From eaa5cfef6f94d56344f7bbde02c8c76dacf4d422 Mon Sep 17 00:00:00 2001
From: "R. Tyler Croy" <tyler@monkeypox.org>
Date: Fri, 30 May 2014 16:15:20 -0700
Subject: [PATCH] Initial open source commit

---
 .gitignore                                    |   6 +
 .gitmodules                                   |  18 +
 Gemfile                                       |   8 +
 LICENSE.txt                                   |  22 +
 Makefile                                      | 149 ++++
 README.md                                     | 121 +++
 config                                        |   1 +
 contrib/nginx-sticky-module/LICENSE           |  24 +
 contrib/nginx-sticky-module/README            | 129 ++++
 contrib/nginx-sticky-module/config            |   6 +
 contrib/nginx-sticky-module/docs/sticky.pdf   | Bin 0 -> 81907 bytes
 contrib/nginx-sticky-module/docs/sticky.vsd   | Bin 0 -> 54272 bytes
 .../ngx_http_sticky_misc.c                    | 315 ++++++++
 .../ngx_http_sticky_misc.h                    |  28 +
 .../ngx_http_sticky_module.c                  | 691 ++++++++++++++++++
 pkg/after-install.sh                          |   7 +
 pkg/borderpatrol.conf                         |   9 +
 pkg/borderpatrol.init                         | 148 ++++
 src/access.lua                                |  16 +
 src/authorize.lua                             |  91 +++
 src/config/nginx.conf.sample                  | 151 ++++
 src/health_check.lua                          |  55 ++
 src/logout.lua                                |  37 +
 src/redirect.lua                              |  25 +
 src/robots.txt                                |   2 +
 src/service_token.lua                         |  49 ++
 src/sessionid.lua                             | 275 +++++++
 src/ssl/README.md                             |  11 +
 src/ssl/server.crt                            |  15 +
 src/ssl/server.key                            |  15 +
 src/validate.lua                              |  83 +++
 t/.gitkeep                                    |   0
 t/access.t                                    |  91 +++
 t/authorize.t                                 | 271 +++++++
 t/borderpatrol.god                            |  69 ++
 t/health.t                                    |  33 +
 t/logout.t                                    |  77 ++
 t/redirect.t                                  | 105 +++
 t/service_token.t                             | 166 +++++
 t/services/account_service.rb                 |  89 +++
 t/services/api_service.rb                     |  48 ++
 t/services/api_service2.rb                    |  48 ++
 t/services/auth_service.rb                    |  49 ++
 t/session.t                                   | 128 ++++
 t/validate.t                                  | 161 ++++
 45 files changed, 3842 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 .gitmodules
 create mode 100644 Gemfile
 create mode 100644 LICENSE.txt
 create mode 100644 Makefile
 create mode 100644 README.md
 create mode 100644 config
 create mode 100644 contrib/nginx-sticky-module/LICENSE
 create mode 100644 contrib/nginx-sticky-module/README
 create mode 100644 contrib/nginx-sticky-module/config
 create mode 100644 contrib/nginx-sticky-module/docs/sticky.pdf
 create mode 100644 contrib/nginx-sticky-module/docs/sticky.vsd
 create mode 100644 contrib/nginx-sticky-module/ngx_http_sticky_misc.c
 create mode 100644 contrib/nginx-sticky-module/ngx_http_sticky_misc.h
 create mode 100644 contrib/nginx-sticky-module/ngx_http_sticky_module.c
 create mode 100644 pkg/after-install.sh
 create mode 100644 pkg/borderpatrol.conf
 create mode 100644 pkg/borderpatrol.init
 create mode 100644 src/access.lua
 create mode 100644 src/authorize.lua
 create mode 100644 src/config/nginx.conf.sample
 create mode 100644 src/health_check.lua
 create mode 100644 src/logout.lua
 create mode 100644 src/redirect.lua
 create mode 100644 src/robots.txt
 create mode 100644 src/service_token.lua
 create mode 100644 src/sessionid.lua
 create mode 100644 src/ssl/README.md
 create mode 100644 src/ssl/server.crt
 create mode 100644 src/ssl/server.key
 create mode 100644 src/validate.lua
 create mode 100644 t/.gitkeep
 create mode 100644 t/access.t
 create mode 100644 t/authorize.t
 create mode 100644 t/borderpatrol.god
 create mode 100644 t/health.t
 create mode 100644 t/logout.t
 create mode 100644 t/redirect.t
 create mode 100644 t/service_token.t
 create mode 100644 t/services/account_service.rb
 create mode 100644 t/services/api_service.rb
 create mode 100644 t/services/api_service2.rb
 create mode 100644 t/services/auth_service.rb
 create mode 100644 t/session.t
 create mode 100644 t/validate.t

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..897fae4
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,6 @@
+tmp
+.rvmrc
+Gemfile.lock
+logs
+build
+t/servroot
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..16d3933
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,18 @@
+[submodule "contrib/nginx"]
+	path = contrib/nginx
+	url = https://github.com/nginx/nginx.git
+[submodule "contrib/ngx_devel_kit"]
+	path = contrib/ngx_devel_kit
+	url = https://github.com/simpl/ngx_devel_kit.git
+[submodule "contrib/lua-nginx-module"]
+	path = contrib/lua-nginx-module
+	url = https://github.com/chaoslawful/lua-nginx-module.git
+[submodule "contrib/memc-nginx-module"]
+	path = contrib/memc-nginx-module
+	url = https://github.com/agentzh/memc-nginx-module.git
+[submodule "contrib/echo-nginx-module"]
+	path = contrib/echo-nginx-module
+	url = https://github.com/agentzh/echo-nginx-module.git
+[submodule "contrib/headers-more-nginx-module"]
+	path = contrib/headers-more-nginx-module
+	url = https://github.com/agentzh/headers-more-nginx-module.git
diff --git a/Gemfile b/Gemfile
new file mode 100644
index 0000000..4f9659d
--- /dev/null
+++ b/Gemfile
@@ -0,0 +1,8 @@
+source 'https://rubygems.org/'
+
+gem 'sinatra'
+gem 'httparty'
+gem 'god'
+gem 'haml'
+# For reloading every request to the sinatra test apps
+gem 'shotgun'
diff --git a/LICENSE.txt b/LICENSE.txt
new file mode 100644
index 0000000..e9fbb81
--- /dev/null
+++ b/LICENSE.txt
@@ -0,0 +1,22 @@
+Copyright (c) 2014 Lookout, Inc
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..e672750
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,149 @@
+# Debian package name & version
+MAJOR_VER=0
+MINOR_VER=1
+PATCH_VER=0
+PKG_NAME=borderpatrol
+BUILD_VER=0${BUILD_NUMBER}-dev
+
+# binaries
+CC:=clang
+LUAROCKS=luarocks
+
+# nginx and lua modules
+MODULE_PATH=${PWD}
+MODULE_PKG_DIR=${MODULE_PATH}/pkg
+CONTRIB_PATH=${MODULE_PATH}/contrib
+NGINX_PATH=${CONTRIB_PATH}/nginx
+NDK_PATH=${CONTRIB_PATH}/ngx_devel_kit
+MEMC_NGINX_PATH=${CONTRIB_PATH}/memc-nginx-module
+LUA_MODULE_PATH=${CONTRIB_PATH}/lua-nginx-module
+ECHO_MODULE_PATH=${CONTRIB_PATH}/echo-nginx-module
+STICKY_MODULE_PATH=${CONTRIB_PATH}/nginx-sticky-module
+HEADERS_MORE_MODULE_PATH=${CONTRIB_PATH}/headers-more-nginx-module
+
+NGINX_MODULES=--add-module=${NDK_PATH} \
+							--add-module=${MEMC_NGINX_PATH} \
+							--add-module=${LUA_MODULE_PATH} \
+							--add-module=${STICKY_MODULE_PATH} \
+							--add-module=${HEADERS_MORE_MODULE_PATH} \
+							--add-module=${ECHO_MODULE_PATH} # only needed for
+
+# build locations
+BUILD_PATH=${MODULE_PATH}/build
+DESTDIR=${PWD}/${PKG_NAME}
+
+# packaging locations
+CONF_DIR=/etc/${PKG_NAME}
+SBIN_DIR=/usr/sbin
+LOG_DIR=/var/log/${PKG_NAME}
+SHARE_DIR=/usr/share/${PKG_NAME}
+
+# test locations
+TEST_DIR = ${MODULE_PATH}/t
+TEST_RUN_DIR = ${TEST_DIR}/servroot
+
+UNAME:=$(shell uname -s)
+
+ifeq ($(UNAME), Darwin)
+CFLAGS+="-I /usr/local/include -Wno-error"
+LD_FLAGS+="-L /usr/local/lib -L /usr/lib -liconv"
+endif
+
+all: build
+
+$(BUILD_PATH)/.install_rocks:
+	@$(LUAROCKS) install luajson --to=$(BUILD_PATH)/usr
+	@$(LUAROCKS) install luacrypto --to=$(BUILD_PATH)/usr
+	@touch $(BUILD_PATH)/.install_rocks
+
+build: submodules compile mkdirs $(BUILD_PATH)/.install_rocks
+	@cp ${NGINX_PATH}/objs/nginx ${BUILD_PATH}${SBIN_DIR}/${PKG_NAME}
+	@cp -rp ${PWD}/src/*.lua ${BUILD_PATH}${SHARE_DIR}
+	@cp ${PWD}/src/robots.txt ${BUILD_PATH}${SHARE_DIR}
+	@cp ${PWD}/src/config/nginx.conf.sample ${BUILD_PATH}${CONF_DIR}/sites-available/${PKG_NAME}.conf.sample
+	@cp ${PWD}/src/ssl/server.crt ${BUILD_PATH}${CONF_DIR}/ssl/server.crt
+	@cp ${PWD}/src/ssl/server.key ${BUILD_PATH}${CONF_DIR}/ssl/server.key
+
+submodules:
+	git submodule init
+	git submodule update
+
+mkdirs:
+	@mkdir -p ${BUILD_PATH}${CONF_DIR}/conf.d
+	@mkdir -p ${BUILD_PATH}${CONF_DIR}/sites-available
+	@mkdir -p ${BUILD_PATH}${CONF_DIR}/sites-enabled
+	@mkdir -p ${BUILD_PATH}${CONF_DIR}/ssl
+	@mkdir -p ${BUILD_PATH}${SHARE_DIR}
+	@mkdir -p ${BUILD_PATH}${CONF_DIR}
+	@mkdir -p ${BUILD_PATH}${SBIN_DIR}
+
+compile:
+	@if [ ! -f ${NGINX_PATH}/Makefile ]; then (cd ${NGINX_PATH} && \
+	./configure --prefix=/usr \
+							--sbin-path=${SBIN_DIR}/borderpatrol \
+							--conf-path=${CONF_DIR}/borderpatrol.conf \
+							--pid-path=/var/run/borderpatrol.pid \
+							--error-log-path=${LOG_DIR}/error.log \
+							--http-log-path=${LOG_DIR}/access.log \
+							${NGINX_MODULES} \
+							--with-ld-opt=${LD_FLAGS} \
+							--with-cc-opt=${CFLAGS} \
+							--with-http_ssl_module); \
+	fi;
+	@(cd ${NGINX_PATH} && make -j2)
+
+.PHONY : test
+
+test: build
+	@TEST_NGINX_BINARY=${PKG_NAME} PATH=${BUILD_PATH}${SBIN_DIR}:${PATH} prove -r ${TEST_DIR}/*.t
+
+mocktest: build
+	god -Dbc t/borderpatrol.god
+
+make clean:
+	rm -rf ${BUILD_PATH}
+	rm -rf ${DESTDIR}
+	rm -rf ngx_borderpatrol*
+	rm -rf *.deb
+
+distclean: clean
+	(cd ${NGINX_PATH} && if [ -f Makefile ]; then make clean; fi;)
+
+pkg: test
+
+	# copy the build target dir to the package dir
+	rm -rf ${DESTDIR}
+	mv ${BUILD_PATH} ${DESTDIR}
+
+	# Install configs under /etc/borderpatrol
+	cp ${MODULE_PKG_DIR}/borderpatrol.conf ${DESTDIR}${CONF_DIR}/borderpatrol.conf
+	chmod 0600 ${DESTDIR}${CONF_DIR}/borderpatrol.conf
+	chmod 0600 ${DESTDIR}${CONF_DIR}/sites-available/*
+
+	# Install package hooks
+	cp ${MODULE_PKG_DIR}/after-install.sh ${DESTDIR}
+
+	# Setup upstart config
+	mkdir -p ${DESTDIR}/etc/init.d
+	cp ${MODULE_PKG_DIR}/borderpatrol.init ${DESTDIR}/etc/init.d/borderpatrol
+	chmod 755 ${DESTDIR}/etc/init.d/borderpatrol
+
+	# Create extra directories
+	mkdir -p ${DESTDIR}/var/log/borderpatrol
+	mkdir -p ${DESTDIR}/var/borderpatrol
+	mkdir -p ${DESTDIR}/var/cache/borderpatrol
+
+	##########################################################################
+	# create the borderpatrol package
+
+	# install fpm if needed
+	test -n "$(shell gem query --local fpm|grep fpm)" || gem install fpm
+
+	cd ${DESTDIR} && fpm -s dir -t deb -n borderpatrol -v ${MAJOR_VER}.${MINOR_VER}.${PATCH_VER}-${BUILD_VER} -C ${DESTDIR} \
+	  -p borderpatrol-VERSION_ARCH.deb \
+	  --after-install after-install.sh \
+	  -d libssl1.0.0 \
+	  -d luarocks \
+	  usr/ etc/ var/
+
+	mv ${DESTDIR}/*.deb ${PWD}/
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..9475c78
--- /dev/null
+++ b/README.md
@@ -0,0 +1,121 @@
+# BorderPatrol for Nginx
+
+BorderPatrol is an nginx module to perform authentication and session management at the border of your network.
+
+BorderPatrol makes the assumption that you have some set of services that require authentication and a service that
+hands out tokens to clients to access that service. You may not want those tokens to be sent across the internet, even
+over SSL, for a variety of reasons. To this end, BorderPatrol maintains a lookup table of session-id to auth token
+in memcached.
+
+## Overview Diagram
+
+            +-------------+
+            |   BROWSER   |
+            +--+----------+
+               |       ^
+          REQ  |       |  RESP
+               |       |
+               v       |       SVC
+          +------------+----+  CALL  +-------------------------------+
+          |                 +------->|     SERVICE A REQUIRING       |
+          |                 |<-------|       AUTHENTICATION          |
+          |                 |        +-------------------------------+
+          |      NGINX      |
+          |                 |        +-------------------------------+
+          |                 +------->|     SERVICE B REQUIRING       |
+          |                 |<-------|       AUTHENTICATION          |
+          +-----------------+        +-------------------------------+
+              | ^       | ^
+       CACHE  | |       | |  AUTH
+      LOOKUP  | |       | |  LOOKUP
+              v |       v |
+    +-----------+-+   +---+----------+
+    |   SESSION   |   |     AUTH     |
+    |    STORE    |   |   SERVICE    |
+    +-------------+   +--------------+
+
+## Use cases
+
+**Assumption:** All content to be access via BorderPatrol requires authentication
+
+There are three primary use cases for BorderPatrol:
+
+* A client has an auth token in the session store and the request is forwarded to the downstream service -or-
+* A client does not have an auth_token for the specified service but has a master token, a call to the auth service will be made to get a service token for the downstream service -or-
+* A client does not have an auth_token, and the client is redirected to a login page which posts back to nginx, performs an auth service lookup (and returns a master token and a service token from the auth service) and, on success, creates an entry in the session store for subsequent requests.
+
+### Use Case 1: Authorized Access
+
+* Client requests a protected resource via BorderPatrol
+* BorderPatrol looks up the session_id from the HTTP request in the SessionStore
+* If service token present, BorderPatrol sets the Auth-Token header to the service token and allows the request to continue to the protected resource
+
+### Use Case 2: Unauthorized Access
+
+* Client requests a protected resource via BorderPatrol
+* BorderPatrol looks up the session_id from the HTTP request in the SessionStore
+* Record exists in cache and there is a master token but no service token for specified downstream service
+* A call is made to the Auth Service using the master token to get a service token
+* BorderPatrol updates the session_id/{master_token, service_token_1, service_token_2...} pair in the SessionStore with appropriate expiry
+* BorderPatrol redirects with the appropriate service Auth-Token header to the protected resource
+
+### Use Case 3: Unauthorized Access
+
+* Client requests a protected resource via BorderPatrol
+* BorderPatrol looks up the session_id from the HTTP request in the SessionStore
+* If there is a cache miss, BorderPatrol serves up a login page
+* On submittal, this posts to the AuthService (via BorderPatrol)
+* On successful authentication (which returns a master token and a service token for the downstream service), the AuthService sets the Auth-Token header
+* BorderPatrol sets the session_id/{master_token, service_token} pair in the SessionStore with appropriate expiry
+* BorderPatrol redirects with the appropriate service Auth-Token header to the protected resource
+
+### Caching detail
+
+The tokens cached in the session store are a string representation of a JSON structure as follows.
+
+{
+  "master_token" : "MMM",
+  "service_tokens" : { "service_a": "AAA", "service_b": "BBB" }
+}
+
+The token that has the key of 'master_token' is the Master Token, and can be used to make a call to the Auth Service to get other service tokens.
+Service Tokens have a key name that corresponds to the name of the downstream service.
+
+
+### Installation
+
+#### Darwin
+
+* get homebrew (http://mxcl.github.io/homebrew/)
+* brew install luarocks
+* brew install pcre
+* brew install lua
+* brew install luajit
+* make
+
+#### Linux
+* apt-get install luarocks
+* make
+
+### Running unit tests
+
+You'll need the Test::Nginx CPAN module.
+
+* cpan install Test::Nginx
+* make test
+
+### Running full mock services locally
+
+* bundle install
+* make mocktest
+* In a browser, hit https://localhost:4443/b/
+
+### Additional Notes
+
+make mocktest uses God to run 4 processes, on the following ports
+4443 Mock BorderPatrol
+9081 Mock Authorization service
+9082 Mock downstream service A
+9083 Mock downstream service B
+
+Once you stop Mocktest, manually kill the processes above
diff --git a/config b/config
new file mode 100644
index 0000000..f2c9dcf
--- /dev/null
+++ b/config
@@ -0,0 +1 @@
+have=NDK_HTTP . auto/have
diff --git a/contrib/nginx-sticky-module/LICENSE b/contrib/nginx-sticky-module/LICENSE
new file mode 100644
index 0000000..0654c57
--- /dev/null
+++ b/contrib/nginx-sticky-module/LICENSE
@@ -0,0 +1,24 @@
+/* 
+ * Copyright (C) 2010 Jerome Loyet (jerome at loyet dot net)
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
diff --git a/contrib/nginx-sticky-module/README b/contrib/nginx-sticky-module/README
new file mode 100644
index 0000000..77bff37
--- /dev/null
+++ b/contrib/nginx-sticky-module/README
@@ -0,0 +1,129 @@
+Nginx Sticky Module 
+--
+
+Description:
+	A nginx module to add a sticky cookie to be always forwarded the the same
+	upstream server.
+
+	When dealing with several backend servers, it's sometimes useful that one
+	client (browser) is always served by the same backend server
+	(for session persistance for example).
+
+	Using a persistance by IP (with the ip_hash upstream module) is maybe not
+	a good idea because there could be situations where a lot of different
+	browsers are coming with the same IP address (behind proxies)and the load
+	balancing system won't be fair.
+
+	Using a cookie to track the upstream server makes each browser unique.
+
+	When the sticky module can't apply, it switchs back to the classic Round Robin
+	Upstream or returns a "Bad Gateway" (depending on the no_fallback flag).
+	
+	Sticky module can't apply when cookies are not supported by the browser
+
+	* Sticky module is based on a "best effort" algorithm. Its aim is not to handle
+	* security somehow. It's been made to ensure that normal users are always
+	* redirected to the same  backend server: that's all!
+
+Installation
+
+	You'll need to re-compile Nginx from source to include this module.
+	Modify your compile of Nginx by adding the following directive
+	(modified to suit your path of course):
+
+	./configure ... --add-module=/absolute/path/to/nginx-sticky-module
+	make
+	make install
+
+Usage
+	upstream {
+		sticky;
+		server 127.0.0.1:9000;
+		server 127.0.0.1:9001;
+		server 127.0.0.1:9002;
+	}
+
+	sticky [name=route] [domain=.foo.bar] [path=/] [expires=1h] [hash=index|md5|sha1] [no_fallback];
+	  - name:    the name of the cookies used to track the persistant upstream srv
+	             default: route
+
+	  - domain:  the domain in which the cookie will be valid
+	             default: nothing. Let the browser handle this.
+
+	  - path:    the path in which the cookie will be valid
+	             default: nothing. Let the browser handle this.
+
+	  - expires: the validity duration of the cookie
+	             default: nothing. It's a session cookie.
+	             restriction: must be a duration greater than one second
+
+	  - hash:    the hash mechanism to encode upstream server. It cant' be used
+	             with hmac.
+	             md5|sha1: well known hash
+	             index:    it's not hashed, an in-memory index is used instead
+	                       it's quicker and the overhead is shorter
+	                       Warning: the matching against upstream servers list
+	                       is inconsistent. So, at reload, if upstreams servers
+	                       has changed, index values are not guaranted to
+	                       correspond to the same server as before!
+	                       USE IT WITH CAUTION and only if you need to!
+	             default: md5
+
+	  - hmac:    the HMAC hash mechanism to encode upstream server
+	             It's like the hash mechanism but it uses hmac_key
+	             to secure the hashing. It can't be used with hash.
+	             md5|sha1: well known hash
+	             default: none. see hash.
+
+	  -hmac_key: the key to use with hmac. It's mandatory when hmac is set
+	             default: nothing.
+
+	  -no_fallback: when this flag is set, nginx will return a 502 (Bad Gateway or
+		              Proxy Error) if a request comes with a cookie and the
+		              corresponding backend is unavailable.
+
+Detail Mechanism
+	see docs/sticky.{vsd,pdf}	
+
+Warnings:
+  - sticky module does not work with the "backup" option of the "server" configuration item.
+  - sticky module does not work with the nginx_http_upstream_check_module.
+  - sticky module may require to configure nginx with SSL support.
+
+Contributing
+	http://code.google.com/p/nginx-sticky-module/
+
+TODO
+	Stress
+	Code review
+
+Author
+	Jerome Loyet <jerome at loyet dot net>
+
+Copyright & License
+	This module is licenced under the BSD license.
+
+	Copyright (C) 2010 Jerome Loyet (jerome at loyet dot net)
+
+	Redistribution and use in source and binary forms, with or without
+	modification, are permitted provided that the following conditions
+	are met:
+
+	1. Redistributions of source code must retain the above copyright
+	notice, this list of conditions and the following disclaimer.
+
+	2. Redistributions in binary form must reproduce the above copyright
+	notice, this list of conditions and the following disclaimer in the
+	documentation and/or other materials provided with the distribution.
+
+	THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+	ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+	IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+	ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
+	FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+	DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+	OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+	HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+	LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+	OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+	SUCH DAMAGE.
diff --git a/contrib/nginx-sticky-module/config b/contrib/nginx-sticky-module/config
new file mode 100644
index 0000000..bf9bacc
--- /dev/null
+++ b/contrib/nginx-sticky-module/config
@@ -0,0 +1,6 @@
+ngx_addon_name=ngx_http_sticky_module
+HTTP_MODULES="$HTTP_MODULES ngx_http_sticky_module"
+NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_addon_dir/ngx_http_sticky_module.c $ngx_addon_dir/ngx_http_sticky_misc.c"
+NGX_ADDON_DEPS="$NGX_ADDON_DEPS $ngx_addon_dir/ngx_http_sticky_misc.h"
+USE_MD5=YES
+USE_SHA1=YES
diff --git a/contrib/nginx-sticky-module/docs/sticky.pdf b/contrib/nginx-sticky-module/docs/sticky.pdf
new file mode 100644
index 0000000000000000000000000000000000000000..ae74c1d0127049ec83e0d9de2d87604d9e61b3da
GIT binary patch
literal 81907
zcmdqIWmH_vwl<0c2<~o8@F0!5yF+kycXxMpcb5bRZovsoaCd@3aQ6?AH)rqtoqNVO
zciexsdv&j;WJ=YVRqL58q;f(cH1xF0@GzwHuMc<_dH@~3M&BGBhKmcR=w@pK6x4In
zv$Qb*%ITRHIRF@5o8^I0de$Zs#`ZKK@{|Cef}_2Yfuo|mk&(QOjU#}b<#!iZCr3*&
z>sJYS#@}UWJ$nmrYh#;NwQtbK5b!Ey#Pj-qhcU7?{B810`G45{Z4)SH<7EA+7bt0F
z=%4}ktxgN@?{aTd|4r`IVSA%jxj!Du8#&lG*&7%+yxJGBv37hr(F2%&yC%W_V0{BT
zJU}^n8v_L+M-AZXv;Y;2TpfYpR<Gk0_;V8ca}s~E4wN=BG}9BXan*Pgr2{atv(Pdy
z1K5}twE(XUTRXm*b^tK_)-P&r<7E4HI)4{{3P44BJ!=QsHx~`ufPxA@AtPrq10#7+
zfmhXvdioBpUH(k$pJ6xv=>C1gZ;JnpSj5cI(a0VsVyWk7BxGb@V`v1FGO{*tGzBow
zv9i2LIXK!I=~=<UxMm({XxQL0BYE@6Kli|##eUeRJUXlRC@ejh{{bCo5LTWvPy(0;
zKPRxU#<+TQ?0z$Hi^s}MlIx%7*uT1P=DL#+k+pNJ@?+&&BVi5?hsC1DO?pD@R55y&
z+2cORvoFXG8(=gGihos&9qoIgjNyVPFrXtAG(L(Y)d-Vdv$CmaCSv~8W`a$TT#Z|J
z0xG|Go>PMMl>}_qSA@)|si}R1t<&hi6%sd*aT#AiXnA(M9~6VPOwj4?&G7eU>iUXg
zY|n=aeq6*vvsB29w|1@lFcHlVVaZ{=-Bh~J4)HiR#jC$wKQo&$?4wMu%htrRvgVCU
zrrh-T(R)!4r63*gvI)da@`ZudcE$S^>EYYw@whkJ`=tq3Q9sL`>0uW<og;Rj5P#1o
z-bPZ!tLS+IA#NphU_)|+E&h~L`24AB!zKQ{rG%#m&>$v#yP**}uICQ&3EUfwMK=JM
zApdCC_n|Prb{zLvci5~6H@G711DtF`<F~;ngwA9Jo-Aw~V@us2A!k#|y_4GNEF~<t
zr~|VCS7~`2WzUL@Mzp=40^-Bo?ik*6H>`9~-=uS_i{dL0T!xB>$<JSZJ~CbP!-$ox
zA`brwIdIx<s}fIP+U@vgNY(5U^gTLJmB@bgr}q%!De7kmeE%3bC);z%@M~F+?xwx&
zy$%@Sm|8K$yGUp>!>Wm$N!!M3-h$y|YQ6Yg{>~g0q09?=P`e=tP%H?3=tE@7K-N?N
zZjE9{PVxl$Dy?_?y%1fXDT;F4sn{vU4HfRLG4nilAY*V?{cv^Z*lhH8RD)iRJU4yf
zNBw>t0a{SJon8S?O?pWK?RsB|e%1{i13>ye(*R>HMVd_rAl2EJ_}>-luA;Y0K~LXs
zIf@DQ6ggRJwA0W{Jg{de&|i$CCOZ#PSU1i;aaTBfK^<*!J=s`YUkTTERqP$WsJptx
zMy}Vpas|H#qAQzl(+0{`?iWrb8=}#IkUP~RkF+|L<lSsP@U=|1{Yz=qp3->ygiZnJ
zLv1>^6<n~msQjn6czFCn{bniA4?kp4Np{+JhDCxWteHJVg$?00=*_IFwYyTP5Bj>B
zlOTQ4eDV6>3^WYM%%ob;lt);;Xtx8D&W-p<D^t<UqAvT?zY8~0Q7+P_jD&GDb3`p<
z&!}pfg1T8<=Y9ZI(t9p`-#5?i^FmZ#8RR>pZE7M)JC@kaG8ZQs|2RRLhS$(u5R_17
zJ9OR9QQr--P07&=Vila+J#x=sE}?EH?K@W^?0;?^^kT23u;rO6zNT{M#h--dl+F-!
zIKOeI3@n$E+Muqml@fuC1B@#>=cndtAftXw%JC6A2)=&4@b438T8q5q(na+)ArVUn
z@4FBKe|IF-jYpR=h3WQ*hDc~$ma%09H)u#<ftwFwk*D+*M9nWv7(;ZeUh-Io0)qk<
z<!50C+h;E$x<aks9X@b!_|+nN1L>p6W!Dz=ww0$XF9lF>X8!WPCaF?Zo_r+TK{F^S
zF3V{}scA=^dv{t9B6D*Nb8~7!6^rKJ(z3MD1$7~4{UG$ADXHm1<<9sk_>=GE_fmX<
zp=_`?35SiU@7orb=lMKXv`!`%rq@^VWLlmxl&GvI9DnAwMXcD!r9P7gHq#4NW=ClL
zB(WJFjJ)cmU>Nk92ZP>>v`*Kvt!N;pRy8bf3(=F#-kT7vW*M(_5Lut9yx8=)Nv-U2
zHp4bQ&wT07VPL13$MTD+7x;X5G5pl9>1A4mNOL9p&WcBqfdeG88rcUSC(@i2dxjo<
zu$O|Qpp&FPP$Yw~IoJ@b$xyK(=!=YqpQMP9<;GUIjVl9;BLmDCpGR|SH$NxH1irfH
z*8I2ZfJ0D?m5&W2n<-9_-#r>y{Ms!T&eG|gXf#%IRgQ8KT}H}aa>oLVINxiA?j(+Z
z5?wgUrB76>s+tLHe$=-L?TB1!w1SjM#C22i!+jcEGG32>CSfDO7clbSwVjQ)F3<*{
zVJWri%iQ@<T(>o0rPanYFIsAdf`xQl%<7`5B~mz}hMHsX!4s4PZmK2aX;6;L1)3$2
zMAxA1GH)=|!e^MfPN%uQRdA4dGSd1=Bu~R!M0brPfFQ0Io}0o~56#Yt2iji8g_$W<
zwpBU#GJ1JtWMFLVQQ1z#(b<9>c}HV7EEWN+t}iQj6V*IVxHHX$26x)5b(*U+9Jy#_
zN_gv%Nk@n*#6>FGhQ=gt<G}7iA(g6l{3R3Yzc%y+8}AO4#cYX!^=Ud*5&DlU<KHpz
z#$w#t+d)aC%7hBFM$b#rPK`x`fI;FOe(Tkq_7b<CaJ3OJ>R1LMw?obhTAp~p->x1j
zJPUXsm2V}3y%_0wwsFH$JYPOyr=ImX&`~}-$1**26*`7qgm?Hi8!(t<IF`n6jk6fh
zh2}2YAFH6XG9}UKf7P~|VA1Kx+X<{FP7plIYY8*k-x3iP8)7}UmGOhp@+ki1J*kn0
zns5P=2kRrCmxdd0TU7P9-VZ@Gl0&77vXLw$^EI!$NZ45B2A$(p;3sE2d!><o*mavo
z7W$}`hD{HHO6^b5fFj!*wAAs~4D03{sXYR-4X}!$49&@A0yf6k;?6+7k&PG(dotN*
zH`-|D-3dkpT0)Fey5~$TVgvgr+?C67(@QxV!Bu^ypu^GVGQK)B+fqO4bah|r{#-x5
z8IJ7bk8~T>=Ec0tVheHdEX=h#kK%eLoGK9#dS~c0kCgB(hj&5#)6!7|1N26CDNrNp
z?$FPmDGiA$zggH{qVSiHz44>JG~+iJe4|c41t)#SH)g2#O5lFi%IH}cz0xV5fS!ZV
z?;iXDf<nT=RD!Zf^5Vks#0+#Y!Yb4PHkO7!Ve40dVrFduR57#Ww{|f5ukxFmkdcFd
zy_v0}jXmHGi4-xjcW@Lm)w2gMGQ5(`e=t1*{j0d4qv<QbdZVka#O+@k@=fr+x%@B1
zzscWkfB$D6UzwDN!<$9%SLSPGz;A70X#}7H@;ey3@kusD##gfT2h%XnvA+^zTQMUu
z6H`Y3%WD(Av&nDY04#KLuT0nVPl1h{>9=K-KOI?L+f@G%Vqm6wWqL+d%C8c?`w09d
zl{ED141hQN09HDNH_flS@@<Y@*`5&tfay1@{r7RdG1&h$?tfjX*Xu?1|LXdP8@>+K
z%+ZZT?4QvZ>b)9&b-)3@_BQ80MH?k+vp2R0VERqT|J|9l9>1N@0I<Jx)&l(N0=-rI
zb@YD`Fn@zhP+aKE`dhp){7FpSion-uMH^9ZA!$8Z;9r-4LMi}yy4NXwZB%e`c%9p~
z#N)N<x8HAK|B43y{qG0@ssNaNCj<XJir)f%U6r*rG_rpUT#CO|UNawgBNMaNCF4fH
z|C+xTy`@4<wzif=R&QbQA9Ve<k-wV$Ya#v1i{DrF{|8a|JKy<_Dg2L=&dkx$h=LNx
z@8oD|V^3kM=ScY$pyoyfj<2<nMs6-P_J$6xQ1CTfaWu2B7JAKSD1<l|=w7cT3mr2(
zD;*;f!|OCl+Zg^&O|J=@p_74;J;n12h%|^9hyjQ_hz*Ft>&qC#5u_3X03!Q}jDNQn
zy_S?;k;CiD=64$d2;J+G^&byjef<BV<v%9kzvZZZ6J+4;O%6c+Cs%yi<N);lJrw^v
z;ZyuQj}DGz1{Q9#&JKo@e^cFmQtf{f{z-2CP2oR@G!6aRigx@blLo4)slToZwzr-1
zKeOuJUi??k{<is+j|1rcW$%yA|0`__Z|m&8w7uOvWcAGz9Ib#d0EXAS@ol4j{pf)0
z75z`yEHgd*+l>CbN4aLUDN0-5(j&D&ofEEBw>dK7cnQ3}oRpNHld&!eiKXouXRG)Y
ze7|;Mh7Q%>WLX`Oy;@o5md<)160fIA!_@sTKFA44^fXrLy(Wh0adO+c`p4n%tz5`a
z<aet`)U67o-4}%%?-<HN#o%B<3)k`K-}QaKM*Ja0*@JEPHTE4n3K8gsH1^Xekz(Ue
zH9MynnjxY9BbPavmJHxy;@3S4DpR$#_V!jb`_QsZKQll!*P~h6qSeFk=FP^+u2V->
z<I~QD*^|Ru2atOIQ8?|6(a9J#56^{1K=tRiEp>G7U=do;Z3BN@P1MDf_dtQ}A+9y_
z3}ykL)EOvu=d(qCGfqHpE|DoDzV!OLx~!>->dQ<Eu`!6IDekZRD4N9qCdrb^s=zf}
z;W22l*j=+ZNH?BN)`1IX9%8I_8$ur_z(f-+kdQuvpb`ZbU<9Ftmxelc5znxlIUd;b
zYbb2S$O^HUx~pC>$OyYNCU0-!@KZIxv<s9XQ5C{4M|<P*e^kV%pjKC_t1&g27|Kr)
zri#E-dzQZSeknLP4n8`zYg)U0I=^$%-C6Qxd`=FdH4hJW1h}rW9r+-#J`tREJAL!G
zS6bzGuvby@PI^&6$I(?Ug*@$-SOhsc`Z*RPIJM)CcX(HKrI3oFcMwuWQ+#~8M(4D-
z-Ah=^Uefvh$X9;Tf!{%<@pk`xjkte*|6Bf3_qX(R{@3$gZGUC|p8s9b8~*$HBl~~L
z{Vo6P^|$=i``_{3(x1Bj?EOEN{=MaYf&cyX`<prZU5EekVq>CbWMcW}b0m5I8v`BV
z|Mf}IFHdM!Md8`&G7nA<fpnU8VEe~R3#gp_mePQ%C=gIiLq8^q5F{2q5oLZBlkcRo
z-#?*YC++3>N7|y|k=r5JE%O-(VStKS;bkE=BFfnc+IKX{xP-jhPI<|2Yu~-gS<`S^
z`>Zj{UZ4HB1v(axKMDXhLQjmMXfd!X7s$V%&u<C|hk*%kf{ytN;8+Y2!&XxKNqrHl
z(-gJWlwsOQENq1C7Dun)BbZ-+b{<_jGTYx|We*l-DiG*l*|j(1oiu6`TOVAy={4i<
zWrz2+YxzUI6y-_v0cpfY#@BB&Ii}NILV5VbV>$FLH(#iNQ5NKQwvw=wV0RVZg7`Z?
z&m$Rks588G2k}uuhgeaiQ@Lx4%@;SOzxU?>ard80K78<unGd}Yc0J*CIL^nlBsa($
zN0*%Ty2q1sQX0K3=NC#xK2g|JUZLwajH^71^8r84*j4&bp*Hsf-FhN;SL$}b4U1V%
zGO-rAdZ$`ErX$Dr@^mj6TySJ6J10Z(KwD~JE~B72leqWGAx|%lB!^eg)xPLuh}a-r
zBl($*Y;U7VC6+bvVi?N%bQTsdf9j@@dZyN&z*-ub>vLq-bZH`*x5|JRi+x^7dR~eF
z+(VKUnou4;Zos{OAu#8w@`PiNf?O;L3SKb<e|VRz|KugNBe=WTHOalTV|!Ym2S=%a
zWOI2KLl3{eoKs@^RFz~yB3$qjli*G;kg8QOaMIr0pCAvhH$(z>53?bEMsb8<Goic)
zHd3Im&)<?3JptK@kN(i>b>BgeG_()kE+8yqvzG&gmzX6=rcux%(nH*TyEofXlc5yT
zh??!&vpLMs8=2Y%oe+?nfN+;zBVtLAe96QZmm4a$;zLvy#6h2wzK5Dl={qPfW&4o_
zwZ}6+{v?_xQv&&^>^*(3@&Q!d3jbL-C8U?@1dT6sj>e`-?CinMr(?Ic$aJ_O^NAQ`
zd6y@sCM*5gJ?XN0WU)-XB2zPV$LsvTMA>R4e*qy;WNB!zj_`(1t$VwctmJ%0BJ>HV
z^id~?nYD>E{)Lo1dJcfP5X|C>N9BXyo?U@z^eVf^w}}KwM_+ll587bX5o<*?5qgax
zsX~QfNXlojXQ{4os^6XU^1<rNnB8|k&E*202@XDP14Uz!CNuJ-G->ee3%L5Xnzs0h
zM~?W$#NcLJD1d?`l3*3MFwkcMq@Va$A$+rssQg+Yg)7<NC`-_YKOhI7pp-%wQ1mT{
z8_+4N7L#6rMa{X4p9qsr3nEj2$408fOQ2qEO0*)~V;7}NO4cBPk}H2~Gqhe?+U`zq
z8G_pj0oE(j5iXfQkPgO)NZXe|x0U8fXV4XIQp)pwCRF;6_`W>2O>7JayH4wJlLzKf
zGdG3AehGl;z?$%3e9U4|k6_0E&$xfa@A*4*OY#HbcuD)S=EP!(_g>E3?t?o)2{9M(
zSCj`MPY?$DFZ(*<yab1b9hbn%lkbiC8S_FRr`{X+1>CLj#BSwVAEN?<nng_V2q;xc
zh~+{Y%O_9D$mOT#gKeh3R39cTp^L(vP4BYwfje#(2bsW;(gzmRfQh|?5B9L=dDXtS
zSF;oHQ0nzTR(}3TcnAx~i6hLuR=(}7FjE~HpD2m|Pg>Iy=&I573?`83IAP4!Y2ISI
zeo6k%Q)_|`T6;8V?MO#a{;ScpN@y?{>Ci`msSmJnJn$CG_}ln3Tz!{NiGx$T`4;o-
zXn-+rOJt@ejgfnT*jSOlP++c5-H#%Y@HqWIth`GMpWvm}j8?JyQu)3h3l~lPuvD#8
z+=&VL`fH*$@vp*yZ47$fAyed8A;>6{>Prr%qWZcF?R-u%q9=?7Jq#^G4TiwrP^gJU
z=aFiLk5f0DfnSBw$7ZT6sP6KYKT%&`o3~RSvXc=Vk){`KMQ{dbTw;9dwRT4V*olq2
zLkO$y<ggR6MCl2Ndxm70*d4cx<tgYLXclf3c|>oZh#np1724{pfGLux_4xD)89pDZ
z))!#afaQmL#m(>i0)7wv&^U3)!kKk~?aN{#?A6%)!`B1nIOdXjcFEP}QK}lOWj4&b
zdQ?aL>R~_fWt^BLoZKxWVPnPgB;==Zb)<Fy>-V0Y@RcP}?0!`pUi#Ts%ZszVFQ79o
znLvyPA?V|Ph9}!<-f8FOqA`Sf4^H0kMu)*Us=O`Ez-f7uLtJ3r#RJZW*IhfIQxf80
zj}^9W8chz-eDjVz_h^t3<o8`Hs}b1p;v%dc#CtbvBfj<eWYo@hG4~uVrsbWP=kF0E
zexQfY!)kxmcF9ns(DuKAS3p6+ksQ_)_fDKmUBMbb&`E>09UG^*3{R!n(GT&2=afLZ
z{#L}Kz3hwa3VOn$!ha#e<|VG9k4AuD%mI{GymZdR+>%P$IN@DTCtoHhNBrsvzUhRR
zU&tM_g65>pP=#EHK$R=A3|1I1TD6nVYv@EdN*!|$6aKB2kll$z6HSxDi(KDVR$VKr
z)Z)f_f?b#uz+L5|O}Ti4&l}R2jXaNEiI(yU?<m%L!VVwo+=mQU-UH=`727}uhtYt>
zDE0xB79gCxj-p$#?VS?9A(+e-L4QIcFT|)BzBZ^tVxq6hqTLc+Io&a0{!pYeAHL!3
z)7jfJi|)>@dEC4V)9%>&91m1+1mUl!ZYQrA0$zdR_zd1?gbd$%TbxCB=kn?)2_>Db
zpsz=S>1!W0X(NDHoogt(+&)mpUG_iVITt)J#jW<=mVf8)g!Pcbgi-mKnEe5ks-Z(Q
zCUK(*&uc5X_<NX!x(CJh!?U(%%NPPoQ}g`NlXE2v-Mun>XfQ=qBHOec_4V3Ux)7>?
zaQwAAA72Ng4QKiATB^L2VLS4!84T);T!d+Ka)@O?yY>~|^9!Wt*)<WWZEVr(W9xkC
zOovd}p$$(Jc8EdNZrZ3^jLfv3cdg5)UqqvexhRKmha_5HYwR~Fg_nYwg5`TFXPtu^
zEB&~d?SrbX@UYk%Bz}P6R`C^X6z+Q%;tXBvKglmSltn>j9)LRoY+H0-$md*jR9Ao0
z^i{}jg|jx)@=nrT3a$y|H*SfuK~&-}t41>75UoTrej;$A<DoR{vYHF#{GsihRPn+;
zeIflM9lr)zJ`LSW!zLVE<Y#MFIw#nKIdqO)8c;q(eW_{Ej!65xOmY>v7H~t`ifLe&
z3~+*$Q7fbPhK0kpua@}$LnqI$JxQ*)D2N=0yCPi$vo_9}59>wB@ex@+wh5D^To_u}
zzZZ!<(8f=>=Hrtc=Q5m3ERS-J_h_}BmVYXMgHNQLBIrARQ$6YWHB=wB%Ib>y=Cv_0
zSt1YE8qC}Wr&4ihNr?drS*=7ejbWqq-YgqV38Udj+Zsa>N$Jx&HhLRj_C$=cd~qVT
zufY-Dtv$pBkrq;wL;>{iE0$*_K8FcJR7zW6OcVTuFiP(xJgQ<SFPY7O8fp9wwgw-^
zZ}MOI;^QP-%gGA}OS;sm2|4$y%ClIjqsjA2LiF3$#1>R<987s0k0|J&nwb-qf*EzV
zWPZA_Rf~=TGMlCh(W`>rH^wsF-`JiUoD?iyHTm5dt1OjJtrD+iZ%m#Out2vV6OV@3
zY`27LMSC{J-mKXk<oN`onG}C)D~gKDYYJe$4VD{X6=;rt$fjvs(-I8WcEMadDHKFl
zmR8iWTIt<BNU-2L_N3@?w=UK%%Q-|+MLrKk@l!(fO>~4~zrTQI7k(k1HRe)kI2h~I
z6mGM1pu#xWfSe>D!0e~HAiyL9kNHBpM>s7UiT;HyI<#x>iuiks@N*0@aYsT{A5HK3
z6u8!q1O$x;W!#-w1K2I;7xLTYgaM}VmWam1>-VZiW?o>X7e9PYnosn#->ts{j~{CY
zXbjM6j9%NzaEeJfQi84F(>^_qU#~tk_-I2M570j=L^%4LprLT@@wD@Q8=s{=%6g7m
zE!8P9+0%0u8*Webng^<9X@BL-zZo~s7_Ik=BCy)M47dm7R+CLMy(`>CUCwYe=tUPF
zM`oMUxKz1H!KS)Iw`v!UnsGUZ(9pJWOWTgNKDj(<`TT|EYbQg4!@c{;%H()Wz?tH(
zd}UiX>4CqN6Qd--j~n|NV8a>aqP=hnP=XiB_NT^tu1(RA8Sw-0lhg7M^U!ym4g$*E
zeW+%yseape1v|!@Zm_k8L_R{xfP{9g{%ro2HklCJ75Dlw*;;S;wQ`%{Y>9F<QN&57
ziZ7Dh3Xy#>#2rC{0o?|+ggxAloF;w|fut|fCp8-)p)q>06+hiZ(Z9SiSa$9l9a8()
zlcPHd%(b(<Q+?^ki>XT3-Bg@JZp(ry&--$T+Eg;U+Sv73GoYCR=f*vL?S*a^$CP~q
zlv55+L1!=2wS!kuQPuT16g7MgHUckbWlKG8J^PU$OT-iE)B8iq*j!n?W}5kGo&uM+
zc$hhOT8M^a7+eDIh-~P>4aX#Z`vO~;dz@#jDmVjM*qRSIADlmbWiRfCY&IoHiZO$-
z_RbQ5$U=2%!mLEqF~Ee$Ob3_6|78NB9E%??>(`R!MPB-;RCO$7<NMUL8i0o4I`qpp
zIn)9qI-pV0XYR9$!Ml7R?j@JCk<K52mIcQ1HI(|`M;I%55IG?ps8{n**rz9JA8t8?
zzh&^PH(x$`H7h(BWp{c#PI}zQK6Z*f#xDgwV_2TKkKhXM{_vAN5TY8F)ccUWbwa0I
zly#3;^-iZVo*a;LOLZ4gRaSBf+uZt4vYA-iBdg~pZ2Cky(qHr*v!KmBW~`eF`-e+?
zCDw{-HQH!6sw>YZ?#TsLSRNt0i@aU1-RUpvz((s!njInLS#cM7l)F_-9o^)k-3vh+
z8Q8K!DjHf5m$@S4VDD4*5k}_}brufj8)D6Mt?c>jx#nXw>HBN-JBWHrV>P5jGk)BQ
z+h3ljYx3X?UIa28^Ub|%IR%*e!k?(-Xw9$m4_S}4&mRb)wzQ;<)$K7_TuTUn+PzU%
z9NJF{Xc1l?l@)K>^Lxg6)yw%}q<pg^@-|w(sP03TYpo5Olra7jWV?ef#N<RJUoZZ!
zg<AMob;e&mpgnY6a4qQIT)9N26Z!*OqyrCD39c=P`V;Xlzb%B3iS-LMWMMzfpR;xZ
z7v1lV;hsTV$lQ+ihVTTlY@H88v^uLtR_tu<5Uip=`#-VT%I;{JZZz&K9qXdjrj1Eq
zWTLir{fdvwi1UtiH{j(K4I2?Rgd|t+_r_=guqTzTGaXd;MA64)@`tTUNlbQhho@K;
z7}{cta_MY5Cgtbk@g%|=OPZ})=>Cx1JdOoD9^>+5pf7;xR?qAfm#xXNT<>zMf7W4B
zk{}T9>J+5E>G&>QPB_p1)YZ%cVnGtao&)I*Yl_r_^vDiR%-IwQ84#kta_m8D`refU
z9s)Cfx9C$MI6>6ZVo6hixU;@>&UbMZM6TfG#Pe$KMEVp3q9*@vTS2U0E`*Cs9kvDZ
z0IhYOpADQaT%Z;=Ic(%Hv%JOPjx??e>|F|_LN8*+qw60(LdY6b7Bf5%&VL>1Vjh_)
z13UDBlz}1q`HRL4L#bPPq_6q%oipd4gDICQt@L=CDr!786Eas0*@m|}w=^iQQ~M6o
zT2_h82AE&A-m3_&-QAj4yiw@^KI5B04=mZgU$d*p0oCqmjW_Q4{55}JeP+aBkK<ID
zNt8GGN$%XnjP}+zy@ar!exxxL%9BdwR#fkXWG#ASgW}hQ{we;t%btunSbIdW{|O{v
zo|7YZQ*^T5Nf&}=s<$Ys|A|q1jI!_Cl*AL#%Ge`F1(;3lOjSN2gH0jx`r4F@ZUKS5
zcd9q6cc3+-4H#kPaTUfR#R`}=+#|+y*iu(U8O9^qO5O|n;gig1f+MCY?1gfR#+t0`
z1ji}M4zE1^bxX-U!Kw2OzT?+tNa}g7b;unN)jL*G@>{26lVhltFai)>*i})VV)%73
zccf)0T)PMNXm7-4SnhYL!ZE%%CDQj6br}a;K)RDW(JK|beFE^8q&w2Z@(uyu)aJTM
zs!kDk=humZ`{BA2H$oY8;M8HAl26#Gu6IH<SONaM&c4lv&BW9?cpd&D%dK!`fwM0n
zJt3L&T7bim%qi!H=)UYdtYc(01fhv{$}`+EC-eR{yX3e>9_9ev+}+FF!C_DTXRznk
z>^YZ>V&XgEMfm5`Yu^`f;DJw`&xB4_&bZ`y!usx>f;;vjb{p7pruIz6KCC<ZBk2*u
z3+54cPX62#8Hcou?--qru+4!_@z=Dm$=8j+UD5~R#%FMC67<xCZI?Hqc5dlDr^*BW
zT~0~QI$_t?I0Ofnb)HKn2mXx9GoqDyh)++ki%|wa4-5CsTGf8?3wnk(`jR8=+i_V=
z)vyn~P>g7p!4qoLlJ$1n>o)8!q*U*-TTbCyPB|<T@773<8DwOSv2f>Dxq~iU`s-NT
ze`R@k@yJ-c{UU8szfWX2)dMt`Dwr=8t(K0tZ?wAiImq<hX5mh=a%Wh&L~GbDvz$^`
zC@y(2pYo~S?^wKi)qp;KiTNzb;<fftBYpFft(jl)0(4lrcoMF>g~F!ecsFb+LV+?{
z&-x;*&O2XERHfZqB}1%hG^9sU+zB?Vs|4)v^i1z)N{izx(mM9sB7n!;8rFjMu+0KC
zK2M-Go44JQ`*1$O#=I|%@Chxa*m{B8WWgSH6hsOFU=h8H4)4XJ=nPgZ<f7Nih!0XO
zBMPah+z=hi`S?nW?qr@zE>`7lFx9xCX&q8yE2t}L(>rSxSv&@Yy|_3%ZSU^Bh#g?&
zyzGij(0{gHo)15-nWQHjwGfRSz~&(FsPY=`1bwR9U)nvOUQ$ZK-Zv|w925_0tANI+
zrEFIjYa&=N_}1%qG}){mYTy`BIuLqVH6FVT2>ASdh@uX`A)}t8(O9eofiRnLtwJfZ
z)EsqVb|e&MmM6y8*@4C3AroOM(_3671XxnQTtb&#OUcRDqiM=)@c>)CLq_i{McVCx
zuBv5xB#98SQ$-Y}lYgpTog3Ip=WOh!hHCAQ$6`4+vMAsJy2UIMxT|qt(ap$MO2h@$
z^**r9diD-Je@U(jv`8bbjX!UkVp`%*kA`BpMFZ9lor$@+$~;|}p}3|BFsg57WNiAO
zW06CN*diMvYgCOQXU4SaPW}BC`my*Qd7LBg*dFF5mJE}MF78`QhjpLBlG4?;<2g8r
z1#SFht?v4(F?EPq6}-1AtQ0n<7rW=xjPKMnJie%XAyimknfb7=?GKlzgc8zh5yF3!
zRfB0@RT^5}ZW;dd6Z5P9_GY%#Y<IcaY+8No3RWyZJx&sBEz|YhhG}1OzGz-^L+hmZ
zg#FL*%Fq7U@LHt}jtis52o5*blxf)TebMc!mU~D?h(aRu@Y8k0cA>Sya&~4GE--4u
zhwr7pe`s2XNPny_9pDpZ1}|%H2h?oXK_^ZY>tPw2>D?Wx7ijejpR3E|PncJ7i()w+
zrs&kgl%4m#BgYwwgBu#0;OL4acyF=4udbe+iAi*aB{pqG(Qz|8qB>dlt8tVyeIxIo
zv=F6N(;4@ESwF78T{Iz}_@}T2WAWsTb#a+p)K*o|H>O@1h3j|nEy@Fl%zlZpKdq^X
zPZ(PlznSNWSMW~srH%$M9;Jug@siBlPDTuu_Zsx6q{CXQJh#)(+T83&63(aZAev=e
zP|dLQ63YKnl<AeqoKIJ4R}?W17J7VlA(cIgh7w*jK;O+J#n=+^Fpq9st*Mts_EbmR
zyV|S&Y;Jyid3_SF)YkY#+pr=W1~)$O=lNNE{l?K3Z>tuJw9+6_ePz>6Vd_u_E;5#p
z`*LyCvm8yRdVKjBYVmZ+iUiTMO(RLh6<qMiq@34vM~)53{@azpB>L?V2>NOhBcG`2
zEb?b*=#{Z*eMShFzGHa&tQ*0|rkD|B3?Vb`6RIE%F+jon=90*~H_*aaUqf;)4sQq%
zxzM2*V*0$FT<RnnNowG{7qj&hb_q)QmZPI^5?^IIo=W!l9jUUSdDn6qhMCCI(~O@I
z)?Gh&1Ky#sL-8immuaU28zXhk-bJq1Tr%j*(5^IW<-kzE9TF;UBx3TSg(#y`RZhB5
zb35k!77cZ!W02k~)8xT=>vt9EYUxta4E<erO$nM5#UD=SEMI>H+*7`zSAV?tnat~l
z;+F-}3M*xU>D0x$pySRDR+Bm3h-Gk{OJFbTi>rD-C==&&(Ho=8Y(tlZ`cznOtF6|Q
zwHHd?ldfg$n(sx`4H+|De~MO8H`vZlYyVWuN6z#yFB5I<7eKwI3^IEC=75YJ4-+R8
zRdJ>8_Gctsh$w=Xx0}(D(jfl9(D#ovSSCaG`bdW0H6TfX?7pa}U`>9FAV6D~_oTJF
zCmgy7yriL0pJiA8uyT}8To9)X?G@lGpjVw{fKWX1;n7e8FR5l>bJ*~PaZg=TUA~D3
zn-VtTtd|M`IZ7NTA+>#gBJ+E6Xn`63*x~Z$P}c(YY%V_TRT&USu@}&!ST<RiTkAfz
zby0WFXV7&fq{@>|9ZT%R<%rwHU)BW2Z%Vgs6v0NIW<hXl!T5N6tqvgSZav<&cQ!Bc
z;h%!7-gNS=kKu!|GxS4jHSuwRR7lgNZ89N2Uaherw0FodLgjPVuP@7ZIOl*jYfU?t
zYT!FC%|mX1$mrr%fxiz<uZ_}+(>%7^1bF0VE)>?XVcpEkbpiuoZn6v{CQi;m2S77@
zrMN)e@gJ)xo>Mbrk*ZCDSefK)P~X2$i-6N3ohcdka9Z4bK3hEJX`UNGqP6u};N7~(
zxq67Xd(wD(R`1{)I~lutFnID#TO&NU3Auf;>{#nR(K)(7ee(8SV}0;KeK5fpzMtJL
z{%kUCXMLp*xm99%T#_n6y52zV#K)Zr>fsB{hc$x@M{>!nJ1zO7j4g_8=)XKg%__tF
z!(LWkNL-A4&|bD7q73{16n-8YPfnI4*ok46V>*N0!<uYA1q3p2F;pJ+lR2@3RickA
z3=5bs0M-_S6r}Rg!KXsJUWkK0_xBgOv8@t*QNGv%V0e6T-&mEr#M1<(s<c_D5^ze=
zEK?z){v4$b&{uSZ_{M4>M2B<|gd+Pr6ke%DTAm6sXHf@C3JLdfeV+SmO;Zd%(6T)0
z(-F_^QpN8~<#@ghb2&~DoI>+;MGgs?69jG%i4vq|it?MsrOSv@q*X-r9`zL>C{Hak
ze!>2Qc>VxBbJ^!To{($IFM+XRoLmQO&afJPmONt9b~cM^)As2HwXIE}RPY+6x6RDQ
zHTuw<zR?vof(%@mu;)%CuY0bq>WMHoBWl!~uo3r74#d;hr6#h|JZez|1-|~@oBF;y
z*j6|7=?OoB{1UYmt<PWxaeDp6=rw7Zrae{IaJhac?z`nus2x!HNDmX}h8DIOEu<ox
z??XJn9EY_l<|s=tEut?X^mY&kzaIIF#Pl&AT%7l&2PX=DS^QdYnQ|D?<|z8*q)1^L
zF^}f>QEb7G%}9==tVGc$!CvB%_Iqz4A$o}2ce2pe@4mt!Fa&J{N<p6mmcv31eX>_9
z`KbuM<LcngzL2R$3&YTdOVjtxpoYFj6^)D3CD|Sy(k}d*;P~i-GFwidc9z0NG*gWo
zVHAuLBxrg44o@Ata#N05b#t6xlxDbm!^OaYJ?#R-7EF#kd-!925_|cNa=d_Kg8{Ed
z#qHFZAcLr(PlW?c0QR?_@a1R!Y`Mjyk?2wi%?4RI#5v@os!Fykw#htEybL>pY((AB
z0eu6xd}#Zyew{B^fc@3s%XQxIgBVm*3DGM22-JZuHy@Jwu2Wrwwwr>rtS;0#q~Y_N
z+3RBU)xv1DdcR#&PN~cPB?-Mw)6BPcW(dBML6_Z@7-QVr2)PPN6^wd2^{(@(6HJ$=
ze*|;~>;eR_f8?DpXszEN(xzWD&g_OC0-~d9Zch&f*Z3c-8UpnXK0M|7gZ1zU_Ws~<
z0}{vgr~eq~2ZCXMOZpb!F%mWrsDe;$rLuQw>JqGPq^5OJ>#_j0m(<$v&yQklLOeN#
z8wLMhlRM{uKbU$A;Sbh2W5W8?%z-wa*NFh(tgLGQ!9r2R?*|WKS>6fx2S=gL=l;Rf
zV7O?1u(dDzxmB!9fG6(oO^qjT%Y$eQ_D(zbB<K$wK5vWtgVowG|G~pI0)Md4-IpZn
zRIw%Bqg2f=N#?pZa^O<Cmz2J^rC`POBky!S&_Sn;&~N%mbV5Y#rZVK>m4fu0kB{Xp
zj4SlGbB%BM5g=Z=s>VS5gAdR6{$M?Bg1tYuydV4z4!M%@%cdMs#zEAwuT}(~^2O2R
zD3JwS=0m4TG9Uv%^%L(jjK+pi1f$jE>Q4mSZe}YLm_nP~3M3<EiZYazF|`*+Kuymq
zAB6sc6PVfa{@|L|9)Ixf-s)R{1muT<egvG36z`S(F(myz8{&hYOWs|9lQ6(%*{k9Y
zf#<L+?}7Y-qnze*|KMr_T*p6nRxjWW?&D}3KchW76$rt6MH@!=+IxR+c@OL#oZ{q~
z_XpP?03H9}GC?(>Y&mN*?kb5<gZf8br3;E#5$@RmvhpM|RmROKhVUwZ^J@8;YW<oj
zT83&KhANr(YHgJ2k0@0f)T*S$<;ku_kcKiLBRCv67Qz)id`E=B_=lh7q)RWDroHgY
zRRhy^3i=jGU%ymK33E5jZ67Rk`Cy*ntFA7mQ7gZ*N8t0~G9}dr4(og9_r>pvFWE%T
z1R{CC1s}KEJ40|aK8D!$Bp}8Bg4|Rr%^w_2a86s!3c(a?P;!Z`*>3n3D<hI=qV$;b
zOZY1i`Psm*&op7@i9*tpVfINv@Kj+nDMC-eb>knmZof}hC{5oheQGQZPjC8YzV*4Z
zRq0dnmwd>I@Pm$zL%~&Qo<ucqXY@M{X(w?~yJ;N;JY8IA>=_Fqc)%Lm0*Z3+Op7`=
z{%>O}>Y1nQmUU7=jr9}uQD!Nw{?twM>ECxmh7G?z=S|4N*oYJq5w`9}C4br2W>!Dn
z*yb@9WO&jwV|XuGw=XyhHpM?ImSBu+=&snuoX%n=A86)Bx}s<x&M18$9CP7zH|a6U
z^u6Xs;(o;7X|JLq!XcjW97#I9m*9amY?(vIv{BG>QOI;r&@^e#^c6xG<Lf)jKFT8H
zG}a;!69W?$6B85LG}7lldD9fKr$A!C=j?pRs!#4+kb{s2xafoDDmeaP$ayePBsUI2
zNO-8hOcdaCqvqA}n#tth_1rUxTr=ff3dU9_8wPzA{IgtnP9KYZp0{2GRrjjj)aX~h
zVP2CNg*FuD&PR$KY7c$&fYDS(fy#JCwA@eV46wWjnFDBUArf~;;>Kz(qvfZVgHJ`&
zSH(jo!3!)Ob!QYWLsD)hNeiTWve?`z*)T@wuDh;e+ds58v2Ug@7MHP<Dapf!f~UI0
zwtrxM`ibg6PvMk8?I4ui5RwWbDCH$6HH(C;qZvHVazx}5MC63^UdPZ9c=Y_UMnd`|
zDEJP%7ptD(;`@*>sVKI*>UcR^QuddcW{<Xb1=Ww6-{uP9D(<S-9AXhI82fW#P>gsa
zT1j;L85DOUle2+3V7rp0DPQvjUIlfl-<_k`W#?bJ9W3pZ?Q&f`bA1NJ6iH`~f)94P
zQD;FtlgM_XZ;3xIaP6mfn4i;TOkX4aQ2f{mACNNe_14-#4}N|2Se1cMS%Y!L(z>{-
z`|zbRXDeHsTj5@bS-RVzf^r;E19k+yNYXpKk|u7jXx1N6U0zjtq3Zi5g>lsb3Yt1)
z^d@HxldTc6lH+UNmf%cmUSi8&v}9r@_T5LRbG)=)i7h)~S`LM@B|U>JFeZaDD)I|R
z5^j}`VLU!1D9F)jC$BlixqjqD$T<p@WtbNF4PNE52E~V!B4PE5Ito5AqaEX&ArflO
zv}yk5@V*?hZ{}5`$L!U;Ifg=xq80>t(2rY`)VE{bgdeF}{dXno<pExwEH}#i8+cnw
zr!b3v-(~NAD)YMr=&J9<sMgVCjrT{3xzup>Xce|>u3#8#2&6=M5;T5vJB+)b@?)zG
zrMr973h;l1lJ^9S|0&kT*Kq1q6OMF+7uNzKpsBx+-#bv9>iImz<@YWJi0!-1r)$R%
zw}HCuf(FH_oi+3#vv}CgtFCP4K9>wjcOt5{bMvs_Q9R`x7wNKpTvF0WyRO`#wEUsP
z;a6K7dTXY2@q^)}S$!*9xWqki(T8WYqAAtqm-zO64RUw%{f8^YMA4Aa%!?AhF=%TC
z^~)MjZ(xOS2T>dX^vY@TULlW+<ahJ4dJc$lLf=4)Z3wOB9CnNSym2@$PSUu5ok^IM
z5CV*e5BxbLgeAJ+e#Zh&c3wawqI$pd?^EVsdPVKfq{F5JPtn=PD%i`xUYI=QcNNDI
zi1H*WGP0rX_2OQHm?@+QMY+uY+v7s+J#+4QEQQ+R8mn`-0NyNnA~WW?Rl)PGyrZFD
zb_20!LNo%b`!;(g^6%k=7p@*{h9f`l!=WxES|4Z}AU4VO%Ogw37UHDy6R7jac0VE4
zbCFgeKMDEC=Ss<2E6h>>%WiO#ag_B8m8W#xK?jJTB7CAA`p#k}hbLr1qoC4&bYLLj
zaZwg4GC}gZ27g@Arg^yO$p3y?x8*c6>E}(p_AgArkH9b6!5hJ2SNr!r9)b3pc^%Y=
zQi1^f=U{KnqeA1vXPd=#uJ)*(j~>R(P8ySy)EeL7Nh=T}8xSOuNf+!bEwW;JM)ASK
zb3f3&ldmL0NX+QlKtMwQfTEb9R`S6>*drwd5<_^?$jP54V+fe}$zuwX5sf2xlU85y
z)Kc|AkB{v>?MAgS*4Ea3nHah7%sIIj5xc`}EqL!`)8lsQITvfTg+lgYL|?|FQeT-7
zk<rI+w^}xFvS@5*F69KstKt3S(c0}@c0Vz1ctIK6q{D=#Bk9QU(H^Ml!PkkUJ;`kk
zTi(98b>_|i@1UH{v7e2$VX1=#QpwE;3tjrk#&b0tlxIaylD(6=+hN-f+Xbh0qe64}
z8GMTbLK%EN8+xWz`xDNXxNviVq1MA#*OP9MA5oq$^#&0Krldl#4J&mk4QCm2s-u3P
z|H@%XNrWlll;j*9JQp6{%ouu6^v;kFI^r|i$!8pI24G80knS<;T`1A*%<+wVRnczj
zCci~*-DNaojU0yB)7hi4>@>FQvd#=tfjah+WhT^#^a-BZ2ssV8HF#w18c(1YjK?;l
zAK87{GCC)_!(~iy%XCY2OK?l5Fe#}m@kQh5=E>v7(O#<Xc^cpp&B1Fkar6pHOqUF*
zsr>bkHIY0ehq^=2yW|nuv@%d1kiy7UQYr9--#na7p#vOx8Oq@a@sfTZ7IG`9pC7M#
z>J0G|25TQzxBR3BvD<=CY&4<iJ@DSDjQiH-ln3jn@eJyg@b*3A1}RazFTsm%reGyW
zO#JSEWa0NzEKF42vtRn7!SrqE&2bCwayAf0Fh}OfgDQ*!f3aO#UL#!7U(fyG{Du6(
z@Q34%B6aNt#-q<L_K_RV+i|GkIN7qNVB;@1SZ5`JHez^8`X?_Ta}tlt?hrAeFP#N|
zZK{oWFnkd1bWyVP7`}Ld&ZAodPhP!F2lcR<+^9Y89lJ-2W{fAex(*007)mnUZkk)N
zNf1+4&V}G-g!pRA%WYT&>>&@mVu-qwg@_b?;2CK<`ox+)F2Ko@{u%tBlXW9u9HI~#
zV!YS&>p3ol7;&wt1IPN2et6q2^>f)83?GE{1<0Z?-X2~dTsy{rC2da*_xRQ^<Aq&5
z339(=j=U?p{N9uR%T-a;%lCKi1IHNSwb;4nE&<op@3{Aav{~~aCf;%3-X71*`?|KG
z6h6U?k0g!f^p6|3CQ^2JNPj$$j|L}!wr^Ly8{L#a6Y8K|3(oF0@h7n97jY!K$4&3U
z(?9Ig$1_|>4>OYIKs^GEiF^gsw;S;=g>lDR18bs(c*345@EFESoB~9748!K;%;gd0
zDKNF+Am*MSc6mJ2TNhk&TctE8MKG(FVwmli7MqiqE;3i78%N0!o0sDdKd?WjI1@f_
zJs^3&?^(lY^v}|rfO=c&&C)m0Nv7^gWt)MfIWkh;A>KuL3Ooy3CvY1wszvAcYqx87
z7qwP$eOcDB2F@i*6n&KdCS_BsXsBznR4^&3tK(pK-R<ebw7WSDPlTLpOg#DObo6~q
ziuQ%S6~C)HuRGTpXZ5%nwRhRKYK7r3AjW}sa>uv5l1WVo(Y4$K?;Z?%Zcu^t3KG!`
zT=hTXoG2Iqq9Wuf)H_T_rJf+=f8$m%<HD`FMrJe6t+dnyJ*WFQr7PnNl8qkFqid!k
z5|eUbBI9Rb`6+Q5`5ZD?0x_R1cO<5ZM_SmYpL;LobTPUirm|#hah3<{q($KywpY;;
zyTiNeCe#%HGILiJPzGL!<aLeVk`x&gZ&H2o2Si7he9r08Et=W!BW(^QnQK!gC}<I!
zYd}Dx`VanKBAI|_?$Ef>9QPumtS<b6be=`#0M2FREZif3yUGb#_d2pASHiWuO|J+w
zM@9W>yd>tm_wn=G(<+_~k3>D@@w$l1rrDMZsc_2q^m>f?5r#t7O=Qz)mYDY4L7^A+
z(6nRKc#Vlm{a&5;TTGhBI#o1g-}_9$kTXxQn;@V+9oy;^(y@)e7d-BX-p!JzvxH(-
zu&g5nrOA<HSxL^!Enst2$c>4y_d5%Hz_%p#=qn6^72M?H?7xY|og0?HYokgVBpGyr
zK8y?k_nIZP>1+9BFmX&f)9)3y@Z%YJKW}%_s6)7x5E~v6PP@vkwk&DQ(iPl>tm6I$
zbgGWO(2_8x9T;VRVyd_4<@knR!FU&Kbo(BXo=#DW0R;E#jk%{xN?})o=_h;sxF>}&
zo~<*cpRzM}<8}(zpkGvjj5mpzT{PFGc~G2boV8favMDp#dMVYjhKUw6;ZYColii;K
zUzWKdJGw=vbf#9FQyhB4xAb>=+qMd|O9HkzKjB(02`lGeHE^NE9R@jWMXb}>;~r3-
z#K9|jWFIDSh?^kWxQm#7juUoiDGrU{s>q{Z{#F%K33uena0m8-B0jAqEM<cXn6nOz
z$U4Z9c+&s0QC$4|T*f0VVCpOzmw6WX5TP^+udKf!Y%LVH{Bh}0Ibe=%s%pBb>-6<U
z7|Xu!z316hSNe-`-%|#5$_NgBeYdQ!y$)V5yr%Vpu1R1tWK5@)CQInRGS^v=S==x9
zU|2mu{z+d+-@soj-Ss1XJandO@*|w@jZCXtT%u7xP-R@4Q3#}{2y8$>!Gym%N4HZ{
zn;h6jsDhs5yuG|VF{ZpsI8nqXG}jDb6;<Qmvj)6SHBd}QyEfu4?^Uxt=xoS!eyynG
zJitGNk}sJlyGoOyDBlSO>8`(TQ1oC)KnUqR72U3B`%q?hvX#KrSVWo<!Me+&K#Rqt
z5<l9!e^zE<y_9GXwrl(&oTXvMo+hfy{oC%)s?pTq<1_3WFPqh(Al1InH9VHMV7rf}
z4^PJE4{M09G6yI!nkIw2#!1wtJI@zXPrCW3j(pxVNBb-^e9U9B3-K%M{X_-Ywn7TW
z%k2v<$8Vp%)rH&%p@JAsP-Rr=R!6(cM_v~wbI{~7+t9@K8)jQiNP$fdfEZK==er!s
zJZdYgixz}{Ao5|`ftD=Q9vuJ{oYdt_8YziUPp1$G5RhF=F6&ma<;o?S*2`;Yky`Yl
z;H5V)As5e5WUap)`$aHnA-hZ^Pg>xzBx^6BTnn`XcA{(0x`#t%w^JVxjZw9Y3>ZUw
ztzC!`t+226VTJ~o4BCS@)y|SfmR+`|I$GM;e1LqKFjLYr9b05DLs3Tdm&q>3=6YH4
zXn1OQ0FF8fb8XPDeX|1}wKlUC9D7u;R%-~l{-x&WTb}?0Dw<^vUxl?btsD3H=U@-I
z5wAd$DNzbAL(lT3y@C->PhHlw!<O@q^7883_xB<V;bi5Qp90n`ool?ggX2<YoCI)u
zHqu+uyCgdU=7T!;wSTVSgaWodGscQ4zQq1=Eb3}rsH4Hs1*Jbpv^XHc9f9qU>>los
za>dk+dM5{1@^vnA7W<|?jKC*SH;T0iKiwk>9cp>%07@APM+fTeQ!$rGhnS|4u~4YS
zf|!b3i?srA`9kK@0tLFxXVip@rA-k7hY1oE(uLxC2(8P?p^Aka-9SdJNeg==qkLi*
zL{T{>_`zKB)35OvVWkw;UKlRbPA58079^yc4hCF0bSuhn^l_Rj2DMgTkr>iyefjA!
zYe5k);R;;=CrT=63g%JE{$j7Bbwc1gn>{kROT&#^m7@C-V$PW46^n~3-JG`j_BN~R
z#x@H>#An#vtG4Y9IyeVd1|q0|Pw*H1{2Dj@GXpcaAe>(<>*^ioSbe6$yJ>YNXbwcP
zdE`O3`0nDkvIaISC6DZkAji@ej1aiR>O1MO7>ymf>2WI2I+d9MFz?>izDtXPjatf!
zA=bjvGlx4oq&{=EXl)-26r$!>DVMfvYAwaljy2@_T)9v8OV@{}2&|~RmV;{q+N6AU
z4~GLV0>Q*xDMgSA&L1-=%c&0Htgg<HE9*n?f{*q1Z2(sLsHZ0CYMy(`EAVS@-Z;Io
zLq&mDyLX?O$28Z%Al>+!Njmwv*Hjq+z1rj(iB_mw9ChN6x_HX;V2fHyQ47(E2>#<{
zq_F(_v2$Mqo|T?suDd3%FZo0c&MifNyg25R9i}^%N(cU<vKQJ2XKp1;ieOL|je5(3
z1^Hys+M@Z-Ns1P}E^MU)#)a@w#kfW=?nP9rPTa+7F|L~vVP1BhQ_cGYpJ$<sUZ2$#
zz3xbC)V{GydeDxkw80x4Mb*S(PT<l0@XaOfa?Ydfg;7khW|-Y3immTf;tPo7K85Y6
zF&eSU@UE!Q7jnYz22o5=9~>=oFXqqiLT3e!7S%3Dt_sT<kKT427n=if`F7b&shPt$
z#M*(t2u+l4aUCM9wC-M(T3eN=YCRdkf<mZ=>r2AeH}TLr+SV{WAJfJ%h{3pWN^JCj
z$!iHTmBCEAA%P`fVnn&%FbLIYfw!UadzO|6!VH=ruEZw4!s~j)zRPwIp;+}*n<fr8
z&FeDFq|zuyZ@R=?ZE4%DF=q3ylYHB9zo*MkV;NwsQQN(M@{h{1RbV{Wo_6+a^4jJe
zfEIm^fQffyJKd?pY<x5yd^2QVM38Nf^uy57#PceAVJc)g>VmdJ0q;<RsZSJ|GXBDd
zxPK`xM8B>%En7ln0)gf(H5DV2=BH>wDxn&EpQ9#9Eao6ZtVG9{NuYPA$K3}t0Pg%=
z?<bTf`yZDhp_!SCdzyQOS>ODc>p-B?PNfnvzPAnhAHu#VMi(a7c07BJZQHhO+cx&t
zwr$(C@r`ZUwmtX1$vMxbyOQp7C7tT@OVvu&Dn^1NeVeGd8z4g-6^w!~T5>X|fia1c
zE?lhWKohxq!DkE&;aWQUA~nPv-SM)}rS9?CBW=U66oD-exgPSu9ps9w|1r+}+^@T_
zn9S6(81+7H<0t{<q0^;j2;9}>lFJJvRzoiqquNTrW`=SxAm|VfEE<sp`Lakqfe=v0
zT8aROGMv%nww8=PkAsP%DTQMSAL@R-Uo1R75T1c<hhC)|TAs-p-hLOMVeI=qRjNxC
z=OoeijW~Q0PQBGoB<=XSs$6keESNMKvi?NZXR_;Vn%pl+h}}RrQRpG)ta+=xq`l2I
z2Y05|+{3v4ln45-7xkwF+qKzNLz$!RMMK*M6hRA<%$CV$JSJr(g(i_E9ivtnvuJ=8
z3W!(#Sv#NL%noW&Yp`aL1te+NTG}CzN4@p8#^T#4#gl3=DlEdg#Gtezf_FX=52CP_
z@tNkhbX>)iT+gJ6@CY`$#Mly=%Y+knZ6FF74WJ4>S8V*L1^Y*AP!6TI=QpazpE9NJ
zQ5FIfvK^Cvm$Tpx^w|Vnq3hnvb`z}}NFK@B*?GeK=~w@g*ru<+)<jARjyuhpa1(&~
zdfk4QC~Mu|J00k?o|Qe5>uX>KC(d^eZf<Vdck#j6cfY};WGhdSn7x#ovk{Wv(q=Q{
z;>M~>KLgwD%(tfm$`H{vK9kd{ZmkE)SoU!eV#mactk@%rkW&kRady~JU)hAAYHiKq
zlbcSAw1^nSCo#Gi3BrJ!ostAj8Q0E>v#%E?x+UsZIW?%WD3zSwE3eWkcO0O2fv*OM
z&w*Y%Pl0O>4dcGDX;RLtZAC*CH9ue_9J4Q0*mB>}onzkrA?;ge%LGQeri~uHCnoI#
z_UR!HR-r=(@_WXTFT{<n1dbIR7&f<_e^?{c5;`NyChXx#fzV#p23h>B9;J5{O)E2_
zpQ7Jf(ENu4E9=)=boPofCZ|om-H-low1Xqu$&b!+HS=+{`(*hz7i`R#9Iknb?QIbM
zg_b*Hq6Jdy4FqGK#zU>PCA7QXwJ91_buYPXSuLy{&3~2_+Z6fG%HFFRDP-X^*3g1~
zc+wNcPO`alqhGFIC-bn5kR1os9>bCw`BPVi)$3z^?KMV^12`M@iHumWuK*0cufbD!
zZqaUXM2HP6tYv;P-7b5*z1~6i@H2+XQ!2{FIN?j>#aPCuRA5R{#?v~ejc~p{8QWes
zZrPtR2y6!n^kzNI)HsU9OzR+is3JaC0s2n_DT!&4CMP#Fcl`2Nqv+LIKu}D~Qy&em
zWy30&Ew-&m$~8E4hUFkzgHJ3K!xC>1lCXZ*d1PdIi8mj&ie2cCVZe|cXvDONphSqP
zSjSnxz@ELKLPEV_<UDx$`?=Vi;bRPHv8v-t$&og2K*}a6LE5$i+k-$>jG0tEZ@d6E
zNf(oX0=C+{wyU}2B8_ckiELA|Wh&dG(5I9#D=2)zj-lfsw>QiDBAvjDnxii1s+uD#
zYu7&tiRP9xGQ7<8^UZgQLOy_wM_|VTnA7oJv**8T|LgSLMVbczV%Sl?=X$S1-K#nY
zsGB3l--Vb-h;*WgHNC?!D&+8U*74K3Ng@f6-Vq)*9`D<}m>zb@PM-FtdCOYJl16cQ
zV6xR?L@80H$m8m3_Dd~d-Tkfm8!J*}%yza^l&>6<udMe}aRt=5mn_<Wcor^LRfmMy
zyXqPk9fgXtpg~9kkrF<}s+I%dkni~Cw{MsEMYN}~HXO<Uv4Gx6zE|2HI+t%k1jduM
zFKaF@`Eaa)drqhu5_#C1+5gC>?6!6m<rKMm&>8%1*TZ0Cw80P9qxTkA`Lf9^wlkRc
z>cSIjiOh^T#Mfidt!jpssmVEve`v}t3^6AZafXqeAJ*S&0k9C=p@j;g_x{)!nX0*r
zfCIR9y}25-N`ptGy5g5IjF>@^6;2(ZOXsBsMDe1rjYLOfbF6t1%1`V9Fi9m>DTTnH
z$a(`=$3T*?0Y1Sts2ZuA1y5-!(2aPV)lRx+Fi)a)_shcy^f~Bp_~0NAH`hy#ipv5(
zPR*q<eCrR>v)Uy$<sm+<AL0(`@79N}R8Xa|EpGs!+KE!4_woi;ItD0Em1t{YzYOs_
zM!v;^2v{>klT<Hv)l<T<$5Hj@s#@Rpc~WHyMEb7D<&oN!7L8wh4Q0x|661^;mB+8~
z_$0Su2*GCPz%zjgO3LiSd`+oPHcCvaVvC^UJ%0$e2G$J6y<%@iGtfC?5vO=>ace0%
z)NTg(z@3CzdG19b%aG09WLb_<JE$;N0zHN>d>h;`iuG|THtA`y3eB`cTWo$pS*MO3
z;xsexu6hX#VjJ|(5aGZXI<SzA0T-#^$pL(D9|Z|va9crn7mz8_Kwp~vwP2!d|E35L
zK0zcXD{0|gAHG2EZ21RLpKAGkGjIMz<Nds(6aD*aG=sEIBT?C^c>IjEDZ~v=RMan8
z$ZAHYn|j;DOrQo8{!aqRUFB*pt}$r&Le0lW1|U>GA;DJdPxk6Ra|MPM$bq01leAF-
z_-c_I*xDA004UK~6lyQWO5Z{t{9zl%fGwfG<lqB*id}-cFerVsHO}TOwDjaKV4OtS
z-W_kHP_TIs1tA&-NEN|Ai$XPEOGw-TMRW-i(Wb}?Qa9Kh6=8b8L?jtD3c<wUh=qY_
z5$oz^&6Gz!?Bar`$z(t{S}!ar>ds;RTEWugn;qd_<o*I*aKGQ}yxa5X*3-}5P~5eb
z*B@{3P{)FWG?qQ~=fxTs$EQ<cgTnK0pv>qU*%?rY2xp7f-c?NXx`ZY%c%|TgU>`gL
zvOxV^Nkmn=vUFJq=K~p%C>i3&aLgsjMmiI8NwqQ25$Hu?r(mHYoc*n_Pub8zmhX<k
zmQ<v|%E9%eFWRuAprEj#)&u)WtlDp1So}{k*OnFFe870Oj<lgL^NY{*VZDw(Likcf
zghGx>c%Uu{IIwu;uxfs(G8eOj#L%84x~aLj*pqm0^I+b~J5DhtQUTY63`H6$xRRp+
zL;_XN(iYELbF*c6gk|EWOG#FC!|gl<d34CuM(T^Bq``_~O}yT)A>7!L{1SzB@`9z@
zd`2XtqC8bDWwBK}3D+M#jfhl*YmQQQRTqRwd>-LJvP2|q#UOGE%;lh435{Vi&bzj1
zB>etU9CA%4Pz*v=DO5J$lrL^F_D(U>3JvpRQSX>+ZAO**nIfJT?*PB{zhA=4Nb_Qx
zt!Q=2)$G;Gb#1kEJzY2d{>uVnmSk9DYAEBCS)5?YR?oWL>mwY3F@s7ZPV9u`(r_Ku
zua>8mXqOnd<~eT?rNFfApT(#UJ1gWf0Q(kzLc(IpX3T5Bp=FK0_S}#}fqa#!)1Wo0
z&|<mEKSYSaLZj7<isB9|3}F=C`<zl?2uW(j-z;q7|EPF*x?lHK_5Iv$8Tfo|!>ZJM
z-u5e(@e`S)^3qmzda{1LZkycFR#N#kznAxQyL!1)?&p8dStw$;!qxbgkH$U8Jmj9e
zw?15|T6<iSF1J>cmCZ|7;QYL79BuTjHrAf+yBf0^xl7bZib$;@&Xr>3Eojj5P|o7=
zu+q_ax$PDA_Sa(9?2K2A8#axKMddA_75#DuF#fp9-#y17RwC1urd%W)_i0SsI^x?S
z^hCV1=<%#Z^{8wGU<>GNt*l5se!7w<ou@5JH}dQsHNQ^0)g8<ZXSDMWBBzm=A1LCK
zr6b0Xs_fuOH!Bd>Sk6OVGd2iE+=~<{R%!)IJQDWVX-iYpWDkDM>9h_GhJkQ{&_ky8
z?`X~koGBzn41`>hn-~7dDgSMNXQ8phu+rGBFB4q6b0KFaiKI3<N>UkjbmCI!z;xn=
zA}*Q-AP#e>u-ag>W1p#lY^_tY<Eo4nMz#uOnFdL4##AQ!qs(yeRI;tH70Gfb4dOTt
zAUU*xKVWks3inTU)U70j)}vYDVR^&#{zXGwniq|bnj#YzFkEf{r-a$#R@L=(iH<$=
zx%KXKu5arz9f4uoS^Q1<<$3CgfhNnD_gXH=J7AY8u|phfTZRAX=58Z!<2=0%KfQ~@
z^wI@r?#q2xV@?VRpZbT&4g8*-*CW`-1pPV-w1QzRYWRy7#+h+J64A2k;a$7Cf$l2v
z|8T872V`}vMzg=5OhTF}v^j&S8_Qy6mqN5=1z38;)sna@N|^nbDq4gePu$adpX`|o
za*KL(zP9jM{>W<mUTNFlyZDK_v~MfP>XpXcIxN0j=asW>aKQ}(W7;o_AP8vgSSn^F
z?k`{&zXK56q?X96jUF8`A3`5WA5<OOj<!T_#P(qjH9Dj^^p9agrLRw%A=+9W4U%Ja
z14QEcYls`;69M-!teitn5Cm?GU_!Z4#eWc*Q5zf9u>huXx4B&4;Sfh95AoevW~Qeo
z(5Q;-s1M(pd;dIpL2vYI0seZ_xhL^p0{IY)Tzh5#j}mwf9jEzW?w-yPSxdbIrp@~D
zzBc3vqO4qS-G4>w?Sqv-Olhsbtj<12RHFSqxtX%@DUZY<_AyGMQm8x)wZPm^qQOZe
z6bh88#jam#B^M;rpety4aPapl!P<cyah`2_dM@BY?>N%rC5{{;45}6n^qBpQzhZ6N
z7HQ-7de82Dr@9+@Dk8)>g<zkbyFU*srPWL}zTCG?N=|oQ(v)xHrCYssr@!ClKxU{X
z_jN3UdX~>~`Woy{^+5sly>>o+JAgc8d@1^yKeDabo*#Y=`@CiPD>B3kPC)$hpkFY1
z4vp~M%;ay;AOg9f4$v|z_O@6-9fyaEgd0XQctM`na(_C5seTGT;R+7uwWxdx5#f@s
z&cw_@s+PRbsYiE=uhI-ES9x-Ofcn9}xv@pLvUZP)dyAC8wp5MYX8rpp@b+|IRW_{4
zSH=_;?SbMt(i(N&{iwqj2KP(cS=%!|>mjJAPs}DrYS&lZDv=(GyEEzFaSJEySqgl~
zbyF@cE<WmZ%uUyW`O$y~>b9%%qXMa^QS*{uDfb)#AwLR1xT_p2<I(hrokU*K{}r;u
z9v?4f*<|r#l}z8a@qU*0ZTujv=3R5jcLH34%uAY?YOmX5?`2ZSM$o-{Nxm1FBo|h_
zL@aZ|-g!TG`|z(%e{a4Qs+J$kz37G0?%Cbl3Uj(=f@d7^u6qWakzbW=U3Oe*S#PFm
zA-lPCH+$;ZU)*a1GTxirYG1``MR!u@a8I8-l6Ka2fNzy<t?FX2N@|jrBW)X<&1{gn
zo4QR}-15>WQf*GgE!n}j2oa<<pAz|U-Rc~hoOsKmiw*yrakFx7T3a<gmRJ=i2`6K5
z%1Fa9_3SAsX^}}~OzH3VlgbvJi~|)7Str7ocZ!9IJh4n!VE_>i+gS9&vb$qp@!-uL
z)<`U-v-m|ZtnMicgU90I3tn;4^%saBT&~|jRiOsAK&bx*Ivf<WVVRg}R*0EY_Suu*
z9wL%4{O}kFdB&|uqnpWePtSOf?vPcS(tY&7d+}1-G&m@2MR5}1!bK5MUBh;bp^t$M
z4o6tZ>o^3rXS4o@We-&-4Mn|;${S}*9oq~~@S)V%#>K4V`%;%>+9Jns{B?f-8g*1T
z(5ARmUWM;46kz{{Q6C!xM~wupx}@^xygL%}ky?Iibz?dPUgA%|Q3-~5-Z6ipBh<fz
z9uxxh%A|4HFf2wN9oD&~vE7ZUnx<_LU$-u6n;1m~%X0q){HnY3k7aI17CFMIC(O4{
zi{i}`Jq><=L;#r`m1|5lMMv@XzcWjJMu{XK*{u|c(yB!2YZ!(2Gv(wm?0kax)?6v<
zc5{nOO9#){cpd1FJp>ZpOfZWDflFA0@I_|rXPH9tyXb<Nc)vWmj~sWRwbZ}^F)!4x
z&D2v%gJvv|lGQX=I5eo_8*lh^0II&QCR0U?YWAk9I4RVN7iv)Vl73IeQ&rNQ$$vP;
zOVsSB@cWNG=xs)zxb$bGMR3yF<V^d4h0IeL-w+<(wcUBYl|M{c9*%C=-;^2PI%0|}
z7l-ONV-rU$&3UDv8f{+>o1{>rs?V23uFojq%ak1O)2CxEvDFIclL<MH=KL=_FZjnl
zR$|uz#7u~=a;*lkt$f&HC&cd-d@HzpbB-y)`3V=rUC;EE`YAu<xGQ)w7l>Rh*hZ?)
zjb0yb8z#luad)uO?VJm_wGEi(Ph>nwnV<{*WyoU^(Y+yzJj|iS4Q5?9@+H^in;d!K
zt2Q`Nhs|-U8Hx#0n>X5Lqd!&xqqkF>|76g{DH~<Qj~A+nte^I{U5?yT)ND)RVpVu#
zI;-qV81mEuclUBf<R_g}VmqYzjQ|oTZ+Cl*2>??oFz|RYY!)W9!kdvum`abF#JC!}
z1t7S*!ynO>q*TkPZiaA3=w2C9ZMk~dV~&5P;#}Igs#THjMLI>=wf*qc=G}{KvR-em
z8gBXa!&9VXySdLSr&oZjX8kexZp{29*SiUPT_3G5YSubGH~q$r_wh%yujQSM1x%JW
zYll!Aot(G3$_2~FKeULQgR=j!>X^Y(Z7`><Xc?LmpE`KHaerh#Hvw(~d24))ekflg
z-b21521}c;z=<t6)AX%5x^8ld30O515St(W@p_<b{95{uzm|R^6;4s6StW{UP<5YK
z&ES^Mx+2%ww&Q9oAjICLU1wISnNb}2YzQ_y^LC4K3M^R2%~C!2?&39beFR{0?zK!G
zQbQS_BnwO|EW=?V8g}(n|5hu`wl%|$IcVq}7HgApbh^=s-`7omR}@ZU>#?n##;`EX
z1s6`JAw*amMR1Ys68Wp<x!E`<Z<hs~b)J-t*uyjv9@HXhnf*S!kmLJUTDU$e2^4qP
zJDuO1uG)<P<mEepG;zjWbys(Z*HYUP`?^mWwX?ULa>pdM%ko^lM{kYlL|7}zzW6>P
zLLr$^0Mf_7^Tllz7wN)iQyJYZdJ$0)r6RgQiA1-dJ2Bo^A1sc^_$jdvHHkJXCB%`%
z!h(gD{1X`l`DZ$pZsW2i{&+F#fZL(mxrV&EDyzc1bLO4=y1HkAzB;uscDDB^vb_mC
zP>WO>QEC661l~7LnR@0G3G<QjV>3tS4$>{98=o7e+NpDWg#!+ss>-gCa#vK8>%vV~
z!`QvJ3qe+~M-~PRI$1YE8(y@cg03<U!zfw<>!-qc@I->!*Ms<$@u<qpGKJl(Nz+<R
zqsoZ%Ob{EV7<PYIF_>I3E?3ou^~+)|KY_!h!R5{mWA*c5bcU&SMhiF!t?;FB7Za)-
zi|hM<xEp~y7%f)I?d&*d{QXk?X)S)$`KJCARAFuQ9fwa)te>$al{}?sM4OLmJ{&7s
z+C}h{qRTY?=Oxvkwq3X;UOcl;o;f;pr~@xk<9W4a{=<)&DAq*|SN$OJo^Tz5-<lWO
zYu``bd*f^1PvHCABkJouTk-4P%WwJq%w@S1q|J^Or;x|&Q;*rd)r8pHRiJTR_)y-&
znOj`2#+9(1^^LA*=Q5Y7Qit;J=db7Eg1kEY&+?l*jod{RS<A3Mmw-m|F<~{2`m%6v
z&L9))ZQau#A>omzdemtVJAzV~R}O!5XpvQM!}<U0v}(11Z{~<HF`(v537NGoK+=OW
z537)~+m9gqr$1PBM&VA0fCaR%M-9%TyG7bsvc{&h)OvWN7aGMOLWu*f6a@5<`8)nU
zxCd(X6se!L9G|1m#JOjYIEruiVl!(AhpXlYI4jZ4wvy=9{5P$KJ|^y<{iWvOW?g)d
zmzTH8tkhhLSxc-*k{N_B!?J-GZJef+FoBW4&?J~77>Hgn-gtE8IW(_MJsT|Xl=Z#`
z!N#Uv&i)`6ojxLmV`T3L>z`2gHAWW4-cSVMt%^$=i_!S>t&fMkNKvJqs``H;r;_V*
zsRFCgA3d{WAE@e)&FN(|a{Pua*a`p~`m);9U#83s115m;pNhp27azM6_RyLtDjclN
z>*?(H@8?SZ{uI2LJd7G_U*qxO{$TsvNSdD}KQ-+y-?zc*1tjy^#0#pXrIM|xhYgi$
z&wm62^`*AjoXw8=$VvLXK!u?@q8srmH$@oJ`y8pFn#6G?h^kF2w59_T2YCzmH}itL
z5dNw!8f(O_g7ho-(VMnhsBhx0*9kuoIZ}CZ+LYp3^K%KH{{XDeAew!f2_W}mixz!J
z$U-VgFa|RXxiWU3Fx{)C{XLs;Ty)YjdR+VEhvofpVBJ{*A1<8wyVf_dtB{?(NtyKd
z$&_-BEXy#<zH=AkRXfjl=cS=g8B67?2-f$D&EYD4Ctd|<2nb4&w(-d$z7GAB>$HZe
znk*j|2MG?R?jSAsN~m(?>CrJQ*MfHqK~>KA0BkY|TkpGsd*B>)zNO;8giHzBKP7>C
zBm>KY*)S!uxcE$(ejY1%v5pxJ?kJx=#v_p0qN=9VT$NRo{$7m5+tipi55oZ9BVl{i
zo0?ieeJ+jUSj4O9BxjMg0ch-9;ypL@+FV!jOM1ihyKl#zoRCp=8~5z52HUiFhlA*<
z)6F0ge+|~YrdG5rzaQu;Ik;K9*EQoy2s~2$nsD#A_1wS?L!u9bdpt(No}H4qr6v(E
zqwwpHBWEw39iOSqqAE`n4k>e{^~X@J=V-O2aT6L<m&&d5P8g0%*i4CL;-f8f+G}RO
zI&wlcB!9)-n=`=_=6|tYxdN`95h@X)ZOOLagB_9)21roI5?W=<D58Wlv!B^ob!(>A
zoL|At_b*jKrB&H-Ia~_!BQS@Sa5m4Qp|j-`A<HvqyRJF8sIh0FRyQDiyBrsntnswD
zcat)<J^)ujBiwaF-@}&M(i>wRpPw}$)#iM-O)f9{ocC+hVeD{rrBQD&6%mBMhtIZ-
zM1I3}3X(Wo5slq2Sb?qSptgWQ$EO87N6)pz)W&g`b2T}jYqIKOO14r9G-A%ti!4=K
zC}vNIf0o4d#Ny|v)w9JJAd4gQQ+y|m7(Rj%^{i+bFm<cK)EBv78h;t*nD1L~a&mLz
zG$$m~C998MX?%*y4^U^a7u5ElFAcs_L_6RXq_gM0M3?KQW|TGFl50n1Np8yG5<BG0
z`MurWLYZla8%N2T|1o63xjZ5)$*R4UKG+_$Pc;lQ02q(jr+uU!%Er?c?YMjoe^ejr
zU*Kb3o4(u@xp6<YW=UR4{I1?A9!=X4oNQcn)3$Ehhu(ExizJ27Wni@DY!hhLe~;&&
zV?|t*Trst-G_W*NS#eyv<9V+QWD(6dkpG1{huB4Q<GeFG2tL(eHlg%zPvkSCX=3OR
zZzuY2el$&G?JpW4L-Et_;&?DT;xF``?Mz)JG7721o1a9)*H^LPtMO7Xxu48TN=Bid
zh~lj`5~}3N7Ns95hXDjnQihhYgJi6)p~HU<YB@cycxz(7%&B3a9}zvw^x)dY76%@g
zulG$eXn$yrwL!E4wS~|m14h4<I>Hb|OPmq@-A5N7Vg3wIwJ1zyi7t+Xh{+U(8t}2B
z$AAqaC>@Id#pMp_G{U7TnVp0rXK&<gWN>9H6f7m6BoXCdXC(3`4pgX=&bCau3=RKt
zy9T>0kAm)KZFg;->EuAq5YxHumSzO#%i7MAu$<@$?{rU+wj^5~Q>Auj=uw>3It~k-
zVs}|SO`RDf*Z|fIgHg&kj8FuE*@lneNy3C9#fV72lA4pJ&4~7+mGCAdmokp0wVT$c
zZIju|G$1F$itSla#xpNfVdjE+GQQKZp`7@qijUm-NKbmrMdl0Sbl93AXatECRV!K3
zI^As-rV_&I(rbhOM>SC*IO{%ByM|xiRR=C(0Q<5wB8=;)FSmiE@pSHMB+cREmwov7
zAP<>_sIgdY&$`}`YzE_arQNM4zbKx+>5EH#WwE4Sg&8~!fnS1dV6G6zX5<M9wh#e~
ze01KP2f~#(09Q9+-BR|QOsTV8ny+Bx)sMeVB*7mnxMTsaAZrQvGKl+O$&HZ|3c@5%
z&!Gx$YJfEx8!;0bT_u$Z36uVZs^+Rp@c3ng3Fwf&mq1L4sei-_Ype!TbS<3FNx+2?
zLBcKM$7nBvIm$zVv^erZK(*SXpw%t++tFgJ_oZlcDng1jsw&|3!z%?7p;C&^3x^^U
z#JytQq=v*`Q1kZ^FHmR^nMB+u5yMO#S>95#jKx{`h0si7fS3}D#vou+$Uxw{>w?Hs
zWCT#-tMXGzM+eXkhREt7IZ}rHB9RMZJ06Jq@i0M+)G_t%k3cy7PtOT}h^yIw_4E+Z
zA5KRrmrZq`f^@1sC-UvYx-3u#S`m-+*Nj*}xY;;!?~(}djiM0X0|yl-aa;jk!PVz-
z3Bjc>+TY*law(=ZbSVx1i$PZ^GX$k0;v!T(z|SSQbW&7>Z`g)TVib(Y+ix`k;j^I?
zfjb-?+%5WW<{He+a5EmLyGYZ+<SU+GNV!M<i|$N3MdxJbdY@lMf#&=p1(_j8-yIt@
zqdm%s*aexScxdM18o-h)5H6+K@DH5>a7indw`3niM@sTj0gV0l2tAcj$-wau($CZ#
z6%W@WpHF$^IP4NU8h74@{-$^R7|;Vawf4hvZ&{&Gq88U@5r@4Pn6Z$%f_^Sx3u7y5
z4Q?%N4QVZj4UR3I(mYIv5QmZpC}vxCM79(MCJ>rDQJ~vpFf=+WE-gL5XV@HJ3J~Q+
z+*vWA?h&_@3Gaz0-^leZE~CzU!iUl$pyjtJD%23wy%z^j8uzhMYWXQ^rZ{o~%gkzC
z(*>-5>G^A?JQy^R#lb3j8#>9RZ<?^l%%3`SXiQm#{ujjhwJW8IM<@57JX!u;@zx~+
zw~tI|NtMobE#c}mot*PEfE?9J0nSuNCcN1wyxIIuu3xKCv@nE2qM#@bei`Oa+z@|k
zUW}9a@aLiMeb=E*HV-oS>=0p@E=2}Wqg>OR$a;XguQu{YRx3NMCD(>?qvR_WI8Bdc
z7mKEa5*_7HW^yWJM`=L?Gw^gKsKt$tz;#sryO4P8ICo3_-?j~YqbF8#0IK{e>wam^
z6hkJIb8GMnXkKCt%!PX|w_Iophwd4af<9#s`pB}Nkg_&uDvNRvh7oV~rYK(i@^L7+
z4oN{2iE{$IGo>i?!4T3%q?x;J!aE%T#Jn7<S<GVDG@&@Xt#PaDu4apOrqzx#L~!hU
zjD#~5z_=9A2yE{!#^i+YO8PDeOuoRJ#hum`Fb=~9NOjp1dcO(-F}=*(wp}HP9>FpU
zvAjvR4F6CBMK=ehbT-IxUSyKE>dh0P5|D&AIxv7ee%WPQez2=weX(}X#3`q<QktEU
z>snM%Zn++7Bv?EslQEu5ZfQw3Q(jLoNq>`r;Ze%;;b<j|XkLOKwTuC)COttlfAE&n
zRd8q|y2n_FO-)-ntG)QUYS6<-Vq`0`7NKV`OuaHdg@#jgnCepo0dxPtFqnAbiN}@7
zm*|KW!5}U@HW-8I-0~rK@|X^Fekr8hgerwkeu0`Pfb7ttO+_vG>74N(cg1Is(l$HT
z7mH*d7dP)Es6K5~edI8(KWm$Afi;GVG`@@`>1^8C2;XjiY&VzyO3{ou1xxBs0jsPB
z)>yR9jOslux{3-o@J)QPUBb9sLOWQv;6!4^NlVeX6gn!1c>1+}NP9E4#|+UDYeNk6
zoZ7rrQz03gIhU<vzSNxQGIfX9dof(YX>mzmIhb^i{T?7$i7{p^JDfi`gSY?BKlMNm
z>Z`%=*l7yyTkz3vllwq>CMdV9`}Pe!<#+x?{e;<P9rzZQpE%bZ#|iKCXMDEjkW=G_
z?@|2Q;W5wVHY!wZmi0L90*{^7?ET+5a(6+NX2~s6U4t&MYv+^Fn$=whXOsX6rP+fu
zClgmB#}khe7S_TvjW3<a6vk&vwFCVSSok~KJN3=nmA~H-)-L|OEO-Kk+=68PYhWL=
zcS{n2q&87y4OHibg8pa+OveOL%qc88Y+lD>Y|~k4U0%;O+|<t3W5#5k%V#h8&vh&M
z-A&A|%VNx}p4(tV-R@5reVxu)pY@<>9Di(j6Fxls!A;OdL=g^Oaq(=hoal^7o@DMs
z_Qd(KuT!=Mn>T@X`N#E<*Yar6N4$P`*|%dha*~L33gK5aq=3R-k}oM;(VF|h7wwJQ
zIKO4zN%ZXN=X`A{q<#O}=GP5>Kv5mEx<AFgDv}nQ>9NQyx+V!U6HPuUCvH=kPpq%i
zPj5Z?NIwu}Y*UQx4Xvxo%+AgFnDVYi>b~OhRu$hLj(Hd8Q5Div9xCrVf<Pb%VEl!9
zd1YI|!i|TVstu@>(@Lwr`3rXvJ>+Vb{SOKb)dG<}rvomc;OLmb;?6n^?qquC$Bhln
zC{(`DvC`GD?~_Rl$^3}R%c+Ckg>W*eL5qm2MU8`)TpmETStQtuN<)%J(?*dT!{b3`
z!(2w_hd~#X{Gy`P89F-J4Ma=9>bnA~thdzrFy^*BPwMSfqr9^%wx-3FZggH2=cL^K
zzApS~v3DdtjhL3le53L)*Qf4oU%Ne>?4Wj2-Zm1SZJW?}x=}q3Y4Tg+SggF1$MGL>
z9dquHJU^vR=sAN#mmt$ed%U*kyWrLFWqiR<+<2@}h7<(Q7J=oe$ym~eS<K5=PRUuw
zRk6qOrAyS&y$sEix3^HD;<i;?`6wp<>n~iCh%eZIWyc5z*(PZA<a60?5eP6LRNz8N
zYD?m3Dj!js6t3ovYpd})qco)>TgU6(V~Z!6C+Ck(Ua{_cFWJu+uU_?|S@@d9l2giQ
z3{h1y0}jvbNUCL(S{Ifm=Hw{oJZT3L)=hHyOec}c9}9%ZE`do8AU&pA#%HpmZ6DcZ
zV-W)Xo?|B{(5{WgYbr~56maXHfI60w2fqdGa2z*vW&co%he!i02e(&-3m3YgQpyrH
zKVtst>7*6cE}g%@8bQEfFA2Qr#4O#EsLgw{-*kGt>Q}YX`<ScdPkQ5*@4B3*k*3ID
z{N&eHBw^Xgm3rR!y1>I3Gck`Ji&GKOZg-*1DDW}}B|Fq&?S0|IJcNAKD5mk8N@Itv
z0cjFmGlYaorfwKth_SMqVN}JmRv-RP&rkI9=y7Gd2e7`vRAiBsbe^qinekVSBeiMM
zI~jdqNwM_m+#vg7R%!>QwpDX4D7ij{!seN;4inQfoogdT9q?4pw;3MO3nn&3ha}W2
zj<9_-hu2HBg})Nk!|KKG^OGiKD;m&z0zE27LozYsLC!Lvq^oM`H-mDcP-dUP<Q`xM
zK7zJ<U(Fi{#vR0X3_*GATwSCEBT3+0mBXPz)`TpcRlO3!0KB9THS@V26>dDuzO%aE
zQQ{~`)Ju{5wuA7W+L*dCZwtQZEyhLqmR4HTe=@c5vv*ae6f6Zj`2HTfm>XVXkHn;Q
zNY5U1XA^Z3TZtX~j}jLdOVSlVrTSU$W^q|R>Aa@jEVk^%K{EzSEGnj03(QsK#WASC
zTpzSN>yQBSsqoQ}GccA8Pl$yw#pXh)yxfFb59^nJEAum&AMGWY3!3WX<W{pSv~jGv
z;O^dNj&tkOP3FGFFEU&1owwa2KIx`LY;&qD8=na)F`WSgL|4roOfpj8P4jSL(k>$<
z7tW>=ZOOdMWcDh&p3S-P9q_y@pH3gcnd<i^U+XMSeD5kNb_jq^rJG8F%(VI5u?}e_
zpQIP$J!(=N6MIEQOXjp!I-aQ~8L24~B^wU_A+y)xV{}o|*K^aEj0IO-y|7`+xrC7a
zdyh1Y<#IccKf_6%8mI>swuwUL5A%KypOdLZBSkn3W$ToD{Q3G0J<MM>Xzmd7kfK1n
zyJ<Ea_(5adN`qP@8bJS-LXS>fh52QL6*12AvX^;_?R+ZAIGIH!cBV#rZoc#!`HBmU
zG|;0*pp<b4a@&T|-(?;s2@M+@Ml#%Yb_4a8zk9!2R&9de%i?Z|a-=gb2QuU{EC&i9
z$Zx2b^wz!_x;6CFCgJsBrx?iL7UzF%NkfNkW6ye3Tu`0|Gv#Hkw}46$@14jT%n;1E
z9O$aQ0U`+!V)Jj|`+qtjN2*gw$Qnw@p5}x-$)f+r4{ygixN7OzJ(gk?V0GNKyxasF
zxAk=$1%TiqGCxJ*X@8td-eluXp5lLA4us(9d)S`HPRG{Qm=zMphs&Du0x#y^LJ`~@
zA2)c>UEAs+L#3`m)hud5FT1ENx6sL_%#wd-nb)1?Y@gG&0ctuc@T@vxZ$f(8<37PF
zMdhy_um-*E=txnV3ha5%pwDE>TnxKPcB6XqC^dCsK5N8lqEpmp6}stBs}xju?*--}
zNE(F}=yXY+rMXMcONtgG(-R02MPMYk#<RA<7-!JqJb~3>ADkXT;*fA(Mpzoc!shMp
zIPXOBPu!e8P(&aH8~TS1fQ)cDffnH08<eGU7FdtmeS?)3*owGX2&2c}tv!3+TRsF-
zld^I78XbRqx#U_F6eF1ArhfKoDQE6f^qmT+;{SO)X?-Debfj%<R@DrG6_nx`-TG@z
zl#5IuW)&F_dCD|Rn_sfIP3BE>T5XDKsvn5o5&rP%)iH6teO=#OSPh(Yv#3Q!CsWc5
zS4cz(BcgJ%iqWZqK-tmeH15#R8HWTd>-7L|$PS9vow+btwW1Rw(lJ2p%JFZ3PQq{l
zwO&aFW|_&3gnfwwHm-$<;1a$USdGEQ4wI|Y+UN*6?KLdu_U&^S0ruKFWZ*9G5fw}Q
zLGdr;NJ)**$dQIK;zNM6+BLqa%N-F3Qw3<+q&8=3=8+6EBGA&RO0-$ac9cab{>PeB
z=|-p@IfoSje$WrJB|k9!XBv6}NaBUVNRlYpSBQZ^qXG058&<;<?LXo~<r-eam;%+M
z*TR{nkXB!3#6{Q#;%SzQh0;`LT?FfjLv$ib^%Ptrh!cAPg}bNB8PT3#v=7k~154n0
znkBj%lnng|SSU?4ea|E+-!&9Mi4>DKYk~*h9k_;YlI6It1vwIs@BjR`Ix!)%=q>Sf
zGvM+dLpNfP`RGGLdie_`-YOX@Yb~NHYt54Dp)H0ERCJTpWM?@Fu-veLsu5u04&<y9
zfxzI`6~u73qqApGNw??c;T2Pj*s%gNMB2znRP`$hf5IF8xDDZKyi04DM;}<+pT*a2
zxD`!Z{A%shQa2mX6NZl6B|(Pe!6-1>kN$^7HQh0L_oHPNJ0hBErGHb2&tn_~Ab;SL
zAEXJOI=r||WOfaA<wQs9Yx+!025YEa0gnbP7@owxwLThLfu8W*$ITov8dCS>b?n~9
zKPg=OwCi~*de3`+^$_;%e_`OF#&OLSCLNH=L1Se$(}ayhM}`J6aU6TF98F3`(%<^?
zlWUS@bkLAn^(J|Lkzkeb!Fny%J0b%aoiUTZS=KQH#}h!!n3n6>xcw6@-YUf+L$fx)
zGHS}eY@pvj@9e#37xu*M8|bF_8M@DO?tfogi@Kk^)9f-C@Ek!|9PQy4TQjb8N3M-)
zJFvW;yo0du0>yXeCd4HKH5>XX8Ui0qee5yN!l$0=2Hun8I9J-|h4qE;HXAS-FTthb
z(Ol#W)`c7XGmq%n;eI3{YQz6H_U;Lym^3ry_(4nzUjbonBDK^Q_@j&%g@`wD<t!=p
zCVc;fcT#WUD20%$;iv$=g>sGbgab)reutx0DY1)$i`qa%d1Im*Zc2qqWOgkfBF9EY
z7`A7C12;l)4OpcRV!-&5K263eqYo1_UF$Q&JvP%_6pVVN@!f2VD@vXaQ0^lk--S)|
z^hZ_o$B6!iJw3DA1PcW2M8jdRzSZRoBj!H<F?>%UhVJ<vE~i@96aTX_F0IPKUpL}m
z6om*7?*u91fQ0SA;eVp2(sXgty7ul9S4YmJ>H_Z2XgILM=B%XqdSEz}zOA>4>=45e
z<fy#hBcO8UP|KZgEcO3jb^}$G>y>qpQCeCAwHVSTMW)LPDFVvh<!Y>>GH;iv9Yv?h
zdI&3y)10de_uBsRp5yAV_6S1@Yl=?0DHUX7p8M@O()pF&YZG9>8aOK4ogHAn;KGUb
z6mj&IgH#2C+#l8A^RhNH%yss)DD2y1^}VkbymaKku-@g)-3`ItKM%Gse6Ejx@p?$S
z!0^YN!t%$IS*KDi$82S!9`q)S{@10;1mczGbNv<NbBTu@{h=E2NPypg?27Xf4-sn6
zByJQ8sCEN?6>opH^4RR%e5tp@YtnnoQ^Q-@bMjMenLDHJF_rU6>Bsd)^{1?*Q^AW6
zUjeGw`iANV`!##Jf+f&SC!U?a*dFAjRo8m4296iQD0>b2E_7$;c5Mf?8{4yK{;d<d
zO*2)qRl`-|McWxID&}8P-j(y|!a0ef!SMVIhNF$!mGc=6T!B^q_VRK+7b{fD-)xvW
z!mK$A7!qMN8|aWwG`AD3u@|W`ZzB+ChB|gKP++7U0)J4F56S{Xq+l@{WDvok&8_sU
ztTk+?mEotlHD4+miSF#LEmx?c06&tLSCZZg?}eB4yTEJ9{fwc<@l_l8zx<Njnavx>
z027V`sTK0fBxPi$q_)j}X#XU)Qk(V6w5fDbH8OQfyTmk7+R5JIuYmzqtsY>M`|_<D
zW`9149pv~jGBVJkllJVa^x{vC3W7mSttFPG$HS1;MjQ}(f%9zpVPSEWb7se#q)2kD
z59|A{kMxc-JeMK}PB>JV?oK&sDUt5yDeHLqhTEpw2HSRDJLONM-AFDLU5#J`+`m4Y
zN4Yw||C!+9Xtt3$eq``}1>h-fZppx{UQoPvL%F|&UGkm>=kV#*0o$_dnI^?ok(M%*
zCe$o~ZUBQww2Y7#@w=u_9FePFjet2+H<P!MN1ucIkx%DHpgKrOf%hTS<?VQms|krf
zb})ORfBze@f=+l>atZtu@BGKx;;nfDa{(23ihb9nrb-6+@=^><JI*PF)xM~e($&Sy
z)JN<Zx7iMc{vg-CH^Bt+_=M6MUTb!Dz=>y_+dte%)4=!+?Z+DM3Bu(YF0um;$1f85
z(~h6*`?LFgd*?OJ`~|Eh4+q}8?Amwz3+7^(-KYxv3V8#|hvdz6N5zG}fyWZHiIDnE
zvpYb)=k<nr#{U*KKiW+>ar!=O!R!bBt6fYk9!Zr&^R7jRXVE&nM}L|Il?J(*|8H{{
za5?|nN<N?Tl{W|ZWj=O;jsu{GT_by7ezOD!pVj0`Cd)QzwvMTF(9o9RT2fxKlw5;j
z07J(Hs@S)3Zjcyf^~l;d(KXQ{r*WoAPG*bcwh5||Bn{xXd?pJT3)p^na91@qHG%{f
zoNKxU4lp+ylvXiHy*v(uZeIwJUSzG!D~oGQo#v_*-t?la&F?1CC-5W!{QEcS0SM@c
z<GfRLsLBikfMUx-4<sl88bX8GhEzDrLxuqC0+#!9*rPUb#dr?|M38|y^f|1deC@W!
zbo^Gt`@seLejx*=Jq!O3!ovV_cHwow2X|opXr*%hT{XAdTJHIVo9I`Suv3vy#(k9K
zohqJcujB|-^V!62mA{~@9g1oCXJ4rPhO4+lt&Dvu-koxo1jvMMLcw;;z(0I-vSiZv
zgJdf%FmquZ6UU)Y<*23q{Tzp=9tJLPS+9~fa~kmPwmG4+9%V-Q5-)6XoRGdKC?gI%
z>$*Q?MKgP@mjE6g>(_LrPQkN>fkT;(qazeUCx51{#TfkR6mim$J+z^ZJ~M;Y6LOVG
zQOv&8SL?)+(Cw#p2$wvma?BIVE!TA?bWg;N3CDFO4hQ4&2LFpu9ezhHIeOWD?Lu#W
zeNc7!*te`Rt9AR->8n)O8f@4*+>`3p^fbG1E~RU2V{I337jS1RYsp?&URh>A>PA1)
zUmG6UK$3)*P5Qoi?rsZjp!i<YzA`5=E4`;DhVqiSM(ggazp(xzVgH}Y&##Vij49zK
zFj1eG)Q_&PZXl!MJc6{}<5GB<Rk~;nN0A}ixO-%%%UICuay{Pgy)qVCJ}B`!h9U%S
zsUb4eXy1Z8W)rGku@(T($Mfm}YizRbn{No=(AgcTsZy52Iz=d`USo*cc!6f25r@-B
z&1xe+E&jkr1pkT+n-wqHCO2s6o*Vo1!*!zJo+j%jGl&y;sb8c4d2be^`QQGGzd!^2
z-cz_HloN$T0tH*52UCj`#>KR}XzkCv+8`^|i9(1W@Gx1;k81Tw-+#5ddV|(4mD;8L
zu+?{!MvWh8)pMOu%l|sb*JOIP?bAZ{H({|UTjO`R*m?eY-!ew8U_*-UVHXzJuDibx
z_7JpKQ7EU1DTic(z@vxyAPGKePtZ~UW07IGa8a01MDi$y{-6S$G3c;dcv^JOe<9S|
zN1=3Cd|YFZo%hK#q?PjL8z%nnQ@$jzvHBJoS|}fKqd;0@wOXY&S8TWvChm|}rWgNa
zA3!aXmO{V^XJrPWtj2#Z(k?SB#Yx)MkxZX@!V2@1qJm*dU+iiq{U@w{%arP!)<V+r
z|E*ZJdf3$iX}lbcf*^<tL@QXWi0<yRfNu%fFX)VGN#3|r$O4GLAx+quT{a<*o3<R1
z4wKfuy=wnmusJuhv;Q`52^(-7oJ<l1i*Qrgz?2F9Lw46?`Eh*5F7bF1{MNDupU;Z0
z8m9KmpDbP4$1CrslBW$*@b6DT;+O?t{xM5&ZwI>3A`4{3NskuwzLeI1o>uL@OfDC_
zzht^kU8Mrv@JBomEB!z`x-{B&590%*MO0&T*gMQXZYzs+xFXAEjZww;pJdOx*LSSr
z32xItnVI13$Tj>AHBJP}1UkG=8KnPRzH;lbXP0kVypps5S9Qh>Y1tER&+qe(wx-AE
zyC#1Y?b4NN=|(3X<as?Hk^B3pi)){j+A`KE%ck&F>+em-ZdIt{MvB4(Y%(5~<p!TU
z_xZPPdy#LzhUZ0BXA6#+m4}OB+FZH!PFfNQFN!L_X?YL1Qk(Ii7CNQswY&TGSqp2r
zC+WnQbqH1=Q>nuG_|LW8+okxqhfPPO)P=uy#0PEAlh3f8;DdT!OVR?w`vc#`BHdSs
zl`K8Ja+R*uEk|2iycTY-Gxk|haWnS$s&mYdu+ob_q~C^^{De!!l!(Xt1)YbUzTNJg
z%eU^sQg6UdZ@_WTwoeabM@gBu-ki_#1>pH1u=ZIO6uXN{S^1L<#@P*a?6He&eEahF
z_+hXAVWzfa5^`nCr;08!ZEKqvexPT#XFEtY=V1VF9He_^Z)e_VCvX$Q4f-(A3)>SE
z|NNoC7$jM8o4K&M$Z2W3+V7dD&6hGgq59aV4);`ZtIew6qbb?_g21!b%OIJX*=C`(
zTY3zd^N?K&0OZyNkosUBwM^C}u~**)G6C4DFD`MD)9TVbyC7Cv;S(Qf{u9-9{W$2L
zwRiJ}_<;Q2Vz0&_(QmYLd7W4$oekXG?rJm_Cg<T=BX@JHyS)uS?>_}7Z^s*u7GGT8
z%8WbSAN%z1u8ym2FFUSopdMAscY8)v&})!nb~kmsT6yGK^Qx>$DRq(7l|5G<FN;Vk
zEW_GiUTH~Z8s%f}Y^=9cw3XR;oJ$wXO)eJ-*~T?X?1ln<V1pdZS4VDAbV;T!YIA>_
zdd~`p8Sm>#dt#zL(WP0#+4h+7M_%bOjZm+n(7U*Wu`THx^S-%0L0`zPeC_*w`BR%e
z^HQDZhN?q9vG@5TJN64H%@=<9a$_HYn)&s*pKgWeb%XdqbaunI(WTumr_YVt%mJI8
z1YxSbEUMf?Np)L5#D!cZy07%hW1`ZtA?@Qj$m}WBdt{DKZhzUsth+5@qkcwRbA@|B
z%n7H5l@Y8i!ah1JGU{=^V`By=yzkYniktush@8-{;`6hJSP33dzYXCMe@uQyH3#|x
zqfv+QEL9*nk+y;mUfFbLxQ4a@7@Wu-5sWfwrquf3nc+cyARb}+cTIZ1-LajJ?(#DF
zfPbQw38yYJL5(ztt-)-J1PcwOt5NMSt;J!e6K(%gXSoPRhdl$oH2L-)+i>myZ34N2
zaDyt%n4Ahs>AXPn>l^jK-0K^%gW?&<1M^M$!o9&j?hYEp5;meF=y5P7V74>uZD`I6
zcK~~FxI>?wP5?u;Q|v*}!L=t!gU;A%_Pgl7+2>jV@dR{%-I>S%Zw*XCY)wo9^Q3`t
z23Q|%0JS-#4Pw{rsR8$9UIKTgb^+h`Mr^{khkvr|-JVe)uBe_Pg)c8(Xd|r1&(8`~
z`?mI?-r;-;^+!EL0nxAM1G`7~vhMx+W(}XOo39H<$Mb>TYx!vL_j<+#wp*|ZWLdqa
z3rW9x685)S@<ToN?+Dnt?FTsAZ|)7s{=N=tSG@WjR2p*tEerf&>!4M@gGMzKtN*Vw
znte_Q9%E{@DcPPT8by|At0~={M=D$Yb*gKBnid^+cYh<o9nmCGzjTe0|7D(aP8i0e
z_a$6Dnp_dfgE@rd-D<clU%fYYqMBO`hJXw2B&658NqZ1FeL5NOU&4GIu@cot2{;mX
zqydpe;i)arCX*wrIW~E*V-~y^2Nx47F(w!5@+|Exvumv8<W6caXP7Ar6G%!mc%&-C
zVrAw=pzSn5>?bhb1YAZqij1TekknMM=OBd#%(+Fnpxy?kk9)BvRA=Z;=<T@PkX#{t
zk-7r6d50&&4-{<&+L?Vb9@yF8s5^8A@*72KaCQN{q5N07JKwt+reqLr?WPN8KGvMO
z;LMp?fxiIs2oWoS&BrD8d#dT*lnd!k3$B^%Lp;abOW(lIr(8GQJojh4Joe+9!kyRe
zHMhCf06UGI+uifuh~N0%K}Qw3ig&OZ)$hIdi?Gy%WHC<i*~GeJ$m7kU>xZTXYnImP
zgOEses#w)8TC<q(1|1u<tEh&bwdn>(WBH1bST`i}ug#^cgV%Cj)3^(D{kjiU?q%l|
z{-rO_WTd;_k{hW#<Idh+kJ}j^%#ObaA|fOSwq`<PNs?d<Ay(y;2#CeyBXo!fl~z?&
zlD4YS78I2t6a|rm<u&D27L}<As>=$Zs;a`ODQ|gRW=v#Sy1soszP^61PBYwY|IOXU
z8y^q5^vQdw$&oLuUw-^za*|u{qqe7`2Az3nj{pMrquNDhEO(;VK|mD3Rm|G;pOzLA
z5qkuqHtJxDits&#Ax&5Y0;x`+VhPb|4Z(^;g%W|>?fI$^AQ5>Hp*$>Rkh-S$la1pL
z3F!niq8ibS@MhRYv3(bICBy~bVx(eZi4vd{PIulg=f4#&e@78?;Shpau@57U0*-=$
z-y;4B>T<fniZ|x-VAeIb=lolAf~V|DIuWtD4!;`1PB2yUA{G-#MV4)K7m;au6Va(}
zj&8THM6M7EK~!yNPBZyuIzITs(>)_T!7ksBos5EsY?^}Nz)-1b@*kTHb#*L}Vs{K#
zqfF?R0z0G5fVVgtCkk$Sc?)ea#h}AF^#zeV!LeQk?s*jd^DypPa>P|zY-X6RxZsCJ
zT4KmsIvlh9%D31%nmB`X%B^Z?)>NV@``|Ksqi_qjf_4HoUWo>BdOKm^Dmm&qiDgtS
zB-L6(n}$6?t%$~wd?FF5Xe&HYk<K*|Urcl1p1;88>c7I<sEd8NOo1=T8S0o?39>c-
zZyb9S053Vrhdbf{FQi#IteWfhm{QJC44g1nlpBQ;@vdA{iZI={l^pERA>nlNmBGvC
zN4TI=O<f0Fgr*XWzgj0yi?0W5iA%4svBy(-&>6hf8Jr$fG(aMX)sTz13h3>9aamTa
zHa0=Lpz7q#OSms@LwTkZ=B-kQqkkbrxU3s&Cus(C!Wd!K9%#t1w`oIf-J~}P8%Amv
zH3ImW?{%6Jhe$B34nC;S_#qsQ+B}cP%4r!9&uC;Cd?RY?;=7!zTjDB0cHuhLZvu3=
z$Hh0UP<8{FPuZVuPi_S_?C|_slOmFhIL*qEB+MDUNft1hXM;`*ll_3tnNob<ESqyi
zHXqRqJS4$gC%%y@>y^3jrm^SPNUvi+NUm$Y3%kKjXAS!>^keP^DC7%`qNOYAccDIO
z>ldRq{vTu46kJ&pWjjg7b~?6g+qP||JN8S*wmY_MI~~5*w((+5&(zGvRL#d!UF>tJ
zZq==Q{?=a5lv!5kp}1@Ty~^=Pz*W_$O~NN**hE)g+r(B_30gc+ZE<!=_z20kt|*q;
z2S3hcpAhy2+O$0TCnv>UxD%~5lRDmpM~e`-GgmOAUf=wAg~dr*KtB|eW>G<;F!5)b
zL>6z)AoqDmjsz`i5f{-9ElT_o$PF!u<3o%jT;WMYTaY4(;m5|}|KQl-hyFzcOJ9iM
z!E>aa?1CBwf79`;Rtx_niKe$N$A8)Aa@5ZMK-S)l;n9k$rFkZH+kyHz7WW2kz3xpn
zEM~=l78DRe3nFX0Q2+hn;wh19?`WOj=x7P+kxUn%OW;Ln3vpDu=O%YhT$U{k`|k(&
zvVHem?`#_=j0y&=qY@PpjKoCO<6n!68h|d7w`F_jYN<hqw6Ay?`aI(DaXfOaV9TfA
zHEx1iMDZwkV<&HVlJc?b;V;+@Pt5d5VXSD=Hgft>(Pji0?udS?3ilTC7Wm}@t*d^r
zA;`|p;Vn<5f)&;68k3j<?v$|>-&8Fp-A22#jAvr=)AdsMWia>4`cx&}x89*KX^)0y
zl{%ezj5ZPkk85HiFt-T+ev8g(a{$k<5>bT*X#PR)908V*vwhfwu$V!%5~3UsZ@;Sn
zT+V}Ydj`{Q{+{Ss<&9_C9;w?MpBKa7p(u6<*iodP#c?Ie8!7&oVMm4L);*cIpyZ?4
z7rMb_;pzlX^pdz;{$!t;p^!xjr!Za-y}RG|1C0eu&IEW0mjtp(QCEyraI@`V=bMC@
zR#8q~aBDwZj;(yqg)`RN&!PlrvxJ{UHUoYZo<3cBJ#*~XuusX98)}(9m23tCihq4G
z{AFab78>j$i+)9;&{oR6n=|)6i(K|y|2g&0j>Ox@Mn_sH9!z3<kIUU|d+#ffLyx(v
zG4yEec?DuHph~$XZxYaLWB}vuAe%Z#Rggm+Hd3H1hz*eoayMN)sh4K(z-(M{Y(Ci%
z#Ieh>Uc}|b;k9pHHsY*SF*djWUu;*RNjbGZP#jglz0aV=FI!9*RX@2vSUgd}ybq}+
zkUX9F9$hN`EBV}np5-Oab+YKk)1LulUi&VK4I5PzUSoPTNA}&9dG754OMMHFIL)&9
zqPB4tr0oieo^bgJ*5`i9*a;7`wb<=_Z7EwT^jdf+E1Z(7W1WP*g_AHJ%Mi&h83l2(
zn5?MiI?KJdXeSGTsOTS-yeXU+O9X2+sHPu->H&3{o)Z6S4`MAE>~c8Z(Nx%nC9fN2
z#t^}p391QOti1YaI}b)IVK*Ru=;wg4Ew@#hIW^k`b26Trq*h_r?C6OT0_+r9=syE*
zZ8LN;IWs&npMOT)iz^c=z;u&I&RCeKw~v53bpkCgpzs;T1C{b(?k@?~CQ{t$a6+vi
z^op6twz)|4Ld@Gd%<@>eIWS)viTCE3Hqzg1SUJj4p8Ju(vynJ95@(;-da5W)LDnhf
zzu~71+4#mX?4uUIXdsD;sM>I%p&Cg>P^`ka$b*T&`~Io<4Tl8{wQ7R~x@K@Ss>yT-
z#C*=dc^kMGyMnQ;0iCXTFUwniodpAp?2_pbO(V5q5lruz6G>q6#>4QdQhvo}{3o;L
zS=?#d@7B+@PnWX%FVQc^g@xRuTqvUtoewT$Ie-WN%yu4~0pP8u0ex)8VV|dSmkd-7
zOcOP|ncGR}HwapWazdDed_vg5;%D*n_^ER9dna!PE!quH@Hb6y|1q;ZTr4spe9!OO
z=N;!Cb&{x|#0cnO`VpzBKbKCbl+GG#8qWLC=vc1xe=2Lkp8kRZ*@W>*^}yyGRj&VH
zbT20o&3jGoMiOmKSd;eD-Xb9uSwNMvRsh=iCGcM=t@+|VxM>rqR5Gfye$#5rXB4W~
zSNc*@f|&|?hZhR25nV%&jsN3IDyj5SCG1?y+=1bGS}%KIN8?yD8(xG)WHX^uWhSs`
zCU9n8W-%X6v^Dq&ffv7nt111J8QV=uC9QIz9@(kV6I*S$%ue}>*NuSr!QjE*VpsD5
zbF?1wcaG$ttN_Nz6eXR6>!@7l*$U_e5S6S9kghW8M~PbaUS6ENwo;qwvseGv6ge}L
z^CXo&<~K*@+VY<Cin$AX^>q5WTCVkZLx1Dje@!CZ#wNi4&sQeFs0bE~Q7)sx&?Lct
z6V1oVpCM3rW>9~d(5xzRSkSSaaBPFVfq=n5jzsUjp81%&)>_g@!^Ia{9{Se19n6h@
z>C7Lxoq7WgGq8glkHUQ7;o^{QAe>rge%LWc;H=swUD`52dL6m@$(!wCVb^_3^tkJv
z58TFoAc|Y|ik>d4gaNqef4Rqh4*dG^MDzplcSW_G2`vGlTfCG3C=PdJpVVtdGJZ5$
zay?4`L_^oy8>|RYRNKhd0<z~hfx@M2P;a@kjI_?dZ@WO>G$$JQQEj$Pts0rbN8%8&
z>^42c+kihfckanagwJk6xK|+iOEtUS3z@#i@=7@02l8T>%TS>VV1hJYf@*?AL_9>F
z0NP1eh<U3!?0BKjRWj3+?|NX~RMh!AMIO&P;EC^l#9lVpB^s-f_O6q$q$`W4>lJMf
z9nOoIJY?naHB^%kd@|wowi`HXEP9>{@M74(Y*eL_WHWJW=8|G*pQ@_|a})-1riMOg
z7T99eT-u!wOBA(SF3n69ls5gAPp*?c_H*71V|qEABkEq5bC%{qvvixzI45bsdm`B}
zpZr~H1hOYES2WQ%*XKWZ^gmeqvt0muuf3^sqw1!uUhC=a)YS-ziBo*VG&Mh`Y+~(g
z>fQf%D9UMO@=PT#Fbq20VcLA@M139GKW-1s3z-cApveH$PH^_YrfX3Xi@!6E;~7a(
zL<&5{zii{pmWXDF`e(CebN@Y-b4QzcyXb=5>JG1XhUwtrxQ>ZuD~Uo8#{8z^FWS~z
zShGx@f;%bv+*kgV=a6m7Y&*Gq{C1B}`LKFL|2l&aC`F@KS}`)~RmxK`j`_%W$$4Qt
z!ld?!NlNs&sxxq44PnFlr88&<I@n~_6ZV6qW9L2P^U_kIKztK$@yD|crg(J$m;s7t
zO<Z3MEuP4mSz>4)$H9lAZ`-HKD-1PKbZ~&>$(hASs*c}2YM~U%DbBz&{Ox8Jc~Uq`
z>MJ&^nyZpCfk%zrIJL*g6=wm5yk2c<ie`7}@Cy{&EnJHhCvIA0bTiOZs#?1`Zq*%F
zQaw7G2#nkygFLOLo#)E3+zRMfAwtc#fKG390l3A5{j*;;%1Sf9;?#=bvO7DC*CArm
zU_lo3U{OR96e!&nArSM|X3yWGH}*X?BIETtLh1GYd^ZvruX`caU9SGSy$-TXi-=Td
zw>0lco4ijNG1^pV7=ot}spyJdXq>Ti)M=*F5`eRu>as2x2kQziDRb&=A@$|cHlA2r
zM@_YNt=H#_JeTM8HrTsW^F7n4?xBx>Dca)fJT?{2;-<l-xEuE(86`#mq!~f+e7|tn
zH<Zw~c(pb>#^KFyIf`IzdQCt>;)CpGg<6LKW4oP&bKJi6gN-6+va`YEhtKA!BCi7|
zEu~5-mJVMu{_QUpgpE0v$HXqRdApmj4`)RH-Or7OPTswgs{sw@Z!m~x22TGvUz#*v
zv|&XZGH&6W!;3JASTiX6D|e6hM{gSSre7EO;TC%Cemv$fGqeisl2TQ}em~@L6ZGn9
zFX3lB+mg|yUyh3J->Y?DjUfQ|njc?L(VMc?Tl2BOoRvs{+*mK6_;at?8*rf4v*v4=
zIpj?an+tmExm%sap!1#20{l945s9~qltE?UnFwjs{gnv*%T0dlDcgxRo8rLepYn6H
z704Ub`)fIc4<SUE_S#IsV~_UA?hK;^tzAP;_C5Wei_f{6F}4l*cHg>u*<OFpAY7Hc
zms&W7)WwV28K7fGQ^G12kp}V~I#io6-78l8(~z;-Eya+mKh`|vOPi7*%ethh=7n04
zetD`2<nW0+Xn#!P{K4b04^+uGmOj=WbMv9rdSuX`>ZM(k<WDi`zu$E3;>O}RQ=gKj
z8KkBNx&O<g6wNs;E1k-K+pNC_n)FgD8B|#1Ish5G8?s8AN_1aJR9}}QZ#EcMV8mE(
z9bT2Jt|&BGk+);VShRK{C^PVU!LsAQE_eshk2P4xaP+6jy-pPgEl=-Trv~UIXZn>7
z>+cns8>|RB#E?!&u0m%CBvM#Wm_ta8r4+M2It-O66P3hg*~;awN;m&%jz3CWihZ?g
za?yo6v#QAyZoqqRslK3EoJ(q%@Gwkkp<+;L-kMJG5g0R3^a8uJZ+Bwcrm^}{)f#?K
z074s2>B>Ej<<l`_k*o0@PaHqvvv&JAoodQN=4JB&$s?p1*O1})>xEWUM}l>V!KR1C
zr$D_}5F=$YNncdIg(Ld4F<(E{PWwf&qB+5N|ImIWT($h*YMts}g+i+og-aHRYa+;;
z@u4NHde}MB#I_i_IbE&`+vY@qVjY!B?fgSp3AMRlO;BjnIXc-tR`zJka!@n0sk!lR
z&OR<r_qa@xZ*ST9GwPr%FWmdw=3L0;Z}G;TCSI;$PHh?9DRot)wF9BUY4AO}h+Go?
z0Qcn<bmVNht0EagMI{dm@3X*TnvAXS7UW(R0*jb&ggjSo!@`Raecn^!xMF-6=dJ@=
z+TwTdcfY+BmpQzl<M>b&@;DN~z~_nNp5z0Mh+H!N^k?6_%80mP&DVH*F%V2OGKnek
z*k-(yb;gi|cgfNZuZ~b^<=iE2QX*09i9FDcH5^$$)&Y6qTYMHRPcMTXJv{OKuD{%6
z`FuPRMb2bmF=tLlSMI(48A`Uwcn9xaywicAs;#^ZhlD5Ng${9QyQxF9w{BnPvAI8&
zi<D?-*D#lhyOWirV@f$ox@bU(SV3h!RZ=;E&`R=4Deq;Gp`>4e7+6u2!G9C8EaYll
zw;9PNbfivA8YVBh%`+M%^=T?U^jpRR&(GsGgq{6-5`~g74P-684rvq}%18MUct?um
z$2AVxa5a7~$Z6VyzpHdN*}@m!&j>M%o})!>?5GmF`0g>hP&IV5D2?MLH8)+`Py&)q
zH$psNKpDv(>a_F4pwhWlq~b)?!T5FO1%dIyEc$i<q?dzr;Ml$Msx0V|Ch;6;Hrs;Y
zrP33m1v#`oHkd^W1cY2cD&NwJ+*0_*crxnv<FBqOG~9vjIYh)I<2Ot5gv(mSE8s>@
zDOX2Yq54_Sk%!6rxIGj*1zn3^Us~wqg_0d^lU}=7VW;Q>f#^K^Q}KU>ULR~E0A3>N
z3w8W+xm3o$kFW36=AOI^2)2(Q=eXP%i2?hP$cuTre~mulZJc}e!8LvY_P}z81NeH@
z)K2vcUpl*mOPL-qHXPP#H2N!@wn<i*v!12*%-$?Ykb}n{<{G^RUH80BbxsFO1aIH(
zOT#P&SobRHjGeTld|i%adNS&Qo(cEf!tSrrkf0-o@F?AK$Q3`Md%iXO!hD;ep$zZj
zzNJ;vciD4P%vwE0vu=fILhqU|xa^{x4nU=EgX?{Q%&#_V`QRORRKR}~Tmz#OxHLkD
zt@9)KyH}<Jr)S;k*kbU&<)GDyK_9nln|5i0;=R7NICycZ0`d($<c<H_1%2?%w70dl
zb*j6SO9Dz?By=lPrC<wcZ`{osj9|dn9(yR7f-o*vt{{a+`49Et$OZP|*LaJh2vqsP
z?r~&rTTT%DQG#7eDH((kLs={QQfv(ib%j)7&OytmGvmI$um*9i#uxFbC>KG6x`OIG
zsq{=9D?1~$@q|tlbYI|4WG!%$A?*S1-HXz_QQzh9Dq~c}On)$tyI9mXdkh~qtx=DI
z^Y0Fe&{@Zwr$GJS)+#h%#pt75f#KWzo|VEhNwX!JhgLI0J(bKUi}pbvMm11>=taKh
zCjCH5{(zo*l<3+=;&&F0#9JgrKIYW)t7l=5wd4w1!&SLg(hDhtXOG%oFFsbY!Xx_Z
zQc_Ui<J*fp?Olf24<fg?g)l1oP>SQSQG!fC4{0j=Ic%iUBC&tO<!onZBc3AFMEx16
z=ebNde0H@b6FVnkpSQ9_u7$W0hM^A}z3|(Q<PK$qfrXGWo3I)-@-Z$A2Y}s_R+`C}
zs2gTmMdjk6vVuWn4+P<vw;P0K1>PdV4r0qT=3VNx@!X#n;bXs-k^|F8PdPt$H^)AZ
z{AR3`zzdh2##CWrp)b55=>VkLPf&XP<MlSg$;6ZJ!mZ#!exorwFMLar4%VCIon@`;
z#GEfXk!!AhCQ;7W2gl2ShDL`d3B0)oeRK#LTVoy0Qv6}vtv%_V$&$KL`n1D(9(zH(
zzi=z8Es52pm8-ffu@2^XD@ZMWE-l_x!Q9gc%&1mq+(Wa?uvaPEGYm{DIutt?`4gpX
zt^YyJJ29SSTUkOwdUsM@R5^b;Z$@9xyST1_^DiiZ$wI@qN5C7am%De!Pg0`6(c84=
z?}8D%lSaGq&j_EifSBHC>{|+79;3nKI|W}lK<@P((G9W}>Q^w)p47|n`@a|vz+ms;
z_8rl`xMggAJvH_kjoFRnGhM{$SgfiLTd1j`#YNI4X$IM-C0y&6rV?G3>X0Ra^WukD
zC|ILis&@&c1j^S45mGhtsNFpt7TIXb{b6wy33=?sA$%4idJIU@3~d_CC^yr>6;k)`
zP1Cq|BLwV*ZyQcvm4iQ-21IqJ%O;29+i+3o!Ml~nqrOiU=&)N?f!PK07~|tXdq1N2
zz*f}3+Jm<>$k?O7JhJ-y=>E&jiMX+fzzI>&p!JKRvVPT`)3eUYo>1M&sgA2JiNP|e
zKdO6d>$_7+V08fQ1;ZoOb6xA|x^hyriCte>_u$rV-3x<9#^?H{6(8k44p!^^xtFG$
z!~uSP1%riK;x2=DFVG)hzt@XhpnPvEyr2%Q1FjyUjQ5xu6&&+TDF*%a8|(oidrS3$
zr+g%MLmF6py6`ER@HZ9`7I-9kLnU>U=^$r5S9PU98JpTbz={PcXiL%SA2;(v5WmwV
zglFj@ae{g9!jB8m-a_z5Mf8;0Lc;}p&-oVPskeo-=jpRWh<it#^IgFcPU&|EKc<KJ
zl&8`bdgdK_4%BTI(UrK~jfgKw(?JG5I^mv9Tc^WtqZcRtWZ11qd|%kz?o4Lf4p|-|
z07>aH?k2&Pyy>v;nc6cs?x--IfM{ZLz>GiaSlCA}CoW7}FhMC8$(J=3f#3y05Hj&u
zoqyGRZ~nzq`l#`l{$%p_h9`dD`0iyUgy{f2pN?q<awdjpe}Xur_Na3AS5Ith(3LOQ
zHjKbCRu7~%h@dUZKk)j1FCTk*%40Ce7kL}P#(G&|<`4Fr>B%56C}<`v?FQ{+H12MH
zCO7wh%H$i<VKH-j?xB?lN^c*NFmLY=lL%CAAm2d$KdJ{*#yeCmnAkIeKYRmwyBki$
zDLa9=owowAl8s{~9>P37JF=(l-BOo`KOP1Q&{{+nC3;4*3B^+retuwwXR7SSuGh<#
zY`=7MjwZ6<%w*diqGBC(_^vV?4!Y<i(`Id)LXHL80qyFDrSBs)Q%#ofg~N8YH;Iqj
zIjSRe|3vV8->X}f@F;B|ntwCPEMRb$G?Y=;_D_%sfA7PX6}u168cN!eNvC~{>|s_w
zz<@C6z@dj4L|{=z2+_Z7^2D`_v>I+?mg^!m4A2_JVSxe-$?Z|3Gf;-ZGD~&Q8-^|q
zv9ll^MP`^%PNFvs+ov-fMR?tGc#3s_!4H|%<7}ZgMRJ+sYm;d9k>0j=;(><w_6W4;
zw=l0oe|su*LCX!f*At{h8kk~t(Fmdt^|9XOKcl3Q9VrbMV+}-C5jHkxyT>S4G_L5k
z1RORNSH(LR|5@d1NxC$Vs7fa=r?}we8<SntaR>W2q;OYQ)>)3>I%Ierd`JDnxt`<$
zId(w<5}ytsUW^5kfJb-Fc)lz~{oA|Opr>c|1(O4!+qjp~cbKneK!5L^(cRrU-zP-x
zIN+!k#CH)$sU3b)yf|mtl%t!ur1U+~upkbHm{mL#hf*>;!L%uzz9dpVf$As{lGKPE
zGsHASn~pPl%Jk0)&4JHN&{z_f7i$QAhOA(80`hzU^8P_3J4luBAou<tw;~?kOz}nj
zSExOK$eBt=J>^}Q10+Ux5LS^y1R@tYknsQe=Uo{QBqn$eW}8R^q7YJ#dXFc1$zMAN
zdmnrH9)Ar>zO5GaE{pP#Vho}qInWXvs|`*tVu?3mNi<?fFoLD(RZV-B6#&tp9%xMl
zKTC^tg`f~ggtwyY6~dmg1V6k6KWGnlLkxI}iF%QVdg14HvE+Bb=6BKLcm2rk;>qXF
zQQitv-bz&dM9J^M%zrl#^#afD;>hnp%zsA}_0k)7Dh$4M5569?MxM!u&y?1_5Z1ns
z)|Mwda3ejSKnL-ngH&O>4E|lPUYjsp<-uK}{|Z<K0T>4XSO+DPHE-0l9P*}O)HQGP
zwO5q2SG2WP)U{XiH7JxdD6};w)U`QS6A;fUg=Z!t8${(qfwrG}O80<e!}7|xJ*wV7
zYU6`F`ug~m6;WN>%IJlfd$8X~kFimG?W&gzW{0`EMq1VRxZ$pXC%@D1`i(n(hR2S9
zm&aDr(=LQ36!6f?m(i&2Zq^PP)a(nfJ=toKO*Yy01p0XYCNvp$i~f!wGzh$ndS_+Y
zUw%<AoSwd;%%p=~;^#182yGQD4|^<HN+ZH*9!4){Jz<&~M!8M)l;meJ#7G*VGY$3B
z==vuLiyA_!*YBcO3V$$7TA|&-Zu=Ta`1}&h>N<u-xdMmvaD(v>an(YmybnQn6@~RP
z2^NIN2TGr?p}r2l`nkdSJ;3<=0~XlwnG$ELNbV(2U#o(9tVN9w@@oY*oy=f^5MhE4
zVS{2|f_??}kGS?ah)UbbO500H+bc>(Q<1k2ledtQ3yMqIOGx{s$EOQR+bc-hi%I(i
z$FHQuKU0&`6Oi1ph?@FzY*V5U@}Us&p%Es*#AU<8jky9Z<ew%n1}w1$EVTwKxjK|e
z&_s!-g59ZtABlq>$%6$&U@j$K{1Q<zC1EZVU@paAF6Ce@rC=_VU<ia^2&7>M#9<Vu
zf-O-*q0vRzVDrUb@^yk|@`GpWMNia%XH4!xJMnU&=kclLKa{~scfgbT8ThwXfm6!J
zKq1d7Q%}i}#u4D((MF?qCCgsY+?p6M!m{F^akA$AzlBXCe+vOpgKl#_gV;C75nH9j
zkZk@EBW4tlM6vI*E8x+}#V23J=Qv9b;?K<^+5F?CkC4Qa#c!<f6^SR_Y{VIsVtnf!
zL|(D|(F@0Wk0ulpnzN@hLpI<s*GZIP{AQP}C=hqtr2(P|&y4FL@QW}H*7gqFAu&a{
zE=w?|if1R{9bFz>(cmxilR2ztU^yXR2D)2dpV|cS^L)z&!>D?}6p*qBqmo7*b;0mf
z%=ee4nlc?Nf3NZ#3@UQMpKFJc!K0D;+8t}&<4OL&ZnISyspKjay{uo#S}Sa#eV}Z~
zes1jCD>yn{APkf_ttb$Ox5JE)Qn#oeg0^#-;t*AHl~p9um_77pac{`XR(*#DAAJ>L
zgCodC{^+x({9rZ$gs1i6UKGh68!)dNx}-KyQhOce7hVmnTm9&DO3KLHzYFJ(I<}co
zaXMntP+7FCgEzEUvUh$EyIp=We61*6+?-W=fnQm=IDxS<h;f^Rt&I;0vlJ4N|FpJJ
z_T26enT^5Yf^&XXru-l;rQn@8bE4BPbdLQP<t+@Vb~6{e19kt&<##=~$qUQ*A!vP4
zcfSkNgRtx1ax{;LZPCTkxixyqykc28Nq?PvJb^e-iACGvXMlrFEmVh)_t0>`fYdBo
z_pr#d(_PAUe=b<gIk)K6t~1Tt9m6|pTxVKU|CAI_elJsmti_&`j{4zSrqO%MREt~B
zbSS>+0Z;h~)MoeZdqswhyFmA*&s#0G9j}6SdF&$MG5&lP8S#StlfLcY!?oB}Ipwwd
z+{SZ+xf=t|B=D+QSv#t=&MVX?cdfxwh*c^fxc<5Bh4;#loqIr3jeKX=wD&#<v+Xi<
z{P>_Kcldz~$u667e+ME0Ep#`>b!`_vyrzxzY#*q~8ip;lrp4j2b`9cg@9}611m){F
z>UtMe$9Z+IpL>^%*2+P*ouv^FE;p|u<NbLA{dlUn8hRk89Gzw~dK*hOoA?NQux|mZ
zV}2x}oO?SA^gM_Fy%nBiEv%pAMlf|pyKM-x0{+Dtos3Mi#`-u^NyP=N3Kb#i;jGy-
zJ#`G7dI%cwU-b6+^8ifu<!g2?;7yO4Dr;XjpZy!r+}~Hvw0ug2>2;|EV~^RWfGf)f
z`af4w9BVVTrvOD|K;%|II>)u9x5!YM(?b(6-3vNHugJJpR&U+Af94!N^d<!OUQ4dK
z+-`PjD?O0UJnMn*cA87Hk=Ewn8?%7=V+^t89yx!-+b;^w?Rs3TBrOX8{C#J>(xVtB
zD9a9yj-HRvgSeL5ZL@An3<C@2zKah32q}mKE&#sXIOl!a<8+$DCgT&}zVIM922Z=~
zID5lP>z+;0$^UY&6*mJI%dhu*u}lWqHI|Gr2*XpP@%!6YCn9+n&4io9c)Og<U|&sl
zW+=o+H@n>pq+AXxmx?WEvc8J|q*<&Qd2(jlpRq-y5=~3h##>IATsj!`FM>25l4Lx*
zdv0&1;d0S#^0L781R0^e@}a{;tWXGoW}z^rcf3G(W#V_LovyKu4Vr1F-D!5MTS~~X
zKwNJ8Keu(7DG`i@jAI{fh(9tHYYWV3p3b$)I98TegpS|+KZ1BmktY*-<Nw^>hyl(p
zIR(D<>Zz7m9rbZKX<vt!LZRXWJMWfx;e~8J7Ldc%^r<sm`*$A4{A#AugrxaDtu58H
zeZQWNgB{TvxMIAHCYIK<rpq$#^GOQmzq)*^v&E1@HZRz&=XI;MeVYxky>hGK;9l|!
z4$AU#mtpLAo9m_anOc{-IrD6a&|FG47Ti}mGscS`dmVL_J>;jE1nx#-a+&=cR*$+U
zaz_~CGL`4q%Lmhz&S&1&wv004)>&@fCPyY1>X*5+m)d$(td3kDuqOT1{Pr>%1hj&-
z&QEx%uSbu7X1dEAUCo<WB{JE5$OtF*@8hjhm~Jsf$w}-yQN8oV%kU=aNzm;7VzIbQ
zT|cUB<E+E52<^F4rZQpVJQQCm8aL@SnquEp&nU73MUE}q7Vka9_BTT6zldrIGA|0#
z3N~hc(G5m%2ve#rzMOPLK_Ep3ToBs%^VgRSzAM6}Qo#DvYKKhLl+2SvQ}T+0`A)(+
zRTFMbYr7lkh3!I?m+U^|=m_0D>RsOD1PwVo0gioGKL#rx3u`KnuQ!FtpCym?HltcR
z2)v7(1|q+=@t0bEs(ekEsxUlt0TsXZ7(5LV^%y<gSNtf&RdN#KGSl0LA52;f-ugUS
zH#^m^RNON3$88xg{P0>}BFw@1G}z>+ZNbI=TqtS#QOtPtmV<LY_E?XMNT}TAHotUQ
z|2C06T9zP0!07O>2!B|rR7>0Yxv28=usUk#xB1IVzrXBn;*rr%q+rZ~#6GL2QO{Q6
zb#(J)E9WP@gKgTa{{z65mrH20dS^^)=?@o!|J{D8;&%t%ZCyLj_*S28hp}Zs+DnTM
zZ%xnFB7;?{8b-i*--_m-q`CwV8=9XyQD@v~b;ignlFW59S*-sNSb;8Y7WX|n3(G7^
zJtD4jnAz|pwB-3jncIfkS3*yF(r(`A85$oYg%*a@6U}F7kJVcpB2(^@5&Lf8?w@(@
zhR`YOjT|m#|4mL3yELV<_m4wP1;Mj^iPiyyH?P}-N1$M$fXN3J5rE_7J#l?dp%zL1
zeib9tc=PS9hv6;r`$;FIYgM_&mxWlh2;Ja2;Bb@D_ss-4ZAWsVm(MtMZRIS<xaWPP
zooshgutESNycx=vOMd|ZEM|MCqpuQ<CZS|vBrr-l!McgUqkxgjCDTfXD>Gx*pxJ&;
z*eb@0#EB>ER2A3cl}@O*-$^Q%ODm==D<g)(tIMC@dz<#Ut~&l;0lZ&LcC&e0T|d3}
z9ZzSqZ@MwPU^~HX6a{fP-M4C&87K1%xmh#5gw~2P{7XS)D7hOyG5q5Qqac4Pm^sBA
z1WZc^fXq2ycPmH{?6AMyYbg-c4&9jk`$M7BJWpuyiu<s#c8p&Ief|1UmKq9`d|?|$
zL$Atk0VX@`9=o#fjK><HGe+v#&P8>*BA&4w_L#^l+vh$*z)tw)PxtB_LnLH)PC>^5
z9-Hs=W_xWt%IcCHAY%20V9m$6iV~dpcpib{Pgvnqu%*22!OxRNFn(o=Z;;fMWQ~WU
z=F>i2CMiWl%!G`IHAW-KX!}RBA#Uy)j47}0%N|NJO)O)#<T4Tgk7;z|r-_3BXn8lo
zP{gQvxp+gnKYci?kLxQbYKg#Y!vw88iAuIC*5;cJ*W&3MFe(hz=atH|eBr!k)E*_f
zg`EbU>x!?ztSHG0nM+3Y2^L-7EXY(eS9-%6mnGg-PNC8_l6K@QAI^guTva_T$n_uC
zcPt4_pei5~^=*&gd>Qt&cz?1Opro5yLW|g!NG5x`(m2?TFkK;tCI6Z(YX)Q7+<aZK
z87`8Nh~_`IW59)s%Z#zTQWts?MupOS829N|oJwI3R($CU*LTs~>mNX|OK6W_W^p8K
zqU&J_c05TXd<}o<TcLL38JY6}6gh}`IcPW}1i|J??$+NmQd-q8>+$OA%QlglNf(S`
z94P$3gC^+1s@i_&(@c@)*ftJ{KS`1)P<p0%W#*pMXR`)}#U${o=r_AMj(;Ny@{e6g
zfW|-teFKkAk#H=ON-+QYUTwB_VtagQu^;)N)I8005E8?Oyb#ykD0H%@$>Qj3G^9_*
zXfSI1b5G>N1v3McK%BLTb<90*l)0+qg_|Yb*I~7DS9Y{|lp<F9EsFHfB}HRmmqUOF
zPKb4@h-Vl%?TnAr6zcH4{AaV9fF<Z(nwR!|%uH<Ft*`+M+E)op)Ohq;mnKj;DXw_o
zP?p5HebuH^EWMieYmkXhEaV>JmtnHzRO%qA^sno%d-#pWg-^jh8I0KPl&R`ya}67(
zz)0M>+{V;tT$n}d{Z{_kUl#JT(fv19-jGsR6Y%-x@^%IYV!QX1B!W5r5PARh%_WR~
zj4f1F4ZG)g6I+v`-Dmh>{=KzL$M5&S^ZI!|yY8sAf&)y7_(<EZf0ca-Eg(TaJ{-S5
zVcoO@gI$6buV?kx>c-g5-i8PJ1c#U=<92itaX&YMvwfGH=teg0YDD;kTlCnC_8Jwv
z2BGZP4H0e$80>(!<>5>=e$}p$+-NA3>89mqAJS}2`1PEB94VvWWyx+<pF*v;CwW_o
zT<OoYx9?i$jPR3k;&9pbO7-dtXjJ_|ec`t82{n%M@)iYlr%e}wHwLlUU3jaI6jLDZ
zDTgdqL?pH3YNC4>ap4;yXjT@@stBa-Dcc1(OD3&oh&FE4BcwC;^I8g31dUx4xEpL=
zDpLf_xg44Gy?2o=yWUq)MfRV|`_{LJ;J{g*RU*LXo+VnUUt*aLIex6HptIIiS{z_o
zce3U7+rKv(HJ~Eh&<G<*V5v0~%W47fZMZaRn8FGFG)j$BgG$jl<bF{~$_5ciUBh)z
zfK|kQFFU9O!7$a6#gzea_+Q~++z(I#l2gg@WpL{UsWX%)P1nB%PJF_8k%Pndv9>ei
z5!A24N8)oV?JP1cX^B?QNXz}Dqb`%7wxyLN3;y<7$&dHmFPA*Jm2cS2{<yyT+t~IV
z1BEA1EpKPSw)FVjIZ>_z8rKPWIu=|4vt+J<z#wTZ`)s8yI;3T6{14v%!{>S7Ckv;U
zdETapP`&!MNSs-rc5Gm3#=K_dC!_I#r7HLiC5+s2*=K$Rt`RGK4E~j&|E5RB;owVz
zRtxO%u`bT?9qxc2g5fEJRt@wUPGo#_h(^8SkPer2|1k2?Awa%0exKFYK^5nyMMWc(
ziOtNizc>$PD@e9hQHLZ-{ET^TZL+^)o)I3>l;)SpJ(yRXZx*pd2X$(dt~xV|SrtRt
zmuKM>4O~_Pbcgz|`@Jnrir3+hZxK?nug+?wyhwm!jZ@w|4Y!}>@Sli5oeH_kvQ6hR
zJQQOZl^B$TJ#^noi>Z(6PE82b*6?kbVu6U;ZE6Z8CHj#gKtXa((?K&=Rqs3iL&0Yj
z?!Mr8a6vfPkIHwgpadENt<Q3m(lfIDYKiYS|L;^=4IB}n;%DnMCEtYILLdI$^|in1
z7jKRkMke)(>?wxwbrr1FGAd`~bWr=J6*d|T(f#lUh5A5Shqrq~l@1mn<XE^Ae#IDl
z?k(QNhMEyeNJIV~ZmXkCBMxkdt<SV1oQ1daQk?L_+zEKbNkfofttaHP`C^4e(E>;W
z94KjGQx)aE;YFI*YoXk@eHQl_Q+iUv8v~U%haf5IpOf{Rn4>T{SWFj8j$~QN=%oB>
zZO;`2y`<+SdGhIWfYJC1?NIo$Gekl-8egF%7RhG#BL<H5a9kw(22uo*&(V72Mi8jr
zA1UHh{4h8O-=#i>q*|^C$$J$7te}y<O&T?#BShzslWo5cJMdZg5z5=Le!slp@t9lm
zZL~(Y@4M=zCr|aQhLMN|-?1FEJZ!+0yREAZ7#3%rm0;9uz^&WR2*JunKC!%mzWv;+
zaON2h3H(~J>-Md8L?Yx|x$Ef?Qij6?hq}#r(H3IT-%Y@w-uyR~*{?dM9}b$<9}F*e
z8?2MA_o--v=;P7JFDpcg>Scj>-l?KIq+5A&=`eKnV*cG6yA5@<3!hm!2b*6EM@xzW
z^2I<N%~bJ+X^*{@HEnbxL8c2>qE%7Nd|xrv*}5Q7f594A8WTe;fCeHv6wP<4xDBvp
zj}%Tf9i;UIzQ5E|Va-a&U3G#(jzs14jhM4-?FT&$Qi&kR!;V~z!^_v24bt9j9b)c1
z9nKljy%slpvXu80{m9##DtRiXcB6c@d?t&jZu2*M?%_iy7i>kIlYo0enoS-e4nAI=
zMb60~F5D4A>CgW2TMA&duDmR=W4>_9LxMs`{C(iX!JZn01VvXBby4UlQ>bL(I+6R(
zYI(8+e8t0uc&b%P%y^Ec_liX7f{H?K_|k)@NWoBZZI20Q<)^J^@aYf?aFAiwJWZG_
z)Kx*Hlt{bzl9c8u2+1lE*x;SvvyLsYsvA~cLdWX6is(pI@3+jlf+nZi6i#JAmX)IM
zCordxQnUKf7T**%o3?D{wXp{&O!&!`DWO<|N~07gi0y_kL)Hp09_$<oITOcUo=`m6
z<cJe}?}$If8iCp6#8`aeSh1iIQ#s6faVsjC@kL)<2Te^pny&T23T@&NFsi=H^T28q
zU<pv|$__u7A?Hi=@382?_ZM}Z`5P&Kp!=HIW+}YBFQs2!*)y7(Nwt2bnSc9HF@#c2
z(h(ysalY$U^+xa>R*;`Lc}D-po3?vk2{8BrvYSWN4PJfusms!9=T>K;>l?)~_H>kw
z-3eqsVXXdyjkv$(M})I*G<R`zwlHz{uhPlX77>n}jhLDEzbbxyCP^E6R|{t*NqZAl
z3vmlGCvyuXc?(A?S8HN6W-dWNM7aO?+B3^fb;2=-8Kvuu&Q~58mGd__bTCFZ>8}&9
z;*W22*rw$;6Wq|BJ^tiP3dP#s>{}VD9Q$Qeu_+i(Qcm9H95@@WV;u7P5^Q}8_oAek
zri|(Bq+ga|h05l`5BxuHXjfyXCw|^LMkUR%84^6N44_9EazHbf$7$tSIQ;TcIfI9a
zheA(2P8YL^$-#S=LkJ*a($m^l3dva3yc>K@$J|*l!woed3zOkMa3%8*{!vdix;j>a
z|NFq>fxB!i_FvTQD&7PoIc2-p?O0*a{Tf}=7Q0*&Ic!t)m;Gr9!P$L}L<4fuee3B_
z@9FN+dZUMbUb1I$C{62VT}J5CPG=NRt5THkx{#n6syw_$N&3tOk=hfP!IqrtML{#-
zUn98O=m~LY?W-8v6t(taJd2FBiT}I%?Ek;+v$3$S{`XO^5Oeadak2jI)41@pF;<sY
zdMx+hql2|+iARz4D3uZA<ZXaeAkL2Y2F7RpJGdDFHVQnZDv*8_HLVRrO2u5gAP9~X
zf~)@*8Z=2PURm^C(vz~7Lbkm}a5zT#_G`7$PO(7H*weJ{buLiPE2pD1)urNWiATc?
zomfQNKp09E$Uv9^czUJ|Inl#bnJj#1_af^E4NXH6c%V*TrR<&2xq$8Vq?%=;3a|0w
z?`>n}qjx^97AGun^IF!iKeyUwITIwEg(<JOZ8w{MO65rt)8tSog|?ck)SkH;bD)Zt
z>nNBMvZOb#-|`*I<`IVsiwNYK)@Qccx?0vmqB?tnP?@Q0q{U*$lZN~K=|c?Uwz~pl
zuwCOkva8&dijM)OYAVY3voO9e%q@rkGxp@coKZ2JhSA4cjmHc<WA3DL5iL@v62PqU
z92J#zt2yF=MZ6n+Kf_@K_zr?ocdqgMjLAE?BaP}Pe{X@=LG18>W2T=>x*LhYfS}KI
zRzUwi1tigufFN2$W<-Y@C67CpKoaZL>hon&cywbwNk4h*c3MZH`TN=aKAK)?HXink
z_TNfsyn(~R5bmGn!&1!u=>Dmvr(ki-N6$<eCBZiAi5UKxf2BETN2xhPm`ZUT={l(c
z0wFk|?!*2XZfRHNWyl@}e50Ud7FPks2-@YQIG=Jwm(+<RR~cKuXCp~3gy3yX{+mkO
zh)?cnAa&`3&}ptTX1t=*Xl^sq(BCP}T%A{X`s-EOx9YyY>8BBSPM*P@!<wvKz>6!i
zfN1M1%UVEbp=qzD@)tIR3M@g<@qG}67}A+Uy}FD}awzUyLSkiaZLVkr<^r^rU0FEk
zgU3D7&9vHy$*d@FPQqJqn}k!X{gZ;BXg68m{5PSx0`B1~!>iOn?#MY6i=xY^i8l&J
zrZ-@XMxALKgJfiu_Jg>Ik2;k@!W4liBqaV2ak1x{O*P39wjoA@_1Mo$5~w-a$R!|&
zJ^CLBC)v3;;XQI%Q6;&&Mr?&*{Kx_o407HGm`E{yqcu|Z)9YD-CWPiY>Riitc}KOx
z&zeuhvmSY+Ij~vM*SxRZ{g%PCV3n%A6a2zWoH0SyfY&_9s_z3>M$&sIWBI!2;_2b&
znzu@~MV{i?L+&O8`u8@7l1C;LTEU-SYqW>8ec_n1dIj40WcaV>{G$gxW1;doYrhi`
zaB8lV4S!EN!`?e`lMfXni!*NSK})vueqUoHEIwi_$|CJTjgVf57pB7*yzR+mM`Al9
z(3SPEF6asJr{XOnh}1p|GoMT(&n)UK9fHfx)%2$6CimGzHcgq6OMMhHIQ<+K$$<O_
zFLsZ-G2yE&`u<Wfn@DdvL`{1#PuVpefl)%V7)MKxj8qre{Z|RIyvYFJfCUtn1xO}u
zSR+Ps;fmok&Z=BD5j=81upH(1yd9$Nh#j35D%rZ#U*$~|JTZDcdh_;IlJb;%#C)^p
zAYvt2x@S7cg?W2r`k?!OzU^M2<eVkpH|oMD%V6M$-cD(n!;wzr<b}RGf#4$u;VkNt
z1r+7{Rp{sQ4Z|8(k1GaJ>mY~%uTgzifb+9Q_$HF;t^Ih>!|4Y}a%F9J$Za!@1Oje(
zT6!zk)O82Sf3JiiHo%{uPNIrYKKT6MB{1@O<FF{e=#-UG<t3B`jm?Zs!tVF$Frsrm
z!CsAGXA>XpX10HxTm~zP^xu@*%;bc(_o6%`nN-r0UB^G%DgyHrTRveCjlUA3Sdkm0
zX6~<9&V7VMSt&>b()MOsohb~Xu?mN%i(8-B2B7M}JRoJAEKpwCMM#=cGl%rl<<xe*
zB2P3;s0ajF!|lq`u?8tsZKA^qxXSRVi#P9CH^rh(xNZ<#P9&cbP1xo61M8d3Vlma~
zw-B&<u)MaEC-SQg<eW$ACXdTb6Zw<V1H017RmV`DVA4()+@m({5rp^R(-HB}?0&oL
zg|CoH!jXL-+7~e8?-Kio$SFHVu?oLq_E3i^&I^gJ6c@uaEB^A7VUO}wiPRB}ckjjt
z;X3OE_q~<+=TmrHl;NPsd+o;X+J$+!8OaR48wUf(BQkM9_d9JImOas>vJ7|Y$*f>f
zG<gqWtXJV5q|55sj`{Sbze1Tfb@Nu^r`$SlAJ5uvdwNis#1_+gJBt%4=*W#4Mnh%l
zH=A+CXN(D3W9)ff69G73zm2*RdPz~Fcm0XSl{NN59~Sqo8QDk!zRhZS<qK`3*|9Vp
zav;zx^RMjlds+zlMzqFwf!XPXwt9WvCk*;gr#Trq8oS%tGyTM=X{y*Bg4cW$F_;d?
zWK!L!Mvulc_!dh2s|`<SVprxLL^f%HZyDA)4HbNRqT#JEiGEin+7pXOfq%Zqnn~?A
zfY23g<wRZlLYmxDQhSR<h;GTt1h*dD0>C(s&p5;rTGgW(z*q^B>WX-B6G|)+3fabJ
zHl?jY&Bwx0rgMZ=7033xD>tp^K=4VWx~CfQ+e6Os5fJ4Th5H~T{SDL=t1feR@}=RH
z@E{)U^*3Z#t0oYF{>t1nBB;SitH!^Kcc%G?_YMM-(02_=x#Gn4Fn=d(fnk#-MeJvi
zxZ2s<DLwQ~i{Sic$sFXdrFW020ORK?qMMKv@ww{Rj%ncF3u*U8L1#ZKZRC4d+@uNL
zjaK7oFc!$vx?&VrEb)dqlX=$tuIcY}vHUDo59HHldGv}hivHM#ttF)meyR%4mdCo&
z+dfYro}tR+dgun!QYGGsJN4N%<x<Xvc?wk;hdG%!oXY0QM$f4g4VpqnJpBCu3!GJ|
zv6hW)>vju%FTBQcJMj6)6HX6n-aI~D19#e{4V_^wZbS>>j2?Y`Lp=IPqf@`fcOO@W
zOq!(_S?57<?*lna&b<~$fxnQ@VNx0}Nb=Z<rwkChBD?pPk!v4K=<L*^CV0c&%XX&D
z)ld`#P2I>9mO=WIXm2q+1wZ_4rSTXC1vf-qg;dc8pU-%ZKq)7#EUp1(H1YnXrqV@M
zzX^ZksM$Wg1%#0P;8VD!xKqycxK4Y^nedASXk9-+d~SZQez)2G*!AL?z-pCEz;d!b
z1{4|LgxA9kT90M_Bntjv-H&!L3-jWB5z#Of^E4ku&waV}vt(7Sw*E;d+`Xr`R{|=z
zN!2R3#Tc6>2a0Sc&meA3pZdJC0I@;Ah1uEQnZFIDlhKP(K5WD1RzHBN5u;tMenM7s
zlVT=a5@@#lFZG_ng|Sz(SO^1*dv+7N_J+WZs$-6;AZbnn0TsC~teN_^Y#t6}=q=5R
ztfmEuV%VSlU#y`V7sqIL+(QvE1!U$2;iS^|fogjAiU8v*m&4U+E=4CS6VXeu@M;(a
z)v(OIhN57E+Y1VthF1M!pRAXbLe0>s7-GB7`UP&MXo5S<1u+LyI$X@eW82_=;9FR-
zdctoVx9@0!-1<zP7w3MY<`fb33G}>??D>)3UcY_TBl|@yO&FHU31+1`KXl{t-kKMQ
z`Y)@o#HPS#R*fQgL$};vU3juedUGGWO(lbM=E}jNI7!8{Q&;D2abCQb)}sSQV!I&_
z`(ycZIKeo@xkIv+0OFoTUnmcbL$E`9ooj}hHydEPJT(kJ6E$YsguSX~!!-eNkG;ka
z{;yC~<PW|{em0F01_yJ5(I1ojRKcWzsN))w0EgWN$8U%!+XkN9NnjK|IaNZM-7wRZ
zs2qfAe9QX19SgzBbJurTVZ207zg6Cd$?}Gx1w99ENPSV+v!#yfK3JL56c})~V}>LD
z1h>IZiZDy}Qi@ReUAmxhk9<Zu61C_VC*42&fL;_Q^`ewO+MAR;Kr<X3591q<jpP%h
zNp$pJ27f5?MfKdCElp8%HCNsu@J=Z1O(eAD%eLck^_Gt9|J*~;^p-k<1<I~A2Jo~J
z6j62He_kV{0RYxMj{c)uweMC3(%Ur>P+uN!5rp@|xp@<_%fBvzKC`y+o)*;}Pz1^>
zj3xxDu&YIC=ZThmPE;7I^m>NFTi{<sJ_2&eM&+7(mq0(J6*^6Ry`Z^%|9y}3!SR7P
zBI{@I$4PbnA^SBkby?TYq}^;C+OM<b%yy#kCi*h4$IzpBq4mO;f4w1Ek4Z10#aLr=
zGI12tzVQ&{_a4%tpK>KPhy41FjVpNKbLzA9_fs4IVdWDuS2tZNHSNVqmFDz{0cJ<5
zctq&A10BCl6yyNIn)<dfkJHO_g3_f|%Xw)tr*!h?VQN7w0?q0awIhGA<A7@zrivY;
zm%c&GA8|u7kaXjM70m1j0{W3am?S@Ad@j%$9;m9w5^t>|J?rrNn?75m-@)5}iy~co
zX}*4^^Fnf`$Yx$!73O$YjN8v*l-h=>W&P&jMnC;P-uq=Ty*Llof#*-G<!zD-69)8(
zYZ-v9B$cEt5aM^{)=WAN4s-!QyTY9kNDy{4iUbOV9k&<{zXoneDWZvb1Pk6AYChjc
zd)~7X|LCj~EaQTDD{?~Jh6geul@im951SRgrm8`WCCe$Qz9hTv94zZ3&*>z@xa{)Y
zGH8-~)vN**2LO-1Ay;qbcvU^_uemv3FdyH^-T57AL*{}^V@{%2c>W4fV;2{H7?f^>
zaiK7tt@Qd>K`9cN;&Jq+DWKz7w}yve`=ahLG?{T(_VofHcdjum6~RBxL3d9n?hjgR
z@5i?jz(b*k55C(8MZDMbo8fa7CzyS9Y{7E2>LKcoaG1p2LC+ZXGoyZVUq~gwF#WyS
z1ERswoCBr<&_!;bL1t_lGW?{}wTFoy<DehdE8X(5>ts^BujYAZD;`}ciFQ2%u-|`Q
zEQcz=70iVS)&~a~m_y=urnqgUI2n*F9yLq-l>ZFZXfJe4lvuAPT|j^O>(<@F;L748
zi_19YSKCJ8ENn15%%@emS(?#tLH(cmnr0BZEz@MfxBK}(LCd?X7c9ZzSHCyki^n?W
zDA+AwrdhcH$u&mZ2i0?~OH9xkVa$<+e2uO%R_dLskV;o5`Z=Qg#}AAUH(J?b@7@Bk
z=|F~5Q*p|ErHA~4t_tl_o0XcUsq51DJ+tpGkmlIX=vF&Lqz9OJ6?L{EDqu!#)+I!N
zZeA7hOs3GN;3I-W(VK|e2;Dv30L1NNF5jQ|-Nkoz6uI59M!T2;I|G2bljKhXo9Sfb
zY>$eY<#gPUJh;cHL^I3MKM~xZpUkg92>s*gW1#+|Pjy)}80X#)Sf-h0Mc+3r;GLi9
zL|Q2lvvDWv-Lv69j>(uqQmHw8=ygGim17_)7JmQ0)9y0IqX?X@|2GAAs}+2;Ig^sv
z`AkM2{O05jXBDP?LwsaMgUII1+%+t7aZkQJ21O{leDW1yP<&vrfXt8Y@@0211QkfY
z4wEIZJRsSS;bP6qofaB!*Jm^b(-3rLL+wd!vD3vB8Twml{^w7yXBS+tjGg+GYQI>v
z40EcZN7xJV#{T{EC~9arVHOwI!{2f=|L9J)ljzJspCQ=>U~TyCN?Gos0aX3&UlD#F
z?GLp~(dFNziRk<>a1TlcX9zWUq&KcdKh&$fAkH;l+akRvQwFxIOiFK99=8&Ym4Cbs
zKdht?j@nXrF)Dlq7Rq!$bCRqoB=y5v!%dfR&9UEzR;3W_-mCxqcr?vKG8AR&lgmg`
zp_uOAQo;1(xr56r|03Xf)7eRxth7ezdbRB!><Vqqbo{n0>hkbZM=1M=I0dmSdG}z}
zl=|ZC9CY1>^hN!ibI@7GiytDS58i|K&bTQi*Z(xfdgHf4))eaqzC7oA^P&A4dEV*N
z@&;lOc~17mTep~~AS|7zWN`<v3Ci#u^(aOi@snT^j_85<&g>rVX5SUh6aD#{W?1tM
z)rtE}(oSo=;s)fFJjYJyiQ|V;-IGrraHe~QVN&l@&`(G}?!0e3{Y$u6`}|Y-DX5k0
zIuH7u>p$o^$KXu5s9nd_#LmRFZQGdGoY=N)+t$RkohP<!<K#Q<cYdC#RlBb4y{q>A
z)79Op*1GTAK723$Gkfnuk0f`W?GDd9(u@29!;AY3-y5?H5c@pw4%u4R0s!`b`$q3X
z@rKR=_k+l0Uaxdh1#)X(Lq`6jwr_zK`iuI0qDj*?SvSA5x0b0#Og>Pr)a*gsoc^Bg
zqDeQO-MsRPscY;5oflS&|Dk7oJ8ip!KLByo<%WAFwJvrIm~YT4jin3geJy*(H9dAd
z_kq_bDhIM><b&@M>%-M@(bb5a_*K{v#8-s=ggznkmE#lqgR!gZx?fWKj=TxygOWAy
zTay0NH{W+ouP=9QVh3dh<HXSe`~$oT<|{#WA@hXV1Mh?N68szE5;V7n{XvXN)HXn#
z*;m;1)VIVoeP-6@M$_YuFaELb*!BYO4dTi%e{2_k`z^Q50}m{>bYKT|=lFyO54dHv
zLq9v_jQcy3uWP?&ccG(RKGrxF|JC-zY2rIV{(6FMbNGLP_p`$LP5<dMaJ3ZCAos7?
z{{&x>x5qG=mj~Iq6Xg2?&C{vo#X{q1>2aO>j6rVB1Rw9SdhS=H{P*`(Df`FS!XIxB
zr1yte>X!$*r_<ewg@JFI+^^iVQoSyDdE?xiQNAw3_Xm=vQ^|{kMBm5Lp0@`*@3&gM
zPb#msobPz~?dP70g{~g*)RWWqiH+o~o>8=x1mI=an?<oA%pIMP{+#1pqSW5;v&p#+
zlPS0vW#IK3$n&If#r7KCdAdoCuZ5o1M_)p?B57ZWDvE=5*c~?TS(X8MFH>vB)p=hs
zMs{0~F9~cN28ie2{fLNir;i|}fIsi@dZ}Mvd-5~idMfX}eB&{UCMd(HDX19H)K0qW
z9x6vS23W$E!Vr4gb^_l%fTH!clHw8)@<&OTuxp#>#x&XbE|1}du$VLa)oQEM>FlUq
zcmo4mK_Os};1HN9q6(Hd&OsAZq^&H%0nP`bEU(tp0z#shV5z2J^I=aWERB(o>FcRZ
zc?XjdQe2&+c-5rAb6J8|7Uf4gm743hR;=t1;rruuzP2^Z8&%#@&ql9XalMGUZgm<8
z16dfX+<+?RR8D!EdM6jz9BPcaGwz@x4aW+h1*LMnCeXj!J96iLbrk5^5iz_9on{&V
z)Tp>IY8JdzZSGo4tm<rn%KP_JRL%YNChl#F=+f?56=V*k8l_goQ_Dn3tx$(`*t87d
zu!gKhoDJMgEp2?wZAUp`#Iml%L8@BR)MTj^mZEKobClp7j?Gupe9`R>P`lZV<5%XH
zIEBjxqEn0$BN-XolUkdt4gcEE#|{tU{M)5Ipwy?J%DTm443psD<EK(}Ze1$IGsu;-
z0h!H6R{xw`rXJ}!<M3Ir(P&#(9!_@6``b5&XS9`-Oq<Qq8JF)OHgX<y%1g{&r_Dn-
z+r8zqEW7FxU0Ke##a{mQ_pfiMG#}mKVWhf(i&hU%8b?+YGQhLk!!c_qnTm=-NLOIX
zurfmwV%9kLYiW_{4&c&~jHntlO*m=l!G^JGO|hCm*KWQ&s$VKoc~Sb`4mXn69v+xy
z>yJKfTTxPKIW%Np2y(i`oA2BC;HRauHz}^#>gcl&_unWQU{xfq+h96Iigqt`;NY>~
zA!<FgGF>;OmyEE)4Wua5P|~F@T+E!RQ8`w8a#k<tsL5;}uT*qc^g&ni{~8{pb8o!N
z2>akSR(HRLji?6SCre4cx76;gr=_rXKA0ld$T;p;Xg^3QXN<U(3s>aCV77O#GI&)$
zFTvWoMHyvoYha|nRE}2;at|_fihgi#FB@`5PR4#zZa^1Lt$58SUsYb?N3?m~sBt%7
zrNXwBP=JvlTV4$MXZz+%sio10jvT9*A3S1(_u4J(C2Tx0kJ`9AhlU7=JU5;YRNr)A
z7gfBWZMrO#u&c>bAh#-KVjj%kS}n|TRCxfDg4TySEz~h&wYgsy#JDds9B1&aY`@gF
ze%7s=FMyLnmwDJK`-P9Go3K66T9ABsvn`o)PG0Lbj{fA!A)CmJ{IeS^7hgmaRv*SF
z0R0Iu;|9UUAf39TKwB&413HYJb^*lQjdnizZMc%SlHo2^-5UBr&9P($QccSz62L^e
zWobhvp@0%(zc|~ZLVXo>JqfM$@mo|*su9){Q;(Tr*pkwA(K+>@f(IyqdW)vfO1rh$
za%hZ+y$=`Ebw`RqoE6PPT%WSM9Ls<;w#<G>h2?B%q1v>txkNHrh1d%HpzT9!t*pn+
zHHvL7$6<0}wI2bpNWrB`b%V2Ji|~pjM`PJ|(81G8QZtY!30K|4-P`scnKivW#-U<9
zgDQ9OE*u67B3}^ts49&NQjzr-o5MfXj0I+|N#8dk4=Xx?eQMOA^#FE^lG4g5nJ4ei
zqVDbux}?egLXhn@p28~~iXF%T5XKGL4zL_ZpYc<&4y5(nAy}N`(ilV$D3wV-DR9nm
zsdFz`9s&nASe&rU>T13bzp`5QT0jMD6VM76ro!X=f~1`0v1bLSN<=S&92*yqEWCg)
z$ZQi(5>q8c++UTMM4YmL1^Zs0)8kpF@cRRi3&Si(x>@`|NIzwPvaPDGI!A4L{_$}I
z-=I8#xp9JWBn==HP;5KgUJgH-Gtq|^aj5RmVr>E1I>?!+FvJ%rS3g|MJt8UXB0Rt4
zk|Y{?7%2ZY0-O-O#oBP&e(u|;)$FGzAIOIG3bVNuts|&9_))N|UM_t|Bq&xhY@z<v
zt@IGWCm+oQX)}tzxAUd2$Y1;J$E`$Bo;1izz~sM~5rKf?JRzcaKxNG&)K~@9vCKIF
zZ}|gT{87VRN(|z%o4pq7bR>JK&JXYq1U@<W4kB}(hveV(*1d1F^mw*0W}b%jz3uDi
z@vkC7U-#hjHfAvN_9K68Wzn;}8={Pq;zYayOi9a28SUsE9XrQn<~C;-qhb1Nlr8<a
z1VA(VK?R_eu;EA^Oc~aSeQIU$l$ZpsC{u6>a}3+ae;<MsW$Cw(uN5zXIQv1cfI=>!
zz!PRqX(BwbP3Eji3<m@KyF3$H>?g!41Bc@Pu^!~v2wVO4%Y?n)LM&;M;#)+FHzKQ$
zV+U6q(clX=K^(8{7X#?2A1IXhb5R97^+Fl)Q@dvRyn;o80XB>N|BbxMk)?q+=QI<%
zkg9<)Z_H-I!Y6|i=Tk{la<;PM60yfxcupn{i_+qG)OhFUjGua!G)c}A1%!1IHi&X8
zFI)wN!iM-vc*0eR_-HyaWxtHt5(N-TQ;L0y-+TF%Fe5Ik$@_%eZgm;+3`ib(i%t@f
zBO5ZQe1fur%0xNHujTAH9{c6&8R-aD(HY@k@5EQtT8GTK1#S7#EHg%qfuvim3oUv*
z7^;y<Qo?OvCT6-m{OW3u&E#vVDAn>RMkf?`znM#RGkmmZOAJK1uOYsOD-+jr(kI&6
zDa{yv$y%xpN``g37%B@}|0|a?rZjPb4RS{fnL`-(QHb>#U|=zDn=!!5VJL$ih=Tf`
z;DPy{&<`=d55BxuX=^N0Tm{T_e3xJ(bvY@mo>Qn!qSsUI82dGh+0Ex!E6G=klN}Zn
zTtIK26s3VMgO-A~g95-I(gK(QOTgO#m%+h}snRQy?JFQ0t2n2#%;i{*Au)}j(T%bg
z=h7@E5wlWQ#oK`C?KAFxr<VvQuJnakDw2DMr>Z(3<si9%g0*+Rz0~1r4m-H&hFzz$
zwU*0|%#5sfHSd7za1}VS&#A5{9W^sGIU#6A6y7k)#~DpvOR<v+N8??7bK=<n1^Wqd
zR#+b}{Yi2y|HT1OHr_D~|D!?WP-GwwM0sA|Ac8eBV@uc>ego0Z7xW_<1T~DaQR!{|
z&NmNSWg+1T4C|+rhXvJp(&^v5L}@#A2z>#h?ML$sQ4RV8q+z1C7SbV;!U|7g9^H_j
zM)5e?B-RG4flvkXHw3s^5gk<8ueg^<P7`PYiUthbeq380pMk*6aok!T!H(AsRB2;Y
zafoYUb~glp-KkYG6z6~W+)nsEHpTmU@*h_X!2idY&QT!<z}^3Ca`Z6Ni>yys7p062
z#0~=MFPg=Kkp?*lxsk<$lLo4dDDmo&VjJqkeXvfrJ$-i>_aAF^<NYsBv<Uyl>Kl&`
zo+$|6E);db{@G|N8vgJw)(ZN8AUM=@g8#7*I2*-(T-6KlA4hZR2YTTgtpDB~zT>6Y
z27SdJeHQ2rJ@owjAJ_dT-u}la*Z%+Uz#VVgf2{F^ZGuiV&!*2!2EaCfP=HneX6E$8
z-T|TVJI!K(PJ@#HE^!zK%Y&nUBy*5rQ~*f=*?(P{DLBtBjd*O$AA#rndt%>+&;IZq
zFYkx^$5S2~v;VPXEYAP(c{&8|LQ*x$ulAz)NgyhJDt)qJc~ETuaE5GUGT=mi%3c+@
zbf6^Q!(I_NN(iZjI>q1;i>fhbSvhm;sf?`IgCH_;7EaAXl>cQb2ciGi_-Dm`{C`(J
zj6(CuEhj?rx|}H3v4fU@RrsZ6vBTQ|qxCw;rGv>plmIDnnt&)kB!QxE7GqKXOZngO
zT$?H~o!1G5!gE>A8W`cRo&3jD0}%glwDU^de_W4%<Mbad@A}6)YlcE{@yzb}BOspN
z2>izec=#v(an%6me;n%UmiHe^;EhY&HaRq&08?`!T5&>Fx`X^vgv40|`%@k?CF5su
zFd*chPl;8R=CmS;eL;-ok^toy9;!On$3;_z%v?pPmJXiIOxPGPZKgSQ=4k$jVs3=D
z)(&k`BeG7O7yN2&fuNP;pHf=*W7KU%wU!y?GE(SlZ(a;u%}PBKbFvcZQ^v9hP6PHA
ztOocEB)TBf=(mg5u|L;uf>EG(f05t#VW5)&Gy?JQ92w46s28JWHE_yxh<SFmME6`r
z?`f%wu?Ev-|G3*RLV7eXb(Jx%=-_hIFm-h?`3e{|bTPj$=7cI0_n5_Nmv+z9L$|xR
zyzb6!<|+po)kDpy5eOQ%yk^hraIU8IsN?+u<eB&fy?TtfW<Egg?T^YQu_jHAG~(xw
z<OrkptOHFj-@Hru_Cy|>15LOJs^L?BOLX=u8g>TFkuz~<l;hvtA*6p5Xu_xXhnccz
z)CeYR>W>K~J!X+^I!(`;BgH^1jHCpY1g6Z9O)(8V1j$%2*z8pylmw@sDkqb!s+`K^
z>_j^lKXh88nPgH<WhR`-QeGm@lNS9`WZ`^+T<XSGIfto`MXZp8u8>8jkcFza#8a_?
zsklU2WNme<V{A3D)37tQv$NB$Bh-K{*{O+svlp-U;1vQ06h?u-C%}8zs*p_RaY7M^
zf>E<%Xwy>+)X8G1)oNEdE5arP>{%=3vCiZLoSI&C7+MuV;jt^i)|tXqI|8F68JE&T
zP|X%Z!ZsP=uHYmaXgUA&$4W)l8H}B3JJbT%W`pVX=HKoDeRkRQX1%)iex}f?(aBVr
z#Vo?G2vmk?itCp&c@)}Ek0F<BLs60%#}1}TTpk{kACM&pvbgMGWLgGn{n3?+mu4<x
z;zqn?F&4R+iJKUqOsy%CZc%dGbr4Up@QkCRA6?`hHHJ?(1s{^A+Qe7M#88RE*p-bs
zE9O;E&@MUcnq}OU1>VxCcX!ZCOelw&n6Oa_nJDY5qHLENo1{)SopU}hw&KJzBOC8y
zWA;9z&`l|PnHV3U9587U!E&D%vTtj3IXt_kb#Hq_kL;1*OC7V-E2;5L=b}?SrY`iD
z&{#`4WlE#b9-cS3kslw_5ltV=rA>4wuB3X8(6phS6A|rK=65Rph`4SzQU#{Fyee)i
zY&ttNbwq(j!{3Jd0s}l?HJWHEE>Z9-S7_Umu>!R9njT7D*ObzAjHjwgi`_|09;NYA
z+u%iG3V5tU|Gvr{S53BEE^Z#GtLJi_n*~iJ^fMLH9dG20<xn?fD*?32t!fqzoj5er
zw{R`IgH0a$l5}#IS8=XYxPlCqI}B+KSL27l2UfvCv<lQlI{ga2(a++PYJxQzo9zTl
zi%p76#%M6RC(kH+MfWEnw0IYh?*mr$CYXrY5?M3#LHOJ59KP=j81*7+_S!QN4rcUl
zliA5zE)j8@$M=#%UnDi>si5SMWFozwBQc7RhF5+aNjVj_->IrsO%%{*snDV54VFvg
zcpSV+{g$O6li}N*%`3PLK)r^Sv?o#i{l|@XRV2*AUqT0-@X&B>kCdW5sPlG4`wPyN
z2Fp+Xdny5yXuz!3mJ-6giYxm&yM83px2fvr<1a17?pAF7)b(?p=Ty-r(XSaM9+8=V
z34iVr1pAJ#qeVz_YB%srF~srd1#EXrRFeltDWNydB%%G+Z=APZ^4X`X2iE|3Wj4G5
zWV&rg3&j0bwAb$^3NjkjclcW;iIWg|QL{%%Evn@(+a-&*Zw8Vk3Qwn3-|4Di@j&Ir
z%OnAW3~}mH9}gLkFb?nTFMMz%5~t%+`BTqwkhaG~imx(sY_-!&g~qg_pM)Og9AJm(
zqT@w!!q%z9C$9g5&O^%y3H?=`2Q=XkdNC0~nM}5Xy{ikuRCr#r>rl80|4x|#Hep%d
z{FCI{W3OoxEffwKc#+5{@vG#E4}8vUQD^3xZGvKN5UO7Gw5Gc{XCR&{;!e?%Np+6K
zVL`|PVi(c;P?Avq4z*3HhDo$dS+lmYicep|L?fELG31L#0#l^HE(}DG=3jW=-fuCh
zw)TqPS$yWVOksDHkdm8kgd3#GL$w}pj9>v+Q<xSFQXlfOL7&_Dy9g~qOp6z#-16<=
z?}BFL;R&H|7C2<78=sa1IZL6-*nCE8n`?Text>4CjN?kqep+R6O6nEOXUb>3jn9X-
zimGM<#~UV3lN;%ie3K4l(qxVDrU^30X|Rj}0fb?#eq!|nP@<A$s^@puuC!X(=W7Md
z`D%KC0`Otrk;Rc(HmYFWuuY<amPr5zFIwXx&*?T-iP@*;_pg_3{_blG1jlK|8BSNv
zr{lKcAN%L*K3?_dRQ}ox75A!!;)cdM0~5>`Gcmy=kw&0}``Ppps=N)I6EnL-^||*G
z={NjU(iaaedN<?m@Z5nvH*(shmT6`yWKZ}{q6m)2t^_TG)^z;3_*A}%r&W`+xPkBQ
z2<^a|FdI)C9xxn#iE(Y{bNuCpOLxHC2yt&sy>N5`TlQx#V>mP2{i7Q|FOn}*FT5`d
z==ycWx<>TWuBf+_w^YVdx*^rQtPZaq*5&9H;pnD#oDj4?vgTsxgw=al_24;r@M}KE
zw66TPU*tKCrB6(HC-@$)xT2a{A#mz3%<`IcDDBkE_M~qwUj#qEzNo)2eTVd06F3$I
zCr!~oc?pbkjkXNF`lpR@O<L-%>#prwYC^f;TkYVVabw*YEgO!a3p-+~@x1jP@|l!l
zlHaM$B1)OcnF<^JHFPy}+;K|$1tRsMHw%=}iM|4>!2*%$Lco1tn|&jGV7x&>{4gCh
zz#Za!vG&5#e>3fUB!01{kOw`k8WL6*T^C!wsl8qI`+UCT`}oBd;qRVKkr+bFm)REA
z7V-L%LvPHcZ1h+j2m#8yya4xGuv+=EQo4ixHTcE;j%IdX*+u~v*6H1x;vMK3zdVZh
zac#l>a!A&6?yyWQ;2eH{z9r^P=fTbGyBGX|_q)YN!;?WK*_--?J!Jbpd!x+>;p;E#
zJ!}zdL%;*$<O)3Ph4f4G3CX<Od|?a;9zA92gy)UGH_9F2PRE(O{QXJ!K)IOK232}f
zJxMYf;>w6KyY0uk1?K*0YYNe83sRhYBKst}fmlD7`hp<RUHmVuK7Z&%z6^XjLSASh
z4HG6``Zn_c2PrI-V=@=~&4qEUYvaf9JN^9z11Yn*1mMNZhsYaY)N5<I*Ep+XN)H(9
z0@3EeD_VqaJZ7T$0Nt4q$3&<$Z~?mJLv&!nDcbXi+Y%R)E9qAS6iO>X@_~PB*4Ck?
z-`ezE9{U+@K>+UIJRo8lOgI1!<EC%iqsD$S*M-+`e}xPlBFAHA>2F;HV%QDwJitD|
zvnONh*y=DtIq0`F4aT<xJE%(YwgZQeS9s0I-jHg+x)@Qs{Vq>-#~Y;ZTW_bvy;`Sn
z=0s0ee5kHLZM^VBYHKS9R4)~qD;uaL^~UJ;j_(>@5W3T6?ih6sbUMQU_Ih@{M_Wfe
zW4wJjhz*&0)>;0Wpl|o?Pl7I_9a)zK($+9;^Aiq}fXU-Y@=0IDjx?Leg~?_&Jnh5K
z<ZU(ls>yPh8WwfSiNm|yyQe$H!_bN6WM370n&(uEm~NMgnUO8dr;mE_+xR)1ydK@5
z9(n?BoSV<_fbp?p;@`H*<GjgZhtIcEts_v_;IAH_4`;jrspLQ{W&t6In0Gc+Ok7bR
zz{1=HUMO#zpAFkWPVJWXXW$;<zcgtn9rwZWtN^{}uuTnq;1s~a@(>wW@bPGo=e_gY
zAvx7N!#NNmZaFX$*hjRu6#Ow~0u$OGPZsEJI5`1d2qwg99B)YO=bFtB)9sRvEL>G@
z(4MF<t<crRT<*-N5IF=UDf`@1X2~-JdYUVP-a&H0#^6}HokKjDF~wpw3G&5!gZhJx
zp&CWXx1ky-_Et+9gi+cVn(CbUjluCxIde~|{qaxu22FU$YvSu;^qCeckw;<X=opSC
z8h)EDGJA81s5}4SHSDDiYiUNzdhy-nuo84D0U4OOu~tazgK*M(@}aV}Z5npEQD8lB
z=u#l$P@nzl{d~J|y|BV=t07Sc=l>YEp!&`BQ5}YZiM<EBLEnQv%UC?}lBV*|K+{yq
zh5F3#aA*%Qu^nA9lbaI|+#}0T+fqV8&})*p%{-3V<}9kK7fSv$%N}xx`({z1GEL4m
zSv<ADcF2ftOUmSAg~|U-HQHdknAq@?09EIcg~5K+ktkg<3=43UKW{uLZMNMlO|LpS
zWtmMCq?>qV+hr+`I6KF}!sBFOg27m!ixW}^5<SEo0fJwaITURn@7)&#gL4Bq*rHx9
z<kJK5rE1B;lLw*V1!|x#_%%j&N>W{v3a1optaADgf?X)d@W-+gW>R=^V3JrLx1DNz
z6h-}R7UOi+%ui3&B-5CoVk1XVH<$l65s#{C{|B~vxAAO)(K&!^LYXAB7H7Jg+h@6+
z)OHEWM-L-$*7NSKSnaPSU>h-Ni}&WhHST81YVM#LB**rHYEkq)<T_)T1e2KJZ6@=!
zg@P%Kx*;^LFH$U9ZzfN?pE7Z!86Sf*w<bT%#xjK^nsE{v7V4%$=yFxU;V5<t<*~hb
zA=mOn@7Kek;Xe{nKK9l#wNMK9zfo578I!5@(94h@zTxZ({Q$V{!?2^299YK+ChH+@
zB7E#BoG*q}gy+_@KraOkbrUM%QVQAe?>2wcV-E2=Qm1z9?f-^OE$xK0a!89+*iI2E
znH1@R{Vrol;08icAq&bbiQ0kVAU$4}d!%ZjYGmqQYQe6a=1KErc*gahySIK?-B4>{
zZJco*rPPko$>@M4+eq}Lcy@cjXv<#R<lO9t`F8L*dHdbLK0+L=M%E=+mXJ3L2-b%2
z1~qI39Gw>wF-wuv)bK4M$&)CbPA;RE+mbl3Ga5~xj}SEcr2847ud8ePP(hb;t7|8c
z$EHX3E)-0*L*BIcr0vpelh^0VXPF4360_(k7fv1WHYRbW!S%J|0ysIL$qq(?vKD|*
zaBHl|j(f3A7yB*ks*o%M5pY+th7TS<v$L?pw{l#Mb!5<8-j(L}gG#z<<SLiU{X*WC
z>1k$<RNB&s*%uB=ve|G-oDU?aSzA!=vlh;@4>|#Db8Xw4dn$jj4UTz^qnq|wk2~aK
zSJFcfm;$XUvIQns+Gs2DMYJTX=2GWRl`<qz#9AOAhFS;%kiZ##n~KOK8G_qG5hMli
z!1xi<_5IZd&?(bs1xsY9X0}bhMt)T#yI?PtjT&2e=_oah#|#@0q}aRdcG;Eaw9WHw
zLgdm;G4vP`$VGl9G*g|zwV;oVx?smx@J=zDQ_}tw`kfXq^he3~td|zh=^{O@37)LI
zd{5O7XNuy`U%lvuYDQ9qRITsCC$S?yK%_48<(x%3vw@VM3j&59C1!6)Nh}yFAu1xl
zM20sDjz*Ncp=ujUSB6wxmY1%57Y7gsfis4x$WpcihN^%oKZ(Ld!D5NGQ24BTaplwA
zgNcZ8BVc16w-lU1KccX~#pE{cS@Y_*D@=#qHD^~v{yw3TO<!BoKKp`o(Vy6Em!=Ia
zSI+yMsQEDjS}r|bojj2b!;g1{-kt{<H-7Ljr8G|pLH}CGSuWxk&f@n7TLHW#^KO7%
zV2Az5xHT@H?cJAwxtDz^QBW?=N2MnvBd2H6wOPCa{<GsV<+5}Qa$WIM8N*_M#MM3C
zN@bv?m)gd*FpDela)cSf%5n^kj@Ku*hA|4;&dDV<4}XT4?e-VsnaqypSEJOJ_Lhgg
zD3bSC+Fyp)d!o`>LE%X(oFT_R4h@sdypEGrQs%)dGR?(=0gby#(6guv)ebEw`f+W{
zYb?ARS<E;Ja}{iSisTSUkU<iOF>q2rrdJ73NoHRTgbmI*LpS~4NosvHwq6oE(l+_O
z;IZ>-<{jNqORqtyQ=+@f)+wv#i~M%@Na{3Y#)0^MCplqW%_+*%;JlO_6RmMkD;k|9
zO`TV89A&4fdd%*}<iCI`5ubEcJ3gv9GQ8>wShaaxOXrteg@TSkYuZmTz-e<fur}#k
zO$_UsrEA|CSu-u+0ZqjlilO?ByloYoezU0bu5vY%&su}axQ0}@YEKUQM^kx1I5*i!
zDP~Pt+5X;&jl%c!N4Z+lGf)t|8et{reuQ`kBK*-lYj!fuGz!pwAkyk`)Z$ji-!!KW
z?(K(Qy~Or{u`0EZmT}h0)odL`oqM7q>RGW^$3McPvRxKPEU?GIg7M0kPLBn0*W_T$
zM9l)_l;y`iU-pY`x!9GbZBy+DYuN(7i0cB4oqv1w=G6C?Y+HTz>(*DQuh(~RO<hIg
z`m!Ddz5to{xs1brdh-tS!t_FuI@$xBEGaFK&@W1O5XM3q<cq2VJADW^j9`Nh)uOrg
z5R5b_fU5}d|D9cYkIy3NxN1LF0CW;a2sO#shGCxxYiIKz3x#0QGzIFbiwhfsz%%zD
z5f~aI^^J%_Lq6{EvG`2|k;Y9$gyovRdJkCj26_7lLj~@LHsW7-BLY$py?CDeu|nIW
zmDI!Tz&+RA&LIH&9?zSxw?__qnY6w)PqyQsIEI{5@2SeJ`}tOY>JE>cnvPz!Y9L8H
z=mdOmJqg~9scVgG#Os>(L5E(C-yf2jisy52az;xbX=D@NM?)#F))>nKtYr@n)~5{*
zi&HHhtL@w$<&TMVYnK&_zjc59jaJ}U1JrKxXOPg@A?A`9e=qX0!x+j`<Mr>vGE#M5
zE>@bpL#2bM=Wn;nj7;8kT^e~^8PlR2eNl+b39z7C#yTjf?;)yFlNCc6w{?O9dGP0N
z+gYG`Ss1j&hT(n)Jm88Fxrp?FN2?gopGp*yCWj)Ssfef^7x?qZ6vs;F*3n^CbH`|j
z(o|a}LxBeK1kgT}OXz^G7zYB5WU}uFT&q7{pZb)UN<*>9o<Hln4k9zz_HIf`H>c<j
zlH31Y<m@%kJRAGif1*)u3e6;iB$DMif5{T~hJ6ATXqNhYco&T7^&~ByvWjgD$6(gy
zJ+FTN=M(11uh07n41~@h;*>q4i-V5zmjK1LK#Z>efrZh`(~<+>m#0YR$w~wcXXUF8
zze^?b#q`hy$mykCnMQa0%v5WE&Z`%?u3Y-i{-Q<Eig{;jgufnub0H@RV*1-NOPxhc
z6DnX<dlRhii{%eEP3xXc<xioSv47au6$9qez7m<2i}s+C$l%2`Dx+E1v^lgUk&lX5
z5S29qaAd|XbQ+CdJw#W&AmSYw^NX-XEw^GfNWl_%oxfMO8fNqAcd{2{JDW%|Q$qMT
z1;w2zw_JDYSUw$e)5Qbiv5z*N-}!dt{VWZY9-(IE)f<*AUwg2GGTpM@V~;zIc;l)R
zV>&ju4qOJrqAtw*p{T(}T@g+LoTlF0$MC=s5@L;20)0=Irs-$&nfDUiIUQi6B5*md
z#+Tv8RI3iR@hkTGJg!`lRd`4vMI)6XwLSHX9&U4@>S-IxWBFU;B$uvBeX8+otq##D
zOw!VPDp8H8HQ-fnY90FsDab;2<tt!_+#ObBO-7fYm5=5X!h4d6;0fNKR7D_xR7CqX
z5E<GBROW9QFW7ptS@<2DW5PwG@O0Fl5bel70q?R6(`?1psexpVXjN{?MkA%o;zymn
zUNGw7#_q<&9STlpR)azNX#Q-Lq2&;H)lx6AO0P-|ci)o7gg9AX7D{Gvi`sz*NFbA&
zW3Um((z}tQt3N2LvFh6B7hPa8&cA$nt04W#YR?hsC_u0yU_FvK)Tx7xN#F-oH7~on
z@-QEBDuD9i6yZ+x61{0--10L7eFXB#KT5&%q`Y|<N2{HD8q)H5JlwA3Qre1^w$-~I
z8BRa#-JVCJX*=<U<1?FfZCG9w`7Dxv{MXYBn>lTL(fx8DnwsrCjAe!#Lou_jYvSuq
zL=kx%7ctC5Hc<wT5NJN8RiYX4A-re%*@M<o^UhU?!Sf~2n;7%4!m!6r_0@P~?nUCx
zQCUmekXyaB+b*a8skt|^478IZ#2B0O6k@D)V>nrdTdO3zqKf7*2QYCKp;hbPzHBC!
zVPq^4Q)kjhM(^@SWc1*4@qefV#IHQVQ5OBF)~VdA@Rpu<v}&<<w$SWhtG--n&~n|!
zoe+XGT8+;;S|d1t&%)8bKS8|t1In>8?o3-#5i|$tEwB%)Nexwanb+w*d-*Os(9ck2
zQ_<RIp!5)!c>?)B`#BqT2aXc}%`f$u7ZJ(GFZZ^vy@;4zWu~;8h+v;CIfwMrDnE-j
zZ0D^*g1&b?z<@3|zQS>+P(}sWh}I;$^m3E|v!6WVhSxXEBf{FR`G<~M!mlUCaZb|J
z>HF7W@Oy0IHAVI7*E1lFV4XYtBwX>mVT6tpX0LxW5*hl!?H+L@p2iiP=W($&f_!X*
zCLSl~QnL=8_Jnz?Sv^vfs-r?~C_x}CKAQ>>EI%{-d1Ox$8>^H#{i0>@r?(&%L1^OE
zC+#A80{CXdKtb9u@uMV<$+fVy5*$3_W+4HZ;3>cgy|R`)6FhrDvQ=pI!P1_eVVJKU
zs#=01dsxPlA@UPRq9dX!5-n2p-bSP!(ik#p*t2*y-au0$ym{EW0bm6Albwl!7EsvU
zIAAy~S5@<^>^Vc+B;K5@e<+VM<7QTF|K3s^Z}sRuZIsty>H);lI{VJ+jB}YOXT#^r
zR+$?g4WuU5vc5)=ELz;cV*1vyBhhDR;^P9yxh0JAX=V-4X9GkNXP;z^yMCU(Db$d#
zWOzSLEg2;#8P;f%W}8n_U6`=ms4g|m9H@=kRQk#;E<N=OO2#g@32W17pi9{L!g>uu
z#w=ZMl>@yHU1~!Crdu>z))}@xy&3g%O+PA1u6-y>-O%mg0#!hB#q&TX@|=iE;zfh#
zR9?)zJXab_=VEnsLHd?X5aqEvlGX&aTU{MqODBt#J7GOVt$hcXGd!lgF(viKl22V^
zA4z9e*UaImU723=<XaEjIkOsJmEC=K1>H>~YeMc54&Qf+&0ki^l^>N#m7kT$o}Zq|
z?Nz3>6I;m2M2*eEUa;vpuzsQeFo&?RQ?x_N|NcFxr!A2)xjuHOCfZlne_%EY%)s%(
zet=~V>{VWOzIlHe)=1`vKgGkLcfYk;Q?+U4P(_Y3l_R?s{_B!G)ww=rvH`gvv`C;|
zRp>pl_^Sx`?T~uDxS$g3#fMyf>c{9ON6&GgR3jjaEZ?M`>Q((}S=CS5^t=vv>AJ=l
z=?z7YFxl<Lzi;+IGPOr;fesZk?N&dH91J=uK#fZ)atd7FS*RyMt@xLaV>ED%yHAqr
zU1W?;kz?K?N#+;c7G0AfBBPeZW{9j!?7vH!b%0A*v~MH`4W0~*M9NyxSg}_oi?dd@
zO`Q>h0J9me(_J~xR6696ruQqGy0|3c+Bkp0a60SrB>cp>-8xxG6qn!Uk#f&9)X4%L
z=kA@5N&{dv%|39GdL)L`uAf3uQjBy6FLuVZ)cvOk1Co2yzhDB`b7f3~JKdbz^(V>>
zWKSs9cAZp<m58EjOX3CU?~62zf6ZH(Iv=;c-OD8acH)}hyqA*VGe#T5!ykE!LdbR=
zEG@}I;eN#~AB*bdie1igcdk_0dup0RuSb^m5t2utG#0vHkOr8BF$DxFm`I`}$)r$f
zDkYoe^!_BE{}ve+jDq*_H~<%c`>!_ko#n5e=O-T{_&GEw9-jPe4lI)x5*bSedxTy$
z%9H|;R7`|#Q-&F1#(}}WP@m)w&tNL{^khJN5Q9O53+`WNM27k#OAsc~Bz}5YwkC;}
z7$l!*>(>5VPI#2!w6b?blS^+~L^Otgm9hllANFZU^6GQr0=q)y9(LQlJ#n>k^~k&!
zpn4BN!pLCiQNYrXDN{VZ-Jrh&m~YOog&(6NBU&I&V-)pTpcJhQ$a)L=#k@a&&tM3S
z=H?La(~o~4!osR$7u6gDpg{^5KbkBW(sFG?d@YxhE{0fG$sM*(UkE3w&h}to8R8uF
z(_fa8klv%Rjh7*zFbGcBFDr{X)yr(#Kj`Q=OxeOnohB~IXMri5Nx$7}Q^iTOe;OA#
zpEQO*-_YsaZEf$)AJE(8>G29215jnMCkjzPWFy#*sR~e{Xtd}_9(NAHmAjm|;PBUV
znysID%{=;>0g7Uy^%(UkEnQk&+%PBXE`8R40j2m?pvTjaxeNrA2q%23K8A|)4s_WM
zBt2s9NnaSO{Oska3>X!3v)+K##fH(Eh6sq}KL-yW_DIf9&=h`8ga}=exDY~IX$!h{
zR!kW_@Rh4zyt;QzQ6J{!@=@p?#POY5C@dDz=t`?$aRTQ7F1$?*aY%^$Qrb@pQx&X7
z935PG>~skoXCZedcrEI)Q!Q$0TQRFR+gbKo^6G!L9M%zAb};DP@8JQLuYIZmEj1qx
z8Tay+df%VHR?7l)H{fok&%izf6tS+7r;6Vab}VcexMNWVs#LLb<DC>&NUlR$^7v7B
z5)~i#gc(m@1zDt$owsne!;)%nAhoUH<H0By`!l>?_sh0?*9ma#zV~oO7ohM<x-GR6
zha&8u`vm~+73W~}OO?YxhE~jBu7E=YvftoGU>c}MApX7GKrIMf_O6M?QZ4I;LUZ(e
z4T>#WCSpPYqfoY#2Av+P(EG4b|70XnnhAb0cGl^+Y<ZR`1K)m(`WR@uM4j;unTQXX
zxcV-bJhL91<9Ow3uwdHUEWO$rK~;G8Zp7Xj)||D*PGp-j#G8|4z}l}$aDj#K_qn!^
zDCJ0wNsOZ)-iAvu=ssQ^-sD&=!kH^&w<YBdgAx@Mf&HOWB9$CWB2ry)L-OsRzq{VZ
z7t2ftDJ<8@ils`|%y8{Ep~|rDv8CB}F+UP6{eTA4cD)yG{TOXZx@Nua1dLhLc6_z@
z-*Hhz?%Xx<lg>U^mwdG318h4<f_+hYEWVySI*#~0kWQvd^4OtUhHlX4!5Mr6f@v4+
zBU)j(^8e^B!&pu2VAu`Um!^9?#;0RuS#tOn%DFjM9uIfl*$Z(!{n7MDt({OPtWN_S
zbK0Vj%?3`!9LtRUYnji)X-UQYQqbf*cQ(GCrpO=Em0(V?>py-uPbdon<`H8`2-SQh
z2fy69k4e}VY?s9u_LE8D+!LzTQwgsLA&koHX+Qfn?=)w<+Z(}m*8T*SIEq9;3UKgy
zfgk!Qs8vhnl>r%miDDeg)Nq7?HqFqkW>VM&GC&%mLbC0bq4IY_F;$|ZGTv#mEQ#GN
zXG8yvuHEq2^j5~mCYFs6KMub&gRoC~n|h9alX_zb>GH0#m2#!aP4l{IFgXPD?DBzj
zT|-{3BRu5vbyA@<p{w?p)ML<1Ze+dMAB8UtFFq~GU3Ro*uY#_{HWG&rTQnk6x;LwB
zs^nTo&4kIyTlEKVzde%Ob&jdb6QV2!Wy~e5I2B11DztXT<>chpOFw;G0LlWs$%`6q
zJeKohahMRgmUf)qbgrU`AIUz)CvzVNN}?end@Vk?rXX-RP+aPwDFYGg?VUB6aI~?=
z(16y=BuswG6DYTJ{&*va?EQh|YRfN_6?I3|Vrn;-E_ctKpTE7*b;s3ee}-##Hf>ua
zKjntO;^0&d<@%HC7^gPhetuVdStVGCW0)eDou0&+C|PgVxVG(XbBvK)Ro>W=c<Z_+
zM~OP-DkU2{ot;SDQi+>Dp6;qm2-I_lqDhh>BDQh5ycDk16(j*-b#}p_m~rG|pwOzU
zL2mscflk%8S?rU}3GbE8(5Nu~-r4vW?LRC-ye`2^XGpPqlCjz$C8_@y)f5Pj1lho^
z`(oMU<e6>ZN1*Ftc#M}GXu(vzwF&|tnV3k=?NRvb|Js3R%xVw$27M_1WuV5M;Kcgl
zK_pAAN?tBUgy#O%47^r150Rvn<T$`u3}>Hz3d%;yF@2ghrdp97vLK4Ary>rKtfsOC
zw3H6ygyhT_sInlrBw6A6xWdFokjR1~nIjs@|Bq;>hGL5AwLG=+>*u8hfYDEu%%6_l
zn@<4a+4Se7bd`KRT=<0dKeV0HY}o5e_B`6wV*;neip!RmPV2sX;5HS92`=sCdR*-O
zb~74=zick3&liPa5!Xr+|1ouE*7noSV4-w)rc8D61zcA$rnGZ+NY`t7(-^oecWk1&
zx&mD3Pqhxxjf3*FLz$C_8r<kd_e`%4Dg1MEuIIyq-MS89SK=|FMLMZ24Rl$~-*r|F
z8_0|pH*8nT^x;sOdvC8)NN7sO3UqVfH6?lYAc^jL&biLn&iT#>E9Ly;<{8Zot7{HS
zqwIlIZLB-2P0V0(N8TrgSZ>6zoAhQ*eD>sH0(Of{Rq7U*aA9k}pNL9Qo{2cOgQp%i
zcVD7Rn(Q`wC@18sBVdf~azae_+sfzuY@?5+Jm>T{Q!goRs!%IB4qMaeF-(!Uw65<z
zZaG~is_$GH+o52slZbzgLZ*4db>USdiNTx&46h}q1xT4W;iR6VfW?5lq}30-5X^PC
zrJm+VvXXe7sg9UVHZs1plhETgN|SRv_hFCGt&&u#P-~Jj9>itMlZ;WP!|ls1zb_Sq
zpG3B)SY}IPd1XJ<$+MiW_T@>;Pm?Xi0`|PqND(nN?Qc!Qr1|{hH#{2MX9GTs!Q}_S
z|9%3WozL=+#vlH&b6uk~N---$U##An3FMZCTX-3P4r-1~?3L*XK00GNCX;)6VkXFT
z@9VPfxnN5wk<)AzsmCl-4mZoGspYp(TcAuU@Omg!CO0GfXslTJO}z^M`ih(^&Wvkw
zP+)RJmGM{dcMec}imPxhbBIebM>-EwVg`B|tVQ<x=?-p9&p8c$etCB4fbXEa*6i!6
z{r-I~pXiff;croV>by{k(&;N#zLP8kj_sEMGn7BhRSs2c`d2WTrQ5V~&@DK=XY|`I
zx85KXaOex^tG}_ox$j$A<}MxU`FMP$ehN5iIdkvYlE6rnspq^qbwXY;EO(K+)W0lj
zKDT^b(;_766QF^J(ndwL&w9xC5X(QgC;Jq$et3tJ|C4lmZ^S?Mn8NW7BqdU^Hq~h+
zSRl)ZpBl9~Kw(e}7{n>GCT#<C`{4PIsA3z(m-Zs;o6dcb17z*hT*=Y(gM6$s+A4^4
z7`}h_WnzpyYCRaRS4$3m)Jjh|tUNaC=Gj2(<KR$yE4F*|f|wYx5Dgo&un(Jnft?D2
zF`P<9z_LYuf-6?4AMKg2IeZ#GRi3UYVQPvBCQJRn1tX-d23(`CvmtxCQ5C=+6OD_(
z!n!Mk^4D_D+>5iaSF+E%J9Pl0C1!oN9#=<Hf6TEV=jq_5wHMQA0gc=drgEcl(`xh2
zrfr+MYdif`8XJ4bzI}l`&Vo1SpvK^os&IqhP%qGJh8X`_7@eiHZBMZL(EHwa1Qtx%
z4#8iil6}*5-$D?IuMWyQv^(gAL5V+)+qW<#t8fXqgGl6X>m%URQ_g27Z1yA-MHAs%
z4lJ=YWs5ZZQ?#@!8nVm0FA`jA#qax9O46{?N#Ba*bk4Sc(UrAeJE@z+M`WFqUTL($
zeP&Xjna=E6=A%o+V~GHwNO;IrLr^%9HKNGWMONemB<h6JPrLNCWbcG`C<{fAh6>mC
z>!S~3+qo@TyEMo1Yu^MY&gQv7KT2esh~|b$_0WkGhfuP;8dpbxWX+Z_^vV9)v-Cgd
zEho2UB;4XLp}yh&7+l|%jw`U5rCm>9#{<R;?pCDuh*AK~Ec@zp#hvRq$1!DXv0~d(
z5H@7&ny{J5<FTXLH?RCUH_aFA-(CHmLB2{$r8%Xi3lA1Ol@n+G#)ob^rV59nEb1-l
z?P^F3SG7G!DcPpJ14)hkFes9Zi=<Pam=wq)g){yCF1`t1KDS28FSZpQV_9g6S*7_u
z%}f8#e7b~%d=-1V(i_tDV}Tzj0Ld%s<8$72!Bhz;epG=}&c*DH%;mv(NclILBY!1=
z02mN=XJWsTOF&#JL5zxybrtm??7am2HIw#1VI~RvV<{P8;Xbs%)$+BzaKY6I?_&wX
z1G6?lVX8#Md<6Wh>=5O<jY2rlr%hBY)%6iXRc#g0LVdEeN_%l(D!Pm6VBS>Ef<PQc
zOaCcp$ljD(sp<D7bBP<kKj17%qooNOJZi&Op?yr$MfqZ-+|my)eVJ$s_rOiOq#9s-
zGtunpg_!)mNqK#|HrK~kRLm<KZ>-?QgG__7Xqd@-h(}^nwpq`O!rlXXSA`V`zVMnk
z3Wm_LrBDi*+5HPeeFt23AKJcrvcg_J;poJEH3!~|RTwxxp+!L*{9AR#|C|DPY8Cb0
z!fPxQL%J_@u#VFg0yx=yZed;Mtjc{c2&gP8fx?Qk#aeZ5PzlrJXv>+CRwYQ{>j(ud
z8OstICBv-Bd7&L>U#yEi2&hjJQ&++RhdLDluJ}71h}H0}9y7vshW&FfmaATf{XP8t
z5zg@3kV5gq0)?MLFEG|3$SjZ3uXdm{{3cu-kRItdL<RoK(>%Sh^U_E6*`A<jiM~;l
zCO9deso?IRy6@r>&+o|gbN|SS@vq}9?q?>4KBQm2eueTg2QtA)ypS^!5fg*6iV(9R
zzY<e?_bV=JurM<#6Dun-r%q04F*{B<>--ER(Kb_~ldOPAR!5zm0igPk?YT9{P_~k5
z)AD)Ccf8^Fo&A38HPi7t)#-02iivJ;8a@hJUo_7EykDGT>F<vz*I$=3eoWjZ;YwJN
zYNP?b&rppV;VaNX^MLbLs!-9EVpxi?#KX{^km68z(!32s8AUQM*eSKuQ$v8aCeJ5X
z$>La*_hfUg_07-&%koN=Ss}Wa*ZVxiqkY%JpJP!y;!?$E+6}uBw!OCweVpBP%-oD2
zhOBR04SiY#Vm#6OYf%GIpAtjYMCDj_UO)deJ8Bn9i`Xb9%9)~sO^1b^N>}u8+~SGn
zo;~Bt<LC(?Yg48Pr0{REyc}9|rNZa7;=Fm)7>Q*i&};KL>t2O5@RJ9~sxV=4wTQ07
zt7@82RIdhaVYO0A2uMo}(cZWit$MU}G6gXu!nt#wg65{V?H|CI`jBdS&pQpP1wDzZ
z5kqx`^>|$kNbRMr=Y#CiMyDS8`=md1I3qen^RZy?ylqr-oV9RtXF{CIWjr=>_O`WJ
z<i<%WGO?wa&cio`PEik3wN7-&Xr*{E%>Xh$r%;_{Oj5FohLcn@rD{Av3UE+CG;x`{
zq?)|+S~EWmQ+oKXfl1osGz}TxChao!Qg9Y78a%yDO|FuPuKEW8UA7@9rsd#|_R?#x
z=;7<qK27ov?O8*Tnuc~7dsD%ps){+*-nc88!C^%I;JBqU>5<AG7%Fm=R)t5mQgK1s
z?SF4-DQHhQ8Y;ZH7Ux$N%Tvgys#*#<oZSs8OD1XZ?H$O=SUe<xOXK5XWm!pjI_6jk
z2M)<-s@s1!`;>C{SD6gFemy~tC}?Z$HXOvZsGzB)rnakmi^-R4Z85UkvrSf)NT@oS
z>;{3PVviLi%m*OnwqvHKp(e>v3|7=gNgJHLR4`csg@!gu)e8WpP*vD*(xS`nC!?7p
z(%Kj6(1;!us#cTfpykX1E|AgaX{s@e%IUCU7gY010j2I4W-T?D<&gHpD-o4t+O(q1
zl>f9eILiyFn6_IKFPysPRI_ZZBUI$<RAucnVIs*=&{4~oNJULl)uYNp<$2<K44N}|
z416MswHX9qMXWv=hLDGXhEg2f+jwnYU#;0ZBQK3@iGBC~cxriU=9n5vK_AHvdZ{`H
zMUq~Ve8iH|UlZ~C+jyt{RlL80Yx#-ns71vd#nPOV>0h0kAF_9zf*o~gnS?S+jLm0z
z=b90Z?rD2wEycQN-M+avusD%q+CIe6>!cis?bz*{4OymWzF8+TL7K#>y6e@vLS7Az
zYruFC{6}|4svYCNb4GI(Q@AItqHoC;Zt{V;dF^mw*cUehi07+l0gD3hl~3j!lOE#z
zu`TcP{-L<{!Q_o8DR&`P*uAYA_we`;E$_>0-Xf`Iex~q4ept{b;1$@&)KshuZ2$%Q
z-VB%mvVkqHQ6D{m@>0`N2HI$s!qpg0F-HFvg{vX2!qwQD!5H@{kj$7dVm?puC)@&o
z>4JjVcd)F{w?2kqchT2#swDI28BMVqJ(;hwDFgUkO?JAF?4=?CvjKHUObJvHce<fM
z4C|`Gzf5FBIVNXe&efy<2UlgpB+rb$f}Bf9A$K+<9ST>r*nSQr&@<2_f+d0!h-{mI
zv_}~ciuguU!fhK5NJnz4vcm4|r{GEI4&3HEF(aV+2=+MU1+}9<WLL<aiuk`n^0J5>
z6!57W6uZ@v^0cXj1L%gs?bDRV#uex=4k^^b!YSmD6YC}e_XK6qX-Wz|!qWUtV<Sox
zYJSZaz9HZL-5BaI`$A584T1xc{g=XV+|V`nHOjGycIdVWe`xGZe8MEU748r+*ge)^
zOg66RfHWR>sGoG5;#!zR8~U^PwWzyWFVM!L8HBMvJ_Ey!^P?@^MoP&jfqWo*?_K4+
zxUhue+=-<G-Gr;E0M(JXaN`0k5{O?)Db7Esg!w$Dvb47mB)5o($+0>C^QSx-SP=y-
zmVNEbj6R`G>f59{`@?;Gj@!8{GdK_Ca`+rW@EnaPH?Bv>a2Eoo>R-@;X((_u^=6k)
z;87k%LGdg1J`d-k?kAB{v&6h`jrx2vA!v2z{{(q)1B~oorY(Rogr(=+%ulsSQVOFN
zVVaqY)SB?i#0PG8%DzX-z%}YHF#lZ{1qtqowdJvjwXs>O2*U*~g)brwun_aQC2?<9
z1rh!!%PRNQd_TR!_@^h#_{)XjLI!e<urshxSdW<BOZ=t#24y!|%xB~g&(&pP`_>pt
zBnZ=ki<YH-^i*ucog<m$j}i@53Qyz&(}<GQs&RSgV(&_Iy{BR9a83(^2JJGcRfuy@
z^ElT+`(XR>NprP=J=`(onl)_HtgdO0P6?&~;8Bcogw3@zl19*x#jtFg?E8H9`=gkL
z(4GEwj|o}qVXSTit;C&xKbZkCQWQr_;J=_9q`|A-Cln38`p^fj7{buo!ge$UHM#4E
zq(TG(CPk}A{FkY^mZY3r#A`F)W^K@s-xd$TG3f-f_EOY;R||QdS@6!26;-FPqYdCm
zI7?g;v;M{t;DU>5!W=M?AdjE^y^Gn-3PMtNN%l?*P8du?=#x;W2!MmzkISN%8D;<<
zcn!&+mgo@6Ks?3UuSA|E&yw6g<7do|H~+^>;nU5`^3}>r`<2wF7m$M~y||WMJ~{_z
zLt4NvY=tXdW*l)>P!w`7OelEa4fjTQBY%1ff`$(_fQGD#5&u>R#4WAISNeb}g&y0E
z_dom*uGKU%{Qxh*()bJUNDlIj;{Q1|?6QEIqE8@}{}nua@_&l^>ZrJyrq2-EEx5ZS
zxXa+~p5X584k5U^26u;`!QEkSC%6S490pik+x_0>$vOMip1o)0PWP{?yQ`{uYR>KH
zs=ha!w172OUYBabm2`p|N3~c0&P!SQZWDyDDiMbzeFX^>5*`o_ITR|}mG`{RX`K{v
zOxBBOf5!=1$g8yA8;w|?gh87x&^gE4i2RZNydiS4g!7HjpbdvGR0$B_0=G9S16%zS
zj}B^)j8J+Aa5~`GoLf2L#gXGbbkwgbH2`1T4~toB@Uqs=BZl}L=Yydh@{AFOe~iJn
z{?`VC<8lY_Z71Np<FiKjO`ijD)sCaN;P)XNom7jrm!z*zWj++ag7YSC%i>~3H8qfz
zdM>ZJwfI3!O1vXfdBbY19{VQ9P>{Ut1ty9?gwLVh$fuqSWi`Cd?W%UY_uf{)9IQ}+
z`6Ph7*nvQ&6<@%RqSy=aX6^)*D!RE$rDOQ_FB2Rq_CKPRI_G6_q9MDi_6Ri-u`f%1
znla0{=Pb<9oVOp{2ya+bj%rd3N!nREDE=lT$^1+@gWdoXh_M<KjB$w=1%zGKW}3BL
zr5byRGpws!ecG*4<sv2`nC8Sfm4Tw1HtC|Z?|HadVH#XC^pQ7WRu&k<dW#!oyg|$-
z@YPt|1!XUC)Go88>xXKgRBV=!USU3zw$UP#q><(jS+gKK%L(@BGwHM*7ZEGmsWJC7
zmLK$N)V*C2EXB`LfMFWV8Ip{Y1W6MO3*;DTd$}L)AXc=PC%cN15vq9F2J97u@>#*K
zE?`JCdxb%`Tu3KNNJm~$XQG$IfUs<U+o%$$4BzqIp*N{NJ!T+`Pki%xL`&vYsqjx2
z#}>lAJ>2ZuePA&-`Rtn7zmecAI-_P?)y-0l{L%sfmtS*!J4M|+{i?&0R!ww^E&Z17
zH~t5BEIW|F3vS3^B9XxND<a>wrE(|a@M8=VO1u7c9i(Q;?{aGjNij*^Th@oTCfzG3
zv=Jy)BAZGN(H=M`8<2|>AE@s5Y0ecZ6#=_z1;eu&{g3;aVDN5%*pOpZ%#POL_A>;0
zU2=4%;3q#f5d65H;aXqqxJXjGgTkx>5lf7#+RB$}Q=F;P2~9`JSbOKE53#7A$FL{{
zmYlS$!%UxyTHO$1IthANz(JNfD$F{rOy{9a=`b4#Y6|})!<B#e7#q_szgAyoSx5WF
zZE6D9N_+g*=+>*i{MQQ<`Ow?PjY}j%kK2CSHgv_@yc6`df0=gZ&h66dM|<k^klinE
z49WB-^rzq7^LDBtZnxbtPD~yL6%QD~ws2~tiRWt228xw(Y6OKloI;?Jk+Y|UeGq7b
z&u?x~_eN0k3|=8u{wULc117of7t#(s_#t&l#Urv{S+j*_*zv2?vde-bgdL-y#SeG8
zY*24Ig&|HyN;R&SVykl|=4rG=4#`p9Qa>=rTZZq9?zE+(VJCY=BZ};d;Z!@`LD6zZ
zpor)$$!$$_#qr;nM7K4?6<}_)4U*%+X*BJ@`~IzJ0Y>1IGqmNR)K!r|?UvkKhzq~u
z-u984z+yUzvjJIl-a<Fb5<;5+>fx<J+n8Ms%h4^|(`WC}4um3uCtB|`BH*%Hy>FTT
zl(}d#$BOf*@GXDR<jT`ZurId^%}Iw1&S@DfQ4^o7`AIr$){mi;nANs?mpNiPK9h6t
zpTbQr-n24LC%sLp#E~<4tKzF}Z80-XO>9l_Zv6f$Da(*H)~7wR^Gn*R8Y_%}#BIP9
zrE;$7*A`n=uStk}48>P7UT4_6Xeevdqt`VX<#Q74X@$y;IF<OB_(uw436a&h7%`Ey
zx)jp9iO<t!l@@Fo4R{PIQLc<aHu^~a1HiH!jNmjD_pZzD_&lvwX~Cq?fWxp7iFG>Q
zwN&~fK>JI}+;?NeK)^u2M!-zKQovZi-nJp#=B0^LyYy2pHc|Z)wz>0)icN>DWs_f%
zoOaWv#T0XfhUiB1W$M9??YBiQf*-2iXMeq}e-sp2?CQZ{nT~+dLT9U%Vs6OCx-7x^
z`Bj55OrsFFdRPdq04p4=&q18r@l#-4JyH)=coA0JbcD+TQ&S<Co{U9uTOi4#9tl@j
z`nV8&SP~?f00y{{v!XA<=G0Wau~?GgeYfJP)+_##hk_t1zIEh6X{4})E7GYgZQAg!
z78{1u!24fCY;z?Yg1u#JjQ~acpejHGQ?SOh4og6`HFU=Dgn!V&KI*tP*-|^O9aUuf
zX(C66?<!~9Kk&^ujOPfaJ(NB$P4)P!`4IBXU{=9-Da_*?SQFV4enHd#s^x14Ys{6G
zY8HfuSH-S;u#LdSYvi!fn2RZGExjxFsEmwDfbIHD6-AP$@7P4mYA(I>3Rf}ON)2bB
zv~MhMvC_gnU)|-w>UzG!1utXGtG2%)&Hdvj#;TB)593XPsD5Q9eD30J`z@XJf-c1P
z$Mb7rG>YOdI)}DaQK8n8kG2l50u{)j2yTLwh&KydhQ4A|omw03bv7bed&?A{p8YJ@
zCqf^CNQ@T9ZDA%ba<jvxF?Hs)Uf+Gu)|zd11wh;Kk(~RiB^cwy_<YdqB{$L-tPKBx
zQ_o^1JMK32D@~W>W-gSfv@QAN#|!K276;L}(c|&sajE~ePKdNO&nN2J3$7)G7~={^
zw&>9uFWTwMiG|;XF{#M5wWf<*;#zW0Ca!MV$$@hObQAK=Yk5}@9ua&K&Nprcy63;w
zMOr1zSDNSUbT$@-7@ihYx~fkUM>z&>KBYc(!sVgC1>@%_(R@G<$xBySicq434~7Wp
z6%yM@b?9?%GLk<pVG`0t=@t;;7Ai^4eL&OsrX^!vR$0R+K%d@Qsj#J~+i?LJF7wdU
zC2voJuDMV+%95#0x7K;)Q}>YNtT_gae&dtBw6x|08G1BU&NgdG98=V+hNe_cZ#d5_
zlGL2z`br-B>^yFHIhB1tJb&K#axEZx$+&Ir2LuzZ>=R!RH%!EiljPYFvy%*Zj~wg+
z^FFQ9h?t~|2i`ix5keWd01q!Z!1jzY289Tq?o(mkRC}!Pq0c1Ens$nNZsY@GL>BZV
z&^^#MueBX}Nw9t>bs=qUXXaUbO3+f>fMmmj`O0iTj)c(r7E-kq%Wx`(nf6El_nyL9
zr5=Kv;JaDhBc`>=RXKn`=o|`}J@lFgz#UTvaJI0KnGLE_&<ax2qO3|NF1jzgVP23P
zyOtiyQ=e(5J7Xu>?J~6<9qrZ9ArQ_8V7Dxkrjd_gPnVXgz_!k;HNUDgS2TWQ|DB$D
z3)ZUaxqk49_Wl_4Xldmb-Kn^Ie7CE`(YZQ|)tk~Ir=<wVLu4_JJZ>2VP|S$&?xJeQ
z?%dPBuYk{7w-h9<u8!5;SgVkHU3Z#K!(ZdHkD~iNGubWt!!w6{f@Jb>JU%{UyUBB-
z!KNw}NQh@?yv}(p{RGqk$C}r_5@-7nGQ0qAAMAW*4KU|s^>nIG8U#aJFpiK+f_K3+
zdRF86s1qdHhcRifn}?mu{=%>Dk9=nchLARvyd@1)-8&O3!&cg1i=PKXW8+Sc*LjS6
zjWl)SsYILcc2$9yZ@xKJx{K4*%vLW;KAWL2%pQ!&8g1*RZlMw(5>2Z_Is`fuMz$1K
z_U=lTo3;`b!!AUZ{p!f>Bj4mL2ZJAPJ=h-)`IZXH(nHpJ*s41%f{^!(H;nxYt?OJK
z^^R{TiCCg785;L8Aa`VaR9)+<tr3|41z)U!_42b|A8&MX=3t(EbvvwC#<`Mj%;;KI
z%-<GCt4zl}Yeu=>NYBf6Tlw(oNaoZ*A2ZzGINC5BRZJgu=63}G45~V@f#t_HH{76!
zN3)B*_%28@Uz(V%<QGX_)W@NY$56CV|3ZH#uEVFBXS70+DO4eX=UP8pSHEh89E*7D
z>u?rUm=)=YhM7@)U?151DPQ62DopShv#H~n#`5VXr}h+D&~O#ezqbkJImniY>O83u
z9Jl|_qy<&vDxOo+b7W>Y?PABh^zoC9YTIzDnPpFgS4>mgmyE9B&ULlbkMg0BxS7Y9
zA?7{xfTvctyUw#hVCSS1AB3dut*gWe`pWB#Wr|zCq?qHx%<T+-yg##;|0jrB=m{<Q
zmW=mQ6!%ONWy|iK`Ah<wLDp|wxBqRTQuET>X9oFa-pJ@2@lf0EE1%txOp^`Pv(`u-
z7kp63M5Saj14@2;Xt_Pi%rGxUa-VXk6G68JXZcq_hqaq0@12RW-l|B5!nbe`k*^i0
zK<O>MGqwhf6*{kMt>_(?SF5S_2OiP`HIy=_-;YE&H2ZP9O(z5wWRpT}>a}d2ju>B+
z1x=3y!H?6EpEq3ZJjD>H+RkCC&|i-%?w;denuYq-wuY%$HHA|2`%t?~*1A-mR;x)o
zs$UJ$dY_B*15(w%GFB;!3c3YyCaPcRhGerFKC;~U-<LbhzAoM94<$WzUP0&72R*t>
zu6=erDm}juIBT^E%|n-&_pLm0VgmZg=k)1`XH#mRZ<KJ8#H`u;7UvJU_iLD|hrww<
zoc=ve06pxi#uzI~oHuHHqh^M6+1DP|;)S542(Fzewl(uOpI)S`p2ua)ku}{<h-$pn
z(F>(Rac`Y*UdYP#h;Az+qcDd63)5eb9_i$_Skmm3ckX4(X;W#3AAn}lIz^*#hVmt{
z7zmS8<mq?{B|AKg*to4pzcgB4a`exqUj@p9B9_|^&%0k<sYRqnc1#p3xGRmK%vW<J
z5B~V(<UVC{lDk|V|6S5}d5aNJO?JYccS3@<F}qsk2fezABA1hN*SG7%7Eh)Os$A^k
zeP*k=kb5<C98MK&Rq1;98wm4QlYuXg%K`F^wph`=43|7}p*)la_;l<9KVcRZr`Bdx
zls9bb6e@(CE2n3rQF8sNHJ=N$%x2tvgPccilT3e0r(&0PWN+8DI8t5GH`?2+Rhwm2
zHplF?4#JG8w<|eTb<x-Gd|3RZE^WJR+Q7?gR@gE|>(_GGl0i}=xhmJ*>G-Lrk}7>a
zg<W4sU|LI+<Tt*mv>j>nN_p{%jg8t)x!syrBj?+5W(G38GGp?Z<52*9+x8>jHs`>W
zNP+mCiv3j-Hi2bGSu+2dY#zjx!vzV?;e4exA~ULzRh7;_#bkVnB9ejxjzJq-Qz>nK
zic~Xi@_Al~#z#y+*(?2$L1@>xRfB@p!n_bCrm5dLN-LY{Ge@}zW;4Yv4P#^BH8g%f
z_fHLNoC^Fd)h+xoml9sB1=FfH{EB7Qor3@{h$jg;nXcHyOYdz<sSfXvL2UAOA*b?f
zFUBJ9xBJ!pXy=)$ew@URGD<}XK>R&sQfI_2S2zhpXX-uc_HmeEiH1btcR7$4O9mQC
z%&vD_ES71%x>q`GV7nSA!u6#QCCI6F<ukpYhFrn5w=}UF$RfcR>mW5L)-(&ww`F5S
zG6M>v-e3QvX=aci4u}4{BsJ4UhSOEz*X)N1lV|?<2_ZnB@-af*2}*VL%K7%Hl*TWc
z)HHD&UrCEpcyqniDDbX1d9(+z<Mr3aXM`_a9MuUwNcMDP!_0SlEIvYO!p9eJSE%U3
zwlsu%G>0r2DrZe~i#IK2l})O|d9+pc<#eb1*|xnemmsK-@r+XOQla`i+iZ|89x!np
zm7rbbcw=)@OTSzW3u+r5Eze3~?dAUxy~qUfbG`-{WZFM_Pom~|=}m=LY!%)$E$3G>
z^ONM#VpmahR9B~J5iVQySX-JZIRqqYHAjIz|GnMg2z|GnNuYFwK%HSZb)VMmG2rZD
zO+uFpm49P`2fb$+<nDvwY{xr(AVvf8wt4ts+}<6zcbkw~XMzXJC0#@THkEei?&lxU
z1eY%5d!E?JxmsjA8Y5vfN-~-`uvreNKe0G`mhP!Q?PKRk>5IyKAP`ps<mAO3Ug|uJ
z{)ioW#od*eCD!JXpB_v{4%hhGCuN860qk!syKx7|28f$65_<VlcW^G&nPMO*E~Ue{
zwl{CqSY}r<&e7Fic1W8og$=STBEo1zx3~|&<x#L{k+FfBqop`toTjt(ZGj$oENn3)
zrsm_f`Tj+t9-k#4ALlQo!gw|mor(8np!{ByB~c&!#u?8z?gut6$f-@<+e}qCjJvC?
zDxa2%EeOE(p9dHg%`gp^Hrp?Dzwpi90(R*HTXzUs%vCsrVn(}fPu)$UC=nd_89U@(
zhL9eM`_3#OxVJ3BP2fZ^lfsS}d-T!W5d@J*w98lW0o1c%YuAKk&Q&(LAQSZi^mFyC
zy9f@QGyLhT=XtHMy%6nT7v462I~bhL<_hi_#5yv)qsFf6ypfv8(xdBRSl>&2^e%#+
zgtuXV>g@@1-X{H|A0NV|_GDe|nPT<)&FZ^qS5uG%c1Zo();-PY9P`sM4eoh_A`p?9
zXXBf*^g_&akdp2V{F>$xJ+t6GtlxE&#G@{yfl+H(apC~0mef8FJbxBZw$U)%u;<Zx
z4DCyXxoG_%YT&0Au34YVXT(ecKEi;4--ymyVc2B@mLpmuRXLn#fFb4)ZW~WJY29`e
z&Dg?Mh$1S=j`QS~!{l3!B2+1rbBi6HBX4y%e^?hDrB}ke0k!?N(3vnb*UI%?Po=+5
zcCW5C$o0ic0k?FR<>zXT7eRfsyGFiUnzJ-|M**6TiJH8J$$%S~(Ds>}jv2!Q@DxqZ
zbOr<A^|XI%l|bz2bGDYR-YbzWq9fO!hJg=PQT5a@vup56y5=H!!W@@+G*HX>X8yBN
zbSF0W#`Tf6MOeS43qtsj=_VSj(tf5{2oAT40XzR!PoX{M`>eZpE-L-*DE-4Op)7(r
z{@IP*`s~MXjYXW9Wo2JP1+rdLR|ilU%h}xq-*o1AeCdwup`3Y-_R+^Qv(MO1DnYg8
zNv7dS=n-dZIzc;S0FhFfnpRGvg<2^y!@7?#JZXtk^~5$XnImR(%Qh&PK&vH@rnFDS
z3`;Ui86BewKU{4DR=YXtKG_hg_PEuppZGSVo*Kh0k+}sC8PhCDyG3M~najCnhJc{5
zhuba*-VQ-e+~~L8YQE&V*9F^U4}^leAAI?9a4uE!CK(<eefV>_X)Z^=WG`%hXu)2R
zz1Yj42TZUuAXac7XA1~AxCcH&f=yp|U#VWPUXlGXyZZdcHuhY>s9?w!^w%K&QNbPm
zEqzeeWzD_dz2E~?9z3H~xX`pj17?<ZQW(01A&#zCyA)b@e&$<biipgCPum(SI=kW1
z`C=g>4tQjeqsl*&QifT-Q0an%dDInB+4es2NKU3A?i&4+tBzyXvwA4kq2U^qcZyu2
zb|21C>0oIOaqWG^uAM}>BmWpO5HNW%9#er1+@5}-tcBXFBshi%bTwa}#^LWJhG6qf
z5<sY0GCpCsFpsSt68=H6gn1~wU+0N7oNc5iY<-JVy^s8MzC4t$4V^ZE?b6kWC!85m
zEl%zy@9+*NvJ<RZga+d-gRTIjTYPWimHNfyW3<6v2KGX*x76O4y~{PrHF*@?ksZ+J
zCq%a>E=K1++{qH2v!981>ji5C1A=|K0RgnP=udF@%QPpLVTL(B6sNCz2LX@_Pl!*5
zOG~LIvbFVHKe|K+p9r1^Tnzoq{X?ry7;drpGhs4ezV#&;kA8(Z+eC42YA21SxulfZ
z9^uDpz5I~<exx1t9D)m^*N#(o0cfc|nVj{&zur9JC-MRzWkYm$Py>T9?+pOBURQ+K
zkX%<fYsxoU6c17@!Li!~q{%qj3fCHXy|Sdysh6xR(VClQO-wc0>JEH0`}1*=x@*wx
z7vVnS*E^`&Bd-d8V8u62m1M=>w);M?;UTc(>WDc2xXDJE2;5~Oiv(`h8<6HqnD>za
zLV;g<d>FHB&iAh#e1`WC@89G0;#>{H^`%~#GAGq+G8o|Mk7)J^_`C(5_~}EW4|@kf
z_JKq?$h@b<?P<RF#GGK?CvffS!?%Ir=>xj~ad(yFLlY&^R{hOK4|r_IzR`Cl1Yy64
ztTcRg^{mv73i_rrj(XL{973`unHNNIFqD^+vrA+6Q81dX*Ae_t5YZIOFNnGaChvm7
z60s$s50*~Ll}QW6BSwQDe^)LZ2N!rrE*2Ev#YKxj4HsG4Er$Ln-!LHztL`GV7M?&3
z+mRflIIKFKfuEAFB{PTqdoR2orZhP`F*Y4Jba6OwKCB#0hq%3m*fqMZL5LJq*+pp!
zjv^h~fbTZILvA<HCyi<_jOC)mhH16WW?9%RfX0Mo8Ge5l-3f}H?mYFbPv;9MqCqwx
z#Zb2ok3!715|g6JAbcLZn9!0vN*;LZ;m}>ti>U9^B|Rb!r9L09M}~HdYd-_Xastfv
z_<2xMhD-KlYt<MNA`Q}Y=u>;0L7or%A5)ozaW*|45`5q_hBbE?E}S1Se2}g72tddl
z!ku&*LCK&+(BehDk8CG&#V#L+$V2)?;{{t|%zdxzg4O7SG|G5-e6aNgWlHblkDoRW
z+Px|DT1^pEh6KxIP06<Ad|!wv%)LKDt^!eh^qtW1#k_zh`K<AcT0=L+?f06m_#WN?
zf>5{bF3`b#dfh`8j$q5qFs41=70x{a82N?zmBSy=b?N^6-WwbX7JXrP#e8LZ{qEoM
zI{G@<wZC!Ue>ry268BN70gFiN2QHmNxCkEI)vm>tk3*vfUp~={(t!+lv?r4}obq(Y
zQ^&O4LeRup?|J=HwoB38b1UnF6^!A>i=&wxPCVM}!+l`Jd|+1Sl!;3PQM{T^zs^N~
z69pe=q+jR)z)GYKc?-LtcBFzI#QaK;AMy-9qP8Qb!Eq#3l76&FU?p#msNrrXZyX5%
zjo@57SPAMOTVdCmeB{oBy32^H3q#zGDg!Ko^pN}+#GnCU-~=(affyWjHCyBKk7WF)
zvcVDG&~k*r+%dK>;V-3w?(KqZOnM)qgKj?bdb#&{p^A7aig+@KJje%ueg%Ot;rD#u
z_L|W~RpIxVF-B+K(&(d47^C(yNhO%0=cGw@6iFM>v_Mjy4e|Rk#d~5Q?*KUwD{MnY
zQbR{HLq}$^b2|||PBMEqGN#ZtuB14ws5p02GN#lxcP27>?mSzlJX^}VQ-Fvzao(w)
z$SSRfHXzTIJ+CTYN<+$mfxH0=b7c^1MF!5cD2Vxn@R>5oTzP!7wN}iH;weL5B-;%5
z<6sH69C>1TD|^duOK{8i^y!JnJN7x=cNk#iZ{%;5Q_qy7p7vvTvDjvo`Ihp0Le*3M
zSM1%vvJWZAVCWS;AOq*Bu04clSN7gXFH+ANSs%y+n($#*c!>M*z}T7D1-t|Kg5L@D
z$6gqNp#%qj7tY}K_9prlzj|}T!wt}>6Fl{kB*LD=AvPHJMxRVNKPD9Y&;gLr43B`!
zL5>fFJ~9A`oMhlg&KS<#7zhXC`XKwj@Idg;)c;Hq^S1Y6drqJWbBi&-VKLpoJg?2`
zLmpGc6prX&B-Qm7cwbJDoUADv$-`rj!(*AlNSbRNIA8c608JiK{8Xyg;jzS_EcNxe
z)ZOZbUIX`D1Jqsv#a;uZ-c5Ozu2Xrb_Vl==&^Ql7GM3~x4+b)p=r|7ovN|TROE(cC
zUb0IR5hFp7?W~}FB#~|1p#GPjeu$ucxz-IcbYfTxV%WDkCh<8nzuBySGu%3xGhC)9
zd}be9=G~MpYbu%-6PXJ)nF|z|3nke#K*WNW?AlM{kXFP3K<2_u))0WEB?b41JO~?8
zWC%?}7A~(SXsRw~$}wn)Rm6gatRWChOB$|<JP05JS5<7^0=qflk#uL$N`SwKMi|QG
zfDUv&b7pfHxI)ct!_AJrth_`9rJv*so7el3<uDNo6Vu5EAHW+Cg2a?#+E+Q)zf&L|
zNcTa{IK;D$lOh{Si{e?9k|KN9VJ4SDNvrD}LDZ<7CJ%a3rD|quCR2MA2FTSUiDP6x
zO&=4&2%TTJ+uR_%;>#UUbwYg2-qtse2(m9Z_k;R&X_+Pc`X1<MJ+F$^f$iz<g*gI4
zca20QMNRQbnSyUCUW_(t$G(4Q(c{gjWVF$2c8bp+8~q37HM?*YVZh`&`~@(ZfaFmu
z%`oY?^9L`5ye>(a39s`qaOq<RthE27%n*M<TE2|_-R^Hsl)V?|>X>>Kq&&4lZUIY)
zp|X7S#V>gEo$zzu>lHkrF_tp5#RfapvgFOns&wK>GCKYHA;gKoiNiAM;uSJ!cN!ia
z6><#;h1dXq3v%G}HDtZ%b)S!TTzPdNEs1GyT=EVWVE9eH*~I>Jvp`7GEcn#^dDO~0
z=vO*>--qw)qFqX3F7k`^0q&b40AI7_2htmzo)N(kDrhh7az6;ZvT|)76`Y=s43pKv
zRfY;`%?gs!hJGxUI+wPi;%w}5RMQznC*C%3YH{4)RSuxz>u2-k(!xploJM5pQDAkY
z%NM)MP5QD*Mpt=-2pbZQ*;jRUVj*Rdb>bW;h4(U(mcs&~W>AzF!_(qQtO=nX!@A?d
z14%tc!o=dSC}rZlCo%|ARZwC<siA$fhjAUyZN63SxLbH^wX*uXw(9%jvf=D^w~_ZK
z10hBEP70!BAT5RvnpD|nm}y_}f);Mv^S&Wqi_`)w4I_ww<}1|Ko?LRNKGAX6>sD$^
za)t*Gv;j{uZN|a&f?mFt-i@9FV_SQU!dcDFIy2f(Ln?+Gt|GnlN5uurnZ7jRdJ!A?
z6(XNcEpKP@DJlo<;3TeO1li8aFkTj;j398tuL}-6DcOD%)8mycg(FkF|Lsyc;{#{v
zn^Ex9(=tv!CcU=#QN^kVi&s7qPr6?|Q@sI=M(S0CaUfyggm8^FQe1`$EZSrBzVO?T
za^hF3fyQp?Wz9$U4AVB~P6gr&_oJtTFmyuF0s=EPl^gRi_*jCooQ<ERq9QKdP}UX=
zTEU$TNXN+Dpw7CF%#Jnff(8u%(-XTMz;7J+{0g~&qz!F>>zULp`0odx{fL{;y7wWM
zbk>$lAo^-8-*NK9{RX3%%};(xlpV^s&6XJVvyWNr+IU+4M%z*HA)#hW;FPqdoRw{_
zhH#GcCRt`?5j8bUxE<}=AvbC>)px3_!CU{(n&bOp%;;wJGYP(}4rQ5r^U!JG)Vd}=
z^j)Ty#F(kF;mPq`Y2)E(h9EK>kc7o-QLCxNsW~lARw+WVWtumXHz9O}_52&)ic|9L
za2k1C#oYA6mL1yq0;0C0Q`Q}_y(=F9_DX=_iPSb+ikP27^w7sRaPwETsnM&<E_pY+
zjyk}4S%tnjytvZ&2Cgne#7&K~9aB7p*V$A1l=m+N0(O&{3kNY)CyDr0rQYn3m$Lqo
z^YPk);PP5VV-`zuWHYBotAw>u$=DmLxyN*5JL7DXv5<}HaeCa5LFFDKxWID%;`iZF
zBk|@dPt<rF6Z+}Bpn8LVF>lKcc0K6tg1<pv1hY|f_I4ix<hDq_S&+hbN#Sq8{UXgL
zV_|jgGC8n0{<?~cCG?evvXE@9vB}BFvFY(Q?#KquAhd&zThygPM>0oSc2*VJ3*yg}
z(TG>6V5^*pf?}+4*5K`;VVYHbjFOH__a#<7bzRNSd2Ih!D_5n(#wEGn2CJwXw-0+M
z&35>k<<tV|M4LQiD@ug2dFzuDE!iDHlLMTU!_U*?u5rQ~ulsmSb1w+WlM8IUevFus
zU#68=)mRge!I_*EhRjy}vFCHAPcfSp*IBLJDG<V|)XPh8Q)!@^jG%Vmqt%r>7oV++
z#BT4nHM5~6!X}oJ#sayoVfRlm@okivpSBrS3rkuOL)UffR}E_B^JAJ$urh?oSli14
z6N45O3P@_FFX=ilf0@$eU=<Q=A-&3PZ(*Im=o0)?n*a#=vmC@FLiMGKn)i}U8s=(G
zY|VP<mtLTE`@OTcP}=+&4?zhf)&hZyLK7tN%BLh8eisje^eeOng7ys6pa(~(JEq6t
z=`&2bP}-II2EcMwZdMt6M72%_QtEO(i5ZtMx)-Hr62iDTDd{0+OP9nW_bA>w1}NHH
zPj1sJCa}dSWn5<d_Asu?Ctke)Blfd^rrln)riQAbXUcR!rAP|;n!1ePl*Jj@5*yO9
zcL{TW53H%Fzv0Fdos|$CFI(qNddiOBm}>3rWjPna&6sa!kFCbkdD&y18KDK$*_-2{
zIs&n!^@)g2RO*+lS6LUC(sWO8ZD%V$qTQTGX7Aw1&P2lUarD=T&C#!?qoG}_wCQ`#
zD*7WG!L5zG?1)4yDd8Wrw>pczGCvQd5G;;GrHkVQF-LTWmYBfC@9DMck*Q@RZfJvo
zI?CY<;7m)Xa6EF`%D9~&(qbi-f(84>Z9gO-LDB#8RNlnhi8PKHz!^-#yf8%lfHA$r
zAGpJPg;|e}N@z)FsYFXDqa*SjmGB*nphGe4FR0p{SEkN*5-1c#7ejoll~#St(3gqd
zufy3e&7;<c<6rW!h&jxtm85@Oud8ja`*BQy0v$RQ?dMGRfPK=@2o>I&zOi#1ibf&~
zde;i8jJu~^7wZiZ_>n>7?}$iRk6TT@gdwRn9EJ@yGvF~|IkTO2M~kGcaKQ5vB51$_
ziB%*$@@zsEFp-c&@uvI0-c!Lpu^~VH-f*h^;IvMDV84uK#gWpSbo_x=-fMuy<&)8T
zqwul^peE3#&mh#?EarJyWF<Jrhs97V06p=m0G^EL{NS{yJg+a76U`@c*5J5^ZSIcs
z@3F=Br*gJ)aV4r=bhNskkFpe^FZWI7H>uDCd%R}-V4VB2piC3oyo;WnN`GjBzpD;m
zllU3}u>*YXjBkC$jH(UYA#Osla0p3szo^Ed%-S}u$M7Eluw{G}b}-VJF9HZY>M(n4
ze%_3o)r0POPauaP1j)LrvW#J9l*-S~{3Aa<#V&?iLH|jqe`Y}X!;V2H6V@|m-rZf<
zR6u7ld@~|IRbQb0C}AhyBkA)z45^`rKK}LX?Thla1-no!(7mb%(UfGm|J08j$6xDZ
z9IoTxAK$M#j;^Pg3t1@qmI?9DfLs*Xxo!yuqQl}7xz(Cht-|I%#8mLUA42OwWdhSP
zODO_GcJPN@M{5ne8?toXPK&Bd459DJ(+*4N4HJmW7mtsX9@i>yH(`PzOPEe)ywBGN
z@BpcU)(|%i5!KMWcoNODe$iE%1s|Ah6DKRx_oQm6M-n$4&i$(LybULXYB-9&bLonu
z%0yJS|E`!%^#CL47>Bp9tq?|f%v{N3#vJBTsU-RkbTB+ucxP1@4r$t=ZeyzJsvBMf
z2(`LQmqmQUsh-VP((`legOb6LOzN4)Zs$hk4WwJ?JP0Xc%(Ncih3T25ft1Xd0$%6+
zppl=qg1Jm0^ei8Bn_T3)10p^0Xh~wk3Cp~f64KE@h$Y7R{(#vK)0vgn*cSQ|bKk$*
zHCvkJeC<?)cSmM}!$C%`=D`@=HVdshTT8Z?;l8nbso&CsKc9ZmDny>IuzK&r;hm55
zeEp@D`PL3AU(|#tAakJn_x#k#3)eu~T(gw_)-DbaKZ_xpF{t(2WY0z7^=NmsthjP>
zvis<rYnWPZ+rAvR=z=WG6HP{koLG&<Wj8%CaFtE_4EB-8{|a}ofNbYf*kZ+qm6)1p
zcUit}oL=<gpfPpp@PzM52EfTPo4lPLfZY*{NAFDeSv78UH{tgU-835gsrTv~UIEd@
z1z4tjUX}w}rVej+k8wHvFmu&h;sQaBm|CMF*#RKNva4ee=**KjRR&0P*~5Dpc=ro8
z6xa^`p2ERA=t;7l?D1TQPYtSH|BQ<edWQ<>5RFzBn*%GsdO&tEWB?$g&nV77?~Vk4
z<ZmN{_%*&RA>bON7(xk#&aWoug}lJ;T`5#F#W1$u=_3UT&wh|W1Z|Ynb$OfLxA!bM
z9$gZWOi2%oayqWrWJhXhSQ(ZcB@MZ4k6c73)HvjP{;(E|B`elLGBkpd_>Gce1k*{;
zLGcNwn&4FC;_@$-6uyv&EEDze@1Ol@TE~=P`>ee`tx|>_@np0YPg!Egouw0^?<6PB
zJt}7&eOfS|L2ExUi%&XKz&{=<`3-vxHD;Bp{XO%2N{Y$n{hBJl_#V4i2eB{ES{U64
z3$vu7`I>X&zi;21R#(l7vxNlgG`h1!9$B-=#-9~Biev?Q$&d|En5ZliMdsVNr}JnQ
zm0WDCrX}dT64~fFYSy&%CEe!a_lOt033DSH10r5UiK*a7hAFmlXkuU92SR#6N##*G
zScs6J;!@o%i*3ul)4sGHrT_#S)Q|kGv<dA|q|MJS8Lciap<^hbjmAhxdfP0YqMRs9
z=J~D~IMfe*W`RH6LXFS`t{@9Sj0kRjLYM8W7OUCei@$$dTsPn9<NHv@J~p5NXH_GB
ze2P(H@->sjJOb&IlnDdOA(8{rQtcI(y}-bC){@j(4Uh6PfJ!-Ky4$d5>wl5Mo`VJR
zdDb(y<AYu~)j(3Tej@(4_Bt;A#^ce<c&qwJO=Q*Fs%JD=jzkS=_a1(?-ipsuRori5
z!)deVVz9^%?3KG}6xHX37!KLk`V59)X${;N;u{4qRbQy&jqhy9^jj6pA9%$hInvy9
z7%}9cVsbBlkbB<Fn8k1gxg77;xMqr1oOytpWv?QeRp-SzjP@L!Y(a-Q^S@N?EsaJZ
zB0klT``_r~yqjYJe@MUEm>>kIc@%{JK9+PsK*ZxtLkZXLOP98lOFY!M&k7p*-}4n+
ziyDFLlM+Jt24}#pVsyT?BRfO2FAA^d?5|-Oxm-m#`x4|fUiSyl)=$F1FD}%lYh6l<
zIDQVeh#Qe-9p?js{SPmFHj1WI<Y~&kC+W&4$A<uQ@5R)REt6r9^ILnJ-%R0I>w-&!
zh*Kjshg-T;!rqsx`P^boEdi%g!-SF(N0ocfaubgAYJ^MiCRRaMg<dC<&Ta3qtbMU$
z5r?kHH~_%`xcitnRCjUJoZU%QLFjWjF}JfR{fP|zIxwHS1y@X>72uU&DMa@u^AO_D
zK=*26>>{+LTq9FYq}6GJ^XAmi&$BFbeS-<CSbf@#PMb#}GV<QxK-$X9{<IlXzRxZy
z*2h=gC_QKiWnDD+<_>-CBfygKh*xnEN6!kU5kR3q421+!yCry;aN34AV$aoGUq|uo
zl%xRjeH3L-FRGqYU+fos-bCC8N<JST(ZK{)<OgX8!s@q}uOlP`y>Ts2E%QG$8-F`C
zxU5BtdF-#$7W8w(<9F{)QJYA~3khVh#XaYkC68?(@4l>--dyywEVZT^Gd|S5hO5+)
zGKZb^+Vx?a`!*9mlr}XtS>j}2!?k)jHTKC6$58Y_lhA&QdWXHuk51pq(539?>6tkx
z^Q(kp^vHMhSOOB@d5dyEnpbMdNF~tnb^;I(BRkg2cx`3`H8AJ)OWSn5-nbi*65tCp
z17F*!h05|a&gUCq;l(})w8EYok~OjFc=amlIFa8P_DXJixwQUeT=nV(13@>$n(@C7
zXmja)#XX;tPPCv8r%-Fuh}xx_QP3CC_tb+rr$obdk?}VAn^NmDYUaR-H`A8wmiFFX
zJFp(5T;Ia|W##NLswXTG!GIj}a#&`5NKu}vggPy%>e52MI^nL><K%(})?;QY3!Bqa
zL=@11kl_NEeUAy=o1g_DX^LIfgzo2rj-A6e_A=$A+agSn#0bsU$A)yb_`WDZN~&zb
zXybwFQP&hz2u;DM?`*)PA+ZwffmPl)T)$Yl<LJfZyI&M5dqbu2k4sO3XCjCACp}k^
zx(`<dSzxS<2$!Q7F_piSS-NnIYAK=+kWr_Vm*2Il<6O(H@_xXBR`=eWUJ8i>G>zxN
zx@zW*)P4zmh^&D=X<^@75Q0{m#Pg2`r)k{&kYdZHg$c<=!+KNDLXwS{{KBkhS28?f
zg#q&5Y3jBA8nuYLn^Q2v=$_2tYacWrv`%(JpV+mcq!Y!F)4lXjAjGKCwKYLs(?o43
z2>_+>;^!e7S-IivG10mYVXl(x@#=k49Glr|+!wvLk_Vz`BQerBr}m-8tC%PqDXeiP
zjJ3a1<*Jd(I=9*@I=BGfJ%CMUvP>%!%S^%FsFwBsk$cw+nXeG>L&5#X2&Q%>&Mr=-
zhPMAq+8bFRBd~LjGL!x@rA^AFP0Gp4{ExRTDJeVGKXY#>PVWDW|GSKf^*?1??0+re
zX8tea-!-^7{)F<d{HGlj?tdl!MXpQwKN#fv4}<*tOlqDErc9qzOwE{7Exk-h**Tds
zwMkh>*-2S-Ntsma?Oon7%%mzz(spL{q%5reN{eapGqZ8Bh;p*Bv54|83$w7Z2=lOW
zaEP(+aEq~UiwKKz0{-t5ZyiWj+PIiHF-h1Mx|oWY8rz$gGRc|RnY&n!vaquP0LTdc
zQLe{#j>(_M?}d?q4S`PQzO`rprQgWIq({&SuZ4-!0-D~x$DowS3pBia-t5lFw)w(|
zxYvQ$!Fv3&SF}Z;pTHw>mu^NtN31ENU>G%@yGK5Wp`P};T~#pj_!gJ;ZRUZ$6I#!^
z5avJ@IRgZ?FtV>7ScmfhFz8G3;JfCS1U7v7v*u2{))q2-AxLE~vi~^l9!{oa$Oz1D
z!~Ayt_r=0V%E`gO#zFdzlK)^_r2kBj+Wl|rO@DvKc>Yeu&c^dsI#v!I=D%TFoPVQZ
zV`lkVdu%Km+<&dh#=`wJJ^pe1AO6_bIR1{Yv;D1KHcqa;_shf1{@3={nVJ8_3p)!d
z+h6IJ|H1R$^~e1OjOXtd>)ZG4uexVt`2)uK2aN3x82cYEjz3_37<1M?$ieytIavQ7
z$D5x2CI{Oe<Y4=Q9BhA(gY6G;yv@+R_wffg*!~~~+aKh3o2P$kkNppF{KGc>_ZYEr
zv;1woaIi4H+0_4<lkA)v>~F^CFBlK&U+Z!+v%Km4zv;M{S-JnmymxUjw6rmGLPmJA
zhX1mGT>sAv-@i<op_9wMj0QI|CmRbg0u`0Gq69L+e+&sTGQ$54-k6k}Ox;NT$<jZ6
X7*t(s-*Rs%`zzBdT&&#xX8L~t=FwqZ

literal 0
HcmV?d00001

diff --git a/contrib/nginx-sticky-module/docs/sticky.vsd b/contrib/nginx-sticky-module/docs/sticky.vsd
new file mode 100644
index 0000000000000000000000000000000000000000..afbe51255a5424a82ef49959c03494237a702bc8
GIT binary patch
literal 54272
zcmeFa2S5`^`#(OLP3V{ciJ)RasG=CU-A#~ULqLcfL$x7>YL|eBf-NdwIrRXs>xqc{
zJcI4*ho1c`2o@APNdUzH?EhJ!o?q|0*K5AMzyA&UklESUo#&bQd7jywxlqc!n_twX
z9DU$=BOEo8`bg)!a18vkx92Q`7~rSEnn{wRf^i`5{_FmSa-a!#rONML_y5lv7>wlb
zmxu(&8%=`Wcr=Y_%Af3b&<nhubDwhK+y3HH;(kh;KbrohJoAsl`Cm@|?<{|6Y%p!3
z9U)4z8R+wVKE`@+%}VHJF=|XHc{7j<LE}*ZkQ{jdMW7@UgQ8k$;`?`g+}{q-Fe?A)
z5QX~vc+6j}IDz-aSnW9j1+}CZgTh+sem_Wi3~&+;e1t)Jpg5cK%dNli*+cr&82EPV
z`&ESB2+)HtBY*7$#;@f5WBhb|BR?fO<$fc%Uj<S8dcDbi?OodZdpj0T?Nb-xP`~={
zYXD>jWCUak)C!0R1P}nRfjB@WK&C)kARbU_ATuCypf*5lf!YCC0JR6=0||gEfrLO-
zK-NGuK(;`3K=wc#fE<820(Am%1nLYV0;2eHhF=#TS0FbacOVa-E<jy@x&d_u>H*Xf
zs25OgAOc7XBmwdS>I38j<PAhsT3?{PK>dLF0}TKg2;>Je2#6}a0H8pi!9YPk!9Y@=
zAwWZch5-!+8UZvCXcSNg&}bkTP$*CsP&iNoP$W<k&={bxK;wWY8UIQ5OZ)qyH6NG*
zCj><JK7ZQK|NNh-3xAjUGwJ_bX;aVnUrwK@Uo?;b2cr5=3e!{lGu8g7e(G)e|EKHW
z`+4}U|MTTQGmIGYU$i<X@jvFM`*kp?2K`@0h0v~?zp|!tTUOQzJ=C$&%N<nz%J?8`
z2?qTt5H-HQPfMRj-Ana-)Hss}M2$5mK-8GB5QvJK4MdGUYk;V+XFU)#?raC5#;Dyu
zMijwAsps8?%1w<s@YCWx=BL^Lbtjbu<v#Y?9ulY83e`pe!p24koRJfip4a2>q(sq}
z@snVf(4I$(PZ%$UQ#6R;ci{M_NrK2}lfq)g$0bFfASzBkygVW*At4EHP@EA&qIjhE
zd;9DJ@KbzI`9p<M&+(DR$3!IvBBKQ1VF@s3yluaf+!SAwa{{97nF&PY!5kne-Vz`x
z4Jz-bbLtwE*Rp_qUb2Dx1`Y6(1bMeyp+<Ar5Gq(QFxY$WAW5+IAc>!MP|NKU>$2de
znAnM7iBbK$e#vJET%evwxexQ1;yt*Jle3dsw=OR5<4O(I|GNKL4t%WrQuXF;dT#AY
z|8cBsOQHSR72lxh)2%_j-Bzi3M733_UZnt0b#NgNHI}RdqQ;Z;KvbPp15uc<5r}H5
zrjQtgBL(pLscm&kSmLkh7L_*Ts5<8b6w!TDY`lDId{~TN%=n4WTI{EG_2@7vW_(1v
zJV8DtQ6L{PW_(1{DD984%P6Wkj)KbXGtgh=*Lg@#@GtfEZF*Gw^?Ub#AynH&VhB_F
z8noy(6mHxNAd%|9sWwIBBb5(tT_5mJ*zc|D1p}-pWP-rk4`3&Tw!^(tUQ+i_{ocek
z5tl$lwgCYHA%o(ni|@HMhWbdokpZ}~AK=h_E!flxG?*|n1@xCmEm)F@J`l(Vp8wW;
z$P1Ncp+Ew3?rjwKO(A|c`Na?7wFF1Pe|sQG#uP|^^1po!)}jGu!y)+pS@-!y>wi=F
zCv)K1wQKX{%~SlYg9xRirT-)sf5Wp=)8@7n*!3EcM2wjEI|oGI+lr>lQ2Y%^{xgq&
ztOgE~_q_PT!`_8ZsZ{?AFMsu^xw*OSeMi49NPNNF=&vqCE&X2WdH)jldkl_IDwTgV
z)qm#xUzdyL=+wZ(+@Z<a`;A`$o)2WP?$qVv$&>#KFMq>R7c5kMVtavT(767FB>%}r
z{JI~rwzlrjp~L$f8}wrk?Vsf0pL({xKV^IS>+VbF#<eB#7jsH17Jmty-oLVZP>%nW
z%Lf_q*H8bgV;|(<zjf?`4EdDPhK2^efquPu^!&|3z!wNDg}-?T0^vru{XeGi*~+D?
ztc+`7x;kC?o5%9h1-}`t4TKxv_Ag47c5T|07ODQk0XKe`vYgnm7jk<}-1I49CS@ii
zPaG9Faa6>T8R-xL|EG?XZ(g!md-_i5FIE=daO2`t!0pZz1t3cg7mv<%9n<5dgG348
z6BbRIy=&!qtz7>TvH+7H2#AwBF%d)<K5%es=(rJnL8AsqGm{h`$f5ji-U$MpFS%T_
zvH;I;Kz#$Dv~3&&gb*k-sE1#;EUk=<#}1SIi34u@qS`+6sGzyOuWh~W@7uR8s4(w`
zyzl=+mH)GiFTX!JXgUA=IREkLzq0(tEc#dkuqpjfMHp`R*wa1;|IFnAbqU)3`+d~!
z`yn#i@&V5uJN+-pqV0G;=zc#C?aP-1_=j->&<h}z77X)?M|(Ota43v2AlH{K3y3gV
zJ{1P~p#uVDPKbxmABOuh`P7(@DDX)84VoAd3F7=u$dawd0EQP%O$8|+=O>H^2b>un
zJ^?TcoPwl*-UFb3{-`V&85y6`V5@EWfK{NHX%DDN0ARGZ<=edN5UBNo=MTwJS62t4
zZE<n&$9jgpJsd2nZOz+sad!LQaCYqcL5TJgBEv18!bWv<b(=PAX3m`XDUtt{IH2l+
zY4O*N%jKGxnf*E(LOw-1E-WlGGqZ4UA8y~Fmv3LcPXTX#i#Wge5PpmM%}c)@2=?<X
zU3xim>Jv8ZV06NHIQsc7YSY$g#*E}o$%Nm3_@BG_CuFIqshKcgl6f1efFWOLrFi#$
zocv_>-s7O8puGMZKY!&eJ3G7I$2OBDO@jLNew<dVn5JCI$cZH&LjQopaDY%F!*`6C
zbWAH06cEJ!{FZ;B#eFO{ppVLKaUVpOJv+T!J8Pc-b9?uhGGx^HuyF^5j@|@9fq<?a
zLqsC?&)G%4<L&olc^B>1p32I~fB>nrZI=;Y-)M`&(`QEO))v`0%YPmD^Mw3qS+wjy
z^%DqeoZW_43Y|j3#z0g0JZ%4FDt}QH?K8c-y?5-`@te>8oPmFfET0+ke=L9gkSuH0
zto=>PGn>us+{y9Rm%P2ap;>(_>AyYv56J@DCPqYS%~0?EUpRI4`={^x9c=8NLH+GK
zf9!#OR2JY9kmn~J0PX%)WYMB)(04#t7}`Go%+Vjn_~pw2)=pp^4$ySK5C64(5K60@
zYC}M-FJBfY4y`y^bsIPbZ4L?r?ClT^fpBOG=nI!6F)|uhoiRQR4p2pdeEdK&9nwD_
zbntLE1^pB}+H!%y`od)i^zILa0uTq(ZIBDpZTJs<I6er3(=WLn``Gx>u5CMaH@9Dp
zFMb0Ceoj>Lhx+7?b?pC(<Nn8F$;->Tbm`K^u70-gzg{jd8usqp`x6Zv|EOGlU6zLr
zAG*4_?%lihALa8?9{$&5fz~Y$SY~EseoAuxXq>+&%cf16EZSRl>pd0>G6doM-+j69
zPs;*q1M`le{_ku`enDA$fx~~%rt~Ld0rOW}{A6Gon15$Y(t5NurS^QAef#$Pqt)p*
zAO1&W0VaV}x2~gykKO`CB(T7MHA!nw0>AcjMCdlH8S`^0Vj!KbuP=+mg2C=%Zo-5K
z1qB7#t9-t|xRq(Zkd-d(vfiGPJ$;i01!cQ;i*oiD-L2O|@QYkWx^@Y7?=}X6BD|&<
z88biUxDWP!nM?*_#K+v&v13=RT&cZ!^ypEjU8Y<MkM3jMS^2=@)jv(*GpmO<4m{e!
z*?k!F37@&9fh^#Dv-*835Db#-+Y38(?&sDuvTM(1VBXm+1pb5F4-VT7{ft|gj2S!O
zbC!sf)juH%+<4>04Y28%n+tsUr@m|c?~In8-}?GjWYOLWO?&9D5UuGFgaWJVf6-_O
zEd9B1(aNIz4^7FuO?#<y#Aoic-seH<hslM%KEKelYu5t@4*dGzpE+c}fC16b(SI>f
z=&_-6{^CRa`t1n`3Dc%c`-{){LS%u#1>FC-EZSa(Z|Nkoc7vIePieUj=QoE`CnqO(
z)9g1d{l#4Rl-r^6q$alBjt(%x1*Z!aE&ly`!PX6?6|fY2a99h3E}cXl1j1=6<5vG@
zJA&Can1h3vIPHYv`y-uu*HL!%j=wWK2bPvE#GVYG0_J~V0xNh#-a8RK@C*&v_&YOP
zUx+NAI&nBWqEF&G<^iY!EQFa;_z(Vf;oyOpM`L4_hldArP?IN5222te83}%YK=37$
z3n)-fDD5mdNPK2$MerRsub=+{uYPH+T_ddQykK4%4!G34w;YOQ@Zg~^{6TF8SrQWy
zq2htRi@S&R<sY!Gf>{#e0&^>Pz@7~MArP#};L%!};Sw~Nf3Cf3*|Nn_XzT16+}Cfu
zRw7V3wB-UtGdi-^+Lqu8Y~F7&U}gcQ?GvDm0jt`Vf3((bu#<!5U5M5L|FxcfR2D5u
zFgwrVwfjKBg;RI~1TOu~8z5gud-<TVg^>a*51`3{<pB<@73Dv^nKOD6wV>IjJ6&Df
z&t{ncy|0~xRoiyLzYZ@y$gBU#>5LgOrc9agUrG9JPxP<rFMm5rfBJ#{yRty*h7SLI
zr^U(dhk*aHHP}C01n~VnuMHm-e|Y~8bZ~{^{Sfef;ot8=Rs)A0ES~T?r?5E2f6JWm
z9}DaK^)6tU3+);g;DOa4V9ATo83(}+$JFglv;zLGtakzY!=YW~Li=AE0{`F1(y^=W
zXSO>2$KrTD!uW}?up-CrtPJz+5=0A)82A3YU!WgAqqY<N{r~S{%P&xhe_8sRIY6z=
zX8H!VQfs=s^?y2){eL57%L;Y^`(VEg0<ZY6DdQ)NHKvw(24|>UBYO_kk~ckHEW_n;
zSW^$yo}<<~MraR%T87Sk(H=%dj4LX*^ZgVj@Kfvey$xRj;TKKUC23bShV>}n`XdPI
zHgE(iX-TadhtSWPt2B6r$F)%QX^4DYOV+(s>tZi7C^Mx>!=tD0U^O~(ltQACk`hFz
zgXsME^9a7@s6k(S^_3+`L1V}<W00SpA95vKT@idBfo>BO=TVL3{>$1b4f$;C5cKNY
zCPXeTEJdmx$`RT4(_vH+;DgBX3DM~0S2>8>_EiZ|6_q0L;>la+#hzrue04hS&Ej<}
zTz>Q)wZ!#*a?&={YO+?XU#)KUs4nkSy)Ls_{ao|#S^vs<diQFzSG5{L!S2|jx|CW?
zKjuhgt>*4)XYAp#aaEP|tZMbJYBdc7r<+x)#bu4zST<b2cC3PY#yis))oPus)oR^p
zwO$*#LABZtPK>J6#?|Up)oLc(pLOp==TkH(hP}j&VwJE?YdD5-nk_h(6^~}cey*X3
z@G#U|rAaTLS81A7u}qw%o9^%}_nkh6IE)wQoWy7YOl-5^zL7jzE)tn1a}GeTtqDDx
zW@E~5$mZ!}^K`R$di&YQoGg9IExant+~e>lJmnZNVas&}niyI~nD9FU_}qQ1Cfe|`
z+F5Y$Y~E7374HZqnWIzHI+>%pZhj}d`JEn{S#S(eYz?!8w)rMTmpd7|!EY;Gm8qKO
z!<l!AUc)tEy%35z69Y|%1EV^xAkRLiAOx^V<=k3zjl__7&|sG7<xZHv<xaHAo$$+c
zv7*^F{vNC>>tP-@xH(+?Y~E@6s<w>0S$cO_CKHGwxP@sB7iF2}aHBiqaF6gWwQVF$
z3%6Qu46}Jg**xQHUaPIyJZ3hJmCa*k^Ek`0c_!KHD$V)}AfKxn!>ZzClbmKm?-fK?
zt(SD~!9fyM4-OV7rEQLsirGCl^hhZqQmR9Xl<G=Y>-={Qy5V2#RgG<;u|jviWp<>L
zvo%s`5-Bx}lyW1bJUD3`DK#sQnrHLctOz%vmj|_dG&q^lZW+DDoXe0X+s%I<7hwh0
z={5`#R<FQ<@v%KB25&)+23HKmPL8FW9E;N*4X)B`x<!v2*DFvpp-SVvuZ>;<%S0e3
z(CMu3DbUf=6DvX#-gW{TUf%53eAmsb*I6WU=s7bPtv0vQ3D;Zhb2WCoRnE*D{hXNw
zIWrA6x31EBSAQQ8FG?D(CNfOYGE92<$M>{oz0|eJ^zPPsZnP;2@%f$T^E)vF^E+jV
zwzS;_92|ZGcQ683rnHGs!<2%y2UxKomRPEk$X*gyrBOYBtJtd~c~b5G?r2%8Y_=?0
zhBnG}`+x6$N>=6H=-+C%1&3>z&ExW<C2G2CS;t|`$1w3g+pN=(E&~n_bG|v9vpK-^
z$4#4g={pjn=kp(&-8d!p=R%a8yCQc>?zg$;bIWoyxp@8(Yc8|Ua(yy~b#P<8348FC
zL!9N{F*$w6bo0io`6k@Qhj?2Kwcc{bEK_i9L%xZ5hm%BP4!127e7kI(MK-TJPkPFz
zp5BJIKrAf%`ulz(`&jxMLzsTnm}6LK_Y3#j&~o?k6B~i{QorejP60*p4V@NyS#x!}
z@buVwr26bV2JAhC0ee_hyrJxH{q7reJx!Lq(8G*6%C?ssF1t`xQC453Q*)-`WyUGY
z_!@Q+!!WOF*jWs_O6ykPR*AbmTtuH3g=04{(Y@>_JRd8=y4{=caC#*^;~~A>vnaYH
zLgP#5$FNtLyfyR`eHCNgn9BO>doO|yt-h9`%d$gG=hsPxpSZb$?yhpW-E5SiL!URs
z!jwM3f1-bKAM3Iu-g((ptmnRE!^^sx7_s*l1H-M@dzcbdL9xs8UAwm)?BtrwbIazr
zr`UQ}cX)1V(#<>UW!QvH4-VFto~zkln6p{0>*{M=h+R4ZEL~5~>YN)~o?|_Ok$uC>
zLK=TEkwJV#Z0~wp$7@F-X2igB-R_i0^&Slthp5;Ceb61p^nEYGqCFl8!k7t6v!{$_
ziQ}=rzAK|l_moGMdmRc74zO&9V8o_Gh#0YJ%aa^EUPqTRo{ghFkL)P1f7-em*7apa
z$qVz~zBWAftZpwlHqOCHj+z?o?wgJE&Y|_r=~(nK>{<GpajtG@RQIOzEuTJT-*Nfm
z=yKZNHfFSHr*?hkuC(`SoTIlhW@p4MW`M`*!$+csSD}n~_w4u1J+qF$`Zl?}Dvquo
zE;!v~#MVgk`2r5#n(x8y+t#NY{X&<1v{VL9IuzSe)4<mkEj3tx+~(o_-!jiL14ApA
zzOvymns<Ml3q96^jbsFfHpmi1thu5~12@^MEw|q9J2Hpy46Q9cKfJF^m8enFiVzSk
z1o9$=5a)>L#6se0VkdEwK*=K?aI<AS6q5KZNkP*t%22LjbomA6Z@mg0WJO0SI?MCK
z^1<@R@pqgDJzL|J=F+9z$v9rhc7m(4o9i^FuC0HBVvLN2?B<U0GMKWEYPVD7&5?R*
z28z%@u|%;?c3QSVB(w@DchRJL>vdSt^<_|b$b+98y)_K+0mWIxZAFbjKH>XFm+$R;
zNz{6oTt0V7TP#GQV=%poc#r&~{D!<*-Xy1&5)W(_GL@ETT?&n|2&H(0GC~>WpXR?X
z@)l=3dVzVgDKJ{)9u$BqH|{+#u%14DxwWNg)Jj$UbMdJYGgPQ}T54|A@^5Mm_@DK^
zS7Rgaj_+VcKb~b!FSIH#BbPXkJ;_0@>sRQSeSeE{+F;bmuFk@M1L;F^Ml27hKtbhW
z%TFC$RbHzpsPM83DyRD$ahOTJs2r#mt=MXt>xlYcXP2JdU2G{n-4E-B`R1bBvt!G@
zJrR+cl$)nol{>JZsc-W7L2V!HP8~EanrM4#*V$b8+`Ctr&AH*v%<fH3Gum^<*(e9K
zQi^L_l*NU~HRF`il?#=RzE<jOd}z}x7dN|IL7qqEfIko>Y2%#VSm9piTR1#FYQv>{
zDCPc=&~<}t1bMUEYy_c35){!_O=|Z$>4UDx(ZpbN{QYIqZ%$Yen)+SQjU}N4?dM%2
z!*8ST3KV{Rl;GZ&=Sx!V85PCsxOB$7enc-#Pfs$K3^#2+DYqiX@ER1Z)S&SDvq+;N
zP6h58P9h!L@*byxu4ClM`p&n5eJ53Km9=FXew?MnmLtN1M4hDgyiqI96$SS;+Bxg6
zc%^xp^|U^#ehfJGUGWJUf#WKDHBp*jl3|k1yv{^(&g4wB;Kv7MKBa}xXjUl$Y#Cui
zv#;2$Vy5y@;<N**v#Q&wn!|VQ=^TIbBb{@s<o+Q+sY|I>Y0_j)4fI3fkCD9k1jE;f
z+awF6tnK{6{G0v_oEdfgr$w!0o*jl_Zn8AKH4%6=nm={(9MN)-y?utgJsUbpH2RoD
zdD@V@M=q3Bl-8H(lp(V+hq9h!gUUk7;>+fgEiXfx%MO;EE4x#sE~C}-73uBh*_|#}
z#{|fjnCMj4*Mtn-C_B!KF6{EaqF)8RhL|Z^JS4m(u_lDL>tjDxy5&LHNZOrI_?@8+
z#;C!-mpPpI%yc0$iNBM1l!>OvA2MGsljPgwo%xQ@gZL<vFPA@-FX#IaGU6Qn4j-xc
zG?A&uR@7D0Uo=WINrYx97Aw|^_KI9(KZ%}*nnj33JX5+6K7>per<_SFCRlmhjvWa|
z-QAORoVZFnB2d9*hJS1S4*os-{rqMAasH>${B!&_4Jr&sS&`y&kT7|o`oS;ydBOR9
zQS_g@LqxAm9m#Xvq>(cBYbF(|qrOom4yz3rTBIJ2#@<<yIQp4i!RoLqLH35UrqS82
zJUYjsyv!q^tx5~`H(1M>Z--^&Ii)oXk1lYpm-_V5xNg$0I;jF&)j5fK)KTQlNl!Ko
zFUG<{506Y-?@_m3lIIR7vFED>-^xoWR!1hphD~~yxAj|@>RB9(o}n5VkGx;)3QCBb
z?pS*@thTw6?NWw=Djsd{EK-kc-sN|~!FH)mL8x&^DRC_1d9y@A^VJLGWR}WLdY_N5
zT{>Lf?U`?2Uaw6WZgFW+@CbESu{r_8x~eVWi)tg#G<xZrMhC`GrgVjuqKDjX;=okg
zVnj*~rdW<)3$M}^UX|htuhJJ@Wh}g^v+yccZ{bya-8jQzKmPP{XqeuLlvAFK6_{@2
z2Bo)bXdr4c`;}L-Pn$WqOgb7+W8O-_9C9?zspqxvfqLne4tSYed~mqt!b7aBS@}lU
zk=(p9vWMbR4=SaWuW5ote1xE(%aCJC&u{Z0%$8V=RjC{H^gg_AC*Jc~s2ufE%#kmb
z?;sD#&&juv<s_mhOcl0@t_lmLkU2?VlZ(3Ku2<|;oKpOxc%o=lu#`xsbW=tINqt&0
z1RRusM|ERf)gxR}+lon&Rhj_4@!i*yvM{c<o^`ca1eyXU0!AK8F9RtCia}-lvU@M)
zWYS2f&)u4a*G<W<nc_{lStsvlrZ)6EOdMdSd<@c6p7{ax>xr{EbT?NfJd=Xr70mKi
zIoLCe;BoD#bbw=h7v|%1(+h+rKbY5KsNP0kE~dH`JZ3Uy{klxO*bG>_z2arFfMygy
zZ*tPXTW4VOKC9Ve+t4*$=rMwRCJB~*7lAU?vf_9r6jqJmt65dIS)EX1)iqwHa$amT
zOOD3wsAh$s7_K0S<V@UplQp%H6?Bgkqc51~U@r8!#|mRQ2%fQgEQ8zI-Di(67Q}M}
zVYgXp#~TYKp@cflM9WEoud$-!LIbOaS;B;yEQ46f3DLrcv9^!ci!C!O>0K@J?8eR#
z=Gn~=*;-j!CVALckBty^LjCLn7XFp2Zpca3WgDwXqc2aVXJG9{>)tjtcdvMvzWLsZ
z$@%ym_8ztij_u7r7`BItH9l86`ef2V*&d?4j@wv<nOHRzx|MB_i5Z0IhxqUXax^7V
zFzzuYJ<-@bDwA$Oh={VrG=qCD4DxYCS5uchNgE&63hH3J`<0;KZXsu*4vI!ZBK`|l
z++7WO4C&rw8X9Bz7@>nm1xa2cGcqtzIhVvzG7yc-P|hK7wXTAkOX5>d#vGEwbTdia
z20dz3V6|dCsT2Dom>ELHVh7-~2IdZeL7Rd+a4ZDv#>l3P)oLGD0)9Lq<6&1J0jvTq
zo%l?hfTO4ewE#y+N&2*jb!q{MtyA9~`?59`$(i)=XvHKH`Ai+hM0)td!!K(islsKV
z#J;c9_LwPSjELrg*)dV~NNfzLPC`??X+k_H-VTjzP(!gULb_3?^DU4!r|%n`w;t*=
zD5i8!QXkjWYS_m5*c`s`{RXJK&o!V&F+5-0d%@~W3zj@z=1H1ADDQtD>&NXfz4{-_
z$MvRETCO-8hbnJh)|i5&U|YNC)2h`tO{@9p(Dgj^R^NMJCxP5TZ<;_uGD%b!*APB_
zsuq3WMlGXk5}kXR2=ve|#idv=PE%nL45O<sqm<q>g6GERhr4q}n(V_2Zqj%=F?v!l
z3KblFRCkwPG$-!Ha07Q9gWzEVZy~22EsrA(<K%IQv0}KPxV6EU))y9XRM-QPXbvNe
z!$|7856v*I(#+`%jmlytZJN~G*pow}r3{>nI4t3soe+FmXw{0}$m}#qBxoZ>aU3+o
zB91d0!yLmf8f^+E+?VBf&I-qb*KJ)*`f%uRrm1|DXaRU%ac8m^js@Af;UU9>R!z0)
z0O#g<shhi@XeTX{GX#;;W@<9n1fa<$7`DlZfNfOB7}#UW3iidi?X=X%1-VwMn+=!k
z7ly8K21Stu4>Fn5zYB(p<*u01diTurhakvN*umUtl&jG<^if^ZL^oYQp{t5cSqN-}
zA~V}A24Ps0CO@yg-U7_Q&&(Q2qd|&uPr>zGk$tcbXC^i3PVo+L)$`Hw`KG12F}F_l
z)U#@i?Bk+^R=xnOzOt^YFUDxye6g6FbOyEn%b+{Rc66!INKfB;(Qzj&cpuhE7ChTr
z$ebALCk(@W7FKEYrts`BY-GSp(>m9HZu-cml#VdL9JJqs7OJ54fz8@pqj_xO<`XV>
z=xa}wFf-84CcoQqSy1<4v|q|S62u_ApsR|9YONo2Yq-R{k46^MYky!Gww>;DEYM)E
zLukS@CppJDJR&iCgInBgJteS}=kMKRI5E6Xze=;}-isk<h~vX&jXsS&b?y=@Uv%1*
zcE~FHJH!%R2{X4TpET75y^<R#+AEx<+_1bD<!57O*{%|-Ha;qwg;rw~)259`2#T-f
z&`S0?3}n-=vR2kt!X)nBCdqBjDefp(>dDb2q=G$f5{+Jr31oWZul#I$L)gQDB-okM
zGpRfY#@fQOPaPH%;2z+7cg>Jmw_!wQ`-go(jcg7c5!>3rKon~mI^NShG|@gZJ$!A~
zwJx**m*j-Oc({O(GFxJUjXgx)hh-_tUrF2#D$mW$<ebR%6YlPBpAh5|WuGHvFU8D-
zpioM%cC2(=Vt6k`cR$c3`?>W9YJBcF8nZ(#pjiwanRiIf=ixI;%u99Nx$E86`vY8I
zVdjZCpoq3Q?~Ebo0&LORV_17{uWiihT{6E~V`KR&Yd+83X&$>08)Mr|hbEkxa9`L!
zLpqnN=tw8ET``t|#Lb;|(^TA>W@tHwf!#Ez<|u;lIMp0;VdjDdqXl~&cR0{Ce4|yo
z&rH08{={lb>&LZAdUs7N+W6hnPVN~;eP)_o6ti~MCJrht8Iy&@C+))UlICt!Q#gCA
zDy)n$ezu!?o`cLAIpUpX_aG}B^u%g8JUxiBs%WRXo}~Rj+Eg1%lXPx(;ITtiPpnSy
zP*(Bdq9E?7Vu4EGbbOYe6vs@jpX+mcCe6QObZP8aw_}|6AVy>wql6_44@C35Q?MwM
zwc^V4YBh9$bE?(7P=h0)J+9q%Oi4WBK(A;7_QH+0>?bqBnETJwSW`W0q_Jwp;z7G6
zZ0kL<;-yYyJ)nU`^2kO!9rgvep#p2_Rb&NSD7j!UJ{tA}nc+atpkv%U9Nh>(j#zUf
zzI|~DE@h$GrdqFCq^8#N*hbuVXew;N5`cY!NxQamzm!?<;WMd8wb~SLLzRYGt(Nkj
zE3MK%?`mFC4+Zw6qmcf;g+eS^P)H_)LLzElv;$B8J2t9dvp|28bdx2jMuW;tBX0ug
z7`qL{zh=eYf+%}dWM^IB7&P%QYw82m9rn-|6l)@gdcYcgkCim0oE47?VDHB=(=7=P
zSRA{^a?T_G9sLPmEXk7JU=6cOc+7GTTTUqFM0Bz3^qMu!G9%pb6??kf*rCGdcB4g|
zf>6*+mYJo;ch+NFh1URms098G0DLTUDi>1dLkm6vDD+WhQ}I#@KE}O4A6oEH-GV+S
z@ZmM?CEu`93;dwa$9G!z;bS6@cSKWeu*Qvditi$LWStKHq(P)l0T93+C?CI#^<W$I
zNqYDOfm{a!@-^uND5IGG`0#=c5CR}3S%Q;f3T&a-j1XWGL=swTf}Zg$5n+K8%?JxN
zg)O#9m`H7iUf|Sjn=4362`_8X)ESFN`U_oBPq`2_;3U;$dJ9OM6dc87G-VD#%sH^L
zoRXYJ(q1s<k~Ebb1#Dn^Qoq(qAA}ScBrR43pa#<&j~ZgI?=vwhb{1m_HW|a1GZ&zV
z7>4GPj0jruaGbf2#9!z#iNz$QenB>k`aNVrszbtFt6>Yz26fEK+Mx+3NnZ~j4j`PD
zk*+#)jM@;VGx~EFWqpT$?PSe?V(|`}k`$T##=7I5j!~ZNq)Ev)Af0T|B9w!pIv1`0
zGd3U;I`_w$M1U5d;IvMR7KFmUj3|I|)QzW0rxjxqMA1bt?;y&fx<U$~h&VU^6o~f@
zp$r9p(k6_9QFufPM^3My@W|u)23#|r1hTfE(VnOxd=#x0oCq%(c1zbr`V-6M9KWqN
z)&#)Fk8vEV6d(z0ipip_4vCgkgKY3p^G9=7VVLO~M8coeHcPmWBkaRroHm`wx@0kj
z0yY|p`}kY9vwk+Z!zpM%D);fG^|fjT=Vs9xq(TBzX+bJA035VPg#@V5f>a6tsyIcv
zbOD@VV>nnCn(!8<+%~bMa7sVGDV$_?ElyE)s5J3#9ce`O(BhO#SAA6rPEm^<@+h3*
zS*2;gDRjSwrhrp6p*J|?K905T;!NR`K<_TD6&?W<9s=__E|sPfOu3JfZ(vGv0nye?
z3sX#d;}8W?C_K=?`{6SNwvB7L&A0^-_}s^@`n2ZhUG=%@bKV`3pg_@0u6rP@k~{dm
z0nUSE*@n^G#a1Z+)-!p@gBK31wE21@msb(GS9WSd539<dQ`wAWT^BUOYSECk?vmi=
zJb}D}ycp4Y%j={uy8&ip(67l`k9-do870oH<S@+>D*+c}wcw)rW*DXyJJa;MtHXP^
zXc^!l@(nIZG)i#J1zdE+^A5)&t`cxjAB7{}qNpV9qy&bn1s6SKMP*K-wRP|FwZgGi
zR9qUiRS+Au&0z4g*n}V_`NjAMy5($zTMINfFE4*pX*0V%hRsNjV9BY;senuvTke~s
zG7=oz9i013KIgXIg=n-dp`giXvF(mau>egj#g2c<N?h`k<uZFp*C{TvSuTQjT-E|j
znC^f~#QQK`fF^C-Cn;0ra;9a6R|<FEw-+STCE1HlqzV%QQJ~Wi9I#2cuK93!FNP_F
zO|0D5K^Fj;sI=IGnRm#v!UM3$O*hph=ew_?Viy~~#U`7aF`U9C62K-e+_y1zbqUNI
zw5HB-OV<4RW+U#?IsHasp)|r809}A+x1Hxf9fM8@c^vaym7E3l?K8XU$@NUI?xNkc
zP3yxk?0KGOPg{55+wH?Dx6Ld<FAHySU5mDHiNoD=N2n%#m+>rLv}d=wOKD-j9zjC<
z1OP2<vaq0ISjim@V#Y<bpatI*SB|!zg-O-w{cq61mW@i{RkNlAEbRSZ6B$)$@L~bX
ztTs2*BUCqB-8XjV_f@SbUNTzH0y*>2M%)m#KU7?Kix$Y>`C0f~*fH_hr53b6FHOVi
zip|7$Bz}2m3jX+|95rjaG_~26H@3xJ%h7y#0Ja+Y6$HTE8X_*dGepo}Co;!&IyA}<
zK`(0@j$Iy(RlKCk5Y$8^DJ9++B64+=Zw(PeErtj}Ylt|eGtRh8Wqpfc@DnrIP>2la
zJs;P~lk`HEa^}4kTo@2Xt-?XQNdk5JJSJjcSQ48-Ycy<t%^p|LLg@pMY&^A1G;|VK
ztU}lVIdlWtVijg^EmXgcEo)K%D+;ZMK#8`j_zmnTO;o@tnj@d!&uB#rjjM15Oq=#K
z;8m{&HKs*7U*23(yNDc}qJXhYr68Me1=;ut20KG)t2*6!5?3_T>na)=_T&l>UqDYm
zjyO4Mrn^yW>jpBkAMFkg2E|bR5JZq=<g7Fj3&pS_psc@0n~EtGG>}+B7*c|^PS$mG
zbtOS>hpBEHCzbHcwQe1Z!8oa?$s`%`79(9)2oO`Ik-7@z%R5W3bP`kKAtlOPwS-A3
zx1wAcx$0#I+M+|E#b}?dy7{Ost|ZlIu2^YWn(OQXG!twt%A(`PP!g7Y7F&YI*|`YY
zf(|1iHjQt}SC)~kS*}DUo?5?Q6(ZX6)MT!@*_S<Us!lAxfd^Bwkj`k<Ef{xc3WYii
zEg<Q(tQu-?rz6Ee(l~7`+D!((RqpB4lydJyDe{<Bx7Vww7hCDyZ_vk{YkD!NG~+7k
z_rSDwPi<wf4k&93!9uXNDtrz#d)+d5?aEjURsa`$*!@o`<|$eRrAFeIu7aB9J^P^c
zvQCof3ccboqe2znVep#PZV@dB-cksCon*vf;rGL7NTHJ=L7+V7afV_^hAg%*w_WQ+
zSO=O3rxl0Z-3%9T95`nJOj%1Y+8VI8VDy-_i$Kv|0*d~lx}h+Njx)m(d5mOE5F;rY
zWwhrm!gOBhjA(DtY7wRz_M^F88Fy=yW^I4H#fxatE5@{0Vy<H?fic@GrFkXty4cZN
zgbA%Bj#whkGujS!5q{k|$-YXnW)Z!jN@MsP{o%7aIxg|;$dhsHPL>nm+>!PD&I`a6
zYJKsn%}o{Y(m;&H!6f^4@nW_<DoNGHt_KU)&xKf{6^3_pkeECk$YRl590ja!2AUNQ
z)9bn=jMOFA+z=3Xpq(jemSBhn{RVHCiKBB8pT$b)JV(Hu;6hJw$!xvSY=jHLXMzhO
zDU&t78w`g_>G!KN&#j~bb^7XIBEKOcoKb<N-Z>r0oN$yTY1Z{}H}r5)qEI&ZW|T&X
zAlMfh%n8A7tqCsZJ0}Tj^Vghe!wDsOP<nSPn)bA(6BwU^!4N3eN_aVs5&LxzNAz@(
z59%nEqcM@5Qc3(U@zzX9SfqIT5b-2ev7j0S4-qGI6bn#f{8Z2Jk>X7fP|Z7vH$?Sx
zntaf6h7+pitan>QSr&Ax^k_@4byjx_Bs641Z{@2dMt9TE1I=*~hp`5;ZW4OaRBIuo
z?Rhu1Rs-FPGfmN^d^k60?2?5cCzh22>kDvT4sC;;yQ}PR?L=&XRlA@e9>LPCRho&t
z_3U+M(s7u061(E%bB#A61BUiY=!deg60in>*>rw?Jxfy^>s_F^t`aWDwfC7ME@Q~X
z9(VVNy4q@`RqP_VcnLNRi=tnY=h;<hz=n~|UPKGl$HZ(XRgBHp+F!4hjF>9#pjd-V
z9$at_x!5%crCpGF80`qH(Z=6(?@(D6w{RN1&eXm6sb)6I(c^@G6?z%auFEk2E8jgV
zX_NztwJaN3CuZl(4D9aIRKR4RtZ>-TwMTP@N1RaR;KSlYlDLGOo-6v~N}|xzNHOiK
z*Z8G$eN2xXMW>JN#R&Hef$>s`c?8o@GW$-I2Bu|PP6*=;Wz&bifZ61w>MObX+Q`Ub
z(bFJY_sG!8VehN5Q$i_K)^MrA<JzW{v1x}t3RUQxezpb1Cg_aY!SM6Vy&u`$Lk&7K
zywzpN-H$fntzc8m+do&UTU1$7`)m35>j9`sJJ@Tz33S=}*(tb-zy^T=8%3+qxXDqK
zW?G9bd+zZ@JO#s_;w`G|m#(3Te@jC(Y0*&U1c22^t^%7}6iO&#CG98!)A*PhtVuUn
ziQCZlYECB&tKueW+*8VA9#qEym9!d7#D!jUl<Hb_jTL4nh`G&zmeSouIEE<z<7*|y
z#U>=OnllMKzRl@WhYYUsCsel&E93mcHnXg4Eg5^8Q`<UNq+{h_>A|p;jx`j7RkHf&
z3cwKV3zqO}Z*@`6H<s|nT3s~%7fU$kqTjr=go7@6k<Am?Yc1he==8Uia37{%C|JTt
zPFR5;@wN@6i2f`hMgK<;rS(awexr!q21RrY=>=-0u3AlJ@|gBa7Y2-iS=5NRAOnWK
z267?thc-8##A)gw%yG==%!SOanLC-uNA(xN&Z=quMHTSdg2~O~`Ix7DQ+2W7vI9op
zJeZm38IDu$XIYmuQawj625sv*8#S1y;WaF<QJ)9>&*!e9Ws-&@9vYKip$7eL#o6iy
z6;Byui2EZE(3#TzI`774l=^3g(Ve+1dS4&V`}XOgw|d`qFl14BUq=qkapo}?SU(!p
zgO>qDtVP)H7L6~0GC)VRSfKBMLWYcXVk)pe!vML9Q;<z*YQyeQ@T!^JT#s9SlJ$6x
z6Cw1VY{xq>tY4_FB^Zw>-Ol7i>wTb<Sy*9CgKgFyr|ij&$IZVrF|abC4>7Q7F&@ve
zQXQhthK~6-|6q$!27}ODN=sXSU3WYPoBxWpKCYeHU$56)95b|J>Vi^c<8ElR*LJUM
zJM+uCgx{K`pVG6si@OXWTc+i~bZp;?*4cF@omOc#eka%|EkPMjaJ%V0a)iFE!SrF3
zhK|;|v{))vfT>a_KD5^sI=5wo)~Xqn(7WC6c;paA+pTAxuG?fosd6{E73v#kRk^$P
zRu2>2RuAi~9{Dz)$_<BCx_AW~y&{uh$+z6WcMV9LtNxGr8eHch8K?QVzuxc~uF4A;
z@L*vLSusQ}5sa0FvRMX0N87X;$>vpL%X~&0l3D8o-sE5foL!ulC4CoQn=|NA`L!Nz
z4BZ^CbkC3cmcv{TS;Gm#=waAs;okkA(9I2vG|jhK*=(*4zz7p`b{Zq3k)dz&IrBtc
z%LE}Fy2WJ|XLp!q4Y%77Ip$D|?nQB*M39U(c5V|Cr8{l3O`moO%<*2>2uElBlL&*s
z(%1xe2TblCACVg$WIgE+n3`DwK%uMQ#>cSJA|zO2T&Ko3%GA8yEHy2nnOoA#J~<}O
zT1RxjEZa5ID9J|dWE)87bAhqx<AY)ogJO5a53nB~q%{T#zYf=$nrZjAV@tr)d_qzF
zYP8K01*ds3r(sSFXZI7cuOs4;670o&QfmRWfz7zxF>Hoqi_KWI=oprv4~p3tyUcS7
zPqOW@=Fi@57JQe!uU}8dn4!Vp>%K$H-z{^CIJF!H<t$)pL<XmF*|(epPt4pbLg>Z0
zCzfJoa(8jC{LwbXI}nX)TX=qzTYgiHf@{3t<Up4Eo6~ERTh7_I6y)|`d>s)IFTo5@
z$;vd0S!{)s?BXm6JIgQ#$4|`rKU!JKz;}N=Xl3wDDP_W4v9B$8E_zlijJ{f}EPGCL
ze_|-jRjSp>FpM0u1^>nxp+oOXxL)LfEPT8z>>xcIlrkxHF%91vf@XSRk@(E7Qt-wQ
z1UermWsUw@@MfJ5WT92c+CQ#+_fn@6ULJ*)LfO@74rRll935ywVzt_>roKu8uY%Ix
zeNN%hzSf*f0Vy8Vi3f1nE?<1_1r27G;1$to^(d0P4=?Bl8%n>bR`+qF)mzQMzjNq<
zU?7$}uElQEOCd$-1=5zJq*PkfYRYi@r&HWcrO55{F2%?mb8yl7DI!E|H4hpr0+scR
z`#*BQ-1vW#YdfjP!{<RNtw1h`BP|h9$>D%pJpfaDL@dhq{insUCOP}?C%=fb9um|k
zbVP4+65Xn&-YcK<R-!k*)ZXZn69bLfw;ewTMFHEYzj?13JnuO%_`UXS$Gbr)+Bj6m
zObE$^5Nb2;!7b03`Q3J$1t|x#gup+<fcb}>x5$<ew$&$|{2sU7@XUd`x8pxSD#q_p
zp;G$AQE}$1+>Teii$jI%25#&BPsq%#w&Pgm_n(t<2j+OI)mv|o<*(>fpcPiux35+&
zJhD-R4~43+pjsXD8lA3IAD^C&S5$RG9jeuymNcVF8wot!0-;P1O^6X*05pZxoftxl
zOoYbQ7V`C3hKNQ$mG>#c%R+&N$<^urG|MX*E7^y)>O7YLy*@ReY(g)@DB*w4nf>0y
zH`i|8qu%D`-h1(aBrC|3I#QgDz9XqO>bGxYBM0&sp{Cx_P?2o$BA<eb<J?YKi!qq9
zQL8m@+gN)9>ax&*Ihq;ETsWIq@scF$nQr=Ed&iJsJb-H&vZz)!=~dSE0#o`clGzuh
zp&GS5jm@-TB6lYB+EO%g7E{U0XFhm-n|8a|3xif2fynM?6sTzNr~%%=xP@S@9+3hx
z2CT3XQ3C+dN3e1GR3z()JWz-0DCP-Dinv8fxC1c~AEC=kb~P5EMx%IboY5?o>&O{7
zA=gG!HVR45U{97mB8P$@R|eIwb!RlBKPzb4Z*toOxYa<XRikDxk&x-e^kEKTPGHVt
zE@tL2_up?Y!0x^VerwbbBznVd4QQ5Heo6F(-x>-)xA3b%Z~3iyg5L4F`4M`L-`D6Z
zzs-%11)jih9}*3KcP|Db83`N%!zf56m<7hO-^gG-mBG;W{3grs_Zw&rp0{Eg#|*wh
zWW*bu%K+wUd4{QXEze~W-}0=O`j+P_kjZa(4unkph35w6w>&pNCTn>n!A_0_!jzVR
z%4Oi$i-mn8ms?nd_bq;t<>$b1%AF?2WgMm*wJa;BdeOo%N!1IAWd&6)TC$m>>IId}
zQf<A^vh3SZFW#_xyQN;VWOGAHy`WfD_(KMJA#X1h`G#X;97N^vmAx$ueRj2aiB6Uu
zev5om$1njf=+IoPev*=d`-@OD8VTc)CGAj${Azq_N3=tv)2U;=3LoZ#P_am7O<AXW
z+|W5d->CDZeEe{j4s`A?I)KPc8akbB12dcOxy4gW=%cz<^~suA=q}B1r-#p8Z{OMu
zIZ!Q-q?#br0tu=KT8r;A)oKFt@qx@Ibudj2pJi05*MeOOUbdPBCPF;LQ)h`WLwCJy
zkYN(_UB=T?Fo9ZA*3OpCGK>ZrUB|9dpJiOWO?y;FSwhnR>yvNBU@__QW)LRDJ_{*>
zXwTP&iLPAg%`8uT%bQvKdApd8Yaavz8LCI}gA6eeUx6r#=xVwte41e<Fmcg2VxcB3
zS)4LUFjr!wI4d19<mj@o+jJdE8XXK?q2WsC@tbvouW2kH!-pqiBwa@Wt13;2p4sUo
z0uxsOro)M$mk?*hI9{02`FdvO82be2(L&1y-`L{Z6QZ1UNLNa_(B*V9!EIf=!A6@6
z*@oQ19jK{Efl1T2T6G`iA{^5NOKczK!#JnW5RAaLVQzu#1$~HiZdL9SGsP*YQ4rZY
z!v*G6;Wdk?2SH;9a{~M9D^2rv7PqPQrhMi($qUgG6j6%85}Xn<7CCov-^Cr(i|{AH
zoJ=N1xzY#5IDu(*5wSJbrH@)Lso5!Nn^U5LS`fd-Jxb5i^gR78U7XOai)U8}X?z_^
z!oZA}qr-3m<O7{2U1G5HJ{>-Q0q_D4h7HB2V+rs@1Jg)g{nb-StXR72z7L-7lkDOi
z^FoH~9|jnL=Q{SofY%HNNCMAs@Jx~XFkp&A)fdeG&kXRS!EYKBpy&L<06q6(Uh^Pe
z9u=Sjj}km|_@z?;mDmphD&ZL`AYcU*kPDt%@T`X4)l`6v<qrdNELD9AAfSK>*an_$
z;L*Ut3%!qd1$UMF;CuRo-qYK(fO!(HEN@*lTjShSV#sDc)m-6Sp|kH{=J9lPyJ6Mp
zHO@06Y#1&147X^uuv%@k(2H$bt#-6q>BWXIwL_lQlPE;Jy^SeNls3vP%5!~m+2}{<
zEIMRf#4c{FW{PA9Q|xUVkbW7gwwY1T8iyrpefX?jvr~jx5EJ7x>0q3bAOVUcF4HN>
z5G52l8I;m=*=Z6EhVIhuf&G7mWStb}CiFAp*6(0He75vk(`|EKuOS25>4?SVXRFCk
z%evW$#d|xFf!}iWkc2o*QRm#1pLUOk%nqrUm~)8;9MzAx(G$m^{<4KBac!)dECF=h
zC9G}ME@y07*28MoN_t!FF0SQJYl~jCR&(N~V^y}{bM?%w2u$o=>`^5nd-!Op$P~*f
z#M5|byoC0;EcYl^BX`L*r-(+EMATZc(fQ~2N$aNHJjDt(Lv2%TonocjJH@iG(&6m5
zj$v33!!xNs9C~J*^Z0pA6K8K$t`9XBaiq{?@rIPL)%mwqZxn*kdqhv;eBKRP?m5n>
z1IEF;h3i9x`PQ%6W#ZRt03QPd7bmyH8ZEusq+=FaH*SHC+twrxOZEQNbjsI}xf@j(
zt19bbke;b7l-^xBqqL;sfH=@UJEqfuuVcBAT*)rZYKdUA#E_$7xxS!UJ@E>ChGceQ
zniS8S)+bdO;Xit4CjCjPmpStb&ALhsvoG(7VboUEFVHi)apKAjub+MUUw-xI{1B^0
zbzK>^=tsU&?c`qBoxt0bJ)8UD2s+NVasJ5O0J~7B=t}tykH1HOWf8YX=OnB_rC-{%
z6znqv5|5Gz@th6oC1Vr4>dTN$jaiMu&)X#1fTJ^UsnQFZ*>}-V(Y_@$)>sWe`e|RV
zBj{;LK@qx_lG-N;I}>-8E;t)?NdLJ0>eDSMHPn%UgGc%I8%FJOd$x<~)qHd>8coKM
z20X9&qh;&Kz2r+>me*_l>(yja(|Bme?B#I*cj?FVjcof4%pTZxSpABIL8xuV`;@72
zDCqOM(V?`qgEUz`D%h&V)P4hu+C9e@SdH$6bA1L`nnsPvu#GTtM@gwK%Wu{wmDXeR
z+>0|0TpWBX!%HoAlqx888aKlwN0{Iw&vZ(h;qqfDyhsuK%0)24X=;p9RVpUvoA(sv
zTsXM{tP}bjac?AY16MkxwBF%2Fvlul<>F(z>Q3+PX?4%-(zT^4@wz=2V?|c9t$1VZ
z{$=plQ4T-<i2J28uB4Fqy3p$8SAjV_3jGRY-?&D(8cr#smu_BOh)?j@Rd~GcYT={8
zyRUXsE<N*1p5Fi)`B~G9wi!)J<rbt#xSI@B7AhoCNmN0qDAkmr-X6WWDpie(8VA{k
z1J)n&>FzzT*99r_g7JkF-c@<t`nRPHO~=Qad=XUh#Q)KLq$s}OKarVKBPx}Y2L12^
zUYD0S$Y#~J)%esblzlDRDJxlAlUFUe7>Uk2`>v*jP_&q$9#mX^$~mLy^w2CJA%K2y
znVdNmMIIT3O)O0=wIJ7(?k@elG!MTjeLl#hwv>J;aIRk+ioWjjjDE$nQ;%trZ%U_D
zl_GO*YsHeEH08mmFKZ0Rn{p%~GhSRzc40P=spRbBkxCS!Jk>lzu}-;L$z%>BtCYx_
z`7LV%vsRYOT*6$(+|5Ma!`B8?%trjQ^Cf44cAe9ZL4u9RC1-a&VWKlnZfWj~+N2+5
zql-H1GyGd^q}-&OlxO9`u)4S*OZ6RV;w&8E$(ZojjVv3nxM|>z6{iVt?2(r;vo*?c
z)wT5p$~Js^Q8mN?bWYh)+SO|tQzR>#Tg#T>Ngi}@Xp#;qlx|*(E<RhEoUyBo<E$PI
z5p~nnUdgkx9h3W2ewktpAodN*Xz1spQiy#uAT%k;Ho$3m><Z_EUD!0$f<0{7s^Xko
za}ME!DtGr&E(UTT9zPg+u&>hnF}H!B>5H9>y>p#IxaJW>-C1KEaV2$e=wdnRm>!L$
zH%)M+&P_t==AW3|5Noh2+A#6tl2Ezj^n?}8>kM`otv-52v;J6T))B-0PouD($6)ol
z6oY9ezW2seM~zODUMqe4y+K`R9;58_o&?F(4GM2@^*1g}@w=8$lTP*hhRnQBO2l8j
zIQ@$1Tfk@dw4BkovAMHzvvZ;L=AtvXw{oAZ&fM9aS0NKsd5zCAmLDI?FX9)S7`!z(
zLxlPVg_a$ux#a97X)1md-#Pta&%KvAr#n495Efobv}s$faxEmu)6RuqCL8F-oK=xV
zj!!H$v|sc}&OVA^;R3E=)Xh^@JJ0T;kln${RZYdsSVLT0oI$&-1u49AJAOC*nQOyO
zbWV>lUsfC6cHnB(UbY#$_AMP-$P#?VO3Y-%u4QdW8hm#*JAO4Qj1eF>oMj4cD<fGJ
zCw%ng3zLw!;A{4{d`^di)tvd<_{|r_X3~~1Ed(cN@o4fh+M(8$oYBm%1DBOCmz>SL
z&s}*Mbt=8lSj4wCk6UxtB8S0rw)ZaZzCL%R$-x2PHWHdbnkL$2RaU%>$5<`8`;ASm
zb87n4z(N86`W_>^<Y6>IV|b~9Ej~hn&b!738ea0XeY)$sEAvQsm-;=Hr_!&mj@iIh
z#e8H7pA}ye-4i`?q;GT9cQP_2_|6Px8={LFGTGom3?n8G@IgrLYUj@Bh*_%d*CyT4
z-__sSf2gF{7B$&B0-wDiOKu0t$H*JvP+?d=;6C|jxt#o2K96K8P$_&;;H#LExZgis
zk<>0rA@)z|Kev_al%mN0l{iLtl@(HRq%5`OmAK=IdmfSy4258+vsY_YYfjDfD}Q12
zN{mgiHJvV_`h}%G%PeKWl>X(I<#0)j43nG4m;TH_iy}|Wu8Gq<(xA{+j`nv{(g|f3
z>22HGSIT51Jw#U_Hdh>1TI7my!xT5hEmX`xGkGf&Tc@gy4zG1|^c7Vf$1s}GRQY<(
zmW$3uipq|ap(|yTWiQJNYb<I+HIf<{hB~l^OY{nDO)U$1=6Y`n@lF|87*nVyTv}LA
zxTi3jyIytqc3#H4Hdi;#Q~Z>(IV6))@_3U@br!AUb)m6}uX0xPQITSCeQ5T<wx&(O
z(fh+Hmz}%uHO7ur%~quqZdC189VooD7gbAt-cz%QRK*ZhrS7G^rD%9*bZHTx{9(_@
zt*17G9XJh)Tr?@&+q};3Qt93&$4gZu<*L@#npDhE@3NuSLU|-LIlZ3{r#wGje&j~n
zb$+<pX*_Gd>>G2BWtVL%i&oB3BBe54S*$#vyrz7t>{~OU1|^jx*DR@7SF^i1`iHY+
z>)p}MHRJ<Fa}&~r?84~428C2gjwPp&3&@rJh2#-(SB=iA<(v}T;t*_rGz5#$(;bBT
zSpcJlOLi}%F-wMcwPg+^r&sUJk;40+{d$)iTY1Gh9ess`{U8XwgZ;n|ZlEVlL&8~z
z8*z*ly{jaOWU~2I{1@*0y}84=rt4q*^qiFP#A0e#)Abu@6~|BG=kPbNeWFk?|AhH$
zouBwm_`8PaicY&=IJ-z@6;U)^G()sVlq*6-qGO^fqDoPlUBe|b!jwR^L|39eF^XuX
zN+FgJ>j|`%IOVpAx6<q$apY)7KOKK$=HFj4T;k&I<v+xKoPTBwTIm0^|6Rq!nr<_L
zh-dz~GGs2RllPLTh%i}#EVgW{9Bq+(D?2YMlW9MQvXi53@&*2D{R{n5<yrC#@_lmj
zQgl=Pvz(MaR9Gq86{}_F8(FksmO`m`CM#B$Pr9l=J>}n=3{{>ky;=HmDOt)cLsn((
zWxi$E&JQ#Zd!9P8)JWa*!p~8|E^3uKIhbA4F_*PN;h!6p8-CAi^Vm&c!fAKeMUju!
z=PqAyC|4@pt#UndnYoKa=w*C86!pJcMU<}?miE(8S^9yAhFdP}%Zt1lnv}77N!Jag
z>+m+)#fAIttyEns9k5)#6`{A5NM4c_EaMQmGYZ9v3STLU3Xc^!<yNkzv5RPPX|!p5
zqE_gu^hAy-LWKfV5vtaCQ&s+=HL4wl>n+`m9q1{=dJMrZ?~Remkmi7Q;m|_MlL>|C
zg^WE<FVaSyusyi)h3)q->q7m93_YUfkREYj!rT<q{h6hUOY=(6uF~!D!}1IA3VFR;
zM`5Nw4vOHihyGK`3}kD{c9fOeK<y7Fm)4YFKhMiCujyD*bsEiE>Q^JHiK|Jg$*FNA
z7LP=BdrE7bx(}N>{U&;8aD?@OF?^jmsC|9W(hlT>^+ikbd`P333FJ(2nQLCo>)@?F
zv8L^;m7h|N+p3-vgd&qz`!w;<thf?&YcMP9sGSnEvshC^ZazjXD?h7=PpC*>mdG8(
zSBy^;k3FSMVwNPAZ%r%@GZG7C-HrN*H96&8#WnIV`I<Cl@|n)YZp89y2dop!`Z7l_
z(L`o4mK!ynxki80^CIRkCc46`G}33k!beKzd>-GPkGk^*@<;Py`Lp>;mK7~s%SVNL
z_}-uYfZxDhmfKe3C_;oNP!wUkQ>RcbS(Lb|C<m<-6^dFvC|Y`6R3_4ha02x#vm-*w
zX2|E1$%#}#AwnC7eZ*<vCUHYV5^Vo&1Y*d1{fGNU`_J-sCi)Ok0-f-`=C6&#mpRM&
z$dFWKBAO;!AiFP{BR?YBDMEYvPx|Z2+sYl~Oj)2jLXMK;LuISvlT{h2uT<MrhgE_L
zstQ%Ts)xdFO7Jkn1O>XWw6$iA;%fF<#R>V58BI3m+AIO4HlfwN=G)KXC`&grx+wi#
z{P4V|*@hjjEybbp@_Or3MvRSpsEVJPka$%!W8p6DI@+d%^Jn8p4y@3NNdmMgeea?l
z`ZgW2S0#0^4;P9DHQXSM(_dP?7O0i9TvH?E_pu!umc?Gow-21RWRmAR45bK=czPC^
z-F*)3sSI9xpzg-fwY4}+z6{Hrr^w~=3v#PTM_;ineq-r^0-fcHJ+G|VP_bNsKgo^c
zv%YcPq)Ri@S>E^hvcdvgn$fh}1=$8!xj2S7Y`&OpU7)k);s)NHZsO!wqJ95gdtU<8
zRJOFcPfo&&Nl=_MK}EoUhyo6+ouDA1LYRVRs{sWCTL>~JPMt)N)~lC@imh#H#Gw_n
zjiTt)wv8ZY(+*J)wOcd{0wQX{Bp~4VYbOYD|Ka`bt@W?>)?4?ibs&6a@7lF%SN2e+
zs(?L<`C<MQWPTKXC33|@;!1I|*j$3J$oLY5rk|!o^_9j~gT$IucitcJQ}?U;S@Vy=
zVHxPI=B4K9m0{^fYoi^Zb=RU<+S$CC1EQZdYpa#369R9d@`q!~xI}r0UBb#Ol$NdY
zpLfD8>5T2PnjN!ieTquyJ1P^)xXa7$>q=|0b@?@BVHL1v)^YvN`|3+_np8#`b!m%f
zj)Q%R+eFHzU7(&rT9$6%h+ES5hNEr6sut4<qGB_ZQTKiBK}yx(UiCZm`mYc6M44BS
zdNZ64_=W>Qh6gi<xi!*yH=&VPZe$jl{lp|uYTiX==O&n0+UO`UUsR(gn?9FN_TDor
zolT<Z^MlCh^Ntg)ec;drfoTA(^SZ9!4e7A==FI1O%h|}jVgA9a<w*w9zAA(DUf@sR
zBg4v%d_k6In`j65W;f%-Fclb;9c2z7Z&h06kV#v5-(?~{RWEe}9|!E)^Q|~TIjEny
zoZskjkpGgimvfRMn4ABN#|p-z8Aqoj{gzd#lVV%8j(;^Pn=I#Fy>~Z#VfdvjQIZ`z
zbnoJ&fEJgGqVnv++9=aaz9_$#sYz}ft2sGqK;`0_p&D9puLj<vG_UDj(W{&%uk%9F
zzy9^KyGvDMKfcoxp~s#k);Gc!;UiwUUqn8C3q4)TT^NdX6*L#Lpj||~FpNYmgb93K
z;R3OJsGHa9uM34%VZuEWL8i`d6$jot=7H?I&dvFG(kAh9U-wM+%IPXuuxgnqS@k#7
zPpY%38!AK+TZ&H}2tSm2_u&D_&_r}m@^{IzZ&xthOLl8*q$8v)?$TM(1xasD?x;+%
zJUb{l*)i$6sR=uzhorC1N%N%QyzIX=-nZ(|4c}lpq%PUqYcTVK#CssAuvI*kRwc1%
zjS2dA?FQ09u|4%rF50(E@cmiETk4U5bNRhu;6b8nv~rpf7MqN_KjiM)A*Vgq?VPyl
zP;Pv0?p{rOV9?*Vd&z;jthmbYO3%F(GCyUQGGxnN%D4OclBgdzc-OIe4m0cNZaWp4
zpt>f$FD@0=i|LZS5=RNTsVY`gt8S_A5fYyuk<Yrp>fwxa>K!>X(TCO9YLs7aDAzc%
zm}vTI%wTrY_-RPZoYm_KyxCTalbN=(U#sU|*cp_1V`+HKc_fx_J#)@)ket#SmSjsV
zTp(Q8Cs>)=vzEwnt~5!im$y9o6YWe2toP^@xRHvn76|;o=A&M?tG_@n^dzl=QVXu%
zF5O^tf3)R|pvUjNDQ**OTo*rxmXvcYEa_YBwxo4Z{SN8bfGMS`0}jGE*$fM1!?SJ!
z5^UyFu$yDwiF0BfiTej5X^E`)DNI8(VS=&i9+V0`)jcAbwdT6%%i`mX<T#bhu5#Cr
zKDrU#ypOb@<(&82M2qZw;4MKOsPakqwR(YKCG1<BbFHQj`@m{CaM#uHz@Qy7&Biom
z%ssbl-fyW<afOQK3fVgamG;J^&u-^j{&_~yNEwS7tFk=Y>V7i4CNiEes@FbZc8Pj>
zh%wg)B2~632i0WN9MvL~L?u_D-KyiN%c?@vbJaT)rD9(}{d*;I1nR)wa(;_fr>HOG
zqMY-Ga^6flm)**@6b|tzQ=<lTF2A2<^4Gynl6jHSf?rOWqY20j{~b1etMcp15V1;j
zmyu9karEXJmsgxiH)Rf^FK&5J8IbE`+qbu`i5JAT$i_)z<G8)_7U;Jnw+sG|l&rW@
z;9~p6B{TQ6r`*oVdTsi^jT81hrC{;wEf9poEf%h7;S0Q$7x76?#%oKj7jrE{+>DC)
zGS5xV>3w6sMRL@QFs|R2o8WLVIc4fh#?0v?BgvQR?{h5Uq}RoazJ8QovYG1^K~Up7
zzM#<}u=14Gs|#M~#dDddn@1J+Jf^I(C++)cQ$VgSo3Ns@S%H@O=xnbBZU|x1FT^=F
z^`pCEQB{S(Si%EqNru%$Lf)|b!;bAAG;{TQPnm6LQ<-Hm<ViT-kJBXlkceiaj9Zy9
z-e%|X>y>d}$CH&*#>rMyxTn^Y``UpK?@hvDUsf2{nZ;;jE9=S6i^D9+#p6{XnU;1f
z;Kj9&;!1n_N?mhl8DX|F{+wJ?;H~qqz94J(j_R|S3=j;Q96sbu$RDA$NrGE$Cd1=t
zY~FC5o74X3{fUUEu}5c0oD(9QbN4QBnn!mE-MfVFlm<1lg<I#85ooWs#Y_nLTi+Zx
zs$kRl!81{B!B5h&(n%u=zmquEN=N5=#2j4Khm*{l#Npi-?bjRm+6CkW<XUHk*oD}Q
z%A>RC1wp(UvC}_@6w4KB6|)DK`GUL_<SxH6>8|3XLa#t`2e<~f28_x(&AwA$5)g;l
z>&x5^8r`iY!ZciDQ_gpt28wd%{EM<5K(T)2|Klqcr$5{T(|E<L-|(!Z+Z$7P0S}}|
zcp_)?^5Z*`g(tL;;b$u?ktkDC;I5i=DvU6#!~Ryt=x~+Ce9Xj|4`jJ0pg^Ya%ipgl
zQ~!2HR8VveO$#`{*Zw%NxR<uD+4;|l;UC{macy^LuoVdAQU<#qSY0TY{fc=<Ru`*h
zr{-TtD=1j~Vt+j?^_Jrg+AM8U-|X6HVXq&xjQdpYZss)@W>4Fx?;nWH(@@f~C%J=m
zJ_XB4rhc6TOYq5N*dxMGJEfR5tH|@wgc5>Wtld><8K|z=^R!quMdIJ8^XX?xi8{)b
zeIVl~nN+f;!?f<?r#lZ%HaOH<3QFv}8WO9HK5~Jdq(eR1Dp8lJ+gD`)Co<is;@?v}
z?liF&f*<cWnJOCzpV9is=A#?tFc&dd>S1c+s-CG1Rj*KQP^YQ!F$xW2x^WE4>>$>s
zIOenS=rAXHK*VIQL~%+OC3YWeX})$NOdYNd@g4qNX{8eK!Y+?yeK^Yd+t^iB#p*Lf
z=<@m5YzDud>uj5cYB#<&|L}~^h{=1yqx91lflB`b3j#?p{S%b_f1h~i;ZTiC`{SkJ
z^-X`cU3Hm%{3TyR3C@6J9SrMm-hFM?_SmX}s^EiV9SrMygJr$plE>+hFLXKfU{rS$
z!u!kFY=JP)w`wG8O=p&S1lf*pFRO=eh}d$nJd+h<<{D665#dgA4KcTw9x(rSN3psH
z4C-J{_XdNyAwAO~x4T7z)sNyc0Z&}A#reUr*%~n_6E}z%l70}WlB@NVh$U#1WV0kA
zf<2QptEKX7hFKH3;rt8FTKv$-bL;%f;Yv3pa%OH*98mnCsH1tX3zg56f}tEr>CPFh
zD*O2>(ahgfSHBxl{4x$~*ut2dTz%B0bV;=1qLKc#Q-i%eAUjvL%G0Wu%N;{fmeUIM
zMxt4<{>%O$`D5h`MU;4*coKxHD+ekgq^qS{rAw5F2UPThw`|juI==7Lyg$zzLhnH8
zF}ar>CfXe(q8b}7v*@=at+eQunft4f|E#lEAb9ihwX`c<HAzZ&kZpviST;Hsj__Mc
zrnkjMO)HsB(0EE>{t=~o{_)c(PEt!HdZIXPdV2e%s8r>?gM@kog*H%W)L|-{%BP-C
zuc@O~P<!2nfXixi=zUI=nswrXh;DJuobB5FLtFaltV<8g2bB6~zPcS=7+l(tw|M_K
z>h~k_dI<!7d`-E{ptjlw1d%V(^Uw_ecXilV&u?C+lP~Jk@{9Mf?z!L3qa~TM!jk6S
zcu`P#UsI|H$vyetZ)~$C<E0<h`oP3KL7FQ{Xg+uPpnbUMBR1zjfm8dgxH}JrUmSd!
zKnG>_&k5E|xPHEG9$_|E<E*)w7x#hTmn*sTjYdw!YGn6Ihqu?Ae5B4JQCoff?*||4
z`?K`+S*=X?NQ)-%tJefiXs?@>5couwceTPS@JVYPy=ES}>g>58y4ym5M{Pv){MU(g
zK@}zs)g7;ik#5@ls`-x@kJ`)T<d`+xTe#1rQvGdTyJpT3Cf>xjw1!s9phOh<q-3dv
zsa#bvRiUaCstqdCOqnyisj*BxGl03&a@u=zklJ7T6Z0%X@^`#7et8_#Gs3>7+ej30
z#qMnbCEgqqz5H5QBIg_1wU-Vu(;_eTI=m^T<>tu%n@FcRTJFU8G=_hW?!ocQ__|*>
zy2tT#vP8S*nLf6mVC?wBS<$ra&4AG!b+U+O0yv1hsU8=nvf)nRMxyXjb+X7n!4%zt
zAXjeUuV`$|cnSJ8r8F}BHj5i5INLiCO%wSqif9<;h(@Sbaih3b5(5R-*)d40wu!I_
z6gas%-pU-at9l1v)hf7^X%l&}(jrpE+vSjT(7tWaV(VPGKwwf$EsguygcJz8E^W?!
z$KN`lfuBC&1zPpy#mM7H?|Eo)?nqm{1K(_K$aH?mbkgGCh6xMY=VX6M<%_VH5sfqj
zGvg8dMgA@RGyXVlH04G!-`p#{;d4qEBo=n$rA1n3cl!QRc~W>)i0%qsdOUM~I_YlH
zf~LLU8KsW#bzH^x%~xCM%lT>Xb?A=xg%}$F#Y}t2W~N4oPB3dPY#X^t{Fn7M=OT%G
zG3&KBNF*0qevAp0PNz(D^kuF6CIrV5+u7UMYXjF4Xg#r@-l^{D@xb_O=@Ut!1VvLy
zse53d1e<Ok1xm6YRIx%agPEo{tT2yxaaW0cP;PHIy=B{&GHHV}T$wFGncQoTBjt!P
zG;P<&ctxoa)hmD0ozX##7G1fnQ3s(g{i!`a$F9m$?M;bYbzOB;iON-tDid{o^(ggJ
zwV&EKg32)(ZUmIz@rs-Uzl1Pg>fDgq3hx6blN*A^cx!t3zU7Uj$3Cc69&0;%K>Z7(
zy?&_X&v@?~(TBp;GHfh+C$`QPoS_$-8q|jg7UOsO$NhCPcGaswn&~x~>7~Mahs){t
z>xp5<QoJvxXlUN*`PZG(tHv!`n3Fj;4wkZ`hu87+wDgN;zk2*EnzoO2<nw-fS<waF
zgxFPyMRvCq)PMKqakO1~P^;4BYKxw&C+-#T#@kui-Rhei0-vn1G{1tU$xY4Lptssj
zT9$5@&b8`Obn4EEZBcI<?h<N0U6?Ljm!hjxbSRigWT%{<^is}KMk_~B_R`r9s3eW0
zWYn(Kq6=|T{hlB%Z7x;R5xc6IYNc%8H{vk34nqTZJP)4t{CVO;W~qZ@A5$ql)EaZd
z&*BDpz}(*yar&>19~VWOZDVd{_hR>ljj3IqKhK{}-wCtfrPIpal)wBLB&s;*p4mSL
z9ey-i?0RCTs`>U(r!}jN$~#Ua+h48DbxfK_S->6vZxN{Rg=#@4ybxB64tTD1>vLtA
z?VXg=U)JW)-1?qST~Y1)kp1z;#?#66alL!L`o8(CrC_xK<62w{XUQfr0a5lSTb*^;
zbD#QkUs`kT2AgBoNNXO_xVetEyfVX~Q2ku}PQ9kOkGaO}UfIlBq`zi~Ch;Ci7_jyJ
z`m(JzosZ?k*!eH@AMPGFjCXUmJ2_;$)o?x?)?;^z0RB?`xu)?CTMOd9F822sGVduE
zBK{hOmjC(JgtgkPA=08sEk1S((v8*eb%nyEI<q9*_qzSH0-qt*`QH=wb*Qu^#!j!J
zQQH^A*f};y>xdC<&3&`hH;X6<ybZhF_K@pidy2Z&5#}@Kxf;D_SVruxTf*F%vcEyj
z+|5MCnU|RjN`~qk(@AB`;S8b<nH~j0cnklNn=N0k8`~LnZ*G{`_p79eP|k`0eEk~E
zHqL>e*ZW>Xi~nKj?n1m(eLDP*Q^9#AMW(y~yj}|8!u~qTD<0o3;vor7&fCp9&b!Pj
z<UQvl+(*49rfCMc@2{)9X}8yZ6YnOn+dJD8t5MQKY!yAqM>${nu6e)*lK{Ul&m@V^
zBA(FxFH_+F;b`GBp->nuL<zzz!XJcL!e52=gj!*p5Ru}aUjKGzfqI5mw20r4Bu3wh
z_lEDU%M@P_7l@yVYsAOe#MaULfs$W8$-LJ$Am0cAyyd{X1Yxf^!zEf#Qx9Hj;JFHJ
zu%gc7rvL1l3QxfC2QnJ;tJQ;3r)U7ATdmcDw;VV|h&bR?2YwN?dT@)dbuc&}Ieqr}
z#9ozM?z02`8*Zi%l&69`7J^Wy(S7!!NebEir86sbB*d<)UtYLV_!7W9)ii@NnfKYB
z6Qe!cGykjV*qw5)Sq7O3)w`WAagBwTPUnRi!``#_!hW?E85!iG@d)J(N9ZXk1f)ce
zLGFewu;H^Of>&DTu1N+N3{=4@69oeX9*e-{?k)rX!zFStxL1Ksoa5^TTM)5T357n?
z;T%<+8L5QB%sfZZ!bKjC(zd=%1fd;%jGZgYOWT~V^VBdicp22skj9F>k+~iGFLSOz
zx|hB*5p67CwNPcfp%(|4)zlYmGxHick`^$QajDl>+N@D@)-<Lg3S~z3Hq|w*A26EZ
zkKYwLbILwKaD`W2nq9z0rWtP_ZwwE0EUVQ=f($%x>Lcu(v=V8#NQ7cr!4py|fmeo+
zl-?Ib2bECTcFLWs;qw^H1V7A`0J|ieK?@}4BM3}{0YrijwHCbMmVk#`=E@SvhB<=i
z&XhrRQ;I>*2vZY?)i9mdReBzFor{HBOA*bDnF%FSf95Fg;>5+#L<>yP%fOekldlr0
zoy8o+MARr$IzyL?ZkY3+O~H4rh{CJ@C!bk4ZeV3iG>U10yi2hqRH6;@#V4|+Uf~EC
zLz)Rhuc@aICJ<Lj1QAB=aTR|=K}QW770hkbi%O`z%(9OV-iZ!>Y}YvUt!`XHAQn`m
zF-DkS{%|E<1n!1hsOya=2}JWn0fjp76d4FUrI6C0RNK~ZdxcGPqY}6jfJSL)mXrxH
zr7_HCbkyCpCz9gYNhs!XH&rxru1&Y$Y4kW;*^KI}Y+?#N^q;x*GIX?gEn4|b9}Yf<
zb<o#7Ol|x3CW!vByj6)17ySJ!C<cu|nvf(34ZbtTRj-HK5>z7iGKNEcspU|2B@CK~
z+oX>mQ352WDxrp!eVoBXFdUP?>3490zNVfuGck4?w+jiB@W9}g$}UjaAYs&?uV}eG
zi9xeu(C7j14vsYT(8wnh1?}O~XRD$=m#3F~+<+-}Rv>9#RPaS&%p7FP0#({!pf4+J
zGnA(243a?u|0jah-9Rvs!eE0s0XI_(nnEH$*~bR`^)C8d40#&_r^Qy1h*tetR0nmi
z;6S&^v^0cnn1OB);Ps0fxu9H@Si3s)9QP#<4GC}7uSU=h+>ip1h=yB&h9sR`@9YR}
z2*x%F1RRT!K94PKhNk=6443L`=F6`WZe}jxKx!2f)vTu|HZyHF*t%Jr&G3vG{{>Ip
zNE?o&3#mK|0><4T5%<3k@C>Z6@i2an_ADH6!DSvaXpK>INrdF}<*kGl0-tY7@=MNe
zmpZi`=S<_ogDQa_4Br()$Dm&w2Kiy}sj>VF;`>6|z41`3gm(Y8wH=~rp%yTjfSv-!
zZTdBoJ`f$0w1WPF^1t{*;pxEx&kpYm(*vFzXp{-bfG&`qzj2<>1w-#~cB^Q#D6$Q5
zyZKRi=zRNNW_2T`F(Y}+=P3qgP&8B09KQIbG&;x}d$<1qey#s}fuZ0(xt;<ZJYP;e
z4n+_ijKJv^BN3r;a=?7!I$}f;=gCQLK<vB9q=d-Hm4Hm@LiUK{<S{@dbRoxr<>XU9
z+`5p9L2}Y+0fJfSb6fd=axw^zDP73p06F=0Kqht}ul(g?J|G@lNTX0rGQNRy^j!!Y
z5H~<vx{yA8a&lRZG9!HD<lY{LE2N>k1;|%jwLIs@NdgvPyoMV49z0u4@&K9Kg+%zs
z$tXY|7NN6D;w(9t0SGM6ok)teoV*Q4H|0Gu<s=RM)fQf<jg*gh$w?1Dy8C|7Q%<f2
zWVWFU{P@@PFA4lh0{<UK0MDx>Fs~NCw;S)wryKf&v&li=Lon>mq>+G2Af80u1m_$8
zy<s_#CKz^K@y&YJ{mw)Z3RY2T$c+U-QO25qP)HkxULz<1J1`*X4XbT5-XFu~&O$)|
zNFf*<*0#tJ2#LV0hvVfDEyabnhUR9%)2HC?|4u*logQ*~;Wao0!F~eP+$K0907tk8
z;A;@9O09Zr=W}DTbAcM(Oh92cx<O%_P+}u&*CU}3SpA83=$Mgbe`s8a_jY5E%fAP?
z1`ue#_6}!+qm~#pXFSBgp-!<-0Uz+N%p&ntF9w5nkCBLAwKblZaMM_DzzZBEArb_~
z(Lz~VC>ohUZaJU=Ex;2jKPmyr<0aR6X){Ec;8Ry1AZs8R3a=)(Jtzs=Dm)w^P$9lm
z&xwW-m<%+~$*6WIlt^gPOAztp0~nv44`6hm29_6v1qRsw(2KQguu+I<)~`a=Nw^nH
z;PY=FyB1Ngz&GyY)1`<DuN7MLvB)-(K#8UZixiH=P|zTZWayqhumuUzqTBS*l)kf@
z@Ej*DfRQsKE}-<*Nfd6QkD+SMM=;o*ug*d5`Fsdebw=(+`N1gnd}?ZZWYm_PkBk*3
z{pS_o(Lc3}N55NkQk?S*qSk<dk-jI4#DDa-iwcMaIP9TAltG7pkf{rD14>5K{|{BE
ztBjFM&)#e_h`|L-1R9_o|4tAb%ql$m%nRO`C4*uO{0zWvi2XF&7{YrdD~}BFSNKBW
z)4sO>S^1-ad;kdEbs3SVP^PJ889*!|5Mn_YFGH=L02v5KH=VnH@OqTF29)`L4DX_R
ztY{Cp1Q1Ra(hjxcfb{C3{0hn_0KvU5@-t?72AKs&cUubqx!wbz?><5n0W!F&)~oa*
zqz;gw-AKq`(i&#0?zToitwDfvx8(_lTMwiiY6$`9?t8?ZBcvFRAzhRs&Kw~(05YHp
zNdY9I2NJPdNuCA7zN^eD`3bTJ5T`C=DwJslgxiJW6Q{|+%McpWg|x>WCMN=dN82c$
zW53EsAs}=>jH8oyMMehoKwgc{BIg0pEscCYk^t$ZOn1m4clIcAY*ZF`wnv#)*JNZN
zAl+@9fwu1TK=RG9$cKP*kManYED};Jeu3Nto*`)93p#xQ&XT=*AY&A#$bNuy>(7p~
zQ{)stMs)T4ar!B8F(BM7<XF0j{0@-r(HRVs4*=55bA<0%QrU$-Rl}kNXJ0tX8p|=@
zw+Y;)aGSwx4mY+lVtb<%+}Ngu^@s^K)(mVPvw^!e+}O&7brqZT`oWDy3Tp<|GAwPZ
zqnJB97Fb4Hxb5H`1~=|2?j6>Wk#IY}?Fcv4kx_6%q_W{!^mVO1o_J7Gf8%vS+f0~b
zlVSQ^iNj$bA3h3K;aS)ajt|LU;%!laEzHfUku7ae+L!fUsqCx=S<|8J>i4+c5w-d#
zl=x-{ien<4Jv>-?Y7iucK;hQN*%U>;9}To5*02UFJ2eD3k46$x#ABoAkJc#K15&$>
zN8?5<Meg<}l7SL=$cmsX#A}sk7+44(g4(doiMmpHnZd+n{&^0=Bh+PLg(v^ZNdAS?
z0R`!?5@cyKu?Cx_km4^*tVU@OhF|udb05&~VY%^B-KQon74N}SE&~ai)nF`5ndo(v
z%$*2H?>r!b5y7J4(VT50U?c`V@u>gLUIHNhlVt`O4UGB0=fMBj=Kc?;3!sjbRR(zz
zICO{4Mh<%zsC)eJe@Bj9z}Z{i(joRsJ2-&<&s><ph1MCQYYz_B;|&*R-Kz%uPgPCL
z4FrO)RSO1vlp%O^d4qmf3FXQx#ewnVtquC-7KmN0AjhQ=k<8Z(jun0sYx$G&6#~Z}
z*Q7nWe3}OT5c&f7{zR`ZTk*?|(gTVnvI;hpW{GKOWRk2_e*ka0;eCks4E*=LL6Gdf
zR=+XW(q?e$E|PEC_aW6ruvt}2aeJ6(VB-MxaMn@|VFlTy-%jVO=HNsF*T@Vtxz!n=
z&9(ZFHXQOihMqxM2JpD70XDyI>>%_slT|bNIIDke$j4yCfYPhRBNYCFjl+h`#8Xzm
zJcObK*mSrIV8c5Lmr$5<j@IfUU~+s0FA?TiWRT{IA*A~(V<7uE3ti)IkLqCdeq94E
zARc}iWLKC$D!xUib&{#g*LGv*TglsRyt(U4ZTJV-@D<Xwf`*Q2fbHu>&&>qrf=BF1
Pd$a}5xc|ET+Y<OUCT7Gm

literal 0
HcmV?d00001

diff --git a/contrib/nginx-sticky-module/ngx_http_sticky_misc.c b/contrib/nginx-sticky-module/ngx_http_sticky_misc.c
new file mode 100644
index 0000000..237ce5d
--- /dev/null
+++ b/contrib/nginx-sticky-module/ngx_http_sticky_misc.c
@@ -0,0 +1,315 @@
+
+/*
+ * Copyright (C) 2010 Jerome Loyet (jerome at loyet dot net)
+ */
+
+#include <nginx.h>
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_http.h>
+#include <ngx_md5.h>
+#include <ngx_sha1.h>
+
+#include "ngx_http_sticky_misc.h"
+
+#ifndef ngx_str_set
+	#define ngx_str_set(str, text) (str)->len = sizeof(text) - 1; (str)->data = (u_char *) text
+#endif
+
+ngx_int_t ngx_http_sticky_misc_set_cookie(ngx_http_request_t *r, ngx_str_t *name, ngx_str_t *value, ngx_str_t *domain, ngx_str_t *path, time_t expires)
+{
+	u_char  *cookie, *p;
+	size_t  len;
+	ngx_table_elt_t *set_cookie, *elt;
+	ngx_str_t remove;
+	ngx_list_part_t *part;
+	ngx_uint_t i;
+
+	if (value == NULL) {
+		ngx_str_set(&remove, "_remove_");
+		value = &remove;
+	}
+
+	/*    name        =   value */
+	len = name->len + 1 + value->len;
+
+	/*; Domain= */
+	if (domain->len > 0) {
+		len += sizeof("; Domain=") - 1 + domain->len;
+	}
+
+	/*; Max-Age= */
+	if (expires != NGX_CONF_UNSET) {
+		len += sizeof("; Max-Age=") - 1 + NGX_TIME_T_LEN;
+	}
+
+	/* ; Path= */
+	if (path->len > 0) {
+		len += sizeof("; Path=") - 1 + path->len;
+	}
+
+	cookie = ngx_pnalloc(r->pool, len);	
+	if (cookie == NULL) {
+		return NGX_ERROR;
+	}
+
+	p = ngx_copy(cookie, name->data, name->len);
+	*p++ = '=';
+	p = ngx_copy(p, value->data, value->len);
+
+	if (domain->len > 0) {
+		p = ngx_copy(p, "; Domain=", sizeof("; Domain=") - 1);	
+		p = ngx_copy(p, domain->data, domain->len);
+	}
+
+	if (expires != NGX_CONF_UNSET) {
+		p = ngx_copy(p, "; Max-Age=", sizeof("; Max-Age=") - 1);
+		p = ngx_snprintf(p, NGX_TIME_T_LEN, "%T", expires);
+	}
+
+	if (path->len > 0) {
+		p = ngx_copy(p, "; Path=", sizeof("; Path=") - 1);	
+		p = ngx_copy(p, path->data, path->len);
+	}
+
+	part = &r->headers_out.headers.part;
+	elt = part->elts;
+	set_cookie = NULL;
+
+	for (i=0 ;; i++) {
+		if (part->nelts > 1 || i >= part->nelts) {
+			if (part->next == NULL) {
+				break;
+			}
+			part = part->next;
+			elt = part->elts;
+			i = 0;
+		}
+		/* ... */
+		if (ngx_strncmp(elt->value.data, name->data, name->len) == 0) {
+			set_cookie = elt;
+			break;
+		}
+	}
+
+	/* found a Set-Cookie header with the same name: replace it */
+	if (set_cookie != NULL) {
+		set_cookie->value.len = p - cookie;
+		set_cookie->value.data = cookie;
+		return NGX_OK;
+	}
+
+	set_cookie = ngx_list_push(&r->headers_out.headers);
+	if (set_cookie == NULL) {
+		return NGX_ERROR;
+	}
+	set_cookie->hash = 1;
+	ngx_str_set(&set_cookie->key, "Set-Cookie");
+	set_cookie->value.len = p - cookie;
+	set_cookie->value.data = cookie;
+
+	return NGX_OK;
+}
+
+ngx_int_t ngx_http_sticky_misc_md5(ngx_pool_t *pool, void *in, size_t len, ngx_str_t *digest)
+{
+	ngx_md5_t md5;
+	u_char hash[MD5_DIGEST_LENGTH];
+
+	digest->data = ngx_pcalloc(pool, MD5_DIGEST_LENGTH * 2);
+	if (digest->data == NULL) {
+		return NGX_ERROR;
+	}
+
+	digest->len = MD5_DIGEST_LENGTH * 2;
+	ngx_md5_init(&md5);
+	ngx_md5_update(&md5, in, len);
+	ngx_md5_final(hash, &md5);
+
+	ngx_hex_dump(digest->data, hash, MD5_DIGEST_LENGTH);
+	return NGX_OK;
+}
+
+ngx_int_t ngx_http_sticky_misc_sha1(ngx_pool_t *pool, void *in, size_t len, ngx_str_t *digest)
+{
+	ngx_sha1_t sha1;
+	u_char hash[SHA_DIGEST_LENGTH];
+
+	digest->data = ngx_pcalloc(pool, SHA_DIGEST_LENGTH * 2);
+	if (digest->data == NULL) {
+		return NGX_ERROR;
+	}
+
+	digest->len = SHA_DIGEST_LENGTH * 2;
+	ngx_sha1_init(&sha1);
+	ngx_sha1_update(&sha1, in, len);
+	ngx_sha1_final(hash, &sha1);
+
+	ngx_hex_dump(digest->data, hash, SHA_DIGEST_LENGTH);
+	return NGX_OK;
+}
+
+ngx_int_t ngx_http_sticky_misc_hmac_md5(ngx_pool_t *pool, void *in, size_t len, ngx_str_t *key, ngx_str_t *digest)
+{
+	u_char hash[MD5_DIGEST_LENGTH];
+	u_char k[MD5_CBLOCK];
+	ngx_md5_t md5;
+	u_int i;
+
+	digest->data = ngx_pcalloc(pool, MD5_DIGEST_LENGTH * 2);
+	if (digest->data == NULL) {
+		return NGX_ERROR;
+	}
+	digest->len = MD5_DIGEST_LENGTH * 2;
+
+	ngx_memzero(k, sizeof(k));
+
+	if (key->len > MD5_CBLOCK) {
+		ngx_md5_init(&md5);
+		ngx_md5_update(&md5, key->data, key->len);
+		ngx_md5_final(k, &md5);
+	} else {
+		ngx_memcpy(k, key->data, key->len);
+	}
+
+	/* XOR ipad */
+	for (i=0; i < MD5_CBLOCK; i++) {
+		k[i] ^= 0x36;
+	}
+
+	ngx_md5_init(&md5);
+	ngx_md5_update(&md5, k, MD5_CBLOCK);
+	ngx_md5_update(&md5, in, len);
+	ngx_md5_final(hash, &md5);
+
+	/* Convert k to opad -- 0x6A = 0x36 ^ 0x5C */
+	for (i=0; i < MD5_CBLOCK; i++) {
+		k[i] ^= 0x6a;
+	}
+
+	ngx_md5_init(&md5);
+	ngx_md5_update(&md5, k, MD5_CBLOCK);
+	ngx_md5_update(&md5, hash, MD5_DIGEST_LENGTH);
+	ngx_md5_final(hash, &md5);
+
+	ngx_hex_dump(digest->data, hash, MD5_DIGEST_LENGTH);
+
+	return NGX_OK;
+}
+
+ngx_int_t ngx_http_sticky_misc_hmac_sha1(ngx_pool_t *pool, void *in, size_t len, ngx_str_t *key, ngx_str_t *digest)
+{
+	u_char hash[SHA_DIGEST_LENGTH];
+	u_char k[SHA_CBLOCK];
+	ngx_sha1_t sha1;
+	u_int i;
+
+	digest->data = ngx_pcalloc(pool, SHA_DIGEST_LENGTH * 2);
+	if (digest->data == NULL) {
+		return NGX_ERROR;
+	}
+	digest->len = SHA_DIGEST_LENGTH * 2;
+
+	ngx_memzero(k, sizeof(k));
+
+	if (key->len > SHA_CBLOCK) {
+		ngx_sha1_init(&sha1);
+		ngx_sha1_update(&sha1, key->data, key->len);
+		ngx_sha1_final(k, &sha1);
+	} else {
+		ngx_memcpy(k, key->data, key->len);
+	}
+
+	/* XOR ipad */
+	for (i=0; i < SHA_CBLOCK; i++) {
+		k[i] ^= 0x36;
+	}
+
+	ngx_sha1_init(&sha1);
+	ngx_sha1_update(&sha1, k, SHA_CBLOCK);
+	ngx_sha1_update(&sha1, in, len);
+	ngx_sha1_final(hash, &sha1);
+
+	/* Convert k to opad -- 0x6A = 0x36 ^ 0x5C */
+	for (i=0; i < SHA_CBLOCK; i++) {
+		k[i] ^= 0x6a;
+	}
+
+	ngx_sha1_init(&sha1);
+	ngx_sha1_update(&sha1, k, SHA_CBLOCK);
+	ngx_sha1_update(&sha1, hash, SHA_DIGEST_LENGTH);
+	ngx_sha1_final(hash, &sha1);
+
+	ngx_hex_dump(digest->data, hash, SHA_DIGEST_LENGTH);
+
+	return NGX_OK;
+}
+
+ngx_int_t ngx_http_sticky_misc_text_raw(ngx_pool_t *pool, struct sockaddr *in, ngx_str_t *digest)
+{
+	size_t len;
+	if (!in) {
+		return NGX_ERROR;
+	}
+
+	switch (in->sa_family) {
+		case AF_INET:
+			len = NGX_INET_ADDRSTRLEN + sizeof(":65535") - 1;
+			break;
+
+#if (NGX_HAVE_INET6)
+		case AF_INET6:
+			len = NGX_INET6_ADDRSTRLEN + sizeof(":65535") - 1;
+			break;
+#endif
+
+#if (NGX_HAVE_UNIX_DOMAIN)
+		case AF_UNIX:
+			len = sizeof("unix:") - 1 + NGX_UNIX_ADDRSTRLEN;
+			break;
+#endif
+
+		default:
+			return NGX_ERROR;
+	}
+
+
+	digest->data = ngx_pnalloc(pool, len);
+	if (digest->data == NULL) {
+		return NGX_ERROR;
+	}
+	digest->len = ngx_sock_ntop(in, digest->data, len, 1);
+	return NGX_OK;
+	return NGX_OK;
+}
+
+ngx_int_t ngx_http_sticky_misc_text_md5(ngx_pool_t *pool, struct sockaddr *in, ngx_str_t *digest)
+{
+	ngx_str_t str;
+	if (ngx_http_sticky_misc_text_raw(pool, in, &str) != NGX_OK) {
+		return NGX_ERROR;
+	}
+
+	if (ngx_http_sticky_misc_md5(pool, (void *)str.data, str.len, digest) != NGX_OK) {
+		ngx_pfree(pool, &str);
+		return NGX_ERROR;
+	}
+
+	return ngx_pfree(pool, &str);
+}
+
+ngx_int_t ngx_http_sticky_misc_text_sha1(ngx_pool_t *pool, struct sockaddr *in, ngx_str_t *digest)
+{
+	ngx_str_t str;
+	if (ngx_http_sticky_misc_text_raw(pool, in, &str) != NGX_OK) {
+		return NGX_ERROR;
+	}
+
+	if (ngx_http_sticky_misc_sha1(pool, (void *)str.data, str.len, digest) != NGX_OK) {
+		ngx_pfree(pool, &str);
+		return NGX_ERROR;
+	}
+
+	return ngx_pfree(pool, &str);
+}
+
diff --git a/contrib/nginx-sticky-module/ngx_http_sticky_misc.h b/contrib/nginx-sticky-module/ngx_http_sticky_misc.h
new file mode 100644
index 0000000..fe8e859
--- /dev/null
+++ b/contrib/nginx-sticky-module/ngx_http_sticky_misc.h
@@ -0,0 +1,28 @@
+
+/*
+ * Copyright (C) 2010 Jerome Loyet (jerome at loyet dot net)
+ */
+
+#ifndef _NGX_HTTP_STICKY_MISC_H_INCLUDED_
+#define _NGX_HTTP_STICKY_MISC_H_INCLUDED_
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_http.h>
+#include <ngx_string.h>
+
+typedef ngx_int_t (*ngx_http_sticky_misc_hash_pt)(ngx_pool_t *pool, void *in, size_t len, ngx_str_t *digest);
+typedef ngx_int_t (*ngx_http_sticky_misc_hmac_pt)(ngx_pool_t *pool, void *in, size_t len, ngx_str_t *key, ngx_str_t *digest);
+typedef ngx_int_t (*ngx_http_sticky_misc_text_pt)(ngx_pool_t *pool, struct sockaddr *in, ngx_str_t *digest);
+
+ngx_int_t ngx_http_sticky_misc_set_cookie (ngx_http_request_t *r, ngx_str_t *name, ngx_str_t *value, ngx_str_t *domain, ngx_str_t *path, time_t expires);
+ngx_int_t ngx_http_sticky_misc_md5(ngx_pool_t *pool, void *in, size_t len, ngx_str_t *digest);
+ngx_int_t ngx_http_sticky_misc_sha1(ngx_pool_t *pool, void *in, size_t len, ngx_str_t *digest);
+ngx_int_t ngx_http_sticky_misc_hmac_md5(ngx_pool_t *pool, void *in, size_t len, ngx_str_t *key, ngx_str_t *digest);
+ngx_int_t ngx_http_sticky_misc_hmac_sha1(ngx_pool_t *pool, void *in, size_t len, ngx_str_t *key, ngx_str_t *digest);
+
+ngx_int_t ngx_http_sticky_misc_text_raw(ngx_pool_t *pool, struct sockaddr *in, ngx_str_t *digest);
+ngx_int_t ngx_http_sticky_misc_text_md5(ngx_pool_t *pool, struct sockaddr *in, ngx_str_t *digest);
+ngx_int_t ngx_http_sticky_misc_text_sha1(ngx_pool_t *pool, struct sockaddr *in, ngx_str_t *digest);
+
+#endif /* _NGX_HTTP_STICKY_MISC_H_INCLUDED_ */
diff --git a/contrib/nginx-sticky-module/ngx_http_sticky_module.c b/contrib/nginx-sticky-module/ngx_http_sticky_module.c
new file mode 100644
index 0000000..82d8f5f
--- /dev/null
+++ b/contrib/nginx-sticky-module/ngx_http_sticky_module.c
@@ -0,0 +1,691 @@
+
+/*
+ * Copyright (C) Jerome Loyet <jerome at loyet dot net>
+ */
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_http.h>
+
+#include "ngx_http_sticky_misc.h"
+
+/* define a peer */
+typedef struct {
+	ngx_http_upstream_rr_peer_t *rr_peer;
+	ngx_str_t                    digest;
+} ngx_http_sticky_peer_t;
+
+/* the configuration structure */
+typedef struct {
+	ngx_http_upstream_srv_conf_t  uscf;
+	ngx_str_t                     cookie_name;
+	ngx_str_t                     cookie_domain;
+	ngx_str_t                     cookie_path;
+	time_t                        cookie_expires;
+	ngx_str_t                     hmac_key;
+	ngx_http_sticky_misc_hash_pt  hash;
+	ngx_http_sticky_misc_hmac_pt  hmac;
+	ngx_http_sticky_misc_text_pt  text;
+	ngx_uint_t                    no_fallback;
+	ngx_http_sticky_peer_t       *peers;
+} ngx_http_sticky_srv_conf_t;
+
+
+/* the custom sticky struct used on each request */
+typedef struct {
+	/* the round robin data must be first */
+	ngx_http_upstream_rr_peer_data_t   rrp;
+	ngx_event_get_peer_pt              get_rr_peer;
+	int                                selected_peer;
+	int                                no_fallback;
+	ngx_http_sticky_srv_conf_t        *sticky_conf;
+	ngx_http_request_t                *request;
+} ngx_http_sticky_peer_data_t;
+
+
+static ngx_int_t ngx_http_init_sticky_peer(ngx_http_request_t *r,	ngx_http_upstream_srv_conf_t *us);
+static ngx_int_t ngx_http_get_sticky_peer(ngx_peer_connection_t *pc, void *data);
+static char *ngx_http_sticky_set(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
+static void *ngx_http_sticky_create_conf(ngx_conf_t *cf);
+
+
+static ngx_command_t  ngx_http_sticky_commands[] = {
+
+	{ ngx_string("sticky"),
+		NGX_HTTP_UPS_CONF|NGX_CONF_ANY,
+		ngx_http_sticky_set,
+		0,
+		0,
+		NULL },
+
+	ngx_null_command
+};
+
+
+static ngx_http_module_t  ngx_http_sticky_module_ctx = {
+	NULL,                                  /* preconfiguration */
+	NULL,                                  /* postconfiguration */
+
+	NULL,                                  /* create main configuration */
+	NULL,                                  /* init main configuration */
+
+	ngx_http_sticky_create_conf,           /* create server configuration */
+	NULL,                                  /* merge server configuration */
+
+	NULL,                                  /* create location configuration */
+	NULL                                   /* merge location configuration */
+};
+
+
+ngx_module_t  ngx_http_sticky_module = {
+	NGX_MODULE_V1,
+	&ngx_http_sticky_module_ctx, /* module context */
+	ngx_http_sticky_commands,    /* module directives */
+	NGX_HTTP_MODULE,                       /* module type */
+	NULL,                                  /* init master */
+	NULL,                                  /* init module */
+	NULL,                                  /* init process */
+	NULL,                                  /* init thread */
+	NULL,                                  /* exit thread */
+	NULL,                                  /* exit process */
+	NULL,                                  /* exit master */
+	NGX_MODULE_V1_PADDING
+};
+
+
+/*
+ * function called by the upstream module to init itself
+ * it's called once per instance
+ */
+ngx_int_t ngx_http_init_upstream_sticky(ngx_conf_t *cf, ngx_http_upstream_srv_conf_t *us)
+{
+	ngx_http_upstream_rr_peers_t *rr_peers;
+	ngx_http_sticky_srv_conf_t *conf;
+	ngx_uint_t i;
+
+	/* call the rr module on wich the sticky module is based on */
+	if (ngx_http_upstream_init_round_robin(cf, us) != NGX_OK) {
+		return NGX_ERROR;
+	}
+
+	/* calculate each peer digest once and save */
+	rr_peers = us->peer.data;
+
+	/* do nothing there's only one peer */
+	if (rr_peers->number <= 1 || rr_peers->single) {
+		return NGX_OK;
+	}
+
+	/* tell the upstream module to call ngx_http_init_sticky_peer when it inits peer */
+	us->peer.init = ngx_http_init_sticky_peer;
+
+	conf = ngx_http_conf_upstream_srv_conf(us, ngx_http_sticky_module);
+
+	/* if 'index', no need to alloc and generate digest */
+	if (!conf->hash && !conf->hmac && !conf->text) {
+		conf->peers = NULL;
+		return NGX_OK;
+	}
+
+	/* create our own upstream indexes */
+	conf->peers = ngx_pcalloc(cf->pool, sizeof(ngx_http_sticky_peer_t) * rr_peers->number);
+	if (conf->peers == NULL) {
+		return NGX_ERROR;
+	}
+
+	/* parse each peer and generate digest if necessary */
+	for (i = 0; i < rr_peers->number; i++) {
+		conf->peers[i].rr_peer = &rr_peers->peer[i];
+
+		if (conf->hmac) {
+			/* generate hmac */
+			conf->hmac(cf->pool, rr_peers->peer[i].sockaddr, rr_peers->peer[i].socklen, &conf->hmac_key, &conf->peers[i].digest);
+
+		} else if (conf->text) {
+			/* generate text */
+			conf->text(cf->pool, rr_peers->peer[i].sockaddr, &conf->peers[i].digest);
+
+		} else {
+			/* generate hash */
+			conf->hash(cf->pool, rr_peers->peer[i].sockaddr, rr_peers->peer[i].socklen, &conf->peers[i].digest);
+		}
+
+#if 0
+/* FIXME: is it possible to log to debug level when at configuration stage ? */
+		ngx_conf_log_error(NGX_LOG_WARN, cf, 0, "[sticky/ngx_http_init_upstream_sticky] generated digest \"%V\" for upstream at index %d", &conf->peers[i].digest, i);
+#endif
+
+	}
+
+	return NGX_OK;
+}
+
+/*
+ * function called by the upstream module when it inits each peer
+ * it's called once per request
+ */
+static ngx_int_t ngx_http_init_sticky_peer(ngx_http_request_t *r, ngx_http_upstream_srv_conf_t *us)
+{
+	ngx_http_sticky_peer_data_t  *iphp;
+	ngx_str_t                     route;
+	ngx_uint_t                    i;
+	ngx_int_t                     n;
+
+	/* alloc custom sticky struct */
+	iphp = ngx_palloc(r->pool, sizeof(ngx_http_sticky_peer_data_t));
+	if (iphp == NULL) {
+		return NGX_ERROR;
+	}
+
+	/* attach it to the request upstream data */
+	r->upstream->peer.data = &iphp->rrp;
+
+	/* call the rr module on which the sticky is based on */
+	if (ngx_http_upstream_init_round_robin_peer(r, us) != NGX_OK) {
+		return NGX_ERROR;
+	}
+
+	/* set the callback to select the next peer to use */
+	r->upstream->peer.get = ngx_http_get_sticky_peer;
+
+	/* init the custom sticky struct */
+	iphp->get_rr_peer = ngx_http_upstream_get_round_robin_peer;
+	iphp->selected_peer = -1;
+	iphp->no_fallback = 0;
+	iphp->sticky_conf = ngx_http_conf_upstream_srv_conf(us, ngx_http_sticky_module);
+	iphp->request = r;
+
+	/* check weather a cookie is present or not and save it */
+	if (ngx_http_parse_multi_header_lines(&r->headers_in.cookies, &iphp->sticky_conf->cookie_name, &route) != NGX_DECLINED) {
+		/* a route cookie has been found. Let's give it a try */
+		ngx_log_debug(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "[sticky/init_sticky_peer] got cookie route=%V, let's try to find a matching peer", &route);
+
+		/* hash, hmac or text, just compare digest */
+		if (iphp->sticky_conf->hash || iphp->sticky_conf->hmac || iphp->sticky_conf->text) {
+
+			/* check internal struct has been set */
+			if (!iphp->sticky_conf->peers) {
+				/* log a warning, as it will continue without the sticky */
+				ngx_log_error(NGX_LOG_WARN, r->connection->log, 0, "[sticky/init_sticky_peer] internal peers struct has not been set");
+				return NGX_OK; /* return OK, in order to continue */
+			}
+
+			/* search the digest found in the cookie in the peer digest list */
+			for (i = 0; i < iphp->rrp.peers->number; i++) {
+
+				/* ensure the both len are equal and > 0 */
+				if (iphp->sticky_conf->peers[i].digest.len != route.len || route.len <= 0) {
+					continue;
+				}
+
+				if (!ngx_strncmp(iphp->sticky_conf->peers[i].digest.data, route.data, route.len)) {
+					/* we found a match */
+					iphp->selected_peer = i;
+					ngx_log_debug(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "[sticky/init_sticky_peer] the route \"%V\" matches peer at index %ui", &route, i);
+					return NGX_OK;
+				}
+			}
+
+		} else {
+
+			/* switch back to index, just convert to integer and ensure it corresponds to a valid peer */
+			n = ngx_atoi(route.data, route.len);
+			if (n == NGX_ERROR) {
+				ngx_log_error(NGX_LOG_WARN, r->connection->log, 0, "[sticky/init_sticky_peer] unable to convert the route \"%V\" to an integer value", &route);
+			} else if (n >= 0 && n < (ngx_int_t)iphp->rrp.peers->number) {
+				/* found one */
+				ngx_log_debug(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "[sticky/init_sticky_peer] the route \"%V\" matches peer at index %i", &route, n);
+				iphp->selected_peer = n;
+				return NGX_OK;
+			}
+		}
+
+		/* nothing was found, just continue with rr */
+		ngx_log_debug(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "[sticky/init_sticky_peer] the route \"%V\" does not match any peer. Just ignoring it ...", &route);
+		return NGX_OK;
+	}
+
+	/* nothing found */
+	ngx_log_debug(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "[sticky/init_sticky_peer] route cookie not found", &route);
+	return NGX_OK; /* return OK, in order to continue */
+}
+
+/*
+ * function called by the upstream module to choose the next peer to use
+ * called at least one time per request
+ */
+static ngx_int_t ngx_http_get_sticky_peer(ngx_peer_connection_t *pc, void *data)
+{
+	ngx_http_sticky_peer_data_t  *iphp = data;
+	ngx_http_sticky_srv_conf_t   *conf = iphp->sticky_conf;
+	ngx_int_t                     selected_peer = -1;
+	time_t                        now = ngx_time();
+	uintptr_t                     m;
+	ngx_uint_t                    n, i;
+	ngx_http_upstream_rr_peer_t  *peer = NULL;
+
+	ngx_log_debug(NGX_LOG_DEBUG_HTTP, pc->log, 0, "[sticky/get_sticky_peer] get sticky peer, try: %ui, n_peers: %ui, no_fallback: %ui/%ui", pc->tries, iphp->rrp.peers->number, conf->no_fallback, iphp->no_fallback);
+
+	/* TODO: cached */
+
+	/* has the sticky module already choosen a peer to connect to and is it a valid peer */
+	/* is there more than one peer (otherwise, no choices to make) */
+	if (iphp->selected_peer >= 0 && iphp->selected_peer < (ngx_int_t)iphp->rrp.peers->number && !iphp->rrp.peers->single) {
+		ngx_log_debug(NGX_LOG_DEBUG_HTTP, pc->log, 0, "[sticky/get_sticky_peer] let's try the selected peer (%i)", iphp->selected_peer);
+
+		n = iphp->selected_peer / (8 * sizeof(uintptr_t));
+		m = (uintptr_t) 1 << iphp->selected_peer % (8 * sizeof(uintptr_t));
+
+		/* has the peer not already been tried ? */
+		if (!(iphp->rrp.tried[n] & m)) {
+			peer = &iphp->rrp.peers->peer[iphp->selected_peer];
+
+			/* if the no_fallback flag is set */
+			if (conf->no_fallback) {
+
+				iphp->no_fallback = 1;
+
+				/* if peer is down */
+				if (peer->down) {
+					ngx_log_error(NGX_LOG_NOTICE, pc->log, 0, "[sticky/get_sticky_peer] the selected peer is down and no_fallback is flagged");
+					return NGX_BUSY;
+				}
+
+				/* if it's been ignored for long enought (fail_timeout), reset timeout */
+				/* do this check before testing peer->fails ! :) */
+				if (now - peer->accessed > peer->fail_timeout) {
+					peer->fails = 0;
+				}
+
+				/* if peer is failed */
+				if (peer->max_fails > 0 && peer->fails >= peer->max_fails) {
+					ngx_log_error(NGX_LOG_NOTICE, pc->log, 0, "[sticky/get_sticky_peer] the selected peer is maked as failed and no_fallback is flagged");
+					return NGX_BUSY;
+				}
+			}
+
+			/* ensure the peer is not marked as down */
+			if (!peer->down) {
+
+				/* if it's not failedi, use it */
+				if (peer->max_fails == 0 || peer->fails < peer->max_fails) {
+					selected_peer = (ngx_int_t)n;
+
+				/* if it's been ignored for long enought (fail_timeout), reset timeout and use it */
+				} else if (now - peer->accessed > peer->fail_timeout) {
+					peer->fails = 0;
+					selected_peer = (ngx_int_t)n;
+
+				/* it's failed or timeout did not expire yet */
+				} else {
+					/* mark the peer as tried */
+					iphp->rrp.tried[n] |= m;
+				}
+			}
+		}
+	}
+
+	/* we have a valid peer, tell the upstream module to use it */
+	if (peer && selected_peer >= 0) {
+		ngx_log_debug(NGX_LOG_DEBUG_HTTP, pc->log, 0, "[sticky/get_sticky_peer] peer found at index %i", selected_peer);
+
+		iphp->rrp.current = iphp->selected_peer;
+		pc->cached = 0;
+		pc->connection = NULL;
+		pc->sockaddr = peer->sockaddr;
+		pc->socklen = peer->socklen;
+		pc->name = &peer->name;
+
+		iphp->rrp.tried[n] |= m;
+
+	} else {
+		ngx_log_debug(NGX_LOG_DEBUG_HTTP, pc->log, 0, "[sticky/get_sticky_peer] no sticky peer selected, switch back to classic rr");
+
+		if (iphp->no_fallback) {
+			ngx_log_error(NGX_LOG_NOTICE, pc->log, 0, "[sticky/get_sticky_peer] No fallback in action !");
+			return NGX_BUSY;
+		}
+
+		ngx_int_t ret = iphp->get_rr_peer(pc, &iphp->rrp);
+		if (ret != NGX_OK) {
+			ngx_log_debug(NGX_LOG_DEBUG_HTTP, pc->log, 0, "[sticky/get_sticky_peer] ngx_http_upstream_get_round_robin_peer returned %i", ret);
+			return ret;
+		}
+
+		/* search for the choosen peer in order to set the cookie */
+		for (i = 0; i < iphp->rrp.peers->number; i++) {
+
+			if (iphp->rrp.peers->peer[i].sockaddr == pc->sockaddr && iphp->rrp.peers->peer[i].socklen == pc->socklen) {
+				if (conf->hash || conf->hmac || conf->text) {
+					ngx_http_sticky_misc_set_cookie(iphp->request, &conf->cookie_name, &conf->peers[i].digest, &conf->cookie_domain, &conf->cookie_path, conf->cookie_expires);
+					ngx_log_debug(NGX_LOG_DEBUG_HTTP, pc->log, 0, "[sticky/get_sticky_peer] set cookie \"%V\" value=\"%V\" index=%ui", &conf->cookie_name, &conf->peers[i].digest, i);
+				} else {
+					ngx_str_t route;
+					ngx_uint_t tmp = i;
+					route.len = 0;
+					do {
+						route.len++;
+					} while (tmp /= 10);
+					route.data = ngx_pcalloc(iphp->request->pool, sizeof(u_char) * (route.len + 1));
+					if (route.data == NULL) {
+						break;
+					}
+					ngx_snprintf(route.data, route.len, "%d", i);
+					route.len = ngx_strlen(route.data);
+					ngx_http_sticky_misc_set_cookie(iphp->request, &conf->cookie_name, &route, &conf->cookie_domain, &conf->cookie_path, conf->cookie_expires);
+					ngx_log_debug(NGX_LOG_DEBUG_HTTP, pc->log, 0, "[sticky/get_sticky_peer] set cookie \"%V\" value=\"%V\" index=%ui", &conf->cookie_name, &tmp, i);
+				}
+				break; /* found and hopefully the cookie have been set */
+			}
+		}
+	}
+
+	/* reset the selection in order to bypass the sticky module when the upstream module will try another peers if necessary */
+	iphp->selected_peer = -1;
+
+	return NGX_OK;
+}
+
+/*
+ * Function called when the sticky command is parsed on the conf file
+ */
+static char *ngx_http_sticky_set(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+{
+	ngx_http_upstream_srv_conf_t  *upstream_conf;
+	ngx_http_sticky_srv_conf_t    *sticky_conf;
+	ngx_uint_t i;
+	ngx_str_t tmp;
+	ngx_str_t name = ngx_string("route");
+	ngx_str_t domain = ngx_string("");
+	ngx_str_t path = ngx_string("");
+	ngx_str_t hmac_key = ngx_string("");
+	time_t expires = NGX_CONF_UNSET;
+	ngx_http_sticky_misc_hash_pt hash = NGX_CONF_UNSET_PTR;
+	ngx_http_sticky_misc_hmac_pt hmac = NULL;
+	ngx_http_sticky_misc_text_pt text = NULL;
+	ngx_uint_t no_fallback = 0;
+
+	/* parse all elements */
+	for (i = 1; i < cf->args->nelts; i++) {
+		ngx_str_t *value = cf->args->elts;
+
+		/* is "name=" is starting the argument ? */
+		if ((u_char *)ngx_strstr(value[i].data, "name=") == value[i].data) {
+
+			/* do we have at least on char after "name=" ? */
+			if (value[i].len <= sizeof("name=") - 1) {
+				ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "a value must be provided to \"name=\"");
+				return NGX_CONF_ERROR;
+			}
+
+			/* save what's after "name=" */
+			name.len = value[i].len - ngx_strlen("name=");
+			name.data = (u_char *)(value[i].data + sizeof("name=") - 1);
+			continue;
+		}
+
+		/* is "domain=" is starting the argument ? */
+		if ((u_char *)ngx_strstr(value[i].data, "domain=") == value[i].data) {
+
+			/* do we have at least on char after "domain=" ? */
+			if (value[i].len <= ngx_strlen("domain=")) {
+				ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "a value must be provided to \"domain=\"");
+				return NGX_CONF_ERROR;
+			}
+
+			/* save what's after "domain=" */
+			domain.len = value[i].len - ngx_strlen("domain=");
+			domain.data = (u_char *)(value[i].data + sizeof("domain=") - 1);
+			continue;
+		}
+
+		/* is "path=" is starting the argument ? */
+		if ((u_char *)ngx_strstr(value[i].data, "path=") == value[i].data) {
+
+			/* do we have at least on char after "path=" ? */
+			if (value[i].len <= ngx_strlen("path=")) {
+				ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "a value must be provided to \"path=\"");
+				return NGX_CONF_ERROR;
+			}
+
+			/* save what's after "domain=" */
+			path.len = value[i].len - ngx_strlen("path=");
+			path.data = (u_char *)(value[i].data + sizeof("path=") - 1);
+			continue;
+		}
+
+		/* is "expires=" is starting the argument ? */
+		if ((u_char *)ngx_strstr(value[i].data, "expires=") == value[i].data) {
+
+			/* do we have at least on char after "expires=" ? */
+			if (value[i].len <= sizeof("expires=") - 1) {
+				ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "a value must be provided to \"expires=\"");
+				return NGX_CONF_ERROR;
+			}
+
+			/* extract value */
+			tmp.len =  value[i].len - ngx_strlen("expires=");
+			tmp.data = (u_char *)(value[i].data + sizeof("expires=") - 1);
+
+			/* convert to time, save and validate */
+			expires = ngx_parse_time(&tmp, 1);
+			if (expires == NGX_ERROR || expires < 1) {
+				ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "invalid value for \"expires=\"");
+				return NGX_CONF_ERROR;
+			}
+			continue;
+		}
+
+		/* is "text=" is starting the argument ? */
+		if ((u_char *)ngx_strstr(value[i].data, "text=") == value[i].data) {
+
+			/* only hash or hmac can be used, not both */
+			if (hmac || hash != NGX_CONF_UNSET_PTR) {
+				ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "please choose between \"hash=\", \"hmac=\" and \"text\"");
+				return NGX_CONF_ERROR;
+			}
+
+			/* do we have at least on char after "name=" ? */
+			if (value[i].len <= sizeof("text=") - 1) {
+				ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "a value must be provided to \"text=\"");
+				return NGX_CONF_ERROR;
+			}
+
+			/* extract value to temp */
+			tmp.len =  value[i].len - ngx_strlen("text=");
+			tmp.data = (u_char *)(value[i].data + sizeof("text=") - 1);
+
+			/* is name=raw */
+			if (ngx_strncmp(tmp.data, "raw", sizeof("raw") - 1) == 0 ) {
+				text = ngx_http_sticky_misc_text_raw;
+				continue;
+			}
+
+			/* is name=md5 */
+			if (ngx_strncmp(tmp.data, "md5", sizeof("md5") - 1) == 0 ) {
+				text = ngx_http_sticky_misc_text_md5;
+				continue;
+			}
+
+			/* is name=sha1 */
+			if (ngx_strncmp(tmp.data, "sha1", sizeof("sha1") - 1) == 0 ) {
+				text = ngx_http_sticky_misc_text_sha1;
+				continue;
+			}
+
+			ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "wrong value for \"text=\": raw, md5 or sha1");
+			return NGX_CONF_ERROR;
+		}
+
+		/* is "hash=" is starting the argument ? */
+		if ((u_char *)ngx_strstr(value[i].data, "hash=") == value[i].data) {
+
+			/* only hash or hmac can be used, not both */
+			if (hmac || text) {
+				ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "please choose between \"hash=\", \"hmac=\" and \"text=\"");
+				return NGX_CONF_ERROR;
+			}
+
+			/* do we have at least on char after "hash=" ? */
+			if (value[i].len <= sizeof("hash=") - 1) {
+				ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "a value must be provided to \"hash=\"");
+				return NGX_CONF_ERROR;
+			}
+
+			/* extract value to temp */
+			tmp.len =  value[i].len - ngx_strlen("hash=");
+			tmp.data = (u_char *)(value[i].data + sizeof("hash=") - 1);
+
+			/* is hash=index */
+			if (ngx_strncmp(tmp.data, "index", sizeof("index") - 1) == 0 ) {
+				hash = NULL;
+				continue;
+			}
+
+			/* is hash=md5 */
+			if (ngx_strncmp(tmp.data, "md5", sizeof("md5") - 1) == 0 ) {
+				hash = ngx_http_sticky_misc_md5;
+				continue;
+			}
+
+			/* is hash=sha1 */
+			if (ngx_strncmp(tmp.data, "sha1", sizeof("sha1") - 1) == 0 ) {
+				hash = ngx_http_sticky_misc_sha1;
+				continue;
+			}
+
+			ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "wrong value for \"hash=\": index, md5 or sha1");
+			return NGX_CONF_ERROR;
+		}
+
+		/* is "hmac=" is starting the argument ? */
+		if ((u_char *)ngx_strstr(value[i].data, "hmac=") == value[i].data) {
+
+			/* only hash or hmac can be used, not both */
+			if (hash != NGX_CONF_UNSET_PTR || text) {
+				ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "please choose between \"hash=\", \"hmac=\" and \"text\"");
+				return NGX_CONF_ERROR;
+			}
+
+			/* do we have at least on char after "hmac=" ? */
+			if (value[i].len <= sizeof("hmac=") - 1) {
+				ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "a value must be provided to \"hmac=\"");
+				return NGX_CONF_ERROR;
+			}
+
+			/* extract value */
+			tmp.len =  value[i].len - ngx_strlen("hmac=");
+			tmp.data = (u_char *)(value[i].data + sizeof("hmac=") - 1);
+
+			/* is hmac=md5 ? */
+			if (ngx_strncmp(tmp.data, "md5", sizeof("md5") - 1) == 0 ) {
+				hmac = ngx_http_sticky_misc_hmac_md5;
+				continue;
+			}
+
+			/* is hmac=sha1 ? */
+			if (ngx_strncmp(tmp.data, "sha1", sizeof("sha1") - 1) == 0 ) {
+				hmac = ngx_http_sticky_misc_hmac_sha1;
+				continue;
+			}
+			ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "wrong value for \"hmac=\": md5 or sha1");
+			return NGX_CONF_ERROR;
+		}
+
+		/* is "hmac_key=" is starting the argument ? */
+		if ((u_char *)ngx_strstr(value[i].data, "hmac_key=") == value[i].data) {
+
+			/* do we have at least on char after "hmac_key=" ? */
+			if (value[i].len <= ngx_strlen("hmac_key=")) {
+				ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "a value must be provided to \"hmac_key=\"");
+				return NGX_CONF_ERROR;
+			}
+
+			/* save what's after "hmac_key=" */
+			hmac_key.len = value[i].len - ngx_strlen("hmac_key=");
+			hmac_key.data = (u_char *)(value[i].data + sizeof("hmac_key=") - 1);
+			continue;
+		}
+
+		/* is "no_fallback" flag present ? */
+		if (ngx_strncmp(value[i].data, "no_fallback", sizeof("no_fallback") - 1) == 0 ) {
+			no_fallback = 1;
+			continue;
+		}
+
+		ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "invalid arguement (%V)", &value[i]);
+		return NGX_CONF_ERROR;
+	}
+
+	/* if has and hmac and name have not been set, default to md5 */
+	if (hash == NGX_CONF_UNSET_PTR && hmac == NULL && text == NULL) {
+		hash = ngx_http_sticky_misc_md5;
+	}
+
+	/* don't allow meaning less parameters */
+	if (hmac_key.len > 0 && hash != NGX_CONF_UNSET_PTR) {
+		ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "\"hmac_key=\" is meaningless when \"hmac\" is used. Please remove it.");
+		return NGX_CONF_ERROR;
+	}
+
+	/* ensure we have an hmac key if hmac's been set */
+	if (hmac_key.len == 0 && hmac != NULL) {
+		ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "please specify \"hmac_key=\" when using \"hmac\"");
+		return NGX_CONF_ERROR;
+	}
+
+	/* ensure hash is NULL to avoid conflicts later */
+	if (hash == NGX_CONF_UNSET_PTR) {
+		hash = NULL;
+	}
+
+	/* save the sticky parameters */
+	sticky_conf = ngx_http_conf_get_module_srv_conf(cf, ngx_http_sticky_module);
+	sticky_conf->cookie_name = name;
+	sticky_conf->cookie_domain = domain;
+	sticky_conf->cookie_path = path;
+	sticky_conf->cookie_expires = expires;
+	sticky_conf->hash = hash;
+	sticky_conf->hmac = hmac;
+	sticky_conf->text = text;
+	sticky_conf->hmac_key = hmac_key;
+	sticky_conf->no_fallback = no_fallback;
+	sticky_conf->peers = NULL; /* ensure it's null before running */
+
+	upstream_conf = ngx_http_conf_get_module_srv_conf(cf, ngx_http_upstream_module);
+
+	/* 
+	 * ensure another upstream module has not been already loaded
+	 * peer.init_upstream is set to null and the upstream module use RR if not set
+	 * But this check only works when the other module is declared before sticky
+	 */
+	if (upstream_conf->peer.init_upstream) {
+		ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "You can't use sticky with another upstream module");
+		return NGX_CONF_ERROR;
+	}
+
+	/* configure the upstream to get back to this module */
+	upstream_conf->peer.init_upstream = ngx_http_init_upstream_sticky;
+
+	upstream_conf->flags = NGX_HTTP_UPSTREAM_CREATE
+		| NGX_HTTP_UPSTREAM_MAX_FAILS
+		| NGX_HTTP_UPSTREAM_FAIL_TIMEOUT
+		| NGX_HTTP_UPSTREAM_DOWN
+    | NGX_HTTP_UPSTREAM_WEIGHT;
+
+	return NGX_CONF_OK;
+}
+
+/*
+ * alloc stick configuration
+ */
+static void *ngx_http_sticky_create_conf(ngx_conf_t *cf)
+{
+	ngx_http_sticky_srv_conf_t *conf = ngx_pcalloc(cf->pool, sizeof(ngx_http_sticky_srv_conf_t));
+	if (conf == NULL) {
+		return NGX_CONF_ERROR;
+	}
+
+	return conf;
+}
diff --git a/pkg/after-install.sh b/pkg/after-install.sh
new file mode 100644
index 0000000..85051e0
--- /dev/null
+++ b/pkg/after-install.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if [ "$(ls -A /etc/borderpatrol/sites-enabled)" ]; then
+  echo "/etc/borderpatrol/sites-enabled is not empty; skipping symlinking of default conf file"
+else
+  ln -s /etc/borderpatrol/sites-available/default.conf /etc/borderpatrol/sites-enabled/default.conf || true
+fi
diff --git a/pkg/borderpatrol.conf b/pkg/borderpatrol.conf
new file mode 100644
index 0000000..8efcd07
--- /dev/null
+++ b/pkg/borderpatrol.conf
@@ -0,0 +1,9 @@
+pid        /var/run/borderpatrol.pid;
+daemon     on;
+
+events {
+    worker_connections  40;
+}
+
+include /etc/borderpatrol/conf.d/*.conf;
+include /etc/borderpatrol/sites-enabled/*.conf;
diff --git a/pkg/borderpatrol.init b/pkg/borderpatrol.init
new file mode 100644
index 0000000..007fbcf
--- /dev/null
+++ b/pkg/borderpatrol.init
@@ -0,0 +1,148 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:          borderpatrol
+# Required-Start:    $network $remote_fs $local_fs 
+# Required-Stop:     $network $remote_fs $local_fs
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Stop/start borderpatrol
+### END INIT INFO
+
+# Author: Sergey Budnevitch <sb@nginx.com>
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC=borderpatrol
+NAME=borderpatrol
+CONFFILE=/etc/borderpatrol/borderpatrol.conf
+DAEMON=/usr/sbin/borderpatrol
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/$NAME
+
+[ -x $DAEMON ] || exit 0
+
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+DAEMON_ARGS="-c $CONFFILE $DAEMON_ARGS"
+
+. /lib/init/vars.sh
+
+. /lib/lsb/init-functions
+
+do_start()
+{
+    start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
+        $DAEMON_ARGS
+    RETVAL="$?"
+    return "$RETVAL"
+}
+
+do_stop()
+{
+    # Return
+    #   0 if daemon has been stopped
+    #   1 if daemon was already stopped
+    #   2 if daemon could not be stopped
+    #   other if a failure occurred
+    start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+    RETVAL="$?"
+    rm -f $PIDFILE
+    return "$RETVAL"
+}
+
+do_reload() {
+    #
+    start-stop-daemon --stop --signal HUP --quiet --pidfile $PIDFILE --name $NAME
+    RETVAL="$?"
+    return "$RETVAL"
+}
+
+do_configtest() {
+    if [ "$#" -ne 0 ]; then
+        case "$1" in
+            -q)
+                FLAG=$1
+                ;;
+            *)
+                ;;
+        esac
+        shift
+    fi
+    $DAEMON -t $FLAG -c $CONFFILE
+    RETVAL="$?"
+    return $RETVAL
+}
+
+do_upgrade() {
+    OLDBINPIDFILE=$PIDFILE.oldbin
+
+    do_configtest -q || return 6
+    start-stop-daemon --stop --signal USR2 --quiet --pidfile $PIDFILE --name $NAME
+    RETVAL="$?"
+    sleep 1
+    if [ -f $OLDBINPIDFILE -a -f $PIDFILE ]; then
+        start-stop-daemon --stop --signal QUIT --quiet --pidfile $OLDBINPIDFILE --name $NAME
+        RETVAL="$?"
+    else
+        echo $"Upgrade failed!"
+        RETVAL=1
+        return $RETVAL
+    fi
+}
+
+case "$1" in
+    start)
+        [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC " "$NAME"
+        do_start
+        case "$?" in
+            0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+            2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+        esac
+        ;;
+    stop)
+        [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+        do_stop
+        case "$?" in
+            0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+            2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+        esac
+        ;;
+  status)
+        status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+        ;;
+  configtest)
+        do_configtest
+        ;;
+  upgrade)
+        do_upgrade
+        ;;
+  reload|force-reload)
+        log_daemon_msg "Reloading $DESC" "$NAME"
+        do_reload
+        log_end_msg $?
+        ;;
+  restart|force-reload)
+        log_daemon_msg "Restarting $DESC" "$NAME"
+        do_configtest -q || exit $RETVAL
+        do_stop
+        case "$?" in
+            0|1)
+                do_start
+                case "$?" in
+                    0) log_end_msg 0 ;;
+                    1) log_end_msg 1 ;; # Old process is still running
+                    *) log_end_msg 1 ;; # Failed to start
+                esac
+                ;;
+            *)
+                # Failed to stop
+                log_end_msg 1
+                ;;
+        esac
+        ;;
+    *)
+        echo "Usage: $SCRIPTNAME {start|stop|status|restart|reload|force-reload|upgrade|configtest}" >&2
+        exit 3
+        ;;
+esac
+
+exit $RETVAL
diff --git a/src/access.lua b/src/access.lua
new file mode 100644
index 0000000..fe823cd
--- /dev/null
+++ b/src/access.lua
@@ -0,0 +1,16 @@
+if (ngx.var.auth_token == "") then
+  -- make a sub request to pull session data
+  local res = ngx.location.capture("/auth")
+
+  ngx.log(ngx.DEBUG, "==== GET /auth " .. res.status .. " " .. res.body)
+
+  if res.status == ngx.HTTP_OK then
+    -- set the auth token in the request variables so it can be pulled out
+    -- and passed as a header then return and allow the request chain to
+    -- continue. if there's no auth token do the same thing, allowing the
+    -- upstream service to allow or deny access.
+    ngx.var.auth_token = res.header['Auth-Token']
+  end
+else
+  ngx.log(ngx.DEBUG, "==== skipping GET /auth since auth_token is present: [" .. ngx.var.auth_token .. "]")
+end
diff --git a/src/authorize.lua b/src/authorize.lua
new file mode 100644
index 0000000..68e6290
--- /dev/null
+++ b/src/authorize.lua
@@ -0,0 +1,91 @@
+local json = require("json")
+local sessionid = require("sessionid")
+
+-------------------------------------------
+--  Make the call to the Account Service
+-------------------------------------------
+
+local session_id = ngx.var.cookie_border_session
+
+-- require session because the only valid scenario for arriving here is via redirect, which should have already set
+-- session
+if not session_id then
+  ngx.log(ngx.INFO, "==== access denied: no session_id")
+  ngx.exit(ngx.HTTP_UNAUTHORIZED)
+end
+ngx.log(ngx.DEBUG, "==== session_id: " .. session_id)
+
+if not sessionid.is_valid(session_id) then
+  ngx.log(ngx.INFO, "==== access denied: session id invalid " .. session_id)
+  ngx.exit(ngx.HTTP_UNAUTHORIZED)
+end
+
+-- Retrieve original target url and derive service
+local res = ngx.location.capture('/session?id=BP_URL_SID_' .. session_id)
+
+ngx.log(ngx.DEBUG, "==== GET /session?id=BP_URL_SID_" .. session_id .. " " .. res.status)
+
+-- Get original downstream url they were going to before being redirected
+original_url = res.body
+
+-- get service name from first part of original uri
+local service_uri = string.match(original_url, "^/([^/]+)")
+local service = nil
+if service_uri then
+  ngx.log(ngx.DEBUG, "==== service uri is: " .. service_uri)
+  service = service_mappings[service_uri]
+end
+
+-- check service
+if not service then
+  if not service_uri then
+    ngx.log(ngx.DEBUG, "==== no valid service uri provided")
+  else
+    ngx.log(ngx.DEBUG, "==== service not set for service uri: " .. service_uri)
+  end
+  ngx.redirect('/account/password')
+end
+
+ngx.req.read_body()
+local args = ngx.req.get_post_args()
+
+-- the account service expects 'e=user@example.com&p=password&t=3&s=servicename'
+args['service'] = service
+res = ngx.location.capture('/account', { method = ngx.HTTP_POST, body = ngx.encode_args(args) })
+
+ngx.log(ngx.DEBUG, "==== POST /account " .. res.status .. " " .. res.body)
+
+-- assume any 2xx is success
+-- On failure, redirect to login
+if res.status >= ngx.HTTP_SPECIAL_RESPONSE then
+  ngx.log(ngx.DEBUG, "==== Authorization against Account Service failed: " .. res.body)
+  ngx.redirect('/account')
+end
+
+-- parse the response body
+local all_tokens_json = res.body
+local all_tokens = json.decode(all_tokens_json)
+
+-- looking for auth tokens
+if not all_tokens then
+  ngx.log(ngx.DEBUG, "==== no tokens found, redirecting to /account")
+  ngx.redirect('/account')
+end
+
+-- looking for service token
+if not all_tokens["service_tokens"][service] then
+  ngx.log(ngx.DEBUG, "==== parse failure, or service token not found, redirecting to /account")
+  ngx.redirect('/account')
+end
+
+-- Extract token for specific service
+local auth_token = all_tokens["service_tokens"][service]
+
+-- store all tokens in memcache via internal subrequest
+local res = ngx.location.capture('/session?id=BPSID_' .. session_id ..
+  '&arg_exptime=' .. sessionid.EXPTIME, { body = all_tokens_json, method = ngx.HTTP_PUT })
+
+ngx.log(ngx.DEBUG, "==== PUT /session?id=BPSID_" .. session_id  ..
+  '&arg_exptime=' .. sessionid.EXPTIME .. " " .. res.status)
+
+ngx.redirect(original_url)
diff --git a/src/config/nginx.conf.sample b/src/config/nginx.conf.sample
new file mode 100644
index 0000000..7f2fdd1
--- /dev/null
+++ b/src/config/nginx.conf.sample
@@ -0,0 +1,151 @@
+pid        /tmp/nginx.pid;
+daemon     off;
+
+http {
+  lua_package_path "../../build/usr/share/borderpatrol/?.lua;../../build/usr/share/lua/5.1/?.lua;;";
+  lua_package_cpath "../../build/usr/lib/lua/5.1/?.so;;";
+  limit_req_zone $binary_remote_addr zone=auth_zone:100m rate=100r/m;
+
+  error_log  logs/error.log debug;
+  access_log logs/access.log;
+
+  # used to store and retrieve keys from memcached
+  upstream session_store {
+    server localhost:11211;
+    keepalive 32;
+  }
+
+  # this is an app server protected by border patrol. If it returns a 401
+  # when an attempt is made to access a protected resource, borderpatrol redirects
+  # to the account service login
+  upstream b {
+    server localhost:9082;
+  }
+
+   # this is an app server protected by border patrol. If it returns a 401
+   # when an attempt is made to access a protected resource, borderpatrol redirects
+   # to the account service login
+   upstream c {
+     server localhost:9083;
+   }
+
+   # this is the account service. displays the login screen and also calls the auth service
+   # to get a master token and a service token
+   upstream account {
+    server localhost:9084;
+   }
+
+  # Nginx Lua has no SSL support for cosockets. This is unfortunate.
+  # This proxies all requests to use the native NGINX request, though
+  # it's a little hacky and sort of dirty.
+  upstream token_server {
+    server localhost:9081;
+  }
+
+  # Service mappings, map service urls to service names
+  init_by_lua 'service_mappings = {b="smb", c="flexd"}';
+
+  server {
+    listen  4443 default_server ssl;
+    root   html;
+
+    ssl_prefer_server_ciphers on;
+    ssl_protocols             SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers               ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH;
+    ssl_session_cache         shared:SSL:16m;
+    ssl_session_timeout       10m;
+    ssl_certificate           ../ssl/server.crt;
+    ssl_certificate_key       ../ssl/server.key;
+
+    # GET    /session?id=foo -> memcache get
+    # POST   /session?id=foo -> memcache add, value is request body
+    # PUT    /session?id=foo -> memcache set, value is request body
+    location = /session {
+      internal;
+      set $memc_key $arg_id;
+      set $memc_exptime $arg_exptime;
+      memc_pass session_store;
+    }
+
+    # DELETE /session_delete?id=foo -> memcache delete
+    location = /session_delete {
+      internal;
+      set $memc_key $arg_id;
+      memc_pass session_store;
+    }
+
+    location = /auth {
+      internal;
+      content_by_lua_file '../../build/usr/share/borderpatrol/validate.lua';
+    }
+
+    location = /serviceauth {
+      internal;
+      content_by_lua_file '../../build/usr/share/borderpatrol/service_token.lua';
+    }
+
+    location = /authtoken {
+      internal;
+      rewrite ^/(.*) /api/auth/public/v1/account_token.json break;
+      proxy_pass http://token_server;
+      proxy_set_header   Host $host;
+    }
+
+    location = /mastertoken {
+      internal;
+      rewrite ^/(.*) /api/auth/service/v1/account_token.json break;
+      proxy_pass http://token_server;
+      proxy_set_header   Host $host;
+    }
+
+    location = / {
+      limit_req zone=auth_zone burst=25;
+      content_by_lua_file '../../build/usr/share/borderpatrol/authorize.lua';
+    }
+
+    location = /logout {
+      content_by_lua_file '../../build/usr/share/borderpatrol/logout.lua';
+    }
+
+    location ~ /(b|c)* {
+      set $original_uri $uri;
+      rewrite ^/(.*) / break;
+      set $auth_token $http_auth_token;
+      access_by_lua_file '../../build/usr/share/borderpatrol/access.lua';
+      proxy_set_header auth-token $auth_token;
+      proxy_pass http://$1;
+      proxy_intercept_errors on;
+      error_page 401  = @redirect;
+    }
+
+    location @redirect {
+      content_by_lua_file '../../build/usr/share/borderpatrol/redirect.lua';
+    }
+
+    location = /health {
+      content_by_lua_file '../../build/usr/share/borderpatrol/health_check.lua';
+    }
+
+    location /robots.txt {
+      alias ../../build/usr/share/borderpatrol/robots.txt;
+    }
+
+    location / {
+      set $auth_token $http_auth_token;
+      access_by_lua_file '../../build/usr/share/borderpatrol/access.lua';
+      proxy_set_header auth-token $auth_token;
+
+      # http://hostname/upstream_name/uri -> http://upstream_name/uri
+      rewrite ^/([^/]+)/?(.*)$ /$2 break;
+      proxy_pass         http://$1;
+      proxy_redirect     off;
+      proxy_set_header   Host $host;
+    }
+  }
+}
+
+events {
+  worker_connections  40;
+}
+
+# vim: ft=conf
\ No newline at end of file
diff --git a/src/health_check.lua b/src/health_check.lua
new file mode 100644
index 0000000..f1066f0
--- /dev/null
+++ b/src/health_check.lua
@@ -0,0 +1,55 @@
+--
+-- This script serves up an HTML page that displays current health of the
+-- BorderPatrol. The only check, currently, is that memcache is reachable.
+--
+local errors = {}
+local health_check = {}
+
+-- print out the actual HTML
+function health_check.output(errors)
+  ngx.header.content_type = 'text/html';
+  ngx.print([[
+  <html>
+    <head>
+      <title>Border Patrol Health</title>
+    </head>
+    <body>
+  ]])
+
+  if #errors > 0 then
+    ngx.print("<h3>Errors</h3><ul>")
+    for i, v in ipairs(errors) do
+      ngx.print("<li>" .. v .. "</li>")
+    end
+    ngx.print("</ul>")
+  else
+    ngx.print("Everything is ok.")
+  end
+
+  ngx.print([[
+    </body>
+  </html>
+  ]])
+end
+
+local res = ngx.location.capture('/session?id=health_check', { method = ngx.HTTP_POST, body = os.time() })
+if not res.status == ngx.HTTP_OK then
+  errors[#errors+1] = "memcache add: " .. res.status .. ": " .. res.body
+end
+
+res = ngx.location.capture('/session?id=health_check')
+if not res.status == ngx.HTTP_OK then
+  errors[#errors+1] = "memcache get: " .. res.status .. ": " .. res.body
+end
+
+res = ngx.location.capture('/session?id=health_check', { method = ngx.HTTP_PUT, body = os.time() })
+if not res.status == ngx.HTTP_OK then
+  errors[#errors+1] = "memcache set: " .. res.status .. ": " .. res.body
+end
+
+res = ngx.location.capture('/session?id=health_check', { method = ngx.HTTP_DELETE })
+if not res.status == ngx.HTTP_OK then
+  errors[#errors+1] = "memcache delete: " .. res.status .. ": " .. res.body
+end
+
+health_check.output(errors)
diff --git a/src/logout.lua b/src/logout.lua
new file mode 100644
index 0000000..972a028
--- /dev/null
+++ b/src/logout.lua
@@ -0,0 +1,37 @@
+-------------------------------------------
+-- delete auth token by session id
+-------------------------------------------
+
+local args = ngx.req.get_uri_args()
+local destination = args['destination']
+
+-- default to reasonable paths.
+-- allow only relative paths
+if not destination or string.sub(destination,1,1) ~= '/' then destination = '/' end
+
+local session_id = ngx.var.cookie_border_session
+
+if session_id then
+  ngx.log(ngx.DEBUG, "==== session_id: " .. session_id)
+
+  -- expires a session
+  local res = ngx.location.capture('/session_delete?id=BPSID_' .. session_id,
+    { method = ngx.HTTP_DELETE })
+
+  ngx.log(ngx.DEBUG, "DELETE /session_delete?id=BPSID_" .. session_id .. " " .. res.status)
+
+  -- expires the temporary url session
+  local res = ngx.location.capture('/session_delete?id=BP_URL_SID_' .. session_id,
+    { method = ngx.HTTP_DELETE })
+
+  ngx.log(ngx.DEBUG, "DELETE /session_delete?id=BP_URL_SID_" .. session_id .. " " .. res.status)
+
+  -- unset session cookie (expires now() - 1yr)
+  ngx.header['Set-Cookie'] = 'border_session=' ..
+    '; path=/; expires=' .. ngx.cookie_time(ngx.time() - 3600 * 24 * 360)
+
+else
+    ngx.log(ngx.INFO, "==== session_id not set")
+end
+
+ngx.redirect(destination)
\ No newline at end of file
diff --git a/src/redirect.lua b/src/redirect.lua
new file mode 100644
index 0000000..bc30792
--- /dev/null
+++ b/src/redirect.lua
@@ -0,0 +1,25 @@
+local sessionid = require("sessionid")
+
+local original_url = ngx.var.original_uri
+
+-- Create session key and store the url as value (value will be updated later with master and service tokens
+local session_id = sessionid.generate();
+
+-- store original url in memcache via internal subrequest
+local res = ngx.location.capture('/session?id=BP_URL_SID_' .. session_id ..
+  '&arg_exptime=' .. sessionid.EXPTIME_TMP, { body = original_url, method = ngx.HTTP_POST })
+
+ngx.log(ngx.DEBUG, "==== POST /session?id=BP_URL_SID_" .. session_id  ..
+  '&arg_exptime=' .. sessionid.EXPTIME .. " " .. res.status)
+
+if res.status == ngx.HTTP_CREATED then
+  -- set the cookie with the session_id
+  ngx.header['Set-Cookie'] = 'border_session=' .. session_id .. '; path=/; HttpOnly; Secure;'
+  -- Redirect to account service login
+  ngx.redirect('/account')
+else
+  ngx.log(ngx.ERR, "==== an error occurred trying to save session: " .. res.status)
+  ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
+end
+
+
diff --git a/src/robots.txt b/src/robots.txt
new file mode 100644
index 0000000..77470cb
--- /dev/null
+++ b/src/robots.txt
@@ -0,0 +1,2 @@
+User-agent: *
+Disallow: /
\ No newline at end of file
diff --git a/src/service_token.lua b/src/service_token.lua
new file mode 100644
index 0000000..26a70bd
--- /dev/null
+++ b/src/service_token.lua
@@ -0,0 +1,49 @@
+local json = require("json")
+local sessionid = require("sessionid")
+
+-------------------------------------------
+-- get service token using master token
+-------------------------------------------
+
+local session_id = ngx.var.cookie_border_session
+
+if not session_id then
+  ngx.log(ngx.INFO, "==== access denied: no session_id")
+  ngx.exit(ngx.HTTP_UNAUTHORIZED)
+end
+
+ngx.log(ngx.DEBUG, "==== session_id: " .. session_id)
+
+if not sessionid.is_valid(session_id) then
+  ngx.log(ngx.INFO, "==== access denied: session id invalid " .. session_id)
+  ngx.exit(ngx.HTTP_UNAUTHORIZED)
+end
+
+ngx.req.read_body()
+local args = ngx.req.get_post_args()
+local master_token = args['mastertoken']
+local service = args['service']
+
+if master_token and service then
+  ngx.log(ngx.DEBUG, "==== master token: " .. master_token )
+  local params = {}
+  params['services'] = service
+  ngx.req.set_header("Auth-Token", master_token)
+
+  res = ngx.location.capture('/mastertoken', { method = ngx.HTTP_POST, body = ngx.encode_args(params)})
+
+  ngx.log(ngx.DEBUG, "==== POST /mastertoken " .. res.status .. " " .. res.body)
+  ngx.req.clear_header("Auth-Token")
+
+  -- assume any 2xx is success
+  if res.status >= ngx.HTTP_SPECIAL_RESPONSE then
+    ngx.log(ngx.DEBUG, "==== error getting service token using master token: ")
+    ngx.exit(ngx.HTTP_BAD_REQUEST)
+  end
+else
+  ngx.log(ngx.DEBUG, "==== master token missing: ")
+  ngx.exit(ngx.HTTP_BAD_REQUEST)
+end
+ngx.say(res.body)
+ngx.exit(ngx.HTTP_OK)
+
diff --git a/src/sessionid.lua b/src/sessionid.lua
new file mode 100644
index 0000000..489fac3
--- /dev/null
+++ b/src/sessionid.lua
@@ -0,0 +1,275 @@
+-- session_id module to issue and validate signed session ids
+local crypto = require("crypto")
+
+local module = {}
+
+-- record expiration time in memcached
+local EXPTIME = 60 * 60
+local EXPTIME_TMP = 60 * 60 * 24 * 7
+
+-- defines how often secrets will be rotated
+local SECRETS_EXP_INTERVAL = 60 * 60 * 24
+
+-- internal session cookie lifetime to prevent unbound sessions
+local SESSION_COOKIE_LIFETIME = SECRETS_EXP_INTERVAL * 2
+
+-- lease lifetime (short-living)
+local SECRETS_LEASE_INTERVAL = 5
+
+-- signature length - used for basic validation
+local HMAC_SHA1_SIGN_LENGTH = 20
+
+-- number of random bytes generated for session ids
+local DATA_LENGTH = 16
+
+-- secret length - we keep 2 secrets in memory
+local KEY_LENGTH = 64
+
+-- stores the time when to check whether we need to rotate secrets
+local ts_next_refresh = -1
+
+-- encode string and make it url-safe
+local function encode(str, urlsafe)
+
+  local enc_str = ngx.encode_base64(str)
+  if urlsafe then
+    enc_str =  string.gsub(enc_str, "+", "-") -- plus -> dash
+    enc_str =  string.gsub(enc_str, "/", "_") -- slash to underscore
+    enc_str =  string.gsub(enc_str, "=", "*") -- equal to star
+  end
+
+  return enc_str
+end
+
+-- decode string
+-- returns empty string if data is not base64 encoded
+local function decode(str, urlsafe)
+
+  local dec_str = str
+  if urlsafe then
+    dec_str =  string.gsub(dec_str, "-", "+") -- plus -> dash
+    dec_str =  string.gsub(dec_str, "_", "/") -- slash to underscore
+    dec_str =  string.gsub(dec_str, "*", "=") -- equal to star
+  end
+
+  return ngx.decode_base64(dec_str)
+end
+
+-- serializes secret into string
+local function serialize_secret(secret)
+  local str
+  if secret and type(secret) == "table" then
+    str = secret.data .. ":" .. secret.ts
+  end
+  return str
+end
+
+-- deserializes secret string into a table
+local function deserialize_secret(str)
+  local secret
+  if str and type(str) == "string" then
+    local startPos, endPos, data, ts = string.find(str, "(.+):(.+)")
+    secret = {}
+    secret.data = data
+    secret.ts = tonumber(ts)
+  end
+  return secret
+end
+
+--
+-- function to save secrets in SHM and memcached
+-- secret1 mandatory
+-- secret2 optional
+--
+local function save_secrets(secret1, secret2)
+
+  local secret1_str = serialize_secret(secret1)
+  local secret2_str = serialize_secret(secret2)
+
+  -- persist in memcached
+  local res = ngx.location.capture('/session?id=BPS1',
+    { body = secret1_str, method = ngx.HTTP_PUT })
+  if res.status ~= ngx.HTTP_CREATED then
+    ngx.log(ngx.WARN, "==== failed to persist secret1 " .. secret1_str .. " " .. res.status)
+  else
+    ngx.log(ngx.DEBUG, "==== secret1 persisted successfully " .. secret1_str .. " " .. res.status)
+  end
+
+  -- secret2 is optional
+  if secret2_str then
+    -- persist in memcached
+    res = ngx.location.capture('/session?id=BPS2',
+      { body = secret2_str, method = ngx.HTTP_PUT })
+    if res.status ~= ngx.HTTP_CREATED then
+      ngx.log(ngx.WARN, "==== failed to persist secret2 " .. secret2_str .. " " .. res.status)
+    else
+      ngx.log(ngx.DEBUG, "==== secret2 persisted successfully " .. secret2_str .. " " .. res.status)
+    end
+  end
+end
+
+--
+-- function to retrieve secrets, secret1 is current, secret2 is rotated
+--
+local function get_secrets()
+
+  local secret1, secret2
+
+  local res1, res2 = ngx.location.capture_multi{
+    { '/session?id=BPS1', { method = ngx.HTTP_GET } },
+    { '/session?id=BPS2', { method = ngx.HTTP_GET } },
+  }
+
+  if res1.status >=  ngx.HTTP_INTERNAL_SERVER_ERROR then
+    ngx.log(ngx.ERR, "==== could not fetch secrets - memcached down?")
+    ngx.exit(res1.status)
+  end
+
+  if res1.status == ngx.HTTP_OK then
+    secret1 = deserialize_secret(res1.body)
+    ts_next_refresh = secret1.ts + SECRETS_EXP_INTERVAL -- update to the time when the cookie expired
+  elseif res1.status == ngx.HTTP_NOT_FOUND then
+    ngx.log(ngx.ERR, "==== secret1 not found - did memcached just restart?")
+    -- trigger key refresh in case memcached got restarted
+    ts_next_refresh = 0
+  else
+    ngx.log(ngx.ERR, "==== failed to retrieve secret1 " .. res1.status)
+  end
+
+  if res2.status == ngx.HTTP_OK then
+    secret2 = deserialize_secret(res2.body)
+  else
+    ngx.log(ngx.WARN, "==== failed to retrieve secret2 - that's prob okay in case secrets have not been rotated yet. " .. res2.status)
+  end
+
+  return secret1, secret2
+end
+
+--
+-- function to refresh secrets for hmac signing
+--
+local function refresh_keys_if_required()
+
+  -- initial check
+  if (ts_next_refresh == -1) then
+    local secret1, secret2 = get_secrets()
+    if secret1 then
+      ts_next_refresh = secret1.ts + SECRETS_EXP_INTERVAL
+    else
+      ts_next_refresh = 0
+    end
+  end
+
+  if (ngx.time() > ts_next_refresh) then
+    ngx.log(ngx.DEBUG, "==== it's time to refresh keys...")
+
+    local res = ngx.location.capture("/session?id=BP_LEASE", { method = ngx.HTTP_GET })
+    if res.status == ngx.HTTP_NOT_FOUND then
+
+      local res = ngx.location.capture("/session?id=BP_LEASE&exptime=" .. SECRETS_LEASE_INTERVAL,
+        { body = "1", method = ngx.HTTP_POST })
+      if res.status == ngx.HTTP_CREATED then
+
+        local secret1, secret2 = get_secrets()
+
+        -- generate new secret
+        local new_secret = {}
+        new_secret.data = ngx.encode_base64(crypto.rand.bytes(KEY_LENGTH))
+        new_secret.ts = ngx.time();
+
+        -- persist new secrets
+        save_secrets(new_secret,secret1)
+
+        res = ngx.location.capture("/session_delete?id=BP_LEASE", { method = ngx.HTTP_GET })
+        ngx.log(ngx.DEBUG, "==== lease deleted " .. res.status)
+
+        ts_next_refresh = new_secret.ts + SECRETS_EXP_INTERVAL
+
+      elseif res.status == ngx.HTTP_OK then
+        ngx.log(ngx.DEBUG, "=== lease to update keys already taken - concurrent update?")
+      else
+        ngx.log(ngx.WARN, "==== failed to acquire lease " .. res.status)
+      end
+    else
+      ngx.log(ngx.WARN, "==== refresh keys not needed yet")
+    end
+  end
+end
+
+--
+-- generate session_id
+--
+local function generate()
+
+  refresh_keys_if_required()
+
+  -- create 128 bit of random bytes
+  local data = crypto.rand.bytes(DATA_LENGTH)
+  local ts = ngx.time()
+  local secret1, secret2 = get_secrets()
+
+  -- we could also use 'crypto' for 'digesting' but benchmark shows it's slightly
+  -- slower: crypto.hmac.digest("sha1", data, secret1, true)
+  local signature = ngx.hmac_sha1(secret1.data, data .. ts)
+  local session_id = encode(data, true) .. ":" .. ts .. ":" .. encode(signature, true)
+
+  return session_id
+end
+
+--
+-- function to validate session_id
+--
+local function is_valid(session_id)
+
+  refresh_keys_if_required()
+
+  -- parse session id
+  local startPos, endPos, data, ts, signature = string.find(session_id, "(.+):(.+):(.+)")
+  ts = tonumber(ts)
+
+  -- check for the obvious
+  if not data or not signature or not ts then
+    return false
+  end
+
+  -- check whether the cookie expired already
+  if ngx.time() > ts + SESSION_COOKIE_LIFETIME then
+    return false
+  end
+
+  -- decode
+  data = decode(data, true)
+  signature = decode(signature, true)
+
+  -- check whether data or signature became nil (happens in case it couldn't be decoded properly)
+  if not data or #data ~= DATA_LENGTH or not signature or #signature ~= HMAC_SHA1_SIGN_LENGTH then
+    return false
+  end
+
+  -- re-compute signature
+  local secret1, secret2 = get_secrets()
+  if not secret1 then
+     -- did memcache just restarted?
+     return false
+  else
+    local computed_signature = ngx.hmac_sha1(secret1.data, data .. ts)
+
+    local match = computed_signature == signature
+    if not match and secret2 then
+      -- fallback - check with secret2
+      -- TBD: issue fresh session cookie to prevent session loss after secrets
+      -- get rotated, a bit overkill for now
+      computed_signature = ngx.hmac_sha1(secret2.data, data .. ts)
+      match = computed_signature == signature
+    end
+
+    return match
+  end
+end
+
+module.generate = generate
+module.is_valid = is_valid
+module.EXPTIME = EXPTIME
+module.EXPTIME_TMP = EXPTIME_TMP
+
+return module
\ No newline at end of file
diff --git a/src/ssl/README.md b/src/ssl/README.md
new file mode 100644
index 0000000..e1a40a7
--- /dev/null
+++ b/src/ssl/README.md
@@ -0,0 +1,11 @@
+This folder contains self-signed SSL key and certs which will be used for local testing with your browser:
+
+Generate new ones via (won't be needed though):
+
+    openssl genrsa -des3 -out server.key 1024
+    openssl req -new -key server.key -out server.csr
+    cp server.key server.key.org
+    openssl rsa -in server.key.org -out server.key
+    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
+
+Additional details can be found <a href="https://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-nginx-for-ubuntu-12-04">here</a>.
\ No newline at end of file
diff --git a/src/ssl/server.crt b/src/ssl/server.crt
new file mode 100644
index 0000000..1463838
--- /dev/null
+++ b/src/ssl/server.crt
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICTzCCAbgCCQDst2eQl9PzIzANBgkqhkiG9w0BAQUFADBsMQswCQYDVQQGEwJV
+UzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xFjAUBgNVBAoT
+DUxvb2tvdXQsIEluYy4xIDAeBgNVBAMTF3NlbGYtc2lnbmVkLmxvb2tvdXQuY29t
+MB4XDTEzMDkxNzE3MTIzNFoXDTE0MDkxNzE3MTIzNFowbDELMAkGA1UEBhMCVVMx
+CzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRYwFAYDVQQKEw1M
+b29rb3V0LCBJbmMuMSAwHgYDVQQDExdzZWxmLXNpZ25lZC5sb29rb3V0LmNvbTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAnqcN6ZWG1q3E2HDU5Z1OM9HIAV64
+1XBN7JW/+CKR+GOpuRGqlwSQ4QYmB+TZJnB+p0f6whKnb5Cch33m0oSP//NCy0Oz
+/TgP33T5bPu+a7/MUIYjpYLwsiD4fWb1AALbJ+ZxqIinouiJUy79tpWU8SjrTxRO
+ubLY3FWHKmpSyQ0CAwEAATANBgkqhkiG9w0BAQUFAAOBgQBDKshY0e8H/nu2UaF4
+TV41QX6g6kPEbEGDGlmyuP5n5gDAD0trdBFZpPCRCnoMGObD9InQGQ/ExVpyvvle
+0AcRl0Gan6C/zv9brCTf4Ks0Y/s8u9YwmEA+qB5W020Y01GQ+WfNtlM67X2I2j7G
+N0AE28/IALl4c1BUwdHs2dVN7A==
+-----END CERTIFICATE-----
diff --git a/src/ssl/server.key b/src/ssl/server.key
new file mode 100644
index 0000000..830f532
--- /dev/null
+++ b/src/ssl/server.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQCepw3plYbWrcTYcNTlnU4z0cgBXrjVcE3slb/4IpH4Y6m5EaqX
+BJDhBiYH5NkmcH6nR/rCEqdvkJyHfebShI//80LLQ7P9OA/fdPls+75rv8xQhiOl
+gvCyIPh9ZvUAAtsn5nGoiKei6IlTLv22lZTxKOtPFE65stjcVYcqalLJDQIDAQAB
+AoGAJNIMjoufca9+oeT95BRwE+K6EmdTamXYD/JpTUNosUcgGs2Y09fBcBgnN2nL
+Y/pzyosQDX6a0W+0hFWZ/n25lYXgN9gWK5y9xxE/WGuZCgFEcGrPzvXM/r1zSh1s
+N10dmpQJbIPEfgOVDZuVokk2+FUJZUxDLbGghPhcWElJUEECQQDPXGKiV5ZVl2U9
+wm3VfhT2iKvpsod5573PSeUs12PtExxwIpZJcD54RRrgJWUtubTWBlSgF02egkko
+PihrDofpAkEAw93UYKDoxW42tLvVMMvxOPsshHh+P4A+XjzKXxrNceXxHF0h+xFB
+w+6ywoVGnpp6Om08mw3zhaQfTBj2DaWlhQJAKL1x84tZ0f8ouPWWNrfKzpUTkZqt
+21mYhT1zdVfsHgv/LljdRhhzbZXGLfuq4Uz3JoWf4sQxT88xKGLt9fqo4QJANzcS
+xsa1t+pw+5Qz7lSfxOtxykpZdLdHXbOPbS4WGnSy+sb6bFeaDYz90b5WgSGVMWFY
+A3H0Y4k31XD39DLtLQJBALODq7HHEsKAfZTvYOEVmok7EfMV11Cvt9nrAnHtuFK1
+Nw+eYNPCpckN8qVUzsiUHfWdtAYUuvMzcpEF3M2oVMw=
+-----END RSA PRIVATE KEY-----
diff --git a/src/validate.lua b/src/validate.lua
new file mode 100644
index 0000000..18081a2
--- /dev/null
+++ b/src/validate.lua
@@ -0,0 +1,83 @@
+local json = require("json")
+local sessionid = require("sessionid")
+
+-------------------------------------------
+-- Lookup auth token by session id
+-------------------------------------------
+
+local session_id = ngx.var.cookie_border_session
+
+if not session_id then
+  ngx.log(ngx.INFO, "==== access denied: no session_id")
+  ngx.exit(ngx.HTTP_UNAUTHORIZED)
+end
+
+ngx.log(ngx.DEBUG, "==== session_id: " .. session_id)
+
+if not sessionid.is_valid(session_id) then
+  ngx.log(ngx.INFO, "==== access denied: session id invalid " .. session_id)
+  ngx.exit(ngx.HTTP_UNAUTHORIZED)
+end
+
+local auth_token = nil
+local all_tokens_json = nil
+
+local res = ngx.location.capture('/session?id=BPSID_' .. session_id)
+ngx.log(ngx.DEBUG, "GET /session?id=BPSID_" .. session_id .. " " ..
+  res.status)
+
+local all_tokens = nil
+
+if res.status == ngx.HTTP_OK then
+  all_tokens_json = res.body
+  all_tokens = json.decode(all_tokens_json, {nothrow = true})
+
+  if all_tokens then
+    -- get service name from uri
+    local service_uri = string.match(ngx.var.request_uri,"^/([^/]+)")
+    local service = nil
+    if service_uri then
+      service = service_mappings[service_uri]
+    end
+
+    auth_token = all_tokens['service_tokens'][service]
+
+    if not auth_token then
+      ngx.log(ngx.INFO, "==== token not found in session for service : " .. service_uri)
+      master_token = all_tokens['auth_service']
+      if master_token then
+        local params = {}
+        params['mastertoken'] = master_token
+        params['service'] = service
+        res = ngx.location.capture('/serviceauth', { method = ngx.HTTP_POST, body = ngx.encode_args(params) })
+
+        -- TODO Check response status (in this case, don't do anything, treat it as missing token)
+        local specific_token_json = res.body
+        auth_token = json.decode(specific_token_json, {nothrow = true})['service_tokens'][service]
+        if auth_token then
+          all_tokens['service_tokens'][service] = auth_token
+          all_tokens_json = json.encode(all_tokens)
+        end
+        ngx.log(ngx.INFO, "==== retrieved service token for service: " .. service .. " " .. auth_token)
+      end
+    end
+    -- reset the auth_token TTL to maintain a rolling session window
+    res = ngx.location.capture('/session?id=BPSID_' .. session_id ..
+      "&exptime=" .. sessionid.EXPTIME, { body = all_tokens_json, method = ngx.HTTP_PUT })
+    if res.status ~= ngx.HTTP_CREATED then
+      ngx.log(ngx.WARN, "==== failed to refresh session w/ id " .. session_id ..
+        " " .. res.status)
+    end
+  end
+end
+
+if not auth_token then
+  ngx.log(ngx.INFO, "==== access denied: no auth token for session_id " ..
+    session_id)
+  ngx.exit(ngx.HTTP_UNAUTHORIZED)
+end
+
+-- If we made it this far, we're good. Inject the Auth-Token header
+ngx.header['Auth-Token'] = auth_token
+ngx.log(ngx.INFO, "==== request auth header set")
+ngx.exit(ngx.HTTP_OK)
diff --git a/t/.gitkeep b/t/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/t/access.t b/t/access.t
new file mode 100644
index 0000000..2a32138
--- /dev/null
+++ b/t/access.t
@@ -0,0 +1,91 @@
+use lib 'lib';
+use Test::Nginx::Socket;
+
+$ENV{TEST_NGINX_MEMCACHED_PORT} ||= 11211;
+
+plan tests => $Test::Nginx::Socket::RepeatEach * 2 * blocks();
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: test w/ auth-token present in client request
+--- main_config
+--- http_config
+lua_package_path "./build/usr/share/borderpatrol/?.lua;./build/usr/share/lua/5.1/?.lua;;";
+lua_package_cpath "./build/usr/lib/lua/5.1/?.so;;";
+
+upstream b {
+  server 127.0.0.1:$TEST_NGINX_SERVER_PORT; # self
+}
+
+--- config
+location /testpath {
+    echo_status 200;
+    echo_duplicate 1 $echo_client_request_headers;
+    echo 'everything is ok';
+    echo_flush;
+}
+location /auth {
+    echo_status 200;
+    echo_flush;
+}
+location /b/testpath {
+    set $auth_token $http_auth_token;
+    access_by_lua_file '../../build/usr/share/borderpatrol/access.lua';
+    proxy_set_header auth-token $auth_token;
+
+    # http://hostname/upstream_name/uri -> http://upstream_name/uri
+    rewrite ^/([^/]+)/?(.*)$ /$2 break;
+    proxy_pass         http://$1;
+    proxy_redirect     off;
+    proxy_set_header   Host $host;
+}
+--- request
+GET /b/testpath
+--- more_headers
+auth-token: tokentokentokentoken
+--- error_code: 200
+--- response_body_like
+auth-token: tokentokentoken.+everything is ok$
+
+=== TEST 2: test w/o auth-token not present in client request but with valid session
+--- main_config
+--- http_config
+lua_package_path "./build/usr/share/borderpatrol/?.lua;./build/usr/share/lua/5.1/?.lua;;";
+lua_package_cpath "./build/usr/lib/lua/5.1/?.so;;";
+init_by_lua 'service_mappings = {b="smb",s="flexd"}';
+upstream b {
+  server 127.0.0.1:$TEST_NGINX_SERVER_PORT; # self
+}
+--- config
+location /testpath {
+    echo_status 200;
+    echo_duplicate 1 $echo_client_request_headers;
+    echo 'everything is ok';
+    echo_flush;
+}
+location /auth {
+    internal;
+    echo_status 200;
+    more_set_headers 'Auth-Token: tokentokentokentoken';
+    echo_flush;
+}
+location /b/testpath {
+    set $auth_token $http_auth_token;
+    access_by_lua_file '../../build/usr/share/borderpatrol/access.lua';
+    proxy_set_header auth-token $auth_token;
+
+    # http://hostname/upstream_name/uri -> http://upstream_name/uri
+    rewrite ^/([^/]+)/?(.*)$ /$2 break;
+    proxy_pass         http://$1;
+    proxy_redirect     off;
+    proxy_set_header   Host $host;
+}
+--- request
+GET /b/testpath
+--- more_headers
+Cookie: border_session=this-is-a-session-id # not checked here!
+--- error_code: 200
+--- response_body_like
+auth-token: tokentokentoken.+everything is ok$
\ No newline at end of file
diff --git a/t/authorize.t b/t/authorize.t
new file mode 100644
index 0000000..41016b7
--- /dev/null
+++ b/t/authorize.t
@@ -0,0 +1,271 @@
+use lib 'lib';
+use Test::Nginx::Socket;
+
+$ENV{TEST_NGINX_MEMCACHED_PORT} ||= 11211;
+
+repeat_each(1);
+
+plan tests => repeat_each() * (2 * blocks()) - 1;
+
+run_tests();
+
+__DATA__
+
+=== TEST 0: initialize memcached
+--- main_config
+--- http_config
+lua_package_path "./build/usr/share/borderpatrol/?.lua;./build/usr/share/lua/5.1/?.lua;;";
+lua_package_cpath "./build/usr/lib/lua/5.1/?.so;;";
+init_by_lua 'service_mappings = {b="smb", s="flexd"}';
+--- config
+location /memc_setup {
+    internal;
+    set $memc_cmd $arg_cmd;
+    set $memc_key $arg_key;
+
+    memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+}
+location = /setup {
+    # clear
+    echo_subrequest GET '/memc_setup?cmd=flush_all';
+    echo_subrequest POST '/memc_setup?key=BP_LEASE' -b '1';
+
+    echo_subrequest POST '/memc_setup?key=BPS1' -b 'mysecret:1595116800';
+}
+--- request
+GET /setup
+--- more_headers
+Content-type: application/x-www-form-urlencoded
+--- error_code: 200
+--- response_body_like
+OK\r
+STORED\r
+STORED\r
+
+=== TEST 1: test successful login
+--- main_config
+--- http_config
+lua_package_path "./build/usr/share/borderpatrol/?.lua;./build/usr/share/lua/5.1/?.lua;;";
+lua_package_cpath "./build/usr/lib/lua/5.1/?.so;;";
+init_by_lua 'service_mappings = {b="smb", s="flexd"}';
+--- config
+location /memc_setup {
+    internal;
+    set $memc_cmd $arg_cmd;
+    set $memc_key $arg_key;
+
+    memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+}
+location = /setup {
+    # clear
+    echo_subrequest GET '/memc_setup?cmd=flush_all';
+    echo_subrequest POST '/memc_setup?key=BP_LEASE' -b '1';
+    echo_subrequest POST '/memc_setup?key=BPS1' -b 'mysecret:1595116800';
+    echo_subrequest POST '/memc_setup?key=BP_URL_SID_MDEyMzQ1Njc4OTAxMjM0NQ**:1595116800:9Wc0CzZKO7Mq5Y2NbTaHrIp/gMg*' -b '/b';
+    echo_status 200;
+}
+location = /session {
+    internal;
+    set $memc_key $arg_id;
+    memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+}
+location /authorize { # under test
+    content_by_lua_file '../../build/usr/share/borderpatrol/authorize.lua';
+}
+location /account {
+    internal;
+    echo_status 200;
+    echo '{"auth_service": "tokentokentokentoken", "service_tokens": {"smb": "tokentokentokentoken"}}';
+    echo_flush;
+}
+--- request eval
+["GET /setup", "POST /authorize
+    username=foo&password=bar"]
+--- more_headers
+Content-type: application/x-www-form-urlencoded
+Cookie: border_session=MDEyMzQ1Njc4OTAxMjM0NQ**:1595116800:9Wc0CzZKO7Mq5Y2NbTaHrIp/gMg*
+---- response_headers_like
+Set-Cookie: border_session=.+:.+; path=/; HttpOnly; Secure;$
+Location: http://localhost(?::\d+)?/b$
+--- error_code eval
+[200,302]
+
+=== TEST 2: test unsuccessful login
+--- main_config
+--- http_config
+lua_package_path "./build/usr/share/borderpatrol/?.lua;./build/usr/share/lua/5.1/?.lua;;";
+lua_package_cpath "./build/usr/lib/lua/5.1/?.so;;";
+init_by_lua 'service_mappings = {b="smb", s="flexd"}';
+--- config
+location /memc_setup {
+    internal;
+    set $memc_cmd $arg_cmd;
+    set $memc_key $arg_key;
+
+    memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+}
+location = /setup {
+    # clear
+    echo_subrequest GET '/memc_setup?cmd=flush_all';
+    echo_subrequest POST '/memc_setup?key=BP_LEASE' -b '1';
+    echo_subrequest POST '/memc_setup?key=BPS1' -b 'mysecret:1595116800';
+    echo_subrequest POST '/memc_setup?key=BP_URL_SID_MDEyMzQ1Njc4OTAxMjM0NQ**:1595116800:9Wc0CzZKO7Mq5Y2NbTaHrIp/gMg*' -b '/b';
+    echo_status 200;
+}
+location = /session {
+    internal;
+    set $memc_key $arg_id;
+    memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+}
+location /authorize { # under test
+    content_by_lua_file '../../build/usr/share/borderpatrol/authorize.lua';
+}
+location /account {
+    internal;
+    echo_status 403;
+    echo_flush;
+}
+--- request eval
+["GET /setup", "POST /authorize
+    username=foo&password=bar"]
+--- more_headers
+Content-type: application/x-www-form-urlencoded
+Cookie: border_session=MDEyMzQ1Njc4OTAxMjM0NQ**:1595116800:9Wc0CzZKO7Mq5Y2NbTaHrIp/gMg*
+---- response_headers_like
+Set-Cookie: border_session=.+:.+; path=/; HttpOnly; Secure;$
+Location: http://localhost(?::\d+)?/b$
+--- error_code eval
+[200,302]
+
+=== TEST 3: test failed login with memcached down
+--- main_config
+--- http_config
+lua_package_path "./build/usr/share/borderpatrol/?.lua;./build/usr/share/lua/5.1/?.lua;;";
+lua_package_cpath "./build/usr/lib/lua/5.1/?.so;;";
+init_by_lua 'service_mappings = {b="smb", s="flexd"}';
+--- config
+location /memc_setup {
+    internal;
+    set $memc_cmd $arg_cmd;
+    set $memc_key $arg_key;
+
+    memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+}
+location /session { # memcached
+    internal;
+    echo_status 502; # simulate memcached down
+    echo_flush;
+}
+location /authorize { # under test
+    content_by_lua_file '../../build/usr/share/borderpatrol/authorize.lua';
+}
+location /account {
+    internal;
+    echo_status 200;
+    echo '{"auth_service": "tokentokentokentoken", "service_tokens": {"smb": "tokentokentokentoken"}}';
+    echo_flush;
+}
+--- request eval
+"POST /authorize
+username=foo&password=bar"
+--- more_headers
+Content-type: application/x-www-form-urlencoded
+Cookie: border_session=MDEyMzQ1Njc4OTAxMjM0NQ**:1595116800:9Wc0CzZKO7Mq5Y2NbTaHrIp/gMg*
+---- response_headers_like
+Set-Cookie: border_session=.+:.+; path=/; HttpOnly; Secure;$
+Location: http://localhost(?::\d+)?/b$
+--- error_code: 502
+
+=== TEST 4: test failed login with Account Service down
+--- main_config
+--- http_config
+lua_package_path "./build/usr/share/borderpatrol/?.lua;./build/usr/share/lua/5.1/?.lua;;";
+lua_package_cpath "./build/usr/lib/lua/5.1/?.so;;";
+init_by_lua 'service_mappings = {b="smb", s="flexd"}';
+--- config
+location /memc_setup {
+    internal;
+    set $memc_cmd $arg_cmd;
+    set $memc_key $arg_key;
+
+    memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+}
+location = /setup {
+    # clear
+    echo_subrequest GET '/memc_setup?cmd=flush_all';
+    echo_subrequest POST '/memc_setup?key=BP_LEASE' -b '1';
+    echo_subrequest POST '/memc_setup?key=BPS1' -b 'mysecret:1595116800';
+    echo_subrequest POST '/memc_setup?key=BP_URL_SID_MDEyMzQ1Njc4OTAxMjM0NQ**:1595116800:9Wc0CzZKO7Mq5Y2NbTaHrIp/gMg*' -b '/b';
+    echo_status 200;
+}
+location = /session {
+    internal;
+    set $memc_key $arg_id;
+    memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+}
+location /authorize { # under test
+    content_by_lua_file '../../build/usr/share/borderpatrol/authorize.lua';
+}
+location /account {
+    internal;
+    echo_status 500;
+    echo_flush;
+}
+--- request eval
+["GET /setup", "POST /authorize
+    username=foo&password=bar"]
+--- more_headers
+Content-type: application/x-www-form-urlencoded
+Cookie: border_session=MDEyMzQ1Njc4OTAxMjM0NQ**:1595116800:9Wc0CzZKO7Mq5Y2NbTaHrIp/gMg*
+---- response_headers_like
+Set-Cookie: border_session=.+:.+; path=/; HttpOnly; Secure;$
+Location: http://localhost(?::\d+)?/b$
+--- error_code eval
+[200,302]
+
+=== TEST 5: test invalid service url
+--- main_config
+--- http_config
+lua_package_path "./build/usr/share/borderpatrol/?.lua;./build/usr/share/lua/5.1/?.lua;;";
+lua_package_cpath "./build/usr/lib/lua/5.1/?.so;;";
+init_by_lua 'service_mappings = {b="smb", s="flexd"}';
+--- config
+location /memc_setup {
+    internal;
+    set $memc_cmd $arg_cmd;
+    set $memc_key $arg_key;
+
+    memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+}
+location = /setup {
+    # clear
+    echo_subrequest GET '/memc_setup?cmd=flush_all';
+    echo_subrequest POST '/memc_setup?key=BP_LEASE' -b '1';
+    echo_subrequest POST '/memc_setup?key=BPS1' -b 'mysecret:1595116800';
+    echo_subrequest POST '/memc_setup?key=BP_URL_SID_MDEyMzQ1Njc4OTAxMjM0NQ**:1595116800:9Wc0CzZKO7Mq5Y2NbTaHrIp/gMg*' -b '/x';
+    echo_status 200;
+}
+location = /session {
+    internal;
+    set $memc_key $arg_id;
+    memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+}
+location /authorize { # under test
+    content_by_lua_file '../../build/usr/share/borderpatrol/authorize.lua';
+}
+location /account {
+    internal;
+    echo_status 403;
+    echo_flush;
+}
+--- request eval
+["GET /setup", "POST /authorize
+    username=foo&password=bar"]
+--- more_headers
+Content-type: application/x-www-form-urlencoded
+Cookie: border_session=MDEyMzQ1Njc4OTAxMjM0NQ**:1595116800:9Wc0CzZKO7Mq5Y2NbTaHrIp/gMg*
+---- response_headers_like
+Set-Cookie: border_session=.+:.+; path=/; HttpOnly; Secure;$
+Location: http://localhost(?::\d+)?/b$
+--- error_code eval
+[200,302]
diff --git a/t/borderpatrol.god b/t/borderpatrol.god
new file mode 100644
index 0000000..936d444
--- /dev/null
+++ b/t/borderpatrol.god
@@ -0,0 +1,69 @@
+# vim: ft=ruby
+
+ROOT_PATH    = Dir.pwd
+TEST_PATH    = File.join(ROOT_PATH, 't')
+SERVICE_PATH = File.join(TEST_PATH, 'services')
+SERVER_PATH  = File.join(TEST_PATH, 'servroot')
+LOG_PATH     = File.join(SERVER_PATH, 'logs')
+
+GROUP_NAME = 'borderpatrol'
+
+# Watch the api service
+God.watch do |w|
+  w.name = 'api_service'
+  w.group = GROUP_NAME
+  w.dir = SERVICE_PATH
+  w.start = 'bundle exec shotgun api_service.rb -p 9082'
+  w.log = File.join(LOG_PATH, 'api_service.out')
+  w.keepalive
+end
+
+# Watch the 2nd api service
+God.watch do |w|
+  w.name = 'api_service2'
+  w.group = GROUP_NAME
+  w.dir = SERVICE_PATH
+  w.start = 'bundle exec shotgun api_service2.rb -p 9083'
+  w.log = File.join(LOG_PATH, 'api_service2.out')
+  w.keepalive
+end
+
+# Watch the account service
+God.watch do |w|
+  w.name = 'account_service'
+  w.group = GROUP_NAME
+  w.dir = SERVICE_PATH
+  w.start = 'bundle exec shotgun account_service.rb -p 9084'
+  w.log = File.join(LOG_PATH, 'account_service.out')
+  w.keepalive
+end
+
+# Watch the token server
+God.watch do |w|
+  w.name = 'token_service'
+  w.group = GROUP_NAME
+  w.dir = SERVICE_PATH
+  w.start = 'bundle exec shotgun auth_service.rb -p 9081'
+  w.log = File.join(LOG_PATH, 'token_service.out')
+  w.keepalive
+end
+
+God.watch do |w|
+  w.name = 'memcache'
+  w.group = GROUP_NAME
+  w.dir = SERVER_PATH
+  w.start = 'memcached -vvv'
+  w.log = File.join(LOG_PATH, 'memcached.out')
+  w.keepalive
+end
+
+God.watch do |w|
+  w.name = 'nginx'
+  w.group = GROUP_NAME
+  w.dir = SERVER_PATH
+  w.start = "#{ROOT_PATH}/build/usr/sbin/borderpatrol -g 'error_log #{LOG_PATH}/error.log;' -p #{SERVER_PATH} -c #{ROOT_PATH}/build/etc/borderpatrol/sites-available/borderpatrol.conf.sample"
+  w.log = File.join(LOG_PATH, 'nginx.out')
+  w.keepalive
+end
+
+
diff --git a/t/health.t b/t/health.t
new file mode 100644
index 0000000..438694f
--- /dev/null
+++ b/t/health.t
@@ -0,0 +1,33 @@
+use lib 'lib';
+use Test::Nginx::Socket;
+
+$ENV{TEST_NGINX_MEMCACHED_PORT} ||= 11211;
+
+repeat_each(1);
+
+plan tests => repeat_each() * (1 * blocks());
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: heath controller
+--- main_config
+--- http_config
+lua_package_path "./build/usr/share/borderpatrol/?.lua;./build/usr/share/lua/5.1/?.lua;;";
+lua_package_cpath "./build/usr/lib/lua/5.1/?.so;;";
+--- config
+    location = /session {
+      set $memc_key $arg_id;
+      set $memc_exptime 10;
+
+      memc_cmds_allowed get set add delete;
+      memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+    }
+
+    location /health {
+        content_by_lua_file '../../build/usr/share/borderpatrol/health_check.lua';
+    }
+--- request
+    GET /health
+--- error_code: 200
diff --git a/t/logout.t b/t/logout.t
new file mode 100644
index 0000000..c6dc23d
--- /dev/null
+++ b/t/logout.t
@@ -0,0 +1,77 @@
+use lib 'lib';
+use Test::Nginx::Socket;
+
+$ENV{TEST_NGINX_MEMCACHED_PORT} ||= 11211;
+
+repeat_each(1);
+
+plan tests => repeat_each() * (2 * blocks());
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: test logout w/o destination and w/o session_id
+--- main_config
+--- http_config
+lua_package_path "./build/usr/share/borderpatrol/?.lua;./build/usr/share/lua/5.1/?.lua;;";
+lua_package_cpath "./build/usr/lib/lua/5.1/?.so;;";
+--- config
+location /logout { # under test
+    content_by_lua_file '../../build/usr/share/borderpatrol/logout.lua';
+}
+--- request
+GET /logout
+--- error_code: 302
+--- response_headers_like: Location: http://localhost(?::\d+)?/$
+
+=== TEST 2: test logout w/ relative destination and w/o session_id
+--- main_config
+--- http_config
+lua_package_path "./build/usr/share/borderpatrol/?.lua;./build/usr/share/lua/5.1/?.lua;;";
+lua_package_cpath "./build/usr/lib/lua/5.1/?.so;;";
+--- config
+location /logout { # under test
+    content_by_lua_file '../../build/usr/share/borderpatrol/logout.lua';
+}
+--- request
+GET /logout?destination=/somepath
+--- error_code: 302
+--- response_headers_like: Location: http://localhost(?::\d+)?/somepath$
+
+=== TEST 3: test logout w/ absolute destination and w/o session_id
+--- main_config
+--- http_config
+lua_package_path "./build/usr/share/borderpatrol/?.lua;./build/usr/share/lua/5.1/?.lua;;";
+lua_package_cpath "./build/usr/lib/lua/5.1/?.so;;";
+--- config
+location /logout { # under test
+    content_by_lua_file '../../build/usr/share/borderpatrol/logout.lua';
+}
+--- request
+GET /logout?destination=http://www.evil.org
+--- error_code: 302
+--- response_headers_like: Location: http://localhost(?::\d+)?/$
+
+=== TEST 4: test logout w/ session_id
+--- main_config
+--- http_config
+lua_package_path "./build/usr/share/borderpatrol/?.lua;./build/usr/share/lua/5.1/?.lua;;";
+lua_package_cpath "./build/usr/lib/lua/5.1/?.so;;";
+--- config
+location /logout { # under test
+    content_by_lua_file '../../build/usr/share/borderpatrol/logout.lua';
+}
+location /session_delete { # memcached
+    internal;
+    echo_status 400; # simulates successful write into memcached
+    echo_flush;
+}
+--- request
+GET /logout
+--- more_headers
+Cookie: border_session=wfxLNdl2BrLN9NVuQ9_wiA**:4lcaas0Onjxsn2D6kDVPTw**
+--- error_code: 302
+--- response_headers_like
+Set-Cookie: border_session=; path=/; expires=.+GMT$
+--- response_headers_like: Location: http://localhost(?::\d+)?/$
diff --git a/t/redirect.t b/t/redirect.t
new file mode 100644
index 0000000..8d235ce
--- /dev/null
+++ b/t/redirect.t
@@ -0,0 +1,105 @@
+use lib 'lib';
+use Test::Nginx::Socket;
+
+$ENV{TEST_NGINX_MEMCACHED_PORT} ||= 11211;
+
+repeat_each(1);
+
+plan tests => repeat_each() * (2 * blocks()) - 1;
+
+run_tests();
+
+__DATA__
+
+=== TEST 0: initialize memcached
+--- main_config
+--- http_config
+lua_package_path "./build/usr/share/borderpatrol/?.lua;./build/usr/share/lua/5.1/?.lua;;";
+lua_package_cpath "./build/usr/lib/lua/5.1/?.so;;";
+init_by_lua 'service_mappings = {b="smb", s="flexd"}';
+--- config
+location /memc_setup {
+    internal;
+    set $memc_cmd $arg_cmd;
+    set $memc_key $arg_key;
+
+    memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+}
+location = /setup {
+    # clear
+    echo_subrequest GET '/memc_setup?cmd=flush_all';
+    echo_subrequest POST '/memc_setup?key=BP_LEASE' -b '1';
+
+    echo_subrequest POST '/memc_setup?key=BPS1' -b 'mysecret:1595116800';
+}
+--- request
+GET /setup
+--- more_headers
+Content-type: application/x-www-form-urlencoded
+--- error_code: 200
+--- response_body_like
+OK\r
+STORED\r
+STORED\r
+
+=== TEST 1: test successful redirect
+--- main_config
+--- http_config
+lua_package_path "./build/usr/share/borderpatrol/?.lua;./build/usr/share/lua/5.1/?.lua;;";
+lua_package_cpath "./build/usr/lib/lua/5.1/?.so;;";
+init_by_lua 'service_mappings = {b="smb", s="flexd"}';
+--- config
+location /memc_setup {
+    internal;
+    set $memc_cmd $arg_cmd;
+    set $memc_key $arg_key;
+
+    memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+}
+location = /session {
+    internal;
+    set $memc_key $arg_id;
+    set $memc_value $arg_val;
+    set $memc_exptime $arg_exptime;
+    memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+}
+location /redirect {
+    content_by_lua_file '../../build/usr/share/borderpatrol/redirect.lua';
+}
+
+--- request eval
+"POST /redirect"
+--- more_headers
+Content-type: application/x-www-form-urlencoded
+--- error_code: 302
+--- response_headers_like
+Location: http://localhost(?::\d+)?/account$
+
+=== TEST 2: test memcached down
+--- main_config
+--- http_config
+lua_package_path "./build/usr/share/borderpatrol/?.lua;./build/usr/share/lua/5.1/?.lua;;";
+lua_package_cpath "./build/usr/lib/lua/5.1/?.so;;";
+init_by_lua 'service_mappings = {b="smb", s="flexd"}';
+--- config
+location /memc_setup {
+    internal;
+    set $memc_cmd $arg_cmd;
+    set $memc_key $arg_key;
+
+    memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+}
+location /session { # memcached
+    internal;
+    echo_status 502; # simulate memcached down
+    echo_flush;
+}
+location /redirect {
+    content_by_lua_file '../../build/usr/share/borderpatrol/redirect.lua';
+}
+--- request eval
+"POST /redirect"
+--- more_headers
+Content-type: application/x-www-form-urlencoded
+--- error_code: 502
+
diff --git a/t/service_token.t b/t/service_token.t
new file mode 100644
index 0000000..8d2d7fd
--- /dev/null
+++ b/t/service_token.t
@@ -0,0 +1,166 @@
+use lib 'lib';
+use Test::Nginx::Socket;
+
+$ENV{TEST_NGINX_MEMCACHED_PORT} ||= 11211;
+
+repeat_each(1);
+
+plan tests => repeat_each() * (2 * blocks()) -3;
+
+run_tests();
+
+__DATA__
+
+=== TEST 0: test getting service token with valid master token and valid service name
+--- main_config
+--- http_config
+lua_package_path "./build/usr/share/borderpatrol/?.lua;./build/usr/share/lua/5.1/?.lua;;";
+lua_package_cpath "./build/usr/lib/lua/5.1/?.so;;";
+--- config
+location /memc_setup {
+    internal;
+    set $memc_cmd $arg_cmd;
+    set $memc_key $arg_key;
+
+    memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+}
+location = /session {
+    internal;
+    set $memc_key $arg_id;
+    memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+}
+
+location = /mastertoken {
+    echo_status 200;
+    echo '{smb: "tokentokentokentoken"}';
+    echo_flush;
+}
+
+location /serviceauth { # under test
+    content_by_lua_file '../../build/usr/share/borderpatrol/service_token.lua';
+}
+
+--- request eval
+"POST /serviceauth
+mastertoken=DEADBEEF&service=smb"
+--- more_headers
+Cookie: border_session=MDEyMzQ1Njc4OTAxMjM0NQ**:1595116800:9Wc0CzZKO7Mq5Y2NbTaHrIp/gMg*
+Content-type: application/x-www-form-urlencoded
+
+--- response_body_like
+{smb: "tokentokentokentoken"}
+
+--- error_code: 200
+
+=== TEST 1: test attempt to get service token with valid master token and invalid service name
+--- main_config
+--- http_config
+lua_package_path "./build/usr/share/borderpatrol/?.lua;./build/usr/share/lua/5.1/?.lua;;";
+lua_package_cpath "./build/usr/lib/lua/5.1/?.so;;";
+--- config
+location /memc_setup {
+    internal;
+    set $memc_cmd $arg_cmd;
+    set $memc_key $arg_key;
+
+    memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+}
+location = /session {
+    internal;
+    set $memc_key $arg_id;
+    memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+}
+
+location = /mastertoken {
+    echo_status 400;
+    echo_flush;
+}
+
+location /serviceauth { # under test
+    content_by_lua_file '../../build/usr/share/borderpatrol/service_token.lua';
+}
+
+--- request eval
+"POST /serviceauth
+mastertoken=DEADBEEF&service=junkservice"
+--- more_headers
+Cookie: border_session=MDEyMzQ1Njc4OTAxMjM0NQ**:1595116800:9Wc0CzZKO7Mq5Y2NbTaHrIp/gMg*
+Content-type: application/x-www-form-urlencoded
+
+--- error_code: 400
+
+=== TEST 2: test attempt to get service token with nil master token
+--- main_config
+--- http_config
+lua_package_path "./build/usr/share/borderpatrol/?.lua;./build/usr/share/lua/5.1/?.lua;;";
+lua_package_cpath "./build/usr/lib/lua/5.1/?.so;;";
+--- config
+location /memc_setup {
+    internal;
+    set $memc_cmd $arg_cmd;
+    set $memc_key $arg_key;
+
+    memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+}
+location = /session {
+    internal;
+    set $memc_key $arg_id;
+    memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+}
+
+location = /mastertoken {
+    echo_status 400;
+    echo_flush;
+}
+
+location /serviceauth { # under test
+    content_by_lua_file '../../build/usr/share/borderpatrol/service_token.lua';
+}
+
+--- request eval
+"POST /serviceauth
+service=junkservice"
+--- more_headers
+Cookie: border_session=MDEyMzQ1Njc4OTAxMjM0NQ**:1595116800:9Wc0CzZKO7Mq5Y2NbTaHrIp/gMg*
+Content-type: application/x-www-form-urlencoded
+
+--- error_code: 400
+
+=== TEST 3: test attempt to get service token with valid master token but missing service name
+--- main_config
+--- http_config
+lua_package_path "./build/usr/share/borderpatrol/?.lua;./build/usr/share/lua/5.1/?.lua;;";
+lua_package_cpath "./build/usr/lib/lua/5.1/?.so;;";
+--- config
+location /memc_setup {
+    internal;
+    set $memc_cmd $arg_cmd;
+    set $memc_key $arg_key;
+
+    memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+}
+location = /session {
+    internal;
+    set $memc_key $arg_id;
+    memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+}
+
+location = /mastertoken {
+    echo_status 400;
+    echo_flush;
+}
+
+location /serviceauth { # under test
+    content_by_lua_file '../../build/usr/share/borderpatrol/service_token.lua';
+}
+
+--- request eval
+"POST /serviceauth
+service=junkservice"
+--- more_headers
+Cookie: border_session=MDEyMzQ1Njc4OTAxMjM0NQ**:1595116800:9Wc0CzZKO7Mq5Y2NbTaHrIp/gMg*
+Content-type: application/x-www-form-urlencoded
+
+--- error_code: 400
+
+
diff --git a/t/services/account_service.rb b/t/services/account_service.rb
new file mode 100644
index 0000000..e99c7e6
--- /dev/null
+++ b/t/services/account_service.rb
@@ -0,0 +1,89 @@
+require 'sinatra'
+require 'json'
+require "net/http"
+require "uri"
+
+KEYMASTER_URI = 'http://localhost:9081/api/auth/service/v1/account_master_token.json'
+
+
+post '/' do
+  $stderr.write "apiserver #{request.url}\n"
+  service = request['service']
+  username = request['username']
+  password = request['password']
+
+  uri = URI.parse(KEYMASTER_URI)
+  params = {'s'=> service, 'e' => username, 'p' => password}
+  response = Net::HTTP.post_form(uri, params)
+  $stderr.write "keymaster status was: #{response.code} response body was #{response.body}\n"
+  if response.code == '200'
+    $stderr.write "account service returning: #{response.body}\n"
+    content_type :json
+    response.body
+  else
+    $stderr.write "Unable to Authorize user!\n"
+    halt 401, 'Unable to Authorize user!'
+  end
+end
+
+get '/' do
+  $stderr.write "apiserver #{request.url}\n"
+  haml :login, :content_type => 'text/html'
+end
+
+get '/password' do
+  $stderr.write "apiserver #{request.url}\n"
+  haml :password, :content_type => 'text/html'
+end
+
+__END__
+
+@@ layout
+%html
+  %head
+  %title
+    Account Service
+  %body{:style => 'text-align: center'}
+    = yield
+
+@@ index
+%h1 Welcome to the Account Service!
+%a{:href => '/logout?destination=/b/'}
+  logout
+
+@@ loggedout
+%h1 Oops, You are not logged in.
+%a{:href => '/b/login'}
+  login
+
+@@ login
+%h1
+  ACCOUNT SERVICE LOGIN
+
+%form{:action => "/", :method => 'post'}
+  %label
+    Username
+    %input{:name => "username", :type => "text", :value => "user@example.com"}
+  %br/
+  %label
+    Password
+    %input{:name => "password", :type => "password", :value => "password"}
+  %br/
+  %input{:name => "service", :type => "hidden", :value => "smb"}
+  %input{:type => "submit", :name => "login", :value => "login"}
+
+@@ password
+%h1
+  THIS IS THE ACCOUNT MANAGEMENT PAGE
+
+%form{:action => "/", :method => 'post'}
+  %label
+    Username
+    %input{:name => "username", :type => "text", :value => "user@example.com"}
+  %br/
+  %label
+    Password
+    %input{:name => "password", :type => "password", :value => "password"}
+  %br/
+  %input{:name => "service", :type => "hidden", :value => "smb"}
+  %input{:type => "submit", :name => "login", :value => "login"}
\ No newline at end of file
diff --git a/t/services/api_service.rb b/t/services/api_service.rb
new file mode 100644
index 0000000..b35a1d6
--- /dev/null
+++ b/t/services/api_service.rb
@@ -0,0 +1,48 @@
+require 'sinatra'
+
+["/", "/first/second"].each do |path|
+  get path do
+    token = request.env['HTTP_AUTH_TOKEN']
+    $stderr.write "apiserver #{request.url} token = #{token}\n"
+
+    if token != 'LIVEKALESMB'
+      halt 401, 'Ooops, request not authenticated. Did you login?'
+      #haml :loggedout, :content_type => 'text/html'
+    else
+      haml :index, :content_type => 'text/html'
+    end
+  end
+end
+
+get '/login' do
+  $stderr.write "apiserver #{request.url}\n"
+  haml :login, :content_type => 'text/html'
+end
+
+get '/unrestricted' do
+  'This is an unsecured resource.'
+end
+
+get '/unrestricted/1' do
+  'This is an unsecured resource.'
+end
+
+__END__
+
+@@ layout
+%html
+  %head
+  %title
+    Device Login
+  %body{:style => 'text-align: center'}
+    = yield
+
+@@ index
+%h1 Welcome to the First Server!
+%a{:href => '/logout?destination=/b/'}
+  logout
+
+@@ loggedout
+%h1 Oops, You are not logged in.
+%a{:href => '/b'}
+  login
\ No newline at end of file
diff --git a/t/services/api_service2.rb b/t/services/api_service2.rb
new file mode 100644
index 0000000..19c9495
--- /dev/null
+++ b/t/services/api_service2.rb
@@ -0,0 +1,48 @@
+require 'sinatra'
+
+["/", "/first/second"].each do |path|
+  get path do
+    token = request.env['HTTP_AUTH_TOKEN']
+    $stderr.write "apiserver2 #{request.url} token = #{token}\n"
+
+    if token != 'LIVEKALEFLEXD'
+      halt 401, 'Ooops, request not authenticated. Did you login?'
+      #haml :loggedout, :content_type => 'text/html'
+    else
+      haml :index, :content_type => 'text/html'
+    end
+  end
+end
+
+get '/login' do
+  $stderr.write "apiserver2 #{request.url}\n"
+  haml :login, :content_type => 'text/html'
+end
+
+get '/unrestricted' do
+  'This is an unsecured resource.'
+end
+
+get '/unrestricted/1' do
+  'This is an unsecured resource.'
+end
+
+__END__
+
+@@ layout
+%html
+  %head
+  %title
+    Device Login
+  %body{:style => 'text-align: center'}
+    = yield
+
+@@ index
+%h1 Welcome to the Second Server!
+%a{:href => '/logout?destination=/c/'}
+  logout
+
+@@ loggedout
+%h1 Oops, You are not logged in.
+%a{:href => '/c'}
+  login
\ No newline at end of file
diff --git a/t/services/auth_service.rb b/t/services/auth_service.rb
new file mode 100644
index 0000000..c54c6e8
--- /dev/null
+++ b/t/services/auth_service.rb
@@ -0,0 +1,49 @@
+require 'sinatra'
+require 'json'
+
+REQUIRED_PARAMS = [:e, :p, :s]
+
+# There are 2 possible scenarios
+# Get a service token by itself
+# wget -S --post-data "e=user@example.com&p=password&s=smb" http://localhost:9081/api/auth/service/v1/account_master_token.json
+
+# Get a list of service tokens (using a username and password)
+# wget -S --post-data "e=user@example.com&p=password&s=smb,flexd" http://localhost:9081/api/auth/service/v1/account_master_token.json
+post '/api/auth/service/v1/account_master_token.json' do
+  $stderr.write "apiserver #{request.url} params = #{params}\n"
+  REQUIRED_PARAMS.each do |r|
+    (status 500 and return) unless params.include?(r.to_s)
+  end
+
+  if params[:e] == 'user@example.com' && params[:p] == 'password'
+    resp = build_tokens(params[:s])
+    resp['auth_service'] = 'DEADBEEF'
+    content_type :json
+    resp.to_json
+  else
+    status 401
+  end
+end
+
+post '/api/auth/service/v1/account_token.json' do
+  $stderr.write "authserver #{request.url}\n"
+  $stderr.write "authserver master token #{request.env['HTTP_AUTH_TOKEN']}\n"
+  (status 500 and return) unless params.include?('services')
+  master_token = request.env['HTTP_AUTH_TOKEN']
+  (status 401 and return) unless master_token == 'DEADBEEF'
+  (status 401 and return) unless params[:services] !~ /auth_service/
+  $stderr.write "authserver service =  #{params.inspect}\n"
+  resp = build_tokens(params[:services])
+  $stderr.write "authserver RETURNING #{resp.inspect}\n"
+  content_type :json
+  resp.to_json
+end
+
+def build_tokens(services)
+  resp = {'service_tokens' => {}}
+  $stderr.write resp
+  services.split(',').map do |service_name|
+    resp['service_tokens'][service_name] = "LIVEKALE#{service_name.upcase}"
+  end
+  resp
+end
diff --git a/t/session.t b/t/session.t
new file mode 100644
index 0000000..22f14ae
--- /dev/null
+++ b/t/session.t
@@ -0,0 +1,128 @@
+use lib 'lib';
+use Test::Nginx::Socket;
+
+$ENV{TEST_NGINX_MEMCACHED_PORT} ||= 11211;
+
+plan tests => $Test::Nginx::Socket::RepeatEach * 2 * blocks();
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: basic expiry
+--- main_config
+--- http_config
+lua_package_path "./build/usr/share/borderpatrol/?.lua;./build/usr/share/lua/5.1/?.lua;;";
+lua_package_cpath "./build/usr/lib/lua/5.1/?.so;;";
+--- config
+    location /exptime {
+        echo 'flush_all';
+        echo_location '/memc?cmd=flush_all';
+
+        echo 'set foo BAR';
+        echo_subrequest PUT '/memc?key=foo&exptime=1' -b BAR;
+
+        echo 'get foo - 0 sec';
+        echo_location '/memc?key=foo';
+        echo;
+
+        echo_blocking_sleep 1.1;
+
+        echo 'get foo - 1.1 sec';
+        echo_location '/memc?key=foo';
+    }
+    location /memc {
+        echo_before_body "status: $echo_response_status";
+        echo_before_body "exptime: $memc_exptime";
+
+        set $memc_cmd $arg_cmd;
+        set $memc_key $arg_key;
+        set $memc_exptime $arg_exptime;
+
+        memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+    }
+--- request
+    GET /exptime
+--- response_body_like
+^flush_all
+status: 200
+exptime: 
+OK\r
+set foo BAR
+status: 201
+exptime: 1
+STORED\r
+get foo - 0 sec
+status: 200
+exptime: 
+BAR
+get foo - 1\.1 sec
+status: 404
+exptime: 
+<html>.*?404 Not Found.*$
+
+=== TEST 2: set and reset exptime
+--- config
+    location /exptime {
+        echo 'flush_all';
+        echo_location '/memc?cmd=flush_all';
+
+        echo 'set foo BAR';
+        echo_subrequest PUT '/memc?key=foo&exptime=1' -b BAR;
+
+        echo 'get foo - 0 sec';
+        echo_location '/memc?key=foo';
+        echo;
+
+        echo 'set foo BAZ';
+        echo_subrequest PUT '/memc?key=foo&exptime=2' -b BAR;
+
+        echo_blocking_sleep 1;
+
+        echo 'get foo - 1 sec';
+        echo_location '/memc?key=foo';
+        echo;
+
+        echo_blocking_sleep 1.1;
+
+        echo 'get foo - 2 sec';
+        echo_location '/memc?key=foo';
+    }
+    location /memc {
+        echo_before_body "status: $echo_response_status";
+        echo_before_body "exptime: $memc_exptime";
+
+        set $memc_cmd $arg_cmd;
+        set $memc_key $arg_key;
+        set $memc_exptime $arg_exptime;
+
+        memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+    }
+--- request
+    GET /exptime
+--- response_body_like
+^flush_all
+status: 200
+exptime: 
+OK\r
+set foo BAR
+status: 201
+exptime: 1
+STORED\r
+get foo - 0 sec
+status: 200
+exptime: 
+BAR
+set foo BAZ
+status: 201
+exptime: 2
+STORED\r
+get foo - 1 sec
+status: 200
+exptime: 
+BAR
+get foo - 2 sec
+status: 404
+exptime: 
+<html>.*?404 Not Found.*$
+
diff --git a/t/validate.t b/t/validate.t
new file mode 100644
index 0000000..8b0a330
--- /dev/null
+++ b/t/validate.t
@@ -0,0 +1,161 @@
+use lib 'lib';
+use Test::Nginx::Socket;
+
+$ENV{TEST_NGINX_MEMCACHED_PORT} ||= 11211;
+
+repeat_each(1);
+
+plan tests => repeat_each() * (2 * blocks()) - 1;
+
+run_tests();
+
+__DATA__
+
+
+=== TEST 1: test valid sessionid and valid auth token
+--- main_config
+--- http_config
+lua_package_path "./build/usr/share/borderpatrol/?.lua;./build/usr/share/lua/5.1/?.lua;;";
+lua_package_cpath "./build/usr/lib/lua/5.1/?.so;;";
+init_by_lua 'service_mappings = {auth="smb", s="flexd"}';
+--- config
+location /memc_setup {
+    internal;
+    set $memc_cmd $arg_cmd;
+    set $memc_key $arg_key;
+
+    memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+}
+location = /setup {
+    # clear
+    echo_subrequest GET '/memc_setup?cmd=flush_all';
+    echo_subrequest POST '/memc_setup?key=BP_LEASE' -b '1';
+    echo_subrequest POST '/memc_setup?key=BPS1' -b 'mysecret:1595116800';
+    echo_subrequest POST '/memc_setup?key=BPSID_MDEyMzQ1Njc4OTAxMjM0NQ**:1595116800:9Wc0CzZKO7Mq5Y2NbTaHrIp/gMg*' -b '{"auth_service": "aaa","service_tokens": {"smb": "bbb"}}';
+}
+location = /session {
+    internal;
+    set $memc_key $arg_id;
+    memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+}
+
+location = /validate {
+    content_by_lua_file '../../build/usr/share/borderpatrol/validate.lua';
+}
+
+location /auth { # under test
+    echo_location /setup;
+    echo_location /validate;
+    echo $echo_response_status;
+}
+--- request
+GET /auth
+--- more_headers
+Cookie: border_session=MDEyMzQ1Njc4OTAxMjM0NQ**:1595116800:9Wc0CzZKO7Mq5Y2NbTaHrIp/gMg*
+--- response_body_like
+OK\r
+STORED\r
+STORED\r
+STORED\r
+200
+
+=== TEST 2: test valid sessionid and but no token stored
+--- main_config
+--- http_config
+lua_package_path "./build/usr/share/borderpatrol/?.lua;./build/usr/share/lua/5.1/?.lua;;";
+lua_package_cpath "./build/usr/lib/lua/5.1/?.so;;";
+--- config
+location /memc_setup {
+    internal;
+    set $memc_cmd $arg_cmd;
+    set $memc_key $arg_key;
+
+    memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+}
+location = /setup {
+    # clear
+    echo_subrequest GET '/memc_setup?cmd=flush_all';
+    echo_subrequest POST '/memc_setup?key=BP_LEASE' -b '1';
+    echo_subrequest POST '/memc_setup?key=BPS1' -b 'mysecret:1234567890';
+}
+location = /session {
+    internal;
+    set $memc_key $arg_id;
+    memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+}
+
+location = /validate {
+    content_by_lua_file '../../build/usr/share/borderpatrol/validate.lua';
+}
+
+location /auth { # under test
+    echo_location /setup;
+    echo_location /validate;
+    echo $echo_response_status;
+}
+--- request
+GET /auth
+--- more_headers
+Cookie: border_session=MDEyMzQ1Njc4OTAxMjM0NQ**:Mv+cEjtny9UIrLFYBKFKWQoBvPk*
+--- response_body_like
+OK\r
+STORED\r
+STORED\r
+.*401 Authorization Required.*
+
+=== TEST 3: test missing sessionid
+--- main_config
+--- http_config
+lua_package_path "./build/usr/share/borderpatrol/?.lua;./build/usr/share/lua/5.1/?.lua;;";
+lua_package_cpath "./build/usr/lib/lua/5.1/?.so;;";
+--- config
+location /auth { # under test
+    content_by_lua_file '../../build/usr/share/borderpatrol/validate.lua';
+}
+--- request
+GET /auth
+--- error_code: 401
+
+=== TEST 4: test valid sessionid and valid auth token
+--- main_config
+--- http_config
+lua_package_path "./build/usr/share/borderpatrol/?.lua;./build/usr/share/lua/5.1/?.lua;;";
+lua_package_cpath "./build/usr/lib/lua/5.1/?.so;;";
+--- config
+location /memc_setup {
+    internal;
+    set $memc_cmd $arg_cmd;
+    set $memc_key $arg_key;
+
+    memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+}
+location = /setup {
+    # clear
+    echo_subrequest GET '/memc_setup?cmd=flush_all';
+    echo_subrequest POST '/memc_setup?key=BP_LEASE' -b '1';
+    echo_subrequest POST '/memc_setup?key=BPS1' -b 'mysecret:1234567890';
+}
+location = /session {
+    internal;
+    set $memc_key $arg_id;
+    memc_pass 127.0.0.1:$TEST_NGINX_MEMCACHED_PORT;
+}
+
+location = /validate {
+    content_by_lua_file '../../build/usr/share/borderpatrol/validate.lua';
+}
+
+location /auth { # under test
+    echo_location /setup;
+    echo_location /validate;
+    echo $echo_response_status;
+}
+--- request
+GET /auth
+--- more_headers
+Cookie: border_session==MTExMTExMTExMTExMTExMQ**:Mv+cEjtny9UIrLFYBKFKWQoBvPk*
+--- response_body_like
+OK\r
+STORED\r
+STORED\r
+.*401 Authorization Required.*