From 05a44f55339ec437eb6532cd0a02dc95e520050b Mon Sep 17 00:00:00 2001
From: Jarrod Lowe <github@rrod.net>
Date: Thu, 15 Aug 2024 14:41:02 +1200
Subject: [PATCH] Add WAF

---
 .github/workflows/terraform.yaml          |   1 +
 Makefile                                  |  17 ++-
 terraform/environment/aws-dev/main.tf     |  16 +--
 terraform/environment/wildsea-dev/main.tf |   2 +-
 terraform/environment/wildsea-dev/plan    | Bin 18260 -> 21243 bytes
 terraform/environment/wildsea/main.tf     |   2 +-
 terraform/module/iac-roles/policy.tf      | 113 +++++++++++++++++-
 terraform/module/iac-roles/roles.tf       |   4 +-
 terraform/module/oidc/main.tf             |   2 +-
 terraform/module/state-bucket/s3.tf       |   2 +-
 terraform/module/wildsea/cognito.tf       |   6 +-
 terraform/module/wildsea/graphql.tf       | 139 ++++++++++++++++++----
 terraform/module/wildsea/main.tf          |   8 +-
 13 files changed, 263 insertions(+), 49 deletions(-)

diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml
index 3dea7ea7..f85dd0ef 100644
--- a/.github/workflows/terraform.yaml
+++ b/.github/workflows/terraform.yaml
@@ -4,6 +4,7 @@ on:
   pull_request:
     paths:
     - terraform/environment/wildsea/**
+    - terraform/modules/wildsea/**
   push:
     branches:
     - main
diff --git a/Makefile b/Makefile
index 7eddd28f..3e2707be 100644
--- a/Makefile
+++ b/Makefile
@@ -2,6 +2,7 @@ default: all
 
 TERRAFORM_ENVIRONMENTS := aws github wildsea aws-dev wildsea-dev
 TERRAFOM_VALIDATE := $(addsuffix /.validate,$(addprefix terraform/environment/, $(TERRAFORM_ENVIRONMENTS)))
+TERRAFORM_MODULES := iac-roles oidc state-bucket wildsea
 ACCOUNT_ID := $(shell aws sts get-caller-identity --query 'Account' --output text)
 AWS_REGION ?= "ap-southeast-2"
 RO_ROLE = arn:aws:iam::$(ACCOUNT_ID):role/GitHubAction-Wildsea-ro-dev
@@ -9,13 +10,25 @@ RW_ROLE = arn:aws:iam::$(ACCOUNT_ID):role/GitHubAction-Wildsea-rw-dev
 
 all: $(TERRAFOM_VALIDATE)
 
-terraform/environment/%/.validate: terraform/environment/%/*.tf
+.PHONY: terraform-format
+terraform-format: $(addprefix terraform-format-environment-,$(TERRAFORM_ENVIRONMENTS)) $(addprefix terraform-format-module-,$(TERRAFORM_MODULES))
+	@true
+
+.PHONY: terraform-format-environment-%
+terraform-format-environment-%:
+	cd terraform/environment/$*; terraform fmt
+
+.PHONY: terraform-format-module-%
+terraform-format-module-%:
+	cd terraform/module/$*; terraform fmt
+
+terraform/environment/%/.validate: terraform/environment/%/*.tf terraform-format
 	cd terraform/environment/$* ; terraform fmt
 	cd terraform/environment/$* ; terraform validate
 	touch $@
 
 .PHONY: dev
-dev: terraform/environment/aws-dev/.apply terraform/environment/wildsea-dev/.apply
+dev: terraform-format terraform/environment/aws-dev/.apply terraform/environment/wildsea-dev/.apply
 	@true
 
 terraform/environment/aws-dev/.apply: terraform/environment/aws-dev/*.tf terraform/module/iac-roles/*.tf
diff --git a/terraform/environment/aws-dev/main.tf b/terraform/environment/aws-dev/main.tf
index a32f67c2..af062a9e 100644
--- a/terraform/environment/aws-dev/main.tf
+++ b/terraform/environment/aws-dev/main.tf
@@ -46,13 +46,13 @@ provider "aws" {
 }
 
 module "iac-roles" {
-  source = "../../module/iac-roles"
-  app_name = var.app_name
-  environment = var.environment
-  action_prefix = var.action_prefix
-  workspace = "none"
-  repo = var.repo
+  source           = "../../module/iac-roles"
+  app_name         = var.app_name
+  environment      = var.environment
+  action_prefix    = var.action_prefix
+  workspace        = "none"
+  repo             = var.repo
   state_bucket_arn = "arn:${data.aws_partition.current.id}:s3:::${var.state_bucket}"
-  oidc_type = "AWS"
-  oidc_arn = data.aws_caller_identity.current.account_id
+  oidc_type        = "AWS"
+  oidc_arn         = data.aws_caller_identity.current.account_id
 }
diff --git a/terraform/environment/wildsea-dev/main.tf b/terraform/environment/wildsea-dev/main.tf
index 0fb7a6d3..6399df3f 100644
--- a/terraform/environment/wildsea-dev/main.tf
+++ b/terraform/environment/wildsea-dev/main.tf
@@ -28,5 +28,5 @@ module "wildsea" {
   source = "../../module/wildsea"
 
   saml_metadata_url = var.saml_metadata_url
-  prefix = local.prefix
+  prefix            = local.prefix
 }
diff --git a/terraform/environment/wildsea-dev/plan b/terraform/environment/wildsea-dev/plan
index ff4b49b62a877b4516f3a564bc7dd2d48b31fe88..b31203bff753d23e1cb4dd11ccbf0ac6f088bf86 100644
GIT binary patch
delta 17862
zcmZ77V{l->8ZPSCwr$(CCYacq*!GHTPi#y)nb@{%TN69Ev-dvd)~#FXU;kazU%&Od
z-3xJ`ZzZ4z%JSe47$7kJzJ1q31VTXGy3_nZSJzf|)T_z%+J0=axB|@<z6j=z!W>mK
ztqQlC$!wvX_T#TK%AYAkX2C`*0(Z#-r`hbo>@G61VNoktoAwP>;*`_hFlw29+ov&%
z-g<Y!8iO-}xdxI+&ePGn&y+P;s{9ejTMIWi%I=Srpi9~(lT;SQ5%}8peE9^<-`QVB
z>e07(AFadtwR6#S43S($zLR>@>w_Kh^tUW3YD*(U6L8{q@HvWxbl*aI#5FMyBW?=4
zK6tP;drX<w4?Bqtd`rW0x{!cy`GHiIkXYmSr?LUaXUDpXdq6BlN@TF8LDxigGa5#f
zTtCSura}!Mhqzs)Y2B`}b6Nw?Eb*cul3w_!#>oUR*%TNC#H`6!z3CDK+%|`>IC4y6
z8_B}O!=@%`T@sAs$806+Bpg+IZM79tp;1wi8up6L(JTg2&x=-qN-|}!FmR3MJK9nl
z36k-&CRNr=rxOmG);T9D?4wbaLmq>c=i=bOaH(8mLFLKA>3poGoiBg`rpzekz3n{V
zj)2em)+LWz_|A`wWb*DB$$Ou`2$|U-Eb>#oK?<j}5S<l!Q(E3{?Py(Y>fpY1?-y>`
zt~)-oU;LQ9%w-i;-}$2%q;{q}_v9^oX(E%vkC_olsJ5t$f}l2b6@m(Ypz1X8`0F3v
z(uSzej99Xa3?vq)SX2QW<t$a_ZZ7{vJj%v8Ce?9cJ+etht8p`_;G4|eHI*j<DZ2_Y
zrV7Z2;NIJwXctX;$f}K_m8l>Db~pD>aH^3WB(8D>qSist@s2-JqB29Es0^Y?>RT`}
zL9H7g#Trc8@DWL*=<+CY=e|lH)8NuUXd*`V9Vavba?xVWJy<~BMy}xl@D?Me^Vt0@
z8_LCh@@q_$h6M8KJxR)>Syq6Z(?B_fT{G&o{d=a1rY602K{FpQ$g^c*Pellw<tVof
zQ+NS=j_i}0G`W!x!RbYaR<ZE>Hu34zX`EYGtWeQ#MA&|MKNK_rDZ%wcyvA1!g3V^2
zqkx9A8(|^8$1;#)p%fOH2o7H);3)c&FfN?Gzd^NowdWHo`fp0P{ui*<Z6MGw>Gw9c
zG#6bU>~%AmsCi}DZ&brb-xdlXBYSzVk=l-#1Sy5IuBO%Xt@<c%9sx3_r*A>ek>^MD
zm`U_<hq{%!^8}Pxy9S<T$@1)5hSq`<k>?0zPh#%{!Xz-I?-%hc8FOX}X@V;{zPTbt
zv+uVEOg1D%uX9Rn+ESfty$B|5^zTQ?V{k*0x~gxK(aL)l=ZXv8kxb2{{irzz{oH0`
z5j?b?>gjQRUDUQ2SxLH7c7!C|nrr^4q(-}pcXd~kFuk#K=-_^QjoO79Wst}Stq|;<
z?HOc1h^GResKdHh{>YLjA^r_?YRzqPoyTueE2n!6!xHuDZslG+?@CoTZtjQ!vn|Zd
zWq#rhHnornryiQAD436gCr9^S&(_Y>LZu1`M!9=RA*Q7(Q&uv(_X}tHf;LDFkFm%L
z%)o1c<raht%QghbvZQWKE=T?DBlvl_(wCkQ3ttFq8fmERc0h}LhnFYm8Y4}cT_cYx
zH`=saiHfY|=oJbnX{W;aJ_w;S@U5iP{)eOB#dTbcQ0H*ywo@Gn<PfZLhHUKKhHfQR
zW5uD)2n0X93$gaG<7^2*!YEu1BE!y2PQbyXxEgGsWyw!kB2B2)xP9a`E7ixImMH2}
z$-5PxIAp9)5znCI^d)l++!!_l6RT;1vD$4>qt^Wiv!cM#V+~?_1Z;`b6wme#bV}0W
zsbO`?U;0VC=cmRT&CNf@OyC|Aa_4RO+GXEG25eQ<lqqtk7jgDF;p%hak@4*E_r#92
z)+iEsYiRu_E%*kik>g@>i4=3ill#$Y3wrATRdIR)7myx}O=>ypMA^$zuWrr!LtVGL
zR0DaqWg{x#8@^SVn_C8Obrj1dTI$a|+V6Ya{A;h=(&EB=uMg^+9y?#O+BI&W9tb;g
z!Q<?I?Q%YT@H9}8Sz|(S|9FHhZUEYtH&aX4mgX&*HQO84Nwyu><i53jjSzF-d&!0Z
z7;+kh*L;4~CiiM4WKN&*$@+)_MPohILJraPDekdW3D^5U5fEELyD<_Hi4t`vB!kZC
z<Bv|b&F@B?zX-(tbT_c$onKtUU8VD1V-*lX(j~nYVIwh*UJGo$=1qrw?zd7)``f|e
zL&5Co8XG-GbGZsY24(zqPhr&-^*wI`dSMup<$sc<^5<F2l!Ynv7aNTaXFYU=^b(-B
zaQ_77qFi4YGFSO-+I+ln%NML{slLM3WMVY0U}}ojx`E*`&Pz*(dVP|C!_V2Y$5@_Z
zisW3jp3@hHc}QkG5aSzW)?SsdPOi@_Ncl6hJtHTKKwinI@4~7QSZm7Z3XGx!Tu4&r
zqg{A&wj(`x^Wd71rmP34Lg<9*wPnRACS(rpZ;I@?+o5U01@3%@_YpI0^2ODAy8MJ$
z+1R-L4cW3}@rvb{ftA$)m6R5io6K!TQqB~K{YW)yX9h1hZrcTp;-vjdcWQVp$LZ^e
zOW`i5QJ<X0l*O#8^V}=2tyN(lXWW_o{80y@R`s{;jy%;kn<iI}o08dU&u)UI%z1S`
z0w$U*IEv#`OGbAQGJ0cNs(4uN$feG$Dst#~c>^MfL?j%|?+CDOST4=)5T*_O7|wQd
zlBY&TO-F|(oE_QEsWZ&sLONx%yPd`0I)&V&CXu?+gj;BUXUD^Id^iz6{57P{9Jn})
zXKlIZ`DgwJRll9;Kx4L$gy__DaWkvN+wm%^0V)UYpxS9}8-3jML8KU3oMTRW?o?(i
zU<)Sh!QI1H4Cd<82L)tK#M5Ep@n%B_UNh+P)$9S`w&ikdzqE`?3MuAvcpc)_h)o){
z#(na|Cgs9acyQ}l<EaY3Fm4VNxbMhvhHtthOO<48mOQQLNo$RMG+4w^NGoy29Iqwf
zK)wx@aV1`?-ft^x{(8k|?ct7V{Jg23(H-8Jg<HX;AsN)@Fc|MRXl$B8Q-S&uRx%(p
z^_{QqE+UN*tZzrnLh0Wrk*DVKt8sIoEoj9JdVJ%F&)%E;;(Zr5bd)oJjf!`CA5ZUx
z^~;1C?)OnRMHmr9dWFy0<Jj-_mwz_%q)7%958K}j`Mvyi)Df+NT#<+9v-<CareavP
zGH<bmB!4?u&a8}uq32`MFjS!#Ju6=>5AZnglQ~Wyrp$XPPd=w>hSO7K7HA4Qp>28x
zmyp~N_J$LFa2N)3zYaZ5^5TSfZ=D!#v|M%_H4L?*pHsUcMt^(MqtrmkJlw3Vc@<S4
zgkao+5G9yVarAj*tFGrGarNJf?_xN*-6Ib7`)mK%vJ0`uf;Smu#$6y@^QJDG^?VZP
zXgGf0yWALKar33jS6f*RyB%DnS+)OtjcJ{=fYhY7R#ykaHlPq({(;X}$F1sD`}q5y
z=ZPO}X@;I$5wc$#)x>%gwE=;zc6vpTCS@P;W3V*Tg3b#4rlA5^_|eG@Z?eV4j5G_$
zG5X94LXKTC9sf8_Kj*T^W<Hw9a#1NxT}}99aBH4?--3$inQpT@yF^V#R7F$l^SF$L
zwENEYe0>@S-|`hwK8q8lX}o1X{PRN1xC;L3jv}>HR%Y2VQPkW=yX5=Pd<^x)9(LWS
zm;fbjV*|M>p6jJ!y2Y>MTb`zt-vMhOqyj!{7n7{6vxB8PBMeNl?ye^zIJr3=R_@+-
z5sK=v;M{KwnN>9n_pZb3NVdOy_67rOAO7}Q8IB78$}?-j6v!y#nK&ER(%#clQsJ*A
zUA=zZ!ol!lBk}P>TPyB5I=}|n>v>wOpxsoXMxKk{A;b8Z7UKoa!c>}lIkVG`k|{l;
zOK9H{H0a3=j*Pami!u>Rqwbg4esG`tk|i7F(5|<+Wb(Wf*ku9*kJQs3tK+Vw`btSG
zLQiJEiRtEbg$C|d+g62(tu2MycCGU-(U^Jp)IuLC8_l%y<Yj9l83VV^Si}n+nTLBM
zNP^!i?A_&mRdmfBtvgAO-CHWVGakf0yQqmSlxIbmb*hX;YQ*>^i#dNh4N~M{aq!R2
z!=&p*j$+^`X0Jo>hueX}{1&;j?kseTO@f{T$~KCd4itDk1@pO&mS!yX7846pClmEK
zw41=TK3>mNcSE!CNMYB*aQj_h^9BBLpzo+N+rFGAh6Pn1lZ>cAm*R_$9%wmFzjQ}#
zEHk(DL`MXWyNncLrAl-0!k8aD4C(2<s&!|)Cl}?Z!Zhc&lnk|BI+s^hS5LZ}Thu`U
zc|}e8W1j0qp=?z!wZ1}Ir9uX<lVM`sVRzQXfG3vO<;t$A+a{;mQ^==G<D_R6Hnrhw
zN+t*zhh^J-={M^bHrT@4DJvrRmGy)I0yguTAP^x14pjpH9Xl}Eb3Hv=sq;4V%pb!d
zlUC=nBdc|&iqpJ`R5!0?pKh!46OaT{JlNGqOPoQz&kk4S`9mib#eK##mjvZS*=I~-
zXoy2CA}{hLFw2g3>YA{*!O3Uj%kkOS8SMHyjN6{9mgFq!D-JH|S|ml@EKkK>6bFf6
zUtta!^wslAUiijkrAG~JS<#F|w`@K!pkB;;jH7i$GE#)2k)!t?hq)UtM}PxUlb~5i
zI*vP%k36e$Cb@8#rBtbdSr$@52H#>BrXBUFIt2d)tN8?z9J&Ms`RcIlehJ-dmccy8
zGgiYh7T_~Flq+v94!}#kqj@@TtO?Gn@}m%*+}1YnV^>xzvGZc+Yx-pp`upm=K8^a&
zRTy#_S@0q$5`AqtdxmUTS@{9&l=r3KGY;2N)MSh6fw^0j3~Sr#D4G4o`FIh6t)=lI
z*Sjb%-_wNO7W*B(md2}>4Uzn=52>YvZiH%dm<pRhs(^<JXBUI;XWzO>u&IOgN5sDd
zT!E8uV8!*uTnGV>*{3JrT7SBINU%=NV+Y9uJL|7th)AT0nF;Yva7h5adYb#nenNJd
z8rY4J(4EHNaOp4i#hy40=hX9UPV(??=ohw*fY#c5?IkZv_$rukW}=A|XNzeMA9Y5%
zw>Y-fagD8Jo1v?yOiDi&t6Ng0##Y0hGLgrh!M3I<u@6xN{CT7wew$JjZS+A!Qhams
zh@FX`<e72zkArQ{uTDT|CH4Gj$9LtPpXVE#yXy|y_g=vK{^qgc)mV-`Khx%|DBWgF
zzG_>6OW>US`+Zw;vR2R(+Etx^qay4xPb%HCh*)$K?6sfrX%o!Un#;CcFPCWQ^_+Pd
zje2SAZ7H1_IlL|M4X9fJNNR?8z<GO&^?I6t<#a-LZ@n`6z92AP*;KQlu;k0cZZMwF
zRVHf+%6T!>>4t65Kyd#s$ARJY=w;{WI~(qb7gfSIVmkl8@ms{M4^AfF#&~=*7GWQ9
z0v1Ig2V@2xZx}iLW52Y^MLY!aV$JWA!FRgLUFdw4kb%;%ot9y{cGaWk@d=`{m{C+F
zu0lV0sI<j$t`i9QiE4uE)QPu1_wqM5)0anPC|Fuso(OdDe9kYBaais5twQCR@XW!`
zTFc$)fZ16#^>MLHkj#m)zy(F`P4W^d-DCOLhPu+=ahLa|IhPvelj_$Kr^i(_G-9Tp
z@<4&|>cYODgmQp#MLiSKVK3E0d$Jcd>rc3v(PLx>>24sw`=dpp7C8b?Ede^Z=Y%&n
z-$)u5%q#O~d0Kt}x7cEfPlJ13nD2mW?~`O_tIqZkeiqt9Zg)XwT>=3gy8u@vj+guJ
zFy^(!s!tHPf2lrGu8P&-OXBFj>5-3ImoIOOEe%OVA^~|~kp_>ym%IC!3u2O64sj7!
zF)G)@7yx=j97il9-0e~2wy$M*nNhPS^!jqJO`T`_!{Mj+!{{k{HLgZpH1kVOQQrPf
z%9porAjsgU+}HiraTzVvFJ5d&Ij)B%=8(9ktEFyV())hwT!K^Wd*ak@;`Q%LTocZR
zyxI?o`83RndU>hDOIsz0XK$v#s}d>r8-G%ppMbghLj|wuCec;T7ic$(I6G0w$#bc}
zA{sz>y+GuL;x!k|TDpVx^%s#w3{|0^ez8V^jenuNQHr~riI`XC?Uj&crJg}G5M}rY
z62o*z$<m8P-d(J6*@eE<tp5cn_mcJ%j(Iqid~$oalTO3j8v_TuB9W5P%obBdOKP+X
z3z$r{6S&l=F?Cpqd9hNL1QSe|M;%h?livxaReY)<0y&V@@GN>rhaP1GEs`YLDi8E*
zMWVl6l1p!sLM>1<g-|5Cdd)wJn+c}a7D8?(!<Ip#ttDpHFT|AJnV7wm8vn#GLO)r*
z)~awxAi0oqNlRIqt85`fEOHaHmH2kc0>L!hwO`+VrPUA@SWPlGoDW4=)`@pEOC9>O
z^{&fY20#nx`#fic-@~PIZc?>%(uUZiE{A{|SYbE<@qA3rBh0^;9TIO52~)<N^a>cD
zv&2kH+t%FlXW17ja65m=aPDm}um~{{*m_DUU9Z*q?m>2|^#T<Qe)*l!t;O;;z)S%#
zPNNVp9}%D2Xo=Q|a(oK?K3YL==Wr!}yN(CvM{(aF-Hw6yF;qjFva(jGseBnW&b#va
z_sMmL(6((zaO*;|ZK^0Sd?yARsxHZ{Ih*Uz+%-|c{wsD!?^-ltUX@?)9OgAqgmk;%
zS7ln-7c2<K*O#(9G)(fHpOQQ}8VJZF4+zNrSLKqWQHlP?a(?=%>pV}-AO3I-pWNNY
zKcSKmAVwx!5+TQakLw09t)~&jn$Smzr0L006%%&70TioohGxT{Yhb$O?)bXW(sQ$3
zsc{Fj-8_o>SWbbsb_m&5_zw)I$Bq*%$XJxIk86)Q%?0C-dpJo$J*T*yL9{{W#RW}m
zn@!vR9_Kpaij7$FHCJ<U+a{Hm9d_SiOZO@fJ_SRHD2=4)j&J8OGY=ZW0n_(dp^rVD
zxI6W)Z6`dTJF&u>EJGW11%bf)Aq?>oXXLR3U0&pST^{tF&=3-&y72M==Pr=KnPn0C
z5#B;)6%<GJXu$z><M+3D_242{tfc8>G`4EMxJf9~BualM*o_BWGZw(IWWhw6yKk8@
zohRwbAtNp=-}Fvq3j6LX09PWFSW`ZxmmaDHc2Qy9#CKVJ>E7KqyS-uGF)HdT7@sf?
znjIOKV8SBPkDQNE5Z^&%0a1Nz`r^Zb*M`Qv*1>UL@4R$BbLq|Y*W9OJ-ToL~XDby@
zKKZF^)ZdW2+b;a{^d;26^I>CpeY>~wr=5MIIpLRo9%-zIno*<!>Ill|yfEyH-~D(;
zq_r@uh4D#n0P4k5;PA%GG>b}~zO7ij8FNhg1c9Ax^V)j#(xZkkS#78al3{K6z8>c%
z+c!N<s44ZLd25f%OO1w3uSHMOv1v*mMP^o7)c5-}!Exn_H0E{e@JMRuV*(0SG+pNR
z{^(MULUZ=Cqh6sTeu7hKnE~A)<iaF`s0Nuq9Ez__>x@F5hiPHWdm&)~VpV~m5%6fI
z(xD7u6LZhJuF|1oyeSi$$~dx3pUsyy0FKbSIl|?lprxOKq8Nc<_;()?k*F0QRfmy9
zq|Sj2x?rO)05QSR@bZ@Fv(%=P_+2Z&&B^bU3vThtOVxJj$3p*H#0)h)$lP6ZV`k=6
z7-R?=?Dx$kV-*t6;e|m^id1FXXe)4?xKc}37m%-NX?$Z2Nup<=yX?x0TmJ7!_uj68
zEKm=Uzuu=FAD1*LH_sn(qsKIX&oO26`xsQ$$isWI*eab*jw5e%RxA0`4oRXtWwL2|
z$)$YcZWcHTlgS_cwuBhuj0x8Ra`_S2H>5dVkg^d_$4RDqyaU`c&_@h*?jU~lZP4Pp
z>L@j*H(;ZM!eM>CsynAiDfU3CLs40cW-t^QVM1-)p|&)dg|A#y8sJrc%2joyj}ggE
zs*5KszL`6LmCcEJTGFNX#tQjWihd%)27&q*9nIJ`Zf&e*9oB2Z^n&QpHkSD(2e<|u
za7|08zxiGr-Cw5)YW(P_zUtFb=I_w*_=Ae4)@ZPosw*!OduAs(&2Tlg9C&2?u7jvN
zk19M+yu*$Xb3-*jgLW;zwOvL!3JD`xJkI0U?agHbx(+O07@d>b+N=%uBRUP?+>Aw5
zmL6KWV6?kN-U81Y43y(a%RGm8N<0Xqd9Wn5w@I7(?zQvwcJ{8XAIGOe%lF~asNI7%
z&M*jItY!8U=<nI@d|BkpI0~m){@%RwUcAVTHvV{Y!&AP<4N3s2($^ow_$EcrgE>d5
zUaHQCSmJm%lD-?9?Nd^7PeyKi^Qc{hYff$~iTZSxV(+j3Yx*4;>+v6-LCtwjRh6_p
zlB#hb<4!0_E6PSE*<#r7_2=)~FB?UcpLy>XWM_~FHg_{3_7;rzpH+*ySqiZN3JS9X
z3+y{^#NT;Db8`SzGD1WX00XLJLEFz*4@}TBjuf;4g_s@g`)2Jvof-Y`0zMI<a4tb`
zPV&coa5VbgPv2{V?A&aE-1Q5-z|WE3HsYB5fB8CnmNhp;n;eTIN)S>akv<*dT>l_|
zH7ST*Bo)sE2SS8XlBICWB7>xQgQ19J2j1?t0#y=UG!n2z0lV?Xe;qaqny}Kri1oT#
zP4wWKt9`TZ-jk^P19|%wu~B`T@SE+?*pw}Y$y|47mLIGGMDB*$U6SDtar*I&k*C^%
zxa#07(ci>_70g2y{ED1c!d^9JDzM^@VaTnat((8i{hgZv&u{{(%Es2TF4|^8lnnRg
z%5AEcyKq1ct|$pNCeCZ?0DO)k>amvRNfRz@E|oEQmRbRSdI-_?HRAz@?}8~*U^wDr
z2_-`~<a?+2S^2sW9Bxxnic=acZzi1?XV#>dzi4}6r%Cr*b_zrkL3@SLya=&*YY#M(
zlx2R<X3VDkGL3@HDN?qMixJmPC#RVex}W_r#tQ+QcP=O#kQSm1zt|lY`fD}sKcfs(
zVh?l93}Z}!%-TMC?Yp9wM)qTE=zk*;G<d&MdZqq8aEhdb=|k<kVojDgfaB>3MbnlW
z$|z#}*^M1R?Ahj`f(UjT5gmAUYV@=Wum!8?b9DAc<AvI%x&AJWenk50R``O7d;O|?
zbt?dTM%(Xb#lB-^GZC4>unq?LvpP=g=e6}vPIRiIx-TFj5-D|Zr+`~{dUe55w)J?=
z5l|xt_{@G_PO>+KBp2qmWe?R$60xy7VM&0XnTT^CfT5kvS>yW1^pg%Rp<d)6Dgl5;
zx#PDIgaIQz!pDJ*V<#K~pL_SQ(e#%Nk6_^FmR&D8Mg|?KWiDQCnqN`Y$HJ$-KRUQb
zaB)Xr!8VRuhT>7>!@bhV*a;sFlnKi-1UAiOasHz}c{?oJtEOe&5eX%fJSe3%NkD=&
zAk)ABiVlr*@gU-pQmX&!gL&SvUmUcMsF11Y!s&ouk2B{U=LZ>usloVhLF)40%rfw3
z!`NuvUYrRxuq3w>v`m-gpKc`Ix6tUj(NtXMw34J#A-B!DG4cv&)TfP;GK7yS)}4?+
ze!fSuT{gE!VLP`Vfm0q=Bc0S`u&aerR>yQ7%iMz)wPbWB<VXG!YzK{I!4dBmyMKRk
zSG!j`rmWPyA5N%IEs6O^hSz%R+aQ49=~%O7?{W7zfru0k9&%u7|8#0lC@Ci>m}>t%
z#YS*C=lP{_K3|B^Jt1Kz1Cxd8)Wd{>&PBf~0FE=K@F=2yZkkrL_#3V;Ayd1A!GuKe
z`XStQ`}p;H_K2m1ZRP6{i4rre1b^WD+I1`!w>@7(bF+OZ`jt{&?zO1y4i>--;XE-n
zV4!@tn!-e=rGpw#nJ;UE3_5C$0(phe$}LGesEv2yMW<sH=uC90-%Ni(osk>k8@OmX
zRa};!>yeBH_F4?3h652pe?(;)WECdcwYFfn`UYLTjBwIClZ_hy?UM=#s?%?v+~43E
zqp4GlU%j&^ag*sQmnAqy)D9@WgKVCj^GDtuoE?tNoTUm8LxGkqMSP!*{)T8a|5rno
zT21WlZOULj#3v+OmI8);t=ta?edih@*wW>q(<CcTMma{Ij?u(%d(=Gez~UGT8AT<n
z_nG3f_zl`(t>?<ifWbfQk{f3Bq{MrBh58VL|1z02ij6LbhU^I=2LYgfD;W^>33G#Y
z>0x_`y;a>}c=VD1)?j3dW0&ejjE;%v#3FZ;xUEm10Y0zGfciHP#W5&A!e1oj_T!Jq
zF>DxF<uYT1NeQc#GOm9`pq5ze9FBxG2UJpPbsZO7+V_FJ7%=AFd^s9r>$Y~B>zC0Q
zz|0w<_ecB-)P}Om5jYV4f}*O+utyrSN9bVn2#LAUd*gV#w^Q3m_RQ$6!m&#lPC05D
zD;eByYbgP*g1YQXG^VDK*~7+WF&iYZ(C-RHMpziIFZi<A+1&pWj@{H|I^|1#4B|~B
zZT>J0HL4<VB=XyPMrF!mz@*ZSJ`)O|Um|NXQD)_635>CC)(uE8)(TK8=@xLS+Y}Kq
zF{}k}79m%(qC4wszcY=3jEGA6EMVf#E6eP#Pmiq7_3g(S2lC@nJ8U2AT0?AsVweoI
zVDr*FtZWQpycHnB6r%I~3%`u?cYa8$(gAh2drTPRdXYo<=5PbfBCJo+F$*9F!A9Eq
zazEISUI-}uv;d(HK4VI;X&&5~Nug%U?JY#R(Y``Tp(!*cC9evgi<tbqL(WiM9ffB5
zg<zi!ZFEWf6_a)*HUX<!u^+URr`kLZGj{=kcUs`5oFCTgX#tESk+EC2<K22e0vuta
ziHRoWvO+skqc`ip4djkqjyL=(ysMMzycPvQ<J4_15P+162ur87Nt~RUBdR5?)L{B4
zk%qkT*=YsYR`L6A2)9bgOH?5Ng+wur$%7?p;##B>k&)cwsUXaHkZ->_$E3?Q@HaUJ
zqn|(03XAkC3uWB1nx+>qnBW=CiAPQDlMMd-WamT(%>pI`8yT9yGOOmqU>8zS@{_HA
z1YIRg3gDCwo4TEPu`{~q-%f135$(6Zd1hqNvES|_^hu7}Ms8<AkX}xDnV(L^=lD@%
zbH(bt@35(ihr#?Fsg5O0bR-8JLa@Hc$wMa7dI_3M1DPvl9vjRSc||cpyZu;Q3KMS3
z9cQm?@{M6W>Iz{!z&aP7h$vStsG+mj!soa<7>G_5ev0e;`!RSeDa4ULMepwE@9*W@
z)J|~wez5?et~ddq;-}@r%9#dQ-9*3Gv*p}MVcRG60+FpgTyk)t;gpwa>lz*^u^<WJ
zG}XfRZ0QJ*KA1re%ZoO@C&CT)Gh{SZsk*b5XXh7@Taz}*cZT$5^2$Lt_P8HjTz>jR
z89=XgKWrr83WRLzsQK`Nv8`P*8yzLImi<&i*ek3?Zl3ia&*t#K6Y?!)p=2b)Yv>ys
zJLs9A)iD`UEO)1tH;ooMmbd9tIYcgAnKjRCdgtTP<WV_$@9*u+VjK7o&M3I(14_?5
z^E`-UY$+9vv-q6mcI@Hy{^;Fy<n&N+ZlDpX5TOtbq#jhNz{fO3AUo2$Lj=w7h;wkm
zMvOFpAsf!8yl^ZV@4{7A_tL#`+uq?1k)sX`_`@Yvb#C&Bj|-gNQEb3Mvpfcb(9<h)
zluvtCi$!|zKB-2H^tqG9;SMF@5`3BIYtE-tgYl^BM$qaQxMsePA*$OE?=^J{3qYEo
zC^ErO){ng7`Y%^qcKURC{Ojo(t3!`}r@3HKg~XDm3}vby-}3e>%v%(}5k>FeIR+nT
zoJqcx(Ur_=PH7BGE%kHTcls~f(Bo=gg@Q%;rCc;GnkLK<I9QzOImuAdP^kpM$K0Lu
zfwZ|#XOVZ}n0r`<nh~6q7z)z70l7*DSk=?gDZfBc5Kw3m6EJ1wVa+4je2G$OSmfgJ
z4b8KP<{<s-cJ&}6c1E&w=|r8QXBl{d)52#Nngmv#Ak7z#@P~v<j92whzbAPUbZbd7
zjy}5lb}l%!qwHl7mCt-oJ&eBxoq0!gKKR-NTHL$;wIHM6Q|qU@gIk-!Ks55L*_Zf}
zS=qy(=To`M!pr_^i_606-yac5<vqk)pCrVeLgdiP7guH;Jp6JW9xZpnlf&cudzanA
z)XT(dKcxBDFFrojzo|Wq-?%khJ^O}jPO-juuI7Gr-Xyl%^WeC(Jwp(05Y8+;8QANY
zrD6C*VB>Kx@Eci$=_=%m0j!5)Hb?_Lzb*-6u3)-0j|AJuv4S<=G@aH+0=$E(>ka;d
z&HC%_+uTs)h8rr|cJ`Nf+T3K_MhC(*-xXiaSs}zLCAarYw_nFiZFgN?q|n|_&yC{F
z9H;7QQfpp7579dvt#?a}ugtUG@kt$D{S4l98+3fh`A3#=b8NA<KnuK{=De^9Te@Ix
zVLR)ID?BWgyuv^Rt@MWY*a8j`jWDMwOhFYxC~Yst;5SHS0knB7=>ck@TOCKYhSXkV
z+XtrA)>|xHJ^T+1p^2BHBP1u{^Een5lY%%ZJD9GD(~(^S+D`(qacP!Mp^Fb*fvxom
z;cfMLz?ja1Q1`7C7$0Y9{#$!Q;etqS=&wDFj`QZ+{VLjQC=_~nuK!0TIQCNXjX$dk
zjt@YGFZY)SQ^MKHWF|*so(>mv6e_#2qAA6;4X>MN51Gp$`W^Y4##J8#wmr^qMBDTV
zx7crcnkCJxXYDxsdDST>u-WbT)q!y3(JoJ}ehs}EFTr34oK_5W7_RHt0`5N5{x+4%
zRzJJ@nisI(D%a>1^|a=e){d-%>6gCJ-!ioe4D096^EiFMFyb|oIq8M?n_J>^vK*h;
zJ`Uu*7&II^HEc}VH`nd$ge7_fXFw|pZs+0_8s>ecU$&}=snytdx-J87@jy>>roOsn
zD!u=e=RImbp{(mO^TAT}Rd#}9l3M8)PAbgkD?)6(e3kJzLfmq*a(826{icKc<Lifc
z^YXT3pWU>becbE%rkz8>wwP|{6ilz4?W?Z8B4cBJ`|2tKmYj!<+r(s!m>5b<J{^t=
zUJ5xX3mpm$>ogwt5bp_#5VDR1d3Hut!fn30BlSFxGfj$yra<~2<4YY<5_Y(8n`I&_
z6><vit091`XVZL3nq1pvdRu`B<zVB|Zx_$^ZN*u7@(SvVvw3r=e0BZ8!PcSIsf?fL
z<m1<~JJc{FqrIz44lR9_0e?sGPjmRo9E6YR!5^N4@IGlbfu@I$!&AtLa^An%aw3!{
zmH#XPA25%4bR&x1W7GK(M@)wB%D2_2g92-gB@X14+GCjA6ujaZ2<pU&PIOwK-XyAx
zDL;<TKn)FFwBY@NR_JzkK)_^sW^tVSBnmYcza^??Mq*EK2u|iiHlC?aorAI&AS)94
z;)(`39~kPB?3(o@3hB89AIXlb^j3u8C-Wr&C|MF+zlE%2T;XLctM(97<0k_|YJ_Y|
zjOUA&GH!4Wh;BiUewENvplye3+N+x^Q7;Azn{!AXQ_qUNuDz>2kE+4sr$o$$J32<8
zYF5$y#lDn+86_>{Tvhd@@=U$igf)h27FkxUj?Ri8zE2Ha7;Ly1d`mq|la&NVJUg)k
z5SjCdQA%iHwpA@li9nql&JMIR*CQ7h=KtQlkI-~9B#^K!yir5<;=&d3A0pS6+cauq
z6s>@ypZ;DnOJdVG`?0X!n&LD`oamCBH}uesyUgZK<K-}H$<y89oLKpyg(`z`S{jQJ
zpv92JX<%JUceX)xRzK)g+%LZlZTWo$7+o!Tw~BstP^Yc55+yp{dFSZl9DXWPsQnPa
z)n~TwA|_8z*I0E<8}x#e@(O<uDmpv%+BGYwd9t>1Ixb_Zsdh3bVl)_fk^RV{;(>pj
zhxp>?Rk92^AK7iL@A!F4(23wMK)gLwn`d*g6!^aN**ofVV<W{Z+&jL}U{WIm)K#qL
zOqkvLAnK9uf?7Lf$>`$mAUJZ+cGa**y*>Y)YyHMY`}K+6PSRNUti$EiU;);BU3!`2
z@cc3TJiqs{5$iCc_E3Km;^BYt_&g80hn{VCWi~~9{n;ew|8&xUF;1Pld_nwLnToE-
z-hUB@%L+O9y`gfOF}c)y5SpTq;{&Y~3h`r+xF-=tmW;1^<LmYd{Qt@=WRJi%D@+iO
zyPy9*xYZ*k|37eR^Iy1q`@q<G-+s@vz>^U}BVnJ8W>8Mkx2JSH4ULnkPn95%uc4qW
zM%exkPGY{1bk7#iH5#9=H$5lNkDF5GOS%Rcs@5?6xo!1B)#Lx%cAy0wi?Z=(=t`=+
z^uKPaGi`k${m*Spivxn3kL0J*fx@MRE8=_jIEcH}*oDgJZtb)mo9AD;8k0ZblsN4F
z+L(q#lA|neN}{xF1hU;|ObLEqO+nO=l16}EkkHj<GY8PPawc55#Fgt|cxHdA4{o80
z@dvtUoH&NWZeOGn0ud*;sFfA!CR>_eE%w?Tf2bgqiiu?sXgb^CNvxnB0DTao_zp>f
z%5rhxT?^_IsOmrM*z@E92p1=%Dq9=YFSwf8*4rDoab;@CV4T;2*=Nze-+RkG6Jhju
zB&r_A<WGt-eBFop>6%ELYl60(XD<?RY{ozvIJjl<udjxsc?@EEQ(<U*?NxnUUHA7R
z52qi0*%IpM6Xi5Nd9Pxj0Vl|`b1)K+X`WFcQ8Ibm10u+~wL9M;K8mwL3*ZH$>I9*Y
z8vM8iC0IS`SqGCkS+3xYENz-+H|#jvJ)F_K$iZ5>yGzsD^xvp0_u7^kYHX^d8q^)Q
z&L%I<*Rt|`NeU#Qgy8lXye+h!dWC;I8*zv=A=JHv)M-cHq(F7x04ZS$Rnl`C{1VRb
z<R1``p5xCdT1mh5$kbRxDZe^vASIE{@|c(JN%;k^RR#J+K%<?ghB63EtUdFt(f4H$
zELdaIr4uhYuipF9^}<&%oZ<*E+%jH6FapiAG%|X{X(nO9_VT4ECqqFN@z7C0RVN7E
zH!X4-uT+aMpp5kOfSis-g4cBJmm^y#LI!ZuS6eU<@2*A-)p>pP0A(uC!u3)ejEG^@
z#(HR3TD38g%z!k_WbQWHfG>@rSQrjTtY^}PY*B?43|Luj!8Rg@|I+Nz)zy?@(dwz|
ze`xko&Jg`R2-P+8@Bj`mR_9Y-&pQ;SxkPS@4BCk%5io5c!=DM=#tCJwH)iMljTDuL
zm3l2HM`Fmk@5lEAjYj+c^^azShMH->%^B^Qp!JDdkzbt)NiOn-qvfzZU}>t>_@2+i
z$(Af9kt0Dn+l+om(wKEFy11`xs#M0F*+t+zG_eybg>#)P7&kX82F307Ji7l<Vy*YD
z`KCWc1<*dWDBTUPS?ezoZ53<pbeU~kr>kQty4jZ!ZylI7is}2a1T`Mr?Cz$st6V9h
z+^Tcp|GXteush%{nWaEmD`UC)**iL;r3$IZfrprA()JF+a7R;>?;N+AKoP4C8=ZCL
z&$8GN0wSB}IZ&sW9)B%Our2c(E_ZQ1(K&f`2jHVvgrG9#v^eY3a7ic1W7B^<lo``%
z`?n6kE_+TCaKFfb81JWF5OMQYo16MnE?x>LJ+%}H3yAne6&<3Sc$p|(icvrFzPM3I
z+p}i$)xY05Yuq|7{j*tIy739$^VPD1GC;dbT9+Ex8Q0Nj>c2D_4oC7n3-ga=O94+t
zcKu$Ae(fcj8pa3{rem201klB_VU?A%$qh&c;cIP8)yJq(0@y55=FGaTo*BMyE+XUg
z*Y4hpf`2x9@y}*G|JkgvxVsHG;is+IZWe|V7FD4o)ETa0C_F6z`S1izK^#<~Fr1*?
zNmUmMQ=p>JKbnpF56z-&*6smx#fju+4@$3jQ;NM?tGlPOhq#`?JS`x{78b+c$@<hY
zgnY_R!A|dpPDbo}efwlK0|FBDMFBLw57CS|qc2#c&>VTo#Y~X|k;_YAq|{yzOp8;q
zj4?o;#j+TZBXKNdMUyE4*N2FG48F>L+#@0!eKfO0R7Fl*Jchq-jaLEw#ZO;?3|u#w
z>65mrnTX*EZQQQy^t;tP`|a);x6#l0)*x}O)Lw!dDh$^k*s^hUDgw;~YZY6l3X~Ro
z;%k83f-XPL<(HFhT^^)iAhivh0;3sI@We{U%M^l~Pa&BeC=WS|St*z}cd};zI#VG5
zJoLBog1riKE-qQjwgw>bnxup<Oo3!k99IH_Tn2*8D29bB4yg?`ldQ19#mULNK64%W
zbWlRmWmZiRw8rn@pASKMIfKEt*H4_a%y?0%3W^G)h8hLds1d3PSmr!`cQL~_TO$yS
zL@J2>L{^<n7qnsacPTb_|IEuRA@c7oMP9zoJk!~#_>@$SNdy%3h%YTvTt%C<V006!
zEg&n?yP<2*(gf&W;RFDgI=?Xrw4Y#cWy)mYqcAQUWOq+sH{{YDOamm2aV;m>dGU|H
zR}x<KnaK=)N6&~`Lw+)(K8MHOuaej0hJ`O+xz=SfdK-}nMpoUi%QJ>#0K(^0avD!U
z*e&o|hF@jEBk&)Z{nk03E?5b0u7soMn+RH^9s0zzp6q6t|J3Po+M3eQxLhDXrp<sB
zm;6VwzpAdiC>BZ%*_sslg@%Vv2@LM1zkEHa&N5|ABe#yIE+V{!cW1htPF(v&n_oIy
zqK|IrH(+9A2)$bt;x{Jv6rFsqp+EM=i;}_r$*daiUz&ASd2k=MGIqpw{twMY{Fi3?
z_Zx&?hqeC?&5HkrW;di^1ELHZ;OH>^(QLvedDzE4nq9P<6eTJ|D&*q2a55v<L;Odx
z=41n=TO&sWnENIt)^Cl8S`GR^rC{~3L5(}HNhRBqjf2K#Qe5`BK{z~sEvp9DDRel#
zRX0cs?_Fn~C%NPaHkwPZKEdHzN?T?~?0F`P;NtA0@*KB3L39so6`bEWoMUt!=Sr25
zVRRYD3IrTy_S(*Gpl!Q*gg1J2LCsF9mpV=E_aFhS^taZE3^3>^_4P^jrM%WbBFBV;
z?8!-?P5D1Ek!59bvBFwFn7BUPrLeVMCiY(X&l7l9;|39eIz*|ENjM&6kb5gSACf{@
zqqG=HE67CoNd{Fc)P%yPBfj;gpIrykY}uIezq(jQ=H;Pw6-hds`1>!b*Rl2{bJj;Q
z+D*In`DQR$BoPA<8W!sJQ+>EX<)OngAol1i(N;u7e(OpE3W`1gc3aZ*X;Qv%QCL6A
zvcqkcC*fXUOQ|UhjUF=CuV@d3Hj6U@m?}UHeTep>T4C``Gfk3wlJOY5yTiP{1^OdT
z{shxnubhCLfpYJF%RMyhm?N-n3DT^OT0T(Cyhwap3EhLXR5I9>O`+CgR??_8ICUvF
zHnxtTdFaSk5aB}v92(ukC?S}Yw5zE9GApkZ7oJ$tl%Trywgyphb`pKVR_eD=v7X)i
z7H7*P>5BxB#HL1qD`@;z+>`-(6<wy@QF9$M+LBvRU}Qs#Y2Zb&9c67l<Hks|$|^vM
zvVeQJj{Dy%I%^jnp#QVY)|lthyyyRO-vllQaz9{JWAzCZC@l0Pj7jo3@i-1w?{|%&
z1Y<%2i$hHqd63EX6|P<J3M!B}cN71mWsGo?8fIus5;jxG0;Pf#8|Y~-Ulkiwf>F;>
z)B{_sSUGFGjL-jIe)oI!l9R7f@kzA_bR9dXwa1ugU;!hVCnDc+SQqLo2=3zKPq&BH
z{j?~NZ<HMdpx82PEXt;9H@j2CgEuRdQftGDT%w#p#S$~2^M?e*jfF5+Ih<z4Qpx{o
z$L{OnrUcew;3xhFZ$MnXO5N*^po0-|7ZPpG6BY|rv--s*%wQ<6Fj($n@kEx%YEYf$
z{w$V$7U&!q!0XJYJuGCP#^4J^4cmyE@v*N?wv_@LAOR=5Qc1T}5GM^B&lVZdKqc~k
zaM{r2_j%)j*ChS>n2*9flry7JF?7UKy7Hhef<ibhTWxWP^Ygkgo);`+5~aC7WKfO+
z46#&%0UE=_V?+j0Wcx0Svqp_;KVe!_A)1zAMaAE`rK7zwiDAHJ_2mIZ)9lVmu2@2p
zdC>w6DF3wr%az1FQiMr~j(vFcRZ~g!ldrKg)(#P-$%7miv-HMN6m%spni5zN@&4Am
z5i@8cZ)H;GF?P$GP68d9uVhx9p`DG~;^F@Kc(MnfN2vb^`#AO3;69~OKD`$?1s=Fd
zfTG}#o>3%5m<_F?QM5O1hCEJ5b91kT>Y(=txb$VQjQL8cAfb_|5hQwZWXN1fkVCVS
z9NiOzSc!I-(`TBumWJt<aMvlY%WtVnaVAo?%dT6ngiZ?dze;!DbQWV{B(>^M^rn_a
z=W|kE%qIU?AM067NFe>=5I7xMhPQVgH{S5kaJv<{jt{mf@K^K$|D+X>3D12wH!j-=
z7{7eAJALcNAKe&TzG2L)+eP%i>2&k3r+v7^{*<7LCWm$@0ricWyuu?uE8cKNj!Oko
zqG*s3{VCyrc9P<7r=hAP-D6MiP22Vx!ath@YXUtKSQZu%Y6ruHc3?(=0)oaHx{(z{
zzdjE0yo3-)f~!_OjU3(F>$?e@9i4~(kW|G9od4Nu*nezRy?^RIHap?_ADbO4Ik5cI
zqNK#t)-Oh8O&-8wv4P>cz!NlXq7WxV5Gm`QuiL87=Q&+Aw`GLkm>SQw$?%spP5wP`
z(Igai_%}~h*Dn=?MeSbLNQ4y}S^ebExbyy%HTx1ZIjFjo>@vg$bf8K=cyY|>cl^zD
z-T{3`G#cwY{1c`*m|FMTl$0LS*1gFosl{Z*bqr4t8jp4MuiY6#_e}og_5LNCaeJRE
zdj=A2nlZ*C>;-hrHwrgDQ;g7}&js&x!0X>QzUY4QOyze~wIZb}FNYAZ4J>fjhLR$h
zk`UA(x#4j+Gr3wQ08nI(6ho^k%fFXF>0S;gHmsg-W$DIpD#DlKcWsw0x}f=4C>D%o
zlP0{nM`rg}7<@@MIcQ)%-6y$n49q=P3Qqkd=xFJ+-gTAezU%(R#UK=!#jdNplk^Lk
zUL(hQ>J?U80jAUxg>};Fi=0Qe1q2)VdW#t0cV$;;<6ng(X8_7rVFd;4M-{FcNglWY
zp&u9BaXn29XtSk#u|YX7_MK1v&^GkKR>0R(^IRIUJIVNm3QfX_<c+^BClu|(O;g$w
zX1Hq%8QNhBiKBttiRk);mrF5r|Ab<7LJWE5eI@jdt-HvczK55D@00;apkS0}zl-P0
zf^ZAD@_a(+V}K;`6Rg#vI#*FcRUT|GR33yWMocxfK})PW(eXY@EZy9TH?Ril21HYA
z*6x!U7+P7*IK!$UEVDOltJayjrX(W>QTe0?^#9>3v-95Pp?^nxcg_Xp=<w3|=*?m8
zX4!cB?ZscyH{05qOV_Vrx4GBzqd#tQ&(GEI)8#-9aq}k`v9Ml35x%=e({^4C#V7yP
z+xg@CBB2w~_I^WFe8unNPF#1PcPIQkfBsI{{WvIg+h)bpvdW`_{v~RYc~yrM>wR`#
zR}Tq%VeeL_MD3&}QUlAGx{H7xEE~ROYGJh4+Abt(s&?igY|?)xxvpmkS#kb|wIt0$
z5iJ1twvCe=oCr_n)=w{4o=e^NE1uy>pG$k(gV^AQ_Q$eYC93Cnxx*fz$ZOY%P!8M8
zk5MVl=%)u5CwF5tl}YrE==-TOcbA4mKPFCpY7-W@JOu^ss{g+>OBQ?kKbkdWOXuw^
z>|C^IbonpMM*O2$(Xj;pf<W2VnhIMCR~t?>$SNqy*}#*gG%+qhQNXNm=ggd5UA$|t
z-Sc=%+t$g>4S$v8xIK%1K);HgtS8}xFOx(4ul_gbQpLQzS|K)Hi2Z)2<Ll4UUiYV$
zny3$W)z-?DH9+6My*?D+r2a{-^|CjvliRa`{kCYc>HmUJTI&L=THZIg`%DtszRI1v
z>oerPqT&gmqHsU6egCqadFtrRUOVo}(EBae=X(q%=i@vvwCA%nfCl$YGoMkiaz?Lq
zzB<PpZ{ISrW8izzAt)r=;rkz(MgC{AfltX7(hO;}_X{RVwbjf`!s|Iw&GqwEoI%~@
zibAHL>h`I0OaOzGjos~^Jk0a2algqwGqn--0~UyR`BBpJ<xvsSQ;ao*OG5-*3c{@m
z!qFIdWwR@5cJA)@?dLQtoP>37bj+tRg8Y+D+1Hz|USgcVMON?=GbkeKj-OAV28->E
zo}i^@vHksk5VyUXMTkUlF^4*pa%6(-)C|hn08Z1?4q)j5?S{{<+rIhgUbbG{%)eR9
zx8Zj2`dHV#zU9``j`%0}JO*WANEC>kuAp@HY}Q?W5wlVni);OtK41z>)u7O`p$=s{
zW8fgdCRm38RFL>$rh+wAVW@k*$!IIHx1^p;X%fT2QYG+Fw4wI}81pp0Q*FnS8oz?&
zVNOG80&CTJ7PsmiLB7`N!3_<aKe)rI`D|DEy?x-_&f48gwXSVFn%zBi$`^?a@BOuX
z`GbqHv5;M5QfcWk4cI$UGtI#-t1&)e2PGeLpdK0az{f}6(|!_Hh1{pO@nhwE&v&eR
zL%nEKOQ=3bF%*dmYWGDHxoOtGy0iR6?}abg4=C3>Q%>QsEh#_lVpN8xmxF&V4`pCa
zhiQ2o8<zWPI-mhMOoSo>7AF;PPL7sZ$04a<MWw?te~)mbP!%HmvkGd&lat5q?++Nr
zu>`;^Fl3)q`qgokF>{#KRQedoKE_Fm6bbDm>b0D776VPVE{a`&kP94a^|dN8@SABB
zDzMK!LU;gjkt(kegSHvAX`8ZCrSuCle9|&(N~tjTzVW5<uWG=KC@pH)xuatcs^$R3
zbCx@K$N|cH)CFx9TF2P)RR~KEe*VAP^Ml_8Z2S&MoNjDgZ~U#=e#GF21k>^9_QRie
zOVCF3T#s_9#)AChR(Gx%zZ|ems{lB8U;&J+P^E;E^N(cmYcQ|foZDe7wMHHK2^F(|
zXxCM1Hd$Q8d$wOUdVMYC@gv$x%=@qXF*c~e7#-ZpIFA1Qhh)M3Y&L>^?i;iT2wA<>
zl4n68UGGn_v$}sa`$0bsZHYE>vs!dv6@Bs_nzj5d&9Zf3{+DK7gm7bl^!ko?)DgBy
zTb^-~PKct8VZC&f2bTnX?TQ<NYDW8y--D@~Q#OAF$9aT@zJ3JF2Xrg^Wk!Dwp=yaD
z@FyP6@}8QZ--$ihUtfK2Vcg<N5ato!<DUd3PY$U)A)l%sG|4m6Y$?szp4n_zRMG;G
zc<-sM<7!`5b+M`!wM(9Xwv@89uDEgFeTYfsg03s=+t&Th9^!VZw<CW4FZS0zo?IUL
z{2c23RlG+zd2NE9u0hWb$LYEiccX8>MckGkAM@bf(F4T0@K3tK0rd$MU3PM+GHp8d
zhwvYBY7%<n6_?F3oaLvrpCEA|N+z=}m%Ghh#Q#@jQ82MQcjW)k?9~6CW)V2)z~rqP
zcsTh$!S-E~_4p~1b0v}gv-FFr4&r}H9RJ1J1C4DPa&8p=Cqvc?!at$jeyx8Tao+1f
zI6~z278GqPc?Tr;4Jv2le3F)gxSs*$we9nju6v@_@8~jQR!48<T`$Js8pmPi5H0lx
z4HNd57LmQS587-K5+I@vhW}nbgMj=i%^;R6`zB_-`_d{h8mdIG1ePS+`=NvZMYm;a
zM5#~4m*?SqFfPqxhY-@#e@yJNyrxC}WHg+gaM5h}vbOvv{;TpG0o{?ROw@_gt*=Ex
zK2dD|q-DXYLv&bE;cS4dh?129j%ueLJp)Uc6aI@vqKNLigar4EoyzLl9D8f_WNAav
zaE-(u4^}RNT+^@+yEmf=8)B9zFuN%QC|s`$-k)8)8jtyB8BVQyxO%fA)3t9T8UI{z
z7Vfx8{dW_mMKQ%OlT*{!4K1pr{tg+DQtVA_;Dp6iNh}v%d@R&pWz1wb?1H79rGn>Q
z!|Bhxf(YdxV)ZX()8PC3F{U3>J~PX}$+76yOWZTh;*B!q2(n}ikN*P+7#q`KAifT+
zU?*b|ty$k&{E+Md?IQauUN(KB_&qu}y#13o|LzWXKRh-JaW?q@rPwvM%0C2Av}(}<
z2}1<|Mpw*bV{&zxc<4<aiwH)lrM~Ewjg&*)ddEdaMp*W;AwAXqGm-AX*PkoCU4A|J
z)_M2Xz3oL8j9yKY2;<+&k_udPwzbkLH8~}UYu{V3mUazbAF^`ZuT?J+HeRy&b2=-u
z%vrzh@Whaf6+LEswiD_+M13S@mcBT#f2G5O-z`-a?3rJ`vCz7At|rb-l;22ML|oGA
z_Jvi}`F?4-7FTQ4lGdLKnxJ_%)T%9i{_K{NjF^k>d?z0{Wi(r#yVIWcRh*?_c)hH)
zReQ}<x82L<*H>lvn4XQ?t-UO&!L8T-Q?6fGa^uU29%*a6*q)r3eG89Expr4hN&UR`
z(f6IPwlBEv*8-8b)y9LTf0*rv*`F?5m2zU~bf4lto?X+W7n{B5dBi+>8Q=DqCwlW2
zFED!D_>IT!v-PH<edcG_raNxEUJ_}u`E>p2*DqsBgr`iEzbsVzG9t47?V0I8`41|u
z$4aVAzcTZos*%V8;}R8Dt(Xfj>24XybKalcT;5#P^u3TlZs{|B(;(n}vTw854lGdq
z)-f&V+b5v~4;c3Lx7UAPchq0Vx%2xcm)mL6WAC$@X6ZlKy5Uiv$HQ&vVI^MYIP$Dd
z*LGgIR<FHcPpa>>sw;77=aOc5cFkOP-ZJufRqMR_n<DvNTnbf<I+Gum==4!%dWwF@
ztgNU1=L9!jpZKzN?o#KOzTWO<nx|U7S->F6wEp=6`|O~NW^3gBUrdrK(OUFBdi_ZW
z!OL|QnF{8<zi9dD$&M}Yg4=&Q3)^qA_TB3yd(BGrw-v_o;sk8HKIX4ow^=fEr}nd3
zy&KxE*#GChV(-iLPd)X+R-Kw)+nUEqUhS}!Jv=pDWB)y!Me%W_E2Z}DuK&sUdOicJ
z6pCa0cE*f_f#D=C+WgQTTSH)pGg;qm1E|1xXlDc}e?;v~!9|jfgAPct${`md`O*Pg
zUWq#TF!Mbw;g5vu765G)n4Iq-4=$(zycwB97+`04@JAv~OR+Nm_Zh%JhcE*}Nm_A9
zVo7Rf2rC04=*$mv-2$SBl9LBTx4tG^w{AgEY8lW75o~5mR&<qN+G{u2-c?En(}u~}
zKv`9X$%byCppw@BQw4t{a=^)=xPjLdq|rXTD6t@;Fh{Q>4W~cW&eB{o1?Y28Mg|5c
z6f>rK0?kmwYVnI*S#gp;4f0G34ALl?YP`TMp6<qLh|R^iWo^}gK-(sOY(&xc+?!!?
wtb;UG>w3TcU#$nM2ohNt7=%%DwfIa{aF>#TSjEZ)ia{<Qd<k^dAAb-J04X0~s{jB1

delta 14842
zcmZwObzB=!)-Yg-yIUc+ySuv-m*Vd3UPy5(5?qVByE_yOg`&mX-JP%9eP#Fkb|(Ma
z-@RvMlAM`4d2;5t=)-L62V|8`P|(;A@PAeq2M{t5&{x09@<i9pUT@Tc`W1E6QN0NP
zv4GaRIIfV3D#15H3dx!3cZF_>xvHU4r?x`47wRbJtjkS^BNfx3bWz5$16&;1__$7Q
zSi|(Go=GQV*Pkn7RR*$A6x1$;gDtI^E27(Yfb@z%DHWaW=OZVdL~652B34NPd7ggn
zHTk#)oJi-Ze_wnj_U@kBtdvE#NG$+dX~-Jdf_nKT*&Lfx=5>4XMNxiae-<RmuX&kA
zyC>nBZER(6bz9e3A6PLI32w{o$0E0=@02y6p-y8!`WpI;O8wG2|JgjBV{QJohni-@
zE}vU=(os2%KrHQV>0=mM%n!WMx!%bMaC*sLV4NOgj0A!zyWg<6Php36SY&A0__ty>
zzZr_I1$+Cx6a&UmwH@b?>CxX7sF?P0=`p1-@XV1@`S>NM<fN2VMd1sSlhF&+D5glb
zw*2YprXh;gx1o*OX|uiMaZ3c58JzwMfXA8Iuwxfm_vD1(JQc9(7-8x)FZR--IB~c*
zFf;XP<$Xa-S{O(bWuGR>O2;RiFIr`NG&Vcy6h6GfD6NmBOWnD|<SkA*V9uQ0`-?W$
zIEKk5HoKonT`u-@IB!*Ng9KpjyKlU68mufXQp0q?!+<L*&)tka>Sz~=X{A^Sb4{I+
zFjL8}xw^o0q80vAKamQq8+6&jk$gS`WaLt`-3JZ9uY6Pjenh#C$pv-0?LV^@kYKQi
zG4yRJ1myvPs=_GZ&h`~khNv-(Su>3d#b>Em`GiVvOHMY9F48NKX2rW?nZjKnZ$e76
z6fHTeYiP8WkGcm+nUaZQZ9i-o*OFiSny}-cS8p4w%Z3xO+?!xRO(TU8Sj?>lVz>8+
zE%)89!;yW2ldOea)$}PM$DG)OCFOE`43MJz$X*9c)-`qyb3yJ*N&5l1x$jeKznQP0
zEb5|o+Hyn7>-yUuG4s<p^<)rV#|{vOPJtBW{Uk`*v|w0-Yv#K;mQ^+O?tLMrm0=Ij
zVyNMfJxp(S3k`3w3XH=}%tbOSkg}o8UQ1697WPM-BqYDtYTMbFww|A!mEQaT`%;WI
zrw5g-b1!ConWR_elNWip16+RDB!Ag4x<OmjXF(5g`frfh_&9+`V<*=184*e`ukuju
z72Y9Ml1xwUbtHh*uAly|)-yNLBj+UknEY=Lgs^T79~W^kNvWEyIcio>fRecQF!t&u
zkHQ`u@L7Ab=+L;udszc?+ZrkThL^S~C)jByBc4@^7rFD@aB14J(!|~)IK80069D*U
z=NlWhB6lFSmT|L=Z=>{SzFG>5_=X@ULQ27jyDvf}HWK!Mb`n==R)uq9-xYT<qjY2g
zQ+8<{;K#)Llf1Ry+n2aR;F+>6S}nsz#Ca_u=cknKRi+3<yMCkI^+LGku~e7^my;Tu
z6m!!)mnoZwql}Vip=ClHzrLF8J;BWg6}+<Ctx~8I!anr2>U#<KuiCY<s&d`nR0Tcx
zayT(B_%mcrR{P?>EJ}jD*W3#TNtD1n%Y>^qt(V<A22OYIO)@H10pYRw#Ug$`N6E-X
zVIS>Y3wzPtzfUn-#b3TO<QIoo^n+sq$*lH!sWW!wXSn2T%Z7Vk^d8t7E<>!@(wd4~
zg(1kwLaET#chJXejxlUA18OxJ^r)Nbp`X!}*1789ZIv%HI*Yhds{qyEuU&cSCEThH
zL~uxKeY|3*9A&B*K%e7gDF@p&T=u@n@qUm6YO4O&hje?$)<77+c6AJ&V|2|xS{)tB
zC>b$|1(z4;WAGRWzSgrGt2IVul8Vl+z`@O9;spgDEn{G9e}4*LQ&Z*G5%??+lS|{&
zx51c?FYxv|8!Gn_^jPEGjTRIl(18K*-RyK<Gvn@{UR=f$=&O^;aIOIxk;YW4l_V>p
z%oXb`f<FIqJ5d@5p4NP?$`9Igk*mmQN5RQuTu36g<Vj{SAL+G#CHH&YTDP8|3(VKK
zcI6}{vc#qBhJdQ5<eGVZ*d|=;>g4azsEgG$vDwzx-ag+0A)$4@jMj;)_xRntFZ(M3
z8(6Ng{f)Y+fKSyIB2>{$8s5VY%tEb#a7HuJMzI`v<oVL7&gzyxam>|igWu-g$0qNX
zJBoCxhF~A3ajP^^ms?);J~OdYFoh;8<0Y2(%KW)v796@6b;sNHexrx1c<iKGQkm!a
zAr=rqBU#zcjcP?nEl(L13PFck@wpkrV&#J8csUAx3%D97*~tO2j((=M#}{zY$m>CZ
z&UjfJ=vdexA+~)w4+gypK2YAcRV=cK!mlGS7?S8tKhvQPCbbk~jZzPGEFeo8$Lfxu
zl<B_@!Ft&4*`#6HKOPwRGnuf$4NiFMeN`MKXs**qm|YwJR2W*IBUTyfK0AF}<ZM{P
zmtp1^0#2BU$;%Y#>dA!rhCBK|m2ad4>pQs(*P0ErMG$67v&me^Rm?b~R%a3=PSER*
z#YqHO4D*`Yway7SE-NjJ_9pY8k0lScWldHOccv*jw4hGf4N!-a`<QaTOHeAvOFcbo
zW*DsoCrN;ORxYh!sD%zxaB6ErWYLh34MZvYfhE#U>@2y{c^v-1wEh7%Fg+Vzik+ZQ
zN;uMyBq+Mtjf;v&IoK;LysnI)?!A?n-lsL?g=H7bKFc&$I0zyLP74{1xG|i2YD2TA
z*Q;(KQIB(Iarb)6Ox{Ee<dw$He+rkQr(A?3-N<rb^OGT=wv9}dhz+K-$G^f8#;q=x
z1aga_Q`t&@s5I)#+1v)uSkLBK#H$sH($>;Dn0(lL!TPbU?mH#qB05%d)8Kp}-~0vY
zi@~|zj{89;66>c1D3A<Xx90+q@oilg!4fxdHIJY8LiKOg3Tst#G>_IJM^r5#-j*00
zhGc@lD!N~*Yw4ewB`S#|1m~6Ne{0Ww1;*l^omhV|6^C~`f2xI)h1%_MnHhEyVCd8=
zt5N=}OctwGA>`<5X@=d44{Vgqg{O8)+Oi$a>XIMzT_&CnXlb{!fF~5%F^gNpW?GDr
z3KC;$8M-kDWO55W2`*<zV^lt+PpLWMM7`nxJ#ZK6@f`O$zI&k6^)B4;yso{C0QH{N
zr(x4d@kxh1m#>X=ZZvVvV5*}wh7=7-_o;E`Z%14}elT$^FQBPPUG*wYx3wu~WM20I
z_tjs-%pV(~9rw6VWq`DUGGsV!uad2GbBgoJ4yd*GQR>5k-};MrhrD}?FoiHq$9H?<
zr!_dMUbuY8`61UZXfmSSY~7ENfmqXc!4kgg-(`PbUTWtv@O#W;!seTE3GrqLd+psE
zrou{xbDZu^S}J8L-<_!4_RNajV(YzqAfLJyIVW4bo6IY2L6ce&yrI0&sk)r6N*>Vh
zw^U@<WXA1pf+!OQ3a=yWw@4bvg5-~JDJDXYG;o<kn_(}AE&T|c|IBT^z^Kbc17D0x
z=0f%abpa94VX+b&ZrZx<GHQ!k(;AJjdIjn<`GzF^srvR&**9C5bK_@nl>A(Cz3yRr
zO(;jk>MSS`Yjbi?(Um#U?zVOudKXyaD6xg74rS)gL;UM{U^Wk4nq0u_O!AUVwOajX
zlcVZ#p{G>d3<GYn3o$(n@H5z+!|!6-5BEE=smNA%2=H;m%Ij?X9<YHsM+Bc_QLU6R
zc{ZEv*v{Rx6XZD#%Ijq^A~@hpBtAJlx>-F%(reAEzwG_p-4LF;v5w05IvzM8LR8AD
zx6hmfR<0OUNO9V5J9avm+9d$#W?NW(#Ve!ceYf12$uJwX7W{4t6iAmpSp+OJYv0FK
z)|a5F-wyCdZ!$3!gA|QM3W;dc>tjr`u%&h4`1K6`+<PI{b}r5<wPdU^gKx_yn_5^8
zK&kvnD9Aa)Lg$3;1uHJbQ%(0=>#Hq(1%_xm{yc!k;|r}j0yn0)VST?73st}1P@?dq
z$HV)%RPWQztHiayV=y?JrE6y76I6M_WB@#N?GV~P2i#q@^UU(*NaiLFc5P3yi({Q_
zab6e2+Q;)V*(V<O$j5Stlfc57GAVm<Gm@xS2S&P!0r2>HfzaZdc&iOFz-L`Az!j;a
zB6kWSt|eQ+J?mSJeMJ8ZDNM}x=gISdnJxkED}a{Z`Ew3%T}WKyVFe_i`0l}ZbuN<=
z5@0E$o7k}!KU(E3c%7V#LRG)h3wPLX7%dT8n(%Osi6tQcl@1p`uFqwfWr%uaQLM!S
z2>EiU2L8Cz(d%OdBY>*L)#XMJE~qd$$zVK7p6=hVw&3OYRs+n~aMD;Nj;fQ8Vjv<U
zIi|;6N)!a@;WO}7f+0`b+i*)_oZCR%@nWxs4R*$OwGI$sxUz<dHi||?I|Ef6oiYxi
z>CP_|rZwQ0?!KFADE}@!3IV73FA!_NPlTSEAAgm=6U`g{Vl{v)g%=!$_C{dV6Yfkb
zFh1g-XP--ddhG^*@<57o`Aj$6Uq)dJ#i0Q@qSU~qQsmWb(lnh}BsYh{Pp{8m=b=3{
z=#Ik2@-bf5$+B*4ZVh-MSwC>UfR<tz)WJf5g+>UmK)Sg~;aHhsats3tGn5`0u5*nB
zybF?rgp8>IwcOp<Os+Dv5y}W(z7i=$6F0F~*OBz1Ye;VqIj;MA-&X-@<_~yfd#TTU
zaXr9%n$px#%VHX-;4wm)1#jCJnt5kkqtZ;xa-CO^>Ow*qoCtOph_ao5Ipv-pS``^!
zNd`x9j=W>q1iqG{?<|^TTRv+-O4;5`r~*q0t9-I&MrPM|2AE16RD$=a@5YByv(77&
zKpe2S((7BCuySHOzDK<*px6PQfbR+NhzEZ1Jag5uDjO<^!uLG5E2CYv+LM0z1y%5B
z^*qm_6hU+c{*alVTe~gBUAK4h1%#MUM4eo8Tml#NT^Ws0$yFb5Et9j0AoAs>RluNj
z&kLvay9;fjR&@XXQD}R|f!AjpPeh33n0T@*@O958zRBU)FGux(194q+GfpCJRUNp&
zt&F2bAh{{bS1@Ly<<ju(cXEy@a~IiM+`|iayxXM7yYqS9a|g)p-q)I>1Pja@&9&09
z%u<?+kt|r6%ie-w`s~TaP_DRko51YZy|gTIxU{0<>y?Sl_DJ+Ls(9smQCBogIMk(#
zxd<b$G&5Ho=Lyf-8;lrOn4co%FoClP@0g>#w8u+>Ay=*!t(8}#C0{z;x^y0~SQDbG
z*!nOj-f1<fx`|ht^?T|W*Ds9FQi8oib~BTW@;f0CF<Y0GY3XYA@PDd__g1S9CZx)^
z)-sZkeWFg<*Cfqt?ip3{5rczy8z!GS$9Q$wD`o0+=1W>94F5$RXli%cN(FQyC|vUD
zM8f?psqer*I_AcGEzq^;oKirYRKv5fw5J)J(6ZPz_F47&{TW454AW<J#i!BTC|YCG
zK`*F6U)<fMs9Imuyia3j&9vydaW`0-x^3Myb16E8GogXDwGv%OO;`Q~8%%}Gec|0N
z2}t7eow(|)jEC&gdmd!^6`erJS>|FU#MT~Zy7G~q6)aBiSI<wvHDA_o#@uS@D7k-B
zXr?9$%4BEEw<MQJuijJRli;Cp-&AOcKxqkkF7{mS=g2i?+1qH@yR~uDS1fQUhLgjQ
zKhw5l#h#pOwZ0+9s8hO9x{f3o#L5KtNZ=tprP#{Onzm*IGX;wQg|2`_Rl2-spNMW@
zV!lVeNK%U12Zm&hPmhlG)D3)GF!F#iD<SXbc0^vHrVs%0a1+G>zMTxObZ4!w@yn3^
z*;P_WC*fP7(2l~}o14s^DSg|D{QaT;S4bo|OU|dJ?z%y6c+K?4$|u%J>}m!fVY~wk
zl(QT5_vNz3G5Jyl+?^m9U%7CcA-Uensq(J?$u<qEU!Fy;BZj}z1KxTdARyk~RX)MN
zcQ|{HzoA1wNDD$h{Hvj$>HHb;KMNcL0))Gzo4bj-g{B4!#D{<Aih+&WGWRtwN4f9l
zeb486q`h1U3-~7VsKU`<9N3h^AI^av5kjd=+6$3uKD2%QM)Eb>`z!V?Z{%q+hoYpZ
z3lnZfj{#%aGf#?UCK)qpK~wBpK*e{eEkG>3S6_YM{L13G^@4kwC_qB(SX+<jRe@E?
z`5Wh)VaKX_*nn@thnC~1wYuYHzf(`5ykZm+x5kEL089+4k#9G46EN1}J=e&YGVP~B
zp`pL8nNEsF&3j{I#yBA7;4avR&`kjlnCnQFKedaR6xrgsdD!C2{1pX33}6hW8o6sK
zCz)3fX`kaJxm(}6Z68K7sA+QZJfj#>z=oT^!fnd!VBE|XXd2}3qf3z&kEiM9xFstN
z=C7U31h*N={_muC)WFtN?@Y!pHCMr#B1du^)#TsY*JaR)ssr|o8Gg^;>>u-!X91@U
zVF||`Az7Xq`tBjv*-8oBP@xwFJF|Qg*4NPE>#rsYDQVMB9=&J$RvvI*?(N8hOz>wr
zhUMv_ya(}`5b|Tg+jiiqkL%T&z4PP!{PgX{O}+or=v{p28!+B9MpVN%(h9yX?dH%;
z;RgK;aV?}NN28wAJ#ZMl8L!u*`MfxUHienHSi2sN+MtiX;gl!iIp)Wkp(B}-R4(Am
zsnlY1_6@bYwalY3Q@3K;el9b{*X_Rej+^%U6D?>fF8`r$O=sT!B9&g4ASRwEc*#I~
zQLqv}3AP?T2^h9gDbvyB7PRw0<_Q7QW#Yj`JHd8~UV}}H;=Q8`Mhfky<|oe$nSc<U
zx?umvhjAb3y|ipoTi={BtZO+1E4~;HD-fWI_+?;!<?C-`mslcfl(eT1Y>>I+=d@7?
zdM5a=En`Wl)lld;ek=?q^?tyMSB}qoyK<cxeuRgM2k>s*bxx!Q>}ADqWc<-SPnjCB
za6!+Gt7(M`3c&)CGR(nN3git?C-jR?QY&ICj<ojR@F~b7dobc!ix5>ek0eq1nI46(
z0$P--ky!}t&Fz*=USC>YU$*0HX=%xc9@FwJs`%(T1mFI{)iowenhE$(uB#mXzDPb6
z6wI460%X$zp&azreCuyptW77>fuoWg|A9tM74MXF$!zd~5*f$uKgvdwvq?7=ufx!B
zDw+y65Zs+biztA9Sr6LvhD5FCj_rPkkC3_93!nIEXuvv0fnC3L#OrsOty&Rt<Pbq{
z+Z=QwLFllsIeGUPi9Z%<xucA2XyU1j+oLG05IDFk%!F0Z>Y?uEorxRxoZ!)8G^gJ>
z+m;;QovAm6=<wKwOxzTUhV~v5>B_1~uQg|HjwpivG=e6tl_+biV3NWCH8Ry?8C7k~
zok33J{`gUQPe)s98!$j7N6>+Z!PE3=Z0iF9m7uppSlspY_7E^}8S@QTN~!b{;PBaK
z9r%@x;+ywjfAY0!7grRiLFEfc4>H5=D;7>A(QUTywH>4nAu&emf{u<Y88NF>^OKX;
zA;UPA&Lo!~WBbXbt_OpbLP;O^Hu<sQ^^}U8ncwrXnp7q!jKMu&W9&%l+b8O@Gw-@3
zPR&ZhJM8hlvJ`#O;Y3hzL>~$;x@XiCMuEDPZ9!CF*NnE+OzEb~`?4{}ALderRTopi
zD@FDq=bBod?xIov2$^Oqy0z84Q|%$##3sv6%D_#P#s?=)1Pl+suqK~UvW_N@Cy={*
zM6p~tg?h_6?C7IxC=wljVwe#>FBTSqIFy(fx<W)so-(PMzD6#hOhIAbNt!H3320nJ
z_8}4;!V;U(QVT||kU?hR^t+eH9dobP`OcR66x8{XjMhf|g1~X+gmB>5RG=^5+jdO^
zROU1WG2TapJ+dewDM=8M7W%P-WgJ^V?zk$>lJ9|!sD~75KBC$;(7b<`4)o3^iw4{A
zL5~zDP6tj_hZoNc4`n^+1LN8^C*T-uJ+5FPGP+~95;bpv652)W;$X|n^6F^e>ej&M
z>7bb&bI@A#xoegtvecE!DqP9xb!SFKDbXebo?NVhYG-ra=W=0m1uCn42?9gr<ticr
zcc6d(|3pF!St8f&5H4b>$<M`*$4P*^Up~P211|-<c?zTiPhx7`HCsM5G7t`YlxJ9u
z#m#+6?{0;)E+#L4oGxk`!tRVN9S?6_%GMvjyF^1{9Tu@SIj4DUE2M#61|C##oBTY4
zqW`=_(G7umwF8ZQVwyhZLe@;h(IqOJ9BLj|JzMU+Np`%Fs!L9xytoH1?+$5jL!uyL
z<XIW~050>r90v-d_&)500fkql2+ParB~|UB;D{I^G~O^f<+V>sDQPcW$olSJ5@pR1
zdB2NAB2!UJOh+)TAq*;K$9nkU-)&;Fit4*pDwl-!e2JAV->(S6|Axw9w-ctrIub;d
z0rvnbyYyhZ-Di37aP+?Hc!MS@Lu5{k!w5|?R_-~_emy8*u0?1l0ha#?e99Xw@NjRh
zH}j}@4p+(lFduEH)4iV-P3&m>S)2;6A5&~G$Bf*co$tfS2~A2?{G<K5jQEgtw+Zn~
z-OoA~SQ@R>@%49pbqB@58%ZlSH$OYxcDr+Qeu-aohu<6oj1CTt&n8VN8sR+-Hq|Ct
z(_!RXfLb!E4Sk1?AmEWRGri|91|?=ksc+A2C#&(-ERJXxV$+~q@tB*P%6q+gMg|-&
z05e3svuu35aKbaKm<q;bacMtOVLRYg&rt32ag9yHJ}H_ioGKyVBnSJ3mjn%Om=4@!
z7Ee8&)sP39dlTD|?4XsFhPu*%wAhMQ0p&zTe$yh=>d2Ed1CSo}fT23M^d{IKx)B6t
zHu<GyszsLV$>RafhPS|3iLR2;UVlOGsMN<kEXue6S`r$fmi~4Y$2h9r*&erNVG9S6
zJ5ZdXP~^Z6;929^%c|Q}PQ>seIZLTG0fMwZOfW?Rw4zfVun!SC$H!+eO<bH(EmaK8
zsM}1EbPh-;0tvGvZ5=Y#w^%rK@i6=M`W$<?@iDkr;yb@im6QnvMbHFJvw!|{9Il^W
znO+?cf!)JH;ufFt@lycVfF|3}eau@{ENX~V(9QfR@tLEdUIfp5aUz@7@LTh-Xkr|$
z2Q+)X+HkB^tRG?lbeJLZ)|d$9qL^qsU4HL(QojrtR^Yt+{-kOw*)?|K2<mEOPL8pU
z+A~t+x#16r&=v1$4Xi0DoYF5p&GZp?Ow1J2#a*4$3Z%|S@(k4r*CpJF;fZ7T+z73q
z1PozT9+}d(w0Mx`HSM>!$dnR=et8?x`h30Hxm}g>alO4V2Os5rM-oC)FX$;-7%GJQ
zh2V1>3Jsj2_VyXuav^+!q0dZ;GpLd;0~$CF7)yPsk(n79ztBz6b&pA;$ONMsK?D{e
z<H$-Y<2zgHk4xP_t1+(JqIQt4fzi=iTjP;jgbVT1`~V!pA>$daQ66f3ZbW`q(ipkj
z0+OBL?@a3NZC-YNj+VKY6rKhysCg1Yc>`y68EBluD87=N^BHC4V+wq$EIhBYDER_K
z;MHs6-UdP#dDQ}noLQ)Fn$}T3StP!GjW~&<4kzqZ6H^`cSgP7Y|2IgQM*b@43InH;
zxlFK_S;@@enf>{f2~Xo^adtf3iO{r+FBotb*hG%w8}KTiY(sZ6*b*Sg?x@wG^k&dA
z0Ek=IG?zj&8Qq1^6?x@Qm6E4{Q-pxb(U2kpFG-{@Ogc*z#mgTcBFKN%EkKxd6wB)t
z?2nqe?TiiGqmTsfG5<hWAx&h-5=P#<hG04+M#{R`=F&=~U}u+$`*y)S!8M^ugK6@8
z>3205SzX08N#GHrePK%%U1`f!t%w8>F;FHoOH6_+a6HR6uByRj1!F?as><t2R#C-<
zx1UM`-?kFGMtNjgG@YkE9=hbP>z_MZKk3cqEwfk%6SqMJT9rD?7};Pd^a_Nbej;|Y
zz^VIA&1{BbFz*f$`n4%6f+w~TN<l}5-D&8<B0ou-vlO>SiFqpRQSy@lhUThg5HMy3
za7CMMo{+Eqyv{|RV56S7yg2`L<ASGOU3#Vg`gY3YD<7N=)?s`=+sEk9&sT$k=SjOp
zUBLj(AYo9RsilkMhS>Sm!_5&uKL<4c4z6pUGP@z=sKGn$TGF@`0(#~U(M_W?_*$|;
zSHm?OVDgA6FDR5eOqlu(xTn5h2O5D=gG1nPWD1E<sMUh4cOZ&qvxI|LVRr1Aw`@M!
z+AeDPLX9`p?gYA4M++`1E(xovFHUd_ifkF*M5(IC;<~1vf6o6iMa8QqC|@};NLWdT
zhfRHl%ppAI85|`EUNfor;=XwqCd!S*S_(uGYUz_2SgW(5uv&5TdTG9S1#VWEpY4o$
zM^W2*j}u9koUJ9PvAiGV$XdAU7*}(C{aN?1x{pi@vDweL65E^HiOY42vOQ6h2ACO_
z(a#O(vTgmt)Xr4<vpZe{3T<lJ*>9b50(~MPBcfX%T<}_s3|{WD<At9gD%2S1hvwyT
zqx))9E%mz^W~lsMp&u#AYk*A5sXtirZk38`7j?Q=5C}Ppgager1Cs#Yq?^MbX)kSA
zNe5{3{co9BaRf5X$#J985fp5r%I*waSHwAw8vKOc0M%DIB^@xrL#{ByIzP42+!&*;
zk17a;G%|5SWzBnk$R4FAc<LLC&wDZysj-I)?Fl-R=8#^!Xn?kN@PXUwA_xp2Vv%W2
zp=P0N5OX4qRus%ooL$I5JCz@=voWkRAZ5Vn9)K;2k~W@IqUImkXN_KmKN4Jn^Y!C9
zbF)jAX>5)e3TU%#hvzRhH@0d84&H7z`Mq9?)kx{BOG8BM1M{4ep(xPy^NC?(1t+uG
zwRt^gp%dDkP2w~)%7D+oRi0)wzwJ*rGxcI*RtV)){d*)T_8V`rVM3YR!bFeG6?VA4
z?A<D_oPm#)g@_Vji?s>j=C2t)^+gL*?kUN<biB-%4{Qmv@iin<G268FSk9E~Gb-Vm
zin9_0%UUycko4|O<FxWW9j~g25Z-bP^>grn(-F=3!{TYpz`#<dM@ZwN13MMI!Tds4
zh3Wp0E|vEr3-@+J`_L`>PAfAlLKz(W(b{@iY}u3iht8^uuh^Df^%xeSB>1H<qFvR{
zziJWsPH|H>#k#XjAlrtT0}iKZz9&6S(2yf-Uz3%{!&5;)%Tt=m6^uf2NIG<1AX0ow
zpg6$&y;ti#Y6MIaz{AAgMXsjB;bb4MCN|<3|7DG#mwo&U*<jm1WQNDqb5MbymSBt7
z^Q{2a{8{JFKX1XIDh7j>Np4y>2}l7e8Z9!?_8k7aIsfJxFhxnCJDk|iH@!OC2lrdx
zaq5hSv)d5xy=77lxMJ8iNl4P|=@N(dVseajwfTy}*9Elj>KZtE5xji=-A6JLx8OC%
z=M(PNLZW7|59fB$`R+h4|LW_KSuJq%vu?HBn4~5%@m`N4Qjw+8q$0-e;pQxfJHWlw
zC0!?B7@cL-M%yEmJ<U<rgPtO3ypj(+yNsKIGJX8PGV>k`#fIM~-kvZHOFRo_-vsXD
zLjHMddk=hcx)OX-ANo=AxYJ|w()@rW)^>hF*;B55Y^eXk2<5!xo&TJq$Bqb_?vm!$
zDBZ99WCJZKtrMCj2GzY~5$W-?8IA^i>HRYpuigsBfjJ`{|6~#xreCz{cXSK4H_B-f
z7D~0&P9D0a`awg8SZt<<5dyO58KRI;PT(DV+5(`gi9D;KtU79F_%i1&jOm#0N?iSQ
z`y$<udtba9eZFyu>Z)w%dGO=e9;yr8aUeXadG{T)BFY!78Ia9P$wPD;@;l(ibHk}f
z2cAraz)v3fJ2ZveYE!#+7oXolxNlbLZf~H^-47j%%El+rF1H2U!H?L*PJUC??#*`s
zU=pDHll;Sr0b}kH27xdJE6)Q@Li@sN_5Lm1Z1>HOc`qvbb+#St>F7to=yMyaPrMfe
z3T7#0$1<hFR-e`b+=fG8?~h*ZE`RTiZmeFjw~Cy6B8>DE84Va*zDi!xo!DA>x_W5n
zT3xg`acCjv1A<rHzTtds(=5l={x!c8(wGBGK6oFfv-F**(K(DfClD6HTCdEd|NO<X
zwlzwZ(CvZU#g$Gt8hgdFpss0sWzFeCM7mE1^Q)$cj~wak3Fn`8N3WHvcuO79#q~Oe
z(F?ke`$GP>w+ViS`)@dE0u50wU_e0ld;TXlN))5}uNoW!J-6lNE8x!(<3}LhzJmFu
zD+3OH75@soWmhJuSS%}6bOgCt(XSswN27+<Uqv9~BJtw$0W@{1?!}R^jE>PmXHIxX
zdv7rozp(~kEN2~cGM(lcB(nxSY!hoIEygr;H7V+)A`P-pdXASL%LLH{Nfbu(yW+}<
z!~^>sb?(ugU}S<|R>Y3xN_bK%bnc&&$LodmU?mq&fK`fYE-*puMQP%x9V*moW9c>P
z{bdlSl+Z3;4J4^j8elL&zf-$HPGTfSL*_Ifcw%UUUY;xSaLY(AQsz{F`D(*{Kfy;~
zc;eqLY-+45=HP*i=_w0GeW><}<w7{biGd2N^>5rd$VEG?B(kfL_4)K}09+M>+KMn8
zCvMMsg5}$o(`=#VzX(JXl-0bU(HMeV^*Ny%CKO(9XP%eB`W1g%BsgFhls3JjIdVo|
z#f7IhzmHYpaPH_}^{gYDAbJq0VtzWV^qkWZ7blW+$GqkQFuYY_=DycUN5yOclBj*d
zh(Kh#gbu`x7WV&+B_!F?&!c)ulgxlDw80US{n0rc%bN}(V;q-Ijqx{9VwH0w_uWxU
zm#@DQPfKhI`O57*&uqQp$-N04kLP%MUFNNH!+hxifdJ3la&0F=o@A6r)K;RemCpU9
zQTc;2t7t5;T?>NAOsT0hfxM|Ukiew@_k4GrE#Vn(NFzIlu}z~YR~|Vo+ZPh^a{dD~
znt0YI$LT=A)0eo|`zr_u_gZ0sO<-vDMtGHGFEMS>l%QggoX=P2A^d0ChX#Z#KnE=`
zD+)Xv`DjEXYod&XE;{niW`uluG<>-SwJB_I2;a-O@O33uj%g7q`tjBg@TAG@9|p9~
zdSv?1@xKg+;g10|2ZpdCU=DCM<;#AFEerOSl`m7f`z6`fncg`HMt`XxaFQ&gs~<!w
z+gBKZ&XqkWTqrmevsN-H9CJE5Jw2Nz)YH@ZDYeVc_-h`y%N*Lkgs)xPzaXV2qR3D)
z>#qUDNB=b-E<F&}LEj$(D${mL!_)g?K+!+$&HiCP+}T~>l%iGDJ87uOm-rSVl|`$~
zxx)jSeWJ10p;)or(<7#WWZ{}d;YN_MgA~3<<d&j6)M-Z;h&p!7E34pBF*mF^ZnE+P
z?$v;vd9SI@D2`4JoO#FX&TceZ#e59`)rto6Kx(?nR^{<QcE{C4G^ZJIXQTSF`|*tE
z6#kZ9Xijbwx_MQkS$ze6ruR*}G+H>UB3DhYbn!)SUffHrJ6B}L4{S?5j<3iDcKHWU
zmIZWb;;A`-7T-g0xF^|85)11XFkIA^(TY=2SxMWdx=ofU&g0I9vwBA!!sWMaCZ;WK
zfww5>9K8{#%=&yRT6zWezre}w+o>jWdI4hF(454s2XWo#qKg+)1KU47H>j@vwszb%
zHTnrftTi}bFi69T8ZNqy$8m%mw6Py@tRU*hmfqj?BF@K<mnGAiVf5b&L^;z_Im4qz
zL*n{T-e!`zYr>2q6_GTk4`TfgNLOsm)S$nKIbeg!wTx7pHqNI;At8FZ>xO;1%j!h7
z{L^o4E}<)*N~V8vF%GYiiM5eAHyCcQ?rkQ!4IBKHX&^3XkYnONY`?>~@aycSE>4@=
z+{mv%09Zu`s_cR^RAMIshT_*W>5qb`;ZWn-64}TQc9q@ckhHNu&Ppe2Ao)SqJOO5W
z1cb4)n5m~`ykxuU#LAt{v)Ml2#4GlvvM<p^wcnrr^Z2u8sz*<-4sH!fhx>TnqIjM0
zi8f3?b*94ki<*+ye69#}!e)0LDG=HLnt4^>-DnzG&=lpQL+CcER%ueQ-74JU%@duI
zreBL=V1L|-+`Zn(&A<~O1LxlrKT6F9g_l9V3hFdgY8g2H5+1ip1!0=wdCR(<L~Kz-
zCLweat)G39&Qx3@S&jYDyh(O&4oy7Fw=3~Seq;!6n3tN+el7#Eh>6Wdwa}^b_;Nzo
zP0&5UYkRZB55Fa?(?eK62P&|`gc(w&i_@qM`d~3<%#wSkQP^8A0g(?T$pWKii_bU$
zXW=a(j^X|xKfMvHOUcyML4V|D*J9t5ixtnV<B$9Zs}1>E0TIx1KHxpNLc`zHPLvnJ
zCnQ7~=6)R$uU8qeLE*gydEm-2f$E@+ouR4t!-${IiUUaX=HFhxk-nG9K)pZma~k&F
z@Z(|!jDllgKxTcz?Uu)1Zlz?r2o~;}<ol=mi2jiusEO&X6MyArCB?%P{dN<JS3<wB
zQke#>$3Ir)AMz86%3}L(^3(K3ew_Zw&$ZVohPWDzJ|nRiB3plVz;u24rLw^W`rbFq
zBL7>7#Np$EW}wBmt&s;>uB1>U9=INIoeNKBWvVhno_AuIf4u%D%D>3ZQnxbsKjp`z
z*CjC8iQSwp4jE}>7<xSY=;opETIQK^yg&fe3PN>}M)uHj6e@|d6n;ic10-6;{Cv}O
z&;ooHic#0!p*SKxGL}#g4&In|j|CdKy9?)B>vFr4w=#!){|vT^B;8K19dpxWfH$m8
z9;8og<i4+%uaEta5JeV}wji(Z)c3&aaMc^%(8~fnLMPpW8lS~|Hg?p)4ktsWr@UBO
z>@%x&tsU1HeT$h$(4SX6Yo`2_Ey^@X2i^9k7CbLBA~@c$#y?=Hd!nz<dly*lS$Tj}
z4Qx)MfKkO39l&mNrdA01^38vPoQy9sy>H^v>{?_=$*(LC?{Jw6ZegXFCGMUfBg-{<
z$`HkY)vrXXr1rX`K4d1M>fxJg%HjnUl_~RRZ3+YI1{hd$0W~6foctUqFXGY_rif~U
zU4*Aw(r|h=^UFu)_TMricszl_1!VVOeJT6miNly)f5m2?+K9kfm&M%!r3-#AxrMYg
z`m4E_WFUw5ByXH?Wl?o(#R}yfgEfe#T}MQu@2c<)PkZ%uMjW>5_GScAt_-~jO!v=L
zOvnDPwBnGRwL<CWH4*WyV%eVXJp~Lw0=GTxDFV+|#MWy)R=a9PY@kc|;-H;)7PVjD
zWv9v&ME3M?hxX;p(e7x*92qm(lW?&#P`xHv4yCYR>@!k)nc~G&($F^d3z7ym9Z837
zvf6t)sbYZKU$FtFZZ^?2Jy4U&pk|T^LqW=Yq>KOdopoc%hY5|3LbmSWvp`*>5099j
zf}}X{;NVx<Dp?LzAaU3@0c@1!mAV_zGsPdW30#o*LpF+k$%f(kc`I=-DROmKQ1e)z
z%)uYBF;1Ew|06ajF^ABfpam(R0pz5h{X~_=09}_0XbI5#adBcfImrZzN6)Mza<x_-
zT0SEI)b+oJ4NpBk*w?M$^LiB*LD!RK1+aT=Y3VKPv=<@7oY*-Xj*aV)oSB?fI4^lK
zFpXS*&*}VLX^muWlx9(EItUJcyJPt~8nt9-En-dbu{mX2r9A2vbXdAhG%<8ObFl>a
zA-WVGhl~V3+_av3r{DpX<+CXaH|4>H7;Ho>ANz$JDnYX#R_%fuL+@0O>4X$J4S0af
zwS-yR#HA9Q3nZkP*e%8S4NyL{UzU|UIed^QZHFK{aBxCAV&bctRFMg9prWZ)k=<b9
zSuv}yCw78x`(@)58(Z&=18^ciWV2X_`6|!FcF#IwxbY$AKqdAhrO6Jvo8`kEJUX}3
zN+2W-!*m*_K4e{%%0#Cy1r9vaI?!moP3`wL31KKVLj}^l>i#lScQ31=E>@92@GylS
z2rNSPn<~n;Ojun~vnAUYiZ4_!mNvbRcHzw{CdzzicF)t%PShKlV4JSsQ0J@fL3?kO
zY(=EIY|qL!@My|^iA{H~KIhjDAdso$^-c5Z<m2?{?#EXC!&ihm0U(@?fEClM)us4;
zq$m&;zIdBzuT%wYKQg7Mbcda<|B5Kd+m}Ah%ka%@C39r_i<BWMCb=4*&X+Sy79}5q
zl&0qPgxrrE-$FDrQ#rf1sQ&+n4etccpvYd|0aZb6{KO9VbA_ZqNEcaN+V`DR>99#)
zV8~4#2kZwP>ceFUI{#^1qjL{b{@sG;SRQCs?+CGAy#qfF=A+4Gj*qPa#VthkW26V`
z@_RAe$ivoyPc17J?kA_Qbhp<zHIbUQGR%AOP|$$PO@b4wLgNm!aQQ%*1QxRrg?s@7
zci4u<QaW1-Y@S$Zdq+j&@u)NLx(~ZR_61>~Q~kj4fr9aYvz*+8$L9+`<NEE}#JGv<
zM@yIHj@63E-9Fc`vt21!jdoTE$=lVAp<npajZ0-oF{``J3AJQMJ6N)xab!oQCFODq
z?cKveC1=GTTqavbA8Yx7#=j`U!U7^y1M&&m67L_=m5Uns7B}g0JlgfpRTxu&8=$!_
zp>)IbynLPIstQdyA3_FU?IQ{uN6m+CS4|yS)aa=swCyKn!k!Swe=6hfDaE?HJ=2(k
z($cb(1Z--X(2L%lH}FM_qbstAqw(4Ofb{D9nB1#*twAK?{oCOr*6RsOma?2F;O-#S
zCauaWYdEE}a+=t9o2-freloiT9^`rjOr15ow{?%Ll9gdcAQIA(p%dnk@NQ3y43w1)
zeZb7&XrZ=rL_rKRKTDV~!_hp#)OTy>UbdcXA&iN6qG0YREbU&;n{!)wI{PLb*XB=p
zJB;Z{D17}y<9IK9d-@$!Zdjc$M&{TjrDy~Emu-e$Iv$qI2lntjxmf}kKI#8*_Zliz
z|EZHTH5_8h4_!B<-&oT(v`N(}__Duh!t=jwBhml#*KJCX9+8cYjyeSY!8YHfCq}wt
z|FVrQqP^4~w(;1~_!qXxd-T!c`am}U(UMY)6Yd^iio07#3SEPGlV>Kq1~>#7r+u77
z9OeC$XCy>-ovy5aJG4)sl#DJ93!fxAk|3RkU>U*xWe-mppGszmp&qPy7}P`U#Y|3K
zOJcZ4XKfxd?H=$*|EWOA-lzH;X`&qL`AujrC|{XGR<2y`g*;X_{?w}IKGd)!nOpjx
zky1)T^(_V;0{lj9wPv(-TXhY*weJzD&Xg&bS=(G4UTZo57&&>~9UJ{bo6N8R_c;E{
zw7Na6aahTNG;(^8sus~tNYwLO;Imf#iTR#$_RjU@?IE+W?bYh$mrXCQoMU=FK(bwW
zws5`dzAEMwmA%LJ>^+C?zxW^v@IAZF%xn!-K2x%Ol?f-rOQ-Tdz7z*$hgt9-4IJ*N
zm#~YsjbuPwrrT0TB($kIHv6m#q6dpH6f(5gZ%Fv}TGs4WnYbHTt?!F4UO$|l5{Sqp
zzQdm{Z=J8~2y-XCaDH1A?nwhaws$=K)VV(}aO;tc6agtIfrM*L+UeU&MW&4+Io98}
zbbn-hPoHDs_hRY9Fz^5pGQUgiSG@FFf}|gt&q3A2z<hINx1gat>58`WPqo^n<gf}K
zT=3}BvE)TBtJ1TOEU@Vm5Q-6O#_}$#Gk@@tcVEWO1yy8LX&^lsp6}6Uooz+fnRR^k
zaO>`9lUNz>C561v$?cL;hgzR=H(x@geZwRj5IMZqbU!}7d)x$0n!TZfpIh6%?Ut=*
z+Mo6?vve%>zn}O`iu@YG0~YNdeDi0k4wxMV<n-S-+#cP||1hk$3|2Hk$mxlO(GVdY
zpb_5-d!JB#E?>TTJ^RLw7l?nmC~Okw2UEnsZy|9h<Y0;b7m#E#;c9;iKeugvxa@S+
zI<;XKu*lEf#d`+q@-u|J5BImBP(7#l9rxJ$rKknBp|!c0_ibgR+-bq9CFAy@N7@lM
z`EPXdM{dUdAvfCpL2g|COKxyhK6iE3EiC@|)g|<w<tC_$wfXG`enS@8JmCM(joNF9
zrNbY(A@ulnx=9=rrib*^Z@3la{{RW&kjN&=`L}5$S_}QpCRL)a6xu%?t;*6+v?F9g
z?>etR|Acx<)`9KI{$MOl8%T-jDW6LfQO0RlF_J)UbDCEB-ZdfLL72%I9>hWn9`<uu
zs~k4gV~J08h6iLJ$xwK2_c^><qbem=PQ1(C>9YPv3nZ%NTMn+t8jkTjED*DIfwQ0F
zmftR^FF(2&AM)_60frgoJd;~*<0@)E=GTV}7ZgnHZrOmHaJ?*YuD3Qvrh8dp62Lk)
zOt`PX%_w;D_8N(SY}AboyC3owT^%xeyXHpv2)V5!mHVpEP-tn(Ae~%qrSnp-w+Ze`
z5k_xqoAjvw1{sKI^pHpyIeA`dXUUQx`Hy%V9Yb-uLOr?xz>Xdt{j2liV;rD1v(th_
zwH=i2S>@dR&6+S>x*WnXJ`NK}PC1|~32;n1ZC1c2M@A;jB}G5&8%O=QaZ!I-F^PgR
z5X=$w?B%(RW1yP#bl{HGdD-ld2%=4yNUGA9cZT=iHuAsZZ#tL7iUXN9hA|9K0T3or
zYu=+BSo{2d-qeybq|9zxR8-V>Aya3pkK;O3gO^p+oa9n%jrpsfRwv6#4TD$Ic}n%{
z3-27cJ#h|dVk-$Hx?Q$Nod|T0>lHdWB`wOUP8hyrw6K>{yWl;-Bm+ef6p^%caNxqh
zz5Ir;7L|<vVW@D^xL+l+p^O;dVbKVDz-0r8c3KQHx^!dHJ`46h(I=BeUyeNe{YHCR
zU`HY(+;}X4O6AS*jDC)PXo=|A@Db3@*i<T!u$^Ez7hQ7O-*!745zcK-a*AWnk7dwb
z<sh!(KD7R)$n2k`XpY(PjtY<v5Uw!)o|gY!ibjxFFGv0-EfeSEYX4?sggpD-B<+;v
z`bW-Qe`5UGNv7cNw=-Vh9|_&5pa6vm<AA2~ztwJuxGE(7$YhmIA0V+I{`=8EG@XBS
z&A(-D|GNnMIc5HD5#0Zc{?}6r`QM^dDE=p!$=TJy^G_We_CE{h{(T#XBPsv|2(G__
z&72%9ZLC-vm{=T4Y#f>0E&r$X?%zYubPn{vvq{hp5PfJ65JdmBTWjt_R#i&YzXf~$
zH|SqK?|%<c5%?2?^Y>)O{Qm<J+f@OO7efCSajJ^^pGF|50U+mu|G5n{l>aos;LiwA
r(L_Hrz<=s3Qv*P)ib5pjDSRaO=K;XL{{0>h|E!09GDK7IZ|na7uJknc

diff --git a/terraform/environment/wildsea/main.tf b/terraform/environment/wildsea/main.tf
index b9254771..2c99957b 100644
--- a/terraform/environment/wildsea/main.tf
+++ b/terraform/environment/wildsea/main.tf
@@ -33,5 +33,5 @@ module "wildsea" {
   source = "../../module/wildsea"
 
   saml_metadata_url = var.saml_metadata_url
-  prefix = local.prefix
+  prefix            = local.prefix
 }
diff --git a/terraform/module/iac-roles/policy.tf b/terraform/module/iac-roles/policy.tf
index 927b0eda..babc7eef 100644
--- a/terraform/module/iac-roles/policy.tf
+++ b/terraform/module/iac-roles/policy.tf
@@ -46,6 +46,9 @@ data "aws_iam_policy_document" "ro" {
     sid = "CognitoIdpGlobal"
     actions = [
       "cognito-idp:DescribeUserPoolDomain",
+      "appsync:SetWebACL",
+      "wafv2:GetWebACLForResource",
+      "wafv2:GetWebAcl",
     ]
     resources = [
       "*"
@@ -107,6 +110,19 @@ data "aws_iam_policy_document" "ro" {
       "arn:${data.aws_partition.current.id}:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:log-group:*"
     ]
   }
+
+  statement {
+    actions = [
+      "wafv2:ListWebACLs",
+      "wafv2:ListTagsForResource",
+    ]
+    resources = ["*"]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:ResourceTag/Name"
+      values   = [local.prefix]
+    }
+  }
 }
 
 data "aws_iam_policy_document" "rw" {
@@ -254,7 +270,7 @@ data "aws_iam_policy_document" "rw" {
   }
 
   statement {
-    actions = ["iam:CreateServiceLinkedRole"]
+    actions   = ["iam:CreateServiceLinkedRole"]
     resources = ["*"]
     condition {
       test     = "StringEquals"
@@ -262,6 +278,44 @@ data "aws_iam_policy_document" "rw" {
       values   = ["appsync.${data.aws_partition.current.dns_suffix}"]
     }
   }
+
+  statement {
+    actions = [
+      "wafv2:CreateWebAcl",
+      "wafv2:TagResource",
+    ]
+    resources = ["*"]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:RequestTag/Name"
+      values   = [local.prefix]
+    }
+  }
+
+  statement {
+    actions = [
+      "wafv2:CreateWebACL",
+    ]
+    resources = [
+      "arn:aws:wafv2:ap-southeast-2:021891603679:regional/managedruleset/*/*"
+    ]
+  }
+
+  statement {
+    actions = [
+      "wafv2:UpdateWebACL",
+      "wafv2:DeleteWebACL",
+      "wafv2:ListTagsForResource",
+      "wafv2:AssociateWebACL",
+    ]
+    resources = ["*"]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:ResourceTag/Name"
+      values   = [local.prefix]
+    }
+  }
+
 }
 
 data "aws_iam_policy_document" "rw_boundary" {
@@ -326,9 +380,11 @@ data "aws_iam_policy_document" "rw_boundary" {
   }
 
   statement {
-    sid = "CognitoIdpGlobal"
     actions = [
       "cognito-idp:DescribeUserPoolDomain",
+      "appsync:SetWebACL",
+      "wafv2:GetWebACLForResource",
+      "wafv2:GetWebAcl",
     ]
     resources = [
       "*"
@@ -441,7 +497,7 @@ data "aws_iam_policy_document" "rw_boundary" {
   }
 
   statement {
-    actions = ["iam:CreateServiceLinkedRole"]
+    actions   = ["iam:CreateServiceLinkedRole"]
     resources = ["*"]
     condition {
       test     = "StringEquals"
@@ -449,4 +505,55 @@ data "aws_iam_policy_document" "rw_boundary" {
       values   = ["appsync.${data.aws_partition.current.dns_suffix}"]
     }
   }
+
+  statement {
+    actions = [
+      "wafv2:CreateWebAcl",
+      "wafv2:TagResource",
+    ]
+    resources = ["*"]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:RequestTag/Name"
+      values   = [local.prefix]
+    }
+  }
+
+  statement {
+    actions = [
+      "wafv2:CreateWebACL",
+    ]
+    resources = [
+      "arn:aws:wafv2:ap-southeast-2:021891603679:regional/managedruleset/*/*"
+    ]
+  }
+
+  statement {
+    actions = [
+      "wafv2:UpdateWebACL",
+      "wafv2:DeleteWebACL",
+      "wafv2:UpdatebACL",
+      "wafv2:ListTagsForResource",
+      "wafv2:AssociateWebACL",
+    ]
+    resources = ["*"]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:ResourceTag/Name"
+      values   = [local.prefix]
+    }
+  }
+
+  statement {
+    actions = [
+      "wafv2:ListWebACLs",
+      "wafv2:ListTagsForResource",
+    ]
+    resources = ["*"]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:ResourceTag/Name"
+      values   = [local.prefix]
+    }
+  }
 }
diff --git a/terraform/module/iac-roles/roles.tf b/terraform/module/iac-roles/roles.tf
index cbcfdbcd..9bf09ec6 100644
--- a/terraform/module/iac-roles/roles.tf
+++ b/terraform/module/iac-roles/roles.tf
@@ -9,7 +9,7 @@ resource "aws_iam_role" "ro" {
 
 data "aws_iam_policy_document" "ro_assume" {
   statement {
-    actions = [ var.oidc_type == "Federated" ? "sts:AssumeRoleWithWebIdentity" : "sts:AssumeRole" ]
+    actions = [var.oidc_type == "Federated" ? "sts:AssumeRoleWithWebIdentity" : "sts:AssumeRole"]
     principals {
       type        = var.oidc_type
       identifiers = [var.oidc_arn]
@@ -59,7 +59,7 @@ resource "aws_iam_role" "rw" {
 
 data "aws_iam_policy_document" "rw_assume" {
   statement {
-    actions = [ var.oidc_type == "Federated" ? "sts:AssumeRoleWithWebIdentity" : "sts:AssumeRole" ]
+    actions = [var.oidc_type == "Federated" ? "sts:AssumeRoleWithWebIdentity" : "sts:AssumeRole"]
     principals {
       type        = var.oidc_type
       identifiers = [var.oidc_arn]
diff --git a/terraform/module/oidc/main.tf b/terraform/module/oidc/main.tf
index d3e0c5f2..b7b501d0 100644
--- a/terraform/module/oidc/main.tf
+++ b/terraform/module/oidc/main.tf
@@ -11,5 +11,5 @@ resource "aws_iam_openid_connect_provider" "oidc" {
 }
 
 output "oidc_arn" {
-    value = aws_iam_openid_connect_provider.oidc.arn
+  value = aws_iam_openid_connect_provider.oidc.arn
 }
diff --git a/terraform/module/state-bucket/s3.tf b/terraform/module/state-bucket/s3.tf
index 3e6f0de6..ebcb36bc 100644
--- a/terraform/module/state-bucket/s3.tf
+++ b/terraform/module/state-bucket/s3.tf
@@ -57,5 +57,5 @@ resource "aws_s3_bucket_versioning" "state" {
 
 output "arn" {
   description = "ARN of the state bucket"
-  value = aws_s3_bucket.state.arn
+  value       = aws_s3_bucket.state.arn
 }
diff --git a/terraform/module/wildsea/cognito.tf b/terraform/module/wildsea/cognito.tf
index 7f6f5932..bc16d35f 100644
--- a/terraform/module/wildsea/cognito.tf
+++ b/terraform/module/wildsea/cognito.tf
@@ -7,7 +7,7 @@ resource "aws_cognito_user_pool" "cognito" {
 }
 
 resource "aws_cognito_identity_provider" "idp" {
-  for_each = var.saml_metadata_url == "" ? toset([]) : toset([1])
+  for_each      = var.saml_metadata_url == "" ? toset([]) : toset([1])
   user_pool_id  = aws_cognito_user_pool.cognito.id
   provider_name = "SAML"
   provider_type = "SAML"
@@ -34,7 +34,7 @@ resource "aws_cognito_user_pool_client" "cognito" {
   logout_urls                          = ["https://TODO"]
   allowed_oauth_flows                  = ["code", "implicit"]
   allowed_oauth_scopes                 = ["openid"]
-  supported_identity_providers         = [ var.saml_metadata_url == "" ? "COGNITO" : aws_cognito_identity_provider.idp[0].provider_name ]
+  supported_identity_providers         = [var.saml_metadata_url == "" ? "COGNITO" : aws_cognito_identity_provider.idp[0].provider_name]
 }
 
 resource "aws_cognito_identity_pool" "cognito" {
@@ -86,7 +86,7 @@ resource "aws_iam_policy" "cognito" {
   name   = "${var.prefix}-user"
   policy = data.aws_iam_policy_document.cognito.json
 }
-  
+
 data "aws_iam_policy_document" "cognito" {
   statement {
     actions = [
diff --git a/terraform/module/wildsea/graphql.tf b/terraform/module/wildsea/graphql.tf
index ea4b03d4..26dd77ef 100644
--- a/terraform/module/wildsea/graphql.tf
+++ b/terraform/module/wildsea/graphql.tf
@@ -1,29 +1,32 @@
 resource "aws_appsync_graphql_api" "graphql" {
-    name = var.prefix
-    schema = file("../../../graphql/schema.graphql")
-    authentication_type = "AWS_IAM"
-    xray_enabled = true
+  name                = var.prefix
+  schema              = file("../../../graphql/schema.graphql")
+  authentication_type = "AWS_IAM"
+  xray_enabled        = true
 
-    log_config {
-      cloudwatch_logs_role_arn = aws_iam_role.graphql_log.arn
-      field_log_level = "ERROR"
-    }
+  log_config {
+    cloudwatch_logs_role_arn = aws_iam_role.graphql_log.arn
+    field_log_level          = "ERROR"
+  }
 
-    additional_authentication_provider {
-      authentication_type = "AMAZON_COGNITO_USER_POOLS"
-      user_pool_config {
-        user_pool_id = aws_cognito_user_pool.cognito.id
-        aws_region = data.aws_region.current.name
-      }
+  additional_authentication_provider {
+    authentication_type = "AMAZON_COGNITO_USER_POOLS"
+    user_pool_config {
+      user_pool_id = aws_cognito_user_pool.cognito.id
+      aws_region   = data.aws_region.current.name
     }
+  }
 
   tags = {
     Name = var.prefix
   }
 }
 
+# nosemgrep: aws-cloudwatch-log-group-unencrypted // AWS Key is fine
 resource "aws_cloudwatch_log_group" "graphql_log" {
-  name = "/aws/appsync/${var.prefix}"
+  # checkov:skip=CKV_AWS_338:Two weeks is enough, we don't need a year
+  # checkov:skip=CKV_AWS_158:AWS Key is fine
+  name              = "/aws/appsync/${var.prefix}"
   retention_in_days = 14
 
   tags = {
@@ -32,25 +35,115 @@ resource "aws_cloudwatch_log_group" "graphql_log" {
 }
 
 resource "aws_iam_role" "graphql_log" {
-    name = "${var.prefix}-graphql-log"
-    assume_role_policy = data.aws_iam_policy_document.graphql_log_assume.json
+  name               = "${var.prefix}-graphql-log"
+  assume_role_policy = data.aws_iam_policy_document.graphql_log_assume.json
 
-    tags = {
-      Name = var.prefix
-    }
+  tags = {
+    Name = var.prefix
+  }
 }
 
 data "aws_iam_policy_document" "graphql_log_assume" {
   statement {
     actions = ["sts:AssumeRole"]
     principals {
-      type = "Service"
+      type        = "Service"
       identifiers = ["appsync.${data.aws_partition.current.dns_suffix}"]
     }
   }
 }
 
 resource "aws_iam_role_policy_attachment" "grahql_log" {
-    role = aws_iam_role.graphql_log.name
-    policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs"
+  role       = aws_iam_role.graphql_log.name
+  policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs"
+}
+
+resource "aws_wafv2_web_acl_association" "graphql" {
+  resource_arn = aws_appsync_graphql_api.graphql.arn
+  web_acl_arn  = aws_wafv2_web_acl.graphql.arn
+}
+
+resource "aws_wafv2_web_acl" "graphql" {
+  name  = "${var.prefix}-graphql-waf"
+  scope = "REGIONAL"
+
+  default_action {
+    allow {}
+  }
+
+  rule {
+    name     = "Ratelimit"
+    priority = 10
+
+    action {
+      block {}
+    }
+
+    statement {
+      rate_based_statement {
+        limit              = 1000
+        aggregate_key_type = "IP"
+
+      }
+    }
+
+    visibility_config {
+      cloudwatch_metrics_enabled = false
+      metric_name                = "Ratelimit"
+      sampled_requests_enabled   = false
+    }
+  }
+
+
+  rule {
+    name     = "AWSManagedRulesCommonRuleSet"
+    priority = 20
+    statement {
+      managed_rule_group_statement {
+        name        = "AWSManagedRulesCommonRuleSet"
+        vendor_name = "AWS"
+      }
+    }
+    override_action {
+      count {
+
+      }
+    }
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "AWSManagedRulesCommonRuleSet"
+      sampled_requests_enabled   = true
+    }
+  }
+
+  rule {
+    name     = "AWSManagedRulesAmazonIpReputationList"
+    priority = 30
+    statement {
+      managed_rule_group_statement {
+        name        = "AWSManagedRulesAmazonIpReputationList"
+        vendor_name = "AWS"
+      }
+    }
+    override_action {
+      count {
+
+      }
+    }
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "AWSManagedRulesAmazonIpReputationList"
+      sampled_requests_enabled   = true
+    }
+  }
+
+  visibility_config {
+    cloudwatch_metrics_enabled = true
+    metric_name                = "GraphQLWAF"
+    sampled_requests_enabled   = true
+  }
+
+  tags = {
+    Name = var.prefix
+  }
 }
diff --git a/terraform/module/wildsea/main.tf b/terraform/module/wildsea/main.tf
index a8e354f4..61c12747 100644
--- a/terraform/module/wildsea/main.tf
+++ b/terraform/module/wildsea/main.tf
@@ -3,11 +3,11 @@ data "aws_partition" "current" {}
 data "aws_caller_identity" "current" {}
 
 variable "prefix" {
-    description = "Resource name prefix"
-    type = string
+  description = "Resource name prefix"
+  type        = string
 }
 
 variable "saml_metadata_url" {
-    description = "SAML metadata URL"
-    type = string
+  description = "SAML metadata URL"
+  type        = string
 }