqg1Z*G2QVvXQdlmv{wz>zG+lUW(cZ>VPzIijYR$gKI
zmmS?qt>fb|#@N-L6CMNga_6t|Brc6;zT)Ncr6gt)u|R`VD=kK*md~Zvw7>oP#Y98m
zXl@o8s6CCJDl2wU@ew(`8XJlKr%xIVS!pshcP+c4((YvPlD{-i(<+AwE%D=#QYtz%
z|D|wxXhuGUngl{HelrJR<o7CnxZcBg!n6eLAcSfx7l0GYEF2OoznXIz8aIr!s@N4f
z?6(u9p&S}^dPU+NuP-SP08=`;InWF!Gy~l36YpRBb3d-PqaMO96$#U3HY{-8Z(XVc
zr5aw}(XNAo({YvNL&V9+$+{3^Av}ZzE~KPu-v4)pO=!_{_qpxM;JIZJ`>Ulo$7Olu
zR@f?WrdyMIdlY16WV?LT_A~!O)lmh{Cip%qBt<-N9(+Fh2*D0N=x6cB`n)V(=N1$;
z57xTe`z3M3_aUU31i_c?90Z~uXXJ%7-0~H;jVQzD*ublGk?uY&;*p0WQ4+cALrs>0
z`MNl`2ylf01)#c#5ihRn0!NS?bKfAKMK=JIG9{N?rp<L=UZE3!df$y%pG{QTzdTG`
z{saW7uJo2WFB(^^*>v@C5<fdwa3lJpI0`N<O=r|X-I=f8z0!)5c36udj;MW0{L06E
z_doDBKbSd8BS8$`x}+-rWnMwe`!>qAbBB#I^z!&{`48l0Ymex*=W+8{s2H^1YRAAK
zP&YWx6Lr^4_dWLa{O*}+AWEW0LR|^umv`qsq(j*^o7@E^k9H<j-#_-`*~Ud&f1ZA7
zw(X;v71jnKsc|AH(Y-#@^#;N4(OBl5t%H$j44Z2B$cnGFO#iK_5K2vrTY;2jU;LfZ
z7(Y&qNL5CUQNy^{Y4T|Y+VN4v<}RdeE<TOhO*29cnU3PXS0gTM=_<bUY_sBI;OEzN
z7++%V*=ZNd2&X&ur*`KbySS9a?Vs{*X97RBW3<_q`>m=bi4gwMi9+o#ly3kk`*Ms;
z62#THAG9O%mw@De^&zA?nGDglLoKz!t4|KOQjkkm!ys~W_O@v?2$dwfH!(P<YUq+;
zrUQe)iqpOQffA@IrMx_QFtZ}I3a8MkgSJI>(zk305%QO8o!^~ng8|on;DuWVq}Gfa
zV}LnsIvJNr4$%uh&Bq1{Z8bJ~*{^QkhSR0kn?!pEDvEk1x=!L<#;Y18M)syUm#SEu
z>7$8Xi4p^Hx^jNsJ1_-<#<wz?*Q(VDzTj-`K~Sk)dsbL$u8&Kj_ESxqrJc8uhaN3$
zRFLk=_X_HdZ|NQ_bp9PH681O?#K)7wU1}5v^a|c}Frn|FS2QZf3Sph3g^+G{?s)8v
zNo9l2eomiaW;3bh;~u>?vobpGOSJgYab|cPrk<|ExgP0ezj$f_yCGRP4+cU?z)-H5
z^<;<~w!~gDooe25satKB?RhZC`}13=C_|t6_q(EAuw$}OiXcaS7M64Qw?j`9i>mL8
zaTrqwRr0)3b-nq(+#%@AyLZ16jSO$Zde?+owj2=NW@KaxAiaAlfPbfsH2v>EPaXIv
znNpa?FX*#WuUY49Z&Ji^;-PqsVX(QRvq96@w6Q%Uqweril1H*wg;}bC19O|}!rra9
zhQ!3Ea+uq+mwuNF(2^tb5|ne9|GC7K-8zy8NB#c#3I9IA=;uJ1g|iZN^$k3$33>km
zDMDk#x!<62Az$_tsEnO14EonF1ZwUN{HT-l68iA(5I?-;{~$4?_U9ca{{mdV*0h}q
z;ZbOA4PFSeA-ipht;Q_j15v}26{kW?{8zJDH6)LcC*#ZNMb@0fCoGsQR<mvvVMLc`
zdWSjPV=Q~0O_MTVOML0_XH8O7_<bN}1kibz^ZtiiMpG)7bk;SJ>*NTp`%WTQLu}|p
zchsX@Ex7q}&g$xFK_Q_F&l7tS6BBQ5Z(Cbi7Z(>ZGcykl4@*l+M@L7X8qCMX$Ii~q
z)zuYfXYJ{EJP?YKFN=qmLwL84#Sa6Y@i!f}r+rLqqoW<uek-A=#`h&@7~6N)JhBbT
zQ_or`r1f}fHYy#TuG-PXJeJ;Y`U*i!YustYz(0L7_%pyd_6AOWiCUH%vi+RmK1I<{
zXA?yg)0>N89e)AuaH!1Ns2_nJ+S?PyiD1H0cBd=H%);z`ranGhpFYoOYflEl+QFvF
zuCvkX5-vP5^0x{tZFM#~m+*f)l)9s6aQ6B2F1A2s&f|OOiflyEic-Y)tfA&g7<VfM
z=}DeUQN&iY99X2IFec}=#8CYVwf}4ut-3J#o#ip*!>|Shi8@*FPtL>=u6WKP>Tkv(
z-!Vz5yr`iGt#FTE^)p_ybV{qSVa*j_m~y9Lrk$j-O@bCyNC^x*LTYn7>p@-{ga|cc
z=$&iw$}X-kw&kpgOiitAwZpY^B-Fgm>=;{CSOJCjZ~w4>yX8s-9P0t3cm!(jtvocD
zOM3pnG$rDNeDpCVgf;Kn4@Zl@dE1;4KcGIdbze-(oJSDcG$bWb+24mYu07oL5E+^Q
zPwyLl%dThvVxKuxc?CzEnPi9<U%cYGaLA*{+w;$bGY0vY(FUs0y`L>_F(;LzjXbe<
zYQeFv*o__SO4hKq)_sJW?O=VyahghZ%_Nvf<*Wxk8D#Rpo1JJjl4lgtE-WQ({E_52
zsXWB#<Olwi84U%6Ruv~l=h)YhHhyX1HP!Uo+v=OazZNNyB<S|O<tm*`-QbG4r*1{l
zWlB@YBS)i~xA(A9hk2^mj+sG3u@r5lj6eS;)5Ilo{nz%hCc*&D>l`gx{~u$F_Y$+7
z;)fV_V$%QkK|@dr-O)8QHS~@RO8y@|UL!+TxSV9BW7*MUJ$FU}d~~7K-o2j(bzj`_
zNM<#Y;T`wC@wv!BHy<LS%AlW2l*K%#fn%3uS7oCl7j<8M!Pj-;jZ|1k<Fk)PG1~Pw
z8KbOZKV!&eurbZeCD*LOgN`*DaI#7<zIBLz+1<{Nh6tMUxi19T3e&3NK$PxvVLoJ}
z=9Luj<9Qr|YUaF7E?WJ%fpWWWI`JKyI!V7rpM~PPrM>ftLy2XZm;|-tDocKxZ(j4M
z?>Tw#b~xaNhQKEq+i7*Ud1H$0w3LB7UN(RPQq>6`-N`K57m)gP@>eYvGv3qAbcX^}
z%PY4i7qT>d2B-~yvG}h$x#oa4hF90mkY?KJ&7=!EW+9QAA$@jp_YiJukVrJyeHDJS
zFeJ6D#vwJ&lP`Crx~|pk8j+ZN0l~lU$!Ms*hsQgfqN{A!o-7$E2O|EyF%tT_myqYg
z`#|~B%7&S<#_O)S9XZ0&F)tt_Qaw#IP@GiqMt+@)NVdL|i8j_WrsH@b!QH8`HX^%|
zM<Zt=Fcr@35u>DKxBM_%-blKWVGXVR;ZTZIyGcWf_du3V$8mnnpoc$K_gv#09{yCI
zcRIEp94bDwQosp$NN+dm7Fr_*)_V)*82B^p&dyP-rf4p4wwBg%UG<M)y0U=od|_H+
z8Rin>`;V);a&$4@^>ZO{XlDe{P8AE3`*<+(@O(fIYrv({3;xRBwV*fJr%06s9*^pA
z(S9Yr7bZ&nHP52yg=vt!qm;ola)vcRmJM7rcrNLdL~)Rl9Q|kln;JPW3%rbJk)h~4
zR%c3>F-*lzT|>)uV)NuDqkcvS>HcU8v@8XU$-wU2wfqo1^hzCj8&N1^_9n1eTZal^
zMfJ{LpGnM3O~`a4Uy%&WdZ2`21-?{6zQS{z2l8Y}?O~zbtI@VY`-A?Cyh6^fcFhGG
zZ<Qry6h)rq0(s#Wwzc2|GRrUjRv4LXRaoHjr;}rXBf=U$W3S;0zkrySyKVR~_>4h^
z=MHZ*`(_U5P~x-Ga=S@TrwQ1mbN|c<&IvNEn~5V*w<oUBtjhMZFx06ZX+kE^zJFii
zx$JU#2H*Y^I3yx~jNCtupMIqI1Aklu0xJUan7fUwvp$?HP|s6c6C_6*GdLIYAb1vO
zIq%lHjE`sb6^bMd1?P54eLd!S=kha2SSb4`^d@m2;!civYL1Lt#rxc+(j!6|&Vft2
zb-2B?Tt*H$YZ53Tn_XAeDDP8DFC|lNQIU1shL*r;C42lR(&$@(d;=b}v7xJB@Iz&2
zmX_CfdCzM&U1=YeBe#bt&#?SwjFtLgCRjz)IOhg!L4Ar1)%|d&;pTdzj+S1P?^zj9
zXWr66ZkZ+K3H0}VYmYiou-2&8!(bh_k^QH~4~W5V3oI6f1AqxYsBQv@M5-$u(!+Tz
zqfuBamWuZxA~G^EDk>@>Ld^I4bfN;*-rg=PE$#2`kB^TJG_?UXNT4B&xVZSt%#3{^
zj-NT_fY#!5-N=AnPh<fu&zSZ}Q_^~mtCJ9%px3^0?Lj?STRTFdjd$a0m5otgFKVzB
zw-@z=@p;O+B<ry##}eQ2D3Z&zQnd(C>Bd2mT1~>bzGarGraNYV7X~cn4vD<}%ajK^
zQF#(URe>`htW$v<XlG2bb-^gatY6sb(P@D*wm@t-LcOsNnXo?ktkd9~&UpNX<t4~v
z{{Hfib@_a%LxnhYz@pH*F^V%lO*~XY*MN@#OU({>WJ%{y8n#Bc-EVQHM?7^WJ&L0*
z`JTY}UUFHcSlqMXk_NZ)zbGqm4kMOGjwu>O2*tL4RQYjZsp&OrQj^=N{}=Rd@9x%b
zXMyF>B|_V<aRL&N=a$!nw(_BR!EbYf+T7zl-a}X9*NU~Z^$-Tt<RO1nS5Rh9W`?>l
z*5N+)!Z)poo*_F^g=b<}ATAiA#?YzPa1J4jqXI!YB@JJsIy83;e>Z_1$RJ(al`dCv
zdm1ME5%)_6Uc#;3g^?+knw$iy=P4^qFF31WRm#4(cYk~`6&Q*-3a{zcYs|42q>?2R
zLcRUAx^VPRBH8foVB;s!aKXkLG+4%)ZM6R>7oQcAqp&l!8TDy1PBJVininE5=Q9|U
zkRY(c0a?<S(}x!Z6hD^5u95MTmH?L6VvB@Ue6t;o|GYfy%cLKC9j$K18-?4O3it1s
zVwntFL{}8%a_et?d;RSM$B*?`Zi_Z*6pzcq@t^swZ5#>;A@NJdxkNI6+tbxm?s8Ef
z+Ysw@n&DzrH24EfzifFRf*Q>743d(Pvio~sxC0|Pya1-DiqvR@#szM9?M;N2noDmf
zO4LA?G2GfduLK9xS2WbM(8_(}IkBd=kx8%?wxCi&v@nib6JD=l(_cmQRX149@a@LQ
znmI?6<95}xaHy@~FI#a9N6|qZW-0_-i|eq?!`nKw<vqrGqqDE!o@;qynvWcmFGLkB
ze0*DtW^q6a`VtcI@8dWPYc0<E(J&sdY_6Wyk>}Ga_{>lo!rB4T)0^5`9lnRS-I4ct
zE#-(V{(e=g9(PN_qllmLJ)*AnEx*3*^!_`6#i56l3m-MX&sr}YL!MYWubHetpfcpj
zNRdPThs^+iE#eb)^h7Tk34eCxo%~rD8M19C)qZvKGXcn8)Dt5;`_?4z+y&nL|C9|j
zCa)KuZqypjR*38d_8%;ZLoUb=J!dlTAhi0Oyw+m@nplqh&b*#k&(a>;&nV3$0h6SG
zCIb6q4u}h#2+~5KU^35&-AX9Q4O=kk5TC*==kcK)4@FWeJn`vR&d?kuXK5|!rr`0R
z6K3X8q#XO=m+%wPh8PWa$rPLi>FyL#uEH%x_{k8vTC8ulE@1Dm0ECfoGFSJxOYX&B
zbuuDQRb~lT_EnLb>}+Yo$R9xL@X39Y==1`(&mzd(CoiVC{N9qV-1=iP2M)Q~riRhK
zdI3E3r+xka+X`AHE%6#i`Ay$D)u+~pd-nq+qkn5%t0~s4+OoqnHIrN#CU*wp5|9P1
zwk(gnlob@-$e+oLBv*s;7<%<6)lG&4-f_N&-L6C;?DCbX2{Uo}b<Hfg@aM;){n>e(
zscIVfTT|H9w(<_N`jTz5#tg;8hW$bsPbcSooX|O-t<WpH$dx9DLkPzf)Tt314k<l2
zplOYHdBp$kOTXY~>FDTaXlQ6@X&*dT0lty3zP`S>xw*Q!y0zuA-T@n);ZfJgTq!JS
zvFGcN*~5A$aehrKpAfdpv$vP1%2v`$bBH%nD|C0UVt)NzBpmh0mWoR<@9i6>=bJ0o
z$%Bjqlk`qZ*-vum&IZHx^Q<08V@P$jma&^CgJX8CTq`?hew5vOXWml<_R81u<g4u?
zn?D^{CU4|b77w;qzQPu)l?%$QsiL&MO-667ctF1^Cu0kINoJb_rkS2ydeQ%MF$3M5
z^IUTVyw9t#1?T=$5i+#8@4mtqSf>k93ca9=Mx5@iU=cvItr5CnH?hQbLNqQx_~TO|
z4F9j~JBy!Vr0?H<Ny5lS==e00nK`W1ui@iV#6vcG9`VVwT1GqHetD%i|0jLF!x$QO
zXoE_kv+C=iXTS93wq`B8Pb`XjYRf#nrEiUoxoXB8|Ls|3x{vtlFd+2F=a^4+T#o-f
z-RF|92P`7U0VlNqD^=-ivZ>S=#l@&UOj4ZJw?USL$3uuChuFcb50mSp(j&eXB4C3F
z!ej1W-1VrW9EO+WEsx$%lD3?4zxtI5Eo#@;ehXJ5(kf-9E=i1F$kZ0hZ1Pf|i@L^f
zBU@M7?A*`R)Z@B%nP-48Q}^irT3x<Q$|Gut`+jMFJ@;@v#L{Ut1`cH$%aLLA3Lc;H
zp?yM<!VMAO`+~`u$&JMn9r}OOK)E$|7Eh2r>*t2(O;Ngt?&T6++<vD!YqXC$J@aif
zJdNb*LJy;dADBe&bzT0Ki?{Bv>k^KlMaQLL%+M9uT=m^BE{Lkz3qLbITPfa7@E*~K
z1{qkSfqw4`Z6?3=EA@g@DEx8z$HIu)nxyec6HNdJ`s<r5@J)H#sj_`OxuGJ(l9|ct
zL8#$-NF$EiP%jsp(A@{|ns7<X%ZSJ|Zq?%1W!8gVbJExX2YGHvLa+sHE@G*3oRy4;
zot)>>_5fx7m%t<eE3Aho_Nb)kHQQIqV`ha<gxCpFtcNl@Xs!?G%s9>dxt}?<U@V;v
zk<uF`cqf1o@3ovs{V|yf(Hl_(8%ov?j+az~5|tJQO))7ld<M?%7TFifV*&`xPM#eH
zJ=0qd{dpcUPNXCG0!~&Da_=j{%~&zluGywa8Hz4PTEp<l)z0giA9Y8v%*bW#DZFUl
zS=7!o`xKzSBG*7UG^(VjXgQIUU&9c>5K=o3`FOq=L3NY5Gm5Dm%Y+C-Q!oD#fe9F<
zV_GH;1bgBYR5?-STt1I_=E1!RLcyricENe)UY+=)hNQnWM@Byudq20$%mw}>8W}ri
zrd1b%ca^C})`f~}hE*p=$C>4dyzAYW7#nQy#ueMI72vee=i#YgZa;^HxKR6VCH{@c
zwXW5j@wLI?^=8IKMzpbYW;iZU&qfHCrZmwYA=$HBhF5QplGiuXnW_{5e1y!%=Aq8u
zmoycWzD=oxQ^V)2_{@k2{{4>C<<mM;c>rIL1nTYD%LklJ_a4(r6g=Y<F+Aj_aF9S%
z|5?rPGpHR(f_@G*ir$hc(JOb$?ONV+^{jF>_K3OPzq_(EW7{X*Bm2Wf*AR;jpfUjW
zMqZrW8BGoe4@9Z8!NxpFf>Ab}4K$GT0954sa81I$amDX+8mO#pLc|RqqEa*!zcVp4
zr3Z9b1E`(rKJQqmnPbXsX^uM8CqziMOF&2?iG66#o(d01?Bvwg<7Q5v_Om3-p5m7?
z-a=djDjg&>G=6dD0;vyX_}JJOi)YC%+^cIdmN+qw<4IlIX~S_vWo2b;ZSA*j-zXs%
z;8|Wa2cnDS=DEOk<Z^RafbX=iuyl2IU&SNUuTB{xBTlH(@?okw2+`Y!92*C{r3h5H
zjmy-~@nbqMxKB$?LtRe8>WlHFledw5X^wei+4Ea*Lum(7#L@PnH8YK8D_uy<tLXJr
zAkfc$7*Z6KSY6Le13?KgyP0>wMBrm@?m<X9yQmTOf}_6xPLts(_6h<uFvHKa3Ne#m
zsQsO~=L@^#K>QN`qJX|j9Bj?9ls~xBzSAe?s*_@SeemuERO-gVzQ-SA{6a$5+L~)=
z?qpmK`-A@>1H@mSK)32hD(~ZB1H{lzDdqFi9X(xRb5N%nNh@`Gv)0H<=3Oz+Z$~7t
z*oy_8pk@Pb^&eT@LR9pq*ThaA(Lp2xA*f5%T!pYf^Uhh3sJJu6dGMgKC2|7b7Jy#?
zgnt*3H;tR7pGDL^GQlkXQQfOJsw6H|1%iv1u^aa?bo$?;s|TSf!Wa9;lK)-YC9+4Q
z5t}r9bUb2fjr{!he^KHrGC>b%hpEstQ2_hPKXLj16txfpXpJgxIn95jQiI@L;a+X&
zkGoKt*jz-TPS!E{h%=nW0?R$nyWVHt%xrphfVMIKwYL!R4#x*0w#cf(bC-o(c*Xqg
z+MJ2q!1=k4L((nKH#6$r&#KMb$*yh%Kr~z2C1qNqOIz1^0ypiBJKZh9+}u34i0hRB
z`EmDtPblMVPXQKkxd=Mj1#sQ20K8;f*Lnu0UgPL?)HeGloBys1-UF4mv|kBya$cgG
zoK<&Q+j{yHxvmpJ-`S?wH2RHyQ)?Y#zC+gr6O4KMHTK&?fIaS-lFH5(MAA`&a%FEg
z>?9P3sFP>w64~%och>wnouDfkjG5j(6ul=Ao@L>S6MOC%;mr@^#WVUw!5zQ<vs&UH
z)cR+&H*eBf-^DoF`QnH$Flbr4=A6evl>8?B^pw$ckap>VpT<v%>}!enzIFa%S$;bc
z`Z%$=pCYJP99M67l|7s%{iJxi@dha4jq%GO)K!N1GW8ZWzq^C0XA3JV)IIIOIKlG#
zr-~AT8|XzNK%jLBCLJPkzVuP&OIcsCsAMS;HSwlKIS4x5iuYfA<Ag6b(?Qe~|Cd_U
z>7YNLfK;pus^394qSXD*rE&g8-GsI}U^P=NmzULl<v;yrhq|Zyln{a4?fQ>ye-})?
z(d;p(hp1UiF1GN7j=PKbcwM|??^A&vc#8j5dEOPZV`kMv8;IT0O0X?srbgb%;}(0p
zvolL9_ins<ur->LRL(fOSu6D8+igZ{(A|=<_GsY4QEVBE9G#rd=&!%;rm$QSTs-=#
zzXKL^cV3=0(9FIoRWTt}G`{YU-tb?0__L^gT0ONNRjPPWndhyNqLR1G6Fj9gLn%9d
zc}To6$L|HzDBGDSPZ!gLO5TgcQeQ600jsC|yKpi{1((wNZq<KH#=(il;NyCwz1QSn
zCD2xwRz>R8;XLq8DbU~dA2!8Ekgl<8cAo=jGRp8y+?fkfle72lc@*mI$N!GP5J=Z=
zJGu6=(^~Z8%%^nRD}_>`qZHd6Ot3}A+q~&2oNTJI9Q9uZ5H&A7Ib%o(b<lhRd`50|
zgX{dk#UwI)egC<^kw{%Vdsr4%uQKlaf92xWe)Oe!_U&3?no8dOV*QLA+~&-^cgcyr
zzNg%V46-Zc_CK#)+=meOzgVXZkKPPIxp%{EG0LGT<gy)oe0cur4;)T+fF`k%o359y
ziPIhf*sYeX9i3BSAS1TGwg8GMtzZGiX_?*&`^v3(LZDjsvWj6aCF`-^r|arDA+}gl
zX1e&-Upx!eJFlP0+?A4KTOLT;3i8V{bwmFQhv=E;b9}a4%>^%k;n#jHCy7h^N}K~*
zTKx}=?K>wk>!^#jz-?2gySWWL=+#@k;aU^NJVA=MP=WW4J_eHgg1&o;Z5stS3owYd
zqboJYuba*0XImGS4XTYr`O07ZVQj-3A0Ol9oq<%s-mFiHZ^N+iCuSLxT!NWP5)N*D
zfOh8P@@%{XdaZ0!L@8)<r5hkpa)_3eRyQfa+S>Z?75v<7#5NsM<=%~{V1@9ZZ-ZW+
z;SGGV{l{-Tkbuv^zptl<qR{=CwB1O}qI*6ZK#SetbSBb~MJULxhkE8~VBbHU>-&5F
z%FbR?;S*P{)m=#Y2TOBtJkXlJA$7IGKQqUXApBbyUcp%uo{6mq_LlQ27tunR#sN<g
zwf!$l=F5BB^u)v}dDGbrwGUdj#0DqkWHWoa1_W{u+ZD7~{AUMYp@H<46Okb-lg)Jm
zi4f}Q>hZ(~c_@#&C$Ls|BPP}>5B+p-r>>?(i(Jo<wq|NmE*;ZnUQrG}WJW#(2La=e
z3p)Kn78x<3p`jryO9%`ewyL5TFZHF89h}(_(Q4iCIE^3!fFf4x|7&JIy&Pe}*d&aH
ziN}#ze0v@%FxozVB?ml{!!0s|!Y873Og9xK+u|Z$@4xQBuRZ`(&eh%lOU~6v5SaDe
zKFiB``Cng@VQ`6&b_+A0?cQ{4z_td{%U;s<4}AjgZdgrCTCQa}CNi)yCx2q^e@w}W
z3S#e8KRi6#9*W}BD)H!M1xYqF;{IY_h9~IwUBhP2`N?&AZx^4fb)nhw<vzD&;x^uS
z)Q%BOOZ#p@VCO$GK-W}jWXs}nSD(U5ii>5G0je|B(tTIe^1ons^u;Yw7YJ(t9=31J
zEB(X&^e;O)31)dKo53i}qEQ<NH=M2<F=lrr;PkfnxZRs_?%3A)Jr)fUIzNKfTy(bv
z&&}bmkhz^*-V_2(As=or;hTP*BHmk0KN2zxA@}EtR4)2v(+K2s<{W8J66JT#*ZGjN
zH(Cv%Y|Gs8xF<PeUT>+_P2v?j>b+$pPwT=!izgBwO#6u3;)a_-Sm({mky!S8@;fhO
zLo(Wy(U9_#8J6Xbd5Cv^cT$KOY+QvJfE{P9@fn#9D$d&nwFPP4*qzwk7P8`L1$cb<
zJY&ES-SmHwqfCLgBVKXm&YkD38~HaNw;^$s^W}XBgXdm99vT7Nw|fuLiHRd!eV=NZ
z92(X+ne}A%wu`rwMMEdO=#IW|onuKK2sUuMwoN%+RGR*D6O<vIFQ*<i#({h#EM82P
z`sXrJ4LmA_3&ZQ&EvvaH$()e4JX912g)!eBT;TrVBI{c<u&vX``NwKtoQ67HKAoUQ
zE9Uz>XQ{B)b$rAiNn>Ifaa5GpR5VE@{=F-e13F;VwdQd^Dk>^cK0?n{gg&AcMfLTq
zsBI_Jtw$y%Klpb`Kkjm9&6_N7i@po|<j;E%Y3I#Q+c@dq;TO064O;%G{WH9M$cfWP
zgE@ER<<>vJy{aEj>rdO(m#8R4B1zeaBJaWr`+n_qP{TP!XrBp21B>y~;Kqpf^r!{K
zD&+dF4P5^>R^_1I3DY?$AbIqhoRZSKZpLm5_lko1w`CQ7&KIN`uAQuiJ9~5HaFEy^
zb$lFTM9LGwi2G$&w*-_ovizx{A|}3WC1^kK@cu_TuiYj^!`H)Wx^hJ&C2#Wb7e7A)
zDmXe`U4(M_zhWfz`wv4&?m+NA_|<$poz$pFd+w5j22)7om8Ibt%+~lfe|!9xHad<F
z5F&z%s<@*n*>NM>{a_d;GRFLKQu6Q)B|UddTTOY`?sUaX5W`IoX;@_PJE(n%B2Cau
z>8tYwATs&u2nYhIK2z9VA%c5fr?2IY`gt9pa4_QRTNZI}oY1t!|K>*FCQ<+~R=}G4
zN8NTN=#lD81b$E-$@Ml!)Y~(WrNO03235v+1usP<RcdFNBoDmfXa4waGC<h4Q11pJ
zd99iq$Hm6>u5gO{S>leEZ>zl>jnGlxk8r=_R@mT}x1yYMR*%I;RE-;zo?KBu!A!;W
z@3Bn+m9%El1H(r0f&Owf-`&jiC&A&pzmPdgm{Imp$}RLV(1p=fS-ktaOGSJ*FzD-t
z|ELZ_pFgx^&QRC0+!@n<M?7T=r*U0zCyArskhUtqoTqqyysx28Ia;imLu%(}a_-^`
z7g4o*t{YTw5u+39k2;a>dn03IU#~&^8ZW<TKXUVgJNpbfAu*M5GwO?pohOSMehm^2
z6k;2s*Dwa2v3N&A_aBoRYDDh_)cjg<D(ix+DSQ8Y(raNo-eP9|+^ZjU$hn{aUHqdi
zE<1IgBR93b75k$Vv*u!-EStr|%B7L_leYc*5W)y}PlmD$7xCe^Ao+jg<i}r%<Kh&}
zsRbI5_qDQ8AlSc7m?0B1)jU<ipPAaEn^kVwKZ<yaBZ}l0HDC64d>ygv`={z;eT~LP
zViU^vi$WZgc1Q*oNsMIj>Wg{f<Y9*YSV&BDD~#bTt{4p{zz7XO1D-n&l@|P~yf-zo
zPRp9_!jjr{sQn0#xh{2O8Mb`J&~Pr}Bz_)fG#s|8IiifmeYx_`tlJn0&gUP46#ql;
z9udU9^__xcpyq+bO41V6y}Y90Hbi|Tvw)K;`~Ok(o#Ak;QQOIhBt$2=kO+ooL3Bon
z5)nohJ)#BCJA*{;qIVN@bcx<Yk2+!WZuD-9GWxeA?>X=L?H_*N+I#J1)#uswx))c^
zT+smeEWa}(hbJ$c%@?9om-&lt(rz~i@Mp@yicISsrEB?K<9Z^@&tr2G@xTIVgo*#U
zg*i3!6biPHt7WYLPT%#^ZUY}JoNH>{9#g8Hnjbe@c6w(Lg8M~2wLRm<ihJe`P2a~I
z_RBk|7}zNlc8a=oa6f8+LH$W2&9nFa+G+NxTDA6~s-2m`-h>KTBx#;sy~<khePu;J
zK<7!Qkd}<ce6{=}Ep%4MK7y~8?hcHRq44_|B&{hs{TD7EYS7%bLCk#?(TIRFzxi_c
zNCW5f!D>rLZMh|)zHWBE(0XWdY{q?Nrm<UM#v}CLOndiI!J4Am+^+OBaa3u_o$<Qk
zf%T#CxrF-Zj=(?DrMF+e-dHyqEk$~Rcg#FNtl>m(AQ)|X%GmZ4Iy*#qG#$4Mwqp9u
zK#SM5UMc{lfId0sv#*~4RG4bbsx4D*`=jSvPpm=!8{1`8L`Ve<z}Gb*0#k8M_33@O
zaU(Ok^qB}RcKAF0W9&1h%{WX)%I;F`HD~;1sdabxE5`GKFT<vfXg>!;jq@`Z+K(3I
z{)%acIYz7&qcA`~^7r>ILMIVD;qV<jOg2M`{kRQNsjxCwns)%~WhM94-N-`Z!O_kK
zu5I=Z>EkUi(_<iuOz}-#`oe6f=x%)eNWc&SCmGCmh7H35E5!ckM|vHUK1ZDhei3vh
z<|qFKCX4s<ARD4n?d9>?$}_-w_3SZnG>8`xbY~a$l&>WHokSxZbmV}R6o)kpQ|i8|
z35}1{sL|z)?25@@d;&&(iI(4Vw`#9h1>PEn!Ulk14*6gmvb_o1JSuXsKt7rsDqqP}
z=ecS-Z@bQdti`Y0w-#ecT`%LRUCCW4Zr=EnZ4ZgL1B+^bD;@vYqFwg9cDU@;pKI8a
z@4kr60d$gFK4|e8Pvr4!bAxrS<LV}{VInF#Fu5Yc{-wUai2J0?XW03NhFLP`gplG9
zhGzLvv2i1f5gH!{Q<+|OuEzr-JJy0ji!>DSvjscIp%E$PK4d+(E$|R9g^sq61r^Wj
zQ{p6(%M5qzT@4Mpbg@a`yuslrul5H^#Hq#LT*y&?WA0Lh<2@Q0sKtN|xcB;NT~MF|
zV^J>kMXTmnt_8Jd#hv#EFPbYF_OF{m<*<LGA7S6VJj#blJYr9qy#wtM>TZGi0_%4d
zrmn7DfK{8Gcs5ep3Q=&E2SR34A^%wM9I4qJyS(OoX<YDft;kM5rwj)aqp42(K+M1+
z*|ZPpf9+I)Gy-;ppX{=nD*bWd+1=REe6oBYtiYBSfYmb`@V1v6s^LcM-)}Fuf&7UQ
zd92V<pbg0h#({NbfW*@^6$bP5Hsv;wmgbQYnvED=L{HC~V)O((bfat8o)ntvtBLQd
zC8PRiWquIDw6%-5;sMgp?A1@YN7(x_UBlpFc}YvlO@S}PTASwX?klGuF;smaLyNQg
z)5CXe%-7im41{o5ik~V=XZk=egKDQVQ;*lA`1r8Hnu#aEcL5n63RchYs<`=noa}a_
zjtt0X3A#gxpjj`EHmw1w23m=Qqe4o^UcS%`O%py}NSDFk0P%Hpegals&9{K~Ky>+S
z+f&#1N0&;c%RU@dnb`{wc-X!ecCmMmjqui2&kzp;6vyxSR-b@9t91Y;H$AffsS^75
zY&h81cyFRnsQgb8K~R*QrAg^#k~VFC-WOWn`HOLxQa*@m<)qw;f)4UQUbu4fzfZpo
zuyX#W0f3~!l!B77?0ReeoNT35!D)jg*|Xr3ziPsopAP`s4g9eQAzHi3uYHo5w;#2b
zMR!~k;3XJ)=)NHkNb`lj5b%6!pwg0Hh}1%hi1-3kK;*Jyz3ohN0)Bj{x57c_Wxk?y
zE710}L@jAz-q&LG+Ds=@fWmg8luTfuSkdoqXa*CvtOAZo4kd%yJCQ?kz4x@#)pPQ#
zDO?IB`FppWf#Dv&t??o`wZ8Whf5+5S$cfo<Py)q6;g>cuP{A~E=aZ!;{E}H&8YcSS
zZ)E<3omUlMY5}!?G=*B=s!zZaE`mTkv7=E5OA;N~euXqpt7CW2*OfHUzMTKzFv5N+
zeWeB$40c`&;Jk6;HS9LHf1ckSo@5d-E<w5>);};Ff5QA{n|Z?rP?`^<#5y3E=sE=|
zb(p~w)6}+;a`wt!1rh=7R1mA0k^9!u-K55|V*P4sX2ue!N#BK@ea2op(J!?o_?s}b
ze*6}lQ5d^p2&#?`G?h9uSe&~lI94*z|J)W=u~==x@s^NKV2s6gWfItP9meNsI2~d<
zR#q)%zb|j1RU!F-*%GNs$Ir=T7fj^5Pgt$KHREGeQejDkGk_|C2F$iSJbf~aOyEX@
zc_P-<N1r`B;Y1n@Q^m7H*Bh|w!@6r`b~B-73jsd_6kJLH>o!&?1Q;~aAS}P@2w;<)
zqb2D(NBM@}7{ColC&qsunA>igA+;@^rH!Zx)qk8c$_WK;({4a)0{>=iKZO6M^;x?$
z+mhH-YJktXdqM%rc}xo<kBN*EGb=?Wy~)|wrG>3G`I-jmzzoC9-$53Pw17iS|Nb=J
zo5!_Ir8m_Zo=K}3Z2KM|UlG9E#r|%s9zq8S=Nsb0D7~?t^yZL~dj`+_AOqH3BZ+OR
zZ9jsgm@+6}P9EWi?OU=VeD!?#T&hO2qpH|<fOSY^NHjK=?XAxyRk7K+m+U&8--rC~
zZR3aB`&*GyGaketiHq9H>p(*smebEg^*IaF-WgNaSv9ha#r6q+&8q8)d-p_Kjo)!$
zVifA30Rp*(68@1UK$qeDrj66a>Am%!*obXgd4Bj}kbXwlUVinfKX&rj*26d5YaT(q
zzfCL_K1m4MNXQ{h%FDlr_<?PMYglZ^&ega{egponTe>wqSuZ<UX{GmZrBX;Jk*33Z
zU?(KWA$5;N1Dl$hJR|^y`6G<^w7eHoAF1}Ft^QfL+gG`3&7w#!%Io%(diLdCG&hNc
zjnY+({q{h^0YLj*wP&83)2M9q^>aa~02R1d@yg<Ik2`$YeRGCqHBGCrWU4P!!X>R-
zY@WST%nzZ|x_WSMfXzyxfQ6(J0@#x}I6g3|;JPFITR<y3jmsCVdQFxOSkUwH#upIY
zi&yv(PR(rLL2kodzo7C!%diYBczGO+2~F0)g)NLq)w|Q4#sg=F0^qJrRysO5STWYP
zP^ap8TGkIMr%guiOcL_PNb%uU4*#+duD^FCXl&7waO!d}No2)?`5|0e;pb)BHx~G(
zlRpl8^b|PLMtI6&2^heYDE_!N{eF;(!d^?LHKTAr{6w6{8h;Tl;U+tj6CbEley7jw
zlHZ?^D|-el_z-_bk#MahEBX#GU|b{QU=KbInbK+fsZ*fy{Q8Bga!Bjl>)5|0ioOKi
zqmu?~(l0xwNdl&7uG!c=7F-X>=$9Yme1?HKgrcW2DOP?BnG`ctK(nrfsT7*Z8mu}3
z(|DRsf9%wot4OM~^%`8M@#t6y3=X8SLMQLy!CthQfnl21VNt{c1x!If;gAZ9^yKHl
zR7(c@e>NrPLUd{-eSE4Y-9JQY5kXhC`!O{_;M?Vaa{)8-=wO?HrZH!4;><zvuhhkU
z5ZP_pYKSKbpr}OxnAw27PFc~2BrvoIyY6~~T2m+N6HThmZpLI1)M9f+9B$b(U^;r#
z)2@iqQpCy}jwN|G^$K}MkZrPxQ#>Yt?^5oK&0VGQ8FeZhwVopQM^wqTRcDD{N3Z-4
z4*?V?D<g<3SeJY3YriQ4coXpGvg6Vsd(+*jS3A6fAK$h?S%HOTD*It%P-{0x%Ck*t
zQMy}ULz`Y5DeC1X*_dX53zIzBt`oOcT__hqA~b-LtQ$8hIH1~TZO0u7hei8)wK*QL
z8A?x;%U>_xd8{4}sZn>Ldw-<h`ur@s{KCDTx%2X#^7o-{%Q6`!My<5vRf&WCuNQ=a
zvw4G=)>;`~$On;>my7Ulrm<yKyXVYHJ{_0*W&kygafrZ}I4q{3Jx`tvoHZbT{>cIB
zfxuPI!S;^@IqC+`knd8yH@V2+p%6A1=)FZ?n6x|v8qYAehK0ILW$ZmWIAvF&ODzC8
zEum&Lz;n*u9ut}r(5a7UJyg4sWjYVueox+Sq1p}?`GP8chED2TJ~|@4r!!MGvol$U
z#d+|Bms-IN)=><4&NtV6P0^P9QruniAA@)Mys(Z?a7XYz?KipKzaq?fLaY9O6aEra
zUM^O^1~!z4$-g3jWqj}C{}*o=K?2K>BQjq3(Tv3jG<)_c7*rB!%#?A8D$n6^bhRTS
z7u5thAfoe{m;Fs*t!0nrYf<D8awxXruqGPWb$Az*f3uX-Pb#jCRi7rGjlTEIql^qE
z=<<iU-WU3(0AH8;ac!^Uvm%Pv0&J`J*rtR7rkC%TsNl(Oa&rs3c}JCeQH7kb9l>Mu
z5!Ql>IccaiFvBeVA-H^kv#L%yZ8iA%IG_tvUftOaS_^&q+@dGF`qH*xgepdu`?s``
zOjN+P$3fu(rlT&=@>5n|LcOUWilEI<orl;B4g=>xjE4Mt?!}-GV?~#RQ}|r&(7VOA
zA5L1$ny!R%;nib;&geTZ1lgl@>k4-PY%8Bjy}(@x<)WMFcYE`{0--Y9a};x`i>86{
z5^UmqAK{8P`42cRtPCxHSl@Ud77Cf@9wjIcA3+wdgZrIeCjWd1aZBX}4{mSK^o?oF
z)~s`JgVAc<saT>(7(r^pqEOuVub+42fdWTD6PQzj8rPso*<883k;W?N^Kxz3BRGrT
zV1HyPA!1w%xmr|m7J(Vy$12P{vuY{%Ar`Zqo%YOHR8GI$oSsgIH6mP#U_4P_i|suf
zu4UMBPML>&Od4NU{C+=X#v#+b@r5Ml0ZnwL)rJY}R*k1+mE^;duZ*d}t5QNj?ivzM
z2}aAEiy6$c$4>2Wi!b={!s~c(*@H-nUSxw$^`_p2#jL3^bpHjMKMO!C#k@e3yW{{2
zK(Td=9AIL4;jg7R)_Sw>kp_PfA`_M|2jo$Fs3zDCRe3k_FoUo#f4A&c4hN%?!5NOA
zwM47+0N*OS-YR`lNZ?XS%j7ty-*YF22|r*fU(~Rz54-Z?eua~VlM0W4yiVT7*>~ST
zp~tRe7|GffvrDlsw~G}SoyOi7M)@DOkL<%AwQ01Eg$$mgZ6$YX`9BXIxEW4d9Ro(!
zmev`*Z1KTGi!6dTCL_{Y+@lYI4`Z?S|F#Ysh@gY_Udz}RD??Ynicr&pa}t=V)W)>7
zA496Q#Qa$X*6*V}UGuL_qvrtKHFE%&U6HP;H9DkGfg5-3e1O`gQ}b$F8vk-}EU@l9
z_Sk(@=`I0ns-@syFk;W14Aw{j6SA2-KR{l2U>5?T(p@~Dna?rrptQFg1i85K*=9U{
zLP2y}WJ^jKiMsDh16JDe4WtMPi*~*n=A_VZ4cVP0P$pGp@AIfAr0FrLv4}cApwTzW
zLkwlyOzLmH+8|0R=Y7>xw0>A*u~GLfaPfg8!T{a<GHrEnkP}*85E+74TMhbMNw<`D
zKa_;&E{)j94Azvlj<&d(PSrd2$xIC0g7c8(1|_<-dF6LIJN{KRHdVPMv$B{R9ekMG
z4}jkOr^N!r4-BZ#N_kiEHL<OX1Kd6K7QD_c*$&TnFUTNb@?xW_^FHhrqxX(Mv&3mV
z1d{E&8nN$A*KFzXiVgfFN{T+V+sW#M9tpM={KEGLMw$Js1iwib8WAWarSrRq2|Th`
zK1Kt(I@?45M9v5aumh}|%F86$^c_O4EYHHjrEdhHyMSCU8nd35sLT7vIE7vyNQFO8
zj-5i0n>PG-?1=)%dE*LU;<%{tlaDU1kp5qN!>ME-@8(=O%nlrM_l{=E(uyA&@I)Dq
zzFd0vxGU~Gp~u)dvKFx<2L@I_4u+-Q8&{33lZLWdq_8UJZ3QFN%j2sn(qBSVHYhjQ
z(d>U4TYfF7R1fBLnI*TI-SdDlDPf*N|KZ{fruK!w7#@MUo1q>ZRU63~5$;k!h*EC{
zV>WO`o~vvH7AHAUo0;~0eY@GL8Pw}&;wnq58~EN<{v5^M_GxCs)W-sIMCtrW>9gSH
zh{%OOC<Ux$b~Uj0EB38Ew29AJul+k<n9*!6gT$>dG?WD$pI3Yiajcn(Q4T+i=CX#l
zP~{~hweKg%fSEY`Pb{q0p95ka4SG{^{ww%eJqkH_iRQm*2c0Aj*tx%>zfIxrZlwd1
zl&o8~IbF%z&5y>zr?jaM?l6*#NMa0uxE`IDJI*m%e-FPY?QHrM8m+xCI5cWPXQXey
zhEAG8VUD(^;?Zsp=+HGdE-7$Yfm{ua@cL=}8a1y)H@`1-GetT{*EZ^kTH82^)M%_s
z%-9v3X`+5Wk|t;-b|*@B+)Xj<Bxl>+T<EUzIy0^QgXUiua{SfbAGB81^wgWku5jf8
zh<7Du>z4orbO&6l8{%E%(iWd9kV9C$nsAkGou5*h#=m;m%lC02VC<gYxS7>hJt=L3
zw)orbG+`rrbb`U5Su0YjtRdNCAz`@a`FPoVnQ((HGknvyiJh8!I<3s;@W8B&Rbm5u
z>zItX_XX`{*!{iMJ_Btzz2#Q7`kG9-&NP(=31{vO3k(qXE@&t!6ygQbugHzJPUD}O
z?5;#f%C<2rG)~=GZgPD#{cDKg%#CCa{{v&v$w~yFi9#47{|~hR8Qdu5^G7j$1#h*6
z%=T&H=;W%g^ulW%*VZ=5_$f`?ll^)Oh>2`6gbB><B%cBahWu@Okb+UdKEq#lEahMi
z_{19TL+-TG$Gf4;2ZlJ*rYyhoAR0(v1~gd5kxNQcgc5XADD^wG47IIRnj@LlL7KBp
z4l5b9nrU%%e*6{NXM=VFCZKP^ycEqK*=EgBOoPqd-oc2X=l4vd+~;z3B844m&x}?P
z-;SCHofLx#(kU|@eN<Nf(RDUSfxIHZNygqeLPomNnQ1m+g#nDJ29;lad37yQV?+t&
zDxC6-3N(7Wr+-rLw)|o!;`k`7B37fTgM$%eBC_<I-(!!Rh+<&Iq+aZZ-e~O0QaN^E
zMV``*@;9oI&`j^EcDq#<aLlucw@+tbQxzDYTam@~c4hsJY!HNgX^?zu`biFeZRH`Z
z-i;?6&^w2*`|DV};ojj=<C)FGMF;OToHt!1MpWo6s7GSxzeG_kc+>7FHlfmP=?<Pf
zEEIJ-*hr_unOmO`wrQ2m((IkaeZ*(5Jz5L#%4J^Ur`a@jvPSZN7v|WVLb0Dde&k@E
znHe9Bz-A9~jjEzl|Mr+g-31&7x=$Jm2}Vp)!S<G_Wgb{c&c$HQ6TCe-e5_;<MAXj`
zgM0_R0n2W1*7=lbY4?x}MqGq#uv_dbExii(r@9B*$M=hx{7L<j$;MX>RGK7#$*0`T
zi$RdB$CAL$z8H9sF0xBWO956sb6f5%^9R3ZoAU~V?jVRegj-*~KVV%S$BZ6bi)mb>
zJg&9ik7Vg%OYYf0OLE`t`=?F^Aa3I1n%!;B?ryjt#Cac<D7_k))eh1Ukew>k{+@q$
zk5c>rDyG6{YVRC9o2+U`|GH#(vC%#BCE6VHgYGVDpoG|UDuxv1daxD~i2qWY{u4@T
z60lwZo-o~Du`Q%6K0w@m>#iqEr8)@F+3DO4%CTnjL}~qJu3kZqr#fwLW-trb!2sG?
zBPZ`c2FrHU-jnLe@%FNBPpJ1|u-JMH!}>{31aiGo(LT{MaO>%~+WBEt{Yn07-o3XF
z6#uUL%+MnF3=mjmfktw`aGz3B#iodSPv8HiyDk){r*1s@Cx10qFe@5v&R;XOh#BVj
zMCCRrX0rT=1pKM>pug{?y4%*00KNu`Xv}@s)+i&`roOmqE)w7p_H9=v(bj};vzE6$
z5cRMKogZyE3^1Pho~6sNMYAr&r&J`6il^?+<r7(f%knN%W6WMwt;|U#zGD?=2p%PH
zL{HvQv&gBkU;|rCa!17ylYMavf*@04@mG?fhb>h``@K!%9<UduK2@GumNLKB0Wwd}
z?I<}M2)M)Do@MMCP>S;<SX#0R7cEz+D<%@FS%vXO>BkqpsYytpAfjp?K;U<tb^4m}
zrMAz6_Jxx$(d0$_b}5Eaxc<t<(qpm6>yU9B*g@%0|5h+dF#s_n?5Rm-$QtiMG&?%U
z2`zUxNtklvk3tgtutfJ1umZK>$vP5W6G+u@qYSX0T`9>B9eSjQb8EDjmv9`O()p;5
zm<yv?r`c>MB1OmsSblWy!Iq|~YE~G6bLh7tubQPXNis=J9%nte15_9F`j-THosZTd
zr>KU>N%n`-_~TGNIs5KV1Y<Z`lkLf?P$iI{Hk1j`7w>lH+Wn1%Xk3;G2h`Uf@>CA>
z8B>nyDUo)B38`ngU2IseoynC3J*@j;-P9alwXOLIEtjTlw)OBnjNVFQbo)>uoCmBW
z({6~nN&tIMy-wzQ^YHcWZ}lM3z|GQNFeDDUghuPPl#K*Gt)<LcpueDh+z#R?zFoZw
zwjedrv1{C!qVh^HZLH+)<GQ2m_ht(BQS?HGa^YDC)_6aO3Ksd3T+($Z*o+zM|F_aP
zVFtfC#+!Y_5!ef<VgU@foEvQTTQhK;52*i2!wsbBKz6q88O{3j(=^a{b8Z_>Z??#Y
z<>-YwQ(3@_eqjhnfJL^jP&E?4$>-tamdJfl9w$IKtuae!08I{&kHLoBi8En(;)ce<
z1tr)AUTw-j%M7C~oPb1?EYg`Hja&X3V+9lhQ9zc9=MS+n_9Yh8Sz%W%d&KoJ^i8Or
zc@}P!611suO@fM`0|bsMD5%oY^O%h2q=Jz?%~68ZRh1GU5ewS2vAUF8ZfKftc@3~L
zO1rcJR5GR=AFyg*-&|qe-T7+PXWpf;g*?~Bc{imZoCMYK_O!zBzr^GBy4L2oTXHtu
z0?<zb<o@LEON;~`qnChvri#cbw0Xnc{#N5izoK`Ep23U!DblRf93ALnqs@~-^b>Tn
z{b{xLRhT;z{E!AVCV6q55y<d{nd}0qNdud>-L_QAo3JVb-I~Or92ng>RZ%hS8O*D3
zpTxtGi}QBgzq{7~cY+>#vStHQQEZpvvOwipF}7NfgROnNi_G|#UUQ$o6do>Z4HLWw
zjq!N0{4F02MR{_K(7nz1pfLShU`S+<z8}`OfHYDd0{h9Lu`fCxvFy+wUCONHVLFR|
z>ogFbmqaluN|y-?nZ^^*Yu&Gfoy!tXF*qN_7z7&V=Xk_=GTrc7&nVNU3FFI2Uov+`
z8fcABb%2oZ|2kdJ!O0zZP$H3GTUxPAFhWi>Vd4C(g*(Z!EE=PC&h4vT6YhDZ)Okm1
zoq)F+KbCa+VpC+jzMjYvL(gkL%>o-!a}RoL?$}SWP9E!_`2A6s^1114v|N%-Fk)-5
zfi&%*!iZ}+UoN(&Xy<h`b}7^NxxUwx5sD$70v4;xvOJ*9cGwOF$z~Z209{WCdQ^cm
z0#htwF?w%`_w95f%5Ke^s*c24-4d`gjotnVRK6wei$LHBU|&yiB&uK#3DHmA3W0z<
z8WvZph8ckLGGx(6phxVH<TinVrd<01yYW&@bd!lh($oL*(p#qiK;|PUzO_i)+kka+
zgUR_kUl!K_TIb&6E*56zuasdMoHi+GU~2>Q!0;j1{l++KAJZuF(4k%SkDTr3<9JmR
z#y^Uq*p?&laeMgSSPWk_I~DAy^@a?*W$h+S2t+$v8^^!%nRuV+j~BV7^k@+qIhMe0
z?=@(uKTSz`nXm-D6FPSMbemR(yWC2NS@0z^y6Ts5B2cKgppe;mUZDtchbplY>%bar
z;?UVVxe!EaZ9S(CtC^5r%sUTlAWun|W+Wf)|A?8}<`|91=QI2_b@_b-*mm{={WuZW
zwrDEYgfu|?YONp;gTjRJG=1w@l|Xkl|9Ks5){S3$%t+FHQ<b}+F}&zt69U3icu}5}
zWfam(^7$y4o$X3&DCAvpZB&iG$E7?FxI3c)w?O!m%&r|Itzi`>xchNoHjTjHC_*F3
zRY~x3Q+hk0W`q-v<`>NKg)C(UJAn|}P+e-&Nhg+inuD^A2t}+_vjO2WZbt0q*?e%f
zaXUOz37o7){C2w$eW*tUdl}T%=1qGVf~~j;k%Qj*TRZx-o0)#a#$t!7bx;@{GFY|E
z9P46?IHXJhNY4LkJ$%_=Q8;<0@lh~b1Im=@{^r-?xk0gEXvLJOhN47Mtu1jqkulf3
zCl65MAM3gwwUNVK$(A}Nm7zP#q?}oEG(;wy&kNkv^eDC|y`5Cp>y_LM+U?Cz0h_16
zxh7*eG>-Xls-f*vFx}W0Ad+#XP!=azqWCX$?sI{)7(KXWc}BZ&!hd16A|8Pkw)_pW
zi1ntcgl0`NOSLt5fIZ8vd%#Jj;*Ji4wOftl-`M;T1yo~y6(iKKnkME_VsJ%2qXl$h
zm6nt!N`T9W^8Hp=^;#h9hCLmieFBPApXZu`N}{cP>nXURCd)JeTb%U~WqMXPNM>+g
zq+V~b9}4-?)a}8uaA1Fe8p1v#6xJh|^frj6G;OMV+(22I?o1_UYHyfiw(`2$>Ehu7
zY;*eb(q$cg`@-v~xY=OH&xP6w&4%}i!3eC4as_s2H0Wm@dQ+DKLK9y{2s5g{I^r|j
zvoDLEDL2&t3dtxgYz!!&7=$#62DJ7++yy|+W=H4SROcp_qcEM}bg^~YbIsmNQCRy<
zvoGytl;*WCy1P`|-mjT~a2~?Kw--;jyLz0M&gRo70RNa1yggNOi2IUFO#}M7^8K{Z
zsNa$fu-y&F#RrCVfeqI~E+m2x($Z&~K@-Jq90v@vMVyYR2z8RVoxF|hbXnWz4+9b8
z&)iOc8inj0p6JK-D<!QoLBeeQ8${|jn{TzWQJ;fYAooe%Rn#5XVpzrq;`om>phGw%
zxSsOuWy*`85YyJ}SHBX2bMnbx=($WKXh3goTIPrrx7Vbe7@Fo!Mi$zf4a^<oNKNX5
zRVXa$n6_+8A_-!EXljgqnaU{O<!P-AVeLHlFAM)4O(%4$7VA{AIfd>pPn9z+TXzFC
z-6vRLlym4Jo}_|a@1w^G*a%r!I@{TV!HWV2cslw0ACr2tBSGLVuhOvug*bs<&DKq7
z2K01aOp}hjapEJ8Soe8Os_AoQvaiE4jmCb&gyl#Dsy)fEF|ghzjN+%&uZj)&t5D8F
z^_AtrI_t8MF5nm;j0E;H$F?vH)E;ejZIl!K^v8qb_5+@LEF5Iq|L(L&fRg`wQYb(U
z`Ubi&#f6^G<O2_;xpaU4*)P=cr;2<tv!V+$UHM-^_v>FnM&|ok(TccnnpH88)FF`Z
zrn9^U_DnIR@gz?;ra>YO8p2~aYld+}%<LGK$3HxIJ60oQ?oa)i3@9fxN{yC^b(fVF
zWT?s_a$c`7ALXa->vwPEe9NL+CAyHa_;fs`e)e-gvLa%3kR#SBFN4V`foS5#>O0`r
zcST1Gj~3WR6JI{?aG9c4ck8lC%}7p^qQMd4!hPcMBrNMGUdltccVuM$+?3`0NU{0$
zF3eGzLJsG)iG@yan&KwXxf9O9%9FwG`CIe1=EFxy>CxZaZe65dB+ur`Yk#@_T3JcF
z7=YHSh>q1xC<tz*&cLoV%g~=8;W{ZkZF`X*0x*|*g#uiXS!}tlwv_5v^PtrGYRne`
zZ+6qsRu}j1+TNC27uDaOZHh45qoK4rg*H_2<ss!y5W!d2Gq!Vo09*HNVM}#6&aL3^
ztqSnP^!lX#BLMR_o<-uoa9|ApgaHHK8Q!p{L#rw(@+SGU7t8bWgXha%d_>Dji)nDt
zmgJtKgkJr|sWQ~39@5Qy0<Bo%0I4NrN+}^WMhu|Kz5>zjFBmE+HliV#c|4)&+XbmA
z8EG=KFOHfsIZJy>dCv9nYcs8_xKB3o><#s%(=(cWuS(+H*cV*2QXD-SMt-NUrsKj+
zH*E?tu3n4BskpEw(o2^<u06a`fJA;@%>rp4AlZ?cI4}-#O#I`+1`8gih79B~Tqm@F
zgASxXFn35u4ILO5C_t$KXt+s-w9%7m$QXe6_`ad<ake?4AaRJZmGtcWUhQGh&A(sN
z-=$I!g}qz)j;S@YDiM_+^Z>hmI6Rj+Ejl<4EhU4N0Qie-^+JB^FyoEgo=!Y)n~SGW
z30lN+GXgbW91c-%>ZQGg7P{GPY%$Kc?WV*<iXVP+|0wY#fDn9gWqAG3o--L7;95MA
z3p=(jrdY>wy<GsHUL*%EeQhp3c}TXbh79sFq-$FBBD);x9G#o9P|CB3gk;cw-P2A2
zaC0+nF`l(Ly8G{AQjU&7%XdrGDyrRuCGr^R41Ez+Vo9sO7uFlk^(O0Q%Z6X5yA&pR
zZe%oWK_K~;u-Cm%3m<wP1jRQ4r;F0$=F^R@o`SFUXqq<Z915oL^FM|oj0<$G4dQcy
z$VF#@&BaD(?*q4uM+eW3g2L&c`{pFq_fAWn=FJ;!*#rx0FWoCW&JRTTx{oBRv5#Dl
zYaQj+LHgZ*A@)W2X22t;Jl$u2@BfK&AFXg;6LW{*G}m@jjMl;fGkReS|2&G`eYw9h
zp8ayz#0fo5TADB6ENW3G^>~0NriZ-~aflwsGWrpT-;r181wSkdOCo47yZWaEUim6h
zks3NG(Y@Wf4rV+D<htRP?sk;z6PWrtMynO}TJ`$|G6rnR4x6gJB4}Av8N3Q8G$`_F
zye!~S4+xQ2^p*sK8R+j<m<a<w2<{~*iHWXj8G#i)0cZm7lGaq0x~<(dPWcN_lCI+H
z@s<psQzwS2=HcGfiyPxL)z0znWFM~!;(_&eE!w`9E74byI_*$FDXX`|Y45^38K7@S
zpdq4$9q^aG7b&3ygl07}4LM^zeWIED36`)NyG&I;;%{~vV5@*}^=!~L_>T%n(kPVy
zgUataF$U~_bXA?J;dIq%t2F9Rue0sy&9PF0oe;=1n(#)R%{F2#Uq<!Eve>RC=9?j0
zk>+F>X5faA*K6+;Z4?l+_GRU~b%<5<CA*V@iKu>wD6?-C)*zXSn=G7HjdeFo+|Y=1
zByt7d9BA_+KWP|Wh3A+Zm-3>2y4FyStxdQd&7umK5+LFG;-R}SfLDy4$8g9H!|#r~
z;@N~qwZ^V$a&cZ{pT;!906$Pi=f_E8&113#e;jUlzr1#`y~p<ZeY+GsO@9F07on`h
z5-yiE=>Y{<3WOF3M86F|2<U=bwx;vxYfhSc6-5~%nC8&$;q?y>h@~#xdwk2zRi%Mv
z7l=!&bGqWvBDX(4k>d;#%n#~v4m^6X*5wa3Vs|CCn=0go<>o5g%RaWM4RtBFHcZa{
zdcLx$x^oTf0z93*Wp!(-$Oo~qvciVl;yMC&IDp@>x{>88);xjlQV^a-#amD2hGTQh
zQVr+$l{d$4b!4pMv8_~ixrIZ}dUm+9yOs0E@w6qQxGm(qB63;$Fl-X!v&H|KsgazZ
zZa#LNQ}ycb;s&4cp9enQt6d90tn0WWCnp2Fc4HFNyZ*vhamb&r6Oe5w8Z+vkK=X7Y
zaH8Z=6(%ivib_-Gh1>L0x)m#?YCf{?PhX$sx8^ww(x$6;yg0AQiT#uye0aYQ%NgrL
zTZ%oHN8aYmKIX^6{Ib<N+BDN896pZze2wS7al;1@)?${gR>$kak+h+4rLC=<cWo)}
z<b8&bf*s{=scf{z^V^2CXWcd&7=I`s0m=!zH;<jIU&|hKMQ5vSM=@_5B=R%Vu05U%
z;{YFTMhwF1C<?L94EM|_V2VP8>Fx!DZNEAKzolFheN*LMIS{N+@@GQ>t^!;Sv3(5C
zfxf<v1yiyNZp;9>bKQy_nhyFS0lu4==-~n0CsqGM+GEnyj9k$HjAHm%kaP+d<te7p
zpr)o}+Pd1H4&vSTk{7A7w@v{Q@I{n7#UA`Z4o5kjq7NejiBirYlrH{i6&K9t_!omL
zcn|pQ&3gX}-w42J`I9#Dx3UUe-ek=pI(sl`{j=(6xYcP%UZceWu}-1J!?yO)`N3Rm
zho}2d<28)$A4}3hSueh!98}@AVe2HrHU`C&5oiU*1N7c&8%xIbX_G!iJF3)g#{Ye2
z`CS+Qs1mZdEG;fp$XKld{E_3IVo7Z5GA{T~{lT0bpa<h9?&XS69DIim>9~~wm;36p
zjJ)0GHsv`{Q5jFkPUnfB?dYZj4!J(_D7b$bS-`gr<xNn_YUi7ylkvqNL(a3JriHCo
z!jkAWr>(I3&&ZS4Yz>R*I?8d0ruAMVWp{pwUFVP+H(JajC}4AQiK95xEwr!`eDGO-
z<f8mrAZ{}n-%c}6w<Bt|La8~0=N_s~z-3cHxICpiBL$INex6S4ikw8AWYXy!%xBNQ
zOmSP~$371h0S&jncb-UK!*a?IiX6w!^f&X5cy;!XZM_67@Ln>DjpWd#ra4VBtwU8@
zsefe%2TXlkEJRElz20J`$N}~UEZLJ_1!5=VdYo9};j*9=vPYDIe1yp0hpuX|e_C)1
z%)Lt$!uaFGDrkdxdxHlyBH`Li)*mrT%rz5BWFzpQzQ@yvVFs%*)p=n>mz9YSBnB@I
zW0Wfgw{s?2vnag*+6qs~Sohr3X0GbMqC*c&I=S7l##yu;MzBrCz{<4t^3EJx#e#U9
zxm5a}h59_tFTbbtB(4a>j|Z;oG_wZ2w;mdBdq;JpUIQGC7YyM$2}6Y*7R;4iX2T(4
zF7EHmgH3zjw8y_NYuymkk*d?P4;AKjKmMK?u2BrWgWthCrZ%-uETb}ECJQ<FoK8Gk
z#nJ+2!-lO14s{&I-!;0u>AGiL-~*9kNw~>K(8(WZT-)TND|$u%|4H~5@+YPOE3~I2
zhD`<9s_NWyI6P!jXCfjatE;M31hKKG;6i8$U~@_-{%NylHZ?0gSaGHLathh)_)+(v
zBw@P=o$dVy?FTmXpO87kn+(*d@$B&*LqvOoM??`~g}x9G5))XY&LF%36g?$hIj}1(
zfpzqsSF9{N3L-W|CM}!>QoebWW(FJ0IJkz_07x$=SZPm$pWne~Bc8RU->Cz>xl!-9
z^=$ci2?h2QExEQ1v=NpXbLRPQh-u1On@#nUeB5$ZRJ0W(*I@<ep%GZ0zK&TI(k@Hn
zS)>uDUjJ#()B|z0J+rT~S(r6?XZwaz#rmXRQ{Ft1nF98~CAutMkMpcT1G<37p3yZF
z%ESNBC~ERWZ}ybAZlOgFA4ca~r|W*IyPNWGzo>%q<X;cm6&ooAfdA7;II!gq1m=VQ
zyu9}lbb2pR#0D_Qf5v=9BsxUnU3%0NoC=SguTFU!J(y~&wmHUlS}YC>&Ul<z8INIP
zbB4T2s3Vz+JFR}pgq;fJsSa01Ov0U=Y^ELsnw$+V9L6XN<{rl=Rx^$cm$6ih2vm#H
zOi`N0ZCe;Moy2Ox70_NiNQ+x7`nx#wt^FOk&0L4ibGK;-tE|UYTR={KdrJVj^Vky+
z6Dzz%aRd6*Z}yT{rGTY-s$8RvNorV?LHES6nnWqxv^knG;jO(bi)JS8_qN_kJ%B6N
zwCRDZ;k~aN^H1QB!wr`~M6au@l^PtT?-*#BeLtn9i#=esjv8ZpI_j-gOz7TqQd7+>
z+{+Vpc>3l!vU&nPC;dLaNPd0!Aikr@`9`*vmX`QR(Ckh)u!Yp>qCX;(J%ONeBve~g
z)eVLn5VKw;ULNV&x-9<F6EXPrq|^^+=JZ_LHrCT@_x}`xz|EfTC6!=P>)h&VYu%tw
zXxgPo5!SJg3|jZ<A^~vy143_^n`}VE@C8z-kIs+Ct*9g!_JQymZ_!1>?+uGr6f`hn
z`*g0;N!9G?9ZTO1FrmZjzj8jsrZ!O&qw~$JHUCsNKgnn?RZ8?6_hnhu>1$p0e#ufa
zQi-}t4vQxHcHw~?sGvkd+ItiEVjIGT&*Cy6%^=Y3b#L~K8#pkG55nVkCm#iX|Np~1
z1FOFG_!;Z+FXU-fynDPaBJ@Ec)v)r$#31IyeW(gL2|15p#|Ik)CjP0Puf4*Q0K7Zf
z2xu^7UiIqP`t}E(zs1)(iF;zji)b^rc22tTd6F?K-M#9#q1j4SNOfk#wP1>yYR3F7
z8kGNUY9#PQsN`pdKt|kvZHS2vg6L1xo1@N+CRnMJP@!;>iJ3lvQlGt_ifF@u0ao3J
zLSo%vF9-j<K@sVnI#pptWBLRb3s#(xnyR+FN_GeKr_%cVGQ=p|x2L5B;EFSc{IEwH
zSw8_|9zd<1WS2ui#Ya^Brx?NoTjId@`T2p?oytllC{$bz?dH|(3z54EYpssC@%gIU
zrBqU3#*V(rGc#B#p4xLQz6L}o_4Q>&&i#C!+syhmD3sByH(o^9#)O*oD!rv#5ill7
z@HfxYv%8f__bJJmtu6zg<B*nmaJzwEFBm2Ho%o_sGE(BRtTt5ww2z~IU8Grq;W%w~
zS61pWlls_C<>odrhg#~eeHzXIrR+;Ls$zKxZK@}S`4GT%3nxL}J;_M_UTyIGas*7$
z<tSVc3e33(nX&F_2epBKKMr1nWxBglC><zP0OP}v5`?@vdm_Qb)~k2BiryvFmN(QD
z6qt@|6n(ut>cR!3WkO~31)qMGrls=RD0Zc@4x;0SZaC)V<w<4n-W<E4Ng-UoyebVw
zBy5x4{}JN=llptL@8zdsrFQ5EVMKwq%3<2ob#ca6zcGNsmEh06c(EG6gT6(Ll98lL
zzuB>a^hP}Gb#~3#qamSo!tVV5LGA<wq`&d?Z6hQ+`gX$G6E_&Y)Si9t+Q`Sd4ZdkP
zCPiySUNm?+F?HZFBV*y{sMm-)k?Q`%{1<Y3udA$A)3uK4_hv=YZv7Zt-nf$lGYEjc
zr+^6H6FdX4mdL$+w}{lJ<`3^V$`@Z$)qTzR?LVp6FT=ya-lH5&4}iV|&x0_8IWo7g
zV-GK6kH(y95fOX+kC#3}=DJH08<eF#SbXS@{cL;JYCr%TwurLeltuVRdF5ehP@2Vq
z1X15tlsz43X=AqKwY4M73&_LDw*G!eNJCNnIw<MM2&BC1UI%h=QgnH&^#nuZBpRdX
z%gL5U0$D_<pf&2ZwwTZ@OG{yLfe@u#=R(Ewf2tc<nEqY?kaLftEgDuZ061-1Nc3?4
zM?Jrw1HX6x)@yC$@<0C)4a_h5W!9qw(XD9(1tBG<D1*l|Tg{%e!nKUB?Il&2cFrzy
zy#wr{fn1%e)k$>Ka}5(LJ2pIdUqgXu?Ga*JW|QZ1U_Aq|u+lVFE$4`O;n87wCCSRE
zly+o?9ed9nyPBr=Lg`*oiVhRF=F`NfoIm7~6I})o%ziDV3;LfKuDY5*kBG%(b{t{o
z^@)umBgQsRgCKN(PzwQL4+exh&*)pDIk=w%BO%?K-PUmX2`_ZFzO}70!yvL>iJQvK
zo)UXZ)ydtpQqAW;%M{Pdr8hM);wwfaCTbThVY9mNHl$mb|FWytE$3vaCt+OUHcoOw
ztMPgCaCXjm%Ol<|m_GBus{0hX`b{5vA2Bfq)z|H0KGxsD;*X7EoJ$6TXHBb)caJ|T
zj}(qIGWc@_J)m}FKCV>{M94;7wtUX*1T6CX8-*F&ckd_|cQ0^7+~%5mQNGgB^)b;y
z3b}ql#IPvq^0#mF7h=Sw|9fk=CO|Aw%}6&bN*^JYj>hAID%MOD6Ts}Nbv&g$v3ut;
z18Us&oL1GZkF6<yd%&g=7Snlm>=57Apr4#VPxDxy>19H}d%+d!hiopE<|ZSv2bCiB
zNeROhTpyM@6>et+yAvEA9hsP}^xmN<s7A3uJ<jW!ngUUE84JVgXT&vo(aBX>&^N_R
zmo@LopScz9d$ka`bWCeqP9!d<E)AVvxX1$$-yZe`lM|hz_f@N{XC^8wVXh%@`%S}>
zrztk%u=nl;%n$@e&{Frg-2b=-0j#IkI&EN(A3UQo(=@V&*RzMmcsm>2_2$|tVPOFf
zTL{#rhGaxl5t`{9vWMsH&~(HPmOMFdQ0CB?8jzKm?9|cl-fC|Pj5L{S7hndJwq?Z*
z_ZP5=5>Qhs$jva*W`jRPiPA7gOe%SA2{*~kqM=rut_uz(Z*t$c?fus5IWzM*?+_S0
zVV)*gr2yOUt*s-?+Tj};O-aJgbnz33oxJ7M-FDSbmfGeyJ*#EL>GAPQ3Fzdff?x<K
z*zmmAdIEfHb=TJd`IU@}jBV#??_Mwx46qpwjW3W(Vf|>_^**wCm;O-^zOuv%BF{hX
zvOp<<t|c^sT1;;UddVeQ#*D*1tGOL*mA=jxKhmHgVHpGXoZ&P41R?0(w=*;x9PO>F
z($;*=j=l4VU~Exq32d=9zp!qbLEns(%#ipd+RN&`k`lkPpO*4%*KxwO10TlSZ3$^;
zY8U;1z8?wHfIq%BQ`4QhUB)I9nT{dZ7J@v7+hGtIuq3d^1J8WQ-0w|q#Q%MjAZl<I
z0gOk#!S*`dGr238fBMu;L4-}!#o}x)sO~tQ&4wxUdD<g%t`)@?6bxZ&;V3Z>nMXQw
z!i&<~9T-@_0s)ZM5X8=|OEqNuXuJL{@rZ0vj6NOMZr03M5j`2E>vk9JdUPQEoc5EI
z7@PoxdI*^iGbCGZu<5^vRu^Vdn`SS~qjae<-lpb<qTJg8#1W&FGYboLMgfTUc)^D4
zohGwqtU+R56EvU1FE8B(SOG?KW?DJ3P7@&-kZZYs>jRd4Hw-a5`vu_2EMNuCsbF!`
zv5t62bY<MrD%3y(wn@0QMcQr$iRH?14CRtWH7*SG86tvSpWP6AVTr}@ebkg`5Air#
zZfP+zxdad~qpjo1<bDuy{jVk+J$+nS{$lqEpA;UQ_s%wgrJZK&ZtR9y;MB6`ZC9k(
zvA%Hmq8CK<z83e;hx%>bH>Ph7zh$;Q%!|s7)-KJeqzJUgk!#4-fB3NFCe90z+Z7tf
z@%&0v9=7?)ema`-yQe0M$7tJuow}l@6e}JpF=^$^nAA9lh1>jdCl?H)gn|N<c|M34
zj}WO2;Lw7Jk0|u!nP<owqeYg6Mu%!WxX{EsFsUdd6(hM&x~RIL05JMx_ot5dO@gYp
z{r!8!#~aTbfzwFH3*-(S!GC59G>BuRx<JlHTZCXV>_P(E5<E|CyoXmXkL;H>hJE=3
zmi3_3mAIuVapB>HO<M1Fj1Coh%X+=qmaJL=J^f=SiE<Zj@gW^Y=#l2{vu53@Ph5P`
zB3D%fb+cZ3=1&KN?U!QT*`R%k=N(ipHQ>IG{2g8L(YZzsMmc!j3*t*OF82f;n78ie
z^pMUTp{TxR&ewsOCV~#UcZMcQ)q|d5uYKwIx&zbjMeOWY;{d~Np%Z8ki($4^U&wbV
zs1E`71rF>R0l0Dk{;m4=bqy0m7_;2X;Yp@sKy`fVN4kq`51L16{ZfEQobjmiMMQ9K
z9h-x&Ma7mcm1{iD^c@^@)DLT45P}^Xgp4GzvrVmL>NHck`XObE(AM*lZb-WLEA-_>
z#P*bTDFGM`f%!UQG&O1A#l^>Sh`H?00Xwb!bF=cyMSe9BZ&wagNaug0%)IIZdg5@e
z`&ZOsfQQOkO-1Dc5m=MJc`rZBx$x8JR*Gi<3bL6Pb{+l?!^NHWusBif_u}V~Q$V9_
z@XA6PNM4=;GwNN^IQiRFxjji0-d{xlRZIcPzU^u}9c%9BhonCf8P+B4oNB=bhksGl
z(~Gq2MK78p@EEk=U5X5E1NCOagEOUAK&|7K<TlMGD+B|@v_B&tR!F!k%)ENx)9L>%
zalw2!9KQOZt4%Y@T2EKkxNG&>CyaUXx@wB&8wM}u^|Ov%kDhTmr2k-gskIB{-dCr{
zA20Gq2<gb@2w~ZgD-I8tXm=b@mBhUNP?d(@47Wr;mSTZJ9Q+^4X=2;d_Msv7sqcGk
zj#}xS?$kFI%FK9qFXk3;>c&Rgdp}gfnRzl49D&%iIlr|^^l~X!hxx!$lo}`*GZYkx
z0quu`&^BzZxl+@mJRF0h2;%#CH=pmjzHGgxzL%7Ckq_*y5CZvTL4YMFz<y$5{*7-?
zl<VcWh|EkT0%NiloKd|p@8GZ60>>b&XByNd;Cz?&&qu^@Btb=Q#gkGrSa2X(ESopI
z<c%dPC(PA?0s;@|s#5tG#ay=ArWO|3Zks!;EEcvIV7z%rqmuMpopwrYQDF)#$dzzl
zL_6qO4@lH&?kl&=xmvf|ybk21{SgS=M$+}%JVs&Hcih&W8kj@sowp-H<z<#H*!f}L
zi%4Ku!ueM{zXq)+6GU%o?gd9uXu51a2@92fxm+2YP}1ps^RZi7>xu|9^rhOc>}#RQ
z7WnibdGKy$xDIL&IfQg5(XGu55g{kn41OcuYrw}h`iMq)@C7e#NCae;Bvc9ikOB5q
z;@{lW0=FOL@_~faZ4-ifdwQ1griAdpkJRknPZnFub5Y-HflJ@0Ia(+^C^zVv{;JGT
zj1b;jm!NRc;fs0mT?UtUAj-+tAhW1cz7P;kgInZFhsJWw*b=9t?`{4zp_8|`9Un4<
zD%=$=-RNWi(q4uBiOgFDetw=sz$$#xUEv)K>UsKI*e)Ea!osp_b9rE4xf#JA@#AB+
z#bq+-Ajv97pQRnf-RKyvxu)=3wt?STv5!gC2QmM(maAAZN>|%ozmG<lvAe_n?8-0m
ze)H1@9X8Dpg|+BFuiG&Hvrs#^5QD^kOwSmnjMo+&r^(58)aZ%9k9bO-(?MSv8uC8T
z#)2G0V{+~~R#8`Q43DO}Fkvf1Hby~VNbCPyqLKM>fc&K#gI*iVB6UC7K?mbHKJ|gX
z%OMjN6PllU?v_`1mX*C2uPI}Ai!6_doGddn7a7GReN<a!y$6YRVooUA`6)XQ2q{bx
z=B3;Wo^4-2xCn{aX6LTvTXXW1-cQ)r7+Bce`}#GOrRjdt%nfj3W+o3dMMmmXyyUwX
zo*VgaX`5SlxL~6d(P1>6*ClBn(F2dYZ>lu<&dy*_w}Mt`>f&T?9bITqV`Em~ChsVx
zcIuZ*@8?T{Ml5+j{a{8g^n9w(n~g)vSLu6Q-E0}hYFJk!EHk=%hrdA`k06AMk>j5Z
z=}@FHwAj->@H=%`8K#)~qqTM0NDK&K=?h`wDQ#6h?;|C(D-$+X`Bi1rTyL8}VO3P)
zcl&rpV!W}Q?cu|hZZ;McRf!3qj5Q@C`OO|s)UL6~20QzdM3Vcz1+6c{s%!P)t{%0m
z*n1DCPyKsItQtW>r67j#AFeP@*Ee^}J!NL#NmQ|bc_~-3h~=o1q#8~>-28Hry{yU3
z#J5Nct9-O<Cb;f|SL6T7y!o<!R<PIZ5}Gv(MSswlGwLW%=%Kp>@AL%fpfPXm;4lVo
zv!7fqfa5F%fJtLWOLKE|aARjDKEN{F0}s5r3>N&_Y$NsT+3h?xtgky$NxgNu*y3`Y
zPM5Sa&uh8vH*fSM95lqMt|}_u!io8*%^u=x>pb)K?~<0~c^($>Z4eJA6nM!Vu?^f!
zx4EJYSH_i6$bENaNf7Y55nR;V0xz3Ew&F0D{$GbHjzE-@fP%yZ(d@pE3G}-0Q9dDf
zTgbDZ3?jV=!m*%Mhk8n0j!aS(qa}lXsu$YFYxbHb8^V6Me|@Aris9$^#w4<@yvaYn
z(kJ<lnTt(^f6dI2JA-?n7~%JHT6!t9c<M+`fYHPxu0UQNtU78+RZ*$eWFeAi#*zUJ
z<5K9Sn5(F(8(4>f7VJiZp7p@1Yu^)l&jo#4d-{ufq&7@)WYJdQ;IWJXNtX2$#Ai;l
z$>tUg3_mW*n!*E`JdXaahzA4d1fbo{T)d8?5?~V`KPc8$3hZf6cw69DaGmVEe{n=n
zoS4T|W1(*CZuMf+<dLYj!KiPTd0E6)GK%h~$Pk!jUY+PAJPH^mRm0pdFdb0Gl|Jjr
zscMT7uI7DFgAcmkGu6elZttFI>jl*`OOmBiG}SvqS_Vxv8C^MH?CLUmHvVZe+^Mu2
zYfn~Xp~xdJ>WyCww$av^dioGz(^r#UT%6F6ET5pQ^oWVpB5X9*g!;Jz(O4UC3rJ>$
z4-1|00W1<uZy&080;(3o8vpa=-z^H*puu%;@B~-P<0ztzi;D}Gz!BH7N+;wQ@T7Yl
zDRU&U?cFMRfhYaX@5i>hq_!J{qMIM}cJOfRU5WzBL!(_@48PB8U3yR{()H-qVD3NM
z)_E`-s?r|Ou!7L<$}Rfjyc9ui#z&1A0}JKCbt4LHJR@HHsHgF@;(@Rhe);KZnLh2u
zzV{hkq#h;Hn04Mo+&U%w;A*mxQ8a$|{BDr^<ib$qw>7#2p<<?s8{?FDB};obb(235
zL!2s%_Q?caDM8m>z6IEk$mj1B^<x%LHyI>s?Z~qnN$o6oR^zv7!bx1}M1~*JF|lvc
z&kyP)R}nMeGk;kiS(Ze$GSeYtmOlOyK>RfJVbhHOofrGg@5T4=Q=+JJU*T3(D2U#@
zvpH(hl9O9+CMwk*90Q;CxqPvXH08u$g21F|zWs2!A@#kc;`aUZJNg|gTpXIklCFDu
zoeEPRNSc{BU5L4tlp|P5Q|Tk?SIbT6iE%zd<jVG4B6|HsQ&rh9H7#jqM!`1}uG%d}
zNu`VQ#xu?0NhPIeHZ}_%+0c-HUcX=mL4cjpaeUOO{<Fp{J)--O|BtM<j*IGR;>QtC
zLg{Wn1VlpVT#yizmTsgQ=~@~DNok~(?vRr1RAOlmSQ?hDC6@kO{5+rM`+a`j3$OiS
z_uO;N%$%7sXYQSO%d&kzI`>71PGGl`rlmN&@>6^B4#@L-UgEYt``CFfu}s)}Slh&k
zBB<}9=rcOQLk`_$tGioCalL9Y&Igwo9~K@(C;Ba&1c$5JF1At$JbrvKJC<in7%S@@
z{3G69-{;r2`oqU^T~@@eto*8on4u(bKZ72tPdZCDKQN}=jEz6R&U9(tL}|ny`qW-%
zW0_iS2P4g#*cZL>kAe=CkB%X7jjoTes8Cf@6&DAGelSifyq@f$ivJ)p%0em4$l#6n
zwN*XB08hg40UVT-i;H<=S?%~PVjoEzL<F(315Q~dG>}4-jGVai91G&eY-OIXxA%9V
zoDFxqD13Rf`h8b{u$s!aqkJa&eFRPJGfdJSpB_AXtcNZw#1h7E7S-a{l4-<gA+>9i
zgd5PpoO;b?d*{Cx69~8^9<5n7X9e8wA!d7yMW^AGb6ALQ)MCpyR=`utfTz6$y~yj+
zX#+YjkEk5GNH=it%tY0Bk?$`1W=A{5L(#^EgSbsYa*tb8>#{CNU(^wHvA(k9RywD{
z$U%cL^!@S?I>~^cWirdPKB6IaTL)Q0+6@y!i2A=`52{L*&EbaOH3Sqs;(~AUS8d3N
z3qSLQxiyyrMYQb0u4A6eUvj>|MR}vYbt+dn0p8L76gu`KEAZDsU(BoAJBCgARopjp
z`;BR|{*;C@etG>hbx~h%QAD4$$Pc5}P}T&J3Zfuv#$7+3Chkan>d3CWSSO>1!{>E(
z5B`X1fS<&%*#A4R%o4w)SLTQN{&k+e<Tc{>SSd6dTad!$18gX3O)WKUgYm95h)uGJ
zF{Xmct-}hYyuUC+vBvkN4qeiM<9H8zZCvktwi`UFE$Sts_++%PC5Q5|e6IbaMwJV5
zwf$X;CzH^EzSIdd4Bp~&UcQfT<#!txZY>w?-V=69zl@&d7@kj{hE>DyrATIP2C(?f
za-Qn9rVTNCuTNQ?b^ZJiyuzE@yb<<QN9pB39c+5|q^Ur-`;2A_CsjKv;W?&SK`N=M
z=&#$Lo%iS1t8r0{2{e#{y(q;!<vN$zUS{K$1u*Qtas)*ASDKy^?B1(!yTjP4h`lH%
zN`yA|fr>R)z4K~f7SfCEzMoDMlS&*T89`YUWi$HKc&un>q+IGFN+?dFUs`L6xdi_X
z=z$PL;fVhy4Icl~MnM%Y*Eh+xFHRE69x;A_(U1BiXCe%EUa5G6fBziiY}|Tf*R0Lu
z>R$YYizy%1#F)SzzadZvZ#~r?z3zc*mf{%*n?@1iOH=t04|CI2DY-Zm&(3$vY&a)n
z^0*cG8X|N^=d5JG(HoylzcH)+`gebSP+^D5XO!oM!ETL4rmQd5nCYEL-H5|Y)JRE5
zvpzU^T=f;-*e^6Do$gxmFRFc1Rh_6*@g2sXQgJ1t(%;We;d%a;w1U51%x#~LpF_9)
zqfQC`peXvyw5`RXbhcmD*Ql$%J~L@Hc!sBZOHEQ7$Y!;B7BC66zEZv>eWIR_Uy%5X
z|5ujxRkVaEeP0Zb4UGsr@IuoH01lZ$k!>quKK!Ru6oxcamcUu$y!lcn`vIzu_`;{#
zngl&d+qt5C`dQ;^feX^b+v~OJe8-7B;B{uA@&eaBW_mg#F%Ss&_dh~WZxvCu=#yg)
zjy<~AD4eUQ;Yp`~)Os(mqpcEM$N8OOU5$@CD4QN}R4`eX?+0(BR>;Iy7!!b!x*g5F
zEKIORq`DIbdV4_w?53V!3Tau4_&aFigxLAvTErO{&FHPk9nMB8nTRvJcsh7+VhDfO
zrK|Dnd+~OcZj!YbW<Ve9?o>~OlevBIM;R>2xTx3+7^)`vsJ~Xum-6TESdmpX91~*-
z%jO6k9me_wwm{l#Z)%}Te<No7WYE^^QfoL%L0(a~*(UN^iN4(nqCVP*&6YCb5$^B#
zDTL=8*1G8%V}gyvw9CHvo&%?Eewh5p_gbGW8rQ<-l}l|+cItm0klbwbI9%9`#!q0F
zIfYnP3(n!;9?WZF^d~pZR&}s>Wrc9c$q6xWTW2>{p`K^=-idZe(z7XQ_(hRdCUCa;
zSVp-I!php=x0A<}wV9mCD(E@v7W_rd(w6x{*~vOSSu08$OYn<qQo+pGnT?qh9hV1_
zyjpr!Pq>D)_31~xf=^t<K3k4_Kut0`VNovmgf!!AY)_+)T*qw|7H^%*ZcN^q4e+(R
zw;7oUnDU<oO+iicl@Rs|&5`96F)!kd^&UMO`TYF(^JJ118r30#`oz<ltv>qVk)~C2
zVGPbte!F=if;PejZ;tf5aI->+rwhrRk2uk%#Kp-%PvyxpQnFNh?X|6fSlT=f$m042
zPO(CbD^;fbclh@uG+NSozp-FSsEuA``Yzyw;rWIgU4Rad6B$mj{ZWelXA$9dBTKuZ
zpnU)grKqUhRU~v)>~L!A^CGh`?vmg3Wu~k8C?fmu_dm;STBYVj@=Tk}g{b-Cb^84n
zDuJBOvLKQS&InqfENE1}KW;?RF?FLd){#l+Cb1T_e=9B)b++D@;(d^Nt+v3gD;A0O
z1RgF_Db=7(m**#z^cs_dRVVSk;A84yQ<ekIUig7%ehX23o49~H;;LNwR%S}<JbN8R
zD1OU8_@#j@1k?j(3{S?Qh!mk%TK`Fam2%vO<5fh&WRKkYpbZr1U_E3r&HmkE$?-K)
zG9+eFr~DjZI-v6Vcf|oTEd+B$J16I@Abc#(X0t@y-qc}wUlPCXsyDWCx+nb4DW%po
zOs3#r2_P?<d2`M+SF*rP3;pVhZWUi%a?;X?{)E()dSV1K`q$>?voy64Ji1{&1wkvU
zo3H)DtzS3S2d1q|Pc38_F6V1yeX~}~*(L|qI)h878A1*!^kPik3tD|0M>%lh{1Lye
z8TK`f@KtveNfBGXVShs?hjt^uWq|aKR?twXznr?l52ur{=Etr5$3eJ`j>oSq?3<pb
zO0I?HK#lvL6Kgm6O+Mj07muf^P@^CMk~@+%^EEouY;OvAL`SCTGn}W%A%n~i-Z*=3
zYf>-#o!)BPtv-&S>+dAc!~aX<t18v2h+pGm5TDDfg%&Td?7IoTY}9Uz&s?Dk>4?4Y
zCgH|kzPkxXChYC=7C!mhHvZTsjKY2s`-uL}yUl}S^cD@M;ieM<A`5M`yigu;VIuOS
z^f9H^Hz9hxt!lqgC5{t^MXYpJ$tuik-l}{P#^h5>vvgNEiCobl9LhNg#R{!~)_APu
z`Hxx{&behNhJUQFcU;w9<C}-Tq(Pxi1j2)s%YTh@T`R<(YS+;O;J?F$zLB`lYTdA^
zk;HHtdmxrmCe0XsF)Ga@zbi-)bOlkS<?b<T09hn5+xuwxm}azK5;*U!#k%ZsNnc>&
z$VylMHG0|d^Jx4x_sBv_9#i3MX4ce1<Vc2KNX}R8;D-|jW0vl|bvWq=#K3PlArJF!
zJg0m_lbf6Ga57t~ga3=rIED$2pyn>0j<6rSY-}6W5GVYc0ZU2>YEWx7ckx)`MbIzb
zoAk%nifMx;qN}Q;QX@49qU+YAVU0bkycRa^!(K0%>n~jcg;jT$sD;w}e@W`rm^=#)
z!G(;Kv9hskpkINE=|AGJWe9oWGQ6sD>=TNh=6xtczD6pQ`W5Rq)%w_{2!j;Pt}82s
z9iTMu15LXEga7tTq^Ivsu{N+V_%}aj@qh-B;$&Cm3~eA;Rr&8Ofsg(gq_&FqgU~Q>
z8+%=+#trhXJo+jRQ9A)qIH4>B@>y;FVEGxZMebE0OD1-042knbeK9y+$bhu+8`hQX
zMClU@JEF)YCY8{5z4@Em(Y(wvIO`St36sPdW8CDQ6s4ckXY?4KIB9jLnf-o(HH$9j
zx!F6M?!8oC_2Va|24b#;DhxlFOfLw%;!~<-O?6aoGI2(@2|kHCF4nV0<sWt72U+8;
znwyz#h`g{Lm|vmOwEa}OQ_n~H3RJYyq({?9$5Y2bMk+{3sEVtb0$v)U$K+I>eT96H
z7mA>!$*rj83FfGAANOQu?T%YjtJ~u1P|&T478rR*AeE4o23EktQ4FZJhJGUD)Ng!5
zFkx@=Rj|fpr{Acvl%zC15vCD`V<z#I?XvPGU73!w`g3O8CfBB_5_9)YxI~g>#lbwb
zxI^zW?V6PaV)?6&<>CIDhjt3Lng`^wIX18As;)>R2lX-!P%j_JNr!A&{Th=mr53zw
zu~Tz65>?p5SylON3-0_F`qW{VHLA0bFVpiNNzjLZNKvW{V&LXVQt$!a3aDGZ>#0r-
z$)uuy0Nef5RixsLlig{gVx`#sXl-1@qVHY0D>xPgZ1y@_VqzC-aody--gD3!PL$iC
z9<Vs1A$)b88)5vR)dKm}L@q_>8|I*wf)ULiX3JNWQ#4qoP1P*3GulYPYi=fkf|h72
z`cp;E=SMWP;UyMOhKu-1$)E-D{l?fd2^V6r0uL)(_4mQpG58{9ufor!9Pr_9NuN@5
z%hme@#RRHL7Iax=MbkCV2w6<~pa-|RrT13bJxR~hxmag_)_)i{eNbt2dS;$buaGu4
zMqIvFpDKAZt|)$j6Jh?Exeg^8n<6X?pHz@+C8I?~Yrb_g)9yZsB$%bv1S-wV-S3&l
z#twUsi4*s(aB(K=gNR7iMIR7GpR%>c5?1=X;hpA$FjKHCTlf`GdbVig`w~A-W;|Vt
zaO{jmdUE|G|3t>Gg(k<--Y_+trc^vhT=Ch@(J%1TTKBjx1=otJ>YY6Rx6o-vJt1)c
zj*d}qgpWXkYv$sl<G<NX^rmic;>XK=FzMCS{W)66vtgT%gd~AlAelhGp*M+%H2x{3
zgv)E=k@A@nEr$bT1-F$rp`ojRDCqehvZjhs$qt-i1#M7^P?Q*MAo<r>1N8B)zm{a+
zlVuMEq<yluczeb_i7Y)uv$wYJEe5gJ*6MPd(rZ$mi%a9kpMexESh)-4-%j*cf}9^C
zlr|q59mE(tY3!sX?M~!M5v<{%DSW|Lc`QfiOB_5gdA(^Axc1FKW;;dG@wkwlDia#c
zYNRY#2z|dMrC8sd-7=)Q+BuUc`|dMcGpVPlA*r)so&3m~>GB7}sB0gq?FJ{ll_VH&
zXhW>nrZGCUYlZd6^`jvoT5S$^#~okfEz`t%38mVw#<d22z3?k^yy?|bz>H48du_Yu
zK+10qtI#>!{o|xyF**D-;aT5sbK%LU3;d0$#IxgQQ&T)=8D%HC#bLm3#?aKi;Keb?
zXbBn(X;7R}t+iOyy!ZtXa-j{zN!5f1`>MtHJv_%r{xX=jmxiCs=Zph|Xt3F|`9COS
zGpGzEscLkQ-Cy+W$HE<6z<>N$R@0e|<`Dt4XvQyPD{-EC?V?zvL9G2E3i=$=A=g$o
zBuB#{gCA6ESpJh@_U3D^SaRJNGX=zX!q(TwPsSr~e}6(rsyE$NDo2c2k}>!V$*XP1
z>=PH+^h{+RW||e0N0zMk4JM4;tmk+w5NxT|XjLf~wI3l%!XD(OmyiBA)iuudI<Hn<
zknQ2Ljf3d_>MLjMS+v+~CJn@8dm;;#(c5c2gxAb_2C6+PsKlDBI?XgaQVh)-r)^sw
zZF=fd;`59uFKzy}aA@oi7Hmv}__A~6<L0A6y-2D`n#OcBo)=Hu=RZw#WY=F=Np!}~
zQCiIMVAze5Nlt2eQe(^^XTByWm-~a-e|?w4U<-Wrtg7&n_B%dD32$!AU0ZIPmF7Yt
zMl=^^E>PAuLH$U}mppL{8sVsX{7ky{JSZ?qPK}RJv?rK%+>@H+cmcfDZmn!>{iu&|
zASEk%{F7tDadNt_&d3**y6%TckEFOjz(Qc3C~I`!4k2R5-jJMcx<e07t;^q0ADtKQ
zk5E(}!!!9IF<qu3*!XR_Cz6lmQu)2%XH<AxR0c1bW^;_w{`{|!v2DFZu->F4-pXp9
zqJXNZbF{Sh?Q<qbsz$Ex1qL212`Mb6cWgbCcU{l3KF?-BM^`sY;j?^d>u!al=FH~Z
z*H@NSfz&U(I7yS3?LV!X^a{dQQ^=XW9bv^}#7MhAKZl|mod2Fo#m6aJxO#X(C3|qW
zlD8A@r*Oz2Hz%wT^%OIq>srxGX>m9F5?nEJiM4%=czF!^s<=~=DV+K2vslsi?j8+~
z>B+42$%h&@b{BD{R&Jp%*J1X;p%2n?m>(>PYF;Ki%KLJY69?5HoY;6In7;0&Vl~n-
zOlHsq+qX3RJX~gT`M-xY;Ejj7Yq(eqY-3ze3<jhx$^d9u#YY!+E8d;AJZ5W4E(0qN
zR*~1e9US^MeH~h#1Th<gIF%xxFGfBQQRcYv`mEu?@W*doy77LXqm#C<xHBDjiNPj1
zX9q)tg_O$JXL^)8h!@8z4;#|1TF<OCj9C)4;ty}JT}{Yy_cQrM{5={yntmrsMo|C{
zX06HUJd)eM9qg9_bDoOCqIAN4KI#v@jZWOTG2gq?s~F%+{+M8*vJK)8aYph;-DRSa
zB96mdO6*|6>p}gS5An|nASMnwXK0OToCd8c=;N-#rKMVJaS0MV>O8$J{Zbrn#8A=%
zJfesk9kH$IJx~0|IfU#+n=&lY?Af}D$8z&p43<t*3OJk9%ij*|@kj=}q^%AcSbD0;
z%j;t3(DU22G;OFcTSvOdUa+IG0<SwZmWxzW<k{1J1Z&sN@q>n;Un~~wYb$@yv@m$Q
z-22!Qw?FHoIuE$SMR?d(Dpwa!T9Sz!eFgpvI{VGbFPvM$IN1Zjn-M?h^)7}jh-qW?
zKjbudVyq)dlV1%{D?WJVanPQ!D$~ALX5W5z#lSXmYI4YL{!?U&WA1;od%XQ`%xkM~
z4k~sB2Hr!ocLn=gzovpbAg^_8Rzx`%Z@(=K!urrV8MX!W@B4;>Qi$b1#96Xl{p=W@
za>k9oxkP_?BuUN-9fnf-(*7J~)!)fBVTk*hh=YN6<6QK_YP`?xi%?qJjU1t{^NDJY
zPm~jnnt{uq5|M5?yxJ~{?cr$Vd;8krPbz)uM^JnkUgu{L&gdK`ue<8RHMA)2&;{dK
z6fLruhAz7m8x<C}<eosY_EJS^=KM%lv_wuj?nWJ3?nYk!ykl*vs(=-J{Is3u%pu}<
z@}#@{E4LOK8|!3QW2#C!mU3nIQ(6J%l%73dydCwM!>;Hw!`W8Oms!gQ&8#~t$&}Y+
zZQC*z;7CMzajJ^;nIF;dahP?hCt&vlFIRd7zR257j09pt3)Xy6q3pKeo`3cvns33L
zHT?WQ%*b?lKc`X6X`^g4NTWhuGOf-qumhWi+ofCF`|^TS@zSqH*_eSozz>UCX)?Qv
z$XTf(W|I6sGv&gsgUET&9_M1Lo0YlXn=o60#@jGJo%6{SPmAmo;&tr62fw~0^t-u-
z`3=20W*S|(Y7$p?9>0%X`@lv))ZH$bo=vf=r{4_+fAkfLveU>T-UB)xX8z5VLp}e6
zrwaAYPxKU@E)?7c#QyVd1TL;^ySo*pagh}US=Pa2oafp1kU>Wmi>Dy}=f+EcuGh2N
z9=)<gJrQI<Es?D+xH?^UrQfV>D1_;J$MZH^>?uCNN{@mD+xg8V;88)ao$)!g{C-j~
zteJ?(;{4Hmdv^i3En5xXT=mKe9mZ^te#QlaW~S;N4it#VgebI_SGK<T`Gny);B$w?
zUPkV2NGE;6O{w|3p;VoCqvpM~bjlcjrH?ULXayeoS~b!aHG{2Z8Vkj$ou6WT8>v9;
zhMsltI*;w=D;G6cut<&U9<L2|qV;_L-o3%^M#^0kT{pVk*d<`|+l#gb%S4+>Jb9AQ
zW29W!+9GvJ#4Odv@x}dc#FBK;6nu+ZZ4-FVYo0@TW@1!XZ`Va@f-2nS(5GlZ&~!!}
z=w5LGN)qw8j`uVqU}P-M#W%RPc+P7e%7qxA*UGgD&4_oIO?nS048m0}Ul>NXoktix
zcR${RS@wm}cQMoBj0l#`e=-`QRR3u!){o5|UwcDN`X<C)55S=4!TN4qAx<a26VwBs
zYrL{F>toQYHN(i*g!aNENo69x24HUUS9VYhw&qtWokR%$FIFO~+7>s;u6Ac!lBZ<&
zeb3T(=c(A^HMIhiXbx0@*%iqlKg1|R58@7NBptgjHB);h4u+K=VE8S`&5*gw`yvYz
zIXrHgL)VQ7!*nH4*durGydh;CN)#AjnWpfK220D2p19et#rK-UbE1EaRq-0uo2*=a
zxBhR8<$5Oy3I$#5MjpNIgWcX7`1UE+)gE{kw_lYuqHXWQB&HpP(O*@+G4_J-j893j
zJb1F*gr1e#FQEtf&44PDp85FRO3+2~$k%wCf6Wd2v)q8mYcZetMTyQNUgty7u#fWw
zt9)S7Lla3ywd4a!H8<CHHe=bGTal^4A(tkFSrtMNE3wOH8bz0}MbZ7wYF?$TY{aG!
z$5eb_K!YlSmbUyeUx!fJ7BmTQMnIh7NM6mdKU8z*(8!FYs>Eshki>DD=4Xy~@}a=#
z%a%ju&2S-oN^`zBzQ}E|X~kha`<2TcCHX$2=*w>DN^za;ff$v_*{$M*w83KO$K^y@
zjD~N6%%MaQgj#G3ZU%L%{1wSWMk|TpBF<}1fB+udWZC6b0Yos%<*F6Gde}6sQv)nf
zm14j8Y9ENTQ8$9uNlz}q`Lfnl@=|L?@v}O*Bz$f!%%uPa(AxC0Uwj?iGw5uwUi`pR
zl+qYD5Y~8DGY46yJ4d|AR(Cbl6ianUAmJit+u3-FeTb751+F8=VmqsG4nbaD$f}rb
z^^Y=|Q;vSxSHZWMnIOH~7wvoZU=_Tw`2yc%8y<phYiR0lGGh_S+81S>^;z<_zI+`f
zyKb!Z-uc|5jll8wu4vW<zva3goSmg!=H3W(Ng$q~>{fQTzwC?XIFph%C)PS<a)9?z
z)n|obZml^<#;JoyVWXMC#OY|p9>Wv)!gURA$W`c~j5%k%efh=8d(cMa&z>>wr;MXI
zK(utnTd18;HT}OwdY4G3*ex>96+Bg>65{IRBeenVqx04E0({IpMZ=;h@MX1HwU5b4
zK!pT`q5err0=EJ8*RU-C<|@p~Odr`y9UUog1HKyyXS9j({+M9ge8pC2dP8%X0`4^W
zj4r;MwI&77NXIb+C(rMiZ#MB0yp`Dqcbt$Vxc5TMy#7OiTXO>5x4fW&M+U(P!kk&w
zm?uJpBlH>J-XHR%cl_Nyq7h2ik3Z8eZUEu0IxV&hRHW89mZ;XdT+wrg_^hN^fvW&3
z;cus=?}NqMEvJWibT}$U>b3{U*O885WUjGW#4}2*xE#+AC%o{y>52v(#4zBU+9}XW
zaW(FyH!DkAWzdQFd|`3%x>9&RVYBv_0YW7$ZCYF9d83Q^YW|lB8P9N~kfQc$q2nYb
zNerljnC~s+ar)(zWC2D&mrGLlOrztef|WQko*GR6+gn11ghbI?!I7NN&-mO525Tnb
zmZ4+n!zY0SmPTu2RRQ4}fw3WYkRM2n)oQIB&`E%j>;ijB>0s&0>mTkcjwV2OX3Msi
zd(n4EbtSFVBw%b`ZSzeWVb2g@5UWuZA5S?mk{RtlW!2AWD{FywbGsKS;hJZI4EwWC
zo6^(uAsRadT6vF;xR!H5f``v)gKH<-iVe9rt`$V5$5Z^)i$cnFum0DGj6AxSvu_)X
zQWV-wyqEssMQ)DWC-5y<i(+pv*U2V9mFH9&ig(S}66CJ=i#@#)ag7ys{Aq*ob9{_*
zoqU0qn2{}{%Kho$B61c(uaedK1v+Vu=yg>LZ#Kv9<M%vIEq3XL(Rr2=xP4!-d_9EP
z%ycWWTQ2+#9`@vAq367qQ&<(GNaoq&=4@2uhqSf|K0D#_Q7!vpNk5$lL<P_qzg$M{
zZ4Tr=Qprv)+H0jOD%zgyfh>f-QTu4}Afu%ii0FT-61<r{-Z|U5W+kzkb4Y%yXqFa2
z&SS|JZhB6)rA|Ve=qRyUV~QV5Jz(VEHtPT@_Px6zQ^-7UE^gczF`Ny2*SLQ=z}YrZ
zCn89ctmQdECh3Csg`rpD%v~q@0YF>b)*EV#q_-$xaK1G5+CGt<a^ak%naliIHmkOs
zi1z5hB;99jGLrjscO{Y5qv!l~8+=yzuqB1`k=NCY7jFBctv-5{p2J~B?_IgVGgghB
zTK#aLhQhY>Pd<7IUp;N`JedCNvs-P>iF0fY)njH#d^&*={(J8V-3+CmUme?<b6oBr
zgHN|!-S$vXb3HeSPnO`~gO}~dmj%7_@-->xnf}7W-aPh0*gtlPs2xixMQpnd{#VK{
zdoalBHp~^Q4qlCmZtUR)S?_zRcRk?cdxO@3TmJqUE1AcM>)rmysEW(`kVeL81>raJ
zxchBSE~XNdM>GcAv0#3=p{Vi5$c2hjN%NYI!~(O!N;&C59)0L~Qp6*qlXkEGXJMPg
z4&%3*>1#pLR=369#fGC_?Cd1x>KvOsON~LBX8(Sc9GB1sUO#APvkbp&R2$N1=v8bj
zqOe$*>0**k?_Ua90a=KCSdlE3q&sLOYUCJhA%aVhI&x`J-Z_UYp7V4!<x7R^8-4Jj
zjnqACWSZ0}$HT1J_j%c7QKt*I8~MBN&IlE<r%{OXUZbPCDmM->`G?Bni<PK!ez`~#
zNh{?PP2(4JEh0gNPn#u_V|cRto-$%T;Ke4N2*!G;cg6W`KK!-aVdblGJr=`+Abg%T
zod!$hUn06*O;k4IKW^Jd`ZYN3wDHI8a(y1LoHP2k8Z&S%4$l-G_uV|3s54{qacu4@
z7PcwQO125m71+*pudngg|M%(2`kc~*)~bbn6={9@TbDQUj9<3tnqQ`b%AIbXbdDk%
z6Q}JLtQ83^8h;>7y?4w#JWQ{LpRHQ3?`govVrN(A-!h;~Tj0GdSM*I$v{GSXXBSKM
zX^xW(PHo32E(oJ=kZ+Z&efhE^yP&nwV0PeWPN+OjpgeYrDaghusrGX3YQDrx`u0%|
z*Ui<?soJnedQWn(D5`EH4Q9!!r$N`EQAI@svd{%pn9^64c&ZtyM3S$wHNNPBiOJfG
zbO~#3O`g}%et(OrYCpJ3gP?X&nHF|YomA=MpT94n{7>1>PB>jKv<GTXT~&pDR0Ky3
zhMr+LI%nUZT?C(Y7%J8ZFAMQUqZ4{z7uz)B|JEX)EsIz<#%Oe1*GZpTj^$pC>*C!v
z;o<u7)%BpH=7?2vHnKK23UBRVTV(OdKbwhBvMeexDMaQoE+2;gM11RE8cFjva*|6o
z%D$evKJIhdit^&73E@{RmG)fJdsPlE1T^PnL}tXC0c@2BPqS${%%85#Q8-UveMV<w
zI^M?5>`<?4cgQ;yY<F+^QdZ$_UrU>>ywzf{Yxtp3;B{3lH_59ze5&SAtM!DWWUF_D
zfL43g{#xcd+_+nz$%`p~dF9$4e}w?|n+uH^lK8pON7WA>F|);YUVs1faW<3-b%c{u
zVpWwuluJtOh5sgc6w`B7dGjk3|178Q3hg5wFj}K74N;z|sHt?XCl~NM_8%tVOR#|R
z-6w6iE?)M*H%jbUNJ0MA?7k_#UW@+<yRW`xA{<rJM}7X{*R6c_M{G45XJ<0Ol-$k}
zBh9ZP!Vjiitaa@Ps3)J7Ljp&8!jE!#FNgU_(6lp|S>^WL|0^kcY{*$B037zn5iEf`
z;pr=gvX<3nvvtIzUt{(<kDIR{!T3C%`Ywh=FFxa;l~bB-o~V=;%Ae!(AJ+wcjAZQ2
zy_wz;R21VYNfLv&Ar=|7>!!VrNx|>}4Dk?)lppH_8j*Ag`WY2_J)aHE`u{AKIcTCp
zO?T<p+*!s8rb-{K-qdPci-d=!0||V7hZm!V9wM|Qr<N<+QqcEWi3dy|`;<eE(X&4W
z;tx=e&TTy5XS`?QC1<A#h?#-2OUa6q9TaajS6q3%H<fjsxcqzW1r2XGntZ{E<HE)c
z$7#F(1R#*Wh};!ib*i1!*VA(m+dj*_P{DbKQlBdTK64xS#+;f|;4)I40Z%HkCYG5y
zs5`K+^Kw`a%g7KB_9oVw%d6(4piq4OQ`l%k@Q@NlS3WwpzJ6{mR=lRmFI;}NBK6M*
z)U=?IQw}IX1^Gm5dU`tP38do*ieH7@<uF_0msaxfQ3ear(Z-@!+fn=A9RxzCRge#S
zhX+7ip6`rjYanzY;d=bw^_!f<?Su5;)BB9ZAgKQ`;<G@|;rIM4j}>lg$T2fYyMTPE
zbj?0NLjT6lTj)Tc^VuHJUDoXlG@Fp(VNWLFCgUANTl4kpkkOB69H;w~Q~>zaWW}kv
zMLyP~L02Ix8*{nZySLyP3*}HszG+bCqlEzrPPTAPlJ`NMDNn0le5aNQc8-a_?oB=K
z&*`MOHkrlrBXPLg-yF*zs3JDRMX#cGuPeu{nk}3OM52V^ca(YtCJup;4GC$VY>X{m
zo*&SH)4T)7M(w4;Wtx3;h0J>am_-1=)X5zQptw$Yl5L1Um$~J~-Ifvg7bVy%DDD07
zO;h7ha~w)S82bp1ywC0q*Hc$*b`>EagHv1g*~q}sponh7S>}Eps{+8Z9=FlDlmw!p
zL`*r)l$yV?H84JsseS-CgW+#^w(cA%u2RwN-9~PX4^s_#-Y1%N!VeEU1gNKW#2}(x
z>WS;QEMbiAQw}c#ZjR;_&wcJrIg!2>5C@djRa_z4C&?JL`e$`x({B`??tTRi2{rx{
z&AL(4;Qr4VT_=LrtEckF=Wv7QT#!MJk1C#^IDdZ#<D@#mIZ7X0`E_vcq81nwW$~Wz
z4MSC>Yy(W-1xyHl2XT1Pqw?iw!0;WS`Y!3fe)B#N8z0mr0-kd57CZ95g)B!X68&wM
z{@r`UwmKui{4RRmo|YJBw?w#%a2HYE(TioI_f*(Gcx1rOm&d1ZP};q!p^yE~Fz(xw
z1Ve9p+KPW_C5p=Z2WuIqkg!SX()4Hk%RDf^0W-)R3<H`1SG#5>eEG9`^=!}~MK(N_
z1)J!fBxaO$a%K=6aE~rW`oBo`5e_TW+6QAi=}>swq47Ob=>0`*jGVVoGzXJP)BgwS
z4<+Xb#LdkOkg}t>R$^Q>OBLHcNS%NX9fF}iT(Z1)PZ0bC!XtkVxO{&Z>MmE8?^v}A
zRF$$|{{>M1z9ctAiqJ-@)yj@LS8B>74&-tF2MEw_^gkqeWI*AFvu=1~1=ZhfP{?JG
z%}q@uQw3k4>yCmi!WjN94gds6?u!7Ml2Hu2LFO+&4{+1!{c_gW(MvRyR+f{vmW!3T
zFI;hd^^$<_Lb{4)^DP@S*_aR)A_H9iof(V*lDcP`XbR`PM|Qo(>bbvOH6C7=)xM84
zsnis>$HKk8$aiw=O01Gh|6C~7{R3qAx1HAXY4I#52>L%P_$%A-Zu8KLH~@x|mHP0-
zzZ_i^`j7GY{_pJGQvV-gGyLB#$$%+KVgi_>8O)%Hii-cT*O};kzOjq|Aniv0_zCjg
zI{+eg8uiuYLS$fOT4w*1smA}KroF%_`+G%fD%a5i@TiX15K}GSeXjd2?|!&(4#-n0
zll#?vdMm1r($izeK~Hi_TK`muaZT{r&dH0}+POoAhqgt0_RUOGKU24B(R#(U3Q5lx
zEVb=c&>JWt(y&r}aJ6-USXj^>=gFyJt7cRAm-=7wU|K~pkBqs0S0baxkzi_i5I%rY
zN(N#2cU9DcK|hhVDuBzwp-1jE|I+fV1gTr54s(t%)zX{JDJ~8J>aG2gd5!|4qXP^X
z8<NEQZy!OB#`GZtBUl3ms0|qP!U^pks*8vr-ivgKW|hd&9Z%K7bvrpQ$o<mwt|uf=
zgU;akxKFX|7RWPiKQ}T8Yj}}gken4H0NhD$hrtBm%xJWo<J+QvoYT_ni}`Xg1AShL
z`$T!L=Cjh{0((=atlLU;D#x)%MX?pJ@0J3%ciiP3`s=nJx$K{AI7U~T_{8Rp07TQ`
z9{9~om$}&8z8TPu?$_iWM#F?Fz*s@`00RJ&RlCMe7xTX?l*9xmJR(_5st~iK{(KE#
z<`feVaVLwu*w5jg>H?Tx6RP!sDL*;Y$n$bqm1H~-A21-_ltNX&J{QNPV?)zD=GW^U
z8A?YK(T7)Lk#u5LLwi6Aq@q#mrO&k4psoZpFnbC5{X{ZI*DL37Y0NCPf$lJ<rnNos
zY~{+C<tu<Ac)lQNmC0V_uGbz|4!|_Ag6rpW!R6{D<vME~`qQU{wsS$QV7t<wqsaT_
z31HslO4hfb0B!GBx?vkDPQaek=%GxkrlyyH6q!A4>$ydoqjCdHak@8>+wS?}cOp5z
zPX+;C?qMf3E7i7h%36u5NA6eQP_Jk_ep(sF0)Uz2BfU=VUkCqp4kAYsJHypL75JTO
zmY;V;bIeJt#8KfoWkEpO`eU`%uWj{i^)>&_L!^7p=Sc90B)?t|{_iU4TH939KWAi+
zqqXK}z*c-VwtwD3%+w9s$4I;4+J@Y{@);XKh*SUzMNJL!(?B>BLvb;KZf;;2GH(pb
z)|!xe+T%7%OYYy!0ifzX*Nj0w7LK%tdlC<j^S(zNM&v+CDt$tt>g2ytaSxrlSwXmS
z0T!}+hsPC6+kENnV}^&f(9jJqb(+zv9C1zZf3+>JYqBGd&=hm=(g!nDE+KAjvt$80
zz|ZnV8;#BM|L|AvAG*47Qw@kA9vSvPwZ!P{d6<m7uF-#{xsLglu3YMSy8fyWfka`k
z)dY_`COrpIE)VG(2#{^Z7Vwv?23w;)UHjlBTx|eSrx@TG-0vkU_v%Ru0ahZ+S(&&;
z>xjbl$RO<A?i1ht90mneZR>$CfK`0qx#A>3`|`g1UlnBm#ib(CfW$X8>p54|L{m1<
z-o2p{zqbOJNVyUu^_Nd$Lx6VS&?o=z54s#lFz45_(ZB-Efcug`WN`1H5PJYK?YF|6
zRbU5<X8K3#=nqe10f3zR-_c%zu38}qVh4MByz<<v16%`K_qU+@ootV}BN3!8PAdcM
zdT%~5?*~)@GyOk?=sz<bX9b0PLJA!LcBF5$^6USSJ83m3Po|YP=^|QOT+9O0y#7Cf
zX!pP!8`7K+_yPa-J^w$eBnT+VzuZ&3=Uy~(wI<*{h_Vih-Q%nOJL51S2$>@6r>%7#
z^L5VxP02f)?g!KgwQ=uXlG0*lLk*3cNW<_xc_b{o#N@+B44C;N^lMlW)-B&ATgADA
z$q?Y~7Lb81h8!E_L;EAvCI^uH7tg8_PN@h^bik%R@m`!5_&d+PxM0gpk;@1K0OI@~
zc>BN5(0+#vzYhhWP80<{ZR_T2<35JH#=e*Pe|l={g!{C$u{7B)SL@TG|J`5jKg5x`
z8c5y5ya<(u*LjTh41aq6fe9&j0s;6L|03ws6UjKIvq*rkNM<{Th+xCr?m`#*G@1jf
zQ6~i>ck#L(z|gM~pBb!Ad%uxO|8dcqKEH`(20`y<TTfB9pSIv_s0+t-iJK^60J=By
z;}ZWAN(AyH0l_^uR*5D01^Hj({j|N`MeBdT<K+W&4PdYCH}OX-uez}yNoh!%IX?LO
zldch$bPbsP_||xJQpGTI(Fc5fJ5HyZRQ!0#6xIURafnO;j{kLeqiv9)BsGfP1MDXb
zop9)~lU5>^!t37nk8w^5Hhi7%1X@v_qsyTXq4nG6E=QL{cE$!XO-VB>+bB`1x+#0R
zlSE8!pJ37E8XXx%jHp|Df@O=gXR&1P)K27|S<(@EJ^do}29qcG+vfXm+lU8|$(IV>
z(DB|Dp1qmd8{Qop9^O5xjZQ>Ox?KE8p>2_5mQ@WqmIvW;>@v!8ry8_2-2tkgc`lHN
zRYa2{g*55TgO!wX?JomL^Wb6W=WYU!?PEyHyKd$Z+>ox-Bb&|5&2Nlf55LdbX?#zv
z<(p}VGBX+GW=FLj1jL&*8YJVQPPiOLki^lX|8nPgpWnWnd@SHpM!|_20|n&?i{bNU
zQHPdu+@PCcj`w5N+@N#?W++nb_Vsdb2xWsTE5EISSTPwH=X3qf%ayV_OV7Hl>I@v=
z*EaONz)H}}m{;vSleFsQ#JeAZbP;?PLjB~z*~y&`j9Yw(<C|H&PF&{<>=J&cvC#sZ
z1-8phGjKADc~24AjH3&~spWUPILzu>)6T2o!7DvwtFc@+uuTgG3*Y@b$+?O+F@P8Q
zM-ygImJ(t2V{iu(Fi(*_<1ihv-P3kg<(0WMb1(PyB-$G%e^&#bo!R>qKfj;XBjO*|
zq0hjxt`lW!*0GF3bS|<;Ifk}FnjPcLDMS6dKQ`Vbnz}qWi;>#ll4bi!;R7P^vR8mD
z(F|G+33&r>{ZIagp3hO=fTz1n(cyRG7~Id`K%)kvRbqJ?;Ux^LY4HcL4B%NJkZ~oD
zZ+`GaF{JAaQg?XycQo9!v?<rIw&FR*Yd3a>(Lr3u{zwn^sMA3-F9}6t@P-bj^Iy7V
z_MU>dR=6aTkCy2g%Y%BKZOll0cGji)ZVSmG=)oN5?L@N=<iGa!c|P*eS`?H3oD@;W
zl>o3ey=89N=z%b%_pzZFR6@eSJ#F1+01%yQ6{y`>l+f%nR92HtZg|rz$H{i#8Ar88
zg~zh<iOt1KNK?cY)YT!|zbA25VN6IwJ?~zQF(mq}(KDja;AL)n+DVD8oZhSq;73EB
zU~)l<>;g;E(pS52wfd0D#UFPD6~}MJ-|r*-E=7FMo^Njfw7|^N^e7UFLG;))>LzJG
zSI_sBy@u|Tk2Hl$K^of3uWevBu}*<e=Ryb0xTjzSfUAomsN2|uX^fukOnybKY4UK)
znj>4!ikN2Mp=lP7tYyDt9P&V`&*GC;3DSGjjaw!Q8Ey@8fGhHdSR7fy4gMXr;VeY7
zta80f0kPRgz>jh4tA>|pe-{Dkw@fkL-d+x5oT=MO`YS{1C-!)(+|aG{vBp5tq3qC>
z4m@B*xeCt=0w9kCJEvg=K6fwqT)2e<pLfEMD~FbB*pN@A7l(hisX$F3Yu16S#l1xH
zhqga?&)faSJeR*lUR?9stBoJQxn?l*9V5fb6rf(pU9Y*TE8lY5P@2^6Msb~iu5wvT
zr}@D*u4zzkb(y4#$J;#xNmb}}(&^8SzLT;YV`bC7AeKA=Ymo2X8(e^jS8jr0!0GYQ
z={k;+!{CCMcjc~8mi5n`JFvJ(CQl(@ZCHS?YIgzj!11~RIr+tuW<l>d@7@(z8h7hj
z=#K;6v;BqIuL4o4^(wTtPslJHmN0Nc1@vGFS%%a%#K#I*%JBq-2ND<eN+gj=^H`A*
zU^i+f;g)GCrSvt4@FnT5JXemB<@j~cvUpl9Vf|QNFz#4zA%5qQO1riB_(r<z@TbzO
z&vKb11hTqCb^GF4wyF%yNv3)>IM~{2`7{V070h7b5QPTDh4q^AX*df|k6N54F%r@v
zyWPM>W(zbRNwVN?1>n7j1#OSzD$eihv2NQW=*qrWi}Hlv*5tbn2hnI>k7N(L3#R*`
z{Kf7hjrH5CM8YBJpPvHpF<i~=#NyhJT_PvpD)PwRbYw}V7G{sYMxj*g`(nu|jWAc4
zn7Q<PwmX|&VmwG2yH4{K`l+9Zpy{52-Bi%aN8m&NCOi0J>=Jk15_jBPZ*?BD<`Kjo
zR-^;|flZW5>kx+OJBtlLC@!w>0O7m`Ac87T-vdwxCWtEXQ6Kzgd811cYzEmq*h~ga
zG-obxdmFsu(cxvpU&e^sJ-xaZ>m{5+PUvVy_B1qK?8H5l5u<xZNW{#0h3-2$|Gip&
z(p|sh!Vm2YCcX1he$d_XpUl`usVmT{ap5H*$@xrg@u1uJ(Io&gLMY4(!af9=OY!E@
zsX5W&-cu>If7j^!!Dg%a_pS=#)f&!~9Qj#8;wQ2NN1H9~gio>%>Ob&fZR|747DE>5
zaKyw=JI@jk5Viz9s5S)J;rJZ|jPJor2aXMV%i~+lT*zizfR1Yo<VpNu@J@&FC$ntF
zE1-{JH<OS7dwJx9tXVh{`1c-e9s=I-vUBa79vm8Si$or+Oy>Mh)JaY8Q7@XZfFTYE
z@D$L1aV}Nl9zZPG_GM7-#i4nu`e)qyum~T_I=74<>o9jQM-n@={SiLcEZlC6^qLB6
z+P$szT0m_7acgQSFD(3_9?!y3*l&~<>Z}xo`R?fn>j!1@7{Uhx5`H7XQrZ#~4D48p
zxr*3ZrXSx7Ud><0w$2ZxzkS*zcRY_s=DvU}wr~>}?Tefvu0V_1ONc78Lyw<?;9gX4
zMnof+fy->^kkdV@sFKfafw@Ej3-lr^n<YRotoS*d%;8p(avcgJv~jW>p2BNQ?jj4_
z)g974(QV*yybYQetv~^94DLa=SMpAl*~b>^`aloCvrCE(K@WWcJOjM3Z_`NdZ<f1?
zXlNO3fgn~kOYw#q!kW$C0VLE`ya#XJ!hV7Br`JIx@Xj(ch3Hy;I_A!^kOrsNjf2!I
zS}{eSLT8RXHOBkahV7E)(E@2v`<xv5!p25PyN=Unf#4zOF3}K3ZK<pml(VX!Rta4t
z7)1+#F7bvh0fC&bY!SoEecvDKyM&;EGHsg6uKi~^b#$7f%_M)YhOQgO%ajzr)L!6A
z2IL?VswgLS0Xy))*ep6lqN6@X=9;_Wg4C8bnvW`<87M&JIE6E%FAvGaZ*In}Qwv;t
zN-1x57foAM(#@{17A#F50$H69_skhMvM$b3EO{(zlww5@pf@br%9+1ygX*w=KTuKN
z?7d1W%y)@6F+C;NYd-q6Koo~HNQXQS^c~lm$D;VWnKb|)`ryThGbX4)?`2c5Kh&sY
zv-(Fpx-`TiSeoT>aF|nS)cgx7<c|<?aPaM@c`PnywWQrV;t@zi`Gg|DP<e?+8iE4x
zTmpdUy|%M)LC<oc_3BSX4=JF)^S5xa4rXa(V(Cd*q|IbL9cjcYuhOSw=B86hnR9f}
z!_UI?%z1r~-F~`IWpoHg<A{O`6681cyKwFi4&{$N^P7`F-y4;4QoJ%7$2*gxCB)2k
zmO?_`sPKnK>NAPUS8XR*&;svc-PvzumItERTBR3LM4wu8APdbRLyy28Ru#E#d8{^m
zZ0h6X*4R7e-vpi#``#Yh)wZi$9Pr9#N;~hptT?|z+*BN^5CGFus|cdHbRh?4XF4sr
z?L@w%L3g&FaairoXaD5Gd77PPbGPvM6s-dqlJR{hZfQJ1WUmUk(+QOFs568}_cTym
z)mQ;+d#F8Xu0T6uZk4Eh@;xn!%sW44Q)R|Hh1NYao6MVuYNlXe3lXb-LXk(}O&cBx
z!oJqh_#o!%Td{~>_XM3uVQ`{DeCweHT5Wdj9@mB9_w0Llc%dNUOVt<DPkk!RV|J}O
z|Dg>2XgenV;5Xh{o`zU%4kPkpD-4>OJMjgFDtko*4dS-w&Hoa#lV!e-km{V1j|%q_
zOV<F05kE*5K06-Sutb5x2{8{*&~PKSY5>&Zy$NI~D&*UeV$-iWg+qA%&m-;|&eM9a
zyqmTif~)J#?FC83ak3vitUr>{(h_{zs@FWc57sR{$^i=g`*Mi5N}1SPOqMtbXrC@^
zFVtIlHH8?2DYP%++vOf3i0*mI-)<i1pLZSzCCF(b<)mzOyz*V7jd&@*=7~sbxt1A>
z=Tb7^uiTFVI2*TwFe_Pp2-cqj3ilFwZ!d8}Q9#^|2%f|5YB=EHY^cDC%ZUziRRFA9
z#DE5z5!MK<A_VKBB1If;SC*ZW(Z0x^kIE`mlQlv_$@DZegCJS;KjPyfXtF|XFDs@8
z5rG=E8XPt={T0;dM5i|ie1c5Mkzii02FeDXmSe3$@p&GO2T|>C!#fHMF2}<%>V)|C
zpJuRfue*s@Ix0ZL3L9}i$_@31kgnfkK?h>NHgoxkZXdrLM7o8P>efo`s<jvXxi1*c
z<KTh@267*Z!xVAA!|B2Y8f}*(fKXC_@>USZf*SVk$DWo4clEsxi@73;ypL<^Qm2L;
z-Ss503?|n*%CFHN?{=mbQTtVDOg%0+72@oNklYrd9+-Ho<eo)42J8n@F4q@*ZMBZA
z=vVU>7Nujgg4mCA_V&i@$Ks2^yDd`>j8682N3V1L2wqr8<n%49z?tuD#L{?b2i%GC
z%uhq(t@FUo8?zcLTvno9h2)(=Gvakn@}EX|-}MU``9NZ|gryvfIb3n}A{bwGf8jSt
zlfxo-V~r*Mi0KEy4AjaR+eONtq=~f`9`A=YaxAt^`5*lRucI|_KB_@kwOD?(q@qtH
z%H3h!f(rS#skMCeh<lm!aEkR_V<u7UD^wphN4iqGdkInQj^n#i5tPj^6W4>Qq03MY
z|B{~I@BAZ52nJO)MP)Cs8*og{`0Z5;|3n&)UBVlnZbA}O*Iy{mv_xbxIZEFSxkL1k
zUHtL~$Sdwza_Sw-Lq+@`>^I{q|5+auZvA;p_f?c8$el&t#S8-lzZd={B=Ytp=~j=r
z_va<a=(fFir%(BrGGIrqd=HJJ^@3z9z9RitVLrGRv>BuBp&Jut@9u^n-n#k29p;KX
zvs9y%&tP8Msih|tCGQX4A8HvNTGnb45wdUY7D>Yt(ge0N+!o~zwKzM>El2u~e^prS
zR=bT;A;+nG9v{A_`N#^2hBPtOI8KhS)ND(2DTri<fqaa1#yZ&J-iW3r`Dn|2*yXzo
zYCUNSs_=idLUL6)hveRHjCCNeb959U#iSE)7UHiH?|r?A31&blkejdd)U)e!o$m^l
zlb-#aLIh%=Lx=&j>nMm0P%M3u=&qxw-sIGZwEB*|kmAj2QK)^urcGIs2NRYYgkxz}
z%FBzBKE$+M%C05E3+51zyf$y2p@O$f`V`KFBUW`v`y>c+L>>=+Nl}eR4Mwcy8AVx)
zx>4!-lySQLnQZS+nFM>hu5ZKZwM^sYF=TT6Uh55i<7pNE^+X3fpF3mXC-%O*Mz|1r
zCmOWmlXxd4kh~u)P-{1T&<;;1u9+kDgGR6dkMT&n1H7|0xwX+CFHj(?d!*73c<y)s
zE=ck1p8&-PZ(1R;$;CzU8TiU`s+Uiwc1cJx+e4o-<^6g}%@N>XM*}{)*&J69dn@7L
z5lo1i`}Qe{0yk2`;W!|m3Yn6UNYS{1X-2sktfUa;uJ7ZX2`KV5Bhuz%Q|GD^sG;)1
za9O+Q37+h$=K_86yF@>CnhyAjTL{a!m&YI0%gqf^i|$kLewv!@Xitn2)3I>Y|6wVf
zz*ixEX5{ih{240!T7nJC2ju}@vKi?QmJA7Ycaq1CN?0DrGb-R%7rc_M0p8XG+bG$n
zEim=&VH=VV&6D{(k1BqB)vfF((81hc9@$~8udff5a5SB;Z4ZqpMV3YbfypeEbCDk_
zvsHe_d0hicHLQD+6Q8yU{1iJNsGwl=d!I*P`?Kk2cf1;RHT>iy`Q68@Ow#frW=h|T
z$cWl-F*Hh&Qhh>G6Uf`^Ki3`7E-1d)CT|7{{@kn>z3{s7z5cFu_@W%S%ydA`?7Sza
zPWrTKCEJDNpI!TKD}0HlGUzw@@SSU9j^JTlTt2wO#Ci2cM|GRlCu5^v8l$`)&knIh
zFa@kY*u4t`$RKI5KD*r<V}0?Pqi>corlfX5UDv{I+RW&;$oRQ1L0G__earIeQndN+
zwC-2jVIbK7<rA%6pvS69wplc1mPJO8uUno=w%a7^hf}dkyWCY_-Wj!~kfdO5b+d(x
zHq0}RLz~?5RmHWVcX0%zxRsUK$nmgtomw(qD*K1vsnWgz8=0td-nST8zn$iy(5lFM
zYc7`m8U>(OEtlcb31OiWzRkF;-{LOYT%7{A<S$CZq*wZLhsU0P`sCBhLFgw0UwSx@
z-L>SCoEwscRfDw!RD63q9M$;fEaOu4Kkv|8q5Ic@2=!&&dHqAnFG;x>=nyy7ZBkK?
zFCul(V##T#FR+*ubcGLqaYA>e8x;>v*y6o7sPt)DuV>G1*O%f~wc}5$j5;CM;1r8I
zV(Zx@Xooy@V7^&K_<P+8)3X`U=Z26#edkCq2flBr2&@ERWNBO;gjrFVWe$tT+70!C
z*kq8T%&-6|<Zu!*6sULQ@F8=sBi01)q5m59koJPySKl*pngTj9gp9u$DmZ`L88sIn
zy;zBAP<lU)`QtI@)2VVJkCQ7tCJRWJd<O(^|5;4|M)fe7{{1ceSsysEbHsGOUR-7V
zL%W>vbcXR7e%eKP)UD<xQMWgtlv1ueaYGCI!*qv7a7We?&;kGF-!g&u3_Z$^OyzkN
z9=lR3a<vA7HpTuRhSf<yT`iLLTcQ5Q@c8K?gD=^NS4-pC@g;#!Ho&L$gVtCrA!30O
z!mR2EmKv#dMkG2?<TI1e-S<!*$pVi(5{#KDiN&$8>RknLUe~A;!&*`=07IgSxXB40
zmk~FHj`n^-7QzC3df&~qGz^!g36Iy-t(dIT^bdQU4D*T(WG9qF*9gvj&y7?i!v7v<
z0s}mdFBLJ<DEQWBpmqEjE`PlMI4XZns7Qr;jK$&aJ*(+3HDM*Hz(d*@A^&{$n5cGk
z5Vs+d%~Md(?<M4W#B)qC*Y{;~33}xIxk|OYnBxUS1xSGa#YI%e#l^+u5!NBF2jEg{
zL&Kn#SRmhK^2h9uMBXg5_wFOL4(zh+FZ!C5xMnMI;j5E}@OHboAf*)9|Bte_j*6;n
z!$+l4P=^LVKp1JIb5KH%a8yc3B^)J18fHLRS_DLL3koCMjdTbCgVH^ObPPT8Z=>(~
zecw6joU_*XM;FH0``LG0*LB~|^C;TA_+5L8qOWF-5Xql+%*6^l9`1ro*dOzC!&a`J
zs^svOmiw(A{rKSu{d8UF;8&%47&k72s_-*7@_MJc<9in;{+#cS!%#HHbhFIL2O&>i
z>s<4Do$KdAsAEuYa%U^jwgLS>*@8jXTl#f&<ObQtMzrX`3tR3J>F73*=SK6NXRr1M
zzN}`7K6vbz+ZOHqO#I-Hs_e;+jayuYwxi|}k?-|uHdxwDd#bHAahH<C8ll?B29{&h
zG_`uGkQCT?h08tWC3KM3OL$1{9`+n~w6k;*$IuOHgherrEL7b{LEYuwI~dpeR*MTI
zqRr4^JH0!S@@fMx?8NjnV|7M9NiWZY7!@hq{cpg2P}1PIv|sjmfW~F@Fv2Umm(I-$
zykRAy{e>7l;0;qmo0_OYbhHg4k}#4`p;MSmxTe=trL8?2$RQodpUQLpa^e2H9aZ2y
zvsy&fg?=*D`j@7@p(<>*>@W53VZun$D}E49--&>F#YJ)Bck)6ptPd+@p<0$v=XNV1
zXT<98y|8BJRA{gJ>W`V{`J6g5j6kc2kRP$_-_ce7)Oyu0<ipLEPgwADYm@JTAd$BE
zTbop1@*OWr?(KrDu$?;RJr{8{s1rZYC^x|+01hs%rCDq`OsK~nUH{iyRLJzTjF0*H
zc83%FMUOw`(x{-mbmtqGZit{&adlu&D$8n&gS)Pok)0l01Uj!~udD~u&01fY8%Q1$
z$obf9g1Akk%N0YOvfV36)}+XA1@(;$IdkjWI`N=&gb!=;!Gddp-L?*)f#vaJfShh9
z4CX{xnvT)Bip(_d!?1;s!b-06l|2V;9QHS$Nw7L1hg$s&2o)p`UOvYc<4%Wa3gB8B
z1k?Kk*!~&aW$#0!sWctbX7=?bm2Sky=Rb;gr+cDwKW{Y?og;nl-iF$Sfi_dl^_40{
zFYFDT+*idTVS%a73y5)iL8?{kmo;R5TMd%{-^+_SN+h5=Gs%zS`J-!}x9{7dpIH;%
zt1bRTXW7qt=|$5VNvHC3iYx)Z{uJmzd;Dvr0F@sFJ|`>h-o2~IgrE7*1H0ujkbp<S
z3&og{52)0vuM6=LTk-chsNFNav|9{lC>oF%7CQIKoCYWd!ONckC7z7AAEV1QSp|Az
zdNC5GT9~frHb7WYaSFNk>Z;8##q{abk5<7w1mEGWXkeQS2U%bGp!T39295`SM753t
zw&~H(ztU=wme`jZE#S>mbje!8FRBX*@lcZtZphCuQI8b$hgaH^SwAM$5-2bpjZ9DM
zt9&qeqrW8EvG!&{)H@#T8W*ktLg0Or3ho|c!PgKII`-`(ozTH2-x2^B<V&zV8olPm
zNph$HO)#g2J1;xF>#vH{g`!Ns-|is*3eTU2<Q|v^bkVoM5uH7};8=(uw?M-!C-0^$
zZoe@H6ir@?l-I+JLr#%rIdH`(5+9}`@12(<<#J@O&EWo816fqIjFr{zW85E#c@M`|
zRP;(p$_0Bgp*DSk=ZWjf{O`me;{I^r$&X%dvrRPp%R!qx{{51OH^Xlmq&i>kI7^A?
z$Bw$+=zlZ%Wx`w{Tb#iIJMGHk$R~#1xp1^|f0+*!iS2W1L_8`UoOK$=)^j5vBZD9Z
zl`-SXyQjB2ThUE`((QQf4+mCJ$h5R6pG29}j`!?Q)xL@un+QM96DiQ(5%%P?y^o#o
zIxI)W*6N{!80O}5U&V(jOZR8tg_!DiB-P>DGRXyzme|->N_1?u3|PDS4mzB&nV_eS
zApbR4wBz+mO%0(5Iz#ttqUayj{pTrrIGgKk`olZY=%<OYA-E7WsFNF;7(Q0sXyH9c
zk6Djl=G{y!lQ|=-&api4LKiz&#mc^=?n?S&z&lQsuq9dohk``-QkF)<9SK~5D-rVf
zC>cP(f)BrhW99~RuQzb7mlc<L^C5^2!9f+aat%}kaxe7#hKK!w?=vzmnAF>gI=ayz
z&5PbrC#vG^oilwqT*!+jj>NyB`mUxC>s+n$u=z-x$Zc2HK>qF*DblZev`bCw{sOjd
zBg0fOcy-jNpA=dCBJXx4mC)l#{qBtkw{(@=?8_K`xY+0p{qoB_$JNaxBW%g1PZz*`
zGho;+ghlw1UL=RDaN@PdHoCeV`c~krm2X$%-!qk#Br+70aT@hHP)>?<c35RN)zbJ;
zo17fEJ&c9F!6>lmAY6X2`;2_MfbYxPaXNWKH4LRLmy1wbd9)?;fhY-CT!Ynll?hS3
z+xjfAI#~11f-WNu8Snw0CrdUe#jA3e@haNr7|&kLQ!#mJSnJssxyWOMOE|vmpXheR
zM)X^33~#<ZSeKj&P0ASEsrFt{*LLSKxF;>hgVNh}`YoKK<YqYWq`tsmc)mFpCJVIf
zK8EboKBqw`+k+cBO1Kb3M^#lG`k;uvf?O>z(p%m#@na++(JhbQ@53K_nQ*5@YLGw!
z=2Ij|DTS#GeB|+9f%BmHHP!Er?UOii20VYYTt*HuA;IgB(%TU{_!gi2aVOeF#0e2_
za$7-1tVBnw_@@VnXg-}j9@4+vTu(nMz%G)IyxC#FGr>`0cf3UI({w_4BtC<Q(-Ea7
zCcy`=O=AxG@Q}3awz7eaj-|)q0YB&|ZwE&u24?nEt}U`5xy&XHbSy3Bza~76()#z?
zUBbtH;oZ!qmGtg=UT{HO_m$FO3SaC)zo@owz$UU<buaqq!zf?)_=+23rW1MV;IHZs
z*??YjErNH?WTj(lvKLEgE3Y6w%o&C4-UsyQP|xS-Utq<^25AScV8!IBD3NUj^r$v+
zyw(N03f7Km7%KaRhHbZNx;8-T>|w9izB@GrrO4vPr|qziwa^F|g`39h@KiOQnI}$u
zj{A@}hOe{@#DCG}R;}-QSI!w5HldrUBDBBLdd-wCx~@NeTaD^c?axCrAo|d9%$)WS
zeVz)mu<nn2$3h_YSy%(l0}TxPinkpu<jhu(z=ha@>dEe9<a0egOl-LAkGR}03I^7k
z@b*xY(v1tPlN-FxsXf1Z8RNE(^QJr%hfZnyL|^vVvvy&5?WZW^p!i^)#RsIChG`Cp
zsgWvX@a+J^Nwo|a0KISe>Xh!${m{s?fBCV4FT7}~hl+zhu-neIFjC{9cfGAx__xpH
zJlA5`iGcUD0Y_BpwQdPf=Dop5wH6RU>ep|`$3b1SHTZ@YzD3D4yiW{FX#zMt{PrH%
zB;}Ey{%Xk$HL6;nuC5<y^Le26rsUA0o<E0D9OZ&PWS79HLSa8wLD|$3jluW*baZb-
z3ooyVJzCkR+GyYQP4a$|-GKPYsE^dhyl-z$a5^X><@p@9bj<HBC-(QP^(=_2N=WH8
zWiS<se6!EFiKdHKZ0CneNXNd3wai~~-qfwZWnnC^5STrv?pR-XQX@R&UczW!8+cZy
zFdVeo)Y*7DO`dL}Ul<?zYH0K+FePk?IOj3MK*d$0VcuW>G1aSu<$;_H!x~p1YekAb
zlGVYkcUHpf)F-!7AH4Q_{)i>^GQGoPz_tZ|jQtLYHkIeJc=~z9p4Oll;PhpvS?x14
zwr&GK;LB#%QF-MJywhl}W&_|-v$+6@t_8gn$H<k9jolJCG6QZXm|zRJPZkpPZ>lkY
zx6FYkLKU~<goW(T1ggxaDuPU+k}-ZOp~U~Dz3>zg{kcB8*@d;cd~SRu^1@wtQrI1V
zM(zPDs6*Jze>SGSO((U^;a-`-f?N%uA#Z-L{ZPXyIV$mCO$F1dV5QUw?Hb>mF3`V-
zk>+Xq&R#f>PV*hsdV*3NC^f>#fRVihXeca(jSf8S^a4NurcG=f0mzO>H%1E{Vj|wX
zfq!3VSSYhmG*~p6&0Jf%-!LT$wk^h7*&g`gofa17zAybn<6n)4ft2d-OFC~>c!j$q
z`<>JlIhO)Mq}fL3YprWo+O77}+NVBjnsVHag}AOuc7hgTk$aZUGG6#n<T(1Wr8&=6
zenU{rdmmmvJ;Jvg;Xt7OFv4NNyP;Bv?z#4_H$kLbE$VAU@U%asD<gn`XXIUSIU1Wf
zmArnv<?-f7Ft+5>7h}tcOZb=={mzr*#K2ZVu~m`khz)n!@yv(b4fS2<m}2jx{V}t=
z0@W29SbojbH56BrXW@c$*}WB?+c7eUkju;~Y)EruO5e}Tj)3kke;wGZ_{%k@kQxZa
zRw|x-m;Pay#qNWF)!(o3MC+bTkNSKn?!yKY`Dt`=)F*HdCQ~4U`yq8Kh`sChfOm5R
zq|^C`F5}U>A?f}XGs(X?=?Wh3hAGAyk)F3EgiMPcMts*M_^E?&Y5Y{n-~XM4d5`2=
zMob|C9)Ar@W_MbGO8>T_t`&Npj^X;Ys6*)Bq=&V$xBdW%?3^huyJ18qWi5yt=-q41
zv{b&Y`%_h{npVCXs(5F*S@qQ7Yc@WhmJ->7)LUfrM9Ln-fsD8vo>)K%KVe#0d`wp<
zM+lJ18`Qkw0L5sKQgh**g>#eW%-;MEKsJ6#6MH4prgw$=*VX1s!7Def@G3QMe&S|G
zo#_;IrDh<7{fNOrq#XPW?BiW>)W-v<h~BE^N3p1UX_<w)inH7b|8CSE&|>uQq?@w#
z39B-+2|@kYj+#k=6<WKts`C|e|3-w6FUHT0P-TM9Eq!!bxMd=J2JAOP!+_Hi(IR}9
z{um|@{QwgP&2zzxWCH1_2~`IqgXXy%+PUee6nq9VLQBz(9hV*NfkJ-zCUaPu)lN-)
zrOoGn$cP*X@Cfa5<Ro?^etl|ivkf5sl+!C!x>qVkz$i0r|B3<@7N&Uys^qJCsg0(a
zZU3f8O<YKUDLE`{Xo~3u&3Hbxqq`#?`{@^#?sZ;{g%&nifB1`rc0kUPv2bMGjo{Zy
zG3{PHd(-dYKgUTp+g^^jv426-wVLTBN{ifd6mCE-Kjcyc++P`KC_byX0DCt6V29!?
z@Q*D^KB?2A40qEpgmfrV0({qCBO;R&7L#wun`xs8IA&2IGx=~K=@@lT_y_UxSX8oM
zt;>E>cg?kH@EflzZj|0uPL<<y2&=Z+(nV9Elr^Ij#}^P4_YlvXMPCG=9lOk+{pT1o
zu)#&zOAUKinC_aE@gKd*SUvjTH^r{^iT9TdpXshho)BoPu@ipgv~Lx|>i9VodJdqB
zg6CKples)n{?uexle=wZ7V;@5sWS?|eC5E>RcX}kExJ4y{mSg_!DAPZT>Zbc+GWBA
zh`!!>ryuJeB<hEe*7US}%`%K|ew1x;TxF*%`o&|_F|mF9*Z1-r2o3Y(aCaNf0NhTM
zXaJr9bz}IFH6#ByGC5F-l=O0Rq3b)3$gqf#V+@B`>1NlJ#sIQPZsmVaLp3pQ2@C{>
zc*C|1Kq$6T{Ygw1VefuT)N5xtzobjaZ;`6A55wxl-c*EqOC<vywTGziu3l;E_<X3N
zmzx;4$~%BoTUD^<xb|ac-O`z;)u=67q)gcB$KWfBoY7K7sA~5mkX{<w`NMrvn(jC-
zp7w{q3e3*+d_AgK67c>q3t&laRV?E@YT38q>k-&M)Q}B@Jrklo(p3e5F($?(`#3kF
zeZipeRnt-{Hy-?WDb>S@ulRuZ75sLcPw8H^08OD)VBJ;O*KJzDVADx}I_dMr@$X@d
z`zODxk_;cs?L3VKbw|vNQyKxYfBVO3@5$L7Q{O9~PqX2rl)C(6W3d73T#y@=>JvWY
zRGIa23@zBai4RD1FBeNhF*(lH;UG-D_gYL#aLfZtG5-60^t%2hh_A2pwmqLP<;Uf?
z-Y5yN=l(@p>aBrfYeYNvVw#$ibdi#_!<Pn94Wlq#>s7&EP`>(cmjQP=HD&YD{$$f3
z&+?gQYCjQHhX?G?LG@Rci}~j$eEF1ah43+&Ln2_z!i-b=b5-2eJv!98b^TG`-pt!^
z?-Ednn+qc!1Ah03YIjt))NU@sg|l(jsyv;j4B5V<_AdH~Oe9%PBU*(s&g@(0kthD7
zF>r4#i=10LMVjYQ@TGr94)`ymj$AK~mNo>tE!|>Sy>zDxn`kdd8OYP-i%&jK?{oXs
z0+&Qp>*PqD7?z%1;7}j0vhy|P>vEVZj?XP|^&nptd|R>qu`9(En@j=Qhz;?_Y*|4T
z4E^sS`JDU6VZUu6SbZq*$4|(B-v$M7%h;0d1o&EW4kQ?;;dwN$DATv5jIKLJYhHI0
zICYW2O05eF{V4tUaeX~xP-GHo|8mNmN!M22wf6w+1D<t$b5-(DS6<$X#z4Nz8*lpN
zA8W-}_^Mwvh@4YU8Ay@wx_5DYo&l6O@kvpRjy`0xDQ%&b@M{0coK+9%@vdY(g$jZx
zD(?PCYK>CUMC|hYV%;^N1XU%39<5%Dnx4fYN1x*C>jLA=Rs_BeW;~$fN8|^K9)W5d
z#~-!sD_*5vC|hAe34mXF;0K2)?Nt;PFRoMVJ<$weh8ke}(9Lhblx(fQskcIbOE7v`
zMgaT_;T!QFx!K{WsfeyigpO#qZZ3o#-1Ad3kvt_n0?*H%)R@Hxj8v_QpC11Js>d6r
z?2OfKiwm&XzE$_Da-o4acHh0I7C3wHCjIsw@BMms0k%oMy8Zn3Gh9b9;Q8X?=11%{
zO`>$AkeQ@o{;pOS`!lqNGy&lLz+#W$-2xY`yw?#cB#Y7~oiqg*+^5u<`^hHd+_p=R
zs40iwJr;g&EMjIwIM(YB9{+%C;};0Dlp_KybdRalqZ{8*;!7`EOR!y~G7c@36~og}
zaKs6T@<;wt>b`t6+;Rj(j)7S*J{kJTlHzt~y8Xy(Ur3=WyT1Mh>e<X;J6n2xo#}vL
zEvBYE4^pIcKcp=6(mO<UkbIi7reQ9R5c<<iX#GuIKGn~u6dyDx7~a51<gQM`^>+A{
z&8?3qj`>P|-P_8;!rk6GIF_?WovN(n#nYj<(ivV7nTNLuaof<;6neLVysH9)Pwz4s
zi(6ZbWSwaWkG^EROt7Z$COS9>IdAlFV@onw8=-od2kPe%Gkb4%U`_=)tn8q-L!0dW
z>d|Jc6Yh!FaR~oiCK2hf*B6ndLVN-O{6aazz+k%ZRpj%8P?!+&2nfWx@ZuMd>5JPc
zx>^rj3>RPRt;>+zH7>r0g^YgILn^(kp7^SV?0NFd<9n&YC@uTR`lpB5hR%CED>SDQ
zd4uK$eE0UXb#<Q>KyVaxlPtVEX~kFN9N7o1e=npbdcj!1ZOC?Zse%x;NvrWsl71A+
z{b$?-D<%x1AON$UWfZ(3!1Gll3oSYPI(!+tq8xZngA2iN=^{<<585bjUPNY+<LQP$
zu=Y}CXX*J?-uF9Oc{a!3DbXx61$SoQbSO^>JRN5?4IO0S3xQk;2Gnkf8dGW_l!h<6
zFDR;ugL5`t53k=Q@3$X(ES+4JlASSm6W{qq)%b!i+8g)Y*(v8nH^M4(5r8Y$klI{u
zDa5RRic{YRqRMpViKjn`Vf-nu6t^m-MqArWcq9*j)c@`c!S<f~P;QRjpf)QP)AGe^
z(BsF;5fAlR7j{0moSJp5i93UIvCWl9^ezJUY*fCsQD(rgv$Q(t#U@*uuDrmpzFm{G
zTX5b<PJhN0_K`zo5View+@X}N)dSD`<`4e*@^ut<E@e19te~I(lW*r&@bX2ecxp}K
zM|R}U{W;O;_|YBhYG3&@=YCJ6q7J>^skc+J$HgXJ--5~f(A6f7u?0VyIZ*L=b74nN
zEke<21@F{W_@WVrWbrYTH;tS#YK3uvvK41SBUJGM$Uh#^q2zvdbK$>)<nSDntrK}y
zouSnU0M>mDGY)U(jVvdoscPO4YM9l7VQ8*#cLQ3F3^)LXWPUaxp1a^cwN5E*p}ZNb
zzb;!i6HL^YHho8~+0PkQr4?0eQhZSX#tB|TIH};$(b;o4dq*KHQn~E{GJV}?FI!t^
zj0Rig4=y|X1=yqH1r;<3yr7_<N)(0_3z+~rXcKhR1QrUJ0W1^MulSQMq4gH_ui;nG
z{upW^e8A3NYKLJSbQn}Ev<hj#xu|NvliJ-jps}yyn$s*eDU}lI4W_3Q-;4%O5PH`H
zoR}T(J;mi`Bq_=5vTOhG&hxdaVpbO!<9K_hw35YeStXdaCeWT2z7=Gknr}z0SZzNQ
ztpLTy5(3YUm!4zu3NbURz7;%Dgbv#gsz8-m&v}u51p;pteE$eK8&8L$SbACE#Vca`
z)1_r@KN#-rGfZ5F**|VSfCF++%OA%V<rea$z*hSCrx$-frwRdQ!Px$AQI)(INbh#O
zgv}uKG7Itw$hFgEbUuUjeFvr&@K=pWlC1z?y@!~um6n1NfkUcrZJe^$QH!Uk8xAdg
z8v6?_#p*L}6t<aX4$RLPJ%BHOTA~l3NB+f7V|h+?+QAK3^5uV?{CDBU=L?tP!RpX?
zA2vO|h-9C-<ZWv*99?!qvmxW?x*sAY+DHwXXb0*SRRNs+1;7dvV;x^6fbd7?XBaFD
z)Ygxcq}2*BVH6+ig5miSUhcc8$~odVkDK`5lPfMYy1QVAFuttV9<t-u)O%X-=AH==
zuS*so5GEB!=pj5@s6z(Gk^dQt3nc~pV1^uKvWE|kg4_3gA`k#wKmy0SAc=1w#bxPs
z6B+0}RVb)BgseK5*VK*;<F}2q(y{PpW}lhIpr_O0TMYh|%=E=EzVoKMED=l<tS7ee
z7xp}yQNx!%wM%%>P#l5jLjI<KPxW(PD4Wp1WiKQho~t)N<dApkL+Lkkk2MeanVJNy
zYX4>f^b2~z8VgYx72<~>@<!Qi3KTAU<x{xpJ&J0Xv*+e@yZ8~W*E`yvt$14xD;7)t
zXB0sdYz~Nng=PH>To;*Mf+mG+a(IDS@V6bqDPo;GD4ot#kL7+bK2gbgzVML%)Ty5~
zc4l`aD?x_+#j(fw*+|XyC+Usjp4rnMVtdCWdL!D_ya^hTBct49afuV!YnJa5!sEK4
zSq%7foJMBd+gxoi!;w}-#rHoOsVga|&)BXjkH5`%dH5wQttM?L(|5kk;T^FO+eKOG
z?;Q*K@)NW|)E6JE7Tw|)@VY@cw_g5CcegKWV;{PSxOB9-<33ad@0XJIb%ftXincLX
zgfF<ZiHS{bQxO3Q+z|I1-LX-<kzPY`&s;iOf=zbEEq&Ij+IOa%oQ~+gxl<%54XRTL
zWquE{HafWee%W(%REW4ne{h}%7N=Ly*#fe;?2;^*f`DX?-~JCsV6-YNs=wnYb_MTJ
zBDtEN7U8$ri0CZj!CeMYzL=^inFi>*JPHDsoo>Zb00AKXPijOfrFI@kuXxi1C~}<4
zfW6`h?@jbC2R9cxN&rt`HGa2mQi>WcC~CAObQS-@Zw*g>4ESu$I&6TdK;zI^>J$ci
z$gt${iqD=h`|<E>paXjo)QAzb$&Hrw$lKH$hB8bZuJt8aeC-)DqK<64hGPy;^cSgJ
zV`r8cl*)1Jco6~F0}pR*(b3%FOC7cRu{X5|o)%9VqTzkAST&^7Q%89u&*r)K2x;rf
zd&f@W#;rDPa2tF6V-fiOeTgY}Hs%!ftqv#^C1vXOjt&CkRwU*sIp9D003IT*hAK(@
zy6|i(w%@7pn~(d}UM{j7am~kjCt7-cCO6D-tEGTGYcp%?4qgnu2z`_+if;va9}F*W
zH!f^-66IP{ubD7adE{8U>hF_#TQ7*+Cp!PU-U!qhybe>s;Z=+4R>oV}V8t%+#Z_VU
zeD!{a*BEYfm&-4HE|ML4+R?AKv=V@_rv$#Hl{na1dv*&!fAuc-^H8INg{F0-VG?%R
z&L75DJ9CB01}N|?E$Gr^{jbo@xPk+5T{XrRk?mh<9gmM4q5>)K@?6+$B~Q~w34Ce&
zZ*Qln>*cCB`pLVz&9P?&---Q``=zIUY#s<N7?P6~udZI+%R;Blv_Pkw6!1F{UK+S6
z*BOYzrbVk8&uNR%M!LHhdzNk!GrmaVv_+X@0mD8d+B9lJe5#Ax#;!#4Ic>8xE%@u<
zSJ_y$cW5rd&Y!YZvs#Z_V@^H!ugR^BbSF1B>WhLD1&qN##{42uW#CD5c8+05-QZPX
zn4@*fbl=ENDOnFHwfbPj$r-4I!SioayK4%bYBA+KCiZUeBPP~KC3FyACg@>s<*ZII
zM!qXa|MBPIuql|!W?sy+Lu%!<F@(D1`|Jlv#`@6#{h2Cd9b^E{UA>}@conAoxoo5J
z7$dvEPRvB>7=Y29c5-!P$g#h*u;dRH{1%7Z)@xemc{!wbeD^C_E0x=OOU2(}D;JD`
zVal;Vsq1hgsePqt&TQ&0kyU9W0Rh@ek&Q22G7Cj%-&fpg1z1NGv=x1n6a*w@$v5Uq
zY<><&e7c6KDlPU?)#}@xoMzSeh__v5KJM8EcVmE8_a3F}srhtTX|F~%S6r;~AO~!<
zYiI)m46DE##=yrRE|a8bvs`jf6si9_*5FHALa8ewtV|e53F&5aaoriL*dHu&i5gFS
z)Z;AucsKGsmf&I}Z&ws0KG!9F<mTp*pXUc%Ib!6Y!NklH*I?68lq@0cpa9xDCF?l-
z!ud5aTDWYSdROHmUJLZ5(d)FR?052;A(So-Y?KQI3E=z95`?xBv?;SqJN4;Ryn*Ld
z(}T@s0HaqS#{?TPU8BGoi>-_>TmTBSe*3{&K};~Y4Kfx$vFL~#Z2L`|7MIF<ZtK76
zu83*}9=lL&=w@5vY?)z<|Exau@LPd*JoNV7*Xgk!T*u&A5~fynV3>gzMs(2kc&gMI
zU;$9pcKI&TkSf_DOMI@~Qj>-e+h@b0U>o_XmAC11zT8EW)R}4_t!*Y)tj6-dxDYJu
zw~9@|@S09It#^7MMCyr-sOk4ScxrB#7{z7gX$h&#zX<`+%I4r(N6fcpj>j{9vM$+;
zKg$%r$w)~_$;+R{6(C6#`PT8ozE@yw*O2_nBipxji9NWwJk!f3(*`FwwI1`&rrLam
z<jJd~3aERZHUGA{rx3r6stoWU9<#c20wysIhwU})MyTnPyZ3Kx$~aqOqn>`rLg2;%
z;O9Q*Xa<?}zTUL3w;DHr{;_&7L*F2-=AvZPWh80-H&s$Ki_H7fs7xEJENcsmthDiY
zYS`vWhow?Uw?Xj=BbG6o@qEw+N`x2_eU5!v>TlNuG!=NU-7oW(19mTz=Igc}ZUn1#
z;ttjmG|{>*nGds_g|f9``o&a<@GA7?GmvKkc3?z=cL|{Ojr%c^GRJ)r!F8KmA_scU
z&mEKYL3prq(?TW$AoAya{OX4sxZ#MkVWA-i7h=Xi67B`NO>j)Hs*8shyzCK~d{XNL
z_k{<*rx5`hvon~%pr=EwO*-`WTw7e1(Budc%%Ik7<6zpUGy&HEuDl4d-u|JgIK<9M
z=KZlnQviH#^VE9i$8VR2L_?`n9Xp84bAgGxt+mv~X~>f#xxx$v<%A`x_oxqxF`+Ij
zHmGaJbW$y(t2zY8n~)qvqnm%t1;Y)(el8Ipms`rm?h*i!23Z5lNd>S=>`plIu2ZU?
zg`laU(<qqvtSvI@4znj;>mlw9>2=@|_?yw0Tt5{znLjw%VFDKy_Sg<uy*L$p_K7-R
zv}gPE#}xI0=N|-&gw0E8c+dzkqM`)rV7$=6zzbdbMt7Tsh&mv4Dyc#W{)_WF;ny&4
z%xKxaPkNZyR+@OcmEUBT3>ndQx6qX0wGZ2gMjt!cCbo9{?%nN>*sEG^1?urrc9clc
zDbp}AXSZDmmwl;y8d6`l;6zHj)BfQ2F?P43+&8*y-Pgfq!wi4Y@aOyCpz-y4(5bUS
zVDkcoopS05zU_hc-H+!XBsb+lfBnfs|8y`M;pn2^+NH!}b*i$`gnnPw6Oo1yzqOME
z7artch=UsU#STd0_^bx<N<O#$95f-r?>PHu<|K`hAgkqh<J%uZ=~YCG8ct=8$t%0K
zTlY+BItB~3u~ReRJUDse%5u5J9>-XH?dUfWb=G6Pg3Q#+vDXo=oP~fxtJbnf?@xYw
zQ%g(5+*=O0x$hx^wj3&P*s|#cUmvVLe{%0N+|sV+?+`c#awZZ4KUZKJewfpXSe^Sp
za6a2&5=SL*142Axud1|GkagjNHhwS=9^mm{(W0=s!YCNyW&YOb=?riF+Bgf+GZ-AV
zTxQ3%`~fsf76BL#n-rT7a%Tiq6r*HA1zm>tZ5+v<Fna03tkSkSE@c<9-lKRaj{4h<
z)*uqj1Te3wb_#Fcwl#sMnX1Ay1~;Ui!7~6{OU&o0pyjY74>fLxQhtlit0ykfT<Z^1
za{228r))72Pe_m&dwg&tKQ82pT?PHEgTxa?aQCR&YT$m9LjC^YwpZjTMOb8)UOU5*
zIi<_rz`xZ-4m3_XJ$v@-g*&yBSEyb^RaF&S@kD&u3EBkh?}Mj)h0KK<2B)Rkp_Jcy
zQf}?+P`g)?*^ehuT!%;RXjV-?mMJ!3zdMmsXMsLe>EyPVuadgoLU!u{e+)Fy=y9^i
z<JhuC^BDGaBBcIE-j{|28^x@okEs-|?VvYZJZW$qL_@BU`^5ejFHKGSYX9mnwxzrL
zbh>Tb`yUK?>n?u04wpq7C0IrXYo$*b%C@HBU!%W|ss5Ek?N6FnR`Xud`JU=%fKo*E
zCqdzQUArush89E(EzB;JCbv4zo*3DgW3K=v=f<A_4}U^_cC@EoiMq?nUUh}zwalrK
zwQFXN@ze4Jz2VoyNJFuU1D)Ap;s=rN2<9<+i-I_gw+~LN&q5gYInEH^&9FNjynL*4
z%m!b;NlQ(<<#{+-gyWdmU<d?)Eck8__5%cvV}Z5iE(}gPxeTn`JqG0pa90=a9pC62
zFZ&G;3p>IapoGXt0%VUnqdi6hOZM&=z|bwk45L4izxwMHtep3WK^Y&i69PzobD)Ra
z+8hCk+}{UXhE*saN%aSY^^J*+a{W<$?Arpiya+K^oiLJr<HlYBBKN*=8Qew7{@%T~
zZ|vaI>%nSM3nD^%^T}@p2+;bWTF3Dv+Fa*;+n40G_hs4R=%Q2OEeh2!rci93Eg6#Q
z<yhVucz|8SR?9-*&T%|#iuV#W%Zx+%Acv?4wjbC&oe0+pX`}@_|Hn9;*+%1=6ze;U
zXrGyFJ?}=>`<P?g?(HoVN)N7gh@8@ChPjb&Be9yp0{Da}ncPpx_XvgPDEa8pX;+HS
zkfQq@<2uq`OQ-cYF;5C|Q%$LDl(^8(=RMU5_QSP^*}rdRFMm4EzGF7uewC&4>J)t|
zM_eOEPM+YD<#*>+*<wq}9EK-aL;e)9bAKK?-#^*Dsh{<0A~X%7)N7IP24k$F9a%KG
z_=1uK&|t|CODi<?#VjVzh?k``=yK~%ND_gT9SJh2bgbe*=)O$L*28P@4aVsXSqurU
zGYjSBc9S9bbL`_nKo+7$(OPYw)KmLfTGtmtblLIYfz>s*-mOPi$X~44#>9=ZCj^|F
zoWPjH@##;@&&|D>acXadzAxA#MshVkx0*rwlNz~D;bV=cfRDQ>SCEtO*gmQCDq-aP
zp00^ng|MHGMqp)CpQES%e~@3jbe-;*TdjSA@%~Gb{$v$eKy0!#<M(d~?+_d5TRTe?
zaGS_G!|1Xq6gUHlFM*jFy0Z#^U3$@+!osHPJi7+n8!&H}jDR5DwyjcI0)D5@G3((-
zVB6vIGHqi~u%+*Zn#tlhqJ!HNTODoSwFG|#tMJr&?~L1UBFy5}wqGq~wd4|)@ujse
ziHN>YoDJRGYJqb7<%#Dp>O2GbyWO2T1mNiv3Ahmn>CAUfYch{?)3nrUa8(6Xxg!?2
zBWPwOi3jYq4HRazr6T>(Vnr~2FSfr=E%kfFv_A8`@lMV{?F0CmjP%qYG=kTDf*nX~
zqZPDZ)A7X+M|e2Dmi@jrdLZYvc?~r?lwl($m5gtpYRhRVnO*wyMJV|{@mO^-?F4q7
z+HYB{LlkMV@fjlng!nFh7)wsc#SdC0adr8ZIi~1f5A~EavoeGw3+R-Aha;*6q6H>(
ziBVSNj5<!jUo2DLo$~STF30FNciRe7NX0%evCaYKr$XQ!KfyNd@6I8l`Apvflsxb6
zh}i`nCqb=-h06rM5tr^gtIU8$+=L!ndPVH56kGkA`PEkcB#NrI5KP*1kqBx@^E}aF
zeUkCxRXDx~FVZH&N;|eBD~H2_af7(algsz5Mid!PIqKv|gm0-r&CTcaq!q1F8fitt
zia#N3{^U*4Kui=Jo{g#g-hWp<F|AVs|9w(dwBmalLSIHN9AybejCg8($Y0JL%q?(n
zpad?apn4+fu4vlXnuZi&a+QV`GN_*c(@n4vO+lCcKlJ9p(eYYQ;k)nG_0lA(a=9q7
zv_q_8XknV++2*%4LvF5j{7>E@1h_v#u=jJTc#!MHc<Sr$QrAI<%dXT+<=D>^`wf!E
z-nQS?C=Gew#9PMiK@g*!sy_Ov=FP>53PQ<o%H8BE%QCVaHgog+xQLFlm6#`OEMF0?
zz$v&CcT4&E8^bOh_nqyZq3|uQ_)Q1wHV9LTd{%?dZsbsp{|TAVb)xA|oqS(-t!gKk
zcF+9y1$@_y0(AkgXAWz3mnklhq{zy7u8euDj8=#7gZ*{ZC62?cp9VAkuT&;8TN|yr
zR0CJLf%6cTm8nyYH?$A(1dp8JHJ{P3dmjwbQ%}XK1XfGY1a9Yao#Tx*rfD&0WDf=d
zo}M)hCI>>rqMZ-8D&=XXrx3jD72L?e`YMr8e#)*fMe?q3^mB!1pTX@StP^s1j|sb-
z`3C-V0Sl7+RbvjUPHy!C6O2Q?fhq~CC0*tNdFZG=nD+c3PGcBUn^i2aFQ%cpqV16P
z<+RXhiKsH93q}BZ9~gl)BkVNeyZfHJD5w8uE$+%Fe5sW#>*q*r0V4z$HLSQh;%ehU
z2%{2mVg5Z|5@N8QT(dPf@?#^wbo46!>b8dd!|HN=ZKDLk$Swj1IO9K)cX>9|V5=W*
zFgq0grzYM45j##sOw3;nhQfuMJzEl*b|Nd^$7Sq!hsYlVUEke_h7x+Dw?&$Udr6k=
zf2s;>1xp65M{n2I@b0gmv5Wynj90OzpZw3OPrs<77JGW8rRs!wcCvyDBj#7-!o^$b
zGSZG9?3&ld>P(t?K_I|qh!9FyIvoRQm6`$qVf*XN#t!4Dt!4yIXZlqC8zFW_IS5n!
z5~)~26TS8F2rR^bXbr;57Lo7<vlY4{s*^qX@lm!&g^WKOX>OKZR#lQ&HSudWXhBq}
zR98Bw@vHfOT^>jvFOncX4E8gENK=m_5w-Ank~S=MdV4}F{(knabjr?8sY|1s;`bDE
z#6c;LlNWYbe}W+_1oOT2mm5a)WHqH(aRRl-iaCC7W_1oB{sOVSm0gezIi-HwyN+C6
z++z!UOa&<9;70mKhK5I=*pknTwg*Le6<j2+4YG!XtJksHb+oXb&0wA1+i8YUZ+Tur
zPS#2wEv(gj;mr)weHF{)s-`ZiY_M;l$Vu?Xhd)mOb9LKt)ynU!>bu%`Mi-AtLnKP#
z*7ZGF#K@8SdmehjXc_Ht%oWt5qWczkv;pw`Hz63Bmop`0W28qr&W{t1aZA>>WI>3U
zGVD5b1KT&xUnc9c^WkLr7Fm<Up4r<V)cVCRYVGgp4_U=_2Ml&U<j87P=W7IEbeUli
z^dX?XOfMZ^)?~J}-ITpg*U8?a*iUB_&o2KZHx}WSVg3yZO-)U`y-by2A|e|h;FQSZ
zW>vG-2DVkdXnJq@3H*Aur|eku&s;ahlP8$p5+$jW9{G`8JsrzSNxPtA=IU*&-{ndA
zbz$e@hBaKUihemnuT&a9uw?r;Lrv*ZFQ<m8tuUv&D_9$UF#{=JD4-O%03Vg}{8okN
z9r<}A^<Qi}=G0;5;zS1Sl?SW|fSwsp)chEz(RmyK5&#}l3ac{k@>eh7b&+t<S7RL=
zGyPd|W0#fHMaNQ?Ap)2J)8Xn@duvAA($+^~c4Y++XIR^ya_qOM2d1-Rf<;=dRx^3^
z(gK$gR7ctp1(mfkC*P;#biTuinHahxr8iy$)cr7zbV5gQf9cCNXg}oH`u6Ml9r=i<
zxuL{=;tX*KpPZ7?nmvXFyk$Yf;MHFgChe1Nx;8Qr^#tzb#qnIh#7-f<d|hT^RIeh6
z1PFTr_vl#b59fe65Wq5W6i#p<ISOR#U_YF!0h+%?UA*k-q3R0{50>1&@<&1YgK8}B
zu_srU_=IZX*7`VC`v%PSoo94>KLZ*zY`O+x*F<Wyuk2+-)MrNje-If@+nPL^mfnTd
zo!ZaQ6rAz1ij}#tY?s|`a7l_!Ti1=G+7wgbV^?)j@w!;Zy)k<M^DT)Zk+!<RjbW+{
z4lnPGp9}kccriMr7^E?8|C90lNvi`wm5{zv_|pj?UQj2X{^oV<IE85X0es0C-cPif
z3nu!`mIcwR2rpsH<tk?%ie<iNG_nj0$VU&qs<|OK&K2&}x$Gf;wT54q!|Q(XyiY^&
z6}rAUP6ylcj9n|6;GRvLyc7QsZ~Vt~D2-g9EiDTw5MJ1r*V+6Acvi+AtAIdV0LkCT
ztqH<u$JY6>>`^}rufV>Nd}sdVPZ|>1c7`<qRVwkiU$iSTAJWIR{*M1(xXf~Mb7b8g
zo`fdKvCm;80JgG?qJECpz7l_?yQAW~RrIyxb99JWeoHe<<jZr!au>;SFVjFFwFWdj
zRL*L^E)m&|ZVR`o@OXaYOFj^G1h1_;tE2{)4#&M<via&!=3zVkb!?+#Jh2-kzNOlz
z%lq|!kd7a!TJF}$2soBiP*TR)f#a)SySWbf1P2AoH&VwJ=V5cVY834I?&`KF+=?D4
zp~oXXH7tD4pYYt6tdVH{Z=tV$fXf<2=vgFL0xpH{UJLKQ?m62w^q@bcjF5i}!L?e_
zivVs_@$l&Fc{ZRc=S!#{fW)sBM4XWplEG*>y(A3YnwcDaPli3kS&)CpUtm*)G;C+p
z#oe`%_m4x6Ah~R7;-KI+Sg1!X?r4(1PYxS8%&uPAs}hkH7KP{WlX@)AggU#k>U`z-
zPs*dF0Zh+p8(d+RE>ofPDgcKaT%V4~TUtXg&OLz#qx+_p5>w0`KS|k*ZBsza@nwOM
z>;5{$?hZ&}w_~7JN>ZI>tikG=n4^%E+BuL)w3Q3(cd{geBpXQiV>03f*2?fFg<1w`
z8+Rdqd*im-x{~Q;e~R+whzTN4HU1xLnm1kI<<901$3Kzxsa;7CIiG0#I(&es8+^ro
zxQQQJ0xKqquKfCo22Yn`pF{u}(N-YGwdMDR<cAr7*}p9D@|RO$ALR;U<;T0NG5lY9
zECJ>d(*m0XY&58YUcQEf0-9ub<URVhf`@TTdOW0{Jf-ko)DAuqBq|^AE!jp|UNB!T
z*qu)S@N#>HdY{RkzXCzQTYy$F0RGz=P60z1fFN~Y%|j8{qmGlwYe3h|=?7sNcq)c!
z)Of3d+6$H|$N?$>+(-olvZn(lGYB3a^)KoL;dookTd`4=`WA`gt){VB%A7*Da@pm*
zDj6jI@e`3%u>##;gzG~~{b$bt2L^uyX7$Q{`;C09|9EDggn}6{(+6+QxNAkv@G;jq
zsnU|}-yTeY058mL<Wvp@(cIyTzE{AZuy6Q%#6Y=6ea}NyP(mcFpNV!$rPY%z_yWN7
zKPdd*>R&WEbrqC?K|yik?zb|jRkQundW8+W{%z$a3M3xFzVh_D#J9Pof{aREAqJ0n
z2U2ymf{enwCjC6Y%$gPM#c$xXr@l;)1b)QMvXnlMotiXTXe$u)L_lGiew$4<H$zUU
zulj>5;pbk}8w|%u-<ZBvUp?wqeUFLyon!Vt>Lw@<iAW-6_AWJ`MfaIsBs@2u3W9Ba
zifUW7_2<zs$S81{olR<j^5;0J{HAN2k27Bs<F8rNm@oUmd~kWm<D9BofW?Sncr07y
z=uE`MI@c~*>Bo;QgLA(#I;N#myDC*%62M2ixbAG)q_p>`RC^OKlKnEyWAU}$a-w8W
zKQUhG#x49>-vvA}IRvxj6FW;0`A-hxpoNi<suf~E>7aHt#x6_jS;u3S8Y_G)>jfa}
z3X;@xO-A6k0s#;M64*;P8K(1$A)DcdDWV|&K6Fp(Xd%Ia-zNLTD#7+_i5vAj+`+*|
z{BZ?*jge;hc>OOY0+)XigdJJ6Q963peDo{j51!YfmIG0yLQ*R>6L+vqugtGFu*x1K
zUq$hJ7<~-l*dW+5ApZIhbucQ^G9#XOH<H&brDl9xxTL0E67lllDnu$=w&g1D9yR}L
z$UcxB!<wz(vto%)f(kdle7ppyodCzc(YfN#FQPi;Sr0*cUgrpZ2jvI<3$PLbm*$~$
z{Oh)ndmfKn<ixM9gS+Ocd630I3@jh6J5<syFG1m@i%__@NDTDDxW=4^m#J-~UcVUD
z8uQY4O@<5OY07Ber3Bu`ZMDnBxGW<*3X^_c#EhIYGi=*4ly9vp{ia`6?!<jgUC}s=
zo3`NJhsM-?&SS+LB%Fogmfy@n6Tzz=klrhQ0bA1oWAOx86MddB5#SycOPiS7UDd{N
z!IA;1W7Bh^pm#vBU%YHu2h>$<(|aN(5BE%saZhw#hII<-2Ep_WmYX!>)-MhWN&G+b
zV*W#5YEjGSgdh?bdL%JVryckP{zZ}}Tl>_m;;siM&|}t;f}0gFXD9U8$Ck8?$8G<*
zE;y%FFcc;SGnj@{psv712IWw~x5$w_3e-TKH@^0~fCRyf*A9B$8xa7IH}Il4eLqaO
zZ(cLnjSwdzXf`%tWM5c73vdv^HooIVHV^zU@Z)GVa^y@@;Ag1$PcxtW3<<#V>?twq
z^f-)6aextb<Wot7dA<3%P4RSY0=^f0Hgk4zyy~$z#BsK8rnv7O^$M>}XF3+;Q;z7H
zIuNOsiJUqZTrWB1{^Ql49E$+>WPablioMDN`#RT!YQbICnKt~tI<*XIY`F2Z988Wb
zdmXqZW4}ml2#Jrq4=rV>p<;Y%{;q$~c5o;x1a6mS^x3wi4BW66_(Ar;;z&!5SC5Iu
z#_Df3C6SIj4|!gC-b8)V1Vb9UIP}Lds24OKLZ|_d6b7{|ta|Q6V77fce%}aogDE1K
z&vuT$w{!D8S&ec#oAx<rWH^gf#DA_oYK)p3-t`~y-pH9cp+4(s^jH?D-z7ZbIN?}T
z^jQPh%Goii;z22}nB#N&&EaINVAB|X-)lAg(5L=D{#0_S{-nTXT=>l6Y{y4Fj4?bu
zg7J*+M2-|jQV)O)Q4pTc08~^|%FQ6%SUgbi_J&P1lYmY3J@vgOFC8hjVh8#ZS3>4*
zr&57MPh0_-wa_&_*Ss8Zu_Dydym{>nvJ7<nNU&?w!wGnn@6jR_kvNKS;|ed$oFP|N
zng~$5EbJ;-h<S+JF!sRxOgY*|FfiOHeA@52gfmmakDs3OVJ2&?q(symtT7H9S8@8V
zec8{ddjr7s>yB08^DVuLqmVbQKk}ZVjl8Qk$!#3j*`(-=^A|`u?TJaFz^7b}FWACJ
zo%0!REqp%q#DIHE8|-3ao0c6<5UlUV-&R%K_`ES<ro`uQ0=~4u*)U1YCUHzC!cK2p
z(n(n}u!NbGM}J}v6uo;NG$3ATql&;Tw%(@^H`ww?p*nbIT$S^qxDUqGU3j;>9`UZw
z<*wO-_b1KrVwl<MVhNVKH6bCI>5;6V4?nl@urTV5lV7`r^($7D9I<?<GWgu)#f!zD
z%(OJO@=U2kk{5#voR@uDER(OlkrspV##nCE>>Ha3ptJACyLds&fcg_>K(=DJKdXBD
zaB9k9s-jf1#(AvxQ3G_e`ipd0E31?TH|)S;8{X2Iynu}vDvy&wzU)fAs2XQfE@7Le
zm6e-r?>KnqbJP~q)G#pKHNayfu|r26r>nC>>S^u5E(MGEmR9&J&F7#qFB5~m7seHN
zaAcs69AosT$Rn8g&1QkXcxXtUR9QyNhL`JM&dB5PhZYNm6{iy<L%UaRdUx(*49jwN
zVTUOarjC1}zD?A*bbMP))0^-fy4|k+^fkonNf)QexR`<I*ftUBHucq8eYN`I;?R%t
z$t`^r-|lvVDB^Ivy%oz7L`&GKVnJ8cnUB~$b0|4@$7y6d;=_kOp4}cUis3lJw@b|E
z#C>Rko4V5=Gc~+C8_|4g2Szb-47h_Doi`Y>g9dc$-gS(fXonpk@_q1LLsI*`8X4e|
zw5<O)GahxiB=QE%1*;Lq$1?aG<Ch$kjBymK%@}GX@hr`WV3A1ofse9XRaU+))C^p_
za!tq@PFq*Y)>4mld`4EQ&OU`u!u0t6zLTzM3vlztO&p&eDqp=AV|8z@>PsPV^RRd(
zk+ft$P*t_&E#CItT_n3Zcvo3fftA;`3~r><M`sq+fOx_+w#ME7<xFL@W^wva0q-`H
zuss}4>zi+Y1z#Uo=q$FA`8^gNuV=nl{DWV+1%1yYjC$Ajqabd?M<pn^$AcEu5iOvq
z&_@7V>!Q!m_!Q(zDBxP35e1k~Z0+PcJ^4^z>W;2B%dM(<9>e|WBCqvfR|3FjHB1W=
z)xDW#=APgK-XM6GDalz?e1pOFFqg*Xtjb>SgH?=KK~Lwjp(aLC*ymlFJ_!{yD>Y~8
zvjVOc(w$4lC7TM0$&#J^zS+Kn7^dpQ;v-9Fq*Wh$hg}FI_@P6NXHVv?Vn7|0?)ewO
zic#XP&%|`5Qs6qy3}<!XBHOeLFKopA0`*>%m+-HknU1yj2e<bvD+56tC+dthdRqVd
zPp@0Y{7NNDOI7r-+4yPk*qi`J8?oUV^N<zy%EMyLj<$iu(t5=s_98TN@<1rKp?O38
z6@E0y(?tTu=VE>=ltK;*OfPy-syX31_t8oh!Ye{al>V_{kDchudk+cTsZ{T2Gq%nE
zz~u!(tPfNh(V&NA>GG2R**BJ5H60p(?}WgIPPg^@Bq-j-g>)C5)`5$qKYrYE83S8D
zF=Y^3Rn#ZUhwOP}3ecPmPJMNuq>m=nIcNI5RGXMQlt8^)|IWM}jOc>kWZZV!^pdP!
z^Jl;A%(-D@-hgn;`clm^BSrxGITz?L!BerOMuglNl_UUOX;8!`Cl=)zOci~};Ji>;
zS!y`Sd26x)Ds+WjcK-K)f+vmFPDlLXPQEqbsB!^(%M$r)m&mY|Et}8@>HTZudZXZ8
zqWp~)TznUmoNmL|rmD1mynRx;6UyE~!x9!ut@J_jY&@*5StW!1kb6D2@RR8tZ{u4_
z6La^+4l)nuRNC#HAC}Y}kyY#kw!Uufw0Ef4UJ_rpUQHfjMV;pdf0OV0)J3$<tGWBz
zZ$bC=R#^LDaIci#`In<ZmQ%to$udOv>pf!hn+I8Nltv?(UppeH63d2H$t;Cp#S-QQ
z34zpKsc$g4@5f>m-jCPCX}qox;m03yTgja<ATzmOLfVPdEmSZWjVnmks<-ebdq1{|
z>Otf1Jhm9lzLy+z;pg`4|B1cU9%L9^)za}nsGIP_<LENZRv2ThkZ^XsRFdmeQY3q;
z<+GIUu2e_F$oFd>SO8*F6YNKaYmF1_9YB-nhZ@EZ|Er5cF)4xKh%Ne-gT^3#=i7Pv
z{3m5uo>nB;8mh<-EVz&hfKl&UV2(rWXMp<jGZC!F{cSv&2<A}rt^QiqhOukC8$?1b
zUeLs$TnSz4VWU0UIsOZS+T=A<F+1Bc@zZQHTqA?|retn^+}zI7mYUd$oi0c!UyZGW
zacCFS>AN%CN+CWw;N%cMMQkKVawok`n%r}QF!V+~b$CcaCM9wFXq{5iA4pOnv&{H#
zRZ>*d)Qkz%j3U3w<s0s2ad`z5IMJ3A<9^S++uPkux&htrGnj*QS}4<o;TgBaa@!vp
zVI=-0D_e<~?Us%T#mx}-+`@v7pp+CNE=vNYw`8;0(zPWd*YQddJcmw!XIw`E#HMif
zuiy_9`|_S!b`<*o#_Sr8;E?sIh3`ot88o<iBRz^|7>?8U;uN;Gw;w5~7X22yOG7nt
zeaERQK<kEJGxmm{>EzE{E?CCTsk{<v<kpu+pS$vQtg$anEsN0g+kuQz&C9B<8B9<o
zv#~R@NV#pptq%2xQ=<*0+dldr3(+*sPY*@=i1BZ&J*Ilt{AN+nd-^W5{Ew#xehr6E
z)$zdOPco>(67$1+K>mkpcf+%fr^P{|?`L;5Gj!oq`@Wq0<<qxMR~4M^hL6+>WbRk9
zdfh6N+du^sK)L+j%t5O%;0}&9RX3+6G7L}NAJ00&3zVnocA$bQ&ySCr%#GTwy0=Ow
zbi*b{?hjL_Apq*KF<Q@CAH_v{jn;Fpsdu%<{!JM)Er8_G96Sj%xYjxPpy)aQOp`HR
zsHaOLvEH*eXid)T@}|f4^NM4n?qXC%hI<L7in0F6iu5{<=DkB1fuYERZ!dOoRX>{=
zT{ucEch<W<QhsbFH)xypV+?HK5+l>;eIT0&m+k;WL7MhsQEYg+3?kSw$)IajDwn1X
ze>>eQer1s%u3>6?>GK)SC&rREzvy$XOXQ`amtC3C@Y65nN?kiK$}+mAJ|m`_c_pLM
z0{IEu%y{iSpeTZ0SeM5sDvA@0y$~cyAGLZs^00i%b}EQ00;Tytqwk%%R=}HkR9n+(
zFH~q1WaYy}VMk4+`XKhcm6AozA2CRw(ZyBr%*1mfK-Jo%RmhLfFzKz0coMm5xB~QN
zD-Xldu6?FwScrhNWaBj<>ZmHQq_?pVsK}qRX~2s=RTQ^G3Lr443VVYc`#KZehkd}{
zTezMPMX~z1H~t^4z5=Yt_WK_Lk?xWX0i{boU?_-)#6Y?Q1f;tMC?Xxw%~S-WrMpXV
zgmmX<Hgfd;nfiX;_xFD;ui^G=cbxm&pHug9&JAb?YZbg1&a0Lsd9BuL0myU`NQQ^r
zOK+2=6ZSUA)TsIzc!XvP+z11ja|4=flOwpKb~xO7z;S?$>eDy$nC++Yo9+^+O2-88
z2fWW>)0VV)%GKS@{I$a=yfiLG_?u>~pFY+j79vj2*$V9D{FO|gnTOg*@QZC3@z&cf
zS%Sk{z*qj%R6{>FUNzqRMD{o)_m0{dW3e(z#DN-%CabK9VL_NM2_(0|ZQ5pu((e>J
zFqP8K<@fj@4r&FWBre6<bVe+KYJZE&`amlibFVu<F2k@cEz0jA&g_T<oPeiy-ahg&
z{+{*s@cAirYY$WXn?WY}m|a2-uhapN6z>n#z*+*+K+dq=S{jVRNE4px$G(P6ryM`R
z0Fj!32uYDT>EWn?ne<?kev=P8O=GJI*6ZbIH#Q*_*41aII0#?zkMZ9TAJ^RdIj>vg
zWo@v#w)w0bp8YIOuNjU5XtkxC7RWIzio%4MN(L*0<=00el;<If_}G<#;Y4ig5t?E!
z>pH0rqu7MB88Xzx?#V8pzS0Z7_SCA&X7-;WzZl{vdi9g|wYB3cfG8@>1-X3xWXOwZ
zt4Ad^i59*a-FVJ!fi(&CIHE$NCSK-nvWms0fX?z+!143V(}K}vT4Dp#thxv>r9y#R
zzP!;FyIluxQc=6yS(Qo9Y&-}vJ<zcy)qbywO=vy2d!sMJL%y0tGeymrMSG6XVTKPO
zA2!+k^6j;<HZ5bd$ZzGtHw{fUKmgr>WPp59)T`P(vzyuF?PC|pstoxw^eo97_>&ip
z$D1T&1E+5vT@cDh&cFA1X$i~B)dt*m-K<9v8J{!cqJ$a5D$gUHX=a(ho7r1ZMqT?U
zP~U9ee(YuAPF((?_q}(paF)~&)HIMK(t7(>pQCL`RR%|A=}%1AyK7B1u7V5?8D_tx
zGLM<xtGB8sD@t%{S7;Z*_1xbY6ThRqFv1U1xGhPt^asChPxxF9NZ7m&0qH+~s+J*L
z0f1#KQUOx{r!i)acSU%%pHwR)PX~{1F40f})@1!QQQW#x{|a}t$?R*0jgFAW_Bz+?
zNN;SLjyjxOOZDU2zuHWsF;u7Kz8&Jh!y-$4ZIzhYP#X9e`9L?2azl@9K`?sLjdvmT
zGwj0xtiH5IKDn38oJVlMc_ytxuxxxq)5ge1qsi`kz~6a6&|ZOC7zhk<0uS|a^A@I6
zzUdFT=cy|zKZR(bn)@`!e{14}Drdg(tVs*=C9wqTQgq4}_>t1bjd1rc!)Qkh!(>dx
z)tM4j-#axWZ^fm!?}Xgo_d6q|Q!O(mJyoAR{*1hR7LQBDQcKM8-0$$&-q3CapLB2Z
z>Cqb~e}V;}K1Aa6Agkq}+(@YDzC9*in3{s0@=yOQQFo%u$(Q?vS1#|sr@HUNr5qkq
zqDCg*RF_0&I@y1yu&WLn27NWl_B)lX&}d;^`eB))^ZcWQ1G-zF*piHQ;MkRf;f$D-
zM>jz8U?+v@98A!CtwMazH6jQwC)6@Z)3L}QomkMwkI8ra-a33fRU0HAQz5Bb;JI7+
zMu&%<WR5Kh#l6jXJDO37{!-`RR>zAuT>)0n_~YK9?WbYu(5oZ!ULCP_Z?B({Dp|bz
zNwjuXeVIL<tHTx5l0(H*fGe-YAK?<4{tX+1ABEP}*ls;6d+6=<0Zg0ADD#RNxq5Rq
zI9Pkp|2Addd+^<I6|i730ixSAdVn>FIhvPrfVWed*{QoT$uNO%#3WL7^R?i6hz?6v
zjB7!_G|u}qTuedM2kWix8n6>SX2f`e7JI)?>r=6e`_fr^yV6AeBge>h28useoV&?)
z0pRi1JV~t3d>X~p>D%Y}6?S7i{{Gy;73YK>q_h(4p|x*T<77F3hgd+CPmcpm6)fOn
z1(W(^C6y&V@|b`m3F9$vH<|^tSF@U{>guV%Fop|{g;PH0(%RHn6Jbv`YrxQL6%y;8
znI8F~N<Z{f<%PjNpVUR(hQ@r+dKn>|!{czL-1GhFl&juP<}kwhzRD*2T5v5sa*7W^
zlP)(JP-<hp_9yI}+ESDx8uWtR>7*pSel>Ocd4q!<@F9kQn^5P3)!s`3;TDUx+iIhE
z$Bm7HQ^{h<E3x!rZbgQ^H{;uYg=m+RkP2KL5;Is31YEj&04KLK|5V-8D~tDL`GX;$
z|6+)k^BM|i<a1mG#q?scg7`lnhvZGkvvds@XuWbBMw>9qZQP3)?Os#A4wO>89;qs1
zudbI4+X89v7J(|c8{li%c6i-hv<hXO7lM*KMQBOT7O`=h{J!#i@Z+f=z|t;YcYQAp
z*qVK<%G>>UxHm=i#Ys7cBV`wKK3m^R#pL-4@j|?@WVPS<Ug9kFSY=H58wt%OkOM&6
z8Wy8S{yKpG^@dN=Qqi<QR7V6AcjNVVVZDqK`OOw~x;`lF3;%m`3$a{aJQ5vbihBDu
z_M2`1r|9V74p&mJq_%apmsT~q7V|mPzMn9I`cK>l)uj6Vc|<$0Su;GJ$n4%xtTbBD
z0rYOVC@H!HHFb3Z@F2W?G~_dEGJmWgq0DV<Us$kI%Yv&v{SHb$?Eui;d3dMvOHJKX
zcZwn^lxXs3aBo00j^5M>3xl-mb20y@<Co9hq$R3_!mT(vXfW)0-$cqvKY6es&v&2m
zZd=}?!T$W={izO}EuFVNO)GCf5;T4d398tH5`c(j3;3JqkX)ZSnx8!*u?XQkaGIYP
zT{S1|9E366I_Xrtn6z`07y3GRun#ar`b|(to6B=`LdTQ1(ax1TM;DfWAs1XcE_2`3
zCz-)2s{9`!NmuA!_$fb0GS{Li;nSMCOaNVMU_fuGoKhdpS#W+`lHYa?_q}_0fkqQR
z9J{x}Q@fNuEofRp@*cln>FkRh&bSGB030v>R&IeSZx_4ZYy_mpnj($b!GQWpsVy9E
zEeOVMR?4%0#BV`fl0R?VzOXk0Qv03etn$CbdthWNg)F;LC$fCqsUAX17O=*_L!w!7
z>xtQWFdtQPm~pp1LU04{i)u4ZB=NQKA-eIz>p5AIbnase5rT^AE7_Y;YvQdq>=2Vy
z1{A|jI+6@S-=-uCEw6PS-U-##!(MW6A+5hxEtD}mn&w)d@S3wzBUm8fjQY!889|^~
zrRVhlSX$DkPMCqbnr5|6SN)q-J%7N7Ud%QLKV&`c<1FSXw&$5GsrzQ9Mf|HQyX40`
z;R1y*)NM#gFgUK{O@D;cW{%*zuL-8%acBgiNYmROb<DBZ9F?plDZF^6C<&7D77H?2
zENJjlEZ}ykZwDLq3uqE|ocFVh%?4urxasxr>C2>S@yX(GvIP}ImieeGzrg`aXsbYp
zG#8uOVSC(A*Jn|R4==rws-%rUk&;PH^jAs(P?slfPO!I|&s0a4`o)N?2_ui1)L8Y%
z{c2ls(#XsOZTfHMsW!bQHG!HQ%B)Md{M9!jfo!NtwhrvX&<BWIVrU-0;E$oQZ{_U2
z0H=crOh$gQMoL~X<S4)^W|6{o(qa9@<rk5JgaCiAkYmqMe>{GZ_sMp#pF7SEoX0>V
zCQ%2}JxnMaF6c{qYv0#cDU~$8twCbJe$6H+?96WyANUwUZE^dW+V}OOZ|U^*30SOW
zvtARsuYj{3GHc{chBhf-L1K`jQ|-O|Y%#bW--Dm?xN>G12`Dl)iBiC8Ti7cpoL_WP
z^a)zJ)$7=rD)L%%y>1U6Rl`*vsGos69O}ATKIz`<!7O_DB8EyWglVmgMu8-y`(v0R
zHdjYA4so{XANK|sz^;Oaf+}5ezF4WxP3UPg+rDHL@MQJDx8pHM4r|`pA_Mczl<@np
z5jB8=qwafA?)Si8@GSt(HFx{K38#HOd-ispX52$=Xr{0*HIj-vD*#A%r&T_QttIR|
z@0abnr>gt7kM#I6#cJ+LSf01A>lng$`v}QyWD+1Yh&VO*2|m(r0*O{a4td;!BKQ<C
zrW;yQl9iIf_5pRk0#AZj-b@ke!ap9KurP2)I90Pi+Qv+=@wIo?+1+=2XwkTjx4?=m
z8`eaAVw*LM{bpykpioV4Ne=S750^WLD2VF*QtWwqdOc+r<!{HKR3%ys%vu<^0Rqem
zYi5wzLhL>0JtQFG@ac|HSZkF0VWe1d<qF=98hyzSA$4x=z(ecU2Mr6(PY3SYBZs(A
zq1wenw<A7W5NB^_-`M1Ua9k)_IXu7p)xU-7v?Yh;jR0Ycm&ha3q5W6pY+!Fc*BOz%
zZF{J|7DM^`Hk3-2r^=6AdfP;i*Wc*ur2Fy~S^0C>f}GI^$`lOE>rjKLV4;XVixg?8
zj`&AsD+-aqgnZ3TfU*}-XGszkPixk>DfADwmM%?o7S<ixTh3^yLT^I5)vJ_fNEgb!
z@I}KP#c#ST{0KkrKIWsd)t)W0rJEriKYZiiFZeXIP=Ja4XITO{jytUgs7%rdQfok;
zFsSgP1Bc)D%EeknHLHV>UD1%tt)O0*oNc-g<8@eNw)3F!ZK#&fb+vX>ex2m*9FzGY
zlWKPVqhV6x^$R^mh&d;<W7}~vzWLefT-rMcOckW4H=aD{#7!?UX&^6;C@f28^WOx7
z{x<U%wEu294Cr3N$(&x7pS&6DS>AMgeLW1aCWsa+xs-+}$wsf_Ey1mlU*aDf*~qJc
zO+>g68-ob`va*BTVg=1{6~tsTkR7vQwu8X)8Tgpmv~p=|=A6kse8W-$+){{X@{_4e
zpdNwee!FHxpLXG(hB7CWqU+R+5A`M@N4wu+fz(endyE4}vf9fK=b==F{Z&zye!m5$
zB#gh|c^b>-IMx>e(#g)(x;7?~{dwBO-^r~WV?51@rqf-55H~HHj$lFgi~LOiw#fTq
zUF7vHfkRM2_g`!h(%*oL?RqzO*(+!qeCe6Rs=5J6J+`%)(3>07uXH9{D66*9;x_|X
z-@~!KH?B1b)7KrmJkA+7_dLILLltKi)!@thH2q-=z4$ieUtXu6JjhTuP`v&c@j$m!
zh+N_!xEHUp{8Pp_?}+j*OP4#?OEJvpb1PNz)$4Xw;jV)NSkOenAsO0)UzIMw%yik#
z#f=mQ+#+1-$MeqD2Umr(%8-&}J0YLI2uMG%V5q4TAws^#=zU~(0D1XWz$5ZJFBxHQ
zJI19^U#aW?qAVQm`F_K*8MMsnrzrX(BzO>>XNMc6_UWuGh0g&TQImPz==D=?>fq;j
zmgE*-SPk5S4t-lFTW(=j?^bUQzYC%p3?|{7<EkLQ_d1S$@?7>c6cd*?Sv|{!y{L2g
z8VQZWxdlzrdacY_;!H;fN*1zyZ}kj;z0JxWoknTo33#$ri{GW-bx##Cx$$R@llaE0
z8-95gY$Envl4-Shpj)l%cCo<0+^L1#Y*{o274AqrGxB{w?XRX{5b9&TnxIV#r4owW
zbPKux?GLKl6RWm8d0(h>E&?E0s!{|PP)!wG^+r%r!~QgOTby;59NJ<xIZq{hN}zy6
zV|6C+d0(*LR<|Yor)3?3ygU0OPYfm$6ticP^xP^*Q7e-fHyC}f^+0dkWTy<fw@h_u
z+nx_mvpxvMBgx=*7V{&iwk(;W!rIYCcrLo{MGGgo&j@Ny(Fs1e4qnW-yUeDONUI(9
ztKh0I!F^5Bovf@~rUDDKA}I|Ej#+KJbw??NRyxu@J!$EWEhF~V*#y`!zkp*o+0F2p
zVAz~ji#lDgg<RhY6_^O#kwnV3413n^@T+m_lZrRw_8JHvCpminSAoEiJ5O2vBWhER
zU^xd~Tyf$~3)jF-vp)R+Hs9y+5AXM~-kKz*m=f<co-}V(HeQH5IJ(70QI%2{SF-Ja
zc(5g-bah|hTcdHFPPw&#fJ13XMT~S%s}x{X-WlF|e@Y-NO>U}K>|IzgLq!nb>Dfq5
zVKWf+een3spB)24YyMdmvBQyf=uNXwW^SaQ5#wVgObm_i=8PeRW{Cr*ym$P42xxg~
zY^9_ZVvQaT(Imu;CcPWL^$!hUBux!=u$bFVSn<N|73rN*G#hlg32mo*X*l^KmyeEu
zTZi4ZrToX)k3uTemXtN2`!Mc9<w{+wou!3XKTAjFt6)WUw$$~-jNp{wrMN}^F-aLy
zGLW1(<4D94y(V^YmnqlgoCU+Ng%k?EQF1)XKPsQcUzJY;CE>h=hqix1)X|T>pk)Zo
zuGjdY5$j9u%5O0<W4nG0&s!`KZv$KSOyTtxg1$R0T{L|b2-f`%;Af-BPu{(}fL3sj
zP#qU4>>lwb;p^dqY9IuEOz*vn_>{*wmLZnThX{FXqgkDE*hN#<l7m-=-;#rR>|zu}
zS<ojfy<DL1TvhRaT_^P|vBTCKs3@mjBVAFhh@5r!h8Z92N4<{L6)LHbgXk_fDx3j~
z_3o-W6ap(>^%7sN2PYd3#!bE^7pw{YX-!555wL_@GRazG8eyIYS>@^djbr(6AmBwn
z#_3m3#9J=q`=dKw^42~85BQ;GjGpFApGmTf?u@iqB#l2rh4YZEcEeoinL76I?GMyQ
zpRF*Y;!z(Z7LlpF*0}}bv90=+-pn38_CrHj0g36mZ-wK)y#KMsw8nDre!wGLP5<Xh
zYRP@Uc&{?%l&Sy)pWB0W`7;o&F^*VLq4)538)sl#s#wh~)#0FX9&qjyl=Mt|X^o4W
zhd<0$Bs6FFm<4-~vhhO3vL0~px*T}BHO9s*anTMLchNd8(Mv5Ps5ieS*^1B;;?{m7
zhHH~M*z=_Mfxbj1Ix6MM_s6KS$R~#G<<$1WVB`0oc}1U}%H(i!e*X@B1*>H}YFFn(
zZNFMjBN_laF%Ni|D!>b$NhX4}ya5g5S=o(%H~cI$Iu|Q2Z7!4BEv8h;##)~Rc)4yT
z$&1&k;eA-eY3~lkFG~}QC{2m?G4wrRxo8E^34=Z=L>tFn6$ITU(-=+|1~igF<0>W;
zYhN@4_DuVY7@A5Ttmwp3fQ^3(`u&{SXJvK%{3M8WK}}Ssk*@so$bKGkam{_NuRY1o
z4lma&1mB#AJ2K9Q^#Lh&Lhf2VZD7C9z7kHnha$_>SY744Ee_@Qq1I<Lxeg)z!^;LY
zw~O$?O}PI*@x_@x&D{{YrRF#H%c=amE~`8uxzBC-RRz21GVmB%jUxjw)H#82?o;33
z_l1KGFGIbum+?cEZ&y+ma?YFqUKvp?dhw?qiJl%d#bk}SSJDr?4{4wC(cUC0?BkAC
zlBll4LdCsRU@DcMS9?SJq5J1Ke%cefd>j8{Po__nyxhedu}e7iwL1?6!t6A8=GXCJ
z9Kd4p9~E%ENp?OJ$A$QFmn@n{>AcvaOq`gCr{aVZi4R4J;82_?gw+#81!4tt>okIw
z%sOx|r9rPq7aLDOi=7O|ErU7%F#E0<fESwdC=Jsd^JdH5yJU=QS?CwTv{T4?uS+I4
z_nQ|U{>uyYbl0owQm5U3MiPZ=0_0n5WQMP!m4U!anU_6t&@c%m5L1PaD6{)^_IQRZ
z5*ObmX~g`vZ^HiIh+%?(#_~Qvyb?lv<gT#*cK{NTg0AIjP@Hc0>I+u|RmHXvE@L15
z*UAV>LiCmnn79*~{N=+f2s2*Z1UrW*6{;Qxq4F8L&*ANO0O<B3<WBh$pxCVWB|L6^
zjQk7iSexgol+E-bRC^?dkI~!k62r{j-eIc<@IPCZN?J<r9%1z6BTSI>v9zSTt9SD|
zn9k(ZZBJmgGJVQ<K%9~-0zpK7X<fW28$vV~rV-mZ1a0UZu@`?2F3@*VjyA<(ls67#
z=CjrI+tv;*C}UKVT90r<>wrXd_w?d5OvwdJ_)-f-Dgr1;!Eia3_a^w|RqScn+o@G_
z_Ec-Lh=t+)-$bYNgCHKr2ezg?$oI|CYj+NJynD&_2Sj0j>eb%;ECM_{^AM%(Dtp8r
za6kHqCG7qE4!zGAFr}2@g)+`};7{bnkRSX~sAr7j#w<p$LEffcJ+c#V7%1FK?2~Zp
z{f-rF?)z{l1O^#z0S67{G^#ZFpqS4vU38iW50)iqpG1!quYp??xe@Y0n`T<aNvIx^
z-mJS^<<0Ps5A5PW+&R3RFnS0Tigj+tZ@T$_tDgP&EIufDMJIj{8J0}SSy7y9MZ65B
z!I9aYkPqJw#(n*MeQqFIf6G;5>NKo6lEQb*{pOR^X$sD=B7LrnK7Yp|*=+?zxAc+I
z;c>e#NAj<VnOCXBe{E}?qLwy645&EkQrYQX<t)}6f>gW8hp3fA7q?-yxlbM0tUvJE
zgWBKSX$)XgAl0+9lu^Au<mwy#rm{z^<QC)($R?<To}}}vWGhtTJ}t*!Yz*kv*LpJk
zc*}CCH~E7KdEN>3Q%n&%kU^9QmG4hES=jo5T79bc3@LH^TL`J$FF&}pU8EFs;QVJ}
z&zqLa-9ZbN3GQtw3i_FCkz#A@{JvE`Y+RnRu2nn=3F^=-73po$wE+QODHh;+=kEp~
z10Kt++am#<-&6cni|HG42xKPC!`;k<vqz;wyCQ`N59<73%2-f}<p6@7gW7nTgeQ^|
ztbq-Bz|*EF`ky9FioKF5(k|%To)vd5R(ImnFL1KlJ|TgTW*0*a2-0q4|7z+c1Z6$G
zD+@w!x3)2d8dse(MF6KnVoNHl=V;srFxC#uxE*FTDmvPo@*Ub1kh+p;Zees0rA}#I
zhHLPpc&j6SL)#J5{huxI0%<`4q3`LN^tdeaag_$nOw`P&OkkIX96?|WqUo5PrFTb}
zBnWURu%txHfU0{sAwSiub1pu}&@vr8(|)V)Fp-1cqn*@+svkz7`l_NDKY`a=*g4h*
zhUyTvT?&D9W)j{-$5u8aiu>msCm8zf6unMZCT*q@CDqGO*GhL~{iygb^^2;rb1H=A
z#A*q@T=)Gk8Z2B8KysG{RuCW{aUF}M<jc_wyX1~{ww%)e?u|AGYVi0BB4F~?mLfM;
z_@H=uwkdB!g|-=~EU#?X+?|7@rfqL|iiP!*7U$~e)2I48GmCb1Jl&Ra-5GNf@XBsn
zkC(VFTfTT*C-t&JvY*Jv*Il64;Ix=Sv2;P;YcNK0pH1+GRO;1Z&iS>r227xYuEYb#
zu@96YpGbN{sFi)DaTeljE7y2MhYN*e_{|tCu6uT0EbLrC40*MHYQ{t$<M2#<p3in%
z7#OW^`9)`{z&K4aolYutgYn5_QoHd*%>I1PK2ZkrX`}bz!3ezgblCzve?|7};H4-~
z6!#qhTSTzm;FJhnbQ7r7n?VK|-#U`u-m0~mK0XlvLC;#=Z5<<q4tLJOHnt9$8e78>
zjplr+JuX)IhfeFUo`bHfypE&h5p$PVr!?lCqy$Zr7_ZGAq04IDg<d<OX6&jgOT3rM
zwrb@^gfuj;|5HSmY93XPXGIAz4R<xr+oS->&;F?)OsfUd;s$YRG6iH?vKfq%%QF3^
zlJGJPG_~J6BjNWHZKnf?e%CPmTgceO8)C@g7eGV+r0;RHjRFb)WBhYx@!<TTlp~ZX
zQxaXMnh5<804w2fO&xw1;Gn&!`MVM|`h^H2M~N;d4VXI!orEj|P=gep5xSCbBqxNR
z?Gt)orYmD7Z78IF(m?(eMV6YZgN})A^1WO3?(VaHg!O=mV)%JMDCNBWN0SN-!ZYU3
z;DvmmXTWpTdE+|fK9oz7?t_<<&i%@4yv-n6_MI;)pZe|G*dYn9z?DxcKO}BRHA(=r
z(lJ^ssxpvb^e}ffH=F+ufsO!Lf}Gqt0diJ)cy|JojsMnco~%LWjJpQFBw*7Ku(+82
zjNQ#{8K^`*P--J|@2IC#@qy=me^rQ>6zca7@bk%^{>t&+er9o?VI3v{k}n@rEDFL7
zC>IY(2yK)aFV4=PzNdmolIV)h0Lg%|&x?h2ED&>@V+n|+#;RtO_0fsc^_Ab%Fq+Qj
zRmE6z)>s6Jwr?CZ&CbpSXEc;@vAoBDZWU!jOH=^s^iMlGo$wJP7t9%ks?Xk}uBwe-
z`2X(OxY5>><>ftsOriAMkMO406}+wYma9(o2np!7o6aX&&ZFi|7Y>pzU(cG1nJk&?
znw**3F(omG#BeaDK##_yybuSfG*Ul<vT3t;+1&}R&CfaRcKTZJ%w-7rTA^K{Q@vK`
z#zG$#n%?Vg^+-UlfdRIWOs-yLuj9Zr<ED8^(73K-1vueHmEZM%ca#g;gfxGu_dYwu
zKp(ow^t;GP%thxC?Qr%3G&PH!-yU#KJ^BTzDbV}iU9|`LmGHW^BdxQ%_RYV&q&AH1
z*tn&=vTB2$cEU{=Cd|AoQpI3K_L|_G*!vWcN382a`A`f|L0t6yc|3Ke&B9<D+*KC$
z>KV*XC*cvOI74E3ykqoW>3H%gw1gFJ7sAZ)6yCm43;9ncQz!_q#6xdasG)_uqdjgN
z2O4GJ_R`u*?>{3)wFN{y7#W|+bzIa2|N9%7NmQC*)V>4*K~RIoG|I-{JjMJ1)4i^v
zh<yU6fBbi8HxOc}3^{Q<rDPxx4bJH%(^*p3(QVkjU#LNNdU@TWfj-E}%kv_Z3j0a~
zO4K_Gw^s)jt&c5a=-(E3u2|lC?;i>xJZ%>bR#x6fBv&m8&Ut3wLbWWRdF)z_=esh6
zckRNH-X;oTq$Q&(d}AygOto5!2$djp$YgaATH#hxIh*oYc24ITl=JkU)2%M(b@e22
zqb;iO?C8hY&dJc(Rfov@r2}e(+S{FQ>KWA?2MM(oc8<AWqHl?^!Uzl=a|Em46oz7c
z4CSsY&yu;+zD=A}q3KAe{*XX-dsS4Sq_X-2(%Q+PRJl?~u{n?9wEC?Q^T}D#JMy4U
z#o{T4eiwmw?qHcI@w<L=RfKikyc%Y@d(FWTq>t+c61^6$60S}yisd@(#t+%IuTr5Y
zzK^LPBom_pfmMHT3F95Fqc9zayBFu<*BEj9Hbhc(_cf~E<@q<SuXuX53VGO}oa4J3
zK)x5hF?W=Wl#}i%0o=D8&O86+>JqC=BRN6Y;*BnI^uwdpkM3a)-Gzi1iif}xJ|cE^
zG<K=z8&=yPHN~FQH!x5Gis<bNFjR{8q98>WcMx+*Hs*&GKP|{H5;y;c&nrpQm_VmQ
z??%WG8+{cU8+=n3Lcc9a8l@*qu~G=*0+JSfvYi&VehaV3!_z-K)X3)MmQ!dzAZKuE
z_+q<z^q3(O8^0#E9=fk2PCWkd9w^8OAk}ZC0k&3A0PGnvF^=4Q_mu37A=g>>0Wrwn
zEmR$RVbNQeu%Gghwe)LT%!N+zBA}+?K6EdbMu>?Dv9*;=8fkFl`g};N+Oy$Yo+`=+
zt4odS#%;AgP7x5&y`^)oYn+*tSVChzdOu=d3=Zk*As^HnfKfttG9yBjwS}Kn`YMif
z_#&MEcjd@h!~TgPs$d9s^7ULlFh~l*<v@^%ZSUX|b@2HXAP;`aEQ}{|&W|B%vE3@7
zn<wY41}85r4!s%zU^oRk#(JN9dc*?2>W#3Sh7juBGrMUw-<mJ=6cOH!uQCQlq`0U-
z@n=l%pS!suQERCuu9T!8x#Gws0}trHn>X7_uUsy6)fYs(;rk@6WF5$>FiqR(3G-ke
z>FB88-LOx5NzJlP$y6CxpFcIxslKZ_DP*EEG15cSM)|n$IW07N$@G~VQh0!{gB^ux
zeh(e55eTkzaP);xO6^|GIm0C3R}^jTyEWpnU7<Y~&g5sld>yFv!?UwHcTZ&Z_kAj%
z)z9wFExsVLPNJovy;M<m6S(iH^`TFg#u<TQUG5CKzuSFs^G2L+z9N0XVR*sWled;Y
zLcuaO=(U#Bl#g1%v?-*~_ZsF>*pd;T3U-<srVkU_4N+u%hvdy7XX8FuJs&8#iXRmY
zmqF=h`XEckS?j%)yOg~-6mv&QO5|_8XwJeFFkn#VQSuEG5g+_jQeE9pgqv93j#Zu3
zrGtsLk_{IBu_AOYJw~y=uXAs%w_+r~_rV@kIO2ocDaqFWF7JW4X1!Xw*?|P-g!-=K
z16o!5%A-=D$p}{2%90RD&yOp?mu=suuw4)3OSj`2c{oxsl0S56<Z1|Wqa1pi3$q`+
z;Q0~Nh9ALH2BgS45b4MdP}=Q>^ju@F$C#0f=8rR2Rp@<`{-UyOZ%z&($3g#>gADld
z5thjXc^ugm0)9E`G<86A0%3lihw$Xcv)E6m8pbqgdV(qHyVL{v7ALjpnmQJ{Bp*B1
zCl1>&?9zGi>Lm}v_v`{jKQTOI>!iYOx$+~o|B&+fQF5^SBPAE5X~tK{3c=ywBX)!~
zHoJ<xOdPEl-HByM*<4j!s1*rs_6Y2FQ)0V*T+wJLS?}!5f(I#6ovJussDis#$9=#1
zsHGn|TvZ|xtXV${1jfNVTx%Z)Q}wpf`>oVe$v#4#u|IZT4rXk8_m&*X|Ai}0`FBy3
z+fM^t;xbEDjK+nMc1Y(Ea9zCuQnnt_k#Q5#a%dy)FW$s=9MR%gk|<zt7CbHWcG?Ar
zi@e`2IlemA7j&oJB$GA1@!l1Lp~br#uAk1ht08-q%h&Zw!RmYPuM`8upVJ+5)FF9h
zL`wFncX7Fb?bD?go#$Jkm%h#WU2rA5M{F@Ne4YQvhVziq^04ojk1Xis4|n^8*gX&5
zb#%_rcd&Ob;Lo3b?_l^z$jPfS{F$0Z%dwhO$;e5mqZLp7J;4RRGlpBBr@~2?HHi)j
zNZJRD*Mr|hDGX&G5p~CSZK5}nr9pJfIhG8DB6yxjWRBVo{aec4DM~mj7<b%C<&Pyf
z(;yX2gWUOgQHhaU&tzBcCG(k1><39mYE08rxhb5OV8VF+{vc)b_X5#-I_b0x!|g={
z8;u}+U28i<*lENHBZjAELDt<h*%k?QH=q3sOJoTt<qt8FfYG%ioyoC<k$UG^VQ__`
z1I5A!EwSKt6^8MSreJDfcAjXv<{VY#Lo)Z}%bJ{DL3bNr*&$_&kv^JKcKr$jOLtqH
ztb*+jxm|_Hr|9x=G)zmOuW7i?)?X3rGUV}l9=r#AwBVf^W4}b@_6sQYe5}77-uI^c
zdUrXS8Nwrs;#%Ng%@E=cJz*VCr%N-VKA;A2$*%gX{fDd$<x039DL>1R1&S^Ua|l6<
z*H?d^>`~i8UfW5x*FOY7&?bo7r@1cz?`m&Y8XFh1<kUMJzIDCL-E{WkQwCJ{%{?*6
zxd4Bc+xPG42_%jRxZApV`G4#PT#zK$_3VUqD5&XTM_9W#+~@2V*JGH;s<#mdbXV4I
z;8f3jW3zjE!xR7brMTu+|CcCCl*D7mT(1>S>e2tKe7FKL(+!9cv`SMO_=ROR=I1xP
z8@rW@m_QZqEZSAQdtP{hoN^&n`Df_Qr}-J>xKRmsY?kj7Z|P;|mEV1oeI)NHDAK};
z{WArKh^~Jv$1G~esawl?yP3UZ_O-Af8FU&658?rM3kQXV3jfPuz?+$OnpK>fe&&#(
ziduXWE#pzaWDd*Md#7iz!(%%#w{AlTrU)&%TRo0vDsDn3KL5PMi2q$N5HESfi0imZ
z={tWYy@F1C$?MlLL11B#Hx4W??>o>i@SMxf&@QhnQwG)yDOm^7yji=F(dCZu$h%RK
zKi-BAv?B081{VVhv8QnYITXFwcGu>67t-JIGDRCf)!RT?-`oBww<V811!z)e2ES&M
z4Gy`l`O;63nZ-NWzf>wgH{p5Qddf;^VAe;rx7lXNxn_a2(z~@OG4Vw^!yiCLvyD!*
z7v}CM-WC>5P<RZ+$9<QxH79)yx0ZvP2U2?4EvB@!ZwiOLrNhpHIe6%>t5w7p>&@<o
z)D$fVyol7<v1K6%FtN9t-sa@isc@ff3BD@=R$goMvfB3l$caS)EmEAV-Ko=lC0W~b
z`t=qDMmzfwTK@+wq>eRma%3cv8hRZ9RyuzMS<Cw6mEaCVrcDzr<<aXSHw?3HNwnU|
zS{lJ=>XR|$>V3iX#jB-2Mz_XFW~nxYMO|xRn?S=-OB>R8*zY4n`*LZ&dQN8UBA`&e
z{!K*~CbzIb1$Ev8`KO`#qvERh8ghy+)Z!loq7D!HugRfJ84^2oo!#b}nR+28m(20t
zyRLl4(u6`v-$8BW<GZ&e?W%UWFS-M5vz7#zpR0+H)<H&WM=JLwGR@1nJygSB0*Rl(
zOkC;AKh!ezhJiV!$AP+)1vpo+lo%MO{_sDV6h?FAs2b$>_}GnpD<2hiX!F+EdPEQ(
z^$bG6ae}v{)9IsYJ_x6<;s))&XP}S5SU7dZPB=lU!VP(V4dY8`MQg4puygT9!*Pny
z`q!_*U*01Jx2pu>zteCbH`G~Mxx@q2qV!MsGhXB&vy`=%r`f>iTWsZyHjd?4lHQ{?
zCYbq(QHQNELE<s}zX~cykQ?n3B+w4QZLj%txBLfrbIqB0oRm=IQrQZ%!aE&#%LTcp
za>LQCh~IV`+T;N)Mi6feHI$C7D~N#ZWrxL6E@4vi$Y1SZyS{Zj?}E<a_)gU3ZcnL0
zI$tQ~W|!h}Cl9aXGtIFIXJY&+%`4ZitRG?w1;dylYNA?7-KXn=fDu=Pr_;{@XQf@(
zjy|Ut<o&eIfjwh&5<MuPq{UYMu`bfj3DVQ_+bm$CR^c7H7Y19ReiRe8>$U}|QdZ|d
zZY%;dAa>PeKeQ<|RzVDQ+H)e+{OqRc0q6$?9E>&ufU6yTpB<!u%<azbS#qBE(Hn$E
z?T;$RWv;lt+WCQtrHIZb3w5#49Brdgk#rd<KUpp2Olj3_o{JJH^7_Tm6<pnsuj#pO
z_JWP3U%V3*{<>UHa>}vQFK=_`rRCg#0v-P*?bhnJzQ`9Rq}bXqR&S2U73W?ey+*jr
zFBY)x@T!w{5vj)XC@W!ifr@9>U_y(5JM4I0&b%Q>3)1<0Xm<WOEzWyP8$tp5aq4kN
z$>VhN5jj>mc5_M1ZNy5-vQ|$VnOj*qS5tJMou%*Unm$aBbwJnsao4eN9he<5<X;}s
zg=C1kD=(?J0y8bkt*QC)<pvU4#Ujv1vgij&!s9zQCSA&piF3tVs^ZC0!oc#G7!&nn
z9jyClcSxX6+nF!HShQ0w^W<{_)oND;%sE(N=~B5;R@XaWO>Pd|!@{9d-Lfa*5vQM{
zK>YJKh{R0x9=-f_g$-005}VXwW7f>-h?VVWt$eN(r<uHgZXPm$>F&W=7Y8|x*KQ^r
z^h0M$dw@KR9KC+#1Euw;t^-P*^-oSA;N>y|7B@VH)Lj!x7IJo2k>ysjsVGO{WG?E%
zvh^wi0T2Sdm9H*a6<J<sTV$E9r)1;$OexUylGEw(r@Ys0nFA~D|6oN5(D2b0;;rj<
z)b?ZF(vlL#ov8|ZB_*GwSZXMS>slVMI|T(a=5c~hf{beB*#1)^i3^n%rS@(+4Btm>
zJ+k>Ubg7p4jJ#YunUlE=W<Cl(I(PJ|tKt_4uZ3lFZ~n?2%oHkY=?Mdqvd~vtWV-5=
zMm~B_4LO^XCFoT3{P~u7;$dHu>dQ;32?0Um9D91!Pfv&H20<r|)OGk&w`A<v`smH2
z5jrE5ZskUBr5DnYX6NU|JWMp^lSo_0>6lF5Ty*`?h?Zqq#qhdy?(?OQ@1nwUzospA
zyl=Qf9mry#8QT}_NdvBhApkSHy}TYjjxw@w&G+l??^lQ1{FTfZ7{$#6(om~j&Tn8M
zvn6fYk-re#b&^pEQ<qTjgf=KIo&Lgp^etO9#U;^5iFG72;fO+Y>~(2i2&PLzreemN
zq!opR1pMq5P6vFs%qZd0!9K!xggzywiekh<0v@b`>df2L>HV5JAw+CLzQ+EkzoI6*
z40pA_@e6VHno6P0Z00C#lxzAcI%AW9*pkE$)P>V|#_+7wKvr7XLrslL%LCnqz-gaL
z&P0^UV)jK9b595hHl~1$`tfF>%St5cT6H~2sF>HTWaH2jK;f`?eS<8N`t;m0$foAY
zJBgcZ{kn#A!zSzW@Gt_vK!#of140G30HD={xVgLMkJ_rKjmRQ%v#YK{VL_+O7@M7D
zT9FU9)TR9*X(hAf+0tV4?vaR{jbZKYswn_?NpmTSwI3(oaPM_)cg5<7dE3h5r;fqs
z8IJ??>D)orFS{f{InKjz7B7wH+Aqo(Hq=QfZDuvhQ&mlO6X!S~J&O<SFFxDXslQaV
z_SkyLbPQDyZL?Fb&ZUiR4W|>4k^So1b+%y5wd-#+C^<k$hsM)WVqh_W>z!P_Ouk+S
zth3W^qVB_Jbspd`EK5lf*Lm^9__I>GrsFcFHc^-or7VKFlt{mtRR0W!L!_nl%_R;N
z>N#5o+zIRHOBd%|ptM(1a5r$-ZRjTS)nR`ldW*rY(YaG=@nCzKD{CcBZ+$Zv#^fOg
znbX-Ju&%>BSC)m@*~c017&W3cryntOIazVV%+2&qgQFi#O9|{AH3&oNus}EX1ZmKl
zDgZVY2&*lEA4naaoUnLBIt@fW`3PQLsnlC^ev;9IT05FHnXmAeJX{+XedIqU5r5BU
zT=L>N4RYDmZ`-XJY-+zx0a@Rz!EFBHMY{{VoJU<;LWn76yp~BHyP;4X98B;;Bfqem
z$9_Fh^OJE$vnNuWevF2@Gn4k=A_CWE-sDj=l{?NAQ|;454fvtR@k&29l=nKM0am9k
zxvYQgbPMe`2RLDH$gL7tqpkmZH#`Eig|GzLcSOt&v)6Yhq)8ql*^SPAw7z!*WAya}
ziUL!kv(;KGvrKVYK6nhtj<bPCYte(e*vMK6iP@*d?_rpm%h3Mz;FTe2X6^D%oh0bx
z4r$}f#F7;Q!0SB?8>E2yDMECpaSY=xtz62}Kf;c@d<+c$^Jke<-vhULh2kHtbF<bg
z4@KgGtS!XpbtgQ85U*B1@<Lz8|7n=oc0L}4U>Os@(of{39Z>~akLQ5&g|dgVt7*0n
zX$HlpjF)nJDvrKBAvgZI)7Rgo+dvv?H{BkkdM=Z0``mPsyz$#@N(2h3M(Xq@dV71D
z=|nDdb+UWxks^xN0S7!V<5oCP8+>U=AS=$90`$dwR|zTsIaCDuXM{Q5%Nf<8_}`qz
zj8QW-k47QMuYh#kkKp=b9}(D+`j-+ANCEd#!j8%Eb?kS^lSBX`f6hE&f)r`yA8al?
zhIE4Uy*MG#QnP-D$q$5$gUO%Smn7yACH`S1m-4v)Shi)}Dd2riD??!4Ld><~4C!Xe
zfmv#4eLOC%<X}ha6YoW>9ha77IyS-tso00ciT@o{{_mBrqOLhOJaiFC?XO4v>yanm
zffS8z9c-EiB*&SZp8X~<Fy+5tgqMHjLtP_SDJdrg|3Ch40>@>+EEjUna_#iQrOPNc
znoxkR=p90=0C0vY2^&$!Mmy8XUeHE${q`aK?<U}1w}EtORF&+AJ?t&zxH8+bb4q*O
zih(EBQ*N+o82((4g^E>|rG@_qBauI54o1lWU$7pE-F<T+viq?e{AM-Nx0)y4cvhq7
zp`Ytd4>$8e|I>c*3=Q<soW@k59`I&<6!}l2Vx<*+R0}IDD6+QyPaGiE&~>^}CLHN7
zTKFGdKN}?|$5OW{wGNRCuldjC+2o*;bDwE^{?5ES3Z;>DDmWJCw+r=8j6|?d1c?3g
zcXWJ=_&0DOxQLi^lTjtBT6DhpFXe$gx*Tolm|zEOofdbW{?;DRFGQf&Y1FpJG*_=?
z{^(b(ULybh&Z4{(E~K>O=IlOd8$R@(2t=|bYG%jHRwRJPt_>aph9>r|Mj=jz-UFhK
z5k1|zP;3L&X*Zb!v#P~|(dm=kRfeKk%)e0sBG3p9bXnAGwyL+cH`|iJs1ed%`rEPj
zcXt3Isy96G%<x|R9f$y4o}d&xmdp04_&c*L2^L5G??}?JH{hLcCP*OBe?uXbA7Pii
z^XMVC8t~@jJq(rp&zyk))Xmz>+L?qu`p=pL6xZ&Y+umIy0{PiOd=;0PuP#oKrKkW|
z{%kFI>x8%uy_Y^U6S;RTI@5M-xiUz9-||vTSOvfma<Q_5Y`*eB%z*JQFdUc<`drhR
z)^z^-Vvxu^g9hrZH4ALPa{yN|ujgrD+fX^)%XWZ`*#%(wU8mL=9e9qwJ8XPMcnuO*
z!VI{E2KU<Dl|2OHadGBhPFQSs9s<x;d1Y~Q_CgqDf`-R;0fE&AcxV=s=I9lOK%AcV
z@kUy>9UZ1a{~5NZUw>H=8nzg}Fzw>C!TbA_rt#5{Itnu#UyHq6w^Y%ae0b*=d)r)C
zSynV^cgr=V>)xv0^&j3^m~$KV276qNq;(#j-Fa-OPfV?jeKR<hVWT8KH2h>`6rLW!
z-$)H|u3kG>SyY4Z143Rd(Q0dLmX8_TVR5i{>mpD{(rJwMq|M?ifT;0e(b>t%_aOCr
zvu<9ZADAwK>SjTz_3Gt_Gg{z&Qf;S$BgF7zq>MVKwrU5=QT6Ul35|k@XgWax!;E9p
zjeobC87w}q=v*~@bonq~uyW`7R_zCIP!l2%lpYW8G(sLG_wtor2%13k%)6pN0NzV(
zC2D90D>)xTz_g66pv#M3-Zz54c-isS)D8a`?bM=k-R$v!#@#PlwW<c=W;$yE5MN0#
z?~C5v56dz7<be1>7{3D3(MHClaK<O1#o15JrO1m2SSeR=Agt0hKd)!;`*eeS<F%wu
zm`GNb-lY|K9elE4UP`*EXy?{E1EkdxLt^*7HaH*NC4}6xV9V>5tAQ%nDIWCPrtzv9
z(egQ+ZP%VbLcXjLN(gjN&t38AVfHVj+>ALLjoiwA8dzzAo0laY^`c{&nc0>m;X3%x
z^W~VL;!uD`7LH#TXAO{``H7jQP8>wp8%DK!6$#7BBiKdtb*voD#Nq>7s*qcVZth)h
zuL}wysYfO|RJpTA2c4{OcXGQvlt_QO{Qy`L58m8wuefva&iaT&h|x_}g^2=elxcVF
zOK#eC@_pKUo?6iJaJwZ6c7&#=pNrFGwmLZX%ip$rP_%)@W4!ZtQ1{)L8hVfc2`<nG
zaIFYHcHQcH8$<aYDG8=1=P(7hwB-DWH2`$oiiAzth|x!#*aI8;H<F=$^F{;$tdE9<
z7Qj#6{HW2J7r5Tl2g3TzV*_DCtydASuN-)2ISO1)-0UGd36!#`E(RibTT^uZ`xs6A
zGT+m+?|SZkO=yfseCXCuEws3&bcPVRj6^{f58|an{<QOHNVUom#TB|_g-TP-*)WPk
zV;TC|zXuXY?T1{A&(^t*tc&Gsc}dXI{4=QSIW$!Rh-T0N5PiM5=!Ba%5}N{ToG*^h
z{4*Lu^k~NIA-h4q(Em5n72!YBc^LZDc3O2r$V}(nKMe!3{mszha<jF+Arff&=h64+
zjwJxVFA=AEG|=LUn!lvcN0a8jtCFL)6llj_{C{J2f-E2Ot5z9|YiOALwNo)lfxths
zSo*HgNceEq{{|S@1~>6kO)xVUzXqt1y5|R#@H$@Tf=BsYEe9E013PZPHaF>&NS4=2
z{QGEq^qKx{8{DmK2c8e?i^$r-t;d~7dkD|H6&ok7qF7*HpwCb>a8}-54juVFAR#~p
z8mZbsb6$1UFHQ8;eA2!u3Pkb;VOsp1wMEW!pr(v8$%~DT>@+~nnJ+%ZKUP2+UBT4=
zVP@^dPksmdGmExL>y`!6O)gN0iC9JsXVCK~sL%O={8>uV*{;ZV8z81=UlhiLK5$jb
z%W>D#$m9MCLDc9I6$M6`8lyt}{URWv)l#oUpRdU7www%KfY(l9UT*HxJyLW2jW6NM
zyFY_qJ8si3EvA5?t>>-=iDt>Yh-CAf4^PFFW_<4f;sA{qS$U69-3||V|MuazT*lR#
zzgT8FotNh%wt2kplB$XL4lw10Uz%829l>bm0-8<=f*Dhtoj&Z;9zOy=?kh(r6^K0t
z?oSO&T=0$a=0DBR?I3C<ZOktPexspf3e|F=6l6|ZOk9+<TM*dl2oZ1hJ(ez=t{WFF
z$o^E^0BJJFYrfmj9K+bb&pzN)1}haPyeFc|7RM(3@rk2VfziK{1QU~)h*gF%X>vL=
zFfapj=wV?bx~e}>Cvr}>LOpNp>~ui^KX!>aVe!$NvdT`9t2!BV&w#rJ?~3v~_{R5J
z;(R5lDi;J{wWUkIfb{8MUq!D3K~kOzN{f8eqb~qpd?&*|PC7i+a`N#bdcwidGs6_n
zaqkbT@{iM%g#<xuvCbe808*mU<H=qnp`|a8YOvl^rrlO;I&u>DYSE=|Z>gyv1mw9n
zb5Y{6hMQPm3N(a?oot=aBuznzW=3WlM+I%jBc+l2pt7ZdNw|onmR6J}^7L?n5<d`N
z8_^{uex@*NG_nzYtiI0$${DeowRZ>3MO5t16rg4v4|KrKlEV%xjzf+PD9|#_KcG(-
zX7ulGR@0D^TlnK+V*tX;*OpT^_Paqk`4$eA!G5#Mz@ln@`cy-p98COoG`%{Iu}f7|
zGFzlhf*H!KFARqGz6Lt}r4t5_<n>eOwZ~K~0e|U1LII8KW+j7Krc`!VXlUpp$f`qh
zTY#a;QT+Lik5{>A-Lf;^jC{<u>77b(kUb?-FBGj0lA-Y>6c!u`DDz%N4sO3}Q7fKy
zUF_&j(f2zn^gG}l5=H00NeS}~i<IoDFc>!>z^)h_z<1s)34YDAlR+l4%IiTA%vQha
z0XP0OxgHAZelxsxeZA5hJ3T$kY0>0()gD6n-(J_<AclMR!$P+15YWj*=jLV};NZc)
z;6Otd8FXj|MT_UQFF_~{vgpY94a<M;IFbWLJ+}8yHes-;xifE+`TsXwm&b+YnXK{v
z3*@6!y5FV++FktwNv#E(yNU8Xa=8AkCy4Gw1&!<+AXCXrH@=DP((Q(&gAjH*fI9R5
zng1aHR|ou!0Jb2gjLSNzmb+H~QuZ5A|5Biq4!XzSI=$o8|66xN_x2fhP@>CXmLbbh
zS7Y=gYT~~mFhz<{RSJT7O94j@`kMeSsz9FWKz4U_MlS*U+)=FpR0_|c|2CG7s(0Pe
zET$g_g(2ie)c@O@77{RQW*JsJ4HL3{yX60ls%Odhar)R1hti00PTBDPH@G4cU;#CF
zX_LunXkfWR>^xupOZE~nC}48BHq9a@cigmkO8ZI`|J&bkB#f(fYN>2wgG_c2z22f;
z;6kX8lr!>BkoTjXi!l#Z$Pd2OeKcX;wFeR9pz8hp9io}|vY<Q(dWf`H?BMkCLwJ@E
zJtJ4l4|O!xFd~`SAAt5WAj)j9hLVaS<s%yf>KgIznxzA#^tvBMJ@NTkekWB@^~fk0
zVjglHDxR%GU^C<zp2y$u^e}GW0HG0r6%-)a0dD}}T!G@A88CAQg{*NW{Fcv=b)wPr
z4pgSc;FAN=0aprGr(VQbG11Q;@`Q*bH9${$vLq9%2AQis)z8te$`5b2^r0XeyoP5_
zgDd11XMO^TR`YVdr<}x;qkJeBja?yxOv*^l@jp-_CcdeOJZ&BiAf&e{Ki%Q9Xsq_s
zrX)<np_K609$rTFAU41Tp!4mD2w20KI{^S#a<pSQ=$4d$zCWRemdK#)WB_L$ZZ4jq
zw^}IdJc%Lla74?m$#-pu+0JpZjIy-@-gUp@s_U|j_rltFdEPlj5TjWi<@f4%c_^SG
z69ow%q8v^jVh2Rs3&>r^C`Y7Ny7HE9-7;{xDt>2Y2f>YpQisfq*5K+Lj0eEqdp<4k
zyy|hNw)_PgLi9WBEPmwPblp0QZk0}1YWWuny{fjv{~02~KRC9Hg8a}b(w~KuEOKSa
z&U4O~TpKQCt6n=^AN7h{?Z>7T8%#A^#8)+yA)%f&ZgwOX?-sh`zM#mK(75%Rbf+y#
zWxG*8!9f7s_?HhrYrKeo=dE0?syi+^R;mRL)*}3_9QXPe<}W%rW}!wC4Hv7|Ue;6?
zPw<{2AGD*<n1n$(ZRubz48R(aP?(UCg*dQFfi+Zk@#8%5$_?ptAaadsk8{1BH7j+w
zzD6Tee_CeWc(8fu-gt7qoBIE@G*h>oZt0@2+R%CVs;=B<*T8+&&9kO*RM&#~nd-y4
z9R9BzpM4a#>+dfB7QngL!|IQt{4<>BbMR-;FRp8$p*Rm;w0`nbe({3wZu#+5E6ugt
z3CJQgpwDx_E5&tx*S*ObN(P&2y1c-mhLWctlau1S&Ngz24eE}|HS#r$A$eUnNi{c*
z#=52lFM>`;9^eT^S;c}%UC)B8M}n#p_oh@<xa4D4<zx7?W8Oe;mTo(u->}LvgXD?W
zm&;7Tfg<kymq>Z3#9GPaaKSj_19O7$N&MQOnXI_axO}N=;0c9qh@YApEV|i*_R){F
zQ-prh^qMilNz#vkD%0!2pTUisockr(QunA@H-zi5Q+I)<6@U(?xI&UK9sNb0>Tev4
zPv5zvrd755Md~B^UI>cyX<9h!r7#FE;W%6sGAu%n@<Y?4ofZt#P?NRb+HLR$Z=u<t
z%l%=0p6?eM<8^qcaHR=B`wM#Jk2lu7^sBME%F{wLbQ2Y-a8uI@QG2At>GON}$rh+$
zzssK+bmDIM?%coUiI>pxjpq7nVK6%CK&>-}QJF}K(2URZ0wr~n^9el`VyOC-sB))8
zA*X8?Qa*RuWZAhtMfjmBr#a|>Ah`O0vvgPAZX%S{MSMoU0c?_&xti`x@=Bm|_B^L+
zCwWE~nI$`4V+6fND)QNKYBuqgyVIj(XV@HTNiDi{><?LwSyWEjqAJB&`UF4#J*vH|
zA^U26IA{`)AmuBfm)}6fn3n~mq@<XbRz;dl@v|))qrhA$Xi7Mk-${bf#EBRAbWXTY
z&)y4q&(n8N%;5LzQ<*Hj{cMT2o1cJ`XOmTTk=$-yl8D=Ntm)EPWaQR7$5Bz(C2kK2
zSWa|Dt*>(jFa-C^ey_g(=>9*QhoL(!3WxcelRj|Brw4iz;5!He%25e2x?g<|%PfX@
ztk)jeMKDt;379{htnt+IGg)JZq?h?5*mSe+!#%nc_B}X=Y`V$V3Kn*9yIZF-Cmj5{
z@jD6?RiKz~@Y6I#<^O$%lsB9`X^y+`A?HiJu1j$;Ex>@s<`6cvY!mkwq>c&X;s2xR
ztHYXpzxOSaZjcgGN;*agOfhJgfYKon18D|Q1C(y0L1IdZ(%ndnX3_!!9786}$kD$S
z`u={d>&JER7Z=;>^*ra?=RW5-=YFs{18mt##Xgs7Q5tB#?oMvNaC@j*<2=5WtGmag
z=o!g}L#EdIN)(U#MJwY#-!*#5;&w8$$`4F3ym3$c?7@wS(#(ke-jE5nj_9MK1+RRw
zO|Jl}sjt&cBcjBl)@w*dpuvs9ckXFsCrT2eudi^iFEao8x6Yf{JcAqTveq%9UC~aZ
zJBhnT=^S!K`2EI^N&Og|Sk$x)oROZsE(%49O<+g#5$HjP#I($%2Tds|7_H(_<r+1P
zIdKQi$f^<w|M!EZjm0z7&6i$K#)H0O#KFER551}sI_v!M(?>+5ey6?EcTo@vSmuSb
zjKi=yXfj7{%at7tIDrVxM6dhDD#astIP7EXnyk$q^4(vbY$b6;|NQuW`}lOseSH&D
z(YP%#d+`@bpmq4-F5W1JN`58OrEn%SH5G)C*Fi!RESKh`|4bcaC)G;MMX(^`WHZv1
zw*%D5yxL9g1}ht<gR`xU%Iro$&bS>^cB+I^k~$CPrgxitoCvNR+Y&OeEV4f3%;ovZ
zg~L8R=dyW|UVND%TM4jcaq#($htN#b>I|W;vA=xjFa@pgP;JM~r$VJlmLh#_>MZ}p
znWta(S23{v%qI#C+)A>-T4G-=8S7l%)Y)eJx;yUg`$Mn^K|?ngO9IKC$$Z*usU4Tw
z?n53Jnob%ap*UgAS&pFA*i^vCF5Fo13e2!-`I)v~H51~Uc4N%x<6j#O{AMa%&VZd?
zA3l%i5@}kS_-gt6I<5-)Y0YnfV|t}V@d6X@d{~_e=#xM~O-<*{2wbFSer)BLI4tJ@
z#p<ZU+~rDh5WVlnD|1eq7xsYMF77($fuykG(9X9DFaOgw)+jQ&k;+WeJLQdB``L_A
z9|GI6`;MMXb$A@e^VWBBBy7seLx$XE2tg`dMF!8E!)OkU@ZB6bqZLO~aEXNt`bL<4
zN8u=A+2#?&`S;INzQ7%)n{&Oba>w3hw!eQfl=U`(LpMe@<F=U*`tfN7^&4z8@CJpt
zz3Rya^1uZK2VtR<40vWvTEQ+hv^IzD33sdMXv1WR+4=&x!@Naz%w|k<>&aK)hTx0W
zT}i?p{`koo9i&%;-UWczA~*}?r<_$u<!@7y_r9gtD{>ob1qZCSlVstm#<{z$z)JK@
zMs}%J@3Vg89CKvQzJ~8Nc?2A@I(lPsK6E7{fY4PomwHM;P!U-;A?(&{aj(G?FbcJV
z!`)=jW?;BAg?}bU#oRGGGL>A~dRXq^!g%QCaq_H|63~h(Czo;QtDI})-7T28egPC0
z*l-aGw38e1x_RFMf#47@R3HrOMWhwXxml`(X8VX7B*2`-Z<!SVtrj9eM?-TDWO*DP
zj#hmhthipQdL^}^H*FkDuvdQKYFhJ)H8oATGGu+@?3nmx)JiU1_1)I{t2fSX{oXsg
zIdAT8^cJz#sa?xZ^F&J42EP4@zRyZ@dUa-V|5B}$IM}P|4HtQ4K+#+=6*+w1k{n^d
za!b;eEFQB`vt9Q6vU8`e!9GSgYuF?aSlAa3QG!VEhSzx@EkLU5IIa~xgFjCf^;>AN
zk<BsoO7nUgdRFy;L{;eN&`Wnt|CTyB_nST3R-!V9Yn(G(*Uk4RGp|cDER<}ay6)Ul
z?+3YQhWlJ%rAmV=J?~Dx@!@JG=C1Bl>x`HJYxs11c-lYkW)P0QE%Zf#aI`cdL*5gH
z#Jy`9CC5LSkRFS;{w{V<p9%jXgF*Ha+bv|2%=;aTD|JBf^A)NGY|;C}$t9lSjTS`W
zw;LM|{$U3*0wd05=j}cjQ%ioWDC!sdXf)X0UE`WC(d9m=r@4<NJUCM%>H~9($Fm#d
z)WT9pN)^4HLzkl=j^DnR5kI;JFJAmeD4;&902TvBs?U}fR;vM9mz<Uo4ZeSf<czJ7
zb9G7(bqz_Qa7!ujo{d|dxYbDErYAJ@H07pu^VV5f=)toFj0$zSR#mpDqAUA&xo07c
zo&QWW`?Mu&(YQMb)qETebKRNsS%a{fX_v*=7>h{zHT!x<+#l>2sJ0E-b)2V3PfQ%j
zfk;Q6H@r7W|B#-JIudE!-hd+f)hY9$3!sa?ijzkOT<f$<HFQf?mS@#O9BX^+XQk(k
zf-admJ>uUiwK<dK*qvs+dysW984Es)FlH1tYo6mB`r?=i>~rqXyS5zUK=pPFQv?mp
zS^X7}Q=lnN?KR`DsW*ld_7(**q1Pr2_DAd-+kL4t+RS|&+YAN19M2sisF=Z{p`EpF
z*_Uc6z^&Sk1CHq4((7{WM&Li`BXq1{Y}?vXN?Y-MQcvl@@6(-lE8)L+fXk3F%z-u|
zzI)q<&i^O_X{qq4di6<bvE1z<$b(~K{H=MokNR(Bgq+7Z>`M=(#<xB}O?FO3&pEc#
zYOao?u53|<#i>E(%AdO>C$R?)KtI$~dvlX7>Dt&E2c&H37EN2q>C#`__Hy9i{eB~A
zCZXrE`^;^?9eWAn5yIA$IN_O-je;7i-1*O=h3q|<Pc3P%EMpAM^VzoA@J`y=@R>`j
zoq<)7;r`sD$*V04%--&!p@~1u4WCz;_`EsezZq|rV34L<cL&MK+vK@?eI~LIxGb{=
zFc*W3C=>#)6O%?=1@I~-2q9<xrkj(a$ql~zB}ZN9OtgGGF0@o`q|wFFRmxiGha~Vz
zl-g!p^-8-hrY`7ZC5)#^R{TpfBEw(sDJnH8<Lb#us@Gn&Nhf8;z!%N<N@m3Vm7C3U
zVL6|XaSlZBfo^X^q6X#>9u`~ouA!zg-apPi{tCkX`BAg|u0jIId&rm^6K=Ay+S1FZ
z^;mZ+U7*}Uz#TC#_)JA3lDIjfB}Hm^E%SSCdLY@{s*)OjS6``^nwB=5<cQ%*hmylf
zA0F@YjNvl>EG$K1fW%ZC%=x3~vAAD0GXm}UD(3n@Kr+zccBu?sMnX@8Tz6H3>O4=q
z_Q^eLkCi^jkK}RkzgQIZ?X?$kM5uRF`7SNvymd{rcof73|LI3#(mO2<6J(KBznuAQ
z9j^mjtm0$cr3~|zW{ck@SAUaeTZ!Hlt6s6c`)})RT64{rOXOxNX+C8}+&1mJ`u=@O
z9<lv2VddDK^v!z1AXsi<q7!>^+`ma!x|-y1>W~-(VMhG!CjeC8Y_HV+79Aao<@_H}
zNS5B6+CQE94XOyIHx=Lhvw%_NaD-VtTD@C#xDhh%UC!J#kax`lXmh~^FwauH8?^b2
zmBp3_v5c)OK25ln*cU(($z#yuJj;pugjao~=}bv(E6nNt#l}r7OpH@;n7eD~$w|S}
zWZo^?v_$;^43f8ym9c9eriyY;NaaIJ*ADF(o&4RDmvY=C&NQD>V(qKe#@oAA9RmLO
z<o(#Tx>WFJxkhko{-Cj?6pjv-GCzvL(BvR~$=21!C#FT)z~ld@_J}HW%6~#g?8!RK
z@pdH!AbH*T@{`1zwq9g*{>bb1mwJYOoo2f-XP2?w-goVA|Br(CT&0*JwP8qF^G+e$
zMqLZpI{&Vait=L(Kq94VXu9EyQeF?lTeDkEdG&72YnR&o>FJL9OLR+w71@T+s&?ht
z!vz)5kTQX~n^vyvyjzm1HIAnz>D1VS&ADGK#nby@=kaa>q|k@PkP_nt$VD1r2^>N7
z@Jgo{Yk1zs4QMZVNU5Qxh2&*YsbqK;(|FV922J{^`UA=H_%{^tk=KvdGtchQd~u}K
z++{}8fN83zGq5s|IaWW~jlQK^Q2P5=kQg6BV}f|CICxbOl=FME61OiagFoWz+>dcG
zxwa7FU@-P=SR^~-#;zwtQS_JFe_C4IyJuLnFIyKRRk|XpWaO7VX21WuX#dS&zFt~o
zh*4y%YspCXsI#oTi-_ztZrTy9{qEkh1g*F|ON+&m`_+`0V6E3Z+lo2GsOru>W|uS)
zF>pPtk-KppBh3(-@u2<iMl*8el>}@TD`ch|GzSm{Wpo@Ti~Wx2fi~b++Ox=4b(34P
zfn^%U3&hhcss5%Q_q}P_O}dAB%!nlxZ#&G$kFMmqCsH=>yDJML50FPLEoIJ`tliM+
z!!g%aR^Rgb!v+fk<5>|Wf5=Q%q>eK2gx5+M@2XgN^TrPfqq7gIS%`RNIBvKCUKd8!
zInEr0warQTV(YBg7zQKe<;IuCN1>=$7VOYGPwXj2zHL6SBVuu|Dxq-{&CL>eu0(9#
zC4PHv#696Zq(o@2@h=9~9bPN7&nW0-e5IB%NGb*nPq{nSFGcgjF5M>THMYo}cxm1J
z5#)K!gZ2Wz_!#z@u|Y~xM}sBHx{oi?P9bqH6}!9&5}-aVg+>FAh`ByOQRo0$dg{ky
z-|uld6}D4PNMoH|N|aa)|73i6d*jd2(*ubUBH3>F6gG<V=0*7KPnYE2<Yreg$|k8o
zv-C}hbZAUiw9-)GtL?a*BJ)O?Dr0DNNFWkA$!=jUpKC01k2P1PMhPAHQQewun@!Zx
zx8gopV!HMT2z*#ld-T-IeumkeI6_8^dNVK^nOW@=PTZ`!D0S~q|16ug)vD=V6r5qw
zm{AWbskwEOWNWr9IUBR6d?Z!9`g1<{w>OIfxcpAeOY|)XH>DqhDt8TuUvAi{$Vz7u
z_PR#Jtgkn|?KM0TDfXVdzHIwOh5Y?-dqh3Wqfw|(w!9LBG}uezf}V$c15u|WXRUh%
zi6B4NN)&#T$0mei(j44vYnKuD$Z6O7007pBKCWy*>g2`v2&;#$z5Z`w1UY!V8*`~O
zJQY<G=p^J`3Gx6x)38sdb^FlOM9D1H??IgXQJ-yg%KgO;0+;kyw7!fW)fXXjO^7qV
zLk%tA>@v>p*b&@F-t(M4#ZjmuW<mP^#9{qzx!{d~O7BIXw2$LC!!=ri5gYYuHy4|Z
z>Mf(HsDA{f#ojvS-HzW;udI-E(l8POr4!w#iei&wV-K-kB<G)`aHV8HFp9Ejy{K>>
z1)r{^-_G2&5y>Uhu@&7eXC|Ai0)&mjkh~D7;#Qu|kB2AHWPQTZJFxFQbhyw|t6*;L
zhNP4~Q&aO8b!>3|u#tB`Od6uwt__5^X_MTX${40TXo|ca=Y_4&J_lT6L}av<?3U6j
zPnO$_XvkeJlZFD4^ob$#bWHr9ZQ$$%^D4t(kz)p3<zb@yws-BFukVq(G#39V6!%G7
zCc=Wws~+daF=zqPp=N?K2ie6b>C}i1fIpmxJ&^!++|to;bqz^Z^=c-ye7J&Mq5PLx
z8Sr4~3O?+od48yMV^>p(PGJMKfQxb*S4=y;B8AtOxjyfQJBNqZ)eR7WF6RW#ETrmk
zcJ~sB@{myA>QQFIqF4MnAGR_}95xekijCJ+w6d^1K0Io$v{>%asZcW3iW*c9IZeyp
z-JNB4G*pi71>~6**WRT`+jK>(#pxaO9wy}#D#x(z6(dzTv&7uPGX@E{l-h)WLsaow
z5T6NP`zr;?=t!H7+9i;s&~(*HPCp2XR!;3YLVVMXqkiPRQxX9&6y6<l`o(53e~TG~
zS+7JHg2)>L$14)Eg9~Qj;uWQso~X6E1|kc_KTEm<vb=`V8n2~82D3lmZTIXutS}w1
zD1#NHd`+Y0t5J|^yqrA-7c~Zk>n`DiKm}+exm-gfiRH;_Z!0DQ<`VJUdXnRP-js0y
z`394zK$tRuq5oaO<Nv|}D`H7<pH(zTUY!%H)5U@iDqUTl>5|t3ftS}Ec6z__CE!&(
zwC8#H&QtLQbTXO>V7nB&fxbQy2O?^=-g|FlbfUxrDDCVeq>Wa<bShmf=yak!V2nHi
z5l#N?&qjRxWlq`&8gn8aGh~ZgXnwM>OWLcUdM#);q&fyRiy)c6mC(oCKJ3@h0~ebd
zRb4-1j8?jG?ni~|OB7DT0es6+ECjW9n3JBC6{q99@msDTaaD(YQbp1RKHYEsLb#k}
z5_1RJ+D}->zK7KTfSwk(j^2=6%qXEBNN*S2LKXulnZcEYQ7G<ysiRJkMrk13fqQ?L
zRKkvO0Z5?to;u}vCpYoJS7k*<(wne1DR|qr)?ozex1iROH<N{;pZ-;xI`t^AbQU9@
z)7*D+>2P1iorH~>T7XZTklx+Pf)lYIE-E}$|5Y4)meQce&Q4Dd__&8q1Ra3imL%H*
z@p6Np9*-i(7^Nu91-_F@vC4|TxnNsXPZfmu7-Vm<fobD1^fU)u%R4Srnpbk-<{Tg&
zU`Cu!e<tyaHBOurSxe!%g2ezq-tEgh_!2-!Slg1be9k9eQRxrO2DbKWix}eZwnXl?
zxa4>xUjsc2tY_vfgJWRQVPyoo3nFe{p!}~6L>|M#Ij$$w;?b5@`y}J)RD4_bpG;d}
z?6iCOYz&q?>!zSP*`0JDLn|aMv70fmx3l_CU9Sl!o&lASp(xathN5wF4<WbBxksYK
z*3JTn+xSV?ibZ`cMsNIo>s6^YAMUu6?&P#Q;=9ZJY@_U1spFAoCjstu6xotz1An`M
zgeF*f%)t3KE^<ACXe6#J@CKiI<g989&Ni`;8~8@(sl}3CT^3*0_l(R8t)krBqD^eV
z9U~E`$HSL)P(S7Qc7}(%t_t5rV_!dzRgPo{`4G5hk8d{xazdH`d##Qylm}5H`-GFt
zbK6_u2~O}1><G-M(yn3Z2q;B-`>@BW@zIIV_6atD7It#q`b4MZmr;6cQ0F;NG{oES
z0Z;JHq!J|UNL1kx9r4mqJ-z{~#!YTl({hHVlYc$eO~ZR_o+hA)*^608QU-aMcNdVg
z#}St-B3=Er0rHM#2ja4WGII*R#VdytjWzkH59r!}TF6uVkd0E`^FW<P`Fk7$n=rgB
zbHebGhi`y-6H^I>1CcbV@yJ0l__7uJA|&2zab-flviQZsm7~*EZ#lVjnRM1%kA^t+
zQnZ}(HMZpG7NOl%ki5CJA>T6N!%GBWrX3q$br%HuWdc5Y*1#UFy^)NDBsCP*B6<0(
ztrN47Qj@EB`5Y$w9>_LktDd-dyS!csyh(2XJBajC91<JuohqB^nOX>b##tg`zsRO7
zK|<t%v<GxRC*oiLsC}dt2MH<6Ji{uQFW27$jZbWP?z|i6T<5v;4dAP+cV;^$7Ds*?
z;oiTGHCX!c&x`K6lOvl!Cy#xPA^VQaWtd_h7qpO1Z6Q&bmO;%o-?MXf>?O6z?Tdn-
z)lO8Tdvg5e;aQ(y2q1IKe_)30r5L%hc}k`B=T`f{5HGaK@}$=+%A>(I>{jjLg3IDS
zooT`yOBdEJf7wMfppIW>0^<LsrSwsL+%(fLVNo%Q6{0y5R^t>1n-=?Q7zHtHb@;)v
z2*dj$+FpJ5Z=JRCSP&Bw*T{F@sxUurF$HQl&70|#So)JnJU}qTT!DH-nWb>iWWI?R
z>$&<jAExp=OQ5<{WRI=<^yys`3N$1WXpdT8M*z2NHUQBbIWXz*2PX&-5#`ObLKawm
z$~=xFkyRPWpPb-P*ur(3qU6|O1~Cd2`&@aYsd4L8)}84iA3z4-atB<A`B04%n1!9V
zY&xEKP9wPU*`KkK{t=jnnrbh3n#GxoV%r_*=!VCN*c}4i-}}bF+OrCz)Y9a%_S>)P
z_xGs|*Ir1w0`*8BeIp6%AX2#hx~idc?A0e}-lQ#|21bSB_Gwtp+U^gL&($HHAP?vQ
zGgYBCVG5shbxT;VAmX2$oT!ZET;)xYMVktqVhzsythT<r8X|yrUH5hw_V%N=E4`q4
zIq<FSVh=!k)CUByl`#*EyZ!jsCqcuC#=w;t5Sq@HnG?nS-KW7omBsduxtPJm(XoXY
zL8JbQk>TlJF`JB~w<HUqDYj-a(?oenV!^d<@ZG=a5sew(l`21yzL`?J`T1qa(Y5um
zPILkBqlFO-ypet^4Fb<>%+^hl;0h#2x6tojF}#MGj{T_tk}pph^4g@n26PEici|X7
zvG_&7J3BkQgxoQqsjPxw939yUBve9cWm-`X62pJ2&(?k`G7#|NH22#azvT5jf7-z}
zAgc2z87(lgyOu`Ib@%SdLRuta5h5BrP3N(pjVAhjuKBOEKV*bTp-AFko~Tr3SIXBr
zz_Hf21UBI&<R}0ZRy)`);7sR7z}PI;PqKIZJPHg&MakeQQLWXo#&eo);1_jiTeZHr
ztJZ2Lui6cCHOgV(oMz-X6Uho*mK!>Ry~K<F96w%^kb8HVBqZokPB`)WD=R(t^VQ|o
z6~I-8y&3#cV48YGawYms_7i%U%of{_qri~CD%*T7)Y+9|>1KRf>LLC4XVQf?*E)gM
zGq~b%*hQTZj5i>6;d^L|BneZe?R;6|`Oe1Qv|a7)(BU7fhy$exgOF`}s5i~5qQ=4-
z32+)UP4zoDft~b^$?p8*|HWARVN<U&#>G%8BURFgh&PJqG^n(@z;<K|7qD|tZKf-b
z_gO&}Fihtq3S$*rYV@lA2w#Bt_%1<1L#=B=a2YrYGuk6a5UswwAG7Y+|Gf{)80y@;
z@ag3%xHn8;hm7hs1Dk6y?{rE=jWnMFM4SKl(fZsqv#~Nx+~fq;9leLW)gMUWL5Yz8
zKbu5kJCuiJunQ>=)OH+DU3dL?vWKf5_C{JRvVDoZ2$>S?RY978a}H)3RV4BdKHwTi
zf)G#M9qAP9`D+!A?R~S}ivxA&k6)r+y>u?zTXeXswh<=e`RjWdP~9g3M^uEp5-$H|
zmFCWMf+;TBIU@S{C3&v#myT+)EV9?1z8QXOfpBZ9$tNN+TN+9ze(3}^Walj(uosUD
zRogGHDmuD$pq(_iI!!BSpRq=F#{h2meI~Eh5x#f2vS8$0NDGO+I9uVTU#Ot-52%CR
zrtGKVzUs34knR3um+*i(wQ&!*10@Ry7~xSAs!k!?kuF!sonw=y<+=m@jTkuaEUycj
z4_*8jRHA?s)pxx9?_e&R&}R;3*`%I3nphHYr1K#9#X9WCYIgiR3SuTBc+;%%>F};W
zq_D$C+8PSTEh+R2LL)+I<km-eju&GBimUqx5-|yQgVp~|@YIn7-tep^@)hNm=FShX
z6iFVRD$jmQTuG3%Nn%E%)q7p4?B5#@_<kk`)D2w1`CLf&d=f?hGUuhhV{3RUKL=S!
zydiaPq>~(*Vdl*v#v)rutk`GjdOcmyN<<2whDz0r2WfRkwp|pAs=t^%OmVv*{7RlW
z_ayFgiqEiL_zs%YG`7cd-mf-vuf7JKk+`BE<ww|xo6q$1<%@<qsTG|`$<W&5X_)nt
zMf5XN6R1-x`%Ql*B_@`z|MR6fjqI4`$LZ{U-lFuI9<xhe?UF0B?%nQ-K|@VP7Ack9
z1bmceY;*|qD|Y&0C(3qL<!t*~gJ|p1^togP?-7$<Z~b)p3j!0O5AQ&k5#vNI&blUn
zby4=WDdVp!s2p5d_|am<f^hjBce_Nq>#Fh%wT-0YtY&AtH?iGtyq>r?Z1&d#s?|J(
z8PO(%U_4O+S^SAjHdzcG;Tgr>bo$ywIC(vz=`pQw?Abq=!F1l_^{|(3O4jMnt#MtS
z^7@O|zlWcl9xGR1z=_?|?n+4>?pAxTr~yR_|Kpp+-egna?|6}Ko(k%pUYvctO=^ga
z71_WWXs_rZp>>~bhE^nwAdic<URk?%&{KA+Fo^Di8$(`b^dIutOuejAa4w@xTO|<%
z#yW6|w}NZ|Di4ry8@GHcG?n>j6wBF)4%xPX>TvE0PMqsr6ego1k|)iv{tq1)a|sEO
z*9270rH}dai)=EXYziRXUvSNIQ3Jjr{nJ%<Yx5+)!wY$=_C(^!r|FN(2q~610OteX
zEvQZVmJW3)kd{}n+@YNQs!knhoF3nFsZ;TBSl!Fpj<vT-w#nu~ez893X#D^rKzDt>
zK}lb9mGv)(Qqe$ty)2Cx06Ceps!&;`=l=-qLc$xei>&YI->gpo>@Njg-si)Do;>Le
ztY8$^5XvF7XXwxtv@vfF>v-9WXZF9VP3WOg{%jRGSbu{|NLxk<Ok^#ksif#y<7uwr
zIh^b4ns1|R+vC--T@|L)fv`Uo4$2U+tjlLclz8wcwt#yUIh%lL(RjR2DBe~@)uisz
zX>a9qd37vGoEc$r9HVcv0-Q<0)AHvxW2hE{6@Og44ym-Y3N}6J2I|)TmVx5taN9+O
zoMa1c_^5E*#r9-iP-F|pEb91sj)ThJ1f~4^;GhsDgiU+y;gaKa#ax=@PGyo{FTe~J
zJ42ZeZ*?)qg2$CV>#oh$GtjeTtLi(qRfzvz0>e9QdEw0J(J0{ZbV8726hs3xI#FcM
zA;$s`7;?@5*3D4sZx7kNL}cs8?aG;ZWs^6w*NK`d_xHFe+!EcKLu62Zd`uPXl^8|r
z`E^jK<URFk3Krk3>5FY>xA&r$hyBb3EthVWj&Kue1$=L}6?k%f*qBVu_DOC17Y4L^
zLuu;rb%B>$UmM#0ymJH&R9*DluL5uWw~0Yym7)W(2OJW<OvKwJ^IlolPkG4Z@{K#0
zH~SS8^}*>Gm!k1F@%PW92jB0Ez85U|;ra=Y1DbX*z{T<F)a8-NZ&QRQ&V1YK40*Om
zfAxYe$A>{Ke1PYGfNp)Ttk-&!Bo6Lp6u18!&;MA^l)=3H&-s*GBS-g8W6b6=sj0zd
zGz$S?*%ABK3(qeXeth`o3N5vZ*2cp{3X(n}zGpOH0{l|X0v~1v@GE{HnSQ49RE2Ma
zR!dv^<?$I9lvS=!)4lI$y@qe>#-^3?t{-IJGP<EL>lP@>$}|K2B2<ael)+4+9pBNP
z9r;$X2k_)87??sGgA#A>(<cOp*v|zat$UMQDlqm|5Rc`MQ`VH{Zx7bT9!PmsuQxJv
zpe3L45rev_9L|nMOZJ(E2Yx%VW_~B7gma*&^U|lbtzkvNlLc`07N544M=7-A6_+p*
zI8H{!n6T&sG~!>vUR5N>zs2ZCgR7@TNdTd>7*y}!2_0&gHjDX<o8AwdWs<$B18<Jr
z(&j&;m4#WSi_Fuc7C{E~FIKfbeV%4B9~v$Qu^LJsfA+O@8kzBXAn<WQ6zImF>}zOL
zkk``84l<+lF!tv8Y3oqrycZ)B=p4Ny!Q{LY$MJ$|gILx0Gm}cz=}Oub_mD11pEUgH
z-#H}Y4Ha}%5X!r`WUJ68Yc3iU%I+PuCHssG41epRQ2c=gBgxe<U@&dZh(s4>iq+Ef
z-+@h_=ss4SJ+EC#i2}9m*V>+*WP13AfiB*Wg<NLmClx=f$2H<$2n{9TE;V?^kzoHs
z1<g-;<L}r}6xD~i<3C8Kl%9;&_Ts?6KzJn-#SgE*!d5a4mv3G*GPmC*cM7H{fAJQa
zBt%3>#_Ev#V0D%1O6;RT+OZ{TpZ?UH&?#onL`JdHc^j5YH{GK4V@?Q<YC6%-Mf0hR
z=&ykw6qeWJIKIG{TlgF78|CHj{y~xGWSP&Q-&BGrxG4XQ$uV)<cIgJgrP2r8cqTdA
zeE>~BN4TaHppZZpLy6cgE0csCSC3nNJ~=dhi~PfVeNZ;dh!xEYvKbm#vVk%-H!GZe
z&K*RiweGZT`fv2&2=c&}e^<aJApA)2fgPWzs4xjzg{xVGaA)h-`c>PG0#OX;(SoJ(
z=M%48ZsFKYnu{h=QSieBVnj|mv{-lai_z@PZhJw<TmxoDwjK9Ew$eyJFVra*Z$DL>
zrT)791qlbE6mM{CjYkkPcjK|P;k<pRM)HHaK{LWy(fCrU7dSt#!~1Lb<Afqvj<K{x
zAD{Hhb+t-&yzbfvdZGBq^$Ux5=hMrH@TNWZ_k?uek)}GYV@rmjKgc9$a=K`4qd|XM
zs<=xgcepm*t}U!xp*_&r+Cg|74R`yS!Iy6O2etz3;FqGPHnKa1hc~9a7zIP38{FG*
zGfu68UuJCIE@3brY%s*U1G-gK<~Kpjby~DvKeI|Ph!|P&tP!mPDLp~3)J(HE4B^h*
zyD6XDw;>cs8BOg)>+{53SkQNcB`CWW`Tw3TT>`G8Zd_}}J+z3L(@L((^6-}A4Oi#9
zXt#cczf7x4AP)tsx236Rd#i&=!27-&IO!n?VibvmwAMMbJ52DPwoFj<i`(|%Iz?k^
zs^)<TeD<#kt~IP@^C>@iyZ&SSccfL$;J&#B60QP^F<b5f9P9jGmce4kbt%QP?hH9)
z_uJcIZ1ZKlgM)it^u)HIEjY808REY|k^!{QU)tb%a6mQy4!D{V8x58Zf^a#)w=<qB
z?6b+PsH3yQWIBcu>Pq73@_AiIxPZRU|8^Y1iYRo`z3MoH4+r^pC_KFlUs^YTVD9f!
zxLex|RahP39-dWA+y7bi+4U92b*x8)GkxTONQDLqZJIQ@pS8aflY;BA2(1pVG5+1u
z0m%6pPVAw~y`!Jh;J7-HjsoHk)T^^G6V$`AF>GMl)uN-UOh;)ww9F&gNiBjKa{sR)
zB7jL;F<Y{`fIAvJ-x!OAh`?R3Fw)E^V%Y14sTRv<xLWV%1HOzNw5nyq?~j@Bmiui%
z@zAZ@vcqZO%1&<|4?VwPk=#PMji@wq2Gz;{Eg|1u-&6QEngFN&3qVMY%R6zzi0(%V
zC+`(}!*}8fh*gY7lIqm-7w*Ov@Vaa~G~{%-rD}X|Pt|x<#h5Yt0!09fkZFhB1Dx|2
z3_D7On8x=;L)vjYTWM7oSdS`@rw?V`${GB8QeSBH=i?Ti!`o|ejk@u?p#z7RwJ-}0
zB)a~-cA#E=b)XEalmk5a7kCIVkjtRUBs|P9mN6uB;I@Q1<L7`ozP2Qgqt=%99vzNq
zHcEngq;7@JyzPMMVRU3@YtPC7+v{3>2|Uwx!liIdH~<aBx&oCMlhzRE*m^w-r-=YR
zBV<Ui`>zD6*0jq^Dqxpq@Vnkqm1wGyZryGjD+Mm(MDpNG@kNtK&EWU~iN@w;2kkFC
zMT~iUgZmRdGsOV!UDJmqH#@z}z$Jpte@(9o?BI{Aea58Kf3dC?M|<ncKS=MJ)7MZq
z>a2vb1CR2{LZ0}fry%QOu>f!WGZajF^y(+5JqY65fg|(VuCi0J-=>%Hick!%4Arf*
za&GpeovfrS=)7lUS1rfmMSAKn{@iwU`_1x(nsGl(M|@mezXg}$WKvxSr;EA@Fwk}B
z75p6lPaT*_-EVmyS&F*fNL~!go<J@Kd!8P=UGPDQjIUf0Hz-u#;&{v%UvmYc<0oLm
z$m4&#S~g3lCxeOsTw9IjHqoC%rWl25B!WDSF)&RGC~Kii6!`QD3BR8~D0@-(k^_Oh
zq*F)$PO7)?rll?X{fX?O1^OrMz<rAFh(-Yy!x;nHD(ztR${Nto?i;`m@(h##xcvJW
zLBQ05(K_M91^}7<*d5ukwtRj#Pm~bZ1Fva}idt4%LVGQvj@|D!_q;w9i|*%^)wHW5
zJ)Pl*;WBi%#W*M4ZvU;|Ox;4KYPI-naW&s?^%7fa9n=G<u`%#=OY3Wy^>vP?9E=m{
zDQ}|P+GGXcnH}x_eXqq`7mOr#;i;Y4$)YWnW`Ul`d)6%(vjyWovQoZs+R2Ten34wC
z+GQ2vqsQtQQsMjD!U{?Y_hUL8WNB;p!;O?K<~S~9Tt9CalulM-bugpM?mqi#20;9A
zA+WVDSWEGR1VdzZ!cLZd(8Wlpzs~D^)E$)9#{*wU1?X-4s0}a<S-o5ZxkZ;O)Ss3&
z>S}F1U@&xY;$-G|n7(<lZ+sXtdVl8#{j;MTnYLO2D)`@;S+Igf<1nD6(oUufXY!$u
zJ+2ZvmV&5W6=NSCOF|KF(?&a{GH*-vfhxg1eXIAc<zI}HZvk`4TD2e$XpNBZh}~x;
z*z>%kV9P-^Q69@jvNIT*H?GZn|1C>y>3tsiP)=rr4Jzd~9>zv<+S^5qHO3A#60={7
zogBwldQZMGCvq9pH0{j=PqrRpeE`MYf>%{lT&%Y2&X8vDxbVaZ?Vg-^zxO|Q1tzq;
z1i6Gi$am1<UO+^=j%aJO@ZPwrHm_asAq!NB%$@L=m)nWL)kU2S?oaw5S&w>kcDYOZ
zJi`+}9~rpf>tt2YuM;~R*4O^%MZVNqi2rNg7xJV%(Wn8}v$h)?@*W##lG9&E9DOM2
zq-?96jTo_<9s??{tnAqEo(8ptI1|RiFs}&orUZ#eh0Lvb+YEyO5B2dQ@4V!mVs<IG
z)ah1Q3^}4P1~kd?7iun63{QzD^exbH+N46*vA(o(20kmK9Xd&YXje0a!hV$$5NDYR
zsV#ind$REhQ#s=RD15>LwhX=%n1naBg#8l%p$2>qlrC`3<IR8&2Iie9+r+?Q8_F3R
ze0bEZ{rLqz1{}88n(%x^Qby)ACPp!Hq&jw##IU^l_YM3-0(pI}-~PUY8RdW{8XHKm
zn%&JX*i<VmNl`B@nqT^#ClXXL$TjbIMR;+exOu%uGmYF!eHyMqxg5deZ@7k7&|lIN
z8joX2NOcs9-mhj^TSLYZ>hgWu#?_3A%d}`B`)?%3C^+;sgT5|TC#awsxJqt^_usyV
z&KI&0&k2D3Yy-X!y&To>@?`9X5g-N$x(lCkZihZ419xZ9OJQ_8F)$xEVGPc-I`HlH
zn>G@}Z+LlASyT2-lk1X`@4@l;2?7V}+OFGLj%hH7_!vKy0NVT)yZ{&KmVhr^#ei0W
zP(LbYfswVaDXm&90rl(9{jgsZ@gW@GVBqtd35lIA-MshS(L$AG8w&Jvrc@!Nj30ne
z1K_6}_hHMRShxBj&K!OITpNVqb6e7%hGePxZPQ=v-I<0zl86e9nIg3a<uov&bP6s!
z?uh$(rpxrKE~%}=YrJwn7Zr^@LT(%KRT|14oN}Cw4){kBLpKP4v2OZ5$-!T1L*!r{
zP7op8(iYR=!uXZ4t#N(Yzrhh0c4wywSO4AAm~|KMq%#wg{&oYG<4{uFug~LI9ya3@
zSao#Gvn-3rL<xzqZZ?zR;?0!0HE-KT;gtd^yYeK;3uEHSY8i8tb4jKqBD~>^Ne}-I
zT!1-#dntFU&Vju9Ov08bp~}cyDF~&n-2+Ud`%R9TTN3Cu#4v4J2KbJGDbh;a4LO+R
z&{_~GJLB-doUgw)lrjW0R<~7OsK@nh#FZKx3ndItk|At2OA5k-yf7fwvGtgwIxS4)
zdMGNH1H8%uZ}3n6d?BUt5Cih14%Z>9Axvlg_wPWXoKdkZPlDbCe6_e%6QKTO0N3zZ
z(?f9lB;_<>G~K43#3g9%Wki}~M)tdR^ukVbnMf*&vy7|-G;FG&g)3w`Ap!$kzU@Vd
zN_U_!?C{)<cIz!IhZlskz1@=C74N4cH5rGbf71Y9<X@hh_8`DSM_lgpvtD<9>)5!u
z=i5N2$4@4@U9nSpV)HDVSS3TD!O;CHw6J2NG^=Z1k+v4AZd~Hb%M2{s4ToFdb}Yb4
zXs9pvk^JQ)z<yn4uQq&^;|M{3eSvA@U(qNW;YPYt%kH?|x-JuT;B&F)$9Ok)VJ~;^
z9kNWgzyN_p6;muKi7P3fK-lrXOE|dTH4cO*w<XgbY5#Oa0XM<&xSYT0fT}Dw5<ou2
zv60g9LZqm*atv(7^Z*U)50|4G0sXUeTBkryPi?~;<<1MYo`_fu3_%(Cu6>!=$l?Ik
zUrb^Fb8G}Q8Zc{gh|(;-$4U*3B)W0@f;o+C<IH?tdME^YOzPBmC=BW{O>O_4A|y>c
zCF*~*R<(B2tK$Zc2F`?nps6%xyI|QehJ5?l_FS^n!X!!C_4IQ(*QGCQ%6Q{8o2@Ub
z2=7{NJwx@Jo6i<?osgp`IJ&<q^g_FVoj2TPdAzMLOZtk3f=R4V5o<V|H-TN+`<ZID
ziB5%NUH+4v&*&9{+VRnn{TF*{>c-~J65NsM8MOhq)u!%1(jl(B;H@Cw;_a%6W>7_!
z{trsFq9MOEdEsx+#T$O&D{uP_D^ps^fgq$}3fuHH1t@K%*H%fvPuu{VW3Vm3$oy+{
z^)Loz+a<Ge4p|%!3Wm(5DaSS>Egp0fWXS&2ulW1Cdf{ZDfLGLEKo~V+Ik!ojYk&kd
z2e|gQK(7NcN?BiQrxQ*G_6@Im?AW}OCQd7DOF+l5zp>ot#8i$`A^sOl{0a6_=?(Y`
zY5CcGx3};tc`rbYdjZl4T+t#E??0<EzB7{fRLm1QN?JKfT4`0=eod2fGL!^1ObqjS
zo*JoWuDRHb0eNH9<r^2~323&XL6+Vb^osr1AW$lzaQvSS)^;{846UiAF7hSHcjd{E
zDJ=wv)m<&(v#qC{tfIwnm=y2EmMlegQm~mML4&!3y@`6W1zhwr2yEOg>q5<;0dh4s
zC3*L>|E9BpP^Xwm)6!LBfzs@S!K@#?xWWw&_zh{<j(}-<f|u{Z9&yGC&urO3NR?w$
zTr=utNt}YqhuF}hI{UTl^gzCTH$(O{wx6I?D+L$-tLlCcvpH1JW-SXFdm4a6(}M$Z
z9D@a16du4g01Voyh~I7*&#E4$kcKlJV?fOfj@-gvEdp9jg|H@zsl)_BG)sX2$P00i
zP(W{BiL@_sE(S<5t-5)y9b!fNPxqwf>({2YyNt>sYZ>1}>-slBCkwNX$;wp9w8u5=
zHq`|TOW$=<)%*pbzCzm=mYR46Tz`E4DN}(*4$|9{a~$C-6n48MbAhJ!vxLz48YUkj
zVfq(SoqwNP1#Rclg5`mf-;VtzX_VDACCP1~yiju$ryHCkGc4LWYJ6a?vXJp!L3bg*
zPL0dO05+*J4zqeT4ibB`kgfMYP_PuO@kHHNkG7z;{BC$ZL&@K4^&%dcV?aqmZ@w2h
z0`(3$rR^?}R=5F1X9(`2IE0=j#hM-fDBT&hWvk~y>Mx)nRK<`_`;!zK0s+2ZD8oJD
zFnWhB7!^T*a9z?DzYkw=_>*Umb`mY~e~8yK&$UsJRF{=D1u`d8fqYIHvvN9sB<pQY
zaXWN~1VNhSq~Yy7jwV!LDsM4>qdSFgvdyFy?+xI_{S~PMm$z{597hrabsLA@@<4EU
z`I{W(EN6h*(@`qNi%v#~PCjavcN2)Bv9@)vBvg&sHMc1r30ZFqf7vROE|Si#{oK*M
zla@hAW|pBqJ9M(zy4S^V_6KQ#+iX2^3PAm3|J2}uhzCcJDI(~M$)sn@#=9SB3%rkd
zVe<o7A^vXFEcY7>+5OxkakosOt#}gaH0vE5;Y&_R>gW;?mprwBxH@iDaBNujDZ%l<
z*542gppL{vs<;m5AmY+MB6c%?;&k@mbbsl=KF=KK=za&Z-!WJWGkVL_2w&Ttcw}V$
z=$iu8AQ(lGSwBgxsS4B}<XMJJu(8{BSaDY`ib%j#@g>TDD!W5aJyzTf7<J?Rgt`Ww
zNgYh(S`ftcMGFTwGR>E^w!!mK_$vFu1$%;9_x?5I*|~1^f~>w9e@%%Pkr0Z~{gz}f
zBmf6ID;%2TrDSH?_V3x!CeJno>?*9BWJdOLjm-P@kV>zr3%)}A1qK>g8S=}V1ftgT
z%w2^uPxlWw^r7sHc<yBUb&hCP>t=I`=Oc1)C8#{uBxADhkg(s{P?4zZZ`~U{n|Hk*
z{jEs=#7HG0P9|M`=Bl0A8c<hIGp@Ac9x~H;t>^RAd!?knOrf~*x0Pjlo%AExoAm*f
zO`QNgPKoLq4CUIe@yr-l-Dtn8d$A6{+P?0F-p};;_5MZ%D*{32gt%boc$BA`PU-fC
zgk&Q4sj!$}(yopL(<h7~t0u!;L~ozIcaFZsrTF2tIY|of-Ok%Z?=0Vc2;#aLcIWQh
z>@S`<q^3f?yU#dsn*vC$^*p`J^?o3g|63FH@5vp+$$G}d@^Ta%NC*DXEUy8A*p-Df
z_$-|q$>B~;p9E`RM<Fkmm=L&jBoym3K%TGg7TJoQa*QOn_9djXLd30gUunuunF1~8
zEsSb?`;RPm1f?j8XP-y!Hl0xX%t|&1TaV`UDPh0AOjUxp)d5wdP>vZ={~R*@CN{G!
z$jtXG1&5?`S%){T<iebnJ;jCi@PI~`y5CDjA0l*6eb)1zgcBN=!X1;cZmCJS_#auX
z;eB^&-@t36_&bB6QPWOh-qm(-Mh}fmAh$K6Q3-QM97JY}t?DtlH&+}?=eP6(^I3#g
z&G)y+R2ZtxdmW^76f}?*0DA1$vpcHx;|FWO_Uc04SVVT;%13E3J))oV^nhe9aJ7RJ
zSPV-Sryzs{`F_8|0!XI6EMK=W!AKdtV7f=kz+<BnO!G=AyItn}VgKl!Qxk`|HMP?~
zn8<!`>=ijmCRzXGwQHChNBu&QYknshS5pr;SrCP#p{|qiwYXb0yLE7^&*Kpe6VnKj
zlcd@7&7QMByRZn=Vc1gfvx~(+WgXME?ym9ART&vxFa7Y7<>IN*(x_ATzY-I7G7F&J
z2J_ich4RIH{?=ymSkH)lp{PFVzFRd|+-<M!L0I7VQ6^0Q7fYwR+ovH1nlQUAw~-vP
z$&foG?~qW9!+=j?H&6KC-?#ftm5z=USaK)j&-Xul12v(_cJbo2dFhUbHjxN{=e3mm
zZR0o12_mdP7mB_3v}`2w9(@3wq!9#6FRf0-0-d*^HP`n&m=Q7D@!to4ZD9t&TClB4
zIO$bvrLg$y4%s;p+M}=#8DD7&H&mbHDaD6VXz+}Zf4s6+j3-Ggn)Z8TrNvN_pu8I4
zQGaE9K=vDv$wt4v3N`@=y;5!ew7!ZQNp$em;M;_K_hUW7^4LL5EkO2$kV{MEa(@<N
znZ98gydTAcNM0?Zh6e9TL_^-!?TCW8t8n<Nhit#fx&K^UxPRXPiQ}eskvL3lko-d7
zpUGGF8a}6R_hu%9IIrNz<O}7->_|s8@0ulwT&H4h<{1evAC);+Vve`RD7bA>b7Q<>
zmj-J%@y{~m09EWCo-O|8XUZ{bs_GDq56Q_$Cd3PPUmu@fsdu5mYp+KWq_vJ(<^eYi
zMU1|q$zN?mkitG2y<pNf82cj1C^|Xe>$kGjcJSc2^?n3_cGs|3x91QSLrD!@x$doe
z>v@o*KB3=9R9|K)3S!S1l6T#E*$Aui>UQBnz4we)f95b}>ro5=-Tzq7`=cF6tQg8u
zcjLTlc*Y9zEE<ipe|zCXNZzD}VFFh>na$M%!^o&is)P4~R=rBN*St;bgI5hE$I!li
zz6SBVU!7ultFVgkJ_?dajMP4P$d>=bl=880$5XNeaLsLDRVbXlTUJLK(6dj~>TUfq
zJjgdJIq2nC{eo~7^>lxC)hR7M<X$v{KYxQo42mD2t&49qh&T)@pW*|af&~#S2?q2g
zP!p0X+O?u!S!}|Q$rY(@_^BmF_?rt{!PI9xGtn~dB#iyYa*x}K1D6&bYotxVlDGuy
zp<8mBVItqH2MBH;aDpSUfF)VHRY%7L-mub;UU`i*`KF^J<vQB^IfWJrLIUig3Tzwj
zrQ)DF!tQr8qai9$5R&!6NVKVqL&8(XE<)9kw;>Wr7lqPkRYc2@Eesh_9}wLhYQ-1k
z=s`Rc(FYIok-RITx2aPS)n~n7Y}z*P{rCyTFEz1mUs|F3XqSJal0@3Vwa=bn6aKkF
z0}?9A1hh&mFE1zKWo>@EOvN)xfm5~vv|5$(l8%ew+5x1nR0?*v1bXBX^1gm}$vbQP
z`T!zJ9@{p+f+tFx6QnU4Xlu{!yLx<i=UK{(s6JEPtFo<7Raq?Eh(nTK+!!yCH^16^
zkuzwnUO&9TXZ@MM&;W6`m{8+Z+<8f>|4DZ1nQ!(gHtM|Vo!S(Uk@cW{_(?*(aO2Vu
zpF;6Wl)*RS_l)j3kH>mX;>}$rEOr>>PrvUnFj2BqX4TH0QroK+5QU*q#p*9D%S2EJ
z#$!hbV@vT!iIMZ&S{H(dhQQb;vIqm9q$bMiiX^l9{E3Y9-E0GA%#Ygy+3&$yqF`*v
zorv#+&h^nw+nAiC*Cwx<(zpC>1=5~_tS=+ou#Rcs4)xtAMYu=i`M22Lv5Q|ZI_h1P
z(uSv-O;D+r`vUM86VULI%udg+mv?WJ4`&(nrB@Q?Q?x5IX6NL*Ze0<Ltb1E``8lJ1
z)P*iRfW)!4DU*5K_*Q<5>pnED{rqjdf!yR}*l{P_!V{K&Ye8S`sJvD*roQd9=GM_|
zmf2pRplSnulMOQ3?j$^Uz<A5n%`Wpjc_{ir_*}l`CqZxVcP7M5bd`1yshnzI?XkCs
zc3oX+e9lf)21H1gX}cB0?oU^{&Ik;XYsnTUa(rP@d&2E9CJIj4UZg8TtmI-_$<sbO
z-wH=0X4)`H&pmRvwE1f_|K}!S6}jtBW~<*?C-?B1l2_ca!-5AfCckhI-R}Kqhgu!s
zRD%8e^X~>CtYsov?_20^vmV4|*RnnBXH{RyW+BLY0!h@JD+?|W{f00A*#8teio0;3
z^08toxHS~#Txi7qep<VHQ#%DulIXDF2yb^;V`SiY4G($jGhz3F$*uucz}qo!l2w48
znz99f+Xj$P5Dy3b`N%hHawh)2el%jmxuLYoh`ALyES)at(QnP9mra%^sWmeyPVL~h
z8+-uzyOca6dml4#bJ9i=qy3@Yjw$Mdo7IHl9MDyoV6frHI1I{wp>wYU9$p3!Yg&xK
z1{*R-g_IPu&VgVmS)f2={F2@Q9@PHwG6Knq^i;d=JWCmL+h0fv(pdKJM$kve&htJw
z;_(vPTtM;a{LeZ4itc-q>W^fjQFV4<;q|B&9Ag7-RL)_RCB;i4^relaHu~O%*<W+*
zOL<kg{U^Q5e4UHdUO%pLo7|`^i_G}x-jE*e1zRTDzn<t{{>^jL@z^0M^4_wN14R|G
z8U}XrB<bSd{D+R?pfEC$&ft%YifAix(U)OzSFt*b^}+b5OF+K3e#mfpsKy$_%X`VC
zB^t#TTu0}3o05pHlRF8&T-+iFW(cUU_oZRwcT)xxJSdUHi3q+8ZVBjCQ)tXz5|<a%
zjrNlZ+4_olqv1Q6@ilvVX3Xw|p<)z?TT{|x)No13=Y#hQBVx%W?#IuW1Ji$iJXjF-
zg{YPiV4m4*SF(Ai;U^$<w9Qg<?N^z1H*4}Jm6a5S`g*EC*A^u-V<OsOcT2R{YBS<E
zJR+Bj4PJ0F*KEQm8VLf8b#?J~q@6M=ch8;tOk<{%?>J4rc4giWmIy;A4|Eg#-hKY}
z<)QXi5IyPmB!X4O`4^@mbd>Ve{cB{2K*-Q{5T5rb7oufYf=B-L1`sO`toDNGvUN16
zMST{pCdX<1{+_UPGPOtu*Mho{Cx)}_S56COOVs8HWRws!LjdwHCw~=&kW6{O%X*1*
zW76(}h+_dC+*ywDOQegRz%GX<(o>zj^q%LP2o{k~cwtk47mC{SFC2-yvD#0ygc*s%
zYyxUKgSbzhMzi=oC;6d9b1!%#xrPr=ihcCro<p=m#4xH6dc3|XyXljvkm=!J+nVl_
zKD#qCl#wP|2|^r#ab6E2?N{4o6F>E_*$kf$_1h>PF^D}V^zLB1x)bDQT3OURpq(&E
zC@=e(jVDnv`N%RAyo5IRanH=0u=nHf;h>_BK%!v7;?Y**{pW3jq7CzaliNco^J2j4
z2=!>+y6q1}k`3W&A%HBK=YBtu_x^ddoemjHyCWZ?KTUJ(+Y7_rv$hs+o(@Tl0q^Mc
zRoeM*!Tt(CR>Xwm9m=wm`YeBcwn<pGU)b@C?jt=`>d@6*W5{jc;1cmkn7rE_jWOy<
zC(!tJPf`1_ixhZ<6`?lMajqCaCsZe1^f?-D;P;c~M?$?X=8xng=T(g^HLk8htpKg)
zJJU%9F6NI+9m4{c<hiJ>%%BP6_YzqVo?4mjAVig8pADFu@<@Mm5d^6~OT{5cFsU2O
z3NriAFw*9)tgeP&<_sdNPF4d_iCtQQcQkIyQ|E=9aQ=EtU8iB@^ZDF=uYi)l?!*;a
zR9X+N3=$USwUlrDW<luU?(!TAhkq3n-D%;fT~t;>LJ?m@XVO(2H|2g1UL>X10CGxV
zAf8pGLPuT$d>0azE8crMYm?3}mxG~(M2i^lOZ!*am>Ab$Tn@6}eccmIQQCz4R3UzU
zVhsHoFWRmzr*&9dkg-^MQpFwqCA~k~-+phB&|x(d9Lh!0JL^9qvTuF*7;MGeo?*x^
zU&$Yjd3X1U;g|eZaN39b8?O)2>5GScMbSo+xzJb@Dc$k?b0_pZ{?2Fg>j$qJZ243a
zNV+XImes4e9v+V?a0#a#5U&-nnGFVN@a1~ef6AF`;&2%;s81E;P7P+q6L)Cz8NbXa
zf$!(w3pMkTVK}pn*m!C~tI(gq^977CtQ{fd1JcVvQIwyA?=xsG9CLx=XTBbgJyA-y
z8*cLJ3UHC~BVXPMU^VUGh6$l{naA<y{V0erBwMfWg*c_lo!<2r(>&TJ6i=tay~n`Z
zls}j;3iZ~B%O0-Fgs2GfGzJEFl%Mm^^KWS?y2GC|)7D1?v~1@T8gqxA++QqyMzv0z
z_LJ*{tLnD}RU_M1ZOD^eHl^pr`79kfqNXoWK`9nQQ?Dg%eIWY7zQ>~?{gDOean$@?
z5O1(DEO<rpInfpmRwp#&=9LVZ`&0#X-sL~J@^*&%R8PpL%SEDIN-}P+Fg(`m?>9O{
zr>TeQb7RV+=%XOHOgfhvUx|`mI&pWvQ#gT>bOz2@40j8<xF`05j(Ds9(X=UoAd0}o
zdQA3~7X;>wf}jXhA-UXUhgt6oUYcJKb^24EWub9E{{5t2FWrAT{XtmT|6}VbprZP^
zc(ITYkS+;9x<Q&jT5^zX1nCax0Sp=eX~|J3X_1naZiYrWMi?4~9QxhS|M&m=-h0=z
zX1Tccp0m$ByUxDn?BAofgJx(Tm9=gM`G?aiS^=Qu?N3yq&*Bbl#vZ{o77@N_l&Z*@
zdi$e!`biDv))2KP((hwmec~Bvy3Fw%@amT9r~DwbXrWKwWv3oW`0YJt(YuL#(ZE)?
z8`W-4dNah%_giF3Iz>;>VQYEV@afx=pMDP&0y$Ma71-&P-sZFJv<V<!D;KaWwLkb7
zpQVRslco6dc|k=n$&&_r4S$XCFC5TITS%`1tYYqFk>JBT`h2o@W4EUF4})%9gh`nA
z)hA9`j(=2hTW+;8dHJJxR~o=mOpXQ@;Ve7fUS^ijyG}EPDV~Rv##ntSg5kMcuS?Hr
z#m2%=s*j$&`YsidvR#Q31rFz>hP&TALZwOB^zLP|hfzhv<_+t#zN0xDQqRdt)*IWp
zk+sanlCNm>uJS9cqc#jiq+mB)B^~;u*L8WXM_Xmxi|HYGQ8apvL(y}5m!^Q$#|q+J
zx^&XSb34ty-NH`zb#_yaJ1?_rP#u-~DeWD&KtBsvhYAU+(l#E`qubU)?!k}eUq<wN
z;4!n<27hq@{~ieJ4YJn%WJeJ0(TbAT?`D*Qk5Uzq@iacmmE;4tNp|!%GSy_4v*Yzc
zz}65<$EFu6m+<}uy?#fyN8LN{ntJTjX$Ni&0|px*dGswGMlr8f2CX?C54ba)Yp>QF
zJ>LG{nI<6BoU4F+L7WgANEBbtk=V<u$f<Nk&g|vkIZ)7L6l#!T;J06Nlj=TG5m`iA
zDI>Aphe_$z^_Ai)QY9_PxE$D(W^=L+O~=DAYNbuB?OAS`MBf&_3l?kO!IH!)r0@)>
zFyjS90I+bYYgwH^(rM2c4<pkfT~Z!~Av%m({HO1~9q^_DOm`n}9u2#F$?x;P%!%}D
zb#Wz2C!&puVW;`-liB2Qe+jq;suPh>i`%A{7Kdr?X$7$eEs(KMx9J_jxyv@`aJu_;
zqRhZsRQxOBDLmjgSz++V8=uHQXxoj~V(<#$y@Kb-ID#Cv)F1C*!UcG)vE#9fDt8MJ
z(<hm-3<cn$_oMsDImSYuq!FQ?(T*z7+hw4Ox&22ISHWkUmVY#h0t$S~rktyO+nd#>
zUBk%82<-2wM%t;pCNm9ed#z*skhh2(Z_WSYOs#0b=?qzx-cRGXGA_J(I;nO2vnpNr
zGp{JejS6fsPz&%y7T9-rd%)AdPWr)ha_wn;Z!Oced+axz1mzeuGQ>cK<p<-e1zQ%*
zL#xQIEKMi4cbcP(CD*l9_j*v;8D&^z!yk#bBKLB!l;3~WRpKM@`(l^v`_r8@H{q5!
zZ97$_#I|(+fhQi^OElg*`}K8sWm2E;?kDy#V^?HN9hGNDR!TJZ*l^0Zjqp))iD6oQ
z|BuB1T*^?<vFMAZR&ar)FAu52GO$Qv&6^<$<$ug*rZi0{;wM!2rdxLEX02P__sv>L
z8l$73PNgTaFV5+AqyfWIicFnU%V`L~`oahoAd?&OaHn-*<F|0?KX3oQl#RVzl54Y1
zfrUlWqt}Q1%m}+wvkEzN1EtNY!eUFNL(sqv>d8%n=6&TI?n!I@aAMp*GodB<tFobZ
zD!G%T&UNYAj|i5=-Quy4ll^vV>l?Gq+}!Lr?Da%;8MrAwEe&S8AN>|11U=jXF_>wj
zSd*|gApj~Vn0V9YOmTX;>u=uLgQ6+Jxh0T5xBhyd2eq}L_$GDNv}V2Zp@2$C&}Cj8
z^7JkAGG2iis$~s{H`JOPnMS=E6@0W-Zgq;oDLH<?O7%JJRF)y(NzQkTPtem===Jg>
z&L~R1`2#xzlxUVH!-PvW@ki6FY^{YATuYqD<8$QGkopIQUn8&6Ni}c^{FGeA*S|zb
z@=!yG#^&B(e6&|LeCG>&9abBzT_A7o0x4|d<i4@+@=qY3t4CO4pycdNSQEgNq+IPt
z4R){heAvT9Skolg9$?mqkdzERzY{G43bTQ%hSGUF5f=tw-{5@3WNmY>E8Dv@LPFDJ
zsVHBToU0G!;&EWNxwm>+fVksV$O{t3fZ|xMlh6{N?Nof?<1nD|3B&65k1{)->lpG^
zlvHNsfs?0SZib{!*&6t+Wi|ACJnpnPC*ClMM>`sL#rut9D(KHl;!Xr`-sS+(T3j$J
zpAu*@do+vBd#et^;|os0tJK=`*QvOMm523GCRZ~xF_V6PwFQnTO(zNF74J*Pw;w*X
zTC}4K!I=uhNs;;Z<Km8w*0M&N(`!6rInKCrjCf$ohr%Dcr{+vw^`NG{;{(z;Rniby
zzQNLWz!nid{jVo4Rqg%tVb?j4%3O<X=BnR@cN9z-kv*0clsyCELc7Lg0d0WS<-nz>
zTO}o$$}psc@*8+Q{H!VNzcds5dmy75_{*h1J~J`5Wc6x7hsJg8q60#L8*r@%{oWs6
zXeuPswLF5svWKSWhf<tm8HMk|NqO-IU>m+!e7024Fo26>v;>$w9PhxLIU20HzLEAT
z>F*f|{JM3hq3jKx>0MT8No_(RK84@uK6$%@vs)twV(FW1q6D~T5C$MV*pC+;m$Kjr
z2c7h=Ky!cvoDI+THdoE;GH^n?a;;UR>7Kv~NNax&ib-mu5w2rC@)DNxI&}uXdmW>O
zMu5M10E4<8nbVOnKh!?<rrVgLp;6=Hek6Xs+0)HJx$HCoLwZ>Y#{*?iB1ak;1J`FH
zx7!kGST4I2MsKn|l*tw;{0MN9wNe9*sO(v#*>IaW%FKxAT4zC9hQGF++ViM0zxT&p
zwfwGy%>JX^Uqj(P;I3Y%xnp4G)OaN$#k@E1AKU#niI7~y-#LSIyLN+~ey|hq$sDqZ
z4DWrb8EBi2^>8PfW~id+;%GmRZ8~Xz9Z;j#uUzLllk|Y^h4^M=IseT`SPfK=XY8Y0
z(HVoD3&j0SPxLC&Y9Q~cGW+ZTljVninrsA%`HcfUL##g<R^>2REetXc=|{~%H@r^w
zS4sh+oIPj;dGJHk4tA+yKH;==<KQi|uEf_R#pbidXjrN>q_;cnN5mqPGLQd}Vw2CH
z@cXPIdE;NOVT;I9wLJQ3Jw;S&<->$0oFVpcy#aEo^FuJ1WRt~;SBcsmNvMS-C-rF0
z`4|FN-?(pkO64NctfW$@;0L}ufnY<&9;*eN7odE?ZzXHydKYCl-){db<m>;M)35r8
znl!s~5H-d#V$>q!a>F(y{927sjk(DBjk<j&3!|cJ_sRW#xOtDT278h?T%{C|m$g}Y
zY;Ft_r_(2BpF%;Zff5lGA;=y@(N`MH0s+d~Z8CaCPmNWXNwx*MKToO0|7;3fyQ>b;
zOHy+uNOHalCk_&9FH|o6WCX8xV^9~;_4dX*4qQu}f#DOWY@L1gI5iXxTbj>>=p_zQ
z>8P|r=$0jfjHld3CLjuJ`tfbx9(~DN+tFY$d;ySR&Gv`K4inwo-S;mJ-hqMYOY@(t
z5L_1%jRY>A*x$v^mioBfLPsB%R8aT32NLDKUfWHJis<xY$<-nwzN8LMK6$ilV}GCe
zM_`%HwxY+!0rQA<k=JB54-lrqv!f}jMVc!7!Cp6;Ln8T^J}-66qDU~JM$?@6X2ruj
zdv3_%u@wdE;DQSUKn$wNt3Lt<{FsV)xq6he8O2sAqU=cEI)`5!u3`~XHqTsGQKs99
z%^PhtSpgx1p1RR>e(;1b*-A#8AO=M(^@`r0A`UB!LZff&>ml0Tx$JY+??mHdk9614
zFa9_o|7RLh!;KW;joyJD)jskY??hBgqkf%he8@)GQkk$;0&xtcWF;{M`vkov;T;Z=
zn4tvURExwbIVHEp=^E|i%WfTJJW{KchB=2c+;D*(Jmyj6hO|sSOOOUFoO7)&0)uC6
z0lT0hwDA)TautFTdT-<-dQOwqqg)0qp0;{9gc&y?3+U}y-;CP7R-<}!9Hk%_)bb4|
zGP075GyqnNP>qEEV1|liXHb?CtC6G})8Df=^hzz4o<m}scE?dn10~U5hrG3nJCm5t
zn_divQ9}iKQSBAOx20d*4P&c<zg?c_7H4u{FR%LmN#lQN>-s~~>g^4QCpTZc&xe%T
zj>2yfjm0daQl0vbliTv8zEL9kU{>@{YsYB8w^MvRfLW#RLD!e=(zq{G?2bYcn1Kh`
zoaJwj5l<I#MwnYY=M}pna&A2#`O?|)N#QBR91fhAKIhR#s=K^2#6#L$OcYQZ$znuM
z$Iox_wGkARBv%pv^D8oL`2M5P+IQ3>y3?Kk%CGQF5jVwH%GOWtqJP+bokOaf_EGYV
z1EdvJ@IVooa^KkClyF&N?;%ET9xvYeV(IYw9r36?hMh{NJ!EKnX0o^fdAju&bc0xu
zwvA-y^}FO&^g>Q@C_YV|V4MAL2v28Bmsi^D;gU$!e0e5GqCwsVIl4W&pKK4W-!QPZ
zh%EDLSdB=EML^|LoFVKV$;$C!r}Xm|--dse{jE{56+XcnuWDLRInOu{iRJEJpaqrF
znOb0@;t)QoHi^YZ20bfC=V|tmCQikR`&G}T?$@;li)n;+{s}MhUI3op!9Gx^B0D?V
z=^d=RynHXJ-fP<eT~&o=oNJXu$;Am`C?IE6he}I=_d~kUj%pT~cfy1~Hu1=a{LeNg
z?+?gSG!w)hy?zAS6m?s|Ucp7Eq9VX%#j(K?>^*ExHTZ}=xes3S`i*(lzrW6Lzw!F)
zR9WU`E-+W&NY(9Nbq6A@b5;eMn-vl6CBWIFXDx<rFIz(`X%*oWO<_kDvAlbjj(p5!
zt%`Uq5AD$&mNM2x{i;lC2i}u*?~V2O1j_QBAv2gWc{K?WK#y`^{j&;l=%sgVM*22K
z!)(ft1*c9#4y+Psy*irafmG+9&Coj1H{Xm=uBwup8hFr9Q7<c5ZQ{FC4(2>QUk0PW
zTO8Xe9~b}l1^j{K`=uCw*&=@3DTps4G0gXHL+o7*z*!r}hRNM@Rwi>Yk-H(<H6bd+
zm)J+!ooLrU^A6mkTV`tFCAnL_+jLQr<+F@!4^gLpUNEks6+>Zt3%9K4@+!>P=yHf4
z=t%t4=^K|>OSp$$H26OArznb4nWpzCm@*Eaycc^v7;viZwRcSWw7YP_(jrFjsB^Vh
zC|@SwC_JIw$G;;hsCd&ts^h|yD!}15fp?_AJz|kP1%u~E?O}uVj&;@mGo(FkxFyGb
zpjbrD)YIdmTi%HqtKqRmmvm=7|JgT*17nXe?hLGq7pGNXY$it<7tjT7ef^eNwYW{T
zBobxK;9^^$SA6w*Z&Dg+{Kg6pKy<0d|4VlyZJdJa=`DQ=4}H|TwkGoi3K$j3CzY+H
z*3w7n14i>m(FMgnvE)Re?5xiBteO&2l|%bCBGk}PdkD^(Uf??=@&4!Rh1j?@;ymNj
z<!rl`NkH7CPJidUMhCs@@EJ|s^W?Ak>U^s4xWlC_grsV>Z$x~sZ=t<4v6^`_e#j_3
zVoYnO6!_ug&K*4ggl4A=%c2%w-98yew0i#FfD;F6XR9Z_gVA{C8#TGtW=%^!QIaip
z?zZ#Q)#L@Gu2N6SHn0WIzWns)S|5RHZ8>j$7RRU6)NYuiv0#NZZf#wt*?MoDBk|pa
zgTdMToVZy1k1lD())0PJ!c>+JsD!eRSX}~+d(iAV<tgPifStdW9SyS+2EFaV7G=d3
zW=apqz>dAA=MdweoPdkjaHW>ds|OBF;7HZKIei<OoU4wTGa2iK5XXrbW%8@Yl;%~-
zH$epZ1lqm)I6q$cymxEW=UV%@v>;imt3E`pm);XjLpUFS*Bo|qX%qF1j9+c(lvF{b
z<4d}Q+YjlNUSU|v$$cKf1)<Jgr9|m7#APBxo0|gk0et{ST@U__dn}s~4O<riZFUed
z6F^<*z<nKxqiZtjwU<AIkFz|n+lzhJxwYQ$7Y{Wy)oQY08~l7YXYFxYx0*BMY1hw`
z7p5oJNSC{XEGs+1s)|05ul2a;9ait$3}D40k{6mJs9lPpY|FU$s_u-a56B{X1UjBr
zvV+)TBJ$MIf#Y}{lPL0qJ;vy_$qT^pb!`oQYtYE0@hE(yFQvXS-)i9Yb7mdR1@ABR
zaF1TsQuUkD1c8SVk1=J(;Jq8-8xU5sFaaxdE6+i<Ibg{nU^*N^^*NDEP@!HycC25M
zg+LVjz&E7m98g<haxha|$x|FyHpj)qt-gc#g3Oa2bDb^lHq#?y@eqR&=aEgR;qw>O
zqlszbZ+rJuZvT1N&Y&$`a|>^~k9+K+uR9PhvRup(s;z4da0&rn@<989-V{_&z(zhC
z=kj8ykc_3D;}QS?Msh+>`B`IT(Cg(e+QDa=d>Br=ay>6Mq^(XLy+QkgDO6>#xd#mu
zW;@^9DA0C%vYpXb5{+ee8c@H&5N)#<cD`l;<t(NIKuX?yv*7%?s$x5G*O?M)X0D+9
z#5*a*f$%pS3k9Zaq6jn3^$}`BRufZY5M)rk5@z<b|3wd#;9op4nA;GANyUXZ9qycD
zN^UtlBOqFnjr7uqP!xM|J~Qtbn%W^dh~^faTi7Rbp2yi5LVFZ+ytC3NO@Y&9D^wm}
z=ivvB%fckqn2^qSt)%d@pk*WupY-d+uXDx2fa@s$Xzll2%Rl&NHUO&K!bvUgp~Q`b
zr;S%G_%FyTp&F#G8Qpz1XNZ@H&0p|Qj@*!|!IQ)hk(j>$pLD@<6Ls?Kz8ku~OY)<C
z2tnz%&@Q)r&&yC48vP8tr40C?hg6e-%*ymks>3Nlm-yAR<Qo15i>sm}8s=+SHd#cD
zKHcySoxlMMZlg(0=-%no-^f%0A+Ugj&2K9iFmh-v$#1}$KLBWsI~|CCfSg3<nwi|)
zbIr)VV7)3z_Izo&j3;*sX2SP=g8}^W3I_xPh1EIcCJI1SGp^eZv2^J3M1M#Ydbv@}
zZKS+T48V)I|K8d6&r95popU<>ljIRz!aL8ugL`rU2wOD2kT-D2N|W%MySgOg_<wU6
z1JzVgyZ(seAY|EVnIugl7P-i<tS}CYQOK@#y35!3nf3Qx`QJZF72f1fmxEGHm4&}J
z=?_6pc@`BGPFK%`f&XSqb1Q%jbJ>KN4TBNBiTW>iS%n!I)QKyZPX3vong9T<B|?Mq
z7e9g5{2H@(=8Fp5k=U26yiKBM^J?mJd5GA2J($fTj~&^o=45LwHRH5;!2mnVQ6@i{
z8_#X3(R=aNY-<}gsyB5Rf&)+&wJ69@n6$H|gVL~k&>PhpUsbL3;oGk=r-%TAk&oF{
zL}*Z-nFd@2fQWFuI#e)TbiOxB3QUaHl67EJ|LXRSK}Ym{;-TUF@2HD_@oh(;gJ^Jf
z@6xYh6p$!?)1ND<Ho6ga=ie4DcRLUkr@s+&-X3}&u?-&hZ72;fs!QGYDqw`(@cpv#
z`W|%doIRNE1qq0OF(JX965EeOt+b0A!^>I)IMM?t_dfZk7VL%*CUCU#4O`|eX*ue(
zNZog=H)c<DNNCvCG%Ca2s=tZSFDA(dnK&zFJ&w;<{`@^0YrI36Wv&u?VDav>P=v<j
zkdOY|NoD_XBpbM^L5X{|1xmO3V9k~b8(L*pVq6evuFsz2?na~dj0qys=UF<%M&H7p
zl-0~_f$<^r9{N;(nBg&i;pOh$Ab}Kz<XuY>VnLsmu{>Y+7rbyE2YTe!Xk4K1jHIi4
z4?AlU+h_jYo8R!D(F)ndrI^whoMawK@jjg_l|zw(+wS)(qYvMC8T=O{k{=hUrKJU5
ziGYC2SV^vCk-n`2m{Ueo&at|;ofsvvP5uIO>_;EJ<j^aWCIk*FN5Mt#WS5Aq64GaP
zroHWdtv0rB)J%(moMzo!ZF2-6k_L4(YvPjcX?x&}<YZP=^G#Rf<YoRbnPzLa-dmv4
z!>PWjzRBrDESuA%T`3=aL!a5If|+|Rf1n$A+pB<Mzr1(}Og*Gg9T3p2Zp{!;QT?$s
z06>rF0-znHrtWS(0M!#@+FhL))zzR5PaW#6w(AMVt*WM`=+^D4rfWi)_6BCW4;Ef-
zR%bi823NRwe&M}d;xVN%jXWAXnC`guFV18iGh|}($UT=z{uxbIEr5z6CKe3tp6_j*
z+Yvp!7(aXoA6(1!0)W2=plZ#}+2`J$xLDU7r4#fI4CHRot&7&M;s&Bnk4&~NeLS~A
zp<9_ojym!rp}tE~<k1n>3fT-)4Ghu|ukRvn63H?>eNV4Us(G8_ZT#~mx23s1e<Z|`
zYk!DEMri2l9w*KvbMMY;60XJ?)(}%iyCmH)9s^5(RK9_wO3CVdD1-pfZ{UC2zcrVz
z1u=0b-Tk3vbnNk5R+dpV9`!D+9Bw_e$kkE(_`87;R0fNI33Nor5=;pEFPL!O7W+PQ
ze0<yzqPdam2*ckxh`5=AB6*0M_3F|>iY6^Do4E?D!LEx?G-vzbtGUy~C{<d4%t31E
zYe(sXGyDB9aq*KV_)qdMu;0fS`uV4jPW9%i7k(#{Q+}5RlO<3Qpc5jfUpVpa?qslh
zE8Dk_2HM7<I}LSREV<5AUHOFAt9eF#?ouj{YAs}HlP_H+Ia#K|LxqlD7grSZBta%X
zY6Mua9UEv0-HL?a&2}5p!25Tcdr)JvP?^enu^Kirpcv7_Gt2Rjd%grGAQ5^T3Xnzb
zYuPStlR}ozjRNWsuamXMoMcE*r_Pate0LsU!J+M`hWOmR3I7qd^Fh49D#uey^=DqC
z7rjY9;Go*FRomC*#?Qo#TqRE&p*C5~;<~bs_d{@BURTKudX|4qdp1nHz2(ufr&@R)
z!(nnarx808FWrZivA*fb+j?L&B|qngPGoT0ov##D=i=p7mu-;Wkj<=S@YG*k-ZL?-
z2WRMX(xIl_TmS(HT<(HieV=`Txb3LAFk0jtPrbL)#dheyDITU-^ypFZw^y7Z+fR7S
zN(>vvqv?_bMd5qMx;h5{ZNrCX^VYNe;D`g!_nDx!kd?IL<SYcI>ypLz+N4cr3U-j)
zZhCF2OOxbea(8{N2_0p>?de9Y9<x!_quruH`=`$a&XxqVD(d5+ENaU8?pCC@MSl+x
zVav3nlX^kUk+H6LpqFU&h3Q?1ruVL7E5**{*~NT-fidox&5tntiaE_6b9B`9+565w
z$h?cZz74S&wbZ$bM^$ED1I*N6e{mRk{?U{69_0wnb;iX}?nX5jZs-EAFzp@=`7FyC
zZ0R*S*Wx~&>taJq4^F4gmuj{WBQ)&|A%RuaMm~#i*(`GuoXpWo>7j9K9KyA6-8sDd
z4c0#y3OR9DSvj*MC3p|ciPc=NB7b_oxyVO<^E=Tls${r`ChEJV@S<E$ntxtrF^5{)
zAYaIwA6|roZt1*5l*=uzsFke29ysF_503S@l6cg)1>SrE8IOrW#U2^ieTta7OH?6z
zii7HmQ$-NRRU84e^KPoTE^fnkWyY{{Z%Y+z+%{Xk2P4b0;mCVkvE7jUR7;mUL?1^3
zFG=9fZuxikIm8Yxoz}jT3$zNjV-L+EBfwXkN3v+mTh=0Q`$r!bVkZF5pS-+KNl;k?
z*y}tIMe@1PaWA5f!GQ3QEGF%4%QSRHxL1O#HuTqH&{zO(4Dk{P8&m`0R~>6COtk-0
zlc{aQ@G0*R6EP3}-qQ}*^m3L*#~gz8mizKDiF9O4T4M}TKIUOh#XFxceGs;~I3AZg
zk?Ojg{_~V*J<7Q98Q)`t#};FPdi6xa=Vz|=QK`+(ld3RY@ZLDx8Izxo+5g<rVEfzy
zkt<j2GxQ!iM>HPGAv2+0xuz5)xKR6im`XPtZ%_l0rpQD&rcH-<6clGE$M0qr@eGot
z+@2Lb_uXRLdLoQ$A2i3LJ}Dv;1R%IWEFbPH<zy%j&5=SI$hb`p_Of|CQu8fO$V`9H
zQ%t$DbY=c{HQ?JwX=}36-PY8r3?n%Tffc!D*WzAQ@eDXj&W5;?k4T_dvmNaMcw`y=
z@%`HABIeVpT7Z~krT%T(oU|Yl6BA@4$@HMOtOuG}TE1PFP$H-dQ@pzOk=>Les3y?=
zy@Gw1;mt3vTalU+vPipHw=r8!|CysXbE<+<O69y?e4{38PvteJ+*IOHs(1^lL)+T8
zd>?#1p>Un`hp1;97RXz`XK_k}*i9$vL6#}|<=s;a9-YN7RULi`;acKc@{aeWlvc%|
znJ?%hk)p19M$VS3pzWM5AmR8b`RvYzfYx^K`)v}C9F-Jb+_Rf|$RXi*MkFq;y-hZ3
z%lE|s4AI1%GQ<dSd~ByRxgFllbmu+W^UauGqLw_n##DEKdW-lQ`u6T)tv*{hiFfcj
zY_uOwk`0vPseG84K*fVj|NjQ`7}XEs+4)(X%?}De!M<PaG;wi&><;&r@KnqpFD_`n
z5WmmeGZ;kDE2#_#s^P+ALEo^Qs5@+ply{%NULOT`Rn9O_3-5!Rk*U>oVB+j$((^MP
z-}k>R3~;A{b)6?S?O#kwZDqn#w9QFEjqV-r$P<>#R65?5ODB`wyn5v&e@8}IE{7pn
zgwQI=_L(N(<wwW+mQ`#xcjP;6xb1S3;e~mGZ8o9`@Fe!J{Aw2vE2wo|iHws5O4D*$
zk2Z^TFAaR2NHBS`Da0O>o31tLMC|Q9&~AfImi**_&~Tn)l=e^4iH?`kB~C>Lf$-YM
zE_%s|Wv7E%w>v-r=e;akC1-VejPvVzzXZuAv|hN(rWHrRex{!JT_rSehg@}@Dgv=+
zIC%cgK~exsKIRFe5U!OV>D`eJN=0J3a^}|+qh2PjcgHTi{)Uq9-?1NHk1a2bQ<b@V
zGt8g{%2Fxiko=@+4iDX^bl?FU91euIM6K6JlzQ8mLM=IVRaNT^G&Dy|(v?W-Z;h}O
z%*#D1TIb_b8!x2j$e)%yA%&{+6{!oT*RUzpM4(;{IT(Mr{etK4$>`HKob*^|b62I2
z4Zl=+dRZi_GCj|oxgN5A*ip0F#Of#%O<sj67L{?192b2@?n%Gdk)O0ZFayfC`-Yqo
zIQ=du;PU5?BgUSsA{*%L+t=;+XA&o3p!zxPW#Z?v9r>3T2X>52`?edWPmye8>pDh8
zGmPZ+G}ei#yHb{<`P84EX&DxH7lEqbs*g65Bfu#Su`5JEwdhJVUP#1g!&OX5nPvvf
zzOND*N*ei1+gq0rz2dq#6A9)qzBpx>%lkUPygVA>#0rYi7CAl_+t$_64tQ&7Y#0G1
zpZYwVtNWz<OoTuOVpz5@8U1@X^XKpu01Mw$3O`u5UQy2<-8}&x`bkCr+YxTQ^B>!u
zKFi|<rTQ9F@B&a(@mhri)=7`F@XXYf)iec!UMcJ9WGlB3urq=rqXY*61W$Hgeqp*t
zeEEaMRC#k(XP3f9Z|%JbN{fq~*EY4=`t(ZkOUAyg(M{_@)YY0@b+qmzb{HB%k_*4a
z<p2`p;cW6ncX_l;@u*}rf8=eL^L|TPzW7$Aq^%Yp>xg(ALO_aLUk<f&w9w^fd}7sf
zCA}YF*p5?&g|DkUBwdhzzx*8gGnOV-xa_4gNlW1u(k&>dv^3GTM+q)xz4t*+*T~af
z?HOk=h}JF)G_nZ4-g6zagQCWKH`d=q*i`-oa{iYk*E~pr0&QzV)0LCw%=ox`2g{SN
zb%V+C*yV%mdf5H@g&nHxIdRd{Ah&0XLevAOm*d$Aq6+O?rd7QOJhJ>#w$8hf6fL$k
zVgmJR`GtO!nqr=QWB0QM%T1fS0v7f=5XnyG>G>AFW~+V`zf%;l@9P2A89T!~Kik)*
z{bEQZW#6Tk=Kopc-`z)WFRO<X%4dJLQgotJYZKOP6Bs%$=O1hGYl9lzJ6=xKp1+kh
z9ys!{CSY01$uq!p?zCLF)=(c+dP^B09v{*KzZe3RipvR7e~v$6_*8mD!88kUbZZI^
zE*L@Mhh9n$+QnP9)+pv2ys9}tQjlVmZ}wHz3^t)LCK^L;8Mtb4DCT^0(}T4bk-k9?
z&HDr*l}XwOn)mWw_GAudJY^OaG7#(=MuveOG)VZV+-Iy^3(V)EJKT%A&+&stAZnmQ
zXF2!fRm_K`E9u61)e_ovrl-PeI!?Kq1u80!=lO4&I|shg{PYn4>fIByrBPM=Q0exo
z<#F0baA`pCguPfUC(;f=di8PT;^ordMr1hHtm$~HMJIFpsf=~#sPH%LBrF&y)GMP&
zMd#&ax4zrwk`m{~<>U7sQ%+o#b%(0m^4ltMWg-vgI{gGJZ`)ad{?*e5ww@fw0^J%<
zqyZ<HohR;)ukOi~tpP-NLw`gcUp{&|I{nB8_36DO%uMyMy(e`Rn`#nSr$~PVqKqZJ
zhaYC5|Dr}%YjnQLakc@L)w3~{H<T?{(vlVhCT66qx;V~MjL7zE$rTOUkALf?OUs{z
zRc*D}#hM%V*fDi|!GFvkGUF~Z5AiVUTSQ>-+bv3pWBl6X(FbOXJ?c%|Uh?hvPL+&O
zfmiNK48m;@rxVPwyH86|hbB~dC4y(B_6aCKcJ*lCqpOGjnEZlU;2N-yMfO1d93aP#
zFs$#esWr}mUhA@wFiCC-fO4PQhhjXi);XC-?#Q>tVSzT_f3i)daE2`_ruW@@%%zEZ
zvJ!AC7J<-W`T3||eOuTcF-W9H61o(auD!0g!V^r0jX4q=Odm|b5Uzw3LHM32lOZHL
zDf;u9=WLP7)k3;B(-G4VA!Me>^5sOcC0mdbJ<L-~^33tZHAXNzHFIVv^L1O>c>rk~
z^V~{_G`|{<<CZgc+e3wkyVj7cnl+eZNk*FG0Xj-su0X&(24{GKAwO&A0>r9N^K-lR
z1ti1*PJvSNBtrMzl$>4U#0^x{j?LX!DfaqwCEWi>xuQ;?$XkMyhE0*;ou{ooWjkWO
zSK;jIh6fu<etRK*noyY?(%0SHj}f`Pn0Ha5Ajm?CZTZ1G`)85xdaoo=zndr0E>t1U
zQS7p&u3D5|NGltqJvC1cI${m!%sq4GF*2<maa^NB$p3a>WdCZD7!%0*1c%*KB^LZD
z6uIW+Kg2|Nh^VMmCtt#Q>Rg~?Ia5?7EScwZI(x)Zz~h&cpZHqqR^JI-pq^CPy##+*
zYgxVh3#*iE?a!OVJ0oAfi2T9%!wI7d=ys-Zv4@*oRj-X{Wl-FFpKC>nmU3&vp2<7#
zueUX&_vxh6Rw=y<3{_U9d3KM|okQdTI?omt^nGx?eX_|Qe*on7KnDMM+Ku-pP7?fF
zagGRZ6qpE#5p91kg(HVNeeM=IZtzoF9yCL071aTci47`wPpa-YF;V54PFSRDma}o@
z_lx$)TOgnHe4rl<T#UYuQ<cjV+U%l8Uk1=PJfWTCiEQEALy%Fp_XEjKhFh7R2lJE$
zbX10NbP7!;)kLJEg6@4c{07hJRkQy({%Md41LLc;!oSuw9q<BuE0=FSi}~v+&#fMu
z8gqxCZrfskvznYp<0_iUb9FN-Ja7qgt&XnfB*krZ19j8GKV#tA2&)Qd+F~6N=#x7`
z?%-OK??57&W-@sRk|KI!o~8CMahUj8aMbNsxaVIk_KCfAy^Ak3I16oFUL9;{;@j!I
zIBtyYGv1xCnK^c=aj2H&3*5fkz1Tle+zJ38HYgF(ZU4<$P%{I`*BZwOD}!lNFk||q
z!CA24Y<udbNf*#*MQeW@3x>6|EE;z_Mrg6f89*KF&Lmhm*zH7QO5ufi2YPalv?SbT
znSSwCi<}T3C;A;O&}t(GQ&R5fWT6@ExiI8-!@{Uu*+uo=_I`CDn)T);Jhx-Od#y%4
zRGj~0Z3sbK-;q<rLh{eFbsk5=MuSD_PCNXEu@tz}%M~gA`#J=5(Eyr7rfL#_7|0L$
zsMoO+*ayqPDE@w8>%7Up>7h5Rsb{(-d!Huiwm<Zh2^h#51Fj<&<`x2=z^4qHF+e)=
zS#g$#XHT%dPZDGNNs@XPqtly@i_{E~*&ZzsfAipP1~u1>C(wJislzM%EN?uw7W$K{
zR0PoAFPrRy;>5|LI&w-Kydg4KMNslGkiE+LPa^4Lk~eq-sQ)AmX@H_6o_*Gmnd(J_
zXFwsHK|0J@QAvOA<NddTw^PFpeAs<&{@d<UFsx}eecT*gQM#$5%q9d10e4SDP0iSH
z9rUFyY|W{}5bIHdnseOu6zRYqOj#|J<F&X)|1|q{4(D67_oS9t_uk{NrZln`H|6C2
zG?{;Lg&$K+NPIK;tULCwa_j|QMGlV(h=*5pE)gfR4MWgH>hN7d2z=R}e4z=2-zhvC
zq=@meU*Y%Udtrhh3Of?mP^TGS!gOi?UHK<(Zm?9bd+uD<Eh?-g;B#<ZHeS0M@>i0$
zc(2y5gn3RPcdUAQ5vE7rag_O2o}SFR3*i`;=mGK_-`><C*gR|$M^DW^^Ro<8I_oJe
zECe#xL6^t8EG&QB+c))`@r=qiP(nct&SL8Zf7jPT|Ge5W&_!*X2aXH~FL{X2<R$){
z_y(vkEvsLDh@ctv;H8RQuKB*G^;ZtOuMY0Pp9)|=4MzMmgvGrnHF8fAXfO;FvG9Mj
zW?1qNl9wpN0)j!Mc+iSZkN&}ec4VS524V{fsbag{=Gi@j{DFS|lhNnofE))%t*_Dn
zQt9FK*Y^S726sxIb6vPcR{CD5=9w_0>F@`@>3`Vq#?+H~3BZp{*b}9SZusjH0Vg-4
zRJUmTa2J=HTkeoXP>mQ{`>#<&i6c+F_*K|y|N6wjiE2kUdL??$Mk}Q6t+xYw!}yDN
zSC<hmHPkzCQ08CF^x;4^kLuF73kxIHL@DsYJWX)_O7|NqdDI%K*ZB@k{SWK(<_4`5
z<HUuR4w{LfJd)@$>HmC#NJI<9atsU$dSCLc+Nj8HaN|FpLXv%!588^HyWr)2O9K%Y
z;x#I-Y$rm4znou83@Di7J~r_EMC4I<tryD&G*-K7r((vQXgZzzj$>NhyFK5NtAp)Z
z^^m=vfK|X)Ol)7B-YNTOftKhe(u~doZ3raNP1r<kN5Xg9sU4PaKuG|t2}Jpx_m|H5
zZO8&=(_NJ<Je*GS9Qhal2l4Ua{hF|)gSmR|1m`AfC^A7)48C-*xKpt$Q17;zO27xy
zEn|xqsG2h??|27<E3e)t%+iJeI*b;$SwS_*rGwr9mKhtb-4<Lr3*f#MQMyBYvqcmo
z+Ueej{w|4!=I|yNTP`5+aHP*k4D4a)X+z*S3-kr>cp3M^#LgV=Z}JU(lkZ-e@$#Uq
zG^}lDCjypYb4s_oIJmTvQ17!H2NnRR(IXLesL`GO?qQ3zR3w7S#{v*qIy!GO8zpE7
z(()pRp*B(w)4D5>tW*_%B#fq(4qgV`-^|n)3ZFp`L*vB3tu`~&o+d74K;0~Y06#r6
z$a_H(9b5Yq|1$7OFO}OlCFs0qH!mu~V^r{MI8;Z66ewu6O&7$M4s@&T$=kL6pC|pP
zL3%~wIqCU{)71~~!rC%C*p?3VTj2f#rjWxrCcO@z!3(MKe2|~0remqT>F>e1F*>{K
zqV>srFkKw9SvNnA^gTAIJ!Q&TF8%&}-0U6@|3XUjHG$U*^~-C2^ZuK{Y*rYoCc!{Q
z$7v?{Wfx+{asH}j&v_`OJ>Y0!w0rsrf|iMdAS#+DHZQH>d~j)@zR`cWgPHxYE~`2<
z9U(Bn*wafLV0JMewfg$y73lUc7)y)yrcN$%(u1&|Y`IP-&c2pRS*Rm0O*|wsy#SCj
z2Jf=+@A*vUb{_;pJbRcmFbWr>f(Kn1IqDMLq3NWK4(J8=15)8E(C;fRY(j>M^DZya
z9q(9IMRVZY`s!LNO65Bod?Df%m^MP9{3%N2Q+n{l2LPcnk!(RrxejKV;~#0w)G=c#
zQTLkmQQ?b3P20eC;KLsR&l|=v2KvMoPJt1&p@Ery#lVn0)7xHJP?YfkWre>-(C+bz
zQ=p>aqLjOPzZ#!p2i_yJh+w%vrI7~X6@ksooFKSI1AH`I9~dlf(I+ie*rgR_g%Iiz
zLmN%Oe=6VrDBr?J(NtP%10kwtG5Kc=+#rJAxbwgpPh>g(xq;iC9T(0>z|_!o5q;T_
zLJv+G3T+xqU34I!gr?-syMfMsZqa`#axU@%K8b%r(cp)bqL;4dE1m<Co>#D$A}%go
zerOETDEWhgj=lx-erh3s&F~x9{r4Xv0CH$neL*z%dg7qJJ9V0AN<|ryLJ`$9fB!kE
z<8z^nL2{B+E%4Q9XI2!AiH^SB>mo&=u&(i!p5xmUHbG8KPHbrJ16;3umDXjd;`=ww
ze?vje4q+wZ?TFV<>fiS;p5~$))0lTq?>c}+GZ8RoI@*GwFU<@T#D9F-R&aWLUiUxD
z=uv~{9&rZqQs9Xpd;S`h9z;E_?*UZ)8D|s>mGav~08KnCLP>~;6>b<5i>K(#k;%sa
zi0s6_8%N)Q9Bqt$Pb-atp@IoPZ<i02tIq3%Pfnbrnof^+%mNQMfG2k&BiL5+K4e*h
z5}{Q$`1@EC5CQ=_NBBM?=^=+A06gGE<WqIPtop=W&>U#1>d2t|KVgb3vR0q7(4I_&
zweOn%RrJUll5(L`3$TiNuPv(oX^bQab_xNN=3NE`@ls@Dpd_BIdDnjR-#ycl5}yLP
zqmx(F=d(e>g=5GV8+IUuho9-dWU#V_zi5$kND)KtVwW5=cp`eHabvD){T!}G=HH^y
zn!iIP{Qx0+^_Y*Nqn*S<OBH;bR%kK(yH6q<w@8>UF|>Tgm<(!VaD09lTv``hwl_x|
zU1l7#b_l591rMK6W4(ibH8&b5p8gYI%@SHJbtL-^8dxJ&VqlzonrxsKC5^haU6C{S
zEod%Xp1P{)I6(2be*M-8CX!{LT3}wSjn!natPH#`-%4j83P_+19Oe*4z)S2cSyUSu
zkust+2>mRi3t{Q^0dZ>IWz)O>wg7BTwBk*)J!WfP{m_g?U4IoUGs{d4<>^e|?Cbre
zYTbo6<v5w(R&>t;ngD&S+KjirAx6&-FhFYmaVMRDeF-xY&vZGY?@@b7tD9R<655s0
z1?Z@%8nHB!ll}8-x&ct|O1w1BB??B^I>iHmr+Y~KHrI1WBw8N`0T=mRBYdWR*`r)v
z`^bG+AUP{@$(7<d5*Gw>NBSbCFX5A3n}fs%3cxZDN2G3w1a)vS|7TbpT?ikEZLj(s
zRmjf#Yz+k<B#VhD?d|`4q5@UCVbHu_Mg~QSo{NJ3*#iaIq#V<Vv;)LKpY|JfopM<7
z{bwFtci4;y>PX@;6f=VWZ7M{mnztZA=KS%|j+BK+V6x{PA6ojJ$S^nyuz*-b+c^6a
zvY+L%M(RVdkPo0pod@U3`zF7AJDOO_+yAmm{|_6Aikx?)X3f+f%$g7}^vvdywfttk
z@S&|u1u6rE(2<PtM0`VC9M|vG&+Tk3AN;@tWabIlx_v~ct`*J{W?30jvx91CYF=#G
z{nj?Lg?P0r@Cj`X>jG;lDg<co#icG#qZ1R!e?L$g0V9ViVVR2}PiJ<6+LuRTz*pA0
zS322P%NQ|c33HiF9Wu`d0|>cDS~|m?K0=XPNtY8jR$+^XZ@mbwa#`HIWN_MX-o5d1
zkj6eck8rsijG_s?UHv`%VViI>x)|<1(WLXT2S^H^VT&0Al?br@O~F5RxFIocA2DPt
zE>uxbk@>IS83?Ss>K|D56&7kLCzNjD<KzE7VQpTUMbMa&azP<Gy0QQCwew}>^y0f+
zS^x@<0fGw+1O0D6XIdr&MyQSEBr@}LUS$3q2!4-%(J9Uy2P{;V{2l%S&Z9rs)5P0E
zxQB=MuV^x2$)o8fU}As`7Jx$h6aPMJLs(Z(TKDDIc`43yQpjTcZ_F<tDw>KP6@cn5
zt1JEA6^LjIoYyFn(Bj?SFIb{xoom{@7H^8>3a+2eKlrP6w<Qmt?p&DsOts16r3BJ<
z?G{=l(1x54q=F4iAF%$g%?w05&~}RSyx*0j|DlkG1@Kf;A+SWvnd+F|nb$ur0iiQo
z1i!)xi=k6w{k-XadCCDPo!ngi`sFtvb=<-95ceip2}nkx&(Tg>7g(xKN;D~G)8r-w
zcUGU?u5qK=?pewCDS-)!n<t`ycYhz<_m3EYbdjZlSZ~N6c^5<Q<pW@yRtHZw*vPDP
z4ir6@w7Y%ObOVF@M=nQA*<9uM3c>!v9u;{sapEAy<zU!CFbp>8tE0pA$Q!axaHM{R
z1OpXxwLR(lzM>CT;lIzBJ@6FA>mzKv`eL+nu;siU2{}Za9;CRKHTz!c{Zd@HyV|9k
zwa>Db)F^K4^e_f4VyryVfO)6<;dfHUmX3}V5*0BoN0z8JYs(smBX6S86F#~;!BS&R
z;cmL2C;pxJv9u#5gBqb6;YEuyUNF;fe@LEhFXPj&`bQ*95clg_AF^Dos9tC2Kpca?
z=!iUufKeT_b!k^+m}I~0g6dy!Z$)U-IJ@jL`w(*oGrA$a%g?UejCwl7V}1pa#A)8x
z4Gf%LCu>&1>xNFVVDK7bc+1tn<Nvp@nwfF9Uob2@OCVR1?TVZSMFP6}z5bZjdYhs>
zI&VW77M`iJc!5ODYbf1KlDdJRNV`<bv@{yt*E&))w@C09<5fr37X@G)Qtb`VWv@Ct
z^#wz&HYbDY2_8p=*7#)e7DjdDF29-U;_leaTat!7%~IM`W!SeF0^N9}^wQUD{FpHl
zwTA^&Fjf%K#m7~l6Z-`$Mx$cm-iZKpftM=$jAMoUY2{Gwf{^X`d!kPet~vSQW&CF!
zOzYBOqr78O>b{Rx2>a&c2i(L+SnKu7r;XEu_yog97`Z2s?+cGz`Mr2?>guqPaDk2S
z9Ld*up9K=bf-cRD1+6vSp>MS**Uv~#CkCC@CM@hg)V>RR5J(%yEW_(kgIy0-MO5g*
zu6hIluEqdzu`N(YDS&(2jQ*R^jWRF1w=EqE&TnIUMNv=!w1Odl1py}d`m8B^0w*<e
z{ey#kT{cp&Sq-XQj&e<WW9`38-9|mmvj*q&JUd-JKMrjf7oa_Sr=A)TUI0wbbIcb4
zxBwgMpGht>g96S`=Lh31uzi+v;n?3CAz1RzY_%yGKWm$>y({lI=Qd0EK>Cv9daQq}
zvmlN2vjj=DH2r6xj~}%eS$U#kMTkffg|#7qs!j=Kq0^lOYH}@cd^fVyX&g#Adu)ry
zRA0SmFsqMx(?CM9nYVB_lyI+pYxy2`{np8#;;P@ttbdHR!g1g(;%czuOYwTv#zf07
z_HqI#w2^^sk+dw>_tQt*)92sru)|!Uxkp6Oru>wL?#!{E_cKtu#TF3gV3EzZiNDJ^
zQ~e}itEfkGD2;45kr(`6w*=qw(-jkX+k^QsBMDTO9+aM*&Np7t*cd>7tc_XLqGQs3
zo#dTQlh8Z*{Kl6ZvVH}Q*__ll76@0fEqaqnD~0NZRML+#Y_b_|c8X(gC!Jp(Zd<XQ
z^iM7L*~-4is1Z9>^9=9HB(&K8|K3Kx43a_Gt!vH6Kr9MpoROk0*EG~U`}$|SH>V7=
z3DTq**?!cS5))Ttt)?E3y``Hq`<&%5c^k8fOTTh>KTPa+{0>huKXg(OP4f%hPbkZ9
z0hafPSqU*%Ms}JIQy51ptiPEgCqMDitblWj*o4XhctPZ`#&AG<Ak*_HGN!3iT5}0f
z;O!46ELoZkn;<UW($VqER)`k!+!%YW6r;rkN=-etmHZ^iAwxiYn~stMDx;J(8ZbQ=
zT%$A2j)YbIx^7sMoA52sJ>N<_zFeSL$|XRvV$4Q-@kUjNTXPpU5*#XW02gGi&z<r3
zsmuy%9bsPrNgFD&^-8{I82g%KG`H!Esi!!gc?Ud@f5jw4Ybo3Qv$Qn-AIicXAw(j<
zMMXeii!ap`6>xEYqG$uKR_|!#Rd8tVJ3)aD29pZR4N1$Rlh=|_4}Pg+H$Io_5Sf{#
z-5&`<&*r<z`-DklfxarQ`c;uVgf@Z5)a5cIqyrYzd0LnIVr6w?!w;n{ow?eiFIrhb
zvV71!e6yHNwT}A!UdJkBA*t3EDJ7|JSU&i=O-mZstPl~a?-P@assuv(jg7PWj0zu@
zD~urDmJ?D9$Vrshzh>QpC(Nc@TS0lhlR$YAe<jLxJW8VHwu81{K6sF6k@5Jkz3CZx
zca3Vi5XFabb$}*e!sUvk*f_Q3{c)yq+g9V~DdljOjiFP?*?jc19^?(Rcccot{fgOW
zJjdR_laaaTQEgY~7&Le};kUTHK$Am*oSK+mW(NTY9_hZf2FRZN*;^eGT1jaf-f}Cs
zf^oORm$)K9Y#=il=*pEE9{g7UE+%!cVfxJ#Y=I3pd5a1iS}2u9yjB%I1ENIz9JxN}
zx~k#ut&BO~#fxRgcbK?2Hzsp)(z4d85ilEwPHO$8OwbO_h+JJI&SkCCC#Kfgz*@#R
zmQN_O7JWcv#UAZ8HnZ6ae^{Y(P8E$=9#!tJ@%Q()(%IfyYHLp4IR07w&b%%38H8V8
zGufZLA`4^NKO9UJpa~%YNXcoo*i((=?XPk@glEjcc+47JN}eBf1l*0i8^+Qk=F4|b
zapz4&zc+-x{T|8Ae35_@_eERGH%q#3SYBm#Ua;?mh>PbJh7-098-h!=_WUvE*DP14
zX3$O)kHM}!onY!&g2wNTdWjb*Q#p9!vVII7ZA(Mr2ZP+yY&&XFy7V1m0C6jM1`!e#
z*3+JN3HHQ2wR3R+1FUuYI!ny0m5NH_K~=v049IvSTBX|yI}j+Pt9s4rmn$1;zhnbG
z%4Fu<)fBwxU8WOf6m(ZeVW&Fd88F`Vd*P_y^xNw*eME?&Q6a%j|04M6mlqA%d|8Er
z2)Z>`_}9@^?~P3`O5Nln;ug+j1nCl}hNr|-ynwr#A@)C%;}9)KEFAGqHG;(7EhjJl
zHVUa-<I~0R(xwJQBkKO^x*Z`F3AVPjTFHtZ{Ong-Px$_p(V<;*#axr%G;RltN5K38
zNo(hz2=FZSQAYi$ui}0MvgtzxSsQOUibh}%L5?e|nnCn~g9#YiyOz3-9}lvnpc9WX
zc|WFbFAUAad#rw&Y<Nrpecj@=9K3kJ3zRU#@7?K)F<6ll9re5@Q;URc`pSPa3d&2A
zhIBR+#2jfV`hTe&)OB*xyCd#N?!fI<-*8+qQ%lJnaKdJKQBWr3IYn&rZMCZINm#=V
zrRpN7XVBNi#|IIC)@!(p^aYo{^5=V7^N^0=2*>vd!<sEEZZ_Cmdh{SQg%_q0fHHhS
z<p9E)jS_6CtgKvo00oeJvt+-0`=*anLKbj<NK^c8Zdr*g6U#$&1!uUv&9)pCA0I2$
zA-)!Eu7^aKiPqm?16~RLc`|=__o0r(uzgju8kd;~tgEIVE>2D%NCUOI9}}Z4idUSH
zJbpW*eN$+rUP^Wr^}ees^5;!gVcqKfZV48lPUfA*KN&lN4s<_B;FAe*bCgMDdE%RA
z>8Sv!!3rXdC+KE^NF2<5&V8ow3C?`BwCbtaN^5`_Sr#|}$iF58e}}MUu*AJ!^B(qL
zJ~9#<!TZr}MmbwjhY(sXQ%JzP5S><lla<zNVc$dueX;?5E3iN{42`%V^|y#zpfn>F
z8Lpm1ta3G%6gfN@lZlKgUrT>8^2*A{uTt*U{d|1UQsI*D{zudFZ=y#%zJy8jDwu)m
z>MYH=W4)WWrQZnn2v+6Y50k-cKf^oGs7w^M_>mUMJSQzC!qd~oqi{3n-dAyE?JkWY
z(lUx)DU;59Ggt!yPIW9dL`l|RIVf$yXkSvasa#I@EtVBEk+9wTx`Dw#g$@?rUp~eg
zjdGNB?y6xoF6hz3L(syW;py6ax$LDoH~86C-y(>hMGJGU=?jBcDLZ8K9#KL*A8(x&
zEgUyN(ma$_=fN>S&N)`*&uS$&Zx;UiP<I|4nBP635Oc67y?JQR((wFYFrh^spU-iI
z_f=r7kyDnazr2}K>)T$;8LylpU4f0IMk=laLyFgW-4twGcUlW0xynSjJCiW&mF_hu
zkmxA7lh@ui2v}NH;}%GMF^9Ewb9Cg4C!+nmu^G86|1fQeYT%7@jmsCVyk9h1y&90(
zkzi3FYwJi@%W!62@S65@jCS*2)u`GgxS?9>r?RxUU6Q_NL&XK)SZXf;^R4Dwm{fX4
zBP(8j(!OLk)#d02QO;;~s~AFILIbMyO1-xROEF80?UIeQOdW+@>eNWCR>#@z{fwx<
z458Ef)PfP!s+e@v6xXyUcSL|fA&HS}q3jZ$ulASb!R>8jG71|!HP<?0@UN(7E|C5A
z$zZbv*Yd{b!tXgm;BQp-p}n8^c$k3c(SY=dtR5?1S&PYiCBjyRV&g~2F}K!K2fm7@
zqf`wMY5K`;HO+s>-zQ*vXmPtz&Q!Knc4Mm^_0rYw4Y~b88ML5Ybw|Q_3k}7^>l0YO
z_$_q0z~7WDKmW+7iZt6}>tL~|-_Aag`;`E1e_Qh%d=eWJ$Y{^KLiC_HKX#c|__n7v
z1hv<^mD$H32W;2A#^ey^xPFy;=TX5FYmX)o1IaT}hS(4yhDR%sY`F4I=VQYqES4mh
z$}G%_6m;R)T2kISjdLBvd8uZXY1V_HC&Gxq<-yY|*zSqA^qZ&@z2h<$T6w#Jyqtzn
zU}F=T-u?Od$_8OE5SVeeYDC@KNZ@<rXW|-)^2R(|6DLDn?A;?wsO1-Z`K^`lw$_os
z<DH)KuKdaaIAKJw1M_3xssak&dq!Vs&Xavy6AR6BVDs6uOdT3Zs=DRZ!F(AtRXeUO
zwbhY+qnMb!xQ($wQ^VWlq_VDhhB?Ax-(HpH>Qvu&Vo+1M>5j{<oH})iYt?bF+_>^u
zRWmk|QeA^_tIj@4R<;}P${6!<xs*};I|bIddz7+^2Qv$Mqf6&6pz>_js8NFpvOTs+
zO@2@;&rKN)8)g^L!h~DmzEWdnW64J*Nl472L-orG9842}t9C#8TMhV=Qk2J(GbjND
zzUUkUhiDp&N3qN|g-Z+_Juip;4^!VA&u06@-JwNMRPEK)-c@Rg7Nurddn-z8wO3F@
z)o$&X6eU)uz4xA}y){OqcI?>i?RlQx`@YG4K8gFf&brPyxxU}yLrJPV4B8}|fjT-e
zr<wFH=V{ECh3dRg=;C-mUix`6b`vb_-9ZVxCGg7r0cX%m**&?j#5Z8a@cNnnuSNO{
z&qX}AXCS0k`j2<NY0I>?9v`!OAwDirk8Z<2Rt<RZ4YhJ;llh!o&>JecJSHL(ae4f`
z>YLx~QL7i4{oj#=m3}>Lk2!M4?{a~{0xV}!QlT2}zfcmec^Dz$Q%znB-ld4;3EEXf
z5|CnhgE?}kR=CR??}ZyYgmU8|X`oF_jX{!Ju7v=y5RyE7|N2iFRw8sQ9OutZTRF(f
zvc&g^(i{RCpXj`WDfNP!uw3UFXtpcussj1E(KmmS8iitF3+nc3I5-3aPk1;WT^6d*
z*&MW!tk0Zd#aIG4Q?0uMC6%V+Nxt5czw?A!HeQ;OKkUh)Pmjv1jXv}Ws^5Js7-op~
zP5W=cXOp!-$4{)V6JhEA&^EG3tDvyHpsr~L+MeIE(|Bg$K2vb!2mkHTGs^C{n`7Br
z=<UgS?6@~nuS55_!wWIJEOa0A65-L=*JoQ2PjQrX?C7X(#|})X%eQvGu7|>$*|EjG
zI-VZH)9EsBj~I&ivN*wp>iLt8__v}MV{gpR;_!rTDYlmn@P(q|DuYkVD0HMEXLFvh
z*30hNGukn}Y|hL(P@ySnL9{?hKceD_+2{99@bB|x)CBYfH>=bBbn;@BITXT!f0iME
z(jkL=+CTx97waLKp3+__7mO@vPEww~r!EE0ZK7l*oo2p02vC>G@g83qR60uOfMe1d
zetM$8pp?OWY{igWOYH^HW!8>SPKsjk*RS}ZCz2n2p*A1JvPub9^~9kZ1eD^z;^lEh
z5_oW`oN(F-;|hZ39oF*-u_5mtm(VE8Qhq|Mh+q=gOeQI%@~cH}frQGt4Afr()AfKE
z8r~1>H=kB${pfg41U28)Fd?A-tM=;cMfYT}g)V2og}2zmYOpitU<1;)ESMmJ+m#Ol
z2cn3pR#&Z_fm$;da~uQV4;v|Q4{@6kI98=GJ8X)s187Y$HZ)-Ny}}Hmda|&9)c4;X
z`}y7_%7+r*4vaV<Ic`B((UsT*R=bs#ko0E;PX#(d%5H&_UOlJS-tM3<O<C>gr5-K=
zw57x?OHbTMoM~|y5@R)_Z=W1@IoHnL{H+q-bXtLpOK2kyTu7nP^Ymp0*{}T3RgQfS
zSMI}4;5n{(og(Pz%!U((pxav6aV8h9h<8|Pl8F=IsnE+NxzFIsKl42Ej~r9(yx7CR
zqf^W@=ga?Qe#=H&09RlmlB8^dsGJ9U&2;zp_F3x8$JA=~s>kf=Y}<@jv0M~Ml!ww+
zdw<F|ULPAtm|fLb;&0bm$)vluTpcY!PI03x2t^(~{n2)~E^ON6YG8(BwqIue*_;_5
zx#?=(%(4u&3i|PxLP8un&7&#f{m7a<I;J~b`-9R&g|(JKEK+z^%<6mFlWH?cquI{(
z*7#b4ni_KZ#@?AU)@I@9fu@^`l8D^nk6n^CVytxHtLJEOKMa-oe&6u4On=Zpe-oaf
zZ^6d_;E;Y~-GSp7*9P@=cI>>%|6r!`D6~?3vK3J)n~Hq*_d|#X>62RnDl*Ugd)wai
z4SHIf=AsPb@e1fWIDF86C_ho*W1#7s!_TZ2k+p};x8NanK*!tjDlsTIbllb310A#`
zdejGMWwf4Hjt3gmO3okzMYg=<VRn<pde0HwCLmLYCtSCe{S?vu#yp&~rj^?N$^as5
zk6V>%*p|Sp!1$7rK3LEncX(DwMsk!Jh+M1tm37c=qm{tT;K&~WU%qD$ovXBsY1`c|
z1rrzGgQDoz?G`n}+jF0si{Qb(JcvGsDfLe$+V-1@DwqAajQYDTZB=Dk7df>X|H@@q
zRL%6O+x)6O1l1TrPN6Up6*scpXy-b7o-DT*x0Mv+N`;FL>%WJCy7%9&u-BQ7zqz%s
zE%WrmZtFweM)Qon@$Vy*<_|QN4ALuvEb(URfKmh8{nj>L`rd@A^Z36-1zTio3N7G9
zQ~i#V&uzGp$0D~jX+YZ_BpyGP$BTWIT;YP3D$l+`6PcFM^u~+L^K|5oo#rR7xv~b#
zn&DePEf?wcsUpc6;M50D9j#45R2hR>8eH}-IW{Hb`Gkw?wehQCl^D2(h)Qwq8_kyE
zLw?@Sq;s&k11$@F6w>9f`^vuFI?{Z3z@CbCdLtP2ef5&y-Mv;0(kLK5@R~m7W!>xO
zCWKOv;p}Z}9xum9fy<=tfbM|GNkMBxgl+>A)5g0Kdt0PwHM&CWT8{}xf8tDispWtD
zz=Nj@PpFh6n+HL24FwIE%oWs8_i(~lO5)jGI}Cd|GVUXj`6Y#xae$F&1&btCC0W(o
zH4=;ccJQhxSMuBWYbWZriXwb|tFl<a&znU{+f#*BzG$Iz{NazIQKOBsZSMNMH7|SY
z^pKNVKIm42{a0A7RhTo{L{IRNfqYKk)o&?$02T4CdggRY?%>?&0<0L<V4??-1R#_R
z`~c3l>59gP(4D12J699-c}6o6&VGyktS`O|P4z#+IkGn#Z5|1lN<X`ts}5*ZqbWlz
zgvw<44fVfyFn5<_H`k1qzctrU*TRB`i#*YTP;&t7kL&OdlBzno()a|{z-Yn<AS4CD
zxlLgH#X!_++gzK`#0)AUz`1A*Es&ho&SicZzUw2ys$8e^@w@&_IPYT`!QqY$4>lEi
z{eg{|-DWKRODshkOZXLVe$2fQHDCNGAEaO70K<s|qHf)SBaz6QoCNfccA*YqrPUxE
zFf$b=Og`kK@MQTe+->3^PE}FwdB4v=_?4T^{1+ejlt3`=le-C=luTk8cAR){?5pzB
zhAC{9NH`62sm6aE50vuTR?bEmSQ=~ZT~GE~RxBA>OJy!{nVlB{`2f6do3c9TwE8jb
zhiR_oJw}Cj{yt8&R)po3IyW#y^2GMsOmys^O;FHh<D`ctMULt8<;z^&E2Xnv_DG;*
z+YbO;Y(z%_^x~zc9HI5Zp*;67*X^&lY@@au{<VHn7*drBqvy@BfBYB%Zh?M_V?|^9
zhU$w>0>#~9=BE47v(K1l1Ge)Wuyg?m8ZrXnhom91xY3VUlc6J{DgsV!q0;9)<(ZP@
zUCj0-nFg9tvhfAAQXC;^52onw;oWermwieeiCT5Hi`?@NrZT6^+c(bkk6Iw<V-J?i
zx3r$1g)HofC_}EzaRp7G@%l`aW`*r{{kozYyZ2D(20BhmD+c*seBI;X*t2^YErhxp
zzFq80i|e@ULFGs!IG7njf#ZFHot~O{oj)7ne~=B3yQo@0P57}~SS4O=s<v2AYszbM
zd7AtkkNQT>>@>*d(VOt(4}IigV<LJ)v`#`;n<d5i#Cb}gr=-l}(|6#kJ~Q7Z<Nz0r
zwf_Lg`b6f@uTrV1`B27<L*rS`T{#scJx2l%@;)-`jx8Safzc)-crc3$Y9KvZ!wdD=
zZpd*Az9VNA2qvOZ5Q7|EJ3{zfBVpS!Ut0JJWtQ(MxsyYT6Yqr&n$qmL;p3o9SMqaO
z;Y(g59#ldQ$>#UO<d>dXTeIg+lwtSQvm<fHxd@h{7PcmQ8SHnI+gGhL8Xp~Yb`en$
z8uxWF+0CTn!qW9T>-~7#I|Boq%Bu`ddzaZIbljvfws%mz6|x=)##x@jx=p0J8I`(6
z32*~bbat;E1C~a~feU^f%^)2mrQ!<B-TZ`V!rVVr4|MiH?{AjeuUtm*JEo%J?tH9{
z*ps;n+HdX7?}nHKqJZ2%dH$1R?~zovOEoYr9eDeU3C%5$JycHBB>}0O%q@?m*8gbU
z#R=R3@p-z=9+hF|#BjoAYW%s7AA?1E?#X=EUVF!{viJt1*T+U#D>+!DlG)BBg%-z(
z5Q-(0*iID}zX_LWJ?<c>r~U}u!KJuTQ9r>66GHnsEQz4o#dcH1vp<pc)F0!@s+n#Y
z*Vmc1l03KGRjVxbpK?1)*^)!OCJIR0DfTNgC*AkLQD9FtS+w`>dNjZ!D`?Nxa{NIJ
zKOP);qn!d&5WA3_Jg7>+9~s-F4|-e(AHNG7$<GQp-y-%FHwRN(u{L5tPhi1yEVXg}
zzw934@Kh!2tQe)0^u0ffJ8d`ad`tg`y2O|+&O@tO5US}d5Gz_Zdgwk@sn*a%Mti-=
zx)s9U-SznIwoMEhJs`AP0hPXrS;I?o9QiPXWoIA4yVbQ_4EJN<t?wBqt*Ww;BrVFc
z(YKYZFE@rxD8mV4Q0s*r9d+g)uJP__(>0lY?;dR5?g9~A-e0BtcZ~P@Ad6=R<<QMI
zR87aM-Hljcb$R2L*^zckmq^LoQ~Chf#JbMM^i*4d*xqCRRI*7)|Fyl!Tku=(XU=y)
zg|-{jiCePwp>^(+?eI4!c>1rd<^~g}=Abs*iP@*_H?CahycW?kTnZ))C{EVdc*KdO
zaQ`e5f!IZ)uz*}x*tf$FFib6zfY&n`by<t$_YG@?lH3iq+xQ>byYWq5>WGi>8=Ut<
zP9Mi=C_Un85aK|`r7d=U@p``&ZEtHE^$`_`EY$%LV<ippPhciY9ZSIeK!gkfbZgD8
z$*z6^bOObLs>3UL(!#G(AqZT6q+&V0h6nKT6glkl$cStgMzEVft_t(E1(h8GGC-GG
zw{oaS=il6DMMgcx|0RR>a;v*p)TxJg{bW*&VxJajaDz8m^rCzTy${qL2J?@Z^q)Og
zA5@c+!qPg)hv(<QVlUXak|y1;CtY1zj$h~QBSWua^fdZQk-iG+?(j!80eiBu^}9QU
zr!*<q8I^p2Z;ohi4fY*cqPMc6n(cPHsE836CyXToPxa!*J5h*v*OA`e#H}0-inP?%
zS+_CTm9?k5AlF~l-PqFIxDz(Rmy^&1A_<T<3VVISa;H(#t_!vRS~+;V4j~RO_+zMY
zs=9<)ylo;!ett3)hdOTRf?Gv5U0m2bOA8c9JS0(rm9NT4vN2cQ&a*xaTRzP>CmJBc
zy<eWTUU7I(zI4B^s3`g)7)587@d(%mAyh$lCtB{2>(Y<e*kx0(4g8L(&uEJJmAfYf
z$GHYgOTEQG;B@wu@p?9jm~R<&7UMt)jh&uHm*?k)MS_**W4F8?`hi}4zXk6k1ZBb=
z@1>vDPdFj%-IfjuqRvKwzfS;(rjXjj{;p~H?6OQt(MRx;ka_eE`t84)@*1*oSlY=_
zIH=^P5yK_V@5u<=i~4()hx^F-zoSqQuTkhMw3x<S(?y_@$+33JzpMQ~&HhJ}=HX)-
zOXLurerDtW4K7%xjb$GFmj~k09VdB*%(!Z)7X|YurDwfiH}4ucCwU)EP9dHh+T|o;
zf4;O6S-xT7wQGG{37O!7=p|YpgD<gRM`Ic}ROf3`h)@}X$((hR47FN5t)KGj*U|g!
za2||q?t3`W;Y{}2MhVVz#xNWZv53;wb-EL9blL^);^iugn<gfe*(*vjJBHO2ax9n+
z2=IETOiNTJsdf)pWov<pTQJGa<@Qpsg{ONwP6{m$>!?btuYfh-f#kgBU;GU0z0c*=
ztggTAfdl8xh~3l{0pUhAXxHxHh*egX4*x1UE?*5h(XfalTvx562iLy>-ST8w-&M*t
zJjC(JVrezNG#o!i<M3a;y%`90WQVtMlogcI%y`NF93^k%*d8VsSrdx2qWgrRxH^3D
z9ul&|g^-NkuIzR0+pcvsay~`JIdy+&6rC6LdkN%L3Ey6S_^*mnr;q#)GbCs*ulpqZ
z@1XaFLqBgF)h+?dY5&LBpZ-Z+PRqwFDQ+Hu>tS}5tFW8!%vN?L?;$>w&%|)mXm(cv
z9?g<tVouR%Dz{DTa`Hc%IKhg!FC2G>XN*gOX+$rn_Xcjk8<$-$#=<VTYSJ!iuxOve
ztzxdi0<L-O#{3^`Di^}*Hk<nhxC8xRN>wW&H$=t^Znlg9iny<Vs9i|qW0ecu*e>|H
zelI@*P3t8x6mH<2U(U|g_u}cPGk14z4zvAp{7hU5&)&G+0ZlqhO-!%IZ@nR!WE3$Q
zX#k@70G*xq^@(_>j8$U&8;%dZ_v%Nyq}R${n^nZ?+#i3XNxgP`BE5htm|>|We5ruY
zHKVruljR*K>@>tl^9#tP^*d5)g3Y@Nnyx&54|+t5o72}&4>WuRKsNRXvc@WfN~Oft
zx9yw>J^A=&+Q;J3hrYU5-F?aBp5`<*DiVIWN`G0=S7Cqf+>CYX4s}%7wg6mWZNnLB
zvzq7>9nVj02WV{>+|a_mXx8(z+!e@Ydz~Lh&*R{x{w$1G+67yc{@M5OpE)i^InHJU
zWtb$C`u}a0v~n!v3p0)IT5~>uw)Yi(c(bu)UPhHX&?_iS3>pS^54?MtqemCAb8BRc
z(Mkt?>A`?rOY&s4I)g(`?|85BUuO1o{0R#a!s^#o=bvm<wYNaD-3d2cA$P*js1VT!
z-gG0Oy&r&1;xEyW?Q{V?IH0H!dJi}GGrKU4iwosAqGwl{pS8PRh;%Sbrn)XIi*Aq#
zGB|#1>ZfYy+XpGATK)EdCGW|)V)!hbid#6+9tWVjG-kSS{Dc`mHC6h2BK*3VT3160
z@zWqEI~UFDy;^W~PKQ3w)Liv6W~KmCR%q@V)DtL<DQ7IFTf8{8kNPphRM+7(MWZ?=
zhfx|tnoviHi~NFlHq<S9&-aExot^VAG#8fH;8OE2c~JZ?xEV-cWHe=*Kdy$B2D~@+
z!Y5`p5ZW&c@L7v`-G#syE5&zc`A(L})|ho+3QHVZg5oQr1-)eD56BkllmZ-=Bx7Gf
zjFf29n4x>niS1w-fJkRnw3eD#g@dM^4VePC`498E@WlSte0W6tm0Ic#UWAdYZ}P$r
zSDSUS#y^oZi;c}zFMAeX`0&JTC0?O=)s@WH3me)(7`9RCkD7*I*5^SE-z<7gC)(w$
zk@w7|_0g^AUrY)*G+6?{DK$lZ8;BHjnkMJVbDK)@54Um?t6#!?_$F#?PwUr06gwRc
zR-^YE{%CXUVkioE$ONcVxBuRj`1?@iFiu!)>V0aIOe_2miWtkWS^kSYpsC5f@WMw>
zeqkZtY>$-WtntFb*JUyyz`&^&u)94REwLag9J@+&VsyxlM`EeF-GXpdzPftY^pJ+s
zAS)Ox<Z4&+Cm7hXRxo<>{Qe?R%Gtdh>oX;qwaXN+R2z?`i0gFe{K>hri=*{xQapm_
zv>>LnS5M~ak~ZD?@M4dZT&a$zsBpr}99Vrlba_rr2opTC1+!KCd$*O;{|&la$c&Ho
z<8j=Ti~q4Pfr4dV?<%BD30lEs9KPGnUj`Of6AH+~6iTM;(+2GQc;;=9CbE;>{DCBZ
z_`P0YqV}}dVZ@ie;!kiZzC-FawU@N=sTB!OX=xr$g9L}kpnHKsUrtoX)|S{}OhnAN
z$vXrZ8-_i|VVfZvORwWZm3C-hD(bM)LIRxdHz`}pUPDm*A8&r`Gn~&dlRdR`ONA9+
zuRvHwMw6Ld05uuD<cc9paf(&;n@CQMvLUHPlqYR3{^7|;%T4O&&45cvtIsTLz3mUg
zF4Id$j>}|O5a`(xQI4JaaC;a$B(VijtjYi?{H10@0OFgZz)pL;VXI%jhrfGO;jE}1
z>sM7#xt}cu10##{pbjJ@W^k@uj=TpUn?fD%jp`)+H0=$`04lj<Feqfeq*QxS_ywo;
z6Qx_6s$*pjrk`4SP${h^;`J(~h+-0vIgU<tcJ!T2MJ$9vJwvBJjj^2kv^?N^|L%RE
z&#4qxCFuG><KXt;QFR|zb#%hAcTT-v;r2d|X1r>FbWP~>69Pdr|2u=}QOKZp{mw4|
z|38XrXN>FTH}wah?xE_S<p&aB=2ABcr<0!^gVX_{*cOPLot=$78#>M&mEGh#9N>q(
z&HTL;IN=~qj#~Bgm2KKV^}SDpYU}SMZ78iP4IBKl)akGn2cNFgF&!FVXZr-y&smmU
zEtG+AS+)93LUUdd(=w|)1UO=ir<zW|3-(?XX@OvYKAL@6anJ4{Wd?t#g=r~U2{Z-i
zd0%1L6WtYm+#l;!Kw&`Tt#Zd9*_#i@CMiN^x!our=>5hC*z+I0B222sc-|r+)!Pn^
zTQ6Xgj6JTt)BF|4in69sT9K4zhpwxW^e3J`4e}8ckJ}Hd?~^{KwK*p|lkWo6kKoGd
z{GBACWMuprDlt7NPpuVj4TEBT@&re>yj*@Gzub=(PXGFXq}*bql0#05r0nx-e@O$O
zBapV?)qHZ=;$FN<^~cy%84qe@6;+vdoieQ8e!zCGn|kBR<v)Hb$uXb4QS8F>BK*{8
z;m+iYF$tAl&1`8cOSOqL1v5hkS@<U{(14@2CpJD>qge0Fky}rB$a2yP5_H;t`QC}4
zK9xw#&}(tRgZgBa1^=#lVKH0aF<HkVhqcMlx-~GeKRys-nbYR5l1W+_84D3q`kTll
zk+kR5b*we%>%?$1z#6`i04(c$P|hvNB3ZO1d+}Kd#~SPnDrgOc#2=ORYzNV&8Ul&d
z$r*aIb!Z67amzdP?w#wXqrk(G;6xITt9g<*{mk)PX?j*l>9j%t_GsYix!FeE;@uuq
zCe^asS;ODI<cU-jWQRWiCtGfCtk6rc0_q%PGrc<RQc(+R*kX7Pc)^$fy0;AElcYj_
z#r4Sq^5ImjWI)$P&w`KjTEXI=d_zB=FkActeg<0GoW2RdCt)gJf-8=B|E38{+q&tT
z`H9EH?uoasxcB87)Tejw#G7HwIWoTzCI>S6YAXi@RHxRQ{Ox!({m#xN-zm~6nHu?E
zb3`L)Mf*3952(kFY6AM$u?o-fs5%W-!_j(lP}^_+vn;+1lJ@5HU7!KYhb7#Tx6~fz
zpQLD&oV}_GaC+dKsO`vyoHNjPi;q)n8Tz@4NIFQd`eUfs*H^uUMs+7{tsW551;iet
z=%R&sZ-ttOq+BhWB<YQ8*OTc)fF6mlr|aJTT@(o3Ss<{<Nf)@Y4f41DT?DkdnE%^&
zs9(Ad6o{!np>+%Dk85Y%z5y2nryYHZfy$$WGQOJeB#kkeyAV<E*SLX4yHan9TuCPM
z`$qb>AjJ+N%fU;PhY7rZ41u1=&oQ-sT1re<{Vf-1&xWM!TE-(ln4UL5)$v+%IMuf6
z4RnLbM{%wIjb4<DfaDh$OyuuXEab;7CQ)Vwv4^yP_uPh`iuB@R^M8N-M?||yx8Nsn
zyZR<?-4BKpOZ3ZE^J-n4ZbA#XA*t)4XcyW0$h^0com#3r71FL(W_6H2cE7HC%opE<
zgV&IBzb0&G^IsnQ>jkn-zf*!u$2a7u8ab+^ugwuD#%nYFfQ5dAgj#RawpSkUmJ~SI
zI*+;95u(ep97_Vh%mH1RGUX#U*ON_&ha#75Xrb6s;HMopteNzj5GQ{>Ai54MKv4p<
z>dkJZ^_q4+6(PsP|0`G}c6Ib<Rbpad>`1sA5I-B;7l0ZxI}&A1<{bsB@+F7g=du0q
zj6tTu$S*+&2VDQjkQK#nC6^G^PkIxiI5I<V<V^<Ep$8rXm6c}1$=?O7<rB&fPebqm
z6aclKrdTbbawkOmg^$*>n?iiLb`j4n@w|&`14gsB*c!ZWDb(L#*LD0q+wbP+?I48u
z7+P4c<T&>3OW}dIe0<5S8)7Mjlx`WbPuI%vv6$a!qF!SZ=_ySwekh;*vl%53y;ukp
zj+Y?gEQ;KD#ikaP=BZ;pqi<4Q-J8PL!lAr`@+5WCb|-lZbfVN7YXl>rWJK)+gwAd5
z?IH%ruH_aNaNVP3yWV3oI5vy|w^=mChmO;zW<<L#G|XzPR}r*wc$L-XL%zuP#`<ut
zY5re@>7&c515pJPF4Ce&G&pF0N*T)Y?X3V0&t-5socyTP+b?1ey@o8~9+6Ji<--0W
zM;B=9b)yAh2yngWPZ!7dZCVuSmRtrLZF5u&)&p0~1!gN2$Yj3|vf}A>gs`OP-J$qG
z^x#2#I}O7-y4zhZjM$xLDjq*>H3M#0b&a^s*!(0p!oRCo{ah_h#GP(-_e!j4`O1F@
zch!YCmO2usqL6Vf6L#G=&YsNWbkC^p<BwT5@ef!9h_BzYVWfV&Sq@{wdduxYgs^}0
z4#xsBsw|%!0QdH-rXip!cc$|X!gbyRa91Xfdj(`n3+2BT|1}mt9E&J=^`HQzE4p+K
zeinyuEN3&>+dP~r`)iUm+sVRwZbS6v06)M$M#^=oZn1oHYfCt_aIvNh6H(H5c;teH
zoiPFZ?>y*c-0_^>YCSMi*e|r11VGCy1<A~lx>Zo5;UeWJ3_kP&^9L+z9>QK6635>I
zooMdv^^9xoJk9s{cZqYx@WvR33`3M7Qya&ks{oW8aSxv1=&5nJnbZjzcAtev?8M1j
zD9ChrC|?E1Xv>X*NT~skgipDCk$A6>KVPB&VfQrv_ag@gOQwipNW-bJj`U@u;)Dww
z56LOuu9P5M*NkN(OhV9&R{_-Ic6m8z8cUt^G9_MyRPsi_B(u}u!^Yd!cl*<m!E^2c
zD1R}!d8uHOI4PW^SE!VBCP|9zC%NvS5lOd8=bql4)@ISxrcZDAm2-CficNAMLb<Ni
zSZuEq?qhg$PTTN{9N9?u2TTuQ_Wh9mCSUz@Ys+!cM)=;i!ILyn`MCbfztW~G*Qh5L
zu0@Vv(RHU_+;*V@K?qMh9ixS-Ld$?ld4-5SaGA;q9r1nZam@%@zwlM^s`+&qt!-eD
zAF};UT{l5(nQK+UgK{`lsN;|O#BlR=NE-><nI7bD7Jody!nIH^JFid(vWAbW(Q(J;
z8!h(W2dLY^r(a%b9YU9L)Q0gPrZwk%C$Dx%;Rf!8MG_`BBSOJzu!q;uZBpl8)VF@;
zbUmq@IO)NH*^rQsQ3RL*gyDnQ3T;K@!3>-vb)=7}-@q@bnag}!1^^sL4HxuW({z!L
zEHr2KGgcfk1YO2osDW@kJ`<f|zfHeg1DVo7@nl|hAU=yVI)l@se9vMLAhJe{hwO%1
z(ZYsX??raXPmZilGz%TaC6S`ky2bP$!;I*1J9f}=%2wgG4wt7s0KVz}DY~xjkBe~P
z*e64F5GJCFRuRCk>Y|1RybsRTOr_nq5lC3~r)z|TUI5+^3pvOs7F(Nx<+=x7it?So
za#<{nM*F66p?1%wXZzvv{+Ggljg!KobPVMZQ!fvC;fk|R-yWdlL<F}Q=exEJYzIEm
z5&?X<(2*jn!UX_}-e(6fKY}jIxP8p=)6*`OnqCK<oo`%YF|L`v=d~uib>@1#T#7TU
zcOs9>QvU#VX9y`k&a3pKpB?tbiV#yPw6v^X!cHw|0sQP~Ss7?kN&k_$YoilF%3&v7
z9Z_FCn<wFpSa`E{V2}?gd0x&Pttf`u?_26f%pV?kU;M5eLm$DDka7Bhny1Tl(y>V+
z%HfX=OPES)&%Egw(=h<mK!=e^b&!L$wDYx|3<tL%^xe<qTv39%;-QPK&nHiwj%zmi
zi79ZK&7^xbob2NjApT}tGuEQBPhX<zLB78sAk_X-g};fvqRavmlCgwNO8`m72A5_C
zSe!F}+ji!B?aok@<i^@&Dz;YgA?T3yttW#W9G~gj`-)lzuxX#!sfnXbyG4}^dY;U`
z4;Ra+`t8%Oy#<B<u8D%#>kA8XI}JBy=<W;P4To?m$*8z|*yV{P2-^rd(Y3A7Df<W8
z{Rlb~BV-!zR5(@2k}vknVZ)5fjL@nMDz5<3=fi6F^xFtK3Wk`}oT+GZ^=d~JAlO0k
z>uboa=kQ5LNB$1Cw2tR`U)-?U1Z00Jez9D7%7k7Ca%;wf{(uy|W$Wizzo`y&>`0nO
zxrTQDko9E%M(4F2ExE0yrze(km5h7;*Hzgz2Q<E4vxgzn1v66HHit*Q{KF0)a)6JE
z8sp+G7DtQgDs@W`@l&Smg;y#F9s?IUIz(z7cebXJHG}KZ?dcB+?U3o|w`W?&gFOf~
z1Lm)^HQEmsf%;#~Vn#zoI<V7+Z3qe_2!aGo34}rZf8aDX+AvMnl-Icll9j88*xp~5
z#{~%g2=JlQ!Y!X{(K!R<f`9NzAF<-VM0>GRDYmDtVN2}busk1r)7hRC6^n9MT^+1A
zd4X#y+AI!12a)j(SAvm<dMh_BZRYtT+D1Pttc)6roWV4k_W3T3R-t~M`|O6vG#qv(
z{XQUsBh>?ZkqavYzV-+(ZVa!$|G924XN`#<1)TnW4~A+NYO6uHJyW%-!{G)#D%aBT
zC_qqhQf?-V8m$rrgD?Jk2n8es@J!IU?YJ#!&S7bt+cEgh(q*)zk?NDyo({N8VS`*h
zophf@aRPWfKtR0x8SH#7!JtWFo?o{uANlSHa>XXYZ@-}cQ~DWIMGq<*cH6#J=y<IF
zKthFD+^;Np{c&Rf*UwMqX}{Rpv|X+n*DL`V88HGGy2%a02iofI{<`8&osHLDA_GB0
zpg!ZSd{2~NON?7UAm5DgEmlmNXfvFBRlhJnqXaW%L$%gGy0uU`^^XS=8IRpQ7eG1-
zVb3+CBeW53kbn9MVB<#l>3oUR_t;AOE-fC5TjI3dBU7>ZBu<V<g$F7d{)?KwV?Wsy
zYYm&s^)KQ&?Nt9ky8^+rP^ZvlNz)aUdc+DHV&QXRw1byxN?(M6rd^5tSseyoskO&F
z6oqy<;Ec#c0bqJn>GP)biNDdS;3(g!2JE!RqU&)BR-ZW-3?T#YnBa=?e5}GP{W9H}
zYG6}iV!0%6RKtPKGhHkx95`OuFgY8cD2aa%Y>%Mobqw8Mof>@^5EM+>{U6`^;aA|O
zt|^`HIJ6MM_w*pYn(e=}ragiBEW<n|T*bV@)nF=i^whUAXVfoRrfgF5QPD~;AhH8C
zHUELfqa8_mTqNOmShPA=gfNsQV$((qZpm`%zP8#A+dMMhJ*=L*JU*i~J(;g<=7F9%
zm5dMMiTp|3s+<(z9%=<-Ro=vQN7qkWdnDnFy)&Qcf8N-xTWd5?FbkYO0=&G$U?`|X
zhGuKD+2{0O9|isC`?+gS9uOhCaS!2GE_Ub)t+KI5fJan&2r6R{yT-HySd`%%A>eK?
zN?wE+W#3)pg1X%2(?$UwIE?BWTER}+C#GlED=lgQZvW~Za3Ek)f3=Z17S2Mu`8Fs`
z1JA-Ra2v<g=qidf59TiikMsr3Z@`>Sh~W#LXA9dEeecI2c<XyzxyUpQjT-2RxY_C^
zU-oKlel{$ncLaFGU&Az<J?2QNqaSjc9A0bcr~o3E(9eNCE|fZ?P66^X+%C=dqs*Do
zl(khE#{rUTgf$hK5B5I&2V71D^5Xy{NUGt+>I?_{%hnT*#G%Ml2_PO#(41<?<@o%&
znzSBpz~StR_pDG8CL(wlm5Bin;L-Qh3^Ix{v0Nh1a6-76D0C)U+VlNiYal^Uu~;ns
zI`C(!2C_o7Snk+{NCC2mfBzM!`?&3MHRysjCL{Go7y@1JKidK_A}9D>Yw$*h^{=}<
zw6v#V;WHLRu)3xbB(v*3pzmPR^l^^>TxZYdIlZG|EMiI@?Cs=k+@88z4tw?*HnPb9
zmIUJ9=PqfU=o)%QyM<xcbBEmdqv#{8!vSh-X-)BJAFHb66eBmD!u5QSlg&cV;;3VZ
z16Qt<O2WHme&Y59R^GBWd(ZmQ;(OYP8QQ+iNkPLzfxnXep;^DN==!%ni#ruJR$!>+
z3mXxKD}N6L=lPxLqJY&h@O+m&{5QV4{`uAo13iM?w~_{onTQ=4T~fD2<A~d2paG>R
zM?PZ!sa#<7_uC*tL~xH@Bq4me2t(e6uxN)s-%`Mv7R#qd;VFOK9JCn#N8&&3+C2nh
zouhpj7eb)Q^+X|%**<1K8!UOS=Ic#97C>HX@?BR$`rly1hhFT48F&<8Vv9lqOr9^p
zsCA+|ONw-_lR(i88}RXFg@jc*G9MPS!Uee06iKz!TzSE|jmX@6T@(_kMDM6}IAGh0
z6q&0VcNNNB&mXT0@H>>byiU;pm#V)*k;e15ISi$PFr1y|)3Un<&s>?vd3PYK2K7()
zZ@G$X5Z2URpA6NYE?pc7oOm;wc@tuii<*=ZGSE}SH-1Gg!39802OvEg5~R)}5FOGp
zuFK|+8fXaW7ljUBgm8Cl@Ww~%bSeYL^K@~Px0aCveq;>}0s8_4M#dpA50J$Zz^#@>
zN#HqU>>%B9-T74P^xsgh=lGUy(LZbk1n@JR`7U!{?7(G#VH?M14iJ!0@gpwN^ZCKF
zFUKX1IZ#(keqrnX%GZg6RQmJ>?J>iEPoE@@U0>q-us+y^%ezW#&z{p;<RTU!JtMTk
zw3WY}uMakq9vp`0yH+3yARUFUeB_&Fjj*W$K$X4@?G*#6rA3ozTa|%doBjq0I95rH
zpBDEOHWhQP<sA0Z>jwQVL@xp%8aPuLvH7DQLiiLj$iXeWQV4W)Fw_W3x-C;m?slpY
zpm3S_pHf#d;WGJH;Njkwz2}|%!0LvJ5S-9(Q(Sx_R=jDYDtU&9w{~zP3!q3+YpkUP
z%;ZS+-BJgnd^rS_+J>q0>LY>wPcke?%VMQ9DLAbIsl)Sq)CTZVixRGbHxztk%;h?R
zwV5X1X1!+R0Z#pD|ATT4EoqbhexJ5t<ERdBSg~w>o~;s@Q*QPFPI`?Jv8<IfZB%Lj
z20IK>j>+{|opVMFc+6>`ijc6E)jkDkmwysAg27ue?ssSH4t>fSC!ChbkyM3F7DA>*
z5jly;|Ak@vj9uC&cBlF+5q6NEAk?<a1vumrx9{)NR+f&2nplOtgf#ou?i5$;_<xv7
zy6mYi`NuObKmC+zSKaERQyzjm>C~LtA=w5yp{Tt_P;S*#ju7w;U^b`<LinN<yD$OV
zPBR3x{RTJ35R9rb#T7+{f?>-y&f$&aVNnJ5+J6@2&gT>T;!OP#!5@#OCQp(e{J<=5
z=Cztq-Xj@7>!+PsIayzFWT+CT*lZ2--i)zt&E(N%6J>`52v%g>nOS>CuOXb#pT~74
ztO+tS*X}OiAVfV=yCxNf7+g`^IT)xNjXOD=+c^Ukeq$E^+V$bIAYc~I;j0+%2fX&G
z*UxbS+E9tPz_*U;Cp$&+ZnECGK#mPiFP7i1u@!$mBAo+Vt?fOm=+k7?T!X<XVM-R#
zY9X_(xoyZIL_FdHQW}gf^o42Lp<3OFF|^t>TQM=O&H8*UrNp2IqXN0qaPI1~gISM0
z%gZSzqg5?hcxrk2U+XqaKV#{W<L30!++*D^@Djk90K7U7_1-X!-FzvOTNlLHS#XKM
zs0-53iBO(dWd$W1(C+?vt1w|a<?HU;l_V;1{f$Q;qPVU^Ie;Y3%y##rS^zNSP6VVA
z!ab?EwC@>)(y{}aLhl;-9!c)fO3o(*;Z&o~1wEjzmt5aCNFvDLsk7Eg>Ev)h9*|lW
zhciG&0KArjl6PsDnYg&Q*Voo+a|;Vqmg1P;WR|=6b@h%qE-CxkP?JLl|JRTDvu)dx
z3zWwtQ^~t;wuUa~Om!QDCNV~htF(+YcE_!EL=!L@?rXYs_nj);LFalThNB7RevQ*U
zE8~qjd`1V43IR|1h~w3xGufemC(|VDNd+wEfla;dX)YcKWJ^(0RU#^3Rc%|z`5){?
zq*2`Snv{;nLx!k3MHs@_nbB%k<88SNp$HU_2GW0a$jq?uXc^ViciKKuk($Py4cQ=i
z4}H)b^2KhIZ5+HkVpo*!$6^8P?Bk=O7G0<tiG0YEqr$y;Z?4jw(f6Ho;@pMTKFIY|
z+lX(09?<l70aeh4vd8tdPGSFORI{<My@$5F-_0LNB`1eFDwieKhJzEj+(TJF7`7Ol
zZLtqnmQs6f_pT<hZc&*^j!Dee<D;q09J{^4x(S`}8Sx4x+(#sr@Y!tijAfC*)sz4B
z{^9uKB<Xi<C&r6vm#YXjV7-+O^h{?)so}O;Ya`OecHl5@j)k%+ljQTU6D0$vvY|Q$
z$T;7y*#WZO)c!;hs;;+7%j-THgCi!N9M~Z}KaAR<T^1Otv}xGNAT2R|W2JD9^iI#w
zCQrrt+r(<~{Z6x%V|Vb10D6l@pln_cMOd)%JU2>+52Sq{!Un4T(DtHLd#nSIOKy+V
zCs@*CdG_lR<jvZ=q}lpjvwsm$E&9s#CcMOMknR_#tV&^dX`zf`@0j!xwy?lvR{ZbV
zs@z|j4(mVrYZ{=V=^4t20HNWR6vCw^Dt@l@O2-EY2rTpumufKr!ab)f4EuISTyYeC
z=!TTWw=YH%LFV+py(;>sg}|C344A`0C>;C;mRm6C)0|_pN_queBCbP4B=Pr-*_vzo
zEGU~5CA-?j^_Ik}g^H4Q4=NbBc8@6geW%n9I4hSlIQRwoe9Tg*IZa*TZs^w~SCEnI
z9CEuZ2KRo0C~CpLgSOhiDLtsLZj1TdS_Wm2)U`n5;_DJ{TKR@7p!)iHE_b4r>Fip8
z(|ONv@twTE8r6<%af*99AU5hlXBmyaVj^q$RLR^2S(ALc{e?K<=7O2TNhhey@RIhX
zN@ndzm9|0qUTD?&<^L}Sbw5qtT%6l0N9ni?E>$})56Iyk7Y(1g+kyEm00MVJ53qua
zXVuwa*Iy*m4ZdD-JKbky0Y*#X820%iQ1NVR(P>dNUB=K_vwa@@60QpJ#BD{q$~&bL
zO(phnAI=kJbtNB%<K&?xgp<FqAEEDG{c)`mg2X12)m=LqvGabz)s$q3DNg}sq~Y7P
zAkrff^PT4&FIzqlgx?#95YD0gW`g%a_f-d3NDnhQ4)@O7+#LGri=Z-De1GFdyr`Ql
zt=3trmqW%$F&WcBt~)6~i{B%lk0Dk^n`Kt3Lzk<wcF5b6mGy>|wjqDLM@H0>;Qs5q
z{7?xzy_DcCTMCe<Ba>z^wpX7c5u2~lGJ^JsA%YV=x<@BS^UU63i7bVY?TgM{V9WTk
zP*Y`q`|E=k#N)v+yknr&?!J7!wDWOCqecOySYdo$x7L@tlA{3fb*6lK_O2&N&9J)U
zH!eRIbzYI7b?K+ZIBZv5F(67+Bz@2gKZv^g-Z0Xaq$mZ-=&r>Qc7csj>t+tu__OUF
zkydPD+7Q63oqNDC0d6Lsir_xR&6#K_ew>Z%#_SF0raRAY!InqKUCIl>JtCI#PlLYd
ztKuHc76Ij;<g$4;k0>z_J)t*VazI+VbsBD@Go+;XaGC?oG=anfpE0lb4!v^FV1^7e
zu0>-U_6s&7K*PI~eams4t(IGTTZY{b#oPx5r-^J|VD8&;PhU*f%U&@#N}?MgnE8%x
z-%P0XwkPxR|EYGhFJP1AROid|cf7JYxLcxO;B|jx!IoL2i|wDWfm;v-=h^xBdn?G+
z`#QI8+Z?Za9cwPuDm0nq@?4nBSbPH#OuwZtbnC63_3k>oL@$AeDt{>mvNHE}a{in+
zq~47YQMn+3H@o69z1pb@V$yX#3PEmJFO`jKBR$<M#SVfc8)ET;{Xyg2VuXsNkNx&V
zqp$U2gmYu?+}d9TH%;jV^aP_GRbu=#d=rCFrqTD{&wY>j=F1;fB7oCB7JIUMe@;4$
z4|=)42{o7*5?<6Sh6}AWP!Pd~mhTb32V7D@o@qy8DyU5s7T6bb{5$fz?Qbo+#bb^e
zLUvO6dYlHQEGAkGX!u*w(`UYOt6gS(l+nNypZUaZyhV%`yJAWPAIL9Dl++w?P0>>9
z-Ou>^`-5Rp$J@J>7J+RY>?4^jv`Z&RRYY5a`#J8h<#S$Vu3-~{bk%bwx8e(WmA@MZ
z_i?4`ea7kwT2efHgapPsd|UkT?a%)6FEk;wgxNeM=@Q!Jc{NhfD{I+O{Y9@HyU&-V
zIqa!gP6uc2M(oU_Nz8VJXm;NYHFcf%yBo0?`&L7tzd7)NZ}kH}>_-ifi$T@Z!40eI
z_4jZ_6OW*E-3S&|D{aaxos7rU4uN=Zz$sE<mR}{Os0!^z3)&5({-jBdGI|*HY_oQ?
zOWhgI;6{D&Q=3|4I)RWBgjMR=e1P)$vdnfRTYfOrr})%q^2?uYC-`9sXT-@9s*4nd
zcCAat6c#HJ;o2`wE#6DwRWQVk{?OJA+M*TrFw1iJvE=oT0#WpJWR4a6y5MCpXv0Cw
zEK!cn2jMMz&j`eymB9OM<$S6W+JKH;y7~#T<PmAv)v%zuy<PFsSW?1vPIk6JGFX71
zO5A%U&3RP7EnqzQXj4*&*|}m}gyFvE`&!a3Aj%MQ!LVS!4j=)*wZPrGosr^&VIO$L
zHOU>{N-J&YLz-Z|%K6f7rK_J8!0M~V5;c6Yd>$-Pjqj&9JkNvWC2z>|QGl)-RcF0>
zMm+ox6&barthoaQAxBDbg_8lecV|iI-3dI<Cv^kKjj7CSWeM~%o-_rq(x<BCkjR@s
z5SMswvF2rc=K;E3dBPmj#<HSnhy2<~W*vV|3^q9p<m2D!-T0)*E6ROh&ibWTNQ7=%
zz9#kA1v0txvpEgnnS%@)#k0q^OXZ4o`H~)IInO+fAGQ(F?c^nXLGoZV=R?*5<mr~^
zhq|d0i2;cr_7GGbSK3q*@soGqvpe2`5ha2O<WF|%tH8uMy?uF_&T{!ur++tGe`_n9
zsrEHO($0TM20}vBh<mJx91YBhU924>**bpY^RzEc8Ivz>pZSVl?jBVq|LbZirha~n
z-q0t|L@AJAx<{EWRN_gNHs7!#j}q2~BRske>unzb=6s3!8cy5|O%CP}+<Hl+%ol@u
zSPiQ*@*EyH6wJJ1!NE)ThyQj3hoidIPo+f)s(5z^i*B%>8yT_EcV3p$c&BmbA_bRd
zAw5x2k=+oplEhc-+p;WMU2PCv8x9cu!>2Ay*j~LdP>J<)%{C_q{Axc0{GzmIrNq3}
zWnv6Q1EsLJy#0yod3tionMyYhBN%|lT5xmJsw6rD)inmY=MsUfrC2O)oh%o5y*2#^
z>fh*orfcYL;3<#m(BCgdiRKW&@kzJlL$N1@Tn-SAJVUfpvFxJeTP2*#-IXV%xF4Ta
ziQrjYySLt)yzKKalYWsF_MT0{=grRw%|hcG-D#$ihh3jIeJI7bp4C-H-^nmH>k_>A
zq*#4t+^KA<gQMhzoV)?WqOzs-hfpn|Y?iKs?+G(8dMf?YARdIhi^Thn`nO|}K$tk?
z5KR782}+UpzKBi?0sMu3O7I(H;X&D(we~ZxKsm^t@*U`6T*TA>{gkO0VBd=$0Mg9X
zAW2)#O6%cIZ>n<`;1Jk$rXyp@u%l9`{vARP8<fiP*saZoc+dAXmfxbhDxa<Tt6m4I
zvq+B+4=15<AzLAX+Ak*ZcVc&mWOlcL9(Tm~e$381;u#JxCsF#;M=nnpr0Z7ad6oZF
zu!HZ`*-uS-aX=m-yAa!;te+AI?xW7k?|RHHsWcJ<!@1jS_K~S9(6aBzdj{aBt0&Jb
z<PO!Oq==^8Jb$VhF%?9VPa_t|^B5ZLzHb@0T2qrb|9z=5GF<>l_uXUeb;TDC{;PM1
z6XxR`jBK+bN)g}$HfU@KCu{L7InC^m<nbpZuZcTvnLwqVGmNJMaIH0S3WNH*E;J}b
zV<tW?Ypw4vUW=p#yO#F=ZD>=#v7MZ`UORv7-xG`5O2M<Q56?4Kwv{*y2;t${^!MNa
zj39tiN&olPs{Oof3{}=-9ri?k5Wd8Y<;~5PCmA23qk5ztB8PjXY)Oo%I5HFmIZ$*I
z-Hc=?|Hzr!^{hh^trq_<nJL2j%i0Ti3lJv>uX>Kah0>^t_>@vjI1x+HgT%yl;uW`i
zDPw+q`~1?}I`yp{jYitKoObeTQa>3Ra!vMU{OCQy%Gi>hGKE6<;p(eeS&xLt_#<Ns
zxOf&TQv{$o>eFa7H*ICsXWSNnC1FWsImspY4ZDh8C_M;vqWbbR1?BP^@|aah!vrH7
z9c=x0p>6r)pM-|N$g<~#yR%2{-ZM#q%(3mnoOT;GwJILN9*Mlv7ya4Xd>tNlWvD^N
zJHJiKEf67fhYav&)q98l?I%#jIjP*_^<Ei{fo?q22~9$d^T3N6?CHr45d&mBuPYRZ
zgWV#{%m|bQY#!hJN|B$OA6(^r7MOo;;^(*h3QcZaVHWpV9^*lB(4q^T;;V-hdf<G}
zH^EAkj`T$%+mGpQ45PJyk?V=M;X7=f?RB!M&Nq1@WmN^<27O}8lnc$KIJ^gtp9{Ai
z#hv~5`YnwLM9q5{+E@;WdJ^9Dq5kqQeZUvl%???zQZkuTGJ1MR@_rm?kt){|C*4o7
z=V;qUI^lXn_XvX@dV8YwKBTx}J`Y$aJrZab&oF~*D?ZyFaz%-62)?mCToiI_VsJRx
zUm|`BfS;6u^o_etak6*x2b0En2i?zxmZQ}iz&ZD(zB1I<C+%2HoX=ek%q9jQ%d_!;
zG}^v_zm+2gz_vw<z%;QZZ_%!)D>~@?dUMg=PEl~D2JTi4Tsa|#akth8o8OVyKw7RX
z-2A1lvh!qy_chBc=t!(_5LOl5Pq5T^A|4R=Mzg`6NZ!5fdjv40`ZagbUjt^cI~six
zuOfUHJqTx5Lt`(ZYn-Mt-leQCGNQ>|+SOqmWN2t<GxGN9t+U@W&;}u9*lb@?3m~zQ
z4%pfnOA6|Ns*InnltbS)cTpLh=HdOknGEibAfe$L3iVMi2FJH@1c1b6kyzXGd_1ie
z2YMq#Cdw$Sa^c&c>3zSVJDZ_Nz{JcyTGa)+07>%dbCAFQ3#i1qt?1!_cV7a?-Nw=4
z#v$w6=x6VIv}Px-5?Sh%SBMast)aPZUTm`H>m?`w;`TS46sk%-u0YzYdsLfZaqH%9
zVrr}@p;c@GGlJ?f%L7yfba9_Qf;)Q@e(>_Ww(&5}E49@>|D?deJfbjDlQn16U4bbf
zG!Kklq!sQ_3<76~2#w^*a`1#30GlL?fiOEdt_<+bJ+rG3Oc39F_FL>Lfg{6+*J<tb
z)MWrB0Z~5Ig>RmxclpRlb8U%d!(>1XU=`n?Jj_v~kN@l(UGv$w`vq_z`jgBt>HW){
z?TeE$FrmAr|AkJ=-_@jDdPOKdE!4!Mc2?YNe<E8fc-(*i8g8-sDPun6BW*{-ua=`L
ze1B7g?<l%FmT9deWeFu`*H=o5Q(^#pOk*qu7ZsK8tF8<&iI&HoCcgi`HZUB10p=PP
zSbad!F?;+LX~8TdlAOUgLQ*JA2L08X!)fEqC#b5`gYd)mOMbr#_ig2{W}t%Y&+Q#%
zgMSc>Of1~RNp0UcvbY|TDuF=*9NT$ah!%|0IFbc~WC;RIf*PbdZ^3`mF}{#~^}!)I
z=`KhxF?2KIcZ{(%V`t%)(WBmuj^N}e+lOR7vV!HwZ+9pcjA&GF9_l_q#%l>8e<gCi
zBDQ_1SCmXffqcts#jd8Ry7DrLoHB^*^RL|au?M5(%wB>HkW+jBCj_P%)KAH%_1$)W
z<l2?V@?&7W+tX+1v#t{-(17#4EJige-|vc-{LUGUSwHGB-8r)LUK_<NN%X$id@a~B
zHI(uZ{E=asQG#Hy<HELoLB9Nv!lq{a)hIE@l7&yZRP^PS`7g>JHum^wqkKBPzlQvl
zM$U=!x?_74xObiv`YS9lZJ<XD?;+2}*ri3^O0)eYVAK@L4YsggSD7ge+?vVMDrJXL
z-OssI>^dKo#TkAJlr5gORqqeLZ%;Z36#==uw?kRztQ_^of1AbJXTH#-gl6r?oJPo8
zxnEs%58VKnrr^P$PtmR)(4%LXc{VvOQ$4V2Yhgo2?+i>>6OrGJYdz+5JWcq!-$s9`
zao7Ert7)=6;pW(*;;IQ23=Ypf<!STna}*Yn&wOqlLSLc5TvI-%u{F_(peykR&U|x|
z9v^;DX73_eWJFrw-n{C^Sz7mpFT8JPL84MEe&Sd|<38x3DA928_PxHTQw0J7^apHI
z#oo<S*-=I>N!;ck-q0PM@GMT{E)0E+<8hHbj0ryMR$Z=xJ!;7DmAEWo0l!7jtiB8a
ze==)iRcC}6q~^YIHXwgXJ@J~V^uE01$$Bir1Ismrf5kKICE;=vvwTR|5`|u{!V*er
zcV|?wyjFkjM-*AS;<-+)z*Yy`b#jOWkc~k-c1eAzW{i@Mhb0gKkhgKJ@eMt9N6OMd
zMHyR;<p;Q;s~3HHbz)Jj!~c_e;aPJz<dY8*$GmG+B_<+nZ2!@i>$CZ|30M{k#U!zW
z9<AK?#&HuqHY|<Xa|Yq|e_z5vZo-3Z!=ovCZ*EEA;$5Blvqwr!k2A^2p0vJFE*O*a
z6cgGg0$W??UxsOWdLA|KljbETz7X~s+q)aeS@9W>MuKy@#W5_Z<?xabdem9gJFm4V
zqm;O3O4-Z~<G_mhZj3#B>+iOX9^Lo3+4AHMY%C(t^wfqSE5?o;T|P-6mQ=tANS7Ag
z9Sx_Uqobpx)j#lh1{jeJcB0<*^mn0!!2coZtHYw|y1tPHK~h3WO1h<C5D<|Zx>E&2
zN>XCzZjlm+L8M!dPD#lT>4qUjnjwe&4&L|kzCQ1F_=D>@=j?S>?X}lAv-bK0h(~+I
z8vGs;3iASdB=zMWC$y}~#~bmS&v>(=m(vzjvPC|*Q=>#894(RakqF+cD08jr|0H_|
zKY($NXWkHnn`b*W(SP=StM3h+yd2zu2DO?HV)<hMbDYa~s&ZqwpV8VxIuKT?<l&`W
zu!?2t-0iTW4b`eKc1Q{5qrc1j_2oyUOP-rdanzX0>Zq37yq9d3Z@HKzxq@c9&Ewu_
zL~B77sHq01YE3MYzEMdqZbw{q-rRwFXqvtQy}#r6J92URV&yo|Q11@(E*hl&!5HC}
zVqdurORt(|mqpF4d%NGz^A^=IqvyQPX=HqtyhasLRi)3X@a<+2(DD@D{)R6XtC3W(
zSxGR=&rpO;O&!~;>8*Tm?<g56qs9Hrr$UeYqU%z7jd($ghE=?(sAx*%e(}z+qA(4>
zCf?`>iTetg<XDi_gSJR|XlG|<0Br3JRC9iS`a)`Qj7%litmIn!IK~oW18ln6h96nu
zg1GX74ul=G6QcVS4xTR*R!xzHM?idLG0@%fzdOo4o}cNPXnfNAk?9w^Rlqb9dmk^S
zT936wX*M?_sZE8uxb-XB{xm-jMhrPjqxHuy;;{EOl-h}pv=9?2jCe-c-;^`%FU$F$
zL)U%^m78b-aU&-H_PW(>Yq-~T2k$tyhHb3++X*CY0;m&~SIo|W(L!wZwEdm;4fWd*
z=x9*<>?6;gaRYBnkC)x&>h5|woS!ovI|DG+;33Qi$JTfFm0wGad3?;WRWtD0MZ~)N
z0%1{-!H)g7z=Zx{^|JX5*39-KEd+=G!m2t#C>?4>I!Se@iW612N{M3rXF~BpXiyJy
zgdkvHKyT`&q9P(dqn9PuoUxsFeLiE_ed?k5C7$O8bK2m=M2UkgrXGHxdyq}Ng%X01
zncTw(D~9@Hbivo%!gT{D?5)2fFIV2Kx;|intYu1lNg|M=2&$T)C$`Y(C(SW$8H=}f
zFvYwv0+kFE%PQ|Z2<khM`%aEyon=e$OF(B-_?2#v0g++LTCI~v062YhItUCqUwd2V
zuSA17;>(%gF{v)aI6san$m&;>wZ?(^vCr?y8Mvzb8x*jzd5E^NI9&jrT>f&war-|o
z02Yb{I<vq)t@4O6AMJgch!LLn{cfo|-EqNSA_OF%==QL2GiAt1oX?tyKdOd<Ifsv#
zPpbXvE-?-!i0iQ07eQ}DD{-sI#7@%PWYp%tgs-HBXaLO6s31S`4G#3dgLNY}sM=SP
zoJAXPvM0xW#ro}Ry^f7!VwBmpvwg|6u?^^h^lQZxA9DR_=%CK*C_eyJsQ!_A?{H2N
zyhx2X@3vt0-iF{1DEBXpQLYNo!5=4-MlUO3FAN5|?YNt}1Vpi4{@SR<W%a$madP#K
z;5*os5Ou-Td9<|Y@cg-c=p(Z#`!zQr+;$%;yx?&h61CT_4nmy-5<fDS=%o?jSm>Kv
zP4|~dpxoZ6y|HJDX|xa5+?U<KyPt+T;fH8)@|f)#Mp3L<04_?HxUD$xoz2x?yBw;%
z)pqcN2IZ#TS16loRvLNr>NDm1nqU{b1nNkBgVpsc>Yh{nH0Nm0bE%=4M}VaGsF?NC
z-TCXOHrSh;GgzM+tgY>>=N<z(2*HI~b;mjIn#A+%`p(8QF>3m(7t>h?Rt6%)AE&Fo
zkfpto6)o&8Q-LYg`%<)Y?jdOPN%>UXsmTd-%JZkjRqttBa-REMXc%9=Lj;4xWJ@Kx
z0)xO^b)M%%qyoUSAF1LnOZhnCqOm%uEXZ#3uJ?*?srtKwsrT9gdpg<nX2(n*YTzAO
zdqw8+C|>TQ&MhrZ29<td=W{O+NLg!sEf(mi3kVR!`*vR(1XAxod|*{!cc<B>7OsQ^
z=K6syFRLHw7G$}XM85cl<M8pSoNh(YMolX0g;9gKzG8}GYjZH#vq9ZuB{}7Lpa#kC
zLd(2L1}gqD`Dso}fpM2S@q@i&8l#XQ;_<^*vX=q)7e99}R)$XDLvyAV80bA*58hpz
zJG`o@BI^2D)#c#uRXRcuL)6cOxk-)lbFI>tjjtZpQlbt1c7Vsn-~oA@pO1b_r@w<E
zrGDN|&-Jp9aR&Cpcj@7+TOJse{fR|>ujn8Y0ctpuJwG<O*k4tO{~Q9=B*kNm&gz%<
zD`Rl1xwpgC7rz%UD2p5KNbz~%KXH7#o^h7yYn5s8`riPxut76Re{sBb{TK^G)Os{{
zryUV}2YN^e=^$~BzL(T^o!`{e{&T`XTk|7kI(i|$?>*4nfxy^4tHLqFbfxklI%dmd
zan0O9=ll9A3gx3>@%=LO8eIi;<w^#e9EBv9F2aw1{7e2a>vOP)-dc3mU8^tb*k7o6
zfkoimJ_k$%ni@av$#zfuiw2S&1L|9CFGfkw8bu@Iu~`Lo{`OwYveg?4N;nZoxtZN}
zHY%aHvqaWMpR*%*>gmiK8(QSIc)vuvPWTDXgQLV!%O*k=S!uP-_Lf%(Sjk4P?tx$#
z;;!3Mk)J<*9vK-?@NvxRwQ09;TbL?f^OgXXhb-o$#HKg%*(JFJ1nE^sma`|NNwZm6
zmObN2zMY%Dc?|9F8&g;hmN`#1^$g)F-S_MF2XhtlfI!#n8xT7G;zF{PVnA~+H+r1k
z^w_X00PJ=aRRh9z))Rk*>E}9N>H({>h|HA^fQ2cYFwfqB4tf;bT_r0I83Ps%Fxgz6
z%Id&DO0>pn9Oy9vZfI(#!d22zkp{28zw5An%~>mhtn`iZ693rY27>5HaLJWE2;3%r
z@~O_^^RTaduQ0@C5;k|2oK(*uc`>i)VP>PdqM)AKQ$ghbgR=D}W2~O*=a-aqeN*^W
zvaebMSUfAfGoDaFitoLDB~XeDx_C2PXs^RwbC-;5bB+vUU#b4~X$#gP`;Udwz((jQ
zku8R{19>Rd>j{67g_UXm?d_-M(Cj&02G=cv<ojNmV;su!yrzwAuU@?x$r2R=iLM4H
zNLRu@%V3ZhsdT0{He^_MKeDrV%Wg55h<s9$ikrK7E`Q*_(s%v@_vv!Zz`0y*2)3Qt
zH2p7XT?eJG32nB7fWo;?xpLB&c^=JVUlSqG`X5Iy(8Y~2!aS&!6#^qdx{7t;y6*ir
z*@{L>4Dv`e9CvwVRs5v;4P9f*iq_*oY-5v@cfUXXs6=;3c+u!ZzYJ_xuvn_L{IK)G
zqn*vzbJ9njgUH}||5JSFX%FWb*XEM8y!?koAD35G^B;^&P82a3Tvz0$^mXSl&xk@w
z&DHT7lotmMlT1whoicZRXE{lq*HyP8QW&JD8Q%H%W?TTRKeE_+Ou49C1O)}r8~rDC
zc(*+3S^E4B&~rW;C@hLbofbOAYE84B{xXbZU29^`(@uFGzBy7ZsL{{szKol6$o92v
z72P|*IQdtCf%cHHk4uD{9o*m^s70N_Q7&upjP~VZAp2n_#VU>!4HoFaZkpISw$RYm
zr1ulP{Qb7|Yt!3M$T5{#Wa0ndQGdKT7G#rPo7^>pl}`nNWi`q<LeXwmDp3$+>`ozp
zDuuQ;paB+CxC6b6jg8gZOo@T{UYzjEw0KYdGzMOHJWe<+BR}1p-30qeV1N)0P}}_K
zgJlIj@9%|=G80rE+PUu+2{w?|hFX)9aa=5OiaZNT@ww6p7;AZLD{QprZ;$<m`0mIF
zSeZI|>WwJ`%RFS(_TzZt!~Pifrd?ZrN@?Yrlj>HiN6<!9wLHC9w(0oNU@&1IzREUB
zqHC*Pt|~bOqjOqq(U1(W^vu%bXKRxDD~G-3UbBDJS|Ov?jXncJ40A2-y4|-{R@MXJ
z?I?ExXp9`~q7_|Jzc=Mx0f{Y86@?|aq}MHq#bu>7Ztnb5*ghXIbw6tpuZY~S2-xU}
zan@<|x;oz@TntwnM)t6a9l4{rB3^Cpcw^~)sjpb6HZ&1AZ}+kAd*PMT>DR;R1EGHK
zl8M_tZU8JF@NOVfl1YOo%`exJ8e?bn3vL31?qXs&Fj)>W4eT|)C6k`#7rMND!%MX;
zfwE5|D4TH+BOZ!(yH;Kj(kA&w|C;0sqP=TNu0NSdetj{ei{NDuhYb+%lilXGfO#_8
z0Ei?(P%5{fpp=x<$jTu+`qzrkreW19LVu;B?TF<zkxH4`w)S>Jk58+9?N6mUEacy~
z3(Oq-J_GsiKgr%RO~@QN1~j)R`L#Y|%}q_9^AKpOrg?i+bq)&`1cu(0R^&MXAO&o|
zboR?^xv-7>5`!U@CDSBSogPf7!uqkX&=a}-JsQ7Ts~E?XBw<EA!36VuGU+~%F7Z<$
z;rlMgpBEpR3%0lIKONqycFJzsaJ04M2o(vG+Q0!7@I1EsfU~}wzIf=S3OSHF(>{<|
z==H1;7r)v+LzqVs?u-V#&TxO}fDZ+Vi||gIZMY#lc+kU&`_5aovN|v_kTg4*J=|<q
z5>(QssS2r8oL`9ApEh;wW#emIi{43F0Q#XjyI)MEH_gf{`t9B<H!)ma@0`xtP5OIn
zAHv$2NuW31d<W#!XHI3V$=Vnv>m0qwZ;`?Z7SCc;kmwA&{^vtV{$-~!^%Uu?`%~sk
ztsac6;U|ajpzHHe5F(=W5OF!&l<v1B#SYZ)LJ6QaUpNP<KBC-u*?PHMte^hm2Y-%_
z0>jOZ)&E6HAO^*670y=K@1g8F5jUdcCl}Ix;W(&rK}6JqIN752y%6zEhf<V(p)7ps
zK-i0L_3m^bfZr`=t~Ohkwz{yOe<3HNP0&HVjO5Pl)RI9Zp@dcAR(~TmxGW0+&<I!8
zSNjd(>=ImmkJCc|U<(~KS%||(nCL;=U+@q@Es?M{E=g9?*Vos-+JM?$K(#=b&F$cT
z{WQH>=oKAxT6dsG7_iT6-RmP-P{F9JIEXvy1qrBn{7kdX*v|qO@h>KwoZ|d504AuE
z5LzdS^EVJf;$5h_X?*Xy$%%=Rlam=qP*cgk-z?5`A-)&(A6|a%D)<|E43iC1vROE}
zRRc);H#st(tZj6V4a5uqbYW;S{TGfJz;(uu^%{zQph|4Bwq>RIx5QtFZK~W5^@34N
z@iYeat+@Y%niCrT;s`v5J*t}y+S1(x1b6_5<v(gr2Gn<Mp`(B@p>?-|lc_i85Bs7v
z&$|z4QYUayfpQ&}<sI+~9yAzvG;4|~cZLDzYs3o<!w!oxj1D$WJWReoGz+qKJ;3%2
zdiRUP^>#Yw+c({I-pv)WjqT2nSoa6|NwEhQh(X^~9s+lxrPm7yAr0e*4y73Gg{w$D
z0xj!E)cGNgMJuLq+La=@@2d>{bN@2E&uQY!Q>ySgVlxwIedQ(G#gC_P%T1bICs0)5
ze(T0yFTBs`iS}KtsF8%z;d3^;W1gjpxv-v`ZzQr0Wci5lEqV}6p^|k!2FzRTx_S8&
zIShd^5)%OIlDxx<f-PS40sCxe5#2VXNW9Q06JulB$2=+)GY8pg&SaLv{s34@*b{zC
z^Z<BubGOZ>d?hF1u;o`JvtP=_HIR4;jj~f(nARLbnYh6yj3_WaW)LGW8ab4e2L$}?
z;`Qss7((wfS;1qX36UciD|a#oY~NlR`9E|4G^Z3RfUW}2DmDtt9yJrIW=HffRVsjq
z08YdX`c8}+_5@7>l2VSMjqg<w#0|<G-Oy3@*!-RYC!1p?*gcyk{%=N2x)HA*OMuVE
z-_*=I>Z@N%BhR`hv4?~2*tA6ON62KOFy$Xoq2GCeG)#dD0e~u^0Lj@My#<Fd?C2=)
z$Mm(CPs!Niiu6h(*hn05s0A)?KN>q|;JC|%Dl8Fx=-EWiYg#kTGdQ69#Ww9ucY>l;
zi0tK^ZZ;}(fLXLCSQR<cFom^6mR!M^7CekHF?!p>HbonG*LKc6Gpm~c<lEqWaXn~u
zv@?RJSoB*k^#6Sb?XXtFirtS+EjWXf)*N2C_+vHsgrChq_FwxePde3}9Bl0|WL%||
z%(v8CT=iB2Pww$0!4Ld9s&BTcC#l&%mT_D4Oy$D;d;3GZmk#AlpsZiVP>|0t@G}Ws
zBohG!{}s<rQM4%&J4+OM(1C_Vc!b=!CN8-isi546#n@*#xyl@QN+HfoM{9NRP+J9Z
zP0o=#iC3wE^B#F)&rRxB--_0m(OAkl%+s|_J9&7fARbm74*TuZ?HvqD2`#eQ2gZ$M
z?d<v@D#~H*oi#N5d-MJi6W8^g^M0|^6R}shBbY!L_(PCQTh7R9e)5DoN43!mqfL*E
z7rQ9TpPl`1EtW*lsrm*utZninQ}}FpWw+&yU3^Q$VxoV|bIZoskQJo4;Kq=?QHwMd
z^t@AW5W%+~Mt(DrNFOOfOshj$wzpzaLZwoxyHWDuiu$An3?&yH!b5|TJpq#y-WbTs
zL_XCD^QyZ3AdggRjaR-*G0s%ZQB!4MnL&9<O%hg^In_P-hP)*FFK!W#9viWPasHU1
zJje8>5MIL{LZCYbV3Il?CQ$X44HuQi=ZEs<H!;%c>iNHVcNTJ*5M=~s*2byjL=V?C
zH1HV2JWawL{mAS0?kc$67_C?fQ+&qix8)#gUKws$!D7UeU{c-6J)mZ-F908vR^ozt
z`vX|h0q2kS=YRPaK<*LVycfXU<gM2pP%24L&SUWly-6xY&NQX$PDMsfg!IqnM1X0O
zz5oFQC>I<C0OW%#p)i|Ik6?gKd!ojD_Cq6J_Vuo(MNjEzqK8m7DP?|Jg)pC|O!9)S
zkT#8=fTRL>R><#t>aCI-1;{28bY;ZrJ6uw=`K|clxG-V5GN<bzziD>__>@IWIh_Iv
z4T+cCh^Jb2L{9;o=vE?(ot!IL>-wR*|LUNwqx|6YQU>=^`<Ju6Ywk_Tc56gkHs$|e
z?%JtnR^#<g{+NwCM?wJkcfqh0f>T9|EL!EpgO4)iK1c9acG)mSfxVjZFjL7~(-wPP
zbj*wxUq9wVivR}@s6B*N6L;GvB2@6MSuc4GXAM+8J|YI<H_|WyE<_QHC7)o6oHnWL
zuX}w5PL>@o(Qx1VAbW++2XQ#_l)MXh^Xxr+E{^}h6ZrSwAcLpgg;*H)3Nf!WIoP8#
zqQ1T!4<;@Ycta9dlbbA8^sQ!`ex@s5*N(I_R#@q)Oin22ukAh}0`B-a%T&`4Gl~Vq
zv`pYnbZ<@4t7$JbSvj3N<=b&=TZTT4rm^SL3}+pt<6H}+RTHC`(@gn;Q6Y0wuesF<
zr+syiTjw&`EUzvh#xT79f#j2kap=)L+M^lvb+1E?1QYgDt}&hD{*%?->3N?A!qy9u
zhW+;|l|5Vet|eT7hI#x_f}yop&t;nA%F1rOSH2miqJu8zzRT$Mzx0)RWrzdM72Ud*
zD24xkftE~`3C&;oP&gK+BrX$I0<~7Eb|ciG3myqdl}}nEh0HO!HN#j^(GiX$m__Oh
z{Wde*weL+#FB1@UTcP)cbd<f-D-t3|Ug?Kt7xu|h{t%=woxUneRZ)zqwXPE1mKFC?
z$Z=NlxcNNV2fiE8iDvw{()&g>mQ|wh{#{n?-y8AqpNNzdp+ph&QgJ-IC1>(k?=`8g
ziJDXxeX>92S?g8PXn}6hjfst&B<ZeB83*y6ylTpgs;AhZ(Ioru{sY03s&~P<;Laq&
z3^zn#t>83af!bT}Mm(CZ<Jkk|-&C*CcdPxi=qplF^;v8_;!`E3ScxN0CXK(kTSS!8
zXNZ}ly9f^HWanhX-;L?X%c$o4emH1Bn*LGsfYfH_vn+O1KG)&ws13%?irRPbh+J@T
zS{mp13t|#-Qv7FJLaVc%@x(rNX2-rDsxGuj71<-PHW`4F^a-|Rlf7{;YMm#sc1stU
zJ+mk%DSC43w)fpyh)uIQm(4gW0hZIIVPf@xoTE+~+BTB5c)898IUjP8H13_2_ui`s
z6XKsx;S{^$elYuKcy-rJAw;&*h*r1ViT$SnKZXX*b8T(Q`U0Z4P^H(wAW>*2@3Wv$
z6t`P?7~iGGm#0tL^^Y$;aSyl*BfYNH>FUyzAmc~X*Z7%6o!pNj(E820!%UaVu)ggV
zOxGQeW@E9&7R+Gkx)hzRz3(TYc~8`anHa$T-Ms;-Am$~l<Jm6LuFj68PiR`riYKO)
zO+pUe*6H+)=MS?COY-}~-9ki1P^25NYM^8yMDUP0yrPNoP#669ZYA5|Tf>fPF<NFQ
ztJ@D!)rg5~+m*YMm_5vQ9~HcV5dRi!yL!2|ZT77=hu?3Mzw;8qbXv{SjSQ27{3)?1
z3!|axLo*hgr$@31fh?-*>RJg;)3k%}@9XgWV#CdeGu!-~iNBf5fWr9^k)3)@!(eDX
z@c@?A;!B-i7%to?=>xQp+;cwx?RigBPb_e7aNxo9=#i0l-aGKT&=}Zvi?=>Sv*ABb
z5XnebQqo#dxPHr2bH=^wEo-p=Ce||?&urpCV!M=fj2U@Mg8B|!jGnPtLcZo<Ecd1o
zO|6Mb>kGcGmT1YO@Ss%ouIQcOWv2Mhqp`EOm+|d76{?U@{2;Giq_6o;^5Ad2Q)?dQ
z22|x?AKjtiSPHk1F}u?*i@<jWJ1*Gj`<$E+el4QimaRWRu-E+H)1VJ-!9k^Rh5W7}
z(|lgq9;lez3^Euyr%}Xp4D!TcMl5(a*<JGO679FqjJMl|W{6hUbhFT%lgGu%cw8o3
zhbm%+1H)czJOnlM+RUo<dXc9)U!BJmWEn1&t+w{o)f2y8-i*HYuFIyv?{${4h~s%{
zGw7bAL%S`A@41+AcE)_1EHd`na#^34@T%0WK&Z;S2eF-E!vpfPpN|KI;4^iF*6eN3
z9Ug=$A6CG$&vs3)W6p4PYGP&uitp0twcwA9dJ2!l@d<<O`nuM%oX_O@Kj7rxP=e&=
z5_IEk^KYboeO6(){qQ~-%LEJQ0M=yBn;yHyyZ!Hf28LSG6wWdZRLir)%OE+!!X>ee
zLhzO&U}jguo4IoPnO}Cl-6^0>lw-iG)17Xy{$|qPqRU|48zO`lKBV5A=9D=*lE5n8
zs3bFOTe^G97x39|vQb#i?widyzkO2}HUFg&%hzkSA!DGq!8~q)%L|VZi`L^L*UXtn
z7hV-i(Rx3fPw6JexStEQnEAQD!4hE{=mRmUf9nN&+hSZHJ8*S#dn^Rf)}l`$1g%*j
zrUazXFiOo1K~J8uS`Ej3#=YErN+vI5aURV26pfvDN+bLpNWQkE`J_`m9HDctc%wKI
z0ghwvH+oGkhFMrjdhnG%=WY{veB?ORhlE<JOy*Ccfp6}0$lMXf^i0{k2(Iq^jrC$1
zeYqs%H7onDX}zE$`eTeu?QAXso$)8maq4fioP`lFg<e_*ONkoYvE(&nHljYB!?<H@
zH<`(l!La8?*T&jK%$G{5f)1TDOpk|0(rGDhh)xwsy2QTR>3kpZo3r0QU|vd0GQr0-
zKsIpSfHC&1=x=U25sblS5i<ngh-bLTN=&(!f<29;5bfYO_NaS~^R+5nG@>pBM&3`(
zzTGrXF4)h)t$u5N{0<%%m(qDU857Igt+5tE`|P5t5jLD5T|xSoIuaIzG!z<byV}*i
zFF619H$U2Q-1i@nRi{6%4g(&k3fmrc|Ka#50zQ><(GwA!V%+H06+>EWz7SLw^<V{J
zMlscTatt1meIw{by+ELFsl7?Z2Ne^p7Z%oJ<}pk{h3M+4eTvnO^Si1%1W)pbMwcw)
zOx*Q5JX;VREHPkhF4{IBFOhq#aB8$(qa-FXf3tJytLo)DsRMW`uvsJPJS{=h%GO{d
zjn)Kzqbh57E^>6JqIGVWgO&9*I$Xr9<R~r12p1E)^nJJG<25_!lRflYf@O%ehsTnW
ziZSXPF4>Q5>feQ)vJ&Vk&()sx;ALuIup?YgYwubAuvD>lhRz#vM9Nd=cJ-FINKR#p
zYKJWt5zRB2XDNTz_D%A<-LvT5&r}~KF>g~uf|=uOJZ?g<Li>h3$Z&43f_N|~F2b{3
zjI+n3#93r}yqNMJB<m?iPeBOkVIAdAt2zSV+q_*jIe?=WaA)!`D$-BopGyRlKjy<*
zEoh5Z2P!-k)oks|E}p}pWts8>PBcDYOO5}+RaLq@i0ghu0KI{FdwVG(z<#KtE*s^3
z!GU5$^Eb>O+2U2){woKjXJlqWjAUprmj@}K%&2g#xzG1lWzs4SVwS9EkbR^|R#_<&
zjh6Z}!4;1K%mR4m=H(9CRj`ZiuNX2>1jH_BD5-Admx|c-88_-QbP-yB5pc^oIf|!2
z3&czDe_Yt$ATfydm!XA7NoTAW3Doa2?8(Rl?9KZG0|jV3c8F#Pz@l9l=F)@Sz5<%M
z5{*iRX+dH60Tl)0P>#f&AAjBlQ=e-RVxGN-6fqK}VxPq4&De539xfl4+(mkPdEltZ
z>d?VbmeH}}1355sCG#%j))AZ=X-G^!l~O^4g)$|LR{eAY<Ff9tif$wOFk?!Fe@T8>
zD?aMPO_CXKy9?8Qw#HnqPiy`o%0UaA`(=^*qaf1E`7w=!03{aCjzB}Vlc?J6?}s43
z?Tq+76%Flueoe)g^!@9Sl&tde_wKFgGbY2bxJGq0Z}v*sy*INq7=o{o>UCnKnS0k@
zZ~TsH)NUT@XlZ>wsVY%tkx;3fdz5NgQPF^lDlC|>GRx4Hs>Zo<&eUE?!~}*(gKW{p
z;l<UZsdnE?lKl+iyQ!rrt?;8dSSnZ5sYPl$_?|@zL|6?yhrCcVTD3D&i+RZhfOyuH
zKEP#qG4=WNRH>DN=tGisxK|s47Fn&vOHZeo@z;&P11Py4p0ST*Rq&3gJx>cC3#|x0
zxIg7EUZ2@x`5+KjK>sYE<VbND86u=o79ukS_Vw#m79bj?7}9&$A6M2c;$SD5uaUkm
znaIZD^%;LWw%i`<?8M0yRU3th5tk3@jcbl1`AJqcCE1iZ)Xy37j-?PMlRS|8slOtQ
zR)l6C9r>~>-7C$AAdRpOfjEqjpRLIiI1)pHDJ)kMWf_KFkx2Od4F7<0SR{|tFWKxm
zX4tm;sod=3!KvSb-|6A7RP$tKcO_K%V*a9a(s%K~(9ZPKXln)9R+y}wEEY!ySxjyY
zq}A<Fxgc*Y`6d#qF%sulu&0+vQWBrEL2Ivn;F{tvA`K@S9Xo2rojN8M<qvqVF6G4y
z{!&G9q{Ehp*UxVpjI6ll{e>4q+1d|-k0~(^8cLrXRkt;;Yi~&?4R`b-9ov~4_?AJ)
zjYN$2fQuZ1MrDY|x{XbqU9;*GQC2kb7kn=f<VK~!^COA;oHe6^&+pFVor1G@M;?xT
zVtF?G9BQe1?qDd?CDD>@tT4Xp3?I#UG^r!9#Mc`EyEb;?z{9wF(eEMo!&T+|X*TtT
z$mKdwI`b>tr7Z7v_u6sTp!#{X)55>Jk9Yje6gBaJh@rASHPC0f5D?=pc~o1Vid1tY
zF{$vQJ0cJDOi9`;2p^NpYaF-PkU@VxUn%C`lvM%61wYl0kpK0NGP$y=xwj<m)X0`G
z$Tb7im0f}-j%F*T#{$xH*$nsu=P`KFf!1L#?TF(LY(f86UQl4FkZtFy)%vJ*i3hfF
zk=U5>=nSJqD0VDQsED!!F{UhW2ui05Q8a2(UJs9A%kqTt#7m!0b=kauV1H*#8?TNe
zQ&m&NqE5N~s9rLcjNFF#b7fg{Z4xsg2BU-`VBfu7;5c~9V0QGWn>}K>@u2W7?P6;Z
z6Q|!k&wXu9_{GiU2HB6dSO&3IQ~Tmv7buh?q~#(Zw#Mug7!gT+cbpZ(G4W$k=6Yjo
zCYrN6K`#E26sD%L{n!s3)UYx{t2AQOXrGl{&xTzPi%B$uEYC$cMM~T8gShMW^m75a
zUBjV!j&biI*GaR$kb6-NCOCzYfsdqqwR#dO#trPUU!H}$COLq>6RF&!<1*JFWoNd?
z7jA2va5#Y(X`HEJzh?S^`t|B(^Sumx3~yL&QHWk@j~KGg?@Sp}f_e`ZIqez!;I0x?
zrS?LWn&gv~y;ce8625p<tCBYSH()x&;fS$MKM9^*j87_(4?o03Qe(zOwxA)!dnaCV
z^tkgCF>?$tHazkkzkl@*ei9Wc0!2yf|K4}5C088~Ue!)|^^Ni|v7$qx!$RuBPoL;t
zf^v|KVk5TF4{0nQhk{85*W6L64D+WQadE<k&7TIU$0Ty578j+pR3d|yFBHW(!>b?D
z49=3kN6X}5<4LIiV`4Ib&g`9>7-XE!Z;Bi%nh*M)0(Q)&8ceeO9>Q-M5*Y68rU}<x
z(>)qTMaBvk(^)0vw`;E&ngPD#_-^PqR;=aCXs$v8IFWZVby=Ce)`D%Mezu)@gqmZ7
zW&ew0CM7NNATJURXk%g~`;$ulUOTe~7(x$n88Z#of1=E!Kj<;FkdH}1R0H`&MA!H(
zLwxkuo!brj(;N9naB4`Y=_s+!@4HBGX&Ga#c?a#?s!x6Rh~c0vwmV(N&Q=#5V9?y?
zv}0z&U1g^w_Z;liCDnOFaGc;-Kw}r8X42OPmWQG+R~bA%kA$^`*s)-aE2&5+dhzJP
zUC(tZrH~u?<`6SkVz>~lNH{9P$?hBZ%PSAbkFad+LjTrz5g~(QPx)EHDAcz%`V0s^
z*@2qX6`!2@Z)3_ndrru%-76rn{oO(b*FL)`lTLwik9M)mxI<AHe3qhMjBvwEsk&1c
zcGs7xgd)gk{zFPu(71h=<bNj7YIRMGLa{MiijNq|(h_>i@>>Xl0yEV=ie<B&eKx+X
z0-cmd4?e1?HZF28U~c|(Tp%K~_{@QV4Yb#AYMJU0yya3ekQV{YNw7cK#m;Qfwdp!~
zt_#@@GiJABGCqRdc(<rPK*xg#Sh#HsT?I;yB6K65vdrBcV|2ay;7^GVzw@zW=XKRV
z0bR7-Stn!fV6FKopT<`}Cy*}0(WQNvTk1POzSsO$ESFf3;ERCGmFtzHO0_f3jpZRm
z^|8-rev0Es4M!cLF#f}E`=+jf3O8XZw&;}+J2ub-sYt8$BJ-mkYgQL?JmwoD(9w#Z
zwMcN=`G+-bTsgqQ)^i&(|ESxq>3)lT4W)B<u+}FhJx)^iTUmIb2{RDKqD&^M<OPR4
zR5E^NOX1h3h|BX5`#Rj}`!FniL9av~y|J3I%f`H;XGEr%B`D+WQ8<BbFv|YpSu_b$
zeOFGaggp>&aKO6SMUIRhC3l}J6yy@wo46^0dqO`p2>l%TQYL#^|0SuYGb?B<qD~jB
z5cpJ}RM9xPSvaEJ@6@R#2Do`{=J<N}fJqdJWmq@1pe;D+k>@yFuyAD0e3a0O?ga0}
zV<_V+sY}U)D-Xm+iQl_75+>Pt<epYUTnG_fg1)DjxHgIed(2FzjhgK7^QB_s4j7ar
zv%T!XvFZ9r^ASGojIpoBPf@8nKnmsl)kC^V27KmO0{U3Vxe%H%J64cFW6!1yH<}-B
zw+euc5{$d2G;`c_ez>FZz2+W-z8$sMThD#nP!2IcCTJ*l5WNk!Yi+}rWArF$xOljH
zN<%x0NrOn*H&+27fvu^^qtZSs++aPS4mn{pIlV|MoY>2tK#E^;8pNTt+s@AiWTKRT
z08bFKmegMS3sxs=6eZ9$f1cd6yDwbs?6-|7Iq$C!F}G`Fa8su&Gs#3jmOeAYMR(-M
zZ}|18zcMOkWMKRDb6DuX_J<6|T9q7;qlHIETfDb65%LIh**Zf><aFxWShQ!|AKae|
za<S2L*>nz?$DrI&NXAT4t<hfR>hLJwg$(}_o4O)q^}7($)i&TP$j)X-Mc9#)`3f2S
z<1QQGZGm#HQ+Lz*bAxHBBxk=hk){G)NuiuRVVQ%}QK=S-{crR3X9Mnim%CUk*!`tc
zFOk_b-g*x{+Cyagf^Jx$B!vmIy!^XWIajQkHS8<B<uA&uOhw`o7Q4zE=Q?=IM_P`8
z&ha$9g|qBP9QTaxE;N-3?$o-c&mzE6di0#LM3Z6l6qJfjf7r2t)a)S_O)`RIcikUb
zNCFMoom|Y8(E06{eCUN{Mg2F{UMhdE4adq>YMec6yAZ-I!`9?w0jaiGMS>|dBvLAQ
zJPIgJ!mO0S2#-CQ_>&Hlbm7$kGLl@G{LXu06Jy6>f{Xi0s`w4}pt3rw+G9F7zO;TB
z9{sMdwhbwe!LZ_jny0MY4_mmJC+c6gRK2fB8p8rr7MsGg<y`re43}l+v#=syOoLJ7
zA%uQ{N9NvF9+9vF{qH$lHaFvw=GU4!K@S0aau;CgCHu9OjcCOj&+;gQLhaLNV3*ro
zB{+_Fw8d`sxnx-UG=zR;KT8Vyq!naW`dF`ez&ewmz-|iKOFinsbA~(Sy_#Ddj#-8s
z_pvf;VU`UfuvO|_P5Iu}^9|<>uPj7;wvq==Ki!DIT0i>F93_QrN3NE{ICg(LAdh2x
zJNy)nAm}0Pi>{rz2pF(IEMZAR7!<tpVVQ2v`$j65y0=b^!_caBmlL^h_Z8p9iVIz>
zL_JmKlU?hp&r&}={){GrR<U_y&^)3Px#5+AG``7a_<qxmuCGB!QOe^rN(w1^Jy#~i
ztVhd1VE+bMkBfgIF0b*<n2fb3k(8Xm=lHtGn^5hT(04F@(!HP&i>jquvsm`?9mt>u
z+VgjrBOVqZu*p03-&9Z23A}S(8aYHrD<qU9zTwT<Oi^fzW3|^ZX%U$pn85Vj)O;4u
ziv3mpA2ZJ5r3ph?X>zP>uIk_Sh7&nOUx8?S@c3~qaV2)+KBn09;Y_)*DJmsH+}9#l
zT!Vcfi&r>qvZ*Lc;=#sbnbkL)lC`)<!%)MK<o$O4E(8WcYl8|Tt_?qh8FW$6dVLU|
zLkg_n!4`(BmBmNZ4zc6+U-~uS=zY%8<?<ravb|Dn%!#%mC2C|s;yGIhe^?=@zKcT+
zMy|YW?&=79-4Ir8?4my<^6gH}BP9+XxT?WNKYh+cG$jxPm+yQ)*-ur{;pso165p>;
zfB;E^LL^v!ZLw(4JKi>_{UL79!)J4#7?hOzCV?9p36wGdcAGuWuQ*Ja%<6vM*?Z*6
zKoPpbZgN6}0qk|B{Y*OS39Vr7>^G~VCi9s(&E<{)KA8k4HM}S#wc_hu{Czl+=D$+A
zz>2i>Z>0N;sb-`>TS;To1Ty{l>>DO8MyuYpU27Z6;~gVrg$GO`d7FYnWb0Sicj9S1
ze}!=wvhQ5I`&Q_DSa!<ZJgCPzhaGFkfQ+Qw=9N{J<N?!4xVufEm*zaBctluB)@x6A
zpTbsYD6P-a_Q8~c+Y(MV{?<Av02jk#3c>S<=~5t^z?yD++d3tgeRc4`ixot3Sl#f;
z8Bf67>pkDgfThl!P$_Xp9A>wCZiV$@Lv&T0CZkr!sVH7Nh4v3DU_zMtEL}7PWRy#i
zrEcUx%#tsTnm?41V|<lBMxO5E+-a>W7#r>)d*$>ni!N?})3I40n*Z)6((-HJ-0#k*
zD3debbwHgAdKr1yKnwFfK2G%~PyUlI4sZtQ=0P3oR5^Q&>(UhuxooxYUB10}TF6yM
zG1n!5!5Kp8sY(izgTCP$ffxukHLJw%DDMhmqq}`s4ep=$<xV&?_vsL$TlW-EUvjFK
zmq!YP(SeL^wtB#Gci4JCJT=-^Im~(_rpNv!O+eyOX_-!XGPO}<etB?e3a_?WZz@Ra
zDlnnGG!7Ms$V+kG*x;G@H>qKEY$Jir&dx@mnx8<lR)k2PvX#A_TeFLj#*}qr3^W9J
z{vVn;GCI+n-#paVATEelRrZN$>Ap|zNLse9;p#^f5=Ci3_WQ0+$=8HAj!yNE?%fH7
zqB}*MLp8oN9pmpT$n~6xFUfrf)@e@4Iz$zpfJyEOpY;Tff21ETy7SRVm40YbI8dQ+
zf^~2%IN?`Up*^)39*ekt?Ww*uR+eyHH@)mT)b>H)l3{WvmP#Man^A~asIL-36VhYR
zOJuisi_wH%!x<y+hkFf;`QV!lAdzFqhQ{wf_IkH`?;m|ltpHJY{>KblfEo5?AMkWf
zN#*UvTQVK{XiWxT&d1&hco3;2VC!LM`Gm`CjzVZ^lMPf+c6x%0b)tKU_jDNJnPJA9
z$x5D6=Lzc|xfb)h=Zc`fAzQLRW8|wGOl%-y5rCiYAiZ|y8pznp^QsVMI(0Zi^v#>a
zC4Um9r0_I`Z=!M#^}Mx=>%x6AVtbbJZqw!vQ8cT(JutEV(rWn@_O3z;)oq%1$%jh+
z!IqEz1@ac#G>fSt7FB{U)2L^07(O5hni{+f9Inaj%8*@Sf?tE>_kYjgr&!tW(@2k;
zKfjh$&HaFFUdt3DsXvg$|MgDr?R@V-gpopxjg5N&c$M!COu+cVDwZ8-q*9HP%S-j3
zfbL4G@7Q0UD-m{b5XTJI)`=wjRIm-n<Lq8>#`O5)fL+0^XvLdyhI_2w0f2?uwI_x>
zkP#$`HO9@bx@ykF-=2p$TVZJ|-t?x1$BGU&4n2MI?9b8wya%VJZ>Bte{>%gd&5Z(N
zA?eQDAn6{-Mc1oOIwxgi4m(10Z86H8#q*>&T(|@j)~<Nw-mmh&)}adMuRhIVKvT8f
zYko-VNGboI&{sIyx^I56Yf%@;Ot4hXXFs(T@IE32T~_0q>LDXj_U324?_cA86%>Y8
zue9j-W_V66tUsuj<on4NoBnn?a4c(;?TX16WBhE4`bt`;ZD-3rXXkD|a_{nLi=hXo
z{b0ONSUQPTL&}_1Y`{>5SLEj2O-5l?PW~&fwo7l3y%oL|Bg`KCkQLjL9ajt=j_U;d
zy&}a=HMp2)%R-C$;sl-35Rzq~90W_=Y8Tsf|MG}W0^W%lK|aa4<N^Z?*lXveO~~<O
zwElBnv+&jpq7F6#%meAJ&O40J{x+rhzGf7GXj5JDfn-oo{dp0!m00l9XGDd}^vm|^
zh=j)-7MFLH$+*$KGZ6!A=wj3%wWj`W-)c-Av-oA8Lg>5&eQnb3TrfZTg&T~-2?1B)
zVn#m!>ZOG6q0wtztHVhj_VIX?(Q98&#qv}6KS2Rkfm;B^zw9@dRm_&h&v|)`J17@%
zt1Odw*qy_JuduiEVm^~#uMpuvEl6+y-X22M?}PYwdDnMbXh17$ye;=ZmWcdbHV?W=
zE`fk&R53CSAwdcc4S;Ht{WMb)ZSU8e^D1s_<qkGfD?ci04~LoHR?UC_+(2~)YES^;
zD3V^g!~8BQD@*-TKC*|+lMTCh<3-4K6i~EdfC<n7YMQ1)VL)R#r&L|tardj8NEjc8
ze+mbjzn9f^{fY~{jt85kXXw90J|u*09XIZr|HxDuRn<~<hHIljq%ZsTqZvT6DeVps
z%TXjke{0hozS|QC`;nQtEL7f9R@|>!R|(CcZ;|mn9-+W$O{FTN;`*EO_D8#pAuwm!
z*>b)C!Mw+jC`0nleY}fp<npXRJ~$ryqQ&oW{cwQ6zsf!EhAE8o*&}SW9=0&{XMKOO
zSsB@+vg}F~=G7Ea;<)k+kz2m?Jp1ozta+M$47WoA)z$S{xovrPTf_$FjTe$NM5&<J
z6$y5_?cE2I(%sg6HJG{2*7_Qz%$7KY{#8`fv@agF(rmgA0`uI_zU}J;nEtj*?hqfE
zK9s+6jteD`W~-j&z9uJv040F`Q$=Rx1Q|vQ06|RbwjbfYm1owppxN?@;!QzFPrT?~
zWpmpd2z~+*&`Jj4qzlm*PV`?4klo6mN&d$cB%qeR$N}!u>zq+HkY3_AP~`^yOGGY6
zxn4=_7C=x0(vw$r6LM>IfVn>nNCBTMab$*2C^%DtY^u}#v;-x-<t7C7hY{1$$uElW
zOy25R$_Y>Y4=Xl@3MOy2V*gSQ(D^mG8<-%|_O*mi^}iJA6$%)+0%#N4Y153{_`AAI
zA2nw$;xI|6Kr-U0HR-Oa`?uZnQ6^=2haQG0d4E?1_UO;^QXmo}>y{4}$)M&Ci~rR$
z@2wkDpD}gVJcTJK_x)WN*!#bs;D3b&PC867(9({%OGh%W{bdE(PQ(i@`UauAKP?^q
zbqm8V*s=G#hwtj}K#8NavX!AVIf#Lw^_YeL=qs)A0(QJZG5F{n;6=e|bJF*ql$4Z*
z9u0(0Bw6aht`|xQ_$lWc!$;5;kqQ*!Ev0m2ZF%3^_Yp`38j=OXh&Z3}L*iDZJOH=j
z$dl?ojFiMrLZ?T+occuq=5SQnZYV!B|4LaM3G__+@tW)%Q76K>+IAM?g4o#D$hG}+
z<-g+U4RN_jllJj~|MLVXAFt}0sFsgvv}o;%+w%i1v(G57EgWNZ!zi8mBY#J4E4`6&
zB1tA|_<)oOUmy(FSAXP5?Vv^q3ABx+HdJWRx^J$vxv%Xz_ZrXQaB|W2-V<5IUEF9u
z3DPtv?xuAPJ{LWR?o3~NB8IkRFB_P7^9c#S9fVcfb$+!XqdVkQvLLxR5(?<-j>pFe
zIb7dG@TdGpfdz7?Lg|^5*Ln2bttz4iY`0DvsTcv(WtS4a`z8u{88g{!GwJSbx`@=Q
zn?5?aJW0P;2f&Sn0MnUk3>((X_A3@3<bWn>w=9W81Kt&W#+f(vcqn)8qPTe14|%q<
z%H1ZU@&Xue9n{TlsBZb!-9y$wG%1WB<y(&&X7iIAqhL+`8>6Kx0Jjwq3>*VzDiMGf
z?7Urch&WjH0cYN~MWo^6apoej;q<6?vCI1Q#s?o=4@ltv`F?!oUK2=b8c%WYW@C90
z9n@!09hTMR>C4aCR}6?305-#O<)`JaDbHyBqY=2=+(=v_U6`)2t;}X^HeARDg|hOC
zu3PIaQzyLDUkCMaM!`K&y<w9-JR36Ze!P{?rt`oTNiD}-fST)F4`%K(yat!oxA`2n
zme<fR08PeFzekobKDs#eZ)|)i;w<3#k3Lts5sq~<>m^BAv$cr>0|QA~X8VTf$OeYg
zBS&4pb<v=FY^531x4fY-me<oktEUeZT70_aQBsekrBAJHS<25S`}g`!xa-G?&Bj(<
z(BYm%uZ<ynMuxP6G>k0PcMTZtudJ>m&V$f7rVOtyBE|vQetR*hBfSpmrtMt--lrB(
zF#;)u5c=JiG@xK_HQap72GEeqk3MnHwWB1Vq}w46yRHZwA-pO2y1K`{GPa){^`IPk
z3s}Db<bmS}M>j$&uG;d<Z_GiNqb@7zHvRxdb~fC##f<1sH^$i<5=MLteAx7y`{&XV
z*)NW+NJC)JLwb36*^cr2b6Ud$*)VOtet5Ic<}Z_)m6&f^T&(q{gDY?ykRBpr974SP
zr+*`G0>2g6U|^D$bPx;kMQ-%4{Yyg+39JcCG|&sUP|xqb&Nj^Mgq;-^7yt3G3HP%9
zkm=_HO>Q0A8{{X={pS=uy?c{^NjKGLH)2l|#3$wW59#bAxNG(FDjigy2Oy$0TK}h+
zEpRQ#bLH>~$lvyM{zE~z87V%f&lpncz;=fCA0}P^44ZXRrRQt@M<|7VC*q5k$uExS
z`AQrdw;>NW0;-~5bxw=JVQa0Z!8YQcKkEl@p1lM}J)A#QXeq0Wvj68^rfAr_qbNZM
zvD~D4;$K`uas4COg!_E$4zScxD##Rt$D6A|Tf7fCD`3}Wd;XVOG5}QwJ6nE6x{G%|
zwesymBZe#Uf$C;=_{~F!&s(97)yQ6Q*P$S9T|}g%QxgFOL5wm8sbuZsf1KmK?}|{5
zrzyn4RDaU_^B2d%+2iE@cF``lD{Zf3t1^eMn$X5YYjH6=3g%Q`1NOfhN(H(N?klW@
zB)g{kLoHeNHglS;Bw%zi6}6oe$<xt8rWH`h_#@Akun;#=-q)K=Y%+++%b`;lLn5GX
z{Ov=Vy#H^OWfKFF(y=aj4VcqyD~G3=b(DGEvKZ7KgMb)U!2rZKaG%m<r)j#lE1ol;
z0jyB5ZbbTY&aHpo&mz<8c7o+3_2=TSZv{C(E@u?qiz7g+vUUN|las^aAY(iHrCQ1t
znsr$Bp*UQY86>y!ov9#<NUt0BAA<ESd2cfS!hzFn8{E$ka93|{UVe=Bo2jOBiiRqQ
zfX<o?A6OB$PLH$d;|Fvjx=(QCeh^T9#FU50by>{`;|9yVW$YKja13JNeX1$zwo#Uv
zOe4yxP$%dYFjhuM^PxMp*vS`7TG~`^rY|?~Nawz9V-|eFRI5(O^w$;Q9ZVdpGVrVT
zka^f`(2ohLFC&B=o;A~}zlh=RuJvv)ixB`oHhMY{iZaOl3lT*ZFd%B_&x=|WW$ll*
zk?P?WMn^jsik6^9Qc_a940XBsl`VAids$ovpaX+5O##~(iR<Rd|GBl(Mmpo$>`v!?
zT5FZqijc3%i6W4@O--38+2RY`>h0CzE(e?2+IbF0id6&9x=~JSW%;lndNPG!)~5CC
zs4o!uDj(Ud8x5P=QvA;dL=<eqvyDB<uWhlom^0*U4-5raKCrtN22h;ZXB7DBR?FM%
z1RC)Sj_x!srB=8=e5MUwF9$(>8@i$bK!g5IxoLLd{&|Ljw~qFHgt#tr*;OKQqEiXi
zk_0qR1>uA2S~<5Pdd)n$)&6Bg!cQ*dKLSeDHL5LFvqyFAPj4L$U+dLvd@(xzamd$n
zn+{B{44L#Q^2^^YfY0RTD8gXV_9C>`7agH@0c`_}M=^cb-?#@j$<!3C_3b1R%lVQy
zeINP`=Svm$&0Y-nuT30-c0dvNH-?wn$KKKVw%xap?cWU(`hbM%ue%XUKtL_M4L1Lq
z@cyxFRL=8}>hTS?nVs6(?G*oJwm>RcFuIXV-%Ir;>is)LXkpXi@eC0ocL(A|53+mK
z4m{@HOw;6cr%00|RVcC6k-e_2)!!_vM8U$1=T9ztZT?Cp#miBp;fYn;l9}pUzJ`Bi
z!Bil{l`CSo|4t*VP*P%Ih2e?B9m{%ky1Ly|e<!jP`)5ECDOqW=5ZIA!O5T6Vk)B@^
zo=Elb|B}mqA>5@o2C9IqE9Y0OK%Mmehyo<dZW453D;`br8*XtGsJX*H;NpK?D?(tw
z!NJ~Qz{thDy5eGd#y{Ik{@rU5#|4td4PUMXh|W3~&jZf<?=T>F&bQrMX6Z4|)#d7j
z<*@(B-2YAAEB3|Hhp><9xd$BUW;fj=1fKnE+1(hxn`L_H#a6249VP$!#b<#oCMxH*
zN7L|MhIO6atSx5~=;_w0>tIX&b`d+v@S}|Ytui#L?PxQPOO&?_b$k@f%bjP;G*7j0
za%;bK;&4WFl+@Yy<DqPN83L%4AwIOU!uk3L;eR>1c$0RC;4oA47raV-N{EFv{1w4#
zc5#G=?U#~mRQgrM1Q<1d@t%Cf{#pGb1O#AXQ@xDJDl@B~e5r~9yhDLkW{z7#9Tyu8
zt7R?^CjE^fkMuSOM`yFDry71_lz7r9XvpZ@32;4$skD7xkm^XaJPORV|4<YH;RGXx
zhvV);VM`_EO~)r-zr_4GVI`+5-h_7tCJK8}UIK;a_-GmNy&;5wQYCJ)xX|11Mc_;Y
z4}lR8K#$-4a;zijv^jU_L6Eh097@`j&Ih<Lwv0Z|KwE-Ti<1`2@+zSo1JTAJqLY{n
z0y_WnSGXYtf&ElbsQhO|ho)!n-QoqQ7G3Yom08}r0i~=1HZ%)=7EiYd7J%hCP^ygk
z)*9c{^(JEBh(Q>TAWoOixdYLo2Z`&sP|!TOxYE<rWyG|BWLY$b|2p;Gk5<ulEL|a`
zl<|>nIdf@Z={rm_18BZaIJ(H4jvrMLjo<f*V&qjb4y$K7pHT6iZaJT1JtG6m)vFvP
zw(KgjTy6VFR@$$A+#zNp3f9};;p=qvao@$lY;>v_@=DB9=U@y3Xm;Zuy7oCd>DLf5
z<N<tQb!T$##`AQc&fHt^8WWAb>uU#K{5e%rhI+yATT(fL5LgxW;$5gu2ja^@y)WW*
zoZ5FM3^n9$qm3M!!{Fz>NKeNknLB7%$=~CN<N?i<^%++z-prpa_#Upe7@K<`()Dk?
z+CxR!u+aF!_APOtG_#u`p@7fd>$ItutRCONOCj3ljSDd>aEn|E?xXO|+D&flJ1RT3
zBtZL^CLmO?`AoPg^F_qKuyNDr&1FgOqTlH}!+iZ|=hmsC@0oduANpl#i%@)dvBa#{
z&6wT=xNZD+qY5(f#^FBB6HVi!AMCgkh&xvAm1NhwvYgSL5~pFxS_hGk5SPkx-K)tN
z=j8lBD+mq=!6Xe-Zey4~I(`dl31@jE+R*1Z`EsHU<g@2`Z%G;<-gebm0YHtZX0Ys2
zb1ezU$lSCCjzMoO5l>*+!hevL6GDRBqYjqIe;54(|3Md9O=DF8K=^niK8gDAEoU(s
zTMcg{OE%f;R$5cbr@xXi0i*uG-2%YNNKrAd5x`d0#OH5I9zYKU^RlyE`~xGVbTIfq
zs#?{g1{3P!hob%@<N?qMfPGdI3VYl~1ySkAu8#@d#P?VJ1K~x+2H>~pO2dUXI0)yI
zx)8SeMG;`H^~$QF+OMePRl5$~Q}}>m(^Ag571dOsZR*7gVZ#o%B?r>sVInPb%Qo;h
z09=|(-?_2S!-vx?<-MMqw3=(rHtU@0^OczI&eXvV@`#$n0jRm%2h0Bm`U=jXv{W4x
z1Pcm6r$l-^0KS!LlK?{8QIPHim6Yn0FF+1f`}W#o#5ejv^XPmYa?D?GDD2$$-Z&pm
z-Qu_P38{=5lpa0cU#0fL2f*bO%qK5v&3mzDB~0|SjPUj@QPFfgAe;DUA)h1q4(ZQX
z7!UGeol?j4h&Fc0ueG-SQDd5z(k+-Jeh{pqqoWIhL+1q3dm<`6US_ZP5EHbPCSQnX
zD;WtNC`x%ZXP&`;bL=*0pz$_$5Upw)Xf=Y5TCMlCzg6ODTHYpS>A?j9WIY4`VoQpQ
z2BBzOeI`DN7}AwXN|xFC+CZh1{vT7{9ZzNd|6dW=o9x?`tc>h)Dip#gvR4r&J6Yi%
zMY1<p=aiYf_uiSOvN`rRw!<+F4t|&J`}2ML{&Mi(y56rn-%ndgFQ+-zf21XQ9Km2a
zWM^=!zUakgM=ATxomq-MoQ)d)G55c>vI{^qHa4Dz^zzo~b>=F%QXkTv6`l$S33)Jm
zO-rLGx8JV!^w`l*k&#&!{ufnke?W(i#isfu$a*n@3IO%So~=gOCCHUq+nk*~tfa-9
zocG4v!rOjFnAB{es=z>xv&6jIs{K5<;>nJ`Q|C@{hv#u&(ot(dJ0js*j1}Bd)cNNZ
zX1(S3l<KV=ZCgD&>nYjQaRKg~$Oa%aG~J&@K;8lpb29e@>2w3&-`d>hfv$*ieR_T5
zbuUW^lj?Qm^1DhrJ!Y~urT>GMgBykV`SD(1-)ayeHW6UO8qb|HbK+nbB-@y9rf(A_
z*_i^Ck%nq4y1a>)V^@f5Mc_#fw@h}$!IN+~2LoiiZF(_^2hVI>WO8W$%~`bYs|Zcg
z2_DLHyjOhj@k%)UBVc(e)Xxtj4Z4nafHVf+<@5n6R^0hkoV($x??M8*5`Uel;{lmj
z6#Ols>#4a(%ic`Q<-SY%R1I{%_;+y!rhlU{;bBoqSdiWl0F7BbQmPKUwSsc-AvsPP
zzU%3MME$E%@3%fTQJr9NnPA?^;D_)J0Pfv0$RdCRKXki(^Y`81of5h}kXZhVxy9js
zNPl$b7rC=DQO92IF4_YP%zcUJj;B6*G6@@>8J4IUSok2=bQ2C;^7oiCX%OJ7dM!1z
zXAyu>Qg7Tj0uc26<+fg*q=om%HXVNpX7=pz<z$}4w_o<fagLzu&o1ewlwUu3ANuBR
zqyebonx@tPkX$*dW7-|LO7-sOZst#me~6_u{D15)Z&g6gsuY@qKX{(*2{cM#=f6_}
z@TZl%2=@Ad&6T`ki@l&n;G3XBroUR(8T6w+b7}5mbF7r#siRwD&{#=`Sbz>d`;DYQ
zgb?faoem?qdwRwf!K$!6$;{kbkqb`>+}mVR2feYN7N_4C?oo3V?oYBmAjw4Sv?CZ9
z*;F}U?|MyTlS-g}fdS!iDuiz3f)n<!T;Ke?j>#_v+81hV%$AeA_Feq{!Jqt;B!lU<
zbeNeo=*Gzx>=d^!jJCL0isQ0g2*?kDdai5^Muhp(k_6Fg8fZS}-~tF0%v|LSvBgBY
z9!-bX!~Wrb^cYNTk}vnF)F4Z9P5-Wrf<>bD+=?`dzxnfHQN^K4v#I<SnSL&QY`^if
zrC58JqFa~{<YJ+?ceYYNYN}iD^t@ldUo$2oiDSFJUq?Nm-kCcsj@*CNLnGlL0l>Si
z+yuqN4!5Rf)iD5I*22<<;l?lD+)UR=RXBUwtEZ)6+jw&Hq$dhdihb=fzC++2zWH+&
zJTrrAvVMP(P}7*1STeOdMNH*CRt4K%A204wh_Zi3hcKijc_8X-JM%lU>wf6abju7=
z2wlUZj&8+`;<dxU-3F)hhA6UYh=>%A$tHnbpM{=C&biukUwj=${uT4QY+7EKm)X%#
z5q<mh)Nk(d^xC&q!y@GIP?9d+zALg?(HZR45Hv`uxs41@2nZe&(jY#Ap;5DvrO)N(
zUB`aRNSYf;0>-LYCQIr4VG<>b8+=jOj+pk?A!|cuzG3k@yIB9^;Ze_<z2vO3bM7nM
zgD@Ct={e_uVHVJM(tq%Hgn~9)alPuLf+wH(aj?hrxDRsBK_fH6_wg6A0kF6;m!%5H
zqy`?p%k%Zj(gkB`&+C_X-%~I}$N_vbhDX)Hw~6)X?aqGZ^@Ejavzs@cILwF8UA7-P
zUSNZnEId+c1ZaeI)@)X8Tjs{6yQ<ar0H@CToLZ}}v+c|uIi3~e#@f$vXNncS_dU|A
zyK!%I&cS)w=d{1`3U>1Xhg|3g4#5$6!ZqB<@Vx6qtxyVLgmvcUXZK!&l*Yw9v~CW~
z&wRp(SPsv=R92{JFg#oGyZP9gcrnxr7_wokPxL+0y&;M}soQ&Xowp!@o8o%a<5OY+
zL5f;I>cY*>E0Ki2<p<OA;0)%ihF#7qv=H!m>hP1C?kESZU8yM)=G4cpl7zU5GP7qe
zl3uc}z{`7fsvcb>1G-IZ9LlEWF4EFaE>h!Qscw64d^xx~Jwa{XxR7&HG<{U;c}~za
z-o^FvjoX=-uUz)2%*36WhtP+HsS4h7OkE4@HUv58p}DKc+o<K_o1g*;TpG-0FKbNI
ztc0u!aWNFXU8$4KWn712o%RD90pN~^QD0|DY$Zk{Z~IG3`yd?1!oW!)cv4JncV&Qr
zf+^c)Uwr|5uR$VK*l4nj^5f(3cUA%e6bb}$Hq{$aTdjVda=g#P%*yVyt~k!Qd{!^?
zRqt;)`)IlVML1Kjn#n^iSSZ<T>7_<enZG#ieo$^zc5g@mq|~lFq$4#twx|3MSD<Q{
zqP9FQUuf7Al341rNfjYKUnKs}0dqGZ21b3l&EQ`i5MkoRQ^m2O+CSdOmFTfR?bYCv
z>o#^F3*tw=e!U3XheZ$LkazpSg2-(XxQsc_pReHmgw$#4&yVI$>ImXX`u59E_-OL5
zY;V@Jf1r;Kdv+SJTh21>fDQ{APoReB2%d2w9G_HU64PpmZ@M6{1ZtGf!kD05;ngm=
zX&p;YJVn7R%*mfWhc;VvhN34kB8b)1RUZoQvAdG-6?dgkl2q*XhRG#8?l~ZAk)l<B
zHGYXC6z*i9T7^oa4TbL~`^L?P^{pQodKH%j)}wOHs8T}34v$(kn**H0uvq&V4!VIR
z9vdG11do=lb4|Cz0VEGQ>@<g!f#KoKar~yUfbuNaR#^?Q_51MT%6N_pC>jVr3bp55
zCoxuZ&UfLz%4;{P9^&XQww3RCHwGyoz~;;Fo0Sbd1;J7EHtlM3<c!S4m?ij3B}QWI
zbPxUOer`?*cxwdNR&*59g%~A=S(-<?Japi<7_nWSG=D<Ce5eaaOB%nnuNCGaBqUD|
zw4ZLH%&{rm%Us{sc%$aHVK*|lzv2MA=I=kc{Ofy%`L&bdqG@yAZ81(?e6~z|yw@Xc
z+4Pl4WE%>WIP#LA%z3u*0b@kpQ%z5|#M!B?sXGtt{!bRHdh<?b9A0GYBgTk#ZkH#?
zbeA-qQZ{HB7I8EQoS~WJR=vhwb-Ug*6w&Y?E;;KEGI!r@TCrR-JgRg%Av*m^JJvk&
z9V_S$QJ{_@oV_rmL5iehT_Mk^ez*!fxj`XV-YMOA$<Ioz2YCYNpK|k2r0KtYeI+~1
z8X-*_4d<>Q-8FY2xN|4jW2kMu!a*9eja`mcoozBObv4k@sZTeo`vf_QmI*QVF-wWU
zH2RrD>0gBv6vqRvE#A&L?~sW-*-(~32lk4|#)!@~_<5{i?=o*PZBff`kic%R1Y}-3
z|GJ?DPkur<i#xNQz!^|r9a=?OF7RVd0uzb8S+x8-=ohl`vI#(@+yIHO%hqY_`P_vF
zvwJ)AM(=i4335yq)&f{txZ&2^-x>q}DED`GDWvi(Y@>RHSRVqG&9QZv<NuDsz9u2{
zx8YFiETM!I8v&PpJ!=)nPrUl8Np7;BN~sEA-YQIA^n&a^QP<hFXH?4|Ti>&rg0vE=
zy9JUDwmK&+5M+yuJ|PdPx~haZ%RK4>)XWs<8ND~yy9V3UMCOk2_paP`Z)dt5PJ--}
z)DX0MS$;_XnJaK(@V)2Z#@P#A;=oOkYY3}u<Q`Q3$TGz*D}?9Gs7UDHUE#AvZ1Z))
zq0;l-BV;Nx8Hg<35hDP|)R2%n^Fz}1V<Q?@;SVx}9Mm79K(qwWZ;}7qMso0FLcET$
z?Ow{t4UmX;)gM*y>~!Rp-xYZFT9H>-cUfSuTH|v82H7^_y%Eo7=IIQO&p%!o)_QHO
zUj=^oWpL)u^-qy}3=kTKmYKuXI9ivHgjWF~CH;fHV%-FVah=1oYm&aJ61N1MP^`!5
zS}ZNlZjlOmAPDYwqSO;=v-{|!gQAjFttD&wz_FtE7gCuDbXP++1#6Az9OjktWzU(S
zt!@)$@ou5Zs>rn{(y^bJk(<3$rTsp=_|W>}G()3{#2NyE&x)T2fq1=7)uqPcY-_ry
zKX;jWr|$L7vLqsQ*6GUknsM9{=uhq~N97PgoG@1rq5n~Vg?RQk*Mxxa;XvE-8u~*=
z*wH|Z3bn+miGdo%10#_=f%#!hLgoxrv7!pfS&!yG$E|1@Nj!o2A1l#twPT$C2=}4m
zyLTssKDXkl=+3%MT#8-(#F2@ZJ)3y`UT-|0#qHnlhJU9}LOHNQXxq><HJM#U;^i0d
zhlX7CybLOam~~TDTc4lFV25Sb_jg$zm8X>_%bL9D7t*T<)38IG@A|$K_x;)?Cnla-
z1Fm~J_-OxEJC=&6Yq(sx{B{9pifl_19WGo1lbn?FB!3z^q#y<Y&9d%IYRy;V1V9X}
zZpJ*y{Hp)C;)TRNc5y1fOOGuk<$_VY(J$}oa5@11Fh#N$b*F5#;8nk+Q%rs(s!f2Y
z%Z&HW+u{+Sv9<p(I63}_4d{AcHcP+chlnm2?^hcsfifcF&kO<3`GeK=l~)5f-t!CJ
z{g7Ma_f@S6InW<f?FZM4{Xb@Woh)DfV|i|Lv^k|d_<CEIu=?gtUAR{W<1ihhWo?SY
zmcnQBtDRqw%0k>WRWOv}Dx2BAfp~K=EGOB(&N1Hj_1fTXt<d>+o~2OvaRr`(3eTSL
zS8=aaauZCdoqX(lSw@C!M=L+^u&}ecxIRZbz}r^%*7=qIJC(nH&~(-a?c5DwHEX8E
zGXs~+)`ph)`gy&wl5}w}QP}C0{wRK)Ngl~!EzE$En(|&&qe%eq3?gE@#5?oMfCx5r
zoU7TrgYrB757ry;41eLyUoQ>`6%1ehb9eMX;=LHh*@zY2LQkfWatgz8mQgAY4TQ!V
zYc1#8qm^P{Ll>+@zc6LQvib2z5qHQ+<Ka;ac}<pBJ$^&syx=9t+H$Slug()+z=o0s
zAc5(GxD7^>dL>lk&kQYq?rkL5Ca}u8`iS?F_4UkqF&IWMJLsRn(ah^gd(jNUpk&@Z
zE@%<8x4t0!S{R_^S?@`25A{E*81t?Nlrq+?5Sp`<oh(W#9&aa{GeW@&l6Y;<e_zRQ
zDo3Q@tWDsygiiNNGeHhcsbbK|Qmf4Vax)P!!0NdJ8j^lwem?0vQ=CvBW5Oe?WyTYA
zSCln2g!*pZ=s$Qc32(kE?zIU}TPZeeMHgpP9;7K#`iuGq1;0i9jtG0)#Sr1}f-skD
zwsb9~9y*W2o!p6;$Yt{9Q1JU``w(tkM{<UWMP;tnbc1p!XBkNRW1q+n`fIb+(gi4f
zQU+VGz>H%}S_*UcEuxBpZavNX?zpq2^;Fz?xx>?}w=I`OtGVn%`sKxCLnVXL2<<|m
zN+OxT{NEZxh(dw*L-XSo@1DC1Q}AAgq<ee%cs`^S*@_i^2F7(tC1cCO8}#pI5Aa9s
zFOSV3ZZHL|dpsXURhjDN78QB$9Z2%t`CS`=O^a&C+vCyWgq4e6m|bZQ^FzAxac(u8
zenO*;6oiOIURqq1KObDAbl5~i@&W3R5GAafUht2LdieY)>;lQY0^9@niHICck#jCx
zRzxg(6*}8^uRhjl_`2TyEzwT+ciIJ8-Kwf1`#tqw{QR(m98tlRM+|ZAZn8_YQ&%yG
zrajcj`bo%YW%p53_(AA<{qdm?BmV+NtF8MF^adp><PEQ=&&>_edhpCo)K_BqIntIL
zo2WUoW4K%KU4~KV-5@j0br4U__T*X-A&djOC$`*$xSPAu*u>@AHNwWf#m)pekd#dv
z!3Z=~$S*($5T-BH^-E~g*Nwk@wYe7X?YdPFs<$KkaXcIB9mq)xRBT#I57L-?-n^ln
z*Hig#=B;T;qWZ&naw8$yf0oqs^f>lp?9T$OO<*sD>%6VlX*|}Nwa;OZV?(yxc~P@E
zEMvYHEI!Jun`gzM%s&JJgg*Rl&59d@R5~`zP_n-cM#`bt0+1}XKrZ|@5DBaYwhtrf
z>Q35}ygCeB=Hs$uVj{y@uFO?_@O%Nt4<ERx{vwp46cF|-yUaf}^6gFuj%DI}iZiX+
zW<7?P;ExrT^R|8%Tdy}-ir<JnK*D|1{QE{ulqyy#C=&HJd~LdQ#@jQs2Ld30kjJvn
zQJ~m#m#ON_u&bvIOC#XV&ryx{yFRQvjVmX%@DKI%s6Qpf%jKL!Uc=Yjz1I~05xa03
ziKD2r)EJ6peYA(Re>xl*#ZHzSkysi8E}*-R!Xzi8v;K12ZH}kLsOwo_zY7q6#~cr8
zC;5mG_oGLutZR#}Qg@|NDiFT$+x(YN=BlXH+^hVO&fuL(?$KxCMAOx;UyRBh`x6TA
zfzRh%f$;3n>G2jeFaRl$Dx2}N=-vZgVr}>H2GIT4szS44ZHHvQ9q2|NCvG54PEJ%{
zu^WkRkj5h?gaM?mF)8GLL2fHFo7nf=bg57(blWJs6^aQ-ejhdOy<e|SWq1{C4IT_E
z-{9_vDcTTW#qs7y{=-pu`7JNu254`VYcX(!Xny$A#5T?FV1WNWOU*17{Kxg3Cto(p
zDxuDP>j0!$ra2A2RuUz8JH6{@F~o>qlc@~^XtowJG4?BOpzjUPoKe#Kr8eDZq?<hX
z*})RB>ZuMMC&{BA<FJ4%O?E!VRj_=7JpG~DN3{voxCQDpVNHVw8p3RKnMZuy{9nBw
zP0~NYm5=ql(;Ze^=lRXfPdcfRr}L5%o$kAG_p-o2+SWkUl4-gmc}I={<yGG;kmsbg
zRPor$hQQ!ARpf}fS66uqZDLvHm_8UI=h1HJ?DHUpe`9X#`qTe{nlroRm~zoqXY*zu
z^C}}lQlC;vj~r#*j!aBmyr@}bmk?$FZn1nW!)h_50@)w9fsk+!nL1EI4r%odX${JM
zO-ZQ0KFANlNm&pS1$wswH7wDT=+WJjj7WooTmFn}B9viZ1Fa#C>))P1tPqs`9=3a&
z_(^WX3*G~|3FePiIbwcz5ZH<n#=^5)VR@KyjmD!+=z`)t?n3x!Ct5l?43~ASg4KS!
z>TtLOz;?14Bc08rtqE|?{`5a7dbE%`K+z?=Nn1^IC{gA-)MF%~d6%*rHp+h)tt#fF
zGxL}X7W=;C1@-tT4_y5!%gZDI9dARp+eBy(`FlomN|Fok8;IX6#q$!0@gbCJb@s;r
zLbpIIXFG<ia{djH_in@9xl)J<D05=By<7kKog8R&tWaA(6p`>`X*ZCkxkreJm_e4`
zWR>%Mo&FI3>Guw-5$mlo@gJkHFuH_C^R~Wx&Jmz?+$otbC#hTZ+2blgw<7`#E6z*u
zNeamEpr<?OF<D8zA0K^(gG-TnMi5lec<#{eNQ2LdNVV^Xm)bz><Qt%kgfQ;b+#tUU
zLHdjE=a@-MqPF#|K4HfQNX1LO@gw##RI73@C3c&=8d<i~^KS_?xt4Zgij}i6AqQ18
zNX-Q<&4L16qoG?gD$+B8_o8lN%BSgE-5Oc&vW6*xSsK$z5H5Yg-j;;%{5%LO@}0(m
zmhQN7SnPiICht|{ZYR%)j!yRrPBDE0$d7ZpY!uaj&OsVH-LCL;gNU%=#?Y(1*m3T|
zg~SI{{Qw<5ZF~Fqy%NX0=6NZ5F&UYWd-uv$@cY<=bH0+XVHf!nT{pKbne=;yYA)+5
zn~0y)Kqz;=>(dv4BF_mBzcdO9?YCxj^P(@Dnk1j5`g>ZNj2qUpotw;_1#d#;V`{+m
zX&qB%)yD@lOVv)(CUD@&eR=j`xp^%8zT(%|^&e0VoySK32Zc(#>k3B#tQQA1%`3UX
zVN2!SW`2OZ`{7D-5gru|j__r<BJlA1W)#Z>`A=9FJ_uanG;Ji0XFi+9;-|E>cfZJp
z177dWciK{!2Ljsoeu~D^sk3&E`Dv3pCqCdz$+bGR_~jEDO>r^anZ13mkmaJAgII)L
zj}-PKp%TYbeM94V0dS@-!t}*4nvF^C$41)iEle9J>4H;GQ!`WQrVFPnr&AW;>)c!U
z_E)7iSn*ZvdGgnV*ugHYf%1TIu9320#qYMh8-dTiyp9mbY4BTW@St42{;kU*k55`U
ztjU@P!7d*q<cYBzwfNHXg?@mvl$;2`i)-4U+U90YS=KI|Za%;BUjS7Lb($(~aBWFE
zcJEv>8d-&TtiEH*tU{VZe;_-YvV~JStZZRjm)eqREi>WHO;}HxNPe7(V)9orguJhM
zkEoSlR#%#SU%X`H&}zhB@iDvj&4uEky-1%kpR>8Qx;`x1g<oQ}!S7QPD_Wt4L<qrq
zB6LS2^9M_i;Z2g>sLP!<$o@#83gmn{!Y5WzU$b`)xc2(7Iz}K2RI@AhEVdo7EjqK(
zgBZOA%cwkX7+1@$|4`N<3m&?Ym7a!nk}aV*&oq=>JX&30!0)$r$MB=i5-ESEZgSwK
zfGE<5UQ}$J(~B1~nYVd+d?<UJQ4HWyZ>QIIYPn@^BZ*i*k5*c664wNc=9_I4D#9|w
zs{GCG?0%VNJZaBg@0D>acYQaJY7?0Bz628NVs^3aO3ii+ebGK)yPt}URrim2nall{
zBA@b`NGANP;{sPilabL;WnBXWz^lytPOPg1f$}@EK1ADSSyR|KQs~r>t(`sWlfIVx
z&k0Wd8<zFvE@Xk1b*?Xyi})I)8=g8ccqCkhmCufCTY5dO`-F6~*nYQN;_L_BYHe|z
z>7KoYu}zM@I5yD2cl3lKtb7dzv;Nhm&ptLPUG{AMfW%`TN2P8<NC}DE`5v9OyGjW7
zW{`t^FZsg5-57ouUFywamFt=1t-n{gOAf-BcDJk7BdC^>{g=Tnl56{<U2;~7d}NoC
z6H<w#2gDQ?qXniADP>?jD+`TNnX}l|xSLPH+82=_o-2E<ZC?j^{9G%~8LWE{Sxtva
z$m<kTMDtg?tc=gXpjE4;d*pG;CPNo?UlPa_O084j)uHjE|IC^NzN`0uW%$oW$kf#I
zf-iVAi91s{O@fWjViR}X6$ZK2TyVjHndsR<2th`Ti&Ie?B4Z-vSB5tPo8QLCX>8r=
z)4m?WWWhD_(f?)CY#a~8Jz{z-OvrmsSyev2a;l<spr-14&MWP>bo7eB+?^}4MI#Mh
zH$g6XA$}QOkQHIa5<@*VMl)KsQDw4ky4bVpbs!z}_Xt7TP2tCyFGEq-Z@z?YpQ#K>
zzq7a_g6mu}?*0zsAHv&Zij`Mo^MI<XC983xw%kFs^5|sjD`QEdu-@2k!c|~{+)8ZI
zhFJ#GX_2kGb{FyD;f~<W{!<!*EYt5*uv^G5@Y;Xve9)HL<x+1w#J~6~<id@nz|Vd2
zUO-`^xm}pMK$7#s(Ce)E*s?iMO%I@JBBdYtBU}FEPf4|_kQmk`PzDED4CH_(K+i58
zDD~RTZE2B`oV($$he>fU{U0|sJ^;;`AG9X`m__^mHU4B}r*j1Y4W0*F@Xs<}n0qkd
z1@5YKBLO%OTa0?OiDG2H<Mtip$4V1^x9^M7HnPds!i!RxaOKl@;;xCQIfdS}M@RSV
zrn)vhI041;F{dyWFn)~;tSKTSbR;k9U(Pw*)w?PBuXY7>`dSj-Z@e)7Nve(d1(XtQ
zY#7Dr2Hb?qJ|}NuEW3L;Ka3g#a_1TI)K|Ys*W)c-l~^bWU@0ekMonq17Yef#rtlB#
zE)jyPC}FgFfMWtOlgk%Nk`M56PGs->4^vI<?mS?+s1Fj+T>Yj;4U@RfA2=LVN18KI
zNGf|TwmG(=sB+$Q2roU`s^R?(J%9eP?gQk{Ag6*Kip;();$eE-w2>{cVhmR)rFHwP
zYIAmBHeB*@V{>NKJ~)5l_un=*^zp2O5DK_dSAy2#C#!3%4GCFLyB70L*Hyjo*{4tS
zsO8etD%I}YuIRho&Jo9pxM-}cVIqXGw}%m7N1ro-CN)7rfF~-~WCInje3d0YP<q+0
z4-j~9sP*6QT4kWm@Vx_mhMZBiZJ^59k&mvI;o||~!oj^>NL8Pe4{Ta-0*aoq37$tL
zxW;iWK=^yb6gRpMrI7bPx_|Mt9l_U$2=wa~#Hk4D$?@bNBYm+<{1~bbhxZ}Ge+t<<
zRMVHD<xZxKJz9mz1p{GnV*$6G_h@aCd;Pu&0x8=9-rQU5V=9SQoZ*gGT@v>!boss`
zF*{hKZmnHFu+j2osRuGqKj9CnW_Rt8V42zZ>)vEb*m-L31XNT(rm>#H5QBF;Blzkb
zpu!G7teL(N@Y-pra))rd(3nLOe8|%Gr9&SBtt~*MuvqMMM5h-#5{I8e`tf6!|Iz$d
zQBDx79qg+g{mSN@Cp{%o(1)LP%saOB#Q@K_qnCG-)VXq19&tGZZ;24#c!LUy2CAq+
z68sc#mGtU1zUQ2YRQ^Dxt8G4RNvBg`-Z{`6;$3`YAb`&L*SI<H3K5J^2tQ>FLjnH~
z70ApM=@y@0@s_t_{^!Mr?gBiRk}2czBgBmq#xbBk{uPxFzuJQc3x>+wBE_k^QU+h1
zl&RXm`LK>D3rGou3qpS)XtVSTP-S5}W^S0Ld!9meaQkIY>AP_mnCw=i1*~ouu&9R~
z|5$O{wIJY!in*k5+4@}6uf(aH%jwOY8vXcj8K0wVVVO?Rx8d=xlBn+k#CaZx)6~#b
zK&QFV($d-$nK!Xu@>mepE!`FM#}dgu_4Jj!AlJS3U4-s2TQTWJh>YUrk02|)>7q+u
zs3n$3kY1w>7_%7DuCFVFC;p>7t}S%!(m_S_*Bo0FpMsDaj#n>+6P6-7I#6huii#bM
zwTCwmN%sy=M_V$L_xDq>I>C~fynp;hwh0D^##ML^ggET`Ze{S0yxexBuoi{YXz0$u
zM-={}ZW&zgo;B1`Lwoksr}UpuV3D<9`m~e#xBX*Js(Ep)=lchx-x2<2TdCLZwk}tU
z-?Ib~(~tIxU&ZbHmV4jnC6*Dre@wgmfbo2OI53IVZn%Y-5v|&MpcaP}n{*x&<kx@^
z`4F@UWayJw{TI6aJ8%JX<{v(6yXaiz)R_Swv+6=|<cwt#?>`8BA<$b3dU5s^LUvkc
z1M@t|*V-Xh|7;Fi!ke?=|JF~xv##vh*T6~?5l(&fbGg<dUlyET=fTbyaamE%zx`vQ
zP<JE8+kW}oK-ar202waXiuT{|hEpD+;?kVT;0?686tJltBq-*lZ;FN<PLd99blMIm
zBK;k#2<aWXT<vJ{H4O9c=}J(9`kYpP;f7fZ;g1*kUtXZY`8?v(xevLB*+F4q-1%Or
z8>_)N<O}gXe;$LGIukbDsa2l!)J6j17^Z;VtDm{b$Ru21uZjjzZBTP_jy$IjtRe+S
z-J6V_YYk{Ryzec|ewu&lo)>*0$#~$^nZrXIYE<lWly5#K<<mg`t>>z)3M?b<+H>Xq
zF*Ww8n_u_CXp@7uaYS;3{*ZT!E`XfmSmhZcTHw?JXo*2~1svAUAAcM9;f?a!5nMRe
zuJ|;lJUgWcuEPH1T5b&n&58|cneh&<g%ASy{>e{vXK8zR9Zx#I)%~6A04neh=X{e^
zAom={gME&Vr}UY7T=30J^kQtJSYm=UaNBoQO6Wtvwh$R}2YKg4oveR4E+2gTCMXn2
zdPl^Hl(dVJ?w~zicdS0gWcdD|y6zalK1B*V<(hJ;4&Ulk|C4S*GPpK$hRGmgEN6g+
z`Ff$fID(LEZ4V>s9n+l_M`bv-zdueNezHz*ST-|B>{UwnVf*5H^9&VYirYv?4<d7l
z8#c?xX%<r8NWbs=OMw&gr^jFV+O?N9M3RyVl7z~p&v4<nS)wov;TTd%#C;E<W#oJj
zq7PA&21^}U)x3Cta{!%;1w#BU$ZK)BqpoWOKm7Whpr173Jq*o3T37Rs<SsA2@W964
zZu04BS>8TA3`+f;FrffiP{#uiadI?js?X=2_FViy|Ce*(*AlEe{^z-8&&|D8(l0!b
z7WkdmP46Q}O9;MIg6P_ZWafc^K;&C_zx_g`h5NEzeVySIZjwb@?T3mp1VReUxi5qU
z#Y*m@AytseB1F0cUXJmp)H3AU;hz7-F-wGYD&}O;$K|{cv$T6P^w~;H{8_dgU913t
zE=E$;u0%rGp~uEAkJ;n5i-MyLl9kfiqD}?vfz1;e8*xcGkn$$Z^>D$pI2&WjF$`jO
zSg@cAI~i^kiR(|rPxf{pd{!aTpgCEO!D?j4?}2UYX1z1|tNGuTUkH@h79?Nx<Sq@|
z^|b4OO2f*RDk!+>jwD{Rlu#gMa>?SbC+$N{$o9pJf?Q<ThwImBWfTwAD#-obL@`n=
zNG>aY5)`d-(iF2}71QJM;LXc-wB71~T@J8+%5olbdSVuCVZ6P(2svjMJaHBB$~;*_
zuHy5KnAt#GGqYp6*+;hR=pcl@g7+f%CNM@T-Wk9ZiLpg!@>_Yp^gD8QaIbp=7UD2o
zo*lVOzp-7q&g(y>ku9~jw&0kWvpN5*J+u*k#EyDO$qs7U3O;(XM-5Wu1TksiDyNmK
zbjT2YZiCKyhnt7)`X_GeL%n&D>_q(Yec|4V`Hl#*dFrnni0>mzZ_NdM61WAPAxy?y
z<mW^cxThpaYmoM8=vSHT_TnwXg+S`y5dW%M1@z>{bU;7=9L~{x^;)*=0-Jy+Z55nR
zDGmPb@f-k2RDG1}dv)E~9nJRRJ8>^8UEBv-mUO|Abud1!#QSCjV*5cE)jr;z4HAuw
zligNR#V+Cj`K|UPLL(O-_qTg%ih_|M$Z0`(gYk-?_IFZnwur7Mkn;a8w^dbDI0qeK
zRQZymsZ<p$=on^r#nKif+%00hg-F}U|7cNwMrreHcA&Q$J95?GpUn$AHS+eC$x<0q
zgCHG;eXEQHnrD?!O}L5<yxd7m0X`4owSE@giy%dumt3B?FC!8Ty!#j8*b%_=Hy0(j
zOCYj4(}^8wURS{aa^A)%D&u%zv>>Cu&z?DM)z$n^t808e5E-rDv0oUQtF)lst6O|l
z?eiFbs0KcD+c@Gztm4p#n^ViSmeAs7^yAn<t?|*b*s%U>Gd%O#{UXcU$vxY1Z!b4o
zR6i{}$V@C%tgsMDE0fp_jWyt3f|OrPIsYpu>pp+h4>VEFal)MLtRX5Bd+LAR24EbN
zF8~{J3qgDjreTIlt6r$^7%7VP@aSBI(9u_oSIGHKVT@2yf5;rm9rhNHV_4{u1xa`#
zEzi{q`e#}3P8txaCu|H@;$mT0ywbnc;p6tyKy!cy=eR!c9==x)W8PK!_CSarOvp>4
zkjtz461wa6E}m#fHoRezT~kvN<xMEV&*D6PT~jeE#Ph8}XA#p|+YB3e{@bC$W0tq6
zA3qAHR=ezU#!6(1=gEo=1bWTFCd4~5xn`uOT56iaMwd@U?cJLaw<(e1bO<ka(h}S#
zF)TLs>#UI$JWP<04|48=FL)o~w@mdoG+p5YJGePJ%j#bZ8mZPi4{D)8$nO~4j>wgS
zEDY~OIilM#p=ngW>xap{rFjBO5Wu|WnoSZ%-$*&Fw{@Z^zLTi6qY+6U?jeA<7(|OS
z>}+RA;kfpFH)A@j{Jp;2TXdi@FihTLp~8p)@fhyhtyGc0pR#PU3hB~LcpilGqBrQs
zT~pUG$=4Tpu+y}M9zGNB>43)CguP!+kDv$5`8hN@dwx<iWCg{&W(1Z%{|>;5F1D(&
zEnszU2R^<lLz$U8fAvcJO3;BV-SL?Y0c3(=SF;*CWBHCFA99%6OQT@3+M&i)p#!Tf
zx0jc|Y{Y1GFeEjj2`i2rtc9BDBUg01{$xGlgH);SZuJbU<!&D*fJ<0F26>ZB9y<rb
zjy1K8=t>Z5Bl@E_ix$E8ah&dDZO7k*)dx6~@k8o2i@J3c6C3(_x~a3YAQA*IBglQ?
z?=1cYjMuY;;Sw^09}Q@H37&yj*Kg1LUNxyW=HPxeWFPumChRB=jqXc(Wl9I)OB+(I
z0SjYu&qeP#<Gn^PCl$949o#UF<6vYN3ButDq5@ct5G(3^z3AQKjvMJH7X}WGZ8e?`
zODefo7~IfHyIRz^wt)5ij65}h+<_|1AlcEnJ<Q<(3KekUycot<DQV4p)518k291>Q
zh0U(E-%{hIY$RIe?hxlS;!f}l;s;8t0dxYCYHXxTjMs&z178GE-+E-iOQ?Fo`va|Y
zS?5jaJ34wl0{_THrpub!V1?nM6(ArrhIi$io+u#)B*T<U;`xUL&VCo@FqlXpf9hvF
z*@d-$p&i?MWy23yJ(^M#i|hu=?fDv5v~8p|^Oo~4c_l)y&{Qx3sO2bo+F<s*n4X~4
zg!v}Nv{&>%ZI6fcEkr$^ue5yvPu^C?r-_`)zdI!WC5XkQtEKny<RDr;v>?vm{mKVs
z|56=l!?6hW#f9?`x96t857|f%t8Pe_lL}YM_Y1lyMb%Teu~|O#x!p=LMi5WbFa?6o
zBtIzBOmO<UO81OM!SZ_D-p;nn<$19t1tKUESjLyHcD2I|7$vApksu1|Z~hgv4udM=
zh{tq&=`v2J+S2OkZe~OvvTNF-V4DB$Ze1WUXm1kfZ#Fv2slN53zE{^HL6PrGKKiJ&
z7QN~xm@eiKhvs2chYL9E$9v>vlIOXX56=FEdlWrCzK?=)92dR_V=xJW>Ty?O??3-d
z+KHw_OciW8l_;s@3?3O@W`#gzV)cqPn<|++73dq#R)6>N{((`NC0g5#Zf8GDDz<0=
z$?l!df=h3%visDLPdkkQSl)jH#C5Mdw*)ws&w~1bYrkhShnc(m4{z`8Ac!7PvK?Ba
zuwzvC)dkr&N`+W|bSFXVlqwDz43PxxoP$*x>ld+tIRE;(YwhT~0-Zb+E1N~#VK`Ie
zjy@eC5CX`gE>jEdzmkah44HeoA0M-P=h&Axl{DI??M3n1G4E-*z1ZB!c*SYp@MXQa
z8XluBkmc!~anRmAdW{_K)zDs3F8JV?Wr*5_+5$G}5{5qZZ(%?(<~Ws5@cr2-OJ8cw
z-Km>(NX(aRN*7x95UgJyqxrjx*p6NgfvjlLfvR@&D*$Gh(Q16{FWuIc(frRugt39B
zx<4aDf{^FYW(EG@)??T#>vm`l8RD?69a;t$n>x!!3&4ob`}i=M^6|NoOXu+mzPNU1
z11HFnlG5D)jl-NgY?^%64wXw&lvs%SyHWlDBL|zTE($@8j_PUoq)37c^!0B60+FYT
z*s8k{nD;iTTszF4A+D9s+9XBg=egeUy^_DQ;N^8pjWtYD6BIv;DEW|a=KBZv&<38N
z&(j|MC@d~KQ|W27iISrp67}G4<g<ycQiTl)D;^hSU7mt#JVhMmd`3R*m#ZEYB2Ev1
zIF^VQASn^)PonI4w3>W!-T-(kgqf^on*Ryp_X1N<`$gRXC+Tgkhv>ht>!gRmQ>JAC
zz=vH^l*CdW4|L>)lOasbh*Qr<5f82VEA(er%yABsfynx=m`S$|sH$B=8^$*BXe$U}
z{qx`@PO+~?qHc|Cp<+7_sR4$K@dqPW{;nJS1JjmW!ivLncDCSqd3rTzfU8YgF&=S&
zIH!xXaQ!PDif6M?=Et#UWyf0f<iq%x58X=Rp7<5J!PLX}??%X>pM_AcS7^<Ge#uLB
zs8afdt=_vt$<4ftWX}R9SBx~Plh&bT>PFsuufy#-3%WJ0tH-Bod>sFQPf;c(+D0Vf
z91v-1iEacNg;QZZVCuRCCcM;tFGm@Se7pRN%t?9=K!ADL69EgW!HgBa*{+to0NcXU
z?3<FQ)P%XyWQ6o-Xp3l?pGp5<#Ib4m>BMyvGx@e1Izxhxc7NjByZsU;RRM3pFsnm5
zT!WDLOdu=P6kOUJn9U9`kLR)Se~v(|eB(ZgG!*7xFhdKHTXnrYm209j>H4otPipfN
zYq3d0)%OnP!C8(`&kj)}KfGtX*2Jb$a0f$&uo2edtsma^ryb>-+~aabynBaPk1L6K
zl=?mV=HEc1)hZV5=Tg+<!)?Zf3*an$`044(R5p+TDPpKB-Mgyw)&9e`i=9w(rxTm~
z><ecWH-6B#^xg^gf3!FP3@Hz=6b9R<1hjYB2{HG0O%M14P~rj3RA}yG!Jg%K>obIX
zyDoQFi2?L!lOHywr=;}B$0^luJqWovfw|*^8}M0z&j9i|6g$0uNgfb{5kUb6BRY@|
z9irkhGMW`+^q&U{F0rd(iAWBCs3OT^oM%Ta*FOLcQ%1NB`U-u6*F<%|O@JqVz|;jc
zpMSDQrKo8bDnv(GEWvld6E#~?^Xu^KNH^n|<vT^6Qx&74v<|oUAa{;|IL8QCE;pq+
zDmh#P?|MBn^EUN3@`xPpeEINzj*$^e-gcF@?%|83Z*!Wk6f1?pNT^?hgk$#XGq2Gz
zqNO|$f83DMhyQ8wyKX2it^Yz0(^s6S&Ma&h3*uYXDv{XvS3Hs$e49^KNBsq1#k;t1
z22hP}V$Ft!Chj2ei0u|)F$lT9S3`;j`jfmcZ1RpZJeNTNN`@E=z%Vy$YQwYvt6KEn
zt6t5&I^c#I>CDwWl3LKcbm<1D5214F^D6#)dTW;be~;suJH1Fypz_U!*KlqbdFVA&
zv@DDj!9{eHSO@*C?83TJZG!F-pH)<*lJrip%&6q=BDkC$@=LeU*{Ec;3&cYBWUL6#
z5Ko<L$CA<G)a|Mz0Z@XiyOmr)>;ThoW{4L5f7UY(un~7*c0&~kdtQ5ss#oIB^i<2G
zR4m_q=qnh}zCRsvW)$uMDOm!!oW3Ei04xW<DTn5h{e<ahz-H{^PbYUkJ4g_R=D12S
zf+s#Uq=3d6X};FNg<GRAUds_aM2mM?NDv`;3%W9r^q@~pxWXtB1pAC(v7!<Tw0p@h
z-tayWSWgAwn0x#ns-?VygajaWAsa6?)5R@^Lq3B90$b~hGuIs<QXe<6AHxNh#9)3Z
zoP&2K@$JChUA>OqUIF;-mEjnBfi&Nb2hwanJ|^Fq+|_@fH252Cet2*nmG2$Nww<?;
zX9UUh=GRj?=H9DuI`@2sd(l6Vx^bv`5^KDw-&#4~LWk(9tS>9n8_UWw$HRB$&)Hj8
zK}<L~ZQ$CX8-JfCcV<29!OOB+Qg3EvX1y5q9oZ}LY;WrhxHNg{^hL2N?e``dJmLCH
zFB@R{_S%AL@^o$`Q9IPC8e{YfSE-5H60H*n7p;ppN<!H*^3~*jZEy{QC|L7@7(hIm
z4Q=WR!$$7*?a&blgv}xruh_HRyV<+QS^Agsa=X?>iTX1D!&pI82V*1%u{{E-HP=U_
zBgfz%mySGJ53XaBp9-Y<DJ|%5y!|fNR~dAeToMUeU+FK|1dfo<A9d{NbtvP1(u=&n
z>_M7k`;Yw>!sdSYoZ}Mae7EQjshbh2zAhI#!1Dqj11snjd|W=-rGPKOW_a?gkEv^H
zu1{s|4~4#;zX97dK(8@do1332xs$ASNPZl3q-j3}=wr%H6ba{ryEo3^ZdJbZhV@`)
z?p!hsAKg^p>Bt?vgiGWL6RnqB|MM_dbmJGf+14Vf;o38cH+M2JCLXFh6uif;|BOdo
z?NL%F<q0vK&Q#?Wcg9GioaR)Pva9l4ippQRGs7Uy_1_n3zn9E$iB#-<bxFYjsJ0}C
zAJ7WI;pf)pdBO<?bHMIB(D+VtfQ8)eMO{k!`XK?C-#_oARXn`K75EIc<C$mj1^GhA
zIs~ba-Jb0<d2pu|0Q}G$3%!VYjTwtul-x08Ve`lC(8&&ay7%}fk3MnM#?@{WEE2n)
z{=z61a0fK}Sb`j+88BG<WCBLUsUO|qqDOQR*P*SyK$@y@O<*bJdwDfSm0eKZUZ-OR
z<83%Ltf)?OZ}Qn9-S$`NI7xqdW7s2;9X`+?a6@pC(ffN<Nx)U0_2<fa%ufPKSM#vR
zT2k-G(GLIq=d)8utqT1D0Ip6AVjl$&d=?71?@PKfY`|o5&F=nK7^-hk*Pt@q-QYp(
zqU2d&JR+^$SEl6d^ZB;S@t>+)HJnuJy|tT6C8#ItX@jO%m&x3da`~nbe-$Rk5v3*3
zwPu=72ylczaY@O}u1JUPl^F)LW=1zxtM>^frs&38^BnCqNn~t|kcrkx_F>hB4pJhU
zC(hT$h9`mFR@k+AUwlnRTnK-G;0%6@=}#9<i(;pDi}|%{E==bp49!eBT2uNR4^kHy
zE&K=llH1yNp3@=Zs}@>nXftq)GN2H=M2rt7Py~H7XhL;^3w86d!pwabuA6isPiyu5
z+uD;)!`i^xaf#kzM~uo5kfGj1LAYgH7Oy>gtRe8YVx6udtPnRcHhCr;bQi?M6!Rd1
zk=&dy_g=o~_r_FeC79IGQh84#75UtIl)uw}nF?P2-qz_F-T!yym;f@*@{?E*P{8aI
z-GqscQy9cyd)<85<0(wkAp}w|PPaJx0q4e87lgx$hC!gy+Jbr}FnuMhG!1{Dy~(zT
zl>QtZP-gu|(U8lmhT)=aDsN{-DO8ive%AZitp(9H-A>k{T0Rh}Ju}`;%!l7mM7ikz
zYn4qc<v|pgWxcbLRVp-(UGO}FO?HV*AvTX084~guil&O4?3?48ELC~46QbSCR7eg<
z8c9y+&5o|u3uZVqJ|h%sq;*%>`!hEbL$FhE_U%(?|GUJ?uAxcjsv<gh^3??%o%RW(
z-i`i@v1LZ+W5%#9B<9Sw5NwUFgCIj+M86qp;s(Mx1Y+A+gFk~qRUg_@KcSAeK?kBB
z`qcJP{5JGHt$`m7<7N5$1@fN)?;)|Ed~`dlH*X#Mfga?KQr_Ewe5m1qM<i*@q#MN8
zXUIWE=~7eM|8j3w3|3rhduVJitz8MstL5(x5%>Qntz_!zFNqz%9bjdJ`C*LQ_8bi)
z2%`TzZNYUD@y{*ZC0Au!R!^=q%(%_Ozis+fUWS5n)4ukxTM$ILo-DFVupPY<s-J)D
zx?w=+v&m&^O;1d(q*5Mh2f^{2nJqiYM;v~<JJ3vlKDEZaH<M5HYkP0LQTW4YdI$AK
zspPf3R@oCdu~0@@mA#K*iW10_)9~An^ldAB@8IjB(szU(+`k)DiB%ew5eoJ_@iz5K
zxNYXR-}+s}#O}xO5i4V7`hB0?om1|LhAAH*tDrzg##3Iz@58K2tQ@v;@k!ut)<jjw
ziRCcC4X8NHN)w6hYeO*-lJ9(b%VRS&TY}d&Sh}YWHtE&m65TsZe~J7RV=E{>>z@+s
z265b0uNTPA&G8xfybkAvtyUiK&cuzuvwSY7f{-oWF(*Fn`T(CjJ;dNRo!1WiKGj&)
zj&9MR2aT>#-qnwSz)!qXI4}3LM%bGPZa*tiOG6aad5k-cmTjgd)2NM|^dI8`7vDHC
znUZvO;!eBGtDJ*SD-R}~U8a|HlMzsJ`UBuG!o!U${^Xo58bnz{ANMqe>N1)t>#D3;
zlM1bE7!g%b%m^D89N&t>6Ss`uqa_*xNfM?l+y^CP+p89sEj&;8wUe`+b_D5{RCwMO
zd9M13Z4SxwX0%-E85tS3@oJ80!^hY{-i#X|v4ys8-83?pEbjU!-%_^(Jvb2g$mpb^
zqN>Uy`uH~ZL(5)3aK9HNanl#`<$z1e)!81`9XYgl@a1{BE5}LSuj!1^fp_=U95vS_
zUB_)HXZZXSk2Blc|M;NP4&=sH!OWsb{VVS<Mz1lz?HEak2EAL8QybOhB}p2<IAimI
z;|;p}^>Y6pVLraw?DHQ-tTdHGaGINHtpbl}z%TV!@uJuJD0`!6I^QmjtQUA-x!o3*
zS7!HXABV1dz^KNRpz2LRKo?5LC(Bd>b7692c@JNI6lt5(uz10bv0{ryvYgbSn+Vl<
zWfb~h)f@F->QePa>&wlO$**NmlG_FxDgsPa-G#()x>Cs{)o&$Y2*)wYlj7Ra_dd#f
zR`0a`_<PUd;oGVsRrW$N&wjUc2P*&D={C45l84B-I)lT@roX3?!?`g$JpVLzzsA^J
zNxBMsx?>Dc-zGVHT?7sDE_QsNg#Hds9)Ujtet6>VN3(I_?DXo?`3B5xYRFOOM&1zc
zb(u9p!;yAhLshrs($p^L=ZyelWh5yqQfuJ$<)3oxV5>#Utt}(FF=>{HM8)Dm%LjzI
zd2iU`9y%^OXwW#UaD2{apFNmP`XQK=lqC#W38No4a>7BMu{d*l`@k|RBhFlOfbWX@
zR*7oXq-!H@O1Eox`$?2ko=fBU!_w;HbhCB6(vw|^2sB6k7;Du6bgH;_JjoZ~Fgj3`
zP{Cf)FVDx+@4V|ZaOlTL!I#-KO@L_Md{<{G3T%noL_|Eca<L7faPsZSwJ(9iRCG0z
z;zx$t&;cKi2Fl=as=O59O-{oFs4pc-iY3aYtjeVR&c}j~AhJmCHhb?WAB~fMF^>sq
znFwLGjQe)i((!ApCmG1yrr;*RP>T#S36(X*W$ws?&<xzu{K6UZChN9seb+|_Q9IF+
z4X4L$si)07?*#YTy9|U*O%mp{st=-7uk+kwU?Nw0c%)-o6?mhnGCN!IIC0eYPh!!Z
z+YGEt-?C&<eg-k!R(<y1QMSh%6QjDyTI`z)-qTdC;NXrEgqMQvneWp2L9(Kh<gT1+
z;<3`4jN;sG3yQPnca@ble%9V7(b|Xzq5o9sa+cu(5`fySI)W_?Zj-=ve67M-(L+s}
zddnW0LrK>WsnsPgDws}z#{-O4bana%WX%`>NXC)#_4JTf)A$K;zJg%BB9))=B8w+3
zJ^7w}vP-(bV;)j@y?#@+pZ7$(-txT`r2-YiQ=WCJWpWtSm!DQY4t<S!;+9B1porrg
zl_)k#7Nf&0TVy!178yDE3klqt6{Ni<X`qL9C~e7!@yE{7l}$fzv^Y`W-Y&F!!P0BE
zihrt1X>g`;v<_wj&XFi*Z2xrT&k`MKk_t4}k8A8DvpGtJoGRwG<x+oZg9eBf-x7$%
zYo5{=<ef@Nh^UNP(&Wi0TeAuW2x}e4eW4UhvhY=Sl~2e*XEwcd{?dxYps`elzPE#o
z_Dig5@0YLKuox_@ZsAXqB5v8H&RPR}$K-k3GwZl=07}~A&S&Lc1)A$LA0f%m)j%0#
z%ft`|Jr+Jae`4e2kJgs??yrZ2h)Dyr>GlWAvL3>GC}4e0m+;9_8Svrt*F0YBa<^P1
ztWOC}@$JrySBJ62*j7Ek?s#oE@9H93;&$@J;0oruMQ@+h3otl+hrg)hn{hQu@OIkK
zI?kd8HcaJhDEu#Sr>e2%;Yh7dh357cuUdZX2=Wt9UID-M;Zx~i%9P)Q*4;~9b)^+U
z?CE_qp=HnQgK0t@m4`mg-Vn}9Hf8Y4{b{ykGK;$NDUMlJk9D82&SJ+HpFp>s#lnlC
zlL=<vW=J3_@YYL@hpFtn6nXOEien=KOU!a&<R(i?-N*uO2xYO0jyTsBdcHsZ42ilr
z-b8*r8V`NhTc>t?>lUakOzP40qA?lkP2w=U{<wWE0lKctM+X&7PkIJgq~3E;-$U}N
zgxq-tm7}-MkD@eGxhyLc?k^wsZF~zD%$<G`1!)!d<=ROHQCtXzJRK5&P(*oPdMQ|7
z93io<qD!K0-PGH7y&oFOcIO8K^n{ljT&R=~lc)Q|>Emha^+;*2+fUpg9V#Eh<p`7h
z{$?4$l_*I7A}EdbiE@bbmc?sGVNlM*KwsSIE8$Sa!@T#&f_z#1KL(37XclawgN=1n
zrFd=&e2TCSjMF@G<@4LE0^Uvd6Qn>dqj<|cuL=sr6;>a?tXyv(fNyRfOl-GFaHxwv
z{H^FQ799P>zz5`ujj{QPPxHF8Gt3%v!MJ<w=g;cK-;C`q$vb!Yd=QLG%XlP>>(zbS
z%Uq@`O%bm^>%<mbm#VZ&!&N+``mS4wYMtH?Tu7IcD^XV_s9kidacjd-KR~SDBV>cz
zo;uximf|Cdg?^dH<FnMSUo-qawkBWtCu}g-4@|rr<PH0SyY@+Y_}2GUVZwa9gKTNd
z`P#Z9BK~w26>3+On5NN<Gi2bE=tYhVg(Huj&J>$BO(}tj9+pE4yPlJR-1mqOGuIH3
zHX^z~$+*R??SI;NS6nTro`(FRF=;@ez)L*(CUoSrYLnp~+3Wo*owxfvy7|`r!LccM
z*f<U^=Y{>@pHaPsTh5mfT)5qltr66(Qn>R#Ji*Ywtg-QpRJX+JyU!8Ug>R$$mi|ZC
zpp+)e^B;i3t19U&R7ZL51Q`99ssO&OWx}Vw!Nm&a%J=i;fa(4Tv?Q|V1lSqnz@uAc
zr~IQo);G*;IZmITDNHWc!jU_lkX-j&?nvvdr~~gWS&WTsPJV3JubKQ$)vbsousVZQ
zYB8tGUFV&Ar!W4}-02GM98%acpP^XD$|SJX^A)X0z5cewmg`o&;u*KhA_$$>$E1GD
zPyV`ijj|JW?kG#n_h2O+hBNzK;LGaUF@Jt~>FI#&Q^nV9>8fY^d9DP-wUW^WwgaG-
z@AYuD*p24X;L+ibg2a#n<k{=sOfp!gHw(;z0M<7^{np!1<UuK?O95#IZCeUBa;Tsy
z!baVtnI0L!7s6{9t#Au;Z?sB_a5_ipbpG3In7PO3HcPxy{o&5WUiPB(4c;D-7~E@K
zN4|IZ^O9q1`cD$Or88c}x8+_jml<ZfJ^ugt`p&Q>q9$A{6e%JiC`z$Vq)Q9Zf`Wk5
z0HId_=}meIpr9xqAYE#t211q45s)r5B29Xzp%Z%OcR~HW@BX-Ve(dvX$?lxlnRDiB
z-t$fuVZ<|B?)?hefe}>EkJZpS<=}e1PITgTgzM=voB({<OAKy*ICu9by#ageH5&A}
z^4v*_MqCtZ;7_|J^u8_PuaFhhq#-zjc4pNnt=B4Fe=>diP_2jt7TS_wmw%*k0nfE-
zei42#%c-U83KGHD|4d%|)~0QWFQ`;<quUEd_aJuBIODB$Y<d{+l=T#~$~S@JBqakr
z=RxyFyc7dfVSSAc(&%+h-TvDHtoSmF$tUOsLO7eiF7#9sv(2~UxG%udQ;Fb)7vVRq
zs+Uh<Bv8Ku%`VT~tqI0B0#m+hZZPvTmM1z|Y%aD87vLH?Nc;Q5rBDpC7IHf<WAT`-
zJdO)mHmW>^+|~^_82rw*JAvsd0bbWig8g(*g7>^+$x=K-JC|)SH9gh#OKQ^dy|>=G
z**+)M<MSlo4BD}Zi#U1N#S#0O{T8O<X>D@g9n!$c8=7TMaZE#Awqj&1q_8CwfnOV2
z^D6I*=7KgGA6++2;!;-y?6U{h$CbeTC>cQtwoZ$Jb7rC4mxh1jTTcXS)sp)Z^l-Dl
z`aTS5q&&{p#6Wq&TnoS9Z#4Sf{^L#MZ_vkwd(j(L)>gOyo`KATf(AsaC48U$CsOb?
z5srPy8aFI~%iTDnJ=S@kw*LiK$1$e5m#u4DgQu181+`+YU(9caNZIaIda{5}sr{(T
zO$<*+RvB<5mE$yE6?%OyUeM*?O6ec385S6AW_VETGSQUeUSCdy8y*^Q;VzJ<Sk>!`
zUpw0wCG%ZOopsOx07@uY@WIwVebtvDx^E4Z6%CemlnexIoxYL7kfnB;>}uA@ml%JI
zO;rWdw2!OBmOj1j^d#A8N`jO0yX9A2P69Xw!RTYN8weSg%f!w4zFf<UTd<`HjaAwg
zOtw_f@7ljKYrN_dr#VU@hC68yC(`O+Go6s4`w;<ux-JlIe|OZeZwAE#+hme)qyQIu
zjO4`IT*Aj_3*uKmcqP#F2oIgqgeN1FvA_7zzN?{FCr>WXjkl_>-8AIqBWf~L5V}tB
z>t`SYIcFtIIAQUfEwbQt4690=WHhB-vC^2cC}xbXQ|J~uKV0D!Oz&*4mOv?w@ntQ#
zFd9^t?HQ+~)>fs80iFNOiv4PpN$1uwNLm7}U$e1+NDapb@B&>C0o?wPQ*VCDhAB?O
zTH*A0-QoPbZU!svFy6{TKEE!-0gor9f;w01`N_Up2A|nPwDQF(4Fo*Q8ONTaL{Pdk
zW*Tif0lm<`>|m3e3+BSf6WLE^`!!Vnu0alt;K6xezF*)6w{J0z_F?)srovZ=;YV8h
zA;1a%V)$F7)?JQEZz`fCx3~|$=>k1<<?}8MCq@iWy|b4*A~$X|lwWyCbcz0=O7ImL
z)%+}<>0L@<SchqBASBDJk;_&LT3Aj6Yvqg~=~D?(UQ^*PVl6w8rz+Fz<$R}X)gKF`
z0CNNVU1#br>)NgU(&5g7&@qRTCz1N!u_z+AJ>h@b?zNF4Z~fMBGd@z-!&y30ymhl6
z#?IUV=d}1O=7s|CJpq0#rS8{|=SC-+S3BcrUPGGqKE4?4U@QnYcZ$JR&9AykDHnv@
z#lz&g9xpcmodA!Pv3mWe{&`+2M}-&n#9;~zivq;pu+4TVfV;;%0+RP-#XhM4(c^#{
zrogd(r&TOax5>Ue8!8OdOjt<ht$NS~@?PKfI4+)l&Zh<kZz+UfB>Pf5qi&@RTTSrb
zJHkYH*&2(cacyA$G_>E75r$lf{AHxrfMAWL)7K?iZ0RxoZdtm~|68plu`4r{8=7pA
z{#kSX{rdmd<#&I-t|Fq#VDne2J+H$N!47Pm_YUJ}S%YQhceV>(_#a4HPpgQoI^Sg~
z=X4yL_5_B_0@g4BE=i}&tTKxP^6NNK6p$KF_b{9ARj0Xz%u*x9tC&~YVOo35)}XlR
zEPcd?yR4GuA`SGp<nfQT`m~0p2POQtVS&T6H=kLC3zcqG>`z7bNzCw(rH1k2*e$vY
z5s9rY6p2_0qZ^hemU3UHTm}p9hUrj+KtBlE?ti9zHl2G)ssk8y-pc+G93Zy3n&kiy
z-)Pp%)6x_GJ8lN(60V@^F#`8!1JU7u5W=_VB3n#ZC{``4-h8rk!+S^W$CbL4sV)pM
zx_r$1<Y9FrO#}o@V70p>eJqwbW$K^p!#F46D)MDX@oAL)A|q14il)#TvhjhGL@;E|
z)x(+6H@Wyceq3;c_63%ayla}>%vM1Hm}n?;J|1f9*?YMq9cisFlS#ux4ZneLZVCLl
zA^5przFkoLdB`~Ve_c{%a5j}C(+50B3<iR7aafxGzDxnuCj=w*wgtq=NuCjt{nVsp
z^X_m^c-Qs0?2*w`aBo4yIN~Jy+OwmZT4Y*nbL_Q3j%zPpk$j>lHRFDKgZT3Gp+tx2
z&_0qw=r>~h_u46Zwz>m#1D>b_uJDL<lY7kyu_zr(C+T;#K}}*yByZJ9ITT$TVxDDJ
zv<AF^&{QC<+Xwi044t~STUT_NkDwm$K2u(UqNFejqubuzx)%#tgoY;D%`P=so|L(-
z%<TD}1sHvSJ;vqq<T$39&?9P9B*3}iB@9?VOo#_w19Z-w0$g($?DTPy9O;#JqiZ%J
z{nc%q@C6r(9<NHLQ@s^t5WoZ{(?6g-sNweh_KbZN-()JcEn)?7F?kC}8)9RhM44l#
z>p2b$lLpA~O4>9n?EKMM#Y!X|L!R$QVIX|z**N55k@T2MIdOxaK;jhFL6n1CAIv|@
zZLm!G&UX3v=^fsyL-y2il99K5(sk?6^Af?M7Bu?Zgtx6KK2||JqTY;MO9)8T=r0Go
zmwJsU1@f9=QM-b9?x_~NjElxv1Yjx$r!Rphgfk?gjmsO<(SR7_Y}5{h>4IdaZ0H*-
zPqLo2n-j7qj!^KfSNQ(1Nf{lmX4wcQU#0IXX}C1V@d93O5nl2R$XzeNJtOWo){#*f
zT!Pym-wenX%3C<D1<YOk1v;P)5Bi$FhK^i>rc0QMe8?-HxqJVz&|q-EMKzJqho%CM
z(=nmSB2@h&qS=Ii6afs1wo{&o>VD*~@q~_y<0eL+96e<yOqitrq#UfbKmq8bhTsPl
zrg_myR<Hbik;btHtIOnW$Va88B}9{eh3-(nN{qhp7i)E_=lz}TQCw2~X11|@0nWP@
zh_;?IHo*-O;er=}A5ybb_W=(1u}w=xRQ5craO>WvxQ}l}e!8q1==J*h7B4+oi`{We
zgG}2bw_5l9<Jb)L-QdXlR4VZMod<^e=ESnmE!iYs`IwiRedagt{BO`!1Lo<r7%0}<
z&xV-IgBF^w@tF`U>!-X0GJrVS0aQ@Gt%+P8%&>8ZucEXOOjiOKj}!wf18)Xg&Du(J
zKA`cdI2&rZdPlB+Dd`_SX~kY)OMX(0CBa~w+88Wx)-)J&+-pcmCkEw%5oi?9i8p;@
zTSyrpN0Mn&0Hh*H4{|7p<W-BwUurmaP8WGbX*6V)>+{>;zj|IS4Edn)Y&k~odg$)6
zfX``&E`qHuwmh_vNXrzl+q8N6U5eZ;k8<ALTXsKpM|tFhcUa4?hhwu*;B!l&?Wip&
zG9!&^H{z^A=XrgOK1Q11dod^$3=~94CcS`FO|1N=+Zi6O=tr>?VAi<o<k2#(;y}_F
zM`9~$eYK$?u=Gu`hL~;GEjm-<Yz>X8SKkc?d@}Caw9Gg(O|PU<kK^lX;icfF?o^PO
zhN`rAkCOcvZVHIthr6o}W}?+AUiyT8L9>zc17mNo7Y3b14F6ibTFlqg#Wv}odI450
zwJ9TKly41;l|rA1(?8UGwv+PcGSCx{K`PH;l+XP5Y+~6dYQQw4dj)otjrt}KJ$uq_
zf(qy$MB~}%uHKV%3Gm)oN<2Jy_Q<sjYZ@{$P%{Sl@zw9HDSsd#HJ}hM7BrcbSR{F7
zuGMy>Nogjg&l+||ULPvR7aO0Go)Psdmp;$9=iF?-cc3^;jHcL$P}h07HU{}SVE|6Z
zT?Biqj7h)I=Le6^^ex>wc{aXK*`6j9f_?S2ZG7LfH3-hDFs^Jh&Uft^Lr(LuOuSNN
z6RFs<hNro&XK$9AC1$#DKq5&~iBa)w-@PjEr#;lbM~*+Iu#qv<<7IgjZI=GIKz^SW
z*jVVgSZwusNMWf`&ogN#d@-Tsg%^6|eMrQU-Vrad_=w}R<PrQphUFu0t>q%XOdZ%?
z{^lV;(}<_V%gK^=QfVGmX*Wn~pJ?mqb&at{*|FJ%ZV=vQBU&#Zefx$I{AQ!$$F9`T
zH?MWaL;U6{_Ta+FiH}a-B0wNoe~L#Dsht`Cf4EZP7v5LyF%7P**R&U$g2qS*e)fWe
zVS{>Yi=LG5|BD{ijuU3Y6K`Fo0=wGub1r#EdpY2Ld6DgG+pv!rg_FYmr;G$@3MbNy
zSatUS>Y|vpoq;C)P$dr=;0@x;6Cr%9qd@WLbA;kw-s7Ysyf{5vnj|a6p?(q(bIvFK
z_tYpUyll`(bRwd9^>E^Uiee0F;l<(TK9~Z#VUuN#NGtv}xc;CKc-CLO<e>2ClzAx0
zJ?vPlI{g{W;xF+s=q5PcJOPUschFW?3^F14zvzWssNoSa_gX)@tPOUC|F>obswEiR
zG*z{JsNTU1OFV;3{jYKr!DxNF5_`g*<FoH-eY6Yif4KA*mbkLkB~6n4f+ZkZRjrij
zDcK!0jbf1xA+#Z$4UJNzQD0unU3y#lE(S!TSk_Jb3`ezjQAJ5mhWXyj>z2nD{og3d
z3f=O<4LE?seT)9qh@GCEZro#%Q7g3<vjGVIJ$G88XK}rqK%37*SEn%f-rIp-be=FH
z**U5WP*ZDa%UWG?Kmn*IaH6;5Zbu6s-p}NR3^G|>Q`3Gle5v{b)rQbMgBJiYOAT(z
zbuQ#`8{PB$sCEtz1CBZ;<AK1mPE-^91Dpa5c?F@JG&S7}|MR2?AAoFL7`ZI^_MDOV
z>}GWDfkjB>?B`f3U{@pveND=6=p01@?0&Mw(<3^7C>br!NJyab`FB}@3as^3e52*$
zUOgMQ%?RM4Ka)?|fC~J|KH-Vkxk!b-ioJd+`s!qVwrLmz-NJ&om=~Fkm2MJKgY%Gj
zq;SKbmRrE|@z2jMq1OA4`-<u_fA4EA7P&SNGy?qZK!ZZyGHU14(!gbpn2CA6J$G}F
zUM#-=7{F~j$A0u$z&ZR0I4hmFV^ENEM_w394{p2nHdX?tzp?vIj|Lr7<Er<sZe0ja
zC8pOcMdBPg0$|BiuO|DaI?rck%9TvaxR~eap9745+Yy;<POVrpS$Z=c;u6A3xX#(O
zf#X1B7U)(I1$;45yb0?m1k3gX_vuzM!%m<)hJMAUZ|cA`fG?juBTdkMwY=78Kav-W
z4h{~kTUUlTV1CTTO5~=lPe9i5i6bWLOpo@PciPYsg>Huvd1h@z`yA)LCJ4F-#)ADv
z>!K|k*8Bk1;CY93{XOH7vQ%Y2;UVIm{k$rf!=stD5u0*YG`Mdh+3lNBD7hx-+Itf~
zJP_cbYsGxSkqR@9dpJWm`kmNm2^(3P%Wf%XG#Aq`w|*u_FCig~Cb%ej;ezz<NGlzs
zyLR`a@3J<({gjD%L2{Wsg)TWBx@BS1Wh_vSe~hT^S+)69G5XxQPLnB56r1W(eK?_5
zzrQa|43K+E=#9^7o?`nGT3_mX%DfrK1Vi?04TYTX5K_Zh+3V<!R{DM^)Vd+-q!utJ
zZs$?!^-7nSc|(fC)QNh@y*3X|sXt8ywrj!y6=iI<VM{U0lNtpM{s;^T_lB6!%GUOd
z`_7W)E}lHeH`^aaCobslD?J2C;a<8oI4=3IYx)WhfPbX2NU5D&SrFgPF3pE8jd5xI
zKy^$5FDNJ|tyVVNO*m;l>>vDQN&0T~H=KY<2uz94-L3CXi1Hx2bm=ry1DpHP<@3p*
zao%Vn^N_EAzsq7>U&n6_70?P-E^NPSfDcjo*me#MqW__P6nyA%Sm=oC0j*BxyP<Q|
zvxb?h<~op^9HL`oHO}*Sd4BOL(U`3bw)x?=zm5@sa%?I-d7ifWz0~n;`g@GxNfnuo
zdwjy^;3@jWG9Jd!io3}j#s`bh)U>S$k~4F2Vs$x>)pU#eK|Z_ic7H7Db6={TNiZYI
zLwn_emuq9c0fS+!d&C}r?ax&G)fd%HTk#0A&|;WuxZxKnHnWZ-eem(pvRT;yFzJ_!
zD|<2iAY;BVL*9sjJBu*1f?;6#eYi%E0hE7d80MGw&xTLZ`Afibp19n0X;FMXBmB4l
zF*43Nxum80VsB4!G08Jg&%5pAOP^?4p7KRi#pUiU>`hzvbKzloj@*}ued46>r6O0`
z07PNka&NCoAJ<_iM&O+~BdlX5wcaMcAw<}(az$#A;S{vE@uBM8LdhI_Z~WxF@cw)O
zJie~N9)teACw#K25C<>u-`5Od*lZ1pdd@I_{m58~*ucaOn9unSlF6}KA31uU)-7+&
zvbhLl*WWmtRBNB$@Jsn`BT~I>PoJoxX$}*Gyq*)oDZ%(JQfL!yZtjpL(!_ABpBBN9
zEb?L95<?>g+arP%+ujYc??MY`U%4Bewo5(8((T|aGsz5n7r^40h?$VG<q&rBQdb80
zo18<X8Vpoeg&JvFC`0Km=_M7&`fFcWdd4k@l~kcty+^sl-2M5m<?7rA8&3UE$C|!c
zXC-^q+bP~Q7EK;QZt0`;8Y12b0qD3veIEbg!hKn}A<B`#e%73k$D-f*qx0o@!*ULw
zE>gx}!&_kIh|;=|jgacrY{or8h?e2h5Zymlf17jov2V-WdZ(V(^%VMMPL&cofYG9X
zx36u8*o-YJxN;?_C8-j|Ieg1MN)O9x?jr-&=KmPjVs9*Unp5ZVi0MzXDOsv6;Gp>R
zMRPF=y1S@1zQmngwWs_+OVJA_;%JhltcubV&Z#TmSuHRAnXm8vJxoq+Bo5}`etK)X
z+il5(Fm9LKsg!DFt*n|p@8j>Rv^?<GYSfRf-hG*Y5VDya!dmE!=8@jra537FYJTOG
z!t%sAw}m_tW7SCsG0VU^{g-9Fl~?MmY%ZS_@HrQ$&rwiO7yZK{#}jiegwX<of+JId
zoNqf2E!C0&gz^ETNJ<-K1C>>D+GP;GBYt2n9nUbp8s2~r_^ie8Q+<BcJZr>-@79;<
zF~u?`cMZ2J>rcL|lQYo3&6@R%{jTk-L9A8`wAv@_x;)w4z$90sZeF(sx5>crfb5_@
z?BVaz^2MdFk?Id*RmMs6gRHg&j<elEj9=X~Oe_@wAVp4vgr8{Jmc%%+DU3`iW~?jo
z?g=|g4E)$njKf%DA=3wMYLi*{#s9|-NwZ{dx>hvs)zwvp2=pf!IMNU0$~NE2H-mE1
z06GrBK*-Jyiqv%X>_L(t#o}k0nGO32fh#$_Cr>jT_Lj77Uj+~4k7g*yWehFtco!ZZ
zmwzBBxW?H#%I#HS!$H$u?-sjGS|7ToTcmam1to&6%k4XH?w29kJkcgm4T!xJ!i?@R
znZxlfL*?4*IqBF}+R|K#T1i&#vX6Ss#)@+ZK))e|j|@Z8EdBFFsUFC_y$YsbXqhyJ
z>c+Sc?*u^JDe+;olkJKbu8n`N8Mk9TvHV^Az`a<Qq~T>X5!`7Z(TA|chcdNHnmT)a
z<U?C|(>H_3MH%1SquE(|=b5L<^~rgOKOT#ea%c5FYR5p6Y>BYzlCC|2+GTlRmsz}o
zdXgR8N8>rnw8}W^%l|3$8Y2K!6dAyPhC?8+FZ47r22()SHGD)&`2dpY^3sWqBBwyt
zX4I7{aaYLHP}Zy@1ItsIDYwM#pxqO*vOy<`FU{vmlwENMPfDIiQP*{wORZ>EybqA|
znx%w=dAIuw!K8g{4RsL}cdX2y5qCCVC1qn}6UsdJ?Td!~msEtO<xgy^0@d^Mg|vK-
z&N{32I?z1-l)H-;YzTp<jSVxwmL&7={i^9?)+lL3D}(pwFVwL+iC<uxt~hI_ehGFH
z<%s^iT1C<<n+UX`8w05BMX&d|s#~{E*d%nlpl0HMD+cGqc`WE4sU0isjecFdQcZ>S
z;q({@7BDv4(Z38I@$S>_j*iOXb6yGPhWibSOdzC<E+V<r_BYN@`sZ>P&c_Mn#;-WK
z-Kn15id1u1t5P;IbBQ2KNDD+i$5Mif3A3FRnlhg*Eo#EN4c;bvx<LdFnG{^u;Q=jO
zvsE)a8l9c)!gSoJpwBG`)tND^nVAsy^6Y1rr~7(A2}&bG^b-ae7D-JCj!3PvTOP$y
zDy$Bub}u6-J(dgE>D*#7I4tJ&ZvIo}8qAvpKDY$B9!$Qxu<*(UHgfXe%2%x{im;*a
z4|2z9+|8s6FdHW_zirXF28cwTUj$kwa-xE-6Xvm6Sh~Tij|xvJeU1*|7Mh8r0qOW>
ziTNRPSFbM-CcN+D@yu#9dX%7wtC|TVWr(Ug^?$Nd6f}LbITLS}YcCeQb@(@<1Qu6;
z8QvwuIbUT08yx!VR#f}qr`{VIYviQK$+FPH1_wNJzs=eoEP$N))rLKAb_*D2LiA8e
zzkrF&T4tB{0D7D_*YW@ej1ct;nPt|Rwpzj`zg8$$Vphc<zdvBxuaLPVxmF*GIF0Bd
zH#NHGP|U+|BN_%45A^zEY3Citdzhjl?PDXAxoaI>jUQZc4+$rNR1FTstKxExerZ9;
ztskTcU=w%NytSGPDUNgV`1Tho0tGZ_Y;GD%@zmG<GbRuR)o+!mel3TFFnTYf83&@<
z7=2d4#_orKMMb9^zIICfHopLIQ7qDagnZZ!aAf<nmi%nMLeaDOhtPuT(ypY_6J$yu
zfzvh9=K<)2hX+3+mlig9)|j}J$y=k*O2)|Tp4~;)*bI;e&?gIf4R50DkAb15go-5~
z(fVDzH{-W`ElLg<CMM@V@7ZrZ$49RTreUD{<3l~a7AMkv`65<-j-($?6}HxJy8kAv
zQGgIBzF1XlPlX<x{I`dJ$W3M6S0PLZ5gV9y|J;b~&5*;+77Q)Sn9T?2^xFI9EJ0+n
zI8>n;8JC|wjl3xzL<TmWOT4a+%vk2t(`8B3TF7<JCXKV>lw+x`cO#O=EjGFszEa%D
z1}CkzBG9l&Jtoe9KGsCuZ}?QAwvT8n#>HJ^KRxf~{xpw?$-)4`n^~jxy+c1!)m&_8
zq#$<N+sWiMDj!H33$fv`&(4VH2WNKh2n~~R#&X#(Kf~>BlPQ*d@f9=wbZ}oQ*&7H^
zePsmaA*F}V%D7=lUdU6!xtvt5J7}06-~Ya;J~e{OVpg^ytNt9d;|5DWWMyTIo<_<R
zxLA{vxl#FsebyjHTxq`yH$p+p2wiwYk~TJ-0UzagO@D-eZZ~caQJYTQ-^U2tk{L3v
z3uQDew(>p8l|(qT{L@4xK*_BR)neL_CKFMn>&ie1SC;WKOj&}*)pfpJ?Il^Ykl{pb
zcv&zJd~@Wete0%WcJJEKsvz6;fNF_twBbh^rr$skJKOf3KqZ&LiTF&szfIXz0D3G7
z7BQwm1oQ+`vmv|f{c$4pBc(@KGPiy2o0%*KmgOIrx~iDb_yDP7cE%M#`1^2!Vq_iW
zo@OKaovmrK*<`=2mw~9-y)Ws&f+#N>d%>zNsLh5hMR-eid4A*`R^70TQ#UU#be7i6
zi6)FE^{70p^I({05v~BFm0sxY8zG|Fk8T^(b32QPs@mDt7Xa9=in#YAU>RTAvUr4k
zclG+xsF(6*AXx0TaxV|fW$a$r*{8|f?EFu_`z>Rjk%%y6=}__!ED(JX!ZnZl<xMOs
zEc{z6wY7)xby2ju$IlzEcy^I?u7W5r7GcL(2ZNZsjeabt-J`i1!He86l3Bi3h)gVd
z+AU3@{ieKer@;WXkYkOHwuT>OBt>|8^b(>g<b^$6qhB);NDy@xl;H^u#L${wvzK@W
zmIh^`1b5>d5m<vXpN^uSh2g=0pD+Dh{YwYFV=lu<xpwsIm@kKl6Gt~H%OsPEqDo5c
zM?UulkoBscjEfDN7G}G|9nNZ-{t=u%4U7Y|tpIxewmrd-6R+_zw-QxT;{yaydV2cG
zyDFE{&YtlVL8^Bq1oKw~V{B*yt?pi?)iA#o>h$WC-}P%GZ?BD)5zc~iN)1bwcR3EC
z-RCb#lwBG6*(l&;!77j!?GooW!CO1dWi0yQ&m%oW8nDqg5#!}a4&xSUZi&ZNoUqJz
z`Y_pU3m2b5Mf~CF;rfu{eapXD8`|ihM~~wYooV+qhgRzXgOd>}K~|uoo%p(|Xp5=S
z=>kZB!%=cY%<S*ouQVo)Uh@jVjum{{-ngrPyf@8tgLK@%L!1$E8xEj#EiJLrCD##U
zI|W<XGFg8sBfgM*_r%3_nM=j?ruM-2__$v^9J|kq?<!fDnz|Rhhv;)4%ld8c*U+e3
zoWuHQ^5`g&le53SB>hzsmp+L{Dz-q&*4%s!Kg*+lgo9LK|9%8`J)H03H-V>NiM{5)
z!^;a4@#8XpG+5^N8yOojF~F4-;fm}2Bm94~e=*3Vyp-xcUFz=X>Fwgux4e@bjFs{X
zYnxF$g~4D3`ubuLr*~Kex;N)ct<i=56f*mI<NZSc1r9c>M_yjuj`y*#&t6GiD_xM&
zn8zo~+sDBv*B`KGQZhFbjv(oYR!qpF=|(pKl&tbt8BtQ-Q=5ps%5ha*x=ez8qtXhR
zUpm<IMOJ@!HXsv?+^;{7XN-`GSQ!R;w*i!#*50)n!|Qu<IYY~YPm4=RHdltpn(X5J
zVO#iIiKwKhiGR)r)ZXL$bg;P*&63Mc(FafF@=3iJH1+Owu9!ge>5*Y~Z*Syswc>8x
zFwzxnRA&_iAkPB-*x+mn_F87&0m=ian-9|737>gh#ZF@x#ay!FWeDpCH9CkvInl4L
zttDpbI-c<B@9a!i?t;h9*ZQ8{;x$B;Ly?`wZJAv&+gw-O)+ooTNcJ{b2@-aa1UVi)
zH~{!#R2@(9cfpfCq@CBn$u&Zv-9YKBe}dzaSN7U_b1!xdUVtr%RWNsP5zvTc4t7mZ
zhZz|eS$NwJ1-?m+g{s|Xr@3?IP7q&3Wxt@3zxRpZB5@JEzi#XM7ohUfKfyV1K-eE<
zWyh4Lb0{`#+lEp!JsKPwtR8oWV%~hFe_WAzNr>+F{`wq>Oi1kpVAZm+xoU^p?UdC*
z1rHA0=*fD&O*e_X9OuIca^c(m?n>~zermUNaV!I=5v{JOpe&-lvwE-;+8#CY7$^?-
z^jfn`=CD!}vvQwby+2^IK?MCGc4Em$P=i{gx1ph7bJO{&jzKYf=Wf=?4etvYaq?~T
zFx^{4<EM@E-Dt%j(WoS<{I~xZVF~d16|xA|riYp{3r!-q3}iEL8lQ|M9CK;V71b&E
z!wh|;ZLO{1Xfbhd@_;AW2~P9~8*iJ;?Jn~7O>YwSY_=~s&Q(7mN2AdY2qa6$9+b2X
z^Rwx&`sOX>xJa}ueQ?wbKXHRy+H7Y#`$PNxy*YL1Dbh)iT^@%(Wz$rx%JfD@N7W5d
zQ&I?@e({iSL*))h6crW%4}Lz!?l}8U^TEv)n}E9?`kyzqx3{01)U6+8sk0~53h-@w
zv*8hOE1Ed!wl1|Fs#pm(FS<Sd-gvxzqYXa|KhpUBDRHjisecsjPWtvop&GLxF^9f*
zmah1<<^7In;YpR3sA1<Spw{Ky?rwNQM9p|1mwk}Qt+uZd_!w?9vwY@)QlG|c^wcXn
Zv1N|@0ci|N!`WMvmr;3EDD@)X{{VlRfxQ3#

literal 0
HcmV?d00001

diff --git a/docs/pages/connect-your-client/teleport-connect.mdx b/docs/pages/connect-your-client/teleport-connect.mdx
index bd666ab4ba784..94df94e6d9d22 100644
--- a/docs/pages/connect-your-client/teleport-connect.mdx
+++ b/docs/pages/connect-your-client/teleport-connect.mdx
@@ -87,6 +87,9 @@ A new tab will open with a shell session on the chosen server.
 
 Alternatively, you can look for the server in the search bar and press `Enter` to connect to it.
 
+If you'd prefer to connect to SSH servers with a third-party SSH client or your
+editor's Remote Development feature, read the [VNet guide](./vnet.mdx) to learn how.
+
 ## Opening a local terminal
 
 To open a terminal with a local shell session, either select "Open new terminal" from the additional
diff --git a/docs/pages/connect-your-client/vnet.mdx b/docs/pages/connect-your-client/vnet.mdx
index a11ba1566dba6..c5c497750b449 100644
--- a/docs/pages/connect-your-client/vnet.mdx
+++ b/docs/pages/connect-your-client/vnet.mdx
@@ -3,22 +3,32 @@ title: Using VNet
 description: Using VNet
 ---
 
-This guide explains how to use VNet to connect to TCP applications available through Teleport.
+This guide explains how to use VNet to connect to TCP applications and SSH
+servers available through Teleport.
 
 ## How it works
 
-VNet automatically proxies connections from your computer to TCP apps available
-through Teleport.
-A program on your device can securely connect to internal applications protected
+VNet automatically proxies connections from your computer to TCP apps and SSH
+servers available through Teleport.
+A program on your device can securely connect to resources protected
 by Teleport without having to know about Teleport authentication details.
 Underneath, VNet authenticates the connection with your Teleport credentials and
-securely tunnels the TCP connection to your application.
+securely tunnels the connection.
 This is all done client-side – VNet sets up a local DNS name server that
-intercepts DNS requests for your internal apps and responds with a virtual IP
-address managed by VNet that will forward the connection to your application.
+intercepts DNS requests for your Teleport resources and responds with a virtual IP
+address managed by VNet that will handle the connection.
+
+VNet's SSH support enables third-party SSH clients to connect to Teleport SSH
+servers with minimal configuration required, while still offering Teleport
+access controls and features like [Per-session MFA](../admin-guides/access-controls/guides/per-session-mfa.mdx)
+and [Hardware Key Support](../admin-guides/access-controls/guides/hardware-key-support.mdx).
 
 ![Diagram showing VNet architecture](../../img/vnet/how-it-works.svg)
 
+VNet delivers an experience like a VPN through this local virtual network,
+while maintaining all of Teleport's identity verification and zero trust
+features that traditional VPNs cannot provide.
+
 VNet is available on macOS and Windows in Teleport Connect and tsh, with plans
 for Linux support in a future version.
 
@@ -35,17 +45,21 @@ for Linux support in a future version.
 </TabItem>
 </Tabs>
 
-## Step 1/3. Start Teleport Connect
+## Step 1/3. Start VNet
 
-Open Teleport Connect and log in to the cluster. Find the TCP app you want to connect to. TCP apps
-have `tcp://` as the protocol in their addresses.
+Open Teleport Connect and log in to your cluster.
+See [Using Teleport Connect](./teleport-connect.mdx) if you haven't used the
+Teleport Connect app before.
 
-![Resource list in Teleport Connect with a TCP hovered over](../../img/use-teleport/vnet-resources-list@2x.png)
+Open the **connection list** in the top left and click the icon to start VNet.
+Or, skip this step and VNet will start automatically when you click "Connect"
+on a TCP app or "Connect with VNet" on an SSH server.
 
-## Step 2/3. Start VNet
+![VNet shown in connection list](../../img/vnet/start-vnet.png)
 
-Click "Connect" next to the TCP app. This starts VNet if it's not already running. Alternatively,
-you can start VNet through the connection list in the top left.
+After VNet has been started once it will automatically start every time
+Teleport Connect is opened, unless you stop VNet before closing Teleport
+Connect.
 
 <details>
 <summary>First launch on macOS</summary>
@@ -57,15 +71,28 @@ tsh.app under "Allow in the Background".
 ![VNet starting up](../../img/use-teleport/vnet-starting@2x.png)
 </details>
 
-## Step 3/3. Connect
+## Step 2/3. Connect to a TCP app
+
+Find the TCP app you want to connect to.
+TCP apps have `tcp://` as the protocol in their address.
+
+![Resource list in Teleport Connect with a TCP app hovered over](../../img/use-teleport/vnet-resources-list@2x.png)
 
-Once VNet is running, you can connect to the application using the application client you would
+Click "Connect" next to the TCP app.
+This will start VNet if it's not already running, and then copy the app's
+address to your clipboard.
+You can now connect to the application using the application client you would
 normally use to connect to it.
 
 ```code
 $ psql postgres://postgres@tcp-app.teleport.example.com/postgres
 ```
 
+As long as VNet is running in the background, clicking "Connect" next to each
+app is not necessary.
+You can directly connect to all of your TCP apps without any actions in
+Teleport Connect.
+
 <Admonition type="note" title="Support for multiple ports">
 Unless the application specifies [multiple
 ports](../enroll-resources/application-access/guides/tcp.mdx#configuring-access-to-multiple-ports),
@@ -77,19 +104,52 @@ If [per-session MFA](../admin-guides/access-controls/guides/per-session-mfa.mdx)
 first connection over each port triggers an MFA check.
 </Admonition>
 
-VNet is going to automatically start on the next Teleport Connect launch, unless you stop VNet
-before closing Teleport Connect.
+## Step 3/3. Connect to an SSH server
+
+Find the SSH server you want to connect to, open the menu next to the "Connect"
+dropdown, and click "Connect with VNet".
+This will start VNet if it's not already running, and then copy the VNet
+address for the server to your clipboard.
+
+![SSH server in Teleport Connect with "Connect with VNet" menu open](../../img/vnet/ssh-connect.png)
+
+There is a one-time configuration step required before SSH clients will be able
+to connect to Teleport SSH servers through VNet.
+When you click "Connect with VNet" on an SSH server, Teleport Connect will
+automatically check if this configuration is present and walk you through it if
+necessary.
+
+![SSH client configuration modal in Teleport Connect](../../img/vnet/configure-ssh-clients.png)
+
+Once the configuration step is complete, any OpenSSH-compatible client that
+reads configuration options from `~/.ssh/config` should be able to connect to
+Teleport SSH servers.
+Try connecting with the standard `ssh` client or the Remote Development feature
+in editors like Visual Studio Code or Zed.
+
+```code
+$ ssh <username>@<hostname>.<clustername>
+```
+
+As long as VNet is running in the background, clicking "Connect with VNet" next
+to each SSH server is not necessary, you can directly connect to all of your
+Teleport SSH servers without any actions in Teleport Connect.
 
 ## `tsh` support
 
-VNet is available in `tsh` as well. Using it involves logging into the cluster and executing the
-command `tsh vnet`.
+VNet is also available in `tsh` without running Teleport Connect.
+To use it, log in and then run `tsh vnet`.
 
 ```code
 $ tsh login --proxy=teleport.example.com
 $ tsh vnet
 ```
 
+While `tsh` support is available, Teleport Connect is the preferred application
+for running VNet.
+Teleport Connect offers better visibility for MFA prompts and cluster logins, and
+automatically runs diagnostics that are useful for troubleshooting.
+
 ## Troubleshooting
 
 ### Conflicting IPv4 ranges
@@ -232,3 +292,4 @@ Before version 18.0.0, VNet logs were saved in `C:\Program Files\Teleport Connec
 - Read our VNet configuration [guide](../enroll-resources/application-access/guides/vnet.mdx)
   to learn how to configure VNet access to your applications.
 - Read [RFD 163](https://github.com/gravitational/teleport/blob/master/rfd/0163-vnet.md) to learn how VNet works on a technical level.
+- Read [RFD 207](https://github.com/gravitational/teleport/blob/master/rfd/0207-vnet-ssh.md) to learn how VNet SSH access works.
diff --git a/web/packages/teleterm/src/ui/Vnet/DocumentVnetInfo.tsx b/web/packages/teleterm/src/ui/Vnet/DocumentVnetInfo.tsx
index d21ed692f32a6..95481bd6aeaa0 100644
--- a/web/packages/teleterm/src/ui/Vnet/DocumentVnetInfo.tsx
+++ b/web/packages/teleterm/src/ui/Vnet/DocumentVnetInfo.tsx
@@ -236,8 +236,9 @@ export function DocumentVnetInfo(props: {
         <UseCaseSection>
           <TitleAndLearnMoreContainer>
             <H2>SSH Servers With 3rd-Party SSH Clients</H2>
-            {/* TODO(nklaassen): link to new VNet SSH docs */}
-            <LearnMoreButton href="#">Learn More</LearnMoreButton>
+            <LearnMoreButton href="https://goteleport.com/docs/connect-your-client/vnet/#step-33-connect-to-an-ssh-server">
+              Learn More
+            </LearnMoreButton>
           </TitleAndLearnMoreContainer>
 
           <ComparisonOption>

From d55c6b545880271cd8ac8d07a56bd4083d1baa01 Mon Sep 17 00:00:00 2001
From: Nic Klaassen <nic@goteleport.com>
Date: Wed, 9 Jul 2025 15:42:45 -0700
Subject: [PATCH 23/25] [v18][docs] add VNet warnings

Backport #56601 to branch/v18
---
 docs/pages/connect-your-client/vnet.mdx       | 19 +++++++++
 .../application-access/guides/vnet.mdx        | 42 ++++++++++++-------
 2 files changed, 45 insertions(+), 16 deletions(-)

diff --git a/docs/pages/connect-your-client/vnet.mdx b/docs/pages/connect-your-client/vnet.mdx
index 245bcf0699840..eea8f885c40df 100644
--- a/docs/pages/connect-your-client/vnet.mdx
+++ b/docs/pages/connect-your-client/vnet.mdx
@@ -32,6 +32,25 @@ features that traditional VPNs cannot provide.
 VNet is available on macOS and Windows in Teleport Connect and tsh, with plans
 for Linux support in a future version.
 
+<Admonition type="warning">
+VNet's VPN-like experience for app access means that any software running on
+the client machine can access Teleport apps at local DNS or IP addresses.
+
+**Avoid running VNet on shared or multi-user machines.**
+If multiple OS users share the same machine, any user could access Teleport TCP
+apps at their local VNet DNS or IP address.
+
+**Protect HTTP services behind VNet.**
+Untrusted websites can potentially use DNS rebinding attacks to bypass the
+browser’s Same-Origin Policy and issue plain HTTP requests to VNet IP addresses.
+If your Teleport cluster contains TCP apps serving plain HTTP APIs, it is
+strongly recommended to either avoid VNet or implement one or more of the
+following mitigations for DNS rebinding attacks:
+- upgrade these APIs to HTTPS or another protocol
+- enforce a Host header allowlist at the HTTP server
+- block browser access to HTTP websites
+</Admonition>
+
 ## Prerequisites
 
 <Tabs>
diff --git a/docs/pages/enroll-resources/application-access/guides/vnet.mdx b/docs/pages/enroll-resources/application-access/guides/vnet.mdx
index 6510f1bf8391e..683d757b67386 100644
--- a/docs/pages/enroll-resources/application-access/guides/vnet.mdx
+++ b/docs/pages/enroll-resources/application-access/guides/vnet.mdx
@@ -140,28 +140,38 @@ $ tsh login --proxy=leaf.example.com --user=email@example.com
 
 ### Accessing web apps through VNet
 
-VNet does not officially support [web apps](connecting-apps.mdx) yet. However, technically any web
-app is [a TCP app](tcp.mdx), so they can be made available over VNet as well. You'll need to change
-`uri` of your application in the Application Service configuration file to use `tcp://` instead of
-`http://`. There's also a couple of caveats:
+VNet does not officially support [web apps](connecting-apps.mdx) yet.
+However, since all web apps are served over TCP, it's possible to convert a web
+app to [a TCP app](tcp.mdx) to make it available via VNet.
+You'll need to change the `uri` of the application to use `tcp://` instead of `https://`.
+
+Exposing plain HTTP web apps or APIs via VNet is not recommended.
+Untrusted websites can potentially use DNS rebinding attacks to bypass the
+browser’s Same-Origin Policy and issue plain HTTP requests to VNet IP addresses.
+It is strongly recommended to either avoid VNet for plain HTTP access or
+implement one or more of the following mitigations for DNS rebinding attacks:
+- upgrade these APIs to HTTPS or another protocol
+- enforce a Host header allowlist at the HTTP server
+- block browser access to HTTP websites
+
+There are a few more caveats when converting a Teleport web app to a TCP app:
 
 - The Teleport Web UI uses [HSTS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security).
-  If the application is going to be served from a subdomain of a Proxy Service, it means that the
-  application will not be accessible in browsers over plain HTTP, even with VNet running. It's
-  possible to work around this by setting a custom `public_addr` as explained above in this guide.
-- If the application needs to be accessible over HTTPS, it must handle TLS connections and return [a valid
-  cert](connecting-apps.mdx#step-23-optional-configure-tls-and-dns-for-your-web-applications) for the domain it is served on.
-- [JWT Token](../jwt/introduction.mdx), [redirect](connecting-apps.mdx#rewrite-redirect) and
+  If the application is going to be served from a subdomain of a Proxy Service
+  it must use HTTPS, it will not be accessible in browsers over plain HTTP.
+  It's possible to work around this by setting a custom `public_addr` as explained
+  above in this guide to an address that is not a subdomain of the proxy address.
+- HTTPS Applications must handle their own TLS connections and have
+  a valid certificate for the app `public_addr`.
+- [JWT Tokens](../jwt/introduction.mdx), [redirects](connecting-apps.mdx#rewrite-redirect) and
   [header rewrites](connecting-apps.mdx#headers-passthrough) are not available for TCP apps.
 - Teleport records the start and the end of a session for TCP apps in the audit log, but [session
   chunks](../../../reference/architecture/session-recording.mdx) are not captured.
 
-When accessing an HTTP API through VNet, the same caveats apply as above, with one main exception.
-Since API clients don't need to respect HSTS, the API itself does not need to be served over HTTPS.
-
-The important thing to understand is that VNet doesn't do anything extra with a connection, other
-than passing it through a Teleport Proxy Service. Which application layer protocol is going to be
-used depends solely on the app itself and its clients.
+The important thing to understand is that VNet doesn't do anything extra with a
+TCP connection, it tunnels it directly to the target application's `uri`.
+The application layer protocol is determined solely by the app itself and its
+clients.
 
 ### Further reading
 

From 8f44b37e07e6fc6448e82211efb8e7b5b9e3ab35 Mon Sep 17 00:00:00 2001
From: Nic Klaassen <nic@goteleport.com>
Date: Fri, 18 Jul 2025 14:33:12 -0700
Subject: [PATCH 24/25] [v18][vnet] feat: SSH usage reporting

Backport #56537 to branch/v18
---
 .../vnet/v1/client_application_service.pb.go  | 62 ++++++------
 .../v1/client_application_service_grpc.pb.go  | 34 +++----
 lib/teleterm/vnet/service.go                  | 87 +++++++++++++---
 lib/teleterm/vnet/service_test.go             |  5 +
 lib/vnet/app_handler.go                       |  4 +-
 lib/vnet/app_provider.go                      |  6 +-
 lib/vnet/client_application_service.go        | 14 +--
 lib/vnet/client_application_service_client.go |  8 +-
 lib/vnet/user_process.go                      | 12 ++-
 lib/vnet/vnet_test.go                         | 99 ++++++++++++-------
 .../vnet/v1/client_application_service.proto  | 12 +--
 tool/tsh/common/vnet_client_application.go    |  9 +-
 12 files changed, 231 insertions(+), 121 deletions(-)

diff --git a/gen/proto/go/teleport/lib/vnet/v1/client_application_service.pb.go b/gen/proto/go/teleport/lib/vnet/v1/client_application_service.pb.go
index a30d0cece9171..6e007a0134f22 100644
--- a/gen/proto/go/teleport/lib/vnet/v1/client_application_service.pb.go
+++ b/gen/proto/go/teleport/lib/vnet/v1/client_application_service.pb.go
@@ -1247,8 +1247,8 @@ func (x *SignForAppResponse) GetSignature() []byte {
 	return nil
 }
 
-// OnNewConnectionRequest is a request for OnNewConnection.
-type OnNewConnectionRequest struct {
+// OnNewAppConnectionRequest is a request for OnNewAppConnection.
+type OnNewAppConnectionRequest struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// AppKey identifies the app the connection is being made for.
 	AppKey        *AppKey `protobuf:"bytes,1,opt,name=app_key,json=appKey,proto3" json:"app_key,omitempty"`
@@ -1256,20 +1256,20 @@ type OnNewConnectionRequest struct {
 	sizeCache     protoimpl.SizeCache
 }
 
-func (x *OnNewConnectionRequest) Reset() {
-	*x = OnNewConnectionRequest{}
+func (x *OnNewAppConnectionRequest) Reset() {
+	*x = OnNewAppConnectionRequest{}
 	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[20]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
 
-func (x *OnNewConnectionRequest) String() string {
+func (x *OnNewAppConnectionRequest) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 
-func (*OnNewConnectionRequest) ProtoMessage() {}
+func (*OnNewAppConnectionRequest) ProtoMessage() {}
 
-func (x *OnNewConnectionRequest) ProtoReflect() protoreflect.Message {
+func (x *OnNewAppConnectionRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[20]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -1281,39 +1281,39 @@ func (x *OnNewConnectionRequest) ProtoReflect() protoreflect.Message {
 	return mi.MessageOf(x)
 }
 
-// Deprecated: Use OnNewConnectionRequest.ProtoReflect.Descriptor instead.
-func (*OnNewConnectionRequest) Descriptor() ([]byte, []int) {
+// Deprecated: Use OnNewAppConnectionRequest.ProtoReflect.Descriptor instead.
+func (*OnNewAppConnectionRequest) Descriptor() ([]byte, []int) {
 	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{20}
 }
 
-func (x *OnNewConnectionRequest) GetAppKey() *AppKey {
+func (x *OnNewAppConnectionRequest) GetAppKey() *AppKey {
 	if x != nil {
 		return x.AppKey
 	}
 	return nil
 }
 
-// OnNewConnectionRequest is a response for OnNewConnection.
-type OnNewConnectionResponse struct {
+// OnNewAppConnectionResponse is a response for OnNewAppConnection.
+type OnNewAppConnectionResponse struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
 
-func (x *OnNewConnectionResponse) Reset() {
-	*x = OnNewConnectionResponse{}
+func (x *OnNewAppConnectionResponse) Reset() {
+	*x = OnNewAppConnectionResponse{}
 	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[21]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
 
-func (x *OnNewConnectionResponse) String() string {
+func (x *OnNewAppConnectionResponse) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 
-func (*OnNewConnectionResponse) ProtoMessage() {}
+func (*OnNewAppConnectionResponse) ProtoMessage() {}
 
-func (x *OnNewConnectionResponse) ProtoReflect() protoreflect.Message {
+func (x *OnNewAppConnectionResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[21]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -1325,8 +1325,8 @@ func (x *OnNewConnectionResponse) ProtoReflect() protoreflect.Message {
 	return mi.MessageOf(x)
 }
 
-// Deprecated: Use OnNewConnectionResponse.ProtoReflect.Descriptor instead.
-func (*OnNewConnectionResponse) Descriptor() ([]byte, []int) {
+// Deprecated: Use OnNewAppConnectionResponse.ProtoReflect.Descriptor instead.
+func (*OnNewAppConnectionResponse) Descriptor() ([]byte, []int) {
 	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{21}
 }
 
@@ -2187,10 +2187,10 @@ const file_teleport_lib_vnet_v1_client_application_service_proto_rawDesc = "" +
 	"\x0fpss_salt_length\x18\x03 \x01(\x05H\x00R\rpssSaltLength\x88\x01\x01B\x12\n" +
 	"\x10_pss_salt_length\"2\n" +
 	"\x12SignForAppResponse\x12\x1c\n" +
-	"\tsignature\x18\x01 \x01(\fR\tsignature\"O\n" +
-	"\x16OnNewConnectionRequest\x125\n" +
-	"\aapp_key\x18\x01 \x01(\v2\x1c.teleport.lib.vnet.v1.AppKeyR\x06appKey\"\x19\n" +
-	"\x17OnNewConnectionResponse\"v\n" +
+	"\tsignature\x18\x01 \x01(\fR\tsignature\"R\n" +
+	"\x19OnNewAppConnectionRequest\x125\n" +
+	"\aapp_key\x18\x01 \x01(\v2\x1c.teleport.lib.vnet.v1.AppKeyR\x06appKey\"\x1c\n" +
+	"\x1aOnNewAppConnectionResponse\"v\n" +
 	"\x19OnInvalidLocalPortRequest\x128\n" +
 	"\bapp_info\x18\x01 \x01(\v2\x1d.teleport.lib.vnet.v1.AppInfoR\aappInfo\x12\x1f\n" +
 	"\vtarget_port\x18\x02 \x01(\rR\n" +
@@ -2237,7 +2237,7 @@ const file_teleport_lib_vnet_v1_client_application_service_proto_rawDesc = "" +
 	"\x04Hash\x12\x14\n" +
 	"\x10HASH_UNSPECIFIED\x10\x00\x12\r\n" +
 	"\tHASH_NONE\x10\x01\x12\x0f\n" +
-	"\vHASH_SHA256\x10\x022\xbc\f\n" +
+	"\vHASH_SHA256\x10\x022\xc5\f\n" +
 	"\x18ClientApplicationService\x12z\n" +
 	"\x13AuthenticateProcess\x120.teleport.lib.vnet.v1.AuthenticateProcessRequest\x1a1.teleport.lib.vnet.v1.AuthenticateProcessResponse\x12\x83\x01\n" +
 	"\x16ReportNetworkStackInfo\x123.teleport.lib.vnet.v1.ReportNetworkStackInfoRequest\x1a4.teleport.lib.vnet.v1.ReportNetworkStackInfoResponse\x12M\n" +
@@ -2245,8 +2245,8 @@ const file_teleport_lib_vnet_v1_client_application_service_proto_rawDesc = "" +
 	"\vResolveFQDN\x12(.teleport.lib.vnet.v1.ResolveFQDNRequest\x1a).teleport.lib.vnet.v1.ResolveFQDNResponse\x12k\n" +
 	"\x0eReissueAppCert\x12+.teleport.lib.vnet.v1.ReissueAppCertRequest\x1a,.teleport.lib.vnet.v1.ReissueAppCertResponse\x12_\n" +
 	"\n" +
-	"SignForApp\x12'.teleport.lib.vnet.v1.SignForAppRequest\x1a(.teleport.lib.vnet.v1.SignForAppResponse\x12n\n" +
-	"\x0fOnNewConnection\x12,.teleport.lib.vnet.v1.OnNewConnectionRequest\x1a-.teleport.lib.vnet.v1.OnNewConnectionResponse\x12w\n" +
+	"SignForApp\x12'.teleport.lib.vnet.v1.SignForAppRequest\x1a(.teleport.lib.vnet.v1.SignForAppResponse\x12w\n" +
+	"\x12OnNewAppConnection\x12/.teleport.lib.vnet.v1.OnNewAppConnectionRequest\x1a0.teleport.lib.vnet.v1.OnNewAppConnectionResponse\x12w\n" +
 	"\x12OnInvalidLocalPort\x12/.teleport.lib.vnet.v1.OnInvalidLocalPortRequest\x1a0.teleport.lib.vnet.v1.OnInvalidLocalPortResponse\x12\x89\x01\n" +
 	"\x18GetTargetOSConfiguration\x125.teleport.lib.vnet.v1.GetTargetOSConfigurationRequest\x1a6.teleport.lib.vnet.v1.GetTargetOSConfigurationResponse\x12b\n" +
 	"\vUserTLSCert\x12(.teleport.lib.vnet.v1.UserTLSCertRequest\x1a).teleport.lib.vnet.v1.UserTLSCertResponse\x12k\n" +
@@ -2291,8 +2291,8 @@ var file_teleport_lib_vnet_v1_client_application_service_proto_goTypes = []any{
 	(*SignForAppRequest)(nil),                // 18: teleport.lib.vnet.v1.SignForAppRequest
 	(*SignRequest)(nil),                      // 19: teleport.lib.vnet.v1.SignRequest
 	(*SignForAppResponse)(nil),               // 20: teleport.lib.vnet.v1.SignForAppResponse
-	(*OnNewConnectionRequest)(nil),           // 21: teleport.lib.vnet.v1.OnNewConnectionRequest
-	(*OnNewConnectionResponse)(nil),          // 22: teleport.lib.vnet.v1.OnNewConnectionResponse
+	(*OnNewAppConnectionRequest)(nil),        // 21: teleport.lib.vnet.v1.OnNewAppConnectionRequest
+	(*OnNewAppConnectionResponse)(nil),       // 22: teleport.lib.vnet.v1.OnNewAppConnectionResponse
 	(*OnInvalidLocalPortRequest)(nil),        // 23: teleport.lib.vnet.v1.OnInvalidLocalPortRequest
 	(*OnInvalidLocalPortResponse)(nil),       // 24: teleport.lib.vnet.v1.OnInvalidLocalPortResponse
 	(*GetTargetOSConfigurationRequest)(nil),  // 25: teleport.lib.vnet.v1.GetTargetOSConfigurationRequest
@@ -2323,7 +2323,7 @@ var file_teleport_lib_vnet_v1_client_application_service_proto_depIdxs = []int32
 	14, // 9: teleport.lib.vnet.v1.SignForAppRequest.app_key:type_name -> teleport.lib.vnet.v1.AppKey
 	19, // 10: teleport.lib.vnet.v1.SignForAppRequest.sign:type_name -> teleport.lib.vnet.v1.SignRequest
 	0,  // 11: teleport.lib.vnet.v1.SignRequest.hash:type_name -> teleport.lib.vnet.v1.Hash
-	14, // 12: teleport.lib.vnet.v1.OnNewConnectionRequest.app_key:type_name -> teleport.lib.vnet.v1.AppKey
+	14, // 12: teleport.lib.vnet.v1.OnNewAppConnectionRequest.app_key:type_name -> teleport.lib.vnet.v1.AppKey
 	13, // 13: teleport.lib.vnet.v1.OnInvalidLocalPortRequest.app_info:type_name -> teleport.lib.vnet.v1.AppInfo
 	27, // 14: teleport.lib.vnet.v1.GetTargetOSConfigurationResponse.target_os_configuration:type_name -> teleport.lib.vnet.v1.TargetOSConfiguration
 	15, // 15: teleport.lib.vnet.v1.UserTLSCertResponse.dial_options:type_name -> teleport.lib.vnet.v1.DialOptions
@@ -2335,7 +2335,7 @@ var file_teleport_lib_vnet_v1_client_application_service_proto_depIdxs = []int32
 	8,  // 21: teleport.lib.vnet.v1.ClientApplicationService.ResolveFQDN:input_type -> teleport.lib.vnet.v1.ResolveFQDNRequest
 	16, // 22: teleport.lib.vnet.v1.ClientApplicationService.ReissueAppCert:input_type -> teleport.lib.vnet.v1.ReissueAppCertRequest
 	18, // 23: teleport.lib.vnet.v1.ClientApplicationService.SignForApp:input_type -> teleport.lib.vnet.v1.SignForAppRequest
-	21, // 24: teleport.lib.vnet.v1.ClientApplicationService.OnNewConnection:input_type -> teleport.lib.vnet.v1.OnNewConnectionRequest
+	21, // 24: teleport.lib.vnet.v1.ClientApplicationService.OnNewAppConnection:input_type -> teleport.lib.vnet.v1.OnNewAppConnectionRequest
 	23, // 25: teleport.lib.vnet.v1.ClientApplicationService.OnInvalidLocalPort:input_type -> teleport.lib.vnet.v1.OnInvalidLocalPortRequest
 	25, // 26: teleport.lib.vnet.v1.ClientApplicationService.GetTargetOSConfiguration:input_type -> teleport.lib.vnet.v1.GetTargetOSConfigurationRequest
 	28, // 27: teleport.lib.vnet.v1.ClientApplicationService.UserTLSCert:input_type -> teleport.lib.vnet.v1.UserTLSCertRequest
@@ -2349,7 +2349,7 @@ var file_teleport_lib_vnet_v1_client_application_service_proto_depIdxs = []int32
 	9,  // 35: teleport.lib.vnet.v1.ClientApplicationService.ResolveFQDN:output_type -> teleport.lib.vnet.v1.ResolveFQDNResponse
 	17, // 36: teleport.lib.vnet.v1.ClientApplicationService.ReissueAppCert:output_type -> teleport.lib.vnet.v1.ReissueAppCertResponse
 	20, // 37: teleport.lib.vnet.v1.ClientApplicationService.SignForApp:output_type -> teleport.lib.vnet.v1.SignForAppResponse
-	22, // 38: teleport.lib.vnet.v1.ClientApplicationService.OnNewConnection:output_type -> teleport.lib.vnet.v1.OnNewConnectionResponse
+	22, // 38: teleport.lib.vnet.v1.ClientApplicationService.OnNewAppConnection:output_type -> teleport.lib.vnet.v1.OnNewAppConnectionResponse
 	24, // 39: teleport.lib.vnet.v1.ClientApplicationService.OnInvalidLocalPort:output_type -> teleport.lib.vnet.v1.OnInvalidLocalPortResponse
 	26, // 40: teleport.lib.vnet.v1.ClientApplicationService.GetTargetOSConfiguration:output_type -> teleport.lib.vnet.v1.GetTargetOSConfigurationResponse
 	29, // 41: teleport.lib.vnet.v1.ClientApplicationService.UserTLSCert:output_type -> teleport.lib.vnet.v1.UserTLSCertResponse
diff --git a/gen/proto/go/teleport/lib/vnet/v1/client_application_service_grpc.pb.go b/gen/proto/go/teleport/lib/vnet/v1/client_application_service_grpc.pb.go
index e153a98dd6646..1be07457d7424 100644
--- a/gen/proto/go/teleport/lib/vnet/v1/client_application_service_grpc.pb.go
+++ b/gen/proto/go/teleport/lib/vnet/v1/client_application_service_grpc.pb.go
@@ -41,7 +41,7 @@ const (
 	ClientApplicationService_ResolveFQDN_FullMethodName              = "/teleport.lib.vnet.v1.ClientApplicationService/ResolveFQDN"
 	ClientApplicationService_ReissueAppCert_FullMethodName           = "/teleport.lib.vnet.v1.ClientApplicationService/ReissueAppCert"
 	ClientApplicationService_SignForApp_FullMethodName               = "/teleport.lib.vnet.v1.ClientApplicationService/SignForApp"
-	ClientApplicationService_OnNewConnection_FullMethodName          = "/teleport.lib.vnet.v1.ClientApplicationService/OnNewConnection"
+	ClientApplicationService_OnNewAppConnection_FullMethodName       = "/teleport.lib.vnet.v1.ClientApplicationService/OnNewAppConnection"
 	ClientApplicationService_OnInvalidLocalPort_FullMethodName       = "/teleport.lib.vnet.v1.ClientApplicationService/OnInvalidLocalPort"
 	ClientApplicationService_GetTargetOSConfiguration_FullMethodName = "/teleport.lib.vnet.v1.ClientApplicationService/GetTargetOSConfiguration"
 	ClientApplicationService_UserTLSCert_FullMethodName              = "/teleport.lib.vnet.v1.ClientApplicationService/UserTLSCert"
@@ -77,9 +77,9 @@ type ClientApplicationServiceClient interface {
 	// SignForApp issues a signature with the private key associated with an x509
 	// certificate previously issued for a requested app.
 	SignForApp(ctx context.Context, in *SignForAppRequest, opts ...grpc.CallOption) (*SignForAppResponse, error)
-	// OnNewConnection gets called whenever a new connection is about to be
+	// OnNewAppConnection gets called whenever a new app connection is about to be
 	// established through VNet for observability.
-	OnNewConnection(ctx context.Context, in *OnNewConnectionRequest, opts ...grpc.CallOption) (*OnNewConnectionResponse, error)
+	OnNewAppConnection(ctx context.Context, in *OnNewAppConnectionRequest, opts ...grpc.CallOption) (*OnNewAppConnectionResponse, error)
 	// OnInvalidLocalPort gets called before VNet refuses to handle a connection
 	// to a multi-port TCP app because the provided port does not match any of the
 	// TCP ports in the app spec.
@@ -168,10 +168,10 @@ func (c *clientApplicationServiceClient) SignForApp(ctx context.Context, in *Sig
 	return out, nil
 }
 
-func (c *clientApplicationServiceClient) OnNewConnection(ctx context.Context, in *OnNewConnectionRequest, opts ...grpc.CallOption) (*OnNewConnectionResponse, error) {
+func (c *clientApplicationServiceClient) OnNewAppConnection(ctx context.Context, in *OnNewAppConnectionRequest, opts ...grpc.CallOption) (*OnNewAppConnectionResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(OnNewConnectionResponse)
-	err := c.cc.Invoke(ctx, ClientApplicationService_OnNewConnection_FullMethodName, in, out, cOpts...)
+	out := new(OnNewAppConnectionResponse)
+	err := c.cc.Invoke(ctx, ClientApplicationService_OnNewAppConnection_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -274,9 +274,9 @@ type ClientApplicationServiceServer interface {
 	// SignForApp issues a signature with the private key associated with an x509
 	// certificate previously issued for a requested app.
 	SignForApp(context.Context, *SignForAppRequest) (*SignForAppResponse, error)
-	// OnNewConnection gets called whenever a new connection is about to be
+	// OnNewAppConnection gets called whenever a new app connection is about to be
 	// established through VNet for observability.
-	OnNewConnection(context.Context, *OnNewConnectionRequest) (*OnNewConnectionResponse, error)
+	OnNewAppConnection(context.Context, *OnNewAppConnectionRequest) (*OnNewAppConnectionResponse, error)
 	// OnInvalidLocalPort gets called before VNet refuses to handle a connection
 	// to a multi-port TCP app because the provided port does not match any of the
 	// TCP ports in the app spec.
@@ -323,8 +323,8 @@ func (UnimplementedClientApplicationServiceServer) ReissueAppCert(context.Contex
 func (UnimplementedClientApplicationServiceServer) SignForApp(context.Context, *SignForAppRequest) (*SignForAppResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method SignForApp not implemented")
 }
-func (UnimplementedClientApplicationServiceServer) OnNewConnection(context.Context, *OnNewConnectionRequest) (*OnNewConnectionResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method OnNewConnection not implemented")
+func (UnimplementedClientApplicationServiceServer) OnNewAppConnection(context.Context, *OnNewAppConnectionRequest) (*OnNewAppConnectionResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method OnNewAppConnection not implemented")
 }
 func (UnimplementedClientApplicationServiceServer) OnInvalidLocalPort(context.Context, *OnInvalidLocalPortRequest) (*OnInvalidLocalPortResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method OnInvalidLocalPort not implemented")
@@ -477,20 +477,20 @@ func _ClientApplicationService_SignForApp_Handler(srv interface{}, ctx context.C
 	return interceptor(ctx, in, info, handler)
 }
 
-func _ClientApplicationService_OnNewConnection_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(OnNewConnectionRequest)
+func _ClientApplicationService_OnNewAppConnection_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(OnNewAppConnectionRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
-		return srv.(ClientApplicationServiceServer).OnNewConnection(ctx, in)
+		return srv.(ClientApplicationServiceServer).OnNewAppConnection(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: ClientApplicationService_OnNewConnection_FullMethodName,
+		FullMethod: ClientApplicationService_OnNewAppConnection_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(ClientApplicationServiceServer).OnNewConnection(ctx, req.(*OnNewConnectionRequest))
+		return srv.(ClientApplicationServiceServer).OnNewAppConnection(ctx, req.(*OnNewAppConnectionRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }
@@ -653,8 +653,8 @@ var ClientApplicationService_ServiceDesc = grpc.ServiceDesc{
 			Handler:    _ClientApplicationService_SignForApp_Handler,
 		},
 		{
-			MethodName: "OnNewConnection",
-			Handler:    _ClientApplicationService_OnNewConnection_Handler,
+			MethodName: "OnNewAppConnection",
+			Handler:    _ClientApplicationService_OnNewAppConnection_Handler,
 		},
 		{
 			MethodName: "OnInvalidLocalPort",
diff --git a/lib/teleterm/vnet/service.go b/lib/teleterm/vnet/service.go
index 748ef53224511..12f18e80a6ad8 100644
--- a/lib/teleterm/vnet/service.go
+++ b/lib/teleterm/vnet/service.go
@@ -530,11 +530,25 @@ func (p *clientApplication) GetDialOptions(ctx context.Context, profileName stri
 	return dialOpts, nil
 }
 
-// OnNewConnection submits a usage event once per clientApplication lifetime.
-// That is, if a user makes multiple connections to a single app, OnNewConnection submits a single
+// OnNewSSHSession submits a usage event for a new SSH session.
+func (p *clientApplication) OnNewSSHSession(ctx context.Context, profileName, targetClusterName string) {
+	// Enqueue the event from a separate goroutine since we don't care about errors anyway and we also
+	// don't want to slow down VNet connections.
+	go func() {
+		// Not passing ctx to ReportSSHSession since ctx is tied to the
+		// lifetime of a short-lived API call, inheriting the context could
+		// interrupt reporting.
+		if err := p.usageReporter.ReportSSHSession(profileName, targetClusterName); err != nil {
+			log.ErrorContext(ctx, "Failed to submit SSH usage event")
+		}
+	}()
+}
+
+// OnNewAppConnection submits an app usage event once per clientApplication lifetime.
+// That is, if a user makes multiple connections to a single app, OnNewAppConnection submits a single
 // event. This is to mimic how Connect submits events for its app gateways. This lets us compare
 // popularity of VNet and app gateways.
-func (p *clientApplication) OnNewConnection(ctx context.Context, appKey *vnetv1.AppKey) error {
+func (p *clientApplication) OnNewAppConnection(ctx context.Context, appKey *vnetv1.AppKey) error {
 	// Enqueue the event from a separate goroutine since we don't care about errors anyway and we also
 	// don't want to slow down VNet connections.
 	go func() {
@@ -542,9 +556,8 @@ func (p *clientApplication) OnNewConnection(ctx context.Context, appKey *vnetv1.
 
 		// Not passing ctx to ReportApp since ctx is tied to the lifetime of the connection.
 		// If it's a short-lived connection, inheriting its context would interrupt reporting.
-		err := p.usageReporter.ReportApp(uri)
-		if err != nil {
-			log.ErrorContext(ctx, "Failed to submit usage event", "app", uri, "error", err)
+		if err := p.usageReporter.ReportApp(uri); err != nil {
+			log.ErrorContext(ctx, "Failed to submit app usage event", "app", uri, "error", err)
 		}
 	}()
 
@@ -606,6 +619,7 @@ func (p *clientApplication) OnInvalidLocalPort(ctx context.Context, appInfo *vne
 
 type usageReporter interface {
 	ReportApp(uri.ResourceURI) error
+	ReportSSHSession(profileName, rootClusterName string) error
 	Stop()
 }
 
@@ -675,6 +689,51 @@ func newDaemonUsageReporter(cfg daemonUsageReporterConfig) (*daemonUsageReporter
 	}, nil
 }
 
+// ReportSSHSession adds an event for a new SSH session to the events queue.
+// It reports a new event for each new SSH session, in contrast to ReportApp
+// which only reports each unique app once, to align with how Connect reports
+// usage events for SSH sessions.
+func (r *daemonUsageReporter) ReportSSHSession(profileName, rootClusterName string) error {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
+	if r.closed.Load() {
+		return trace.CompareFailed("usage reporter has been stopped")
+	}
+
+	rootClusterURI := uri.NewClusterURI(profileName)
+	_, tc, err := r.cfg.ClientCache.ResolveClusterURI(rootClusterURI)
+	if err != nil {
+		return trace.Wrap(err)
+	}
+
+	clusterID, ok := r.cfg.ClusterIDCache.Load(rootClusterURI)
+	if !ok {
+		return trace.NotFound("cluster ID for %q not found", rootClusterURI)
+	}
+
+	log.DebugContext(context.Background(), "Reporting SSH usage event", "profile", profileName, "root_cluster", rootClusterName)
+	if err := r.cfg.EventConsumer.ReportUsageEvent(&apiteleterm.ReportUsageEventRequest{
+		AuthClusterId: clusterID,
+		PrehogReq: &prehogv1alpha.SubmitConnectEventRequest{
+			DistinctId: r.cfg.InstallationID,
+			Timestamp:  timestamppb.Now(),
+			Event: &prehogv1alpha.SubmitConnectEventRequest_ProtocolUse{
+				ProtocolUse: &prehogv1alpha.ConnectProtocolUseEvent{
+					ClusterName:   rootClusterName,
+					UserName:      tc.Username,
+					Protocol:      "ssh",
+					Origin:        "vnet",
+					AccessThrough: "vnet",
+				},
+			},
+		},
+	}); err != nil {
+		return trace.Wrap(err, "adding SSH usage event to queue")
+	}
+	return nil
+}
+
 // ReportApp adds an event related to the given app to the events queue, if the app wasn't reported
 // already. Only one invocation of ReportApp can be in flight at a time.
 func (r *daemonUsageReporter) ReportApp(appURI uri.ResourceURI) error {
@@ -716,9 +775,9 @@ func (r *daemonUsageReporter) ReportApp(appURI uri.ResourceURI) error {
 		return trace.NotFound("cluster ID for %q not found", rootClusterURI)
 	}
 
-	log.DebugContext(ctx, "Reporting usage event", "app", appURI.String())
+	log.DebugContext(ctx, "Reporting app usage event", "app", appURI.String())
 
-	err = r.cfg.EventConsumer.ReportUsageEvent(&apiteleterm.ReportUsageEventRequest{
+	if err := r.cfg.EventConsumer.ReportUsageEvent(&apiteleterm.ReportUsageEventRequest{
 		AuthClusterId: clusterID,
 		PrehogReq: &prehogv1alpha.SubmitConnectEventRequest{
 			DistinctId: r.cfg.InstallationID,
@@ -733,9 +792,8 @@ func (r *daemonUsageReporter) ReportApp(appURI uri.ResourceURI) error {
 				},
 			},
 		},
-	})
-	if err != nil {
-		return trace.Wrap(err, "adding usage event to queue")
+	}); err != nil {
+		return trace.Wrap(err, "adding app usage event to queue")
 	}
 
 	r.reportedApps[appURI.String()] = struct{}{}
@@ -762,7 +820,12 @@ func (r *daemonUsageReporter) Stop() {
 type disabledTelemetryUsageReporter struct{}
 
 func (r *disabledTelemetryUsageReporter) ReportApp(appURI uri.ResourceURI) error {
-	log.DebugContext(context.Background(), "Skipping usage event, usage reporting is turned off", "app", appURI.String())
+	log.DebugContext(context.Background(), "Skipping app usage event, usage reporting is turned off", "app", appURI.String())
+	return nil
+}
+
+func (r *disabledTelemetryUsageReporter) ReportSSHSession(profileName, rootClusterName string) error {
+	log.DebugContext(context.Background(), "Skipping SSH usage event, usage reporting is turned off", "profile", profileName, "root_cluster", rootClusterName)
 	return nil
 }
 
diff --git a/lib/teleterm/vnet/service_test.go b/lib/teleterm/vnet/service_test.go
index 58fba75e2afe9..b97c73acdcfdf 100644
--- a/lib/teleterm/vnet/service_test.go
+++ b/lib/teleterm/vnet/service_test.go
@@ -77,6 +77,11 @@ func TestDaemonUsageReporter(t *testing.T) {
 	err = usageReporter.ReportApp(clusterWithoutClusterID.AppendApp("bar"))
 	require.ErrorIs(t, err, trace.NotFound("cluster ID for \"/clusters/no-cluster-id\" not found"))
 	require.Equal(t, 1, eventConsumer.EventCount())
+
+	// Verify that reporting an SSH session works.
+	err = usageReporter.ReportSSHSession(validCluster.GetProfileName(), "foo")
+	require.NoError(t, err)
+	require.Equal(t, 2, eventConsumer.EventCount())
 }
 
 func TestDaemonUsageReporter_Stop(t *testing.T) {
diff --git a/lib/vnet/app_handler.go b/lib/vnet/app_handler.go
index aa0e2d7fee8b7..aefa77fed33f1 100644
--- a/lib/vnet/app_handler.go
+++ b/lib/vnet/app_handler.go
@@ -165,7 +165,7 @@ func (i *appCertIssuer) IssueCert(ctx context.Context) (tls.Certificate, error)
 }
 
 // localProxyMiddleware wraps around [client.CertChecker] and additionally makes it so that its
-// OnNewConnection method calls the same method of [appProvider].
+// OnNewConnection method calls OnNewAppConnection on [appProvider].
 type localProxyMiddleware struct {
 	appKey      *vnetv1.AppKey
 	certChecker *client.CertChecker
@@ -177,7 +177,7 @@ func (m *localProxyMiddleware) OnNewConnection(ctx context.Context, lp *alpnprox
 	if err != nil {
 		return trace.Wrap(err)
 	}
-	return trace.Wrap(m.appProvider.OnNewConnection(ctx, m.appKey))
+	return trace.Wrap(m.appProvider.OnNewAppConnection(ctx, m.appKey))
 }
 
 func (m *localProxyMiddleware) OnStart(ctx context.Context, lp *alpnproxy.LocalProxy) error {
diff --git a/lib/vnet/app_provider.go b/lib/vnet/app_provider.go
index 113b0cbafc38d..c8ec1e8d3e269 100644
--- a/lib/vnet/app_provider.go
+++ b/lib/vnet/app_provider.go
@@ -74,9 +74,9 @@ func (p *appProvider) newAppCertSigner(cert []byte, appKey *vnetv1.AppKey, targe
 	}, nil
 }
 
-// OnNewConnection reports a new TCP connection to the target app.
-func (p *appProvider) OnNewConnection(ctx context.Context, appKey *vnetv1.AppKey) error {
-	if err := p.clt.OnNewConnection(ctx, appKey); err != nil {
+// OnNewAppConnection reports a new TCP connection to the target app.
+func (p *appProvider) OnNewAppConnection(ctx context.Context, appKey *vnetv1.AppKey) error {
+	if err := p.clt.OnNewAppConnection(ctx, appKey); err != nil {
 		return trace.Wrap(err)
 	}
 	return nil
diff --git a/lib/vnet/client_application_service.go b/lib/vnet/client_application_service.go
index 4aeeac71bbd5e..94f58a48c3baa 100644
--- a/lib/vnet/client_application_service.go
+++ b/lib/vnet/client_application_service.go
@@ -217,13 +217,11 @@ func (s *clientApplicationService) getSignerForApp(appKey *vnetv1.AppKey, target
 	return signer, ok
 }
 
-// OnNewConnection gets called whenever a new connection is about to be
+// OnNewAppConnection gets called whenever a new app connection is about to be
 // established through VNet for observability.
-func (s *clientApplicationService) OnNewConnection(ctx context.Context, req *vnetv1.OnNewConnectionRequest) (*vnetv1.OnNewConnectionResponse, error) {
-	if err := s.cfg.clientApplication.OnNewConnection(ctx, req.GetAppKey()); err != nil {
-		return nil, trace.Wrap(err)
-	}
-	return &vnetv1.OnNewConnectionResponse{}, nil
+func (s *clientApplicationService) OnNewAppConnection(ctx context.Context, req *vnetv1.OnNewAppConnectionRequest) (*vnetv1.OnNewAppConnectionResponse, error) {
+	s.cfg.clientApplication.OnNewAppConnection(ctx, req.GetAppKey())
+	return &vnetv1.OnNewAppConnectionResponse{}, nil
 }
 
 // OnInvalidLocalPort gets called before VNet refuses to handle a connection
@@ -373,6 +371,10 @@ func (s *clientApplicationService) SessionSSHConfig(ctx context.Context, req *vn
 		return nil, trace.Errorf("user KeyRing host no trusted SSH CAs for cluster %s", targetCluster)
 	}
 	sessionID := s.setSignerForSSHSession(keyRing.SSHPrivateKey)
+
+	// Submit usage event.
+	s.cfg.clientApplication.OnNewSSHSession(ctx, req.GetProfile(), req.GetRootCluster())
+
 	return &vnetv1.SessionSSHConfigResponse{
 		SessionId:  sessionID,
 		Cert:       sshCert.Marshal(),
diff --git a/lib/vnet/client_application_service_client.go b/lib/vnet/client_application_service_client.go
index 72d6c33b68f53..ffee0471ba349 100644
--- a/lib/vnet/client_application_service_client.go
+++ b/lib/vnet/client_application_service_client.go
@@ -134,13 +134,13 @@ func (c *clientApplicationServiceClient) SignForApp(ctx context.Context, req *vn
 	return resp.GetSignature(), nil
 }
 
-// OnNewConnection reports a new TCP connection to the target app.
-func (c *clientApplicationServiceClient) OnNewConnection(ctx context.Context, appKey *vnetv1.AppKey) error {
-	_, err := c.clt.OnNewConnection(ctx, &vnetv1.OnNewConnectionRequest{
+// OnNewAppConnection reports a new TCP connection to the target app.
+func (c *clientApplicationServiceClient) OnNewAppConnection(ctx context.Context, appKey *vnetv1.AppKey) error {
+	_, err := c.clt.OnNewAppConnection(ctx, &vnetv1.OnNewAppConnectionRequest{
 		AppKey: appKey,
 	})
 	if err != nil {
-		return trace.Wrap(err, "calling OnNewConnection rpc")
+		return trace.Wrap(err, "calling OnNewAppConnection rpc")
 	}
 	return nil
 }
diff --git a/lib/vnet/user_process.go b/lib/vnet/user_process.go
index f0c502f18e822..b74a662d60098 100644
--- a/lib/vnet/user_process.go
+++ b/lib/vnet/user_process.go
@@ -52,13 +52,17 @@ type ClientApplication interface {
 	// GetDialOptions returns ALPN dial options for the profile.
 	GetDialOptions(ctx context.Context, profileName string) (*vnetv1.DialOptions, error)
 
-	// OnNewConnection gets called whenever a new connection is about to be established through VNet.
-	// By the time OnNewConnection, VNet has already verified that the user holds a valid cert for the
+	// OnNewSSHSession should be called whenever a new SSH session is about to be
+	// started, after getting the user SSH certificate for the session.
+	OnNewSSHSession(ctx context.Context, profileName, rootClusterName string)
+
+	// OnNewAppConnection gets called whenever a new app connection is about to be established through VNet.
+	// By the time OnNewAppConnection, VNet has already verified that the user holds a valid cert for the
 	// app.
 	//
-	// The connection won't be established until OnNewConnection returns. Returning an error prevents
+	// The connection won't be established until OnNewAppConnection returns. Returning an error prevents
 	// the connection from being made.
-	OnNewConnection(ctx context.Context, appKey *vnetv1.AppKey) error
+	OnNewAppConnection(ctx context.Context, appKey *vnetv1.AppKey) error
 
 	// OnInvalidLocalPort gets called before VNet refuses to handle a connection to a multi-port TCP app
 	// because the provided port does not match any of the TCP ports in the app spec.
diff --git a/lib/vnet/vnet_test.go b/lib/vnet/vnet_test.go
index 07f6075aed119..405a466a14919 100644
--- a/lib/vnet/vnet_test.go
+++ b/lib/vnet/vnet_test.go
@@ -365,7 +365,8 @@ type fakeClientApp struct {
 	teleportHostCA ssh.Signer
 	teleportUserCA ssh.Signer
 
-	onNewConnectionCallCount    atomic.Uint32
+	onNewSSHSessionCallCount    atomic.Uint32
+	onNewAppConnectionCallCount atomic.Uint32
 	onInvalidLocalPortCallCount atomic.Uint32
 	// requestedRouteToApps indexed by public address.
 	requestedRouteToApps   map[string][]*proto.RouteToApp
@@ -565,8 +566,12 @@ func (p *fakeClientApp) GetVnetConfig(ctx context.Context, profileName, leafClus
 	return cfg, nil
 }
 
-func (p *fakeClientApp) OnNewConnection(_ context.Context, _ *vnetv1.AppKey) error {
-	p.onNewConnectionCallCount.Add(1)
+func (p *fakeClientApp) OnNewSSHSession(ctx context.Context, profileName, rootClusterName string) {
+	p.onNewSSHSessionCallCount.Add(1)
+}
+
+func (p *fakeClientApp) OnNewAppConnection(_ context.Context, _ *vnetv1.AppKey) error {
+	p.onNewAppConnectionCallCount.Add(1)
 	return nil
 }
 
@@ -1037,9 +1042,9 @@ func testEchoConnection(t *testing.T, conn net.Conn) {
 	}
 }
 
-// TestOnNewConnection tests that the client applications OnNewConnection method
+// TestOnNewAppConnection tests that the client applications OnNewAppConnection method
 // is called when a user connects to a valid TCP app.
-func TestOnNewConnection(t *testing.T) {
+func TestOnNewAppConnection(t *testing.T) {
 	t.Parallel()
 	ctx, cancel := context.WithCancel(context.Background())
 	t.Cleanup(cancel)
@@ -1067,19 +1072,19 @@ func TestOnNewConnection(t *testing.T) {
 		fakeClientApp: clientApp,
 	})
 
-	// Attempt to establish a connection to an invalid app and verify that OnNewConnection was not
+	// Attempt to establish a connection to an invalid app and verify that OnNewAppConnection was not
 	// called.
 	lookupCtx, lookupCtxCancel := context.WithTimeout(ctx, 200*time.Millisecond)
 	defer lookupCtxCancel()
 	_, err := p.lookupHost(lookupCtx, invalidAppName)
 	require.Error(t, err, "Expected lookup of an invalid app to fail")
-	require.Equal(t, uint32(0), clientApp.onNewConnectionCallCount.Load())
+	require.Equal(t, uint32(0), clientApp.onNewAppConnectionCallCount.Load())
 
-	// Establish a connection to a valid app and verify that OnNewConnection was called.
+	// Establish a connection to a valid app and verify that OnNewAppConnection was called.
 	conn, err := p.dialHost(ctx, validAppName, 80 /* bogus port */)
 	require.NoError(t, err)
 	t.Cleanup(func() { require.NoError(t, conn.Close()) })
-	require.Equal(t, uint32(1), clientApp.onNewConnectionCallCount.Load())
+	require.Equal(t, uint32(1), clientApp.onNewAppConnectionCallCount.Load())
 }
 
 // TestWithAlgorithmSuites tests basic VNet functionality with each signature
@@ -1230,6 +1235,15 @@ func TestSSH(t *testing.T) {
 	badUserSigner, err := ssh.NewSignerFromSigner(badUserKey)
 	require.NoError(t, err)
 
+	// Check that each successful SSH session is reported to the client
+	// application, do this in a t.Cleanup func so that the check runs after
+	// all parallel subtests have completed.
+	var expectReportedSSHSessions atomic.Uint32
+	t.Cleanup(func() {
+		assert.Equal(t, expectReportedSSHSessions.Load(), clientApp.onNewSSHSessionCallCount.Load(),
+			"OnNewSSHSession call count does not match the expected number of reported SSH sessions")
+	})
+
 	for _, tc := range []struct {
 		dialAddr                 string
 		dialPort                 int
@@ -1240,22 +1254,25 @@ func TestSSH(t *testing.T) {
 		sshUserSigner            ssh.Signer
 		expectSSHHandshakeToFail bool
 		expectBannerMessages     []string
+		expectSSHSessionReported bool
 	}{
 		{
 			// Connection to node in root cluster should work.
-			dialAddr:      "node.root1.example.com",
-			dialPort:      22,
-			expectCIDR:    root1CIDR,
-			sshUser:       "testuser",
-			sshUserSigner: sshUserSigner,
+			dialAddr:                 "node.root1.example.com",
+			dialPort:                 22,
+			expectCIDR:               root1CIDR,
+			sshUser:                  "testuser",
+			sshUserSigner:            sshUserSigner,
+			expectSSHSessionReported: true,
 		},
 		{
 			// Fully-qualified hostname should also work.
-			dialAddr:      "node.root1.example.com.",
-			dialPort:      22,
-			expectCIDR:    root1CIDR,
-			sshUser:       "testuser",
-			sshUserSigner: sshUserSigner,
+			dialAddr:                 "node.root1.example.com.",
+			dialPort:                 22,
+			expectCIDR:               root1CIDR,
+			sshUser:                  "testuser",
+			sshUserSigner:            sshUserSigner,
+			expectSSHSessionReported: true,
 		},
 		{
 			// Dial should fail on non-standard SSH port.
@@ -1297,32 +1314,40 @@ func TestSSH(t *testing.T) {
 				"VNet: access denied to denyuser connecting to node\n",
 			},
 			expectSSHHandshakeToFail: true,
+			// The session should be reported because VNet successfully got a
+			// Teleport user SSH cert for this session and made the SSH dial to
+			// the target, only then the target SSH server rejected the
+			// connection.
+			expectSSHSessionReported: true,
 		},
 		{
 			// Connection to node in leaf cluster should work.
-			dialAddr:      "node.leaf1.example.com",
-			dialPort:      22,
-			expectCIDR:    leaf1CIDR,
-			sshUser:       "testuser",
-			sshUserSigner: sshUserSigner,
+			dialAddr:                 "node.leaf1.example.com",
+			dialPort:                 22,
+			expectCIDR:               leaf1CIDR,
+			sshUser:                  "testuser",
+			sshUserSigner:            sshUserSigner,
+			expectSSHSessionReported: true,
 		},
 		{
 			// Connection to node in root cluster in alternate profile should
 			// work.
-			dialAddr:      "node.root2.example.com",
-			dialPort:      22,
-			expectCIDR:    root2CIDR,
-			sshUser:       "testuser",
-			sshUserSigner: sshUserSigner,
+			dialAddr:                 "node.root2.example.com",
+			dialPort:                 22,
+			expectCIDR:               root2CIDR,
+			sshUser:                  "testuser",
+			sshUserSigner:            sshUserSigner,
+			expectSSHSessionReported: true,
 		},
 		{
 			// Connection to node in leaf cluster in alternate profile should
 			// work.
-			dialAddr:      "node.leaf2.example.com",
-			dialPort:      22,
-			expectCIDR:    leaf2CIDR,
-			sshUser:       "testuser",
-			sshUserSigner: sshUserSigner,
+			dialAddr:                 "node.leaf2.example.com",
+			dialPort:                 22,
+			expectCIDR:               leaf2CIDR,
+			sshUser:                  "testuser",
+			sshUserSigner:            sshUserSigner,
+			expectSSHSessionReported: true,
 		},
 		{
 			// DNS lookup should fail if the FQDN doesn't match any cluster.
@@ -1342,6 +1367,10 @@ func TestSSH(t *testing.T) {
 		t.Run(fmt.Sprintf("%s@%s:%d", tc.sshUser, tc.dialAddr, tc.dialPort), func(t *testing.T) {
 			t.Parallel()
 
+			if tc.expectSSHSessionReported {
+				expectReportedSSHSessions.Add(1)
+			}
+
 			if tc.expectLookupToFail {
 				// In these cases the DNS lookup is expected to fail, just run the DNS lookup.
 				ctx, cancel := context.WithTimeout(ctx, 100*time.Millisecond)
@@ -1400,6 +1429,7 @@ func TestSSH(t *testing.T) {
 					return nil
 				},
 			}
+
 			sshConn, chans, reqs, err := ssh.NewClientConn(conn, fmt.Sprintf("%s:%d", tc.dialAddr, tc.dialPort), clientConfig)
 			assert.Equal(t, tc.expectBannerMessages, bannerMessages, "actual banner messages did not match the expected")
 			if tc.expectSSHHandshakeToFail {
@@ -1433,6 +1463,7 @@ func TestSSH(t *testing.T) {
 			sshConn, _, _, err := ssh.NewClientConn(conn, "node.root1.example.com:22", clientConfig)
 			require.NoError(t, err)
 			sshConn.Close()
+			expectReportedSSHSessions.Add(1)
 		}
 		require.Len(t, checkedHostCerts, connections)
 		for i := range connections - 1 {
diff --git a/proto/teleport/lib/vnet/v1/client_application_service.proto b/proto/teleport/lib/vnet/v1/client_application_service.proto
index 85625f7b693cc..b8193a53ff4fa 100644
--- a/proto/teleport/lib/vnet/v1/client_application_service.proto
+++ b/proto/teleport/lib/vnet/v1/client_application_service.proto
@@ -44,9 +44,9 @@ service ClientApplicationService {
   // SignForApp issues a signature with the private key associated with an x509
   // certificate previously issued for a requested app.
   rpc SignForApp(SignForAppRequest) returns (SignForAppResponse);
-  // OnNewConnection gets called whenever a new connection is about to be
+  // OnNewAppConnection gets called whenever a new app connection is about to be
   // established through VNet for observability.
-  rpc OnNewConnection(OnNewConnectionRequest) returns (OnNewConnectionResponse);
+  rpc OnNewAppConnection(OnNewAppConnectionRequest) returns (OnNewAppConnectionResponse);
   // OnInvalidLocalPort gets called before VNet refuses to handle a connection
   // to a multi-port TCP app because the provided port does not match any of the
   // TCP ports in the app spec.
@@ -262,14 +262,14 @@ message SignForAppResponse {
   bytes signature = 1;
 }
 
-// OnNewConnectionRequest is a request for OnNewConnection.
-message OnNewConnectionRequest {
+// OnNewAppConnectionRequest is a request for OnNewAppConnection.
+message OnNewAppConnectionRequest {
   // AppKey identifies the app the connection is being made for.
   AppKey app_key = 1;
 }
 
-// OnNewConnectionRequest is a response for OnNewConnection.
-message OnNewConnectionResponse {}
+// OnNewAppConnectionResponse is a response for OnNewAppConnection.
+message OnNewAppConnectionResponse {}
 
 // OnInvalidLocalPortRequest is a request for OnInvalidLocalPort.
 message OnInvalidLocalPortRequest {
diff --git a/tool/tsh/common/vnet_client_application.go b/tool/tsh/common/vnet_client_application.go
index cbffa21f90fd1..a4e8c9a87241f 100644
--- a/tool/tsh/common/vnet_client_application.go
+++ b/tool/tsh/common/vnet_client_application.go
@@ -134,9 +134,14 @@ func (p *vnetClientApplication) GetDialOptions(ctx context.Context, profileName
 	return dialOpts, nil
 }
 
-// OnNewConnection gets called before each VNet connection. It's a noop as tsh doesn't need to do
+// OnNewSSHSession gets called before each VNet SSH connection. It's a noop as
+// tsh doesn't need to do anything extra here.
+func (p *vnetClientApplication) OnNewSSHSession(ctx context.Context, profileName, rootClusterName string) {
+}
+
+// OnNewAppConnection gets called before each VNet app connection. It's a noop as tsh doesn't need to do
 // anything extra here.
-func (p *vnetClientApplication) OnNewConnection(_ context.Context, _ *vnetv1.AppKey) error {
+func (p *vnetClientApplication) OnNewAppConnection(_ context.Context, _ *vnetv1.AppKey) error {
 	return nil
 }
 

From 5b913a42a882047ef791ae46212d5c3567185824 Mon Sep 17 00:00:00 2001
From: Nic Klaassen <nic@goteleport.com>
Date: Mon, 21 Jul 2025 09:49:45 -0700
Subject: [PATCH 25/25] [v18][vnet] fix: mask default IP route on windows

Backport #56957 to branch/v18
---
 lib/vnet/osconfig.go               |  2 ++
 lib/vnet/osconfig_provider.go      | 25 ++++++++++++++-----------
 lib/vnet/osconfig_provider_test.go | 10 ++++++----
 lib/vnet/osconfig_windows.go       |  9 +++++++--
 4 files changed, 29 insertions(+), 17 deletions(-)

diff --git a/lib/vnet/osconfig.go b/lib/vnet/osconfig.go
index c27336fe33c17..307b3363f0170 100644
--- a/lib/vnet/osconfig.go
+++ b/lib/vnet/osconfig.go
@@ -18,6 +18,7 @@ package vnet
 
 import (
 	"context"
+	"net"
 	"net/netip"
 	"os/exec"
 	"strings"
@@ -29,6 +30,7 @@ import (
 type osConfig struct {
 	tunName    string
 	tunIPv4    string
+	tunIPv4Net *net.IPNet
 	tunIPv6    string
 	cidrRanges []string
 	dnsAddrs   []string
diff --git a/lib/vnet/osconfig_provider.go b/lib/vnet/osconfig_provider.go
index a2f4bbf4233bd..64975a762d121 100644
--- a/lib/vnet/osconfig_provider.go
+++ b/lib/vnet/osconfig_provider.go
@@ -29,10 +29,11 @@ import (
 // osConfigProvider fetches a target OS configuration based on cluster
 // configuration fetched via the client application process available over gRPC.
 type osConfigProvider struct {
-	cfg      osConfigProviderConfig
-	dnsAddrs []string
-	tunIPv6  string
-	tunIPv4  string
+	cfg        osConfigProviderConfig
+	dnsAddrs   []string
+	tunIPv6    string
+	tunIPv4    string
+	tunIPv4Net *net.IPNet
 }
 
 // osConfigProviderConfig holds configuration parameters for an osConfigProvider.
@@ -78,6 +79,7 @@ func (p *osConfigProvider) targetOSConfig(ctx context.Context) (*osConfig, error
 		tunName:    p.cfg.tunName,
 		tunIPv6:    p.tunIPv6,
 		tunIPv4:    p.tunIPv4,
+		tunIPv4Net: p.tunIPv4Net,
 		dnsAddrs:   p.dnsAddrs,
 		dnsZones:   targetOSConfig.GetDnsZones(),
 		cidrRanges: targetOSConfig.GetIpv4CidrRanges(),
@@ -89,7 +91,7 @@ func (p *osConfigProvider) setV4IPsFromFirstCIDR(cidrRange string) error {
 		// Only set these once.
 		return nil
 	}
-	tunIPv4, dnsIPv4, err := ipsForCIDR(cidrRange)
+	tunIPv4, tunIPv4Net, dnsIPv4, err := ipsForCIDR(cidrRange)
 	if err != nil {
 		return trace.Wrap(err, "setting TUN IPv4 address for range %s", cidrRange)
 	}
@@ -97,25 +99,26 @@ func (p *osConfigProvider) setV4IPsFromFirstCIDR(cidrRange string) error {
 		return trace.Wrap(err, "adding IPv4 DNS server at %s", dnsIPv4.String())
 	}
 	p.tunIPv4 = tunIPv4.String()
+	p.tunIPv4Net = tunIPv4Net
 	p.dnsAddrs = append(p.dnsAddrs, dnsIPv4.String())
 	return nil
 }
 
 // ipsForCIDR returns the V4 IPs to assign to the interface and use for DNS in
 // cidrRange.
-func ipsForCIDR(cidrRange string) (tunIP net.IP, dnsIP net.IP, err error) {
-	_, ipnet, err := net.ParseCIDR(cidrRange)
+func ipsForCIDR(cidrRange string) (tunIP net.IP, tunIPNet *net.IPNet, dnsIP net.IP, err error) {
+	_, tunIPNet, err = net.ParseCIDR(cidrRange)
 	if err != nil {
-		return nil, nil, trace.Wrap(err, "parsing CIDR %q", cidrRange)
+		return nil, nil, nil, trace.Wrap(err, "parsing CIDR %q", cidrRange)
 	}
-	// ipnet.IP is the network address, ending in 0s, like 100.64.0.0
+	// tunIPNet.IP is the network address, ending in 0s, like 100.64.0.0
 	// Add 1 to assign the TUN address, like 100.64.0.1
-	tunIP = ipnet.IP
+	tunIP = slices.Clone(tunIPNet.IP)
 	tunIP[len(tunIP)-1]++
 
 	// Add 1 again to assign the DNS address, like 100.64.0.2
 	dnsIP = slices.Clone(tunIP)
 	dnsIP[len(dnsIP)-1]++
 
-	return tunIP, dnsIP, nil
+	return tunIP, tunIPNet, dnsIP, nil
 }
diff --git a/lib/vnet/osconfig_provider_test.go b/lib/vnet/osconfig_provider_test.go
index dd4014fd6123d..e368524ee465e 100644
--- a/lib/vnet/osconfig_provider_test.go
+++ b/lib/vnet/osconfig_provider_test.go
@@ -65,8 +65,9 @@ func TestOSConfigProvider(t *testing.T) {
 			expectTargetOSConfig: &osConfig{
 				tunName: "testtun1",
 				// Should be the first non-broadcast address in the CIDR range.
-				tunIPv4: "192.168.1.1",
-				tunIPv6: "fd01:2345:6789::1",
+				tunIPv4:    "192.168.1.1",
+				tunIPv4Net: &net.IPNet{IP: []byte{192, 168, 1, 0}, Mask: []byte{255, 255, 255, 0}},
+				tunIPv6:    "fd01:2345:6789::1",
 				// Should include the second non-broadcast address in the CIDR range.
 				dnsAddrs:   []string{"fd01:2345:6789::2", "192.168.1.2"},
 				dnsZones:   []string{"test.example.com"},
@@ -79,15 +80,16 @@ func TestOSConfigProvider(t *testing.T) {
 			ipv6Prefix:     "fd01:2345:6789::",
 			dnsIPv6:        "fd01:2345:6789::2",
 			dnsZones:       []string{"test.example.com"},
-			ipv4CIDRRanges: []string{"10.64.0.0/16", "192.168.1.0/24"},
+			ipv4CIDRRanges: []string{"10.64.0.0/10", "192.168.1.0/24"},
 			expectTargetOSConfig: &osConfig{
 				tunName: "testtun1",
 				// Should be chosen from the first CIDR range.
 				tunIPv4:    "10.64.0.1",
+				tunIPv4Net: &net.IPNet{IP: []byte{10, 64, 0, 0}, Mask: []byte{255, 192, 0, 0}},
 				tunIPv6:    "fd01:2345:6789::1",
 				dnsAddrs:   []string{"fd01:2345:6789::2", "10.64.0.2"},
 				dnsZones:   []string{"test.example.com"},
-				cidrRanges: []string{"10.64.0.0/16", "192.168.1.0/24"},
+				cidrRanges: []string{"10.64.0.0/10", "192.168.1.0/24"},
 			},
 		},
 	} {
diff --git a/lib/vnet/osconfig_windows.go b/lib/vnet/osconfig_windows.go
index 6ce2df16eb698..b480d2d7a5a67 100644
--- a/lib/vnet/osconfig_windows.go
+++ b/lib/vnet/osconfig_windows.go
@@ -68,8 +68,9 @@ func platformConfigureOS(ctx context.Context, cfg *osConfig, state *platformOSCo
 		if !state.configuredV4Address {
 			log.InfoContext(ctx, "Setting IPv4 address for the TUN device",
 				"device", cfg.tunName, "address", cfg.tunIPv4)
+			netMask := maskForIPNet(cfg.tunIPv4Net)
 			if err := runCommand(ctx,
-				"netsh", "interface", "ip", "set", "address", cfg.tunName, "static", cfg.tunIPv4,
+				"netsh", "interface", "ip", "set", "address", cfg.tunName, "static", cfg.tunIPv4, netMask,
 			); err != nil {
 				return trace.Wrap(err)
 			}
@@ -126,7 +127,11 @@ func addrMaskForCIDR(cidr string) (string, string, error) {
 	if err != nil {
 		return "", "", trace.Wrap(err, "parsing CIDR range %s", cidr)
 	}
-	return ipNet.IP.String(), net.IP(ipNet.Mask).String(), nil
+	return ipNet.IP.String(), maskForIPNet(ipNet), nil
+}
+
+func maskForIPNet(ipNet *net.IPNet) string {
+	return net.IP(ipNet.Mask).String()
 }
 
 const (