From 278fb1630d9239ae3107f882de6df6d7b740e71c Mon Sep 17 00:00:00 2001
From: Valentin Tolmer <valentin@tolmer.fr>
Date: Thu, 19 May 2022 15:34:01 +0200
Subject: [PATCH] server: implement haveibeenpwned endpoint

See #39.
---
 Cargo.lock                                 |  14 +-
 app/Cargo.toml                             |   2 +
 app/src/components/change_password.rs      |   5 +-
 app/src/components/login.rs                |   6 +-
 app/src/components/mod.rs                  |   1 +
 app/src/components/password_field.rs       | 152 +++++++++++++++++++
 app/src/components/reset_password_step2.rs |   9 +-
 app/src/infra/api.rs                       |  46 +++++-
 app/static/spinner.gif                     | Bin 45404 -> 0 bytes
 auth/src/lib.rs                            |  11 ++
 server/Cargo.toml                          |   1 -
 server/src/infra/auth_service.rs           | 164 ++++++++++++++++++---
 server/src/infra/cli.rs                    |   4 +
 server/src/infra/configuration.rs          |   6 +
 server/src/infra/tcp_server.rs             |  13 +-
 15 files changed, 389 insertions(+), 45 deletions(-)
 create mode 100644 app/src/components/password_field.rs
 delete mode 100644 app/static/spinner.gif

diff --git a/Cargo.lock b/Cargo.lock
index fc9fcc0..9ab7f32 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2404,7 +2404,7 @@ dependencies = [
  "tracing-forest",
  "tracing-log",
  "tracing-subscriber",
- "uuid 0.8.2",
+ "uuid 1.3.0",
  "webpki-roots",
 ]
 
@@ -2418,6 +2418,7 @@ dependencies = [
  "gloo-console",
  "gloo-file",
  "gloo-net",
+ "gloo-timers",
  "graphql_client 0.10.0",
  "http",
  "image",
@@ -2427,6 +2428,7 @@ dependencies = [
  "rand 0.8.5",
  "serde",
  "serde_json",
+ "sha1",
  "url-escape",
  "validator",
  "validator_derive",
@@ -2530,12 +2532,6 @@ dependencies = [
  "digest 0.10.6",
 ]
 
-[[package]]
-name = "md5"
-version = "0.7.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "490cc448043f947bae3cbee9c203358d62dbee0db12107a74be5c30ccfd09771"
-
 [[package]]
 name = "memchr"
 version = "2.5.0"
@@ -4404,9 +4400,6 @@ name = "uuid"
 version = "0.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bc5cf98d8186244414c848017f0e2676b3fcb46807f6668a97dfe67359a3c4b7"
-dependencies = [
- "md5",
-]
 
 [[package]]
 name = "uuid"
@@ -4415,6 +4408,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1674845326ee10d37ca60470760d4288a6f80f304007d92e5c53bab78c9cfd79"
 dependencies = [
  "getrandom 0.2.8",
+ "md-5",
 ]
 
 [[package]]
diff --git a/app/Cargo.toml b/app/Cargo.toml
index 854bf61..74ac4be 100644
--- a/app/Cargo.toml
+++ b/app/Cargo.toml
@@ -19,6 +19,7 @@ serde = "1"
 serde_json = "1"
 url-escape = "0.1.1"
 validator = "=0.14"
+sha1 = "*"
 validator_derive = "*"
 wasm-bindgen = "0.2"
 wasm-bindgen-futures = "*"
@@ -27,6 +28,7 @@ yew-router = "0.16"
 
 # Needed because of https://github.com/tkaitchuck/aHash/issues/95
 indexmap = "=1.6.2"
+gloo-timers = "0.2.6"
 
 [dependencies.web-sys]
 version = "0.3"
diff --git a/app/src/components/change_password.rs b/app/src/components/change_password.rs
index d6d59d3..c9513e3 100644
--- a/app/src/components/change_password.rs
+++ b/app/src/components/change_password.rs
@@ -1,4 +1,5 @@
 use crate::{
+    components::password_field::PasswordField,
     components::router::{AppRoute, Link},
     infra::{
         api::HostService,
@@ -254,14 +255,12 @@ impl Component for ChangePasswordForm {
                    {":"}
                 </label>
                 <div class="col-sm-10">
-                  <Field
+                  <PasswordField<FormModel>
                     form={&self.form}
                     field_name="password"
-                    input_type="password"
                     class="form-control"
                     class_invalid="is-invalid has-error"
                     class_valid="has-success"
-                    autocomplete="new-password"
                     oninput={link.callback(|_| Msg::FormUpdate)} />
                   <div class="invalid-feedback">
                     {&self.form.field_message("password")}
diff --git a/app/src/components/login.rs b/app/src/components/login.rs
index 91bf41f..ad9fe9b 100644
--- a/app/src/components/login.rs
+++ b/app/src/components/login.rs
@@ -149,9 +149,9 @@ impl Component for LoginForm {
         let link = &ctx.link();
         if self.refreshing {
             html! {
-              <div>
-                <img src={"spinner.gif"} alt={"Loading"} />
-              </div>
+                <div class="spinner-border" role="status">
+                  <span class="sr-only">{"Loading..."}</span>
+                </div>
             }
         } else {
             html! {
diff --git a/app/src/components/mod.rs b/app/src/components/mod.rs
index f78dcf9..2e00630 100644
--- a/app/src/components/mod.rs
+++ b/app/src/components/mod.rs
@@ -10,6 +10,7 @@ pub mod group_details;
 pub mod group_table;
 pub mod login;
 pub mod logout;
+pub mod password_field;
 pub mod remove_user_from_group;
 pub mod reset_password_step1;
 pub mod reset_password_step2;
diff --git a/app/src/components/password_field.rs b/app/src/components/password_field.rs
new file mode 100644
index 0000000..504c02c
--- /dev/null
+++ b/app/src/components/password_field.rs
@@ -0,0 +1,152 @@
+use crate::infra::{
+    api::{hash_password, HostService, PasswordHash, PasswordWasLeaked},
+    common_component::{CommonComponent, CommonComponentParts},
+};
+use anyhow::Result;
+use gloo_timers::callback::Timeout;
+use web_sys::{HtmlInputElement, InputEvent};
+use yew::{html, Callback, Classes, Component, Context, Properties};
+use yew_form::{Field, Form, Model};
+
+pub enum PasswordFieldMsg {
+    OnInput(String),
+    OnInputIdle,
+    PasswordCheckResult(Result<(Option<PasswordWasLeaked>, PasswordHash)>),
+}
+
+#[derive(PartialEq)]
+pub enum PasswordState {
+    // Whether the password was found in a leak.
+    Checked(PasswordWasLeaked),
+    // Server doesn't support checking passwords (TODO: move to config).
+    NotSupported,
+    // Requested a check, no response yet from the server.
+    Loading,
+    // User is still actively typing.
+    Typing,
+}
+
+pub struct PasswordField<FormModel: Model> {
+    common: CommonComponentParts<Self>,
+    timeout_task: Option<Timeout>,
+    password: String,
+    password_check_state: PasswordState,
+    _marker: std::marker::PhantomData<FormModel>,
+}
+
+impl<FormModel: Model> CommonComponent<PasswordField<FormModel>> for PasswordField<FormModel> {
+    fn handle_msg(
+        &mut self,
+        ctx: &Context<Self>,
+        msg: <Self as Component>::Message,
+    ) -> anyhow::Result<bool> {
+        match msg {
+            PasswordFieldMsg::OnInput(password) => {
+                self.password = password;
+                if self.password_check_state != PasswordState::NotSupported {
+                    self.password_check_state = PasswordState::Typing;
+                    if self.password.len() >= 8 {
+                        let link = ctx.link().clone();
+                        self.timeout_task = Some(Timeout::new(500, move || {
+                            link.send_message(PasswordFieldMsg::OnInputIdle)
+                        }));
+                    }
+                }
+            }
+            PasswordFieldMsg::PasswordCheckResult(result) => {
+                self.timeout_task = None;
+                // If there's an error from the backend, don't retry.
+                self.password_check_state = PasswordState::NotSupported;
+                if let (Some(check), hash) = result? {
+                    if hash == hash_password(&self.password) {
+                        self.password_check_state = PasswordState::Checked(check)
+                    }
+                }
+            }
+            PasswordFieldMsg::OnInputIdle => {
+                self.timeout_task = None;
+                if self.password_check_state != PasswordState::NotSupported {
+                    self.password_check_state = PasswordState::Loading;
+                    self.common.call_backend(
+                        ctx,
+                        HostService::check_password_haveibeenpwned(hash_password(&self.password)),
+                        PasswordFieldMsg::PasswordCheckResult,
+                    );
+                }
+            }
+        }
+        Ok(true)
+    }
+
+    fn mut_common(&mut self) -> &mut CommonComponentParts<PasswordField<FormModel>> {
+        &mut self.common
+    }
+}
+
+#[derive(Properties, PartialEq, Clone)]
+pub struct PasswordFieldProperties<FormModel: Model> {
+    pub field_name: String,
+    pub form: Form<FormModel>,
+    #[prop_or_else(|| { "form-control".into() })]
+    pub class: Classes,
+    #[prop_or_else(|| { "is-invalid".into() })]
+    pub class_invalid: Classes,
+    #[prop_or_else(|| { "is-valid".into() })]
+    pub class_valid: Classes,
+    #[prop_or_else(Callback::noop)]
+    pub oninput: Callback<String>,
+}
+
+impl<FormModel: Model> Component for PasswordField<FormModel> {
+    type Message = PasswordFieldMsg;
+    type Properties = PasswordFieldProperties<FormModel>;
+
+    fn create(_: &Context<Self>) -> Self {
+        Self {
+            common: CommonComponentParts::<Self>::create(),
+            timeout_task: None,
+            password: String::new(),
+            password_check_state: PasswordState::Typing,
+            _marker: std::marker::PhantomData,
+        }
+    }
+
+    fn update(&mut self, ctx: &Context<Self>, msg: Self::Message) -> bool {
+        CommonComponentParts::<Self>::update(self, ctx, msg)
+    }
+
+    fn view(&self, ctx: &Context<Self>) -> yew::Html {
+        let link = &ctx.link();
+        html! {
+          <div>
+            <Field<FormModel>
+                autocomplete={"new-password"}
+                input_type={"password"}
+                field_name={ctx.props().field_name.clone()}
+                form={ctx.props().form.clone()}
+                class={ctx.props().class.clone()}
+                class_invalid={ctx.props().class_invalid.clone()}
+                class_valid={ctx.props().class_valid.clone()}
+                oninput={link.callback(|e: InputEvent| {
+                    use wasm_bindgen::JsCast;
+                    let target = e.target().unwrap();
+                    let input = target.dyn_into::<HtmlInputElement>().unwrap();
+                    PasswordFieldMsg::OnInput(input.value())
+                })} />
+            {
+                match self.password_check_state {
+                    PasswordState::Checked(PasswordWasLeaked(true)) => html! { <i class="bi bi-x"></i> },
+                    PasswordState::Checked(PasswordWasLeaked(false)) => html! { <i class="bi bi-check"></i> },
+                    PasswordState::NotSupported | PasswordState::Typing => html!{},
+                    PasswordState::Loading =>
+                        html! {
+                          <div class="spinner-border spinner-border-sm" role="status">
+                            <span class="sr-only">{"Loading..."}</span>
+                          </div>
+                        },
+                }
+            }
+          </div>
+        }
+    }
+}
diff --git a/app/src/components/reset_password_step2.rs b/app/src/components/reset_password_step2.rs
index 5a75cc2..0519e87 100644
--- a/app/src/components/reset_password_step2.rs
+++ b/app/src/components/reset_password_step2.rs
@@ -1,5 +1,8 @@
 use crate::{
-    components::router::{AppRoute, Link},
+    components::{
+        password_field::PasswordField,
+        router::{AppRoute, Link},
+    },
     infra::{
         api::HostService,
         common_component::{CommonComponent, CommonComponentParts},
@@ -176,14 +179,12 @@ impl Component for ResetPasswordStep2Form {
                   {"New password*:"}
                 </label>
                 <div class="col-sm-10">
-                  <Field
+                  <PasswordField<FormModel>
                     form={&self.form}
                     field_name="password"
                     class="form-control"
                     class_invalid="is-invalid has-error"
                     class_valid="has-success"
-                    autocomplete="new-password"
-                    input_type="password"
                     oninput={link.callback(|_| Msg::FormUpdate)} />
                   <div class="invalid-feedback">
                     {&self.form.field_message("password")}
diff --git a/app/src/infra/api.rs b/app/src/infra/api.rs
index 50410d3..af7d10e 100644
--- a/app/src/infra/api.rs
+++ b/app/src/infra/api.rs
@@ -1,4 +1,4 @@
-use super::cookies::set_cookie;
+use crate::infra::cookies::set_cookie;
 use anyhow::{anyhow, Context, Result};
 use gloo_net::http::{Method, Request};
 use graphql_client::GraphQLQuery;
@@ -74,6 +74,19 @@ fn set_cookies_from_jwt(response: login::ServerLoginResponse) -> Result<(String,
         .context("Error setting cookie")
 }
 
+#[derive(PartialEq)]
+pub struct PasswordHash(String);
+
+#[derive(PartialEq)]
+pub struct PasswordWasLeaked(pub bool);
+
+pub fn hash_password(password: &str) -> PasswordHash {
+    use sha1::{Digest, Sha1};
+    let mut hasher = Sha1::new();
+    hasher.update(password);
+    PasswordHash(format!("{:X}", hasher.finalize()))
+}
+
 impl HostService {
     pub async fn graphql_query<QueryType>(
         variables: QueryType::Variables,
@@ -194,4 +207,35 @@ impl HostService {
                 != http::StatusCode::NOT_FOUND,
         )
     }
+
+    pub async fn check_password_haveibeenpwned(
+        password_hash: PasswordHash,
+    ) -> Result<(Option<PasswordWasLeaked>, PasswordHash)> {
+        use lldap_auth::password_reset::*;
+        let hash_prefix = &password_hash.0[0..5];
+        match call_server_json_with_error_message::<PasswordHashList, _>(
+            &format!("/auth/password/check/{}", hash_prefix),
+            NO_BODY,
+            "Could not validate token",
+        )
+        .await
+        {
+            Ok(r) => {
+                for PasswordHashCount { hash, count } in r.hashes {
+                    if password_hash.0[5..] == hash && count != 0 {
+                        return Ok((Some(PasswordWasLeaked(true)), password_hash));
+                    }
+                }
+                Ok((Some(PasswordWasLeaked(false)), password_hash))
+            }
+            Err(e) => {
+                if e.to_string().contains("[501]:") {
+                    // Unimplemented, no API key.
+                    Ok((None, password_hash))
+                } else {
+                    Err(e)
+                }
+            }
+        }
+    }
 }
diff --git a/app/static/spinner.gif b/app/static/spinner.gif
deleted file mode 100644
index 9590093e9e6d32e5605452cc6cdffee3df0d0abb..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 45404
zcmeFYWmsEZyY3soy||MC#oeLM21;=#Z7EPnk>Vaac!CCZcMmSbiv%gIh2kyN7Asa<
z3Wxvu?zQ&%aMn53+Mjp6WX_TCJVWNVM&@tc_f%F@l9DzB00F>{q=4b!VH65gS68>Y
zyW7>(H8V345D@V6=~G)<+c$6C@bK^?B_)-Wl~GYq-QC>*0Dy;ggj&yaUO$u9el8*)
z1P1=QNMBPMqG;-7djBo^6b>^rv$Jr6e6X;xag<{{_|(M;u`!op)f3kg(u6&;u(nb0
zcCmQvt)*k;ZD%HJ&ieETL>4XscYrxqxS2xW4)%_&GH^LoQ*);e7Bct8{}c<dLjG07
z%}$P0{+}Np|Frqc$;AR9E+D~gCM+xrk(3q?7MBtg5$A)52nmY|3P}qJ3-JpH%Log}
zhzLRc*N64KH5YSBnOBNR|EsP0GdWgkH#eA!prEIxr+}xZfRl@rps=*Gw4jiPpoj?n
zeGPtBFGn|1IKQJS+ka$Gv~V?Zv4OeSI5|T8$!Pk)$=ywk^}eV79)bhxKhrw83jAw0
z0%lGQf^buqps;|@KSTPDikh1L-&GwP{<F5L+bfIz-QWM$#I8DCFbly~7Oqb2E@l?@
z)!F`O3MTW+#lqCh$wkM>$^JiPQQO+d&B@i;2?lxg>|e76;nFlUvvK^Vko#Xznwm1I
zj;?N|j%F6BigK*?c?4{1%w^=CO9{!#KNk~LkXH~Eel8&`@?1nwOkP4nN=Q;%RQ&mW
z#40+OxjR@my8TD2`Tvd;|8HaeSr87e`<4|gTx>in%#~c693cN1xQxwz-xrbpHsAk>
zHUIDXBKqIP3f^}{@Sn^3UoQ856y2|(e-8h1@!p^O=km93ykGM!_lp~Ncl-C|`s(uH
z{Ot7P_|MVd!T#Rw-JR{N&0jx%Y^<-Xu6+NtytKG5KR5ezX8Oz2<iz;c=*aNU;6VT9
zzTTd0Ojl<|`=_?nmgc6$hL81iwKdgMl@;Y>=+ctnqQZjwyxg4Ztjvt`wA7U3q{M{y
zxY(HJsK|(LR9I+8a8Mu;5#aCV>*MVO_w;agb9HfsIXODm+u7P!TUlC|n|&}fF*bT{
z_|D+1zMk$Io!75kYQNCZ)KFJbRZ&)YuJ}wr9{Ti&oa|#6X(>qwaWPR5VIe^Qem-6v
zZZ1xaN9=5@4<RhfOpFZlbhI?oRFo9t56DPKh=~XZ@bPeQu(80P`z_+(B^EXofE2)Y
zzgqzQ*?0h0cZWl&6&+H$W1sF!xMIw0a;(d%?RPt2d=qXCD{vA*EC5+>h@%Q0{Tn1R
z3?B<Gb`nj=b0J*wq}Od^ug!N3Cc4U>Il)+=PXsAkfeAkAAOWvm+{7Ev?A{^7Wc}Pd
zkzptv-(U@`@YuMAkx`mN@u_JvIEhKn^xX8!><^&4lDL9G)6&YYvU2s}s*heZwK)x~
zOgMx<LOhwK+IlG<5eU@Lrc5{p8W;yTiucq?VS};fm%vyf-GfBy8ykZLVqXjUL;(wn
z2Z!HQB*uQ6{TSNH$`(Joy~F-BhW4ykt>YB_;%<Q3%Y+F7naPS;$K?}-+?WI4gLQ~z
z6#pH^t4b~~8(SnFt=kVN06QU=RrxywY(GR*NkrE}><4*>MmpD<<=+%y*x)dkzm31c
zS%1Co`C>w}M*+5Z6@ZtX0K1~ho$=!|C2JX;N|+@#{1oA1Nx?TxqdU|o>f@nk&^WO8
zJ>pcsaiQ(qQG&g2V@xErKg$<vqIChIjNotN?hhoLk)NaF@JjTP6xYNb^54D7pu-v+
z6a83l!B}#P8V>hLxm~?DQXkUMv!`UL`DITEwB2~$eHCFxhVtr7{QFLHC%w;^K{sF4
z$o11iK0&gUTFCIu;u9m>c%~gOiqAD@#9r#jMgPx{VwDM+&-#a{E0GZWCoA|@>P48G
zJL4-;8e^k7=Q(<UPsp&h$WM5sx`95});%EbF!mZAZZ)<BK7bsyjB{c7(bNPtCQTl-
zzVPNlB&R>d*dxxXB+r?{9G>hW+>^?Rk}Oy5@gq5t>WP}T<WxZM80BreQ7WJ{PNb?;
zQ3wa4sf%$--K9W@j46Z5DJ*XAC?`Xlp*}qQgmB$39W{U@o}w;IX(k0E+(4(K%;q89
z3yzS@%%^8>^HFZ=sXz1Bu~OHA==Jff!=qA6IFenxC-Yonb?F0x-}^yqa95C$C8ZXD
z1T$XoSK(+}hXS>&BpYS|GaPpwPfp%WzEwLx>o2QYNd~s-<q^p0nQiF2lo00bBQ|A4
zZ_Ui@FrwixrZuvn*{HV6WxfrT^l>8PG2&y~q6wz)Yf}Z0c=>Igd<iedCvv&XjEb7p
zXD2)RUEQ6q?J!=K5&23nO6YzkksvP^^!t|AnfNH?2Ym-klEM3CezICvFYyNCXmEx^
z$NBkMOoV(ma7ajCQ0Ot{$drBV#<3~n1Hu`*^-s#aH%sqwE%;>KUbLHkt2I4=8f}m4
z;QO3cJE`;ZlN}x&ZI$?V!;Y^#4&TS}z=1cZdqRY_wwfZ~4}}QK5O$qKWfd(JKwLTO
zr=7>wp7JV>B@RRSL$I+i;*h}mKvR55v}mt+?4ixBLr9E1;-SCjN4kc)b>Z{BEi1fS
z{QBBK%Pu@?N#zjCuPo2+7n}Z~LM?c(39*(8`EPQI6N8VwdoOHZZZChc5UCe7xMEzc
zz-75Yrw0*p5ZT|F4<ajg07Nl}{SN5~nG<0v=Bty~kI_bZKZALh08iOW%JD&n6`2ij
zMUBqcUx_9iIB!nkKjSR>DC7S=le_G$v=E0a|BdPg6kS@sSWAEcFnKsEwKZS{Hsk@3
zzQh%k12Xq9`4xJG$ZGkw$uOP#W2r%D((i!aS}@~Xf_YHR9#<eWoR0APmjdG<D722v
zXnM83lpZFC#ju<|$%w$P0*+isvevd>5JX?r7z|ryy)!GMm*H;yAUy6E`nlRNun*+~
zGN1l{J472)iF|3NkcB8u^8nWqnJ6m1G{eoD$HwkFGOpi+N=fx9;aF_N(2f=`=YH;!
zx^cE+#ETIfMn(yYLmws6Vg7I(wm&C`_B4VQP06hGTk+)~4beSH{z9xE_Nl~Q32z|~
z4z+}#II5c9M{JUGVJx#QAKFw31)AZXpWe8bx03x5I>jD_G9DW@XcsXvVMY`ycheu)
zeHJ<Ws$y_am(rf_izM4!UE5?@uM*QQ@qnAmfLSymb>33){kr<g6p9DySh*hoW<)Rh
zkH{{wRtiKmCSGIe<Eqe{WC!@#;^W6MbHNXJH1j|EId0u$&WLgmwpz2()_(}Wk==j`
z5e(>JC7F^wdaXDj8Tl1oN0%M@7vC?dA?DV2BvCXL>GK_qkYOE~Rz5v7i#NrB1{Edg
zD3;wp)fum1e!$^PKi1duXj_TXa{aM#-R9x1)!wHSCd3u`&n*!38K;%jniU3f!?R5}
z03Z-mVYsO_*S2_C4Ii_6UuZxdBE4FJAg(mQRiE#nKdVJDq0#G$v;8t>b#eT>IyJ5W
zeFkUsX`k(nSVtDdy*=tb4pmw!t1os*hyrpnt85t}7r!K(HP*`U9Z=UUE-q46`9`bQ
zdyc%rSOS2}#MKV28Ii+hXDu~VnXuG~#btkR>*O8(UJwbw;Fp19eV+q1pkU<Ns0TsI
z9C3}=$B~HrjPrVGKn;AZLU;1)NBg0;y?4dP_p6Mrt*xjUf9w&q)5Ye_efJ@MT>B~f
zn{x~h2OoL9v;w}P>6$Wx`EKr-oF&ZVk%t~&Z@pXFHJYbn9)WpYa&?nLp7)lJIeUs?
zOet__K9|f_N5uO`fE(sNSA+<MS}iXT&(jWcyYt6-ej<cy()K(M-j7qhMq&xg4#q|A
z!gZT}j2blBNX%BGG>=-eEz%BIy|hgxtQe}xxE!_C`j{~{`b*-|<rpjm5A=&@Sw^%N
z2p@ON=~df&axKm3P12C_X=hX6TpGAS)^JyF9`zNA_G-#i$xVP-a~nrY9EgKxDCv$u
zsrk^q$^3rulwxiB)jRqZ`C8(oK+~O9i9=K6B;vdV-*%Y0WoGN2gn+Ey+u^Oz&y}u<
z*Q^}d8LHD$_AsA03B9*B$z)yV5zzb?;P?9l^znjwy2r;LKL`6yic4eF9vp4Nd#Gjl
z<#B(B){zb(w-=wNb~`2bm%sgf=_&L5w*+=aDZiup#?n%n)OqK$Tx7t=WAb!ncpZhq
zq3^`2wXUY~76uZS98`9lObgL3S$)LMwYmYp^}^*cI+Db@S#SLg07;GiiD7y8Lx@xw
zSH<X$NM6<|ofLG$bN|mnM#wLy9%j(yPRlNT>E>7Y{y8>$`~*z&a7+6fFlF;CB$4g!
zl%}Q3v@77WI>2P7Bc|u;YvRCUJHO3}C-QT1x9+u>S9oSGT5-qy&loDd?LuImD#GIq
zTg>FJ+~(Sd{r%6;VbFuzaru?Mw^k3ZjCQpSFhGtMmqP)0hj1F;I(Ia<pP>yamgWYB
zT>J9NyBu)Z#Lb$d;1+|v+&%|h$Cj(()uQqfaG9hmzCMdJ1H5yhF7@xMjg!wb?|TsO
zV8_1a#P#dx)pMI>#9>$fa{V34`7r4fe#XI#g!dEd=~92}$^btibK`3+la48tU*{W-
zpWN_w{k<46_C3yJ+2WbMIX0~U-CZ0of=~4PsbK*Z%^+`Oa80ul|7rj~E&`|@Km$bx
z4}ct-1GqLpM1wAU=ZF$q1UZ*0zmPi~+<70@n{Lqg*8s99%#Y>5SrF<f4saGS@!&-H
z@aX&S%?Iw%1QII~pKv%MJOdf5f+Y35>GOgF@W42mKKl}2g?ZNp`oT(RLHu0c3lH$B
zZs6*9Fhd^TmA=<|RInJ-QTotPG|$x#9&D`Qh2{)3+k$DJZK2kI3Mg+oxVJJY_%SV5
zyi_1xBFs%c>^(f}k8%h(9IT^<m0<}mXhGOWp**>~yiwqA8thseJDI~^ZIxiVEns3A
z7};bOl^>p?g37tL3%6E^D5ecBMF-iGghxvOjRqsC^h2ylA}Z#?Q^O)mu_GZuk!>xJ
z)l#}GX_3aXpkT=;lb?}Y))5aekw$N#`nf__^TK>u-h7dYel7)?M86rmh#J?Ab{u@O
zfR2__0nMt!ywFFb(!{Kzqu!ndPjLb<@Tjf%==y^2-}5mIgV7uFI@VmMt*w{?yx7YN
z6nG)_);ccdPc%MV)FVV}5Nj-#cI*t=gZ$F=CteJJS1eIDC&N%Y8C^V`4f{jxgfsp4
zyDbjj+aPX}_$4&xkryjxcmmC3g6LZaNtp*$csvUo8)Yj<$SX!6J#iyHmQN^&XC9>F
z#U#(2B)5H>*hKpXk2~=tcQQ-Mqc@icdf~}f=wyMRr1v%;Ue!d?^dvLYl-D+Pba-I3
zA*5q#3Uml@J($e&Hpv)2<xnz~=`e+q7CZ#^cU%t;Sxp7%r+Jm7PV1%FlqD=ka*5G;
zi<+dJNTx67rP_0+CoZJLq<a%z!o{KKKlH%JArCY;Tmq5-vQGE(e6y|$F2_ffwfepd
zNze336-QV(pMmOH13!7;cZ3IZ(cyP5AbaugKTC%Uq~i_YhmKt0WnE@jlVyLg!D)G$
z?In~je~HW8njJ=#_&ps@oh~O1>Yc2blUkdx6^?I>3fsNRIo#%W@GlO+{}%@d0I&g*
zfJ?yt9|u(*_#WJ0@?iHI6gybtGGs54JBfBvt1_sWuk;w%^X^)$g=+|8PHZ)Jk2!u?
zIc)LOs#!X?X!oBuxV}Rm1A~G?Lc>tu5s^{RF|l#+35iL`DXD4c8JStxIk|cH1%*Y$
zC8g-H@`}o;>YCcR`i~8bP0cN>ZJ*jZI=e94J-vOO`v(SxhDS!n#wRAHzD&=2ot>Ls
zSX^5E_I+h_ZGGd%&tIEc+dI3z_x2ACkNzB=oSvOuTwYz@{Jp&cfC(5?YV*2-@F;i;
z2W#_t!^qgwvQ+8{K1b4u+Aa^)6%NEgWS&JZs@4|`C33wkHyo-j9!V848_rVwSTdF=
z<+`&x^s#gz7aBysq}G6*DpX12c|Y7xHeIS+cpLtIf|a7OU0e6l*+P!zt<oPqXfKmF
zP^5EMX;4#xb{oNXcbUYb@DgWEtO&P8IerSkIi**HFC8>oW<(rZzj5)Fa}Nj!WeM~N
zi;SWPHxG_Zh>SJ#O-u_w#-^s{cqG5e&MmUa3@<D$r+Y&5R2nN^wM-0z)m&GhNZ3vY
z>}Ur{)_;@)0a}It4Q-;Bi3y3)z)^vrxfa0tG4bljmG;IyxvzYK^IL%B@zuQ^k&Pc>
z_fxwogtvDkT6gr5`xNy3%F`*hGw5)gJH8HT0(HmMyOEg}$bU*l!lb0L7R}m1JAHRT
z#@7wm=#A!<-C6pju%<xEfnA`O@3Io<zo8UUOC`EGN-nNv`4TOv*qd_-xutwCV@a6$
zTpl9VI%6{J#1~2CUWfQTWB#&2tHmH5TgT3L%7SV)pY5#)zrr~FNWQs&z5VkRzY)7V
z{MHEl<>#rX+$+|+<J5G%Rkdrq9XBZejZgvJ{vr0q-)mEAW+QooIG1i{|A59=x!%2U
z))BM)QmJtcYN5*8dRJRDtd)O(1+ED){)sbnxo1aO{(OPj!K>vrEWj>vmD^h?eBC^D
zF4_OD1oGExopCftTkyHctopOr>W7z<6dunBU(}pm-jH=DXO%kj+?wxSczLqi1@y@c
z<gfw!C+RI$A6y^;9zQ}c!aSw%a*+>Gl(Rf>4N$<~3)R7Hf9A7uLtECS0n>1r;n{qw
zOD`yEBs5#aFoIS)j4nFB^aAPgnQQBPkn9s{vv*PkLT2%Em-E0l6-p`=OF@zCLDvIR
zJUh0!fofo4mIHnv;>}+&1Q16fDG0t{Q<jhO{);vg2p+ZBM9AlrZRX%W5Mb0^cp00S
z)V$4BzG4Q9BR8sG+e*^p1K9>Pp@?p=SD2-3=__fm9qtVL8Gv=nyMFwj67*tvFDTca
z9#eRzXxm*xMdVEbfH%eMRJ*QE?$lV1V=P}IJIjhZZw|{Vi7^s{yLW_zvk`?=o)$LI
z_4A9h)*q{$Fz7W<Ov-e}37gmnlnU98R8{!(0IIRHhl7x1+-Y`BK=H~?)y?fg1ceG)
zFSWN#Qe)sXt>7OO2c7)wy9t&jS{{cTVzq5Ty?htf(DrIWsDnXkg3wVnm2taJ7dsR8
zp42gGMb98bs(pQDP5m#{V(njQrUtVqfa5`t311O{UT;c3U!REyX8iS|E6fCR8qzSt
z#n8x5mSv7P(cyy1iL`BNbsVO@X?7Q%4L3g&eue!4fS7wZomV}76}rf7ZaUuBy(pJ_
zD6ve@>_GNSbgAn5o5elhFS8sW?Z8!`O(Ds(<&-M<DJ?mhzPn#cBKvU`amv-t0Ew?j
zDu1$g>jrI#gg~KN6r7A$pyJHiiZv#a+i0NVGS%0W+7-ek5}U<NAv~uw?KRx)fg8o6
ze!Xf)oph~#v=&A(cJEM;9qN7ZWsXXROohL?qhtB8{Nsz|^&F(yvy+bV%d-NY+;!Kl
z>e%T{{9r-c6Hz_P=%L(=yLx~<{Qk)o28u&+2&y4mt>0gj1K$$3Cqkgv>}lmEji!Fo
zCrKOZ59CP-A|9L*uH|^A-~-dh-jLor!+tYZ`hfleP;e%R6ROfH7SHM<t%FVa#`@XQ
z7NM{XTO|VGK?Nm99f0{H_}tb?_QemO`#TBN>j-!l`JGxV&qMoyhX`~>58ssA2R<yi
zpyqULCBf)`LskaY!sl(yM<f<Sv3slfsMVub27IZF&leYAlco<O+>7XN2=OI39wodh
zI?PCAhYadI_(LZ2xF`hFTCFayZjxa>#ilnHeWm#doP6_HZq^$8+8aYtlsU*Gdc+{J
zz#UpWS}fo>G-7o1Cly0fA{0h9@`3(1ZBU~`B$ZB`RQxcV*bpL?%ROdeaGWu(*pJT`
zf^hUc&Riubl^ReTck!ME?7I?W<6y=;+K#giqe^8rRVO@T^0ZimN}rq$P52AAu$>a2
zp}1<=3+{O@ZZ*&f*F&G$0eN|3(Oio7^^*|>4R={NGa)#ShNoi2DN;#W&??GTnsxA#
zA})(kuo(19ictd(cl5TZ@amTg0k@RgxH7Fr-oVVOnOx%MLt0@3Q#rRM=wCPZFH?E6
z3t3Og)<)5sX=-1+3?M-5u^q|ci129L(~3Q}a^3vlud0<4l_q~zuxe#yD^rq#t)Exu
zFL}>2tFcy_Gy)X1BXo+_8_T_a^1cdci~o4*j<zjEn8d2-BbYtVyd9VdYP;8IPdrMQ
ziz?L@TqZ{PlfW5FHl{MWZ(}_m4TA0(Hk!M@8J?NyHlg3P*ctkyhx=JAdmIYq!%NGo
zdChIa)iC7s(uzci80njB!2ZzkPnqU>tn{mPD^&lstu~k4J6i40Jo0Vd`~1@?aSeRn
z@sQr5)%MN5RoYCL?`Pj#)9|1*zMDRz=Zno9kZg0`&5@Op{<BU%C#M!u@c1pgR9rb3
z6hULJ{g?Tod%LeMkn=ZU@sD*E*%KjduF<ud65L+8Cx^~-`6eW<;Q%l-A?lg$YQTDT
zpOE8WnBM3IVk=O;6v@vQwxb&lSU>~N+YJ)0Wit&*z#ufGE+Tx?oQ;ich+0WiGF`)*
zrpvVTg;IUYQ+YEUE7~T@!9R((kd|j|3nO%A!D$~W&EHVcj%jutWqfS^`Sb#RT&Jm?
zDMoga&*y>+e)cEydi0k_=EF&&+2gxN{4q;aEWnhtE_N>6-ycs4fnUOBu>oBCmJe}(
z(;B)b4{Jxa+0TJ9`TH0zQp^rGtC;{-8w$3Rv%_|S0Ez^}qY7_ABnvY>KdFX-3^eUO
zh|144Xh~G%7TNI|U(N9uv4bKs9n5g$7v@VEtAO+N5C(6Y$(SbG(D!>Tk@VOLTIZE=
zal4K$TE-NmTw5-$CtQ{?zshJgw~-#Ic^(+}9h1~0A2=M~4M10}aOA`PYMQE#Kvv0S
zMY|6i4rw5=YmhXtUK&0u)YFzs*0hTb2bi;;69d-X_ZB~|zpz*asd;*`%fW#$TWl`G
zSE^>{kgy|VvS7<NCrr9S^$y}1;R>0Rc+vLdMKv<JB6IuIku<^?;&z$y4)k2`0w-ns
zv}luYL2IH3UrgY1@Jrs#cE=UCzS^A#(y{x#<^tH0<A{!g{A6ebE}HHGo0cAfVWjOK
zq9>khk>4aO0uC15SD)cubS&f0w6BVqT)35*Ouwo@4lukx4(KiIC6Kmv^X5AEmjVvP
zW_>Z2B%q0aTTp(k>~Garhj4Tj&L0x7&Bq5<AC#Y*!D3-+HZ=~^eC<o+%BTChlh+^2
zAV3W16C6~HJ&nneQ_;bWy!Vs7A1Iz&y_fupjW+hB$@3p~0gLa3fA{l!%5q~!(}j)E
z^1G}t0TzdP5<)s|?g$%LHt7yM4pZGUmHl^dzyo3a-ndp`hXH4t_TUybdT78sP4YoK
z-g<yxP5vCK2!{KAW@{v+2?Cc3yg6Vh4YgpLM>5m8K0v#@Qx5c)Bai;YD?1y&auL7?
z@Dqf)GD49JR$wd>TPWs(<SIfs%w5jfl?f6gi9iBM0tn}gcie+z;BM+tLC4C0ta#u}
z&X7(QtE3_@e@oEYEg<_mKnCi;*G%$b*5A)FlnD@AG#ApN6KdHK%n}#6@)O}P=&ODa
zmc1GLEhJ1I9mWC;OV&f(r3RCsP(CVw%ND4x`Jjh+s8CK+t73REEiywN=qsh+H1EfX
z2}*(Ag&Rs~WX*>^kOJl7Y4}TlAW{f+D5|R=qEaQ24H52!8yT(Q=CT!$u%+IT7AANR
z{?Q6CsL%R2E%ML`RFkG&IPc352Oypd8fgi^L5FC3i5kcA=fp&sma0#0dB<EJyY)d$
zQmWsrqXbc)^)0srYo<Cl=p&y0v6O%B)}y_P=&4lDQH$%P3jN=$n5s0;lnUD^3UrPa
z189xmdliR+9{^5|`k}}EbIWU!HY^Smw=~E`z8#Ah00G~+P_<G%l#aic2a%~l=q};>
zlW}({3D?#S^#(yA(g}Q*@ysrXye1JjgMP#FiLgPx?H16ZGAD*@+UKnS%B`Rup34cM
z@)3e@iTRw#2xY%zDaIK*ur8f9uCg!Rp9B#aFw`qfFfJ)<AS#CwY|IVUe~U<NPM(!d
zQKA7mar>Csz@LK>Nzaq`^HLf^<L&1Vh}OhE){i{4eM7^e#aG?jT2--{ljJ?q1ju4P
zCB;i|CDet1-L`_dDAR>tDQzl732~_~n$!|6Y&5=S1vh@tWmL@&UKL%yN7YPqmGovC
z9Aryo<Yav3C2k{rP`4LeseV?7P*y>Bmi1&t`B0V?B4cs^&-gNH8sARUGkOj$V=f*4
z(bw!%x}0`O;6FOrzxj~>KnOSi?EPPUglPRA@}pX|T4VXw3jL3^--a72=4woOBbe;?
zLH~29@|M1P{jTjE(REJ!RagrDVag${L)9vS_g{X0@VZBIhAL_e0Ux^cI<GP2lIgvc
ztWbZe&5N7i>e=f%7I)uQh>%d4AiuCkL}2(+P*g%dOzgYFG<b5XVS0{TX81i*(gWp`
zW%7dxB|spen)qVHQk>=%SwhJQ-zpJcEm3b@ZG#N3b+`p6(c#f0RMR)}`Qw1t(8!Xk
zTZ+mQ|Mb@%y>s(Igv-lgq7zPQd_RwW-9zQY{>sxMo}QDR9t(CzQWg;1!IzU~N2Dg=
zX5e$mQ5v@Vv=B~unMw{JRssi#yVf_$rR<^o(KF*-d=JQtLA2D3ChX4Sj~bIXXBrK0
z6Mq!bNHDFNx4M2)rxE@*N+}QF!sN3@)QbXUHouUGXZHunfQoc1aNn^fyPQ7Lt+Hs<
zy5M<L`G&?SyL@lhBlBH?jdUMzxr-xijk{CG8(|4GBVwP+D=MH=ZF@8C<oNEVG;m<Q
zJ#Haa)(@f3l7yj`)$KshrNOw@>`KxZ4WU>i#kLaNbXf$G`DG7a{H%u}J!LO`a13Nt
zI~j7@9>12mv2=cr8cX<{F-!5-b|PB6G$wWJv}z$=Jy+|K%=AHTkKI#&Wna9Ls;^x!
z@7>OP&RJlRv4T%~;eXh;^vLh<-}w$02hdIG>EMHI#d>VH9;zs~eOcI)56a0;%?aMU
zv}E$Xe<ZmUOb|+m2w^n2$O~mtIyFW>YyrlRkCLRO!dcNMsz|Yz!(1SjW!?rZA++UX
ztavA0PaHEXH)R5Q49yR0jZhSGl4?w|c@(vj>I72X5|EjMgsCD^UxaKIq|jtYcSqS;
zw!X)GV~OC9(_Rb2<lrqQ^v1sK+_pr{A-PEbC~_#EAapnmkQ=A47(*-(s#u!onGysB
z1Gsj!OS4IU=0!#O(%VFo%rskIcZ0lqD`|h8ib?>Mux(jO4*j!YiehVyEKy47-P+vS
z@ZCC}SK_^C18ZDtcd1uDIiSiM5A3Q6qDv6Jn^MOPH*l(60r)iLQV0>%!pp;ZbzAiq
zJNXF@tIcGpWV@OIiOLG6Puu_=b`-s3<kyb#o~!QgtLlnM!h=_ek5K94xRl+L(|L|P
zOMmPXa@7o06N9MQBPc&p&h7B`)7rKF%3|J-bR-~*)2JU3$&32a!!5MLhx5dg%vp^m
z5`q{Nd1rq-#(OhR)BfJSnZZ<XM8maBd5Q6)+ui^c{Ale)gJ|ZZx`W$S-9pTf^USM5
z%{kUzlpgcqaeiXs>|*Vji|bDk<QwvZPdsLD0wA7W-NNE*-}7)509O*G&OB#cKbC=i
zg$F?1|Fm7IL*C7SD*j$9NgB#}_2`+IG>b6W=YRhCTrINIDBEAljiiubzc36*R49Y@
z;Hg~gZ$)LtpshyUQT_Kdk;$2O!eEwDGCZ1Cmp{~uozo==77VVx$6qtTyS}hFT<Xp6
z*1TzY=K12!IbX2gt?~0@ftc6PB6<E(x_qlo`a{_26K`O3Lk%*u9oG+t5b~(+w=HjE
zupb5CRa{0Ev{*sy>S}QM-a*Q)HifT*Oc@KfSHL_fwd2AMgXn`Pae3o{U+b??VbRjl
zZz=ZpgdY+RXqZ;lns(8r?1mZ-=992BDkxpl8q&Cd2;B7*pD|7uaIgoFg|(Cxny~u4
zNTMS9DfIc_op)g1TMbs)Hgq?~4lqiYvXCxi>xo8QeDKQ~Fx`?=I3Kx5WI~$R5!oOP
z->i1Dx5>tji<VGH57IaU8T$gB4bHP+ftaGn4c15U3bG`M2@<`*R{)ctWG)fY3^!(W
zIcXWCY9JiUIK>(NGkoHq3#4K>kMoA>qh5kYVlIrGa-)GdX-XlrUhR>f&k(<;04Ob@
z-ooO<I`;VkLO`L;&xM=dM0^gl^xn}DiRPiP|6t0^z}WeDR{x)hOo3QrpR^iX10&as
z3VzW|c(;87jE|N+UXz~CcHjd7i2q^A$w2y(JUphYoSa?+h$s(07L8WqRGW%0IJqmJ
z%|>I$;wEFfPYNMFi2)*NUlKA-idX<;YI?)35Y@xXY;t89R%+8glcHj&F>ZxuFQSaA
zlTvnU3?QL&x`19h&lOnyDphTY2zG+j9^=+aQ+rcF@B;L5%vRkvW2D@h3QYqq*B#h-
zS?#@EVO?ByzyY0Y@^<60iRM+~U7c-XrmS`u<5l8^0X|*5$+N5~G{SxNlJMrVHr7B@
z1Ak;5bVya_FJ4T+u%zFsFk1~T{%ykV^S0Si_oJ7ez10xCzGk3Ajh)4=^?=OR>3%Bk
zhxdCg)id$uN>0nkQC0Tt89Gb4?f{0#J;%3gv@5R~!M(}07E#yJz#?66&z+{Df>*C$
zhDd#cz}S8vh-bFcTkq5A-+hk(2BTB~vBy|(ThAW08HLsBbsYND_<rMEIa_Qlm|!aP
zKOb4Sy*lp#kkle@HCET}?^*D)YN>G7wQ-3s-C$I$6h+)BfgZfO0cIU6Il30+KivbV
z7IHX-B1kgRdM}Azqx33GUI73-oH0j2Z#B%Y5?TADe!<eX3^(X~SO=gnwPrpu8?0s*
zWD3MCaj&zoSsz~l(zNT7kV`DgPg@6G=F}(kn*HQGhxb`<)uj|iy=#PD4x4ZUg$}g;
z9L`!8vB3dnF36?|bhQpT-}Yo|%37e8FGmwqL~<JqEnnSSj-?@v?((jqVxDzf4u;Mj
z7tm=EJbt`5<b@NI#;Ixb!tiS9>93P4!m6+rE0_HRImfITew!MSB42%Rf{Wk2|6yiN
zKWo4&!ffqlsS*I1bG7_K11H`hVT1w)m71b+4^42TmKK=5Bl3`%+ahF3Bc0XI`sNM?
zE}FH4Rg&gvQHYH#ZaUFir%Mwz%--?Sy9EU<Xv^kbdmbmua_gBwTkdb9N7wbY-O%pH
zZA}<19I*1$qo*_b1{iR6{Y{z{-n}j7NSws5CgRxB6HOEt=3@wyO1tQjM;t*O=dH`k
zOQp!K9>#uJ!WpBM?%4A?OxT=XZF(gg{e03T)pH3)Bo}UEf0tvHG!5P4C6U7M-9I9Q
zd;)4aAwcclka@9&STvk%uFi-Pvc$YijTaJMMe`8oOt~FMYSULjtsNrkzkQNvjl-H`
zXJIwhzu}VC^ZaDTjT1{)PMft;#*?R5xq#p9x!yP=ap(Q&-}d}DrN)%W;P}%3V2GX!
zF8SSo{o~tX+AW_S-QQFR%$Zgkl#$Cd*`U6;4j|W+?3N%DF-0MZjV$fnv8f8gg59pD
zr~duTZ{p)^ti7weB1Pzbx8LysdeK`0J=*RFwApxkd2NZ@r8w}#hprsa#$B9bXJ3(K
z8O^l4XeLY}Jt9o{dmTN1x#-;k`ED$~?BkHVZjENW>+fYb_%^_Etmh<X;<!Cvn;{9h
z9&m^}4*=kKfwurCbH79hI6uZ#xYp0T6nMLdcu9jGCqs@?gEvbpBx-$#QjvsQ9*kQ^
zZ!2e3T1|R{zXZ%$tTu3{3COe+2%!yRRRKr#yXQ%O>1jQH%|XobL2T@S)cSsfXPi5h
zU@4S6BO;gt9ZU)dJeLG#r?@og2E9hR>0Sirw*XkByhQTM$yKl_QW3mDAvUE!0vAXo
zi1##SkY<9}PZ~*F4<ji+*k6e-?XZw1v`86<O;0HC^Fg=Z3xFA3Ks1-rgO;!*EEJLp
z6`dCHbjvvMUID&9t)zw%VS;Zh!c(R0!qP7Q9{Rq2zlICYfb#JC%B({lph8(BLdv#K
zf%AY?u5d6a3~xPxWx(}QT4aVbYMnib*($1z%eSA)e`7AV*F1txFN!TMWUVO5LlQK`
z<<rlFc)%5H8yIP96`jNxIB#zGS|9Z7!fQnzb!-*syzaBBACsmJ>XZryN3qYSM4jt{
z=Fysq7fuIUz`ZRvc584VTJwiB2zLRF?-d13(*!U0hFQfBxr9!mf*zDb-r>QwXgR4a
zUAPY8yyoJ`rTza%v9b+0aM>h~qCl5Y{z(^%e+Oe|y+FWl_LG)CuI+gA7HQF7EaN|d
zrN`6sgpDwE{!3RLSdt+64%8rp;4Nb&zD$x12US@6V5G=2(}NaMleuaW$z785FXMRt
z(bIFRr?e^7Wgym;*rKE42v6jPR=TyphsNnizdcgTRFl111BC#|ZWkahS4?#s!gnFn
zsTK6D)dQtUPnd@EPX`^(v9h(MMbRaJnv>YRBxZ4fgQZa-LVoev^x(4e%%LE>?g+Ua
zukzLm)xnTL+(&uaE_K|QdMe;}&x{G@OifR><RMTTcS4OmxNs;^h|_fuD{DkIsP}CE
z7H2B9ZgliE!TYz_ZK|P*UU)<4ncwKJR_Jm<gmQjd;vNj7Z@#siYR$2%joc5<aitAA
zO2>88&ka}&JPCi43y;g0Y|gz|$X&tB1M=kc=;ej2=2|M};qln1e9a@H&$lK2FK~(n
zU<4cjrvERTLd5^)aB9<q_kX~ktf=m5{Oo&~xEd5%^o0ycpF6olfiyHo1eSS>xIZeN
zvja@=-`izj`uDo#*pB$MW(`HzpZ4zYgXwi|^|$`PAv_4AerROWL%DF5=!8TXc$}_T
zQbtm2s;+rveq>6HzI*}NKf72pudK$cs5rg0kr7|ErCPG0@{_oZriM?`^Cz-{L+z+=
zV5vAEA?ei2%x9T_p+#AVj^ZvMyssNygXYARwwG50>T?=IaEN}K5E5;QF6=B#tW~Q2
z)~7`)A2N3`U6YT)JckyD0?ERe%;UB5iJWpk<p@0I50Md6cY-2>SO?exDCRc^qU{6Y
z3R+I-5{<e9i%;?1jGcI7iK`lvZMNlh+pjjlbC?2Bq#!fv%2{4&%<^iJ=vTxVnIsOI
ze~Kf$bcTetJWro#S1mcV%?z<tPSmqaIu_4=9Z+sQA?k5wm;5%}sQY}is##BQ#m)SM
zNjoJi)<pLPJM}G0YL6f^ZoUK|t94*LoZR@ndTAcKIhacvrsP3a&RE8Q$w^7cIIwjT
zQ+3K>s&aE6Xm&2dEb}=VE|dlg5a)cVa3XFm<TmzSYGIqRGl_)DE-kx}bw5hfC)$<{
z-OA|-s;;K>p&er@5EQC0Qh;4i4RZFp080NjIrW0w>zZe+oH)p7MVeLkd2*gH1dF6-
zHE^ctR~|A=e-7zODKcni*cOfXX7k-0?|WFNDHmSAt-K{GzEucLf$PyxKOm4vB5mD(
zUO{p#lG$KO1qEq9(IB8Xr~(8JPkuHI`Ja>`e3@5DMK({h-sZ<?{MpiXTeq=cNM({m
z54b9=KPtf&)>V3&sDHu167xZK2$}Ac#G#d9hr?}_4ilMT!)7!}#^kp^WUL=|^IrjS
zT*Rn<+Dr36FvV#i+68109_3slS1n#vc`tOe(ZocC!<h2Q5*~nq0%Uc&GHh}3m#L?b
z7jv3~{^CweB>{q+xPdwo0~8OA*v09KZ{WJ~7RSotshu&(2&$VWx3hZGW)N5M&dt#T
z(=e05`<ocoq+(w|U00#}rH>l-v+|#_4EAY4=!%*`lBP`K=HNdIfi-8;S>;vN<&k^}
zw_20-TJ%~O%Y+*QcCc>HOdPCdO^i?eeR0krsFj96<99z}GtADI7TTr+{j=r+>UcEg
zD>BSolgBqggRsvY<W_liJV`f!5FI8gt*tktjcePr?@iD?n$%hGbsO*XVnmNlIT(P3
zbc_ufi1b*hzBuqpZl4xPltW$T-!QyyT8OBd6XmrV7+F}1c}pZYRhu9uIsP`R<YB0<
zx@_79lRJKio*)XNo-YcI{JKG7gEvQa_8Fd&EgP|OagIOSVryMr2ay~bY}&tIT-nSs
z8<im}O5Ni$U>18wMBbCM?Tz>4ipghLa>oBOr6n_&sEhpO7Wlh2voff%zfdC=Eq24%
zvotklzeiT67h9h&bRIGHJ6K`GuMu=O7I~47I&?zJc1GEV{kq2ZPciZ-@a_WiC4!{$
zIV~yrML?Gf4NcGaQ$Orlj%N@P@%=fLwR`1-K<pV<lA|jkkCa1rAr4#6x>~OT>CG^z
zTYdH*#F}=<k7a`ye_`&aWYHv&NkvDXWfGs$4H_znrHgY3d&Wo|WFpVEhC89HXciJl
zf}3S}%`w&Y;p>NBRU&F^d}I&L9qSI2%4h-g>$T5X9iT}0c1og0FZ%@}6r!ruSELtF
z1Y)e(F%(B1m_AGO$x2MQBtj8Pg{A%Vln>$(@HUw2&`AOjr18;Yi`dsKG&s7X2~lJ}
zn6MA~^lqGDzww&;_2CY$y?iAX)9{T!v-SB;Aq$w5+j4OVno++*A^zITJRt^`5Tw1A
zWCvQMI+tvE^47#Sy9i9S!38kT;(pnXfd?{tE~t?{nPw?Hn}2V40zh#8Q`gKm&f3x_
zl~K(@{1;u*yD3pYXDj$ga_xlf;c@OQ5t<YrqaBd4LyfC~R-hT443#;_CyU;CR@w^y
z0aouBbPTN|d9Q2UGbsHdgy^GxGwAZYeO*8ek<xZjEEN4O2F)0z1YjK^K-$C8IcIJn
zAWWHNnA%JMeIr2Vr0kwSzjO#e(Mr+fI;8}FbK!ft>>DmaU735kY%=;@nbRHc{#p+`
zt+3YIRTsWzP@Xs3RBtK_r|ESGTTZKG-weOq9M&tFC96U3ml<8F>6cNz20bRO{J<nL
z-y@TPrqQo7r<0)o|30lt3n{}UfBbfcC$BzrtkRlo>Fv;MUwwh*o&m4+;*f-HV}aan
zuz}rTZZLIIFgBT$O{88i9-uiL8_)?S)c*)NuXAtYbv`gi*^p@}|8VzS;O)7~yG;)&
zK)pqkTg`C0oz7gF(q~89rjeN$eadztssr4?>*+;4K;afPua+w2dr7%6GuB0w|MAGm
z->c>>z-<iztYPxE$tC-qK?7+<S8*O+bd$x@;?ir=u5rOjk2KKAIWh>4TT3tYpn&wA
z*MuYWY9E)DbJ+7JP4eE4v_t^s2rJ)p;FgP~K#UbXEp&squ%&lxv`*Hv4nTL^G5{Xr
zjtP;S&||zD;(l`IM1uL@J^Nr-fB%r)?zM$a0cgbJ3<l(yu^=z(88r2;PbhtDNfX%v
zu!;GY#QEhH<7+s@^BC8xX5ToOC22~~q-z$Eh~}xNG^H1{+g;XN7Wp$48A_OLLyp6;
zwKC!5Xo9X=F8|*xZF7Suu!;bm)cc=0Sb(uyoMV7KAO0)Pg`u*PlW3Z?omah}uXW>p
z(zsvRz3c4(w2X@<B`%|kt{17hsm~Ji-s73Ee4+)ZG}Xt-+KEbCe_^ynG&NW4O(;F=
z2g4BH9yx%eD**5%=Pc^k`!KuB7VvV6WOFoZ$2s--`%mU`YMQ)#dC@kaeSgoUpPDcS
zQhC5xe{;{!Hz26!(+am`;{%YRC7kAFT?Ts5BkAu%D#f^N`b)Hp%h4j+h;c*81ll8A
z4Z}rwgST)lYmK$A66QpUsiiK5oH2iL9_OiuO#JC`zcX?54ux*YGy?&;-;YDWAdB*0
zE{&$zCmbwH+mCDHr~RH-;rGezsHC(ImRD~)Fp=A3<f?C(d$M1qj@W*u*MjOK@t}&7
z#WoM%#2?RbBSvTKA!s}o*O<?JNxy+*t9>G-{DRsKX0Uvfud!2@FNRtCK~n;<BbtZK
zpK~w%m~md?vkG1kQ0DzXdwSt8R$q=~LPsN5pu~!?pf82XAS@NX9l@HTS*PVadOXA?
zA;6bHM-IEG%MaVF=K7fI`+2>xeAF(<71g{U_K=_yj@E?l%)ugP!l?t?w-0O^$-<$u
zl0U<bLGDZ5fhIRECiF~h{R{6F`SqV(^CMt)=Y=`(JTw7>%B~z3r%g%lMQXs6q!SIs
z@0JFRbpZgiz>Wt%NF3*LJv+f#1kpT#RNrew4+xY(UYvnWQ*9p%f~rGZA7PM8*1)wh
zB!VWeL^<&M7vM7usFud={eV^$HCVtJMz@L(;d11@0IY5L2*uk?r6T<~zyxH$o}oZt
z{or+_AaU!UpSpfrP(YcIKhI&XC?tdd8vGm{tbz_%QvyFmTS;qMibFzPtAyybc<Ac`
zTT4T&(?A#r8^v>bC~YvKNvKFmm~Bg_cpSXk!;@#rQUV&vs2!pU4=YIsuJQzDpPN(Y
zxy0gyTj+-=%>$WBLZndOY}~sKEVDtvt6IdX4$`aP43O~WD&ec8p;U128HPt1kI-f7
z-qwZm*>VrV3;l@|S%()v0*w^1jwG3l>_kO%a{;~3A;WO3et1-#el!&f)r>Nky9m#t
zjixXO&nPt+zW~;A1udq97^p<`pG2?fhpkJ+jJ9ZPqGASHV&HI;A)eMDZLF?TECnWd
z=OlJsKkSMt@CU6YzVxGWJW$sK0wf*R)DkK9Ar4nM{84S3vy~Ppe*C09s1P0UcPlPX
zAGCdeBz_xNq@u-wpRi^PN-qtepo7rTg<rx!j0<kx<~b#$Q4ilD9xu4wqoyDoi2D-p
zyfvx_9Wi{A2&KDA<Pu7fJCD&$kN=nk+A0Zq;+4Qf7JsXkNCQp&)6AjF4N~0>Q1=2>
zDo1~CNq)&4%L|R;*bd~2OWAKup&<j94>_y4q_6=}_Bm6QtRkcIX<-XM_=2DJg1_y2
znp%9CGhH12WD5IyqJ&K<e{I?*Zo1h*0tah)qF1Q#R4Rd0yv16wXL_OlGy?5Km9Y&9
zT<{BS1(u{c)!=6m;(@cud~)8VQJ~UK>oSFeGDr0?n^Xg#3R!}anPumhv?l4DxY^A4
z0U{<@ZDCnM_<kg?G*r5;=xWw?PB7tQssSixjxI@9C?SM1i%G#-43Yz(&CSq@unc#v
zPRn^k7o79MI`{p8=h0Ax7@5OFYSc!NuRS^^9PTZw@3_cq>XsHwwqrvelb-;|MJi`g
z^I*@Xdy}^18%*YJ;1?u73XW9^q7OaYx01LPu?Oc1Xbi$M@d_ig!^G$dL*Ru{I{~8Q
zg^{aSayx~QaXzDZ2@1owBsB0ok0PsCXN{{OZ8fd`>fglzZ~!g<^ZyrdA<+Lh;{MCO
z`)~a<`rniKKYKa!mYy_0_G$3HUJk_xb{V2%zNcN`$w~pQFZZTsHG?i-HC*F6yvx|$
zYwUZ$%6OBnQE*}JNxQ#gz`-4Y$Il-b68bR6_};}!s}uglHaaoPDo!1qlyPt4)yvEa
z$j-q_&o6aI$tgis(dla?h!<8!6E-)K5>_ic!M`^}OE#p|ivV%%P0`Nn5}n;sU1P%K
zsg**&!I9;mamg=hn2$wiVoTq)=U4dG_woDr`{IuHx6g-mfAbvdiynucR6)aPma6^s
zuEH}-i4!oC*lesCXrbjg7qy*Y6{rwva}dSdOPv!M@M>Ndr!2K1-IrdK1VN3nDR@DW
znlJzJPQw<kS(&}$QQc@daB<vv!S@T_g9eC7!NZuI-|MbuRE%b_T*y^7dd6A6eDSRe
zE3Z~HTW4rtXn`rlLw_vcd8B-mn3vk#(4J+o05;g8uugpKjGZvkC-qX3L4O|84yJH@
zH`;O(OBHf`@)MH2WHJ1bKS1dr^|&Fa^UuKQWjJi1Tt$ZWom@}F`?-f|UD6%MLVKr%
z=crrk2NK&W?Ln_=tEkU$zgZ`kL6;X={}A;mCl1<MePsJFXGhvR4)o4Q8f*+Z$K2Sd
zZ9ICF`ToU+cKl=Ac0H&-_HFRltN3$*J6~4qx%7ZjVj3263uIUxyZ|2#^n`730t3jO
zSj&5`uhOW7k=Sy9OdfQG#)sULakBal7=2#F?fl#H0iQ7xy2fxdl=?MFV*xiXOcQQp
z@`3J8i)rLU$2>4V=}iAa0%st?G*OJTl^yvrMCB*yi3fn4qFuPv0w2KqXf4{arO52H
zS%$Wmmzrg*rMBXa0&EcOkFrf5&#?9{El>fz67DmOP%xNiHBi0a1$*sgq4)Y>368OU
zLUEL&5E-H%OTgse)40%#Qet)kC8J`sS}_aaaE~1x@G}$-Z?5>wC3)6MN1;-+=P3|G
z1!g^=x3Z5J`Ye?eFC&+(%a1_euA*DX2b}YHd>FT$IxhmCDXc3AZkWR1MG$|bUgCWE
zf+Nxb`%^hPxMfXE9o+bn+{aOE{#9O;QpoVvUEITd2L4J>DFdfQA&uevHj0MbDZ(xS
zz9SIUh{<6$UbD%rN;UWOTJUzO(9s~(0OF|oT){fMt<_-icNYVetV@enmahomrP}JW
zXIeSrcvNh{<ajJl|B^;Y)+bY;51Q!vds1<?;g4I9#wJYuiPK`kH1;z;m*L<D-Pi#&
zlUj_Eklx|(>=cf6{g6?BU*J5LqhM;GKD$<8Nq&y8c`W#?QsOuI)ogu$3C;NVtmKWH
zTQc&k<TOs`LGl^cM^K>Vj+o|gj7y-0*J{ce+?cr5U)`O58#Z0o$nW=hxTm<}ok+CI
z<TJN%?~WdEt7ktShr+J*F!XhgS6Pz0DM?a-pt4KR%q-%#41}TJLrLI`>|{AZ{-=|^
z9y~OO-aGM|vj`7T><ipaeZmj+GGcH0cGQpLuIoLtr+$)oHBjMfX69zk!k*s9^EmIV
zu@E-Ile}<-AdV|mXbG$_a^WOGPuBuVCB!KeZ8Q;Jup)NkDKQy=MxaaHDjr2M9$rE0
z10FF5A)#px+~z}YLB<-3ZCcywRkBy5tEQ#ec)ct;s$pIid1TyY#B4FP6zc8R59Cc1
zwfUSQ(3pJCz-mv)oiG6p+j0S|JtyWft#*{**7~4z?-Mac`RJpb4_X+j&zpY2vci4(
zOyQ*uCmzO=G$(G@-cl=e;)_TbU7IlzEtCx82Rb`sU^WefKdKnz8AK5E_3^z;1zG+f
zo1&-T^f@Mc()u#7N@0deZ)jMz?N4%TR572Gs`?dU{EHZoG=a;$5u;xsFFyUS5DMVd
zFgg43l#&7gpsm%gka?XxdP4;)7}8MW|CljpUm{VMu4(n^b-D(-d=4da+(jbqU$i?n
zbnoI#%<3l~5r6P}!h7*!#`);Ii??jTjsWxc;NLD@Y+rJ!$seWvqFsaI+$-LD#g%6Y
z{^jRg2FX9PtA-$EL=-@X%O3L+P(?Z3yLf+=atTAeq_j0;;btqU-7Bs>)iWR#zcQ_7
z!&Hg0C#9TwTi70IIuSYKWR&3YS1)B|3S^S=*t1bDQq{hOeAfZJ7%PW{i+nBj7SE-T
zD%Blm8_)7Rtt4zj=-<x+ya}rc_SNe3((o+0o~;^QRcf%kIGe?nSK(Dvj(xGH_YsG>
z+VzpW?p_-yhM5|z=LglIy4LBh@2!h1wlRMs^mdrMu{8bE7DskhXEIc`EHjzi#@+U9
zS&nWQ^Lq#NcMRmCohkWcRS5fMYD>-Esf$}Re>;K~-xbgTa=RLB{VuR3e(|gpPTsjY
zy5*{W+xd0UHk&Nqp0A#DDwGJAAi8()s(=5JA=$o4?8rYi^8KvsyyGzX-o?8+>|B8T
z66?a4k7^Qedr!LrX?Oq}4Frgk7O)e|9&k6ZdQ0s|4gx@toEmE&mRE{|j<uoS-vs!2
z7rhj-g2^O#Yvk9dy`_M<2=3o}i{|rvkNjZ}+S+ycAWwC{(7N!~_GS#maAE1$x^Rnj
zT;R#YAZw>qT!`TZ%Gc|I%1T0kDWgA_oIu0+T0(kgLko%lHzK8ek(7YnMC6{Aqr?~W
zw0)z$j9=o6!E{Aw2r$27rb9+xXZ0LAqgMQdpb4+0KZ%#4Rw67tqsUOvJ1)F$o9scX
zQ%H|L?6RX<633v)IO>xeUQO$#V9<2>>`96A`z?l0nJ-m&Vr8F+{vY<v@-3={Z`W&P
zU>F+d29X##B}8xlr9liDBt$~G8-^Zw=q~B*MjS#)Km?SbbVM2i1f&f1+|T>&V?X=j
ze)iY*k63FR*ZN)Obv{x>Ud=OazOC64vU-^H^<$H5Q`sZ&J>7V*1^-NU5EQW`PK|{~
z9eC%FI}=zA`7baqA|Vwz-yI;FBn0q(rCrB+dW)HvkcNWbX$sonrR|Ciy;uZb?fGk!
zFxxtNfc%B+vgOKph+EIO!gmlA=ri!ehln2GD!#mIv#!{hfQMd*w(%`qQJ{r1>4h5Q
z&9COs($KQiqu^h^pkS2j@I5itxJIK1J&a7#Z3;}1Br6eD%tep9o<~~k1&$XXHR7#p
zL)?}Bm7`Lr<M}oF5f#<SrXqXzgy+;T85M3zlyU(10C9?n=Uh~`aHq%&*{yH{b{}nF
znuri*EtHsL>&Ac&YI-Mi53!%%*zP1PH<zYE(=}!Q37MSsZK-7dUUFQ*z%xFbUyys~
zgKon8>BC~R-a|BBFBB~5M;)~AoksN+*?Rw18n^r(+de^rTn__2JV733bl%-0H-ik{
zV<7|suSdlJ<g6O|Aw41(^ED)F@QK-p818o{T{39#FmRK$NnuBv%42m%o)Cn&dt`yT
z5(xYQ36N3j5f}5>P$~R19U4N?<Z`^zi#%B%3Ok!K4?0u}`SvwbhBWA&<4LFG)(+9Y
z*1{q3`rzZ|Kj@f1TEOqesIxF4G~YH<NH18Nm-4roa|Iu0l?WL`6hc_#%=N^Lqzg<|
zh0na9ds!gbix50I$^b_SB0^dXB(;ek&F4r8WcavDcyJbougZC>6AZJrlL8zifQY#Y
zkd#q`v|ofo(@T~vWR7YOr=Blmc7&vC<clm{ne0eDH?M?fPj<BZr5zZt?WPQmdLrwu
zdLf*U329V=a8?D=<KfV35U*d@?WPD0+bB^t+c%KN8?pf|T``ru5hhiFMz%2nd^XzZ
zU<)iLcsnN4FI)y0#dl8d)Ca|V<Ru1=NZyLxG>DS5w5d@AsOeGsM`qm81hG}usNijo
z3@TO%@w`2nUUw`sqytsc6?a&UuLH-oZ==4qM~~RKKY~Ydh<P!Lq3VYLJR(|s0jeDf
zH1&v^sEXAwif&C0rW}jo>PndOi_pVr&M+npGJ-qcTK(|AzRGw`su)7J))!dPV_ERG
z3r!3Ao7>q*KgKl2U=btPiL>h7GTRB1vq@K#iGRo9Yi$yLtD$ljla9t>Yq`;QP?X#O
zo%uAWc+}}996St<$)p9wjlfLCXa*R10+e!-D)nYl${v<i^a77;g5dl~D_CA$|5O4E
z-+3%|b5{rnQ#5sK8Xq=|r#e}HDvhf<Rn<Brp)yJ}C-of8MS66d0-s5j@DJyXrN1o)
zerlXSc#+y>6}vD7HkC`{!zO-B$uRLxgCC{;1x4CwfS)@g)9!G<s)L^~rI2-lkySUn
zFXKh1vN(%Vr}@&Gwo^H(GWn^}nO~*r5kZjS8Pn&PZ6C4{ViF5uvSVY@K}_LEu{k+R
zA%ZO-sSe;|e($ep*<MOH_k6P)F4Kg8TuJL7Nxj^gGePMwx$&TY%p7nVagP21cMX$|
z_)K0uzsGa1cO7wR;W+ras#nTzc5gR$SdL3vM$^&HM^>z$;>6`Z)grVz|8qCd5>ufW
z{^D9qxanW`7+ttaOc=~q@O>P5%@@_hRJ5Iwb#_T)4HGH4?1mm<i=xCLe-alPBO(X_
zV6=Y4!ev2*)x~BrE@+ut3KAHjYzcipiSxgoULp8i@FsBbKe?1s?f)y6{&z2UZ~Q+w
z#`2DTID!3hjIE*SE0ee(b*D(L)Jj7~x)jgs-mVX5TyFA9PzrcY+!Da1TDo}T_hJ8R
z;?U3JPXQh>4YY%XMn-XZg=twvCnVCKVhxhglF%u{5$U;+=2@wE#r~No@g)^63ktO>
z>sY-M@5+_N=E%UHP*^93wEjMf2+!;i$y67Xi}$>n>;d)54bKjai?oJ)6z-l{>70>P
zn44P^TnJnjSYBQIBDr=rAUT@VE(Y4W`1xJv>(QL#=5Db{SR)P-%=LR9?Z(X10QD}J
zhsxN)uf0-Yn<;V42y4YS<h4-$lZxFr(quxV3Mzl`=Ng=6dTUQ&!#Bp#M8yZtIjOv{
zA=2fqXR^1gP^h~(J13VQ`xz@)3ucA%wq?nRTZM70nVvO7W%}O2Z<mzzq!KoIUXs2`
zs)JS9#y4}uISZSXyL=hpiI#q#BK2Hrr8i#274>>}vqo4gJLhX1DylqVqWnioZL-q+
z%zT$-i+7(T_*R6nET=JCm=-$n950fdt;b{?3Aydi*>auV3g6nvwm)}p;10CF9SGW*
zp-&WrpiYMgz7U9=$V$7*`?sN@l}T1z#NS*xTxX^WB2TD$-vnKof4=Lm7Sj}yy=oNn
zi*!p3sV4a+?DW@xF`x2vfIikv$wQwBW=VL-#`A?}U6|3*<`$JYp&N|1yf~5;LudGs
z(gVR^#p0o^6v1xPbwBnx=VC7KW>r<BAzPTit9Y7XJc8Qyc8ooV<}u6)#bh%!mx$0T
zE`>_u&MQS~K)V-+?$(^sr9ax`!TDACi>;ZfhY#jZXg$+=K}XqM1rf<saz}#QMyipN
zvVK)`K@3vFX{a~t8W1ok0rFjOpX`r{e3Z1<7WoT<;w^!O-$p9naEg~Z#jnZ2wktd~
zH>WdScy$kCIbAYEfHI!d)KuSg+kKf|IEXZ@qs#ZVDr@_QMAX!rF<1CELTiCSVJU%u
z(rrfmG<ML@?%s7x0*Rn-^UW|5!4&HG>{_xZ#l7#v(&~aD^@5D?LTRZK8~dI8(SiqE
zV%Tc^6l^LpeQiknyN1S#7Psx*qn?@V(yHol%9>xiE3VxDMEijFMWLf@kqBpg)1cJv
zWjD-*h(?p^vPa3`+xH@MgCp>JE4gU;^~kUmcyp8BxKv&r^#s4+yOvTOeHC|->;!Gk
zai(wiCz^RTOdmscLikQ+-rEYOfK|WMwGbUIt+(=pE#{?9$t#k3&(|9`-yTkRq-81n
z?1Xj|>(=WiJw2ZpWwhFxQu^K8@;Q~%ik_Cv(2A->FpKs0K{IHQFv>w3r}7Qq_c7X6
z<^@r=SvK#r755~WKTb|h;d1e&O+B7aVtadzOb*p;!O5T$?@W}gIzYZTht2ftaWja^
z?-=DpsZ__HrUD!PjQ^IO@Rq!IdR)x|v+5j8BMT;N5xsWVpv<1mqR=nz3jF!ynP}}9
zMWE#zmBgZq;^pt$dyuQ0-dB1jlKTozutyeTYG<dU1{>>ygnxup?iTKG^sXCL0&%3F
zqb911xgUk<m>!089Yu_=j`1JdUJGXAriCOnDN%4uFfcsjB>1YQOfwQo#~=9x)(jvR
zL<DF_VI`f~ACxI_m1DlYd_cLgrF3_l3YBSMbt@XBs5gA%DVYwT2_+)owng(k;WmT3
zGD2`)r}D&m3R<%!p_F)(Aqi1)1WYf+n5A42;vf21A7+0W@zqZW`d(eymhX30vgbi^
z!*MCAAJM2Qa2#2JF0FaxHD>jP$|am^`lfO7NF-e<zYFa*4r{;hdzxBlkucicmZ$WD
zaFR#GHj!}scBDElF{76?iKrh){_)arX4k(#rl&x@?Ssi<AxjXMIvz3|pR~Pmk~5RQ
zE5U>SKas}eV*gJec=;*9&E9{~<G+uw_;~6S4dnj|GOezfY&$8uz{k^M4IK(rWFbHf
zN4(8pfbO3Z!xZfA<=w&`V`=kU#O;;wg<x-y(`zs#KAtvf=oLN17lLowLF>9dq)O8Y
zQj=F}^2LGDdY%?n=MzB2x@U6_=D?y;{D|Px$9ed<HrbEWdS7=w6fyrSRAQ@n+`afH
zj`e5tp7!qJ%7Ceg14xb0gUYAXJx^;pA}Wldb`84kJZ<c_RcFN}XzXqBv@Nb3>{#&9
zboJ$Yye?;hN@De`?W<2DXxc`Rw<H#cxgbpcd>u?2W9huq7|QHZiYixs$YA=Y*96y?
zOlNPSBw;+kHQ#bEUZ)~CXZ(KmiR7ztJ2y?or7F$X?7;4u-mf&4mzFv@qDU%SeBUj9
zzB=o~;33nPcrb|85};rNG>H)aXnr<}^x6&SRjFk@PJ#g5^&NPJ#hUE~81_s=jewi9
zmY;!fz1xJ1q78wjp!HPHPGX~%vC`*d3CrHH^u`cUOOjvGG;d^g8$vc5<F2lJb40i>
zNCwttI;^s}q~V9*d}Jh$d$PU7FA|Y_cX1>ZjJXFdbV0J(Yf$;Mp>}e2TUzZkYRADr
z_+Qs(ed<;EPV8_Z(mmn2*1E_EJ3=!ee#@)x+x3;rFruRw9b>k>{P;egq1zIZm%qm3
z$^|@1l7Lq^S?qVLjT&!?fs_X}MDo`9tTH8X-tAiuRT{sm<dn#Ju@4h_lQUS4KFQD7
zSy9GbPD7q~z)$<O_OC!wNS7bi+462HV1Sbh%n1PWQ=l{YJ8yl_Zm%?c+f%Um0>w~o
zkIP??>XPU4sRyS}nA?uP(AW2Qx{bwxM>~4Ucjjy8!4SQvy(e3DAdxQK$wSC>BS}9j
zV^@2NO2NuanC0y2Bp)IZXH!kPu(u=6jv6JK_FW=!=Vg&TZKbcB$@Ey}9#y$_5Rti1
z_$@C}*vpV>D;xxb7I$xj*cKH4d)^OyKQRE9-Y;wi0W2#M^e~?ikPyNBU-JF1P7LOY
z@F62=8TXAsslPOKpPBa8*KOf*=u3qkFJd@9emcOs75}`4;tTpVz28NqNa3+-uma(U
z>6{d_TmfJF-cmdV-icr9f(?eua-Q`oO}!yKB45v6tA+N=hxLO3C>54OMv;SyeVz<L
ztG(vF=X1TmC&b!+_U|oVCK{(5X;|5Iq%V5B-u(@04$M2Se=onfFzvGm=G@N+2_(OI
zy;C8%bntlu`T3;qnE3P$?roI+x7W{3Kz9uZP<*{>49PxZLde79qTjFtU1v;b@#ZTA
z(6}VW?v&@>eJ-Lu-&&``97yt@l$F0=My|)CeTs*S=s(|#n|@N}{Uz9w4ubi8`9&gz
zJGW;D-X0D99Vp6rKGGjV48#03CE~bhTDUqbtq-P7@SXlB3i|4tA3)>v<r5dt^`f0Z
zh(j;#x0&ueVpewB>y5*|f9kgaj@7(34MO`=1DQu(eD4IiZiaFL$l?kRMAn<x66wqU
zDPwppjR}>GMrIR*^~i)Fh}?Q@!zRl^Zz4lEI*>wCFStg*R9G*7Gu)vPWMGGsLR!O7
zK{C>QoU$HLerBwe;e19A%8rOi2Ag0{FqkN;kUp}955!|1zM&RG5);Ya6k>D{28`M3
zVL|uD%w&qgB{suEsVp90!L_47&(tF(&i(J(N4pR`*I*#jxd@k_ieLw#9N-|Uv2am0
zi(k=n;@B8UAnI=?VAU1%=v7SMMHIVR#7`o#s0&aK3>?30>Npn2i9~UVML}VJew9{|
zeJtAV+SO{zG;b{6rdup$G3x#piu!R}#db8;QA`hAgdZHq1qXxBu`3&qHNJ72oUwC6
zfEJ@A6%0j>i!Eh{?{ACCQ3E%?!NvAS4;W_~Hcn|9Ne?8HT}1p+OW=nkb+sj~Fh=qs
z<GY{6^57Ddi4r^KBhBr>AJxGli~(bQTH<4<b0e?gY@S(^9~?;LaZCJ}mB`GSz;~1k
zXha&XC6O;C@&oa_@OYQ7q<Qru9&~a^7I#k-n1U&p{=!#QIr*>?4D|=IU;33YvN9Wk
zC99GIEt3EVw9hE`mOom0k$qf0SwJI22$Mw0m87JRCU_K2B^QtIPv_cBOkw<u{vMXv
zH=0l|mcq}Ou`v+LzXO&ZPvz~3f2EW$cL5eOPNPSq(0<5x7MsD3M00d=-W!j@^Pz%A
zPT%-4>%!9X46|JLS$<Y#)rn`xIk<=BfQ5<uSqB3Q<iI|1=~q<=&+Sl$e%Yu?zwmL^
zC^^r}oD8R|ocSMK?0o5x=<L)_*(>7iGDjIA08mT>knme~oTbSfWixK)ra_&DH?q{b
z^O7*R{fk5$O!>iLX;SL>NeG}IHs8HC|Mhr&C@z1LxFGr{e}0EZK_+Zr9QL}aAi4>F
zz;ZupK#%zfziAY{iOJpShC-VB_AagM&r=WOicXD-&Kw~Begvfkh=BLN+5d!1PMQBC
zY&!i%w@>z%*%O6-!es?=Y<&Pvn<grjdtKrejOwa0<M6a;?mx7t@7w3C0Xp{`Y4*GF
zGu<BkLz@=jX;bz`L7M;2rr{ClF$poTad#6_LzB^IS$-LD+4)Yn5d|fzBxU7gaz#OM
z#C7%FukKg0l*?56$TV~l!`zx=6<P;wcevc{8LjJ=9+<3@9Jcow8=H7PHT52?Avw4D
zQEcI>#EkXI>f9HRuM6Ln;>EYNb_Dm<a0dv9AD>V7f9{_jxw|(fTfCvU25M+z#k7<n
zh%~r|&%#&e8T;7T9T~-k@5c#W3!Pb&xHFF?aVUnDjUGMFu;F{;qc`qUf(RF_9;a1m
z<t0t=HCeyg;d%d|)jiWx)|y)UGE__IXS0Fyswc^MIvQ^~+g{ezK5V^nQYjU+U}otb
zSN_1KX0dgAw#K{`Tt!RgX8bn2)=Jnk@`VoT*mAt6K@WVNT3HF(bpK5(B#qMyD-L_}
zoJW)W1J=W+8M&%^uz%TveJv>y!)d<cWk3_xnPIugOdvL_svlTv_DkHQut$F8AehO+
z<pZZ5%{3Xb>@lVP4I$C6OIgDkk&hl8nyx-~BOmIllnS|&k3L$1ct3Rb9DaN{SrQQ1
z4^jyF`9`h1^62m1mEXbNWx}q5|4!X63^^^x%JL!f@U=t|KSSVT$e&`7RC~@;%kr$+
zj4F!yaLcbKx-}$I1f>(qI+#5*5($F!G2TkZAXZvSr2llx2^CPCwR+ZtVf==^KcY^M
zr2edHGKv0l%raDhmY*jDip{o39kM~G2MWIu+sL}V>9&!rnKZ;rsM`W#h~wP{Z|3PQ
zAvW`E3;C6DnaH3v>8@uEHsqeOOc9xMxL74syB|B1MIKNA`v*SEyU((?gkJ6xNyygl
zm)S|QF_e#+2k?{UX4XvSq#hI15WR}id|93M_kI;YPyK{aZGAt9W1Y8mz-pOWH>$Q)
za=*v15tzMlB<v{UTfc59ReZkR9DDgPHaxZh_}<i`>-e&Ls=JaL8er=<*f9g%6>gvB
zsTG3Xg)Z~<41IzP^~?>@9}pg;2GZv--qjLq-d!Vg>}`yCl#r{Up%#vTSiE$tfVS>2
z>#&(|o9T1k@2k(IWBJ7~Vq`V?<0U&K3*XpH(|q@bK#`jSjK4C_<{c43B{hZi2Q$eA
zU0i-^nEZ)Z>JZ!Sl^PJu7a^%e=8!U#Zo=;sUJXWf|2WTIla<`4HB|c*^(l!uSZ7j%
z6$zJ6cckjTzCg28Ew;**bm+45k#{nAykAv<a0$4L#QofPZO<N@R-N!Q;cv=CMw8fI
z+d03xNjC7*2>#gX4Ox%W%k+FVT`u0D82-3z9^J<Q3F!~RuXt+T-|E@T@wJir9?g)^
z#r<;Y;OUpXy(xypu7$o9E9IfTo_m(<bwLyFqJm=cAeAwVTifie!Ts2UWgLXdS6N};
zO9bU@zHc(mLI^!c4z#W;8X7_CJKVqz^yE9y0hB~ZIey|Fk3JHqW5CQuNZ9El7|_GR
zkeD#4pkjhs>I1|kP2r4vI6_hY`DxPLJO0%TVgQGv&OM5RYnPB1jt$b+xB;YM+JLP+
zl6m?lT6VI8!gp+l{kSO_T6`16h#TZ${((~W!T_`3NC5Z|tC#SKwo?7AfQdND`5h8S
z9eXQs?cpA)Tk@4|RDDFk<O9Cy^@?F(OqD+T5wEUPDeIQH8hP7~BtNOIEVqui?p*yy
z)+a;I^NAtvGPfkU5tMN;5Dzmx!=cfqYwTMe?yH(mqtCby+%h@CNoL1sp>2qpavGWp
z5}aJ_1myzb_F<2EQlkhE8v=IzZw>m7Gx-uWlpbrmd#3y$vun6q<kx_f1v5?dK+uNR
z)+6obXOGjz`(6MxJKA<8mhm6F%K2&?CY2O9^UCvW?g)%e8AC0tO9||_Up&?|(WQax
zCfI;{W+#0F9;2D`p5OfepN>G!6~^B$g`Rdllzzs80$x|1i8Ud^8=8yYmv+h<sP~lU
znd=g@Nc%_O>MDEzv?Uzm{OW1~v#F`4WjE=zVT@ysDSFz<#e%D~pKH$LETxCB(juHu
z_g@#T9ah#s1Vkfu=Zcv>dJ${mY14`MiaS56^%7r#8884CKTejk{+#2r90r`;gtqj?
z+?~4t)QI5f?A{6(Zft!7b^WY&quX0+iu=@4;SF*WM)Q81Sm+-dY(Ns${Y7CH29Iyk
zhUo~IFg592FrGELu?g<eY8lr^`^Y&*3E8k=h<gk&TXt>&Mz^(=#zW59-dSPnHENBg
zb=TUO%rP%E2A7t4K7tON?mJn%L-rj+Ms~E<>+&=&uO7dMA84<KWICV-Xni}ouUE&x
z26<+mD6(!$2fH{i^``9xbVj5e)%jTME$aaby#wAD{#g0XThkFu+d2)7i_4$aRAp#E
zDAyoSE9BKn-;RVC(Ev8|$0Iy=nvJbRzJ3?m!fw?2wfrF5QQkuPu3z8z&xlCA$t4oc
zwZWzD-#H}SS#7*LZC@k&;jkc2M3`mNy|9V^7%@mP`L7RJgc}K-l37V>8^(%Oi22DN
z0N7)<F;ycZkSPQ}#f*WC+lV-SGh-HCt05)nIx{)WC1}9qJ8~Nr3bG~}=Df>EodaZg
zHLEEbL)fq}uW<ZrVDnCdKkS8KYvB~@bMhwtUUP&?zQ!KFJ-0ZG+AO}NNblQHo$Gqf
zgutX<=VJwa`_0s62obsEZr`CqOiFOJma38Os6Wh|^&vbWZ%Wu13de;NbezPR&#XU^
zHvtGYF$s^%jb+{-X6i$nswvqV@3Y*2f~wl<SrnY^o%FOQySX=A_L$w!?!=-Be-a`Y
z!(RlN68s77u=WJ@9o~4q<HGn<dM1X|fN`rwP(-U>v6Jhe|7T{S)-J+82xlHk!~Pi}
z<zu3~-V@6(ps8k%fdVP_y!i9kC&~VT*M~h<R|FKl&z<=iKt?ou(<k(ZK?YrqTHY0B
zs$|)s`u(st(NEC7g+3(@F+0f-i(hFuF=JZOC(j=OAb!Kk(udbLT%1KdLCtNM9xb#*
z-tr=jbiI3?E~KiMlx+cy{n_t;{$U^}j@$9+sT}A(sm@{r3_7kp>g%~T5cMwccXeP7
zgFw*q)qU>sOUS&4SAG^^Me3-h;t}pgcOVnQcT|38dG*}1mYLweb?b6#-zhEG%F#1+
zpEWvHkERpz4OSvh4IhWio9Fl$Y}@TkxrazA$(|q7c9&lkwIL3qj0eJq*I8DmFrcpR
zWa@9wunGs5K(8Arp6t3|hyhk*^bRSH6!!c-?=K7$zPEgT2le7jIHBMp=(KM!wCrAR
z>ib_;=b2%~dyWANQcvG}f2ed)aL@HP%i`+^{q3vwcOlo;9z}%aS<hw`f~RF1&wNAc
zvs8a|dPq{aD136=DR<6f2>HPf{HD^6hA-$$HHf#^yN`#Uj@}S*6e^(SmtE<|fbylW
z3*P1fxU<3R>c(_%NC#iIWEc2$jQ^qxh{!LLwKDAUNEqDhrT1F`KumK-3Q+a~pHv1y
z#v=IbeOR-cNVjd|x4|QwAx8So4RDq!R3X&%VK7uEyIzzEAAyQKEto0<Y6ns<3K=Gf
zeAf}V_dGoM9ONn+JiKM2kMh>^_Rk&-WJkx;jfQ#HJ9-&$>TCs}8KRzyh6(uvhoBIa
z_%T~p&`mc~StddU72u2wOoDqWSB2`U#}dM?!C9y<F3V`$Gruos5z)R8bm%w%S#YlG
zOQ=nZrwq6a9(9W<wrMMzfFRzJFTRyAZe9)CIpzf6_U%yvzrH|m0||*)wjkP&hy~Ph
zd;QohUt4TqeRK5md8|Zq0?$GsVl)mYi`Qj{F78SsHUihdfd*MNB+7rp5A*>Z$A^EU
z`0nj*d)>E7+Vlm_V|~-GoLIjoI4l_l2mOV+Z+uJ0K96K;N*-7Dx>0TS<w>lu8k+PR
zO?8<_?vWhLmulUW2-k=sHR1$0cnTm>wyMA<7vV`(sn&cbjvcgMQ%aBzhv=odAZHrk
zxR0Vk)Q(cZccWwm;#3=K8h7_K8<Z-2*EVITDpd%RnmUFKDoK~#N{ZM{U%`Uac5Ie!
zgupdG_nA`LKE*66WneeKj+f~|M~T}0bZ(0dx8PaUOvyIg$iXgF|3wE;v8?C(Su9N1
z!{XU3P)PJnR_J25?+$I@c6M-1COtYS)jrKIEMUwhN1Q4pJBLEH+U3$dwwNh570#Z}
z9Vl^>UFrZLibdrU)34ckw#Vk)<%e`K=AGcY3>L$xnINs>3Fn|RNgz*3FW>$Xry8T9
zrV(U912R71t0kSH3bm#5g3K91bTd7)Ml$dpoI6`D$g?2$-{Vhz+Dm2TJ^qL`x-5*r
zj}BiF;qzsHThT@AQ=&&Q(Z?M{NJ}8tKNr{~v?d1DjEgOS<bmp9%b6m@?cz`%m0Y02
z(lTkwp(La!`MSE~j46t3w**=2`S{%Bfd7>x&gLe+HGJun$ki*cxc@7(65*G37l57r
z39Xz`|IeXSN`>G*U{l#O=YEm=OXc#Uuh^qnofY5KP17*fY{WVVKKd>|vDD-@`6FOp
zz0Jf?y79}=^JTWiWxH|zpVNnpr_XdlA|g4F=Jru>@pNV}fe9(`$>yn<k^bqLS@}UZ
zxyl8v+={hJE7_FDYn9~64P;@&#6(1`u&M_{wSBK^V<j8&q}$p@M#H;h?)6WV3=F=P
zfQ^3qI3Yc?^jfMYS8D##TKhOwbaHumW^nb}!KT>GF*!!$bGqNb)se`_vBWw1IK0Bu
zOfH1a=W?01{y|%`Fv+ews)?W{s^6O6ZrP)?{y6xxSVcsY^{wJ0_R+6k2W6X{0G`qT
z^=elhEozaug0!7*P91j{t@RZs&D$Zid-~9~a!>OV3WZX8TD#}<o_IehX+XbhszJpY
zvdGTIMGERQat&T_84s2fqHJp)-8WTr7VWsTG9Al&&b->@<L}JlIB56fRj3S{EI}sn
zv$QECi`HGPCLFEWJI#g%#>3XViTCbSL|991O<M@Z3+u=>I?QVevpBO2x>;avVV*q@
z%9V!A^|`z1y<U3dO4;#^<bCa(wzY3;NYP|A?6AG)C!O~NpG*8rx8p24-`8Ks%Tv#e
zKIzorYDKNvek?U)yBiTWy0&2`a>(?X5chK@Yv9`MrJUVB@T(0zPRka#O^aJQ!d)EC
zDGJZ?!l|Q+O`kw@k(@*~Y-O#yUmIgVL1wX7`e2@ZkFT}@9m5s^l#0k#PsJPTjbk_{
zP&c(8w0J|13e}cUGQ-LR&5af(!$^ppD$@&)oFCCz#LZbtL|Us?ETFGK#<`LGh`K2u
zgW1fG7<Er~ZX?f4QDZY-PXaxaa28g%o_gDjc&msQX$&cdyd#DnXQ80W%|(|jR*;5(
zNvc4yC}ViZ(`iea+?nqhb7U!+0y}st^<_;CbBRAFmBxm+x~eI_A)>tESr39Nc5}Eo
zmcDC3xvDwoj(vSQJ2Pb=otWkWXkozm`ZY0>K=8Xz`m`Q^XH$2S8$@nyqT(4Z;*{Iw
zGPNM}*iQn8dt;9|6FS#&0jKU)v*?4@6e~R$H3$7I=6&3gTCT4pae<A^0!~YUUG!3W
zA4t|Iv=6(XUuvC6grq0kT9T7Ee~i)^1~nF_en%<sqr6$eF&smh5D*tjf_N0)lfh-%
z_W@My?@mdslqaEfFK<j;fBp8&YUX&wqg}F?RH~z@VYCGLrQ=bNjht(-)O(q`=FR<u
zDOCfkAWZ}CJJZns$mFwc@oq35!V843zK!sJm5*tY=aRw}fLK;amQA<wP^mJ51)eB0
zQ#e6F4torAoQJ-07T0%`DSmOQzy5X(1qStHWfQbFvO@FyDRezUc9!G#b5-K*WQqLP
zQAw}4)1gdR=}7T4C@z0L*zv=~_X_2HP-mYPHtmqrh@!8~#!0uYx^Pc1`B;+9rt{?e
zmt)o4xwP@C@%s-zMXRyC$^L9ZF%P%in)vdMWVIP${+#?w`_cI;Dm7u^59Zw$=CaXy
z5*rOPKzaf21p^$>9nli^t$_EM-hh)dXm{g35?mq>q)Ev)m}oyj|KKn??p)!fEH`gD
z*$q@Z;EHs6{FQ4-<~1cfIQsK*4Wd|IV#bha0Ujq)N=f+8BN%6p%CLo<z_u(4wQ_9N
z;>{U~E*MT+M^>qCftUx*!F+8{M-wFY%CIb3<eM=#YKG<!J@Lk{K!<ihx-oK6HARtp
zvkLr-`>Dt-3@)o1lfW<>-S%6ykeZ8IFSu`wO@<R6u{qU6>R@0pgvJAr<J9cQGG3YS
zaovF9v|_Ri2#l&sE%!LRO1oU(pSCWPIHak>2C&t5XEHqtbky;Pcxt>eUz*M8+vnlY
zz^NPlv$-o(!F1iib0zoBIkZBmQbXruG)8Y6e-3TW$+k84XLHw1R@fi(*agp~I+a7V
z*L2+f+1y=0%FSuK56GPr{2qyK>&oeP=wb?ic02tGjhS%e)&P3AErOv($B1jVm?{bm
zWz_uO4CTSIsT+LCd}8n80_HPh#_d$qNOVa7Tq)eSTxII!<J6v~x%BGQ+J@t)SxarX
zmT4Gm-++nS&!?3$lRFUFi6=Q%v{mX4kb3bGbEUjLE0uW!o+#j}@rra+^xNA{1(|1S
z|DJ+PAM8AMef8Kw^L8Cz&Z}&qX%Jxx)RWcksx04`C4&JCptpSHw|3tX=hHTxmT3WJ
zCNup8K-0Fib}_8?A=PiX=25e1L&iPbA(vvnF3Jhr^<*5t9k&*e3)`y+ntVt-Yb(##
zuy^O5_|$_}xg^#**=ga=p`Re6m^$=tqEy0*Oi<=WZrg}5(@D)UTCyW29(k4(R=V@<
zx7P{>JoHT~yFSvcq+r0Svv%1GzR>gOrxPzRX7$+mjP?tms2@?U`bm#rLxOr^z|gyA
zH(sCj7oZP=KC%G&ywQE<!LEE~T9%tW;uz2-fj8+S?n;Dc0G8Rnar(~k@0m;-RrC=L
z+|25)bSKx+R8zF@hp*J3nIeg_?$M%F)->`LyaEQ|@up^L##iUm;s(u;zc5zJ?+yEY
zkGUtveR$4sosIUPI!0GI+AzQAqR~uhHu<)^P9JzSLYvT%^q?6h(0egt{HY~D?U9Wr
zN6roFq-MQXCtE=aKPrc3$L!1dn~KB!@7OpoXfA$2s2BnuGm?aEJG~Ioy7|_Zz4`hs
z2!T|U&jp^a58|b1NZ{gZHr$1v#5}=<h5OD>N(H_-{%8BK$`TBUX{!-m4byPx8I(@?
zTzO-1ixj;yU-4O-%wWpVK<4mcle83tZN0t!+7&k7lTu?=!44@Pk2T`-30J@XHn&U{
zge=cm?xB%(GF@|g=(AuIb6v+<d7Y9oXDuIIgA4-$-?*}ak#EgEn>ZqX&HfJZ`6;Ix
zUHE;Z)opTRZP$Y&&M%)R2Fm`hf;CU_7H$EueV$avaF*XV*h5(&0*w2;Kr>*f0W-Al
zy;<U(DehCth3EIFu$OkMi!2wdqjm>&Nol6wTVH%I+!UYDtw@l-g7CYO>)#&P%Nd*M
z*B4Na&yGHZNn7t8$dQGMl+kqcZFegM%yzQB)RJUdI}Q)v2`&WRXShpfB-29(Zu;4A
zEeEmKYM(RY^=T<ZY+!9|mfYDKI(rpn-HGH${(g6^?nL5-r+>|!PoI+ttsH6`2I34~
zg9)<xCZwo3*W@r4br!%3+VvM9tK#LChT`SJ>ATG_BH@Hy{qrf%;O!KOi`id2$Da*?
zUl}L=SdeFiBo`@6IpS3=cz27f^j*?T;mxTh%jZdjz57x3PW00HPsOlp$Hr7!jEFZM
zK2<7ym&E;Cdmnt{_4zMJE(ati)B-ZVaJ?+)_Gi3^<Il5C`RD>l@byCI_1|NeAT7h7
zenNrlEeE+Xi7%r8q+-EqzMelB{A6OlRcg=W#B3$qy!(AaDXEYjM?nNeNZiqjJAl>i
zg}|8w4|XF@{0<VUk$)DEO~T1DK3VVqQLrduC?ytj)84nM(?SsrnLIa>YeLds!vtkR
zS@c3W&clV>v>w?x7-H-Ragic!5&de;8h(-ZNhK9ahg~}g=8FJ>s)+f~D9V|L)^=o{
z3`nCYQkWs!9;NYo%n$DuB<~9Mtcq@W8~tYsX@?Dcwr%1)=BI>;48XeG+&1}36zrKD
zZHf(uhie*L1aKWiCu5@svSX<qqXO-sXpynEFfm2zG4({(sKL?L8;rii**7z={xRFp
zDY9{CSd9w5xLEag0&E=kI4;2uY?~d&(-i04sgbxHm=6cNf+h5JY4msb@=_(VW+hCh
z$HlM5I*i8CH6=`{BfqsH4P@en@Ftnl1P6wAdUOoCIv!O`6!(Z9f+wxohv1DYaL&Y%
z(Igl3Bqoo9#>!+_zT^)^@eO{Cnc3hKd+*<HPOOoaZxwi#5eY0N5%6;!F(!4R(4^Ju
zn<(#X{1}-(_@IhiHQV{79D1sXgU#4W7#TO1?Mye$23_>0(E#1x554V>#$U}Yc^NN^
zMhhSk<SG;Oe*|+ddGh%upJE^IZ-YU&)XR%qu(F)T6)4zB7L4cyYmKK}!yv}h8Rcr}
zS}9Sznd$tNfv>Ut){7v#xFsyhT(R3xkJw*ME+EV|qhP?#aXizODg7<{rh<cuw_HFl
zaf)^&7lj7oLOm-k$J39WwKUr8_DrTQBEy#!_%vew%OG1!!{gg+?qcHzZnrdf6omBL
zl+4#u1d&s-NL0pzsvn2N@AyVA<vkS3N^r=F!{qib5%n$RxgqmHiSna3^Ixgu3$}%i
z8RyILJH6wFj%awkH-<^b1UkzWI3A@xiY<uOD@ZZSTOlU=ykke;mj2bha66}Pw;KHK
z$4^243M>LY|0hRsD*iv`$p139{EGl>{Z9(E0y>8>B>%dB`n|FFW{H>L=#<mK@KT(H
z9Vyhm7I!mAMe-Weo702v7MGVl0(C3PzfJUnyctZsM26iAF$s^3VT^o&N<b0EJx)vw
zOGay?Wd~$rD&`cr=H-(Ym9Y_0R8>I;WJ~hph>2QSVdeM9Ak{t9gwhR}G9-gTLkR5-
z+3wzVRkz=urH5x{$D}7F@swQL?YYlG#2+QF>l6^l<w&0|`)gvA8(2VMCq$BH|MEcO
z$HwWa0&Cp6(F1HhEpU}0PgKgz&O|`W{?uLPYYQXAH&{ZID;G)p-|J^KPiZ2aD@L$u
zAh|~o+!%H-XzppWL^&#B-K;-SytQ=dhU`W+Bmd}wheh{P2;NGcZdB0|Cxwt^oo>#)
zATy*Ao>$(Tui+AS_Mjd4_R|9)n*bgt{WjLzw!p_+u-<l=!g`csM!=VF)xmeQU+1lF
zWn5Kg%p&>Z&99bEUq8-IEaMV49kJq&Nn2qcw0;*a?rK@Q$Z9tP7ow!W8=XJ4@bPXb
zm7KZSe`3*;KU!Igd`Z~p?ub0k&LCdQ(*13Fi#759`&unXm$lCy3NF8uhWM*;>AJ^l
zCaS=$FzmIAQ$v5s*C#kfa%WcZDFwM{?QGneuh8=D*PmM6*c!NY{dk$B6zn?ntq{pN
zW>>6P{xyafw)H_D7r|&*nd8IJN0bJmu*RA=G<lC%LVwkJm!KHaKRqL2S0q$M3B@6c
zpV1cjDaAeeY4|NPc|+EUh~TeLcyuy9tTc&k#-1A;kt16MrK`EHAqIDCD<yEq=1>C!
zRK+$D+#+&3Q2jIbeK7I-V?rOuI`vk*+}%-7*8Px$38A142ZDT0DDyVC%(EA)8QO}t
za<U-l3BDWQssh{D-|lyT3Ym}KAL9z;cB_RHO>XT}dCj6XqO&BrxAlrT0uWV_w20k0
z_gPCjX!a}Pb%lnWT(bH$kL|&L<kv<@4GeWX%8iqQB#`T-843hH=^CN;7s4_2UwN%D
z;(PT~AHXa__4GDcVJ*%6wIZEDR8%fqqOzGbP_kE!;XM}~CgF95s)9}=>js>bxp^(Q
zjXhGQ%ZDZWRPxw2)P2J%1ZQz>M*~tvwPJmO1lr<=_!~j#{j6pQ?sY7Jb%S6N6SqxB
zE_-|3INv(}F+rk|Z`>T~Ceci=tf_kP_I7r}$sh*^D=EcTr7F>(VlgSwuI3s9PIWCA
z^P0>2K>zct%QVjAqd``&*W9i>u=Ls@F9@>8zc)EhZ5&fF@?MA6KzUi};dk%~f6RGi
zv;60;kk9non=-jUbNLY?$a6vLV=`YLGQsrkZRP84yrO@@ffQFE8EBLVZ9)d8+ktFZ
z$@w0pjoIvh?89d}wE<hYZ4E6%MiJ=|hHRfhnzkZ$Mf{1BcBooqhDj}2=|(u-D77;X
zH{TU!xKrfH^dW{ckZ``%nm~=s{>^J98DC1_XX{TD?+e|X-{`)Cy#aM!l?703Z{O#n
zqRV41{?d7hyyt%N7Cm@hpOZvgfT+ur8m5h_q)1VOlDw2DLKPFR@DP(~?$WS$rSskG
zdZTSG7Fo_|B_eTS(D-R-IN5J@9uq$*YGt<w>1G_aTQ==)tEL;oeeeF5bgG=hRs=rq
zDs=N2eWQ?%cEvHV;Lf;W`BbM6DrBs@%%fZ_*SAwBoo{`nc83m@nD2ld2Qly)_^J}y
zh=-OVFqca(Ma$rn8wO74jG<Dsj{3Kfn~O{NZS;}gyEANm1NE^4<729Kj#JPHW!!uk
z<C-mSZ2<n?iP9r2XWs^Xk9b1G8j9!Q$_1XpBK2!pGO80c1Yc-q8TCBQ>=-TwsZ#-u
z|7CI6<kQJXmu}wqFN@1R1zXRY_<hV&q{h@slP77}{{OYOd*y&$z*}5`{TZ(P@rm-(
zR!US1&wqNRwaTMFv-m`L$FqReuTpW9U&R-DQUoaQDsnWv4^K+V9uu=eFlauUWjZbS
z^qW|PFL&Bo0>CFqx(Xdy%@0W~b6|q8D)r#S_p$+}WlL=sb;GOi^y1U<DKZ41k>;FE
z4{e34!Y0Tj_kHd^RNxf<Lq0Lhq9ocXrKlY}9;(NsNo{3iIQz#6FSFwB=$Ek+2xu?*
z<L!AT$tDW?ig`==5z6hfRth^|6EA0K$}(Q{nhBbIA<p#gzg-L|Kmwb))4kZA4L>LM
zv@ZjuS`WT8A|LR<V5U0vpwQ-6ogJ8}98%e!qa~7i{l)D(<4Kpy)<VMi7xIqkM~ujf
zR;LX?{dkl42A}qZ#QK*O@g`bJXB}Nr_5ZtIOG^a+m~>hK0#1OGs_xcXf(kLK*{0NM
z+3!xqz4K}!m~QNph%%4(>cOj)9xpPa&uF}cso!~Dl@quB0t@fsF8bGVgszDMn9o-s
z;Qot@#;^v{FIRUmZydgL^(8O1*dsu6{rT?7OE8J+x{B#1J`nZVp|XS)bz%~%5Ro!{
z<_b@-gADW(p>p{+;y0jSxR2QL?PW9Sg@s`kM00|^86B)wc2LYEBEdJo%H95AgmwA{
zlaKZ~dz$qy;&T&v3Sq-F*TpQYD-pwY1If#<IQrP<M{17K1~1DZ)xBwn*v`of5ep_7
zQdCQ}`+h7WyL<ehbY$*=*&4Og+K?;#QPwJz?H$3KxFU>a;Ry>$@t6OQ55?(qab91H
z6i4nbl06YWW@P~v!p(9}oxXa{vL!Kj`C&iN3p%Uq0L>1V&7co=hqx^n(8zvZs5-8A
z(PziU$uz%Dhy*O1LHN$~0;aI-M$+D{HBA>Jx6s?y-#lusgK=SB$D0tT^ZjM~6?9m-
zqa(*W%tkP<<JpB&TYI20S$faXwk@LD4)fBv_ZOD!LK-C>9PiF|0ol^^?eUyB@MY=!
zG@c<7;V2AIS(fkZ**qgWu6Ol%zWn7cG^~@b!Ht=9<;_j|u91a5VAPvD9Ch|Z=Z<hh
ze2j?#v#Z}*VdP4NVeuFCg$@{4#O?PkW__IpH1y=zcZ#;(vj~}XBFk%bPeVh0f|drk
z0QV!Od>YIK1MYG}4mhnbHD99P4ESJf4o-Q$1l1iC`LxCB9ZZ9N<2GJl+xxx2g1(Sv
z9Bt&eA#O>5#rx!2vXI&7bHMWT_XDWhy9`Afb0pg?Ggj`ij<aUJJo_A@r94hU(Q7cm
z)JayY4@%#7=zaL-M^f_d_3PK8WW%cy^lvV(N*MoOQP$JsQ4CmB)RQhhWVAY_qrte?
zZ#t0utoiWv_ryPEl-%YxNh;sW0q%?8PWIIpg8py#-F<5r3&`m8olT{Bf6CLslhRDZ
zFXG6FUC-BqoeW~+WQ7|aOMhR^KkK|uNd}#CUR|-OU(Y%q&aYVx*`Z%zd;?@c@x|D)
zg_mOJVDsou&f*~1GcR!<l!7mi0ObSqLxS`IIE#^XBcYE!1#@wR4RrX^*?YUigh>{M
z?!18PXIc7Gg1KN$EPCO*RiF*K5H&u?RTkuruLnItM1l;n6wK=~CR_>=7C91uvW0+*
zd_*q*6+ees--t6ii2Am9Is?Qy++7<M$vgrol8GF%jg&?^=`=-s%Yf(@`LIz%p$#L6
zP>{OlsJFfls?Ct0wWtGzXsK-wk-8;wHrORAYOFZsAspm_@(Ue9K3t26frEmK!Z{F8
zLs=1>4}hc#P%PZt#vWg@^~7%;xxm2bM!}swuVe2nSkW}amcjj<M^Rkiar{~CrHtTs
zdyQyDaGiP_BO|IgJGM<W(huug0Mo!!#kVtp%Vh&HFVtIPy>DhGbQmQho+cEifqU)Q
zL)B5Y!($PQadW(h6WI7<uLMbks3Atjc|X-|b#RJN7;jTTsbLJ%I&r}WyeJFqgsX2>
zv9H0w$1uOC3+}UQmm0>9M=0<wKUG2pXZTSP0UQ-NhW;Z9zElT;F5~*g7>Ujj$xo8G
zo6sj4QG$@vTj&&188qdqm>u<SVu!%JZ4SEF<n1mnyxaQ}#q^mm0tb&2B~CjdikJR?
z{xJ$>@CPrWZr;Z)9|0*R3t$=JYcIx@G-_<xQ@d1N&eWae^f%H%M#kVrJMNrDbnJ^@
zwQ96dcPf{C1{*GYjgQ*FI9dDxY!{pPkuRO7Io)Y7(;_zgqfDlTQbs=!#5)#jwc~=k
zq=C+$1IM%OExNbGWYK&;OXy`sYXrvT(2~vsB<^HeS4E`p<*<uqXBemP%lhBriZAf@
z4bB0#c6#UdGdQX{+_uaS)bo19l>MdCQ3#tWc$9mHFV=}U3~S`eTIShy1H(RM-Na^;
zxXjtD`~+nF?6_UOae*@ixMvt999v+4DERCEU0^DF0TdK36s*S*KI+Qdxg;oBEDSm-
zJX*9TKoy=;7e4ea!Y@JxpH&x`1A!~sMW2k3V3T5KKr!t9zGFfFYTy|7`ak)TQ|13B
zfBs{D`4smbs6_utyv4~zfH;c<@n%+9+^ExE#_=jIW^a=m!W#VKuK61beuQWfIS|nj
zAS{wUpw|%;5>&Kvad*o3dgLcE3?6Kc51}_BEl~-H4A3}>e^H(W={Yf(Svt8z$oztP
z#pPbFN-JvE?kW%x63A5*+#w<F?5x#rQF^V2AeC;-lIiFg?dp*uK=e;58cPkONRNFQ
zpSZ2{enn}vv`}i{Tlb>)<m!&(T-@6Fw@vY>o%a-AiTy~)!^0mU3a34C7^0+c#gO&i
z&Djh`#%&CjS7Qk5!;;kK9q1s+o)7vqj{f?gC0SQ9CqE;{I6sWv!=@)tM7CckN8;u?
zY7t3gsp=08bn;}>*0mXGqbB7QLkCF(yx^UMf=MDTOK9OwsC0W3p5D}_{#din5J!a(
zt4+3i<R3y9uf30Iv7IZs-JK~c-N^|I|J=Y)#x)okVcVk(30CU#9s(n6)<?~QT&D-$
z36ZrXbV-NGBX{J~*QnzQET_#}Bw^5))(RLK1>p{~BF~2%mqp+h(V)?o;Oy67M$`GQ
z&~GX*a((=a)<XIRv(Jyu1@~fLA_@dQwzyyy4P*gwv3uAD7YzqtcRY{2KCJXvDsUk_
z-BAMe$(}@B9v*!QHM%$7;k#G1qZWSc^MUU6YADA#A1<UdrE(yc3*N;k*zc^*9?qtY
zkCfjQW4=PCoQ=Sta%|h|Fy^?ifuJ-dEGUvavWknCyN3Xrzyy`OMLeoAvKr4}jb2M)
z_44}~%Q~jM4kMjMr9?5|ss_+nE@JE^Eb9E+8MQ)3B#4H2)rd4kQ0#j89ePhB*r}tN
zg&Nd#ypi9CVp2(V=gE43riE)n<RN?fBLT>aLzN&Di?BsdXcm_fnpIG3mpRibZI@(|
zJc1avDj5%y23N>I%FFs4RDdY!nwOxTZ!K-ogA{RmWaXdYRBCE#?f{wcLYmZdcFF>~
zr0w*MHDvYcJugcnE>u~rn+Qwfgh)r29V1$>XGf(B{Ys=sZAowSoZD~Xa-AFM8<3U8
z6kY0|s@58@gD$D!fP?P78l0d469E%H>||Oi0yr;xCq!B`)gesC@pn%N1DZoS4PYs7
zE?OU~j^4pZAL7J_9F^}jcy8%wyZ7)&F%=Y41qTj{GNZ`cUvK8-3*Ue@F=ka#B8Ma=
z8ODS>$fchI9TETXi2xb5IWdWlC{w;x`=DyU3ci!}qUk>OW%M0Jy!J(5X!z+D$1S2(
z{LcXnJ1uk$@y!^vX7bxv=0B*ox%(EN!tV*z7P!ZRPwRbHR-1{^ewYm`8MJ-BZ5l=@
z(m`&+P+0%gwRySy8VaVu$xYx4ZilZ+Fbp78GoSBW5Z>vXud+l#w6E6hY-ikg8*5YU
z_xM$)Sm2Jvu>Y^u*?|}b-NuEC)crT4+Jpl`EM!-NDm;z9)hJ~S?=mbsNEVH`C5Nt}
zxaVE`XXQEeAh;pd1KEyv!xW}Kv^CcoowX+@k2$3~ogt&Thb^MLu<E}uj;F|)_|js)
z7e*MA1mwjlo8F<4fn<_U?LNVkBz2IGvg=VX&2tt&#T1|TH9aM=C-{5czUm@)EwXHa
z0Az$!rWq8|D~8=9WrCwvz%S{fey5W1eN`bW(__kbVo5;x=zi2BIx0pblG6Cq(6+Ho
z9G^`bXuVBQ=h}}-R71OfVb3o2fLt_A`>ut1o$Sb$C_7M<<RajvN-VRx<rM`X+>y3X
z%`3SPZ?$}bfz(z7cY|NoeKK8u%($Eg*K7^j=DcE-0|AzTEN7+Mdr&6cP)70S+!YL%
z0HFy!a!Uy(`LDC){~jTVWg`&c1pb}!G(!*<os4s())IgL<o}^OE2IkiA2hT6UzF#n
zHUgHq)BSIhr#HAbS4IPn#j8XEmQGNtdbaZas6?;QfY7!v1-wc$eDkCTrem)RVNMRm
zPwwL8k$B4UQOGmGe<pYBrNu3gz6N;8lMv3P^6EpXH7(?(&W;*W4@p|jd<nx*m8RX*
z!_3^Za#^-2!aHjC$z2*iYyN?5jOIhqi_@y#>qUC86Hi@5D5~}JD<7LK&DYpI$)`ot
z7`&I$*EjlEON7}a=)fQ0y?$0$w!b8tsL?NO;jY(jM*ubxp9<F!%iLb<67I%5&3kpb
zQSLPWxp=woBv-i*8C?AdCjaD3!0l#UI!A3LmdB%t^exP*7&Cs;M*yQwb#_!0(doEx
zq=^AjNiZBn-!$nFaN1rNA&hvgwY<1w(9u;d?2_UC3C$_pev-Zg17m>4%!a_*2O|7w
z@9-*7L%d4V89zcKXue4yDUC^l3;(-HblIFB`}~#a`T;l<FBBp8*+h(L4B8;of(T`S
zE~Z>PzT^=TOrF0vb$;RgQw#T-%a94sbwl2kn*htpzB%%W4CiD0qMAhAO*wsJ2U7Y<
z@$JcdSXW~-hY)g4_tg+Qb3Z&=-kSV8bBJH{M>zA!8vPqtO7Us;05Inob8q$=v1#|X
zdwop5tg)lg&=&Scp>-@7<G9`@g0vhnMrIYJahZyt^c?MVG$Y>il6jmN#X6pM$~bx3
zr;+!!ysd!X`nY|xN9@~`P5!*03HQtszCn{MeqUo6i|LaL%HPD&=Q)!VvaQ#}!TB#(
zIRf6js36E^5Z+3ez5L)~@HK^B*p7z-Joo&sBs-aygRbP#97;^8DvuTQIB#hrx?YUw
zeqxxus~lxRNPGNNAIP-97xbo|hi+2K>4cecmbnQp9>Y90e{Kw9jsTE<LMTLjsRiEA
z5xWY~7i4+cR;Y}U`R>GUg6;w}b@YS<M>_YifOs2zc6tj%n`QN4A~z8|3sZ;xtG)Aj
zWc%;ic!m*M?JY*_s!_AmqQk1yp++g%+M7!32r}#~lu%WIR-@FWp*A%-h}xq@tF;N$
z=E?8A5AOT)d5)ix?_cmexjygfdcD}H7iIxRq&7SA1eW=T?y~NNdK!f2P6c2Akk;77
zh<BCW#?3Iws>oZ<Zllaj={Y%cAaYKD(sH`XCwKQ!bVmYW@}Mi6wEg5`ANg!|?fL4*
zI`4e}!I+p!VD&8`y9G6MH$~lKjrCp=J*zXqQLX)w9%EA?z1TjTl!L1#Ol9OMVjmS;
zvT>86l?>hvX1b=gDoqGShNbS5wnl;+k6IY|l@D9cjvH=QB1mQ>hsR$_elp5_`*L;R
zN7L(wU!j(lKJC;TwePiWy}<()hS+?01ftgjN?Mn=U+?!`{JY~-VSuUYc*3>$dw0Ty
zvU*P((YZFeH;q4m7+#5Ub8p+1zuMlyTXXznS`SHt!KSW|+%qS=cav`X+P+c}@uc|G
zQAcCz4{pv=@@wbSMGGL_+&6^p!h_lTw7;voPEo$+V^+YUe;=f$xy=+if1PIxoh~{5
zxAkGk>2zppqv|;}>fuoH_$*({=kk#Kdokv;Kl`4~d8^2h2KmAprfagGZT^_l+lYgT
zkk5IDwF6Lt4VYs+02&a!gNE_RMJHFp{^bSZ%A*w)VziDzhh-6)C^&;H41NTVTMt(v
z#`xKQr}NwZ{ZG{7ZWi2)(<FQAXoFe%A8Ril8G5}bD)Faxk>jv9Z46RF#qH`EQo#s(
ziwwN89$|xv(_IJY;lNjLK`I{N4+#D@v_of630j;FO-N2ZdjOA{z*pC46VGt5^!Q+7
z7yGf0kP5IQC2DOFy?lh0lZ#N_c1R^~`a)3t9x=%{#2JF=RSa6Z1e55Vz?~kKv2L0m
zi;%FTVv`s_h$csFff$JeY+*%WwVWA)3N{jx$S9X2)SnnZNo;~7@~R}g4#9k2Oy&V3
zg}Ns{BV*n?N-ClxNd@@e1k6S#$pk_&cX}+7cH-SziSy_bZbY(?HmHkW`idN>B9|JV
z9r4ZB<gHv>zAf;(2X>`Dx%y5@1w2J&EY(ahVMi`)j1qL(Bt^lc<v>z9<<QynSUHun
zN)OOi9O9R4I>RvvlAqp6HeMq{cnhQg!$9C>=$0IU3J0?1CqX^aF22cVsQ}4_W$<xk
z?kuJ$A7{u{rVB5n%r}D0H-pr$qO1d1nqgUjIuf@aSu#4=*RU~?T-k<|X%{intet0B
zEqUnoFS2Qd3~s~Zb5kI_DUgCrmYPS-J*FIMyKGm_MCI)qXKe0<1VS_)=raI1BN#d3
zAtcQN4i3w;mxuBQfN7DF2+Mognd5jbv(Y2>q%Rv}nByo5j+MuyG)jE97hxL~^`%il
z$`hVjiQ@!DC<KKCZlLf?K`Ce)yfgnGC_j@a_}VT`gEK!#@X2g{<}NzB!?u9N*&^79
z%xU|!+vPImgST!torgZ{m521_7b1v-!}*LO$AuxBMIYrEKid^~2V{0)i*6&5Ec=R3
zDrrqj_}dHVD`Ai&ZTy-%Jp_>Sy&1n*iP>T*p0z_hGAhmj_}{ExEAB%T|2-}S2$kq?
z{+Hf`4gdx$|3CY-FAb{lze=9X*Z(gulbK{ip-23SbsHZWG$2B2&&t)C+|^~Kv2K4<
zg-6ZM+Ox+61M49a_d~AF+fB7mxzk(fn(YeRzp3&OPZ045;>ZW6#3X(Y#wj@?Suf3;
zJrkFZopUoEAN{n@w74wjSz+FbDiIKU4S*h`Q&FgUg`NF*^$lW8M~A;=eOjdkeN+Dc
zdsM3y-Mg_4FssJ<G)?f}*QO6$<MSOCCNLV)t3$JDuNF4dmm_-qS$wK)9=%cBicp{0
zTRpfxBP{n&TvQPFw<wq^phq96!die`GhA##DTM3MRaoAU6#!9{@GPkD?i(0o>F8(u
zhAUl}vKDhv1BQ=F`TOpJ;_VDq+xa!CiFcl5iCJ=8j%k3{e@l2*`ZZP3d@!)G@2oPP
z{;a$P9cR_}ODEBA*B_cFM+3yG7NmR*AKkFm^ZbeTU;Q;+f47&=@|xv@Js;Ot%w@7G
zi^^jAJ0zh}-w-}tZd{mL3rR_>Et6|oAz~`9{I+}<Iy0;N3iY=}H0-<UJ{DL8G#G}w
zU7HYe=C>7bJ#^v@yw}(J$Hmc;r{ioMG3u!{!|bpz#cz%rdU*}uGIYZ+^li|ln94<&
z;dZ+94j?IQ%sl!f6GH>K`uvDf_%W^altuYY3HNXR>;gbgeaAN{azmx08w-6IED{!C
z!hgCu#<9EQE<}lw)<hGe+d@U+#prE2!-4|IpW?*j1PqP4@{N&!d`Oid$Z>O%xKA4s
zMuHJsllwd+<ypTJLgF)IC0x6_={bXR!SxRrys7+R8DfMRQ!uOO1()QjH`Ze_>?Ds}
z^6rIkiag$RxkfA8auVI1md*m6XA2LLfjAAh5`A#wZlx@bZ;L#k#8)T)9P%jqvw=nS
zA95Ek>V|^nnK&D-%9t=nSZtB-f_z+A$qn6jKyI$?dRBg}O$oh%nx{jd`ljIbmuxGX
z`X%M7%+-1YHY9llAt#f#m-QbL!8Oe?7vJZG__at=>G7BCH|yViB?8_ItR{N0w0xr|
zR?|hBo_pK%$h)S5&_L3U8VSc5)GKga^sD`b_x2A5)&5Y-;a4djH^}#2+^WAo_9m8S
zA1HLzagb5pn9|uV1#~is7y2=`yl5u2N~w{N-O$_jYkQQ|&0?K|it};3XCbU=%|og8
zYXOu}(xxMz6$WgRYC2ULR_ni{1^^^&kgJ4)yWaSwhI8(WN+c;=7?6{@Z_6N7yrBMB
zpZ~(!;Z`A0TZSBMtC08Ej!In<_qp%CpS(S(bZ9TMZov4F8{*LQ$=B$Q=8RhLht3Zs
zdY59a!Pkm#Oi@=;z+f`S@AcPE`dn@LK1fdxm0mH66uRs;B-p&NhMEN~s%hvMaGCi;
z8)PXTu(mAg-ZwkxN77hyY=8N3TInN4m21zG%|)vKvM0?O+0G)jo44x>YY{tAvh(L{
zwfB`XHv}(n=n<G7SzkI}2##sDoOloTZ6*q*wwEpXt6n}{{i_^nS;exFxyVCD{ae4o
z{r+@4PwDqFcA>+#*u#d!7N(}H7&Zu0P(YtFaL!cT$X5J`7{uTrD-rpE3vnFzjaeLO
z$<j!o7tkhkQbkD|;&d)AxcVWG5i=wl0^oS$Q8jeEG-3X|1XQm7{jFoGGy3sjGOo7W
zx5%7`VrNN68U!Qz(G-KTC9x+pm0MD6RqxC~CHePYXz7NZ2?yzt2LufI{2^0{z?3Wf
z6r54ZRTXMa<A$tzpwIukp1iXBTm%p4dq)WLLMDUhwru%N9(N`8xJo}Phg}r<3d|f=
z=Y*cwxIV`FQ6K&Cf$X%5$pPJhw?(|YJlnN_#LBLi<rC>_&HQs_pwfglte?P!Q{`?X
zuE>^Q(*BLfp>U#aPG=+l2<Mb@a9sjKe9Qs`<qvz=@BIfRRA;~nSpx|W5rL^$g)0{-
zbb9hFLhyS<>pU(Ohp-kfFV(2$w8xG^9a^fqZF$PNe&uLm6lqac%=lB*;6c+U(}fE_
zh)OK2a4?dn=1eW+XOq1yUqHKcetyo!=6PLpa6B{g&T~rk;FT8xG}i6E%`SFAos7^d
zkSuSd1&n5PIr&`i+-~FMKV}!MFJO^BG_%X#onqZ!-hY{0PGoH^(9AA9-*1~3(9AA(
z%Y}`-Z2C+miu?{T9++3#A7mp~vuS%zwhikE)5&^Q{g;6ss%_TnCp#<-YQotzom?^j
z?}Rj~__QmW`CIR(g&PvkDM~lbk;sDz2QQNlFCS@DS1?@52EpIH^e|%P9w}&eQCvjw
zxF>vTSaPSn;=qUA)@(Yd>slRA&&TVmmBU2K1Sjq6`CvNn(_Bq1@eEJRBVm{OL%VmI
zGpOwVV1dKbb2|Q(P<o{&;A!5?lbnLq89yh_iJTwdN3VrQ1o+U2g9+}a?fOpy-__Q+
zA+>Vi_D==K_lPftK^pHcqMg@hc2STph4hcvg{|;ojr2nMS`NwYoyj7z1Eot~govWq
zMcEnk{Y3pR+CwHw0j|<O4ySb>rq!IQmD0lks8!gnToUr;?$ws5J?}ld%<G_Dq|+N1
z7dyQy8JBlepFJqu%w<K!-DJS3d`<S&%p<93xj|d8H{w;p-=vmh25fEK$P#8AOVtTn
zbY`#1eCxxgmNzv>wyrCjQbKFJJ01$c2g_{wxc8RPoU`S@A{3uB_4g~I2->X^&ot|f
zm)0FeqQK9Oeb!YjpN!`R?3J|^vR`|kJBTmYDHndl{3Kd;G(&8kz~snmSu8YI#(7XR
zf8X<Z+sQ|@-1u_$58v#monIQA_7vbBJRBH>Kea+NpGDEESmGD^4#;ocJRROty(CO4
zu@Zp|e-;JIfIx_TZIi^;SkK!+?ByMyxfeMRv|Hya1B4X+g!5P6v~bTi&7-361)nE*
zxY=#?rdA{4xbXSuxxHRQ$I$(sQWS?#5nBXFR%}Z`<aCMh3sKMSw2YekwdgXT)+2AR
z&F_4=BEFzq@nUidT^F_@HLAgC5xpDluK(?BwBgVnb9XvY;fhv?&Y%I67+9#44S_y@
zL831Q2@B}23p6$}B&P03Y@UA2IMn$h>$J<{BRsR92>?Cv1IAtbGl$}e9Z%W}<db$J
zOOtiSw4kBH>DgZ*+P}w)h@oO;dW!z&z^b!QSYnoA7tAt}tW^R_u85+$^PuT1h~pu*
zbjddNm9{0Vt-VUEze}>1(|T$LXps7w4mTRfpgnrR8u@prY!o){?R*kguK%NwMnAF}
z4c}`Q+m~N&&AT0NV3c*6zL~%27(Rc(g8OqMm)g#F?VXnpUGz4eaR*7&3bv|vdD0Ty
z(M~g~KX(vcA-_W$J{gVL^8dTT%Smk)@7Z~pTSAe50e?+ehEk7$#lWMo(c2ZEOq$k(
z|M3P4$Ta5nW6iI6Ehdo$8Pf8Tardi-`7rfIvGw~3Lj5^$@M^8tC7GynBcCjow<<B_
ztE|5$CH5bYC^<Aj-CGR<s>qEMBF3_lk;)htUKS~B45|wSGZG%EmBj7X_|gQU3k|e?
zAj-fP^ttb$hH)eU6&HezpX!Zw&V#AiCa4>GX#)Z;AmUe!0A~I1BHQurv=FLLlr|^8
zmM_G39mSW9(jx>ufP)?R63%lz>VtvZ`u*;c<Gm>f(E{PubLn}XSnQX_DfI*4>qs#Y
z>a{ys9bm2KhB2~6i>YA6DZmF1)W9Q@8ibn2Nde|k!mtE0JO!H|knkMt5=Q|N)?=W=
z#1u4ksvcqQkyI-HY9YXQZIVc~7)b<Xz6?3QkL~MEkW@)_pG;KVO@sy{{bCGLHBJ$6
zO_W5W%xQr>LY~ZcK=Y20Bmk+yvI!9c^IjY+LZ%L4%-6_>5lC9UF=$yXWNJT^0!cZm
zlJ=!Lxfzy5C7{j{(=Oag9dSvaO}g6n!+#3g{7XsM!KFXwPm(cAAAo^4ry_H;GVE?;
z@a3n;l%#9$%ZTKMvtm*FVVSgte`&i+02T!Dlv1>V1N9U6w=<})2rW-Zc2Cgd<}gK-
zBu%v}j^j*C!8pxZX{VFaOm3^}Gw^IxPpD~gwhU9Y#ef8>M;fi~dcGfYuTqSwBF<$X
zTRuI5XE#T&KT8Oj3tIy%YQ;KXb3L1LY&`RL-o&~Sax?}&a$y0pWW=p7v{!T9(mmV<
z2smgXPDVBcjWtr#&gb36ISPPxD>9lEb1V75xB+YiQ<Th7zQa-8S<Zr7yU;REN!GE9
zl6>5w;|NXH0u^*YrTkMxtGw{W0s)t&JVxLuJ8(+gS(0FYhDu>K(~}xVuvSUoP=017
z&qF_XbRglWnzKI#DPQ777G$a@2~f1)30cy?$6Mi7j~QtN+Gs@4rXXYZF+PS9x4XeO
zYlJ;8fgI&4CLWtW!pOz(M8GphNdmDLYC`*_LIxpcz9evd31cZ>x*_n4$Nrhse}irX
zXd!f!Hsl1*QMU(7s@t`Hd}yUQ%cVZ@#CufL`26SyP#O*Korl+KMQ%|^B{W_R?Mzn|
zG(hW$juApkX<bnojCF|C6<r|0Zz?|>U9S)S;MY38-4to@dU}h}7CpN4n~I1<#>FR~
z&=_oDQgTXaT6#uiR(4Kq9xlJ&X<-q*xa3*s^RgG^6@<#F>X)x-UK4BI)YZRjXl!b3
zX>Duopt(Z2-go!(_Vv?TA;TX=M#siKe){}nVv;=db$VuYZhm2LX?f+_>e~9o_aB=-
ze{F5=?C$L!93D}QPkx{N`AY?WnMI6=C7p2)ZiV~(#Aol(oKmKR#<itANdoF#GyS#C
zX(3ege-%Qr_)`84DU_W>-x@#{`>zxVDh|?-`zM8ln7pEGIA2x|-UZb!5OJT*@y9RM
z+fS<pGyZ5gU03E_rCds}I{$-;P>gc>mvJSUW?bQm#NJQIOi4?>lZ8Y1=9=Z>V{!^F
z7ncP;Ee&{4B}(_|l5Rz*ZkqXn>Km+d`mfpm4I0nhXwidv*n7Zz7LD4#*0!-%01x%r
zLe2iEuRX(>E#nJqLuwQ0mFm+Q{j=(ezuH)TmKLpl|IWUty7l|Zp6S8i=C|M-p9l4x
zE2k+R`Bk8AW96BJlKD7p=oqUBX~q*=OFISlsoXu#a%-p&50{={M872NMX<6dg9t41
znrTj(l0w;l;c9Qe*?^9Rm69t^fy-bJo5E*D0Kf9NcH^p$4a`&Xt$G!EMmOs!nO7*%
z*ZQSIf`9{pP4V#R1k3@}0ByE$n6CEkJfl&YC7al?@hh=kxaP$SFQW07cQ`hnzFm`}
z+Sn&A5CTk%IJZt1t7aOU;&Yfw&*xw1%(NV%*R#J?^O0`2V8Py9&BN~%<NJwl&?{q}
zYWX$3GtNhzjYYR-di73s{T3=sl-%b;y8Y&)BgKpK+D{<EM6JA%pR3*b59VH7;V5Xk
zw%xs9q(nY<G5+v!abDkO$6v1y&QI8ec`8FsXJ{eA(HEJbXmE7nQ~1NTvW5t@UB;&|
z%#L3i6WCE`dla`?{~}~EYCR3I1=N&eVo5)HCo08+(uq<GwY86jjx-e_G&J3ykd-r_
z5{zCVz{%4xEZsRwcMj#0ad^;YknRZ2HAsA7VAqwA3Ir@N+zB0*_O|zvKZ~Tgs1)UZ
znHI_ctW8))w%0if%k(ZcJ_1uT0SlyJgf3~BEl|yQ{TX^h2b`DsBwd!*$438|R;<m5
zd)Wmg#Cmz*ob&x;9WPP^D~qky_u^{-Ro|b1A_c+E!@`){3Nn=|)>-HatGw9*YQ9%L
zt?96mEO_RG_+}rmUZr$dYoCU+t!sQ^<?aTv*j_(d%5{tc3@Im7){mlws#uAuFFN1u
z6LhNVXG6W?>XuN#FPZoLU^+7&JGaz8e>VJn#k|A7y4k?tiuiTq`<$jn=pW6S;5J}V
zL`g!v0qV76>ShE8%m%x8wHqp|8wmNtB~xA7W1-?$e^&Za?fWE@Qm`3OPbb!}QH+I;
zrMY8fr(dRDNqtN-TjWO@qwGyL=9!bz-S>v*O&KobD!M5wzlVrnrN!^lz|Yptt^D0I
z&C<Iy1Vrlg-5oDFg1eoKA`P3(bIt)}l`e)Mi+z8e`ZEU_neVqh@`m1J@Ot0)c-~P<
zm@=jm>>M&H%zEq9U{?kwf;yBO;Tu<;hBkL~6UDi}UL{(R!<MzX`C8VYH<fvU%&w(|
z=Spt3w~RLU|85zJdn)Q(Tp2;y`DMZQ&hXj0xMaI*yCN~}U+R)uN8ABg=XV%GVm@!$
zw^#eLkM40Twj7?x^EddCu!wm1eEHqW)9H1V$T0fNr<!zkuLq08G=6;VbojlmvhvtN
z@(65v6(k3w{;{-+i39CHC`w>Sh$1Ac%TnQp6n$2O1zfgJerX|zivh?YZ9Uy3rjKB6
zP>i(4l|b%3?sU)|OUSif6mS!$IsUVV(q_FwHwnEeCTYss!czL;G7il-LgX>MzzYU0
z%1B9?0!#+4@hEC^>r-t5<MHIB7oX8gvR<QTZ-6V~xGh9o(=y4ra7i}N_KIez0oGBP
zp2G!)hGy29^Q=gT-Ip^CZ8`%FNG@i#H0&cyS+nj8Jv3(*tTjRzq&Pk-b#`(eP?4_n
zPiQma6gkF@n0!>bdu>J5p8WRqDk}5d=SNUAyK*KHmqj(HjK|w9_J$vG((u^XlKWF7
z)*p#ka7x*WH~nU;7$wNvmsnNh>%(sUokI7XBEu5PFI<leR3jCxU#igkG%)g{MZJjE
zR3F3%9Sxhv!tZuh=<S7#M(@(xDy(u>dKwT&q5Tqw`M>?5lAo<USR+6}`s0cA`~Ms}
z|M81jCn+od9D)hPMl`?ZpqjX-d8O&S!CUl^C1wBkMOngcxe@ovwLi#TH)x3s9@($Z
zf4uG(LQA1RpI-<%>jRK9>JZ-@rGHYWVgaziKBv+qfBjCQ{T+9wgKBk0=6iirx65n*
zFFg|Et=MUP(Ybw)XUY#_@6x-CUvr-GrB^!%+TXtU`Je{T?%{M~Y8yWxO~kZ&fJW@e
zy@yY@uqi%ZK8KNBzQfwgbRSpwi?J{4Lto>3<K5191HqAe^&z6?oEO9Gn?c`RSBX~J
zDNcW_Pt<7eedXob>BZZylv`c*c+>Bdkp0cm+-hNgn%nu!JY+GgitE(d%2sS7fwjx9
z7tr*Yn+^|WfB0Q!65p=0>@#uN`MBS<uHhf{X=v`iuwIwzpytL|=8==HM;(+8ucMEK
z=Ks=ALr6P)0LU2t;-I9J8Iyq0gA3q*+@}l}V!Z5qXF5w{r@)AcWgQm49AVqV=XMQc
zl)T8c_vXF0MPTebgC#z*&)rt0h(vdh#al|`9%a-{qQ}jLs}@VW+P$@@jPb5wqvXC6
z$eYXu_n%1$=l9}`Ntt<<R%ZGs1C}>-B@masLGR_OTJ#2`sgHkCi<wez;Zsk!T8LI_
zJsuWmep668>~^W?_ya6|ukgnu^u>9>kw)V>eAuwN4rOW-@i(4Y!uVl%DK&No{VVA5
z%CLt<1n6T1KB!dCdc%OfWi<arh&<n{r&t!~(=+^ToUp<7Td$jWDpTvF<$ijp#@KVz
zUfwVNV&$#JffH<=cmlPb{lUQj|5BA6MBGaD(HLtXUt-s<GxG+}*$VgAiy<#@kbM0{
z>%au3(DXGcXAgHlplDM=%a?XnDY>TU?O&QLI-Guijqu4EDq6WrGqGN;f6q^pE1y|1
z4}ix_&ppO#@?c(VLBw0ZKtNOXE4_H6!%U|bL95H?Wq{<R*2P{ttVLFN$LIaRk{lJ$
ztCi{^pDnzikg5$iH4j281Aubx;C<&vK?>r)RXsimqX*S#FNURvLB~=DVlx*^zj=v)
zj-jQt`W&(}YldOVqNV3LDJ1vGEWLG}Zo*?_P^rV8d9kKLz3U^fFTINvq}O%3c8Wl?
zF->&t#guVXtI>|5q9tK?>&ND~5dLM-FRoP>(=h(XdutXHop!1RJ`Ycd5d{bFH?nmp
zhrY=|?4)osF-TjU_`8?v@?SAn4K_a-ou1u;bLf%8uf%@L!~f*fZ~taZJh5twrYow@
z3w(4Xf_44VVaApAUo3d!oV)IAecA1AI{J~=J<;PAYrl8%=TE!h_%~J1f0*<wBbOgu
z`OP2j`>^=~XsxxGf$iQYbCv)8kKzZrO~s^>#StVG{|T}8RwjlfPI;3DJTeMDmIeOi
z_y4p89CY)iGWvd81<?tFce&HpaN&cEh|M+7FD<_dW8O<zG5d{vf{0i_TqLe9b}lri
z^Dv^@+6zPm@si<Pv|}d@8C3yPBFCQJjup8FW`#Y{B7kTBTUkO}bYGkv86mlic+(IT
zr-{4(kDqi4(jmlOoQzXx3dvZFmjxika}mnU38fW4J3{>aM4ZM#q@yj!73Zoh0M@|4
zM4-O*a+coxNM~)372%P;cJwten&gfW?FD)g;ud;QnqyC5;UJI<`Vj<-(#G<nW8|AK
zkr?p7Ax6>4itg}^juqP7J%}4Y#R}pAli|U)8k_~tZf>^mc{p@9AyJ9&pv>b5ZOK`$
z9re92hVmAGl1r*HPBLpuJh+QhpG@j&!XEGj);1;gl9NR|9t_H*gb9G|8)GiIVOnj0
za9qk)O!CZy<i~x<_l;7gvXidg^B}+x(ftXWZmDb9DI4&l>F!jGqp)>Kyg9*q%p;*2
z1KfhgoQ0-|xM7ke)BX}tAD5;{AEnR@q#xO)OkPVn^+*d`OTP}v;MR)fnM$YF$^gUS
z!B~`pT?Px>m6<71$OQDRDQZSrNK8IZ7Mpp#IYY`$dU8E;sXszw3aVijDQA_wRsn)c
zNu9HU$ya9a*-4q%QM1hj(+oC5&)Oliu$bFAAd{&_*77+zo*>ocNOdM2+IoxY80avN
zb5}>i9UBjB%JmtD&BY1(Z@@3e<ta2ri@2iBJ7<%R;zVq7Wf${!2ze3BQBHP9Pi%@k
zJV>z_w@*{AU?Wvja*=%!{!_TrN>qAt^phzecX@D*XM`FcIm#}o42!eChR54+S2Y*7
zOhped=Fn?{UovI292J<I375b<ZIOq!F(uhB#*hRH?Ts?8yMtd~qc0$Wb+ihdZDO>>
z3WaQo-q|KiNf#AWVgM763Hh*jCVZa`-jx%t;DJXW@MZ)&+6w=xlD=M`V5gFyFAsZQ
z2dT?fE)EVTW*8_w*~kY7K^ApN&<n*Qo+SxZ`OLcB)8)<wpG)#poZrd(V_dQScM$!L
Rv=Rsa(t;>x`#Rv_{{VR*Xr%xE

diff --git a/auth/src/lib.rs b/auth/src/lib.rs
index d51af8a..b6960d8 100644
--- a/auth/src/lib.rs
+++ b/auth/src/lib.rs
@@ -102,6 +102,17 @@ pub mod password_reset {
         pub user_id: String,
         pub token: String,
     }
+
+    #[derive(Serialize, Deserialize, Clone)]
+    pub struct PasswordHashCount {
+        pub hash: String,
+        pub count: u64,
+    }
+
+    #[derive(Serialize, Deserialize, Clone)]
+    pub struct PasswordHashList {
+        pub hashes: Vec<PasswordHashCount>,
+    }
 }
 
 #[derive(Clone, Serialize, Deserialize)]
diff --git a/server/Cargo.toml b/server/Cargo.toml
index e79c451..3ac73c4 100644
--- a/server/Cargo.toml
+++ b/server/Cargo.toml
@@ -59,7 +59,6 @@ version = "4"
 [dependencies.figment]
 features = ["env", "toml"]
 version = "*"
-
 [dependencies.tracing-subscriber]
 version = "0.3"
 features = ["env-filter", "tracing-log"]
diff --git a/server/src/infra/auth_service.rs b/server/src/infra/auth_service.rs
index 4f7581b..81d9989 100644
--- a/server/src/infra/auth_service.rs
+++ b/server/src/infra/auth_service.rs
@@ -1,21 +1,22 @@
 use std::collections::{hash_map::DefaultHasher, HashSet};
 use std::hash::{Hash, Hasher};
 use std::pin::Pin;
-use std::task::{Context, Poll};
+use std::task::Poll;
 
 use actix_web::{
     cookie::{Cookie, SameSite},
     dev::{Service, ServiceRequest, ServiceResponse, Transform},
     error::{ErrorBadRequest, ErrorUnauthorized},
-    web, HttpRequest, HttpResponse,
+    web, FromRequest, HttpRequest, HttpResponse,
 };
 use actix_web_httpauth::extractors::bearer::BearerAuth;
-use anyhow::Result;
+use anyhow::{bail, Context, Result};
 use chrono::prelude::*;
 use futures::future::{ok, Ready};
 use futures_util::FutureExt;
 use hmac::Hmac;
 use jwt::{SignWithKey, VerifyWithKey};
+use secstr::SecUtf8;
 use sha2::Sha512;
 use time::ext::NumericalDuration;
 use tracing::{debug, info, instrument, warn};
@@ -205,6 +206,24 @@ where
         .unwrap_or_else(error_to_http_response)
 }
 
+async fn check_password_reset_token<'a, Backend>(
+    backend_handler: &Backend,
+    token: &Option<&'a str>,
+) -> TcpResult<Option<(&'a str, UserId)>>
+where
+    Backend: TcpBackendHandler + 'static,
+{
+    let token = match token {
+        None => return Ok(None),
+        Some(token) => token,
+    };
+    let user_id = backend_handler
+        .get_user_id_for_password_reset_token(token)
+        .await
+        .map_err(|_| TcpError::UnauthorizedError("Invalid or expired token".to_string()))?;
+    Ok(Some((token, user_id)))
+}
+
 #[instrument(skip_all, level = "debug")]
 async fn get_password_reset_step2<Backend>(
     data: web::Data<AppState<Backend>>,
@@ -213,22 +232,12 @@ async fn get_password_reset_step2<Backend>(
 where
     Backend: TcpBackendHandler + BackendHandler + 'static,
 {
-    let token = request
-        .match_info()
-        .get("token")
-        .ok_or_else(|| TcpError::BadRequest("Missing reset token".to_owned()))?;
-    let user_id = data
-        .get_tcp_handler()
-        .get_user_id_for_password_reset_token(token)
-        .await
-        .map_err(|e| {
-            debug!("Reset token error: {e:#}");
-            TcpError::NotFoundError("Wrong or expired reset token".to_owned())
-        })?;
-    let _ = data
-        .get_tcp_handler()
-        .delete_password_reset_token(token)
-        .await;
+    let tcp_handler = data.get_tcp_handler();
+    let (token, user_id) =
+        check_password_reset_token(tcp_handler, &request.match_info().get("token"))
+            .await?
+            .ok_or_else(|| TcpError::BadRequest("Missing token".to_string()))?;
+    let _ = tcp_handler.delete_password_reset_token(token).await;
     let groups = HashSet::new();
     let token = create_jwt(&data.jwt_key, user_id.to_string(), groups);
     Ok(HttpResponse::Ok()
@@ -403,6 +412,7 @@ where
     Backend: TcpBackendHandler + BackendHandler + OpaqueHandler + LoginHandler + 'static,
 {
     let user_id = UserId::new(&request.username);
+    debug!(?user_id);
     let bind_request = BindRequest {
         name: user_id.clone(),
         password: request.password.clone(),
@@ -449,6 +459,115 @@ where
         .unwrap_or_else(error_to_http_response)
 }
 
+// Parse the response from the HaveIBeenPwned API. Sample response:
+//
+// 0018A45C4D1DEF81644B54AB7F969B88D65:1
+// 00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
+// 011053FD0102E94D6AE2F8B83D76FAF94F6:13
+fn parse_hash_list(response: &str) -> Result<password_reset::PasswordHashList> {
+    use password_reset::*;
+    let parse_line = |line: &str| -> Result<PasswordHashCount> {
+        let split = line.trim().split(':').collect::<Vec<_>>();
+        if let [hash, count] = &split[..] {
+            if hash.len() == 35 {
+                if let Ok(count) = str::parse::<u64>(count) {
+                    return Ok(PasswordHashCount {
+                        hash: hash.to_string(),
+                        count,
+                    });
+                }
+            }
+        }
+        bail!("Invalid password hash from API: {}", line)
+    };
+    Ok(PasswordHashList {
+        hashes: response
+            .split('\n')
+            .map(parse_line)
+            .collect::<Result<Vec<_>>>()?,
+    })
+}
+
+// TODO: Refactor that for testing.
+async fn get_password_hash_list(
+    hash: &str,
+    api_key: &SecUtf8,
+) -> Result<password_reset::PasswordHashList> {
+    use reqwest::*;
+    let client = Client::new();
+    let resp = client
+        .get(format!("https://api.pwnedpasswords.com/range/{}", hash))
+        .header(header::USER_AGENT, "LLDAP")
+        .header("hibp-api-key", api_key.unsecure())
+        .send()
+        .await
+        .context("Could not get response from HIPB")?
+        .text()
+        .await?;
+    parse_hash_list(&resp).context("Invalid HIPB response")
+}
+
+async fn check_password_pwned<Backend>(
+    data: web::Data<AppState<Backend>>,
+    request: HttpRequest,
+    payload: web::Payload,
+) -> TcpResult<HttpResponse>
+where
+    Backend: TcpBackendHandler + BackendHandler + OpaqueHandler + 'static,
+{
+    let has_reset_token = check_password_reset_token(
+        data.get_tcp_handler(),
+        &request
+            .headers()
+            .get("reset-token")
+            .map(|v| v.to_str().unwrap()),
+    )
+    .await?
+    .is_some();
+    let inner_payload = &mut payload.into_inner();
+    if !has_reset_token
+        && BearerAuth::from_request(&request, inner_payload)
+            .await
+            .ok()
+            .and_then(|bearer| check_if_token_is_valid(&data, bearer.token()).ok())
+            .is_none()
+    {
+        return Err(TcpError::UnauthorizedError(
+            "No token or invalid token".to_string(),
+        ));
+    }
+    if data.hipb_api_key.unsecure().is_empty() {
+        return Err(TcpError::NotImplemented("No HIPB API key".to_string()));
+    }
+    let hash = request
+        .match_info()
+        .get("hash")
+        .ok_or_else(|| TcpError::BadRequest("Missing hash".to_string()))?;
+    if hash.len() != 5 || !hash.chars().all(|c| c.is_ascii_hexdigit()) {
+        return Err(TcpError::BadRequest(format!(
+            "Bad request: invalid hash format \"{}\"",
+            hash
+        )));
+    }
+    get_password_hash_list(hash, &data.hipb_api_key)
+        .await
+        .map(|hashes| HttpResponse::Ok().json(hashes))
+        .map_err(|e| TcpError::InternalServerError(e.to_string()))
+}
+
+async fn check_password_pwned_handler<Backend>(
+    data: web::Data<AppState<Backend>>,
+    request: HttpRequest,
+    payload: web::Payload,
+) -> HttpResponse
+where
+    Backend: TcpBackendHandler + BackendHandler + OpaqueHandler + 'static,
+{
+    check_password_pwned(data, request, payload)
+        .await
+        .unwrap_or_else(error_to_http_response)
+}
+
 #[instrument(skip_all, level = "debug")]
 async fn opaque_register_start<Backend>(
     request: actix_web::HttpRequest,
@@ -565,7 +684,7 @@ where
     #[allow(clippy::type_complexity)]
     type Future = Pin<Box<dyn core::future::Future<Output = Result<Self::Response, Self::Error>>>>;
 
-    fn poll_ready(&self, cx: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
+    fn poll_ready(&self, cx: &mut std::task::Context<'_>) -> Poll<Result<(), Self::Error>> {
         self.service.poll_ready(cx)
     }
 
@@ -636,6 +755,11 @@ where
             web::resource("/simple/login").route(web::post().to(simple_login_handler::<Backend>)),
         )
         .service(web::resource("/refresh").route(web::get().to(get_refresh_handler::<Backend>)))
+        .service(
+            web::resource("/password/check/{hash}")
+                .wrap(CookieToHeaderTranslatorFactory)
+                .route(web::get().to(check_password_pwned_handler::<Backend>)),
+        )
         .service(web::resource("/logout").route(web::get().to(get_logout_handler::<Backend>)))
         .service(
             web::scope("/opaque/register")
diff --git a/server/src/infra/cli.rs b/server/src/infra/cli.rs
index 0a3b94d..fc1a5ed 100644
--- a/server/src/infra/cli.rs
+++ b/server/src/infra/cli.rs
@@ -81,6 +81,10 @@ pub struct RunOpts {
     #[clap(short, long, env = "LLDAP_DATABASE_URL")]
     pub database_url: Option<String>,
 
+    /// HaveIBeenPwned API key, to check passwords against leaks.
+    #[clap(long, env = "LLDAP_HIPB_API_KEY")]
+    pub hipb_api_key: Option<String>,
+
     #[clap(flatten)]
     pub smtp_opts: SmtpOpts,
 
diff --git a/server/src/infra/configuration.rs b/server/src/infra/configuration.rs
index b483a57..bd75eba 100644
--- a/server/src/infra/configuration.rs
+++ b/server/src/infra/configuration.rs
@@ -98,6 +98,8 @@ pub struct Configuration {
     pub ldaps_options: LdapsOptions,
     #[builder(default = r#"String::from("http://localhost")"#)]
     pub http_url: String,
+    #[builder(default = r#"SecUtf8::from("")"#)]
+    pub hipb_api_key: SecUtf8,
     #[serde(skip)]
     #[builder(field(private), default = "None")]
     server_setup: Option<ServerSetup>,
@@ -213,6 +215,10 @@ impl ConfigOverrider for RunOpts {
         if let Some(database_url) = self.database_url.as_ref() {
             config.database_url = database_url.to_string();
         }
+
+        if let Some(api_key) = self.hipb_api_key.as_ref() {
+            config.hipb_api_key = SecUtf8::from(api_key.clone());
+        }
         self.smtp_opts.override_config(config);
         self.ldaps_opts.override_config(config);
     }
diff --git a/server/src/infra/tcp_server.rs b/server/src/infra/tcp_server.rs
index 43f65ea..280815e 100644
--- a/server/src/infra/tcp_server.rs
+++ b/server/src/infra/tcp_server.rs
@@ -19,6 +19,7 @@ use actix_service::map_config;
 use actix_web::{dev::AppConfig, guard, web, App, HttpResponse, Responder};
 use anyhow::{Context, Result};
 use hmac::Hmac;
+use secstr::SecUtf8;
 use sha2::Sha512;
 use std::collections::HashSet;
 use std::path::PathBuf;
@@ -38,10 +39,10 @@ pub enum TcpError {
     BadRequest(String),
     #[error("Internal server error: `{0}`")]
     InternalServerError(String),
-    #[error("Not found: `{0}`")]
-    NotFoundError(String),
     #[error("Unauthorized: `{0}`")]
     UnauthorizedError(String),
+    #[error("Not implemented: `{0}`")]
+    NotImplemented(String),
 }
 
 pub type TcpResult<T> = std::result::Result<T, TcpError>;
@@ -60,9 +61,9 @@ pub(crate) fn error_to_http_response(error: TcpError) -> HttpResponse {
             | DomainError::EntityNotFound(_) => HttpResponse::BadRequest(),
         },
         TcpError::BadRequest(_) => HttpResponse::BadRequest(),
-        TcpError::NotFoundError(_) => HttpResponse::NotFound(),
         TcpError::InternalServerError(_) => HttpResponse::InternalServerError(),
         TcpError::UnauthorizedError(_) => HttpResponse::Unauthorized(),
+        TcpError::NotImplemented(_) => HttpResponse::NotImplemented(),
     }
     .body(error.to_string())
 }
@@ -88,6 +89,7 @@ fn http_config<Backend>(
     jwt_blacklist: HashSet<u64>,
     server_url: String,
     mail_options: MailOptions,
+    hipb_api_key: SecUtf8,
 ) where
     Backend: TcpBackendHandler + BackendHandler + LoginHandler + OpaqueHandler + Clone + 'static,
 {
@@ -98,6 +100,7 @@ fn http_config<Backend>(
         jwt_blacklist: RwLock::new(jwt_blacklist),
         server_url,
         mail_options,
+        hipb_api_key,
     }))
     .route(
         "/health",
@@ -133,6 +136,7 @@ pub(crate) struct AppState<Backend> {
     pub jwt_blacklist: RwLock<HashSet<u64>>,
     pub server_url: String,
     pub mail_options: MailOptions,
+    pub hipb_api_key: SecUtf8,
 }
 
 impl<Backend: BackendHandler> AppState<Backend> {
@@ -173,6 +177,7 @@ where
     let mail_options = config.smtp_options.clone();
     let verbose = config.verbose;
     info!("Starting the API/web server on port {}", config.http_port);
+    let hipb_api_key = config.hipb_api_key.clone();
     server_builder
         .bind(
             "http",
@@ -183,6 +188,7 @@ where
                 let jwt_blacklist = jwt_blacklist.clone();
                 let server_url = server_url.clone();
                 let mail_options = mail_options.clone();
+                let hipb_api_key = hipb_api_key.clone();
                 HttpServiceBuilder::default()
                     .finish(map_config(
                         App::new()
@@ -198,6 +204,7 @@ where
                                     jwt_blacklist,
                                     server_url,
                                     mail_options,
+                                    hipb_api_key,
                                 )
                             }),
                         |_| AppConfig::default(),