From e23467faaf4b4e5033344d7e414faa606f97df46 Mon Sep 17 00:00:00 2001
From: Sergey Ivanov <delta_001@bk.ru>
Date: Thu, 14 Nov 2024 14:54:04 +0500
Subject: [PATCH] Intitial commit

---
 .github/workflows/build.yml                   |  32 +++
 .gitignore                                    |  79 +++++
 Readme.md                                     | 270 ++++++++++++++++++
 build.sh                                      |  10 +
 buildConfig.yaml                              |   4 +
 description.yaml                              |   9 +
 docker/Dockerfile                             |  50 ++++
 docker/docker-entrypoint.sh                   |   5 +
 docker/libraries.py                           | 201 +++++++++++++
 docker/requirements.txt                       |   5 +
 docker/status_provisioner.py                  | 131 +++++++++
 .../images/status-provisioner.drawio          | 114 ++++++++
 .../images/status-provisioner.drawio.png      | Bin 0 -> 38319 bytes
 13 files changed, 910 insertions(+)
 create mode 100644 .github/workflows/build.yml
 create mode 100644 .gitignore
 create mode 100644 build.sh
 create mode 100644 buildConfig.yaml
 create mode 100644 description.yaml
 create mode 100644 docker/Dockerfile
 create mode 100644 docker/docker-entrypoint.sh
 create mode 100644 docker/libraries.py
 create mode 100644 docker/requirements.txt
 create mode 100644 docker/status_provisioner.py
 create mode 100644 documentation/images/status-provisioner.drawio
 create mode 100644 documentation/images/status-provisioner.drawio.png

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..db72edc
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,32 @@
+name: Build Artifacts
+on:
+  push:
+    branches:
+      - '**'
+
+jobs:
+  multiplatform_build:
+    strategy:
+      fail-fast: false
+      matrix:
+        component:
+          - name: deployment-status-provisioner
+            file: docker/Dockerfile
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          no-cache: true
+          context: ${{ matrix.component.dir }}
+          file: ${{ matrix.component.file }}
+          platforms: linux/amd64,linux/arm64
+          push: false
+          tags: ${{ matrix.component.name }}
+          provenance: false
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..0307310
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,79 @@
+.idea/
+# Temporary Build Files
+build/_output
+build/_test
+# Created by https://www.gitignore.io/api/go,vim,emacs,visualstudiocode
+### Emacs ###
+# -*- mode: gitignore; -*-
+*~
+\#*\#
+/.emacs.desktop
+/.emacs.desktop.lock
+*.elc
+auto-save-list
+tramp
+.\#*
+# Org-mode
+.org-id-locations
+*_archive
+# flymake-mode
+*_flymake.*
+# eshell files
+/eshell/history
+/eshell/lastdir
+# elpa packages
+/elpa/
+# reftex files
+*.rel
+# AUCTeX auto folder
+/auto/
+# cask packages
+.cask/
+dist/
+# Flycheck
+flycheck_*.el
+# server auth directory
+/server/
+# projectiles files
+.projectile
+projectile-bookmarks.eld
+# directory configuration
+.dir-locals.el
+# saveplace
+places
+# url cache
+url/cache/
+# cedet
+ede-projects.el
+# smex
+smex-items
+# company-statistics
+company-statistics-cache.el
+# anaconda-mode
+anaconda-mode/
+### Go ###
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+# Test binary, build with 'go test -c'
+*.test
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+### Vim ###
+# swap
+.sw[a-p]
+.*.sw[a-p]
+# session
+Session.vim
+# temporary
+.netrwhist
+# auto-generated tag files
+tags
+### VisualStudioCode ###
+.vscode/*
+.history
+# End of https://www.gitignore.io/api/go,vim,emacs,visualstudiocode
+*.iml
\ No newline at end of file
diff --git a/Readme.md b/Readme.md
index 8b13789..488d1f7 100644
--- a/Readme.md
+++ b/Readme.md
@@ -1 +1,271 @@
+This guide provides information about the usage of the Deployment Status Provisioner.
 
+Topics covered in this section:
+
+[[_TOC_]]
+
+# Overview
+
+Deployment Status Provisioner is a component for providing the overall service status in DP/App Deployer jobs.
+
+![status-provisioner](/documentation/images/status-provisioner.drawio.png)
+
+# Common information
+
+`Deployment Status Provisioner` is a component for providing the overall service status in DP/App Deployer jobs. It is
+used to receive statuses from all required service resources and specify the final result to a preselected resource from
+where the DP and App Deployers read the status.
+
+First of all, `Deployment Status Provisioner` checks readiness status of resources specified in `MONITORED_RESOURCES`
+parameter. If all resources are successfully started, the status condition displays the following message:
+
+```
+All components are in ready status.
+```
+
+If some resources are not started in the allotted time, status condition contains `RESOURCE_NAME component is not ready`
+message for each unready resource, where `RESOURCE_NAME` is the name of monitored resource.
+
+Then `Deployment Status Provisioner` checks the result of integration tests if it is necessary. If the integration tests
+fail, the status condition outputs a message from the `INTEGRATION_TESTS_RESOURCE` status. If they do not complete in
+the allotted time, you will see `Integration tests have not completed in INTEGRATION_TESTS_TIMEOUT seconds` message
+in the status condition. If the integration tests complete successfully, the status condition displays
+`Integration tests are successfully completed` message.
+
+You also can find information about monitored resources and array with failed resources in the pod logs.
+
+# Usage
+
+To use `Deployment Status Provisioner` you need to create a resource inside your Helm chart, which creates Pod with the
+latest image of `Deployment Status Provisioner` and the following parameters:
+
+The `INITIAL_WAIT` parameter specifies the time in seconds that the `Deployment Status Provisioner` waits before starting
+to check readiness status for monitored components. It is important for `upgrade` process. The default value is `30`.
+
+The `MONITORED_RESOURCES` parameter specifies the comma-separated list of resources that should be monitored by
+`Deployment Status Provisioner`. Each resource description should consist of **two** parts separated by space: resource
+kind and its name. There is ability to monitor readiness status only for the following resource kinds:
+
+* `DaemonSet`
+* `Deployment`
+* `Job`
+* `StatefulSet`
+
+For example, if you have Stateful Set with name `consul-server`, its description should look like `StatefulSet consul-server`.
+A complete example for this parameter would be `Deployment consul-backup-daemon, DaemonSet consul, StatefulSet consul-server, Job consul-server-acl-init`.
+This parameter is mandatory and does not have default value.
+
+The `MONITORED_CUSTOM_RESOURCES` parameter specifies the comma-separated list of custom resources that should be monitored by `Deployment Status Provisioner`. Each resource description should consist of **six** or **seven** parts separated by space:
+
+* `group` is the group of custom resource. It is required. For example, `netcracker.com`.
+* `version` is the version of custom resource. It is required. For example, `v1`.
+* `plural` is the custom resource's plural name. It is required. For example, `opensearchservices`.
+* `name` is the custom resource's name. It is required. For example, `opensearch`.
+* `expression` is the JSONPath (query language for JSON) expression to get custom resource status. It is required. For example, you need to get `type` field value from the following custom resource status if `reason` field is equal to `ReconcileCycleStatus`:
+
+  ```yaml
+  status:
+    conditions:
+      - lastTransitionTime: 2024-02-27 10:06:13.746985042 +0000 UTC m=+199.958634385
+        message: The deployment readiness status check is successful
+        reason: ReconcileCycleStatus
+        status: 'True'
+        type: Successful
+      - lastTransitionTime: 2024-02-27 10:06:08.714381731 +0000 UTC m=+194.926031082
+        message: Component pods are ready
+        reason: ComponentReadinessStatus
+        status: 'True'
+        type: Ready
+    disasterRecoveryStatus:
+      mode: ''
+      status: ''
+  ```
+
+  In that case required expression looks like `$.status.conditions[?(@.reason=='ReconcileCycleStatus')].type`. If you need to get status from a specific field (for example, `component.status`) in the following custom resource:
+
+  ```
+  apiVersion: netcracker.com/v1
+  kind: ComponentService
+  metadata:
+    creationTimestamp: '2024-02-27T10:02:51Z'
+    generation: 1
+    name: component
+    namespace: component-service
+  spec:
+    global:
+      podReadinessTimeout: 700
+      waitForPodsReady: true
+    component:
+      replicas: 3
+      resources:
+        limits:
+          cpu: 500m
+          memory: 1024Mi
+        requests:
+          cpu: 100m
+          memory: 1024Mi
+      status: Success
+  ```
+
+  you can specify `$.spec.component.status` expression. For more information, refer to [Python JSONPath Next-Generation](https://github.com/h2non/jsonpath-ng/blob/master/README.rst).
+
+* `successful condition` is the value that should be considered as successfully processed custom resource. It is required. For example, `Successful`.
+* `failed condition` is the value that should be considered as inability to process the custom resource. It is optional. If it is not specified, `Deployment Status Provisioner` will try to find `successful condition` before time runs out (`CR_PROCESSING_TIMEOUT`). For example, `Failed`.
+
+A complete example for this parameter would be as follows: 
+
+```
+netcracker.com v1 opensearchservices opensearch $.status.conditions[?(@.reason=='ReconcileCycleStatus')].type Successful Failed, netcracker.com v1 customservices name $.spec.status.type Ready
+```
+
+The `RESOURCE_TO_SET_STATUS` parameter specifies the characteristics of the resource to set the final status of the cluster.
+This parameter value should consist of **four** parts separated by space: resource group, version, plural and its name.
+For example, if you want to write down the status to `Job` named `consul-status-provisioner`, the value should look
+like `batch v1 jobs consul-status-provisioner`.
+This parameter is mandatory and does not have default value.
+
+The `NAMESPACE` parameter specifies the namespace in OpenShift/Kubernetes where all the monitored resources and resource
+to set status are located. This parameter is mandatory and does not have default value.
+
+The `CONDITION_REASON` parameter specifies the name of the condition reason that is used when setting the status condition
+for the `RESOURCE_TO_SET_STATUS` resource. For example, `ConsulServiceReadinessStatus`. The default value is `ServiceReadinessStatus`.
+
+The `SUCCESSFUL_CONDITION_TYPE` parameter specifies the condition type that is used when setting the successful status
+condition for the `RESOURCE_TO_SET_STATUS` resource. For example, `Success`. The default value is `Successful`.
+
+The `FAILED_CONDITION_TYPE` parameter specifies the condition type that is used when setting the failed status condition
+for the `RESOURCE_TO_SET_STATUS` resource. For example, `Fail`. The default value is `Failed`.
+
+The `POD_READINESS_TIMEOUT` parameter specifies the timeout in seconds that the `Deployment Status Provisioner` waits for
+each of the monitored resources to be ready or completed. The default value is `300`.
+
+The `CR_PROCESSING_TIMEOUT` parameter specifies the timeout in seconds the `Deployment Status Provisioner` waits for each of the monitored custom resources to have `successful` or `failed` status. The default value is `300`.
+
+The `INTEGRATION_TESTS_RESOURCE` parameter specifies the characteristics of the resource which the status of
+integration tests execution is stored in. This parameter value should consist of **four** parts separated by space:
+resource group, version, plural and its name. For example, if you want to read the integration tests status from `Deployment`
+named `consul-integration-tests-runner`, the value should look like `apps v1 deployments consul-integration-tests-runner`.
+This parameter should be specified only if you want the result of the integration tests to get inside the final cluster
+status. 
+
+The `INTEGRATION_TESTS_CONDITION_REASON` parameter specifies the name of the condition reason which meets the condition
+with the result of the integration tests in the `INTEGRATION_TESTS_RESOURCE` resource. The default value is `IntegrationTestsExecutionStatus`.
+This parameter is meaningless without `INTEGRATION_TESTS_RESOURCE` parameter.
+
+The `INTEGRATION_TESTS_SUCCESSFUL_CONDITION_TYPE` parameter specifies the condition type which corresponds to the successful
+result of the integration tests in the status condition of the `INTEGRATION_TESTS_RESOURCE` resource. The default value
+is `Ready`.
+This parameter is meaningless without `INTEGRATION_TESTS_RESOURCE` parameter.
+
+The `INTEGRATION_TESTS_TIMEOUT` parameter specifies the timeout in seconds that the `Deployment Status Provisioner` waits for
+successful or failed status condition in the `INTEGRATION_TESTS_RESOURCE` resource. The default value is `300`.
+This parameter is meaningless without `INTEGRATION_TESTS_RESOURCE` parameter.
+
+The `TREAT_STATUS_AS_FIELD` parameter specifies whether resource status should be treated as field. It is necessary when initially `RESOURCE_TO_SET_STATUS` does not have `Status` sub-resource. In that case status is set as a field to chosen resource. For example, it may be applicable for some of custom resources. The default value
+is `False`.
+
+# Example
+
+`Deployment Status Provisioner` job with only required environment variables looks like the follows:
+
+```yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: my-status-provisioner
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+  template:
+    metadata:
+      name: my-status-provisioner
+      labels:
+        component: status-provisioner
+    spec:
+      restartPolicy: Never
+      serviceAccountName: my-status-provisioner
+      containers:
+        - name: status-provisioner
+          image: artifactorycn.netcracker.com:17008/product/prod.platform.streaming_deployment-status-provisioner:master_latest
+          imagePullPolicy: "Always"
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: MONITORED_RESOURCES
+              value: "Deployment backup-daemon, StatefulSet server, Job server-acl-init"
+            - name: RESOURCE_TO_SET_STATUS
+              value: "batch v1 jobs my-status-provisioner"
+          resources:
+            requests:
+              memory: "50Mi"
+              cpu: "50m"
+            limits:
+              memory: "50Mi"
+              cpu: "50m"
+```
+**NOTE:** You cannot use artifactory Docker images in your Helm templates due to external environments, it is necessary to use `DeploymentDescriptor` values and to add deployment status provisioner to dependencies. For example:
+
+```yaml
+  - type: find-latest-deployment-descriptor
+    repo: PROD.Platform.Streaming/deployment-status-provisioner
+    location: 0.0.16
+    docker-image-id: timestamp
+    deploy-param: deploymentStatusProvisioner
+```
+
+You should also create `Service Account`, `Role Binding` and `Role` with permissions that allow `Deployment Status Provisioner`
+to work with your monitored resources.
+
+`Deployment Status Provisioner` role should allow to `get` statuses for all resources that are specified in the `MONITORED_RESOURCES`
+parameter. In addition, the role should give permissions to `get` and `patch` status for the resource from `RESOURCE_TO_SET_STATUS`
+parameter. So, according to the configured `Deployment Status Provisioner` job, the role should look like this:
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: my-status-provisioner
+rules:
+  - apiGroups:
+      - apps
+    resources:
+      - deployments/status
+      - statefulsets/status
+    verbs:
+      - get
+  - apiGroups:
+      - batch
+    resources:
+      - jobs/status
+    verbs:
+      - get
+      - patch
+```
+
+And the following `deployment-configuration.json` can be used:
+```yaml
+{
+  "statusPolling":{
+    "resourceType": "job.batch",
+    "resourceName": "my-status-provisioner",
+    "statusPath": "$.status.conditions[?(@.type=='Successful')]",
+    "statusPathFail": "$.status.conditions[?(@.type=='Failed')]",
+    "timeout": "${ CUSTOM_TIMEOUT_MIN ? CUSTOM_TIMEOUT_MIN : '10' }"
+  }
+}
+```
+
+The example of status subresource:
+```yaml
+status:
+  conditions:
+    - lastTransitionTime: 2023-10-31 07:45:28.487195606 +0000 UTC m=+74.412108827
+      message: The deployment readiness status check is successful
+      reason: ServiceReadinessStatus
+      status: 'True'
+      type: Successful
+```
+
+A complete example can be found in [Consul Service Templates](https://git.netcracker.com/PROD.Platform.Streaming/consul-service/-/tree/master/charts/helm/consul-service/templates/status-provisioner).
\ No newline at end of file
diff --git a/build.sh b/build.sh
new file mode 100644
index 0000000..ea91cb4
--- /dev/null
+++ b/build.sh
@@ -0,0 +1,10 @@
+DOCKER_FILE="docker/Dockerfile"
+
+echo "Build deployment status provisioner image"
+for docker_image_name in ${DOCKER_NAMES}; do
+  docker build \
+    --file=${DOCKER_FILE} \
+    --pull \
+    -t ${docker_image_name} \
+    .
+done
\ No newline at end of file
diff --git a/buildConfig.yaml b/buildConfig.yaml
new file mode 100644
index 0000000..e51abcb
--- /dev/null
+++ b/buildConfig.yaml
@@ -0,0 +1,4 @@
+type: image
+builders:
+   - docker:
+      file: docker/Dockerfile
diff --git a/description.yaml b/description.yaml
new file mode 100644
index 0000000..deca31c
--- /dev/null
+++ b/description.yaml
@@ -0,0 +1,9 @@
+build:
+  networkRules: nc.product.dtrust
+  env:
+    type: microservice
+    version: generic-1.0
+publication:
+  docker:
+    - latest
+    - timestamp
\ No newline at end of file
diff --git a/docker/Dockerfile b/docker/Dockerfile
new file mode 100644
index 0000000..463222c
--- /dev/null
+++ b/docker/Dockerfile
@@ -0,0 +1,50 @@
+FROM python:3.10.14-alpine3.20
+
+ENV STATUS_PROVISIONER_HOME=/opt/provisioner \
+    PYTHONUNBUFFERED=1
+
+
+COPY docker/requirements.txt ${STATUS_PROVISIONER_HOME}/requirements.txt
+COPY docker/docker-entrypoint.sh /
+COPY docker/*.py ${STATUS_PROVISIONER_HOME}/
+
+RUN set -x && apk add --upgrade --no-cache bash python3 apk-tools wget sed
+
+# Install kubectl - it is required for vault-service-status-provisioner-cleanup job
+ARG KUBECTL_VERSION="v1.30.1"
+RUN set -x \
+    && wget \
+        --no-check-certificate \
+        -nv \
+        -O "/usr/local/bin/kubectl" \
+        "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" \
+    && chmod +x "/usr/local/bin/kubectl"
+
+# Upgrade all tools to avoid vulnerabilities
+RUN set -x && apk upgrade --no-cache --available
+
+#Add unprivileged user
+RUN set -x \
+    && addgroup -S -g 1000 provisioner \
+    && adduser -s /bin/bash -S -G provisioner -u 1000 provisioner \
+    && addgroup provisioner root
+
+RUN set -x \
+    && python3 -m ensurepip \
+    && rm -r /usr/lib/python*/ensurepip \
+    && pip3 install --upgrade pip setuptools==70.0.0 \
+    && pip3 install -r ${STATUS_PROVISIONER_HOME}/requirements.txt \
+    && rm -rf /var/cache/apk/*
+
+RUN set -x \
+    && for path in \
+         /docker-entrypoint.sh \
+    ; do \
+        chmod +x "$path"; \
+        chgrp 0 "$path"; \
+    done
+
+WORKDIR ${STATUS_PROVISIONER_HOME}
+
+USER 1000:0
+ENTRYPOINT ["/docker-entrypoint.sh"]
diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh
new file mode 100644
index 0000000..6dd7263
--- /dev/null
+++ b/docker/docker-entrypoint.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+sleep ${INITIAL_WAIT:-30}
+echo "Status Provisioner have started calculating the state of the cluster"
+exec python ${STATUS_PROVISIONER_HOME}/status_provisioner.py $@
\ No newline at end of file
diff --git a/docker/libraries.py b/docker/libraries.py
new file mode 100644
index 0000000..c059ca4
--- /dev/null
+++ b/docker/libraries.py
@@ -0,0 +1,201 @@
+from datetime import datetime
+
+import kubernetes
+import urllib3
+from kubernetes.client import V1ComponentCondition, V1ComponentStatus
+
+DEFAULT_TIMEOUT = '300'
+
+
+class ConditionReason:
+    DEFAULT = 'ServiceReadinessStatus'
+    INTEGRATION_TESTS_DEFAULT = 'IntegrationTestsExecutionStatus'
+
+
+class ConditionType:
+    FAILED = 'Failed'
+    IN_PROGRESS = 'In Progress'
+    READY = 'Ready'
+    SUCCESSFUL = 'Successful'
+
+
+class ConditionStatus:
+    FALSE = 'False'
+    TRUE = 'True'
+
+
+class CustomResource(object):
+
+    def __init__(self, custom_resource: str):
+        parts = custom_resource.strip().split()
+        if len(parts) != 4:
+            raise Exception(f'The description of specified resource must contain 4 parts: '
+                            f'group, version, plural and name. But [{custom_resource}] is received.')
+        self.group = parts[0]
+        self.version = parts[1]
+        self.plural = parts[2]
+        self.name = parts[3]
+
+    def __str__(self):
+        return f'{self.group}/{self.version} {self.plural} {self.name}'
+
+
+def get_kubernetes_api_client(config_file=None, context=None, persist_config=True):
+    try:
+        kubernetes.config.load_incluster_config()
+        return kubernetes.client.ApiClient()
+    except kubernetes.config.ConfigException:
+        return kubernetes.config.new_client_from_config(config_file=config_file,
+                                                        context=context,
+                                                        persist_config=persist_config)
+
+
+class KubernetesLibrary(object):
+
+    def __init__(self,
+                 namespace: str,
+                 resource_to_set_status=None,
+                 config_file=None,
+                 context=None,
+                 persist_config=True):
+        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+        self.k8s_api_client = get_kubernetes_api_client(config_file=config_file,
+                                                        context=context,
+                                                        persist_config=persist_config)
+        self.k8s_apps_v1_client = kubernetes.client.AppsV1Api(self.k8s_api_client)
+        self.k8s_batch_v1_client = kubernetes.client.BatchV1Api(self.k8s_api_client)
+        self.custom_objects_api = kubernetes.client.CustomObjectsApi(self.k8s_api_client)
+        self.namespace = namespace
+        if resource_to_set_status:
+            self.status_resource = CustomResource(resource_to_set_status)
+
+    def delete_job(self, name):
+        self.k8s_batch_v1_client.delete_namespaced_job(name, self.namespace, propagation_policy='Background')
+
+    def is_resource_ready(self, resource_type: str, name: str) -> bool:
+        if resource_type == 'daemonset':
+            return self.is_daemon_set_ready(name)
+        elif resource_type == 'deployment':
+            return self.is_deployment_ready(name)
+        elif resource_type == 'job':
+            return self.is_job_succeeded(name)
+        elif resource_type == 'statefulset':
+            return self.is_stateful_set_ready(name)
+        else:
+            raise Exception(f'The type [{resource_type}] is not supported yet.')
+
+    def is_daemon_set_ready(self, name: str) -> bool:
+        daemon_set = self.k8s_apps_v1_client.read_namespaced_daemon_set_status(name, self.namespace)
+        return (daemon_set.status.desired_number_scheduled == daemon_set.status.number_ready
+                and daemon_set.status.desired_number_scheduled == daemon_set.status.updated_number_scheduled)
+
+    def is_deployment_ready(self, name: str) -> bool:
+        deployment = self.k8s_apps_v1_client.read_namespaced_deployment_status(name, self.namespace)
+        return (deployment.status.replicas == deployment.status.ready_replicas
+                and deployment.status.replicas == deployment.status.updated_replicas)
+
+    def is_job_succeeded(self, name: str) -> bool:
+        job = self.k8s_batch_v1_client.read_namespaced_job_status(name, self.namespace)
+        return job.status.succeeded == 1
+
+    def is_stateful_set_ready(self, name: str) -> bool:
+        stateful_set = self.k8s_apps_v1_client.read_namespaced_stateful_set_status(name, self.namespace)
+        return (stateful_set.status.replicas == stateful_set.status.ready_replicas
+                and stateful_set.status.replicas == stateful_set.status.updated_replicas)
+
+    def get_custom_resource(self, resource: CustomResource):
+        return self.custom_objects_api.get_namespaced_custom_object(resource.group, resource.version, self.namespace,
+                                                                    resource.plural, resource.name)
+
+    def get_custom_resource_status_condition(self, resource: CustomResource, condition_reason: str) -> dict:
+        resource_status = self.custom_objects_api.get_namespaced_custom_object_status(resource.group, resource.version,
+                                                                                      self.namespace, resource.plural,
+                                                                                      resource.name)
+        conditions = resource_status['status'].get('conditions')
+        if conditions:
+            for i, condition in enumerate(conditions):
+                if condition.get('reason') == condition_reason:
+                    return condition
+        return {}
+
+    def update_custom_resource_status_condition(self, new_condition: dict):
+        resource_status = self.custom_objects_api.get_namespaced_custom_object_status(self.status_resource.group,
+                                                                                      self.status_resource.version,
+                                                                                      self.namespace,
+                                                                                      self.status_resource.plural,
+                                                                                      self.status_resource.name)
+        status = resource_status.get('status')
+        if not status:
+            status = {}
+            resource_status['status'] = status
+        conditions = status.get('conditions')
+        if not conditions:
+            conditions = []
+        is_condition_found = False
+        for i, condition in enumerate(conditions):
+            if (condition.get('reason') == new_condition['reason']
+                    or condition.get('reason') is None and condition.get('message') == new_condition['reason']):
+                conditions[i] = new_condition
+                is_condition_found = True
+                break
+        if not is_condition_found:
+            conditions.append(new_condition)
+
+        resource_status['status']['conditions'] = conditions
+        self.custom_objects_api.patch_namespaced_custom_object_status(self.status_resource.group,
+                                                                      self.status_resource.version,
+                                                                      self.namespace,
+                                                                      self.status_resource.plural,
+                                                                      self.status_resource.name,
+                                                                      resource_status)
+
+    def update_custom_resource_status_as_field(self, new_condition: dict):
+        custom_resource = self.custom_objects_api.get_namespaced_custom_object(self.status_resource.group,
+                                                                               self.status_resource.version,
+                                                                               self.namespace,
+                                                                               self.status_resource.plural,
+                                                                               self.status_resource.name)
+        status = custom_resource.get('status', None)
+        if status:
+            conditions = status.get('conditions', [])
+        else:
+            conditions = []
+        is_condition_found = False
+        new_condition = V1ComponentCondition(
+            type=new_condition['type'],
+            status=new_condition['status'],
+            message=new_condition['reason']
+        )
+        for i, condition in enumerate(conditions):
+            if condition.get('message') == new_condition.message:
+                conditions[i] = new_condition
+                is_condition_found = True
+                break
+        if not is_condition_found:
+            conditions.append(new_condition)
+
+        status = V1ComponentStatus(conditions=conditions)
+        custom_resource['status'] = status
+        self.custom_objects_api.patch_namespaced_custom_object(self.status_resource.group,
+                                                               self.status_resource.version,
+                                                               self.namespace,
+                                                               self.status_resource.plural,
+                                                               self.status_resource.name,
+                                                               custom_resource)
+
+
+class Condition(object):
+
+    def __init__(self, reason: str, successful_type):
+        self.reason = reason
+        self.successful_type = successful_type
+
+    def get_condition(self, type: str, message: str):
+        return {
+            'type': type,
+            'status': ConditionStatus.TRUE if type == self.successful_type else ConditionStatus.FALSE,
+            'lastTransitionTime': datetime.utcnow().isoformat()[:-3] + 'Z',
+            'reason': self.reason,
+            'message': message
+        }
diff --git a/docker/requirements.txt b/docker/requirements.txt
new file mode 100644
index 0000000..a26b668
--- /dev/null
+++ b/docker/requirements.txt
@@ -0,0 +1,5 @@
+cachetools==5.0.0
+PyYAML==6.0.1
+certifi==2023.7.22
+kubernetes==12.0.1
+jsonpath-ng==1.6.1
\ No newline at end of file
diff --git a/docker/status_provisioner.py b/docker/status_provisioner.py
new file mode 100644
index 0000000..277feb1
--- /dev/null
+++ b/docker/status_provisioner.py
@@ -0,0 +1,131 @@
+import os
+import time
+
+from jsonpath_ng.ext import parse
+
+from libraries import KubernetesLibrary, Condition, ConditionReason, ConditionType, CustomResource, DEFAULT_TIMEOUT
+
+
+def get_resources_statuses(resources: str, kubernetes_library: KubernetesLibrary) -> []:
+    timeout = int(os.getenv('POD_READINESS_TIMEOUT', DEFAULT_TIMEOUT))
+    statuses = []
+    resources_list = resources.split(',') if resources else []
+    for resource in resources_list:
+        resource = resource.strip()
+        print(f'Processing [{resource}] resource')
+        parts = resource.split()
+        if len(parts) != 2:
+            raise Exception(f'Resource description must contain 2 parts: type and name. '
+                            f'But [{resource}] is received.')
+        resource_type = parts[0].lower()
+        resource_name = parts[1]
+        start_time = time.time()
+        message = f'[{resource_name}] component is not ready.'
+        while start_time + timeout > time.time():
+            if kubernetes_library.is_resource_ready(resource_type, resource_name):
+                message = ''
+                break
+            time.sleep(5)
+        statuses.append(message)
+    return statuses
+
+
+def get_custom_resources_statuses(custom_resources: str, kubernetes_library: KubernetesLibrary) -> []:
+    timeout = int(os.getenv('CR_PROCESSING_TIMEOUT', DEFAULT_TIMEOUT))
+    statuses = []
+    resources_list = custom_resources.split(',') if custom_resources else []
+    for resource in resources_list:
+        resource = resource.strip()
+        parts = resource.split()
+        if len(parts) != 6 and len(parts) != 7:
+            raise Exception(f'Resource description must contain 6 or 7 parts. But [{resource}] is received.')
+        expression = parts[4]
+        successful_condition = parts[5]
+        failed_condition = parts[6] if len(parts) == 7 else None
+        custom_resource = CustomResource(resource.split(expression)[0])
+        print(f'Processing [{custom_resource}] custom resource')
+
+        message = f'[{custom_resource}] custom resource does not have successful condition after {timeout} seconds.'
+        jsonpath_expression = parse(expression)
+        start_time = time.time()
+        while start_time + timeout > time.time():
+            cr = kubernetes_library.get_custom_resource(custom_resource)
+            match = jsonpath_expression.find(cr)
+            if match:
+                if match[-1].value == successful_condition:
+                    message = ''
+                    break
+                if failed_condition and match[-1].value == failed_condition:
+                    message = (f'Processing status of [{custom_resource}] custom resource is {failed_condition}. '
+                               f'For more details, check custom resource status.')
+                    break
+            time.sleep(5)
+        statuses.append(message)
+    return statuses
+
+
+def get_integration_tests_status(integration_tests_resource: str, kubernetes_library: KubernetesLibrary) -> str:
+    integration_tests_condition_reason = os.getenv('INTEGRATION_TESTS_CONDITION_REASON',
+                                                   ConditionReason.INTEGRATION_TESTS_DEFAULT)
+    integration_tests_successful_condition_type = os.getenv('INTEGRATION_TESTS_SUCCESSFUL_CONDITION_TYPE',
+                                                            ConditionType.READY)
+    integration_tests_timeout = int(os.getenv('INTEGRATION_TESTS_TIMEOUT', DEFAULT_TIMEOUT))
+
+    resource = CustomResource(integration_tests_resource)
+    print(f'Processing integration tests status from [{resource.name}] resource')
+    start_time = time.time()
+    while start_time + integration_tests_timeout > time.time():
+        condition = kubernetes_library.get_custom_resource_status_condition(resource,
+                                                                            integration_tests_condition_reason)
+        if condition and condition.get('type') != ConditionType.IN_PROGRESS:
+            return '' if condition.get('type') == integration_tests_successful_condition_type else condition.get(
+                'message')
+        time.sleep(5)
+    return f'Integration tests have not completed in {integration_tests_timeout} seconds.'
+
+
+if __name__ == '__main__':
+    monitored_resources = os.getenv('MONITORED_RESOURCES')
+    monitored_custom_resources = os.getenv('MONITORED_CUSTOM_RESOURCES')
+    namespace = os.getenv('NAMESPACE')
+    resource_to_set_status = os.getenv('RESOURCE_TO_SET_STATUS')
+    treat_status_as_field = os.getenv('TREAT_STATUS_AS_FIELD', False)
+    if (monitored_resources or monitored_custom_resources) and namespace and resource_to_set_status:
+        condition_reason = os.getenv('CONDITION_REASON', ConditionReason.DEFAULT)
+        successful_condition_type = os.getenv('SUCCESSFUL_CONDITION_TYPE', ConditionType.SUCCESSFUL)
+        failed_condition_type = os.getenv('FAILED_CONDITION_TYPE', ConditionType.FAILED)
+        kubernetes_library = KubernetesLibrary(namespace, resource_to_set_status)
+        condition_library = Condition(condition_reason, successful_condition_type)
+        successful_status_message = 'All components are in ready status.'
+
+        # Update status condition with 'In Progress' state
+        status_condition = condition_library.get_condition(ConditionType.IN_PROGRESS,
+                                                           'Computing of cluster state is in progress')
+        if treat_status_as_field:
+            kubernetes_library.update_custom_resource_status_as_field(status_condition)
+        else:
+            kubernetes_library.update_custom_resource_status_condition(status_condition)
+
+        # Calculates statuses of resources specified in MONITORED_RESOURCES parameter.
+        received_statuses = get_resources_statuses(monitored_resources, kubernetes_library)
+
+        # Calculates statuses of custom resources specified in MONITORED_CUSTOM_RESOURCES parameter.
+        received_statuses.extend(get_custom_resources_statuses(monitored_custom_resources, kubernetes_library))
+
+        # Receive the results of running integration tests
+        integration_tests_resource = os.getenv('INTEGRATION_TESTS_RESOURCE')
+        if integration_tests_resource:
+            successful_status_message = f'{successful_status_message} Integration tests are successfully completed.'
+            integration_tests_status = get_integration_tests_status(integration_tests_resource, kubernetes_library)
+            received_statuses.append(integration_tests_status)
+
+        # Update status condition with final state
+        received_statuses = list(filter(None, received_statuses))
+        print(f'Failed components statuses are {received_statuses}')
+        condition_type = failed_condition_type if len(received_statuses) else successful_condition_type
+        condition_message = ' '.join(received_statuses) if len(received_statuses) else successful_status_message
+        status_condition = condition_library.get_condition(condition_type, condition_message)
+        if treat_status_as_field:
+            kubernetes_library.update_custom_resource_status_as_field(status_condition)
+        else:
+            kubernetes_library.update_custom_resource_status_condition(status_condition)
diff --git a/documentation/images/status-provisioner.drawio b/documentation/images/status-provisioner.drawio
new file mode 100644
index 0000000..688731b
--- /dev/null
+++ b/documentation/images/status-provisioner.drawio
@@ -0,0 +1,114 @@
+<mxfile host="app.diagrams.net" modified="2023-11-08T07:07:51.033Z" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" etag="L0LDQDVxLOY-KXVk-Opl" version="22.0.0" type="device">
+  <diagram name="Страница — 1" id="9KN6D9DLXYpE19z69_vw">
+    <mxGraphModel dx="913" dy="499" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="827" pageHeight="1169" math="0" shadow="0">
+      <root>
+        <mxCell id="0" />
+        <mxCell id="1" parent="0" />
+        <mxCell id="zlBrMga1oscnO7P-FWvH-27" value="" style="rounded=0;whiteSpace=wrap;html=1;fillColor=none;dashed=1;" vertex="1" parent="1">
+          <mxGeometry x="240" y="160" width="230" height="360" as="geometry" />
+        </mxCell>
+        <mxCell id="zlBrMga1oscnO7P-FWvH-3" value="" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;" edge="1" parent="1" source="zlBrMga1oscnO7P-FWvH-1" target="zlBrMga1oscnO7P-FWvH-2">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="zlBrMga1oscnO7P-FWvH-1" value="&lt;font style=&quot;font-size: 14px;&quot;&gt;Deployer&lt;/font&gt;" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#dae8fc;strokeColor=#6c8ebf;" vertex="1" parent="1">
+          <mxGeometry x="60" y="110" width="120" height="30" as="geometry" />
+        </mxCell>
+        <mxCell id="zlBrMga1oscnO7P-FWvH-15" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" edge="1" parent="1" source="zlBrMga1oscnO7P-FWvH-2" target="zlBrMga1oscnO7P-FWvH-4">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="zlBrMga1oscnO7P-FWvH-16" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" edge="1" parent="1" source="zlBrMga1oscnO7P-FWvH-2" target="zlBrMga1oscnO7P-FWvH-6">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="zlBrMga1oscnO7P-FWvH-17" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" edge="1" parent="1" source="zlBrMga1oscnO7P-FWvH-2" target="zlBrMga1oscnO7P-FWvH-7">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="zlBrMga1oscnO7P-FWvH-18" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" edge="1" parent="1" source="zlBrMga1oscnO7P-FWvH-2" target="zlBrMga1oscnO7P-FWvH-8">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="zlBrMga1oscnO7P-FWvH-21" value="" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;" edge="1" parent="1" source="zlBrMga1oscnO7P-FWvH-2" target="zlBrMga1oscnO7P-FWvH-20">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="zlBrMga1oscnO7P-FWvH-2" value="" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#dae8fc;strokeColor=#6c8ebf;" vertex="1" parent="1">
+          <mxGeometry x="110" y="192.5" width="20" height="30" as="geometry" />
+        </mxCell>
+        <mxCell id="zlBrMga1oscnO7P-FWvH-4" value="Deployment" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#d5e8d4;strokeColor=#82b366;" vertex="1" parent="1">
+          <mxGeometry x="270" y="185" width="120" height="45" as="geometry" />
+        </mxCell>
+        <mxCell id="zlBrMga1oscnO7P-FWvH-6" value="Job" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#d5e8d4;strokeColor=#82b366;" vertex="1" parent="1">
+          <mxGeometry x="270" y="250" width="120" height="45" as="geometry" />
+        </mxCell>
+        <mxCell id="zlBrMga1oscnO7P-FWvH-7" value="StatefulSet" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#d5e8d4;strokeColor=#82b366;" vertex="1" parent="1">
+          <mxGeometry x="270" y="320" width="120" height="45" as="geometry" />
+        </mxCell>
+        <mxCell id="zlBrMga1oscnO7P-FWvH-9" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=1;entryY=0.5;entryDx=0;entryDy=0;" edge="1" parent="1" source="zlBrMga1oscnO7P-FWvH-8" target="zlBrMga1oscnO7P-FWvH-7">
+          <mxGeometry relative="1" as="geometry">
+            <Array as="points">
+              <mxPoint x="410" y="440" />
+              <mxPoint x="410" y="343" />
+            </Array>
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="zlBrMga1oscnO7P-FWvH-10" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=1;entryY=0.5;entryDx=0;entryDy=0;" edge="1" parent="1" target="zlBrMga1oscnO7P-FWvH-6">
+          <mxGeometry relative="1" as="geometry">
+            <mxPoint x="370" y="440" as="sourcePoint" />
+            <mxPoint x="370" y="272.5" as="targetPoint" />
+            <Array as="points">
+              <mxPoint x="420" y="440" />
+              <mxPoint x="420" y="273" />
+            </Array>
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="zlBrMga1oscnO7P-FWvH-8" value="Deployment Status Provisioner" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#dae8fc;strokeColor=#6c8ebf;fontStyle=1" vertex="1" parent="1">
+          <mxGeometry x="270" y="410" width="120" height="60" as="geometry" />
+        </mxCell>
+        <mxCell id="zlBrMga1oscnO7P-FWvH-12" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=1;entryY=0.5;entryDx=0;entryDy=0;exitX=1;exitY=0.5;exitDx=0;exitDy=0;" edge="1" parent="1" source="zlBrMga1oscnO7P-FWvH-8">
+          <mxGeometry relative="1" as="geometry">
+            <mxPoint x="370" y="377" as="sourcePoint" />
+            <mxPoint x="390" y="210" as="targetPoint" />
+            <Array as="points">
+              <mxPoint x="430" y="440" />
+              <mxPoint x="430" y="210" />
+            </Array>
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="zlBrMga1oscnO7P-FWvH-19" value="Deploy" style="text;html=1;strokeColor=none;fillColor=none;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;labelBorderColor=#FFFFFF;labelBackgroundColor=#FFFFFF;fontSize=15;" vertex="1" parent="1">
+          <mxGeometry x="150" y="240" width="80" height="30" as="geometry" />
+        </mxCell>
+        <mxCell id="zlBrMga1oscnO7P-FWvH-25" value="Check status" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0;entryY=0.5;entryDx=0;entryDy=0;fontSize=13;" edge="1" parent="1">
+          <mxGeometry x="-0.2857" relative="1" as="geometry">
+            <mxPoint x="130" y="455" as="sourcePoint" />
+            <mxPoint x="270" y="455" as="targetPoint" />
+            <Array as="points">
+              <mxPoint x="190" y="455" />
+              <mxPoint x="190" y="455" />
+            </Array>
+            <mxPoint as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="zlBrMga1oscnO7P-FWvH-35" value="" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;" edge="1" parent="1" source="zlBrMga1oscnO7P-FWvH-20" target="zlBrMga1oscnO7P-FWvH-34">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="zlBrMga1oscnO7P-FWvH-20" value="" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#dae8fc;strokeColor=#6c8ebf;" vertex="1" parent="1">
+          <mxGeometry x="110" y="440" width="20" height="30" as="geometry" />
+        </mxCell>
+        <mxCell id="zlBrMga1oscnO7P-FWvH-22" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0.25;entryY=1;entryDx=0;entryDy=0;exitX=1;exitY=0.75;exitDx=0;exitDy=0;" edge="1" parent="1" source="zlBrMga1oscnO7P-FWvH-8" target="zlBrMga1oscnO7P-FWvH-8">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="zlBrMga1oscnO7P-FWvH-24" value="Write status" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=12;fontStyle=1" vertex="1" connectable="0" parent="zlBrMga1oscnO7P-FWvH-22">
+          <mxGeometry x="-0.0966" y="1" relative="1" as="geometry">
+            <mxPoint x="-22" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="zlBrMga1oscnO7P-FWvH-28" value="application namespace" style="text;html=1;strokeColor=none;fillColor=default;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;" vertex="1" parent="1">
+          <mxGeometry x="290" y="510" width="130" height="30" as="geometry" />
+        </mxCell>
+        <mxCell id="zlBrMga1oscnO7P-FWvH-31" value="Check resources&amp;nbsp;&lt;br style=&quot;font-size: 12px;&quot;&gt;status" style="text;html=1;strokeColor=none;fillColor=default;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;fontSize=12;fontStyle=1" vertex="1" parent="1">
+          <mxGeometry x="350" y="372" width="110" height="30" as="geometry" />
+        </mxCell>
+        <mxCell id="zlBrMga1oscnO7P-FWvH-34" value="" style="ellipse;whiteSpace=wrap;html=1;fillColor=#d5e8d4;strokeColor=#82b366;rounded=0;" vertex="1" parent="1">
+          <mxGeometry x="112.5" y="520" width="15" height="10" as="geometry" />
+        </mxCell>
+      </root>
+    </mxGraphModel>
+  </diagram>
+</mxfile>
diff --git a/documentation/images/status-provisioner.drawio.png b/documentation/images/status-provisioner.drawio.png
new file mode 100644
index 0000000000000000000000000000000000000000..897ed95ca75fbc5a09fbca3713028a13d04bc891
GIT binary patch
literal 38319
zcmd>m2RzmL|G$})tPsj7qU>?3>`}-H85udY4#ytZA*&M-Dl41HRyJitvc-`VvI!xZ
z|N9u-?)u*Q{r$i9`@7%o?>_FW&*y#KpZ9w0=j-*p!K%ua3Gu1%(a_Kc<*&$GLqkK4
z1^?yZ9s?~12UltE7rMi>%Tj1Lt*58a&@Qby%4$1WyP8?TOwpKlr4OE%c(^R!4vtK`
zGE6)?Mz*#bCYDC#_D0qY95$wopb7kL4L7kgvotk1=)=Rs!^_Ui&CVsL!6m@NE4lv%
zzYqrxKd<gVe<O2Ko5KN>;I}PdFe4@&Ierc<FcgcHrHu*P#Q{7jYk)tvxj-|o6nFwZ
zK==+GT_Jp|pheQw7G|nt3RScO>yYE;72x27fMyoOD;i2ynRukZGtBaqDfsKMsqrm1
z>Jw=Td$=`dk>lnT;s8VM&#7)?W@K;q!w{%FnK~MoAMD3M7pA4FaLp8=VJT&0qweUy
zr)zPr4`)+*2TQok;kJ1WhC_Yq=w@qr&}w4pY-tQ8<YD5KW#W<qzoGu+l|DQ~@M2>G
z7PNo3Ofp<dlH5!(+)RQz`+stwTBHvCl-Yk4+;4{*wu6ymd6)#bn1uMiK->q5vOFY%
zkfJg~Mo8wWwvMeVx6o~fkfF27FV}Ij8f(|f_C~fAN^lcX7#PXK^<Y6l+`I>4nz$V_
z@CgYWG??2TO>;OaszKfI_Tf&r!7fqfVD4mTV(M`4?O{hpI2`6^Y5Vg=W4MitsqrC8
z9CkFaw@2~8{>dCRnZaR)n>%c<1)TJ=9;gO&V<XtFTeU1r94!v|3i1dXEDzQDim9c!
z#nH^%ki-318y$5%+=+vQ5n#)M@AsR2B<H~~9v!AV91h0&f!aU*eALO>RoWDWI_slz
zJe&t`;XnWF_tUWdE?56Q!`+5S*(;eFal;*qZBztQ+2ypHudpATnX?hh>4;zVY3$(W
zc68kKa3>p+eKmlRSr-dSM^klMBf$Q=GA@9>K%0f5H4MCQgGZocVA60H+#bB!z->S$
zDH9_Hi~Y}0zaNkYh?t}4Av^xYHuszU@mc?L;+IW<>^s`Kfm1&mk%#Z_oDTV$8*=#W
z@)Ni4@E*2V{J<%^M;(n0In@07*eJgLGgJh94w>K|uOFp{f59uiNuWbf{YUgMH38Cb
zNG`a&qXpa?Zes+K{i#*z=M?;@&s8`akZ+%ER;G@QZik|7<m3qdIaN(<Oe9f)`x8+?
ziyR;|Xh1Q=0aZ~80S(~g_h`z)<p6iG-)9}r>o+%i_^G3jy*V&M`=kA4KR}S5Yu{hX
z<8Shay(!Gd(bD<n3;p}h`*8a|qc;Qw4noQd4y-FU!0&<yv2#MHr2QY*9rm>}$`Wz&
z*#bELBsuyWJei~V$(Y*0;BKb&;C+8Uz^Vsh9{hYj!=Hxd`8n786LQbQ!)sz>Drja5
zCUtPMhu<<i(g@%eh_Rq4)NFr&D4F_eHNlZQA1Q((3-*H|;6`x?Y9&8Y1cz;ZBfjAO
z1N!`rq#CGA?L!d;Hpbpf2lc|i52&;MDuYs}DEU5kL!IKkSlaic7<g8HB<;Wx`mdCB
z;Mt;h?{}r{zniN2yZ^^_@;_3CA3CD{N2$8M`~O0!3jUv#)&1T7_fhr8RsEU6^$V5!
z-{oNcS(AI<7yTDf{6LKV5yAfpJYVi3SNF*E72*MY-M+K&gY)~J;rs48e;`!&38Od&
zWvo%S$UpX<{>i9?-&D|q@3*2BK^`bC1oCf+T6hEw!;d4{3I3XLzZtgh9rpYCge`~u
z?GL0=fJ6T;(2R%wkcK}<+kXhn4!zeOXr}IH<Y;Q<1XDjs4g9WW`(Gh%yhm#BKaX~Y
zK=%*y`L{SPhd2TX;Qimh5e|LxKg1FK^4R3h_)AAIEr3*wP_Xrpy0(Q|+Bkw7*`Gr?
z4n{c|%i2{H^)(pn5CrG@g#*BM1d9JLiv8ore|mggzC)<`pBtYS<n!bX4&u)o-F|nF
z*E+)G|M546z4vkUKkE7C;P|6M{cjVnKNOt59IE-p^!bq`QK^$(Fgx!rJf`o=ek584
zX@|qFP~qJ_%cXxfC6B;&2m5H!gG2rQnDnnz5U4{y9mS!S`TflPxuf}g1@VjVc?AA1
zD2PKt^n>&CW30l3@}!)Aisw?bhdW!M$_!BX7!(zL&?tX#_=!sTs2^sLj?ztkZ9evw
z(s`ss|H!{OO5Yp_)c<}umK%`j7u5P2J6NW!mX4_W&c0s;o^^go?|`?TvOB03lot3G
zCwKmG$nalkGk66K1D_*q`wMJ_(9cya&ygS;P5C#s7)Lb|f0f1f#rWTk=by7k|7kAe
zVa)a`lkqD}14?F4dHf%$ZGN6zKdiU;jS?Iqn58+Ypv@RWXTad_N}<y3mY||a^6&?1
zOA`}Rz0Yr!_x#)*!Hl4$Fe$jbiK+b$X??l<f4~3-KN}g}GT;B~x4P^bpo6M1Zd9)M
zV55I+B>?vk9&^aM-)n?^utA{YZeO|oy(<BD4ne*j_(j?RR6_3i5C`7H|DuKZUM=v0
ztwB{5{A6tQ-;S)!kF3D^ofZDLkm%27epH<BJy84}7qfG5@CfoBs`@`&4D@H_`(00%
z`xknRkN+1q?Z4jA{1QU`)s%m4OT+yOL-~FA|C}ZGeTw{R#{VZR&99epWcT4_W)4T#
z>Yv@>|27oD`)fV)D~t7S@s0m&rHMxY?H__Ay#J-;N=FCqgX#Gd$$#!F{FC{Bzem;J
zFLS5gk&z#Kg`=bRoBIm?yWuJ@wcl$AQU1X9{J`&c1HT=w3ha;ZZwpxeL^a}H9@wI|
z>yK{?fIk1yT63OXC)%~_LAC!s_AIZW;sM~g{ScP?`EbMD6cjESLHDm3pj=1WgA@oT
z`{tKo;+Fv}KYEBDF>>(!hv?Pe)sw@Kfs#6O?QM;Ix=iugW##)4^Jm<>-*qp!gg~Xh
zkI3pF$oB7XHrY`#qXK~cWZ#14*Dxx$qXq*Jt0U@W*1`2Ehy6<^`+NNXJpCU8$tI>|
zMo#-B@qeCif6K7_-1Hq#;jfKqd4A!?@*e?8KUk{o(Z}E0RPi1`(LYuB9EG(&N$lSm
z0k}ED$l4Yt0UM|T>aU}l3{d-h6?JrD>FDAEN_G5rF@ooJE=D*Ug7PS-`8#sb|4aq`
zsOt95_J6L_cz*$&@CqF2m>=2fi1q&FZ1!s#cOa-g5FT9N16LV;4-Nal&i#nAp)S4r
zarxN4Uqx_pf6q%ELSOtx#_&h#9R_nh67PthM~39D$iD0cvA=V*@+iRl=??3U9K8SQ
z(S6&49}YhNQ~|U@-PFv83rt5tqeqjMk<@TCn2*PMbiF=mEsVK<>SXF5#)SuVs#MrF
zuupTbkiEYAdgCrLV=M-BUlDq~rD<X9h1j{+;2;v>laHye&&tVSoV%iNCm5d@m!kxW
z7%M_)++CS_HGT72d3U8#OxfB_@A4wrPS57^nJw?OEOjT9(#Z(^^SG=XSY{{67&^vk
zKS`ir&7HT!4^^^@nVnx?y*(BD`X19PE_4j<48AWK?)nup=-An-G|%rKk%AYe$Z$W?
zp$93|OrC~DF5)#TO3*W7(L=Z&v*Zr?BVCyS?dj1lyhweJ>+)SSW%LjVW&AQM3^y=F
z<f42a@|?#V?n}f$cwmI9%<paqFhC5Nl1}6L_#}csygG~WID!xXk#{(JC1}AI=R7(Y
zAb5#4j}u`*rReSRh3r3bA!vjiMej~@;5SB#t+`)-Z7)<k9mw~jLC`|N<?hAHQSPNy
zaXK|5kp?N9HpBD8^8HMfCkNX#d}}lAA5d@fdN4i<w#{aUg#(S;uD?fe2Mrgg_*yp~
z+_tse#B50rzMKBu?SWPI3t8ohQ?L3L(vwosRiiFwTJBX<t~BF>X3g)-%J4Erb@aFl
zF|RsgAZ>Tw?38tt@pA_EJ-)Oh;HaoZsc>GQ)oXDNUOt|YrK8E7*B5p#=}uu=T0OyJ
zNLz;ZrbcS?Nj4gH?~Qg|;>PnB*FzB}!$%)PIC{+!1eDJ|VQvXvu^q(`$=F>Zq=eRv
zzL5_h^WLqWOvIPmg!Nu#70_)d#FrV`n?ovfGc|wRyHUK8TQsj{t0o%J%X&%KZWJ=S
z*+qBFGw3$ABrG`ry@&{d{x#MM3L49%yii2f9-HCA0+aQ<XQ$-Rr^PK?-_57vqff@T
zL%cVZV^<nxXPZByg)}Z0>c?+xH;%yl>r?R)y2jTA3Kgfuh{TDLGw`1hDjtU#*Rnk&
z0<_L2iB%CBl3!b^uB^GI|M8Q;$TMhuL^3@lT55d_hDPD_?1#vT#p<?HHbxx=g06e=
zDN{*HycWYT?(cTC9@mGdFNFsN1zdKj%!;StN<9ws8$M5rhECil@!Be1jXlP(CrFr?
zKQ{}hk)^9t(uurd6fu@s)~_+!)I=Ul=+z6DSK=un`ty1@Cu`5eV(alc*m2To*{7&D
z=06}B-r&wrkI`c)i!XdshkaEnPAG$8<-f@#$Mr$O{mgtb8!0HAIPSMQu<XS)pc$vZ
zJ-SyI`urQVle#<iv#2C|l~-u!R37yGa7U*ue0LF3qM^tT9tV74w%CEt6GC9>uVFs?
z(6LM1tZUG2%tx)Z<FjyBe8}d5L~?_z1wK#c<45wGNp1FcCWTPsjM`e536d`+0Qq^C
zlSJ+~27P#}#Aj$^dFXAS&eDz*h4i+1D6jD-r#c5;WLYv>s6`RWbc!`N40#|tM(lYs
zN^(g{NgXB3K}ve&Cw7kcnvnP)Qy;512V@((Wc=E-=f%b!grGaAh6Ch@)weDP!5Wkr
z4P?&AjGKcvh!V(L#YD3coB@&(k%Wfp1J+LuL6>-$r4WQrD)g=Lk=Wgrxi3G-92%4?
zGWhF9r67csJqr#7{ipNjL5M^?_7?<D<B`;-iuB=uU<|xON1zbSpQ^?5eMC$QKB-EM
zrNw)H+R^Xr1D0bLfJt_V1;^`x$=sMA8FBXb<9*>fI;@%4SYQRmaV22KKP9oCDB|No
z3x=mX{}}@v#R6RPX!+befyv-|@b7If(e1c!0@OzmuYJ(!8qjD%fb@dzrocH&*-3Gr
zK0-ss#2}`@bY;OueMJBCG8#1HEnX?=qrcx|-$>TSIlbjgO-+-Hx7VbJM9=La68$iH
zq#dg%1qN&}C1G>!2FaI?VQFimzCNYlhdK%|(oe&RL5MI3HO&<)Wuftt!gixFD`zB$
z!2aHWgSaVqE(EQPS*<Jh&AA}(AQ>5)6gLp-OG9`O9czveP2h?CvhNV;v?Unv^4_9H
zD=}tJ`0by#JD|nfV}g~s^BA@%8(5?te0;*NKFKYUFh48sL&LzDdxW!sffWauYM)#=
z3D_w)oy<?37(CozCX<%rqwWF9^a`2{AB{P-Cu&4re-a5Fi5ljUwdg3y(BMhHU~%Lt
zO+jeM9rqTKxNxzg&}@n%@{&7Q@aQGz6*etsuz1KMe9*36P6lfs<&Qsg^$zNR@9`=8
z<c_>!60haJ()#wz5ZJ=Gdtg<hkfc*5P;3CEh8mB(c&Z|YMT{`>Ckl|HCkDN-?~q5y
z$)llTsC8cMrw@M&KFJd%l?5`DIbC;?R0cdeZK_ixM%?8`!+?<b(6lt@NG75fhTaH^
zm_9rYuih5*2Bs#aLG6r(kyw-O<5W~7ViQsGjqFs1P1R0(QBk06ijFY%RJ03*8a8eo
z@}&NaxymsXOMYMTJw88rh?%-S8al5Ri!~MCaZ|Df;a?<R@6VG$ja!NNwPolP1gP0)
zLMiUF>H8udp$E{k+@n+QlL$c@uxK(kPE1p{A?xEqCI0XjIP8QMV1zyyY1sSqq@n;o
zjY8XNr0q<g?Huzv#J8G;cwIg(o$GQ$QBjuTm8F*Y*&dB1MCe$!NM1_$8N9j%4+t3<
zz3oDGZ)OuY<zupqYHEYM=0HA&cEYL;fgv>vX!&@74plEP^0^b2WP(v{K}+zqAt7({
z3qRz#9B)O)Cpm&JC$X1U`P{MdGNm2J0<dOw+=t(k(K;-K`s$O;)iuDPNy$<2d*e8Z
zwH%;JL)*7bunnp^NRts9fhT>VA<y^*EYu=YoXb(W3!ou{8o#>3#)d#cCpgc9u73yl
zNQDsti-*hK)VQi7ITIa9hQ0c^7!Rz;IEWDJfm}xebHIW^N$yS=SZM6kl8#Suyf-9S
z;u(F=d`&oyf#cX_lmIiox}!=BjXZw~JVH8%X+S%EL7t<kO_3iC(Y4i?54`sUVa;ZH
zRXcpChOE}wg-Lpe6ryYA^gpa$XyYw3-co+TYY8Ew5x)nVf|1e$dVIM)0WiqD8pJWM
zJxPk_6O0l!dvo+1#}ES7GL+*j8p9bZWzS#8pBBkfQP5jAy0re~4Igydw(SntIHqW?
zeMkYEI99JPa?1e=*W{+ZMbSX$+lJGUL4;w2rp?hsMzzO;SG(1xcefUD>4hOdgli7t
zg%_t=dWVxc)zUQ56ih!>Sn@iRr<Ff?b^~6mxgFQ#A3-+t^&&?~1_ei&^#UvfuaGX?
zS$4j0LqbJsx3YLRZ8BOs(aNv+h4wbvpyoEg6Nrs&z-{r3MY1PCb`<>O`BX}Aypq~i
zFW)~+?&-QIpc1-!CG_g6y%gSOF<Wz^iX6&1_Ew@s*^)sBA<LuFmj*|u6br$dorr~3
zB|X!8-Wg1G{$22Wc4$gSeHG_gSBcS>#S}6LxHZf5wL1gLtx2>yw?n)aHeF*}*Pm~=
zUPz-scyq9)HRn`Z(%gNOP~3sUd3&w;!LH+y$_&2m*h=B6Y#CZ*HY+v-Hb*v-uZ7QJ
zPvWb^t~FkY$ZhlV^rye?WqVx7%`s%1s<`jDVVg!3r`TR#=0c%<qU^+IGc#msZ6O1j
zfTG=VZP2^}en(&5mxjIBBM<yPLT+a3^WGhjQShN-N%Z)N=ef7DmQ2ScJnXr4W_7MF
z(yCZQ(x{3;_e)=<4d0i@3y@hueZx2Jj6zL5wfoj!L=bs#yd~Nbru>j}46)0;DlxoN
zd}f^O6h%O(`XrvO?&kV6tIi6%eB71<!BAmGb_KjAFM2JRnjlY#VH__`_PJP&4|L{>
ze#q41WeR6A8AvZmhLOeQR&9nbUwtGId0r*GOIZYQ;*9Xg>CK{2J1n39VFrmktL*W}
zyv3ENj#}z`HEiGd^rAh?alrxttCh1U7DL?|bwn;ySHqQIanQ679D<J7S;Gv-o?E1C
z(kh*Om_;BvjSie6-|m<|9(HQTneu+v$yiLB6SxtNc}zoWpMUjp++JVO(9?qrK6#lY
zO&og~>bKU1EYMipideAWb84Fy*Q`D}#A&1z^(2*vft`4DuPmCdSHN@o_=udy^G|Fe
zU$3#Bq{xRsQ_4oVtJ3;;3+fA~kWl+~4~!y&Jl6B3Zc9p{doI;e*1UX{uD3T?QTkO-
zyzP3r?n|r9Y8Hk`f1m-#zCIwRD)l%)Y%7<tv^SnW7>aR&vto~7(Bcw}J*UjXSmOA{
z!idrO)ykq77iez4Y%e*@WCG$N+&LvHsTZOHS>O<pxOn}=Q{%Vy(<pdCPY_`2wFLJj
zK8f2?iMhOH{&;5eTP&ZY)UBQuc)OJEpJD?6^a-@!^V1|Z>Y%S{m}sBWn}l^+@KDuj
zrdfUHHWR-bY-ca$*W>`1PVNwVhlsp@waqI49lIyjOhI^_J@#xMQD`NtGS4&i7ikUX
z7_h#pae``d9gD(|(JeaW@v`n~UkIOHB>y<_G^(&otbbGVY>*N~zT1{JZL;C^C}nr{
zjp9ZMQflYR^eh5TtOJDy)mRhzS@8{KA8cKMWt|hv>aeJwU{-o^Za1hhNL@LpBjxgC
z3IqjCK8lm!xHljI1}jXWn^P$(L+%S5gD%7DyNd$2=ZI}daYa`8OpaZxmy4bhYh1p>
zyb~<l=a|%H=)LnY&v8A>YT92kK`@9A1Is=Lah%w7xkVsgYI{bjI=TEynWDBxuYtQY
z@)rKQ&Q*G4s4=(Pt@7ykIKse7%Y{atUi(I@&_T&~zHu24RGPQZ=4WcVa+H21HJWyu
zLvnwPNG^q8-LX#@Pd<^~B+D|C*ze&dak}o94WCjov;He4#c14)jk&@$|Eau}4h>Z1
zbz1@#&?|`;B_wbN>f{2ic`O6NIC%mcgX+}RgqBvVjP@=Sadzbpa|I7WiW?$|F&s+4
zt>jvIMq<2~Z^(ctJP%`e=m-2kk6;N{L6B0KN<xPC?oybP?M!!8WE8~Em{A{AkyzWK
zT<+Wy*2!&nXSWA<LDiSk`sIN|FN^{&cWJB#O6*qZ$W+>S+b&6K8MviU*j4rT2LyU%
zb=F_cy2g}U(0Eb>coX#wLyqo*`5jDAVsyzJe06sV-zSPE-X)}A#tMY*eo)G-_!>eS
zPig3(HaDHOXnPa=+E*aH4+Ju1f`AXOOpxDklBTsm%3(IUIHY<|?y2=~l|B~PV&e5|
zUA&HszBVs2h&xMsG_d>HrzDAekdM@q;%Kr_cA7*@p?WulsL73F@_BC61uXM9WPW$K
z3%u9bb8EghYgu^iy78^Rwt4!E%fQ*$&6iQyI|mG~Az?5cv8&OTGCOrO+r^Z?ckc=&
z#+UgD&0CTK)D@=-nmI1UxHLzzOWA%Y89PBO?3j5ycA6(!_oYG!5@Iv($Ua}+_6>Hz
ztn`~m;DKx7?Jr7Q=^k<_x!v>BlBxTx-kh|_MDHr852xK4?l=rO^#;4>K1y{NayxH2
zpXYvGAJ!5pAdtnA+gyW)?(L#Oeqw-_S&)s(b;%}Ogy<QDQm|(NqFU;kd5m2oPzEzw
zjMM~_wV1zuyT;aZ(XLf!^0XeB)m6R$d}4ZHj)lA%e#l28DjGgM9QXpz+J*Q@!X1}k
z&ls!TocLFGUW#W8ITL0VGi>$*>8g1#DSgTqC_D{<lvW&wO^5&q92p?g+j93$%b!+y
z<+?O_uM~%f_J!xVdP<W9g&x|>-JYfj+murCyQHPSTeatX7mW!R*DD|(K;zmqsdy2W
zR&6QTT@!)~quRSq_-9SkInj1{y?3-mpbj)%*}d1c9ZK`{c22Xi(TH1q)S?7jsZ31&
z^v&XUjA43$s5>cq!n_>TH9Mk$;7Bd_gwZ}%L=UmKPWE*MgkDn*-o+6?Q<}nuHSJcW
z)SigA*z}M#$8csO?rl#doba}CmNluxemZR_J1ytH>)l8rj&b&5OL0M$YrRiY*XYja
zhNZE$^^apMyVA!iZaTC);g_<lpxt%!I{{81DWHNr{1S#8F%1@OiJr@8CWyznElGUz
z#mb#;{Zh79iM%JQF7L!~qK&gaPBb@QKecIO;KZ$q0fN<8%DXzfHuE7AA0NNY{jEcq
zez`N=o29Wu^PE@RZ663E(xyH)V?R|Z?HG7Z^z{zFaz^PPL2}DnV;<>u2Q4cEmb(&n
z`OFD{dqHw%taqd>j_?B2?(SN3#!!AFC#BC5ugA8vlx~u*kD-<~0sLg5=K;g;T3-y0
z+{ZTfqkx$G6~lFFc}sLvXb-dFMHVX5i(OxQm4re0^`~AC0lpNIIG&7OO)KZonx>W_
z2PL{JfbF!dUhLT#vqB&-BIi&@9WH=}T9$1J)r+DtBF?xj)Hej!gv(ePYZJ>nKY4iX
z%o?iqoZvunl0E@e!hu?eObS)b<Hx+_Avcl?Z%;F6@i)~bdh|;GVbPCT72)MTTa9Iz
z!SuBSj8Ze6J@~}XhOh7DY)^K5Y3%4IbY9H1A@78D*>pEh{TE-v16`j!l<)AZ&%8W~
z@hf05SuyM>iN=FPZRD}6n_4M7;Uh7J&wO}3`K*D92z;sy=&`!h>`!CUNPwY69OQ@O
zqLfM5$P->q_W@ExaI4-r1a&-g8yKn^_v1_S(D3s+;`Ki(;sd>y#!J;*n+ceqJ41zT
zl-RtO^;vDA&E|9k+QZt6=UTa6(nD0g)*vYG&G?`szQ7m^Scq{va+>W?Q&Wqu%~&GD
zv{8Q;C_cCn#ffHm%e=3^H0z>WPRS^~fF?aB2-d?6$!u3s`mD3_+Q&+Ffu%F11_$5h
zRH7BxjWsYn^}%Ec2jNo<6NoBeik)vsmUfunQ1e+xq{tyiuix)AsU1-f@GPFjP%Q!M
zbNVZ@@4m4pLc30#*iOfF)5o<#cl=$HXz|VF5tTN~pv;@?hRlrA6i={y@1Yhj;3kuT
zofowAZT{jH`dBf~GPQZgnO#2WD?tGa5QZ8#_3J>3YI75ki;y(b2C0lMYeMD>M*E|c
z9$eaX8?D2Ov|{9JHjk(&K|5(v)R;ki2KVvd0x0V{(-bXh{P9M&5tgI1i2_5eDVF>Z
z(JGtRPa|q%$J~_YPeA=FihN=$fcsycjgfLW>{}X>SImjt(%Y*u_^a85)d^4dZ%rtQ
z6p;2UkeroUzn;5)_#2|)uz5cC&_MBK$}@|VcSCCY2xn<VuH?b(a9#V}<8=*Za@*|#
zN8}>?HdeY+0z?p;GbRELEFVB?iM%znUs?Cd#S1$nKX^dOAm^1vUnlo%{?i-3tQ#3^
zKv$9o4`$yG7|XdlE@zz2TGlhT<J#aSi=9N``b~uwpt@%S20)Nz8S@#w7)r^R{_<9@
zRZP=E?ntDqml&+C+S}U>S>Uy^*<fvlEg6FNC@Ic~M!4MUFAO3oPQ})b3iOZ(bw3L}
zhr2?zEQYHpT?6=T&@!{eB2SBXJUT{5Ez@i0?fI@Of`Z79;$3jt-j$eB-VFkp%WhAH
zDpksSs39<I<ri_#$Skow=lPE>)mPm~o`aJ;YdSyR)T>`p@7%)QTOxHV-!6dQF+Y$j
zK1tIi5NMe{Dm+$IkT_`R5k<H+&u>abGg&)mIW34SiT~DZGX6YUE^s7+tARJ))V-&f
zKeFixm;FN6RFx+ZhW%a#qGedf{prT3&$nI-8ld3|Jn8)qVBZG}^ZOp00SmKjy{Lps
zZUwe!OU*qM>3T%Any1%?Pscs|GIHgXS;IZ5WP*w|UiWWv-Me93!uCCHO}lTRQ_#28
zO4SO;JYUU9%nx@{(i0$P17<Mc_S^diN}n3Ugwx$IwG$xbR0)#f9h)q3JhXGH#ZmqE
zj`b5Dyrbmc7dts~wNtY}++2W~Agt_dr1DJ@&u5|cn;pErlupuKxOg#zfU`oih*jUx
zYhf)<wm#W-7W*kNP4ROfgAHItm$CD?!PqP5O0jheD$W^8(tXyQeTCCQl_L7Lr_*YZ
zN4(8Ll-09O=R(I`NbB;l-DERq%@isgQ;JFCM2lKL%DbSm3|M%n%AHY0`9l2Y0#B&K
zRnmZ_mhUfyQ|6p6X4T?*;%KS){Caj=R7B31QuDDG8ic-SXXglJCUCW{%<q(($*|dd
zOY44BTV!r`>?X#E#EGq`<PvN2XvCKn^}KYz1`ZL^-)wDnA_QiXktf?>vNh*jnUML|
zK>Os~ZY7V>x1(A<KBsXBXbGNCZ%kN))ACe*eRr|u<4A3eq30@j<=*a=V-r)1Yi5%>
zNf5%t*^UK;0|3NBNV=E5V*6`zccHn89q$U2d0dkI&^#f=HCq!*>yJh9IyBQ#i67cZ
z@7YWh3i~)RW{67E-t*qu8m^DM_V{A?#lDaGE|>Om13LgbW|T|-*rDY#iX-kR5S<nb
zzfUWw09MQY?Cq_QtL_kk*~szj5Gmg2x4_T_xFfR9I6n`tLuaXLFlm_MBmgkPSuET~
zOS~6ah-AbZc)<#;4B1jWM5YpyLNH9V9|1ku;kL8dtG*>nsb}kJluaHg4fD8cr5OOu
zei}G?OS~K{u~W5yM3fztM(3;R<&K@^v;O!nT{&I>P=L_=N^<4Z4hu;`pyq>3%A{|d
zgc{$aw&COTs(Se4!*fdVlPB8&%<7rNIef9nNguI{q3WE!VdutL$J}?32x=@=jZ4gB
zZlQq*-z*eC7(QrN%V2m+(#Qm{n)d=?0oE_juLy7@b6fyRwU^vIpWrHmg%2Aj=_tw3
zBX1P&7Ta0r8ujFnS2Q@`^o~Hn4IbDwV^W6ZxVO90og|I(L;y~^6mM;H2YJq#DT<B=
zz(8IjDDJ;CegBNeHK6h9XqDT8hqs%gc+K9Qn(4|=X>X}d-_@h^@d6?EN-f>4YTSq$
zaA##xW3Lj&BCi%^+?Rq~GEyX$Lcw2#iVMhm>5?vFnNbIx@KWsq?8*BgU!EpO2Ob;L
zo11BKM7IE`njqN>fTOI8hH^6N!oDr^t4MD~T^pA4oO;%vWg1s|rr)JAPQK6*xo)J9
zVunDryi^W!2qwHy$!{gY>s*ngZhq`+<5)umo%5PmYaFXhz=VMN-3Xwon6M_xW^+<l
z)zkeuOg>q=+NGGzK3v9V4<Mi<#i6n-8jN=tlD}jg_rRi00=8Sq!xKz6to`PV=v?$f
zEZe%&$2@gZ6jYR_6(HvhoB@hSn{~!!uFi<Fm;FC24w`M#Bi!+4n(N-ud0!>E1afw3
z-h0I*AYn6|k*GY@fFN^-B7!=6Zd7~1Wsf1c6Pr=LPAR&Un&+Bo>QJw#)$Sk2d~N60
zs^z;B^{LUsZp4<o!s;+91n0!*r+8${L7bKzlyud-(;u`95hfMDyE*2E=6faj@`T(*
z_LBq0W8IU_h^cBK;Oy8sjjo2d$@ZyRs?gfpTP15l?!iQ3&$6ziDb%T1$4<LlD1*dt
z;(FP3X4P8uy>~aE^<3Hz&vevatz7$7&bRr7TS`Nau*#k5rA>dx=0I=Yb+PgXLmoTq
z5xELc-d}D_7g^q-Wre^#6f`bwWqB?7(GiPJZH(R+!WqBOm~w?UmL>C65pZ6vq*%_g
zp<;R9>x9})adiPJHy!4^okAQZ>@?%wR|L1-n3o&7|I)fYdR?qsT}3oXTW_7AHh9fu
z{T;)Qak(2ZDwrY`08Dz?{Kbwi&KFdc<9dUs;naMa0@MPq(}ZV4G_-lyt{KyvR@_n8
zJl{}el;8LA>q(=XW#RB1_Ptndt@Rw~$DM=1U&hT*=uo`d#N(Re*64jta^qXjay6q^
za9acvX6OGH$zGR)WE0#@=0BI5rWn)N8ZR<E;Lt`+nejDNY6HGH%-cgKUxd{2XsRc_
zgN^LWa!@<N0I~9s5DOusYmE-BZWoS>Nz5m2sSbO4|4e8llAgL{^!#+0(`;sD=9QAJ
z^}D`YWaak`V$GDCaC@>V?-E)jlwzk#$J+=fkrB0l>KJ1U1tX%TKXf)Jwe6mMMuWh_
zKq4B5RA1S;F5LISMDEO+cfQniT;AvtD0Y&B4UiHDd0SetF7<^0pv-@O2al2#=S1E7
zqB*e*-<frJ5*q${Zo@HK&B1axqOk@$x385aI|mOHM%)^i&8?<TvtSdR`!X8T3g7}I
z^DK+W4swz~kB@{n;UqRiXiqowP5q7$)`d1A-{FbWFD;sDxZ8sv4U8+^7=GOQEcV8~
zkB9($B$WoyGuL3oXV>a46JOeNa`SyMuVv>s-B+;3xTJ!6+smF?{2x#QS2?{mmIZMI
zF2@U~hwQEoI%XZgn{KjMqnDgS-a}qn^EEHc+(DLFOnPa~Fh@E*@WdI?FMQ&WIYCns
z%Y|@*nL9|=Bntb-Ri0ZRESb|?8G!>|n<hpb*U4;(u0&rMrD<V;NTRi)rjlGyD^@P)
zaFmyg3sZ8cdUqFal+#<a)YLP(E3rlofXOVBm+}N!TSo>crfOA1hjn&3=CNe~we-}}
zpbJA?13cOJ0}fEBL_r9u>UPCt#j5q|=w7S#51S@x6M^?%%JZNf0yLzJJsmIlQ7r&U
zTT<ShRuSLP00d7~t~TBrJkiion}|znD-zk5D-F_F(yZ>Zz|8O-e|gO74W*%XHPB6}
z{Yt%$5P{+hkO<CD8E1fXi)9njINVL@ZLjilU&5b$@Zdpvzca+5e?+CEgVB&Qcn$=1
zFx~z6bf$qi!grxIG_Cc%96##1-UT<qC0>lp)L)f^y`R8D$1vMwWN+y;$-9U!d}Ssb
z0tTsmED76Yw$ehK!3N55g;pGSH~^GbXxyqf6CNnO(J*tF*6rK_u{Q_`yl-^^C=&xM
z>3F{`YjC?OU1>D@e0dj$+t0Xpmtd;V?Siu;Z>G142ji)*Vqm?elGCkij5uovoO?#8
zmh_V!MpQtm@;SYbCrCK7G1WE18GYtINkI|PSOkRa@(|@qOtsUy{xmJmn8F{m0`D%J
z6lENH9!_XcEZ?&1i*JBO6tVW*1{;+7<py6|5VidzA$)s<r6pdZ_nDWSIqcH*w7|I_
z#IVf#GhjR+bi_2gUe}{0)}og8V{El@=ktcnrt0{!i{}R{AT77;H&K}gMb!Ruv~Jgj
zkn@2MdqlaAJHT$83>^c~>ao2Aawdt=DC!kGyK7K+TTN2Z*Hyd>!8%o&s1|}iRCJu*
z!@XxAFkJnP&#Kdt^@)ubf*G>~BOmW1d_8Jmuv`mRKkNFnjJ`*AE^Sjq(X`05PN`Sm
zO@##6RIymTMo=*Ap!Iu=2A`LC`nmx@g9)pDVdb{I{Gzax@e3y@Ncy>9lrbj9aw=5e
z5(ho-dTs48hm4@+w>tOD7N)FrX1C}u-sUlks}fo=j?1$0<WMrE9iRT8eB(gdjC`ls
zWMhY~%lo@+<J+9L>w}Ukhptz{ZX<Hbv6-f;EpbBX1NbfQZ$+XTPV2nS(9ruglD(JC
zKE23Twvo&XGBcUx^q;=nD7Im59Xv@%i8JuPZPg2q43HDkD$j3!z|h+o#IgJRieY_H
z-(zA*+glSKVrfz2^*EvGcLvK*Rz|?^VagpEc7;ubSE9~y+8-<23ULGPOXCA*;<Vt?
zunncdeSp(f>m(|*_Da%86!Q#9sU8i#BeqS2b8O1ki)>%u)jIu=GV<b|U-f3+xGXCx
zTNB?PaJ-JeO=ufWK=-s6g=aUz{w5qh9=|{|U?CatvS{cq=w;W=d)-NUeJ;8mC8j|w
z-N`9Jxcdaj^gSy<KSPCEx&s2E_Dr=D|0uGIx-ZqD?%(!tM&Q%6Af1Ag;>^fBTjUPb
zszd`NTRrYSunRIO7O#EKS6W3DR6zhNZ8P{nC?2Ib9&^iCx*trya`~8m?!%R{uyXit
zl?H$*pNM(h_OD#*DKZQcuY7s`8a**Bx;{xq3#CEZ#aI4lzAV$1k>5as#-39!QW*<C
zM_D8pTxrX0z3WCZ3pU0G$^K!Cte%FR#eJROZO?ECq@qUS1w3|{@3VHHbjPS*?39D>
zArrj=dQ5)!&Z~0g`3pAWr$lcTVOQD>2RH_bFPYYeUVfMtc}UTR;9zbaV}$JiESLNX
zUsYygZc(tYJ)kDC&W@sEGW7<e=DFi2a9%g~KDeHWN}Rt;=lPI=)8HzA7ZLM3szlxi
z!1S)POB2;QvrP%&Uco4%2n8(P1ON;s&(M!H`=O|#ynL{1rF}1XF~BW8+#jGP7CYGf
zF79q0V{%7wDqO7}a35+3@9ys1cjy$|rkdnVUf7U4<P?yEVDfDK_&ppPjYH~*+kQgZ
z86ol}E+*{GQa|5XD>=OU=wM@{OdyHbS)4ad!LF+s!=az)vM@yPO*vQ5Ugbof_^K;I
zOyvQecAu5?k?7{VskRjhu_g_?)E9rf+}S$xcKR?mKN=S3TFQ{&dDIoKq9|tcOL6<p
zS3XvGmItYZf}@(@^IXp0@awoZc8hT4KKJl4!a_h?18ZNJyIV!5{ZMj1QLL}6&BE9v
z?D7R>$GKWg(GV-H0}IJv?^!r$-w^V;(EEubG0lSdT{QHCIa2+vhp;5Ri!R87l5zJu
z9p1*vm#^b#62wI%P^CbQnW=2$wJ+xMR7VP*%a;Ld1aJSKg~8BvmWXQ*f+Ndy0-&)i
zG^mh?RDTnhZ|t}+9@AB1*_8=E!hEV*IW&xSgu$4>Eu>4`YACRN9G^krb(|6OmUccA
zn~+XSucT}AfqgLIbl@<`e%a|T3~l1&FEuE!gW%Tu(G)enQe?5Qu}7V-?5@}taKDD{
zt^kc&$9&>>tvek9WT?+h9;I@}Wv46M*FrAB1pOZ^s3__J#D;*9<76=*9}L;Pyhsm8
z=%`NyNgmh}5R5i(!WEWlU56^%P$-qm{l2i;MB-Q(4n+6U1DKwBEJiC$#Ch%tf|{Sy
zT@Z3!03^Xqr=wN~$;Dr;0*3Ka4Z^H}GgslKm?WQn`WSBNY;_aLPGw)LN%R8UgcwoV
z9qQ(Cn7C?pk*~V1tH*>9a)~(?HP)*fT<=Y=&q-X=UbXm(YzB4X%2_#HEn89Kf*DCG
zQOfb$Rxc`hT@7S^skyoH#w%D7ND2iN3IL)hvS9*dXMhCj<3n$vj4`TEpt^$nCw-`V
z`<>%@<XYZ3lQoYXNQKWufwVxZA<8YO;212jR0nYw(NZlk{c|8qi%<d(-ZsIp<5vBz
z*hPWxGm6wTq-%ciHU#H#73D6(^rro&BasiTVq)<iq(!%NvUT~5I<^-B#ZUHt41IJT
zQ4TPf4zEx#=c8i&htbiUUk1x9-`v6O;lfpbx%zmlJ504FbyvE(Y<|e~lFf*Brfzx6
zd$~e^CK|yHYK!gz3!V>HkZQt-kdT`1Dad}Q1E222Ct`mZr8CHI2I;AY%d|-gRa?s2
zB|3#>MF6&HtT%i6EuIgg+>7Spt&<IlhrBLE-M^4_LGuEcH^jUXMh)>g^&wN|?AWF0
z2@(6xEJ~+@d=qwCx*Qk6-7`U2xwEI#t;_7T&Bk(;7b>!8i4(jS<<jAx(y58aeOG3K
z3Mdc5g|2$>ESf&*W+n)5P*MQWxA{?gP{4L(V)>;5$3;KjPI8&#Ub*?<nI_-O*JvZk
z&w++!BtfAWQmR_H21>(TTkP}0)rrb+f(#7+zS1ONTUr^W4W3hqzh)tKk1pZ1>$2ZY
zXxknG?MmYO=6kJtBlJgNUdISs^8}x}W<d*WTgS3?ub`XQX>7&WEFn1{AXx}9$R5(0
z7jrA5oMyV0=3Vyn+C~pI5jhY$Oumy@SDpe}A!U)Sl9-@<se*GA1cZ3KeIp=v7<-{t
z%Ci(Yp$xC$<jEfi+#JYSwiu1W%L)`HXb0K+sUe27&KL597PU_ZyMf2f*ml2q{;5r|
zBd56$Dyjhm6qcnPTU7&z1<@ut9Osrlz*Q5E5z@)Dv2P7O{E&+O-W^_jkuBC&8mF_!
zu4`(BIiNddDse#$D*3rCI>L&5sSP<(I`^(wo#JFM|9A&$gpPo6^W9#IVSh2VuO{5b
zs#3qXRBy%S&KjcJlZ}r;F;S8*Jq+n@D_AFJFR>UDHMk3a{87kB^>7=$p~O)wv*lu>
zmZ4|VI<~`hV1RR@x;`Tr&F;50jJ!!Y_fD~J&9zemxS{Rs`O@`%?uS(t&u*g2tAW~$
zu)Jsu#p%Y8TGn2QNp*e4>AJhw&ttT9?kjAGhj)OYNupkE5a~kM_}iWtMS)05Dz!20
z_Dt4jC=SlO7y9MVIi(ZShP_q$(Z^2=(RS5G+GissTwg&gogNb_Zfq1YhfS<abnW!c
zi_e{n0Lu*x@S~fG(@>=EH@J7<#ItflHr)r^YqOs=$HhW&ka@FLLl|%9#C`S(+b%r`
zIVdH_uQzQ@XvvAn2<lb45;4NPSl#F3{Pv7X5V!o=Gl%R<@yVSkkl2i*b^Y{N&s1UG
zX1p6#w4nihQJch_j|(4PJ}=SqSrbTBFbY8k%k?LBX!KIw;C;3_GLRYb21_|#P2c*N
zPgc)entU}kc}b&Q-R0;O^&BDoHW0&ww!tW42{=l8zEmtLcQ_e%Pe0gP9(x-`7T8&+
zc|1ROMxI2fTut<z)G6K1N*<fj8KY(v2Oa<;_Ox6xB!Q*=E<3gIj8{-ueh&VfE@+ck
zUuJ~K43hUlON7m{8_Hk$R;aoICzRr~7@qnpdwm@_?|7rFp9eq08XaSfC)$S3D>{#6
z9w6nEZ_vwb8T67ai5Q-&4l7V90Tw^8{nZBBy9Z2){zM{)*B(O8`k{XoJMJ)vBNU2_
zgOwSLxB$_7cAcDNF)mK+);8}D&VwBGmtwnDol=@Ic}kNwXCtAtP7Zw3=c$<4_08ul
z7)NNV!Mdk}V+Sli_DzL-I=6aPm`Qk!0%Xo-r(X6Nbm@Ne3JtRH)Qu-#A;ZAJz=&P=
z@CrU`AT#;!;ls~_Az-%*B5i$*Q{1m0pZ(&O5nd)ITVjO`<03{p<J}cDyWo41#f(p`
z;ve5*msLm@R9o|j>$y8{ar9EW`+(fS?zkv}!87Dy0;0?FtqqSQLMWx<v-#J_8$$z7
zO};03NH*a}W~F2Rfss@bO>Zx^wUtgd)xTNr5E7xdc`QiD$9B1N<{;optQ@JXy}B_a
zM-U0GdKERRItidOe-Wkg8|;i_tJ5p&nU_HQoGis^$TH5H!dOgpz~khPk)a<8@FMNR
zUPURw2Dm!NajKU~r;Ul-NDvfQn%%6pMHU@W12jD#2y73MfJsTmYY_q~m_f5&>1INo
zXW7MU*BCiy2@(${0>}m|l5Vz^%K_t}egcI(KkT9BI&gbL*bOSQ&$@UNf}m!&v};-j
zRU9yJ30RY{z|JRF_yh#9Cc2ZY@%)N)oHTXJUJeuKZ;5FHiY`n9fN)gWQVGK&O|dOO
zG(aR9co0w0DolY!rV)7fP8rzJS5lx_42;8pyV%lrIgB=~)M2uWWnAnc2G#(tbnpO3
zDV9==zw<@&)$?C0<-}U2WvQaN{jtchJ7-Wl_wibqeHtk$GE}1@1Ho!8CJKt~ek$*i
zJ3%MrQDU2c9R+ISLSSCKC{WlN<(?!J;b2tWUS;$mp)xdklnQ+Db1i1|`M|_YP@)2C
z)sL9IATGdl`S^9bxqin|UY<BM^}Wfa-F^>HKu44&O8SXX6+mHOATK|afA@VosLedX
zdZ8`>u|y5Z7Edu;SX4ljzI11*oy`v%GY6PyBA;5!Ike^m4|aOsg)mqxO56n4(x{xp
zD;sUcZ3SYQ>MO~#QK;exQ7{ix^06?i@1W-<*u!$@xfx&Ndhs#v7{+Av^~zI_9~>P}
zva`#7OFhQ|+(?lLhD?Lk1>9#t_sbjSF@4!@yb5wDUhazp$G)Lz%%>><OCF)U{v3qQ
zpac+<K+co-<{Q85oM?%a6)dt0=|q@)ba_}D`#Q*Z*>n2oFsE!+c3VuV`wJ`^zOYZK
z@4YcVnOT~c=cZ~Ht?0cAVHYG`XLhl~X<<2{xLQqG4&_+;e8cwrF?DG`R@ZP*=pjL<
z&oE>14MXj*=I#@9%rjIHTdWvqX=z37Yc{%hH+{`7fUNZ;ms8lw_kD5%*W)=A+EF15
zoplCN`%_6wYSG(#PE+mZ{u1;NSlbjNgPY0z!Kf%IWxfat6+K}dJ5KziNFnNiFDdT1
zqanfpfC+ls!`cK%Nq@7=mFXPTH;4&pDt!N|ui+#e*_@w^qHmqBLDhGIUMSOLb9Z7t
z94loEKttCm2^Ye^cpFAXnTtFH@?||eJFS#&RGaz1)S2dJ^BGKw-RdgAhF8SA$Cv?#
z*Dhs1j2i}OeJ}M`G%@++=$D7wz!tnIA@Bx~u86-OL4OGpt^~ZLW_P2{yVc7vqC6HV
zyrDpox_vIsbqPAtlYPT#5n%JlAVV3n2S?`l0vum?wl_D!tmO$6rm)947x2EWbn`mR
zXgt$>`OGdp(+3wFLmRt??2)*)7`sk^e@~A7El<M^$vwP0%`H&d(^+8JoC&<KB9{dN
zXlSv`V42kMq1&_UL5Mx1XD$hJOyruzDJ<V_^ZlV(S7Lxxd_ikd6c+@_-1}cyqhc)X
z1vakf2SqUCM=Bxv)W!mfj${q54WYdXzzTKOuK^?fPDgedRd<6gS-x09(5wRib#oM}
z!tCcQ(LI4rlbi!UYn6wSy$OYBQ8}U%%6)H#D&1oW<9IwLiUvydfQlrwwu6d!I0)a^
z^B9l3@Oq|1BMBffFIk@7mw!ncAGfW|1*)JWNu02hQAzz#*;^jp?(VflgCdl5NB<t5
z&70$arX2Z3z0~4G8|W>j8*e!4Lx}L6f5{IM+q~idasLLpz{Ymf69}sys;tH$Bv)k=
zr}TnB0ns(s`nY%J%(eQCz62}ZC8w*;f}VL!Z0czDF*S~LkkGL5%zcgYY=m%7q>^8}
zu0hOBu^MYrmZi7lr3}Hq+D;8F!#MkTn5!?UffE$NVBPI|7BU!wIEnT0Jq^4f;`Y-5
z?Im*+v5nOAt$Iqst2;Mzg)h0XGR{?vr+y*IvhAFo7u<UO>aF3U)cO?Nlb!4=^#T2=
zvk}n`*dkjC)Y!#eDmm#XUsNM!V)fcC3v;ZQ=}iXrd1Ogfv6P?6hEjB=DN;fyWzw+(
zbU$?w>tfo}F%Q<Rqp}pG*(Moj<@dxRDO4f(5gYN*n!><wFlzml>aHAe%DdImSyw0>
znxZQY&e|ne*!P-VoafpNN1!U_dyf%rNZ$Mb6P&*sm01hLu=xh-3`TSns0BWeZ%hrE
z8z@yT$=_UC;2f~z*;MLDGVU{xy0~`P74C0{@LH%`OCK;xhelfJ3A2@2vno86>6x{c
z^zi|=7bvOFhi(pnXxf&ao+;6%-=gTMO*+Wwbz(EI-vQZ6Hm97>H3-u4xm>L&SuD&Q
zGD9n0MvrA_YPU0!pj0M2E=DrxbWBxHmZ__xdsk53>G6xRksm;2Iw`Oqg5(pSzSkAU
zF9W4gbf4rxVY(Q%kZ!GVh|lj{`L^b8c3JRMxm@*JHz%X{!1KvlB&AG4E2_(0RovkV
zSyNldy?d9`Q##^0ZqGdW;QV=4HOGSQOS$1>^f}Iw4vei;iF!#=R}fWanYSg>#9s$S
z#9oPkn*GYxOd6~TP%ZD{;><$D;OmQt(+MIZORxyySlmf;B|jeyPzA!l`nfRVHPE+p
znviYkJD_$Tee;;W6U{FFRv#aFGy!S~sTX*Q%#({FwE-f8c%aVR00Wme&&8&lR|#dX
zNX^ODov^Nen+MLIL<uRxITb~Kar#x$m!k3Jn9!}RPjU|EL^_i6=TJHZi@F6%@g^wW
z0>urNMwfAd<Orhqt@h5Ni*<diA>d5?qS@SVw>DzqsYN=0?6NPgwqK2+mv7z!1v#m5
z2<qU-q4UadjeaD?L29H|Trzahcc&7D!t5^@6%pp+`SE<jjeCtl=RrSU>9N~Db>fWc
zm<4@4R;ubEQ&ik~UP=X%?vMjB(PR79As$V!m##K#1;bhz{T_PUL={$#550-}f}x_L
zLfpG^nOg^_dC4=@$K-B;{C<)BxWbYR(K%u+rcV`n_i}TZoU^a$=um+QDn-8MRiBiq
zS|t)zdflug+Ix3m3+!&tqGQ+uGgPl)tqX?%^j!^@!&OgNoO$M_RW`3T3JR~<@U2>%
z(P;=pVtEdFBR?}hjL0s#`;txd7jug4u8)n*DS@NKfD;j(i}hKy@?xcL73ne&+w}l7
zeE_cDLchzo?06R9k$3}4c$wSyaIp$L)shG*-n$U^5L-=Bgv4tij2Wir?HtNU8ukyd
z51wm2kN%eZR2WQNDI}@Cwtz##=>+UP0sq7NXrJSr6I$cnrn>@fuS^+P8+LG);|c1U
z&KNYO#Te**flN8Vd*6SSYyS4phbw0*EJV1D`NCHV0b-1=s*@lERi~JXjBg;3yh8se
zz=xMwsdCq_th_tssa-eK<>YwxFQudJDMQ1H90hMH;S=M~ES5ix%OwoY&5iD`7%;ES
z-CC=8Q*?a5A{|R@$m&M}{9#9CQi6UOb<tvls$o4-((f3wHfp##2n&Orm=N4{;2Y?$
z^1+I8NkIj6$Bv%@#0NQE{5(?)LU4mB7*!}q6MQ!Oiw)n2z#I_20t3NrH&*X6dim4(
z(%5LUJr!-dC6?D@=#!HeSjpfv+`>g)N2tT%CrP^~!iB*is}Jvbzo}B;mN30GcWf2g
zf(biLsrDp$O*-_eR4+?|BuB_5BUAV^Ii`x}>ce$N(<D3`Tvfr?ck$KkQyp0GcDzMT
zO^@ejILGOIB{U8_6GTiu0R0}WbU068q4LLoZPm<y;gN#V5#B)~Tf8CTI2-yvtd1F6
zd=VkWC>`o<!kLX`(~$z0Ct<3m20lh9fO-9fH|$q0Hnxq(5j^0Sx$p1O8Y>KHGdK+x
zT3j?4d?k<vj!6w|MxiJcE&vWKhP5z+q068m7|(?|v9ffopxMKkF3MMe1EXy8lS`G}
z4*sS?kW#z9ns+9aJt)UA2Vjy+_1@0H^u}c3TAKHovS&-oZPnmP)D_V;F|GU2z(%KA
zSk!C81j*?TCO?V8VwO>RnXWph`oQ?@E-TfcYZ%~)$k`yoS`$#YKq-N%Ha~)$DI}7x
zdy6`TrvQ{CyYC2EGob4WJed<VTm~sQXFKu=c~F1RURccrP`djE4mt&CJ07vE^VYNH
zImrytcU6JIFB%4_n5gvG@BuWGfrpMUaa_$$7ONttrJ1w(DsZ7seklSabnesugCcu{
zJc+tVLJm?z3|4tTJ~zO0n?J#sdMYWtNY@&QSSf&<W!>4ob#p#wUt9LYf&`&Da7XmR
zjzh<&bza~D2RWT!-&Gej!n*!KTM|{L@rAD#4>}gDUGWvvO-z7mallV!KlkYaf;q7B
zxfbUI78c^%v$m0-$kU>plN0Q#^=My<r1Vcu7=r+%CjOPjhP|El6Pr7r1T@54EC{ht
zfx<}lSDb}hRHfk1yRtmdl7gTSumY<|L0pKYVt`C^q3WW7sM#2A&d5bdPb2fs@>_LZ
znH!k`NvjiS>k}YJ)^Y}g%&H2%!4g~lggK&YJbPF6yw)A$XU3BYZKwjGz<sYh-WCHC
zWIT<!s1+jMKA`}vr}&TV2!Yk^g1`)fCQ=w)r5&H!b&GA3K+RUl=;-K+lmMi5$tjOH
z(z=G@%=?p|dST&a)_yE7CE&O0l!>d%0w`Ali8PE&@3@#V9@O{*$io~^Yny_G_TwXN
z<Eb|9U68VAeF$y}v)@5OUF8V`Ny7bIeJZ9=I+1-?zc>R-+s6(w(%3Wo#T`E7B3<DA
zEr*uPv_o}9O~c-o#{&^(11$#{-z0ChtEp!yL_JHG#V?~@Tg?|z&%D)E1u8wVi&{k2
z=19w`_vS|n6>0S3yXZVaICkYdm-dPwJHBEYuIC4@bu-=4a{9O=d>wV;@qF_efbbHf
zEeE~+AqkIe{*DRavRW>_n)i_CI@z1xNaTAjljD`E8RG2^g;dhXX;>Rg$IR6#6=%9W
zc@1WP>!bleUaw})GW1-izS_*8CBocH4mFkv13om0G;O#)Afs~7v6CTZ1FK1hkWROh
z<tpV#9uSR8u<LehzU0K4MO{dyATm-`Zf>xYwG)jobkhv*U~{fc;MLJ4LS5e-9oBbW
zNh4wMl&wrT-;(CCTksg%l~ya;ZRlZ*Kvu)yJzl%L*~ML(y#}OXr?^t@Z4L{>73i>$
zGTz`Q9{k#+LABvv?p~lw5j9QLECcDQ9<DAci!<f3n;0uH8S#h+bdzrg=-n-!qCEeS
zwuwJ70KnE;rh)tMHUS>iIAFu^LV=3FE>H}#lmaSo)r^c7vUmH#GE16Q$%C$-+j{ZF
z4A;CB{d)0<s1s}^X}$B=o-!W#UU>BffwHnJ*PB&a-^`X&6TnUC?y`CBC^C`^>~LjO
zZN1i9Poq-%0owB1Zebl0?M$nlXG|aAU9T_)`{1?#_Sf>_b~N6;&dJlG2s}xX^LC@%
z<?C3*UZIDY(DT5pw;0K<)YGh9+V41pAYkfe%ptRY8^1LlAP%p>C5X{6X1KJz$8+%N
zo$DptuHqSzTM-F$=_Q{TjMN%&;%BZsAadV$Y(+vy3$BUZ6WJh)4`|%*iMfvM9a+60
z?ww#StKTs-V{gN%`7o~LwNqjJ_zS-^<<3=gv6T-vLJNxHq%;{(Z}wbtU8d`Fbp@W)
zpB;26gQmQSvK9i`!@G}!9_B?RkA`+i74`oGxOs3h&?0{%2?R<p7qoKN<XT)Z_1(s!
zx>J{BRG<!9`fHt>Wv_B2!r2KkxJ<}shJ3WvWHs_5t~ZrV?mXfs$uxLp54GzckDYx|
zeDZn}Z`y1IW&X%*O@hm1Z@+n#X50}hU~0gqMaQ{zd{7tifa!)Ek7>U&$mr}n01E<e
zKqxNOyj*{|3+H|f9=Ig}C>uBh466pnUTx;S2`#FZBS&zEZnlTJyQdDKxs-)h=tArl
zK6}S-lF}@6QjhN7>F29upEcLe7S^I9i1cus)rQQFj&48K$|iPKh%@o=>2jKKM3ma4
zWX(5uGC6s_D@_H8sroZ2*&#iB>8xs+0{JGWmYfFoUIxJW?^kV1&@2h;ZRglkf1sdQ
zjjeXT6dz1z>6?r@51AHU?}w<kLtt+*-(bQJSKhRf)5MF?OwZWg>dPD*bsQIBr_oe3
zQI!xDpbpf2?#3j-Z!7slNN6p;6B`tpzV`w&xQP<^d#~e!94tOJM$|kJ0(AjaE5PYU
zE~hhy*Mt?s7cP;GM{%s^ke{5?A%DEr2Df2zxhty$Lkhq9&~_EvfO^|m`Yeuv{pG@p
z`RPma?2;2r8~CkaF*ACucBN?e38$RK4CR*QH(fK3-U^h6iO<;04a0^uK?rauB^Dd&
zj&sTxA$xxi+{zW2wIq|BSH>L?8oS3k^{rq}=^}*r3Xg1oTNbbKq<zIb&MBTe*n8aC
zeMQB7j#$nIjVLxZmx{*(w{oe026ZE6M(B3hOX%6PbM~I@#kRuP(?Df=TtHQ1?%zCR
z%a4#YD05`p8Kta#N}H0frVnGQ`G2ik_dk{W|BnbEBHTrY9LZkiP&h`EtYn|8WY$Sp
z*`p+@6C%P1nVE;EIA((niIcr&HksM$`#Sf1f5#v2_3(=am+O69=epjn*Xy~GHpxCz
zaWIiHT5*hfCdtnntIfaSPr*vtkBiUUEf13(4ab%5IC~CiCL5zq`iSc)t{aXksw8eT
z$0bc1a-y8I$tJ7nKq4b}Ql~b>D^o{o-36(($F=H~);X+Lnik~IObx?k7dB?)nrgcO
zb9SGjr)f1D##4b57d1-2q!t()6x{7vO(@82Znm@aN46@b!|ZziyG?Jo?eE{QBlD!;
zm?;O+vVugiC)lb2OwH{hh4b3CVIq0PtJOWXeY$q*GU<nHo(U?|YX5j8w*u3Tu&@8)
z+Pti+%ts4@B_Um(^t{nvb5&7-T~`lVNmghOuTaxwR(kXZ^NENNCelR{2sRlhO);K%
zO(v|3w=yPMey#>NWzXAo2B++9EV6xKZ>*XVKH52Nfse;^?7TEi@EM-IioT>a*fCXw
z(769~`+7()O$`e@c6Vf0*i%k+#wc|9vHa~Yony~T&8H%TBhIWg;j&Yn=?Nll+HUQz
zO;hOSq{S(EMR|E$COF3sWFK1AA9lpw|8DUlHv;EJk+fh%ocEs4Iaa07nUG<ZchxfC
zR~5y%0@-KNk54=OuNBrhma}F1$n@c5LYBUT%j(7ighmv8(dn2S-u)6E;}&?W<v+i3
zyKfNbuWZl#RkMUM$WBh4+_$&#I}nn$%4OcTS4@5t7ih^wq(a`f7lzo0WJNo{_ti%m
zyw~2l0bx5G>Juznln&7r+2)3`VqI}dF=LOiX5MW>J$0z)`OCJl5K~=Yh7q6pa5#9Z
zvJWqw7~K19K7q;RXi0caMAyvy8e*HF%<Q6Jvwh#gXo^Vc%J$Ak(e1}6Lf^Fy%q<^h
zEdHJ`MdAgA=98qWU+~UV4q5j(?ycH2QKB%)VE<8=?f)QLXjzRZ`<bo7iK+6E1imfu
z1doz7XwT9?rDi#?!cVQA!?Pce{=$!u8Pu+Q8(0`qhJKn@*!B(HnJrp&n7{5oLd5n?
zfV*(gy6?)$fL%8N%*V@XJ399NB2pKHgfzqH=v!j-l!T~4^|t#jAaC+seg2mU42jLe
zJg?{V_4P7$8W{4dYHRwA|EX}lVIyt#{S<L`u`(BcP$yrm^%Nbkk}*<g^^+j9XN}3T
zz^O89=QYU#bK;__dPb9<E`9wrrA(3ZEtxal8m6sYGv|ZdS_BEM0(RL|wOfd;RbWex
zenZqzbH{PwYR@l6wr^!S9Q-=<Mxq{}?DwvJdYU3A<@^y8CjQlE{rk3(6Pe4!>UGY@
zgA8I{xfYfJ@KK#VMW9fS0VMC`CckF06L?uVi*Kue*6y^0*I39T753{h#?C5lH%x7S
zKee#BC~4g-<;xdU{eXkL?Q|Wp7a_4$><yY9jc(kCc0IXDO7R+}Bm0!(Kc!tPpY3n9
zlkeN2|L!IM!Y3C&_QML`I-A2!d~0YhTO;UMrqCRG;64QYeYCW9raU3D7vP*y{4Lzb
z9a1+lJvF*uk~?Z=^if3OkKNuoQQ=ZmOoo6Rx=wbT`~DI51hFe&ySI#u5tdX9;hWJQ
z8=SZANj-HbC+Hd~$zZ0OJ28Q$QN(7p|JQzgxd1yR<*2U6LEa3*{(7=kz49QUQ$6q;
zQp`H5>3B)gIb`W#WgFWV@E}uz&DTC95|kRZN62*g@6C5l>elmB&tDdtAFK^TukZ*N
zwzf9=?YVVf#t$7zzuU?Sh2_1Q3)3NP;7zhBDbL=vuUWOIu1_EYI`lZI{2C^sF9I{!
z`vLXJpqih7@%lJ%pu3X^l|+h%4nFA&ZmNtb^Rm_>J!0`zVKiWi`MjrYG5}6^Z92tQ
zYzTymr}>9$E&HCiclbleofP5BseCbS*TZ#7iD>iHTl&Lv6>^9$5|KtpRUTN3-Al^a
z>iU&q_qFz(L#jXW>?QXL0lW-8&yPH2SgsN)a;Ko2HP-_6lBZR-S>ty~M?E}u<*oOM
zDiApy0?nE(wx}K*)Q}+<hkq@PYZwHdH=GY2SQB0tkoQ*!ZviQXV{h^8-cm`g-ftD}
zdZtx~l4{uTDweRuB}NP(QrKcfI`Rq#z&o6$@>S!UNg9mFQ&n>{5oHnxUA(DtY)W%x
zX%Id>ff(vGo0VY9oJ@9)3D0FjDY1+Vg3^jjg!6>E^|_bcSs~wiRrhz+g-vqYNEgBc
zLLJL^-=*sk!1U9i3Fy-Hf`%K0ff#z}jq%enIE01cs)E)>M=2-KT=vM0ClBL!WbYbY
z)V`&WDvBw)W_nFTf@{5@2>HU)7rd5Fw;sN1yT?`0uqcq2z(2o50u9s~7R2`H1cQOd
z4*nn6Zb+B$__!JvDeYM(C@I2mePwCxTy$Ia&HfXk@^Y5}XdDZ&^BqfVW_sxY3RCn}
z73+F3Vsn}-xd{I6^n$a7LCXK<H*4E!GMHn}0>s4DoKzW!Kq?V4qe+Yu=u|+)+|-7@
zR0RZ<{&90L3llD}03BP20q1Ppo*(x_MsFPslwFy%b((hvm&7k?+QdF3Q$_YCDabYr
zwx{hvl+4NhrW~kZVMr5h{L&5q6mmjzGf>{KEMpqb#TD|>Yw;`BebLlZP5|3ZY?xyi
z1H-<#`BcZ#Gw#stxNDwE<)jQyVp^3{4l)zGjvW-?ep4k)Gn5v~=q<v>oW<F~$1rpK
z2-Thsc}?fP<FYG1rteJU51=QGQdm%uwdDYrxBZGjTaL+g5j}XVwy0M1u@L=`R%!ds
z)jpymi`iGG-|l^?`q8zalo5D^Ia$Gs8kVo;ZU}Pt+yH><-NEJg6F^Fs+%A@Zr}z>W
z4ZbcO>t9pm<*5hjFcUqs`T`<a+zN4BORIjK`vnhL?Ax<LD`R8(&51P6Cu9wE)MZHu
zO5(hn6}JXa;bpuy&y?p#jsN)ih=`07G!?i<OT#*QsFy?VF+3tgJ*aLD4UKtFY-6gg
zRNi*|`gKR(X;iTRe=>N&Il4;dafO`I`Q>-yLc*6^;hzsWhFf+2W!+Be2S}_9Vd{r8
zDHGP(22NiUhc_Pa4_lTwgaWjLE4!i>1frwB7bfG|!|!v9(uqzxNk+2@;|uos&QA}l
z&WT{hv|md+CR<RM(0j#RcBq%tu%wMv96=EnN)vpyQ9P5g4Bh^~gW4<*0cLMFlLaCL
zoaZa){(dm*H<PX`DKIzYh_hnbmMs}W(fswH<QqUbk={05s?lb^2oDM4wMG^pz|S(b
zzTQ(v<<=O}|B#dA=bBNXZcy#x0Xo-rimX8?6X#*AM^TtoyT=T?*5ZH{SG&a)I&5D6
z|7PSgMxCId%xoR`Of4;nOP-QXlJ7`Kc$;maJDal%tItM4iy-Puq&6s|VEN+Bu8Kdd
zl8x#1k*9`Qba+#1w2ON?3(R7n7UMae-+oaa$-$bsVg{wAi(r-duZfN2!zHkXak&Gm
zU>+$|yK{Qv_aoTzB6s$#4K{%HDb1tR5lT`SxNwf|!)H@5*Lbz$HX=-;`GeH5cLD80
zY;SR6XP%MPAUCu7c&Hn|Bu=o0z<H%#9!@{v5XGG5?r&A-+nG2e-f^(jLN`dWc&kX*
zx1BE4Y1jF?8n9;(F2jC4f7N>>DR?TT4myGW!cUoljV(M>z7`$&KxFhA>P%y5$!Kx(
z4-hAX=?xJ*oS+z%**3AbG*jF{?n$$YC7RX&A049p#oLI&O^izDBG@Z+C+B~@RjYUp
zqBM4t4Z*bJ34jQQRatEB4O45-v#G|}dN2Ay0dA(tHK5%-e4m26-ygP8(&(!LxBp>=
zw}mJ~F0nJyuDz}Qf*^c8t>h;M=4y*C5u@MISLdw`lK{EqKOiyfG{p+iOTLVc?nrv5
z^wX>=^Tz!l;)lVnR_cXQz7V)zP^2it*ZzKNW9t<?%o8m2X4a+?<qvrL|HM3`xSo*G
z!Dq1BU}rZB6qDwF&-afCU+^gU_}m%F^fqiF-JhdW3e0luGtpbd2R*e1U20CA>gA%_
zX%52Kfrke&z;cx=efE{#dvIW`v|yxfEzFzTD;J`Q5g)4bBoycHiC)YJiGk)8BhWs+
z!iNOynq~#PfP8F1mn^u;y9>;IIkVW{LG=2oNv)@YwGkdER@ytY&j!XeCmJ8@L4nRr
zu=LR^&ze95ZcDSDW#>ZK@XwFZ5R-sZ+D|+snrIU7qRcY0SMy#7wf#T%d2w9Vqy|>b
zOU2`~tAK0N_c(v0YF}Ds8HEzot4DlYKkMY~q$L<rq90CjhYfPXFgeb$yWQ)Xd9F-c
z_lgQt&$X%zm^3%f>s?W^ARZYawsl^U7qXs{^Vo?{5TxTh!zg@CAKuu{Iyppn0_N<j
z`7LKC(Q<bErTUvVeEQg+p8lrA#zG(eMvzoRn;}Ok1G2Z=C8K!I)~sT4g3IJ#S*(fl
zH-xuaQV;)k6bkb?wh+U*I@bKV+5cqD5xY{Xp>X)n&DJof**w=5q|-PA^;4@4X%WNl
z{LKQY%ck#u4PU-jwjD{kX@t3iWoufMN_)JP=d8-E>M;_!oAE+X`@qGS-nmSU#JzKZ
zoP#BK4y4zwwNDZ0$UnIt;5A-bc)R38SBHBRLP5E4666Cl@+wgb5W`f*%o`D`tPF@e
zGqb57=f4>IMcN5?`J2>fQ~yH_B`Qf0b4TjY*5Tp>S#h_?F<i=V<Rb+9%K(-?Lg}pv
zu}XrhZ}h%C<rGb|=e&cXrvUA+l)+365|W4<GgLL0X<tDUlWIM#;R&pVE=gjJhT;L-
z*5UHEaarV4BX^shg;fY>XD#*6#~{P*2;~?v#7W8F+m8R8-zE#Yo26c$6b%y!BQ?#I
z5rHC~LNRd0{|qo#b?-r&K)#$-Zxw<9P*+}5p*FnC5^zvmkiLI8oPj<8g*i%b7Fvth
z8>-y@q=)gtp%Pz0zrfkx`x30@Qe3p4G5mF8m;2jNxGv{1g~S=ZGcX^lI(?MvmLo@8
z;qB@DTgWkOtS6;{l+VLaG1gZzRN%IXUU>hG18BNNEmS{~-Y$i|@80F5&KoS`I5Oor
zw#QYp%)JLuo-;$F;moMb`#Jj~3)xGxXqB84pW|KcjFma?>*DU)-X<M-txluIxugbk
zf@;-Yy?Pa{yE?+8_$PYH6CcpJ|7!ollMTQNW|{<3GeOYW20KqKgpZK7!5*Fa10QuH
zQe^M3|L!XlTwemEVMP%=bvtWV2eIXk?`Ho!g1*g=W97#0G>#E7jgf#re1Q3y)w|KF
z=<GS8d+oV7dqFkmm9u9Rs-iZy2Gvs+M|9B&>oUY#6~R1<HJbuYW^kw9#Qy72TvxC+
z!tzR_NKUDLz7o+ga=2pRGli?@oJr@LO@Gqtsyh+tJDh<IEPoadpkuX@;C3MD5MT?U
z3R)4%s@LQ_GRe8O_#CK6o{Lp2tAbUWnT?&joeamoW(n#dzB!oqG|xE>mP<n7iGQxt
z`g~80c6<x)`|5pN`6dQHI)n|_o*df)t&AR{FO&m!=se?_n@8$$bdnJTTn>rwx2*J>
zf{PEJ?l=L;Gk*B503uG!XKQ(^V7q-iR8(5NNV-)nn4G`TQ0K9^G*ZjO>8xF-wh<L#
zvR`3)0~o32_%|Lahlx>Tr@Xnrl6JnI)cIm(?LxQlU-uEZ*xr|kE8m0R%H!RK6FHou
z_r~i&%e<%a4fl9{g=7U&Q6f){(u{(#+JGtW0F|@5RBNR`1tM!9r8_3ZE-sQSuO-#|
zTA3=+)A?5FCP^T>73AJ|P`z$U4R&Gn9s!HH_`_f(rL<cQs%4D?>0e<;WYv5(u3>-l
zBap?SPj4K5z97D-vk@E;6cRfhuNk33^xKn`*Ki2*G8c*1D^B=*9SL%H9Z5rZ&Cm7}
z3q1s$AvcnujrMzIXM$Sj2{U<zITC8b&!9*t<r7S?ZL&S)v1fw&YYg1)V}i5&HSxXJ
z?TM(e$yl6wOMRh5>2?QAer_9ekN($7Jr!b+z~Lb%gs4`>{K54~FC1(@q&b6@>$@An
zbTgp$(k2!HCCWC;4LQsaC1W&~d&Gy_Z;J5vE=aba`>a0b&3;3eC^;E5el*46(|<5|
zcD3JWo+m3B=m=%@<tGAqr459Tx+_}$F>_7uHd4CT`DXFDQE}IX&QQ|rB9%|~1$439
zHMK7v@$Ar89Q;B!oBgazt<iNz4LI>(tLITsbNUflDoy2pj#PADK;G#`Xw4FR)Rs|6
zO!DSJH(>lX-(}8gpJnP18nWDTo84$Sk8BOCaG%vlQ7{X8yZ~8BO>yD|fp{j*CcZbl
z*Ag<ha@-R&^R+#EUAVjE4AkGuw|1t2d?Sukwl98;#p7dYXEotlcuOk!;OM?x4}!Qe
zZd??&InukrB3saLDjs*w^#ZdD#WZS6J05pR;NVyh@ow+kQJNa}&GHf~UQ7Wk!pT}P
zR+HbYh1B9p?k$d#NEo;t>IVJDhuw?_obIj)Azxx%58sO)EIobk$<e`uKEH#mP`+zv
zTj++{B*YK4u#aW5?`*#A9@)E}gi3qk%ZqiA+r&ced*#5~7wP&nm8Z`9(+`p_5+KJ@
zhY6gMgHDgOy@pCxw6OU7wh!1&MNW1bc5?iOK6KWzW1&2{)bh)(<(m{aJqGh0YQaZw
zb%+$>d%x9RqEBhi5mS3&!?u5;o*lC?m0@VQiJp0aIUIEV(fKuM!<p?f#aY6vS_0lJ
zMDeJKp7Q7+tz5>pt+!hPBL_$iT@Bpg%a|MO9v)MP4lI=;_%^%QR#1f+v|bY_3eFgn
zo5RkwXN^Dpp}A;Q9<CvMlC$D%N)fuXIvwtwG)C7hgINAvy-l+<FS4Ua(7@0#``xEZ
z;!m$P=Ud;$=n1alTefBA+WNZY4don4cSi;P^c^tGlo{w{Amto_X?z*z8fh$uYKd}3
ze~mn~|FvKx+*Bk~V#A+<d%)~9U5c7vbqTIZ>BO!wQhMAycq)cIyo)c?+&H86XNDI!
zrVT_N-fg_Tf$QYmzcVR8SOA)Pfw0wo%8ES9Uaowq$Nnif2GFe=Jh||9h2xEm1s#_l
fpY8waVS9nb9>{{<S$l~`;7e0o_eznf^^^YsgVMdv

literal 0
HcmV?d00001