From 0894c770ee41e34846003ecc65836aa5833244f5 Mon Sep 17 00:00:00 2001
From: Luke Curley <kixelated@gmail.com>
Date: Mon, 28 Jul 2025 11:12:54 -0700
Subject: [PATCH 1/2] Add a blog for TLS.

---
 src/pages/blog/tls-and-quic.mdx | 295 ++++++++++++++++++++++++++++++++
 1 file changed, 295 insertions(+)
 create mode 100644 src/pages/blog/tls-and-quic.mdx

diff --git a/src/pages/blog/tls-and-quic.mdx b/src/pages/blog/tls-and-quic.mdx
new file mode 100644
index 0000000..f4d53d0
--- /dev/null
+++ b/src/pages/blog/tls-and-quic.mdx
@@ -0,0 +1,295 @@
+---
+layout: "@/layouts/global.astro"
+title: TLS and QUIC: A Masochist's Guide
+author: kixelated
+description: Setting up TLS is a pain, but it's a requirement for HTTPS. QUIC and WebTransport introduce even more pain so it's time to be a masochist.
+cover: "/blog/replacing-webrtc/artifact.png"
+date: 2025-07-28
+---
+
+
+# TLS and QUIC: A Masochist's Guide
+I hope you're having a great day.
+The sun is about to shine brighter.
+I was inspired by Helios himself to write about the riveting topic of TLS and QUIC.
+
+In my opinion, the most difficult part about QUIC is setting up a different protocol: QUIC *requires* TLS.
+If you screw it up, you'll get a scary ERROR screen and users won't be able to connect.
+This guide also applies to HTTPS and WebTransport... with some important distinctions.
+
+
+tl;dr
+- TLS authenticates who is allowed to serve `example.com` via certificates.
+- Root CAs issue certificates to those who can prove it via DNS.
+- Cloud offerings don't support QUIC yet, so that rules out the easy options.
+- TLS is hell for local development, _especially_ for WebTransport.
+
+
+## About Me
+I'm not a security engineer but I have dabbled in the low-level protocols.
+For some unbeknownst reason, I've implemented both DTLS 1.2 (for WebRTC) and TLS 1.3 (for QUIC)... in Go.
+Both were undoubtedly insecure but somehow passed the security audit and served production traffic for weeks... before getting the `rm -rf` treatment.
+
+When in doubt, always refer to the nerds who take security seriously and use the correct terminology.
+I understand a lot of the security primitives but I don't exactly have the LinkedIn Professional Certificates to back it up.
+
+
+## Why TLS?
+*Some boring background, feel free to skip ahead.*
+
+TLS is a client-server protocol that is used to verify the identity of the server (and optionally the client: mTLS) before establishing an encrypted connection.
+When a client connects to `example.com`, the server transmits proof that it "owns" `example.com`.
+This proof is in the form of a TLS certificate (technically [X.509](https://en.wikipedia.org/wiki/X.509)) which can be used to "sign" stuff by solving a math problem that is super super difficult without access to a "private key".
+TLS certificates can be used to sign other TLS certificates creating a "chain of trust".
+
+Without TLS, an attacker could intercept your traffic and pretend to be `example.com` to harvest your credentials, called a "man-in-the-middle" (MITM) attack.
+Imagine if your router, ISP, or fellow coffee shop customer could pretend to be your bank.
+Bad times ahead.
+
+QUIC requires [TLS 1.3](https://datatracker.ietf.org/doc/html/rfc8446).
+There is no way to disable encryption but depending on the client, you can modify certificate validation.
+The IETF grey-beards decreed that the protocol can never be insecure, lest a lowly application developer shoot themselves in the foot.
+
+- HTTP/3, WebTransport, and of course, Media over QUIC all use QUIC under the hood so all of this applies.
+- HTTP/2 *technically* does not require TLS but browsers require it as a forcing function.
+- HTTP/1 is the lone exception, allowing you to choose if you want to connect to `http://example.com` (insecure) or `https://example.com` (TLS).
+
+Not only is TLS required when using newer protocols, it's often required when using newer browser APIs.
+[Secure Context APIs](https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts/features_restricted_to_secure_contexts) require using TLS or a localhost connection.
+Want to do literally anything? Then you need to use HTTPS.
+
+So yeah, browser vendors don't want you to make a security oopsie whoopsie and thus, effectively mandate TLS
+But there's very little reason to use an insecure connection anyway so suck it up and let some cloud provider handle TLS for you.
+
+...unless you're one of the early birds using QUIC...
+
+*ominous foreshadowing*
+
+
+# Certificate Validation
+At a high level, a TLS connection is established via:
+
+1. The client connects to `example.com` and sends a `ClientHello`.
+  - The client (usually) sends the domain via a [SNI extension](https://en.wikipedia.org/wiki/Server_Name_Indication).
+2. The server transmits a `ServerHello` along with a TLS certificate signed for `example.com`.
+  - The server can use SNI to choose the certificate to serve.
+3. The client verifies that the TLS certificate is for `example.com`.
+4. The client verifies that the TLS certificate was signed/created by a "root CA".
+
+
+What is a root CA?
+Your browser and operating system ship with a list of trusted entities that are authorized to issue certificates.
+It's like having a list of approved locksmith companies that can make keys for any house.
+The list changes over time as these companies are audited or catastrophically compromised.
+If you've ever had to `apt install ca-certificates` when setting up a Docker image, this is why.
+
+One of the interesting things about TLS is that the client can choose how to verify the provided TLS certificate.
+There's no requirement that you use these provided root CAs, or a root CA at all.
+You can make the protocol as secure/insecure as you want if you have enough control over the client.
+
+So in order to run a QUIC server on the internet, you need to get access to a certificate signed for a specific domain name (or IP address).
+If your server listens on `example.com`, then we need to prove to some root CA that you own `example.com`
+
+
+## Cloud Offerings
+The easiest option unfortunately doesn't work for QUIC.
+Poop.
+
+Virtually every cloud provider offers HTTPS support.
+You point your domain name at their load balancer and they procure a TLS certificate.
+But I glossed over something, there's actually two parts to a "TLS certificate": the private key and the certificate.
+
+None of these services actually give you, the customer, the private key.
+Instead, they run a HTTPS or TLS load balancer that terminates TLS and proxies unencrypted traffic to your backend.
+It's done for simplicity and security, they don't want you having access to the keys.
+
+This won't work for QUIC until cloud providers start offering QUIC load balancers (one day).
+Welcome to UDP protocols; they're barely supported on cloud platforms because TCP and HTTP is so widespread.
+At least there's hope for QUIC support in the future *because* it powers HTTP/3.
+
+
+## LetsEncrypt
+The recommended path is to use the glorious [LetsEncrypt](https://letsencrypt.org/) to get a certificate.
+It's free, it's painless, and it's highly recommended by yours truly.
+There are paid offerings too, but there's really not much point using them since LetsEncrypt became a thing.
+
+How this works is that you need to somehow prove to LetsEncrypt that you own a specific domain and then they'll give you a certificate valid for 90 days.
+"owning" a domain in this context means you control the ability to add DNS records.
+This could be in the form of an A record that points to an IP address you own or a TXT record with some token.
+
+There are a few different [challenge types](https://letsencrypt.org/docs/challenge-types/):
+- *HTTP-01*: Host a HTTP endpoint (not using TLS) that returns a specified token on the specified path. You own the domain if it points to your HTTP server.
+- *DNS-01*: Create a DNS record with a specified token. You own the domain if you can create this TXT record; no server required.
+- *TLS-ALPN-01*: Host a TLS endpoint that returns a specified token during the TLS handshake. Same idea as HTTP-01, but often more convenient because no HTTP server is required.
+
+This cert generation can be automated via [certbot](https://certbot.eff.org/) or any [ACME library](https://letsencrypt.org/docs/client-options/#libraries).
+It's a little bit annoying because of the 90 day expiration; any long-lived servers will need to periodically restart or reload certificates
+
+## ACME
+It would be remiss of me to not mention that LetsEncrypt uses [ACME v2](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment).
+You don't need to use `certbot` and in fact you could integrate ACME directly into your workflow.
+
+In fact, I'm using a **not recommended** [terraform module](https://github.com/vancluever/terraform-provider-acme) to generate certificates for `relay.quic.video`.
+It's not recommended because if I forget to run terraform every so often, then oops, my certificate will expire and users can no longer connect to my server.
+
+I'm also considering using a [ACME library](https://crates.io/crates/instant-acme) within `moq-relay` itself to provision a TLS certificate on startup and every 90 days.
+This makes it a lot easier to use cloud providers as you don't need to fumble with background services (in Docker, ew) and reloading the server whenever a new certificate is generated.
+The downside is being unable to generate wildcard certificates as those require DNS challenges.
+
+
+# Private Networks
+Anyway, we've talked a lot about the internet, but what about the intranet?
+
+The problem with a service like LetsEncrypt is that it requires our server to be public.
+What if we're running our own private network or just developing an application locally?
+If LetsEncrypt can't connect to our private network, then it can't give us a TLS certificate.
+
+Additionally, LetsEncrypt requires a domain name and potentially a public IP.
+These aren't expensive but it's not something you can reasonably ask developers to purchase just to try running your code.
+
+Remember when I said the client was responsible for verifying a certificate however it sees fit?
+If we control the QUIC client, then we can change that behavior.
+
+**NOTE**: None of this currently applies to WebTransport as we don't have enough control of the browser client.
+See the next section!
+
+
+## Disable Verification
+The most obvious thing the client can do is skip verification altogether.
+There's usually a **DANGER** warning associated and **DANGER** indeed.
+
+If you skip certificate validation, your connection will still be encrypted but now it's vulnerable to a MITM attack.
+The server still has to present a certificate, but the client will blindly accept *any* certificate.
+Even if it was generated nanoseconds ago, was riddled with typos, and claimed to be `pornhub.com`: doesn't matter.
+
+`moq-relay` supports the [--tls-disable-verify](https://github.com/kixelated/moq/blob/becf50263488ded6bb26c4cbc3d1ffd14ab11f5b/rs/moq-native/src/client.rs#L22) by [jumping through a few hoops with rustls](https://github.com/kixelated/moq/blob/becf50263488ded6bb26c4cbc3d1ffd14ab11f5b/rs/moq-native/src/client.rs#L202).
+There's similar flags in most CLI tools, like curl's `--insecure` flag.
+
+
+## Custom Root CAs
+Instead of using a "trusted" root CA that ships with the browser or operating system, we can use our own.
+We can trivially generate our *own* root CA which can then be used to sign our *own* certificates.
+No more depending on FAANG, we are our own auditor now.
+
+This is arguably safer than using public roots because our own client can be configured to ONLY accept our certificates.
+It doesn't matter if one of the many public CAs gets hacked as long as our root is kept under lock and key.
+But note that you're now responsible for a lot more infrastructure, like the ability to revoke compromised certificates.
+
+The catch is that we need to configure clients to trust our root CA.
+This normally requires admin/root access, and can be done at an operating system or browser level.
+But you only have to do it once per root CA and then you're golden.
+
+This is the secret behind a tool like [mkcert](https://github.com/FiloSottile/mkcert).
+It's a tool that allows you to use `https` in local development seemingly via black magic.
+The first time you run it, `mkcert` generates a root CA and adds it to the system and browser's trusted roots.
+Afterwards, you can freely generate new leaf certificates on demand (without root) that are automatically trusted.
+
+Custom roots are often used in enterprise and VPN software.
+When you install the VPN, or as part of a managed IT solution, it'll include some root CAs for you to trust.
+
+Side note, I highly recommend using private CAs and mTLS for service-to-service connections.
+It's about as `dank` as one can get when designing distributed systems.
+There are [cloud offerings](https://aws.amazon.com/private-ca/) available, and unlike public CAs, they actually give you the private key so it works for QUIC.
+
+
+## Certificate Hashes
+WebRTC also uses TLS (technically DTLS) even when establishing a peer-to-peer connection.
+How does this work?
+
+Both peers generate a ECDSA certificate (fast compared to RSA) and compute its hash.
+They then send the hash as part of the SDP exchange to some secure middle-man (usually a HTTPS server).
+Yes, you do use a server even when establishing a peer-to-peer connection unless you're a freak who exchanges TLS certificates via USB drive.
+
+The peers draw straws and one of them assumes the role of the ~bottom~ server for the TLS handshake.
+Both sides transmit a TLS certificate (mTLS) and verify that the hash matches the exchanged hash.
+Ta-da, connection established.
+
+The same approach can be used for QUIC both peer-to-peer and client-to-server.
+We're effectively just trusting individual certificates (by hash) instead of a root CA.
+Just like root CAs, you **need** to secure the transfer of trusted certificates otherwise you're vulnerable to MITM attacks.
+
+Here's some rustls configuration that [validates certificates based on hash](https://github.com/kixelated/web-transport-rs/blob/3e656ca4e89c60c6c3b45fda6e4c67db7c9b2ec2/web-transport-quinn/src/client.rs#L232).
+It's not the prettiest code but it works.
+
+
+# WebTransport
+Unfortunately, Chrome's implementation of WebTransport leaves a lot to be desired.
+Rant incoming, grab some popcorn.
+
+**NOTE**: Firefox is spared from this rant because I haven't tested it.
+Safari is spared because they haven't implemented WebTransport yet...
+
+
+## Disable Certificate Validation
+There's a Chrome flag that apparently lets you disable certificate validation for WebTransport: [chrome://flags/#webtransport-developer-mode](chrome://flags/#webtransport-developer-mode)
+>When enabled, removes the requirement that all certificates used for WebTransport over HTTP/3 are issued by a known certificate root. – Mac, Windows, Linux, ChromeOS, Android
+
+If the description is to be trusted, this would mean disabling certificate validation on every website (that uses WebTransport) which is just a horrific thought.
+This is the equivalent to silently disabling `https` on every website via a benign developer flag.
+I sincerely hope that the description is just wrong and this only applies to `localhost` or something; somebody should test it.
+
+If you're having trouble with the TLS handshake then absolutely turn it on and **don't forget to turn it off afterwards**.
+Not many sites use WebTransport right now but it would be super awkward when they do.
+
+
+## Custom Roots
+Chrome currently doesn't support custom root CAs for WebTransport.
+I've reported the issue multiple times to the WebTransport developer but it's apparently by design?
+
+It's quite baffling, because you can use custom roots for HTTP/3 but not WebTransport... which uses HTTP/3.
+There's literally no reason why it should use different certificate validation logic.
+Just call the same function!
+
+This is an unfortunate "bug" as it rules out tools like `mkcert`.
+Local development and private networks need to use another approach.
+
+
+## serverCertificateHashes
+There was this awkward "Certificate Hashes" section earlier talking about WebRTC.
+That's because WebTransport supports [providing a list of certificate hashes](https://developer.mozilla.org/en-US/docs/Web/API/WebTransport/WebTransport#servercertificatehashes) for a similar approach.
+
+Unfortunately, there are some strings attached.
+The certificates MUST be valid for less than 14 days and MUST use ECDSA.
+Apparently 2 weeks is the sweet spot between "secure" and "annoying as fuck".
+
+These are good restrictions so you can't be lazy and ship the hash of some long-lived certificate with your application.
+However it means we absolutely need to figure out how to rotate certificates because 14 days is not a lot of time.
+Additionally, we need a secure mechanism to transmit our certificate hashes otherwise we're the major of MITM town.
+
+So in practice, you have to run a TLS web server, often on the same port, just to distribute TLS certificates for WebTransport.
+It makes the "feature" quite frustrating in practice and make connection establishment more expensive (time and cpu).
+
+## Local Development
+So what's the best approach if you want to use WebTransport in development?
+Unfortunately, I think `serverCertificateHashes` is the best (right now) as it doesn't require browser configuration.
+
+`moq-relay` listens on TCP and UDP.
+- The server [generates a TLS certificate](https://github.com/kixelated/moq/blob/becf50263488ded6bb26c4cbc3d1ffd14ab11f5b/rs/moq-native/src/server.rs#L241) on startup
+- The TCP socket is used to host a web server with a [/certificate.sha256](https://github.com/kixelated/moq/blob/becf50263488ded6bb26c4cbc3d1ffd14ab11f5b/rs/moq-relay/src/web.rs#L44) route.
+- The UDP socket is used to host a QUIC/WebTransport server.
+
+The client has to first establish a HTTP connection to [fetch the certificate hash](https://github.com/kixelated/moq/blob/becf50263488ded6bb26c4cbc3d1ffd14ab11f5b/js/moq/src/lite/connection.ts#L225).
+Then it can [connect to the WebTransport server](https://github.com/kixelated/moq/blob/becf50263488ded6bb26c4cbc3d1ffd14ab11f5b/js/moq/src/lite/connection.ts#L231) using the provided hash.
+
+This only works on `localhost` because it uses an insecure HTTP fetch to get the certificate hashes.
+We also don't care about certificate rotation because you can just restart the localhost server after 14 days
+
+But if you want to use WebTransport on a private network, oof.
+You'll need to configure the web server to serve HTTPS using your own root CA just to deliver ephemeral certificate hashes.
+You can even return the hash of *exact same TLS certificate* used to establish the HTTPS connection, but now WebTransport will work.
+And of course, you'll need a mechanism to rotate these certificates as they're only valid for 14 days tops.
+
+
+# Finished
+TLS is not too bad in production once you realize it's all about proving that you own a domain.
+There's a lot of existing tooling and resources out there.
+
+But it's a pain in the butt for non-public servers, as the whole "chain of trust" thing doesn't work any longer.
+WebTransport makes life even more difficult.
+Please Mr Google, add support for root CAs already, it should be like a single line of code to reuse the same CAs as HTTP.
+
+Want to commiserate about TLS pain?
+Join the [MoQ Discord](https://discord.gg/FCYF3p99mr) or even the [rustls Discord](https://discord.gg/MCSB76RU96).
+
+Written by [@kixelated](https://github.com/kixelated).
+![@kixelated](/blog/avatar.png)

From 67a3ac60e7d91e47a34cfe8cdc61f0235165a5f3 Mon Sep 17 00:00:00 2001
From: Luke Curley <kixelated@gmail.com>
Date: Mon, 28 Jul 2025 12:35:26 -0700
Subject: [PATCH 2/2] More changes to the TLS blog.

---
 public/blog/tls-and-quic/warning.png | Bin 0 -> 52256 bytes
 src/pages/blog/tls-and-quic.mdx      | 142 +++++++++++++++------------
 2 files changed, 78 insertions(+), 64 deletions(-)
 create mode 100644 public/blog/tls-and-quic/warning.png

diff --git a/public/blog/tls-and-quic/warning.png b/public/blog/tls-and-quic/warning.png
new file mode 100644
index 0000000000000000000000000000000000000000..e98740d99eebd4532697e6c2c16cabe65aa76024
GIT binary patch
literal 52256
zcmeEuWmg^B(lsGC!8Z^#?(QzZHx}Gof;&NjJHcIpySuvucXtUc!67)jn{)3u=l+EE
z!}Ec`7)|$D)g`lL)v6{$URE3l0f+zr0f8hbA*u)g0ciyR@y;6#27KjOARz+$3*Jsb
z!vO*U#o+DdU6DYcIRpd|grumD@;BYz?XdA=3$FP%yQR2hY#yAG=j-lg?YCqQ=xjvP
zvC|TyV`=GAqo?C3YuvT&&J$^KqmjR)azsM_NN_!95C(84sEJGgx9g8VXAG&$x9%|t
zm<jl3I2s8F33Hx=3S~znOpK@QIA<M?trdNror}e6#Jb=<z9ZF#3im-{g2WFKbQ$<F
ziq8u9KbPU)lB--v{=G>os~3&Q;Q0KV{q0{5{rA?MJ?{Um@^--&S-dNtycc$G?SI#T
zPu+jp=I_OM@ZMoGAQKX~O#F`w6jmAU|Gojd{(&8o^dgUk&+4bYg#`Z*ED-Yl3G`pH
z{hx;Z&xiiMjxxbY;sXdM(Nx;cxn>?C6-70=04F4Ig^5yy*=G~>Bh96E&korCK#4Cm
zs4Ku)_SeGLV~*L*V1?OEa)p`4RRz@-(Gq6!W6u)cjh<G7Tjo6Db!O^6U{Ym5qTj<Y
zu+8t`p~mK+>Y}VeIfr)9aO6h?ToVsnX;G-#%*<>0WZKU$AhNrH``^$>W`+9Q%b_+I
z79T-CR^#l9ukra-d?4I5*HCsIMR9BOU!mABz)-~vbQ#SQ(ZkZvn$3E@Wnt*<1TtJX
zgysAPne-z>!Ll<1=~yhCyRx`2(7Ie5Wz9B`iY~eh<DcdJyWAY&+j1Y}q_Yj(gMAV(
z$CxrtOS1xujpdU4zhBZv{Ed>n8Y18Y=d;E-?2NamfFy%ioz1w0JoumT;A0n7cRlO=
zQNUz37!~Us?2M-I`15&7tau_)=luYKGkYfgfp#!zmTA1*^0jTi`8ZSzCAC9JbxGnK
z97{wC&VSXx1Zjx{NnvFTw7o1t%ACVgS;*){%AbtDtFWXJPyHWd?-A+u%okJ>aLf9_
z@Up26w5S4HigGShwt3k*WK#)78kzsW_+=j-cr9E(f(@zs!bt2{q-lFc&x)rem*Sl6
zZ(fCPsvo<{jsS$#AGtSr{+k2@O~I>kjBG=61NnIwm{k^k&ODrziM?M?&N;nBj3kSx
zQ1s*K8=yl;W3>J6yJh*KG8v@qc7Ob&ULdbRV;1jFzAuB&9#+;)nQ-!J>&w|)cf^Un
z2>$KvznYB{0&5oQdrnREXi_1Kgnrf?g-)*mo1H8B(F+lO#hJ@o(Q)mU1nV9BUHeo?
zh+aDWMn>y@bXkW5HsJggw<|jdkKAcwKc^)s5fO9wZMMbit&dkxea1qG!bDiy>-f<Z
z;}GQr9Xt;vt=|1(;NO@{2F_|G=4}0qs#)FHB+5vrr(TqyFpQPKp7}gES^h68qKjgP
zJcVv~$y&H6nx=;r9vc66Sylwtj$<&302j3^A*ZhweXU|f2<^IFmbMjccxbtIwV3Px
z4k?}Hf6ZFT3E5tHyFE5G6LFd=_+EvbO1YCMke^2B06(r^;z)D&Ae+yUl#&|3F|6YJ
zHb&;E62lJ#z`X3ORDJJgBY&>*ui8|J!KSAnvs@@<C{tlGLp7UxuAZ%@#njI7c^|x%
z9Q!LW?W1@+g%Co**iB)A!cTVA)TbRWW9O63dM+2OFv6*%e+j{IxQ|Q@JxrQrc9CHq
z5@G!@4TdlDT`N*%B~LDFa2ZlR6hkzZikMFoCi`VIH>Fk>?7vS>8oW8PoghuBgbr`{
zSCIeueu6_p79?;gPkdombuKFCdLpX<Q-!~auEiFSuqTP-AD84o2HQ>*DI|E|Tyjmp
zICl%t*%Pdae3n3(A|KTy!2rw7Co{#T<(AMKkYxf2aM#Up&hUZfA5tRt2<AVQXnTe$
zBYCb8{(|qNv!y~;9!HI$yA~@#ueA%CFxJkn)%d%hv|`L>$Nu3q>Yv`8>u%a|;qVB0
zngA*j9Jq2b2qbWPg>fn`if%<db5%&EV+o_7GH}$xXu$fA&uH+sgOmRCXjS+L<G?G7
zIbTbMyx%IVve!}W5Uy%|S%mdM6T0xk43Dj=kT`SLDT8+-H2t@adVhx$m_~8EIUE<+
zoKt>9I-OH_=ccgYkRSDRO!57+ghyDErb6#R`99{Z6^3~j!gRR`Q<#lSf^|^u;mqHr
zcO(Nt11nx)jA32{^^&#1u`8%xvb1mcdP8)EI`{kWE6}Lt*h}qbnU};JCA2($L~U*@
zI_o|9pZ|fEQo^@2KF$mmNDY0J{t83^)ChqB3uLlaW6h?;L{UKHxA344nr54`+7>Z|
zVj8%tr(gDQzsEPZJxl&UI;KXj<z=wF(ei%HB=n1zbKB!8WS0m}J}#CtjG`_r70n+|
zD$L%>doUadx@FRFgsBqyu4o#ko<=|L{T)N;p+4{{Y~m(qYy>6J^2&_y*ZA){Q-GL1
zR&6{=VfN%_>-WL&dmLv}c}B2ni#vSA<mE^z4&K&5!t=*}CGm}XOH@1}xomhM`vBMv
zsB_$RpV7)DYHWRgs-k~_X-+ypM)V16jr-&&prN6}g`ac%L&x((u4j$}OZ)%QSBLL!
zvQ!bSDEY#Ko{#RzD0ahmm1|}*0s@_|R@Dn;J6iK9^3i|WJ1zu!F(#BVX(}s}=E7<i
zr}kGp0RDa>{4g-i#)<eVdCM<cPJa_@I4u+NbOA)OuVJtRg*HgVLD%2Hrzlny2k84h
z%)97~yAJsR6%ZylrLd=W3?J?OUPnwH`OVePpQc3eD}H$=&Yklr>340ClV~aShH7r~
zk~rOld6cK|A^3?!cl!~l=A5F`Oq_a&-xevYA4TD9DEIB8Z{-ff-2D1GUU;y5VKlmU
z8n+#$YD;o>zRLjy#)QfrPpCA{m164gI_n)XLmu#+5`veGNqjDObFY=pwn@HHnIVl2
zG+Ha0EEO@rLO*-m1ymHN?NnO!X%p?b{|%!|kmcZnTMo}A9vLt4O2Ivx<o5yVNfhdL
z#3lCc2lWn{1(n>RF%ngEd8KzSAhm9z<tt})5_Sn)5oo+mRkTN)<%?`u9gY0c|HNoA
zEtC~HeF&eEfOzDHY;0I4yPXC(mC=lOw})nIS>W;U;!CPyrJvt<k!^1wjohl+%wf#L
zzuArl9t<t9xy<%yv-RO*&3EZY+A1Lr@GQv$dbCUa#orBh#;zPbM}A277{A&`<vCbq
za~k(AD`+6mk28aB8nWcDw+d<rnkM(I@wLP)($Tn;XK4Ht_obHH;^U6xrbUXFfO>tn
z%KYJ7^Ua28NYFSvRYbmkLH~(od?iQC5PI?h>Obbp;sb{qc@>bGySGl_0l8TFeG(0d
zxRAo1wh=WBtQ19v_Z#NhT8Av|jvyUE>bp%e&=1|>P3Ze3%=(TEmE4$K<s`@2r(B6M
z=Ii<jvuuPxmrkuM1JB@p!g2B|+#=bszJ%RxLT*tSbs+WEx(?U`ukB3H5=C?FA2@4v
z1PU1;=lNR7u%aD_!GqL2tgE#`xj%ZkkdCC^zcyZswdQ0aw&Wi9iK$(0{EapreP!P)
zYo?qhfSg%OR(D8pvZJZQd<*?bRP*Ql`a9sJ%(9t5bz<a>vvXYHN2(Ji4IwJK=7B(=
zW#s7!CXzR`0Qt~$=1<dqU8Obx93k&|40&nao#+-ro<*~hm+PFnkXR1qa>NA{*R*`p
zC_klnaJl_n5^(O(T&hHGaE_3|i<>MrgwJUo@3HsCwrn+_wKnSCOtKsZUJ`janezKY
zY)gTna(0NsO&d+kpI7RIAJQ?b)(JPDG^4S!X(G!r&{R*SBL4KkFf6=$ZM?*sSi#iM
zavsGL>!G{Zo((I$Smr-uh8~P>yIp)Vgf$l@mPbI*BYN`wXQ6Fnps{%Q{*48ZiL$tl
z*{>NGNv&gn2u{#EI?IwvYYEwt5PmtOuM_@ON`GTm$}$uV{farE=|7BR6dp1Xeaxr5
zg-Vu3s~j5Iv6Hdp&#hwnI#s1x0*(yaa!w~+R6nPJ<3VUs#X+6_#~>qMdlAV^882{!
z+_=B|7!Gv&eOv`P;6@U0dU>DvYLvhKpRh3_ct>l6lN^C3py7vbweRPxjOh;py^#97
z!#QZ$Ul6K!!f{B`-gesg!;7+UsV+6La1kA*5LwNvhxKyr9>(8RuX|(JJax2+8Df!<
z28Rz&kYqIlZDv>b&;qTUsyju)MuD+vhe77I_@8F_5{k~o@2{k<pxtk0{wqkA6)`x1
z@M{d+N2v9jL|Tb01u&}bpPxuM?gr@Z9xd41igL7#3CfX=T$ORMA2Cye&Js7$o-Y1}
z=->MbE^LvvjtYpe;NA`ES$otrDbFshOKn{ENGF`lr`_c%L)S}TA_;r3`9byHaC%Wv
zzMgZYJr8Ay39rILzSd4Xk6OmEiyB3kO-?dKIj&^gM*JP&b?9I%ohNHXcOM8{>Z~wP
zaBZhveb>xj^P{mOD+@bgw@-}E`$1&oJK0B8X$gv0rT*xnZLZ_-Ds3XwLHmnggV^I&
z6LET6w2%a5K$X$fYR^zK>Y(cQN4=4MEx`+pcY8Hl{&rp<KQ}{9#)@)TdLp@^%(IS|
zeQn5l3#e#sN~ma_JOn;CGL+c<+k|R2aeW9Q#_6*-IK>yNK?1b=kmc_^1J&Ab`j8#+
zbMo)L4t$m<@Iu~EAY-nBAunI%$MqEX2VaOVeAzRqepQM=`v})?%nZft*$qv=zmtyn
zDY>QQcTN5qjRk8^qdYF;A*sl(UQsQCX7RZrM?x>IS#8LfT9*(m``@}^atiGE#W_L&
znQDcNbkpLQ7+Y%gWCIHdTdUTh=YVJ?$BYu1r}`Xy!g>d-LX^(O|9ZD22c)HkCd$)L
z%Z7F@9Acsd`DA|4^W^=*08jvN{&!NB#q;&@WL8e=UyOK<7t-=cF+$RA(}KK0WqOI7
zB@}(DK=|55Oy5bw$E}ODa|z$`Po{fL!p31FO=^XW+`&E=;q_&N^&=>)J~(f@pEEm8
zVnO1k$Yh|l>Bb?PvPME(Z{eSHK)>5Gfl_6KDzT)^FxB!5zeztL*L#xtG<AoC^O9Y<
z<nZ_v><VBSNOgE$=f?l^Qz@is(+9<%w4yYr&B9$Ze%{a{C3f5<i)iF#d#82^vi&K$
z$$WP2;xTh@ro(*;SOAu>URbbT^1}KaPi}s$oGuQri?byMS|C2>rQ71B&g&!CF!K;#
zuBYgaXP<Le`baNniE;t!sRp0~ZI(vY--xcp*Orqgsx3(fT<HWL$9-`+0TyHAB!3Ym
zB_bkrl&mxPj>;#Y`Fb-~q!%zY23O_`XJ*K5AI={)WEulIYZ^67NIKvG3tIb&*D_^-
z3olDH%^l9|uvKHif+3kBQ+j0Ix|kdhDQ!?pvQUK9;KW1v3zk=5=SAx|G`x1{-gy)u
z&VJ7N+_VQ2c@(2f9EbKq{GEc8t`OEU=g~2T4xc3KG#u>f8r&!;6u3TOyN<+ZCAH2G
zLpcq7u$>&RxaV^ta+w3S7}*Klc)awx*tHT>(;7agK$`^BM;#gzt(r&5FRZBS!7IYW
zkkQRQp=bk%irgPOi9Fc9z#aCo;RX}XK*nUguMeX%s!YtKC!5nj+t)sJ)ooN{e#}Uc
znb%~#?hrF2VQLVUI;=SUV*H8P`Z2g}&C02nReYiy4F5!L<-7Alm{CL)KxJ&n+v0M$
z4U~6!8!`=JK7+l0K*q@Zfn?x@c|<WMR6mrREIMaR<ml0f05X~1VP@{2mbsx6ZiW6q
zFuB%geY05{%#@7Y+8271Vptdc@y$5C?D+4j6=`q*ykQjV{xXa6*F#(ToRC+r?+R~{
z1q^pHz*$Wm@|~Zb9V3-hy?zdQ(iQO=-SUkT1Sd_>pzd^VlQl~PP8oZSqydpZ9Y5St
zc<nC~x`GBve$S$KS_n?yyQp1Lxk3+V70ma5@c7oW|712tNHBt=Ga;P%gKwc1Are)=
zuu_^;6cV6st!6ZO%O}a8w_*ZKTW=Y><sVX1#dS8fTBOEKy^h>BTA)t>$L3Z(wzJH?
z@CHkh&QQW`sW9|pJq0FJe+9dK##@Ci2Q$3J1{M<!k}Sz4ugXcofEKpkO@u5%R6Bx(
zNE`&0pK$RaJ_tAoG8Xk#3H5~aMf>EKY~G!#_oa^t**jVaq%qfprMw7U{9vzF<pc|*
z+K6^@RrUwYQNdnX_R7$`B>LWfgfgB21Kc=j03zushJYdBgqUj2FbpW*%@p#V+GGz6
zk|V@<QD0?YUbs!|ePCAa!|&5NoOk!SH*LiBf3Bp6%v6pBX*7NxywjOF4|$PL!?xrD
z=HJ}SvKKG&S$gt<w>Js)**Il|s+uc|!pjBSN~g4*_kLxCgoe`x;%|tJl1&ZW7#cgI
zR|R>ONFFOJ=E*yI?-d*WrA@sz0wuJql0a>GH+u>PZaFknm~GOOLg2IU;V&dyl(*ze
ziTs>av_QWfAhOq?<*jI?Ka?jbUU2~#@>(k8PDtL0SD)$Lt~|IE0-x^XadGP_7=ie|
zI{#{O@x1veGB7Hj45aBO9(fq~K!A6~<xLi95_N(>>(d_9H-5^H^@%gC=uyW&fZx@2
zQ0jG!guawk14C$=mBr0W4G`LxOQu={8<tgK@s6zQIL<<Osc4a4nLMt>A9>GY{GkHu
zd(wp9Z4M0=rdbsh#89S%l}09Ym(;^%4%enO1yp;!%)*z~D0iH^g6YHthpLksay;Rj
zoakysH98me_RMoO+;W6U%wt87r9?GsXR+vWV?}{s_C1GvfFE7toQXj?V43~Ow#deZ
z+OZe?B@?w_BJ3+kk``zIxFMUSE@h$uh2|9HN(g8N_g&7e9$s4DYLo&-`>t<4MRWnd
z1(w$L5BG}%nt*vZCo#nLvODc4jv!Bzv1gJ|lIF`55=&m`ADjJ+@sg)@7!A#7!v0Ar
zIUSFnMKL2F8IR*>;c!`(LQIN-bmn(zBkL9y^dZE)4c0Ed>xdJ|FW;I5e{fI`!!zbF
zjlJ(yk0H>>6juNz3BmZ*jT9SGkBqmN0DC!w)vnzSd%#{-HlnC*!))u*r}nzDaxqVo
zWBLkZ#2M?{WSqx>jIk|d`!<OcB?sF*63?GaPeBEA+FZ@HENhg1T<L`b9T<}H)vi=^
z<gVnJ_cf=ebn3SlckIvIJ#9cuZn}L1B~g`ox93ajIYB=X7Y<+&)vdpXMJ5WY$$pyh
zBUH&*FI0Q|Y6kt%5d;=$=B>8~Y(mPM#~+n%s~c#X3-fYm-?5E$J*NrGl*wI1+M5*g
zI9edB=)^a{iD?+vw_)xA1jy;sd#h9l$5;pNv1PaeCm-Y40lpOm)|y6tkf?c0mKV*e
zXp-K83=O}WcnNS==6w9llQ(uQTx_dtdC*f~_RBkI_<mlRcmL`y*0%&#_6r`OfRmmk
zHDCAWcO9rnO!h1^XdEkTCacT0YWHqEYcGb#iDBiAL35B}_*6(jP>Mv2lawh8&e0Q<
z62|6GyO)h7;ls@SM~5_Jo|*fi>gr|T(|3wP{{g((z%I6fJ}W2V7j0}-Gdpj|LM6dK
z9u+ToL#ctUH*BN1uCpn9`lXsBLEQE>{h5?p+6$bYOsKxchbpIG=TemoBvDVxbC0O!
zF@rEPmY!oeMq)A#Mx0^X1Q!Q5)x7J_is+_X?k&;eCm)OOR*0!tnd&FPE~us?0ag6a
z%HfP?s?-9*=!IB>inrVue{R?c<(FYAQh3QdmOXDnz;QE*2!^c!W@*n`S{6ApOS-y4
zm|`6Md@VAu$W50-@2_gD#~!^$4}c>vDfojQ{+cm6bqGTmwLb`|_Y*EBxRHvqTtcNA
zg`i^?*NXt3Gb~BEEhJFTykmel`!e?&=Hc#`zo+PpP3M7LN+lM|9)6?iB*fVQ?5|W0
z!n1Z8pQ@EwuY&pzR{X-Qad;V2(<wvSIBBhzjq8UF(9y<MgQZ=%EEV!fEjI@o4K7^4
z^47tC<DBB_2XY@|(Ld86IIRw`uE?ICypwdP*((ojmfZZp$yp5LEKo}!nA@-Q8!?nv
zMSH4UYK(n9;Iel{%FKS!kz&F1h_9KI_PCJX`OLP}!V+_`h<Ssjgk;W2BvU?a4fF2%
zY8+7tcdb+}CrzHSkgJkglD9lr4xlUV7iaxe=18Ud_}%-<^xvK47P8<x9M`ZKg#?)=
zlL}>D9&x6Ab+M|eUS2){Tm0#~mX5?udm97|Y%7?!=<dVKUp4hx6}h|i-0~_KJDXpJ
zw|>{l`4_tb2Sa%Z+JaxlWmMhyc4-e}W^X1Dmxx{*#-;a^@T>VYu4Az@@(yKG<gZ0N
z4O<eB);8iiVfR*4PMvD`1{D0@&)J*62g(HEyX;*kr0}y6hf9-?%U&n%NiTE_pwEvK
zivwKERn9pFw(aU-(|&l*gH+V_#oE|mO!SPN`#tY_pYDS8Vy4B}u3cvrzu(W#;nUw~
zQCt6@rTQwOrxbrV&;08nPoY+Uc5zGSH!GK1#&U|<h>UkvRQ1a4>yt4oaXGO<Za9?*
z8`vTAaMGI&9OtPP!7$e9Jv3`*9F!zRqVYLhHNL<#tp(I#WT+Ukwf*HNZ_=_Sm$%$W
z2zJ6BA4jU!^4h5MG-FpA%qRs4F1hLQ5S6o9vr*73bQJ8hBNS8Yc{QSXTt#~#P8suq
zKAcBmb)1L!l?ko#Cmza)`al<3HhU$$0z~8btgQ-{{o=n~*rYGqNMb-V+{<IlW+S%x
zE3&U)kr)|^m0JZ2LrYRMQi)WFCtSY!BF(ZAFq;)#{$$f=XYD6w(I#fhbMoMpCechX
z!$3_HdyhT+naZMhEg-^m?or}+ZlIt)G#oFKV3!uSAOQS;(md0JoY}2N-^`z1cJ3K}
z$pfPxGW2;pqsW=@b4YvT>ME6!9^qf)rRdGjA=JL`<h1pmJ#u-mowAL`cr3+x5zKnQ
zAIgf9nm;;&r6~=}<i7x#c|tpNJcWL1q6!@>^=o$BjSIx1vc*3Xr+9>Aa7MR?`J(bo
z<CPiSl_Gi8LV*vD=uy1ldC<zT&qRrxL>316;tEIx?l8S|OW}w+beAMd+A@R9=rJ@N
zGX{TPJs0Gn&3#8pFgo%|Vgs-%X_w$CT5To$Jqyr1p-^x|qSuIuM(zF6hFY|n(-vmC
zXSG0D`D`W~<Ex^McoWvHoZ(q@4p3ZYfhIKm{w|J>Q!Qd<TWP@YJn08^g`6ggETJJ(
zco*ASM-P%Khn*FB`Ga0Vmv@~Hawe%>5q6y*R>}-jf|Bwp8gd|tRvhi`CJC`YWIeh0
z%M9+X-}Yt6vDlOm;?vg$zNl1mxKn8n=QNB(?Bl=GC|C0tM}Smc^nIJCL_Y1rR|C~%
zsT6*sG&cnx<yq%T#~@N+CvxicSl`jbutTzUDZLi_IZCEc{g93gi_Hd_KTn7q0?x4B
zewZqcHz~m-9Q^1x@i`}qa0C1Gv)thAfHq!}vX?DXzceX1BF&5xbyAEnh4RX2qe<73
zCKqQBKrz$9En(#I5Cu<@0%E2b!jOZ^Y#rNreO91Nu@hDJ9qKr&-niJr?>7!KxdbjN
z6Yw%ODQA*MyQ>Z^3O^81$7i6CFXKPq5DedQe&&s@v<D;-NbRsK^*4riE|`=C+N)e1
z9w$!s=im>byx8?*KjL%$-r(m%<jxNa?ieKzOSXfpNa$S9!65^7){n927XGBzQ3+;{
zN`*T=K-5v_L?<_8pRJ$rEd0UC{25k&=UzR5#F8ql2kmn15jJHxSe1M;YtJ-TN^OIP
z24r#-gOSG(n}*{p=Es!R_NOhU>toFm=TuXFs6b-oNA3|L#ljA&YqMrV!2sGza=aCx
zjX(#g%?zpjaBl)ALcOXiDb9uZZxz`0)b^j&zd2!oj@+XZ8#Zl~n+4hJzgqij2GSt1
z-yjFF-%V0~Gte!lr{>h=AATFtc#DSLK3R&pF%)p2($WcKJ2lBQM*K&ua!2C6N-SY2
zs<Y+?1PEIGAc`wyCN*J-&qc<@2I{*_nu4OBn1q<8HThB^5rgh@|07r-9VPBcIwc0g
zlO94dVlR^K@S9u}a6h31019q=sxwED@)B$IHPXIv;RE%&$3Plw`2$6y`WiZo-ce~~
zi_Q)zCIXMzBh3S)=XIgX9jO*9>oslwvs@g`thn^k7%E2we&?v*bW`VPh=4kQt4vE*
zvOG3+W@D)G5)+5UPa1_s*?0>|zn1gP5cy%wGOG-ML49Ha5lJL=QN$lM;zK3tl!iAk
zHFi@<cpGHyX@6jcDgWvY)}WbD*w~EqGbv2j%j;)PT<s$i^BV!_hwnvyni!<Q7#w?2
z{HZio6Tt-DIgtaOilu`b0O5j1kzb2RO4(wnyJ-;yH6NfP3P%GGy~_5Zmr6Ubb0YAP
zo~Pi4b)PxldR7Mq@CTfzEi9i^$nRQ(PHP7>iO!0&aLQ|hx@F*4B;}ZAdp>O)4A(@M
z;>KNa358yh3IT5J;bs;{zr+oWWuFa7mwkmVF|P3ylmrm>r4htpiJbe^i}9;@sgcQf
zxf^rh302dYW!I^Y5^~=7A`Li7_Zfe^{`yx*cu1rlSWae91ldf3oyhQ{u``0H$Ua+{
zdM7~r2_{r5BZVot9Z#?6{4u^#!Ok!7hhj{eQ_VNn@1|I!v7J(qeh@hs*BgrP6iaQ|
z7UYDTcT8w$x@h6PBYD#D5bi)P1^UD9;0`bPGM#+@eCgTgo-%q4!$6}l0^D3$nlSKM
zZZzY0LGEVCkk0R6)=H^S{+Wu1z}^*;4Ni{0fR-f$22zKUQ6Z0M2^O<hXuAWzQ%T8(
zx$EnH4IS820Ug&o2t=zee}a@W<TE-w@nrdfkM~eBJ6h)#LDQT7w{l3v66sLLZV^$1
zLahLtBbnQ;dOYdBwV1^Q_YdA`PYZBj8zw<egocDc)OfAGbd3q2QmT&@4zdO82C+QP
z$zxwuOq^MI_ttTE{D?<R=!OpwuCIcw8MsH~03i5%v{PQ_@qeA^s-*FyQxxS-KGrlN
z2`my8{@OOKSvS(N61shEP+|mH{<7>=#pTCx^}=Jj`5?vCkU2|?mg?va!3y)-D9vyh
zoz(WDs(B(Qn*ClnVfaeSeghf@19~??KOk*B*Ip|(p_oEskIvj;7?s11%FkZI+Y%B*
z8P)|eHg`LyULjd{ULFlJ3&Vh=fFXo*rJ9L2TIOoRdIuoLEnfGjf+lHgQt$sAlezmb
zCJ!1Zp)%cgNR#=@6X~rN^Z~2@sYr+VPG55|M7c^D-0QW{8kJ$)Oi)MgIWD*EJGi8n
z<LuM^GE!&++!Cn#(4hD*+9Km(r@|72a20l)#LhYN5Y_mK_r@r%Eib9G+5OZvG#Ysq
z1|?Np)sxJK=!kk3ZX8SISbF!^NKZVfQo|282?6e!-&HWHlMh?P@TEXkGKE6I?q^Xd
zS=5H1k_ynhg{U0dJDj_ga2jzW&70rJhk#0CLwlJQOc;Cp;nKL>8x;hQ@f+>ek0Up8
zT^rG^%4ezK*o#a?*7A$$0aB3ESClsI5sfdA(E94dGX1^vbaSJI-GiEIi=@>hEEV^8
zxprfFpb{8%I%&<AFH&KeGskx>x&I0V3UIrM7G9Oqm<AO(h6%4~z=&bQ5rUF4byUjp
zc4Vow1BNo7SfV@5jm6P-P%|<U*`&sI#P}uNb}ruV95yz^=8lhhc*Ka8s*`T`V_=aQ
zxeK{Egp<Dye0=OV>z?Yg7J!Na)u-yNf$GtF$bgEEE>CC33{?Z6MXnKgz+<+!j-}Xp
zYXoc5mtCMSnjt4dPI=;(#8L`vTDpB&zMKS8BgLyAq(+N7Afk@wW``#J8@d6>jkK;|
zMR@6xl8sdAhZ<~zB}*?EHV-();(Tw(4Y-7IUrK8bRHzILeDD>}P%oKP9ycQc`wK~;
zsp8%;A8pB|;P*V5l+(1EH}+oU1;=%e^*dSE4p=N#Bnv?9q~C}_tX(_DDWwsLn0A)e
zET%FP$b&RJ><%;fK~^uOW60clX0e+YGC8Dx=KwJ0lF$(havr|fH0nI>RL!Y>b>ZIU
zEb?Ebg}s+0vE*Y2{bE8BHBp!uAt1^{6HOeaJPYCtnnfYU4L#TtfEO92WuJolHT*bx
zbUT;U8CU|)xDqY_U=oJ{g`hzR?}V!abr74k6qCr^xM)$y$s)#s1JdoeIe2Ez=*{xr
zsh7{A9ik>AL|)lSq^KG<9cjbZnB)0p|B7_L+d0=Si@YkCcn@^7<IZxT7?ZJ|{wb7e
zTR)q)BLFt8)VM?;n!zxPp|uNf=wCK1(xZ*Hw$?AJNe|6!jPzuF7MaD2TZ`VtP<Qrf
z>W*`>Y;IFxO52j>SQCSi$BQ`c`(B9!=mv%R&jX}Ts7>7gjX_gc`UTZEZHjrxvuH9L
z!J<qCrghPjOyZu1G`SKZG!fj@g%ujn`zZC8Gp?#4^~Wz&7Y+fAR0!+peO4hBl2DfZ
zVm_j1A;6Ue2zTj;iT;3?&15kgo<%&Q%pEnuT;_|n^Dr|;NSTjz%PZBgty)A}pkwqf
z*)c|>Ew=MiDG8cXV-m#X9srlmtD+(ve=>8JbPhLZpoVq%t5%6-iMHbFO{mSPw(Q=e
zs}^~e540w`!uO86@aN7!3g_f-1o%9=gO|DslC@LjQLV{VkePT?k9YKwZciEwEX!_?
z1#~#hFknLZi`qSe>H-#bG!DaE?r!-C>h6M~gWu13B)sMK1ktc)^;tc#xtQqY8RV4|
z^!(aKw&xn9sir$(q(tP50y^h<Bcy(cCoPKn=0l`t&mlRS)y$KhLb56tj#M4XXBnvL
zifl+}QWH};tB_N(E+s+735x0)OlxWj6R+o4TM98g^N-07PG7$Iz!(zHe51nNaFn=V
z3z{qZ>j)hPZk*1e=G^(fzh<><AJ3!3SHu{C(&|u6*mF)LgqZEPe^WX;j$7)G_`4#S
z)SJ#7*9y|h8wVZ<&y|l3-$jK;LXSNX%=um0^+N{Vb5bs-O^Zv&71p=$$I;~8hDe=n
zBNnumO^bFVV_(NyWTEnxppqduRZ7dUKCQtdyyO`m&EwgXhKi1n$MC%;V=e5U4Y1nD
zQ&DnYYJ?OLx+qOWezMkvkGbN&C~DQ1=s9cFTVx|sif7RQ=<c(=)7Wz!tz{{p4B$G!
zNa}$Fl}&Cas&JxbD#W5)r71lm__9NxEd&bEg$?&REr0KNeyddLL0v80L)qmFbbqpa
zmGg1K7PAJ`E4(AID#0&K)DY=V4E<W#78E5Hxdi83CvS#Fn4v84wU-h+U_)ojG|T--
z<93`WFwm4<;u%em&}e6k27b2;KQZMLvVwTdd{b;UPiZ*;-u|8TA)}iL-%pI^J>X6w
z;^I888zLgMh6P!4c5m*H?!7coAorH`f*mv3hoNt^2=TDBX657NI+Vf{9J?YTRz=SG
z(Qz&)of3de>gTz9VObG?Gz|xtQG_W?sPdd^HzPx?O2a58#z5$v(X8o5UT7F&a?y;3
zccHmH;!$+m)WaV#qW(HpAB6xn9AY;yVW6uPjgoVMhktwWZJ5HSm>iU{z_Uw8PLitl
zxTU8=^r<3_guXWOCTq-?2pzF7+_@W%O<d@J+lRKTM}7clX>N+DN!U+{iSOMdsZ7tR
z`0@)9Q*Go`J`PGIsT6fs6%z41clOE26Xi)b%6kJ3=6-3Xyf=+i=Su!~#RU~WNh-|d
z$}uP<7Zi#WqzvVCu&N@tUqpjcrl?f!EEHe3UU(JbpUiNF8^Zyq4!lOpcM)9Np^4&i
zh|I)C(8@T1V<w%GZ9$WtkxO3@%b#J(43g7fht*qZ-rD}FG5^;f1Kp2k-?l*XQn^GN
zsW1S=#A&?uQv8ZggAoaWDDA{yYF?!xvs(fL=fZd78zFu>5xtX0{?`q+oNU`+01djh
zCbZvs81MLUDyYoza5iG31QL=*fa{WZxdAd8{p5QREyUN>(9X|?2o_391E}1j2}4;=
zFEGkmCAt@QE6m0ZBkzJ{afH795E>zs)2`ty7T2=#JTfu?IoV4khnXsV<m`Y@7@F-K
zWB*QrqL*9r+5U$9iI7IEAfC0`BXmNGev0)aHJXP>=lB(~;_~sgXO++7UUUa)blla_
z&Pz6ddCMWsbEk?MZm{<I>Hd9xbPYhe%U{!AqvVi(3~0l=6vLP;4Z4u5UH=H<O<S*K
zUy2p(C*!a~<~{<bpfu&(GBC^^rC;oLf9|^3;|4Aoli(+Q5zn@M3TScCRUf^aEu<r-
zFHVkj$c+xo#&~wS9Bn$>Ktz`IM|?@W+$~mohk*VPK=(lAi)0j-4aFM4O<@ff*2SzX
zBy#6zGDLt~Ea(>XBQqlyW$U)n4KS1cG!(MngQ7SG5gVT(h{gI`>~`L98eF4Y)Y;sT
zFsp^xOtT%f@Z1r6iP<A(awyLX>CI*>e@_45$Tosahzz?3*_y3rP&>s8mpT!C%QYDa
zq;xylgO`v1;F^+J`|OL-EULbi)zcg5ogJ_sFvmxw&|mtSwr}9CQ_3IU@x*dEO=ybr
zD)l`~-i3_^TY1;qH6zU-ctNU5?Bjj|pt11L&}OAYt7i!gfc+_eNQaD1<;!YM;x6t$
zEf(FAPH0_Ph(;ydjtpT^F19KC!Ck#V17bcs84}hIxo|w>k<PXo|B;SVdR{!bLUcs1
zWUi0D;8R9=N(&6ZO-HPGc*};ZhbN$dpF9hRjNQNN`!%kj$A#^OD;BwCzn?h|98<#W
zYcK)dC%_H<L96mQV74<gzk5A@z%>aD25Y?AX9?$N!mrGih%iY3X;@EuAXN9vC{C^>
zSg3@CmlR@aDfrsUiG((6W7#|72Rn*y2@*=vP*(rR=BRHxjT=q4z=LJqgib#@*-2>1
z1}omTv}9^nAmsfADb87<dpPo9f%7Yka~Dh%zThzDB&XPkRzjNhf%V6@6xy?q(!0W*
zN1n{889c?%+E*W*KnlS{xtBM`UW^)xsieg4Fl)A!3XJkg^7ZyI+cFSKxgK8(MXl$H
zLk#E=hB~Et>3H0#lpD(6zA$v*F}ks4Rjj2e)Mt&3eZ~`kI^FDJ(JCbw3{HC)$P+Z|
zplpX5CNi8GgDGwZ5k?|Y858|t{+tod?Vm)oCL{avw<zZ~Eb_GeMwA{HitXV;tP-!y
zg03_v>7RFLB@&+&Z}`jHix})a!p1_z?aR`*o5+iYnEv_Ck)9a1dBHAR^yhZn^vhO!
z!ZGdL5Zk%T5yld5fX(eoq&ZtI;VR?ZQXVkuCnQ?eFNbXp3lP5yC<^A+QKyO*hy?wn
zJWN~7mB!bLkmP;gfTdK<r-)tzj}N#H4Kmx#H-*=hQ<OONs-H$a9?uuWKD(4YEna+5
z!XOmk$)ix9t(8VZ8)Z?bkPnS(Q#5T}@U8kx{hKmMyLlzyaJpnbg1C3z*0-Z1sXqa$
zzcEtg;s%pLehP*Wli{+Fl*(T)_{9=5f2n*HPEcKZlo*1|YFk7}^D1ZYs+uU{g>n<1
zKwe!_!l+VQZIvT&HXZ#@76m%<KZjy(2bnuYM2Z+QJL>Hr3Q_>xYrc(wkdd$hd0&02
z#~<c(zWFS9KJqmabiyD#tYO$NMI|zSqyoHIAF+ipr=UP9K@-hs2BZ61{T2i-*^&))
zZyArs&?DKzfZE;f#9n)e$h3o78zqsbXwogg(ff2Nm=Jzb-nGF#9-Ep|a2|pR!mbEM
z$U@YL-(f0fvMKU;x;`RPStLHxjTLoJxxU|t841(0=@XgP@pr!n&)Xlgda$}#!@;18
z?~bm?9SqDCBE+c`{7_8!00A5JQ)sp;^;l^uOqrq_XIevWGzon0sqZA3Woma4@zQ&A
zr%&%qA#JJ&Ctpu7jkrlk+7~7<NwSfX$5{Q|U0Z_JsE?6IJ$Z33H?b5wOR(zOb|ERN
zMlkA!yz+)<O8!qC3)RV7%%s0W0C-)9c$*>_?4leQ?7RB_>DGl`-`4CMO+ADZW5VTS
zse0+8Iv>3`M@nh6g@z4_kcM*@KDcAjK{n%{8l=Me7Qq&BQkh@Y`_G2SqZ;E#2go#J
zEI9cMBEML<l9x{>eJGIPKH9!r2%#U<lFq7~Y?nt&AOcK-QSF8oP40FG+)x@9&a%9S
z)p>fL=B3aK{ywhS!8#`z@KOFWC=@cfbXuk`mfzrjSFzv7UL&wh=z~gpIvd;_JbOJ?
zk@svZo*vND3k7+Fj_q#IyqbK)oyf;nOnX7|-ih0b5F11AsS@TOE<RkA?e%;$^ErX%
z2YBv;psN1WQ`UK5`u)O=@6yYKjBeiMxu*V5IDF`Njw(&PD(z>dPC5ZW^c^W3id(!R
zUD_ejV~C4{aKU5LgX#Xp%1TZkj(L1prPJ*-_#!E|UIr2?zq%+A7L{S3CHuBXv$jKb
zFwb6nZ~}tL{DiU5WBMgOiRcXABs=}^EF0aH<R+=5or+5~ZQZaKQZd~nQFgm~5(u$2
z%KIaDqj_Dq4;<BS{hg>2@5n?dZUN?x9?-P{Kh>hq^27D8^XG$qII%*O@<M*3et3Au
zDQ{S0(`>m2nmRjmHFNSd64>Aq>f*N=LspKJD_y!eiX6Z;_npQLxJC%&?}e?<dNDXW
zXvA6nvRAl`n-|=3KiN{kUiea`Z3R-n-RteG&yI@zO2S&IHlV@~`y*de+~o^S4Ts>C
zR#`UOIgOBpR>NWJL9oc5kki**jHyZaT)S;{0G)ud)?3Gzc2&t%48bRdPr+fa-qq#U
zLaswje^8Qhg<{zCySmu-dU<9_5eo$Sled9|kG}1<i`2k_v#@!sHY&H30BfWS`1Gp-
z2AMf-!(SPr5WW@6)IzQ{7VC+l5KDj3TdpEkL|-p9o;B(=)?4e&3OeG@1_kvC@f#9*
z8ot))ck9<xz=6LxIDi5hgvS7|`aOlzhbW#BA*3oW=g<Z}tjq1V0wdl14?NmN<A%*h
z<Vhj#JRc;kb(L;i%4pbC{>`6jQAz@L2{tY!)SK%+qG4F<aVH)feEE;ugy6SJjmq8Q
zuM8Cw;x4DDZ8M7G5#i;8%PO&MdTAM!%5@|sC~L+E&}capg8hw#?>x9(>v(gh)6mN6
zeQ4NQwNyh+ETUMS6R^K+9m$lrPI_O){zg;T^`jSp#mR;_7*UmL+l1G78zV)t^t^;&
zPaEB5Y1#e%{AooNKN<A>VNw{}pk0?}5#}UenBjTs$C~rWdCee!z{$l01pB*Ht4_W^
z9*7%^pa5qhmh~Q-43B+;)YDs-xF!ibcRy2tu+!Y79tmk}Ny{|Wi@4k$d5?K1;C_>A
z)FT;l<VHk9fNa~#w<>H(ksxs;xKCnIs+E>)cx|yy>i1=*I6Le$9hW7=MJ>zOHGTwi
zoDu~h<%r?Vd1!ZN6F>d6Ulp%2?1!GC>A;MP(}QrOs7T~!&C6Q7mxA&rQ2uxMD*pWn
zGIZx-X{bMnYy^^0=CrD1;p?x0`P8ebh){Nmgp(9DZPVN)eKLtQfSW-w1O?uUMUmWg
z=MCnTGv9%nfea7+W%I}KT#%*QLs_{tH=gH9A6uMt1s3VS_k*`jBY4c&_FVOx*UVe>
zmw^NXk-DzsV;atq5*dvYX0@x1F;}kqSXcRvbbGv3t$hJG)lb`Uxx0iix#RO5uAA&-
znTRm3B%|TExp#DqV(z<hoFd*#eYHcYj&TvWta6_ycuo)eg<&yf_!1{?!L4M^>*{?&
z)9^HRgB}i){jS7RTXfIc9)}!kUAIpUOMMHX3CN4>m$AGTTqLCrxeL19T8zycs<4$2
z1`DBiK1U_~nmTO{<X?KNl+yQK*o$y27XT5Vcx@{}*9x8tTxaoSapbsSulKM5Vf-2X
z&CA0J$N^?2_4A>L3`>GXlRXEu6KbM_!{N8TE}JQVd42jBkr7U^`7x#$-rR1deQLQn
zF3Zkeav{EInWEJ{O_u}PpT{3b>=+d0hVPFoW&Rnw=)9?C%^k?}U~oH#Da6&iJs0_-
z^5EY$CCht#1ZpRGxMpQZAGcm{XvEKvF}CQszNm4oa+pToxJZcD%M-74RvP6n+}@rV
zPM`ts4nzd=K3w%-(+X#rH9^oXnfdD@yDRaVYanuj?R119%RHs_({4|NEeDJ`^B$c)
zlRoWjw!liFy_}4>O#GoYJ$b;jt@Co+F?a;s8OM0#wC=gz3>9X=PWM0VyucEo{LFZ*
z=iT~>e-pxn6Fn?z9{!lHu!=RBvtnJ_7r@=o;f*@xkFv-bU*z`Ew*WST*C)5jLu^Wp
zK|VE>4c^_Q)u=gKaKItsY*;t0^SKp@I^r?LoHQ))wL!#OFKC#aa8p{fH6gEhN6CAm
z6ka6hDqM_no2?Pj$UCO~##P(Ss+=o0Y1^Kk3eyza3$6O)(6GX=BK{q}tuc7%!S|`{
z&x4i$vBzs~R1QWYHyO{~;CnW?)_i?WtWOU=9j1DtKH=|u69&Su3DQ@5{qSkT?z%tq
zZ2aisjU;`DOx4;$i7XVa(Helov8$sMcI#@BFyjOALHaaNE9^<9=^%E)i`y|&T3nE#
zWV|7W`^0(4JaseYd=;_s@Y99sN^55WKmbsZ!v?fIi?@-`A3^c<(5QRmZ-rKDxDY!A
zS<-8BF=HQMIQ(z{Qp`kfXbX^h8p6IbH57R`&z%UE$b?_f4qyM_E{D-z9{!y5#L__z
zvKs2g6~)$ZOV<sml-;I@E39Iwf}n_z1Ywg3pqiin-REV4J2Xj@KD5e9kg?ybd#a6^
zBWvDTwj6q~>(`vhWof3;vxd_nVihE){$NyKQz+l-`Cb1l9W=F6NQf~7i&YoRD-(yd
zRn-l1EGF<eSFh+zncldd*+jH#bQqM)uwBd8M$)$*a*iJdps3CBB+9uRqKgad3tNbs
z*Yp0GW>~tMP+U=k#<LgvKF2VMk4dx1PTm()WC|N0=$mw2Ed~%b4?}b|GHC)6VUJ9q
zG{B4h@u_sGz0;cvH7xsA4EG5Ozg1fi`mU`kuab+yx{Axjt=+XdG@iWi_R0nqZIk09
zQTqhnZ4D%{YCy-f*JTL@8DVgn$nt7<m-gG&Y-C5#v2l^SY|BojPlPSIjZS9gt-pE&
z)*94la1bR@)|ThB=;CUyI+fL_;tpC4*IP07FKV=yxIQ}PC7TL7<UPMw@`;~?&6ycV
zc<IC`JX~y3f6T`HRWRmjp=H}l*CKzPK{VId_Pgbv*i_d7dKE2YyD?$-p&|H!kignX
z*mg+95?iSGetuybu7HdmF<LCxOn8+;uYrwcH=x%)2PQ-g4jKW`VuauQ6fbz$(zXqQ
z`HYy5ZEw8v(lc#nzi8B<BHu&*n%#y4ef}PzMnBWDznUc>=i@--fN%FpmPsM5sF5-5
z@n^ra{Y#nmm2q-hbkRe3a(q4edLC$>uFsXG+HVE0+Hc0)tvNmS3_2UmDekQ(IoDgQ
z${r~9Kmg@A!q=_ggX8^lVEj(`wMNIEpbb!E=e_J{E~=9S%fb-pr`N|lJ}a3>;%Tm!
zXga~@GW^CBnuj0!vu()*E9X}SSogS$zmi+6mijUFpmqHnPDT-td96F=0-_Mmytdf|
z3Ru38?NzZ1VBz;ValAVA9t0%)iF{eQoXPR7fBHO?>FsFZxNa&g+S*<Zs=H%8xn60q
zsY=dpe9C6YFQfGC1$AeZs#t$NY5b6fKUZS4B0r41>nm>-N7YobPccv})TKdK1E-<&
zGF3R$m-Nc<Fm~f2eRpFw`iI0Jng0T*_e0X2=o5aR+oN^kED3iAe8Kg;r4;*sbYoOR
z2E3Eo<+2X36qEVWOW90hO!3#)vWv#3>$C~}+u``nBJ<$6l_FNj(@L?kC=rxZ+EwpH
zoyMq0F2@b{njqJESMJHzD8d((mYoGo7~v@!fqIfr;z6AswC(Jdsd%3)kfxjUZKPvo
zIe@KV-WwjZ`BO{4?T(evzh?nD^J_fVX1-j#IAdTT&(;s@$bGnfIEb6*(KZe5aP0re
zlG(p4zp?1?yEVyjlf%C?%KB{{U*-!|&a&c8ILcLr`w1O+He<^{>~Y~PrSP+;#XS44
z3KaLU(NNy4hYIqGp#vTR%F@m*t~i|-F}cW67f1pL5&WMA7;WtVTfG{0-|OruI@h-j
znsSlD|0KHA+Ld<~*%onfsl$2|yz*Ap=v~hnoPjtaS8+d)7ye?A+N<M<=Yh{R=e;MV
zK(o&)H3Nwl5R343sK?vW*n9Mgx&~uCtkn<tvq}-}rT>aSL!&8nu$S;Yk13RT?8aAd
zusJ(Co#OJwd!7NQ!75EDg0zHXnLVeONVjHRk1cJGOq%1O1n7#aqela>Duri3P0iyC
ziZSOS9-=QcwNo$$A|=<Dk^5}?T2%h9giWSh9OhJBoEy%WB#dfEzYVfq$2rF%ZQ5=!
zHp4TFFV{^<#~`aa9y`QY2w|r$$0{=jAUV8BRs*>j_t7A=nPj>4^wH8jn&$KpdTwbH
zH!ir8)w~xn>9}5i!^KUWk>g?cGUH1lz`_G;ubg--ci~6<^srdVdWqqoQ*uIlDgHR(
zeQ$kV)J|ydMcm0_>ku2E5WOQF;3l_6#_#RHVV2wtFa1l$f7o@eSUk|>X?u7n(MFH|
z`0gO2F!YQS_iAZDyB4*oXa46mLzr$!_I6r1-9Mt{p3hH8tirvx8~XV7P}S!giUq+x
zSF-lJF*>V^A!iY78E|<gHVYNC1b+-=L*MV_^Q6O=uWOP)%mo7|i;y>azl1+r9ELLH
zFb1i?)Ei_KGNQs@iAgUWLc8+ZGB_ZUQ8U9%XEv@|$ozRhs^7G(-z_jeuJPHyEa+c)
zn&`Mq*gS@Eg<>2;_!+<$zhwxr?<^?+L;zD`Pj-u<CIDpaW@c1S*n;zB;oQE^apknj
zir;e8e{I}zzS>D%E9GapsvZK)tA`bRh#IIC9?h<<1`Q|TDV`%9bYER&GaNtLe-#Qi
z*ZMqx^l-n~D>poPckq*1-?g7w9OQk^*nt_}G?uTPbF@QkBx-lscw3R85Su(Hf5_Ae
zcGH&bITB{Hg<D)!2Hf5N^#CFiGyq^+mZR5~QMBQ+L!=9IN9UtNh-O{G=r5A~B1<i*
z^MGNh{XszbA9E`cs}xJ9uFVXgsXt(5K?fDCO?Bm&Yl;37+BJ{7spCQw@5#^YK2IA5
zokdn3awlBIVmg`E3Yh7!*Jsl5+b}|K22LG3Y{P=}D*_-B&jyFl%7TT9C4@C}HO@`^
z(2P~+W~ztP9;irUr(ZFV+E4+2_F5S9HvL3R0neR-Vz_OH(Tz~<Xl4r;i~22w!zEsl
zxrY^x0`}T{=Oa>(WN(?>V)tVJ2-iE-W#f^l<^Ip3-<7SWf0MBKIREovRq$7QWkQxj
zftT4UVqWgn2YMq4VuTO*{@C1P(DgemE&{Woh8#|GVW+aZ`V^73BAGOO!lh}4F7fx=
z8rs4p%^$eq4AmhdpL?DHz6pjCCP7w>sgC%?-UQEvZ>(L(_X@&g{F=o;L755$=bJ$9
zWzr}CR$urltWHqBZ~rIGSa>Y*gSe@Qo;EM_4re*3!$s+V-_<LTzIZYeROK+_J8C3^
zwI^h9ua?V}2b6ig;PQvKb;E3y<&d=Xz8%&dlvvuLgwh@TDyA{4i;@Cn%dS&^4kUlw
zV|&{RbzK=zhbQTIUeOrEo05fM`HgzWa(cAJPOy4*Ys(0VCT@k(v=rJMpM>Zwkv`ly
zajxS$E%P+@C98@cAgxDeS#_8vi{~zzZ9Rs4hRsw^UJ^lB=C!i-ay`5eGB;!ms$^Qs
zp3Si^2DR9uNG}yxG7F`N1`HZ%qhIC}yD~aN?bHst-x*kcj1}!1O~SQl=ItTG?ECRm
zcu6ec`H-;^i+Pn#*tO$xH)1+JRyv>DYNP$z)KM>W8=QnrOdAvTN$rFHiX=^vbq$$E
z^!?;n_8_+|L6VM>(l?yytB%dpxcX#z_%PDWZR4<`8e#4_ro&&8!_9X$;YVk-7A^xM
znRL3p_he&onez+<^GMCfMxNr%(h94d(b{(elryq8{dj!0Vt&&c>nWqA{}jRlMe&dB
zfO^MSm}yl?5`qvJ7~35tc!(d`?M3nv-bo`zho^(wn6oDvCyd;<PK*3|*oR~@Y>tP+
zKQym^%Opq*(w{H;oh@QNcec-er&8HFU5#<T7YI&ESD|J_elWw66S$YqIisfr*e2mU
z?;)?KlR3YqreMR0a$)C)82pyPn^l6Ak`no0T+uyB;9(QK2FBTC?a_{D<=2WsUc7{~
zYmo+*>c+R@_Q1xVP5kmUW2nWd^Vp5!Agxo4z~r9=b{tIAesh#*%-=mP5A!ZzU>Msk
zP44LOuI#J1Vri`!hJepG3}jc4u4u5IuVLb>-AI2XXIJT41gyr%-#l)-C`!Duzp}m+
zYuvcm3^+R=ymsYP3dQ}#0(*S*|7bc3wy4^!4J)8@ch>+zDBVcM&<qXIAV_z2Hw-01
z!_cUJNT+mzlyo;pcYova9^XIM$KGq-E3S2&H&Aj?%|8m#b~%()VlrxVVvcLL!-1&|
z5|<@1-E0eP&V(L8r`Wfks>3729+db>zcYm!{d+pKAkWVBM9(;e{>%2S<)#-e#s$Gy
z9hg#TXwQiwihV)sskiJo-mReL=g!N=F<)w=@L1<{!y(~|-=WuN2SD?olB646a-J2>
z?1#cUgIrQTh&#P^U??iMz>aM)UXz>OdI_xF^nScLcJe^{&)7u78M=Mf$=y>C+TwdV
z|2$soe>#}?7?v%$KLh)Sv{1*{7hghNPfIV(-)cIiq3be<Q&%27q(>~S%))m9Y2x3+
zr_t#jk4?7k<^%H#yEjyB1!8H~(JLF)?^D<hi-y_$4Emp?%p0~V%Tc!*m+=IN<h4qB
z(VBgcxbH`W_F;K`2C)nK8y6UUh6xcev@r<b%Gf)fMjl|rbi!m(I*EX9yWNvq*<=Nl
zF4%y$5LA!CM3Lve1Y6D(mZpkIl92M3`&lt;1#&di52lMB+r_p{>8ySUpR`kZv<P(K
zAIadLlvF^W3Z|2l8SQ6WkxK<?NgCGmDC99i7D&eK3ie7P#?USr(b2bYcFk^^`CS0l
zQ`Zb)u{#SJhj$~2K%(dxk949w)~Yt%00$WoCJSu4Q^!yf@uhPzdCPf#(+4!0{BJX?
zGTFj20J3m+?@T#kF;b@1*9XYydV6*DuK0tsoUdUX6X;dBJX9Fqt5VvBQlz4ARP3^*
z8ijv>z3WxodUw65y1z3u-cInyG%sT65O^@3URowt#v2*?Er|xIpEfS~GL(8@?0sZE
z>Pt7~&F+R=ha6&<cVVxVRAI;Wd1O-sG!M3HH6yGe8_+-Z?n(8{p?jZlm$<qj_WW3}
z_plm5P(^;a@dQ~LANR|paR+YMsYw}$mDl^degAks%3CALT%H)hz83s&LPg2go8Vpl
zov&F}tR^|xvEqhtupi&RIPD-^t9V-_{=>7ULCUU4Xf&#4Tkj#rzRkEt_y|w!Eh&5j
zH1i*f31HbOo$N+-#;pIU4sukz{H4>PA<t-FFg7oTs+}2#%&u^?A)^eN@*<{Y#rY~=
zc<5PX_w=;99v*Z@AQQ#@STlJb<DX6&$Tq;b{V{AlD1CTwp;!`YOue1W<NIGe&ZGRE
zwwKQS;5~^+hqle<>cVYDsO=#+Qq&$3tjsIp+>T-x!GE_cuq<OY*-BkZgZLNE4b!S1
zKP0Ru4zDTBh?q3=l%ZXz46>FE9pF$jq1y}}(`g&W-<1>v%SFgIaAHdQ`CP_->ouWT
z*?j^Qz3pPo=+ix)%==EXYZN=B#W4mHdi33;tdCAeRtS<0@5yO+JbvC|7)`7x?#04&
zR;3urz=n8NAQq8ZuJuUAZ``$x_(acpTSu{kH~u*<vBp{>PAjcBqmY(R#gQ(@hW_|T
zroef#zn_tfKGJmGC-RFelhJPLDD+o-VKA?2?kF<4(+54ND}{&MiPEDhQmaSNu|4`N
zLj3*ukL+=LU-q$hfkzh+`U!}_Tep&TYAeiKZ|6-4k=lX0&bKZij5sa^)CXF8ntzeF
z`Dg|W9FQ%i+K}@)d#0ffUQy4o)GHg7Jme+nu@4Vn)wD~+B|I*o&*ir_rfF*;sUW^O
z9Kn%ObmE?ixN#&2gsRqSOMx#pM4~QBS!)SwU9vuz7OuUI4C1s$B}pQ}7ZIO7)7@dG
zRZ$GlTD%y(QCf0$ytXoHZoCtrhx~KLL^pLF`&cm`D5tO)<$ko?jez0eMGg_ufyWyG
z!W=QE9cO>ECd8iq#;hU!$U`8ipF9H)V`8n*QSB3R?p{oG8i&KWA?$uNp9K=BflLdv
zd6==oE;H!Tef`v1v@(xL`Dw&s($iTr1yiT}ovBwP*{kz|4$Q`QL}>SC4KH5S9HS-V
zH-ZL?as))l@n$7}tFA@$pAH=tohClp+k@!rdQJjjoD&j6w5pH_w=b?vw<%&m>}5Q+
zNgse_Z##eWWbhCHMxuC7oHt%&Kjwh+=uq{xbQ@3g6v<S&pefEyDnt^RnA!a)luut3
z{$|QR6_vu(BLM+CgC9-@yHlGoQmf{q0b(Sh!S-7u{);D6Q4UEqQ@~hJmFWk0e`Td;
zySHkN2Wk4LN<`eJ{eFpe8R6)Jucw5ID7xaidY~@KbR?*6%N+krZcpFAoT>R3y=Mf}
zgbqGx6A=<D)P{=sTYI`u=Hc%6+U?}ntz9o>9S@DzBWpt=GK{TjdIZ$eu{_`G2o164
z&G$4w#y76i7iQC_XWpw%(oo68)=IsCq9b9NGBN@q#<9qGMK!L%-X&DW4|3Qzb9a6y
zW;|k}=vfNhQ@Q+zA98o$7NN@0(D72h1k<p{ji|P-!kj-k$G4b@?2-rUv$Jaih40Mg
z`M<EznFzmaKwI%o+5X*(kkM6v%O_t)5!jk{j(5Z5Apg?%XG$G(L1uwJd7ZFgX#8|O
zX!^YL4ndTd5MXKA=r`#759|{yL5GHd@P)^yZ{WU_XVVan6ivV2Y!CcN&HR3YJ{s7S
z7jJjjntEp@m*|L{P+Mj|kl!~?bbj6F5ebc;Aqgv%8c6ndiuVk6!$LKca&JD45boZ9
zh`tx3l9b9sH-cUgs`rJ24e{@zPZ1K45y1}Y)EM3k%7x=Q)^N+lhZ>02Ox}>Iqxiwd
zU`5XFP!NVpvcUm0;@)`Komd$U8=51>q}&=C$a2&J@{t`lEDW(U&-D8d(dnDu^hxPB
z^V9y8$AgbB_B?Nc)2z<^W09i;@Rrv+qk_u(G(AH}KTBi})^N1VWO1+8WNI!229b2#
zhFGu2ucn+g^j~qE@01zVax`awh*ut#%gT?QQ6oKqR4@$Z?fVfu6h0e(!bDSyTWD<o
z8YRuk*TtgiiR6kmI7q4U7M!8q3MoF7V`uks7w$1TgBr2=t&(D{YDr4@DQ|VvuksBs
z=@doZJ(5oq<%~~#@DU9`JwO!9{o?x?DXZzSboGOnN$-#7lii<P<i;$1Oq>r=0+VmH
z@9toVmFT=;v~Ey-{PdWtt*<i2wI_iO!_FD+pRfZPSH*7U!fG(iKqCdOZB2!#m7L_I
zUAXGCMzP`B{O-blO64|ofs=vmYfRVEibIDykiKFyvZyUE73iwz0ooBh;U94HxfmHg
z8PwEYRa@ozGNiCcveKrv^ZU{pBK0Uly95c~Q-%u&hW{jMak7nIL2mmliQ-0GtU(J)
zRsIpS)f88kjh>;9YNdlEom8Q9>OhZA91`a>8|b@UWHE^4l2Hbm#i{8j7)<+sbllyu
zE-zIU10uc66M?_@q){ni0TwUXP0>!8JKK3Gny7-p8^8TS#88Cg$acupi2&%V>_4bq
z9*3fNu=cG2v_u7vPsFIAXnP0)vr*k8*gwa3i{%T&!5aY{s31rxsVoK}LBJovHEF3@
z8LCPiEzbGr4?ha|=Ihs^Lmvqd*rk(EI}(2$VSmP5qL1rMn_a1op$2~yvlEb&l1?eA
zur_<O9y|gl9=KH@IAlCmeHguJh}@M|D!Ogv<e%dZuS`DtrrX5TEWcCu?FVwoFyUzk
zj0kV(k0#)8`WR=vPb@|z^3FL9<qYebiQWufV_dPS9XINgG?JJ=l>a0&-CM9rAi|Z#
z*xv=I)H!Edn(C08{0pG&?FEv{o$1lf-v`cR9aOG6PVvLJ>Q<8y*q5Qolf2MY>7|3k
z_=Xi?7<q=`tr_mSA*--<^8l&Au-u<}H)aRpprBFNbsPV7a4C55R$=A!(uvi1i;({2
ztAb5#-}AFb<n07=wX{ic*;KPf)m^E>uT5`%>+oTC&xq3KTjhATDf=H~a)_Bbtibh~
zP|0|gv8CSBoYusq9fpo}+Bl~2v;)P*Grf=~(}+q(yD&8#YsjEg@guK`s`%NWhNa`T
zS7IGo3lT_;qH#$N0)cR4%a%jC<)qnAZ78{K_=$8orK?tVl}1_zv`mW<99C1ic3Bag
zQu|s5__w3|EM$FqbR%n9>I(%m3oD#paDn$iQ)e62bJ|6Rdq7@ix9d6BA4e(12&AjN
z&3Hq}U}gHr$qbi<2`}~y*m()rxV)%@s(<PPu&eF=VvJWnhsVJu(I@&5f=2{=%u(BF
zG@kVbM;(OJ9x?VG6raE7ezkOnMdV^s9(o+<%H3WX`@m5*$>F=T?M$D)Ruy>pHQ$7x
z-56Tc@pQ#q_;IT{tcd}2+3~8MuosD&i6Lx*fZ{eDSL;#c^hal^Yu68CWPCj(w-!X_
zr(C6(+v4>bX(yB-)C+GRev$*UqQm_VE*%q9^^ZhEP85GO5}2_&`ij;+4n~A3zhxAd
zR^Y>nwsC7zH!K>KHFaRuAMvuR9PGMJdL)lV03g(~YavOiSD=W|6Kr?@xJszme$y)O
zrIDns7FwpL0~{~9AD_?01HWVbLZzkUASVSO8Y5Nx`g4oHeWQcc%|rSv@LA-7G>btr
zutA}1(-po=J+5q4p^}~->n|)^isS!hH_|(v1*&o<)r(^AVKRPKa`00-=c-`hoo}9k
z-2~NbH$E*HK5Nf2*95-l&~3pABOp#tk%a+)4@lqpHq9J54mAcxpvsmxu4N;wa}dXl
z6l4!uF(&}2FrF$B8SSrpduF*2uKt}HQ2dWbQ-c;Y${<OYx<yV*-nf>!vs11z2pgTc
z==GFB+soU#t~mzDR~@=Zc^c8_#zNan>}(W9)@(S&FGJR}$!^9np~={2y%<fo=23QC
zMTkj03jSUSN%lqcASI*hj@@J7uvP;R){>s0f=XPTq*)H$wb}%Qp7$BOVZNuyN(91V
z;nk;fJ2y~Yul)kDFv`Z`XqVt}v_Ogbpu1>IMxDo<FU%9EIO{!CF}+p5NxYQaD)(ns
zuBMzqTm0`ar01I3YIMo?b@q(R$}uHax*M@kA-%VfY+zzMcy=|q%v#GrbXfaEAaw@_
z!8^~nT`fL&?akQrB{L!(gr&<r#Ea|!Y2-=T3@G#7N>U`Vs7%_AY&R?)dRs;Vthm**
z%ur3aWQ2(M@f;R1S{)K%wio@O;WuoS=mT|jTYfFWZACzpeJ%B&m!f}{e6?O0yrZuv
z1C3V2&r1CkuaH^INk#8!uwFDFu<nayX|032BbtT(4W8HvwSVY|N2~ZP-+o&vsAV49
z4ZEQ`5VbUWjFOX?o10!LAJ-B3gu9EYDQ<5VVyO0u#@zdEc2BGc0pBH_PPG{VlQkh=
zVf_-169g&f<Ll}T<VWECx5M_@=Qf1FFTQstp@n*cXR4STk(O3fE%_p*Lqg4KqHs(C
zl-z3<p2`)4S$7!oSV1G3r%*7j)-Hqd8U{=WN7zPF2Z?c(iuZBI)Ht2G(3AW4cUxh;
z2r4;e%jqL<h5ocv+Pzaipg%ugu0F*}8;a$EhPZJmv=DqiA5U<Bc)0bG-Vvu85f3m3
ze<A{o)Wlxe-F!GLGir5SX}0Lxz5hEmTnlNDpJlSbt0UPIvG7IO#{Jo62jQC*j{0D%
z7jJcU<>(N<lG-eVr;_Z;_-r1nYT`n*8E51EV2B;o`)%Hh<`ahk_0Q`C^pY~QROKOc
z;6c?eXGil!MAxD}ord+mQ>iT%vekoL@)%oM7ls5Vt29FqSODc4<{=;_kP!9#=<q}S
zwA&)|HR@~n0k<#bMmr0m6dJf-5PpH>nEmXJA~d>2X3DuADJZiY55p%jd^XM;cwx)|
zI{8C^C8MkU_|K{G#`D=+I+FqQ-s7EhYQr1a25%TE@w!?X@g`{qnU7nI6NT(vs_(jL
zmj`CQ8wxy#!a0v0LTw!{ssDVFb2zpJ&#9G$G#B*VG~>l$uw$M_d@l}9T+)-@0%Y7#
z`#&~S3#)io`57C>5Vc4}=^B}rHnynSn)pb!fvmLpHDm5r&oV+N&d)nBzRZGdhp|Xp
z5&Qd9PSLwzq4P|f`*?;|acIW;J`&Dint2&)zu0!l-U~1mYD)5jcBGGxKgLlLvYTtF
zfJSD{?-U+=$(D(`<OZG*@b-o-5tx^CwOHrk#qLIyreF1lL^0#e@J_Q31S=_lMrd<U
zC*${#i*Z+5J^mharcVQb^=sJjc4>GK-5)Lv8~9hJoHnPHnCfmnr{XHvL<<s7oO~G+
zRY4Hp<y9zrP$`K8!)!*irseqF=!yEqS883Kl&t_YF4HX9%2r&pmW!0~Xt$lyLgd9j
z1oEPeDM_2o;&@qqn8H?jV-Sk@Y+4qYhYDml@DBJZcu#s-WlhFb(6&rnGaFECbvob!
z8{*)9jOD?Yc4JrEa$lE6Ey$5xqmj>cd<hCFJ0l&Xd<6PL$n@Gr_Z&LWpV|B5!3lI8
zB^0h_DPOTweziuZr$8NP&0n^W#ol4O?CKin%G-;0978AOWYlA#o_|*377tc(S$DGA
z5M4ldy9%C9Zed%+S!H5GuB#n)>8qI>50cU^RUP+WOZ`~O2hOQYZ!Eeuw8LfCz^bDB
zUuUgJ+?PrxhJm8ys&wWfLt8Pn79sXK&qxbfcT9Y)IhF}B-p_qHD%gxxqQlUmz>>@N
zGK@bhE5#Q3Hyj|TYLb`-TlWR1MAO%CQ^q|kWF<@DTvya5*a)V%;A-T9M}w`jZj9kw
z%!X9ii?hHdomI?<Yb1eMn9ZQwII(fy)jv?`m;SVL!XZ>ts(Dj0te!`~<p_oJPhI9e
zUS<QG*QJqwH%(UwtH_^9z@a@5*1u|Z^Af*xarRtM8h?9^e2~CR%1E2Wg!IbBXczj{
zpPv9&Ws-(j?UD9Z#6_K<7N?}Kqq;xjXkwPJ)6R>&>3vIkx~^M@eKoe1%5Cl(a64gT
zxn=ujC3k$h#gvP2Ad-g(hwJ<)$rG!l?=8Aa4dwQLWeiojt!7e_QgJT|g$p-=E1dSV
zXh185e$#7ZF~01Xc{*i^{IL3R4O4%Xb3@i*@OX7R1G|=RdXzH^v#Tj&x^pn9-D49`
z*;h=?OOVcl7IQd?C+h*6SXPuQ0Teya5j}r(jeYU0E;@8_B$O&0{@LrXUh~Nam#M$~
z@>;>GI25AqnLgi!cOuSGs7BdsVej$ddWM`HE?1Kjdb=X2%mm)IT`)bmsm%j#BrjJE
zR^Drx>8UH2G<QohM!Jy>Nf1pI6m{Ebh*wWBC9zqHF4(&mEcbVhTOq+ANX|WvFr3q=
z!RL?*N~@a=5d<tDV4_w(b#$nZ%*r4+viy3u6cTe&2P1vy&NFA3+pn>-uE9&}yhaFf
z-oXZ`JvJ^Uoop<{YMxFJwcv2n80J2a^upY_RZ<;<N#!*b|B6rIz{1HBSMCGzIu#sE
zBb}eJl0}IM5uVXTg1g?{II*YU^A?u?7nA_h+rc|937;sMa0~|TtlJEPReol%X#-vx
zUG*)WtnYl-)^aqT1s=_OKJ6;d{v8+nSRh^L7~Zvb<^FE4U$z`DUETWI7d9DCKtPG)
zx>hQy6$-5dvoOEM@AVhOE%%qbLO3g>oz?Ka$33?LBYqK4yzOnOLw*h8N0p@!n{7FH
zhduE#UK4W%CmKrn^9{=@6@(>7wN5bL-xnbXp237qUajMR7AULlvzM8NFf+Ukb8aLR
zVp@G5Q;nmwDzs_HNXhC#Ws0|U;I)VMxTzj;J?p}<dhaK3F@QOUO@%ZDfAyISd%7MI
zVg}7!e#trX{{GEUu6$ZfFGqoEiPH)*kVlflaY>XC+*feoDrIE$?yaA9`3Z522UV%2
zoiMYOvoafis?p0uHd6~j3f;89m)4j{gDH~b6;C%9#Y0q@?NuI$dV>!2mmD@ZxdG>3
zT2l^2`vLOj^bV~Fw@196WWiikxjxg<=T_4eEdGC4k<Y$L-$#qM{kMMqP32$V#hEGn
znJRxF0r|MYmj+?$+9!vHa%l7qkc~1e`j<4?uW?KIi+e=<z4Uh<xxo5S2&-%nP}#*9
zU2)Y9XHjczN*2tY8i2Ygxy8Gh-|pzs-m&0YD|{EL5CLKumBm!o^dO4YMD=W=haV+&
zTx_e!{hYYa;O3JzQG5pC+16)OCkc>DqRjU(oum&bzwy>HBxhD?f4cg4>19~a@L<bq
zd-66M>W1D=?e8>40u}@;gN&t&cqbFoD3R3V2H&%ILWC1E@d(U1J_^41ANk`e`aegQ
zoC_S}TgV64=a%$l$uRQJ`QxX=6;`5wTn!Y%W|SClwC<990*!bA!2}*JYNT!D&hpBA
z`}Nz@fp|5$)Rhz<DD*Qhs0=$EW!UW`!<|arOV5qgp|HD<_I90bM&6F^?65g@7Hh|F
z#9W^9-txYw0Vc<vX1vItvov>F+t>kBGk@vG)(wxC%@}+=-J*oR0FrWnuSI?Olb<vA
zL1^EAK-Z=1NvV#8xm1RJ8_^hB^wHwhFXuZNA%SINs%fR@ebiGZs;O$l|L+3m<>(iS
z>AbJ&X*e4!HHvHZcrGt^B$*MF%w^B26Si(#CjLhw3KDM>Y9gd_ibE?jc3NQ${<dCt
z?J3rz#MrMKvP#A%=W&fw1*`vYpvzb%BbcCeW}Ya-;j>XrEctG1JoV5{C#mA!;GnZp
zl)dK1GnK$;icXvY@}=qcvPH?Vjb7P&1|!7c#wy8Hr<+HKG%t<I6{{k-Yp|b^3@%Gg
zl~{<fPZ8&`r}j@0Gfr5N&ySQ(pjxxq+)7C};V+>E<>N`Td=xrG*pPKcPhFn*an@vd
zY~<UWgKzQfDI4OugmG%Pq|uWVLoY|wY+R<NDDl9mxxh*pb$+Wcj=U<x5+S|-l&Nnv
zYY-Yk7E6JXY<f|6IuI&NqtuJndN#38vHs4M`=NRdwEOLx;U16-y}J6q3<yX~g~(C)
z@=bRS+uWKlJlnVYtyK=|Am}Z^&tr4Re)<WYC_;naDk@YB@}TtwXNy<KLyodN5EwNA
zlV(9D@&dgrp`(-KWS>xlG3foGd4E))7L-UL3ev<AI4Yu-oUnh4txp<XJ@OPK8PWR0
z6~S~srW7M$Gs<Vv;SztNRZZHJts{z_2TVp{!rai@VxP4W8=`uNh%uz5!FPdOno<FT
zU%DwbQhE&*OxoNF!_kquy*PG(>C#Pg+v>HMsEvXu<V5GLZQr;YWa0%M^3jI!oJKnF
z30Z*L*JVSJGyDf*8#>J$2E<V$qHsa)PgE`6r`_~K_#bZa3^&PXb9k_+5ZK9WdtV&g
zgdliyaYlyq+UTliH4OF0m6tmjI$55!2wvv5g^;PO(r9R6fzbG<zshV8cQjj~(FV1u
zjUTIa_y#mmGkgy?k7eb~*;EyMuKvvqBI!X8qk>80C9{t=R|rP!<6hv!^t{>4#UpyG
zo8A>DRr96a3wT-EG?fs&m@bsU9K4cQ8dLXvR}-nxpM)nN({A_V@82nc>VY$6Nj@7P
zz=(;EC4)mV4J}UTyB(7Oy|DfpjMz!4fS)}eFQ#8n$S<67-2Y&uQ74PzjEvqMfLkfM
zdSwC29P{SttELa{>ICP-dpsoU4v6G8bwT93l95F|ZG~aOH!Cl?j2Q~Xu8~Le)3WB@
z_o$dVKau4XAYLzjuoERAj;XgQ4wgtWZ#~PgP`X*RP2Z!M!T8R;t-X``Kh))KdH6X=
z829#WghrK3CCk1Ua0@nNpx?YwZdhTGyG9OGC2Hq`(nt4Mysl7XtsWDy?TyVQ%9>IU
z;=*CI@&Cg=-GZGSh&Lj==-ARkl<i(JjqvHLkM;>?`Kzk*&INlr3T{%v;K{r4aO4a{
zzu+>7J5}N*MxmE%{31JhDmo@B;XPV(6{6vPL#}EsN$GU9d2yA^VHkRckIyOR{r9Mk
zM!#i2qrt{{s({HB8Uw17Ip&HSh2O|w*fsj~KcY4vM%4b%W~e3d<b>8N3aq%(BiXIa
zpB|FkmyoFg@KEF>=b*l+w-OB5l^YGZNSGJ&cYnQ9P8DNDrjU<0-<zS!%VhNa4Lm%d
zLP7d+7sf@VUcKjC-U1)Y?Q5tZg1r*cjr9y#+bcfr-(1}glSu}-C>Nc6TtG>)h7aA`
zx|mYV7#S3e%-eApeB%6;iH4Drm%{YO%eii@IR8tuD*yUL69A30!0<(voJ43@8+<xD
z(YElT5CC|uBK_m+#$F4Q1MIL3@a<3in*1dM)ZZB#ymkXW+1lA|D%so5eL!-r^`ygp
zVY6AYEg>JbeAI1~k93|Wo>gV0!=^2)c5gO?Jx!=qq2PMrNT7Ufp{L%*Rv@+^cUL$=
z75Ut;Tztuf7d^)bl?Q(sAk<MUQq#oS2<ws^ioDn^Q$b=V+Ar(ALEnX`@NxZs5m3J4
zKHpcEmzcIu`nAcf?%gA}xFH+1Cx7139jBb9mQ3P!N?#ocnw_VyV=Z#?2g2HNQzwhS
zmgul(gg<uXSUC*tuH1JVF!eKx+x_0VlMMpawLapD7>hn8N>AN6H4{nEM~Hv-8ANc%
zYl44ztWD-shK4*d_kFMKQ3Xvfy&KknE7<&fq1zWs$%41QfVj(tT)c_A8?j3-x3z$l
zH-tX?cdwHHO-h<BKX327;AtUFyyc&<N<6doD0fwito;<<JZW6NC>rl+zqcd09dKo<
zb61KRA6-ts6!_>k@C%zXC~EoU*JgNt1x|42^&&ms%d%vwU1l{npOPU|=D0vEH<#n0
zx)HzE2TCUuc<R|<upNEM)crWXjbqK99^ZAPW9;cm<5*-hXTNI?_oWa8j_AU-P?rg2
z!rLP&Fz=}WXoUFcK`~uFAuI5BKOlVGNIrD&NAb4wLqdH9A)w=(Cx;{ZOJZ*6Mq&2E
z`#E>C>=rC7nSB36NG%KtZ}^VOT8RplS<k^TMcjN>Y*`Yj8|4xqAa*&RQ4ql*{gyDH
z%qrDvhs4@e?Z-eMvOJYq(b>*0AF8oD-3Ih_qT8lc(uN5Md(yKOMQ~PCbJfS-l-T0E
z=*1&zF%7*C^fQ>O=gj%d0gsKN;=a_6k}<Z*S2ztGEr>h^g)a{O;C-L};jofFOYp>y
z#nNP4d*VBr$%(;0bwzV$eOywe9$kUJVX%<DA(1=*2a#HWY6EfID~TPBWzz_u+n^6!
zX2S@v_ny5o4Fp2|{5}!MYPDM&xwxxzQOwU^=+Y@WJ>_6kWuxf^6@7(@csFWZ*e?L9
ztaXz@5&TXdvAE~QM0S*RAGSSWBPSn@*Sl{5!~?*iAXmKfW0nAd?EPpL|Ksr4kf{e(
z1%;)Ae9V!s8O^oVLt4qOV$xH1RF?Sp?e9{MQDHTm!tF)!s9y?1NCv}+ftl%60c+T*
zpgKS43n$RUm7r;hGL0F~c4QMOt;5^j-{t3f-;@q}p!SpWzQMwNPPU^NQ`3*ndz6&m
zB_$72)*5}K;R#k#z8CcT%`1;D^&rk-OwW+EIX7L+JSTtUzR!LD`yU7r4sPuF(=}n9
z6a<+`;X3z~;G)rqPtJ!?Bt^#e){0^xx4TFOnPFLUc8f&PT}*Scze&L^_7?hXYNPac
zwSk5KCw|FfCS5sQVs9~5-VI7VRwN&mkXJA^USE5>N#QQpD9!Z;?^76Ib-dJ}Ee2||
zI|0R^F9QLI@J90)<^Z&~fzo3~tt25xHRC+a>yCg;XcFZ^c}%hTb!?jms=f`O{0zT(
z;1Vw3j>#W;zv#B<)Pj?NYE+<NqjM{`mx#Z`{Tv)9<%Y5V;@9L*dIa`Hnd7K&1ne$j
zhqBYS@|QVe>eL#eDURGKZhH<ehCCDsxQw;Xjf~7nH{G9&S0yKI|1j;A3>q_4FqC>V
z!lInhJ<ferXBW1)9(jzPn|2*zfH%bFCu8iljagnr9$qVW6^}V#pu@=gz$QBO4|@QA
zeG!7Mm`%X;sqHlTL&^=y<lxHEm9TEQfavMcRc2c;QCGI?TfzdKx)e1YMACh#=S$z+
z$TDdnUy!B2u3NHhPg12+!8d|-x%~+Jh=XoH2#ep~aU(0%b^eF@TkZ*S^<^5`GAD?h
zi{}Tn{=56P(cPL67b2qCi9>GjO;yH#od@Dvd~ke-Y@phv+UFe@=P@uA-G^}s`nUG!
z&qT*dL!gMnB#j-Cd5=g$o^8ZXW)4?nF4;p`F?kO%?}g!=$+@4&uP3OYo&?ctqv^`-
zS8(W~0pKT3$%7Qu5^LEnU`JUBj*J2F=c4mlv6sAbGDC-rliQizO?AR@He+U_N$-F9
zp-|yfQdJ{Ps}WA4TC=O@@BfexjBqE(!YiI<a|;LdtgfJ_LDtH4LD$!xCZtfU8M$gO
z6QRE7Bh|Ck6C(0WfBBM)30R22P`bj!@WL=O*n5IEPOf?`W@cBgCc+eL1?S2(AeBh3
zqZ!UPiW@k33+7DeMs06H3v@BR-Xj1Q%4E=3Zq-z-qpOGk_*b7R$)K3AK-|#`9$4I+
zjZA3IyR-whWIA!w+eT&Fg6VvFnOqal<P-J>+z)icSlq|j71k~Bc!J{qp$x!pxk1%4
z!}6fS4`+TFIMwnS-WmAATgXuhqawkO7LcEY+Pw+<FyA48A3b~+ugY0(C22R%FMxoe
zvQKHHU1!<7mL~bCVP@W!(UlWQut`1<o1J$?6R^967bj~kk8}64oB>4?@|`|d1U3Ou
z5T0^TcH`fnEbTLT-v@YKd;HF&tzfID@WWwMTP4MBT5IY6o;pz`aKp@jibSU*;ZPU#
zuIK5vYl$Oay9krY!xm-i%s@uN{VVh^f$9bSbV|u);*op^)GF7PVHTN#lQccLzNdAx
zuMix+%%v)OPk}<yBQzcfai-7oNE*pTx)cB1HG6;fmimMGVLqGL{S(|mqFfG9E5ZI>
z)x|N3QftWzJuKZ@d-z${Uuq?nQ9FPt<LnWqlQ*bG{*s9-Ez7~bT~6*?5q1RIOxvcU
z<^UmvS!gnH`vnc~yU+S3j-c1QqU+K5IgtR6XMmleGpj;_4$0@1-A||`V^EVX+5rX^
zWcvU(cG*9u4AO<5bqLn_R;J3{b%m9d;V38gW0eW6A}jm=r=r_2YT!wFf7g_6H`ljl
zJ=3!z03^AqR-0BrxZ|6@Nq=UnQxMFxeQ!`rBfZBsCk~_i23_EEb#aWsE5e$bK8`rZ
z^uP`hFw>6|*+iE&d6Pxz_t#16*9hg~gJkBHIRT|+a+mA%i#<T|5tYO${9d$RZJOV8
zUW4zC*r9VVxt_PYPW4Rk@3F3->$;aAg$>$jAYG6)%TF3`R1s!pXAWrU-ecoOWZ1co
zrjE%vT7ay+1-_N*bA0F{T%U7RP^rg?w9;-yzN0D22gX1+O(_oW%UzB;?ub{hv|c?A
zV+VX8rI0K*M@$n-aIx?#Yt=3^F#qlaibA#Kx?c61%~xWivZf8B;0LvrIuPwdJ=5de
zd`R2!*%%~7_#yXw(Kj)NE@r4ul(X~~YuG!KSCz;f(q(<m0n|u=KjE&g_W(BsPjgpE
zw>?SIAa&WiL53(X01KID(iVSQsCJE1z}-l-Jk8pc!yRZ$<|@WxbLRnWhOhSd2S-NV
zRH)tXw#p-k>D8&dT|a$Xd7yqn{q8YE&ADFlnS<^n%E4lv0T%B@WX%waa0b^Zl|YS(
zl3F7c<87x3YMb>7E>rof1uQ?bf8?tV*)X<C{(RNj+6+k8D~iugu+<LzoI-?D7h~Xi
zWF!59E1iRhNi+b-?3DY0wftAoK<ywF#;5o@%@g7Qzu-rPU<wFjfF)vZ$Xn|N$sv6_
z!0&_I9)?%k3^xFE{EY$69WLXoMJZH(E)7yS2z)4|ht<QT;$R?aza^Lp=HU!RmSOSu
znl}#Dyx@iJ$XocJ;+-rZ@*#SMhou@42mObVsNRn!QML(x_@kCdODQPvwj|#IKR@9Y
z%bFBe1V6`$Jy(pB9S(%uSYQ5(twIfO+LzsVcJ$k>g>+!dAGt4YA_oRKm#EKf^j~iO
zaY6zKhVJ8TL-Dky89rSEXJSljSS4?&cN2xjDWmNuJSVtBP&4kj#LsP!<8ubQSNOby
za@~WZbhNstRTFRWh0A-9%y1U2=lpwC-ha<Z@tO!0_}o?nG@c_;XVI>Zo;i_3OMqpj
z0x7p}yZK{0y5D(z9huCT@N9Rkw{bkC7+CC0H>|QKQMJ5I9T*mSc-E1u{PyGQ2Yln#
z!8W$MGQ9du-8JYHQnYl_oD?UkWOm3)`T#LfY!H%C0uCE!Hb`^j*7wmDM26ec){NyY
zFJD3a_*Z)no8P*EtuRIz8BNr<EGjkG7oG~zDz|<>vVQN3@8|Ek!Yi~rO(Y7p-(5)s
zje;dAQBz0f&UD7Qg%N?6(MB&#)3prhBUlT8i4c)5JcMkLWj43e+q~JQgNCxGbVP<W
zBK6%36%(#^CqE-!soVf{A>UW1G%E!f$T~uuB+7{Ly`l|F)x&}$T5l6--hdBJW}WFw
zf%=aWBe3ST-%G!ULq!~G=fvU;-cGx}vr5R0FI7cw1*U72XE>s^dTZQGJH7E*FP<e(
zs%d4|m$xi@X)pN)3x)%<;TJq1wKcms?^(VMlTM?x9o)YqT`o1yfXacF%3Oksv6<f;
zYZn~KzNv}c>y~fr=n$43OVVrrH^*s<@UdVr)0P==R6cBOsRT6Mk%ULeXIcfHs;3jw
zAe#1B;UFxH)flZQn7m5LieqqnEfd>Bn1y2=($_)j_?We4&ceU8+v{ml#RyLRu{x`S
zI%@&j)E>$CW(x?5%SR6AQ)PdT%}4Plem3=Ja@S9L#|dsPs_$%=VjQ0*!!?F8zk^jI
z;f-9+=jzh}%{2_=FtVhu0=ragLNs@LdAUW4ec4V@GA3)7*f1Z_Is>^Q$!x>)hN6Tk
z#b~;1uuqdTGZjG^K;iw_8y4S_eTx1MWo%AyFk*i798D#2=V@3>&{wn9&r&zQ8I**(
zpI|$xR+PDX5?`a`-<G+tQ7iDZT;|kvg~?(J%=oagl0S^RA03;o+V{qMpE+2^HCAVH
zJm(ni$N0ywN`~BIqV~%_M$5Zgqw3rXGEPnR(BjZKr3u2S1WaHs8!U6$<+s6DYw`Nm
zO$1hxm8abB;S+RRJItBZ(KyLhg4_Jq{6C2C#lH!09BwFN?NZf&NhurnzKGyg*fe{}
zqy=U_5GQqUYw59dgwvK4-=E=|rXej_WqYmW(|4NSmg81?x1NFr=Dg`-rxm6=KO@%r
z6~g2V%WXtOW8`xeh`KUBUKvbh`BPlbdmBsGD^Cppt@M152tUMK+J)$Qn|tl|^Bmj)
z&zZUgWSJtZ_+62kzxdK5o~RSqflr0T;WX$l49^wk!~D~<(TfN!8J7ia6+sq(HnGP&
z?jdWqMeYksoHp|opx$zoijNhmqQU8!T6yT${Iy_1aLP)CLD?m`xQh3qsEOW_^1yo0
z0U<s+OugGP1CVhD{JKeJjKhB32UfS$-Lm~`A?@lZ05kzs5oATiNsP4X{xFl|g>OGW
zBnI@s)}|$M4}Sl(pr!EB{0kW=h)mR?C0aU3`xPOkoQ?j98LIXCr&9Zn$xys>i(o6~
zDkeJt_o`B*hmREo*gFkJMSIl(<|~rUYh(gS)Pa|s>$zL`L$;9kPg!iJ79o<05Kv_>
zwJP_45jQ@*+~tYUZLvuSD;@SDW{p%P2Iyp4XBE#TpdPleAN+8Hd(<&rX=?X{nQ2y?
zIYoNS$g7jol%h=1>1?|rjrn3GB2gB$#4X*!@l%2gtT2U!B~AA};yD39Y7FJ>H<0rh
z?nvQny;j1a(f2B4s!yig{6c$=XIxXn_<14mTdt;Zo0YmU&vQaX(us9f@0rBw?+mly
zUcC%0X1uHf5$X56C9k{Q+>sIChSK0;aCeO_REz(SmF?@QqqPNoj~}_^?(E<Fk4*VT
z8eYNL6sn{$#)_hW!PbSB0Mr0Jm!JTR7z}WxvqFfC+QL8o*TmrvMxr;*78H*&H0aE=
z6(!QGc-@69>{j7Pn^$gM4)(?LK#6!%_Km)dwI~QNq-rK%(UDo>sH++}MLhDe0T>P<
z;)FR`gjn4@YxXz^ZK3kwgk&(<ia54<ebsHckDc;0%iR{<I(~Fj!4TC=g=R*}$J$c+
z-#-5kB)hy^!m%8gwrJT6fPUdL=cBWO@ALS(9YjYWrzNB^%WRjN=7b<UXV3-7w<^wr
z&tF=H?!9ag>)4L5p<S_eiXdSF4Q0)qRamGw61QwhiBgIHV&u}_=%(n=h<4mLLZvTc
zq?vRj28`6_tC?hQ@U@7vFbs}}>lxo82Ux-*N{AHx^DXSzvAl2(=qE$Dk3v&4NyNQL
z(oj);(pypy*(*5_ls<oPsgfv5t`QT6*GOOi^O=1Dob5)-kIAtJJb#NK+b##X_JsHr
zjTEA;cd~iF@aiPbX?)q%07MK!*y`zJ?}ER<3&$}=G&TQCp?(T)@l#=`H%)Lad!cZe
zLzv|9Xsz_1;@EooC3)9HxnIJ7WTGVMkHRIe<lkRcN*R=#XN=DQqf7jP9y(g_AYu<{
zeA3QwYmfzJ6Y(l)$ehVjZ`1tU{_0J~)pkC>&~5*!*e2BMkN@d96C$a|LG@Ew&33}R
zh~&O2jRDkSIMXu)otvFzaBGKteD!+q9qNvEl-NWb5<QZ!{1Y{!63bhT7wGtZ+7+CD
z*#yreGkrVj{kf<XLBC!PUF8d?$>G)^nq5Vsx!`+8kCVlcw+mZG`Vd_nr3SvMG>i(t
z%>wr`1Y)dfem?|HXT7=QCF~72E1s3oe!5?XBPdT$Hk^S3T_VlkD5o~&vlO$Oioe<)
zhL10a3|*fnn@I0D+o-(v+9kFNC2oxfC)g^QGI&3g^JcV*m2kL>g3Xh!_pR6?VGB6n
zaKD5BhaTfr3eqoQp-o+e>n9U^cU9VMh(sTwb>1)!GB`ZUBw3NH69K59x19=dJiEG3
z#oW5zRE^+5by(?#yH%;siilqX&ks3sb0(wSuh`yD7Peh4$y@HlcavPiX(*S?h)@2C
z2Ml9>I8Q~n9A>o5;fgwr{Fi0({}CI=1c1Eh3I!pM{AAw4P(<3;(NHeteL84PRBo7(
z$j!#riEW)_3cA%(ZdRMvq7nuG)7eLb1l3g00l-r)&kf|U+$i8GUNX`irawFBo)STt
zw8}em+R<H<>2T6|BS90p|Mo4UzT+uUar?wW<#bkYfK@c4pW5BzSJQk%xvQ;K5(vdy
z?Plv^gcxB*VX8W;-4tQT?58r<u-p-|dgz99VTd$$!Xu7&l;8{-O{dJ=S*CycKE=4m
zyajVWx^DzoL9EtN&Lx$Gyni+oV&n^P+SfSI4mR$+{)MPidjm%%nabm)2Q1oI@|#bE
zudnTFPMztm-mcPyjf~?!)L8R+i6Stu@>m~P?=S%Ex$*Zw8UEtNT707ScH3{J^Jye^
z?nX}Mdo7eirPT}bkJatN{K9K%7#b!kyb1&EPhJ9jcVE-bx)<*+&Wt)Raz@Jo7-SjX
z_fc<WyH?u`*V_%7WB;Y}YK_h4H1pupwd;C?&PIgDX6b3^QGGqP>8$&)KFu{BLFP@&
z5DWw+kdarSV^A*w@d@8Null>U7!!UyXsbx*^-R$Gc3eSx{B&~Y6PR;KE%ghB11SQ2
zLfXlo$la@^$!nF%tnX}HRl60gmDFero)8c@rO@3`jV~achcM`+A`%VK5a1W6dIYc-
z*7Gk}diRS?oi*x}aJuY67J@|9UoWv>uhzHfu#G<3A?ne;Fgs+)yh6cF=W0z7d%5yI
z9tWWK)h@W1nmCvAgzH#i&1fg6rzueBa5&r_Zc(E7^V|@dOyoCFX}B1qSBTl33i-1I
zZ`jO|fj99}g+aRR0910*9aeVXasI;o7VVg&hS;_0Yg?m_hi{;IDf%p&%ztn1)2q(X
zrog&lc$1j@XvUJa<S1KlU7@FMLhT>g?bJr{ZFi=YecL?oCmYmrhs{DY^S(yh7_b+;
zb~5TZ344-)Lg`Y_$A!B`HJ^dAmZ=Z(?8aS!ozWf4EU{JX8;^dx6$3?;c_1@@PsHa9
z&fSxkk{if^y|9N*qHo=-%|ZwB;u!p$Vg%dZaCB*7>J!$7H#*^?^u_0#k`JD01{+mC
z0Q{N6+8yAtxL_q|{wCloaEn4&hnz*k5GNj>YWN6Pl=*Yqd=d?eR7UpKv#-Rt`QAsP
zboQIAUtZy_ocK+9WUh9{)W=6<{7?h6ZSR-v@gmU=R6n=Tu6ko7PN(hEW$ZXy_9SNj
zUIpLZcE;{nCN0Y3Qbyc_XSvkvNL35H7BmZ^_{!inlUp@?tvLN=v;Je{WF2oy6|&VF
zR&t03DVZ06w_oiiUmHj5rXS!vaVRPJig9K5+Tifu*T`@)(%EE@;mynKU<%3B@$t6X
zOeW>9zh{p*&2G^Zp6oXksB{a&+B)0UTPG@RVh`JGM%j154Xc0KihC{Ursws(dOe#r
z;YRT3m<;Hj=&UeMtplQSw@4R>B7$g5P%tpyvFQES$eg66V)RD=wMhFT!|nsoP#eyb
zW*k+b=w0hWLgr8WO4?f2i>vgZuczgXg&JcB5{E}JC54NLkv~kma4Xe8NlWEg?CnM~
zLsOW+a^EAU3{9W)8$wYS=WQqXS`N-H9z={r5*2iJl8H7q)9~fSryIc;<l|uaC5mlq
zSt_ChjyK69*WL7p-hGg~xe9YlTO8LeSAr1nS6|<um0kOt9npUCns#VoK8ONmj}N$?
zEs!5RU9}ueE%SO$Da0pI$hf>O{}zrTYfK}#Sg~N);~qbIqoTDcncQBI-Onc<gLB=g
zUBgEkrb@_1b!ZtbtS4+?rlQV?9Tv|{J8R@!z!I8xeG=Z0vmi@wv^_;SeSoe<%@JTd
z`Vo#@MHI|CvPB_5h!EFDimOH~M@?S89piVH#N0<RmKlss+L;J58@SmZwSLnT0x8Xx
zsZ(h-bc}+i*+)|#?D%pY?1T&)XW8;MezH|P&3)JUY6+>`dlB=PI>5zBFFZg*$KRB7
znPfG!G)!A7*iZZs$LDDS-5b2(&3+_=?Im3Cd9yFxT{T7oxbxFvS(aS}&!J4yDdZDb
z4WdIjFiu|7gd;&dirwh)hcRJGXLp|m!~%t|DWFp~QrzWQVId5bXfvu9^ShgyeKy$=
zYbLjF>3Uci>d?0DLcPOk5R1h=dN!BBep|h6LN1V!9u>tw`)4){S<ao=g~e;7k@2o&
zO)<tXBV0#dhm<~%+pTNu1j%tvv8wgE14-3`AJ_AHNclW0TiRvJFHbYcQAqDw@(rfr
z)hx;&3r}o;b5t9P%YDML%9+P|BY~NFj?w?$1yF4Yzwo=I9OpaisY}s@F(r`B;!-W~
zYeu=9gsK*gd6U~M9eMp1p*^?*BBu1MZgnofDq6W2FF~I1le^8+hQ2f5{+VW8qja%d
z;=yX`&iVWItB+NA4<QIq<QDNF^*<){=?$)LHP{>R-LSeo{1t}t7>`*S449eYkQE}P
z28z$DVkW~VX1<b`_BdU1wp@%ZR$kB+U(vmnvd?bN?U@}Xo|qx1x9=|vsHC-cE801g
zR{QW*kJ~Rfa4AbVjeeuXnSOma#r`|>PQQV)9Zfum5nZdSHU8@6ZUF;P^i%d*n3w_I
zM<W2wnq()^E~d+SY_aF;bc*s%qSpP`xe_&&y+6M`cx=WZRY@hEW=2?{;Ja{{jt)9X
z;YIHJ&0`LHcWfx5iZdCx8@EXt9(r@Md?T9bb?UtGb;Ox-hs0ZhzI!uT69c<4DH@;g
z)}6L0zQf+_L9&GpjRCT;PLV_`lH3<;vXK?8c`gdbM$<?0iGbDV>yOwA|CfX|P%JX5
z{ck=tl${?*pJ2w~BZ&Tv?Y4IQ-Bs^5=ctL5pyQ`ADU9^Ci-;fZOP=vlNsEz>jYKKt
z-5U|2y#_*Zw2R(?eqSox^$+S{c$-|Ls}Pza_J9j<<tE*kM^Yv5mFZG<Z@cgI6Nt54
zSlNR2c;5s|;*rmqf;cZQ0$aH^J}bbPt`S?lKQ4>2hmT|>-AN_N@ZGxUpA%{CAjvBe
znpt^QlDM1klp<95mrfenu-S=UQs_=)@3x}Xo8lsWBEFrem)i6>_3<9!E&3T*RW@dP
z`$&n4kmsuhK*v89`iM<=PCInUP~tUavf-O}AR&R6>lCA;%fCW@bI~u>F?{oRyRNK)
zXE*Ss7rCAIm^QCUThX~sttyyu6`oIO;>Al)7ljY`?;KBY>eZ>AJF|#xD$b6m)x-G~
z6>aFR{<>D(V*B=d#C5SJq25*t$M(z3^M5AH1I14x^>0MTiIStPFK+wCkf-I*))I%i
z!E#|8cir^I$Tlbef0y=1L@dVy7W@wn`5ObDXZ)q~2l*6tnN|L(e5@58o7g^g>A7J7
z)PFSk0_e_?hBk{$d{_wGaz-Pi8UEOC<T4QJ#f)0vd-1(z?)?D7$yM~`o5qzwEgvNA
zT}A5mKVPibxUH086KK^tn=vB6pCz9SDWoJlJXhd8dk8N)cG`W~bSl1Zm~*PkmYH2d
z*uH<i7l&IP3<~cM>{_)yvY*6UTCY3#Q@IMgk42!AbJ6#W+gzX79@c6a+F93C6pn;v
z4ibbqItY9PX)d&p-k&a1E}k3-5X1N<sR#MUU&ud!%p!)RUe)9HddA+l3gIXhrHKXy
zy)&Odi=&H8RrCqgBBf>T1?13I^1s_*T^4&9UVgJ)(6x0}CI*y+?u@liT^#*HuwG-7
z7Ml=D#`&un=&h>v=|!JCq1sqek5uFDjAK~cz!AM)tN0sKlTe*d=MY3e<$lGlaoI&)
zdyp(q8DcMq<iFF!vBktXdxqxJF7TV%tmMyw>r9oeqs058k+vcX*iq;=4T>mA#SyNV
ztKPj^$1v~th&+g5fgl*e;|j_&&%Cix$ve0>+mHn{=pwR@{;*kQ{G5H}DVg;n7(!Kv
zxg`+u$&7@2R(M@Kp+j*NuPG+%sezflY5`K^xT)o~oVok$59_aMZg_Q)Bug_DhIv}b
zEHB98wd?8d82GZedSL07&+^)^D-`nG+!DVJjHUIQ<*&Qe@W&ywWE$BhUKFs3zX7ng
z*y4T?l<)<Nku?aQN<?gU-iW+EnH=?Bp&yfZvrEa6c{^Wq{C#c{&l>~D6*o?qe9VF^
zY$JvhFN1Zr=K^2EWQ1u6XLGTC7jeSZXmCfquN60p0h`6)so(MR4lJT}C5Hf;!<Sp3
z=6@>Hsl29ZC)tE`L9!ca`vl8I0Aa*QqM+SBv`0*2)Z}!vXNRvaP;M}b*lib@B9Hc(
zB|ZTUaZmWbN6vErAu(?^0$tZhz72*Ze%Ou0z6Pm>!a{>baA8J%$~|q{b#cqroJbh2
zrA&%&Q06b`-JfyAP9)iNCaC+iECbfoI$J%z3%xcBlMj^{U4DqiS)f<_#!{xgwc}ZL
z?nzWO^iDThiL(-7N4a8rbIho^aC(YlF1#S&FGJO07J^URo$lD)^_1RmU+_R3_~h7@
z`%yoO7F%_R1|#P@gbliyX!xRwwrJIRvl*e}Tl#ybV)Bleho-aRl~g#_s@H=dH9{{s
zespe)Oh=ThpKk?vo_fgRS?ul&p`f_t*TK7xZ(!XJId%x6$XDB<Py7ZuRmD)-DC5vw
zr^Y^U2TK~&Fz7@hYo)fbFj0&wpZ$sp2|Q!Qb6iK>n{^SF219uJxZH=f5V~X?40w$-
zC&&8h;ei2v7Xml~wUP1Fr0eYg4us|9v-bt<8W!xj%<M?gZ=QHuJSDFvP_K-e*SYdA
zlu1xXW1I@j42pY1SG{c8vS8$kqYH@#LKs}m^&$#kfO4gGx!p3m?8N&5-^Ya|XRP$u
z@pEGuaqA@~Lw}pKK8R1gS%eu#WX?~$-Vj_r%_Un+M{|`BXKy?G*6o5$YXg|qsEcig
zb$AO33*t5J@+IXtL|~NI;>-Q5LOsJHn}k4X+?r2of#ulM(l-}5d}?_fm15V`Wgyo<
z>|HA4T^8@Y;}iA`Towx9GN%E=H+~yeoF*m`DFgHFNQhYu*tb@sIG-;_C4RrWD?GD}
zHP@IK)S>j5#;TQctw19Skx{2CZgIij_3-ffFG;;c3|7MDOWxn4ViO`<ODmu8I0~tj
z+4$a@`@>0T;q>>P&+CuC(imjrP23}YyWWd-$#+8^V_nuzt_aEb^L7CVF|tcq$pF+Q
zaj)6;0yl1}T&Sw1ODh3Zh2z|X`Y!PVr?IP5JiGb6g!Qylj(INE$4Rm?Iu7kaqfk!X
z)$SVO|7-89!rI)TuF)z4ch?}LcyYJjF2%J-i@SSq_u}sE?pEBL;u740`=9RpeP^GW
zb9XNPT(0L$@-CZe&N;@I>$zk0f^=}@F7e<;6fT3In>w&+%Y)fp;b0EWS!qkwT~xO`
zng<Iirge>$<vQ>W_~?&hiq+HQve;97K8p59mN^)rHY@wH!N3##Whq2~iy6Q7&*mHS
zC~<i0cNZU|MI1DO2GrU(!FfnP14bWUjZB|?TMhSqZU7^G@T$_AcblPh&zjFTKzLbF
z7i|IA2w5*VFt8uVKt>H!VxK&!5`VJoQ>h817gBvg0g4}$4#`c&Kc>0&pW_SBl&yZh
zfH*u=hTfn=|8=r-O3k+cbJ*SAvdL#EAtZEyRP8OWNdkg}DYQ{eYQ##v-dLN~7)7vT
zNUMAPVJ8-0{Fofe1xt?4HN^dJCJ~{6Qu%z{!`;tY*)Y1>pcuV`j=Cpn82h6KuK+6H
z?|_RW88H)e6iw3@7V#Ghj(wX;#OyWuao)MTf#==ZsHUjK8;tK(TXEp_5CVO(mQTN!
zBNu>`vek{_nO}bg!W?v?j`p#rkE@5V%t|~zlrlgb`|PvM5&1sZDHnegWm{COrMJT_
zG||~6rk;n%_dfT!t5*5mmsH9n-)sr3Q?00Bq_R5};vZdo*8*{8D2&2-jtYu3Kq^Uw
z%QUoXu|oCp0*P{Z*iwH#cHYU~bL-X&bu^>KB-JK(&3T(#ccbKIOS#DOuXP$^)laQh
zp=0z-;XrSm!YQ2t{6S+Nzcs73s@ggByzcTi*lAqBN=!fE6T~%wJ;OCRU4vCCO6|td
zwIr(4;_B5Bsg$!y-5Xv8LHGu8x$eKxBEV^t+xwDYQU&{c1xwB%sdK0h=UWB(Hx*e?
zID}BZ#HaXA`9@RglI6*rHa&~!(MxkChALq`Z=++cSS(a5=d~3~E0MOLxPC@PvfCaQ
zK}T7hUTIYZOzi~}bL=^y%jmjIZ*`ch{Uo4>HwaOISVa0;zL>NwkhW@Cc5D#~NGyw%
zG-<o6Xy1;Ouw~35=lRyouBbEW*-A1+@LFiMhT)uC>nhCC78>~5J@W#!T*41VFRG0!
zRCyn3D7a_WmGwA5P3wCi!<X2V_}@<e_r5%K#B*2U-;u#O*lx}4j?b9bSK+_8m$;DL
zLicVF7Ifz}XiU$B2FXOP2M<bI!!T_Io;SYkslA8^-BqV;vbk?1Cq5yCd1Pggkp!IL
z=V^AzS=zF@04MS$3Gz;KV;UkL4m#wbE`WJkGUAnQu-pA(+M(9{;LrI(mxjmDUx-KH
z!i!eg?tFLnfxKqNM3Ql+Fs(-&RGwZ0*_};H1JH^)t!0G)1bjIqCKi3=#ngL4_WLDo
zn6i#Q)kNfs>sXL|I-cu0kErn;U$k*~?{QcX&jur1tRv?fP#e`lv_<X0_HyYHecgiz
zf0SDMQRwy;n0`qtrlYvJ4*fFJgn>-Asi-rLkbRixk;gRe3b3?Q=ZTxESz_y)+2d79
z@bb5z$n)>-Y&F7<;!yVlUJr@A%d2$<TcQ#0+cd+eQj80&vm#jsmd)g`7YM-*h<1#q
zR`^}QyxUyCF4tC=roBgmlIM9G74<IPEraI4ED?R9|0FuxM4_%k1c8jupfm@r6$pH!
zP%g%4eE2JucWPso*=wa~zaLsDc9Y4f0o;yefG|zCqD~uAZ<8&EjK&`zLmK3>@ZlYo
z^(h_Wp{6Vu7l+sbPe<tuZ+L1oGK_{{nIdf-=-o^~|3N*jf5I0Asp~5%owAkoLGzi7
zM<D}aT0(rr#dG-U9zSs|gyF}&?RQ#{%bor0R)r}!hTvDB=n3v^BRzcr$~m0zIC~Nc
zQQ<R6*Fe=oN;Qg!bs#-&u<REJfE^)gs4;yrLy;2rR_=M6<w#5p2k!BkaFJtB-Lcc@
zl4p{*X$ol7rFh?R$b-5n*m?WgKKKi>UK{jYHuvg^-1N2Wk@wSxKBf6Q?-x9uw6#l7
zooKjjJzgR!lXjl2-ca&JCN?TAe_@0yN~Oo;Bo-N)P{e`cJ}s|jg|1|&;LgLvnA$PK
zJW7~@z4|5T)pHk&fBX~Rx06L{^z?JM+IfT2-eO0??7f~&bnFdba1e@c2<JEg-a>dp
zA_&m(B4Ey<_%A$sw8fXg-sV5)t=(tICj=GQd<A-_hrtW%<-uE3(Qbkof8M2;^s=Fn
z!@`?J^uZT@WR|F>U8~wo6rrfdyt|SZHWc=eu)S!eCiZ!=eIHgyMU2gQ*mL26f~Kh%
zyNQ+K<I3B};H3>1Y9QiS6^`QHdrVM;9|9W5ROqIi-ya3Or`gge9@7v}f9f=|TQ5In
zem54>24J%HbrC*PZNCeo^3s7UuDUMdX8hFoRB5D)s1OVg`IyswML`_)<QNcS-N^b<
zv?b!7@O+O4(kyd^xgdWH;{uZOFx|O#kuF?BTfA~#2Mx?<6L{dkXFF*IFfBkGM8!3&
zFnH5(dJ`Qn7yJ7IDizU1GTQ^MZ=`;Gb0wzzrpwS&$xq-HP1Hd;{cW+kj-KE(_kvX7
zbx3=-pe}CwJO4Y`lvK)$cQ?x~L&hES=-I?p9`Bi~l$8Y_xDnWBF+DLcwW_5;pHP3d
zZ?w%IT%7@c3<|{9YiUg<tIl2RluFt|MeJ=#b2W;COvA>#cQ{eszvy<p9EM%Wc1n{l
zxy+rv<G%qT6hkuB)~~92JX?92i}NkNvT8dHC<IXGcEfECJXUcp%p;Vpp99C6KH>fT
zbxyZH>Z<E9Cl%9UqYdeH5!_nDt|asS)y6bPy4e$XGY(+sjPrLh70S;9j({iV)qrAE
zE^Ef+3vV-;P|c|PN7pkL^IRdWuiT=rz(S;MU3g65Iroc#i}>*|oCr?E^@@y+dKVn?
z^vo0EzYDGF8##2L!9+W+zvd;H2+kl<!BRx5kd=^m_L}H^{XEiG*dv{tiqFwxMxcXo
zlY_K(p^(qWj&HPJfEq|p(L6Y!_}e}nfYm{##N6$!^H87WDgHKwiC0*%K{|U}`WFEX
zRia|;tyja4dw!cRArCmgQdwva-Z3NV3x%Z@p8hDw>m>=rm|Y}~D4$_*bi|+-I6ER(
z;U3SQMgoATKLRb#rl8+nPbRfY6B~|1AaDiuWK6GjXumMn7nV|_CPq7)99{)jvhqO%
znGN!2(GJD$iDJV|cs-9SV7j3AHPV~PhOSd7<Aa{B?hzLqoQCX+U}0>9b0a!AB%WD!
zxb0-4TgCU2hrtxvOQE;0{jGPyN4b{>iqqQ1p8xoL@7^VUviSLP;1~mAmhKTpXuo9f
zd{EgC)sID9;E%MzXoe{Hy_Zs8;T}-{VGKdGqz9>bbdtOX_GG!Vq4`4lnXrfVz47`<
zDLnnSB&}mwQL{@>uk=mNA;)Sf0Y~A@*6%2Bew-EuWg)V15I>nd7jM%y0F#-Osuq>&
zBw0^hiE0cc0ABJsdfIVV$p5Dbxj^?~ruPBTZAmEiWJ4}_?~~!)=M{k|HNnKvHKSu7
z<_ISM2R)FonS?C(M(c|a*F%W0-)`=(!dQ07u<Vy$@2L<PPVygclHu;Cz~Mo!Hp*$2
z6u`MQ7Hd{*;`{^T<7M^_CB!xN*W9|+Wv73#Ug1(7nB^D6c1pr?goyHc!VP-K6Z!$t
zXu~b)+_qp?Y>vmsB@s(|Zw1HCzu)_c-F}1=PDTjV7|raKo67Ap`q(@j<J>l-R&>f>
zH7UlEDpB?6@(lVUlA#UdxW$C75c!WPjhC+c<YWLf@S0R&a)1&r@i(5k4W;!zW{|Y7
zM>i%E95$e%j=};Bh%p7Ca|gB;U28o*JMgv(Ix@6br>76c&m>|71216={Vk=3bOpa`
zFIl5<(3njPlf%YsE5L<`)1^ELdCO>)#Sn<wzQrml^VEJH{WP@!M<@D3YU!Wss%*~B
znz0@-tWc3#mpyAX@qL-#AH$&yz||*U$UC~??OP+3fU7~y9}TJyLEa^15iSptyP8XM
zNs<Zx!bMmr?4OOdlAMskpAAYooe9gkM!|C#5$s%-%+J$So_hu;0?q5n$rvMT6=vT|
ztyKELfho^h1eF45E2-0{lu=QfY$XV(=EGreL7{*+^d)RP2SdyRi}((ba2V=e6pBl5
zWZHfAw#v4VWA3P2)|_IMp|Btmu0xYaTFE$7y>E~%@(FCZ?`=u>`0_d_M{i??979hD
zS^|}aQt<wEMBxnDk<wc%!mW$WJ4h<OI86&2cP3y03Adb8;ti-Nx+a;WkV_MDOgWXN
zO>+e-9YDba<J%RS&Cd`L<?{ADF+-30`+C7h(jUAMD-$I?9NB}KmkdK{PwFR2MYD7`
z2FMxAq3^%+bn<>Ka=l-b4Jv0@7EC&D5E^WVHIk-35;Kk{%+%U$PxBudgL<`HsGR7i
zCP}>JroqI7aF^9wh|KR+!Y6p#lOGF2G@A9d@p{~aK35K@v5C$3Z~oAs-XsFu`1Dwt
zR8R4GX6bhcWt0$AAik?ZX?-qTxR=91y`>;elMHKIUw>@Ux;=%Z<QRDG_QF+o|HRL_
z7&yJ1#H#E5H<O0w<0jYz(Bdnb{)|hmX}jM1{DX0nU;<8>g%uLiV6{$3U%lXwRH14u
zpJM-qUD)rZwNJj3GKJ82QEV8j>7J$_Def4^4l-y=9(4-m`2EXjZMFsiPYE>4F~Wdi
z7k{*GQ+`B@FIqP0o?z1_?Opc_yUw%?ccK@3Cd@jty)HG6uWV>0ebShDV^N4E-eulG
zO%>T-wvU7ECGsW_1W%)LP`JDl`m>trRNSN5;th1-Y(#+H{7-^4$FnmLGqBp|u4*YN
zLsB`il^CP4ZK!FUNvu~lMMI{TYYB6*^)Pt+{)xB(yJDh#qBW3vM+6xKD#K4>hddRK
z(#Zf2WveT!9O?tXbxsQZ*f!`?kj6n*#t67(Iqx4|89GL9g|jkH_Y>193l*2u|7+|*
z9YlR6w#Zz!$gc9gUxxbD@=zRNZm;D}(SJ{p3jh7dNrPqO|Jt(n(V&o6=FyK__P_t|
z7kWhWL4@{=UO3G1E8Bl<4<gVB@~lXWSo-_OzfUszLwkcr-yl2pU)$l|0l#jxVmJHm
zW&S^2Fy+vG@&El8F7*eufrC-QoZ4IVqf8h+{QG1Qqi!M*J=6BnmPLisDHHD3+9Slu
zgJ!<YbY1fe<Jw**p7#SM;NQXh3srGaiA}O-w3&hYj`*Y|zFxHwx5r&QD)U7x7#d_`
zg_K=KVsXv9divALFOmMp=(^YsL1UL7JagPz$FMcuaBlEvyRg#|*~ce!47ys$9`NA}
z+1^8Lue7w!JlLCH1K(cpJmP3n?ruiepATxNlUs<7Yc9$BKjQ`g2v&RwSsyhC4o;R(
zpRjlyy+j;LVvpV{bG8tvaeFTe0GpF8HvC${>rgduMbUZc^Nq;4<%_}4H+QWXU=tvS
zX=-At3q5--O*8kZTVS)|f1-PzJS=fy?r)hFJ+bdPz{=MAHG#pFh=|DQIS_?#&6eeV
zrc4MVC{ns-!dD=!%M`3W!Q}HR<TyCoRUU7R0Th27J)|4j8}jC6T$SQ_KCR7;&uX+J
zCp841eakdn|DrJ-@n{=m?$-EX%`UbGb6{<h6=Z5^>SU;;sV!X5%@$=kZ5VDoZ7+R^
zyHF+`7mO@WOLP`B<+tEcnVsF;nK-iZ<ab+D&@c8%Y-Jj(BrhN3O>%_w)ok`rXLXgK
z(DJUmuy7%>v$a%9*ZjF~p{3QmO|5mL6Z>RgE}(L$IdYuATW0NOe}A@N^;AKt)w{F4
ze$2D__2;s87L@qqY(_YK^0@W0btiCSWhXIho12Gcb;8TB(%tyEzz1af_|J(DP5l8N
zbORcW#70X^pfX~)tdyPE<H`#stVPYC6LN{f>~bqO(shvZGk4Rvt@NzcI8a^S5xoNx
zHk`3GUA(p~>^RNcmPJ${**ueqY!5_XahajN9d52R)Z*30r!`=+T2YtJbFm~udFJ=h
z4wF!=P3_`mLWhYlGYuJ3GptZNV{`NUT`NC3d&Ct(&8w8*zZ3W2j>(NaMdE4itz7x>
z=_X;oTJ>ksx1fPVmqScjzbDU@NBc(m1*=BenE@#CDB+$<2)nWgtbM!IANAz)<DU~A
z_Z`|$&->lWAyPsz3jRb3tBf?X7G9~$dY}Uy?{}azogb;w1P(ik<Jro>nJD?_Q5cy6
z!inz62J-Wlz5ds9LR9x7oGcl1c0g}awPCxn*_OZUn)yecE`&aJE;L47ZI>Ds>u|3?
z6W6nZL2LoxhW<#)n~CH1Onws8<*!P)+aG<gT<dc>3k1u|+KnD=&t8Wy1$G6aGJj}8
z`?EK^hjoXOn@K=$&8A>=1lQy8Qa#XAJFb3c+r1dRP(Z@hcd}S~toZL5t?~UCED{xa
zJA`wYhlnnA7duG_mdRidUqn}eIoQCS_9mc?m_|Dmm2RUuFA!}^;6F;ok6GFe%>6ty
zgj8{@7gqP&F0qUgB2E}jU=&&<l$AioJ?`#`&B#6P-cI@hm6e1Hv-)s~1=u6V?aM*y
zMjVXf@amK14!->;a7G`l5e7I*GyH+CPjJ6ejrNa!4HQ%`0x5GzI#Om3)6lyA*s&i5
z=s@`669@IHbOtG<TVyHP1=Q_}61TxbW)aJ9&e*#}j`U&kSra0MEpnzdmW{ONH|8<y
zSd_D=-$Sd?J+{bh^9dN7FL%d>gRoHaDyHufZ`7DEaoDrhx53}tuOl3VZC!W@{xMg6
zeu99npneZ8_0Hn}Dnm#x&`+r2m;64Jk)#Sm$c0aMKx){k9E`CnL>y>sIVw$NQG$yE
zqj<zEB#5&<S&yBLGwga^k)uB`r-ugm0a$j~iPG_SfrLV@k*y@-QK$Lv<1+<5<Xq|G
z8^J%G#+Tm!!H$+FYa5+m&%<OK(-^KcgK45m-Bb^&UsQ(AZ<A4z@V2HRx;Ec8!nql{
zSphW7Vi(Q}*4v%%Dd0koZ1mkT!-?9@GKD+XaA6d6Zs0zmyOpD;MG{cyJRdB-xHQY}
zWO>M8<wRHFzCysRx~4y5lIothV;b0KluQWT(!tsckD@l1ex-7^9`6!PeJ{A|L@)Rz
z$EglL;OecM{I5IoB@GZgy6zRHq)&k|WtTZ^u%=eu=4JKhH13$rV22GE2((w|wXGm~
z7g&G?9(Kk>4H0T<&=;6+`@BB#>Y-36>EG~{NsBm|sBRLqB_JHAL?A&(vKOrZAV9J4
zAMJBkZR;mU3pK91FVH)efbitBfzLMcN7dTgYGmXz`7;?CwT|j_Tg}Hp*%qH{K`)wc
zywn@}+$y>aYKJ2u33xs8Gt1lGX-CCi-h%ntEF`BAGcLCK?+sAMEy!yboK%HLO95A-
zA^s|@a-kq&Wkb2AsP@?4!RGNDH~Mv_Vup($_lC9s1Tso8n9Uq}K`UpG9=lAjJi5Z@
z9IEfA%z)H}Zr%`rGOZskNw#z-x89WLbO+Bbx$bW_;2-S#>s#yk4Rz_SMk8+O#}W0H
zYmGCPpEgxF9EU0N+BGUw>59<;FogM>DGGgXs?|QQJv^X$%X&w9xxbc#(&iY13FhSZ
zhV_Kb+Yt{*Op`yo?R%b`y63dga&P5vC|dQrn__pKRm4~c8DQi@bfU4MI%xMRr+mpd
za*VN9fm)+4C1_obcKhyR<|TxPz!u_zL{~T@z6V~R-0#@WBo|Wy3~OK7)ct|+yz7${
z6ShMtE@Ta`O4!eGx@x^%CqE0rZ{%FMTz;{fqSR%e^RM>wx)1$EAH*;>nS1u}eL=U(
z5<`&DCtPb)Rc6!tA|_kzZo80wIrYC>0IyVTrTAe)eRK0O8(KY=IaxG)t-5bknLm%e
z>6!!>(L5l84JwO#yF)n=3Rk6r^U;t%XN0A%kqen}k`7O><fdR4@jAihdDj>`+feU#
zXS^m{g`HkY`YjCCvau}~um~fxY~!Wtmu#y|N9Oo!6j4o<g0KufO)xN;vB}VRXTj)=
z&Jp<JGkErZ6tho10Q!d0`?Y@&bzIcj^7gbnqv`qlQI8RhZ7+pWQKN+i)}HcM{T~bd
zOFV0v#`A^Ygv#7YdKJl3JMxV=)usYuK5%$zJcsu!#0b83q;H@eh3}9h#W*+-kVs{~
z8}_TO_m}^Nc8+p%ywWc?G#ahrAwB-9!_PUP@l^(-wLZ8?A%F6|kd<eN*+<DSW+7xp
zsD)sUkuVZo(xEOBm0T0&ZT|?Y@>wVt(^@$@b6xpMgg70Yk*7(X*yR(3Uxz07IDr>v
zgP3_kv@b_|nzTZZWXy9rdd30`-K8IFH~9eStqnWLmYmpULPbm0$C9a$@BeI7`mOi6
z0+WL;K!NWr@bety9g}iD$=Qqq%!KDEk{)yL+Ra2|9P7Fpwm*vaHkl%>wkieA4uFS-
zQQ7`Qv2an(hwnIOVigD>{#S!xtUsXM%!86gvekZ_^YEVRy{a5#8Sn!Osmuogmrv7Z
z0L+0g4!Ya5s>xA8vYUWll*)U;YF^1+@_u$N-l^)qo>I{Zk=qcYifyx1XRzrN1wF-U
zViMI{WnJr`5|h|K{gypSQPAED{>ta8CN|Qn)M#v?68CL`)?S-?q<zd}G7Fc$28+kv
z?T>3e8a?p*Pi&6Q5ud?&r*@g%F9E?{uN?d0SSv=_jKdP-qpLQA2&9<%n#G52NI3T!
zEY}@z^$mH&Wz+V@HN8UJ_p9TJ1A}&ThERCud!}drO#h49{Va3EdLkPM`Fu~vu)3eB
z7Ti?Kk)OD)kn5o5(M9exv5||%j0M1#yhCLRplTPVA*s2ljJZH7p$amLh1=WbZ|JV~
zRskP{7e%Oax5f4c?K1}8tt(57%@Qxz$+NCc8I>8z88vC;{N4$dnqA{=y@sBR0RgET
z#y{@O6wA-nJRdzdE7LaV!;a4>Bzl6V=rStVmFfAFo27}1bTUs45bz=k!nnuO*PxgU
zkIL8*u-KLy<vfi=-WDn>N;$*R95NXTD6Fbu<D_x<H$=oW``|{Qxom5z_?gvv8m1>4
zV)yYf<N>v5Vuq?!jqufklr6<=?+<!ZyKtV0Iwr+#&<dxOwaY7M8t*qa|FHXU+3O!2
zSlGlRk)?LA1N*iSBuMCDehzQ%zSy-@niOvzCd_{|Zp@HDZ#aOzh&R_3Y{HP&tY>$f
z7ID7D+G}Nz<585n!gvHF`3p8$Eg$HrKL@%Cg9|f{Ronw({=7V+G&K3aqHyi1S<Dp3
z-WWwTt1y=cnjWbPx77{QWy@gW;jJ8({WWM0sQXQty4gy2xLX7fBzd@ub9rRk9nL!|
zpG71t9p#Pgf_qc@PlU5a`%(I!ckalY7fi*S&AC>%nR)5q%1q<>UBdCPV9}DAPG2R!
zBQ$_%CEn}zVu*4CUO@Vb1F$d8lFPLl?-jMm<#swE*n4&tfW^i|yYjao-LwI+w$F$*
zaieJLyuvKT=QyhU5S3qZ8!aZ?ytmH+4>djh7#=Twa2`<}2su*PXT&f4DKA%_ws)H@
z$8~p4y*4BpJ%eUn4xtF|W59CNg|O?49A7wi%aI34@>oq#TTr#wkW&QZx2!-DnQo>i
z=I`{VZ~~BKP>X~=kea1`Z!`D5!WWP`M-TZ`uSf1{*E|^N=GD*EC)GVwpGHO(gNK%#
z;4T`dJo+VezFjb*{w%cYV`Xe$+}CQg%Ng{H{I72s^O-x~U+>$+c`T4ves0p>(@Fjk
zoZp8C#$79v#Vl9IHiVXK9pL*EKi=D{!E=zvYab0Vi!T<)B_F#7C)7qp7JViypAy=X
zf4O5n^YOLez1o+$ou;+E_w@_G=zr91mS*H08B5}y8_`stcfEb4CCu)3`_dL+zF?^w
z(?1k+{qFnIz*s6hvs-vChT3?4xT%Az;jo@roIeo|JpSyctfzw#W^Bj`jb`~ja8D$1
zltII6w8eh<9gUBhf<3|Mm}I{?Ju!2}61^>@*=P)^wpBLaLhu;;!Z+St>dT{5H=OOZ
z`ydK_z(T62e$DA=ad0#YLeU!N@>>+$e5cY_Xqqv6e`$w*pMwAzm9++`J7&lSn(t1z
z+PPya;uEvm;T;VQC2;jPjg}o)l?@7UUE1MFe9L2Pp+bGvmx7;4sD$f}%4D~h;bj$p
z60qjA>}Yi$85aLdpwIKje4+HfBTnmbiHCZExhA#!_GN&-5al?uT-2b+IQW+;nMF*4
zmTPaTDjgAX4NF5UGyv*C3-~D^GJxf(Q;m+Xy}PEsaNgbFGG78TzpxiX1h3|_)M&^K
z2d(TU7Ee;mWxC9PjNg#djK#&RL>9dkoRMWMv`bjk7Z^Hf7jFe<{X!{JF!iBAsFA`|
ziHektK`?dL_FCFb(IpAI-`n%S486rwoirpzsmv&Yq}OHqh_x$YF(yvO38HToKFSu>
z9iS_x*KjCfk6-{nsw2}mMuI@wV(J%rogI3*^|u~Y1Xu};t8Nh!&IG1@7F+jPHFuml
zvGF(jO3LRMJvpwD&AvdEy|41RN>k<`4&swev}}5VOCkYr|6_mPKeXTsw~FA_hQ~DS
zARtPqPtc)}#zf9$)T0lahdlH;H1_2#IHijCTpUlmvevo4&jbn5yjEPVgI9bytsG!q
z3Z{sj<eQ7kSO?uH=-*MO8kL_w`J*5%lZ(13QK8M*25aQ%2A!#-b_E-y$xrJyG^Q=N
zJI|x8i@T#4y45p6lM2$Uf|t98m0UM-29Ug55#5yhKGj7P?1+Z-)#s$Mx+<F&?aI^F
zct)Kar{ky56Pe=g2~IMS%P|8Sdr8TszV`CY((>A~Y6^l9&W+q4)C!%;CCx_h=}+Cd
zp7!lL;`e6$Kf@wy&fkrhJ_k-~v?4WY_YpRv(MU*Ru~Cfmu5tX$z>p%nb4hFS5S0}B
zL=_JIepsXNK~8Mwpq}8~HsWld!<)^WSq-4khoVy;%=A_V>FS%8PT}VT^^ArzP_Ln`
zSd<)aMQ5qv18a2mjaEF0+K{m5;&p&7$0-haXyW)vHc9XbwaD_maJ;a!t`y~_az}s)
zQ9UWar*VO+u((}BicXB0GNVV7EajxNbA>)yIV~`K3dOYQ@Fbi2Rfvi%Ax>(=;h?#)
z26q~a29MT*srS<f<2?gRE!bAX$q!Z(13{V4b_6N0x$|zyc_kkwV~%PM>O?NDCY0yL
zp{As!dg_aE341ifqA}Bpeh9+A;YozXO@zsSJKmZZ8dO|88wLH-`dv;T>?=i*P-KZN
z66B-&f(mS}<ca1ZU3AxR<d+4pvw$OB`46aY(H<sfyl`lbUre}WlugU{Uk1=L%sbiO
z#W}n<d2zp#1-|E20~O&+6k4<EQK^ax6LIFCq7#3wWGX+?4PczX&+dTRj_E#aq_9?O
zLq~ttY&2!Nwk-Djz-G~6CmSf>8&saQ14hf0*lN(KR1J1+czkY;dIW{z=y`p$Y~O8W
z68-q$oXPHfSjA1rri*C=k8{J7^<M{}3T;36eRB~ia{k=ckIZvLZM7>@==zi-bVGo*
zyIK-JjOjZ55@gw5NfO*vSZCYx$G=Fe`gBty2ZVEFepl|1xvo(x3o%aj6G70?MbO~5
z%gWWJE=WzsqKe3)K||@>FdtzJy}!0=t4@ERZI|c#<)nv2P3G#fZT21f9#6;e@keNt
zYzD8Qe*|*^q~SJfn5^o8@1g?hD2#0vf0ZHzG`Mn5n6dwzu|O^ze7)d;3bIs+_5AW+
zA}8QBT!q%~y)bQKca%YXe(TaNNyp}t8E#q5PT;wZ?=<~7)dOWpNp=NFk5g@!u2l;l
zlw2kC5cr>L01TebDaIr!t+&FG@Q%or;bi$qJ!((603^@Ul2AG!>rf!8K)zS1{C?1;
z{pah5&@V=Ncw|X5c11%o*qM53M`H5h8SK{@tBli>XaT`s<u8^_`$19xTt$;5{qKpD
zw~$L?LNk<Qd`Pk*K{-%QuTHS!*VEea^7hS%^qD?+IEUEpvW<s%$MCG<`#m~)C}tdz
z8aqi<D-0pI(5|k-VSVPqp-<ZzBJO(wi#e=Q_~SUU_>UVGd2?nOTThN8HvXS&JRbd_
zcg_PR9L<@}5aQeO?TO|-geX3lEyFT@+Y9yt2&S*=ca&87xSj9+O}4Iba+8A1#<Fxg
z%jzAFu>C8TsfD5W?hRK&LuE)AVRXlzuwE!>?MK9;X(i7UmD1U_)Ay1d!|sTw^P*5P
zQmW$$$-z&!0TJG$W{yfiFRrMn@D2`I%O0rk8(`YJ(%;>I3cKk7?J!^$dQPzF7bco$
z_R_NckOA^hwTV*&^uZH-ieVeCbsS(|e2tk0Wa_$2{mDR;OJVKiC`93trM7U{Tb0#C
zK<?I!Y&{Em_MA&coj1j5fhQFQRnGbKke2))I%`Eemti|DOP*PU1{kY_X7zo9+u2jQ
z2}}?Qxf@Z;pj7^2sraOR_B7Hl?tha%Fa$oQeORY|_B+YyV>aM=d0205hX-O4;qbyJ
z<Ws3E*Rf6G#LXz6)Wlk%*T#0QvJU8tJuK>o+#<5}KaR(uXv<0`t@d$31+7FU(%CJW
z<s&vp2;SZrco2(x!}vhr@sfhp(ESoekhZO8qd@&i#1-|vJSI>R|1v&;GEK!LEK+Kd
ziJQXrdh3v5CT-YSSYW&o2urrg0;=dH73On`7HGW66Sdm(ZMJ$^tUis?$-LLitZeHT
zZ(KG@z$t5PW)%;TSHyd0bth)TMIr00{dMb925NTaU*DUMraTbWa%!rblV-ibjetx_
z;b;l^#{mdh98kO5%va;xE-ZwhNm^W|52#`%$;!Z-tW-BEtzms?%tgpg{?9z_+K-8%
zOX$Au_+rZ~9(Dbw<eEE>-%?Mo0aACaR$Y%@<AThiLIEAXM0MTCd6E`PigViFlqXog
z7P|m>PD8>yHge!?93qnr2|DpwU43uh4y`C{a{q!ka4K(y@Z}bWFBx(|l%DRH(`YKj
zsSE7tM<2QZ*IO#SD)73YCffx%BgT6Nt2;aI(57x{f0|f27?C?BH;*n8wzQ0$Sv+3T
zY!%Y2zc~FApbwX55Qa^7B<cxNPi42Z%?z{I6v}%qT+KB4br#2AiG>l%-vk&>;#D^$
z@Ff&mq;tg+h3{l&DcLyfxHnzdErE9byu28lMzp&|V@-<O!nA^SxgUxgOp{L9TYNu5
zM;f;WlohZ^EccRqb9Y|>I`RW7lZH<sDF9fB+b@c1%`_hXMO}IJg15H#0_%Rj1hb1@
z%f(e-akm86@-!=L4?2sPCZ=ifBP{*P@}i8Bixh{|+ImXKTiFK>)%|Gg_I?zR>9rZB
zSRgf3!3YyggU57xp0p^6P9g1{C2oM7bcIlC9!>TtcPPvJl)}u5X#84*=rqO*W=*M4
zbU{T$9@eSAyUigbJrz=mQeBTR43QF=5nHT=*6RY=Uyp3_d@r+MSQ8N(XFZqW=kZD1
zH#F;~a;B~A&&a-Q<Et-oM})traQ7%3Tvt_aTA)?VQ20B;2^;O&l?&xl524i{Q&*tm
z_@52*Ivzg9;)$VDH^rRWjm~_Bt)R4ek76oo3IAU;PAW;$hV`*R`{(ceCuOD%aF~#8
z0v>H=<oJ~!dRD6}6}AuD?*5Kboxj3cY1Upc<X~?~XpQ5OQ~uH5t&-Ddd~o@N)dXez
z{&^sG5Q~_xCm!Mz@m$Yq0_V@t$aqGXn=6#aYfP4gMD(ykKM`A*15OZ1Apw1)=J)kH
zn`Agq=w=a(8OT19tdIoi8_9}|#`@b2>6enDEDKJfiCZ9<aoL91mBlWR)YA|yRTP|<
zmj5aY_2ilu*KzlVeSvo^LngGK|3mrHQgXiY0dl!YiIb*rQRf06_r=B2?}ti+7$!7D
z=BtKiY(9SqdXls4f%0n~E!WVSX&2nWEamxavme)p^dK2^2IP#$NR9FkP-i(h?9130
ziEZgZ+X-JB>Z}qNbG11y`g0$_esl7_=}&cNX0A;8o9N&uM!cD9X0zeE1g7dq0)S8T
z<y^ITYbP|PXc<H){91NhY1iTR^UPKfz#=w(?s8upYe%*I-VU$)Rfx;%Fh-N9QWrR?
zko{*lE%A}`YN#B!M@sxnPa5?g{&r9mo767FkQ=xgYP#=l)FlZ}rXEAmk(0y%=2e7Q
z%TiEM@p@pAi)OEgK3sfInYl|3+{p*PH>;zHXezBfcfsEZyq@BmvN^(k#yJ(PyMdDK
zoeI-roGeT)`;e+Toq3g56FSe^W<0}68CPAJd2~~(@-5OJe?BX9Mei<FfP(D$ZRNSW
zvLC;)6?e+?v?%wW*Q7J1*PnT8f8uZ+mtpfeOFR}+JB1?RjuT~?+e=H!lwIyFFjUPx
zd~m>ZF|-EOxl%U0gN9tFt7U}jlVNC(S2%lo(Upf%f=MjI;STcJ_R6s_zTfibL<xB~
zSxBT(1^3o_^1%DtsC+ZC;JW6>U$R@7a9{C%tr+meD9s5_RW{#k!GchN4{vD=JJ@D{
zxSF%!URlp9a3SpNvB(_#j{EZB(RGweX?eHefAnO2fO5Wmk}vs8-`zr3mb3BmWIN>b
z!jZC)UJm&};u+G2Qe@wie5x5hCGEO9DA0P}A}w0Le=SnEILJqiLw}5*n8stAfIqap
z->w#&Za0l*(faL$u(GhheM0vZ%u-svj`SUlZW)6;ziacMl+l3*-bW1mlkDk<Bf;vf
z2fr3Bc{VtRL~lpS3T>C(YGm%uAD#J9oXEF|{<#0M-97`d3^FHI2*|dD!{1jGG-9T-
zvA{<ql=o9qN^|L;(k&@t5#+Sl-lOq))1wqA97{$pIzbB?{w6@#JZN&MS+Z8O?R}+G
z)^H<3a=&up=Uw3;wo5z)Lb;#JRPvua_sfPwrp{1`(-`G9GC5ofj!I>NW?~0jq$;;;
zkejEQneBrpnmc1*sZ5e715UTT^<NHcRg#BG-+i%iIsMDSe7rs*W=JN1k<2OW%Ew7p
zVHP5Bjf|h@)ZBP$L?VIw8?B~)5$NduEzGhe6b0n$2Q6fLTV)vEBEiYtu1IarB^_im
zuzFkh*_}@aJnR%I5q<q;!~kt;3L<W>{TCa45bomO&s5+-JZLwE<2czOWQ#<QJmi+7
zd4U&q(#8(J^R!a?$lv3oV;tXK{pfOnKLQv!QLXrs8(=hcNz#+pCwmAKJ$w((L}MH=
z8_p!(Y~q%iQukIv?nBiMF&8|kuOv)yTJDca?__(+^(jv?+|(tChV*we6iSJ#o%$XE
zEW{1TX7$R&N@$R;<w50i%`??f0eXKj`VYb7o{t0^*qEqQyU`UhSZf|oX&xm(Pv_I&
zGCzf@Pfx19Vz0*r=mcJTI$%S{v?{&CY{I;vEo<X0x+R(AGrY?>4hL`X3ir*x(Lgl~
zUf&xMkEXF8erea&*b220Yd8)y=1i$92DE>nIYgLuFF$ndbLqKd-xVG;i3NOQ4eB<e
zsu7y|F=2G_;U12HmL#Xlh0YUt&6;X+Zx{-oc<X@ND8#WewDx)etN1?I4s3u&=hdou
zB2fROZ7Dac;Z&5hnlXY<C9^^es}SG5k2p)^jeO<gT1YIXVvPSpv-Fp?^b?LEHwTUJ
z`jtwvSq@Q&uM++gM2%aIlBQE4p|Jb<M3Z+VD_ku85&q9vYkKhHv3I2>oIh_gsL3g~
z^*vmHi)@wc+pVONm9>i|fT-O+;~oayPoAJC6n;pV`>P+l)gS7C*5*T4DX+zG`P;iT
zW_Z*=>Ryb%-~G_qMDuDUQ>1?)sQ3GKBFKCmNxYU$?!aH2?<x2041qL+c910e4;a2;
zSce$$oyr&*+YW$-PbxpR#)Lf<{$-^K3BB=+#}t+VR!9xjUaya^d`Oleb(Y-j7gilc
z5PvJY_pzOf#g*)nojBln!&{Xpp(jeVQq<L?qp}bYeSwA6iG6G)NO`2`4qqUg*S_dM
zJOI}ZH3f4j`@P8N*8o53iM@47&%MC9*o6Xv4-`^^0R)$^p}121AqZ9A`7X_iq96N`
zh(X)=l`JxvYd~)SQ*L4YpPSr5#qh&-%|I$xX@7Luh{{^u1(U7ckm+fJczM+d=TE=C
zO9hDSTSD*7l!$}9w;246xffn<p6Z?-CuVYm4kd#@7LRz)ej~+(E<`GPf{=%)$cExX
zG94?LI3C@kTdlT|-0k^jwjFpD8y2gt))%$R|L<u0jM~WKNdq8?lqqFO8&TtPfQM!U
zVG1U-w%zl43zWShAM^P~IvFLSFv!k`z^K;h%L{W%n+d^X(aY?onUjh~j+X0mm}is@
z2tZo4#FauaRruN*1dbx0<XG_mlB3Gvr=H?Tn}Lt6)<#}WI~(upgSBq8FDO;|+#sLY
zIWvH{CiC|mf({T?D@Gk9;eBT6psA7Mq##RDwd;*D=~GSZ%(7WLw^{MJ6l_I8KclBu
zu&`B$t<*FlJD7i5(fMbpvbI980oL0;tg19>^vAFvf79Srz5OVwV+(q_!o~TT!CR8c
zlqf_fpz3fmd9BnBt{Btf(}>m9sgXDSo$$|_zeeE74n-QO|A9nFy9VriIbfz1^DNJ0
zBHF*|?PHCL$mOc~Ik2{W^%8Ut#=X7etGG1S=})IMMd8(VxhAEF=5x*Nf1x>x(5zg*
z$BI-wD$byO&>(KeIKa=W(Z!c?u=<J0UR*54p;9Y(_{t^|ZKmq5o055a1EJIzE{3A1
zlX6o@3c0byV?jm2`?$C+=dHmSQG;4Rp=2H(4_lYC`J_DuSv}3qdc|a$mMX13`jyR5
z94WmQ^Q)GgzK!bU90(?PFRvVX3&XT1^`U5%V!v3jsIrMWZgK|)Jz?iMcMjmSw(`d+
z`-AZieJWGBS3&&q)qVm};HHrK*>lv2z!SK!BTGM~gfnhQK(ywQ-)nsC*X(5}F<e)l
z{zlnY@?eNBQMU5GQIr{oG}>2+M>zN#OyMy*`Sz!7j^(<Pm81&9;X#7vQrj-JLw;Ay
zE76)=zGB6qkN7jI0%u)Tdwk_Art72NTnbefv`C=%euK~|>afO0J9_nM*2y^pDPZ%h
zawL%wRd(;&bW#(fz-WfcP3LtBq6uuv)<3Yv*DM+JVy=h7DlMu!Mw!-0ll<ZKY{w*I
zyd^|7p(iXti_v+cQ=PFwH6@e)e}sc0E_n!k_qmi1_+06EBdX&#GR_NcQyu*fqlM*O
zm~>r8tF)UHly_$RuqaSc4|kX*sHc2RP#KB%O|s8qME$uU^Wbgh4L$`X^PrzW;07hw
zaS&IeKDK%yJ~4x~y=kTnnTS8=Y`dIi1*-glkahoSj+G+>V}l~1KNG!CB5b<Xh$*Uu
zn61)GtF~C$4ds$5Eawr{?_wEHQGci4m7F1O%<cIA0nUrn$4WV1^u&O_=PG>TM0&T-
z<m@tmw;MFTRJ{K?PIN?{U|gE)Ui<St)pbpt@eg;U#fp7p66<G?bVOAgijz15=c}o&
z9*Y=^iukeERPNw7OV#>41%lsZPffP)s||O^@O39S&+*>S1dFTnwg-t)i8Ro>gH(uV
zt|<2FI#~HPYB-lF&AtRrVo_?Z2p<_yQ=GguxG&Ij`TM_Ib2fm2kHolIei}U_Z^>G@
zdq&E&>X*RIqi4c4&OLul#4<pX=GCm4SA3^L;c_kr2_9>@HBMEvnBq%G@`lM;0_ta7
zww~B+NVZXl+0adQs~9TW8MaZ#Pvi{t`Vj~=JOX6w@UbVQDY34Tkz%unFw7G5{jT<4
zd6C<K`#fgLr@XXTrxGEfX;4n?F(^mPI1V61Nsg&5t3~6jLrwSqDK%deC$YZeGPru+
z)gSUrv9E@LV;jWY52B8UxSTswB#0+mZH5^6aIk1(ykQkf4ro$shM4@(wfzmK%yc@9
zKE0h$s=_iey2PlQDI=90oAo8_nWhu^%TS-aD<<R(IILh7>)E*F-dVdat$HN>?j>1b
z4m%~EcDBeE{hIF}tg!+;nRF#_8668anU&4}(~gk~dOJRF6OnqY(4iR@iWR8cVnC4)
z#dxs45^{b+0}d&Jou+D^xvFJ7l(;zqdeiIO*(N=~<soi~708edJ`p-hZ8clDZtbok
zP%yN?xFR&>ZtY<<MXRY-40(pG26@KG_=`{lCn*G|4|(K&N6OIRHFIFz@KODv_p~2b
zGd4$?o@sOZ6@C8soBj7QeBIVuh)CEez@@L?GdMIH)*rEZt@!ZpCxHH>+Qe;w|Jl_Z
zL>BSty~x-%O-1np-(1G7%_kLT-TT+oLK7h^q>DbCCVG4j|9G!pQs<u0_Cv};9C1Mn
z`Ow||)E<o?;M#7v4+}HHLSbFOEr^|P|9VrjCogGY0^RjITc%B%S~!y&APXsu5$(1Y
zT~r4n;GvbMy62(oWe&;a0?7BLKE}rHzQiWJN?<m~5`RC@GC3gKyEaNDweY`+m4J`M
z!O^K&QIn3nLiXXY$(lP#$!B97IrTiJW(?J;VDcz7j4=!>JQa35jMVc;qtfbr-){@h
zP*MpU2yZ5J7-0toqAh`GVSwv-Tm|U^CQHaNr3Yu+Dg9Q4P>H8cjOe#;8YEBqE3;Dv
zR8FOg>-~Ovr!p^oBy?<*Ux8mTtO+aq9W(esdI?~=lLh~9zj=cYDk&nQ92Z2NI3Z;3
za*ug<33p@j9=|CnL6fH7{gi)nG5LpV5k@33YmHmF=g0*aViv{-Apmop50&Y1#BppP
zKhM#;NWCSI23w*nk!-0=ks`9zPATHqEJuf3`I)QaTTtQbJ)G<`R+b8%m}~!t-!E8$
z`e*<YFBAQfp+Git!O9eLB~+3E(eIb)s%CU*0P~}^TxUx@1BLp@c$h=fQ^G>pderpv
z)Euv^QVf^bp*W)rn0%u*5#Ajsw8i^{{7=xm$7h8JGWN9xLbeCKGo7Q$x|q_BlH~GX
z3?E&mcQ1F&w}1t-puNYGSft*GJGkhyt{EI&Cn3&+R^OhWcA>lk+Y5Vsqx}#pUB=VX
za14+bG2R3!t8T8_^j?xER+_Gp-*d@D?A-lM+@r|t5z1IE`(Xl_kan<2Y#NL%4W!vd
zb90DnRNVsD+@YRJN3rG}8ZX}?|K7hc$3o^XGiFype4ahJ9xCFnEu}m*|JM-F15k6I
zNAa_?irb$OJ`G+(+#XM+x!0GHY4nR8&OZp$&KJ>UgSW#}+mDmx8C7iH^~;dEV}e_0
z|AnnW8H|cDr&Gr!zTZipXrMwBz7i|*rvCEtJ^vXNl-Fb$jjTVQv^j8RE^gq$jKu$b
z6()-Oq$We7z8~Q}C2v3wt^OIw$AWyaO-V62;E+^sxiD{DlKia-H3*BunDl3Lb->|(
z$ZIrOU9Z}&Q^e`ATq5;$jZc8(J!k^dsgP{i;v6-&EqqE1)YIEti~C%LTHPZ4VVjLY
zXjmmXmbOXd!TyNDV`EKOe%8_~=(~~S`TTIC5x@w`XN4*>=}AbJeTUAGenO4m2Ua-U
zMCy|;WPVnvbO-2`HBW*I-6?v<0{dF5G2{t(1FGKAoK57&6ye1AHr2>GkeE(!eUV?i
z3kNr)xPF8ks#rhHTM|X4Sn_Bw0h8r#d-`kv;+LeqJ&qz0N#<#>m~Xd6tXo>o^z=W%
z__d}vu|o5PsP7_D-Bz12B|{C1DR^fuW5o{mlsSoka90h3t{=`xej9;21{ZMxCa0y1
zPE_0ykjr-FBn;BwdIIkb57pM3?4yzomPNjEX~S{#e6HA6ysIYKqC7J^%64M&SU<Ws
z5!m2gZeI|x8+u-@G=>a$Tm%5{7Xv^cnhe@T68n~+{hD7&?4Z}z%aWVdzcG7+66XYI
zK6vmikH81C7cj=!i!8}a?`65^PW!j1MW{m)JSK?A1u3ha|9p<7gs1zQpl~;Zqo&|u
zt6<&FgSoqGc^f&jhf~97j+!`b=q};7k3fL4r~(XHu+8P{H9tMbp4V1Bb@ODSaa5@u
zaV5A*ms;g+3>>OWnAan1gqfTo<2m`Yy}E;w2_<r;sns@FA{7!R=z!2fDtn@z2x&Af
z+)e~+CL7y8WZReRkE_H1!MC2(de3s#581+NhA^&vzme**F>Z57JbLNV1SaAHc&#0n
zUCyWCUyT3tu>z6a*7Zl%CZU;DIWorVSz76i`-VyZL~P8}`PJ*_Tp3kKfS12NlZpD{
zwZEx;@SSeryA@qa#cII^hf#3C=#X&+R>~n^H4SS*2EOa~H&(`e^v<{x#X@DIG2+ue
zFlfbVb~FmC3PAZ;{Pj~YLAOVvHlN_$;I<e+LD9tC{;vsuO0m!A#wyv$U@eNIlS7l|
zBeKg0Cvh}W%HoVihB4^ZU|jeo`r5CF47Tgf^Ypsr$km&fPfrZ;H2(vS+J1N!BHT^l
zqfUM6UaiiJzkj=y(1r;!jfWaR9x>V1W~3WR;Zh|sJP3Q0CnLMmenUusM9-Zk36d^G
z)9WI4ev?dYp-+9$B%8`TG?wC8m&#|~;=L<mE&JOn*GZNu;54UGtN{gkr@QaDK{3`d
zdsf_~bKOT$E)j)#IBvEy6HXr8Y*wC3S;v(OJAnAW9Db8b+jWCf_e+~m3`h9-5EZ%d
zA8L@8oi`ulzF#*=$D<0zSES9?i^9&!41s?qL5%I4NxWjCn1J+yij+kIEaM6$-@c9{
z?I%9*la%xE1HZ`3KUC|l)9wjdArcpaEnCaO-+a-caz9!tXN2EZQId68#&FOz^2q<r
z`?@O}7R?Ozjt3OkJ;Rn{SZkOsMq2A%P6$$t-MaUwikM;Xlo;5r{}EC<^(kb9wjpGR
zkL^Y>;N1P(_aj;V8F&KC?04@@@2>|wio>|BiHT_TP9hzw-#?a?mybe!=65U^5RlQN
zVE~C`GdeYQ_5bb=sIKGZ8{!sHi8uOwSyR;CJZ9;L-)b>xj=1YCvY%CN^9_>rw1KBD
z?4$R=F89&jtaEdORv%I_y-%fUCgP~&OI$vX^;-t;GDF%>_bC10ghreV&nsPf3M@(O
zg){LCabzL@MmhUg_!gw7Vq_&kWet{|9V=hJqjT)s%On3#`0>%Y?6H>QH{%a^WSSi=
zm@9>sAaJ+QyqRb5XJ&7xFO86y#e@VR_JG<eQxOhxO*XmS9OM?c-Vql5(AWQ4xkE#k
zlw!_&&84gAU4%}XiR+~<8{LiO{KjyPhit$ngi;H8D7oT)6$35M;<;KnjG0Jl|0w}#
zenQm&bY(STQ~$Lc{w-_f*zUpZ@-J`w@An7aLFEfIRm1G!|FspF|CKLXL;h_1CsiOt
z_$y!Np;;#UuPv+MuY6%)#Mtj2Nc>;<0v#z-zVLrv@c)h=v_#MUU4u~B(EtCN#OD<S
Xyhrz>u<Jbg2Ktc{l@qA|ee?Z4_9>Qq

literal 0
HcmV?d00001

diff --git a/src/pages/blog/tls-and-quic.mdx b/src/pages/blog/tls-and-quic.mdx
index f4d53d0..284138c 100644
--- a/src/pages/blog/tls-and-quic.mdx
+++ b/src/pages/blog/tls-and-quic.mdx
@@ -1,9 +1,9 @@
 ---
 layout: "@/layouts/global.astro"
-title: TLS and QUIC: A Masochist's Guide
+title: "TLS and QUIC: A Masochist's Guide"
 author: kixelated
-description: Setting up TLS is a pain, but it's a requirement for HTTPS. QUIC and WebTransport introduce even more pain so it's time to be a masochist.
-cover: "/blog/replacing-webrtc/artifact.png"
+description: Setting up TLS is a pain, but it's a requirement for HTTPS. QUIC and WebTransport introduce even more pain. We like pain, right?
+cover: "/blog/tls-and-quic/warning.png"
 date: 2025-07-28
 ---
 
@@ -13,22 +13,30 @@ I hope you're having a great day.
 The sun is about to shine brighter.
 I was inspired by Helios himself to write about the riveting topic of TLS and QUIC.
 
-In my opinion, the most difficult part about QUIC is setting up a different protocol: QUIC *requires* TLS.
-If you screw it up, you'll get a scary ERROR screen and users won't be able to connect.
-This guide also applies to HTTPS and WebTransport... with some important distinctions.
+In my opinion, the most difficult part about QUIC is setting up a different protocol.
+QUIC *requires* TLS.
+There's no way to disable encryption and only some clients let you circumvent certificate validation.
+If you screw it up, you'll get a scary WARNING screen and users won't be able to connect.
 
+<figure>
+	![WARNING](/blog/tls-and-quic/warning.png)
+	<figcaption>I'm sick, so this is the only art you're getting today.</figcaption>
+</figure>
 
-tl;dr
-- TLS authenticates who is allowed to serve `example.com` via certificates.
-- Root CAs issue certificates to those who can prove it via DNS.
-- Cloud offerings don't support QUIC yet, so that rules out the easy options.
-- TLS is hell for local development, _especially_ for WebTransport.
+Most of this guide applies to HTTPS in general, which makes sense as HTTP/3 uses QUIC.
+WebTransport too as it's layered on top of HTTP/3 but there are some important distinctions at the end...
 
+## tl;dr
+- **TLS authenticates** who is allowed to serve `example.com` via certificates.
+- **Root CAs** issue certificates to those who can prove it via DNS.
+- **Cloud providers** don't support (non-HTTP/3) QUIC yet, ruling out the easy options.
+- TLS is annoying for **local development**, _especially_ for WebTransport.
 
 ## About Me
 I'm not a security engineer but I have dabbled in the low-level protocols.
 For some unbeknownst reason, I've implemented both DTLS 1.2 (for WebRTC) and TLS 1.3 (for QUIC)... in Go.
-Both were undoubtedly insecure but somehow passed the security audit and served production traffic for weeks... before getting the `rm -rf` treatment.
+Both were undoubtedly insecure but somehow passed the security audit and served production traffic at Twitch.
+But then I left and those servers rightfully got the `rm -rf` treatment.
 
 When in doubt, always refer to the nerds who take security seriously and use the correct terminology.
 I understand a lot of the security primitives but I don't exactly have the LinkedIn Professional Certificates to back it up.
@@ -45,23 +53,23 @@ TLS certificates can be used to sign other TLS certificates creating a "chain of
 Without TLS, an attacker could intercept your traffic and pretend to be `example.com` to harvest your credentials, called a "man-in-the-middle" (MITM) attack.
 Imagine if your router, ISP, or fellow coffee shop customer could pretend to be your bank.
 Bad times ahead.
+The fact that the private key is (virtually) unguessable is the only reason why I haven't taken out a second mortgage in your name.
 
 QUIC requires [TLS 1.3](https://datatracker.ietf.org/doc/html/rfc8446).
+It's good stuff, much better than TLS 1.2 in my opinion.
 There is no way to disable encryption but depending on the client, you can modify certificate validation.
 The IETF grey-beards decreed that the protocol can never be insecure, lest a lowly application developer shoot themselves in the foot.
 
-- HTTP/3, WebTransport, and of course, Media over QUIC all use QUIC under the hood so all of this applies.
+- HTTP/3, WebTransport, and of course, [Media over QUIC](https://quic.video) all use QUIC under the hood.
 - HTTP/2 *technically* does not require TLS but browsers require it as a forcing function.
 - HTTP/1 is the lone exception, allowing you to choose if you want to connect to `http://example.com` (insecure) or `https://example.com` (TLS).
 
-Not only is TLS required when using newer protocols, it's often required when using newer browser APIs.
-[Secure Context APIs](https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts/features_restricted_to_secure_contexts) require using TLS or a localhost connection.
-Want to do literally anything? Then you need to use HTTPS.
+But even if you choose to use an insecure `http://` connection, it prevents you from using [newer browser APIs](https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts/features_restricted_to_secure_contexts).
+Want to notify a user when their Hot Pocket® has finished cooking?
+Then you need to use HTTPS, lest your Hot Pocket® Tracker™ get compromised by a state actor.
 
-So yeah, browser vendors don't want you to make a security oopsie whoopsie and thus, effectively mandate TLS
-But there's very little reason to use an insecure connection anyway so suck it up and let some cloud provider handle TLS for you.
-
-...unless you're one of the early birds using QUIC...
+So yeah, browser vendors don't want you to make a security oopsie whoopsie and thus, effectively mandate TLS.
+Suck it up and let some cloud provider handle TLS for you... unless you're one of the early birds using QUIC...
 
 *ominous foreshadowing*
 
@@ -70,18 +78,20 @@ But there's very little reason to use an insecure connection anyway so suck it u
 At a high level, a TLS connection is established via:
 
 1. The client connects to `example.com` and sends a `ClientHello`.
-  - The client (usually) sends the domain via a [SNI extension](https://en.wikipedia.org/wiki/Server_Name_Indication).
+    - The client (usually) sends the domain via a [SNI extension](https://en.wikipedia.org/wiki/Server_Name_Indication).
 2. The server transmits a `ServerHello` along with a TLS certificate signed for `example.com`.
-  - The server can use SNI to choose the certificate to serve.
+    - The server uses SNI to choose the certificate if it hosts multiple websites.
 3. The client verifies that the TLS certificate is for `example.com`.
-4. The client verifies that the TLS certificate was signed/created by a "root CA".
+    - It must have been signed by a "root CA", or a certificate signed by a "root CA", or a certificate signed by a certificate signed by a "root CA"...
 
 
 What is a root CA?
 Your browser and operating system ship with a list of trusted entities that are authorized to issue certificates.
 It's like having a list of approved locksmith companies that can make keys for any house.
 The list changes over time as these companies are audited or catastrophically compromised.
-If you've ever had to `apt install ca-certificates` when setting up a Docker image, this is why.
+
+*Fun fact*, this is why you may have to explicitly `apt update && apt install ca-certificates` when setting up a Docker image.
+Otherwise, if the base image contained certificate roots, it would get super stale.
 
 One of the interesting things about TLS is that the client can choose how to verify the provided TLS certificate.
 There's no requirement that you use these provided root CAs, or a root CA at all.
@@ -95,7 +105,7 @@ If your server listens on `example.com`, then we need to prove to some root CA t
 The easiest option unfortunately doesn't work for QUIC.
 Poop.
 
-Virtually every cloud provider offers HTTPS support.
+Virtually every cloud provider offers HTTPS support often via their own root CA.
 You point your domain name at their load balancer and they procure a TLS certificate.
 But I glossed over something, there's actually two parts to a "TLS certificate": the private key and the certificate.
 
@@ -103,9 +113,9 @@ None of these services actually give you, the customer, the private key.
 Instead, they run a HTTPS or TLS load balancer that terminates TLS and proxies unencrypted traffic to your backend.
 It's done for simplicity and security, they don't want you having access to the keys.
 
-This won't work for QUIC until cloud providers start offering QUIC load balancers (one day).
+This load balancing approach won't work for QUIC until cloud providers start offering QUIC load balancers (one day).
 Welcome to UDP protocols; they're barely supported on cloud platforms because TCP and HTTP is so widespread.
-At least there's hope for QUIC support in the future *because* it powers HTTP/3.
+At least there's hope for QUIC support in the future because it powers HTTP/3.
 
 
 ## LetsEncrypt
@@ -118,21 +128,24 @@ How this works is that you need to somehow prove to LetsEncrypt that you own a s
 This could be in the form of an A record that points to an IP address you own or a TXT record with some token.
 
 There are a few different [challenge types](https://letsencrypt.org/docs/challenge-types/):
-- *HTTP-01*: Host a HTTP endpoint (not using TLS) that returns a specified token on the specified path. You own the domain if it points to your HTTP server.
-- *DNS-01*: Create a DNS record with a specified token. You own the domain if you can create this TXT record; no server required.
-- *TLS-ALPN-01*: Host a TLS endpoint that returns a specified token during the TLS handshake. Same idea as HTTP-01, but often more convenient because no HTTP server is required.
+- *HTTP-01*: Host a HTTP endpoint (insecure) that returns a specified token on the specified path. You own the domain if it points to your HTTP server.
+- *DNS-01*: Create a DNS record with a specified token. You own the domain if you can create this TXT record. The server doesn't even have to be running.
+- *TLS-ALPN-01*: Host a TLS endpoint that returns a specified token during the TLS handshake. Same idea as HTTP-01, but more convenient for TLS load balancers.
 
 This cert generation can be automated via [certbot](https://certbot.eff.org/) or any [ACME library](https://letsencrypt.org/docs/client-options/#libraries).
-It's a little bit annoying because of the 90 day expiration; any long-lived servers will need to periodically restart or reload certificates
+The main downside of LetsEncrypt is the 90 day expiration.
+That means you actually have to be a good developer and worry about certificate rotations instead of punting it to future you.
+That means adding a way to reload certificates, or periodically hitting the good old `restart` button.
 
 ## ACME
 It would be remiss of me to not mention that LetsEncrypt uses [ACME v2](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment).
 You don't need to use `certbot` and in fact you could integrate ACME directly into your workflow.
 
-In fact, I'm using a **not recommended** [terraform module](https://github.com/vancluever/terraform-provider-acme) to generate certificates for `relay.quic.video`.
-It's not recommended because if I forget to run terraform every so often, then oops, my certificate will expire and users can no longer connect to my server.
+In fact, I'm using a [terraform module](https://github.com/vancluever/terraform-provider-acme) to generate certificates for `relay.quic.video`.
+It's **not recommended** because if I forget to run terraform every so often, then oops, my certificate will expire and users can no longer connect to my server.
+But it's easy and it works for now so I'm embracing my folly.
 
-I'm also considering using a [ACME library](https://crates.io/crates/instant-acme) within `moq-relay` itself to provision a TLS certificate on startup and every 90 days.
+I'd like to add [ACME support](https://crates.io/crates/instant-acme) within `moq-relay` itself to provision a TLS certificate on startup and automatically refresh it.
 This makes it a lot easier to use cloud providers as you don't need to fumble with background services (in Docker, ew) and reloading the server whenever a new certificate is generated.
 The downside is being unable to generate wildcard certificates as those require DNS challenges.
 
@@ -144,7 +157,7 @@ The problem with a service like LetsEncrypt is that it requires our server to be
 What if we're running our own private network or just developing an application locally?
 If LetsEncrypt can't connect to our private network, then it can't give us a TLS certificate.
 
-Additionally, LetsEncrypt requires a domain name and potentially a public IP.
+Additionally, LetsEncrypt requires a domain name or a public IP.
 These aren't expensive but it's not something you can reasonably ask developers to purchase just to try running your code.
 
 Remember when I said the client was responsible for verifying a certificate however it sees fit?
@@ -160,7 +173,7 @@ There's usually a **DANGER** warning associated and **DANGER** indeed.
 
 If you skip certificate validation, your connection will still be encrypted but now it's vulnerable to a MITM attack.
 The server still has to present a certificate, but the client will blindly accept *any* certificate.
-Even if it was generated nanoseconds ago, was riddled with typos, and claimed to be `pornhub.com`: doesn't matter.
+Even if it was generated nanoseconds ago, is riddled with typos, and claims to be `porhnub.com`: doesn't matter.
 
 `moq-relay` supports the [--tls-disable-verify](https://github.com/kixelated/moq/blob/becf50263488ded6bb26c4cbc3d1ffd14ab11f5b/rs/moq-native/src/client.rs#L22) by [jumping through a few hoops with rustls](https://github.com/kixelated/moq/blob/becf50263488ded6bb26c4cbc3d1ffd14ab11f5b/rs/moq-native/src/client.rs#L202).
 There's similar flags in most CLI tools, like curl's `--insecure` flag.
@@ -168,12 +181,16 @@ There's similar flags in most CLI tools, like curl's `--insecure` flag.
 
 ## Custom Root CAs
 Instead of using a "trusted" root CA that ships with the browser or operating system, we can use our own.
-We can trivially generate our *own* root CA which can then be used to sign our *own* certificates.
+It's trivial to generate root CA which can then be used to sign certificates.
 No more depending on FAANG, we are our own auditor now.
 
-This is arguably safer than using public roots because our own client can be configured to ONLY accept our certificates.
+```
+openssl req -new -x509 -days 365 -nodes -out ca-cert.pem -keyout ca-key.pem -subj "/C=US/ST=CA/L=San Francisco/O=CoolCidsClub/OU=DaveLaptop/CN=cool.bro"
+```
+
+This is arguably safer than using public roots because our own client can be configured to ONLY accept our root CA.
 It doesn't matter if one of the many public CAs gets hacked as long as our root is kept under lock and key.
-But note that you're now responsible for a lot more infrastructure, like the ability to revoke compromised certificates.
+But note that you're now responsible for stuff like revoking certificates if you truly care about the securities.
 
 The catch is that we need to configure clients to trust our root CA.
 This normally requires admin/root access, and can be done at an operating system or browser level.
@@ -187,22 +204,22 @@ Afterwards, you can freely generate new leaf certificates on demand (without roo
 Custom roots are often used in enterprise and VPN software.
 When you install the VPN, or as part of a managed IT solution, it'll include some root CAs for you to trust.
 
-Side note, I highly recommend using private CAs and mTLS for service-to-service connections.
+**Side note:** I highly recommend using private CAs and mTLS for service-to-service connections.
 It's about as `dank` as one can get when designing distributed systems.
-There are [cloud offerings](https://aws.amazon.com/private-ca/) available, and unlike public CAs, they actually give you the private key so it works for QUIC.
+There are cloud offerings available ([AWS](https://aws.amazon.com/private-ca/)) and they actually give you the private key, so it works for QUIC.
 
 
 ## Certificate Hashes
 WebRTC also uses TLS (technically DTLS) even when establishing a peer-to-peer connection.
 How does this work?
 
-Both peers generate a ECDSA certificate (fast compared to RSA) and compute its hash.
+Both peers generate a ECDSA certificate (or RSA I guess) and compute its SHA256 hash.
 They then send the hash as part of the SDP exchange to some secure middle-man (usually a HTTPS server).
-Yes, you do use a server even when establishing a peer-to-peer connection unless you're a freak who exchanges TLS certificates via USB drive.
+Yes, you do need a server even when establishing a peer-to-peer connection unless you're a freak who exchanges TLS certificates via USB drive.
 
 The peers draw straws and one of them assumes the role of the ~bottom~ server for the TLS handshake.
 Both sides transmit a TLS certificate (mTLS) and verify that the hash matches the exchanged hash.
-Ta-da, connection established.
+Ta-da, connection established, ignoring all of the ICE shenanigans.
 
 The same approach can be used for QUIC both peer-to-peer and client-to-server.
 We're effectively just trusting individual certificates (by hash) instead of a root CA.
@@ -240,7 +257,7 @@ It's quite baffling, because you can use custom roots for HTTP/3 but not WebTran
 There's literally no reason why it should use different certificate validation logic.
 Just call the same function!
 
-This is an unfortunate "bug" as it rules out tools like `mkcert`.
+I classify this as a bug because it rules out tools like `mkcert`.
 Local development and private networks need to use another approach.
 
 
@@ -256,28 +273,25 @@ These are good restrictions so you can't be lazy and ship the hash of some long-
 However it means we absolutely need to figure out how to rotate certificates because 14 days is not a lot of time.
 Additionally, we need a secure mechanism to transmit our certificate hashes otherwise we're the major of MITM town.
 
-So in practice, you have to run a TLS web server, often on the same port, just to distribute TLS certificates for WebTransport.
-It makes the "feature" quite frustrating in practice and make connection establishment more expensive (time and cpu).
-
-## Local Development
-So what's the best approach if you want to use WebTransport in development?
-Unfortunately, I think `serverCertificateHashes` is the best (right now) as it doesn't require browser configuration.
+## Private Networks
+So what's the best approach if you want to use WebTransport on localhost or private networks?
+Unfortunately, I think `serverCertificateHashes` is the best (right now) as it doesn't require users to configure their browser and disable TLS...
 
-`moq-relay` listens on TCP and UDP.
-- The server [generates a TLS certificate](https://github.com/kixelated/moq/blob/becf50263488ded6bb26c4cbc3d1ffd14ab11f5b/rs/moq-native/src/server.rs#L241) on startup
-- The TCP socket is used to host a web server with a [/certificate.sha256](https://github.com/kixelated/moq/blob/becf50263488ded6bb26c4cbc3d1ffd14ab11f5b/rs/moq-relay/src/web.rs#L44) route.
-- The UDP socket is used to host a QUIC/WebTransport server.
+`moq-relay` listens on TCP and UDP (:443 by default).
+- The server [generates a TLS certificate](https://github.com/kixelated/moq/blob/becf50263488ded6bb26c4cbc3d1ffd14ab11f5b/rs/moq-native/src/server.rs#L241) on startup.
+- The client [fetches the certificate hash](https://github.com/kixelated/moq/blob/becf50263488ded6bb26c4cbc3d1ffd14ab11f5b/js/moq/src/lite/connection.ts#L225) via a HTTP [/certificate.sha256](https://github.com/kixelated/moq/blob/becf50263488ded6bb26c4cbc3d1ffd14ab11f5b/rs/moq-relay/src/web.rs#L44) endpoint.
+- The client then [connects to the WebTransport server](https://github.com/kixelated/moq/blob/becf50263488ded6bb26c4cbc3d1ffd14ab11f5b/js/moq/src/lite/connection.ts#L231) using the provided hash.
 
-The client has to first establish a HTTP connection to [fetch the certificate hash](https://github.com/kixelated/moq/blob/becf50263488ded6bb26c4cbc3d1ffd14ab11f5b/js/moq/src/lite/connection.ts#L225).
-Then it can [connect to the WebTransport server](https://github.com/kixelated/moq/blob/becf50263488ded6bb26c4cbc3d1ffd14ab11f5b/js/moq/src/lite/connection.ts#L231) using the provided hash.
+When connecting to `localhost`, the certificate fetch can use good old HTTP.
+But if you want to use WebTransport to connect to any other private network, oof.
+The web server will need to use HTTPS to serve the certificate hash.
 
-This only works on `localhost` because it uses an insecure HTTP fetch to get the certificate hashes.
-We also don't care about certificate rotation because you can just restart the localhost server after 14 days
+What this means is that you're establishing a TLS connection just to establish another TLS connection.
+In fact, you could use an **identical** certificate for both the HTTPS and WebTransport connections.
+But now you have to deal with 14 day certificate rotations, all because Chrome doesn't support custom root CAs.
 
-But if you want to use WebTransport on a private network, oof.
-You'll need to configure the web server to serve HTTPS using your own root CA just to deliver ephemeral certificate hashes.
-You can even return the hash of *exact same TLS certificate* used to establish the HTTPS connection, but now WebTransport will work.
-And of course, you'll need a mechanism to rotate these certificates as they're only valid for 14 days tops.
+It's not a major problem once you figure it out.
+It's just frustrating.
 
 
 # Finished
@@ -286,7 +300,7 @@ There's a lot of existing tooling and resources out there.
 
 But it's a pain in the butt for non-public servers, as the whole "chain of trust" thing doesn't work any longer.
 WebTransport makes life even more difficult.
-Please Mr Google, add support for root CAs already, it should be like a single line of code to reuse the same CAs as HTTP.
+Please Mr Google, add support for custom root CAs already, it should be like a single line of code to reuse the same CAs as HTTP.
 
 Want to commiserate about TLS pain?
 Join the [MoQ Discord](https://discord.gg/FCYF3p99mr) or even the [rustls Discord](https://discord.gg/MCSB76RU96).