From ad9eb72915f1be40da3ebe287274fe2bae62e46b Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Wed, 5 Aug 2020 21:09:40 +0000
Subject: [PATCH] Add latest changes from gitlab-org/gitlab@master

---
 CHANGELOG.md                                  |  45 +++-
 GITALY_SERVER_VERSION                         |   2 +-
 GITLAB_SHELL_VERSION                          |   2 +-
 Gemfile                                       |   2 +-
 Gemfile.lock                                  |   4 +-
 .../components/grafana_integration.vue        |  10 +-
 .../jobs/components/environments_block.vue    | 255 +++++++-----------
 .../jobs/components/stuck_block.vue           |  71 +++--
 .../snippets/components/snippet_header.vue    |   9 +-
 .../enforces_two_factor_authentication.rb     |   9 +-
 .../oauth/applications_controller.rb          |   3 -
 .../oauth/authorizations_controller.rb        |   2 +-
 .../authorized_applications_controller.rb     |   2 +-
 .../oauth/token_info_controller.rb            |   2 +
 app/controllers/oauth/tokens_controller.rb    |   5 +
 .../repositories/lfs_storage_controller.rb    |   5 +-
 app/helpers/issuables_helper.rb               |   2 +-
 app/mailers/emails/members.rb                 |  17 +-
 app/models/clusters/applications/runner.rb    |   2 +-
 app/models/clusters/cluster.rb                |  27 +-
 app/serializers/cluster_entity.rb             |   4 +
 app/serializers/cluster_error_entity.rb       |   7 +
 app/serializers/cluster_serializer.rb         |   1 +
 .../project_group_link_create_service.rb      |  18 +-
 app/services/groups/transfer_service.rb       |  11 +
 .../projects/group_links/create_service.rb    |   7 +-
 .../sast_ui_schema.json                       |   2 +-
 .../project_group_link_create_worker.rb       |   7 +-
 app/workers/authorized_projects_worker.rb     |   3 +
 ...-file-call-from-lfs-storage-controller.yml |   5 +
 .../unreleased/220303-public-snippet.yml      |   5 +
 ...e-stuck_block-component-to-use-glbadge.yml |   5 +
 ...d_dashboard_path_to_prometheus_metrics.yml |   5 +
 .../unreleased/sh-update-gitlab-shell.yml     |   5 +
 ...ate-gitlab-runner-helm-chart-to-0-19-2.yml |   5 +
 config/routes.rb                              |   3 +-
 ...dd_dashboard_path_to_prometheus_metrics.rb |  14 +
 ...210506_add_text_limit_to_dashboard_path.rb |  17 ++
 db/schema_migrations/20200729175935           |   1 +
 db/schema_migrations/20200730210506           |   1 +
 db/structure.sql                              |   4 +-
 .../graphql/img/sample_issue_boards_v13_2.png | Bin 0 -> 93727 bytes
 doc/api/graphql/index.md                      |  10 +-
 doc/api/graphql/sample_issue_boards.md        |  44 +++
 doc/ci/yaml/README.md                         |   4 -
 doc/development/documentation/structure.md    |  34 ++-
 doc/development/documentation/styleguide.md   |  62 ++---
 doc/push_rules/push_rules.md                  |   7 +
 ...import_decompressed_archive_size_limits.md |  28 ++
 doc/user/project/integrations/jira.md         |   4 +-
 lib/banzai/filter/label_reference_filter.rb   |   2 +
 lib/banzai/filter/reference_filter.rb         |   1 -
 lib/gitlab/base_doorkeeper_controller.rb      |   2 +
 lib/gitlab/checks/branch_check.rb             |  12 +-
 .../ci/config/entry/product/parallel.rb       |   2 +-
 lib/gitlab/ci/config/normalizer/factory.rb    |   6 +-
 lib/gitlab/ci/features.rb                     |   4 -
 .../decompressed_archive_size_validator.rb    |  90 +++++++
 lib/gitlab/import_export/file_importer.rb     |   9 +
 lib/gitlab/kubernetes/kube_client.rb          |   8 +-
 lib/gitlab/kubernetes/node.rb                 |  21 +-
 lib/gitlab/markdown_cache.rb                  |   2 +-
 locale/gitlab.pot                             |  18 +-
 .../oauth/applications_controller_spec.rb     |  27 ++
 .../oauth/authorizations_controller_spec.rb   |  92 ++++---
 ...authorized_applications_controller_spec.rb |  20 ++
 .../oauth/token_info_controller_spec.rb       |   4 +
 .../oauth/tokens_controller_spec.rb           |   9 +
 .../lfs_storage_controller_spec.rb            | 160 +++++++++++
 spec/features/projects/jobs_spec.rb           |  18 +-
 .../grafana_integration_spec.js.snap          |  18 +-
 .../components/grafana_integration_spec.js    |   7 +-
 .../components/environments_block_spec.js     |  70 ++---
 .../jobs/components/stuck_block_spec.js       |   4 +-
 .../components/snippet_header_spec.js         | 104 ++++---
 spec/helpers/issuables_helper_spec.rb         |   8 +
 .../filter/issue_reference_filter_spec.rb     |   6 +
 spec/lib/gitlab/checks/branch_check_spec.rb   |  23 ++
 ...ecompressed_archive_size_validator_spec.rb |  58 ++++
 .../import_export/file_importer_spec.rb       |  39 +++
 .../import_export/safe_model_attributes.yml   |   1 +
 .../lib/gitlab/kubernetes/kube_client_spec.rb |  16 +-
 spec/lib/gitlab/kubernetes/node_spec.rb       |  52 ++--
 spec/mailers/notify_spec.rb                   |  18 ++
 spec/models/clusters/cluster_spec.rb          |  83 +++++-
 spec/requests/lfs_http_spec.rb                |  18 +-
 spec/serializers/cluster_error_entity_spec.rb |  35 +++
 spec/serializers/cluster_serializer_spec.rb   |   1 +
 .../project_group_link_create_service_spec.rb |  23 +-
 spec/services/groups/transfer_service_spec.rb | 119 ++++++--
 .../group_links/create_service_spec.rb        |   7 +-
 91 files changed, 1512 insertions(+), 504 deletions(-)
 create mode 100644 app/controllers/oauth/tokens_controller.rb
 create mode 100644 app/serializers/cluster_error_entity.rb
 create mode 100644 changelogs/unreleased/213289-remove-uploaded-file-call-from-lfs-storage-controller.yml
 create mode 100644 changelogs/unreleased/220303-public-snippet.yml
 create mode 100644 changelogs/unreleased/230734-change-stuck_block-component-to-use-glbadge.yml
 create mode 100644 changelogs/unreleased/rc-add_dashboard_path_to_prometheus_metrics.yml
 create mode 100644 changelogs/unreleased/sh-update-gitlab-shell.yml
 create mode 100644 changelogs/unreleased/update-gitlab-runner-helm-chart-to-0-19-2.yml
 create mode 100644 db/migrate/20200729175935_add_dashboard_path_to_prometheus_metrics.rb
 create mode 100644 db/migrate/20200730210506_add_text_limit_to_dashboard_path.rb
 create mode 100644 db/schema_migrations/20200729175935
 create mode 100644 db/schema_migrations/20200730210506
 create mode 100644 doc/api/graphql/img/sample_issue_boards_v13_2.png
 create mode 100644 doc/api/graphql/sample_issue_boards.md
 create mode 100644 doc/security/project_import_decompressed_archive_size_limits.md
 create mode 100644 lib/gitlab/import_export/decompressed_archive_size_validator.rb
 create mode 100644 spec/controllers/oauth/tokens_controller_spec.rb
 create mode 100644 spec/controllers/repositories/lfs_storage_controller_spec.rb
 create mode 100644 spec/lib/gitlab/import_export/decompressed_archive_size_validator_spec.rb
 create mode 100644 spec/serializers/cluster_error_entity_spec.rb

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0b320e66535..c11311d3d07 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,21 @@ entry.
 
 ## 13.2.3 (2020-08-05)
 
-- No changes.
+### Security (12 changes)
+
+- Update kramdown gem to version 2.3.0.
+- Enforce 2FA on Doorkeeper controllers.
+- Revoke OAuth grants when a user revokes an application.
+- Refresh project authorizations when transferring groups.
+- Stop excess logs from failure to send invite email when group no longer exists.
+- Verify confirmed email for OAuth Authorize POST endpoint.
+- Fix XSS in Markdown reference tooltips.
+- Fix XSS in milestone tooltips.
+- Fix xss vulnerability on jobs view.
+- Block 40-character hexadecimal branches.
+- Prevent a temporary access escalation before group memberships are recalculated when specialized project share workers are enabled.
+- Update GitLab Runner Helm Chart to 0.18.2.
+
 
 ## 13.2.2 (2020-07-29)
 
@@ -1035,7 +1049,20 @@ entry.
 
 ## 13.1.6 (2020-08-05)
 
-- No changes.
+### Security (11 changes)
+
+- Add decompressed archive size validation on Project/Group Import. !562
+- Enforce 2FA on Doorkeeper controllers.
+- Refresh project authorizations when transferring groups.
+- Stop excess logs from failure to send invite email when group no longer exists.
+- Verify confirmed email for OAuth Authorize POST endpoint.
+- Revoke OAuth grants when a user revokes an application.
+- Fix XSS in Markdown reference tooltips.
+- Fix XSS in milestone tooltips.
+- Fix xss vulnerability on jobs view.
+- Block 40-character hexadecimal branches.
+- Update GitLab Runner Helm Chart to 0.17.2.
+
 
 ## 13.1.5 (2020-07-23)
 
@@ -1573,7 +1600,19 @@ entry.
 
 ## 13.0.12 (2020-08-05)
 
-- No changes.
+### Security (10 changes)
+
+- Add decompressed archive size validation on Project/Group Import. !562
+- Enforce 2FA on Doorkeeper controllers.
+- Refresh project authorizations when transferring groups.
+- Stop excess logs from failure to send invite email when group no longer exists.
+- Verify confirmed email for OAuth Authorize POST endpoint.
+- Revoke OAuth grants when a user revokes an application.
+- Fix XSS in Markdown reference tooltips.
+- Fix XSS in milestone tooltips.
+- Fix xss vulnerability on jobs view.
+- Block 40-character hexadecimal branches.
+
 
 ## 13.0.11 (2020-08-05)
 
diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION
index 5cbd1279d16..2c46e56f22d 100644
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
@@ -1 +1 @@
-c6fdcae2d1c5d4914a010dfe7ea5dbfcfb8bdabf
+1bd1bfa6673eb784b856d580240f8e5522b86467
diff --git a/GITLAB_SHELL_VERSION b/GITLAB_SHELL_VERSION
index 74302c5119c..d224e69099c 100644
--- a/GITLAB_SHELL_VERSION
+++ b/GITLAB_SHELL_VERSION
@@ -1 +1 @@
-13.4.0
+13.5.0
diff --git a/Gemfile b/Gemfile
index 9a23c4f7d11..8ef21d1e4e4 100644
--- a/Gemfile
+++ b/Gemfile
@@ -144,7 +144,7 @@ gem 'deckar01-task_list', '2.3.1'
 gem 'gitlab-markup', '~> 1.7.1'
 gem 'github-markup', '~> 1.7.0', require: 'github/markup'
 gem 'commonmarker', '~> 0.20'
-gem 'kramdown', '~> 2.2.1'
+gem 'kramdown', '~> 2.3.0'
 gem 'RedCloth', '~> 4.3.2'
 gem 'rdoc', '~> 6.1.2'
 gem 'org-ruby', '~> 0.9.12'
diff --git a/Gemfile.lock b/Gemfile.lock
index 257cfb6b52c..79f2d31bbf6 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -598,7 +598,7 @@ GEM
     kgio (2.11.3)
     knapsack (1.17.0)
       rake
-    kramdown (2.2.1)
+    kramdown (2.3.0)
       rexml
     kramdown-parser-gfm (1.1.0)
       kramdown (~> 2.0)
@@ -1308,7 +1308,7 @@ DEPENDENCIES
   jwt (~> 2.1.0)
   kaminari (~> 1.0)
   knapsack (~> 1.17)
-  kramdown (~> 2.2.1)
+  kramdown (~> 2.3.0)
   kubeclient (~> 4.6.0)
   letter_opener_web (~> 1.3.4)
   license_finder (~> 5.4)
diff --git a/app/assets/javascripts/grafana_integration/components/grafana_integration.vue b/app/assets/javascripts/grafana_integration/components/grafana_integration.vue
index 86ac3a5b580..8d1e542b8ad 100644
--- a/app/assets/javascripts/grafana_integration/components/grafana_integration.vue
+++ b/app/assets/javascripts/grafana_integration/components/grafana_integration.vue
@@ -1,11 +1,11 @@
 <script>
-import { GlDeprecatedButton, GlFormGroup, GlFormInput, GlFormCheckbox } from '@gitlab/ui';
+import { GlButton, GlFormGroup, GlFormInput, GlFormCheckbox } from '@gitlab/ui';
 import { mapState, mapActions } from 'vuex';
 import Icon from '~/vue_shared/components/icon.vue';
 
 export default {
   components: {
-    GlDeprecatedButton,
+    GlButton,
     GlFormCheckbox,
     GlFormGroup,
     GlFormInput,
@@ -58,7 +58,7 @@ export default {
       <h3 class="js-section-header h4">
         {{ s__('GrafanaIntegration|Grafana authentication') }}
       </h3>
-      <gl-deprecated-button class="js-settings-toggle">{{ __('Expand') }}</gl-deprecated-button>
+      <gl-button class="js-settings-toggle">{{ __('Expand') }}</gl-button>
       <p class="js-section-sub-header">
         {{ s__('GrafanaIntegration|Embed Grafana charts in GitLab issues.') }}
       </p>
@@ -93,9 +93,9 @@ export default {
             </a>
           </p>
         </gl-form-group>
-        <gl-deprecated-button variant="success" @click="updateGrafanaIntegration">
+        <gl-button variant="success" category="primary" @click="updateGrafanaIntegration">
           {{ __('Save Changes') }}
-        </gl-deprecated-button>
+        </gl-button>
       </form>
     </div>
   </section>
diff --git a/app/assets/javascripts/jobs/components/environments_block.vue b/app/assets/javascripts/jobs/components/environments_block.vue
index c78738221f1..9166c13a4fb 100644
--- a/app/assets/javascripts/jobs/components/environments_block.vue
+++ b/app/assets/javascripts/jobs/components/environments_block.vue
@@ -1,11 +1,15 @@
 <script>
-import { escape, isEmpty } from 'lodash';
+import { isEmpty } from 'lodash';
 import CiIcon from '~/vue_shared/components/ci_icon.vue';
-import { sprintf, __ } from '../../locale';
+import { __ } from '../../locale';
+import { GlSprintf, GlLink } from '@gitlab/ui';
 
 export default {
+  creatingEnvironment: 'creating',
   components: {
     CiIcon,
+    GlSprintf,
+    GlLink,
   },
   props: {
     deploymentStatus: {
@@ -31,7 +35,7 @@ export default {
           return this.outOfDateEnvironmentMessage();
         case 'failed':
           return this.failedEnvironmentMessage();
-        case 'creating':
+        case this.$options.creatingEnvironment:
           return this.creatingEnvironmentMessage();
         default:
           return '';
@@ -39,17 +43,12 @@ export default {
     },
     environmentLink() {
       if (this.hasEnvironment) {
-        return sprintf(
-          '%{startLink}%{name}%{endLink}',
-          {
-            startLink: `<a href="${this.deploymentStatus.environment.environment_path}" class="js-environment-link">`,
-            name: escape(this.deploymentStatus.environment.name),
-            endLink: '</a>',
-          },
-          false,
-        );
+        return {
+          link: this.deploymentStatus.environment.environment_path,
+          name: this.deploymentStatus.environment.name,
+        };
       }
-      return '';
+      return {};
     },
     hasLastDeployment() {
       return this.hasEnvironment && this.deploymentStatus.environment.last_deployment;
@@ -74,201 +73,107 @@ export default {
       }
 
       const { name, path } = this.deploymentCluster;
-      const escapedName = escape(name);
-      const escapedPath = escape(path);
 
-      if (!escapedPath) {
-        return escapedName;
-      }
-
-      return sprintf(
-        '%{startLink}%{name}%{endLink}',
-        {
-          startLink: `<a href="${escapedPath}" class="js-job-cluster-link">`,
-          name: escapedName,
-          endLink: '</a>',
-        },
-        false,
-      );
+      return {
+        path,
+        name,
+      };
     },
     kubernetesNamespace() {
       return this.hasCluster ? this.deploymentCluster.kubernetes_namespace : null;
     },
+    deploymentLink() {
+      return {
+        path: this.lastDeploymentPath,
+        name:
+          this.deploymentStatus.status === this.$options.creatingEnvironment
+            ? __('latest deployment')
+            : __('most recent deployment'),
+      };
+    },
   },
   methods: {
-    deploymentLink(name) {
-      return sprintf(
-        '%{startLink}%{name}%{endLink}',
-        {
-          startLink: `<a href="${this.lastDeploymentPath}" class="js-job-deployment-link">`,
-          name,
-          endLink: '</a>',
-        },
-        false,
-      );
-    },
     failedEnvironmentMessage() {
-      const { environmentLink } = this;
-
-      return sprintf(
-        __('The deployment of this job to %{environmentLink} did not succeed.'),
-        { environmentLink },
-        false,
-      );
+      return __('The deployment of this job to %{environmentLink} did not succeed.');
     },
     lastEnvironmentMessage() {
-      const { environmentLink, clusterNameOrLink, hasCluster, kubernetesNamespace } = this;
-      if (hasCluster) {
-        if (kubernetesNamespace) {
-          return sprintf(
-            __(
-              'This job is deployed to %{environmentLink} using cluster %{clusterNameOrLink} and namespace %{kubernetesNamespace}.',
-            ),
-            { environmentLink, clusterNameOrLink, kubernetesNamespace },
-            false,
+      if (this.hasCluster) {
+        if (this.kubernetesNamespace) {
+          return __(
+            'This job is deployed to %{environmentLink} using cluster %{clusterNameOrLink} and namespace %{kubernetesNamespace}.',
           );
         }
         // we know the cluster but not the namespace
-        return sprintf(
-          __('This job is deployed to %{environmentLink} using cluster %{clusterNameOrLink}.'),
-          { environmentLink, clusterNameOrLink },
-          false,
-        );
+        return __('This job is deployed to %{environmentLink} using cluster %{clusterNameOrLink}.');
       }
       // not a cluster deployment
-      return sprintf(__('This job is deployed to %{environmentLink}.'), { environmentLink }, false);
+      return __('This job is deployed to %{environmentLink}.');
     },
     outOfDateEnvironmentMessage() {
-      const {
-        hasLastDeployment,
-        hasCluster,
-        environmentLink,
-        clusterNameOrLink,
-        kubernetesNamespace,
-      } = this;
-
-      if (hasLastDeployment) {
-        const deploymentLink = this.deploymentLink(__('most recent deployment'));
-        if (hasCluster) {
-          if (kubernetesNamespace) {
-            return sprintf(
-              __(
-                'This job is an out-of-date deployment to %{environmentLink} using cluster %{clusterNameOrLink} and namespace %{kubernetesNamespace}. View the %{deploymentLink}.',
-              ),
-              { environmentLink, clusterNameOrLink, kubernetesNamespace, deploymentLink },
-              false,
+      if (this.hasLastDeployment) {
+        if (this.hasCluster) {
+          if (this.kubernetesNamespace) {
+            return __(
+              'This job is an out-of-date deployment to %{environmentLink} using cluster %{clusterNameOrLink} and namespace %{kubernetesNamespace}. View the %{deploymentLink}.',
             );
           }
           // we know the cluster but not the namespace
-          return sprintf(
-            __(
-              'This job is an out-of-date deployment to %{environmentLink} using cluster %{clusterNameOrLink}. View the %{deploymentLink}.',
-            ),
-            { environmentLink, clusterNameOrLink, deploymentLink },
-            false,
+          return __(
+            'This job is an out-of-date deployment to %{environmentLink} using cluster %{clusterNameOrLink}. View the %{deploymentLink}.',
           );
         }
         // not a cluster deployment
-        return sprintf(
-          __(
-            'This job is an out-of-date deployment to %{environmentLink}. View the %{deploymentLink}.',
-          ),
-          { environmentLink, deploymentLink },
-          false,
+        return __(
+          'This job is an out-of-date deployment to %{environmentLink}. View the %{deploymentLink}.',
         );
       }
       // no last deployment, i.e. this is the first deployment
-      if (hasCluster) {
-        if (kubernetesNamespace) {
-          return sprintf(
-            __(
-              'This job is an out-of-date deployment to %{environmentLink} using cluster %{clusterNameOrLink} and namespace %{kubernetesNamespace}.',
-            ),
-            { environmentLink, clusterNameOrLink, kubernetesNamespace },
-            false,
+      if (this.hasCluster) {
+        if (this.kubernetesNamespace) {
+          return __(
+            'This job is an out-of-date deployment to %{environmentLink} using cluster %{clusterNameOrLink} and namespace %{kubernetesNamespace}.',
           );
         }
         // we know the cluster but not the namespace
-        return sprintf(
-          __(
-            'This job is an out-of-date deployment to %{environmentLink} using cluster %{clusterNameOrLink}.',
-          ),
-          { environmentLink, clusterNameOrLink },
-          false,
+        return __(
+          'This job is an out-of-date deployment to %{environmentLink} using cluster %{clusterNameOrLink}.',
         );
       }
       // not a cluster deployment
-      return sprintf(
-        __('This job is an out-of-date deployment to %{environmentLink}.'),
-        { environmentLink },
-        false,
-      );
+      return __('This job is an out-of-date deployment to %{environmentLink}.');
     },
     creatingEnvironmentMessage() {
-      const {
-        hasLastDeployment,
-        hasCluster,
-        environmentLink,
-        clusterNameOrLink,
-        kubernetesNamespace,
-      } = this;
-
-      if (hasLastDeployment) {
-        const deploymentLink = this.deploymentLink(__('latest deployment'));
-        if (hasCluster) {
-          if (kubernetesNamespace) {
-            return sprintf(
-              __(
-                'This job is creating a deployment to %{environmentLink} using cluster %{clusterNameOrLink} and namespace %{kubernetesNamespace}. This will overwrite the %{deploymentLink}.',
-              ),
-              { environmentLink, clusterNameOrLink, kubernetesNamespace, deploymentLink },
-              false,
+      if (this.hasLastDeployment) {
+        if (this.hasCluster) {
+          if (this.kubernetesNamespace) {
+            return __(
+              'This job is creating a deployment to %{environmentLink} using cluster %{clusterNameOrLink} and namespace %{kubernetesNamespace}. This will overwrite the %{deploymentLink}.',
             );
           }
           // we know the cluster but not the namespace
-          return sprintf(
-            __(
-              'This job is creating a deployment to %{environmentLink} using cluster %{clusterNameOrLink}. This will overwrite the %{deploymentLink}.',
-            ),
-            { environmentLink, clusterNameOrLink, deploymentLink },
-            false,
+          return __(
+            'This job is creating a deployment to %{environmentLink} using cluster %{clusterNameOrLink}. This will overwrite the %{deploymentLink}.',
           );
         }
         // not a cluster deployment
-        return sprintf(
-          __(
-            'This job is creating a deployment to %{environmentLink}. This will overwrite the %{deploymentLink}.',
-          ),
-          { environmentLink, deploymentLink },
-          false,
+        return __(
+          'This job is creating a deployment to %{environmentLink}. This will overwrite the %{deploymentLink}.',
         );
       }
       // no last deployment, i.e. this is the first deployment
-      if (hasCluster) {
-        if (kubernetesNamespace) {
-          return sprintf(
-            __(
-              'This job is creating a deployment to %{environmentLink} using cluster %{clusterNameOrLink} and namespace %{kubernetesNamespace}.',
-            ),
-            { environmentLink, clusterNameOrLink, kubernetesNamespace },
-            false,
+      if (this.hasCluster) {
+        if (this.kubernetesNamespace) {
+          return __(
+            'This job is creating a deployment to %{environmentLink} using cluster %{clusterNameOrLink} and namespace %{kubernetesNamespace}.',
           );
         }
         // we know the cluster but not the namespace
-        return sprintf(
-          __(
-            'This job is creating a deployment to %{environmentLink} using cluster %{clusterNameOrLink}.',
-          ),
-          { environmentLink, clusterNameOrLink },
-          false,
+        return __(
+          'This job is creating a deployment to %{environmentLink} using cluster %{clusterNameOrLink}.',
         );
       }
       // not a cluster deployment
-      return sprintf(
-        __('This job is creating a deployment to %{environmentLink}.'),
-        { environmentLink },
-        false,
-      );
+      return __('This job is creating a deployment to %{environmentLink}.');
     },
   },
 };
@@ -277,7 +182,37 @@ export default {
   <div class="gl-mt-3 gl-mb-3 js-environment-container">
     <div class="environment-information">
       <ci-icon :status="iconStatus" />
-      <p class="inline gl-mb-0" v-html="environment"></p>
+      <p class="inline gl-mb-0">
+        <gl-sprintf :message="environment">
+          <template #environmentLink>
+            <gl-link
+              v-if="hasEnvironment"
+              :href="environmentLink.link"
+              data-testid="job-environment-link"
+              v-text="environmentLink.name"
+            />
+          </template>
+          <template #clusterNameOrLink>
+            <gl-link
+              v-if="clusterNameOrLink.path"
+              :href="clusterNameOrLink.path"
+              data-testid="job-cluster-link"
+              v-text="clusterNameOrLink.name"
+            />
+            <template v-else>{{ clusterNameOrLink.name }}</template>
+          </template>
+          <template #kubernetesNamespace>
+            <template>{{ kubernetesNamespace }}</template>
+          </template>
+          <template #deploymentLink>
+            <gl-link
+              :href="deploymentLink.path"
+              data-testid="job-deployment-link"
+              v-text="deploymentLink.name"
+            />
+          </template>
+        </gl-sprintf>
+      </p>
     </div>
   </div>
 </template>
diff --git a/app/assets/javascripts/jobs/components/stuck_block.vue b/app/assets/javascripts/jobs/components/stuck_block.vue
index 9aa98525a4f..8e8202246a2 100644
--- a/app/assets/javascripts/jobs/components/stuck_block.vue
+++ b/app/assets/javascripts/jobs/components/stuck_block.vue
@@ -1,10 +1,13 @@
 <script>
-import { GlLink } from '@gitlab/ui';
+import { GlAlert, GlBadge, GlLink } from '@gitlab/ui';
+import { s__ } from '../../locale';
 /**
  * Renders Stuck Runners block for job's view.
  */
 export default {
   components: {
+    GlAlert,
+    GlBadge,
     GlLink,
   },
   props: {
@@ -22,40 +25,50 @@ export default {
       required: true,
     },
   },
+  computed: {
+    hasNoRunnersWithCorrespondingTags() {
+      return this.tags.length > 0;
+    },
+    stuckData() {
+      if (this.hasNoRunnersWithCorrespondingTags) {
+        return {
+          text: s__(`Job|This job is stuck because you don't have
+                any active runners online or available with any of these tags assigned to them:`),
+          dataTestId: 'job-stuck-with-tags',
+          showTags: true,
+        };
+      } else if (this.hasNoRunnersForProject) {
+        return {
+          text: s__(`Job|This job is stuck because the project
+                doesn't have any runners online assigned to it.`),
+          dataTestId: 'job-stuck-no-runners',
+          showTags: false,
+        };
+      }
+
+      return {
+        text: s__(`Job|This job is stuck because you don't
+              have any active runners that can run this job.`),
+        dataTestId: 'job-stuck-no-active-runners',
+        showTags: false,
+      };
+    },
+  },
 };
 </script>
 <template>
-  <div class="bs-callout bs-callout-warning">
-    <p v-if="tags.length" class="gl-mb-0" data-testid="job-stuck-with-tags">
-      {{
-        s__(`This job is stuck because you don't have
-  any active runners online or available with any of these tags assigned to them:`)
-      }}
-      <span
-        v-for="(tag, index) in tags"
-        :key="index"
-        class="badge badge-primary gl-mr-2"
-        data-testid="badge"
-      >
-        {{ tag }}
-      </span>
+  <gl-alert variant="warning" :dismissible="false">
+    <p class="gl-mb-0" :data-testid="stuckData.dataTestId">
+      {{ stuckData.text }}
+      <template v-if="stuckData.showTags">
+        <gl-badge v-for="tag in tags" :key="tag" variant="info">
+          {{ tag }}
+        </gl-badge>
+      </template>
     </p>
-    <p v-else-if="hasNoRunnersForProject" class="gl-mb-0" data-testid="job-stuck-no-runners">
-      {{
-        s__(`Job|This job is stuck because the project
-  doesn't have any runners online assigned to it.`)
-      }}
-    </p>
-    <p v-else class="gl-mb-0" data-testid="job-stuck-no-active-runners">
-      {{
-        s__(`This job is stuck because you don't
-  have any active runners that can run this job.`)
-      }}
-    </p>
-
     {{ __('Go to project') }}
     <gl-link v-if="runnersPath" :href="runnersPath">
       {{ __('CI settings') }}
     </gl-link>
-  </div>
+  </gl-alert>
 </template>
diff --git a/app/assets/javascripts/snippets/components/snippet_header.vue b/app/assets/javascripts/snippets/components/snippet_header.vue
index be4efd10e45..feae17ccc23 100644
--- a/app/assets/javascripts/snippets/components/snippet_header.vue
+++ b/app/assets/javascripts/snippets/components/snippet_header.vue
@@ -68,6 +68,11 @@ export default {
     snippetHasBinary() {
       return Boolean(this.snippet.blobs.find(blob => blob.binary));
     },
+    authoredMessage() {
+      return this.snippet.author
+        ? __('Authored %{timeago} by %{author}')
+        : __('Authored %{timeago}');
+    },
     personalSnippetActions() {
       return [
         {
@@ -178,8 +183,8 @@ export default {
         </span>
         <gl-icon :name="visibilityLevelIcon" :size="14" />
       </div>
-      <div class="creator">
-        <gl-sprintf :message="__('Authored %{timeago} by %{author}')">
+      <div class="creator" data-testid="authored-message">
+        <gl-sprintf :message="authoredMessage">
           <template #timeago>
             <time-ago-tooltip
               :time="snippet.createdAt"
diff --git a/app/controllers/concerns/enforces_two_factor_authentication.rb b/app/controllers/concerns/enforces_two_factor_authentication.rb
index 6c443611a60..f1dd46648f1 100644
--- a/app/controllers/concerns/enforces_two_factor_authentication.rb
+++ b/app/controllers/concerns/enforces_two_factor_authentication.rb
@@ -12,10 +12,17 @@ module EnforcesTwoFactorAuthentication
 
   included do
     before_action :check_two_factor_requirement
-    helper_method :two_factor_grace_period_expired?, :two_factor_skippable?
+
+    # to include this in controllers inheriting from `ActionController::Metal`
+    # we need to add this block
+    if respond_to?(:helper_method)
+      helper_method :two_factor_grace_period_expired?, :two_factor_skippable?
+    end
   end
 
   def check_two_factor_requirement
+    return unless respond_to?(:current_user)
+
     if two_factor_authentication_required? && current_user_requires_two_factor?
       redirect_to profile_two_factor_auth_path
     end
diff --git a/app/controllers/oauth/applications_controller.rb b/app/controllers/oauth/applications_controller.rb
index 6532501733a..8158db282fb 100644
--- a/app/controllers/oauth/applications_controller.rb
+++ b/app/controllers/oauth/applications_controller.rb
@@ -2,7 +2,6 @@
 
 class Oauth::ApplicationsController < Doorkeeper::ApplicationsController
   include Gitlab::GonHelper
-  include Gitlab::Allowable
   include PageLayoutHelper
   include OauthApplications
   include Gitlab::Experimentation::ControllerConcern
@@ -19,8 +18,6 @@ class Oauth::ApplicationsController < Doorkeeper::ApplicationsController
 
   around_action :set_locale
 
-  helper_method :can?
-
   layout 'profile'
 
   def index
diff --git a/app/controllers/oauth/authorizations_controller.rb b/app/controllers/oauth/authorizations_controller.rb
index f6ad2bf5312..6e8686ee90b 100644
--- a/app/controllers/oauth/authorizations_controller.rb
+++ b/app/controllers/oauth/authorizations_controller.rb
@@ -4,7 +4,7 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
   include Gitlab::Experimentation::ControllerConcern
   include InitializesCurrentUserMode
 
-  before_action :verify_confirmed_email!, only: [:new]
+  before_action :verify_confirmed_email!
 
   layout 'profile'
 
diff --git a/app/controllers/oauth/authorized_applications_controller.rb b/app/controllers/oauth/authorized_applications_controller.rb
index addec71f0bf..3f476c0d717 100644
--- a/app/controllers/oauth/authorized_applications_controller.rb
+++ b/app/controllers/oauth/authorized_applications_controller.rb
@@ -16,7 +16,7 @@ class Oauth::AuthorizedApplicationsController < Doorkeeper::AuthorizedApplicatio
     if params[:token_id].present?
       current_resource_owner.oauth_authorized_tokens.find(params[:token_id]).revoke
     else
-      Doorkeeper::AccessToken.revoke_all_for(params[:id], current_resource_owner)
+      Doorkeeper::Application.revoke_tokens_and_grants_for(params[:id], current_resource_owner)
     end
 
     redirect_to applications_profile_url,
diff --git a/app/controllers/oauth/token_info_controller.rb b/app/controllers/oauth/token_info_controller.rb
index 492c24b53b1..e37f8992d92 100644
--- a/app/controllers/oauth/token_info_controller.rb
+++ b/app/controllers/oauth/token_info_controller.rb
@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class Oauth::TokenInfoController < Doorkeeper::TokenInfoController
+  include EnforcesTwoFactorAuthentication
+
   def show
     if doorkeeper_token && doorkeeper_token.accessible?
       token_json = doorkeeper_token.as_json
diff --git a/app/controllers/oauth/tokens_controller.rb b/app/controllers/oauth/tokens_controller.rb
new file mode 100644
index 00000000000..012fa318eea
--- /dev/null
+++ b/app/controllers/oauth/tokens_controller.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class Oauth::TokensController < Doorkeeper::TokensController
+  include EnforcesTwoFactorAuthentication
+end
diff --git a/app/controllers/repositories/lfs_storage_controller.rb b/app/controllers/repositories/lfs_storage_controller.rb
index ec5ca5bbeec..0436b740979 100644
--- a/app/controllers/repositories/lfs_storage_controller.rb
+++ b/app/controllers/repositories/lfs_storage_controller.rb
@@ -73,9 +73,8 @@ module Repositories
     # rubocop: enable CodeReuse/ActiveRecord
 
     def create_file!(oid, size)
-      uploaded_file = UploadedFile.from_params(
-        params, :file, LfsObjectUploader.workhorse_local_upload_path)
-      return unless uploaded_file
+      uploaded_file = params[:file]
+      return unless uploaded_file.is_a?(UploadedFile)
 
       LfsObject.create!(oid: oid, size: size, file: uploaded_file)
     end
diff --git a/app/helpers/issuables_helper.rb b/app/helpers/issuables_helper.rb
index 62bdae39a37..095a5392aa1 100644
--- a/app/helpers/issuables_helper.rb
+++ b/app/helpers/issuables_helper.rb
@@ -29,7 +29,7 @@ module IssuablesHelper
   def sidebar_milestone_tooltip_label(milestone)
     return _('Milestone') unless milestone.present?
 
-    [milestone[:title], sidebar_milestone_remaining_days(milestone) || _('Milestone')].join('<br/>')
+    [escape_once(milestone[:title]), sidebar_milestone_remaining_days(milestone) || _('Milestone')].join('<br/>')
   end
 
   def sidebar_milestone_remaining_days(milestone)
diff --git a/app/mailers/emails/members.rb b/app/mailers/emails/members.rb
index 06d2219d6a9..07ce9bba784 100644
--- a/app/mailers/emails/members.rb
+++ b/app/mailers/emails/members.rb
@@ -13,6 +13,8 @@ module Emails
       @member_source_type = member_source_type
       @member_id = member_id
 
+      return unless member_exists?
+
       user = User.find(recipient_id)
 
       member_email_with_layout(
@@ -24,6 +26,8 @@ module Emails
       @member_source_type = member_source_type
       @member_id = member_id
 
+      return unless member_exists?
+
       member_email_with_layout(
         to: member.user.notification_email_for(notification_group),
         subject: subject("Access to the #{member_source.human_name} #{member_source.model_name.singular} was granted"))
@@ -45,6 +49,8 @@ module Emails
       @member_id = member_id
       @token = token
 
+      return unless member_exists?
+
       member_email_with_layout(
         to: member.invite_email,
         subject: subject("Invitation to join the #{member_source.human_name} #{member_source.model_name.singular}"))
@@ -53,6 +59,8 @@ module Emails
     def member_invite_accepted_email(member_source_type, member_id)
       @member_source_type = member_source_type
       @member_id = member_id
+
+      return unless member_exists?
       return unless member.created_by
 
       member_email_with_layout(
@@ -74,9 +82,11 @@ module Emails
         subject: subject('Invitation declined'))
     end
 
+    # rubocop: disable CodeReuse/ActiveRecord
     def member
-      @member ||= Member.find(@member_id)
+      @member ||= Member.find_by(id: @member_id)
     end
+    # rubocop: enable CodeReuse/ActiveRecord
 
     def member_source
       @member_source ||= member.source
@@ -88,6 +98,11 @@ module Emails
 
     private
 
+    def member_exists?
+      Gitlab::AppLogger.info("Tried to send an email invitation for a deleted group. Member id: #{@member_id}") if member.blank?
+      member.present?
+    end
+
     def member_source_class
       @member_source_type.classify.constantize
     end
diff --git a/app/models/clusters/applications/runner.rb b/app/models/clusters/applications/runner.rb
index 9f2ce09e9c0..2935ba46666 100644
--- a/app/models/clusters/applications/runner.rb
+++ b/app/models/clusters/applications/runner.rb
@@ -3,7 +3,7 @@
 module Clusters
   module Applications
     class Runner < ApplicationRecord
-      VERSION = '0.19.1'
+      VERSION = '0.19.2'
 
       self.table_name = 'clusters_applications_runners'
 
diff --git a/app/models/clusters/cluster.rb b/app/models/clusters/cluster.rb
index 7641b6d2a4b..874b0bc9646 100644
--- a/app/models/clusters/cluster.rb
+++ b/app/models/clusters/cluster.rb
@@ -218,6 +218,24 @@ module Clusters
       provider&.status_name || connection_status.presence || :created
     end
 
+    def connection_error
+      with_reactive_cache do |data|
+        data[:connection_error]
+      end
+    end
+
+    def node_connection_error
+      with_reactive_cache do |data|
+        data[:node_connection_error]
+      end
+    end
+
+    def metrics_connection_error
+      with_reactive_cache do |data|
+        data[:metrics_connection_error]
+      end
+    end
+
     def connection_status
       with_reactive_cache do |data|
         data[:connection_status]
@@ -233,9 +251,7 @@ module Clusters
     def calculate_reactive_cache
       return unless enabled?
 
-      gitlab_kubernetes_nodes = Gitlab::Kubernetes::Node.new(self)
-
-      { connection_status: retrieve_connection_status, nodes: gitlab_kubernetes_nodes.all.presence }
+      connection_data.merge(Gitlab::Kubernetes::Node.new(self).all)
     end
 
     def persisted_applications
@@ -395,9 +411,10 @@ module Clusters
       @instance_domain ||= Gitlab::CurrentSettings.auto_devops_domain
     end
 
-    def retrieve_connection_status
+    def connection_data
       result = ::Gitlab::Kubernetes::KubeClient.graceful_request(id) { kubeclient.core_client.discover }
-      result[:status]
+
+      { connection_status: result[:status], connection_error: result[:connection_error] }.compact
     end
 
     # To keep backward compatibility with AUTO_DEVOPS_DOMAIN
diff --git a/app/serializers/cluster_entity.rb b/app/serializers/cluster_entity.rb
index a46f2889a96..06e14179238 100644
--- a/app/serializers/cluster_entity.rb
+++ b/app/serializers/cluster_entity.rb
@@ -20,4 +20,8 @@ class ClusterEntity < Grape::Entity
   expose :gitlab_managed_apps_logs_path do |cluster|
     Clusters::ClusterPresenter.new(cluster, current_user: request.current_user).gitlab_managed_apps_logs_path # rubocop: disable CodeReuse/Presenter
   end
+
+  expose :kubernetes_errors do |cluster|
+    ClusterErrorEntity.new(cluster)
+  end
 end
diff --git a/app/serializers/cluster_error_entity.rb b/app/serializers/cluster_error_entity.rb
new file mode 100644
index 00000000000..c749537cb94
--- /dev/null
+++ b/app/serializers/cluster_error_entity.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class ClusterErrorEntity < Grape::Entity
+  expose :connection_error
+  expose :metrics_connection_error
+  expose :node_connection_error
+end
diff --git a/app/serializers/cluster_serializer.rb b/app/serializers/cluster_serializer.rb
index 92363a4942c..a70458d2bcb 100644
--- a/app/serializers/cluster_serializer.rb
+++ b/app/serializers/cluster_serializer.rb
@@ -11,6 +11,7 @@ class ClusterSerializer < BaseSerializer
         :enabled,
         :environment_scope,
         :gitlab_managed_apps_logs_path,
+        :kubernetes_errors,
         :name,
         :nodes,
         :path,
diff --git a/app/services/authorized_project_update/project_group_link_create_service.rb b/app/services/authorized_project_update/project_group_link_create_service.rb
index db2db091374..090b22a7820 100644
--- a/app/services/authorized_project_update/project_group_link_create_service.rb
+++ b/app/services/authorized_project_update/project_group_link_create_service.rb
@@ -6,9 +6,10 @@ module AuthorizedProjectUpdate
 
     BATCH_SIZE = 1000
 
-    def initialize(project, group)
+    def initialize(project, group, group_access = nil)
       @project = project
       @group = group
+      @group_access = group_access
     end
 
     def execute
@@ -19,19 +20,20 @@ module AuthorizedProjectUpdate
         user_ids_to_delete = []
 
         members.each do |member|
+          new_access_level = access_level(member.access_level)
           existing_access_level = existing_authorizations[member.user_id]
 
           if existing_access_level
             # User might already have access to the project unrelated to the
             # current project share
-            next if existing_access_level >= member.access_level
+            next if existing_access_level >= new_access_level
 
             user_ids_to_delete << member.user_id
           end
 
           authorizations_to_create << { user_id: member.user_id,
                                         project_id: project.id,
-                                        access_level: member.access_level }
+                                        access_level: new_access_level }
         end
 
         update_authorizations(user_ids_to_delete, authorizations_to_create)
@@ -42,7 +44,15 @@ module AuthorizedProjectUpdate
 
     private
 
-    attr_reader :project, :group
+    attr_reader :project, :group, :group_access
+
+    def access_level(membership_access_level)
+      return membership_access_level unless group_access
+
+      # access level must not be higher than the max access level set when
+      # creating the project share
+      [membership_access_level, group_access].min
+    end
 
     def existing_project_authorizations(members)
       user_ids = members.map(&:user_id)
diff --git a/app/services/groups/transfer_service.rb b/app/services/groups/transfer_service.rb
index 885f5c1edd0..22d7a0a99db 100644
--- a/app/services/groups/transfer_service.rb
+++ b/app/services/groups/transfer_service.rb
@@ -37,6 +37,7 @@ module Groups
 
     # Overridden in EE
     def post_update_hooks(updated_project_ids)
+      refresh_project_authorizations
     end
 
     def ensure_allowed_transfer
@@ -136,6 +137,16 @@ module Groups
       @group.add_owner(current_user)
     end
 
+    def refresh_project_authorizations
+      ProjectAuthorization.where(project_id: @group.all_projects.select(:id)).delete_all # rubocop: disable CodeReuse/ActiveRecord
+
+      # refresh authorized projects for current_user immediately
+      current_user.refresh_authorized_projects
+
+      # schedule refreshing projects for all the members of the group
+      @group.refresh_members_authorized_projects
+    end
+
     def raise_transfer_error(message)
       raise TransferError, localized_error_messages[message]
     end
diff --git a/app/services/projects/group_links/create_service.rb b/app/services/projects/group_links/create_service.rb
index 3c3cab26fb5..3fcc721fe65 100644
--- a/app/services/projects/group_links/create_service.rb
+++ b/app/services/projects/group_links/create_service.rb
@@ -13,7 +13,7 @@ module Projects
         )
 
         if link.save
-          setup_authorizations(group)
+          setup_authorizations(group, link.group_access)
           success(link: link)
         else
           error(link.errors.full_messages.to_sentence, 409)
@@ -22,9 +22,10 @@ module Projects
 
       private
 
-      def setup_authorizations(group)
+      def setup_authorizations(group, group_access = nil)
         if Feature.enabled?(:specialized_project_authorization_project_share_worker)
-          AuthorizedProjectUpdate::ProjectGroupLinkCreateWorker.perform_async(project.id, group.id)
+          AuthorizedProjectUpdate::ProjectGroupLinkCreateWorker.perform_async(
+            project.id, group.id, group_access)
 
           # AuthorizedProjectsWorker uses an exclusive lease per user but
           # specialized workers might have synchronization issues. Until we
diff --git a/app/validators/json_schemas/security_ci_configuration_schemas/sast_ui_schema.json b/app/validators/json_schemas/security_ci_configuration_schemas/sast_ui_schema.json
index 1154a4c45b8..cce2b28529f 100644
--- a/app/validators/json_schemas/security_ci_configuration_schemas/sast_ui_schema.json
+++ b/app/validators/json_schemas/security_ci_configuration_schemas/sast_ui_schema.json
@@ -15,7 +15,7 @@
             "value": ""
         },
         {
-            "field" : "SECURE_ANALYZER_IMAGE_TAG",
+            "field" : "SAST_ANALYZER_IMAGE_TAG",
             "label" : "Image tag",
             "type": "string",
             "options": [],
diff --git a/app/workers/authorized_project_update/project_group_link_create_worker.rb b/app/workers/authorized_project_update/project_group_link_create_worker.rb
index 5fb59efaacb..dd24a9602bb 100644
--- a/app/workers/authorized_project_update/project_group_link_create_worker.rb
+++ b/app/workers/authorized_project_update/project_group_link_create_worker.rb
@@ -10,12 +10,13 @@ module AuthorizedProjectUpdate
 
     idempotent!
 
-    def perform(project_id, group_id)
+    def perform(project_id, group_id, group_access = nil)
       project = Project.find(project_id)
       group = Group.find(group_id)
 
-      AuthorizedProjectUpdate::ProjectGroupLinkCreateService.new(project, group)
-                                                            .execute
+      AuthorizedProjectUpdate::ProjectGroupLinkCreateService
+        .new(project, group, group_access)
+        .execute
     end
   end
 end
diff --git a/app/workers/authorized_projects_worker.rb b/app/workers/authorized_projects_worker.rb
index 62eea8e0462..f5132459131 100644
--- a/app/workers/authorized_projects_worker.rb
+++ b/app/workers/authorized_projects_worker.rb
@@ -16,6 +16,9 @@ class AuthorizedProjectsWorker
   if Rails.env.test?
     def self.bulk_perform_and_wait(args_list, timeout: 10)
     end
+
+    def self.bulk_perform_inline(args_list)
+    end
   end
 
   # rubocop: disable CodeReuse/ActiveRecord
diff --git a/changelogs/unreleased/213289-remove-uploaded-file-call-from-lfs-storage-controller.yml b/changelogs/unreleased/213289-remove-uploaded-file-call-from-lfs-storage-controller.yml
new file mode 100644
index 00000000000..4f79d23351a
--- /dev/null
+++ b/changelogs/unreleased/213289-remove-uploaded-file-call-from-lfs-storage-controller.yml
@@ -0,0 +1,5 @@
+---
+title: Use the uploaded file set by middleware in Repositories::LfsStorageController
+merge_request: 38167
+author:
+type: changed
diff --git a/changelogs/unreleased/220303-public-snippet.yml b/changelogs/unreleased/220303-public-snippet.yml
new file mode 100644
index 00000000000..53c1da717af
--- /dev/null
+++ b/changelogs/unreleased/220303-public-snippet.yml
@@ -0,0 +1,5 @@
+---
+title: Display authored message correctly on public snippets viewed by unauthenticated users
+merge_request: 38614
+author:
+type: fixed
diff --git a/changelogs/unreleased/230734-change-stuck_block-component-to-use-glbadge.yml b/changelogs/unreleased/230734-change-stuck_block-component-to-use-glbadge.yml
new file mode 100644
index 00000000000..55dbc092802
--- /dev/null
+++ b/changelogs/unreleased/230734-change-stuck_block-component-to-use-glbadge.yml
@@ -0,0 +1,5 @@
+---
+title: Change the job stuck page to use UI library components
+merge_request: 38618
+author:
+type: changed
diff --git a/changelogs/unreleased/rc-add_dashboard_path_to_prometheus_metrics.yml b/changelogs/unreleased/rc-add_dashboard_path_to_prometheus_metrics.yml
new file mode 100644
index 00000000000..10564b87012
--- /dev/null
+++ b/changelogs/unreleased/rc-add_dashboard_path_to_prometheus_metrics.yml
@@ -0,0 +1,5 @@
+---
+title: Add dashboard_path to PrometheusMetric
+merge_request: 38237
+author:
+type: added
diff --git a/changelogs/unreleased/sh-update-gitlab-shell.yml b/changelogs/unreleased/sh-update-gitlab-shell.yml
new file mode 100644
index 00000000000..6d3249bc52a
--- /dev/null
+++ b/changelogs/unreleased/sh-update-gitlab-shell.yml
@@ -0,0 +1,5 @@
+---
+title: Update gitlab-shell to v13.5.0
+merge_request: 38720
+author:
+type: added
diff --git a/changelogs/unreleased/update-gitlab-runner-helm-chart-to-0-19-2.yml b/changelogs/unreleased/update-gitlab-runner-helm-chart-to-0-19-2.yml
new file mode 100644
index 00000000000..ee9a3055aaf
--- /dev/null
+++ b/changelogs/unreleased/update-gitlab-runner-helm-chart-to-0-19-2.yml
@@ -0,0 +1,5 @@
+---
+title: Update GitLab Runner Helm Chart to 0.19.2
+merge_request:
+author:
+type: security
diff --git a/config/routes.rb b/config/routes.rb
index fa84b5e50c7..b1ab4ec6bab 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -25,7 +25,8 @@ Rails.application.routes.draw do
     controllers applications: 'oauth/applications',
                 authorized_applications: 'oauth/authorized_applications',
                 authorizations: 'oauth/authorizations',
-                token_info: 'oauth/token_info'
+                token_info: 'oauth/token_info',
+                tokens: 'oauth/tokens'
   end
 
   # This prefixless path is required because Jira gets confused if we set it up with a path
diff --git a/db/migrate/20200729175935_add_dashboard_path_to_prometheus_metrics.rb b/db/migrate/20200729175935_add_dashboard_path_to_prometheus_metrics.rb
new file mode 100644
index 00000000000..0562e8d1c14
--- /dev/null
+++ b/db/migrate/20200729175935_add_dashboard_path_to_prometheus_metrics.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+class AddDashboardPathToPrometheusMetrics < ActiveRecord::Migration[6.0]
+  DOWNTIME = false
+
+  def up
+    # Text limit is added in 20200730210506_add_text_limit_to_dashboard_path
+    add_column :prometheus_metrics, :dashboard_path, :text # rubocop:disable Migration/AddLimitToTextColumns
+  end
+
+  def down
+    remove_column :prometheus_metrics, :dashboard_path
+  end
+end
diff --git a/db/migrate/20200730210506_add_text_limit_to_dashboard_path.rb b/db/migrate/20200730210506_add_text_limit_to_dashboard_path.rb
new file mode 100644
index 00000000000..a236cc68988
--- /dev/null
+++ b/db/migrate/20200730210506_add_text_limit_to_dashboard_path.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class AddTextLimitToDashboardPath < ActiveRecord::Migration[6.0]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    add_text_limit(:prometheus_metrics, :dashboard_path, 2048)
+  end
+
+  def down
+    remove_text_limit(:prometheus_metrics, :dashboard_path)
+  end
+end
diff --git a/db/schema_migrations/20200729175935 b/db/schema_migrations/20200729175935
new file mode 100644
index 00000000000..65aec146116
--- /dev/null
+++ b/db/schema_migrations/20200729175935
@@ -0,0 +1 @@
+5f841d2032b55f01e944c50070a6bb102883c2e4da7ba155fdcf2e90f3b68707
\ No newline at end of file
diff --git a/db/schema_migrations/20200730210506 b/db/schema_migrations/20200730210506
new file mode 100644
index 00000000000..b140941092d
--- /dev/null
+++ b/db/schema_migrations/20200730210506
@@ -0,0 +1 @@
+85eb0a510cdb4b315aef1665f05ad3b93d5d39f4ddfe11ed5ddde63aa732f874
\ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index d3fbf7a202f..991112e8564 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -14657,7 +14657,9 @@ CREATE TABLE public.prometheus_metrics (
     created_at timestamp with time zone NOT NULL,
     updated_at timestamp with time zone NOT NULL,
     common boolean DEFAULT false NOT NULL,
-    identifier character varying
+    identifier character varying,
+    dashboard_path text,
+    CONSTRAINT check_0ad9f01463 CHECK ((char_length(dashboard_path) <= 2048))
 );
 
 CREATE SEQUENCE public.prometheus_metrics_id_seq
diff --git a/doc/api/graphql/img/sample_issue_boards_v13_2.png b/doc/api/graphql/img/sample_issue_boards_v13_2.png
new file mode 100644
index 0000000000000000000000000000000000000000..caa68c820720ab632469444e58ba2825b3075e1d
GIT binary patch
literal 93727
zcmd43XFyZi_UMa^B27S=l!z#ZbdcU`2nd2m?;S*h&^rmzkrL^hsEG6~y@VpYDZPgt
zS_lvbB_!Nz_de(Ceg5y<_rBe`K9Dt6R+(eWImR4gtY3(HrLIJI{nm9NA|gr^<!7&n
zh=}!wh%U2`5)+PidiT%}KCZewQPCzPZ2qLy5rj6gyQ03k7SPt+%fi)$$j%AqXv6Pj
z<!WQ&<n{*Wj=BPqCnCB{r1I>sws+>vyqCYW%}m!m{BByB^$4%ZZ8DWdq|Nq^Ht$3P
z#aK>`d+1G@cpQ1?naq129lSgo9gN65-|4qrCcS_E-i;R<pYOd7iGR{(9iMp&`L4q0
z5r3%+h3!T3$sO|y``8XOIZ)YkCC0~F-oEp<jo<QtfPlCV5gk+5`(Eop`-!owqB6Y7
zq}QZNL0QY0G-_PWEFkNcaIj^_?}*SqG@or1!OwkQo=C$mDz@u^WLi4?`Nc)a5)@AZ
z7?0#AI`RX8gvR-dxd|uZ63S4eE3eH0jyx6!cQ|AF$9-|J+l||GV}u8!K#zx_3onWa
zD07BHw!Hk|+S=Oh77srWdUX6F^%dcIjhdFmSk-`|@kt-TeYUon2v_}e)8Bo>C1)P<
z@bHLvl`11d>FMd22L-wQCg$!FM!kk)l2>kuY6aR4l3wJ#{`<#TWZc<i13=5d!eUL7
z<8PO7U!AWXsdh(v_{ZsgUd(O2l}C;;mh#-uUlaY6-(Z%WL+BV(Ex?N{g`gr-!(Sct
zGJ%_P=MuhZEd5ItCjZhx>9*cT7OzSFiud3aulXN}@0~;y;tB~8n*9ITDKja><kj1Z
zp-x%~K7DExN>fuOXUW%{ANK%(<fo^lR@c_F^tF{WHEBXa6^TyHX7;L2Ez#99Hx@N&
zBS<e_zC8E#eAl$GUsAhBw*+lk{dQa$rSp&7`5H6`IkP3B_u%5p3|D6{HjxA?M15#U
zLDPNF_OxM_a!tHKLgjq8q50s!15yf#yLa!VZfx8y*5#F#mnXW($Y@nNOBk2WpFRa1
zZENlC?cJ7?jL6Tw9~2Zcx9pwx9|Ms)qGNEXbTKpgfFfs?pP|siDC7F|>ocCf&&nh`
z0s^+Eh31>|^fYYqSsy=|pW|=^=kFfp2L!)q5V(JTu_rFa+Sb;*YC0k&rlg*U^WWp>
zTKUVX)SaI?zj>L^XWQiD<VuH0fsv6BQZllo@1yaNF)?k!!_*x@g`fwSAYcOqjph^=
zPaaj5iTU{P2I0J^YF@VRj$dotf1fme&Vo{9oclb4M?nF0kalD98C7_&<7^EL6O*!~
zrDd}dPDXpnp~cM9bZB>elQ0;+@-zTVO-(a$wlx3Vygtk5HRv|W=(W~=Gc6(5$S*;H
zq$^!9&y<uBK7Rc9BMElqmH)jIwPbOJgX4WqkFvPq%rh00$XQlc<KeuA@qgH68QS#U
zW+DMznB;TNme)OfI<8?;(z1PK8n(o4){=AXVQp&4-sp+^q5+k^N=$6Qq>f?`^ZKei
zRy4Z+iH>fcoz3|E{h{yiZcJGjFoo6Y@#9NM5cb@!U$5Fr0fE4v;NX2UdbG*w3udVC
zpT;qAL>5@E(8&-j4MqrWjc<7w!xK|d?1(&|H^vK1Udgahi95~p@Z@DaF*m=R#P~GR
zEVHx-eQ+>UVa1I*ySKEqHeS#Tg+hnlUm+pAe*KP+&<$#8hyZv+j;6AyDYL0b*451|
zGCKP1?c0yg3%zJ|diqcp44jwAU1(zVU#2pf+d|&guR_*6ABp8QS;ZLjo*DNFQ4mHp
zB4XpYwY7ChG>52Y!qaf7xWqBWgx<09>ulD?yYnX}CpTDFX6>=EX*=_cDa*^2zL=fq
z!lQ>M<miMC<6lD<H&o#?FKuGH`Q)g@O|iiJCA+Nm4FG_JX8w*)^bAU^Apdmt=H#TN
zrlx)g0~M>}&w_5V*RKiEe=?G#=C&lhdeyvkRt#k#gi3<ztg^3Y{?k8+tNk&<5Nuv^
z`x?)T^NWk4O&Uj3UcA^ElX-rNj+J!)gPbKJC-3O!$kD?1>@7Zi^7LtiVM$gcEFq?2
z={7factk{mZb_aG5D?zc_W5bJp&aU8rZFP*M}KUfw09fa6sO7RfpE~BoIAp4YGPjT
z?mCu11VhCj;c)wIvyvicxS5ge_Lj^2|L~rrFaGFXiUpHL%T1-~t=M96a&jsE6CuuJ
zrB|9qOgd&Fz_I=hg>!W-R|pCdyRd8l!Rn7Pw!O9|V#FLKZcLZ3EG#StKp|lUK%Xr^
zGZVXm>3J^^prD6OdPQjGFVtAUK%M#3`N5YZ;B%xzGkm4k>(Ge3{)qp&o%|3Ep$+<B
zG*rpxgXtLGks=NTV}VX`9ks|=;1_E5<)+|@Gv-o1Te)DMZzxN+#0VTm<F$a5S|<mr
zw`~6MSYK;#YnM4cX)Gj22v^efGDZrlyecuQ9`YM6)FG@g|JwB$@PX5}n4}Gbu}#nU
zD!Qh`w6TrVyXDT5)d*nY{J5h(O_pb*nr#rTNRe#?lT<~1_|Ts3JC~o|lJNCl%T%#>
zCO_YN^jpk8n%kAKX3VW?*RD~X4VJ)-;npI*_(dw)yvpkQ<qJFV^R@KGinfo*n1A@_
zne|u0>XRMH>XUixpxyZ!cP7C5e8&ptD<l~PumYrnw?B?|?r_p;T2r@iA^R9*J*2wr
zFp1vn-Rrdz6<^S;2c1&2;N7qJH7Pl-9f6md?!p-WdfV76S(F&d+sANwQ$vtH$>~|k
zwzsRjMMl@8J#MSRJ?EHy+_7xlhP6<qXu_w=u=;J*@xOMrVr5V=qqV%FJ_kss!@=Z0
z(HUb0QNrk?1=I62`tpfm<PP>!RQ`NNN!MwveJHwPH6>^q4rQOmjsQ=X)ub-`xsHz<
zRxl=0Ug@cQjckT3AWZGC+qhg5Y3k8^;JoXDWM5oUR@BKx$F=ivTV5HA?MJPvx)-l}
ze{lU2^tp`4l1SQ*#8cLq)qDWI%;+d$-alUormnwNK#s_x#C0ge{)B-qq`CbEGafb1
z_!tqHfljZfCiAUlx((Y*6i=7v!%jiU%A^?*z;AZL*#dGP=Z2Mb?ITH#G9ihcbkKO$
zxv!{eyMBYrabD)&CTgJrM~<j4@0Tpyne92F=c0hDIKrH4kyDRpg5P%A_gVS*QiVvy
z%%=BzRrQrB@rwR(hg8;sB0+uI%xB@DpK-~y9wZOF-n<JV{Z!F{HhInU0I{}gs?)8}
zA3NNVf@J>g<L^;9(7HMudjyfVcqk7ml?VQ@oc}%8A$ZU~BZxnv9+^_qd7T9lC42D9
zS`l`9)&Y2tLBA<0R*MPh8wyb3x&M6y<sgSYD^PI7_hWfH*o&vtto4NgNV;4WPM*bI
zHdesL?)vEnT8oIG!)ueR7ko_{u>jd46JpQSTMQa74ziG0zMHIr))yF^0eIbqQ#Ui4
zv1;nQ6Q~CF7f#IVdxMf`g=Z7}(PI76KHrJ9hgqiVqCe?*z|MtKv(I?Jexga4BCQNB
zVDIxr;KZ2or#l)(o##hIsTW;E(G3`s?0)#K5Fcqr_@+t`E7Wg5OSQ7R{05zQwV^N}
zhA{I;3V($y{i*CIIe+VwzJ5<Qz`r%VGb&BYL7cEC0zGlbV+*>xOvH+ciUj}c-nU)I
zCH%n5jGp*NkoDn)Ou=mJNAIoM?J%R(Y?JAq5}7Z7b3bwla_ZJ3Y#CZ=0+DT^-Ww=8
zIwvMcOquxt3EH57KfK9R^u4A^bh>yjbDpA=xa%ptBE!dl?h)6qSz}-;8RJif)4XCA
zBH3Ob=%MI2wV<086m>dT0@QrCBD@=uH9QCryhptlu2g?UqMYt7odz$tvs-(yJ|SEq
zy|RGEyp%0(;+~ZECAYegF16dW-pRk-90@W#YLXpl*6L`zTEDG;7#vQHuaOA<@}Upn
z$|Ah~S|BYm!m;0I?y%=L$?doga5A{9Vtl%aRJ;CAvkoV-fL-;QKn-w|v0iSxCu})F
zVH*wUV5EDlNQ}ngC0bA}a<yG$i@6%Fm!g@U;Upn)c?*3jlT__H?*6$73LS&PdBPj(
zU{SmLT$^s-TX+-iKfSsMbO=0KfITie^H^cDFdV(`w2{^r#O1D6gzP>(-~L8+GR?=Y
z4-=tNqP8-mctw@l8M>o7yxfh_t+1XJ5U6+J)624SnLaW3bzJE5T}E{R-43{D)pFR;
z_tRL6odvERj5b;kasr$X4;0qgtO4%&aDh*ny}Ym-<FEpOnJAHY3i3|G-m()l5PkgJ
zshPtKKL}oaT@fn{`H|jDu79uyJRS98o(jeaZ4ZOjh8d~u%=OzVVLHD0A3QvkZw{mv
zoE!2`)YxA~=F$EftCO~8m%c*{kXLh7Rz?bs-Q_RJT3ub;J4X-i6VepdaUH$UGVsL&
zu*{T=mA0L*NJd0PZZ=Ko9I==;%dn>JOlE{j2ShQ8F6KKEneUee29S`;hi?>2iU>c5
zebf=SqbPg&(`aW?JUObgG3X8I4(9w&7yvsYm7+g(S?PK7+|-9r5h&Z!6wFzV=_<HO
zeASY9n_8nq@$LD&Ik6nUmL+q^x6dy(+d5<AT$+x1jCPp3DQh)Qk^FTZuQ`A%H~Vx}
zW0;l9k49`}4Jrhv-QaQ2q;J|>Bt}qUKEPGV@AaU;rqtG+^K?6CmXhfOv+-&8v&(~u
z){ZCH!wTL(#@iip@v>R7K<B-&epNEr<1%Am*=SM)Aq;3J0W!=f>dGft+8lJ>h{g|`
zJ=}C5_vG7(sgnXPtC~3`=u5C_S_)lHnjStfpWQ|B0Jg5M4YF(wxY1EE-i<KF%{=^Y
zSxM+^U_E^|c)11j&-ehJUMb3oYJbu1Lpv(*o+nr?i=Cz216zxpQg!e_9VNMAxAnhW
z^_nU-Dec%bR`Ek>W}8`cr#s6Jw}2Q|o<0C{`$(yhKDC=4WD(|=I~t;)#gX@roEM$R
z;Qg*K$~Py)QTq=n6brh}j*?IL=Tn36hx8y8z51-6v0)#4$?%B<QXB)Q3?78CH$NBJ
z{lc5-w)E(77N&MHZQA(6QhH?<m(ESguvf+?j|h+1Tum{ERAy>3sB&7Qt~#68fnl!M
zU%EbZxKA!C=S9QQNM%(U8ZYU6Ck5^;DvC9{HT3imV5s3FQ5urM7m$vX?`w71?%*GW
z^-%`%rK%mR&)(|$7=>CHT(B_qz|FqP#@-%=_(5cz`|4q~Wle~=3F%+=b#gLFvXacn
zzRyp`9hSYTe@%@iJ!teot+!xzbIo9&IUzf$C5t7;mf%j?Dwo5aIQ2B@Xxkyt2N&h@
zd;5im`A?4(ys%WReU20;c4A`hwD&=BLMy_htN`t5W9DtxS?0sxrSr{X2PT?V^&r?K
zmsB@=*DM;w$$5IGK?!qrpqpa-_7_Xb&0U*z(&+ZdD+3_S!{}`TpFaX+HKqxoFIMg4
zK7rE;nNz9yYFu=jN+D?6a#FFhY_bZ6PIt8fWr30-MY<FdG?}&54aU3Py!FFv)iyqB
zWxO2xm6XKXa|SeM@RlhtH?Jb^PAuA1!_HdUMxg*q>oU(!AvYD<%S{M09}NWZ^TlSn
zv@kvADT1A)vr#P17?s+nJz6`7KkII9YxD*#UG`LKiho8e$d}!^d*^H(ETdIeW9EBy
z`(4p%gSgi{5t=PYD-R5Yw_Yk<&6bY8TlRcGAwBKF7NPOaylpzyo~g9C=U{%Auxfhg
zyv+J37ZDC*g_J?+*RZ9grE&Y|jmOJ1{jrtkQ}+e4%#Ky^jt4Aj-TKw$a;UOCTf5RL
z?^^C+BG;DDB(85ijuIbGAMA5)pSrqTBI&y=@*uu<G|bJ#4As|yyASuT$%bfAyY1;q
z={HBJM6bl7Nt}HpG-h(Fc8x2_mOCJ|md6KnXHX|g<GuY9YUS*Xs@^fRH%BYF4r@sQ
z*wWhi?SwVwnVYu6UfjQQr-#ijL@9IUQZjN+nWZ*mxs<RL!}EiEC<gS*yh4TRFuLg&
z@m{~E7U9@-ef9kCzFzZ3mF42JIeAecs$7wa7-}D6_V~LYaHvEnQcFgjNN{SuZ*UH4
z&%@ab9bC(KF%7e&f%BbyY^+(O+xvx6qbfB7b&$**9U#uj-|<RCFSenecD6!HT^#GM
z+K&M?AHB!T>TN&f_MQ^$0X*euhmC)X18w(yVO3KTWJ8JaK-E+}Ez&$l%<BOL)nJI`
zm->clh}HGMjQY(k7G@bIRy|V}`j(a!emF?SQ9Pp}CAkJGX_PoPPd2U%_%!#}!jwai
zU1!B>HNM`488xgLygMr8_o*HelxW8qd`2=+YF3l+o!=*wjwEgs`RV(5Fy$4MTQ?}7
zsN4M1U#_r#v&PFD0A9DCqk>@;Kewafo`DshNky)bZZ9N>X7$QAy2T@+NU-h$O?AEt
zltd&2KwJ!L<h$f8C}UZ<^SiGV%Ta(08LOMkPX+>Gevpl3?!GIsVIodMaX2c`+@-Sf
z4n&`{Gfyd`AIrnr)`N*7HFf+VnSQiJ%-}Mx5SwR<FLci{Uo7>+O$Cnd7pV|Z7HwDB
zb*e1DKMPQ~GGBScJS=iOyow(Vk2Er_G~}Z3>lB{ZjL*N=@hCJ`MUYH-yKWf-pU(2M
zI7?;-!d|REhm-eyUS#!|vn)#f$Qb5F1o+)&genA?%2SOb1J?&rQp{ode5G4tMe>GS
zFs<e^Pj!(zr3{`yxq*1#i1!|BO%~KG6hGhys6~@#TQDW*H5r=ZmD#R6ZoP2lg4nOB
zP8%8O;r6}J+zP^{P$0TBjYA#hzTUDYCDV^fJ8zwp^;3U?JWFXBx|h=Ys1I9qFgUIu
zDp%)=)tSYDcvE0|3}C>TUUf5%8i2m*9wV%^Z_?BX9|{qg-we8;7?sxO&oJ!o&64w^
z5Mw5uFj-pvL1{w30$+KV3yLtSzqnN8y@w}ql0~EZ=_V4=QD1BGDlMDYnwHaKb1^|0
zqus!JK7Chd;c5LtV*M%=8WzQ!`EH08YbP^%=kA&&#>UYpd3y77&3Gxe@_f2PSgyi(
zYx;PR6n3XTO$z(Y-?7DmQE~`RsK=D2Od0vhI+kR?_YD2km;<9vWls>Nl(BN<$2Uta
zaEd>CwOa%zuI!QC75da5E)=Ka#4btIG6Vo$_;!#TMsrC_2DZ)=6o9hE<*C(Iyt4bc
z-X@T7a;3%1BhdSON!IFV>e|zu6UD=A;(M;dKDAct(k=_UwYJ|T#~jk)H+1~Ml|0xD
zdyP;f_P*@u^$~E5;Z>Mf%TTaF^Gow%)4P<+LsR=!n=D&8sJg=LG*u_|sWW2BB8lBk
zi;wOP-zg)C?kPMvzf5-EZa7pVXr)eRw|PKcJjBwQ8u)rdH}~~T>9Dv+N9b`W2%tG%
zQQa8*^#85Whex+GkPMkMEC?Uz^?U7|hx3SG3&7nk9BK)r2j7!X-WfXab+=D*w>j)c
zP$fJZw(ZY$rMSPlo-WKYv1+$h52My_Vpo`CyTYv;Mov~gNiZ%*rWeuj3VK9uS*^F?
zicXhO-U&nsSAq1%K)5gwJ7Y*8PEqJiSIQ5{HGNid@9Kb-rb6y^q3Csmpu9-XCVqZL
z@QTB`%VhHE;3>zYvufN6%&wi=%kj{p8PNR%Am~HLQ{v_!ijqcC)PD3f?lMn?XO%sq
z?Qn7H=s~R=5-gt*b5PWHak4qUioeX$4_Xcv^Zb@&-=-~k8O#ND=FEALnS8v{+cTPD
z;V6w26&0q)gAmO&hGylOzub5lWH-JK=((LkT7LM|>@vR$ejz~Rd+Sh;8fJ|t)mIzW
z*7U*%3N77AnL(xws@H~BFSfrhy2-#G0$fn?#~n=?`>Z8JGmF+J&Pw>D@$i>4)h+j(
z7A$~_XaghS&eto2L-gRe>lR%M>@ST|OV&SSrbzfboQti$=saHw`tjU$Sj{_R^z5ix
zQ_e#SGFirA8u<QAd;;C+$;x=~v_y=3tXQ$s&7M8gguS;2fA@(dJ%En6rASA(n24j_
zvCuGGo{Y@aa1^x)0vDRcWgXw($zPB$S+#_%H8>qSR?Bo_)T5{nlZFv#KNM$I(vjvz
zOgq>A(Ci>JYl=v6aAg+tr7n`7rxEkL8_AAL1xomtX~KffcBKXW{TATwmB!jS>alZE
z6FmnF+(2W|sjZFgOEx%RS#@F!CoHRq+Y-8Zax>51bXA>KgzobPTgg;S>n#n|UwN|4
z2UL%+E*HxhZ=|*Wuqn=9o+cXRFtH*G8s(t+c+9JJ<A(Qsgm}BY>la^`yU`k|a_Pk9
z^1Nkz`RsnzXyr^1CQ@kpbO*O}&2X$%54R02Vn%hHIk4M|R0Aqt#dvGOG(5^i*3<R~
z!+Y%zX@dSGRgERTO{n{-6qokztkNf07Umb1=n~1~dLnRoKp;^hWf$PZ@yRQF&s3bB
zXyDa6i0)R$$4e8$-6#|)oW303b{5>!`)r}q9h34Ha&nT6^8cJq<R@ibWiDLn4C1#f
zHhtv7b4_tPAWxyS=IC_uOG~fym!>b56M8ov@D3d>JT#R6EsK@q=O5free>qNiVDu~
zJM2Tc1iRj_1|1`Dx(ZQK&W70i$b8%6GQamZXE74dtwhd=8Dy%;cQ+)l1!*36M-JOt
z3g2Z0ZFG?S??3taE%oLopB*~tmd!tfk7&DI4s-J`EAt$DYB%H;yz;ITK6ZfrMZwC_
z`N?He=wMRx_%pa_qd!-T*;U-4nof`YeaN*Znoa_WuMmy)u8`FrJEEmaF=jstr_FYh
z<2e~CosqXHpB{ho<@+GqTY=2*`aKztf4%AW`!x8oLNV*PpeHyRw`Hck$-Xq)Arad#
zoM)wQy|~mhmR>I~oST81mH+<dv5t%z7rs$GCpUJ;yAM?F=Vo%AQthF+>UxpBqCQ=(
zYMQd!v4VoD0RXczOzdJbM`Wg$EECK#cBaVlzyT_0$G>Uhh}VCA-hTN7>+>vX7Ey{T
z=PS%2Z?6trILX^hz7@B7I4A$;k@KS!tU|+kYBNxbkE(dNR27jQE=tVQqgIPwb_(`u
zpJeKCV8<!~P}G>6cMWK?(rpH{VA`3hVUf|L)z~y>Y#Ia<ahnTvnqK#=HV3Jy7RB}k
zRoh-r9#5{GIgLrAsp<1Eyg+)&2KaB4Y8`(}Po18qn0{vrI;9u$Dv^X#72u|kp2ZBR
zSxP2i3XVg%PI-7q3dnt845jtb2Z9Yhd>?61jcblVR1OG7+b1ND7MsG_e=SO~(#P5!
zkD9~UI+S;D@)t%j&};V$LMR)<?z&+SIryfAcMBPV>1<-s*>Va^gF%@s#==(KgG&BO
z&}Wv^qES=~n%e8KFr9#5{WDBWg^&$@kz2PASGjLv+Sk(lpr1U4l#c5jOEjvku6$+#
zW^E+w;XT{(ajUz8O7jt7a(=;UOab(d!qcDc@cw+=Rs%g|b5w>p`D5Lr#~XY3?{i?C
zX+Uzu-Y&W4LPnUBr?uv^vIS=pDO4l;*%`YLHkeWhU0{!;#|+3cKs4(Z%>Kh_@|fcr
z8{8gsi4vNsYxhorw&c;7?#PE*o5$&GD}u7!QNtJEDTN1RIolu!a>-^^3bzj2&64#v
zI4-Ucejb_GLpD&4l{fXrtKg4k+?w!kzxr<q-O~&E-DZujhJ;b`)0x=Om1{f73KXWF
z@BYA!%P;V!?}~qN=gsh{c4qg|0W~q<f87lcll`17L*@0NLr5rtKXD4l6sGAGuB=*>
z`%avN(b$;-qOgBAM+ss-4%+dQv90P{Lu-~CZR?dyjT||6t{&E<wb(&b<E3J#vq7<f
zAaxt`H!(i!o=Y~!i&^Hn|9*j?K<hBE(&!0j|HZ_+zOQ5DG;gkS*Vy>)qi;>11l`%y
zMY|b$$~6OoQ6~K}9TpTC>N|&%7PE+En{9~=neq4R;Zx;%U|G!B6W!8TwV5z6KHMtI
zzw*)-VrtF_Itn<^yVh(dW4Y`2EzGK~@SClNv@zQ9-cADWvT3!MZ%KUKn?CZ>gePn!
z@J<#Tx92OA=8wj!SaUl_tkPs;swJ{C0sfh^KQKvP!-?9yp~k!Fh-9-Td3D`nkf}o}
zs7}>iypgHtcj-3z*boeWJhHra)4)vp`2B+ZgBOw?&432o!c+`FWiU#!j$m`J=qjUY
ztEQKf-(z8=>wTH*=ubxe6o_oETgP+qF$lpAtyAe;+(!K~E^5T=YzNP}GSyxAUVRTc
zB^NcUVISX;H$}f`UPChst!43h7UwuEAEn^Cjzqacod!1VLZvg~a)@bnXHR^Ir0TE5
z#BwUs5)oaPgY&vs;OYr0ZeOb$QrP(9RH9vc=R`iPw&~vQU!4tQxo_Vl>xAFs_Dp`<
zT0Y8bSpb8VDrg#I=oVd5vbSHe(h;mnwpNW{mrKX)HbTh->TYB}O2)Ajvq=4tWPwzG
zRuonpTmk%bmb7)m$>lnVgjqe&XNX$x&gRDBL;%J7Hj4upb*EpL26X!G#X#Fz7oVP=
z|1y?8ks=Sb<Fm_5P}BZJ+~SSB!T=O>y`|TT6BiMfT@<GH{sPRT|1TEc5>4;j?&{sT
z3^|msEUG$het)t|p>%8Q%1~YGtbhiWPyok;-#!^T7-J)Ueh>0v)2$A9KGnDOG|X)`
zRe$P~(hY9b6DCXd{LtD7-)}=v^=*HxNMrA$%I%a(=0h*6F$NxU{q1@{;ah(TP8Ics
z!BTOnOBRl@_}EOZ|42-VM(DdJVwQR@WUAI>bgxITog)<#%6U0!JC1eID`L3i2NvJF
zqR@*jIe*3r3vs5EeW5(>T{l$OU1Jw#du;6tebt)K()_eys_N9<!5;Yp!)NMyNWSjx
zA2@Q(C-3bgW@al1>`X}gapQ^X14-SvmI^)4$K+poqO*oc*?B@Ml{8ImsJ9^RT^D)j
zBM#dxAAnu+(;WqEzt(EVr0f%%3la{EWZRJNmz*zxJ#1+JFDii+o^Z|<&8dTCh&@Gu
zLZnxEEYX;b#Wf8}f8{~np<A(y-!x|hmF*CZZ{u&$`e%02_Zcw8tmLl2%h9-Q?|{C3
zWBBmMs%-MEcS^VX6s75}fmFHJz%Aq?i$>OpC;IUCIA>A+(&x{gwPQ0GY}|kp0cVG6
zBmDxL0^+5%rxWjB(hxS@RyZ7{wVtzX<9N9v|BZWn7*2Vp89_f(0AhPs1=<+^@Ann=
zfpC+N^?o8%z!$bP1q<6VK8?b5E@&9n<mT*iTr5@zU-}kCoXT|o7F5qSfxF#+VUKxV
z#`f=As>q8eZdmz}+dZ!g`-T3cgLX2%g(1lXPq$jXwZu)4*P}Yg-%e5&O9*nY2wMrP
ztXHJSl$fEaL}G}DP4=m?>zh2W=Iz{0mtplDmN_dO*6l*=sRy-sss5Rh*VxT>vj%#~
z#o57h(EWdwP72)19#TviTSr2uR@)R}*Gdt|ul0BG>st>N0p0OG<?=lUtMI4H0He{<
zb^W!cxt;fR-~oa6GF*8M$(BA8g^SKLZV9B6U$uoy^#=5VmN*;~hGLGt9sax|Z&D6v
z-)&Bln~JtzI-x@L6JFcww_*GDWioqi!)Ql93qul}_yP7&$|^4b%;9_!tT}`;!FNRB
z2i<kFL6ti<*1tV1YvWhxY0>ErJ%amdL+OQJ8e|d$!e^b^oB~g<#|rz$@VTB+*g0Sl
zI-Ww5hq@)41h9gqcQ#?SRGX^WsoJind~jK4LHke6w}743jvK5|y?3Enr1`syPD@85
zh>B5?9);&15Se+20id<zl+*OwNgDF<deO9L?=Wi5<-v`IAF9H}K|TRmSfHzaV@*X7
zYjMT?-Slk%fDqo+N!o!DjPqr=$VPJ?pz5Nw^SZ{3B@5<2WZ0B*2w3(+L3iCqrQtxm
zRAF$&{Nhn#HneoZYn!3BW!!<lG;|nTW36@CT4SZ7>(5OweGY92$m;rej!7>h6t<sO
zS_bvU!rHQk#=+)gUQ0Rnv#fEiBTyAXK(C>anQa!$cqwwycuGoTeSREQ$!2yis4Lo0
zs#@v~-T8!U+-iCStHS;n+`~QoHwcSaMrk5pnA@%;H)b2n)R6PFmI5aC-+3%8MFKx6
z1P?K_hbGW&vMe@z4W+5-MngVnFW`OHj``gKA%X!|>ecs~c^}P74F_2J=p`~^*QzM}
zv4e&!-=8`kI~niKejeD}Bnxrv%oHsjfd8m9D_st5cjc2`INV_Fk8vXwDIJnG8t$)u
za}qLE0+~JjVA}=5M;)1Y9kkl9c;hhey))Psl`XcHb+FJ8LY@YM58`u(bbX^+qG5CU
zenTHT7C^YAarvKCbJp=@Gp!?KfMw$0lFac*=twl>dHEYkOytFCi|Mc{lDE;|?2N9-
zeb1e1klm~bH1gy9P7~^_fXT!6F3nGQq{`o;T23OfPDC+h4otI){o5JR_^=h3#FmUq
z5#<fG@Z7e`9BPdyg{fvdgk&AKcr+`xlx3&RQ4iK=$CXS)RZhX|uWVyx+WMh!leh#W
z;H}4jqZkL9eWX=w<tVhvhiWyQ1l)0Bd%p`Fi>Rdx0HXTZ2sq6O5;@;<>*d%{4c)C<
zeLe`Y)(z3;5_MI%in9)11q1}TIy$Zp_>8{3zFTbI@L`S6OI$*QsDZ-5#zIs&lA(gz
zgWS)HAJHFb5c2X|;W>#;$z(PX05sJo_wmwE@bY>f;{~+XXN>BNf_BzFb!4l;se|CJ
z;N$<BDe-Tr2_?(s`rhW}eR<!)BpJ-1&5tq7=+v13*Gn`5EeC40664e#tT9P(FOO&2
z`h^~p`Rh37IU;-OFTBGmL}4}y=bd~;jqlm)i&S`PXm4yOc@Jz3)V-0k;(obQjQ<?t
zRMwIXI!=>4<CDeAHJ<McUU=^~@XGm8+6@4qYwKwNq>}o5HZa*AO(k%l+A(OGXcwJn
zbKC-KDYr;`Z#fE`ial_mN;2A{0ZUIBdvZ#sM-?@~zG2`YY_lU3SD4M@+6I~P+%{wM
zL`CN8L3}O)-g|8Ec|$Anr>gpC4H-~I#|~3s^Lxd5z@dg6if<-D!BuCv0mrIYrzK~(
z14Bb*AWJ)~D-{N*6FuIIl>)rHoU*dfoJz4b=;_Cuoig%^M!UPiRqS5cj(n{upMIx3
z=0|70iMdq-VU>DP+e6Aq72c1?2^&><YB5$MQ;({|B_nN4WdzIXZb$zRo^+WHjZBq!
zgZ0Snr*mI0nH01^)C%sk-x9S57+MQ+7`oF}70?ZzIn_nt|675_1rgvuo$u3>vwgDh
zi2bC4X%_@C$YInsZU)zuR8>{QoM{a7#><%2ryC5v<6MHEgivQE0sxJd?5CMh2-$&=
zgG+O`&3@xsNUjxEO#u@O=hHBXwvLYA<kX8(I|7&`jB7#@QXhW9JTbzXT>VB*{*~^S
zYZNJfi*GM8Hj<{u6~M6c?xJzNaIz~oqh}`7@R~z3`N4Fx1EY$H3io*vR2g@E?(d15
zQ+y4Z82k^gsM5`KzQKcnT{d;7l9w~35o+|@BJv8689-DJE_clgpqdxcmgT+RIqP__
zv-P;H?^mM6=^movDpWjpy2I##*;!zPE=+FCiXqP~4j`7q9Gr1hTt){Sf16vLAJJ~r
zy@v))yJU~#QR7G`THlFFz?@mEZETiNC?$7o>p`WU`q%2}RBaq>`Xv+VjLF0=R8^&1
zS4o$amIeiPo}m}yb8~Z9rDo3l#s#?$Xq-EooHCB!wo3~X$k~`R9;{2Ej*#8@tFuE2
z<ab;n3js=tS+nk+8BTMB?2p-!+L=6z6%y1xo=6y&9UWhBF_}Sno*i#1+3FHgg<t6q
zYB=m(a{ic>))t7z-RI%iJUIOiT<AekUyZHZg*NEf)ElP;YbH947-YO~UH`BO2+?Qf
zf6{Leq><Ie=hfhLt-K5Rq&4{(-$GqNCpklf%cS@Ozk#|s<k#I$_oEHz<nVA3f=mP*
z(A=7-))VpCnNrubzS-9Hm_TQ`_sP4tx{^{&u-$YVFO|`Ih;p3xI}-J4+N)HXoNAA&
zCD+UrOj|@K%vPt5<d<sv1R*({BwOAH_--h&*Zba7Nmc{lJ<0mTZQ{*#1y;7}K=$@L
z!NgQwzkCTAh#qLrJ9!YTUL-0aa$k@)2Ydla0+38ZqP1`<O-+?H1_3l`=mjyf>EQf=
z-Wbs6zox6=*~ib<AOuE<T_U=0ZQRQMo|u$mQ`eD#y05W&wS3zDbbS^W8MUqQ=n+vC
zkDwq#&JW{^Nvyj6;K3KdHX5rSCzll%NJQ9|K1$VKFfcG6;CykZsrf#rXO3C_5jEQ&
ztlz$U5KKbZ)%pexksDc3Bb-nC3LP@`P`hY%ab|RsE}=JAF^Z9nkx|3k{LxyHg4TGF
zJe@!R!5UOF;GJJZxnFB)J|<k1#||c-cg)PpAt51)C=?_-Tqy;%pG|6@tNYx-f+L)Y
z?G6_gv4VoapdaI)pIwVazNg85N0?wBoG&rut+7wsSvl*=AC&FN_4&NLz00k8Uq9)1
zLPia7-o#U_tvYY~<miF`loS=E2opeH-pq=S2`k02a`5s-EiW&t!!IHS2)>L!hdp`n
zgrK6g;|=M@H4ei~Q3TZNk4+h&{PN{^XOe(5VIdNs=#ayAem|IuV~DzDW@g49czUTL
zu&z$BHKcblHUVR+7}~bb+;}Nf(n6L1btEPxx=*`c&(5}@#%J@tehndDcY}W1guDL_
zMxnti*C9<rRMZ3U!ChKVP>=wXPSrTd*c;W*va_q}>+6qaJY5s{)>rn{UdNG%SV}6q
zr?;1@00=lclnNze^sh}#7o<o$S-G^<lyX%1lTuQwn2>%^BTcoYN&}65iV_h~m%MAd
zX~_O)5b!IpZ>X=bQiO^C5|o)nW{P@TU$e0(HmZ#s7*HeB2Er`NnTYA>pAVwCi;$i&
zX=%*Gss>6vX~Ay8QW*=)el90_76gSfoO{1dNBOx(vi3399-)hU6!zCm{uyU)o{ect
z;!;IKM54EhA`1(2=hLbOZ9Cv_=)eG<xZ}b=Tk!OWH}(cAZFE@~z|=I`+t=5kLjS&?
zVA&Z@PH}OjRd;Nh-{Jkvd!6o45uXTlL!e3Hpinck9E(YS|E}SG0VRLqzw>8k(?5V&
zt>@3few|z1DYX$v+e4!}Y^#<wH+u<k^!7<VA~3~kYik568lQW=ytWpam&a{tYI<^d
zO3TcwsHR5U*Wb^>$M?0oynHAl_Ft-u=;?j_2Z*hABp7yyOKX&zfI9PH>FJ3HINZ&f
zH_a>b2}mx7wDc{49N+XV6LdxJaU9%;8&pd6DKQt%kbm*wzkzg6_tD?!SJ=v5#c6mo
zB0viwRxNiVQ)7nC;^oq^(VaZf3OJG}0@lv<4i6(1+ky#REiNfZ(bH30N=k}=f;bag
zHGzeEWNXVcJv~jZ?Iq{LhQSk!um2#i{w#0)y$-fM?1up4pBG%zot188U{G+g)98Oo
z8xhe%_834uQT=w;_<y)*0{ZN;{1w!&+x;B~Z|Spp^6dZF)JgxC+CGwu<9ba5G&|s6
za#w_k03>>u{%PADi1Gh=zyyYv)0_9HRwC%w!dxWnE#t#{tv}#<ZjJxu9{&XVLH$F1
zc45Ev?hu8YmG1bB$qRpL&`2!6)8+lawe$VgYVV)w;Fm#VSV@|(y@GXMzj<s=uz|_`
zjX2ZLxbPB~e1fNW2>VnQQczcS64G23pO&UV@E>~APk#$8-Iguq7ZDY;vhgd&ae<I!
z$rAut8E5U^tg36JTjC6h?6-cyf1#^?e3pEQ;{89_=07||K)07a{B6LMRkOSnd>ZQh
z-mQ^a|Ixnw|J61%kt6z>_Gr9no#q?T;RHYT_eb$={PWTO*SEdv-M3Hul&2Hb36YeP
zPiLZEm&oq&{tur9_cEAe?mO(V;=(ys=warQpy7a!3u7AicrfiBdXU;*Enc3VRIuzU
zWj$cU)h(sXGOf-2^(Bqh(nu8VTD{+Ng#tC~r}CX?)h=PZ-IqP4JsEB(34UFab8c9o
zJ3)6Ee4qUu7Vb~4C%~BN<eo>XO;T=5ENto@1&aSvEM1DJ@qRR0NAXl2{8$jI!Ki1<
z&lyZ{he^)<PM$kztL^t`nfV7j1AIXtnwfHS+zq9Fj`dO24|sii|K|(S&XHB;mJPO!
zFK~IaE{CeqI~EkPqeTon*z`mWJfF{llA&}1Fc~7MmpVaj{m|U>dgFyu#=YJp|G35B
z_TH*#NrkL~v&NU;54mLc^8?LW%n%)ZxJ+hfLYW;({?nd=E@Tfe3ob3Lbt0Sgg0?eq
zmU0)B$AlZ3UQew^ovmy6-AAHa$-cICHRhXJpZ^ri$Q9{T`dvj>O6E9WcCj!t^yif1
zlP05@q#%jX<rI?Fq?u@nyqK7;t9f}-XH%Bu%G=@E@$KtH+*J<8uPpHgTvvQMDuCIR
z+k;xp`e2KV)lX-<ACJ$+Z&KEW$zL=xD!^$E82JN5TD>mI<te%>MosqO`<1^G5@56?
zOAIJ3)Nx(x*>^OwYjfuJEIyw}MA%gvzf$Q4176*qcSlA3?x#DSL{pvRXFfkR-WtZq
z0LgN|sBdTWJ31Sl9iJ74)DzkcRMSmhplDco?7~;j>=_OHU}N~aL+~aZgP>qH^6}u_
z`L5}`v;A_bziia*fPZSMWQDXjEKXyn4OWOjiGAOa0JaO%6T>8+*6=S%5$UEr7T;E9
zCwqr9?pUlV%Ni*>BYL6Aniy1C`bU3y%3|~EI5xMnBzOFerEKqL$Yh*MI2F&m&$%kJ
z4c7l1@F=g$?OC<SM&6SA*dv`1z~>J53H_KHi&4Jr)7ZQ(6L7g&qTwoy%h}JB;;}?p
zDt;3+#er)-GI#xF)oxhyKD98puEcVFMGAQSE!)J+BKLhu$_+O|vhei)wY5T$o|6p+
zN#rd{Y>h<(QRpV0VGT_<ST=9NZ%2{fHdiORB(g6FA33=l16M0-lj0lqNp$TpBBM|R
z;M%*tCuWRmhm0N(Y=I&gKJXsd{b0M*lp^NX{`BnBN0O)r=$sWk`2O)Dmz<)9{ESNM
z<tQHA?1LxGres3&O7gEzu<53!Ut+5Uy&Hxz`zB=IR`3>wO%sd&vw{!Z`9?0~ZlHbd
z34`pOlBudkpqK0@5X;|Th=oJ`G&EU_JMr-mQz=h8nFG^$zRF*%U56$(f`Vt+v9X!1
zq^!R564`9KUn+i2h@QwHIl<CJm9bXPvu_ve?<;i|sxRNT5y9-d%69E7jJh*B#R%Be
zRr(|`aK4_Zot5+umN1&#oJgGFEgQV=w4)wpD?i)sw<Y!r=OE4u{dPkaBXD|&QP}@2
z4&`JYdAn=CCq$lkR{x}{h|k+fJ_pboa#91TN&P*{k$n=`UsD~e^B8N8rAej;H!Lo%
z%I?Un>2z9Yz{ux;ME0-bix`1F#gdUY*DrqnYGzJdoIGpPC3+G@J5?281>^gMp=)%N
zI@Eg6d@WcgJaA?2{Y-e@Nbl^fKTTIgc?I3xRCDZQ2U>jd7Vd{q4KnAle;%#dW7+P7
z#w<!eu0``Fq?t8}WhVIKF<rgu3{j67$J!(G_HVn$^p}lPmJTHq6pafo^qIUKcrRj)
zy_s1U=l?vEz5;~vOo@K|dmUBxFKu?qZ3--Imb!UGDK;rsQ*CJ1B+)NW;|;6krS8V&
z_JsUPPbK+93O&3^h`cH9?QRw9;IMMVK2zZ#6^|v8TUuiQ+W}G^^k`{%HFr$+F3Z^6
zqnWKr%>gb9wah<KLt54_AII-4S=X4#vtW->XeUG?4mdYiXX`?CIJKDZQ@Jq<S4K0-
z(^8g?XB2t_S!PNFE6dimQRLQIGmA3jzk3O~=f9$IYc*1;lnt7+ZQn6TJjEvY2;TUo
zFQu%*EWcPXo!~R;pvgIV&nkYAdgal{p7WP8iPI!h(mCzM_GFC-)(pp$Hx0C0DUzsI
z7X!Ytx_AUNYF6>N-EYqWyn{cWB{Ptyva$u%gx#g_>}@{GZU~BD$zo)A0k4Of`)yfx
z%3b(*+9f?wmIVcO(+Rs-&t6y+O<sF;=o4Wzp&H5jb0TKU<`OGg70(}QP#oPyZkot_
z6FJg9S~OC<^@Kh?0)I1^hUYfEF}z^`11Idm$^yRn<8>$*$<rReE^<f8hJvLIi(#3l
zSC%Mz;8bJAwBtE{^t^{^e^?#xQn=@%Jq5wsw0<@I6$20Z+$K)(-#=PBaIk6HA)`{_
z$=w*D|NS)ko&cEJ+Fjl3w60%f@)qbUjd*}7Guh}J8QYG}G|!w9V|X@idJZuB;S-*L
zLNAk13wN{(er4xD{<UO9u#6DWv5yxso#&G12N)a3m&q!~4f?6aEU{TViguXW*wNYg
z^^yMiwfRG;nesnfUu0+-V#vDOM@$fZT5F8Mf~%gu9q#`gB6YRS&d%rPsQNrY>O)IQ
z+u+NzoA>?W9A{|aOi%=Ax%<(Z-{UO(<9|kVh9E>8r$o4MW7;RD$7kL`e@GZ-#-mig
z7Dxyj$7R=NP{whk7W?<^kJJ_^{r)|sYr7~(DBZ$%@QvT<sLg>~qx-%0=O6oPCdPkj
z(%4^PG&SbAXQy<%zvVO<0*Cfz00-APhFg~M_@xpXobtF!9HF2ma{xwkR*oBnzzX?h
z<2@Co`3>s)6##G_sahCx;ZOwQ|9bZ{l95Ybbzh6|;KZO{=Yhj~Diy4<$#wpZ0|oGd
z>E(ki&u4v5h6w=)S9+fM7^-wiu!rI9Sg5T0uAgakLSG*=%1}bcPNqs9-)Aa9ehY|b
zKB9v_OrIL^LYi^0A4L(&p0c&nJu7>I!{xZmdF}5G88)l<73P|S28<-aougac<na(h
z=@zies6DoKxV(BR&($AU?m{N>t)>0F$Dp9^or0;FXcH~7J5~kFNEROW%k^TrsiPT}
zp{-@U*p`Z*xvUu2Bh~d56ST2o);TM)LJcDH9b$uRxcn$q+t^e3`)aDpOV!~vV+J{Y
zO0chuRX6^kZwKnL{od#VCzc|LJqR~2or+^&q>1~6MD!#Y?9}`5I)BVT3|k(vv7}$X
z&21cd*@dE-sR0PE8DLWL!-9VbCplG(OMsoDY#7z+x_!}X9JXZO6q#h~1=m}39|8TI
zsp%^XDC2@2+y3+tR<g)@phtl7fwfg6yl=v+Wl8y$^*1W=?ok^Vg;V|D^G&w3@alwJ
zv6)5?ordE}^TQwP&mN+mtqBA~olbY0AjeL)QhKouV^EB`LVJJ?rm4~Byu8q#x-Dl<
z1lhY#-?U%V00p7&^j|+->k{MLD9AeLZ-QWvUZ(GCbMPF|=YD)N*{`y*`q#ZMmFMfm
zvCZDZ31Q#y^oBK@2}xyB`{}f*-@!$C3QOK$;pY2Q;sHrDO&`CU7WHh?sc$fIP^N54
ze3+UHw@d^q?q!kNciWUCq-LFaNvuR{DvdEuc)siYpr=N<-nx?M-CfxO2GX;~b&$Sz
zSC@Hw$~fZY&usnmqtEa+&uGPTh94W`+z0zO;C|<-Qr-O;&KiTh86QCru$?U9ygMCT
zqtcD9WoxuFQuRq|ug|x-Z&Dzi{+ymypM&t;hYuov{y%(CDs#@qcb9{Xa1wu*>$1GD
zmrEyS5QmoC5@7L=WJ}9(|8$FP;@xaJzHRBp=GKd-&KT$qua!pMn=$t_?AjPvgdqfi
z;&QqvAJB}(eY>l*cj;N}kq!dL`4ezo0&v`(sh1k_sP)!V&_(q3lN&PMSSn13=9OPy
zmIn=FrcN})SHhpw?_HH*_Fe+7(0|{)72o+Gw~@XNy)S8TQ3UVwEL+<s6nQ5>)sZKM
zO3T)KChMb!?OH}ejZ@#BG+Q_69r3zMXT?~)*k7%dAxfdzSevTag@2;VI(Ybbe`A`C
z;EuyM6N))+$OX`HE;oAp<!-i|m*BDdClV)CjS3u(<(=zNElDzkYD?dp#c4sOhf~ph
zTIXob7KK+I#3V!P5z(vJ6`#Fj1T&hm-7d19)bi$ua`J}e>DpG{n4X0kFAgbaEPg5P
z>pZ9_Ml3*T(a097RlgIVPr%Ey#<I~WL$#5Tp27$X)ziAO(XwKffdJpj2?IwY`U6|n
zioD-$f^^vguE8D+vAR7tRtI`ds$i01WRE&MTU3WRS;#9iX)@hBMZ9A7!Vl!;eETie
zC+6hKL*2^Y9IrM9|HT5lJ}t@vfLq+SyfDSJ+sG*W>`m1J6!F9JE9TRWTQZwszo$cb
zX1Zl^3gt08_di6nus;jZL%L2^DY*<%jti!{*34Ih4A){7`)aX2OR7p;pIxJwr>vxA
z&?LROd>frmQhc&SI^Br8$q)>L5YY<kbks!!7iRmBusE6gXt$}(FaZ5}lB|bg59ntS
zXdKYBleov?g<ccgd<WOPPV<=J6n&!$;<#EG5|1l3sfaN~dB-c&;~`(xW?xI4%n7p2
z+IQb%P;aFV;PJC3!xW@^bas3;{zRsyZiANqgOxlqf4HwPfxY59BjP!q9+Y!d-H76?
z0qY(4nFGGSGlIZHLtvRsw4U=xBQ9~LKd0%YY=h#GOu$VV#)nO$x)ne=k_F?(cyXDl
z;VTk;vh&}RzAy22tM8xNSP#!e;y$rme!9mjnz-kHT|uri88cslw7giK0J+0DQ_d$}
z^UNhfEGjIdz}GAEx)&dlBWf4$<nqe74~rFO=(ZHFHd8R8q4%}5mI~ToO2eihYPIp$
zL)|7+bN0q)Ap;@cVXOW28mFBqXkRCYB|%kU>GP<ky_fIR$ZH;9dqg(_%q}KyQIl6>
zdO)H{?UYiIu`_L!9U^tq9FsA3KKV7<6*Yada#KKT<YDjgW7<WE0TvRmZ7|9UzH0wj
zLn`^&WGfk7=y70?pT)yU<IeYNtiJa2r`wQMrdy$Q!|Yd0MYH#oju2Do`+B^R55Xk&
zupfl@#0ONGN%8Y<f_#0)1<;$cl?wAFr?>Vimgwo;U+8F&0v0A@Vtn^52>)-wTU!Tz
zvhU@}Et)p)HC|0wndALU!rRMB<d1nQFPUst5|+Da<QCrA!?CESu_&q(RB=b(`o;sk
zh}#cHUnG%!zWe==GABoZ^iwV^5s6b=+*K}0<=Z!LP1)STqHc&ew_!Qaw0ea9u9V%t
z-hKH~OMW9e3flqZi<QRwk}CiJe+fuF<i-=@8)MNri3*LZM$hS=aasENUp?ZtYaP6Z
zI{=q_u~p^R{qjI4l`x87pA1HYyCh5_Z3eh63fJl~*5~GMwDo8ffRgFslUS_q8=`lT
z4E|5nz@jc}LOC<7G6FO(_?%jgiHhA%<?nH|Vp+yYH^@3jXgB?~<kVj{o>QXb&_<Mm
zE|7ABNX`!J$DHaU>dv$=g%`|kTgl{xUoUuDof($wBwP`axp~dkuE3MQUu&Sakz2Ge
zC2Z%2rQV_KZD!Z@>Ez-Bca`57b>gAgVkAje{NnZ<H#?4QZmyyEp^`FG`y6j5VmIo}
zfQ9W+rOCi~N>;rFgtMdou)v+1VwO2X_XuBGR3GrPsDnsgV%V$=$)eNsmD0vZK_OGg
zHMQBAzgBwm<ltMxN*kbm2#_kzO``Nf1Tw(-JYM~t0ypHE-wPLtqi(&(<utoIv~yNp
z&9L6V#^?L%vhoqyKqAV=Z6y$pBqv=J@Ik@8<IR_JeJ6@m%sCU9heMF!DVi=ZAco8M
z(oJYr*!;C`GqJhXA2z!`bdQ>N4Qf?cyeGGbb&v}qDo0ASCrfRfPl|nDhKXO6KlJhC
z6Bb)Eg?2VgtB18nr9O_MG<X}7PNM6qTVdnL7T~neFZNt!8fAwbH9MwlvA!K(NOh&4
zZ*kO1VcB^~`%74N+|*{EH4z?Gf88X4?3K`hC%ru0Vo+v)xAH#7l}+q(09n8TvXbrl
zI)LK5Zw;M{p(6=<$Ka=_g|0i*5FQ5yi-;df&jz=t-`=Cw0KFG;lC3y?zI5%=$(PMN
zA4zA{%FoQ>(4R(^_x7(HwSxK({GWe%kjsJTm*Z-}wtO~EaBunIL~j~zkMQ`dfXA4D
z+=V)U%d46Fdaw4L^UM_FL@=?a1?;l-Axb`fx@rm4uxESqoxT1110Za+n+_Lo=>>Vk
zx_FCc!_oGpGQ*le-F~yzjW7lht=iI@#c`asnMmd?wP*O8Tp|n_YUCJa1l9a80J!>=
zW1VF3dwp!U)0Wte7`LZu>>uzSV<)pD=ziVY8D)`{PwM&g+Bk&fBm;jEvbE=`ZE4h$
zw5%|`cr>JQ!Xh`aJFlL`8|nmZA_n+zB%$)O&c6~5X5{?z`U=Q>81;o)+#K?**o^QM
z;9b{3B?x&f6{;Vph*aqb&iTpmZj5hQtyA<O2M?97+8Rxqi9t3GOIH2}^E?o02eX8I
znOHm#CZBae>@R+3aA6BYt$u0tq@b~SvR7EMJd+SrG;qnASWkTg{4<#69{ng7W`#9n
zv<iC>9)IIWCe^s18YnI2h@6<tWeMRhmrd5OLj9Q%a@k)<_TYy6|6=PK!z*ioZewd=
zb7ChmvF%K3+xCg=iS3DPn-kl%ZQjhx`+fKRxPQ)bo^v*O*Ir${YISurzuZ{oNBH~?
z`xDJ{I~3@5T{d+MG9`M?fSKuS?YdlC&9B=Zk3s+`ephzbVz&pB(aw?{i?KIM5MQsE
z&_z46rsy9|Ba(^_?a}z&;#N%%GnjHw9~8<vt6HICXXbE-sh5oNxz;+edpcPMMLQQl
z+(>iP4yL*2)kn3>WmMsN`@d?DG{5}m=}6lk&N8iy(RhmknJ~26BKb(u);1aFjc$->
zwP$0jkoSAX>(yFXeR0PwOJexqW`}R*ta@M%HaepY8~B@{-Nkin2dkD52R9z_W>j{T
z(FLefr3<G!<XSWYTnrJEUO-<W;Om+136@4z01<Up(%h#ozB%t;ATr!mBNMyLk#k>v
zNgJO>76kE0*rP(%>o8cmp;MEKGK>-Y7)g0hLwJgLd%B<M9^^a<F6d)Ab0w4{V)(V?
z`ozIEg}grY@pYzgi4AZF<wzhI&GPb&3g~^i1gG&@&o*Tcd9<q`B^Yn#z;#Azln<_L
z3*)vibZ8n#YZ~dr_Luj%eeo7NJZK*2LUM#$s5W$B-0PId#(@Wp?;^B?bOT*~40`#3
zxwOvM9@^}}kQ8ZMw20YhZjVn#<c)ZXHKlY=-0fmGeZ`k%?TSo$QS1Up@Ga+vm|U2K
zIs!(D)Yj<UDtu@hmPA2^YLcs)G`4Ba6<pDREJ3jWZ@c9Hv_NKd12%lYc$xB_3Vh{U
z_x9!M?vciI0@K+D(Aww;WOv8l^Mo-m{oF4NsL(IE-JYtH57y}FlS}#o88(@S2~IbV
z#IP_U$Cdcc+u%y<6&UU;tE2lPFLq`=$FxVHXy|SivEJU9$_+B>65f?4W`<CFGhbTm
zT0ONIg70m-UuuK&e)tegJu0HceW-;CUqp9eB)B#{be6GZ&$0fx18D;V#koH!^UVvv
zK5Qn!HmE~+v1!y_W5@rH<mv?LfpR-$^6SN(KB`x?*IpFvzt_9PbbHo8k4nIrUF?O*
z*i-9Nw$HTC?mQ=8s!DwP@;GhS1HrOub86D%d4Qov%OliS7>mtO6Lp?zsRo`}T1md|
zGBwEC8nh)ocI|LRpD%+We5pnGXaP*DYk2bwUgnK=QA!GzyA7w)Ah@A3bIwf8!j2uN
zJVN7(z-t?2SY$6JGlh$X^<B=(WoY^q>k-yut|X4fE2oaf)1oq~2^;SlaxiJkW}^u*
zD(EC)#<)~>1iFiIWLscJOeRk3rDRz*<26bN>qH-e94s~{PYi_Z!e%)zy&ywsa>KkP
zH2LM;p!#lB*n%&dMB-b>i7!R8edaT6OGGU?M)qCI2E%7h5`ePXVmDb^H8+FU_;5tE
zx{$<LX>At+_7M>3^m62FOUN6<5m9&ll}SVBfIy)hba%X8-JSK$9m(cJVWdJ^UT}=f
z!Is$|$ggC$-+CE&G>$m|49}g1X|OuDEr`bOeydW=a6wO&#)pq*WzNE_W@!(`_%TAn
zO;C^zln_`(ADFX1UWflSxip1Tg5|*enCxe2@MEMur!ASjf`aF2RaSO%RFO=Ed+O|H
zoYuIP^U3g{WWd;tRjM`{B&L3Gb+SC~Lzshv@l8gtg-kx$m!l-QxXzuqMRxBZyukUk
zjH5f$Ga8)uWoO~7PuYl17Eu4P5|Nc|;ne&>`Ql1Gmy*y_ngOq1RK(W=-w4xEP@;f(
z>rcYP@kQWL5<Yu-ME}%z(hcx7yOeg<v047$%1oQjCc($aSfU2$XDudMcQb8w?jkUO
zzP95#^@wP80y-7?OuHudq)y(l0%2hJlu(?w&6d5*P1mx-LDSML=St5$t89Ic9C_TI
zR;-y3o;M`kUV`u4i5f0Zo0WOU28XZULkXIDX~bLchQ=^WVtHn-aKN4`S9%47&R$JW
z<TJ!id&~;s8UE~q%b-vhJutbD2lq_z`b>e#sTv_D-IMK;surREPiQM}EAH>Nyx#4)
z;y~&BJ)`BS`tT(vn>jNuOF4_s58gJr4tcyta#DD%;^OhD2+=NSFr#(+6B29$aCW~$
zF7{q}@$*z(cf=w)eg?}f+8QPkZJFQVv+h$EK;+%5@mbZ@CCs+HKr4ka+wCdJT{y~J
zK;Uj_X~W{ZCRTD*WezWuR$1}*smn>WuYg+<7QoC&AE<{(fHc0|kXRq}Rg@R8AXKag
z;p;_2!*k%U!~Dadaz@-{nEBFR>V>nx1y5KgNv@3Nl8sch&MJPCu?i~};^|m+QyjSA
zI5@agxU-s%O!q>$etBRb$`T|*Lo!TB=y7fdgyR>E)Q#{8Qa(tTLKH~b7U`~7Dh!0V
zp3?(fL+9`X+!BG3_Uhh_<v{Qdvr5ej#Zr)Uj4Q5p{v6F`dD))tFxcMkL~<ek?w64f
z7&T`Xbm16o%$pB)6s$Z!K|JA$!W$<Mt=6T?bk<a5f&&iI?`Z4IyV>Ivep5c%SQ}Hv
zmmNs%2GsWow~q^py)V;eG1ZSw3tM|<1;*VN$;@lC^K+9qb;%AgR|`JJ1?%A7=H7C~
zcHemLR215A;zC|W4QP|i$(?)}bA*BVCmC7<%dOeZP>?nk#*@rNPZlDruAFh7*M(#d
z%-(87#4}(~{VUW4I~zOCK~#r_Bj5Z#<Ze?y-^L6=G0`FhR6yt7a6P#)IOe2l-I*IG
zYCCddX3b4%xk|ND1%D5qXgGGh!E<}h-O?UskIS4q&*7-gR;IO>oAffK;wk#;&-#qH
z0q#ZSwzKi^Qk5-&zZXVGk{rj3#aFI|KBbJ!mcp!uwnKYba&>c0oRZIr0w<|^90#2J
zP9M3@dBv`U;TJsLj#gM!Ul4^N@{&Q7@_g2%8tOWQxXkg$`sz1v0Iy!CD4j6|&Y!8^
z4BP>M3OeRT9p%j<``Z$uWzc58Q4Kc?xJXs@sE%~Dl<sio7(jYLnR0KF&ZvTPI}CTr
z2+;=gf-@o4k;1Y-!<iJ8$kRU~d0nLRddO*o&U(u;0gn8aFXX~&5oi{V>%BE<6hq<n
zBqWh-daFm`1crEd;)qsi0_7<KDPqi{lfahE(cxkT`mhkgw%iYwnnGWLnna?&x`L@{
zs%B)*9LaE2fgs`k>Q{l@3FX!5d1Top<L{2#`)&>mMw9Tp>nJ*cowA?rC$Kr*-0b9(
z#~znkBe%QAndN0JC@S6-XzQ1mac@5Z3r6t4SF9%iD*xPQ47i(SiWT;~@J4OlJQl@?
zXg34$_osq_i^2kqh)tCls8F-z<AGw16|pm+`tO}<^4$9n!V3(MYH^1hjvpqoSL2ST
zpdFc6f(C+{x$FDC)Jy`$#JRH>op*Wb{qHoYvxaTTObcbLJ9xz72C^fTG2u*~TZ%b9
z*A+2x0M(<OAfmZy@uc8)9(fW!#;r`s?aVQG*2fuNB(^i!8s5Tbnq79@hyV&&qj^<`
zxjBDgpEPa@+5XC*p*>OYZ<K>{*65{3-nnSRsb7ZgAoo*}$fnm;+^hg=aX{v{jiV<q
zzc$KVwzXUmKEgRlHVNK(c;1}J3aUWEV1dMhGpQ2c+jh)+e^EuS(HdRt&$>Puh<UY3
zUwxtucuZmLn<9S(+V5=$*PVs&`C{XbE}=Q*-Md;}lsPik^q|mQhg5kKJ@q#Ah1^T$
zq2cDm9p<<No{ef7>UG=8FRC)*uxGF0XjU!VDrSdZ{|Q)hu~wglfc68iG?=&d*X4~C
z)nAuGlzOuKGmtx4dc%6ZNQZYoCsRO7)Vi4Evs%%*t8aul@DH^twb3h<DE09mOU@2P
zz1xe)sz^e4gE}_*=$h`@vsjIxAoD=I_T?tYx35y-U%u+<siZ{pg=8yx7ZltZ+M*it
zZWi8JBBYC4l&*{Vs-wM#D}Ybs1p|-fCr=cKE<pP8veDq<?OEgO`=5a^-13+f^{RPZ
z0|gIE;K0|jMLTsEmY}RYX5U1J&c(;ftQVn``vq~VnotvNQS1)RZCtGdfi8~ACtA(q
zT;M<n2hQShSJzv+&_yw`V+i{vp&x4%KKpzFgFUvQ<ru`7Yh8uUgW?MISaK*Hw<OU~
z>hEY@B*}s?XDXkh&RvSvH3gk26frP;K0%r08o<B|vSDj#*kegk9&V<^z#uw|<(Rfw
zuYRtlAL|m4^{cct`Q?ioWRokf76p=yue7=9RrfTjhL>*zWmlI@SB}>1$4cdt*nqHK
z(1G5j9#LXvJ(fQf&EKtOE+NaM<buA<7hEBGb0I)Vw%zBEfbDA&Vj@&m>?LWZDq~sB
zsTffz{Ps+idRc>EuySS>HP<|Qs&pk0#)hw}AfGo$sccyaE5oask9pbtnbt`1mfaKf
zBDEfVO_Gd<gofgDTz57Fp%*4@*mpOBg=1{sA>wiJ0!7p}5$abgOH3AtxE4ouD@P3k
z0f4;o0sXA%@E&xwE^8GY-sw*68VL6N#nY*L?AJWM1vWt&AZLB)9%{(FG29)FB6C4`
zE@jq|XC_<~2a>gN=f&v=wO*-WW{*I`aFuV`T8gCMp0M@a`7EL8uQGv@G37J{UmqV~
z!)iN;FD3;b9E5QgVqd*g5u2kl;gAav!yCE;#^@?a5ZTXaxIDbZoj2LL>JH{*I4H_I
z+CkBvHTJfLG24m5QcoL1v9Z+a9v7JZXv%omSP}K&qj8Bk-YkkuR?KV`8X0~nZSp?S
zRyIMa@p=J9r`Z_N@?PmVE^t?Fu{(&o>O(!-ZdlS#y;LANsl8UMxrQv5n8-0&Atxe(
z(sClY>7X@yh@nD2CFq?#=AMa-PY;pp_qtDVDO(&feGSFR?QdX7y5*L^9W)<$vgK_J
zUlHG+4M^7hQKw6fl{QSdtR?KGcA_mc)@7aSI5?E-5CY0sLa}VsKRwSE9LE3$)BUSh
z|KU~MQpPq(DduY7ZMP1^Y5Mk_91O<;V>hm|Gxd7aoW=xcHHXTd)L~=)?BjhXh7Lb=
zlhX_d!hmv*zN|ps0=Oaa2(>*+QY$>$G^0Q0qzHULj=BWamc5u;-)zy?Y>AS<$0j}M
z`HYitMKyw?6Xf8F#tBduvfl<D?=ee(!8-@W%DVpP6ZtyLn2)KW1fx>8y<Ky5MQ(DK
z3ahTgiRX`O>oe>y^wWdI27kr2me^rIFU-O$ec&tQCn2P7+%V481&8%os*QX4TCd-Q
zVI{8cSwgZi@qVA)o+KT=DFT#yCw}RH)oBjCvw`}~#Qu<QmV1ppQ)Px_Yk0MYs;I7S
zaZoBZ1=vKfM9o*J+2LC)?pv#Q4+Qzd-kdm=+^5>@t8CI(kxU{Z2kLxV#Hh4jOKR_D
zqgow28Dr=|bW(so3r_dJIT*M@r7tx-s92V#(pHu3Pt=SmUzeInf17<cm9<T?Sg4zL
z80N>UYgTNF3(Q-VUYpV!ULVihTSzosB?RfQsA_A7ot|q}wE5lh+QSj06pX~yz7Pte
z@$ep?jpOIBCjq0qA~QD+Qqp)@`1+A(Yxoq3fWHDMN#W|mjAnr-pP}aCbYwm}Kc5YE
zx&-*D2-%E)x5>aQCdC6wB8|!m2hk<x!C#j3H2_I#97#0m9aJo`eNwdi+vJ)%n)`-S
zNv2x#42YBPN-<#TB*^JK)pYw32PL4zl3mHe$_I9#<SBV$tiN<DOA4ih2jY04JlB3s
zFC7x*lWgL5Ld-;9M<_c0our@5a%5K+@+w77<PX>f-E@}-|DsPBf&5S#kQphC%Zkk+
zfauz5Vi1}ABO3@nZ55vsfR~o%&gKeuf<rc1Z)P7@X#3u#A@^r1z)v#_#I4T9vmN;7
z9?Y9jR#9f8=qwYlMI1Fo?xf^onEKq}j<#)3x4m|Ha<Q5a$V6ra?4s_keoL-HpbyP8
zI*p*DiCP>#y>PkeQgKe_;ASkajvz>1wN#Ye^s%Gy`WCRHV|=sR=9zp_*LTan=w`24
zT08_I8o9YAh?CN8PivM{nvLmZI1fL1yu_8E_Xs6_FhOb{il$I`YDu0g@OmMSWwt(&
z=rLbCWlH$m0wxkwU$d`^^ZPq+1fT;k5d-n+jUddfRM*{<hS_T^_qxY}X^(!c%#|dV
z{+tIYEHj57VyC79k3xMyTk}PQTxVjb-vf4Sa*XeG_Up9Yebsg_%e3gj*Rv^uGVP|U
z4>}vu4iO%XL=7A6R*N;q(4VNp+KQA<o#pY|wU9k|P;C~dL9Fvz(;1H?MJW%AqRQ?f
z#nY5+%<WrSq$)9&Qn8}5%Kjf2JJ2PIetY>7MUKF};zC~A)eYhX96K2bQ01zE{Wv<h
zcEG&@GcWz|LF4DidP3v&Kd#pocIg}h#4x>7qKIg0@klk)GeZalHV}F}?%cyL=J;$~
zA`rF3AMEh5w8dGSV5Z6j+gzDNJDvR)!915;iM`UMugorGYQ6AutP7XX0?pj}#Pc?W
zFGoV2N#X(NGFOP!@qJ%g)>4G_EFfjem~&Gpy<btNV7Z(%J7QP&;1N9ulEqJ*@b7Yk
zCeOO{W;@~npAcKI(Q^pcGXoA3Qj>%kr_Lsl<X(oAhclOC+mD+e!XQ2%3y_`%IH=w)
z5%NnAvUu8|++EoQGnZDMg`VLCzx_(SR#Dlkv6w`_7wP*H@?5?#d`T4O3zw02w_$!_
zt?>QH0JnfJ@FRYmD?2-S;P%?EZ9{zUdH_SQ2u5NeGl0tzOV5+b8~Hotc}L74ej24l
z2j0yw_T=-{Od)Hxf=s{>AhzdH-903XeMPQRsSQMMQinbB+~tnT|IS9!(0b$-i#wHp
zzD$NX6p@f5Oo6uDK`T-rJ%Fnqus)ubGb@+p1404U3sFkYdlMx(4Xh3`(<5TDa9=+K
z0Evb<35Ubqb(&Va#?l!nRgd}Z$P2tL%jP_hRiy|Tqk`12;{}IJ=tZ@4p)CKr;H~he
zOe=KX^-zEnuzJg5R5~#iniT}QOUC(+Z!K>dHLgrNxCdq^D=G>B0I$U;nZ;$1a4#;5
z3iz$QCMYfMwpLGOQ-x9=lwr{ycF+bBA7OL&nwH)t4{hpf2}|@cXPXrGcHPu#GV2*>
za_^4xayu<vp#?hWiFXzgpBWeQMOYr(SDoSKw%&d%&fvk?^<OwHR00B=#6$a=b=SH|
z5jz9V8a{T8>T0V+!cz8R-!r3c9~du+sX1y^t3RhRY_G4cKiBK!*VNR^xT%&aOKp*B
z{gBk8z)gExxLD6UZb@?UGLOE|!v6b2SFp+_=1oh0!6>}JMsb@XaLInauXF(954E9F
zf-|tMqLUwfFl9idSb(>0vG2E}Bg~ch#>ZGPq=e%nID_x48Ov3sw~WBL^m~hgD|P_|
zlLpBErS#^RA{|dzVqUky+ZqS7A6Hp<u81K$3%|1Qf9GBM3%W+Og#kgAY0knd(3p5k
z3T3iegik=~!QA<_rx?aZ>q)UbWukwIJ298g#IpqVr)z>!0r*1NxXkU)e;OU419imM
zt~*!t$V=_U0{NrvD_K6nL89xjmfsfOm?x(7yi(6X8f|DXAv_tPM6#M@Lr^Ux&b^#q
z8CYDXjSVL6ebysffqmt!G^b;e5Y3`N-oh+B%KX$d_d+6;{ytnCO{s$<+3iE=Yi2!W
zNFx8j>S(rq*5$<u>!r=c7p~iL0xS|d#n0G`&QU^Vx&YqjV(=!#X#xO1w%N)rBqMo<
z`RlJkV11=v$v)frD$rCis>ogk=7f0s*uww$V8B1ky1j}u7pZ7wH$_!Lq--hw_;;dl
z?i6&X&vPHaXCP7x0Xd(K8vYYqP%OC&=g)OMZ%BcsMX&a6H24R|PdOPw+K>8gp!k13
z@FoMh(J%rz=dZ?+Bp(g80Q=r`KC<r*XeTZh29+l*dH)oPPc}Jye|PJB$jMU=(#pzs
znq!l)@w8{sB4R~{$lDTPrlU4Kc9m{K^J0%N0yB3%ql##IAo#Jjbw)LdyWJ6tesw8J
zF7BPU#FTV3p!44K#_T<2lcghm#LijsmpdLxXf^Fiz$e0RN;G0V58zB$WVh@RzA$&>
z&+_<M1dC=nu5}0gJ@Qk*w^&!t?FH>}jZ*jcZUlIiMhEWxt%>6V+`urW+3`4WaC$4f
z(@{7b0*^p)3P=+FYlU<)Elf>l;=M5OU#`{?5re8PSZNLj@?2m2V6T={{xg&iIb{sj
zz0mFxU4LL+L&!EvNP6nPWE1{D>$krq+on10+59Y?bE^)1tT?_#cnT}KK1`3<I2vt&
z4@Kl@#$pk6iiA6m(Wu#72K>BpG^)m#(#{bL|1`I&QhEpy5rLK7gR(##dkC9d^Sl-~
z`c2f1x}Sz-p2_Q&Vc@{#U@yYlFBX#V!B-L46Pvk=u~t_c;)ZF|P(_e0IrK<D^s+C6
z5HKMs{9kj&i8*gf==X$U-I!`3o_Lkye;f#2>}qqlDR_%Ox)vy@y=;9nRc2${SWnlU
zhJylJ`ht{pMt)Z3skutK3f8E@jwD*|tVJ*(C=2p6>XJp`^%<xHY^SVs(<}eHkGy-l
z=~f`CHI&yaMdk>%cQbH9A3<1VXl)OT3f(`)fwWVIZx9xME$vwDZpF$!29JpSpIiV#
zrTH9YY|QCK3`7}8<0=AFKy6qZJ(V3xzD`|oW;izf@iV;1LVNq9QvnQ~=wkEtG^&kE
zIJ|WfL6hstUoC&;Ty@ThXZ}JjBz%}1x}t~<qvW_xzADY?i7vvfJ@hd@T3s&O%_1Qt
z$;$(t{v^8EwOieIY(?OsQ)?WxGw3U+Fq)!M^xjkqe*n0-oici@?Gjl*n%-D%Xfk%K
zeX<2q7JF3ZTT=`#;2o4SNvkKFGtBMWU#qRX5b*;$+oyNb;^Q?niAu2Pqs5ME2Jf1g
z$?eI%viezbq7!1IzvC|wn_P?M^{+>8%XJu%LtuG#=&oS}HHkl(v`B>!g-EX#R<wR$
zYLGkNFAu(MZneEh$x7W5uP3*rysRs$UJs(WH<|{sTY+=6i%s-Vi&jyLW0Xj!s?Xk*
zWGLNq?rcfXvPxt1$I1Pu@*t?Bd5ZFP`qY@ugf4%%ETjF>$=xoZ-R|$S>0MQRiay`z
zSi-V|joPc$fQTuntv!0t;(9B9$M5t@Yx!PKTCV$^e&O2kV?tU5e!DtTq^QDB!5w;q
z3fqr*DoJ}dh=?kx1Q*|n8+N0#a{EFMd-+=jhv!XK7*Beu4MCJmI!KG{d9x>5U;PYW
z{i)$qoA7R+Ozz;%%<^N&zd#Hj`;?ukjj!fvtQ2QKDFVJ~4=0f1{j30RD-=Y2Ef?+G
zX(bzAx=6rf!40B}bSS<{vt_sWzC!M&XHNOX%Q4!RC}eG6Ir4ZPvNsPbmpluVxuQHC
zV0RU9mSZydVZW%Q2@3kkXd`9f9Fy4U#p`SG@_pW`2D<&p0bi>=DHsxw@IF1G^`CPv
zNy=ShYh(7eZ#+;YXhF;pTYaLMT|&nl@7t1&7L?_(7ANR8=sXs-;qAg4Ggv^YHXjGx
zHzB_P*oT|)*AE}+=nNZBMp^}&`*J0&KB}7`T%0@pwBO5r<);0mr(sXgkw4<*y2itz
z#p5?6z4UYheFJJ<e-?phS8Xm#W)Zr3w-LR+JfKJK?_t5n+vxi+pI|q0`va&9tJQ6f
zLDORp?bXwEX6W5k1W|@3CPPLx8R2q%8x{;RLdeCUFyRPg=x|HgmypCixbaKOG1a)b
zrqBG~LA>~1*Vosdf8tLa<SHTyl~XVumG8>yac^TBsXUV4PvW%%j7}QzK7~I4dIy#*
zuT%~aNgI#N44ZhWuUC*_86H+!p~v(cl1SCUr{LbVvO!O*BTIl#9pn|L4$Q1;+ZLFP
z<+Ql#3(~}GM`nG6iI_YT4K?Wua5WQa@;|JrVr`2>u8%wfbBk0y4#r@=jkFHU1qT1z
zKDgo{i$}E|;?jiwO<Qox6vWI}eU_NQTp8hy*;FhWGN{a*7w129R{FIRL?r9{_|zOL
zt;PacEXpYN0HEJu8`RfR_+%81EP?s6xe~Qh=j+1VOk<M90(92s%?(*rMw=oI<bpME
zG{e9kL`DYJKTCk;eOe+c^XIv{fKSn(EAh9HM<xrL7k4e`k9md5_uNBuc*Y0K(1I|;
z^~Y4Tej+X=D_r`AZ@D+XOx}h)2jAIFxMJNKT~DP20V2T1K<SEj3OP(^M~H@vRKflX
zCFz8)mH(g}p7bfA5J-VzC9eVTI9|jFRXr5nzhF&2PnH$$<z*{$sVl5d6_00=S7mV6
zFDs=}fHj2JfnnDBfJ;h44l9}rYJ$#3jNN*hI)pFyh+&`;!X?Oi&>r3;(``Rgm>wx`
zwSSFP?~m@7F}4%DxX~j1J678@WbA;S5ixv4%73Ro4~Ow(^0jImbt@b4ty`(koo9;{
zK7VMEtx@oB1bd=>ycgTt@rZ@CnG=(P`Ur$<`8)piP52N+@k~K75H!5$i<SfZ*y#cx
zM^A5Ttt$D{*sF_+9o@n4=xFZuSIXz;_$0G+(pu}sG@^ea=DtMfuP1zFV(jG=>gje0
zB(FoBI*&U2w2xuIA{pczy#bA?GU*5KsJ{~^BYFpkZymJ$AvmAx!t%Jq!}oaBc!vSI
zNHLlENBiyJ8{Ks2u0y_ZKX3pJcktoL(oZ#hoDs)NzeGk)!O4V#xJp=J#@xLuUgXcY
z!ao<m;00I65|Y9uXd!<S_-yugEHaByrmHpg4=J*aUjvSo<zKWcDT>(^>l%9uN;9Ni
zsO%uX;*h7$E6OQzB4jSRH4Ou;eQ(d#Und;e<7amnKuW?@TV}js;nJ?}L?GGL$~Cew
zw%K}QPv)=Q_AM<<Vxzq=W9&f1TNxu4m;FzdJw%%SF-O=R3z3?|%l#@Fc-@$D{yzyx
z-03kA^McuvRU%pR*~D|SoOiQ=&*dVH8o~oN&UOp6{jrW+BJN6A7+?4fYM8Z{A|P43
z$Fg+Pq~H5o2LjCOlnF>UA1F#oJubUPg`lhc!&lblYkETicum2=C|~cd66gthn;J)6
z*H91mP8Enni&4v)P~~b2$JXU(!E*BfP-tS2$k8=HuRQggS|H6*9euAeO<^NVn5s0k
zJxFst$H$Sj$qTDr71_@rhRF@Od`5$(jrAdVbG6(t&(yxf>&X8t6)}@nT3tig9?(UZ
zWbYC$+7N^!@3+-HrdAdfR@lhTU&xG%xB5HniH7rOn>Tz2HbW?S3;LF4#slQ-l>vxO
z6keCDcl0010)L(OQG2b0hL>&HUhzlmFWMEus0$LVDGV@Fd2_vMId5h`_xI&>;zZu@
zwl>|#w%Q&?z)4GQ+OV3ZG#8cZJUykl?jpv8swH->qG`CU919e(#v&Q$_prr*DgOuL
z0Ka0D)hD_>xBPI){ojug>#B9W{xUZ1<b@0uDsP-$C?=Wh2GH6%9C0ox)`zFDp`Z}<
z!_1PdchNFT`5k5V&v>7&*TXzVKfXnSkb{9?ik;#8c53HBca{@KzUop+{=;81m{gyY
zXgLgk1fTD>s}u8#;(weslLq=rB3u<N)K<^?R&3ZhudTpp4NAJ+e<D-%FGyaIU6;=8
zpKr86#y{%_5cBZ7126>tzE>zagwM5^UvO|Fjg0n+Q5t*A>-AwSywD|`h^m>r@8z{`
zu>_tkP-M%R?dg;VKJzzi{ErqGFXZ2fXFgWhS*|KK+J)zw=x<(U|Cf8_#+hr$06Cv7
z+5ys5MM?e|Cjcq;#=PV=hvvY&pfI52TbeW&!&iO~YM@83FUN?&9uGfeulkw)bD3qI
znh?r=%>U}f#T3J(El!jY2?=S`i521CeCS522sU6ksm@Gr>E#Mwyv9tB)u-WlRQx+2
z<HG)5r(h<V@%#JjGr)jhqD^jcZLU&ME$WW0LQ-4Q{_6$wXXfj4ne6|Eq6QqwtHTlL
ziK+hmVf#RE{=eLo{~AIRa0mol@y}-e6Q>9`b~VFREIOz@9Q_GLA|k>ZoM&M(-Ap(d
zx$A!}dhmXIZ6sjwoU5*2|7pITPtNo8YOSp{$;1k+G^xVqISV7!^&+^B=bC+HV}1M>
zcK2;;r6X>kgSHRQ0ZaT3RN#X>Y4r5^r-h_^-!Iy0Li7kQGA;z1CZE`YpT{<S*uL3E
zspWXBV8c}Egw>ZtI+8vqj%iCwon6Fv_j17yXv!?r09MU$QjBd14xioPtvG-C-qaMU
z{|wD*$*{N5672qdq0q9lmNH{5!!30reevVg>|lYFqdW5K;`0(?obcYPqj{Gxd-07b
z7zh5}<6=*6PAc39NLkzbpMq<DME|kQqZ+5EMMV?E=;FYX``#+<xxSpn(CL%f>G4!n
zb7v^=DkO;C+k{K8%;x|CSy^c~PeiLgcQP@;UB5U&y?AMWU=amJM!O5ZK)QA@X7upp
zGN=gY`AWe3&&++z^68;Zp^;4hV#ZZA2rX9d@AL#Kv1f}S14x+b#O?Elq*R#wi(ZL$
zZjjYp+Wre@#gCa^*T5wSqCWgVCppTRoC*5ww^SBgGzA_NiXX*1r2o7{j2s7KO}S{}
zsyi_#PZZ75#T^ce;5N2dT#`=gXGCdIT7HiX$r&QI4XfQfPnenW%pMJr+rh>SmZiX6
zJN&;v@Sn>ZD8Ub|ulXrN5<Sj|KL)c{<HzxJDN<W!u{ej~@jc>zjvEn8aNBr0=51dp
zbp2!j`sf&8fA-cWQpJ&VP2G5+%lN}ugo2$sZH3Eq7v_5p708eWjh!8zfaw8l)SbGk
zu`p4Cg!}Yg0baemjI2^7SA7Lj)O603;s<-*-7G0wa+o2QEPudEto{_stu%?ED&2UC
zPkDj{09rFYXqN^X!RJ&xZ{gZ4al;FR>(meiW7@ecmt{|*u!j9!o_{X7#@LK6|7QLe
zG472qFEeFyf;BwN?|obWLxB%2*WW9Urzt?i$1JglDMi<rsF_o)-n}76xrs|THHSJx
z@0m+N+zEvy14*04UG7=*-eug+Npq#lKZ+l1yWN#QC(EyX886yDvc?hN8<0UiuhpFc
zXYzU#GnS1s9g-c}L5!|2;+Iy~e@V8#=m-i9ixD+m>nh76_w@MBYXF%8e_VvZ8%E)d
z!>J%#SXKV&I+GsuQG9ooWTI>taI8n8c_9wZe;FB~anUWmA!-q2W0l74TceB=q=`D$
zU*15_!^R%!&M;E#(RVwR;Fe4}HHhQ%!D`eTjsumcqlIz4*iNW)SaSRqaK;Paw-N<*
zXW&=sk=R&pG)EC42O)l)ewg)eR2OHN<5X-TzZ=9{-mdrYF^;@ko<LW4m77V|SAWfH
zj+-RP<YZ&NUkz4tm%=b^e!!!NjP^8M7wD@8#-qw?G2l$l!5>Jl60R>nI*oST1@iOG
zh-fgnsb~Q^IlZW|rp#MkA;=mDo;r&H1B~~y`=*XSZoW*ZEP4;|OH1aPU52$-aH0{M
z^}0P`I)xFWdbLBRv%?7rg`dNEkTy(ASHIhWxw!4P!O0L^B1Fe<-%FJ6F8eqcKwFoF
zC3O>!5=C`wMD|QxxBulYhuL(96^ds|eO|FmOq5V#?-e}D{Y3X+(7zB}3>pn@g1t}u
zEDEnHx8PL@-FHIGy07QUjGlAtkq6-Q&yl<-hPU?e(~`BJE%2rKW{Gt^t1WwHR+?Pz
zN~*3(BBJ%vSep#%iF%PCwq<soKYjst$r4vfyT~e??uD{rou1ESB@u)WuC54s@iT5H
zFWLzR+U5^PJ<CDi8WL~)`rK=%Ecxa8!^N!qO8t&28TPe{(e-tqjssuD@OCJFMiDn>
zc#_FYSH#GYZBkFgcV32@5rX6lThIwI>TIE_(b^feCK;oZ18TS1AE*xa1VSaOK0(==
zGPv@8y?00!9ydxM962c=(4_s-uPvdMde3Trtpa*l1y*-%F)$l~(bZ)z)+_03Uu-GP
z0Z2uCj9LN1ZtVLg)OX~frlIkn?SzNU!Rwb$uKCj9sm)EoH#aX42AlDX!QL#<>sKoS
z%(pi(?I)ICEKvCn2#LmugZb$2sXNL2%D5irs-&x<Fq(5$oJ6ivfr}lhpEJCWv&1Z(
zEJ;d6)vM`_#@%R@0jPciAQ`}I+X~QLL!t8|9dcP(ei}-Xq`^B*VQqklOrc#i);l+>
z_>TA)5g5DyQ5$}n;FjA9c8*4f9fvq5({$xg>TCmFG$0pkth+CEk2>gKWI{O|yHInm
z9fOuZ=dz@%CtrVbE=%2!`a@@aN4Br2qIr!%PKp}Z7)*ZxsaPfi<Ytpq;wHhkgC9FI
z$X^2>oW$Rt)6x6~w0o+f8x-C#FtjVR!gLfSg=l-PKP!qszD;g01a*DoZ7WMyTtM4o
z$bzb1L-!Ky#|H1@96&*?%&(|JUbshIRqkSL(hnipB*N2%#-0>KzHFtwl;9ApErR`Y
zrrWu5^(wG)FN>*0<i?iX0;p9kN8NP99qv*cK8@%)d?vT#EOq_myd^1t7GZW|h(_xX
zJn+8p@f67BrI?L0;ek(~T*x!T8|Dd&%;XHEItJQb_(vsj&?L`g@LjDio;*b_pGJlB
zxk117qy1{Vlgi>sru+?`7WA1EI>zje&6&sn^{`++%@X<q<iK=#n-)LNN#<;^n5Zvc
z^Pc{)U|8+dLmF|`x7q@o6ulYa1@D_utsvk0+*)tBr~v+Z4Jfb+$s5EMfR}9weX+ms
ziu+FoeC(f@Zq=c8XXQD`u-~?$w)_2hH*E_71aW&%p#3?qWK|H4)C2UI>vp|<Xxs`X
zGpS&^sgY<!zf-L(4IA;u<nBr@Las3cvmt71OT(Hkv|R?Xm9U2nqZm>_y|qRU!#D`1
zf2Z|Zh#F`s;(T9!__V#PkvygI!J?(<qKiFUI)|G<d;O7(4Yzl1Os9fVS&*Bf4U{W&
zg^u-3I=s>1yX*H1zjee&{Hg|C)IMrLAZegkNK+tq300ufM2iMTpYvsEob^UBPmj&g
zM2Foo%hP$oS8h<@FO&g1-+;<N;NV0lU+DL3ob}Vb%+P2ZJbo`@G$_rH0Y_!MH&Scz
z+&N^iK!qUTLj?4uqw>ZCI;}ChR#+$Vlvx{a4Bnegeq3?%419ynIrjCEDiM8G)?6CQ
zejo*t4YR<+ikk)PG&aMg1U{s<;UJnA{L978PI@-OGSbUAix}YbED?{E&Kbf}vWAJA
z6cuZ~P*oRy`ARdQuTlZ4|EWpfkR+!AuCJEHNm5qt)G2Y|UC~FyEb$yepmI9N()uM?
zkePWB8QZ14Ho(26lMQak*D%^!NU%niyARyLce}{4r|dB_>|LfQOi%MJ8}x-YW&-h6
zDM}v7{BtE0NO)*Hp%up9adN&Ooakshs6YvRYie!HEk4quETiAy<-knvz!td{Ru!Qp
zflZ+=!85eO5%>yy6#CU6QPHY@!{m|ou|Oze_XjZd*$}KCXk_b%4ay3LZzg(s_0i&O
z+|U$tKd*`^o>{vVH0yE1Fpuw~E6$PPYBXgWTZ!5wmCok*!61d1gGaOCTzGL~e==&*
zNqD%yml5K0_D$YPON=rYlPK72gGmpmkNr7L2&*o-(<Rbblwgd_MZ0(oLAao;7H0=g
z-nuKV%Q3oP3?DmFL`S=B3XBE&!avq-@^MnL6{a21)u@j7RjNNVUsB{#dnJQ6cP5}z
zPl4=UmNgRy3UzH`SAAGWj#M?v=DV*F*dfBrUx=A@#wPD;#E1HJzk7LI12(XVIt92D
z7bDo`D!RTNwp>rm8lxcxg9x@ek=}82F8T;%a_v1gfH$(Vxec4C*cKux>R%237Qy==
ztR$V*n&Brfa&^GbmD7--`q%hSc0rEov^ZGs6B&^c>1w=o2Oe&R5QUe!@wV<bo<P)D
z9gV(EC4+%2euMR|p#$0DIN23j;`MkAc!spv64TrJqE7Stb?x_->GDa}_Yb|{Ovh!`
z*r}^tnCHz1Rz~<r6Gq=Mj@;yz7&4UYC<ZhJQPMY~a|568a41qVW-txeyH_ULxQ~ry
zfn|=*qz|0Q%zu;u`xC6gWOEeP`m4lO^gEh!pn}e>r1IEVAD7WFJZ9v|^7~)lsmzSA
z;+-HK#e24VL8VRI@`rY_?Fw~L`%8H^ibwpYzbnH!*ZZwe^Xj>TFWi?s2XGe<t+Fu&
zCZ6ntinIh#HkL%Och@GGpQ`#`cE+vc%ye{lk*L1v(n};(ZXVOKUTbbxxEAZ&5K8OX
zQ_+(aUL#ZO3kE0O9LctQzYu*U&u1JXxMZH{<SZNd9#=jvU6}!^o}tYjT&jfBufB$a
z$??U}j2iULmEj-EKU0#I>&kunHeJ!*I0Cx|RY+a<OtuL{xXEk+iC7D+RB>Rrj$i3s
z@$D+Lw@l-En`%e&G<#pQBrMs&eup*oJi%9>5)>Ho9-g<x{w$SQ1ur~TF18_YTf6cR
z@qacar{HM2Gs&UuRuZ-%LRu-ebBsW+;htTwoZVWIDC4j9UAW?lhPVKtT{Qopv}`TI
zG6i9fY)2Y|#pgtN|NThOt0^#S!UM@IxXhIP(}p3;4g(gG^@H?YU~v`cU0~6jk|?0S
zBz7d^3}&uvV9GLNlYNucKbs4YY6th*M)hl;e|b;HL>bMWKnW4qU9)9|G~RT-MwV68
zC8>7LQpb=Fq+L1@<n=Arafh6U25ec3>y69O7VgN~ePhW5?DQN4XTYoN;a9FKRTYAW
z^0CUN8N=Qz==TUK)r)@XmmjyLHW9kW<144Kc>9OjDI>+tiG%h;pb44tSCDz<eRm$F
z*ePHt$Z+$}b9}K2bnhwPjEwiLf$p)BM=vc7;V2nnyB6YYhFb;Ok17<6J+;vV(Qa5)
zrwRpftE3TW?r&h^QKdP?7HVm~Pn-$5o!V0N2b%K&IIJjI9+@cw6|5~>wyUTP2l`nD
zMExfFEr?p7MDIc!?;vmN)X)IPJ<-voS9ptfHWoY$<>T{Mjf0pG@5kMTBz&}-^TrHE
zbwx{MUfu{c-j}p)_JY};@yb>Byb*~Cswb2lZ7%se46SQ3Ly!p4e5jedw;U=;V^p;6
zdM?~~I$|^ebdOqm?<pD@*srMl`NZ%g7q$<=^A-mR3+=}k@_ho`MgLHEi`LWCp<Ab)
zEEIl<ariXG=ydc!*3c10UiuG<S0rxwFAH2RTQKQQzcul8g4=7-tyW;6lij%|?m?wO
zSHGJQxOl#SdSBvo-A%zfVR5>-u|_l#?e*#3uMuNnCw8}eUs2nz0P1ZkRc$gQXf;c|
zF0Dn@_nR!IH(YNF1iNF-y-|ijyd$4HfMY`YJH80G{t%N!5N%{mdgATB-ks!24-9rS
zlB3%n@8bvbG#{i=D0{YLYM8%VrU7>cY~|L?4mWrjC0DfgZ9E(cb(nuSlH9K;p-D`8
zfg`DDZ;qS@0|Gh63VI8rRph$*tXJGV1@7BI4x0qq7R_qET15JN7W6Iw{!5&@1?f35
z_~a(uGMkn%N#)^>Z@2>;Us2xbxqsAcqM=3<^y}h3WcDtqJ3T{Y<Df;6QK9Q7Kz!FZ
z?}=f;)X|~7H`*{*nz>JLMKh7Rx54vGf)pI*q1nI{WPX=_<)~fvSYu32LsZbQ=&gSt
zY^Wz?xI`A1P8FFnozzM5Gd6%optmYGU&cfgg`R`0v2{6-J~Sd1S^ivh1^1C4S>0A0
zKfMi%iTs+=f;{*P(q@w?^n>f0l<z%vMKaqhbhjzokF*XvjcW9>x=VD0XeT}^%2pN|
zWAb{qw=pn%&a~)1aW0*^R#SF6n?m&ty$Pd+tMeG0v9)8)3=S5H`8Nk^v0uF>U5)*-
z!AqSSJ&(~|yHhsOG|5O{1q{z_Cbh0^__gJ9pJ_bB;=f1R?QCz3Isq+q9|UA5wM_o(
z8ZK9d<`{<&aA!CZB;2XUM=4A<RO`>LqWfjbL;9RxV8IMq1>Z7LHmfPx^|z-uA!B%X
z!&kCaKRYbSOyT{(yq|PkvT?KE|3Cf54I<^g>E%@DRzo%$73;nJiOzx#07GCP(^bir
z(MN003n#M9Edw?E&+xzo;i?CcrR-4`2HMcp{@X%e#@)6{WD#)kI~L#E>)9gjQ>HnN
zYns5+n>%v%40d52)kyAb2Q5B{U>EmGCp^hT0^zGpd#LWj7h<_L=oB@P{#e@N1(wrY
z<{Nb4in|EMqFK5Zgo$QQpveIwCR=0?1GaAOj`)_w28HJ|$IClWX0AYMmqQAV#ybX_
zy<<5{>e?bePJ}ywcU@cs;cgUuMjA-(CzJOEfU483%jG=2yCd^23}j!y5%wdJzf!`Z
z!PZp08esg5GvAI_95Ba>0~7?H0mdA|g-5tA?#z3zT1ZF%&Z;oJgE%8zrg5*;Hlw-b
z!thRXmr+ptF8hYjJ~HHr@$yQLJf0Af8uKxKx|Y{e+o`ihp=fWW&1YG{zQL@(tD%2A
zE(G?o)E$0xb+w|hvsVRa>0B6P+e<MD43Q8{$$VR%0f7qR`|nPB$qN~o1=>G8K3t}}
zRF7jCkJA}<W8TQ(|Iy`M0Zof(DUlOh7AaqS(f$M#7_$FYPW)U>K}ws4|L!Aq(2Duz
z-c5u<Lw}C?*N(pqIt1b8X4wDx!>2w2DQ5e>LgBx^azVc~{nP0F_v9&Ht(I)htsvP)
zy1_YfkB2X;4o0yJ)QE4)`X+Cw?S>Eo4j+@*%oFEg2$lJqSPn)6LC+a9Im5B6Jlj(S
zg5n<zR0YiJ1-+xON`VZnKr{OBab#l}^?r6AGmHm!-wGZxfAhEcg@fvJjJ?`0v1yu<
zxDIc)-P||bXi@xo1di@cwXkw`riohBJI?n(TW!2`jh^)FeyAaillswdN_l-%OWYTQ
zVW8%+e=36KY0tAzmDOvoN>+>OJ}Gn+&pGj$3*f`5Y*>3-1@Azc+!D-mHSNpgEDqID
z>ku;TkXU`XLX4T*Q!jU>Sab*E!c*_>!&z|SZcq2XU5&ODp>y>-N#_cRopQ68u~t<L
z##GJ+XDA)qB~wrv-vxW3n~#;QJ=qGm>OrYVFl|&w_{Vfp`7Pg?KzuqNK_LhAxOhZF
z_zB2-6J`qLtE|rG_WK+;sk_lc^$==1OZZuz6}!<sRr9a>F6ir}pOc0i%fh;1$CUom
z?s){zYxRdM6_Jx}`;{r3n;*3<7j|;<ZXbg>BYkkadJtbA_+^NZaI&ch$#M&}_lZX8
ztQSu2f};O77r>gcEaQCCa&6weamRU~!OGgA@npU-uJyPj%~*Z8TQD_Pp39aAMFAKQ
z+7B+b7Y_dI9S98xO-|_M4ZsCpbI{s2d3n=JdbiWMY3|6nz@~a$olxkM?%Vg)rX>GU
zOC@GR<Y-x%t9fZGx%v$Y#T?8ZgE48F+k=_Pp;P}<qm=?Wba!12I>1A*_GU#N-I{7^
zod;Mm`&Ie`kF&2$_NLk~gxAwP9}o4y??IA?5llY4>Ikr`)YX1NH1Sz>9$(*LOGl?W
z;7PX~4<dEt@^7`6Ww8}<m5LhVY0^|eG{V+V%%Qe7V<!6RqJ{`ynvtd<|AyHP&(mHJ
zk$t{xjz$-Tzolp}WbMq*9HC4M)hVEp#xFihRBE%54$kyVY(ZejoJhKBy*w^l2M8SM
zKgtp$RfmBV;eNo<w|hMAN=Pp68TBq>Kfb}+n!IuPdxGTXvb3ebg3c^&!~JQ`vhrth
zj+@tXo6@a&R#e5kSY+FEx>7xr6!rV&rzAGsxt}(=S=xX)-eNoGtxSSj-+eBWk=t_K
zYi+(=yfqVe!UNIS^KJ}9I6)3QkMoD3Sn>lK-e3HV?{0W5UZg{B;|PYdmyP<kMY*_i
zd^?EH5MlNX(OFAM6~Om2B(2SG(rM3?RY4yWKEI}SbAQsdAJJr!79r+X!t_+&#TPG1
zJCkoR{PKn#ui*LmQ_TS?Q)$EI!LcI+NyVk2Dfw*}7k^E8V;pHf!-N7>xrRI1i~zmL
zvM~cWLMUJnljRpibm4RT>vKcU3b?EOEtiGlzt^7Cn!F*S*2^_`1rHvPs`}%h+Dxsg
zMqgXw=R_M`LOkGt-&Kskz*@=(0EnZ6&VPz<r-NKsJi&5fNIJqnsHugq<R_Bys-kCg
zvZO<TJlU_@es{7SSmpj%41MRxG4iClrK~-{(>G4VN@hc#Pb`qaK$ZY}_r})fIWi3c
z3Thp}o1$85a&65e*=aAzGeQ5Hi1rdCf3zhmpoxki;$*-#c@^h))&03i+x}^Hs`wST
zaocPHqXY9@O84qij$SL6_L+8nnUcqnBc|n-7^!z7`p@N{RgW{#zcn2(53Ydr$H~pD
zJuSt}c2^hboqlH>dm7qMWcN^q&DK!>)Mp046Fs0V0~ICxBY`IeG1h4zJeG@%`u^a7
z&dDlEv-mkk_Q1MSvLYGu5I0Mp@)uIYp<3sj4ztk!x_ztjPCuj|)V-~oBEV;27>_OI
zeDI^laGy8JC$AyB@uMb|J;UQ_DVYIi6rYTS99c;QCJYyhob>V*iPx`vYcmt1fc7<@
z)k1{9JDFG4a4{oq=?CaI?Fr`VI^(%FTilA@i95qfrj*1c)_}r9gfTH)VrOl#iHsH#
zq|fn~j{QpK1G0-2l}*930gtlqc$C2BzAJodf)cx3-Ih`>_=8&@_yBgu$~2Kn3H3Fe
z+TX4GvAsiw9wKpap!uaLOwVyMIvgJN<{}e|!cLZ4(W^6YrP9`6&S*>?8kBRzUQV73
zyU&@Bd&+;Tv3qS|JaqXDnFhUU$S21vz{ACKwGU}{mR#iWM|s+7e-@*i2}PyMsfZt>
zs~e^)PaNCB&8vk)vJ%elF5{XQBd2O3Q*e?=Sr?BPR9tKNbE4LJ;R$8v>G19qFUf$S
zpx3%rkrkcHCxXg1-)TTyR#}sO+mWLXr(u+DRl`FJtS+V<^h7AGoLR0rhip@2^EB5u
zJm^Vq)BF-j&tJ9ELvVSg&6=jWdObh?;g=qq{2<5k(7CU>Z!?2sn;1JhW`};Zd6$jP
z^&m#okk{Y#x)0&S+X#AuIQRuD;NfB-6_s@ktu^`4oJX5gbAmwOc>9(q1&3UDv^%1c
z8@`ebf&tv&;>>Jv)Cs&RbL_S8KpvAVew<P+N#v=400>b=96g0Ay9GJSqPxT#<I_>u
zr<l#`h7}8%R5Umf519`fR&2LsG+VCJfOw2eG!wChNN(X*YT;6t>^vBYAW9m$0@ey<
z1H?qWTN*Iv!+!Hy3G9U2Jd!rd)?v<gVmyu-9T*%4)?H?e_Fy^JAFMLm2BI$|h~ca6
z2g1BWye46)YTkrX1%0d99@qd&Cu^3kDvTH|6=-@%WP5f8Srj|NUu%j<!b-!~)a!$-
zdVc<bwfHJHcJ+A4)B6GAf@Skzf+3u<_Gl^3WOpa6fI^J5XFXX#y3mNGIrrTuNpR_J
zU9#p=tWfb|38}Zn<bb#=Sti}1&2VrE7Odk;IS>G}js1vrN_~c#k@o79F2v5xi8I+C
zCZ(4#e62Dn^Hye&f|nxwRjB@W##O+AHzK0d{#Kt>|8R3@a?{dK`@_RQP6d1xY01!v
z2P&~b@+5DY7rHpZ(QmuRmMWDNARU?xlNNMq<%;EQV+BlR?>T>>^*c`|$Diz07_}_Q
zjM*PpoTizS@z9OVq}^bShr@zq;54tdKxyfAaE!oY%=~0BT=Z%H0Q7}x>eruz3Ac4S
z4x9jS84F>qGm0JpHlSu1F|PN5d{7o8V6v)41Is^SP5E5G?}Y4tj!1M!xRYtDo5AqK
zI_}_}K7Jvc;*;fIu*tI$kbQbp$-Zncrk3RpPU-0!(vpWW{pFrYwVILfZUegXdLNt;
z&ZZ(qK@G!dV&d0owg;xOvoSW0;F#%pk{A<-2u-NqhihTVU+cIY#MSl!y%!jd&mgvr
ztkfMtc>|S@cIt!Le|uj*8!=}>0pD~hOA{q)AX9d@ubXi2kc(){>h3%Do=FTjGWD24
z)%6CotJ|QQya<9ttST@=9OiN0&B)oS-j@g|7&6k)uzV$Yfu-LY8vc|t$+tnwio^oq
z545^l=e?6*yJ3`*5>ozUv2*ed*P6c>Wioo~h`<qdmOi&S+yXkF+bcv$L!3zxoCbpW
zz<;j?x%Qe~kNH!?vu<5j!y!M4VCoC7B~`tGb?{+!Ex}bD>ZO9Ql<m!SEXX@csn1}B
z?io^_mBI6sqq#$^!gyDQzqq&h;B}X3CU%n4gf6pd({GJe=s1{F6W)%5vSQC<he6|l
zavI%X3--k|2urybspe9|9gar1*!<x@ypXC)BboQWwhqP1D}wjnMtk$FQdknQ4Z-WD
zd9=T!;-02#ces>6$qeFZWFTma5p7#!D!Lba`t1`1rt0U)Ug&<NwX{6`AIjb;AdaY6
z7exYu;3T*OcemgK2oO9W!5Ibyx53@rHMm7^cXyWog1fuB+a1Wi@7d?xvmZ`B%mdOr
zU2BznRqHF@jEeB~NK2m!6Jm@MntnEYpt`0_?b8@xDrq_u)x(diZt5tlr(R$cJ}h3`
z_tu?L%0t5ap4NBfoukHqSfR+N3U~?{(HQLbLk(0Xk^ZViPEBO<4Y&b~fEs2BLedDI
zt^U^R7~r!#AgJ%{!?}J8yv0zxCSsVpmH-4Pt|QF<aJysX+%!0;scHE=H<1*^AGq{%
zP}iWo`Wo0T<c^PL<5rO3qv2SA!HyRZo#`=ks?uWitGg{?zQozk0bQ}tjCw8j(4M-P
zg-eH0rPbpa-)b||?pHDE_1KlSh|NVaiQDO6irf969tYsI%VdD)g~C)z9W}90sBNbm
zAnOa&bOw?tAO}whkS*<?#}0#xlu#t9k0kWO#YCtjqbY6uDHyC30~za&igqX9!2V!p
zv`}9pSVtGwBaCJ^(_7C0V#gvW9fzK>iw-?WQ{YTlSPq^bN=3(u`}@9a_4g<;P3#FI
zIL>e?BsyEqwY8s$jsYnLS+D4L%G0Nc(kQ9xnYh%(1X>RW99L2LriPvl`$~Oy@xC9}
zI>{YD?`!Vl?&;?nC+|qKJ9(YUCttqq3ZuM6*goN^?vbp{2tb6Vng775zu7e=r)9%&
zMN7C+>N}b(KGjmTQOGx(#6{A+P4r5g2xWR?wRp(JU9&X@gs)wXw%!7k_IuErK3%B0
zdLbP=1;ybTbgc?@)`N-WGs)(L`xh*ku)L`%ce|)4RdnFhekbzNV9yN^(|Bk^oY@UF
z6=h;b>*-_u_`#=O&O>cykl8iZKU`B$k=@5Ww05HL`Sn?+x>J;W58*!R>~K8;JiRu5
zYEa+m9`bkeeOiSH`9;9p&YCH*FA`1b%>zQdpi)z0;joC&#4TI|Ad!?cwcvfbN`hM1
zk&kCwTk8h}d1yO_+U1iW+gZ^toq2-~>a&U3$~rJC{<e9xa|)#!N<%J9WPeopv{Rh6
zFZk*sy$I#04B(xhEAt<bKnN*0)hq<asynm_|Cc>JOhKOLE*f92GyRI2llP8;sWYe#
zNHJ|#tV#8_tB~ok&SumHK#Y9T;ZW!|W6OK0%l%jDqHqYd^K0+@a5D|a>NT$7am_8L
z0Icc0{yI*<YWa6N@;E;o1D{U^JcI^p?qRPesg5G7n=BNhJ7q`JZrWJ~#v3cwnvM~d
zHorYypNsB9XS0>(A^X&cy=T^{4|QQbn{~r|vG1-vc#VQATL;_9Dc>cx?(4Q=D?L@G
z{GxPRARN3W;0sIHT#epq4`OSeXJ*pB{KaOtgrz-om|6@TxVgT8p{|{EkcoOBv^407
zAs$XtRAt}GFe_cemo1-ZtB>P@6qFzTZ9P5%06JrS^vk+quwRZ{$VC#huNNb>4i&b5
z--}SCo=c;w81f?2%{kYM$DTu4W06vx1J@XP@FwTw1jFG0iA=2#cUJ=jv^JUONE$}_
z8Xo?(C%Tb3W9dl<#nq5*Wk?*NsU=!Q9g`=d*xVP7P3A{$h5<GY(l;$<rM}^7j9=g~
zvyE_rlir2_7Y=W&l^W~0p(e^T`#BnK*g3oMgf6DZ>Mkqs=X7C@&8lBHsJX!8`uh+r
z(=pAUKZ?q|>vTyIZ_scuBKYx2v=*5GqpiVNi3GMK*vxQ0`K!%j32h4DS5LlL3kJ$(
zS)}Gv%N9E!VCpXn9tzdH``%#fiqEd;Tbr%;MyUR_W~MX&K@;;cDFQ@CtG7}HPa!s`
zvtZ5nY*If)q3(n`iZ34{@|(r_AaDG!7}_$?psVMhlny-RXqxJw^>L@q#JSc=yM7r*
zuA?Gg|AIQ!CWSzNDjE+=Z`7Zo9tP0iC8Al2AAyj4Rb@0=a}BLCC@N@!y+QS)AcH9(
zeYoEA+{MPn`U0ya%(%`vbMxcFe4<;CzJ4a>!Dg@W5<kZ@bb58em*XQinx;mQ2BOCL
zoU=i{4~@_W*lg#fdr^|pmekYKV*$yG>8NQu=THmQ?8*a@@vgNJ1Lb;PZjL^W8+&A?
zyHxihZI4jSo~vb8tFtiw3;pzcZK7DxtrFrS0v{x$CS->j(Oj2Yu9-D1kVRTZo3f8L
zo3j~+0KVr8JzqMfSeTQO!y{9%Tx=s#`L3)EAO8~_mBgJS)|D49Or7h>Z%d2F_V5Rs
zRP{3|h7i8`rzj$7Wf~JK?o4>glF{<UCjqC&aJbZTKxb#y*>0{Ss`2q?GBve-f<wvH
z&6V)4Emr`Q*4rLGZ*Qo62xhC|!__&O!wKNI4S-5;mDEwPGr4RI_hz&A7Bl280Ex%+
zv>9U&?cjJg(&J;+W%d$V<1JVf3@2WckTl?Fz<Ea7k*m0bt#3lY*DomPA_t4N>(6Q-
zO>`IBv2wk#Kgc3~cXdR|&tKov5yjXQ4=q7{C56v$4u7&dJYaav4Na8&{rx2*C2g*c
zS5&UPsH+DvUkhe)hDxUts6E0#Np;$O<_)v+Y;u`xJnu0r3GU*0u~N+%OQEuZ)#5q|
z8@@f`j&9x4>iy<(Q@nq}Lhk8mulY-0hBFpAm8hTdigoPl^$=;<PpJCiKiOn(ALARk
zBS53`3kM|8&o>R~jSP!ke7m#?emhpzjuHaBOD}ct0kr+?W(3+(Sn?=cA`tQQi^sc!
z8q13plF{dANupRnrZ^~-@ejshn%k_vo9DOrcbU*KpuCXoJ{wQyWrP0Xf1{G+Lwe5n
zW@U%)WYyWgJQaq+n<7W78=)jP7Q%(8fR!FHEaxQ-;e1O&qt84YN3MYlstp>GNv^Ds
zBB$s{PxK}pPi5GKPiJpAJRdM9j_!~?w|GR3j7^<RI`q`_{ChH9P}&qARd&f4$(v!(
z$(cpysqX2%e!eAeN_f6)6NE=0jI^h+aolZqH<N;Ese9dVbfW)w6RDA!Hf#oE3UR3p
zID8P~Ghpe!BjtbksQKFl$x-MYOk?Q)C2X&ITB(zR*yyB|S(lxy5eQzT++9y-KMk&X
z9@I&%Jri$h&CWUu;z*I}xHX0>h`hqGwSV(*ahd<Cf=LzpU%lmnE-0D0IV~kkhyV7V
zXz8GgU(3n3_94gPWrCv9tpMX1Vh#s=r)U?sfb)z$q)(`Q;bfC1LjFbSEVx^bV%eU%
zt>cUl`bTH`kOSb^t{VX3sP$TZFKNyt8Tm-RYtud*1lLuk!`bvc<oxm1tF)7(PA}%a
zVzpgo_ef3SaV((2#*68ara<~w?AMiuRgNz#{t13Oa>ccLQ4PThOO6y4)5F0vl?&1~
zmgWTTYVp?I{G5Kry>EGWTflb?iws<Bht1@TG4t<lI5KG`CI(v!>_38DqQYphmcLGh
z!dRZxJzTHO{;sd!IYKVWJw@)2e_wg+1tD7;z3^4DkXR&W<uU)t&3$A04NR>v8{~dL
zYnOsD2B=T};xWk8t1UljW-!lrVMrQm#eNsZCs<$PkwG3-0~pkILRmay=+hY7=DpG*
zitpRUf+9w5nlq2cYAXIT%a2}ks5ulAS-S-m(6vb`wdPf5G&T}8BTlwY&-)AVn^0Gz
z&~rv{nZFv4v==;Sa#>=@X6`lo_z{Pi8<FBSMV+U)V)rL5&JM{JfhTV<ZTb3ZIt$%l
z3KYyIHo6A|zcy%3{Dx@v%IX<1k(+lojoQjc8aTVi7?X+sDrAEf5}?@5U9K0-QhY^4
zIpWrL09EHF>!V&vR6b#OeMj7+u{YD|noDhM+!6*8o|obJLuWggQ@qT8TlOR}l5S)#
zT1P=Elwle!TXX|x77air+b_)QG-=g4A!ip(&#Q5yMr_rFfO86U7lZq|{vk>u9f5%!
z?v$~Vdyej!WI7L1evmddE{<casiC1B*_zYa_^+oJQ+lTt<QvJwa`-r&HipCMC1A#H
zN0hGOusDD(nc1IK#`-N4a_wQ$odB@0cF%7=^l6S-m3ZTa0O~8X`Sp_9C=1sCYhX7a
zwz!N2M!Vab`8s1jl^JGm)!dBQt3S!kLDOY9VKTN-U&Ua;!kUe^2)LE%U8w(vn9Sh&
z@2T3{6~ar*+X;cucY1@}q`q;S>BvFPq<i5#l}7k%uA-p4kB4V+0&@!W(8SE#*ae5<
zb{oD1^&d&vc=~>3jnka8nL={V6X4AiuzDZq`k2_&jXok*_lI^tu1Bpx4@I%@D?&>{
zx^<58<%=Pzvq>c25Db46ionJJG$veGB!TLm^9Uj791sWzZ*pdVNLMWkZCV7<6~pnv
z;S<>0y>8BhHM&F$V6|g=Y<mpLD<R(4m|Jcu*=Iwr1FlCI>+vVHnHVkPyU{f70yp38
zpdKSq)U#jZIpv#SaGG@!Zu(~*kL1?xU;{`cna~zT-jGdaaGO}>Uv1h>rF7-+DGGoa
z>(Y6N$>m5=WPVSCKQwd{&N=+R=Iz9X5vNnmz;6?;vgBdC59@IVJl*ZIq;i76FXbsT
zCK(B@8}3xrc8yBVnYE(mvk6JIF&tEDi*+3gt7}Gz{p0p)mu-)SRA2d~Z@qt}<mkk+
z7}&j(9-xW`pXgI}b;-4DlU#3bX};Mal+fP#%T6IUU!Vs?v?TA@MRQF$^x@>7;92h9
z?B$hfi_dz!L+!aNvyf$BjBg-t5#Loeo$gn+FCQ7?4NTR>iCV_kK)N<gN$CXWO1RYb
z&M6~kV{fZG1w<!IL`uUP#cMh7`WL9$49sK4Sk|Qz_!3g7zzBv<!-X$buN_$@v;3|<
zTScQ5Jk~{DOYd(ptr|Vs#SFOk47Bsn`SYlOn*y6MnDO=uguc#xxc2q_PXAP|WNoje
z_IlfwI3BBeiS(c+_x2Q$S4M-bpxp=ApbjGfnPr2Ympqy=I65)&Hi<}7uDx%V_Iq^A
z6`e#j+b_=#_BS!W(bzS@Dh_owWTaGFcwp=7NW$@^p?0VJ+Js~vVl1gfNB!36O>OI-
z*C8SsKJu>ds~VI7B>TNQJHf#e=Vy51XMfO+U5>hKVk5jIHX^l^l#S>@b@4CM?Xl8m
zSXm?;CebovHvBS#YwX4OKfzlk*9>LpD<fGpvMj7e0V#*Xy=1YGA_cEv)8|Xw)CY>e
z3$-evV-Y1nYqB=8U9OsC+4TX0FoQ3?(j?OYuM$bCo8`U{3<paJLq6@Hw<TicSnlqL
z;gj5?8HdX`y-i>Md`!pAKglsZND#dC4sGBMTiLnhunC!`x~#B{-ylo*Ug?2Qv(M1w
zA<sXSOrxR!k=_kjaU03;<JP<^&t8TxJFPz34uHd*w-Tz5n$?(LRdV;jGqltN<&e64
zfR-Ei>Sfg`7W^-gjRUv^txGUnB->JjsDA*(cV57%=nD4#FZ?01H)Z8m>a31F#=B2j
zQW(&mTu;9<q*1C;4|A4;0Y+0qDQi1ENzinjVU71L^QQ7kR?G;i6Fsd?__{;V-<!#q
zHs;^leBl##vOm``R1xbUbyaG5z+>vx@b=FenCEaJyi(g{gMkvU6@NTWxa?~WKEB@t
z?OmxVvG4IF?wja%PAG{+h^+yiGq+Ul%q9i*Y;Up!HRd-l%dDjIvPYw%Y=XK5V$>tt
z*5p*?#zc}Xlm$%@<ax$c$<6mfNxojmZx)lw{CY%Y+GAj+G7{BoEQ#H?%(yuV#1eVR
z1gz1>giRx@|H57tPH4F=?RE#&c@MELi1z(Q9vo4ErtdlB`5?0~9S<3k%jd^b<U2Wn
zyeup0_2kT}G@c`Gx>;=5m$w$2xbxt7Vqqh2PuB}>lw2=KHE6v8yRUjGKV<mJPMytq
z&I3<%rJuf~H?UWFRQLLCW{-b?H{`4y8$3l~*}rJ|%b<2S`sbdq1hJ8V;PjYvXK|Nz
z?b&8~q|UO`t*(WZz~;~H)2PEx{1MQ*`{|eJ4qM2lzji3#o^<&Lu%X;v2TVjaP-;wp
zyXBJ_xgo9ls<>y{g%kR6Q2*MB@OpYIW3IUB1XBH`neWw>a8dVQM5HR4NvL-N>26PM
zHoLRaTl0XROb-aDgJ~;`BA7yPhT(a6C<ad}IrQ~)0>WNJ%&6B`GAgq4uaqhJsyo#C
z&!?;jLq?h7)M7ZDE&`5YIi)Ur(|9~?@<4QJN2msZ%S-~j?OE!APdohCj!j8MZ)ble
z`*^>vp#4DnW4xUpuvTg6%I7TSswAD#!4r016QXyMN}Va<$QaEa{ERQyv=c1-;bTQ4
zO7lgnm1+4?*#@^BG5U311iuWia?k982<aE{On`yWV9uv?Njn-!mas4ol9Q_}!O+l0
zs_Ih?P4^~Pk?w`0e!43_cH<eh|6v8`<a9LUJ5m9A+qPy(ucT!ah(_LGb2O3&9j!?x
zOuB-xAy0Ulq-0}sOcM^~wxX8wnn<*_M!=WnmB{?w_}}o08H>~7RzISgiaOtg4`!_c
zIVZPtUCwtiGxI3Uh~f)`WZag?&_OA3B)$Zkjf}yh-0u<^6lRV#OuPtrC${($^xQDx
z^B<TX!WaB$lj_Cb(C<f-duPMyRn1<1ijEL6yoMxb06nY$TJT8aeZo$pY0tL({&m$#
zGNa+|w|c$W&Ec#n1kxdB?M~)obJd5wUR2m(=luf+D>xFvLzbjVc3zM&_fi+azHQU3
zbTk%<ViZ0;*+1PMgCAUpMR(YFmp6ekSa0Nkmu$MoY&<QGpGApT7n>s?yyZ^koJ41V
z<3(~NtRiBcn3Y_^LNu)SiQkd(!+Euokg2f#qzlwsq$8*2i}_gg_{!BoapV&2@zS3}
zR*#>T*b}QDtBizkJ(#yz`CWQzN^mJiXC|0UzWGr?1I;UXh1Z^P&7Y~eX?59qk0SWO
zURmA2FV)BW-KX<au&<^n!%JYi-mhmgxx^bqhOOX|>2Fn$;xm8HsJZ*u#gMatK@2`f
zmlZ{I|GhhqExw@Dv<!P44WB=XbgQe7c`j+H0Up%;^MgR(k_W&!`9jg{^Y;2@0}oiR
z{v8L^^xN3BAm;6B7kW#X0b={lQE%`RS^*|GwGgOlzD+5^_sR#~96*|0Jurp+z|<-H
zR%SUdWzJy-wAs(w`_<{E&R(=ITo`v(23Yg$>+mZ2a};c^#DJlyTY_LpGQD6w{ISd6
zJB*sUd)atK7&UcppIO4m`aF(PTsLQCD8X2n%%p{2kiC;<cVN}(ZS@bKlut)PS!`Bx
zX=8f9e8W;;G7<34AIT_5(BTDGST|V4V+aRmzw%HI&4A)V3OsJ<p>sf*pJ&7PiIYVm
z{7g2&_uDfQcyGc{>$4A6-cybQm^{E@g9Orzzc)EE3oT90ZKD<TWF+fcwGj@uvR?c;
zGO?^L%5!%jcf`7KD@|_cT<WD<!D)Qx*8^M^fBZAS__;u5l?ntg-o&`{4N@cBS=0Lr
zfMxaA_<8CIACIoWftby?lU@5(`AL&Fr6~-Y-)cF$6>oG#)Rp)WfKOzAr76I|hl3D|
zQzzF;mXK6n+4U$hPuNIVGCTFNIT__J)T_TPwK+q7EX_~uCoFws58U3~OPp^=@}GtB
z*w6Rcc(mv-f_TRVKYS+R^WjTs_KJqBIXBpCsc^EGbxSY2pc14=Jz2wMdl1S=DnmoX
z9|;Z2uRcB$$T+cqA}xKXTVtPjVFFPIwd0-tix(jA8iG5?op@1hdx<R!b6m=HQ??@b
z4l%Ki%8@~TahBNd`?s~u*yEwLXCwoP$dXLN#JAfv@UlI`a--^OBSI10+lz3yh*$F)
z5SN3u0Lu@)paa6&;-b4mVbfQ(h_{o0WUV9^fJloS6~L1X3QEEx@U$w*MqZUBBNyNn
zF;zq243{%>_8isJl|OW@Sl$0!{8%~p_;42-5n*}6_H17y)+y+in5Z~7VmbmbYU(5V
z`(@1A2JiD(C<X@}Jq3>wEY4GI-+(}~0{G9t(dC!5{FLqn=s=jab6lP;H-LU5Pq9O}
z=dbx)hn<U7o&|mi`m_FDL-Dv+3q^PVcrrVIEn963hnpu)`zA+0&;QDTY*D}YUw@`G
zbpQEbgG`#l^+!lYPwq)|wWH|strA{QtN!OX>yR+vYoxnM$9FHkK#lv~rp@pnL9vAY
zcBT4OGoly{uXKFUq<{KVmnK=S<;dtxiE6=fPt9yZbJbkx^JkH#J~Mpvu>ld=(ERA<
zzsG3gK@;@{OU8HssWa1i(!-2$*fEl)u7bR+6Uf%$aICUw+0N{9UR1iHpwfIM?068N
z*A|;cRRc_1HOPpr>+LP@+#SXoqxb!ioH9%%JkwF{E|mv$;*B5}dQ~Y-5B+!S@^>O2
zbBmwM#Yaiw?XpMhI*iHYS6)4jM5O4sPlrBPDY}OWy#-z|WbY|nd(5C5?%CWPo=vv)
zhKq8oFT4U=%*lqVq?tpp#*j$wK2-X$<2zx@x#OfdTopIu5)ZVS?_RW25^bP|Uy%$6
zP!rz!X%rfsAHDv{;bzS>qXj5Ux7he-SFQak7{}}SX*0`&S1E=wvZeWf=IPpmmGme_
zK=gUjU`5BGPQx+#X$rDRg8{;TPCE`g(`*lMgG<#g7hBfsT4S1f)%QI4^oy=h{wZ(z
z$Ou1$InH%E<ek3p7qJ&fx`zomu{h2`1@yyda?K~aiq}v}KpAHCStVM*7^GI~*EJ<g
zEQT|R)gGu=){z3L!BJg*G(f%=LXwPc8~uX$<q2G4!aUzV@HJ-Tg6=0AKpUmSjSP1Y
zF*twZ*;C_vgeI1P56C;KOHL`StV;%U><$s+qXjn|#jhpF?geg^$+)~aopny+zaU!$
zOu779-eRr*AZfDTy^lTKcmpfhg{7q;4vOl#uh_}0<w*5d9;-sFPTi4qYvwGTHr}9y
zZ%Kt#w)X^tc3zH0-mlO4<UwmcZ!NB;46o(!N_qJ74`r-qT1!h-9%$|m(Y#U~h-htZ
z@pYwf8(lFy$l%7?V@Q-1kh8B4h(tg5k@>^ww1tRA84E<l;zGr1@(YUga&>4o#{M?t
z#2V4nYCBUQWLq`yBXpE^MS9-jP}9XTkL3I~gHyQAlW6cKh4I(-uEGSov+^olq8=&T
zTb@ve3BrEiQcBcJ`>5uScq99oEua{6V<K>rU=*vht8r@cZ0_K~LQpJerjjYKAvs3o
zXDmj}JGEo3zqvkYC?Lkia}Wm}iLikoBIz&4y{%_Js`T`S=|*#uv8h8NWp%V`4g9D@
z-z79O>f9=f!HK)xMI}*x)pvO&UsA#0e!H{vEltTOXsZZV@-<21lNj;*KmEG<;$ke0
zbKWEhqsDu<n>zA5Dc5w_70OosAchqqM0Ljrf3zs<83-_$d;z+s@Yw5C^`>g>tZq6n
ziGGj&vk1MB0ep!kH90F2T`<|e!zLlL`f-sf0=Un?Y-|PFm|3r|$IqveJJ!kkI@eq4
z$p$E)Np#Y45`B6qOQb->F|<AX5s-3%P$JNtbYsPeX!oJHqqkQ;G712nWj4j;pw8Jt
z$kge;u{__LM%!|1V57nIF{iNaYl(lEzma}vValDpO_y_``ca`#x)D;l;{ElJ-opHF
ztyxpbxwlZFb2!14w~(ApWq?51gE|}kwf^a{+*A#{E6>?d`oD?*R|NpVSBfXP%4?5|
zt0{H;2~iN&J>Hi%%JG%CHRhs~EBCz#bLP3XFpb)5JN_w#Se2CT3?1olD3#L{<MkN&
zwfwsejLV93z)-KyvRBX3dS7cn)@3GG96YwVZ^zVp&S^diQA%Q1eQ%f*_&0$odh)C?
zCf&g;!iTlb1PyPKEow9io{5>dgeDy}-O^$6P&WrmCtjbZ`$T@4DvY}Q)iW$7`e%fs
zm8zb_XT9a^kAU>L5cMS~4qH9eQRZ;R6sBf-kyF=<Voplla2eeNh&&X3_i=tYp`u|5
zI?t3o++Naeii_{wJdnK(UehW}X$W!t-X`~8&x;*FR^uozTp}U^X>EfLt7oW%pipOT
zf;bW^x7PN2>vpaU1lKMs;7Kt_VIvX5ev^HOZ1sWG8oQL7>#M%)7G1-sz_ch@Xf2wJ
zX{fCt$(F#HYU1~hJMoZFc)V#bW-FlPLED5~OK2CkaQ`IH(YP`Q$$U0hCX{&0gI~(b
zXtSzd?RE&Q$^shC3HZmdLNRbORZ9&su$f-e>U8bhICqrQmM+f$QtF*EXcCczg(dSH
z9W#HYf-=(Ac8!s;Gt4m^%`P+7rdrT`UT~c4>nM>&52^uD8Ib9dk{+GWiqsy#V~fu5
z$%@LQdWqA43r(>jr;R!IaNEwtbtl4izq9>sWvk>yQ9H;NxrE+mY*7UrUogyQ=@IGZ
zai{t$xr)O9Q*fRHQL^Lj;c+)J+xV-eStZrO0zL#yU^_3H-TV2e<&l<K7`X>RkC`Xp
z7&7$h1*xbbjIk0kEkNOWqHeHPXFA&+Zekqr3X(2FkIvX+^%-wm7t~HoVyxQOpVvkw
zQQjW4<8EL~#vo{^&uBDy?AM_!S}6fEIbC1q#ID$1QvL(uS%`jlXC}VsWwlwh+c#3~
z5&haM&|42Gdv#DP?(`vekeS$%=X+ou3M$CUfVE<Ci__+7yEE0hu+C0LYMN%oHShj=
zrtZfkuY?2=z22gt0`3hai0-P7uO9|+Z$;mx<edzI_6IY@q{mgQY+j+_Nzrz8UM-n|
zxZBoJOtpH9Q&U}FtSYx`bqA}exE?ssLw?QusMsgQxVD1wTZ5N|)#T*U0URr6?Xq^c
zgsip2RQHxSYShY;yYU<W6R9L;YB&Np(2g^cHK66tZ^s(%dj9#flC8hQFdiONS2T=@
z=2RNrvvhkUpy4?mJ^A85>9J0ZN%ZZ?M%05}(r&DqvJ+G)K4QS4d(eH1xLSP<N47D^
zUNsqw8yJl}xLSEi&jeYPid9~kwuvqDOUcIBv{W0Usq929YO=gjijynXYbVPgwet6H
zzFxW~W5y~AJrln5?g>vQR;<+fSm<e)R=3@iN%RCIy{un`yE@a3ZHdG0=?DOdW?JZB
z8q?~q)JX4dQfQD4z5Ski1*F=@DE4aHF^-r55+Yj9HFa|p$J&57M0)T<k!v_GE2K(R
zua#_`Uy{WqG)l|5;%bh9I6xs&g2%SUiQ4uEG!Tys9g}A$CrK=?Gx@9-(8%7JEf#wN
z>b*%foyBgaful`Da!aS&)LH3N)zzKeIaqt&fgyWsvhWxjrZfD22(tF^T3hFO8)c16
zid<0a*7qLWHw<l~U2ccLIF2}HhVEU06iLof#4CgApM6$+f_0Ic4J5mB0IfzF(B?gN
z_0})SMqgcfM!9%LD5_GECHUZEFTGXSsCcH0SOeH)z080rOWhj{KZ`SvdD~c<!Shd$
zNT3M}WDkDjBW+Df%R3KML{EGK-aFm{)MGdlB_+6tRJqb=jJ6>SX_E=$=R#F#L$zY@
zH@xzSY5y`?)ac~6k<Kq#+{<fQ1)cxA$bD{?-GP^ZIynmS2n5ad{SnX{#a2y<ZP<Y?
z$vsz4%fAUX*B<ETJGSz(w(t#1K?!TTAtwnUcEFWkdxU{pM%t%a@F>AD%J>JmB0FWY
zAEdVMmNNbMbUfY(fmpIglr&mQX;q25^W^jA6+mowh}Ai!Yzy5oe2#yh3sQ!yxqygv
z$JrcO81Y*vr|*0M1rb+3D#7s@7WKEd!{dvtwPuHJXgu%+dhvDS6p*^^Fv>WVS`&lw
zP>tpDxc+-_xjJ7?<6?@9jVM6!V;Gs$yZFuaH@t#w%+nFPOo6U=9SUUE+OG@e7Jt5_
z%#@m<)}#<iF0A^B(x&R2K=8F)kw#jj&<k1Mmm<R}GM}tK1ya4eSM-lwIEP{RnsXZf
zGJGP$Z|wp)-U~?GrvGuu7U^2n`!juxODQ|pZyo5rhyGKO=umo&#CPK4DXZ<D*<e1B
zXCiHs28(`m+ncK$NV=G%ZFDPbvo@Rh>u9mibN+=gk@IhYp)=y~-vi{rJ6m+cAvD9b
z>teNX-l&ryk5sf|p_`V_Jz=%qNoQKDqiB+dsB*xqgf6#6ia_=6+#iIRf`U=kW{_O1
zq*Ocjx;L}0fz)wTmYahQVa{lv^VbHO8F!qWZ(F5rr`sTCL%O%KZqTNW@UitzPD(KF
z9=LP$+{P@JB{0&*URO0@!EcZKIx(-6`NPmm{+1G-rYaryExC_oz9mb%V%#2+BPbiA
zzb-yJs!}hl?rRpFYHK95&j6FYDGY1@2O_8Jt;)U*<h^ZI!ht}YZFJ~5EqdTu;3fL+
zD(HN9MLRn?*T4~%LqS8~V<zW^$6m7<N0Xy}(>7U5{(lA9+A)MMnU{dnW8YNEzGTmQ
zq5h(?+SVyhf~E2gg68#R5G{`;^zQ$wRw^N(u}#5b%$n2d8XK7Y<cD2D`*=cGo1<u3
zaQ;#y|CjspW=Z$OU1IVk)8>S?ZX0zh<uv*J)Bl&xXxm@wGOld5Amt>Z|MlbOff#71
z_P<^Khh&NwMa9*xi7#ckeotUuN_%-nR&)#BBYrj<(>5i-Ey=0^cq@`<M->;YNTp|X
zWW~aD1t5L8;8@HzHOwFn!UNzBEx_V=Ot*K1Zr5~15_podS`CkJ<<E4%W0V+vlwVLS
zIkt4W{KjF8#}RdVwlr;oKVbPV^04=;$h`&yJ_f9U{UQ!7dT8NUPl-D0{39(*|HhEl
z6;|rnbjk0;;}lMB{vP9|KR?<>iTku}Iny7qVHtqF_t9%}5V!-Rp42x#Vw?S;`b}^Q
zagL39-k2?RdkTOBn;zYG4KdDMHXNMq68tg}QT8H9t#6O#p39M1woVuYk0-piO$~nI
zcwoxWzl+u{;?@#|Vx(U+hl<4nUS<8|rN-qH&B1glkX8SoEus4f18x>L*}l;wx_Q7G
zJF}=;S%uCMa1qj7(6naU={2z#h{KCu_#eo(&d2E%32T>3!f+N__;J|da_Z;5?75fE
zc&;1>gGh;XG=io|0K<EqIVja^H}URto02i<pzv-N$GyHB$YPV=**7+D6{ES?Zo+{*
z($~G6a(f~z<~zeOVZh|X8cLukLzim<;<&?}qYnGLR!q%V+B{gJGkTRJ#z9Kjfr5N7
zH&5NjW{+%JJVbR>TpGJ@FxORyFvCQb`#ZB+RN@=eRpdcmZBPKGxdy(bEODfTmLij8
zc~ZrKLRMe@&yQ0a780)~-%b^UA)weKwiNlLilZ}_g-iGaTFnK0Bb7GgN9!JJ+Yb-Z
zRBBD;;I014c1UW=jL}(>O`7Ig7|F|FaRK0ouWOy^|Jf|$Y$$<Wjrde|u(WvsnRgRr
za`+esW7$BDZNw<~QXH;R6BG(p()1lzSp3&}papnFtFa`^&0z#=tIG@&F@^Z=R)ot#
zix4*O#m9nn{u)y1+zNI$?Iw-Lb#|RP;+};S+!#)zw5(Tq9#J3Ge_NEh=y59yNhR@r
z_k+(n7CEf&N|nQ;$$L)nVy){nCAup@ij6FNJ{(-i(Oo6_y7e$w#q>0JGQHz@X37q}
znTq*JuxkFY;}j>$@w^`VvMX(zlvem#G(>onqW}|Lq%%Cc<7E<fHQO5R)Qy6=t&Rz~
z&?f(!wY|BCZ_&znKaE;Q=MBy}mO8q4Q_7vKyEzz0o1%L_MCYouUU*BkXUp;rwM$p{
zX7Tzb=jS+y>4ZZITb1|0p{$1Pod;$M`uf?YhB3TD?hT36K<XMk&KoN^>4mV=(~_if
zQ(QCiGQkTV7gi7Y@g<U`+M(C9ErG&|>3R8Jakk*MrGCG&b)PzXb07N2?M!@u$5xF{
z<cLhxm8E9n5!$Z2C-e0t#cPa8_08pvFV5dzJ1${M=_tYw<t_Y4spJ<^_=01%)0O!#
z`l3Qd47&BkR5~|S|6tgtN#c9DR+9bM%?ZowPX6%0o|-cufz2}PfLO0UIqeSTb8NF|
z<4AmK`Ibw}_<J&JfuDGhR1?gZGmcIayoG9g$rd=6OJ&90j#P?@LFVJ~rj1Fz4`kJ%
zzPGQHk)vJW<J+CVknVg>*xn&pp#k@+Ha3;}HT0y4J7m#C8cnKTrSOIEf~zK|zpi!!
z6{$<Kblor!;I`9=OqaO`45Y!z)zx6EnZuBubIt7V{VCl5{ZniG^z`)BFQ%zpimp<W
z&&h(#jq%vJOc$@tv9l!(?B}Ms`dHR)hak;Mns`riU!=~p5`=?cI*N9(P+Qiq#l^4+
zM|^s10qmWHO3ZTJ1^$#gK+3Q(3efHfTKc*MU6^-y9b!+KJL)#kB<oHh&NYc`6Cl`L
z{!sEk(+mX_hzRm~^Gf+~0sbxy$e91xl&tr^%eddw?OsK@WRU8Bp@$4@PDG;Itcv1L
zN7T<EOjwqZn#BC#u%lW_M&vXuB-ghKz#~c(m;K>p>jhURCsV_%!AZj*>=$(9SXTC0
zlDf8c&LD@M&O0muO@Y0cQ%DGf-gHInB`d;9QPijU#bof%59bmY)+M#~4^XR=h5{{G
z4b$}|WD;oW^%?#XMGd1+W?ojLryDm$%}~8M78%DwBR%<pj#L32P74EAWxzn&ArCM#
zM899#9e?WPx{5Q3f74}=!(yeVka@mhoiQIxGNzvTcvXAh^M!CAtl59BhuzJK8sXu1
z6?K)7h(t%|Q~9SEd~}89`dpoqE1OEJns!HBGd%52pGBm&^iHfW1FMvC>q+I*!6KGo
zgjDjriSWws1TG?7Ffjgu+RE=)3!~YJBetTxX44vPi9jN&uV2sri_p@#;(~tr(%XOF
z;`%6#^V_SX@>r3UD<%w&<<Hwew9YG&xt9?yPI^6N%Aqf=-)7(P_~K~V>7#1_&QivH
zH^BPUvB<&*oY()@@S92(wXrjNtck>Sud=L$pi?-s8hlm5w(|$Gx%R?|@K>EgJdsgH
zs$U>)n_-ajZqL3hY)&PQvr7hXMOK-%s2R_@ujAzLH&=GF7uP$rBuZm)YZ`bsJzj4)
ztx~_KzyrE%Z*}nY!JPw`oj-bR*>aO4;yjVyf$d8@FdK*6d;R0})?9cg&+e=@>$e@w
zlSU&Ns9%kgWHIe;>(9#w>1PYDUjEm?zpfF2@11|jLHOu##IL0=fq@7y9NUTbvFVf?
zEUU2jC_zc=ptLJ2F97zuML%rYe*Zyj@@Hmz1{M(uLp~v~F)L+Fd0QDG5y6S1%%zIx
zPZ4YK@FxjG9`)QuEsy}KWv;bvUEh9`kUvw2d9gErSv4;mj-d$j&=w}vL?u-sY-|E7
zF$+UV@SKDF>$2%SK7IZTmrnm{&>0+C4E_#EV1J*$C|fo5>Ax<pXj!$v2=h0o(Wv$I
z_zMkoG`%G^u8*T=wuv`a1d!qU+Fq=e@Lwx=)^alh%*CE&tKQ-&G%)zt-V91u1kzN%
zVzI?5j^L`9`I}I`ODUCW=L3(2qwsU`<Ci`xVp1TFGw7^ffK;FP+Rx<jeSr2@^y>nw
zt!8bx0UKRebn+7kpI<&T*(KB^wp0XP9wnR_ZfFD|d1b@(QB9&GxADbH|KctJnv+=T
z9ddG{5NtOsY4HdP{q^*(<rjLL$V075J~%DcOY6BWe2XU`&jFHs!fLvn13uXX6)mn{
z$Gd%6<5opQq$rM{>MO}o9TcrG6JxWO>6+8|boPzaGZosQXg$e-&XYo6S8@Lk*QoSX
zF<^;3-m}u*Af3FCV|&~OxKNDVR_=f|CR}Rm8N>RRZb<R_ewU_6g6i~JhW5Ph9*Fb<
z=J2+fh};n9-2tP4bFufFhb?nbI_4Cs_s5J9&}@ri)Q4(DsMBCO5JA|7iP3Ng`DY?#
zMs^8JkK68;HvA%S3@bbiJScp@dUp8?m@iRN<%-Xxq23*OTdDoqIR~)b1P?EwBIl&S
z=X1qF$@L_><?AnV*Nb|V>T_1Gmu>+f(HLH;ksfYmA|p<)|3hyn;$DK&+qsFz4WgQ}
zaT}z#C0}YfFQP}rSb739Y&Arp*u&kABZY338TBNxQbd2G?AEGR?IB=%t^cViM4M5o
zfvcIeD>Uc49DX2Qom}Vom5P<B^1goN_F`r5v`UcEkzKU~q53^hN8r^;v7#zRg$ZaF
zGkado;Krv4!ek3VL0j8FhPM4XnYK&<rZ_-Lrs>yi+%-(FjenAaipY`>VJO{?@Q3cB
z2IVy4I(%hGKFAwVn3E9vAXelZzEyx*P2_3o;ykOi>d3TTCTd0VeT)A+M*QP|;=iJ=
zdumy>cj)No8#ZX;UwD7Oi)Vtl|Gy~Vq_F_MCDeorr|Yh^xYa&A(Tv^Mv9{LLu<uQ=
zmJ08a0utTQREFL`L;h$+h42E)s)HiUn)K;O2ebbaQF^lmzRNf)dK{y)?>YxKxSrkI
zO4B9%iBo&Y68MVI27LZy9lcpO(AZq4U*y!Zl`&|1j-xJnr#=|%(_%jgc+q9#_rI8p
zn6B<+|4`U`I)N77AEg}|Pik(LowNUwsB_8wYkz=#oiIgFOyL6(zZbJ*AopKi=w*8a
zrNaNe<)D}FW$5EvJVJqx*vcf@`r&QF>C^CHQ;(E-`VHArB0DD^d#s<n&3h!c&#$Sx
zL`9Kd*MEK*G5wP8i76z0vOayfTr;jXWHPS0k||U~RyI21dwl-8PndDO<M=<6sW2tr
zyosYfi*bm@^g-B8uB3eA#FSnKT3t8mumVaTv3JhtdjzLF^R^39_5yAA#0oV(%zF2U
z#Fw3$PP&SmHX6dz7W@;Q9N(=y2nZyPSy`cgbeQyyI~>pSmd@Ncd0m$@TVpWJJ}9Xx
zPG2t_j|zR>y32kMk}AFc>mXpTJafd2gFVsTR^@bSJKDUCw)$bE%Q@`n!2|JOUm;z#
zr8FAwI?GH%Z$E@V>)@W{wEoCRXDA@&hmLTx_)0ExMtJDPkB-ZxnvfGSV&*b}+Ji@d
zMBd|h%OA@1mz3SjX8Maqk{m;J_uB-I;i=+>3!a(HJibwdD_U=q4WY|i$C1{v9+DuQ
zBBBTSm0-Cej!%LURG~*Z*Q^%#kdjiHrE`7LP^DFGPFA{pL2Mc*)XUidX(cp0*ncVS
zNpy-tT^plJdJUnkyS-ViCPQD&=28Bxtgp7^H%8%nE<Fj@L(nA0c+AUH2GuD=xL<Hw
z{%%07b@=eO#S{5*+GHrTWnBh@)eyS-T8?n=0)CAR#;!uoSWRIl0pUj$2CV{FOlHxk
zO@CR8kONoV0{=^q5(^9VJx@4-VwSzbyRC$b=pVuh1b9<3-j!JI#N05Kx%F-r+n&X2
z^9y?SkhRyBAYhpWU$i(oHr`wGuDBnn;`2D#KbAL+Bbem?0BMCPJTr6RE5*i$jGP-D
zIok@`1zf`tMw*=2aQe>nW!N1-TO)=%SYeRxV*5Z{;Ph?P+Z2?-=#?-MzC>Ef($W0d
zd9$^yqypzZQ*?{c^q|XKz3OkSZN%*hvE66;qLj-9;2|T3hW0$MsvAXQBwM92>5<`9
z{jigRHi1CFLam%6_V1#3>$%sYioEGvbE}B=?D?0P&znDUEUvjFpsc`DV-x;S?&gMm
z*5`Wy$5xTs;>=d-CI^rQDK<L38{+B`v(H&*qX^sL;V4oUxNE%}$vrPNSqdx2%m16&
zdU-P~VQEuD8@@LwT~dF*IYM!Y(<vz-slpQ2U*k`uP+c+zdd$HwFSry9O8TM>e?1{z
zCP6qPSbgLuSZ%j?Q3C4g=BS?V;wFzKxB?7VMAJ&D9MS_HZ@=0M?9vsPwd<qP6nGMH
zdQ8Wz^AKPs6ogQFE_Al1aZlg-^!3Ya)gcQ7AGN0Tez%UgVMK8<(h;f#d34ftavl`J
z%7vXJ{c+x#F4g0-t^QUvydmWx2|f%zPrn(|$jfm$!-Xc*F&yiJdIDcp*0p6f_WQ<p
zNkxuDh&?VnlReM(LT_@+kgwFerYbKyWK{THKlFjzVg*v_n;MRJlIr-a`J+Xe$=;gf
zr9QwMl9P=b1dP9pZcdWf_!SuRSkr_2;n8t*J{WYM6>&J!Hn!YevWM?e;u&!45v(=g
zE%jnMJ8qyQJa0U<>ndUMV@?=_U1C6KwQBuprj2LUQmom3^#Tx7(YjZ2jzVR0JdlOD
zU>h_8c6Q#b#uCII6&>0w5)|+h$~Nk@^^_gWb6P+=RMU{}4}xVP97kXXNo=A>5HJNU
zQ08%A*nUx4rOF5M4@c~YeZwRcR_mR|A+u`PQdw-~JI~Z?Xr669KgG{hxP^TpL5RBx
zozXM)=s1`YF*r5rQbR-oj;t$bW%)xq3KFrwdrt-32N~8^O9RqP!m*!{e!b!uk8Y_+
zY&XTT!tIO0?Js(<xT%WXVMHQ+b`=C{9J|@%ok(f(j|?8?(l!B3CQOXL-QT0iS_4Dv
zpHkGe!*n+@<v5rC`#Mum4Gp9zcrlTR)TWoGIw)uK(lT2&84|kOwe-vakXu4pmJc2I
zsJwNuB6_<ttm=P|N`ET8FBV5ida^{ns*^0gkI0SROEWZwaWXNtTFo^Rx?)ElWWOP{
ziQC^8j)r%7JdrEB$bzU>COv5oN>2XCTcYtb$B`<P>N@Mi<cv0?ES~LP(yU7Q99Me#
zEB$(1cRC@qryQ0*khh5J$HA8W_mrgBcfI+a%Zx75-I@ZCwl>R{nW70|5u<c%Vj9>p
za&+<opYR7eiwB2m-Mb`7=eG^V<;4?|^nco!3AZdNMeb#$eNj9DXWkSQyuTX!RG25T
zuH$OYR;SmSz1JatY+*Bcy~6x0VP35B0YmT9ETRi&xs{r&x4W3^@7b~=p_SpiqDDTn
z5O}jG2R$s(7v1H!TzW;R4;k?L)LO=hr*wCj#--g9-z%K6h#>{l^<wia*1Az@zo>#%
z04NYF!tYY{eFm2G5M*iWsOd`CW3E%0_jl&DGz+7KiZ;E*id7IE<iQovQ(~bYfvR|1
zz85^K-q_at@V02V>ZH3~ympjBT`<ehmV#O+;+-Nh<s$uZc+59aMVRe&KYCEovg=MI
zzTC!u6Hpe*6%0jiQUvCR#GJSLbmfe1!V--SWN2WdoR9wK$<$|;U3#P55_+BE|2BPW
zyS6`6nW7U^3t!vCKWyQQTX}?0;eehM+jHz%*lt7X{})}Ps!GP(rRUB|D~No;38asb
zeyemv!kj0_z0bc+?Jmc!j96{1Hp&_QrDHZsK&yjC5vFEoI?|ds_J_C0$^0Z#i7t=Z
zvt44OmRf!0H1h#pL7y)Rb@%UF)y{nBEK&G;r(u$z!{j|xkH4mLtYzP$pafj&tICxL
z+Ndgy%8RNgl9GPy4Z*-D8;rX>Fg)J*6UbRI@%=acdXe7osNST23&#lW7tEyo#y*q5
z;Pgs5Chmg7sD?o9HBenqlb=|_e4%<(C|W1S(MlnBm?+V_lZP?TAIdLt67kxYZewDY
zSdFtH$x+$u>@ME0`%85)9>Xl)jO$5qC<*4C3HBP6lycdq8#DP@$hCO7Hh-8=t>@e#
zkL`1(Q)B%GSE#k1a|NHvwAk@_3zl``CyB^5C80!0J}_|S?98^*O$oXkSfrra0ejwe
zeVcW<(vwm1PsI+N#qVECkrr7B&Cv7|p56Tp+a1WMLnhz>k**1|Ykz3oYm^Q9#W>^c
zCj1*pFm#AmfiYXE+htl)Rz=7W(7iGz#LP|^@Wb&<ugG?Q-{u+7Kxksas;mm$4Bz~6
z_rxowU+j?Z4it-}W3P1NFca`e_}1&W{w6h~PA*!NWO!=Mj*yGBauxBn*kbGr{fP}u
z0>!_qQFmwJI)7HoOXNJl?1{|y=M2DnE!mE@ehG6DFg-cxzm#rPuqKXC`;X9LW%eMZ
zr-lW;q3mc0!a4F#xW72jr~VW*Uj@?9R6P`e2tx!psD4kluPXlz^1OOK*S}m{$r*&^
z1w*6I7(X{_ZVV0wEB9gRnoP_N=<)bWg%^3h-QY$0&ZMc{TD}msZ_BlE%Huh9M1d*=
zzZ}a|mMwAf?JqulBJRia?hf;U<?~p^MFtxbp~Nw4f-Tnw`jC&orG=RxG893ATA#cJ
zL|u}>-^2V1D}f*A>ueBF>E&)0%;fk(W$l7=;9v>dhkx6vQik8zT+`??v<bNnSTMc1
z+(z0vwXSQ;9khIQ*d)+Z6MIiTLs<r%?mR?$0`hvXrvj$VeVBEyjBg__M#$;U<!1+{
z{Ot!znEOzrO-uSWus4mUD!=DdBHO|!9cAN|*3Wan{nDOw3qg6)2{%ooF$<o#;&^bZ
zD-4xhN$P_qAjWy^0dOd~_uBD4V4Yx3@ind~o!R?6iSUcu;t}i<R%yXv*hkz=q+HGE
zC{C`}_#<+`taVl>nl>99WK+W_Up`*GIrY@dctiSHdUcWjgYDSH<mu%^l+6sv)`|%w
zJM_4B*IkO!jy!9k4*@Sn?3O3K>u&@VHHI^f$<9=as|qU<EX9UaV#2mgWbq_Ew)L<>
zW7}G5ZoWhjSNgNL`=JT__f0F;3>9NxXsyH2ZeN+ymuh}BwY54bs_rx0jJc!>6L)vi
z7@oN4v1J!{FU;Y$w9ho+4+Zj-%FlR2MZ*YA6V0mAJ2J>Cn4>NC&PlXL@mAfCVD5FJ
zOYqc|@!sg7S-NZ6_Bwu}(H{TJ_9|`g2E7r@Yb|m*U2}fZF}zhRc|O%-nEyG%6-(_|
ze}joHwK?cGQc@hx&-+S4j6L21lH&K5`Mg1xiZEzrE+@-ngQHLb*4RdQ4u-azn1wi8
zR8*FtL!SyJS7`V5_q$3&T8H=Kxmmu)L-2(T0cV}?9f`!YZcz#CG_2vN<eqPT(HPrR
zeeUO~c4Ve>m(uECq%4MyjBOHV(VyJA5xmIv-_N<VHAI^iBX~Sp`di?}O4e8(#9dNM
zbyxEwGpdf;{^E*z5k|S=O|H5)(5$|b8Ft-iI<ItSZC>4D4QFLs1HlUNYjxvXt+E^5
zzV|l=g1F7i;bG&^gBFbnS@L4-raXG5p}_8Q@-R~)l5}c_5r=hhSsG`YK_MT^9~whW
z&~)%JLyM{BNy?wav0G7JqJ|8Sc+MTvWxOEn*Q<A^1}EXPN1=MB7*wS1dxN@4kQ)l@
zSGy;is)=SD(+d=Cw7roPZnY_wDsMG8cxjD(llHhwk!ZP(UMm$J+9<R`GtKCMzX+ez
z@x{fEF)*m3G~PHQtf9+N?7X{Mc4wsWZx#|`8P3On0dw=Yx?QrDkx}FjW7lh@%z3F7
z>O1&rHw={Cq^dOTVfw3WPc>!Luj6|mR~$)XmWA2p<Z9d~ATs)5qfX11zq?zks3n|p
z)E*Lv8ux~GX6ty(t-v5)wYOYsO?5#u7zyt43K2YQ7Ctk35vueSr+v8I>UFyQwKJX2
zs&E$_eDr6bBx`pn8buPGo|8362>GMZR_EhEWBWichX6}P1*P&I>F%LoQ_8-P_}Ir!
z>Ay#p&-Dak(>J?JCRIpaQ`d3FD_sKC%<nKNhPTvfj`G@9$cBDa<8aYX!a7-hm`k!E
zpy-u3=}}qnDyD5AJL#D#>5`1HJpHQlb&R3f0%>n9{NQ||0zB4Ze(!{WW7ODxq_3(?
z0@FimRL%bIS?mPGD;qHb?XZcumhnIs1ov8cXfr=q+bJv$pK|W8BK<xqxF)K~(>V#D
z#7*KPD<u}%*BfoS+^ACQ1U<#oM@|_XFB-PU-z<ELgJdec&CT$T$)ilmi5Y8+CjJ}5
z(gIzD#=^TEM8J7w^g@=meZi^P9$5!jccnRxUa8GhB0etbAZQmmQJC(X>L)B)Rg$*U
z=&l9i!49UT-+ku;Tj3K1^K9hkX1?K536?8OlFMNOf8gsj0wf-{HiRIzbOCi!j$QUv
zc#7^$e%(Bp*B083u(k)$^Yb~3$hefnrxcr(_8<~`@osgd$2W)2Rkh0S#aMrF88$qP
z-&6!r3Z~5#YGE2Wpog(w*?`Dso#rsRmuCYA1`>d`JwFpMnZ~0VPGqYI+7qK!E0ip^
zw&ov@!*<C&x#++Dkgs<6sJlJuTbTQ{12OB9-mD9>dGRgOOuf?lD9n0bth|7g&<**8
zlvHmg6zQJUe$YprsHGsom_Mxq1g?UT!cIk=!;ATMhr+$d)hJC6tS}igzK0>DFJ=1n
z%)ps$xN6!95D-XGXU5Cv`9$BXdbm+G6(-0rjk<A{6sxItYM&Hlrr8Ioj=@1Yn*tjo
z)zQ+EBSN%0q<M&7DA&4;qAu<PvzyoTXOEp?#2Y{4@6A-T_>9(mgb-Q4DhpnrGXh6*
zoEyh!Q%pW1%J6~>Ru(HD*iMYo<!)GJ`Pes8i@w1^13bgsiOpJ7_RLbeP)aqKcOD)z
zsK0{o?^~Yc!31Al?^|wcA9hV6UA7aiWU@QrUQBom>nT3LD*oLF707kp@Q6Tb@olx@
zT;lq%Oh4Q<V+B7cKvQWsw3$ccIY#5KOn$aVG*oKl3)LYlg(0veTP)VmlulX2-{3n2
z%J`sHhzn7l>o2%k+%a}O&L&kYHrZYG9CxPSPBK6JK$rj&mRSql^|H}OrQ*kYFnk9-
zBN#3o*z#6fNQ4u|7vu^}IFb`8>vNa$d_4Aw&53`CZQEN&gy43gl0f#&L_oJgoEQV6
zp7<q8R|FL*{|{$x85YO4We-Cjc<|sBGz52-0KqLlaCdiiLV{c4P7*x0yF=sd?%vQy
zaC;l_yLaY4Gxy6|&jVkmDo!2QXYaMwUZ*s7RZDkhoQ2=s2u*s$qUxv5mHiOu+jAj4
zq;j5?WD$B}Gc%SeiO|(azw0}E=+UdFXQDd>;QV)9Ot0xS;BZphV)d}d1HOH9DB_7|
zw9CQ2zq5VMFwrM<G<HE;`x<MNAq-z=&{(s2^n#p1k_)?H<3VYMkH20PIwwD`eC^Wr
z+I5!|jiB2O&3fZ|ouK}S7Ie;))HYxo!`f?<3tFGjYT^xj<bc^@{%ihA0}4iEs8a|)
z&`A9~VpFd(%hno-{cNNuEj4R2xNsNBQE5^WJbI>sf&n?l2_cFLsUEEMx?Z*eMH<}i
zRCjm2mKGHkL}P}gzcDVNdoA;(wkWWFfMCF>t~WD%h~*ob%>bG7>if0t-+Q=I_1Dns
zOl~3>;&%4faqh|ezZYGW8*8xSGBT$H_De=>UuO1VNx{Lb@W#HjHXWg(O97uzw3@l)
zp`dMkSCGGg9u*ROqCueZLFxs1UEc<ZpZpD}!LHP5h-Bs<Qs%|1&eNohxj-cZyldDU
zL9GIwEw-Vlq!X{zor4P}o<;{=7Z*kZ$+d%I>#wZv8QKkwIk5}WC*b8Q<C;nc3AW*v
z&bBk}Xz4^P))y6(v22Ox5meEU+~(J^4@ZpRqn@Fp`L3=nigJ!Dw2X|@EG&T3)KoC3
zHxg<vjMbFX>hJK7^uz@hCe}^6nuwGe{<zr4Rll##(-MdOc!&D8p7&`_T`%Kckd`Cj
zp=FQso2D~V#nt)0IsT9k@4?}uCZyB09Zp*%LkQVoD=dF2Oj{dMoXtR%sP=7}@j*_%
zte)qODvFmm1HqOeP<%jdAFtJCEI<@=5TlgTbl$WZ)`yS0y^wVuWR*Xq?3F{}79&{s
zl7jfVarb=cf7`%~ABY%<dJK9G@dW>M$^WW-R-O6xW%dsx;CX&RE&$tD#a38d;xC(q
zVyy>MyVllkR5FR@4J8jhM<)1ZTCS+e+Aev^+Ac^)!TjIO>0c!}^=Sd)qMs5f>@qim
zz=k`FMh{t;Mz;zyY#tLTk6dL{FfZTH5I^T(aj6u<#D_9fVLze-_f+!h0$qW&?Y>8e
zy4egIk1(2^<n~w{uj_QFI1iYt^Al;4n5`Ou1`U~<WRq6p><|UJOWR(Sc%<w;ZJOO1
zA4I2|`oS|zMLrW&asqj4cf;~yVeSSBk;5q$4z}BWUIu&6)t#*ixoy^7n)LPAb2q2i
z=oOn0Z#LwXaehdODtZEO;FQo&7!AbTle0yYpN#xXPeESxVYbqFo*FbO(2g}Z8Covp
z>iSY^ekQ=1sEsITFw~6=)qFSOu%_rmm$HNnzDH_e2?bEV$C$%n8Zr~<$d4RnVCTP~
z8E@MR7)%&eHSEHQ>DVJ=3t@A0W&hjrW<P&@MIy)NJ@AY*;`<9C@+4T5HtZ~B@g-{W
z5bF|db20@b!)7tHMRrq(8@|6wJ(HH43I;lL_s?)>CEty*)~YnU>+Vcm4@_~fB2w)N
z{e1b*lw4Eoe<i()jx(}cN43Gbuc>=!dmEua7v5iZX&9-nb&4U5)2u6Y`2q=JQG~l$
zn_d1Uca%P~zlM)Z0RZFTZsX>Ab{!+9>HVzen0Dvi7oQs<p}eD_joObZGqM)z&6?Z1
z@NdKL>$-}5;b#G&oEm<spUukAFKGl0GbI-fIcKJg#ksHcI8Ns_S2z2ccoEM<-C&Sn
z^>mY(vNAA~UnGC|UcBn}%?A~&v<OC0;b=s`4%}PcH$w^{&MGxKVP#^=&)-zf8m(ML
zwU+bkz8cc+7@d^lgo;AKVH`B-CxPdD(ib<mFp8<mfG=P)8PU3Ft{M#(Hfgs;rKVtr
zOu70)*^q4~ZN$UJiK|37mNE2h8S!|}CCbVX=JDDJ`WIw{^igfzQ>mr99`K`2<RZhh
zAD$YXaOtyaAvFI^Z_Jh_D{sLnT+$Oik|GU@be5B(<X>z4<Q?jG-XHsA>AWxrRFOh|
zK=`ewIiz8b%f1exFCrK54r;A0Nj9r4fyfGJlz%GlTaYNdFHN+IyyR&^s?Tmd|H-T&
z-dJ=Jja!e(=WfvU_jq?L1y}1dPWxTGL4>`e5s;P<GuNE^W`_51CK~vmQmBxjtM1VV
zW|9lP-m4SAlm^dX!D_y?DmIpPjXw6-5Rj9%Hb;rZt8irAhwIZxeKvcTzA||q<FFYV
zW6KF6F22nE?fOT#tHkkOztOxuN@m&&+Q8*`=kH-z8zkfD9CcZ!QY2k>+F&ZVilOAW
z=#K&Nj$B)8yW1CY`O!w=N`qTJ8iPbS>wUD*V!K{-n9#TxK}QceRjw7%i@&aEa8M?e
zN!$YPzt8aC`i`;hP;L-h<q?oPJJKn%dm{1$4{envwium;aAt?44R&wG3xf|C*T(QC
zTTn_IYk#?Wg`bY-@v*11ZfYERFIDc@qE~Yc{40k-e!u9nKQYS9K9|JJE$*~E7+m8v
zidQqUJjfpga3L0|!TA|PUyLMVPQ5=(+^zI}fR6C7-AXj35N|(n9rtzY>0?>Mwf<mT
zb=2~2Y)XTwDfz;JnAXV7bX;d<M@(9ih&Iy=zoOEAnyZ)jCo<?^mt>})(_<sQE7|&W
zh(US($XZgk597{O3tHIxBFFa{v_JV}LNO!~Q-C_WJHTBx^XNN>_-_OQOPrrz^2c94
zZ#=swmLeW(ppjioPJ$od*52Pxxx_d#O!iV5=9*}mf~$P3-LeTI9#g%aEi?iYoTvc2
z>(*zVp{oL+aZw;(O5>x>R0QRfz~=@)`XlidB0%9#+L97OEY9~_)3;cTSLLSO^mQp6
z6)tFlzhRQk6gej+Qmas4;v(Zm1`PUdl}J2(csXHG*N~no`7jZEQY{W%+C^4Z-ZN2o
zs>KfzmwgDXT1(t4s-&0Y5u{qG3Z|lBwpHR}3*sE5tHNvnrPV}gugbVv&bjo-+$KBc
zp;*rsRG86c2i2UX8+?u+biCgU!4lGg$`nT<f%@`-s%f*{Gxq7Ah)2M|1Wg{S8<XYP
z>HX5m^@(sEl%%=u6!Vg*@No$dp<jxfj#ak+B;$y7R#?`?L)FiJG0taU4FZ+Y0AX`n
zjLN~mZe@`+RJz5q4#S}dI6imkS~a-Y%@IWK#(IlYR237yyifvRmbbuVHazHJZMFgI
z$4qM}+j^C*ehjXo^Fmd3heR{Gvm044V(AMnSwaM1drbUOn}MaKYA4x|WDcr<eAce^
z_G$!j0oU3u?4<Kw40{d2$cpkugPoM=vtv=XrGLM_uB8izJF*foJMeo7>}b2@Ya!8*
zF55kyU)k!}Infw$N!Me}hO5>)*40!BjAX7<^1%V67~#L2H2u+*694}FH3)gfn%>0g
zdsW6vA2GTM+bDx?q?(`G)x28C6shrMe$(kU%Glxq-{*~126$7X%~GpUP|uI|i>=}4
zcxY!c;ZuD8diMU*Zcxq`mj#y|?hHp;EhQUSVao?x9__=taVxW9CqEP0v{eqzH^$s8
z{^1Ma2nei(mk(=ptdJAwsCxChw5J-$*mL9rBx3-ItFsarM3<c-ZA=uWU>h(Z;+tL?
zaX40*M}IY0kLF5_Xn0jW`RoqKRp0%g%!RC>T9c>M-aDSQtXnTZJJ_eaasJ!M@siEw
z4IDt13~dEoQI|O{Cx$tpX>?=itQI~jPJvmBSBAw$Y!7Vt$z!!)dE(z6k~{5X(@wMp
z&&V}AywHr@+>|M0wH(n{L3(~0WWa&{qcu5y_pPw9mm6xgXIQOv6dV^Ly}IVZN(dE#
z`H29|NY|vep{7QA*cI35M4B%1Yc^YB>d`0W#6C86(vcR;na9gj51S<TSD5%$do6#|
z7@y(EtyqW0Sh@flk^7%pd!L)XIo<R5)GbGyrwRXR@>Z+t7M5KV6eFD*n(bAoIn((i
z5($e(?y(^h%#xR3{K-5Sni+$@+Mi-&rl>l#ncIg>>R#?!>W|ve;olW-Ts5s_O|Y0I
z%*^f+!~EliTPB)$WLd;V52E;fv+secui2;0`i1Jwri9LtTR#LT99L$}cM-syw1>B?
z&%p4|YgEU6vU_9DJ_`4nBl&slvm?v@a=X{HhCldH<A}<0uo$1kRbO#;V}xj#iJbiP
zzGEA>0=p`If3jiE8PGqcZ2&G=f8dAT378*hqRO;OTKM8m%)LFdhJ7yV6oY|fOQ2)F
zVYsq0YvU4Wvfxu83!^<9ta19Ns(a0xbR*!`?X;hvfkZkmmc_3i{pp?6s(NQ5mulR_
zy-rCJ%yWDCJ{{iY(xa$0YP@l8WBdtP1RpG8C#h_3e40GEOGNmdGgc=N@>{hvxJC_y
zcCNpS6+nRHIU!^P<qwGHMlay)EX@|AA+4?$bjvg@XMNw{Us4{Cv4R!sc3fd_?jcvl
zT{*0aG`K`r?KCPjNNWo7@h3`~0hF6q=eniYol$EXV9Zu3$5g?%^M}6W`8oIA!(-L6
zx4I>5(7wR;_Hg=9>`G~Rpuup_FWG0+_xQ5XN8v5%lRaDy2WkJFZ3pN#xm(+4@Ocmt
zC(((ae8>+TzxAH&0DpaoRsj@gw=d;o%fA!AII99EbgoEYKF9mN4e!>$f}>L$VWE(N
zUDtPi{*mM>>62G8;?WX%OpZ)LDg<ADK|lqI8v-xx59<Z(&Eff4X`UA?MuWR^xns{T
z;EdIBd9B3pmF>ZYu=l^=MeQj=XBhnf-K{NiH|w^XencUB9GG_7wyp24Fd;G)p{q@w
zvjUPMtne_2vmuR%jp=}Z*Y#%o1irrSBl(mX^&L4Bm2~?XGvJONqYv>8(F!RbvZ4-*
zPEV~#5mEwD=G@&&T*&jte;zIk1D4JL#c-Nc`b3dM-FI$FlLwGf9#ROy!2%CP?&c!o
zMURaEeEj?T%;j`|`oikzN)tD#&s<Oby~<FQ9wv|Zpo2t7*DFQLug%^yM!4Z0B8{W@
zx_&39MtpNd3=&6kF>`ov>>5yB(~LJ|K|hIoDM@Eb@bUn0P(-6}ir)C{Y|X@Z>riiM
zYC5LC=dql2Mbh7Bp(c{%F*A=z9S3<QPN#UdJIf@5y^AQGf=b*vGMFD@rUri8kMj1t
zsR#s{<M~($OeQBP4yAwbhzKKTfA2(WmAG5=3-x5VF2`1=O<PfXi^BmW46#FmxPh?E
zIPF~oKCM|r$Y^Vzo1TueL${nWVXWiKT`8;^;;Rp*>2YriUM7slp1Nahzx?<Pk?Wnx
z$N1e{Mbt5y_i??>9Z-1WZ1@75?K{mr){n+qutAeYspHy<T=##Du_gkmmH*5oY(}7D
zv1Zm8K|pFFL9`Zdw+Rwu$3g-N%;cUMf9TuHfhCEhA<e{IhDoP)l<8Wwl4f5SvP80q
zG;UFi#(m&STjEAxoLbbeyiTs8J<Hc>3}pooSq{fO7bDGgfTq9mSCOH?ix=xK80XPA
z_SSjCktun)8Z0LY@K=q5ZsH|VbTw@20nfy0e*<2=#hY3GC}nE?qqb^n6+H8)`8%fj
zT)4&Q4r7xy+YO6G3Y4E@D~7ze2?x)-6B!o!yrZG5v{Bf66Z^ZQdaF<&z8_C|ir?yh
zjMM7QKDFNl)<y~^5AkHy*(m?}!0)s|!@wH)==`TU@LVaX=~%l;UhZ~9`M6p7e}EzW
z%(pP@rV82P)V#zmjsedxblX0NjQ97iUtdWCJe^(fl3IYHvlHMl#!L?b{x}6TCf8Qt
z>&347vo4iP_51fQ({bw0t2#_kTU*x9keq{qgSa)QYrUPo1>jS}Sh>k`fA8nYX1GI|
z9KST*@obnRwMee|serq7qFxQ`9;l}Sj)XrgSd7K+?1>nS#)SsT|B!Yt;7S?3CL6Ns
zS*=QH{^|*LiF^#Qf9^psG2T)uO2E|Fc2wXLjhh4;(eo}Ap5@90;6$mn?itd#hvwq1
zi-nwV)(HUg99~_Rw}7Q-kcl}1w3L^MpDt7$O(qmHVrJ(t{?d+|6_+G^-F@g2zz?`+
zaxGajtNe3+|JHY<sKwk+Jw0p4cL2n*q*C!pd=AC6XQpsu8NH4@Ev*PnU^PNOh9J;O
zeMZjrg|GeFG~C!lmOC%y7F&+`DAerIST9YK3Ha;6Jomu!l@9$s2uQ-c3tv5~Xm1U<
z;8E2abAVBkgd$}QSoJdtrs>(q&0k?uR8^Ja;r2QI#Raf%+u)#NcHFq2Bp4C2Z&2~j
z5PaguBONv#RK~A<h~wF{&N^SndWu%KTr6-gJK4+1qSX3w`4V94CK@p*`(3==xjWX^
zUHC}iZOE2K`_$Py<ivJEr*ns4w93H>cB8;I<E2Rgl^+d0cI3baXk3U1Y1_38ep^1J
z_p^lB-}TDWy2EHoY5lgW>rWQ+xS_y5_r$-d{5(kVg+~2v6{z4Z6O?grq^hR}14NI|
z&Sw(K%ZB77XU%`n{%k&`Cx6RhWLw+T;-7FAmwd999dT?*rSeZ1UBfr3)eC+!NWFhd
zZWYCgk*;*1Z@`S{Ob(@ma=$9sY=7s~)P;iB)j;?2X16l^N!jreW4Y$Q;K5Hb&N@^{
z5s$xxMh#Q=O=6h%h4Yb+PM0)0REONA)l;-;(#`jg|6Gw<OBK7av=h+)Ae+ISN^=K)
z8{zz)m^ob_llxOUEq9YT;xs=5BXJaCdx*Q^TIn*3v-4OL!7y!$P{C|^t#7(a5M0x>
zePPQlw+6QBZp%)3sj3Ay0sn7q3R@;5VQkbDHas-1)FYTgx{u$|z%}7@)^mVbWxubQ
z2y)OrM>ADX6@p8!F_iCuax~4s@bK0aeLJYSQ)Mji_U@pa2*2Zq>y4p!-s@FVqXaLc
z>x-tlegTze7{B6moXVg#YYpQV&h=RH>&w>n13@ge1VMR0u76%cavU*~96!nL2y~Oq
zemmJv@a+S&XE#6G!ewgT<3BulVQ&Ve24j~kwiC+~N#V2je+q0A{)ADbw&f`Crr3+J
z#)Ijt9fRM!AEEmU&d6pQF!mYgx2k2nB14A=QgUU{YxD?YdG?c}_5W)9SU&*C1$)D|
zH3837y768u0N+1P$BnK-ZZWAZoBeGFwXxW_UmkaL^sy(8@kNAVp=Cec|H*t8Gi91E
zHS6VWZ%eY+iJ8J;0fkRZ(?EFcahvOT9X&1!LRvGq3yb8hA0IAA3u0#L7v7)o_HFq|
zg4-J20;1Qb2jHRxv)G7mW{WIul@6LcLjOn`WmbF3^Z@qUnF?aDxmPq5hwNkmLmHJN
z!B6hKlWkOm%2i2En#l?um3T*=D3OXf<Sgb5W@fn^J{E0BL$LSzS_S4)|HB37drpqz
zYh`+bq9;p^vU?Nwk6peUV^dZm#{$pA`GD}SSh|TQVW2{NRK;?tU#p)sdH60izzGVN
z52H(HSIqZ~jv=l`*^`S#X<}3Ibc%H&<JHQ0sqIr(eFf+;?5=Cl=$(GhPUzUlu`W{9
zZ938FVgkr;Cf_9|q9x^%n?@QIt%XC5`-(~Tz$?{NqONa@#O^3%@NN|PD$CFIs&9Kl
zzhJjLivM@?4ao(KXCHSgFI@p$XxsPVcfDNDhz4shF`O{}#YCXDW#b|x{?A+lCnbvE
zh-_;PCY5V#TQCU@iN6C@RSHkBM=9Vf+MTJ5Y2ax2!01`B-uh^KR;011rwln2$5;P>
zg!^5I@BB+bEgs9W>jbqPuj(Iwz7aAup$rU}iwhnqP8*?{dG+qL;fG^<FKOZ=?zRzB
zVMdW4#oHUzMD<rJo4K{6x!9|=Mphigf5NQfi>oDvLf*aRyMbSZ!p2oIqDTj^XT3E|
z<OW`sQo>m45&uF*t~1uq`cgod*Aru3oXS8&?12DD@gCmXTlvL$QXAYqVm(`{EhU_E
zF>&uS&t1kNqPUUu67ssSKpqBwgK5@g-g`JI5euoe2~ZFTM|*rph470)oQjx)na10K
zKl*PtJNphc*=Cs~0B<+>2IP)23AA_AZ57TlFko4kIZy^5&(siwJu?vi5GKM%Y{^?t
zk!x05FDeO3pjuKhkkl{l_p_k_3`TxX%hAb;8(8r1Bx?Gbn|CHbeaX#h`(sG7q=}0l
z+SHg2i<vVk`fc>BYjQ>E@;PPQ(K#(H)r?z_b?v_%(ceta33tE#j#lpR&Ux(N-mv-N
zZuHrB0%X$vSDcp)+8EpFo`H&Lmiy!7temzAU119nHV!28iX)v_o5^|_eg{-7X&`!I
ztF2xRdlSXV*=EcAxDfeJfNL3^%-*t>6QeDrFSK$_N1xy!WMw!Ke5X-g9g?r3j~c1J
z@$Kgj(OfOkGv`Q5tpDvkLL30<$7KPs_Z<lrcLfaM$Kgp5r*Z(4Hn)!bFUp?qDmgk(
zfg%NTkYwids6hnc2IWr!v-)hG17iM%v~{Andx%7`F0fLeY!jEF+9T(AVw*5=hpwD@
zRS*}bO%L<{nb57!yRYyEHVC`qZ)^I6${PgKVlcw>uw2y+U#pe^X9yS40wa>`jqKXZ
zMB@`@S6L1B4coC71ADG=^#y3hP1_HYKN<bs+3%&i`xh9#`lpMw;|{$lYg1?GvdNq`
zDlXX47Cc?%<<#$E7+tDfQFZuZRIFeeSSwn>WOg(?AzwToW+}TT^;8VmOF4rK<s`Qk
zNS8ZK`aElQeWri*zA&d{A|ZpLQml4|wJh_64)?7ntOo7l+y|nuX%R=~L%&lUtp(SA
zWp+26D&rujU56W@P%wT#0)gWdw*pZypR8?BLlB_2npt+5BR*BW)y&Zup_O>R`zsY|
zAq`t;boW+a*A931uHgM^LP$6y*JL%i@!|?NvK;7dhow<$n@lx!Xl=tTO?|=stb!J_
zCW%?X&=l<z?O2e5Nn@Wgg1pLI$glow7VT9NHKvhZR~T#qH(v3Q0CiB0%z1JnY#tg?
z&zH~LOJ5|I&5Rw~L<Z~QoqaRayFqWY@UYmDD|WJrZy{=}rGctxHI&9DL*?Yh8kIp=
zq|%#F@r=pZZ{p+CDsA%vnw~a!fv(01o}%a-9m3i0T;{7U>x1s2J!Z=t{)vJLWUPDo
z>QC{F9|WTdnRrq-`7^iBnW7FnU60Csu-l@ai)*!GkG6CnCI7J?VY=uy)r<|87}nCL
zuXEW(5>QS~ROy}sZ!rfuiw8IK>u9yta=Jw}+d>IFcnc^zfyJdEil1*Sy1%IPwr+G;
z7et$M#Agm8CT3(gUC}WA_QT!>1gsSp&ff+9v_h-=#rrsQp;xk<pyrCs4#Gt_%Jz9t
z8DgX%hVVJ(X&2JFj<ab{6aFh`v0z*)Wirqj;f(Tj@>Zd05-Ncub5x{c+1KGEX>k7C
z&64e&_RQH8MDsoXV&iqL{nTjoHaiGy4t*DY_hf@z+GexfZ>GBm{e;fSHtAkIs)|!>
z`Nq`vI{vhoxGLj$Q{3~RVN@nVoGFdKPZn>BqWpWF3zA9u0vqHo(3nfH{E9VPXnO6M
zV5-3|T9<%%B3W@q`noIr72CP?b}flY|KTAI6RL9^2ucqciC;HpJ_!Z)(93%0Q<j=&
zX`Ed}(zB=FCkXgU+&j9jC$EOe8{{F7_`1`d7P+1sz-wvjo#-PWQS&f<9oN91`JncH
zr#f@2<bFU_aY*&%hy2N#;VZNz?*Gc%F=}$Ej(8`}z9Ka~EfdFDnqPmuwNK-Jr|wk#
z@I**660A@(|5+t1r}tpbf-tEZ<HEljN!**>V%EDsw>9fl5kA{M<o-?93};!wg+Y_9
z%~NKNvn@Nlrw6cK7r{E3-Z6O@ZyKo766G&Nsp0){>L{N)n+Brk5W7-2PnKGAa>JGN
zt-H=E*S1@-t5#Ek?rf%0;ir+P7p;te+<~_Z#SK?wTUUP9LT4WY(CrzbA8&Atiyms9
zTTUgFK(|rke7MX1VDP%>1EIs3g10O-R<9W=gTTq1LM!F8vesuA7%1_tofL@EOE2&I
zYF_5}obV&Bx3ZbyB!DFSrhza1d(!)VVuu{I0)}Mmiin@8#TkDK9iF@CIcIs#%Lnyr
z`2V>8GNJ$E7G4%TIl0*nBb$!q8f>46G?-vI9wnpR{Wm{n>k+jVe}iMw27F$FXg~a{
z%!`5$nNlhCXRM%7EC35v8`4hyz4~C1r(^K!ri|smoLVb$Kv9P2`M&|^6dy|6+)d`i
zUDZ@Jq|&>?6;@@9&EQ`Y)I=oW=rW~IL3H_y^s(keNie|+_>;y)qqSw+n3=*#;!Gm<
zEpvmd8%4vUjydb%wgh;g>mb7<nNUA6#BrQouXz6vsA-^dM>{(%va6ubr$>9Vqz^R!
zNEbhUdEcjOqy7YcY@n<xbbFH>F+A$L0?DS?c52%3ukd-A@3E=EYX^SiHeiy0TZz~L
z&_F`A7F^lTz}`RU)Gej;!nHAskQNvE6e&m{0Kv;AsX{V@JPhKE$%`b1BJSp7Dtr!}
z!nt%wZ5s(-h`&a`{z`xAu~&W^XGj-F`c(T}&2_QjCYaf@TNsW@XHNZZG)TVTvT5<^
z35p}(uU|OoAzNCVpEy83^NrGAdUumfWaAB2xyc?&I@Qh6dH%*Fyoc4z=F?((RjoZq
z7JDLy@lCN-)%OPYfNNy@7gDwM@Bb%J)PXBV_A=fL#X4hK1LG}=b3WaYbwBsN-Rbo4
z$>bv<bQ3^L;j?5|4rRX5r42e2A{maG4}d}eALpJFj`lYwI=ncHRKx$<VSLZS$B1Uz
zz6V~N|644bzV$ViyE(zbdg+z}xMdwg1Fu`KI6(EIzMg<^-8lc|UPpZcFS~Z&dA>O|
zevRu3K{NL$mf`E&npi6_TMg0<3#EL=QeBn((qf+e*M-`r3s>c~5Ax~bqWEq$L<b1e
ztwa~L1c+4Z-B$&nWBNZ@<G#LN)-n<Q)0a_U@#`;CKc&lr<ZgP=#j+3;9L*ffB%W(O
z$Q>)sg{BMWHsYc=ohYr*jl}cDKE)AQbP-uoLgC6Mfj={ixN4fd$knGSLH3wUtxL7f
z(*sm=u0uxrT!*;#?uyJ!YOMncT^WBh>ihaf?0$D?$R10iUGo+&8Hwj&*>ab;#mT7r
z%LBOT?hq$jM0L@XeQ5wKtNu|&*oCFvFRwz&?bvCm*tr}lJg-@GOo6+;C#7xB%U!4Y
z`dZ9f5(9$;E`fCei1md<?|&7LpmYEzHJkkFVw<BK=XR@OmKHn5E6JmLy;=b$_1q#g
zOzS2i;U&MJY1%Qk7=O&@$~YuI*Qbt^3)91qQDtP&;IMf0-~hW(Op9;c7d^IS)Ez=u
znE{!e|6@}68l~qI+get^?*tiLMf48;rV40;<G)~rnCAY!QMatVM8(W3Q6AyCpRy#A
zuLJWFrJHbDc{*E%c|hj^PalwddV5*O?&-;s!dC%IH#b8iTi4h*poc@GL>N4Jex7p)
z{!A!5k%p&L@%7t9oJ{W>4w4hJcWi8t@ORcG0h)o&NK79-%U@`$ui?kQ-+({l|A3>O
z8&2*Bjg5;Nmz*pqCnpzNwr<Z|F8(R2t6;0yVrU!f=~BYdE^FAS&h_x`r)(kZI5f%g
z=GDCD079NVJw>DXg{<P;kcRZ7`g!2{K8gQRHHOh}jd#oJDnbpoOFY?9@EcO_ZAl#%
ziIRHuVsk#hb5%blD<Kz8o1p|hFq~p(inL-<7#)y7{Bj71B=Wydoh@=xN^btxH3$vm
z`PuH^|G)6h0bifoJZ=Msk*^a&g4nhU+DMXnIkxN_n?R6ouFLbgApwlH6UgMCthL>H
zm3T;ouP;!+8pyt_mz-o#|HB}@^dY1IOptQb1c+eESntocMS&15ZjfbWkABqu4j3cl
zA5Hf=@`XNrPCh$2KoF81<^BMl?WymdFl{azA#{j9f^t#^!@X4DERuJyx^G;9uTH<L
zNT~4It<}C`(VmO0d>IwU!{YyeVuAZTic0O35*{1NYbbE53lX=motfhM{cJn(<ts%?
zG!cHg%0hF}V7MOie9()Z4H=W3qW{UI0EA2Q#?ld+l8u@BQ!}j~dl~JctQbD}+`^p&
zo3KoO>HAtD@%|LA50a0cS7zNKwD<mzmO*N_zP%)B{jd-^{CcL(9vDS5gvF&^0p*T%
z3c@0dnQVbi4D10}Bklf_qMa(8AJ}k&N#TlEyFg?iYBM(Sz;H?e>w6dwb4CYzI}YXN
zwqTCKipV%qeco%H+xVx8Bf^I%CS|g7uGUhB@B_g+`meNZrfk`EKSm|FUK5@tpF7Yt
zOq0mIGljcQFxoj1kh-+F*#2K|Pi2cnIV4GWp8RC-dhxdax}mAc43w{nGChD;Ct^;0
zBx?Bk6r3}Slcd{MKKB$mjs|GI`-jm>k>{RIN<ywY51l;%9`Q?WuZ+&CZctOwrr>=k
z(Plw<N>Pxn3uu1m%(!>bMC)4|z_R-7BVPZW-T`x(E5i&-*t0k(acb>~uBGbT{!nD4
zrB^i2_i*)Q^EgIYS35b{s2c$%64hY0@s%o9H41NaIK1z<0*;!?_O7z{>7{7O5{4pB
z*>A4>@Cz=e;_p6Zh>q7&?G<Ei_ZPjn9<|{hHid+%bqe?rBgKTt7+SqDWp*ZVU7_!C
z37wMvn9^QO`O>?aQ=S8Z3>KSHr2Li@w(GK+t@SDZ@LUU_q&(kxgqjjV^8)WZ17XyP
z2pju#ZZYCk1W+E}%h%QcLw6tXatR&l?RwT{j1;c$p+J1@UZ>=`9&AaXyY^qQ6JM0&
zt6d-I)QDa;KRtWiF#2TtE|d^8(R?&hwb;!4Arh=f?EqGLGPiutdSMx=K{lN#R3o#&
zfI9VcW*kmnp*KF7HLW3d7)Hv5Cw+qJ`{}+;sPy8<MkAgtJAKqTCn4=&`1Jssvs=|c
zhW89+FX@vHEEfInu1Q`pH@_1M^2~fP|F~xdiO$P%<xP18Ul_1pMDVyNx3FPg@UFUK
z#d}`CvYJ@)%j^(S*1-aEp;ta6`gr519Y8&@(<VszSF6WH^WfdBkR&EtY^`(u_!+Mz
z<fK15WV#}EnhZ5D#66&TF7kc!XyCt<v{0n><^p3u8eMZ&SLHkKpO;+urzU-aoJJ@2
zI$(YbyaZONBYuul_3#>8-zL`_42Ax@ZE9QS=FJ8W!UNxTIDVH50f%ibs=@sdK~dbu
znL(aO>`{%}{xqa>N>vmNBC@sLw0zY(hPMM;uUZ(uoVr&tLS^^wmwXTTfzs8E^q&<U
zA>m3C6sW)HmU~AQ)UmuC8OUj^{@L?ovWRJ(R>ffKo-YuEq)>xgblah#KGdp--p1g0
z*EvUnu|A!7dCh$R1#wdlmHuisAroLo#LDQTH_m+>sNk6E2sXGh*a5u5xOT-3R|qA4
zTn@CR3tXJwJt6wcb-uKb#%B+~?$IhwCzqeHTD+p8E1S=so(7guQifz%Q@*80k-cL{
z79P04`=|&TFI_a<qgjnpbfIXY(|Fuy+tlc~xL~KHHd|8LRI5`mP_|)EllfT{oj&9f
z&nNu~DJ(20GI+;iB5JlczMBUC6rvOvA|=cz<osQCe$(TIomRoCp*KT5KF5bn7@=9>
zwO4;YN|4bv&cVCg3R@@Rnf}NcBj`$$ZKSt;(Xu%2cWfdn$G_iX0$WbltDpvU_jOM7
zdeEysUtKY4;R+_z<%;8>MJ-PTc^ugs(=&TDg9{ix9c}o>AXalIV|=@fUNP#dTRmJ^
zft~1_3i!v_p9pM`SO+oAQv76Q5H`Gbs6*r>qI?ygk5~TDDfyNY*;noA5ZA4_L<=*Q
z6`gttXKg&IY<+yw^GyxDtmU!nf!HTvF#pL_@d{Qzy)2{7g<M`w#=Xw7&B>zaYW^WW
zNljx|P5P^K<(n8oGr8iE1B)G8+|8rhd4ugAKneA08)^oa<&++&Fc{W6?LN}h_@zyg
zrfI1iTHs%zQ<kVJp@XoG5#C;9pAWO70Q1avinGIlWOemt(t}JQ#2RNks2*^wL7jWU
z;Rrtt&)z#0+SJ)WlAYyyEXM(4_uZ6yji;fs^ryI@{wb>FXOsL{wC;ybn$&2`xvb>}
zD`q1i?)2L))ES!4p!%l7H?}<Ow_iUNx0+vT#8_pY2@|^uM362&DCDX2?7b{aWAr6m
z)2Od4cWAB}%_M@0v!7S298Gs?fOt%CAZjletEOtC%7@83+wiG7V1A68fEVgwpS&FC
zw0G7ebx^oE{&XA|X}zE+JW1vTy(TSB;dJ&%+i72nyFP9CZGJf$#B~5*n8&cGbxy?-
z|6oKhbwNj%RM!>zjD^QYn(_!+FlcrZ#JVv#DS6qw8G@+nSCHHpD{h^Ap8UhJWP;W~
z<U<w14gdKLG^0jlR9i!=Q1MO7tQOR+@RjN2pqi{n$Ee^&qaT{%-KUhT?lf3bt{6Q<
zaSNcw{VY}HJMO<HBjJyuFwrqeukYiY-CPn}FXG#ZY-gSAE!Nc2Y*%dbc`{s9cso7n
zmM&Mu>B(ugGibnN+1!P!K5W;g^-ef7n62b5)tkbs^2K*0%%9GQeiWoD+gWabqif|#
z`xK}l*6PbuCRh`M31*!*bL<oBxg*d)l>ZSXxtAmNyygYf;F7d0it^1DO)oi!7F814
zQds?~J+$j6p}SI~XOaoR&~O|J-b>E0mp5QaWmNm`EB6BIH9M0q4F0e`KID---A{N8
z&7%X4<&FEBdG7C<(dy4PJ3w}<(NFFDMrEM&E5G-@*kNtm_?4X|8a|k{&%Xq57#L7M
zM(uV2!Hs;vEBnP61lRm<4G)j|vjL|jdPh6v^Rw^#Ku!|x4Gxkw8hBpEJlcLAF@+wK
zXItjEpB7})<6=j%wJy(ETo}HA93n2Ls?0r6<KW}e@yS)mh>pmfXU_;TONV~Bz`{oq
zRSyrIO<-iWE8g>BA!kLAmX_`t8p^4yz1)htLq~u;$<N6I7Kn-0FFy?*Jyk>_gKykQ
zhok;dl*cg;uhM~h&i|Gy=$p5RM<aE)Up-b(fatM4Pa?p-T~>^Jom-Js$8o&hx=*;R
zPMdYt9mrYYeB{q}v2~K+{>x<r07kn&b}OSGtF(e58|n?&2-g>n*zCV4V|QCK^3#@@
zOFZi$I|3Com?1Cu*9Cz7s}%XNP9VRGq2M5=R~KiS&kBao{Vpghp)m)ttxs&H?+SHz
zef?zZ?ZTG3E|%wggJepH#;A{PcoXe#ILbM;^(QW&E`8BfTegv5;p5*dY&yOx|CK~3
zgJ2R@t5CvNcv+?Qs=Ds&F1{?Qr-gN*)2cw)oZuDaO8vxQbW2+ES=w$xlL1^Bc%aA4
z*lCSv$sNqN#HHQC<Rr9R3%2X>eVD!82CeW4=vWrsHSJoYyW{WIQ7b-0TbcK1i!Tu4
zcc*viYUz2ToK3sNsxeWlj7M`}Tj$;%Kg=DsV1SF2_wf8p3BZ0)sRvRyg7Lv6WzkIP
z(id*C6Rf+e6SfM3OQ)&1Dt=B3>$z$yJGZT^ccx#<!0*^Uz>hZPWHRmA?X<UeSsZ#>
zHh@?s?Bob#*`dUA-2s84RLlnrx%F`F2V%OO0MXHT$@`1#`W9zjrkm>2j5jDSGD@#z
z8YU$*Q^HGxR*#quR~u#*c`(WUT%r;PzNgVvl(A~>ZalM!Xl>keoAE98Usyf<;h{%-
zln7gVo*(PnWehsi@pRw1Qfb3FKGnT*vm@IMzhu-Bscx=JS(pv8C<#pd!>+BDrJ$7A
zw0Jk9(^Tk{A8-GW0}yDCESObIs*rc5#_w-5*BAwZ_U(k<h3EA3A#GC|^cA=ibiMLP
zEGMmlN{##rHg4j0@)pIkos##7u^obw{;n%(4ca!E5D$Z++F5&7(&v;XqUifa2UWjy
zeqZ~a2M2$>dX)5l)kD+bMS>&Y5j>V-Si{L9^<OOfiq*mGt|3iMnyaC2f4DrLeht80
z8iY?#hi;Do9Ct|af0Qs~W3W5Uq3xB}fb_4=_Q<;nE@cZYx`H-47>2;8ZS2=Fh|Rik
zL$3!Vxo!OgT=zxzJzSZ!Si-|Bt~aSa(7n4@S*mgZtm=*eOuvFb`8|IOvyO9*TEbRV
z7u5&W{pN+o`Z^z$J-RvHV!3-Fe{rc05Q@%0S>iG=63|qj#-Zq4v2g>a%_v>CGgPPz
zQF(-A^fjU(@RuiElIndr>o)QVw_a5!C&RI_C78)GByWM69W_G706^m}J-IkQ$YKB(
ze~tRgjlc^UYg>|q{@O}o>YZ=%HDzY5x+7$qxS1-rB&+1qLRV&jv?Z{Wzlan5#uxLw
zlIu}TtwcxfN8ST}QAKEAM`nt$x0EN%j5kC?hptTgiwlry2X4}+kGM^u3u&;&N2JXk
z%K(T>jH;z~qC%x*%#FJ;6NZEue!iNCY_dRgchH-5nu*;`M@jb>iK02L3@OnOod&-8
z8la82B;e{2ba+T4)p>5mwE<l)H{8L{LPM>|bxh{Y4Lv)G8^`?)r?1_1#_{Bo7*?>K
z%0nax=s-dQDJZ^5@Ip>fdQy5lq#5#*w-lxEUKv#F>&76*gdKa`wUo`KykV>P@m9`X
z<KwW~t#s)hFdoE+=m$NDzp4tlx9Q=g){(~1n&;Re9@sbNvJ4EFzw;Y>F`wiU!EL_X
zJ!rU!b2rWtJwEZTk>er760T=|9-$Ical=Ql2I#BIs-P`sjjn269c+vkxUTS^co2UT
z#&>zDNdXeORBH*$C2nJ=)koc~X#?-QHFtlAh6LSZ=3Msq`!i%mPso;hTU{0zuKFbQ
zLC&zU(%!EEEGBu^p+s=SiN!`8cpW-|)$5_p6o4iNs*^qR5+-C`UH<5lk@RgFzn4L2
zQF?0`jr-mj8qh_}g0E5EW}JUI`+8X>@n~@<08C1^{q}BJci^i}Wx^TQjkeH5pE#>!
z@n$X~@~V)E8=keQw>bB-AI)Ov%SS5{Hk-W2IS@+v>`)im!}VxSj?1Cy2UReQ_Z%g)
zK;Snm+*t04=usZ+k89hGhC57D27mfrg;D{bWX-{jBz0=o%2(Z}sb^Le;dtt-6CrKB
zAFt-%98uui>`(Ye4ZW{EXu}KUJT9|prnPU3lAQ+2@WmRM`sYoj75L?Uox$O&aH3u(
z@riBIe&Cnz#3iq9Nxl5sz+Dynrlx14pZxL^&HSc-fcnop*AD>{mX-uVCPoS(sKuoS
zqwN+VBYU~J@#ft4M196mw(>uzA$_~UF*Irimo1|-vike5Xcbu~E_Q#1lw6d?>)4tk
zdC!m@o!1TyEy9iE@;YEHqOkbpGb4k|TmI|z+H9#r+aXWitHt5_YTi)3*2b9g&A{fn
z5qT1Z*HL<^U4Tvo$QdAvgHT>bb-om6mA7~gC9A{XZF-`iZuk~eBk#P%w(BtMeSKJF
zD4F!vnoU_MPFFTf8K;z<o@Ow)*Qg$~2JPL`EIcge0u=l~rAMIdRTqXRvg+1{HkH-|
zuV|Y^&d)cJEQvQxlC8_gpS%kF9ED2qKH6=L9(lPb-%0W$ev)yJ8{++lSf-k)w;<CU
z7j8F>7|U$>`l2izi_MJX_|K-{V(a%X38eC&45_mtTE)t&Tbe7Q)Lx%<teu$Krou5*
z`QcT&Uo~~Um1Y}$)|l1PpP$OCECkKo6|NFYVze3b;_bQN6jOMQ$uA}C7+&zPL@=+H
z@F6Tc5!eW|gl!?}1o?KFz-C%gJvLI+FAu}&%}GB*&tRUDs%;!oc^KNxe{{+XzV;jW
zRoBmUw2p4`k&wkSd8YGW%Fcq?bO0q?BJm6%@w3w^Z|V@rQr&3Bv1Q(N0vaOZ{YQ}Z
z=TKC<*}{t=8bCg@81C<J0&5r7GOr&|Ro6jRPn>OOqPCGxAE$n&^m&)q2PB?q(M0}p
z@o;rcv>!e%Z1o+HmZTUC-8OeQgbJAUjRW;7Jb`)s;A+-Di%Mx9ShCc;rCWzHX=~d;
z0*lsW+a);<>uxVfeIc-<o7*r{&P}vFvCn|4#SAZBRCa_iRyAPxHOnS-T=j=<N5yI1
zDal#+gE$)|>a%RT0*$qq6O3WLiY}z2>vCG-Ak-B^yy(@1^kEziRcMdj%w-BD(s>fD
zRWF=GRtDhz7^UJux;%HL)%HAkb(}iufP8zCLj7H6VdPHWGO6#zBQ!%{BP9jb&pZ4b
zdN>2quDMbdFJ17aT9n0VT~d%j`{QyhrQQ+?0;n(Ggdq)qc$O1*L_PDy$B%57y;Vsz
z%@4DckIxKMR-vQ7Cv!k8YIPCn3yA7O7h&;@vcsRm+<jxn$ee#fD{XR&lA&auyq1Qx
zd6aSor%I(m%PLURUgCey<z?jTlD7^c9%^izP2gFej_C1E=H{!QJ?<z2V`hCiYgr!j
z=#_JrXgoAY<@yrC|I?~=gzPvdmy%&Gxo`t-R(dOufxT5D;4W|T;77_dtnP>J%{`RH
zmn$w?{kuFTTNS&Bv}`BK0ylg5aSc>iJJK|zq&i>CEPGXZ#b|bHtSr16lDqv5?u+4_
zQHU3o8?KL2UH>#!o4Nv5)n(T*c<I9v*LB8OVES36MHll&vECm&aNl}G{b3N(!eR!>
z%l_~m09%vA3nopGdWAZC^pXj2C4(!^F+*=-edE;_mu&B!c)@4k?a1&pGKuZ>7TeJO
zG7tSID4=ItdJm0B=|;$aNa&hCijgom!{^OgJAzXQ=_{(-wJ>RXAq+rO7do}tS8SWb
zPmz8&xH%T@?y8~y;;M<^v#vJ!PV??KId2YTzrXCGA%8ZiCNw`tZ6u!RSl-q5mYX{>
z^(O>K-e3wnJ|xL=H2YdC>wP5DCDIw>Z0JQ#`V_r2AeHj=TbL~U`D7zKB}urCCsN|9
z7b!-awl@zxZWg<=rtZAVT*7y^eni_gt|ANf!uU%KWQXX(8_oJ36t$(>zpN)G%bS&)
zE1`lu(v>W_D&9%6{EUTL&>D)W)TZu+?UaDOfM#y)mOD~<MNb=8AHgt%OY|!t-ZoIo
zM$2u?nGAaOH_<J@bZCn;Z9lU0n5AK2!o&$k{x@m)=95A1*OT?HmJ6G}wZ5ZDvtGOn
z$2Y0r9}v=bi2HvB5Oo1sag8q|ub~xHKU#$c*xV*FN>x%4DP!GAmi~b(O(q$7oTQJk
z&Er;`^tLyc8;$&KjD2L6nY)EvM(}cjNf@MPM>@LE4s)TQFf!@D8AxEmE}E##BDC0l
z8F(stZAe`k5{meZcTg*}#6WhE^Q5qpHA0)d{)Y4Neh-7B!HF%pJEQma>LU#DhWw-a
z-}r&2Lf9!8J(SWl?VBORI3l|QZ2`2UmG$ec(A>pNMpt@NINe6_C222M`qN8Wm<bkJ
zv$E}i+Y(Qqi^H@EUl-~Ttm4n(wKiOlREYJq!^bI-2*Kuu44g?vQ-*wU3$=FZW1|oo
zn<X{jg0H>|$6`txpjVtd&tJ-%Vjy&U7uJJ`1}h>l8@jJ3vzDv0kUvVrk`HcWFj5NP
zt6UkLLLtf)iC=9Cye)}4VeqfbL+1wd4sYyB3XVA!k3ti70Yn|HbX$vB#&d?*%j+A_
zJT#Vkis>dtowmApg=Y0bF0YB2+Zq~-sx+j%lzTxrt!C5>4kPDEb!CYsAIae98TnXD
zVQf0otq02}eLN%vB@OUUV8Vf>kgi35bgc#I6c)SH_4TmX&2|0kWy=Nq-F;R4?Sz#1
zLkZiLWC1_z;h;u(Mm-k+<jVV;eW8~VCNTh$ok!IMG_o=X+`KzhuKYqW>KjJU3GaD5
z9Y}xKFmrU+xYDbdBa?8&kf4xq?FljeoIOX>V8g4S--j)+gv{CGOIjxf1&~SdmZWv$
zPg}P43u*EUwUfEqE#wRL4enqFa}G|QQ&fg2GTK{Dg2wzCGa+<Rm6lSW%_1s6cm}s$
z{NiqL!iqX;3!eBpKrFBNTF*wMXn6`JR@6~JLM=7c21p`K8HP8A;ue9PdL^ibnQt`L
zXw~fQbXPV1F@u7}fD%2;P*{o>BhH8mOKld@0-8c#z1w7!*G^n;0>}ysG>D(@EXU6y
zks`0b<UxnhB2ax=6MYN$a<e|$O8Y3jXcHNx^;kwfoG1m@js8?G#KAKlZG|H>+u&S7
z73OU5cCk8hW-+@$88X7(2&At)Qh)|g=mNyR5^aO>r7C*^+igh+C_%_oX<-E|+CUE@
zY;B8#^BeK_fOVQ$QNF+(osX?~&JkrH?02a1Jkd=~qmh0q?h(9<g}WD8<W0Z|AuLjX
zUsJ$bE}KJ!eoE@4&J8>Ef&=5|(F5ufMTL*Hc)bk$x=!$IM2Q|sARb|LuovkcAz)Mw
z9Q*gCgz$qgX|Flh;3_Sbn9EKjk(w6JKrwZFkqlf}ZG<9i_s(_W)`wTb{dtISlIgtV
zUXF`sGX|;pQXol$ImhPiY8CXQ*=;;Rp=^^jDOq`GGsJpmlCFN^9K%R93kLor6C<{t
zok5v4cOFsc>BPPCOe{6I?0$|QbuFRyc?qx^re1fxMH(`bGnOIehJ2Ml%BlpMT;J-j
z9sXb=Cr&og$qsd+Y>dQ1*T4{Z+;TnjZ`y$lFRxU^w$2UzGlYdA!P>g{Sb;V(M@B8%
z?8e@@r5vRbq=L1MP>;Ehpz_xo;QI^PP+ZsuYsGkCiF7~;Z){=7SOiJxh`G6vv{<Fx
zPa-qur87Fn-6-r@;ztJ~+Yx~V3cvp!WQnBHaft<s2Ec3}bfHk14NMMoQVCgm0+D%p
zciD%`EJQ&+%y?oAsSb5PYnJ#M^qwq)c1YcuXu$d=DjXdaMriUPA)Oa`v=H3Zf3R6?
zN?XuNGSb-U<fz$&Sl1dp^LK$;g9?8F;LP2B`d@;0>hrHS#5O1&!-!s8fwxb(<T2Z}
zsPc@3T)>=HdsQWz!diIdhv_BbQ^Gl&;wb2wu13y;G*az}7TG?Fx(Bt54v{q&5OEaZ
zBT%bem*^5U%^N~D#q+2DtKtm2BzUhz;t(oZRRWf_6@`Z#YjFnqN!?1w;de*9po=Ch
zM1hv5g%kFTC5U@>8x!M#l4;V5Q)M?gn!k?47v)8h;XGDwG^vzYH_z8P8TgjHr8SGw
z4er#5FP08?U&yWJo{^{bzyx%OD{o4*@OThSP2=y@OPTiQ1q(;7QxX|TUH=OHU00{X
z<wP4Ahe8gv&ht&0H>#C+8o^*j4znmU|K4~I1*;}S8<|!VT0w=8wA%w^$dnqoxn0Bl
z=m?W|=vWRXUFethHF+P|L1Ay{bC2zZV>%!!6U?GHO`@d#Se}CUBdj&oaEHs*eYr_Y
zJ^%N$O;V*BEqjGfs^(+SR2Y(tGQm=39hcW~cQ9i!!dA$NUdcPduhq+qGBN`gTAzBE
z^@EY;8%^kj<DBXb2C+_2Oi3XumI??Qv2Z}UP@CeT6Z>d#lST_8nbzwfg9&#PUHNzK
z@0%YgUf<Vi84lDj`(Zsl^jeFTB(v?_F;jyGO`Lpowb6gfiLU|tB%okY91c0n$w}r|
z-q-DylB8KYCFYX{{?T&;saKXuI}-SC=0S;fSb#>VHPrMF_$FRx&WGys7F_(3gp3w<
z6${w`PrqL)#BUnMGSernvR96N-=e;>52(F-_w|xyN?rCL&81t{8>19U#mjOvNnukk
zu)fL3OOL1}&Sb{>zUar!JTXygZ+C2l=*9pMfv=A25P&OndTRBY{0)3#v%?WDYUz=?
zd6NrOVUmju4JFR*KzK;mviPJZ(<D0F(!6_?=GXIj4rwB~q*(PjKv3_@1U8&01LZ?-
zgF4ja#&>r#yI+?TyEh=A_6>y&kBd*;ZIw~LO|<UBpgTA;hN9U?MGM3J0kTs)oDIQL
zEsMNUzst!?j<{|O8d6qEox0Ei7vgB6CB$y|6bJ#@DMTo?$UX;fznQC^IrnkX$O<tT
zE-?aSNl4w_th3?)Z4XcWLt=fxAYKp70f~E%aQH`1HxXu{N1@(qu7=PkhX2??B$02v
z%)&_vT7gIO@v53PT=t_2OCki*It4&NcC3&LA=1^l#-R{LkBVr9oSS9hYFOEYH-w21
zDjVQbnThYqf#tdtC|M0D3tU2LCz|Cs`2hPXZ~oqdQmZ?6_+ZlGGq)U9p&B$0JVn4a
z_|_-}GpJr>VVCJIV&$<sx{y+X8}BegxIh83giNY|!9jd3TkYyDyp$mUe%HI`d8c)z
z>uD|s8uMH_5Q0EOMP+Pis-(r2%*#UjDgf#+ergggA;j58Rr$`1X@dRq85!g|<;4<x
ze>M?L<T)a~QO4A}yqojQl;GGeXyKp`0wvCB{QCX0u%aa~Pccj>=(>$~%iUCsYrVa;
zd{^<<HG9giX9RtX@yl;F<PXD;MBA+v$%8S0-_tpmdHC&-yO>yzD&>-sLGwGUG2Ibc
zISBVTrz322)nT`Lw)K(&3K&H^D2gV4Jv{aoq}@Wn@USD4lM@8ZBjSBSXt{%ygBR#t
z#c%0G@^`uU5~1T;sVa|o+>-L`5yY%5zLtVSuRKxi@n&H_29X~!{nC5t#mCycWk>jd
z_YS&{uEBZWlgLppeb<CcVeEHfNd?&ooFIz3`?jN-OQ(}{h3qBnj!e6GH^f+cS$>Z<
z@8MtAbdZIbiubj;xgiA@I9zSe6`KH&S4TdHs3*s&s3v_+eR7Pd2}8|di&lGsd|Ed2
zS;P6po0Zye(vKhG2%>WFOWLF(r^%i;fy2NW(U-sRT=@CxM#w%O|9$)TkIMg#v9AD%
zvunD<0wFjgxCITt-5~@ImW1H$?(RW?1c%@jg1fuB4(`q%gS!mA1LS?b@88<p+NTOA
zMjpA+xBJ|4y0vX>InX>c%>I%G9{cO84|5;txfz~+4^jQk!j8zTEB!tR4zKs;#BD_1
zuveYK0i3DS>yuA!7n6u)Zs`bqw(~Egx-PNPrDzj;o3?G_S-Ku|ase`O@R_Ws+=kBA
z8Rk>}17L?p@TT67Ph+PI5G<#C+UinLX||$cygNmvN)atc6yLywamxj7A}Aj;LofgO
z_}+3xWH3MJNNa|hPAAp|96N22f8dP2W~;j%(pG0q6?7UEh}S+MTb$79QII!3c{PD6
zJSHC(y%J{nS-3D^W!LRxXnz|kV_rB%)x_Q6DVuC#$e9{e?n4hdn?3{ieptvmFD(ep
z(xGSF7bEee>xTgw)s@6~(rXevAvJOQaU(+vFZ-|%?~a_#{_QoL<4a=0lU3a%4<Lr-
z_2D$v;cAS2im2e;^A@cLRBx)t$t2C^=?})In)sfI(ns~Qk{YX_!0%1bVBV6hQQfhN
zC93zSp{k@EJ?7aPfE2b3@X+`5Sjcu<f(hgfY6)Wtd!bwD)a8!buCdM{dbbK~z~8=`
z_s;Nnj`4dob1?=_PZ9p6^ZAFPXnP@f2276geG#Y?E4ARuXbb)!1GlLqs_S~zUQSV0
z29+(2GY@&bF&)U+g_vZR&It4+X3aT_gV8xMh@Q6;dO-^DO82Lt2dFZ@xN&?J*Kz3T
zX&*uI=!Rw&VkK}`)%;CP%I(GQo4s7)bQU;IEzID};g#Yp%>^jK7lL=I@Jqvk6lLpB
zZgWw!=LKuIUPjb%By90jTkf6@F|YSh+>m3u`ZG%QH)7hU-mB4v0B{HBm4>xNuU87h
zC+;>p97$fSC0S!&$;<9X<8e_J4^-qWN6C%Hs$wb;(#lQNTM$$+zQ%lS`5Um)$z%3j
zvPPD?xZ<1AR-aL>^ZY<Abu7@<es+TzQgrm*v(Txele5H5BC{;fe^Si^{M%;=N?9xi
zf@ncY;-DIKiv^C%q2+qi1xgs;E)bia=0sMq;LMM5B_b|VB=TefB};xEH<_x=?{&(i
zeHgQF;fjJ%HE}(XM2$0A$qdm>Aex^Bt<uej-NnMkvmiV)jh7PP8EyA4Kkica4s#tZ
zq<kD;bwi9{^Yub5PKu342JM|(t&h9vtFN~52)NapmhloC%1c?BnnU>haJXUXpVp`$
zT*VUdI-mp<y%RP_1}}7N{qT|O4mr3p^oLUbuvi))FFt|*E8fQp-4`q~gzxW=TFwD0
z)LxtfUgJi5U@*tMfea?71Yb_vlTv!s8~Zlewhk2Ke2bb(cSjrET;@Hm+S1D^g%y5K
za8w$q<w+jC&uFpHM(tauY$Fh^u)pD!ba6V>MWen7hq@1{4sa^xr-^PTPHEG3i@4<6
zuv;!kTp_`!(4A-vhyK03nB%M~#X4@8+R^!XdPR^+3I0IAQP)<tjT!#Z2?vWcokSQD
zPg57=<r{@@S@A!=&zl?wU29)UElKlDXKKUI8Y|zuRS;yByt<M$ho4~_B)f>YW3xhA
zRn-=(Z-@nSRo1f{NgwX<Dhus<l#G7f?s8bfj2c5$6<iRy>nIsFyu)8|xma4;5!T=5
zdH+z5IAdUk%PtsnF?KgmvLs?anYolS?}5I#=8oTlbbL>hG?P7?d)MWf?}aJV-vZ!^
zW#gU+u>oQ79a{XkI6jY$qt~Cvw>2eM64IWgXspmha712ZfhnPgum>qPYoM?RREO1z
zbLe@Q(-b?Cx>4QtPzk9Koj=saZrWi-T^BJEA>wy<F340Ma<w$$nnmF-S!-6r&w!0%
ztssfm@ic`K)yp8o=-x8F(fR|MG~1ir9zI)R2YViwrOq)PVCl%!RH#ThB2xQ;>&J5A
zUl5<yX;Zm)%iUa#WZ;cQOn!Ozs#S?VoTMY^w)#OY?aGD&!YncVaF*kD=i*w&)lm;<
zCV>}jS0r^7;)p+_a-tUNxZQwU3;>z#wCLgSP#Se+CuES4LUhx%{Hy%$gG^RUWdTlj
z9gK%uX|y~>R)d4pU#>C$x0ZVBw8bZ=x45#@9ie)ok#ANS1OyP1h@=QBIXU!T%2ru+
z(&(~1+ST2i<T^~DGBM&Xfh&s*h~{ZOIT^9LH&&#Fb9AI=ERcBmLv$2J8mpkCmS6}|
zoZPF6mp|#15rLWpaM=r35t%2E5Yo~wvYJFT0iAQpdTg}D&UJ*@gFQ|+>tWDwc_uUM
z4utAWN&ZplQ7jFWP6m<AQViA3ttp}>DBN&fm2s^-^2f4==FthFA2s3O^>XLGhOPy3
zbB(3Ir7@7&|Hd<{LvTixO`c|KecX0$;tOu&?}9^WV<%$T>&%{ML)K#^r5b|3g$?0;
zl62LLgkgih<wO134@MB?H46-~iES6>HjKMQYK~FXs`IWw_2F=i{t0HciN?)%e@u)h
zeo5I?N{e-yQqS7gi|3kR6z}(zM9LeaaV6~MTao2wk;QkMfAkA(jB>tmE~riI*Y<<3
zPlS50s7A6D?EX}&0cZD_S}n;jAU~+lpI<T+xU`V^@Nz~=HEh!D(G2$cfj$-Fwa@Qg
zH@0MZ+;H-p?+Y~^+w-2d{Q8BN|6+HNJ0&Ovm3eKfwC)5EXF@0y=Lo32LV5J{Eg+P;
zvq$)b`UM+_Bc_uMNE%tyWL81O?JH{WwuVtImyPuC*M@qZ&*+7B^i3GKWa@}zI5`dk
z=4G-ZQhPfoen=l9X0y`HUPE?A!`||~puGut&DMJ67Z!T#NcTZnosL;d{14(@C)e+$
zE<!N#OjN0Xy-DnPC#i_q?--pzLI_=!g$()hAsI1bK*G>XfuH@H$&#sMFVhM{XEa&m
zwQ6K`u+fcElz9iZ<8!xAtju^$@^y8~j0}`Lb6qJ}xa;Luk|FNlr_E*=z(K%{ZnCmi
zIcP6NG9h-FPTrUi=0!J!o%8v|A*>Bj%r2grYw{pqqLSuEeqV>_00Hgk(WAFIVJbO)
zn6Rdw*A&p)?b}$$ltK`#v^j>s_Uk>=L_uVXmR?z7J7x<>mD+4VyjLdO=4|P%f(lxT
z%TgdcV>55hX?Cku<M7JBa9YaEaxB<N_8(k{DzMhLi$;Dk$hsk6dVFNrr^At_q}?ks
zG^3`dJGi>83tRa=)F6HUyxxqJl(EI3`){)39IXv_#RnU->c$xN2U=E%%d3oMW;Dd<
zA}g)&t4WNm-8~%A6WxJufPNSfq+>OeabhEQQir5)g)cM8>>QUb?r87PbQ7>=O;#pq
zhnzaD$Eb7A`FrnA(Ml$cN!7tCwU_l|RM;4LNoY$kZ{ETs3K(~@a0b+7SXJnC5=3w#
zE^E|vUd*I;kDjjWB@IkPLYX2%59!S(eXNA_->uD*`c00fXKylX=(v~jAbZLT@dqVZ
zP^@gTio(XC@Jq8-rTARz@Zyi|Q{2a*y4a^RhXyC2Yo58ik?%}il&&6p#s2x3`|y5p
zkApW$3z-oFQg$ikgUT3sd&9=y{-x&7!%@lq*nO2OJ1e>Q?m{jwn-j@|y|EVLWcZSW
zwUl}T>zd84jBcNTB!*zR{WVNMu*r3+WGM$UsQnkirR!W!(gCHR1AAmG1>qf+KrneM
zZXz>m>+wK$t;fvmNM*sVse<S*)LIco4>4L|Lhc?)CDdP-g{eVRcHGI;;R7aJlIpTB
zcbrFhTR0u0-SGRXQ{$DwkGv40h`tymb_0Z5BwrOGxOTQ!oG%k_{sZFKg3vH-DmBfo
z#a;3HED@?N#PWZ>qA7%5F5K2Pjj0$fuA}@2hr<Bsn}2qqCC+N?zQ!BuZPe8asNBXd
zgMB9XF56|N{I|UD@-xiUuQ&RVA4X&?Zxtfc7;vQ=8zon)vE1%ehm5u>z#Bja(NFm#
z=ifE8^7ZuZ3ue;uNj59`@AdE>)h@>xY5mUYvnaBink}WskNxRT`5VK2_OfAaW^3aD
zDv1jzE1O`}b_OI9oz0!f>?+Cx>VCAYam<N<fc*zc8hcSLomS4F*KSi|t_locY`z!u
zP?0{iKHkXgPMeOjgV?M#bc%XNp#@IbceeQci=-SKQiZTgUnOd7k!2pv-zv1QSTkA+
zOG2LyE9fOuMfgdF$;+(ZB(3fs>n8OZJD0~_6hbhc&aniK-8gSz;Rg!sfy&Wl3q}XE
z#oF$<K<2&9Fvom!h_5M;^B)ibrH3PC!zvq@)Pi`LUa~b%syj|u`Z$L~eoj|c)tn2{
zLpoV77!TwsD|Ix6K(GJA!zZ&fluGGjRD`cPth!VwrSVzZH~g}M?8$ONez3$Ff46Zm
zBiMP|z<F_cW=H9c4O27UwZ6x!?sD+Gf_+rJHZC!3|3&|tam+tlfVk)x8$F3yH>x0{
zsCtyG9?jZc-=<M_G-u=%VM)gPQGx{#=L^k&<KgpZPK3olB%d2-rT4}N_j<G#dA~|r
zAIEeGT)stNG|$ZAKt6yAv7zCL%REcQTT2<tRd68mbVUd_yh9Ix1A5&%L{Zx}nrl?Q
z79{z6a}qF7h~_)syZ`5hvsLdtHx#Q4RVv~eIARrXv*47OZC2d##e^AnR~f+(y{$Oq
zWLieDW=8@Uv?gg`Tx+8>4^u?hP;SUPg+j+dhM$*P+8g|)sX0_@v-XFm8!y9hziHw6
zp-%Z6jHYbe9)tB1nhXj26O*g)Zh64LK;P2jr_+*+PDrn$PEO#RO5PmnFOtwes7%;_
zes0A-Ico`U*9WnR^~F8$YVVxC*~<JUKGg3;KJ>X@f!lH3y+1q=@q`23COh5XBoxkT
z{^vs?{vlDcM*L_v3-?T{Hmk?A@R~^qf8X|x#JZGg3FV#BfjmSn%@<n(IP1`pwV#gY
ze>c1z|D<85+Wn2Hp1!6J^<0VS*)fJVR^QuVUa;=Io2v>3{(Nt0x{H{2EM05Q4Z3nO
znRotvn?fS5tSPKV%az=hDVx~yVvRos`)Zc%f!XqI7CtfAv-~91Zay?vvPP8m-P1WE
zF}iOf#H~F17N<nq*M>m(1T916T9v*}LYhczYu3MP9^52}e8J{J$2QFSvnhB-BA*Gw
zig->VY%EqxW;GvQWGBB~jXqek2VOz-NYTaa9+f*G`AYKVWe(3J#Ke6U^f1)2V1t+%
zRmFGT&p<Z%teFt=YXhhU4e0d!B!n7lKYvY9c$gL0*A`wQzmWK8DK0i@SK!Axar`7C
zxqPH>D~xDJA=b2CiZCjp&lS@|^!>_KPp+)5Vr_ITX!mFtbHcWbPo4}^a(=p+T~<-l
z*q9h0NcxLzmK;YRM__!t)3fiQzco{;3eEZ_;fZN#tBP#7`N<2;EEf@<qCw`u(lx~c
z!Sp4N)W)8p;>0k*)5lczzq*OcC_g=^4)YaOcc$r~;;TL~t5Hfi0Y;>r)$rNUd-D9j
zx4Tz#x*dkz)>2$^-jM!=93jSv1#eW_MeOOH(kkS%jZiA_{IF0_w{D|g=?S6YcjLeT
zNO$Bi>U-6Bj_PJc#%%ntoQCI!qj{<#1936Fb%zl6R-KS@Y)t2|J>`^2E>D*#?wn(S
zN@9#zXK0#f6u{JLpO|JxQ<*kG!$Goa4(+n>+Kl9FX`3$g3Ix#qZFCX+^<(;bR9YiZ
z=fl;OjZK2XmE*<H=RBB0hQc+QKWS5)Ve#kv3j;7n2U7)$4TUwZ<4WpNU#NJF0sjz1
zKRr-y?|9|i3(W;$Dx<6S#fi-DR-c}GJhEaI@@&Y0CIY@=`NH24w!tA`fVTYiJM$L$
z6ube2yA}Q_-9srcwT2$SZ;-n6f*tvu+m`&B&b{SM6OxL<6=8X(@pD;3qXr?W{~H^&
zwXIfi*1ge_#A{BUiLxi4s4m2#p`X;{RkYadG#wj8*mv5uk1*cj5&8DDNznK4AM$a3
z9<OGLkIYavrYJXB4cIf|s?MYHVl{v=Ijyyngn`!%NdQpd;F=FG>d$wFGov8%nT)F>
zb5_msJXdvpzFRV*V2EL-6EJ)LoDT|^2>bfk8CI+(N7vjo{*3>w6Z)6iNk*;=-l~c#
zZhoB5>-HnJk?&03&-78FDBj*@8V5X|i^X<w-%v{u&a50wu2S#mb}@9euq)%5_g#{C
zJ+C=pvfs!ZY%H*82_8P%2U*@zVdADc3;|Q<0w;VW50^y4r|f*aCK!+QF@va6J0>oU
z)pDWMIDpxDmFK-#`wZr-v-&9Nqjpqeeed(vuOAH!sj8}~e3!&Y(Oc7^T=6raSk>a|
zf4Y)gh`1B0Rr)^NNX0h_!ksc1R;52}n{6e#+>b9pTGOy28W{X+yjWmN0MCv5^d5xQ
z_W#QSJsisxNSoGL6qPBVt)J<w-!f(BWrCl)D`kBc6rL9BL`_0?sKc=a6wx-26g-W(
zz+`Mn#(S*GCe0t?Nqv=+T1FdL+{SsI9<R(j4(U_Oyg#+2A>9-td7jZg-=<0%LnbpJ
zzP2@v>DT54TA|@=4=Pd0&`gHb^BpaJPDTtBA5K(=-E1&fEz^Qxg`Xh^?j{z-J7~0_
zf<H$^51VD6)VFq1Xe!wTPq}N>ky&fkKdGZiDXv3lV;ARuwLOM86wxv&_!est5V+1F
zAsH)@25W`R2`M?$Jq1<n2bB5lMTxmTixIJouKyj3<AWP*ppz9fwj`y8Gt`ZZ@6XVd
ztv}uryVBtBD;f)%2xf+q3ge|uI1sz_oBku$T>5hZgy>I&sX|9qzw3Eq;gXF7>qr;-
z(OjG1=_tW-XABQb{1?a>*n32&gdhBlPe0087PVO?h0)GcrHI2A5sUd>9PFjx3t9{^
z`g{V?$I}_5>PXp5ym|9=GFE!3uCHTqBSJ!u6J<ADutLWu<<pZEFE9`}CX<i_i+peX
z1eH?e?~uxDSd}cUocye;4x3Tl`-w1?I3UDp`@Lm<aOtYI+EsT|&B@G=@w4a>5^&B^
z*#e5R+LUVjZ!ER?0GBP23YB_K3&!?qUc!|4fD3s-CJ6w6c)PVdmtSHv|3JljyEJ%C
z&>FDEcANLtT#4wzu?QO6C06~SW?WZuQkRzfiKg|>dDxKq-bBNC(Nh{{ve1q*pDm)4
z$vN(44%Ngr+;8%A6O2A-vmqoyzx>&r16ZcxZZj3G*-4{{e2d{D;1G{{Me~qC1%C(b
zlMvlK6{Va`IX<zR?B~zmcloF=I`{*;sd3*p?5*a$eq1%uF*ljj?@qC8{DNbG=sWO3
z{vX4Wj`ec{nG5S$wh)RfZqINxwrEe__YalFX{Zl=TzAy?MdvvxN~DOh{>uu9+oH9}
zA#qRakkaxJZIC~H8X_@#D5Q4bmsU_9!WAf|&NqHq1(4JJV}}mJ<;4%a77q}8V>J5B
zgn?D6Tqer<Jg6fh2a#d5`M)&1sEF|JGU?{tR&8d{R5E$&bryGc73@8`d`oJ#pXAC-
zp5OYO(iDj3=lap~EsMVqaL<q(*=yCjFVR89(Q=3^9(}wUePxsmp9}KuS4PD3$8YZ!
zAo*pGi?8~T0e@?J<H2k&E)RH={6cS&+<d`lr*n;nZ=?wrCT?+^(S54d$4y3si(D<v
z8`$=qk<n<O)}~`bKE7Vq!EcQZ%>U_m#)}9`N+KpCBuq?Ap}LZIe}MA(v||$TNw&fN
zeSTsQS2SO({ne9r+~~Um*Mwe@Vewfoid??noY3F-;*KcbjyQ_?@$r_|J1aN;$NYf$
zr(ob?Ge8;w%9j?&aOz8?8A;b0g^7tNEVi`->uuX1-ey}xHCTj`nu>xg^m7@V((dTw
zSisq=Jl;On`HEa7xQ_QKCyv(Usyx2z%+<2qoUb^2|54BbIb<`k`Ad#E?UH7cG({;+
zRXrV-<BtCEz~Fi9D8Gu@=-`Ex1!Z2Z-5BeCt+In95GZbs<qrN4r{3P4VDh;+7-iS#
z>o^Da_YL`OImt-@f>*ChbmGiyK+f!E?#jErkhY1wXMcg*9a=*|x6I{za#~Tn^7A0%
z)_WXh|C`OSV1FGm;cJDBGuYn-9l?_bj(xAWsPRd15jiRvfdnjB#|PFRzQsxF2_{(1
zE<_$lJbP{<qW}qR1T*cy4IEZpTKc)sr)IWiJu@rD<p?R3)8kF+LUtJ@D&&A_-()(c
ze*RL<5HgkttXVSsT;$W|&zNcxXzz56Bcr3Gb?yZmJ$LlPRACH-F&bW(mWK9`^P2R!
zKI-5xB8Tx<ts};EVpADwZ}qc`&qW_!#o%u8XQ+drkW=aZ%29qSS8^ih*25w0N-Tx5
z8Nu|6$jJbfK!=QeHSGEFEI?c_tgZ$p+uEvKMcO=<xTrTpzt<=H$o!y_Ch_+rp1R2u
zcdT67A?-FOl!P;i&ww~MPO}|Yhb76^m~u{VDbLx7G)EG{mr5t+$M5Bu1kBdid0G!d
z{No^*w)NKPt)#XLl9GuAsa`F6q+z=2>%0El8k9g2j#Ed(DKm4!OOEal9k-K^Ba*oW
z&(d)-!d95$G<*s$!FWBdujuK-ecw{JnPz#5KfQQ~AJZ{j@zhqx1h5e0#`lM<1$Wv!
zt@saPBPA>}IVx8Jm$s*&HOJA@1AQvZKT8b7pF|xPk*WR%U&%iUHz6LUep$q+l#`|q
zppy2`=!kGw3{@GNmuu<vUhi6PJY)oS5d|Nk$qhes5lgbVio1?E==yzPmF*OM#k$)q
zSp1>2UxneK>EiX_H<5qO4q0SDt?+D9gxR}<G1e9+q5JTt0Uo{e2b)L4j_&Z$jB0(r
zJeACws`#wO`|s`5UwLSEzAaPyN^LyVuR`0_6JNNk?tb2-FZQbML2%OPDd7R@Fhq-j
zCNJ;!y`Cw4QixO<qOKK{(XMsZzs4f<B%C!Nsi<<M-6fKbkHAL@HP{<qq}=P({g}O0
zNi313O2!6#4@dbNY>DwHVQa;kY6B(;V=7X|gOFa<u))@+K3bee)`68MT8ncCFL1D#
zA*QMSgi{_qf+Ku4mO^`l6yzht>}X-6b?nHo&&phgiYcE{YQ6c*|5CMwBRS=1l1WV9
zf`<W+sLhtgc=Kr}C$~WaOJ(5rJI-m=8~y!4;%<OSdo8!`&c>NB60A0>?AYHj=tG45
zC<QMP$ySZUpBj9u<7ErZJL%&g{%^n@!S{1zPn`_`qEz^uv3}n^Tzpx=+}C~@n)L)_
zeKD{Pr*i5}`<&n$(11jXF?TTQpMP<+B<9HAxZ!RkFq>el110D31C_#GXFpS3nhDoD
z+!5VZ;W=J*^<w@kX;6WpRE`iA`)sMXcVmA2ibzP1w6NI!eTngp{78T6he>{34jy&0
zKE3%97SX|oiF!W6QOmA01aB$m=~U_al)4ThQeLkkW>47U$-Ci>4w)&}exCNvzlDYR
z{xANaSaGXXt<B`AyHx-pz-yyg!3?}4zF8V@Jj?qq;HQw}Twqjp5FNb3>__9iD|po>
z=$VvcrQWA8?8zg2_h`tIXT=T@pVfj8r`|MwNe5u3mY3#+wcKKdxg?_X9FlO8|HsTX
zL83%Ll2dFAk&Ad^gvZkBwwwR@s{+#kYM0nJEe9*9YEd)y-C8a+jW41a)gLBbEU<Tt
zW*NjcB{`m~bPqc}Si`wBCaH`=_MH0d`l_8w3^`5?2IifQI!s>)V^hi8!z`bjD|XZN
zhB-N&Y{lAElZ1U}OcDhRuPhnp9pU-%#mBNZTG9SyI3P3xrTCgfG;rtBBP*Aw$~im@
z5AxuDb~{;YxxdzK5V&+2;AzXPPFbxBDKaJmSHJSS3=1aF@}d#6VLLuK^#V2vx_7SM
zFsytv5|19{u-Kf#G3`wijOj7#6u!#g19x*27x{9wcrXyXsE~GSYz&&`_@Pos7w%S$
zEO7HK?Pl46Oyp7oaAS5KM^KZP+~N!$E@O|*1EvXYu1_HNh~%=J|2k~b?Ai?(>b$|_
z_|oj%F$1~96t_Mahol|h{Pt4@#ooa5^`E^D%TLvDmt065^bfcxSo<i1sqiF7ncsS|
zNpK-<P`o6IQOu`xm{e4A8>v#8wyY5luyEL)sy3@JBQYydn=jV*rI_`NHs(_oELqPF
zOjLFgu9p;1+N5v$Am@_aOy%>U@a{v5`VKdCcyr!Akl<Eacd+a*EYrHn*|PiOLq@I+
z#18J^^%2QoCh(A#h5H|?-}KQcM?gok8sUVl&h~_tX2BHGLk;39HfzWjFF@+n?ABh0
zd=i3p!4M3d`c-zarF?*g0=EoGu<#r!i62;#>aL`gc(niyZ|=V=(3N$n3^}wyiKsck
zPpxm8U$Rt(cPaAH9i3yjKVv4DcJiM)WKQ-fqA#k1$+dlq*fNm@J|jGN*bpaUovu$^
zfM>Ig7n<`6ej-oo>B;nGbtJ44ag2tnoA{3;E?}1$z6DQ6B7R8DU_YOb@fd0f)`s7^
zFdEbsN_Oa+Qije!8ehz%o5PulsApa5Bi4>Qk^>%$UJT!Ya)z5sDXslblB7&z2C0VK
z!aN@B7BXx8U#AQMnvlQQ6SqR{(>rOTh~yay??OMgC}=M`+)`mCY2k^F^#x{z9Vy0#
zQ6k(2Xjnh5U4RI~ry?~K{(s=He5kBbr_S(8U6;VCEv3Lk#lYdsIXA(cOz_)Rk59Qy
zmbL!Zz3QFi+UtZxk<kfU<jtx}fY+A(C_dI@LOqL_^>%`t8`E^VKHZ~!KCA<{(Od%1
z7J}iYaPxm(1{2X<$mkJwn-AM~yin12wNNm4e;}ieW+3rsN^tP#|B^b$Y&k3$<>k{e
z_i(9oQCqa;nj5D#W{LV@kQuQEsVLt#Fc&4xx=?(0w<$5lMdHGCWLcEb7}>|~Ii@?H
z4*w@BO0eaQgP@w2l&O~iN}Zggule@9WnDFT*uIY3Ik){IbA$z%=5H}+$i@8Ql1ffi
zovj!jj@<Ef2lBz=YHGDNRXht=uWIY;TCjU?1vq;EH%U&%<97f*)egdiTO-f97PF04
z8A#6Bu_=Q557=576=~-N3g)w?#I)1*j81~rMpHGYEJObMx2p*`SCdk_T!yJlSF^QI
z$scHo(knO~jpkL-AA`21ML<O4T4(UKj&C^a>VE#v_Hs&*P!?z0aB$_Apu5`~B2jhN
zc2Cvi4Zq)clloExm-T{0z%47_&?;mf04Xz3vg)#|nL4B1t~6bRZrjO9WdVmo1+uH#
z_dzR>;~?dmcygE3^?`{=N%Q_Zfo=Ku`DC1&PPrY=*-4RpH#R2k?V0cF><lf{qItHY
z*)R8=;>Pqc)qq;APQs-UE?XbgrW(_q00w>IN`JT5W7B^XqT3p#_$Cvl)BNH?CTLFz
z)z$w}s4i|@xu4`C%NAZK-5;N7tt1tMAv-)(U%`2?|4%27c}T4O9QFvOwM6->g_Aj%
zz&8Q?IJVVa{|k~vvQ{)eDsTAnJSv$ZgZ*P)JcSvMe;yA!sDHArJhvzOhkuHT2cF3v
z_b=P+u9n>%6Nvh0-okRmhOK5<$>{iuO6gVn3?QCq9ZHx!>LF;n+gj8=ANCr!3zeU-
z*Mc@l3Anqty7g_aSuP9dK?<|J<g8u;?=7E#-!!G1x#wlvr+G=quR4S@(+2rJobrXv
zO7%8U2iMwdv6o*P<STOFmgyn}A>KK6co%(J)bhV;8(vFsM5Tr&l^DNNv@JJ;A@^c~
zb<>I~sq;xJDa<mscF_0awzFPir_H@uP;C#6i#(of7Puh=m@QHMN|fuTlN*k^v;=PX
zQi|}VsunkdjXD{iQsG0XDmC?%#YkortB06<uaVuAVmxX4#M>vw(6yhnW;ZL<xo516
ztIQ`kV<_8h=LUUo?_Q0g{BY2;bP$Q24v~f~D2jqV5Mi_g?O(JQO~^F48?N%eFz&TJ
z$WlhCMsvwwP9?}6FU2eyz!Vo{`}l8k!8uK%n?OtD<Mf0=kalJ1wEIu^v4@Z%EB+Et
zba}*kNZBmFSi-`xG%c?=g~QdE#d%})?e`uq+k$CQjnMHi6ZakXFg<Q9EK|Eyq-(*=
z^22JLWj<?JYj{^{c$M^CVLSWW;MDjZYaO>$6lAuMU!LsjqY)C;i8ydz?Y1D;`M`j0
zb3jp;L8R=j3v)5j0CxI#J56<-q6|%Dg+0D^x!P<K5%dO%5H~}fDQei7j8$TwpyB0u
zP9)#J_^JAfalETjvbjN1d}7z&SfL)<uteIUlDxME{gf0A16V3J!_)@;u!Ao*(>vJi
zJz;yoJ9-h27yyVlnun330IOf4x~?|T7nmM7_2Ha1ChqG7JNLlWGH1-bI@zOX3;}$e
z7*g2Z2TWDV%HpMy0e0KcQD5JxDoD+c!0|-WI<Vc|sN(nY*B;d3597kxO%v~U)r75i
z@8UWrftqHQ9rp{RHlz8NH&dmLl8JLxDYplZf~*dB@{PAOcc$TNq@{?!=dUsFHW~U_
zcK_NB23P-Zw}YF`&*C;;n6cGmx_#2Q>;hZ!G08GsNu;c8K{TRK{&59CNi}{HTFZc;
z{-f2aHUMY@TH8sRXalMuvi7a|1pmnev5zO?fdPL(EM1(zYVxYN7Yi+d+2U!k^9>Z>
z9wur5hi}4eVwxZLc0*85?p3AIck=`OI?ToTQ2#|m%!3y1N|hmjA&hi`Nkzzh9G{@(
z+$F!`9#fkK)s!3nQq+zJujnI*#f{?Unk!OztwD-5+z$<?VnW2lbsjP=cuM64dY1MR
z*(?@B=5yWEvDkmSBO6QcWc|DDB+DJ%C5VO-t!Vd*BL-h9V-IR|F)AGZXITV$EEuo{
z8FW=I4cy@Kv!eLt(LR%S;VBK)B2RNWIw{_N+VQFm$_Bd5nbXX~4U*ok@ZcvJMIHM}
z5=EoF#V1jfT|5Z8oT<20PNezhd}k=z455*)QQ2^F*9uNKk!9{HzmTC60<x4#(CwMA
zG<1w&-ttNlI?3{^m5Xj(>-wB)Mp+K-R7+a;O`Xr@daObfRZ-cfK)!tNd%F)-BaV)C
zv2)ZaS+jrOI!`n9#e7XnzEvk(o`XHnVacKM-cZNQ;3OBq*IB)((Mop&nTCQOLNrYF
zedW_~>m`=pUww-u!IJvBiup>vFpAlO2vS7HG)^TM_SSd;3XWUUMHiC0C_;JENELy|
zt$x+<H?>9AOy@1{sY+|Yj0?OeX`?%bhxYO3KXh9c#_K)Q!miN{SQ9M@bzJvfY?O{w
zNZellFZ_ONQ<v((qF8;yGO^K45rDqTt+-v?0r8JDyaXJ6LkBRB)eU#P(pJQpnF=&$
zbH}`iYz&qPlySiAq=fPxCGVSDc7*aHubeHqE9lSX{h)1xyGxBU7l(?45y|kc72nQj
zOi()N_=uzTeMCIxsKbV#+dj>H@ICPA@bw60(dH<LrC^NycDwmXT+2-7r5PWjI@8sl
zthwPGL4)%jn62g_F`sZ=t0W=!FlbZ~r$r7}+w1sk^O=rdhymVMqSTjd2x%0O3#3}T
zJ^N@*{3!i2csnIxRf9NtK^b%_-bCT4gNV39O3!G~)q>U=Yyl!YZdQ{t_U|<-vAacU
zN@K3~fbH?J#T`iA4gr_rpvH`pHiiV6*xzt?G*n0NPuyj`8u00=ePuVqq(b->{1vf?
z=0zqw*J-Cy$Ig3THe)A$y_z{Mr~F+stg@l3L1&!DXHBt=6Bg-;`4_~3DUmI7KE`jT
z9}Hk4mxiJ_W6pA@K2)aqd#Onsm0yM2eiU=N^@r8_ou*>Pzp94{6coTxtH<hiiM6B}
z^59m2es|9z780Itji?0FB7S?!s<h^aV4_(S<9}F4dC<eT@+A9YpmOH>(P_0YqIN8;
z#wAiYE1Qf*Wm_8J4-f)U$+peb)hpOhQj@5Pw+^=7ZESO?3#lp|wmvi|8Q<Kq@THWY
z=p&~HtDI9s-okt(P7VSPQ#Dp3SHJt<7rSAWr-4OvAA992pqq8Rue<Z`8R1Oh%UFq9
zCZi$$Y6exTI%i~zS)NN4`D%2u=vbU?l#&B`<rLlwi}Y=Hv&338{vWO~SpvEK6jp1;
z%~i3DNG=OBhm!r@Hb6S{43xn|UgHIn>Lfi(qC1Oe7eK12Y?mGtu47^Jsg0KnRZzxF
zD!#c!OL)X~S5v8x?M$^c136Vrr5xQ*QdeL*h54t}z}{ute?5Wgz7&4{U0z~dvGCRF
z(I&R?SxKoX-|d`XdQQ||$L258-FDRvk|s6VnR(~eS0L%!v&6mn22&#!jwvGZSTToP
z2#t)o1lG<lg{n=i?3cN-iz@xPJyyW|x?*&uX%Vu$0Y@nWFCEMXK#qD2!pk@m65~4^
zBIDE%7gb^X-hBcg^~<*I4wp;tx%F@lyl?lMUPq3o#b*1~)y1!ry;i^6aFU{cGg0;U
zZhQ^bcqwC%R+^d|RCU0eueF1nwA#93_g!WAvY91k&aVs?9p@180-C2+TqmIzU;OyS
z=UWl#$VEo1h0lP%<FZ*EUobB=thKY}KU{#dgn5D4v<QOq^C19RlWOQq@Zu+$LHt`r
zh1QTC6b6@`J5w7i8(Syi!}M4=5snWVIaEo505?QpC*buEd*<sZ5}9}Qx=T&5*>Pym
zw_d!(=ij?WiUArQ<~*Wh7vrk;!oW$WYhD?|13r|_R+c3nKE3<&)^)uGOzTP_?sXX1
z{38(lx5Xu@Y;)R=n<dJb&<nsmL30JRr#)<6hWCfScT}Sa1WeS}t1iY=v2(9(2b{i~
z5@9We^K$w*McY519L=civ^4whKy`%O#b#wL<0frw8Syq?_4v@#Qf2En__}PNhcd=k
zpLmObM=>$oXbOGt6Q`!pIX$U@nr>5BPwcqPliqO#bS|{1b3(FUC;bz1li|$Vym27x
z=}1}Ao$9tVD%Jk>C<%QEvp{Pge9ab-{`?>y<y*&DDu|MX`%I!ZIYvchD<a51)^Jb^
zs7M&?p*(daKyIm0`KwUWC^RZ|lG0Cu+qp!bgNoD;C6rNNgu_DM;2^rw5M>p1zpRS^
z#~>{^$lyG^;)OM|NT4}mw&l6b$Bod+s`&i@+XQqF+Bkd;7N>t4_)k1#E1ycIkwx}u
zD}u<8LjuK5OL{76HbhX<)maR6xn@l~hTT3oGczr%vAYfqyP$o<{r&~YY6pU;aquu{
zI%zh@4;hGr>=TfWm~=%n`34qO7*q$^JbRRcs>oz^wF+>PQ%P>VO@EgczWzz@FtUO<
zoj$_v2H})9|2s<%iN)A;j0N0MF4Yw(iG86ow!=n>ELl{Luj_jf+6)_zJt1r1hlo~r
zvphxz;B`M8rWjtl7kyjHjzT^?iP5@DbJ*_auw$yb*a898ZY81mm7;)iF7iVGJB6cG
zJ*qJ+ea2O;_uYZJ4DrvvGocoezk~<|CNC!GK>etO*Xc8ojxcR+UzvXYBZI+|tXyxt
z2W*XkVnZvfu=cA~ET!P7m;TdJm(s)_K54~nz}AS@d6AdL<+gWht7?BkoY)_2y%;mi
z8i|gIu@8}m-Yw|z%KhQxJZ&RKC>>1r31U^5S%9}O<iCGV79ZKGW=dGyx^Ph`qky>|
z$@9>in_TtE^QrD*l^i;}S%^g@IZnA*d~FaJf&XX6t&7b(<-?qMApFOOl`X|Cy)GaN
zPd*nsv;R<ft(#VJK~W!tDZaA0MouH$fxtz~Hi+NWP!R}(jtd8$#dj=4&d8_dHHN(t
zpew#`>-~zJBmyVpjaKkQXm^x!(0aVu4Z&g8m#eut1mlzk$k5+9ccvCrvLL(mC##nK
ztU<$y4(qhkt^Xx)@!Ov@J;cHQD?%#Fv>>-3(pX6>j4J{NHuH=z_P*G3oU=jCri4pQ
zJY}Cx(;}k_Qe>Ks69!IX+6QiZz@mk6M8GBxNotVE<P2z#xki&V255e)ru!Oq#@vDY
zfhd%bDBA)kz3`(+I@-Q_>h;c7p;2tEnwg=vSSM5r8OGL|s=S=b87AM6F{!no;oWcE
zVlOKYt+^X0V*bnroAB&)UZwa56ezmt^<C)VBAC#Z1k`ELF(9xZ1SMM6XS^K!j(8jf
zQ6$6S3+D*H1WQ%wF%O2hZJ&W=r|y<^Mq1p~=|Wzc3;fQGn;wksA?BO{7YDdjLJyws
z{GrexAWA|n*BzGivF0!8fs%WeKOZs|w6dBm+h+1E5~3S_Wvv;g@KRKS;R{Yj9Nk~v
z_&z(NZcvy9l4rbUFyG(wU9mt<nA-cR(|M~3on2@c(9GnlGLpM;Zn}$;bY5u7&yiIj
zdqd|k5P=BV<Osf9t%H`#O{Y8KT$sWLc&>qM|NL^P)$6<eG=3RF>d#$dtWJxD%Q5E>
z@6&Fdr55iwym_tnh&`Q{OLszPW#_><=tcq6)`!veIozc)-XCsGlr=<+k&+@-Is+3Z
ztRSTD+~T<6LHtCg9{r=8_lOGL*#+qh!xooQ&G7}j*Z+8XP}l4$^JgQ*u3wlUxHZSs
z#+oKd>2=SX3D6r**<3Y;?Sw*yt(upM=>~HK5f+AW<5Jj{mKn`^E|D97NIn1Hgei^M
z@@*a+fBIOZ4LHa}F1rb2WD1ORXo?#wHzms^Qggg<sBk9iObD%v?J-m%_d{d%S?%1C
z2s^LQ7&b>0aU%ZRg*J8EOdRdIS<RvfBMZa{<z~bRpsp6|kr#Ym)V#I3bJ>y+SqG*+
z<rRd4<B_MmTGJxJuLC*8wLj+8C0v>%K}pC;ckV-VV_O?3a);mB;2?>~>UcK<2{u*6
z#U*{$<cvGWc|uD-G?xr-?ZgCJU}<=9f7iAnQiL*Q=v?v0;>+7)`y1bDFs~k<bi5^V
z*pF_BgvT0uX;_pNh{8mOtBGL4CE3V;@IdaCr^XsJ(UoUy%}6~x0o8QKw4_)bP)}V@
zN@u<Ley8rOyR!u|y*{(<b^=3gTDJm%@jz0To2`~Sg)C;taL+>%rYVVC)U6Gp4J0>y
z3EBmhQRR>v8?p#*K08ckrQ&=LEO5axgkeCIQfIh&yt>Kny2w&pZ?6*%wJ;-D<A(if
zVA@vZ@xHEXv(5_s8tG7sk6tBgDW)KObS?FO@ysvr9d%BN4TI!c6FkF`v?j@|S%--q
z)EI}TW4B|dAFGkS#wITfHd`EO;$L!0I9s=?P>22zfB(|bsnRRECm*qphJ0s;%*N0y
zsx@BT&u$VQM$m(3jTOtf)~B*?R){GAl1`eN2<sA-s6&M!<n6W|O|r8E?YTToG+*2A
z^H3SKJr1{TCTEAl(5J0Bs`=!fwZ>Cd-k1C~kw>v{L_20}#QnanCrVN1g7nbRg2)Nd
z%LrRJ{Am(8OuC_$a>pxq+W>>#(iAsGf?r!gEU9ksBD5v%`vMJx!-8*Y9+ree2`TtY
z)f5&>0@tF8jwVCLf;_fQG>0Sp(5hi&I5neLAlk3}TcKrOY>S+>#*5J}FG9e|mt)w1
zGFIQlV>LejJ5O0HaOsvirT_~1H^oM?Z)iYSauCetpWKFIWT0S|C?l_H{P1qY-{wo5
zF-h|zL(Mic!}QW{<O#z|>~SOg8hmGmEgQ9yU6pxjwH4YpEqvo&C2-!L^)0J@oFC>G
zJzH0WIi}%?9U|*f78jo3YI2{duE}+++?55QJb?L7pi*JRJlWIWVCh&lqdgBHA>q;c
z7`Y^6F(Y8T0GgfXA;DbQmvJ3@&7z+At@r9i%KLdm_KY%F@W+=pXU*KM2m_VenafDj
zTJN$ips}Ph1^Q}0<KT52AkVV#)Ci=QARBS0%i5d+q1ycYi0AZvNF#&e!z<dM`4X}+
zOI~l1CTTrfYtX94rfKrx#XHGb59Ypet8wszDvXZyoV%D;0~C@rU1E5RBdmkmUF@Y7
za;!bcP*O3O%{fnEJz8gK&`sEDRmDchH5)7`S?s<C9+Jzvg-;RL%Q2&|tTF2*MrkZR
z3+F!o>Mwd8aTKgz+~b683dc=MOcuQ3BVD?d_u1QdRbUxdDMjo9t078*+wFS<Hvfup
zOs^Zvud~v3XlWhGy4v)E)Fwf3{tnE5YnN~+zo}-KeFA2a4yS6H6QX)g%>(yFw4`Kr
zSF}(;0g2bVQ^(wyxAO~OC<na7@}tsYhn!q>wj>VWdw=Mcf-L6j8?}<>%G&rN;zf6y
zaP;`pq*pizURK6;x_m9w;v^Z)(R*KbJv*eh(otUT(|W-2M<?(!Q#*+@x^kX6awWUq
zgazhCy3k9>+BK-!4s)|J$dzfVmsXmWgy?6WI@=@s>82Q?Nd|#GdjSBV9j2%CVIAfj
zBO^60Z&H1ITOro?(BWnD0f7r~24*C~ApXw%l_<=Q>By^%LE;!9oKOFStt}dT`54iC
z$S<xTg8>2ZG6vw+?l3%zh++g0qi!cqjJSHTvi4gQ!yw4t{%#tTg(V3=D;m~agZO%K
zLKff6x%dpvbugdpvO=yUWW7=-T1_Qb%lilD5`oV;PuYiqG2uFiVtR?8+7jAY_8PN=
z!yW=@&4&))+O5s1a!a}%Nl~2VbXZf~gYwHDiv0ujKt+WWuL~xdaU3AN7}lxHRYfoO
zt}q>S&1Y+wpA58TjOb-Cs6EO8k#FjQ|Ao~=;3>llRW%ny#>+^*>?zx_NV;1y&~#Wv
zBGOujqpfLaNq1Udf@IqSj0Co8Ku*iu!Xml`%bnzM%WM;0AQjNx{Tts$3Y85d4fnbT
z6Lr1NzKpzGVTlUhL4~Xcb;ip6Jpa$S1hBvVabcbunO-R4;lDeJk)H20uiPy8`C<h<
zGXh6~y;i!%m>bWEXrycX9N9^tn8C|g*LL%z3tk8&SZH58df<TvcVyeAJlT|kpG*(c
zg@0$?nIsPcMW%V%^?i#natXXa7v^msy$?|Q+|sa?7wHX3$fBqVV9P~QiP&U6#QX%H
zHi$JsKMWr^>$R07PWXP<Vz|1sv1EF`{Yut+sP$&Iz$O*s#(3RLOX$HOed0w=?($7=
zX++)kp$`S@G=Xjbzu@AWW)e=@XiG_Qo86p|F4WF>NNO?lBVM-P|BM@(1wQaW80FOe
zMz8C@2u^Pd&a2<ekt5ld_$1uYr$(0A>wu-V$)6pgz*P{`f;p(U!g~kDpDqHa2YKvd
zhXLlw#8=u<r7YC8{XmS2s)<7Bqll^R%Bgn4OU&p<hoszP!nUiJU5UYJOe2cqp9A+n
zSs{ry-uX?*V9nVPcnEzJ=goiLz+M+OEeTRYZRU5dxK^g)B>b&iY$TuSR(rYgf-)5A
z23aqhI+=M!6e%IaR|If<%UqxetW8EV!_S~R2?g@Z&4^mkXz&4v%^xf^GHsp!GB(IS
z2-HCK3V7OZhwNQp=_o!-2QQE$wys4dIy-iJahwuzRphwzILJ^>bFA0s>(;mhdKJ(V
zTdq3492@7Oi)a0DgY9Yq8$ap(FmF{x$(yu(lF>+TZatl2YvQbjGfd1HU#-pYa4Ja>
z7Dg<rAnpu|!Biwcw&v5-k)FamXf%1n8D5R%%65KJQws8BGFdD6Q`!S}6#xh_Ga*Jv
zy2PAO7e4{y#O3@nUzT0W_w_^N#H`{jlc8<5o2CHr#_qg&#HXhlGw)5Ai~ZsmE-kWl
z2n=QpTJFxqWM$adif2BpRhyD|mWG_HHX1-`C;H~iKqhcQXnh>os4E}x!RtLpp0&Cr
zsGB@4A25ls5Wi?<NOAUd3O?BvgsHx@;{|?SIJ6Ibtr-J(Mg8rPlz<r2y|mOHrz4J#
z3?1#A+nIt~h;Bw?ze)6rJ+?)|_(2pKo+R|cG3f8nKDxpeGim|?@rL4eE8+rYkFzs&
zoxMDI*5b3uuRB=!eSdU_m_lpaU@G08Ab<6&dR^1NzpX1RNR(Dr6CX|6KPM>P5#*pt
z+^3ZsX7;TnuRyPh@TP|dS4+izcMBDNN(mG3J0*Ycx)mc;-t-Nd$mzIQt_ni&O&pVM
zBG%w5Q%f}|rjglfzcnu<mfSK&o;BPsY`eX*3+=nj{Y=1?0Z;KZRL`Mv@D@=G>j@8~
zt%wN2i+`2bXYxyfv|yd|VCD~78S>y&E*w4AgzqQ{dmtPWdGLXtmXPa;2eF4M@56Ot
z!0csM27e3Y=E^Ac81?I;R`#Gw>el0*m(IX&D;uYEJ-!;Qt8ZEeX8U}e^T>|Pl`-OR
zoOY*x3YQ%bM6Jco-D%iYwM&TZpSu^s_jPlqlWr_i+Bd=stIcNygauJrA5?k)d9Wm~
zAFi&Az>}M#(amfrAJfc^aE4-j+(7)yD@BRk*1MP=ouP+4zeHkj3ZT=4*(*l{Fi2dC
zh)DPpy$!m*eYHH+VN)8f)kUCgHUr+YecOZQ+T76A&=9jWdO5A$lXsxXK|}@YCo{0^
zsY@!zbK81@AMR!YS@8K1;3J8;*!ZgbbN3IAhiuP?l}J>li`T%zrlkxCvO9!m7H<sL
z3TIl6*O*S)e2Sx)yk@1ModlNBKsqRma*JM#k^rY7@V(v6c4l80Y4>z7)kX@+1pgh?
zro*XZQ_au%o}b5uso$Lv9klgcLZHMHKaknLQ9Ztit0~dB;H=+TURN!qcVk|rAUpJ*
zbGF-gRi8M3(K-&x92O}Ao+Rz_51}aZV=^NfQ5Oc|YEPgGy!Lh%G=vHXp@5o0waB?%
z)ez~yiM$2S6#^#NiXk45R!8TZv%pYi>SBOWlO#pU_g@G`x)lM4hjcmgb84hQJ}u5a
z=FSx{NorB$zVw_kvEUwe7G=g$(bH;f>YFg+EvNZ(umqM}7$Il4&+zMfG&pDKn6L2t
zY1(f1s`wZp9;8T4(+mWxy+BT`q3cZK`Zcf?6e!{JpTQN)>xMk-#OD}7+;Q$fudva(
zl4glN0Ee)GH^9$|dUR5+w}%|Mri$=^Y<ijJ;hPpz$mweCHNO*1oSn4|h6_=^=_|Xs
zYHhgfD>s+wzMgYd)_9LU{*5T&T-GqXsHZuC%>%A1&bO(v>dRl6nAwMijt|X&aaPmT
zr{&|(b$7%aSNgS*$|H5K?t5z$rM#t`!fNv9Sf&27Cd!`i)yJ%o4PIY+nsF04Z$1(>
zc%j{=h&mf7zvUzWZ8fo37L)SScqA|nn);{_lnus9eH4Eqxeh2|BXV4Ew?@nx=b>5*
zZnWOx-qC!Y?lASu{EjF?MP_Y4fyoBdM60>cqdn^#mRoJA9__`5vgUVc-s~pYfOTG^
zQfin3La~KNxl^Z4M-N#q57)yuX1OT<z3rsF*8p}3ce*scQQ5>a{tsKm=-G7$T=3LG
z!$Vy$i}y1gdZ_mZsN?SF>e0|0-jg6GR!D}rT4w~sG&gIkYhpCTI7u@Ha*H>UBIYU-
zuRTA2waG0~#iWxvjkvzQ1QbXGc7h_V0V?~F#4JH_NH%)}l;Gvmu!^`(VH{4-CYLfi
z>>O&2!%;CD<8muGX54kNLSroqZ?l*<R1CX-7Fq`YYn3)b?aYQURMU-``;fK(@?}!z
zBUtH1-0ZYXr~II#c)3O#G6d7W`bI9<MRLVG)|2f*-U^w4!-pnF<w+brgIw5WeiH_s
zCE=3(iSDLN^r9nE2O(Oj0Cql4dq#_Uis<q+k*Jni>ha}$Y(q^Ars=CSPQ9gF^E6Ed
zYTT95XylbrtZ>P9aPjQs+#^35NR!O;?66Tu#>-dle&Wj_+Y(0KuY&ka_g>u_EOCD;
zN=8eW&S>=cOf<6za+-a~&%lWV(O-c-c=TW}4%KPS{Y1kwHx(SKK7?vhr9M98dCwd;
zQr_UtA%|VuR~CIBi%I3WYR#U$3EjCRC<NwGrZ#fCqAIXB!7ZG?5<uUX^Q=S@mlhRM
zPemgTQbl7+6^P$zh3V{43u2wal35{TfSyww^bT)3XiI%_y08Y3xK5DZwSKtilW0#w
zHIzX={fuIGfEz_s&x|&SUWBTPFR3gJJ%PpZ+JAu#vtB)%ZqG7$3U;#ce5}dAa!4f#
zMM%}N+CO@Cr);URR84ooeRmkQuoK7Cn6`w{9OmZY>&=W>vU?GHAo}})w+zz(dPfD|
zpupZ2+5Z6v08D{`<Gc5lwGY(uDuQHj2$qm7JXJnr=}-4(*q0<BeT5_YW@pS=k@isO
z@6ataozZU_s=wMFP8IKGd=QI=Ck>VQ4B6m#0gOsf{$BkdJ{K`ktME4vXK^l3`#4Qj
zdj_<j?Uo+D5{4dxMCb>xwmW@o>}7WEDFSEpKg!@y3n)wt^sxq3Lm@UbP9%MZe+Nmg
z#SwI9i;f@y`<8UG3NFJ;G;oo0$e2Vgr#38Y=!SG?<%}MK8G+rumN@#-@DdgziOG>B
zG=I#as!G6oA_jbyOMOsfsv5>Qwt1p$2WuE;%-R|1XkQRvqh0%(9(||Esly}ILvoOG
zH3P2`$KTk+gf-MI_N<I#z-45Z`4NSJo%9P6WpY%|r8&d6lcK~Jr?BtsjOQ%BNppU5
zp8msI@xGGkzmgy6@OZfWVo5yfGO_*}FY7XIowbxA;=qsjM+G>oE0vg$*Bmi~yT>^|
zS`-BXD@5JOO|#FSM;CYIupWB2Q!_hVLo$aXyuTx%2KHgIBi=6Rr8$yrLW10FUJW-B
zCQ5HA1n+;*M2BFYeb$)lVK+OE^#M}M!4N2j{s)CgeKCsR{z5+lW1PXX`f}V0<bn)}
zc{9I7F{3DICj&RXPt$2|ReB@!lK3TNT<Z82k97!^YvKK2dRGXY70PC@L@lSn;B5#6
zW=oYH#`d8daCbNNp^q3yk~)zE+-_vP=Jqd?Hm_!BH#qOS>*}-_r<n7+U;u2O7dz;t
zMV!2agHV7;u>ZpwN*9INtJUM&K~*TbZxZ^3fvaf<n&;Bo2$;}65p(=sbzONpl<V84
zg%T+xGMMZKgRC*Ol59g9#MmawAWLLw><3u}6|yJd$S!0V`@YM1?8Y|P!x+gv!aHWv
zc|Y&_`#pa@&*!=C>$#r$TEEx#@Mbi44~bfVlo!sdm1FeezX|u=3u*X79m)(#dJYyl
zhcS|t<BjCvc+=1BIOQu>gylfay<ZQgXXPziyVZkKmtH!s6u89NqP@f5R)ZSZgArKP
z@S=8>>V*ud%!61+1zrNTd<A26565YeUybEcqS^WBr0$=_C^4Gk!*U2=yqYw&8U3yP
zWkf1*Ae^);I;ihy<!uKPAlz^O(H+2rr3r=M(pE04Idb<d;nkGVzjl;1zZ5Wj|FFJ%
z&HTJY{YxS2oer%@HfAS5cZAxZ2Bk}eZ1%pH)@R6@ZAi__^U>M$<%(&CtoQxtRfPlH
z@Trx&(Se~>Y8{{XDym*xfX!}hu{|NyLPC8UPRNglm#I148#wre!Jy8dwMpCN?TBe}
z=c8&U;Nx+Z&Iik-ac$FH9B^%RQ}O9yuVDMz_$RZU>AvH=9@Qv%vP6hzvg;=;08(ZQ
z69Y5}121^@g&XPw=_JpUv-=TLluRHO@RuzPx-Fwr-D;frxc9?Z72F-!hV!G<-Y+-b
z_E!!czB+Cc<}#=&7nD_9(%ao!<}H4dwWh4f__cG@6TCWHqUOEI$ifbVz>O#`CQv=y
z_A#c{@5l9Vt~s1Hqv4*VX*U;_8bp6&p5PM`Wu+PciHw|U_#XM<KGn;VwXZGObd%4g
zbbS0!v69ft9zOm=C;RWm?YtHImmL0%YFh}l>q-ds`pEdrSJ&!qt8XdXIE?FfS-ejD
zaF_!TuipF;8T0&Z=w*lsjY@^TS`~dT;BWaavx>}ZVBU;05y6Y2+6`46OvngF9?!pS
zs6ZsO>iIdM-UsjImVl0jQ=~I{IFRZ*d<M1ZQ!UnS{$Oo+@s2Ngum7J4&uc!;lsn3T
zaa;O0_En0uuPvg}>RY?iq1{HBHB%ZB5+Zyld4CJpddABW$3D%^X8nqbJA$MTXO3OG
z#OZ5`gDL^WE)`RtccMY-unk+h$W2Y(^K#qU?mqkNV##Jky$2l6s?AK3;~VL$sFU(<
zf~g_W`)U^}lAzDU)vA02zC4#V<K4>NydggDNb@jPY{j=C;15^OGCOYYhZ^ftzM`{m
zLDSQrwaZp!NfBvYaU6}oOEZANg2{Vxx#bs!f*L;rMy@t{5a*Z=2k#<u*YmS>FqZbf
z$^N>nA$kR3NpekOA`Zm+;ptFqO+d6Wsxj98Fn8a5{f}=llzP&!F&o2szQy5cug|W|
z^QZe*3+%kKQKAB)e2Qjk4h0xi%dYM9cS)cq-PosX3)*Df?y2xtQ1t(d%xYWs<2yrn
z8N+J!AS2kNQvAF8lZAO_jVF6Eu#c!~t1X<m_0nuh9_rFi^@>CLsG}b=VG+)}Gpd`_
zj&fKLRQ&wG;uQ~XCOWLFTH?hrStskEFg#^gBkXIlB~_7D*OOyMUR!f<fspxw!VeLt
zuZZ^Q+UVq@+_zU9sRoZ8J#ccu>jaa)S)5FFiA)a|3}$F}n68Sx9;;pDJdXjq3h{nI
z3hQb`gS&%8MyVEw?S}DwBhUKGHqc9_H5$^d*YW@GDdWEZ!t?$vvqwjYU)f1Hs`(^x
zqv>fmgGj&dJKsXgto*0uH!l)kkl3I99ghDRTJ6)sZX#w^Sz@%aul@YNxDJ_-k$AL_
zp+L%TcQM|LAmC5MqwQn|HU7t4gP+_6!9$`aQF=$=@4O7Ho~x;y9sF@!pofQ)|D#7k
z^hi?crWojV3wCo7TO!?UlSkynzNMhwMOUH}I641K@z8onCDIu;q2J#p&upTl{^hE7
z6vjs;zFgZ&!4#ImAY_6#86v|wdGn}RbkK3f+Muz=Qjza0B&9w$YxlIB5W!z^8A(BU
z578==HS|8JsSwvZ3fnDq)S!Z4b;$6vc(Gsk4fvRBg&RHH^!{Y^3$RC<4jGdg5B_aV
znqdwQL1{DTSm=q6BRB8<w@!Cd<?Vc4^RYrYB+<1bHkbY{ahM#kYjl|ug{g5_XOqF7
z7WV+-<inTzaYT*-70dm4WJ9e}-ldaWBN>s|a8{WCDRSQ?akPf2tE&_ei45?m$FB2D
z-T5J>!p&5EdwZA;4USTW6wxDZpS%|lYEKvJ$y!o1h3B~NK!Q7`iGqSoNL~4!K1p_P
z^PfJ)I>EQ%S!Ma_(5Yn56pG{D9!%2ODSmwil8%PZ`bnLVh(x|t*?)Z;A3T!Ou-s!a
zFr2cu<FM&MhtxTFjC1O@h6=M_Mt!1H>yNb*4kB-v7%H^O@}a;dlq5v-$}hc*d>t$p
zgnr{~BUIr}o12}>vf@WtqbHG&p8TPO6{KV-^7}c$NgR6VO#gRTzZ46xQS>s*z}Tee
zRFTx^f8E*9+8(X#iV)05#QrUJd#I7Lp%=fKm`%NLL6eA4K6TkWIr_i$UF)`L4P`{h
zIv?_)@LyGuf2ZocxnHUu_O6c!Pvp1}2}7rzvH}MDy9ybj&g3+my?v7e-^x#YHYc^Q
z*VQZPi92?2W|0WWvnN2k$a?GMJCy^vS{oCq{0dO@r{dC4-b73DTF^F(C*!#&I<7X)
z(^4o{*rdtOS%9-{?%4uBdt=q?_F-AIku*(6UAv&-K3hg=a+Z3sE5J>p^PKTm^@_^~
z`wF3o>r4BX-RQF(Rq;?hr3J#mPfxE)5AIC$L{08=0cFr}Sq5vZ;6tf8^zD*9`V7xz
z-x6<=Ye8Lj3p<$YC*HE-MfH&s=JtW=<M5{5dlHUIqxDd2>!AnzSZq&J(irUEnuBIF
zS0!jaEAfw45q7Nki}}Z}-f*zm2M_AU@7GtyjfPF+wiDSTl(m7yyxh?;PEw;F0nXv^
zQno>-Iebt;?VGAyC?&H8&tt-*qps}uBfR^E?ds{YDh}nAm0KS3?lvM-sE_CwuSC+%
zL2Hs~;D6Uxmq-iZXTHx~=2XBr;Z{o)H=>cY&uB?a(!}8CeHierJ&a>e6?#!0m-b?C
zJv*=Z<wOBMd)Azw)oD$L(R{c>3`%Ud-JV*hTTgZ?c^lkf_#1(RX<%XJlf9teUX8^(
zL4J@&!a&$Wf(yn`SE$qxYpQX}g7r=}PPXXGS3zdgm7V+;U><i={M2;W@|9o(3RS#2
z!YT^5ZGDh~wvI~B|KfEZ5IPUv#T|f(lK(_rJOG%&!^?C%%z?v(gzwwM0TFY>%iVzZ
zGs@YD(C%<~2M->ZXjz+#<jQ05*73&oF<MK<Hl;DOy}9KYp?x1({V}jSx`VOery>r=
zUz>LKJ!;#?;|`f*CyZe9&u5k8neFBo?fXd_J(bT;)`*OpEw(bBD;!9|)5(6Liwqya
zofii4j#pL6v;kOHq?nF6M)QMYfVeM{Ktj==ZA$Ks5O~@5!ABYThNDf=z?O)mPNM{z
zua)dNE~S&9tgx0wj7iwMW)rlut7SeJlJ6-0gMGN)QB3F`1RNN9mAZ27xmA?HHV*qZ
zl*^X?k_!6!s(gmNO7R!`hFuEJh<LW}gm!>~+-SFdsR-T{8|ty==>hQ`ch7vdoUK*~
zQfl>ePOmFtXEsM<nB+}KCS~&~i(Rwnv08cJ=K?2a<g^7t$neHUNW@L52G>mAzC>#N
zDPW7tjDdnouaCtn2@67rnn6Dg?Bt471}V^Fwdngpb>D&cnH<n@uei1Ya8;qGD$f-F
z*!TUDP*-R8z`(xeQ=W{B*uZCR-+NXy@mLR>$xKI$)h{!`F!~xD;z8&22zqtNoq=b7
z66~|J*Ve3r6!q0xBDE|WF&a}oJHF;TvWoHDE^}&6eIf>SxoWrEcA#F2`I+-~&lXI&
zz-_~<9F>F)x^lgo0d}c5IiZ<to&sG0*%8J!Wfr?b6Q^5S#y1A9D;(O}+wcmrj8!k5
zA8`WNJoX?y%}KNA9q>t)3~}MOp6Tt(&!@(<ritwW8#g@$h(po1+!F7LB*5AHPZm_H
zpwPK99EIG`QA68|4jN*@mn6=gx&6-96NqiRR6piIsN~t-ssnxaxRCew==n$rIOlb@
z9i$@jHt)Vg4}51*Ny9K6ae;a+u9vqYB}Li3QQF%?3h_-xXj6ApM*nJ4q@J29F3S91
zSI_PX{GNSaraLg9;O;tvNMtiItsh@l-+0ePMNFvYZNjp-GY}FWi6gLS<H3iMNKCBh
ze&oG$*{XILIBc7Ka;JZ%um8OlUAa$Fqlv5r|CDa;w2&WHtc#(r^|A!^SxrCb%tvM9
z#slY5hZoSZ+y|W^qRv}4S!_u~rWcK5Nb#}+?NU-cH2<!IGPmaFRg{wQM{`N=Wn=Ks
zL@j}vg>tsY_4De+bwp2%OV-YQ14G2<V18I@`w&k_M=_N&dKtMxC7z&Ay~HlEF_$T(
zP#H7(?Of)KB%Xw;f=Ic!8UV)qoBWD6i~DEHy`8-x`M7gjXIA4CJ-|0z3ga^x2{#?w
zVu=Km_a&5@$5Tp(Il@{Ix<!_9Kb~t7_4YUH<XXbR03I_Q6>B?~vlG+{`gvLOJOoRw
z(kRb;C8sKH4)l<oM|#ZKx+DD9!~x@jVe4l9CIBayPcd$>f+K;5?&6uP^sfUNCj&f*
zZSO3oFR||4)B4g|lnabP*IT)Tb0Z8G8akyPw-*~4Foj;cYbH5-70f`t9Rs}N*9!Ug
z$z=4R0^(9zO2%SqkchL~+#H9jac`aBPKl2Rj}?<EHgEcs1?6q3J&tr;=vS+`IK-=6
z$t#7{dhY;(_fPbjBIjECGwbBE!?94ays3dY38?Es9EJdJc=Lqk;Ifo?&%55J2pdZZ
zWdTf)D>YHk6GnxqEwy^#j<EJ*LHPYv7;M@%<VPE3ueX>0HO#VF%L)3y2H?-vvR;|Z
z*_+kt0KMz+Z@Z84{gh0lcosWLw)Q9$T^2iaTW8WKCl-UUK%Dn}5Cp&BoW8YI3a|Q{
z`XoIzGr$CTuw<+zY-tZ`r>*6QZt{ok;6aPAOI+7si<~deF$44s+mZa&T}5V|fU?{j
z0>}3Mau|TV65j2fNb>b=l(YG{?jwaa*4~Jjc-LRsY5i80rfp^d9c#vOm9^4POlon$
zbo&63!=13K_lg-?X=)VrWqR%NR-MGyU8_TL-~piFj-5cz9C%PufyEVX{+9?OpfqVr
zb)#VC5Xz|)i<7@jX(&+V6#6O7D#H<D>_hMyR-M@@5)I9xnw}^M$`p>hlk+A;AzA-5
zqr;pRZc4A)3t6h!18HR`usJT!cs3vP!4>tIIJ4;2g`iqkSdb5=>zb#@DXGN2H-@>_
z#*7-`mbQE63LFc5&P&2mG*qBp>Q-(z71s2&4d}W$zBboV<8c_*z0nK6idzi0hp?@)
zu6Tl)J1Z2T1fjYKp4J?#B5}pma|*8%Fp!jh8UFNV^C}~TGR(V?MWR4U`3&pfw>m9j
zV`rlFKy8`Lsnc;(0Q0<9>jS%6u}xi;M67y89f+}P+mr?L0#5xIxa@9;d@ENR;&21>
z?dtt+PecI`ZLEb%QDAEj|A)1Yr8sQy#+DeIBF>b7FN{xeT4S-sq=EyFEITR<408?w
z_Y%o__eZxhqfSeLCvI9&Kt(j4b{QS=3NTJhPjWrhab~-G_gbfM16!BP+gwR6lG+HX
z6Ol@%u%(;`GGxj7-I?`*MMJ?mI>t!<5uAy~d}>5m(~A@Dv+|$I>|@xuvF~}N%jQ~J
zqDN_)*+Nr&ZE3AFrTj`e9Yxm}cm5=eOd!giiF)&bulu4KF7$EB6umI#M092gDR?uL
z0NFYtav;`i?VnShDPLl&E-U`)v1DZGWfD;|aX4{a=_@Nf4y$p_f{riTLJzvGob0Hh
z)e34@@S>QIS-kaHFBnXFvZAY3mqo-i9j-fWXylS_T1X9MCrqf3qqmOlHiU>j{~R3H
zJZ}h=Q5X%PCxh8h`N2RR=xH!gxph;;ui4A>&k1Wfa{!mEDWq5DJkJvEkOp(%gyV0g
z*!S#dNZ3)h)H(A*bi*uyXB(j@OlRX4uv)J3ki`hYf1f<<T8;h`PZ(*@aO;o@$Z>dR
z#u`B}#=IZ7;l70|hCCeZqW|#^WC6|ckjD8ZZ%QX%C4}s~4;<T{?1LC~e(jv$vI3vd
zsn4x^{_)+du6J$FG^Xwct+PHo834v9|0|o>9C(kQ+7{_lDvGGdH4rvZw}a1X+VpF^
z?r@Utn69V#6+p0~L8Q4DA+*2(Rs~(Sd6xl^uf1=%<$R!tzn?>P8d<7Jr^30ZLOamD
zNQ=CJP{{s45}vRnVTmMbV(QDAR#xf~x(pQzCL3M$BgMVepH7;)-p?qAm->T;$^}a1
G{{I6%RwGXU

literal 0
HcmV?d00001

diff --git a/doc/api/graphql/index.md b/doc/api/graphql/index.md
index d653c4e0f47..c513dea239a 100644
--- a/doc/api/graphql/index.md
+++ b/doc/api/graphql/index.md
@@ -14,7 +14,15 @@ For those new to the GitLab GraphQL API, see
 - Get an [introduction to GraphQL from graphql.org](https://graphql.org/).
 - GitLab supports a wide range of resources, listed in the [GraphQL API Reference](reference/index.md).
 
-#### GraphiQL
+### Examples
+
+To work with sample queries that pull data from public projects on GitLab.com,
+see the menu options in the left-hand
+documentation menu, under API > GraphQL at `https://docs.gitlab.com/ee/api/graphql/`.
+
+The [Getting started](getting_started.md) page includes different methods to customize GraphQL queries.
+
+### GraphiQL
 
 Explore the GraphQL API using the interactive [GraphiQL explorer](https://gitlab.com/-/graphql-explorer),
 or on your self-managed GitLab instance on
diff --git a/doc/api/graphql/sample_issue_boards.md b/doc/api/graphql/sample_issue_boards.md
new file mode 100644
index 00000000000..4ac9317b01a
--- /dev/null
+++ b/doc/api/graphql/sample_issue_boards.md
@@ -0,0 +1,44 @@
+# Identify issue boards with GraphQL
+
+This page describes how you can use the GraphiQL explorer to identify
+existing issue boards in the `gitlab-docs` documentation repository.
+
+## Set up the GraphiQL explorer
+
+This procedure presents a substantive example that you can copy and paste into your own
+instance of the [GraphiQL explorer](https://gitlab.com/-/graphql-explorer):
+
+1. Copy the following code excerpt:
+
+   ```graphql
+   query {
+     project(fullPath: "gitlab-org/gitlab-docs") {
+       name
+       forksCount
+       statistics {
+         wikiSize
+       }
+       issuesEnabled
+       boards {
+         nodes {
+           id
+           name
+         }
+       }
+     }
+   }
+   ```
+
+1. Open the [GraphiQL Explorer](https://gitlab.com/-/graphql-explorer) page.
+1. Paste the `query` listed above into the left window of your GraphiQL explorer tool.
+1. Click Play to get the result shown here:
+
+![GraphiQL explorer search for boards](img/sample_issue_boards_v13_2.png)
+
+If you want to view one of these boards, take one of the numeric identifiers shown in the output. From the screenshot, the first identifier is `105011`. Navigate to the following URL, which includes the identifier:
+
+```markdown
+https://gitlab.com/gitlab-org/gitlab-docs/-/boards/105011
+```
+
+For more information on each attribute, see the [GraphQL API Resources](reference/index.md).
diff --git a/doc/ci/yaml/README.md b/doc/ci/yaml/README.md
index dbe662c3ab2..7ab34b871b0 100644
--- a/doc/ci/yaml/README.md
+++ b/doc/ci/yaml/README.md
@@ -3479,10 +3479,6 @@ job split into three separate jobs.
 #### Parallel `matrix` jobs
 
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/15356) in GitLab 13.3.
-> - It's deployed behind a feature flag, disabled by default.
-> - It's enabled on GitLab.com.
-> - It can't be enabled or disabled per-project.
-> - It's recommended for production use.
 
 `matrix:` allows you to configure different variables for jobs that are running in parallel.
 There can be from 2 to 50 jobs.
diff --git a/doc/development/documentation/structure.md b/doc/development/documentation/structure.md
index 15a8728bef8..44df003494e 100644
--- a/doc/development/documentation/structure.md
+++ b/doc/development/documentation/structure.md
@@ -104,13 +104,11 @@ Link each one to an appropriate place for more information.
 
 ## Instructions
 
-"Instructions" is usually not the name of the heading.
-
-This is the part of the document where you can include one or more sets of instructions,
-each to accomplish a specific task.
+This is the part of the document where you can include one or more sets of instructions.
+Each topic should help users accomplish a specific task.
 
 Headers should describe the task the reader will achieve by following the instructions within,
-typically starting with a verb.
+typically starting with a verb. For example, `Create a package` or `Configure a pipeline`.
 
 Larger instruction sets may have subsections covering specific phases of the process.
 Where appropriate, provide examples of code or configuration files to better clarify
@@ -127,6 +125,32 @@ intended usage.
   single heading like `## Configure X` for instructions when the feature
   is simple and the document is short.
 
+Example topic:
+
+## Create a teddy bear
+
+Start by writing a sentence or two about _why_ someone would want to perform this task.
+It's not always possible, but is a good practice. For example:
+
+Create a teddy bear when you need something to hug.
+
+Follow this information with the task steps.
+
+To create a teddy bear:
+
+1. Go to **Settings > CI/CD**.
+1. Expand **This** and click **This**.
+1. Do another step.
+
+After the numbered list, add a sentence with the expected result, if it
+is not obvious, and any next steps. For example:
+
+The teddy bear is now in the kitchen, in the cupboard above the sink.
+
+You can retrieve the teddy bear and put it on the couch with the other animals.
+
+Screenshots are not necessary. They are difficult to keep up-to-date and can clutter the page.
+
 <!-- ## Troubleshooting
 
 Include any troubleshooting steps that you can foresee. If you know beforehand what issues
diff --git a/doc/development/documentation/styleguide.md b/doc/development/documentation/styleguide.md
index 8b174ff1cbf..6a44f56c819 100644
--- a/doc/development/documentation/styleguide.md
+++ b/doc/development/documentation/styleguide.md
@@ -13,6 +13,8 @@ For programmatic help adhering to the guidelines, see [Testing](index.md#testing
 See the GitLab handbook for further [writing style guidelines](https://about.gitlab.com/handbook/communication/#writing-style-guidelines)
 that apply to all GitLab content, not just documentation.
 
+View [a list of recent style guide updates](https://gitlab.com/dashboard/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&label_name[]=tw-style&not[label_name][]=docs%3A%3Afix).
+
 ## Documentation is the single source of truth (SSOT)
 
 ### Why a single source of truth
@@ -1522,43 +1524,43 @@ GitLab Community Edition), don't split the product or feature name across lines.
 
 ### Product badges
 
-When a feature is available in EE-only tiers, add the corresponding tier according to the
-feature availability:
+When a feature is available in paid tiers, add the corresponding tier to the
+header or other page element according to the feature's availability:
 
-- For GitLab Core and GitLab.com Free: `**(CORE)**`.
-- For GitLab Starter and GitLab.com Bronze: `**(STARTER)**`.
-- For GitLab Premium and GitLab.com Silver: `**(PREMIUM)**`.
-- For GitLab Ultimate and GitLab.com Gold: `**(ULTIMATE)**`.
+| Tier in which feature is available                                     | Tier markup           |
+|:-----------------------------------------------------------------------|:----------------------|
+| GitLab Core and GitLab.com Free, and their higher tiers                | `**(CORE)**`          |
+| GitLab Starter and GitLab.com Bronze, and their higher tiers           | `**(STARTER)**`       |
+| GitLab Premium and GitLab.com Silver, and their higher tiers           | `**(PREMIUM)**`       |
+| GitLab Ultimate and GitLab.com Gold                                    | `**(ULTIMATE)**`      |
+| *Only* GitLab Core and higher tiers (no GitLab.com-based tiers)        | `**(CORE ONLY)**`     |
+| *Only* GitLab Starter and higher tiers (no GitLab.com-based tiers)     | `**(STARTER ONLY)**`  |
+| *Only* GitLab Premium and higher tiers (no GitLab.com-based tiers)     | `**(PREMIUM ONLY)**`  |
+| *Only* GitLab Ultimate (no GitLab.com-based tiers)                     | `**(ULTIMATE ONLY)**` |
+| *Only* GitLab.com Free and higher tiers (no self-managed instances)    | `**(FREE ONLY)**`     |
+| *Only* GitLab.com Bronze and higher tiers (no self-managed instances)  | `**(BRONZE ONLY)**`   |
+| *Only* GitLab.com Silver and higher tiers (no self-managed instances)  | `**(SILVER ONLY)**`   |
+| *Only* GitLab.com Gold (no self-managed instances)                     | `**(GOLD ONLY)**`     |
 
-To exclude GitLab.com tiers (when the feature is not available in GitLab.com), add the
-keyword "only":
+For clarity, all page title headers (H1s) must be have a tier markup for
+the lowest tier that has information on the documentation page.
 
-- For GitLab Core: `**(CORE ONLY)**`.
-- For GitLab Starter: `**(STARTER ONLY)**`.
-- For GitLab Premium: `**(PREMIUM ONLY)**`.
-- For GitLab Ultimate: `**(ULTIMATE ONLY)**`.
+If sections of a page apply to higher tier levels, they can be separately
+labeled with their own tier markup.
 
-For GitLab.com only tiers (when the feature is not available for self-managed instances):
+#### Product badge display behavior
 
-- For GitLab Free and higher tiers: `**(FREE ONLY)**`.
-- For GitLab Bronze and higher tiers: `**(BRONZE ONLY)**`.
-- For GitLab Silver and higher tiers: `**(SILVER ONLY)**`.
-- For GitLab Gold: `**(GOLD ONLY)**`.
+When using the tier markup with headers, the documentation page will
+display the full tier badge with the header line.
 
-The tier should be ideally added to headers, so that the full badge will be displayed.
-However, it can be also mentioned from paragraphs, list items, and table cells. For these cases,
-the tier mention will be represented by an orange info icon **(information)** that will show the tiers on hover.
+You can also use the tier markup with paragraphs, list items,
+and table cells. For these cases, the tier mention will be represented by an
+orange info icon **{information}** that will display the tiers when visitors
+point to the icon. For example:
 
-Use the lowest tier at the page level, even if higher-level tiers exist on the page. For example, you might have a page that is marked as Starter but a section badged as Premium.
-
-For example:
-
-- `**(STARTER)**` renders as **(STARTER)**
-- `**(STARTER ONLY)**` renders as **(STARTER ONLY)**
-- `**(SILVER ONLY)**` renders as **(SILVER ONLY)**
-
-The absence of tiers' mentions mean that the feature is available in GitLab Core,
-GitLab.com Free, and all higher tiers.
+- `**(STARTER)**` displays as **(STARTER)**
+- `**(STARTER ONLY)**` displays as **(STARTER ONLY)**
+- `**(SILVER ONLY)**` displays as **(SILVER ONLY)**
 
 #### How it works
 
diff --git a/doc/push_rules/push_rules.md b/doc/push_rules/push_rules.md
index 12c5bb3ba1b..43e892d4713 100644
--- a/doc/push_rules/push_rules.md
+++ b/doc/push_rules/push_rules.md
@@ -59,6 +59,13 @@ If you have other target branches, include them in your regex. (See [Enabling pu
 The default branch also defaults to being a [protected branch](../user/project/protected_branches.md),
 which already limits users from pushing directly.
 
+#### Default restricted branch names
+
+> Introduced in GitLab 12.10.
+
+By default, GitLab restricts certain formats of branch names for security purposes.
+Currently 40-character hexadecimal names, similar to Git commit hashes, are prohibited.
+
 ### Custom Push Rules **(CORE ONLY)**
 
 It's possible to create custom push rules rather than the push rules available in
diff --git a/doc/security/project_import_decompressed_archive_size_limits.md b/doc/security/project_import_decompressed_archive_size_limits.md
new file mode 100644
index 00000000000..dd67db23d6b
--- /dev/null
+++ b/doc/security/project_import_decompressed_archive_size_limits.md
@@ -0,0 +1,28 @@
+---
+type: reference, howto
+---
+
+# Project Import Decompressed Archive Size Limits
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/31564) in GitLab 13.2.
+
+When using [Project Import](../user/project/settings/import_export.md), the size of the decompressed project archive is limited to 10Gb.
+
+If decompressed size exceeds this limit, `Decompressed archive size validation failed` error is returned.
+
+## Enable/disable size validation
+
+Decompressed size validation is enabled by default.
+If you have a project with decompressed size exceeding this limit,
+it is possible to disable the validation by turning off the
+`validate_import_decompressed_archive_size` feature flag.
+
+Start a [Rails console](../administration/troubleshooting/debug.md#starting-a-rails-console-session).
+
+```ruby
+# Disable
+Feature.disable(:validate_import_decompressed_archive_size)
+
+# Enable
+Feature.enable(:validate_import_decompressed_archive_size)
+```
diff --git a/doc/user/project/integrations/jira.md b/doc/user/project/integrations/jira.md
index 86a24713256..3a950a9f1c6 100644
--- a/doc/user/project/integrations/jira.md
+++ b/doc/user/project/integrations/jira.md
@@ -87,7 +87,9 @@ Enter the further details on the page as described in the following table.
 | `Password/API token` |Created in [configuring Jira](#configuring-jira) step. Use `password` for **Jira Server** or `API token` for **Jira Cloud**. |
 | `Transition ID` | Required for closing Jira issues via commits or merge requests. This is the ID of a transition in Jira that moves issues to a desired state. (See [Obtaining a transition ID](#obtaining-a-transition-id).) If you insert multiple transition IDs separated by `,` or `;`, the issue is moved to each state, one after another, using the given order. |
 
-To enable users to view Jira issues inside GitLab, select **Enable Jira issues** and enter a project key. **(PREMIUM)**
+To enable users to view Jira issues inside the GitLab project, select **Enable Jira issues** and enter a Jira project key. **(PREMIUM)**
+
+You can only display issues from a single Jira project within a given GitLab project.
 
 CAUTION: **Caution:**
 If you enable Jira issues with the setting above, all users that have access to this GitLab project will be able to view all issues from the specified Jira project.
diff --git a/lib/banzai/filter/label_reference_filter.rb b/lib/banzai/filter/label_reference_filter.rb
index b7801de6ed9..a4d3e352051 100644
--- a/lib/banzai/filter/label_reference_filter.rb
+++ b/lib/banzai/filter/label_reference_filter.rb
@@ -125,3 +125,5 @@ module Banzai
     end
   end
 end
+
+Banzai::Filter::LabelReferenceFilter.prepend_if_ee('EE::Banzai::Filter::LabelReferenceFilter')
diff --git a/lib/banzai/filter/reference_filter.rb b/lib/banzai/filter/reference_filter.rb
index 9afcfee2fe8..1959336ea1b 100644
--- a/lib/banzai/filter/reference_filter.rb
+++ b/lib/banzai/filter/reference_filter.rb
@@ -53,7 +53,6 @@ module Banzai
         attributes[:reference_type] ||= self.class.reference_type
         attributes[:container] ||= 'body'
         attributes[:placement] ||= 'top'
-        attributes[:html] ||= 'true'
         attributes.delete(:original) if context[:no_original_data]
         attributes.map do |key, value|
           %Q(data-#{key.to_s.dasherize}="#{escape_once(value)}")
diff --git a/lib/gitlab/base_doorkeeper_controller.rb b/lib/gitlab/base_doorkeeper_controller.rb
index b78993aba30..0f370850b5b 100644
--- a/lib/gitlab/base_doorkeeper_controller.rb
+++ b/lib/gitlab/base_doorkeeper_controller.rb
@@ -5,6 +5,8 @@
 module Gitlab
   class BaseDoorkeeperController < ActionController::Base
     include Gitlab::Allowable
+    include EnforcesTwoFactorAuthentication
+
     helper_method :can?
   end
 end
diff --git a/lib/gitlab/checks/branch_check.rb b/lib/gitlab/checks/branch_check.rb
index 7be0ef05a49..ad2a718ef67 100644
--- a/lib/gitlab/checks/branch_check.rb
+++ b/lib/gitlab/checks/branch_check.rb
@@ -12,7 +12,8 @@ module Gitlab
         push_protected_branch: 'You are not allowed to push code to protected branches on this project.',
         create_protected_branch: 'You are not allowed to create protected branches on this project.',
         invalid_commit_create_protected_branch: 'You can only use an existing protected branch ref as the basis of a new protected branch.',
-        non_web_create_protected_branch: 'You can only create protected branches using the web interface and API.'
+        non_web_create_protected_branch: 'You can only create protected branches using the web interface and API.',
+        prohibited_hex_branch_name: 'You cannot create a branch with a 40-character hexadecimal branch name.'
       }.freeze
 
       LOG_MESSAGES = {
@@ -32,11 +33,20 @@ module Gitlab
           end
         end
 
+        prohibited_branch_checks
         protected_branch_checks
       end
 
       private
 
+      def prohibited_branch_checks
+        return unless Feature.enabled?(:prohibit_hexadecimal_branch_names, project, default_enabled: true)
+
+        if branch_name =~ /\A\h{40}\z/
+          raise GitAccess::ForbiddenError, ERROR_MESSAGES[:prohibited_hex_branch_name]
+        end
+      end
+
       def protected_branch_checks
         logger.log_timed(LOG_MESSAGES[:protected_branch_checks]) do
           return unless ProtectedBranch.protected?(project, branch_name) # rubocop:disable Cop/AvoidReturnFromBlocks
diff --git a/lib/gitlab/ci/config/entry/product/parallel.rb b/lib/gitlab/ci/config/entry/product/parallel.rb
index da7079a8328..cd9eabbbc66 100644
--- a/lib/gitlab/ci/config/entry/product/parallel.rb
+++ b/lib/gitlab/ci/config/entry/product/parallel.rb
@@ -10,7 +10,7 @@ module Gitlab
         module Product
           class Parallel < ::Gitlab::Config::Entry::Simplifiable
             strategy :ParallelBuilds, if: -> (config) { config.is_a?(Numeric) }
-            strategy :MatrixBuilds, if: -> (config) { ::Gitlab::Ci::Features.parallel_matrix_enabled? && config.is_a?(Hash) }
+            strategy :MatrixBuilds, if: -> (config) { config.is_a?(Hash) }
 
             PARALLEL_LIMIT = 50
 
diff --git a/lib/gitlab/ci/config/normalizer/factory.rb b/lib/gitlab/ci/config/normalizer/factory.rb
index 972da4bbf9a..bf813f8e878 100644
--- a/lib/gitlab/ci/config/normalizer/factory.rb
+++ b/lib/gitlab/ci/config/normalizer/factory.rb
@@ -29,11 +29,7 @@ module Gitlab
           end
 
           def strategies
-            if ::Gitlab::Ci::Features.parallel_matrix_enabled?
-              [NumberStrategy, MatrixStrategy]
-            else
-              [NumberStrategy]
-            end
+            [NumberStrategy, MatrixStrategy]
           end
         end
       end
diff --git a/lib/gitlab/ci/features.rb b/lib/gitlab/ci/features.rb
index 67ff0beea82..0ce40d873db 100644
--- a/lib/gitlab/ci/features.rb
+++ b/lib/gitlab/ci/features.rb
@@ -62,10 +62,6 @@ module Gitlab
         ::Feature.enabled?(:destroy_only_unlocked_expired_artifacts, default_enabled: false)
       end
 
-      def self.parallel_matrix_enabled?
-        ::Feature.enabled?(:ci_parallel_matrix_enabled)
-      end
-
       def self.bulk_insert_on_create?(project)
         ::Feature.enabled?(:ci_bulk_insert_on_create, project, default_enabled: true)
       end
diff --git a/lib/gitlab/import_export/decompressed_archive_size_validator.rb b/lib/gitlab/import_export/decompressed_archive_size_validator.rb
new file mode 100644
index 00000000000..219821a7150
--- /dev/null
+++ b/lib/gitlab/import_export/decompressed_archive_size_validator.rb
@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+require 'zlib'
+
+module Gitlab
+  module ImportExport
+    class DecompressedArchiveSizeValidator
+      include Gitlab::Utils::StrongMemoize
+
+      DEFAULT_MAX_BYTES = 10.gigabytes.freeze
+      CHUNK_SIZE = 4096.freeze
+
+      attr_reader :error
+
+      def initialize(archive_path:, max_bytes: self.class.max_bytes)
+        @archive_path = archive_path
+        @max_bytes = max_bytes
+        @bytes_read = 0
+        @total_reads = 0
+        @denominator = 5
+        @error = nil
+      end
+
+      def valid?
+        strong_memoize(:valid) do
+          validate
+        end
+      end
+
+      def self.max_bytes
+        DEFAULT_MAX_BYTES
+      end
+
+      def archive_file
+        @archive_file ||= File.open(@archive_path)
+      end
+
+      private
+
+      def validate
+        until archive_file.eof?
+          compressed_chunk = archive_file.read(CHUNK_SIZE)
+
+          inflate_stream.inflate(compressed_chunk) do |chunk|
+            @bytes_read += chunk.size
+            @total_reads += 1
+          end
+
+          # Start garbage collection every 5 reads in order
+          # to prevent memory bloat during archive decompression
+          GC.start if gc_start?
+
+          if @bytes_read > @max_bytes
+            @error = error_message
+
+            return false
+          end
+        end
+
+        true
+      rescue => e
+        @error = error_message
+
+        Gitlab::ErrorTracking.track_exception(e)
+
+        Gitlab::Import::Logger.info(
+          message: @error,
+          error: e.message
+        )
+
+        false
+      ensure
+        inflate_stream.close
+        archive_file.close
+      end
+
+      def inflate_stream
+        @inflate_stream ||= Zlib::Inflate.new(Zlib::MAX_WBITS + 32)
+      end
+
+      def gc_start?
+        @total_reads % @denominator == 0
+      end
+
+      def error_message
+        _('Decompressed archive size validation failed.')
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/import_export/file_importer.rb b/lib/gitlab/import_export/file_importer.rb
index 9d04d55770d..3cb1eb72ceb 100644
--- a/lib/gitlab/import_export/file_importer.rb
+++ b/lib/gitlab/import_export/file_importer.rb
@@ -28,6 +28,7 @@ module Gitlab
         copy_archive
 
         wait_for_archived_file do
+          validate_decompressed_archive_size if Feature.enabled?(:validate_import_decompressed_archive_size, default_enabled: true)
           decompress_archive
         end
       rescue => e
@@ -82,6 +83,14 @@ module Gitlab
       def extracted_files
         Dir.glob("#{@shared.export_path}/**/*", File::FNM_DOTMATCH).reject { |f| IGNORED_FILENAMES.include?(File.basename(f)) }
       end
+
+      def validate_decompressed_archive_size
+        raise ImporterError.new(size_validator.error) unless size_validator.valid?
+      end
+
+      def size_validator
+        @size_validator ||= DecompressedArchiveSizeValidator.new(archive_path: @archive_file)
+      end
     end
   end
 end
diff --git a/lib/gitlab/kubernetes/kube_client.rb b/lib/gitlab/kubernetes/kube_client.rb
index 467bb1be62b..9e3cf58bb1e 100644
--- a/lib/gitlab/kubernetes/kube_client.rb
+++ b/lib/gitlab/kubernetes/kube_client.rb
@@ -116,15 +116,15 @@ module Gitlab
       def self.graceful_request(cluster_id)
         { status: :connected, response: yield }
       rescue *Gitlab::Kubernetes::Errors::CONNECTION
-        { status: :unreachable }
+        { status: :unreachable, connection_error: :connection_error }
       rescue *Gitlab::Kubernetes::Errors::AUTHENTICATION
-        { status: :authentication_failure }
+        { status: :authentication_failure, connection_error: :authentication_error }
       rescue Kubeclient::HttpError => e
-        { status: kubeclient_error_status(e.message) }
+        { status: kubeclient_error_status(e.message), connection_error: :http_error }
       rescue => e
         Gitlab::ErrorTracking.track_exception(e, cluster_id: cluster_id)
 
-        { status: :unknown_failure }
+        { status: :unknown_failure, connection_error: :unknown_error }
       end
 
       # KubeClient uses the same error class
diff --git a/lib/gitlab/kubernetes/node.rb b/lib/gitlab/kubernetes/node.rb
index bd765ef3852..d516bdde6f6 100644
--- a/lib/gitlab/kubernetes/node.rb
+++ b/lib/gitlab/kubernetes/node.rb
@@ -8,22 +8,29 @@ module Gitlab
       end
 
       def all
-        nodes.map do |node|
-          attributes = node(node)
-          attributes.merge(node_metrics(node))
-        end
+        {
+          nodes: metadata.presence,
+          node_connection_error: nodes_from_cluster[:connection_error],
+          metrics_connection_error: nodes_metrics_from_cluster[:connection_error]
+        }.compact
       end
 
       private
 
       attr_reader :cluster
 
+      def metadata
+        nodes.map do |node|
+          base_data(node).merge(node_metrics(node))
+        end
+      end
+
       def nodes_from_cluster
-        graceful_request { cluster.kubeclient.get_nodes }
+        @nodes_from_cluster ||= graceful_request { cluster.kubeclient.get_nodes }
       end
 
       def nodes_metrics_from_cluster
-        graceful_request { cluster.kubeclient.metrics_client.get_nodes }
+        @nodes_metrics_from_cluster ||= graceful_request { cluster.kubeclient.metrics_client.get_nodes }
       end
 
       def nodes
@@ -44,7 +51,7 @@ module Gitlab
         ::Gitlab::Kubernetes::KubeClient.graceful_request(cluster.id, &block)
       end
 
-      def node(node)
+      def base_data(node)
         {
           'metadata' => {
             'name' => node.metadata.name
diff --git a/lib/gitlab/markdown_cache.rb b/lib/gitlab/markdown_cache.rb
index 21797bf988d..ac3492dbe33 100644
--- a/lib/gitlab/markdown_cache.rb
+++ b/lib/gitlab/markdown_cache.rb
@@ -3,7 +3,7 @@
 module Gitlab
   module MarkdownCache
     # Increment this number every time the renderer changes its output
-    CACHE_COMMONMARK_VERSION        = 23
+    CACHE_COMMONMARK_VERSION        = 24
     CACHE_COMMONMARK_VERSION_START  = 10
 
     BaseError = Class.new(StandardError)
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 40da523132b..1cc4c1972db 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -3482,6 +3482,9 @@ msgstr ""
 msgid "Author: %{author_name}"
 msgstr ""
 
+msgid "Authored %{timeago}"
+msgstr ""
+
 msgid "Authored %{timeago} by %{author}"
 msgstr ""
 
@@ -7650,6 +7653,9 @@ msgstr ""
 msgid "Decline and sign out"
 msgstr ""
 
+msgid "Decompressed archive size validation failed."
+msgstr ""
+
 msgid "Default Branch"
 msgstr ""
 
@@ -13629,6 +13635,12 @@ msgstr ""
 msgid "Job|This job is stuck because the project doesn't have any runners online assigned to it."
 msgstr ""
 
+msgid "Job|This job is stuck because you don't have any active runners online or available with any of these tags assigned to them:"
+msgstr ""
+
+msgid "Job|This job is stuck because you don't have any active runners that can run this job."
+msgstr ""
+
 msgid "Job|for"
 msgstr ""
 
@@ -24790,12 +24802,6 @@ msgstr ""
 msgid "This job is preparing to start"
 msgstr ""
 
-msgid "This job is stuck because you don't have any active runners online or available with any of these tags assigned to them:"
-msgstr ""
-
-msgid "This job is stuck because you don't have any active runners that can run this job."
-msgstr ""
-
 msgid "This job is waiting for resource: "
 msgstr ""
 
diff --git a/spec/controllers/oauth/applications_controller_spec.rb b/spec/controllers/oauth/applications_controller_spec.rb
index 38f46ee7b15..0a7975b8c1b 100644
--- a/spec/controllers/oauth/applications_controller_spec.rb
+++ b/spec/controllers/oauth/applications_controller_spec.rb
@@ -19,12 +19,29 @@ RSpec.describe Oauth::ApplicationsController do
       it { is_expected.to redirect_to(new_user_session_path) }
     end
 
+    shared_examples 'redirects to 2fa setup page when the user requires it' do
+      context 'when 2fa is set up on application level' do
+        before do
+          stub_application_setting(require_two_factor_authentication: true)
+        end
+
+        it { is_expected.to redirect_to(profile_two_factor_auth_path) }
+      end
+
+      context 'when 2fa is set up on group level' do
+        let(:user) { create(:user, require_two_factor_authentication_from_group: true) }
+
+        it { is_expected.to redirect_to(profile_two_factor_auth_path) }
+      end
+    end
+
     describe 'GET #new' do
       subject { get :new }
 
       it { is_expected.to have_gitlab_http_status(:ok) }
 
       it_behaves_like 'redirects to login page when the user is not signed in'
+      it_behaves_like 'redirects to 2fa setup page when the user requires it'
     end
 
     describe 'DELETE #destroy' do
@@ -33,6 +50,7 @@ RSpec.describe Oauth::ApplicationsController do
       it { is_expected.to redirect_to(oauth_applications_url) }
 
       it_behaves_like 'redirects to login page when the user is not signed in'
+      it_behaves_like 'redirects to 2fa setup page when the user requires it'
     end
 
     describe 'GET #edit' do
@@ -41,6 +59,7 @@ RSpec.describe Oauth::ApplicationsController do
       it { is_expected.to have_gitlab_http_status(:ok) }
 
       it_behaves_like 'redirects to login page when the user is not signed in'
+      it_behaves_like 'redirects to 2fa setup page when the user requires it'
     end
 
     describe 'PUT #update' do
@@ -49,6 +68,7 @@ RSpec.describe Oauth::ApplicationsController do
       it { is_expected.to redirect_to(oauth_application_url(application)) }
 
       it_behaves_like 'redirects to login page when the user is not signed in'
+      it_behaves_like 'redirects to 2fa setup page when the user requires it'
     end
 
     describe 'GET #show' do
@@ -57,6 +77,7 @@ RSpec.describe Oauth::ApplicationsController do
       it { is_expected.to have_gitlab_http_status(:ok) }
 
       it_behaves_like 'redirects to login page when the user is not signed in'
+      it_behaves_like 'redirects to 2fa setup page when the user requires it'
     end
 
     describe 'GET #index' do
@@ -73,6 +94,7 @@ RSpec.describe Oauth::ApplicationsController do
       end
 
       it_behaves_like 'redirects to login page when the user is not signed in'
+      it_behaves_like 'redirects to 2fa setup page when the user requires it'
     end
 
     describe 'POST #create' do
@@ -112,6 +134,7 @@ RSpec.describe Oauth::ApplicationsController do
       end
 
       it_behaves_like 'redirects to login page when the user is not signed in'
+      it_behaves_like 'redirects to 2fa setup page when the user requires it'
     end
   end
 
@@ -119,6 +142,10 @@ RSpec.describe Oauth::ApplicationsController do
     it 'current_user_mode available' do
       expect(subject.current_user_mode).not_to be_nil
     end
+
+    it 'includes Two-factor enforcement concern' do
+      expect(described_class.included_modules.include?(EnforcesTwoFactorAuthentication)).to eq(true)
+    end
   end
 
   describe 'locale' do
diff --git a/spec/controllers/oauth/authorizations_controller_spec.rb b/spec/controllers/oauth/authorizations_controller_spec.rb
index 89b74675d28..23d472f6853 100644
--- a/spec/controllers/oauth/authorizations_controller_spec.rb
+++ b/spec/controllers/oauth/authorizations_controller_spec.rb
@@ -3,6 +3,8 @@
 require 'spec_helper'
 
 RSpec.describe Oauth::AuthorizationsController do
+  let(:user) { create(:user, confirmed_at: confirmed_at) }
+  let(:confirmed_at) { 1.hour.ago }
   let!(:application) { create(:oauth_application, scopes: 'api read_user', redirect_uri: 'http://example.com') }
   let(:params) do
     {
@@ -17,9 +19,45 @@ RSpec.describe Oauth::AuthorizationsController do
     sign_in(user)
   end
 
-  describe 'GET #new' do
+  shared_examples 'OAuth Authorizations require confirmed user' do
     context 'when the user is confirmed' do
-      let(:user) { create(:user) }
+      context 'when there is already an access token for the application with a matching scope' do
+        before do
+          scopes = Doorkeeper::OAuth::Scopes.from_string('api')
+
+          allow(Doorkeeper.configuration).to receive(:scopes).and_return(scopes)
+
+          create(:oauth_access_token, application: application, resource_owner_id: user.id, scopes: scopes)
+        end
+
+        it 'authorizes the request and redirects' do
+          subject
+
+          expect(request.session['user_return_to']).to be_nil
+          expect(response).to have_gitlab_http_status(:found)
+        end
+      end
+    end
+
+    context 'when the user is unconfirmed' do
+      let(:confirmed_at) { nil }
+
+      it 'returns 200 and renders error view' do
+        subject
+
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(response).to render_template('doorkeeper/authorizations/error')
+      end
+    end
+  end
+
+  describe 'GET #new' do
+    subject { get :new, params: params }
+
+    include_examples 'OAuth Authorizations require confirmed user'
+
+    context 'when the user is confirmed' do
+      let(:confirmed_at) { 1.hour.ago }
 
       context 'without valid params' do
         it 'returns 200 code and renders error view' do
@@ -34,7 +72,7 @@ RSpec.describe Oauth::AuthorizationsController do
         render_views
 
         it 'returns 200 code and renders view' do
-          get :new, params: params
+          subject
 
           expect(response).to have_gitlab_http_status(:ok)
           expect(response).to render_template('doorkeeper/authorizations/new')
@@ -44,42 +82,28 @@ RSpec.describe Oauth::AuthorizationsController do
           application.update(trusted: true)
           request.session['user_return_to'] = 'http://example.com'
 
-          get :new, params: params
+          subject
 
           expect(request.session['user_return_to']).to be_nil
           expect(response).to have_gitlab_http_status(:found)
         end
-
-        context 'when there is already an access token for the application' do
-          context 'when the request scope matches any of the created token scopes' do
-            before do
-              scopes = Doorkeeper::OAuth::Scopes.from_string('api')
-
-              allow(Doorkeeper.configuration).to receive(:scopes).and_return(scopes)
-
-              create :oauth_access_token, application: application, resource_owner_id: user.id, scopes: scopes
-            end
-
-            it 'authorizes the request and redirects' do
-              get :new, params: params
-
-              expect(request.session['user_return_to']).to be_nil
-              expect(response).to have_gitlab_http_status(:found)
-            end
-          end
-        end
-      end
-    end
-
-    context 'when the user is unconfirmed' do
-      let(:user) { create(:user, confirmed_at: nil) }
-
-      it 'returns 200 and renders error view' do
-        get :new, params: params
-
-        expect(response).to have_gitlab_http_status(:ok)
-        expect(response).to render_template('doorkeeper/authorizations/error')
       end
     end
   end
+
+  describe 'POST #create' do
+    subject { post :create, params: params }
+
+    include_examples 'OAuth Authorizations require confirmed user'
+  end
+
+  describe 'DELETE #destroy' do
+    subject { delete :destroy, params: params }
+
+    include_examples 'OAuth Authorizations require confirmed user'
+  end
+
+  it 'includes Two-factor enforcement concern' do
+    expect(described_class.included_modules.include?(EnforcesTwoFactorAuthentication)).to eq(true)
+  end
 end
diff --git a/spec/controllers/oauth/authorized_applications_controller_spec.rb b/spec/controllers/oauth/authorized_applications_controller_spec.rb
index 15b2969a859..cb047e55752 100644
--- a/spec/controllers/oauth/authorized_applications_controller_spec.rb
+++ b/spec/controllers/oauth/authorized_applications_controller_spec.rb
@@ -18,4 +18,24 @@ RSpec.describe Oauth::AuthorizedApplicationsController do
       expect(response).to have_gitlab_http_status(:not_found)
     end
   end
+
+  describe 'DELETE #destroy' do
+    let(:application) { create(:oauth_application) }
+    let!(:grant) { create(:oauth_access_grant, resource_owner_id: user.id, application: application) }
+    let!(:access_token) { create(:oauth_access_token, resource_owner: user, application: application) }
+
+    it 'revokes both access grants and tokens' do
+      expect(grant).not_to be_revoked
+      expect(access_token).not_to be_revoked
+
+      delete :destroy, params: { id: application.id }
+
+      expect(grant.reload).to be_revoked
+      expect(access_token.reload).to be_revoked
+    end
+  end
+
+  it 'includes Two-factor enforcement concern' do
+    expect(described_class.included_modules.include?(EnforcesTwoFactorAuthentication)).to eq(true)
+  end
 end
diff --git a/spec/controllers/oauth/token_info_controller_spec.rb b/spec/controllers/oauth/token_info_controller_spec.rb
index 4658c2702ca..91a986db251 100644
--- a/spec/controllers/oauth/token_info_controller_spec.rb
+++ b/spec/controllers/oauth/token_info_controller_spec.rb
@@ -68,4 +68,8 @@ RSpec.describe Oauth::TokenInfoController do
       end
     end
   end
+
+  it 'includes Two-factor enforcement concern' do
+    expect(described_class.included_modules.include?(EnforcesTwoFactorAuthentication)).to eq(true)
+  end
 end
diff --git a/spec/controllers/oauth/tokens_controller_spec.rb b/spec/controllers/oauth/tokens_controller_spec.rb
new file mode 100644
index 00000000000..389153d138e
--- /dev/null
+++ b/spec/controllers/oauth/tokens_controller_spec.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Oauth::TokensController do
+  it 'includes Two-factor enforcement concern' do
+    expect(described_class.included_modules.include?(EnforcesTwoFactorAuthentication)).to eq(true)
+  end
+end
diff --git a/spec/controllers/repositories/lfs_storage_controller_spec.rb b/spec/controllers/repositories/lfs_storage_controller_spec.rb
new file mode 100644
index 00000000000..0201e73728f
--- /dev/null
+++ b/spec/controllers/repositories/lfs_storage_controller_spec.rb
@@ -0,0 +1,160 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Repositories::LfsStorageController do
+  using RSpec::Parameterized::TableSyntax
+  include GitHttpHelpers
+
+  let_it_be(:project) { create(:project, :public) }
+  let_it_be(:user) { create(:user) }
+  let_it_be(:pat) { create(:personal_access_token, user: user, scopes: ['write_repository']) }
+
+  let(:lfs_enabled) { true }
+
+  before do
+    stub_config(lfs: { enabled: lfs_enabled })
+  end
+
+  describe 'PUT #upload_finalize' do
+    let(:headers) { workhorse_internal_api_request_header }
+    let(:extra_headers) { {} }
+    let(:uploaded_file) { temp_file }
+
+    let(:params) do
+      {
+        namespace_id: project.namespace.path,
+        repository_id: "#{project.path}.git",
+        oid: '6b9765d3888aaec789e8c309eb05b05c3a87895d6ad70d2264bd7270fff665ac',
+        size: '6725030'
+      }
+    end
+
+    before do
+      request.headers.merge!(extra_headers)
+      request.headers.merge!(headers)
+
+      if uploaded_file
+        allow_next_instance_of(ActionController::Parameters) do |params|
+          allow(params).to receive(:[]).and_call_original
+          allow(params).to receive(:[]).with(:file).and_return(uploaded_file)
+        end
+      end
+    end
+
+    after do
+      FileUtils.rm_r(temp_file) if temp_file
+    end
+
+    subject do
+      put :upload_finalize, params: params
+    end
+
+    context 'with lfs enabled' do
+      context 'with unauthorized roles' do
+        where(:user_role, :expected_status) do
+          :guest     | :forbidden
+          :anonymous | :unauthorized
+        end
+
+        with_them do
+          let(:extra_headers) do
+            if user_role == :anonymous
+              {}
+            else
+              { 'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials(user.username, pat.token) }
+            end
+          end
+
+          before do
+            project.send("add_#{user_role}", user) unless user_role == :anonymous
+          end
+
+          it_behaves_like 'returning response status', params[:expected_status]
+        end
+      end
+
+      context 'with at least developer role' do
+        let(:extra_headers) { { 'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials(user.username, pat.token) } }
+
+        before do
+          project.add_developer(user)
+        end
+
+        it 'creates the objects' do
+          expect { subject }
+            .to change { LfsObject.count }.by(1)
+            .and change { LfsObjectsProject.count }.by(1)
+
+          expect(response).to have_gitlab_http_status(:ok)
+        end
+
+        context 'without the workhorse header' do
+          let(:headers) { {} }
+
+          it { expect { subject }.to raise_error(JWT::DecodeError) }
+        end
+
+        context 'without file' do
+          let(:uploaded_file) { nil }
+
+          it_behaves_like 'returning response status', :unprocessable_entity
+        end
+
+        context 'with an invalid file' do
+          let(:uploaded_file) { 'test' }
+
+          it_behaves_like 'returning response status', :unprocessable_entity
+        end
+
+        context 'when an expected error' do
+          [
+            ActiveRecord::RecordInvalid,
+            UploadedFile::InvalidPathError,
+            ObjectStorage::RemoteStoreError
+          ].each do |exception_class|
+            context "#{exception_class} raised" do
+              it 'renders lfs forbidden' do
+                expect(LfsObjectsProject).to receive(:safe_find_or_create_by!).and_raise(exception_class)
+
+                subject
+
+                expect(response).to have_gitlab_http_status(:forbidden)
+                expect(json_response['documentation_url']).to be_present
+                expect(json_response['message']).to eq('Access forbidden. Check your access level.')
+              end
+            end
+          end
+        end
+
+        context 'when file is not stored' do
+          it 'renders unprocessable entity' do
+            expect(controller).to receive(:store_file!).and_return(nil)
+
+            subject
+
+            expect(response).to have_gitlab_http_status(:unprocessable_entity)
+            expect(response.body).to eq('Unprocessable entity')
+          end
+        end
+      end
+    end
+
+    context 'with lfs disabled' do
+      let(:lfs_enabled) { false }
+      let(:extra_headers) { { 'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials(user.username, pat.token) } }
+
+      it_behaves_like 'returning response status', :not_implemented
+    end
+
+    def temp_file
+      upload_path = LfsObjectUploader.workhorse_local_upload_path
+      file_path = "#{upload_path}/lfs"
+
+      FileUtils.mkdir_p(upload_path)
+      File.write(file_path, 'test')
+
+      UploadedFile.new(file_path, filename: File.basename(file_path))
+    end
+  end
+end
diff --git a/spec/features/projects/jobs_spec.rb b/spec/features/projects/jobs_spec.rb
index d962287662e..0a6f204454e 100644
--- a/spec/features/projects/jobs_spec.rb
+++ b/spec/features/projects/jobs_spec.rb
@@ -551,7 +551,7 @@ RSpec.describe 'Jobs', :clean_gitlab_redis_shared_state do
 
         it 'shows deployment message' do
           expect(page).to have_content 'This job is deployed to production'
-          expect(find('.js-environment-link')['href']).to match("environments/#{environment.id}")
+          expect(find('[data-testid="job-environment-link"]')['href']).to match("environments/#{environment.id}")
         end
 
         context 'when there is a cluster used for the deployment' do
@@ -583,7 +583,7 @@ RSpec.describe 'Jobs', :clean_gitlab_redis_shared_state do
 
         it 'shows a link for the job' do
           expect(page).to have_link environment.name
-          expect(find('.js-environment-link')['href']).to match("environments/#{environment.id}")
+          expect(find('[data-testid="job-environment-link"]')['href']).to match("environments/#{environment.id}")
         end
       end
 
@@ -593,7 +593,7 @@ RSpec.describe 'Jobs', :clean_gitlab_redis_shared_state do
         it 'shows a link to latest deployment' do
           expect(page).to have_link environment.name
           expect(page).to have_content 'This job is creating a deployment'
-          expect(find('.js-environment-link')['href']).to match("environments/#{environment.id}")
+          expect(find('[data-testid="job-environment-link"]')['href']).to match("environments/#{environment.id}")
         end
       end
     end
@@ -645,15 +645,15 @@ RSpec.describe 'Jobs', :clean_gitlab_redis_shared_state do
         end
 
         it 'renders a link to the most recent deployment' do
-          expect(find('.js-environment-link')['href']).to match("environments/#{environment.id}")
-          expect(find('.js-job-deployment-link')['href']).to include(second_deployment.deployable.project.path, second_deployment.deployable_id.to_s)
+          expect(find('[data-testid="job-environment-link"]')['href']).to match("environments/#{environment.id}")
+          expect(find('[data-testid="job-deployment-link"]')['href']).to include(second_deployment.deployable.project.path, second_deployment.deployable_id.to_s)
         end
 
         context 'when deployment does not have a deployable' do
           let!(:second_deployment) { create(:deployment, :success, environment: environment, deployable: nil) }
 
           it 'has an empty href' do
-            expect(find('.js-job-deployment-link')['href']).to be_empty
+            expect(find('[data-testid="job-deployment-link"]')['href']).to be_empty
           end
         end
       end
@@ -679,7 +679,7 @@ RSpec.describe 'Jobs', :clean_gitlab_redis_shared_state do
             expected_text = 'This job is creating a deployment to staging'
 
             expect(page).to have_css('.environment-information', text: expected_text)
-            expect(find('.js-environment-link')['href']).to match("environments/#{environment.id}")
+            expect(find('[data-testid="job-environment-link"]')['href']).to match("environments/#{environment.id}")
           end
 
           context 'when it has deployment' do
@@ -690,7 +690,7 @@ RSpec.describe 'Jobs', :clean_gitlab_redis_shared_state do
 
               expect(page).to have_css('.environment-information', text: expected_text)
               expect(page).to have_css('.environment-information', text: 'latest deployment')
-              expect(find('.js-environment-link')['href']).to match("environments/#{environment.id}")
+              expect(find('[data-testid="job-environment-link"]')['href']).to match("environments/#{environment.id}")
             end
           end
         end
@@ -705,7 +705,7 @@ RSpec.describe 'Jobs', :clean_gitlab_redis_shared_state do
               '.environment-information', text: expected_text)
             expect(page).not_to have_css(
               '.environment-information', text: 'latest deployment')
-            expect(find('.js-environment-link')['href']).to match("environments/#{environment.id}")
+            expect(find('[data-testid="job-environment-link"]')['href']).to match("environments/#{environment.id}")
           end
         end
       end
diff --git a/spec/frontend/grafana_integration/components/__snapshots__/grafana_integration_spec.js.snap b/spec/frontend/grafana_integration/components/__snapshots__/grafana_integration_spec.js.snap
index b284f724b50..d528147a358 100644
--- a/spec/frontend/grafana_integration/components/__snapshots__/grafana_integration_spec.js.snap
+++ b/spec/frontend/grafana_integration/components/__snapshots__/grafana_integration_spec.js.snap
@@ -16,13 +16,15 @@ exports[`grafana integration component default state to match the default snapsh
     
     </h3>
      
-    <gl-deprecated-button-stub
+    <gl-button-stub
+      category="tertiary"
       class="js-settings-toggle"
-      size="md"
-      variant="secondary"
+      icon=""
+      size="medium"
+      variant="default"
     >
       Expand
-    </gl-deprecated-button-stub>
+    </gl-button-stub>
      
     <p
       class="js-section-sub-header"
@@ -90,14 +92,16 @@ exports[`grafana integration component default state to match the default snapsh
         </p>
       </gl-form-group-stub>
        
-      <gl-deprecated-button-stub
-        size="md"
+      <gl-button-stub
+        category="primary"
+        icon=""
+        size="medium"
         variant="success"
       >
         
         Save Changes
       
-      </gl-deprecated-button-stub>
+      </gl-button-stub>
     </form>
   </div>
 </section>
diff --git a/spec/frontend/grafana_integration/components/grafana_integration_spec.js b/spec/frontend/grafana_integration/components/grafana_integration_spec.js
index 2693f11e636..1c3ac5b6d46 100644
--- a/spec/frontend/grafana_integration/components/grafana_integration_spec.js
+++ b/spec/frontend/grafana_integration/components/grafana_integration_spec.js
@@ -1,5 +1,5 @@
 import { mount, shallowMount } from '@vue/test-utils';
-import { GlDeprecatedButton } from '@gitlab/ui';
+import { GlButton } from '@gitlab/ui';
 import { TEST_HOST } from 'helpers/test_constants';
 import GrafanaIntegration from '~/grafana_integration/components/grafana_integration.vue';
 import { createStore } from '~/grafana_integration/store';
@@ -51,7 +51,7 @@ describe('grafana integration component', () => {
     it('renders as an expand button by default', () => {
       wrapper = shallowMount(GrafanaIntegration, { store });
 
-      const button = wrapper.find(GlDeprecatedButton);
+      const button = wrapper.find(GlButton);
 
       expect(button.text()).toBe('Expand');
     });
@@ -77,8 +77,7 @@ describe('grafana integration component', () => {
     });
 
     describe('submit button', () => {
-      const findSubmitButton = () =>
-        wrapper.find('.settings-content form').find(GlDeprecatedButton);
+      const findSubmitButton = () => wrapper.find('.settings-content form').find(GlButton);
 
       const endpointRequest = [
         operationsSettingsEndpoint,
diff --git a/spec/frontend/jobs/components/environments_block_spec.js b/spec/frontend/jobs/components/environments_block_spec.js
index 4f2359e83b6..d90c9137a8f 100644
--- a/spec/frontend/jobs/components/environments_block_spec.js
+++ b/spec/frontend/jobs/components/environments_block_spec.js
@@ -1,14 +1,13 @@
-import Vue from 'vue';
-import component from '~/jobs/components/environments_block.vue';
-import mountComponent from '../../helpers/vue_mount_component_helper';
+import { mount } from '@vue/test-utils';
+import EnvironmentsBlock from '~/jobs/components/environments_block.vue';
 
 const TEST_CLUSTER_NAME = 'test_cluster';
 const TEST_CLUSTER_PATH = 'path/to/test_cluster';
 const TEST_KUBERNETES_NAMESPACE = 'this-is-a-kubernetes-namespace';
 
 describe('Environments block', () => {
-  const Component = Vue.extend(component);
-  let vm;
+  let wrapper;
+
   const status = {
     group: 'success',
     icon: 'status_success',
@@ -38,20 +37,23 @@ describe('Environments block', () => {
   });
 
   const createComponent = (deploymentStatus = {}, deploymentCluster = {}) => {
-    vm = mountComponent(Component, {
-      deploymentStatus,
-      deploymentCluster,
-      iconStatus: status,
+    wrapper = mount(EnvironmentsBlock, {
+      propsData: {
+        deploymentStatus,
+        deploymentCluster,
+        iconStatus: status,
+      },
     });
   };
 
-  const findText = () => vm.$el.textContent.trim();
-  const findJobDeploymentLink = () => vm.$el.querySelector('.js-job-deployment-link');
-  const findEnvironmentLink = () => vm.$el.querySelector('.js-environment-link');
-  const findClusterLink = () => vm.$el.querySelector('.js-job-cluster-link');
+  const findText = () => wrapper.find(EnvironmentsBlock).text();
+  const findJobDeploymentLink = () => wrapper.find('[data-testid="job-deployment-link"]');
+  const findEnvironmentLink = () => wrapper.find('[data-testid="job-environment-link"]');
+  const findClusterLink = () => wrapper.find('[data-testid="job-cluster-link"]');
 
   afterEach(() => {
-    vm.$destroy();
+    wrapper.destroy();
+    wrapper = null;
   });
 
   describe('with last deployment', () => {
@@ -61,7 +63,7 @@ describe('Environments block', () => {
         environment,
       });
 
-      expect(findText()).toEqual('This job is deployed to environment.');
+      expect(findText()).toBe('This job is deployed to environment.');
     });
 
     describe('when there is a cluster', () => {
@@ -74,7 +76,7 @@ describe('Environments block', () => {
           createDeploymentWithCluster(),
         );
 
-        expect(findText()).toEqual(
+        expect(findText()).toBe(
           `This job is deployed to environment using cluster ${TEST_CLUSTER_NAME}.`,
         );
       });
@@ -89,7 +91,7 @@ describe('Environments block', () => {
             createDeploymentWithClusterAndKubernetesNamespace(),
           );
 
-          expect(findText()).toEqual(
+          expect(findText()).toBe(
             `This job is deployed to environment using cluster ${TEST_CLUSTER_NAME} and namespace ${TEST_KUBERNETES_NAMESPACE}.`,
           );
         });
@@ -105,11 +107,11 @@ describe('Environments block', () => {
           environment: createEnvironmentWithLastDeployment(),
         });
 
-        expect(findText()).toEqual(
+        expect(findText()).toBe(
           'This job is an out-of-date deployment to environment. View the most recent deployment.',
         );
 
-        expect(findJobDeploymentLink().getAttribute('href')).toEqual('bar');
+        expect(findJobDeploymentLink().attributes('href')).toBe('bar');
       });
 
       describe('when there is a cluster', () => {
@@ -122,7 +124,7 @@ describe('Environments block', () => {
             createDeploymentWithCluster(),
           );
 
-          expect(findText()).toEqual(
+          expect(findText()).toBe(
             `This job is an out-of-date deployment to environment using cluster ${TEST_CLUSTER_NAME}. View the most recent deployment.`,
           );
         });
@@ -137,7 +139,7 @@ describe('Environments block', () => {
               createDeploymentWithClusterAndKubernetesNamespace(),
             );
 
-            expect(findText()).toEqual(
+            expect(findText()).toBe(
               `This job is an out-of-date deployment to environment using cluster ${TEST_CLUSTER_NAME} and namespace ${TEST_KUBERNETES_NAMESPACE}. View the most recent deployment.`,
             );
           });
@@ -152,7 +154,7 @@ describe('Environments block', () => {
           environment,
         });
 
-        expect(findText()).toEqual('This job is an out-of-date deployment to environment.');
+        expect(findText()).toBe('This job is an out-of-date deployment to environment.');
       });
     });
   });
@@ -164,7 +166,7 @@ describe('Environments block', () => {
         environment,
       });
 
-      expect(findText()).toEqual('The deployment of this job to environment did not succeed.');
+      expect(findText()).toBe('The deployment of this job to environment did not succeed.');
     });
   });
 
@@ -176,13 +178,15 @@ describe('Environments block', () => {
           environment: createEnvironmentWithLastDeployment(),
         });
 
-        expect(findText()).toEqual(
+        expect(findText()).toBe(
           'This job is creating a deployment to environment. This will overwrite the latest deployment.',
         );
 
-        expect(findJobDeploymentLink().getAttribute('href')).toEqual('bar');
-        expect(findEnvironmentLink().getAttribute('href')).toEqual(environment.environment_path);
-        expect(findClusterLink()).toBeNull();
+        expect(findEnvironmentLink().attributes('href')).toBe(environment.environment_path);
+
+        expect(findJobDeploymentLink().attributes('href')).toBe('bar');
+
+        expect(findClusterLink().exists()).toBe(false);
       });
     });
 
@@ -193,7 +197,7 @@ describe('Environments block', () => {
           environment,
         });
 
-        expect(findText()).toEqual('This job is creating a deployment to environment.');
+        expect(findText()).toBe('This job is creating a deployment to environment.');
       });
 
       describe('when there is a cluster', () => {
@@ -206,7 +210,7 @@ describe('Environments block', () => {
             createDeploymentWithCluster(),
           );
 
-          expect(findText()).toEqual(
+          expect(findText()).toBe(
             `This job is creating a deployment to environment using cluster ${TEST_CLUSTER_NAME}.`,
           );
         });
@@ -220,7 +224,7 @@ describe('Environments block', () => {
           environment: null,
         });
 
-        expect(findEnvironmentLink()).toBeNull();
+        expect(findEnvironmentLink().exists()).toBe(false);
       });
     });
   });
@@ -235,11 +239,11 @@ describe('Environments block', () => {
         createDeploymentWithCluster(),
       );
 
-      expect(findText()).toEqual(
+      expect(findText()).toBe(
         `This job is deployed to environment using cluster ${TEST_CLUSTER_NAME}.`,
       );
 
-      expect(findClusterLink().getAttribute('href')).toEqual(TEST_CLUSTER_PATH);
+      expect(findClusterLink().attributes('href')).toBe(TEST_CLUSTER_PATH);
     });
 
     describe('when the cluster is missing the path', () => {
@@ -254,7 +258,7 @@ describe('Environments block', () => {
 
         expect(findText()).toContain('using cluster the-cluster.');
 
-        expect(findClusterLink()).toBeNull();
+        expect(findClusterLink().exists()).toBe(false);
       });
     });
   });
diff --git a/spec/frontend/jobs/components/stuck_block_spec.js b/spec/frontend/jobs/components/stuck_block_spec.js
index 9fead4338cf..926286bf75a 100644
--- a/spec/frontend/jobs/components/stuck_block_spec.js
+++ b/spec/frontend/jobs/components/stuck_block_spec.js
@@ -1,4 +1,4 @@
-import { GlLink } from '@gitlab/ui';
+import { GlBadge, GlLink } from '@gitlab/ui';
 import { shallowMount } from '@vue/test-utils';
 import StuckBlock from '~/jobs/components/stuck_block.vue';
 
@@ -27,7 +27,7 @@ describe('Stuck Block Job component', () => {
   const findStuckNoRunners = () => wrapper.find('[data-testid="job-stuck-no-runners"]');
   const findStuckWithTags = () => wrapper.find('[data-testid="job-stuck-with-tags"]');
   const findRunnerPathLink = () => wrapper.find(GlLink);
-  const findAllBadges = () => wrapper.findAll('[data-testid="badge"]');
+  const findAllBadges = () => wrapper.findAll(GlBadge);
 
   describe('with no runners for project', () => {
     beforeEach(() => {
diff --git a/spec/frontend/snippets/components/snippet_header_spec.js b/spec/frontend/snippets/components/snippet_header_spec.js
index 0b991e7a5d4..af6631de9c9 100644
--- a/spec/frontend/snippets/components/snippet_header_spec.js
+++ b/spec/frontend/snippets/components/snippet_header_spec.js
@@ -2,45 +2,18 @@ import SnippetHeader from '~/snippets/components/snippet_header.vue';
 import DeleteSnippetMutation from '~/snippets/mutations/deleteSnippet.mutation.graphql';
 import { ApolloMutation } from 'vue-apollo';
 import { GlButton, GlModal } from '@gitlab/ui';
-import { shallowMount } from '@vue/test-utils';
+import { mount } from '@vue/test-utils';
 import { Blob, BinaryBlob } from 'jest/blob/components/mock_data';
+import waitForPromises from 'helpers/wait_for_promises';
 
 describe('Snippet header component', () => {
   let wrapper;
-  const snippet = {
-    id: 'gid://gitlab/PersonalSnippet/50',
-    title: 'The property of Thor',
-    visibilityLevel: 'private',
-    webUrl: 'http://personal.dev.null/42',
-    userPermissions: {
-      adminSnippet: true,
-      updateSnippet: true,
-      reportSnippet: false,
-    },
-    project: null,
-    author: {
-      name: 'Thor Odinson',
-    },
-    blobs: [Blob],
-  };
-  const mutationVariables = {
-    mutation: DeleteSnippetMutation,
-    variables: {
-      id: snippet.id,
-    },
-  };
-  const errorMsg = 'Foo bar';
-  const err = { message: errorMsg };
+  let snippet;
+  let mutationTypes;
+  let mutationVariables;
 
-  const resolveMutate = jest.fn(() =>
-    Promise.resolve({ data: { destroySnippet: { errors: [] } } }),
-  );
-  const rejectMutation = jest.fn(() => Promise.reject(err));
-
-  const mutationTypes = {
-    RESOLVE: resolveMutate,
-    REJECT: rejectMutation,
-  };
+  let errorMsg;
+  let err;
 
   function createComponent({
     loading = false,
@@ -63,7 +36,7 @@ describe('Snippet header component', () => {
       mutate: mutationRes,
     };
 
-    wrapper = shallowMount(SnippetHeader, {
+    wrapper = mount(SnippetHeader, {
       mocks: { $apollo },
       propsData: {
         snippet: {
@@ -76,6 +49,41 @@ describe('Snippet header component', () => {
     });
   }
 
+  beforeEach(() => {
+    snippet = {
+      id: 'gid://gitlab/PersonalSnippet/50',
+      title: 'The property of Thor',
+      visibilityLevel: 'private',
+      webUrl: 'http://personal.dev.null/42',
+      userPermissions: {
+        adminSnippet: true,
+        updateSnippet: true,
+        reportSnippet: false,
+      },
+      project: null,
+      author: {
+        name: 'Thor Odinson',
+      },
+      blobs: [Blob],
+      createdAt: new Date(Date.now() - 32 * 24 * 3600 * 1000).toISOString(),
+    };
+
+    mutationVariables = {
+      mutation: DeleteSnippetMutation,
+      variables: {
+        id: snippet.id,
+      },
+    };
+
+    errorMsg = 'Foo bar';
+    err = { message: errorMsg };
+
+    mutationTypes = {
+      RESOLVE: jest.fn(() => Promise.resolve({ data: { destroySnippet: { errors: [] } } })),
+      REJECT: jest.fn(() => Promise.reject(err)),
+    };
+  });
+
   afterEach(() => {
     wrapper.destroy();
   });
@@ -85,6 +93,23 @@ describe('Snippet header component', () => {
     expect(wrapper.find('.detail-page-header').exists()).toBe(true);
   });
 
+  it('renders a message showing snippet creation date and author', () => {
+    createComponent();
+
+    const text = wrapper.find('[data-testid="authored-message"]').text();
+    expect(text).toContain('Authored 1 month ago by');
+    expect(text).toContain('Thor Odinson');
+  });
+
+  it('renders a message showing only snippet creation date if author is null', () => {
+    snippet.author = null;
+
+    createComponent();
+
+    const text = wrapper.find('[data-testid="authored-message"]').text();
+    expect(text).toBe('Authored 1 month ago');
+  });
+
   it('renders action buttons based on permissions', () => {
     createComponent({
       permissions: {
@@ -163,14 +188,15 @@ describe('Snippet header component', () => {
       expect(mutationTypes.RESOLVE).toHaveBeenCalledWith(mutationVariables);
     });
 
-    it('sets error message if mutation fails', () => {
+    it('sets error message if mutation fails', async () => {
       createComponent({ mutationRes: mutationTypes.REJECT });
       expect(Boolean(wrapper.vm.errorMessage)).toBe(false);
 
       wrapper.vm.deleteSnippet();
-      return wrapper.vm.$nextTick().then(() => {
-        expect(wrapper.vm.errorMessage).toEqual(errorMsg);
-      });
+
+      await waitForPromises();
+
+      expect(wrapper.vm.errorMessage).toEqual(errorMsg);
     });
 
     describe('in case of successful mutation, closes modal and redirects to correct listing', () => {
diff --git a/spec/helpers/issuables_helper_spec.rb b/spec/helpers/issuables_helper_spec.rb
index 581c2fb0afe..9b32758c053 100644
--- a/spec/helpers/issuables_helper_spec.rb
+++ b/spec/helpers/issuables_helper_spec.rb
@@ -327,4 +327,12 @@ RSpec.describe IssuablesHelper do
       end
     end
   end
+
+  describe '#sidebar_milestone_tooltip_label' do
+    it 'escapes HTML in the milestone title' do
+      milestone = build(:milestone, title: '&lt;img onerror=alert(1)&gt;')
+
+      expect(helper.sidebar_milestone_tooltip_label(milestone)).to eq('&lt;img onerror=alert(1)&gt;<br/>Milestone')
+    end
+  end
 end
diff --git a/spec/lib/banzai/filter/issue_reference_filter_spec.rb b/spec/lib/banzai/filter/issue_reference_filter_spec.rb
index 98955d5cde9..0ad058675fe 100644
--- a/spec/lib/banzai/filter/issue_reference_filter_spec.rb
+++ b/spec/lib/banzai/filter/issue_reference_filter_spec.rb
@@ -75,6 +75,12 @@ RSpec.describe Banzai::Filter::IssueReferenceFilter do
       expect(doc.text).to eq "Issue #{reference}"
     end
 
+    it 'renders non-HTML tooltips' do
+      doc = reference_filter("Issue #{reference}")
+
+      expect(doc.at_css('a')).not_to have_attribute('data-html')
+    end
+
     it 'includes default classes' do
       doc = reference_filter("Issue #{reference}")
       expect(doc.css('a').first.attr('class')).to eq 'gfm gfm-issue has-tooltip'
diff --git a/spec/lib/gitlab/checks/branch_check_spec.rb b/spec/lib/gitlab/checks/branch_check_spec.rb
index 92452727017..822bdc8389d 100644
--- a/spec/lib/gitlab/checks/branch_check_spec.rb
+++ b/spec/lib/gitlab/checks/branch_check_spec.rb
@@ -19,6 +19,29 @@ RSpec.describe Gitlab::Checks::BranchCheck do
       end
     end
 
+    context "prohibited branches check" do
+      it "prohibits 40-character hexadecimal branch names" do
+        allow(subject).to receive(:branch_name).and_return("267208abfe40e546f5e847444276f7d43a39503e")
+
+        expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, "You cannot create a branch with a 40-character hexadecimal branch name.")
+      end
+
+      it "doesn't prohibit a nested hexadecimal in a branch name" do
+        allow(subject).to receive(:branch_name).and_return("fix-267208abfe40e546f5e847444276f7d43a39503e")
+
+        expect { subject.validate! }.not_to raise_error
+      end
+
+      context "the feature flag is disabled" do
+        it "doesn't prohibit a 40-character hexadecimal branch name" do
+          stub_feature_flags(prohibit_hexadecimal_branch_names: false)
+          allow(subject).to receive(:branch_name).and_return("267208abfe40e546f5e847444276f7d43a39503e")
+
+          expect { subject.validate! }.not_to raise_error
+        end
+      end
+    end
+
     context 'protected branches check' do
       before do
         allow(ProtectedBranch).to receive(:protected?).with(project, 'master').and_return(true)
diff --git a/spec/lib/gitlab/import_export/decompressed_archive_size_validator_spec.rb b/spec/lib/gitlab/import_export/decompressed_archive_size_validator_spec.rb
new file mode 100644
index 00000000000..efb271086a0
--- /dev/null
+++ b/spec/lib/gitlab/import_export/decompressed_archive_size_validator_spec.rb
@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::ImportExport::DecompressedArchiveSizeValidator do
+  let_it_be(:filepath) { File.join(Dir.tmpdir, 'decompressed_archive_size_validator_spec.gz') }
+
+  before(:all) do
+    create_compressed_file
+  end
+
+  after(:all) do
+    FileUtils.rm(filepath)
+  end
+
+  subject { described_class.new(archive_path: filepath, max_bytes: max_bytes) }
+
+  describe '#valid?' do
+    let(:max_bytes) { 1 }
+
+    context 'when file does not exceed allowed decompressed size' do
+      let(:max_bytes) { 20 }
+
+      it 'returns true' do
+        expect(subject.valid?).to eq(true)
+      end
+    end
+
+    context 'when file exceeds allowed decompressed size' do
+      it 'returns false' do
+        expect(subject.valid?).to eq(false)
+      end
+    end
+
+    context 'when something goes wrong during decompression' do
+      before do
+        allow(subject.archive_file).to receive(:eof?).and_raise(StandardError)
+      end
+
+      it 'logs and tracks raised exception' do
+        expect(Gitlab::ErrorTracking).to receive(:track_exception).with(instance_of(StandardError))
+        expect(Gitlab::Import::Logger).to receive(:info).with(hash_including(message: 'Decompressed archive size validation failed.'))
+
+        subject.valid?
+      end
+
+      it 'returns false' do
+        expect(subject.valid?).to eq(false)
+      end
+    end
+  end
+
+  def create_compressed_file
+    Zlib::GzipWriter.open(filepath) do |gz|
+      gz.write('Hello World!')
+    end
+  end
+end
diff --git a/spec/lib/gitlab/import_export/file_importer_spec.rb b/spec/lib/gitlab/import_export/file_importer_spec.rb
index 47485cc7edb..dc668e972cf 100644
--- a/spec/lib/gitlab/import_export/file_importer_spec.rb
+++ b/spec/lib/gitlab/import_export/file_importer_spec.rb
@@ -98,6 +98,45 @@ RSpec.describe Gitlab::ImportExport::FileImporter do
     end
   end
 
+  context 'when file exceeds acceptable decompressed size' do
+    let(:project) { create(:project) }
+    let(:shared) { Gitlab::ImportExport::Shared.new(project) }
+    let(:filepath) { File.join(Dir.tmpdir, 'file_importer_spec.gz') }
+
+    subject { described_class.new(importable: project, archive_file: filepath, shared: shared) }
+
+    before do
+      Zlib::GzipWriter.open(filepath) do |gz|
+        gz.write('Hello World!')
+      end
+    end
+
+    context 'when validate_import_decompressed_archive_size feature flag is enabled' do
+      before do
+        stub_feature_flags(validate_import_decompressed_archive_size: true)
+
+        allow(Gitlab::ImportExport::DecompressedArchiveSizeValidator).to receive(:max_bytes).and_return(1)
+      end
+
+      it 'returns false' do
+        expect(subject.import).to eq(false)
+        expect(shared.errors.join).to eq('Decompressed archive size validation failed.')
+      end
+    end
+
+    context 'when validate_import_decompressed_archive_size feature flag is disabled' do
+      before do
+        stub_feature_flags(validate_import_decompressed_archive_size: false)
+      end
+
+      it 'skips validation' do
+        expect(subject).to receive(:validate_decompressed_archive_size).never
+
+        subject.import
+      end
+    end
+  end
+
   def setup_files
     FileUtils.mkdir_p("#{shared.export_path}/subfolder/")
     FileUtils.touch(valid_file)
diff --git a/spec/lib/gitlab/import_export/safe_model_attributes.yml b/spec/lib/gitlab/import_export/safe_model_attributes.yml
index 7bdf6da87ae..b3d7c0ab934 100644
--- a/spec/lib/gitlab/import_export/safe_model_attributes.yml
+++ b/spec/lib/gitlab/import_export/safe_model_attributes.yml
@@ -659,6 +659,7 @@ PrometheusMetric:
 - group
 - common
 - identifier
+- dashboard_path
 PrometheusAlert:
 - threshold
 - operator
diff --git a/spec/lib/gitlab/kubernetes/kube_client_spec.rb b/spec/lib/gitlab/kubernetes/kube_client_spec.rb
index 2e2a2ed1f89..8211b096d3b 100644
--- a/spec/lib/gitlab/kubernetes/kube_client_spec.rb
+++ b/spec/lib/gitlab/kubernetes/kube_client_spec.rb
@@ -80,13 +80,13 @@ RSpec.describe Gitlab::Kubernetes::KubeClient do
     context 'errored' do
       using RSpec::Parameterized::TableSyntax
 
-      where(:error, :error_status) do
-        SocketError                     | :unreachable
-        OpenSSL::X509::CertificateError | :authentication_failure
-        StandardError                   | :unknown_failure
-        Kubeclient::HttpError.new(408, "timed out", nil) | :unreachable
-        Kubeclient::HttpError.new(408, "timeout", nil) | :unreachable
-        Kubeclient::HttpError.new(408, "", nil) | :authentication_failure
+      where(:error, :connection_status, :error_status) do
+        SocketError                                      | :unreachable            | :connection_error
+        OpenSSL::X509::CertificateError                  | :authentication_failure | :authentication_error
+        StandardError                                    | :unknown_failure        | :unknown_error
+        Kubeclient::HttpError.new(408, "timed out", nil) | :unreachable            | :http_error
+        Kubeclient::HttpError.new(408, "timeout", nil)   | :unreachable            | :http_error
+        Kubeclient::HttpError.new(408, "", nil)          | :authentication_failure | :http_error
       end
 
       with_them do
@@ -97,7 +97,7 @@ RSpec.describe Gitlab::Kubernetes::KubeClient do
         it 'returns error status' do
           result = described_class.graceful_request(1) { client.foo }
 
-          expect(result).to eq({ status: error_status })
+          expect(result).to eq({ status: connection_status, connection_error: error_status })
         end
       end
     end
diff --git a/spec/lib/gitlab/kubernetes/node_spec.rb b/spec/lib/gitlab/kubernetes/node_spec.rb
index 732bf29bc44..fdc3433ff0f 100644
--- a/spec/lib/gitlab/kubernetes/node_spec.rb
+++ b/spec/lib/gitlab/kubernetes/node_spec.rb
@@ -7,45 +7,51 @@ RSpec.describe Gitlab::Kubernetes::Node do
 
   describe '#all' do
     let(:cluster) { create(:cluster, :provided_by_user, :group) }
-    let(:expected_nodes) { [] }
+    let(:expected_nodes) { nil }
+    let(:nodes) { [kube_node.merge(kube_node_metrics)] }
+
+    subject { described_class.new(cluster).all }
 
     before do
       stub_kubeclient_nodes_and_nodes_metrics(cluster.platform.api_url)
     end
 
-    subject { described_class.new(cluster).all }
-
     context 'when connection to the cluster is successful' do
-      let(:expected_nodes) { [kube_node.merge(kube_node_metrics)] }
+      let(:expected_nodes) { { nodes: nodes } }
 
       it { is_expected.to eq(expected_nodes) }
     end
 
-    context 'when cluster cannot be reached' do
-      before do
-        allow(cluster.kubeclient.core_client).to receive(:discover)
-          .and_raise(SocketError)
+    context 'when there is a connection error' do
+      using RSpec::Parameterized::TableSyntax
+
+      where(:error, :error_status) do
+        SocketError                             | :kubernetes_connection_error
+        OpenSSL::X509::CertificateError         | :kubernetes_authentication_error
+        StandardError                           | :unknown_error
+        Kubeclient::HttpError.new(408, "", nil) | :kubeclient_http_error
       end
 
-      it { is_expected.to eq(expected_nodes) }
-    end
+      context 'when there is an error while querying nodes' do
+        with_them do
+          before do
+            allow(cluster.kubeclient).to receive(:get_nodes).and_raise(error)
+          end
 
-    context 'when cluster cannot be authenticated to' do
-      before do
-        allow(cluster.kubeclient.core_client).to receive(:discover)
-          .and_raise(OpenSSL::X509::CertificateError.new('Certificate error'))
+          it { is_expected.to eq({ node_connection_error: error_status }) }
+        end
       end
 
-      it { is_expected.to eq(expected_nodes) }
-    end
+      context 'when there is an error while querying metrics' do
+        with_them do
+          before do
+            allow(cluster.kubeclient).to receive(:get_nodes).and_return({ response: nodes })
+            allow(cluster.kubeclient).to receive(:metrics_client).and_raise(error)
+          end
 
-    context 'when Kubeclient::HttpError is raised' do
-      before do
-        allow(cluster.kubeclient.core_client).to receive(:discover)
-          .and_raise(Kubeclient::HttpError.new(403, 'Forbidden', nil))
+          it { is_expected.to eq({ nodes: nodes, metrics_connection_error: error_status }) }
+        end
       end
-
-      it { is_expected.to eq(expected_nodes) }
     end
 
     context 'when an uncategorised error is raised' do
@@ -54,7 +60,7 @@ RSpec.describe Gitlab::Kubernetes::Node do
           .and_raise(StandardError)
       end
 
-      it { is_expected.to eq(expected_nodes) }
+      it { is_expected.to eq({ node_connection_error: :unknown_error }) }
 
       it 'notifies Sentry' do
         expect(Gitlab::ErrorTracking).to receive(:track_exception)
diff --git a/spec/mailers/notify_spec.rb b/spec/mailers/notify_spec.rb
index e56cd488a52..9dde80f58d5 100644
--- a/spec/mailers/notify_spec.rb
+++ b/spec/mailers/notify_spec.rb
@@ -45,6 +45,21 @@ RSpec.describe Notify do
     end
   end
 
+  shared_examples 'it requires a group' do
+    context 'when given an deleted group' do
+      before do
+        # destroy group and group member
+        group_member.destroy!
+        group.destroy!
+      end
+
+      it 'returns NullMail type message' do
+        expect(Gitlab::AppLogger).to receive(:info)
+        expect(subject.message).to be_a(ActionMailer::Base::NullMail)
+      end
+    end
+  end
+
   context 'for a project' do
     shared_examples 'an assignee email' do
       let(:recipient) { assignee }
@@ -1388,6 +1403,7 @@ RSpec.describe Notify do
       it_behaves_like "a user cannot unsubscribe through footer link"
       it_behaves_like 'appearance header and footer enabled'
       it_behaves_like 'appearance header and footer not enabled'
+      it_behaves_like 'it requires a group'
 
       it 'contains all the useful information' do
         is_expected.to have_subject "Access to the #{group.name} group was granted"
@@ -1422,6 +1438,7 @@ RSpec.describe Notify do
       it_behaves_like "a user cannot unsubscribe through footer link"
       it_behaves_like 'appearance header and footer enabled'
       it_behaves_like 'appearance header and footer not enabled'
+      it_behaves_like 'it requires a group'
 
       it 'contains all the useful information' do
         is_expected.to have_subject "Invitation to join the #{group.name} group"
@@ -1448,6 +1465,7 @@ RSpec.describe Notify do
       it_behaves_like "a user cannot unsubscribe through footer link"
       it_behaves_like 'appearance header and footer enabled'
       it_behaves_like 'appearance header and footer not enabled'
+      it_behaves_like 'it requires a group'
 
       it 'contains all the useful information' do
         is_expected.to have_subject 'Invitation accepted'
diff --git a/spec/models/clusters/cluster_spec.rb b/spec/models/clusters/cluster_spec.rb
index 4807957152c..2d0b5af0e77 100644
--- a/spec/models/clusters/cluster_spec.rb
+++ b/spec/models/clusters/cluster_spec.rb
@@ -1153,6 +1153,57 @@ RSpec.describe Clusters::Cluster, :use_clean_rails_memory_store_caching do
     end
   end
 
+  describe '#connection_error' do
+    let(:cluster) { create(:cluster) }
+    let(:error) { :unknown_error }
+
+    subject { cluster.connection_error }
+
+    it { is_expected.to be_nil }
+
+    context 'with a cached status' do
+      before do
+        stub_reactive_cache(cluster, connection_error: error)
+      end
+
+      it { is_expected.to eq(error) }
+    end
+  end
+
+  describe '#node_connection_error' do
+    let(:cluster) { create(:cluster) }
+    let(:error) { :unknown_error }
+
+    subject { cluster.node_connection_error }
+
+    it { is_expected.to be_nil }
+
+    context 'with a cached status' do
+      before do
+        stub_reactive_cache(cluster, node_connection_error: error)
+      end
+
+      it { is_expected.to eq(error) }
+    end
+  end
+
+  describe '#metrics_connection_error' do
+    let(:cluster) { create(:cluster) }
+    let(:error) { :unknown_error }
+
+    subject { cluster.metrics_connection_error }
+
+    it { is_expected.to be_nil }
+
+    context 'with a cached status' do
+      before do
+        stub_reactive_cache(cluster, metrics_connection_error: error)
+      end
+
+      it { is_expected.to eq(error) }
+    end
+  end
+
   describe '#nodes' do
     let(:cluster) { create(:cluster) }
 
@@ -1186,43 +1237,49 @@ RSpec.describe Clusters::Cluster, :use_clean_rails_memory_store_caching do
     context 'cluster is enabled' do
       let(:cluster) { create(:cluster, :provided_by_user, :group) }
       let(:gl_k8s_node_double) { double(Gitlab::Kubernetes::Node) }
-      let(:expected_nodes) { nil }
+      let(:expected_nodes) { {} }
 
       before do
         stub_kubeclient_discover(cluster.platform.api_url)
         allow(Gitlab::Kubernetes::Node).to receive(:new).with(cluster).and_return(gl_k8s_node_double)
-        allow(gl_k8s_node_double).to receive(:all).and_return([])
+        allow(gl_k8s_node_double).to receive(:all).and_return(expected_nodes)
       end
 
       context 'connection to the cluster is successful' do
+        let(:expected_nodes) { { nodes: [kube_node.merge(kube_node_metrics)] } }
+        let(:connection_status) { { connection_status: :connected } }
+
         before do
           allow(gl_k8s_node_double).to receive(:all).and_return(expected_nodes)
         end
 
-        let(:expected_nodes) { [kube_node.merge(kube_node_metrics)] }
-
-        it { is_expected.to eq(connection_status: :connected, nodes: expected_nodes) }
+        it { is_expected.to eq(**connection_status, **expected_nodes) }
       end
 
       context 'cluster cannot be reached' do
+        let(:connection_status) { { connection_status: :unreachable, connection_error: :connection_error } }
+
         before do
           allow(cluster.kubeclient.core_client).to receive(:discover)
             .and_raise(SocketError)
         end
 
-        it { is_expected.to eq(connection_status: :unreachable, nodes: expected_nodes) }
+        it { is_expected.to eq(**connection_status, **expected_nodes) }
       end
 
       context 'cluster cannot be authenticated to' do
+        let(:connection_status) { { connection_status: :authentication_failure, connection_error: :authentication_error } }
+
         before do
           allow(cluster.kubeclient.core_client).to receive(:discover)
             .and_raise(OpenSSL::X509::CertificateError.new("Certificate error"))
         end
 
-        it { is_expected.to eq(connection_status: :authentication_failure, nodes: expected_nodes) }
+        it { is_expected.to eq(**connection_status, **expected_nodes) }
       end
 
       describe 'Kubeclient::HttpError' do
+        let(:connection_status) { { connection_status: :authentication_failure, connection_error: :http_error } }
         let(:error_code) { 403 }
         let(:error_message) { "Forbidden" }
 
@@ -1231,28 +1288,32 @@ RSpec.describe Clusters::Cluster, :use_clean_rails_memory_store_caching do
             .and_raise(Kubeclient::HttpError.new(error_code, error_message, nil))
         end
 
-        it { is_expected.to eq(connection_status: :authentication_failure, nodes: expected_nodes) }
+        it { is_expected.to eq(**connection_status, **expected_nodes) }
 
         context 'generic timeout' do
+          let(:connection_status) { { connection_status: :unreachable, connection_error: :http_error } }
           let(:error_message) { 'Timed out connecting to server'}
 
-          it { is_expected.to eq(connection_status: :unreachable, nodes: expected_nodes) }
+          it { is_expected.to eq(**connection_status, **expected_nodes) }
         end
 
         context 'gateway timeout' do
+          let(:connection_status) { { connection_status: :unreachable, connection_error: :http_error } }
           let(:error_message) { '504 Gateway Timeout for GET https://kubernetes.example.com/api/v1'}
 
-          it { is_expected.to eq(connection_status: :unreachable, nodes: expected_nodes) }
+          it { is_expected.to eq(**connection_status, **expected_nodes) }
         end
       end
 
       context 'an uncategorised error is raised' do
+        let(:connection_status) { { connection_status: :unknown_failure, connection_error: :unknown_error } }
+
         before do
           allow(cluster.kubeclient.core_client).to receive(:discover)
             .and_raise(StandardError)
         end
 
-        it { is_expected.to eq(connection_status: :unknown_failure, nodes: expected_nodes) }
+        it { is_expected.to eq(**connection_status, **expected_nodes) }
 
         it 'notifies Sentry' do
           expect(Gitlab::ErrorTracking).to receive(:track_exception)
diff --git a/spec/requests/lfs_http_spec.rb b/spec/requests/lfs_http_spec.rb
index f7771c7b0f9..0ae3feba4ba 100644
--- a/spec/requests/lfs_http_spec.rb
+++ b/spec/requests/lfs_http_spec.rb
@@ -17,6 +17,7 @@ RSpec.describe 'Git LFS API and storage' do
       'X-Sendfile-Type' => sendfile
     }.compact
   end
+  let(:include_workhorse_jwt_header) { true }
   let(:authorization) { }
   let(:sendfile) { }
   let(:pipeline) { create(:ci_empty_pipeline, project: project) }
@@ -1075,14 +1076,24 @@ RSpec.describe 'Git LFS API and storage' do
             end
           end
 
-          context 'invalid tempfiles' do
+          context 'without the lfs object' do
             before do
               lfs_object.destroy
             end
 
             it 'rejects slashes in the tempfile name (path traversal)' do
               put_finalize('../bar', with_tempfile: true)
-              expect(response).to have_gitlab_http_status(:forbidden)
+              expect(response).to have_gitlab_http_status(:bad_request)
+            end
+
+            context 'not sending the workhorse jwt header' do
+              let(:include_workhorse_jwt_header) { false }
+
+              it 'rejects the request' do
+                put_finalize(with_tempfile: true)
+
+                expect(response).to have_gitlab_http_status(:unprocessable_entity)
+              end
             end
           end
         end
@@ -1308,7 +1319,8 @@ RSpec.describe 'Git LFS API and storage' do
         method: :put,
         file_key: :file,
         params: args.merge(file: uploaded_file),
-        headers: finalize_headers
+        headers: finalize_headers,
+        send_rewritten_field: include_workhorse_jwt_header
       )
     end
 
diff --git a/spec/serializers/cluster_error_entity_spec.rb b/spec/serializers/cluster_error_entity_spec.rb
new file mode 100644
index 00000000000..43ec41adf14
--- /dev/null
+++ b/spec/serializers/cluster_error_entity_spec.rb
@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe ClusterErrorEntity do
+  describe '#as_json' do
+    let(:cluster) { create(:cluster, :provided_by_user, :group) }
+
+    subject { described_class.new(cluster).as_json }
+
+    context 'when connection_error is present' do
+      before do
+        allow(cluster).to receive(:connection_error).and_return(:connection_error)
+      end
+
+      it { is_expected.to eq({ connection_error: :connection_error, metrics_connection_error: nil, node_connection_error: nil }) }
+    end
+
+    context 'when metrics_connection_error is present' do
+      before do
+        allow(cluster).to receive(:metrics_connection_error).and_return(:http_error)
+      end
+
+      it { is_expected.to eq({ connection_error: nil, metrics_connection_error: :http_error, node_connection_error: nil }) }
+    end
+
+    context 'when node_connection_error is present' do
+      before do
+        allow(cluster).to receive(:node_connection_error).and_return(:unknown_error)
+      end
+
+      it { is_expected.to eq({ connection_error: nil, metrics_connection_error: nil, node_connection_error: :unknown_error }) }
+    end
+  end
+end
diff --git a/spec/serializers/cluster_serializer_spec.rb b/spec/serializers/cluster_serializer_spec.rb
index ea1cf6ff59a..f34409c3cfb 100644
--- a/spec/serializers/cluster_serializer_spec.rb
+++ b/spec/serializers/cluster_serializer_spec.rb
@@ -14,6 +14,7 @@ RSpec.describe ClusterSerializer do
         :enabled,
         :environment_scope,
         :gitlab_managed_apps_logs_path,
+        :kubernetes_errors,
         :name,
         :nodes,
         :path,
diff --git a/spec/services/authorized_project_update/project_group_link_create_service_spec.rb b/spec/services/authorized_project_update/project_group_link_create_service_spec.rb
index d30d9f1e766..961322a1a21 100644
--- a/spec/services/authorized_project_update/project_group_link_create_service_spec.rb
+++ b/spec/services/authorized_project_update/project_group_link_create_service_spec.rb
@@ -13,8 +13,9 @@ RSpec.describe AuthorizedProjectUpdate::ProjectGroupLinkCreateService do
   let_it_be(:project) { create(:project, :private, group: create(:group, :private)) }
 
   let(:access_level) { Gitlab::Access::MAINTAINER }
+  let(:group_access) { nil }
 
-  subject(:service) { described_class.new(project, group) }
+  subject(:service) { described_class.new(project, group, group_access) }
 
   describe '#perform' do
     context 'direct group members' do
@@ -54,6 +55,26 @@ RSpec.describe AuthorizedProjectUpdate::ProjectGroupLinkCreateService do
       end
     end
 
+    context 'with group_access' do
+      let(:group_access) { Gitlab::Access::REPORTER }
+
+      before do
+        create(:group_member, access_level: access_level, group: group_parent, user: parent_group_user)
+        ProjectAuthorization.delete_all
+      end
+
+      it 'creates project authorization' do
+        expect { service.execute }.to(
+          change { ProjectAuthorization.count }.from(0).to(1))
+
+        project_authorization = ProjectAuthorization.where(
+          project_id: project.id,
+          user_id: parent_group_user.id,
+          access_level: group_access)
+        expect(project_authorization).to exist
+      end
+    end
+
     context 'membership overrides' do
       before do
         create(:group_member, access_level: Gitlab::Access::REPORTER, group: group_parent, user: group_user)
diff --git a/spec/services/groups/transfer_service_spec.rb b/spec/services/groups/transfer_service_spec.rb
index d21c59e24c8..2db9bb0d50c 100644
--- a/spec/services/groups/transfer_service_spec.rb
+++ b/spec/services/groups/transfer_service_spec.rb
@@ -414,44 +414,117 @@ RSpec.describe Groups::TransferService do
       end
 
       context 'when transferring a group with nested groups and projects' do
-        let!(:group) { create(:group, :public) }
+        let(:subgroup1) { create(:group, :private, parent: group) }
         let!(:project1) { create(:project, :repository, :private, namespace: group) }
-        let!(:subgroup1) { create(:group, :private, parent: group) }
         let!(:nested_subgroup) { create(:group, :private, parent: subgroup1) }
         let!(:nested_project) { create(:project, :repository, :private, namespace: subgroup1) }
 
         before do
           TestEnv.clean_test_path
           create(:group_member, :owner, group: new_parent_group, user: user)
-          transfer_service.execute(new_parent_group)
         end
 
-        it 'updates subgroups path' do
-          new_base_path = "#{new_parent_group.path}/#{group.path}"
-          group.children.each do |children|
-            expect(children.full_path).to eq("#{new_base_path}/#{children.path}")
+        context 'updated paths' do
+          let(:group) { create(:group, :public) }
+
+          before do
+            transfer_service.execute(new_parent_group)
           end
 
-          new_base_path = "#{new_parent_group.path}/#{group.path}/#{subgroup1.path}"
-          subgroup1.children.each do |children|
-            expect(children.full_path).to eq("#{new_base_path}/#{children.path}")
+          it 'updates subgroups path' do
+            new_base_path = "#{new_parent_group.path}/#{group.path}"
+            group.children.each do |children|
+              expect(children.full_path).to eq("#{new_base_path}/#{children.path}")
+            end
+
+            new_base_path = "#{new_parent_group.path}/#{group.path}/#{subgroup1.path}"
+            subgroup1.children.each do |children|
+              expect(children.full_path).to eq("#{new_base_path}/#{children.path}")
+            end
+          end
+
+          it 'updates projects path' do
+            new_parent_path = "#{new_parent_group.path}/#{group.path}"
+            subgroup1.projects.each do |project|
+              project_full_path = "#{new_parent_path}/#{project.namespace.path}/#{project.name}"
+              expect(project.full_path).to eq(project_full_path)
+            end
+          end
+
+          it 'creates redirect for the subgroups and projects' do
+            expect(group.redirect_routes.count).to eq(1)
+            expect(project1.redirect_routes.count).to eq(1)
+            expect(subgroup1.redirect_routes.count).to eq(1)
+            expect(nested_subgroup.redirect_routes.count).to eq(1)
+            expect(nested_project.redirect_routes.count).to eq(1)
           end
         end
 
-        it 'updates projects path' do
-          new_parent_path = "#{new_parent_group.path}/#{group.path}"
-          subgroup1.projects.each do |project|
-            project_full_path = "#{new_parent_path}/#{project.namespace.path}/#{project.name}"
-            expect(project.full_path).to eq(project_full_path)
-          end
-        end
+        context 'resets project authorizations' do
+          let(:old_parent_group) { create(:group) }
+          let(:group) { create(:group, :private, parent: old_parent_group) }
+          let(:new_group_member) { create(:user) }
+          let(:old_group_member) { create(:user) }
 
-        it 'creates redirect for the subgroups and projects' do
-          expect(group.redirect_routes.count).to eq(1)
-          expect(project1.redirect_routes.count).to eq(1)
-          expect(subgroup1.redirect_routes.count).to eq(1)
-          expect(nested_subgroup.redirect_routes.count).to eq(1)
-          expect(nested_project.redirect_routes.count).to eq(1)
+          before do
+            new_parent_group.add_maintainer(new_group_member)
+            old_parent_group.add_maintainer(old_group_member)
+            group.refresh_members_authorized_projects
+          end
+
+          it 'removes old project authorizations' do
+            expect { transfer_service.execute(new_parent_group) }.to change {
+              ProjectAuthorization.where(project_id: project1.id, user_id: old_group_member.id).size
+            }.from(1).to(0)
+          end
+
+          it 'adds new project authorizations' do
+            expect { transfer_service.execute(new_parent_group) }.to change {
+              ProjectAuthorization.where(project_id: project1.id, user_id: new_group_member.id).size
+            }.from(0).to(1)
+          end
+
+          it 'performs authorizations job immediately' do
+            expect(AuthorizedProjectsWorker).to receive(:bulk_perform_inline)
+
+            transfer_service.execute(new_parent_group)
+          end
+
+          context 'for nested projects' do
+            it 'removes old project authorizations' do
+              expect { transfer_service.execute(new_parent_group) }.to change {
+                ProjectAuthorization.where(project_id: nested_project.id, user_id: old_group_member.id).size
+              }.from(1).to(0)
+            end
+
+            it 'adds new project authorizations' do
+              expect { transfer_service.execute(new_parent_group) }.to change {
+                ProjectAuthorization.where(project_id: nested_project.id, user_id: new_group_member.id).size
+              }.from(0).to(1)
+            end
+          end
+
+          context 'for groups with many members' do
+            before do
+              11.times do
+                new_parent_group.add_maintainer(create(:user))
+              end
+            end
+
+            it 'adds new project authorizations for the user which makes a transfer' do
+              transfer_service.execute(new_parent_group)
+
+              expect(ProjectAuthorization.where(project_id: project1.id, user_id: user.id).size).to eq(1)
+              expect(ProjectAuthorization.where(project_id: nested_project.id, user_id: user.id).size).to eq(1)
+            end
+
+            it 'schedules authorizations job' do
+              expect(AuthorizedProjectsWorker).to receive(:bulk_perform_async)
+                .with(array_including(new_parent_group.members_with_parents.pluck(:user_id).map {|id| [id, anything] }))
+
+              transfer_service.execute(new_parent_group)
+            end
+          end
         end
       end
 
diff --git a/spec/services/projects/group_links/create_service_spec.rb b/spec/services/projects/group_links/create_service_spec.rb
index 6468e3007c2..c249a51fc56 100644
--- a/spec/services/projects/group_links/create_service_spec.rb
+++ b/spec/services/projects/group_links/create_service_spec.rb
@@ -6,9 +6,10 @@ RSpec.describe Projects::GroupLinks::CreateService, '#execute' do
   let_it_be(:user) { create :user }
   let_it_be(:group) { create :group }
   let_it_be(:project) { create :project }
+  let(:group_access) { Gitlab::Access::DEVELOPER }
   let(:opts) do
     {
-      link_group_access: '30',
+      link_group_access: group_access,
       expires_at: nil
     }
   end
@@ -49,7 +50,9 @@ RSpec.describe Projects::GroupLinks::CreateService, '#execute' do
         receive(:bulk_perform_async)
       )
       expect(AuthorizedProjectUpdate::ProjectGroupLinkCreateWorker).to(
-        receive(:perform_async).and_call_original
+        receive(:perform_async)
+          .with(project.id, group.id, group_access)
+          .and_call_original
       )
       expect(AuthorizedProjectUpdate::UserRefreshWithLowUrgencyWorker).to(
         receive(:bulk_perform_in)