From 2cc04da549b94fa1c68810a23e09bfef121cecf8 Mon Sep 17 00:00:00 2001
From: Henry Avetisyan <hga@yahooinc.com>
Date: Sat, 25 May 2024 14:25:43 -0700
Subject: [PATCH] support principal domain filter for role/group members

Signed-off-by: Henry Avetisyan <hga@yahooinc.com>
---
 clients/go/zms/model.go                       |  44 ++
 clients/go/zms/zms_schema.go                  |   2 +
 .../main/java/com/yahoo/athenz/zms/Group.java |  13 +
 .../java/com/yahoo/athenz/zms/GroupMeta.java  |  13 +
 .../main/java/com/yahoo/athenz/zms/Role.java  |  13 +
 .../java/com/yahoo/athenz/zms/RoleMeta.java   |  13 +
 .../java/com/yahoo/athenz/zms/ZMSSchema.java  |   6 +-
 core/zms/src/main/rdl/Group.tdl               |   1 +
 core/zms/src/main/rdl/Role.tdl                |   1 +
 .../java/com/yahoo/athenz/zms/GroupTest.java  |  28 +-
 .../java/com/yahoo/athenz/zms/RoleTest.java   |  28 +-
 libs/go/zmscli/cli.go                         |  32 ++
 libs/go/zmscli/group.go                       |  22 +
 libs/go/zmscli/role.go                        |  22 +
 servers/zms/pom.xml                           |   2 +-
 .../zms/schema/updates/update-20240525.sql    |   2 +
 servers/zms/schema/zms_server.mwb             | Bin 53874 -> 54528 bytes
 servers/zms/schema/zms_server.sql             |   4 +-
 .../java/com/yahoo/athenz/zms/DBService.java  |  18 +-
 .../java/com/yahoo/athenz/zms/ZMSConsts.java  |   1 +
 .../java/com/yahoo/athenz/zms/ZMSImpl.java    | 131 +++--
 .../zms/store/impl/jdbc/JDBCConnection.java   |  26 +-
 .../zms/utils/PrincipalDomainFilter.java      | 139 +++++
 .../com/yahoo/athenz/zms/DBServiceTest.java   |   5 +-
 .../com/yahoo/athenz/zms/ZMSImplTest.java     | 126 +++--
 .../provider/ServiceProviderManagerTest.java  |   6 +-
 .../store/impl/jdbc/JDBCConnectionTest.java   |  19 +-
 .../zms/utils/PrincipalDomainFilterTest.java  | 489 ++++++++++++++++++
 28 files changed, 1089 insertions(+), 117 deletions(-)
 create mode 100644 servers/zms/schema/updates/update-20240525.sql
 create mode 100644 servers/zms/src/main/java/com/yahoo/athenz/zms/utils/PrincipalDomainFilter.java
 create mode 100644 servers/zms/src/test/java/com/yahoo/athenz/zms/utils/PrincipalDomainFilterTest.java

diff --git a/clients/go/zms/model.go b/clients/go/zms/model.go
index d4aeedd2d73..5e11527b13b 100644
--- a/clients/go/zms/model.go
+++ b/clients/go/zms/model.go
@@ -1466,6 +1466,11 @@ type RoleMeta struct {
 	// ownership information for the role (read-only attribute)
 	//
 	ResourceOwnership *ResourceRoleOwnership `json:"resourceOwnership,omitempty" rdl:"optional" yaml:",omitempty"`
+
+	//
+	// membership filtered based on configured principal domains
+	//
+	PrincipalDomainFilter string `json:"principalDomainFilter" rdl:"optional" yaml:",omitempty"`
 }
 
 // NewRoleMeta - creates an initialized RoleMeta instance, returns a pointer to it
@@ -1525,6 +1530,12 @@ func (self *RoleMeta) Validate() error {
 			return fmt.Errorf("RoleMeta.description does not contain a valid String (%v)", val.Error)
 		}
 	}
+	if self.PrincipalDomainFilter != "" {
+		val := rdl.Validate(ZMSSchema(), "String", self.PrincipalDomainFilter)
+		if !val.Valid {
+			return fmt.Errorf("RoleMeta.principalDomainFilter does not contain a valid String (%v)", val.Error)
+		}
+	}
 	return nil
 }
 
@@ -1658,6 +1669,11 @@ type Role struct {
 	//
 	ResourceOwnership *ResourceRoleOwnership `json:"resourceOwnership,omitempty" rdl:"optional" yaml:",omitempty"`
 
+	//
+	// membership filtered based on configured principal domains
+	//
+	PrincipalDomainFilter string `json:"principalDomainFilter" rdl:"optional" yaml:",omitempty"`
+
 	//
 	// name of the role
 	//
@@ -1747,6 +1763,12 @@ func (self *Role) Validate() error {
 			return fmt.Errorf("Role.description does not contain a valid String (%v)", val.Error)
 		}
 	}
+	if self.PrincipalDomainFilter != "" {
+		val := rdl.Validate(ZMSSchema(), "String", self.PrincipalDomainFilter)
+		if !val.Valid {
+			return fmt.Errorf("Role.principalDomainFilter does not contain a valid String (%v)", val.Error)
+		}
+	}
 	if self.Name == "" {
 		return fmt.Errorf("Role.name is missing but is a required field")
 	} else {
@@ -5905,6 +5927,11 @@ type GroupMeta struct {
 	// ownership information for the group (read-only attribute)
 	//
 	ResourceOwnership *ResourceGroupOwnership `json:"resourceOwnership,omitempty" rdl:"optional" yaml:",omitempty"`
+
+	//
+	// membership filtered based on configured principal domains
+	//
+	PrincipalDomainFilter string `json:"principalDomainFilter" rdl:"optional" yaml:",omitempty"`
 }
 
 // NewGroupMeta - creates an initialized GroupMeta instance, returns a pointer to it
@@ -5952,6 +5979,12 @@ func (self *GroupMeta) Validate() error {
 			return fmt.Errorf("GroupMeta.userAuthorityExpiration does not contain a valid String (%v)", val.Error)
 		}
 	}
+	if self.PrincipalDomainFilter != "" {
+		val := rdl.Validate(ZMSSchema(), "String", self.PrincipalDomainFilter)
+		if !val.Valid {
+			return fmt.Errorf("GroupMeta.principalDomainFilter does not contain a valid String (%v)", val.Error)
+		}
+	}
 	return nil
 }
 
@@ -6039,6 +6072,11 @@ type Group struct {
 	//
 	ResourceOwnership *ResourceGroupOwnership `json:"resourceOwnership,omitempty" rdl:"optional" yaml:",omitempty"`
 
+	//
+	// membership filtered based on configured principal domains
+	//
+	PrincipalDomainFilter string `json:"principalDomainFilter" rdl:"optional" yaml:",omitempty"`
+
 	//
 	// name of the group
 	//
@@ -6105,6 +6143,12 @@ func (self *Group) Validate() error {
 			return fmt.Errorf("Group.userAuthorityExpiration does not contain a valid String (%v)", val.Error)
 		}
 	}
+	if self.PrincipalDomainFilter != "" {
+		val := rdl.Validate(ZMSSchema(), "String", self.PrincipalDomainFilter)
+		if !val.Valid {
+			return fmt.Errorf("Group.principalDomainFilter does not contain a valid String (%v)", val.Error)
+		}
+	}
 	if self.Name == "" {
 		return fmt.Errorf("Group.name is missing but is a required field")
 	} else {
diff --git a/clients/go/zms/zms_schema.go b/clients/go/zms/zms_schema.go
index a0431166b81..d1f77e928c7 100644
--- a/clients/go/zms/zms_schema.go
+++ b/clients/go/zms/zms_schema.go
@@ -270,6 +270,7 @@ func init() {
 	tRoleMeta.Field("selfRenewMins", "Int32", true, nil, "Number of minutes members can renew their membership if self review option is enabled")
 	tRoleMeta.Field("maxMembers", "Int32", true, nil, "Maximum number of members allowed in the group")
 	tRoleMeta.Field("resourceOwnership", "ResourceRoleOwnership", true, nil, "ownership information for the role (read-only attribute)")
+	tRoleMeta.Field("principalDomainFilter", "String", true, nil, "membership filtered based on configured principal domains")
 	sb.AddType(tRoleMeta.Build())
 
 	tRole := rdl.NewStructTypeBuilder("RoleMeta", "Role")
@@ -638,6 +639,7 @@ func init() {
 	tGroupMeta.Field("selfRenewMins", "Int32", true, nil, "Number of minutes members can renew their membership if self review option is enabled")
 	tGroupMeta.Field("maxMembers", "Int32", true, nil, "Maximum number of members allowed in the group")
 	tGroupMeta.Field("resourceOwnership", "ResourceGroupOwnership", true, nil, "ownership information for the group (read-only attribute)")
+	tGroupMeta.Field("principalDomainFilter", "String", true, nil, "membership filtered based on configured principal domains")
 	sb.AddType(tGroupMeta.Build())
 
 	tGroup := rdl.NewStructTypeBuilder("GroupMeta", "Group")
diff --git a/core/zms/src/main/java/com/yahoo/athenz/zms/Group.java b/core/zms/src/main/java/com/yahoo/athenz/zms/Group.java
index 817dcb39e24..33ec9b2031e 100644
--- a/core/zms/src/main/java/com/yahoo/athenz/zms/Group.java
+++ b/core/zms/src/main/java/com/yahoo/athenz/zms/Group.java
@@ -59,6 +59,9 @@ public class Group {
     @RdlOptional
     @JsonInclude(JsonInclude.Include.NON_EMPTY)
     public ResourceGroupOwnership resourceOwnership;
+    @RdlOptional
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    public String principalDomainFilter;
     public String name;
     @RdlOptional
     @JsonInclude(JsonInclude.Include.NON_EMPTY)
@@ -175,6 +178,13 @@ public Group setResourceOwnership(ResourceGroupOwnership resourceOwnership) {
     public ResourceGroupOwnership getResourceOwnership() {
         return resourceOwnership;
     }
+    public Group setPrincipalDomainFilter(String principalDomainFilter) {
+        this.principalDomainFilter = principalDomainFilter;
+        return this;
+    }
+    public String getPrincipalDomainFilter() {
+        return principalDomainFilter;
+    }
     public Group setName(String name) {
         this.name = name;
         return this;
@@ -256,6 +266,9 @@ public boolean equals(Object another) {
             if (resourceOwnership == null ? a.resourceOwnership != null : !resourceOwnership.equals(a.resourceOwnership)) {
                 return false;
             }
+            if (principalDomainFilter == null ? a.principalDomainFilter != null : !principalDomainFilter.equals(a.principalDomainFilter)) {
+                return false;
+            }
             if (name == null ? a.name != null : !name.equals(a.name)) {
                 return false;
             }
diff --git a/core/zms/src/main/java/com/yahoo/athenz/zms/GroupMeta.java b/core/zms/src/main/java/com/yahoo/athenz/zms/GroupMeta.java
index 10790807549..14c9f2c8c5d 100644
--- a/core/zms/src/main/java/com/yahoo/athenz/zms/GroupMeta.java
+++ b/core/zms/src/main/java/com/yahoo/athenz/zms/GroupMeta.java
@@ -59,6 +59,9 @@ public class GroupMeta {
     @RdlOptional
     @JsonInclude(JsonInclude.Include.NON_EMPTY)
     public ResourceGroupOwnership resourceOwnership;
+    @RdlOptional
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    public String principalDomainFilter;
 
     public GroupMeta setSelfServe(Boolean selfServe) {
         this.selfServe = selfServe;
@@ -165,6 +168,13 @@ public GroupMeta setResourceOwnership(ResourceGroupOwnership resourceOwnership)
     public ResourceGroupOwnership getResourceOwnership() {
         return resourceOwnership;
     }
+    public GroupMeta setPrincipalDomainFilter(String principalDomainFilter) {
+        this.principalDomainFilter = principalDomainFilter;
+        return this;
+    }
+    public String getPrincipalDomainFilter() {
+        return principalDomainFilter;
+    }
 
     @Override
     public boolean equals(Object another) {
@@ -218,6 +228,9 @@ public boolean equals(Object another) {
             if (resourceOwnership == null ? a.resourceOwnership != null : !resourceOwnership.equals(a.resourceOwnership)) {
                 return false;
             }
+            if (principalDomainFilter == null ? a.principalDomainFilter != null : !principalDomainFilter.equals(a.principalDomainFilter)) {
+                return false;
+            }
         }
         return true;
     }
diff --git a/core/zms/src/main/java/com/yahoo/athenz/zms/Role.java b/core/zms/src/main/java/com/yahoo/athenz/zms/Role.java
index 55025b29fd9..bcba698423d 100644
--- a/core/zms/src/main/java/com/yahoo/athenz/zms/Role.java
+++ b/core/zms/src/main/java/com/yahoo/athenz/zms/Role.java
@@ -89,6 +89,9 @@ public class Role {
     @RdlOptional
     @JsonInclude(JsonInclude.Include.NON_EMPTY)
     public ResourceRoleOwnership resourceOwnership;
+    @RdlOptional
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    public String principalDomainFilter;
     public String name;
     @RdlOptional
     @JsonInclude(JsonInclude.Include.NON_EMPTY)
@@ -267,6 +270,13 @@ public Role setResourceOwnership(ResourceRoleOwnership resourceOwnership) {
     public ResourceRoleOwnership getResourceOwnership() {
         return resourceOwnership;
     }
+    public Role setPrincipalDomainFilter(String principalDomainFilter) {
+        this.principalDomainFilter = principalDomainFilter;
+        return this;
+    }
+    public String getPrincipalDomainFilter() {
+        return principalDomainFilter;
+    }
     public Role setName(String name) {
         this.name = name;
         return this;
@@ -386,6 +396,9 @@ public boolean equals(Object another) {
             if (resourceOwnership == null ? a.resourceOwnership != null : !resourceOwnership.equals(a.resourceOwnership)) {
                 return false;
             }
+            if (principalDomainFilter == null ? a.principalDomainFilter != null : !principalDomainFilter.equals(a.principalDomainFilter)) {
+                return false;
+            }
             if (name == null ? a.name != null : !name.equals(a.name)) {
                 return false;
             }
diff --git a/core/zms/src/main/java/com/yahoo/athenz/zms/RoleMeta.java b/core/zms/src/main/java/com/yahoo/athenz/zms/RoleMeta.java
index 380ed5da9f2..7b753d4afab 100644
--- a/core/zms/src/main/java/com/yahoo/athenz/zms/RoleMeta.java
+++ b/core/zms/src/main/java/com/yahoo/athenz/zms/RoleMeta.java
@@ -83,6 +83,9 @@ public class RoleMeta {
     @RdlOptional
     @JsonInclude(JsonInclude.Include.NON_EMPTY)
     public ResourceRoleOwnership resourceOwnership;
+    @RdlOptional
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    public String principalDomainFilter;
 
     public RoleMeta setSelfServe(Boolean selfServe) {
         this.selfServe = selfServe;
@@ -245,6 +248,13 @@ public RoleMeta setResourceOwnership(ResourceRoleOwnership resourceOwnership) {
     public ResourceRoleOwnership getResourceOwnership() {
         return resourceOwnership;
     }
+    public RoleMeta setPrincipalDomainFilter(String principalDomainFilter) {
+        this.principalDomainFilter = principalDomainFilter;
+        return this;
+    }
+    public String getPrincipalDomainFilter() {
+        return principalDomainFilter;
+    }
 
     @Override
     public boolean equals(Object another) {
@@ -322,6 +332,9 @@ public boolean equals(Object another) {
             if (resourceOwnership == null ? a.resourceOwnership != null : !resourceOwnership.equals(a.resourceOwnership)) {
                 return false;
             }
+            if (principalDomainFilter == null ? a.principalDomainFilter != null : !principalDomainFilter.equals(a.principalDomainFilter)) {
+                return false;
+            }
         }
         return true;
     }
diff --git a/core/zms/src/main/java/com/yahoo/athenz/zms/ZMSSchema.java b/core/zms/src/main/java/com/yahoo/athenz/zms/ZMSSchema.java
index a7cd85af099..a9300d9f520 100644
--- a/core/zms/src/main/java/com/yahoo/athenz/zms/ZMSSchema.java
+++ b/core/zms/src/main/java/com/yahoo/athenz/zms/ZMSSchema.java
@@ -234,7 +234,8 @@ private static Schema build() {
             .field("selfRenew", "Bool", true, "Flag indicates whether to allow expired members to renew their membership")
             .field("selfRenewMins", "Int32", true, "Number of minutes members can renew their membership if self review option is enabled")
             .field("maxMembers", "Int32", true, "Maximum number of members allowed in the group")
-            .field("resourceOwnership", "ResourceRoleOwnership", true, "ownership information for the role (read-only attribute)");
+            .field("resourceOwnership", "ResourceRoleOwnership", true, "ownership information for the role (read-only attribute)")
+            .field("principalDomainFilter", "String", true, "membership filtered based on configured principal domains");
 
         sb.structType("Role", "RoleMeta")
             .comment("The representation for a Role with set of members. The members (Array<MemberName>) field is deprecated and not used in role objects since it incorrectly lists all the members in the role without taking into account if the member is expired or possibly disabled. Thus, using this attribute will result in incorrect authorization checks by the client and, thus, it's no longer being populated. All applications must use the roleMembers field and take into account all the attributes of the member.")
@@ -553,7 +554,8 @@ private static Schema build() {
             .field("selfRenew", "Bool", true, "Flag indicates whether to allow expired members to renew their membership")
             .field("selfRenewMins", "Int32", true, "Number of minutes members can renew their membership if self review option is enabled")
             .field("maxMembers", "Int32", true, "Maximum number of members allowed in the group")
-            .field("resourceOwnership", "ResourceGroupOwnership", true, "ownership information for the group (read-only attribute)");
+            .field("resourceOwnership", "ResourceGroupOwnership", true, "ownership information for the group (read-only attribute)")
+            .field("principalDomainFilter", "String", true, "membership filtered based on configured principal domains");
 
         sb.structType("Group", "GroupMeta")
             .comment("The representation for a Group with set of members.")
diff --git a/core/zms/src/main/rdl/Group.tdl b/core/zms/src/main/rdl/Group.tdl
index fa0ebeacd9c..994c0ad7f1f 100644
--- a/core/zms/src/main/rdl/Group.tdl
+++ b/core/zms/src/main/rdl/Group.tdl
@@ -67,6 +67,7 @@ type GroupMeta Struct {
     Int32 selfRenewMins (optional); //Number of minutes members can renew their membership if self review option is enabled
     Int32 maxMembers (optional); //Maximum number of members allowed in the group
     ResourceGroupOwnership resourceOwnership (optional); //ownership information for the group (read-only attribute)
+    String principalDomainFilter (optional, x_allowempty="true"); //membership filtered based on configured principal domains
 }
 
 //The representation for a Group with set of members.
diff --git a/core/zms/src/main/rdl/Role.tdl b/core/zms/src/main/rdl/Role.tdl
index 3d2a735e9ea..d0191a7a4ba 100644
--- a/core/zms/src/main/rdl/Role.tdl
+++ b/core/zms/src/main/rdl/Role.tdl
@@ -66,6 +66,7 @@ type RoleMeta Struct {
     Int32 selfRenewMins (optional); //Number of minutes members can renew their membership if self review option is enabled
     Int32 maxMembers (optional); //Maximum number of members allowed in the group
     ResourceRoleOwnership resourceOwnership (optional); //ownership information for the role (read-only attribute)
+    String principalDomainFilter (optional, x_allowempty="true"); //membership filtered based on configured principal domains
 }
 
 //The representation for a Role with set of members.
diff --git a/core/zms/src/test/java/com/yahoo/athenz/zms/GroupTest.java b/core/zms/src/test/java/com/yahoo/athenz/zms/GroupTest.java
index bb4b8033d37..10fea7ae9b2 100644
--- a/core/zms/src/test/java/com/yahoo/athenz/zms/GroupTest.java
+++ b/core/zms/src/test/java/com/yahoo/athenz/zms/GroupTest.java
@@ -62,7 +62,8 @@ public void testGroupsMethod() {
                 .setSelfRenew(true)
                 .setSelfRenewMins(180)
                 .setMaxMembers(5)
-                .setResourceOwnership(new ResourceGroupOwnership().setMetaOwner("TF"));
+                .setResourceOwnership(new ResourceGroupOwnership().setMetaOwner("TF"))
+                .setPrincipalDomainFilter("user,+unix.test,-home");
 
         Group r2 = new Group()
                 .setName("sys.auth:group.admin")
@@ -83,7 +84,8 @@ public void testGroupsMethod() {
                 .setSelfRenew(true)
                 .setSelfRenewMins(180)
                 .setMaxMembers(5)
-                .setResourceOwnership(new ResourceGroupOwnership().setMetaOwner("TF"));
+                .setResourceOwnership(new ResourceGroupOwnership().setMetaOwner("TF"))
+                .setPrincipalDomainFilter("user,+unix.test,-home");
 
         assertEquals(r, r2);
         assertEquals(r, r);
@@ -107,6 +109,7 @@ public void testGroupsMethod() {
         assertEquals(r.getSelfRenew(), Boolean.TRUE);
         assertEquals(r.getMaxMembers(), 5);
         assertEquals(r.getResourceOwnership(), new ResourceGroupOwnership().setMetaOwner("TF"));
+        assertEquals(r.getPrincipalDomainFilter(), "user,+unix.test,-home");
 
         r2.setLastReviewedDate(Timestamp.fromMillis(123456789124L));
         assertNotEquals(r, r2);
@@ -206,6 +209,13 @@ public void testGroupsMethod() {
         r2.setResourceOwnership(new ResourceGroupOwnership().setMetaOwner("TF"));
         assertEquals(r, r2);
 
+        r2.setPrincipalDomainFilter("user");
+        assertNotEquals(r, r2);
+        r2.setPrincipalDomainFilter(null);
+        assertNotEquals(r, r2);
+        r2.setPrincipalDomainFilter("user,+unix.test,-home");
+        assertEquals(r, r2);
+
         r2.setAuditLog(null);
         assertNotEquals(r, r2);
         r2.setGroupMembers(null);
@@ -539,7 +549,8 @@ public void testGroupMetaMethod() {
                 .setSelfRenew(true)
                 .setSelfRenewMins(180)
                 .setMaxMembers(5)
-                .setResourceOwnership(new ResourceGroupOwnership().setMetaOwner("TF"));
+                .setResourceOwnership(new ResourceGroupOwnership().setMetaOwner("TF"))
+                .setPrincipalDomainFilter("user,+unix.test,-home");
 
         assertFalse(gm1.getSelfServe());
         assertEquals(gm1.getNotifyRoles(), "role1,domain:role.role2");
@@ -556,6 +567,7 @@ public void testGroupMetaMethod() {
         assertEquals(gm1.getSelfRenew(), Boolean.TRUE);
         assertEquals(gm1.getMaxMembers(), 5);
         assertEquals(gm1.getResourceOwnership(), new ResourceGroupOwnership().setMetaOwner("TF"));
+        assertEquals(gm1.getPrincipalDomainFilter(), "user,+unix.test,-home");
 
         GroupMeta gm2 = new GroupMeta()
                 .setSelfServe(false)
@@ -572,7 +584,8 @@ public void testGroupMetaMethod() {
                 .setSelfRenew(true)
                 .setSelfRenewMins(180)
                 .setMaxMembers(5)
-                .setResourceOwnership(new ResourceGroupOwnership().setMetaOwner("TF"));
+                .setResourceOwnership(new ResourceGroupOwnership().setMetaOwner("TF"))
+                .setPrincipalDomainFilter("user,+unix.test,-home");
 
         assertEquals(gm1, gm2);
         assertEquals(gm1, gm1);
@@ -684,6 +697,13 @@ public void testGroupMetaMethod() {
         gm2.setResourceOwnership(new ResourceGroupOwnership().setMetaOwner("TF"));
         assertEquals(gm2, gm1);
 
+        gm2.setPrincipalDomainFilter("user");
+        assertNotEquals(gm2, gm1);
+        gm2.setPrincipalDomainFilter(null);
+        assertNotEquals(gm2, gm1);
+        gm2.setPrincipalDomainFilter("user,+unix.test,-home");
+        assertEquals(gm2, gm1);
+
         Schema schema = ZMSSchema.instance();
         Validator validator = new Validator(schema);
         Result result = validator.validate(gm1, "GroupMeta");
diff --git a/core/zms/src/test/java/com/yahoo/athenz/zms/RoleTest.java b/core/zms/src/test/java/com/yahoo/athenz/zms/RoleTest.java
index 74ba394cc9f..65e7fb11a8e 100644
--- a/core/zms/src/test/java/com/yahoo/athenz/zms/RoleTest.java
+++ b/core/zms/src/test/java/com/yahoo/athenz/zms/RoleTest.java
@@ -55,7 +55,8 @@ public void testRoleMetaMethod() {
                 .setSelfRenew(true)
                 .setSelfRenewMins(180)
                 .setMaxMembers(5)
-                .setResourceOwnership(new ResourceRoleOwnership().setMetaOwner("TF"));
+                .setResourceOwnership(new ResourceRoleOwnership().setMetaOwner("TF"))
+                .setPrincipalDomainFilter("user,+unix.test,-home");
 
         assertFalse(rm1.getSelfServe());
         assertEquals(rm1.getMemberExpiryDays(), Integer.valueOf(30));
@@ -80,6 +81,7 @@ public void testRoleMetaMethod() {
         assertEquals(rm1.getSelfRenew(), Boolean.TRUE);
         assertEquals(rm1.getMaxMembers(), 5);
         assertEquals(rm1.getResourceOwnership(), new ResourceRoleOwnership().setMetaOwner("TF"));
+        assertEquals(rm1.getPrincipalDomainFilter(), "user,+unix.test,-home");
 
         RoleMeta rm2 = new RoleMeta()
                 .setMemberExpiryDays(30)
@@ -104,7 +106,8 @@ public void testRoleMetaMethod() {
                 .setSelfRenew(true)
                 .setSelfRenewMins(180)
                 .setMaxMembers(5)
-                .setResourceOwnership(new ResourceRoleOwnership().setMetaOwner("TF"));
+                .setResourceOwnership(new ResourceRoleOwnership().setMetaOwner("TF"))
+                .setPrincipalDomainFilter("user,+unix.test,-home");
 
         assertEquals(rm1, rm2);
         assertEquals(rm1, rm1);
@@ -272,6 +275,13 @@ public void testRoleMetaMethod() {
         rm2.setResourceOwnership(new ResourceRoleOwnership().setMetaOwner("TF"));
         assertEquals(rm2, rm1);
 
+        rm2.setPrincipalDomainFilter("user");
+        assertNotEquals(rm2, rm1);
+        rm2.setPrincipalDomainFilter(null);
+        assertNotEquals(rm2, rm1);
+        rm2.setPrincipalDomainFilter("user,+unix.test,-home");
+        assertEquals(rm2, rm1);
+
         Schema schema = ZMSSchema.instance();
         Validator validator = new Validator(schema);
         Validator.Result result = validator.validate(rm1, "RoleMeta");
@@ -322,7 +332,8 @@ public void testRolesMethod() {
                 .setSelfRenew(true)
                 .setSelfRenewMins(180)
                 .setMaxMembers(5)
-                .setResourceOwnership(new ResourceRoleOwnership().setMetaOwner("TF"));
+                .setResourceOwnership(new ResourceRoleOwnership().setMetaOwner("TF"))
+                .setPrincipalDomainFilter("user,+unix.test,-home");
 
         assertEquals(r.getName(), "sys.auth:role.admin");
         assertEquals(r.getModified(), Timestamp.fromMillis(123456789123L));
@@ -353,6 +364,7 @@ public void testRolesMethod() {
         assertEquals(r.getSelfRenewMins(), 180);
         assertEquals(r.getMaxMembers(), 5);
         assertEquals(r.getResourceOwnership(), new ResourceRoleOwnership().setMetaOwner("TF"));
+        assertEquals(r.getPrincipalDomainFilter(), "user,+unix.test,-home");
 
         Role r2 = new Role()
                 .setName("sys.auth:role.admin")
@@ -383,7 +395,8 @@ public void testRolesMethod() {
                 .setSelfRenew(true)
                 .setSelfRenewMins(180)
                 .setMaxMembers(5)
-                .setResourceOwnership(new ResourceRoleOwnership().setMetaOwner("TF"));
+                .setResourceOwnership(new ResourceRoleOwnership().setMetaOwner("TF"))
+                .setPrincipalDomainFilter("user,+unix.test,-home");
 
         assertEquals(r, r2);
         assertEquals(r, r);
@@ -542,6 +555,13 @@ public void testRolesMethod() {
         r2.setResourceOwnership(new ResourceRoleOwnership().setMetaOwner("TF"));
         assertEquals(r2, r);
 
+        r2.setPrincipalDomainFilter("user");
+        assertNotEquals(r2, r);
+        r2.setPrincipalDomainFilter(null);
+        assertNotEquals(r2, r);
+        r2.setPrincipalDomainFilter("user,+unix.test,-home");
+        assertEquals(r2, r);
+
         r2.setAuditLog(null);
         assertNotEquals(r, r2);
         r2.setTrust(null);
diff --git a/libs/go/zmscli/cli.go b/libs/go/zmscli/cli.go
index 91b355b6996..59e83a9a641 100644
--- a/libs/go/zmscli/cli.go
+++ b/libs/go/zmscli/cli.go
@@ -1003,6 +1003,10 @@ func (cli Zms) EvalCommand(params []string) (*string, error) {
 			if argc == 2 {
 				return cli.SetRoleResourceOwnership(dn, args[0], args[1])
 			}
+		case "set-role-principal-domain-filter":
+			if argc == 2 {
+				return cli.SetRolePrincipalDomainFilter(dn, args[0], args[1])
+			}
 		case "set-role-self-renew":
 			if argc == 2 {
 				selfRenew, err := strconv.ParseBool(args[1])
@@ -1165,6 +1169,10 @@ func (cli Zms) EvalCommand(params []string) (*string, error) {
 			if argc == 2 {
 				return cli.SetGroupResourceOwnership(dn, args[0], args[1])
 			}
+		case "set-group-principal-domain-filter":
+			if argc == 2 {
+				return cli.SetGroupPrincipalDomainFilter(dn, args[0], args[1])
+			}
 		case "set-group-self-renew":
 			if argc == 2 {
 				selfRenew, err := strconv.ParseBool(args[1])
@@ -3057,6 +3065,17 @@ func (cli Zms) HelpSpecificCommand(interactive bool, cmd string) string {
 		buf.WriteString("   resource-owner : resource owner in objectowner:{owner},metaowner:{owner},membersowner:{owner} format\n")
 		buf.WriteString(" examples:\n")
 		buf.WriteString("   " + domainExample + " set-role-resource-ownership writers metaowner:TF,membersowner:MSD\n")
+	case "set-role-principal-domain-filter":
+		buf.WriteString(" syntax:\n")
+		buf.WriteString("   " + domainParam + " set-role-principal-domain-filter role principal-domain-filter\n")
+		buf.WriteString(" parameters:\n")
+		if !interactive {
+			buf.WriteString("   domain  : name of the domain being updated\n")
+		}
+		buf.WriteString("   role           : name of the role to be modified\n")
+		buf.WriteString("   principal-domain-filter : domain filter [+|-]{domainName}[,[+|-]{domainName}]...\n")
+		buf.WriteString(" examples:\n")
+		buf.WriteString("   " + domainExample + " set-role-principal-domain-filter writers user,+sports,-sports.dev\n")
 	case "set-role-description":
 		buf.WriteString(" syntax:\n")
 		buf.WriteString("   " + domainParam + " set-role-description role \"description\"\n")
@@ -3176,6 +3195,17 @@ func (cli Zms) HelpSpecificCommand(interactive bool, cmd string) string {
 		buf.WriteString("   resource-owner : resource owner in objectowner:{owner},metaowner:{owner},membersowner:{owner} format\n")
 		buf.WriteString(" examples:\n")
 		buf.WriteString("   " + domainExample + " set-group-resource-ownership writers metaowner:TF,membersowner:MSD\n")
+	case "set-group-principal-domain-filter":
+		buf.WriteString(" syntax:\n")
+		buf.WriteString("   " + domainParam + " set-group-principal-domain-filter group principal-domain-filter\n")
+		buf.WriteString(" parameters:\n")
+		if !interactive {
+			buf.WriteString("   domain  : name of the domain being updated\n")
+		}
+		buf.WriteString("   group           : name of the group to be modified\n")
+		buf.WriteString("   principal-domain-filter : domain filter [+|-]{domainName}[,[+|-]{domainName}]...\n")
+		buf.WriteString(" examples:\n")
+		buf.WriteString("   " + domainExample + " set-group-principal-domain-filter writers user,+sports,-sports.dev\n")
 	case "set-group-audit-enabled":
 		buf.WriteString(" syntax:\n")
 		buf.WriteString("   " + domainParam + " set-group-audit-enabled group audit-enabled\n")
@@ -3614,6 +3644,7 @@ func (cli Zms) HelpListCommand() string {
 	buf.WriteString("   set-role-user-authority-expiration regular_role attribute\n")
 	buf.WriteString("   set-role-description regular_role description\n")
 	buf.WriteString("   set-role-resource-ownership regular_role resource-owner\n")
+	buf.WriteString("   set-role-principal-domain-filter regular_role domain-filter\n")
 	buf.WriteString("   add-role-tag regular_role tag_key tag_value [tag_value ...]\n")
 	buf.WriteString("   delete-role-tag regular_role tag_key [tag_value]\n")
 	buf.WriteString("   put-membership-decision regular_role user_or_service [expiration] decision\n")
@@ -3644,6 +3675,7 @@ func (cli Zms) HelpListCommand() string {
 	buf.WriteString("   set-group-user-authority-filter group attribute[,attribute...]\n")
 	buf.WriteString("   set-group-user-authority-expiration group attribute\n")
 	buf.WriteString("   set-group-resource-ownership group resource-owner\n")
+	buf.WriteString("   set-group-principal-domain-filter group domain-filter\n")
 	buf.WriteString("   add-group-tag group tag_key tag_value [tag_value ...]\n")
 	buf.WriteString("   delete-group-tag group tag_key [tag_value]\n")
 	buf.WriteString("   put-group-membership-decision group user_or_service [expiration] decision\n")
diff --git a/libs/go/zmscli/group.go b/libs/go/zmscli/group.go
index 3628b21a86e..42f64589ea0 100644
--- a/libs/go/zmscli/group.go
+++ b/libs/go/zmscli/group.go
@@ -381,6 +381,7 @@ func getGroupMetaObject(group *zms.Group) zms.GroupMeta {
 		MaxMembers:              group.MaxMembers,
 		SelfRenew:               group.SelfRenew,
 		SelfRenewMins:           group.SelfRenewMins,
+		PrincipalDomainFilter:   group.PrincipalDomainFilter,
 	}
 }
 
@@ -677,3 +678,24 @@ func (cli Zms) SetGroupResourceOwnership(dn, gn, resourceOwner string) (*string,
 
 	return cli.dumpByFormat(message, cli.buildYAMLOutput)
 }
+
+func (cli Zms) SetGroupPrincipalDomainFilter(dn, gn, domainFilter string) (*string, error) {
+	group, err := cli.Zms.GetGroup(zms.DomainName(dn), zms.EntityName(gn), nil, nil)
+	if err != nil {
+		return nil, err
+	}
+	meta := getGroupMetaObject(group)
+	meta.PrincipalDomainFilter = domainFilter
+
+	err = cli.Zms.PutGroupMeta(zms.DomainName(dn), zms.EntityName(gn), cli.AuditRef, cli.ResourceOwner, &meta)
+	if err != nil {
+		return nil, err
+	}
+	s := "[domain " + dn + " group " + gn + " principal-domain-filter attribute successfully updated]\n"
+	message := SuccessMessage{
+		Status:  200,
+		Message: s,
+	}
+
+	return cli.dumpByFormat(message, cli.buildYAMLOutput)
+}
diff --git a/libs/go/zmscli/role.go b/libs/go/zmscli/role.go
index bf796a50bac..5cf22c36a22 100644
--- a/libs/go/zmscli/role.go
+++ b/libs/go/zmscli/role.go
@@ -478,6 +478,7 @@ func getRoleMetaObject(role *zms.Role) zms.RoleMeta {
 		MaxMembers:              role.MaxMembers,
 		SelfRenew:               role.SelfRenew,
 		SelfRenewMins:           role.SelfRenewMins,
+		PrincipalDomainFilter:   role.PrincipalDomainFilter,
 	}
 }
 
@@ -1015,3 +1016,24 @@ func (cli Zms) SetRoleResourceOwnership(dn, rn, resourceOwner string) (*string,
 
 	return cli.dumpByFormat(message, cli.buildYAMLOutput)
 }
+
+func (cli Zms) SetRolePrincipalDomainFilter(dn string, rn string, domainFilter string) (*string, error) {
+	role, err := cli.Zms.GetRole(zms.DomainName(dn), zms.EntityName(rn), nil, nil, nil)
+	if err != nil {
+		return nil, err
+	}
+	meta := getRoleMetaObject(role)
+	meta.PrincipalDomainFilter = domainFilter
+
+	err = cli.Zms.PutRoleMeta(zms.DomainName(dn), zms.EntityName(rn), cli.AuditRef, cli.ResourceOwner, &meta)
+	if err != nil {
+		return nil, err
+	}
+	s := "[domain " + dn + " role " + rn + " principal-domain-filter attribute successfully updated]\n"
+	message := SuccessMessage{
+		Status:  200,
+		Message: s,
+	}
+
+	return cli.dumpByFormat(message, cli.buildYAMLOutput)
+}
diff --git a/servers/zms/pom.xml b/servers/zms/pom.xml
index e171fc1a5d3..a94f98dd1cb 100644
--- a/servers/zms/pom.xml
+++ b/servers/zms/pom.xml
@@ -46,7 +46,7 @@
   </dependencyManagement>
 
   <properties>
-    <code.coverage.min>0.9813</code.coverage.min>
+    <code.coverage.min>0.9814</code.coverage.min>
   </properties>
 
   <dependencies>
diff --git a/servers/zms/schema/updates/update-20240525.sql b/servers/zms/schema/updates/update-20240525.sql
new file mode 100644
index 00000000000..8fe9be5f82a
--- /dev/null
+++ b/servers/zms/schema/updates/update-20240525.sql
@@ -0,0 +1,2 @@
+ALTER TABLE `zms_server`.`role` ADD `principal_domain_filter` VARCHAR(1024) NOT NULL DEFAULT '';
+ALTER TABLE `zms_server`.`principal_group` ADD `principal_domain_filter` VARCHAR(1024) NOT NULL DEFAULT '';
diff --git a/servers/zms/schema/zms_server.mwb b/servers/zms/schema/zms_server.mwb
index 1911dcc05ef438dbf5df23a6af6cd8fd33470eaa..14ca71ead9e1504baa358a1fd190829f288107ac 100644
GIT binary patch
literal 54528
zcmbTdV{l~Q-?batPA0Z(CllMYGhqi4+qP}nb~4e#w$T&Y@67+fTj$jIbiUlXs;j$p
z@2b6jd#!b?TS*oi0s{mL1O}wWzFq5DNH(3f0t6(_91#Qs1O&v)!PM2x+}?%J&dr3;
z-Ol#Uhqd!J>BOs;-oCs*jg>!-Q>H6kCWhy^s&OOhakiamcnp@F26Je_fg!5o{ZLX2
zWp=%9G2}E6D$deol#t}78g{m57}){8!k;@NgTFrf-gk&*6ymm5fYT-|?|DLVLP>d_
zSB9U4U#1%RYLZmIsDqauJ{tP(GkIDsBXhPKJ^WQ^*kjmvzky#b3w3$h?_-8>pUy3x
zrYcNjeMBFfnM-9tTbz`i^uDi0U#>3qLfe{UX%BM`8yZPp`ie}xyz6?^Ol8>h)xRgA
zhy-<CoV#Dhga{ZczV6D(yNy`2!ZT%1#3<|6m8BA`N2>v;b4;bBeJcw>oN1O{cT~5^
zstQ!jHg%t$KN-07bLdN#&hi`t6&Dapr8E*?nCU4|w9{{MnuM)VGi-h%Hn?$`GUAZw
zrTu;@`n(tN>tyk<d+9VcT>t6q+aPGa{rx4_nMT}W!PQF<J8ORZ?1zW)D`f8nLY|?|
zVbid<Yh&$i`%IRuPwTsdK7marWk2g7+qw6aDmO(YF6^o%t<YblS83``Gmgvmb9sI>
z%YKW%EFtfo4?{&Y8i%zSb-$S=%HL1848MkM%djVtvi#QBcgqYv$NKa?f|$PET^imG
z3PA7E9!4Cv>I}aIkSFJF4cDW0ziu32Zn6?Q-)24+pp#S6J>)}i@cL3BUVWAQ+|?Pf
zjD5F`H|l)Os=9QHPcXj~VxIK*t#9VqX-+@C?=RV8<z0H4#L4YnU2ry~ds<+e;Dt{i
ziIL+*qY#=rMpqt+Q@;Mzrau|2#N{y5nJ;B%8qb>%wEOgZJyEid$p~AqLy=p+2oB9I
zhBOX>N=t#H({_q<l=-t|$6TEWC|Ep^b~nAZiMq@{GLLulQ!o@9GSsB<0O)*~_jK}q
zb*B1woGmwd=94^tAbP029#(f+4<4U~H6m?&9_R{W%^YV+l9lX@LqY0=H2&(c>Zi&R
zQF3suSCRg9>CGN3SDnuKsLyr@4AViHMXu9K!;U)QLN@aOmRu430*}c+SV?!-nCpaf
z<{fS?|MJzQ{5;{bwfD8%fe{cRt2OA+TWJc7o#qqbI+<kJPQ~8f`oSqyB*>sSshBs{
z*YR0lhmNoZ&c0{I!Sk_+i9P+4<(EmTJH7tRYr1%vgztATs5CzKKsc>U=Sn}A^tQFJ
z3a6Wb4oM11w1!*rA<0g@r{AsT!(QFP?cx5D-!1ATM}w9xAlE+gdV%TihRg4X{tt>X
zN3{aeOlqF4^TW{bZ^6}A0GCFVq)A3Z?=#14#XNCvp;63}Q3yvUP*|_miy%jBbTL}t
z%KCSYkB+`UwE=w@@Rip7IYe-_0a<AC_28v*n|*FFDDE+!G<$L6tcvk`ZD{6c&%&GK
z_SmGQR^j{t?=Gg|>}shq(_j(E^)NEowYjcAHWTS9C}u_IM7{kq()sF3`+g_7xUX8H
zpjb7UvvW+gWo-GgNv16Bq%7)ee_!1d6Z3&tYo=;)A?j=Cy%&hmX?HMkd~|eX4Q#mo
zP-R0FY;n*L6sl3+d{XG{61ro$GU)ZVNlT*<T<%o(s9){Y)7SI!UY{O3o2Er1*fGQk
zI@|Z;IQ?OwDjMH8y+IVkI7#o>#LXvE)AvMQYhc?Qndh7F_u)!Cc(8S9?RfdTBmQ!>
zUb+x=?t*pu+0*(n7k7o_!PZp+%l}}cx+!Pr?9b89Qr^)EJN&4y&bt8%S8_U6<;g>S
z?g_aF+3=8gG|*hfA#alb+LvTA3aRCSab7m5<(mXo4F}m}zYW|Ea`W)Mz`m!Y&Wxrm
z38T9fp^tSf9^&h99FL!Cpm&{X9W4~?E|futq~ZtayK}_PqY%9^OEA3`15af_7dSpC
zSO+3`#2O@Tk6}Jdo^1L|wMZt=Fd!S>_=wSXD^%xYMAR6AW+@=<m05^cpN;gBb0Nt0
z(xtdbz@)iF(G;XO2+>pqArc+^q}p}z?x~F6$)LpqYo%3K+<$4O;>4S23<?zma9bCv
z&Rb$8co&i8)x>+7k{gOkhzVMtc)x-7PEL{_ef|5(_Z}HJO`$=pa{kxjf$ESxf$r8#
zXd>_-r{B<DOS6ezTP2CMSYAr?V#2(koi2{HN)7zNdM0n@zt7tEenEOCEuA;lrglLY
z_SiDkAocgAh9bfEEz1scTL_CezmBy-p+`WBwZo9Q&t%C?g!iHDIaH$fZ5+h?!Sh?7
z*+;%vf%IECvIPM6aUj}Q-Gr$Z=TD~4g6N$<P&+_vnm{aa95r||L`5-TVMEw>#4%!#
zL)b=`JHV3Y9%(xE7hcwgGcYgy;G?LaQ;arLlfY4mSXK7_kPWaD=bv0dkwL923OvV0
z#~O2Q<j(rWuRWYJVvl<4(%ETCy~)>VYkBGq@~d!q>K4R+W!(xxoH<5J0Zy(#nBs{L
zl$#c08R`y>4}`hf>w~w)+w1*tr0#55_X$|#xA*0FzcE?lR#)hi6?^&m5F4SLg<3-D
zbZEY3{!-ejmAy1}r%!fg%b`1k{r%5aYm1BUtl9vsBq?-7HMod*5fUy84p2>lR*D2t
z)LCveTXjkrA10HpbUz!mm{g_V8|Eb3MzzdG!Rq`h$<Y~bu(zDFogOTl9FyA`-zu%<
zCoi8VD=R=vF5BqmK8~BpNfMl!3V^C*L*d+mjjGmSjTky|V~vj(A1xtqF#<d(GEixo
zldl>zx*-6jAUiI-k(&}9j+EIP5X_As7E5j3P>mHn^f9p4Y+#5#lbUs4Gd>5pKX`#a
zs6t96OM~}qz-eW(*}7GhphUP@dfa>>We`|(0A>;s5q;3rt3&vWl64<*;Q|=}*d*N}
z$QZR}@^R*_;j@n5=+fRY{XG&TNh<peMEe&6sWq|&kMjC30?maCt0TmIy1x`hDQ7H7
zxSHt?GBAJ*u|f4`d0O6@YpWJg|4@xQVPdDXi*~2p{`Yw`D;M5Ct^{GqBby)RTo(L7
z_?Sqz1NWn-`|--5++z6lQA6^og6=v*h8K=VG9$IA$gr`Qe3cpCm10oJc#zxcXmmeN
zD_9b!Dp6yL0!>4#BTa)%%~4`u#_aam4RQn_arrU?i0O}aTi`^56>@`SY5Z9hMNI<P
za#c_e=uD#FqU6^A!~4&SYmS12dSW3D%#WwB(-we6{#pe^4dBSgl_hv^l<pcIHJ%DV
zM0`A+Hn)fm*p*E2ucVvJuz8b6F56M@AsP#cSZ1k1wg3@Qs0e*GCFmZLg@IF&tp*m#
zv}Jc<{xr^r)BbrB;S>A_)xo*wh}R;~LZ$R%?oklsa#RWmnF*9gFE#E;;Xm!w)qPwf
zTV)3?`_0v);A)BICXfER)Y)bedMQh@puvc^{7r=A6FSa#&C2fO+>G46S;PUsH-+R7
z2jbD#Z6o{Ro~|B(w$1G=<KTnFO0n@~tiy-w;lvQ`v=mZjVixQ0WH|eda@@&S=on)-
zbTU;+{ZOVO3QE<VGe@0*+j<I|3lIC<8MffztG0G`@rA>}V5SBl*D<xaQr#V%mBbYC
zO~*PiLCX8(_2oFFG_j~rk@CvFpc+<Tqmm}4O|-Fw4zlk0Kb1C@_d!YKW~E|Kuvk%x
zD>94+;F$tYQj6VWlmb>1#zKZ+OKD>r57gvY)KR$<+CukY{!G0by%zhTiDcC<5UF(I
z1SK|$MUa16$)=TIp1|2%WKm3-8ZEj$E8i`r`1@NHgGDqtT9fY88(V;<uXnEjM;^dm
zb>wjriH3m8d=mC9zv7md-*VT^T9ul?l#_=_;JhmaKA3}&Di-bEN(%kvbnWi32H_U8
zUtco)9S+%fF;W*<Pz*8<0y#7jB=iK0OQ%NtT55zvdCp2s1)mHv1{H^p6pPQeVb?}O
zaD|wnaD9W97(rqWoI}lji8C;KJ*bHNd%R4BQFh`y3Dj7yh%5^WAXqXyRl_|vTrzwE
z%+Wv-d%9${3Uw|oU?$vq*~Y#ct3*D)ABH|ab<-a%d;M3F32dAAn0PN-6VezC$ohEr
zJQ9z^;g#~cCesena+SF${9c=UtT9TY<H$f(>93Gz+-wB-i5~QfS8Au>dIz=ZDu`p8
zSXAE>rF6M~d!SffBT6mf%EIe&Bs)yM-J?Lqk@h4650~Bic)$te_r}~4v@h`)<}61&
zkZfblJ!(+yto<7zuzJZvA6$COQNN9|1QkWC=4zgkBI0%pBhw^7>XvJk2zpkL_ZV0|
z^pK1o)8QR4wqc_EI_S^RvM9^WkC)jx!qfMoM)t<&5v~=culez*X)u&l?QWvBWzV^8
zH*MY;!4I#GGoh8JC`m?+%@#a>>YM>aM=q5|OD#6l<b3Q5a5)Y8QoHBUI+`$_g(<b^
z_24AMkw;e!IIY;@Q}L}RhE802ewhV+`4C~mVSd*M%ZMT>aRDPl&8<_V3ASZa!BWUh
z$g)o@<?NVFZrq6AZLQ*c>iu@;cpJId2YcsHyN8N&L(6+vjts_}JKYGzjHu@*cEaj%
zSzJvHz`C~pz3zGy-1#Zx*R!`{8cbxd=I7|^Q2OAs+(x0xJ!hBjIxVcVa_6bfRQB-a
z_{fl+ZSI>UDMBSXjB+88O*b@MHH#kfzLPsnnVmoPuw@6dsa@%dDba32$2#U-lttzH
zTOls?mUq?dNM3EJU$^#qUZ<kk;_CB-OnR-2>^3$NVE);o*_li*Iix`hHtV>;6?vkw
z-D)Qonu0%@UI80B@73jWDXHhDv|*3$O_kS&;nsT7YPSy4@5+ZVK>{y<G0&C*r;cZ@
zxQ$dU#gg2QpKCVg#+|jYe+=HgI_ZS_I;BU7p69zKr$^4KVd*->rplH|0aR&Jx*UJr
z7<qLuiLTp@th0<)OlWNJ=hjr)ACMo0#eIJI>UsMU-aW~xEm*W8wG927q?_Vwu*HN{
z$b!e>#9Cyr7YWU8zgd(beVnGNK7#2H9i+F^;Hy`Fu}X~Srxf*f{FY+G;x#l!x2ake
z-&t<%B>x+hjhMPYDHZ8|Bw5FbfpL~~tO1E<h~hD3uh+}I(00kT0?C;!?%CDYG}lMA
zD6dnQBd27UBff%h*4`_GLV?jZbRqpSIR%Wg*^N#&_)IZ%ZWMazoq#i(rK+H488hBR
zMhkA@kI@1ugzN~&+2QAX>`)XQd(6u!)xQd1qyl*tvnZw#06`YzmI9_quQc9M=5>M5
znsI!JQK<TCrmz>4#`0lzBDiPrc+<{J81+(^D*)UYTr&%e-Q&g|S~h)z?fy=aqoAz%
zi<3Q4Z7}FaBal<9bWoJ6c#Z9<p75}<KkgC9gZeTU6${@O7J@1Mk^hL5RGu{0%L3mX
z_p-_@oth=q98tM`U(dP{?+g!)pKf3Kcj)ZLBhrSP^F7iWpEuODF-J}<V_R3JyW?+T
zJE~Ls*fAbkHnY5bE`;Cdwuzt$+29EjkTZoK4$)4(wT5c8*mfLiPsr{OITU$+DD+EV
z3MVT-e~WU!QNvAO$HPk!+i_I%`Oe_;o1WztX<8Vzhle{SywNhOWl0iEanB>-zY`<Q
zad|`a?v>p&jofW>X4^#N?z!_1jY0oGe-4ozDUYBFcTNo26=T1YvGt5Vn?#otyht;o
zj>wLgWx^1&sI&!P%7G*i^`Ac=j7%#JZc(ua@Cto9$CkNJi=_>mls|hWSNCuq4fwhC
zqs;lh^`gaa)grUVFx+>~d6kV{$Zy-%7_?lX&rysoG!AK%>KeWVdsMtC0G(1;Nm*-8
zAZ&HhPnH)gYc=;J<Y*G+L-af+Wz&Ot%ObPO00LnN&S_#wYLepw^<z-r0Y1nnm^_Ju
zvP>kH@-A2gR)seqgV9;4zULAC--W`@F?l2T8W)A!Rey+1P`rka-NF+Q)GH>W+GeMb
zQxfyIqmc8}izUsAWP4edDhXa?82&0JDAI~S%N@fYzNL&9=z!q-wtg7#Dh!z<19=bs
zw8(@J05RGfxSRDc7|-o)gIQc`y{so|eeYXF(UyLEid|^<jPO1<eq_-=KRE_C+kc8W
zyZecXdvr<~J0`yQ<BwoKTX{^PbT9%tI;g0H%4;PE#r19s0;8qr)3k1OobviCZ?33n
zP$75M$lmVA!}YjqeDX6+GpF+2+3mJx)JRTZ^K*D{yFRgPyiqdC$dcRC0(sL7psr_x
za{<3c{2nVWpv|3Cz;7FAA3p?9@{m}NQ!kGceT3RXIvm9;nK(FkS8EETB{CaV!o<<*
z82xq)Cj`;?%-W*cpWfP@S0}*6EJ>TRnt2U=AMrK#?Hv7>m8kt;_q%PPcNCX-IjoU8
z<L|;H9mu|&3~Gi_p4Z@0bV2aEYww=SlozM>sXBsNnu%|*zc_4peuUN5-d)VEj}L1<
z+&r8Ql>)nf57Hkd+NncPf>_%OM7m2v%=KE2&mfbp2O(XxsVj4X9vmMBm5T~tV4^2W
zuO@RS4D8mI`m`|ep^mMFKK2sTCs9XBZaZApKnKEF8W&6GtyQTD{GqYeN|)9*yu$cc
z<crZ&j!)k8Ra?R8W#l(;yY3CY+H4nJ`Nh&=)fpA)CoVsI28+F?N%OpsgQysJWN-n(
z0nZ1Lx@AlCl@Uv4WqsSsv#-uvjj{zn4TB}1e1?BqhwD?yhK*czMP{OVU1d_K1=g9-
zq0_vvNCyyni*?aqe!G=@xVy)$ZmhkdoN@&c_P}IoOiU-2J~ig8Td%h8%KqfX<&*7X
z7FeOi$BoZg8wr}&&fgaz)rfVM^~{5!ofLpC*4-JvbH;u>sVkIH;kJA;?GVM*t|Npu
z!2d_y0N0&OKgX?-d{yv|6}A(zC<O|<9Fg)Z+ktKz+!772!sm1#lkQ#&>_8K-c*9M5
zlKHS9-MN*w3Tsjj!jC#MVg7oNdIo@r27@i{yr{>l&@(+CLt%FccBOG6+lLsAl`uo*
z<Mze0?y%Tvm)e@epkpT&@djo#!4Y1LxN3_omYbq#-tXkprlkak4>oFkweE`3?h&F1
z7&+NmLvnsCh27|SP>~w}iMqwwI3a+~VndZzs(?7AfubJZfgWlOx=ng0ey0lbo)|pF
zfX_nKUDcD}7#KXRLGV>w^=>ntE?IQhXgp?!o3r13ne0k)FnB*Qj|9(U<rg2nuRZ#W
zTy64NI48Gh*K+@G-n{LE{$)>9R8mmu_N2>=NdPQyE3GtNgCpQry(NG#hSd5!5f{KL
zX&xSUT~<shQi&v|E>5lD>Y}C|hhZ;SNviJ0tX@ZUDbl{az6hGY!G|q?37d#U7@P`)
zAA=CAKHwpb-$OM5Hr`oh)`B<AE7-Wc)@t_AmNTcQ68cQ{>}6P!#nWX2VXyo0X#d*M
z;3T}u#v*}+1};-!O>0T#NP=P%n2?>5pu+~SlipvphA_}3@cemSMo^^a9DDlx-c{7_
zMJ+4p^N)@BvHxzGN%9mebSCXic?91zCpt`mBNd`L5ApjbWM8i9d>+mFVAo3B!erZ+
zgW-GTcDHL^?<@9aon&7RzvmNeXWQ9nt>IN>swy9$j+2?W@&EO)2aU2kf4U;pmghl5
z*gOlZ%<!^dDNOG5lEV``9HoCuHkAh81|O&ATNjI4A%Ra5sLuW3Q9-R(jfq@Y8HV;Z
zk^LSvJe;4TnGkT$!K{o6AL@=YD*l7rIaaDWosE%l+1YIWQI5O|YF957+8^4<>-b;9
zFxK}kVz~bsF@*U4SH#eBb7IkSd#>!tqpOF%GD#_9_R}S2%h9EQcG{o@SadvpI;ZWU
zOrVZEGI4lYD7c=T_L=SXWBYyY>2?3f)8}Kxw~lj12MD`rZ0j@dN8=a?rd16v=^Y{9
zVHHcy!?5Z)7s#48SKREJO=>#^p=(1v_|v<-#UilYXS;rDvFwgc`_F5+N55p&(%i_^
z(ui`)yUXJHR*`iJzs`zZUo{tY-kKL@#Y)x=_KD=(Qs+DH_0;U9*TCSbRp)ms7Pcf2
zR#}-ORaKQAz=z<WJTr$O^(*h|Nm8Qx;|r59FRxCsB*X7={IHHFUnqWKgSVJXO(xM*
z4!lK$9Xs44!ZQMdL5rD^dZJJiFD_yfb3|?ib-vvM!#X;GOgAsY;O4oVJ~Zl~>_Gd$
znytU$beR(wCVcZ8CCNCxn|jY$4$U?ap)g)STp?K#B7mEgSb<sEIa)Z|3W5|20PJe6
z5;{M!{F##O3_@scckAz1UVbCr@_lz03!n93K*yRydIT3yP?r`p%ye*1%*f&h2EdKV
zHcYbb2-FpMcs0?&v$whNH=-_9%l!cx$%PpsUZgjZ0$vneFyVC;B!LqP7s@u(if`I_
zR7|McT7o7u^da54Nw1JPX85B3(b2X&r3bvQfIS0#43?ZAv*>$4|0q34B1ThwuG2|;
zsA=Jzn(6Bi%=e*+RvbJNtM-qrjEA?8X2Qom^+9vsqNEG_;)CSzhtk%n3cDqTkP*S@
zW@0ER#Asu|!?**76R4yBiQ{lFF_W<kcHrwr;V1JSyG#aKLY3%W+yztAD2be|PRZaz
z2w}ICY>C=M=#_}k@Znf&bYn2XaBOs_;W?(mA`z<tr=TPa%*;vIq-Jy!FoV=ud1#Id
zJ<7?BB+LgUYEsoa$3n3v5gcRhl4ASIQvBL=j5A@7`^%KbG@x^mrD!GbG7B>4zbJ5I
zd_YZ0$20O}qQklWh8Sh({@fDyznMXAIwnBxYhXR(YX^z}txaxH*m5xd9V;-waV3=1
zWXzLIkcfGRM3)Kt8DvSwp^m}BAr=GX9J-hz{_9X{Dttyw?5LNr0|``1|6Rv#HeuxG
zRBRDyD8GW0P(sa^2hev#y=IE%)b_{s+LgG+hKG=-H#uNVgjlcQ^C@3QtP}GzvZAtl
zragadHdhECx3zglowF<8k!D>e+h|#%+aw~B1r<|FlX8}Yr8~1w($bnRg9Cy=3rVqn
z0w(^eh*8somjG>TKL;l$A%Yp~GIPu`#Zd(dWSH1tR7&p2eB0Y;<wB4dOvsrDTAT8c
zWys)z^j#@jO7d9L*ko<F8A(p0{?RJ_!73UqZlaAW!D0|rXCi$m;tG{%if@q1*9a`q
zCFyZ2<kcDcj1mgW-vQn$b`z#U2;$v7>o<>Q`8033S^VVqP!r~AXlNW*5K)Bu@}R|&
z{1LZ&lh=dO<&M7~j;Uf<%*>p`U?T&yLc})n@&OtSrNEIFX5)RVQKazT(0Z%z``v7t
z#Z4zLN!EaDZ%2AFCT$6{*vMdx(!aS4v)SK+3891}Lhds5!_AAQtFqv+F!Sd8At=cW
zQ8JbGr(hULk!>Vdssu|x04g>ZX7BsN7ndkNPU#RY30)FK+@6^S)lIeyYX7f>c`h{p
z_+bcA-9jEjW3Pi#k@zd|1nvz4xy{QIHcso2zDS4*im;#qf)CL#CW%eBS0j8iAum?U
z310oLH{g63C97H>EWRD7Od_P0#*~=<PB-#?frjY=4Ac#74zUc@4HkysJU)Qz2y-Ck
zp?;W9ZpK^5&ZbSIQB$OsRwi+!MwDZez&Z>^NBSh1hVJ1w3`?;TB7CR35uGB`52u0O
zJ9iSOiK~+e0@*Az6F(HSo*s~%5r#M$pq(Jb-N#5t<`Y5jHwDcvhpnRx0l~)w$vWXQ
zChJ6#fgR!>6d>L8@G$S>u2YD!tZHJlgPv?8B7!4&T>_sm?&$8lxjTM6GUUzZ&_)>K
zgnv0$)?vzjVpJ|$D)Xxo`Z)0f-2CEP$tlz_(Rm=9ct{?va_!;PPW|a^Fx1;!|5DMW
z=)B>1umZtY-P90#r$dcGkqTYL7Iv8Z#G{;G-n~#aSIl~64e)%erd_e~+<<xA_Fi=r
zs9Sk((wV6>{GbT?!<__04j8#H5eq;y0EZ_}$sm!NC|#<&)yLtu!2R5Q4$Yg>_g&rG
zz;ydL%9LtO=dx%t=~e=)0h!c(VL>@AM^Hxj{6z&s6Z+jd8rL+E_F&=J(V>;Y0eo9-
z&gO`#&ipU??H<0824`r<sVLCSH88Rm<7K(j=xEvUxrn<nA{xh4H$nAc=doVOrZbhW
z(PT<YyUEA?$I*EoD27B}85Xh44WC<iiyQJ6?l38*)sH$7gijiWuibnsyscjv@*x#D
zKs_9J6m_`?lpB8jJRID>?(6wO_=0c<HT~7D659g^eDxC2T?HN`c#m!1;`+D!CnB*N
z^V3cp_5_*Q#<7E`YL6h-LQ+YdqYq9qqERGP(SA>wWL5T}GPXqj5tH-Vcl~oft&A!r
z^KZJj^%$Cx{N43WYxZViR3EA*TC9g9J+(c&BBrMKMLnt%F^klAWSVmuT%k#15^SE}
zY^_&X6fo|7CCl-u;lVe3?SnXqYr&HTxRJ>47`<-tM}+(R9v*!TA|=u}&BT9y7r-pX
zM=hkSIN?XiAK1(Z+(yYe%9W~_X7~F8&d;gYRlD%Np-8?~@AJaaeH>TRm+BMX2Jc&+
z{*ls8yYaUX3jijzi{x!sBXe)%^50D4LkkW0ip@}94TzYoS!eiuZt$hq_DIiJw;a_}
znOEohe?t&D%Kr&LX1qIVqgFHu3u42n&Qmvq^N4{P<EnO<1W8BZ8i-yKr^WOkF<)F>
zkvUaip8JJ@d_s(Z!f`KeBd&IAdSSduoky6XQ-#IDB8$_lP_7WR5w8JO6)_W$^+u0V
zbc@+>vvkRfrADeym)5vp1&$r==x|Oiv5>Mpdz_vjUgwyPJER*8ntx61(>>gqJn}^b
z+@`o=0K2`7wb6|!4YjPeHQ|ypT{fW?uRx>ooN59w&7O#rb^n~!XvTj8C&y!lA~HfI
zvsI^%mFLs#h+nsCk16H6=Jw-N-b_)J-J)*+I)U41@fyPSGC;6`ZuEM=6^VCO>rYmI
zhL3m8YyH{lrKgWdpH}L_bzxkH+vHg412h7Cs(@gB<EQ&x?G?_?W=8}0ulC;L`VaM}
zyB|IcR`FOGX>s}v-6wy_2#Ilg9y)Lva+y*!cYJpG>-suQ2-m(7xR{c)+#wJFtLE1(
zZD1661)IN_uDk=SOq*Wnb%g%lwDf%f-aszjGs~wRl5_da|Noe)7uTmPW!rz|$}9M<
zxjH^gabb4iIjhg#d<d||J?FA^(8V*^-fmqn-PB`Glg4ABWnA`=D?S=G(Z;(m>ChA3
z+4{Y-d9{|x1u0hZdf*jU4hnPovxl39MqxwVtJd$w_s9*va8}f$bXkDm_G^V)PgAUe
zuWt6h((4?|v9ZJLM1R)VdG|uj<fE}<S9}mEZGe{1Yj|Q_#-^v5);z_#6_F?NAOs4m
z9KP~rli7dSt2wj$FrP;Q)ac|;s&5#Mm~i#_?7K-b#N}-~S{22J`m<ZKo@Z@ev!s_E
z^(U8K;&1xvS#*AyZDEZT(w@rQxmCHv2;EGe1x=~SrRIzQ`#En-qO>G9HNNYY-!-lj
zWt46_Y+8rBd#wi_8GBeI5bB8?0L_amn9;ChWU{!n^oGI7pwX!q-Kr6@#U+ooG^zvC
zrGbdq@OHQpLO-P-Hvp8)N4ix)t^D7+JWl=>(;~SK`=gPC(X-rg^w_ch`}#U#T58*{
zblb6o^lZdDvCEB6nyBq2LNS`L4Cl2Avf)^NT(K;9s(I%W{yKzt;a$?2#J{WN3#flt
zC-S$e#z%QBKgoPGB7V`s8<mDin{<<-uun#ov8h%Qq`g*0gQVp1cUS>SO35}hi%2-i
zPcUa3Iy^OTz4t2En5&ve*iv@>)K1%T)!24oH>~>|yLqB=DCzUSSQi@_%axXO=gCtA
z4I|ao((Y#~F_#n|u9(cC$mn_NaPiG_EFP6ndU3dfwXz0jWF`s1dkP8%F&j`tF=;a6
z<X6e_&G<6zcP%|x!gt$4vfx-;dYY;Tq-jnS=jlWzIs4U(=<Bh#wMX8Lf@$`#Lnt}>
z{^)DVcvOR>g_GRn*_9fh>u5)VPO7STqQ#BCC>)t5=2~GY#Y9+29n_~Ox@-ih{(JDA
z!Sd>piBy1=_ji<L1PNK0K4@tMR}%9q>i<lHRv!Fqo4WdGcF8)Fo<Ym_+s+G;y@8`n
z1$$ViBGvYle-US-bZz<}uUTRhD^`*oGXHqX4kZa?he;yczXb>mF+jc&r0Asn*W|z4
zOV>hBgO0|Qe`c)aP;~f87xc@m7~oP1(QYk`6Z1EqncPDKPqey}Nt+kL&-9!`sCW>c
z)h>*CW1Q7W(4FN-?PeqrYta(^$j7f<2+$@Cdc<AOA9JDeD6PNUd!7ea{D@3TyivI|
zDCw%5;D2M6tF_TpC5YQv=f)E1F0GH`_dM(W^(S(y+&17xV|+QXjwOkFZ2A=&ZR77U
zspYwZ7D|NiNV6@f#_iK{B$4IiQl#+eb%?B-SYaP>Vs@^OhK7pwy=-PdYD$K`2Fa|3
z;d^6jT=jB(@bKz&7#bQGR31X`L~=iSNG$}Q`K7i)|3@(zE$k3(po83Q7F*En2BG)f
z7I5Y4Xyc%b$yeTCyVKC{1O98JXvcuC#|v|7!^LH#&TVRfr)q3SCbpQq*jA>?kpB1i
z!Aq^NM{6d-aTEzV;kphlu@z-OiDfFdtPX}16!P{kNUFJxfkHMN20lJEI~9khGmh0|
zW~6F>ni%cRqWy=Q4$%C+JQtKj*^DAu9V&5`Pz(m4+61<7LP18|{|ucKASSmc2KUbl
zzoWk_*rRF@>T!@l>=T|7UKI2?%xh>&euCIq|0UMxKFfg?NQug@gH158@er)KOz6rP
zW)QpWAX=I*{THB8ZZUm4xX7PKf2BZ|e9tG6Z`x5w*zC&tC;TU6)snS7!{0A7TF`GJ
zJBF|R{!Owahd9{K&o9Qn6P^wC-k5L1-VojN3oQYrk7XbZFYp?O@^QiYTqF?_=KEJU
z@9lgB`^8Lbcmhg_IQj+V|Dv?;V1?9H9N++ZiWbBqX!bss3*~^<V7RS}E(z?|cTowJ
zH$XHwy|Xnxxfz;ByCgCF|H{jSypRKMVk|-2&g*d(+PuzdX$QsQ)`zMew=AK=cEQQo
zxJHZ>Xe+W%tQGw#az|fRu|STBsU`Jj!KiVrA4EH6Zw7s@vPf$HN<^uBEkIj17+E(I
zmej2Rd{U!zOS<=1Y$erQn_AiD$?xY9`Nk`<ylQy%Dr2*gFwJ6yg}UDI|CML#Aa%WT
zTdKWZ6iPW2C3wa05Mpw8dW(38%)t%xq{wFQf?J8ym8l`lRW)?v-lhd(S<q@$3<7Rm
zI!M7qZ=;97h+MdRnlL**b#yEy!kmwiluJa|T?4Cc2&?}`yIH^dU+reGaOB|(Jon`6
zdB6A-^7lUUdNCERx^nC~_QT&f<<+Aqcy#M-ZCsrscqM#HLdC#>XQBSq9B|qa5}4e$
z7(z|Vk`ss-JV*aj6&!qAO=t`oL7Y^=4m+!MH$N8{U^*JmnhYejLt8Y0jVNfVSTFpO
zfQDuVG5y#XEcTb2P>|OLLttTfl@o+1YgL0R@;~9B1&z>zX=_!>gLGRO6c8_<dWMkW
zp-QPnPm~=mBXB8&Qi6+nyClLfvSMLvXx7z#eQwtF3~s;aonjVht`5<8->{bUU3Ay3
zKJkf-MXillUJ%0-&WhlN1+_n{`hYnkupYq+qgiR9P-pki_Fwwn*vj8`%+6h8wXL!>
zm~w5CriH>tMh+DaI84k+Tx&zXh^)?!E5A_B>29hzG{p2D8hAz7m3k;TH0<0fMX(W(
zfls=g?UAcm=L7PsSht_aQ(CwMnA1H=7szz4lHxJirOiFL#rti}1I(=x=hf<y0iJ)(
z?ybmbZ#K)IFFAG%hHxU&cf@|I05+U!Eer;k1HK_1tXi%9*fi00rneEa(!M*JGSR*p
zVzk-5ibPB07;8M%TE?Hu6cR>>G@nN9sqWbJR7)REO5?y5=4SQ~JDQ39Q(OIFYQVS5
z?pHj28b@oTkeDz9iyUwRGN=oB1PPw3Q{~M`&+CZ;Io;COq>RBHC-IBC0@6N8mo|KN
zH~go0^IJJN^0;Ia<n$Q%SplTXH-{v?KJ1ab3Dv6lKeVa(TV;(^OQmZV^a8w6M@x3q
zuKeLP2L|s}<Ma+Li<{Dpi8v?&=FIG<^*oqqlyta_664j%H?E-*<79_6^6_=QR($q>
z(-+4iyZ?zR)lYFE9x=)tYPVoe2j=vA%_`)cPH9k4$9X9m@nRaM4#=wJ;3hNU5dGdr
z#XEQj@<~O$(LqB9W>_OhbHfCxqR^UON3`GOaI%gb$6|&i7lGwbln?R?UTd?8Uz0p{
z23$!5d4N2(G`k3c6dRb$6hi#whfWBGnh6J$7Z}%u$z_%BJpjwkAq5$O?vIRt_D{xz
z*!={l&qPuUFU!dR4<w4%T-}9e&$f+tDG!q%0ac+aQRhuIR1Mxq-_-<!UT+Zk`Z@W1
z03E(MfTH}ETx2H1%X@2N5X*NSFYX_xe@ELV2};#9f?kMZRb*T(9P)#P_yGd9=p@MG
zfPcw&(5=iWN)lD@MKjzCI_772sqKoo`}(H*w_Z3!4vv{#xVSR@2z-(F#@y6eq+NU(
zvMKTj3eBSi=ITLbP0ZY0?oKzk<u}!kGCygk>cIt3)CXY5;l+^*p=$N!#G_-1M<lqB
zq*6v08cB@{l2~UVa2_mM1wZ_j7bdCQ?B|Rc2bD>5Wu^r5kn{d74;{e;1)VLEtcA+D
z8Bs`hb`j(HY?h|o&0{#DPS#ZS$FjH$%d|2!qU&5e>&*8HZj`-;2=_-%tDq4^Xq}8Q
zaizac?Ot*Q%d!o^z?+hlEh$6KMH2W4N7$^IB+NSNDA|8|i>80x!tV;cNAw=f%RR(P
zHRI$>zR=Pz+j0WuHT>WjwF_Z~>KZo$Hgh3g1X^Ci3bntzpM*BG+LVQ-!{NchLcm$z
z=K-4xlm65i7)xw`RCW+aM$oY+TBY2gO#V!JnV@Nw+*!{f?muFNJ7>x7nAZUE=)MuX
z7UYa(8JwTQjYQS3<n9Aj7hfjIF3;VLp9zn#7|5gmSKlvYkx9FE*Xt3|f>WSr<)OOA
z^aCc_9A%oMDM29!RfJYi3IhRXe^I5mDj{K1*E9H!QT@G)ydce0lAQNz{vqv{+`VxA
zA<qA>*1;5Y%_BE3rqy4e{tJ`=rZh@)sul{D8E#rnQ<$qUZoi6M&2c!nmXkr|lAm2@
zc&>Acjml?}x$lvl7Wr(88X8u%|3T($63?)ie!fiuo4sA{Ax~EE9Y_9N<0#ZOh}?pt
zZJ2TDU?W*%T;=q!2#6f_pW0CS9Xo6@js^*+o}t5ZbeQPzHRRLQtdLpOASqJwf>cZd
z-)9^Z1%^1m*u5@r|KVfYLd$0a{-FyBDWu<Q*&A>ILpScB3=)546WMkcE4FAiHHo~`
z+J&lCs2-xsowpkQS+W`#VLuzAhCer;sSjiDZVY5A9V&14aW)?rgytt3nv0)|RlbGL
zj*b5>%*DB(aY9hO{*+(R8&-bjV_?TgqyY^3D0q|+YAZqfT_?RxjruU9?wjB3(~=&t
z!<6QO701NMDS&YA4gp*W>(<Fr*T>GA7I$s1F8u;}>f|WAX?dvEahZeJt3N-dLg}0C
z%P*Y{_f#t2DMulRS2?WIIrRO1nXjd02mbPQttXa*RH`WR15T#2s?)BGj?6cKjoVWH
za&<rNx=B_de`1G~sHCL*`mN@Z*D}uHb^@X9j`nO9yyv5uyop6V;PY|Y2&!HUQH&np
zBY7P{_um32-#D-ZnP)xZTeK4FFxY}*^83{Na*^m7V}aybeG$77HdC+CpYYW@+>PEz
zolxQ$+40AK=kFx{W4=`O-2NZt>v@aT`>gG$UjAa!YkKo5>T#o)%gIKQ%gPQdgB+TY
zgJys2?lvbspZZ3S${K^k&3+cH;=ibtqRwBcwKsCovxda>_Lpk$J%y%|q#iSH&hVZ4
zcHxu|vj(6ibEUDfxf`Poo3Xa&1q&~zp8KjUeh_LrZ79X6=dI&z78PP2RmeBQGh?A`
zmx&IJ@VNJ-F9)fi**jDLYd)}QN8)NL3UaVAP{H^mHf;UbnAv3=*OZw`T1)1%R87@v
zb4)}kP#axG<7<8``<MX#Q-2ki{m=AIK`jfsg-blBTuY0f_(6e}NXm;h3Z4M<Z~C)_
zELDz5YLp@@(-MCBd@NQ_|L=Zlal8tYC8n`(5v^V41pj;@NRk}dNzc7D@v{VEZ->aW
z9dfVGhxN*7)=Idbm?71DPMzizc9W-%9+TxsRh45i6LcG=hp<wyvXyZYIH3xZu^!0e
zL|ihtgI0cUd$bZhIz~qYY9v`OX`2bZk{KEh>q>QNKkniF_MGz&q$NuCUy+Iy+lgE+
zNFh0pSUFIU#(!LA0>1@*knCTPY5>B-F&GD<S`>j4s%xv$Lr9=^a}fx7x!K(8A_XI7
zP(e?RGHw<D;Q?`_7D~_lFvVJerw=c-8;-(Vff8UUwwp{0h8mEA>fUIepNl-yuThEw
z8yIXokPT9+>dZqa&744fEg^f{!i>=NeGF2B23FM33ntX9&af=aA#Uey8@tB?=<D;q
z^lljE>*aBOsqW&iFsI+Q&B9Tlc2GbmX@O;t>Tn)4qV2=K!@)VD(KO<%jO<v_TvPHr
z(4sz*wu}UN<M2m445bv<=<#q&T%boZ{utym-W@S?;Bjq*mSRGr)QG)Wx5hFKNF)Oy
zfd;WOIx3;}tb9ob&Ok}OzY|ssmH}O8n!MzQSP6?CAiAq!qW%U&2_<Ty!mBxFT`I5+
z`(y*lrk!e|zNZ14lq792oE2UKXJZjU4YxW5ON~4fM|ScFhv0AIooUj$ha+8HG2ko?
zVN8YM%ZTXiEuQ&Fk52@`SBc1&_Mm>0&Bf(}oinvb4{Drs^ail0Nt^b<E?uac`|&yR
zuwQstcxQP8!t3{+!dA@0<w*)~5+3~YW2<%Boo$YGudpqj>`p$!6pj%NX@ETwPEKO~
zic!5n+Wc5m#P_@@-Ma|xMV}=dsOdNU-$i;lL~^+3YdkIDaXyBBiLJ>k0bgbA)J|ja
zoRHfnlO1^h;ftAmzIKL4q%wkGZ?Rn8YoV{t8vn!YHU#zpNOvd0n6EnVQJG;f?T7uO
zunc{&I0qhVsx;z!yBxzLi$^15p1t&%#^hj!I+^fh!s5S_7Flbm=zjCUng=EJk|629
zG3n;bNo7Mpc2e$sRQp=Z8bwsOe$=ae5O2tpm@$l`^yo?P%BIWjf;+l5Lq6?fy7%qD
z*7Ic}0sb#_eY_ph;O-o{$ovAlYkywpRF(IgwB(E%Ak96s=OL)$TmfIz1V=%V`}CvM
z%gqX5;#F+XOmLxzIzS}c_oL77hjNz+IYZUSs<}@aQ%1rj;@jzRF}S+p^|TyGAufs=
zGK@wB2DmEM2md5Q2H6$YJ#}HZMp?&VLO1O1CaL3lKfI3AT|W3d)bdDqdE)e}18^Xr
z;e|(>nYg*Nif@M@p*Ij#sLH=@Q9^99)y<-@iPp`AS%IVC+Nz8+>?&}1vJ+}eO{`}l
z#-0AHMg5f#VfJGN#$P#%_i%G`fA%mhB?->`)=7B{rUV6Tkmt}s3HQ1AhcBS7(4V9D
zrIKp6@?D!c%!@$3IfF4)#L%P2G_P^_HCX;0vws(_R4WX%-qn1nMn^QFUoi?U)t0pj
z7WV@fevELIz&x%S+Okc1y+(bMLa%72$74X$Ox&Y%tQn@kwWpE;81XUD%AiA4i*g8Y
z6pXoD{kR`4kD|WZ(|!^v>VJMT(Rm(ZJVuqA{xYq|G@|E-)%wvDz;}PN=AgN%K>52e
zu1=GPQ-4RlPVpRjvUJ{!2>vQHj^Pp+M~mLe+u!`-W>CLu$mPF7PwB3YkKO--p8fwq
zPxJjvAJg(i@ZjP)K`yf8yOG=TuB&g)4_r^h{QQd|T%0O=U)K%2v^f{OP`AYg-@90T
z$`8bHa%Le{Jq%qczwu4B)!F43I=6JFZru@%eoPx`Mrl8PIIUUUJe!y<3<<|c)*JZz
zs(R2~a=ls8Q^U@(c<rk#TRLlwOVNDrRHfWC-QMzfVULO6Qct?Ot>m?4{F8tr!AM1b
zmE0vb%kce!^1@E``_#t9qi1v$-Ob}@LS&RH5xTWUqZVfv+T;=K>*dedW8az9ZW`hr
zOGG>9!AQdKZNQOn>6;Dvb>|P&Zz`Lyl-qiG3cQH#x66v==Q*z4cN_c2waam%EXaJx
zno!$vnkPAEA?uQa7llX?<q#$TXJj(I$1Xr+5-NSt_{TYDGC7dF{zKFhA=NIQw3cWw
zo#le7pzE-G92!JLPU>CSVhivUf5l$MY|pHq6q)teknI|ibl-2Nb`VNLXWegpbG~Db
zl-9*-RV}m-+9pCu9npjZlOS#6G{2N1i!o+4@A#g6gs6!!>wGkCom6k<CC~2PaoUAx
z`z!<_#eM_>K~s+yVl#MuU~6SkBqd_xEv88Bw}VqvgUe^o#@evU(JnILB>fyP3tej9
zwZi_R)nTOKp#QDv$YXt)&(GuOb~>uBTMp2F5L%`rep+eeXjBNJ$${ra-|Xu=X2#;r
zZ{Vd%fV{unjwPgn{Y!Sd$*GxpoIDVvcKllmM0pH9ufZpigc&e>^>6IyWaDj{bB>C+
zSvW-u@+65_?#=gi+s7IY@w4=_dupbrg-+nFVE=?suoMkt%A)05()Uq_KHLEl-GiW=
z=-BebR9eC&v3JaO{Y4_C#{eJAFEgC?7S<L&2r>2U0`(h8Z%$rye$)(_0)9wTxtByy
zFs3A?*ccPh8)95cKJ^hVQj*$?nx8e1E63p`?&{sz;z*L1R~eBD4<&;=-@jkPaqIi#
zkYbeCBvE?%^3co;01ke+wC{gfk)EU;Lu1rr!3cuQb&{jm%^wj%t_cgv){{UP4YN*@
z6+n)ArP}MTaSpnu+97iBOT<fKJcZUHQ0gG_YZLiQNEcacZ67Z@xTXBeR$Q^jykg&4
zTuXNcyarUxPeXPW+_#|gW58zuEThr51s+{In|b1WE*HQT<XN^bI0(k#&2<*eoM%`G
z==*mZ<RzyVMmFb>HvS}<*q<4nq(0t3v$SD2%l>B}TE%Nk*Y!N@D6s`9i#)5Iq^dv$
zgR;omSD5ilGJJSa2c4DZ59VTha5;w3#Hny~Ugt-!OdmyqY-_=3J6fkqCPKIo<CZ#4
zk0ltNQ)7ps!gTY8)4|GpPY)n(A>(zTwH}P>C+mc<g&m3NFY1EXJoPdSrLjmi3ANU&
zSotT)6dI*-EoHL0%5^f28=;^TRjiX5<|(Bio50q1X<HRw8eRY11Jq`8jjnmCuWvt`
zSzxqu@z#YZP4<7!M({b?Nv5?Ql&{c~AJ-b75t}6%Wv3A5AW?EB;<NF|Z?dR)9ScC)
zd1rt!0_sWmqypi`$(r<l7fBfOm}V;xe0JRn1L$rO(3<J(Y`4QXy=v`lR&q~N04nAT
z+g1oLJ1oirQtnDN?kd;^nv-9Ul$ZC4n;o}?nM^^)z~&}iwW%+G#p=ait6E~n%FL7{
z|AxWu*Qv@BuEfjuMx2!;No&8Gly&hf`9T*;@e4wgy1cBkrX+k)mAoSP7neh!r-XBW
zFEFf1Av8GX^rA06M8vWNpbp@m!{vEkCcM|{5Y#4v@r|Kqoh4*y_)&260nySV)psK-
zkB!6U0RS?D($x#=Nd2#LzcHGhe+$tHY)To*soDnKifhT)a+!ga8epm<Z^UXCJiGU+
zD-ajkb3=QI$Wy{22#arQN`~FhXAXRIZk_2qo1ThivuH{T2X~f+$1dgRpAqOvx-lyS
zKj|DG<r5?Hx&>h+qV^|cx5-aEA*JE3JlI*+eBd+NaZP8%nhHBy>>?7i0Q4sHMk<Ra
z-Sj=V=`67SF`K{W{=SLa@Yr#UJASeU9_j_5n2&H)2bWNy9k3~rn};ocKVeAl2{2m?
z=EItMjiPV>Vw4x83MrE>MAmYN7&q9s*pe@JY}ayqKZz$E^KFs;Ei>Q{3Dg_Tr;P$m
zK;^lM=F%ivWK$vdF1EGY4YxI=_A*7*k01f=dY8D{!3lbFM?2ZL(B%GfY7u2Zj!Cf}
zPQ>#98dHnZ#a_*i6le~SKTC&&htmgGj|UtjW9IqkDwGY3<Zi)KW|Rz!TyDWaI1VcI
zJk(7fI6xjt{9W%_z7(v!(Gehztvh~60?%O%z$X*IWGkLsCRiQy#9#!W2!kAT#Q#;$
zG$qgj9b9%*7Yl2V&d>iO)&Bl3OOfoVlf_Hi_<G!`AcbFU9qS8TWaI(23yZ1|f~JBN
zXGVajO&4WGK%`yu;w~yfK{1x!2)Zl&0XTu^es%SGZDDm5K1>RAERqgQZ>F}3guovM
zOK)L}%Fju}9p|FFwHB1TwNvc9zI*`Q-(KAOCEcZ54qJ6~pCMnsIR~b=?ViX>JKj#<
z3SVf6ub8B9ozXaIGGua$@8rmSwP5ZQUYcdqnn`atbU60Lzuf*9pW;9#XhtN^NX5UU
zL|#G0vSpkVDrgoTlid=nfCquyO@3qzq9R=FkHiQt%MM()p`_r$lyo8qnO@O;#Fm%W
z!>P8MidQQ<`DlMv3ryn&TqsJW{x9~^E!vLbcmm6LfAZKAC^Se3cSQR5!yGKiBSx88
ziE(|pj#i#SB7^aza#-4q*82JxnOdI;$DP?(7r$gZhQIp*EC*DVs41!8mfevxv`pKP
zhL8MZYPVAKqB2+w<LYMop%WbK901%G8gxH6!7i4wQz&$Jh^zB8$VcGKlR(qpXIv5!
zlDaKf#Y%HyltQW54q{Lt$QgPV0u^_g(05A^L%(6QOq4gV-b1PACJPic%^!Du833!B
zGmg8K>`O8n)s-e9Eadkcpo&ZYFW}D6=9WE6|Cz@3ao9+Hp7{u<6DS1;bIjHQ7pg&B
zFKMqGlPHK-qecHdCrC#~z;q5|6$@kdzBof9hD(}EBKmLfG_qOEN0<|tM48LWLL6X_
z6d%de3;hK)CoBtoG!uL&7kc{24+R<C8O$GdztungUCm6=)<RexcXLn{p7Q#*I*EMR
zwzN7T1zFUyeE)&EI808hA=*-BIRizwUX3t<4yn?T(d*>ffNvzW-<ZoyTjkCE)$^@b
zm1iIvLV16^A{+v6$yy-%Q&jdlf#SwGH>MDOPN;PS<_e1b4Sp1mw7+q;e{NXLSv&}5
zN`wGYoys#%jetO%DwI?`q4G^^>F##I1z?ba6u4|xO@LyU(kjmy2962~S&$7@W(r~w
zKCAHji$StCHlj{dCZVqA0GNDEl%6TW%<&MfqB^P4u4Opg@QH8h0Q9HE(OaZxKuD%S
z8myeBOd!K4G2e~!Vq%`a$A+Yf!N4bitin}6p;-l_wfOdx3*o16v~=|M5E`|)@&!Q;
zf6t_tnMggBlEEW{W1ga%Wv8iZzsojJ<EAD2&7G=z*8jcJl=$~>_<1@0ujSK!<R>=l
zANjFb{Y!pOss5Y%4E=}v<a=)XB|ml%Xi45`P^1lzzJZk2D!ed)b5=dSQ|W?t%6GYj
zRA>+2p)A?>a*dQ!Licw4Ifgg??bN)dDET;z5?z?{ZV}|InxTB~ynEY!xAJsN@N{m@
zBvRMBsz{sWSX-OxBd|MPcu`ixX%_s!_}lgstcAs}aNq?*&d%oCzkZ^kL4p-5m5a+m
zG<7#wC7+*51uvz1EZs>>s|Isf8J9@IhGR@XW7G6vw4c)T%)O(tUBy+%etnTBbYp{`
znD*7IheMuLtsYbiE+kHy1xC4CF5Eu2CO)#La39~MIyx@WnUrPKyLP}rk=h_69Xy+>
zwaHodIw}y(lpk6Y@0p`9Ycv5SqqyAlIut-(!$bQ#%}^@$(|;%Lv)Sf-4OLx2<oyEk
zbNOK>uFp&n0RXgscMfwo8HLaExsPu=CU!?MQjdVBX&gVrZ@fh^<|f6_2sSP~I3*p3
zbc}o}Y8P4uBAu(+CjI2}5sr2dp~6fDIj^C%n}?8Vg$Q3XpsJET{PhdK;uN_SNoIDa
zc3@8v8s&q+vsileubUb|Y9lX7##N>wVr)`it@`79M@*LB|8RDeQFU$Ey2WMV?(Xgm
z!QI`Rjk|krcXxMp_h7-D-~@sP4Hk&JP0l%Wt6tsr=lz+XEz;O6WVI<{e7(>06jFe6
zxEMVfuo)8YF+o@62vMC=Dq=)PrE$Zcnv-N6JGb_t1~QM>(aQO^N)+h7o|(lEo~`F@
zN$T`qh!R3BlVxPGV$I;ozQe*W!$@~YFB40B{H+q~WSSkSDnZi*b(A1OWg2zf<fZ(X
zR@+)HGs}+Du=mZ~(oyJqQ=dBm!mEK%4-3{60lwRS@KJeo6m?bEP#JDczcg}$4eSxk
zh3t1_sOY2e-ptH_rH+23uiY<!Nq}X2JR*99-^4Zs2!#-Is{GB(Vdr->)O_G)W|M5H
z=${;uD_SheHD|d;G=VTvL$4!TR!j`)+8L|HUReVQ(S{WD@%}eAGUhd6Wn@cNg!nmM
zF_!WY7=caA)hLWWuu>}MYYlSF^y))28%Q#TAp*60#wS4EAPPe*_{h{2*Dvhp7KJrP
ziBuk`#<W8sv}!OUg_SnMD_r?JY+3lNx|p>{-0Z&8o`0CI-%&M<Ts!<Or3J{V&08(4
z($UWqDZKI_;;1FO<4SNhsx+ixl2q1bftgJbKNh4Z92OsCqMv`Uz0YmGp_3m4fg3{d
zqffcS1-AI;Rwi%^%+_};&!}w*D8$uhW!}XhppDD&*`jbD?~k*^jba-OEa6|TW_%aE
z$UhuDUSFxInjdz4izTL6y2i;J)1=+miT$baBSL%CSH1ByPr}Q^C=!LEvEb{2tU<2Y
z4GN+EKu^Q3?Mm~^dikZjt%T{LgKMF=oGoq6fG=meHMX0xgBqb<<pp(S-JigJic8AC
zB3$%hlRMxYw&OL3Uuy3Ha^livXdPp{%yO1_RP(SDxw`T&aCWCqFAJa*L*m)2r#R_Z
zsGyJ9pwYUaGI_z7Lg|TN;tvWg^#3&ew*KA@xfB>sYXouBbk$dM@8CuU4|!x0Yn&&!
z`0f{scvr&0DB^PNkZ|^U<1O#`Mk<t9O}1qPeD$<<aSl#3!R3vobhZ_?jvR=2xg7a#
z!~^>u#AEs25f3GfGwaWNIlo*2SUg_0I{qLYH;i@6B-75_uLc@9;N*+ig}G=K-_3j;
zcAk)ayyW`1!V{kt5fD`8>p$xlr_XsBA9^j_7VqHpMi@&I<jzK}zL+*v{q(5bid;Tf
z7j$TFd)QVQ9Q=M^%Z4y$%>2qoY;14ui+g$tw^obd)BdiuhxuJ@?77*p!teEmHvas_
z=DQjrrzuc^q`H?yy`1f~!nQ@$NRwu^9cpQK@~G@Xi0e9R53p*ltlz;V%ExcZDAC1j
z(O|$f@84?Sg8y9$S4L$A6W#p-d071m@`(8t<k85U%s=qm;TBr^Li#W>GXEn3q*F!h
zHzgaM%hCi-G*}7^@M4i8(BWIY`=N?7zah0FQ4rS@DhfjGEdr8#*;@z1yt8(EUbk}y
zVEv^+__s{MaL2>3Ec4%jNN~IK5oevSi_`=IlCZm=S~x)m4~}JHLR{73j34r*w>m%P
zEjorJtgJJck41)Ez=>9Uk{p~=ZDGf2-Rf&9x|#oO`6X+wQ%+NVsIjaNfr-!VL0YvP
zpE-4^gS!iaLmPNp?0(hUejW8nWgZ2Nay62ODuIcK1K1dpEu?)TQj@t2*jSB2Ik+Bi
z<xbzXOfQzbzUS#_Ojtn&k&R&S45H_N_HJGyL{grGC6#rIE^MW-M6K=QwU;_KC_6Ws
z)LDFm0|<8YXh0$QDm<2#l;o;xxCRl4W+hbn)I`L95L%(#z@wEh0mCcoyOni39plQB
z2;ugDxj~0TT!E0fnMp1We#t1scAVlq2xUnyM<HNF`GNecP_Ic{IpJq$^NQ|iI=3h>
zUer8&XEuf+1%Zk*%a10T8w0yV_N~F4>pZleo>-q~G!HG?<yXAzf)%r0+fK@l9v3Kr
zmkQl!WykPUn0R4H*#7kUlgZUXDJjEW^*6IW`-d47f03~L42XBTg$~CC#3e!Wv58St
z*I^>|gP=9Qmc7Vz`&(YHR6EM(bE;1`$fWU{=w)*f&6W9Hc-NESt}tJW-?4I`36DSg
z&>66WsI5>jY>`8jYC~_sMZHYu$*wr4DE9UY|IasIktI&D6x<d*a-Lh&bP!{Wyz^jJ
zTo%#V^p-fA*SKQLuIMg~*5x$3?)X)8kLTn=FJv|Cy@&>73Qkzs!7IvdLlqyNK`8SQ
z2eijL<1i>2%Kn@r=Aslng=t>~71taF%*8<PUi8wy3AkK2klb4|yl-FTtC%-=nR!<}
zKci&@1jnTeu4u1Lh;#tSIY{!wQYpA*D4|uWr4WSao%Oi!gLQp!THweibSEU%<mQs=
zN-6Bhzj&)zr-{5=D#IvZ6ldabi(o72%fpTe7esk#Nto;&q3dGb^ReJbG-Q38qY{U>
zbJF;cEB|Hh@dpJ6Jn?5I1~Yr^Wcj>z@7mAonXtzrT~Z5t594U_wv5V_i_@g*Sr+hD
zyWarTx$&{1RrcdaNyXgv<B*4JibgijKP`7H1J?O0CbBt6qs>WiZLa$L{@(cmmy2_*
zM<)%nyBytg*!;sUqO(oHFR-y6yGJ~X>9=_}8FvZ+>p-^nx417ol2{eHK%A4tMg1Q(
zcnGk*!(gyyZ}uMf$SIJxY}5mG`NL`#GiHNyQ3a_hCh+G|k+tcTrh~4u4kHJ@G(9KA
zYbFm5RV&+C7qeYiS5G;MtlOR>n)3=ZtHFy*$b*r@OzzflUpIH9l3za0TNS3wAh(4)
zW|Hm;rjJ|dR;acbxOv)*McA6!=f75|5YQ?WY*U`4#UIhObe(r>m2b*V_0nyXg^Yb5
z91wBFP4NVeDdWA;w~!EGCYxCxhi!j{+=Z~xRh9yLt&r!zFpn#9pUOF>4s6LzOP~hy
zAyoW0Em_SIK!fUuIi-IWUkiG3uQ^l5N1@Qeps{k7J}h}VSGe;k%gHeG0jBovhvFj^
zl~Cf!SX0C{#@R-dIf8GOWezF}TH>n~LIFZV%=EW(^!J1vV#>nrQL%hgiecY|6Yvl?
zjZ;2@aAFUMjd=-s0eS_)-%+mX=(Iv+Urr)S1k_G#-X8~>2_+sa3U5Y3UObL6l4H<|
zPL77kWP~CO8&Ex*QO371l0-QwJ6x!qKJw1ltjvWhDt;`jWAtXyaWR5UUqj7@nrK-!
zpK8cMm}wv^>=`mpQ0aul;CZ5RY3<2lVop%jrU{jKvNx}{18>K^0?kG&3rZ2B0T3g!
zki`yQ^Z5`NYFgQLvPhB-A)uTFx9C7ZVk4L20J-r~bmQBR1x`;NpP#g5${rF)EJ(4U
zjnWx*{3Bd)+J0mjjP7Mp4MoX$n01T>5rO8k`to5iR7x7z%cC@AV@^I&^26@b40!Q;
zmbKXddWb0?3;_{w5v?v$@Z)5aJK`b_^}T8dT0p5dNq|Hu_+sQ~FG_&b!$z6Wla;Z6
z04&sCnN0>aU(q}6ZVmn*J5Tj`4DKw6tR?i%JoL{Scq2}J&*A@f+pFCUUyHEaR2t@k
z6!E2*ix$be7c-il2Zm!%{sKq}6BQ-rf?gM06xL4anu@O!4_n%9CV@vnE=ryd9Tn$B
zd2l)+I)3R5Hpzy+T^YZ?pm`1MDW(sqi$1E-waAi-AMoQmmV;%SfQ?c!d1x6hSnPFu
zisYi1m>jsYQ##P19l2g>U+@qjIghYGP=AdSse@y8mrUwGFRg_eAtGBVgIeMKAg2ev
zdkVM2kT0a%(<RVb4_ETPZ+>e@6uR1a8{n3Xa~}7xM5ka2Nt7g$u*JU$*!;fx$pTcU
z%nOH=BKXdt@9*6hBkxo`zl29#AEnQFj+ah;77L1lm8HC@$Am>&hsXgGV!*@J2@#i(
zr<B)H?+W42<&)i6Bwan+p6x7^z8#W!$aJ&|n4qQf)JUm>mCd$v8ZUKY7%ij8omkdz
zXom#@+Uint5pHDVRYvGcfkopSD=<X9%QZ}E#EUSO*XixLu!SlFZG&E+n?+1|A)7@{
zHlYJ=+bmBbi_eaU``&B}zh9s89>i$;xqYsDi$llQl<ROd15kxU&%#H|OqQsc;-x99
zE%&W4QQc6bEQcw#TFE^z*s>EB-dpgwT>3LJM>+hMU>vqP#LqxD2~GY&96)$a;&m<D
zfyT3G_q!PsOZ|=ZQ+g%iJ<LE!md-ua#Ak+*4nf=L-_8!-ea%$#e>Jrqy?zg^VoKb+
z`!k@Rh81=E2)3P`W^nNN&an&%rD_VbcL=tNaH{NZCROFzOuz3Pj9t1j6f4XK;B9K@
zL)fH}g~t70zg&q}M;BcDS!@fPRZ4Wsly+L#f(se=9hXW~3hIW@8kH|iC!ZIEt|f`W
zT$WN}fJoCbA*G5@c;G7`m8vc=kmOPB`(wqA8Pv_rdPNVxV7o(|A2)s4ma-bEVu1K9
zTBh)0c5^qL1lNf^^*M4~X~{Kwt|MugH9p%Z3f-rey4>lHTxhSU?d{c&<h74E&!dpE
z=yJJcHVHKJqL@plC*;w{575$*S`I4Of&Lb&QWUz$b+20Wz$`VU`KZc8z+tFHQ5!rd
zuh)Lr!w}!mMugNSQgY>qQFU?Ex<G$HF82sQ$$~4xht}e-n@(0w5qFP_Z$${|)zfHU
zbSCW~N9Zl=^;sn&@QlzL%spCF5yE0UO1w*0XFba9LdNMnkJZ9DZ>@xiseR1&g3t`b
zDeE$9!FbFl&TW~iJZHjee(DOnVBeQR^BOGd>==a|nhLF4>UJ00>R%miDO<j(JXyK$
zI<`<1?oe|!aJLOu;<VK{(zo9OUd=;dQe7)w3f9LSWeX;5Y#d05+Bfl%y6#lkR2~^?
zCP3W=f`LHP6Fu%p77aVOy41|J{CIL@k*$3R{q3`AbB7*Yewy(QrI)`=2Q^{*G=@#(
zR4JjPoS|NeA-B=27~UG}q?!{FtMJ1!tGB8iVytdh)jf$CLcc&8J6y#2`nT$f`a!Ub
z{<B;?BpDKHWf`L|HB-FihDu*2C-Z>bj4=_JF~f|p<iOQ>fBCd*w)MnOI`|cHdxwY2
zCaM8cDIVQ0{WPfrqDdaykb<QVM?ti7M?y@!dIDY@(I@=f{=j^r0inRxgZ2C4`qzim
z|EVp$RPJ5kj;c3IsEZJp`an-tl$`ukTFlA*yR?X^ZfkcI<c*i2t!jZp?*~DCj5z)R
z#_a;kljoC~Q6a)%smv<ohhp)X9X&(Lj#BtKIcoRw0zBzW@dQlIk?BvyZX?GG<3jIK
zCWHg7=<DKFBt?~yA1Ih<ojrS6Spiz*&>CLb1@w)wndfSk4^tn`@BD+9Hs35w1=XBs
zxZ|Ry8ng^iP&Am3#8WI;CbHvUX+&7SlPoKKv8g$>c}%+A`7|O0%Ie&mpXQDe=Tg%^
z8w<QjC&yzT4F}JK(x(XAM18w{wY^^a0xiYh$=?Pn%;(Hh;nZe9DPn(m_=+}z^V3I}
zI54zK?prVEkdkRMvNV&U?5HVt&dgM_yBJ4;mdaPj87pu6)%T%*jBF=>N`Q92ua{M0
z*U1D98xeGE{K@}}=&ty`*4ZvE&srNlpB21ibb*!9?{s0+)-AK{)<3Mvv;0R$ccnSb
zvz?Jt&%u!OCjmksKMp@hON<wuO{dj_$XlOdCNdYpn8x*#Q{c_EvVICv%`OmDa>Vf>
zl{5c$gWhuDe;V|7E1(9w<FALJz<(O_Eq+m4Nlu)<51+3yYh%x!dpN-_udy6}&6(PF
zLT<I-S$@4L_aN!Om@nAME^dEMjbe%GFj|qA45}zjRC4VLoLsU*+{*b?Pt3on3Dz}@
z;laJmW=hm=^i<s&J=NcN623C_zF0{LwP%s&Fh>+|E?Xhx;NZ$OI)+Y(+W$qQm$-^^
zi*w%%YkFeshpFXrsNk-`#ZjG;e8;CE+t?OZaJDe<70XM4gVt?~`u6PO#DF01C!T@t
zH~(U!hW=utDmntZcp95;x4ugz#?L>+&K}TnpU%~z08RZh>v<k}<|C|d@KLUL-ViCn
z?0*ocb;Ty_i!t5R`MvG}b5Ks8+u+B~maDIUosF+QCzty*Uwa8ej!1*oLb(RLNQwnD
zO8lC5%k8qSGUn`ZKl9%!ZFWxE&|p}tPOR6W<ThM4{K>AB7OhW=^d6Zre20X=o+c(S
z(S6_NyguPV#FVGKEZoq!+Ofwd*tmuh8)0VZ@%@wR{!a4r3gW)W;LCQL&OFX^?e&1u
z{`%gw8`z`DA6G-(@ZYY6jK5tCcmHxVh+XoqIz=X)tRp&b>-fEd{{PTK-L6kWy<F70
z8ncU^YR}6ycu9%kKwWS~TCad2{fHOE&8>`xtj^BM2V5SUSx@W3cVlBciP3F>x{UG^
zMvVWJX#2NQy#BvV@vi?m#s5pyfYYUCJjS>qbu?!6*Ezm2;_@)wvl)g$15$Np6s=r%
z`tm2h&?8!4bAm9A6=D>#ib(Z)Yug)5^nBP%`_1-4H_8x6jA0q4;6_nUZBovsu^?r|
zeD8AyWG#9daU9Ri82y(^zP2cD;;Wvw-n!l6@u!-Nw1-{2kDTCSVziDb*!vFfka$lS
z0%E!`-{%x{|M)6}9iHfFpJ=G+p8H6)Or`cXi$m3g3sGDMo5v!2w8xfFb*7?2D>E`r
z)COAP(nw0v$AOC0B4f*JJGpr&fNxvUUQR87Ty+a^Pt;G1C11?ARk%KmsUQ7lccBk-
z=MI_WM`s|!rI)<LY=<rFgOv8i)_WBRm8?mKu1Pb;{_$KT$G2u9RdZ#-J%VbzGrkFa
zn?9CQJ_SY2R-y_lr7{6RRJpS0T#HvAf9IzkP-3eL4D-*wC84Dke_>0afOwKquV4(1
z_25zfpM2~<jt&vTICQfKqpso0R@q17Ak{P>6UZ--a#&JTO`@CeAt8azZjli!Gnp`4
zdqc*Z4c1nUUmn41&h+sGNr^3Mqs*qjWcfl_xr5lI#5>4OzN#nSdl^oQec;oQASOdO
z`F48)s+vnMO8CD?9<~S~uUtF2cwbVMz3!=Ce_Idekr>*Q*#{cuktjAgrZ^;MeJedb
z7kX&vrsEWN=`2+Y;1{-y;aioS-S}KVW7ar>Lpt~R;ceqFQnQ$xwU0+RhXIF;iz^3d
zO<b-_kA}l#=Aoc-1QSc{HFPd4>-!r7v=EhM=tmdRL=+f`&kvIDFyWCO+gqIlRb`3M
zQ*y$SGm%y7M~kcPK$N(uSz$zbb%B0w^neJ-c$CnX5XGcFQ8W9NyadohSUaT%dF$er
z3o9`-WUV9zzhIR4yqF7@fulz6*kYdGLI9cKs!^6_;&X88Fdaijgo2fwHaP~~32gLK
zUzY~*39x)?P@V1BOzc-HXZ-!+^x)~mTI9~K^!_FBal#68;0RM7GXEmzU1X5CpP~cM
zvVvb?*j!1S+Vqh)&Pt-AvIKgH9E0le=GJn2C2Awy8GMYKu%C>7rWCQwP}|wL!9sng
zP%+bp4yv4OFAyR0wqn9f&VHhkEocfl=rYkUX9wco_TYNWeejh4hM`4*RBk!53HZsq
z7Ynz2Msqon%_e6py9W1)v3(t${=oM^eUlC|mn00$l*>a@*%e_)i|H0}Il6Y%L6ca}
zrVx-$VUQz06Qju)x*Z2uYKJ&4evt};(5TIzS?=^l%cHcVFpTbi@7dK$zUx%ko0Dcp
zMk&?)H+UHqwx%F%q_B@t{m;=qf>C{~lM>^NfyK<ioVL2p2{qjmwN1JHQ$?rB?#Z-x
z`Py#)Ph)7DJpd}CpDX0Yp<u1Q2W2!YB}_&`OWL9@9l%(spr>rm!|17OKG7X$tTD>6
zh?FrrDC^;VML5Z8k7H+Y`)r(fCWzB3Wk3*LLnE@?Ck7HXT;b#QRK~tzJ;+NKgN7oQ
z#v%JxA>F20h}_X+6sb#l_ksmcJH06^-xf*}J{xs_*BQG`1L=z#>j`_NqEEq$^`kCc
zkFh3vrJl01PP$63gaz%c1b2C7I4weqBDF};Qf8Dct<QY9OPyTTYfaeCC#cQ3cx9b*
z5XyF~o8Gi{&pNzmFMg(G7wh#oi~bp_yn1n~POVMD^$*?pGJz2(EYxI8gMB$#l8@3j
z?x)(;`kZ;*jdMxJIJ0+Ml5ZGVF%yEMDr53a3N;4Rx#c-*o1K6TYum2hN;EY)j?MZ&
zjvyrm;)=fN0KpRB$O?J<Rm{G)<PqvmCx86!()9*AJT4h#TWSO2^1C!(k8XRvj2uHM
zEj+J~v$AR1GGr(<V$Kyxj?r7TpkJJNiNiu~=AEa&0B_gOM+H`AeA)e#zy;(0&4;b<
z_SERs^FvTnx`AtY{``-h=<ninXHE6b`rxsa30R#q5|(X`0y$}f6A;3D;a9u0H-4#7
z@}t*Hl^!Na;=dx>83M#r{x3!C%aOEsfqzG~`%50zD;-Ic3XQ+Db?>ga3H<zZ+*mut
z_#?3UYpb_^bMu*L(FBD~<GU}bFLmcV&zv?$|CJllDlc;?@8$%pZ;JF&p!KagW1-mh
z_4xncBC=*S=Tg!zsC&(lnNA&RaVf~0*1X@jG?@Ka;NYV!vQi^FFsREhYIMByaPXz<
z*`DVT<VHrKbCgDNVrHhvhY9q#sAPYb``-)IeE(OWTDS__&1>Vqrt-8j;L9-Fp(129
zZ^?m`ZO3&>hN{d~ShxQA*315nVs9zA52;9iuAUx9BBbXp9B`l|4*Gg2f|=3@Yx;gG
z_7k~glcMyWQgs&(j&0-B&i67y3X&Q_H=;OplyMv@I)-yjoM6>}rvRLPmbmP<CGN{}
zpWT*e$J-M3!8myXZ2AGaQpwQH7EKBQr&;1_LU7b*sN!4*HhoK7n8KCp*c@F95+WnF
ziXv1Dl06G|lX-ryt(xhPW!-k4a(b@vTJ7{V(Hic~_LT>6bA--=iS?TMx$2=|IDP-g
zIuExmc)>dLj85CKlB%Ot3I_R6fNp;N1|>?-26FAE=-Sp*U0pC3a63D7SP89qfEHFd
zm6E37C_W+XES^p=)*&_PL{i-$s9y*gDeUT1=sfM8w=l{-9ovDD6>m<VZ)|=UW#Gl2
z6w(PqoI89UmzuNTfm}YSzd6L71_RXI<9=@~#QOgnb~Zmi7%oe%5In}D>lE1y0^IZK
zEw!=aULafR%OOK5QW(z}1!c~7qcG{Zq^ySFjv;XbVMI}L%tMarP9$l=jt5j+r11VW
z0Ck?iycvLCM@Or&5+vkE6;x2gWSk4on<Omf+EXLU=}uhOn$0FhFSBJlk%p$?-V8uN
z&yMPigNJ)SpEI%-uEF18LmzED^t7i94;%lK)h>W;-JW1@j=-xR6>F}{;Yh@^+Z8ws
z+nWeJ))=^v>{bJLiO*RoI&Pt~gd_kvBMJaoxS>i{werb?HdSh5Rp0j78n|c@Zgv+p
zGF&-+SUMG^#<)n-z)i9ho#1X29u8C`mzZ-HY94$TsaO*N)cV7#<WJMCAZG!;NK7<K
z8bvii1AB5YE6OZdatoV$u2D-%juB@C);tD<sIOojgfDyU?+i4(hcQ{QJbO)gdUR%l
z4Q&YRVY;k)!rMcq+L|)x<cF=QMXF4OE^x_ooiGmB2<*_pOT|7Dy5UM^+OYZ6Wjr;J
zQhF;NCtZEy3{jd`Uo;RB0JXjgBSEe2GEPJiMw*o1m5yqgN+euq+A@<ogoMmz)I`Jy
zi7~w9toOVlV9kO&Ga{p4%>>xFLfeNeEx&e8^8)z`Sd>_ZF){6B-_$IC1V+{iUY(Cr
zaOm*7BakY!(JmRsjI7cw8qQ^iZkQ8r(o<4tu2oPiE>0UdTH|9cwo^!R6OR=rQOUYM
zeLbLvo});U{g412DLWP?ohlF!0*{X#<Yu9IbF)~wPu=v)PNH_hzBsJsoUMO-aTlz8
zhvYoc)jtafQR2eMu0+(dvZByV7pj;7wr*ghBrb>fCMIH!{vJgEMV^|K7$x#GDX2LR
zL_B;zZ+`Rqn6*S(OmTQ`m7V&f4yiJeHPvOWsGf&K#vO{8#rs5?OT3L)DU0y2tuJi@
zRf+TKwXt_>up94oHvcGEvVHLl*F-GbZpWd(wWy%wTFY`MB{6p1Q(#U&Nj9)4yM(EH
zf%%5XrnDV+*!JSB?hJYpZ+w#Hf#!VRl4US1>G`zgAr?9c?6|V^qIdBz{vl>+2XG&0
zti!*2aBkXSK0Ev2ZMas90ypTeU)fa>(_1lw!A2V8$Svs;vES;Z5UVp8bwhyjgI+<L
zkm3h5)aOW3W3L;cLZ%Gd7Y9u#-n+?G`Eow8peCb?$wUNagByEDdGccX*{V-8(9{G8
zY=vSmXjBC3)k%S`sVb`2BdbTgAm4E^40snbSiT0e%h(VUHUd~U^n5qW5!6SykCcpS
zPWVV*l8P4L_?)GX`>Ss16cD6Ti0Xi+sGyUh^s|FLexU(6U15!ppU*1KAS0_c^7PR|
zeBnPrRx^;0b@ENf3f}J({qI87j_xZBu3Fk_$+Qc)RP762mlnp$=e~#lAJcE@PK9p(
zZ(inTT60e5`evx}XfPTx4v#d(nSsjYslZQsMS6}xz@2)b=24HL6M@5CE=q61$wQBk
z(#6I@?ckTc^HaelARX`-SCdGJmtIzyVy)&;FRSeu$B+J7B;nHDA5Gnz3|C*{jB%ep
z6Y2CxGrYtazF<3A)asOLp?~(5ME@4%+rzI6@2p~3E@tmt-J1FB)}HEZ`0R*vxpecG
zncqF!qBgQ%4Gh>9_&Pg<#8wkL&D8)u&)NR0<`{?#Cw4MQSH9c2Yg4pp%cA(FyrA$O
z<pu2#Mv%<4m{#XdC~a~Yw*k_H50On^;JvT$)=#?$)BD+?0YN9q=LXn^>AeI4@7IIQ
z%pHot;O(OCBoj0jt4H7CaaQ(zZj76-6n^nL*aVLPr2uM$13iCc0#)l^!7k$$Yxy(z
zo9d>f3as5p%V_pFl811QHk?Pq`ux86a~H3DI{R9AS*YOQyCkFkBXG^ZOGlPNW5Q8>
zimCVckvd*M4Tz4op!3q@4X^#848=~z9EP#s?cyb>I)+ID6chp(T5#h27+Qj^o3Y+!
zeg8=s|Bs=?Gk!DVtEeDm)!T}P*5^RjFEgcAIQ7yP9s_)V%gzh*9(HQIL%P+yieBAR
z_%`uw$lR^{Lag7qVrq~j$7K;I_9#}^Q1Q2S>$9*23C-UHh@Htl1qk+2<fFd}5VPv9
z&5Xpmb_2dG>-wyXMuX3*{l6L=FLmvW>T#?zg`G}(6CP|Qj$Ch_h%*%&3*>}eFI(0d
zzI$+8p`)xCf=|J~w+`eBf}mIq-2(g7rph?wDYZ|$L9LaadVQ;Cn9p0k9Ueg5XAK(r
zuXBI!sG=y>H!9|l!_e}jrb!jmaTt;wCzYxX{W1by0kScy7{o6!P*Tfb<9?!z(Z-c@
zVa!Y4=OUwPU7Fo4((Y<BGQC!8A@U1<<B%JhPVSou3=~n&8DT|bN-5?IZHmlx)2hw;
z$IqH8m&I$@c`(zdG}IIqFhL7-uE4n-n<IqV*Ny+x&2j;9vnZD}KB~TsDY<VqryfI@
zSGtTUZ6R(IUz7Xy_WZY-1?%=NHw*UTf4Euj{&BNpHU0GX%gs{s$Iar>_j(_B20rp%
znTV?tp}#PNy?-!;+rKe|p?@%i2Gv&v($2*FxyI~G1J$$c%E0&E)>qB20|yNrbp;1L
zeY$5|I7F+{Cb<LM>*8VP&yBM>R+0Uy@xsP~|I++Ovwt@Y{yEFaYforwd^ESFTmBh@
zDIgom!ct_WA|p&0lALA~2c|xDl#?A_I`|2V&q}%#m${T4{A0c>M`OwO@7<;_>%RcO
z_J09_vi}VT61)L|ro^5!e*=O$z4jztZLxegsTQO#w8Ef$rCBEtmZxR!D9NRH;*tnB
z(%2~4k+A&08>t|^X&f0i6L5_+D`Vr`A_}fe7VNwz((0yvfdAJOBRwj8nv}~<93_&7
zD;*fuAU(^@R_=6=HeL7dcWWOA2DLMdISyVd+9Vl^Rt93C{$Bcye?k#`Z=ncV|J{~L
z*6FuUM5!=`C7ks8Sc=L7Su+VZylNg)Oe#|L>HUDD{rHk8w9EQo2#C_Dln%sjG6Bly
zOJ3>CyLt~Y{et@cOhfpJ+$M`-lXMRd^=CcoxjNWY+l}jjcAe5R#_IFXI5DBB@lf!~
zh;iKLlnf0N#T%}dNwuX1=a@hm>B&`_a0AJPD-7*Hm_6|(4+1;bQEdkEm{A6k5iS=7
zG86NJeZ1KjJ6nH^$#u5d_7qx2_ICqX=h6WElt9EUQ9~g^)V)uCHUAVx$fiq$1BC8{
z%1BEo_0a&(ipZp83ntlWs6sr=`-@?O$swgB`-EJ~0xC&Y_@Qp$FLT0Kp|EP(MRj<w
zPaf~V{^a!znPt+sAeBQI$xPx*y30_x4)wm2af%0@s17@sVZL=DFMGO%M-|WlyHI+V
zp1HNXz!I%u72U+GgX$NUkcd$M`R*fnXG1<lD!8o>I0~h))_MEnXrMZRvjT125?zV2
zdvCG&_;@P;J)JlvNcH0OM=;rV@g1z#L|;A9o%A$L{v(0&C=4p6Y!fp!uB&N$3#WAs
zYH+F8ei#|VMC4HPFr=s;>Q_)q@!}K|Q`DKkdHC98qy8S((dk=Il};8eT_<Lm6Fo?7
zJ%m9oG9`k^!Ko{s9AjQ`pnzL;a9YKS!37h6i|e^XQ@?&4S@pC$HwQkfOfVchh1fM!
zv#6E1&r6e3r$8-zBnS^T2>N$NbjK6zcYXsjwd%#4grVMcT49;|4*Ws&u~-<olfCmj
z>nOT6WadyV9tVLTyx>W|3Oh`asw(P+z>OMp(MNTL`slfD`58lgC9cNpHC~1gjqxVq
zH&i#aOifTm2nc?l2Q*k$MEI+}(uOXK(ctCxg^VDs>)z$ATwDS(N$A4XH@~V3zdY$o
z=iH!*gVocqtT@BeAwrd?jS@6gdzn`1*fkK)oIyvqmjk49b$_&jTQQX?OhcIM00HZ%
zhUWG0Mq?Nz4oYZtQSH5v5xW$1|Dz%*o<Wu!7D$Iv)U#zlvx78s7%~~mJ^NhKKNojI
zQT2H4<FZx8vY6vo!J3Yi$6_pz5Cex766ZO8?mNpxVrs~eUV0deQ`toaN2Q}=;;K$J
z^-V`BT?ZR0Bs@0a9k~rcr!)ZP!7F*QE<#zit7?pM&&H4?ziLuTR;A7RCpj%b!Xn&?
z+)=6=ooe{9xpJlS@A&2qg~U4R2p7IP#_Jbj(^<bdzO@*E1Q(9X&%;;}1+^QkEazMr
z&c8<``!`WGD`{ix4H4z=Na^*gr*uME^+fg;eep0^8V&-(l|5WCq;TK)jHl2@@t~uW
zpz2i}e`@88roz2vbN<*O`5X1;2bwz+eT8rN5z3={nHt%6Ib$t47fW)=Q=9eChit6}
zL&ssukX|@%fPw$W&DpP;v(*cn!JhTss{%nKLXcHPAntIXni?xYi2^=<6H&V^G|nR_
zvMyAR18a<bGSU#XyHGgFBdHmgeNA+ne-dT8u2~26`_Kg`N5?}|(vOc9q{duHXB4)N
zRmgX<NIZ;@+f-1SEiAANG4=sBQd?kG^x4w@05>#(9067~a1+l5S2Nj8YLvEyoMA5C
zGeN|1F6c%yG_$&^#bCNlyoE3wQmUL#rPVfM3Ve$J_Nx|8ktIgVDuHS{VJ*2AZ=&6y
z)(_`otto5w%^>%g5EJ?kgaSy6Xk0P~uW<_PiBU~vT2~KugCj8t?c`b=tnWk5QyQMz
zDd<&zlZN>`hY~zNthGtP>fsa}io**93gd~1^$kSHg^6&Hx)^^}OnX2u>IsMeL5IV@
z%_>5q#HKRM=ncaJg{{ML$e^XAMQ@{|AY%$j&o96=K5R-u0VwL#mqKn7NpZ8lS>nTr
z`lDq}toy~F65xYVoF(=j;SjHl29;R$hzA31?R>wj{d_q$ejdESjZM)(L}ugtIzA>f
z;Gfl_<G@6;^k}WZH?{<a;RBVNW}QI7#5qRBSE@u12~3#)<=;Dll4JbDB?YAE$+3D>
zT~<6Oo|4nv$;_89m$}!;8X*A~74bPuBPMC{pRi^5sMYAXrPUG~5j0)+i0Rqsl4Esv
zT<>p|$1loKgDtpV(bT~TqoG+s0D@r(t`g7jfI#)=H#<ge1A%VA7Sx3l`7i$Kw1hgx
zFGdyiP(ZqL__#EPFgA1pbUgN0EmudMXlS$u^N`|<EWieI1oODzHx&kcVq$V+*fCSC
zTp})4frmd~@5ap5yTk-Q2J^+N<ldK9JG%+(N7%`MPvhIan$hhTQ4GwxEz9r?<AG9~
zZeq?wc?76&7_76V&D;@wOic5XL?-b^de;NEK!We_!?CJs__3-TElu-dw6AKPcZ-Xg
z$M4+eq`q(X`IP8Q6U_>1&H|^qISc4bRG&k-Cx>BWgVnUg)r;a>eS)|$?Mi1F*w&?x
z%)MvuG%1cz-Mo;In3|67TF1AW+B5xrM1QtrU5`saTQTWi&Q(YYqZGrt(#@(6RD&_X
z&69xl9}#L-_R^M^nfVA88wFhxP7?tst5{5AE9YFDEAN=bWy%qISFjvVm(uo1FZ<IA
zX0t9qS%<267Bpd?HCt1aFQGRnb&c<=?RQn8>Kr5=V|L;E4NB00KnW8xHb(LY$x&jX
z_@~mStm@hmBMJK^k@thKQ65M+gt6q*2c+!90A@K7yd8^r+IkLIP_N^O(YodtH<UVq
zZhl5WrGn3HB`h>`4#Fc0Ud>>fU22g*qVdM24`jXYuM|~J6__(r5DCyN4rdfH*vyby
zpbWW>h$>=NLfKZwy}TbPf)A~D4XwaoF@Mp&PKv%q%*Jj_+?iuRW_GT@g#pbDd7CJD
zb;EI7S&?<a1{`|kNXH)<hPRyri0oL+ku3jwhlDh01b+tBC{(w~K^i(gnWk}gCYY7<
zC90*cd(#l<IQP{-C)Q_3Z)WGkeLrU=nRd3s3^n9V@p*EH@`4P_5#!sYUO93Z^|#Rl
z)fI~jvCJYv&IxSA%~)B&JVj))12F-|zLYb%a5!238X}_vD-b3et^<esQ!~tP+NzEK
zx}Efu`sL&WfTXfERn%76(Y*dJ+K}MsKpNpEZ%(--AH+lP%___;A*t)+k~|Krm4V4>
zoy)C<+Mju#TI8=B)jHZUs=WiKHQzOr|F~#}qUC}d;teh(4G;xTr<E4a#TyV|Xj`d~
zYD-V7X4k36d)nV@W!k2-wvK_VX6a}1QQk`ymhOjpD9NLSz}(P#J4<vGg`p>#^w+x-
zH#VRK9E$Hzh#`S=2YUghe)o*MRIi(FFsJTBH8wrix~NF82^0<!<VOy#IDr!O3=?9k
zAGYGCfm<K03u6?ovLf154~xkhL#}kIKVIazLfVISaJq{~%!IgnU<a?Qhd@Ju#xaX9
z$)cj;tL*y|mHJkI6U0Wi4GnhU&QA>H8VB=aLvdd-G6p74Tn~z4yh7l_ONBwn;&W{+
z7;IW52U$C|Z{~$WdjoixA2ro2_MSiSn08^s++4WKx*N_%_Ly&uth{M*%#jR<?9A>@
zYs|Clfm$0O7?hYS6?D=c_(H9_?Uei|Dv!Zx&1c~YuX^lda$`3`Gm)|}hMVkV-k1RH
zG7u9$gb!0|E|l3qw$9@{csz-yjceyO4T%k(owWfM69!dK6(a~~1641<d@*=bag)i7
z9>EX%I2(AjGxt#=PUV^#=FH3zqHj)niwn?K4BbYCh6jbAppJP@==-~hX_FZ3-aeIX
zU_GS3p@I+KTT(=$CF%{*SCJj_(WJg~$NC^+cM@7-LD~AZsB%A@L#M%2@-k4uOsdf_
zxoNRo>YjD+)qetAHbRiDJq3Up$7*a!-uBdmHW5_=rtiO_zXv?6Fnk?!=rI46XAd&d
zXV9tg^soF>U4W!*<tanL2koyMajF2~@_pF!kit*!a>FDYnEr!8l4&8*blz{nGc4SQ
zD&W^p`F=S_`WUs5DnD$@qe7_qz(LlV8uDAI;YX}?BK?hFN$F*;n+dpgX)0C^RHB9q
z0=Wy)I{<8mbhbp1f{hC<#EqNf1R2<MR#LPzf&z?@RG<2OR;CD5WddHKW=ED7M+s&Q
z-w7?4a1UnA-HHkraXa3lT#;u#e?9DCrGrh?A-oYm<w2y~y(~i-83cJIcvwYA+ef%2
z4PVPDI!8*;nyZ+aOdPjmoA`pO_Itl?%?UI@lw2rzO&n|ml$umYA+M>WdIOir!`M>D
zQ9<u;Q}a*uy%}A~UCR~cTBr+EM=`V2mngs|Ftq{U5SNFg1u7Ki)>dj{kB_i^+Jjdp
z16r1kC;_w|S(_+7<Zax_vX9cbQm%;8*2Aijd$AViH+9g7q=u!$ebq=Ivor5o24`mq
zHI{G~vdksDtIJc%aV8fiD~#>_)J-WKTN?eD3U9PeOg17}p8dXjL`Ym5y+t|&kvyj;
z1tQf9>@(ND-3%Zh8*#P%xskh`r6#r338p)Hd-uQ@9WlJyJjtX;Eg7>NCdZm1%e+;y
z04oi?5<+$JuIPzzL+ShsF7>kOQ39a34LPA<YD@72T~?Hlg1!P3N)sma@{wz!p;Nr=
z(4v=nxzDP_aPW+*Ub~zFTEYn)&W5pz5n};01x1Nq1Y{YzxVLsYjae?8zb^{r>>a|F
znZgV!fj6KZW>poGcI?OGKll@^J(f5IiCPs_$2A-<Z}7y`I#$lRX@Dpl(;it6?+nnL
z+-`sK@>K7O<s8)E!YVl*<$J1q>$36#<gA&ed1!E}dwH;;>r(7v455vXx;Y4GZ@7^y
zFpL(R{j)@1d`#KQl3y5&W(@31GimSGFX0$1D~p;1S<<ZW|6U;i);nzzcBT?1jtYsK
z&d*xc+m=>Lo;ee4Y_^JH`L(Ldxylk&^E9i>J@)yves-*>P5?aWRNe++Qn+&+qLKux
z^o4DrKboBtkY?vyKS(yA_RH!GENIR@(+L>(-YvRQ!;H3YxWm(=l+MAJZB2Mup)4=*
zX_6>&xB(HKT_6W99=1dsxZ;n=ubF|X9EK>u!9ywozv1u*p4DQclaCpV{w;bUP1(MB
z#Q$LN2t%J=GM|2>dXpx<X5+k$5iFEevz>djeNzEp;y{|g!@^R1Aw`69CUjCEBtANX
zO^rax4H+h#U#e0QSW9QC8K2pL5uv9^K|u!kIz5QfMm~CNAKH|(YI2`Xai}VFR~8@g
z!zWjbW*`;rct&Zd5f!4XCfOsusS}i*rgGG~l^T4#+NrcCZ+ksWDXZD?rXr4IQc4t)
z`X`evt6&>xc&pyk8o*yd!kE&re@{D|6-}$perjm1*(6j(Y}C}81^wi95Cy8I38Fx+
z7pk75Yp2*T`dzREHG!t+F(F())0V%yBCsnp=M9=3tqwcem;=8&QTuBy>yWE-f%g_r
zIhrZX>Tqk6t15aX#}vFQ(5%!LsWYniV+BW<N)}w>Kh&7jCbhuG#L^Nh2?36H)>9I5
zYd~2_>V-=i2*cdv@_wZvI}p*FV~n5O%65ZzJN3Xhmd?6i>HLx2#^$z;;yCjP^hUQn
z#J#=IaBW>#74R`wN2KoDCVi?&RZ88@<;najb(`xTq^a&5C@g-qo)s9MqiHVFQy_D@
zo!S7qb-C#@ORvy2E^&cur8I6<@?c7%_XHyL7x6Lb{|qFgaAOj73T?jvHEup~$hQ6R
zwTP}>3qUUlv}kG96l1Vrgeu2_J0kM_sDr1RE$tWrPevls@(?#8m26LB=7U+iLDvb~
zKvS?|<&;{8sQwcD7zgY_6|O+IZH32nBHjys-Y6Tfuv6&Rt+cqXUA9NbASR;R^Chq&
zQr_PL8Eg4JD_At9(EDRC+M*iNE>TaBs?X9!XZVD`Ta_NzG0}gyIDOWWXD<lju-G49
zZ9+`hFk^*rG`|eOtujdc_5q3#izrRx9oGgpu~|zR)viPlA|5Y2%o-FP?>m?^K)Dp_
zNe=?-lYy-TNp)tI3ppEn9_Br~4JU2`l!}ckda(Lu7b_2qm0Y{DW<rvOV_$yab5#xe
z4T|&nxm;-L_N&B!jtu0e_ku2Sv=2$R>!7RPg2~v@NTAUumu2E4f5k_>KdM%Z{y~8E
zJExKxFL?zU4F*0+PycoJ-O47uo}Hc4_tUlxcXv5Cn&EHMN%Ka*rO^=P(XC1O<ZPE3
zcCnNc*%-tShl;X13`Kn=L27pC^AVELooiV1`&FY2?H!xjN(6d#wcq!#Y#si*uKItV
z<*cNii<>cj84MMpoBkLKhtd<}?vni5s@l04wv-`l?PjZpf;+U_`CJ(wXmb$ypjd9E
zbVV|T@v!X4m9Ek|GDuStrK{?XEY#TjP&Qf&`1w(t$<av}Wr`U&MA<c@@q9tC;Spk0
z>9cFNcHM6UDn#X=9eA}jDuUS7cxPrr+L>t=H~|E#QvdCY+-Ewa#DIKa2gi+r`%?~~
zuqFCeQW2P)s8=6|jAXd6WF<X}1_+G5<PzOMPaqAXtzB^kwyhmf>c#H6y?*`Y@`B!u
zHIrWb*ZTTZ4`s5XQ`}-0LYo@%1@~1UaM!Y8s2(Hiw67ZlAvtRl+v;#5uH;CN@*YrR
zl2Gaql+KNGt+H&jyuRUGl{cLKaY5N1>g_eG?7e1EV>GZ61s~+c;ZapY>WMyd#t=v_
z(Ev(nu8C^uS}By$UzpamJZ{NKXllJZ1q}iFbF+k+x+p5?>8hlFD!!6?EAkE^tmW(g
zSIxCr81^+zm74tOmOzi)LEihSxy|d5{X-(YCOL*#&el`9rUL}7$}w~Wje%~hbE0oG
z_dfh^=~|-q7KHTm1v=OUS|+K?iKFSJj%po6obB5_)#?jb@_ZEra-}Ne9{$~FQpIu%
z^edO?Vmp6sjFd?b)0ZbwzS!)-64omX+BCs<f@*0kR~+?qj)5u4JC%_aPc52UHFSBn
zGjrsxU;5UsW$o~8?bf1MVtn`eJtJ9_TBI$sp-$Hcy~nGJh<N#vpylL80#rTUCO*j`
zZZ_h$*hLcyzM9D;y%kF$vWKrxZMxYK+5DJi8yNS+GV@L3LLsMT&l0|Bq$}2+gMgb~
zXj}nOX)K%Q1i1pvY?Jvh_pF6&b}3hF%h*sr;y7*imJ%g5G~Cs`P*T~k$p%T^O+qC^
zmL+whH0UsLp<ax$Gx>18$Z_}g627>ml+I|w`V%4&Y7li_7_E!Rr{yNUaK_xb555HU
z+XblR8@%V41b%U_N2dO??CgaYA{6ZM*}Z9q5uP*-V;|uoDccFAY>qe16JvKn%?xeo
zg#xRV>Lfo8v!ZCt^hVIi*kbVtn};$uxI)8LfUDvAO6&EH9!wy|1(s}D3a4FaOy`id
zOI38l((Z_^x%Z<K9TAdJq7dkfMmBQsz0W4j#*+>wC+)ZP<&|#Y*W1q-|C&udo%E;O
zP&!*Z<5ozVl@njRLHmg#Lg8zT*}M>jUsHa=2h6W*WI0Qah-S2)+&h->Kv*ZK4y|az
z%%=JPXgjf7037matsH8}&|5%^$vx14D<1N$7WqD!H97opd<xqyhL}?@@(<-nm9i2e
z+L9ci(u^jZ(n0rt)^#Z6;^5+IvcS1{7A%SZqxjljwVKzPPLen+EU>$>Y{g>1g$3~e
zWSUprLN?TB5`(S<$Et%`<j`p1cZRMF)W4`Q2?uEX8Bh$w#Gz}&HJVD$WlSU9m3*<P
z0O4oHXIOQ-Nq53-5)bo=d^tpPIsx6U-J+jsn8{RPe-Y?3PDLNw@g@f?7s<cBJFY+|
zO-iL)W2^4Mf-TYJYE4x=)hrhgyB`r%sX%n8hw#of*A0x)juD_p`%rhl2E<wqG1a;~
zZHcin9Z%I{qys(t`H{Y$ey)a?oXeOn#M6_XIJ@2ScVfnhvxJpsJGi8TO{ykhoI-^u
znX1@%9-{PHxrHP2hJfUU<%9RWG`u)nwNS}kh0&m~0<6lawT<=f=g1y>@eA7-`j?d+
z{NEjt=J#+Z@!cwORJFOaHP~S%F!nysGFlnz#4X(J^UN^wTqK{zOvo`YIO#|u)KQ~-
zoGC3;7FC&TVnico2ENN=5BDY#UBBztaNfG;O?04sQEG${V8}x#kL+Fmm$)epUSde9
zNPZ&Sw8|s(6BONqI+_m%**`MrBaFjKH}66h)NVZqr0R0|;<t~N&Ivsm3ZG<sH)g0x
zY+r;I21xsUK>5;SMX%V#D@%cxSM{iII};?U2T_^C?ydbp4677vm-6bHdS#pt^F(am
z=i!%d2WtM8@KYRO@1;*~cOQNz_*v`|k*0BqmoUm<F95oHP=GQ9TH4S>uMeOY*bG_Q
z2c;;+3LTYkCbYa&w6cWe8yUfd4+k$|UHU>)PiNljpP9`{PF3LJc}jH9@uKb%3Hkuv
z$Wx+skk`(yuW_&^glZh3C(eR%APZ+K1OzQ9YgN#YJ-MpLeiJm*OFm_35EuZi=xq>m
zZg!7=fPiHt9XbQ;PS0p?P)$TmH6g#x=Y3TW*|(H`8ut?}SUvH`j+;KCS;06>7H*dG
zLS|$cYVBC6f=XLl>5>OWw8Hntq{HH&mmo(GHwt1Gmm*^ssz%AMK$<x}7>D^VOtq62
z2&;@Z-7xx?Wy)8AD6dD2X{nRI^r1zteWL>}gDG+2Kkp(F6_k9mTpyi=oZexq-}Kl$
z{$4ZFsyq>^`<v<0T1C(9snchjAJ&&468Y}@)HmDM1>AsCqpb>!_GvN>W%CM|HN)h;
zrq|`vjd#oK-*qNZiS;O8l{V-|5)*>OutJ5@*l712PySpAE`s6uMb)+`IE`EOa7gle
zn5$i~j-FKm6#1z5q$ZQld~{kxQ$~dHKs;z3{pmIMQ!hx!a?{S<`u<e>b3t&pA1%ju
zb-17JD{E&xPhec9f*ih(1rs?OIfsr7UX(;DkAwita(-YOb$Yfk^!Ms{vAbEiDX+}h
zMv%DeFPXgkRC~4kFimRE89PBtYdURuJ$A}<m+Dj5&y0`Yzqj!Q+xQB+zodGATROmY
zZ}a`|*k}KF9{chD{I(M6hhd;V#1gGF9g?%UMh~&4b9#FWeqEK3?CIx;DDgIN`*-o(
z24swOw0^Lr3UGs5=b#d8k{E)W8s;a;qGGo$jLah16Yg)k{MCNQ`eLbKT!2Hs6Z&%G
zB+c9xaJw~4;^*=kdEV;R#O-W{hkDG{m#tq33u{__J~Vr+Ui=XG{6uY~8OQ8~K;6^y
zS)jKcj0U^|5gWU0rxm=1nxa&eidDE0Fy1}}%*ewXaUY-}qMy@d#<<~!Oxq-OeYJe{
zA|NH8RQa~Qu2G{Yt60H<r{g?h%BEw@AXreNE2zU9Hv_-upXGLNdH!=^gj?e`;>XBK
zQ9Kt1kCYt`VW+n=vW%L8shlWKO5~>Dm=EwZVdthcFAY1yb!{$BnHR$GYuah}kml@8
z#xB_hL63ilTN!I^9Uplb`fW6m_~4cLbJa)tFh77;hND9WHO<#mSt!Wqa>ftrSi)?}
zRg}KrxST@CZ}{*vr?puIu(malQCGJj^mxC8lyo|#9%(T}Dgu;&tN=lnZ<mT}dO_D7
z@7MqEHu$x1TTwvFVo6fy@mv-?eq%%UdAUOzhpS#?*;Yo8Vah%{M=P@4X4T1#=<ONc
zZ8!%HVO?qCcUEM0o7v4?zT{{TM!`%a(!OR#<=f~5^#AM@#j0gyQ^`dp)ajgB_)>q2
z+=ki>k3yAJ$RzVQ>bRWerw|wMc%?qjLI|)^W6yCE%(g$Qf@;9WD(l^}$d^%`8DlZS
zM6B-EOoi?iE1jut{}IZgR;AOn(7pEEv;i`i!RoHo1V=YFNYk};Nt&WtQVm%^Xb0f)
zbrzH=D)3E7cU6G4xcHP-TbEzty6VlRud302kB6YzZCeMWAxk3#x+vO{7%DnEXc%VS
zsFwP(9^6<`ka-L<gA!X0A<+YUgK9URc^%%5LZ!i1?7rA_bzw?VDteJl8y>qqJ_d{{
zBP1z1NPPv8gPNWJ9YO0-qdR7cl3jN8SSX&f<z$xo9kgWh6Q68p)LGGzy5d<wdhI5m
z3Sy&yrXm-;_S^P*>aWvc)@7n=daNpd9D`Ss53c;*G_n}<+8){sFMUos2Dk&?15qz)
z94?WojDQ+kFc0*y_V7@&lv53!$Pmx8bV-vQ?s_+vUkiXaN?}B$zUjp=>@>lKR2=ZC
zg0O}eXvFSwMsUaQ6B<22iscvAgqOVO4R0mzit3aY$wQ1ULmH5u4kXGff^m&~_3@HD
zM&6<irL*9SN{L3x;vdoNH^Io^AVz?Y9W$6Jqqj-&5;-9s{`xy-fA%X;@zI~EjJP81
zFQWJ7g?{=r5jB3$XlyY;9qtD=64OT==jnZJfl}78w#w;eKYp@THq}d1Ma!kk4@ZGd
z!KPwt&kF(uhbZX6>IKqei!`E!R#e^swm=Ou7)7HmGa>RKlI$u!>|x*e!Lm`&v@eTF
z#sAy8EcQ_260W?gXZBX{fM2au>9?&s*OVgAXykW(s4)U<O^m|NHUA86$f7S+jdp-A
zz0O1EO6?3<dap)fkH>F}qgsAw(RyEJlb<#3C6;A;siEh-!;wqCYe@p+zSU)O6sSM#
z!Iqe4emkSZto!wukjF?CIS&Xc_R2nowTfEZI&xZ-g84gMcieo6y}>R)cf52O^k*!-
zR+VYHGQQSd;m_nI-;(Vk&v#>q*jLYy>?v-h<Ps&Z(^Y8@B>o||80Kkw(h?$734j_m
z2eg{f&~t-%)h1hu{Vj~6gkzk^ex~kB^3Tk`8zUIh|HITf21(jIUx01fwr$(CZ5z|J
zr)|5ZZQHi3X-?ZlZNL9tZ0uIVQ<YJ5KV4Lw%$s?R9NPd{TY;XPLvLnAvFLSdlut|o
zw~M3Qwry+D*bu+;k4i>B|C+B~-o9u@W#Mt9&42`@<`W`1Tk-~#61NhPGI+hf{mExU
zWO*jN@n^t|T0PDG^t7xS;jomALf861q<5{2Rj!G&Mj~@>bm}X2yoUFa)MM08$g6a;
z)-5M0zwO#RoaCM*oB!Wr2TrIG+W)7M04!eB8LhEn=gm3S80hKx@PNuI21=v0G8iLN
zcutt9oF`IBl#NW+tiJC@QIM=Uo$g3&4(Ks_D~Vy@AM{-eP+}-Kq7x!2RQ_9tUG0Wl
z0zFZBKttsSz*RkYW;1tyinkh*cD<tbP-v0?{7q6MQHIrCrzPjq`21p#mOJyRRLvwI
z{!6y8CB1k)j7|xCl4jyS4RaquRNP#x{n%ldf`BzgSV}f07_&bMMlB>W6TOtgmvKNO
zVlnNSlmQofsf#qSOcg>ki>4k9yFVPdxFQh9t`dUEO*M-BLR}OPDZIS&7Ewd-;SfTV
zO1>6lJ6=1DXsiY{<^?v`$PvrKQ4B%}4WWFPM}{S4jN~4G^#4+s*3P@Wz1%3Uyo;;4
zZ7--f?=ofK$g({R4N;Z(7Vo49yK1&uTK_d*18Z&=v7e?{sP`~NtCPT%7%A~B2@SUR
zog!?7>#Ry2<aMC0LJVm#FS>1r*f0Zr^Yx6REC1^eX+f0F33_bg^3Zba)^m%t53+4*
zmi7@5aaT~RLn6iY(kV=zCdHP|u4A-UlToQ285~#nzc<46Wc^~JLtq#V7K9WKQ^}NX
zy4DxE$T#5NSVJ7DiCHk*zNreKnNi`PJRg7Oy(s`68aJm|<oOoBRyp9c@k2GB-PHO#
z0pRV$%!wF~viepRTXAR`7PfSFW|EDt*yLZ4c;@$IuCg-o67N3SI;Bz9lh`GA|JaZe
z7*7@Azx2B=t>w(!i)JZW{o#D8a=3(3@fDC`ABQWv=)Gf2)}{kh0U{Fgo3zrOqB?e<
z24i3hqkl}$B;Q?;NnRBR$0Z3P6dp%U1EboEJdijCrRv7u#k<;TXRQmvc8B!KeJt9e
z$L+NI#3V5FdPaTgTgUscY3}nl?1tibCl)CL%9E4e>|~O(=eWqAXTB0y?Mdy|Tc_F{
zG55n4@_~LwwFj&Tn+C_zNIqpWs@Gcm&hBD$UY0SP{G9xuB)swY%R|uS<Cu-{>QIJ_
zRYwWvrpeIyrf>NZQ(EPWTLaeU@-e``4&vQ2MEkubulfRUXuVU*4h`3;el2}TaCHd&
zWy)ACR}QNT6n-JuT_3=_Od`6WR5d+u6c1e1glB`2$G+rL@N~l?f;GJ8HUx1PssbAO
z^1ftN|0`F0$(lc-!aeFDeJCguo=fE^P&E<3N*3PAwqTA+o384qEGRA8yQL!o{=`mu
z7UFOYARxE}*S4P{KWsEwjx)Wi^ySV{7=Fu(wahbHv}Di08G$T;D}+>&I=}b$@?QPE
zdOu@}|3Y+gEwZXOar|^%6|D94oDb5-@xoPS&!)*qFRh$R){nJW9%+TB00t4RWZamr
zK;?5fA}^3@Lk;~=F;bgsBr+HNKEJewS=O|sng6-B`DH)k1GxHWPW%|L_EQPqx9t7)
zdQcq`;n~x+&l879j35K2Vw{>MArAaQ7U(>AmeTwuYxj%p(oF-Id#f=)fmE5hg5&Aw
zhlq6ht?#=|5Ma2|4Bf~4%dh{H;#2TUv+Wod2GxDV;P`O>(%CRN!1+gCVxIFiLC?Wv
z2ZvWQw)fthWPI+L{*4-^ZTRjpQO!$DPuUi2uXk3v{PvsF<uztoh<=Qol?k?0Dp_O>
zsi!>oxEL2A3sUI;P<?XaF7{;!%3&bBq6D`B{XE@NlTl}k7V=cQc~4UwZfOYt`sFSU
zV6B<{;>hiOx!NcBJ8N)jVZU|;k6&s#73nb0$-~|1>2wjjNxdOtdyD#o3YFpPfS(6@
zGUxtxih&AnBl`x@Xv<$OplfP@J?xj1gu{IT*xgDilJ;?SC`_((DSR?aJq!i2x{<%G
zit0<bt~YrvJ)UnAJ=eFrZ9n>W$BbuBRzh1A%3M<OG!BRe&CykIB*T{q%vHHBIqg7;
z5{M!XU~$NZEL_Cm(-p&<phg<3jjYogZ(qgzcGH_9NZ?9Yp3sc4W@qNp<lSZz;dWeQ
z*SE}7Gna41&%HbobwxhetpSE~gtr4PSD33?bRv*Z?($V3L*C5I8K#fjy45}+;tn=+
zY|glm|Ij?Mp`i#WINAQ$Edgn9hF-&6g#Syt#KAq4qOsNSB8XLim*1BqQq6-|ii4pg
zOD-OKzu4RD@w;=et;batWM5y}Q}N^^xoycTjezcbI|}S?Gtf7nOMA+{_>WV*Na7iO
zqWAfXO`VZ|Pl@&EA$kW@x>rqu{_sc@+vlrx)UTnHyGlVZf>m>L_u$@+%V$XYN7*r)
zl|xWpU34R>h9P>1H>JV5lS<Kz$o573_R8oy$h$w6zyhG#+m_8y-eVDLuuK?%LkODH
znU@QS!>3QL82(xQ=aizXYC@^lj7xQmpR-_~^b~?^Z8^VND`y2Xn>P>9%Bf!1g`=cm
zK;WRvyZ*SwdhMi$hnH}3*NE`B#2|MCGlV|#wCeA=-a%C1Ya1St_LMR7YaeITv68GZ
zG+!<L<v`xaSy}Qx){9rUyk=S1TFY64&Jv>{BZg>PH*HAB%ZWT|#O30I2~(YS3r|f|
z;iftx<6QV}+w*9GH-Vx(uf6}M0~z4DyPs6bj#3@%Il6*9UW6VZdcF8O9N=)KC?2ws
z^ILaK+8JkSN-@({&YqqPUZ9=}+XMV{a_x97F;n{dWXtc<+ZYYL*P_!M0b$>^V?8*4
zEysYX24U8tUAdRo@7bY>>0fxticCdGK5u-GE53IPc~^T0-bR$ikZ=_lgVBaNhJdgn
z0OJ`?<$ZMDpI5mtwI)HzXGf)-F2`5UaJBCX$7}nw!sTvFzQYEyXQ!Y}kG)sPYQ?^u
zE`W(f)q+{xsTGX@j5y%T0U+&0uJ6U_*E$q+wddshPw5Uari^pM_1%`WKrJ44B=0Kl
z;DfV(fKTHanDl%N&9M8U1zV+cEa718m(*1uZEx3rTZ_7oPYmgu-Pi&_=iiq-+Baa)
ziN04^)-0?u=B&IrQUgQug8ne;`Y`I9{34hA;);&hyJLcd-gm{99nLpngcQJqWAEX=
z_X|fxfXidwwk_b`kI$FkoOc3y8`QIV<c<gSWdwXf+nJ-I4?@E&pxv_j_up~vti&fi
z$>j|b4&ItN74n~kv|Ii#L&M?MH8nZDxq+5$zN)oo>O6eJfM1{YJ9TGI(YJhK>R!HF
zrQw9CBcl&^iiR}MS9|51Hxl=VSSqnUz5kPH4-S~S*AM=pA6unMyKVB0J1jeVL=pjp
zil23*7|yCAUDykw$clfW<uR?0NW7S~S&SyVQZouRD|jUvYb#}zo92dYzhW04OE=c=
zHYbh`+@A06?H2jK3gYMHb<f&X00uRJed-QRvm^Hxyek|xdTV9wEfrnt?G-z|UXCLt
zV-nvpO`RV-f^N%>>dpIwzI&3gwFc?r>*u+KjiH2|uA1=Nb1^gz7?INmVr1AcNCYO&
zF_lN+6o6%2z~d?5dByQP&%)p1^P)}zI>tGLo2J_<6OxO(l}yE1hHt#y=KcJv$C+~%
z4_FKSw5A`Tb;4wC?ys-8)4qUBy3&=i{KFz1ZB5Jk6|&lZ_h*=|L)&f9U)k)65;PS|
zoqXe$!eICV|HOh^g^OBbvX5@`9<VG`DcY^tCgl}1v%R0krvVbDfvCI1Sy!nn14Ho-
z!ndtgQ(FOrXS4etFDc;rDrwjxY@n#7K;~0s$}|aBHxiM#YENc18yd%2Wh-w_beRBW
z-(DVlIYE3wOzYB@bnIUH>Itlm)#W|^>^V-v)F}U>FF?!6M;l$e@7`W*deeN<o1y&U
zE7;Rmv^%<hVDi<L)5X<};5a>Ld_W3D+^-)2^pT1Cy$i+sp8Yz;&!Wk7ghdIdOl%~E
zieSYFAqsS@-xZ&I-I}4td5TUwuFs_c))Jx*(C5(%_{zSqPvU#K-S%c(L3i$F*)>&&
zj<brGm_2#JPr+%Jl<61m7a2WoZ|PRKt3l|ef9{N6lGr_`_>^S9pVT~yXL{xehw^*R
z)8_*8P!91qA*z3phzH2NFerAD6tY8jP2H!20F1DF*pW6N&8mTyC+!|XJB;L|`%J5d
zGeE(za<)|+t(zRogmbQJTayHNm1pBFEJ7%fy%mPu)Fa!xHH`{>{)#-E(-Xf7WXA((
zyXkLJbbFElw>Od)G9%F=^95L*SClqq@kCz5IehvaH4Y@F@YGWwQxL}Ayhi-c17f*)
zNQ$HQB$4|J&_sObhS_hyIS0O=jLPL6#EBr}N3*Cdl37~&3Swu^rN5#Nd#6Qih#|?V
zkx6Ktng<kGtj*@9qB$9f{E-9&K?ENwOCwnKq397b5k_AAQ;;&>kI3L7hP!)se0>8>
z9Q%4z=H@jxFo0_IrG_P-y>vy$nHNB12z@}fdkB3c-cIZ1NLA9@C~a0?MM#+xq9SKz
z8KNUq49OSCeTlY?&9;}yC6vmwN_AS$olks|fXfb!CZ9&6K)YqajvAY372UIgWiii`
zQf1WPlys`7{+@X=Zw~jy=BL~xb<a!S8PGnHJ4tAy#a9NAztv%8A_s}1v&9be(mDU^
z-PF_b6TT(#^au0Ad*T5XpUg@IgVGN6Q?&q=DueaGla9j%n_CK@6jRJO3VWqXtzSxl
zO5;@@#3x0c5;0HAhvTaNYd1(m&)3%dN9u|V_8Ucs#%AzOa+W37oa%KeHDMzPvedpg
z&FCU>95~`CceZ>=mdg`pzv}~NBjm;d>ALA33Ncr3Y9)1`VYm#GXHhB!PIVPXlSF>O
zV17kH4<euEbbj+m<uW=lX}HMklr^|rpqW)JWdhK{Z|il}o{?YM%Uj$v3{F$<XAh!h
zsPNHZRJRgn`Ltq?v;Tl{AZT*rwdW%rxo_z?Wg?YVna5MmF^A362MyDNedvp0O740R
z1r((SC8ZKX8V{VwR^37&>(tIrDkmRaG{{c!!UfF385nL=*hNkyMIva=qYyAi=&NFk
z(uAUdsjx(>ei1JfFduQd{S%{ieby1R24=iVV<c9Tfo{~ul&PAGl!D5o3`Kb8d~~I%
zC6w*;0;(30OqV_r_2LL}DIQ*OXv;NJP{3R|y!Y9569xH_0*M-raY;#gbDT^^L-E|0
z4zA8n;**j9NBP&!xzoK=$QJ-jOr=fG(>wwSjVJf3Xr2fSLy2r26@^Os#-0fb3x1|_
zYsJ~n8KP-MMq;X&Nsy@KwEHvrzm_iXS0Z13sn_B##h}Q>e;Zo+r2JaS;XQ85M;TPm
zaIQZ7K)x<%DjOnxNv>3gq-nPiQ*aa*mq?7M7(YKEpbG?3XUSoZ?>EDLC4-o@(C8<%
zC(9>sCM!bapZ`Z;AfTUXq(fbFI#xJ_Y$7isWPj*9!E)b2EgMLe81T$zo#=deHNPZd
zPsX#DBeOm98&#zU&nd<wf&7v@4K-VNc3*m-*gnd;<Ea3RzG;3+V!i)l&_4~^G6gv)
zABlf0f?o=cY!;D7VSkVZ*F5vQh)a`%#;H@9!D;p*r+gfR5ex5Kdk(Q5ALW$zK#R7A
zXgdVWoCe0!>I?;4SldEw)c_kHX2~DWr>C#x*$0&Q0Gde}bx(E%mZ_ytglEy;f%1r@
zv#m$a#Q4p~a@wCc6wOIbMX%6m-5i(cwx5EGB%h}9iUcpgtvH28qDI1!>cB{7$hDDk
z4F-{g^#^-__~Mprnp?Y$VUBrP_~=upr}cl0Zk^NKl6si{h7jm1sZ){6XPiXW{c&f$
z#S|5Y;~aW_N#}a{Xk@DboiZZp1LVYq(DA!rUJMbSN?+F^O@c6VY9SSF?-A9zk8M<k
zYJIh}GVXCav)TBBsVEXj6~66$951S+ZNvNR;Fe9v{GYNZB3Fb@rZLt^Tym~?h2ayd
zuF#HfipWK62N4ai0=?O#$>Y~yD)jwK$AWw@FQ7l1N$NQmSk??9OBQh$=SI~b+i%Vd
zakDc8tp%>m&0$A{L}Q$PO897N+loVrx&95D#w^n1niV;fEy&XdK)#~v1|CJJ<fX(+
zl6d5~_|Q{i#Zt%Xs%~xPpN{<9$1_WrSh{DI{RZ29tCZ@=Aa+dP6b$4fx6*8+<Jk9d
zHKg_dkK@pxrgO${(GD;X+2!MR^baI>1WjK>QB`>Zn>__93e_;*;WVF7rNg!4LdUB^
z;v;t?L615*xInL0MUs=U;^W^ZMi$Xh;yWR%Z<9dcfyyNW%0+`>*WohC<nSu&?qF8!
zwUV_{n_b6JihhR_I)%)s;H&SD=uV9hH!8X<RSFDh=x7#FJyU^OWlk~oStP@^twHNZ
zBvFx1Sb};8-`+mEjf429VSbZ_y=7bP_{JCr*?&Xcze|&rE{>?qhWGoq@z~HarTyFc
z-<1dRCimkaFNqj+iiZ-ACILS?0^A)46!dTA)biF0{Pz-So=s*M6OhU1CSoyYx0tzO
zFQi0mxKW>(JPo`u;<=d@DFU*&c%%{Ih4l4sAa?msMpoc5ncJZlYUVyEI<2rHZYO2D
zAvu}_dFXnrpq~SmZZ&2`)F7rCT!{o4&Zj7y7qC8@L7^-pqr!F`IReg{5=_y-=cDm1
zc>?fX#06hkxi88xu)Ea(J~$owdrC-SMbV^O;6n8oMHBcWKXY*u6`8exwG==ai12AL
zAZYiz!J<H1whY$494u=Pq``tTrKOsD)`u+Y(env#ys^pNYE8U-`9ROxw&d~*INLUZ
zAPO`%T{K{v@PH>@Xe~`Dmr+w~TLSn4(Q`M5PLZXi7>_d&BtoY%!t#Awf^_Nn-A~|7
zH|^MUae*^O*ivSj@J3-kBvO+n=nY^(dQFWmblb9F8G8ps?0tDYb3YlTLUv*1kL2{q
z4!sEcW?ZYWfjg10l_`z1Xxexbx3{0WKlX3g?bzcy^Uj;GwfzbSMf7}4Oc}*$(3%Tb
z^PF`JRjik3ixy<*TDMQL7P1VS75P@7hx{x4_K~XCO_3qpUoaYUDnvkGFpr>6z{<1w
zU8Nm;GGrPt;OCcXpB>O8d1Rak$@N+WL(sP(FQ~uzSQTJK<Pd!C2+}C)&(Yea;0Ri}
z6Q!TlXNVnLAFc;Xks2pV4j$7&)9y3SU}}I}i;D@+w$Qxua$c%yp0@03#@VWJ>rqU1
z#0(JgYpEX)@3k(@e2MmQemFo6|ED+dIR2PZ0?1#2d<Sd3u&V&93gh~x7SNZ(xVr{P
ziVYL^4RAkA0?YEP<-kf2;Zj+tN_&HEg5AX_;kJm{uj8~J<09GQj|+VkW$0TD*bQGI
zFzGgh;*?|6uZ|aB5fTkcL)I6BW1(_hBBD1jpJ6Ugg#G{y*6Ph74xYWdXQ-AN4s7?J
zE%!;I`1T!O2Uo^=)9~FV%0e7tBRQgN9qO2RBLSqlpaTvOe%J(}1;*{snu%Yxun}Ne
zV<*J=L>{@JImjKnLJt4PhIlxf$H+3&im4JBV2DMG3vd`4R;<d$>EFY)`C9+}Lv=wV
z*A?Z&M{(P;WbpvraewxVo!<d=Lp?5!PyjtssxC8?dKE|BhZ^-hmUH1+R+rvp{bzyn
z1lvh&)58>nMu6m&zl#YF59(4_8b@yD1#%ckHd4z3+a9Aq2B9e^IPBMzz&{;E6%C*4
zu<i@gWm>LFl^*c4-Ny*|?Xu_bc@5Hq?=m`Ua->B~h^mK`5VQt7TN4;+O%X}h&;`3_
zpP2wNsf8=R0dfM(#0)v1I*7KGHz0<H)}=l-NS^T+?dnRRBg#oJbhw?I?W^eqysN=<
z6N@B7mH}iV59D}?cN^@3rX<4rSK{{CBy&*-U9JLDj0$t>bQESd4LB|meO;7dUugih
z!M~6*oFDcVBxBtd&v60=xW$EuvYSZf1sf0HgCkGBy;x89q-h|VNds&R2n#U;6-;jb
zWHHMwuhce$)-&zmjCP;XM@-GOiIHvxWtAQKOlvNkiVi3{DHz#0c_0lIZ@V=@N^*>;
zVn>;2cM0sjG$|}QIAD=c{GH9jz)b^CNoez76Y)^2L-Mcj96Y7&P&n(@#wsr8U?rD7
z%urx)pfvoDDu-Ias!UUKaJ3y+!d;;A9KX3NyFrkmwAMf<g-lC;ln0>+5=Lma98Ryn
zZHDs5|3*G%$RF>c>{5!i!VoFBHTH>VQ_<ZckV$Wk_JjYX5(bjR3jYlj;Wu4$3D#Rv
zhM`J;c4&;%pa4FbOU9g^L_Wwou^gqdzsKeK66;2~*<_dF3gqhqoa`oOh?Z>bzXR@%
zdcZ7Bl~!&EqBPAmucu=4$1*r;coMm<Ya&=N^q28C2z3L9nl4-l+$%lwPyJfwpGXAu
z?VTpN*WM91FzY`4geBmCm%5K`sV<=_9(@am<!hjp24@jchroFfDhOlH5@@n**AnnT
zXoi<Lgr;4!IVIisyfAsR!J2exW*ifg&m-^b8_wL4V=$sf@lp_l;acwA?a*+%dO2DW
z)H!1O2WnpJN;Cy!VP>Hea3BvcFup=y?MU-D3Mg0Mv2qW^RT`hPG*rB<XJb^h=6dNw
zgBu?0`sxK~|81gm@nJC&%9>@N@=(eCQD*8qU<TvCZV3WXUbTM$>Z{kZp$=dbmzcj?
zJteSFdHUI>;^w;)44)G{J(3U=#V=LiQ5cx0vZZmtnFEJWarH<t$^7M}&Lq3DpQ{t1
zP(0y0IV*+HeQIYg_0@|jmri}b?igI$e2q3%i2@5P0#&91o40`mV;9zMg{F6~_|Krh
zPx*`YLkkmw*M#p_&UdguJ<@nf!ysv*ynGwt)11eFBT)v!(kTY)z-|~0DA90gDnP+T
zW?i$yLVlYXib8~lo9C1lhW9$pVR0Sv!}>v9NR8?Q%b#cA9Z)^kC5J8aT$f^k%G1&6
zKZO$GN!CN4;J^^cagA;h7am0(>#LRDi!e{%3t^2gVM+&*wd+l}%~B_>4?Oe#be351
z>y8~=bus5u%Du*NES$we$<pNtO+zF|k)UFdAPJlSHxH7d-3?QiV*SbX^|DMM!hw?U
z6LW+ZbneHfEF_X6x2W%e`iR(-dV=k-wZv5~Y{Mc#y@BZksO@@&Nk7i(PtQxhSXus1
zd6O#{SBsMXaDcl(fdES~v1l%MR`$U*!P#JFZBS0g8QiOjNF@Lq;%-c&TJImCibB?R
z7C7br|FpVjHw`wByYu9^SYMLAe@x11bM1a#k%_R8sLBwT-;N0Hx-`Jn5#+P$V(u5>
z#93a*rS3$hQ|5IZ&~m?=926{5C<^oh+y|~p{yENWxA;6GUB=ZB9PLAd#9+~K5djOF
z9vc;#k06$SuirHq&MhR+NK3OZ4@TT;)C;Z!=1eWcoI%e0<L2!dYoCYdVWOB6N&{6V
z%0QsUIrppSs%W|2RZ~!jB19~Q7cPGII1VP|$KkdxousPkM1sK<sOzN{NPsy);UdA&
zi9;xpjx3EE5GyhbwaXCAqYM@BTm%+Qf|wg6jqiV)hjJupmL+<kdb#6l|7TvA{FvTB
z>_4Ws{ExXw!S-V&dHk3((;SPEv5gV(M=KTMD`Ez@D9k@5wf6jvX|^eG*dgJdN$R&O
z#bs3zkE3gZ+v6C!qZNDN7z+>bGfun2hNMnmy*aAe+uyfk*h0hCzZM-JaE-@}b?1UP
zK`D35hqB$8p#Ag#f$@$#@!%lnr$3ReyNcldOZ{U)zG8>V#D1s#bUS+VdWBRnq|mkH
zb8jf1L)Env4w78_do2AhX|5}tu=m!VRWW)x2Z5#;UtUrF#b*h3hofgdp3hJ{KC4pI
ze!JxZT8V?OZP_bVDzF+_gNO;QK>H|y44RKW!%ngaRgh_b6|YIehT67u+Cwp7jK&#e
zpvjqLV(nt6oWC=23>AL+>-4A7GtbZu`R4XG9lkd7wD-L-m{vX<&ScNcZG@FJ(rn;Q
z!=iY)Fo>y<CtPThJPLi7#Gag6n9#S!bUx*c04^FW8B~1rEi-MkDc;9045*Mo9}=xE
zw@a%|&eamCqRl5lz5itNBLd%z{m_)xuhi@G5!FV4Rc_+T->qwJFIxxpiH=QPo-w2e
zwL^1|51q3%x98sKdcB#7nq9^4Gy#2C$5m4+SJ!LD=3WQaFNfSu!#;nm_GtMQwifB|
zAzi#~Z)++YCW)&}u)4OME>G?KTeK|P&2F2}?u{TY&fHN-m)(2y`E<BF^Xz=ds_gF2
zw-UI@f+&+9e-$z*;qU~alwzARF~yu8$hwZ7x<J$!upN3@^yyYN?OY$s_-pHzd~5_g
zz1rrC%-PJXjGgmEP@9Q+zcKWD7tC0&R!w@&Ja5^zFWi|`txG(`WIt362yWf{_BCH3
z@%#0!>C!Ik&b0IEIM1SbGDJW2V=^mF*c5d8SB#DWl|>YY#;_BE8A7?xUXZDlQFV#N
z>%#qPh^`=?=jW`Puot^x{=#a{zK!YE;nfzPr*&x`5c>AEvt@{Z3&<y2eYkvqVvC12
z<Hvq$rD_Ae`XLudR%jye=9=2F9OhRV5{+sy3X8Twu^T1Z!_4+$j>6KbsMJyP%mqId
zi-H`8e(j~-dp210)fKnTp3tf`{r%RV@(Z|C^UTt#U`PJj|6X9HHpJ%FDa_Un+ZD;`
z+fm!)msyjX<%WE3jwG8ECAA^_??cFU_k0FS&1fz~-HFYx2^Q|l%k0pAy<AdC-yB85
zN}KO|phCB%j^;PJKA7_Np?4a=OSiTxqdIn_SukGeLf}aoNT&ldR<XagWs3)jWfcid
zG&dfE5K(iAJ8p*C!&rlTO;69yA^?n1z%_^dTHbrpBa*}`wNHR@xVeoX&Q9DBg}$L=
z8>pxpC_7Mw0nt4^=}bvVzmg1eJ3M;-0m#4&Q!V4MnAp)-701>mL+iJy(m!#3cjav}
z%!uTcuulvL6)#;kZ9?apdA9j2c{-Ow{$0dp5A1#n((ltp9-nM<acE_a9wcf^24N^7
zEs8*9h!Q!Jf|NiWBt1tjcU^kseCWbZE}KKsiPZdC(if)sl#7wgBXQ-<sK=yxRYE{A
ztzr6KJpVW8s>7x9o(@=I_TFoK?e>ezDuS4Vf4<f64(AkDZ}y#3SqRCzVPVYA44?TQ
zbH04v<I28*J#=%D+UaM-K+~#qt*~OGQpWI-Uz(h&ih_q<a{)bYTB*J7V*p?!Sx_)E
zp#NUc4nJbnJ9;`0KlXnQ*w16<Xll#K$-&A2^uKW+Ku|zsKjXNk%B3%<{~H7h1pD(L
zWM;x>X6$CnU}kdVCtqEw>Avf64V=w|h4KxDHAoDNR%X`(2(XfET-~*mRkkMnB$q;O
z1x*i!Ib8k)hiqbGhq}mNGeRb_g1}=9nOdn(M1^0HETaxlL!)l9DNLDbrlNjc5L;QP
zlK+%v`}*ub^c@T}xb5-r+I70?*mu*l_tlnXdG++LVEDR!n%C?1v_YBY``J)dH~1Gl
zB073#PG27%0TU4q0df$4_!j{C>5CI!K+vnsfWWBj6dwUt4e%uQ_gOmTd?fsyJO=c9
z?xhEKz6mk{E{+4bK5x<iclUyZ-yc(gy`P-vfcJYt{qO7JzV6S{bim_%zTS87)L!o=
z1bBX>bXs@Ru7xTo=3y6lDN5Be&xh{>Pu)L4<o66cznIq$m#2T+>3rT#d6I-)kLQ_V
zd7qDUe9uQdbp)}jBmctWs(>-2n@cy*<n#Dp-1GJ5$DZ(GlS0=M9#+IGvj=L5jd3e2
z?|P2i^zv1ZskyTgt+TY0@+F@~OJ{o)r0hPNzm%$v7B;3c$HjPita~s_saM3f@1_si
z1<IsDTeBB^*%JR`rYQ^RDA=E@%TA9y;g<dDC;)EQ{}w<~jgSxbjpYAzf^_NZC%E}Y
z?>4l-yUh--dM8D?W4WgfGku-?MEHKrXt4d!AA)GmeLGo3_;Eb9_x%S^@cwVSZ~5Na
z;VO%s$M@a&_eV^}`+A-4bw$-xQk9~h*GEH{W5CIIdcfDYsN&A|Af>>|@>0Ct<C+_Z
zkL`s<*Ivavwr?+Bax@}0K&!9Y<?gGZXD{{R#%J#9Mc@87b8hGRfYi|Q@^0%rJ${1G
z@3M!{|Dh_L|84y+-k0D-@asgD@GA__phqjsQNZ=1Dc){v=k+AY(C?ks_u-6^AmH;E
z^O0D~E8?XOmGBM!70Pia!jD#fz@JrMx61b3ayK;IqX(H#@Cm}V`{C*JHEQkep`>9@
zd|NLBp<}ON`gYabU6#-7-Mi1-UF+JxA$;B77_Xb~Zk6m?p6<&9P0yzy<maV1qt9C*
z)lEnH3w=bKAwj@pMVX`E+w#@V96c^+3cCJm%Y4tz^NPMNugjEpy#V*U)^ETXu%OSz
zl)-hl%iggrLv1=BY!Wa;`^@m)ccYDUfS$`^1_J<QpGUj9=c|+F>%qnA6ZvFq=bNfJ
zC*_{+E2$u0?H_4=_j}d-M3p1QYxxA@_mb$#-b+G<`yA-w{?9GB;p_Aj<BqXa{MY7^
zqFq41k%Fbb!S$z$7uWXt8>GPZUG$!($;HZ#@>y5oqj@=<_!pZ*MktIY)U_baZu<GK
ztQdBxD`GLj)t$Q&`LYXkP27etS%!Rc&8kx8pSPNCFRLX0{`VfRAYy)#q26b&LKh}N
z#FU`#o1=f<)1N7yC-?8ak}vAbbwxM+=!O2*Y7=orDh};^LrUs!^%b%A(;a0Q2hLx?
z1lb1Nna;nODb<!XV@5fDFQbs3x#$_@)ErqdlfH-Exok8q=0LORKD%mMtiI5DUXKsW
z$F%pA*fFV?!OUos%T>CYfPZes0bUx@a{)I$%dxQrFnDfE@3Q?e#G3>b48ZsXya?X@
zj^zd%O4eq&R-mi3W}gXdA5a;wHbnuSPNujv43xT_ci)F{=Q~fppU@?>qhrE@n+wbY
zVFy11ZiM3{w~N>tC+$~+=%bNxvt*!0@^k>t?)0CvYq_-0zYvnXr3wGhllWSnaLQhN
zGzO(g0~LLd^{a19>{ldD%8<f;>?<)t=>$u~Uq2cQb#)o8g&P_u{wfUa@G=xCp=Ps%
zZR=#}A!h!V#Q#*@^RW0#Gf_U++|bVVw2zN3ex|bugIhjD=~o+wx@#N70F3ln!Kl#J
z#Mr?9bBAD!pH;&Q0e&MO@Ni5#oXoL|Hb-k7Q+!m6F8}@9=D^>vEZJ;qJjg=v&77fP
z+UdWCBg;C%LzsoB5QaH3C{=K4)kljzEx7+}mW)-@?`7oero)DuXL*trGLeC06_6iZ
zHFCVWdO!m)LNDiEKZ6A@DS!U`4c#8_Vkf0yZH%$@RYYBG3b!?Il<Qi)2QgX|^7irX
z3T#f{58aobH!|C@slUSVTuY`6c8Ji>$^kTE(_{S9KX3_Ek+l!V2wH2lWZQcMmjRzH
zRQVt_kq`XRpjOC-d^<MqIs@kW*?8Uu_^CHbkGH<`p3B#OpS7LZ`3(SE0Sj9015U5s
z65*c(1N<)GLbsEFm`*Dq_`D;R=@K^ZsAXo2ArMZNI|9PKPW4<sKKjybHgKLj1e@7o
zRO0P)SxoCqsyE<d(GOv7@m!Hk7rEX2&Ft5?)3^6Y`{Oobt4e8>A$Cdk8~R73K}cYW
zZ}o2ND|+NXzCHNpb_Mn)*^-Q9(SjbD6z%z?&sWKjRe3=LL+buHZlG0AkI^-RqXQ2A
z_M%{0LVLE$KrR9Kf};?mm;)*O1m`R43FR@G@ROKWuN^^efxgE{PdRgpl<F-<!(aj<
z0>%6W)qk)1F@=tNn<@^&(%%m{f}=AsO7BUHm%<^TrG^c7j5>7{cvK0Dor*3VdjGNf
z=vJ{Fw5PL}R=N%VOh<)<Ci?*~FY>^e8g5Bkzy}OF2g0!a5a4Ee!FMW5A9j|v;7sK8
z*bxC~NGx@fE!?YVw6FLQ?9bQoLxI_ulz&p3Sq<JT@97q1jDYqQ1TP_9qtWN9My2iY
zela{TpN`W4W0M<y%Wcd)GL36t3cLm(2ykzV9Q~B2c~frQSaPNan@kQ@)jx4?cjW<Y
z?*Ch|yZ<|meqaB;vq|{<6yW@t{3C(u;CFXB_;(|{vadZil)_nuSak#*wJgs>#*Kn^
zijRE7?t<Ihpr>+Uw&N%~tEP03UNZXq&p+{r<>e3?1ixr$vNuxp^|k8`k0s3S+zZSG
zmE^MV(hvEu6%vN$6|Oa%6YVb|4~5*1RZQ;Fq-@3m31`3gQgt?EMn`+HWK(+4*r90M
zC()%DhD5pefy@kZ91Pjlnq{_d8Y)diV2M-DZ6;4QJ2YK5A6<E8yVDrv@k+ra(&bfZ
zoUBDB&4_2awCAM*cA2rYskbItn~=J)Z)dsg$L3NN14@cG=#U^zoh{Pd^~@ydyx{Y#
zoWJv(XZ$NVG#x2v4{wngrGJAb#FYd`ZEUJM{ctI@IfLb+{UjA@BDR^cz4O-I7t;P@
zCy3BiyouRc2hf?W56*JU%HIgWbwu@fL;r#M#Zmjk`n5l>8WUQ%z}^CBy&FTldK$GM
zEBle%yxw><+ESTZgt$bde&{pFEnUY-_dcS`?2~Lu(L57C0wLO(0G%nRPzW0@Za9@e
zL9WD-!c^I?#I_Q}ZZ8w(e6noG{RDW+hWzYyx&RGu*qV0iK2zWF{-{~&o#u?IlI;1j
z&1y-C#<F^f1)+&ax{;>bFmGQ;`R+C7>2tV@Pnt#(F4H(lnNP<|nHT*9SD6;6KNL#h
z9Uy%UO$u?C#h0$dPyg=9X%Ynwi=qnr(6v}vsqxh7^t7YhwR%%5tE8GIW}}$Igvv>n
zu1B#7ZQkI#5Mg=lx~?RLT$ab-jYg~`=$@8xLbZIzV%X#~%gSMz>|MDW_)T2hjomQx
zdg9vpt3?w!D4IimnU&I%(u$vg^}{XIe%wJnf9azE->E%RSF%b#s1=-_62@O^>*Aa`
z6j;WY73sIaoFUBfSh<9mN|`P3bMJLo$MJmQ*w<mdZ~to0UE@rQ4K}W*Vo2J1m`u*D
z4(g~?=Y&snThuY<gtJO^Ve4+6Dde2mZE%hL1;AGEoSKc?s4OP$YQnewJ`8Q&;ClT5
z>6g~wZ7V!Uky+n#eu7>syQ!7!(gUU&|B)oC*Sd|Z>#N_||2eXb5P&1TfIFA(`Tg$A
z*N&m*OT2>#fOF4-{#lZyg?hEQ#UQ(q<ri6Gc!EwTw6@sk@>>IHL%=9GC%#=&mnLb5
z7JjRG0hOw&;^@lt_{d46{;)v*6INVVV&Rs}?Wz;W<%sD!7Z6KG_1LWarZQb<n<7$n
zF;BnLPHGd<ZP6x7ok@M;5yG}|7Y_eA6!W446RTxpG}QK{#(I<m1og^e_)Ba<i0)$n
zQz$X>dnl2<QDIW7oKQJ6=#~f_<j@AR(dTUob$|R6v&+i$#5vHGc2Ame>ayV4RA@i0
z>1=1#27(~52U<9sGV>pZ=GyEM%fqnoux_691H(Y`>N8-`mI10qPxd63{VOPj8WU|U
zxl<me1RX2Miv@pLEHkMN2wyzl)wE|Y1fW48PIuQpaX>jAN61h?=q%%#u0<;%|HpJy
zTh#lC?FTZiPdoxv%$8E7ZVf^nrz;rrzuIbxPRr%DJ5&MBpBbY#&+syf$iyHSB|=al
zRWR}fV*qi3sccYCn-fSddRGEpj>4ZuCbJnbY+>TsYxsI)_z!S&8GHi<{@y~SA0My1
zpXPV8N`Aga`1fBTtIt?GV4M_pf@G~x9$Cr=YrCP0C9GMiAEFal&>&g$0vXC7O~PzI
zr)@PpKquM3TLIft7%0uYnhA##SGJtjLwq8DFzm-WA3!XD^KDnLCMKD~?<0p~VCWTA
z_KN;WoEwU}EF))Yx3i%fe;8N*Q_LZ%4b$KxmMROyWH=u~S<$S@NL!hN$5bBGeNnGL
z4}URPAmGHm&Ihif3A33WPLh}c!jc6rxlbYw#w*SHYk&$xE?(OtT5WWw!!Ps?_<_`&
z1nDG#VE>lyY4xquhA`SV__YGgc&Q}ICnT4%gbh){NgR<z!P7@j5k%nq>!%#6+p_Ly
zERc{`*#cCkbRQ`=9jtzoTZ0^5F>?0@T>Z-R{Bgvl2lBen@%^5y1#iksl;foirEXhg
z?hG;QQ$LW`oN??Euqw#=dHvU((hxA)`XfAjg^i}^$zi&}iw+0p)37&7PDH|Dwqo^M
zGW+oG?Grx>%PM*KM_P^wUahoh!F#2c{!$uzkOE!yblGdCQ$EjiLjLX2=J)IB<CRk-
ztQca|bq5=zdC9zHo5r}|mNa-H)GHHIz4dNWMUdVMcq146m`-&}vn*3>rAm>{_-R4w
z^XgCRh0$i67=f{)x$r%!KhsT&Z5xl{ZG!<HutMCd@wU-rHbN@A^6GBeC-hUR*<lXt
z%wL*>2L-0TqxPhwAhamWPU!HSh4Zni$*Jzne#;7M7<qo;sv5Dv)!fCChhI?*+($8=
zfH>J^soCQCdu=QYh<{lo*ZQ%u6Mai5I@iL^;@J;XRTrqbl(-7!m@VEV-1mTeEsk<c
zbzuf7p*ZWaz>=({@h{&x8HkFFd#m;*xBG6pLWwIw2XmqbR7=<Hz+Bb4EgL@}ymVa-
zg1*Ux7KOxFa-$j%b=#Zdzc+{JrFFc(xoUUomeV@Wal2t_5hVaJG$`obq`OQi=s*p<
zFY0ZyY1XH;a@8P%H7R3jtfy!zgD>I5^`9E=ADqqmESSE>rRRTmzdO{`EBePW|LxB9
zimHAvpyR<&5bjR!=bR9>-#;mK|I)Ps>?15ISCw)EZCSZu%E`}pp|NUF_sX9}^Owzn
zQYt~F?;8ggrvv`OdGr8AL_)!BZ}=m?Sf3=PA48wR)}X=byhjz+YpeTiuY>W=hDxpx
zKO0yxDyf?C$}2b?(pI%?A^=nT#PRS#(DXx(P0sz13a?)E(f_Js<pox~a(zmJtaBtX
z2w8cz4_sh@%AaUq+u{v^EqlVshsD{7Z7*0Tc45Dy_?7{kGhyP_nF0H~c?e;7>vH~e
z9sU=k5n3RPrR<n)idh&*w>+rLXO(O3o$TOf25MtXn(T>c_C<6~;K6ikY=0p2Xrdue
zk4-IbY2I)J+faY9^+=;huxwUW;gWr}{m23fe2p%W)$?*WPQ4AF<C*mrVlC0;(j1#>
zuzaP&xGOqq#zby8Pb4Na?-DE5mv{BFFVd;b@Q3%9+A>zUG>AY7#H?bIZwyHlt2az#
zw&G#`{oqvZ-u^(6%(_W?DOarJM$N~JAKD7(lg>4+o~lyCmTw9VM^VpmnXXhO(jxey
zYn<e|ytwu%fYJXhFu%w5W)k+s|G43=YTk&fNek;a&f%cfkRHuwy;oopTjt~s3Ue=d
z<vUEuekL=YzD&wPM1F2iTMn<FGzAUASpK(8e|IWja?VgG>@zHC(Gt!cN&G8SuA@xZ
zQ`wBd!ccd;`gNt8$0*5l{x(8xeM9D`9g8AyYQ)t-R29C#hUC*?r87eGTyC8`{ked-
zlH1mzG!lPCyetzciJCP{pv)<iodDX|G`)Dj*(w3~5~5ldI)cDBO+sb$m9Y3o;LvGQ
zdf)?M6oI!RL(Okkf>qRz74ucf+%q$Qw314G-T0|qF*a}HfS|%j=Y!Qa8&aW;ys8&T
z7tPp`g&Co>H7>_0)?>Y@IA~^zTb<8x?jKHdfNbw6al?X*;UyPZ*&PTmt~#$>gSr(N
z5*<K^9mRzD$46iN1e+bjfUeg=Q2*H|K<b_o++{;RQkDS-|3@iD&Mq5#mX0W00s>1t
zZ@%g&rQ)DnuJgpq1K-}|I4SUYlfw}FmQ5VIN~9i9!CrTG3yt0-#sbY&Tm;;9zC8vj
z5i#9DeaNbP*IAU-Bn77X7R(PG!pTO`%c!B8HRnbo9bYt1nnJGES`L(hF9AlpBmanr
zi}Htm5W`l&SZ5NKS2|>Sf-6aoXJ1B(B%wEPdWLIf41PD|%^%{p33B9@zb-u0_@{en
zkH`-wT{9#cHlR&qqezof%t9CidYmUJ?vm&N7o<wEvGLDSJ+;Aa|M^FWa&(ocU9rkp
z^Rz^`@2HrF8*(~?eSFTS>NCBl9ka@^gRH`ti(X_J8a1ntAY_Q<t8-r_CeAeIc~^CJ
ztOWmOofBO0SHFnez}1<RojA6y6s{qV8GN!-8EjT5zc+Q@7>_CB9H>_*AkUf=qLyWt
zcXY!-E~|lw3vyird|rGxk5b{R6r4$53ypRf4+vHRP_)e4)2|nJ_UNm8*iy*v&5&&g
zw5;{T2+ise_)rMUlSmPXg4y48Su6`*htS&aKR3hp4gfs=gpeZuLEnJ5uiobk+k(57
z-8RtJbkunz0lK9Qwz4yW2mJE*MDKq>0xy$v8}IB(dG2CS^XxS?zOondZn2Jr*p02v
zKqB3*b6rS2>PxGWy8c1Hz48sXhGi5;aDfE=?3c%U2XqvQt(A%D;svF$2??}`)2O0n
z%t<;9qLc5n-}~9LTn&kTKh%nk+ikR{-zJokc@WB8iz)#vHYvEgiCBMR3?EcOuVD*B
zmXv@qz<?hl;pfyem2~q~=&vZZ(}8p0oPtz~OU&kD2eeM{ZA&9saZLWG<<?}!wiWm<
zll^A)LFMVaT>yO;|39$O<BNF@@aR>%2gHuu=XbOmMXL+0)y}e=i$DvXgSH8+Lz_>#
zo_{`0Kp$YIZzlkHJtDd6`Y+ke#g;|!>fX;6RQ_mJ>%!}Q{bN10CI%9ADYi+&rrT(j
z%W{tRaDz33S4Te(z~+Yz;j7c_j<vBsVIbjl6^Lq!#jT334JFFjlQ>jtcaXs{iq)p8
zc`ma*2!>cNWS6#g16N~b6$(GbmNibeP#4S}=SVW<I;1D9kaYzE;3X0T;&L5p9c{U#
zHA)a?)^fq0*QnuQ(auzc_bkjb?B{MYf-6*vPA<Qa@3*1DvowuxQ;G_tvjbExyG_9h
z*6$g?ANydO<;~#U^&*Z_=R9sGyy<a(m>&^CDncAXY9n|ik`XDd82dqm)a>-;m!!8I
zp`0l|_m9;u<{HmW(Vf-uGT28P?u;4>&#R<6K$(;h8*ns0Kc5)LL77ep?zjW{T5qo~
zcEpNZbPuCrqBuPBW4&+wc}XsK5^qc=xI%s&p`H9L>&DeCuI=i01EAcZ?MuY=OJ+!)
ztt<QepR3b1Fqm|^EuG{5dkP1>+Yv#5_CztZR5px<b6)k)p)O-AuoLDtk~TG#lfQ#7
zwuTsI9n+H3Qm-_q9QC^ohpm9Y$o7z3Pn<}z`XIXb(9$QnH!_Z(*E(*;>;^M-H9sx~
z>j0PO!~uT8Ceyw=!_c)s@Kg!Eox|ajA1ZrWNi#E{eDe2H@<eYquUgd0AKiqe$PJl4
zr!8UVCXX-)CrBBCvflHJh;%QS<>=Y$#DPz>kk#biN;xoBAtk-l(Y2>T^9pS(4b49P
zs4|v9iL|iOPM!%d!KB<c7Q$O4{j{sP4U7!i*Q^JX`MC-|qjO+mXbS7DTqiEjO42D)
zyOp|W`BFuWxAoV`vW2Qc5h1zNNVZ!>GWLXG9p``rb8iw-{gtQUGH%4)vuRRngwilp
zvY$fj>7LUVErn1U{2YAWR`9jK-kFwVYL0;J#u<Hh?5B;>##8xsw{@Km=L-R?Jsyh4
zBD&Lwo&-asMFXO&RVP4YImK&84)(7;Pl!AtNgt@nUkp?vVNs;kZfQ+;B2|?LHOsgM
zvZJDGzV&f6OoEl?wj6dvsbn3C{C>l#DAB}fW22n#m>9TFofVLAiV>z7qk;LX;1aYg
z_isyfWDtQxak}#Yjx5q@hL4(e#F6F?!1a%};HD`}2(NHDUw{d=rWjX%K5x}=7;U{>
z-Kw1}*rz#%wGF}y&7x*T6l9-bNKMv~6Vo=;wca10pQR9+U}_CIfRJ+FvrnWn;t-ZE
z$ujHdgK(r52GvNp6umOCx21!t2V7_wXp1h}Os-}@i6E$uh6hJf-}6xlPR7^~fvx;O
zNy(8?RS=)^WOR4bKiV26$l(r3vVGpdB0WMBz30fLC_rKw$}*`!Z_x|scQd#Xk;4g_
zJS1<7<?ytj^c-6yD^z1ywWf=KFk5t~NzjbZ4a+>h`6!m>Qvq_a`u9~~6R89@CKs!t
z&b4;3nO_rRX(I-UG?wuM1;Vygo`FU<T5S(c4BLTicTZ7~$1|#;PQXLjgW?|fk7G%P
zFs8eZmUC>)iqmkn0NEkBW;rnL;CI=*oeC6QN5w)D<hYT{4qU!ZPy#4vd=+#)t^gMc
zmRW4}pV411dm_;05NqPwDu!7=nc(tjrH3OpE-Mw_f%zk4EGmhAz6|r?b_yz_i=M)M
zusf+%yivE=)i=*ST1riz+k#{uXy#65+!(fDsV7mDI-A9MgT$fm88-}DJp=Z?rh!C(
z^-&X=2mM#QjWltCP^xoE%UxW-{|=Fjr)+B=g}srSkBGkxOnGJ&WTZ#iDg~wu#%kT<
zbL3l|C(CbBQ9t%(05@`9dw>BzI=~_N_+vz#^AuaOqB29!9Fn_iwo7won>+mycd3{8
zYu;YY5P<90`3&&6o%8WBCSUr$ymr^;=gq+j!YjAzx8di>uB9N*@!MO!vl01Tl%#5`
zBHEL7P$+P<GXw}DbvX9XCb#?dK~w_QVG=IZG>As|$nP`l)MQop#CA#`_<h4h@O8?(
z*Q#NpAZ#0r>WgT|QV=I8fn&2BFbeGyeRw9^eg<5^2?IzOJ5!K*uQCXs+Iy`p*PLAX
z=V}O%^Bc721u`%ksCI<y@@Muv>4LoF1{f(NQ0$q))3Aw5WnU_17_I?6Zo=4_iZzso
znL}3G^Q<Fojlt+BiEUj_LQNE5z<jBlTcyRH!oOc6NItG#WPPwUh-J)4thA0u-Hf{Y
zit;-ahPln`f+7{n>wG=X*z!?uG(x~);yOt@k`%37fVuy|jvI+@!1vEoAl(CI#_s!^
zPb>3?*%~(^D;29BODTrEUQdLrm$==hrS}h689Imou25=FMPA-WXX8EPezNQwDQvQs
zNU!XKX`59@8NMX!gU?<<{w{%@n7YO9FUu>t6pAoeR|698VATaBQ8@6tEwMWX?9-@k
z)M-HUddh&~%4cPMO;Ufd3tb}Z3rRQhiU4P`o`4thtF>Bcy@(WUoVwSdQ)<v2m53A4
zB)pcdnQ|gT0<iAd=jDEpOUVUNo4Nv-!v}8aQY}M!oTv=VkGn~67#^i80s@3sVs3j@
zIJqU!o2A;<Kkk80>BGw<JkTwKr0$$q{>^A0_0x%8i~mbN=zZ_;e8vyeK;GWf-ss&#
zkZ$g2?tQJw+X;BsYv@Hcm-i+zocl8Z7ul4n%3(>HcnG9>D*W_BhI(=TVELdZmFSL5
zD~b7A5pcM8$=C#VB+QkHjrpwA*)cK<lVRINkw}qwg*oY_1Md3-Y_Ha2CKUJJqF^`#
z`4CC*8Ib`O(LgzD0+JgkI=+{UHaq;MmWwzXjB1Z^aCyz_t<s68k_KeltU$N6w1=Ot
z)Z>8B_b1oF0|Q3TPD&#*&ze{H+;?8fOExT0=wg6Mn~)8i;)gYc^wn@?tr$+08<jkY
za%arG3he!NAWR-KiFv_=tp(0<xg37y1Z$`b!sLXT?a78xej5q@$aObnh2#m(74JC|
z07;a%El=eay<2^!$%I5bEhK={{t?V*@d%tSYGZcpOPQ!fsJfGxjXu!tsvrAMWb>6Q
zt#O#>#vZcCSJkq&nc|NZ@A*I1{4>i>KbH^NBd>siIzoppWPx7R?><kfn@ZM6*O%@q
z9{G`6(~bqdywv3<#hK`LrWJ8p8z-S8p_`@{*Yoyd(~h6r2b?Y2)_}ff1fGS<&$U~f
z!1i7-*Bjw-u)3?i3{|PVbMmNVTTc+lo&4uGiSCqosv(EwIE&}wtut%`RK(mJ&j^Q|
zH_*<&*ar009JBfkCl!@R+t_Atox`6D!E`#g`8lxe|Ec55!=e86I6l@&2t|x&BwQrK
zh>6H9hM2OAYAiDu#yXaW65=N_mIg6)k&Lk$Wlgs1`&i>AT+7fe8dA2o=KgNK=l-7O
z-p@bhd(Qd1&w0-CoPWOW&+9ope6zz|o&k5LkzHwX`jUu<n~@745?>#0q^?+QTOA7~
ztNMeE>%~Nwaz+*xo`}kk>r|orApGEe;NYwBI5KI8Y)>>;qh?!-;MJ99EuC)iM$}Iz
zf#H*eTex&Lg3Arr=|#^FPaJ<T#$sPKlu&wN$!MFrTn6cwH!CT+{dH-5dwPY@gtqJu
zqPMz#v*!7fFXTSzb6%j&<$CN|Q)%f{=ZVWiYr~O2)$PaYVy}RWnS_mA>YmS5-lni>
z8m=y7amtK>C`gVfHW(qjrc$M%m%v2Fm0-r4cY$GaCpbu^mTzK|2%WttS^Yc3PX->$
zaatv30n{v};-e+TTe2lV6?N>@QF5ew(W4uhB^i|yp@Bo5^;{jjv+UEOx@JL6tqI26
zAL{#QeD$sb!qRj*SNDyPK~J9xy0e%5AocXdJhB^^@8vUzcfT4i;WRe#C9>eMvthKL
zUiIsCG2l2=q=-Cpv3ZY#rM-n@BDk@|NUEoeT*Vu&IFbmtvNbH|naS<?<O^85^xAN>
z-qn|AD!6D0?e@UEnIf`A5qe4M&Vo@)L<dRs#-1I|RxD(@(6^znZ{cK)&RyYs)!Gy8
zd#`reA?q9~Iiy3wQ5%~|P%A00+QEoE;gH6<`_V~-OtkjFN3BKp)8J<ar~xTIEflPI
zL&MBGem0SEpt6y3Sy}_XgOS;N&)H{{<ojLI@c!Ls?^bjnw+h_qq#l%>U+SHE5&W=u
zt#n9N8LtP_5b?QVajnMVPMwKrgnr2QzMJEl&sG>G=%Y9E8<{KXZQjQNzlHkRTPQZI
zhrhwvDuuqWywM6+NNIl<>%V$oLH@A2pJ{_OHV88qccbC=KW#9kE#5yldewAa?4xTp
z6qKI(M^wt~g;i?zwW<>d4;D4pxVtp`Y3T2imraY(M7Kthuz#fHAC}itusVblAfBfC
z$Y4l4k7)vIcg<&Xs1(6#?jv8OiyDKDafuW+xD-cW<v8>mm6R8=&9qnp75EA-7=05h
zr^}?!pH0Tpp}r+6RD&HArK_ndZBihW+~NKrn0f!%Bg5sjo%p6VA5<FcjeoOJAb4u-
z3TUNHK5c#2GBM<qq&C}Nu^7kd02pBN45e2fD^>b&%HW^_u59<21tQeUKWCe1;~=Ch
zVG}>xuN^or9Uo)W!_O0@vtH|pbJr0$uI6>AZS%NJUgH3kmOs+grx@A=UH+bXPa9B3
zu}dB_fT^<?vT8m+#I+o@-9z}MkP&0?c_zWsco8N4y7^2ooig|9+J4oD>qe4xr!5Rm
zvA?R>(<9OawpQIWt+oQrT#7<~r(bm_9t+12g{N+=f5=>9oD>Mt2iJ$6BH9MU20|c*
zz>+-OgpQg&e{t&%nU%M3#_TDkl~#B7pE|<Wd9mx8S`C}8)gK<F72}se56qhqT+?(=
zX5K*iw3b`EwB~k#$0CeZAq!TRd9F3%$gjA?0t#T+>gB#l9fP+T*QenoQYHUsg133A
z1Ybz)0`3<nH;+<6#}Jq$^~|j2RPg)Is+3B|BEitBJUA*3HJx&-_K%?^aIf=sB1Fy>
z8bK{>wLcAXymUhN?$_-$o;Xa}P_kPko<_{RK_BgHT6Wu<xKdDxuF}Oc3A$(49BOZe
zm>>Mqz`rO+QeV@Bp>cz+49YNQCDn1ElT-I$so<Xcj1eHJYHaddYI#~wB4lQVgqF)|
zb148{vnFayE<>o7-miTKmz(kc@K|R;`L`3{t&gX!tG{T<ah)Q2+E#t~>7=o&14cot
z+ZyP${HIZ9pbWQSSs~!uhW!UGRN93+BOSF&*s@~g#Vbq)EGjGRQB{>N&TuFuf728^
z?D`c`oSiBb%X#zQbgMDP4BFtQwg@n1CqI~+V!GfDYO~C{qE9bdRmM@{+<^RHsO+p6
zb*`u#=;4!d0s5_~>=dUhV6OrXu2x!hJ=lERY7V@l2Lu+d3u>OlBgTo2E$?c?k+=J`
z$eXk2WfAh|(Vw`Tcw$~frQtb@AfW-SinSBYR27CR$+|~s^4P;e$A8dl3p958eCJ^T
z1FP-nBGlipk)$*}$-49l6n&F1?(BJtRQ#qe$p_btq*VJ!_hKdo>`LIjzn!bqYrOs1
z+`(irf%m3FpC(M23VxT}?qF;XzDdMiL3vJ9>8Zp8#E#3{TNtQ1y9I}p!R|x|h2HV)
zpRhJ4*NANBU{Guk5{L$rS?c*pyHbJKv+~1E-Nulv?5nQQP{Ev^s(9%#6^Cf?jnA-i
zdk`DOm_VnXMF+C)?OCnwxG`^rKy<M`yAQJOY_n~K7AeaAq;A<}NJT+R7M&we`~ax<
zu0F5!5pLxl1|L&vBcs`i&b<q~^xJmm(EF6~%qgWt&!qeh!u7IP-kGDz`%do4>F*+$
z#3ol^F}(9ig}6gj0>BpIPg(wwMouOfJ<eZKG3*^pQoU%J(d12b_wM-(-}R{fbya_K
zX=1Kujn0t1u2fQzHQv{MrAAm3qB*rj4~fgbQHVYKigWYB+6n9$8azMBq|du*v&VNJ
zELFS$UZC!BP?ILZpQl&08=-hSi}rlW_`fRX$L#F?oBH8Z%winWO)(Bm?r$E*-`~~_
z{mPcTzu1n|u9v7*JaxQwiM{0vtL2Q4K-+{jkPxW5t0Sbo+Z{xie?Ht_zrtz0cjfLi
z0{iI(uI?7W@M#tqb+?L?M5%THpBLbxg!PeYS~R1ouMpT-rQG(Yumf6=?I6+0DZrCh
zAth)duRbV9K)Zxb0O{%*=MY~k6qaMnRe8^r8{HlvZ^~@!psd)h9WS~e5RIjU%&9`R
zP4D~CLzI7_VkJ90{Cm*E!K>Wcbv~G<BO7Y+WWt4eDsuqk)u2V4Q2dx^n7FVDZ)ay2
zniUWVa)qu4D!EnVzUU;%^Q|cObO%&0_PQ40XgVnb^n!?MhR!F}kf0HdELPx3N#9ZJ
zvd7&h6WfK4dtPdgD-H02H*tpTlG3;(UOnPVhxpv5gTdKcayq3JeT>4v^WGhksx0D-
zUJ>K_ma;POT{N&Uml9D;jvaQBt&&|j^-pKz-XBRb0s(I$8`l&Zx1V1Wr>n(o=Kbhn
zQTWCU<W$Fd)^=6P{3x+$HZlWj<+%k_NwW-ox?xr%l@q3>2dSMOIFlXN!*JHSW3cVd
zJ()Oq$<s{}+|buKsbTjqC^FS_=wX{}Mn&<n^rhhhH`)3~B=(G60CsJXa;LtAhRiLQ
zB7ZULB26q^_p@oSFD@m`hR%PmwXH34Rrd{~8c<hxq2Ta?)><?~O_{9L*I**Qh80?D
z5h8>~NmgD@wclv@aWx!NEfHup_F&rBI!4;@(5(TqZYtt?ac6F-nR5{t#Ac?}cyhOq
zhO;)39bQ!9?Lj#8d=R~?FubT(g{U}s>4bFr`<F15mmQAtCn7@a=ueabx|g;EXDC`u
zq7Y1xzPP}H44Jhjr>YvGCubKJ?;92vUQdm&$vMl-VyvQJc37)ur}DBltkNbJqmzvO
z^NjO<hewY%(7%G~=t~Fd?2GpH!zwD@GG$@aW;+95;-e);_~?eVX)2@$0LVu20QmmW
z008+<nH?7|XMYc*r{86dK&Q(OJutu2%(?#ssWQiz5%$#eXiX-v`b+WuaMeHanfoOi
zDgFyy{Uu~3Ft_@Z$ZVNM`W5+43r7BaKn^A{d&JDL13n+MeMhsJ0B8`*(hOwd<?HT*
x^mKLwLA_j%7?7i{vnx6P2~xhS#O1*pQNTL8B0U_j5KyoO_C6Nr8-VoX`WGfW&p-eG

literal 53874
zcmbTdW00g>*R5N&ZQHhO+je!?wyV0jY}>YN+g6v&-qp{G@0{4@MC{o4V`aqrk(qI4
ztTpEt<5~*Rz#u39KmZT`<w`9YyFa51pNjzib_`(w5C8xGOzezZY)yYS)7iQi(Yf2&
z{Qk6d!j^P>j_TgY37q5JkNzCgJm}Pa<GI51$f~+&)LK5eeL)2ViL_~z^au8*9Yg-Q
zB8M&{k(!duD<@D3m|#BsnOmDWIzG9hmDcuk;rE9hpKdzNw?^&a)$z85f0jQ1|0^fw
ztL6`Hh7FmxdBxQ2nWGEi+Q$Wa<;T87bEclIO4QWt@qy`M4gbf-?Nra7$5Z~~iXFM~
zp@)@%oRo(1kFbs5!JHv@{!e{z@jvg+W3Q?%&Y#UkV}7a&Q}E&!Q|DIg0YiuRoiASr
zN&F)j{C5L$-cL3BB1fPJeL{;WfdoteOR++~WSGrj8lrvKSU;Q6znZ(-Usmu(!DTsl
zIh$PHpWUqcUhi!9vNHd?9^WrcF@&0+MgR;L0mX+<?r=f}o29iKZz6b^Gs}S*2Vcy4
z^r+(hc?`o|SV^wYermHFNy%7p_{0+(|8t9(b6(zg-9C15?_zo5+_sun9Z<tRT%wNu
z%HhDrsVz(QLyM{7%kp!ehi4n+z74a%;}g6EtXTbG>W(NmV7@mP@sfW`bW79k%cK6S
zN^9%mGU^gucKrvLTa%AR8zu2W+;z`a*ip?4x;guw#vcRUkLB8L?JH>J&xd#S%Vl2Q
zL(0-|O2$gfpWSy+%MW>3vHL$?DeEs&rCp!q*Pqc=>mv-WMUxvlCrj_@38K8`H5oqd
zO*30Ae*_GDSPt)2;x0Ds?KXbN)Bn)d{$qdQ<Yl7eXWf#$vdCP(u_9pNN<cJb5PXBs
zV6H++&ot*YZS7%InXY)>Mk>3`#Ql0dH1fDJ^9N_Vl5*j$9X8N1J#hACLL-6A>~4L%
z0jabcqFh8*2W+UUnGVIHrO-CU=X^dm-qK{FpGpq@uzrfUhp*nJX;WwWM}4o4@7eN)
zXDw~gX&$Ye)QpbI53RcGF9o&Y4L`pU@`o{<Pya#|p0!;63I#Mjbl8_eW{7iJI5jHE
zfh_p&cx3A0XrG1X_YNbm_tVIgiHa%j+a+VoEzh%zkvn@Yvd^ZIi{jt&P-1Tw1WP+L
z<6Jjom=_uNZdPIE1-KjPHEK(hX6B#M^0aRsQ7uP9S?jEq1-kg?6GJ2NSAB19CAwOD
zn($Tb+?<?$76~)n-XHPFX5{W)hV^)3oJM1rEd`K91Q_ziwXRuf1%A0{r6x{gEoexP
zf)pfhYu)`kVR-%g{do7OUoo_Hyu$B}@SL7X&&RF7F8i`ae)p2`=Y>NAUs_TlTVI!k
zkJaLR;BETHDy$#7+C_;`T0}Po-)`AFL2$l7%(FoVYv_f5PPdl>ZyJU&BUe`m=d<g@
zp;d!-U21i??ay0epIke9-|nTb3Du@*;Vkf+D_~j9ib!>iHI;@i{M&)47n{Q=v$ph1
z)ehEUYUKre@`^EM<*IF!j1;%mt{Cu~^JcW*H_ovAJUg`nJMuw%^+GUw8xLQ;GTkp-
zz9n2&Gj?j%H+v7hoN4wNvJHgtpuTfwN0;tb{>ST$*!&GPy-Iz(tQ>YcIX9lxu+RP)
zEI-fhov_3GdG)o*-{tjsJfyEz{GtJ@?K0&3>DbnG1-L%l|2pLeOS_|=9DMfSDQjVE
zq-&H|KDL1mEi@tG$=uV*Q`7Cj(oDZBHw@1&n}W_Bb!X-3Sl9jfwZQSm$#Ut^-MNL+
z&7rHmIU8ps@7cyfaoPXiwX!Me==Jx}k7BLRXIY-;u=e{tv!+987sZJ~9*%JtNX_t&
zc_hGW`vGsGKB_kPZluEtz85V*eep4MTGykC9v)0!Qd5XNpuQdQ3eRIcR)~w5EzH%y
zalk$K;n9W(xYU(Luo~KcVrEPm1WK$Lpg6EwcD9c*$bCDvkIyrCV1Qi01HfDYHA28J
z;a<(A?CRr<h7G*HzT;uI@G!aa#6~5AqzM9NNN^t&m~a?A4fG;%Ko1T!Jgg8N9BTNI
zgFQl083OpQfq|p*N^Wp$3{HYC2iaedeZtfAgFz$>NKja?gObEqzxXP`Kd`a?(BQGh
zCiyK#hx<(ue1!(}R8;W6fo5oM5&(FnWi^BbHOu(lj0LKK`UkpOHXsQ?hXCN<0^IV{
zf&!cYys%@=1?&dsM0&JTtL^k&mv=rOyq)j(4eyLOdg#fb$;b3qDel-_2Kd9m;v#@l
zr389R`G>!${B(dNLxPNTKoq&jb_ztm!3H6Br&<LHGyy>1A%qYNHo%6Et2Voza<HS=
z9NPp0RFuwPmWHVx1r#|1tDFK#b?MhUGl7B(;9w)j-mTl!2;dlEfsq-&P{JA>nTXPJ
zWJq7*Bxod)iZ<31Mv)1eRS8&12AYX<Pi`PgB+?oQU8c<Dh<zM%h$N47-(O`~&y-71
zXN}?>Nt=SfMF7)mOw+{cr53Y3D}X3o-jocWL@PbqCI%Y`6XbET3Fy1Idc1hJyS&{%
z=PzNm+nTBQiuiLsM^7KO-4%Id%hi6d0=#={BSM~pQ>Iy}*<HqVA9eonP}b*BmpLVW
z;`4i!t;t#7RHYA7oCv(E5?IibRu~fk<3dG^N`eqH-^u1QbI;OL{uBoQn>x@&gss`w
zSkwHXsf-&78;h&(x34Y)hAK#kC_sE65P1ynW&M(zxw(uOQ*2B$DxP+%i(OOt{x;QB
zRr7{+S7phNYyP9-Y->gra3B#PrDPTdLm36ck!{xrRv!j-IKudAIAv@>&^{#|M=WY&
z2{D&FjWw8%1BXJU+IJ7OspIQTrn@8*+nm}ZB;~75%&$YFaeL&=^aNf~gc?jw)G5}X
z?A+(#quB>M<fv&?13|{W#X7$Nk60R#Y~rGm-uHgIb!U5Rz1ov-FwY1>p(TswI03Bx
z2`Ms<SLvAF7=fv@o@BBcJ``_QN95khp+uu36Cy%$6+JX{*J5=WVSs)w3a_%cc1T!O
zD3($*L8?aLqA5{A?2Zg+qSRg7ZecR)G&Cm|zu&g6k;frQL4@KKvfoap$5R#C;+5T1
zUsrV`EL3<LYjx~T6)%`57SPf>7^5X(C36^IC33imFm{vZP#A6kh8PjPi5g#V^vd_L
zI{q85j}g2^6#~fd4kuU+Fggzn2|4pNG0;H6)Y#j8uwgh}udnPS91a_Gc@<+8HuLer
z#({^EU%UD^L!aIg0@tnHO+luR3yF|$soyd14P-m1G@ksR4Zdgy<$5PNHUbA8OB{;<
zipOHmzwR;Hss`O&3xl^1n`8KJ9t%GBWS$HWR|5;^G?UmtiX)w|%g@;W#eJ1y*+4P+
zv{6wh)B;CAvOKW<puYP{E6fc)PX6S?l=du7OclEUJXm6nMA=NcTo@dI&E#g%GndMG
z%5qk0&+y<Bf%3N2p|GxCa6l{?*Dds5&C0`N&F-+ZVGKCXNFny83De*qOE>|DI~A$K
znTXjsG%<#dgR{b*@NnI5j8yIm>~KugEXV70g{n(uH<zZo`u&7w_alLSL&KDCBnB{K
zv<GP4%D6q@?VD$LU?R&@x-})NSad;9LI1*VUB4nSN}nJ{bKt?)l4m!C^#1J>r=c6m
zmDR0(uZ2aS7zA`0gwo1h?QTel0EF~BH)&~aMOguG!SKRx{Es3l8Qa0C#jJRDVofKH
zCa#JnqR@thBjHF~V})PI;qfL1=L=$xVwk|0T*sEb*4$APaB+!Xv)N)<U0F2h5RFHY
z&0`lP4kniBzoL0F+1S`!B_gmXwdGR5Ws|`7IDze?GlVQL8^$=#6bXNLa|}8S*X_?5
zF%i$#Qp3iftGnc`P@`b4^AsvDidVHh?h30ANZc5dLK?W!F%~XqfyUY3U}MwbF~=sw
zAP43V_1B@|Ko6Q7IXx<Qm$y{`2O6UADF}mV*b;}A@^VNqgOnvg4pUO%_S@SqWbV%G
zOT?j(yElf5M{yh9G^X2}M-^-!&SeG9g!?U9|0qQ(k`3^Opb1dk^oPn^A8jy#WS0^j
z=|SdU$FXK`XUcaHj`jEejs&e3y1rj>RNN2(x%!oW5lp1xa8pc|NoWj4E}T_*EmF)E
ziNgqjgAa6DX<rGE2_@4Z0M=||pb3|vUSa9dc?4@@pOU5U!(*9AaM~rq*>SgR>}Tak
z+hE`v^CTY*I@oJ)&i64(!Ki_kHMr<KXppk_!K6Wk0ew|$EyZg%SO4}A7r3hx5aZIG
zx7a^IQa=hp$Uz2S<!S_h2Of(UxFOCi3PA+IEnx4-=U0rK5C3@{Fs)A`MLeP5?euvk
zUp2W|322x?`r%+5vohtSUVJ|`;#a}<HDcB6ao9cJlcCH!N1NN8P36&6erz5!pC~WA
za)N%P*?VOhN5b29GGwIY^U{b%XLfJd^p)43?_%8OT0tSb&Sln@o|*TefTc4HRB58<
zn4bUhT&~5+Rj8_NVGX`xW^?AzYW<pU#`9uBp6{6aD+Pb~*|&Jh>$MsBf){aZc)#Ba
zOORrq4@8*Y{gl>CMa-#XFyAOL0h!MySND0k@*?hG1sj1+?A>?y4><XorxvZ5u6BKp
z{8nO>K5Ve6i&j<nP-FU5=SPAmndgC2uV4}wp%jAAf2T1xc&8>v%=Z_X=bOqg8Nc7a
zJZ!of_1=2&Nq!kC2l-hEs@*U5M-MIR_kXI}K_r`E^qbFJZME;b9MI*h!s42L48GU1
zC5Id8@;5y(YGLbNRw(3&M3LX$zaAT>z-{rZS?@e7U7+)Kto&K4=DmNcSo$!ke_Jgw
zt~t>tan+$c_Pe$xzCSKgY0$6cx}=m*SA{&1CYasBaeW)or}7;-LDQ>ZpNQfbv_KZf
zkza1IZsXV}v)y@`AF6)|>Y<s=i0%ZdFuY8he%jmTUqsG0-@j{Z1;j1BIe{n{3%|6U
zxlFc8wKZC!g3DZ9p|_!FG~Nt^5p*~xix+{JW6zA8Wha?*G;0FB2nH~e0dyh)foM^L
zL~CHj@fiqs3tbeYO{hRtNd**)2&wmkxCzESMut`!6MX-c1zc~Tr`T6h?B36JLp?px
zS-QgWO}q0uaTj*&ZK2K|)q65|)*NsvwPWF1LDm!+cL5a8e3FntNSZk4*S*Y?k@x$-
zN8bL`hNfbtSYidd4Q#?nj|vaL0nBv<=@|N*0|-PTwgY+Xp)~6{I`05_j9Snn;tcgK
z8k7t}KuMckTo&ISEhD~ypgYjj7D}%-{Ln)F40F-|KQi>3nloLo*094_iP0W*U=NQC
zzrp(wuEdp<U;NXybg42Je4+}(He3cYOiY4V0RL7cdRF`}j{{Xq!#<c4p)+^=K5-(K
zrOcaVCVJp<Anz?a0_i|w83B}<F1fgTxihb~fhhaP1_HM^Zq=l?ATFG5pZNxneBtcQ
zszo~{?2Jh5lqhyY)P~9Gd6y8(T!w87fP6Y&^jDy{qCdMBr+MYxGTe+X52<mdcd5s`
zq7#r<IY9mc_o@cZVD5Ns;oNL0iDx+QBSO;yXTu;tln$QW;nCh2jlU*&W|Ca-Pq0fu
zwzRWT!u+ro7@onn6m+LeA)cX$FycFSeEbHl8@Pl>MPzk~6B6*gh*I8Ujb|j%Wb$Nh
ztb8|);ft{T5t$^|-J%8p5eNmYE#X_#q*}Fc8v8%?rQ3Onaz~{^tvc!@@=8fz<~SB9
zRjyns-7C3W17ys&UBVA=IRjsNN2H!%B_P-Mv6jy_bBrC}*R!66I*nKyhCm>wpy=C9
z;g3bFg~W9cu(RBS#+?BYT@Amu;fqdWe88jq^Rxuz(l9OCj(NU+jKVbog}4M0rja9-
zNa?*&X(B-pa@rYF3<!3k+u!Hv7QVgbbOUF-muY^DtJLYsL3aK33*#0|4?0O00mu4+
z2-X5f(-YzLH<_`6?mYar39%2hglmFN7(v53<s9tk0;WQj+Y0#<`U;f*y9NS0!-#(N
zrm7=&ce!C8f!kI6yG6#}xt==)rNwR&dWOyPa`Uul&7hmUa?t61yn9E+5)Da*6FZ`~
zVRd`mU^Xc-Mf?mfBN7;uk<v#k2Epr$?>n*yb;pj6yJgFF;R$K~30lzHirdLSz~=$^
z3kg4HnT(3Z4zF@XBa=!pszf649<(3qyH6_P_>S<%GGXI`Uo!vwGnw;eUSPb38_tdz
z+>kN1MRDRYURJ}m#Iqw62Y(?Dj#3ChQ1;cO5?Y~hGDi>YhMr=^-jW&7Wlcq+|0JDq
z(Wka=T4j<BMrHC6>=c}_FU>ZjQx4RI=NsfgY<*D)O$P`)*=N$KQoR|NR<>kVm}3^1
zxxsV~O{qAloJ=w9jCCKs<=PL&84Lw(xqjo(uc@w*(UIZn)a%x7@p1cZ_j)wrk*#M&
zdt3W;A)kQ2_o89&wWWMEn=VUT$!K)s3p>q8o?3|n?U|Kq_gGeWav^q_K@v}Ujy-RS
zzcjL@(KoKUZ4Xj*cyy9Zr}^6J;?vv0;#}0v?4C*02x)URV(P3Rnj7o%di1ODo?_Eq
zTK#A`ojs<O+9^~<n5drF{aDjx`fJpq=q^Ugu`l4jxOf7W?tJvB>BwwXavsg<HCL#6
zFRZvYb6o50%C)K{K)fg0I%>@HZTF`Nt1F(Z9Mw`biD;vBvKlp%uigY&U|cd9TWB8{
z?d&!#7=ExNBwUn-I&_~K5z$T`N3BQb(In5cv@~SB<8Is)*On^!Z2}@L0gG%`ADf#G
zxpY|0Kg!D*IB@5>H?(nCvOY~{^Cz#l&D~AeMM<~n@M4Yg{8s(}+nGj3udPaAgXhN*
z#fy=L6b@P(NAVhe%LW|O(mpfG17`RL>O~ZAYm0q$)wRrk=Rxz8NlQ<5FNz+^k1{D?
z>0X|6-U<a7997KcO~+8OeQZ$li>*=6y+ELN!%QRy;WWOx;}7~2yY0?0^yZXn6<aZg
zKOoZ)mdGNQO*16X%s6EcB)QuJ6e_zUgcv#h?<Yp`o}46zg9SO;C`+G(VArqDvQuIo
z>#(hd<e~YraI#XBzy}oIM1iaz!*#*eF;As0;=oPwI_Jotc`v$TJ$Sy5q4^BVk8+JS
z<P@nLzSb=1B6c3_4v!Q0YrSrd+msZ_C-;ZiIHupW(xvzss81eMjW3O;tLhW?RwG%T
z9bGY@q3e2AcDuTbm3`akRmrB*&Wi>UZUn)o2AtIVVEs5rgi!s@V`_mmTfo|^!p*V2
zs@4g#<Ew;?E?fY%p>?q{xCpw<PV!5L1eN-OX6OA2;sa`_IBFsao(l~L^us1spkBG8
zy0Pl0_5U1=VNg&CL!d!?@o6qGKbHx%T2pRy{L2BD8N`s3fT1WVrW>m24H58%6mxVH
zvzkKiGakrEBlvP1*~$500RYen1P}pe1~Pb6xsY`OVq<a=fRJI7GD`xMO{y6h#dXhs
z43=n32rb7!2q+NF9a@+`gMhi#>ye}1!Rzt4b@IGl{`@%4dEv+Zyt_NysyN*)F6i*(
z1u>Hw8IXw`q#2~yQOS4}b@6^%oV8IlegE;}A4M9SO@WmLW-b(g$BRztX@aNoYyGa$
z(g19Zlg(M~#=f518O}cjIp`lrdhi%>hc~-AJ4+bPczUR6vg=M~qB0yvm>uL0k2RG^
zj8t<O9T)9hxf&R40)WATIoGxyuvztwO`ve|*CqhI*zr5w{g+LUMR;n~aCbg;XvMaJ
zqaMYTX5#9c1@6$OnQTU{zNF|=_i&oOE)z?ZVRUq8rHoreFYTA@Te<V`wPJN|-PHbN
z-XpiHuYD1|=4;~<dMS4d2hpbDFyS2`>`@xW#7TSOG8f47Yp$@-DU--?By<y*XB>yp
zu>>Uky)(X}dRo5aZhcAd(?4!`qF|~fVQS9g_O|q^LwsRu-$M2Cvs}xL5AkKcP^-!>
zOCK+bPW?z<UEKVBr()>Qjy!5@&fDq1_xt7Cy!jP%L0uu9ur}m<`{%WXpF!yIPtEM>
zonsTt)Q6Keliw@AR^8_2GGSJg(yvNmtkR_XZaoxf5E&4QzCcDnMKn|<4;z{6{k3zA
zG#*hh<H)gT^FnPZ{1j4$?l*Uy3~!xhd#(0{Dd2vh7Op`P3=(>&Qmh1!45A>4Lgjem
zqYG5DIu1IT>6=aGLXAw!K_VlEllSI{o$?{_z@(Q3aH=btJOA9$(pwiq(cM8b3Z~0G
zElWblAxv04Z7Rgbf*>Niv{;l#RJ^or8QsIIQpNVk<e(k}9xOswbf+S%&`Fm<V}<Ko
zje{Wyqq;4P&qCy2BT;!H;Z(Vn_U#-jr~svLWFAibmBSxx<67_|5!`Fs1Y}YPZT6W0
z^LczqC{Q+&NJNs1(C3tHaA_QDWZC=i`xpZvKS-4^$c$23->1@-uJ0|EuG5U53&26d
ziajEOB?-n7=8H3XrN^K#AQ{KP2?_-mVxgi<JxIa&IEFtL-lzi+`&RF&r^?@a^t!H}
ztEb@D;3@S?G8N2FAS5sDxW@zFLxnw-FvlwAAX%Zr(CCxtG3aAaqufDJ>sGn+ekVoI
zM&lu1KtnQ*Q3^FH1rkIDK2id%%wvl}q60ZGi-C(prYML*{aq2Gxr1(PzFp_v=uzAm
zJcYrc_-Rs!LR7NUgv2QZ6px^BX=LVsRJTO`2xsY1;t-+%>CzchkzDJkF>BvPvWkX`
zF5&iItLOzG<QvIQp#FAW&J!?+M6#cS%E#{299$$!oxxnw(xpd#>O>&6g>1oxh8&ss
zKizdI&K?jbu8b~!1|OS{#X|wLiJ%d{j2Q%y_l7)WOBR$3A`i_0#veo&K@-3MhV9%7
z#OL<E5>jS<Pwg2QS<_aoIxS_~sBSGD660)gSVR}F%GMf|$Q22w#6g9mQ$))pk*QgX
zTx?K0Dmd1)6fj^>7&Og+#$6R&I?F5i7dQiPBPI9u^~ugB#?*gZhJ6U+Oj8B6*SBy*
z|C7i-^GFO~+9o;zBJnT@9wQuTqN3hHUlJ4e;LT&)ALhE(i8eppeg=+B`ZyB?6iO|r
z+oNa<Fb|R>8SxGOtYx}Cm7u&mbSO-5Krv(4hh0i$SMid4*!ebn1Q`|R3V!`8ts~HQ
z*tLWr&^?w++|dkOaS#I+4JnB;hQ(hBN5TTFgKFc*1aMTVDyeui<tIFV`)ibj)>?!=
z>}FOx?m7aAGX-RN+tZlPYl`8;#)M(X<A`ICSjiX<M#m&G@YJv^-5y!BQQ|j{lU!Nc
z`S-rSk0;Rh<p_r>E)Stg7o^VihC>HH>H8l20iWaGV%e8GkeIVzNJD&<cN^XxIvlu_
z)jhlt@Rs|49>%0^1eX&6$a4f42m-$@OcF88XcPI0iS+}Uffpa=k2(p%z-l(yZRg_W
z)k|7B<t4Hw2WiKtT1HB(LRFw;HaKTXPUbWYygkAv01^)qh$;y&79}XpF@jhH^y6Jp
z@fL%LPO}%zrv)^i($7ycIQLZC)*#DQN+j!~XXXNuyYaTKd^RN`<{~gbs+oW}ZI}74
z#Gi5++!gNe%za0Xx;U6&U!niAI6gT=h2W|=h~Kj8e$?q^%a!B((Q<y^S9zQvp84Tb
z0q-ia-H}c6U(p@)ExMQaon0+|XxD6|_lCHzp_z+CA+4dygJn+R{Bqhp5fM$km1_}8
z0ex|%8im(gPPky}swzUT<NICCRTUY=Rb{qP^OY#<nkfnVivuihsi`7lr58xj)Da?~
z-m)=!Q}Aajc`p0*9=YRRDgHE^^?93Mx(0>Ix_YO3=0n}<sOAe3%t<AT63l<Mr!{|n
zIDxru^X0LZ_K!~W^x45oZg}gHl{-GUpBkb2vHz$VwW9vm0DmQG&)9UZJ!GQT+MwfO
zBYSO>H;|EXl<-l{VK<KnYc_t#IggBohlQK)Wj36GiK{h@h}`9X#-n;<3?<r!b=?PL
z4YLx^iu0CAyu;T^fBDsRB=KgYqp!Q{D7td+c0?~u*XeURG4X_`AfG*ZW~aT@b+C4q
z55lm;n}_?`<xcKvbX&Z>CZq28AFJZ<lYYEk<I#T;yMWael|3G0LNJmkH{=G1<_J=R
z3Ppl$LgX^5F)K^K`nU7bz}3vLlf(6s;+@LlQcDMu(}>=e6uvOWaaLV!E3J*HP7>;%
z7(u`w0V%cI%odVTB&D3(%R_+cR)>X-Ut!O7uumNA$LHiNcwT3=T9oEW^6%Q9#YA&>
zqI{4^qV!y)+ealBg%4i1P)qP5@(an=IEc8~s<HEx5%V^3S8JvP{C9vj*_Gys$Ifi3
zKWsH4qTDRW^k3ebpO;e~Jr#7_df&sfZNB72@&}*(OpBqA7ef!d^+Cm$)we5gJ#p}r
zb#j@|wH@K{_%<|i_2}1ZJ>&gp#oCkVeD7ZUKQ_dn>%B_(8ohd!>ugCy`O6Pdn)BKP
z9?~ul9sQY{vG#2-&CJWiW*;#sQ`Sn{zBRt)2E6kKSr-QnolSo@<(CHd4U@qqmwx97
z_UJTG$%vrRix{|b2#sS31llG=O+>Uw0G|O&>^wUPU75aOn9T(y6yZFlTS}C}J6!1G
zHzB(RSnzXf*Burwqn&SMe|?JWnt`{@jM^Ht3sjc1GT*yDrKFG?InPs`pvJ)q#>HFj
zG^ZR-K)EMqVc9#UF`TB_=OK&3`qU;550k~<+|KXp`EO@}n0#Ip_2!y=qjZCI=?5SR
zuRnlQB;X<kP$@3hj~#WCZaqEiwANH__b%_AAMaOIE^1vGiKGq-L;W2?#?<e?V8>B#
z_y&qTtF0FmVYIY5a>YHm`f976Xv0S)O=&AC&=VCSKX|vjP#(g&4H|wvER`e=o;!E1
z`aauY_k0{@cbLLI&c(zmPV#$Kc1Zbk(AV);zHa`A)>W=8ig|qdbbPG!TKq5@y}WOo
zu&!QaSLeE_-r4zBGU0>n(W7mz#Luy<<i<F?fl!-x_GoKQZPfK!&KNV(tpTX1I6L%S
z9~!T)YNA8FVZ6TTj*4oEU{82++^ZPV^g)u=!uXabb;X;H0Y5O$*(~j}&yBaYn^z1s
zZO*aDnut+PD(J}O_ief<V%+OAXbSA?%(<Vrn~!7-6$`#v5BT~D!NWUsr)H)jFI*Q2
zFLKg*_gw{U&7553t$wGp_|i07=O1P4przQid9oyWtd?wIxijnPHMb|O@qAgJc`*o)
zB0$UFE8Y<&RMC0VvpGoIV+13T`P&=Zg^%NFMv1R{>z;??hk<FY5(P1-fdp8nRw&So
zYC5niZ!p2GsXi%ETMOVDF+-V_u5dEeZv6AMcfUFBk*8y}-6tu<Wg1EP$m@nn$?@KI
zBup-AOjE66B*yJFb?QQ-z_~H_4xiDnYje`}mqytQBdHyhyd*pM(aJdLW$sLtrb#s8
z{<BdfFzg9*LQ{YOQqXG^A{NWCu1)i1j3JvkUX!RSIYw=pXPdf`8PtN{%XI4H8-vT^
ztpDbqs|Rhs#YXs!R8OWJrd&OlnfNp2TW&gTb<0me#=!gs9VaHz*FdN+M&AbV+E1X>
zeHAY1L}fv-OWtFXxaj&sjKbd>l-h<d8k3_xLI&Qf-C)@290gtqvaQd90uG%lF~~7>
z=yn*BS{3;ys_KA#pWcXr{>>+01rnp?A;r=#OrNk!kC|j**(M6~p$}s9d?N2+&kN?t
zVQQl8k_#4=?)FE0sBS$MRf%o9Oq@Hrwe-Kwo+V-X_KKlBM64yHH+5;kLZo*!>DQF4
zb!JRKur?A!<dpH%W-gQ*d88XgYy%ei;i_bss6A6iMYdrW$1Gh<d7?0lC^-mR=G8kz
zfiO?IvhEm3&SF6rwxEw&<W|8FL6)?$RImU`gjB&V9;Q)BuP4kyUEL4h8G@4{uX?Ia
z!7kdt@H}Vu11RS^k~D*SR0scVLVRN|50zyn(+LF{JR%6K;R4d4i=e{f_Mi2#DF4`y
zvePl(m)L)e66}1t7Z@cIH(pMj!A*_v;!~{H0ahC(BSuQJ1S2oGNYX<UL#5w_<U_6-
z41<LlGLb`n7at5FkOU)mUP`qlsR?E;`AAX$NCsDt$GAa0O{L!_GSHLJmx-l!UGv6S
zF#X8XgkpB*`<KnmC6cDK&@){p5lS8$XLX5j#JtNEq+Q66JjzHQ(nG4Si9s%04ALgE
ze8!%?SAWn+%f#WD@5lB(XmqynR6eYlrdi>?kHy$pl^<#9Aj2PcnS)89dOXYr#IK>Q
zD6R!An-D7EH%<$s<1jK?*m$d^VsI;UtBtB3Ui^IVEST8<*Z)WIS|QuGasfTY`_FEo
z%n!GRhdcGZ<fb-`uGHPC8XsSByq1$w@G!DL<lhX2-;x98F_AL39MK5kRP|KU<Y1Kr
zOZD4_zF=d2!3cg_#`gRl1g8YWiU)*b;(BO$%S#9B{|Zjy{~erC2($bRPGy9oXK28a
z8!1j<@H!&^X(k#wGda{LG&%U3_s7it$xUg6*@&<=>Tcikbm1**EKdDLDe94isemQz
z;fX-N)apPqP05R>Rv#e8IM|r9cp7X3hxz0AVF81Q=kJeNE4XrXmv%02QjYSu!M-zB
z0vNNLrrfk36P3Ulnm}TbfXU?v5fw5_Mh-3*xf_c*P_Q!q0uIc%wQq@A^N++O_($Rb
zd`sNWe@k3>*uHwlNx$no`?|C&;r1@9VB-Lfa4km!PE-&x!9EKkO!IhBBE$e=;ax~P
z`sN6bFa(I~@4!z1p@IPgM~*@xYOv~98?zekD*Zda65w&JZyeHqFRs2K(tz7VLC<A|
z+(s57Asro<yG59R85tiq3zvgP6TyLl2s7o>(W@$6x=m)^is0abF=9;OMN!T(x*k&D
z>R@T9vZG!Z!3b<bR5CM-ZYz{ZrN<mC1d?V<`qRZdxng1@S8@dGrYYa81obLL{_?hz
z<M?lEC2~g;1!M0&*othy;~`w2GY{I9;^|x5=dE%A%APo%j<%;-S9sD>jh*(fVN;o&
z{?ZIzD|_G2B5-SW8H7srA4-L+vLdX)pCBSKSUQVXzZin+Xo%oVz!kQTIMZpMZj!mx
zbzjDX!q}fFp0qr#o(_LUNW;TSq@CJH`BHOsUmP}0CeECUhZRT#l}^BG9`I@y#_Vw+
zqzL0D+;4!t6m9Xh;7IDrmR3x>nJqsCd%jM@L)+<p+}*vG8|>@_W_`JO7eG2>wXbhM
zZj2d`ubjf&#N}COh6}Fc!iv<;qBJLh(u)8_oS{?_M4NH;j-#Mr8k$BDBowhg&Z^wc
zuS5nI4+k_SUXa)#EgG0ccDK}|GhN1yqsRu&f$65@kI9UTqiCc7RV4E+#sZgXv1RZ)
z&!cn=(S&I>RZ24Oi0s&N3GMt8AqFa=)_qmksoVn_KQ+k>kCRjC6CEx$6@G;6xL)OL
zvRn1ofc6o7faQMqciKR&^>q1T?$-NhZ>=LDNr>G6=g0o^fEzp?vFSK^D9LQKf&xbm
z?fsSit&QwM8^Ap5tT_)W@dIWXiwK9(CfudF?ipL)43Pjtf3k1vxOfELfq>62nNU*D
z6K2NbLoA<h%UK?hIiDC<^2PjsWbwSffxw(e=dC1_wS%XD#G_1!c=I+nA*Fr7_=A0<
z|H>lp#5_q+nE~a&1IFot1<}~;W(oKe$8PKZ#(Cimi1kX|Mgx7S@3?)3A<hOYH>_@D
zW^B^Jdv&H9shS-B&G^|C9j)P!^FP%($F~85zVS0~eNNq$^3~2i<7Yq+;AC;7AMx=e
z6`5bD@3E!}_+^G~T~@^jCL~V%!UjD4H);YNeE>zvR5`Fwv3PP*&SHZUR>k7PCchSe
zT88*hMeOZGI+%8SRDOjW77V4I5i0{4M(06|!nHjGm2r-w_N7;AEVxLp>XKi0X4F1d
z(3|RhH`6=k>WG}%uBPVBIYlS(K1m}1kd(ezk=|n!?~F>5QLLtBG4VAhN^Yrf$ACo9
zakz+jcDI~&0UKjw@Im!FW0G~{-0tppVi6E=r`LGWYL|z^@NjQjZ2eb|ziuH^VA8?}
zSYIB6Cf$q|#gEy45FxX4VI;V~U6f!cOmCuU?~<74y6%9Gy`$3`a+H0$%$E$JF9g5K
z8#m&^O<*8wt?$E0iN4-k5y(6{NJ1pYe9*r*`;Z1i9<!i#&QM`r^O%E?V#=LCB25qm
z4m>Eql0V7kFB=2$YcvK{&VOPo`6bS?^azE(R7tBy_?1-@Bo;2feRdTnz|Ya|^Md{l
zqyIRcOax*)0`xl!MDWs?<*WOa;OgY`jX=1m&y&J(Sp3-O_?v>AD$BG#abt8H4va=R
z4@FHdETf0eYC`hknm#OIF`2yXa>>|dQ&-}nVLH!yJzw@6i6e;Mc)yk>x4%<iG;;z)
zicS*wKyBrWuBlJE<5`|zS*Y@IiI)pF&BcO%+T+C1(bke2-a_Z*m}^gwF9s<w#iMY<
zPc<%ZB3sa&Mt~9&@cd4=eiFJg+-w$dW}D#oOfm2Qr~O?{YM)C|>P&iTbES0?{E+a>
zf>y1a3@usC=kQjo1n+Lcs0!B9Gm7faeJhRglRQ_P*ii0;g%i5+Wo;a%+#+8rkkRj5
zSHYMZ0MqxbkZMCji+hy-e8L)bhomT|J?#FyfpfbJpLILQpI|%eLh|gwyA8p2>=}xD
zySEtnt@v3LVLc-cZcsL&cX{1o`$4{GjNG7Nf<_1fom~V}>E*iAOdNwgd^2+52b`i5
zx?`IFj1d8n>As(nf=+~xs$^EAvragrC#xhqp0nA;32Cv}#GbL>SDa|Wc-QHMUO%hz
zQBSF22UKlXOrCeK?^JS&A;D9GeJTRAZieIm(Nafclu5nua_u-2i63BTYoNi!U;`Rp
z^7&lZ<}DeBB#s~>0u4E9^4>ya2f@MqXUf6x9zZ)g0YAf+gLwO!?Pb9H4KahME1F4t
zfaniLL;V-X0*omYsFls+;AX{nFb}Fk$f~G`>$=B^LBiX8OQpvGo=HH3Ly8CU;y4uW
z>mry&a(xEBlRO`h2gIC!xYiD~0YlGlcUlJ#Jfk4N4)8y-l6Ju+C_=SGVbK(;2O@!T
zJRLN^x0~>D{5S_wBKt{6k&vTmzuvsl0;gE~rARDu5>jIG{5TZ;)JE7$<$nH62|tA&
z;Bx}}T02a}1mD8Q-7y_Rz6^r|H(I2oRw}Hhk<k<2Yf`Q^l5e_8)y$WoM15czqC(uF
zvZQ4EYz?|kZvfGj!eTm>bF6hCecv{k^kl>8pQfl?cjCSIFZ-5!AInJVxU%S*cYHR6
z>3cM<wcc7v0{6Srkgp38Uye+=e0y|wf1|RZgSS`t+j~qcXmyqv^WA?=>B}BB+*~Z>
zPrTi(4Yvmcz{MFfdFP~5L`iNuns=qyEI&fsw5Q8Wm*`e@maAPb0lJl!drP-fv)!60
zRZMiHXD+Ry(^47L)W~U7Qo8x%YKOMVu5Tp2rM9$Ox?r$pXkC=J=I?ti4T)%FPN6s5
zcm8i$3Yf@e^VPE>Jtqsb<+50Eg`YKG=u%*R>iE2HX_emYQ^RaWbb`Hy_G;Jh(E{SW
zmcNbl#;m>5rf6b?=g9)i?SG`y0xcLAZ`JxB!PG(AyqNChYkxhlk)Mgpvz|3Z6bqfw
z2Ivv|5R(#Cwv9rsszk{CoWDF@Q0~9;qdfNlj^YizK{{2BYgVT}^yzkM+Z2tq^egKm
zOp<Ui<qM+?Cr8|Zf{Ob-a`O~MSDTfnN|1f0hhbZMXNS)XNao(_CAN%hcImV86FE=u
zwM_$hp3=AW=mjVuWcGn~Z(n9$^frO1GR4VJ2o~!l?i`}GH@x9t>R>|y*qAt4pV8(0
zR6`m??h>kzQ7Jd?-dc}J#jR~s%`0!%FBm%=JYlX{CSnjb7`9!c)4j7aeWv1FiR;N?
z#vZYCh)*g6hT@W|3y?@?klZBw)5++ju&1E4F|xP_`j`$>6g32#)#tY98bliTgp~OO
zhCB$CKWm5&sL8)ida-WD{91&&RRWHm{pyb^S1>k4M?d?eF*8+z0b|M=Ei-ZpNdd{y
zNT$8c8U#LK;QW*acdlOE7XYC69mf&;A$rvSI(2CMa%Rex9GX&f>00tE)v^AX`LhxQ
zv;Ah^JcTg*tpLeM_>_{{wE~b1m~$L#EJ{2ZIJ8(5x4H3>G?6@o`J?#dXG>4>Ch#Hg
z*c)5~7*yzvBsxKIiGc))f%268V_M@lP0;<sFe6~Xp(8(yLkKenU=TwuuMR)>c)PXK
zEAW0CvNSqN5Xk72(a<1_nM6Q&fLyDD(y%;EG8LT{kb~^C3XI-%+E)@BLJ5Ww*ueHT
zEZv>g<0G*#xkylu$Uq;1*k_$rFiQqTkOZ)6G1Y_^whD3yq3o|2LZgJb)##U`*v0L1
zzi@VWT=@Dv%75g<`FeOfT&X(SEzIfm-~n(CeIs|AzZ!lvcq`i;qc7c_DG%Hmab|qu
z7I@WJ-vO4yDU6!(5zC>$MI{_sABbe{YG&)LB14?w;pr^pjZNKmd=(IbT93H48XL1x
zj>DT<mzOsHMP*6U9|Ye{w~j#Eih`jqoxjv?J#-^<emY8Vo9j^dUg0PL9uugsX@ENm
zW?e<sovweS^|_b*d+;9|S4W9Bnu#E~N*cBtW?2lH3Q0J+=*TM?MSMg!<Rr%UD6jus
zY|xM!$CrxBz4J)cjVKmAh?W!@J<3Wu=42{HLX4W3y+UBs6wz-}>mccVyXnkZX@c+1
zH~3Vh6$v^m0dExWkNw(Yc3m=baSzQK4z}H_*TFhRwU^(LOMLGFY6?XM1=qJ|1S2E1
ze_b6^Ha3_kC(W^D%KIv%dzS&k{Qodq)vzS~KPGm=tvaE3{P%;BZy!0%yEXY?u`&e<
z{S#e`^1gOmrKaZG9Dg%o*XSHjr-gL8rAXcPMY3%Eu^FahP)Jj^Al@KtksxMbu^uOZ
zoZJ6Anc>Pr(Z8h<HAb7LL*w-37|%L5F}s78(`$cTcwqj4owTP)wdwEJE@GDnD*w$x
zp@3R<f>T#A>VWS%o*Fy)z610$zMmu$pH)D*xM*IF=*yR;^x(AJJPpy)_t?D_a_iJC
z?8NeqLFiTBx;*#0GOvwswgZ2b*YtbotCihJdJ=qH=C6p6B8&Pb8f8gNaJ-CyGV~*x
z%bZ|<X*{H3Gxq0)(rIhzl*2@H>}xm-Kre-Wk_*ksVP!y~vHtb}uAp4PqqJHTk@H#=
zt-+pjrm+eag?(0Ay!j7E)mBM(d1~%#HL|zJa@g*9#R}^crS+t<@Rv0b?z<q{y8-YK
zmKHn3enYS&APSN#Z$;lc)0!Iwj?&c3XxKya`G$Hzx1N7zud@H{z76Rnd<(_(9xz1d
z{2Flm*FgUsVHW7S&+#$1HFAyDDTY@#wv0X7zI{|b=O4ofn6fB_20^+GGiUt`P+1pB
zky@pKb$7*QSpXQfff2JzX;~4|c*Y1nVr3+<V>GUO(=2WeSRJzP)eQ`Uln`1;XM~Pj
zD|D##w37Qe98@H7@G#|K+`J5>{ki8~x#wFG=zqTGcs*2H9-rm6Ph*_cY4h_B;z}#~
z!>w=-mwp(xTyHe#)7SrRjK;a=zAjCtHcxXmzrp`B)9G|e%RNV?&&#*$%PaJ7dh&{?
zPBU!{J>KM6C%-*|WnqK2b7g5G7cPC9p7-V$eP1VetwCWQXJca4dnEje>iL~3X%TrX
zz7}lb6&f2$<9{_-64stY?{~VDBUarD=@nc%v(5h-!xI0xJ2PW_Fhep6{r;QM*x4uk
z|D`mViEf(c|La$l!c(9{nLb=z+MM`~G<Q<cSS{kaZHitRyWL+}`MRogwq%g${#gV;
zYZ-`S&!|XHGw$hpG*0tDr``Ezb`P0YDgc}s_;Iw{n{jqmuga%*k5H)j(g%?wK*Qi8
zG8UKFjESK<M}}gF7s}8Nf&eFjr}#?T)bXq}@Uzgc>79<ik0LjI{>CH-s9LC;-Rb*A
z3-nZ33#Ud|A*?ONHbv@LGv%C!&}01cUqr*r&aPhS+()}Y=qD)zNYcb9VtcfM^shji
zA_=M6N!}i(9kqXMo8Y^?XC~~-NJZaTPBae<c3TQ@!{^A$z(?J~mB`T^!O=|pl9Y^e
zIv-bd*bG2k4k(sEg=fPeLmkJBmc244SGY28YYPGl$CWARh{R>#G5LR^8DMqrgdxpD
z5a7iHwX^`QgXx#-Zt};xr5CI%OMf+1+-(<VNM|AswRlvE3=zcM`NO<~|N3ab!I7Vl
zNPlchEpuovE~%lp8IPk-BIe+({bBHUOP4`yS{ATS?qalg8Kp@vX}Amoh9!-HC8{Zt
z)g>j7y)#7RHy$BkKsp>GpxS93fk1<>se;cYOtAZu^8nl@RvbDah_bX1REn3QQh>aK
z9G`}?ri{>+NKZ*}!}PkpM?r=H|4Z?<FyGTl<))lWp0<4D@YIMu-?QY<UgR;mtXWr`
zhlho0(Z2Dr9U3RESvO&Ff1)A*i3VpyPB!ZOCXUSa%A#9;irbe+EY~ANB;Umow~)XZ
z%L0;Z5FlEk*n^~T*TWsNJg^ketklZ7b&oMnCf}Vq*py+;b9e0RR9Oy-^%^WAaAnKZ
zb04LXjQLZNStTnbA_W7Wlxj=o23txW8c?P#7t?K+B4EKdccEa+;nFDwFEuX`vz!8w
z^Vgt?;HZ<l%q8tAelrP4ae)z+RY%t|WuNonfSmZ{F{%+4)!*Xx!q+Lw^IaB}7dNev
zds^#WP%H!L_fO@*RjntN7XNgV3BoM1-OmC0TyavOic`XthOsb`@v$TJXHOPF)6qJr
zC+WkLQ!3B3!I3PBbu`2X=$&X-jkLh(haoA$or_nNMBYZnTk|pOs{?zcxQ2$VW}rk(
zP-3KPsxq+w#{V`a4@qX2iynPcX=Qzaf`Z7)8pkv&6AA-01A=jJ4ND|e6_L~!NNA8;
zC4xU)+O{78S3*NWN7N?o)`XMea?PAI`C>h@0?Y00NCAb&Acr*}=g$lRiN_f43pM#d
zt!6q;a%1QddP(8bOu!}W2|Y}bt+(h>1R?GhHTh(Dmby${AruXhXGR;m+xPbZ<_L%E
z>%D;z#>~E1SkDk9y1)XipoVmX9LHE4gJk(<nw%<nWxq4lwvx1^ZdbtWqKu?;gelZQ
z0oAT<ECw}qh;63wLb$<n;3-4YyE7*Z>`dq1VLzapG~$0e$H7e+`eZwAh(B2w4}2b1
zL21Ph*r}!lvh)!p)}V<rV%jiN0|cxl2IWqc03KIavGsSV9!Do?c@QwQ?~^A8X`e*p
z{5Fl)13nPLkeS4`Fw%RD@h6v?{LbleSnQH8P1BBs;FDZzCkiRu%}5zg>*0k&<ALSk
z@`_#DVoBiqJPo#~j;pqFTHf|eW&FJE`pfUv!m?UY;h1byWpjLZm%8`gc}uF;u<Cs-
z^|zt2NRZn&e37EjhO$yR<t`qfexYsOTbR@b!DN*qhRU%}r%PWaYeb+v6M;dKiNf|x
z%-=>}Cd{&b%VPO%!-TZ2!n_2;WNUF^iD^~{MKs$1DSIm-Mm}UwC07n!dvn9a1z=%v
zm@I`mbDFvYHVp0<VppLt{KO9rs4@ILGKyEH)nEKuokEEpf`6-mV>w}jL<)B&v!s3|
z83BUDJF<6Sb@(AZOk+74Zkq}ZCDLD?LA<LCzvJ%u$7zu5ZKdNv6MIuB1QqdECq%3q
zCF=Rjn4s41t9&BHFWPe{84(!GYNI_EHWdq4W~8i8NHH=f`UZ0;`Y1#p@hC^xOPTUE
z(n(8k7!sw{zUOwY0@=z&9!BeZ0B<{4JVS2-O(g?L)Dt;Pu-GVwzL8#I1i6avziu}d
zn!NA_FX|UwJhPZ=_KD~+pvB$fKZ-##sidw9c)y~C{w{bhApK2(g8?eJ1Rxv1P?chj
z^!Bf>?h;vEe{guA5<}jpqT~p}U=8!59A199@3N+Yxi&rxct3|F7+aQUuu#-enPgW2
zt+&!e6XY^+a<pge7M@jK`-Z;L>yxX?+w0?LXy$B6`}w}YZ~u??!^A{^TTQ-KM(oww
zBfw8i;{!o5aUC?B<zMvwLBTpTrjJYR%fnXd%8G!6%%>HZs##xfNFc~SHMG|c3!T+6
zXp9-cr|a^ZLdg?&^PC`TDu2d|4!hcPc7HAdf8S2R!oyVj?Tv4Ak{m7fJCpi60uGJH
zw9TC>**_^gkTBQ`oeB2M^2p#n7ayg7BY=oI!O$e`<e(EAwK-R%c$#o*5~u;*<AbWm
zD8M&*`+pu8bo||t4pO1S;MQpo+Z@o@<yuyPinYUDwf$HFE(CPoi9xpX;M$XklwRIG
zLYq-=HcnBz(7jr$K!B^6Nu*kw1eFHrBty^+34kfk8_vJt6L<tr3l`2GRHK=gw=o0-
z=I8f_UO@P`0rl1mS`8H|qM2xY>}Xg`*NK^EW#@sxXcy*9iutPmXr_WIfK=pIDwso=
zF;JyJ5K@h4xG$=P&lqRV=6GE>KF$KD#7d2Vsl+}>klE!aeq0)rpHv$yYD>iZtviQP
zi6MtliG@`eElyF3pc1Pv3jJL?-80-Hsl>pmj70n@-N3X@i^IDrFf<9UEG!E?;%CW~
z8Qb~t1V8iH>Sl<2RvH`;QP&VNFcs8?TW;n9Av^g#NhFywC>IXx6Qf8N3l!*>6o;4!
zEj4Y00Q!_XsH)w|v)g`W)g1ky+=j<n`!pCs`F=OHDl<_|{2_1_N+`)*nS7#3-wz85
z+r$%Sy|3&2yop_0q^2Y6JQPC17Y#5G2rQ1w{MZF+#9-^<Y;y#&#wFG47-S>b3>Q(A
za+GxT;pn&xZQxetDv+qUzHEsPCqjY}><E<^3n&FZ*NDvLI1yi8P+$|1h)Zf3@)EmN
z3DTemPnpp~6Mnzsn(k6!=%fuk*uR@E7h#&q<A9)+#1?_mM?nj$zUdW!cyg*iK{nd2
zSg(L&LRepW)NTFv-s$P5qqh8({ahaQxv~X=hk$CC%tNi6PE1)=M$yZVA+S(bx<Bm{
ziMW4SN^u+A0E&8sP|JZEw>uYLliaPXUSU`2uBzu59`Sh1?{sU@##2KURT65X$$8xK
zOpv=VIZbH$3n{@{1&pW;G$4@dMu`i8Z_c7?I+<EzcNL-ZhQcv3Adl$)5{A?i1M5j6
zcT#uiIHO=j^F};pDJxbkrJ^9}{6D;)Y|C@iiulBLZ+_xk%I}ut=6*{laB=bVR7t_F
ziaobxy{Oixno1eHX#}rlV|5X*KU&lv#sr+W@ZuwswwIz*$i}9Oky<qN=HzSLhdkui
zE58Lna?{oRRXgp(rANcAo%V9jF1r=q+A#%eR3N{st$ZR2iY-v6K#_(Tgb*?we5!>A
zy~e@DX2lbaLyisG*L&XvmW?~t3d`=r5oTj{;*Wp<iaP8L7rY2jsrr2YBQi-UUhKji
zXmmL_L$J7i{I!DL77z$H^6$licXJ6^%fEa-IA`+XxH-8~xeKv5^=5w;ge9_q_c;Mn
zNU2yP$%>u)OmYh!tRtM;cR1uI5VE!(L2;Ae-csHg8Md@u02h%$cUB63%-xQhCzI_p
zk@lCkbg5q#i7mvzr@Xas$Sll+*yJCYt%Ig`Ul-f@=lZ8fm1HUCg$k8`49%jgl#5`N
zMcIKC63G6kKSv+%5Sjo9Fu^`#pGj;ypaZ}-`$g69{jE*+ww~qXo{9r|&;T&ea^1Et
zuC-+O+)^Ez5V|}WqC&ejqS&(PZz6EJAUHk5X;hzeuH|)%YiEC%HZa5{zzo~K(FR8;
z%l-%(^(yu3(voW9EfIJRdY8(hF_a4p_F9HRu4UcZo8HsZ`n|<Evu~2-7f^yx=`#r@
zMlo(;P9^yfKaoVG@m6>2qZ;Ki7ox?x4}DRk8`HY_?icMwD;giD(!Q&aG3549^9v{7
znb9btBGT$Yy{ze!RK<Brh;1MEH&_6~VNOfkppFK1+RVJl!@7}vig+Dny8yKoYSUro
zJURGt_1M{jGAPD{)`$`qgO<|01Szjfh9J)7BEpteuh7c0O_}9u#85^QzV7(aDDYlX
zlcoYsXcD_XTh>!tgvuTmnU(f{dl;!xRLO|5BL9(4jO?1^=6A4`aY+NdtDjT?{m{WW
zP$7}e<7G9@r9xtNweIw<U4&o?-+E*q??uRP1w}}$Y=3Eu#O~{cgyLwgLJFVnfrN~D
zpD${jJ@pJXYThjaFWU+W$=m>f`WvpR=Rj_hfyXODEOajn-2Iyso#IL3{4dVlIx3EB
z?fS(%xVyW%2X}XOcXxsYcXxMphu|LE-Ge&>3FJ1}d!KXOd)|A$F}{CR4XTT#n^CoD
zJ@c9KSMT>07fTBu(FE_dJ!#E+l<yt=9<SGBEjJT~B?IvfS9cFSIGU|LO}8<YcNa~X
zYt(dOD%RWT-bOOlDZG6pmWytGftnZ8*3ihhpRAm5EtTV`M?P=!WQlMvWWS8gcdPO@
zS4VPX-ZzNf7_2UoB3u$wxUFf2ZMW=M4j9yaB$XiV)Q(MxOvD_uaZ!~CCd2n?Eh_pB
zv)ZoJLM%ctxn;#MxlOT?QxgK6)&j$H0;RM3Qv}gI2Z=dO(=ptCn&mh@|8NM%V{<#^
z=#Z=Uvs7@_mh^yOg$MMyrsJ!e#yNWJO!a$|LWam;a&HoFcY9#XZ*xP+6&dfa=K5N=
z2Rp{?Di<^QV2eL3_-s7->OPz`Hz$Wjj)g8y{5)&9s`;Z=Ya(#`Rbp5DXNfH*@lT1p
zcY4X;^ryrY)A}f}VV(WLU-@Hh^?a=)tK@z}Ubt@q{-ySpl3X5Tv352^W>dSyo2oDC
zzR(Af6F=OH&#?pOY^#>9QY%A!3y(O;?Q&K1^^}`?P8J=l-`<aE$?r6u9;{|f-=1uY
zH~R!a#p|?srY9DMiY{Inw`ADQyudwlWhs8l)2r#JR=TG9$F{ruBx_nA-;y~kN>op5
zd`SVZG(0#h8p?25hU_pcTQBOiEsyo|Ue^nCY%I4oS^T1sRojs!5!v`$;Fgc^-z9c)
z`aMv5YvuE*=FNs(hRd5WipB;!#g<KtoL2PP?UL=3(uazTzY9>Y3GeEp|5mY+^X7Sf
zS)h9{3ZWswr~r!T!lY{CFB+MQMV?Uo;{-qj{s|-%ekNug8g>kChTQvMhc-sqXVe)$
z4x&L2SbcqBra8j-77Ofw9g-%wDgV<54miu^BS{A7499WrhbQRn@reH75iI<#N`s?V
z7=@wF&@B!OBSGA(eaYQ!9i}|kz~y$pF4y(;RWqE8|6-*jZHGhF;^ZVZ10Vea4?cSh
zUDk|wRZE#-MoY1`4JzgoZpuo?cbv<qUS1S9A_C-%28J@?rHT#}JV#GKU^aVE6DOyB
zv+J(ZongD{X<`D^n>SFPK2R8)<_S<B;ZA!aQdwA(UDWG<UhR2TK1f*mE^!4mw>OQM
zeIj=RPA?bvDj$9tY{h46Oe37X?AVZurNU2u0|ZH|ukLpt*GsMz68d@JXf>35`eduw
z^W8M{k&-#&*Y{C2S8mZTS3IozE)aQ9AUi(Ol;S=0n_XQYHJzwyWajye!z3;dB3!5`
zy0$blg%UhvsYVk<LEExc+RXFQPcJE^fF4#W?M(_9c^O|UPD+I8^jnCjI>zr_l!YW|
zNvj-xsdzys%f8b77~FIiS}LqbAixWlg)N~6uKAAYX<3otluZf-!KgdYNYs+1#RkVX
z@CzI^4K#cfAHF^DZA9OJ?&lCdDCFs<`^lKHL(Th_uCty40$pM5FUxWAGi<n_)+;81
zMr)r+Ht)0D3MorAaXr>#TR#cQboMpjd<>bPu@X!dM|Jad3$ZHA+!Nd0YqFbSY8jp)
zC$TF0nrpJYUs3LC*Yv);>4mdz-Kuy^rQ8&dK=p%girG4Tb(xdG#-ZcN62T!WDU@j1
zB?g~@3q_4crB*31AR#k|BBNc;(&(M&E$oD=s&o0l$pC5{7|xz%!BQlW39yV-0e2Uz
zv9d4Tg4KkF-gGD0Iu(Va7ZFmc!k&tQ%S~t*G1AB@qZ64NoUJ@nFvYtT`DDjXtcpRK
z>^L~tp89voG~nObW&qm4Ft;L2jl>{#^r@7MKr^0Wgib>;ZuD5lae>B#d3{Oq=%}Qi
zy?I!QQ&b^=!qDKQ>XoYX&cD2UwK{ZMD0X8YLLo(Dgf@kdD-vwBCCj=oW?N?KB!WTg
z!GMtpK+Ro%<UrA;QaE#mDd-Ba|7GZnf3fTOF!XL&8Y;10NP*KR^SL5jkcVP=Qx#NK
z^%AdrqJ?V@bNi#4kPlE5*#5Pmr~V{V#w;FHn|xjUM+XKRcoAu_ZDZ#Lb7}wOvN*yG
zcK$78mcG#dj2VttTv1?0aJIkQ_CiZsgZ7SFoSGG7K&Cmfj0tc^Wbw+@X=+gqdLb02
z6$&Q3FKM3_198dPC)UN9vGj#J<%^8Tdx~ms^<Vvz#HDe{2M^8m2zrv>QHuSENLtcg
z|L7>*td39fpe%|^D6VknW!r62)BIGfLOI?_R`$E^?}<w8SY6(6^t+08AiOXUWV&9|
znssA5JM;?s2~sJa6qhc8qZxDNsH`i_D96o|UNR`J>C<itBh{QQMG%h}3kKQ<LhAu>
z-#L#6L=*``bd{<~9O?bO^toMLDx&IZYRaH_&{mueO*W_B14flV97R-?DFRy@by4vF
zsn}Oxt#lKQoJ?WuM_sXRhv!$yi=a9FKLdh(XE|WEL$U7ylIdsUSt%V6-`I#XWJ*4x
zgOLnldD4sdUr=DGU+^b7{hCm`(SL<&ijb=W#)U)1(?a3|u9o~hA&qXLC5YRZmSltJ
zBN*X|UejdkpwCN62CoID(W}av!!AhN(a`j^DNk#pDlv*tipw*id<xRc5gxzI(gCc3
z_wNoh88SY1YFKM0RR;j96W|C<i9`~){*2=S7C61mrT)c9sz+K%!iv`hHc8cRN^V(6
z)o~3Ht3--!&Ahc<z&66dkb`RJwt0e3bz?~>V3)m|SVYJ~&{Urq)`+x6hL@BBZ1Bjm
z<tg@OkrR@LfI<t)Ins6S<B7LNCxL-y(kzVjkOK{2f??s{W|68=dB;Y}T;PB?nSrc?
z5dDq8^2lL;!+>nSd;hG^T`3G$cp!s&i!4*vx$^jzsMNXrD}Sn2qp+umq|G5CadLz0
zQJKMl{a1U64TxMR1f-Ef*r>X)C0$=-q*T6!rL&uEd0@-p;|quub3!kPDD-O~woj3i
z4hPL@F%?81#1mqS42wqmh}nnxWXXmP=M)7O+Qim@26bg<-xQw>N=%qcoJq<|TH{P)
z0At_@FJLpLWIoi|oEhi8PfR#4-{*)Nw|hcJTsI-Qpz6A|Ot%105&|hi%hV8yOadqq
zkx4d?jAW$*Z220Bl6RtG2)pN2?}{R~@0!TOnwYjufYO~l5nF+>uY<*#A12KOqpa4%
z1s)xgOGmM`&vd6ElVns5P%+IJ<oPO-<@x+p##*H^2h`qL0+Z;eTa|me+9!=JArdru
z@O55d&9Z-N8eDjCwkYHU(9~3nR1k=I&WtiVl%F-_$Nfa&G}eoJZ4)o>_8HQ7A7Z;v
z*;g0srd4H25|LEcEE}Fa$$wRcWf4N#l5wSPGtC2`n=oAh@tH$Ta*)!%D!YL*6?@&9
zv>I;}HxcXfwvbgD;2V!}b9YuSYZ8=JFuUhZpT%G>epydcw{2Tz;LMpG_xsH2exgXX
z;+%?qL07WccyICQ*cGY;A3oGuByC__DmF9OJ4;D;L>M(0D9PTt=AjjV<P}d#QIkDA
zgjC;*kxu4et0U{O>%*9^QCJtGcQEfAFMALVaUuHQ{S+<02se6|9x|?)F~$uY2{U@2
zRQpY8^uY4f=pmF&Z5vS0*L$H>ihm4#0LSOhDS}Fsp54&tVXRCm@-X`=dSxkk7(~Sx
zJMx2x(SyGI&jK~yOw2Mvf=61_t3WqNCE#I3?VnVj)>6S1Z8I$*F^UR~oJtQ`@rn|Q
zBb4FH#Qx@jL8JMD7lWP>@n3PVq>1yxE{~NwUA~s{7Rnqlfrz>&G8jn^cW`{QeTkd3
zwW&C)|1f@bmX0$^7epW{mA#2uQZ4+%J+pRB;yKE8LVxCF@5z9^bxrbV278Y1!9&(x
zR;O6jIiFe{E`blLU9;XpLCBM!w2dg{$|(a=ln~B}B;`h>!o}0C7V3#ftW`dsxplP=
zHFzlpx{E5qu4d$y0GG-H3Ur2)(?ZBn&ao{!L?l*nwNc4tEIOqu=Vp>nEjrzis(dJ}
z`W93VYE;#j1*tnKr5i&i(^rW`n|hsWIfRNPXYe)sh6!C>Z)9u*h1XMb7(Svtb%J@3
z-)+PiaIuQ0VPzG}I?psrF+?u}md1m`hv1B5qr{MCj)*Ox@H*pBXqI{$MVR2BYEqnW
zqcsp*{4V+UHe6*{l2Tu5nSvD9gN&JgomV08lNP54^+$%6sdCz5l4=3J<b#K*9~u2z
z5<1!pXe<!ZNT(~Mvw$5b5z)vRn9^Oz1>W#e^%Ez!x|n3|wx4m1aSu4Flb+St!Kzno
z|Cq<8XJun`5wIa!;5rGUql?D{%g5@9M30gWPVX&D0AA(hZrSrZ<6PC+^`vQV4YT2U
z|4_0aR>YRz!y2e=dYkByikAZ7LV}c)QV0@LhAV6+x2&-7Olf$%@hD8?Z_d%Ec&fBz
z)hSGC@KV*i+Ey1<mWZgN9FU^Sioj}UgAkeg9f^Th(mlU>kmE!1aQElzomj*6|JU5*
z`fnxh{kpSsq@KuxH+c;yUE5^oQ0Q;R?bu(ATU7)h8Cg0!L^k1D>WC^qQ+a{GtUe8b
zUh<kKXR47ftZL)J5+aH3{AFBV%yRKj62mDbU25}}z)=9&lM;GG_yUflAdQfq21(!R
zV1R;HcXF{IAgaYpuhiwpI{v05d^3zh?56SB{FjLI#ivC}PxrCTvNN+!cw9O;1bKiH
zDjUWcJbowGs8{$I9EEl)Ev~uHm~Kk|o5C7vOF(D|KE1gcnzp%-hxfLHHls-+Ni4<j
z<;YC0h1t3BK3KQyrmcB6@}V1c@42Xk|Cyljxx`AlyexLS=ucPO^`uvx=I958SDA*(
z`pZ%x@pxhpiir^x)EFFRDl#fZgcE)v#m{49D`uwB`G#wEP0Jo?+Xva`*E4m$aU!0n
zB49}!OF|NusB3Hu!Z98?nemcYD`&_S?yVs!J*Cr}_os5n?_~fRth9;qoOJfZyLDr#
zr-p6CzcWcy%Y2%s#B}cTQ}4-NW2+-8ernQp!L_VA7g2olmQ?&$_9vp?tB=Ay03ue0
zM5;$&3QayT`qIBNjoaV{4`)VjpC5t0SpJ-*6Q5Jxe>rW~I{b#e%;3l6w0jY$uh)Xm
z;dPrR=g0H@y6D8h)kE(t(CIC~qj`RiztOjCiSVmiHwggbi8NjWb+eDMyK+q|({TVR
zLqryt0k<&GcFS)=2*)g6++4&lr&z$|$$qPQolp0n652q=4E#tVIeny&UP5v)lrY>w
zxUmF}wZ27JLojigGfPH9c3Lx2mvD0J&O@#}2&k@i0OyXI^0z$wWSJ%ayZalKGBB*F
zT*4O?&Yx9CPGdljdzkZ7{Rf3|-?o3V7@E7Re7Jq|&}I=jayyjEQ2MPq{kQw#&~~Nm
zFQ@jCI--|XAHMAnn2VE#o~r0t@=Dj{(*~rqkg+$O8Gtm<Eq{0V5ShDq_S>eD?(whC
zk=MUMN8c*6UU$D+M}59^v0ucp$8(YOhVH<xVtBuw9Tz_A^^VkBO98V#9%9F;_qDI}
z?Jj6xc4T_K_Im!Z`M9}wTIE$=X8P2j;nC`0!{pc7>odCxN?U<|<L;}pJlB6{^0NLQ
zwtmSImYTR|rWZs@TZ_*_+VyR#>7?)b|I13&{=?=x|1UB@@ZV$t{=dlt*UkTs3Boe2
zthQoE7-}W8t~%WAVXo}ot(bGa>er&{F2zo>FX6$tcz{(NzIN&8%B<CVKKpLcSflR0
zyy)V@e_?c}+N_ld{gfu`zU`><0Vd#Q_GaU%bVrncB~hoKTT1HWpP>`pB)_ng_MKc`
zf8>tJl<nrx@>cj4m|!jpBXWrO<<YIh`J1u!7AiX1X)F)n+=$-y^~GQ3RZlh?vK{Z`
z(6n};i1zI26xG9DJkLg$U+J}ao^5ZyQ!8z+=j;sZ__6*(bhs64@I6>zxiRyx!$8Pm
zDBl!YZs`w-WP#>*pA3SL2ut!V01=(y&F*Dv2;x}LtaZ9$dQ3mcuzz*EgD^q)7uin!
z>3TzLQTm^>{GK7a_iQ`6{4ENo&N3UTyn>dzt;y!Wf}!#`g*E+K$?#1!v@fAdsg8I!
zEWWA;F>*f}w#suozf}!l<UX2d%baGCH{D%Emw9QVxvzY-r^&$vk>+x|Ubwxr7<W&J
zzcp@}Ypa6(M41CXyd~qwk6e2lD(lwz3}z3UC3|$=^62BNETv~ndr@m}ZL4P(pa3fG
zQu>uDlKTFDd?nOWMQ_G&9*05m{AL7J4U@B#l{Lq8^wk#=o9ejg(IvwY`g`CN-6}jp
zQ%yL{3K_zbyv`K2LNX6ikTNGGjVs|2cq$(DaqNH(8U6bKkJVh99q9p7zo6t?61Zbe
z#=Wv}Lpy+1Kr}u0q=TIwUJ*-!$~gchfu=DkS6Zfc<l;ix1g6O;g|79LRs_9e!@c@T
zuKHE%#JJY>?IlsJuXqro$dJxazR@_4Bv%k4yFb&oa0~H|bLAN9pN1piqP+XK6lfGS
zyedgaL>RCbez{er>FZb#mmiURUpXM&m#lU_mku2~UFoW-kD$D4tNQn)e+%DItp5_e
z)gvlmPFaRr#b@lkW6<WfiGSFo!PE;$nEF^GvM3N~85xrxW_YD?Rfy@Wg3nfVxB=)w
zbceSfv8T^Be)u2`G;qR9aJD!h?{95(k_0#AEYgsJ!>CHT`I3m1&>Z0MxTghJh{=iE
znG#(C7b~;%H(;^k2%*sw9y;MRHe<uwWTzhW8#WU{4<cimw)lt)poLsiWCGs0Mw0f#
z8hRe(ZDTQ9!?tjv6ZJPv5hJPl8)exs$4?28;V$Qng>IeSI=HDL*G$vBnva*<LfvR=
zHQ%3SkCso%#NTy6A6{bJLM;Fb6)-tG;{#rgJe^d5L=6}<bLcr5EsV<XHBYb~$Gzbc
zS#-V6rJp|mWwWs7j7ND4uQG6ZuQ<MCjn7WESQ|S-1`l?i8>@u-mp&Bd3gCK}(_zM^
z|D=-4sT12jj^i9~9%GkqVS*2gSoA0hQ#eP9NL)QHQycGuCt;`@s)`|o&8n$*D6z&q
zY;NAKe#5_|bZ6q=H8Sch<y-J(R*I_GQl6XC5(X8ip@c%g^dP}SqzAndGLt)*U-F(C
z_9z848D|SC`?O-CY-z71M<vS{Pgl97vR8h_$A+}DCf{9Z75I>Y{o(KGUiLnX2!#|I
zp~8~urue%ONQpgRgB)lIQlYp^yd^*)UGlclzdA{zXiV1Y=+WtZ>q(uHua5eOcH%d|
ztxGOyFc?(O6!T~c#83u4ZiyUBO=jt#v{YWDnV{z{p-rTyWpECAoz)EJ%Q*uZu47f_
zWVp%(*E|k%%u_YMYr0P#*9CtHca<C2Lkf&OjErOUpG^pKr$)+XTEN#_W;yfP5WBj^
zc&YZaI4}WgMo35O;dDl?QenH63jV>I>iV2JY4NCu#oe_QnxaBd<y)pp%#8YjICE}S
zD9Ln)9EDKgM4FT?sq04$*Al<a%Ub9r2TVp)oOhM)hqVeY+IpoK*tX=mls6B3caTAY
zikw?GwpF9jqUMr|4UmhytRLEyN1*)_Q7l-`dOT2hV;~izWt8J>IkP47ZkP&Ti^FY-
zZWAU1a>o=%2@07-Ye&>NDJBK}QwxF7r63W|X4kP4R??-_16Sqkx5@uC+2^6(MyIln
zlLs)H?|$(CIG^7ng(<Yjfk}b`-R6>$*FqbVmSI~lBrQ#m$$$Yd4B99+FN5RY{Q0;1
z`N&kJw`%7d5pD=MK<D30919YQUol{Jp0mI7Xusv^tV+MO`X6tXy*BP!fmXIE1G*{S
zhD-gmUA^+nW$mX)3_Skcf|okSWh}aX0;x8eZ^L$xTF36FeJXr|g|+<6q-v#iLyw*I
z>raOqXS$KpKUFHam$@%|Q7yk^{aa(M{6}Mc{y%HX%I2S|&d_#T*|M|bJ2gC2tCvhc
zE>-GY)YxS{ZfR2*o`74LJyjDW%D0~X&)lh2Gr_-oT)M|YMp(YyJnQY-^>p?yk=PF-
zc!)%N0tbI=T)h9bafSc4jVl;n;|iD@p#R6l1tNcUU8s572c;@Nso*Jc7>htXvZ24-
zy+|c@hZu}Be8$e~C^8hgaK2^zX&}C2)wQ*z+cn@tI3PMHgaQZEp}CtB?;kiZ`0ZQ>
zJFh+Jg3Eg93Q=vHr1;kF$fL}54tLwu)El3<nkB-;njS*2bjbb4i6k`FjL6=yo>z#d
zIH|vAJLw;^ot6E0c)LhwKLBkf=bNdo$2$+MP;>Q?C?>SdAaXYk1TiuKI~S~0*=PeY
zb9=W`sd5tKv3@}>Oj4*Vk>d6JDVUl}9Y5<*D87>K@gFO1>e`GfU32&TO7FL)_h!a!
zXKDw=esptYYu(%+F+w$(3F~i4il{)?IJ#sJV=;*}N<_NxHNpjFf3UiG*J~>az&EOu
zAnKx~;hL&=-4Kvs&Jb!ALv7HLOb2IAPZ1f7`v;XmL#wlb4ulbnfBU5UuYVXn(n^8~
z70;1RgJYf`dsr9kbPT3(6TJ_IeE#~<KzHq~Zd+TZuZQ35jkdY&!a6ypuNEy4jV|r?
zsq%h#$f>2;YYs2-qm1EBHc>R+6_gqgERyJ3EPxYZBxu`Vf(ksw#o=bl@qP@R0<Ke(
z|Hsl`x%^>i;3i}i8*(940x=8>L=+0VOY$dUcCN{0#f24%jfsMorqzy%hXV={i-rt>
zbgFx@)2;5w-%<5EA%a-?_It7~@$j}QgEj{{FtKvg$61H&l&6g^&w;`j5=^AB9gg25
zFRD~)RVj#LQZPL&(BX)7899KHn{bb4Un0N)3j`@(1tRS1^w+(Ic3OMv%ap7w9wJP5
ze7N<#ze0tehGxHzDO~U|ESYCY|GsbLZ2rt%z`ll}1`!O>S6hX)ijN!oD=fTwqr1ec
zq1znkP~Q+Yw~JU{II&R5Qu5bDGc%SCgiF?rpb;$TyCo2K&V@-}s=^JjRi|{>#P?tK
z`)as`n**i`cvW~Rav{w!nlSv*;6mV_dLvL{UYVG&s~V94xHyRN*S{RHxUeX;@1Ejz
z=rV*mM3v73@$|*r7SG%4l-;Q>?e5}`*?sD=Bp{U5J0x=04RG`00v+i&^^8P$rEm#w
zZYUkA`u0#+(3v!BAV<8^f3{WCep^Z?{{uJ8gj9vbxvfuL4H6=So#cjBbAk>O0g1T=
zTCg(8D&~Tnw8X_DF7+7X)Dnp~j#7jsJuraQTpD?{;yLpwHE{;?o5!mf=&G3s={N{A
z*mttw5Yu5YlAu^10*Y{PsLVZXIp-!g8=>`vv9Ks1^MKsx`oGB5#f~(Njo{1S1BfXC
z8muv5!{wkUr-4=Mrgf6YI~iw_mJ;E_=;EP6Fw+F$5koL{7)X(HN^EN1rb|`7>DU<F
z`}YE}Lg}|~TT9_@Tci$2(onS4<gQ8FySw{Oy<wrTB;fm0M@&YyVl<pn6?Xupk$z1|
z<}H)=s>0^#0dT+#LAn>V?vj9sFWm?juo@Y-RAbR;kr>M6Z$j*mkYQzB7hD=_rdlN9
z;muYh3IaPTtw%%}eunpU8(NCIum!@F)hK3iiI5@Ep!fysgYA_k4kC{vPPunkD10&_
zixsEsd%!uRs#f?jtXCJYtgRrTv%>|Ii7>3DRnjwLr_os^QsXHM3KtKA3Lhs1H2^jC
z6BF3E|F`|fXOMy3><Bb*d{4J>Rthl0r3qwkC*T;^99siPQk4cQ0^l1ThoW>06!rp8
zA#yZk2hMVgf9Fr9k%B(ZpO^ZyHL;(!H&pKJOpnaapgL*yVzsTioVGgIv*r2UwI6Oi
ztKEGkk$dlkWU0cDt)Y<CtEqTiEnq#I-+Ore`bu4MwKKQT($kHQmBy^*e68h;7{kff
zZ_4PJ5aldrS$O4Q&6=JzUrzYhMN__J{k}y_wClO9^0bK>|FkJX_uGpy{Hi1QCy6~w
zD6vy&6FpE^QqR(_lB=v*@|T1XBPcUCSJx=*69{MC-uqMUPvMSNSukBbq}sd_Rcszs
zB#4#Chy2gXiv-UOwkOYraE|Q1yRKzwmog7UyL+zSCN$r6$p2z+VsPBNR1BR}zN|w2
zByUSwbG$NYpxn@`;cqE%ub<idK5;AgMKg=zBnpD%@DcX}8UY~+p8h2hOW(}Jf=!&3
zWfsSLVp0J+SOK-_2EVFq*a0tWB0rYv_5$?R+-0tIOi}Id!=h=mjtgIn{=3sb|2oFE
zE*k>ihXd%3VC#pPf<K*tK^Ay&33Fjom*{sZ{^GO*>Z?y{wiqh^{=0xSS`}fYo2jFk
zpagWHg7zj{3{uDogdYVuN-^gX1?^yGE0WniW&c2WR_<bW?>D`s*hKJ?N_+R>qZok6
zY(k8@oEaLzf_76UE2P>6B0wfWd{=~BZ$r0ImT71VI+uT@#yd6ogOr-tdsScjEm!lM
zFlBk(is@`E0q-#`1NlNw0<{B43<LwItNN`+Vmu-j2E0k3ev*(VaUOx;Rd(qcKmP>Z
ztTw<+xB}^6)6t?^^W#C~xz&@8eyy+G=jO-6iM{>NZ(Y}$M=P9fI(FRWvhN=xk^muZ
z*8d=pNFTg!{vnY>{x2jF&wq&mR}RPjkVqb9YGJceddmj%SaR=?oqYNH$j`h;OdVU4
z*B`MelNRe9!OUM*X1vNM*cXQm9UVcrWp=0KY!Z>ym$ByQwr6mPp=tOM6UPXv*mp>b
z5et_Dop!<I0dc}o<NHtH;R)an>=Ao7Vu~BE=42kS6600(tQ>%L<|4;=m+j-=hkbGj
zU@YL|tD;yx5ez(3DEOuok=i*YFw{k*JmMAo(Ww%yWadCkCNofSJx0aF{C+m!t;J*q
z;(WgPzhX#;|6oX#y(>0}DY@UFq$s2EhLHp>n4MmGO0FM3*2f0{Fr%}>SJ!oS^~%Q6
zp#s{7OnUS!I(+SQ0!BuCmnWde(}7`K{m(Xkd;0tPFFBa#KRo?MABF?ByPNlcyo%7g
z|ALUb{sSQq{u@Fv`!|Hd`Ckx{poL#<qZfe7&bnc#6#yZr{l9{c{J!j&_zOZ3_y<CQ
z{{IId(I#)E_}60ae}#~M5|{kLAi4S%gGA!L86>$M43ad@mGXZWBx$R>K$hq}3y>26
za0*`l>%PI3j$_F+Fyik)adTq8!JvuaD(|COyd5FHW5!4pz?ViJ5RcENBknNP|2(ZC
zH9Q95RCfb;$0IW+S!!)2<S<$&!wv`KQ(%5cwg(_ScXhC}fwEyn3;v_<5V}gDSea{j
zM<q{yIQ{|N)8+nBsZfZT2s8Uv-TII0UtiRWV&vCb>BwJXQPw<vp{$M=bq_$ROz<)j
z2S+X7Kt&)Urkh^#OI(X79)>+G<pJFt-;Or*^EPbWjY7nUmXvmy#k27`{7+jyet_g!
zXjYN0udf&XSr7F3g3|hZ6U6(_&#AeR99Vi($ih<<+Y&5HTT%%%9|@tx!!;t^5i#|F
zxSGPEN+t>QqO-W;7c%s#pt?>C9>Q@gEM-zXV3e8|Lug<eXRv7tGd<<~LZR`Pm<BW@
zx1^-zJs#@(zf=#9er_}mmTzS-^0^tIzA4$8e%Y%4uDoJGHPqLy<dBF;7IiXIVL6!^
zgqA`vqy6>uGjefXI~(KRfkIFM$J4gcLm-Lab=6{?uT%l(lSTkv@qk_;nGIAvh<4W?
z%Amank!@e=pomr2a&nf)Ay7Pn4v`bg@pudsDU7GEbI-oJn*u=Ot39I;;j@Xkw7B;7
zKQ2O9l7gJN0~t(1YcsGi72OBJ2v-<K3Nr@XgU%6(arV0(j57CAQ3?^jjZwP)gF39O
zn8)w$2lOXS@@BA76F7FlJ`q|Z80gYU9Q0$GTF$T%L5V{O@lxVaK$UtZgh76#lhi1s
z#A8Uwd_L*Qz+1LGjT!t<FmPb8NDfm1Z(U`(MW8%{z$LK4j6%q*sTv$@Y_j(Hb~#r$
zNia!`;#TZ_G-<tUiDTuPxxqsPtU<}CnDwfvH4Aitjc^5+m@;!w|Bw^_i}@75!pmtB
z&?~sGkQse^fJnqym*M62`8^AMHv212Iu1T^ea{yD>6xqvTgQvn)N7e39ARMrVT1cl
zv5Y`sshSo__78b2efwC|LF&hahlh+X+w;;MJ=3}#z`Zu8rgj+#0U<iZiu2*214FC-
z#VdAsxwDL3u43_$dn#6C)!L?|_WDh`$5hrMjL3f}3B!jIR1E?|k!mk`d7<;V$fuHl
zoZ<vLtSK42u!>Ls$6<+iyopw1iO&3{+{3DeExvOFVOx%3l;dEXuW&y&4){iv6Hjy8
z!1$TC2+lM{0%ogR#9~g#JKX0i+@9|esEK9MUUoGcnWT*B%+qnVh=C}phJra6DT_g0
zBqjn1D=^B<!*xJz6!R>k92XCv>uJ=rkE+iJB=Jm2C1<3eWw4<Mkv3}KCzh1*IG++`
zd1vQ>iR^~CVG#tNGCvDB5fN>X3M?RlLKM_=h!V?Fqs~>43a8G(2hGOcbf5Sz<!>@p
z;kfy2*8SDeO#PHO&EMoah){oi3*A>>=nMYhO^?0gvvFDY)ZofQY3g5QkzbPpJ!J(P
zAbw`5(B%;c3Rh5uWr%o)C7pw*OCu82Z<&88JiAA2CFcXD(_k|zEyCa^uV)klaO4Z3
zI!=+PnuVCvS1orm%_TPYSnqjER<+f0?cVqDh0Fp1VFip~9iPLz{w8+0!53PLFjgq@
zz*G7cz=4)If+@&~(W+?=TTS??Yv))5E~X%Kt~qhkB39BFH=9<qL@lNe^jNd>SxrFd
z*{0X4S$?*;T1;uRHF*ikARr@<YCg=&wAXNHmjwX9^&fS-S6_CbTYxv%FD77M*ui0?
zaM03C*RVV}n^Wb}Fhws+huY_-kVYr55cw^xnbC4ntkYd3QVO?vkMAMmz)l-lW^g>b
zngdV*7Ks!=@vIqIxr(g!^nKjx)yFMd*8E*20}ZGHVRJxH!ZC?J+=oeY#l_W80X;R{
zVu21~-TKGd0L7H@^ENUv3$!WST+wwA77yyGcrK-&p_XBB&G3f${h}&j%5r{sM5Bwt
zAVWi4onX#Xf2(+bwBBAYQ^I;m=*A5)lieqcGKJ4>MYLH3!7nQoVXiIkz`^|zXGu+j
zfW9JxS+6t+k%hg{9G6xtVz4o2{&3KD0K)NqgSH|7#jF|Rg#{S#a4#7hzo~3kS)IhO
z%LI*6rHG}Cl7tnB_|jVD)ANsExvp{24)gM}@6{jd*3BB|N}23CS4ne;=)Dl~MRr`z
z)pM`1QP#0q&IDr-7rJa|9~`cDSYG=(W@T2mi9kllNEMMR731=OG~aNam=J1y7aT<G
zH8<*u%mYCnO2qwu(c}#|51~Wh3h9ocM7mNT1z!A=6IV-hiW|cd)RZy>At?qji~>s)
z37ITN&eGP~6B5~5iR0`;8UCYA21KB+;8PQ$dVk$BVdtq>^r|SFKRi8d(3%|o%uVgk
zQL&U+V~M@I6w~_XJvzTKv~e94o}BelVeC0rR!n^?9qD@(A}-|*2(W!H8Q++y=v_VO
z2^L96t+8hlB|g{U3Gz8S?{XJUC*ry}Q&3pp8kbeHk9h@J&FKq$GW};yX77sQjk#Yv
z)I8c##WyOzk^LB3qVW6@Fi8!}IUuG<6QI@SKFnnD-#f{TuwQpKRfw+Q+<(TzP^r0n
zS?W4#?RO6SJZoS414T|u;bgVLhFK9g0m^jH-0*Zw8p~tX5t$4X=4X<+?;5dbBNI9m
ztO~3=9Av_&5dT6_nDR2m9%bc#CHf&>Do`EF{Jgs1X^-xVN%V#>TFHlE7nvkVLzSH3
z@7lk()e14f_q7)}mbJ9EyZ5g+LB~g&Ky<uL0t=nW+k*{XF1}&4kwIxmd*<^wv8k;v
z#YjO|IA@qlnNZZ6xY)8Lz0{dZ!V>=saEM$ors44*^I>{A)c68Le1?O=oMv7OqhQ3o
zMhMj(Z2ky`%|~3wr6O^vJrcT%A+jm1I8=IF2|8OOZVM4fW%wk32evR9ACueg*v0So
z{v#@MhRYcr6EN@dn7^qxY#1Vs79zh7m75W(U3DLooby_9uahNTb?>v1oYQGrZCq^r
zXLtSF-2kGZ#>sOp4Ik{HnZb<JRdNm&B7_Km;v<Q=y!y%W(H4%H&t?6db0_~r`>ivn
zRAU)taGnpII5XpzmqhUTU{{M;IcUW%A1N`#XH6Jg5D&#%qlI!Naz_VtuCQ>}i?$o7
z65nwQg(QY!{T>4;#h$#cK7I2v7&269UxwF`f+}P^b=eMlJeQ<x$91ckd55j{%zf<R
z3B?;1XvOpRQODPM&y+>sHN8$i4x?bJM%ehr3l?5DsV3?`Se4uqlDgqXUkPoLr6EPs
zFPmcZyz3&I5eH!zxs{-l81r!-WGsu$R*uIN(tNXA4#C(gM?!k@RXVeDC%wy_H%2Fk
zfEizK!5IdfwE_`Y{nh(|NczFalET1fJfq?LaZOjnVFXZ3#erHtcM3-~K0yPxD!@cD
z+;Ytdz-{m#Ft8+T7FZHF?Zz8O$@MdL$B2~IxQ*Z-zZE8(fMiff5==&HX9JQOx_V@n
z2af*uj)rJ4IcQPp)~FF@6&#4nph7eg5}e0z4)%`Q!YE<^wxeQ91PCs%5aBiKO||dG
zf7^}>b_!CG;|L|`LU2wyH))X(AHJ(+Dl;O<LyC(FgqH^Gljil$3yK(|R+a&Z=vwcx
zPcoknf;HT&30zy{7LQNu(rrxDRs&H;QQb>w><74lEZQp(0!d1b1kUValf6#4No8wX
zu8QHuRAlSnB|olI;W@yS8U_Eo?sCbwT-eEX`KPp;tRGpcTkD4XVmuX=@M3%~ifX($
zVKa5gC^%S3X1|e^G|_1i8OK24RQ9P=@LW5S1O^Mrj_a1)KIL@?`f-Se38D<6tRha+
zm2WY?h%SQDB$@J@*DRPh>9PPJYO6q7d9A<$FOK0-@!feD{DLloYo-Ba;mM@1ieVR)
zGGFdST>>tySV`-s$_U#)w4*#dYKEgp(X+V9-$3W)ll3S2R8=5!QdKqR%R-^QpfAx)
z0O$+g?LYkAybhaBuWr#XKN@eh5vI3{SwZ-Q9X+CS#h9%o3R`@(*KU;q*KQ$e=(cVB
zkeUw_wedfOcf+u}mS6eS6Vj_kr`l|*oh`pyafXmoKO^6|tle%O=lZ!_DXR6zrZsuH
zKUPuNyEF);QYOGy3X<0JiSG(rQzk+sQPIJRD}J$Bq(nW$Lt#d;4H)a4$a9Cmy+bZL
zSYX<39!I~k9Zs=#CT83=OL}IfKw0PzRSYGv+^qSC{V275#D11OVn6QrpDn*KiwGPr
z`_HH(v10+JNKM1B4ds%KE|nUcEgmg2>6Vn5jQUi6UcHfow456FaSq6+)v7|9>^jV8
zO|))muJn!qJI+8FH{9Xk#*z)I)HIE0s{QyJkw)w+<#n*LVl;VzYCNgfU_U%Oz)z0W
zZ_jzX{@%g!j-8H$52QF@h@b_p%!8MmA{<35E(D;JvxOm#2Hk7~HoID8k|voPNH*g(
zun+U#5zaHei~c8RzQJ_(Ws<i&ML38g^38&4l6t`j6YvwjX3EG-%|u8Ci6pBa86e5z
zf1U9ke0dSN&`0+lt(mKtW2=vudY6nGtt*Xg1HsV(odHs!N(<N)1rHuE5A<GY3j9GZ
zB9;?D_y%9LsIUyb;4kM$<VUpbq*41+yBZKvwV8?xp$6uS1723RyW{2&m(R*w1~i8z
zr_b2=iXJLlO8k%MfQh2PQ%ymzg>L&Sg*gF{Ou1Nc@di%54jBaOFoi%1LMmm%2y%z=
z!C{db-1Y~h<FG$o)G^8LADQ0G=+(`#Uo0uSmu@G>p-Cf~>oLoQ)W01hyS@*BA8Zr}
z!C6LpGs5NUOLkwA{JxLqj$UG{@>PXhxs{JDyh`mIdI!oduDvCv^1L1K7{}<iiQvO8
z?Kd|QZX#(rN#?RAf_|kfRi~xxFpFiRq%>%j1(^P$|Lz;je62qvX}jHbd^R6Bvx+d%
zXl^WL48s;jY(6^{1*S#qJ=F!WR>}ujGK4j7T{jc|*d_EacwrJlfY-q*07Xib)h3*f
zNPRJ>Q0)O)?F2%HRC>3LDSMBvr$Fg_aUpSu4pg@l${*>hH4mUM*I=IIoN>)f8LdN?
zq2JfVLN;+@Wx+-e-?0*#qy(6qm~x=7{LSnH;*fjR&p{bYyX&~AkjcmiVric}hEV}q
zCcw6Y(%~zJx-fEE1|7pV_DtlUs<E=I^)l-<V^3?FxEVV*9kj>*Z`dU1N*X05NwXpA
z4+Dh_<0xWvmMMh;tA(mV2+<m`VPVvEY#K<*xfJB;KG=Q%h4?<_41Yz6?nG9I5XYnA
zJsCa2EH0@>=m27MsBdc5I02)J_`qSr>fVU$8Sz#w#Oh+^-;3+=Smp^y5e%w-8nl@Q
zSc*fN%hNcaHSEh^#|@&zMk0ZWd3>UcJIF>SH=UOoHzx;#&7BqxR*V<`A4XE)pd#Qa
zQKXLR(138E@F($uapu3^#HL@7BLdk>zc&0GghXw(VsLV8%+}qe>UnR$$gkY2dZck<
zD>MQ#QcrMDwos$kRnY1^BH?5JXCy~SoK(ynx>iy$kBDX>OO8ZsKobZ<EUv{04b+3k
zV2*Ee)kF^GatHn1Zte8QdYskyv1n0NB5`Ji$RV=ZR8aPTNwkGXtx8Bi7w0jOI#nnY
zPo%TV!q+Vk&l{R$b&aZ`gv@UQ-j5CxaUCDxiC)NGSp*#O6Y=%B6w=Jbc$hsxH=0!5
zo4j<IPrkD?yVfvL*U*mr$gGto%m~c65rK!JGgCdReKjpJ`eS&zrWyzAX5x6Qv8F#y
zKQQy-8XP=7r!QC9X8F8MouABt9ykXVd<)-YQWaG?Ny5<=9EU*pSzEPmbQ->%H(JF$
zYrWwKs)P*_o5W&3<yORdn0YIcV7=QjXefWg(|(J2a(ejJInklH{L({+;mNF?Qqu<k
zPU8;&u5n)Ek-A(+v#$W6ubJAm0FHSvD#0S1A}yPpdt56h3E<GHyfG;yf({kxXO=L#
z+mdLDYz8IHcXD+@M2S;zQP_J?DMj!I8&gX0z>8)k-CdF3M3U%NOmJWpj7FB3w-X)+
zuug)D_YKFPKu+wH1kQ^S3)+<eN=_j~;zYy$sU<$rgA#a-L-s1S;ISgESYRS>uC2E;
zG2^s|=l{{$0{7g@QamMMs*%nF0Tni){0u`ZQ4)_CiHeH{elzHpg__lXMCFQP7#Bpj
z$OZ>ept8(g)X{{Qt&$oeCwW5Zp*QldO5?z)Xh7?T-k?lcLXmt*JSK4z9NO!l%P<8)
z$$*)+pmo@2I6IpXD589~prk8nS9c*^VXc*~q7JyFr=0#}1CW6eub{yuN-RQeV<S5v
z4h$k$16Jp!9uvNu1^mr6JBbI{@5K}(aYqsK;&!4yqRznSJK!c<u%pbJg@LkzW580*
zswTm6I&$P>jX&e)CW>o8fhmZA`vXw{XFaK~V{#8iOh&^wl4J6voMK|Kee52!tl3MV
z6+%5>Q?;(Ir9?V@2u>Z5!_ETEbQNmO-aY2&y@eA2MyYt}2~m>TDkL!Tu@=q@N?nu)
zCBExih67sKUn}l|ge|~4OZolloDSvpMfnh)JKE<Kq!pXnjpBB%^%LwCR`vDluL1?e
z!PpK(^sR#PE#4pp62jrG-L$M&dsF=`!91{n8gfO32IVn?MPUZxWnh<VrtDN^Xn;_P
zJNo1PKM2`2j_vEAiM02nRTk1s*eD-K!A{@f>)lnJ$YddNN8Bl+3Bjnj8p?~c&ZbI5
z$_uZRxtdKkG{rTvV%<LjK?sx}pf{Q1W{MgHVg)cy#fPamC74~!)vU8KtF<atP$as&
z?G5=oo-6J(uZ#AN@HCj0t7ll6%_<uVkyK2_lBJdT_--!n9I2k%xd<rLmYSg|)#hlR
z>!=wd(#sDe$J;5j<gqqyc$O>Aq<L^P3{FH)%XHxy@0p60Qa(h0xC5qC9&Nf>dT&W1
z3#;-&Bt4Yhd)^b+3OF`<IRb7iP2m~{a<f25D0r5Z7Rab4FDfqGYgrjBux!S{<Th_(
zG4e;Sq!(`pGkK$UFt|-bd%dEUA)|uA#Xot?M#pdvwY=)MMDy60@S`GU4U)JzC=*pN
zO=A*#b)qD;#0$ppDqi8h{L3yI5nOZUtz1s|sSvH29D13nS+KakNyag3!=oR_+A$9j
zD_$9Mn=0q;n&#2LO!1@Cp&JV1oRKgWyRt(hhbZK$FXs<tj2KS&lL^Z%=K)dkMPC5@
zA%8YMr0{Y8iX<QsYKt3!I04y-%v=x_O;b&Xyi{?s^o{TNZ1ep4!TC$4UJc!qQKNow
zZbTRo<r~=W*ZDq>MpA!9Ie!L~pusF<Qp-JETs?k0vQ^5v8yQA5#Zm5Me7U~LiB<oF
zp{x7_CRce~kjWA67oV<6_&Mbt`v4N5Jhf>-Qjun+$_B)6q@OHn(j)pB_CO<t)QN?I
z7o3Y1D_6?U$*ifDi5V{4C8GqxDgG2vRSbGt36popICGKXU&mB?Ue1FywlihoB!3Z0
z=+X^8ahBh@v|T=9O#UJhR&oy%gbBkQ>^79mfJ6_4E|o>o_?U#?Xr7O~I|VWUNY}Ga
z+C_L11%vDtgB+q56GNVH32q|_m%cp#p1k&w2r#6ClQtX0*%T3~RH-HxRl|mYUA8Ic
zX#dY8L)|IMzn2U!fF*<Fzm^OqG)X<D+AkFaV8ylYfbBXvkCcA?J=({xIIuiNPU-9F
zKc}t&LbWm@p7d)}r7{b+#r=c^zUbF7uHu`q?&?u^Q7!*Av~J;^YNke+;O_@omqQUp
zpDc-9%bDWOp1wc7DvnAbpQWj6L<}HxR4f3<g6dRph}{l|NmPY8l|XtwG|-9mlJ};d
z4jI8cZKy_v4Pb65mE&aDa!^equ}TOLD8M~iy3$<YTAt6bSR3bWajU~ouDew^ac4CZ
zYz2@M*G$krNfOJ$C6eN}DF*&%C1_#2io`Q=0Njierj^2{uz)kGhgYAqAVhIt;ekRz
zDaUich{8FOZ6(~_4cgudP;&|G3R7g2XPs5(!9O5uJi#T@Qkd}@*j@ZnLn*9+Q$xcQ
zWM+!|G35kFkNV=%1VzQ$i>M&59({Ncn1g<jXm7>ZG{ABkzsAcRy(H=pxT$esNFg}q
zgNE%$gBGh3%F;m!HBEC0LhuS^3?5JW2JV0xbqPeZry94j^Ab(JtvM`HKJ_{?Si)pL
zq7cp=M2-~jt_ZL|p;6uq$=@4>Rmf2otGE`dDG#xLl3POO3XSjR-oUFyiFqWpO~1;~
zd+W?#bPohQz-Lan-owxG@Lu0HJf9CZM$-KnxJM{GCWsmMY{LzB4jl>dP+(!r6P?~y
zZmiV+RlPuRqO^XIiF?EcF1g{dX+zAyfH<JwrMcbN3})O3_jG6yrM-0XP<~>&`l|_X
z8|LL%aS?(Wtf#O}eOF!yjGMu{NKSl=`o28TK44VbV_k<{03w;wrZ2$Ge1ekGKM?fK
zfS}KrU9i&|01NN1M*Us$T-U)LIDeh}mVnEXxi26SZwrUx-9t@R%~XoMgh0_RPdIQ0
zesi@E7kGM2st{R0O!<NpoH5JtTCqqas~j<$myj#)g!2H3^Pw-HDnL{B*Qx<$ThSTG
z%}%)CYBDE*Gt)>)q-H*DAEz@@W%eNyc24*IjAy2;i07EEqkadSxTUT3I)$5__+WI$
z{%E|+Y>1X^?!Mjb9eCQ(f(++Aago_+r&Fm0r|xcXMY2g1Hp>~7iLaF(TCV(FZrQ1l
z3$JyR_ii#mfp;JYpW9qYGRLP-=EX?37<6mvj?K>KB!J6GB#vJUfg@p=$O^Ahgs-Dp
zGFTBPLKY7wkXYoQ0iQAIoQKSc_uTszGI{?MPrv=^+2xb9iJ1qGNPDjD=-cEY{m=Q;
z^mf~BH;XP)rMY7wYa~I$^ggKx0n&_aqBXAcOBaieCc7mxerFY#es+zIGw>^b4xROf
zVLsdemNky<!wj89k5b^F8?Ll!LDwFHzX@OJ{+;N_*zecE!OC7d!g4}Z(t{IZ)9=Uu
zQ+&0|(+AbJ^B`{&9T~c-1UdAtToc*NkUb56Mme9JDP7RTUoG-z`1$S0C-!2aWiF$p
zgr1(tv-AW)4dNZpLxXJiNo1_1Y2V3sdxD)*x8EC1q`qu5we*qEnT~I_sU#R%Jx_;+
zKf4e8LNQ!k)^EPMx#<FC^7Tu(*(o(1Pil7u4>)FbZVPd`@1}F(4SO`16Hq_l%8=K%
zjZ7BoJh(hcWuh1%r(v?kjWjW^HXdE!c3?CGv@@EFXji>s80w&|=goIq-4k*+L2CiU
zl~Ozp5nJ(;ghakv=$K4E{f2*v)Qw3oBf7N-0=r;y-z=?MEd4x*#+k>7jDysYCo(uL
zITq}AS(;}$5jW1C{(!8UP0s6m?=RcQZ87lC_#*q<xzqMi`=2d$u4yoF^dco;>H?zG
zock^}pQ>*VeI0V1=7fFxVd6@&q8!WxN9P({j}L-3@#PuobjF#Pm2c2lqNNJ#!}8~I
z{_zc(X|`~Ck0vB1b6ddE!-6!>uB{=`S(<S2F}h%1-1p8v3zz0g>o0~n9FFYYPRA@S
z-h1%BUY`e1viA{M;R-I)6k-h3DZo{_GgZM1)xqn)RRU)72*Z3#^p9Z)Fq<pDoy`o@
zrCE_RH2N{o!i#_&iYL8E3?_yf`nIEWh&@-b_bDX8pKD%^&m2@A!8akc$DoiU<<d#)
zh8-1iyzw;?i&1&Fj+Yi9c8#+u<70y2!-4lDgC+(;;$$0ZdX-BIiyYLG5l=vq6UQ<m
zX(FL^3H4PHLF@S<kDm+Q0G`2{0_iI26Lm%RAV}IMq72E)rG^oDzvB@l!1q8(bC?Dr
zv4SL}mreaOL4CjE0+p;*OiU!H3sCf_&V?&#uO($e3L5Pi)B(3GS4>Ty3o!wd3}V^u
zjB~hTuT6quG{O2bPtgLmR<S@LW0iaodf71S++#F-1+9umdBaMG%qR{KUIxP=rlLlD
z6%@%`d+gydO5KI>Bw^>C-L3Nfz)rPbUXM@9$!arjb<V|a$DxwCtPBiC6Vw5SiJ9Xx
zIKZwUO7M8-tUTP{IjpWaXd~uyEqb9mXtLThX+7Vy>6%*fZJ+JP<HZ`c*W_+)G&8sc
z^@J5<3<ZfK+g22iCrYZgQCAnOYt(a~MCEGi!t><(2xf`^+q>Lg%9vpKNN5CZa|W=x
zVB^P4fyS#29x3@OUx0-1+0v;ZAwqN?<)Bw3dUa2>$Rq$$-%A@S-nIXaPJQ5kUMgOC
zl5Y~uXA6V`2E5w<tZfEEx#uxTCLr6l`v(T@WOWCCfgjl!U$T$uMUxq?C;R|J*ViwX
z4afB~8Nzn9fEZ@!p!UyveKq$eXqs3aO0e!gH#F1gkS=NCiW;wp1m_CCN>fnkXcgk9
z&IBeH$WZ==f-x4ErRe}&CIJ!AdeLisMOboB<i<T(2H=z*v#y;4<fDYhQF^oW6Iw+G
zE^r1?CUpy~R+gr8b0>qC*23#NR?M^WjO*o}qkRk?s}JfwM|2jsEx0FiGmES67oRUy
zd*_#VFH&P$Ed=qw>c5d>Xd$suIZTNo5=qrjD=B1{f6uzf>iEq?cv1<7&Yo2IagIc*
zCxDu-2F&!pxr(xhoK`V%SC9_<HjuhqQA#LPmXX9amAZ|}e?p7U|0Ma#s-=t4T7Y3q
z-CN4V?nuYSzB<;Al7tI`T!^&eDMpIwx{o4^iAgNoSp-bv?0ANoC2YyDpjoK6GJe;d
z(1_rHA?^#$9D``T?)XkO9AR1+sI;A6yM}%Q3zK;0Jr3R*b-+Ci*;~b!$1w$!@UKsh
zeh<q(!apyxuZ2!6hGS+=Eq+#+kufV2I1~^RLF;`PJ#!`^E--5mdH8)-B&E(}GLp_p
zD48AJ8}^^Trs7KF+XX50?^9Hd0HjTY!r6yTVXf;LI@rA*wDg+=vzcZ>=6+c7TE!Ak
z=s$@~DxFrfZmx}3dY>mi4j;Zxd%MMWrL=ITM+vN*5~M5U2$c|?3DP#H?)Z}DB`Qy*
z+EbbSW@$rRXuy^cPYZlO82_4-1r9~JaLdOUluRGQO0=rN3we0)+aLvS@}9q3$K-HM
z*R1;Z&511dwH+i%EC`{y(EyJ`yy}yOQ}M~WQY({^W|0PElSWS&J0=)>5bz2Tra2Q7
zB0I}-ypgS9>)#Bmo_`HMUCP9P6fJZ;(TxRB@e`X2^HPM55so4XQ&|mTN;#I4G3x+P
zkSA?D0$0UjXN?LnO|{7*b&J3iKmH(N&$yDukt(Ncm(vk;GyMWpNX$7!f|$}=KGckb
z#wp2|g#DAWPXR`_{8hNzok9QCYv=vJ9KX8X?<18$Z5h!K0%gSzrbP{-iYt5>u0!k1
zR=AALKz?c1mja@^Xu2F@weS!@2xXZlrnCsjXALt_ixLT}(3T~!MdUP!EiyDGLWsA)
z-Is7#`T&G=c^lU4S$UDqH@#?tfQJ<4;tuZXGJp{rOz~9DNb|ZdAT8o6Ues^m{VW%1
z9vM*cKKH@`eZW_|Li!kP45JViym<w>#fJlw49>&m2t;{&x$f}p@jtgJCQ!_K|03T9
zAtUgP_Pcx@@@3fO!=CVaX)C|;J6e35&J<jH<v}k)A8P<~6z;A|EwgB~Gr4=vO*ud3
zOu1i>{69Rs1yo!;7cLCNi%W5LcXy|_ySqCScXus=Q=Gxw-KDsDp-6FenE83Xd+$GM
zoi%4NIa$fh+1c4U$@45IqO*S(1?1~}5-pm4G@ZRJ+qNBmlt0$^AEF2UX(PYb>y{V+
ztU0zB&$M@y<kEfba=~wA0S1UUT2)#So%6BZ|HJekRDGZ@RYbaM#uskI5C)-lF$Ra)
zW{1utr!|v0%>8L>G@)X+LE1~#33&RlW_n}acg>}9Pkd4*VAOq9>IeJSd`b~_Io;|L
z#FY0s5eIr7<XL>%`H}nBFki2jW$3)Uq#t<p7*TfdubTJO@~~H;`Dhbrw9C!-3VX4l
zrn+jnK>5h}w)Up0t5lbZ>q95oD0`#nbZDs#Ak=cwcDPmj%BDHwF6P%f^4ic6XnYdL
zsJOED(oLeS4dya_y1(&ly0`aitlW7rx92csSXnfwt1auRc_p~i{>bDPFwK4Bl$_Pl
ze9$+JL$VC0VYjB~d*IEpG)}uN%8wMP30j4eV96-6Um>7LKeg@FCQ<gaUmdaFukqz*
zp-%x7iPSd|%T!*v(k~D@0*M_T?(vk5;wDbbm8TS244kcc`1CWHcAoEy0XSzM?A$oa
z`5d-NUyfz%pillWiDx3D4XQuc7ak04B!(@-_e=OE&`Loy%+$vEy*@REqX!>7YmPXl
z54Uj;x-XBYrn+fe`K#QgXL%VV6|xv6NHv-=&2TiI5vdAR-Eo`ro;x>d1fG`k@Q*nc
zlGu#-)z#yC5Wh%4&raZTkS*v~^H>CI#{~`uG|JO7o++veG6K&v%FXg<ozbL<ACSpH
zPEN6peup=qLoms8<EL^2mU)Sw3*;$A=U(WPmS=PdW>r_65dqI+@B2Wj1z>G~grT~4
zLlW^`1hDh#`bFTN8u5B_hskN!?0&B__yF{}+IvMT<V(`(NpugZ{?L1uf+El;u{K;5
zuJ}X9;mm);IcRfy6E0R@ye4V-GSHRhdSpC;IwM3&HgudXbX6l%A^eUM%9Q>QTG%un
z%fAR8?%A7t($y}+N;e;V(Q+$RCy)`b;9-lE>Y<|lY2~G_jC;$kM9C9%%P$R-J-9jl
zt8T(VNar5mhv>h}e7ld1`%wqob5f{+^pJD}fQKt}9+IV=kCYq>5Mn*s0simC^%f@7
z@*-@I9pwNC;!dRvdHXmQJPz;LcOpt018gOWx{*7RU)jQZP**;?aRBFqGwdtBw@)&6
zP^wW9Y^S1DR9Hl9E+L`E@uml*<YgMUw!jsiD`ZImarhAeAqBC8i+F6NdW^TPcx~WD
zy?PSmdAx2HZV`kWCX1<c3~x_-M|j>R>J;+vk`U?v{>^)`pK;8Q_I!_GS076T>hqts
z$cSg^s`&wOBN8J6L!@bCw#q=gVLx%HT6^B56vF6#SfA9j@WenK&VLT-%F%7g1e%*E
zlFM7XGHSY8lj=Y&7n?7}MLD+)nLjji$g&8(?Hhw{FE8Q%HKfi@#M<S3rPof9Xb$Yg
zsMw)L$@^Q&w{{%H8bP(f8jDqm5rpSyVO<8F=v+0|Aw@L>Mh*oDw;j#)c=RMw*JnTa
zE}L2&Mh@P)Mcgf)r|Xzsn^p@-(_VCgMwMm(X}u298QLRoms2`ic>tP?w3atH_%_xD
zQL%k3)TTGhy-mflWg{Ump5>_CQJJK&T5Ibh*jYealdy>0Nk`h<p{#LniHQ2D&}#8O
z=dmxRHcrphZ<fmZX`+HhoBB2}xA}75j`03iW!qtm)2c5=NBjAvku%9-wVshi&Q8Yf
zDa#-SW>qQUcm4b5YN<Zx_qqqS`BgOyvm|?xuC{U?&`ovQQ2@T(;^B+W%hTNslCeRa
z^HD%zcg?_#-(6W&z>kxOZk{^d|FG-=TB`I64DY|KYUDV{N|bMFAnepsE%T)OS*`)-
zmG=2NHtmpgcVV82+%IExx~I+Q{BYBAy&ak%Kz@qoOglNUa|`TQUKNfGpnVk)D#)$T
zKgUn+3y_DuD{o^l0v&(8R^S+r`xFrYc#0+HqF!<F7)9}|2D~x^RPZKL^}|)2=<&}F
zJM{n+W+OX)7pl*?C5qHg*!yJvs{>0;fC0@!nlB@}YW`*Bl{-b4Lj)R6PDFuGWIw^L
zaekXWXqT_P&3ZFtK{Bg+rUxZGoB+I@jMwZqvwz<aDvrn({u9~05Q%9mVQ?;+{lVL?
zhg=>t^Q~{l+gDw%yl(|c&J$PVd>w^WxEu1}&%~`4uBu4+^ZxeiLvkZgBvw$Xgk5m$
z^CEKDg%;!mYvOPdkqnf_&{dz_XC+gEZUDZVYzwBGLdG)P8(MAs5x}+xy6u8Cw?D<e
z-uass`gxU)@=w+pe;&9=@B_}So5#lk01(9YDstHpbhFR{nza@hKaGQyAToQ}hI@08
zICp&A+)R{UeDAx&t25(meB@}%KaTFqoV7Y$<~IHEgyp-d{`?{pAEY=kd`D;yR~2W+
zRj|MA3br0&+5N~h>VuzkH~2XgWnKwp({vD=y}9oopTCw~4gjR~4JB7@pFe7soqBa$
z{}_Km7BJw=Ltl9rJgJE*JA;$FxH^jms{;gT5hGT^HhA}e9u1c;$l{c!k@~O-e03O@
z8UmijCM#(Zk{V6Q6gN)<#i+lVStgokwD0cLr>f%8Uilyb{8M)(hw|Q6-5ySA+{(RX
zaEy0=KYWfW`Rl09Dh<QVZs)Y0up<H;u6G5ix^~|T;Xq0wsKj#b0nPbmo<3oDJ1=~O
z&mlZ*%UO57X=k|5vWTL;v*VHp4xi&`PQ)pI=JbP}?@%9>%v|#>uiZMb4C(;dILA-A
z&wpVaWydBft#NWhqGl7GC8~P$OfDTIaexU=Q_IdY%Vw`<1uQ`y?fJ?y$3cmA6YF+v
zH?n5?ujO@D3nIM>LKbaCFBT=KUyG;y{w9{3LyuR&;>DrVt7?`7&HPMq<+cosv$Eg5
z_wT5+O8N~Jp(pY1sn)LvjUqV>Lvz~5YXggK7Z1Q((joSjGOA12z*3JwOlIg7Yml<-
zOk?=51C`1$E;P<O`8&Gvnalf#jG1ST7n8<TOMjhwjKn(=RAG+yazC^gD=Dv{ek%?<
z_yBh-zIieJ_21pC#crBwcrjM+c!pk%nzq9b7E0URbUC}Y5E*BpND4}aRr31Zafkig
z%A^9peHNDYlF2oc1?lfucxcSPLDdOS>Tf!+!1uat?X1ImWtX0~$1?sZ8Ho>sO2wQ+
zTBR|&#TFiCf^|m|f87tOs);uq!10}8IgM-2ufv!1<;qufE9XEEonE=8$w(Z~Fl*2X
zd50Z!Nli@X+m4O<mAlPNdE3YBNs_!-_utXrZ=7K&f}zS{p^EDkwwdM`UhjX67q8X%
zUSaR;IG=k3KanraUM75A6q-lwgH*s3vInc!{L~Q#?K7pDx;6Ql26|U8QG=?EHrNJJ
z%_RSp9%>R<D*0*G0+Y7HF8xt2Gxv3*a^PtVd*LY%*3f)(??X{~p<N7A4`x6e#if8r
z*e^5nw}dtdf23UDs%gkFE7B0noVUnA;V)Am2Gws`vRKCHW_YeK5`A$n=v2fn&r<{z
zhQD}`%eAda852HPV*8@<(V8ZpsRBP>1=2j3GL4M7eIRebo?nQc3pepe|6?uUHQ>YA
z1yG|-0zyd4Zo^rJXF)f2MC3_tH^pv0x`%tvY+lr`1+~_W33&?xs14wciT16Np2@Z{
z`ni9qXs>r-DGQ;bPm0n~v9S+11k5y}zGI!f3m0g$uSYJuBre5hA>j1D5M|X#HPW@~
z48EI)L!zdocyBof+)uZXs%OM3d6s(yU;`#kjY%w|?JEHD?)yS&)=5hUGji7KQR#*!
z(HJ(NpHyRX=q?tzQ>4EGfp=$aJ?nvD*QDOPaNdLu{4i3J*=f-5x}gE;R*>Jz5&Z~d
z6Y-#DK?9gYG)lMP{uy#>wzAMudGvdUDY2G?jpKe$%Jh)6+Lj~ME7-5&2CyMT(CM++
zE+-{Ncmqwd+uVl|TI634x)nxr_y-&Q4Deew#i*&*_Ck3(1&ThB`t`#3RWF6x)RMwf
zehtoqR38k4A2}?OI~8SYJoc-%2D`#FTDPCmsVDMVl6{h99dtrlU&Gq8j>g>L;y%5Z
z&OTsox*CQY`!^0S@s!MZl`3;GVifihsQTBU5%Cs7x!_m0a9fH|EFAZ@ZPAiR>yDAC
zYZ;)WX(9ya!d`qH1Ww&}l72l;5l&1djj$N``@Q-S9@PlAK&A2X_^Rgn?~5p5%g7lX
zZy<i*olxP>w+Bf$#FPw8X;%4Pl44j$WSm{ewsW|*g!~>w8GL><h0VbL?<qhsO)0c)
zl|reer6gte3~}L5H}eN!?Acgq9SH=(+`OgQt4hA&uPxe!-HX;wocFtz`}TKYp6z7O
z-84~h_F}?POHj@&RRpxrN)su=|FGjjp!u&Ad9FNYXN|?-<uYVg9B)Lwz@_EUa>7Tz
zU?DWie4#q)L5_qdF5L0hB!2p4&AM4_(X4=YN3`I}Jk^&q!$NZmPZB=sg%H$yO^2q6
zEkuCmUjoN4Sr1^2B*df&F?E{t3Ra#`qt~xcc0)Nd9mW8;WDN|56782Rgns^6I4Hv^
zl{QfXo!eR#q-IjBRVt6+)u?o9<(71v^?&iY@XCIY`}UIf5|XWyKrgKj0~jfGa~h$?
zF<z`^)3EWpc2I<BmZXa)rh&sk)x2a>laOPyaJqv=W_%5Jhe(gH#E$YyQ#Ej<Hdzry
zD}%7yIFC)gd5hzdyJhYTNFGUDlX-VTcta4+9MUZ-<Ms_=D*8|OJNo&q+>6NNyG>mF
zSqtq#dVSB0iZ-vg4|PFRO9#@%7naIvKwD<9>H1l|=g;_p0$a8et^*<2j|JFeFb-uG
z5ZD{4CHZ~_yHovRYi{olv@(7-wwMXwh{AE!Q_;(HP>&<#IO(UOAkAiMxhBJpcYB;7
zB-bEk|LMd+V$7>sa0v~Yja!O0Pj*&Ma+F(>p$))2B6aI6Hqtkn)R`WzH?-=ZsQn!T
z7=TtRaW7QxOBm;KIp8I>m7@!Do5AiY=3UDef#+1IQBUT)i5_34a1*>qj6e&fH!k@1
zQ^r*4YqCb7(T&EtaNAfy%k;r3CtOz8?-yb>KGlQou~7s%OsJNpZ}R#2^;&QL(o|B>
zKdVl1<Sp%40}ZzkqeEg2U|pSqR^^{k9FK)hpIWaoNK}qjgUo-yf0a##Q}LzH9kC5b
zIZ`|4ac@?EGbcKjd5ZJ&sD*2R$%`vyqC|z^>#e0b)OGD4q9Pm-Llw48w>qK3j1XvX
zQoG^n2VBEaDyQF;SZH8(G|gVLWZH0-2|6h{1_b5fM1{F0t5PdZtunq4x8F&n_zFwx
zkUIB5Im^w}TIf3T-@W##J$@yuX;IVJXFO;G4TpEHi#Yd&5#K`rRxs4nUZ7`=p^L(`
zEVp?qr_~t=ta-l?)}fuJ@ub8`y4^f{U894ird-M=zD|ZGW27a%^IFrVfF}x{@d{S@
z8jjCISg&x_tzxvBNoU+l#Z7PRfK(y%LG<g6Xhws0&46M@Zj_u=)mxpmzkkg@?-$U6
z4)zRpvhjjTc1({!s<t#*gXmysu$yevi@&>g0Dnqi#~v~tUto2Y+#5}B7fNu4ozC_?
z*|Vom*#ef~%-(@&>nYOam{M9G%E(tHoHpVX<?Elx;_}fDG9!pj?)fr|W$Y%2r|hC)
zqGC$wU){U};_0Ge&j$H$=vgBs-K!3L`@CE}PQ5a>q&~e-v?y`C!`#pnKnnjX1YXTh
z5-Ww6m(Q3lJ>_gj+&-?AT8xui@W|J5=*3P+0cxlistpW{2wc{Kbs8U#DW-Y0BqW`z
zY83@G&aleY?1S5L-4l{5uyq~J*RrV*EB5W`8$HPV<F~zI5_%izCe>eVwC^$W!4IC(
zX9qFS+3UEAVA5cece4QzhsSkxC9-l2xc;S3d7}_5cC;xS!?cqiG%>Fp|EIVoP>60z
ze(ez|6C2N!Q14cCqWvJP8YpR&HcR6miXiRy&hw?6i(?WgtgZ{RSe29zym*0nM&e6$
zx+!~dt9;ZZqm4XzmnV8iqoJ{QGJ%>v^6cRg=-HrCjtWQ{sm|sKyf$X^*TrzwUH8e#
zWU-=hIbTRzfWb*y{v-?MH8##yp8SH`ytv;Nz{oSovw8LZaFhrcYEe`zFMpN~eWFJ$
z-v%Kc+VpaE#a}fw*|qrX2K*JtWtob-4%)=Hmua(K)$DqFWs-i^BL>x3y7E-s-GWvp
z#u}>)bA)yS!D&h9d_|1k%?*3%EC$AG<cGD*1hQ(hovc3!?oOMXST<V#Gl0ciy@ZRn
ziG4dakQHe6;m$5(Z~C@zI?YF<z%lS+k4D;N6^?`aRS*~Q9uM}zbl%CW3N(k~$UZKm
zPoOS;EM8`?YWXVXpZ)*CMEjS;wX*ta#BrCO#%MWiI4x7xXgksu%vXMhV(c5Oo>N;}
zwOfe{WM5dI<?A4@`Kl8uFw1}cTp`2G_cPvI53052{`=RhnNR!gZ8KGqqqgHlUO9zc
zOWhTo&`9UDBm%+e1&vOd=6|%)wesokGI-v`gih8>#R^jfgg4fmPU`%P$QYGlEly1<
zGe2Sw3l<wcfPv%c)mw^gZZ3y`p+9pdDYB~0+BuApPir955z*E3U@K=MrDO`uCTqr8
z+^RY;#xk{>oD|PW^##jI-`v^n)ET!GYkl?>KA`1!+GH(K2{R?_Wr=2|yh1~ZN-`J$
z(kaKj^b^vp9`fR2Egl3LuO_K_kMS9oQFWtNo_kJeJQz5aG&=1yUtua2f+t&4!l|(t
zWxu+mlhciGJiT|kZkZV%wq<x2(4^^At{}DrYISWD#083sY~<P8_O4J^uN?7@Nrln{
z648F++FOvF=BV9P-t&+FCQy}SMAg|tRzdVCNlb>yR~ckbwp(}p*i3N*unIF5=(}$F
zo>;xVyljp2F|X#7>vR|YXXeG=M#UtJv9HoGENa-9s=|Nr@9lqJjino{g)TrFY-(uF
z)ksAbLreKAF=7HI+zq>dgsZ31<Kx_2^69If+*>}wuhrN&FGsSum((pYY~Uk=6-W9;
z3T}>HiIbgZH87a%a17rUep_{JUj<~Gaa&s%2yDwG+HYUF{L~j|s@fXESssyX@lBPO
z{1=m!D`7$xTwlVxe}uJWQDUb14&Ll)J!*BNdfzeLn-Cz}V#(vkf)uSUcVEcOr@X?~
zD{@q%Qbh-rIF*AxAes+Gxv4_bFeA}F{-E2sOSy$O_Zgaa`N&0i%i_#2rLeByehEhs
z=xm`NZc#@jq)JbLW*{F%V>yvII=~x|ALpx4{qc=P3{9?<6E?r!Rn&4aWQiAR9*fZw
z;l8#5SF{UijysmuS`CI2qp%sKRn)u$LUj<~GKEUjWo>2~aVb(reh_`kocpIW;99uy
zwgWDtGVOzkK7?Eh2(=RFh-C097z3JhidAD+;9LURlIA+EgmWO>Z=_@{NvB-!xRv`r
zot=R&P2qwL4wN_Kwfmi?NN8%552k;X*(9}wX3>t5!Kt&~SzJv4{j26_76cXtGA96w
zlHD>CKW7}WuWKT-O<X|4A|zc0vJw+1{r;H=;oIb2UvYGyRTr<>#y@Y^9Owtn7a_U%
z=>9=EIGQUkc4M5`cq&~`OQWL*3GI;Lh;_K($jPH=*Xa~Y@Gb2-B7XS~WxkOcp^uCX
zMQFmlSs2Cc3ZW$1)v*taY0ZSF(1qjaV=;5QG&MYhWN;W|-%_{_lTlvM^B6V1mRJ13
zC7l!u79bbQS4m=|G)>eC@AxIL)J0?eQ%HX5CUN`56w|}WG>yKCPC&Ol-iBJl0qvaJ
zjJzQ&W=WKG3d-bfGS(~vV6IW47_0cepwQ1)x62u=6TPI-cx`$Q!BXKLUajtr@Ex|A
zb-4X)Sz*C%g_>OT1|}*`X`D#r5VCR@R~WMPi)2jYBsWeQP2$vYf5`r9SHf!Aba7|>
z&`h8&TYiDqH$3=Pl5a@^3yH)9m2L)WF^EjMg`0r<G`xj8pO&xUvcvIJ2^XK%8!2{G
z^=byUUB2C1uS9e`c?{>(1}};*cpQUS&6d#$%G(QFq;Sqgk%*MmBY%++SA$TGfc+m6
z{a?vE`+o#a@geFvO>=E+i53-9Yh|?))QRj9fDV%FI455=m7Mww%{HVx)=;kGITeV)
zLtOW$@KmS_FV#Z&Z?UqM5QDVg9nmnUe|(u1`O3o;XIigxQDb<|*7>PLdI^SlC&PDb
zG4p0J+lLnrhA~hvxLIAv1ozVDf@54V$el0+!c{vb0AA7vMIpa9k^fBxi#)E0b76(k
z+0XpIF$K>N00RrXJX%#Ted9PR_6-M~3h23jgOuL?m@RB5V468TVXGN6aP3VGjiG|Q
zApQhVt5HM{!s!vz;a^chj$lH!U;ieww}oE_LPpy`gx3~2GmV);2*8_R3koz~taLDF
z`EqlV79}m5a;?@7u$q{$Y==dfEdiFGhBs1uHluLkX8Kr++MLGu=3O0gv7WiE*6ZDI
zJW61c?(WRO?d#}sw>~uOx3yDQs}uS2@39v;Pk$gn9|<apMg2iIJcKU(2IjyLDyN-j
zDt>%B2WLbAOj#oPaL%eOi=<4jQZb}7rsNo2&xYV=C2gf&gC9^FGkHuUUS?JC)~!2x
z1)taB!976f02t;vWpc?U7NF7_{Ut{`W<gwsF<8qqBou#do7^F|tr-hXG6AcLtXC}G
zB+}KAYz{-Bu4fohLi0;{$co$*w7vZ1c-#r?j<k_N`R8^TvsaeZ6r4q@>V)o0BQD2-
zk$Ytu3YM}GF9IL7QY-xviXxEdf43bQ<8i=mi=R(jgnmBN_#XjcG-aLEYxKCFO=(he
zPkl{3kD0z!)eAv``mfKzmMcHA?U#R+$ag=Dp-*u8t|0+ZUz7SgkN1$6YVCi?Demu}
z+LV`+3oe%IG%)UQI#`g&zz}X9?{QDE;|W}EFj^<mE^cXiFqk*@t}Fs~y#V|ak2!)=
z77s~!31x-ORX`u9t5dRChgLzEduxy_XPvv7f%Ar&h#=ZnpSylre$V)`M^?Dg9|s7Y
zz*dZ3!`|+HfGBf}Xi{cErcbS#^G6zJ3fH(%f+@6?3D!~_0w%2lHI3?U4NTZ^)BW4N
z@tc@TUm&8kNAi+fko%&Wo^KhT4QpR`zIoX4{iq$=^<1K|j3G_+5ur(8en!W@h5B$L
zRlu-s!NLzvR>cW#tYb@g+=7Ta9>wk%6R004cVHVedrV*=kM2X$_vdrzpk;n~A66>e
zrC7}=n!F6TA5iMfJy>1$)w)Q1(73S3&HDoZZm!(X9HB3G7FZ8G9Srj4>@v?tJm$GO
zy}dZFGjdW?`*>My&orL7nnZ1ydL8~aF6Xd6F3xK-J8(WVbgXC{>JavRHxcM-b8RT^
z){hS|{I<HNOH6Zw^)zjNH1AN|NN`rZs@RY%tZT)qATFGy$pecxEuXtcN|oxjQpl=;
z&mYXV7|;GMOU8Yo4B-HiFLIS-V_u|*xje3$k!7d$b8mbPYGQr4^IysxY$0a?PTyFj
z>8kVFfFE~l;+xZr)b89yby}dfR+^;P&~twsm>jDCZ$qsS!HG&nJCuqWp!5mA;b9Z%
zBXbqbb&+K#Wk$k&)BoICvAr-;7X|};zdxDpm*5CoqG?D&s@@*WnRrs~>&-yz*wK6N
z2C)Ut=8f^?&c~If+u=5)h+&Zb)22rj==gYq5-jv*Mtu{HrdUVwVW&uKHluA_(+Eb!
z=7*Q)7KNf<2Ja(m=cLR|MtrPii-C4=@MOY9Z0AtU))~$BE%^M%W1(AH5(`Bw#o@NR
z_!II2U;%yUJ+1I8D20IDIZnA)dEIVLQ$3&F!SF~XRtKv%>7{($EhFJ>(~KJ-(<QgW
zOt_|%<=+s0j$&Q8X(cgL)qR>}^Exr_Z4irc%3tG|yC}QRU?JXgCICQ|&1hDr71Z6%
z%)NPtspwM4r848)L{|t&KaXN^hQ%Ri3a(0lFfg<fA7pr`kC>Mi6!dKJ^dt~R2G8JB
zbs>JtD}!&D^(B=*Tw7zfyC*~pm*#W+$%o09IX8_cUVmpDUgCfWo`4Az5v~GyiOL}(
zwP2xct3Wc^(eWBh=J!urR%KM}3loAz8SabPdn=so;-)8T$VfiESN35Wj#69-W%~|x
zA^l{(Ezg<k%|I438wO`@A6(s5R+63e7Lp$h>V`vvdSc_5i^|!DsC}`U^;!()c{;*K
zYe18WuHhC2Y(0M!xg!+P?#N<RP}OXKlVzdXeY!0$eCbSlx}LKBNPRMXd=wsCdhLAj
ze5ixc7Q!bRz|nOOS}Wzbt#Z(7A)<czdS`y#11^YK?G^(44te+R)Ga`5WNxC_%Q8&T
z@-5mct<NY1<q({`UES>c?KASNo;3Qn4pNbag2saQ?_;3WrehiTJrMTu{=W<Q^Kx)D
zw`b>M<Kcw(Kl#2uz(bUN=6jP)&n~3<FB2pL;^&vBg&B*5sfQ`Eh1o@be6^FT=T6XN
zh|^Ztz|nHI14=7dvjo>ettM|nkCqT61Eq-(H)dzu9tP%o^WwHsJz8vb8C#+`pP3oo
zEoGVo8r|e@V{QmX43<waty&2$o<(X5jcN%J216|Qq5j)eWFH9XWEURoetWqb?05NL
ze`VNZboQoIGZqzi6HpNNI<s7!?|pl-scalEG=+kL6IJkuXGq9w6vRu23kDN{`ub-b
z-+g?Zr8{`LZ3cvhUj)FQ!{-ZRfbn9`^BDkqd>dp4IynTlzq0_q54U}Wpr|RZ$IBHn
z`2E({7*sVC<ns~*0PlbH4=8Oa$o~Zn(C78Sg(93Ho6!@qV<n*)dozu)hheLb?bvIR
z2WUY>0bRGhvQE8?E}I`4+^#Km5&PXYR9QQTyu=vyd>nMu5yx?i{DaGpgTzU&L0-pF
z%x6Mz66T{HdmwsBg^e>ko{+Sz8mK8oCm5f)t~v5BC{V{MK5+0ovNaP6I9Vsi$!?w$
zig6r!kZ7QIqPChDrrtPFbkvAHl#Fpt&3bbUkWIsL<SBi%DT=qVlm4)wTFx?OU?W+r
zODzI~!VZVNy{RC1<{-VH={t~<t^IxNT|Ke4k#6*Aw?B=%{?3s-+uMO9xwU#G@?L7(
z*$ysj>pt9n0f+>=X$!j_14OR>!3jTuemo`VPq}P=j8(yrupXTb^}U{y*S5;n3f~;$
zZ7T1+94yzpk1oFzbl$Be1-=5yorC_ZdXoFu+g5E~YQ0bj@A_H(rI-;ZGB)aX-qF}S
zn+!wkJ{y3mZN2?ne&v5TKf4q7o(MV|`U?<wzr^W%Y1vf%Oqrkk11jJ32TAlj_g3Ld
z-cHk8`Jc{TbQ0_e-q<S##W@S#4F65qeW@0PX1KcEY5PmjhfK0p^IY#dI!56<Jk~`r
zIHueONpdx}{E}8TG`49RmqZeTEFAc3`RsjHb$v4m=P}WPK~mR=N>bNDLgF02C2aKc
z)xTR2=is9={i^HXSM9<S*t>t$=&=z1kn~v{`Ecgve7}9ZD9`V`J5cxf6cMJf@y91(
zOuqmAO;tJQ(z;$<*!N=@YV#Fb0QY`w$>P_6GYJK7?rb*#;n0IoSvI>Y{!5$c1wAza
z{JcMm-{<#M_ELuSQsV0NS8?dNPLIG<oqR7xP$cgWeG??_Ys<U1Bweq*VM*EVgCauj
zf1prv^q+)=ojZ8_Uz-ZL?_Ro)E*|SdK87EkWUhW36<=Pm0HTI!jJ^L+kaRpx)3h21
z$y9YP$Ol3EEUhT;MNLzML>>6>8+l__?3N_VqimbAwM{B#9<DfK*CT2g`W~H$&!9>>
zefusA7VJI&qkx}+3uI>2S(rgO<=b~rLx%;RKhA-DcP~?K51yd;s7KA_x+3SGZ-s$Q
z3J!j(blO|HrWNo|4i#?sd~I0jg0;qT=8LG#R=LO*2o`pE^Usqh_WPV0ytN{^RF6%W
z!~uie9S(NDneeQdXTFKfhXBO<O?Mtaic1kSZd^L<2x}$-YD~rI;DX&7@MlNdfqOp1
z`u4gzW%TIgT=Tj6c31e%an}Sm=t+}hGxL$;y~n=HFj_PqCksWA<?+iS#~JG%n=E%`
z?lljkJU{{K1qXA-K=aslwYa#*uut~ye#(KA{&0yz+x9_E)BHazh6aRI2ec+;q>tzP
zyuL7S>1OMyhL^j3w_IVq9r3RX4JrIJw%f2O>~PXofL9YAp^(|c@gYg4brsnON)H5j
zf%@49zT*QOgA?gcnK!7A6CY#IZaxkBI1Rl_QxZ16RM=kNl>kSed;{&g<9@YrW9!(M
z5)*2(na2_Uqu*hm@TQF(8$8l#gN^Z1k6#yxKY!q$nB%~VmGo@;?<JR<LDpk+!+q%E
za|{TGt~n3dsI~^^C2=$U_PLJ<LMl^HSiO>O&`__wD|{sbju*xJLr5pN@G9k78v9r;
zGtCS;NIaSMo;UE$($zzuHaGkA;fPNbH`P<R4<ELVeY87b6(7W=kT53#`Q&Vbl%!#o
zIl|RvgI)3DM3C9%j`CnX=G|hIkhG(8eXB9K0Pgu266yPUHs&>}l8gZt`Z6)ry8HKn
z2y-zGv?7Ay6$xSOfsta_!S*=JRe+bUiQz3X`18dl0$=^78rnDDKE6N4NblgS0FmZ_
zXBJ};0jQf+PKe;UB?)37$x7_+_K#RHGp4Wz$4fpg5jV#MZeRZPrCx2~KW<*_;*SEQ
z8o07{q}Ud#rD2i(B3@^G$DJv4KYgFusCWPDWtL!=CX$~>bRMvQ=Avz+qY2P1c)lqe
zf0o5-lwk9{7MON~|4c5Wp-&NpY&I!-3d!27l(HdlK@!7)=XM+E!qgIdB)>A`j|~a2
z5m@6rXGlZ2LlD9=UgXNai5grMOlT$-#cLzSf?>SdLnne24pSd;XIW@8HQX>@MKB8H
ziAAbYj)K8rzx`W)dl7)wA;b{<%*?XeJhHMMs44|I?>52PPJAZ{9Z}3Nb+d0pQ<+49
zm3T^ebR5*#i1}9>KVWZR@^QMIzqY5&$qpft{##%qZoXzw;lJU+75Qpa;P~Yo^$6<6
z{`D+HIOCbDW1<E}NS&#Mx&4j?QhSz<n;afbT4_+(Z;WjuSQo+%ir%oKHONj4D&(B<
zyicfXzDGG)U)f9%cL!@<T#IT%5`P)Eg4}a6H??o|YcY>+>qyqgsq8oOW<82Cwa4JD
z_fM7k@!kjc)IVde-}<NiJ^c6Mu(S`vf)eD)`#w@LOO!7n_-6Ki)0U<pll!B-aIZ5)
zU71S8gIa)rU8cz4B$vO=VA<ib8zrWtft(EUMS*m_s_f}{D$|8^YzZmvDfs6MPuqPb
zh+xn|+?v>gJJ#ZR+22ZZ96$D%<!sB;tMeJ)UH>cjX9;&w1}wFnJI%4wr-v<%7H%aA
z%e>v~nj)Or4it^HY`mCvnbMJ#?^?7EwO=Qf)kWv{h<T8Ri3p;Yq`RrqbJzIHk<6D1
z)`=^)6C;l++N&h|xaHq$Z}3a^&PICszqJgks=u$%82Rc+gs#TOnhl!#NmzMAGCo(B
zz?v0%aGd#GG2NUI{k1{fmd`oK#`2Uo(*X8#?0Y2r-h*SVgCQz6(<469GPc{0gPo7j
znT$R0bU2os>@rQQ{G0j7Hn!`iY^^WYX-)BcIY~th$NKMv$fDPYnWAz9zM<w@;;CZ6
z(5oPupO0-25!Z@Cj_XekwPq)J8us4O+(jGCp(5k+@bw%6u0kgeCL3;RgyQ&u`&Y;B
z#`i6uwrXE!h7gMJ36v$AbkvW>*=BM#7|TH-IUlokZGn$nt<&#E1V#-tZM!}XsL!LW
z51DPb`WX(eQSlG!T?5M_@ecAdj2=1vBt>R%ot<+#&4<N@Tx3_C57I1CDBT;P#FjA{
z>@!s&cY-J%!tr4LW_PE5&&T=bIBOV=g^2+MzbJMCD>ZvW!u{P>Y9I8SDJpE0%vw-o
zGh=d+<e4$g!td%`=cBBhnl@Dw@RWoc?`h3UKIRzdrj6Q1EPId0_-1ty6i<QTkRL-j
zJ{)FIH_OKk7pLnOp;(TuDzmxqdB0jSe>*IutR-)E3YR|x2>fwDXiL-z2zEgBRl@Rb
zYn?x(3x||*<#>)!nl=9VI94HT8dg?C*4lbm-f^VTH1=UW=HI^(a?`l%(HNRgSUMyB
zF-WE4T!YY~y?r3GvN?R4b503FRx!NVtq-$i_8!oydjKz``hJ~8uUD65d9)BVc@h8m
zeeo_j_GNU<G+}5{D>^#$gFQ&x4U5j)26*~{*hzd_oV~@QTZz(l_4+@H<#hwD85%>4
zN;2L7=k>kaUA^xqo`YBXYDWT<BPz`l<vkpI>DN+7@x?2%Xe`hR)Q@G9hCz6MEsuIj
zTcZRdaz2MDQPoH{`B7E(b2Cp1oCZ{v?XEOi=~YKAZ+l9%$9>^|bBHX{>aiKm4I{?z
zHf6M&JVKL_%Sj*B>!J-%ty!|g0qmBTVgj*4I4)2qGmB$b3fifL;arkqh}J@H<ZX1V
zpGi*zmpmEQQ9PNsUS&esigYPG#E~o`Eae>5#Q#a-+n=#R+^lB5M*e<o)jCTJ%ZJ$q
zbMZe9!ZbBjP20-jL=j{G6`5*bI;#o`O*ez*;zmRcH!S_^E6u@$8zxx3xxc@|T(`mj
zv>F5{6^`*;lJyK^&gKIJSjUsyzCH7Psb;!Bz<>xBbFy&{mI7A@avO>thtIIQ5Lh*#
zioE@1Xp4C*wSPkw(2qmGRj|{}lGlQp%~>CU|5saW)n>i)GLI?jJxawxZCB7?9hHSm
zK1%vSg+kWE7m4|c$JfdRB@Gtg>;8MwFH14VbLf<IL&h4=xmRn%{(%36Ga(i*_`u~k
zZR$2`^_4}$-7)ET`6;MiouV>(`iSW_T*sH}Rq6w4IWb)id?nJl#mZ3z;olmhbN-OM
znWX8^>j)Y8O?L>X4#+l;c0eP=nP&^Ju;R*=3Vo<RI7pmp84*`|TPVS;D);16OXNT3
zL#$lwgC)J9KT>A5AJ5AzIoloVXvXiD=b>j)No(QioJ5k95LgVBSg0zmG}*YSeiAV6
z$G16E=`na*MM?Q>d9(+?R*<7u%nhgdPD9|zgW-8*&<B%L=K@usM57muD&lQMIy8}0
z2L=MZ)MX^<r9crRYWCFomkIKltnW)N!y2s>u3ST~xhh#hH}8ZK+GYRq=U0OgdO!C!
z$?={wI!l5S5#MKo4OSQ+gJwbP$3K?*>A_CsI}5x!_1w>MpGb(|VfscAa^oO&_qRXS
zBquwoc%8e(y>QGB^q+C(I|8?XPWDhyorPXrpV|~J^=w&wwM$rWY4s=$^w;COT^M{J
zCzsHAuv0$u_Yw96&-<8WME7taW6Ht&w6$wi@@<X~0*bDcn7w=&4c)ehPlHZZKvWv-
zthk9%z7hNneOU-_Dt$uNysY@`c9mNzL=g6w6}}$06Ia-u=oZ4LG}VwnOW{a?D^r<n
zLww6uQPb0MO4mK&sCQ5(^@P5$TLR4Dp`>W3C@i;{zt%<;xBppClThtVS%F{B`iMHt
zQ_#I6C~lAhltw`ct#vB*W#kcE(B&d=@|Dx{x3Ag+cH%#01+zq+9=U76Ev>b5;pY=|
zR73Vr&n2TywppvUxW}%JWk3iSAWkn4)Hn@tt28X$Pyg<9G_ykt*5tC#+{-;uok>pW
zJ>9rD@TKp>gLKnKBe{<+NyVKoR4^kgm1~;W|CIKtC;9)RjV1o;NDoSc=3%wMR~SFl
zh>xgqSk0JP+BWTul$5URMdsg&)9=MK!r<9zPurH`aukb|zno+h;Bj~&sJ+yiEIwq2
zn)X-qc0ShGCF8KNFFj=`gK9jdII2CbVI{p&|7Vc82x9L0(f+=1_z~shA15~}d{?}>
zp=uHV_J7(n`g$YsId{A2x?N7{_0@L(Uo$VMR+aIGY<j!nC}__5U~#Oe`sdBy_$lQ@
zDg8oW9vA{m{%^YHrw=kF7ItfYpdSY(`A0du8U#+aMhJmH&f2cmif8X@oe`f+RBXkT
zLCg=uQ#72pgJ!y#!7s8Cg5SBe-#T0;^1;Wa5wI?u)~$KUe$}*gg;HplUe+h>?hW<!
zR6T1$k!B$Er&b5Ha>3##ow4;|akggdg-VA_S_~_`{}jllGV$%sM!;$rL!S9_xb(K|
zNkL_S>Cb4X#Nfj?25q`F_^o?8ZuDh^rh(GgcRZi^?pHDI?tep05+O+#oOY@;jnzR>
z;g{UVTXJi`j&#R~pN%5rGdW7<Tr=$lR=6<QOwk<P=Szv2Z9(+xie82lG_f^|P-D1U
za`>%X73++nk{5K54aHQOe&)tW4=*gFTW2^l<ur#yY@?iWP)QKFmE5yz!&selh3W36
z-If72?#wULHxvsMO?r!4(RRDQ$8lc_6|!f`-|Is~6>=?;j7|1}u6e3WxcFq*2$xqy
z@q3B<ryHQBeE`by`jl6#Ab18qLLhvo`~JP?hqR)(0k5;<S5u@aI9_@6_FVPjZ#1#9
zpMH?7vfAr!=93pRa}s$e$4otTZkGzNgv4zO<yxA(qayrf89|Fwt|BpnhAN90rU&vk
za*i19O4Fu&?c&p5S!S^zyszfg466HPnZwLDEV@X_T*F1f&(oEjN#RT34ff0zV&)p|
zTGI;X0@-m&9O#tlR*a4_WSlGBl#H4NiPU4YV$$^l(Xe>uzTvv`NsXi6e^hOFT^vqW
z-Ogy|_3E**2Nc}dcpKRr{W8qkNeFyJu?yiuTBvVJ|9o_|D89+s2T?oR^`B@oo+36#
zvHhUNG{><A9uM2U4@xHra62Ds+~oHBvabg*y=A;b|I~gnqbcM~0K=_UY?#K?h*N}^
zyudAtN0v4lg4_O^$<~6d_GeL_`Dj4ef!l2LW1tB;UxfSfstp%kbuM`N2pv))>9I?H
zrMv=OgeK2VOEY`t-y-w`ZNk!ttnE<6r}dreM@UHE9sWw?_Xd5*DhC4M1=pYkpG*`4
z)2yzGZl_I6<zY4Mj*3k!6~9!Ck?=o*)l9O?Q$Dy78Lgpui6J9Juoji1$llQ`>((9$
z_x71IGr^7hk#u&U_~k%r(g=qlQ94!`qv1aecrHOmOIMpOgsncP{%1aNh)k=4yS&bR
z&r{Cc7Y}0REo!pnW<K{NwkAlTsNdK-ZSVE2!`LxOPmlRLYga-9j#G1<xyujerT%u0
z3b-eKa@+kNj3hAr)%IraL1gdFB&|O7qrUQ{o7Z#EQDMc7bFXpSy+|n_+ydX{q1<jK
z8Rj1_b@2Ok*Qcxx_pK_!xIo$L!(T?RcylJvc_ji~wO|46{YXV9{)HgHMJpsigkgcv
zbt{GJURGYXHF2mp%L*ao+~O?!{$~fxYF2j$MxBp1wW0ej?vQ1RcTx$fk&pj69P%Mm
z%pdwJevhNfM8W=(%qEpngV=3MV%F^DUmN}3$kNmO2MqRud(Zs_24DB^J-$tr*M^LW
zc+aA61||nb-tMvG$-8GCaRr6E;sT>k4%{hHQfiDjE_BCoaShdF|LW^SmDzXuVvOtA
zL56$Z6nK$wt1W7!G8v1)?H;Ygmje-?p?*afBl}T3@y1Q4SKC==qF0=tN{<f<9>o-T
zT*)%Eky!?)2VGBp%N>co+|(#OY`4?ld!bWJ<Ns0q9J&P7<C@gm!ev9jcbw)y&t?h!
zswn|uf&u-TgiBD}5OP^?g6YC~OB*5&$t6U+xWr;EVL<0N&*mty6W^><a%REmuaJs}
z9mYsz4+66B^S=<E|J!bVf?M!YpUf@zVeHnpWaS`EQ)IPlhVxV$LF_basecVYrr>z#
z1(=38{Hf+--~f9x*R|jg+ohO_C|;w7<sRyN-D-Vg!vJTFLt8QkF}Gs73>e1s_TSlJ
zG8-O<#>gdKT?^v#!^QF!v7N(yD@aV@^2rOwv?UN!C0)Xs+VtWli0oz46^3ygnfkPd
z)L`OhL<cTVw#<K1S!RU5)3Rce60Oz#@Hf-<@u0wS#?v*-rg*kaLV`3HpnD_VEo;i<
z`a0n;Vyog@y3wy=n~MJ^&GQ!OWi^e>8xc>W{udCui-B)pmEf)v;?Ha^T*`f&2rb%h
zsQ&d|(6{~Uaoqc?&YwSLd9J8^neZXl?vsLnVa{Q-aM|bUQE87je;`Te*_i*Gl+^f!
z^QJ*wyV1v4>ptAY@_whbQf$x{%yh^U%t|MKfC9{G57`Cxtw>Km#Piwsqx`93^6!%3
zaisy;`=<!c!(KJ1UJ(gh(c-gE=HR(G1s9|a8r-CN3E3}s^6-F-Ve`Li{et%o&q_}u
zTK0PR^oF<o9*!u$IafMJs5s-I?J`l$Lnxb_GoGHMkj?1HGaTN-q%&2(G1@c61L-zN
z85QAtGCto+&C*ji+btUBlKM)M2A|b%qAbUlR?o-Yhh-^pFTDMFm@2|2D3*aW11Uaw
z38#?MT4~Y1$P~s$k2oeSI6*pzXX}KVvc1K3J9+koG~Znz+U{7L2TfqDqWJ}M+KlP-
zDMJZ!H&v8bCvo~1ysdFSShS}^o+G}lUP7c?ODP?}x!etVRSLRy4HW^R%t>J_-A>sn
z$PPCZx(LsH#p3SQ+DO8=n+d`hdSEMOiNvt@HNzSt6(D_$6R%dAt|_v+a*gbl1!ap8
z+4c9UmJfCGq^e&1e0%sh3~{q-tu%)vG*j<r`0-XG_*1)(vU9=GgX94_-<A>S0ZNP{
zSu#5J>r-A!oD@RBkjK#5)n6a$oShlj=9UQ1ojFlyhXIxvz@>@rRr=?s34w55w|t?|
znxqWdvC$EMa+H6Tw9b^JgBmZa^x&@+pdEbCUyzf(wq*vx<A>HCDR$aHWToPlbbc~3
zk>PBoGg~Qm?x{KkP3zu;FNs;UBD}X`^QNb8A;m8yr>F+2$T9^xs3EB%Vk6bjeV1!c
zJPy*rB>O{QI4nW5<m(x~Y}uy@-pl*}-u*8G>4nIULSJo4pX=KkYLbo6s2<u`labTF
z)cw#3<e+VjeI3;M6EU!yp4nB9%>|f}Wu!i;Zm8kB-p97aEGi+;7juQ8<jHRx$7Id<
zMXly((bEU(%p?Y-m3|JzRo}{m4Z8;RWUQ+uv*Utcpo&ZmTZ%6HLslg?JMqL`j0-R3
z352GyUP)J<N8FL$*2j5SX@av>`gM>!%{>bLLXq6PT!ugk{ky(wtx}3<m6SD4yBjS{
zy71OJ#-SKF{|sTLAzhkwc$7aOLN!Fejykj(V~hSb*6JFG=Y9$lL{!&KfviNh8Lw5P
zf$W|^o_)~D*L)y4lPID23I+U}L9v<J^Bm1GS2*K=RsBRxiSH>cB2du7iqp&qZQir2
zMHtsdO4}*1Zr-W4Ta020Tizffe?PYTwz`;=*G;q78a0_LH~U1m?F$*4G_f|O@M?gI
z1M4_Gk9@)fR&NBxBvNg{UdC%N3Te}?m`RUrNr_ti7KrPnXANI^b6YS@8Rn{w-GX(1
zshz4h^ci|QiEdW`f6&drR|sMc3{o;_9;dLBSJp6p5@1R;XSMc0y(vfD2tGht@fn&F
zp47qY_UD>w7fWqy@!Zf72i5~~BI&EQ<l3#qnOHKhB%#muzU$1<rd74no1aTj>t|~}
z%VO%YDpGz8;wYa7@qqg{9)iFGU}MlGQ^wUX_jWE0(qY^=>1TxUxH9L{um+fK@RR|z
zM(>xs`b^aWz?ZZBZ2%mt+r<AOpMD?jSNlmQ&wTPA<M)*v>s`3Rsk_3z{c^nx_m%hs
zyi3+F7_jxDc<|jNxMfXMpJR9xjre}NypstlqD~<;Lz$(fk`k9xY6b*naL_uoNrCr%
z9fkz7)vs!uRUA|Wm_Nz>lM|f?3XQZ~^d{WFhTOu9Jt*lqZ_o#KO31;4vc@0oxp`cz
z)v)5HS6FfLl+gI_nfy+Yj?-Qk?NpxCUoe(LrJK%tOx?<GNaS*%a!vAclScKH?PUj#
zZnBVh6mJP*Zp<VoE^9)PV#Y+l*JTbKl~#wfdmrRzex4VUeTa5m<!q@<w9dHR#tpvt
z+1b<iTNU<!;o@v-f;|X$iZNg4`ynMQmpE-6f17!M3;xrj-NbkB-=5iCmIE+B(qYg~
z>XLl2t)`9WO67AKO~q*Ur{%DPGWXNWwEi*c&&VO@7_FUE^6s8=K~+!n4V#@iol~BG
z^x9sSu|?aI^<~&D{K7rzJssjkm{IECs&ILSS{Wt#Vn7-hy82fM3K#wlJA$r}&#Bd|
zyAEu#i_`}|_M%vin!{gtWwqbDhGbr|8Z@GM51Pi@s54X#f2D2G*1eIMa`(9Z>NzdL
z>9+K!T^uUtjpm|v0St*4ekzh#G7|eadhA}DX(qJ3gc(=;_?OZW%i~XlulE{P<U#W?
zJgXvNjbhh6U;~2O06#MIlyWIBetFyG)kqz_pIzor{(qs>OV^j6v+G^dHsVjzt6t9@
zfOK;oOV8bO&YJ(_Ms?<7g=zqW;nGJSbaZ8{5?f(8dd^+P@Ta$MM)`Z{Gfae}kZ$+e
zqWDB?2=N=M;0YEP0V(r1aD6U&WoC?%aX5O_A_6VqSDsO-)rk8!8OLokjVYx~Xi+HA
z55=%CscG>6H;G_{6JqkK?~H;^Kpsb;ho5JOr`XkPRWOR`Ih&OeG1A{S94eqnx>j;O
zz0!QlpuNwT#k?x%bw80RWN7|P@&>rF%ZY>x8->zGvAW-hTIJCxSM+|YvRnu+)q`3V
zUw$}hSqJW)R3{eOw@=s$hIy5fnF>{c&S`{5XXN2ekLGlFG`pRQfBd)`uS&{^?`Z7;
z0gNh2-jSuUf!(9~x6XuAEi)v*#N`Rb`1e03(uC#lr57i1;7WNXhqeGLtdR}ZOkCxI
zGPQ1k%)%0q-CgxcV3m9GU+>}nC*QuhPcQe7cod8ibmnq4dwo-L10EUj)6P@P@4Bj4
zwWYr#o_aXCqtsdz;bO7dPL5kqaS=@wy=uC5KW$Gl@AzymWR84O1NMpuOg4cK?|OAI
z=PPiwH^OayWyfF%zOuy0-M4yK3UxSlqWCDa`hYLPoKJI7)ARAJIbt13{F^5s+GRSC
zXlpfV%a`X^#1-#^NrcR5RxVoyg59+6onu)&zy8%VJm(W09sxBjQ#b1NLiBnuszKM@
zWUt=C%ztbzVnjk(mHcSowUR?rP=m`0&=M-&4)8qRW#6MeYlkOdmVR2Tmo0U+T%f#|
z&~DoOmok?S)~ms^GGkc!K0e1T%|eXsEZxe#HWZy`J^xw#l|P$0^Xfoq*4Q&XibE2Z
z?B&k=O8webr=K1(@_wD&tqH{g9Kq+=ii)ygFBsuct~yh^YDHFLD7Lk!^c881R882K
zneaY3{aDkV_eRQAkT#TO*Ob7nPHz{W&(`9qsb%KVsGCQUSbT$vV&LMJ{BJENVxVlr
z;r54y^qZlgS5qlwW+o&N9Hdib%-M-cMd^ds4$=S;G^W<3FlXJ^a0gt~x(CihD+R07
z4fR?jw%H^mL!?CsVYht|N<$nspKY&U^)EtB<O^&X@`LI9L<4Nug~@De>&S6mgRX`l
z{HA;-8peltYY!c^-}ZW2wXTMFc$D~xU%HcW)%%uDU`JWC>8pO^v=0~c@>N>ZPoh8_
zeWOO_5}3@i=hOw1U37LRRMpB_lowL31luF7Fnj~pSkA^cEWm20Ax=!UqkZtnx#4Rr
z?q6WrL$(UTiYV4fG=Hdmm=QgG@jwIip|>snWQ=!O7VtHYxmz>H`tmwv#zCoA)h<2s
zFu?!76f4_w%-%`dL}&6$NL?;-72oo~@%@-v!43avUFlu~W?C)X?Qy|R-!RH$$oBZ3
z)k+C=WcHD);hwmx-F5J)VR3{Re$<jX`%p^$4~NZD8|oV*iv6xrZA1xVfLWT&hD09f
zsiZYcr1^LA-LjI0`+Y=aBu^B?GEXl03S5(|MqK9xW<xB0D&wt}|CUz)IQ!tfzb<F)
z1R!w3;+3&$4R_EcTechKcv)3fq2=-?SpDsc*_Q)6zX=G5zq$M#*#Q?LEFCdrc2yLj
zSPEJ}I{H$O%>8Qh{nPE3+{>0Cp0dHr<xam&H)8+4I?X$%$z=`Wp(6q+NDFYlQE8rp
zAcQJKQ3L^{DMXZz!~{YD2muKkQHr5AL5dOZ3P>O{>E!@|bT7qFrAQSBL3&Y8$Vsl_
znR{mLegE0-+kKzed1rQZ_xqk-MkQl+WpJ{dgS36qDe7j6PBN!40&?{8R9XP{s++SJ
zTBgghsaFo(D}h0Ikh}cwuZpDpP|Ge7mIre@7Xt63>&}0EIKw&$$@8T?e6)Lsydx1&
zPHr0juxv<iZQ>|cR&10Hx~UFm7_&||yu?wXVkaH3sN|(T3}$FKMRy4t`%nsq19ULz
zXE)bHy?2yWeh|JMd{nch>SS>oj{r%;dI>3UH7~@Hv{yMyD=Pi3XZVn7_E^;|O-v3g
z^G!da-aK+wgQV_!risA2pfr2q3s3Inr()gvP8wz<`)XXd*X`@eW$C^>i{Wv<rS;Kb
z3L_P>`9iG64-BYVr|APD#2osH_8ZBNA$&aWtqlKpH>9f`^62UrCR~!k)UN#8w|_+@
zR}(1>GbJ<?6>e<dfA+22vSs$gA@E@B;0@~oqhOgiJTn*G(&2e9I+H!sEbSQ;%KBSf
zNvkiJ?2!;Df^^0lxo&)pK!1NxwuV@i9QgiKJApBngi2%Y4=R9Ga8Ty+)!eZFoFrB&
zNlJ5})89LJ2-I!!MI9Du2<1(ytGXf3j)@#t%9kwKTPdhaA3F6C8W1|9eiAxf)jtZ2
z-z`G?Rz5Ol-RuS|43Hfr)A&*TL9|K}MUVUVf5#LjbZJs?k9d1*)xW27&6c8tZx3Kd
z4uPOy?UEml8GGsbTjq?j@iwzLq+IW{S68B)M*E#zi$PMZhOZ&Y@m)F;Xtx5b(8l6p
z_n<?@sx+1yrHw4hzBO)7)^BqmyQNHRJ6{xA(G21(=*<<}dFt5mXl(dwS>yDF3Rq7B
zrgp3CT5qs2#^6?K{ei;?QA|EiQBbvn0uWih-Ry~ZjuO=8EMwV_hJ?h<b=Fz}2Iyjk
zdXW&|6~)AM)gjaDqR6v`YI@>A&-N9=G6m`egy)&~n$XE|MyVV4=5VlNoM@_n29x|-
zi^EDD^#lj8YN>4}+nESoWOg8~YFHRsoiizEp0Mdi!zI4UU2FyOz)%J`#n#uXn$2na
z4=RC(7@WJ8PvXQo;95ff<5HpZqWYwvTa<}NthU3Eq<WYJ0VWv>m2`wC<DOg)x^3Qw
zedt@*pYEuuv!QIZu-)=PYG|sQuiql##HSuMNHHw<vIT~W-=I^yV%pG^6+Q~x__jW?
z;i5Ii^@(C96<fts)6qA=*AP7yY!wE86MaZ<&iRlHa_o6b{#f~4^*GJw5f|88U$h*(
zn(9QM@`CoMU(!pH+nW}SZvvSk$Y4^?23Za9D5l3dd85(cskkjBC+UZOhD*O42l>W;
z>!$AM!JVLEFIyrhwfog6O~ph_Fs`wIUg|O!^*!~Yto5;$WGFny*{doKI1J)%Xy0l}
z(cDf~jiF`1=XkX2HT>eGbg$8lV8C;y5DDB^p`*w^_;v{zPtmj}kv@xqv}4|<-}Srm
zK)pDs`$?b)C07+_a&=BJppY+B@eDv*x@fl^R9+dn-5Kv2*dFnmoEUa5azG-og10*6
zV_JPGo@H#f0;TGZM`g&Sc~27isn!bN9?_*)E!hnQeW^-a4h6L`8=PS90hd`q(m)W?
zZ8Lb+c->V{9J(d0)t__Isz(iH<z-v-tuw0`<O}yWxiJ~4)0N3|QDwPCGo-DzQ&!*K
zK8`bN^qV(7q^v%sqvZZ1t}bdm*(C{|vi}qWAsN|KlepD}Gul6ABp4*{#Jwdt71d-_
zY=P^72O673de1a-mxPq@U%an3&D{aDS@O>zip&a4YhUia<3k>^G#<PbdSN+`xHed$
zT$Oarq&he}tn*`HRDqZbJ*sO$-59^)FGCc5v#Xf8bwx`<SmMo9J6hp};`&!N8*V-R
z{7WL?EGFU$mducN`*~pxxj7`>kuc6kv4y_!q%(ZyS~)2*?zbGY-mjB6_#({uPU|sn
z6_bE%d3l17$s<cq0G;b1?$YU|yq++(%d|VeMxJIiRnZ4iH)Q<mxXRMsN%tAe@wS4R
zQnh*(bd0zfDp`)rWA~Lj0{ebQ8`7>32GoJzTt@m>1>;V-c$j7E>!Lj}^#+fa{0L=%
zX-hw*J%=X);wMMIxWl|>NgelgfM<9lEv3amlwWhgI7Pdwe%cdP(Js|`e+G7yj`!$N
zQVXLX*t;wKFC@Kl0_r09MnanJymooE(0OHu!`IRhfL)%@0L@#(YS_w^DA8a+CmbyV
zfQ_yD&Uw?M4bOD#@q}>)2>g=~EK&h+==Sg_LYwb=Esy;lX`}J;LXgpIFx{_TswhsZ
zunQuS((Kc}5oR8(0c-u;;dg?{@pGZE+=AcoL=-YVw8_B=m&T?>wi+|P?)*q}=yN<&
zEp_4&sBq^g&_}N5;`1*ro$l3MsXO%Rd;W=l`I^3G9?(k{!xFp4FT}`E*P3Uc=R<Ra
zOdDYNs4>yNV-I9RECAbCnF21Bz?@oMlC7m?=uEhecN<(KlbNFWfww<&WjSq2KVRx#
z@LK`#MP@l+PKnva<oYM^$$~fk4guDa5dr0mz3)R%RkJeZ;56hq31BmyR2K6&oe+cg
znhO9-A%p<O|JDEiIl=6gd!8s?ceIBO*xe5aCc5K)so7)yi!5dLvm+?@EafL>`b+Wu
z7}KBm?D;HNivJ=`e+k(M?5TbwvRigZzal4Cg7(h>dDxsQ3v}fM%&=NR*60O*rN6DU
zg}l9|Hx7yRK)K3Wdfr3h<q_T}SL_3{yc!rH;Lh#=5m2sZcLYIKKERy-C!oC_puGkD
E0tW&*6aWAK

diff --git a/servers/zms/schema/zms_server.sql b/servers/zms/schema/zms_server.sql
index 8b4da38a772..17220b07442 100644
--- a/servers/zms/schema/zms_server.sql
+++ b/servers/zms/schema/zms_server.sql
@@ -1,5 +1,5 @@
 -- MySQL Script generated by MySQL Workbench
--- Thu May 23 10:22:50 2024
+-- Fri May 24 13:53:41 2024
 -- Model: New Model    Version: 1.0
 -- MySQL Workbench Forward Engineering
 
@@ -98,6 +98,7 @@ CREATE TABLE IF NOT EXISTS `zms_server`.`role` (
   `self_renew` TINYINT(1) NOT NULL DEFAULT 0,
   `self_renew_mins` INT NOT NULL DEFAULT 0,
   `resource_owner` VARCHAR(256) NOT NULL DEFAULT '',
+  `principal_domain_filter` VARCHAR(1024) NOT NULL DEFAULT '',
   PRIMARY KEY (`role_id`),
   UNIQUE INDEX `uq_domain_role` (`domain_id` ASC, `name` ASC),
   CONSTRAINT `fk_role_domain`
@@ -408,6 +409,7 @@ CREATE TABLE IF NOT EXISTS `zms_server`.`principal_group` (
   `self_renew` TINYINT(1) NOT NULL DEFAULT 0,
   `self_renew_mins` INT NOT NULL DEFAULT 0,
   `resource_owner` VARCHAR(256) NOT NULL DEFAULT '',
+  `principal_domain_filter` VARCHAR(1024) NOT NULL DEFAULT '',
   PRIMARY KEY (`group_id`),
   UNIQUE INDEX `uq_domain_group` (`domain_id` ASC, `name` ASC),
   CONSTRAINT `fk_group_domain`
diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/DBService.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/DBService.java
index 7f4e9d1ecbc..a16c4697051 100644
--- a/servers/zms/src/main/java/com/yahoo/athenz/zms/DBService.java
+++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/DBService.java
@@ -6162,7 +6162,8 @@ void auditLogRoleMeta(StringBuilder auditDetails, Role role, String roleName, bo
                 .append("\", \"lastReviewedDate\": \"").append(role.getLastReviewedDate())
                 .append("\", \"maxMembers\": \"").append(role.getMembers())
                 .append("\", \"selfRenew\": \"").append(role.getSelfRenew())
-                .append("\", \"selfRenewMins\": \"").append(role.getSelfRenewMins()).append("\"");
+                .append("\", \"selfRenewMins\": \"").append(role.getSelfRenewMins())
+                .append("\", \"principalDomainFilter\": \"").append(role.getPrincipalDomainFilter()).append("\"");
         auditLogTags(auditDetails, role.getTags());
         if (close) {
             auditDetails.append("}");
@@ -6182,7 +6183,8 @@ void auditLogGroupMeta(StringBuilder auditDetails, Group group, final String gro
                 .append("\", \"lastReviewedDate\": \"").append(group.getLastReviewedDate())
                 .append("\", \"maxMembers\": \"").append(group.getMaxMembers())
                 .append("\", \"selfRenew\": \"").append(group.getSelfRenew())
-                .append("\", \"selfRenewMins\": \"").append(group.getSelfRenewMins()).append("\"");
+                .append("\", \"selfRenewMins\": \"").append(group.getSelfRenewMins())
+                .append("\", \"principalDomainFilter\": \"").append(group.getPrincipalDomainFilter()).append("\"");
         auditLogTags(auditDetails, group.getTags());
         if (close) {
             auditDetails.append("}");
@@ -6613,6 +6615,9 @@ void updateRoleMetaFields(Role role, RoleMeta meta, final String caller) {
         if (meta.getSelfRenewMins() != null) {
             role.setSelfRenewMins(meta.getSelfRenewMins());
         }
+        if (meta.getPrincipalDomainFilter() != null) {
+            role.setPrincipalDomainFilter(meta.getPrincipalDomainFilter());
+        }
         role.setLastReviewedDate(objectLastReviewDate(meta.getLastReviewedDate(),
                 role.getLastReviewedDate(), false, caller));
     }
@@ -6658,7 +6663,8 @@ public Role executePutRoleMeta(ResourceContext ctx, String domainName, String ro
                         .setLastReviewedDate(originalRole.getLastReviewedDate())
                         .setMaxMembers(originalRole.getMaxMembers())
                         .setSelfRenew(originalRole.getSelfRenew())
-                        .setSelfRenewMins(originalRole.getSelfRenewMins());
+                        .setSelfRenewMins(originalRole.getSelfRenewMins())
+                        .setPrincipalDomainFilter(originalRole.getPrincipalDomainFilter());
 
                 // then we're going to apply the updated fields
                 // from the given object
@@ -6747,6 +6753,9 @@ void updateGroupMetaFields(Group group, GroupMeta meta, final String caller) {
         if (meta.getSelfRenewMins() != null) {
             group.setSelfRenewMins(meta.getSelfRenewMins());
         }
+        if (meta.getPrincipalDomainFilter() != null) {
+            group.setPrincipalDomainFilter(meta.getPrincipalDomainFilter());
+        }
         group.setLastReviewedDate(objectLastReviewDate(meta.getLastReviewedDate(),
                 group.getLastReviewedDate(), false, caller));
     }
@@ -6783,7 +6792,8 @@ public Group executePutGroupMeta(ResourceContext ctx, final String domainName, f
                         .setLastReviewedDate(originalGroup.getLastReviewedDate())
                         .setMaxMembers(originalGroup.getMaxMembers())
                         .setSelfRenew(originalGroup.getSelfRenew())
-                        .setSelfRenewMins(originalGroup.getSelfRenewMins());
+                        .setSelfRenewMins(originalGroup.getSelfRenewMins())
+                        .setPrincipalDomainFilter(originalGroup.getPrincipalDomainFilter());
 
                 // then we're going to apply the updated fields
                 // from the given object
diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java
index a8737222a60..d868ae09346 100644
--- a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java
+++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java
@@ -285,6 +285,7 @@ public final class ZMSConsts {
     public static final String DB_COLUMN_RESOURCE_OWNER     = "resource_owner";
     public static final String DB_COLUMN_SYSTEM_SUSPENDED   = "system_suspended";
 
+    public static final String DB_COLUMN_PRINCIPAL_DOMAIN_FILTER  = "principal_domain_filter";
     public static final String DB_COLUMN_SERVICE_REVIEW_DAYS      = "service_review_days";
     public static final String DB_COLUMN_SERVICE_EXPIRY_DAYS      = "service_expiry_days";
     public static final String DB_COLUMN_GROUP_EXPIRY_DAYS        = "group_expiry_days";
diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java
index e70208d9900..a0be8c659ec 100644
--- a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java
+++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java
@@ -58,6 +58,7 @@
 import com.yahoo.athenz.zms.provider.ServiceProviderManager;
 import com.yahoo.athenz.zms.purge.PurgeResourcesEnum;
 import com.yahoo.athenz.zms.store.*;
+import com.yahoo.athenz.zms.utils.PrincipalDomainFilter;
 import com.yahoo.athenz.zms.utils.ResourceOwnership;
 import com.yahoo.athenz.zms.utils.ZMSUtils;
 import com.yahoo.rdl.UUID;
@@ -1863,7 +1864,8 @@ public Domain postUserDomain(ResourceContext ctx, String name, String auditRef,
         // to be the home domain and the admin of the domain is the user
 
         final String userDomainAdmin = userDomainPrefix + principal.getName();
-        validateRoleMemberPrincipal(userDomainAdmin, Principal.Type.USER.getValue(), null, null, null, true, caller);
+        validateRoleMemberPrincipal(userDomainAdmin, Principal.Type.USER.getValue(), null, null,
+                null, null, true, caller);
 
         List<String> adminUsers = new ArrayList<>();
         adminUsers.add(userDomainAdmin);
@@ -2340,8 +2342,28 @@ void validateDomainContacts(Map<String, String> contacts, final String caller) {
         }
     }
 
+    void validateDomainFilterValue(final String domainFilter, final String caller) {
+
+        if (!StringUtil.isEmpty(domainFilter)) {
+
+            String[] domainNames = domainFilter.split(",");
+            for (String domainName : domainNames) {
+
+                // supported format is domainName,+domainName,-domainName
+
+                if (domainName.startsWith("+") || domainName.startsWith("-")) {
+                    domainName = domainName.substring(1);
+                }
+                validate(domainName, TYPE_DOMAIN_NAME, caller);
+                if (dbService.getDomain(domainName, false) == null) {
+                    throw ZMSUtils.requestError("No such domain: " + domainName, caller);
+                }
+            }
+        }
+    }
+
     void validateString(final String value, final String type, final String caller) {
-        if (value != null && !value.isEmpty()) {
+        if (!StringUtil.isEmpty(value)) {
             validate(value, type, caller);
         }
     }
@@ -2640,6 +2662,8 @@ void validateRoleMetaValues(RoleMeta meta) {
         validateString(meta.getNotifyRoles(), TYPE_RESOURCE_NAMES, caller);
         validateString(meta.getUserAuthorityFilter(), TYPE_AUTHORITY_KEYWORDS, caller);
         validateString(meta.getUserAuthorityExpiration(), TYPE_AUTHORITY_KEYWORD, caller);
+
+        validateDomainFilterValue(meta.getPrincipalDomainFilter(), caller);
     }
 
     void validateRoleValues(Role role) {
@@ -2660,6 +2684,8 @@ void validateRoleValues(Role role) {
         validateString(role.getNotifyRoles(), TYPE_RESOURCE_NAMES, caller);
         validateString(role.getUserAuthorityFilter(), TYPE_AUTHORITY_KEYWORDS, caller);
         validateString(role.getUserAuthorityExpiration(), TYPE_AUTHORITY_KEYWORD, caller);
+
+        validateDomainFilterValue(role.getPrincipalDomainFilter(), caller);
     }
 
     void validateGroupValues(Group group) {
@@ -2674,6 +2700,8 @@ void validateGroupValues(Group group) {
         validateString(group.getNotifyRoles(), TYPE_RESOURCE_NAMES, caller);
         validateString(group.getUserAuthorityFilter(), TYPE_AUTHORITY_KEYWORDS, caller);
         validateString(group.getUserAuthorityExpiration(), TYPE_AUTHORITY_KEYWORD, caller);
+
+        validateDomainFilterValue(group.getPrincipalDomainFilter(), caller);
     }
 
     void validateGroupMetaValues(GroupMeta meta) {
@@ -2688,6 +2716,8 @@ void validateGroupMetaValues(GroupMeta meta) {
         validateString(meta.getNotifyRoles(), TYPE_RESOURCE_NAMES, caller);
         validateString(meta.getUserAuthorityFilter(), TYPE_AUTHORITY_KEYWORDS, caller);
         validateString(meta.getUserAuthorityExpiration(), TYPE_AUTHORITY_KEYWORD, caller);
+
+        validateDomainFilterValue(meta.getPrincipalDomainFilter(), caller);
     }
 
     @Override
@@ -3993,7 +4023,7 @@ List<String> normalizedAdminUsers(List<String> admins, final String domainUserAu
 
         for (String admin : normalizedAdmins) {
             validateRoleMemberPrincipal(admin, principalType(admin), domainUserAuthorityFilter, null,
-                    null, disallowGroupsInAdminRole.get(), caller);
+                    null, null, disallowGroupsInAdminRole.get(), caller);
         }
 
         return new ArrayList<>(normalizedAdmins);
@@ -4153,7 +4183,8 @@ public Response putRole(ResourceContext ctx, String domainName, String roleName,
         // be specified as members.
 
         boolean disallowGroups = disallowGroupsInAdminRole.get() == Boolean.TRUE && ADMIN_ROLE_NAME.equals(roleName);
-        validateRoleMemberPrincipals(role, domain.getUserAuthorityFilter(), disallowGroups, caller);
+        PrincipalDomainFilter principalDomainFilter = new PrincipalDomainFilter(role.getPrincipalDomainFilter());
+        validateRoleMemberPrincipals(role, domain.getUserAuthorityFilter(), principalDomainFilter, disallowGroups, caller);
 
         // validate role review-enabled and/or audit-enabled flags
 
@@ -4259,8 +4290,8 @@ void validateRoleStructure(final Role role, final String domainName, final Strin
         }
     }
 
-    void validateRoleMemberPrincipals(final Role role, final String domainUserAuthorityFilter, boolean disallowGroups,
-                                      final String caller) {
+    void validateRoleMemberPrincipals(final Role role, final String domainUserAuthorityFilter,
+            PrincipalDomainFilter principalDomainFilter, boolean disallowGroups, final String caller) {
 
         // extract the user authority filter for the role
 
@@ -4269,8 +4300,8 @@ void validateRoleMemberPrincipals(final Role role, final String domainUserAuthor
 
         for (RoleMember roleMember : role.getRoleMembers()) {
             validateRoleMemberPrincipal(roleMember.getMemberName(), roleMember.getPrincipalType(),
-                    userAuthorityFilter, role.getUserAuthorityExpiration(), role.getAuditEnabled(),
-                    disallowGroups, caller);
+                    userAuthorityFilter, role.getUserAuthorityExpiration(), principalDomainFilter,
+                    role.getAuditEnabled(), disallowGroups, caller);
         }
     }
 
@@ -4394,10 +4425,25 @@ void validateGroupPrincipal(final String memberName, final String userAuthorityF
     }
 
     void validateRoleMemberPrincipal(final String memberName, int principalType, final String userAuthorityFilter,
-                                     final String userAuthorityExpiration, Boolean roleAuditEnabled,
-                                     boolean disallowGroups, final String caller) {
+            final String userAuthorityExpiration, PrincipalDomainFilter principalDomainFilter,
+            Boolean roleAuditEnabled, boolean disallowGroups, final String caller) {
+
+        Principal.Type type = Principal.Type.getType(principalType);
+
+        if (type == Principal.Type.UNKNOWN) {
+            throw ZMSUtils.requestError("Principal " + memberName + " is not valid", caller);
+        }
 
-        switch (Principal.Type.getType(principalType)) {
+        // if we have a principal domain filter then we need to make sure
+        // that the principal is within the allowed domain list
+
+        if (principalDomainFilter != null && !principalDomainFilter.validate(memberName, type)) {
+            throw ZMSUtils.requestError("Principal " + memberName + " is not allowed for the role", caller);
+        }
+
+        // now let's carry out further validation based on the principal type
+
+        switch (type) {
 
             case USER:
             case USER_HEADLESS:
@@ -4430,23 +4476,30 @@ void validateRoleMemberPrincipal(final String memberName, int principalType, fin
 
                 validateGroupPrincipal(memberName, userAuthorityFilter, userAuthorityExpiration, roleAuditEnabled, caller);
                 break;
-
-            default:
-
-                throw ZMSUtils.requestError("Principal " + memberName + " is not valid", caller);
         }
     }
 
     void validateGroupMemberPrincipal(final String memberName, int principalType, final String userAuthorityFilter,
-                                      final String caller) {
+            PrincipalDomainFilter principalDomainFilter, final String caller) {
 
-        // we do not support any type of wildcards in group members
+        Principal.Type type = Principal.Type.getType(principalType);
 
-        if (memberName.indexOf('*') != -1) {
+        // we do not support group members and any type of wildcards in group members
+
+        if (type == Principal.Type.UNKNOWN || type == Principal.Type.GROUP || memberName.indexOf('*') != -1) {
             throw ZMSUtils.requestError("Principal " + memberName + " is not valid", caller);
         }
 
-        switch (Principal.Type.getType(principalType)) {
+        // if we have a principal domain filter then we need to make sure
+        // that the principal is within the allowed domain list
+
+        if (principalDomainFilter != null && !principalDomainFilter.validate(memberName, type)) {
+            throw ZMSUtils.requestError("Principal " + memberName + " is not allowed for the group", caller);
+        }
+
+        // now let's carry out further validation based on the principal type
+
+        switch (type) {
 
             case USER:
             case USER_HEADLESS:
@@ -4460,10 +4513,6 @@ void validateGroupMemberPrincipal(final String memberName, int principalType, fi
 
                 validateServicePrincipal(memberName, caller);
                 break;
-
-            default:
-
-                throw ZMSUtils.requestError("Principal " + memberName + " is not valid", caller);
         }
     }
 
@@ -4762,8 +4811,10 @@ public Response putMembership(ResourceContext ctx, String domainName, String rol
         final String userAuthorityFilter = enforcedUserAuthorityFilter(role.getUserAuthorityFilter(),
                 domain.getDomain().getUserAuthorityFilter());
         boolean disallowGroups = disallowGroupsInAdminRole.get() == Boolean.TRUE && ADMIN_ROLE_NAME.equals(roleName);
+        PrincipalDomainFilter principalDomainFilter = new PrincipalDomainFilter(role.getPrincipalDomainFilter());
         validateRoleMemberPrincipal(roleMember.getMemberName(), roleMember.getPrincipalType(), userAuthorityFilter,
-                role.getUserAuthorityExpiration(), role.getAuditEnabled(), disallowGroups, caller);
+                role.getUserAuthorityExpiration(), principalDomainFilter, role.getAuditEnabled(),
+                disallowGroups, caller);
 
         // authorization check which also automatically updates
         // the active and approved flags for the request
@@ -9846,9 +9897,10 @@ public void putMembershipDecision(ResourceContext ctx, String domainName, String
             final String userAuthorityFilter = enforcedUserAuthorityFilter(role.getUserAuthorityFilter(),
                     domain.getDomain().getUserAuthorityFilter());
             boolean disallowGroups = disallowGroupsInAdminRole.get() == Boolean.TRUE && ADMIN_ROLE_NAME.equals(roleName);
+            PrincipalDomainFilter principalDomainFilter = new PrincipalDomainFilter(role.getPrincipalDomainFilter());
             validateRoleMemberPrincipal(roleMember.getMemberName(), roleMember.getPrincipalType(),
-                    userAuthorityFilter, role.getUserAuthorityExpiration(), role.getAuditEnabled(),
-                    disallowGroups, caller);
+                    userAuthorityFilter, role.getUserAuthorityExpiration(), principalDomainFilter,
+                    role.getAuditEnabled(), disallowGroups, caller);
         }
 
         dbService.executePutMembershipDecision(ctx, domainName, roleName, roleMember, auditRef, caller);
@@ -10262,7 +10314,8 @@ public Response putRoleReview(ResourceContext ctx, String domainName, String rol
 
         // validate all members specified in the review request
 
-        validateRoleMemberPrincipals(role, domain.getDomain().getUserAuthorityFilter(), false, caller);
+        PrincipalDomainFilter principalDomainFilter = new PrincipalDomainFilter(dbRole.getPrincipalDomainFilter());
+        validateRoleMemberPrincipals(role, domain.getDomain().getUserAuthorityFilter(), principalDomainFilter, false, caller);
 
         // update role expiry based on our configurations
 
@@ -10464,7 +10517,8 @@ void normalizeGroupMembers(Group group) {
         group.setGroupMembers(new ArrayList<>(normalizedMembers.values()));
     }
 
-    void validateGroupMemberPrincipals(final Group group, final String domainUserAuthorityFilter, final String caller) {
+    void validateGroupMemberPrincipals(final Group group, final String domainUserAuthorityFilter,
+            PrincipalDomainFilter principalDomainFilter, final String caller) {
 
         // make sure we have either one of the options enabled for verification
 
@@ -10473,7 +10527,7 @@ void validateGroupMemberPrincipals(final Group group, final String domainUserAut
 
         for (GroupMember groupMember : group.getGroupMembers()) {
             validateGroupMemberPrincipal(groupMember.getMemberName(), groupMember.getPrincipalType(),
-                    userAuthorityFilter, caller);
+                    userAuthorityFilter, principalDomainFilter, caller);
         }
     }
 
@@ -10576,7 +10630,8 @@ public Response putGroup(ResourceContext ctx, String domainName, String groupNam
         // check to see if we need to validate user and service members
         // and possibly user authority filter restrictions
 
-        validateGroupMemberPrincipals(group, domain.getUserAuthorityFilter(), caller);
+        PrincipalDomainFilter principalDomainFilter = new PrincipalDomainFilter(group.getPrincipalDomainFilter());
+        validateGroupMemberPrincipals(group, domain.getUserAuthorityFilter(), principalDomainFilter, caller);
 
         // validate group review-enabled and/or audit-enabled flags
 
@@ -10813,7 +10868,7 @@ void setGroupMemberExpiration(final AthenzDomain domain, final Group group, fina
     }
 
     boolean isAllowedPutGroupMembership(Principal principal, final AthenzDomain domain, final Group group,
-                                   final GroupMember groupMember) {
+            final GroupMember groupMember) {
 
         // first lets check if the principal has update access on the group
 
@@ -10983,7 +11038,9 @@ public Response putGroupMembership(ResourceContext ctx, String domainName, Strin
 
         final String userAuthorityFilter = enforcedUserAuthorityFilter(group.getUserAuthorityFilter(),
                 domain.getDomain().getUserAuthorityFilter());
-        validateGroupMemberPrincipal(groupMember.getMemberName(), groupMember.getPrincipalType(), userAuthorityFilter, caller);
+        PrincipalDomainFilter principalDomainFilter = new PrincipalDomainFilter(group.getPrincipalDomainFilter());
+        validateGroupMemberPrincipal(groupMember.getMemberName(), groupMember.getPrincipalType(), userAuthorityFilter,
+                principalDomainFilter, caller);
 
         // authorization check which also automatically updates
         // the active and approved flags for the request
@@ -11333,8 +11390,8 @@ public void putGroupMembershipDecision(ResourceContext ctx, String domainName, S
         }
 
         // initially create the group member and only set the
-        // user name which is all we need in case we need to
-        // lookup the pending entry for review approval
+        // username which is all we need in case we need to
+        // look up the pending entry for review approval
         // we'll set the state and expiration after the
         // authorization check is successful
 
@@ -11363,8 +11420,9 @@ public void putGroupMembershipDecision(ResourceContext ctx, String domainName, S
 
             final String userAuthorityFilter = enforcedUserAuthorityFilter(group.getUserAuthorityFilter(),
                     domain.getDomain().getUserAuthorityFilter());
+            PrincipalDomainFilter principalDomainFilter = new PrincipalDomainFilter(group.getPrincipalDomainFilter());
              validateGroupMemberPrincipal(groupMember.getMemberName(), groupMember.getPrincipalType(),
-                     userAuthorityFilter, caller);
+                     userAuthorityFilter, principalDomainFilter, caller);
         }
 
         dbService.executePutGroupMembershipDecision(ctx, domainName, group, groupMember, auditRef);
@@ -11437,7 +11495,8 @@ public Response putGroupReview(ResourceContext ctx, String domainName, String gr
 
         // validate all members specified in the review request
 
-        validateGroupMemberPrincipals(group, domain.getDomain().getUserAuthorityFilter(), caller);
+        PrincipalDomainFilter principalDomainFilter = new PrincipalDomainFilter(dbGroup.getPrincipalDomainFilter());
+        validateGroupMemberPrincipals(group, domain.getDomain().getUserAuthorityFilter(), principalDomainFilter, caller);
 
         // update group expiry based on our configurations
 
diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/store/impl/jdbc/JDBCConnection.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/store/impl/jdbc/JDBCConnection.java
index 151a4f948da..836183bfe55 100644
--- a/servers/zms/src/main/java/com/yahoo/athenz/zms/store/impl/jdbc/JDBCConnection.java
+++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/store/impl/jdbc/JDBCConnection.java
@@ -116,12 +116,14 @@ public class JDBCConnection implements ObjectStoreConnection {
             + " member_expiry_days, token_expiry_mins, cert_expiry_mins, sign_algorithm, service_expiry_days,"
             + " member_review_days, service_review_days, group_review_days, review_enabled, notify_roles, user_authority_filter,"
             + " user_authority_expiration, description, group_expiry_days, delete_protection, last_reviewed_time,"
-            + " max_members, self_renew, self_renew_mins) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?);";
+            + " max_members, self_renew, self_renew_mins, principal_domain_filter)"
+            + " VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?);";
     private static final String SQL_UPDATE_ROLE = "UPDATE role SET trust=?, audit_enabled=?, self_serve=?, "
             + "member_expiry_days=?, token_expiry_mins=?, cert_expiry_mins=?, sign_algorithm=?, "
             + "service_expiry_days=?, member_review_days=?, service_review_days=?, group_review_days=?, review_enabled=?, notify_roles=?, "
             + "user_authority_filter=?, user_authority_expiration=?, description=?, group_expiry_days=?, "
-            + "delete_protection=?, last_reviewed_time=?, max_members=?, self_renew=?, self_renew_mins=? WHERE role_id=?;";
+            + "delete_protection=?, last_reviewed_time=?, max_members=?, self_renew=?, self_renew_mins=?, "
+            + "principal_domain_filter=? WHERE role_id=?;";
     private static final String SQL_DELETE_ROLE = "DELETE FROM role WHERE domain_id=? AND name=?;";
     private static final String SQL_UPDATE_ROLE_MOD_TIMESTAMP = "UPDATE role "
             + "SET modified=CURRENT_TIMESTAMP(3) WHERE role_id=?;";
@@ -411,12 +413,12 @@ public class JDBCConnection implements ObjectStoreConnection {
             + "WHERE domain.name=? AND principal_group.name=?;";
     private static final String SQL_INSERT_GROUP = "INSERT INTO principal_group (name, domain_id, audit_enabled, self_serve, "
             + "review_enabled, notify_roles, user_authority_filter, user_authority_expiration, member_expiry_days, "
-            + "service_expiry_days, delete_protection, last_reviewed_time, max_members, self_renew, self_renew_mins) "
-            + "VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?);";
+            + "service_expiry_days, delete_protection, last_reviewed_time, max_members, self_renew, self_renew_mins, "
+            + "principal_domain_filter) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?);";
     private static final String SQL_UPDATE_GROUP = "UPDATE principal_group SET audit_enabled=?, self_serve=?, "
             + "review_enabled=?, notify_roles=?, user_authority_filter=?, user_authority_expiration=?, "
             + "member_expiry_days=?, service_expiry_days=?, delete_protection=?, last_reviewed_time=?, "
-            + "max_members=?, self_renew=?, self_renew_mins=? WHERE group_id=?;";
+            + "max_members=?, self_renew=?, self_renew_mins=?, principal_domain_filter=? WHERE group_id=?;";
     private static final String SQL_GET_GROUP_ID = "SELECT group_id FROM principal_group WHERE domain_id=? AND name=?;";
     private static final String SQL_DELETE_GROUP = "DELETE FROM principal_group WHERE domain_id=? AND name=?;";
     private static final String SQL_UPDATE_GROUP_MOD_TIMESTAMP = "UPDATE principal_group "
@@ -2048,6 +2050,7 @@ public boolean insertRole(String domainName, Role role) {
             ps.setInt(22, processInsertValue(role.getMaxMembers()));
             ps.setBoolean(23, processInsertValue(role.getSelfRenew(), false));
             ps.setInt(24, processInsertValue(role.getSelfRenewMins()));
+            ps.setString(25, processInsertValue(role.getPrincipalDomainFilter()));
             affectedRows = executeUpdate(ps, caller);
         } catch (SQLException ex) {
             throw sqlError(ex, caller);
@@ -2102,7 +2105,8 @@ public boolean updateRole(String domainName, Role role) {
             ps.setInt(20, processInsertValue(role.getMaxMembers()));
             ps.setBoolean(21, processInsertValue(role.getSelfRenew(), false));
             ps.setInt(22, processInsertValue(role.getSelfRenewMins()));
-            ps.setInt(23, roleId);
+            ps.setString(23, processInsertValue(role.getPrincipalDomainFilter()));
+            ps.setInt(24, roleId);
             affectedRows = executeUpdate(ps, caller);
         } catch (SQLException ex) {
             throw sqlError(ex, caller);
@@ -3976,7 +3980,8 @@ Role retrieveRole(ResultSet rs, final String domainName, final String roleName)
                 .setMaxMembers(nullIfDefaultValue(rs.getInt(ZMSConsts.DB_COLUMN_MAX_MEMBERS), 0))
                 .setSelfRenew(nullIfDefaultValue(rs.getBoolean(ZMSConsts.DB_COLUMN_SELF_RENEW), false))
                 .setSelfRenewMins(nullIfDefaultValue(rs.getInt(ZMSConsts.DB_COLUMN_SELF_RENEW_MINS), 0))
-                .setResourceOwnership(ResourceOwnership.getResourceRoleOwnership(rs.getString(ZMSConsts.DB_COLUMN_RESOURCE_OWNER)));
+                .setResourceOwnership(ResourceOwnership.getResourceRoleOwnership(rs.getString(ZMSConsts.DB_COLUMN_RESOURCE_OWNER)))
+                .setPrincipalDomainFilter(saveValue(rs.getString(ZMSConsts.DB_COLUMN_PRINCIPAL_DOMAIN_FILTER)));
         java.sql.Timestamp lastReviewedTime = rs.getTimestamp(ZMSConsts.DB_COLUMN_LAST_REVIEWED_TIME);
         if (lastReviewedTime != null) {
             role.setLastReviewedDate(Timestamp.fromMillis(lastReviewedTime.getTime()));
@@ -6026,7 +6031,8 @@ Group retrieveGroup(ResultSet rs, final String domainName, final String groupNam
                 .setMaxMembers(nullIfDefaultValue(rs.getInt(ZMSConsts.DB_COLUMN_MAX_MEMBERS), 0))
                 .setSelfRenew(nullIfDefaultValue(rs.getBoolean(ZMSConsts.DB_COLUMN_SELF_RENEW), false))
                 .setSelfRenewMins(nullIfDefaultValue(rs.getInt(ZMSConsts.DB_COLUMN_SELF_RENEW_MINS), 0))
-                .setResourceOwnership(ResourceOwnership.getResourceGroupOwnership(rs.getString(ZMSConsts.DB_COLUMN_RESOURCE_OWNER)));
+                .setResourceOwnership(ResourceOwnership.getResourceGroupOwnership(rs.getString(ZMSConsts.DB_COLUMN_RESOURCE_OWNER)))
+                .setPrincipalDomainFilter(saveValue(rs.getString(ZMSConsts.DB_COLUMN_PRINCIPAL_DOMAIN_FILTER)));
         java.sql.Timestamp lastReviewedTime = rs.getTimestamp(ZMSConsts.DB_COLUMN_LAST_REVIEWED_TIME);
         if (lastReviewedTime != null) {
             group.setLastReviewedDate(Timestamp.fromMillis(lastReviewedTime.getTime()));
@@ -6087,6 +6093,7 @@ public boolean insertGroup(String domainName, Group group) {
             ps.setInt(13, processInsertValue(group.getMaxMembers()));
             ps.setBoolean(14, processInsertValue(group.getSelfRenew(), false));
             ps.setInt(15, processInsertValue(group.getSelfRenewMins()));
+            ps.setString(16, processInsertValue(group.getPrincipalDomainFilter()));
             affectedRows = executeUpdate(ps, caller);
         } catch (SQLException ex) {
             throw sqlError(ex, caller);
@@ -6131,7 +6138,8 @@ public boolean updateGroup(String domainName, Group group) {
             ps.setInt(11, processInsertValue(group.getMaxMembers()));
             ps.setBoolean(12, processInsertValue(group.getSelfRenew(), false));
             ps.setInt(13, processInsertValue(group.getSelfRenewMins()));
-            ps.setInt(14, groupId);
+            ps.setString(14, processInsertValue(group.getPrincipalDomainFilter()));
+            ps.setInt(15, groupId);
             affectedRows = executeUpdate(ps, caller);
         } catch (SQLException ex) {
             throw sqlError(ex, caller);
diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/utils/PrincipalDomainFilter.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/utils/PrincipalDomainFilter.java
new file mode 100644
index 00000000000..0416bc2e226
--- /dev/null
+++ b/servers/zms/src/main/java/com/yahoo/athenz/zms/utils/PrincipalDomainFilter.java
@@ -0,0 +1,139 @@
+/*
+ * Copyright The Athenz Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.yahoo.athenz.zms.utils;
+
+import com.yahoo.athenz.auth.AuthorityConsts;
+import com.yahoo.athenz.auth.Principal;
+import org.eclipse.jetty.util.StringUtil;
+
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+public class PrincipalDomainFilter {
+
+    Set<String> allowedDomains;
+    List<String> disallowedSubDomains;
+    List<String> allowedSubDomains;
+
+    public PrincipalDomainFilter(final String domainFilter) {
+
+        // supported format is domainName,+domainName,-domainName
+
+        if (StringUtil.isEmpty(domainFilter)) {
+            return;
+        }
+
+        // for matching with domains and not substrings we're going
+        // to automatically add a '.' at the end of each domain name
+
+        String[] domainNames = domainFilter.split(",");
+        for (String domainName : domainNames) {
+            if (domainName.startsWith("+")) {
+                if (allowedSubDomains == null) {
+                    allowedSubDomains = new ArrayList<>();
+                }
+                allowedSubDomains.add(domainName.substring(1) + ".");
+            } else if (domainName.startsWith("-")) {
+                if (disallowedSubDomains == null) {
+                    disallowedSubDomains = new ArrayList<>();
+                }
+                disallowedSubDomains.add(domainName.substring(1) + ".");
+            } else {
+                if (allowedDomains == null) {
+                    allowedDomains = new HashSet<>();
+                }
+                allowedDomains.add(domainName + ".");
+            }
+        }
+    }
+    
+    public boolean validate(final String principalName, Principal.Type type) {
+            
+        // if we have no filter then we're good
+        
+        if (allowedDomains == null && allowedSubDomains == null && disallowedSubDomains == null) {
+            return true;
+        }
+
+        // let's first extract our domain name: special handling
+        // for groups while all other types are standard service names
+        // since we're given the principal type, it's already been
+        // verified that the principal name is valid so no need to
+        // check for error cases
+
+        int idx = getIdx(principalName, type);
+        final String domainName = principalName.substring(0, idx) + ".";
+
+        // if we have disallowed domains then we need to make sure
+        // that the principal domain is not in the disallowed list
+
+        if (disallowedSubDomains != null) {
+
+            for (String disallowedDomain : disallowedSubDomains) {
+                if (domainName.startsWith(disallowedDomain)) {
+                    return false;
+                }
+            }
+
+            // at this time we don't have any allowed list specified
+            // it means all other entries are allowed
+
+            if (allowedDomains == null && allowedSubDomains == null) {
+                return true;
+            }
+        }
+
+        // if we have allowed domains then we need to make sure
+        // that the principal domain is in the allowed list
+        
+        if (allowedDomains != null) {
+            if (allowedDomains.contains(domainName)) {
+                return true;
+            }
+
+            // at this time we don't have any subdomains specified
+            // it means all other entries are disallowed
+
+            if (allowedSubDomains == null) {
+                return false;
+            }
+        }
+
+        // if we got here it means we have configured allowed subdomains,
+        // so we need to make sure the principal domain is in the allowed list
+        
+        for (String allowedDomain : allowedSubDomains) {
+            if (domainName.startsWith(allowedDomain)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    private int getIdx(String principalName, Principal.Type type) {
+        int idx;
+        if (type == Principal.Type.GROUP) {
+            idx = principalName.indexOf(AuthorityConsts.GROUP_SEP);
+        } else {
+            idx = principalName.lastIndexOf('.');
+        }
+        return idx;
+    }
+}
diff --git a/servers/zms/src/test/java/com/yahoo/athenz/zms/DBServiceTest.java b/servers/zms/src/test/java/com/yahoo/athenz/zms/DBServiceTest.java
index 02bdd9b2292..04d7170dea8 100644
--- a/servers/zms/src/test/java/com/yahoo/athenz/zms/DBServiceTest.java
+++ b/servers/zms/src/test/java/com/yahoo/athenz/zms/DBServiceTest.java
@@ -5934,7 +5934,7 @@ public void testUpdateRoleMetaFields() {
     public void testAuditLogRoleMeta() {
         StringBuilder auditDetails = new StringBuilder();
         Role role = new Role().setName("dom1:role.role1").setSelfServe(true).setReviewEnabled(false)
-                        .setSelfRenew(true).setSelfRenewMins(10);
+                        .setSelfRenew(true).setSelfRenewMins(10).setPrincipalDomainFilter("domain1");
         zms.dbService.auditLogRoleMeta(auditDetails, role, "role1", true);
         assertEquals(auditDetails.toString(),
                 "{\"name\": \"role1\", \"selfServe\": \"true\", \"memberExpiryDays\": \"null\","
@@ -5944,7 +5944,8 @@ public void testAuditLogRoleMeta() {
                         + " \"reviewEnabled\": \"false\", \"notifyRoles\": \"null\", \"signAlgorithm\": \"null\","
                         + " \"userAuthorityFilter\": \"null\", \"userAuthorityExpiration\": \"null\","
                         + " \"description\": \"null\", \"deleteProtection\": \"null\", \"lastReviewedDate\": \"null\","
-                        + " \"maxMembers\": \"null\", \"selfRenew\": \"true\", \"selfRenewMins\": \"10\"}");
+                        + " \"maxMembers\": \"null\", \"selfRenew\": \"true\", \"selfRenewMins\": \"10\","
+                        + " \"principalDomainFilter\": \"domain1\"}");
     }
 
     @Test
diff --git a/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java b/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java
index 29e73dec606..3fedfa251d7 100644
--- a/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java
+++ b/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java
@@ -2253,7 +2253,7 @@ public void testCreateRole() {
                     + "\"signAlgorithm\": \"null\", \"userAuthorityFilter\": \"null\", "
                     + "\"userAuthorityExpiration\": \"null\", \"description\": \"null\", "
                     + "\"deleteProtection\": \"false\", \"lastReviewedDate\": \"null\", \"maxMembers\": \"null\", "
-                    + "\"selfRenew\": \"null\", \"selfRenewMins\": \"null\", \"trust\": \"null\", "
+                    + "\"selfRenew\": \"null\", \"selfRenewMins\": \"null\", \"principalDomainFilter\": \"null\", \"trust\": \"null\", "
                     + "\"deleted-members\": [{\"member\": \"user.jane\", \"approved\": true, \"system-disabled\": 0}], "
                     + "\"added-members\": []}");
             assertTrue(index2 > index, msg);
@@ -21301,6 +21301,7 @@ public void testPutRoleMeta() {
         rm.setMaxMembers(25);
         rm.setSelfRenew(true);
         rm.setSelfRenewMins(99);
+        rm.setPrincipalDomainFilter("user,sys.auth");
         zmsImpl.putRoleMeta(ctx, "rolemetadom1", "role1", auditRef, null, rm);
 
         Role resRole1 = zmsImpl.getRole(ctx, "rolemetadom1", "role1", true, false, false);
@@ -21320,6 +21321,7 @@ public void testPutRoleMeta() {
         assertTrue(resRole1.getSelfRenew());
         assertEquals(resRole1.getMaxMembers(), 25);
         assertEquals(resRole1.getSelfRenewMins(), 99);
+        assertEquals(resRole1.getPrincipalDomainFilter(), "user,sys.auth");
 
         // if we pass a null for the expiry days (e.g. old client)
         // then we're not going to modify the value
@@ -21342,6 +21344,7 @@ public void testPutRoleMeta() {
         assertTrue(resRole1.getSelfRenew());
         assertEquals(resRole1.getMaxMembers(), 25);
         assertEquals(resRole1.getSelfRenewMins(), 99);
+        assertEquals(resRole1.getPrincipalDomainFilter(), "user,sys.auth");
 
         // now let's reset to 0
 
@@ -21357,6 +21360,7 @@ public void testPutRoleMeta() {
         rm3.setSelfRenewMins(0);
         rm3.setSelfRenew(false);
         rm3.setMaxMembers(0);
+        rm3.setPrincipalDomainFilter("");
         zmsImpl.putRoleMeta(ctx, "rolemetadom1", "role1", auditRef, null, rm3);
 
         resRole1 = zmsImpl.getRole(ctx, "rolemetadom1", "role1", true, false, false);
@@ -21374,6 +21378,7 @@ public void testPutRoleMeta() {
         assertNull(resRole1.getSelfRenew());
         assertNull(resRole1.getMaxMembers());
         assertNull(resRole1.getSelfRenewMins());
+        assertNull(resRole1.getPrincipalDomainFilter());
 
         // invalid negative values
 
@@ -21452,6 +21457,16 @@ public void testPutRoleMeta() {
             assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
         }
 
+        rm4.setServiceReviewDays(10);
+        rm4.setPrincipalDomainFilter("some invalid domain");
+
+        try {
+            zmsImpl.putRoleMeta(ctx, "rolemetadom1", "role1", auditRef, null, rm4);
+            fail();
+        } catch (ResourceException ex) {
+            assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
+        }
+
         zmsImpl.deleteTopLevelDomain(ctx, "rolemetadom1", auditRef, null);
     }
 
@@ -22907,7 +22922,7 @@ public void testValidateRoleMemberPrincipals() {
         roleMembers.add(new RoleMember().setMemberName("coretech.backend").setPrincipalType(Principal.Type.SERVICE.getValue()));
 
         Role role = new Role().setRoleMembers(roleMembers);
-        zmsImpl.validateRoleMemberPrincipals(role, null, false, "unittest");
+        zmsImpl.validateRoleMemberPrincipals(role, null, null, false, "unittest");
 
         // enable user authority check
 
@@ -22923,13 +22938,13 @@ public void testValidateRoleMemberPrincipals() {
         roleMembers.add(new RoleMember().setMemberName("user.jane").setPrincipalType(Principal.Type.USER.getValue()));
         role.setRoleMembers(roleMembers);
 
-        zmsImpl.validateRoleMemberPrincipals(role, null, false, "unittest");
+        zmsImpl.validateRoleMemberPrincipals(role, null, null, false, "unittest");
 
         // add one more invalid user
 
         roleMembers.add(new RoleMember().setMemberName("user.john").setPrincipalType(Principal.Type.USER.getValue()));
         try {
-            zmsImpl.validateRoleMemberPrincipals(role, null, false, "unittest");
+            zmsImpl.validateRoleMemberPrincipals(role, null, null, false, "unittest");
             fail();
         } catch (ResourceException ex) {
             assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
@@ -22943,7 +22958,7 @@ public void testValidateRoleMemberPrincipals() {
         roleMembers.add(new RoleMember().setMemberName("coretech:group.dev-team").setPrincipalType(Principal.Type.GROUP.getValue()));
         role.setRoleMembers(roleMembers);
         try {
-            zmsImpl.validateRoleMemberPrincipals(role, null, true, "unittest");
+            zmsImpl.validateRoleMemberPrincipals(role, null, null, true, "unittest");
             fail();
         } catch (ResourceException ex) {
             assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
@@ -22955,7 +22970,7 @@ public void testValidateRoleMemberPrincipals() {
         roleMembers.add(new RoleMember().setMemberName("unknown").setPrincipalType(Principal.Type.UNKNOWN.getValue()));
         role.setRoleMembers(roleMembers);
         try {
-            zmsImpl.validateRoleMemberPrincipals(role, null, false, "unittest");
+            zmsImpl.validateRoleMemberPrincipals(role, null, null, false, "unittest");
             fail();
         } catch (ResourceException ex) {
             assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
@@ -22975,13 +22990,16 @@ public void testValidateRoleMemberPrincipalUser() {
 
         // valid users no exception
 
-        zmsImpl.validateRoleMemberPrincipal("user.joe", Principal.Type.USER.getValue(), null, null, null, false, "unittest");
-        zmsImpl.validateRoleMemberPrincipal("user.jane", Principal.Type.USER.getValue(), null, null, null, false, "unittest");
+        zmsImpl.validateRoleMemberPrincipal("user.joe", Principal.Type.USER.getValue(), null, null,
+                null, null, false, "unittest");
+        zmsImpl.validateRoleMemberPrincipal("user.jane", Principal.Type.USER.getValue(), null, null,
+                null, null, false, "unittest");
 
         // invalid user request error
 
         try {
-            zmsImpl.validateRoleMemberPrincipal("user.john", Principal.Type.USER.getValue(), null, null, null, false, "unittest");
+            zmsImpl.validateRoleMemberPrincipal("user.john", Principal.Type.USER.getValue(), null, null,
+                    null, null, false, "unittest");
             fail();
         } catch (ResourceException ex) {
             assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
@@ -22990,31 +23008,31 @@ public void testValidateRoleMemberPrincipalUser() {
         // non - user principals by default are accepted
 
         zmsImpl.validateRoleMemberPrincipal("coretech.api", Principal.Type.SERVICE.getValue(),
-                null, null, null, false, "unittest");
+                null, null, null, null, false, "unittest");
 
         // valid employee and contractor users
 
         zmsImpl.validateRoleMemberPrincipal("user.joe", Principal.Type.USER.getValue(), "employee",
-                null, null, false, "unittest");
+                null, null, null, false, "unittest");
         zmsImpl.validateRoleMemberPrincipal("user.jane", Principal.Type.USER.getValue(), "employee",
-                null, null, false, "unittest");
+                null, null, null, false, "unittest");
         zmsImpl.validateRoleMemberPrincipal("user.jack", Principal.Type.USER.getValue(), "contractor",
-                null, null, false, "unittest");
+                null, null, null, false, "unittest");
 
         // valid multiple attribute users
 
         zmsImpl.validateRoleMemberPrincipal("user.joe", Principal.Type.USER.getValue(), "employee,local",
-                null, null, false, "unittest");
+                null, null, null, false, "unittest");
         zmsImpl.validateRoleMemberPrincipal("user.jane", Principal.Type.USER.getValue(), "employee,local",
-                null, null, false, "unittest");
+                null, null, null, false, "unittest");
         zmsImpl.validateRoleMemberPrincipal("user.jack", Principal.Type.USER.getValue(), "contractor,local",
-                null, null, false, "unittest");
+                null, null, null, false, "unittest");
 
         // invalid employee type
 
         try {
             zmsImpl.validateRoleMemberPrincipal("user.jack", Principal.Type.USER.getValue(), "employee",
-                    null, null, false, "unittest");
+                    null, null, null, false, "unittest");
             fail();
         } catch (ResourceException ex) {
             assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
@@ -23024,7 +23042,7 @@ public void testValidateRoleMemberPrincipalUser() {
 
         try {
             zmsImpl.validateRoleMemberPrincipal("user.jack", Principal.Type.USER.getValue(), "local,employee",
-                    null, null, false, "unittest");
+                    null, null, null, false, "unittest");
             fail();
         } catch (ResourceException ex) {
             assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
@@ -23047,15 +23065,15 @@ public void testValidateRoleMemberPrincipalService() {
         // wildcards are always valid with no exception
 
         zmsImpl.validateRoleMemberPrincipal("athenz.api*", Principal.Type.SERVICE.getValue(),
-                null, null, null, false, "unittest");
+                null, null, null, null, false, "unittest");
         zmsImpl.validateRoleMemberPrincipal("coretech.*", Principal.Type.SERVICE.getValue(),
-                null, null, null, false, "unittest");
+                null, null, null, null, false, "unittest");
 
         // should get back invalid request since service does not exist
 
         try {
             zmsImpl.validateRoleMemberPrincipal("coretech.api", Principal.Type.SERVICE.getValue(), "employee",
-                    null, null, false, "unittest");
+                    null, null, null, false, "unittest");
             fail();
         } catch (ResourceException ex) {
             assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
@@ -23065,7 +23083,7 @@ public void testValidateRoleMemberPrincipalService() {
 
         try {
             zmsImpl.validateRoleMemberPrincipal("coretech", Principal.Type.SERVICE.getValue(),
-                    null, null, null, false, "unittest");
+                    null, null, null, null, false, "unittest");
             fail();
         } catch (ResourceException ex) {
             assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
@@ -23088,13 +23106,13 @@ public void testValidateRoleMemberPrincipalService() {
         // known service - no exception
 
         zmsImpl.validateRoleMemberPrincipal("coretech.api", Principal.Type.SERVICE.getValue(),
-                null, null,  null, false, "unittest");
+                null, null, null, null, false, "unittest");
 
         // unknown service - exception
 
         try {
             zmsImpl.validateRoleMemberPrincipal("coretech.backend", Principal.Type.SERVICE.getValue(),
-                    null, null, null, false, "unittest");
+                    null, null, null, null, false, "unittest");
             fail();
         } catch (ResourceException ex) {
             assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
@@ -23111,13 +23129,13 @@ public void testValidateRoleMemberPrincipalService() {
         // coretech is now accepted
 
         zmsImpl.validateRoleMemberPrincipal("coretech.backend", Principal.Type.SERVICE.getValue(),
-                null, null, null, false, "unittest");
+                null, null, null, null, false, "unittest");
 
         // but coretech2 is rejected
 
         try {
             zmsImpl.validateRoleMemberPrincipal("coretech2.backend", Principal.Type.SERVICE.getValue(),
-                    null, null, null, false, "unittest");
+                    null, null, null, null, false, "unittest");
             fail();
         } catch (ResourceException ex) {
             assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
@@ -23126,11 +23144,12 @@ public void testValidateRoleMemberPrincipalService() {
         // rbac.sre does not exists, but is accepted because rbac.* is included in skipDomains
 
         zmsImpl.validateRoleMemberPrincipal("rbac.sre.backend", Principal.Type.SERVICE.getValue(),
-                null, null, null ,false, "unittest");
+                null, null, null, null ,false, "unittest");
 
         // user principals by default are accepted
 
-        zmsImpl.validateRoleMemberPrincipal("user.john", Principal.Type.USER.getValue(), null, null, null, false, "unittest");
+        zmsImpl.validateRoleMemberPrincipal("user.john", Principal.Type.USER.getValue(), null, null,
+                null, null, false, "unittest");
 
         // reset our setting
 
@@ -23152,21 +23171,23 @@ public void testValidateGroupMemberPrincipal() {
         // wildcards are always rejected
 
         try {
-            zmsImpl.validateGroupMemberPrincipal("athenz.api*", Principal.Type.SERVICE.getValue(), null, "unittest");
+            zmsImpl.validateGroupMemberPrincipal("athenz.api*", Principal.Type.SERVICE.getValue(),
+                    null, null, "unittest");
             fail();
         } catch (ResourceException ex) {
             assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
         }
 
         try {
-            zmsImpl.validateGroupMemberPrincipal("athenz.api*", Principal.Type.SERVICE.getValue(), null, "unittest");
+            zmsImpl.validateGroupMemberPrincipal("athenz.api*", Principal.Type.SERVICE.getValue(),
+                    null, null, "unittest");
             fail();
         } catch (ResourceException ex) {
             assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
         }
 
         try {
-            zmsImpl.validateGroupMemberPrincipal("*", Principal.Type.SERVICE.getValue(), null, "unittest");
+            zmsImpl.validateGroupMemberPrincipal("*", Principal.Type.SERVICE.getValue(), null, null, "unittest");
             fail();
         } catch (ResourceException ex) {
             assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
@@ -23175,7 +23196,8 @@ public void testValidateGroupMemberPrincipal() {
         // should get back invalid request since service does not exist
 
         try {
-            zmsImpl.validateGroupMemberPrincipal("coretech.api", Principal.Type.SERVICE.getValue(), "employee", "unittest");
+            zmsImpl.validateGroupMemberPrincipal("coretech.api", Principal.Type.SERVICE.getValue(),
+                    "employee", null, "unittest");
             fail();
         } catch (ResourceException ex) {
             assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
@@ -23184,13 +23206,15 @@ public void testValidateGroupMemberPrincipal() {
         // invalid service request error
 
         try {
-            zmsImpl.validateGroupMemberPrincipal("coretech", Principal.Type.SERVICE.getValue(), null, "unittest");
+            zmsImpl.validateGroupMemberPrincipal("coretech", Principal.Type.SERVICE.getValue(), null,
+                    null, "unittest");
             fail();
         } catch (ResourceException ex) {
             assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
         }
 
-        TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject("coretech", "Test Domain1", "testorg", zmsTestInitializer.getAdminUser());
+        TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject("coretech", "Test Domain1",
+                "testorg", zmsTestInitializer.getAdminUser());
         zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1);
 
         ServiceIdentity service1 = zmsTestInitializer.createServiceObject("coretech",
@@ -23201,12 +23225,14 @@ public void testValidateGroupMemberPrincipal() {
 
         // known service - no exception
 
-        zmsImpl.validateGroupMemberPrincipal("coretech.api", Principal.Type.SERVICE.getValue(), null,  "unittest");
+        zmsImpl.validateGroupMemberPrincipal("coretech.api", Principal.Type.SERVICE.getValue(),
+                null, null, "unittest");
 
         // unknown service - exception
 
         try {
-            zmsImpl.validateGroupMemberPrincipal("coretech.backend", Principal.Type.SERVICE.getValue(), null, "unittest");
+            zmsImpl.validateGroupMemberPrincipal("coretech.backend", Principal.Type.SERVICE.getValue(),
+                    null, null, "unittest");
             fail();
         } catch (ResourceException ex) {
             assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
@@ -23214,13 +23240,13 @@ public void testValidateGroupMemberPrincipal() {
 
         // known user principals are accepted
 
-        zmsImpl.validateGroupMemberPrincipal("user.joe", Principal.Type.USER.getValue(), null, "unittest");
-        zmsImpl.validateGroupMemberPrincipal("user.jane", Principal.Type.USER.getValue(), null, "unittest");
+        zmsImpl.validateGroupMemberPrincipal("user.joe", Principal.Type.USER.getValue(), null, null, "unittest");
+        zmsImpl.validateGroupMemberPrincipal("user.jane", Principal.Type.USER.getValue(), null, null, "unittest");
 
         // unknown users are rejected
 
         try {
-            zmsImpl.validateGroupMemberPrincipal("user.john", Principal.Type.USER.getValue(), null, "unittest");
+            zmsImpl.validateGroupMemberPrincipal("user.john", Principal.Type.USER.getValue(), null, null, "unittest");
             fail();
         } catch (ResourceException ex) {
             assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
@@ -23229,7 +23255,7 @@ public void testValidateGroupMemberPrincipal() {
         // groups and unknown types are rejected
 
         try {
-            zmsImpl.validateGroupMemberPrincipal("user", Principal.Type.UNKNOWN.getValue(), null, "unittest");
+            zmsImpl.validateGroupMemberPrincipal("user", Principal.Type.UNKNOWN.getValue(), null, null, "unittest");
             fail();
         } catch (ResourceException ex) {
             assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
@@ -23239,7 +23265,8 @@ public void testValidateGroupMemberPrincipal() {
         zmsImpl.putGroup(ctx, "coretech", "dev-team", auditRef, false, null, group);
 
         try {
-            zmsImpl.validateGroupMemberPrincipal("coretech:group.dev-team", Principal.Type.GROUP.getValue(), null, "unittest");
+            zmsImpl.validateGroupMemberPrincipal("coretech:group.dev-team", Principal.Type.GROUP.getValue(),
+                    null, null, "unittest");
             fail();
         } catch (ResourceException ex) {
             assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
@@ -25135,7 +25162,7 @@ public void testCreateGroup() {
                     + "\"serviceExpiryDays\": \"null\", \"reviewEnabled\": \"false\", \"notifyRoles\": \"null\", "
                     + "\"userAuthorityFilter\": \"null\", \"userAuthorityExpiration\": \"null\", "
                     + "\"deleteProtection\": \"false\", \"lastReviewedDate\": \"null\", \"maxMembers\": \"null\", "
-                    + "\"selfRenew\": \"null\", \"selfRenewMins\": \"null\", "
+                    + "\"selfRenew\": \"null\", \"selfRenewMins\": \"null\", \"principalDomainFilter\": \"null\", "
                     + "\"deleted-members\": [{\"member\": \"user.jane\", \"approved\": true, \"system-disabled\": 0}], "
                     + "\"added-members\": []}");
             assertTrue(index2 > index, msg);
@@ -25960,7 +25987,7 @@ public void testValidateGroupMemberPrincipals() {
 
         Group group = new Group().setGroupMembers(groupMembers);
         try {
-            zmsImpl.validateGroupMemberPrincipals(group, null, "unittest");
+            zmsImpl.validateGroupMemberPrincipals(group, null, null, "unittest");
             fail();
         } catch (ResourceException ex) {
             assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
@@ -25979,13 +26006,13 @@ public void testValidateGroupMemberPrincipals() {
         groupMembers.add(new GroupMember().setMemberName("sys.auth.zms").setPrincipalType(Principal.Type.SERVICE.getValue()));
         group.setGroupMembers(groupMembers);
 
-        zmsImpl.validateGroupMemberPrincipals(group, null, "unittest");
+        zmsImpl.validateGroupMemberPrincipals(group, null, null, "unittest");
 
         // add one more invalid user
 
         groupMembers.add(new GroupMember().setMemberName("user.john").setPrincipalType(Principal.Type.USER.getValue()));
         try {
-            zmsImpl.validateGroupMemberPrincipals(group, null, "unittest");
+            zmsImpl.validateGroupMemberPrincipals(group, null, null, "unittest");
             fail();
         } catch (ResourceException ex) {
             assertEquals(ex.getCode(), ResourceException.BAD_REQUEST);
@@ -27942,7 +27969,8 @@ public void testPutGroupMeta() {
         final String domainName = "put-group-meta";
         final String groupName = "group1";
 
-        TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "Group Meta Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
+        TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName,
+                "Group Meta Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
         zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1);
 
         Group group1 = zmsTestInitializer.createGroupObject(domainName, groupName, "user.john", "user.jane");
@@ -27976,6 +28004,7 @@ public void testPutGroupMeta() {
         assertNull(resGroup1.getMaxMembers());
         assertNull(resGroup1.getSelfRenew());
         assertNull(resGroup1.getSelfRenewMins());
+        assertNull(resGroup1.getPrincipalDomainFilter());
 
         groupMeta = new GroupMeta()
                 .setSelfServe(true)
@@ -27987,7 +28016,8 @@ public void testPutGroupMeta() {
                 .setServiceExpiryDays(45)
                 .setSelfRenew(true)
                 .setSelfRenewMins(99)
-                .setMaxMembers(23);
+                .setMaxMembers(23)
+                .setPrincipalDomainFilter("user,sys.auth");
         zmsImpl.putGroupMeta(ctx, domainName, groupName, auditRef, null, groupMeta);
 
         resGroup1 = zmsImpl.getGroup(ctx, domainName, groupName, true, false);
@@ -28002,6 +28032,7 @@ public void testPutGroupMeta() {
         assertEquals(resGroup1.getMaxMembers(), 23);
         assertTrue(resGroup1.getSelfRenew());
         assertEquals(resGroup1.getSelfRenewMins(), 99);
+        assertEquals(resGroup1.getPrincipalDomainFilter(), "user,sys.auth");
 
         groupMeta = new GroupMeta().setNotifyRoles("role2,role3");
         zmsImpl.putGroupMeta(ctx, domainName, groupName, auditRef, null, groupMeta);
@@ -28013,6 +28044,7 @@ public void testPutGroupMeta() {
         assertEquals(resGroup1.getNotifyRoles(), "role2,role3");
         assertEquals(resGroup1.getUserAuthorityExpiration(), "elevated-clearance");
         assertEquals(resGroup1.getUserAuthorityFilter(), "OnShore-US");
+        assertEquals(resGroup1.getPrincipalDomainFilter(), "user,sys.auth");
 
         zmsImpl.dbService.zmsConfig.setUserAuthority(savedAuthority);
         zmsImpl.userAuthority = savedAuthority;
diff --git a/servers/zms/src/test/java/com/yahoo/athenz/zms/provider/ServiceProviderManagerTest.java b/servers/zms/src/test/java/com/yahoo/athenz/zms/provider/ServiceProviderManagerTest.java
index 6c131ad8c69..db099737f50 100644
--- a/servers/zms/src/test/java/com/yahoo/athenz/zms/provider/ServiceProviderManagerTest.java
+++ b/servers/zms/src/test/java/com/yahoo/athenz/zms/provider/ServiceProviderManagerTest.java
@@ -31,10 +31,7 @@
 import org.testng.annotations.Test;
 
 import java.lang.reflect.Field;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
 import java.util.concurrent.*;
 
 import static com.yahoo.athenz.zms.ZMSConsts.*;
@@ -115,6 +112,7 @@ public void testIsServiceProvider() throws InterruptedException, ExecutionExcept
         }
 
         serviceProviderManager.shutdown();
+        serviceProviderManager.setServiceProviders(Collections.emptyMap());
         System.clearProperty(ZMS_PROP_SERVICE_PROVIDER_MANAGER_FREQUENCY_SECONDS);
         System.clearProperty(ZMS_PROP_SERVICE_PROVIDER_MANAGER_DOMAIN);
         System.clearProperty(ZMS_PROP_SERVICE_PROVIDER_MANAGER_ROLE);
diff --git a/servers/zms/src/test/java/com/yahoo/athenz/zms/store/impl/jdbc/JDBCConnectionTest.java b/servers/zms/src/test/java/com/yahoo/athenz/zms/store/impl/jdbc/JDBCConnectionTest.java
index b89dc650f32..c0dd73f7dc7 100644
--- a/servers/zms/src/test/java/com/yahoo/athenz/zms/store/impl/jdbc/JDBCConnectionTest.java
+++ b/servers/zms/src/test/java/com/yahoo/athenz/zms/store/impl/jdbc/JDBCConnectionTest.java
@@ -1027,6 +1027,7 @@ public void testGetRole() throws Exception {
         Mockito.doReturn("").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_USER_AUTHORITY_EXPIRATION);
         Mockito.doReturn("").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_USER_AUTHORITY_FILTER);
         Mockito.doReturn("").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_DESCRIPTION);
+        Mockito.doReturn("user,-home").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_PRINCIPAL_DOMAIN_FILTER);
 
         JDBCConnection jdbcConn = new JDBCConnection(mockConn, true);
         Role role = jdbcConn.getRole("my-domain", "role1");
@@ -1046,6 +1047,7 @@ public void testGetRole() throws Exception {
         assertEquals(role.getNotifyRoles(), "role1,role2");
         assertTrue(role.getReviewEnabled());
         assertEquals(role.getLastReviewedDate(), Timestamp.fromMillis(1454358917));
+        assertEquals(role.getPrincipalDomainFilter(), "user,-home");
 
         Mockito.verify(mockPrepStmt, times(1)).setString(1, "my-domain");
         Mockito.verify(mockPrepStmt, times(1)).setString(2, "role1");
@@ -1077,6 +1079,7 @@ public void testGetRoleWithDueDates() throws Exception {
         Mockito.doReturn("expiry").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_USER_AUTHORITY_EXPIRATION);
         Mockito.doReturn("filter").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_USER_AUTHORITY_FILTER);
         Mockito.doReturn("description").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_DESCRIPTION);
+        Mockito.doReturn("user,-home").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_PRINCIPAL_DOMAIN_FILTER);
 
         JDBCConnection jdbcConn = new JDBCConnection(mockConn, true);
         Role role = jdbcConn.getRole("my-domain", "role1");
@@ -1093,6 +1096,7 @@ public void testGetRoleWithDueDates() throws Exception {
         assertEquals(role.getMemberReviewDays(), Integer.valueOf(70));
         assertEquals(role.getServiceReviewDays(), Integer.valueOf(80));
         assertEquals(role.getGroupReviewDays(), Integer.valueOf(90));
+        assertEquals(role.getPrincipalDomainFilter(), "user,-home");
 
         Mockito.verify(mockPrepStmt, times(1)).setString(1, "my-domain");
         Mockito.verify(mockPrepStmt, times(1)).setString(2, "role1");
@@ -1117,6 +1121,7 @@ public void testGetRoleWithoutSelfServe() throws Exception {
         Mockito.doReturn("").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_USER_AUTHORITY_EXPIRATION);
         Mockito.doReturn("").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_USER_AUTHORITY_FILTER);
         Mockito.doReturn("").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_DESCRIPTION);
+        Mockito.doReturn("").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_PRINCIPAL_DOMAIN_FILTER);
 
         JDBCConnection jdbcConn = new JDBCConnection(mockConn, true);
         Role role = jdbcConn.getRole("my-domain", "role1");
@@ -1127,6 +1132,7 @@ public void testGetRoleWithoutSelfServe() throws Exception {
         assertNull(role.getUserAuthorityExpiration());
         assertNull(role.getUserAuthorityFilter());
         assertNull(role.getDescription());
+        assertNull(role.getPrincipalDomainFilter());
 
         Mockito.verify(mockPrepStmt, times(1)).setString(1, "my-domain");
         Mockito.verify(mockPrepStmt, times(1)).setString(2, "role1");
@@ -1160,6 +1166,7 @@ public void testGetRoleTrust() throws Exception {
         Mockito.doReturn("").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_USER_AUTHORITY_EXPIRATION);
         Mockito.doReturn("").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_USER_AUTHORITY_FILTER);
         Mockito.doReturn("").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_DESCRIPTION);
+        Mockito.doReturn("").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_PRINCIPAL_DOMAIN_FILTER);
 
         JDBCConnection jdbcConn = new JDBCConnection(mockConn, true);
         Role role = jdbcConn.getRole("my-domain", "role1");
@@ -1168,6 +1175,7 @@ public void testGetRoleTrust() throws Exception {
         assertEquals("trust.domain", role.getTrust());
         assertNull(role.getUserAuthorityExpiration());
         assertNull(role.getUserAuthorityFilter());
+        assertNull(role.getPrincipalDomainFilter());
 
         jdbcConn.close();
     }
@@ -1383,7 +1391,7 @@ public void testUpdateRole() throws Exception {
                 .setReviewEnabled(true).setNotifyRoles("role1,role2")
                 .setUserAuthorityFilter("filter").setUserAuthorityExpiration("expiry")
                 .setDescription("description").setLastReviewedDate(Timestamp.fromMillis(100))
-                .setMaxMembers(10).setSelfRenew(true).setSelfRenewMins(99);
+                .setMaxMembers(10).setSelfRenew(true).setSelfRenewMins(99).setPrincipalDomainFilter("user");
 
         Mockito.doReturn(1).when(mockPrepStmt).executeUpdate();
         Mockito.when(mockResultSet.next()).thenReturn(true);
@@ -1421,7 +1429,8 @@ public void testUpdateRole() throws Exception {
         Mockito.verify(mockPrepStmt, times(1)).setInt(20, 10);
         Mockito.verify(mockPrepStmt, times(1)).setBoolean(21, true);
         Mockito.verify(mockPrepStmt, times(1)).setInt(22, 99);
-        Mockito.verify(mockPrepStmt, times(1)).setInt(23, 4);
+        Mockito.verify(mockPrepStmt, times(1)).setString(23, "user");
+        Mockito.verify(mockPrepStmt, times(1)).setInt(24, 4);
         jdbcConn.close();
     }
 
@@ -1470,7 +1479,8 @@ public void testUpdateRoleWithTrust() throws Exception {
         Mockito.verify(mockPrepStmt, times(1)).setInt(20, 0);
         Mockito.verify(mockPrepStmt, times(1)).setBoolean(21, false);
         Mockito.verify(mockPrepStmt, times(1)).setInt(22, 0);
-        Mockito.verify(mockPrepStmt, times(1)).setInt(23, 7);
+        Mockito.verify(mockPrepStmt, times(1)).setString(23, "");
+        Mockito.verify(mockPrepStmt, times(1)).setInt(24, 7);
         jdbcConn.close();
     }
 
@@ -6598,6 +6608,7 @@ public void testGetAthenzDomain() throws Exception {
         Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_BUSINESS_SERVICE)).thenReturn("");
         Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_PRODUCT_ID)).thenReturn("");
         Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_ENVIRONMENT)).thenReturn("");
+        Mockito.when(mockResultSet.getString(ZMSConsts.DB_COLUMN_PRINCIPAL_DOMAIN_FILTER)).thenReturn("");
 
         AthenzDomain athenzDomain = jdbcConn.getAthenzDomain("my-domain");
         assertNotNull(athenzDomain);
@@ -9133,6 +9144,7 @@ public void testGetRoleDefaultAuditEnabledAsNull() throws Exception {
         Mockito.doReturn("").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_USER_AUTHORITY_EXPIRATION);
         Mockito.doReturn("").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_USER_AUTHORITY_FILTER);
         Mockito.doReturn("").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_DESCRIPTION);
+        Mockito.doReturn("").when(mockResultSet).getString(ZMSConsts.DB_COLUMN_PRINCIPAL_DOMAIN_FILTER);
 
         JDBCConnection jdbcConn = new JDBCConnection(mockConn, true);
         Role role = jdbcConn.getRole("my-domain", "role1");
@@ -9146,6 +9158,7 @@ public void testGetRoleDefaultAuditEnabledAsNull() throws Exception {
         assertNull(role.getUserAuthorityExpiration());
         assertNull(role.getUserAuthorityFilter());
         assertNull(role.getDescription());
+        assertNull(role.getPrincipalDomainFilter());
 
         Mockito.verify(mockPrepStmt, times(1)).setString(1, "my-domain");
         Mockito.verify(mockPrepStmt, times(1)).setString(2, "role1");
diff --git a/servers/zms/src/test/java/com/yahoo/athenz/zms/utils/PrincipalDomainFilterTest.java b/servers/zms/src/test/java/com/yahoo/athenz/zms/utils/PrincipalDomainFilterTest.java
new file mode 100644
index 00000000000..1ce2542ab20
--- /dev/null
+++ b/servers/zms/src/test/java/com/yahoo/athenz/zms/utils/PrincipalDomainFilterTest.java
@@ -0,0 +1,489 @@
+/*
+ * Copyright The Athenz Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.yahoo.athenz.zms.utils;
+
+import com.yahoo.athenz.auth.Principal;
+import com.yahoo.athenz.zms.*;
+import org.mockito.MockitoAnnotations;
+import org.testng.annotations.*;
+
+import java.lang.reflect.Member;
+import java.util.ArrayList;
+import java.util.List;
+
+import static org.testng.Assert.*;
+
+public class PrincipalDomainFilterTest {
+
+    private final ZMSTestInitializer zmsTestInitializer = new ZMSTestInitializer();
+
+    @BeforeClass
+    public void startMemoryMySQL() {
+        zmsTestInitializer.startMemoryMySQL();
+    }
+
+    @AfterClass
+    public void stopMemoryMySQL() {
+        zmsTestInitializer.stopMemoryMySQL();
+    }
+
+    @BeforeMethod
+    public void setUp() throws Exception {
+        MockitoAnnotations.openMocks(this);
+        zmsTestInitializer.setUp();
+    }
+
+    @Test
+    public void testPrincipalDomainFilter() {
+
+        // empty filter has no processing and always returns true for validation
+
+        PrincipalDomainFilter filter = new PrincipalDomainFilter("");
+        assertNull(filter.allowedDomains);
+        assertNull(filter.disallowedSubDomains);
+        assertNull(filter.allowedSubDomains);
+        assertTrue(filter.validate(null, Principal.Type.USER));
+        assertTrue(filter.validate(null, Principal.Type.GROUP));
+
+        filter = new PrincipalDomainFilter(null);
+        assertNull(filter.allowedDomains);
+        assertNull(filter.disallowedSubDomains);
+        assertNull(filter.allowedSubDomains);
+        assertTrue(filter.validate(null, Principal.Type.USER));
+        assertTrue(filter.validate(null, Principal.Type.GROUP));
+
+        // now let's test some valid filters
+
+        filter = new PrincipalDomainFilter("domain1,domain2");
+        assertNotNull(filter.allowedDomains);
+        assertEquals(filter.allowedDomains.size(), 2);
+        assertTrue(filter.allowedDomains.contains("domain1."));
+        assertTrue(filter.allowedDomains.contains("domain2."));
+        assertNull(filter.disallowedSubDomains);
+        assertNull(filter.allowedSubDomains);
+
+        filter = new PrincipalDomainFilter("domain1,domain2.api,+domain3,-domain4");
+        assertNotNull(filter.allowedDomains);
+        assertEquals(filter.allowedDomains.size(), 2);
+        assertTrue(filter.allowedDomains.contains("domain1."));
+        assertTrue(filter.allowedDomains.contains("domain2.api."));
+        assertNotNull(filter.allowedSubDomains);
+        assertEquals(filter.allowedSubDomains.size(), 1);
+        assertTrue(filter.allowedSubDomains.contains("domain3."));
+        assertNotNull(filter.disallowedSubDomains);
+        assertEquals(filter.disallowedSubDomains.size(), 1);
+        assertTrue(filter.disallowedSubDomains.contains("domain4."));
+
+        filter = new PrincipalDomainFilter("domain2.api,+domain1,+domain2,-domain1.api,-domain2.prod");
+        assertNotNull(filter.allowedDomains);
+        assertEquals(filter.allowedDomains.size(), 1);
+        assertTrue(filter.allowedDomains.contains("domain2.api."));
+        assertNotNull(filter.allowedSubDomains);
+        assertEquals(filter.allowedSubDomains.size(), 2);
+        assertTrue(filter.allowedSubDomains.contains("domain1."));
+        assertTrue(filter.allowedSubDomains.contains("domain2."));
+        assertNotNull(filter.disallowedSubDomains);
+        assertEquals(filter.disallowedSubDomains.size(), 2);
+        assertTrue(filter.disallowedSubDomains.contains("domain1.api."));
+        assertTrue(filter.disallowedSubDomains.contains("domain2.prod."));
+    }
+
+    @DataProvider(name = "DomainFilterData")
+    public static Object[][] domainFilterData() {
+        return new Object[][] {
+                { "user", "user.joe", Principal.Type.USER, true },
+                { "user", "sports.api", Principal.Type.SERVICE, false },
+                { "user", "athenz:group.dev-team", Principal.Type.GROUP, false },
+                { "-home", "user.joe", Principal.Type.USER, true },
+                { "-home", "sports.api", Principal.Type.SERVICE, true },
+                { "-home", "athenz:group.dev-team", Principal.Type.GROUP, true },
+                { "-home", "home.api", Principal.Type.SERVICE, false },
+                { "-home", "home.prod.api", Principal.Type.SERVICE, false },
+                { "+sports.prod", "user.joe", Principal.Type.USER, false },
+                { "+sports.prod", "sports.api", Principal.Type.SERVICE, false },
+                { "+sports.prod", "athenz:group.dev-team", Principal.Type.GROUP, false },
+                { "+sports.prod", "sports.prod.api", Principal.Type.SERVICE, true },
+                { "+sports.prod", "sports.prod.west2.api", Principal.Type.SERVICE, true },
+                { "+sports.prod", "weather.api", Principal.Type.SERVICE, false },
+                { "user,+sports,-sports.prod", "user.joe", Principal.Type.USER, true },
+                { "user,+sports,-sports.prod", "sports.api", Principal.Type.SERVICE, true },
+                { "user,+sports,-sports.prod", "sports.dev.api", Principal.Type.SERVICE, true },
+                { "user,+sports,-sports.prod", "sports.prod.api", Principal.Type.SERVICE, false },
+                { "user,+sports,-sports.prod", "sports.prod.west2.api", Principal.Type.SERVICE, false },
+                { "user,+sports,-sports.prod", "weather.api", Principal.Type.SERVICE, false },
+                { "user,+sports,-sports.prod", "athenz:group.dev-team", Principal.Type.GROUP, false },
+                { "+sports,-sports.prod", "user.joe", Principal.Type.USER, false },
+                { "+sports,-sports.prod", "sports.api", Principal.Type.SERVICE, true },
+                { "+sports,-sports.prod", "sports.dev.api", Principal.Type.SERVICE, true },
+                { "+sports,-sports.prod", "sports.prod.api", Principal.Type.SERVICE, false },
+                { "+sports,-sports.prod", "sports.prod.west2.api", Principal.Type.SERVICE, false },
+                { "+sports,-sports.prod", "weather.api", Principal.Type.SERVICE, false },
+                { "+sports,-sports.prod", "athenz:group.dev-team", Principal.Type.GROUP, false },
+        };
+    }
+    @Test(dataProvider = "DomainFilterData")
+    public void testDomainFilterValidation(String filter, String principalName, Principal.Type type, boolean expectedResult) {
+        PrincipalDomainFilter domainFilter = new PrincipalDomainFilter(filter);
+        assertEquals(domainFilter.validate(principalName, type), expectedResult);
+    }
+
+    @Test
+    public void testPutRoleWithDomainFilter() {
+
+        ZMSImpl zmsImpl = zmsTestInitializer.getZms();
+        RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx();
+        final String auditRef = zmsTestInitializer.getAuditRef();
+
+        final String domainName = "role-with-domain-filter";
+        TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName,
+                "Test Domain1", "testOrg", "user.user1");
+        zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1);
+
+        TopLevelDomain dom2 = zmsTestInitializer.createTopLevelDomainObject("sports",
+                "Test Domain1", "testOrg", "user.user1");
+        zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom2);
+
+        ServiceIdentity service1 = zmsTestInitializer.createServiceObject("sports", "api",
+                "http://localhost:8080", null, null, null, null);
+        zmsImpl.putServiceIdentity(ctx, "sports", "api", auditRef, false, null, service1);
+
+        Group group1 = zmsTestInitializer.createGroupObject("sports", "group1", null, null);
+        zmsImpl.putGroup(ctx, "sports", "group1", auditRef, false, null, group1);
+
+        SubDomain subDom1 = zmsTestInitializer.createSubDomainObject("prod", "sports", "Test Domain1",
+                "testOrg", "user.user1");
+        zmsImpl.postSubDomain(ctx, "sports", auditRef, null, subDom1);
+
+        ServiceIdentity service2 = zmsTestInitializer.createServiceObject("sports.prod", "api",
+                "http://localhost:8080", null, null, null, null);
+        zmsImpl.putServiceIdentity(ctx, "sports.prod", "api", auditRef, false, null, service2);
+
+        SubDomain subDom2 = zmsTestInitializer.createSubDomainObject("dev", "sports", "Test Domain1",
+                "testOrg", "user.user1");
+        zmsImpl.postSubDomain(ctx, "sports", auditRef, null, subDom2);
+
+        ServiceIdentity service3 = zmsTestInitializer.createServiceObject("sports.dev", "api",
+                "http://localhost:8080", null, null, null, null);
+        zmsImpl.putServiceIdentity(ctx, "sports.dev", "api", auditRef, false, null, service3);
+
+        // add a role with the domain filter and allowed members
+
+        List<RoleMember> roleMembers = new ArrayList<>();
+        roleMembers.add(new RoleMember().setMemberName("user.user1"));
+        roleMembers.add(new RoleMember().setMemberName("sports.api"));
+        roleMembers.add(new RoleMember().setMemberName("sports:group.group1"));
+        roleMembers.add(new RoleMember().setMemberName("sports.dev.api"));
+
+        final String roleName1 = "filter-role1";
+        Role role1 = zmsTestInitializer.createRoleObject(domainName, roleName1, null, roleMembers);
+        role1.setPrincipalDomainFilter("user,+sports,-sports.prod");
+        zmsImpl.putRole(ctx, domainName, roleName1, auditRef, false, null, role1);
+
+        // add a role with the domain filter and no allowed members
+
+        roleMembers = new ArrayList<>();
+        roleMembers.add(new RoleMember().setMemberName("user.user1"));
+        roleMembers.add(new RoleMember().setMemberName("sports.api"));
+        roleMembers.add(new RoleMember().setMemberName("sports:group.group1"));
+        roleMembers.add(new RoleMember().setMemberName("sports.dev.api"));
+        roleMembers.add(new RoleMember().setMemberName("sports.prod.api"));
+        role1.setRoleMembers(roleMembers);
+
+        // sports.prod.api should be rejected
+
+        try {
+            zmsImpl.putRole(ctx, domainName, roleName1, auditRef, false, null, role1);
+            fail();
+        } catch (ResourceException ex) {
+            assertEquals(ex.getCode(), 400);
+            assertEquals(ex.getMessage().contains("Principal sports.prod.api is not allowed for the role"), true);
+        }
+
+        zmsImpl.deleteSubDomain(ctx, "sports", "dev", auditRef, null);
+        zmsImpl.deleteSubDomain(ctx, "sports", "prod", auditRef, null);
+        zmsImpl.deleteMembership(ctx, domainName, roleName1, "sports:group.group1", auditRef, null);
+        zmsImpl.deleteTopLevelDomain(ctx, "sports", auditRef, null);
+        zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null);
+    }
+
+    @Test
+    public void testPutRoleMembershipWithDomainFilter() {
+
+        ZMSImpl zmsImpl = zmsTestInitializer.getZms();
+        RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx();
+        final String auditRef = zmsTestInitializer.getAuditRef();
+
+        final String domainName = "role-mbr-with-domain-filter";
+        TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName,
+                "Test Domain1", "testOrg", "user.user1");
+        zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1);
+
+        TopLevelDomain dom2 = zmsTestInitializer.createTopLevelDomainObject("sports",
+                "Test Domain1", "testOrg", "user.user1");
+        zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom2);
+
+        ServiceIdentity service1 = zmsTestInitializer.createServiceObject("sports", "api",
+                "http://localhost:8080", null, null, null, null);
+        zmsImpl.putServiceIdentity(ctx, "sports", "api", auditRef, false, null, service1);
+
+        Group group1 = zmsTestInitializer.createGroupObject("sports", "group1", null, null);
+        zmsImpl.putGroup(ctx, "sports", "group1", auditRef, false, null, group1);
+
+        SubDomain subDom1 = zmsTestInitializer.createSubDomainObject("prod", "sports", "Test Domain1",
+                "testOrg", "user.user1");
+        zmsImpl.postSubDomain(ctx, "sports", auditRef, null, subDom1);
+
+        ServiceIdentity service2 = zmsTestInitializer.createServiceObject("sports.prod", "api",
+                "http://localhost:8080", null, null, null, null);
+        zmsImpl.putServiceIdentity(ctx, "sports.prod", "api", auditRef, false, null, service2);
+
+        SubDomain subDom2 = zmsTestInitializer.createSubDomainObject("dev", "sports", "Test Domain1",
+                "testOrg", "user.user1");
+        zmsImpl.postSubDomain(ctx, "sports", auditRef, null, subDom2);
+
+        ServiceIdentity service3 = zmsTestInitializer.createServiceObject("sports.dev", "api",
+                "http://localhost:8080", null, null, null, null);
+        zmsImpl.putServiceIdentity(ctx, "sports.dev", "api", auditRef, false, null, service3);
+
+        // add a role with the domain filter
+
+        final String roleName1 = "filter-role1";
+        Role role1 = zmsTestInitializer.createRoleObject(domainName, roleName1, null, null);
+        role1.setPrincipalDomainFilter("user,+sports,-sports.prod");
+        zmsImpl.putRole(ctx, domainName, roleName1, auditRef, false, null, role1);
+
+        // user.user1 should be able to be added to the role
+
+        Membership membership = new Membership().setMemberName("user.user1");
+        zmsImpl.putMembership(ctx, domainName, roleName1, "user.user1", auditRef, false, null, membership);
+
+        // sports.api should be able to be added to the role
+
+        membership = new Membership().setMemberName("sports.api");
+        zmsImpl.putMembership(ctx, domainName, roleName1, "sports.api", auditRef, false, null, membership);
+
+        // sports:group.group1 should be allowed to be added to the role
+
+        membership = new Membership().setMemberName("sports:group.group1");
+        zmsImpl.putMembership(ctx, domainName, roleName1, "sports:group.group1", auditRef, false, null, membership);
+
+        // sports.dev.api should be able to be added to the role
+
+        membership = new Membership().setMemberName("sports.dev.api");
+        zmsImpl.putMembership(ctx, domainName, roleName1, "sports.dev.api", auditRef, false, null, membership);
+
+        // sports.prod.api should be rejected
+
+        membership = new Membership().setMemberName("sports.prod.api");
+        try {
+            zmsImpl.putMembership(ctx, domainName, roleName1, "sports.prod.api", auditRef, false, null, membership);
+            fail();
+        } catch (ResourceException ex) {
+            assertEquals(ex.getCode(), 400);
+            assertEquals(ex.getMessage().contains("Principal sports.prod.api is not allowed for the role"), true);
+        }
+
+        zmsImpl.deleteSubDomain(ctx, "sports", "dev", auditRef, null);
+        zmsImpl.deleteSubDomain(ctx, "sports", "prod", auditRef, null);
+        zmsImpl.deleteMembership(ctx, domainName, roleName1, "sports:group.group1", auditRef, null);
+        zmsImpl.deleteTopLevelDomain(ctx, "sports", auditRef, null);
+        zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null);
+    }
+
+    @Test
+    public void testPutGroupWithDomainFilter() {
+
+        ZMSImpl zmsImpl = zmsTestInitializer.getZms();
+        RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx();
+        final String auditRef = zmsTestInitializer.getAuditRef();
+
+        final String domainName = "group-with-domain-filter";
+        TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName,
+                "Test Domain1", "testOrg", "user.user1");
+        zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1);
+
+        TopLevelDomain dom2 = zmsTestInitializer.createTopLevelDomainObject("sports",
+                "Test Domain1", "testOrg", "user.user1");
+        zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom2);
+
+        ServiceIdentity service1 = zmsTestInitializer.createServiceObject("sports", "api",
+                "http://localhost:8080", null, null, null, null);
+        zmsImpl.putServiceIdentity(ctx, "sports", "api", auditRef, false, null, service1);
+
+        SubDomain subDom1 = zmsTestInitializer.createSubDomainObject("prod", "sports", "Test Domain1",
+                "testOrg", "user.user1");
+        zmsImpl.postSubDomain(ctx, "sports", auditRef, null, subDom1);
+
+        ServiceIdentity service2 = zmsTestInitializer.createServiceObject("sports.prod", "api",
+                "http://localhost:8080", null, null, null, null);
+        zmsImpl.putServiceIdentity(ctx, "sports.prod", "api", auditRef, false, null, service2);
+
+        SubDomain subDom2 = zmsTestInitializer.createSubDomainObject("dev", "sports", "Test Domain1",
+                "testOrg", "user.user1");
+        zmsImpl.postSubDomain(ctx, "sports", auditRef, null, subDom2);
+
+        ServiceIdentity service3 = zmsTestInitializer.createServiceObject("sports.dev", "api",
+                "http://localhost:8080", null, null, null, null);
+        zmsImpl.putServiceIdentity(ctx, "sports.dev", "api", auditRef, false, null, service3);
+
+        // add a group with the domain filter and allowed members
+
+        List<GroupMember> groupMembers = new ArrayList<>();
+        groupMembers.add(new GroupMember().setMemberName("user.user1"));
+        groupMembers.add(new GroupMember().setMemberName("sports.api"));
+        groupMembers.add(new GroupMember().setMemberName("sports.dev.api"));
+
+        final String groupName1 = "filter-group1";
+        Group group1 = zmsTestInitializer.createGroupObject(domainName, groupName1, groupMembers);
+        group1.setPrincipalDomainFilter("user,+sports,-sports.prod");
+        zmsImpl.putGroup(ctx, domainName, groupName1, auditRef, false, null, group1);
+
+        // add a group with the domain filter and no allowed members
+
+        groupMembers = new ArrayList<>();
+        groupMembers.add(new GroupMember().setMemberName("user.user1"));
+        groupMembers.add(new GroupMember().setMemberName("sports.api"));
+        groupMembers.add(new GroupMember().setMemberName("sports.dev.api"));
+        groupMembers.add(new GroupMember().setMemberName("sports.prod.api"));
+        group1.setGroupMembers(groupMembers);
+
+        // sports.prod.api should be rejected
+
+        try {
+            zmsImpl.putGroup(ctx, domainName, groupName1, auditRef, false, null, group1);
+            fail();
+        } catch (ResourceException ex) {
+            assertEquals(ex.getCode(), 400);
+            assertEquals(ex.getMessage().contains("Principal sports.prod.api is not allowed for the group"), true);
+        }
+
+        zmsImpl.deleteSubDomain(ctx, "sports", "dev", auditRef, null);
+        zmsImpl.deleteSubDomain(ctx, "sports", "prod", auditRef, null);
+        zmsImpl.deleteTopLevelDomain(ctx, "sports", auditRef, null);
+        zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null);
+    }
+
+    @Test
+    public void testPutGroupMembershipWithDomainFilter() {
+
+        ZMSImpl zmsImpl = zmsTestInitializer.getZms();
+        RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx();
+        final String auditRef = zmsTestInitializer.getAuditRef();
+
+        final String domainName = "group-mbr-with-domain-filter";
+        TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName,
+                "Test Domain1", "testOrg", "user.user1");
+        zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1);
+
+        TopLevelDomain dom2 = zmsTestInitializer.createTopLevelDomainObject("sports",
+                "Test Domain1", "testOrg", "user.user1");
+        zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom2);
+
+        ServiceIdentity service1 = zmsTestInitializer.createServiceObject("sports", "api",
+                "http://localhost:8080", null, null, null, null);
+        zmsImpl.putServiceIdentity(ctx, "sports", "api", auditRef, false, null, service1);
+
+        SubDomain subDom1 = zmsTestInitializer.createSubDomainObject("prod", "sports", "Test Domain1",
+                "testOrg", "user.user1");
+        zmsImpl.postSubDomain(ctx, "sports", auditRef, null, subDom1);
+
+        ServiceIdentity service2 = zmsTestInitializer.createServiceObject("sports.prod", "api",
+                "http://localhost:8080", null, null, null, null);
+        zmsImpl.putServiceIdentity(ctx, "sports.prod", "api", auditRef, false, null, service2);
+
+        SubDomain subDom2 = zmsTestInitializer.createSubDomainObject("dev", "sports", "Test Domain1",
+                "testOrg", "user.user1");
+        zmsImpl.postSubDomain(ctx, "sports", auditRef, null, subDom2);
+
+        ServiceIdentity service3 = zmsTestInitializer.createServiceObject("sports.dev", "api",
+                "http://localhost:8080", null, null, null, null);
+        zmsImpl.putServiceIdentity(ctx, "sports.dev", "api", auditRef, false, null, service3);
+
+        // add a group with the domain filter
+
+        final String groupName1 = "filter-group1";
+        Group group1 = zmsTestInitializer.createGroupObject(domainName, groupName1, null, null);
+        group1.setPrincipalDomainFilter("user,+sports,-sports.prod");
+        zmsImpl.putGroup(ctx, domainName, groupName1, auditRef, false, null, group1);
+
+        // user.user1 should be able to be added to the group
+
+        GroupMembership membership = new GroupMembership().setMemberName("user.user1");
+        zmsImpl.putGroupMembership(ctx, domainName, groupName1, "user.user1", auditRef, false, null, membership);
+
+        // sports.api should be able to be added to the group
+
+        membership = new GroupMembership().setMemberName("sports.api");
+        zmsImpl.putGroupMembership(ctx, domainName, groupName1, "sports.api", auditRef, false, null, membership);
+
+        // sports.dev.api should be able to be added to the group
+
+        membership = new GroupMembership().setMemberName("sports.dev.api");
+        zmsImpl.putGroupMembership(ctx, domainName, groupName1, "sports.dev.api", auditRef, false, null, membership);
+
+        // sports.prod.api should be rejected
+
+        membership = new GroupMembership().setMemberName("sports.prod.api");
+        try {
+            zmsImpl.putGroupMembership(ctx, domainName, groupName1, "sports.prod.api", auditRef, false, null, membership);
+            fail();
+        } catch (ResourceException ex) {
+            assertEquals(ex.getCode(), 400);
+            assertEquals(ex.getMessage().contains("Principal sports.prod.api is not allowed for the group"), true);
+        }
+
+        zmsImpl.deleteSubDomain(ctx, "sports", "dev", auditRef, null);
+        zmsImpl.deleteSubDomain(ctx, "sports", "prod", auditRef, null);
+        zmsImpl.deleteTopLevelDomain(ctx, "sports", auditRef, null);
+        zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null);
+    }
+
+    @Test
+    public void testUnknownDomainFilterName() {
+
+        ZMSImpl zmsImpl = zmsTestInitializer.getZms();
+        RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx();
+        final String auditRef = zmsTestInitializer.getAuditRef();
+
+        final String domainName = "unknown-domain-filter-name";
+        TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName,
+                "Test Domain1", "testOrg", "user.user1");
+        zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1);
+
+        try {
+            Role role1 = zmsTestInitializer.createRoleObject(domainName, "role1", null, null);
+            role1.setPrincipalDomainFilter("user,unknown-domain-name");
+            zmsImpl.putRole(ctx, domainName, "role1", auditRef, false, null, role1);
+            fail();
+        } catch (ResourceException ex) {
+            assertEquals(ex.getCode(), 400);
+            assertTrue(ex.getMessage().contains("No such domain: unknown-domain-name"));
+        }
+
+        try {
+            Group group1 = zmsTestInitializer.createGroupObject(domainName, "group1", null, null);
+            group1.setPrincipalDomainFilter("user,unknown-domain-name");
+            zmsImpl.putGroup(ctx, domainName, "group1", auditRef, false, null, group1);
+            fail();
+        } catch (ResourceException ex) {
+            assertEquals(ex.getCode(), 400);
+            assertTrue(ex.getMessage().contains("No such domain: unknown-domain-name"));
+        }
+
+        zmsImpl.deleteTopLevelDomain(ctx, domainName, auditRef, null);
+    }
+}