From b3dc119f340faf871099c4c6518b929f6ab67586 Mon Sep 17 00:00:00 2001
From: Archana Choudhary <archana1@microsoft.com>
Date: Tue, 9 Jul 2024 17:02:45 +0000
Subject: [PATCH 1/6] add support for confidential pods

---
 charts/latest/azurefile-csi-driver-v0.0.0.tgz | Bin 13537 -> 13611 bytes
 .../templates/rbac-csi-azurefile-node.yaml    |  53 +++
 deploy/csi-azurefile-controller.yaml          |   6 +
 deploy/csi-azurefile-node.yaml                |   6 +
 deploy/example-cc/cc-deployment.yaml          |  53 +++
 deploy/example-cc/cc-nginx-pod-azurefile.yaml |  24 +
 deploy/example-cc/cc-statefulset.yaml         |  44 ++
 .../shared-pvc-across-runtimes.yaml           |  72 +++
 deploy/rbac-csi-azurefile-controller.yaml     |  23 +
 deploy/rbac-csi-azurefile-node.yaml           |  45 ++
 go.mod                                        |   8 +-
 go.sum                                        |  21 +-
 pkg/azurefile/azure.go                        |  16 +
 pkg/azurefile/azure_test.go                   |  69 +++
 pkg/azurefile/azurefile.go                    |  11 +-
 pkg/azurefile/azurefile_options.go            |   2 +
 pkg/azurefile/directvolume_interface.go       |  54 +++
 pkg/azurefile/directvolume_mock.go            | 120 +++++
 pkg/azurefile/nodeserver.go                   |  95 +++-
 pkg/azurefile/nodeserver_test.go              |  96 ++++
 pkg/azurefile/resolver_interface.go           |  32 ++
 pkg/azurefile/resolver_mock.go                |  62 +++
 pkg/azurefile/utils.go                        |  25 +
 pkg/azurefile/utils_test.go                   |  65 +++
 .../Microsoft/go-winio/.golangci.yml          |  27 +-
 .../github.com/Microsoft/go-winio/hvsock.go   |   6 +-
 .../Microsoft/go-winio/internal/fs/doc.go     |   2 +
 .../Microsoft/go-winio/internal/fs/fs.go      | 202 ++++++++
 .../go-winio/internal/fs/security.go          |  12 +
 .../go-winio/internal/fs/zsyscall_windows.go  |  64 +++
 .../go-winio/internal/socket/socket.go        |   4 +-
 .../go-winio/internal/stringbuffer/wstring.go | 132 ++++++
 vendor/github.com/Microsoft/go-winio/pipe.go  |  22 +-
 .../Microsoft/go-winio/zsyscall_windows.go    |  19 -
 vendor/github.com/golang/mock/AUTHORS         |  12 +
 vendor/github.com/golang/mock/CONTRIBUTORS    |  37 ++
 vendor/github.com/golang/mock/LICENSE         | 202 ++++++++
 vendor/github.com/golang/mock/gomock/call.go  | 445 ++++++++++++++++++
 .../github.com/golang/mock/gomock/callset.go  | 113 +++++
 .../golang/mock/gomock/controller.go          | 336 +++++++++++++
 .../github.com/golang/mock/gomock/matchers.go | 341 ++++++++++++++
 .../kata-containers/src/runtime/LICENSE       | 201 ++++++++
 .../src/runtime/pkg/direct-volume/utils.go    | 126 +++++
 .../moby/sys/mountinfo/mountinfo_linux.go     |  50 +-
 vendor/modules.txt                            |  14 +-
 45 files changed, 3300 insertions(+), 69 deletions(-)
 create mode 100644 deploy/example-cc/cc-deployment.yaml
 create mode 100644 deploy/example-cc/cc-nginx-pod-azurefile.yaml
 create mode 100644 deploy/example-cc/cc-statefulset.yaml
 create mode 100644 deploy/example-cc/shared-pvc-across-runtimes.yaml
 create mode 100644 pkg/azurefile/directvolume_interface.go
 create mode 100644 pkg/azurefile/directvolume_mock.go
 create mode 100644 pkg/azurefile/resolver_interface.go
 create mode 100644 pkg/azurefile/resolver_mock.go
 create mode 100644 vendor/github.com/Microsoft/go-winio/internal/fs/doc.go
 create mode 100644 vendor/github.com/Microsoft/go-winio/internal/fs/fs.go
 create mode 100644 vendor/github.com/Microsoft/go-winio/internal/fs/security.go
 create mode 100644 vendor/github.com/Microsoft/go-winio/internal/fs/zsyscall_windows.go
 create mode 100644 vendor/github.com/Microsoft/go-winio/internal/stringbuffer/wstring.go
 create mode 100644 vendor/github.com/golang/mock/AUTHORS
 create mode 100644 vendor/github.com/golang/mock/CONTRIBUTORS
 create mode 100644 vendor/github.com/golang/mock/LICENSE
 create mode 100644 vendor/github.com/golang/mock/gomock/call.go
 create mode 100644 vendor/github.com/golang/mock/gomock/callset.go
 create mode 100644 vendor/github.com/golang/mock/gomock/controller.go
 create mode 100644 vendor/github.com/golang/mock/gomock/matchers.go
 create mode 100644 vendor/github.com/kata-containers/kata-containers/src/runtime/LICENSE
 create mode 100644 vendor/github.com/kata-containers/kata-containers/src/runtime/pkg/direct-volume/utils.go

diff --git a/charts/latest/azurefile-csi-driver-v0.0.0.tgz b/charts/latest/azurefile-csi-driver-v0.0.0.tgz
index 50e43d5ea84d2232598dbb3836d6231fe8a1e467..bf65de26d8136f751dc741ac4012e47b7eb3dbd9 100644
GIT binary patch
delta 13282
zcmV<8Gaby~X{&0GO@GwIaxYIfHZ+pjt<!E<A;~>wPP;!ZRFxz#DgreCiW1xHh<T9R
zmzyW~0++g@ip7gAmRaAo(-sSrNC1gMBJ+m?{ypX}AR&0ZAYQ=91o+nB2y@w;;&J%h
zDxO}i*W2IQ)Bo-DdgcH2c6Ro^+uqxMz4vN+|JCm9cfIXbJAZpS-=W@0YM=4MLSp`1
zZ|S<qjr&R-9Fbpu3&Ln0O}0016s3QLSb~rn0SKRyNb27Xl(?WDNC@bVQHco!jxHqQ
zcnIi(O5g+R1A1|Iaq=?#{Va@!gl<qghCXr$+{Pqjq1Wwodm9hkE8ouJoc|LX#voRv
z0Gj9j_TKL9UVnN1zv{hO&;R>)$QTcyzk$#d7H|#`>!Y#HyJO;WCfGoBeKy`e*{oGX
z5#kUrK_uhTKH9qeUTpb-Y!yUF7n69HsuA^f6o=s%3yDANqm#iYlV=<RQ1#Lm<czZk
zQEC9VqZTH_)^&UZoPq?Qs!)}BQT9<*<>Xa&yW49~<$pN{^7}m1aq~g0s_pLf&g{BE
zG64!goN;#L>O)6$$tRKeBv;{1cYAMkg_H$wq-XOv42h5&&(TWtvDF10Pd+cQFtg1Y
z&z_-k7yt+A1Ck6e3W#wuW*m?JpMw<Y=PN+5fB@Z$fNE-l4w05hp-6BT^wCJlNc6XI
ztab_83V)a{wj>tUV#{ZAK!z~~FJgh`Co9vIqUUL1Uc|`+OGw%?-P+K<pT%K#VYum|
zUw_+phCE~zs`1qJ-1H}ynj)uo3>&J5hYn*Q*%*cR3PRlu90Z6^$<P=i4zR=<zAo}k
zm*}I<Up5eWhOWOC9*&}#b#OxfpAa7oe4oWss(%slIbaEWBzX+z8Ty;*CiU-4WXmFK
z3JY{Y!cg_6`6NIC#?h3;U339bu{gk?07M4rM|6X!{xKGy{^p3?(5|YFQOQ{t0`IFC
z;^p{E-*^I}XGrx1Vgqzx`LImeK~0!oT#v66$udnXX$w&k6h~sj<Y9^5<o6}n-QZW)
zFMs#HYDCe9+1SYSSNgiH-xRr!#lfK#*G#4?K~KLlDlMolEh6kgAF0XUiK&pF6?7P~
zo8xgLr-#`$Dc2mLkoZ{i(T?gm$+3jt^l}<OADuHj=RQOMma6QC33&?ghVkoE>g0$B
zBtS|vIeiv~f$Fn>2z(VnphPNbBnlV^M1Pq?0YpFp#3=gt;w1Te1F0Fpi7(C=mwmMJ
zpZnW;ZVfpC9LiBvO!3ZR`kwxbg;e9M1v>fB3c^{4DP*s(l-M7g!#`ufA;^9Y+3+1q
zAnc=8>aYAH#gsCMmA#w%60x8#jUyHuR0?qrEapB4!@O%jQ>`2mDU!bs@}szqwtv$<
z$1v84`Bks?GqJyN_-72F`cZFO`D`cos=Tz_XT=wG0?N57-&wM9hX}Q<dwa>cO9s+C
zwOQ!^-%j;TN6GGBKq!$@E0apSUO))GWZeEFSqR(;t|sfDYnb*?N2_AaLg*Hk*|DB%
z9m@iX)Ypny=lGTgDUug37=SPPsDE?HF8mP$aR{AO^sVNI)V#g(TD&Ey+0YBvO#L~=
zw;w2;U=k|jXvX|uw7!0OLPJ8~7Z%22_z9*5z7InDjmXhS090yGNpxaGFTZN1mv>A0
zbR$`VRdJwtjmT<AcN}%vqK$<rvd`>S#xngrHT)Z`<3iPkg%!LF2M!x!5q~ZmCXD_l
zGa~9LDz4|VB(k)=xmLL98dtN*Ro1!Inr?RqO}8-sEMpFtK)nTNWcos4Wx89DH!sbb
zpOty{ma{lYUk`--I~k92z`@@*k?@}SpytF67pez0HjFu*8FWgqcYQ&+ddAv4v9a$z
z2;c`ppwepKIQjb`9t_BBAAfb;UtD-22*;gdAN`hH9R2hzoiLpadWKSkfsFG-{rrM5
zHLt|WO>}hp*AH(u(aGr#?>Euk4$e<cPTy{#<MZ?P=gMSL`=c|?Zl{(B^+WdeMo4IU
zTbPWtKLT;;Fj$qIL(fovVa%uisXIZHrXuONBN*T~lupL&yG?W$#(!$*_<?Xy`b+io
zkH*g2M5l~`UCTm{eY7>fd@CeZTlN>%Iv1#o8SA3}t_Y@1Hq5I{G=P9{tkj#5hcn<~
zB7~9X-s{(|(_TsT$x7OdvP*jD4y?mgrpl^plUiTE-Bmf$97?{}TdE?5G2>j*9d?kz
zQaVU}+DN!jdxoQ!6Ms6iW&okXlObj4&&Rjm$J#Y+S<KgT34EMujEBZp`lI99h=Y~D
z^c~7f7^yT6Dm+=6PMJKRrMFh#OTQ|56T)STLob;~8#jao>_)g$K`cPc$TQBAfsi`)
zMGIZw-4N>17wL?Ce%Svw!Te)Lu0GlypSx!Dqo0Vc782IIWq&5(>?(Jgs%$+G7u<;K
z)lS6B9xs{VOe|{Vucxt{#*ANw3<s$RuQv?@s608cQ|TG{mFbur4u3-@10+X)4i1hG
zj<n^d-dJB3_plITNFhLDOz{u`L@ZrIj3b9o{k_0rKoTgX5@Df#^39^IE0iOkNKJoJ
z<m3q55INGt=6|czR&jEq1k2JghK!cxLk_wm4u2pam_5(WI7+uu90E`K<{mn>@-;lp
z_@9Jvq{B8_r|&P1FS_zpE>p*>`2X(yb}9b1|9Wq49sj$J=Thl~Tu}ew1ep~|&HbVE
z_y!P#YzhIA%)|=pwC`?gTr%X3z`w2`60txaA+e0bCVz@Tzyc7DX@4VG{$+?fk0$<&
zH=jSF?m6gk-PG%WzI;)v7-F6$tX_W8!BJFNTNI@V5%lFt2YKF&Qrl~#P<&?0|4$<b
zBjBPdqs5^BGv@!!-ri1W{=eSeeZ8Ll_wjuGy!9VwLdJc)aw|blhRd6=>K1<lee@q&
zU%qT?=u=|Hw-Kg+UeKuxrfC~Mqs4T&&!0UMz<^Ldom8^As&EH+*?a9e=o*xno}k@d
z4B|wUd_MusNdV{%W%g4a?eFS;lCklqppKUj0~+XmYX&zCb(0VYo&q>XlduVYf7{>P
zeO+AtceZz5@2}VY`*=!|Egfg;9@I0y^Sq5bP8df7ZY5Cd{ODePZ&cX!#x<cq-y);V
zt()x#v@?b<x{&~*`X%R`iN|GVogq-I9<O2&2EYsYankF4Z$oQ1A|8$+&L$8P)oCAf
z62#b$$WeUN_1U-_!&5Eb6o>gxf1<{VZSC*B>LkD)!ssO#gOGR}^%0H3FpUXKbdV|e
zI@fi=z@BZ#Y={UnkZ5QkQFX-(S=$??CvAYseqh~|LjL4<`HmzI%P{6RtZ-+dgd@gH
zEIIMfP3#LohjEB``Lhj#gwG=AqjWD8Y@o!T(o{TzgMb)E)0r}jfFCLvf0-Y!fFD1h
z0r8b)Q9`GEO13Js-Q<9SX&w_O8RDS&2@tldb*+EwAA->{EJuCRHQURs{`!)A5Q*E(
z4AXh}XQ^YPSB!;#sguV6!id66#v26)L=h;qX)sZCi4%FFIQ8J^_UT!G&VD&W1J1_i
zW<>mv#Zx8ZZ?Hfw7*Ftfe=n0dTy2fO?;4t2wJ#$=0=1FQ!w{44sd2q$?Z424&we>9
zG+#(=uvqTar>x=73<_xXY(t~<zjdjEu6l|>ddR5a7O|^;fG?GGY(n9L4hx@WbELTg
zCNAnV9Z)LOvNO&T7EN2ngpzSQMuPmV+iVy}UCc&aN7H~SBTNl<e@+x~1KuRVTG}tj
z?`0t_|2~WJ%hJ%4Mk2&QByRp}OH?dW*ZY$yscNU^-?n7=w4U9f;7FEEqjJf#!);Ne
zkf@!zMD1N!7o8b56jdg*9AT;S85yMR>47e(#1Q*3#$h;3iQ0h{#^t4oTroK+v7q;y
zZvG`hKt;^6z<~Z9e{(<)BW5CCi2(Z}#N-Hg7yZ@p^7Ds_OQn7cuMntxDB}jei-#q(
zLxgRAy`){Sm<CQR>&J4gsgo|72HCBKO1IG?)RSZkMfE4~HPA#1V;TStr+GzU7fWQ2
zPxZ~pFWQAh99CbL7Ni&%FHbJ9Rk{@`pg{FtSVPR32nGcsfBX@QaX$-s(Sx&-Uv@7F
zKciyzm1K$tgmu{Dc{*+N77K_H6Kks|=_z({E|`>dH&Y5eTRW^0+eD0~f-jjW!ojQ6
z$OuK8MZhH~hOBaCVj+-KXxnque7m<b`$3~#tz7|u?J=Vav|(V?upWwXRBeDTP2^pp
zyVZtMj5JEwe`j<8T&*=e8&dLnN?WT0RcY>cO7>_whT_l!<u>({9^)zEptVX&bM)+C
zDfF{4QwSZf?7YH|$izJM*?1gNBBut4NUmbZxY!C{0^yb*Ll1L*L?rk!=CGw~Tg^Jv
zCUSQiJWJ!&&kMX(rlEPX0ogDD%7!#TWj-~ns4mIpf5#V>X~<j;M!EM(Yq`jVKy?_Q
z1K?&5wfUo$c^YUTwE;wu>6BDf<Et@|siX_7wh#55LEDBJ*cNor2}Or^4B;UbaOVS{
zdRlm@W7`cuV)xe#fqGvM{{V!xBK#5N*q6Z7-1CK*u<7(o7wuA?T}`cqaCU^_<c!a#
z50MmGe^$3{8AXuphr~129wK`ZOntZ58*aUzJ46dnHNaiy7AtA0bJRK~)as$l|7^J^
zpK{@B+^rBr=u!(Eflv!N8INPB@nLu%Q;o@JH)}_QMtxKC+dA{xRk+m3+HZ3WFB#WP
zq6nS2DAiin)?m$cA~jTV-E9?V*5O^#vua19e-wxi@z|KYS73nxHAFRhAPw~;2!hf=
zm+0}_=ot=bh+csXT$Fc{=^2z{<DxXUV;koZ98@nn?&38HAbD!HDJ=x0_S+gk!8PqE
zEavTZWtdj?bgsr__Ca;v>W0W}Eo<nSanr-bXgIZFhfAh_61bl-)t0NghU}7qX<nM1
zf2zD>6y6V9_#K{}KKiv&JM%lg&G@ob6e?fVY|v(C-sg@jqLwsL-RL`tIy!UK{?bK8
z*QhLqE0-DxVIUDDp_;_Rx{}Nu&McrNvRK^ZW>Odn_k=${LoxxHpc-`bBRl~#jzdYJ
zFr#c3E>_@P9T?5Nih$=Z5nbbADe1jbe_@$<?V1+2Snp<ugz<A^%cI(&8pUjm#=4k{
zCAvv^4-3J3qL<VH3dHEneE+r^{Tw}u1H&>;Ibl?fis}=6GFXn3F;Clym{t>dCxq=F
z=4#MZdx5AP)hhss#+YAMY$(Ha(#}n@Y0Sn*b3DK#)Rc!nK|6Ysl2nFb7wMBYe-4_~
z#<plWeJsZw&y}gdDw$EJNfo7Pp#(fM#*@Q1t!ON>U2ZT>O@W+UZ>;s0bG23|<C2e4
zhY5D<56yGPsIm{#ZXg!c(=tu>nO7ih)L^uApg8v)LiMYN^|_`&9HJLjQ?;8R0k&oj
zmh-u3O0}51O2IAj5?#SS305pje-#yni~Y3LfNXZZ%+l1&U$;=$&W2`Pn)k2~;Wp8n
zuC<eagJ!1H2n3sm$W(QUOn1BM7-2nS97Odb&PF|)nl3f2i$()y3bKn%-(McP)b=Gq
zc*014A|?b;+XVrB%ncS+#2_}2-z3sbPUjPHw^%y}uUgR2+`>MG$|}awe`W}HzGx!N
za)v+ArFL`Pvl<6u*|CUDC<>+&kBN^&*{57>3-Ymm&72lbSG55N^~w0O&Xk$TnZf*%
zBBnb@6`xe&I;np~#+=$suU_gp#WkwqpgBB0J48MX!!G(kFO*KtUPCLE<x`c@yuKqs
zCY*{!R+HU=0VE(1M-k&{e@;kkDpXa9aW)yX;vk&rnRMi|51LhjkTJccHWfzkF)N<&
z@wz3hLHL1l#%D;qE|Z9Rh=tMw0{8?1`zp|96>^ef+p_6sFc~0Br-kiUnzvyDVWd_{
z$xs|A<1~Z`ggL<!FGv@<F0y$be^&mbA{Bs70#LJ4yQJj^ra3RHe<U;pRB_&FS;9n1
zqOpf^qfyMvafJowWD;5%Od~ydx?`MM4<#?gS>c>}M#QfHA|<R`>jJG<lr>jFl=*(l
zMKTP<Nu9crK13{CnCzS~qgS^rO%3)C@B(hAF$j?!s4hQ6v%wZE_<aMAn1pErmg<}+
zz!RCP*+$n%q7u7we_q;EHsP>-SErtk4TowftHp|>UMFhD3=@h3P(dV_K;HUvEJ0|t
zM@BlAph}0y=H<r>>kSt9ZgV>oX6ufbTsOELGUUSy4U-kjnP4q|7_KgKKr>v6XZ=#y
zFcsP?p1CDRv-?T1Pq6^ks?v7tY+flF42&iVpoUGulv8uHe^@$aE|jhnL2ep@?uOLZ
zEW)IT>Rj>|I*xVLNfeC%TPTQXAfX`2A&aI}wTi~ccSVYNs0w!DWGP8~N~XM@odM`@
z%e`5UQn614Di82zoCz*_av3vHi<r~q0n||~`*byxAlloIxq09qyO<4`&I1R<nM}@{
z1#SbV&VbZ8f7Farn3#F(K)OU;kAjt#Tuem+G)~`ZkcJpzJuuquWM)Pgzf)qB=vk68
zY15gS``+l$)C-l&P?utwwcXYYXquN1mJ&GaqyO{b<6r*pUjEmM7r*wr|NQMQFFtnl
zKmOz8f4%%8`QtAyU%q(p>rX$wy*xYqjlBHhR~nD6f6ZTiy!aK4e``tP<;(y2Q-zgV
zF9+RJJ3hueGw;)b;knUqEt6G$nWwvGqxLIfcjxHaePaHX_^Of$#k$qZS>!b|(v1@Q
zCLxjEJQQ*bfxIUO<VvBBtAjkQ66*MrAdX)xwDAfgHu%P8#><p9GaxCDp1w>Di<-Q-
zDWr@De-tRq;%D0Z89F#S$z#9Fa3_Q~_&_FV*}K7<>bROsPoZ&Vigd)Nu*+daJhyaP
zhM7HSDhkofglcMnDwAKM)C3x1Jq41s<@qdDM;QH^q0>j5nj;@u37IO^GvoUI(FuC%
zDU?1o+uw%+oIW9#>1u$bYba?wlypVl(KTGOe+^vp9sr_`3ljR&0HDi4J(mP^E(zaU
z8mRg8LNZqXzFZz=xip~i4xy6|f>&G?owy1t;_}GDrE!MKq6$}tA-n^`;IjC@<<WrO
z683M!XurF{_dQ`m-}3mq6`=K2g3VhRiTAaN+hfAitqMW6BD~!4=(y#va4SK+tqAA#
zf5cI3E5WcWk62qCpSA)t+A6STj~i*W45n<29(&B_u@zv&R)P$Bm{npn3rj2#%Obj-
zIDTstXswmW;*v<L<t1@xl+}tbRm&o%mc>i0(NU{HM<rK!<=|1dpPKPenHK{4K133N
z({ld1j)`U_Ded&1KBERxWv**AHAC=Af0B|;{kYCoI6GgVZybnsp0zMTztp8J)Fo!*
zFSOhmxpHJN^wV0>zo0p_Ve*B|Z+MvAV=-TH!yK-{rW!VaZo2#^|I;iq$q`84V;$a0
zb|iJ)l4Q#vN1VmOBCOWs1<l;f0fZov+m?wG)-&TmAn1Y)IEsEl7&TXc72E52f8}WR
z<4v?>`zsCPM402T8W_7eV29@;?^@M95M}iW)5STQL?wiCkksSPIP6Zc#O2m&uRY3A
z7>6LCRX2YUhjS2yJZa1UQAV>H7=lNDyeO@4>jYm8JGnRu8^)qoQ0>B7Y8jWSv8Zzv
z(lsTr^_mA=82d6E0WGYZb5Q&Fe~uopj#fC(DH~{Mp=594bXzCd)Hn?UibhjGd>qyt
z{AIM>?WuXYhDdf(rdm~As-l*a*_D?RcJjEv4M5{@Ie=u?F8ydavXwxlS7z1;VtTDi
z1rTmqV@v2B8(|uRT5VKP&N-y64#cs}j`vvMPT9g*9EiNZRp*SXbsZETe>U0Dt%vd&
zrk)wcF^<f(xFmSVa$Kq|M@ZjlkSyt0>Th&80s(n7#UlLA7}OG!LsKla6?58K`bFNl
zT)`QZwx?Dejm`V5+PZ7x_1z$^jQ}kJzt$91g~48AFS5!V$jbK}k8`)N#(5`wde=LO
z`_SR@>>5_JPq>qv!7BCwe^0{tf7JH=`Ut~UV$*;1R($(d%R0L9@X-~c!|x%yl5-=~
z23Sm)Ss@n7a(#>?``3)nO3Krc!IiHrJwoY>ywApwT2%|d?u>1UbTGbwt@%#Et1cW`
zRWf^@?OIxEERR$<<t>m#6li-d@I1S5ee`|>Tk_f?_lFlJ$-0q9f02ccXlSg%5X<!T
zyob7VTb6X6G^7jAc61R2p0a%fA)`aFOmc(zfYstWw*jx0-R23F-HKJaCY{4T-|yPc
zqB$C4j>9e6qUBnmd1z?PX{pTD6_d3+RKk9l6cwn$s231%-EoC&(xVQ|^YamSA<BV+
zb<A@ewt0kGycws|e+!4yv&m%eq>VnIQfJLRX5w}L)FarN+*_4)%yx0LSevq^(UsH2
zkaEymiF3@w>x$fE^L9fE2bzQAid<?A%I%$OKQNxahjq#%wFxCg=R4@8{)Q@O7srx~
zv9x4d2;;+xlLnF!I1(fPALnt$MXR`DD>RcdsK2qvXWYbde*(v;b>o9m4R_*^#imX)
z;Sw(m@=eYj=R2SftC&Zsl0~vUjYHMniRyfwsLt<+njz~h|0ini18v-RINChFBC)5a
zY;G+F$uz|S&asz9;xhR|Z$X}g@sLnuRK9p=kl_Pos%SkO1A7|1eta7Gb>Rdd$%(Fl
zo8SfG+0OK(e}mzgX^a@Jr2SL6<R7t+S%x&6^Ags|Y02!n`z$3%`+w9f^%m!riXW7c
zTIlluNr_J+=;SY+Ej~486=pAaZdp=KlE)<LXLqlr=_4Bl8)c}ryT~rmy2JCuUEOWo
z+s>|02wAl=Grr_y+??sHyFn4H^dh|F?@lX9X3GoHe`*RFonh9PpII<V#axt%CrW&*
z{#`uAax-E%$bh4tlC#v>`d1@jbE^IOU;pz13Bk;QfB)-$mDc(9zy9a1A@i^Q{jdLR
zosheT2C>S~F!x*-j&o;QiX-fzn2vc#7%)XRj7Hezu$V`!FP8CTRz{b)Y_g6<)#jH)
zr)h3Xf1`oZWq{D(W?j{e8tlo`#75VrfRp&QHqHVv7=X^GAwZ|gGbXuNS+I+wi2c!K
z{&4G+TA?)&A9SJw=~Yh!FFr2k;FyvPxsc9bP|{yccbLmiSinJ6&ewAhf#02#?lb=w
zK^~hm-1cIMd2$kZZjmqcB)Dr=MgqdYH&Kmzf1<-HFj*v==lJF`bvF$YI#E_T|6{$?
zr=>fv32Acdj&Kw~d+WqOc~N_%&e@hc1^GKTJ1N85>`*#)i!)bl-BRrZon80ylYyy>
zXSpm1n4w60cZg6S0S66c5=B5I;gF85(Ot%al}kr}HQq`K5&C~G-k)y0Wi=$tcwwCe
ze?T9(gE3IKsr84+Xrwa-UZ^+SF{WeyLUwH(z{RgSztx!oN_gQGkE0MalR#W*f+cf^
z2-6)YMXm508!FoaC}K&{@EhG+wLB_25nB&lNUoueI@$rAvH4j^{}<PVAL@BwvIKTi
zp^jlLb&uv3l8i~?Jm6$F1ozz!$ZnH#e}1QzN~IIEBIig@o2(~YqAN`Qy7OBt$Ho3q
z>p0w^9kWFzLiN&1J0r!EN_?wo@|Cqw*Rwj&o1V=RWe6za1j5iu_Wn0`s(K+AIGfHD
zbJ-}ZX^Ox1NALTFGbK<%n&h||5T*M}!mno20vWex5+m_Pm=4o?gM(Pc92QH_e^B)l
zCy&EpTvi+p=5uY?INB~x;q!c?t+8=Uxj)$i_=LdC)(zv=gbqC=nx0LSw58Xdt!Mf_
z3%5ltU~L;zSnckzRjMAbwNRsy&_erl?D<6kQ!0I1vW!w4TQix6Kw}(0mOAH-MOk&I
zP7CKxJ&W1#Fb&kdO{!9Vx=;_sf27s){cv)0KLQ?;h30DQmbWg6UkyqOxsYP0F72OJ
zHOn2Lod>!SxZe2t#_tC`yg11_@?Gp!T>I-gLg&hzmO4gi+~374YDFIj*epzG_&#%k
zpbwPXI@dPJ1o%uRSyU8(`YbR>MKMK$%Kg1AdQbKDn+alUtPH3B4&2w6fBxmq;?Jl5
zZM&{G{|wKxP^%!y9N+%W*FCSd?e(@D6nnkC{{QI1<zanxIL&K~ddtJkvgg4rJk94o
zv)fdiQtfNYhgP$~uW#ObQn}Oc<Gy#Zv?w{2p!MCG-{9SwZPT+g0-#+jvXJNnGqO1y
zdUH#3B~98)L3sdqo}bB;e@gRG`QB<Hrb}gjbGgfx&k5(W6x(KrYqp+j?!rFm&1G24
zisv`Q@=1LVKc_QXJvkFyvRF6P&+(C3+)Z3mjgyI>*)f;Ied8-t2HTK>5OV~*))$7Z
zPsGf9B4&jrVZQbgFzb^q_j>YWed6UYpLkhkX1SxxELLQe%FSYEf2=G!%bcf@zM`{8
z>x?MoS*MNoy3Z7S&8LVS$mCq7&uMwGXX$f1D>${Yk~2DUoXBak<DT#VoTZQ3EPuG>
zksqa5-NBisdrW4j12M}Sefc^Mxh#2{<uTt}yXZNFRi9c|`i#O;IgxM==MR=YZLrF-
z1<Rf!Sk<|K^(le!e<^{b&I7Cj`M(^-e_1sD(zyMVAoQ2P;xB``Uj|>lM$*sSxHXb~
zjig^==GU0{HD><t-Tyt?MfT0!0bUF$E`wTM8l%1}BK<4HpFcUY`TF+lr->lH)4R9l
zM2D~M-+oN@Z?6Qyy)0sTCHU<1J=$OGJ=$L>LV9UD^s?yZf5(A!ex%obfBx(tpaJr}
zeA)PJ{WL%L_n5<ggy8vtct#^_Nf<{O#I>b<%oRzm<>*fFIBZ)-uh;AC@9pXT_Ikb2
ze|L8Gc3yqAy|@2*@74DHtKHr2dON$@yS?vF?{1rJo>)lCzw0esSGjRt$z!J45kw)I
zj)BV3)h?0Pf0}F;?rJem*Uz6(_ZNfN%L#>cu7CNmk@rUGqUR6-7SPT7j=EHcuOPH@
z9!Jq^vIwckO{gEn0iaGQnO#GvgSzMsL<tSl{&P=#qsr^0+d<cSWJ>8TCHp%bhv*Mf
zrl8cx3}U%EYz(i3OKn<KkU-%$L?Q99sOypBy{Sn+e+a%zw!332{n5Kz&(?NY^4&W}
z=j|sQ-g0Dw<XFPcLgLJl;r=Emc{z>jw~4y3{O5#CJz=3Kb4kGWStD8tSX#v(EqTNE
zb;xjVqKFbX?Hcsu$x(s4;v_BFCAREVETE4%Qf&YV^jnBj#DaHu5w+6O&E)6%IRrFf
z!9iI@e>LMJIh|b#DuFgfOvqD^s_k_>oGX&mtn3Kl!-21N;HPE9Qhc4GmQkQAfQy3k
zYxAMtx@Mw}LPF!)#@@+OYTey6@{*sZF?~;e#zF$ml~<K{oP|)lscLJi3#OJ&PE^`g
zc4+=S3o(TjRVERLNR@A_IpTzIBBvS3#TvVwe{b%0@_bHY?!F)aeyl%WRKl&y#z%m!
zc9mzGshOKM(2d?WkEtYMI5LM18i!4?5O`Ulb3e9}=tjjp(07(ib2G;NGRJhO3>z8a
zA)LiwcmX~Knd83vrcg`W*Tu>!TE_g4#kljfzFE+fp_c*o_=aV7gvFUsu(znQ)hSlr
zfAs}9%f3)+5)(u+KFv=J+nzq^<Yu<{{t62?hlrssUn=jKX!mE8mUxK1eCe1m2nDp{
zXLWTJwF5$!4@Eg_)$t~8b~=?GwHc0sK<(__{OQHP(b4(w#l=fU!4Pl&+|xRXFgm+L
zcJ1z)I-ATvM9oAN%QxFQy`FHqhg-?9e`io*Ub1$-DXw>EVWoRK91-uIk$Cf}*Hq#v
z=0d*N?zsvL0Lz$zH&lC+H$O7U_}MS#;D?xuO&GAk0MJQ!1nikE)5B%hnHuUoQu`nE
ze_g@+>#_`~`Df1opjqM(rDcnfF|iq?V=5~WGFHEu18Rzg5{HI+#TQ5~AbBT9fBq`S
z&t6$~6wF9lu*7c8gxcOIGF+?F)#Kv`Uy+bFPfl<am4EZl!Mk@(Rg}+!)u@Wnh-upG
z7ulz)(n)hv(r^9Q+*<1HxoD@i+G?o#QBWl<y4rc(G(8(8pnB?O?_$$4H)sz(Jvj*S
zduuD<+>~Cqh2W&?T&a_ii(3Xuf7Z3yndP(`?qj+=_sq@Qo|zaPp|Jo@2UFi@*YESn
z2RZveRNod?@^kRn1h|17AKyk;Un=|qCSlA$FX_)8c1cghc9G@$p7n)g^<i~ING3o*
z2(`7if;Q?R`Ql7{uv(4LK)O1Si-i}|8>_0ZjrJ(+9O|Upl+>e<&dgnre+&%#bC&N$
z&A}oshT=%d$V*NrzX_R-L-kqT?F}k6bp$w+qcg^3x^b>_v8_dy^diRPn*}MCyV4Mz
zyxEyc6%?y^?AoBf?ZYaB)L+|17i7-emFj^Sveg-x6<l!sFI!VPtHGPpO$Ii62NMY0
z8~b#&{^`Zx#mT4R)1$NZe<!DxE?2`CBqzQ|wM(z7|6k4Qwx#W~tJ&lGj1I`KhViU`
zn}7*ZDv8Pyu%~0KGvDP}30bUh)&ny1g!Y_yWg<B)bn!!7+PK+H=cb%lS1rjmIATne
z7%vvUJv;;|9c?#dJ_z6ks)U<RM!^&DU_fpigyMw6g)ZSHgu{^Ce|RvC<h0NOH4WCq
zk5%cztm!4n8VFMs@zigrM5->rP?S2Sv&0rDy^A=L%x7UAT^^n#YKg*PD`6{En-(b-
z-=@UxGx@IQi$X=kUL6>t`f|iUj93`-(W}CHwV=NRS=Q>2S&|Ztma-d6;HZyMYoT1%
zf?Zf=K_nFO%scD>e?o~QI6Q(7PcIB?xsP^>5F~3lrLVV(uOr}u1@4dQcP;<_hx6l4
zhv&yf$ETMk2k$=paPschwTJnEGe<TBGxdJP(N8dS9+P#1?)9>B$U(;{argrX;V>an
z?LGBe!?dr3!10bn=4fgzsZ_a*`Gv;4J&P&1?Qd<>+ppCLe`-~hKDctm+3gf{I@OtJ
z82It>^6cW%+4=kb@9*yVtEw<Zw?wo?fEqb$!{Ge<&BI<%-rm0dbaC|4r+4q)etLKO
z%kjImwQA9M%Px+7dY4%lbJ@_D&2z8L@$$!<F}c;nzxynjI;ogfGpK;{b0?;@Y6!&~
zJimOmR8@!Se`s|#AVPA6Is*t8$F%|@L^&5~nJ*#2Eg!0>d^zCYJq@P~^Hqq@i>}MP
zTdp9wCR;xCB#(vM((xd_dZT+oZB9X5V4ssp)I;oXjIcT)t4=A@M$-}DHuG!o3#Y`*
z_`)GtYDul0QjcZ}tck)O>0|?pPv3KcrryYp*PIgTf0ovn99BiQUNUDAn<1t-DST*9
z-aS5Z;XkeJp9lN--Aw#vZ@ahqx`hAS+1cG)<3I1?@jR~p`K)Bo+%O2y!;2G}ptlhW
zTHJ$|AfEGLH%r(wMZy=vu+i*pNxUd1cN}1zU~2Mxf^x%BVt;g=UM^j;!7Y?BEr?if
zLI><Uf7ND8y7-yZ;vE@)KlMX>rF5F)`%I06NUwnP&~Y?^F>np68i==?#gW6RvZ0i2
zp@aokvTLB{Hb-Pq4UPi>)K{xVMEYA>2deiDjxJT%<6DzK;#<;$-{v!y{?{PF8$tti
zBRsX<Mx6N|#Ecc8S^sbE?d@-u^#7~ZyL)T>e}5m3wdF7kGPtuD;4V;n6+-p*Siq0U
z)-q#%n1TwGuCd1nFpL?!fCWwyB$Wi>bcKfrTvS(ZmLMU!{6T_*(n?PenDoCF1!TTj
zst6r^(616xd5mvAP&~mTR3l#KIW^_G#rH|~RY3l_Y!%)=^LRqL(OTvh!+a+U+VV61
ze_4duabE${KS%10aQ^e*^_4U<GP)w{w)w8@NdQ}UJy%N{1jysU>*jY3Og`5U1I5;X
z3wQ2dKPi_{-R_|lIDWmnmq7fF0JgrWa|Fpt+g0zQ+`b~`LNLo(#ZARydLTXs;HJwu
zr<ds9!{v|f&rdG@{_*3*-!CqYe@-G<e}w}vIXY@o4jVxD>iyRk7|(3N=>B5l)k@1Q
z#MwURI?uDsaZ`!4N9+c;7(p0z;no3g_bWf0!i{$#VT|<u>P0bitRe3V%Mm*4fBZPX
z{Nu-vTz&kgR8|P`<HtznffgS>)^4vqenj36jQa&f?##j2bb3T<4#S+sVMvq_lWi&p
z0rQh~DljUWKfO3QKl$bO{L}gI+fNto4}bb}c5wNli-wVSCyBFnAKspvY7$2$=abMX
zEPws@(OJV!AO3p$>Gb{4@u$;+pXZ2V>+~x%A?z&muC`3|Y{^~Gg<5HS*A%N;37W%D
ziC|<gC<pB|;_j&#7Ii8&rDSGEOGR6N@991C%7A-{8VTO~=|yoa)+z8Rd@HZ{9te@A
zd*m*#c=d#z912f2wGI9*6)}7jf;R-2oPYEX5=-&M5pFO=--5IW<5jsvqIv(ZXC26O
z=S5opPmP1B7IOMT;8sbmIm)aOc6BE<&l<6{BE;5R7*u%&{bc*DEUr~qR}X~ndBPdR
z7LNbTfdZM4|7&Nvw^Pplwfky&9sj$Jr$zkl1!b~z5b)(X3b>8}uA_kKDBwB@_<w|=
zfU6C`J%X5GQ!t}+XgzCE%kv0_{f~7g60C<iAgzKU>$C6+o`s(~dQm<Q?<i7p_T2dE
z>QAHHN2KDguYLVahySY1vd_Cydqii>*TKn$3r;?o*rJ|v<-D$ijm~+Fx{=zpXKCTK
ze1UyUh`?~O)fky|e6T<dIH`<T0Do`Xq)IDY%_-RZ=2Nh{J+~0tt%iF{LDeS_@|>Nv
zB$1)Uyd@oHCzq#Y#V)F)=P;|1&kM3Vi%7ok5)0fq(EH7$R$0ep*Rk0r8k;qY5*iYk
zCilCBsb{W|HurlbDec|NpXhH*ML)sxK!5l*B1cKqe0RmmM|kH<88d6c=6~F`x5>bg
z{eI_ZS4uAnSxxe9)~QS$QEa{0hFu5ApLme`@g!b(I(ENJd!grfBLVkr&E9!%JM{*_
zi%0}sWpHz3K7Q<eRE0j~J|iJmuX*XqY87I9wNM@EyV57mkQ{*kt-J)n9MVhSbPOs$
z1IG2ejaU-Buh7@g!t^;emw$qmh%p*YlPd{zxMqZtYv$BXS0FK(*h|#yO@oIQCrGo`
zx?dHQB|5kId1DXHUz_RX@^@beKE?dIHUrHJId4jw(pu=-3jCavm85@VlD{IUpGV@C
z>E<G>xkP`V4tLkr;AUy6r4^_!J4{ftPK&9CDlEBIq{X?Jt8(Y+wSRO^G&modxT|Do
znz2YW@mX0h%RTXg0de2hGdKQk?(9!9@qfMj?fnw|Z+rjs8vl1MPbnm361iFA-zt!N
zHZ$BxaeP&pD?srXqRV6W44pNCuV$Pc4!`H-X7T$(%faOPyd>1LWd(4-l+b-#4Vv?z
z1ynfv6LyG_cli_$i+^Aa&9_V55o&n48$6)Z6?cUO%vgVnSiqXzSScR#i6af$WIkTw
z3?J#8JLLi`uF#n)c6E36+BAE`%ru@C3AhI9HFNe*V7<BvX)DE+gQz9K+OQpY1o%8h
z;YWkbn-$i5H77Q2p-c1@!Qxfyzsx1JWnE%hwJx#6Zt`0#8h>tqOS~3=u5B#@Tq|qi
zd0=a6WZ5^0EX(HM8dvtM;mR!dODi64$XOiKBg=ltbfeBWevg1P!(Rk^OoUMT!m9il
z-I<kma>%#U<IHAU$Tb^<w&-SMjZ|A-y0u29t<h<1t_5oZ&_tX}NC-m+95Z6MgBJI5
zAz9OQ$hkS-EPuj7y(#FUzmh=5=(S34vY@}whUDGdXjUW?z{L4+02AUvg^TrdXbW72
zR^H{!!l5~!Vl8ni^Ka3MYxoS%O2bT9oW+GWsF^5BcT@^=T8yn)e?c>2OWpU@Fx_X=
zTAurLh^hvi@Z>L>dsr-03;a)VRhE~#>S`_!(2V=vUVrWH?UwU@^?K|3-|popIo#80
z(URm}UIqe!C}h(y&;?LHDcR&7hnXm;!Ycv>wW?+XSfQqRmPZgZQC}&ph(i<-AB)y~
zn0&Ax9;oH;ECUhJ0P*z7Ka^=Kbi?R#iLL;RF~5cYVWDlX6azllMu+D|22>trASq3g
zQ1t9oZ-1{q+so4?VTj<CNQ4IxIKrI8G(fMruheFR(LktLh}6V<tQZ*(8Widk49O7@
zW^0ASh{a)`*d6M%m?JsDRQ-=4GA8s~@t%+FAS7A=#4ch!gg)wJzZ4*2X8%}$gf$Ia
z6)CnHP^-0=tRVARQ(Y^7SIr>*C^EEFSz8o4Wq*yJS~QU##zF$WH$YL&URe>UsHuuP
zjLVLs3!C+oLzd>7r;YK#`YTwAOU^2Si1XLgpZDvz!;SaNQ|rLwjw4zT0uF$CS{D#T
z>k_t?ij{(JE|ad)+R4#unb<EI4&F8S9$WS1LJrACo^g7{{*PZ_-zy#hnSU2J>;BiB
z?SH+}{%^0hyFUMMFHdQ?QRCh9waJ;=`W>2u`<#VP*!$_yIF=*E$?tk0&D|T`xFOVE
zS_h#Aw-PwTp%-yBA&N9`k27t2FLQr5k3%!(JcJ{nBh;dge(iLA+bC(9UprBH>9+Na
z+CmfHSGvFuWM>m~LL&5kZ`5{2{lj#Y`hQoH{1iY45;TDYYW71+#;vP2XG2_d6>oBP
z)oe@n%1~?B;FfKI2~fE}7uwdOow-o6d_k1my3z(MMKD{qX7X-@&wkKY<0>msI(^oN
zIqLHn;{l=hneVDgFZy+~Qz=Ng(axTNG?XXVZyTQHZB(_>UkMEe9o~hKvPYy-{eN_2
zt6EM)iTLUt;7hBeOnWX0`!h|pYI_&=aDHX)*2bBpRIH6DSM~fdN;?sfhR)xp8NoYU
zU$B(eAALoOOTBhqxsuYjkG8s%&;eUq9kx_XX0*ohtRyR0KPt6v35jLAN+!NF#hFgL
zwbrarMUPcwCKiIcf34{@BA2rsoquMq@r}8r*-CA!<;?7r+jd#M%~oWYYN^+&%ko#F
zW!KuYqD}L2a;;G76;*4UdcP`_gCM_ueMacKYIO;}#!@vbu1D@`5qe;Kb>Hf0h4TIc
z^i-)g9!5v0VW}Omv~!Y^RQIf?8tk!5rhlvHl@-YHe4X>HEWitiOdIL`{C_zKO+Iui
z<Xe2^kN?e|1a1cYb8maMod0d-)$3R5_}_gzGva^uy7K6p3y*Hid7zah-x-f;jmc-%
zx|h|(Ar|wkEB7zN5ex2pd&hzr@qIAqRlTql-Mlcgky|xftw*KG)&k?i{ks%aZ7<aC
za=8I<w(ySrwq(~NBEMJ<t$zhMCns&?_@S+v^)u^fYyU5E2yB-9|GM|8eE#coZ+~t7
z-^XL^e@uh=Ghp`u4y+Nfuft2ehWf44LB5W$-fxU`^%brZv9mA}twTX~x<_(pwMS)5
z)}H`dscqSy-5)Lr;$q4iVoA@i+~ErJfRVs^7x_}Ju4h1#u-#kWWPgVJZ~F<Gep>J(
z&<y*3yZ3shWdHAP@2>s-_wtnUKa}E$nXzBWGUl9W%{d^NLzVMqe^?}q!#o#uw7aaM
za9q3TGeh1ZLGd22CN5@iEP>)S9Gh}8tIm^iB&d1tTs7-w_0KZ;zilLVrvBfrod0~?
z>#g<weLN4Q|1%f%T0`@%HUIi~pl5#lKYt`(hW_vE?Uwcbey{g>t^e=inaBTse~Uxi
ge*AuxinX3wKkH}xd<)P24FCZD|AIU=bpYxC01#+S!~g&Q

delta 13208
zcmV;JGiS`JYT;>+O@EXu%e_3|*w9F7w@$ldg(UZ!Ij#P@P*sw|s0h>mC`xR%Bj!PN
zUv8e{3tZ}sDi$xgSZ00SPFpNgA^{{4iOe4o`1hE@fP~=rf_MQZ6X071Bg|!YipSx1
zt9W|7UT<%ASO2%y>y`i8+u7OsZhLp{&CcuH*W10F?|R#>cYj{(e201~seQ&13yJx6
zy`}3aH|{HWa72CqE(oK2G}+$3QI!4}VhKWS1R#7)BB_7dSK@+xAR(XwMkOW`I69Y%
z;~}79DuEBM59r0g`SHv2_tP*Q61qY082ZR1a2u19g<iMU?QJ}CuY5a?bN)|o7=u`u
z0%)H9+q<t`?SGc%|L&XD>-m2l4;kYj^fwT?!UE19Vtq9Bd3Q{F&IB9CuFu9BD4Vsa
zC_)?}CWvHw+DBX0--|6@kgb9!>0%NOQ#GRgj^Z#pWg+pWeRMoHVe*uN0IFX4f}C<T
zAxaGZchtg!*t(9dfK!klR28aHFUmg3s+_#;Zg+bvs((BKL4Kd7I&MD5RkhvS-kDuj
zNG3o*h*Qq4Tz%-MF8L%<pX4gs>2B}Nu8^_-4)tt4gCP-;<2hQXKDN5R<H_em7G}12
z<JmKG1_R(geL#{SMgcL7#*70J;B$~d{d@%|77(DD5l~Hy&>_-NDHI6~gFYHb8HxT@
zj@2$<TYmxb#g@e4T5S1@4#+U(;6*I({A6X?QuI7c%!@dgU<pZkrdu2O_tQ8G&kZ+y
z^y_aM&ya`ALN%V+o}2yzQ&Z#wk6}X<@z6mmBpag;UqPtbfr9`MDj6Ds!~vFg!`DUL
z>k@tR`O5}E&(QVv!oyKivkq<u;1lA*zVEY`N`EzCJ_jtJk0g%)Jwty}-K74#iELSf
zO<{p<NEoXAG@k@$z&M(+xQos~Di#Mg6oAM;{fKTb)j!4p)ZZMj8`@R%F)BF=L*RWi
zL%bZH=^IaA^bD!qKx}}{EgzO?JE#d0jO+2WB3Y)XC2b*Ug5pSwm^>))oBX~cyBqup
z`+w#BSB)qdF&i7X{z_lh^_wCWvN$-<;+n~nCFtpwMx_PyrA35&=p!{5JTVm#w1N&p
zc5^h2<n$o>Cgqw#6cQhcKH5=TCpnfdoL)>L=%X{H=iJ9Az*3bRF(FSt-Y|ZhN}U`L
zfdojYCa2HhFi?FK5P`2k2$V==jYI(hfqy8ID1ZoPfEYzTpC2cmZy+^8IPt|P<Fb!-
z{&R18*R3H(fI~UTiYeZCOh3?{v5;!KwLm97T0uAsF@@|EmJ<7;Gx%prI0V`6AsfDj
z350$0TK$!uq?l4Bv9foQUm_M1rg6lA{YoJYg2mhiVVHL<XsVTCB1Q5SLVgtY(SLUO
z=NQIXF~9EhekS%;4*!fnR6pvCE1&HoUzL}(`>gofPCz+#<vUAO?hv8Yb#E_OcgaAy
zr#34c;M=L*=_uJ93<xE1YGqQX*K-KLmyFw=BnyFC!PR6vbPdx!>S$HWSqR<YGCS6j
ztz%hWk@{Lu>m1z@Aw}{61_SVAAAfaD*ttJ~AP%9^ioVqxk(#%6UW>OxH5+;Xo2fs?
z`1T{k6HG#-9L<<NjMmq0k7-CK{KCR`3_rni-}ga?zY#e)4uDE6Dv3_4=;hb#^zy5c
zKHW&xU{xHbUL&$v(j7;gwrFFaitID{m9b2}PYwS@>$p($L16`N!-2!bSbu~IhY6!U
z%8ZD*ii+#`EQu_wZ>|-ty2jP4a+P(iwWfQugr?gV0G2U_OrYL@G%|fIu`=DQ$eWku
z&Cklbd&gNErLPA<|DBA-8Q|b=oJjaUeNc1ahjZ0~8ym(P&kQ=H*t@<UT|Hy%p4iy;
z9|iFJAy8>GaGd;o9uEfOwttU0AI{Ic5rpGTvX6ep&JTZjpH7%g2R%cn!a&CPqJDls
znVMJP<t92j`s>Gco9OuDhYy?RZ~JE_$0zSL(b3u2hcjiesr}I@XSY+!g!&=-dm|(?
zzAa2f+aG~AaTu&h&!J~1z%XW1fYhC!N>h>a+#w8b97-qS_T45r2!CU>bo@ZLDE+1S
z`bT4DZlV)L!LDT?$UfSdV7?WSt1bJBYn=<!#*Fn*09OQ4CmZI~CK^D%I9BRS$-^n|
zF%iN@bnnfZH)*dV`(!2UM%g93bO+X9D^q1vwn?oo;O?rNX$~b{>@HQ2!<ccd=?*){
zVJYn=KW!x3s6E4B%zp_TS~Gyq;qj2N^yi~n@MG;7w=Cvsx&S`THO50@Ed9~ZZN$M!
zVEPVaCX7@X2o;{JO(#qq)6!cj@TFfBy$Rtm#-W!?q>URw19l@^svs7iX5=Yn%0Nh+
z`=W)e@NNio>5FtmKR@VSPB6a=$<?L(@wsbOKl+LIdLd!mU4LdG&aU!RQ<beJ;({BI
z-P(zm+2bWsoQXxv{Pi@p)0pw=kl`RT;q|700F}pwb}BtXzcL-O!{Kk}c!1;x(Ek1*
z!jZNd)f?;U;vN=)3@HR?j42*MfQY4wh;if)s=pU_3`hdSR3a?&Prg~yb%k;S6shTN
ziX0!J8zM)#*nfPr+A59@m0(#~#*op{e854M#NiJl1heP)8As`MibLRO-`qpTR=$SE
z8UK?oj&#^&>*T}5(Ro+i%4O=975{&=w_S?=?Y()myN>_e$8(|dLN2I(evHftrRM(7
zdVB+jLN<i}NoHaNcG`D0HZB<QN8n%A5Q$hIkdRo$Vt*4wAz%TB$F#qZEdMe@o<|e^
z#@o-IQTGgVxo+z9KwrKnRtz!E6IL(3?cgXXtu2aDg$VlcrGq^0Myc(!QYbz%=KrS=
zgb{GjmC@o*fEn|DXLom}H2>f1?Yvpf|ND48f8P2JG$G@@Ub&SZD8uFLSapj(f<F3>
ztuJ3THdJ)6quU76KriUj2Gg_+pwVKw+~?083SdAepiU}TT~)Y)yzISp9dr%KOi$46
zF9va<N`9CC=Oh61hcf%AkM>^af0D8BsGyFQ5d#|Ne`^Le4s??b37!JjPm`|+e}CP3
z_3BM={omPswYRrk|L@}|O}2ELt$R?<0MGL_@;G4}5xA8=wezEU{k>6P+Z)$}27QZ+
zI<s!JL(t9`!stc<jOv%1cP1W}p>>8pwR*gYNf-bx=*LN~`@IdV;fQ!Ria47<P*kUV
z)JYIyLn24<Ro7?Zatu$kfKwdiLw|`HFSfO}_qvk+e+Z)&WDG*$anwgN4#PAiG|@q(
z<m+752?Kk!9kU@K&_JT0iA2>EGh}UVn4Yu&F8hIXR|@%)<K=sjKrF+U<FLY=i4u+&
zH?iczM>nxA2pz^D=H<^e5E4F%ppVkMSg?T-gGy8J5Do%j98IUnGy;C0Xn$mWzyf~!
zm<GgGnnekn_9@w_)OM2t4yJibpk#=H>L)<hvevc!v403gPq7^JQP*rQyZY-3_E98m
zH#1CU<)5XFkzO$t0;WzL2M8kyHyLjfAP_~M*rvfm*(FZojpEdUr`xAz0XqHV01Y@B
zqni=&M;1?&kiWqKy<j}S?|;2a>TtC+0>5i$cGbR&2np0iLJvYr#wW)0p0)p67e4*v
zpwN6Fxxr$&Tc5IqLo+C#-Lnmi*8kR}61wUs3h4o(id)34{sF#J*0BkN6FMw>p3RZw
z4w$&8*K|OsRLjmdOIS2*9TQ5%@fZp6yKb{#AayYtc^ypyu8c4>+<!Sy$PIXt3~OmW
zC%>14xcvJp&M!(sQyPg73z4|_vn^4vP+jj&s-&u&o`2ht<&%1Li-IFrI*rOD(+;;q
zl|rI+?h>_kWnFY?+)z}R)N+KS(r09lx~B)aq!L5y%NU2@G$m>WS{Rp?Dssi-sKkQa
zbGrGL3;`7}&jJJbdw<LUMU0q<fF%O#j}Vh1;9c}r%gfIn&o7kvF}y;c_Mwa$052Yv
z)D980{q>S|#bO#bxvU?{xu#CKY#L;@8Y<mJk5EsNF%;FG#MeL*F^p*dJe=kgiCrv_
zK|a+tE5B$L8gWp4VOo%4WV}4N#8&B6tbhX5{b3C;Ya$pFjDPS)Fvk5X=tcKWkAHb}
zUicXmyRRfuL?EogCePDptG8G{l$cmsMM+PwlXJnOw7Z#7@Y&j7mDna?JQaM&R1pqd
ztwu&D;w%C#Nik%VGZPDetU}wKtLEFit=SJ6^=j=32yBlTWuOfMtA_PZl%r|`glQu0
z8r`inoMNO=%6~qi6X0sC@!61)-&5LJC8$bs$5XOL+c6Y}CMdV5r}P+45eKbRVw$68
z4@;q+m6<~5fMw?uhD0XjvCqcim=ZZPNJMfKOUA`k022te1Q~jm`y(R3mobMeW!q}j
zsWy?j<KS5uw|-vWwK5IOqYcQ05l}Xy5i0YkX+?EOK7Ttpzeq#odN9hpUs}sWHUz4}
z2ps@7gQ(3Pz0A`<3#kntl1!(hvKn8FiA*J3XtjNy_YB%L)WEi&i;gKez+(sxuz))s
z0M*mNQytrG2ok%$ZV1%-g7^m@v=!lxFvq?GuI8RE%!Ey+Z@Org`s`|IHH5Px94BXd
zMtz8+*nhIRb;~G%bU!4Xx%Lp*lVIw*#olo11>GT9h^hhZLbq5+Q=OyMIiXe$ZT@G=
zMfsEqXX9>#C_)!n=m>;b(8+ilON|f11DR?}M!Q)%Dm3bwqTkk;->$-?R@Q!-Yk0}H
zb`nMC)J3V*!nOu$wiBtLn(J<>NV5*_nx0iV8h@oggoww+^t}QL6sRGp;R9)?FF_EL
z7P>@_=SI(PP($<zbl{@An@rE3BpVl{!5!N;m*Aj!;c*wQQ2@zPyG>~!D7D|#2nw!g
zPhl}{zbnJEx~FqBF0&7+16Mahc57Kf*NmGUHb%p#9Xnhy1(d-3l&Q8{<uzoN98B}l
z^nX<4C8O|R;KJ|l^z_lMo!Xh-`EACRwW3h@vSx!eL-Rg&Y!S7jk?Ka@QPk0yv-X!R
zGP*`(Ib6BaNC*RoC<)ahCf1c?_HbqaHIc>QE;p0HShy$rJ{pn<&;-?>s~_PBpm7{Z
z5``IM!*H<z_v*lC_EiKthl%JK7fVU+rGE;`%xl-Qz{PquOC*e+BU>KT7S$+bb2Qe)
zWGvB5(tB74<`cc77EmBYcjo)I-RS4&SsWOadCCc+dQ?=O=##;6q>OpmR>ZWL&^sY)
z2QgQJw%Q9s^{8F}P&CH;x?)2awv%>lnoVOiMw;URCZVQ01Pa>Gqm-mF6uU^D#D8(n
zv^KUy)9GV5_IR#L6;{cNLQSeDRSPBHp)sBu#%V=kneB3ed1?ye?0RFZ$DFIRLK&BQ
zoH|UfV}EF#14fm7pmqbXu%4D_y3f1<d7}oStpmlm_YkUIMXb*?4dM{JxSFcn3<<C`
zd$63(O;f7H>{SYGnV0Aa21>AEVSlQqI9%+fwFYFf`(>7<ZvMK3!ge+^>(ac3jR?1i
z=5(zc4;(Zztwtc&L`0^lTV%T1UB?LPDdQljCvi6F;nZ}gaa}YTI8%^abn@Zi$fdR~
z7{U`q0u(VJh}td)@MCVUup$PriToy!c5*tOkh{g&L3q`Ij^-BjIaF3Lo_{t&!1F~D
zX_hnmi7vI9^Pbf>7|V`DbWBk&rFcwyB+5SJYFm(x1#ITDc)F?$NT^T7r*)>xRL%_M
zpA<3ONvimy8rMnvGcxAXZhG}n*D0=19S6<f+35lDaTs>d4|<_=diEMxu`HjeoaXgC
z5i;RaG_soP77QQ(i8zWFSATOtYEz-AQjD|7s1*m{RL`U%r+v_@8ib7LHMOZQijP_G
zjE~nXaSg%`oHIT{>UEh!+(RssCJ?|U5ZG6NKC6(EB-@rvM}x@#VLB~r$I`qFBM2k4
zQc8y6NExRgOd!k&rg%ZR&~=f`1NpP^FBPc(d=h|~o!TWWM=;HKVSgo|F`$a`R?8A5
zS`v*tlpBp=W{xW?Kqr&X+F%;#(bFB{+<GW^G0qC-+%qD64G<||<yseL#iFda8luei
zV=j_mC{F6so%Atc>B3~^lo`FcZE0$-hkzGwLybX*^gwm_DVhzoXu<CrfW#zBBd}EG
zL;;@2T+KGRP7;;arGN9%uCfV-^}9OtglsreQ&}xmB=tH`J7$<rB!CJc$prG&r(+31
zvpq7>xdc@@Og1k+W>{~q$akCDsW4l2%;dVk^^hSSW@wnKV9o?<0mN{1p#z%XT0HBQ
z%7&@XX7S7|L7Lr9l6{H=xK@?6YiILH*<fHaSpYR`8m63@tAEAPIdh?Otq5|{7<4zJ
z#%2*FO;qQC$Ix-CvreLD4A??JR09bGQ4U!&t*TWtPQEKr)I(LU8z)Oi>Qgf1{p<`t
zhg<H=f|QDVGEjMdN8?Oz*^|qdky^x@HV>eVYT2i&sRYs9hRn?a2ie7J$aEe!D9&VZ
z<}7d<Ky?PB&VQk1q{76^YX{OL@_H1kyyRjk8lZ9VL4!2J80&%2ekU_C%J`iUt3=O|
zoJpI`)ZF(*kEULzWQMvF)2!{bZa~w#jIflzX&?Qc7ngte!+ZH(FJAoG^ZxU<zr48Y
z>VN#l%l~@$NAkyCUcP+s;@6*kes^(t^c#8k$FDRVUw@mw{&?{#9R1dk$jg`i^`{Ce
zw_XmqsdjvfduHCJ2g7rt<60)G{xVN@(MIi8#_rD1xBJBWFY#3+6^eDMnX|}iXrvn@
z_)S70zj-L+8UlGw5XhB6A6Ex?TqV@;DM1{+T4>`HNNn(p&y1HTZ)QMJAU%DV92PZs
zb5lqe5q~I9n#Iqw`!lqEdYs38nc+?daqxjm)UtPjIn{ABo1Q}B&J^j0QDK+EjCgM8
zwhS|S(o__pn+es_1XU)#MyUxj#(D}QZOijntd21HH$$h7IyFZ=wh}T`tY^mc|DzN1
z)>9~bY_`7-2RMB~Fw@llOV?1+dMN3Nz@uxpXnz~H=sf^L9~UI_sR2Njg?cUt>Rb}O
zxinDo>xE>l0DQST%yMZ!<sCvN9|W(sEIM%&Sj6R#hfCuOmqit>5JPweh{0v?fy<)-
zza{M7iqU>|h3|X9h`#0Vdn-WetpuC5G!pM?6}QKPsaq9-Zbf*x<<W7=W8qeUd|MID
z?SF}*+E#*LTOP5tJU(p&XtY&e&mK3@Y#B`18a?)y(PJyXime10_Asl&Y!;SSB$h>V
zJ#qZjD$rUhlf@;GSj$V|(kQDHVXBrzP%Vp>TBD;@g^o(D^vc1baz8cWqcSf9_I-#X
z1SjSEcO4VWOj6qEKYd0GrpjE`YHEhymwzNBo%(T|uW)w0Lf<$L?>uW^hJL9_U8qaU
z$X{r=HFD+1V(6!}q<=wkYQy9Uo8Ryty~kp{<c2w1g-tbV1l@G`Vg9FCXp%#az{fhg
zm+VODyd}w&LykC$hecSe%L|&hodXC#CbumUDXeG4g+R~+9dH!=hA?Wb0xP!H^?%CI
z?#G*G%l20q$cZq=V>K{#b-)hKN8YuneIUx}6{d@GIEhLKXFsXOpK;ioWQohI*Is*+
zr7#XbLaT26Bo5~w40+O+1EP#(H!uW`0C`bb<JJkj9CmVX7B-AUv7p+8x70E&S7TA<
zETn5nWa~8#Iyd%ZIs#f)J7=Kw^M4&ZVjZn;pi?%`(n87J#_6_Bw5f3#2o#N`g7`SB
zJNV0Jz1vgsb`6p2rcAY}yi`RkE3+#vDeUBNgByUx<8lDWuwDAmbYv@mOs~wW6U6jd
znF=7>w#JswJvPEL2({X%q?~g|T^)#HogMG7!kw~(wKx!YgR9ONS?f9|LVs+srCSf>
zHB3D-j$<5|ZE;EPlI6HmU5=2x)gW2Yv((?{Vgv&6YKleppE0N<D2Jw4Y%AupxAcp=
zb-98wENxG%JQ|z#TeWr9$m_d7UK;^g27aw6tO|p@$X;ZXJCK#{J09n5V~z7p`t+`M
z6!)RS=h-!^YM*c?JA+m11%IA|_5Y~t{q+%suf(SR>aF<pv6gjo<>8|%Mu*=+cqQjX
zstvH1GP6P~mgV{wOZKlBp_P=UC4(zpU3!Gl8F`<LBekj)g54S06zO1m16%W*gjZcS
zw5nwGKHIgl)>s~?a>`pEjVRFeUf_9l<NE0R3by36NA3^KkCSyHk$)l!AJNcQhar~f
z?RgJ%>$WWEK50l7pzY`)3_NA~3PMJQVwvOy^#QBJd2Rz<FT2eXEV~t}c1=2ifxh3h
zp+$2v#vF%RwnfXeMDx(loRd<SuPY{Nd#Hr{GASxhhfyye;=1Ds+oVSwn&;;u@IsUW
z2kV&UI&AX@w|Fy7secy^sb`bP;7J>OLZ!}{eayt|0H{Z>H@UYe?U?Q2YOywDPopcR
zjUnZrxf17?i`Nyo%jWHd77jEA$rZWO9F*HT*?wR=fe-7HNoo^HjLvt^P5lj3&@PT8
z8)Iq7xDdt%=f@2sC2%B206xy+j*C`t$5v=2X;6P-lh3$`=YIr_Q|rbDryB0WBa2O)
zXu>648swXtJ<fMPAyzSuR3(dKeHw?VzZ2E@JW-wB6E#EDUH(th-Ur&a@o=<xennzW
zQQ6#D4w7k#2b^Osjl^a0hu(oa4dWr9%BXzt(jdbJ&Q#HQItKPMdj0q`^y|V2LXs0*
z1vkM9#<QL2OMeH$HPaX|UP=3>bjd$rA+ro=IOip-mD7^hclTLJlJ@_oUFt2)Efqf~
zCAHA!1CkP-NYKe&JX?Hf&MM4a^4zkdo+OV+*3a%<P18p<4mQeAZFiAfq;-eqi@Unp
zytkcQqY$!cXJ&lK%eXnyTX%yZTIof2%io<=l+2bFrhnBGHaf$sF+a0lmWnwq6;G7-
zSpB<rjOAv;a*zQ>KP6|Wwe_z?#O74{_rLz<2NHsr1^@on|0=EX?|=QzUqj|!|NCG6
z+d3h45e;IMqhap3FdXO3wiHL$MKK-ok}zP3a2SoS&0#T*T3;;V%dCtpb=hPcjjGKr
zi%!zqn14nCr^^7L!_B&?9W~gKsfmrQPXQ<KZ*80fWH11oQA2=EmuF0Jv$9|pNfG;_
z&HUlkE44yvB0lIu3DT>c3SN9%&cHDx8*(9?!JwqSobE7}p|F61temgsJOaNvE8S=Q
zF@iicYq;&j6!YXH^xPs}>`8Ffu8ahPgKwf5`F})*S75S8IM4CTXX<VmCUl~#cK*kD
zt4~XJU=z~h*d5_0g7(&lgYu&GN}aPUc?$Bke|lVox!Iv~?iOdR+`6UO3p%^*=f?w6
z8P9TA5->xN`tA^+LIMsN%p{6{O2Q!>U8B2<2P>D30BgLJ79#Zjo_{#mddF%=n(@Lq
z4S#?>atC9ea#QOMlhH_L4m?+Hx?@bq0EFz?I)IB`cYdog2bA!_EgnZ9Y$k!Y)C5cB
z5D}(3Qi@vPIW|<b2T;V4q~SNZxoUY-b|SVOypUW&A9b_?JY(~-lKwBQ3qREJ!ej~T
zs6rjXT<RXpFC-b0#(BWWa0u?ZACTQ9>3{rAFO^CsYDLbGpf*`gx<pr){&nZKT8@kT
zrPgt{MLTATPK4^Emv%;qDV6wE)#NK{qpoLlqBlL8C&~~|#tDR>m+bv-@Kp6eGH^DX
zE9SCMTGJGN9}YkC4QEQAhBV1>H6Tj&nS@`>rUf!?(IiIVk1!pk`348Ej5#cpqJN?4
zDNY`T$GEIG9?a+3vT?Lsp2Fw(NLyp$nsR@#3GfMlo2?thuL&J`N;Ey2DrrlvKU>fA
ze->_wUclNmsIc1IWvf&@Vr!vBC834(>)7-21g2E_wqzNlI<{sq5rM`yfGl;+9gDK+
zP@NXepL!Ov<6#=8f16aL{&b-pjDJb1>HG2c@O}h5CJW8g+AVKg62BUh7;+)SP+i(T
zuWFV%LOTz1C2+m*_l@5VdT@T6cjUX+t+@8rcZANBJ1upL)VRNkS=5R?60ljA((rxe
z20<Swxpl5>lnL;ePO_*d0`*y7l8R!A2$g%gUG#zK?>7^~*jO1({~frmF@OEbpT(a~
z{@Zq4asC;eX`xm@lsUfrpKp3zZ`<o_J1F*gef|H@$BTpd>~Nab8ugZkon_C1U3i+$
zfo8X<I;GmzmJh9Fg<s#i`J{5E;m3XNW@%A!EJ5qLH^0HVH`}IXYXm^MT4W*73ua_<
zI`rn2=t`QjnS$~F@;pD2D}R;drSiSiMogE=0OxX-FP{_6X(_hN64z`!+1!PF)SJt&
znibD)ish5~Abw6~xO#FXx@56#te@i}wYZzOs2V2|L9=5niTlP^stmRv2O;JNdaW-E
zU7v`V`$WtNPr`idCt%hmU+(qf%lgF2V?Ob+&dhR0nOUsJER~zZ(0^E2c9uC$C4EI_
zk=7Ye%(G4#@pYdm`kGG>J&?({PM_2AWY5y)cvf&~XC-HJ<~WhlXvaO_12{_`w^{yh
z%_Bcbv$}&bPxqM2QU_v|Ir{Q-9&%aoILl+cxpvWW468o1u=E*)r*b0U9?l;uf7)P`
zXA71+NwBJO1M5=)<$qHGOPvQ;3G#nAjQ_G|{-tsID?#WlgT-G4b-xV0evPD`yK!qI
z{TfNX#>}rV^J~of<GcTRwu|hWy#u@$R9ptNzBERCSw#9*ia&pHX!G^$+fNfgey4YD
z&xsCS-@pBs?%!SshI?7W_Db;C>wC1n+IzIWQiSx<c<5!(&wq~t>-<Qs|Ni{hLqG%M
zefhHS-TG;M@b58)0SUqL1@VkV+LADiG>B_U{g^9~Udz#);&Irvj$W_V+uPmM|Lyg9
zrT^}{+TD5m-S+O@o1NFYueW<U-}QE0ZSVBHL%q9gx_M$DG5@Z&bY11feI<{XYKIVo
zY&r%iOIN!@Vt;G0UAU{oKwUq7M%`ZwW-lic+PVJa%SPTCsf(UL2v|Tj^E>KNA-;mp
z&UqX~v&kZ)CO4se7zcnlsbqEyr4H(%KM*A}Q2Wna^^Gd8mu?4L^N}f~zm)9ncpRcX
zP?>^KCo_oU?yxbu7B01ESwRAY;}C_!$D*!BlJ}-20e>O*GTH8qvGhmpb3I$zX~}o*
z9i6wAba=~=5t3sGLko#BONRTKq~ygkvfn1^#`2#NHuZ#srpzS)-)D_zEnsOCgS6xg
z<JTd>!LcGr<g{zhm&b<%@`{tRXqVWsTd{yX>PWQ#D9~>qQV|Q@=S9>?PdAgF@8=NE
zhz0v)8GqG`m*jMIEvN+A95EqJK&rOa^>D68R<p7rh!6X|-hrQ#6-)7Tj#@^6vH;Et
z(yz^jg6o=zJ_-qqZyS3jPpNfx*T_qLqQ>+C{TT}hJXc;-=5ZE6@usS+u`ZZeJ~>fo
zU)h2A`!vK9T2z@tAR<-1vF3;q#)+I}C>Lw&dVjvT-^ueik-7VV1o*N3fKdszG8-QO
zzS>oua;9c(-at2c<1D6<jN#B6K4=^^$wJ^|iO&7lQlc9b`#|4WHqFf#`^y~Dr7~<}
zjE8U<hv7N+9Au9B@|!{}bzc`NuV@+bLl)!C+xlifSB72&+~XUT-4Pb2O2OWu&Q_;b
zeSg;%<TU$2tw~G}$@nxsHEetOsFR!7=KCuw;0z*$zI>^?YogtsRa)X9`tqe?#vl~X
zlAqPpS=0^)VLlY)uvN#Kyxr+ke$-|-4g$5ad;6ys`-g{TN9X4+9R)+c0dP<2EW+sQ
z64|x8Z|iI_2N5+BSuEdf@AP`Y@g8m^$A6wdjd{u1{kFK?rG=I5@o+@Ee@5c%>t0id
ztC$P<cDv^)Gyp7P4&G4hQQrQ@DC4KUoPi%=GB#nr3IjkV<q@!Fx=at3VP|Tn`$+A7
z)c<t_^RLS?q~@PJ2Y_aYN0gQ=O2))yl#Z#aNXS_IY7VF=9!eY<?iF7ky@2GMAb<I*
zAU}I$-BB<jZNU<|ITLDor^s-vQdf_UBYZ_d;ygLQSycYbL;LUFJ5^CW6IP=tN+YIe
zx1VR9u1Y7(QAxk`XLD<*yXT^v-fF9%?ngnDwCHN*dDHZ4n1Jf3pS_Ds&)lFr{Pg4?
z$nUMKgfmlm<radIu5+bMN-l00EPq+oYG;<ya=4G__S`c!b9-iDc!b6RJRMAZt6jg(
zD<9<S2T^@nT*=SCXA|HCdVF*nVSTCa515282fd^}f7m5G8QVpc^Ly48meq&V6(N}b
z1tHYd;tJZRi{y(_^}%X2Mg!^UL@pLyP;acN#x~lcxO1qJa#K=|MmjTJiGO5Z;GeU6
zH);+Rc`+16Qbt~KLiugTd>pFJ`fhJfv8f}#p&XquF4K*3rHgGXx}+B|F5fOlx!je8
z@Z{~zT&kd0&12UF1#TZ!A*BA=Ho72l?ygi1)R3*t$gJRk^MBcz+F1?Wq;4{>;d_`s
z=-$|;v-M9e4$hB19i1GWet$SVxp27}#vnQIMXFtTUH$)RX16VEr(Mk+-)D3{hBb_5
z1>6Kom{Lhpo`5|aYn}Nn*GkA@jk6w*p(nKG%qtVgaiNPJ=+ef`b}~2R%(`kxzQGY=
zvc!0?0Pf)-Q0Zv9Df3YP-&ZBvgfa@AhzA35>mU>-B+hjSHz6E`?0?3CaU`dO9;j)s
zE`Fp+A7o80QPx11vWTaCOC?fu5r(4FIh`f8Na<a~nPff-`{?4}G*L?w7F!8hvD&mq
zx%f6EexJ#AMPC#uD)#EY7}Xae4r0W@ppRY`-m3-u9muj)kIa&kaI}=&U;;;dlv)er
zx)$uhItwD9m}lN$4}TC!B*Eb!gm`*xV9R~<st7@{rc?TQyZAZ+PFUdnxPI62|9?C?
z`gCx1ba-@falHTj(+|h*k6e40A2@SlQ!rESXB_<mQ|B>RN9bNJI|m$etP+PmkPr?M
zGS%Kw&oxZ@S_mBPSY(c-=8{U4+n8Ty+}pF5lH2~)R=xdNoqwQKW$A+}r<~nRQKwU#
znTCNMFD_2cKb@X^`2YUyuD_}Zb975YYXqo~!!``g&)+=k73J;Shfn8+KYe=t;oYbA
zN534sZ(FMtop<c~@Td2gl`)qMo!LD1>KreB%o&qgUHrSxqN$ULc{PIyNI!RCYO97&
z%)#@^cS}`usDF-DcLO3MXQ(rPfN@+aFhZ1bp_cg)BHZ$!n#z|04nELu+Av>*2)*dK
z+`HupqHD6{V^8u}$SoZY@~bzxH`L}7)CKlAsYE@*9>)l)BeLq0LTxl15^giU7Qb*x
z+>9?AqNSG9>M8YTw!oSw{Gm=Z!1(k7H)!gO{CLeNv43u9oylQUbn7K^Cb1b}nv=qZ
z2Ibx3GZ+5T>i&7KpWn^IfA+R}uiljKpF2A{uh#g_`*=LhD?mOgSu{5cLiFJL*e2+0
z1cMg$;3bIXyx7eWHcgT61u<+iyIT@33d$V^m?xN;e4n7)u$0&zou!vc*KBYLrA!MV
z797(7`+q>S8Ivx4X0>=v2H;QqP+uvXCiy;9V<FNjU_EpcjbIF11FHt&9cOXmu&Qh*
zrCTUr0ha6<=$XwCnN)-0fB^N?>JgFt*4Do2z5T-rRrcuCWRUolG~u`T%%%S|i13Ec
zfZYgBt+x?pJ_s>mMQGOl+q=7a+a>+~`pwSnT7UoF$75|dOoI&WYzDXs6kml<{XG`&
zqq4Qk*dL^zLZxf$aRLluM$ch^(*#K+fjC*=VFDM`6`UnV$S!}7AfdF<Qv@dc?|A{4
zua+u8hadH;#8e*R+m94aFbUO&7kW-j`EK!j(tQ<>zb;#a_s=|@&~CJrImR&G34^x$
z%zu9tp?2I?0QJw2x+9$be0Y5&4ULSh2)k{*YkLyFR$kB55(feDxbV99odc84b;Lli
zweP~6JJ?UkWmLC&s0EH+FYhG~|095{uj(8@^3rzIhbXtN$hi>AvQ}|Z@tE$5j{>;q
zvd+l`+W&a*<A<~3i@#r9p8x&);^^ljl7Ce=5R;>$M&+OZgs<Lzje+sZCXDVcMqaJ7
z>_VLFgRb*D+Z;EQSbM~7fQu1?VHa*40C&Ig(+S*o#}dX!|F2#YQ^y+ePO%)JgZ|~^
z1oO+wkX&6}DwP$2yu6Hb9%ylSS-ZWyyhPp)jQa&f?##j2bb3T<4#S+sVMvq_(35T|
z2LZE_b}BF`+dsWHJUjm7=<L(k(YsIQ9}a%{bh>}>ql<=-cqfU|_aEOKpJ)<?$7hq!
zDlC7!ymZ#^)5pIaeLDGYc=YLH|K~X(**g77O$a+ny{j!#JzH{DbfH#S-!;YRR)Xd*
zR3aEz49Y=!jktSihDDvqO(~ff(o)eD;Cp%xy)xjQqDF$Ze|k}zi**XT3g60Wz6V0&
z=^nWYEM7g~Cx^n*O>Kj}OGOM{h2RZACMSPAgv3(3b%YyC(RUzi!gy7#k!aq3>{$nL
z-FeX#z*FO(s)d|B5x7;-YmPFjgk9Z<&9g>qtq8Go7Y0?{K|k5PD~oGY*3|<ce4cPd
zv4!J*bD%(G<p0{)?(LNGf4$n>UdR9L<7pB9dqJ6O9Rz&2jsmWufa@sWItsXs0zQAC
zDBx;CaE~CS*c8kt9a_(t)bc#SLI1MuM1u8j2c%VSWPKKX!L#slM=#0;;vGe5&Yl~8
zUHxga`-oH=^tG?w>F{6GS@wB%YLDp5`8qiHaKXt(6I;}iuAJAku+cfoQ8!ZC_AD*j
zmM^fc2@x1>wi+X|jt>^-0VkC)3*djPn^b9~t2qU`*L({0RnIL1cdOwZQ&9Cuggj@b
zElFgkF>gu7*~#UpS+R?1={d}*<nw|o&mxj9yu<>x4)lI=sa4jo*>!C8iN<CPqlAWp
zrpf)TVd|Nyq|N=FNlJS+^T+yIQ_)W_-Pa%fjmS}wHQ!zF@)6!SQ^w5NusMJC?QJr!
zWWV2e+LhAFLRORfn{_IaM-*Fcwqe&n@+Tf7e>{m-o{rsb(_ZL#-blc`TeEi_+)llL
z@FEg{R~g(Knaj)Wr7Cop`;3HOz2>Dat5t~c)k1Zs?@FIMLvjQHwDJ-Nb4V|R(=n(3
z4H(z=HeyNizCvF|3)AP^Tnc|$BF1PqO|B%=;hGUnu9;ImU4g`CVlPp*Hw_+~A0y3P
z>wZ;KmgwB-=Z!r)e{H6l%inz^_!RT++6*)^<h&_yN^7BSEAVqxR+9deN&bqYejbTm
zrkjhj<`VsdI^11fgPWzPmR6v`>@Y#mIxVIms<7l<krwA>uF9RO*V2DI(cpY+;;xdV
zX~rVi#Ajv2Ece6{2E=`1&)oRGxwAjb#Q*j7w)aZ-zwN!fHU95jo>EB6ByzLJzf~al
zY-YHX;`pjGSAgO(M3=|#89HkOU(Gl@9DdKu&EofomV?Rnc}b{g%L?FvDWUtg8Z_ra
z3#f4TC+rX<@A4@i7QufUns1l9Bh>J8H+Vp+EA9#nn6dsCv4Azbu~Izf6Gs}h$$Y%V
z89vfGcgh7?T%j{p?CS3BwQ2T>nQ1&P5^xRHYv$~sz<PBT(pHKs2T@CewP8E*2=IB1
z!jA@<H!H0BdQNQKLYL?*g2k)Yf0;{c%eut2YF%QB-Q>4gG~9mzmv}7#UE5j+xK`H2
z^T5{D$g*z~S(eSiHLmPi!<AX^msUL9kh3_dN0$AP=|-J%{2l>ohQA2-m<XZvg;n`A
zx-%>B<dAQx$C=HzkZU#yZPCrj8mYFvbZd=HTcgw3Tnp9+pout{kPwCtIA+9h2QBXB
zLb9gqkaKguS%iOwdQ;Fxe<gvA(QB39WI=zU4avK^(X2=)fQj?t04BtT3K#3^&=$B3
zt-Q;dg+p^d#aiN4=HH?h*YFvjm4=zJIExE$P%}}M?x+;#v>02p{(@%4mb&k)VY<(#
zwLJIh5LFF2;mKb%_pn&17Wkj!sw^*e)zw@epc(hSz21M@eO12y?aiC@{crd3lpOBq
zwP;E5FE0ZDK@_s-80Z2hpp<O#kAqB<RN)l?gIZOy0<2I|J<B7Any9Z7SHvL-iH}9=
zK1@DX5D(OHc$R?(X@Gco<sZs47P?{dxkOih#+YA2fUwXuSc(CkY@>s-Ljx+0Gmw;~
zNho^uy0?E@pzY;plQ2YZOC-Vr2^?Y0Vj7?~-PdZf!e}5=EktT!K30qj2n`DL3Wnr}
z2(z_9V#MMwQ0xx%TFj9gVXFQ|5g8MDrg+ascMuY-0AlAcA3`7XvR?|2F|&WHK*E}a
zu8I^}4ye^yOjeM2t*NdRz^i7Ee-s(os;n)Fow9#MP%WCs4`U&L-y5JPXRoXXRn$~P
z9>!%y(uK|X${|bh&C|wsVf_`X#U*DILB#p%>d*W2+~LOi=BagHa>o&^2muGcJ*^7}
zqjd?}OT|h-IG0J+Y3<}_woL4o4F~U<e2=Yqb0LT1BhNTJWB<pmu<sQQfy}=PoOS=}
z&h~$9Y5%v|+gYFgxR<B2+^F&H`r72oZT$|+!hOa<DD3@oX&lQD<K%a}kml|UZ`=^-
zFRg>ngIful;?RpYn-E1BxW}0`zL&W_oX4S=a~{GG(GhCVN56JDzipJX&99v(y>#39
zMs1-9@GD(l2(q(@Iw2AIzc*^TqyAw!OZ|T<N`49;1PPkJ0yX;~CgaxCo3kOVx{5cs
zyK1&2d}XM$Y;emq!33yWpbKql(#~9{S-v33Ze3}EmLixfTr+vM!e>8dtZ|hUDV;uR
z#2oecjPZcb{LFXNr5F7=+Nl&I-Dqb|K^n@F?6(ci^ERs5>92$agbwdQN!cUPseXUD
zvQ;goqC|Z45AdbcQl>rUh5eZ(TeZE5dpN(ccWdKJQ!3WRl&gAv8Ks>FNkivv)QsSr
zt}j?h?2o>p#id@muUtuK+(%p8O6Y(st`1u&Co@{(c~+8@tRI!yw}iwpUL_OXn&M0+
z-dbzcsG`TJG7}3y-oMs#8<ERdk4}Fx*!ad=(`=<S)^cX{%5A%>-)1YaOtsYO)n)ms
z(Xwl8TG6KYIk{G-^@^&sPQ721%0ZCdzdj>$UbVV}Ut_5n7S|*9wFo`1zPfL9wL*D+
z0(z>{8xNzS)UebJS=u?tNveBRR1Nl6Cey#w^vVikdA`p1Ru<reM5c{&fBt`*geD(4
z7V<4V^T+?@PXads|GE8Yw;cc5dA+yBf8NV8BmQ@<E04~(@aWc@2U=<Jo$;vFn0$7v
zds$r^VzFLVR`s;i|H~W#n4$l7-}GLW@BiL=v$xj&_whLH|E`<?xEF9pjgWmEUXnG`
zW2Fv~wU7ONeeA2RaHSF3g_(b7?Fzh83(uw19+gE`e*$2o_FaQ^e>g9gizx$QPBF}P
zxB@+(C-~k)zSOJh8PFtb_qM^AVgK8H!ls`VM1s%q|McGMl<fb#?VZ<a`~N<k^7-GA
zKRGk@OIc=|Q?2<7aI>p={?osU9OIoQVSBq|?S<odO`jR^9tn!~z%+PqF^gjf6u05n
zl$%*~o}42=!Gq^2SU;<OmeK!hBLOq@|6b+%&)%EfTL0h2^I-Zvb0e=c|622}p9gy8
z*Z=cJ0%qv{-tMci{(t@E&6~CUzmI1g|Ns3h4t4wS`&la1dT#x!pY`)CJpVTU0RR8O
KseOw8<N*M7ln%}S

diff --git a/charts/latest/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml b/charts/latest/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml
index 4e1fbcde94..0b0f539a49 100644
--- a/charts/latest/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml
+++ b/charts/latest/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml
@@ -27,3 +27,56 @@ roleRef:
   name: csi-{{ .Values.rbac.name }}-node-secret-role
   apiGroup: rbac.authorization.k8s.io
 {{ end }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-{{ .Values.rbac.name }}-node-pod-role
+  labels:
+    {{- include "azurefile.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-{{ .Values.rbac.name }}-node-pod-binding
+  labels:
+    {{- include "azurefile.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.serviceAccount.node }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: csi-{{ .Values.rbac.name }}-node-pod-role
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: csi-{{ .Values.rbac.name }}-node-rc-role
+  labels:
+    {{- include "azurefile.labels" . | nindent 4 }}
+rules:
+  - apiGroups: ["node.k8s.io"]
+    resources: ["runtimeclasses"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: csi-{{ .Values.rbac.name }}-node-rc-binding
+  labels:
+    {{- include "azurefile.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.serviceAccount.node }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: csi-{{ .Values.rbac.name }}-node-rc-role
+  apiGroup: rbac.authorization.k8s.io
+---
diff --git a/deploy/csi-azurefile-controller.yaml b/deploy/csi-azurefile-controller.yaml
index eaf570e9d0..b4bcea5f67 100644
--- a/deploy/csi-azurefile-controller.yaml
+++ b/deploy/csi-azurefile-controller.yaml
@@ -161,6 +161,8 @@ spec:
             - name: CSI_ENDPOINT
               value: unix:///csi/csi.sock
           volumeMounts:
+            - mountPath: /run/kata-containers/shared/direct-volumes
+              name: kata-direct-volumes
             - mountPath: /csi
               name: socket-dir
             - mountPath: /root/.azcopy
@@ -186,3 +188,7 @@ spec:
           hostPath:
             path: /etc/kubernetes/
             type: DirectoryOrCreate
+        - name: kata-direct-volumes
+          hostPath:
+            path: /run/kata-containers/shared/direct-volumes/
+            type: DirectoryOrCreate
diff --git a/deploy/csi-azurefile-node.yaml b/deploy/csi-azurefile-node.yaml
index 90dc090bbf..4576f334b1 100644
--- a/deploy/csi-azurefile-node.yaml
+++ b/deploy/csi-azurefile-node.yaml
@@ -138,6 +138,8 @@ spec:
               name: azure-cred
             - mountPath: /dev
               name: device-dir
+            - mountPath: /run/kata-containers/shared/direct-volumes
+              name: kata-direct-volumes
           resources:
             limits:
               memory: 400Mi
@@ -165,4 +167,8 @@ spec:
             path: /dev
             type: Directory
           name: device-dir
+        - name: kata-direct-volumes
+          hostPath:
+            path: /run/kata-containers/shared/direct-volumes/
+            type: DirectoryOrCreate
 ---
diff --git a/deploy/example-cc/cc-deployment.yaml b/deploy/example-cc/cc-deployment.yaml
new file mode 100644
index 0000000000..8c246691b1
--- /dev/null
+++ b/deploy/example-cc/cc-deployment.yaml
@@ -0,0 +1,53 @@
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: pvc-azurefile
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi
+  storageClassName: azurefile-csi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: nginx
+  name: cc-deployment-azurefile
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+      name: cc-deployment-azurefile
+    spec:
+      runtimeClassName: kata-cc
+      nodeSelector:
+        "kubernetes.io/os": linux
+      containers:
+        - name: cc-deployment-azurefile
+          image: mcr.microsoft.com/oss/nginx/nginx:1.19.5
+          command:
+            - "/bin/bash"
+            - "-c"
+            - set -euo pipefail; while true; do echo $(date) >> /mnt/azurefile/kata-cc.txt; sleep 1; done
+          volumeMounts:
+            - name: cc-azurefile
+              mountPath: "/mnt/azurefile"
+              readOnly: false
+      volumes:
+        - name: cc-azurefile
+          persistentVolumeClaim:
+            claimName: pvc-azurefile
+  strategy:
+    rollingUpdate:
+      maxSurge: 0
+      maxUnavailable: 1
+    type: RollingUpdate
diff --git a/deploy/example-cc/cc-nginx-pod-azurefile.yaml b/deploy/example-cc/cc-nginx-pod-azurefile.yaml
new file mode 100644
index 0000000000..1a03193afe
--- /dev/null
+++ b/deploy/example-cc/cc-nginx-pod-azurefile.yaml
@@ -0,0 +1,24 @@
+---
+kind: Pod
+apiVersion: v1
+metadata:
+  name: cc-nginx-azurefile
+spec:
+  runtimeClassName: kata-cc
+  nodeSelector:
+    "kubernetes.io/os": linux
+  containers:
+    - image: mcr.microsoft.com/oss/nginx/nginx:1.19.5
+      name: nginx-azurefile
+      command:
+        - "/bin/bash"
+        - "-c"
+        - set -euo pipefail; while true; do echo $(date) >> /mnt/azurefile/kata-cc.txt; sleep 1; done
+      volumeMounts:
+        - name: persistent-storage
+          mountPath: "/mnt/azurefile"
+          readOnly: false
+  volumes:
+    - name: persistent-storage
+      persistentVolumeClaim:
+        claimName: pvc-azurefile
diff --git a/deploy/example-cc/cc-statefulset.yaml b/deploy/example-cc/cc-statefulset.yaml
new file mode 100644
index 0000000000..61d2c35b40
--- /dev/null
+++ b/deploy/example-cc/cc-statefulset.yaml
@@ -0,0 +1,44 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: cc-statefulset-azurefile
+  labels:
+    app: nginx
+spec:
+  podManagementPolicy: Parallel  # default is OrderedReady
+  serviceName: cc-statefulset-azurefile
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      runtimeClassName: kata-cc
+      nodeSelector:
+        "kubernetes.io/os": linux
+      containers:
+        - name: cc-statefulset-azurefile
+          image: mcr.microsoft.com/oss/nginx/nginx:1.19.5
+          command:
+            - "/bin/bash"
+            - "-c"
+            - set -euo pipefail; while true; do echo $(date) >> /mnt/azurefile/kata-cc.txt; sleep 1; done
+          volumeMounts:
+            - name: persistent-storage
+              mountPath: /mnt/azurefile
+              readOnly: false
+  updateStrategy:
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app: nginx
+  volumeClaimTemplates:
+    - metadata:
+        name: persistent-storage
+      spec:
+        storageClassName: azurefile-csi
+        accessModes: ["ReadWriteMany"]
+        resources:
+          requests:
+            storage: 100Gi
diff --git a/deploy/example-cc/shared-pvc-across-runtimes.yaml b/deploy/example-cc/shared-pvc-across-runtimes.yaml
new file mode 100644
index 0000000000..efee0e14f4
--- /dev/null
+++ b/deploy/example-cc/shared-pvc-across-runtimes.yaml
@@ -0,0 +1,72 @@
+---
+kind: Pod
+apiVersion: v1
+metadata:
+  name: nginx-azurefile
+spec:
+  nodeSelector:
+    "kubernetes.io/os": linux
+  containers:
+    - image: mcr.microsoft.com/oss/nginx/nginx:1.19.5
+      name: nginx-azurefile
+      command:
+        - "/bin/bash"
+        - "-c"
+        - set -euo pipefail; while true; do echo $(date) >> /mnt/azurefile/runc.txt; sleep 1; done
+      volumeMounts:
+        - name: persistent-storage
+          mountPath: "/mnt/azurefile"
+          readOnly: false
+  volumes:
+    - name: persistent-storage
+      persistentVolumeClaim:
+        claimName: pvc-azurefile
+---
+kind: Pod
+apiVersion: v1
+metadata:
+  name: kata-nginx-azurefile
+spec:
+  runtimeClassName: kata
+  nodeSelector:
+    "kubernetes.io/os": linux
+  containers:
+    - image: mcr.microsoft.com/oss/nginx/nginx:1.19.5
+      name: nginx-azurefile
+      command:
+        - "/bin/bash"
+        - "-c"
+        - set -euo pipefail; while true; do echo $(date) >> /mnt/azurefile/kata.txt; sleep 1; done
+      volumeMounts:
+        - name: persistent-storage
+          mountPath: "/mnt/azurefile"
+          readOnly: false
+  volumes:
+    - name: persistent-storage
+      persistentVolumeClaim:
+        claimName: pvc-azurefile
+---
+kind: Pod
+apiVersion: v1
+metadata:
+  name: kata-cc-nginx-azurefile
+spec:
+  runtimeClassName: kata-cc
+  nodeSelector:
+    "kubernetes.io/os": linux
+  containers:
+    - image: mcr.microsoft.com/oss/nginx/nginx:1.19.5
+      name: nginx-azurefile
+      command:
+        - "/bin/bash"
+        - "-c"
+        - set -euo pipefail; while true; do echo $(date) >> /mnt/azurefile/kata-cc.txt; sleep 1; done
+      volumeMounts:
+        - name: persistent-storage
+          mountPath: "/mnt/azurefile"
+          readOnly: false
+  volumes:
+    - name: persistent-storage
+      persistentVolumeClaim:
+        claimName: pvc-azurefile
+---
diff --git a/deploy/rbac-csi-azurefile-controller.yaml b/deploy/rbac-csi-azurefile-controller.yaml
index 59a0f8c2af..dbbc819f2f 100644
--- a/deploy/rbac-csi-azurefile-controller.yaml
+++ b/deploy/rbac-csi-azurefile-controller.yaml
@@ -192,3 +192,26 @@ roleRef:
   kind: ClusterRole
   name: csi-azurefile-controller-secret-role
   apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-azurefile-controller-pod-role
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-azurefile-controller-pod-binding
+subjects:
+  - kind: ServiceAccount
+    name: csi-azurefile-controller-sa
+    namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: csi-azurefile-controller-pod-role
+  apiGroup: rbac.authorization.k8s.io
+---
diff --git a/deploy/rbac-csi-azurefile-node.yaml b/deploy/rbac-csi-azurefile-node.yaml
index 3752f36aa4..432e91e7a5 100644
--- a/deploy/rbac-csi-azurefile-node.yaml
+++ b/deploy/rbac-csi-azurefile-node.yaml
@@ -28,3 +28,48 @@ roleRef:
   kind: ClusterRole
   name: csi-azurefile-node-secret-role
   apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-azurefile-node-pod-role
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-azurefile-node-pod-binding
+subjects:
+  - kind: ServiceAccount
+    name: csi-azurefile-node-sa
+    namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: csi-azurefile-node-pod-role
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: csi-azurefile-node-rc-role
+rules:
+  - apiGroups: ["node.k8s.io"]
+    resources: ["runtimeclasses"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: csi-azurefile-node-rc-binding
+subjects:
+  - kind: ServiceAccount
+    name: csi-azurefile-node-sa
+    namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: csi-azurefile-node-rc-role
+  apiGroup: rbac.authorization.k8s.io
+---
diff --git a/go.mod b/go.mod
index 20bc77ca13..6651456928 100644
--- a/go.mod
+++ b/go.mod
@@ -14,6 +14,7 @@ require (
 	github.com/Azure/go-autorest/autorest v0.11.29
 	github.com/Azure/go-autorest/autorest/to v0.4.0
 	github.com/container-storage-interface/spec v1.9.0
+	github.com/golang/mock v1.6.0
 	github.com/golang/protobuf v1.5.4
 	github.com/google/uuid v1.6.0
 	github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.0.1
@@ -65,7 +66,7 @@ require (
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
-	github.com/Microsoft/go-winio v0.6.0 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/NYTimes/gziphandler v1.1.1 // indirect
 	github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230512164433-5d1fd1a340c9 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
@@ -74,7 +75,7 @@ require (
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/coreos/go-semver v0.3.1 // indirect
-	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
+	github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/distribution/reference v0.5.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.12.1 // indirect
@@ -104,12 +105,13 @@ require (
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/kata-containers/kata-containers/src/runtime v0.0.0-20240702121346-ef3f6515cf8a
 	github.com/klauspost/compress v1.17.9 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-ieproxy v0.0.11 // indirect
 	github.com/moby/spdystream v0.4.0 // indirect
-	github.com/moby/sys/mountinfo v0.6.2 // indirect
+	github.com/moby/sys/mountinfo v0.7.1 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
diff --git a/go.sum b/go.sum
index e6464d869b..eec2226a62 100644
--- a/go.sum
+++ b/go.sum
@@ -672,8 +672,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c/go.mod h1:X0CRv0ky0k6m906ixxpzmDRLvX58TFUKS2eePweuyxk=
 github.com/Microsoft/go-winio v0.4.16/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0=
-github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg=
-github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE=
+github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
+github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
 github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
@@ -735,8 +735,8 @@ github.com/container-storage-interface/spec v1.9.0 h1:zKtX4STsq31Knz3gciCYCi1SXt
 github.com/container-storage-interface/spec v1.9.0/go.mod h1:ZfDu+3ZRyeVqxZM0Ds19MVLkN2d1XJ5MAfi1L3VjlT0=
 github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4=
 github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
-github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
-github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09 h1:OoRAFlvDGCUqDLampLQjk0yeeSGdF9zzst/3G9IkBbc=
+github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09/go.mod h1:m2r/smMKsKwgMSAoFKHaa68ImdCSNuKE1MxvQ64xuCQ=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -836,7 +836,7 @@ github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/goccy/go-json v0.9.11/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
-github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
@@ -862,6 +862,7 @@ github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt
 github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
 github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8=
+github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -1009,6 +1010,8 @@ github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/jung-kurt/gofpdf v1.0.0/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes=
 github.com/jung-kurt/gofpdf v1.0.3-0.20190309125859-24315acbbda5/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes=
+github.com/kata-containers/kata-containers/src/runtime v0.0.0-20240702121346-ef3f6515cf8a h1:R+RUmZNLAxUevzW/NQH8pQOkwYjsL0xK4iRTB/KokTc=
+github.com/kata-containers/kata-containers/src/runtime v0.0.0-20240702121346-ef3f6515cf8a/go.mod h1:E4YBwwlTgi4TmfBfGDbMRhVaD6iHRaMLM7v8g1reHT8=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
 github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
@@ -1060,8 +1063,8 @@ github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3/go.mod h1:RagcQ7I8Ie
 github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
 github.com/moby/spdystream v0.4.0 h1:Vy79D6mHeJJjiPdFEL2yku1kl0chZpJfZcPpb16BRl8=
 github.com/moby/spdystream v0.4.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI=
-github.com/moby/sys/mountinfo v0.6.2 h1:BzJjoreD5BMFNmD9Rus6gdd1pLuecOFPt8wC+Vygl78=
-github.com/moby/sys/mountinfo v0.6.2/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
+github.com/moby/sys/mountinfo v0.7.1 h1:/tTvQaSJRr2FshkhXiIpux6fQ2Zvc4j7tAhMTStAG2g=
+github.com/moby/sys/mountinfo v0.7.1/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -1167,8 +1170,8 @@ github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQD
 github.com/ruudk/golang-pdf417 v0.0.0-20181029194003-1af4ab5afa58/go.mod h1:6lfFZQK844Gfx8o5WFuvpxWRwnSoipWe/p622j1v06w=
 github.com/ruudk/golang-pdf417 v0.0.0-20201230142125-a7e3863a1245/go.mod h1:pQAZKsJ8yyVxGRWYNEm9oFB8ieLgKFnamEyDmSA0BRk=
 github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
-github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
-github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js=
 github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
diff --git a/pkg/azurefile/azure.go b/pkg/azurefile/azure.go
index 953bd11104..f48b877264 100644
--- a/pkg/azurefile/azure.go
+++ b/pkg/azurefile/azure.go
@@ -27,6 +27,7 @@ import (
 	"strings"
 
 	"github.com/Azure/azure-sdk-for-go/services/network/mgmt/2022-07-01/network"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
@@ -49,6 +50,21 @@ var (
 	storageService = "Microsoft.Storage"
 )
 
+func getRuntimeClassForPod(ctx context.Context, kubeClient clientset.Interface, podName string, podNameSpace string) (string, error) {
+	if kubeClient == nil {
+		return "", fmt.Errorf("kubeClient is nil")
+	}
+	// Get runtime class for pod
+	pod, err := kubeClient.CoreV1().Pods(podNameSpace).Get(ctx, podName, metav1.GetOptions{})
+	if err != nil {
+		return "", err
+	}
+	if pod.Spec.RuntimeClassName != nil {
+		return *pod.Spec.RuntimeClassName, nil
+	}
+	return "", nil
+}
+
 // getCloudProvider get Azure Cloud Provider
 func getCloudProvider(ctx context.Context, kubeconfig, nodeID, secretName, secretNamespace, userAgent string, allowEmptyCloudConfig, enableWindowsHostProcess bool, kubeAPIQPS float64, kubeAPIBurst int) (*azure.Cloud, error) {
 	var (
diff --git a/pkg/azurefile/azure_test.go b/pkg/azurefile/azure_test.go
index 7127d6af55..cfa218dcaa 100644
--- a/pkg/azurefile/azure_test.go
+++ b/pkg/azurefile/azure_test.go
@@ -33,6 +33,9 @@ import (
 	"sigs.k8s.io/azurefile-csi-driver/test/utils/testutil"
 	"sigs.k8s.io/cloud-provider-azure/pkg/azureclients/subnetclient/mocksubnetclient"
 
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	fake "k8s.io/client-go/kubernetes/fake"
 	azureprovider "sigs.k8s.io/cloud-provider-azure/pkg/provider"
 )
 
@@ -42,6 +45,72 @@ func skipIfTestingOnWindows(t *testing.T) {
 	}
 }
 
+func TestGetRuntimeClassForPod(t *testing.T) {
+	ctx := context.TODO()
+
+	// Test the case where kubeClient is nil
+	_, err := getRuntimeClassForPod(ctx, nil, "test-pod", "default")
+	if err == nil || err.Error() != "kubeClient is nil" {
+		t.Fatalf("expected error 'kubeClient is nil', got %v", err)
+	}
+
+	// Create a fake clientset
+	clientset := fake.NewSimpleClientset()
+
+	// Test the case where the pod exists and has a RuntimeClassName
+	runtimeClassName := "my-runtime-class"
+	pod := &corev1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-pod",
+			Namespace: "default",
+		},
+		Spec: corev1.PodSpec{
+			RuntimeClassName: &runtimeClassName,
+		},
+	}
+	_, err = clientset.CoreV1().Pods("default").Create(ctx, pod, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatalf("expected no error, got %v", err)
+	}
+
+	runtimeClass, err := getRuntimeClassForPod(ctx, clientset, "test-pod", "default")
+	if err != nil {
+		t.Fatalf("expected no error, got %v", err)
+	}
+
+	if runtimeClass != runtimeClassName {
+		t.Fatalf("expected runtime class name to be '%s', got '%s'", runtimeClassName, runtimeClass)
+	}
+
+	// Test the case where the pod exists but does not have a RuntimeClassName
+	podWithoutRuntimeClass := &corev1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-pod-no-runtime",
+			Namespace: "default",
+		},
+		Spec: corev1.PodSpec{},
+	}
+	_, err = clientset.CoreV1().Pods("default").Create(ctx, podWithoutRuntimeClass, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatalf("expected no error, got %v", err)
+	}
+
+	runtimeClass, err = getRuntimeClassForPod(ctx, clientset, "test-pod-no-runtime", "default")
+	if err != nil {
+		t.Fatalf("expected no error, got %v", err)
+	}
+
+	if runtimeClass != "" {
+		t.Fatalf("expected runtime class name to be '', got '%s'", runtimeClass)
+	}
+
+	// Test the case where the pod does not exist
+	_, err = getRuntimeClassForPod(ctx, clientset, "nonexistent-pod", "default")
+	if err == nil {
+		t.Fatalf("expected an error, got nil")
+	}
+}
+
 // TestGetCloudProvider tests the func GetCloudProvider().
 // To run this unit test successfully, need to ensure /etc/kubernetes/azure.json nonexistent.
 func TestGetCloudProvider(t *testing.T) {
diff --git a/pkg/azurefile/azurefile.go b/pkg/azurefile/azurefile.go
index 2c0bf5f521..b9b3dd7d29 100644
--- a/pkg/azurefile/azurefile.go
+++ b/pkg/azurefile/azurefile.go
@@ -120,6 +120,7 @@ const (
 	storageEndpointSuffixField        = "storageendpointsuffix"
 	fsGroupChangePolicyField          = "fsgroupchangepolicy"
 	ephemeralField                    = "csi.storage.k8s.io/ephemeral"
+	podNameField                      = "csi.storage.k8s.io/pod.name"
 	podNamespaceField                 = "csi.storage.k8s.io/pod.namespace"
 	serviceAccountTokenField          = "csi.storage.k8s.io/serviceAccount.tokens"
 	clientIDField                     = "clientID"
@@ -220,6 +221,7 @@ type Driver struct {
 	allowInlineVolumeKeyAccessWithIdentity bool
 	enableVHDDiskFeature                   bool
 	enableGetVolumeStats                   bool
+	enableKataCCMount                      bool
 	enableVolumeMountGroup                 bool
 	appendMountErrorHelpLink               bool
 	mountPermissions                       uint64
@@ -270,8 +272,10 @@ type Driver struct {
 	// azcopy for provide exec mock for ut
 	azcopy *fileutil.Azcopy
 
-	kubeconfig string
-	endpoint   string
+	kubeconfig   string
+	endpoint     string
+	resolver     Resolver
+	directVolume DirectVolume
 }
 
 // NewDriver Creates a NewCSIDriver object. Assumes vendor version is equal to driver version &
@@ -288,6 +292,7 @@ func NewDriver(options *DriverOptions) *Driver {
 	driver.allowEmptyCloudConfig = options.AllowEmptyCloudConfig
 	driver.allowInlineVolumeKeyAccessWithIdentity = options.AllowInlineVolumeKeyAccessWithIdentity
 	driver.enableVHDDiskFeature = options.EnableVHDDiskFeature
+	driver.enableKataCCMount = options.EnableKataCCMount
 	driver.enableVolumeMountGroup = options.EnableVolumeMountGroup
 	driver.enableGetVolumeStats = options.EnableGetVolumeStats
 	driver.appendMountErrorHelpLink = options.AppendMountErrorHelpLink
@@ -310,6 +315,8 @@ func NewDriver(options *DriverOptions) *Driver {
 	driver.azcopy = &fileutil.Azcopy{}
 	driver.kubeconfig = options.KubeConfig
 	driver.endpoint = options.Endpoint
+	driver.resolver = new(NetResolver)
+	driver.directVolume = new(directVolume)
 
 	var err error
 	getter := func(_ string) (interface{}, error) { return nil, nil }
diff --git a/pkg/azurefile/azurefile_options.go b/pkg/azurefile/azurefile_options.go
index a0ea5808f5..c331a90aff 100644
--- a/pkg/azurefile/azurefile_options.go
+++ b/pkg/azurefile/azurefile_options.go
@@ -31,6 +31,7 @@ type DriverOptions struct {
 	EnableVHDDiskFeature                   bool
 	EnableVolumeMountGroup                 bool
 	EnableGetVolumeStats                   bool
+	EnableKataCCMount                      bool
 	AppendMountErrorHelpLink               bool
 	MountPermissions                       uint64
 	FSGroupChangePolicy                    string
@@ -67,6 +68,7 @@ func (o *DriverOptions) AddFlags() *flag.FlagSet {
 	fs.BoolVar(&o.EnableVHDDiskFeature, "enable-vhd", true, "enable VHD disk feature (experimental)")
 	fs.BoolVar(&o.EnableVolumeMountGroup, "enable-volume-mount-group", true, "indicates whether enabling VOLUME_MOUNT_GROUP")
 	fs.BoolVar(&o.EnableGetVolumeStats, "enable-get-volume-stats", true, "allow GET_VOLUME_STATS on agent node")
+	fs.BoolVar(&o.EnableKataCCMount, "enable-kata-cc-mount", true, "enable Kata Confidential Containers mount")
 	fs.BoolVar(&o.AppendMountErrorHelpLink, "append-mount-error-help-link", true, "Whether to include a link for help with mount errors when a mount error occurs.")
 	fs.Uint64Var(&o.MountPermissions, "mount-permissions", 0777, "mounted folder permissions")
 	fs.StringVar(&o.FSGroupChangePolicy, "fsgroup-change-policy", "", "indicates how the volume's ownership will be changed by the driver, OnRootMismatch is the default value")
diff --git a/pkg/azurefile/directvolume_interface.go b/pkg/azurefile/directvolume_interface.go
new file mode 100644
index 0000000000..276b4cbbf5
--- /dev/null
+++ b/pkg/azurefile/directvolume_interface.go
@@ -0,0 +1,54 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package azurefile
+
+import (
+	volume "github.com/kata-containers/kata-containers/src/runtime/pkg/direct-volume"
+)
+
+type DirectVolume interface {
+	Add(volumePath string, mountInfo string) error
+	Remove(volumePath string) error
+	VolumeMountInfo(volumePath string) (*volume.MountInfo, error)
+	RecordSandboxID(sandboxID string, volumePath string) error
+	GetSandboxIDForVolume(volumePath string) (string, error)
+}
+
+// Ensure the existing functions implement the interface
+var _ DirectVolume = &directVolume{}
+
+type directVolume struct{}
+
+func (dv *directVolume) Add(volumePath string, mountInfo string) error {
+	return volume.Add(volumePath, mountInfo)
+}
+
+func (dv *directVolume) Remove(volumePath string) error {
+	return volume.Remove(volumePath)
+}
+
+func (dv *directVolume) VolumeMountInfo(volumePath string) (*volume.MountInfo, error) {
+	return volume.VolumeMountInfo(volumePath)
+}
+
+func (dv *directVolume) RecordSandboxID(sandboxID string, volumePath string) error {
+	return volume.RecordSandboxId(sandboxID, volumePath)
+}
+
+func (dv *directVolume) GetSandboxIDForVolume(volumePath string) (string, error) {
+	return volume.GetSandboxIdForVolume(volumePath)
+}
diff --git a/pkg/azurefile/directvolume_mock.go b/pkg/azurefile/directvolume_mock.go
new file mode 100644
index 0000000000..b835ebf306
--- /dev/null
+++ b/pkg/azurefile/directvolume_mock.go
@@ -0,0 +1,120 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package azurefile
+
+import (
+	reflect "reflect"
+
+	gomock "github.com/golang/mock/gomock"
+	volume "github.com/kata-containers/kata-containers/src/runtime/pkg/direct-volume"
+)
+
+// MockDirectVolume is a mock of DirectVolume interface.
+type MockDirectVolume struct {
+	ctrl     *gomock.Controller
+	recorder *MockDirectVolumeMockRecorder
+}
+
+// MockDirectVolumeMockRecorder is the mock recorder for MockDirectVolume.
+type MockDirectVolumeMockRecorder struct {
+	mock *MockDirectVolume
+}
+
+// NewMockDirectVolume creates a new mock instance.
+func NewMockDirectVolume(ctrl *gomock.Controller) *MockDirectVolume {
+	mock := &MockDirectVolume{ctrl: ctrl}
+	mock.recorder = &MockDirectVolumeMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockDirectVolume) EXPECT() *MockDirectVolumeMockRecorder {
+	return m.recorder
+}
+
+// Add mocks base method.
+func (m *MockDirectVolume) Add(volumePath, mountInfo string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Add", volumePath, mountInfo)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// Add indicates an expected call of Add.
+func (mr *MockDirectVolumeMockRecorder) Add(volumePath, mountInfo interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Add", reflect.TypeOf((*MockDirectVolume)(nil).Add), volumePath, mountInfo)
+}
+
+// GetSandboxIDForVolume mocks base method.
+// nolint: var-naming
+func (m *MockDirectVolume) GetSandboxIDForVolume(volumePath string) (string, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetSandboxIDForVolume", volumePath)
+	ret0, _ := ret[0].(string)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetSandboxIDForVolume indicates an expected call of GetSandboxIDForVolume.
+func (mr *MockDirectVolumeMockRecorder) GetSandboxIDForVolume(volumePath interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetSandboxIDForVolume", reflect.TypeOf((*MockDirectVolume)(nil).GetSandboxIDForVolume), volumePath)
+}
+
+// RecordSandboxID mocks base method.
+func (m *MockDirectVolume) RecordSandboxID(sandboxID, volumePath string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "RecordSandboxID", sandboxID, volumePath)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// RecordSandboxID indicates an expected call of RecordSandboxID.
+func (mr *MockDirectVolumeMockRecorder) RecordSandboxID(sandboxID, volumePath interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RecordSandboxID", reflect.TypeOf((*MockDirectVolume)(nil).RecordSandboxID), sandboxID, volumePath)
+}
+
+// Remove mocks base method.
+func (m *MockDirectVolume) Remove(volumePath string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Remove", volumePath)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// Remove indicates an expected call of Remove.
+func (mr *MockDirectVolumeMockRecorder) Remove(volumePath interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Remove", reflect.TypeOf((*MockDirectVolume)(nil).Remove), volumePath)
+}
+
+// VolumeMountInfo mocks base method.
+func (m *MockDirectVolume) VolumeMountInfo(volumePath string) (*volume.MountInfo, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "VolumeMountInfo", volumePath)
+	ret0, _ := ret[0].(*volume.MountInfo)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// VolumeMountInfo indicates an expected call of VolumeMountInfo.
+func (mr *MockDirectVolumeMockRecorder) VolumeMountInfo(volumePath interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VolumeMountInfo", reflect.TypeOf((*MockDirectVolume)(nil).VolumeMountInfo), volumePath)
+}
diff --git a/pkg/azurefile/nodeserver.go b/pkg/azurefile/nodeserver.go
index 36c44adc5c..3e4c1d49fe 100644
--- a/pkg/azurefile/nodeserver.go
+++ b/pkg/azurefile/nodeserver.go
@@ -17,6 +17,7 @@ limitations under the License.
 package azurefile
 
 import (
+	"encoding/json"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -26,6 +27,7 @@ import (
 	"time"
 
 	"github.com/container-storage-interface/spec/lib/go/csi"
+	volume "github.com/kata-containers/kata-containers/src/runtime/pkg/direct-volume"
 
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/volume/util"
@@ -34,12 +36,14 @@ import (
 	"google.golang.org/grpc/status"
 
 	"golang.org/x/net/context"
-
 	volumehelper "sigs.k8s.io/azurefile-csi-driver/pkg/util"
 	azcache "sigs.k8s.io/cloud-provider-azure/pkg/cache"
 	"sigs.k8s.io/cloud-provider-azure/pkg/metrics"
 )
 
+var getRuntimeClassForPodFunc = getRuntimeClassForPod
+var isConfidentialRuntimeClassFunc = isConfidentialRuntimeClass
+
 // NodePublishVolume mount the volume from staging to target path
 func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolumeRequest) (*csi.NodePublishVolumeResponse, error) {
 	volCap := req.GetVolumeCapability()
@@ -95,6 +99,42 @@ func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolu
 				return nil, status.Errorf(codes.InvalidArgument, "invalid mountPermissions %s", perm)
 			}
 		}
+		if d.enableKataCCMount && context[podNameField] != "" && context[podNamespaceField] != "" {
+			runtimeClass, err := getRuntimeClassForPodFunc(ctx, d.cloud.KubeClient, context[podNameField], context[podNamespaceField])
+			if err != nil {
+				klog.Errorf("failed to get runtime class for pod %s/%s: %v", context[podNamespaceField], context[podNameField], err)
+				return &csi.NodePublishVolumeResponse{}, nil
+			}
+			klog.V(2).Infof("NodePublishVolume: volume(%s) mount on %s with runtimeClass %s", volumeID, target, runtimeClass)
+			isConfidentialRuntimeClass, err := isConfidentialRuntimeClassFunc(ctx, d.cloud.KubeClient, runtimeClass)
+			if err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to check if runtime class %s is confidential: %v", runtimeClass, err)
+			}
+			if isConfidentialRuntimeClass {
+				klog.V(2).Infof("NodePublishVolume for volume(%s) where runtimeClass %s is kata-cc", volumeID, runtimeClass)
+				source := req.GetStagingTargetPath()
+				if len(source) == 0 {
+					return nil, status.Error(codes.InvalidArgument, "Staging target not provided")
+				}
+				// Load the mount info from staging area
+				mountInfo, err := d.directVolume.VolumeMountInfo(source)
+				if err != nil {
+					return nil, status.Errorf(codes.Internal, "failed to load mount info from %s: %v", source, err)
+				}
+				if mountInfo == nil {
+					return nil, status.Errorf(codes.Internal, "mount info is nil for volume %s", volumeID)
+				}
+				data, err := json.Marshal(mountInfo)
+				if err != nil {
+					return nil, status.Errorf(codes.Internal, "failed to marshal mount info %s: %v", source, err)
+				}
+				if err = d.directVolume.Add(target, string(data)); err != nil {
+					return nil, status.Errorf(codes.Internal, "failed to save mount info %s: %v", target, err)
+				}
+				klog.V(2).Infof("NodePublishVolume: direct volume mount %s at %s successfully", source, target)
+				return &csi.NodePublishVolumeResponse{}, nil
+			}
+		}
 	}
 
 	source := req.GetStagingTargetPath()
@@ -147,6 +187,13 @@ func (d *Driver) NodeUnpublishVolume(_ context.Context, req *csi.NodeUnpublishVo
 	if err := CleanupMountPoint(d.mounter, targetPath, true /*extensiveMountPointCheck*/); err != nil {
 		return nil, status.Errorf(codes.Internal, "failed to unmount target %s: %v", targetPath, err)
 	}
+	if d.enableKataCCMount {
+		// Remove deletes the direct volume path including all the files inside it.
+		// if there is no kata-cc mountinfo present on this path, it will return nil.
+		if err := d.directVolume.Remove(targetPath); err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to direct volume remove mount info %s: %v", targetPath, err)
+		}
+	}
 	klog.V(2).Infof("NodeUnpublishVolume: unmount volume %s on %s successfully", volumeID, targetPath)
 
 	return &csi.NodeUnpublishVolumeResponse{}, nil
@@ -367,6 +414,44 @@ func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRe
 		klog.V(2).Infof("volume(%s) mount %s on %s succeeded", volumeID, source, cifsMountPath)
 	}
 
+	// If runtime OS is not windows and protocol is not nfs, save mountInfo.json
+	if d.enableKataCCMount {
+		if runtime.GOOS != "windows" && protocol != nfs {
+			// Check if mountInfo.json is already present at the targetPath
+			isMountInfoPresent, err := d.directVolume.VolumeMountInfo(cifsMountPath)
+			if err != nil && !os.IsNotExist(err) {
+				return nil, status.Errorf(codes.Internal, "Could not save direct volume mount info %s: %v", cifsMountPath, err)
+			}
+			if isMountInfoPresent != nil {
+				klog.V(2).Infof("NodeStageVolume: mount info for volume %s is already present on %s", volumeID, targetPath)
+			} else {
+				mountFsType := cifs
+				ipAddr, err := d.resolver.ResolveIPAddr("ip", server)
+				if err != nil {
+					klog.V(2).ErrorS(err, "Couldn't resolve IP")
+					return nil, err
+				}
+				mountOptions = append(mountOptions, "addr="+ipAddr.IP.String())
+				mountInfo := volume.MountInfo{
+					VolumeType: "azurefile",
+					Device:     source,
+					FsType:     mountFsType,
+					Metadata: map[string]string{
+						"sensitiveMountOptions": strings.Join(sensitiveMountOptions, ","),
+					},
+					Options: mountOptions,
+				}
+				data, _ := json.Marshal(mountInfo)
+				if err := d.directVolume.Add(cifsMountPath, string(data)); err != nil {
+					return nil, status.Errorf(codes.Internal, "Could not save direct volume mount info %s: %v", cifsMountPath, err)
+				}
+				klog.V(2).Infof("NodeStageVolume: mount info for volume %s saved on %s", volumeID, targetPath)
+			}
+		} else {
+			klog.V(2).Infof("NodeStageVolume: skip saving mount info for volume %s on %s, runtime OS: %s, protocol: %s", volumeID, targetPath, runtime.GOOS, protocol)
+		}
+	}
+
 	if isDiskMount {
 		mnt, err := d.ensureMountPoint(targetPath, os.FileMode(mountPermissions))
 		if err != nil {
@@ -440,6 +525,14 @@ func (d *Driver) NodeUnstageVolume(_ context.Context, req *csi.NodeUnstageVolume
 			return nil, status.Errorf(codes.Internal, "failed to unmount staging target %s: %v", targetPath, err)
 		}
 	}
+
+	if d.enableKataCCMount {
+		klog.V(2).Infof("NodeUnstageVolume:remove direct volume mount info %s from %s", volumeID, stagingTargetPath)
+		if err := d.directVolume.Remove(stagingTargetPath); err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to remove mount info %s: %v", stagingTargetPath, err)
+		}
+	}
+
 	klog.V(2).Infof("NodeUnstageVolume: unmount volume %s on %s successfully", volumeID, stagingTargetPath)
 
 	isOperationSucceeded = true
diff --git a/pkg/azurefile/nodeserver_test.go b/pkg/azurefile/nodeserver_test.go
index 51fa6de733..d0d9a48fa4 100644
--- a/pkg/azurefile/nodeserver_test.go
+++ b/pkg/azurefile/nodeserver_test.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net"
 	"os"
 	"path/filepath"
 	"reflect"
@@ -30,9 +31,12 @@ import (
 
 	azure2 "github.com/Azure/go-autorest/autorest/azure"
 	"github.com/container-storage-interface/spec/lib/go/csi"
+	"github.com/golang/mock/gomock"
+	volume "github.com/kata-containers/kata-containers/src/runtime/pkg/direct-volume"
 	"github.com/stretchr/testify/assert"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
+	clientset "k8s.io/client-go/kubernetes"
 	mount "k8s.io/mount-utils"
 	"k8s.io/utils/exec"
 	testingexec "k8s.io/utils/exec/testing"
@@ -107,6 +111,14 @@ func TestNodeGetCapabilities(t *testing.T) {
 	assert.NoError(t, err)
 }
 
+func mockGetRuntimeClassForPod(_ context.Context, _ clientset.Interface, _, _ string) (string, error) {
+	return "mockRuntimeClass", nil
+}
+
+func mockIsConfidentialRuntimeClass(_ context.Context, _ clientset.Interface, _ string) (bool, error) {
+	return true, nil
+}
+
 func TestNodePublishVolume(t *testing.T) {
 	d := NewFakeDriver()
 	d.cloud = &azure.Cloud{}
@@ -120,6 +132,12 @@ func TestNodePublishVolume(t *testing.T) {
 		targetTest = testutil.GetWorkDirPath("target_test", t)
 	)
 
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+	mockDirectVolume := NewMockDirectVolume(ctrl)
+	getRuntimeClassForPodFunc = mockGetRuntimeClassForPod
+	isConfidentialRuntimeClassFunc = mockIsConfidentialRuntimeClass
+
 	tests := []struct {
 		desc        string
 		setup       func()
@@ -235,6 +253,25 @@ func TestNodePublishVolume(t *testing.T) {
 				DefaultError: status.Error(codes.InvalidArgument, fmt.Sprintf("invalid mountPermissions %s", "07ab")),
 			},
 		},
+		{
+			desc: "[Success] Valid request with Kata CC Mount enabled",
+			req: csi.NodePublishVolumeRequest{VolumeCapability: &csi.VolumeCapability{AccessMode: &volumeCap},
+				VolumeId:          "vol_1",
+				TargetPath:        targetTest,
+				StagingTargetPath: sourceTest,
+				Readonly:          true,
+				VolumeContext:     map[string]string{mountPermissionsField: "0755", podNameField: "testPod", podNamespaceField: "testNamespace"},
+			},
+			setup: func() {
+				d.enableKataCCMount = true
+				d.directVolume = mockDirectVolume
+				mockDirectVolume.EXPECT().VolumeMountInfo(sourceTest).Return(&volume.MountInfo{}, nil)
+				mockDirectVolume.EXPECT().Add(targetTest, gomock.Any()).Return(nil)
+			},
+			cleanup: func() {
+				d.enableKataCCMount = false
+			},
+		},
 	}
 
 	// Setup
@@ -272,6 +309,9 @@ func TestNodeUnpublishVolume(t *testing.T) {
 	errorTarget := testutil.GetWorkDirPath("error_is_likely_target", t)
 	targetFile := testutil.GetWorkDirPath("abc.go", t)
 	d := NewFakeDriver()
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+	mockDirectVolume := NewMockDirectVolume(ctrl)
 
 	tests := []struct {
 		desc         string
@@ -308,6 +348,19 @@ func TestNodeUnpublishVolume(t *testing.T) {
 			req:         csi.NodeUnpublishVolumeRequest{TargetPath: targetFile, VolumeId: "vol_1"},
 			expectedErr: testutil.TestError{},
 		},
+		{
+			desc:        "[Success] Valid request with Kata CC Mount enabled",
+			req:         csi.NodeUnpublishVolumeRequest{TargetPath: targetFile, VolumeId: "vol_1"},
+			expectedErr: testutil.TestError{},
+			setup: func() {
+				d.enableKataCCMount = true
+				d.directVolume = mockDirectVolume
+				mockDirectVolume.EXPECT().Remove(targetFile).Return(nil)
+			},
+			cleanup: func() {
+				d.enableKataCCMount = false
+			},
+		},
 	}
 
 	// Setup
@@ -407,6 +460,11 @@ func TestNodeStageVolume(t *testing.T) {
 		"accountkey":  "testkey",
 	}
 
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+	mockResolver := NewMockResolver(ctrl)
+	mockDirectVolume := NewMockDirectVolume(ctrl)
+
 	tests := []struct {
 		desc          string
 		setup         func()
@@ -701,6 +759,28 @@ func TestNodeStageVolume(t *testing.T) {
 				DefaultError: status.Error(codes.InvalidArgument, fmt.Sprintf("invalid mountPermissions %s", "07ab")),
 			},
 		},
+		{
+			desc: "[Success] Valid request with Kata CC Mount enabled",
+			setup: func() {
+				d.resolver = mockResolver
+				d.directVolume = mockDirectVolume
+				d.enableKataCCMount = true
+				if runtime.GOOS != "windows" {
+					mockIPAddr := &net.IPAddr{IP: net.ParseIP("192.168.1.1")}
+					mockDirectVolume.EXPECT().VolumeMountInfo(sourceTest).Return(nil, nil)
+					mockResolver.EXPECT().ResolveIPAddr("ip", "test_servername").Return(mockIPAddr, nil)
+					mockDirectVolume.EXPECT().Add(sourceTest, gomock.Any()).Return(nil)
+				}
+			},
+			req: csi.NodeStageVolumeRequest{VolumeId: "vol_1##", StagingTargetPath: sourceTest,
+				VolumeCapability: &stdVolCap,
+				VolumeContext:    volContext,
+				Secrets:          secrets},
+			skipOnWindows: true,
+			cleanup: func() {
+				d.enableKataCCMount = false
+			},
+		},
 	}
 
 	// Setup
@@ -767,6 +847,9 @@ func TestNodeUnstageVolume(t *testing.T) {
 		targetFile  = testutil.GetWorkDirPath("abc.go", t)
 	)
 	d := NewFakeDriver()
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+	mockDirectVolume := NewMockDirectVolume(ctrl)
 
 	tests := []struct {
 		desc         string
@@ -816,6 +899,19 @@ func TestNodeUnstageVolume(t *testing.T) {
 			req:         csi.NodeUnstageVolumeRequest{StagingTargetPath: targetFile, VolumeId: "vol_1"},
 			expectedErr: testutil.TestError{},
 		},
+		{
+			desc: "[Success] Valid request with Kata CC Mount enabled",
+			setup: func() {
+				d.enableKataCCMount = true
+				d.directVolume = mockDirectVolume
+				mockDirectVolume.EXPECT().Remove(targetFile).Return(nil)
+			},
+			req:         csi.NodeUnstageVolumeRequest{StagingTargetPath: targetFile, VolumeId: "vol_1"},
+			expectedErr: testutil.TestError{},
+			cleanup: func() {
+				d.enableKataCCMount = false
+			},
+		},
 	}
 
 	// Setup
diff --git a/pkg/azurefile/resolver_interface.go b/pkg/azurefile/resolver_interface.go
new file mode 100644
index 0000000000..368297cd78
--- /dev/null
+++ b/pkg/azurefile/resolver_interface.go
@@ -0,0 +1,32 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package azurefile
+
+import "net"
+
+// Resolver is an interface for resolving IP addresses.
+type Resolver interface {
+	ResolveIPAddr(network, address string) (*net.IPAddr, error)
+}
+
+// NetResolver is the real implementation of the Resolver interface.
+type NetResolver struct{}
+
+// ResolveIPAddr resolves the IP address using net.ResolveIPAddr.
+func (r *NetResolver) ResolveIPAddr(network, address string) (*net.IPAddr, error) {
+	return net.ResolveIPAddr(network, address)
+}
diff --git a/pkg/azurefile/resolver_mock.go b/pkg/azurefile/resolver_mock.go
new file mode 100644
index 0000000000..d8ee8e52f2
--- /dev/null
+++ b/pkg/azurefile/resolver_mock.go
@@ -0,0 +1,62 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package azurefile
+
+import (
+	net "net"
+	reflect "reflect"
+
+	gomock "github.com/golang/mock/gomock"
+)
+
+// MockResolver is a mock of Resolver interface.
+type MockResolver struct {
+	ctrl     *gomock.Controller
+	recorder *MockResolverMockRecorder
+}
+
+// MockResolverMockRecorder is the mock recorder for MockResolver.
+type MockResolverMockRecorder struct {
+	mock *MockResolver
+}
+
+// NewMockResolver creates a new mock instance.
+func NewMockResolver(ctrl *gomock.Controller) *MockResolver {
+	mock := &MockResolver{ctrl: ctrl}
+	mock.recorder = &MockResolverMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockResolver) EXPECT() *MockResolverMockRecorder {
+	return m.recorder
+}
+
+// ResolveIPAddr mocks base method.
+func (m *MockResolver) ResolveIPAddr(network, address string) (*net.IPAddr, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ResolveIPAddr", network, address)
+	ret0, _ := ret[0].(*net.IPAddr)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// ResolveIPAddr indicates an expected call of ResolveIPAddr.
+func (mr *MockResolverMockRecorder) ResolveIPAddr(network, address interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ResolveIPAddr", reflect.TypeOf((*MockResolver)(nil).ResolveIPAddr), network, address)
+}
diff --git a/pkg/azurefile/utils.go b/pkg/azurefile/utils.go
index 5afd8908c1..0c2f077fa7 100644
--- a/pkg/azurefile/utils.go
+++ b/pkg/azurefile/utils.go
@@ -17,6 +17,7 @@ limitations under the License.
 package azurefile
 
 import (
+	"context"
 	"fmt"
 	"os"
 	"regexp"
@@ -27,6 +28,8 @@ import (
 
 	"github.com/container-storage-interface/spec/lib/go/csi"
 	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/volume"
 )
@@ -317,3 +320,25 @@ func isReadOnlyFromCapability(vc *csi.VolumeCapability) bool {
 	return (mode == csi.VolumeCapability_AccessMode_MULTI_NODE_READER_ONLY ||
 		mode == csi.VolumeCapability_AccessMode_SINGLE_NODE_READER_ONLY)
 }
+
+const confidentialRuntimeClassHandler = "kata-cc"
+
+// check if runtimeClass is confidential
+func isConfidentialRuntimeClass(ctx context.Context, kubeClient clientset.Interface, runtimeClassName string) (bool, error) {
+	// if runtimeClassName is empty, return false
+	if runtimeClassName == "" {
+		return false, nil
+	}
+	if kubeClient == nil {
+		klog.Warningf("kubeClient is nil")
+		return false, fmt.Errorf("kubeClient is nil")
+	}
+	runtimeClassClient := kubeClient.NodeV1().RuntimeClasses()
+	runtimeClass, err := runtimeClassClient.Get(ctx, runtimeClassName, metav1.GetOptions{})
+	if err != nil {
+		klog.Warningf("Failed to get runtimeClass %s: %v", runtimeClassName, err)
+		return false, err
+	}
+	klog.Infof("runtimeClass %s handler: %s", runtimeClassName, runtimeClass.Handler)
+	return runtimeClass.Handler == confidentialRuntimeClassHandler, nil
+}
diff --git a/pkg/azurefile/utils_test.go b/pkg/azurefile/utils_test.go
index 48109e65a5..d274651868 100644
--- a/pkg/azurefile/utils_test.go
+++ b/pkg/azurefile/utils_test.go
@@ -17,6 +17,7 @@ limitations under the License.
 package azurefile
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"os"
@@ -26,6 +27,9 @@ import (
 	"time"
 
 	"github.com/container-storage-interface/spec/lib/go/csi"
+	nodev1 "k8s.io/api/node/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	fake "k8s.io/client-go/kubernetes/fake"
 	utiltesting "k8s.io/client-go/util/testing"
 )
 
@@ -749,3 +753,64 @@ func TestIsReadOnlyFromCapability(t *testing.T) {
 		}
 	}
 }
+
+func TestIsConfidentialRuntimeClass(t *testing.T) {
+	ctx := context.TODO()
+
+	// Test the case where kubeClient is nil
+	_, err := isConfidentialRuntimeClass(ctx, nil, "test-runtime-class")
+	if err == nil || err.Error() != "kubeClient is nil" {
+		t.Fatalf("expected error 'kubeClient is nil', got %v", err)
+	}
+
+	// Create a fake clientset
+	clientset := fake.NewSimpleClientset()
+
+	// Test the case where the runtime class exists and has the confidential handler
+	runtimeClass := &nodev1.RuntimeClass{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-runtime-class",
+		},
+		Handler: confidentialRuntimeClassHandler,
+	}
+	_, err = clientset.NodeV1().RuntimeClasses().Create(ctx, runtimeClass, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatalf("expected no error, got %v", err)
+	}
+
+	isConfidential, err := isConfidentialRuntimeClass(ctx, clientset, "test-runtime-class")
+	if err != nil {
+		t.Fatalf("expected no error, got %v", err)
+	}
+
+	if !isConfidential {
+		t.Fatalf("expected runtime class to be confidential, got %v", isConfidential)
+	}
+
+	// Test the case where the runtime class exists but does not have the confidential handler
+	nonConfidentialRuntimeClass := &nodev1.RuntimeClass{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-runtime-class-non-confidential",
+		},
+		Handler: "non-confidential-handler",
+	}
+	_, err = clientset.NodeV1().RuntimeClasses().Create(ctx, nonConfidentialRuntimeClass, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatalf("expected no error, got %v", err)
+	}
+
+	isConfidential, err = isConfidentialRuntimeClass(ctx, clientset, "test-runtime-class-non-confidential")
+	if err != nil {
+		t.Fatalf("expected no error, got %v", err)
+	}
+
+	if isConfidential {
+		t.Fatalf("expected runtime class to not be confidential, got %v", isConfidential)
+	}
+
+	// Test the case where the runtime class does not exist
+	_, err = isConfidentialRuntimeClass(ctx, clientset, "nonexistent-runtime-class")
+	if err == nil {
+		t.Fatalf("expected an error, got nil")
+	}
+}
diff --git a/vendor/github.com/Microsoft/go-winio/.golangci.yml b/vendor/github.com/Microsoft/go-winio/.golangci.yml
index af403bb13a..7b503d26a3 100644
--- a/vendor/github.com/Microsoft/go-winio/.golangci.yml
+++ b/vendor/github.com/Microsoft/go-winio/.golangci.yml
@@ -8,12 +8,8 @@ linters:
     - containedctx # struct contains a context
     - dupl # duplicate code
     - errname # erorrs are named correctly
-    - goconst # strings that should be constants
-    - godot # comments end in a period
-    - misspell
     - nolintlint # "//nolint" directives are properly explained
     - revive # golint replacement
-    - stylecheck # golint replacement, less configurable than revive
     - unconvert # unnecessary conversions
     - wastedassign
 
@@ -23,10 +19,7 @@ linters:
     - exhaustive # check exhaustiveness of enum switch statements
     - gofmt # files are gofmt'ed
     - gosec # security
-    - nestif # deeply nested ifs
     - nilerr # returns nil even with non-nil error
-    - prealloc # slices that can be pre-allocated
-    - structcheck # unused struct fields
     - unparam # unused function params
 
 issues:
@@ -42,6 +35,18 @@ issues:
       text: "^line-length-limit: "
       source: "^//(go:generate|sys) "
 
+    #TODO: remove after upgrading to go1.18
+    # ignore comment spacing for nolint and sys directives
+    - linters:
+        - revive
+      text: "^comment-spacings: no space between comment delimiter and comment text"
+      source: "//(cspell:|nolint:|sys |todo)"
+
+    # not on go 1.18 yet, so no any
+    - linters:
+        - revive
+      text: "^use-any: since GO 1.18 'interface{}' can be replaced by 'any'"
+
     # allow unjustified ignores of error checks in defer statements
     - linters:
         - nolintlint
@@ -56,6 +61,8 @@ issues:
 
 
 linters-settings:
+  exhaustive:
+    default-signifies-exhaustive: true
   govet:
     enable-all: true
     disable:
@@ -98,6 +105,8 @@ linters-settings:
         disabled: true
       - name: flag-parameter # excessive, and a common idiom we use
         disabled: true
+      - name: unhandled-error # warns over common fmt.Print* and io.Close; rely on errcheck instead
+        disabled: true
       # general config
       - name: line-length-limit
         arguments:
@@ -138,7 +147,3 @@ linters-settings:
             - VPCI
             - WCOW
             - WIM
-  stylecheck:
-    checks:
-      - "all"
-      - "-ST1003" # use revive's var naming
diff --git a/vendor/github.com/Microsoft/go-winio/hvsock.go b/vendor/github.com/Microsoft/go-winio/hvsock.go
index 52f1c280f6..c881916583 100644
--- a/vendor/github.com/Microsoft/go-winio/hvsock.go
+++ b/vendor/github.com/Microsoft/go-winio/hvsock.go
@@ -23,7 +23,7 @@ import (
 const afHVSock = 34 // AF_HYPERV
 
 // Well known Service and VM IDs
-//https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/make-integration-service#vmid-wildcards
+// https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/make-integration-service#vmid-wildcards
 
 // HvsockGUIDWildcard is the wildcard VmId for accepting connections from all partitions.
 func HvsockGUIDWildcard() guid.GUID { // 00000000-0000-0000-0000-000000000000
@@ -31,7 +31,7 @@ func HvsockGUIDWildcard() guid.GUID { // 00000000-0000-0000-0000-000000000000
 }
 
 // HvsockGUIDBroadcast is the wildcard VmId for broadcasting sends to all partitions.
-func HvsockGUIDBroadcast() guid.GUID { //ffffffff-ffff-ffff-ffff-ffffffffffff
+func HvsockGUIDBroadcast() guid.GUID { // ffffffff-ffff-ffff-ffff-ffffffffffff
 	return guid.GUID{
 		Data1: 0xffffffff,
 		Data2: 0xffff,
@@ -246,7 +246,7 @@ func (l *HvsockListener) Accept() (_ net.Conn, err error) {
 	var addrbuf [addrlen * 2]byte
 
 	var bytes uint32
-	err = syscall.AcceptEx(l.sock.handle, sock.handle, &addrbuf[0], 0 /*rxdatalen*/, addrlen, addrlen, &bytes, &c.o)
+	err = syscall.AcceptEx(l.sock.handle, sock.handle, &addrbuf[0], 0 /* rxdatalen */, addrlen, addrlen, &bytes, &c.o)
 	if _, err = l.sock.asyncIO(c, nil, bytes, err); err != nil {
 		return nil, l.opErr("accept", os.NewSyscallError("acceptex", err))
 	}
diff --git a/vendor/github.com/Microsoft/go-winio/internal/fs/doc.go b/vendor/github.com/Microsoft/go-winio/internal/fs/doc.go
new file mode 100644
index 0000000000..1f65388178
--- /dev/null
+++ b/vendor/github.com/Microsoft/go-winio/internal/fs/doc.go
@@ -0,0 +1,2 @@
+// This package contains Win32 filesystem functionality.
+package fs
diff --git a/vendor/github.com/Microsoft/go-winio/internal/fs/fs.go b/vendor/github.com/Microsoft/go-winio/internal/fs/fs.go
new file mode 100644
index 0000000000..509b3ec641
--- /dev/null
+++ b/vendor/github.com/Microsoft/go-winio/internal/fs/fs.go
@@ -0,0 +1,202 @@
+//go:build windows
+
+package fs
+
+import (
+	"golang.org/x/sys/windows"
+
+	"github.com/Microsoft/go-winio/internal/stringbuffer"
+)
+
+//go:generate go run github.com/Microsoft/go-winio/tools/mkwinsyscall -output zsyscall_windows.go fs.go
+
+// https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilew
+//sys CreateFile(name string, access AccessMask, mode FileShareMode, sa *syscall.SecurityAttributes, createmode FileCreationDisposition, attrs FileFlagOrAttribute, templatefile windows.Handle) (handle windows.Handle, err error) [failretval==windows.InvalidHandle] = CreateFileW
+
+const NullHandle windows.Handle = 0
+
+// AccessMask defines standard, specific, and generic rights.
+//
+//	Bitmask:
+//	 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
+//	 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
+//	+---------------+---------------+-------------------------------+
+//	|G|G|G|G|Resvd|A| StandardRights|         SpecificRights        |
+//	|R|W|E|A|     |S|               |                               |
+//	+-+-------------+---------------+-------------------------------+
+//
+//	GR     Generic Read
+//	GW     Generic Write
+//	GE     Generic Exectue
+//	GA     Generic All
+//	Resvd  Reserved
+//	AS     Access Security System
+//
+// https://learn.microsoft.com/en-us/windows/win32/secauthz/access-mask
+//
+// https://learn.microsoft.com/en-us/windows/win32/secauthz/generic-access-rights
+//
+// https://learn.microsoft.com/en-us/windows/win32/fileio/file-access-rights-constants
+type AccessMask = windows.ACCESS_MASK
+
+//nolint:revive // SNAKE_CASE is not idiomatic in Go, but aligned with Win32 API.
+const (
+	// Not actually any.
+	//
+	// For CreateFile: "query certain metadata such as file, directory, or device attributes without accessing that file or device"
+	// https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilew#parameters
+	FILE_ANY_ACCESS AccessMask = 0
+
+	// Specific Object Access
+	// from ntioapi.h
+
+	FILE_READ_DATA      AccessMask = (0x0001) // file & pipe
+	FILE_LIST_DIRECTORY AccessMask = (0x0001) // directory
+
+	FILE_WRITE_DATA AccessMask = (0x0002) // file & pipe
+	FILE_ADD_FILE   AccessMask = (0x0002) // directory
+
+	FILE_APPEND_DATA          AccessMask = (0x0004) // file
+	FILE_ADD_SUBDIRECTORY     AccessMask = (0x0004) // directory
+	FILE_CREATE_PIPE_INSTANCE AccessMask = (0x0004) // named pipe
+
+	FILE_READ_EA         AccessMask = (0x0008) // file & directory
+	FILE_READ_PROPERTIES AccessMask = FILE_READ_EA
+
+	FILE_WRITE_EA         AccessMask = (0x0010) // file & directory
+	FILE_WRITE_PROPERTIES AccessMask = FILE_WRITE_EA
+
+	FILE_EXECUTE  AccessMask = (0x0020) // file
+	FILE_TRAVERSE AccessMask = (0x0020) // directory
+
+	FILE_DELETE_CHILD AccessMask = (0x0040) // directory
+
+	FILE_READ_ATTRIBUTES AccessMask = (0x0080) // all
+
+	FILE_WRITE_ATTRIBUTES AccessMask = (0x0100) // all
+
+	FILE_ALL_ACCESS      AccessMask = (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FF)
+	FILE_GENERIC_READ    AccessMask = (STANDARD_RIGHTS_READ | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | SYNCHRONIZE)
+	FILE_GENERIC_WRITE   AccessMask = (STANDARD_RIGHTS_WRITE | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA | FILE_APPEND_DATA | SYNCHRONIZE)
+	FILE_GENERIC_EXECUTE AccessMask = (STANDARD_RIGHTS_EXECUTE | FILE_READ_ATTRIBUTES | FILE_EXECUTE | SYNCHRONIZE)
+
+	SPECIFIC_RIGHTS_ALL AccessMask = 0x0000FFFF
+
+	// Standard Access
+	// from ntseapi.h
+
+	DELETE       AccessMask = 0x0001_0000
+	READ_CONTROL AccessMask = 0x0002_0000
+	WRITE_DAC    AccessMask = 0x0004_0000
+	WRITE_OWNER  AccessMask = 0x0008_0000
+	SYNCHRONIZE  AccessMask = 0x0010_0000
+
+	STANDARD_RIGHTS_REQUIRED AccessMask = 0x000F_0000
+
+	STANDARD_RIGHTS_READ    AccessMask = READ_CONTROL
+	STANDARD_RIGHTS_WRITE   AccessMask = READ_CONTROL
+	STANDARD_RIGHTS_EXECUTE AccessMask = READ_CONTROL
+
+	STANDARD_RIGHTS_ALL AccessMask = 0x001F_0000
+)
+
+type FileShareMode uint32
+
+//nolint:revive // SNAKE_CASE is not idiomatic in Go, but aligned with Win32 API.
+const (
+	FILE_SHARE_NONE        FileShareMode = 0x00
+	FILE_SHARE_READ        FileShareMode = 0x01
+	FILE_SHARE_WRITE       FileShareMode = 0x02
+	FILE_SHARE_DELETE      FileShareMode = 0x04
+	FILE_SHARE_VALID_FLAGS FileShareMode = 0x07
+)
+
+type FileCreationDisposition uint32
+
+//nolint:revive // SNAKE_CASE is not idiomatic in Go, but aligned with Win32 API.
+const (
+	// from winbase.h
+
+	CREATE_NEW        FileCreationDisposition = 0x01
+	CREATE_ALWAYS     FileCreationDisposition = 0x02
+	OPEN_EXISTING     FileCreationDisposition = 0x03
+	OPEN_ALWAYS       FileCreationDisposition = 0x04
+	TRUNCATE_EXISTING FileCreationDisposition = 0x05
+)
+
+// CreateFile and co. take flags or attributes together as one parameter.
+// Define alias until we can use generics to allow both
+
+// https://learn.microsoft.com/en-us/windows/win32/fileio/file-attribute-constants
+type FileFlagOrAttribute uint32
+
+//nolint:revive // SNAKE_CASE is not idiomatic in Go, but aligned with Win32 API.
+const ( // from winnt.h
+	FILE_FLAG_WRITE_THROUGH       FileFlagOrAttribute = 0x8000_0000
+	FILE_FLAG_OVERLAPPED          FileFlagOrAttribute = 0x4000_0000
+	FILE_FLAG_NO_BUFFERING        FileFlagOrAttribute = 0x2000_0000
+	FILE_FLAG_RANDOM_ACCESS       FileFlagOrAttribute = 0x1000_0000
+	FILE_FLAG_SEQUENTIAL_SCAN     FileFlagOrAttribute = 0x0800_0000
+	FILE_FLAG_DELETE_ON_CLOSE     FileFlagOrAttribute = 0x0400_0000
+	FILE_FLAG_BACKUP_SEMANTICS    FileFlagOrAttribute = 0x0200_0000
+	FILE_FLAG_POSIX_SEMANTICS     FileFlagOrAttribute = 0x0100_0000
+	FILE_FLAG_OPEN_REPARSE_POINT  FileFlagOrAttribute = 0x0020_0000
+	FILE_FLAG_OPEN_NO_RECALL      FileFlagOrAttribute = 0x0010_0000
+	FILE_FLAG_FIRST_PIPE_INSTANCE FileFlagOrAttribute = 0x0008_0000
+)
+
+type FileSQSFlag = FileFlagOrAttribute
+
+//nolint:revive // SNAKE_CASE is not idiomatic in Go, but aligned with Win32 API.
+const ( // from winbase.h
+	SECURITY_ANONYMOUS      FileSQSFlag = FileSQSFlag(SecurityAnonymous << 16)
+	SECURITY_IDENTIFICATION FileSQSFlag = FileSQSFlag(SecurityIdentification << 16)
+	SECURITY_IMPERSONATION  FileSQSFlag = FileSQSFlag(SecurityImpersonation << 16)
+	SECURITY_DELEGATION     FileSQSFlag = FileSQSFlag(SecurityDelegation << 16)
+
+	SECURITY_SQOS_PRESENT     FileSQSFlag = 0x00100000
+	SECURITY_VALID_SQOS_FLAGS FileSQSFlag = 0x001F0000
+)
+
+// GetFinalPathNameByHandle flags
+//
+// https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-getfinalpathnamebyhandlew#parameters
+type GetFinalPathFlag uint32
+
+//nolint:revive // SNAKE_CASE is not idiomatic in Go, but aligned with Win32 API.
+const (
+	GetFinalPathDefaultFlag GetFinalPathFlag = 0x0
+
+	FILE_NAME_NORMALIZED GetFinalPathFlag = 0x0
+	FILE_NAME_OPENED     GetFinalPathFlag = 0x8
+
+	VOLUME_NAME_DOS  GetFinalPathFlag = 0x0
+	VOLUME_NAME_GUID GetFinalPathFlag = 0x1
+	VOLUME_NAME_NT   GetFinalPathFlag = 0x2
+	VOLUME_NAME_NONE GetFinalPathFlag = 0x4
+)
+
+// getFinalPathNameByHandle facilitates calling the Windows API GetFinalPathNameByHandle
+// with the given handle and flags. It transparently takes care of creating a buffer of the
+// correct size for the call.
+//
+// https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-getfinalpathnamebyhandlew
+func GetFinalPathNameByHandle(h windows.Handle, flags GetFinalPathFlag) (string, error) {
+	b := stringbuffer.NewWString()
+	//TODO: can loop infinitely if Win32 keeps returning the same (or a larger) n?
+	for {
+		n, err := windows.GetFinalPathNameByHandle(h, b.Pointer(), b.Cap(), uint32(flags))
+		if err != nil {
+			return "", err
+		}
+		// If the buffer wasn't large enough, n will be the total size needed (including null terminator).
+		// Resize and try again.
+		if n > b.Cap() {
+			b.ResizeTo(n)
+			continue
+		}
+		// If the buffer is large enough, n will be the size not including the null terminator.
+		// Convert to a Go string and return.
+		return b.String(), nil
+	}
+}
diff --git a/vendor/github.com/Microsoft/go-winio/internal/fs/security.go b/vendor/github.com/Microsoft/go-winio/internal/fs/security.go
new file mode 100644
index 0000000000..81760ac67e
--- /dev/null
+++ b/vendor/github.com/Microsoft/go-winio/internal/fs/security.go
@@ -0,0 +1,12 @@
+package fs
+
+// https://learn.microsoft.com/en-us/windows/win32/api/winnt/ne-winnt-security_impersonation_level
+type SecurityImpersonationLevel int32 // C default enums underlying type is `int`, which is Go `int32`
+
+// Impersonation levels
+const (
+	SecurityAnonymous      SecurityImpersonationLevel = 0
+	SecurityIdentification SecurityImpersonationLevel = 1
+	SecurityImpersonation  SecurityImpersonationLevel = 2
+	SecurityDelegation     SecurityImpersonationLevel = 3
+)
diff --git a/vendor/github.com/Microsoft/go-winio/internal/fs/zsyscall_windows.go b/vendor/github.com/Microsoft/go-winio/internal/fs/zsyscall_windows.go
new file mode 100644
index 0000000000..e2f7bb24e5
--- /dev/null
+++ b/vendor/github.com/Microsoft/go-winio/internal/fs/zsyscall_windows.go
@@ -0,0 +1,64 @@
+//go:build windows
+
+// Code generated by 'go generate' using "github.com/Microsoft/go-winio/tools/mkwinsyscall"; DO NOT EDIT.
+
+package fs
+
+import (
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+var _ unsafe.Pointer
+
+// Do the interface allocations only once for common
+// Errno values.
+const (
+	errnoERROR_IO_PENDING = 997
+)
+
+var (
+	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
+	errERROR_EINVAL     error = syscall.EINVAL
+)
+
+// errnoErr returns common boxed Errno values, to prevent
+// allocations at runtime.
+func errnoErr(e syscall.Errno) error {
+	switch e {
+	case 0:
+		return errERROR_EINVAL
+	case errnoERROR_IO_PENDING:
+		return errERROR_IO_PENDING
+	}
+	// TODO: add more here, after collecting data on the common
+	// error values see on Windows. (perhaps when running
+	// all.bat?)
+	return e
+}
+
+var (
+	modkernel32 = windows.NewLazySystemDLL("kernel32.dll")
+
+	procCreateFileW = modkernel32.NewProc("CreateFileW")
+)
+
+func CreateFile(name string, access AccessMask, mode FileShareMode, sa *syscall.SecurityAttributes, createmode FileCreationDisposition, attrs FileFlagOrAttribute, templatefile windows.Handle) (handle windows.Handle, err error) {
+	var _p0 *uint16
+	_p0, err = syscall.UTF16PtrFromString(name)
+	if err != nil {
+		return
+	}
+	return _CreateFile(_p0, access, mode, sa, createmode, attrs, templatefile)
+}
+
+func _CreateFile(name *uint16, access AccessMask, mode FileShareMode, sa *syscall.SecurityAttributes, createmode FileCreationDisposition, attrs FileFlagOrAttribute, templatefile windows.Handle) (handle windows.Handle, err error) {
+	r0, _, e1 := syscall.Syscall9(procCreateFileW.Addr(), 7, uintptr(unsafe.Pointer(name)), uintptr(access), uintptr(mode), uintptr(unsafe.Pointer(sa)), uintptr(createmode), uintptr(attrs), uintptr(templatefile), 0, 0)
+	handle = windows.Handle(r0)
+	if handle == windows.InvalidHandle {
+		err = errnoErr(e1)
+	}
+	return
+}
diff --git a/vendor/github.com/Microsoft/go-winio/internal/socket/socket.go b/vendor/github.com/Microsoft/go-winio/internal/socket/socket.go
index 39e8c05f8f..aeb7b7250f 100644
--- a/vendor/github.com/Microsoft/go-winio/internal/socket/socket.go
+++ b/vendor/github.com/Microsoft/go-winio/internal/socket/socket.go
@@ -100,8 +100,8 @@ func (f *runtimeFunc) Load() error {
 			(*byte)(unsafe.Pointer(&f.addr)),
 			uint32(unsafe.Sizeof(f.addr)),
 			&n,
-			nil, //overlapped
-			0,   //completionRoutine
+			nil, // overlapped
+			0,   // completionRoutine
 		)
 	})
 	return f.err
diff --git a/vendor/github.com/Microsoft/go-winio/internal/stringbuffer/wstring.go b/vendor/github.com/Microsoft/go-winio/internal/stringbuffer/wstring.go
new file mode 100644
index 0000000000..7ad5057024
--- /dev/null
+++ b/vendor/github.com/Microsoft/go-winio/internal/stringbuffer/wstring.go
@@ -0,0 +1,132 @@
+package stringbuffer
+
+import (
+	"sync"
+	"unicode/utf16"
+)
+
+// TODO: worth exporting and using in mkwinsyscall?
+
+// Uint16BufferSize is the buffer size in the pool, chosen somewhat arbitrarily to accommodate
+// large path strings:
+// MAX_PATH (260) + size of volume GUID prefix (49) + null terminator = 310.
+const MinWStringCap = 310
+
+// use *[]uint16 since []uint16 creates an extra allocation where the slice header
+// is copied to heap and then referenced via pointer in the interface header that sync.Pool
+// stores.
+var pathPool = sync.Pool{ // if go1.18+ adds Pool[T], use that to store []uint16 directly
+	New: func() interface{} {
+		b := make([]uint16, MinWStringCap)
+		return &b
+	},
+}
+
+func newBuffer() []uint16 { return *(pathPool.Get().(*[]uint16)) }
+
+// freeBuffer copies the slice header data, and puts a pointer to that in the pool.
+// This avoids taking a pointer to the slice header in WString, which can be set to nil.
+func freeBuffer(b []uint16) { pathPool.Put(&b) }
+
+// WString is a wide string buffer ([]uint16) meant for storing UTF-16 encoded strings
+// for interacting with Win32 APIs.
+// Sizes are specified as uint32 and not int.
+//
+// It is not thread safe.
+type WString struct {
+	// type-def allows casting to []uint16 directly, use struct to prevent that and allow adding fields in the future.
+
+	// raw buffer
+	b []uint16
+}
+
+// NewWString returns a [WString] allocated from a shared pool with an
+// initial capacity of at least [MinWStringCap].
+// Since the buffer may have been previously used, its contents are not guaranteed to be empty.
+//
+// The buffer should be freed via [WString.Free]
+func NewWString() *WString {
+	return &WString{
+		b: newBuffer(),
+	}
+}
+
+func (b *WString) Free() {
+	if b.empty() {
+		return
+	}
+	freeBuffer(b.b)
+	b.b = nil
+}
+
+// ResizeTo grows the buffer to at least c and returns the new capacity, freeing the
+// previous buffer back into pool.
+func (b *WString) ResizeTo(c uint32) uint32 {
+	// allready sufficient (or n is 0)
+	if c <= b.Cap() {
+		return b.Cap()
+	}
+
+	if c <= MinWStringCap {
+		c = MinWStringCap
+	}
+	// allocate at-least double buffer size, as is done in [bytes.Buffer] and other places
+	if c <= 2*b.Cap() {
+		c = 2 * b.Cap()
+	}
+
+	b2 := make([]uint16, c)
+	if !b.empty() {
+		copy(b2, b.b)
+		freeBuffer(b.b)
+	}
+	b.b = b2
+	return c
+}
+
+// Buffer returns the underlying []uint16 buffer.
+func (b *WString) Buffer() []uint16 {
+	if b.empty() {
+		return nil
+	}
+	return b.b
+}
+
+// Pointer returns a pointer to the first uint16 in the buffer.
+// If the [WString.Free] has already been called, the pointer will be nil.
+func (b *WString) Pointer() *uint16 {
+	if b.empty() {
+		return nil
+	}
+	return &b.b[0]
+}
+
+// String returns the returns the UTF-8 encoding of the UTF-16 string in the buffer.
+//
+// It assumes that the data is null-terminated.
+func (b *WString) String() string {
+	// Using [windows.UTF16ToString] would require importing "golang.org/x/sys/windows"
+	// and would make this code Windows-only, which makes no sense.
+	// So copy UTF16ToString code into here.
+	// If other windows-specific code is added, switch to [windows.UTF16ToString]
+
+	s := b.b
+	for i, v := range s {
+		if v == 0 {
+			s = s[:i]
+			break
+		}
+	}
+	return string(utf16.Decode(s))
+}
+
+// Cap returns the underlying buffer capacity.
+func (b *WString) Cap() uint32 {
+	if b.empty() {
+		return 0
+	}
+	return b.cap()
+}
+
+func (b *WString) cap() uint32 { return uint32(cap(b.b)) }
+func (b *WString) empty() bool { return b == nil || b.cap() == 0 }
diff --git a/vendor/github.com/Microsoft/go-winio/pipe.go b/vendor/github.com/Microsoft/go-winio/pipe.go
index ca6e38fc00..25cc811031 100644
--- a/vendor/github.com/Microsoft/go-winio/pipe.go
+++ b/vendor/github.com/Microsoft/go-winio/pipe.go
@@ -16,11 +16,12 @@ import (
 	"unsafe"
 
 	"golang.org/x/sys/windows"
+
+	"github.com/Microsoft/go-winio/internal/fs"
 )
 
 //sys connectNamedPipe(pipe syscall.Handle, o *syscall.Overlapped) (err error) = ConnectNamedPipe
 //sys createNamedPipe(name string, flags uint32, pipeMode uint32, maxInstances uint32, outSize uint32, inSize uint32, defaultTimeout uint32, sa *syscall.SecurityAttributes) (handle syscall.Handle, err error)  [failretval==syscall.InvalidHandle] = CreateNamedPipeW
-//sys createFile(name string, access uint32, mode uint32, sa *syscall.SecurityAttributes, createmode uint32, attrs uint32, templatefile syscall.Handle) (handle syscall.Handle, err error) [failretval==syscall.InvalidHandle] = CreateFileW
 //sys getNamedPipeInfo(pipe syscall.Handle, flags *uint32, outSize *uint32, inSize *uint32, maxInstances *uint32) (err error) = GetNamedPipeInfo
 //sys getNamedPipeHandleState(pipe syscall.Handle, state *uint32, curInstances *uint32, maxCollectionCount *uint32, collectDataTimeout *uint32, userName *uint16, maxUserNameSize uint32) (err error) = GetNamedPipeHandleStateW
 //sys localAlloc(uFlags uint32, length uint32) (ptr uintptr) = LocalAlloc
@@ -163,19 +164,21 @@ func (s pipeAddress) String() string {
 }
 
 // tryDialPipe attempts to dial the pipe at `path` until `ctx` cancellation or timeout.
-func tryDialPipe(ctx context.Context, path *string, access uint32) (syscall.Handle, error) {
+func tryDialPipe(ctx context.Context, path *string, access fs.AccessMask) (syscall.Handle, error) {
 	for {
 		select {
 		case <-ctx.Done():
 			return syscall.Handle(0), ctx.Err()
 		default:
-			h, err := createFile(*path,
+			wh, err := fs.CreateFile(*path,
 				access,
-				0,
-				nil,
-				syscall.OPEN_EXISTING,
-				windows.FILE_FLAG_OVERLAPPED|windows.SECURITY_SQOS_PRESENT|windows.SECURITY_ANONYMOUS,
-				0)
+				0,   // mode
+				nil, // security attributes
+				fs.OPEN_EXISTING,
+				fs.FILE_FLAG_OVERLAPPED|fs.SECURITY_SQOS_PRESENT|fs.SECURITY_ANONYMOUS,
+				0, // template file handle
+			)
+			h := syscall.Handle(wh)
 			if err == nil {
 				return h, nil
 			}
@@ -219,7 +222,7 @@ func DialPipeContext(ctx context.Context, path string) (net.Conn, error) {
 func DialPipeAccess(ctx context.Context, path string, access uint32) (net.Conn, error) {
 	var err error
 	var h syscall.Handle
-	h, err = tryDialPipe(ctx, &path, access)
+	h, err = tryDialPipe(ctx, &path, fs.AccessMask(access))
 	if err != nil {
 		return nil, err
 	}
@@ -279,6 +282,7 @@ func makeServerPipeHandle(path string, sd []byte, c *PipeConfig, first bool) (sy
 	}
 	defer localFree(ntPath.Buffer)
 	oa.ObjectName = &ntPath
+	oa.Attributes = windows.OBJ_CASE_INSENSITIVE
 
 	// The security descriptor is only needed for the first pipe.
 	if first {
diff --git a/vendor/github.com/Microsoft/go-winio/zsyscall_windows.go b/vendor/github.com/Microsoft/go-winio/zsyscall_windows.go
index 83f45a1351..469b16f639 100644
--- a/vendor/github.com/Microsoft/go-winio/zsyscall_windows.go
+++ b/vendor/github.com/Microsoft/go-winio/zsyscall_windows.go
@@ -63,7 +63,6 @@ var (
 	procBackupWrite                                          = modkernel32.NewProc("BackupWrite")
 	procCancelIoEx                                           = modkernel32.NewProc("CancelIoEx")
 	procConnectNamedPipe                                     = modkernel32.NewProc("ConnectNamedPipe")
-	procCreateFileW                                          = modkernel32.NewProc("CreateFileW")
 	procCreateIoCompletionPort                               = modkernel32.NewProc("CreateIoCompletionPort")
 	procCreateNamedPipeW                                     = modkernel32.NewProc("CreateNamedPipeW")
 	procGetCurrentThread                                     = modkernel32.NewProc("GetCurrentThread")
@@ -305,24 +304,6 @@ func connectNamedPipe(pipe syscall.Handle, o *syscall.Overlapped) (err error) {
 	return
 }
 
-func createFile(name string, access uint32, mode uint32, sa *syscall.SecurityAttributes, createmode uint32, attrs uint32, templatefile syscall.Handle) (handle syscall.Handle, err error) {
-	var _p0 *uint16
-	_p0, err = syscall.UTF16PtrFromString(name)
-	if err != nil {
-		return
-	}
-	return _createFile(_p0, access, mode, sa, createmode, attrs, templatefile)
-}
-
-func _createFile(name *uint16, access uint32, mode uint32, sa *syscall.SecurityAttributes, createmode uint32, attrs uint32, templatefile syscall.Handle) (handle syscall.Handle, err error) {
-	r0, _, e1 := syscall.Syscall9(procCreateFileW.Addr(), 7, uintptr(unsafe.Pointer(name)), uintptr(access), uintptr(mode), uintptr(unsafe.Pointer(sa)), uintptr(createmode), uintptr(attrs), uintptr(templatefile), 0, 0)
-	handle = syscall.Handle(r0)
-	if handle == syscall.InvalidHandle {
-		err = errnoErr(e1)
-	}
-	return
-}
-
 func createIoCompletionPort(file syscall.Handle, port syscall.Handle, key uintptr, threadCount uint32) (newport syscall.Handle, err error) {
 	r0, _, e1 := syscall.Syscall6(procCreateIoCompletionPort.Addr(), 4, uintptr(file), uintptr(port), uintptr(key), uintptr(threadCount), 0, 0)
 	newport = syscall.Handle(r0)
diff --git a/vendor/github.com/golang/mock/AUTHORS b/vendor/github.com/golang/mock/AUTHORS
new file mode 100644
index 0000000000..660b8ccc8a
--- /dev/null
+++ b/vendor/github.com/golang/mock/AUTHORS
@@ -0,0 +1,12 @@
+# This is the official list of GoMock authors for copyright purposes.
+# This file is distinct from the CONTRIBUTORS files.
+# See the latter for an explanation.
+
+# Names should be added to this file as
+#	Name or Organization <email address>
+# The email address is not required for organizations.
+
+# Please keep the list sorted.
+
+Alex Reece <awreece@gmail.com>
+Google Inc.
diff --git a/vendor/github.com/golang/mock/CONTRIBUTORS b/vendor/github.com/golang/mock/CONTRIBUTORS
new file mode 100644
index 0000000000..def849cab1
--- /dev/null
+++ b/vendor/github.com/golang/mock/CONTRIBUTORS
@@ -0,0 +1,37 @@
+# This is the official list of people who can contribute (and typically
+# have contributed) code to the gomock repository.
+# The AUTHORS file lists the copyright holders; this file
+# lists people.  For example, Google employees are listed here
+# but not in AUTHORS, because Google holds the copyright.
+#
+# The submission process automatically checks to make sure
+# that people submitting code are listed in this file (by email address).
+#
+# Names should be added to this file only after verifying that
+# the individual or the individual's organization has agreed to
+# the appropriate Contributor License Agreement, found here:
+#
+#     http://code.google.com/legal/individual-cla-v1.0.html
+#     http://code.google.com/legal/corporate-cla-v1.0.html
+#
+# The agreement for individuals can be filled out on the web.
+#
+# When adding J Random Contributor's name to this file,
+# either J's name or J's organization's name should be
+# added to the AUTHORS file, depending on whether the
+# individual or corporate CLA was used.
+
+# Names should be added to this file like so:
+#     Name <email address>
+#
+# An entry with two email addresses specifies that the
+# first address should be used in the submit logs and
+# that the second address should be recognized as the
+# same person when interacting with Rietveld.
+
+# Please keep the list sorted.
+
+Aaron Jacobs <jacobsa@google.com> <aaronjjacobs@gmail.com>
+Alex Reece <awreece@gmail.com>
+David Symonds <dsymonds@golang.org>
+Ryan Barrett <ryanb@google.com>
diff --git a/vendor/github.com/golang/mock/LICENSE b/vendor/github.com/golang/mock/LICENSE
new file mode 100644
index 0000000000..d645695673
--- /dev/null
+++ b/vendor/github.com/golang/mock/LICENSE
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/golang/mock/gomock/call.go b/vendor/github.com/golang/mock/gomock/call.go
new file mode 100644
index 0000000000..13c9f44b1e
--- /dev/null
+++ b/vendor/github.com/golang/mock/gomock/call.go
@@ -0,0 +1,445 @@
+// Copyright 2010 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package gomock
+
+import (
+	"fmt"
+	"reflect"
+	"strconv"
+	"strings"
+)
+
+// Call represents an expected call to a mock.
+type Call struct {
+	t TestHelper // for triggering test failures on invalid call setup
+
+	receiver   interface{}  // the receiver of the method call
+	method     string       // the name of the method
+	methodType reflect.Type // the type of the method
+	args       []Matcher    // the args
+	origin     string       // file and line number of call setup
+
+	preReqs []*Call // prerequisite calls
+
+	// Expectations
+	minCalls, maxCalls int
+
+	numCalls int // actual number made
+
+	// actions are called when this Call is called. Each action gets the args and
+	// can set the return values by returning a non-nil slice. Actions run in the
+	// order they are created.
+	actions []func([]interface{}) []interface{}
+}
+
+// newCall creates a *Call. It requires the method type in order to support
+// unexported methods.
+func newCall(t TestHelper, receiver interface{}, method string, methodType reflect.Type, args ...interface{}) *Call {
+	t.Helper()
+
+	// TODO: check arity, types.
+	mArgs := make([]Matcher, len(args))
+	for i, arg := range args {
+		if m, ok := arg.(Matcher); ok {
+			mArgs[i] = m
+		} else if arg == nil {
+			// Handle nil specially so that passing a nil interface value
+			// will match the typed nils of concrete args.
+			mArgs[i] = Nil()
+		} else {
+			mArgs[i] = Eq(arg)
+		}
+	}
+
+	// callerInfo's skip should be updated if the number of calls between the user's test
+	// and this line changes, i.e. this code is wrapped in another anonymous function.
+	// 0 is us, 1 is RecordCallWithMethodType(), 2 is the generated recorder, and 3 is the user's test.
+	origin := callerInfo(3)
+	actions := []func([]interface{}) []interface{}{func([]interface{}) []interface{} {
+		// Synthesize the zero value for each of the return args' types.
+		rets := make([]interface{}, methodType.NumOut())
+		for i := 0; i < methodType.NumOut(); i++ {
+			rets[i] = reflect.Zero(methodType.Out(i)).Interface()
+		}
+		return rets
+	}}
+	return &Call{t: t, receiver: receiver, method: method, methodType: methodType,
+		args: mArgs, origin: origin, minCalls: 1, maxCalls: 1, actions: actions}
+}
+
+// AnyTimes allows the expectation to be called 0 or more times
+func (c *Call) AnyTimes() *Call {
+	c.minCalls, c.maxCalls = 0, 1e8 // close enough to infinity
+	return c
+}
+
+// MinTimes requires the call to occur at least n times. If AnyTimes or MaxTimes have not been called or if MaxTimes
+// was previously called with 1, MinTimes also sets the maximum number of calls to infinity.
+func (c *Call) MinTimes(n int) *Call {
+	c.minCalls = n
+	if c.maxCalls == 1 {
+		c.maxCalls = 1e8
+	}
+	return c
+}
+
+// MaxTimes limits the number of calls to n times. If AnyTimes or MinTimes have not been called or if MinTimes was
+// previously called with 1, MaxTimes also sets the minimum number of calls to 0.
+func (c *Call) MaxTimes(n int) *Call {
+	c.maxCalls = n
+	if c.minCalls == 1 {
+		c.minCalls = 0
+	}
+	return c
+}
+
+// DoAndReturn declares the action to run when the call is matched.
+// The return values from this function are returned by the mocked function.
+// It takes an interface{} argument to support n-arity functions.
+func (c *Call) DoAndReturn(f interface{}) *Call {
+	// TODO: Check arity and types here, rather than dying badly elsewhere.
+	v := reflect.ValueOf(f)
+
+	c.addAction(func(args []interface{}) []interface{} {
+		c.t.Helper()
+		vArgs := make([]reflect.Value, len(args))
+		ft := v.Type()
+		if c.methodType.NumIn() != ft.NumIn() {
+			c.t.Fatalf("wrong number of arguments in DoAndReturn func for %T.%v: got %d, want %d [%s]",
+				c.receiver, c.method, ft.NumIn(), c.methodType.NumIn(), c.origin)
+			return nil
+		}
+		for i := 0; i < len(args); i++ {
+			if args[i] != nil {
+				vArgs[i] = reflect.ValueOf(args[i])
+			} else {
+				// Use the zero value for the arg.
+				vArgs[i] = reflect.Zero(ft.In(i))
+			}
+		}
+		vRets := v.Call(vArgs)
+		rets := make([]interface{}, len(vRets))
+		for i, ret := range vRets {
+			rets[i] = ret.Interface()
+		}
+		return rets
+	})
+	return c
+}
+
+// Do declares the action to run when the call is matched. The function's
+// return values are ignored to retain backward compatibility. To use the
+// return values call DoAndReturn.
+// It takes an interface{} argument to support n-arity functions.
+func (c *Call) Do(f interface{}) *Call {
+	// TODO: Check arity and types here, rather than dying badly elsewhere.
+	v := reflect.ValueOf(f)
+
+	c.addAction(func(args []interface{}) []interface{} {
+		c.t.Helper()
+		if c.methodType.NumIn() != v.Type().NumIn() {
+			c.t.Fatalf("wrong number of arguments in Do func for %T.%v: got %d, want %d [%s]",
+				c.receiver, c.method, v.Type().NumIn(), c.methodType.NumIn(), c.origin)
+			return nil
+		}
+		vArgs := make([]reflect.Value, len(args))
+		ft := v.Type()
+		for i := 0; i < len(args); i++ {
+			if args[i] != nil {
+				vArgs[i] = reflect.ValueOf(args[i])
+			} else {
+				// Use the zero value for the arg.
+				vArgs[i] = reflect.Zero(ft.In(i))
+			}
+		}
+		v.Call(vArgs)
+		return nil
+	})
+	return c
+}
+
+// Return declares the values to be returned by the mocked function call.
+func (c *Call) Return(rets ...interface{}) *Call {
+	c.t.Helper()
+
+	mt := c.methodType
+	if len(rets) != mt.NumOut() {
+		c.t.Fatalf("wrong number of arguments to Return for %T.%v: got %d, want %d [%s]",
+			c.receiver, c.method, len(rets), mt.NumOut(), c.origin)
+	}
+	for i, ret := range rets {
+		if got, want := reflect.TypeOf(ret), mt.Out(i); got == want {
+			// Identical types; nothing to do.
+		} else if got == nil {
+			// Nil needs special handling.
+			switch want.Kind() {
+			case reflect.Chan, reflect.Func, reflect.Interface, reflect.Map, reflect.Ptr, reflect.Slice:
+				// ok
+			default:
+				c.t.Fatalf("argument %d to Return for %T.%v is nil, but %v is not nillable [%s]",
+					i, c.receiver, c.method, want, c.origin)
+			}
+		} else if got.AssignableTo(want) {
+			// Assignable type relation. Make the assignment now so that the generated code
+			// can return the values with a type assertion.
+			v := reflect.New(want).Elem()
+			v.Set(reflect.ValueOf(ret))
+			rets[i] = v.Interface()
+		} else {
+			c.t.Fatalf("wrong type of argument %d to Return for %T.%v: %v is not assignable to %v [%s]",
+				i, c.receiver, c.method, got, want, c.origin)
+		}
+	}
+
+	c.addAction(func([]interface{}) []interface{} {
+		return rets
+	})
+
+	return c
+}
+
+// Times declares the exact number of times a function call is expected to be executed.
+func (c *Call) Times(n int) *Call {
+	c.minCalls, c.maxCalls = n, n
+	return c
+}
+
+// SetArg declares an action that will set the nth argument's value,
+// indirected through a pointer. Or, in the case of a slice, SetArg
+// will copy value's elements into the nth argument.
+func (c *Call) SetArg(n int, value interface{}) *Call {
+	c.t.Helper()
+
+	mt := c.methodType
+	// TODO: This will break on variadic methods.
+	// We will need to check those at invocation time.
+	if n < 0 || n >= mt.NumIn() {
+		c.t.Fatalf("SetArg(%d, ...) called for a method with %d args [%s]",
+			n, mt.NumIn(), c.origin)
+	}
+	// Permit setting argument through an interface.
+	// In the interface case, we don't (nay, can't) check the type here.
+	at := mt.In(n)
+	switch at.Kind() {
+	case reflect.Ptr:
+		dt := at.Elem()
+		if vt := reflect.TypeOf(value); !vt.AssignableTo(dt) {
+			c.t.Fatalf("SetArg(%d, ...) argument is a %v, not assignable to %v [%s]",
+				n, vt, dt, c.origin)
+		}
+	case reflect.Interface:
+		// nothing to do
+	case reflect.Slice:
+		// nothing to do
+	default:
+		c.t.Fatalf("SetArg(%d, ...) referring to argument of non-pointer non-interface non-slice type %v [%s]",
+			n, at, c.origin)
+	}
+
+	c.addAction(func(args []interface{}) []interface{} {
+		v := reflect.ValueOf(value)
+		switch reflect.TypeOf(args[n]).Kind() {
+		case reflect.Slice:
+			setSlice(args[n], v)
+		default:
+			reflect.ValueOf(args[n]).Elem().Set(v)
+		}
+		return nil
+	})
+	return c
+}
+
+// isPreReq returns true if other is a direct or indirect prerequisite to c.
+func (c *Call) isPreReq(other *Call) bool {
+	for _, preReq := range c.preReqs {
+		if other == preReq || preReq.isPreReq(other) {
+			return true
+		}
+	}
+	return false
+}
+
+// After declares that the call may only match after preReq has been exhausted.
+func (c *Call) After(preReq *Call) *Call {
+	c.t.Helper()
+
+	if c == preReq {
+		c.t.Fatalf("A call isn't allowed to be its own prerequisite")
+	}
+	if preReq.isPreReq(c) {
+		c.t.Fatalf("Loop in call order: %v is a prerequisite to %v (possibly indirectly).", c, preReq)
+	}
+
+	c.preReqs = append(c.preReqs, preReq)
+	return c
+}
+
+// Returns true if the minimum number of calls have been made.
+func (c *Call) satisfied() bool {
+	return c.numCalls >= c.minCalls
+}
+
+// Returns true if the maximum number of calls have been made.
+func (c *Call) exhausted() bool {
+	return c.numCalls >= c.maxCalls
+}
+
+func (c *Call) String() string {
+	args := make([]string, len(c.args))
+	for i, arg := range c.args {
+		args[i] = arg.String()
+	}
+	arguments := strings.Join(args, ", ")
+	return fmt.Sprintf("%T.%v(%s) %s", c.receiver, c.method, arguments, c.origin)
+}
+
+// Tests if the given call matches the expected call.
+// If yes, returns nil. If no, returns error with message explaining why it does not match.
+func (c *Call) matches(args []interface{}) error {
+	if !c.methodType.IsVariadic() {
+		if len(args) != len(c.args) {
+			return fmt.Errorf("expected call at %s has the wrong number of arguments. Got: %d, want: %d",
+				c.origin, len(args), len(c.args))
+		}
+
+		for i, m := range c.args {
+			if !m.Matches(args[i]) {
+				return fmt.Errorf(
+					"expected call at %s doesn't match the argument at index %d.\nGot: %v\nWant: %v",
+					c.origin, i, formatGottenArg(m, args[i]), m,
+				)
+			}
+		}
+	} else {
+		if len(c.args) < c.methodType.NumIn()-1 {
+			return fmt.Errorf("expected call at %s has the wrong number of matchers. Got: %d, want: %d",
+				c.origin, len(c.args), c.methodType.NumIn()-1)
+		}
+		if len(c.args) != c.methodType.NumIn() && len(args) != len(c.args) {
+			return fmt.Errorf("expected call at %s has the wrong number of arguments. Got: %d, want: %d",
+				c.origin, len(args), len(c.args))
+		}
+		if len(args) < len(c.args)-1 {
+			return fmt.Errorf("expected call at %s has the wrong number of arguments. Got: %d, want: greater than or equal to %d",
+				c.origin, len(args), len(c.args)-1)
+		}
+
+		for i, m := range c.args {
+			if i < c.methodType.NumIn()-1 {
+				// Non-variadic args
+				if !m.Matches(args[i]) {
+					return fmt.Errorf("expected call at %s doesn't match the argument at index %s.\nGot: %v\nWant: %v",
+						c.origin, strconv.Itoa(i), formatGottenArg(m, args[i]), m)
+				}
+				continue
+			}
+			// The last arg has a possibility of a variadic argument, so let it branch
+
+			// sample: Foo(a int, b int, c ...int)
+			if i < len(c.args) && i < len(args) {
+				if m.Matches(args[i]) {
+					// Got Foo(a, b, c) want Foo(matcherA, matcherB, gomock.Any())
+					// Got Foo(a, b, c) want Foo(matcherA, matcherB, someSliceMatcher)
+					// Got Foo(a, b, c) want Foo(matcherA, matcherB, matcherC)
+					// Got Foo(a, b) want Foo(matcherA, matcherB)
+					// Got Foo(a, b, c, d) want Foo(matcherA, matcherB, matcherC, matcherD)
+					continue
+				}
+			}
+
+			// The number of actual args don't match the number of matchers,
+			// or the last matcher is a slice and the last arg is not.
+			// If this function still matches it is because the last matcher
+			// matches all the remaining arguments or the lack of any.
+			// Convert the remaining arguments, if any, into a slice of the
+			// expected type.
+			vArgsType := c.methodType.In(c.methodType.NumIn() - 1)
+			vArgs := reflect.MakeSlice(vArgsType, 0, len(args)-i)
+			for _, arg := range args[i:] {
+				vArgs = reflect.Append(vArgs, reflect.ValueOf(arg))
+			}
+			if m.Matches(vArgs.Interface()) {
+				// Got Foo(a, b, c, d, e) want Foo(matcherA, matcherB, gomock.Any())
+				// Got Foo(a, b, c, d, e) want Foo(matcherA, matcherB, someSliceMatcher)
+				// Got Foo(a, b) want Foo(matcherA, matcherB, gomock.Any())
+				// Got Foo(a, b) want Foo(matcherA, matcherB, someEmptySliceMatcher)
+				break
+			}
+			// Wrong number of matchers or not match. Fail.
+			// Got Foo(a, b) want Foo(matcherA, matcherB, matcherC, matcherD)
+			// Got Foo(a, b, c) want Foo(matcherA, matcherB, matcherC, matcherD)
+			// Got Foo(a, b, c, d) want Foo(matcherA, matcherB, matcherC, matcherD, matcherE)
+			// Got Foo(a, b, c, d, e) want Foo(matcherA, matcherB, matcherC, matcherD)
+			// Got Foo(a, b, c) want Foo(matcherA, matcherB)
+
+			return fmt.Errorf("expected call at %s doesn't match the argument at index %s.\nGot: %v\nWant: %v",
+				c.origin, strconv.Itoa(i), formatGottenArg(m, args[i:]), c.args[i])
+		}
+	}
+
+	// Check that all prerequisite calls have been satisfied.
+	for _, preReqCall := range c.preReqs {
+		if !preReqCall.satisfied() {
+			return fmt.Errorf("expected call at %s doesn't have a prerequisite call satisfied:\n%v\nshould be called before:\n%v",
+				c.origin, preReqCall, c)
+		}
+	}
+
+	// Check that the call is not exhausted.
+	if c.exhausted() {
+		return fmt.Errorf("expected call at %s has already been called the max number of times", c.origin)
+	}
+
+	return nil
+}
+
+// dropPrereqs tells the expected Call to not re-check prerequisite calls any
+// longer, and to return its current set.
+func (c *Call) dropPrereqs() (preReqs []*Call) {
+	preReqs = c.preReqs
+	c.preReqs = nil
+	return
+}
+
+func (c *Call) call() []func([]interface{}) []interface{} {
+	c.numCalls++
+	return c.actions
+}
+
+// InOrder declares that the given calls should occur in order.
+func InOrder(calls ...*Call) {
+	for i := 1; i < len(calls); i++ {
+		calls[i].After(calls[i-1])
+	}
+}
+
+func setSlice(arg interface{}, v reflect.Value) {
+	va := reflect.ValueOf(arg)
+	for i := 0; i < v.Len(); i++ {
+		va.Index(i).Set(v.Index(i))
+	}
+}
+
+func (c *Call) addAction(action func([]interface{}) []interface{}) {
+	c.actions = append(c.actions, action)
+}
+
+func formatGottenArg(m Matcher, arg interface{}) string {
+	got := fmt.Sprintf("%v (%T)", arg, arg)
+	if gs, ok := m.(GotFormatter); ok {
+		got = gs.Got(arg)
+	}
+	return got
+}
diff --git a/vendor/github.com/golang/mock/gomock/callset.go b/vendor/github.com/golang/mock/gomock/callset.go
new file mode 100644
index 0000000000..49dba787a4
--- /dev/null
+++ b/vendor/github.com/golang/mock/gomock/callset.go
@@ -0,0 +1,113 @@
+// Copyright 2011 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package gomock
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+)
+
+// callSet represents a set of expected calls, indexed by receiver and method
+// name.
+type callSet struct {
+	// Calls that are still expected.
+	expected map[callSetKey][]*Call
+	// Calls that have been exhausted.
+	exhausted map[callSetKey][]*Call
+}
+
+// callSetKey is the key in the maps in callSet
+type callSetKey struct {
+	receiver interface{}
+	fname    string
+}
+
+func newCallSet() *callSet {
+	return &callSet{make(map[callSetKey][]*Call), make(map[callSetKey][]*Call)}
+}
+
+// Add adds a new expected call.
+func (cs callSet) Add(call *Call) {
+	key := callSetKey{call.receiver, call.method}
+	m := cs.expected
+	if call.exhausted() {
+		m = cs.exhausted
+	}
+	m[key] = append(m[key], call)
+}
+
+// Remove removes an expected call.
+func (cs callSet) Remove(call *Call) {
+	key := callSetKey{call.receiver, call.method}
+	calls := cs.expected[key]
+	for i, c := range calls {
+		if c == call {
+			// maintain order for remaining calls
+			cs.expected[key] = append(calls[:i], calls[i+1:]...)
+			cs.exhausted[key] = append(cs.exhausted[key], call)
+			break
+		}
+	}
+}
+
+// FindMatch searches for a matching call. Returns error with explanation message if no call matched.
+func (cs callSet) FindMatch(receiver interface{}, method string, args []interface{}) (*Call, error) {
+	key := callSetKey{receiver, method}
+
+	// Search through the expected calls.
+	expected := cs.expected[key]
+	var callsErrors bytes.Buffer
+	for _, call := range expected {
+		err := call.matches(args)
+		if err != nil {
+			_, _ = fmt.Fprintf(&callsErrors, "\n%v", err)
+		} else {
+			return call, nil
+		}
+	}
+
+	// If we haven't found a match then search through the exhausted calls so we
+	// get useful error messages.
+	exhausted := cs.exhausted[key]
+	for _, call := range exhausted {
+		if err := call.matches(args); err != nil {
+			_, _ = fmt.Fprintf(&callsErrors, "\n%v", err)
+			continue
+		}
+		_, _ = fmt.Fprintf(
+			&callsErrors, "all expected calls for method %q have been exhausted", method,
+		)
+	}
+
+	if len(expected)+len(exhausted) == 0 {
+		_, _ = fmt.Fprintf(&callsErrors, "there are no expected calls of the method %q for that receiver", method)
+	}
+
+	return nil, errors.New(callsErrors.String())
+}
+
+// Failures returns the calls that are not satisfied.
+func (cs callSet) Failures() []*Call {
+	failures := make([]*Call, 0, len(cs.expected))
+	for _, calls := range cs.expected {
+		for _, call := range calls {
+			if !call.satisfied() {
+				failures = append(failures, call)
+			}
+		}
+	}
+	return failures
+}
diff --git a/vendor/github.com/golang/mock/gomock/controller.go b/vendor/github.com/golang/mock/gomock/controller.go
new file mode 100644
index 0000000000..f054200d56
--- /dev/null
+++ b/vendor/github.com/golang/mock/gomock/controller.go
@@ -0,0 +1,336 @@
+// Copyright 2010 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package gomock is a mock framework for Go.
+//
+// Standard usage:
+//   (1) Define an interface that you wish to mock.
+//         type MyInterface interface {
+//           SomeMethod(x int64, y string)
+//         }
+//   (2) Use mockgen to generate a mock from the interface.
+//   (3) Use the mock in a test:
+//         func TestMyThing(t *testing.T) {
+//           mockCtrl := gomock.NewController(t)
+//           defer mockCtrl.Finish()
+//
+//           mockObj := something.NewMockMyInterface(mockCtrl)
+//           mockObj.EXPECT().SomeMethod(4, "blah")
+//           // pass mockObj to a real object and play with it.
+//         }
+//
+// By default, expected calls are not enforced to run in any particular order.
+// Call order dependency can be enforced by use of InOrder and/or Call.After.
+// Call.After can create more varied call order dependencies, but InOrder is
+// often more convenient.
+//
+// The following examples create equivalent call order dependencies.
+//
+// Example of using Call.After to chain expected call order:
+//
+//     firstCall := mockObj.EXPECT().SomeMethod(1, "first")
+//     secondCall := mockObj.EXPECT().SomeMethod(2, "second").After(firstCall)
+//     mockObj.EXPECT().SomeMethod(3, "third").After(secondCall)
+//
+// Example of using InOrder to declare expected call order:
+//
+//     gomock.InOrder(
+//         mockObj.EXPECT().SomeMethod(1, "first"),
+//         mockObj.EXPECT().SomeMethod(2, "second"),
+//         mockObj.EXPECT().SomeMethod(3, "third"),
+//     )
+package gomock
+
+import (
+	"context"
+	"fmt"
+	"reflect"
+	"runtime"
+	"sync"
+)
+
+// A TestReporter is something that can be used to report test failures.  It
+// is satisfied by the standard library's *testing.T.
+type TestReporter interface {
+	Errorf(format string, args ...interface{})
+	Fatalf(format string, args ...interface{})
+}
+
+// TestHelper is a TestReporter that has the Helper method.  It is satisfied
+// by the standard library's *testing.T.
+type TestHelper interface {
+	TestReporter
+	Helper()
+}
+
+// cleanuper is used to check if TestHelper also has the `Cleanup` method. A
+// common pattern is to pass in a `*testing.T` to
+// `NewController(t TestReporter)`. In Go 1.14+, `*testing.T` has a cleanup
+// method. This can be utilized to call `Finish()` so the caller of this library
+// does not have to.
+type cleanuper interface {
+	Cleanup(func())
+}
+
+// A Controller represents the top-level control of a mock ecosystem.  It
+// defines the scope and lifetime of mock objects, as well as their
+// expectations.  It is safe to call Controller's methods from multiple
+// goroutines. Each test should create a new Controller and invoke Finish via
+// defer.
+//
+//   func TestFoo(t *testing.T) {
+//     ctrl := gomock.NewController(t)
+//     defer ctrl.Finish()
+//     // ..
+//   }
+//
+//   func TestBar(t *testing.T) {
+//     t.Run("Sub-Test-1", st) {
+//       ctrl := gomock.NewController(st)
+//       defer ctrl.Finish()
+//       // ..
+//     })
+//     t.Run("Sub-Test-2", st) {
+//       ctrl := gomock.NewController(st)
+//       defer ctrl.Finish()
+//       // ..
+//     })
+//   })
+type Controller struct {
+	// T should only be called within a generated mock. It is not intended to
+	// be used in user code and may be changed in future versions. T is the
+	// TestReporter passed in when creating the Controller via NewController.
+	// If the TestReporter does not implement a TestHelper it will be wrapped
+	// with a nopTestHelper.
+	T             TestHelper
+	mu            sync.Mutex
+	expectedCalls *callSet
+	finished      bool
+}
+
+// NewController returns a new Controller. It is the preferred way to create a
+// Controller.
+//
+// New in go1.14+, if you are passing a *testing.T into this function you no
+// longer need to call ctrl.Finish() in your test methods.
+func NewController(t TestReporter) *Controller {
+	h, ok := t.(TestHelper)
+	if !ok {
+		h = &nopTestHelper{t}
+	}
+	ctrl := &Controller{
+		T:             h,
+		expectedCalls: newCallSet(),
+	}
+	if c, ok := isCleanuper(ctrl.T); ok {
+		c.Cleanup(func() {
+			ctrl.T.Helper()
+			ctrl.finish(true, nil)
+		})
+	}
+
+	return ctrl
+}
+
+type cancelReporter struct {
+	t      TestHelper
+	cancel func()
+}
+
+func (r *cancelReporter) Errorf(format string, args ...interface{}) {
+	r.t.Errorf(format, args...)
+}
+func (r *cancelReporter) Fatalf(format string, args ...interface{}) {
+	defer r.cancel()
+	r.t.Fatalf(format, args...)
+}
+
+func (r *cancelReporter) Helper() {
+	r.t.Helper()
+}
+
+// WithContext returns a new Controller and a Context, which is cancelled on any
+// fatal failure.
+func WithContext(ctx context.Context, t TestReporter) (*Controller, context.Context) {
+	h, ok := t.(TestHelper)
+	if !ok {
+		h = &nopTestHelper{t: t}
+	}
+
+	ctx, cancel := context.WithCancel(ctx)
+	return NewController(&cancelReporter{t: h, cancel: cancel}), ctx
+}
+
+type nopTestHelper struct {
+	t TestReporter
+}
+
+func (h *nopTestHelper) Errorf(format string, args ...interface{}) {
+	h.t.Errorf(format, args...)
+}
+func (h *nopTestHelper) Fatalf(format string, args ...interface{}) {
+	h.t.Fatalf(format, args...)
+}
+
+func (h nopTestHelper) Helper() {}
+
+// RecordCall is called by a mock. It should not be called by user code.
+func (ctrl *Controller) RecordCall(receiver interface{}, method string, args ...interface{}) *Call {
+	ctrl.T.Helper()
+
+	recv := reflect.ValueOf(receiver)
+	for i := 0; i < recv.Type().NumMethod(); i++ {
+		if recv.Type().Method(i).Name == method {
+			return ctrl.RecordCallWithMethodType(receiver, method, recv.Method(i).Type(), args...)
+		}
+	}
+	ctrl.T.Fatalf("gomock: failed finding method %s on %T", method, receiver)
+	panic("unreachable")
+}
+
+// RecordCallWithMethodType is called by a mock. It should not be called by user code.
+func (ctrl *Controller) RecordCallWithMethodType(receiver interface{}, method string, methodType reflect.Type, args ...interface{}) *Call {
+	ctrl.T.Helper()
+
+	call := newCall(ctrl.T, receiver, method, methodType, args...)
+
+	ctrl.mu.Lock()
+	defer ctrl.mu.Unlock()
+	ctrl.expectedCalls.Add(call)
+
+	return call
+}
+
+// Call is called by a mock. It should not be called by user code.
+func (ctrl *Controller) Call(receiver interface{}, method string, args ...interface{}) []interface{} {
+	ctrl.T.Helper()
+
+	// Nest this code so we can use defer to make sure the lock is released.
+	actions := func() []func([]interface{}) []interface{} {
+		ctrl.T.Helper()
+		ctrl.mu.Lock()
+		defer ctrl.mu.Unlock()
+
+		expected, err := ctrl.expectedCalls.FindMatch(receiver, method, args)
+		if err != nil {
+			// callerInfo's skip should be updated if the number of calls between the user's test
+			// and this line changes, i.e. this code is wrapped in another anonymous function.
+			// 0 is us, 1 is controller.Call(), 2 is the generated mock, and 3 is the user's test.
+			origin := callerInfo(3)
+			ctrl.T.Fatalf("Unexpected call to %T.%v(%v) at %s because: %s", receiver, method, args, origin, err)
+		}
+
+		// Two things happen here:
+		// * the matching call no longer needs to check prerequite calls,
+		// * and the prerequite calls are no longer expected, so remove them.
+		preReqCalls := expected.dropPrereqs()
+		for _, preReqCall := range preReqCalls {
+			ctrl.expectedCalls.Remove(preReqCall)
+		}
+
+		actions := expected.call()
+		if expected.exhausted() {
+			ctrl.expectedCalls.Remove(expected)
+		}
+		return actions
+	}()
+
+	var rets []interface{}
+	for _, action := range actions {
+		if r := action(args); r != nil {
+			rets = r
+		}
+	}
+
+	return rets
+}
+
+// Finish checks to see if all the methods that were expected to be called
+// were called. It should be invoked for each Controller. It is not idempotent
+// and therefore can only be invoked once.
+//
+// New in go1.14+, if you are passing a *testing.T into NewController function you no
+// longer need to call ctrl.Finish() in your test methods.
+func (ctrl *Controller) Finish() {
+	// If we're currently panicking, probably because this is a deferred call.
+	// This must be recovered in the deferred function.
+	err := recover()
+	ctrl.finish(false, err)
+}
+
+func (ctrl *Controller) finish(cleanup bool, panicErr interface{}) {
+	ctrl.T.Helper()
+
+	ctrl.mu.Lock()
+	defer ctrl.mu.Unlock()
+
+	if ctrl.finished {
+		if _, ok := isCleanuper(ctrl.T); !ok {
+			ctrl.T.Fatalf("Controller.Finish was called more than once. It has to be called exactly once.")
+		}
+		return
+	}
+	ctrl.finished = true
+
+	// Short-circuit, pass through the panic.
+	if panicErr != nil {
+		panic(panicErr)
+	}
+
+	// Check that all remaining expected calls are satisfied.
+	failures := ctrl.expectedCalls.Failures()
+	for _, call := range failures {
+		ctrl.T.Errorf("missing call(s) to %v", call)
+	}
+	if len(failures) != 0 {
+		if !cleanup {
+			ctrl.T.Fatalf("aborting test due to missing call(s)")
+			return
+		}
+		ctrl.T.Errorf("aborting test due to missing call(s)")
+	}
+}
+
+// callerInfo returns the file:line of the call site. skip is the number
+// of stack frames to skip when reporting. 0 is callerInfo's call site.
+func callerInfo(skip int) string {
+	if _, file, line, ok := runtime.Caller(skip + 1); ok {
+		return fmt.Sprintf("%s:%d", file, line)
+	}
+	return "unknown file"
+}
+
+// isCleanuper checks it if t's base TestReporter has a Cleanup method.
+func isCleanuper(t TestReporter) (cleanuper, bool) {
+	tr := unwrapTestReporter(t)
+	c, ok := tr.(cleanuper)
+	return c, ok
+}
+
+// unwrapTestReporter unwraps TestReporter to the base implementation.
+func unwrapTestReporter(t TestReporter) TestReporter {
+	tr := t
+	switch nt := t.(type) {
+	case *cancelReporter:
+		tr = nt.t
+		if h, check := tr.(*nopTestHelper); check {
+			tr = h.t
+		}
+	case *nopTestHelper:
+		tr = nt.t
+	default:
+		// not wrapped
+	}
+	return tr
+}
diff --git a/vendor/github.com/golang/mock/gomock/matchers.go b/vendor/github.com/golang/mock/gomock/matchers.go
new file mode 100644
index 0000000000..2822fb2c8c
--- /dev/null
+++ b/vendor/github.com/golang/mock/gomock/matchers.go
@@ -0,0 +1,341 @@
+// Copyright 2010 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package gomock
+
+import (
+	"fmt"
+	"reflect"
+	"strings"
+)
+
+// A Matcher is a representation of a class of values.
+// It is used to represent the valid or expected arguments to a mocked method.
+type Matcher interface {
+	// Matches returns whether x is a match.
+	Matches(x interface{}) bool
+
+	// String describes what the matcher matches.
+	String() string
+}
+
+// WantFormatter modifies the given Matcher's String() method to the given
+// Stringer. This allows for control on how the "Want" is formatted when
+// printing .
+func WantFormatter(s fmt.Stringer, m Matcher) Matcher {
+	type matcher interface {
+		Matches(x interface{}) bool
+	}
+
+	return struct {
+		matcher
+		fmt.Stringer
+	}{
+		matcher:  m,
+		Stringer: s,
+	}
+}
+
+// StringerFunc type is an adapter to allow the use of ordinary functions as
+// a Stringer. If f is a function with the appropriate signature,
+// StringerFunc(f) is a Stringer that calls f.
+type StringerFunc func() string
+
+// String implements fmt.Stringer.
+func (f StringerFunc) String() string {
+	return f()
+}
+
+// GotFormatter is used to better print failure messages. If a matcher
+// implements GotFormatter, it will use the result from Got when printing
+// the failure message.
+type GotFormatter interface {
+	// Got is invoked with the received value. The result is used when
+	// printing the failure message.
+	Got(got interface{}) string
+}
+
+// GotFormatterFunc type is an adapter to allow the use of ordinary
+// functions as a GotFormatter. If f is a function with the appropriate
+// signature, GotFormatterFunc(f) is a GotFormatter that calls f.
+type GotFormatterFunc func(got interface{}) string
+
+// Got implements GotFormatter.
+func (f GotFormatterFunc) Got(got interface{}) string {
+	return f(got)
+}
+
+// GotFormatterAdapter attaches a GotFormatter to a Matcher.
+func GotFormatterAdapter(s GotFormatter, m Matcher) Matcher {
+	return struct {
+		GotFormatter
+		Matcher
+	}{
+		GotFormatter: s,
+		Matcher:      m,
+	}
+}
+
+type anyMatcher struct{}
+
+func (anyMatcher) Matches(interface{}) bool {
+	return true
+}
+
+func (anyMatcher) String() string {
+	return "is anything"
+}
+
+type eqMatcher struct {
+	x interface{}
+}
+
+func (e eqMatcher) Matches(x interface{}) bool {
+	// In case, some value is nil
+	if e.x == nil || x == nil {
+		return reflect.DeepEqual(e.x, x)
+	}
+
+	// Check if types assignable and convert them to common type
+	x1Val := reflect.ValueOf(e.x)
+	x2Val := reflect.ValueOf(x)
+
+	if x1Val.Type().AssignableTo(x2Val.Type()) {
+		x1ValConverted := x1Val.Convert(x2Val.Type())
+		return reflect.DeepEqual(x1ValConverted.Interface(), x2Val.Interface())
+	}
+
+	return false
+}
+
+func (e eqMatcher) String() string {
+	return fmt.Sprintf("is equal to %v (%T)", e.x, e.x)
+}
+
+type nilMatcher struct{}
+
+func (nilMatcher) Matches(x interface{}) bool {
+	if x == nil {
+		return true
+	}
+
+	v := reflect.ValueOf(x)
+	switch v.Kind() {
+	case reflect.Chan, reflect.Func, reflect.Interface, reflect.Map,
+		reflect.Ptr, reflect.Slice:
+		return v.IsNil()
+	}
+
+	return false
+}
+
+func (nilMatcher) String() string {
+	return "is nil"
+}
+
+type notMatcher struct {
+	m Matcher
+}
+
+func (n notMatcher) Matches(x interface{}) bool {
+	return !n.m.Matches(x)
+}
+
+func (n notMatcher) String() string {
+	return "not(" + n.m.String() + ")"
+}
+
+type assignableToTypeOfMatcher struct {
+	targetType reflect.Type
+}
+
+func (m assignableToTypeOfMatcher) Matches(x interface{}) bool {
+	return reflect.TypeOf(x).AssignableTo(m.targetType)
+}
+
+func (m assignableToTypeOfMatcher) String() string {
+	return "is assignable to " + m.targetType.Name()
+}
+
+type allMatcher struct {
+	matchers []Matcher
+}
+
+func (am allMatcher) Matches(x interface{}) bool {
+	for _, m := range am.matchers {
+		if !m.Matches(x) {
+			return false
+		}
+	}
+	return true
+}
+
+func (am allMatcher) String() string {
+	ss := make([]string, 0, len(am.matchers))
+	for _, matcher := range am.matchers {
+		ss = append(ss, matcher.String())
+	}
+	return strings.Join(ss, "; ")
+}
+
+type lenMatcher struct {
+	i int
+}
+
+func (m lenMatcher) Matches(x interface{}) bool {
+	v := reflect.ValueOf(x)
+	switch v.Kind() {
+	case reflect.Array, reflect.Chan, reflect.Map, reflect.Slice, reflect.String:
+		return v.Len() == m.i
+	default:
+		return false
+	}
+}
+
+func (m lenMatcher) String() string {
+	return fmt.Sprintf("has length %d", m.i)
+}
+
+type inAnyOrderMatcher struct {
+	x interface{}
+}
+
+func (m inAnyOrderMatcher) Matches(x interface{}) bool {
+	given, ok := m.prepareValue(x)
+	if !ok {
+		return false
+	}
+	wanted, ok := m.prepareValue(m.x)
+	if !ok {
+		return false
+	}
+
+	if given.Len() != wanted.Len() {
+		return false
+	}
+
+	usedFromGiven := make([]bool, given.Len())
+	foundFromWanted := make([]bool, wanted.Len())
+	for i := 0; i < wanted.Len(); i++ {
+		wantedMatcher := Eq(wanted.Index(i).Interface())
+		for j := 0; j < given.Len(); j++ {
+			if usedFromGiven[j] {
+				continue
+			}
+			if wantedMatcher.Matches(given.Index(j).Interface()) {
+				foundFromWanted[i] = true
+				usedFromGiven[j] = true
+				break
+			}
+		}
+	}
+
+	missingFromWanted := 0
+	for _, found := range foundFromWanted {
+		if !found {
+			missingFromWanted++
+		}
+	}
+	extraInGiven := 0
+	for _, used := range usedFromGiven {
+		if !used {
+			extraInGiven++
+		}
+	}
+
+	return extraInGiven == 0 && missingFromWanted == 0
+}
+
+func (m inAnyOrderMatcher) prepareValue(x interface{}) (reflect.Value, bool) {
+	xValue := reflect.ValueOf(x)
+	switch xValue.Kind() {
+	case reflect.Slice, reflect.Array:
+		return xValue, true
+	default:
+		return reflect.Value{}, false
+	}
+}
+
+func (m inAnyOrderMatcher) String() string {
+	return fmt.Sprintf("has the same elements as %v", m.x)
+}
+
+// Constructors
+
+// All returns a composite Matcher that returns true if and only all of the
+// matchers return true.
+func All(ms ...Matcher) Matcher { return allMatcher{ms} }
+
+// Any returns a matcher that always matches.
+func Any() Matcher { return anyMatcher{} }
+
+// Eq returns a matcher that matches on equality.
+//
+// Example usage:
+//   Eq(5).Matches(5) // returns true
+//   Eq(5).Matches(4) // returns false
+func Eq(x interface{}) Matcher { return eqMatcher{x} }
+
+// Len returns a matcher that matches on length. This matcher returns false if
+// is compared to a type that is not an array, chan, map, slice, or string.
+func Len(i int) Matcher {
+	return lenMatcher{i}
+}
+
+// Nil returns a matcher that matches if the received value is nil.
+//
+// Example usage:
+//   var x *bytes.Buffer
+//   Nil().Matches(x) // returns true
+//   x = &bytes.Buffer{}
+//   Nil().Matches(x) // returns false
+func Nil() Matcher { return nilMatcher{} }
+
+// Not reverses the results of its given child matcher.
+//
+// Example usage:
+//   Not(Eq(5)).Matches(4) // returns true
+//   Not(Eq(5)).Matches(5) // returns false
+func Not(x interface{}) Matcher {
+	if m, ok := x.(Matcher); ok {
+		return notMatcher{m}
+	}
+	return notMatcher{Eq(x)}
+}
+
+// AssignableToTypeOf is a Matcher that matches if the parameter to the mock
+// function is assignable to the type of the parameter to this function.
+//
+// Example usage:
+//   var s fmt.Stringer = &bytes.Buffer{}
+//   AssignableToTypeOf(s).Matches(time.Second) // returns true
+//   AssignableToTypeOf(s).Matches(99) // returns false
+//
+//   var ctx = reflect.TypeOf((*context.Context)(nil)).Elem()
+//   AssignableToTypeOf(ctx).Matches(context.Background()) // returns true
+func AssignableToTypeOf(x interface{}) Matcher {
+	if xt, ok := x.(reflect.Type); ok {
+		return assignableToTypeOfMatcher{xt}
+	}
+	return assignableToTypeOfMatcher{reflect.TypeOf(x)}
+}
+
+// InAnyOrder is a Matcher that returns true for collections of the same elements ignoring the order.
+//
+// Example usage:
+//   InAnyOrder([]int{1, 2, 3}).Matches([]int{1, 3, 2}) // returns true
+//   InAnyOrder([]int{1, 2, 3}).Matches([]int{1, 2}) // returns false
+func InAnyOrder(x interface{}) Matcher {
+	return inAnyOrderMatcher{x}
+}
diff --git a/vendor/github.com/kata-containers/kata-containers/src/runtime/LICENSE b/vendor/github.com/kata-containers/kata-containers/src/runtime/LICENSE
new file mode 100644
index 0000000000..261eeb9e9f
--- /dev/null
+++ b/vendor/github.com/kata-containers/kata-containers/src/runtime/LICENSE
@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/kata-containers/kata-containers/src/runtime/pkg/direct-volume/utils.go b/vendor/github.com/kata-containers/kata-containers/src/runtime/pkg/direct-volume/utils.go
new file mode 100644
index 0000000000..9e13a4d227
--- /dev/null
+++ b/vendor/github.com/kata-containers/kata-containers/src/runtime/pkg/direct-volume/utils.go
@@ -0,0 +1,126 @@
+// Copyright (c) 2022 Databricks Inc.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+package volume
+
+import (
+	b64 "encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+)
+
+const (
+	mountInfoFileName = "mountInfo.json"
+
+	FSGroupMetadataKey             = "fsGroup"
+	FSGroupChangePolicyMetadataKey = "fsGroupChangePolicy"
+)
+
+// FSGroupChangePolicy holds policies that will be used for applying fsGroup to a volume.
+// This type and the allowed values are tracking the PodFSGroupChangePolicy defined in
+// https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/api/core/v1/types.go
+// It is up to the client using the direct-assigned volume feature (e.g. CSI drivers) to determine
+// the optimal setting for this change policy (i.e. from Pod spec or assuming volume ownership
+// based on the storage offering).
+type FSGroupChangePolicy string
+
+const (
+	// FSGroupChangeAlways indicates that volume's ownership should always be changed.
+	FSGroupChangeAlways FSGroupChangePolicy = "Always"
+	// FSGroupChangeOnRootMismatch indicates that volume's ownership will be changed
+	// only when ownership of root directory does not match with the desired group id.
+	FSGroupChangeOnRootMismatch FSGroupChangePolicy = "OnRootMismatch"
+)
+
+var kataDirectVolumeRootPath = "/run/kata-containers/shared/direct-volumes"
+
+// MountInfo contains the information needed by Kata to consume a host block device and mount it as a filesystem inside the guest VM.
+type MountInfo struct {
+	// The type of the volume (ie. block)
+	VolumeType string `json:"volume-type"`
+	// The device backing the volume.
+	Device string `json:"device"`
+	// The filesystem type to be mounted on the volume.
+	FsType string `json:"fstype"`
+	// Additional metadata to pass to the agent regarding this volume.
+	Metadata map[string]string `json:"metadata,omitempty"`
+	// Additional mount options.
+	Options []string `json:"options,omitempty"`
+}
+
+// Add writes the mount info of a direct volume into a filesystem path known to Kata Container.
+func Add(volumePath string, mountInfo string) error {
+	volumeDir := filepath.Join(kataDirectVolumeRootPath, b64.URLEncoding.EncodeToString([]byte(volumePath)))
+	stat, err := os.Stat(volumeDir)
+	if err != nil {
+		if !errors.Is(err, os.ErrNotExist) {
+			return err
+		}
+		if err := os.MkdirAll(volumeDir, 0700); err != nil {
+			return err
+		}
+	}
+	if stat != nil && !stat.IsDir() {
+		return fmt.Errorf("%s should be a directory", volumeDir)
+	}
+
+	var deserialized MountInfo
+	if err := json.Unmarshal([]byte(mountInfo), &deserialized); err != nil {
+		return err
+	}
+
+	return os.WriteFile(filepath.Join(volumeDir, mountInfoFileName), []byte(mountInfo), 0600)
+}
+
+// Remove deletes the direct volume path including all the files inside it.
+func Remove(volumePath string) error {
+	return os.RemoveAll(filepath.Join(kataDirectVolumeRootPath, b64.URLEncoding.EncodeToString([]byte(volumePath))))
+}
+
+// VolumeMountInfo retrieves the mount info of a direct volume.
+func VolumeMountInfo(volumePath string) (*MountInfo, error) {
+	mountInfoFilePath := filepath.Join(kataDirectVolumeRootPath, b64.URLEncoding.EncodeToString([]byte(volumePath)), mountInfoFileName)
+	if _, err := os.Stat(mountInfoFilePath); err != nil {
+		return nil, err
+	}
+	buf, err := os.ReadFile(mountInfoFilePath)
+	if err != nil {
+		return nil, err
+	}
+	var mountInfo MountInfo
+	if err := json.Unmarshal(buf, &mountInfo); err != nil {
+		return nil, err
+	}
+	return &mountInfo, nil
+}
+
+// RecordSandboxId associates a sandbox id with a direct volume.
+func RecordSandboxId(sandboxId string, volumePath string) error {
+	encodedPath := b64.URLEncoding.EncodeToString([]byte(volumePath))
+	mountInfoFilePath := filepath.Join(kataDirectVolumeRootPath, encodedPath, mountInfoFileName)
+	if _, err := os.Stat(mountInfoFilePath); err != nil {
+		return err
+	}
+
+	return os.WriteFile(filepath.Join(kataDirectVolumeRootPath, encodedPath, sandboxId), []byte(""), 0600)
+}
+
+func GetSandboxIdForVolume(volumePath string) (string, error) {
+	files, err := os.ReadDir(filepath.Join(kataDirectVolumeRootPath, b64.URLEncoding.EncodeToString([]byte(volumePath))))
+	if err != nil {
+		return "", err
+	}
+	// Find the id of the first sandbox.
+	// We expect a direct-assigned volume is associated with only a sandbox at a time.
+	for _, file := range files {
+		if file.Name() != mountInfoFileName {
+			return file.Name(), nil
+		}
+	}
+	return "", fmt.Errorf("no sandbox found for %s", volumePath)
+}
diff --git a/vendor/github.com/moby/sys/mountinfo/mountinfo_linux.go b/vendor/github.com/moby/sys/mountinfo/mountinfo_linux.go
index 59332b07bf..b32b5c9b15 100644
--- a/vendor/github.com/moby/sys/mountinfo/mountinfo_linux.go
+++ b/vendor/github.com/moby/sys/mountinfo/mountinfo_linux.go
@@ -5,15 +5,19 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"runtime"
 	"strconv"
 	"strings"
+	"sync"
+
+	"golang.org/x/sys/unix"
 )
 
 // GetMountsFromReader retrieves a list of mounts from the
 // reader provided, with an optional filter applied (use nil
 // for no filter). This can be useful in tests or benchmarks
 // that provide fake mountinfo data, or when a source other
-// than /proc/self/mountinfo needs to be read from.
+// than /proc/thread-self/mountinfo needs to be read from.
 //
 // This function is Linux-specific.
 func GetMountsFromReader(r io.Reader, filter FilterFunc) ([]*Info, error) {
@@ -127,8 +131,40 @@ func GetMountsFromReader(r io.Reader, filter FilterFunc) ([]*Info, error) {
 	return out, nil
 }
 
-func parseMountTable(filter FilterFunc) ([]*Info, error) {
-	f, err := os.Open("/proc/self/mountinfo")
+var (
+	haveProcThreadSelf     bool
+	haveProcThreadSelfOnce sync.Once
+)
+
+func parseMountTable(filter FilterFunc) (_ []*Info, err error) {
+	haveProcThreadSelfOnce.Do(func() {
+		_, err := os.Stat("/proc/thread-self/mountinfo")
+		haveProcThreadSelf = err == nil
+	})
+
+	// We need to lock ourselves to the current OS thread in order to make sure
+	// that the thread referenced by /proc/thread-self stays alive until we
+	// finish parsing the file.
+	runtime.LockOSThread()
+	defer runtime.UnlockOSThread()
+
+	var f *os.File
+	if haveProcThreadSelf {
+		f, err = os.Open("/proc/thread-self/mountinfo")
+	} else {
+		// On pre-3.17 kernels (such as CentOS 7), we don't have
+		// /proc/thread-self/ so we need to manually construct
+		// /proc/self/task/<tid>/ as a fallback.
+		f, err = os.Open("/proc/self/task/" + strconv.Itoa(unix.Gettid()) + "/mountinfo")
+		if os.IsNotExist(err) {
+			// If /proc/self/task/... failed, it means that our active pid
+			// namespace doesn't match the pid namespace of the /proc mount. In
+			// this case we just have to make do with /proc/self, since there
+			// is no other way of figuring out our tid in a parent pid
+			// namespace on pre-3.17 kernels.
+			f, err = os.Open("/proc/self/mountinfo")
+		}
+	}
 	if err != nil {
 		return nil, err
 	}
@@ -158,10 +194,10 @@ func PidMountInfo(pid int) ([]*Info, error) {
 // A few specific characters in mountinfo path entries (root and mountpoint)
 // are escaped using a backslash followed by a character's ascii code in octal.
 //
-//   space              -- as \040
-//   tab (aka \t)       -- as \011
-//   newline (aka \n)   -- as \012
-//   backslash (aka \\) -- as \134
+//	space              -- as \040
+//	tab (aka \t)       -- as \011
+//	newline (aka \n)   -- as \012
+//	backslash (aka \\) -- as \134
 //
 // This function converts path from mountinfo back, i.e. it unescapes the above sequences.
 func unescape(path string) (string, error) {
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 5eab9d7161..44ec41a4a5 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -147,10 +147,12 @@ github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/options
 github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/shared
 github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/version
 github.com/AzureAD/microsoft-authentication-library-for-go/apps/public
-# github.com/Microsoft/go-winio v0.6.0
+# github.com/Microsoft/go-winio v0.6.1
 ## explicit; go 1.17
 github.com/Microsoft/go-winio
+github.com/Microsoft/go-winio/internal/fs
 github.com/Microsoft/go-winio/internal/socket
+github.com/Microsoft/go-winio/internal/stringbuffer
 github.com/Microsoft/go-winio/pkg/guid
 # github.com/NYTimes/gziphandler v1.1.1
 ## explicit; go 1.11
@@ -179,7 +181,7 @@ github.com/container-storage-interface/spec/lib/go/csi
 # github.com/coreos/go-semver v0.3.1
 ## explicit; go 1.8
 github.com/coreos/go-semver/semver
-# github.com/coreos/go-systemd/v22 v22.5.0
+# github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09
 ## explicit; go 1.12
 github.com/coreos/go-systemd/v22/daemon
 github.com/coreos/go-systemd/v22/journal
@@ -237,6 +239,9 @@ github.com/golang-jwt/jwt/v5
 # github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
 ## explicit
 github.com/golang/groupcache/lru
+# github.com/golang/mock v1.6.0
+## explicit; go 1.11
+github.com/golang/mock/gomock
 # github.com/golang/protobuf v1.5.4
 ## explicit; go 1.17
 github.com/golang/protobuf/descriptor
@@ -333,6 +338,9 @@ github.com/klauspost/compress/internal/cpuinfo
 github.com/klauspost/compress/internal/snapref
 github.com/klauspost/compress/zstd
 github.com/klauspost/compress/zstd/internal/xxhash
+# github.com/kata-containers/kata-containers/src/runtime v0.0.0-20240702121346-ef3f6515cf8a
+## explicit; go 1.21
+github.com/kata-containers/kata-containers/src/runtime/pkg/direct-volume
 # github.com/kubernetes-csi/csi-lib-utils v0.14.1
 ## explicit; go 1.18
 github.com/kubernetes-csi/csi-lib-utils/protosanitizer
@@ -372,7 +380,7 @@ github.com/mattn/go-ieproxy
 ## explicit; go 1.13
 github.com/moby/spdystream
 github.com/moby/spdystream/spdy
-# github.com/moby/sys/mountinfo v0.6.2
+# github.com/moby/sys/mountinfo v0.7.1
 ## explicit; go 1.16
 github.com/moby/sys/mountinfo
 # github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd

From a82e15e93f1694cabaef6fd0c502de6e62ef3d04 Mon Sep 17 00:00:00 2001
From: Archana Choudhary <archana1@microsoft.com>
Date: Wed, 9 Oct 2024 08:20:04 +0000
Subject: [PATCH 2/6] add SC/PV parameter for kata cc mount

tar file update

go mod vendor
---
 charts/latest/azurefile-csi-driver-v0.0.0.tgz | Bin 13611 -> 13612 bytes
 pkg/azurefile/azurefile.go                    |   3 +-
 pkg/azurefile/controllerserver.go             |   5 ++
 pkg/azurefile/nodeserver.go                   |  41 ++++++++------
 pkg/azurefile/nodeserver_test.go              |  51 ++++++------------
 vendor/modules.txt                            |   6 +--
 6 files changed, 52 insertions(+), 54 deletions(-)

diff --git a/charts/latest/azurefile-csi-driver-v0.0.0.tgz b/charts/latest/azurefile-csi-driver-v0.0.0.tgz
index bf65de26d8136f751dc741ac4012e47b7eb3dbd9..2d64209b31135f926d93aaa6a11988328cfffb1e 100644
GIT binary patch
delta 12633
zcmV-fF{aL|YOHFIy?=Y%+uqxKy|cgfU2pr<&hFlKsJD{ZXFRcxn19z>x~_8LzLEz=
z<QL$AFxp3x?F}47>7OB%Aml~>!sjHC`nLlmF6ajm0y<<=VnTtV3&}Vh0y?1*_yGHW
zUL0PWyi9*T3*#Z78x)VBk6Z$`F-ckIb$i|3#zXhYxAQpX|9=FBF^H8ZfadwXy|=r&
zSDycSuV1g{|9w1UjEB(QK<Ek!IERS!(b(tRG4VMQY#_Tn8*iX&)~cciafp~8lJRLD
zZC!sawtPXh3ZkToNjyx|i26H<!|;rS#Gm%j$>5a9GY$f%dg%*t#@U1@H2~aE3ln1N
zI=%u<L4r_KsDDbmDEla@a`LLX-R-rg@*D*DeV*#L`5;%-c6WPcc3mNv00kk=IJ<K7
zp`*IwlSqA%t8k~gy*Il;$^tmjv-uo`L`aV3Xr=nt>H?1^pBGt}+2)OB&(JvxfCKdb
zNro5&#5fu=4oHB{K??Qr6`)u^fNn-WH8nzqNK2(qB!4&z`e-C&B>G!9R=b341<V&)
z5{qlG<uf`U!<d5?vB2|_m1#@S^E5Fp;$(s)B<-1QZRp?6;xN20-1O0}zim829x@Bn
zcxroY`V&k|kyAW|4OPTLhp~`sj6!?`p>78b0z{}}XbchuSmF&|7kQ^k^wH-p8wfo^
z*WU{dM}JYxI=CT#Plyi(zRzMR)rk2Vu!KI6JO=a({Y`a~`u8TXWf3-o1-c<&sQS}<
z5}*O&Xv*R)x&WzI9N<s@A_Mg!y1`Wc7z<E;bHr|FSJlU;<SYz<_tgyXa(t$5Jb}?O
zq<RCf0lKh!Sf=fuCQLA{$JdHvnWmPsg{TRNBY!bs^035j^81qPZtyGYm-}BeqG-fy
zY~=bYeO=dYid@Lz;82TeCR3K6r(YVC7Sxv(5%!^v)MW6)R7lVYIt<y(@i>yx!|a=s
zYYtIJd@TBCM|GX#Si*36IgOx?&Y7NbAEE$DRd&RLJOz2f_;o6Eazq3YAf=j|K8wRZ
z^?zAF1ilI(P$HEz5(NwdqD-OyBA@|c6#aa0l6<~_)C}Ro7iWyiKHB-u{p~%sh8zJ7
z<tQtrc;_*FPk+Wjs`1tWo&0D8;Vi@yvR7D2?2pdjpE2POWWR@O_zorz_R%Z#SALRW
zN}0sU-c5dqSWuY85ep6~g*XTnb036Z-hZ{AsaB4O6v<x*`BB_Q+v%TU7;DA+s@MCO
z*k3vPGX_!ps5h>Bwv&8SUfS-n;tM+g<=mC;ELpijgj(0Vy=2`b1L>aHtaN~Hr+TNO
zWOpzil*p--Nu^#dAOv4BZhw+21a1Xall9OwO#7&#RWWBFbc@UESWmW&Wr0QNYkx(p
zb9_sL6v+!148WIt)H!7r{s@9Ngib5^R&zvZ-rjjF-V)Vp=ml)1{v6}m4-`)@36*j*
zWBxE&U%x$}A))XK3*#~T1k(fG2O<7O<me;-Dz&I2I<cacU$xWAyCr?Pk*vY0I8ePt
zWVNI_jyi48#zGa@XZ9;&nSP%d{(p_uaiQwN!V2Do1BZ>V2p0|$Mt_tU5p@+6*YjBt
zSz6y*D_nJrt6AkL>s)J1x4VR<+ZX_rF^5c`-hwnTeIc<j-L1%*m*&mS%Dj8aSsbOW
z2SWdyjK?|P;BTBrcu##$bK-{!)q@)w#vIQKI;GgVz93yaW9^>U*!Ld<@PC6LP-!)A
zocw(e4+iA6k2>!!F1!(h<4&@Ve#<V7etMTqm`(>hL#e_*#`&UtenFX<SK{R+Iy(OA
zhqs&P<n)L4o9J%`=cgy9Z#U8L`T6^EWwNRL(HUpAQ_F<<A^UqHBs9J)Oh(%ufjD&-
ztV++JXDGlhW>kRGouEonk$?2u5e#q~N+;v?-6lE=W3_brK)5LVrTY3uV`pxnQ%1qA
zWg*Bu+L~a#6_Tqh`-^Lx3)IGp^-%y<1XCv)=G7(|K)^Uw>P^YR8SpU?!bo)Q_3PJZ
zuO$0qCGAGpCB1Y9)?q7CWmUFGtuNs2s+?&KC130<RguG(ajxkOJAcSwDIFv~Z6w^N
zJ;PDV2_0H9fY9N|kh1jW<6H1!?Hac%=4-kHKF&49Lt`xc(eZ7>!AfBI4rL~cR2m2s
zo~%u$OrFrvTPyITUlqLx;WEadmrSIM8$ttiBV4K=7NBP28E48sNS*tlg|6^!2zBX;
zbVffv?0=kK{xKw1AAjwS&t0?n(NDxz3kmDqG81ujmAg$<ww{O!ZbbHKCt_xgmrQXc
z7B%zN)7Va9#;-$$gVcoAn+5_@o*db!^bGyVbj%KizoC->k|RI|2S*4;+HzEHtgnlE
zSO_wt5TG%pcnAR^mM$X3kwd8dUf?kx2^3R_u+TsGW>MD_%6}11q^7?qa&m-jh#cu+
z^VMprI5|>+Woa2hMoaS{2VD|}Kadd2p66#ArQ0bEfv0_Q4;@?i8Xjl-Pr^9TVVkYf
z_m{^PU3n{)sbg0Be|LYo6#v_Qy}Q4T|J}!Psq{iFsDE*S%nGIE{?K}S1BgO4g#bxr
zVg+{EcQ-aJ8GrIe;9u7eiC7?zkXXiI6Gb6l0f@)6zmY8eGDMz76aU7W&!18E9CW#E
z>h(Zhz9?1<G0ziLFTd&FC@QTjic*CL`tqfNJnu%S?X^-UJ~QV3rxAn^aM6{~;!uDY
z^M7Y=Z>Kc>U+?d3ujl`LJfA;r{Rf(mabK_8N)VLc@_%Nmy2T$sAN|MHmoFO|y4dk;
zglV7`bZUcX+6K^QF<tKSXAcE1AQVt1m8`BR+(BOUUb_yu24$uvX!jR`I8i0vPk?h0
z0Qy6j{nSVMyZWDGY&<Hc<7LEv2KwKc!Hq*5t1}E478So1T%=4E9cjLrW^9`+MR%it
zdtEN8F@NHO$^q*9S$KaIonkA@zb$|Y{h{4-N`H0!(m|b1okd#2#$%?eDx>m5Bd19z
zvk5XJ-72z=K7U5ZEUyk#7dgKqR7gyH^L1In)-!K*ZH=6VIgV8cLj5of8XH%`qtC_>
zquL#pi>p`5MVL#E4HoMNYq5G)(_&X7q2;6%gMUOM4pLa1n_!B6Q`9P-{DJ-%Gg;{5
zFJCrB5RSWIw58><wjEY_yLq1MWXt0d%xfgs-|;wXD3R7)7;U2-qBsmwWXFJUl;SW1
zY8d+{Ltx|tAY-!((@?cnpd0!lj_D8@ze6dyLv?gblS-|7XbpY0&y4lo=Yf|GL@a~}
zY=2z;xA*pUcV8FR|DEmK*S+=ne;-e2vZdo}-Gh1tc%HYB#|h(zz^w$Togdxn?~MxE
z-nb?-=v!pexplK0fp*3aMmG{*RKMiBGx4|#tuq9w)#Fu6!T@+dKTdkx?`>!eN5sQX
z#MuObqB`xPPJ$R45;=;mx;`71V|c0soPXjlA4=4Cv9106SDgg-Lm0gzV-OOLqduZ>
z7^X3yi4HO)U+20`7}&Gzm<<tu1`-WTB&x2MA!~cX^rQ`N*$=F{QpleiFW->_Vj0F9
zhZXKjlyJnji6tjKx`};3=r9g3FMqayknmXqeU$FSf(?`yRGNy1a1apVXgX7-5r6PQ
zMI-YA7VzUIG$6jxEK2CKPsvuLwwoMqFwJ8EB|{ukKLNs)wXXG#{X;N%hUKV_x@LRX
z)n8w-4<d29nPECF|15Qk^op?%Fm>`cKp0WD$#|mxfhYpSHVr1qE^#7n6sI0M-99}F
z(Ah7CXu#PR-HeDovUsY5{0$c91%KlSe(z;chpVj-_+3M@tM+9?NT4<ndKh9dJ~giQ
zto;|d@Yyeih2{&%4HnDY`jj;snn3~Wo^5Ef{<kib&{a=SNDmoR+#+`M5Adb3j!h_>
z&|%^8Y>qT{z{EwprUOc)T6V^H!lG&Gm{2l~$4HRhb(;+Xsf*dj>u4HqWq*XJ;m(Od
zZor#lSWEi_`MoT}<=<y<epwot(ny3@h{VmGZHbD7>Uw`tB~|V8{M(i+pVqTm6dcLY
zX;dzmcDOC76cV*_m#Dof>!LH`hN8-(mLn{cJ|lzFJw4DRl^9}Q#yAY8DN#Gn!nnLt
zkt-%gB^LCa)6KtR2&jm87JnGf-(wCaV#G`YED>OTgqR!w@1nn2UVi>?ajDdg;S~b4
z4`ti{c=52Lc8IX;ua~qd7Sq7VW&K#rHFeTu(;&OmQ0X>$gnE*Up{V{Oz6P3zVN3(y
z;WV#E>|%)w@~OUA`9-_Xh{Ng&(}ENu<K@XEwo12R1r(?r3~Pv46Mw;=V1z${G45wU
zFM4ox^2_c;;b&CrzLHE4fv^snJWr>s-eLh!Vq$F-B|XJX&IOaw?q*8CXKRO5Vw;HZ
zRPZHJML2l18X2L8vk15(#gJ9bOe_Sl3T=C?ns4{EW<O}utF<d2usvp!fi?`R8rDNm
zj;ak1rir|3bhp}Yihq$tDf^60fUC8}XG2PUPibqFpeoHBPstu_$50%apxmaO(qlYD
z9JE%6X^x&fEQNknW(uJLmYr7^5}BCCJ{yl?O61fa5y@3785dgtOd#A6Wawe;kB9_c
z#vHbkZL3+Q+C=V-gJ)^n`gwuZ$}}{OHXs{DK-rK+sLZFP6@S$w`TY3eG7XvQ!6^5B
zX)PDo5U36#bO788qBei@GEW07q&9#^GM$pjYJ4>&GL>|p)%Ky@GicjT1KWZwI-%$g
zk0Ct70`7bOR8I>}b!@vKNbLT)AyDrN;vay}R)jyo9QzWuntQ%56E>Z`>7rfgv#Y7q
z5YCQpoSg9)^?xCfV$15*Eu#q1{g8O(+CyYdf~oHod&8|4bcbjmss^|V-C`w8b&gu+
zgjzkc`JXKp<x?)4jk^`12wiHSBM@pqC*yG}H9iavWU4V4?Pl$$(5P>Uep_dLy9$?D
zS^I6S;U(kRNfe<o7o}PY+ZwFdPNarvuDh)w%{shmdVf~!Xp{mGA|4yl_X;dfpoXZ1
z52T^K1VK<*=n_4i8$H884bdymfs68PGChNmY+RHEcWmQaf`jUX$6dTe0VGfDHl>B2
z)P7qdD7dCQg~h!6t_;)ap3c>{%s!|NT-^}atz`{eGj4j=7!9X(>~P5xPy+W;rrL6q
z*N|OuFn`TU(^Hj~jKceY3%|qD(?`E{YG;1uw;5m7ibCbfnhn|v&HLQ3Mbwf;svCVr
zQAcOa+F!cJ=o*#faOF}XAq*s<Bvg}_SXYwS!<hxtL>7y?+)N5%;hyjZXh<eN6I6q)
zeuO80#&IY~6lRnS!^H~Rs{^CiR}t_WCZcOxEPo}vmntkXuU*pu7wg?DkuZLaY<W~$
zRHK;9(O4Igu|zjX?_nXBPxO*nK!F(DneX3rqo1Q^abQ^HDJP8TQBi%OPX^18GUjPp
z5z}fy?}V@&#9R&9YA+Dgqk08E(HQgViVbDhPTIL?HjUXBX^sb&gqrdYC}>BIQj*G0
z?0+JC630Q)+SnFNr;p{><GC_bSS2$GHL0RhEtG(V#&~iVrxlH5w#yCXsVR`N>y5P@
zbFS73WnA)c>M+5M{h@gd8CCXy+6~0QdRnIGKJyCXjT(%$4ix9!L#Tcgu|C%{h(q+^
zYN~cKB*50}!E!z~O{o^MS1Gt<UZN`)D1X6<g{h+AaIv4(8j#KImsy&+`Rf)6+u6{p
zOY<H!BHSjL)3tUoaL~-O8i8OF5t*uPk?C%C9V4u#jDx72#M!8aQ`4o!b<t?xOhI<h
z>HEuLm)gE$2u~OZP{f2FYP%r7kGa9ZiWtNu@|#53$?1GT?iOnY;Z+Mdnp@cCP=8s)
zc-jmB&lgRkS<dh$y3}sYdsgFMEISs_2}Qw_;xX}&DEpMFZ9zU3u$j~1>8ds$p*|U(
z)|oO>IWw4lQp9v8sp6ArTqpI<$e2^R>D5bJr?^IS95jdLXNSngVc11K=!Meh*=uOU
zvV5v?n%8$k$b?hT$ZE1%Fn|Ok;(sV&T+IooO@*pTG0rBVRvd&=J(G@{_Cd315HhCM
z)TY8HK4!%;K3=!PH3&a&&iD+e*JToM53x|1KmeaWU|$9LtU^wbY+E)R4JHGG>9nvN
zOY=62AdJ*XDH)0*Wt@gEfiNeS;sxnK*F`oD<j=~#RHOp%NdRhgYL~Pe!GAR8g_VTH
zfGW;gElZeaNi_CQZZwLSIj*n(olHV&gK4BkPj`%S>!IYuI4hiU&xrUnK%|6~Yh9of
zi?Zfwh%(=gxk!egIH^;2(uatp3zMBwX7uW|rK!Ol0$#ukH3lKl1J&iHXg1iQ1;1|q
z5|c2Ez*3zP1$ZKJHQVSqNq<ygm(EMO$|fAv@9NYOvf)roWwlt5)ayj;m|;SZ04j(i
z6UbYijwJ}q_Q*)*5>)9h*}VLiVZFg3-)(NE!ff3!lj{c8Lxy~qp<%LuITNe}5X04l
z4rqpJ@vL7e8>T{=#WS}AX?8zJ_9+(NT2<Pvoy{v{gMrax0o1T*n16C=t`<w@%!Sgm
zBFIf+(A|(4n?;y3QJqU3L&vesI*Fn&U<(CN4I~sqIb_kas#eiB`L0M&4^_c#oGc}&
zPsx<`voio4Zn-xLQY!YzK;;1*jWfYzPcCCdY7ukVJb*f?WuLC55=46&GB*z#WEZm`
z(|O>aIFrelv%qZt)qfd~I)|E(3KKK09Y~kR>rt@sl8dQmfX3;24bl)}tOrK>oy^QA
z<9AA|5<N?DCT%)XbKe_1ntGv<8R}9@v$os10ZsEV!cqdKee{1`eEiEF-pl`b@#5E>
z_n*K0<;BOY{>Oj3{I8dPB!B$n<;xc@e*Nj^x0h$fzmb=J{C`U0@wNHuj~Bnf@oz1O
zynOjzf2y!@>*b)EYRAX8XXbr+Fg!Opu4S_7FY|O4ZPb2c?Cu<WyHCvj5?@tPp;)(?
zIg7l8M!Hdg-y|gRn}<TKA&~b3fm|u{adnW#RYDz~62$SVg*IM+#0KB^%y^mdW(Fh$
z($km8VNsJeH-Ckc5rG1wS^P}9KSKv+Cwc6b8SaD-2Or2pEqgbZQyo{c=_xesOp%Tl
z6?Qqyi077W%P_MiO+_KPnNUqlP-XIKl$t<etfxTIwmhH3>IkEMGj#f>Q*-2FD<M<G
zdS+bzKRQ8gJ%!T8X8ZeafYT=gGhGd^bPXk~hmx)cJb$`|i?)G_-UC4NaX~_#8US=z
zsOOTP&L!cSO9M5(UP$H&z?aLzESCmU-XV1ILGX&pq7zqvMO+?vxHQgiSybT)F@$%3
z7+e+~xI7y0Tf+XW80~jg_`WBM=vyAYw*s`@O0aoLBk{ggaeGXdx>X_QR)m*Z9v!zl
z7H%cTw|^Dk+@3h9Z6z4C<q>Pk<I`4vMq35;>~SN_mcf**(PNJpJ+=a@*h-LL53@?l
zW?_j%Vp&Aj6UT3@0<E<&SzHo{wY(%Qjj~!1rfOLP)v|c0H9Bfl=&0mMuN*uo_fs=I
zD)T~M--k#-a9YlP*D=w|B&D7H(`VFRs?2q*rhjG#eo0c&sUO$*3TNjl^o;}Y&a)O~
z=$E?Gg}TIy{DqcVBUg?rhJIR0`WG~(HcY;-`3(=#do1QlZkWSW*i^$t&`p;g<$s!m
zCOHBLe5}KJ$&RGXTas)!<cPC)ScKKOyr7xeIe-vka@#VI!g^+02n1cw0Y}kq2&3jI
zuzzBEU9TMNe!PjcY=5PJoCtF~Rs&;K2kh{C<Xx-U2coQAVY)bnlc<Dn4w8EO8He3T
zmblz{?X^c)3gZwYwCd(h;&2YakSC2fAj)WV14Hl#kQb#jZk^!EVJ8=7VZ&Gy3#wgs
zOD*GaH5PTwLb|3zwqEm~3u9lVBcO$~bAJwMKi|<K*3k+FI%NYbEtKqSoNntxn;NHq
zK+$L_h>yd%gTIW{yFE2;*AU5W%2cb$OI6geGQ0AU!cHDHxB+N9E(eed+oc~(N465k
z^vcXSK}@fesQ|)lYitSKV<Sw1P^*nf$~lMB)qyzH+3_AL+$mdFivy82xaypdwSTUI
zBE%+Jy7f?A!_+h5IL49L7MBDsS&mE9<p}9p4U#22OZ|;5M<5`trdWjk8G~Aaa%hUh
zwqj0uOTWllmn%5K()QHKqp^9vRa<wByuKUcwGp6Y;MbbMsxa7#>_t|&16ldL<8kgb
z);RB^Pw#q1aUVK-o?XML_6c{gGk;jcUf@Ys|Bu?<Ums!kN^JVC-imJ@YgtEE9zMEa
zbof1lS8{Ho+5n3wGb_YmS+0+<WdE8GT1k0YGPv^9rAH{8k@wj+Qmbkq*qyOWkq*W;
zur=RFc-4hNt4e0?vt3JTjpdOlr@RHyhyrcz1)gU&u8-cYU`t+m<o@vDB!5{q5-GCq
z5e<!X7-E^;p7&6<Zp)JHlZJEw+Kw*5z*DxbAY^nXmPu|<AFx`S=QiN=vfDhtvRkog
z*Q9e8==)t8S~N#v%yGD7TeMtDG!G5UIW3j>x?-}nhf3HllcEB381(`ot~;)<O?uR!
zd44_uFGM+Tu#S1I!#0m_i+?xclzQQidN!F1p0v>?RO+nR$4uM~fO-UblY6Vuj@d4*
z7Hd=XG`e!y7*Y<JD{+pwcwLdZY~F5Y;XrecT#-x7LAkw??FYsa_^?iyq&A_%=zIs=
z)Zb7A?c!LnF_xB$3t@bCane9i0!M-b;Nv{*xM&r3Y=vf$2K6^K`G1U?cuwFrwQhWH
zs^LyNve?v#CS2mBLB7e^<9r7cViog9RkBFdr*WwIJ5im_6V>@WQ8Q%S<^M$OeV~mS
z4@aBlS0wfnmCdc?Aep9kz&ZBPNL(g==q<>zFdh=BjLH`;4KjS-OckxCV_;9C*N;y_
zzb>30BstMla1*>>Jb&AnzH~5LGmR1Bm9&3Km;56ZGRu&Lb6&z)IW3uecb}ysY5$Mf
zrQYJ)Qt^XQQVV@PASv;Q1fBfFv&E<8titRi&n-*pN%ELv{p{}5G<{^_V51Dxb{E-2
zT6cK9xU0L(d)wJH3L&d@X2zGijGHsPbvG!Ym0pCm{M~6q$$xBlVOmXLqchAJ^D_%(
zshEpW@kEJ_)xV3!SZ+ov2N`hmQ*xGCTmNcAY)-X*|LcE#AR(Ap@b7>9uhKgI{@4Hf
zHDvzvzyI~WtrKz=(I8ei8s?r0!*T9xOL2r<6w@&;2?M4GhtUYz92WDa^~Ey2%*yCe
zmrd5usM`Fp=zlcLjcGJ+x(pCH+^nnGQG-31n%L<26mSy%*2Y;t1_RI;H3aB%dB!9+
zD+_j!6tO?r%pY#OQY*A3;)70<Aie6T;Kj$~92`@!As5m)3`+XT=?-%l3JW;M%K3UO
zBJjJj(tYM1BgkX3hTC3DF;7lH&n@!Bo&<O8%1A&s_<ts<kxz7Z1tyDx^BmuNrtYR;
zLMO^<=YOoX`m}ThHX%)p-4Tu=Xm6c3C@*TS)H&Odryzd^XD4Ntn;lB$ZgJ+yty`+S
zptI|KeljqX@hq1m0W%b-?+y_vB;cUIOri*=BplMwHM+}quyW}Lu*O?yAwvJ}#rxB(
zx2%Sw8GkRV(*WorcQ6JjH?{sS8I5%2zzg-JJI0g@K*+AG1GxBg=eIg@KnXA0;&Bwh
zW)g@?O|WDR5n;L`rKlC2V?$+o07WcG8h)djtCmM)Ct~Zt3&}O~QAaz#Gd4df>Hp%o
z@IyT>OqRfoD%3H|rS8%ELXt6QoCll?hv2^Z0e{(TlFsk+QmJ&JR^%KBYLoS(OLT?l
zUw3}1<+#{iY8{7Lv}3mDM5tbRX=kLEQi*R>O}?@=>UvfudegIcq6`6LoIn_Q$=?44
zPgO4@1838@VlEq{HBIsN{^)(*aHa%mNRu2_1EO@FN%+-lS|H;VO=2Ye2-9JjZ*UOH
zn191!DH^Jt;^c97jLVAS!F;YQ8%NvaDSV!fv^6%aDfcIv0G|-J*}7r;n$V%AMANgW
zlD72vv-M2>XW_Q!1*~m@3ai~+wo26_wiaqs5?W}#jy=CfU`nNLOO{cpV{0Z85onA9
z$WrIru_&t!)oJ1Usb?`e9;Si%w@Fp%Pk$Hc!I-p~z8_AG?nl65vd~<u-SXBY@vA|J
zAs12%)usLOs%E((wDUk$0@oXV-}wEYhZiS#N4|^Qifey;N9bI+(^AJsjr+TpMXl%~
z0h@&>4c}*O5cGkPTj$zFnE;>ZB#Vk7P@e@RsVJt1P`SU?MenKpeltOgjg{f_-+zJo
z8q>f0S^W9*zirnQ=bz!37HSnlnd964`MT%zw!PlAgJQ4O*Z&`VxIC=S4ySpoQEz$J
zS@t~Gg{S!(Xm*>bQ>uM!`Os=s`1Q@3PbzmBe%$wNmKG()612X1^BcT-vu%2|MgX*{
zMHUjhU`95lLvL=0uB1tuDJTyh&wukXxl(CfD&Jde#B`|)a4vWG@;Tw0mSWp1an06~
z&0W|>y}1mlS@Ha)SU#x_;^%aRt0!loOBU<K`Z+#Qi@S-7s&O(AG&|;!xNm%=%3vFE
z5Mqv?*ZRWH^@*6dPsFV7B+S=-0%m>k<z7#|tWUf=<`XaL%q(}5nZ=6CQh&Kw42_j#
zXPNU<(pPjAX`K<pJnOU(U-y}!ulW?w1DTxb^f@h0_AGslX9cHrR&qvXjuSbJcH9#_
zfV1>*o8=GJJo2M7t2;RJbdSj_bs%P$qc30QA(thOvpnXTYZpDou<BC_OP^7ADkl=|
z;rzk!rwvwlwqV(l1gknXuzx-!P(CHF)OmoFApe)c_%Dm*UmCZ+5`_LTSo~#B_sihx
z*GT%g8@EQ%uaWd?%={WNzsAfzzWcvtyU4!TJHU%U#br?IOJmfRMWlbF`12=+HecVq
z{WKBecY62soapfN{o9Y}{_T}uxR*t2uLPgHzDN73y+`{iMMy7=hksrc{rotv&X4r^
z@6Vq-1T;Y2moFRNt)J!x{~mJ~kPtjy5YK3&EeYdDgSfWTkGUf0wH)0k9*1q~==FNN
z{k=W?-(Ig*`tQ!}-p;G<w)bB5w)b{l@9gh=*W20M-r4yM_3pOm=81*G{JY-Lb(I_U
zl{{vu9YGYb=@_UiU4QKoiLJ?Y;jR_~b^ZJqb$>CKy_`^J=lYi~8+mV}E_x0jU;*9C
z@2E?K_zFTh=W!IxCX0}o+=TjJ902O1lG!zsI;e~OK$Orx?LYU_H>$i|x*c@QN2Zki
zQnJ6}aftpvWeQ52%pjJ#!^ZGhxYVX)1ql?6LlhDpi@F|3-hZ2#1cczrWV<`Y(jUFc
z^=xgYCEvYsbl!f_;Vnl-NRA~8EhNq?8SZbAl9$uSew(Np%YRPT)Dsq(GM5B=pEaVj
zfTdLo(vmlfUxy3_CyFSM)2=~Zo*Wg(D^Aj)U1G~_#RB@MBh?0=K);1ZMJ#xi7f~xc
z-AsPIpF=<+7JnR+WmGd>lGE9>pb}_v#DqKrsoGxG!?_|^&B~4-J{<UZ2Yy;sEXCJ3
zY8eH}0=OthzcwEVu4^XxC?qt#ZS0*qrPkeDBQN=h8q@dmXDlS}TzOTQ$5{x)o2s_P
zx?pPg<V2-?WrybPvk+5gQDqW=h*bH;nj=maCvuvhTz{;w>-pw>C(q|Z=I#p;;K%v{
zMkU<JY<vXxYFBy2nVPwI1KsG2^O#C9h9h(MpmEqF3xSs<I`?BsiEdQv1AS-NG&f`H
zFLO+n%CM0!9>Q51h8N&-kU8$lZwj^4eO;`)qGikvS&Tbx>zf5#8G0FTk8fCZM_8OG
z1$&D+TYsHm^<7_(v+N7CCNV)I<J0`qu<hxiPHtwK@2{|cbBGxF@}=^wiFSWhX^DsE
z%a@KBgHS+AepXj!Q9B@n`B0R@RvmBhW~Wp6QJdj72-ME*&7WQz937n>UtGL&6bu0e
zz&)+A2&1!0WY_M#sk6x(MAS@Vv3#?=)9VSxdw;l<9D4>e<|S+Qo8o$x7FN2)!x8cR
z8HqQqdQBy+VlL#H?VhX90I-ZXctf>EdGjNqjGz5-4t|Kq*n|Nq3;>;!N5G!xGCf>|
zovESjBenlg|JN1Fzb?y=nt%2j0GcHpQChYr855gPI;OHBA!GHcIiRL^C~;`GSA2o=
z0)LWsg5<A){Opx=N5PD=1xxJaOsMUhBEz*xT|GXI@D&M(^W+3)QTaCy9lU$zR7Lqr
zSdFSEjhLq0evy5;DxEY(CH>Z)&8?;Go{M&RtF4B*9|cv?qN|<fP1Cbs0;;Ee_AWL(
zbA$Hq)02ZBzqhs$&Q0l+TL@0N&XqbTxqrB2uw-4Uomo!H;XbC@bI;t&?U{+;5gH5d
zbTIXecKtrDe2}vrMD=ZPB|itBO@JHd@$qeh^`*i;U=qe0^pgJkVVCq|Y!_M1?^$11
zRv%VZgk%B~giu?HD`=xGk}uBG2dmW>4Wz3Rxmb8Xy|Jnq+h~vC&Y@1qO-Vf(>3_`J
z70JNBKWF)F)Eq4GVknNJjJ)K8@|%$PI8>kY-QJ*LQ%8V9IXYuprW@x<7u#BNNiSkt
zzFClRxhoCf$(x<IR6((t$F2<u+&-*ANd2{KbV26aU8x?ZAzPi1S-}P8|FSi;vl_ff
z-DF_HcQAp_y|GVc>z`g6UYvY7K7Tzrdw+6z>2fuUL2}}YRJ-)L`v29;Zd=+;yP7?|
z&**>*YZ%W8xCxjrrIM&T0ed>uI`dtwm5{|6XFVW8PiW7XS0<9<LKi>OrHz~IbZ*L-
zb=8u5gCoXdiSc3q+`~hl($RKP=7Ru!ph~z2WfVLS4+iAcK`2g0T<8*RLVq|6*^LL|
zNKOkqP}5*t{8*Jf%$i=Jtbs6P5l{V=N~G!{3`MDPI!kPk(z}Q=$$S>}(dFS;qLwHu
zwi32twP}%Z@oh@{K9lc?z9>{w?A3uWsxL<z#E6AKAH6EPR}1=EkY%kNnI$RVXeqnF
z1djSBwHC^CE!c&17DPfZ&wsqb9w3xRg2N*S@$|yLmiuV82tl%@Q~G+l_&NekSm6G+
ze%JE<e>gw>ba;MzbbNYwa`5ic4=3-AU3-`xICErEFjMbm9Q_1S=P_AF=w2^7ha7aQ
z5{EyK5DpVE)!tLjHB9?j2psQNWR9lhl1i1^m|tkz+q0OG+y2&8y?^~$ouF1_>4Ph0
zoZU`Qr&FDohJhb1FV8MMot?k`|Nic-zp4szbW22Q1gMe2HVn?s-#qLU<?ZeJPZvi&
zeR}u)?WcFgzZ}17TdNkGx9sBRr+1l^F_#UU**y2^94~*&8IxOG{JYPhsgsI%HG>LB
zKX+nktA<d_!Sl;^OMg{$sE$^510p16s55|oaa=1fLX>l%miZDQ-14EC%9jHU-qUc}
zFkgiTz395!yX6X^YqI5IPx4sEEgcW?t2eqg)aDe_1@<|qL_NeF#|Wz<vg(vVZ8RMb
zZZp3Yzi>+2j4vFbrIys{DfMW!z?vxhkxn+i`1CzDXzGppcz?|)v2JOd$zfG=>m_q0
zu^D2Tlfs7v<=x{m7yi@g{&}#U-_68-_O^SwuS@vPot>RmYy9VZJf7zjAfJ^ini~co
zdU$bS6ZAHML5q9v62x;}>}Cm@rbzgL7&e;SEr}Ne<&Fc)6HHCMPf%`HO6-r$)61o6
zHn@dSrUelTPJifty{FoYNf$q}TD&6z@TY#Luar)ce4nYY5a|`L9y*RjFb1xHRRi&s
zvp8~CRW_8;EtIeTOLh(P+~$Z(s=;wUfck3nh)92H>p=D1!O^8Edwgp$NPJ70@Y{Um
z(*GJnctdEwZiJ`S+lVtCgqX1+H0%HEy}kYIlKy}7dVgnst^e=iv9=thK?Zj=1Kb6Q
zuR^H)9t-$U*;;1o4^vQ~(lz!t0fsT77qGx-f~1l_oUZUNfs5)2&JrYKmp@35P+I9J
z0+astqJYd-OBJER5BgPNDv$B)2Z|?{glfbKJ*TF8xA;Ekz6!`+m#xD4XC6;zH(JXa
zW0>!RL4R9*=0A&2JMJrh`sYa95zc=;yuOl#Mn+eJ-8SE~Jqchdujgusg8+G4c-{QY
zfyw7OVxZVMaN*7!>?h?is@px(0>`hH_Y#Qz5x~}0b&eo;X}juul-pP2TnJ`atGKCn
zOb^5d0o-(1=kyXCe7OAa{rSn|-#>o5`1{4>@qf=rB&%>BCPzn&%3%WtU%met1LK)Z
z7~Nltyjp45g*e*>UFUhWIc_Sk_K4j87b6J6F5Ef*?tbN`Q@HU?B#e>%U%e=%jy2?+
zVL3vF{f{3fn1B2jlB<s&mC6c1e*75eJka9f$J*`n$B)SSfpNdU$elSjn@*2t&0(1H
zIDZU@G6GtmL)C|7Lw}xpwpy8<SwU6MT%Rlm0J)3W%Tit^t7_}!9G9}_)}Ts?VANR<
z5i7Q7EgE1NVL5v9rx!=(C%+t@e>y*Y`|0BS;ZL8=4laLm(J&J4Byslc!`qWnP2%X}
z-1Tu=9C+&xq{9HTjZ{-FnVt2Mvj%-<FMqpobcvgrCA32$2gM#;r0!34pr#)`I&1jp
z!(Wd-oxVRh{&afq^Bj?EoqnYzgq@|{)t0HAEx9YYP%EwPnqqY;L30=?5sWMb<)FPr
z+&wkJqE6+el*|lisb~xEJ-vrs8E{WgBf*<Ly(rGbIt5;ZZ{;=L10nKskK6?ouYaEK
zlSAR@rnbS~r6Pu}Lhyzllan4oVkzD@!VRYATaY$kyeij7H19w5tOL33yl4yHsc}%%
zLQbCu+$!lcN10W^uI|L<StGVqgxI<ZgDUT!pKRZi#kDHy>VXhGPdKC4!tuX3P#`n%
zf9-7dcFOs`cK3GI@xS|cTEzceP=6*{2LWHMqk!uu;5rJpjsmWufKMn2xY`ihBZw(B
z1v5&A*0UzHJdbeL|5$e-!Fsp@(keKzJ`2C#S@^l57v%%-jv_T@&yByX{xsTsL@EyZ
z+Sl)N_^;|L`@B1~M|9?V9h`i);N+u;E$T^E&g)v(=$z-M8>wx3mKJWy7k}8-ga`~b
zTaA%f#|I1afRoCY1@OjAs<hJ8oPynNJ_Wnma|^-UYPiP~RDBX5&)I295*cdDTheiM
za(QZ2?4nwF4znuxydcZ7h~x_|vB0eZz297Fm33@(9h-fkv01|?p&_AZa=&Ysdgdx=
zbH8Vj(%#MdiT>79^b<@E^nZtcBXX2v&39M4e1vz-lrgh5Y|edqn+z=3?{}VdrS!6p
z)g=FBoyz19#nzi`*maQni3iCaPvVuQWB1#%7kZvI5^(R<?41X<Q*R)=h(zF31~*6M
z<HzntRp?{xGZKRJnwP$;Rw2e$3)P{%D}C||$q@+9%1a>3A-xn%$A6##G+<oc+lVF6
z`wD#>Eli(tb17(v7^C4dxsp(aYeqP^W={Qd1rno)y+qyKG<bM%f;4-r`&Cg{qI0XC
zH}>%SwV7@%fA^K(Q_R0>GtkVC^QOcpt%bg=z|UD(N%~hN`74t8c_e<BZZ6WAOY|4&
zaCdzTZkDE6T7e3)!+!)t>$I4PsKSzaMOvJjxhi+AUQ72xgY&V8yGoX(8H;2SpOqD}
z+!Ie25ciEebL0Q!&i*tL|JU2!-Y?<*w)gkf_`iF3N+B_m$ju`ER)OTRnc-H7<EzqK
z0gBHMT^_?{=&TWZHRJSf_&ql_i{B?&4kq8{C84G*D}W28gn#biYS5eyEug~TpRhxe
zyvwJ6SOjxuzFqQ;P{Y&R-~p|!xGOYZ#`<H#0@n1#O7Wmi9BJ4l^YI#I_(<>EDHmvQ
zh0a{DtGm0`rr9fIrt!Q;z%^K}nX`ui>(yOITPe02L@g24hV95Bz~?y%KN@V_tg!B@
zIk9;QU81)L7Jsi||79+*E$b57s&$Dic9Y*~(Qpe~;<X5LZEGRmT3H*<16x}o%f3-$
zSvC*XxUz2zS7yOqTJd;8&f=&ZS@uh&8+Fd{djzZ*{vzOGB81u(R^`{|&aA|fL%yvZ
zXEx(PuGuKGMK>#Jq}uw@tu;DrjZSNGEm$LfCgNm5LVp-S;FuB19kjTg3(1<cL(a_s
zXAvIiO+g?1l>|CQuT_GR1^taSB=7D<vm&7YCeDuom=GT-T&%A{Ti`mh@-A-{4$T1-
zYl&N#e~VsR!)Jh28fMDkEH1=B%|uzcqf(&LVr<p=3z`{Q>b|#z={}>@^4zaOR5j>?
zCx6-8!yIC%THt?@tFpY@RabL?fM(qP_G*7`w|xKG>({gTFM9z2v$J+F5CVVx>vjC^
zKAsuzzk6MIbk2oGx8^+1N|W!5N43V}vuoYU>f#WK`PP;D7vhKo_rASjL5=u6nDnY%
zSc`667~06K8m`u(Qe|s_apL}63ahpk>UX)^fH+%tM}J$gYZ8%PtcTWuoRgEba{SQN
z&H9=3w6*`2IRrM#{(s$jRkDBocVG8<Yy1B`9&7(&8q}WwyBBa^jgWmEUh*~6Z>0|M
zb&U0XW2~#MaHWWyg_&p_3cAxhl1r;SDr>U-1lUS#%LeWKa8VE!Q|1s$dWPi=SD*)s
z1m3&ImwI(Q1Db^G-U25x?0?%&*!0taCxK?z|J%LSJ0<&ne|u-`|G$5ir=0(x6i>{I
z{Zf`O=TvLX0nr?)oIm@+B554vxv-<%WgUg%+D)Gs@*W9__kcBVF^gjf6u05nl$%*~
zo}42=&4cHvSwE|PmeK!hBf&HE|9<8C=l<)Rwf?`4=fU)U=E7cU{<Y>`KM(ZGum9(d
z1kBL?y}jMC{@?HQw$~~8|3031{Qvj2IMnUO?`Nr4>$&x_e%8;o@ciEZ00960%X;Ck
H0O|n%b*0dY

delta 12632
zcmV-eF{jR~YO89Hy?@((z4vN+|JCm9cfIXbJ9|6dq25YrpYg;(V*Xuk>AK2|`$`@h
zkzard!e}2&wl{DTrGJK4f{+^l2%nQk>fa8OxS$_M2<VVei3tUcE+pf42<U`L-~;Rf
zdU1Gh@-qGXER2VQZcsdiK5_}%#w2B-*X?zC8xP$p-_GNl|9=x4#voRv0Gj9j_TKL9
zUU~k%>b+Xe|ND5z7!RSpfzTBea1Igcqp{DsW8!lr*g$rDHr_zltW`x3;t(-GB;(UQ
z+PeN;Z25w06+}rFlX#e_5%qTzhv69ui9hY5lffyIXB-4j_0kvQjI#+*Y5=&S7AC~j
zb$kV!f&`(eP=A$rQT9<*<>Xa&yW49~<v9rQ`#jZg^Fgkv?e6x@?7BiS0SZE#adzeE
zLq~PVCz1LjSK&@~dvA7ylm&34XY)A>iI5!6(Mt8P)de0;J}<H`v&|dNo}qIX00-&=
zk_<5lh;cM#9FPE?gB0rLD?qV;0Nsp$YHEZIk(NrKNPln`^wCJlNc6XItab_83Yagp
zBo^0V%V%^zhA{^(Vu9x;E7O*u=V@YI#K{CpNZK>q+R(qB#bJ11xap%`f7^J5JY*KC
z@znO*^e32_BByu^8>)zh4r3wN7=`!>LfsA=1c*?{&=@2Ru*4g_F7i&7=%deHHV}G-
zuD=%^j(?(>b#OxfpAa7oe4oWssuA-!U<rLBc?{?o`kU$|_3uq&%OY$F3v@%mQ1z$z
zBtQek(UiqqbOBPaIKZI*L<Z_dbc3n>F&3cy=7`<UuBwkw$ypcz@2eT&<@ikBcmktm
zNc9F{19V~euuR)QO_*R@kFOQUGEFUM3sDmkM}K0(<Y9^5<o6}n-QZW)FZaJ{MA3-Z
z*vR!)`ns;)6uFSa!J!t{Or|VBPro!OEvPRoBJ4vSsmb7psgR%*bQrRm<8dUXhuJqN
z*Bqjd_*nGOj_Nwev4r9DavDJ&oijb>K12bQs_cjfc?$A|@#|FT<cJ6)KuR?^eHMp-
z>VLC<2z(VnphPNbBnlV^M43bZL_h<?DEj&0B>8*;sTsnFFU}a3eYEqR``deN4LJfF
z%28HK@y=uVp8kx5RO77$I{DEG!dZwZWUsK4*dLw4KV!ln$bJvm@EuGb?4wueulyv%
zlro8xy_@_Jv7j)GBNiM~3ULrD<~|6+ynky!Q>`2mDU!bs@}szqw$neyFxHCsRj>Cm
zvA=ToXAGkHQEy!NY$y4uytLhC#TRx0%DF4wS+a762(_+zd&#;>2GTvXS?K`ZPW4Vl
z$?jl4D3MbulS;i_KnT8M-2Nn42;2&;ChMVVnD$Xet76VV=oXjRv7T%l%L0qk*MEvy
z=lGTgDUug37=SPPsB_9L{1F6k2%T2+t>%c-yuI^Uyd|pH&<og1{W-?BA1Iz+5-R0r
z#{6NlzJ7Z`Lqg#f7RF=v38n|W4?_Hn$k9mvRBBO4bYev>ziOwKcT4(oBUyu0aiDsQ
z$ZAP<9Cg~FjfE<*&+J#mGW|X^{C^v*<3iPkg%!LF2M!x!5iT4ijQ%JyBI+tCuIIBP
zvb4UrR=DaKSF_4h*16W2Zg&Yyw=n=LV-A@>y#;Ax`a)u5x?7PqFU^~um3jA;vp7m$
z4}|_Z8IN<o!QVKM@Sggh=EM&dss}eVj5(eebV{*zeL=c<#@aoxvF|?!;C}~0pwepK
zIQjb`9t_BBA9dbeTzDf0$DL#!{gz!E{q!!KFr5y1hEj!rjPphP{DLwyuf)qubaedJ
z4{tZo$>|U8H__h?&QDKH-)^Gg^Yi!T%4AdfqchHKr<MuzL-zMZNN9Xpn2feR0&(gv
zSe2eb&rpD2%%}jVJ3*DEB7f<*BN*T~lupL&yG?W$#%k&KfpAg!OZD}S#?IVCr;LJK
z%R-QSv^BweD<oH2_7~SW7pRRH>!Sd!2&PUp%&Sc_fPitV)SHrrGvH$)gpugp>({T-
zUP<=JO4^OGOM2-Jtix8O%BpOWT3^83RXNifO1{`zsv?Im<6P4nc7Kq=QaVU}+DN!j
zdxoQ!6FRhJ0HMQ^A!X^$$G70e+BI%j%-3`Ye4J~HhsId?qvP9%gO$Ma9m-4?sWcEO
zJXxDgnLMGTw^rawzbbkY!exv@FPTUiH-rZ4Mz~Z#EI`f3GtQKOkUIB83ti#e5bDww
z>5P7U*#9`e{9{P2K7ZODpSx!Dqo0Vc782IIWhUb6DtDWzY&{Vd+=%SePQ=U}FPY*@
zENbSjr?H*Jj9-Tg2dN3KHw^@+JUOyc=^6T!>6jf3e?un&Bu9V_4vr9xwB@MYSYH?S
zun=TOAwXkH@el$;EL}v5BZpA^y})BY5-6q;VWEHW&7!U=lz$_jNKJoJ<m3q55INGt
z=Bw3KadM;t%hEE2jF#p@4!R@`e;^^4J<rcLO1D!S0#Ezq9y+%2H9XGvpM-Iw!!}!|
z?=O!py7E>oQ^&0M|L*>FDgL+rdT(zX|GSUpQt5?UQ2*itnH5US{h{^v1`vg83IUSL
z#0u=R?`~{dGJoWcz`w2`60txaA+e0bCW=D90uYaBe<NA`Wr#eFCjN~#pFgASIp}iT
z)a!x1d{L|zVxA|gUVhWTQB+!66r~Cg^yNzjdESju+iRszd}hr5Pa_B;;G!#|#i0N*
z=Ks##-cD)$zuw<{y`KN~@qGTg^&e<L#(lkVD?w0(%YU1(>K1<lee@q&U%qT?=wipW
z5vGA&(5VfkX&XSJ#dNvPpFI@7fKWi4RI<9Na0hwWd+j>t8kCuypxs{#;zX5vKLO53
z0O${8_ER72@9KY&vGJ&&j+YSw8t8v(1~(3Mtj;iGSXBI4aFH@ubfo!enz3!R6y1#m
z?sd7W#(#(tDhH_ZXW{)>bc(Go|F!@s^oMrSDgD*?O9yp6brxw68;_Z?s*K7LjhrT>
z%qGZ?bgRfd`urIsv%ES~UF7_dP$4n(&DUiOThF}NwKZ}c<~UX*2=&7_Xlz^!k3Jhm
zjB0mWF0NiJ7hx_vHdw49ti|eGO^aQTgqD+541W@lI7nf2Zh|TPO;M|S@(227%w(aH
zzkJykK{)P;(Uz9a+ICp!?dEy1lP!-=Ft3qhf5+pnp+s7HVYH2Uh~h9zksSlZQHsM5
zsA24*41tjofQ-#DOheUPfo|xJIHp5r{0^n)4%N{$O)9nSp*8f~J~P&Tp9fw(5U~&@
zuzzv=-`?Bb-F;nL|97@`U+=Hi|ND4KlPw)*>mJlI!1KI~JWd!#1a2iz?fmFoe{WRS
z_Qo}#LEj>y&aIp62(&YXFuIWdqxvQ1or%X~Xq_QYtsbvp5(dBv`f<|hes4o-I3ga7
zBF-id6xC@TbrQtbkjPPd)%Dr99K%yB;C~c{`B0+9i*4=izv?8wAHwJ*8H12`9Q6^6
z!!V5rO>~ec`8wBi!oZ$w$83lQG>~X$B2jh43|ZS7rYCKH%YI<pl|ugHc=?Vb5X&&;
zIIM7IqJ$&HO)NR_(M{|NLWgmPdHJ&qgoMu`=%aKm7Hpuzpwd)4goA(>N7I=yjeme2
zDjJy|uz(*wp#kxgW>G??eM+_}wcX@^gJ~WUC>i3Q`Uw!WtaYt_>>q;BGb~4a)HU17
zuKxOxeGrM;%?#6d`DdwPq*siEfT@$m0m6vFO~xAq2t*MmwrMa?c8L>tqd4{8>GtVa
zfX;q7L<7#o=w?Lxk;PLb<ZrM*FMk+M@Ov+lI$Ujy!0#HGU9~SGLISms(8Cau@u_jW
zXYIexh0lIDEHqz8Zm?MH)~BrD&<qM__iRI>^}ltggsysuLVC!k;uf*1e}FHQb!<Z6
zgboXzXLF>v112u&H62hY)v`0r6BbQd$Apq`JVt{2uG?%FNL|cEUPse_D}N(Q4R=ly
zas%EZ!&=%e$nRw#F8@A@^UKoEltv=NLL_efY)e!uRM-2HDyeFx=ijzu`Lv$hqTooD
zPNQ<kw8L#trI4tdyF~3>Sr?rdHxyMSwH#ro^cfkX?&*Opsl*WbGR9#zO^Mop7RKeJ
zid-={DzTvVoNoRlLqJ8$vwy&V{vLBc5hG?IV2J?xBgEtgco+TE^78YCi%X?`46hKV
zeJJAwz>9|^wL^q$f4!t#v6u!<F6+l~uBnqQn+DmfhDx{5Bh-^*3`O-P@iovy3}YGq
z52txWVi!wfkWcl^$}if5MjTdOm=>fM881&Ru~oViE1*F2U|2)Untuoe1ta_sjB!5;
zdeMWklV5f(3O}P__myOd2!wUm<as)6^%e_=5)*5yDCsG7axR#Zb~jTBK3hAi65B+K
zr-Cn;D#F35)yN1%oJGJTDTb_aW?~_bRcPCD)qK0RHTyxMUaegLf$cG)476cj)vz9l
za#U@AFiqrLqr26HQ-6#!O4(<00$i;%J{wZ<drDiY1XXG7cuMwYJBH%W1m!mMlpf<L
z;-IxkOmp<?VJY;pGE)d0u<X3TkjTV5_StwGQzEAZiAb(u$+*}GU;^QmAVUvxe?%ns
zGUl+QY+KDb)h2Rx96U?o*3S#PR;HnOv;o;L0?LLoLS;TRt$(O4$>+xxmubjc4@SB7
zOKZ8vhCp=~p#$J%5ViTEmw6g!A+-TSlIfIGR^zKNk*TB$t+o&Ko<ZA&8rT+e(FsL|
zcnsko7I5bSpn6((s$<&?L1OpU4S{-J5dQ##wj%ry=Gd3O)!g%inXu{fO&9G_pIuF@
zhH!R-<K&FbsDBTU6kAreZW%?8?uW!P*B&B!5=?!!*c)!WpgTkhQ8mC_=oTw!s&mvj
zC)Dbp&Hrq<D4%lSY}~C7Md(rs9f42_IvI~+sqtZWAXAOWXg6y|g+_f-^xHb~+f}&K
z%Gz&p4KEqjPNE2%xhU0I*w$dpb|N)YbKPwfY1ZLg(|@ySN23&o5b@ZUzE@y@0yRW6
zd>{?=B?yAjLYL_A+~^q&YKUHe4qTLXlj#|hWaFYVxMLgV5*$=7JnrH(3LtrEw<#?I
zrS{tzLBTccDJ<sgcV(DX_jIntW%faJ;Od6RZY^u*nsL*^#%MUTV~0zofD*W$GS!x=
zyoT(OgMVpWnx3k>WE9>HT=*THo<91uQ#<oJzs>lvRun2<)@;ybXx`_JEuxk*Qr+k~
ziaI)T*8b8(M%Sn;hbxyF31J`+C83(c#JZBq9?mSFCbC%E<z`YC3-^RSKtnPCnxGnV
z^&>n1G>$__qA;Uu7%o=eUL6?CzKVe7FcDqjVt*;=y;NbDdF`4OxLEIIiG=ZUWXq%4
zq8i0)j>fu}j3v5BdJhZ1e4>}s0t&?F&V2v28~q$Tivz<lPdQ;!kBaIOeKJ^%lrc}+
zikMatdMAYKAm(b&R(pY{9@Q%VipH2<S8OQ5cGAvGvuVu6NOL^EB-E6LKtVftl#*12
zVt*IulQ<5V*2cDII(;n19?zAj!YY|js7V#2YM}%?G{%#|IIU<bvt4d5PfdZGU2m-Q
zm~*vODC3fkQ-=w5><`Uz$f&Xp)NUXa*3&Xg_nB89Z`5G4b)Y!+9zyl2i1oRqK^&qN
zS5vi{Apy2#50>+}X-c)2y-L9?^AcUbKz|8VEKC&@hl~BR)_`nwzs%Cq&0n`r*v^J#
zU7Gi>5#ct`oUXN#frDnI)d&Qeh{#lRi%fUB>lk4@WgJBHB+f=XoSH5*u8T$kX9}{5
zPTyZ1yVUk2LwLeSfFdRYQQHLpe#{LPR>UASk>4cJPEO|&a<^DJ2(Mbu(cHp5hkwc{
z#?xj9c)n;N&2ol6(WQ2C-m@A9W7)BYPACed6px9IMA@fYZ42_TfX$p1Pgk`83H8bN
zw9b^7%9+9ZlOm=&Nfn<|<2tE-M#h}lO|M?+I>j}r<DfY_KRZM|4#O_`K`)d}&t5|-
zmgQ5G)4aYTLMEJwMpl#Ef&nBT5r0P!<7!SwZ7Nh%ig7j>wc;S0>X~%pv=5q9gOD-3
zrZyEu@i8l&@$tGPu0i;LbH-;#y)Ki8dx(Y71OoU30{be^XBBdiWZSaoXfPQdOs9qI
zSemzC1Yx9BO36?hDdRMR34}Sp6fZ~@x-PPLAb(c=r6Lu8PXbW0Q@f<)2!EzIFRUaq
z22^q0YFWZWOQNxda-&hq%yESU=wuRF8%!fTdb(qrTMs2K##!N<dq%{s0U{-=T<Zd@
zSd=waLzMY`%tbN`#YvsIlRiW&U6|~gGNV_wElmyf5by$Ss4)nU9;hxqMYF*cE%<!{
zkeGyN1eWTYD8Lh$tJy}^Nq?deyL4XKRW{+UepjcSkPU}wDyzkcq+Ta##|#sS1W-XF
znLyt9bSyz=wns)fm!L|A$>!z94C@UR`EGMN6=v&>nOrxx9x~*^3=NYN%$Z;<fEcbW
zbU-s)i)Z~(*)SE_ES|X~NVEG%vQM!9*Q(NX?QC8t8w`vl3!sKg!+(@hbG2AHXD*bk
z6+vzqgYJgZ*et@NiRxVP7&?x1)=3nN0b3}DY9OH?${~xURke!7$#+GHdZ-F^<76pG
zeM+XhpPd2daLc_}kW#Tv1}YEmXq*WydvX~wQj3_=<^j}EE&Fsel_1*Nkhyu_AiJ0i
zna%?T#hFaboCR(JsDI9Y)H&3QRG64~?LfLjUXOy6mt0Im12j(GYmkN*V?8k1?__31
z8NX9vmFQWLGilSAn)}}9(bNl-%uttNnzh~54QQH|5tb4-?W6zm;^SZb@LvAcix<E4
zy#M^|FE2iJ^*{dO<$t~WBl+VmFJHcR@#{}Nzr8#={*Ao+<9}BgkFU*Nf4uk=j(=-O
z<mJo%`cs9KTQ3LQR69P#Ju~mqgW<W+aV?Wof0?JdXruNkV|VB1+kImGm-woZ3dOqB
z%vt0$G}4U{{3aoh-#ip@4S~ET2;@qkkE??`t`h3_lpu~@Ewu3pBsTcQXU5BvH!~n9
zke<Fw4vU(+xqm67j0hAc&EjX;{TVtqJIQ0e%y1`!IQT#&YT3KNoa(rmO;4e5XNq*h
zsIbdnMm)E4TZWlEX(|fQ&4g-df+~|=qtpZ%V?70uw&nROR!129o1xQ3oth&bTM3ye
z)-&V!|IrD0>nW5zHrwBa1Drk~nCWVOrE4f@J(P4s;D6CIT(k{b^d11Bj|&p|)BvE%
zLOquRbuJ0tTpFnP^+GaN0KQxvX1O$=@(!Vs4}w=*7M-{XEaLLW!=-VC%c2Tbh#|ZK
z#Ne{{z~#|^-xBt3#c02~!uLI4MBnoGy%nJKR)Wo28j1I{irZtt)U66Zw<5gU^60qb
zv2ZIvzJIL<=k~-=Z7adBEst1R9-p=XG}<b#XOA0cwhX3hjUIc<=&==G#a4n0dze*X
zHVaEE63ZgGo;ZGM6=<!M$>NeotmP$fX_VE9FjdPUsFuY`t<h1dLPsT6dgb6zxu2Tx
zQJEJ4`#wYxg41&TyN-!wCMoUopFX1oQ)RAeHGefj@Jo`CPW`yfS2#Ogp>G_Bcb>H{
zL%-CeF4QGv<S(?`8o6?0G4#_~(!ZcNwPEsw&2M;^-eWOea>E?1!loKFf^NF}DF4$e
zG|3T2;A0)$OLio6-jZa?AxE6W!y>HK<ps^$&H;oVliQYw6xK82LLlgZ4mgT_Ll`wz
zfqxa->w4vA_v1~pW&0})<V2X`u^Je=I$($ABkx+(J`iQ~3e&|ooJ1vrbCA^I&p7N(
zvc%=qYp*@ZQW%FIp;b435{GjThCFG^0Z~S?8yJE|fV?QJaq9$M4m-Ix3me9wSWxZ4
zTWT4XtFfqa7Sc5(vh|t=T^Rc^9RV$@oquys`}vL@v5r<a&?y^eX`y6q<8)gm+SE7=
z1d2veL3|w69sFgq-tDP*yM{=1Q>I!~UaF#&mD!b-6n65s!3{v;aXElw*e?BOI<l2O
zrdMXx31WJ!Oa%~bTVqS;9vfjAgj#J>QqDP~t`5Yp&W`t3;ZE7YS{#VH!ByvstbcVK
z6d^X*(yfQ`8m68Z$1#q~wzwpC$#Pt(E=Ne;YLG1HS?X_eIRXKBHN_(Q&luDaltWW2
zwiR>QTlz)bx?I5-mbRx>9*xcWt=hV4<n`SkuZ;jL1HaZ3R)xV{WG}MH9mvY}9glOj
zvBr5PeR|hBiu=&v^XwW{wNJQ{oqxe9_5x4B`hV2+{`v^RS7OtD^;UfQSj#%P^6=3W
zqr>kZypnSx)dpBhnOPwg%W{2;CHvQm&`QeFlEIa)E<Hl&jJ(grky=#?!S0N0igYl(
zfvx#Y!mBPET2(T8pY2*&Yb=jcIpr;oMigj!FYr9OaeefD1zYmkBlm|FCx6Mhkw}q+
zk7#JD!w}2#_PmF>bz7EnpERTk&~|hY2A;Bg1tFtDu}pG<`heBqJhuU_m)+(Gmfea~
zyC$8(K;Q4$(4sjSV~)cu+oI)KqIqa&&S|O4*A<hsJygPenG_YM!>AV!aour+ZPKF-
z&GYjScp=JxgLTYv9kzLdTYtP6r_>9F)U(NC@T84Cp;BkfK4#)}0MsMco7`KKcFcBh
zwOE_7r_q(u#*lK*T#0kc#p{aPW%G7J3kRBm<ceHs4$AGFY(Frbz=w6pB((`8M&~=|
zrv8R1Xcxzljj^<3TnOXCi<1VD5;zhh03YXZ$3?5SV=FY1G^oF^$$w|u#B&12sdeLn
zQw?|Gk;SG?G~p624f0LS9_Krt5UZF+s***rK8-`w--+sco~X|6iJBqnF8?QL?*nbz
zcsSZTzap`xsBCU62gx+W1J1FRM&dI0LvKNzh4GM3WmLX+X^`OqXR2sD9RqtBy?%Te
z`gP$1A<2oZf}7w4<A2%C^reI0nrVy}ucZA`y5t|RkXeQ_obwXa%4x~$yZbC9N&A1)
zF7+1YmWm&gl3M8V0ZEBZB<SQXo-IB#XBB2Id2U%!Pm;$Z>t}bbrs*Ra2ODLmw!6qK
z(z?U*#a-QP-rLTuQ3zSJGc&&AW!#+Ut-C=Ht@I+i<?l`_N`Gd{3)5-}8=Ya+n4eiN
zOT}E2iYH2Zto~g*#&R=aImm#cpOUlG+WJ=`Vsonf`(OX_0|~**f`9+(f0fqx_rLz<
zuOaiV|NXE3ZJm(2hz7CB(J=R17>;viTZ$v>qL_|(Nf<CiIE+Tv=CGJYtuL1GWmZO)
zx@@wJM%Ct*MSrJhZcL+r(`A6r;bvXcjvDOA)Wk;Dr+}0Aw>HiKG8ll)s3Ab7%QGgq
zSy`})q=@~|X8v&Nm0F=S5g&A-1nE^z1us4>=ir!<4Y`ocVNlXvPIs8gP*}i0R?gRR
z5rN;GmF_eD7(pJJHQe@Mig|JpdTx;~_9VD#S4IND!GAYVjeMfRD==9koagxFGj%r&
z6FN~=JO5+7)u*L9unB2$?2d30L3``OL3vSorOw%wJO%kXI6EoB-0V;~cZ)MuZrxJt
z1)W{@^OJ$8jAywl37DZseRqgZApr*sW)ej}CE<{cuF+k_gOy81fHmGq3laK%FW#SS
zy=65d&3|}dod!T3xq~rKxvBMs$!MfA2VST*-7%(Q077<c9l*t}JHOSL14?+|7LTJ4
zHj_YHYJw$mhzQdiDMhXD92+Xz11Mri((oJIT(vwZI}uwCUP!K?k2=}`p0W8^N&gqu
zg&*p9VX_2vRH2SxE_ILQ7m|!g<2>MGI0X0I4}ZvRlXQNkmrA7*wIb(8P@AkLU7{;Y
z|GM*AEyu<FQtLR}q8+nECqnhoOFJXQluCT7YVwt}QP;CN(VL#l6J-b};{?LcOZNUZ
zc&d6K891BH6?54rt!awC_ebyhhBGBlLz?8c8W5%XOv0~b(*hZ{Xc8mwN0<)Ne1n5n
z#(x|ZOVLpE6eo|vV_a4o59V`i**MxRPvP@?q^+@WO}RhW1o(u&&DIU$*Mtr|C7Pa1
zm9(YTpRH&5KMS`-FJNsOR9NlqvQ?@cv9(a6lF&l?b?o^?0#hn|Te6H&9a}S*h(Kc;
zK$be^jzw8@s7?##Pd$s-@h}b4zfG!Ae}B4A55}a`^!;#hbUy+flZEDL?UuJLiC+y$
z47reEs4nfFS2fEWp`8c161d*@`^N7FJ-j%{JMvxZR$Tk*J3{Bmot8RAYTVz&ENVp`
z3D_)5Y4|>KgP;$T+&b4b$^`gKCs|Y!f%+^kNkuV5gv$NBE_zS(_nQe~Y^)5Y|9=kL
z*O>n0&*IOg|82XjIR6aKv{0)c${gSR&(}S#x9#<|9Ta=LzW)E{!{uRpb~w#zje5(&
z&a&shE<DZWK(pIaol@;<%ZFC8!mn@Md{Vj7@Z-LBv$QBVmZ0_Bo8REwn{CsxH3Fbr
zEwYg41v9ca9eQ(1bR|vNOhI`7d4Hat$(2g;Qu*F$Bc@AbfOEOam(L03v=rNBiEFl=
zZ0^E7>dj?X&5GwY#qvpg5I?6gTs=7xU9wm=*3a>gTHH-sRE?8~pxH5(#C_u{RR-IT
zgAj8Bz1A0ou200weIjOsCt<$!6EN$OFZX)#Wqso1F`sx@XJ)yh%q&)9mVe64VrZ-^
zJIkD>lD?v|Nb8I!=2@qW_`1&&ea)wc9?0Zer_X75vS;aYJS#Z0vywA9bDYR&wBw%e
z0i30e+bn;$=8+$zS>3^zr+Z9hsRJ>~9DVsZ54kLPoaHg!T)XHwhE<<hSo(~@Q#p}v
z59be-KW(tevjxkZBv{qCfq(TWf$}MVrOpGa1o^)l#(!Bf|I)bql_2z&!QwB2x?cug
zzedu}-MBT9evPDGW9HYG`88(#@!kJD+eP-x-T__=DlUUsUmBynEF%3Y#h*VpwE6n>
z?Wc(#ztg+7=R}9E@85n*_iwKR!@VqGdnNen^*!2O?LFFGDMET_Jb(1E=;z0Qb$+DR
ze}De$A)o>BzI@sEZv8Yr`1hE@fP~=rf_O$FZAlnM8pO4we#{j~ujS}Y@i=T-N3YlG
z?eFdB|Mq&l(tme$_jX==x4pOjdhgZt{;S>H?|M7C+q=E*Q15P=Zk||3%)jd`U01nr
zU&&*p+7Uz{n~s6X(tp)1k=UAS7w&2?P}k3&QTG>v*~<xqcCLT<vXS>j>Z0cm0v6EC
z{EoU*h_4{Da~?<0Y_bTc$xWyq#sQ#CDw$nFse`)c4@3zK)c$i%eWS|jrQ1Q*d}K=L
zFD3gs9*5`;RHmTR$qZt-J8TTEg-dN(R**p9I7A`wv8d~j<bS=XNk9m`Ot!mYEd9~D
zT+h~aTJqgHN9XM)9o}+egydMl&_d$OlHvX)DS0`K?6--!vHa(RO+8_uDRW7{_gN!a
z3s_pkAT4>r_;tu|aH5D3Iqe$s<;hWjyy7G++9kH^RxF^8I#O)_3iMluRK$XJc@eeJ
z)6L}P`#A(OVt>IwSw=PEB{`j43o3y&M@-05kgDx<J)A3&)vW9Y;=_Tjci^XG#Zr8o
zqn1&iEP#uG^lS5>;JRj_k3vG@+s59>Q)=DaHS&_5s4;y{f5t)r&y`n|d7On%ys2ty
ztP7@=Pfk?YS9WOrJ_|907F8w@h)9)htU2O@aU!P~%74WgyPj|Eck+BrWbVEo0e-AM
zU{u1b%*IE6uXdGZoT-_cH_(mVIFG3$V>mL04;qI}vJiM#qH{mCl;}pqKG1iTO>;BG
z{xZjOsSFz#;~|{IVR!*P2btr({H9P#-Pgs+D_X|<kj1$3w!T@=m7$jb_xOfocZ9{6
zQn0tEvwzhoR^RmnIm^CKYZ4PgGCs{u4cneR>f~m&`ThzEIERR#FJCI}nrQcDm6mvj
zzI^GJF$e{;<Y#qt7PSLHm=8rcY}N55Z+1GBAGH~dgFx-<-u&ss!O_wA@x{eUN5K$q
z0Nm3$i!eI7M0V}&n>w4!K}5|&7Rxu=JH4K8ynlyV$+2fpV_vd$zbUSFX<?;%JRA}4
zpOJX;s@GKFD&|7I+3vXt4FJoSgEv%rls7*z%J|tY=irB!j7=D@!T``oc?9g4F4Mzh
z*qIvYK2rN1^?zN#{Ohs|srhHm0iapp5v65|k}<IvrDG~95;9i5ngeQzhZ2W|d&L(>
zFMl9;CrJJ($j@F`cNEM>Td>4#&V<_DDKcEE)YaqT2w#zqI8RP+7L|YV(80TRPF0l8
zgw?2u(uir=?HAdntI|nxRMKz#+1y&{?zw2Ex7uo``%zFOExOuy-ZVWMCZKxiXYXRu
zGdE}tKRr1J@_TD5;oOv7xrN}Q>s+aml7EX^220kp+L`6F9PVSfJ@?Gb+@6^j9-*-S
zPX|-qXxH!a$_F|7K~&!sSMqc4*#x+O9v|OESYImq114e2K`-ggA9hJk#&(hA{GRoN
zW%XfoMMx$<K?t?AxPmt7BKhJ>eXv@M(LlO7k&A^F)Eld+v5od9?i}i*+?3R#k$=w2
zU6Bk7{BxG?M$N$@FNWes%E(JjD8C7rk3;oY-|Y=5HgyCzl%q4oWx8>$bg`{Pm-HgW
z<(ma5m%Gvsp1j$aOBEEWdF<Mt!0p2-gw$W#Mi*qx-IeNr8nV?HnH5}c{x4foJFCH)
z)J+C9d<PQ<-5dLKw*KkG;l;_P<A2kmv-c;bmo8Vs7$hgYNVQ9^tN&lk?6#%tw5!?U
z`-~3Au!ixhfSZ5`Q!0td6R@Xatux={S_xUKan=Je^n~`Dd1WFwE_CrjUD~+WPUoha
zSywH|H#lNUmKZM<z&$(!DjjV%Wj+Yt2daddP)5NM@nAr19fab9#Dy;5CVzy(kllDN
zj^wn^12qlS#gA3#!>s8g${Gk$7V*??sYI$S!cdetr?bQsDZPt0lgwvfA6*`vC2EPn
zVk==QR+|<n7vHAD?=$(X=!-%{#a<m4qxy2hL5x@!^wF!rd$pjy1zFbWky(-wj+U|;
zOyH=GQfr}H*MePGXF((s^MA}c>;XcFBse^R5Kk`*Y`Kqiix4DhI;F3-i?1W#gaz)8
z>vt{x|A+JAPlxBnN5`j^CkO97{c!T`*tLiGfip)o1vB-2#?enObsm#-gzojSbI3u*
zDslJ&3E?myQ|&$VT*I`lg~0KSMdoN~E~!+xjroPfy*-O5x$SRl)qmTs)d^}<mOi+0
z#@X!@bvo6VX&CtN^78EB)7km^|L^ba`m3riN4G?@Mt~YQY{TIE{LRB&QQqFZ|8#Nm
z)2Dau-+p>`{LAsXwzX=}dCM-2etMT#8FSgtnay*r&hhfcoH4o8#lQP3nmVbNS2L)9
z^m8YswrU8)96Y~#w|`Vshw5l`Hy}cChB^ZX7{|2&BSbkDYMCz~!Yv=FseC!$;5`ke
z4f9oq(2K6iy<4szx+Ysb_9Tym+|uzNzj~v4Lv2n$U0|P+O4LK_ag4A!BCAd*)JD@0
z;WqPY@e8NK&G^D0T53tHo>Gry3#^I4AL(QRj8ETlgQnidkAK&k66==MnH*L{w_Y-5
z5}P5WIVpT-P~JU0bKyU&?w<$y`Q1$XXK%Z=`?`ex+}YXPUE@FR<MBMN0QszB(cCZy
z(Zh=qo1nK53|icSmmr?=VmC|JG)2M}#IVuqZb`f-D0duSo?vS7eS&hsQeuB}o?b3p
zv%xKtGA)Q$aDPGv>^;?HOuG1))#4o)fIsy^eWi4o<oisGg-EY}_0VxNf-!IntQv^7
zoW+sDs<NS!ZlQz)Sh8!N=Qc-VQVos+0@PQlM@0HtTL-H54vsEW+2dQ2LE>A|gx}^f
zm;Tov!W%*Zb|XBs-bS4HAjFInp;`ZL@9phxm-PRu*MGZvYyE#8kG1764Kld18Q?BZ
zd=*0V_gKJ>%GNStf0%*_m9DYJ2{4Qqy?_Ny6C{-c;&g?F30zcHaF!q;yZk|dgwje+
z5t#J97X@U#TB-;ge$cNHQ+bSUKTtfuBvd0_=s7jzyT$iO_f<gtx@;BRKl6A(yU|+a
z7{h!g41e14GyhqH+Hqe2)IUe+j&T0-;q{d?G%~s(?6&!??MVPzc|BK490bVY!t3UD
z4op7R5d+26feUx;U_U9BQQhvL7C3&ryq7@yj{vs5s&fR%OWRfNqujnC=Rz>cTE$Jp
zV|pMy2;ip6I;WTD;KSvQ@6S&z|Nimg#osS3kAHtoB3Xq4F*!PFR1O<J`0D-F7#PoN
z!sz~D<kd>cF2vbB=sM4{&2dwSwMXm*xEMhgcH!0maQ7=eox+WGB4Ld5|LR3Cb*v%p
z49gKZ?0@_?!TjULkX(KIs8m)6^5e%y=YbX<Kh|!qKYm2s4~+W-M()hP*>rkDYYxMl
z$A4i+lo8Mh9jZPw8~XF)v(?J<%nGW4=K5qo0LWd`UY7DYSyfv%=eU$bw+2;G1f$M^
zh*+^rYtaDH2+Pr%KfO3QKl$bO{L}gI+fNto4}bb}c5wNli-wVSCyBFnAKspvY7$2$
z=dO?2;=o&nARPvvZKRrd$?UA3oHgh>dw<!Lqf6Y}ETJ75IVkq%B6WYV12z5l(OJV!
zAO3p$>Gb{4@u$;+pXZ2V>+~x%A?z&muC`3|Y{^~Gg<5HS*A%N;37W%DiC|<gC<pB|
z;_j&#7Ii8&rDSGEOGR6N@991C%7A-{8VTO~=|yoa)+z8Rd@HZ{9te@Ad*m*#cz^YT
zpBxHLH?<A^E)_9+6@oVenVj?x5=-&M5pFO=--5IW<5jsvqIv(ZXC26O=S5opPmP1B
z7IOMT;8sbmIm)aOc6BE<&l<6{BE;5R7*u%&{bc*DEUr~qR}X~ndBPdR7LNbTfdZM4
z|7&Nvw^Pplwfky&9sj$Jr$zkl1%G9-brA67ItsXs0<NQg>nPwl3iyPgfU6C`J%X5G
zQ!t}+XgzCE%kv0_{f~7g60C<iAgzKU>$C6+o`s(~dQm<Q?<i7p_T2dE>QAHHN2KDg
zuYLVahySY1vd_Cydqii>*TKn$3r;?o*rJ|v<-D$ijm~+Fx{=zpXKCTKe1Cy`O^Cp7
zv(*@xb$qZu4>+leSpaX`q)IDY%_-RZ=2Nh{J+~0tt%iF{LDeS_@|>NvB$1)Uyd@oH
zCzq#Y#V)F)=P;|1&kM3Vi%7ok5)0fq(EH7$R$0ep*Rk0r8k;qY5*iYkCilCBsb{W|
zHurlbDec|NpXhH*ML)sxK!1PuHzG$#)_ixx%SU+UOc^t4!{*$#x5>bg{eI_ZS4uAn
zSxxe9)~QS$QEa{0hFu5ApLme`@g!b(I(ENJd!grfBLVkr&E9!%JM{*_i%0}sWpHz3
zK7Q<eRE0j~J|iJmuX*XqY87I9wNM@EyV57mkQ{*kt-J)n9MVhSbbkygKm*40y^UBB
zy|2*M(ZcjOH<yBzh%p*YlPd{zxMqZtYv$BXS0FK(*h|#yO@oIQCrGo`x?dHQB|5kI
zd1DXHUz_RX@^@beKE?dIHUrHJId4jw(pu=-3jCavm85@VlD{IUpGV@C>E<G>xkP`V
z4tLkr;AUy6r4^_!JAX`2v`&kuh$<|(SER+cnX7W=>a}!FG&modxT|Donz2YW@mX0h
z%RTXg0de2hGdKQk?(9!9@qfMj?fnw|Z+rjs8vl1MPbnm361iFA-zt!NHZ$BxaeP&p
zD?srXqRV6W44pNCuV$Pc4!`H-X7T$(%faOPyd>1LWd(4-lz-5DTn(D@p#@Yp{1bMF
zl6UzO5Q|_A&9_V55o&n48$6)Z6?cUO%vgVnSiqXzSScR#i6af$WIkTw3?J#8JLLi`
zuF#n)c6E36+BAE`%ru@C3AhI9HFNe*V7<BvX)DE+gQz9K+OQpY1o%8h;YWkbn-$i5
zH77Q2p-c1@!GGda?7z$<wq;#nTeU8+#cuLjEgEitOS~3=u5B#@Tq|qid0=a6WZ5^0
zEX(HM8dvtM;mR!dODi64$XOiKBg=ltbfeBWevg1P!(Rk^OoUMT!m9il-I<kma>%#U
z<IHAU$Tb^<w&-SMjZ|A-y0u29t<h<1t_5oZ&_tX}NPh@J2pltFxq}w>b0JyNcF4Io
z;4H#Jy(#FUzmh=5=(S34vY@}whUDGdXjUW?z{L4+02AUvg^TrdXbW72R^H{!!l5~!
zVl8ni^Ka3MYxoS%O2bT9oW+GWsF^5BcT@^=T8yn)e?c>2OWpU@Fx_X=TAurLh^hvi
z@Z>L>dmLCSRSW!2a#fa>yXtB#5YUYK-(KzS?UwU@^?I}VFM9z2yR&vN5CVVeSL^uS
zeLOSbfA_lb=$s3WZq0e1l_uXAk7|v{XV<!y)x{we^Q|lQFT@cG?tOd5f*SFCFzHpj
zuom6CFtm|dHC(MnrOMU<<HY^D6jp67)bDb+0dcnQj{de}*CZmpSP!iQIVUG=<@lkk
zoAop6X>0#4a|mpf{r|f6s(gR`>veB`ZU5iLW9@%TgZeXI_W};A5wfqtOTLEst<*uj
zj<McvjCJ)Dt`xDeFcYmqL3g@Ga%r_kWlh$f09&bT*`VDYE(+pe${b=z&#>I#3iN=H
zz<U?@Qm?LOK$EcDTi|4d{crmTn|@mGB+v}|f4ld3r)2-{Z||=C|M!3Ll=DB7;)$8D
zU&=D(oNCQEAeuv!^JjlpB#py77k0F}tfO#TyXiAS-XlTr9<U}ZW^pWm;x-(cax<&W
zlXE1fdGK5{>u2@PGWx%5BzUI&->;nieBJA<_5Xc552pV!7xr57uQmVrd7x*0{Xc&s
zV21wh?d_KJ|9-FcdaWq`@8g-r|9^jrL*0J-ewK>0o?AcbXZ?H&&;Jbo0RR7jJT`Rz
G>Hz?B7Y1tp

diff --git a/pkg/azurefile/azurefile.go b/pkg/azurefile/azurefile.go
index b9b3dd7d29..e6d36d22f4 100644
--- a/pkg/azurefile/azurefile.go
+++ b/pkg/azurefile/azurefile.go
@@ -192,6 +192,7 @@ const (
 	FSGroupChangeNone = "None"
 	// define tag value delimiter and default is comma
 	tagValueDelimiterField = "tagValueDelimiter"
+	enableKataCCMountField = "enablekataccmount"
 )
 
 var (
@@ -221,7 +222,6 @@ type Driver struct {
 	allowInlineVolumeKeyAccessWithIdentity bool
 	enableVHDDiskFeature                   bool
 	enableGetVolumeStats                   bool
-	enableKataCCMount                      bool
 	enableVolumeMountGroup                 bool
 	appendMountErrorHelpLink               bool
 	mountPermissions                       uint64
@@ -292,7 +292,6 @@ func NewDriver(options *DriverOptions) *Driver {
 	driver.allowEmptyCloudConfig = options.AllowEmptyCloudConfig
 	driver.allowInlineVolumeKeyAccessWithIdentity = options.AllowInlineVolumeKeyAccessWithIdentity
 	driver.enableVHDDiskFeature = options.EnableVHDDiskFeature
-	driver.enableKataCCMount = options.EnableKataCCMount
 	driver.enableVolumeMountGroup = options.EnableVolumeMountGroup
 	driver.enableGetVolumeStats = options.EnableGetVolumeStats
 	driver.appendMountErrorHelpLink = options.AppendMountErrorHelpLink
diff --git a/pkg/azurefile/controllerserver.go b/pkg/azurefile/controllerserver.go
index 249eb2ccdc..b921140c89 100644
--- a/pkg/azurefile/controllerserver.go
+++ b/pkg/azurefile/controllerserver.go
@@ -278,6 +278,11 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 			accountQuota = int32(value)
 		case tagValueDelimiterField:
 			tagValueDelimiter = v
+		case enableKataCCMountField:
+			_, err := strconv.ParseBool(v)
+			if err != nil {
+				return nil, status.Errorf(codes.InvalidArgument, "invalid %s: %s in storage class", enableKataCCMountField, v)
+			}
 		default:
 			return nil, status.Errorf(codes.InvalidArgument, "invalid parameter %q in storage class", k)
 		}
diff --git a/pkg/azurefile/nodeserver.go b/pkg/azurefile/nodeserver.go
index 3e4c1d49fe..8efe6ca583 100644
--- a/pkg/azurefile/nodeserver.go
+++ b/pkg/azurefile/nodeserver.go
@@ -99,7 +99,16 @@ func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolu
 				return nil, status.Errorf(codes.InvalidArgument, "invalid mountPermissions %s", perm)
 			}
 		}
-		if d.enableKataCCMount && context[podNameField] != "" && context[podNamespaceField] != "" {
+
+		enableKataCCMount := getValueInMap(context, enableKataCCMountField)
+		if enableKataCCMount == "" {
+			enableKataCCMount = falseValue
+		}
+		enableKataCCMountVal, err := strconv.ParseBool(enableKataCCMount)
+		if err != nil {
+			return &csi.NodePublishVolumeResponse{}, err
+		}
+		if enableKataCCMountVal && context[podNameField] != "" && context[podNamespaceField] != "" {
 			runtimeClass, err := getRuntimeClassForPodFunc(ctx, d.cloud.KubeClient, context[podNameField], context[podNamespaceField])
 			if err != nil {
 				klog.Errorf("failed to get runtime class for pod %s/%s: %v", context[podNamespaceField], context[podNameField], err)
@@ -187,13 +196,13 @@ func (d *Driver) NodeUnpublishVolume(_ context.Context, req *csi.NodeUnpublishVo
 	if err := CleanupMountPoint(d.mounter, targetPath, true /*extensiveMountPointCheck*/); err != nil {
 		return nil, status.Errorf(codes.Internal, "failed to unmount target %s: %v", targetPath, err)
 	}
-	if d.enableKataCCMount {
-		// Remove deletes the direct volume path including all the files inside it.
-		// if there is no kata-cc mountinfo present on this path, it will return nil.
-		if err := d.directVolume.Remove(targetPath); err != nil {
-			return nil, status.Errorf(codes.Internal, "failed to direct volume remove mount info %s: %v", targetPath, err)
-		}
+
+	// Remove deletes the direct volume path including all the files inside it.
+	// if there is no kata-cc mountinfo present on this path, it will return nil.
+	if err := d.directVolume.Remove(targetPath); err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to direct volume remove mount info %s: %v", targetPath, err)
 	}
+
 	klog.V(2).Infof("NodeUnpublishVolume: unmount volume %s on %s successfully", volumeID, targetPath)
 
 	return &csi.NodeUnpublishVolumeResponse{}, nil
@@ -246,13 +255,12 @@ func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRe
 	// don't respect fsType from req.GetVolumeCapability().GetMount().GetFsType()
 	// since it's ext4 by default on Linux
 	var fsType, server, protocol, ephemeralVolMountOptions, storageEndpointSuffix, folderName string
-	var ephemeralVol bool
+	var ephemeralVol, enableKataCCMount bool
 	fileShareNameReplaceMap := map[string]string{}
 
 	mountPermissions := d.mountPermissions
 	performChmodOp := (mountPermissions > 0)
 	fsGroupChangePolicy := d.fsGroupChangePolicy
-
 	for k, v := range context {
 		switch strings.ToLower(k) {
 		case fsTypeField:
@@ -279,6 +287,11 @@ func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRe
 			fileShareNameReplaceMap[pvcNameMetadata] = v
 		case pvNameKey:
 			fileShareNameReplaceMap[pvNameMetadata] = v
+		case enableKataCCMountField:
+			enableKataCCMount, err = strconv.ParseBool(v)
+			if err != nil {
+				return nil, status.Errorf(codes.InvalidArgument, "invalid %s: %s in storage class", enableKataCCMountField, v)
+			}
 		case mountPermissionsField:
 			if v != "" {
 				var err error
@@ -415,7 +428,7 @@ func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRe
 	}
 
 	// If runtime OS is not windows and protocol is not nfs, save mountInfo.json
-	if d.enableKataCCMount {
+	if enableKataCCMount {
 		if runtime.GOOS != "windows" && protocol != nfs {
 			// Check if mountInfo.json is already present at the targetPath
 			isMountInfoPresent, err := d.directVolume.VolumeMountInfo(cifsMountPath)
@@ -526,11 +539,9 @@ func (d *Driver) NodeUnstageVolume(_ context.Context, req *csi.NodeUnstageVolume
 		}
 	}
 
-	if d.enableKataCCMount {
-		klog.V(2).Infof("NodeUnstageVolume:remove direct volume mount info %s from %s", volumeID, stagingTargetPath)
-		if err := d.directVolume.Remove(stagingTargetPath); err != nil {
-			return nil, status.Errorf(codes.Internal, "failed to remove mount info %s: %v", stagingTargetPath, err)
-		}
+	klog.V(2).Infof("NodeUnstageVolume:remove direct volume mount info %s from %s", volumeID, stagingTargetPath)
+	if err := d.directVolume.Remove(stagingTargetPath); err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to remove mount info %s: %v", stagingTargetPath, err)
 	}
 
 	klog.V(2).Infof("NodeUnstageVolume: unmount volume %s on %s successfully", volumeID, stagingTargetPath)
diff --git a/pkg/azurefile/nodeserver_test.go b/pkg/azurefile/nodeserver_test.go
index d0d9a48fa4..317fe9dc7b 100644
--- a/pkg/azurefile/nodeserver_test.go
+++ b/pkg/azurefile/nodeserver_test.go
@@ -260,16 +260,14 @@ func TestNodePublishVolume(t *testing.T) {
 				TargetPath:        targetTest,
 				StagingTargetPath: sourceTest,
 				Readonly:          true,
-				VolumeContext:     map[string]string{mountPermissionsField: "0755", podNameField: "testPod", podNamespaceField: "testNamespace"},
+				VolumeContext:     map[string]string{mountPermissionsField: "0755", podNameField: "testPod", podNamespaceField: "testNamespace", enableKataCCMountField: "true"},
 			},
 			setup: func() {
-				d.enableKataCCMount = true
 				d.directVolume = mockDirectVolume
 				mockDirectVolume.EXPECT().VolumeMountInfo(sourceTest).Return(&volume.MountInfo{}, nil)
 				mockDirectVolume.EXPECT().Add(targetTest, gomock.Any()).Return(nil)
 			},
 			cleanup: func() {
-				d.enableKataCCMount = false
 			},
 		},
 	}
@@ -312,6 +310,7 @@ func TestNodeUnpublishVolume(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
 	mockDirectVolume := NewMockDirectVolume(ctrl)
+	d.directVolume = mockDirectVolume
 
 	tests := []struct {
 		desc         string
@@ -344,22 +343,12 @@ func TestNodeUnpublishVolume(t *testing.T) {
 			},
 		},
 		{
-			desc:        "[Success] Valid request",
-			req:         csi.NodeUnpublishVolumeRequest{TargetPath: targetFile, VolumeId: "vol_1"},
-			expectedErr: testutil.TestError{},
-		},
-		{
-			desc:        "[Success] Valid request with Kata CC Mount enabled",
-			req:         csi.NodeUnpublishVolumeRequest{TargetPath: targetFile, VolumeId: "vol_1"},
-			expectedErr: testutil.TestError{},
+			desc: "[Success] Valid request",
+			req:  csi.NodeUnpublishVolumeRequest{TargetPath: targetFile, VolumeId: "vol_1"},
 			setup: func() {
-				d.enableKataCCMount = true
-				d.directVolume = mockDirectVolume
 				mockDirectVolume.EXPECT().Remove(targetFile).Return(nil)
 			},
-			cleanup: func() {
-				d.enableKataCCMount = false
-			},
+			expectedErr: testutil.TestError{},
 		},
 	}
 
@@ -764,7 +753,6 @@ func TestNodeStageVolume(t *testing.T) {
 			setup: func() {
 				d.resolver = mockResolver
 				d.directVolume = mockDirectVolume
-				d.enableKataCCMount = true
 				if runtime.GOOS != "windows" {
 					mockIPAddr := &net.IPAddr{IP: net.ParseIP("192.168.1.1")}
 					mockDirectVolume.EXPECT().VolumeMountInfo(sourceTest).Return(nil, nil)
@@ -774,12 +762,16 @@ func TestNodeStageVolume(t *testing.T) {
 			},
 			req: csi.NodeStageVolumeRequest{VolumeId: "vol_1##", StagingTargetPath: sourceTest,
 				VolumeCapability: &stdVolCap,
-				VolumeContext:    volContext,
-				Secrets:          secrets},
+				VolumeContext: map[string]string{
+					fsTypeField:            "smb",
+					diskNameField:          "test_disk.vhd",
+					shareNameField:         "test_sharename",
+					serverNameField:        "test_servername",
+					mountPermissionsField:  "0755",
+					enableKataCCMountField: trueValue,
+				},
+				Secrets: secrets},
 			skipOnWindows: true,
-			cleanup: func() {
-				d.enableKataCCMount = false
-			},
 		},
 	}
 
@@ -850,6 +842,7 @@ func TestNodeUnstageVolume(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
 	mockDirectVolume := NewMockDirectVolume(ctrl)
+	d.directVolume = mockDirectVolume
 
 	tests := []struct {
 		desc         string
@@ -895,22 +888,12 @@ func TestNodeUnstageVolume(t *testing.T) {
 			},
 		},
 		{
-			desc:        "[Success] Valid request",
-			req:         csi.NodeUnstageVolumeRequest{StagingTargetPath: targetFile, VolumeId: "vol_1"},
-			expectedErr: testutil.TestError{},
-		},
-		{
-			desc: "[Success] Valid request with Kata CC Mount enabled",
+			desc: "[Success] Valid request",
+			req:  csi.NodeUnstageVolumeRequest{StagingTargetPath: targetFile, VolumeId: "vol_1"},
 			setup: func() {
-				d.enableKataCCMount = true
-				d.directVolume = mockDirectVolume
 				mockDirectVolume.EXPECT().Remove(targetFile).Return(nil)
 			},
-			req:         csi.NodeUnstageVolumeRequest{StagingTargetPath: targetFile, VolumeId: "vol_1"},
 			expectedErr: testutil.TestError{},
-			cleanup: func() {
-				d.enableKataCCMount = false
-			},
 		},
 	}
 
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 44ec41a4a5..2dc270ea98 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -329,6 +329,9 @@ github.com/josharian/intern
 # github.com/json-iterator/go v1.1.12
 ## explicit; go 1.12
 github.com/json-iterator/go
+# github.com/kata-containers/kata-containers/src/runtime v0.0.0-20240702121346-ef3f6515cf8a
+## explicit; go 1.21
+github.com/kata-containers/kata-containers/src/runtime/pkg/direct-volume
 # github.com/klauspost/compress v1.17.9
 ## explicit; go 1.20
 github.com/klauspost/compress
@@ -338,9 +341,6 @@ github.com/klauspost/compress/internal/cpuinfo
 github.com/klauspost/compress/internal/snapref
 github.com/klauspost/compress/zstd
 github.com/klauspost/compress/zstd/internal/xxhash
-# github.com/kata-containers/kata-containers/src/runtime v0.0.0-20240702121346-ef3f6515cf8a
-## explicit; go 1.21
-github.com/kata-containers/kata-containers/src/runtime/pkg/direct-volume
 # github.com/kubernetes-csi/csi-lib-utils v0.14.1
 ## explicit; go 1.18
 github.com/kubernetes-csi/csi-lib-utils/protosanitizer

From f337f3fe04880c8a2c31ea49eea3abd518699455 Mon Sep 17 00:00:00 2001
From: andyzhangx <xiazhang@microsoft.com>
Date: Sun, 13 Oct 2024 02:44:01 +0000
Subject: [PATCH 3/6] feat: disable kataCCMount by default

fix
---
 Makefile                                      |   2 +-
 charts/latest/azurefile-csi-driver-v0.0.0.tgz | Bin 13612 -> 13685 bytes
 .../templates/csi-azurefile-node.yaml         |  11 +++
 .../templates/rbac-csi-azurefile-node.yaml    |  35 ++-----
 .../latest/azurefile-csi-driver/values.yaml   |   1 +
 deploy/csi-azurefile-node.yaml                |   1 +
 deploy/rbac-csi-azurefile-controller.yaml     |  22 -----
 deploy/rbac-csi-azurefile-node.yaml           |  35 ++-----
 hack/verify-yamllint.sh                       |   2 +-
 pkg/azurefile/azurefile.go                    |   2 +
 pkg/azurefile/azurefile_options.go            |   2 +-
 pkg/azurefile/azurefile_test.go               |   1 +
 pkg/azurefile/nodeserver.go                   |  91 ++++++++++--------
 pkg/azurefile/nodeserver_test.go              |   8 +-
 14 files changed, 91 insertions(+), 122 deletions(-)

diff --git a/Makefile b/Makefile
index 1fd27ad06b..74856c5afe 100755
--- a/Makefile
+++ b/Makefile
@@ -28,7 +28,7 @@ CSI_IMAGE_TAG ?= $(REGISTRY)/$(IMAGE_NAME):$(IMAGE_VERSION)
 CSI_IMAGE_TAG_LATEST = $(REGISTRY)/$(IMAGE_NAME):latest
 BUILD_DATE ?= $(shell date -u +"%Y-%m-%dT%H:%M:%SZ")
 LDFLAGS ?= "-X ${PKG}/pkg/azurefile.driverVersion=${IMAGE_VERSION} -X ${PKG}/pkg/azurefile.gitCommit=${GIT_COMMIT} -X ${PKG}/pkg/azurefile.buildDate=${BUILD_DATE} -s -w -extldflags '-static'"
-E2E_HELM_OPTIONS ?= --set image.azurefile.repository=$(REGISTRY)/$(IMAGE_NAME) --set image.azurefile.tag=$(IMAGE_VERSION) --set linux.dnsPolicy=ClusterFirstWithHostNet --set driver.userAgentSuffix="e2e-test"
+E2E_HELM_OPTIONS ?= --set image.azurefile.repository=$(REGISTRY)/$(IMAGE_NAME) --set image.azurefile.tag=$(IMAGE_VERSION) --set node.enableKataCCMount=true --set linux.dnsPolicy=ClusterFirstWithHostNet --set driver.userAgentSuffix="e2e-test"
 E2E_HELM_OPTIONS += ${EXTRA_HELM_OPTIONS}
 ifdef KUBERNETES_VERSION # disable kubelet-registration-probe on capz cluster testing
 E2E_HELM_OPTIONS += --set linux.enableRegistrationProbe=false --set windows.enableRegistrationProbe=false
diff --git a/charts/latest/azurefile-csi-driver-v0.0.0.tgz b/charts/latest/azurefile-csi-driver-v0.0.0.tgz
index 2d64209b31135f926d93aaa6a11988328cfffb1e..aaf2ae0ae01033e25edbbf3eabba077395e3dc4d 100644
GIT binary patch
delta 13205
zcmV;GGiuDNYV~T6Pk-_(PdGL-lG>wVx2%xlo-?Q2pBJi1k{A_%8URI!?RLaG$nML{
zlYD_o-BHEjMHkDg@7rmMg-RrVL?V&-LjwO6a~O~iJYNtm;A8@P>u`j*>`w7G{9zSO
zuh;AC@9pXT_IkbYe|tMS`#)^&z3%Po@4ec7{pyF__N$%U*MC2t-b!kp@x(%6{zGr+
zy2_3FMjjlIpMeX)Xdg|sH*gfCe}-6skQ)IApOZ-H-wu?xpdU#H=#Wu~2?dTWB;$Ap
z=!8n(1MCBOad>g^GX4E5jE977P&|e{atYkVBxRx3?R9$_58W%@&*Pl`6CB1MR;B=&
z=l}NJ?*8lY{C|J7-CNK9`*_G0523$-&=nSN4iW34vCq3>;&Ue0Kz4mL-ay%`RYeiv
z5HUd{<I_Icy8g4+@&(x{h>|WQ@i0{*>hCBH!!s5Vf7(YUgHtBYI0&HXr7y@CXA`2-
z0B}bwOo*-P_zE}$2|`t&D)pl5qpZrwtL}EU*P_aE5P#&id8*^)gIrbH-R+&(b%kUC
z6ofeA?8?=Lj_Q(6BK1kG!kzB+-s}n~3*bo4=5rVlAvvC-mFi=w3p}2DUSwfrn>U_4
zL+3C64%7!E8DbO=<7mt{AOSuHDb&wbfMNjwx)}l0)Ce6SEtNu%;4tW;k(80>Z{=9+
z61EjEUw>>#EUv|t&**>*V-8-#0?$uYrY%L!)5N@plL?lPv}d}tp?^P%!|=jz(?`Gj
zy73Ho$ShRjsqMMxJD8dxr+5q-s)&aUV<FiXh4>0W-3}ZCh)~JU7$gp`#2daY@?Mwd
zqc2}K5PF8L|13NlMK$Z-h5$YxJ{<Tyi>Xv2=6`d*68cE;7|=8HH`Pt*-<!ymMc5P;
z=!S%$>QD1YfCh}CDT}-40;FPbfI|U@4AhV422=fGEI|Fu5xb#XRUf00voHkSS2M)R
z@tMBy1V+!0>J7vO=)&@0nYM$PFu}MUUn`Pjnp)Bpq9!Pg#E8km62HmsOR~GcudrY4
ze}C18q7k#Pk?XJYbzQ$Hav_U@LoKeEOj&}SerZ%%P+wX^*oQt+lfe^HAwetXFl0B!
z<48^qvu{$aIYc4xvFM{6)pe3%3B&2-G=e@lXL`<ki~=lG*%1@+6yy!#*QwOW5fMm$
zlxlMNEDi(JX8{rTDuh6ZRMtooFc63`iGKo!fCh+B^wY&j^7#f*GlUagoG~u@Xy-ro
zxA)u{as)V(qpX<XoyYV8{Rs=H##;+?@}m`mvk+6rUSTP*KRSnh#)LzV{T{O6dze7j
zN3Yah`ALc?WfCiUH~A%EL17w4EI6nX;viVeeGrCu*Mg>6IVMshe<9>YaUX4`e}9f)
ztQGUCUhgMjf93Gc7)14>-njDFPV!ZGX}iygFYE-Ab638zWaSPKYF+pCl6991q<d<!
z(gD7m>Ya{~-NArRBBxd+m3qB^5PZqF{YkPAxD{MY)<f4Y?W2xX#hiuEEiSWTJ=r>z
z1s18V6}8UsEfG>AFJLeLU-nVwlz(0LBM9OUI<4qi%@L`2d*`)yOH{L=7qFT7bBu34
zQar&VRLaqe`NL>^{q}^0gu>4(jK}Z}rU$+cLi~-$(MbSQYEemaB2dNgJ1p_x;ZNHB
zNMBV{_N#U(d$*)&H<IPKpVpUC%IRjLPLZ@RUPbnq{mK}ve@^!VjfQif>VLz+;@*Y>
zhxxGx7Y^%2f0Wr5brltt`dPwSTKZgzUv>GbSpX|bU~46~yMz+l7yy<rhfJW}f;8fO
zA+fUR?QAeF%^NM<Z#j#j^z}gKzmxGe2ORv36A2%v4{Eync%gc5W5ZbLnXRXEe%BYI
zt0%MFE*sPTqX2#|1T~Mea(|AKzc1p!fZX;`=flN?H-d27Nw(N;*~QVj_vwV`bkH-D
z>Jnu9GV13Sl&N_oUT&hJ<G*}-yNOOtfBdkC{&sMFdUE=96CIzQe>hjxoZ32_adtbk
zOsF5Szc)fc<J-bywEYo?Q->|9R3LhW0t{nD1xVcqsx%cz&mF-4$A6)8GH%~(qQfv&
ztICgri_%}Jum5UH&`os8DA;8#1ldPh6U?_la<yfDaV>#?+Ox4f3gC)h>SV*b+C&2g
z7{^MzDS0>pJ|;pKiSE6A{W|THWDBjN-6*@Hm+ruDY-Po)%51516Wm>uGcBd$i@l{P
za@aY}<=$Z;IgF@-<bS7)gd4S;IEp!;Lu(-rIy@Otmi~Nv3x2G<=9a~LO_#vOxyE>C
zjHN$1zKu9o2~6Li%({_E1EIo`wds_}6Iyy}1-|sFqBkL2#yIqniL`M;XuxiSOBKWd
z)QmjiOxX^p-(R%Q72XY@E`5>C=;w$1PZP{Ph2-j!{qebLR)0VGiTG+EVclD1BF?UI
zx2ek36LG;k%3ke6%uMx?mCnSXJAm~xw$qsL>yY6fweIzPf&i5#M|LVbL%%Q`&cora
z=wyK82++a75yFwS9Mv1^2IC$Uf($7HXpAWyLV$>+i-_^@5URfycnnAa#Z)3J^iRH7
z)OCe&1Qe<1Z-0uM9HAQ`N4nU2wc099j+9_oTE>vk(tOB4m&D<ZBm}b^`UywrPK!g}
zX}8@&hg}}c<Bb1F7)Ls6vvvC6^7x`FZ{;#|%!>c-?r)dkfBUcZw%75$`*<$Z<j)25
zFHVqIhSUTfT90o4QOKqcAjwRuz|QUN#>OQ>{s{c*8h;`Y3j`7p%UEopC<H73@tF2E
zk~Ln2$n$98-+1%o3+kSOF4s-H9_Z^=#fl;3dBQ5+Hys>Br3FM$st`e6zjl!4-6-9>
zp83UR#{B<0f-nLux-wcE3NT~-@9gdEl;;2I{oTFw{J)Rq%a^VHKoc_V>*ZMqg0fED
zj8(VzBY)_l|JeHabz?&pJHCxD4fLu_Z7@wQ^cpRu%YFIcp#TPi0_voa)m4Q%$jjbq
z|3KHE%=859{%jB@s^o_Wa83e1zbo6G`e=Vw|C5Z3+XQvIj2O^B|64P-aj0W;h9SeE
z;@5(UlwG1D%~#WmZL@FaZZvSO%Vjl2oKQJHoqs<H?~kHWY=!x^1yG^iwJ%QTug;%3
zsPnnANQ>Bb%#`V5RGw($G%00vI)<cMMfTB`FDRMi)uHMl=a+;EiK%bCE^F9&=FQfu
zk@GOeu_{5RAI3pr<7#;H**IcU``mJI^=i2YbLp|cVjW@4QtxV7?206`oU~$)h{Qn(
ztABG7O!04uTIG}9(LZA*3!VJ+>&6JeaaWACw0zdK!%A;A&y$^Od3=I-jU@X!9)}Gj
z(%K87ZPY^)hhd8B7%+}f9ELy*V;^M*jGO>uY?fgfs`d(WLx03E9YW)GC`EUuj;?7^
zsdW#nq3`yYvHtr!@bb}yg)o7Q>;LxN{#@>E3IDgVz59B1z5d_FQ<`k)I9nf}o&lcc
zZRBynI3jQ>focy&_xjI9g>7$K6B_g_GV0v=(vCoTTnM8Z2{5W(^3a)}TZYyd0@dpA
zDkfn7yr3T^z3!iF{0x(f3K$6kb*crN;xHdCldTFEe}SKgjwB^t=ekZ9*t6}J4H1C`
z5)DnbsjiqIYkR}=q>W<P53Em8$ajvH?@0o&3}cSN3U?+HIAYwyk`qVV#J(VO7>Agb
zKifb^_$-1xO7~*H21*PnO~pev2#E0}ohj1@_@SbaIr|Fu@e>*lUuhO4blP!bt5Vxd
z4mg<Re=&iQAr7ja0Ab5o*E+%eAs9Wwa@0p%v%T!<uP@n0k@(ikFrAlwmO2o6#aIZK
zI(Zx*j40e>yitHa6oF!!1`}nMIFUDsQ#YM%pPmKi?B_!?;B1U;M#LXkJXJ#e1`G6p
z@dUs3GO5GW)(HHrq1jdYG9n~U8}2*|F&Up4fB$;c{tI3B?B~Nm^M&LFi{);8${G&M
zpn&$lHZ)rQTbD}cs;4NVhm0z25xe>a_)=NNCf-fxu<&^{N18ie;-X&D0i{wcJL5cI
z(X@3;C>h6NB*<^N&4z*0k8I?1G!3{i!qjl*L?JieO){*d{et{f7UJ^nvpByj4NYkz
ze?lxo;>*vrM8!gNy+5gvs&;z*ZA+F<>)9;|j%4XHDwj+<+!j>|iQ2hK)ZUeK(V1~W
zQDsug5td4ykwNN%9_W%v46!d`9EQ`Bs2ylwTwbck6_cY93wqD#=3g=dRKz^<{_F2C
z2NW@4CIXfSus=dfj(~U3Uo0;_eZ06-f9l8Z3W3^(GHw98cvw<9MA-J%OWGBSY2f6t
zek|vjI_a`$klkvibQ?WFJxRt;RDTj*15Ly*rUCG9npY%tu|x*>RNt)pqFrdjVfBS+
zK?;QN^5ha*rCYHA3RDk<HN>omV4yC-AHf*+v&a@bI6L`y_oDDKDt2E<riegTf5%3i
zr_)w%v4AKsv9^kmo?<8GB1UO<Go|3OwZkg0O~iOA_>!q29K2eMj8Mc`1YDA0Tq<WK
z7NS*!wmnzPw|iT&A2jOK+7%Gk9y7{78wOSl>!B!z&ISn6MBX*JTWvVSNTZZ}Mkm14
zTH~`JCBLP#wMtNx=8mUikG5kde-2ILZBtL_F`gn0TC2n~N6#LXLO&@ph0p=Z&MORw
zOw41SjmI%1a%zx><SLeoi>&}A5N-)F^f32FM1n744qM8$)vQx(B6r8ZvotvUyufQ^
z8k$ENkPRcCY)B(i=2O#(>XLkZd~un^#r0s6d%v`ni);u~hY>meZU#}Ce?NMer-2qy
z8zm%}PDy1oz8VvmO1jW$`%v#0v~8%-Ye5&CP;`jL5FTOycRm2Br-i3Fw%rgUc7NRv
zsP_f&4?t)u!XIIdeF<F6Jztm!n@-<!(JuAb)zoSTXGb_r&iIV_5J|CRb?cT<1nGWA
zJag?KvM0gRcZ<E@)(g5rf3y%)qu7ORv67}bN3C;0tsdI^&z6hwDHqPh-3n2JF164R
z2(_S-@i>+m1cnDP)tHQSvvyQy)Hg-Htuwz}g-flh{WjO|l5y=MiqM&hQmut;4c2TY
zQbRS@-Byui9o{uPt9CR>fd~<gjp=&@77b8CRAU6vP+tNQC@pk}e;&_`p5dT|=oRR|
zMR_-wo<T`AE=q$tws9`OLG{ApE?%PmlBaf?(n3&bzpW7zT+^PyV%~mNhG}(A=W1ML
zA5;gfZiwvGvWBi1H$7~OhEqFsxMT__fqR#!wp`^kWS1OF^V0NG<t3x=Vc-Jk@bvW2
zFP++%-}!aMm$jl$fBCXzgEm9+K6h*pwWN{iM&D7?(V4UMmo758MrAo%xztDq1BoaJ
z)g&g?m1OpCW&t&k#o{hElfqcIC;R~#k_pfR)u5{%;R&E|97+;}8D+z8u>$w%z-abW
z1U!d{=o%MGN$;f!%gk%nw7|uBH%lappCely)fUw#W^**wf5l`h(M{5OSP145y`&aU
zAVzoQ`?uZb=jd6m7nXU-38Q*cRG;XR!E&UGdD>RQw3^U6A#4XRSA(|N3q<v(UI9=v
z#{9ZsLm9S{c5a$YV>U*b;{hh2raS}++R>wwq%st{NT0-U(6lzTh0N(=Irez2Ochqi
zj6zMSC{+t3e{`WSo*c$$MPr%ma)Wtl3gqm1W39)WtF=NImwcQ$Ot52rXr4nxm3^Rg
z1F^84mT9`ryaIWn2BWP5#kuzos$WH{&ovF=5WTpXs@)6;ur+(IoX<^Ds>SS83T~N~
z=n4i(uwr4Vs5o5gr?m!Tv-@S1rf&Yag~E0=H0#p5e}|0-w~6L-t(^=UG&8M6AlO7i
zrm9<Hy4zjH2<s{1AgU*EHtONjbg6M&G#WTlkX>~8;qus}wl5jN6Gj3QF(HWBE(q{r
zZUC<$2C<3!CXse>I-iic#o9r5)q;-Z7WO$*RxzG7L%{Pz6KR$+{E05LoAaL4I2g;0
zMRY<@e=wzZOnfBDKILj#kdFmy=CpXastrh}PsXQprp#0h2Iij>7Trmz_^cY&N&Pc2
z=G1O_^-|X<u2CHa&EfgkA@Xq;cF~V|p>%ro8d|X|pQ@bZ^*s?X;Z!uTn(P(~AOVRu
ziWpaOLTXc?s#1)z$*2_v;Z)D0Bd2}PtQv%jf9W-~sW6I<S@DdI*DY}k!VjD?K11qt
znMB+}ER-e?z$XycSAjl|kdq|amQ6>4$pB$GEo{fqybU7=BehaWhT=#Wry)!r%n7D=
zLAua&k<Fv^v+^$$sQ`QufSR4!B`rrV&3R!Zp)sI}^H$3eCR!4WJ(L@bVrGsjEI=od
zf6&@s8tKu~9pl`3D0wl?3g_H2B7O}JDPiSW7ih(zthpMZ%=cq1l3^%L>eQX|F=FY$
zWapF_y}E5_YOsfZ7jQ$3L5TF!bonWo4Yp{(?;C)`Bupc)ROdtip2%FyHo8s{mDr{8
z(yp=zhxNNU^@MCVR8v_kRwVU0Q9EXse^4ZV3L?n_^46zg2|}|yGSayORXR*IFF$5j
zZ?MRBo7<@{TX)Rly2163As=RFn5<yV1Zx4raCM;rn&DbJ>zB%gsnBNe%q>Bh-OrMJ
zjs>_@m9}eV^GexZU^H0(HEbHDoSLh}(m8XXbgc+-(-?F&q{e0uCQVf5lE=_-f2^}k
zqG$}*LP1mm2?bFOSv0MxRWwe%D^k=$Rj?Z;OG)ZeGUfg33_yol?#+UfihVLrd4Nab
zOmNwg%b1Z`#GEz{ppI(U=c}m%(cXs4%>xJ7#carQ9yln@WOC*#a2r5%2BglRW~9Qz
z%xeeICGvU{ti0r6DjJ}1`ay#<f5aH;fzf^^Gc(Hgof4}=&yt);o6gkS_ePJVUZ`Y-
zx)jr_?Y3?})4YtZl)z~p{ht?~{`9-|^1oiZ_@(Fl=dXWy@u{o-@gFb$>*epsAAfrJ
z^2Li^-u?9U^6dCm^78jzXgt0)fBpXA7dZa4C6Sje|LYGGR&Ko<bW`p4e;D`7yiZSm
z=SIi1OjiA6p6;TJ+OLe=ouhB}iTPjRt4h8T>sB)dj@QsgH%jokghYP#P{=g|@}3}&
zD}_F;4)VB4sN++DIDWIx#w(E6;2WPAFH_#kfTTcr`Z75zYVzi$kTN1rpfro0Y4>O7
z;Or!i{W8Oy5aQqinW$y&e+F}^<7zesg~pvJ(h;M=E{7TM+|q3sX7;41C`30Cs;LR8
zOn!}06KIU}6iC{Z=d)NHVf1f?P9Jq@j(lt-WU5%tjO+hLC+MxGQ2N+xe;*ET`h;Mn
zs{xj-p``Ut(iMS6*KpA`aM61Jh(0bz=u-oLE(`Ts64bdQd~<1_f9AIf$y@>Wa(S5L
z(tyf4gibyPUU6A;;wrF+%Oek$#u+Y)DqJCk@D31z%i;r<M+1IO*uNE{{q73i_k<CB
z%j5S}fYw_HHg9Pp-nS}lj|o$^Dg@n%@N&ze<Ce$5tpxeDBAnY3N42d4!?rwPZFzj!
z3eae)z@9yBq}ei<f3h`t>@lOqR)7^-2{P<qR*BgxEU`!|i|Bgd_^nl-wN@sJOCqtB
zm&Bz}Rx83(EsLO97B96%N39ASmE7BvgGc3lYQ{%pUI^^_5J?D5%lYp*CYqU~w9|k3
zj2cXpxvtgJ48hMyN;>u9I$z=Je1*PoAl`Y_!VLXVm%31wf0&WK&~j_!%8|v;Pism4
zg67nQ$rm=i;bD4N#eB&PbGQndYS;+6>GGrePqWY@M<9WZb$Bn?k<@uhk}ZcEaTX7Y
zuv(WFG;=!#5Q0o@TP9Li&x{L!pbI+SDEbXy)ZF(~Y_IE;quq};(U$G6G>{Wvj>l?X
z?CO9Wo{zk1e^vWHl+`Ot7w2#il@QKBQjb65usg{Tms_vB_9#nX9D;;a-TX-$&OsRR
zq%j9X8O?5B2p$3QqO``X6MQ-B<l-!B7>i;-wF_^lWn8YtqRv@J*ObWCYaVoA?8|fn
zw6J#0LG9-|dc-<f;XtQsprwV9y^YgtooG|zG!Q5ne@zAPaaecom(hB+r{?V%BH2xu
zYE^luidt4?S6))s$>Rn$0FB4x0Fq(5^rPv>Rsxyci&-a#>9sNyK)7v<EunjCglQ0J
zwNXhq=a9NO5XU+@-eZM3WeaO@Ao2!Roino5bx?%ZWJ|Xm%4?W<W*o;jGTY*k;3dm(
zsk$5?e|@V#vZQCJztQCg1mx8ei|{{VP)kq_O|jTk%xQ1w7kTS)1!q{=o?3Y{Ht+Xp
z>#mX4cZ0k(0<;YLT2ojR278gc$SQXrE8llK&fUfu=biNFUGFIFLx<0^YgpAj;ZAl2
ztJn)X3G4q++xzPy4Bv=N|IJ(R?PD$L=*q)Ke^-nSzlZQj&W%(XU@>K8g;*@h^)Z(0
zUo%20DNjoVSH8LQ2&FUfJ{w1BRV@U&Gqx$x!T1KY<~s?mx^QS!$?Sc$YiX^qJW}P9
zw?G<EpzXcD^X$g;(fbu_$!m|?A6}d!>qa6)7Cxe(u?|Bl)7$eN>eg*p(tXm9E<oGS
ze?=I0%Jvn6j1I*z$qniQR*Uo82E1N&n<rRyD^~5AbPfZ3ziUH_=4gyL4!3NJmTQUT
zp`kgar83`EOxE^L3HxPIRG<!{UO>ck#}&3ok2*BZ&qv^eC<hMKG0%0_<`Hi3W}H$l
z98%9FlfjcV`h-fIHT#%}+W}CIU~h77e^uHs+r`ylZOWcTS56y4%0Y7_&M_CSD{`03
z+YK!oXbzGqa;Z5ew|BDr$an%D)+v+JCX^VR@1UFd8>*mP97{IF(voo@j1MnP8c0gu
zNRR-0oW~s(t>TWY&`i>x{>CPsaTCu89H-We4^B1QiANTjI?;qnyfnx+IeVP%e}F=)
zVjihV7RmZF4po0As`GiGI=?4shOE2%pQybLv~lC%X!HDv#GazExwRZ5(-aRl$6gwV
z%j6He1$h?6Lqe5N`QoKPh7X*nqV;qP>}mA+@oDJSg%gA%C%Ou5f)|WuJJXjAhHIuV
zV!V>}PwA3>#6o5n(s0g8SSzO`f3xrIvy>$5|EqSXw>Y;{{GgQ7LZ1&vN_-|kCx7v5
z@u@khFnh^!%aVGMJSJH`yL&ZFAK5tAC_}Z~MRt+a9iA`l>TdJic6N<I$f}*0@g*<g
z=1gzh4T@-`7vU{`cUn<0TV9w}Q`qPXv&Q_yf>|o&qEtLl;$!vi;xU$+e-X<;1|0pA
zoTb**zZwynQ|;gX`kx<32xb=i`(OX7w9dc(^*?_JnScH7fBkRkgxp0mh*ge;x#z-g
zoIBf69AOv5bj(Y_fGNUZG{QEA#XM?#v5YUXGP=}dlXWzzHoq)7O><)!4V*3mgbp|B
zs&>?1Po^d|x;_P*#J{z1e-@Cz0CYwT0XkitG0Dx!f?Xs<?2k6{hg+}I3ayFwpc5rX
zuX-wY@o_l^$CPZyg>(*slKyhK!(4{K0uHirzMhK+{O+uDpZUiK^4P55wii>(latVM
zi+r&s!CkvD5)cl)iE88%9bSRSBH=v8H=n7yX_(N7vfB9{>#aU5f8BviNRwlCgrf-B
zTPF_6i`px7&bH(!$lt-)Ng3v5htj!QoVjxAmTE8P?7E+y3`}J_%VkNx3`Od@Lxc(m
zIA}1FC;}=8hjes}?lK;%Tsi`*@m5-h(Eoe!;dJXQt08H|3+prh`p6xOfyzy-KTJj=
zojLGAz3GlIB?Az$e{1UiE`Hhhway$+!V9-}9EGr%1maQ?ESW<@nC?g^YK7<6P}v?p
z5lfPW-{|J5<x$y**n03nat(dd(GKv8%`Zy&zq&5`P|pjKC9tCkbqsT<do;h0WK0_8
z0Vl&DxbJ>IcAKR0JH1pYov0N#M}pd9J?Ro%VfvSyUu!uofA*JJ$Ke+3m@PUHs+V5c
z87Zbz;#*adudI!_p4Exo^lY9eLqHiP5Qbi|_rJkY)eFhM*>tX$%SLHUQ~Z56`p`F=
zDS;Z&B*)c&DBWigel?pG$hbw57>Pf^beQHF9K<r_uvm(Qs;4-493JDc;&?EhYs<#b
zc6kb)=Ob;6e~oL({mCZ4Cj@S`ZWzBNbm%G3^lYl6ExrD1J=6bLxGj1CYulj0YIm2d
zQuT<fg&LKF7TT|4&o2^~Qt8{0Wt8gJn#n{28sh-6)H!!7%Bn+kS~!2|S<H@yX`udX
zQkDACg?cb1t)}nClcW0)@R%$#S8KPtbxHhcP-4i1e-uM?Y5%;cS?&n!JkXWE^~T?K
zen05p#Yx_g?_#&&+F#!hI#=$r)G<=y{w`)wEBZ*lW?@Rh_n8|6eWc{pxwcUzz-Kzi
zqM``YXMss7iYX#g?(cQc2dcl{Ob}yZWjOtJ;J(K6Pk$7DJpFImb;bE-c&3F~1ySbs
z_J6+ae|f!auea@>*z5K6|3@D$59_nTX<lp8TOM|nJr8!_X+8&<-KOf4YTsHuw3-!u
zee>p%%AJNE_r05?Mai)Qt?%Ca4)5M<o1U!^0PSj#g+woyk<IDQn_HqQY0_p2$^*#r
z{7kM?nwQG=RvR&0Dg&I$UA}xyIH#r9HcMQyfAwT@7xqzaF2ib8JijTHPwIpCIi2C^
z$(iVq#k#S6j*ryhZsMY9oJ<7Gj=3c68(*n1*oGX0m?P-5zA$usB4+LrF)KU?^R1tN
zS)Y8l*OM>n6EBbX#LGG}%N=EAu_CinZWcphW!YKgJeBkfokdz_L^01gZN#^Irs!Kf
ze?{~_Cg(bRPRo-$OP}Le!Ks~<oY9%%L{6g}_k<7NEPdQ&`NK7j{3y-p4$eH?V=_w}
zh*{?7%eQ&RWy#|#kNM`>Mb9y;`qaYGXB3{wiG+JNf3W;%gH@g_SoS2rs?H6pPYIMy
z2`qIUU?s@^<uLxsqWPD`?XLu(zYG?Ce;L&MGWhy6l78;St&#L=B>fsQzsAh3G4qe_
z{_oi?vhVf|@M2JL8PxjH81-cl>E9^+{K=us*SBv!O$7O!-n~61I(&Wq_G7w#dnFj|
zWf9ve!Dp}U(f(%d(f&pe(o5r^mqkB64y^Mdz5e^l7Y_jqkoWcL#t-YK`N6-%e;fuR
z1kV@5Ga6}2!Z^|(t}XRru1I<<M|X<HVcR--y<TsBZ%_ZX*Xx!3yR*Bu^XiA~z1O{+
z{k>P)uV4Mp+u7aTdG!P8-EGs&6AOv?551-9DmU&MdCXKhf+%FuF;H2$+9eWOlkLJ?
zEe7iP<qPWmY%qH{q0r9tuU|Lvf8I!4^c+IK0=k*sQI`tw6@+%q<0zU<79lmc3H8G`
z0Mtn(vuh}IP#67<D4~Jcf9|PoRC&F0JLsB^Oey`PWPiuw5dDtI6qGudK`eKNjp4O$
zsZGlY5-1#pC?q}>bv=^2H#G?e!I#N)cZ{V!dY|jr+D=Qpd++GH{iMTNe~yfh97`Bl
zNSs+R+}|W6FQ<|HHc>a0|D3R?CoD8&E(!Q^)`->umR2!HOWrVk9Wor8D56A8y9RxE
za#SF%I7y3ki7mSo3+SVcR2zT-{T3n>vEY4PM6L96Gx_=R90D4#;Gis{n(>mH&aMTO
zK${~b<S9ti_PQR<70GH=e|7}%;lS5B@YAwlDZb88%P3G5z(qm&wfRtRT{F=~A))bY
zWAEfCweId3dC5=In0}x?VIhI%%B#ve&O#{ORJAqM1yjo>Co1hLJ2Zcvg_uH%Dw7CA
zq{=te9C5-pk<$$2VvSwTH}^YvJ|{AFUyuMl)*mn`;Z|njBfwX?f66n?)XdEr=tggx
z$5fIr9GSxhjl(8c2)r!OxgT3fbfaP)=sU}%xfx@BnPa+ChK-Ez5YFN-ya1nr%yD0S
zQ>dlx>tf{<En|MjV%&LK-z@0L(93{(e8aLk!s1LR*jv=u>J+Q*`huKgU#K;S2_hMv
z=BI{jPak!1GuwQBe}x5{L&VV6ua$RAwEMG4OFTqhzjn+RgaTUfv${Hq+5sWVhoT&|
z>UfhkJDtjp+6>1*pmug|{_x`9=;-|T;^L*FU<fz>?rEJx7@b`ryLR_YolWK-qGlqC
z<(uuDUQamQ!>#1lGpI2yS-am9*SoZ^(mfuIi1*J(ym{4Ye=2bmb0Obs_gsYrfMv|V
z8>&6Zo4+#3_}S0r;D?xuO&GAk0MJQ!1nikE)5B%hnHuUoQu`nEe_g@+>#_`~`Df1o
zpjqM(rDcnfF|iq?V=5~WGFHEu18Rzg5{HI+#TQ5~AbBT9{wl~XURie(%t%|X#BR=n
z+TJNLT&vX8f8*l_Uy+bFPfl<am4EZl!Ta}4Rg}+!)u@Wnh-upG7ulz)(n)hv(r^9Q
z+*<1HxoD@i+G?o#QBWl<y4rc(G(8(8pnB?O?_$$4H)sz(Jvj*STWc%f+>~Cqh2W&?
zT&a_ii(3Xu*0tK1<+L2`W4b-}%+1`MnHV0Su>em8e^cLR*YESn2RZveRNod?@^kRn
z1h|17AKyk;Un=|~CSlA$FX_)8c1cghc9G@$p7n)g^<i~ING3o*2(`7if;Q?R`Ql7{
zuv(4LK)O1Si-i}|8>_0ZjrJ(+9O|Upl+>e<&dgnr3=I5pmhVQ*!6Gk);z-KKOHL@i
z37L;WfAv}4?F}k6bp$w+qcg^3x^b>_v8_dy^diRPn*}MCyV4MzyxEyc6%?y^?AoBf
z?ZYaB)L+|17i7-emFj^Sveg-x6<l!sFI!VPtHGPpO$Ii64-*L88~b#&{^7;p#mVR6
z)1$KwC#RP#SHl=2C%#CvORuZ{U(M{crR}t<f7#>vj1I`KhViU`n}7*ZDv8Pyu%~0K
zGvDP}30bUh)&ny1g!Y_yWg<B)bn!!7+PK+H=cb%lS1rjmIATne7%vvUJv;;|9c?#d
zJ__Ims)U<RM!^&DU_fpigyMw6g)ZSHgu{^CcrcFSw9o@J4c5hvRq4a5=_Se<2vZjE
zf7EZOM5->rP?S2Sv&0rDy^A=L%x7UAT^^n#YKg*PD`6{En-(b--=@TGGx@IQi$X=k
zUL6>t`f|iUj93`-(W}CHwV=NRS=Q>2S&|Ztma-d6;HZyMYoT1%f?Zf=K_nFO%scD>
zLWv|eJc1BUFAQwCk9La?Bx^dQueXb@e<R?81@4dQcP;<_$MfUQhv&yf$ETMk2k$@s
zc=G<(wTJnUGe<TBGxdJL(L0zrkI6bh_j=hm<e+1fIQ)@>aF~#(_MUpKVcOS1;CRO(
zb2K%VRI1#@{6gd2p2d{h_P4g`?bqrAwJJ*=Tsh<Hc8WTk>dZ6@{Pptk?Bes;fBA?1
z@9*yVtEw<Zw?wo?fEqb$!{Ge<&BI<%-rj!rd~x*d^ZO5PKfgcz`S^X?TD9oBWfw>9
z-e*?ETsCxO^W3X*y!<g|Om21YZ$68rPAcZr3@RY~+=;2J8bUD#&oAFCRn?(7THOtZ
zkes2;00PEwt-uIT&V^d$ONemGe}`%+Uk*6<K*MRnd=(<}qU&<+mMe&^$(D~j$zvh6
zbUetf-ss*?n^RC1*yp4Y^$>d;Bdm_ds#6NJ(R4((&HP&Y!YOexzHo?^T2ia0)T7w~
zYohQ+I@ti@(+}LBsW<ZDHK)Y7rFABURne`N%$dYyh-pp=9~zW*kI!8A7Ei1D=fQsd
zFcbgT+wSeYF5y3Sc6NJ{ASh1@eW2QmNf$q}TD&KddMHZ-Pnz)ilgTI}0(X0p?kE?3
ztFpDs*dL~#LZxf$aRLluMlWE2(*#K+fjC{^VFDM`6`UnV$S!}7AfdF<Qv@dc??nNb
zua+u8hadH;#8e*R+m94aFbUO&7kW-j`EK!j(tQ<>zb;#a_s=|@&~CJrImR&G34^x$
z%zqZ4cHCD0_0N&IBb@(yczq=ejf}2;2)k{*YkLyFR$kB55(feDxbV99odc84b;Lli
zb>PCCJJ?UkWmLC&s0EH+FYhG~|095{uj(8@^3rzIhbXtN$hi>AvQ}|Z@t7Wnj{>;q
zvd-xxI{0|`*AM3>mw*5C>EiDfm&ZRPk*vajm>eB7Du)dqeD(fY42)+sVRV0gG4g7q
zWf$UXA9S7P+2**Z#M&cv16+(C47+ga0J!^=pHAV%JCQI(`hWGJm^#*wcZTH%9rizc
znqdCvQ%J5peNrkb1o`Pxr1L<FPoHYH*PlKi??=Y{0wZ_k;A}cQqBVzM&f_p7$_QwM
z4pkqT4gGoY*=l8aW(8G2bA7UZAOPepYA;K9ovf;@n{!;sqFaM1DS}aFK}4+BrnP8*
zX@uqI%^zMIouB-CeE#|T`0eM54~OqQpB-HO)kVWdypzP)`;Tu=PBn?6lXKU{ZE@hO
zLy!&w&^A&{y<~RQPtF?joxSYJ(Iswfme3B3929$Wk-9(Iftr5$<gDR;-N(Nie?I+i
zbo}}B;HNnv**g77O$a+ny{j!#JzH{DbfH#S-!;YRR)Xd*R3aEz49Y=!jktSihDDvq
zO(~ff(o)eD;Cp%xy)xjQqDF!@e|S-xi**XT3g60Wz6V0&=^nWYEM7g~Cx^n*O>Kj}
zOGOM{h2RZACMP|F#8SL}afBO8(YGLN!gy7#k!aq3>{$nL-FeX#z*FO(s)d|B5x7;-
zYmPFjgk9Z<&9g>qtq8Go7Y0?{K|k5PD~oGY*3|<ce4cPdv4!J*bD%(G<p0{)?(LNG
zf9>w=uj7CB@wABly`W6C4g$VhM*-JSz;zUG9R*xR0iRG5aJ3<SxJM9EYzk(S4y|WR
zYIz>vu>Yy<M1u8j2c%VSWPKKX!L#slM=#0;;vGe5&Yl~8UHxga`-oH=_O-9y>F{6G
zS@wB%YLDp5`8qiHaKXt(6I;}iuAJAku+cfsQ8!ZC_AD*jmM^fc2@x1>wi+X|jt>^-
z0VkC)3*e2LRB5GSt2qU`-+T&ox91juyVY=yDX97+LY}kJmLxLNn75?k?Bw#)tk^}h
z^c-eY@_9j)XA#L4USfe;2YSD|)GF)P>^e64L}RmtQ9?sP)8u~FF!jt;(&m28B&EHZ
z`4j!EspuV(;VfAP)2HqyRp?WbK`m+ljgzb`Vt<`IbL0Q!&i*tL|F`{WzgNQlZSU`|
z@Bh4)rxX%1iQFvmZxu*Bn;CAUIKC>)6`=SG(d99GhRzznS2Iozhu?E^v-o|Y<zVuC
zUJ`2BvI4kZO6WeW2F>}<0xBH-2|Gl|yL<|WMKFiv+a>P^H9Xx79?<HFyFvqItUpF9
zV1G?-tP~IW#F2(=G9RyThL7~lopON|SLn<YySlr3ZJNDeW*X0n1YCplnmKzYuwLDT
zw3TAZLDUjqZP<=H0(_pM@T0-z%?j(jniHG1&?S0{VDT#UU*;0qvM#Z$T9?>jH~Fm=
z4Y$B0UW-82wiW`em9_Cau(dU^>^nu4Wq<Q<jVt@!aAg+!r4^4i<SdTrk!3$;x>4sG
zzem8D;V%L{CPJuvVO4&O?#xO&IpkZhf3LB`p6{EUsc>ovy~7e89_j%r(ONxbZN}wZ
zvk`5JZhY3LxAg^HYoyy6>DK0ou|_aX#L0w&FoeJ{BbGa~aX*)vHEpe&8x77PJb%<1
zj6V7c33R+)s{|(t`WtPO-renJMM42goF4};AwE>NSYNHytl?%_2n|EQW4dKbj?}@u
zB}SM-uw~@N8dK%2vA7-eWkb0Iu7oS^bZ24l9B{do*q!;^6h+%(25_fghA+<ILLAgg
z@TEH{1$!;VR;|yZnX#qrylYTXGk<C=>#RCdS%WTn@)z!v8rohjd9CzGBd4tu+5DFz
z=A!P86)o2S|CL;o=H;$Bn+pUs<Nm)_`+K|P{BP>@8vk_<Pie-b*Wx9~-@FV222seS
zW1tJ5z*4fwKMpfdQiWFp3~N=*3b0~L^(>DdYofkVTp5QbBt90c`!M-nL4Q10%i&oD
zBBl=rq*p$oOk<%NMxRS`1!#=<H3SF?Z8xW904Ce$@chUeDu^?XoTf=AdiJWfSD@|X
zX_GKSa7!e@0|^{q&SDy%*WFiYgUM(hR4qhmVm?-k3<wPh^$LdMhzPSCMq<R`Fi`9c
z^|Hc|9AT>dM-dqldaiiSM}PMa60HD&7cn0~AN8_d3Xnmw=dVBln})866kHCd*IG<g
zka@4Et`)%RW{`gr8TzWMEsCA9W>qbk%nxHBf!`aTEN8E*2vycpMIOdyN79AO`^F(_
z^Uc%7cyav|yu~GF6+z_r>*~+@_1xj+`{t>2V0y<9WC{TXz&))C2!Eq>3HwXMN<mnc
zN!MxZ;Ayr@?3WD(FPr?ut$K4IC-NiDI6h<l$FH#O6%PT;zYCmo|L@NBUTOcg*V|d=
z|Gt-}wA`ri?)uu~%x(P+&BA@oLMZJ0bZH#R5#!`Hy^!Yajc?o#>MyNx)Pq|IoZ`@n
zIGYef8o0-qHolj+KYyObp_y|Y!V%F31<^;pbUMFol(fw+ohZF@-Fka$p$YISU0?{Z
zvxzz(5&FM3YP+NUVLD6wD@uL}AOs1TzydY<AtvM2)tj?HuDXgh`MYYiC46P5wQO+9
zHo*j_T%ZeWYtqhKs9C-s%5Gh0gO(zgEnG8sx58&XXsmIS6@Mw6K5N7r_4$nPfYAKR
zch#jA{W{vI6eQhfXHP*I%9HHZ4bSs7s@mx<ga(8T??Or0Bl4+!y0TR*r=moB^$+l+
z)l#NC7lr+qCR??=i+eb~vUh9aOj9b>;sC08ei@~m2uVZdZ`6$7ovtrfO6-rmp~a<M
zyRTeHX{=6L-G55xfGw^LTPi0rTH|?El9j9<mD;z2#4=tb6W^QSOefx2Yu2cu$Eq?D
z3qjt$)^r<@%UO?3GuZgXT+?i&Hr8@x_R4L$tlwrUvP`wq>(yoXtI@J+ZCcT$`8l~(
zsP&4fwNAZXmC8Yo-@ZK~bY8W(gkNK+8Wz_h_q7N;uz$X~Z*{dod4B?Ws?-|~qodTY
z)DBtNImt=7dsb8p_E;v<zt;513S@b{&iP&z;Dtn{jdXwcl7uE7Iu`OhKJ&-_=1&4R
z1OK_(d$nJR|Lweby|a%0-N!Q{{&%k{kIuRA=+>MET50l~@u=3Ae0H^aSzR1r(Pmvy
zgJz|>`F}XU%H!NK8*_~%_WgU`0J5O1lS}th{mz6N;9U!k*4^zm+II4K?v%u>{oKh=
zk82C<sXlG(zhw>q&9MLWUiV&=&;Pvc?XK;=`*`dMiD^)O2IyYEVKqYbZFou7P_LCb
zNY^p8`;D=!zQUCvHWp^0btvFYtyGs*dsJ3w{eKCdmD;Ec+Wq0Y;4Y@jA%^q}!yT?b
z4;Tr$cabmk>Ust=3ERCn&S%*Fwx6)+rv*=f%&`Brd#`s&_W%C&?%Mx*FHiaWe<_}n
z8T+NoV9u%5oCBaaR5kzU|3!}R&vRi%yURKX$90=NGvqxI6z>6R;$jxZ5-4uNu_-sR
z>S{bWNBWXSp2=kWEb=U)|Jz0aXX^j`%K5+j*X#Sg?&Wzf{hztQ*P4H=`Pa__J@f1T
z`6B@{^nY(}x2*s7d%eB2{=biB9{>OSEe>`2@%vdS)_QLJte^GsJv{$600960pBJFQ
H0O|n%B`HP|

delta 13192
zcmV;3Gk47OYOHFIPk(YRPdGL-lG?4)ZdoD8J!ek4KQC03Brz%iH2{hd+wF*XklmM?
zC;0-Gx}%E4i!PQ~-?!5i3zbL!i9{mvhXnpT<}e^3c)lQBz{v#o*5L?q*`4BX_}wa=
zUa!~N-`msw?e%))|Mqrv_P^WSd)?dK+kL&WzxQ2l`_<0w-hX$fx02dtJh70Nf7e^O
zu5#nPk_SiR7vO?0+DDV^4ID-3pCOhY<VFC(=OmK)w*w_E=m!!4I%HI0LV=?T$v7SY
zI-wHy0Q-Pm9A2EfOn*NM;~}9N6px{gTmrW-Nm=N1d)?l~L-)$J^El`K1cxz*l_`Mc
z`M<rlySrDO|9^Y0U$5u?eLQ50htS_Z=n4xshlusj*yr6b@i`N0AiF*rZ=h_}s-g&S
zh?pRf@o67zU4JjOd_lGfqNIySJWSPy`a6ol@Qj7TpZ3wo;FQTT4g#op=?ikk*@P%H
z0Nhav6JqN+z5-4`f>2ecO1&uiD64Yvs=M9owW#tO1b_K`p6a;yAXn9PcY9}cT_KqO
z1tHEjyK?oRqq^jiNPUv4aHqSyH@ia00yxsM`5cBsNRH=drTW<F0*@!37g?Cu=8b31
z&^Zi%1N8w(h8P9JI2tn!NPy2l3ib09pjbeFZbm>gHA06-OQldGI1Kt|BxNM}TRB#{
zglz@P7k^t4i)*pvGddu{n1dIw!1I%pX-m=bG%+vYWP&9m?U`<E=-<!cFuX9_^wF=s
zZ9GFBG7HssYI|<_6HHB!Q#^(ZRm4Mwv5;(xLVN|GZU+tmM5ttF3=#)e;tgLHd8bSC
z(dRE42t7mB-wO{%QO!EIA%IVa4+p-_Vk*^$`F|X+gg%ly2J{U5O?8v{_a?Gs5jKSd
zx*=hx`qO+8paJ7(%Hl4%0I66U;7|Y}1N9@i!Bqbk3s8S^#BOL;)yJshEDVA7)eP}+
ze5P+afzdOhdIPZmy0Cm$rtP36Ofas;*NSABrk1pYs0oTAF=Fzt#BcKZlI(8qE9{s1
zUw<{CXvA!6<oYXpUDt1lT*%_!P>X9OQ<k8oUmBGb)Rz_!_Mwl|WbnjPNYDy84B5@`
zIFi%D?3<Kp4pB&aEc$3ib)Do`!f<*yji8UtnVxeWq5w-(cEp4{1$o2xbt-joL<ABb
zrJ9^Ri^D+mSwIB73L#J;l{FFt3<RP~qJID)paEhO{d{qfe7=Fy4B^BVXN=1}+WF7@
z?LD`K903mHC@ZFT=P`Xxf5t+p@zw&J{AdN?EW{MDS6E8ykIvzrG2swozlUu24ki%x
z(JS>=ev)EJnZ(N8O@4`3P?*LM3l1uUI0zPVAB17vwV<h1j)@e>UkLe8+(+B#pMPT*
zYsLJk*ZY~+Upf3U22uT}H?DlPlYCWP+U~RB3p)Yj+?DSvS-C@mTGze3WZfkL>7LrG
zbbxQCdZ(jgcQ7E7$f=b{rCu)}1Ya_4f08T&ZUtA9_0Tm;`>3N;F=ruki_7d-PqvO_
zfko<TMXhsuON1233m6Q*mwnVZWq%j`2!c3-PAmFWb3|(1-gzzF64h+z1#G7N9OK&$
z6i+Y-m2xy={xDi!zdfNLq3{a}<1zdM(*xfJA^t|>=p+CtwWuUIv7(n>wbRSHC4IV)
ztih@{P`yTEwWK?aI&IO$LKWF(_A6tVexDltjn;9Y>chec-i8B*jj;$94u2Cyf0P*!
zbrluY^H~yETHjnNTy>4BS>-D0Tx(6YyM(6O7yy<rhfJW}f;2LHA+a*ut;m~~=FQK_
zynD-89Hp-ZLjRqN$2s8OZ=6VYPkm5x;)e^>gBu&h9M23orP#Z^AYDCU?Vi}!_a6lC
zgCS69HE^8#eGv}^<hGAG?|&~Yyb*-sPO^`F%Px+7dY4X^P6s_hslq_U`J#S)L7AFY
z;^ihfI{xd2x0~qX^oRGG=x+z-rzfXxH_`F=`TKKavZ?*i8E3as%Y^zN`+FlKG`=lN
zM%y2OICU7TO3$HZD8MjgRDjf-ph{Db^xP2)a2!e}<M!PqIt*jAbbtInxG4Rl`uay>
zXKtcXM!~LSA;>=3nqa;alB+HIi))<=)W(eUQ2<v2Qzskd)g~H1z&KXwP07O<@G%j>
zNObS@>(^<oB>Q9~?MB%py>tiGVJlN*Rklg3FW~N~oM{dvU+gVak;9mAuIUat$YCiR
zBtLB=+^9XnQOpS)T7NTu(Ba9Dvh?TUTkvD;8n-OwYq|tJ&NaqEV=VpA@omJxN?`g9
zWhRVN8VD7htWBp(p3u@;EAXXX6}<`JGRC2oOr(t)LIZXqT&f@zpl0M5XUafGo%^DN
zuJCRMb?J+AMn6C7f1F_cF(g+X?T^o0v-;6b#8(Rm>)tXGaesD|yG>QLo`?%>MD}VY
zVrGw*OmQX_HS^cg*iK`{uS14|)P&cY1_D%`9NDS#4E@S<%npaYp_2iUBR~fSM+isS
za#U}uuZw$F2r{G)pfRR+2mvCNE+WQ}L#X~<;4vTx6jO<?&_DTRQP&m95m2P2zbSHZ
zgl>o&>0<NMYJaOZIZ}dUX&FOCOY<QIT@r^skPytC=Vu(H+bIr#r+sq|9b5St9%uYd
z!Z^}lo2}FLm&X@fc`KKxV^;iscYnJS|J#4PyT6YA-N$pO^g=GEe{q7$3Z>@$(0Y6W
zh(b1n07+(I1$NqZH#ROA@<-rb*AR(VAdrw)#$ppiA%9>2h{v?Qku3i*M4m?z|Hhlo
zpHcT5bh&Qo^*~>~C{_$H&l6TJzv<v8Dy=PwQiTZm@}+}3??$QZwNfZPGv@!N5rh$N
z(UsBSP=Fcpe`jxRr!@ax@9%D}=l^{?pFeN?2bz#^U$5Ls5R~EaW~{o!A3-1e$JUoG
z8ymXV@qcZEX`mN$YJ+Lo2GD3RUGDQ|4+StF6i_FXtgb5DL0<M=yAHYrWu_-+_ZNdW
zQ6=9`fO8T6`a_xh)JOZf`k!QMJSwQ;WyF96`rn$tjYA!)GYlCP6~7i-q)ZkaX}+3f
zY@01bccX!OT`sFJ;)Kcp>ik)Fe-@o$E6l$wfPV`8q1|*!e|7%SL7h*XMOwthW2USs
zqw+)}r%5TZ2{I(zDzcA0e@4kHuMSlgIlm-SNKAe6by>sKGjDcnjhu%$j#UXl{V)z1
z8&|`l&&Cm>+8vjRt5?fKm`jfh7V8LWv3gh2Vpk-g<)jsZL?jMUSe=_-ihonoDxds;
z{(l)WS?J_1Up7V%j=N&CrRB4>9aeg~d7kWK%i|NwYb4p<@i=TKk=9-qZKEEdI1E!{
z$AEE^;xGhi82czgVB`cKW3vp?P_<W}8~P)T=@1&fLn*pLb#zUWO09cn4Sl!IjP>8=
zftL?NEQAScT>rQC_IGz*7uWxt?cLYC^?&+*A5UqrrQ>YfgL(#dp0|<53FC;stpuu_
zAKmNkjSAb|xF$5{TV&L^b+a9TcE%7!Hxgh}zvR3#@wg1FGX$#D<5f(;0C+(^PI}$%
zZD<Wg#KTd<*#v^3I_;xQf*2bTIf}2kJ{y-~c&Y`Q;xHdd)OfM2{ry*+1o%T3y?-QQ
z5E750KB93LrZJ(34l*TQ=ekZ9*t6}J4H1C`5)Dlxs;-zJYkR}=qz!P{53IXV$e$c9
z-;o4j8O9uk74A%waKyNYB_}?*iG4xnFb**<f3|^;@L2?Xl<viX4U`yEnu>>T5D?>N
zI#Z?*@Iyr-^8*&}<0mvAzS1m8=zp|N$yTMdn;dX3&0_*3LmX5;0m7EGuJw=oLoj-V
z<*1LkW_#JyUth8hB5}K!VLC7WEOm_Zim?zdb@Dhs7*V*%c%uM;C<4Vc4JOJiaUyRN
zrye}rK0OQ2*)NA^z}XnxjEFz7c&dc_4HoDH;|YH6Wm1Q$tr7TLL$j;)Wq(9Spf(bE
z7-BL$HLmxp{TI6M*)NBM<_pOU7R%lGlr<chK>_WaZD_Rqw=R{?RZme!4;fY5B6jr;
z@TIbjO(>kuVd3*^jx=|`#6`WP14^Y@cE)+aqG{`xP%@6kNRZ!kn+*f0i`mHQXc};3
zgsI`qi9&9`n`Br^`vv*EEPur1-)C`tSsI$sNQ793#Lb^=iHe2ldVf+SRqgcr+m<Y!
z*0Wm_9LdsYR4$ozxGky_618)esJ$!eqBG-$qROO}BP^9ZBZJgEJ<uhU7-C<>I1HyL
zQ9IDWxV%)6D<(%J7WAIe&A(&_sEBzM7|`Ei4k%*8Oav?uV1I;|9Df1tqQ6>Re*SQA
zsnn0*6#}&nW!wOG@vx+Jh_LOim$WMu)4<7P{aDU5b<$<iAiLF2={9<VdXkKxsQx6r
z2AYUrOatKIG_OePVu=j$slHkHMZ3_5!|Dsuf)pd;<;f+sO1EMK6sR5yYlvAB!JuG-
zKY}stXF)G|aCY*`?tew$XH@LIl1veSunwC%Pp7TkVgXTNVr>;AJ;hGW1(VY5W=g?l
zYll^0n~3pL@Fi14IC!-h8KH=?2)HE0kX6o1ECjL&ZF{boZ}+xlKWNmewJRX7J!X`F
zHVmv9)<aQ_stpjPiM(rcx7u)ukwz)|j81^7wZ>;dN`6miYk!rXD$N~F$sTRTP#l_|
z+@_w=V?0G1v{s2}j-EX%g??6M3ZVm*omUtVnV82u8;@g3<kTP$$yF>F7h3^LAlwpU
z=wa@Uhy-889JZ8gt68VoMDC7*XKCE}d4bo;G&GMkAR9(N*^ox4%%`Rm)g}4-_~J4R
znd`wQ_kL+D7k}9hs174^0Nf0sHh=UoPXjHaHh@Snos!CGd^ILAm2{!i_MzT0XxmT&
z+k!4Sq395gAw0wa?tB1LPYX|VY`Y;y?EbnTQ11)kAArzSgg?R@`x3aCd%iFeHl4od
zqFw5<tEtrx&W>=Lobeg;A(CRt>eelz2-5wKc;?zeWPeYBsqYqh!>t!|hiD<H2Dl5|
zVkJ#=j#}r0T0OM+pDh>VQ!bp1yA`4cU235t5Nbgu<8drCJ`4|JsxcYuX6>lZsBemX
zTW5Z|3YS`0`)#h_CF9yj6rnR0rCJNy8m!q)q=ss)yR9P4I=pLoR_$n%0udq}8`Jj+
zEKs0^sDFkJq@lh9K~P%g5<Q+9J;Ol_(JRn_i}G$VJ%f^LT$BcPY~x&lgX)FHUA#sC
zBv0)&rG=o>ep@3bxTZaY#k~El4AbhK&egcgKBx{{-4NNWWer_3ZhF`l4X1YOaLE)<
z0{2s<+H#fGkX>>x%}di$m6wdd`+*C;!_(78zkhaWXMX3m8DG|lLgmYv4cZLN``ocb
z)RIQ38+}JnM`zC3U%JTX8kOa6<x(Rd3?!l?RFjxkSCZMonFZ8D7K^*wObTP+p6~}~
zNG3oNRD-U5geQQ;aVSX?W|R%X#R}Z31Ebkj5%3%)qHA0%CB2s_EHkfN(*hUk-7JwX
zet(W^c~o0eqnORnSQnGAL^nzAVIi1L^paXYff(JH@85Q#pQC4SU|8lUCyeS*QGKFM
z2FsB$=4o3I(`rKRgs>gNTn*Z4FA&wEdIdny81w6j4Q1F)+PP^qjoBD!jt7{8n(`1R
zXh)AylFCr*B7G9aLDSmU7EPy*<=Er7GJjQAB{K>&siIUZlz@lEcybu06^&)K%MIqK
zDUh@4jkO+guGR`=T=H@1Fu{)fp?MA&RrZ0}4aCBFTBhkf^9tmR8jQ9M6zASUsD2f(
zKG!seL-gWms&+FZz}D=+ay~arsTQ+WDY#``qAM6E!HR{cqT+C|pVk_X&F+_3nt!_a
z>lO;z+0d*@^By)L+$NgSwRSRa(9E<NfnXC6nW}D)>27x&Bdn*4gQ%Xw*{Fw8)1}6B
z(P-dIL3YvU`^#gO+P-86PZ$YM#DpMfyCA@ixxvDU7{n&>n?%~l>3l-&7HbFLRSP<r
zTiEANS;ctT3<1v<O{7`Q@F%*|Zhy{uR^wnSI~LIiMZuKfG4YWo`;@C~K|U6+nbYFw
zsx}~@J{h0ZnKDy3Gnju;#B?XA;*)AzC-u+Bm{Ysy)k|HcxJGpxG>7MBhseia*hN3+
zh0^KSYiPx?e5!Jq*LOt7gj3PTYO-4}fCMDsC}LdA38_tms!B1=CZkpygnv^#la8GB
zL9=QQGN#wmrot#bX2ml;Ubn<G2tRPn_zbDnWfE}@u~3>o0G~i$Uj_QCLQaxwTQ(gH
zCIf`&w6GmZ^EQkijMPdg8HyuioQ5!gFejMe1?fW9MK%xQ&&t14qyq3s0BUw>m$V$g
zH0OntgvNj>&RZ=@m}p5f_J2@rG>VxyuCM@|OhRjeX{1L_cZ_rEq2$FlE1YxBi1;-?
zq=c1gU7!_<vgT@tGT)E6NQR*}sZ)2-hlr&Mlbus$^y;>yslgrsUce1C1|iY|)#ayX
zHrS#Czi$8%lQ50IQk@e8cp`H(+vqw;RAQITOS{S@9M<pZ)DyDdP=8HjwOEnV>qPCC
zVM37rDu^T#$XlO|B?!&-$VlfBROv9;y!@D9y}=^iZEmN+Y~3-F>ju|DhJ2WzVX}fb
z6RZUg!_|cjXohR?tY0b{rb3&=Gq(h3c0Wn>DHh;bRobqd%`0Vtfzf0E)Uauoa%!#?
zOXtjm(zPPUO=HmAkbfGRMVK^Eol71=$Fa^jiJ~!J3k6XPBostBWYM&$R?#^5u1HZ2
zRl#nYEG4N=$&~lAGXNcKxi<?^D)z}h<pCazGr?s~E@MV&5p&u+fI6yWpRT47M0*=D
zHxC?S7qcPLdElTplgXL0z-<848IU@Mnvn_<Gp`*;m&of;uz&KBi>YXU#_4+v(hy^;
z2S)py%*-g`cS@`hJxg*XZ8}qP-y1!edZCgT>QYRzw%fV^P4hCsQUa%a^nYG_{L3HS
z%l~@u;@6({pTGU(#mBDx$A7&1ua|!$fBfa;%NH+x{pshomuJVnk(Yn`O5^dh`Rk7t
zzryivEs4B*`F~%3s<3kF<)E8t$H%y5=6!lFJU2S7WwPoo^K=(&)P7~`?i_u)Pt5-k
zUsY0}Sht!vi@b(Lx>17PBqZ{iheEC)koN?ETq*Q%b&$tZLLHwH#PO?zHeP|m2H*J1
zc$xBM1|$X2)0fF%QIj_}g_IG20;O5}OuIir2WKaF?0=UT?t~BrAIL;4dpDR<9appI
zDKzd(k&YM@b~((5=az2EFtaC3MIpMGP)$uxW%6s3nm}W$r$ExSJfFqt2%~>9bo!`M
zbL3+yAydVAW?cV2Izeweh0@1n`}=T!(<cNoT@A2w4JECIlCB6mx`vCkfs5V)K=g4z
zLZ2D{bbnc>=aQh#CE=S(12w;1NahN_m&?N}mj+bcA$0OV@QTZ#6IX#nTpoG2G|q5Y
zRN)FSgm-`#Toxa=JR0y@!v3uo?RQuBz9)?6TOPl+0<_*ruz5=(@xE4ZdrX+RRUznB
zgqK?$9k)CdZY9XK72({TII3+W7`EjRYs=%)R)2s-TLt#)aU;!^!IZ7hV~-g<wgRl!
zN|0d>vr5cnVTnazSwz<p$8W6yt+g^)ToQ@3yd*A-vRV<QYFPx;vUsUAI%-wusN_no
z96T!bQ!_p)^Fm<Xhe$$jTF!shG11H<rJerMXVhS-%yq4%W(a;sQqrj(*ZB%(=PUG$
z1Ap<(vleFPm%7x2y2On9g_c_*SB@-(ep*ZV7c{3fOun%B4G+_MEappYn8Q`rRKrHl
zO_v|#f0~6RIRXiMtiyZBj-<|8l59ETh_iTDgw?vdpqbk_fDmMI+cJ^DdS+Y*1YOVp
zN6~Kxqvk5GVtZY$9PNI*iMDKirGcCXbALQm17lYQ?C^Z#U8~v$qO4wFx;TfEsDyA1
zl6w3Zhuuk*xZHZ}wMSVB;}9gY>gG@4a1O$dCyhBE%4l{2L+}WY7o|0Bo#4x1Cl_a7
z!&npxs$F<XE#q=E7In@-x~4?7Uh|*}V_&8tpoO(_4r)K&(IeK;3I{r611&9-?0;>X
zZtFyw8mECk(P%1&kHflyzl_$qJvDFF5Xo-JRIAEMRn)RFyYiC4P98V70cbof2apWg
zr5{a4wi3wn%FH@JOs|!x0K#o+Yzf_CBTR!(tBp#^IfvBMfjHLL@g6JODO*^J1Cckl
z>YS0au7e`PCR@7oP+r5-GvheMk$>41mjo|aj!V_$2<cl5k|jM${f#b1ARw=%ScLx>
zgIa=eXo|(QVorNYzsOscD>%c__SDLwv3b8$TX&7Tz8mDV5ujz@*P6nrFxZRiMOL{3
zS^2)>aqc$OIPauS?|MgZA3A)VUBjyO33swHSjAr8Nm&1n+TLFuVfadH`hTz9if<ol
zSw~kMKDuIb_&tPIa&DyB0E;OzE5u@1u8*-~|C$k6NqJf_xboGdM<|_<_t`j7t7;+G
zov}@k4#qdIHQz~i)rCW=N@nk~T}x|?<&i3<yam#T0&VXFo@Y0%kKV6fOI~~A{_x@?
zSvL|XvhWcNjdd7encklFP=B{>%aZPshI9eijxNH$Q?{=lWOOK&Np4Uduv(nwHsJNL
z+dRRtTd``_q;nYP`&}DaG)H61akyn$v|LLx4-L&ZEtUDYVzRb}O4u)xq5^do^#UTU
zJFc)zdeotLem(*(L^*J<j(M)bHji+NH{+Cg;gEVZnGBw^(I-^utbf_ZOxzBDdIWou
zd#lop*)FaYYg6_#x^mhWQVyCcagMooU6H$N-fn2&Ky#2>kxR`%xxJI^2gVcluuhqz
zHlf7md<Wgs-%thZ;#jgVmX?eQVSIRT(m+xIM}h?4<2>%TXcc#Cg=Ufl^*1*8jGK5)
z;5fBzd~mAaPCT;M)PIR4T;ioczRB6+d<PU_74t|{vPjmaaj5z`QJv2d)%iV9Gi2T6
z|3vM5pp6?3N1NwYB=!`Q&8_7inWlKaIrh>>Tqb|$Ey%Ml9ulgI$`>yUGJN1n6|JXZ
zU{9mhk55CtE}S4FInh;c6TDzN+nK&}FkCZ@5#yD#e@d79BYze$%aDe1Ucy>AEt!3H
zpQR*e|Bu?G-s0R+@q<!Q3w=HyDe;K}o&3eK#i!=1!t5o_ElcW2@|a}(?C#YxePrWc
zqYTw{7uiKxcX+<ItGms6+u1b=A**&~#+ST|n=`$2Hz=Z&UWB*&-DyS1Y<Xc?O<|)m
z%o_7E3udX9i+@t_M2U~pzl+CMZbmEz8F2Jda+X?K|7t{RPPKpk>wkVAA(&b4?|=QT
z(mMbC*Z=%AWd8NP|MkDE6LJ^PAXYgV=AH|~aqetOafDqI(=jgz1EvUv(Fofd7W1g}
z#WKFk%IH#;P1ez<+WfNUG|i1^G;q2M5IWqftJ+b6J%5>+*y#Eca1#I4##ulH1JD^Y
z1n6{m#w0f@3wDtdu|L|(A8x%;E3_u!gHDtnz3Qpp#mD6w98<C(7t%QlO8U#`4s#g_
z3pmKi`FbuQ@Vm3pedZq{$YZmH+g?mDPfkM5E%L>l1b6MqNI*FFCaRH7ba(|Oi-hwW
z-+ZR-rhj2VC(3H)f2_Cqv~&kHAx)0m5so5gZ=E<OFKVyUIopz_Ab$sECuNwM9ZKhJ
zapuacTdKXFv+I6-GBB0#ESDt#GZd-s4iPFO;Gn@wq6nxY9MaJ>y32U5a_I=L##?D2
zLjUi@`_rwrtcIi+FRar5=p%P91}ZnT{xBJhbbsc+3-zWu#*_>|$gZsexcGJFw>on`
z2`}8@aTLO45{OGpuw)JqVY(xws1=@LLuGpaMJ!1gexsYKmPchLV(Y;R$u;y*M?1hX
zHa{!r|KhsvLp?7{mcWiG)G^GZ?$P{0k}+wV2b>It;J*6-*=>@}@AOisbfQ+|90_WZ
z^?#&GbcN|(cYdqoxY%E69fw=AW47o-s9t($XQY@?iEmX+zOpvzdR8ZT)3bS^3;|`F
zKp1+--v0(qRWBq1XVbZ2E*qsaP4V~s=zZUCrUYt8lN?tAqI920_|<G$AmbKIVkG_u
z(_xx#a1hIw!(u5Ks-EKHad?c&isQk2u752XN89Boe4dZAH8!p(_a~bGpAfj&x?%j9
z(4nV9)3d3Pw)Fb5^-TX~;kM`ntZjn|tKD6;O4TE_7HU)yT4=wHJ-<j`N~Ld0mQku>
zYbFyBXp95MQs>;UD60<DY2o~-XE8e-rh)pmNmc4k7wW;7w3@yjPLA$Jz+<w|Tz{?I
z^42Bst3in&7g7w>rTz1&X1OD@^FUVu*BgJ|`2C=V7bkf~zKh+8Ykz%5=v=weQpZS*
z`@5J$t>_~Gn}sP2-)C+R^nsFF=h{Y@0H5h3i;5ypp9LnVD5i)|xxd#%@2UQNGeL}v
zmErW?f%_WMzx-MJ`SibS*A?fV;eVMHY86D8<J<rFy65$_z23HiVz1ZN{~vw0Jgm<S
zr+KYWZ+X~R_B_~yr}-RccAKhGs(o$w&}vrr_05}4Dt8)w-1lyl7A40Lw7z@u8@zk7
zZF;sw0JN(`781Q+MmDEIZ*GaMq)D48C=Vdd^E0_pX<jPdTW!R2sSI!~cYpcvIpLg^
zV%scn&DN96UD!vxxeTjW@%*M(KB*7l=X8dvCugEd7VF0PIX+U0yNQdcaWWA!JLZzO
zZ+xZ7U>kA}VveBK`ohrliI}-h#H{cn%-4PbW_|MIUQfQPPrN+l6EEw`EO(Td#fr>Q
zxmgU2m1Sp{^HkDTbQWoy5r4%z>$DMH_nD%v`4rIunVjqNIW152EPak=1*djaaz<y4
z6FH4`+!H>4v-EMB<qy|9@}o4XJ2>-nkI5``AZD4PFJI>&mnDz0Jm#Bg7d^+Y>Qf6#
zpHX-!Clc=A{K4|44OV%!VA+!dt2#HZJ|$2-C9u?afR!Nsm&5oki+|={8n?d^g#I#E
z{AE!0%i!zRNcy=Ow?@*hk@RcK{2DXA#>_vy`@d(q$iCS-z>7h}Wl-x&W7L;Lq<^LO
z^CyQkU*Ep{G!f)?diVC6=<xOZ+mGq~?Ui7-mql!^1fRXWNBgV2NBb*9NH2|tUKaiQ
zIIzx-^!o45pFIRLK!4tsFB{*jpXLYu9&;Fw5IkQH&uFAA3FAnExVF@fxgzPc9Nj4%
zhi&WV^?JSiy*>TkUawdB@6PVt&a3aX_g?q5_jX_J?C*Wo+u7aT+4&Cj?zZXXiG{@c
zyWY}ul^ge!JZ7pLK@_s-7^o~=?GlNt$#&tc76Wzt{26tBF@Ko7oKR@z`j;;od2ggH
zdJZ9A0o}~+s7r<T3PL;QaTLuai;$Y!g!*9|0P3WY*)^0psEhtUl+Zx!Klju(s=Qvh
z9dyk{rj-6tvcKbTi2guj3QC>KAeOts#_(FW)TU(x2^5Y)6cQhcx*kd1o0<fK;LBvY
zJI2x<z037%ZGWdF-@S8m-hR^IEk{O3jwK8&B+e`u?r)Nkm($38o2VPhe@@uc6Be2>
zmjryDHKMhErBw{lk~fTBhYSZNiYSrOu0da(92LkbPST=XV#{vD0{W;U)drwIzlBIe
zEO?g}Q7b*&On$zfLqH=I9F%2LGhUL@*|ne&XmiAbJbwkL+FsYgxguH3%8npD9Qb+%
zep*&6#n(A%83oD$xF|@!HXjPEYbN?ABs9Kl?43NN*4<qrFZqcY)A#geEF|z;c~zOm
zSqR0Os<y_uU~2i~M5TRYhvx6I5L0MTWfFmiRQbl5BTg76a+;xBtg-9)=6)y7=S1f2
z3liYR`hNpPCEUtvd<6JvS9!*nnz?xc-RO<;m`XB+BXjtmao8jaftMvZ_hU<mZdB|8
zeP`J;H)HHCb4-`Yu#qty!dV=K7vOV{Iqu7E3boXIU97yKWy}v*j5}}Zn+07NdKqw!
zZ&-FmSez*Zdy6_-onrM}Uy!rx3$-ROK_uhT{D0K2?dhXVZf2YBudsk~h#30vrSh(c
zc7IlBiHGRRmyQ{OP(Vw5R##_HJ0OJlP?W<~9dGhxr&IY+o8dSJ)XwhBpI#gs9i1Ov
zT)cD?3;_qgJ*~3{qq9q7*Y3Wlv&kGp)J$Zte6zjN>j}quxRo4x1~uj-YxkStdY2Yf
zx_`&R5%K;Ri8rr$O(m{kF65i-o~zIRu#7o)L$ybF^CP2-pZ#(Ueu&A~gaIoI0G*Ua
zz@F(cJzR#JsiE#8wf|B7*A>jaF3XUbfA$;znk61lTDB+|6Pr;wrm`X-WA&>!pr&{z
zacH<#e1Y@=l6QjSuY&ySm32qKjI;$y?0@D=sO_C1!?j9XJwA@`6$y#+<OF9?`8N+8
zynE+VMfprvjjAY(n5Nx+k$t)<ois-!{nnq&t)=dsi*|aet%kZE1y$0btDWaf)3ad$
zs;7STE;c=LgZA*#lY=0?x3&__P3e_e2u`}rl{zW8xMi?pU8|j0PRrpwrrUGR+<(mN
znTg>M8Vm4rF!hag{XVaJkh32|^=)w_KL?*pfE(!X@oj|lrNTd862=_#lK%W*m-J+8
z7g^5lSzlOIA68d{WC9d~P+N;DXrnHYFV55ltJN3{q^lFTSa?Cbv8o!|XpiE~p-#$8
zNj)0r%-j{pz`#Fe`EJx4Eb?L~j(?<#yyS%Pn~?c9RG;<T-k@SrM}R{)I%8a>8|O+F
z+gfx<FJfH2S&(wMD-Gevo1M8-L9v?0t_=#@KCD7W{k3g$LFU|DsUD~yTb+?v!3F34
zvNg4{8oWu}WMIR0FoDp$u}^2~pI#hZoP0VyJvw`Ta(d}<HH<-W;)_(f^nbeg|JBTH
zTiQ;$nmxYH=zt7s7|#m0379aYlBhfZdpg!S^Ifi$ki{BjJs?9*XwR8fCX(Yq7eCac
zjhpRsZpxW;)slRJBgSNj@nQko!$Y9b(RNejg8+V@O1KGS6g&|R2ISU3C{9RR=n`&1
zI1Jg12jfUi3q4TNU|sxJm480WnqH!;fiPtePyLokr0OCJMX7T-OKg$SyNEN%d=~c6
z<>6VPmMAQ?61HNsX_0dAZA$z;lkbYYC{$GJ)qydpFGn22h=oBPy(+v{3;J7-Wvw2W
zB`M)(DZ9Z0j`}FI7Rq%k*oAc#L_#soyu%(Klt_ZZBM9;I!oZgMXn(f|L9(V(`g*(g
zIs#5u;QqLN*Yf{=I6wY$cz%3ze0q6u@b1$OC-073dzc?Mb7WI6Q}1US{RC6zF<D3G
zUN1X`9CWM_hd+=I4ihrf-c!#tO#5009Pe0Uj;7|4N|oD~UufLhvzU_G{?=B#{aT%%
zR%PjfD`%YDPEn^*oqw5zfgdj~&n`ZloxlJ8{_d{7stR*-OGIk~sFA}q49?HrJnR+a
z?d|(d7e_yRdiVbAr+3G{9KUN@s}`NN?BeLBcbSzjmkpiSJooAxFMrG#lUrT<yU(Jj
zlZtsYg9=DLcVcR*hEUAG^UHTjRduM2R(As;Bxk5IfPisaD}OLTlyjk$`4S@B@}Zi_
zmje#o({S1_Uxf(0=(^my<qD!}vgKn>@>s|%9S`!WH@Y{}<`mQg_Bp9UJ;WZz2&*Hq
z>XbrlG#wFcGrtzUa7x^aFC3z!melGg^=P)hnkf8{PBy^!^gTCd>W%z(%_*^NX`RVo
zRdnkmb0)DFVj-H7!iNUs-QzPC{?qFId9a_~&BTB9wtKs;OZd;7ot;;cD=1G3y{FoY
zNf$q}TD&8Zg(yn|OPcW8lhi09e`kNK|L^0mwj8EG26r|C+y#oSLa6>83;0plT4wAI
zQ&6GOHTF0GhB2cTu)t}8q>@0KuJAB{i|Pu_5+r1oKS+>JTIneQlm7RjfXr7*6`{iq
z`c+~okMZpXiYJ(aYQzgYr>1<j_&({r3dmoVt-||f9#3dDTFV?`nD2x^e_MX$KZ{U1
z?kj-$=SbZV&VN3<zLJJUMpuO0Hs7^931BO)=W2<A0C`+^-Tcmh$>%y^px8Qa;m#fG
zC*?A#+db3*$FG<75{Um1z}8oFjv#qyyXt+E+gIdV2xeKUxT$zd55xxn+;myz^b#F>
zxcu?``N`$qKYqOU`^Dw)f6qxIt8gGDM@NmyVFL(Xz5f~m<C#qu-CvBnT4~vZINJwZ
z=Xtg{ZYr_%h}{4eBM8GT+&Td6e&wfAxbaRTjFJ9dy(p%RHRPRPIYNj1j~^$PfBYDd
ztB)U*$_hb#{21vx(Bk9A+U@nnkI4IhalgRGojEw0PLF8KVVLtce+-E-0$QO%)rV$7
zf1Z4{TA7|%K~>OPpDYLfxr^G%QeG#kYU}14m$K;Aph}8h)L9S_E4FDZ8eke>IePP_
z7f0tOzZ{=`IzN8<>Eiw2PoK^XE`M~<FcR-1arW-R+mlmG;^^eu^>JGqc<T_P!vM66
zR8udRo%NHm27PBQf4g#YiJO}xv_m5Y#U5Rx?oW20rXN2#YxwEIUynbXzCSwtbb9df
z9Fc6Dex)Xaou%H@mZ_dCxhuL*E3NOEVs$G)a~LWSj4TG_puI-iJvGCkPUWVQ%nWI%
zXbbQ?y@y^Ia8FSq!J9w5D9*(?1zv@3<u%^}A@X#O+yxe|f1dD@L*ePBw!z<}B8IO*
z@P;6hlO951Dc(534W{T@kTzkwD%VIf??3je1G(<JXba$}aZuGlPM-+eD(N*xnN`BB
z?!@L<BeqtA*t!dYD(|45Y~Pi|wJPiCfe=1VIHTCY@xM7xAT#oR?QHjU%K5)`_jcFu
zzx#Mv#Q$DUe<oW80bj18fa@sWItsXs0<NQgPbdnw+7R3$h$%J&GfIcnvnI7Xk8s%k
zSa%}9dbk79Dmbz}3%}r5__?DO<pc4KA~k2vjlZt`G}?VcDh~VF*Y9-ruj(xOygRi=
zbmn{=oP4<8<fDl#>Pc75>sr|8oad+;scn0f7H-QIf7sWA2n;t{jgeW$2MhFolggL{
z@WxH5w9?g_g57UE1-sjG3&GuLxW^P!eG(zh*=b7>8EVX1(s6cjd1_YdqFQ<mvnu(#
zAj`9e<O?scz^wzl-&|^yb!>JWn|-3OS;HuyA)#q<ziXI!<|=7(zh{!t-p%}p{?=6V
z6HE{ElkY562jj=?M^)%!lT0mY0hN=tEn<I-J#*v#=Fa{!6aUxS-`+3b|F-w{*Z9AC
zc}gKMlgP~?|5kzIvzg&misP%&Tmg#D5M3U_XXvaEd^O|raQHnpH;dmVS`H@P=Ov-0
zEh~TvriAX}YS5eyEug~TpRhxeyvwJ6SOjxuzFqQ;P{Y&R-~p|!xGOYZ#`<H#0@i=@
z#!B&^PaJ93CiC$cXZT3(+$k4mafQxYv8%hg*QVJkW~TAHNWe8%ubH!l0_)XXNLwkk
z97HV<)`soKBf#f53O^cb-mI|ht2wcG3tghO2o|qm|79+*E$b57s&$Dic9Y*~(Qpe~
z;<X5LZEGRmT3H*<16x}o%f3-$SvG$U*SNB84OeEtUs~~aL(bx;9$EHFrW<w6@p}ZU
z8U7;RV<Lpw7gpuh=+3OflS96(9%nY=Lax~;v_&^7Yoyxx(ycW*ZH-QAb1hgSfF|N(
zLP8iq;FuB19kjTg3(1<cL(a_sXAvIiO+g?1l>|CQuT_GR1^taSB=7D<vm$??04C0l
z1DFsWDqO6uLtEfFwDK-*77on;6>EuGnSYC3T*GI8RvKo?;w&!2LCr*2x}#E{(_(DZ
z`U{#FTk5{IhUq?|*7Dr1LsT{BgeQO5+{0q2THt?@tFpY@RabL?fM(qP_G*7`w|xKG
z>(}f1-|popIo#80(URm}UIu>xf+%FuG0+82Kq=YeABUMJslqD)2DPeY1z4e`dX`5J
zHBnzFu82bv5+94!eVBZ(ARegY@GJun(g5-F%0HB8EOf)@bBV41jWNH50AZnRuoMG6
z*+z%wM+Q_LXCNs}lTh^RRd26A+so4?VTj<CNQ4IxIKrI8G(fMruhf5Lh0#E$T8Pxd
ze5@E55E>Nf6%5G{5oT+J#E8XVpx7PiwU{G0!c_f_A~GiQT=AZd?jR&u0mLq1K7>B%
zWxo_4V`l$YfrK>;T@@*|98jyZn5-c4T2oysfLF~R|0puFRasjUJ7tZaS~QU##zF$W
zH$YL&URe>UsHuuPjLUzHqzjw%l|z>1o2QNO!ul&%i%ZTbf{63i)t~q4xx<b3%~R{Z
z<c=d+5dsc?ds-I|M(Yx`mx`5wa4wUs)7r_=Y?;_E8xGzz`5s&K=0Xn1N1kzd#{Q3A
zVc#nr0-1joIP3n`o$bBS{%^0hvp)ZEFHdQ?QRCh9waJ;=`W=6oh5MX^P}uwF(m0kQ
z#>ww`A<f+z-nb#uUs?yD2e%S9#i18*HX({MaE~)>d@pl<IFCa!=RAZXq9fFzkACfR
ze%mN%n_oLodg-?HjoLyJ;8(i95M*Z)bwVQae{a-wNBzTemikwe{1iY45;TDYYW71+
z#;vP2XG2_d6>ooXchzi5_{vag+2EFKf(cN$Ko{E9q@B4?vwT66-MZ2SEk!U}xMuQh
zh0lJ_SmP=yQaXLsh&k%>8RG$=`I+ykOE3C$v{NZay3x*_f;5yT*>4-3=WSHA(_aY<
z2p!&qlCnpnQ~h*ht6EM)iTLUt;7hBeOnWX0`!h|pYI}bd_i%n?@7Bhdrc|trDOdIU
zGD<rUl7`OTs2RaKU0<-2*dKjGi%Y$BU%8UfxR18FmCylOTphMlPG+>m^Q<H*SwAYZ
zZwZNIyh<j%HN}}uytUS>QALkcWhNGaynn6fHX@g^9-U^e@r}8r*-CA!<;?7r+jd#M
z%~oWYYN>zMtIP6Nqh;6Hw4zP(b8@Xv>lIaNoqE42m4hI^e|<*iylQm`zs6EEEUriH
zYY}>2eRbdJYK8Lt1oTv?Hy%busbQ%dvb1xOlT`Pts2c3COs0RU>6I18@_e21tt`L`
ziA)>m{`@%!O+Iui<Xe2^kN?e|1a1cYb8maMod17q=hgn}b^Px>o*D7KdtG^S&V@&}
z<~-0!lkbd2wZ`PLYu(H0;t-4Z)|LAg;)n(JzP)2Xjrcy8^r~K1i*8;R+Q_XMuGXVc
zWov<P;{II<tF{;Fce&hvI9qr}e_OI^5|Ll5ht`6elasb`{Lt3T`kD2#wf~nn1UAe5
zf8Bq3RkHtgU-x=z`~N;3YyV>!)Sm&n7jR&WkbNCq@-@_Nr4I6SjP-tFtgEkZrHGw{
znP?pfy3;+9ORGI9YqI_X*h+272JQZEQ4kkX<`7GIhUE@dpa+Zu-n+<`dUZVmnuP7%
z0w*)<f7?&k^wWYTfo9nM+r8I2CHsGWduM;`|G$@~od2N|Pt1({QkF62RBO%w(HyFr
zKl{TXX&mOcu%q2&9fjlCO`jR^9tn!~fHiS3i(?5Cx8c~7n^|?9oFhTagXgMQKdXP1
z(f@5D!87&$e&zh<{_CB!{=bjs!SsLT!d`3swdP+x5A@8h|L2bc%+UY6z1_0@-|sB-
uw%7XqKAw5}|M#~z)a}RbXQ^20x%IPt*3Y-_{NDfo0RR8Xdf~7D>Hz>a<mQk7

diff --git a/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node.yaml b/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node.yaml
index 5a16724fcc..9cd41af37e 100644
--- a/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node.yaml
+++ b/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node.yaml
@@ -136,6 +136,7 @@ spec:
             - "--mount-permissions={{ .Values.linux.mountPermissions }}"
             - "--allow-inline-volume-key-access-with-identity={{ .Values.node.allowInlineVolumeKeyAccessWithIdentity }}"
             - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}"
+            - "--enable-kata-cc-mount={{ .Values.node.enableKataCCMount }}"
           livenessProbe:
             failureThreshold: 5
             httpGet:
@@ -193,6 +194,10 @@ spec:
               mountPath: /etc/pki/ca-trust/extracted
               readOnly: true
             {{- end }}
+            {{- if .Values.node.enableKataCCMount }}
+            - mountPath: /run/kata-containers/shared/direct-volumes
+              name: kata-direct-volumes
+            {{- end }}
           resources: {{- toYaml .Values.linux.resources.azurefile | nindent 12 }}
       volumes:
         - hostPath:
@@ -223,4 +228,10 @@ spec:
           hostPath:
             path: /etc/pki/ca-trust/extracted
         {{- end }}
+        {{- if .Values.node.enableKataCCMount }}
+        - name: kata-direct-volumes
+          hostPath:
+            path: /run/kata-containers/shared/direct-volumes/
+            type: DirectoryOrCreate
+        {{- end }}
 {{- end -}}
diff --git a/charts/latest/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml b/charts/latest/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml
index 0b0f539a49..107b421bd9 100644
--- a/charts/latest/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml
+++ b/charts/latest/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml
@@ -26,49 +26,26 @@ roleRef:
   kind: ClusterRole
   name: csi-{{ .Values.rbac.name }}-node-secret-role
   apiGroup: rbac.authorization.k8s.io
-{{ end }}
 ---
+{{- if Values.node.enableKataCCMount -}}
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-{{ .Values.rbac.name }}-node-pod-role
+  name: csi-{{ .Values.rbac.name }}-node-katacc-role
   labels:
     {{- include "azurefile.labels" . | nindent 4 }}
 rules:
   - apiGroups: [""]
     resources: ["pods"]
     verbs: ["get"]
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: csi-{{ .Values.rbac.name }}-node-pod-binding
-  labels:
-    {{- include "azurefile.labels" . | nindent 4 }}
-subjects:
-  - kind: ServiceAccount
-    name: {{ .Values.serviceAccount.node }}
-    namespace: {{ .Release.Namespace }}
-roleRef:
-  kind: ClusterRole
-  name: csi-{{ .Values.rbac.name }}-node-pod-role
-  apiGroup: rbac.authorization.k8s.io
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: csi-{{ .Values.rbac.name }}-node-rc-role
-  labels:
-    {{- include "azurefile.labels" . | nindent 4 }}
-rules:
   - apiGroups: ["node.k8s.io"]
     resources: ["runtimeclasses"]
     verbs: ["get", "list"]
 ---
-apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-{{ .Values.rbac.name }}-node-rc-binding
+  name: csi-{{ .Values.rbac.name }}-node-katacc-binding
   labels:
     {{- include "azurefile.labels" . | nindent 4 }}
 subjects:
@@ -77,6 +54,8 @@ subjects:
     namespace: {{ .Release.Namespace }}
 roleRef:
   kind: ClusterRole
-  name: csi-{{ .Values.rbac.name }}-node-rc-role
+  name: csi-{{ .Values.rbac.name }}-node-katacc-role
   apiGroup: rbac.authorization.k8s.io
 ---
+{{ end }}
+{{ end }}
diff --git a/charts/latest/azurefile-csi-driver/values.yaml b/charts/latest/azurefile-csi-driver/values.yaml
index 65999320f8..3409a8b904 100644
--- a/charts/latest/azurefile-csi-driver/values.yaml
+++ b/charts/latest/azurefile-csi-driver/values.yaml
@@ -116,6 +116,7 @@ node:
   cloudConfigSecretNamespace: kube-system
   allowEmptyCloudConfig: true
   allowInlineVolumeKeyAccessWithIdentity: false
+  enableKataCCMount: false
   metricsPort: 29615
   livenessProbe:
     healthPort: 29613
diff --git a/deploy/csi-azurefile-node.yaml b/deploy/csi-azurefile-node.yaml
index 4576f334b1..d0658a66df 100644
--- a/deploy/csi-azurefile-node.yaml
+++ b/deploy/csi-azurefile-node.yaml
@@ -100,6 +100,7 @@ spec:
             - "--endpoint=$(CSI_ENDPOINT)"
             - "--nodeid=$(KUBE_NODE_NAME)"
             - "--metrics-address=0.0.0.0:29615"
+            - "--enable-kata-cc-mount=true"
           livenessProbe:
             failureThreshold: 5
             httpGet:
diff --git a/deploy/rbac-csi-azurefile-controller.yaml b/deploy/rbac-csi-azurefile-controller.yaml
index dbbc819f2f..b3baefcf04 100644
--- a/deploy/rbac-csi-azurefile-controller.yaml
+++ b/deploy/rbac-csi-azurefile-controller.yaml
@@ -193,25 +193,3 @@ roleRef:
   name: csi-azurefile-controller-secret-role
   apiGroup: rbac.authorization.k8s.io
 ---
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: csi-azurefile-controller-pod-role
-rules:
-  - apiGroups: [""]
-    resources: ["pods"]
-    verbs: ["get"]
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: csi-azurefile-controller-pod-binding
-subjects:
-  - kind: ServiceAccount
-    name: csi-azurefile-controller-sa
-    namespace: kube-system
-roleRef:
-  kind: ClusterRole
-  name: csi-azurefile-controller-pod-role
-  apiGroup: rbac.authorization.k8s.io
----
diff --git a/deploy/rbac-csi-azurefile-node.yaml b/deploy/rbac-csi-azurefile-node.yaml
index 432e91e7a5..a2c47d2882 100644
--- a/deploy/rbac-csi-azurefile-node.yaml
+++ b/deploy/rbac-csi-azurefile-node.yaml
@@ -32,44 +32,29 @@ roleRef:
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-azurefile-node-pod-role
+  name: csi-{{ .Values.rbac.name }}-node-katacc-role
+  labels:
+    {{- include "azurefile.labels" . | nindent 4 }}
 rules:
   - apiGroups: [""]
     resources: ["pods"]
     verbs: ["get"]
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: csi-azurefile-node-pod-binding
-subjects:
-  - kind: ServiceAccount
-    name: csi-azurefile-node-sa
-    namespace: kube-system
-roleRef:
-  kind: ClusterRole
-  name: csi-azurefile-node-pod-role
-  apiGroup: rbac.authorization.k8s.io
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: csi-azurefile-node-rc-role
-rules:
   - apiGroups: ["node.k8s.io"]
     resources: ["runtimeclasses"]
     verbs: ["get", "list"]
 ---
-apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-azurefile-node-rc-binding
+  name: csi-{{ .Values.rbac.name }}-node-katacc-binding
+  labels:
+    {{- include "azurefile.labels" . | nindent 4 }}
 subjects:
   - kind: ServiceAccount
-    name: csi-azurefile-node-sa
-    namespace: kube-system
+    name: {{ .Values.serviceAccount.node }}
+    namespace: {{ .Release.Namespace }}
 roleRef:
   kind: ClusterRole
-  name: csi-azurefile-node-rc-role
+  name: csi-{{ .Values.rbac.name }}-node-katacc-role
   apiGroup: rbac.authorization.k8s.io
 ---
diff --git a/hack/verify-yamllint.sh b/hack/verify-yamllint.sh
index 667f98a733..fd1d9521ee 100755
--- a/hack/verify-yamllint.sh
+++ b/hack/verify-yamllint.sh
@@ -21,7 +21,7 @@ fi
 LOG=/tmp/yamllint.log
 helmPath=charts/latest/azurefile-csi-driver/templates
 
-for path in "deploy/*.yaml" "deploy/example/*.yaml" "deploy/example/snapshot/*.yaml" "deploy/example/disk/*.yaml" "deploy/example/windows/*.yaml" "deploy/example/metrics/*.yaml" "deploy/example/largeFileShares/*.yaml" "deploy/example/smb-provisioner/*.yaml" "deploy/example/cloning/*.yaml"
+for path in "deploy/*.yaml" "deploy/example/*.yaml" "deploy/example/snapshot/*.yaml" "deploy/example/disk/*.yaml" "deploy/example/windows/*.yaml" "deploy/example/metrics/*.yaml" "deploy/example/largeFileShares/*.yaml" "deploy/example/smb-provisioner/*.yaml" "deploy/example/cloning/*.yaml" "deploy/example-cc/*.yaml"
 do
     echo "checking yamllint under path: $path ..."
     yamllint -f parsable $path | grep -v "line too long" > $LOG
diff --git a/pkg/azurefile/azurefile.go b/pkg/azurefile/azurefile.go
index e6d36d22f4..7372f228c2 100644
--- a/pkg/azurefile/azurefile.go
+++ b/pkg/azurefile/azurefile.go
@@ -234,6 +234,7 @@ type Driver struct {
 	appendNoResvPortOption                 bool
 	appendActimeoOption                    bool
 	printVolumeStatsCallLogs               bool
+	enableKataCCMount                      bool
 	mounter                                *mount.SafeFormatAndMount
 	server                                 *grpc.Server
 	// lock per volume attach (only for vhd disk feature)
@@ -294,6 +295,7 @@ func NewDriver(options *DriverOptions) *Driver {
 	driver.enableVHDDiskFeature = options.EnableVHDDiskFeature
 	driver.enableVolumeMountGroup = options.EnableVolumeMountGroup
 	driver.enableGetVolumeStats = options.EnableGetVolumeStats
+	driver.enableKataCCMount = options.EnableKataCCMount
 	driver.appendMountErrorHelpLink = options.AppendMountErrorHelpLink
 	driver.mountPermissions = options.MountPermissions
 	driver.fsGroupChangePolicy = options.FSGroupChangePolicy
diff --git a/pkg/azurefile/azurefile_options.go b/pkg/azurefile/azurefile_options.go
index c331a90aff..52b24e467c 100644
--- a/pkg/azurefile/azurefile_options.go
+++ b/pkg/azurefile/azurefile_options.go
@@ -68,7 +68,7 @@ func (o *DriverOptions) AddFlags() *flag.FlagSet {
 	fs.BoolVar(&o.EnableVHDDiskFeature, "enable-vhd", true, "enable VHD disk feature (experimental)")
 	fs.BoolVar(&o.EnableVolumeMountGroup, "enable-volume-mount-group", true, "indicates whether enabling VOLUME_MOUNT_GROUP")
 	fs.BoolVar(&o.EnableGetVolumeStats, "enable-get-volume-stats", true, "allow GET_VOLUME_STATS on agent node")
-	fs.BoolVar(&o.EnableKataCCMount, "enable-kata-cc-mount", true, "enable Kata Confidential Containers mount")
+	fs.BoolVar(&o.EnableKataCCMount, "enable-kata-cc-mount", false, "enable Kata Confidential Containers mount")
 	fs.BoolVar(&o.AppendMountErrorHelpLink, "append-mount-error-help-link", true, "Whether to include a link for help with mount errors when a mount error occurs.")
 	fs.Uint64Var(&o.MountPermissions, "mount-permissions", 0777, "mounted folder permissions")
 	fs.StringVar(&o.FSGroupChangePolicy, "fsgroup-change-policy", "", "indicates how the volume's ownership will be changed by the driver, OnRootMismatch is the default value")
diff --git a/pkg/azurefile/azurefile_test.go b/pkg/azurefile/azurefile_test.go
index 103c81273a..a727fc4f08 100644
--- a/pkg/azurefile/azurefile_test.go
+++ b/pkg/azurefile/azurefile_test.go
@@ -63,6 +63,7 @@ func NewFakeDriver() *Driver {
 		KubeConfig:                  "",
 		Endpoint:                    "tcp://127.0.0.1:0",
 		WaitForAzCopyTimeoutMinutes: 1,
+		EnableKataCCMount:           true,
 	}
 	driver := NewDriver(&driverOptions)
 	driver.Name = fakeDriverName
diff --git a/pkg/azurefile/nodeserver.go b/pkg/azurefile/nodeserver.go
index 8efe6ca583..ab55f1afbd 100644
--- a/pkg/azurefile/nodeserver.go
+++ b/pkg/azurefile/nodeserver.go
@@ -100,48 +100,50 @@ func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolu
 			}
 		}
 
-		enableKataCCMount := getValueInMap(context, enableKataCCMountField)
-		if enableKataCCMount == "" {
-			enableKataCCMount = falseValue
-		}
-		enableKataCCMountVal, err := strconv.ParseBool(enableKataCCMount)
-		if err != nil {
-			return &csi.NodePublishVolumeResponse{}, err
-		}
-		if enableKataCCMountVal && context[podNameField] != "" && context[podNamespaceField] != "" {
-			runtimeClass, err := getRuntimeClassForPodFunc(ctx, d.cloud.KubeClient, context[podNameField], context[podNamespaceField])
-			if err != nil {
-				klog.Errorf("failed to get runtime class for pod %s/%s: %v", context[podNamespaceField], context[podNameField], err)
-				return &csi.NodePublishVolumeResponse{}, nil
+		if d.enableKataCCMount {
+			enableKataCCMount := getValueInMap(context, enableKataCCMountField)
+			if enableKataCCMount == "" {
+				enableKataCCMount = falseValue
 			}
-			klog.V(2).Infof("NodePublishVolume: volume(%s) mount on %s with runtimeClass %s", volumeID, target, runtimeClass)
-			isConfidentialRuntimeClass, err := isConfidentialRuntimeClassFunc(ctx, d.cloud.KubeClient, runtimeClass)
+			enableKataCCMountVal, err := strconv.ParseBool(enableKataCCMount)
 			if err != nil {
-				return nil, status.Errorf(codes.Internal, "failed to check if runtime class %s is confidential: %v", runtimeClass, err)
+				return &csi.NodePublishVolumeResponse{}, err
 			}
-			if isConfidentialRuntimeClass {
-				klog.V(2).Infof("NodePublishVolume for volume(%s) where runtimeClass %s is kata-cc", volumeID, runtimeClass)
-				source := req.GetStagingTargetPath()
-				if len(source) == 0 {
-					return nil, status.Error(codes.InvalidArgument, "Staging target not provided")
-				}
-				// Load the mount info from staging area
-				mountInfo, err := d.directVolume.VolumeMountInfo(source)
+			if enableKataCCMountVal && context[podNameField] != "" && context[podNamespaceField] != "" {
+				runtimeClass, err := getRuntimeClassForPodFunc(ctx, d.cloud.KubeClient, context[podNameField], context[podNamespaceField])
 				if err != nil {
-					return nil, status.Errorf(codes.Internal, "failed to load mount info from %s: %v", source, err)
-				}
-				if mountInfo == nil {
-					return nil, status.Errorf(codes.Internal, "mount info is nil for volume %s", volumeID)
+					klog.Errorf("failed to get runtime class for pod %s/%s: %v", context[podNamespaceField], context[podNameField], err)
+					return &csi.NodePublishVolumeResponse{}, nil
 				}
-				data, err := json.Marshal(mountInfo)
+				klog.V(2).Infof("NodePublishVolume: volume(%s) mount on %s with runtimeClass %s", volumeID, target, runtimeClass)
+				isConfidentialRuntimeClass, err := isConfidentialRuntimeClassFunc(ctx, d.cloud.KubeClient, runtimeClass)
 				if err != nil {
-					return nil, status.Errorf(codes.Internal, "failed to marshal mount info %s: %v", source, err)
+					return nil, status.Errorf(codes.Internal, "failed to check if runtime class %s is confidential: %v", runtimeClass, err)
 				}
-				if err = d.directVolume.Add(target, string(data)); err != nil {
-					return nil, status.Errorf(codes.Internal, "failed to save mount info %s: %v", target, err)
+				if isConfidentialRuntimeClass {
+					klog.V(2).Infof("NodePublishVolume for volume(%s) where runtimeClass %s is kata-cc", volumeID, runtimeClass)
+					source := req.GetStagingTargetPath()
+					if len(source) == 0 {
+						return nil, status.Error(codes.InvalidArgument, "Staging target not provided")
+					}
+					// Load the mount info from staging area
+					mountInfo, err := d.directVolume.VolumeMountInfo(source)
+					if err != nil {
+						return nil, status.Errorf(codes.Internal, "failed to load mount info from %s: %v", source, err)
+					}
+					if mountInfo == nil {
+						return nil, status.Errorf(codes.Internal, "mount info is nil for volume %s", volumeID)
+					}
+					data, err := json.Marshal(mountInfo)
+					if err != nil {
+						return nil, status.Errorf(codes.Internal, "failed to marshal mount info %s: %v", source, err)
+					}
+					if err = d.directVolume.Add(target, string(data)); err != nil {
+						return nil, status.Errorf(codes.Internal, "failed to save mount info %s: %v", target, err)
+					}
+					klog.V(2).Infof("NodePublishVolume: direct volume mount %s at %s successfully", source, target)
+					return &csi.NodePublishVolumeResponse{}, nil
 				}
-				klog.V(2).Infof("NodePublishVolume: direct volume mount %s at %s successfully", source, target)
-				return &csi.NodePublishVolumeResponse{}, nil
 			}
 		}
 	}
@@ -197,10 +199,13 @@ func (d *Driver) NodeUnpublishVolume(_ context.Context, req *csi.NodeUnpublishVo
 		return nil, status.Errorf(codes.Internal, "failed to unmount target %s: %v", targetPath, err)
 	}
 
-	// Remove deletes the direct volume path including all the files inside it.
-	// if there is no kata-cc mountinfo present on this path, it will return nil.
-	if err := d.directVolume.Remove(targetPath); err != nil {
-		return nil, status.Errorf(codes.Internal, "failed to direct volume remove mount info %s: %v", targetPath, err)
+	if d.enableKataCCMount {
+		klog.V(2).Infof("NodeUnstageVolume: remove direct volume mount info %s from %s", volumeID, targetPath)
+		// Remove deletes the direct volume path including all the files inside it.
+		// if there is no kata-cc mountinfo present on this path, it will return nil.
+		if err := d.directVolume.Remove(targetPath); err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to direct volume remove mount info %s: %v", targetPath, err)
+		}
 	}
 
 	klog.V(2).Infof("NodeUnpublishVolume: unmount volume %s on %s successfully", volumeID, targetPath)
@@ -428,7 +433,7 @@ func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRe
 	}
 
 	// If runtime OS is not windows and protocol is not nfs, save mountInfo.json
-	if enableKataCCMount {
+	if d.enableKataCCMount && enableKataCCMount {
 		if runtime.GOOS != "windows" && protocol != nfs {
 			// Check if mountInfo.json is already present at the targetPath
 			isMountInfoPresent, err := d.directVolume.VolumeMountInfo(cifsMountPath)
@@ -539,9 +544,11 @@ func (d *Driver) NodeUnstageVolume(_ context.Context, req *csi.NodeUnstageVolume
 		}
 	}
 
-	klog.V(2).Infof("NodeUnstageVolume:remove direct volume mount info %s from %s", volumeID, stagingTargetPath)
-	if err := d.directVolume.Remove(stagingTargetPath); err != nil {
-		return nil, status.Errorf(codes.Internal, "failed to remove mount info %s: %v", stagingTargetPath, err)
+	if d.enableKataCCMount {
+		klog.V(2).Infof("NodeUnstageVolume: remove direct volume mount info %s from %s", volumeID, stagingTargetPath)
+		if err := d.directVolume.Remove(stagingTargetPath); err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to remove mount info %s: %v", stagingTargetPath, err)
+		}
 	}
 
 	klog.V(2).Infof("NodeUnstageVolume: unmount volume %s on %s successfully", volumeID, stagingTargetPath)
diff --git a/pkg/azurefile/nodeserver_test.go b/pkg/azurefile/nodeserver_test.go
index 317fe9dc7b..ab9d348cf1 100644
--- a/pkg/azurefile/nodeserver_test.go
+++ b/pkg/azurefile/nodeserver_test.go
@@ -346,7 +346,9 @@ func TestNodeUnpublishVolume(t *testing.T) {
 			desc: "[Success] Valid request",
 			req:  csi.NodeUnpublishVolumeRequest{TargetPath: targetFile, VolumeId: "vol_1"},
 			setup: func() {
-				mockDirectVolume.EXPECT().Remove(targetFile).Return(nil)
+				if runtime.GOOS != "windows" {
+					mockDirectVolume.EXPECT().Remove(targetFile).Return(nil)
+				}
 			},
 			expectedErr: testutil.TestError{},
 		},
@@ -891,7 +893,9 @@ func TestNodeUnstageVolume(t *testing.T) {
 			desc: "[Success] Valid request",
 			req:  csi.NodeUnstageVolumeRequest{StagingTargetPath: targetFile, VolumeId: "vol_1"},
 			setup: func() {
-				mockDirectVolume.EXPECT().Remove(targetFile).Return(nil)
+				if runtime.GOOS != "windows" {
+					mockDirectVolume.EXPECT().Remove(targetFile).Return(nil)
+				}
 			},
 			expectedErr: testutil.TestError{},
 		},

From 3ddde6bcef7921c269bb56af02768dd0e38e0993 Mon Sep 17 00:00:00 2001
From: andyzhangx <xiazhang@microsoft.com>
Date: Sun, 13 Oct 2024 03:38:06 +0000
Subject: [PATCH 4/6] test: fix ut and refine examples

fix

fix
---
 charts/latest/azurefile-csi-driver-v0.0.0.tgz | Bin 13685 -> 13683 bytes
 .../templates/rbac-csi-azurefile-node.yaml    |   2 +-
 deploy/example-cc/cc-deployment.yaml          |  53 -------------
 deploy/example-cc/cc-nginx-pod-azurefile.yaml |  24 ------
 .../shared-pvc-across-runtimes.yaml           |  72 ------------------
 .../kata-cc/statefulset.yaml}                 |   2 +-
 .../storageclass-azurefile-kata-cc.yaml       |  20 +++++
 deploy/rbac-csi-azurefile-node.yaml           |  14 ++--
 hack/verify-yamllint.sh                       |   2 +-
 pkg/azurefile/nodeserver_test.go              |  18 +++--
 10 files changed, 40 insertions(+), 167 deletions(-)
 delete mode 100644 deploy/example-cc/cc-deployment.yaml
 delete mode 100644 deploy/example-cc/cc-nginx-pod-azurefile.yaml
 delete mode 100644 deploy/example-cc/shared-pvc-across-runtimes.yaml
 rename deploy/{example-cc/cc-statefulset.yaml => example/kata-cc/statefulset.yaml} (95%)
 create mode 100644 deploy/example/kata-cc/storageclass-azurefile-kata-cc.yaml

diff --git a/charts/latest/azurefile-csi-driver-v0.0.0.tgz b/charts/latest/azurefile-csi-driver-v0.0.0.tgz
index aaf2ae0ae01033e25edbbf3eabba077395e3dc4d..396e7a37f189ba21afe34d3d2ed0875f90bba339 100644
GIT binary patch
delta 13674
zcmV-wHI>TsYV&H4O@EXu%e_3|*w9F7w~lRDA;~>wPP;!ZRFxz#DgreCiW1xHh<T9R
zmzyW~0++g@ip7gAmRaAo(-sSrNC1gMBJ+m?{ypX}AR&0ZAYQ=91o+m$2y@w;;&J%H
zDxO}i*W26O)&K4FdgcH2c6RoD*xr5B+j+Iy+u7;;(A$2wvwySm1M01$_8CtsB<4T#
zmaePZxNqda5%~qUAdL3WWP1ZgQTk_yB?!3@fbcnqr2cJRi3|FPgn$khm6%ZA=v*?6
zhk%Z$1U|q%pl1i?$IsK>Ps4af=my1O=p&cFZA?-Ydfi^Pw{hRS^8Gx{`9Hy73}R&p
zpn3jp@4nc3RezrUyRTlX=l@+iWQ>Q<-$3XR3pj&__0ibp-7)bw6Ko*6J{xbKY}Trx
z2yuv*Ad>NEA8lRzD7Jh-whE%8i%C38)rk5#io@`fg~Xrs(edDf$x{vjsCwxOa?06+
zC^Z1wQ414d>ngqkPC<fDRj5k6DEla@a`Ljf-R-rg@_!5j`F)=1xcMMg)pmD#XLem7
znE(YLPC2`D^`WD><daB!lB;m1yS+QRLdpU-)U){vhD1n?=V+z+*y;k0C!ZHtnAzry
zCr{8B41fdm0ZE1!1;jWSGY&|A&p`_H^Ch5IK!C1CKs7Z&he%7MP$W1E`e-C&B>G!9
zR=b341%J#JTM~;avE?&5Aj6o07qP(ela*;p(epGhFXCi^B_!>cZf)q_PvbB=H{A5m
zufJ_PK^`&-)p%-qZu%CcrpO5%!-gv2p@UdRHbx=7giyBw2LU2fGBgH>11#}|uZz6X
zCHm;g*A0Z8psOE+hoh)w9o!JWC&Y(+-)AwEYJbFh4p>4TNge}wg8rtuN&R~h*|G?m
z!UA2BFjW0%J_*o(aWrLd7oCGtEDmre0Fi<E5nW@de~bmFzd2&pw5#f4RB{%E!24>3
zcsV}PH=e-g2~xd**Z`edJ}lFAP!lE?*W+tNvP@G;+CtO>#gP~>c~Igv`F%-tH~1y?
z%YXf^8c{T2Ha2qomA<a)H$^UFad4o;HIpez(9<uCN(<^siwOJBM`|*7Vk#tP1s#U$
z`e+=<=|T2Q$~A{5Bt8~>w4=ICax7suy_iPOM`ujWxsOqRr7AmOLY{!UX8bCZIyoW&
z36N4vPM^hLp!zHz0$+v@D3Qt<i2?=!QGX^;01?mtF^b-wA19x0AT>ic@x>|QvX6HD
zb8mastszH%LpjQdDc*TZKhXDBNHyMCppzf1Ae@GnLiP$viT%+T{4*vTg6#K@4d1~8
z!ajPb{>o2MOevFC*}KUv5eo{_IAXzmr4R?fV(x=5%)1se)ygrEBKZp;KZ^TkJAeIi
z3}daBU-o+MiT#zsKVuNpk9y<EXFJJP<)!T|D?YaqP|jWX&XScoM5uM$+e_A6GLY`5
z%}NLOcB*$eN_GbWLW!JOnN;fa976CV<Mt=XLf}?#HCYc`!L*M$S`~8^Lbtfgj`d{g
zSQc2MzE;#aM>j-Bk-UJx0DRd;oqrQ{?vEgdL+G@kZ#74x=IyQ5;w@3lhF-vC>d!I0
z`AG2ulTax~Gv@cB_4V6h8WIY>urMCOTbS<qJ_zwQB1gvoP^m>F(TPA6$8WL32M6!9
z{gJ+^sO*>RRQ8LKs@+JI=YCpWPAR9Gkvc`v#&{LkXZ9;&wEmdx2^tOOLVwi<g~h!M
z2M+UN5iT6ojs7UJFX}2PF7>m7wY2oP7QgE9SF-?CmcZ6Z@Wm2JaAN>i#vC$%dIQpk
z`?<u*s<*SjyfkmLbid&&j?&iyq5n?C;|y@{H%=scpgySS^3%EM!Ho@Lsb{vH()nFq
zkglH0cDrm$|BnLr{t(nW(tpZ1PX0cR2Lp1`N1YGn=iUgyaVObgzhUQxZ{MX8rqe-B
zP^wFi@yn>6pHZgfm3Y314v+r&@y#YWKKbdxCi>g{*~#(An@x0dcJ|>+S#xUZbjsPy
z)H0!d$o}3435{<GlhO7^AWj^%tWtsK2?{Wb85JOPC#cd?Bt3Ts1AiQc(#g1ew}}qI
zSgk5Q5iUx9slNW%n4p{Jgi)}|TnMs{wkDWwh2(O}{^D8!1GQ&keH6eY!PLoyd9{fK
z5HOCFdQ<Xn3Vck2FcRH+_3BmHE6EmGNxM;YNiW@k;n>QGS(VvR>n6CpDrZ_s$rrmz
zRphX9oXfq#L~<BW`+vz#8wodRJ8>9uLWkBuAar;<q%8gU=mz{)d(AD2`I;_(k8_Rj
z&=^a9baWGOuo9TQLz#6Wl?FnECu`FQlgG65)(U*-S4D3^xQub=B@=1mn$Un<3zsU0
z1*jQ$%9*kqQop}wp)0&=LS6bIozYJZ`kyA4e+tRvC;Q`5*MF>j@DuUnLc+Sc%tV}B
z<%^~&TTjFV_b9uy6EQQ@OIA7)i|zo{)7Va9#;-z#gVeg$`w0S69v|AN^aTCNbT|)(
zzoFv+k|RL-`-cce+HzEHtQ(AbSO_wt5TG%pcnAR^mM$X3$3v+8Uf?kx2^3R_u+TsG
zW>MD_$`MecrhmUFa(sxci5%%-^VMprI6hQ@Woa2hMoaSn2VD|}Kamj3cIZ8h(w!EE
zz|(HK`wqK2n8z9alQ52S*k<eG!^P2gSKi2F>X;S(f3de+ivR7s+Sy&l|L)?sP?J9w
z)IUE)W*Jfwd}uws0Yo92LVzSQu>w1{yBix94EZDQuYYQYL@W?UNGxNqiJ}m&0K{Y3
z-$>SY86wZ4iGSnumoKP$2D)4~^?IPMUll8cnCA(rd|!8P6qObbMX5pref`=&o_DQu
z^LpkNpBeN2^9aHSxai7gaVWry`M<NfyHlF~ulBZIt>^z;JYT+S{Rf(mabGXbN)VKF
z@_MYg#eW|`AN|MH*RLBJy4cZ8glV8xZEAyQdZE{7F<tJ<7Y_w6AQVt1m8`BR+(BOU
zUi$~S24$uvX!jR`I8h}(On`F|0Qy7O_S8pvFZ4gj*tktl$IFNT4fMY?gBu4rR%aM8
zEGm92xJcP0I?{YO&Db{khVDiK_qtqGW5fxS1Ao-{v+({bI>lC)e_H?*`a}ETl>X}c
zrGq-3JBzf4jmJ!xPDbU4MoyDbW~XCFx>aN!effftSzaBgE^>ZJsF0ZY=IgSCt!LhB
z%^Eoma~!J@g!*9|G&Zh=N1u%&Mzzl^7gw*Ai!hfS8!Xll)-3fdr^T*FLd!`j28l@Q
zr+=_IH^CJDrl?gu`2+nkX0p)9U%zgQARKqaXiLjyZ9A;=cJn;h$(F|_nAb?MzvFS(
zP$I3pFxo~vL~$6V$c_QyD8*q2)G+o@hQP=PK*nYnrlD%DKsWS99Md5*euq+YhwA8>
zCY4%u-x~UMpBd}F&jT+XZCD5s*tq_0?|<&Scu~Ut?QFkzxwl^b@8T&<wsf4W4^Ynl
z&+|6&IAI(SxRF4$hogJ-qfueo8&`w|eT$4bv%a)L&>k1U=tcsJ>X$rpCg_%-b%sE-
zdc2HD7yvKm$4RgIqm7^8h<G@PIGaFFRHuE^Nf2X0B1iFM*JtB$piZ@bQyk{wg?}0^
zwzaqSvXcOR2%{Hd3_{{@)JHT9!!+<S(UGL&>s;3f1ADd|vmqkTK%$`uH`Nt0WNmMl
zp0rUc`+@aI3i;OY@*PPamSN0sSmDlu0!NISSaRZso7fkG4&xB>@@E?e37<vKN9kTH
z*g%OvrKxxb2LUnOq*G-Y0Y6YQGJj`Z0Y83B1L7;qqJ&O6j%-zGyU76u(>x|nGQ>gk
z6Ci9^>slw+KLn$vSdRLrYqpnN{q+U=C=%bA8K$%H&r%0MFBuB~QzwrDgb{`7j5i7p
zh$2vI(_o_P5-0LTaq6bi?bEXWo&Iuw2Aqx2^@#W*i>FG+Ut@uuF`nS}o_{BGxY`<l
z-!(M5YF|c#1Zu;b2O%co6XRdc+JCMKpZ;=CXugo#V6oh-Pg%pE85Gby*oH>yf9p~S
zUG)@&^ng*tEn=7d0ADKW*u=XD9Tq;%=16k~OkC7!I-pdlWoMivESk2C2_@rrj0E{z
zx7jd|`jL&ij-~-uMwlAzoPQ|f2E0jzwX~m;-^)T={(Tnb7p0*ojYNorNPPL(mZ(^$
zuJ<QZQq@k+zir9#Nj<wo!I3PTM&*)ehufk`AyGSbiQ2oeE;==CD5^|qIl@xuGcrhh
z&;wmki6Qo7jKgr6614*@jLS<Exny!wVnOdY-TX_2fQp!B-hcf)=6`@9M$AOO5&`x{
zh{+M~F8ZtG<^9L=3#EPxuMntxDB}jei-#q(LxgRAy`){Tm<CQR>&J4gsgo|72HCBK
zO1IG?)RSZkMfE4~70^TsV;TStr+GzU7fWQ2PxZ~pFWQAh98_PJ7NkHJFHbJ9Rk{@`
zpg?thSVPR32nOmR{C^RQaX*V}(f!loUtXLSen!RaE6EfQ2<zC$({$SEEfx?ZCe~I_
z(o^i@T*N5tZl)A`wsu%0wuu-|1z$2%go9VBkr9eGi-1c~j7#Or#6q;H(6*<l`F3w>
z_Jc;fTDt-Q+hax<Xv4s&VLcS((AfZCn#j9GcdHGj7-^KU&wuCyxLRv`Hl*bDl(tq0
zs?yx?l<d)V48@^|ylv_!J;qbSL2H$m=IGhOQs})hQwSZf?7YH|$izJM*?1gNBBut4
zNG@Z^xY!C{0^yb*Ll1L*L?rk!=CGw~Tg^JvCUSQiJV}GoPYb+OrlEPX0ogDD%7!#T
zWj-~ns4mH8M}OxRX<S?nM!EM(Yq`jVKy?_Q1K?&5wfUo$c^YUTwNXNn>6BDf<I6FT
zsiX_7wh#24LEDBJy%u!QF+~S>4B-J5aO(r0dRlm@W7`cuV)xe#fqGvM{{V!xBK#5N
z*q6Z7-1CK*u<7(o7wuA?T~4iraCU^_<c!a#50MmGR)4o{8AXuphr|=t9wK`ZOntZ5
z8*aUzJ46dnHHuy67AtA0bJRK~)as$l|7^J^pK{@B+^rBr=t2t}flv!N8INPBL11_w
zQ;o@JH)}_QMtxKC+dA{xRk+m3+HZ3WFB#WPq6nS3DAiin)?m$cA~jTV-E9?V*5O^#
zvua196n}^i@z|KYmtfHVHAFQ=APw~;FoDuSm+0}_=ot=bh+cvYT$Fc{=^2z{<DxXU
zV;koZ98@nn?&38HAbD!HDJ=x0_S+gk!8PqEEavTZWtdj?bgsr__Ca;v>W0W}Eo<nS
zanr-bXgIZFhfAh_61caSYRgq#Lw3o*G%rn0RexSG3Lge8kPc5zAN|^?o%x;LW_(#I
z3Y9NwHfS?6?^DMXQA--BZuA{R9i2IAf9WElYgCrQrAv*3Fp!9nP)%ZDT}fsSXBJQs
zSuE~yGbxOPd&2LdA(;S8Pz}2J5uN}V$Dt%qm{B$i7b|eD4vc1BMZj~Ih^}$5l=NPz
zuz$?Fc1;Uhtar0S!uUC|<xy=>jbb)OV_i(f5?v>~hlOB1(MxIp1!8n(zJJ?|evY06
zdtsTUoG_|KMfHh387xQ2n5S(;OsfgK6T)^7b2VtIy+Blt>Lmb0W6ZBAHk4sIY3HWd
zG-hL@IUZmVYRW^PpdCF*Nh(9Ji}Xnx2Y*d#V_V3aK9*yT=gL%JmCPvAq>56tP(l|P
z<H=#1Ry3B`E;pE`ra;cFH`aR0xmqifammN2!vs6_hvqq8RM`h=HxLW!X_=<`%uA5h
zYB1V5P@H=Yq54(C`drf>4$-sAsoKqu09&&M%lX_irCQ8hrQnu%jxJ%K1S=M%ihqj3
z#eQ0AKsLKyW@+l?uUjZ=XG60t&3o90aGPjO*V^&GK{L~81cFUOWU9JFrn}vBjIf?E
z4x)MzXQLiYO_v(iMWcZ;1=&R>A1;nuYWspAJYgh25fg%_?ScS5<_7R8Vi23iZxU%I
zr}GK9TdW;~S1sshZegE8WfkLTGk*j;Uo??sIm4gmQoA|tS&f6S>{vv{6a`a?$HYgX
z>{G6`1^HOOW=@NztJ;8s`eb}sXUa_FU|{}9VbPtWiqEQXozy=gV@~a+S1)y);u_U)
z&>Wtf9v~lwVHf?R7fPpRub~yo@~O&cUf&TR6HY}VtI2M`01}Xhqlj@eCx4_i6{;%5
zIGc=GaS%@ROgeJf2hFNM$e3PHn+l`&m=(|Xc-<1$ApF2N<1?gQmr2Au#6oET0ek|1
zeHG{f2{}o!ZP|1*m<$l6)53Nv&D$`7Fj6a}WGIf5aT>w|!kl1=XQT^V7uh^oKP&%S
zkqW>k0jSxjUD9#{)0`Jp5`P*4syJ`8EMcN0(bz+|(I{r-xWoc<G6}5>rjZ^!-7(Is
zhmsfLtZ>dfBjQ&8krGy}b%9na%9^Vo%6vcOA{mC_q)y#QA0w77Om<G0(W~2*rUrWm
zcmX%m7=%bqO_!gd*<gzn{JsH5Ou{q*OLa~Z;EBxDY@_QWQHfnTFMsVSn{Zgat5Z+N
zhC?-#)nY|buM@Rnh6zOis34L|Aa8v-mLN3SBO{$lP^H6U^YUYc^%{$Ox4E4PvvtQz
zt{Yqr8S-I<hRF)%Ot2O}3|ALApc$^kvwo>;m<nwc&)gEE+5Ifp=U9MiRcX6+Hm{To
z21b(wP{XES%Bi_pEPtId7fRQPAUBOccTH++7GcsvbuM@e9mhKBB#Op>EfhpGkWdii
zkVVs~T1DgJyCOwBR0X?nvXrDgB~#wd&H!|{<=!kvsn{n2l?Qk<&IFe|xr`a9Ma*gQ
z0P3igeZHJZ5bbTq+&plQUCf3|=YfObOeSZ}0=EHFXF%#4YJWy5Ow7D?AYCG_N5RTV
zE~cUZ8Ydq#NJEUV9vJO+GBcx$-zl+5^eoAlwCPOEeQ)$=>V-;Xs7o=;+HUIxG|kHh
zO9`Cz(f@h&=`VkH&;RS$vtN7OfByEDXP>(IAOG?Ezn=e*{PCCP&!0W}_3isN7pF(R
zk>`K>O5^dB`G4z=XTQSHZ!L*DfBs*8s<3k7<)E8t$H%y5=6!nlJ2yJ6WwPoo^K=(&
z)P7~`?i_u)Pt5-kUsm#+Sht!vaJ+^_x>17PB_#5@heEC)kaq-uTq*Q%b&$tZLLDCy
z#POSjHeQ0n2H*I^c$xBM1|$X2)0fF%QIj_}g_IG20)M4h{7kz)LHno2dF+=N?t~Br
zAIL;4d)Js#9apnCC^YU&k&YM@b~((5=az2EFtaC3MIpMGP)$uxW%6s3nm}W$r$ExS
zJfFqt2%~>9bo!`MbL3+yAydVAW?cV2Izeweh0@1n`+I+Y(?<j|T@A2w4JECIlCB6m
zx`vCkfq#qM0YLO&K|&uJ0CZWX=aQh#CE=S(12w;0NahN_m&?N}mj+bcB6RXz@QTZ#
z6IX#nTpoG2G|q5YRN)FSgtvegToxa=JR0zO!v3uo?RQ)FzDJDcTOPl+0<_*ruz5=(
z@xE1Ydq|kNRUznBgqK?$9k)CdZY9XK72(_-Ie)5cB^b8l5o^oi(^h~+TLt#)VI$3!
z!IZ7hV-FcUwgRl!N|0gqvr5cnVTnazSwz<($8W6yt+g^)ToQ@3yd*A-vRV<QYFPx;
zvUsUAI%-wusN~+R96T!bQ!_p)^Fm<Xhe$$jQqF(ZG11H<rJerMXVhS-%yq4%W(a;s
zQh(B^AJ_Q`XXh*QjRW!4vleFPm%7x2y2On9g_c_*SB@-(ep*ZV7c{3fOun%B4G+@G
zD&|XWn8Q`rRKrHlO_v|$f0~6RIRpuOtiyZBj-<|8l59ETh_iTDgw?vdpqbk_fDmMI
z+cJ^DdS+Y*1YOVpN6~KxqvpP^VtZY$9DnV8xQVuGf2Dz(2y;AE17lYQ?C^Z#U8~v$
zqO4wFx;TfEsDyC#lY0Cahuuk*xZHZ}wMSVB;}9gY>gG@4a1O$dCyhBE%4l{2L+}8Q
z7o|0Bo#4x1Cl_a7!&npxs$F<XE#q=E7In@-x~4?7Uh|-HV_&8tpoO(_25LXw(SIY>
z(FzATWdkiOl<aMsZtFyw8mECk(P%1&kHflyzl_$qJvDDv5Xo-JRIAEMRn)RFyYiC4
zP98V70cbof2apWgr5{a4wi3wnUd%c{Os|!x0K#o+Yzf_CBTR!(tBp#^IfvBMfjHLL
z@g6GNDO*^J1Cckl>YS0au7e`PCVyMH^-x~H)HCBa#*x_;mjo|aj!V_$2<cl5k|jM$
z{f#b0ARw=%ScLx>gIa=eXo|(QVorNYzsOscD>%c__SDLQv3b8&TX&7Tz8&PX5ujz@
z*P6nrFxZRiMOL{3S^2)>VeU58IPauSZ+k~^7dm{NUBjyO3AeH{SjAr8QGZzf58B>e
zA7S`LZ2E8Bif<olSw~myKe}Rc_#K2-a&DyB0E;OzE5u@1u8*-~|C$k6NqJf_xbn@V
zM<|_<_t`j7t7;+Gov}@k4#qdIHQz~i)rCW=N@nk~T}x|?<&i3<yam#T0&VXFo@Y0%
zkKV6fOI~~A{^0yLSvL|XvVZUq4UKgeVwv8a_fWTP%aZPshI9eijxNH$Q?@T5WOOK&
zNp4Uduv(nwHsJNL+dRRtTd``_q%#=k`&}DaG)H61akyn$v|LLx4-L&ZDV6!QVzRb}
zO4u)xq5^do^#UTUI<BxydeotLem(#%L^*J<j(M)bHV<%%H{+Cg;eU{NHkk~bw9zM2
z>a5wvOxzBDdIWoud#lop*)FaYYg6_#x^mhWQVyCcagMooU6H$N-fn2&Ky#2>kxR`%
zxxJI^C&m-_uuhqzHlf7md<Wgs-%thZ;#jgVmX?eQVSI3Y+(1$SM}h?4<2>%TXcc#C
zg=Ufl^*1*8jGK5);D0!^ZhUa6;Z8iV*wl$8T;ioczRB6+d<PU_74t|{vPjmaaj5z`
zQJv2d)%iV9Gi2T6|3vM5pp6?3N1NwYB=!`Q&8_7inWlKaIrh>>Tqb|$4an0l9ulgI
z%4g3FGJN1n6|JXZU{9mhk55CtE}S4FInh;c6Fg%)+nGLhFn?S#jS=IOw0}yM{38}J
z%aDe1Ucy>AEt!3{pQR*e|IgZ`-s0R+@q<!Q3w=HyDe;*Eo&3eK#i!=1!t5o_ElcW2
z@|a}(?C#YxePrWcqYTw{8`(u#cX+<ItGms6+u1b=A**&~#+ST|n=`$2Hz=Z&UWB*&
z-DyS1Y<Xc?O@CpdGt3(Eo&~d1%z3GJqQuAQ-^F7r*CUpL3^@8JIZLgre>EaDr`o^&
z^*=w65X>z2_rLyEX`O%n>wo?lGXLt||N7t73Au}C5UU&wb5DigICr+CIKnQ9>6n*<
z0aJv-XoPJJi+R-gVi{j%Wpt^_ChKTaZGKsFlIF%V8h<!l1_&K))>ZAO!JbS_Y;=7J
zIEjC2<18S90qBex0(81OW0ISd1-nR!*dJ}?54T>b6<QPVK_^O(UiDP);^T4#jw#uY
z3+W67CH>`ehq(-e1sr7Md_Ct8_}y9QKJ$+e<gr=9Z7-&nCnuq&7WraNg1dHQBp@7o
z6V=EkI)A(blSRULj&D9wchfMT6J@pYKh|4)TDk+9kS53O2uBgLw@w_C7qwUFoNdWd
zkiY%Y<1)<64yALqICJIJE!AGo*>yiX9+=8_mdlcW8H&_*hX@rCaL`~TQ3O;H4(aF`
z-DNyjxpV|r<E^w1q5t>%!^zegRzuQ^7uIP2^nZ~%7z34?T7Q^~Mmlrgxq8zbV@d`f
zWY^XKT>QH8Tb((egcok`I0|7i3B;u)STcu*Fx`<-)C$kBp|U-IB9<f#zt+uF%cHUr
zvGw4E<O=$zqaENGn_rale|25>p`K?ZOJGM8>KNuy_h^10$(S_G15SoRaNqra>^4c~
zcYk`WR60>Ba*hPG$$HWyy2A9YJHOR(T<kBkj>8SwF<W#ZR4+ZZGg3^c#5bxYUs)S<
zJ*yMF>DfF{hJZ3oAPl`^?|+S_suz-hv*}zhmyObzruh4C_@Qq&Qvx-lNsg-lQM%70
z{AxBWka3G9F%o}-=`hVVIEZD;VX+hqRew)$@;E%kWyNuCKG&9wqwVq(KFvqk8XMP?
z`;$$8PY7IZT{C_~=+IN5>Dg3CTYCN3dZPcca9i{O*0w=~)$TT1rRot|3pFYUEwo?9
zo}MQ#rP8-0%P7^cHIs=5G{ymBsdH{wlvRi7v~d2^vzQ$Z(?I>(q$>5N3-w@3T7OO7
zkH?31Bj7PvXs*_7dFzt+)u6<X3n_-`(*Ai>v)mEdxu+|E>y5wf{C?1b^W(fD-^Fgl
zwZFb2bgtZKsbi$Z{awtWR`ij8&BBz1?=v?D`bf!*b8VwcfX{T2MMV*)&jOQF6jMZ~
z+}rJ<4^)4@nIOi-%5eJcz<rJBUw{5A{(SP^w(E-X&+tqOwF;ul@$LV7)$@AWUT@n$
zvDfSC|BpUi9Morr)4bNGw><1Dd+zPR(|iszyG_+8)xNcSXf-SR`sU3?l{*bT?0Yv$
zi;`mrTHn3-9p1g!Ha%M-0NT|e3yEGZBb(EqH@8Gr(xlB4lzWip`I%g)G=DFZ@2xgs
zx>N=@m%DuVoN!J{v2B*PX6wo3F6^V;T!z)Gcz#nXpVSBOb2`J-lQYpJi*;lD93QF0
z-NZ%JIGG5V9dk+CH@;G3unjo~F-OpAePQVOM9kbLVpez(=374jvp)H9rzc<5Cte=%
ziI;U|mRriqVnt@D+$@I1%73!6%y}y58#;@$&WK{3b=rt;`%KZde2VCvOwM)soR%kh
zmOjU`f>S#yIioYjiJV3|?hzlrS^Bum@`r04_)(hG9h`Z*$7Gf|5VOqDmv8fs%aX@g
z9`en#i=Jax^{IuW&nP^W6A5>4{$Tmj2CF<<u<S{KRh=7HpAsma5`S3gJitnj|I1<g
zmqqh0joV)dLVp=7{xYchW$^WDB>mitTO;Y$NcuHqevO%5W9A>;{ok`)WZ&%_;KiWg
zGN|>XG3v`A(!Wvs`J+RduW#ReoCxw;y?c93bol!I?T2*#_DV3^%ObW{g3n&xqy5d^
zqy3E{q?g7+FN=PD7=Kvj2YUVYmoFXy8X)iM*Nq?6PxFI+k2wrT2%ay9XEf55gmI)n
zTwChLT#@uzj_wqX!?tzwdcEG>?ymlCuh%R6cjv|K&dVRRcVG2(UhVdFc6vYbc3y06
z_kKXV+ikjeVj(gAp|^Bh<;Hy@kC|$R5QS_y1}aNeyF_AZvVUE;tHnTFzkEU6Ukqk1
zCluPb{`Kod-W#clo<Rs$KsWO{>QW)TgwW1;97VIqBBUlap?(+#fI6vUb`7Nt>Y_go
zB{Wd`&t3J6DzBGr2VL`#DW$)Z?C*FSqCZfXf>I|lh~@6EF}xNowP{&F0)^ucg~Z3A
zu1AvhrX~R)_<u6l?vAnaNAGeyTia>LckdjXx0iHy%aIY1V+lhGi8D)v`<tZX#Wb?t
zChErWpA$CqgoUQeB>_KXjc6@kX%&OC<Tc}0A;ZD3B1+`6YtWa+hXwMAleB1;*s@!(
zfIjL-wE-y5Zy{0<3*O~L)Jjh`lb;{w5YUJP`(+u`jDMHpbapMM1lk-iAx}W6w%7G=
zu1Hq1vLlEO`@Y_RpOh6#@pX<`MuD;b&I{77&4+^Pnu$IN35{<WdnZq+b$8duOMarp
z^aFj5g#?}}uPXC63!!*Z)z(-SOf8?BsI;%_!2Eq0VhSy)Od=4GD&JUh#0ld>PBWB?
zHFiDU+<))n`JBkyeL({JSbxB%gd3TSj{sloDo;66GdFLb8@+KBQ%S~fXbvAV4x3~l
z@Uleberzexjf#Ds?<||<W{mx1j_FbvHZsOTIE};b9DEKk$9?%tp_aO@i<MWjjQJsp
zap!G)v!E+OF9YuJ4a@Ebi&LdwZ%}8eQ>?!03x9H&eWBJQCWvHwnx7iBJ$=;4&201i
zB^Gc75kp_UR^Bzy?$0VM@eqCe+A(7g3TVmC>gp_N2ZS&migMVh<4s=gbSgh;GaLtj
z+S$GS)3g1<!?UCF^XHC&A>aVGr*#%#basjC+TGW6HkpHnnu#oyueW!4J>hr{H<Dw|
zpnt}^WbJ-kT<_AtO80m;BHlkE@%m-2sl;W>g?zo;a}^o@mN5r!sP-tYe`b{N(_hZO
z4>1{=FkpoNpp)_l*fU+Ghs&@tHPn5i_CM<Xx`O#vWf@ZQ&z=K7v&17x%N8YLVlzs|
zR8}NptbR2I)D#aT4h{E;FOXh9@=lQaRez9Qyt3{nn31+%iQSwDwY^hhxK^pF$Hx)A
zBq4F0oZu`f|K_3ncki64D4z+dQ5B^T)3n>qvrkv0ljf+T-}<w;wbbo%(N1r*)lhe%
zph{YFwe!4bdNxcz_0-Sa#inO&(C&YFauDSA)>guqDZO$F!AaM-QYR%Bw+xo7Yk##f
z%V{~>#dLe>nVY#iGci0uV*#EHroPs$-=~!ia`uC$zAdigXW+95a05L)x{0v9RQM-M
z!kB|z(x2Y%lAet1BFp(5>kG^3{pyO4On`zAYHM)`ZPZ2b#i{yWwHl*=baf&Z3oocQ
zR#jsg?NQu0)JeH1sYfH7nJ+{#Fn{pRS-u-J2aCKIiX$l_FFB$7I%GZ$)n|RTH>lXu
z5#UgcP8pZ!#<|kPwiaE|ix`)$7o=S7N<(<^dS@<GP^{*mYl8x}_p1<6e{CCGkU4i(
zst0PwR%c{ZaKZV%Y)$Q~25(X~8QAb0Odxb`?9<u$r)LM}$DfZ*4o^QEpMPAqTn%H8
zocJQuF1@b)e>Jn)mbTNbW{>YPIv~Ru#<K!$0wzqUBq~q9o{qK7e3xq_WU<Cs56I9H
z+H>ZWiR8G@#Se68<7PXVn{sAdwItu*h%s4WyjTGD@DQkUwB3~XD1h&)5^h2n1y96-
z0l9GyiW3s&x`dk$4nubB!GAcC(?So_G*}luQl$^Frk5ydAWT`rQ@^DWsk#V5QR<w|
z5?iG7F5*lwpM`yNad4WbB?^nJgsoU@TBKZjn-agz<h!CT3KbQ5bzqF@ixCGgVqwrn
zFAMM0g8l|%S*u58NlG|c%5E@$qdrQlg>qdBc43_bkx<Mt@3035C4Z9O@DM^gJvXrB
zK6+7vAX(EXeZ5_L9RVjSaDQCCYx(~_o*jKYI6FE#I=MLBfA{&P<9A1{J<Ly>IkG93
zsrMd7Z(-^@ChG{@>t*MFgN{|=@Fx<&K|-e5d+ND@X<rM0;~k64(bQa0sd5|h3yphw
z7E^N5-`c9TU#k<;s(&nfaOIS<n<?sasx#9t@bksR>G|i=vk(8@-`(|BRbh^9iD-=g
zHFDU7!TI@{hrOb_z4`F@{P6APcOTw-es}cC(Yv;_YSDSa&JW+d%dCvKZ0OA9xl`wO
z`D4zQ-0I@reHKlfRLrXxR6zQ<6H{9?gklb!U%p$aszY_Ox_=uGAvr^x0R)WWT7eOw
zoC~$gmk{BW57kt@9B}Y~hSP@mDn#f-SLNO<R}fv1EgyT5$3kxDc#vPc(Y>KIr=Tvd
z&q*cfKK3|9SRIj7rxa?V>5y=n`L+0kQ{rZP;Sepgq*hO<N3#XiMBxv0vH`}YAGkqN
zZ{){oPKk9(>wioRtD;*knKOya5YwC#-Zv=k4xhR3pH}zJgZ=zrCjPUx-Fxw>g#X;x
z*?zIcf8NF8d0qkXS;?ZgVGyDR=f^fdZzCAAxCbvmJm<x3mau7xgfEC;quJe(cu`R9
zIKVu?)a3gF<%Xri{^%^dT)Jk1TPS5(5V7Ex4%i2(&3~A5@iVK%J2C)&>WBJD=`_jr
zsTvEBUIFW&qi6(U;2Kyp5N|k(BZpOGLn+-t2@9}fS3u8fj>x1M90vrbuU3zU^tZP5
zRqyQ|UZ}E1HztF`_oNBG&u1?EuR(;@ga+(dcxt_kIP*b>87o4w{@>o+-P<nd|Cg_}
zch~y=E`J_t%V8R1aAz~XU7+|fgzE3HfS;AEWyby>1r;h?V~-PH7&Cef3!ElMDhb5N
z3J(*wsIK5FK|*%<g9Hhsm7XFn>3`1)$b7X_5jy;+UnQpU7~g!Pc!Ei&M!e8-YRY$u
z@00GUfc$mYD!hN@@q~7xwahVw`A!(L<!Ao02!FNXz5=L!j?^vT{O7~#D`{wCbVb;0
z^IhAM0Jidau9i3mkjI7B&F>tTe6Aw~imiPY?%ctCQZA#q-9s&K{CasWf%qQ)Y<*Sd
z2$Gk!t3E`zeMQcNV3xItn~KMDUwjn6O_y~}F3|qRi=RK79bf$Y)2H*lpI;okPa;``
z1Aj3&I%-r78bJ8!{kIqx&uqfz?qcNCO3N<9**@qx&$G>OQ;D@l>>9WjK^S)7#sP5m
zD?gpUwRbFGjP(ENMKN`(A@3B+5jyC9`ZU4()2EPJe)^<TRtWObr%3047N0)VZm&Om
zLf%h|`vpdB&B57pdPHju!<@%qNR$!K3Sk|pJ~SKpv*feY%Jj?%s)FYFWI+JPZPZ?t
z@;X^nTQ}#plts4&RZ;|_&Vq<ou}y2y0MiJ|(d$1wJ3Kr7<>>75+0mQN=N}H<em>p5
z_}N9nNW7E8>AR0_j!!g+!{alP+bS`C?Z>|!eLnecc=Y*X|NR`1Y@L3kCWM`(-qn_=
zo-Mg6x=<^v@0wzDD?xJ@DiMq<2IZi=M%+C%!=g^*rj*PKX{l%n@IAeUUKwytQ6s_Y
zKRqkX#X1FEg>U6G-#sDnbdTHy7O$T0qeJ28rnbS~r6PteL-2+mlan4oVkusKJHid7
z=o^qWVZ18WNHp(1_N)WB?!0IV;Hhy?)k01m3EV2_HAk6M!me(`=2;`QR)pBP4TCE0
zpr35tmc_Ly>*}5mK94w~*uwF@IZz-o@_+4Y_jbzpzh1o9UdR9L;%O28dq$aT9Rz&7
zjsmWufa@sWItsXs0zRTB;A%sEa1S7+*c8kt9a_(t)bc#SLH|?Ti3IE64oIuu$oee&
zf@k69j$V`x#5;=AoIN-Gy86>-cM+*L=xblU)8W6Wv+VQk)E>~8^L23Y{(_SaCbp<2
zT{*97VWV@Fqi&?O?O9s5DPLe;6CyC&Y&Aw^9Um;v15PSq7QkyasnSY+S91z>ulW@0
zi=JBuZdb!Sq@e1f2zky<Taw67W8RXEvy;nHvtk$3(sP(q$>#-Go<$^Ic!>pW9q9e;
zQmd?Ev+LOGBaO`(MhOiGO_Tdw!PGNXNt^pUla%&u=8yHarlPkn-Pa%fjmS}wHQ!zF
z@)6!SQ^w5NusQebZ8ETbWWV2f+LhAFLRORfn{_Ia2NYXxwqe&n@<$#de>jO(9*^B`
z(_ZL#-blc`TeEi_+)TZJ@FEg{R~g(KnNOd(pH!hwxz9)l)@xq+vRZ{0UoKRK`mXfJ
z6C_6<Kr1hSFo*O~I30ru(13A$ZzGmO?<@3mv@m_j&846vVvL4=)8tA*9j+PS<eEA4
z(<MlZCiW6_d(+^-`7zS$weD9%Wr@zMe%{!_^Vep&x%}NXf=@C3uFXI*L(ZELr?eLO
zwgNwAWhLofndGlX>gSR8WxBaYYcA1WsKed$HMm)tYH0;3%nlP2t<z#Eq6$my6=`v9
z=BnJedM(`(4bI1ZChjU(nr1ALO?*~X%yLgWVnEz?_RNj{n>+i{O#I*W%e`I+|F^yO
za((~jojj$Gm`UVjk$<Z|^4ZLAE5-3uX|4dpXNWG3;WKpB2)>$ex<CA$o14Y&6D<dm
z@A8sR)0P#$1ye$IaW!bphZa!b@K4wwO5WvDKrDheG~X_Nc}J+>>2~mdR#)5>8Zcx1
zAz}e*dSj({&_|9mY?JwTjWc|pckYx6w75cNuGrP>-D}hA6*JR#UL@cetk=xheS!7r
zE~Kp#TMnX@2y4T3<N@IG9EBeYHg8r~_vM_}yoD~&TLg<&vHvoc*p_vPZPmKO7Q4xB
zwP?5nF7aA_1iH4h5OA%mjpu=_t&wHlDY7h^hihEf_l7I8;4iIsydh_CRF5qCCDV;M
z=lC50)(n3U@G%iW?F*~&YjkH;;?W`Biv4?qCH8#Z^h||QQ|K+0_~1YfSc%r^F>5m}
z_nM7pTXf^IM!l^s@LD6?)=0NDSBy1+aUxD8B!nS<1dbW8+@X!Tx!kO2YvtT%a2DaA
z-eC06UrC_j{aPhBS<v5TqxAM}M=KHvVB-8ZfC=%T!o~V(wPp=B(?Vz%3LeufV{)Vp
z?kzFG9D*$)H`bUcca6pEs4pAJEpR1Vd8a!Ii|2sLwZ!hs@1`i)9y5SD4KsXk78l~6
zW`Zw&-BBsnYcaNJeJ0I}Ep_KzgPNLAYguR2p~@O`*`vR3uhh`?ddX|0PZ~LGt;puT
zBrz9tf2e4=7Wl8^sx&Wm)!AGiuo?INz1-V<QNI80)!zF4zdLzKGcLUrFG>F9Wgsw!
zLN*-(T>u4^l1=_`kcpBiydq#&t7=w&6>F-0XL$r!6ZMti$~Z(J@v&&#hsg&E;=x)D
z&oU4(eLx_+@)2bk3tcn%RH92jW6ZB0Kv-zIIXwd~*+vIvhvra0oPp#tO+wL=m%ZHr
zZ7)xogdu_(A`u=);0SXT(*V8dzEm4bMgyU0AyO0bv0`LEXi%tEFeFDrnC&nUBNm5$
zfns;4mlclW2vhYxipZGIGsSy8x`&Wx1rR)s`4IZ3m;F+J44OTE1rpdabXBC_azMS-
zVzPqFdrft%0A4qP{Da8QS7mKc?3^{LYSCnV7z+vf&H!aOdu2tavZgBXFg`nyE^OX6
z4q2OTo;Jpd>#yJ~E;*|RBF|q}f8MWu=MFdDHBYSr(>snJQwTT!?rB{>7_Cd#Un*7#
z!n#blPHP8Gvt?qxY&dw?<S%a3n+rLSA9%*`8T&teiG8nl2x$IY;H>+9ceZy+`@h}Z
z_B#Lfojj%GMvZsZ*CuCf>vv!l?lTrbVeh9)<5-RuC%@~3G<R=&<AzXwX`Q2g9^6Ra
z6o+2K*@P(4z&*~i@x9Fb@jMRAobwQlh(;)gKKixO`E8@5ZGP=U>80z|+hYq&fM4nY
zLy(<K)Cq~u|Gie*9rX{>S?XU=@>2jINYDfpsM!xO8Mm(9oDFi-RlLdHRkJPOD?_bi
zgIl%<CP3u^U1(dAcIHCO@&!?UcI!$Tv=qT?;hM?26+ZhxV~wk<Na^%hBj%{jXN(7g
z=4ZaEF1_g2(N3ix=|($y3er%XWWQ~Ap0`oePJbmdAar;eO3EIQPxaHKt!g<HCF09}
zfG@3<GVM7p?9VjWs_k9e!}*oHTN`JZQn3~XP}TFxDD6Z@8ajWYW(044b$!87Vt@1v
zEiU!iedS6@V|Ci<Rze4Cadp^IIhoNK&$E)OWc{erz9l4<@hX}4-V|p#@zz?iMio6&
zm6=!w^6s^!+lXAwdUTq>#y94gW-GO^mNT<gZrf%3Hd~Qps-<49F3VqymR)PpiZ;#9
z$+beQS5&Qa>fNeT4ubrD{_Po|^QzS){2EKuu(%$%t3~LZ_0?Ugs};)oBhXW&-nbtf
zrG}+;$kNV9PSV}6qH3_mGMWCZrdL)V%ky>4_p$&lBr<KJ`^%RkG<n~#kni!CKmIp=
z62KYw&lkOyugdt(moN9$@xQxxX2k#Qbmh@GHy+%Yb5AQxzB3+w)Ebk|u68G@i$g5h
ztSf5J+MOp@d7yh{Yp$@wzJKRCKo+$1a_OF`-<oiPyldgoy1gw&+fH6jo|3q=pFA1t
zac!bK(x<Kcx6C1+8TQ}qtKQ3!{r6&TZ*BkG$zxYYOoRF}Kz9NTs}Ztq!%Mn`dacw!
zx{k5kZH#U86|NM2v9T}{twRB~YNWcf+JiDm>rVi!)I@F2?)T>fcQIuSF{Ec0ZgB;=
z$4Jnfi+rh9*E66=*zU}6KEwXE{e(?FEqD@ShW)?Yd$m)t|M#}HU#{){yLigy|4Z?t
z%-Anw26Ile<{SXcp{n^$|1WZkf1V3F+FjOBIIi3DnIZ3ek)U`FSQ8hsIF>+h8;(u6
znN{b>IntLr@JuG_XOU+a{oghcI8*=cRnGtI?XB<sx|8SL^nd0FUu*ug=3hVe^vtjS
z=Z^%;(Eq*N7iInb^3~p}wf?`0XCD9m-7OAv`|-P3D%N^#{j8t$^F2KOHvj<t|Ln}x
I;{fUb06-z#PXGV_

delta 13676
zcmV-yHIvHoYV~T6O@GwI@+?m{HZ+pjqhq(MkmQ~-r`?|ys!Ea=6@eN6MTzZp#5~CE
z%gvK~flJ*{#o|R5%dGF)X^VwQB!EOBk@-Uc{}yu?kPtjy5HH|l0(|Rmgt_ca@i_cp
z6;H3%>+SFD>Hqe6z4Cv1J3IS7Z1279?d<Qp+J61&hu-$9oqyfeKcL=9YM=4MLSp_y
zZ|S<qjr&F(9Fd=a3&Ln0O}0016s3QLSb~rn0SKRyNb27Xl(?WDNeJkWQHco!jxHqQ
zcnIi(O5g+R1A1|Iaq=?#{Va@!gl<qghCXr$+{Pqjq1Wwodm9hkE8oxKoc|LX#voRv
z0Gj9j_TKLP>woh6f3@9P&;R>)$QTcyzk$#d7H|#`>!Y#HyJO;WCfGoBeKy`e*{oGX
z5#kUrK_uhTKH9qev)J+l*(!*VE++9XRU_)}C=SCj77~BjM<;_*CeJtspz5VB$Qfr7
zqSOFzM=eZ<t?T#-I0XqpRiP^NqU@ur%E_zlcDL7}%71eZ<hOaM<K}~0RomU|o!NDT
zWC9d~IOFWf)rXGil20P_Nv^`3?)Kj73MmWVNYCbT7!n~lo}-oOW2*~1o_t<pVP=~*
zo;^e7FaQqJ2P7F{6cFQR%s3zcJ_jk(&sTtA0Rg%h0oBw99U?82LXqGw=%bO8k?3#b
zSnU$F6@M^aY)LGx#g@<LfDB^}Uc>^=PgbTaMbFd3yoi$tmXNe(y0xKyKa0cg!f?|^
zzx=xK40*^bRO6}bx#>HYnj)uo3>&J5hYn*Q*%*cR3PRlu90Z6^$<P=i4zR=<zAo}!
zm*}G}UpEkXhOYlCJRC(e>)?g}J|R9F_&$rNRDUDpbHEb%Nb(raGxRsrP3qs9$d*Oe
z6c*@)grVwB^GSdPjH4-wyXXR>VsU^&0f-FLkLU(d{bMXZ{ml`(p<PuUqmr{Q1m0IO
z#LMxSzVQS`&yea3#0KcX@?n{_gPJhGxE^0Cl4Y7&(iWm7D2~L4$-@%A$?r?DyTPxp
zUw`g@)rg`Iv$2uuuk>|YzbSGdi-SWgu9-|(f}Vb9R9aA9T141~K2npx6H_5UE9fv}
zH^<{hP7kwhQm#2fA@Q;3qaD?Cl4A+O>E$$nK00T5&V7smELGVN6Y><~4dd6T)X5PM
zNPv`Ta{4R|1J!2%5%?;EK#5e=NE9#-h<`GP0*HVHh*9*@#Yyt{22wMG6JMM$F8gTb
zKliuy+!}HOIFzHTnBtws^aK3~3#rCi3v}|M6@;@8Q^;OnDX~8~hkwR|Ly-L*vf+D}
zK-fpG)L;2YiYa9hD|<KjC1OEg8b>TRs1)KLSj>G8hI!Y5rdl~BQY3#N<VSHIZGWeK
zj$y17^Q&I(Ct`o)@Xr`T^`qXn^4U)ERe5Q<&x$YX1e9}EzO!WI4iRcy_x6%?mkgwP
zYO~S-zMblwj*{KMfKVc*Rwk8ty?_vW$+-PVvJkixTus(P*D&p)j#kB-h0rZ7vtvEk
zI+g_%sjn5a&hae~QY0^6FaTfnQGe%@UHBsi;t)Em=v&PZsd;<nwRlTZv!NHTnfh~#
zZ$DBz!6a15(Tw@SXnp<mgocE|&n%3`@D8R2z7InDjmXhS090yGNpvDm#qm2V@!{c5
z+WtsiRaEw?b}D<fq-r;k<+-2Mms85=W~5G$v@u>q_L=?47_EO!_XLfGbAO@g!@}a;
zh69KBu?QCq>qdW+*%x&c6_@&1!dhDTT#H|I`Kws~D@$N&CAhnU65JR7mNAD+px%Ns
z;(j5qvg++@FfYv;E!}T9i=*`QK<K}d@i+$@{EZU{AE*y%y8L*ddT?XISn8Rrr*wYT
z7o@8vv)wKm)BmFYelP?zkAJjsj+4JH;=zF2_EG1<#f3M5aNJ3@*l*dz(YyEQgz0q9
zGnDEQWc)Jf=NFWzc_m(MqNC%#e0;l!PELRPu!;V5aDIAn`gRi?pPzp?SJs@`I-PNL
zJGD%xAF{tULPF!)!eq4l5r|WVEvr-@dWHfFV@3r?-3h8R6-mz>!G8e9p>#5C-)*A9
zFjlL|kA#cTU#hSFYD~~gbjm2$WiABSM_Uujw?cBYWq)xkfq~kyu|5jmieTzw!@Sx=
z0|*$$O1&w0I0HT=LKuney?*^V?UiH;t)$&3yQG)yz;JA3#jMI~sdW?FU6nH}rR0mf
zr7CjRInL$YVInz<sDFdxr;UUgwVgPMIiW*qArLw|8B&)1e0&Rjti9%z#e7Ydz{k19
zcxa5JKRUjRI9Lfx-=WO9kxB!h!jrY>l*toXdTRx~^sAybAza2d^pc6RaYJapZiGt}
z!~)ceJmXB+4yoT?w9pma4WTZ5k<RGnhy70z%s++X>XZHPxqoX`Kl+LIY9V3WTV^88
zu5!1j%GMKc!9B`e?L^E>^^%p&#G*TZ^)$BAnDOh7;UKl{^?rf?l_y7bDm_ELFdfdr
z;jidqfaD0!!NC#2k+vMw8|wz+9u|TODFkSYDIP+Ah^32&@$nF<zZZB6NCL%FA}sVz
zzFE|Dg>nQGsekEjikuvw8zM)#*nG9xDo&1+U|CwmkkQh7$U&FH;g2K)vmN>gN9j(B
zL*Qw*-9v|69?j#7|4A4}I&8Cb`r-2UqAPFZGIh*~|L^W^m*Ri>ulKgs@xS|cF4g4E
z1@$jZkXeS*1Rq+DZvauqrVt>>Osv4p?e50LB}4uQ{D12jA`uG&5)#W;Y@#RxECBJC
z_BWC>UWUl?XyV^^^W_Wbo`WveO}!rI>sQ5!A?A6)D&IF997UxCL{X{`L0`Xikmubf
z-MpUp#b?I+|2%>)0xr5TS{w>6WB%{#?d_E2|LgtTz4iRRkLSymt^Yt1GVbf;SqXx&
zPTq`Fw}1E}=%fGG`ucTaLl--~jW7-Ls!eS$O)vBsEvCzT`Qo7f2806Yq>|NDg*(X0
z-fRCr*PzVw1nvH85GShShY4^_0zkhj+n)Mpe^>vLjE&m_b-aui&_MrNGq`c6V|9ih
z!=mEXf{T=0q9e^$(~NDiZ|H6`aIec{HAb9JIe$Q%KML=UqEl>z`L_j7q2IMHPU)}C
zpE{`XxwA-%*m%s8>10%%Xyi00Wp+A-q+3Py(U&hMndQ}?>LTZtgbInNZ@w;T*m~y8
z)~u29FvqbfL8u?bL1W`;c=XvgVpRLwa&h%)xd?OVvB6>;Va-zSYFg}yB($8gVvvZ$
zL4OLXa}!MQZ;D#wli$%lV<roo{PpX`2*Pn!jJC9V*0#e+Z#U1Aooso0f_aT3`#T<o
z4JFdr3!`n+LllQ$itHFLj#3<kKn-IbWeAL%0Ay^IVH&FT3Uot%#4#O0<98@Ucc_l8
zX;P_m53Ql^_L;H%`#kXS(T0UEfsO0`_J7{~?rsVHx3j(bdUw74-^Wv$Z0R^#AE2HA
zp66}kal$wva4Ugo4@dX<&qjr9Z(I`^^er;#-1^dvKzm#WqZ<h@s$cTZnV?&S))@lT
z>hUTjVF0|KA1A%;pKbgMN5sQX#MuObqB`xPPJ$R45;=;mx;`7119hqeoZ>JaFMrf{
zv9106SDgg-Lm0gzV-OOLqduZ>7^Z=riH;;CU+20`7}&Gzm<<tu1`-WTxT&s~A!~cX
z^rVeq*$=EwQpk6Xm+wgeu?%C5!wPpM6gXns#F7(7+{C^hbQp)2mp|J;Ncb#*K1%mu
z!3IhUDow>hI0%UGCY>qM2>79*k$*Y+3i$C88W3M;7A17rab&Af+f5EQnC3Bok|7SN
zp8#RYTGu+k{vjAW!*bL|U9-LH>aQ=^N0Io}%rKpof0jBBdc{}>m^yhJAdD#7WV}&;
zKoo&un+6kQmpG9(ic>e8Zl9h7=<Mf1G~jHEZbrl(Sv*xj{ss&5g7E~u_kS{}!`0RZ
z{H~$dRr@j`Bv2dfJPa`zpBn#q*8U4!`0VGyLi2^>28-oxeaadR&7gqx!8SBn|67+z
z=&GkEq=$?uZV|is2l!H1$0puQ=&<m4Hb<H}VB(@)(*dPYEj!~pVbQd8Oeh)0V<gCL
zy3K}x)Q@cBbu<mQGQ!kw=YK>YH{eY&tfl>e{8kp?^6#@azbp++X(U1{MB>ZOwnW83
zb-h2SlB#xk{%uQ^PwUw&3XWvyG%A-&JKPpk3W?geOVr+#b<vq|Ls4Z?%Mq4JpOHc8
zgC6LTN(`|tV;qLll&BqOVO(CS$Q6^L5(|3I>E>TD1XRR4^Zx7aF@FaXF=8eHmI$yv
zLQIZ;chO%gFF$>}xK!%L@Ct$2hca#eym(krJ4D#_*Gt+Ji)rBGvVJV*nmXySX^`D&
zsB{}WLOn^wP*i^sUjt3VFs1?UaGF;ncCkbT`BdMm{GwfG#9{S?X+a8v@$%#nTcumE
z0t!?QhBd^jiC~~E!havZ827Wt7CksS`FZ!E@G~lQUrDBjKv>5{o~P4RZ?S+VF|oFa
zlAdBG=ORXFcQd8nv$ex2u}#EyD)^GAA{@M0jf_ylSp-~?Vq7X`CKjSqg|<Cc&9{47
zvmZ3-)!G#h*d8;=KpO^D4eOyOht38F(?s4ix?62H#Ym%+eSbzLz|~sgvmqtFrL?t5
zP?hG6r(}<|V<-+y<ZV+==`o%n4qB_kG)K=KmO?)%GlkFr%g!qdiA>C6pN+>cC30$z
zh~z4kjEk)RCJ=53GW0O_M?``zV-8!&w$-dtZ6bHa!Lu|t{k*_yWg41C8;}hnplnDZ
zROVCDit3Vlet&#%na0KSV3d2mw3dr(2vmm=Isk44QJX({nWupkQX3^CnNCS%HNF}X
znM%6QYWq;{8MJMv(Q82$olta$#}FQ30e3zCs;7mgI=0;qBzAw@5UBSB@ee>~E5aXP
zj(rJS%{^b337byebkQ#L+11o)2xmt)PR{s@`VdL6Wq)<+mQe)hen>oX?IE%!!PIw)
zz2Vjix<j-ORioI2Zn2W4I!CQ@LaiR!{Lhw)@+lY2#@z~0gf6wv5eT)Qlkqr~8U%(1
zGS!%jcC&U=Xw)}FzpXRBU4=`nto=6E@RD)uB#O|Pi&CwHZ4K6JCsIQ-*WFf;W*y!&
zJ*##!N`HX}5s!`Odj%E^P(xH>1kzAn0uv}Lbcr6%jh^A4hUgXOz(sjCnVvyOHZDqo
zJGOBy!9n%H<1SvK0FtM6o6<s1YQL=!6kOAu!eZWjSB7bIPv>e}W*<}su5O6z*0P4K
z88<y_jD}M?cDQ5;D1m#IskU6@HDs3@O!Lz8RDb0qqwrzi0_pJd^wBS!+L_<^b;g&q
zqEPv=W`j0E^FDWM5w)a|>PFvD)X|x<_LnX)x<+L=T)EUp2m^^I3DqPf)|F)TaApBD
zk;URJH<Q9xxF`Gp8j=an1l6FcAK?k0aU4n#g&AeTaIpgS>cD9BRRlbTiRc;^OG)pg
z3V+MYYuB{E#d<eOB#fUUTOQRG)hK3jG}gsrEYVHUdsqnO6TPGsP#{Kk=KHtZ=;!EJ
zuosqj$_b--R8*hnlfiPNjCtBt#I%~wJ0WZbF;|1O+6zSWs9ph3G{*e8VnZ3WlXh;J
zO=C7jn&SZ`p{6_p3fj@5l%z5gyGWnJaevUXHnxS#>0>$ec&<zpR>_P)O{yqW3ng@+
zF`gX8X+>k1?Q(;8Y6|4+dSk7}oU64$8JB#VI!v%*e`uaVMwNY_b_21no|b94&%6S8
zqXwg`1I4-b5UO8Atj{$K;t;*KnyTFl39vPLu$<3LQ>w-6RSIsIm*@%xO0Z&Ks(+|B
zT<oW{24u7QWtOIH{<?+2b~ZHY(!7U_2)Bvmbgi8X95genMj+TkM5d}+WV+j3#|Y~w
z;~=UhaW?AV)O4wFT{IdvQ;=PB`r-1}rM52_!V^XU6fq%)+Aaw2V{QPiA_lRE{3elh
zayp-oyT#f;c-4ZA<`(ujR8}#bHh)9F^F<SBmNWc`F14HUp4B)Q%Z^2KLQycKcuagG
z%0A_4Tab?hZ059hx~dIGs87bHb*9Wz4hH6*6c*h{s`#uL*Gc^|GUn87di7G*DXvi+
z2hHL6*&*_A7<SQ*dZBcB_8MBTET5{J=Jh=hGT~G-vYPA`3?KoCIEolobALi=Q=zI-
zjI+t86$jx|&!i)#ebB5LgpBDmwW%<Qk6H1IkJl}64Z;tcGd@G=b(uumLoAdg5Wpu8
z*jIr*kdTuk+m=m7gUJA4IxTF+(!32L2qU#pN`~S{8K)skAj}D-ctN_*b&<`Z^|SIX
z6{!Gx5`dbW+9fSVFwJ>kC4ZqYpo;TW%MvD95{*5S8;xRSjw>ucCzH_HU>fPs(;eg7
zdMJ4@&I;$;Ga`Ns5Gi5hS{G==qO7?ZqRjVWE|Os=PU_U1^f6-T!er-^8NIq~X=<>C
zfERE>jX{X?)O7hNnhmyS!S5S@#3W23uvF(n0iMWQ%{IDD5|!Ac^MBH=vI&RvyE^rR
zY&cX?SuIv1^*T{IW|&YUfC?hX1oGCWV+lgDJu=d{1XVgrHZMPBSZ}b%cbnU(Fk5%b
z<hsH2kRcytXqc>E&ID@##Bg<?1DfGlJnNUrhN;kI@ysnjn%&QmeU1gVR+YAEXY)$g
zU|=*^05xnHrkt9q#edQ{bD?yt2y)XHbT_2NW)UV$ROgb%&~dD@PNHZG*g`>60|^CD
z4p}s<s#P>jzAIAHLshUFCre4{Q!?fK><mDMTkg$*l!|>aP<eny<4kbblgpTqTEv_-
z51@`}+2^aN1kv7x%*_J_*~M(gbRIY;&SY}tEN~k@bq1u)p?_wi!o<vL2ht_-dK9d@
z<YFospmF*^gEYh#>w(dJCo?n3_?;4~M9-3(Nt@2p-1kP0re3IIhPo8ftnIdLK-0X8
zu#~`QAN`*fpZ@f__wv79y!fT({pYWLdhw~N|M4F$|Lf)N$sd1u`SQh!U*7%n_VVob
zSMu`rUuZnOHh+Kp{^A!n{<S5MmoNY84;5B!y&QB??f4k?%)C!ef9FQWwM<t1WuES$
zjoPn_-JPRv_lfym;;Tx&6YEwp2aea!NH<FGyM#o3_fW_+1oECBkSm2gt`73JN~q&g
zf;fJ&(8eo}*x(zV881`b%z&godipXsENb%RrjRlsP=BB_i=S!tXXxPUB#-?v!<`V~
z-~*YcW$y-as^e-l2ZhF+Dbf+6!Y+py@!ZmF8D{pRsVGD@6RN2Rs!V>3QWI#5^%O|j
zmglor9bxouhE5-KYL0wtC1k2t&y4H;M<?j5r%?LXY=0jPaQcK`rmF##uA!v$P|_8F
zN7r!CHh*x@djN<&E=cH81As0I^;{Cvxg>mZX`tq}3&~so_;Pue<<fx4JA_U?2wrhn
zbmA(oh|41nm&O?`iz-|phVTv$gUjLrmq!DBPuRZ|qy6p*-}i(OeaqwbR)E%92{vzO
zB;L0wZjT95w<-kPituvFqvMvx!mR}Pwj!L{6MsjwtpvliJYsEmeA)`oXsf`UJ#M7g
zGMKV8dh9Wy$5wz9TM07kVOELREG)4|EQ{!R;`psqptV*ei%TN0mY2k(QC2I$R4t33
zS{5(0Mn|m*9hKbMm4ip+erm=?WnKvE`w&S8PRsf4IwqQ#q_oq2`ivS(mAS6f)C|GT
zNq<T@_2W8U;p}{czHuPldDg-V{Zf~@P?wmIztD1P<jRr7&`)bg|AOY!hRGK;zu{qe
zS;c(G4Rg2(n`+nyy6N(x{7<vcBu5~Dk9Bx2*^$(FOOh>z9B~#8i?CXk7c_G_2M~fx
zZd)c&SkH_LfuIXI;3)bHVbt9BRcx>8m4Bn%k2lel?XNVD6Jd_WYGCZ@fE}KXylYka
zK$O)hOc&>H5|t3nK~j%D<FGr)5|>-Az4j<eVH|>lR^9wb9L_-)@}w~bL>bL)U<e)o
z@}jiHtrL7X?BwDsY#57TLA48SsbyTQ#-h$yNY|9e)@vSgVeHFv1hlYr&Oz<xJAZn_
zI$GgCr);35g_6CE(`}t-Q{yxcC>l)#@o`vp@R!kgx2NXq8Y0<EnQB#esft=wW>;QP
z*vaDtHvo;t<p7dlyY!>!$W{WG-iui$i0QR56+pOcjV+;jY=mhLYPC^GIp>hNIuOS?
zJKkf3J7o)NaUk*rSDiDm)^$*X*neb8w;sxCn0jU$$2c<E;*#Jc%W<i?93g$HL9(Q0
zslU<X2n6KS6pQdbV^B*_4o$JxR?KN{=@)tHas_8t+MZf@G&b+|YU{3%*LQ=wHUhK^
z{90336$X2ey~rweAS>T@JkH(58t0w#>0R$A?n8&qvujw@KH*Mw2CLW$Jbwx6|54lf
z>mv-`h)w^^Tk-8<E$isY!$(()4!?)+O3sZ`8(=YIW`$TR%k?pq>|ZlND=AM)23Nkh
z^a!Oh@;)0!YE>-+yEC>a(!ux!w&pttuexw(Rmtpqwrgpvu{=`cl(#?{QK0R;!1L_J
z_0jtkY{_en+#g<?B<n^ZMSm7PqM@-4LoCzV^B(HfZCTQN(vU7d+tEcBc*^z_gp3Zw
zGRY0<16GUk+y=Z}cAF<yb}Lrxnsg2WeZOl%i{@yIIS#jMi<WDN=AofEr=>FAR!r9R
zPzn2GQdFQ0qh3J7b;lL9Nsl@-&(BBTg(wFO)-lg@*ya&#@n)P-FMk|T&nA<>lQ#N<
zN}V<Pn2Fl~P>*15a&J}IG26w}Vr|NvMpsT7L&`yOCC)JyuPbtw&D#wv9B2-bD{`qh
zD7SaA{m6I%AJ!?8)FzY|o$sKV`WvdCT^vg`#?q2;A&d_%P8vu`;7E`Fe4NJ}7p>xs
zt<X%;p#H`tpK%k<34a`?){PHNHQb3u7MnWJgiE|M$TvBAobP}_tYRLiN*2lbG!9jN
zC#v&#qB_4PYKE-4{GX`3543UP;b`;xio~9xvbnV!B-0cRILBTZiOb{<y#;v|#zR7t
zQTgJfL52^UsiO6C4D4z2`tfP#*M$>=BqzEGZh{w#XFJoE4u6JgrZHl?lJ-yOl7GZP
zW*O3O&P!M;rzNxR?z5C6?f<KGskb<{RQ#Zn)Iy&RNJ@MrK_`FlZ1Jf%t1x@XbIX!?
zk~}6^Kf8N1O&{4f*eFA_-9>hh)*YTN?&@yy-gb74LddF}neinr<K|3n-3^Lpr5E8X
ze|K6@GFx7lR)162=nS*Q{KSG;D(0e8JW=9f_3z>_mYWgFK?WTCl$@p3*1sANn^W!I
z|N5UFNeE^Z{QF=3tF+F)|MfqA37LQW?|=Po>xA4zG>BD>hPmg$aGX2aQXF9y#dOR|
z!hk8lVKl-vhs8W<eX)!$vogBWWs`L@sy4qYI!$w98h;I(E(3%PH|wf))L>7hCN{c0
z1)RjcwQ&}Z!2ond4FNh`o-xVI%7R@aMeL6@^M_ln)C#SM_@EOdNUwS-c=2&L2gj6b
z$c1zcgOdJoy2D(C!U7Jma=xC62>kA>bf5Xh2=dsh;kFl3%#)MQbBlbjC&692G7=CD
zzKLq&6Mr3EfypA_JjXYmsk>>I(226z`5)`8J}upWO-PetcZ8z|+FK_M%8S}7b<Vcr
zDahZ!*-07ZW{1+bTb#La>y~OS=<K?mpA1Z8Jj-QCzzjv|yF-Ku2{>pllPCfz35Rra
zjqWlYtXw(*tnpS_h|vFg@!@pqEvq4E#tZ8-0Dt<(9gKm>O|3snMkAd$@It-mjxi+z
z5VC9Q04{#n`L)g*P{IqhcpQbWnFQie6D*lSM40YKDQbo1*ihLXKoLulhTrJss^wAH
ziP(DZLUIj#)X@&`jLk1f`oFp^{7}yelO?dD3Uv%~se3fPkYr36=K&|fA-L~;Kz5s?
z^M5<NR4SdQ6*)(O+GIWH5?x{Xmz`g0IWG2>TF2oQ?U*e(5vrG7+8HUPRN`Azldr6e
zx}MdE-t=sqC__LQClH2SviHBiQ`HN}z}a-Jn9D|KO;h}RIQq~xoGF1C(j>>#fGFK(
z5`HzC7Rb0olNgCV!gQGC8yv(k=CD|bhJUK3IC&f%<Fev-FrRD7#?f|p3ZLgAZH<j<
z%KgbEz$XN5wr&`|CUod2(e!Mpq%FPvY(3NeS-35F0c+c!!fJPyty1-ft%VwugcjPb
zW6v)Vm{RH6l4X?Y*qX^i1RCQ2veY?uEXt}wby_%o>RHT=hiRbxZBmu`(}j94CV#D_
z@5hs)`w{S%EHqbZx4d;p{Ay5Q$b}R`b!q>+s#)#`?L5$x!1c!8cYZ(U;l)Ybk?&%+
z;@V%|5jt1ywA3+D<NhvYQ7igLz-D1e!}pmR1bw9B*15J(CctMp$)chN)MtT7DvBv0
zRPOI}(Fdx(-%Jo=V`Vt~ci_Ip^nXu(6n{MZZ`*an`Db{hg<1ts=J@u1zV3OwZLhcO
zpxEp6_5Vj7FAwXp!)ab?)LR~QmOT%4;b}exn%$=Alxp8vKD3$@etq-ilggcjANReR
zrA5iH1g-Dh{0{HlY@42~5diIKk%dGrn32ut(3@MLD{0bZ3d#e>^ZZP%RDYV6%J)_q
zF<mMHoXcIld`>v0rPwx0T(k9La~JkeZ!W`XRy@BcmQU(~_&J^7>dBetlEu2QevXgS
z;%?%iYMe|2&5pSw?i*jJGT4S3gqS1fwZ1TPeIjP=6EQ113G=O=fLWh>x!02~>k}`J
z`NYdQGs_)iX0al(RBjeSV}E7YS>`;I^bMUwT4zKt&pK_yw|%DQTRuhfKqlupeNM}h
zJxibCS;48Dm7LL;<3vuQ9ruI};4FRIX8FT4kNhaj>JH94-D5IK9f(=x=*zcx$Ysgn
zERXr-+C|SXtoqc#(q|N&%87(~IDfGGX@gasEm-y>!K%&;tWOD)Pk#w4bsk_P$p7Uq
z{>!5Im&Wa{1fjnS7JnJk{WAFaHIjbr#;uX`Yb5;|Grz{nuQBtF@BZ)EF0$|T4)9`7
zaT(P5(irt+5$WG3{`|?I&DXbYKTQPro!-4YCpvt6|Mp|Le|seu?qw0%E5T>4@6rBd
z@6rB75z<TJp_fHJKYtFa^CP|f`^y&(0S%D%_3OqD>!<m_zr`E|Bm~bF#4{RcOTswP
zAg(R-W3EVgEk}2X$6?z#dc9t6e{WC!x7X{H{=2igxAW?U?Y-B%o&CL6+pk~!(A(MF
z-g)%{>fLSA%@YfW`47FN>nb<y8+puBJAx==(=kw4y4ocYTYr=7!d)!}>iXpi>i%pn
zdpV)d&h@WfH}c*{UGyA6zyi9N-%*ze@fC!2&f_SWO%@?Fxe4{dH~`d1C9`WNbx;@m
zjwqpl+JEk;Z&Z1`bUWypk4!23rDT7{;}HFh$`q73nL#XfhmGO2aH&np3KA$BhbSaI
z7Ii(6yf-xo2!Fws$#!>)r9XO~>)F~)OTK&W=)C=;!&{DwkQ_@GT1cE(GTh%JB`>Fu
z{WeiImj9fvsV6KnWiAQ$bJmE~0+v=WNK4)@ejPF#oG7A1PP+zud2&=BuQ*AIc8M*!
z6$|L2j#L|f0{s>u6|vxbUPP_*bTj$+^Be*ivEZOAqko$5lAO-21(iUXBPQf2NY(bb
z9?liXYF2gx@!`PNJMh!8Vky4PQOhV$7QjV8`nCB`a9uOeM<Jo{ZDa4`DYfqI8hOc2
z)R=ytKVcz(=gO<fJkCNW-c+?U)&*0`CnqZHD?2oQpM{u0iz<@{M5M|$)*NxdIFZu~
z<zkIp&wn@fJ9$1QGIw8)06*3rFe>3zX5%BkSG&qH&eY7!8|X%FoX1p>F&vr02aUrf
zSqQu=(YYU6N_3-QALu*Frnwnof0<*tRECX=@et19FuVYtgUoSXep9HW?(1UZ6)j_a
z$YR`iTi-0`%FxSzdwj#PJHp~jDcD=o+3FOl?|=G&oMm6AHHir#8K35-hHXzDb#gP?
ze1C-noI}LW*RPd#O|<*7N=rOMU%z(D7=!{^^0T@+i`oGp%!i^Jw(5A3H#?omkJ=2!
zL7;YaZ~pM&;OOZ5_~PQFqhJU)0Pbm>MHro3BD;3?O`T2VAfjd>i{+c`onB8k-ovfr
z*ncyqF)vxW-xSxow6M}W9*&6j&q%y^)oUto6>}lqZ1-G+27qPE!5gYQ%A3D3%J|vO
z=irB!j7=D@!T``oc?9g4F4Mzh*qIvYK2rN1^?zN#{Ohs|srhHm0iapp5v65|k}<Iv
zrDG~95;9i5ngeQzhZ2W|d&L(>FCcj*NPqq+$S+=5cNEM>Td>4#&V<_DDKcEE)YaqT
z2w#zqI8RP+7L|YV(82rnPF0l8gw?2u(uir=?HAdntI|nxRMKz#+1y&{?zw2Ex7uo`
z`%zFOExOuy-ZVWMCZKxiXYXRuGdE}tKRr1J@>^>w;oOv7xrN}Q>s+aml8ajgOMlk2
z+L`6F9PVSfJ@?Gb+@6^j9-*-SPX|-qXxH!a$_F|7K~&!sSMqc4*#x+O9v|OESYImq
zBPL<YK`-ggA9hJk#&(hA{GRoNW%XfoMMx$<K?t?AxPmt7BKhJ>eXv@M(LlO7k&A^F
z)Eld+v5od9?i}i*+?3R#k<QFrk$(&f{BxG?M$N$@FNWes%E(JjD8C7rk3;oY-|Y=5
zHgyCzl%q4oWx8>$bg`{Pm-HgW<(ma5m%Gvsp1j$aOBEEWdF<Mt!0p2-gw$W#Mi*qx
z-IeNr8nV?HnH5}c{x4foJFCH))J+C9d=C={-5dLKw*KM8;l;`4<I|(F4}T}8mo8Vs
z7$hgYNVQ9^tN&lk?6#%tw5!?U`-~3Au!ixhfSZ5`Q!0td6R@Xatux={S_xUKan=Je
z^n~`Dd1WFwE_CrjUD~+WPUohaSywH|H#lNUmKZM<z&$(!DjjV%Wj+ev2daddP)5NM
z@nAr19fab9#Dy;5CWOO~-G6v6j^wn^12qlS#gA3#!>s8g${Gk$7V*??sYI$S!cdet
zr?bQsDZPt0lgwvfA6*`vC2EPnVk==QR+|<n7vHADZ!`I>=!-%{#a<m4qxy2hL5x@!
z^wF!rd$pjy1zFbWky(-wj+U|;OyH=GQfr}H*MePGXF((s^UOQ!0e?b?Bse^R5Kk`*
zY`Kqiix4DhI;F3-i?1W#gaz)8>vt{x|Ht#=&xhy7N5`j^CkO98|9JBL*tLiGkuyg&
z1vB-2!qGdJI*-XZLic*vIpm;Yl{oy7gm9RUsrH_Fu3_5OLg0AEB6Bn~msG0U#{5F#
z-k!yj-1fJ&>h0I+1b?+EOCMZ0<Lq{dI-TmwGz|Rp^78EB^V#`_|L^ba`m3riN4G?@
zMt~YQY{TIE{LRB&QQqEu_<V8n?(_Q(Z$H03{`vTQ+gi2gyk!?h@7`xt##}aZX7k*u
zbG-a9XH0H&@ozqhrcNs6)eI^i{oIMEtr|ix2hT6xEmhT_I)7T-4TzAOq0RsT#&NB{
z2vN?3TINfLaLb2kDqjvb_&~#H!+aGY^rGu>@0KfwuE~~<J;`Gsw{$$nuioh1P@7Xw
z7ue^d67>*!93!lb$f{Ecwb67$xXt`p{K6@5Grn+$mReG)r_`g_0&Al1M>^R6<I@k^
zps6?V<29$mx__m0CWlqgt(VN1#Ab+TP6{6yly{HMT=-9``{%)a{xB2&+1u{zzAoWE
zcXoDrYy9VZJf7zjAfJ^ini~codU$bS6ZAHML5q9v62x;}>}Cm@rbzgL7&e;SEr}Ne
z<&Fc)6HHCMPf%`HO6-r$)61o6Hn@dSrUelTPUwJrpnuwoNf$q}TD&I%@TY#Luar)c
ze4nYY5a|`L9y*RjFb1xHRRi&svp8~CRW_8;EtIeTOLh(P+~$Z(s=;wUfck3nh)92H
z>p=D1!O^8Edwgp$NPJJ4@cVq`(*GJnctdEwZiJ`S+lVtCgqX1+H0%HEy}kYIlKy}7
zdUt!R|9|h}v9=thK?Zj=1Kb6QuR^H)9t-%ZvbD_EAEux}rEBbQ0t{nDFJOVw1W6@<
zI9=gk0vFX4oFz!eE`N|9p|sLd1Sb9OMFE+wmMTJrAN8xmR378oj}%WZ3Dt-fdQMIG
zZt;E6eHD<uE?b57&pe*cZnTy;#xUOrgSPz4e}5LCcHCD0_0N&IBb@(yczq=ejf}1c
zyKTN}dlJA_UeDDM2LbZ9@Vfb(1C!5n#6Yoi;KH3d*iXu3RJVJm1&&`Y?<ElbBY>^1
z>KsAx(stE{D7UZ3xe&~<R&i7Dm>!6a0=Vh2&gmsO_;~r(59cSBfB*F9;_nxi$3G>J
ztbf9Rm>eB7Du)dqeD(fY42)+sVRU~n@@l1J7vgLmbe-qf=D4ZE+9P%YT#O(LyKw6O
zxcil#PT|HokuXO3fAyl6I@XYPhUEwy_CI}^VE*Y-NUlD8QYtG1`RP-n^FWJFpK7<)
zpFSb)N5=gEBX{QDY&t!nHHTr&<1i%32xDl44pkqT4gGoY*=l8aW(8G2bA7TP0OT%e
zFH3oytg5Y>b6m=zTZ1Yof>CEdM6B4RwP=88gyrbXA6^`tpZt7${`vg)?dOXRhwnb0
z9bEp^MZ-wElf>Ekk8e*-HHo8>bCcOBF@N31zZ`!){cv>r`SjqYIU?CQ{Yp&;J4?N*
zEmJ*Pa#wVrR$AXR#p+gq<}g$u7+DO;L3@q3duoP7oytuqnHkbj(H7u)dJnxa;GUvJ
zf;WG7QJjl)3cL#6%4@y{LgeWlxeF{_J>e&Z!qZJ{gTG5f3}1!d4M8R+J%q$kynk_o
z8%)u+AZ@~URj!d}-hb>_2Xftc(H6i{<DjaAoIVk_RnlvYGOL7L-HFY!Mr^GJv2_;)
zRo+2A*}f}_YgN|O10j5#a7M9(<9~CYKxX9s+S%^yl=FY>?(MJRfA{gUi2uEyOtuaJ
zzFbEE*HOTA6mT5{Tt@+)P!w>rA%D0>5L0XlW|R)CXH9B(9^tV6sqRFA^>7EIRd8f|
z7Jk9A@N-8m$_L^dMQYBT8-HE>X|(%@R2=rTuixqLU)5Rmd3S1$=*;;#IQekF$ww1g
z)RV59*R`<GInPlyQrq?{E!>tbu&)Ub7;d&2BeRYV7U%&dl`#w8jhj?yrGKkA1-svT
z3U;^W7J|FgaE~dd`XoZ0v(uI&GSry2q~q-5^3<%@MYZ%CW>xZeL6&C`$roN?fm;W9
zzq`~b>)7l%Hv2?lvxZSZLqgN!e%CPd%vI9ne$OPOy_@+H{jI6!9ZV1Ohkqk-lw{3!
zSG;_Lcg~bCvo>tbeS4b>EPvVWcb;~o^s<oEB>!fe%H$En)|+kEb&&jt2gx5#;+3ak
z_uI4=dY(5DaPQXaod>s5Zy>ygMBr5hH%I2vr|u_J=u_@95`y)bm%gl4A;wn=)uFyC
zeew*+5eU%AOCZc4y%bKzpaL{tT;JP>CDHo|eH|@KpL265Xo(o3;eRx_l2C_hMmV`<
zPW^NR5~GQ|MBUyrczAJwG<&W4RZ&@@bE}^>_VE0*nQktB_l@9F%)e_h(9DqYro<_&
zg}$x8&skYX`d23TE0X$oBz~E0F4CGy^cU)IcYO_RmZn--feN$31V!t#n2M;vl6ys3
zoSV5ScdlMb_e6v9v44rXN|vS>i)0g@l@+tx6Hgcr_nkd+<NxN){xlQ+xBY6rSHk~o
z@9(eg|Gbx{6cRIu+${2M6-Yjt8E&OGzADWXp!f{Y<uQDQ&Kkj2GfoeO-*a=b_<f?~
zVDf!l5^CDA0=QsG=svCn&H2y*Djfa^J4DI5d<uv~Fo)*bC4cV-H9Xx79?<HFyFvqI
ztUpF9U`=nV6c75uk%nzDAFpwSkMz!+a)B0C=*$(ny1RRAn!RFX8qbRaT!ZzRIeRFu
zUfqSXm14_5)DmHB*p55`e4eB5qrv9Q3hTa_6PvftC3=fs@hbLT<`UboF0rjzm)K%A
z`K=ZWx4<P{i+@1ZwiW`em9_Cau(dU^>^nu4W%F>2EBoGXWfuIU6^}RMERO1tWj|-S
zQRf`LN5GolF9JR$La2RVRep``%t|~t<Xf?Sud&3Q@0*^faB2#@!xA4J>H#a!T0LfM
z#^qkK5p9cZeAcM9^#xvQq}v+l*5-<_Mlepq$%KS3gnz&>BbGa~aX*)vHEpe&8x77P
zJk%SEKKcs@bi7}y1Sbpn8*P-{-R)>aLIF&i9|tfYK2*3^U#-@x;bvM04MV|Wx@Am`
z)WN+aMwmmeW#q;hQ{}F)xE=LnL%9X6ge&iKXJPRiaJiP)o%!7qMcZQraHnC0FV5mZ
z9MnwkrGGmr1$!;VR;|yZnX#qrylYTXGiojCtU6R#gD!jW7w(lB+Fmbtt@KGFr>zy)
z{Ffx=qVA6sE!P77m0XqP<*quL3j{Xf{=ZlId%NZQZ|e0L|8);fX~w13;w8!7ybJ^e
zQOKrapbMbDQnJZE4l_|wg;xX&YgNq(uwqU1EPsz6YofkVTp5QbBt90c`!M-nK|EN?
z;aLVErVj|DS3aUlW1$;HpG$NFXpH$a1PBXlH>YO+Cfn%n{Ky<Ch%=C!rb#Gz_Nup6
zpzY;plQ2YZOC-Vr2^?Y0Vj7^=-B)UZ$!H){EktT!K30qj2n`DL3Wnr}2(ukVV#MMw
zP=D+W^|Hc|9AT>dM-dqldaiiSNB0mCtpI`-F&{!7^|D_IkU_KOuRsEuhOUYfTn?z$
zT1-}ud9SIi6~OCekbe{z`l_rgik-7&RV|v#4`U&L-y5JTXRoXXRn}BR9>!-!(uK|Y
z#vyC-&C|wsas3s%#U*DILFD=C>d*W2+<)Qb`{t>2V0y<9WC{TXz&))C2%~ig`%A@2
zL0Feb*J<tGX|_!4mkkFmoBYMCdUGKs@*~eUK4bsKudweG4*|`;3!HWT@6PsKY5%v^
z+ga!TzL%%8+^F&H`r72oZT$|-!hOy{DD3@oX&lQD<K#EJkml}<Z`=^-FRgRbgMV8I
zoZ`@nIGYef8o0-qHolj+Kc2^-nR6b(5zz<*(MP{@I=^m|w9PM_D7|#udV6f43Ggdj
zU<k6ai8>(>`oA}7yQBVLI!pa4N`49;1PPkJ0yX;~CgaxCo3lZ#x{5dXyK1&2d}XM$
zY;emq!33yWpbKql(#~9{S-v33Zhu{AgO(zgEnG8sx58&XXsmIS6)BxQYs4J&`Hb;^
z(EQAI)uk8xI@+leB;9CdPeB^WlkC?G&+|5_+UYNZ280gpLP^;p@~M8hvQ;goqC|Z4
z5AdbcQl>o@h5eZ(TeZE5dpN(ccWdKJQ!3Wt0IGU^8Ks>FNkivv)QsSru759BO6-rm
zp~a<MyRTeHX{=6L-Ad?yEv^n*Dkn2q<9Sw+m8>6?+P8$nGF~MU-<#r0C*E3X)~KS#
zsxlJ`LEgXCbQ_V&S&vRL*!ad=(`=<S)^cX{%5A%>-)1YaOtsYO)n)ms(Xwl8TG6KY
zIk{G-^@^&sPQ721%0ZCdzJEO<bY8W(gkNK+8Wz_h_q7N;u)ex)b+tlye*$`{)Ef_@
zqtvj}4q4hc$w|6<R#Xl4SSHiI*7V8>WO=^M`Cb;_g+!)}bbtAhgeD(47V<ql^T+?@
zPXagt|GC?HwO@+=?Yw%uvyT7W$1@}Tcdsjt&bjgE)|>}gY4V-%sDIX&e0H^aSzR1r
z(PmvygJz|>`8dJK<J>bFbB!hT{d?a4vY@S#OZQa$&V(D_T?>!a-R(HqcJg}el*Fz5
z+{sXnYYXkEK5gy4Wex$&u>ba6_g<CH|Ge()uI<13c<c&^X;6O#=w85KHA41ncuCh#
zua!DT*D<#Hjj^r1!he+_HWp^0btvFYtyGs*dsJ3w{RyCz+NcfM{o%aeE~d;OhV%@>
z9j-tR7zw&}kuUY?dImHJ+r2r?XW0L?pRnnt1y6#^u>ZGvuXjrJ|Ni#w+W&hmPx<_R
zDV~%W`=!ia&Z*X%1E4unHUH`VMUL^$b74oj%Q_0jb(=mj<b6F76z>6R;$jxZ5-4uN
zu_-sR>O46|`jSVU$z=U3@+_nO+eQLs>i_-9`M>?w>-)d%<#{mupSi-<nt!eN*Utkz
z^XvclBLOq?e{XNMtpE3Wy}h;mzmI1g|Ns3h4t4wS`&la1dT#x!pY`)SJpVTU0RR7=
K7ofrb>Hz>XzB*a}

diff --git a/charts/latest/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml b/charts/latest/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml
index 107b421bd9..fc78df006c 100644
--- a/charts/latest/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml
+++ b/charts/latest/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml
@@ -27,7 +27,7 @@ roleRef:
   name: csi-{{ .Values.rbac.name }}-node-secret-role
   apiGroup: rbac.authorization.k8s.io
 ---
-{{- if Values.node.enableKataCCMount -}}
+{{- if .Values.node.enableKataCCMount -}}
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
diff --git a/deploy/example-cc/cc-deployment.yaml b/deploy/example-cc/cc-deployment.yaml
deleted file mode 100644
index 8c246691b1..0000000000
--- a/deploy/example-cc/cc-deployment.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
----
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
-  name: pvc-azurefile
-spec:
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 10Gi
-  storageClassName: azurefile-csi
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app: nginx
-  name: cc-deployment-azurefile
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: nginx
-  template:
-    metadata:
-      labels:
-        app: nginx
-      name: cc-deployment-azurefile
-    spec:
-      runtimeClassName: kata-cc
-      nodeSelector:
-        "kubernetes.io/os": linux
-      containers:
-        - name: cc-deployment-azurefile
-          image: mcr.microsoft.com/oss/nginx/nginx:1.19.5
-          command:
-            - "/bin/bash"
-            - "-c"
-            - set -euo pipefail; while true; do echo $(date) >> /mnt/azurefile/kata-cc.txt; sleep 1; done
-          volumeMounts:
-            - name: cc-azurefile
-              mountPath: "/mnt/azurefile"
-              readOnly: false
-      volumes:
-        - name: cc-azurefile
-          persistentVolumeClaim:
-            claimName: pvc-azurefile
-  strategy:
-    rollingUpdate:
-      maxSurge: 0
-      maxUnavailable: 1
-    type: RollingUpdate
diff --git a/deploy/example-cc/cc-nginx-pod-azurefile.yaml b/deploy/example-cc/cc-nginx-pod-azurefile.yaml
deleted file mode 100644
index 1a03193afe..0000000000
--- a/deploy/example-cc/cc-nginx-pod-azurefile.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-kind: Pod
-apiVersion: v1
-metadata:
-  name: cc-nginx-azurefile
-spec:
-  runtimeClassName: kata-cc
-  nodeSelector:
-    "kubernetes.io/os": linux
-  containers:
-    - image: mcr.microsoft.com/oss/nginx/nginx:1.19.5
-      name: nginx-azurefile
-      command:
-        - "/bin/bash"
-        - "-c"
-        - set -euo pipefail; while true; do echo $(date) >> /mnt/azurefile/kata-cc.txt; sleep 1; done
-      volumeMounts:
-        - name: persistent-storage
-          mountPath: "/mnt/azurefile"
-          readOnly: false
-  volumes:
-    - name: persistent-storage
-      persistentVolumeClaim:
-        claimName: pvc-azurefile
diff --git a/deploy/example-cc/shared-pvc-across-runtimes.yaml b/deploy/example-cc/shared-pvc-across-runtimes.yaml
deleted file mode 100644
index efee0e14f4..0000000000
--- a/deploy/example-cc/shared-pvc-across-runtimes.yaml
+++ /dev/null
@@ -1,72 +0,0 @@
----
-kind: Pod
-apiVersion: v1
-metadata:
-  name: nginx-azurefile
-spec:
-  nodeSelector:
-    "kubernetes.io/os": linux
-  containers:
-    - image: mcr.microsoft.com/oss/nginx/nginx:1.19.5
-      name: nginx-azurefile
-      command:
-        - "/bin/bash"
-        - "-c"
-        - set -euo pipefail; while true; do echo $(date) >> /mnt/azurefile/runc.txt; sleep 1; done
-      volumeMounts:
-        - name: persistent-storage
-          mountPath: "/mnt/azurefile"
-          readOnly: false
-  volumes:
-    - name: persistent-storage
-      persistentVolumeClaim:
-        claimName: pvc-azurefile
----
-kind: Pod
-apiVersion: v1
-metadata:
-  name: kata-nginx-azurefile
-spec:
-  runtimeClassName: kata
-  nodeSelector:
-    "kubernetes.io/os": linux
-  containers:
-    - image: mcr.microsoft.com/oss/nginx/nginx:1.19.5
-      name: nginx-azurefile
-      command:
-        - "/bin/bash"
-        - "-c"
-        - set -euo pipefail; while true; do echo $(date) >> /mnt/azurefile/kata.txt; sleep 1; done
-      volumeMounts:
-        - name: persistent-storage
-          mountPath: "/mnt/azurefile"
-          readOnly: false
-  volumes:
-    - name: persistent-storage
-      persistentVolumeClaim:
-        claimName: pvc-azurefile
----
-kind: Pod
-apiVersion: v1
-metadata:
-  name: kata-cc-nginx-azurefile
-spec:
-  runtimeClassName: kata-cc
-  nodeSelector:
-    "kubernetes.io/os": linux
-  containers:
-    - image: mcr.microsoft.com/oss/nginx/nginx:1.19.5
-      name: nginx-azurefile
-      command:
-        - "/bin/bash"
-        - "-c"
-        - set -euo pipefail; while true; do echo $(date) >> /mnt/azurefile/kata-cc.txt; sleep 1; done
-      volumeMounts:
-        - name: persistent-storage
-          mountPath: "/mnt/azurefile"
-          readOnly: false
-  volumes:
-    - name: persistent-storage
-      persistentVolumeClaim:
-        claimName: pvc-azurefile
----
diff --git a/deploy/example-cc/cc-statefulset.yaml b/deploy/example/kata-cc/statefulset.yaml
similarity index 95%
rename from deploy/example-cc/cc-statefulset.yaml
rename to deploy/example/kata-cc/statefulset.yaml
index 61d2c35b40..ded4bdefcb 100644
--- a/deploy/example-cc/cc-statefulset.yaml
+++ b/deploy/example/kata-cc/statefulset.yaml
@@ -37,7 +37,7 @@ spec:
     - metadata:
         name: persistent-storage
       spec:
-        storageClassName: azurefile-csi
+        storageClassName: azurefile-csi-kata-cc
         accessModes: ["ReadWriteMany"]
         resources:
           requests:
diff --git a/deploy/example/kata-cc/storageclass-azurefile-kata-cc.yaml b/deploy/example/kata-cc/storageclass-azurefile-kata-cc.yaml
new file mode 100644
index 0000000000..a66859f0cb
--- /dev/null
+++ b/deploy/example/kata-cc/storageclass-azurefile-kata-cc.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: azurefile-csi-kata-cc
+provisioner: file.csi.azure.com
+allowVolumeExpansion: true
+parameters:
+  skuName: Premium_LRS  # available values: Premium_LRS, Premium_ZRS, Standard_LRS, Standard_GRS, Standard_ZRS, Standard_RAGRS, Standard_RAGZRS
+  enableKataCCMount: "true"
+reclaimPolicy: Delete
+volumeBindingMode: Immediate
+mountOptions:
+  - dir_mode=0777
+  - file_mode=0777
+  - mfsymlinks
+  - cache=strict  # https://linux.die.net/man/8/mount.cifs
+  - nosharesock  # reduce probability of reconnect race
+  - actimeo=30  # reduce latency for metadata-heavy workload
+  - nobrl  # disable sending byte range lock requests to the server and for applications which have challenges with posix locks
diff --git a/deploy/rbac-csi-azurefile-node.yaml b/deploy/rbac-csi-azurefile-node.yaml
index a2c47d2882..61f0f0c8a4 100644
--- a/deploy/rbac-csi-azurefile-node.yaml
+++ b/deploy/rbac-csi-azurefile-node.yaml
@@ -32,9 +32,7 @@ roleRef:
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-{{ .Values.rbac.name }}-node-katacc-role
-  labels:
-    {{- include "azurefile.labels" . | nindent 4 }}
+  name: csi-azurefile-node-katacc-role
 rules:
   - apiGroups: [""]
     resources: ["pods"]
@@ -46,15 +44,13 @@ rules:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-{{ .Values.rbac.name }}-node-katacc-binding
-  labels:
-    {{- include "azurefile.labels" . | nindent 4 }}
+  name: csi-azurefile-node-katacc-binding
 subjects:
   - kind: ServiceAccount
-    name: {{ .Values.serviceAccount.node }}
-    namespace: {{ .Release.Namespace }}
+    name: csi-azurefile-node-sa
+    namespace: kube-system
 roleRef:
   kind: ClusterRole
-  name: csi-{{ .Values.rbac.name }}-node-katacc-role
+  name: csi-azurefile-node-katacc-role
   apiGroup: rbac.authorization.k8s.io
 ---
diff --git a/hack/verify-yamllint.sh b/hack/verify-yamllint.sh
index fd1d9521ee..e45794b212 100755
--- a/hack/verify-yamllint.sh
+++ b/hack/verify-yamllint.sh
@@ -21,7 +21,7 @@ fi
 LOG=/tmp/yamllint.log
 helmPath=charts/latest/azurefile-csi-driver/templates
 
-for path in "deploy/*.yaml" "deploy/example/*.yaml" "deploy/example/snapshot/*.yaml" "deploy/example/disk/*.yaml" "deploy/example/windows/*.yaml" "deploy/example/metrics/*.yaml" "deploy/example/largeFileShares/*.yaml" "deploy/example/smb-provisioner/*.yaml" "deploy/example/cloning/*.yaml" "deploy/example-cc/*.yaml"
+for path in "deploy/*.yaml" "deploy/example/*.yaml" "deploy/example/snapshot/*.yaml" "deploy/example/disk/*.yaml" "deploy/example/windows/*.yaml" "deploy/example/metrics/*.yaml" "deploy/example/largeFileShares/*.yaml" "deploy/example/smb-provisioner/*.yaml" "deploy/example/cloning/*.yaml" "deploy/example/kata-cc/*.yaml"
 do
     echo "checking yamllint under path: $path ..."
     yamllint -f parsable $path | grep -v "line too long" > $LOG
diff --git a/pkg/azurefile/nodeserver_test.go b/pkg/azurefile/nodeserver_test.go
index ab9d348cf1..9cfdbc2865 100644
--- a/pkg/azurefile/nodeserver_test.go
+++ b/pkg/azurefile/nodeserver_test.go
@@ -341,14 +341,17 @@ func TestNodeUnpublishVolume(t *testing.T) {
 			expectedErr: testutil.TestError{
 				DefaultError: status.Error(codes.Internal, fmt.Sprintf("failed to unmount target %s: fake IsLikelyNotMountPoint: fake error", errorTarget)),
 			},
+			setup: func() {
+				if runtime.GOOS == "windows" {
+					mockDirectVolume.EXPECT().Remove(errorTarget).Return(nil)
+				}
+			},
 		},
 		{
 			desc: "[Success] Valid request",
 			req:  csi.NodeUnpublishVolumeRequest{TargetPath: targetFile, VolumeId: "vol_1"},
 			setup: func() {
-				if runtime.GOOS != "windows" {
-					mockDirectVolume.EXPECT().Remove(targetFile).Return(nil)
-				}
+				mockDirectVolume.EXPECT().Remove(targetFile).Return(nil)
 			},
 			expectedErr: testutil.TestError{},
 		},
@@ -888,14 +891,17 @@ func TestNodeUnstageVolume(t *testing.T) {
 			expectedErr: testutil.TestError{
 				DefaultError: status.Error(codes.Internal, fmt.Sprintf("failed to unmount staging target %v: fake IsLikelyNotMountPoint: fake error", errorTarget)),
 			},
+			setup: func() {
+				if runtime.GOOS == "windows" {
+					mockDirectVolume.EXPECT().Remove(errorTarget).Return(nil)
+				}
+			},
 		},
 		{
 			desc: "[Success] Valid request",
 			req:  csi.NodeUnstageVolumeRequest{StagingTargetPath: targetFile, VolumeId: "vol_1"},
 			setup: func() {
-				if runtime.GOOS != "windows" {
-					mockDirectVolume.EXPECT().Remove(targetFile).Return(nil)
-				}
+				mockDirectVolume.EXPECT().Remove(targetFile).Return(nil)
 			},
 			expectedErr: testutil.TestError{},
 		},

From 6e32cc608ffaad259bbf6dfa772af564d5c3b831 Mon Sep 17 00:00:00 2001
From: andyzhangx <xiazhang@microsoft.com>
Date: Mon, 14 Oct 2024 08:28:30 +0000
Subject: [PATCH 5/6] chore: refine kata-cc mount

---
 pkg/azurefile/azure.go            |  5 +----
 pkg/azurefile/controllerserver.go |  3 +--
 pkg/azurefile/nodeserver.go       | 12 ++----------
 pkg/azurefile/utils.go            |  2 --
 4 files changed, 4 insertions(+), 18 deletions(-)

diff --git a/pkg/azurefile/azure.go b/pkg/azurefile/azure.go
index f48b877264..2f8131a57b 100644
--- a/pkg/azurefile/azure.go
+++ b/pkg/azurefile/azure.go
@@ -59,10 +59,7 @@ func getRuntimeClassForPod(ctx context.Context, kubeClient clientset.Interface,
 	if err != nil {
 		return "", err
 	}
-	if pod.Spec.RuntimeClassName != nil {
-		return *pod.Spec.RuntimeClassName, nil
-	}
-	return "", nil
+	return ptr.Deref(pod.Spec.RuntimeClassName, ""), nil
 }
 
 // getCloudProvider get Azure Cloud Provider
diff --git a/pkg/azurefile/controllerserver.go b/pkg/azurefile/controllerserver.go
index b921140c89..42646912a2 100644
--- a/pkg/azurefile/controllerserver.go
+++ b/pkg/azurefile/controllerserver.go
@@ -279,8 +279,7 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 		case tagValueDelimiterField:
 			tagValueDelimiter = v
 		case enableKataCCMountField:
-			_, err := strconv.ParseBool(v)
-			if err != nil {
+			if _, err := strconv.ParseBool(v); err != nil {
 				return nil, status.Errorf(codes.InvalidArgument, "invalid %s: %s in storage class", enableKataCCMountField, v)
 			}
 		default:
diff --git a/pkg/azurefile/nodeserver.go b/pkg/azurefile/nodeserver.go
index ab55f1afbd..d1e3a0d424 100644
--- a/pkg/azurefile/nodeserver.go
+++ b/pkg/azurefile/nodeserver.go
@@ -102,18 +102,10 @@ func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolu
 
 		if d.enableKataCCMount {
 			enableKataCCMount := getValueInMap(context, enableKataCCMountField)
-			if enableKataCCMount == "" {
-				enableKataCCMount = falseValue
-			}
-			enableKataCCMountVal, err := strconv.ParseBool(enableKataCCMount)
-			if err != nil {
-				return &csi.NodePublishVolumeResponse{}, err
-			}
-			if enableKataCCMountVal && context[podNameField] != "" && context[podNamespaceField] != "" {
+			if strings.EqualFold(enableKataCCMount, trueValue) && context[podNameField] != "" && context[podNamespaceField] != "" {
 				runtimeClass, err := getRuntimeClassForPodFunc(ctx, d.cloud.KubeClient, context[podNameField], context[podNamespaceField])
 				if err != nil {
-					klog.Errorf("failed to get runtime class for pod %s/%s: %v", context[podNamespaceField], context[podNameField], err)
-					return &csi.NodePublishVolumeResponse{}, nil
+					return nil, status.Errorf(codes.Internal, "failed to get runtime class for pod %s/%s: %v", context[podNamespaceField], context[podNameField], err)
 				}
 				klog.V(2).Infof("NodePublishVolume: volume(%s) mount on %s with runtimeClass %s", volumeID, target, runtimeClass)
 				isConfidentialRuntimeClass, err := isConfidentialRuntimeClassFunc(ctx, d.cloud.KubeClient, runtimeClass)
diff --git a/pkg/azurefile/utils.go b/pkg/azurefile/utils.go
index 0c2f077fa7..331e200548 100644
--- a/pkg/azurefile/utils.go
+++ b/pkg/azurefile/utils.go
@@ -330,13 +330,11 @@ func isConfidentialRuntimeClass(ctx context.Context, kubeClient clientset.Interf
 		return false, nil
 	}
 	if kubeClient == nil {
-		klog.Warningf("kubeClient is nil")
 		return false, fmt.Errorf("kubeClient is nil")
 	}
 	runtimeClassClient := kubeClient.NodeV1().RuntimeClasses()
 	runtimeClass, err := runtimeClassClient.Get(ctx, runtimeClassName, metav1.GetOptions{})
 	if err != nil {
-		klog.Warningf("Failed to get runtimeClass %s: %v", runtimeClassName, err)
 		return false, err
 	}
 	klog.Infof("runtimeClass %s handler: %s", runtimeClassName, runtimeClass.Handler)

From bb47dce21029f1c62807fb507fdca10d3392552e Mon Sep 17 00:00:00 2001
From: andyzhangx <xiazhang@microsoft.com>
Date: Mon, 14 Oct 2024 08:28:30 +0000
Subject: [PATCH 6/6] chore: refine kata-cc mount

fix
---
 deploy/csi-azurefile-controller.yaml |  6 ------
 pkg/azurefile/azure.go               |  5 +----
 pkg/azurefile/controllerserver.go    |  3 +--
 pkg/azurefile/nodeserver.go          | 12 ++----------
 pkg/azurefile/utils.go               |  2 --
 5 files changed, 4 insertions(+), 24 deletions(-)

diff --git a/deploy/csi-azurefile-controller.yaml b/deploy/csi-azurefile-controller.yaml
index b4bcea5f67..eaf570e9d0 100644
--- a/deploy/csi-azurefile-controller.yaml
+++ b/deploy/csi-azurefile-controller.yaml
@@ -161,8 +161,6 @@ spec:
             - name: CSI_ENDPOINT
               value: unix:///csi/csi.sock
           volumeMounts:
-            - mountPath: /run/kata-containers/shared/direct-volumes
-              name: kata-direct-volumes
             - mountPath: /csi
               name: socket-dir
             - mountPath: /root/.azcopy
@@ -188,7 +186,3 @@ spec:
           hostPath:
             path: /etc/kubernetes/
             type: DirectoryOrCreate
-        - name: kata-direct-volumes
-          hostPath:
-            path: /run/kata-containers/shared/direct-volumes/
-            type: DirectoryOrCreate
diff --git a/pkg/azurefile/azure.go b/pkg/azurefile/azure.go
index f48b877264..2f8131a57b 100644
--- a/pkg/azurefile/azure.go
+++ b/pkg/azurefile/azure.go
@@ -59,10 +59,7 @@ func getRuntimeClassForPod(ctx context.Context, kubeClient clientset.Interface,
 	if err != nil {
 		return "", err
 	}
-	if pod.Spec.RuntimeClassName != nil {
-		return *pod.Spec.RuntimeClassName, nil
-	}
-	return "", nil
+	return ptr.Deref(pod.Spec.RuntimeClassName, ""), nil
 }
 
 // getCloudProvider get Azure Cloud Provider
diff --git a/pkg/azurefile/controllerserver.go b/pkg/azurefile/controllerserver.go
index b921140c89..42646912a2 100644
--- a/pkg/azurefile/controllerserver.go
+++ b/pkg/azurefile/controllerserver.go
@@ -279,8 +279,7 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 		case tagValueDelimiterField:
 			tagValueDelimiter = v
 		case enableKataCCMountField:
-			_, err := strconv.ParseBool(v)
-			if err != nil {
+			if _, err := strconv.ParseBool(v); err != nil {
 				return nil, status.Errorf(codes.InvalidArgument, "invalid %s: %s in storage class", enableKataCCMountField, v)
 			}
 		default:
diff --git a/pkg/azurefile/nodeserver.go b/pkg/azurefile/nodeserver.go
index ab55f1afbd..d1e3a0d424 100644
--- a/pkg/azurefile/nodeserver.go
+++ b/pkg/azurefile/nodeserver.go
@@ -102,18 +102,10 @@ func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolu
 
 		if d.enableKataCCMount {
 			enableKataCCMount := getValueInMap(context, enableKataCCMountField)
-			if enableKataCCMount == "" {
-				enableKataCCMount = falseValue
-			}
-			enableKataCCMountVal, err := strconv.ParseBool(enableKataCCMount)
-			if err != nil {
-				return &csi.NodePublishVolumeResponse{}, err
-			}
-			if enableKataCCMountVal && context[podNameField] != "" && context[podNamespaceField] != "" {
+			if strings.EqualFold(enableKataCCMount, trueValue) && context[podNameField] != "" && context[podNamespaceField] != "" {
 				runtimeClass, err := getRuntimeClassForPodFunc(ctx, d.cloud.KubeClient, context[podNameField], context[podNamespaceField])
 				if err != nil {
-					klog.Errorf("failed to get runtime class for pod %s/%s: %v", context[podNamespaceField], context[podNameField], err)
-					return &csi.NodePublishVolumeResponse{}, nil
+					return nil, status.Errorf(codes.Internal, "failed to get runtime class for pod %s/%s: %v", context[podNamespaceField], context[podNameField], err)
 				}
 				klog.V(2).Infof("NodePublishVolume: volume(%s) mount on %s with runtimeClass %s", volumeID, target, runtimeClass)
 				isConfidentialRuntimeClass, err := isConfidentialRuntimeClassFunc(ctx, d.cloud.KubeClient, runtimeClass)
diff --git a/pkg/azurefile/utils.go b/pkg/azurefile/utils.go
index 0c2f077fa7..331e200548 100644
--- a/pkg/azurefile/utils.go
+++ b/pkg/azurefile/utils.go
@@ -330,13 +330,11 @@ func isConfidentialRuntimeClass(ctx context.Context, kubeClient clientset.Interf
 		return false, nil
 	}
 	if kubeClient == nil {
-		klog.Warningf("kubeClient is nil")
 		return false, fmt.Errorf("kubeClient is nil")
 	}
 	runtimeClassClient := kubeClient.NodeV1().RuntimeClasses()
 	runtimeClass, err := runtimeClassClient.Get(ctx, runtimeClassName, metav1.GetOptions{})
 	if err != nil {
-		klog.Warningf("Failed to get runtimeClass %s: %v", runtimeClassName, err)
 		return false, err
 	}
 	klog.Infof("runtimeClass %s handler: %s", runtimeClassName, runtimeClass.Handler)