From c651d53419304bb556ed3298fa4b3f66ef22eaea Mon Sep 17 00:00:00 2001
From: Padreug <padreug@aiolabs.dev>
Date: Tue, 16 Jun 2026 18:10:29 +0200
Subject: [PATCH 01/19] assets: replace extension logo with AIO mark (256x256)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 static/image/aio.png | Bin 40347 -> 48124 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/static/image/aio.png b/static/image/aio.png
index db8823b8d68f8c01eed78c7438bb046ed35bf2da..63dc24b815b25f84d5c551b5ef2f9b7690c51a53 100644
GIT binary patch
literal 48124
zcmeAS@N?(olHy`uVBq!ia0y~yU}OMc4mJh`hM1xiX$%Yu3dtTpz6=aiY77hwEes65
z7#J8DUNA6}8Za=tN?>5Hn!&&zUNC1@pbY~916z`}y9>jA5L~c#`D6wL2F?PH$YKTt
zZeb8+WSBKaf`Ord!PCVtq~g|_zvWv}ZkFET{P)fBdt0?#ZCWJ*Ysf)C7DfRET@S8B
zk{279QloP`FJH;()a||V<;#~9*Mrup2ENK$Io<89^6{|AzMNl_G~F*W2zXxTU{lzm
z|NheR;>35h>F4E--x2<J@ARotr^07Oo|&s{6z6hhN8x+J-*5iD&415a{-p2DMC&5=
zcPC_bDh~ulQpx-`)4LPi+V;P%Uaxzz{okpx`)*km-6(Qr+~f1~Z{ecZY|FA2a9!0?
zxUlCy@!dcc{dhyLj^63>|7Oi#D(76mC?fDd^!k;@Tov!u@YM@E>0_#pJe|yRi(fd>
zCdp>YTp<C6Pdf9<?r(PBU31j={(q)BZPrEACuLbb7>T`4Fkp#g%?u1@<~pW)jCH$%
z;~wVq1~VHA69YmT<~K$&UvK{ZgZG2{{(ourFUsz`SakeUwdBd)`>lR_Ut|!?zT5Z3
zLroK|Yf82KA;McqA3XL6SG@6;?N;0mzx}Oc3|}tp;+(IYkoKYdeFBrd^v-0)Jv~Q`
zr(3h`W<96qBd9!Mp>vh+1<4;=hNek6N^Duop}e-uJ;w}YG-)_>Z{fRK^?~<{&7R+n
z%VV0RPkytJAuN*7CfM!ED&1A94z7NbX1d~dP~hg43(JohCcC*dC*62*>g>Mx_63s;
zSMeP=<gk!+j?y`n)CPz9iWXZ86RJ75&MlVM(6oYq&vdhehSrS8C9zFjfu$=p8@xQY
z>vi3K{{Mf@<~7<!d<y@sv}WzW$^D0qu<kkb<H5N~#%RaOEYsIrZ(h}OlVuHK*+H51
z`j7g%KA&7^nqkw?ysh<S&Qz}BJ&M=*R=)8OIch4pXkJ%Wmud?muW{~;Wyj5#_H$bJ
zT+tLR3k+Lfd0te_eD~eBZIeVDgc<C$157(I4=Wh31-56keCy?Gc9ON=&*imn5Kum-
zyg?y1L?vqRGOlO)qpmPT2r%DbVk^^HA-kqx#wppQ1&g2P*Xv(l-ciJPrM)wchv(M^
z{{O5sx3?eil7H!{5uO{ta!c~nA|`>xk7mF2&2M}E`}4x{%jA|B@AxmhXp{XWrfbf(
zm3lW{(7SlaeW{?~=7I^U8J0L1=y3BKy|~CkYm0=8*lM=LUDsphT~>W})W|t7&Bpzx
zmiUc5H{Vv>KCQpc+D1AdoyWuA?Nz7L38xfqHDoR{TOpO9b!8vh6ZOLifvoFVL{pg7
zFj%*E>fdL$s`g0s65oY+{1yk-w0Q;GXa1P@L4w;_tV&m>dIsm8h4DLX>X!UIHNQ$<
zCc0_)ItDg2(Kk7VZb=1kAB)NfO%%;ptk|X8)zxAr#Q6ThJ$6;ziuWItGM27joU3Iu
zbK&aa7qT==@0mYfeebw8^xy)Hxa{0Jf(eqRT|X|;dL^i}v0~-QqX`>$SVBZZ`yUlV
z6|(ui)~(1WJyvV=n92E9MOKy1jYWHJzOB7|^5%XX`QIW60nrliZU3Y?T(wv;4}J~!
z?ziQ?{ox?~duGkwWsmCBPs>`lNQ`6do;DK(vAL0Z99Fk&`^)q;U+#GA-}ei5pLSsO
z|D!VJ$8V411C}dvl0-zs*=DhC>+E{kw@2aUJ$r8V>km#oZ%W;E`M?^-S8~@RRy{tx
za?L?0N3F(FOkH1iUTM{=UeL9O@w{nhgbdG$84_;;R~(4ozsGD^#}mia6A?AD;q#WY
z7tCyX`ep<!)JXWKA*bA>5Y$+;(%@2Z!_n>lc40yBbxisVS5`#0*v!*Retx6q(7N>&
zy$6jCCN>y8&o7g|bLms^`?gYk<EEwGe5XGY?`!G2@uq3}g5?uW+js8ctoStbM%L`c
z+z7K%MN4%!d3r7xd#QFAUi|f0=%BM>Xh7>WQ7N6rVK)mmB=cHF*OtBC?NPmrzl!sR
z^8#N3&9?$lj!~}JOzjC~FV_8!{{QxD-ofbLe?R28^Q01s7O`#Y+Un%rBGtW7>}}+g
zFos00C}vT{?H9RnS-#4B{a74&#iistht`9ukJq+*T-;>kx}0zAfeo9to@qH-pz7nf
zW&)%7%z~M6t1E1p4rX*e*x0k^Ya&PNI@U!mu0Aa3I+);kKqIS}DLO1ewqy1uz5E{v
z(@bsJguhhuJ<luKf2YWZt?y!CX<ec06=kc2XVWiMSAB@^-Ma1EtI3Bh9#oUAO}!%g
zYMzql3axw1;lgY#Y3#@Rf|)+)d+B=dr|xVOjyu>aZB?evztiRD(QkF@Y(C7NVY``S
z{eBktf4>&^{%W~;a<_P0e|^9c>;D`c`Yl<rHUAuWf2jI?pJ`iN?#ocoV-f~zM_GcF
zE%D41$X^g@z_(THgIP$^YgP_6(SCu&yFV(vI+T8|y}ei?*CMTdO`%W&8>5Y`Sbs;;
zm5>M>Q)Xd1;TFdu3~6T=+K;>cR@6{n6gVj5xO9=>L9L9r$=5WV-|gVlF=lYnxf{q5
z`0wuamZ|rCZt%Lnw(P&;FFv`Q+&f=ePMdCX{B>9I)WntS$GEagX4GpQk)Lnc+mW%V
zbg_zzip%xDpgZ@O<vxmK^0HlUyCHk{=e44DZvyr5ZJO^D3(osx<-*$|y(RALyN7+O
z4EO)uEqKWE<?)mCzdcm1T)XuC>&jPL!I4*@LY919vS}0B8s7R!{v93P8>$$^?^pzx
zu*?6t#Ub(G5?k1g;6Eij#m0NK{%&DpPcqctohMw?w)}}kt!;biQH@g!g3Yc5k3OFH
zpcUb8^wA8r>5j~8IuF@(oN`&Tn-Uys{G{d-zL_=aSfrZq>8INgou|q!NIG@y?7Qu=
zwd}uLy&&&&xA_^<mHm7<2cFuMrM4?GKV7$Q)3xxPtrf`uhAY?#JUC_qFmUn;g;%z2
zSafFR>xmL`!h25$sr>pWae-^4Ocu-SCRy$}rI;Iy>iYaUcl@zf_y2fe8K2&qHv3}M
zy2Xv^vU|Ss7o<Fh-e+mDifNr|&xP0DC3x7bG}}d8&4|(5==AM;$l>3sDy~}0^sNx<
ztzEsMmu12-r&xU#o-6I|I~qi%NbbwLxb3K^am;!pjfu^Aw_Z)~=Ga=vw#Oshy+JT>
za>7GPR{yDMSr&Sp_EMPKwcy4F;YEU;9A&<u^Y@xx$zr;;@rk6>3?HdwzVlUkZXV3)
zcS|?l&7VJO&;P$4-2Yi@dEfr5?#(69zPWdv&YQTw%pky0YU`GLr%uH@+fr4dXg8}m
zQ6cTJ{>}8D3}#O;#}KiJ(mGlz#6>dJK62~&@*u+B((2B$Q(r{<<Nk4^huihv{vr0`
zB<BU@-|Qk1f6jexd4BES(e%W}7JCmGDQ9ok=9J6t?s{Rp&<;tvEj0mGE^;+rP(LTQ
zWfSjwc3(Lq^JC4qf;u}A96h!$h_ps>Z{~a}UN8N>Yx}Xfew!xCmAV}otC%xaxJY<*
z{0(2EFfYvcfd$Xpg1br&l!bK}+7*;SB(yxIEmb;c+VR*ha*64ofM#~h+S41v=E%R8
zy=TKog(QK0`~g=UJeO-&UN0Y4EVJ*i_JjVqrrxcF{A;b=#fnuiFWkzu-nOYx^vk*>
z$IktKKGSc;pGaQ?&tQ*#>p#nWw)EM;wk25TQJ|^hmyfm=8jaRW3Es>3dNbqW{h#j}
zR9^qj^h_>6wC+o=`EJ*EtDo1tAJ`}taIl1XmEhNmnN#EXmtN$!EWg04Ky#N}hoX()
zLr?23ajFF-Eeu~C+CHjvxUt%*r2E&K_sk2reylh#Te8k<>C4^^+R_W<|3Cfx;Je+<
ze(nqGF4vfTEjSjUb2(XZ;lYO=By>EaB5(ctu|vRaN`hj`>5VremWdRu$k?E@xO<V(
z$D3@2-E7#FnjX5L^*Hlv%9=I5SH`$)*i!W}?fd(Mr~B77txwDpU$@36B6mmr(ZV!O
zLsOG|r}o9ht*m8em=rlfZL7+EduB$aSI-4*?>UoE!1(O?>kEkweJ{V9@WzY7tusNS
zL+h$bp>^Bx?L7T_YCh{^*rR^DTb@^TT5ey>VRIINr9v}IZ#-;xn9!MM>#&MT|D=AO
z;_jA%9&e1J7ltj8TyMB7?+{B@p3{$c{9KFWPyVSB5@|Ah_;+UON+;{YXR^i)$Ne4u
zTl{&@Uv_<WKhulkNY~5;w!<eR+$7jaKE$066Yps;RIXrY=e@<z?`#;c(Ng+qH~)Rl
z%l2A=taCWrctrV<_AnayR2|~UC|BFNT<z)`7O(zUx@!8)w?00XZ@Rya!|mZ-_lL{p
zJwBqfC+n*5D$(U?Sw8*S83o0z@*UQ$`C(%D`FU!8_q5YC4=(<QGGS~H3W)zR=jwz>
z?k21LHt@J#4#~an@0jx1<-3?}PuH^hF8)vL`M-<*#h3A}**mkw@%}HPL#+Eg&Q2&1
z(X*9}$}&jE;Pu`scS-(1uKo-E^%WaSx}rDDpI2kN^=LNJ!DF*cCYtm$W-PoZ5hpC)
z*Uve>r*W>PuXSn^zjMR})_>>!7ysM!y_bncBH;z=Jj1T#=`D>CY+Q^fB?mtXIIDKK
z#4MO(@V9wkzQLuPGwjy=Q&VDXI_RZk|4?w{3Kb0@{{lsqo{H?PE2Foi8QfiE@yO;j
zhwU<(vdzE$ww+|}KVU50D7Zy^qqO+W`s8D^-eP->E?;_GAZb<Rp=Y77&L8`YcAs{Z
z%J8&&@#xTep9>`sLW@5ynRmiywtah9|C00&ChrSYM>Nx}D}-yw?YDTseOh;IwX=lk
ziPP?kdtUP&{Z^*n6&fAJ=3KRxF)QcH_6-a3RTey5_|-<M^v!j@iP|k@UN?F)<_Spo
z?C1$&GgY|wC0w{8GDPu&-ek$kC&hwy%WSe+t@&rO{N3ueW&5SGGBamvI>O+%^5zw@
zb>Ezp%Jp+6+H&rzoN-4jis9s{i8-}hEJYI(E!M15a(&*)#v11C>a@@z!2jvgy4Z{I
zl2PVQJFjhMN}W1OR3_TInrDy3&qn1B6|C+JnWsPeXt};lvs`zkz;=JT=~H;cOjM3K
zyDU<@d2~Wc$|BD#556-MEu6bqOVdx1$IS3yzOt;HMBnA2o@4(fISIJvL`g1rZ)uei
zk@-7kroZuQt)6*p^85Dg?zR83c0-6`y~wSLQq!tyudylTT;;#G%l547pBkSn8;%^Y
z)A}iK<U6P2Y^l4ef6Vh@xUKTE+@*&hFhg|axfxZ5uUvWfS^h`jkGuYF>iMUwKGCA7
ztR=&IV3o7W$|Eg0K`he88@f1?wUe0(ncSC(=PNWcTLuZNJ@FzSgmDXpnPXA)qHGl*
znT3pAwnjYKhbx{*W@PuZU+sE3+g5I!cikrr6Sg?h=G@a07whKV$%uS?)gs^dg|G6A
z<%LO0Pp+!$dVX~~^A}S&@%hF{(!ZUoS*_W5g6hPq95#t7%JQxFxM$VFiR!iA<vz~Z
zAZPwTNBZfLviWm+Kfj5KX#KwKQ2+g9D;4Aa_A*Xg|C=GC^sHO`kxK<E+xqORPl|JI
z{C($I>m|RxUd!!O+uo~`w)L;~W#V1hE#PuWU&CnLp(}>9?_@SV4Ls2K?<RlzUpt-i
z%E?kyYaVRKDGvK@R?8EoV{4;imn`Mhlqer~W=|KlU9#Jx*JoYL6|^>YC46xS$}&_r
zd?>X0V3%;9{?@LL+NI{7&PZLnR(X@nl4<)))ep|@&fo4d2U|oJ|C;f*_xOVJDvNl=
z&~#4EPv=#y{WO+z74xYn=@r{>b&=}lQ$ZOSqAq9m2zjQT%($FnvoP4~=bo48k2BsV
z@s~W`)b-vv>$OE?YUj=Bd1;>)OMkeV{o(O;!8xCw|F^kv`a!gWJ@;3k#k-DAJSY@;
z_prK1Xt%(<Ig$d0Yc<{8pA_Dc{r!Wip^)9@ROQ)8O@g|d{XWtX{xkobu0Q)mHlO?B
zmik}L=j-i1{b^@;Su8cf=&90a8Ph`tEZhW@ix!34wDDbCCS!Q%h^9Wv)fa^e)Gl?{
zvM$qII?v?h9uuK8y*8XZ0aq7Uv)$cyWAgR4erJw1O}=7NxB2)9)06ux1g*a9x8k<1
zo5J2_ZnK4Ntzt@mrSN;vu7rXsOD_4QXtML){rHM;x5YOuV_SyG>fiA~?5g#t?-tzH
zIm<tI#^0GfB3rB9c#3w)l<>z*<eYKZdEbZY`@8l3ZU3*g=YRUVJvVJX{rO}X&mDbv
zLspf+U%TwXirR+-&xKW}yh!5|4zG3j=)0-S$K*fff*2lFwm)WHR=OF4A5}JMXr0CM
zda9$(hrgjV_gIc<ZRYG*-edn+Fl~KR@Q0uOzxK!7wvFA)#2~Rj<~3u5T7>qRE+d!B
z2@ZcWEmZ~oy4$+#u`sm~$Y(N?73|aq?P60A7k1ptDk!o{P+#bT|D?U#$st-2;ipQx
zUvp1i8XLH!{bIL;-kmoeix&J@ZRf-GA$|RU{&k<bg6CbA{p!;gmK)ai==6-3#&=Vn
z2^uU{Xy|(x&(?PO@u?FB52b6akPcVsT<sgR;n0(Q{ZHSM9lLn`Es5{H*tTSg5+loH
zrOUH^<;*`{b9!^l$N#&muL%A4mY!F3UPdSX|Evi=u4r8d_}V5Tt7{k|b#cb30|AGF
zmfdrY2`j2^si}SRpl`uE(}xnKH@{!s8IYGy)@H@uByn`M$FhxPPg>5DN$B4{{N>c+
zhkO2il2Wg?_{%+k^EOADq*&^8%d$W<r4U00j~=%bKYBuE7-V1V5}xn7IAEdE(lc^b
zlD_)CbC$?<bMgIP(94?4!kB+`wWQgJOI=&s{T6IK6>u@V{nnk*&BxE|`_#PJVC{qR
zb@G3%2*wpgRlePoe(9P;`0;PEzY9C-tFDz&pOTT|bYu0g<RALBPI=|*pEmB;l$}_v
zs;u}u*v>ub>(XxHvIR+noR2PZ%}BBlI>r8@L;HtR+q|;HPan>=J*fTfO7H`nKY#X`
z?=Jr~eS59y4zVTtuOz>=&54OxY9F&mcTR@qziOucCbQmaO|%l%HC9bvI_GHIoYqw}
z-TwVAy*VL5pH?k6=RW;_!e+6VK9c_*mK)ry)cSIed*+|tymPZB*|~FM<vJbxDCM?n
zVehqhosWf8w)OSvtrXT?IHgD7m1<<StiDnt!z70w2EmPsI(|5``RzLBvTRF(;K$8U
zb5||2e1GQHx{v;hZ0r5+y!kl!X?;9*^JD$E#`%%YM33{Vj}?^C-*O|v^5=z$oA=`*
zRxPcbYiU<q72I9kwc((W(%e8T-5UQ*tP3<3DcpUfcJ#Z6?zg8uOV6twIsaJNtX+WN
z=sT^eKN;s+e3I$6D~i`h|7z=h|IIwEPtUfu?iKNQA-?fYRQ`!u8Io%k?ax24dYjjE
zj?8)OWn783T|WBGtX=36{w68;a95nhzXN+GN&HjZA=Ea3^@WYmY@>TMvrb;Td|~~A
z`7zDs_iJ2V%D_;yCdhcvB6ZzmWeejNCw`pn`Q+}S<RcR|U2t_#-OQjoOVjR?ztT7L
ziEmo?C65Xw_c>~I-cg)?YzbGAR%W^Go0v^+Cr`IkzmhCj(0bChjPu`8LmRUXHObub
z<%`bO>gLCYN3AWmwQyIljI8gsneTq?clgt_^KL8W_h9~?fA>}??VD!X{*F;_Nkx8N
zs>kv*lf?9OM0#rqd-&^&np$3nm2tmeJ^X(D%#T;r%eU*7fA}_g&G!4>zD+2!T$%7{
zL$l&>H)XeG#kD6luDy|>HtXw3$)?h2r3;t5*!%L=1&?#r&Zw>5x^RYj(Z)$a9dlQO
z79AJKO!HYDT=qM(;e7oI_jT{>*6-H((BrFPn^uu4X>M>dKzc)=Z-18dr23kMj>9f~
zPrV;a;K~aMs++}dgeNWiv4XyAi}Rvn5iOM~0o|9Yb{<_XTlnnWWP{ZPhn}2ZUEz1P
zB~j!_d*6Zjm;Yt?LqA9!?hNj`p6}4z@}y0~zn^zf`*e|w-)5}7fAs!t_Z6St3%+Jv
zsIpFE$>U9b-#R<FS%q`)ihZo^T*7-Q`P1R#qPU7Rf$DZ;aaQ&clg~Ns5xYOvS+&mB
zAYu*2u3HcKtnYm|!*x7<D{uPw!@sZRN0onkrq91J@Aknb@;txhNa`9&>9KFyJ!x`;
zf?2H7>)Pi`B{h3nCA^*fFJ@WeGqFrexbDQd@U9&zvQ}KS2tHHcW_>R)=h2lN_fGO(
z7hu~n%V%fPhQ6grI%%c-5z0Fx7GG37VKU9;;Nvg;*MhyA#hp6@R;*YtBf!l;>Fz;^
zgAoU3Oh}*7;MnQ5W|7C!g>qfDLTC7-)|7YOWQt^~%?$4Os{P=z_(SVA`;$&@u3P`<
zS+K&sV?Q0{y_lq_^81SFgjqhXFPI&Da!dbC*uK@vx<y1L+57M5PI8^TGdW12-S4K$
z1pNfFyBGBS`?WbWK7F!#@{72Rez7LbhkCLaVN)JQi$2fkzbWx!<45mXp?jWJFL=eO
z;JZ8^bj`P4b0pR!ta2=P{GE4Z&>HW#O6ODN?d25P8M~XqFG#L#;YF+4;-xcQvfSVH
zCV^?okH_}^9=-eNs>#qG*w)3_ml`S+nzPnWvxDbNXN$tdvdM9i{yBA+YJ7T|WSr0<
zaq!jxmL9<zHP^DU(}SXm!nSf;tD5TAIwSN(;g03Yue=V(cldpYbzZzV?}@_O$rXn_
zZo7Qp_@xZdqz{=}Kg{Ji{qZ{o$1+y)H6n(2^Oaa%KD@k{vwr!v)2E!fuD{F|4x9HS
zuIJ(GPoFI|`YO$JEaVfGShH{UzW@_0tCSOW-h1&BK7Gxv|M>7jwt0;eeR1n5)(PEu
zAJaI$qVvnw+xyw%s%?&(?@h>=zc{pCxjA*uOIQ7EGiFP&_^vu2BBg&fKI-7s-+9;W
zI(}43H**bjdFEbr{egln^Vyc%;EP`N7wYVPo)j;?uOG#DW=24v$idC0C*Rwo*S4yw
zA>-3a#mO^*QalA_OSdw}rQNqbcwgvMgtT#aS4g_c<td%_CLOzPRQN(N&_{kt)Y7O`
z3E4gCw4U9&aQR(9r}O)G?vDS@7^<s|O`n%#dCA<TR%6NxhlT4n-2cRVI{oSQtmwsy
zUtZ+hHf5se_i}NE6OAo0F&fife2V!z%i?kS%nK7^x=Um)tu5=EnAUauO>z9P-Riy1
zFF*QqMdS2ZgI{MRq=)nTvQ2+b+s<>p=BByJ=DUr8S+}33<ew<AJrL-8X4904{hb%X
zF5TOFHF;O(Y~6WF48?BQtZlGtHm;Z0T6UtN^X31p%;;@L4OZ)3(fxCyJLd00HVuY`
zHr=diFAAGxozf1nJ~GSaFK=6Xmuj@jC7o#<+#1UQL<HZi&x!aOEai0l+|wOh&UQOF
zgZA_{1fDsN%zpaEL4o^y8>b$RY5S#@p)Yr8!LJ8aF=ihYFutxhyRq#z`@D_YZ<?H8
zOHKSW<yw5+gbn-7_<nfzZ^@6mtj<IGmj`eyvk*U{*){2Zd|dm>h8Zua&Rp)=eSh*J
zYuN>wp0ekCCoRe7`o6dGIOo1^YreOB`<K4+$D6w!rdNGvZg-Ka`y0)`{+K&K$9vhM
zC9*-c<<@DeQr~8Lvv`G8tG{;{m&+CXnHCfG&HnLO?cj~OEblj5KhQl{gz1Z5@<z7D
zQOn-8%ss^<R`-Ur?Kj^f=|v0-Qf4bH9lPBN<Bon&xx(#r%I>PY$7A!p*$0?J3>O_c
z!m&WmM|6j4sNu%V_fD8Fp3IJFmu*Xw-mz)YTIS2&Zv@IGhb5%9&B?joyFvPa-u(}a
zU;E^AtascgdgF3hI&A7S&bZx;lf_HD^5Zm)Px6>m@zQnUBoTJ8sPz?kYBNOi9Dhc)
znp^+Z;{D+wHR)Z=(eKZvI2OwO{JyC(JkH;!^SNR3l+zCS3!bRYi+cL0VDj9TEceQr
zzfY@tZtk2fVsf#|xnw4<WWgRO#h`^3O}X+SZZRufn)6&Ln(I=?#cL~hpG9wZEywCB
zQ*T&&TxDANvAA1o@1wRIX$yHMzu$4PeBJ^khKT1Dv$s@yTy<$h;BE1&+`^@A<02La
zh1U!6=EN@)TezvsD$I#L<>Wc053U*lk5uNfpX=T!dfi=m@h!KNZemrdH}L-2$@x#>
zgkgjo+h*zH?0=toFB}f%IUGE1yG(J&x<k7I@(de`PX^AcH~8*xc-fh2r>8lu<US=3
z*XDZp`^%ta?_CC;Cs$AWAJ6tpb?)ZJyLB0QCV4u=9!pd)Q1w}`!t#RV;z#=y$LerI
zS?jbVPuH54r+q6ws(t=mN4eXx@3HpV^Zm7xIO@l9d~4EOo)1B(haSmI+iV(}oYo{_
z=-J+I>v>GWBHv53$2es(ZpCh%_**OYi{QD|z$2C^W{KVl-(J<1`w~4xdKE*N<#{9Z
zMoHV+O9y9_-tcn0($RI$Lqj-kv1p3R#tZ`%m9}q5Z!c_l<h=dU<fbK)csJQpZ8hi%
z<yf+~sCQCM!>xS_%0&0yTYUHC(x|XIT2~H>zZLrP!ODlXW><gZiI2-J_dVXav~XL5
z?A8eG2opw*!X&Hzu^s!ivM_maO@H!Ut@u#6U6q-xiAe7Xk+lcH+19eGJ$SuoJxe(2
zzHTX{>9&8<9?WZ>^={pVkB^nxq>C?3e-!1iCF1S(o!4^w#IN;sE|@696?x5I7T4kU
z$fq+G8-Ll$^#7UbwDvvUc`x`mU)f>wWyMZ!ww@*8W-C2dEtk&T@j1=+x~uF{MVUF1
z)_aN0YPz2!Jn6k>%7QmnmL&=t?wrYaW1GbFP1ZAwBICH&_eNaE4}5ZTe$x6cJH&ZY
zoqV+yi>9hHRV-fV;32EcqNp|TR`wF+Kb!vfOx`_1dEbX!Q!G*#=REO!?ZTSvd!|8u
z!mUGA!O0oRZ0~%NSmvMfO7kD*ioV0=zHa@LzgKGC4%WT02R?OOo@c(cQf+N#$j=wj
zUHzRFoV;GlTANOAm1y<|&W}$wi`=6;v9F*>)#pXyg)hAoUmuklzOg7d-Zf`^PmIIr
z+@(^hH}<yNGO4}N?{asN;PyqA)^%@s7!@{ULx1q<OID`4*{qpwyKUBW6;G;3?-vPk
z-xoh~|33xIgDW!@cPPxxJ^dl_@cVTf{WXVKA6T3y4eQze`)i=1p0jE4&2N^O?GeH3
z=S?@h6RKFq81}Bi%H?Rv#8pbIuAyClGj{%AJ*ckE!OFK^EmiKeLTF{s{9BHJ*Oksr
zN!xaK>OX<l$maQfI>k+OzfW}zWMHs8ccJZ-z3s$@MN4b9&iD~0x=qknOUh!xrK4Yb
z)1NJCTwlrMePV9NCUZmg>D})dFTSu_a_6K-gGOwMa74?w@E6;f-!3;;9ev{Fhq-6Z
z?|V@F?|<(hg_%*;<iqY&Mr~Mo;aAe6>Dy}C8d}%M<QOiz`b;!tQBZ)em#*j1jNA{*
z$Iq<HJlA>E|J$1nhi6<|9u-@E?exXde*Nz?+{@=iXNO+jb7E5XTkTuSD<^JH<n0p9
z=<!fi5@t?bz01_#*(Z*3Yom)FZZVx6A6)qH?4`I$+q$w-+aJ`Lid6+KEt1+MFrlLM
zr(DdO^S?D2CL6xDk?>t*>QOLt&GKC<b}XL~Z@OV;s<Y5l?uqMb&1>FW++cQvZRXWA
z;kJGJ(*%Prt9@Il=<^}TCDXEz^ZIjb=D&3}o+uUm-XuO%#6jlhv68eh#|1uT4z~2H
z{&hfZ$^_06B|Y<fb|mqv-TI-searnv3pE>NC0D#$SjA#`+k0xfq~p^$E@3Mq0=*-?
z_6n}ybn)zbF!$KWbt`MVV|4gd7VLR4v$faDWuZ{BVM>7kbKAxLVV*K70r85x2XpP5
zKkt5Su%7dMzkTi5@4q*%{=icZwqbo^`JSX>6Zb96U3Doi{hW;7#!W}~m&d$h4imWK
zV4Cvn+rhOOo3BZH_e_30-~8%Ce&45G7W=*5|KzW>)YaY5S9wEY1FuFUXIh>R_I<wo
z(SeNtQLnTfxcX$b<SG}f)Bp5k)5GrXk)Kak|N6Evf5Nv<hjTASy<fF)c^=PH@9i@6
zzK8#MC26YdbN)7UvDJAlqr3Z=m-EaMoA*=n>GrtHkH>#~$W33rHeT+Zmc{R!2dA#<
z9=kdx;YgM3p{2eSdpI9Ng)n7JPI{-d-7Ui^fpNiJxk-KA$_APZBA33Dl>X_QY`d*w
z*`Z}u9(eS9WvFZ05^T2D=-<!z?e^b}KXA`i_)s3O{C<I9k$6~jL`Yg%$(7lvj<+%{
z+-@=T=J`2uj#X;%<ZYQ14tz3acQRe{xVGn4`+1=~VXoQ=k~1d7wqGb+X7D8^H?utZ
z%caU~=WRXfuU?i9jIEkAZFTzc7k59*RDT$({h&2`?uR{f$~jNnXA9Y!$`tqgZgOl<
zk;m6ddxeU2ZG7QTuv+&q_qAXDHTGVepZjIs`E9@2wD0X-*IGUImDQ@u`u2d}(z;3e
zFWBi#ZPuBio^Va-_>K-^rRmj5{<_kiU$Sd`?kxZQWMcl(y*1x+o|T8N?{-?d&p9zD
zWC4Sm^Ev1Af6q2dRDUd$#$Dwf`sdw(ryEb-{-D0@p_|`cF*ng1%NN?U8|N%K9>8W1
z-M;pm>9mzw3RRX$WXw7;@$&k%fI@RE#;sy2bMDORw%O&tA$fOWUUH+Rif#C|jcz-v
zLVtaIHQ{E@OuwBeJ}cyZ6x)A)^!$-y(F!hx1<&ek&2x5T|M9i-MZ2t{uNH^Y-@4`t
zS!)s`Zl9X@A&P5L>bJkOZ>F()IvT{i(`cTUT|L*jBQY&k_}fZ&)ee|UeNa|yGJRV?
zxZL4&KB?b0x9pNG+h6g(_TTE{1gQ@js-k|rN=|HMo9>*R+1l=MhcSFgs~XR*Exp0_
zFY+b+iaGyl{)DQ(>C0{YWW2s_6jr-8*mmivtt~$<7JcaY7v!;Rj%bfy;k6mX%E@-c
z$7cQiQ))W@N3fN3dH(HLu@ZhQx7gKvUoK+mHop+b=&9Hux9%L*<mEj3gAT5X`jH%d
zGx*yL>BFsC#j5&JMc*0Ku6cXeBj#i91g1_dhb~{!&aWXVzu(+t-m~>$M|Wt=>J6pl
zA7fVLZ&hGR{h~QL?B?Z@7g=-DUgR8NopP+|M=QTf9lPABo(kRFtIr>L+5O?fYO{po
z2E%o$xuwc^xKlC~_J%eY?Fl*h`b_nWmStZTDVkdJ%v``A^k*)U@6zwfm_qNY-l9`7
zm&uS-^Rl_=WNqHO*M_f*!ykA~;M(>rEbPzG-w$`n{+Q!>&*<4{fAcvnxr4=*yY($r
zf82KDyF;u@O5293-xy}iGkiS1y!8M4Rh2J{&(%NO_C5Ypi2pIG1A2B3ZmHLr8O?h>
z<F%~zrVr(7{%A=|<Yu1Oe^>d_!tYUb|I~eU$97A<k^1$j=<Gp`+NSN2U*4#BDouz;
zd9-rAvCXf&>z{o8_fB}jx({ccKhuBqV|Jnqr}Uj39-~}~N7;Te6oalRawYkmyWm|{
zUL<$eVKU#BZie_rGulLLc{fj3vN&vkxDL}nmi_YaHR_ftJx{t{^ZNGlap7goOFlb{
z=58!KZyRv^!{PtOOMP~UE3~g;V2H3}+Z-C8b>>rH3P<OIEY*Swu_i}l4a0&yT(8;q
zYjQ#ob7{<3Q3J!>Q9@=8cQ#F6II6<cK9xmJZv&gF0gLt_<p<h#`Yyb)JN72|`38Q?
zdj~$ToGZU^z<&M1FAOzj_o_$lt2t@-QB(Ys(lX}nO?6$RcNj~>v<g<Ada}vzt^LCC
zXZ9wa&MlYv-Z%66_tjbb8&2tq%@EDIv#NgW^POU>8!GIa8w{>=*=$Zcv%Y@o)c8NI
zOMicfJ$H3>+d}5#WKKhULy;Si-ZK-G*$SK9RIGZgvp;c4`f;&+uY<lPOUE<iN4CfB
zW^rDc^^iw2``D!$R-gY|oweuFv-r)0D`tvhDr&R#et8yB6<r*=FKIC!a|l}wYv|Oo
z=R%I}cbRYMDz(YUU`4j!?b{}oW6xbPt*hj$dw2it0=a#CetSO#*-J#RZ*Pf@J$}tD
z`ter5Ij3q^T_(?{k9~80$w_(9mfpOUj)Ye;>fZz>o|;l0B9YHJQT6kMM*+s3o-Wyk
zkL60;UU@Xv?)Xz~{|&nyNqlj>+Qq&9Y`qQJ^v0Qq1^;`>W#=0dI0;|;J>~ks)TcdD
zM0A^^H6E*L-~O}r*uB52d+RQ5dlhc^w4)*XYRbL)0fl-u)vCkt_*WPnE3Yz)`Ohn*
zJuTqbms1{3?CUdg>)-tk-8#Q|@s_JBZpQK}*Uvq_EHilW8!b)=_rE?zp9$O6m2%En
zn)>5#|G^KY582DA4Geffce-b_h58CNn)U8}meC_yx~HA*<#nU8I*J}@O_MLqKYwcF
zgVYp<^I-|f^^3L%PW5VGe0xKu<hfhJM+xhDPv>y#zI9;z|5Ls1e*Rrr^>O(QH$l!m
zqs_4~`J8XBCVDgSFB7`rdMD(->~r<v9W$Fhx~SbuPfb{v9MUb?<G*9IN`YDMrH;d^
zgD+j&6!3^IXJxtQp5^u-QpJ;$uL_vSyS|-qveM$0TU@&RDfQzIvf_4{q(&xA`g6_X
zaEQ{UwJX?`9MtEYyu2s(Usm+~N7s-2o4tMR|Dw=XR;fdMe&#WAil=T3d%yqxzh}Mq
zHIKi1U0?tA!-<K?i&hoAyrlZ~$8meRzfaWdBkjN4NG`o>;wgCNgg58A?pK%Az1nSW
za(R8_`JVf=!B>Bq*ROwX_j$suS6zuF$|3@)DJIW8UDv#j+)@^L(}L~$_w<@~6OSi+
zJ?%90-qic;-%4{V4oj{zER{8wlwzlPcKW%Oi&dv}mvKE3wvax&?&LM2WefCMzMH(=
zBhnwJo_O9){G8^-0*@cP9tB>fj<}mG2)W=h@#c)XtByx7tmRK+kWtW|%gV6fk5mTB
z75;?B63h6`rdBcK9@x5vw^2gcGBkGe@sNoLQSD2Dx$N&ht0`T@bH*v^tMN>Y<~CJ-
z>m7=rJsvCAwkx}8H}S?_&O3kMbo`R?KSpma|Ec&~xF_}Ll_~3E=O-RzIaj={QO<PF
zMvtc#8!z<DmHf{iQoeux)%^XBzRq1`wZ!;y{*H?GzM-Mt-saa=f8Kll_ufyX@!w1T
zPFDBt>oMf)>u9em|M%zTGiUi<7v9<bUH*T|-=*=tmd-2YOZM4ZaO!z5*Lm}0Tmf_B
z4CFfgJlmc1`||zxt^Mn)(#v^kA17xOuhI2b9&)sK@0I1XSqIpw+veI=viwp$bFO7_
zoJF4Y6^T8D0i|Xtf<L?y_llHVdGdaC-|BTI@Ap?YZsRa9G<vy)LHf5%--$nWqc(*m
zyjtLJMdY-A?!6F$d#+`AALc})HHZGV`d$8*$Bp<r4bdMzm)J)ijb#7SDptRy?OuZx
zYlG0G`CWA`*$2+>N*EX>O;9U2$K>)UeUdkaXZvpN!Zn_HO$!$*HcvhB>fMZ20<k==
zH<t4LUA*J$w59iN|Gd38Ke6UzalXYPi#)9usb3fG9Cnx9oL{KD;WzWP@-M%oKHs~a
z^=H0xb#1PV$-6b>p%b6~%-MhbsAc$Eo64Yl|9|g~|M&0y|KHmAm8YYxg@uK&2}v{*
z>os)TSh{rSuZQjOa(kcKzTe1i^Wne~W%-{SF}q4u8XfylTlap!@z0)>bC{R3hSwc@
z9lrnk?XBEFweR>N>jS6k5<E3w&#_07Iu3uIvT*gve}|1fopJZ`xEt~Ao2a|t#w`CX
zr4nU@<$B7o4=?llKbFy)b;f<c@47eVJe*X8FE2_u@zc+8qx#(Y=TnzF;SHJO6v+B~
zgYW5Y1<kn|KfK!g;IRC@!s2&7pQwg1^qmfnb-j~$WV`NEon$sOx9H?9hpAbeWs^;h
zzPZfe=cRbDLop{fV@WXEEcLoK8+_Ebjz<T}%r_G7{FyoTkjE*-oZBlxY@1EpKc=5K
z?Eg3FzvJb7+wu>4xkk+0B*C1$;Wy{1o8Ql@D*t;XWPkqU*SABidKrA@*KK(|XY=~H
zud83n|5_+7Rdc<(_IlC!>$}qqZ(8^Im-qfJ-tO^#ug35FtiAt}cJ%XebETz{*Qw4b
zuwBH$eWEW^{$I!S?f*N%HveAx^NaM_a^r>1FK-iyEtRa2i~oM}$Dhn?^_5GlmaWyX
zKJs)=tdY%~r@m+6_on<-*X6XDA3Rl0uW?7FXGdM_%vp0cp89ilU3jtTX&=@vj8{Tj
z(}HiUe4KRo!O?@~|6Nhs@*xxyNDMo?BmSS-@G#X>uqIz~VU=aFEn~Hkrm%JDS#`Pj
zN6x&;E1Gp=r`MddSBkr17@T$$h>9{?@GaSO|7_Ln1(gy`yz(z!f4q6=S9s2C{r$W5
z9XhbZSY1NA!$ygz*56v>=CAi#%YVH;_oLh2vbH}sR!N{`(mabPC*SX#9=zP|qqF@N
z=fCTJ&RQ>7SSuXvH{WjWm#y)?x9*nzae)2L&f@1)+|v&9P7ATEPQCs5_Wk!yAKo{;
zD!%{buk<RZE>8A-9jhAV8&ZXTCO!OjKjP)w`CrzuS#4bq^loW$mHqz1ehpJE#g_ek
zCE8uf#Cs{@jh#l{T<^zk_uX`@?b!C>4~MgJVo0X?jGKJZm!uk%ec1i~r9kv|hRT<s
z3=94W?qEw>cl63(i3JNUtc;DhH|2<&inF%B=YPs4!jCTUnY3p^Q^nLZO(I1m7bCjM
zT-^Sj&UwFS8=uEN-S<=D{P+Jo^yP{6tb5brGR@s;mqja=soN<X)D}Jae8buKId9GX
z?7F<)=Ibwk#HrN_4gb7;9g@BJ{r`XO&F_DWy}$L)SKog+>V9(~D$i!eJ^uH0|KIIa
zbNwPa1Y(M(>&F~_^mqFF$^+I{cgq*nJngrBEx+ZP@p{qwW{K9BJ&xz(o}N)Xd@?oh
z=9RBU``7dz+j91fe#$ZTkmuK)$OL&Vh}kCjxKzaFN#C~Eo|a3h9(>A6|Gk*vaA?}0
zzpmU)F*?8RDV^2Ze3Nf_&jRn)AAUT~^Z34BVW%b+Lpfs#^QwJGQoLafQ<Ds31JW<2
z^xN%?oU!KG60XXJk((REzH@h+F27}c-eZNPhT)CNqVjz8&(Cg}^eFLPc`fVTQ*-8h
zd$T=$&llCx23ad#pUx}gJzuhTyK$`Gw*Q=8Z`IpB-d}a>b$Qi#X2Hzv-S#~v=hqfI
zkNImF|Jn5M{_o%a-OE~k{q^0B$@@P|UH``R^BH67{Xb{#-`T<5QndB_dXbd**TWC<
z3YlHHA6ENWzoPPKYuw)x*E{!H$Qs$~K4&|<TBf*Zz0I2Qdwy<xdhljv?}Bdki%d~X
zEyvm`(jWa$pDi5l)-3hp$}_GqT3RhGj2z3~d{~*Ze#<(Us<xIzUng$1ZQQnWmTAm_
zw6^B^KOXc-^XR+e^)WGQIL^qPxBV!O`;5A&-tp&t{>cnIH?{FZLp<C6N!!zRS=c|V
zRJxJQeRuwy7Qgl4$7X5XVH6JO`2Mi!^}M>*JGIl}Y_sDvAIPi?|5dg~{aRG)%zyh=
zbMyZ>;<7*g_-}J5L3Pdk_a9#FV)9sj-T40l`9IC~UdR9cHC4Lu-S2n1&;PyR|98s$
zd-vR2LW-B3cIH&^wA#LEm)N_X8LRVuuB|F~C##;A^|$SF#nlNXHa{uRSiAqv#HIK6
z&Xw|oNogDY<>{IlyZP7r^}Y8kzs_us+jC6sh0XMR7SH8HmNIj(n?AR1d9NY&SSl@U
zXNI-`-@HAZ)yi?-_c7>4-8$c}GO^^6@de#An>|Fm>Tb&{)7IEk(k3<0PNt+dTwu%N
ze!-UqH7{>q5j^QO_oPH_57P_@uAVN1#=ezrT=!23-hFOgVfpu|iOnAJ-*;cRxz6<8
z`&-5L|15O-m&9ByEf{|1?bS^m*13O+w!CVo&Tsc4;q%n^pHu%z-;L$B{c_>c?t5SL
zRvQXt?ECYmTllS+<?L+z(5pYJb&sw2w{MpH&;NUNe0e&(WJ56b<{OWrxWBEvy}A0j
zdT_JF3r`O{?FyyNP0t&{E`|k)3-`@Y(pz_-Fnj%mwKEm^0_<WL-#^ZFozuRI_cwb5
ztGK!S*<TL)--=_JO@h}|^#2m8`)r<Hk{`SKjtwh=fwXfz&)&JRRreCJx(yYl@ArCW
z)2nTFF<;zyS$L-4z0+4OJ4Z`5?aW^!n(#?${@tCH2hOLgUd*7t*|1o2;kLGa9qacO
zJ$+L6l%u0~%f3bT?UL1h?GM}kS#<y5pWAQln#cR=?`PLPe>P0`_xD`py<gY1Z`!!A
z@UUou;julR=f0ow;gDgg%}oAZI_thvKl83R9TvKE_qJ`{UL;uD`g!EY{=fUJqxZiK
zo_sN9LC?~qU*~<B^6Fy#-K;)Eu~$vogxx1zH;BBvBz!{3wBwxjmO322IPKo&7MZa7
zA3cRKHMDzObUxjhDtx+2dFKCy@`&q3mnC;wMBLnQ(e^9T@2}7P{Si;hO02q)c*|QN
z-Ee2cB$2D1lpEA#C7%08zM6fUt*52SVXnM?+}FcL_|JFlO6*$oV`rcC+(iNWVt&2S
zzuV^CT<vh>Va<HU-<;L^zWbj!zW-(5-Kq$eWrbI>e*OK&ntUcCw0Fsi4_l9)`tD(9
zpYpKMFYfcK>t8HXuD^TOF8|Iw;$iC@_mXAbOvO{?pFjP5RowdW)Y{s=hS_U{C&a~`
zpO^b};r`-@?|&UAF^Sr^DVt|s`o!(Nw|AT0nlUlIV_nP&{fTNxXDs-or7}-g=!e&b
zyYNie@h~vr?$Q9MNp?Q7YpUj(vx&|>;4*)0_lJ2(_muAyALajWS+eHAeK|M(*xh$h
zSQ*wty?EOcck_^6S_O~ZJ1Ozpk3Eb_Hcsrct296Aa%V=r+>A|X36?*(%MV<L6zKeW
zmo?XE(xmbPt^cCw<^BAj*Oq4lU!MIpt~Bv!`%~lp+q-?<Z93M&sXcc^Tgc~w2?Z<H
zy)HDG{a7}Bx~V|;$>-K*)~;JOZ~wH<vHddkb$_}H)7oE$Bwbf(RZVC={IIpRxA(a3
zgQ_PRZ>@fPlCS8~{Fp26e{KBu;>E0~Z@Fe&J~c64=6v6S0?W{vbKU;eV%6FoA5!t1
z<}_<XhnV!%Bi}EbvwgK#sH3~@``k|+VQxBS6gp*;<Z8Mz(|uA7_+4#(?9RVhbbV~z
zKBkIi-yNncjQqain^0YrmBP7_eLrhX=&cu&4YXly5m~s;<;zQky*+Q;cosyfPAcE9
zV;AStiOQFkRb`ad?02m7&Hr=yYH;@dD7(M9w=d<)*zoE3Y9^l$CL<X>{i~&WLu<;e
zipqTZ+WFirt$w=`!`rV_?b{ZHg@zjQ*-z1I(9zeo-@I|-$1R4-!a`r~6@PDgF=)cB
zRcgGOzU({wZ}<Q2b069&XK!<t`#b6Fw-nv20pWrceN+DwO^lel&1lYHrWl`FL9@%l
zyskB@Xz_7b-l6<}^`y`TyWO0c;n8!QUN8LkaOc$z-*edBPC0wB?1aXj2Z~dFRw)*J
z7G-F#lrMWZGw!C_ZMBqo;e!W~q&r)lEU|UHz^B7gw|}9KbLyuu<|!BdZIO;k5}vgq
z^x&M6@n>`=GH`us`!vma_woM9@-55c{x7Qibi)60tNo_6XSp_h;&1pqFN2XI;qig3
z%?BTN?Z3ZYXKs;Y#;5f8GiudtFfNF$oa2)HIKX9+=+^&F>H{5?uUfR~n1ph6cDDbz
zb?f3j+`E3x^7UTxm9fdUnL4(XT~qpcKJL@|pY79sedh@=i+@}CckbgfR%?YNaZ|&^
zboM_n|CQv~Sy%V%>1~J0zF+Q&a7}q5CNR}0V`9j)Jv#UGILkjcyq>Tu@zoUBR=?hR
zDLYL?4(#-AeB-qD$%e_NGm@=C>`hlp@~%`p;GgUmHnDPpziH0Fi3j&BVF?QTw8h{1
z<#YAcMNT_st-dgSMcvJ3Pu7{b{c`+$XJY+n@qMLEyPXz%_LA9iQRYkLf<>zy?KQtw
zef#y-vfqFI9hDH%DL<$6^yj0;zdLQtzm`_}{Xl>{_BXef;KplF+qZ4|cH+{dOWVHh
z`*!d4B3swcvrUsk1vB?_)c&7V|K9%AtNo9*c>LzQ{rGXn)`MY&F)^ZwPj`GQ<k45J
z-(R|-_~88hqtQki)i-loUL_yfc)~!$KE6ZuxnzdMM_s8`zh`et-CU?){9~^3x-Z3R
zi?THs7|N}lG|sxIwl({Mnh3k*@nE+19X-89N2VXxcjVs$rSD!`#Tyv-cCVVU$)H44
zY>6<N+r16D_g3wHE&DUKI`7B(pMT8#Gp4i56brZi{?_E@<-^tabBedET6HqPV26Uz
zyA5HlvJY_b{r<B`|AEq@jn|@XuUWs|-b#i~{oGD1t#eCUQsuQ5gfOk`y74{#_xnG`
zXE*PTH!nMUJvaVktL+)z4a}F@HZ^MN6tAhb+H&tV6NicA8*_18kKJslIS!YP^gna#
z;hikpXVbL&;0E2&6*l#&Ppn<cuxvk{|Gb8072Soi7pSFVO;0uLx@x)feU!2U_coy%
z(JgyBm+o(Q@OxtIAHAI#jqQ>eF(>4vWZVdK+y9D7U4G-^hrgdpj^BPb$9F=c%;U^8
z?<HrnvQ7xse?DjHHM7MRUo6_XEtY{j{>>>_{TCl}8VaU<+9UiY>L;Vrk%;W_>({T#
zzx-O&Tf9zOy*}!rYv^;e`iuLX?woZj`>S#EJL|fAl6xLWFW-Iog-+7v;z~J%Fekfd
z6GLk4etulLsMlTE_4Wbw6N1dWHH|+ew5X=6bLjdj{zQQ>!*EMZ=i&LaGIrmDmi@My
zf5(c8;laXUgBz`3>ld68zuhqT;{PZ6Z||tw`m7`S(|zl5#r(Y34Q#tVpLORGIJw$6
zh^J$o<o6}tE?>6KvHMmU{^!RQ1!KM$Yr30F)+LD4cYnXv<zX$uryrG_ekS~R<-*C~
zAxA0<!!~YPv`oD{-1m^wV&;{CFR#Y=EUh$t{WII^Y$5ORHC21>RU{`r?p(F%O7(p8
z{omu}6bETE*Q)Pd^~kxDmvPp{&x_?P-|u^S=;y_|<wrN=Fiu;$Wc43*S$UVHnS7iw
zB1t9(N`>uy|C04y@R(PmW#LZUjjLyzTBdt%dk$y8|JQtLtJitQ?do#4uH;`Uac+<7
zykBcM-S2H|z4lr|&%EZtJk{m@mK_XhV|-q~Y#3|b&iq)v^vod_34gtoWnCq5s~WA#
z-n}{1|GItuOUeDE^AE@zl5_fJbiCbvnqy&v)B45<E0?cI>iKy1;fF^hR<YT)%Z}XJ
zRnOkl6ll2Z(56*~UvkRk&b{=oLh|ih?bGdS`fI(;@4tPwI`R0<v&YX~dysiE^41j3
z^A82Sc7C69Yx|T>rHkBd*X`fGciXmaErxD;zJFbGNhhrCTQI}Z`}e9tLzOS&Y<u_P
zyp4K&Qt5@?Jn1(MZL{4nDW=bqd1m9YwJlwDUjCi4Q>23Fm8m$-$(%`3q$f;RxrIAu
zSG=$d<D8_c#g#?kXKxvQ*ci?5Q~&9;AO-=ck3XUhoYQ-_JljCy)3#G5<DV2b@^Fd?
z?@h@&pPIK^<HI2d-f6Bc{MwUxPo3$tul*SQzhd>|_Qt!d+PuxGT8)oh9hR4knycQr
zs%=fG(^9$Qp7-B>i-(5Z-X<#>(6m}2U&6rXQeE}-b+J{g>*B0dF1{%gnriS>EPAW0
z3&(+q{62-NcXj;bzns2(d&lSWRI3Ufvv9e|+NYy^v_jv1uewn!GW+e<s_?Mz@cANw
zujj1RxU(Wfcj|lH8GoK0(O;~;^5C-YWoMmd&(Gg~oafj7?)Za?qDo&j?tAg?fS|`W
z7AYaSPU&mHVdbWZPsF$Vn-s9e#PO(GaPRqy<|+~4q;S8B+m4G?8@90Io9_H7a=>^$
z=l6YltGJW(_9d|!M=*v4B_*6YE+n?<+l8Os1nXXMHBAs@yc=%Stq{JDPas*oSu*w^
zxBcg<z4H6rU5=&5M^9u`-~Po_e2OC{51XII7PduC6M77-BzW}vmj~zGF6%req~V{!
zdb+KzEN-E@-d->BvTHA^k4pPTn_DoiGM;nzgd(4@=uyw+%?egWPHC5}t!-U5cmJV}
z#r-FyUQB;-=~iXg^cbBplk@g&nBcSj{{5KP*jg_at@pK|i~jsx^Fe6;bhRBKlkK#-
z9!<2WSQWQ_roWHe^zD6hAxmR>uP!^_KBvBatJsGH1<!8q1}-;Abje)veg=bGXmH8S
zW4-mYuZoXs$&t4|R+7#$|M!K5U(b9!wRSm!LJ0r94-JpLay_~x_&P~q`GW6aE9%YO
z7th(n!T4_Tr}ka`bE5@o>Nkl;==ML|7{9Oo=CgX)@TWUP*GOC_7LMsM*||c+gfGB1
zf9k$$n|4vb`0HO&Lqp&H?OOHgM4?er>RtZr@|PArk6-D2Ou6dV#aoiSy?X01d=fcd
zKj77UvQt4bY1Zqt#=H{)cDt<2zwmhX`fI&w)l<^H7#4rLv3Zl_r!85#(+vOC{r~jp
z)vMxTGejP@OW3KddvnqE)Z5()M4pA!a$PWuO-ZaZwfMK@&%Y;vwccL^rR=$0Z{>B(
zI4vZvbyD<9<q^$kEQS+TaPU66sG?Y?p=<3Fu~_DT%rOhI`L%r0uJNr8kL$TJi!0%H
ztL?&!?TMLfZ@)8}CMOm#%gzXwnwR>=-f`o_)DIW4jRoaD+%)1i9=<nB&pvMB?>FBW
zU$3%?o%3dbdd<%;si%?rBCGEyRjSn+MzOFhxc)kKd#?7{?C=oRuo8>f6Y|yHu2$7#
zJA`iE^0h~e--|(h<8z^x7CwcF%;x&@S6as0Q9hjXW_3w&+4|_(N1KZZUkX1vw6S}W
zbx_o=z4v}jojSF6Ro3loYrPos*Zo_%e*SGu*>H`9THWSaIk^{x-|naHUr>M8HsJjQ
zp;f=jUpr}dUKjmn)OqpkZm&%b)l&DZ3W)KZB)jUNUDCwBqg{&&Pp#Ydp*7y>&Agp<
zJ55Co-0VLb%imbNVCmdgwqo&&+gA&_b~&61jo<Z3`(>$?`aQ;G&L3|B{ug*0kaUXt
z)H&z(Tl=-Q>Nq!4n|`|++Ld@_?LW^(k=6UBd8y7jUiJRv&8j_DzCGO%f46e3eO=<r
z#%(*YPW8-KYL)(6%ITZX%BF1v8Db5KEUrZFF_%<ZJbUGWuH}hoI>+`n_WQ-X44eOB
zMa+$gWp?2^6Kgkyu6?{j-M31t=I^H14z>SHn-=_tyZF5LhIdt7;JfSTv+ebl|EiC#
z?s2M@KH70)u7tB`R%hd$7k*hj66du0-3t7RZ+k!VU~w?0eP(!RlV(%>JDKfk?#$w1
zc<@LwLfU!l^n>%8<~hvf`FDs_BP~Jl*=c8|OH7dsjgq{t_Pq|B@Km?*(ck<FH{X>D
zXzu&H=1chGBB$r(!6^zmSwHUGnH)OxR`|1u-6qw|^XihCCw@M7#a!-dXFpe`%v@%9
z)*BTao9E{Q9gQ|%J+-ovd$N=xV`gDm!`1Z{cI)MtXa9Q~?f+Fy{!Q5ARo}FZWh8zR
ze`a&Ex_kBieaDv_KlDVuaPCU0+U+$t&+T7Zht<to8Gp{%y@Tgt(yZqk6B|qtCs!Le
z8%$->Pgs%k`}+;SMHRuDH4oUPKiKHbw=p@c<xZ4ML(nn#mQ?2Db=f_;-fnmpbZf8r
z?ZiT*?CsCJyBIo-nA|_Xx*^J~@OkC|g&A?$*6}YkR{uLM^y=#Kv%A(Gs<!M9p3JDb
z%i{k&W-~+9_T2L}cjnxwoPDpjaw;Ql?$f6D_m5e+Ju@C!KA&T}U-m<yaAQ!8sqajo
zzj`YS0^ZCvOip9BTC;!4&i%EY&s{95wb^{@+>zB?-*=^d)&KkFQJ@>U#_dfii4%Jk
zv8pO`ygF0AzNV<C$#MO`Z#nDqZ{|J_bma5h93wLMW`pL`2;U2maZJ${-1qI*S|nHK
z^;E{%-|k?^7M}jQO%LKHMTavwM7*9?DgHpealK%2QeT6M-u{yZ792e?i;>%=e&Uwb
zqIa*ob=_5<#hzET^TWjVE`JY~sP6teRi|y?spmyoqxLk{UU;)}f@oK4vGTn)=VB^n
z2=8V~j+)bw<$Nz&u6O3#1#+S7tK2_k1hH}QSokO_L`hCkuetLguKVQtXr;BcTYhmi
ztd#qZ{>NJFyU+PIQWMkCLX0o-zqdVSIj6YW;r^YLd+a~wb93nL;rrXL?Lg+a^Z(}L
z{8rPsYWUSUeZJSF{LkFJDGU{&w`S-+i1GRFdnIwcbHk(PC4qYD=QqAw_%!XF#Llgv
z2cFjnW-;3qx6a$PLZZhduKbp=Lg*(=pFb(jp1(T49olT9Z7^xSZ@p4_{aaC!$M0E|
z#k5W+o*;DN`DfeXx&ieEllymHeJ1;_@pHO`QFg$`C%)O;@~@hB3!jGeUR|gBBTS>w
z*@VF*=<4d$+}YnUm)FEfoi1*x=k@E`r1(BZUSfZeQBmmaFguOLBR}WQ{-er0q4i|E
zR@gK3fBP0XhR$7eef@Lc+3ydW@Y`@xcS2Bm_s5C#>QU1Sw=K^4Aap6@)`WMfCu+_4
z#N1PE(!1$3i`@U-!>{|K6}N9=VyL+Nw;)hjt6Xq}6Vn7!SFL=;H=?rhUbk~pF4b3P
zn)A2uqtEuJZS#IkUa_vAU{RXnr|6pZQBxe+qZTJ!x$^y2^5yNXna{5^D&p1i%j*5A
z>Qc+MJGDKuBhKf+hV<(T7H^bW#^!N5F17lm%6zTNyR}O<u<cQ>T6$HkwsQ6U`aio)
zPRv|iIJNB;=gk`Xj-TSUFUlmazKQ(necHz*gyry!znYavLBW#qvsjj#a&%qiAs8Xp
zm1MZ2+P80o`kNe?$xPbsZ_au9=-!X(d~4P7X59J3^`Q9tp+NR^I~z(DF4^wOX>)5T
z&uguX&h2eSKWfc=IbSJa;~Vb17mv*Oy>@$N{yj&=Kce9i*uy5Cw@?4}-uR*E$wR*t
zect$fZLr??IkoEkPPwTjTU4yFHZ7feR({nfk2S{EfAU_Mt5+QK=!%VxaD#}xuI`kb
z((iX%v2-!MA0+4ap+e`{KF{|vYi_=|vgG=YQ<dp^><g~W59TSjDq6q){3MeDhiwdh
zs{OjE6EWq;+ZSC~K|-J14VKnTW=hc04rJ+ln^Y)}c$w#+@&893svfzWT)UpZ?$_iE
zOAO}ZDOvID-m<)Ne#8E}nJSG}E6p2xxck;MlpU8?Y*e=?t>|I@rK=aCzo>71Bb*fV
zC+ED@lqn8U{~q<$9+-cx$~IlE;>wnai%GXi&VN>jzLd%OVA}D-<px1MuRkogy-+*W
z+wAl6PR5I0=I?*hBYq@v$)mz=TdUH3rM``QT&I1lI^6G@ZG!w~Ve9&1_d4TtvFpgJ
zKJ%ygY4Ky_kVghtyMjJ=u}pqhHq%RQxh7ZJG24{gyBKzeJx+h~?RU@G*3a8B-t3<e
z9nZ+{MgP#!#$+?=_RBkp7ij+Zo3U?c>^;v}w`cwQ%d8?I?yGw2O+om%fA_49?!GP<
z#`YqtYDZPkxjL_e`{y@vu1b=-@OXCqqj}wG=~iX-SJwWEiePeD<tcgT)K-JMUGF{k
zJl;xvF^~A9W?s-B8gS=wBfCqsgXq<1VRF}mADizq-o16!B&izH2mE{yAHQ!tCARN<
z!|tamKbk99&08-lx!RL8-{sN2b0;UMy#LrOsLSK^ae>ycl{>d=O`dY{;kQG*lWsdR
z#_W=w#g_KgQtSB!v$nibO!HiS=(jUy-qV)J5_Qx%|Ln1?Z2Uj7(7Dm8xavQ*o>I!)
zAw8pOZ?t*YzLx59>`uMsg>4$|$nM&=VLzv=VW^=7TfgAhGt2knKU-MVoONpIIlYc4
zZyK6sE#8tNCZ+i+cU9M9^P-|ZRrOgpHTU*b+@B!FzW&$JqZ@wQTVxUSU-wz@WaTSU
zxz+ZI`smKkx;E2ef1Jp~lhHRMJEi-&`zN|}n`!Nej9j|wf57fXZ71I@WRUxtDe>*$
zpZqsU?~Kmfe()(v{IKuctAFQCxWnfbt}@B4CCkEa_WX+FE9wJ6rL7kE{a~vO<Lx@n
z_euZzSLe{Ha@V)sl-~KjM#5lU#M?me@E?EGYFExYCF?5u<N2rGHw|si7$_vBubyH%
z{giI{1|7+ZvQ75_)0Q}MoYI-Y7a)3NpX+<M{g>qDA8l#=tM;WXH%6=T=j*%fiWAl_
zJmop>bH8_``pqln7bIND&1~#E>U!C*@X~T7Q?9Vq+(MJZyiZU0>V2<WTU4#Vz;XER
zz4c7?w(ZB+F7s%56lHFG&sCdtzy4jVbLzym&$G((>V%gtIH?P<ew)zn?X%<ad+{u6
zp;y;zIwM_q^rzg`B@*?VJwKZ~#lych-P!yiy4*E=($NKi8gIg`9u^cd5tw}8(e~#D
zP9AO3y!-Bxo>#g0-RZ}bx9pi*z5V^C*Krr8sKv~C;jkf}QQ70G)S0?kO{GOEE+4Di
zTvM0Lt8I7Xm9JQGq<6rsO~pdr7oXTx|E=?g^v*}s2KVgN$nE%8^jo80YkSgJhjPi)
z#y+V^j0Q}`nf#51cs&$n-|19qu>G2Ftd)Pi;C(xv8(YP1bpKP=RQp=D;$P#URYAeC
zufN)xeqG|6)ShLR3SBqeESbfsmCyB+^^?EjM(@YIyE`>5&3$j6dS<au>Xn>hhwnT(
zFXwiNF_770>3z1;7m|v5ChuOq=CwmfU5{K!tt`v8w=b7p>EEa=Td>~7_McSN?#bI*
zxFi3&6wj~W6w3Bq*4~-uXzFHYY@M=P>cAI!`6BZ>4m)c_4ygZAl!<IU_<DKBH>GR0
z8dz@>HF<|`UwY%w>NQ{68$b4?*F3!264P;rZK^FlpV{}D&;Rc9Xi0d(T=nWxtjx{4
zf}1(tWgEgj9WSjb)%U;ex$)Jsbq<gCL~h@a@AJ54`}@_s{<O5Bbbj3fMQ0u}&svpv
z@xqJ3wzs#x+|#aIt97@Vd5YNeeGB4W`9E{Kduf;V`l-k2H`{Ezeb~c0%HdK{;+lk2
z0YN#1|2a(A@>#Y{&42Us<<WVw>s|!dZjjd7-p|Bv;}%=3m`~|6t+EL>4sgG)%A0p)
zqG$uJO~b1Dr=I%XZO*>uvhkPu&GJuE(w>C&MbBAT)_nEmYRlq{N4*z)VEdJqt|Kn2
zeDh?~zfI4cS3Zy9R%L2yP@Hi%l_||Fs8Y9hiKOPU<!4?Vs_8l!{7Np|Ng%WES*VQc
z{wV)9T|t}s*Vi)yXrKT5{ZYBhhpft+-`+27M%o=wiK=uI)w|p9<$Sy0vaNd$1xVCB
zervikZ~f}OZ+<%mCA>A?n8%|wt)}OI?=8k-63rXMf|qL@T*xdsVb#R9>i0BXaD6uX
zTpO5rWAh}N`9cB*u3UMhxc7C8t7~^xxA6X8mW4%EoX*(KQ@N@ocs0*;uJ=F9!mkx#
zofBIR3v+7Mhood~dUsodJGJ8FJm=tP$EUq6cQg=MYMTG-%u{6@OV`tX`PPd)j{jpF
zUg%YABF1IAvvlgaUG^%%7Xxgz7<sJcR+hf~kZ~q|LU3AU>x@{-q~k_GW%cjG*8DCN
z-MLqU;lTVK?FI`E?%Z7Q=1<q+kMou|=lja!xH%p<c`cZEnRWj11%KXczFL~8G%e(k
z>*wPA+9C_A*1GG<CfAm?X?t;%9_%PG62DoKnSL|FZu)s6amyLo6}E&Zv@d6NF)CPI
zIeU-Z!}R(2A~#&;{rM=hJN)yK?sq0~`q?3SLf`L=S-CZK+7TJi>iGKq3S!TkEVnNa
znNx93t3PM%A~U;Le^2gxqvNZ&O~N>Ag4c?y?jpzYD^ESs-E{Xn_k`R2jDO<mWz(WJ
zY_2rB@GN)6hlS2Qci0z1R9q@rW$@<wjvp7<3*XkVux_xZnDWzctAzhMv6p!t&U7~Q
zNSN{$eQy=pYIp3<<&(Q-)VoiKWML_N=X9yXu{*h|>f2nSPVs_@=w{bjsXrvIPT3w1
zW&Cnh*Xt>++RLlYFt^U-U$T?uc+astU0YAy&FM+b_^@Ed|Csu>+oeA~s=n08bllRs
zPCC@|Y-`#jt^19qgxaG|b!~W%er;>`nr%PKzwxbp$?uzI&-$UWo;7S?WuEloGJ#-L
zR)uBBj2_~*z1K7}1f0KN`~7LtwWq7*pE=1|qj9p)uhhok=hBmVwtO%6bEsoqeqrj0
zzM`V@`>(Hk@Hy<@9#!vWTsm!x#VT0~Lq73}`CfBV)1CU2GiYzq&g$9m&%dvZx+eJc
z`CSIxdf$CM?{^z5NT2fal_PtOb=<euc~86FPgjf<Y@GRDYv-i^pI;K99Y57NL#EA=
z()zgTrP;eIt(gb;-xlpY`F1%2!!-5{-?I9DZ0@-B*~j5+SlyDvS0q2i)RcJE{8n=j
z`k~&cU!kyOuR^Bd2`^=P&Z|a?pXJ%srFI!}e$)@!m1OpOYW2Dk$Nwz${_Hz><?TE@
z-{X0Yj=cHlT+A4v5HLwoG?2;sxg6)k<s89fdKd0E^KTP4v?e?ADNpmu+MFC`29~D`
zxxUMLe7}5s9=xI3?tHe(kHw-_ub)^Pt-d06HuuSrFAo}YBePd%Ip-!%nz{GPHCL(n
zYQLqoKd;hf+Qn>S*PR>fb2X7sQ{~1}c9zpyuV<&e=3X!ICsQn_?sP?cO|6332L6lc
zcA8Cw%fH@eoz+;p@zRp})(0kgu8~!kv2E(*MPHU?tz?N|;k%rfwCjVCr^lBM&+6Iz
zj;MK_*jsY__3jBOQ8C_5Z@#(uTKOnH<dofb;<<Zr-1_Bu{7c!x<G(%^`SMvNT<%$5
z?9)T<q&HZd^PAx?QP1bt^gV_qJ*AiOE^hmAfB)VC`&G6tXR3I#Jn?4p|MJ^Ep4l7=
zx#?~^S9->ONo9}qQ}24`E3HxJK2ZJRP?B$B<;~BL3k`UhBwsGDU3`3<$(BovshLyX
z=`_0B)AW}<Tp{^$zWLYZ2M^^nwYHd?txBD@q<HbtfP{lBdJf+gMJ24u7FaEoxsBOl
z>CES|Ee^eG4K+;H)M%7GpxHLrc-KZwN$wl3{bdAJYU*sgR203(wB*^nV>=2j=BoGz
zdN1g?(&7=UYmr=7HSwux`6vIob<64}-414SxNz)O?ggLu2TcwAvUlzMTa?$(lDnvU
z{gpGv@)eH!Tffa`+Oq$Ts*7DFO)}E)D4nA`y`5(ccj5oqu==yh6YouDdlq)>$mjDl
z|Cd<&*{86u#P4%rR~E}xml`$Mx9M7%8<#|~u%G5RW?AR3@4oBbTX($=G4?Qg&HnP_
zsod3hJWGtu9B(SJI3RUnHwVXBjrEh&%da_W9ym0~=SBSjrgo_XQ+KxHTmIhnaG}}n
z#8YoqGyLJ4k#p$X)XzW4x;(D_{HNB&^!V_#xUzW`z2)C8Ed0;#yLHO5IDMhxmp&`4
z2nl>$Xj`@N;OrEs<yUuAd)(2qTKnyUjp2&fFA|<jao6G4#PBcmS%Td+gUO9dzipSQ
zPT%3W!t=sir;B?Q)-BB6ZPn&_>GD0-nuAL<t&VprHZ3=vC6`+1^x@;u89#oju}lql
z_qX9d>tox3m~*~z3)bD<v2@Q&eogl;@qb0O?{3b#aDVSn?*Fl_dGV|ttnC?Ux#NFd
zSC1%XT)|Pi|MHd2Es1Qp*5_?HeyM(&_4n!NqaO-)e%k!uu1$l8sdmq{>5=nHDs~CP
zPJi>b_=e7ppN7r)N55;<zG^jyEbHoKS!kPgaG%}T-swgUJvJxKpMN@urSpWz^sg_T
zFJ|rDGxx8u0jK{5joKr3jvouVAzXJ}{CnxkbxacP_Bu|Kd;G05VYb1NH%bB;il2_C
zx-GZie<zdIEx+l`J}!m@A3sd2=S=(NbLa5ZgsiDk<Mt-ke4P6G$O5m6t8>0=%)hz*
zOU{O8JLGn&G)|IE{<O^CeejC)-tAuteP2EDeR=EDj-6r~>pEQ>i&7faHDm~y*@W;a
zNSR%J8^q`Jda=pd)N@=74WT8ca_hxXmir{#7P&ZSLe=$0XZG&eXS^i5$jHh&(XKuD
z-R5kOrC<3szV;0)QETTm2>WnP@f(v>vwPnD8}*vow=-2dVZN|>;il&sjoglusYRb*
zH(*;feeIdD_uWgs@=aN-Becn2h1D1Nsd9hIoXxkTnPkrYnbbP_`^WBC|6HXCc5YhT
z()qsIAks3@>XH8;0js6OJDxTyxvamjCo*nk_bryxw4`0vwrpkJc=k~3PTTME4O(~3
zY1*0nVTI+P4R;eV7v23am-%m!)CW0*4^l@vKQ-($kPMWZe_ChRn;=uswQrPm`KCU+
zp4NWjQM>;3?Mw_2k*&w$ja`>LcU00m!O^)iJTmq9%+#3TNzK~-&aM5xe)Y$E=D$X_
zbjm#4cbo2w?0&>mTq}3Lo8!Nnah!Fqo$oxO{q_nMW3x6~nt4$&xa0Y`H9HOq3SLps
zQC|PZ)x!Aa&%0lBt9ZNDO*k#q`;L)Wd<T=|svzZ}>3KQQ6L<b;c=3M!gx~fY>=tQy
zzJ5VBn@);8Zj95Gs^{DP=I5W>pzp7>ihgT1%+0m<m^tH}jpQ8$<sTB<CQ2c->bukZ
zId+}0d-fp7$9^YcD&GM{p$qDUWxZFmrIJ5Oc^{d+a2E^1xy!Y}x88I2D5(A~Q9b14
z_1JES<l7BxPbSN+T5-K{nIq@I^6w_;8$IsqSN-+5buDxEokq)WhFwjHNAokgCmZkD
zb$9VS=i7CP|Nhkki@jgT_vO<Mo~ebOS2?oGx%6CVTVs2E{%83(KCTDb@3W_|)zvWG
zkx(w3VH{>~Eh#&->Z8eveS1r{ZVU=&{jP1)`CV@DwY3{}y*#ukR_yZ?y))C*-q&30
zJK7oI)5Th#zj>A`*M{A*3vRx$xKfqC>ZtgbVUl5wQJFsXW-p&xD-!Kj6{Yj8wA$0Q
z=GdOO9XfiK<ka0?__{~=n}odBvv517#N2J)n||oAWUz{M|MCqxX04<B=a6yxja&M?
zcXrKg-X~yL#kTDi@2*NYi?&3eKOXr7_q>hmWDS=5eSZA2u0;3z^j`*AreD{rU);(6
zvrX#pqouOD?)R%j$Ce~IsYI*zEuQn`@SJ@oqAyOK!Emt2;DurpgG<wTy#!uay$inY
zQx-0X%DH=L-};G@eEx(ywvFQb$=5B-=l*5mu650KyEpAEe9Qgs^ZmpsvG?!NuDKaV
z3JcDeb!|@So`pVU{Ojk&JMH|d%g~@b{os7&nYNu)%@W<5jb(RS3eR>Ptt>q7&W_!P
zK|K3PcZWpsD#pVb6K;#mZ``@5XZo|Fd(JS-QQtqsPVcVJY{q>I>!#i;^DOK*Cm($&
zgWu8R%F(l4i~r9nSD*FVP~@%50lWKG9Zray-S@2gjKQ2_p)x=BO-3RIWKuJgN_PIe
zUM0@mfAl=Z*|qAa+t(fx+Weo#_x7b-pLa;wY$?h(`zPqsX=lcoAMObW3uet*y#98?
zO3zM*x~PX~?l<cX_t^a8zj2cNo9yLI0|lciOJ&<rocjBhX)m#9(35+2*lkni3+2}P
ztDma$X{Ya4v$HcehC%i5GM<yNX)+CKc6e=HR&D>HiSN6Hviz)KmO~$lXEu60e}Dd|
zsE$_S70JFZvl5HdM`pFw?H1&^@c8epH#-=UI<|UcA3Li$uc|~m^8veE`HHuHf=-@x
zW@Om&@oj>i$&GKCJ@1vJ%osD(Y-4tB%IKWFx-E|N?d{|L-)A&xStVI?@)b_JeZTdE
zmlDszzpQ4lOdobB$v@mtvTusm?2C1pwQusGTs~cVc<z77lh-vRO0B<Ltlv1j{PZjM
zM1h?6NA9moTyh6vs##qd%3Y(kS%keXuU%OjzVu(!!R=f8w==Ka^g3)q=!gGv!+P#+
z&an|V#jwZc$<xIQ`#xx995=|7=X`u7qDSHFxdMAOg;vg}B|qL-=KhTQS=lhF_Zp9y
z-mh0jQ||XKoqq6Ok@nikFV*}VVLP}JosRxt@N9^06nyete%X?U+8~zJN2djQKFvGb
z)>nVLR-mXwC6f8lPM4ck`a4}8R<y4={X9rA=xo)EwkFOU{K=np<poc*dwf$XRCUFb
z1%31OcCgmH{OFwbbh=-h9oGZ#|K<`AE7YDJj6ZP0?%1NU*95NG9bK^Fl-RxBCmrW^
z9<*BhcV_o%8I{TA3vQ;)xh<Z!=iK}AzZpB`M@xG9By1G9v8Pj3^XSGYHy-A3CH>wj
zytw!3RK2qK?{_{ie^T^x>5;O9DyCC^IOa@mZBi><|NNc&f<wP%t-83k?l1S&=5J{N
ztFBq)hBtXW{r%uva=(wo-kKS{e<qzit;{tcWpnGji(-%Wd8jU5nLYJo8UNR($L2@1
zeP8q<v_R$V|E*ntmm4x=?v>mwUb#$bN0)zncGPvA*r&JkuE|QQ-uK|LxIulK=kD^u
znuqLmXYRk-qARmb$bm=msJW}nC-<YF<#$?xZf8|0zw`^S`qw0I$x>V@?sKnusv-lM
z^V+L1Mb}GD)k!qHs4zPa*&p8gBDkk4@pVA-ch%|Br!z&oJy^jm<9|uMqUyAh@mkJl
z=kBHccWvo++Hk{6YFn$x(Ie-LHz@Bv<Nrc}_xjPsdlRpVUVh3iBCJ!Z73o<q>7uL=
z_t#^sN4|MjXP?iDy>)NZqiYG(o!>rdDX{Zi4&6N6C8f*k#i2G!OC>iM?q80_I}O+-
zdTDQW(3`<8`R0CU_-~u}@>dt~Rf(>Xdt9!U!1C|$a{jfo`E7e@Vi+3Y|E6!a#x#FF
z%bca}z8^7Xe);ZmRrv9ohhoy5NlQL;?q2tKU%pwH_y7F{w^JFFZ!oj`YU11TVa95n
zJ?u5sM>G~xi7rpfKVWooWwp+vInTVOy`0l^`pNu`?2IoTx2E{1#R{m32TpVmdR4f9
z^+OHs#(0TMKLUCsBrkntuKFe;{rybE*H;U-zCAl>`gB%?4cl1voV@HO=laC=K{X5O
z15L5DoBmukJ)v}>r9t9I>sbq#oAdgg)lK?2b^qtd+(8@E;;+9q{jWOnCRf(8bJN03
z<oO?{c<0>9yriP8yt;Lx{q`N_ilvr(iS635=+pm_b5{Zz+H7|oj(f#zxu0vr(F)BP
zj<_Ax8)kUv1fJ~v7`5~4%_%R>3ICAYvG;S`x2e<TGg<tP%8+OM8o$7{&fK{Cykq;m
z0PzJOQXlo%H$E$udER;MHtWvIv+jv9@~%Iee)7uJVlI}8HamAQL@qoi^xt&z`$r#7
zDGD*};&463qEq{GhMuMU%+n{=PkH6rwfXG-HWyb3$-bjMU40%}H7aO%&0JnlyM62T
zt*d@5yZTgp-p-;gJKgnm-<zPmzo7d0zxV3;)~p|1tpDTx=ZjXz*)xAP@819R)bTW7
z{Z$(T<aWjV-@k;v<$q7rp0=e?CKr#*kiPNz<NfCkj5^D5Z2DJ;eAWtR+U==wvDKiJ
zQ!Xr2x&7_c%n$#)wH40K_);}*!kojclh$q7ES&OiZppqiF3;Df2*0={*m5TI*p}eQ
z+`hB#b^JVd{oc`yH(sUe`5kZf{mGZt%lBn1v)*jJ?m%{2n!<zA+{_H`p3Ba;75C^&
z%F{39_P-*|_ibN(^g)H;>c=rl6h8j2b@D9My;1-2gbcU;d097wi8{hbj}_-e6fUW1
zn3)jVB5--vOt0>#uEu=j?FqdSe-AxVE8fbv>w0m2)5aYVD>a0dc{v0WADrCBd|@MJ
z?S?&j*z_~}Q<r}VEMSi7n5kg<KK=bpBU#>UPrh6-`}5@Vd4`IgnhpPZ{Xa$SPcAEY
zyN_Ku-~Y_9lSO)&`}Nxlr?GEdwCqIp^uAwK)0fZR%(8pd&uZ?PDU(-LOxgKW^KQkv
zSzSH{b_(21?1%{VO!eLNEixo$m8R&eR`+%B4?dZuxod6rTzN<A=dJDs=|S6G*0#s5
zVbwVQ`Nn#_C-deou)5v*U9EOW+RFCxXST|}4>m-7dv@})7h}zY-wdY>&BCN#DKqbh
zcAwRH_>01|`=3uTJ&iHtvzs~lh?61X7MB;r3>#LkMhG+?iY$J)ehP~STYaQdPGiaB
z6AqcIwl2aBdq3Zsu5D9dAGzhA%w_#+-}Fz-%yfKl@_VpGTVDC}Pvu=F=SNP}y;pK@
zX7=RTUv>I?3tmm%yF*p`(rSxuPmQM?=d-JObs_5evJ)UDNn3w;VZ5MznR_npskT{R
zP2IJNRnCX@Z@zW0;c<H^i^GdaExY#qIpw;%guN!*Um=>=lXFUF*{Kalw>%an-;<A%
zxlsM})uE?HnbcZYjn6+|R<1tW(ye;PyQBD?s7AS4-*L|j{`o7f=*BHK36-2xD`=F?
z+0n61VkW17$rm>vi-!GWCw7YIZ{4#-<iP#ZBgH+wzW>)rU6wF7zQo*kl6T|Y3yz!S
z>(4y;ILkl#P~+!iwVj{Kg%65!E%50(IbCh8(#xd3g2FRy8y6_v)R=zD>d04lqhI}2
zD#zXwv!*=T*ndtn(uXN2F;#!<=bvroue{i~=|!it0rO0+?9lILztkxH-F@S_!Vl4l
zo~!3IUgFdJ{^y!i+Ty+E;&-_|O<m0JPtpBm>KTUpYA04T1n-GlJWI+ah@m=n|00<i
zc10WHIbR(O)%E>$_;hG);q!YxtLmOEc<0rjE5_-&|FUn<r|;dboL!17+xYnVIaIDm
zt?Vf={dd`PY3`|Kjt(>De~~==V$C9<-8a0S>VIfDq~!5-^{oY$E`;sbF+1)E<D|AC
zcU@uih`?D_yOiS}MXVOB`+Q@e=|^upeQDMY;X4ipIk&vh`>>Tgx0&gN=tN2OAIGjY
zvZ@$$Ypu;qxy1ZfbJOQj%+~dm%l{u!nPGXwhVQ}AxlPX**0Zd;*miYa0LQAvNjb>@
zZzddB{r%kYAN7on-kz-UxmnA7(zfJOo}c5fM@pZ)3x4h`S=PYcQtP0$W!uzkLhEib
z-RO7XQD9R`zp(aN!k!21O|o0(NNxG>SYO%c!f7|gKi}s(OU}93b?|OeAzy0KjK{ZT
zOI)4%eE0S2K$dQg$&Z$%+K8-Svul{5QOX!mDza$Px!TCb`!zNMF1p)2wZY@LwlW`I
zP4_QX;XiKORq|T1j{K@CxxPg}$j4f)b?uRFa^~?5ws3!cs^O_uWF=pu^F7L-u08VV
zBc7%AcASg8Z7q}X-7ayv;E_;|wI<shuJh;mwpL&H+nLi&jDKR^u}$Iq<(_qB*3m6p
z7nGjy{Eg(_T)DM+ub1h9Pn&He8WvqLkZk<=`F*+F>pLqSIo#HNBd+fDkYjq`x1U!x
zcAI!G8kAWJ$}iKgIwgDQyxiuv?|1DB?0zmU<_>yezx{AhZ|fmh0}i+KCwAPwG|gtg
z>!TH7u2~OHHE%V`y%FiuyYTJdV;?17Z<hS?W1@53i|HP5V!Pfr>YTrr&c3(0W$K15
z2~n56fUUMuKksyVVCR_=p4|C%b9asvJA?7f*gn?PMS<Sm{#>{k_B3Rz$@Q=O*>Tf<
zPj_(g_sTxgR$AiTu{$&?%8cLLrO5Wb#rx+wj?YTp_25v|+ScOOciNjA82LW9?(*;a
z%KNOCdvjjTM!(hJHzdnep1fXq|MxBiu4Qiecbl#BJ>CWw?r2onJ8idH!NZH}oVTys
zfA(q91_nFN)534AIG>U1&TZ;{`H{o)1xIC-o>lqZNggf-wFF{Lr##8<xp5{~?9r8z
zf8Lv&?)dj>-`Bt0S8b+?cmMxnTAopncJk?aP4=dl<}M+E(_`nXt4rM2<HoHn+*BZ|
zsKxSkv8#c+(i90rLrxuCj)2dV>?dt!J-j*Pu3+Zuqv8+PZ1e?vCaNAbKCZm{Cij*F
zwx?4{55%5d6D(i<>%y#`s#9;rG5)FTTdd)H<|0>QVaDxajRF?Gvdp*Cb-iZq@;bRJ
zt%!ThnX2A5Uk+^RQgNxjD5B@{%=W;15y{%0?lJQsDp{{g3cC}^{!XN0k-pdN*u!t1
zv)XDbJJCFA|F@%6byA0BXogK!|Ht^Jb6wb?^ONn}1BEJHm1n%sdpvQ~wtLm_6@}NE
z*>z;r@8a|S#<Ez^(D~|uP}k}^o2r~FuYLb;Se<X{#(1HfZ$%H-`dA#ZQeJi0^rVaL
z(;a)}8%+-WGSBG5m#X^35nn%NJ6v5IK4)e@s_Vg@Hmtin=gA$AQ=QPDclM?6=av~o
z?h7A%ZapZ)mHkY%o!^k-g61s0jb{yWJSFS9cXG$})w@sRQ^>lm_p>hI#KsxjJsK+#
z{<z+hJD0I4!T-(aul54hHD@gNt;sDo@tcUv!x$6Kr1Djc(+{rQa_8%`+#3~=78kbf
zW%{9`ZFBf&oP71E1;)B+`wze5TU*)7cP{eDDaY^CUl$#yj!5hDnp5$#PHTF9+gD$&
z&t>bDY@csjDej!G?}k!NzF}azKu6Hq{eGQGQuVLDu(#nn>0micKAZnU&AFyu?`~PU
z*w1{I_<VlR^~Yb<hg7|+xGAhzXc2lOe!^MN{_ow^yl*?Nys4Fa|KvcsV99gSMd|8J
zOH;TRoT8rHsPg;s$LjCt_TC-)Sc;;x8}=WS)M`<EbJ4C$<-#vZ?T}1?-%-DA*FKd@
zxL<YdcVfeD7B)U3-P*(7vJU6jKVrySs^2%YXV%ooyKi4Dzo&IU?_7KWduNXE^L+86
z&cVmtDqdsh-Z(*NN~D_2(zz4AXRhGseHPR3=-!Rj`=<0bI&18jq{FqCS8IA|_1X^#
zUR?RF_I;^ZXPdHrMastu0bhRKnSOoO)wWH|j*J4PYc70S5I4VI%e({U?^S24{X6MI
z?pg-FppRMCR<3-%?r@6MwuNH7!a?tn9)ugjKVV?ppz(Xn;_%B~UuCY^7!wn`r1$CC
zni)6R7QKr%O#I9xX|H{{z4gX+rEZzVNAHh*xp{O~W4mhcv$~)#%U=@?)p5$`m@{dv
z*q3VLpD3BCG;hiOXNQ+AJh0;6E7qG*Z%$M+oO}DtX8KF@qPa%{L(gvdaCG~XGc`O3
z$GX;ONtx-%Xy*A^e*HQ<;j!6$r3c$W8TOyz63_UdA^uDB*$#!?*ViUJS<8IkaG3hm
ze^<5|9E(dx@|3x-N?1?k^Ohr4-%?{4G?!H}ZLfJQJpFd|(q9a*E?E~-BWiSvSVQ@)
za!;7@Amqo-pN{N7DoOzdYwql>^<T*%_Tr-95{vkws&8)R{JC6IxA@|+D}vp%C%!T@
zDJiMz%(u-uG;P5~5APKpgepC2y?5VveuVv9dPUsB$^7z3pz+OZTo2M`GU(dgT5P-I
z{-e2R*=wUS8SXA!dw;>{cox0*)3)lH3l(!K4AWxxbnb81d#NCG%ArQalh=3l+L!!0
zUHFJ4>UG_c>4((gSPs1iJHKJMLlW=40){`gTwV7F*PIFJnJjKE|H<d=y|+mrKfV^<
zIA#-YD|hX)WY#4|4=FYNH8&N1dW!9WSnZ~Y$K5;sx4K>ZBq6phndR7eH+$n|De0Q}
z-h~c43&mzXV)Lpucp72ac)$A9g;{?tJlz(`@cO|2_RU`&rnFkL@A8<#IZtbqX5GHt
zS?g2Y9twEceP;6fB{9>vmfN>oF&5Zx!tC_?<NNnsy45+ye%*tv+Bah6M|3Xy|5CaA
z^I0cG0ihKhg8BMCS*lkaDeAav?{VjM!0Cuu##=v~6kF7Md9TFozP{r^wx!|o_sb8k
z?>eG5;hW^n4SQBkmg~BI{LK7nS<#)-4#l}%EVYkV{p-p04m;CUFNdp(c0Tb4VaU2r
z=e_$%!K?hp2szoJ#qx{pOyhdM{<fn#;-A*vz*ZU2J7*s6Irnzq%1mRv+`xAWKONut
zUr^|x-qFpj-+uhzesN!JTSR7(81w0~Pc8+X-_e&`p10MT)rl+Ea&AEPk21@NrH+{*
zc?}}VHZ7ZK@tjv?nTx!$sAqJIYWea#?Lx0FG=E}ymY&?Huky!v$pY)wBJbx<D?YyG
zms#m$Mw54U{JGzsEsc6p?;OPua#ritMf*F+ub56MPL#7+pxP(5aZByf6Zh{VW?Hqz
z?|DB#`rm{n+d>%jzh>iEDH$+#g+Z<V>qlvuEU((FJ80PS_|KG?wOhZ{+kayG=G-R!
z-%q*deME228V#<B^IPmEKJSx$B{Av#<R6RKeVg)TZ}@PVH7f2;#dPocf>|y??f0Hm
zDYh%S9qCwE5SjQibnceWA2m;vJS9A@r>)!=<bH5o^_;^dMN5wCSZ=v}&q{0Wm#@!n
zp8a_q$H7CttM}<Ey>nFFznf`l`GQG@_2%mF={0s8|2lP5d|{T#hmE(Vh}A@EHJI8=
z58Qm_(o3$}ReSUg?2pk@FJOwg|L70jxjNm`{nxenSG|&ZV;0t@`}jz){Pg2X?Z2zA
zugqUQ$9kd9>ju_0?6)`<&S-Pt%l4S<+qLKjyG&|ZOqkHF`HwurSGKQUSXEb>^z_6l
zFX^P8mc{Fnf4}wQ*6VQG<R6_Puz5*<`0)zfQ)hom`puv8+|M#*-k;Rp@&f<w`*UtM
zU)bRhd+=udwqHMeIi>E1ax@=1slPzT+*MBER_enmo0Z@E&2GQ?s$F~gT&5q{5jJh6
zRjZwUy|!z+Hz{%6u|S0-KTdFcG3ltC@$}}bS@+|1<X_!UAe-PNXR`2HW&EDxJNKum
z_e*OnFMgb#|MC2~6Y0xYx~>}fPuNoIXSnm(fkS%S7tTE8y^|4m_2inFTVoHGEcBQ!
z8n%stODkWGZBzOr<9hq*O>&}JmOVdz>gUwlvS~?`+bwyXEr^{v^Sb#;<!ATwAGxNv
z{+Rn-=EYP`*QKHn0m>^(6>ob5cN}X7OK2^-xp|LS;?|i5_S;oO=+;*h-PU9{SjaEU
z^B_ciwc?iN!IyY%p4DbhZ4grqUh;hdU)|x3H^&5vww~OS{wbbSTH~m1#k-W#Y4$sr
zxYf^g>VDq(@7up0doImj|GDeD@J|gfDO(q%3B`5gR+(wBC2O9jJ+D5MyWf1vbyw?e
z_hx&hp5t~+cRA>vS=p8D|9cPnX&Z&vlNr{%6MCbqv`DC-;b!(nd7H4ry(dL47)Q+B
zq+fey%R%l}ymbkNTMK^mw0fIw`t-zGW&2#FhEThMo4+>PGdyVCa@BCrsheCHXOdMz
zC*EALa$oD>e*RE9?kjKXJHLPZ`JHhJpU~GcRo0(g+*O=@L_=hz4MU~SlmqwbltZ8Q
z>92mjq*M6(#az+44!s7`w6*q9JheIJBOX@tbu(o8H@|sz=56zdIZCG&B>H7}O>@d{
zf6i<By~Cz5XZGC0jlbltq_a0R{r(nd6%v};YWFE!%Wn7DFFo&nOyOkd2}uY^YEfEa
zbL;)XFm1ouDxcaT2R7$hthr_{vvaM;f%t{T1x{Q2?N$65P-xs=9^_NkKi~VX?|aKR
z=L&32Y_MIrH{SJmR=TXj<M<Os+V=ZzDP%8?u`zpgQrYY6w^{!ls&~Jhqy2uX{M>B}
zcb)}xD}S}D{qB}xBd4)#le?St;-!4EJ-j?mAM@<ejZbgqpCUTRx~jzJzc9BzPgTId
zUEMKKbDr)LZrM@)YIW_@m`Ax&ZtvF*nDDH2Q-xlr>2X*4FTKjS<+@j6^2_g^+3C-u
z)s+;eY@$8y-$uFPZA|-1W;Zr&pUU*&@~7=T`PxpL)N;EfB7e9(Zt?l|$sPv%s~>c;
zeJ-56?fcYSe-s!0TEmw0!Ljt=w+~D+Zr3OGpOM$T_x4os_lj*<&QEv!)js{-*kRg9
z=S-#ZlhY@KUf#&Ldv3|;Njut~|39AHS9<XCI$Q2{ojMU#OFZ0;usUr~FkNz6+Q_GW
z3Cokh%0E8N$|XAInBNDAtL!a3u+GslP=Z-}|GH=4vR{OLJYTf)y}0fA6)cxNJruP!
z*>c)+`ToDU8_H&<a@;fHdQiWDq3sWEU5dd08NryxyRCk3{a|RA>X7hlduZm>N2N~L
z`<oX(pFWX)K~(%<|M=5g`+x9sefO!du6bv7u)0&UOHBQE-NfHUN*g9H9I3f_$Ms6>
z|Ic?dGG{%Td0O1u+<D=hoo^3%PYOEuBDy2)Om4*{{?{9mdAYV$`^Z`EJNb;uX}7<;
zOv<I{4;Hla{^Rp|6SQL5MgG5AC)#aRzOv+-&(rQ*4h3AsnSWwJnO2_U+AO%{?`(hL
zPY0Ioe{*5igSOMTiy7qdt9xE-bSX`72vx5SnE5y}BZz4hyGPjltVbamzp&?D{W@R#
zMo8#p0l!=AJOAxTc<6Y1OK;3AiO)AQz281t%&59``)00hj>kV9Et}n~xov4?(G7_y
z`F~Ta=5DpS)E~T6-eb4Y^q+hW0zVdimt5QNVZtR@jl+#iTb@7Jx%7F(yB%HUoGune
zE=hYok-6-T=ElaIb(bC#`|LmS>9cyvDes4IOBzFyrn~kAi3Ug~2n62Q6tF%-CO+uL
zo5$^U1kD5Tq*((le@ZU$%zBd2nmapz$vGzS#h=Xg-5ZKJSy?9EeCc}Z>-=Y5COiKy
zT`;}wvDTT5oAUlFlIbvFZ;8AeTlr~S?7RrkRb>~i^oDso6go41i_0l~jbAH8^jcm$
zyvq8Xx9Yo`Wns$Vvw9v$a;-IOm$t_3csE09O>64qNbb3=3mQH~=Ungq{K8gut@hzr
zzZq((|LOhtZ~1Dyq1y6_Cq0fYdRzGaU!7=IbkpF&MMa;mx;=k-vMYkyVitE9JPfR!
z^{+?x`80#m+3i=E&ExX8SwF;YJ~Tlte)-;|a#yu3v^eQzY<Df2?&BPnal&gsM54rH
zqmcCdF75WYF54K38|KfbInml$`L6O^^--^>mpDW+OLh9~E);B3zhM@ky;O4k%Jr2?
z<1KVEwbv!3FZ`7B_^YJt89mX7UTX~b-cNoysmzcs%qxf~R(jdWuoj!=UW?q>5>FYF
z@b=nh_1`g`*eN>mJiFHIZ&}w4*ooF}`QfujO(5Y{+G_i+%jzCXNc*y%X_tz^S0=xJ
z@Q{*jZzmOj#St;<6H_ZXr>@PdxPQ|5b(^%-_Ex4J-*XE2z1J9687@j+6ciTBvu)k9
znrqAxdA7tK(~3#i{y+Xjr@qe0KV431SCu3u^9PuGzxSxv(BS!s!?ByXR-9TQb^3Yy
zN}t|<oe_>1@9e&FPuBH%sh^!*C9ZkAUH$Bu+FzfJp7j-ear`E0q3o^od>373@6?!P
zWv+bMqmBLgqJM#vPu|Jil;WK9=ijEi-%Y}U*v>0=zHz;{e6Ql4WB)ClEEZn6NzM3A
zk&x%F=)+!<)%QJnk^P}C=*Lz**|JY77>~8z0Hrf-)(>%gA2jwwrB)nL@||pcFrbU+
za&h7TmtbGL<>z*@XiSY<biI1B-v2d$cb900DP1>MbSgAWQT@S!d<%VR@7>RW`K!{7
z1-SAW#EX>3h2EEMe4`eyZprFI)4qEL6g$iF%8h28-Lhgs+_kUz+5dj}ywhyFA@kKk
zy3J!%zk)=q&%TQ9sh0b>rdV6aU*Qp1|5Zw)aaER<oYsLKYeoM*EA@`DKDeUu`Q!}N
zH+T0~Hu`iha<V#2dgjXdR{B=z(<jT9U$JUX-}h=m)uUr4b=Ncev%a<>BXZ%*h(kOq
zQSQ>qJ=i}uu44@lS-`>Nkj#~Jfz3}jMlIUs_4|v9`(*+@dn*McG0t6CAbN9t{-*s(
z9bAh`i&9g=?Y?RqzoK#M?C-yyTQ^!QDBzzEw&0&EheSE6g$b)d*qV@QXT*P;*>b<>
z@&qH1-IE^t7B%7Jx)T)qc}va5b*G=*5fq%otoF(A+JR7IX4m*ssSQr~kv|^Xmwc6e
z&iqTX;~bI9{g>9ta5R3NEWy>%nQxQj>=V4!xpz@mfp*(LxA}{indN^xO8k1HcXD(b
zW5b93n<*aeU1V2h&d!+_cqO}~<z~sXDDgHe1qNPEHN|;%nLqRH`X(%DqpS4PZE`Vl
z_CZmN$sQ>mH`hG<t#G|*OO~E~|Jmhn4{wO}?v_}p@BVt}j*h?T^)pSc|IG+*dSl=c
zdi&Z=vui9JdL2)WCw;uUM8;~4!gS~USzdb<*{H_vc->U_jw9n<>H3`AwYSRWH+X*E
zTk9TJaxvtpl*RvdUiEL*MOF7c+xwW+=^?*raNTJK-&MSm=7$D8Zju%_+?*G2QRlnm
z=YDnr8JVc?I|e(KiXOP1G}Z9K^9Xs~7i*i%)-lgE`Li_3c<uT%`=`I$c2VzL0b~F7
zzA)DFqRYPZZ~AmcbL)S$6=Ke=C6o7mc=?^@$j<jMtP8wuIIK=9uFSIgy5MmTzt7~I
ze<VMgHf1tlw~CzeC-&c7|JAR*UOTj#?W14q>pxBt`Il-xz1#XN=q+<^;r~4IhXQsg
z@9zIt^7D_a_?gYGIe29jyl!Zo^2X`5-nU@QMXQ=TYD0dUd>?;tdD(*WGc|1jcTdTy
zRdy+P^cAzP3e4ReV`9Q*AUI3)_^Enjo$t1P4$VCLs#jWh`xd4j8nf3VMmqL=Ggx-e
zy1h!AQ#Dn;{PzX1i@X24x%_%Z@`Qed#MSe{wk3Xui~Y+#_0@5X#DmPQ&mP<-{3j}G
z0n<(~hbYtChiCr1vwH8GXu}&4ZSMk3h)BNZ$}UrUb#Bc$!3nl{M|!8NS{K&tz1Z>L
z^YkQtt@>$;L^GGqUv#HDOoHw8a-+5LOy=*cza10dH~D`<#Q(akQvdr)9w~6&j}Ey|
z$~*tpZ0EXj+^4lXK0UwuO#bAOD-w4_gzJKMB${t|aQdBey62D`kbdD>LvT!dVx;A^
zyoBFk_Z?qM3u9QH(5imJkolLpPv76|b^(d1c17z~D?C*`TEzLU{v^+p7i=9|qRDgq
zYQ@g7U9nf*V8iLFum7iNvL*kldRMKP<7&8ku~C3vrlGL)*7@~MedKHt4~g9uTr1X<
zvTV<#a>ZUFLye2s$|6M`Noyk|d)k`cnQz^3EF-Iw)$zHRsc&d)%c=a6OP?-(n;vJl
zG5nX(r6u1qZv9e7-7x=*Ytp)+9>!bkI`%(~x7A&9SZa3c8?Qxhnaau!?mzMv*si)<
z@Ha7T{3x_<_P+PLR}OMnm}RcG_OAV8Hs5OZxIK3^aXrZ2;ML!?m}lDW8w(%Z4$1GE
z@K|2AanEYMsOYUXwsGALWZq?eh~<-}-1~;jKMvl%wA+4H*H2ETWeO$#>h`T;KGgJk
zU6j%O8Smqb<O@As-+pz{IQa9--z~9%tJ?f3MbGTtq$E)J>F9@LGHJRD4KKG;{<`zi
zd-|?`lw}`Z#Z_&3^!fjy0L$(l+TUIZr?1w(bN7bfu^DbIHJP%y8mHG7oZhyZ%go@q
zKX>h=XtO_e?4z#U-<>3(qTo5%-81pj^xbPGtTLT2N$<)L?US;zBAp+Wxn{6WYvjmY
z+b+MeV8-50kDg2mWl;DNt7o*tDzQ;*%3m#~T1EZ?$8T(Yug2q2FhS4iz@0niPnzD#
zzTxe%e9M^(w)#1}^WP}XUl7c6H1qTQ>I3_ZCV!Wn^K?Os!j=^hv$k37w_0ugdBNo8
zVF!FVmn_V4JCn{;)|K#%kN+$ahgR@j_V)twKYibQ=GYX*8IxO%wEh)J55BqT+;_Y3
z>q}pCmTt{cQ_2<G6@0?gZtDgPG5hE@-JibRDURGOxT4B!--o@*mG}Qn<-4MwsWs)y
z!9UiG{1ZOann-cXTG12d7|W-vy5ByM_u;|{!yQo;|MuJQd0(GYSTy;`v=D~>x~I2T
z{FB$=uRbC5!|l0RQKV@2)rEF%=Um>&u#)*R-|i!SHnYrGzVCb2XST(&Eq>?4&fC*@
z(0=;~zJ$}c2gFhpnHWA#uFo^j_o?|7`E}3MvPWm%6=d0cU$*k+7iX=<r!LIrG7G<@
z`)+p+lger~3mb8U#vQLWO|$&}St>B(0DH@QGrr@MKM%#8pVeRga@)=wS!-^J3Qkum
zxoOwE@z2q1u?*jX0<SY?TOH|NbKuMAs!#g=E}h8Fll=9{y53&w+Xas_7U6Gfn>Pwg
zQ2n6oda~zv#;4VrFZy)K&C)kuS@3rInt%8EH-}jMnE0D-ZFt<2JCnE`bjv*EV4n6;
z{-t6VGq<sC#?l#=G;^*!s$Icz>*%t_M><kh2urHk?peO!hts--%jq+}{_m3eeMIxk
zZ<S@-`b$`+Z#r(IarSDh#*xYk%fBz;e6x1zxoZ28wb5av6_(}Kuhjfm8~pib^&TJF
z8){8&N>q<*`Jg>T$@o)%%F$z&m(16XY}=KfT(P0|_-^0IPcJM#Z#3^YYrNhi=KR(?
z-_YOJZkf&e_vWZ)$--Jbty@u1VX2JQU03=?{d`%!<%!*{l{~T+^VKg@PfeQX{~(^@
zXX2%2?XIiZq^^`FE*B{F`*~|6kLkjU4F3&NpZ=(2I&GZix$~*Wf%wEDdt;t3UC#2T
z-EwHl1Cxyg)(ZWXLW5nm_C83Mxr$3*`?YUPD!&R2m79q2`%0IXRhVV6*L(K=KV$Ta
z*&$!>P4om?;kx}(bt1Wcuc^se`}N-M)aQ4ie#wTGo?24&=|*<iv*h?|GmiUd8H-l+
zCM2iMG2&8KCGqs9<L1}XA8<VXa(B~=mF(hSHKnsZ-T4*ydE@omneOp#Q_?xMth%*g
z)%>$*?t8x1X6Gs^-IG}CI$LL(f8KXyCFbI;MK%6Tw(IXXJhA`Zzxr3co0Gnqj_1{y
zByP1iTYu+S`3p`yyL;UdnMMn-rEmW4*rejB*%rC}*^A@tU$(J-c)dMg>w@TYHIA;X
zqI-^iotG8=QCPg$N0C4FsBl@XiuN;(%K}pxxw)+LxRo>=W~^yDqSUgdO3Q-BjUhAR
zOzo9_w<G^Qe}CD#-1=eYfu0?w-fVuDvXbT5p;J#6#M#)b{g-=toyGHMp;tGS8(627
z-#qzveett5+pY@xN7{Z~lV}kbBYNqgGh^?DG+8;egdU0Ho(aK^coimw8?IC@diTTU
z+}tmlb_=~>o|$ZQ?Dxc*Ib}<(zm8qAD(lgl)g31zRHOUzT&Fh`yPmnp;4$UiryHNj
ztHkF0J7@R*i?nvG9%pmXRgdbwnQM$zY-A6<wLI;!(Yk+jjcoyHHj5rwOEx<-ZTj$V
z)tw8M;$Ieu95<G)eYBzKnd_IAXZJM(*&X2GJMTJY<yE=nZ6CKtbvb%5{jb^1-jL;f
zXHpFJg4=R?RxcK3U)09qr!8C1%I|f%vOucCwJo>iuk5Z}rTw<w&I?qtuHfVNJoR5%
zUH$z1n*HX-Dw26}Z?D^$yL*b-e@0*7jpyzLYWLe&Y~KI<+RUF<n*H>2H1~y`30W8z
z@<&mtp>BQovm+msv%7K^WZAq@kCDkel`g*{$?n^-&dM)W<F<vrxb#>2Hus?;S6`M?
zrI^jujm(Y}<cug`|CV!pTY~7BNG4XbWYL*+F*oZ!*{}bx`L<JhQfhq5iyQ2d?R90{
zm?9>y<+a2zFj%K}x;Ta`YJ6lB<obxCVshaBGi*~*>W(E(YJI3ATdHAlx}eDF;Jk?D
z@B2S(sCxeE$+S%jb!^8wx>Vo1YRKX+$y4msk4T*R=)F)=Q*3}sp2y2og7-b^HjDRY
zxYhQ|aSso0+Uu^**X(?A(aXKHPaBWRPyBWK$*0Z#U31pQOtXp)sJVAOT=%3lw_ekh
z+}+RSye|B(Z0XZp=0}HDs@3ZI-+%t}&E7)^(Ir2dHWXd_U8h>KK&bL!Qcq9L{ChJt
zYsZ;gpPM85@r~YU3+XjUncqDZzOdQY`hC{2NO8gF>tCnw|JHmTIpI;)`lqj3i}j)y
z*jOaj{Qdo2=8WC;yZLQvl?w0gNN{lxH~1A`*HjmKLx1h7g)iLQ*{7sT5=pc_>C%zo
z`sDlJ_a@Df&30>~kGFojl=$`B*OR(S8Q3`bH)yU;|NDcXQ1SAn#W61OaVmMvSKHY9
zxNKaDRhn8WFP{+$>{b!lm~o8Fx?CaT{a2|~H?{-?o|Kr%US4+R!$b3$nm2d-PhZ>l
z{fO!@`6C|I4HJUgm}L&~#D!m#J0E`{UH*aL+6jJB-l|TW8){L$U&(m=^m*26{>?Of
zd^+9SzN#c?o~7jTC2UvXPgO?*ME$<!K5N6i%vqrhuXgQww0Ap8`GF~C_61CG47!&3
zZBxkA<NO+RmtSOjo!&2N`>i@(zW$!S?*o}?&kYV=Zg;QtF|6bDwDVvvWA<F({h#;5
zrjiBo)w&f~os|3)3|S`{+^9N~v-12!^=v)4!uI70*1P9Pia*f5aD3sNvl%H91-Gm{
zzVbnl#`@q52dm6u+tOa~r>ygH(73&<f_L}LC3i}fFSy|$zUiRanVkHCi#Uu!-p_rz
zg}<jf?bosLI-l_Vzf2uBkDu3f{#=~+YtmCO_5Ga=5wd6hy`K2!`%z}z3U=eyf4^M#
z72?7cx|BI|{l)$F`|p(K>Up?F2jtFP7CF;z`Rijdu1P%p#>qRaqkiV>iTAvpZ@DG^
zch|gqudm;~kP}y#`gHCu4vwFDG*_Pgw{MZ?#2b${uV0^Q^6>c~mxJq1+I)HuzDz~o
zD`$|`pUvymHAp${R^jQ}Eg<yg`t}QDkGA(PWn}(LzT@6&8P&e+TiUvRPA^#4w=CS2
z6Ls*jVdkfDj{W*<X<Gd6w)WO9zp%hRd18fIQ0LpQ*0%N4-|ieewRLL!UF*8w>E?Bk
zyjz*OuEvSQ3CBM_nAP)fRn+;k&5H|{RvW7B`K~eR%l3{vGd{<K_85Bqt^2Pq{i%cM
z51a3Tn|N-QRa(uJGd}jBNhqRb%Kp%8<xBrwbpP|Q+TJ4I$!>M=^PLK>lH8X+nb*LV
z9q^~|p7h~b&1wCsAH7Oiv{Iwe;OU3SE=mcBiYlrPil?;+c(qHHC}i9(`g48`Q#tp|
zyW3lserR7aNa~b-vhpCq?z|7Z{cq)_X3YFH`xk@NckO)R=^PHNt>)slF3w1OZm{!8
zj<{^Yq8Hs!J${m}XPcL+tDA4%E@1p&{r|52Ps00Z0!&5wwCWZ|OzbiARIEt$c|GU#
z*|g2P@Bcb}e3dP#DcAk}eW%484^6L6Z?~U1&0X<EeO>PDhZQz<TnRm%(Y(_Hr`hJp
z>aVzV@5AALFJ{g^9JaT5>)k(9#@SJ4dp>N~RUUfAQ1C=|TGeq8&7w7@M1pj~=JafK
zQMbS9)E~y=V!x%K^{U3(6C3}WpO<KItF`{?t;4UDimPpJVT#x`?=es0F?rczDl?2M
zwSBz&-8V56?aJ|b^Ks_Y=ifKk6vsAvc~f*v>d5Eg>{-l<jpr>s^x(&-<?C(KH%oqL
zWB$MN{V)GrHBbI3D#>l1I4^!?(@IH+{BxG(S+mlvwg**(-;RE8)FaB5f9?EbmtS6<
zt`~dDrbDuldENcW_rD*1{L%4UF4;$kC$Y!#c*&l|4}0gWXWze8{oODA8Bx4zYmUE}
zxp~>KUn1OoiTm$(%~hK4!26MNQosu4fCw(d(=9%_oo^h))^Mp#7kc3o>~PD0as7)0
zt^1z;sJ_Ryww6)1xTEN@=z;iz14ow~4}O-kpFLaj?G^XBy2$hTe(!uZxbFMyU8&(`
zt0(&F!`z?qyUmua*}CRM^RaC^A|7ci5#Uq{?qn{^IMcFzM?u-=6X$*?ox3U_`9r_<
zdj5-vm;Wo4m1JH~Reivad%Mh%DYiSh|2~IicnG7)v8(*9%Pzl6v5|WpzVZ13lRZD9
z{{EI-&)r`AzSef8Pv6$uXvyR`hH9#;Q@g_UWS#%+CjV*qyT9LW$#a&juaCFh`Qh$n
z?c2K*;tsoL8~wQA(f*;@HF|-lNjkGzPQwu^<$C^LgTF$*bWSQwm}5WTp7&R#Ll)eL
zE6Q$e{54rVDKl00Uw<|K>gDTV^L8<12*e$puyB39j^d-@Oa0w5cv~ai7rRb7ajU1=
zIAh)c#;Na&Qmx<BJIcMg(-Cv;)>&ir<c5o`*UxV_<+A_JqowIg=^nh(Cf45#ue~9^
z_qlrLnHeisxR%UcmU->=w%D|~3Huc$ypifZ``1#g|2p65^=0Md;Y&2;mL2$d&Q{Fm
z`?{z5L_Vy_O5c3*<Fd>)!@?D3cuZEUs@w2~``?#Z`33i12ZsM$6?AWR?YEa(Qzo(R
zU8nZrp@i_+x)YzRpE51k-z}>Cd;Wxp^+MSjG(={-=2+I=d9fiTX37c^t&*b)PV>6&
z-|QaP`svw8-%y77m0Sz=pU=1*zcA|c<Mgi2Qk<42pYRLYtvS<b$$vBIb=P*UhhhR#
zYQDUS>62J8A^%BLR`+GeSGPGhe%*Pmc-lcg>d2noJ2y`cpZzlRN{FJvMZQ0)@BNW1
z|0VkWR=4f?#N~?b_nKe4|Gv03;r{2Jr@N0o`&aXB=kvDfKWCrU_P6=il0R!%+Ipwi
z)iMv-_5}DiFs5z3c`U^!GB8wKY3(Yh{x>_GD%-#HzyE*s4M+Z8qCr=`o6Z)$ADsL4
z97`Z~*2EM2KGC)9EBed+)!%tzyylYPOO+q_`y^^6-Z@;;p+B)@*K6IAOH<D;xv<c2
zsk?Q^wEBYCfws-^KPMf2u`+x5>{SeU+<UrI!!GuQiuA6oH(wa6d;UrAO1ES4_?PaT
zvutk0r2X^FR_o|&O=+yuJhhWub;6}?=bGi(*>hjGu3YD^qN4c7);(`;cK0vjT5H;2
z>|uT7cl_@;)la4CZ`}O#d0p=GTifmiT<yxfasC}!7t_D;y65F-zL!n(f8|skt$pDv
zKg)8u@^p5;d#>UStqMCsPTjVC9+tlOreLV-ijC=Cf6SEszWn`foo!MI$C7%s=7sNn
zd#Tu8?xk{6;)aCUln-9>{@kqc(XQC3)#1jr;C<3x%XfEj?@!@4y>p+-^GR;C0`}ta
z!d)g2Y<4@O_FZ=m&ocY>h2J4L;g37t!tLt<^JX#q@D}T{JS=|p=f6!mt}?FU6rAmF
zs&j?+r<b2o{Qh2B`(x?UX=Y4kB^-Zk)?f<~W8?Ij)jO{~;(h3Cfjl2qiz|&y7deym
z{oQz6FZWH3ZF|M+y(0I&eLXRAX7yd`x+A>db}Lp*b=&hvYb#@ZO}f-$`#%r)Z|m26
z?7l2r`_6m1o^Sm}@%oJ+S?s53`j$?6_Wx^#o6v<78~6He<=^wL{r1Jq&0B7{A4#~X
zkR^ZPuHA3jocC7EA49+W+~`^x+Iib;>jJ+Ml2?V6?-9`c?{Py}p}FeTTl@LSEGu;?
z9$s6*82P{_^<yWC!^)Kz*R`kBztT5~xz{rP*O}gTYqO`%UdFJD>HmfOvqRVRty|S`
z_~(wwlCrJ4%!;LonC2`Cwcc8qlwG#0{`pDquz8>U=f6L@*w%ZM)&28*7SGM^80OzQ
zbE;7%YuN&g1#2gXX$0hC#%*6vVjumb@l@8qcIV{VYrj2K+_EX=uZ-NO5RRrGr;FPz
z?P-s)iP*Klv2oc%DGj#ltn71VPCa}kTlf9nvSOugzm=8FS?-@58Il$nrg}L4`mWV=
zKc)TWbllkZy}bVWy-<rCP7^MF4#+HA>*35A=e;VbJk;vaq-me_vdi!C-!rX4f`_gB
z!c5&Azh))>TJ`@!`=<YgwtG)oyE<#NpjmcS)5#@Go0;#f?)Z^>yf5{7eEnasQtP*y
z6@Pu~udgZj{dW8IHCy{dj;=UV62E@m{g+)1eKQv7y#GDn|8)DGao_*cSGCygX4sg(
z6M1@@SNxxp_a~Z*i&Iil?q@#v=WWEuX?;<8%a)HU8$*pJXsz?PwV_v{=&?y-#-d~0
zmqliMQtVvf#N?_Jt@2fxLq+U;&5yH^%$qm-Ir_6;uKdm~I_IuQp0I3GjB|H89c_2e
z_O5J7wN*e*;lv5dniawZKMy?c`On#L&_i~&IMeoc&bf1E&1_8k*Q)ks-Yd?Q`q1;&
z{;!&`D6zcTMA7Z&3DMb49~7Vd{C4dfy@kgL@69vS+m|xcFZ$z?UuWuT`a{2qM%r$h
zy~sjf|F0)u4p%eIdqwEVY+hA$T(*3M`2HV9)6UPcU3>i3QU>=vnV0{+`2YX%?BU_|
zUc+UM8!f(;s#N7E`~UYb=v4`GxwY)-PH(;1YwveX|9eEdBynGBuJ-PESJG|7%(m}}
z_>|t`CsVUn&Mq*`P=z}*vEShvf7yQJYwx-v99l1A-`OsBv0p7sG{sBn4u@S|obRnC
zjwYgfzF}FRhBMkuW(qK|`t&+py?m0Lr)RmumWSv2=JwvSGOj!%df@-e!yc`>mrm(^
z`6iO#b-_~hmD%50c<(J>2;b4oSvG%3XvU*^tFq0Or2C!f$zSKT_T`ICryQw#eoN-a
z6H+~=G!`&Q>b{(C`KF9`{5|9S*W)Wra*5Bm&%HEBN%P9?ZTnwnN`HFNZJ*9}fB&h1
z3dvQ)a}?PXzNy+MKUGlrQnmNZz3TU}`@byJUwZkajhbqJ$k7+R`BlOH+obbOtl7HU
zH8wBGq~B?0=c;WzTNmdf{yhKnr+#&L;o0u~=5r5J9ZD+Ms=xDQZhf&%?o@pJqi@yo
zSDpL4;h>92-hmhImoA#m`E>d(ll6ao{g^58dc9xcDxS~~wa(x9mkclaD6Fz(6I|PI
z<(p2c+$xTy&WlY8FInA4T)g<hthpcJ=RNq<=)Z&MhhC=f>O*=db%L9Xm&=$ZeY?V<
z)jQj0>O6z5jJ~U$URZE<nM95Y%PW=n87#+yZ8SwavXoW7OQtw^UU}sjVAPZHglVRT
z$3BB+N0!HZ_%gNV{=T0Ps@guQdn?`VrCV8R|BF2Tca~&MZQwOOokyoWbGG|O2`}Gj
zc`iYiQ{k9I`SsZHn{n%>@Bh%Me<o_}wZ)qZPHmFe_w#JN-Is0K_pWu7ZEB9{w0-n_
z-a@7mEE~7o-D$e}&CKh4|F5q8ckJ!G%gZ!wB_@gbeEGwY_<YXX)7`V{A2#ZLb(wLV
z*;D=FhmU&4zAt_C##{7pewweDlUHUA*UA`+i*Jq`Ge~0oxtgm>?NY$6c_Ae#hRn%E
zjcTV`HVBw(-m*KOto7lEL-n;yYa7%<82<!m-`U#uvCQ+cEjLG3vE8qS3lGgP`O_d3
zyw>;kTlS2(cSPe>1~mmY@|WCBH&GK*dm77HF1^r2;oEv)qmUw_#T}9ppGv>@DEV&B
z@AL7WE(x!Q>&S2IbGo+tT#@4*!9C~ys)pwj+`Md`AKoXoWPc^Y`)RAaEw|43@+UKI
z$+MHIx8Et^{(i6e{j<&U|K{x9vEzo_<egEmv3IK;OW)t|@!Ix%TOZeY?0RfsRx>rQ
zaMS<#Rp*yI*U5;^sk@^0ey3mjr%(Jn`#%4C9rfd<fUUpVY_5Ap6!t%RQDAUq|CgWF
z>%Qjq=V|Vg5HtRuCgip%$1eEz6JbW3+$`VBJuTmte^#9J`D&-YV$Q42gB=^ZJWZVZ
zuCDF4;iSaU*|729?#}BMcwZiyYr0VVL4289%@@uPCjS*oKk~Lub}fB!;!)Er%Vufo
zj}t8gH+`P;HB?b2ajuK^gC(mb@Ct0(c_6E1LEcowMQ8KZNEL9LT{=sr<;aumDNmjp
zOWwqr(EDj0dqhn^PTHUJ^*fdvSfO~DU*VeR_IMAD4(*fK>(=JITVHeU@1`A}Hy6FR
z(AMM5?ov82Si5n<H>sjo+jlUTCViDDf4z2l+WbFH)Vo_-TR*yr$Ev(7t6tRp-R$DS
zf*1dPt^Z&3dF%Sx-1o}zKRvALX4)TpKj+i>!oB>@f1A%YcJMy3X7<me{h#~y{r>yZ
zyY7dX`EHBj7s>-BN7-DNyqGJA^_c9j=<Nn(?)5L$o&TX6>-U9w&PSbdEx`w>g}Lj3
zaxZO3@KCcAJe!{v6V%vojC10j>MU+Y)mfij7P=~R<$vOo=8*T8*(iL+SI{K*Q_w~A
z>0jPQHTc^!o^?6L_M;@~Q?TV3>u#rgx3_=OSE|!Vet)zvkkc^O@#>O0QJ%URm|sk<
zsan}peWbHvdF8J2Y^&aFRyw$gqhEdD{x6kN8!TDwDD0T%#*(a~B&o!A_WFf~Rz=?{
zZ=8L+#bQ(X%-3<>Y9x50bl%nq-h9NAYRT2IxNW<VTASb_&S}s2CZ2s$UsKdx^Ywk)
zqUgQvgWpf%Sn>DzYOa!9MUyJu?cH8E?{sK*Z0Mf{{Qnlz-}^l8`pySU+_&!LnF|Zb
z_PP~)cyRFGS@ZjE@^?IB`+4WNo%{Oh#eyI0ua?_~ZFI=%d3o~8o#$UJrT?w0JZo>e
z>e#uq7|Y2wA_`YcQk76N&5q*P7WVS~_xmT(PTT*R{W_z!ZBK>ypR3L~?;B5-am-BV
znaj(wzvOA}r;nj4^je>5i7Py1P&pcy|F48~>L&xmB@*{uH=kCN;_l0unj&{kzPr=Q
zBxq@m*Fk05gK}bWBB>=zKXzK5zcjawrP4{{fOOH0@CUk&nfG)*-d&dXe9Fg&4~rfJ
zaxREYxF5~=d`t7MBmNsYS&G6^Wj#2~&AcL^|8G&}T&<oXtLzKy{LLzw&g!WwRpgMo
z#*tLiBfIdM#^J4|Zr|Ug)YY&b`WbQWRAR-|^G@aJ9dZjcf4JKr`7l;#+SP)RE;Z@N
zH%?7>%KEtQe%&+u^1|oS<9zBrR|oE&eL?DXPTPl73$32>Bv{Sui;s)jHrMYs<363!
ze|~&?yzc&c>Cmr+vgN;}ETw1PX9_#AX2#5&|MjNF{0u+(z2?8-{8Fo)<FY;dC3C(M
z^YUz~I>pgrwC&nIu_p#ctzy2%+3gX(#(K_t!!+aFr;Bg$C2q^r+!JtB`cqV(?ctNM
zi3cPWt<2beGQ{W1My;O)dv-qJF*#c&{!@9<1UK$u?N!W^qI!=8$2-*O7);W%IKjsm
zoiA7T<f^5P_MS)Ujwg!FNpg}auk7L|=BUp$x3a$SZpP7Re6CB^Z1Xx4H7jv%$r<xQ
z4HJU{*?C^qRcMuNOK%lb@pHVycsr(J*Pe(Md8;Fg3=cMKnLR=Fux$x{^!K+a`nt)-
zEbckCWW|5kf9RUnox=3~&t<wvpPpXeR(A5}ox!~Ip<tV27SoomhnDkwi9Em8^GMCH
zoZLAA;d<S_RGso1m3jVtJ)B{fbl}K`ZJuYge!o|3W@c7WS{fP_9-dlTd)NAT(5p@M
zy#0?KPC0n^=TFOoqqo}696Bex<I}9~)9rsG&)3)AyD6l!xMKRz1O6pEL5%yK%}B1B
z@q>@&{qqy?caGg*JdyU`*!j=#<_|?r7o1dEvsL3-i|Fzvi_Scqc=vhs6uZ<9o}15x
zfBHIGI&^mOx@lgynhSUX0uFea9)5VjQ~F+rTFz7(k=)B#RSaA9J8Ot7lwg#%{TNYp
z_vOjQd5nA3u{!JXgq;1U_5AI(ol|d!MQN)3eEIQ*yMW;=*Oq(7jYE<TT6S7E)<!vp
z%6n(szwePEWX9kmXrQ*L`;;ed>Y*H?|3@!PVmf<GvxK|;L;1~!O5Nfo9M>;dS2nD#
zw0$DhqU!V9H6^#RH~;mjPofQ?)1yOO7dRS-1}8||+MS<0Tfg?(%r!EV3;Wu_SCn&q
zyt}gIV42Flob$hLTD(l&%d4X_J1Khm#*%yKUuT~G-L?DEE4dqHM;C}{NT$us%8rZL
zbX%DrQ}wvWp&j1~_v9JeYx*8%{qgYp9U|A-5_tbOH^y8`dv7#n{{z8|Q!f7bwzRif
z?Z>QzJKH(kngX8xcke1-{c_YHB~*&1-zr*l<q9=x<4F^Z<Q+~td9VC+P4*@whqdha
zC;co=v2*d2>#Uo5u>arR$QixvI|bx6|2etz!&2u3wF^%~#FV8a#%*52VfsV4Tq!5t
zS>ug%!_kga4^}PSylQ9YLxz1^pO<qzIC;@qZL#abQ+HQ+*D3BZ`rRCnWAZ!n*o{9D
zuKzWTHnY!=v^g<BtnK@Te;=6te!TAV+Vg?gx`edjp(Sqw^cU`mS)~xU@#Nzs|6@Ki
zD{tLCHf_tM#+)^k#jl@#KV@4U<D36=cZtoe9S2o4Dl7aB9&YU7|9<D@r`NM**C|B)
zW7y0c|KyMN{s;dq7Rz6GT08C1*#&yeuEI&eO}YY!GfuAdK4{6YZ2!c{lnUj)pH}aA
zecdmu%H)Z?e8Z&!p~*j@W*?n9uUm}wZP_u4N%dL6_DA3PDu*lBh3}oGaY#sdA<G4g
z4?Ihbi5ZywkLS(09HC<Kt!dYkwQ8mpG7fEBQJkWE=ojPRTjHX(#QuG~e(n;_+-HX@
zvOn$e(b)Sy=jT2n>-@-GeJ7><ER9c|U-lYW2=0;KY+rgzVBUh2hB3WguIg?P{t*5(
z-{-W}H@+29np+l~pJc?wlI+B_VbxKOzOBq$oAvVEc8KwB&6sY!>EzTcJNw)hT>F1z
ze|sF~?8QB{r}Y!+%Jh?tU3unyh(+bdyd{0p9cyIvUXc3mDW%M39`D(Yhr{+2J(hd7
z^RwiporR)De<Xda)2x`e(YicWw#JsVVAan$71n}PAL6YxEB_R2pTWE7P2J3y`&<8t
z*Pe|3`KI~b0aiYr=^t0Lu3x4sRUnwXzS+ccd-hTVZ6*D#%VJL-SRB6UfBCJ|w|8y-
zf1Hm0e#pK;^9##2@eAc!$`4Hz=e3TKTq?fjsuyEO*dEV)b!W}juQ+Phc_RGDJU8uS
z5+BxIZdyE5V7A$V#kMQDs+zwW&bNJODXejbfycJU$#T}yp6zK5MgKnz%s=Qp<+v~7
zo;1#=T8V}?Wt;ZA`DEi>t8wVTm5_De7E>qRo*J{%;IEwETEF_QhWpk2?v`pW6k^=Z
zxkqD<Sa|HTFxizSJ67L1oXmD$S5My^Q}d|WOKIM{X<sBivoG&H{`bQ9gE8U>ovl0H
zE5DDrGX2L9)`?ojY%cCwe=0VMWs%BSo1pi;{@02kj3;dkH7&2pjeGZhzWAo9CtPp8
z>n+sbd+=8&V|CP~t#UO>p3Kdicy;o>xoRh`t@m!6$b0hB;Vrwizkc*dw(4N&_m`>R
z>t3$=%lFlCabe#tot!rkzTWD!yN-BSn$`Pm@wy(+^i$t1*&?7V`aiGo>L+sde(zpx
zs{8*ws{zN>hcCI))ZfGkeJe>)KA$Vvyvp}h2geofRe|~k*tMDRnJcDLym4b{VLWI%
zK}Un{`C}gIE0L?rk_=rIm}zl{ziWs*FJXV-X~ps*w-xt%TAjX!)!$oAob|)}X%CjE
zRvf%5%lGu?ouHX#w_lxl&+15X@WGBQiK9nXbxB6v`Tz1>1&e-C=p~_Vv;6+C2rQk$
zYuF_yUy>WMRH>6!LZ_u`Pbb@c`+xJ!R!un?*w)T3akJ(^3vYdHW!tom`un*3?y&r9
zO)#79mi;g*$Lz_HQ~NhAzIf!ie@@5A&$lK_@M~hs6iJqijC&BPn0-9t-S7FaeD}-e
zt&y)cn!VSyhpoEcsob9XjAt6kSfZpZh04|4V{W|feySx{qQgUeBJZX*JJQx3HZuON
zu=|_rC0l>1b-(rRT#5bd^~q+rPV^6>)!xbGs~=rm7JWySGwyQAn*e{ct7ii_8@D7`
zIM+W-dvWL7&)Ee(Pd_}q@A;PHX%(h5Z#bqf*?(fVQ=n)qX8ZiSlb$7?@cJmN&-I7=
z{ja76i9cAyxrn8HVN_4)39VMay+@LQ_nnJ8e*C_-+PYaYtavipmYgtj*WH`0v*F);
z`KBBW`@-)tbx&TNc-)ooPmuUAzB!8VdT%b}UBBkk#?@sm<yXWhk+JI6^b_VUUu<3x
zA)qgpdBH*|hu8B)g8<j%<-g_U=a=+|wD_<be7sRGOKw3V|J(ix?L0<y8miq{72lO-
z{^3`*|7j&5wqaY+&H9g@XGY%f&vQ$>B`w&<`FVcZS?4Yx0d7Ipxf0&ekJM-QI$BD!
zA5HY_G*rDOYIG;)n*WnEGTAe~PL;g*>a3BRPDXup<G}^G_qGS-DknKt1lcGl=fCmz
z<QJco#<s;edY|?E%SY!%zqw(WQn~%|Ih`4Inx6G^^MptAv}}^jbXiuE|76Ki)sJ7J
z7_VILEtOwX_GKmSlJ^F8tWG^!cz)7(i%({M9^RI_`sL3@Rs*vSPZ-xcFG-j6pO<ZH
zJvnd+XO_v-*r2COb3$$&zkanLn?>sdll}^eRYECQhtq5R^aOks%3+b)yFhS;m&5d=
zMCXm}Zfi=6+SZ!=>5e}4OmFS-Cu>f<e(vn&qj{olp^omfYY{zGnyUml`Co-<E!wI!
zMJ}i0tF988;M7T0rn8?|xcUYxcCgF)Wl$cvDZoWUp!4kk8^7BXyE{*G{rI|giuUfU
zPj_$8-0WNT*~kCi+fQBd8^icsC>2}poBl1QFKgmD+qH{={Tw42j50fqD^||$$yl^g
zA+&JGE=QrO%8C+h9+D6F`UTyybXI*d@oR|r;M3fyC~+iu%Z3W3`Ri8AoTazZXu}Fc
z##}dxRXcN6J<~F6&b3n7>851(`<~{!o<;E&?*A~kaJc`$ulw~rmp?D}Z!N#iw!cE~
zi$Zk9=Ov$ItgX6=BU69<-m$_Yj3>zV>54;3m;bQut=M`jAZP`Ppv~E|V~KYsZ_o>v
zHLEu(m4Pj;!I+DAL$=)8bQ$vpZU_A5q=r9ObB(#;GM|Lxk4D|ZWhr^bR-f(td`v_t
zX7>W0wQQfZ_qJ8<i4VONqQM|_D<J&LAC{%F3R>D65;n;{D!!d%bmi#*CsT!jh&{3o
zZch62BL0nb|JkmO%$k-5er(LIYgit~W-i-u?Tyvqf73PG8Piq>i3JP3Jav8L!QIau
zJ7izD!ESiP&GTfcRAGp*VRLVp=*R7Q_-mRsWf<!1;yGT-)Bd@Kja%d|t6Ow;kD0hc
zo}SSw{Qy33jrPwXha<ZR+b=z>*cv)*YcJnA!?Si;r8>S@&dV>Iz54jXd#9-v4h9$&
zTAR+lzG~;@gS^oqf7d76vVA9i=ycr|L;v&rclh=f$n}WqYWvja`YyiFnfa(hyJ=rY
zo!tZV(mVIVUp9Q?)ojaGS}^q&`=n3INwy5~Ydco$+R)pvpD|pr^`a2RKK;1B-~c_T
zGd|s|zke;Xej7cn(yaVV<Q9g1@A+h8oXpv`Zh7u4_H0h!F*6ODsPtbgeYKh&F9khX
zn#nJ<CSna^|Iw@W7CNe|XtQ9N81U*ahp6O<5Npjd%@Y#e9GJ3}SL4_`WozEQzkNGQ
zW1{D*^@y1A|L^^SZt`~jEPq_AFEhP+)Z5@EhhXQ_<5Cf_CyhK9`>Om787?$A|MS_$
znN1oWb9n^}BiKV77?t*j_}|c45!I}e`MN8kHP}RN^~afSUoX3M@M5ZZY@#sp1x|xa
znVvpP4G%*^P9;u1d++X=zh`~V#IHP~e{kz^_CIsi{n_u&E&V}WzA3tF(*|ctgY=EZ
z434p=A92lDWW>Fwsk@tZ<@6j4J*fnZE3EOCBMLTJda_2%?06C2&g8Sj%qPTZrNlh*
z0IqKnF75VsvH$)-Zt(}9@fOzKAFR=AsK3qi`lR&M-CU6opQMUXd`+ZlTML(dUL;rh
z;I~K1nxhLR9d(N3dh#P;wc>`aDhx-PG7QchIx7@7nP>B<7d)=EYi<gh?Y~)c;r!o=
zcat^uJ(<!ic(3%@p$E60)c?*rA#y5kcI)T317|Mr9q9{vzuNbvit>viAy=fA_~lOF
z{G*U-k(qa)%|w*vV{xcNkZFY*ukb#u-JZQhNBsR}eS9f*UB6vgZ{@Wvvm2kTD){+5
zTNBe@F>gjjHiNdVS(sUb{WnP?>q9*cf7w^XEPL6ey&yj!lP7xGxtxRlR2SYB><aqe
zD!O%TY1GlT{?F<c=Or+)#=gjD?oEq6>cCSR$+)NY*dndc_@;u>O45F;#aEP$8(lM6
z>hR#I`TV&b=Zk86(ARAX{5JQ*B;(E83X?)bEu6Ejr3kh$to+rHsQN8_&Gnd6X7#%L
zZ8IE8kBcZ@ja{$rc&V26zlWce#HJi(Q~sGnU$tl2Z<C&r-}v<dd;jHo><?C(A2MFw
z^ls1L-=%Br_HS9dYf|p=*GCLi`2Rh2F1u>M)%GO|8IrbaUU_+Y`iHh{?OUrdjo2rt
z@17g8`LEo}Rae|TN6*f`rnRckMJ6d}p5M81e9n9`>t~)VU_PGkn0rgq>>l?I$FJMw
zUH%f^cW|}1a|^@57}J~*rn@EA80<<qJ$HFe?pjk4*>&a0d(LZ)9fmKDyfyJye6-@}
zi<<{pR?lenSRtA4I`X35ik8XirQLEH<!^Dz*S^@;|KBi~VgDW(y<hj1A9&|u&An(_
zs)^*(l@87Bxo?jx&I%1VG>4rz?)9p*VM;tQyYK$y;M_go^1@|VcO8p#rvzNG6e)Gt
z5W%GqFZ%WMi;1cCWA`3d%&fnsnA`40#_ghcol_3n{m;P7t-a&l^u&yVZ9b2GMRYD+
zQ59~+<FNMe1y0fRzW+Z+pPVrz<m);|Z61lHu;<gWR_uDGd@Am%SLc0^2JQIT!lreT
zrma|fzxURvm!I#oH=PPvp1x#OH>bKsa!y=!Rg`RmVb3<BYvy@JOZ_gyHh%l_*v|L=
zAH5x`SX-Uk3*YaY(cX7(VJQE)jx+Z{G*{&D38`o`xFmV@y1OXHgqDl0y4iFkhRL(X
zFMhk2l23kubemDglLya5b_=KRe>?2<^Fp!w?;G-ySwFPxHDJ(_Iq*j6t>x0Yp8tG{
zxMM@gI$x}Qnd4!XW?;M3YWJ!)HcK9TX75%I3t4!M@q=QzN`&abZTTL86BM`A9(wVj
zB1|q*d2w>t5vC9OjxSF5cKBp?ew%oWe2;m;+w<2lV{<mF-Fssi`}9jfS=M!zQq~7<
z`DJIS)A+1<Hh;+{&xK|DOlOlW=}bsF<$c-r`{an0UrW|V-48!%s(w87uhVC#fRx*_
z4}E9zx!bi+V(ZPQ{geIwznlAJx5OsZivQO0CanB5ckzdZqCXzm7TlD2^Oc8R`q#OO
zXQzhA)zk#3KfGeBaCBDi&X*~yEt7SMI2L4n&oBuO%?aUoXd^6Nyg+Bg5jTmA8Jwyb
z3p+CHE<43n3P1Jz{b0WSq2qn_zY6WMcpiM+{qSGqjv7|CX*p>Q+pXP9`7I{!PZ2uO
z+{=BaeNm9xMFy$k7OSpL*)N~<udN{V&=gkHDaV9EH#yvK4u1Y^2TQT(B=(lmYn01k
zQ;N^-xGGk0#5n%hA2$Cd@A6M%*RioNN5pS@Q+?~|nYT9bhRQKVm@mbcyv_@m{b|XH
zgl4DgMK}L{_2N~NpHpzSRwqx_>Sxv8<XwN+S1<75&^`8AxlQMBOYZlduk&*f#IDTu
zm7IKXl18`L-mT4ZEb4^k?m1%h<1+ue$uFz^KmD*Zwc?=Em#I1X63*{QU6)<pwrbNA
zsXWJksV5D)9<JFE=^V=-&NO?OUpS|y1ET`R$+d<%f<&cCReWMjU)U6L)FE-A+=jpn
zmbaHx6tGx7e;8W-`^B+eD|8y>Tk?Nfdr)VA?inA)bUnU9?MY`dXZnat+T;<ia9`Hq
z+Zro{l9NwP7m`|<I^{y4_EnB=A8WQeYEIUc>_~Xi7U<WpZlCMjU&TjOR6IPS`qZ9J
zZu`2M{W|9NIl}FP%iacU`dGNBM*Y$}_V;QRx!2mh>MWRb#qi79AC94Jfv=vgs<!($
zCyX!chlkM)hQ(LEtLPZSx)k^*3uM0X&AIgcis43s%1b{!F1ap!-PSXuYwFG8mW#g%
zi)fo)$`fC4p#A@gIlkBDuRpN5XvX#g*88V#l!$GemnZk8LO$l^DYjLc|JI1|a(G{H
zuReQZ+7mWYvrD^PEzosSn0)Gp>b`ZUey^IveO!-5AKlHgJ2a?_^Wl-{ZyNh$?LKdu
zw~_Tjo9zaZ2Hyqg2G&!qEjoNesmEf%nPYiU>&yy#IX9jYo1(O;<5tD*noo7ES6E)<
zm+UyAVZqtyEX1u-8M61|q@O-IGdX>{@~am;-Swg~GXI$STJ_I|c7OS}V(mwbr&lMc
zq|98r`SH#j?{x0<9Zt())7$<q?P}WELk(A~x7xKNi%s>L@pMwwi@^V;XFq3&=5XKd
zoR<@#a(*?Np#L_p6s9>Ik3B=4aeX>meXuKFSI^q5a?Ok59X9FKaMoA--8pZim))-~
z3<7a=67O!DJToV`^4z5D%&uC;-X4ncd$a#ah}ugJsg=jf0y?f{ayW7=vHKhv-)M5s
z@1jvi>jjT>pPwxJyjDBG^!Rt4!_y9?vwe&Bkv`vU^T)Y@96w%*AHK&YviU*LnMD`o
zb(Z`-u_G|>%1(#c5;L9y0(^C%6L^ePXR%IYak_a#_oCI7BoR)Q85}>aW=vsn^L_EZ
z<%C#LU-vh2-^w-2kNsm~FTCB6zve7|!NY$6)(Yp%F5VOWIGed8Y=wM;uE<)y-<@LY
z7u(m}DA5#}`)JX}|DqRH92A;m@iTaRjMV(8v!<l<gvB&C{NijBSC&#+8ny7?`xQQW
zUinLhd9UrvdK%d8oVjo|v)k+Vl(e$$GPd8-<X`I9E&QavUu@Nc`*n(2ihr&CY_sKN
zT0n!YvfPCgE{j9AL~FY&eJ7FAT>8M|oB9H-X&J^#jTai-YqMw2WNvz;yd%SShWHsi
ze`~gQ%fLg&<4V#VTjz>D__}+cFnemWN4iJ)G7dG~BVHQIzA30aYgFxa%MG=#)@c=q
zSB>gp6BMshNxa*&GOFszOZ&{s$et+@yBX82?zkuWwkUbK@cppVml}Kit}#Du#r<ie
z|H1G780PHY-PEf1^a0BT@srUVD;*z6iCG-YlyXhIy)S#u{xF4;%ky`Mmd1WD5nP#b
zQ>EHpEvAt(InZw#pW30um!(frx?7eUEAINou>C9Rue#>u*AG4ZJV;*r%TDf-I{!g!
z@dGIdGIduLy%*J<*T-onJwI!<ONqTJYf#mOTPIjUlV;z__;h;<zlss#;XWQ;uiQ1d
z0!3bXz2~;&yl_deofVz4EaGH=T!i*R{de|%H_n~L`r+8=#B!bVJxe{VEx&s1K)N8$
zNi7EDosC*&O_LS&wr40!JyLe|V4Xk9zAkyimq(0OneEfRlz4SQrsruH@vDcIS!~=K
z`sJHw*mc2sYff43JIMEs^XJ+4#_l+V_Z8L>ySsSyGaRm)@oUw`!lubdFIzaz&lJ&^
zccb9pwO31=R!sOlt1t5JYRUaw_uaV?d?Pq{S6*0Gp?f>ByZ3d*s*Y1kh6-XvMkU1#
z8^4uXY(Lj-&$PaR@y>_FVq0r|?f;MXUc?BvrE>k*8{3!5dEAVNB|C}DxoCk&sjAU}
z$l}lKm${`KZL?%oo1L55|K6Knq4=KD$v2C*Q&=WBupL_z+ickPZ5ijf@73$A{ubIQ
zv3)pJ+j!6W#L8)Yj&_eHI4vki2<GbQ&nb|1Ruz2Vo~%@9#US$0b;;T#pZ3Y^nI6Cp
zC3KRjMpEF=0)aI<7!po*oLQ%wC%gTk(<$HN7Zp$M@|^!_Wm)@k>iw4ZzxEGG|I1n3
z<STh*z0r7c!m*C)w***LiE*05zH_TFXlxf&&#$UCF_NCW|7QKtdz(M<a_(E3@Yhqs
z{;K~xg>Pol0-1iP9h!2hL+VG*$75noU-|N+_P)NyoBxORhkw4sb>pI2pZ?qE=Ion0
zyC7xSH@@SSY@W<KUM;+V(MiL9vqcsAjtR^Sxeg0^T>@11EY~s=Tg_s*K7%oe>&As|
zHX5B5l6aH@v^IqX-6?MR_%3yV%rnure;gMZ*S}`k^HJ%>%fqexMk&j9X2+|f6&#P4
zd&{D);**xgA{W08|2xH+_$M;ult}075sKIMVqSPKX2DmN^q|zs6`N=7Jjms`zV!!R
zuFvxG@2B2Bar~d=6XW?UH(7tIH9vgyykyX~e#JEPNoSKc?O53?E6J5+wute>67B%i
zry=EiUY0rO-&p@Bl-gcDHEV^4lk;VX;!V;44+U7V6(jh+ehr-+@6^pFymeB?gVSb*
zr<VH3>=Qg`_G9sPCe=T`*3W%?(?a>@hr%BV|8CeOzbksj*`9se?UD1^(}Y51_$~2U
zdRBkqmWa~bwHp?gs_{-exTpW<+lxji8$-9A+LJjWoNFeF&BD+HGmk%sJ+q)U-+lG(
zr{V|Q-&OwDXtRd(gSLO8t$M;@>1BIEFT9$zFsXX#wd@1^4!0#9J09Pdx7x90Rl!rG
z=jwWb$_d9Fnww0LU9~KpYaLJ9zQ7|a4X#`VdqUnY+*$VGn(8|1eP{UuTW#ZhKC`s;
zQ`}#wd#6(RiDl2WTQ{C+&y2N@pDjLN)4W+8^<TCIe_UMBRIzkbLzwG*Y26P(*Y~gL
ze6{sglbgsUB|gmr=c51L7942_IkITV;tMl;dKDHLwiVq-D}HOR_-ph*o)^3iBgGG{
z-}^J>{DH;O{{P{5QKg~#=fm`ezm{LV_i#qM(G$rjLJWBynNr1c$_;yik~h9s>izPt
zkcg|RX;_V*CHuzxj!)R#*>&grd*tjW*l<X}S)*E(OIoPs1WVk{lfnHDr*J*s4R^SI
z=#yBF<Fn&WiXR7j-RHBgD`U;?TOuO8vY$9?%s(b7C#&pWTe4!~vBP%Po){$>cCWNe
z_}J=trNelsWSUm(;fmA7C%kI*bIbDQznuSCwP4zl<#mk5m`_+=_}+GO=jj<U>$R4x
zUBJ38$Dndi4*SDNow1VdZXfQ9vY+4ApAwkk-Xyem2Pc=>d$T=pj|E?TzhvbxjZw-$
z{^%q2LkUmw`tDV$e?F}`%Q5W0@B8)Z-v5c5_<Fyxh}2EP7GDEv-py}&{I<K~tjL=1
z>E4yuRvl7#p;xmR#MdO6N}X^{WfJ9$N?ReOn3U$L5_&u|F{xB3@I=i6zBSKxG%hq*
zkj8VXHT>_@lh^BnIDWJ(Z{2zCDtB7_^~Bu^f2}O9?BTgtp%-CL8KLfXapQv2RW(8k
zJx}`B7MyRj|Ju81b?M3_Q=a;r5Hi@LnibYk#9OtNF?uJ<f34qPxBf7^ua>TP@ZB-m
zU~=WW&-Hf&549|AI<#G_I7eFj%{Tkp53f59E<CVf#X*M^|791KeHFj*a1CdiL#w)r
zmKT@afhA5WyOMX$FnMx|$J~9*`uj(!?|u7T^33~~a>Xyx`$n_n9~{qT)a2;x=KZ%c
ze&P0OX}O1ur8HCc&K_Pky~x0Hsnqi5=b~R5ZCAKxAFSNcbKaBbq-xX4po3dZ8VPKC
z5EbwwBYMKR!&5$Pcxzd4-`?`)Ep?rS`@4kP<nr<lAGKY=oR-#dLvU8*kt1qVs}!d^
z6u!K$LCLwx<Lr6nSBkDjICA6~?7CiPwoPcS;1qLO6}*^jW0!@2wB)Vki*1Q}Hanb_
zJR$Sv*s-1S-W`vu`}h3t77O;2;verWzc};GJxcDNYE?$X=WiFJ66BYKm32h=drc0%
z@Z{yPJ1Uo6hcLdjTDi5za|HvZ{AX64X^Z9u^7R?r_@Om-r`+D;hcA8|D1H8m&wkyf
zgV{|x_Zu{AHQcmj%d;td*C!mUjx!ZgU6s?>u2%VU$;$5;3mq9#6fZ4M=AOA|r{k#v
zRhGFqhvU!aTuR)av?siT;nw#bW#Y0^AAYDi8-MM3^(0n<$p@!8FInxe+a*`}s-()H
zR?+XL+2og%iOW9eRS;4<w$dy>?WBVdvl;*ThXJb}R!6a|arJ7B6t>Xoxpq6}+&9Tm
zQCaB<uh+K|J~QumEW6=1*N-dn8OkO<v^6)fDKcJX&UXFa><2BT=J}_53^P+r8xAcC
z+2Uio^P{?%X{pD0uD44aN_o<JHF%^%5|ah4r*3%oVtvg_;qQNCz536|CY05l&aZ2j
z|3gMcre$F>--{k2tE8J2%W~E>OS_jxoDPt5QZ^2d;`Q9qJ#($vu0M8R6DLG$i*Y_S
z$5U?`+p@J*B`J%x@_Dhnl}U^4V77F;a8Ul&zhjd!;{HUh<H=caMzM~iwYf~%nKO-h
z3Cn7ap6A@DDcVO1=9LFzdHg92YG+vMzQtwEdQPVuH+q5@yCo%3E(d?HS$ul?hwpla
z^4A~Mf786(o~!S(`QATI?;mit7y6cRys6mu#GBNVyXwi-Y$ugGW}JD)=2kF?SKx3<
z=NsWY7niWSQo7-}n_XtPU|P!W*MW&DQPTwrbi4Ki<=7o~_0c-=-rl3XJ|5uT|LEq2
zw)*0A?_UV(U61Fj_KMiLVSh{gi=?!L#_^Yo<dPpLcCLKCO~|j-bm5MSM`A8Q0S~y2
z7(EwhSgmm+DB{ls=c$);*_Mj_i`NoiyRVy=@^Gp=_jQXz#y336jb|=UYhNQ;cO%sx
z=WqgF+vW_x+gg&GuK7uG;(ayp8Vn8h-T3ge_RWe#s$JZg6Ot$RHik;9mo(eI`1pZ_
z|EGcqTwC%lpXL9szlML$^SKk=Hhkh(@ul+9=lrD>-z0yn{{E1y>B6zw7m9Rteh7VZ
zcH90V5B(DlcU_)uR@$W$@@9&QOI87k(i4%3s}tIHh#j4lxS_D4ckB70xB2&*Hb(FH
zyq&r8pR@drZFl}K*w+c~`4M*G)I(wR16uzc>Ha#Nn0(dvhQ#Bx#{!4-eJyO}KB~QC
z-WKvbuy<uK_a095%6Y8Y_prFJ+2^!oIHp`vTM*{DAob$50~X6qU16SZf1i@g5B_@o
z{gtjuen)+H{9^L+j_)1P?h9@@uXfm^Yrr~#r%-LznvV*FW@;;s1x)2kkr#BG<L)N+
zlDkf4imTtw?d|K%9&nS6Qr%PfG{*m~`GP;Q=kx!Y6uje`?1x?PF>Yyki>}^m&rRQW
zdDY>^+S3v?yL)U9dZpp`X!WFs*Bh6FU)`>-$i1|yXpX1wm7Vg@cWx|x+^*5~{lnJ%
zaZfkZFY5WtDEaTe)^v*l`L#bEm>SG$o|(KM`r$psOIZ`ki#KgkJ>A*r%p4fCkx_ob
zR#5@3l@%E~4MgJ-Rel8a$)~HF_ciWyy_VKw^kKodR@<43_C?M+)PBy@e()*z!^_$a
z)ASEp>$fYhpDO5D&1)KST4MKc*2#9#&So4ka!GgWRZS*bYBUX!w++%TG73ofk=Xf~
zGjC-}BHM4i0~?(`ME5V;aBzF?pDWo1ry6W#sQ(%E<6r&mj{Nt>x6gCAHdp<$<0mFz
zZ=F^Al9xs8mp9&9KEr;ALHw)vN;@ikd1swjB>Bj==AmS-*@Z_2ss9bO*X7P#y^r}+
zU_|WwO4C1YR-gYG`>So*_gK!qJYvT#i0&w7`!?l<&xW-;x6LGynUf8+hsvccJ->NI
zX0*hX6M@qgCrf`~7pgZYR-C20IUzSEWzoY0dNDU{+m|t)(6<-elvnXdH=a-Y$7=Bd
zk7QCDnNM1TSWdmc#ktzUu4Rq9P{pbPA(EFGV*?_C7@WJ^Ki*rox=AjeL{+P;vhgt2
z`$*gC!JmB9-tS?|`)#~o?t!0kZZq@WxtNreslImR-jus@Q`Smu(qaEtq5JWb)WU-v
zA2O5JR^AAm`c!U}^%TFt*2Dd7FDhCuz7UYsR=-jFbH>`m3DJ&<w$G(1&YnL1b?(n)
zlV0zWzQcKeZ;Q<vrgxdj-A#fAw~1Uf^0@7`MrTL<EZ2mDoC}3*<!WvB7Qf8*VPLWS
zv5EBthw$@)9O1Nv$j17w;uCVKB5YhAWR%K&%6lMp`^L(+nv@qi8D5z7I(O<UyR@j)
zQMSU|P2S+e(_{&ux*z9`I?Sjz9jTG=BUgL<@5Wyrv+MZIBxaNztEl9dZQl~T^}@W=
z9Px=Yf+>6xC3{-(975kkCh-Vm?C*M%(qnYU*zL4$$(AnZb;0YtM%F|f{NQ-v)`nzZ
zHo3b0<%gdCfAIGCuXQz-PwvnA@TLB}WkCVU?&fEucZJGlx89YT8R`?wbR*w8<EO)d
z&tfN>En=0QS}2!=b0|7$%376e*vRK<T~xtyN4h&Xb-5RN2<OWF#YSy^Oj>>(Y2V~_
zSV)(n>)@@3-OLhPzh>5cxa54H|NPs}jM_JDFy_|^SQM_y|Gj<2pM$$!9smFC`a)CY
zbJnMdm?!d16O(`Nxn6zFe(mM9*V$%2u3fQf-O9$Mj1oyNH>*VnXHI>bl&$yCM&jW7
zHQaBnZV<5h(*C^a%Kf5Gn|t{V$X5vFylb=lKGDa}od2Dy+`jz{H$wvTx%*~rKKQ$c
z>#dI54a4RukrLA;Ry$|h{N5^OldbmWnx?1n{wl{G_1yyQXNoku4D>Ptyd=aAe)@dH
z^kNL-VX;5Qnm=SuKQ#OQ!<hTm@{23azFv5>=^{stq+gz=qRgUX$wwPDE|1Tcx!A0!
zURHwd!R~pC>u1mU{@m-{ciY7KqRAP@YhQ4-m)zrxThO^=m#nUYN5M;O-hTGfA36Hn
zGn-p_|1aDB%j%><@XS*o`zoKz)#qb~pLhMw+WCKv?A*6%rBA9BNM@PQ)WN}gdfV+^
a{p;lnw=(v>Ok!YQVDNPHb6Mw<&;$UCimPY<

literal 40347
zcmeAS@N?(olHy`uVBq!ia0y~yU}ykg4mJh`hQoG=rx_Rw{i;GDN`ey06$*;-(=u~X
z6-p`#QWa7wGSe6sDsC;ElQ~Uh=f<V~lSQML+?Y4W^gRE<SM~F6Y{jHWUZMWW<HWmt
zjFc}i^Ub(>FrlFQ-~0bN-^u^~;m)yg*6F2YuhZuJFFJ3__wUl5@AoU}+2-G$|9*eG
z{>S(AzxVzA>+~eLbN$Qb>~Eg`-M>%1F8;x9qaV>fuXC@RFaB)*{tKVaf4wcQ_vN#r
zr*hYy)c-Ln{>Nw>ec$?_xbfrNY1{9;+JEnm&Hd|tU;Ewqe*0yA$o;ML@lX2ypPPE~
zc5D7J34gAWpVPhUnLU2R#z_4+`onn1G3mp<tDogI-~X7d;&WpD*~{<$TPg37%KCTN
z{O|2mfBr@P`22pi{kpI|`+U#(87aU2e)Zq~-s$J((8}Qd`t#@9K7aqw{(Adk7W)PN
zCVu<+``+DmyVKt#r6jL<`+Qm5-BZ7%-#=E0l)o$EY#jeHc85#teyjabfqNsizMVe*
zPt?Np6Ge9?9OhHLQ*iIPsF?Gak2@k3w{1_Vx}UT1m|Xa!U#Wk&%&%R!?APlWmw&Uk
zYyWYfd&kT6-}$}enELwz(a8^z8s&f9-hb!*-^S{xT#7%wRj-o>@0pd;ws7j@`Fnar
zIlrd|ou2(5e*eE8^RJn1Y;xVaM&zZ>n?HJn-apiZmTbS!X)d;}?xoPHe>)k1kGPAo
z2@7c-Sk)TR#2TNxM$uqmFRK)f?J^m4Z2_;&*^X{P$0MYTI{TlwXI13)s(#8n{+-b{
zY|(_&sas!WZiuiHf3*CW8&B^fFTJG^E0<1<Yg0WPc4o~ihr%l%n^!N5TD$dXoV&N~
z_DgH7UW>|Ke0(0m*-LA$->Z6`{9$IZHh*2!hc?5sIhoHQ?`(-opIzJM`eV(WQ=3A=
zqicI*%Wpk6zAd)=c5S~f-@=kln#cWY-+nRHTUa)E_s?nB+wYbAmfauzHa+tH<Lmb$
zwtm>0^>OW#dlB{PrS7l&dR?{Y!IF%#5gT3<B^+Hnt)ZbW%J{z1xj^mZrk`ymiK-f%
zSY&$JQTrIzGvTD253k?a`D5*huy_Bn@5Y?{zb)@${q7<^@9*Z}@9eL?Js+0a-F7W{
zqdvFkO1p`*d+Kg=<aWII_jvX1)#Cr&UH@OVu<+XkzfIR<&&_4~(rbNA_u;zIbWQDV
zrET8Jw`BY-i@%nTne*%Q^_lzb1z)?Wd(>jb=ef>rb#yD{z23O#n@xA+&Gzu>g6&50
z*Ic@>@5;Qx8ttBT*YpAdo%9w8g#Vh=z2p1(eY=95eUW~m98?v3RBN-9->k9+KLgYG
zmrH6_^EY}kl=TWZ9_T1;&G`{7y?AFF$IeZ^&*b)Bkcj6LRrxeK^z3Vm5Wm&CdI}|{
zT~+_Ysk9<R)Ns~$j>BEnEK#fG{+IOJx7`11+J(2poL3xqHb&h$Ssqj`^vJtsl6w53
zAMft!uziou-zV{qIhslQ-m`6j{%2#JuDku|Y}rKVr!wwlGh6o_dSH52U$Zo5U-^#}
z_4D@>U-Hcfs!8?8KIdbzB)VwcT+gR{GepIof4Hr6p+-s5FQxsY&BQz5I>$vN8s6@;
zNnHE1?X_p4EVKF9T-o|_F=u1a6A!&{aE_k5a-Z9!R%_`*gZKN|c~}LU9y1C5Wplo7
zbHZ_c|BXh?{Kl;Xy0>Sz1e(U3s@!wbc5h4p+ldZs16$3l8!rl-e5aR^m6o!SZTHe;
zu{%GkIWg<*rL>aW%OCw#+PFM4p@&ufMN_W&_I(a&*Lp5!p6JOoj+QOnp1Q*6f_>g`
zt7W}+n4NBY+&X<$esYk$$}}hI-M?E59zK5`aVM8o=TevQ`PmUhy2lwp_H5o<^FsY#
zU+&weUmJ`|g;(C6d(OsT;`--DPMaS57WR#I^E3vQ#aRvu0(G`LlkktIlyOwcpJ#e-
zjnoIWjkkIYUal#fxcuRS|BHWJ_FR6_siA^rTA<9bGpcD@=4@#A<Q5Y#vo`;}W5Bw<
zleZ?-{|n;Ss@xeObh-F|pHNaSca~CiO>1VJFFTV5PnMs8<&}&-oHO*9Ut3?Wc4B?X
z__Uzf|7A#W)&c2!NzH2!b^Bj?w9B+#J(LovC2;o21U8m8IZq<*o9a%pFr04Ax37QB
zY2)~M6A2~z)a{E^r|tV@us&(c(K`VJrfVi$PT<j8@M*z{r90oB`MWVzfkWx5NQH{p
zzh~A4hf<W?4qQGlD>T@_J|%_2G*WW;WNlrYHz#i~PqfZbH;7N0<g<JlWBJa&Z}Xmn
z)aZZs8!I)#XVRpJ&(~Bf5J-@GxU$nan<sB;gNhHcVb!j6bJu_V-L!N22dnEnGZTwu
zKXtj*yIN2y=51a0?6Q+j1D?b?Xg1k5|Jyj(C35?-nO#vvEyr6s7BE^0btRsg^xBVc
zf_(Rih%+^J?}S85_Q_t}<Z6C(=fbG#9IH0-Ynnz(WaesS_2|12b~yg%l@k|(I<;;{
z&2s3{7h&3CCE<II%iMtT;5j3v-=9;imEG-o#}K8vU3E%w+yv?DcAHZ7GC>|QDV0Jm
z_5SAl7S4~E@63DbYy8siUECRlIUEZn@l+djStVb5a<l2mw1cH@dBsG$SwtT4g)ZA8
zySiTZrQy^YbC3RyxVGr}^v%zh=Gh$FlQ7+Fj`6pXw-sX<R7?FgJ?Pfo!)7JGm%BLQ
z*DZF#!@Jb)b6nqc?(5!dGVfzj!~Sjk`PpD)Vd$jq>jI}wFxyp`Z0;n*kPv5GxP|{h
z=fdniM-OPY2zl@oIP7yc6C=DtQG-b`Do}g*g2q1XHAiz~MW-yRO_N*pq<F&X?i(?4
zw>%AwXoz5!IA#9qO2v66u}ufe^_`yNU01AUJeV82zj~@o&iBOlB*q=gDT+@F7cR`o
zRC?2qz2%zoaW5hBAM17q<TxIaw!XpjtG_jyC3H_)N5+ZuPqi1?vrfGuy(IOFr^~t)
z&mW6oJ5~tIwpLxL_jck8{*qO>aR#@SG+p@4FroWGN10$N>!Z^S1|0Ku{&F(A$NW`M
zXG3HR%gG3l?~U4PTr&<Wcp#DD;G*cVY^q3O)H>$o&)mOu<))atVM>!&rMG3ZiCe^j
z2UEYD<vw|)rt1dh5vC36IF?MZy|Zg-S%-hn^68Qrw=KEs#Ir+_<#j-4&-2RF-$J4q
zFGr+pP?tMoEu&Pjew)7c6_4~ozb9BH2+rJhfsrrow1S$UchP*uWBzItS2-7-yKS@J
zth;2+w8zctpPt7sbq30ulyR{rxhcC&ar>9VOEX_8?A+PT>>2igNp^3p;A-hJz1xj;
z+g3b#H|fy_<A{Snic8KoGOJy1ewz4tx<tRfTF{BjEmN2;CI&3~ywt3jMOBw+A<HHM
z!M#R;8&6gq<NC2dXLc)_S)ifv`&oz2@y<{=zP4M%ylD~lc9*n?3CyoQSgU9VH(z+P
zT>Qw+t)CQyJ}54-bXdICitom`kBXYULMN9vy1A%TJPrPJWV6u3f+CMY;R`2xVO*B7
zJs^8Y=zcHp)%-P42~IhwK9XhXM|q7W9S`_&@UFn}%c_?)C@xdkcZBPonX|&2h=j=z
zKR6}sXs!2BnCx}9TRb|TW}&V?=aJxEy-;V-#>~K}imEn=>`yjMyTdERu}NQCoMH1q
z=>w{2H;upgZmJYJVqq?~Tlt;*d`5wlf>$%nXLkz7%JRI`kk_>N)O|Gd@61R6p{hyG
zw01ZAXV6?+{J3t-sh(2(J#T+Z?f09evZ1qJc|?9?FS~=vN?Ql(?i2r99*F6corvAX
zd-u^X9j8F&FEV^-UmN%*q;799P`v&4YDPd)aguhF^U}H%te?#q?Zw^RPdu-q8pgSi
zU-0ma4(GiS3!ZRSg-f;UK6vfhoQV$RzVE&qYcsl=w{^DgqbV7mA~@beIHl&Uux=_o
z!YiY^)!C?F#jI~9x9&Pqe9LQUxBBBpX9O!d&-F=^wrGWYozs@>{{54iuf<Ip^XVFo
zGPkH2%L@KyOk(-%V3D9wy1b@MP$jg@L8trsv&6WtP&L^Vvf_HChsz_Usn(ux@zCUa
z8I}BZQTYz;H^MrXw=60YV_@PB|MfX_YL4Mk-gh%q;%{y^JN3g(A4SF59&?SfMTaf!
zoN8LY&01l>7u4Hums3)BLeb0cQw|FIgP#SnOg(dV-jy9I1lw3oTy2s_oVI@I+yaJ<
zJN%Y*cUEkwbbi#LeehPpESbwOU1cY#dtP!pVGuBSu3&drglA{dsoA$*PvTBL6CL1P
zsckm#hQ7)qn<o=Z-`sT9tlxOlH$n2i`MVi8e>BRf9e%X4D99VAKeGFK`@%fcO-dXu
z%Q$vCFZYZ-zDNE*ZE~y8&-0t6?u!n$5W4IzlVkURE&<M-B`!Pm9c;7^ZDZf_(XqpJ
z`q3IrCzjo|^SK2KtZT%C*Rz~Ht$bku`*c%9#q*yf79aRf{IGdp`pmUYAMCo+pT)v4
zRd|NajP*`|Vh<-VtjY8ExtqhICPCnYglL=C0cOATU(&AK2@GVi4C1?%u-0wWtW9#Q
z&07zCY$+D_-`np$t29o3&oOr8KaOrsXRhiMTFh%Hep2hI=7jcRZ$B%qdbGgt>nSeJ
z%^M%CV*D8<pm1k<mCll&ncBNF?d2RCStK5~v3$O~Mov6Sxka_^@Fq3Zja?~fZ>L|l
zw$Xpa?T+Gt3(9VjZNFAo-;>z6;ith-Az@!T#!Hjd8%v#8Zt&p!4W~0rf|4E!cybT#
zy(}}yVB#}Q5yp=@CY{OM)Mec0dg1Sd3xRL>j`OcGU|_lx@N&<F(BDi~1g}05*xD3j
z5a#A}Zw<rBRbT94BcJX_Ewc?27YYm5YFhGrr;l}~Wx<uoDNnB{&6=mAW_tNczt6$G
z8`0BZ9M*2A=t((UD>XCN_>&czQQOv@Ug-{%MFNvT1lKMKc9|ddE$K|k!fzhG8g6y0
zSF&w>5-G{_w5qsDq;$K(wU9gK75gqY?J)@m+0Yl`HEY={w#KLh_vDl2U6M2K<!=5N
z-rMbeMk8m2_=Nr+b#ct%8zjAtzUJ*O<QJU3=k=L@|1zH(#U1ucvgFXu^wNwuu=k1P
z!rX(h7g!~`<pVZwPng->;-q#-X~(3{27%Tv(Pc+crv6ThxM_aX?<c3yg|^3O3sjSm
zQ_q+_mhL>+%2Bxb(x1l0?LA4aX1&f@qMvb;-?p<i!u|Oo)6L9jLT&OJd0n}z#Do~w
zJej`7h3wV;6EfXXNK1I#-xJ@ihd14jbv|k`^YFZfhm+rZdS+m9tx)h<rh&ahtIY*_
zY4&3!#g@TWXYBEw-g<gvT%-D)itfWt<wO5|c#?g(`q>2!@0lH|91{L6;7MC^%y89H
zE+zK5xFqS=jqc6`J{7)g_Mfzpa=bkqDtA|vbR>xxCd<Aw*crZJMvN<an4)WTkHn)0
zX~kO=+qH}N9`S8>XE-6@gi({gOwS2kp2_XUJ4{7IEwp0tYFHX%6C8S`w@=(qU1-U#
z!KCT&BJAm(fD7VN_C{(dHy1P=X-U`UcG$`oe0o;HvkAo^PnrI-^ojj>BgvHEBC*;{
z{KLYQSJN6EzJ0<ysb-OeW9*OFEb=p^?KV8s{yw8V?ezME8=cp=ZgVbO(fQVQ&538L
z+;{u=*xxvlzIw*)C%-=2->Fm6sWSJZ;r2MesHq9-c==BS8D6}t;;qfR+G+DWPp_%d
z7GC|yb&BckhpwttP6dsb>$b+;I1}Lf=krJRsmUvova?mXE50>%IW5?_rfJG5jVPO3
zNrhLFR#~-ha9%TyJ90Qh^x*yvG9GnlGh72Ft~kk^@`P#K>E`x=-wc@&TNWg!i(1VT
zT60n7HgAx;hWwAsQIi*S&VQE2WpQS$(cLhuH}^VjoUfc@^MGNJSeMEr4+)_HtALMH
zSFRsQUa`i|x#kDs&!l#@Jh_?8so`>;)YdeAn$VdQV6kA!<X34E1r;y;mCKM>u<2W=
zf#MABBf7;6o8EVXn5;<A(&F!VVbnWuW+bom=?n3xYpvr0L>$<hFXSYCni1W$<kE4~
z=E!Azy|Z4(PEmD>m|bRYy;h^OA+Rr5a89^n>gs>~5j^|Lk6sgh#xAIHL8+Q?>4{S!
z@5ELHFY_^;^y;bZJmJ=c)?&rt?r3er<%#Pzv^)*p%IR+F7b7?8P125|d#ls<PsDf6
zxaVWN<)lKz?%7((%0HQ!9KJH&R%TOamC?PU`XivS_V=~WSI%B?EDLL_Z}hj#Wq<k7
zu+HbB<ib2b?bFU#sxMiR>ibn{4tQk6h^|pf_?Q`Cw&KbL4uztFJvp(b8kesXR{Oi6
z$L@D82ZxJ&v-*{bR+o2`O<I;9AK{vH)<~eHNB&<+r@-13`p3N{bBq7wxxMO<Op5os
zb84&D^CXKR>Kv_?iMqQ?p1wZ8>4H$v1Fr|A;Y+7I+t#D8+xctqoP}F^<(XdBt=gxt
z`1A3<on7~jcr9Z6P<K#<ucq(H&))lU?l4z2Zk0$6yOYS5qIZ8+rs4vwgWC^8Jvq<z
z-Q!8tEwv}t7R_GIx6NV6Vv}S!hQrym&0KraK3$eyze~5z@u`)8_WlX0`g5KZ2uxXM
z`6T(O-JB_nT$Z&8;YQk>XX`e4vlL9%VYE;D;rb=j$#J!F!<U)<>7O3z2_3946B6}#
z6uRfAi~nQw&@C=(USU&s)_8qXb(#KZulBd_RDaRcWfHGTtG(y1>#28IBPmtgk@x;u
z8_T_ozMV2*T>&f$%=kpVHW+c8V7jWcZOgx1d0P&h{<P_ZVA^bn5P>7VR6K)Q7wgvv
zSh#QcI<a)SbIL`P=0Y8fpo;sco2r#JGQAE9%|Brwq`|%Cuv6a4Qk{)9NwyjMo7xUc
zWuB<O?jG=5_GLEToYc1)pWjk;Pbfc`rB)y=A}+u@T|v<7p!$=EPR>UJN-LDFamc$r
z5Olm1&-{$<yNT5N`ssJfH}o`Yo-L(R`e^yO7NMeotm=vN3)ze|Oxq&f)G588kC~k%
z=;3W4=C=+n7CkaQCbGcU#{R0b(#Jas-`%mcl3eNg<*|EXKxpu%+aHA|EM$MOTkvFT
zwZMjDh1*wc_q+MA;f}2Lxs0`T+~&Kb)OPhLoDE7~Tz<#l`&W%a4B;CmXRN*@<<#@D
zE!8$GIe!W3^mLBbKcn7ihb{HjWK?L%ocvAAgZbpt6^e~4Dq?RA=uQyHIN12#Lo3(4
zdsW+ewYA)HH_SVe)0Wpd!6W+)+cVLFYaT9C7O0)!y{u6rIkV9}>|L^}{KiMO*k*V}
zh05<fvhMg^-N}ojKCNb0qszc9SE^jT;wk%=T&?o&JSF^Z4hQc$am~W0$nyuklvM!x
zLT823vQO7<dhYHnxs<WkCiAbT<->E~ZV%E9+CJge{4n{(flg;xK^_aK5~pYtkxMdd
zPLoS=Pc2$(_O9L1aqTDnJ&M2nuF~L`{bq5W>AUx8>c4Dn)fi8Z`FBXQYUd2Tucm5(
z(aQU0T)69;nj_(6y+Wlz_U$LLseKdQ@%77QUE0>85Yt+lmhTskoS7ct8hK|ynfXQK
zsZ-Sa588%A{VnLvQGBpj`K5vM>)X{kKDgx7@BD3lP<DR8`fe9p#{-|cDt+QE$*H`w
zF<^GqW1ZmC=umWFhv*fxpQ}Rc&vWtA?NZ#b-D`P74TA)eLm+?glC4L=|8NyA+2B=s
z!{jZqxajjk+G_WgCAqIZDPPBQFyO+$$=Pd~efu*lcoxO5HZ0-QDJVHHTcImhX!Fr?
zfBPEOo$@(Q>H1Z(aJz{82@#W$sm6uheED{qm0ED7wQ;SgMb(2hUE4w?urv!eR#q02
zElN|r*)zXK=*t66gX^KmpLa-KlW>$cDzxC>(JhO8Ri^AVxgH*wvQMXLKI6C8t=`Qo
z4zpr%?RG?_WItn?FCLKADtToQ!-p5M{Gu3ZF3e1Q(6M#htt<;c@kc*XOqN$HizxKC
zu~v^OPxiHw(&F=CB@Lf4J!E$#B}?u5H2GA)op%ZMK8NHMoickDo+7v{&Sb-b&IKWB
z)qN|UFVW>c5&uQ<RL<?yKR#*gj+}Z(ySiQbAg6KX@xOJ3sWW-RybiSHd(N!hck#49
z(}tj4Cq3rWS<m_}SWPkwwF>6d5IU2<)ZG<*!7U;~D_+=aeVUuohihlD+?bZHUh2ME
zDf;^3UEJa?t#6%84Gmjja&H^sgSE9zZ?hg$@6r&DWvpb<ROEfa-l^-&J~>TPw&1{4
zj|!{GyM64eIzE{*`&OnIw6DKpz-%hXWvIoiXXwJhRJ-g}#&x#Sm;GDzF<<sj-@tL3
zHL@{Jx=CqPT<R6?(}I(CZ)e+VqkhPnBaNjeDtv*;GC9M?AsJ4wnSbQY-RKPXawx!U
z##ZKYyB<tlc<ZNfz*XaezD6H-yqUdyj>_@<Ea2I!)f{`IQ0sz#uDQXnmH)aWW_KMu
zv8OvZhQ&2VUu@yUQ0~B}$^I56R!be<d24>^y{prVw{q^<vGc(FlM7by9a{FQe-?+!
zm5mJofBNSq+a#7gDYSTfdHS{wcmD^spJ6yDxbIV<;R4GO?;BM7?Aoju>x=pf#GY&s
zn^KX*Hc>+2pXskPAuJ_4{Hr6k2)t5k>~>x9`t7teVKPN;Ci?d33a4k!zf^S8D|@~}
zsC6!XPHqB2PlU2XvbURVDMx;8;J&r~dAuqNy<!6PR~s*ePl%R(p}yyRQdhuUH>vD)
zIrY_NweJWpZBFp>I;GYxu~7LQ`&ogBx2g`gG6Zq1tPFkjtnQ=mBF`U^&)1nLy!G5?
zx1g<EsG~8-S4_#P<<L~yB+pl?k9|t+U|8ay@TT#2&ubH9<BPBC3l?3PqQC0@2_|Fz
zbC1t?&0Ife*{)^V6uP!u$!?DBHv7mR8X05|)w)M};qPycQ&(ScX1`L_62`rzWyZJc
zXstUZ>>F9@!kVYgD*gGhfK!P@@PMcz?-%Y3%X(Mc+5C7Jr}dF)=atGO0XG-q%)iy*
zqO<4H-j1ZWuRDLth%1%Me{fZ4`J-Ar*2&K&oSE=6<h(O`nV-rzhA)@=uDr9G9M5UY
zGvUjlkX$xrxh;<SD~`LZp8bu#zq;33oRuMck;%+XX1D6LV>~XkE?1J26L+Y;Jv3qF
z3eN{qRh>=<+cd0Y60(-qAf8p=Tzg;{V-G|6s;=K>ZU)Sk*u!PIay4)C6y1X5S~ZH<
zd@mLBidpXN4J?gmS-4ELAY|{31sqNHi{@~Le+v`UiaR;)o%X3uX%qNe+WlA+l_hOM
z-aF_Rcz*EvbJLXj_>7Y`uHI-_`G5ZJzjOXA+VakSr;TZRQ@FpA()UGq?2D9|o8oJV
z)OVTcUI@{2mlfKe!&hL{Df!IhD09l<@RKaE&n^ZZ;hdLJ_cgDfVgD){AGr?Y3$y>O
z{_QP!@6EjX8OyFkD70iZS~@bn`QSFqu|2}EOHI7GujjVl|Lpl1cCyWjuf>_&R7h`A
z-MIFysw&$$?;X(wc}BUbeKlsBKRqM<>Sm7EJ$#pYF6+FKW-JP^J@%V-N&U2cA;Hqq
zU#^-}RCy&;dxFEUx;EdcoIPARmTMOJPq=a;q(80Wrs*=P3h4r^EUgvcV(Ew6-@aCT
z>G|Ssd&@P!$${Yq>?dD+F}Znu$^JN9qwY^3ZyN$`low51`tsFWg^sENYii~OEjqe5
zY%`bjmFv03bF!aHeC^?@l-L|%`bf#3*U0wa&QD6)mcQ}k$Z}K^n*BreOXJ5~E1UV)
zN*`bC6_-%o$Cz-cV!P0$ZDQ6ojHd0%&$n$|Znk5^!Uw#OrhHQxR9ipwJ0BC>u}<~p
zK7p%mCtT)uG3{Q~3<r~mpL<jzx#z72UDuEk@PM`Jwq;g^)OA6P4<9DX4`|)~p#1s~
zGtIBNXUX{;6LS4w-+!m`-jq;Vmc4?uL8_dS3zlScnoY?{==hvI`#?yB(wAB4=6b@8
zThekrEEIZcs<@WZ?3Ze6&6Vq2b>(LMO+O+hubHY>kl@Y9>mwmNNpL~i^uAy75{lnW
zTWQ;2ZC6y=TjTzrc`M&e#^pu+KezswbbQ6vFIRg*N`I_gU%ASh?P8b8w+HgiEN*B2
z{jBvc^YyN2y7y;nTJms`)G?NYg<G!n&zkaf?mxx%2YL(kABaEOmy&xV{@^ipBe}L)
zLf1Z*ny8vy@UnkD&!@L!{qum{`Rtwjc@w8JHWaOUHzBYyV`}u{X;+gkK9IJM`4KJ|
z_dBU$qvDiZGn_0QPudgUSyj7KTDXO^)S>L;6ZcSI#W>-@IqHowo*a}k&aa-u?&8?n
zswnnGLhhQ&)zwRwHBP7$>2A(D6(z7ia~g}l4~Zhi*PFebB|R;jw`JvD`FmAy$y3!o
zZ>!Rba4<Ttv24fs*3YfoL9X*W85XQq&L)-|vi+vJdu-KQ53xr|Q_Y__uHCcZ$*GP@
zf_7DB=B%<}p6OaKv4i2+ttP1z^Lawtmrt@{o+6*u@xcCp!AlnQbv0{m*G;;y{*CfI
z{#aS*WlJw^oOWuK=XAA`9j!b!=J!PWOO`1qo3PKdX8x`c#e(OhJ}a#A*xtTkPnJyi
zclC)*M&h&`t_iZoyKOssi>59)x?*x@ScuK3Rr?n$C|GjwRM?RSMWLx{ete&_|NM2m
zzV}*LOBQ+==y|Mt{^W4N+BjW_8cp9vfA*~1w$k-V#_v}g!fPilG`~`$x0g9<g<+^)
zv7*~*uh}cyf_{hz8p*SU<dzCPezJ{0JbCG{xEAh%b>?34wuCBsI6De<Zd`F<(-rwV
z2i8Z=Yv;dyIzhDa*2btEC9+eJmIjtB*!f;)>EcZ9_6@Gz6PV_51uR`%9JF-PbxY0i
zsU?S!Tdzm3HyHNrF#jAR=M-+Co4Gt@s>=z3XU{fRgzq-<X|YN_(Rk<N|I*`52P^-r
zYzf@$e|5<tG0AIN=3QCU^x^HppH}bhP2aq~cE@TnsUYK7JWk3xLoymG9zHPGI@^Us
zC-qP9Q;#$2m^Cl<zuNZA_KI$Q-6ifz?^(|N(p>xE#?5%~ScmC%_RWhoFKtbGE!z-q
z`}id`8}0SBVVA^h<gdHu7Ki?j=Sy()<u$8b9HX`Jg}6eGXznBtHzwvDiK!9y_jQSs
zI#e$3ZYx{7YuCkZjY7ur9ovegulbgJD%iNSIb?lRrvIgHFW)CwM7gxPY{<KMuaEcp
z{fFX__AM+Qm)^4KaXj`ZxNg_{b!j>$#7?hh_Inyv<1f{*fkT1o*z#MJ4^<16WL=Jv
z{~oo-H1rhvl>gV>t=jed!zqTHLe_ig9;`aMVqx87xr;F!4}SYCxS^JD@yP4|)0bR7
zbSwi;UO34*x6|Q<fToXl1;5hKRczlZL$W97O<QjDaYgbz)=X<r$x<gaj<P0}BZdyk
zYj+>WTCjgt)nV%@o0ZYQwo`lZ8jf3Y$?P^`Z;W-~GHuw!{BzE?NlWIiuHDOOEqz+@
z%0&4q?=&CxKYGc#eX(!T!7ncqG?VoUC+rO5Jy&!3>^Y&jZJfLZ{`~1Sd7O7;Z{vjH
z(h1i%Zg?d<KfhLTgUbB1aqDaDgh=bSw0{@v$xA5tC+H^Mwd(3pt&0MA90mQVHTQfy
zx>!nA9QdK{(3RP*c~sTH)3CmGh0FabZkzgKIlfI>!6eFb|60ntJDVRRO`0!V#GPfv
znz}qfsmh{FHRIMz!7nclgeq3|^X2gDta_(h?lx1dHCb_s`Rl7&vtGD<O<5_bDe5$t
z^*T#J1#@6$<Hapm!Qc75_L!ZK*%cb=;cQi1dwWuLe}{rZ<NTOL)xg;ay|+GHb}F0T
zV0z@~Nx|G1d%MiL;+)T1myy}OA!r5T`ST08RQay%ai8-s%|K>?tC4_#kM%0Q&kbF@
zC!94Tf2(Y^S>C;<nrZDTo0dOIqt+SdF((S&+c#_Dq)M?;{-n&q*=~|r$CpKy_@%Bo
zYqvYzv~=#I8@DC|1V6m3$;v6bI&|5t`sQ!Zr==Et<V-2Coc;9Sw*;~EyVhwJDJZl)
zY&h|zLBN4IC0ExxH*4}nPUaK~zxez2W}T9<%sY^I{ZP8%&vzm5x$5U7;@)PQ{lPuC
zbne*=7o;{mV|+bt>$X|<uB_i(6n6RlOZ(We32R;-y02l$ee6HGmU3uyI6K3QC3i)x
z#=pLJ?EQ*m%-VwKSJbl~c8I+V{`ul!&xiQ$I!EH-_J;CY6Nq^%oBwK6LyVEvT9a_~
zV{u>gm}fB_eYme}*OGm<bN^j%6FRhD)x}R!)&>dBvPph2^M=~wcj@0<r|w+GWVw!Q
zt#op6cy7)rpEAvd(e}aIdqi`kj@Q+F@{QG7ruKBvWydqh0WK|lH$9{`zw_(NKffya
z^0JqIt3G?){uI-!x+pA=kNZV%#80;Btm%3`=Rb=xy=|&=`$KMUINQ`#8PBb?6IMT7
zQ@Z9?AV;DI$6149rG9lqgU=Ei4|_M-w{xHEi8DMQTVZ>l%_-e>HGgr&<2dyfW(t#?
z&ODtf8kjDjvCcU;%iL6ApM(3E7aX3f^Sn<yzN};Xz9wvPbN8(~D_60uuJmlHn3&2U
zud@1V`{Pg*$%WRkKK-`J*E~Zb=KEM^+3Mz6EoRzo5`HyHaqrA~3wezN!=Fga=J~MR
zwqT`EmO;(gx#p8*XYAoMS$#{gg>@J6+ixN(*uS+Kg*L2aYFhf3dl%P&n=w}>atkeA
zvEz!@bw$6o{mXyxZC?E{l-0APe^$g(IR|Umt<7g=+3|RuKC3#tB*X7-;>~nfA%zo+
zl5_j6<dw`h&TrAT;&LAA&Fu%SAO0oj*%^6s=E)h4HgU&oHtT79n0O`r##QUn>CHhe
zS4hUGw;kP@zG}Doi~ZjXnDozeS?}JQ{`R|bQ%8ozf|nZ0*DxEh&TuHIST<8&QHJK6
zo&M_kK3A{TOUyKV!}w{*YPtL~69pEF&COEWIepIKTV8B|%opo#U(7RkIeDs8Px?vb
z^K&LdXPGP3UjA}DRPExHEuND+cw0Rdh%D%nVLrHcS=u7+lk0ydxpd!p#PmV#miAjU
z$q6qD+O1ZuN_N$s8<MLYI3bAHwfX}05B4S7S1^?--@EdVb*rn>qf1(=OvD~_oDuNq
zwt8fJbMYh<r!(T3r?vSt-d)gp!!(gYw1zoPuxx(B9k&06PKfR=>o~scfn91<xOGR>
zqN~|`vqE%*_tqYn%#)J!{O#Kf4aTgh^N!qd@GaQ9g3D2@C|jcZE7SCzd8(^#rEGZq
za$Cx)-IsTEc1{U1U&6$Bu72*?C7A`j?fK5Zl5c)o4`jXQxYTM}$BFKYG^b-88P^2Y
zeY~|OE8kqe$)km{kkfCs@J{d2RjaczT8e#_@4WhqUG2oN6&GUKt{k4wKFj&@GV^fR
zuYIbE=7z0&Ffr3y?N!UqO9w^fN(Cz4*d9MO?)`5k!`Fwmu3b9qX6CY5mbdjYHC#;V
zw;HZIS^GC5N7#bfpj0S!MZ;CL|E0HB;wNO;+$srKytS)*tM0W1mpOd;Td%s6mri;*
zcdEP9viBPv)wG-5s@Tf1X+pq<TN<gWtpD+=2Yhj~;-7VwSu3Tn%<5X`^;hKumEPHl
z7B%m;l3IJTiRFa22iNE8`7S#f*SuVQ`QG2nSO2||m^;g9f<$2Ys)*3J#m|ygUsnu&
z!J^?ffm7f@@@bcNZ-wV)_saR$1SmwTlbU$(z|+M!1<{KZ?)$5I(^b@?c-<|9y$32A
zBbKMEEX$s|@X_=xfm>zQ*tj1x{gkd-9o}AjX`6w$<o&m8ueYWKUU`&Qw`gDdY7z4{
zEb~3qUJqogc#@Fyr7Otbq3PGTtIo19%r8mLZDg0#bJLi*baQdHjLN6J$-i#-K7GWz
zXJeDZ|E6yTs`VrfEWf1^ntVyH;l@=p%aS`xYcd@ARXA6^NYI>{Ce_f^BDyRqb>@ww
ztDp92ia$INHS63FSy?sSGh#O+wj68@$u!(@{m32FX<M%E57qzhT~uM;vDAydZrg9%
zS8~Dss)tc>gTRUVvzPYi9FSfy@vm~|(vszA6R-3Ca`^qC;&|+)Ro>Bm^F7+j?>$>}
z(mV9X8oQXM@q6z?W!x7_taD$uJ*p(}?2RjS7FV<SquE|v{U)q(G0dAmFUZ~3zxz&#
zs@J7`9aW4Gir(+{%-AKReyVTv`}xYdvO-;$7e?1}y52D~TxMkar14+hk-$TpEAKyf
z`}<|g!d*srq32uOy_}hMcuqatdqLwC&%bk;jyKi%r`*3+TFC1&V~I|p=0W?-=k|$M
z&YrMl^-1|@Z+(URzkI#B)wyPCboHh_%iimD-3im(F7xe^lGOV=d+EjB9!%v4j_J#N
z(zV~6aGhJ9@v^+;=;P)`*LMob$;rxAz3VNQT4W&lV@6iuCat%gSLHJoR9`u?Po?7d
z>web^@9sY`%&Sf>6+fBp<=VeJO-0&a-?I1bP0oj@E_|KK^U=C`wVv>z&DnkzK7_7S
z@Vi_2p(*uU<A%Dsf?5XrbH$qHwN9~$FP~)f^lI|nD*+NAm)BIq9PZk%VO~R%lL>>?
z3Srm&9*tcmEes_i`->HJmj@nRf4y_jA3m0BW3|;gGq)_V6{~n+b!KIm;WeIHLObp+
zW3|Zp);I6pzlaEab2jD1`>!h}l$11ae+XsdmQY;V#&@x}R`{aQwuw`+G|uMg?q6V*
zAp3Jkt%b<$ZTeDPOWfD5Gq8&gDZ5*9*)lSLg{jWxu4MFIUi;eIo42ah`Au+&x4$Y=
z$7VN4?Q3YQ>z&o!F`E}Z5c<D1gJtuq7kb;||GGJuY*_rS>$!IKg3H#f)!cic?ltqD
zXnpu8`a(hB6vLMW?;4{^7~)y`7s`DqFY&m0T=#XyazBHJpP3cB&t=V>e(zqrr=Gp9
zB#MileTm-O#q+aDt+H~jII8(CO1|rxy6M}G;+(Ih`E&bcosf4wWS%&+uUz_1_re`j
zQKzGFO&GMlUT<Hh&e`B1kb1)^%rQmA^!ydm{hw3bZTT&$VSQ`<=UYXrKGn8{Ic-ee
z_v&q4xa!YEMf3H-DI5<1mMSWh3x?h)nX&Eap*^})wtw9ECwN@ywUS-tRnwiSZOo7o
zVtQ%E-pR{!J<rZx_)cYR#;mG6&UVX^uf5uJak6E=6(fO{oEP4o*y53x_(o?|)Y8&(
zUrcZG^*uSktGj!`@sHK3SS%L(V-Hw-bor9H`@F`hjrk0+FDdI}by~e#mj2{LI-7jc
z;gUf2O(*r6#GYRWz5TzmLSEs+q)K1jAKe|-C8uq>Q1GgDWpK9fmGzzXzxX}l`e5<?
zBFmjCfw5wo&U%yNX4rB{oJmxR5qa(~U&?FZ^dR$SUXu%1v(DA03o`_iK7A-LiRBY#
z-OGURfAgA{!i7A8C(eE#-s>$EyF7oH->Y>+vF8@rM%5kn*xJ5wmFnkDeg#wJ-WP8B
zcJ(mZwkkadF9!7slW(nc6I<~=-Qi}|u|o?U@_pi|Qjwf&tGepqhpe1n&6YO?TW77v
z{AY6ZORZpKXRnND&YNA|4n^4}L^OzPdBl-)=(maNb3O48Ijz<6m$_RNgx}xx*(uq5
zuBy<|#qVM?9ode5E)S?=ExmW8akuv*=>tyRJk;*2Jh$y-z|;?NUrS4pX8f6BrP*#$
zxW3zeMqk5KWyU28b$mLdUuTM^@+?^WNjiM3obPVc?9kgstdH-taZ|87QLuu)`}U!E
zWpf!1-%$U<bLL{a^t^NRxrPTX73RNnjdHf#)2^_hPddu`#hdF!b+gaKrO1Brael?f
z5Nuy(ZtJwDW>ZTDzrorg#gqAzbbr5CyW;-VN1N8ZJZToS-S?VL+zp27m-!Q1ro5cJ
zso&ZEpkh<bYHv|9$%sgsZ(o*V7go(WdRza<Odk8)QspznO}X?RNv76*^Ut>}mgw4R
zU@q(9zJ1PWV=;~05ByY<_psz$5U$&j%WnSck>C&4{=G~=UuLvwr7nDS=kD?>oxmj1
zweJP=m2Prg_+-EJsCCDiivrB%-{y7%sPF#vc<c0=rBbc(M?S7RvHW<xOzE+T&@C-$
zF*4z*p++w2s$_c1CT!_G;&7;ELifBmlS0oNTcAAQf!F*kIaVxJ79UQ$vQ+rDV8ZE%
zD>~1rJSgCMe_?r*_JVAeBWK=!NT0CZbpG!T9yzkc7Z_E(^To#HK6t4T!1B7AeJ%eq
zuXd?Zx3i<T7SG!(#ro>@qnr1g|7|&3CHCWW;;r|4$|Wj{Y}(GRei^dG>r+vevtEF$
zn(y3|8neTTvwz!OWr*O5U|;m=giOAj=QjIIhwgCBWIf7s-uJ81y>-3?wuy@OkH7a-
zTDsCSV(pEM?yj%OOgBWWp8P*4;B(e2pMUe`?7TA7ca@->)vt~<+*VA7lfJGM+hKNp
z;(3Pd7dP9Md^6ZO%OIC)yXN-0i@EL!OrPbu|J=a<Rp-5OSAO(O6IdU&Zn=)S`OIA9
zZ}-yXaBX{X_;%ht4%ch-tABDVI9%s@Xs=Pyy9D9xT{Es9Zv64~O2`tP6;(-oVbT09
zTetjWdt5K;=*g?1mA!D6u}rtKnXJo($dVBD$?YkH8z$RcF8FeX!=%4s3QNG#^bh;X
zn%ImocuX0pw!Ra;{5iTr;p<m9_J-y+-*52C8l(jsx63MPyS8!Xe$G$Eg6l;rm(N?g
zATBh%Gw-Xi?_8D1jKvLMVo%#u6t{dWIC*-xXU_38huhh0*E?UiWqNhznf1EI?oF$h
zRDI@FjpK&J(w8q->So`N%9+M@?A4i5hnM{13krLg=vMiq#7m|50K@gj)CPkoCu@$#
zdiv~jxoIl4f@3@X@g-}RU2FH>>L_`9(OKb&LAO_&bN^GNZTnc#{#=~8j$OL&@e}29
zPFjYi%@^KH^m_OC`@Mf*j4L&z7FBV^^Sb_Rn!%(pOZna2vg(UMS+h?4O^v%){C&%3
zmf62`3_H2?W-7RMi!?<)7uzb_a{U^!--VkF{?{^Z&+M0bxxDxII`_?rKBaHm(wz@3
z)GV5`Q}O7uIrFF7NWD6}EW1joO~SR5(K5B=dKiQ4s;}(}7jx{gT2RUtoF}0>rE8V{
zsuGXTwM+SCt~ix%5tOr|d`)8D{g{BY3M*&N6H!l2m&p>>w!d58^WtasK8x?arPoLm
z9_(t$`dT_+LbkW>%hfA1S7vRFI26R6q_B)#BS7N$tEp#d&aVwD|9^0T!*Qz!$2^tw
z$>OhsT*@+~9gaWa`{rbQYFBPu5bvh-&(5FN*&=QB)cES%70NYLZziwe;CU>oXRI&F
z=6gKcrDKwN$AmRZ%g-H-KAkaT^6uYqGep=|e7HZa;6$#f=n|ET$z1zi&5L)w+bJ%_
zIXR+L>fp~sX`38OPV(gcf7{{W(m1bs=U0J%X{{$}?uG=0p1Sqrf`aY&GcS+q^P3@_
z+q<|gt)j^K^@+}1MO!M@Ip3=BKmNj|W9diUtrf2rb>FL8mz-%CG`mDJrCwX+PksG`
zhx2Pn>%X)Ad$RhJ)!o1L2QF^daBu!MKL!TI)=X#T08eLU*v<+DhKf106Ky>XJIEZ3
zkKU>j>S*0zm9l~_$uZ<e;Oc-Du7zP4R}Vh9#J|wfdD5dt8au>f{zR;?+F|kf)dMY#
zCV7Q-O_LXOPx-Nb$pxij&5!H$?Eb!^n*GOW*JZPGlN(k=x*5p{Uz#bZ_@m40%K~m?
zi3u}Sp6^Oxn)mp%oZY^Au9efi@3ePcKFL(_fpACqjJ${=ua5-Jo_4NszQq}?NlrC>
zHdz-~JLPxk?f!Gj^8JSS>219sMST`NI!|Ut<Ryg}ggo+m)UhaQ%6tFaYYOf?S|fIP
zO`ZS0LjhsYagVIdIv&~B;MyUeu(*d;BvH|8wOd!G%G={MfByExt4#M<$7@h@W-*KC
zq{r<4oA2M9wX?I(TvLQODn93TG6%;yrmbDM_42pN-m-AmFo#DSj$g%edH#}csi-F$
zFYdAFt&^U$hdt&UL#_X=6pucU1uxG(ZTN2dYZ=dlYVMLXyY^oFUigb)$%@rScnb<R
zc%ExkpM8Ay?b*G5tC!uo&)=k3wDz*Dj3fht(5cLjh>{3jAFJg2T)o7U{G?R9irfMQ
z5U{bYC`e4sPAySLN=?tqvsHS(d%u!GW{Ry+xT&v!Z-H}aMy5wqQEG6NUr2IQcCuxP
zlD!?5O@&oOZb5EpNuokUZcbjYRfVk**j%f;Vk?lazLEl1NlCV?QiN}Sf^&XRs)C80
ziJpP3Yei<6k&+#kf=y9MnpKdC8`OxRlr&qVjFOT9D}DX)@^Za$W4-*MbbUihOG|wN
zBYh(y-J+B<-Qvo;lEez#ykcdL5fC$6Qj3#|G7CyF^YauyW+o=(mzLNnDRC(%C_oLb
z$Sv^og&Ut&3=M_k{9OHt!~%UoJp=vRTzzC6#U-v~CHQp|hg24%>IbD3=a&{Gr@EG<
z=9MTT8<CO>*I!UtlmqroO0s@xPHJvyUP-aOp`Ia%mF}Lt0dO6lAV|;5EdcAP$Spuo
zS(2HC2rLxefMmelL3T(*ZUNj}6xA@lgB63r$jT)@xfJ9)PZwJyko{IE`N^3nR$ykD
zsd=J-X>zJ=qGg(qu1Tt~fo_tKp{1^IVxpO0YNDm7sbLzDQJ#6lC5d^-sUV{&atrh_
zGgGWAQcW!_5|fg3jV#QJbxkbNjC3uMEi816Oi~RDQVmkg6OEFQjPNhYOwY_q%t3Y)
z$f%Ue6f4tY(=;<nOLN_nG~*;)6LZTXU5ms-Gmud!DaOW$mWC;2V53r!t=#g9auZ8z
zl`?Y^(^K^e^3uT)pa8dW4Dhs7GSV|Zhy>&$mZaqu<=QIwWagDtAS6OEb5ny$5<#J9
zXl`m?WNL0<Xk=h&VQgxMP!yJ0RGgWg2Qt&pK+hOrE+|^8{EISE^GXsy>C{#UqN5_W
zz{<HOHL)bWC?r2W$5sjCBn2ZqLx?tzv~OxjVoG93qDx{)s;!cdfsu)op`n$bMTnuX
zm655Hp|Q4sft3N0`uvp4v`Rv%?Le8s1`_2SnZ+gfMU`M7NRA3lErjqO+?-61Y6S%a
zaHg<IOon)&II%1>1?+LSRB}dQUV3VZtr9f3!n9;!NeW3uNd{(#DQ3E<mS%~%CdMh2
zx)x^1NxBB+<|d{oMrP&~i4b4GO)t(*D=AMbN_9+6%`350a?i{y0Ed-=1~{TLQQcCW
zkqU|h10y3{LnB>d!w>^YD`QJ5BLirF>C@hesmZ3sMrkQ#x@n1t=DH?HDT%s?sU|79
zX35D0hAAdy28I@pbU-aH8X8-fnp+v0(9es;W(LUyh6V<@rsgIox+X>jX1W%shGx3S
z21({ghRNn;Mv0Izfl@CT>lzs98W@KdT3VS}SQ!}6&x?tv#>p0GNyfT~$>xc=CMKy#
zx|T_)7P^VXMuvulMrM{NDVC^7kIaN>3`(d5W+6s~R)$7a#%A>MqOpOcrFojMsjj6_
ziixg?d6K1Wl8I@eu0c|2TB<=}vY9b@PAAigCb|Yjx<<w!hDKHfW>$uD^rC@rlA)yq
z$YW_1DY_=fiKe=VsVPRfsfLNh76!@2iOB{=REb3sT|+}%MEOj|yqIQcYMz>8WUgy$
zlxha5T#a>;Qq7HZ4J{IljZBP_%?uMEH6o>X(Nx#K4D3ZSD-&ZYV<T+?BTy9tEm3Xs
zL9H-Y9b%)8QOiISAT`_UxD+5_K`w4~TsHdPwj-z=2`!>Q4LKTOXzfNr8x#~2MlB&J
zd`E+8G`L6#0g@DtrmoT8A}It&QaqZvs1{sYhykk9ycAodawU5^CmZuy3=9lxN#5=*
z4F5rJ!QSPQ85kHi3p^r=85p>QL70(Y)*J~21_t&LPhVH|muy0O+6w3WtG+TYC@^@s
zIEGZ*y0bTZO3Lw4wI6poD%5II!={<PmEH55#iK)kF-mZXhSki8k?UN#W?ek7#zgz=
z#f<Y==_zGfrj)q}xi50*lnQF|Q*q^QVBoy`fo0dleY;MFFD*asa^$Z3%&W0?LGXoI
zL*?^5lh<o~p4n0TzI=c6V>cTng@R9RJ1nFhv+uvi|H5wl(`_GDii@s)*r&Y5YTNa!
z-7^?YTz7bWQTxKmKT=t@PrnkW<do})Ph7g_`h>0j7u-7fI<Vn-((%2Q@*3h#d+k}o
zP}0bM)c!%=;_wB^KSS?qo31Uc#_%fiO5u7|mx{I9vd=ybo4$ehW$3ACFH^aGT)nmK
zYux881_5gyFDvO>)2yGk{DOAQ&-HEFKJMJ7%y5q1=;H@_Nx>T3t#23YZ1}7yGo8uk
zCHsxWKg>!;#SbrC`#jRWnDLxt-oL0*?0?SB;@T%-lrZP$|9CB>A6^qxcb%B~JuCD2
zX-AGIPUgF%_vYwLZ2hp><%an0%AZ0u`ms8v<7*wi>zFSHU+_3iSL49?iDj`Tj6X%G
zeE7k;J@=3E*2F*mq?bI8Nmu1}j$%x`9X5;0#YDEa`2LrL`m%Ok-n@Si-e7RC_0O~G
z=DgkW_h&t>I9FU|)uiSaBH+LjE0bfqW0B<XRf&7PC!c>~|E;}!+FPsEzs)(<XYH?j
z|9^Mr-EZeQeLJ_@dFLTDy=9MrpVtAQ<a;gOR<hd}Z~cAVz9?XQ+yAQ^4tMQ~c051!
zJYOL0QT@h4DQhl-YWs9Ay{5x^uu<u#-Of2mM`taqQ@eCE-{#}e_#5Ka=G9+q^?Dri
zVBzmP8F`PY?;eiVg_U#H<}%*dI89l==Y5VQ%T5I^4#gmy3r0P6z2AO#U0(O`<IBw4
z_|n|jJ8m9#x37J@&F5V0;wd}CHt?;<6|!K6)@7W=vXo_Mj8LsmMoaGJ=k_}vAH19R
z^+&QX;|B%@g--L>`X8|Yul~+@6zThL&e9b*sdt(#2rf|#3s_>o$gcS?s4wOecmFTN
zw-+O>+kZY0zxN^QyRR?#8O+XS8MfamJpE+C`@P`|(<PI&uHEV~+?F+ScH70oXEQo|
zzB}o7Owi`!RMga6`a(G9N$ZqK?>~o<wEuj0cHXY+%hbGJ@y(q7Up}}yed(_`^1??Z
zUz;__blIU}*AjBM&&Y1Nz|<h}X2+zUzC}&yM?3VNuIT*{{Ql;b2kDPz+15GpGu*5B
z`bT!jp7<_7xhqOGITz+_%?R(|xaAYbbM#2p)PN^Wol63=c*DO;RPVYp-T9EPv&z}e
zy`TR1+x+}4zv7YTs#!np=<fcrTb=FRa)<SskLhIRif!5Gz458nkvknXw<T{|$e4XN
z$FYHhQ?sS0!=~Nk($p!1Do>{hF`p82b~?3)&Hl^Pl~4bFTzvng@SdRD-%s1~Py5D9
z`>m<?Lo4~~qKj1rvo@zBt($ei%yL_<ky%r#7|*mW+4D=6%%AdeiMm^@d!Coa&Z8}V
zj=$Hk`|zQVbw}nW>CU8w$LzZWrY3R4UAbc+Q=Dq|%**y!RYvaZO_v0MJd0#iW3C78
zn=a5decHO|;`59h_DN0TwA724cwyN`@%}$2`E9>4H=LQQllJQE_B_cCcl$SN49d2Z
z&9;_~h|7wO&CI-=ab(wB6Sb`D#mvcT8($thG|5KQ<<dm0w;tw?SEP7#`2?-nv)<r=
zMN)`mmQ2u#r3$|$_x}IzVxjjNHb3X4|DSKnUgw?m<h)ci)8faOva>B^Z!O)Cs<lhl
z-1l}_iNtZMEw_$c<M8zO;k4w^CGTaSW_Opj8Efv;e0b`#(50944=+CD|9eY%{%Zk-
z_xrS`-9P2@H^O7?bCd0HJZ~?BNcc{l^((--XW3S>(zbLD&i*AnTo0eMOny^5C*)eO
z(99{HgljMP@&sIxoyuvdS!;Swr1s~^^M8KXZ|}1`CC+Jfo~!@#`(2N}dTQEdY>Deg
zsx`S_b9qbEMyZ!snq9L`CyMB8U7X=59o)E0m)Gn94}(xw5Z4rOFP<Gid@3>9U+j$A
z|9;8un48n5WnC!GJX3mgNl4a;)HnBeYF<5T*IVRmk$ijGz1hp>|9o=xySDqC<)tQT
zm1|A7&gR@P@eZ_I)pmBr)d;@BWtLsHMYA98+7{@&`Qn2&4T~NvS$@p?_sK&I*XK(Y
zm@g6jv}w!hn4?nj>)ih}>aTov_p0x#+^d^3CG)0lU3W$5;lZ%2AALgf<Tp6<KCEgf
z>6$Xz!E5P>+}(kTB6;p!iFoksYx$gz_|uNdj(&)qcBjwF;(N^ZfB&l!{%`;PNdKAq
zf9v9vPIGThlB<1rZ}$6g&hM^?B`Q~*c|_lSxvFov*x?;kx8H5)H(C6`L*(Vm6}hM9
zZp+;wxsc6xeg(&Q#?(nIPD+}`CUs^ke$FNx9A_}=Lv*v}@~i1{!!9j&TDfg<$=vxG
z^$+^~Roi|4@qAv6Yt71AWyja&PRalI^>iIy)B2Y#7ys=L_HE6z7M^lw=>nmvr@7yj
zz4ef|+Fx1{(Uo&0$FSVQhdamVLlNJWEn5>JzHfZa`BXL4@?qDcZQEXX7791$YclW%
zJw8)4F){jD+gy!xEpsy*r=LDAnPAUsD3B`g)N^6raw#P?$+cXrx2IcXO**LdR@~f;
zt@Xmvm<1Z5QANt?FXMK;oj3m{$ANmQ|38+Wac%S2b#3yGOSAK<=5yE8iX8jhbV4p~
z!^}9o#YbnB1=vTtXVGU%EZGojT)ebnwOEYhW#%IZs|-JFoo1;L_03^__BIyF+DNOu
z?MFH@Y;q4PSv$@O<#=}E^PJ!NJ{~r&EdTR(@%%c)E8<&Y846D8`=6+;f4hl4`qA4$
ziM=AFj}AM=o@eQPSd_c*u7+$5`_jE@cT}#(vif{Wi?b-!f#buMz#DGN1u`F&mCf{4
zo+o$jLHo@;ZzT@vp1#v`z=9#}B(nvB&Vja@Qr$DwzBRbOBJjQL5{p3a_n*^rcd*5-
zn(;KNcQP~YZSkqTPWhK(B(C{XzU|o3xpZUSmu>mGzc07HvdZu8^<(?of9Om*_&nK_
zIq1Rc{GD&_@)d-O9Q|#z(Kf=ks>-fItl#8z@AIs;4~}kF%CBqwCWvQU(+mZN2?Yn1
z-|b<@5YRHvh(7&vDTnt~)y)BCTDlh+hDYU^Et~w&U~`&<8e?v(|J}bA`tJ$l{{HQ5
z7j5SA{3YMHAHQ?ozgfQh&$CeZO)1;m6SwHUI?~>>Y9`;a+ozYl3`_p_Gc2NN<D%xp
zve8j3Yp*uAFxgmgE;L<n^Ucc=9u{ARa-HLbo3|RA$zj;$vLsB%k)=Rbp`AmI^Qp$f
zDSc<S7BMFEG3pp3FuL$mu!wN1FbrV!IlS#TGvDC}-J5c^<`z#<*O{E=o@yE9bE<It
zj#q#8f4%qq-?`}j^KQmWIdi=`fA`zG{ugHpMc%%4`IZoR{CHn!)6u`ZVUJ%%N$k0>
z?se;=M^<b%Tm2t<OyKY5=(71CFhM)ffFX&yS%6Vu7ITZt!sZ~60-M_#zb2Wkd#$s5
z>qCv%k2*ygg(kn>_5JPNjkmR$=T|*x?4I~Uar%dU_WOVC)%nq-(G|~S{qdlmr+@jg
zLrb43_da`c`RsyEhc;!Nm$Wu!-nLid=!b&ua)ozFbDbERofm{mJn_ERMM-l>NI}O5
z)d`2s_%g)mGTi>#bfj#;8Lv-9eZd}TcPD0Kys*-nzFDn{UE<CwwuKA~(;E~SRM|`#
zl5?~e_1zX~x;SR|aD+`xSb0*=GIMEY+^O2Xy8FMLH@^S7|9#Dir%6w)MCa|*(L7qc
zSi|lP-`R&<hL?}udicnD>V}Uc&TYZHQ+lP6mHO>^l+`CGIc63ubzi6OaAK1;Q&Y#T
zvx#XD5!X6q<Q`BwzU}13%-d$$1Gir+l4M^ztCzRkkbMJ#PV=V#ArWiM>y`f}e!pY1
z|D$pLyV{+(zrQwrzsK1gcfWH{ZJ@Q?ow#epYm*;dderDvoLO$V=DqIhTQ;9B1?8Lg
zGyeUnaQ&@T!}G>%IgJIu4R6X<=0`j7z4fSgxyH+C-x-h2H3CY9#eVlKZ!#^Hn_yJA
zx<x8wriSIB^;5laHa^jK_<N^D$7!_%u6aj9v$IOw1Q=f^D>xreVlHLyKBMcDIjuDD
z=_x0Upb1_Zg*9LA)coIU{^!_zzxV(4^2_bJz&P1Gu0D6+{bD<r<5k;)Umo6i!|!~_
znM(&(UA`6k_VU@NHm;8oj30=kG+oki)STK@AXDLWC~(q}DNY`f1ejuZHzcGnXRk4B
z>oM#o?FleXe9U)i*J0k=sMO0nVio;)8OOIoZ8~teX^m2%j8akezRwfe?-zZ|zyI-R
zy0*BL!k3HU_ja80Jju^iSfY~U?jH5DVwvsr$a%JRvd-CG<U4F@8XIq;S92<@@u1^`
zH&;tHa|eV4?Xp+?b*y%x{MV-s*pAD}eh=<k6Z}EAC_vM2g@=fh?q3IUCZ;PvwdWtT
zHU3_o>Uh{k#+gfd3iDGH&z-C<f4M$9wZ`M*6c3e24!4|hl-<^FdI(&2sp!akL5?Z;
z;mQ-6O4fXdRc=iRa&ibd<heZ0yC=79$Co$GyRLuu`i7w){-%M({mq$grmr>RP%2&^
zmz=duSFAr|(^}=LylOf5fs&g~pYL9~a?y+vq8UrpJJkNw4Af9tnXj<YsM&L>l%Hn3
zh3?;pTT0r4FG+iK99f_*?CQUSd!EPl$`fhAQ%<K$@LigzFmdUk=|awaOn)bpOlz_@
zIH~9B6vKH8+DV$MPunhcuAY7NnsR@*)gG@6ue0v&{(t;y=f>5a_sdDg@>)M^^gHXv
zy7}RuKM%udpPlr(aWB}o(DcF2pX-8t+8LOzD6(*H9+33yywletvwPL~xjU@h`o&E2
z>dEz6@~eGs%&z;=C!WmN*rIOstM8VQ=b3-+{O!K3+*unqo#onL{bKDoKlM*udGVh4
zU6_Ej(h?TS(_NcPo5Q?sJE@yJo~seZclTV#l#)rip7=*cuQE1pIS}|x>yJ(G-RG&5
zS9r9zZuebRaJSm0Z1Xm#DQ4H6ikrRmTkm`R3-7!AoV9;{;n%)$q0a#lGsUGB&X}8D
zJ$2<P2b1{OB`F3^_>a|cI__+7j*B|vsTpvrV2bYNLmo5J)uOf;T@YHz6f#Gs_ELLW
zlPbs44E8#Kt4-6^|32mUMOU;UW!HSSwA!NAQg^P1n45k#&o#MpF@*Qobnz{RgC{O{
z+T~)Q-Rk)(=*=(tyxTv&^~=^g`TYE{-c<1$W#3=;XPR{!`r&b5%jLO83s#z3&O2j!
zom2e#ww~*GAA<aUxEycgKgW40_x<$0(Y2-<4wiprUN_xmwTsqkl{+myszOt|e=T~k
z)8v_D)?(!)`z<d2)A#@9{dh@}fX$BQT}OAXuY0+DkIVo6eotcMghe@uI$OdgDg_2l
zS!FqAwWV2fcxO&9Yipl^^i)~*<DXR-nr%1DP-A$|^=wkH2mg+f0cvw+1zh@Q<8_4Z
z(z@62wU^)jdD`3m_gVG)2z{q_d!Ik^T_^CpEwN^S<c?x*$6aQ@vc^+SEnC9D{?})U
zulA=Rh4uN@WbRp|ev7L-^X_IH$N7G<jC19l2Urzd^@^^!S8eQFvT1@#$IOeJs<Y-e
z-7UG`)M3UGWFwS!NYr?8()E9yJ3s$4+*xU_5qLFlU0Ptqw4L@Pg(r3$ow>@T*w16`
zN1LzHY~SyDIWzYEmm^oIY!B$${e3ojK|!g=5q&mU+q;^s-CtY%YTq3V+wmi5!Rf6=
z{R|$<9j|It6bL-AVBod9vVZXcw{@O7l_#Hc(R#mRa^zIsWg+LjYd+UHwX^HfJY_Z;
z&GuNK!cxm0Yv<ql`Qp*3y-#1QT5y=VKIrt4ynks{rq8_HV>M+h)uy}=_Ij!i>gJ)Y
zxO8>P>xm)zM2!yem0OgV%%1j^SNll@>(*T9gyjdlehRD<;eI-yU`dOLzv|!U$+OF9
zmT&pp_#<bo@`Fd==6MD8tOEahce@?7d2yfKw%^{zwQes8Ds@-lJKo)=*K;lB=_>WF
z&F_B|{psYdIr`_Rbo?Xt?dL8ptntZx>TpQisgdQ_l%p<2$Br>2CI==c=^M;o*`zn&
zfxsl*4#p%WX<yTB=byIUHm>cTrGLNdfK7dMO7q7#5)RYcIn3U^($MA6w(w&KKXNH>
z&WWGrN*&qxZR1|uDCX_^dm=sGkN?eyf4eREo-gt%*${i}_^r)zFa4R9R{d|L#jM$}
z2@EHgPN+HT<6m+~!Sqq*!PCFzZj?6qcVk+Kn)MU$&93Dtb0<$;IpxljFIUy>ht3vS
zck7AQ%%)@8=T}#}?5}(I?C$B+KTmpcF)(~ydj1G||KEq7RoM1V@$0o`Kj^Obc2CJ1
z!-p$)CtMPC;(Vwj<|U<c-s`rZtf=w!vzdbaGDqHYFg#IFtYLTB)g<$9g3#ZS2NzD9
znP2-ZGh*|y{E~@6l{_8(_x63vo%C{3+5?&BES@Q8t8SO<+@>qrs(iS;d1dr|*}tFr
z|2O}8{QLWd<Y=uK{$+_l4IU0g6BriHZwzFY@E211%@KaDQvKcE`~QsB{XcL%`N^%>
z0zUS9f-M4K3779G3+QmParih)eJ=dF;`=i9v*GdK+o#5QMlZ0*<y!0K#qH{K<cURN
zk!t^aqgjXJ?d9cr5>J#AYcAjFpVIm6@89gYLkGUO&i#<Ed)acU%X60=WnTO2%sW4e
z@{F4qmt_x~|B|GCowak(l1ESfW<9x8l2lQwHe2=^+h$hNiC!zudfvbJic7Ni%<jm?
zI~Oe6|L3j0{NLI4YyJkGxB0O0Xoc>#mum%A&nuhrc6a-_oqxZ-7wY?7cJ|;Lv$cme
zYRYpT-q~7~yXu~ny|hkPx@ovnO%`8EQJBc_?UpOgPFJ1WeAsn;z#Wa^ld*os_UmL#
ztNVZQ|A%6BzuGk{o38Xb{#qS<oIPKw>wa$el{Z0a>#LS+Te>si_L^^I+SdDIYu@Vm
z&sd+AxW@00K-CjDAqS}*Cc(C)2P%RRHfa=`KL1DQ-j|2>9hB~}Gc_NaVY^5C|Bu!7
zz0T)t`fqMJS~Gj&0$r_~i;MJ*rhdsd=Ox9^BK_2s{r-dfKTlg1x9)9jb*@@dp<o;k
zA?3g9%!l&lKepGslQ#BN)hS@-wY#cX^Wvy^t~Y<>e><*2wsWg?EVmVw)0EHAk+0rz
zZ(iLdx$9A;yOlZv89W*0sA|QTu5img^W$)|(an8=`5M#1g*p9mKFOLcy8W!X{@Z@L
zzYmK42R%1cns~YI>C9D4ezttg&NFWPzu(uB`}4q*$IIWfiRf`AD!BOQ9o1<Gi`o8G
zV@pT4IG3TKO2o|s_oWd_Ckw1oJ`u`isq}J5aQId6XL4N6`{d4_Nx$IUJVQWw!{wh#
zSHC&`Dk4qm>%UJmx!rSDiLvhw_<gPVpWdI#<uY6Kzpk(Ii?dwvZV|gD8&{LTB96tL
zjUVkgum3%y|M=|wAGbdUMG7#wuqY`^mOt>L)I9myQFei8t2#=>Sxw3<n-;$NI&+s!
z&eLVaH5)eEwy8*#IC(MgO~khc((bK?N)LU>2<xf+`}5;+9UW<x4uN?mzSR~)#C&{r
zGXBc3EsM%3HUwWg9(8%`)1$U$zx~-fcSnd;vH$Tt<%Um<cls7d?bCbPn{zT{lk>lX
zbqmylIk#RdpEEJc@>h5KtsfWOwbm+LQ~o2$8ewZW<=j%9<KO;&|8!&8ce$cJSESb}
zIJQVI3AS`JMr_U~zL8-(BV2T@LCK1nrA`y3r%wIkxocjN(7rEMj{VbKx9)t+*Uj#n
zLY5*K9MVtRcAfd#Y<)$P)x0Kr?alDWHMvIjbxrmEZ@zVZ-+#`(AKGqYS+S=3RfV)S
z*f2Wx9dK#e@Oc%}x;@|Z?tFgupSx}sf71@_KcVTVzuFCUl(P5L{bxL~RcuRQ2JaCb
z7X}^1GZwy_JknM<@iLW~HU+u!)SDem1HRAc^Z0eKPg>3B_k1gh2t$J$f#PsZiTA%B
z&E3u&en+D9;z2)UJE1eI+)tIy9=mgSZpOcYlM&heTusJ7N}Dy++t+*UcD}vo<r|MA
z1@i|!DneP^?^kuEY5w|OmwLPW+uZ!M4_0z*uv5M9J^X2BtbJsW&3`>H0~VGwJ}iqk
zmZdVaTr;y??Z?Y-+vz}0i?YJ+q6w!24;9A*DJcryGkv2jH>LX78v(PEx{r*~y|bc!
z$<AJGFVf;!zRxPhe)Eq@uk8Z=e~IN@_T*@d(sX|Yor|m5RXCW6czC=H6*xV5YhNh6
zM7!W}b)9&!wH~veLdIII2)Fwe+$53(kGo%pSfSV@vGJu=!?HZ5KSwxACV86fd}SwZ
zyH(g~^4&MSI=}K%xK<XN{_MW~j_y_?!)UXPpSSMME>X{u{lU8SYtW58zS3!rXC5or
zz3E5JX5;@(-rJwwuBkcZ_Fk-Yp`+B!L*;GjPN@8HoBVgDV!F=Mpy)~ScB`(L?f>u8
zH1_%N{YU4|niCb+V9fd3=Tt*-^}oEbPp9U4ak|H5vbrDPh?sT3NNHjAGFdjUi(c#0
z**2Wun55wEyi_>g<dg~PmV0<kk1?Hb)8OPQ?ce=5V!Q7MrdR(;U%&3oq|mdwm#vok
z`0?l6{2y7LFZ!CU)l6x7TNxZBcxaUxr&5Z9gvy}~b%Sf~6El`H{Ct*n=l{fd?v*MY
za}4y<;#{S7y;GPef4q7Ae`%k%-~*o;wYIP+al5c&yfWmoisXE8<OI{%8OqI1Eo5##
z^wmrGyJE+}84*?n#v7MJ-0Dc)_f-G*d$rcHg#xl%uRd-}(2I$(yO5!0BkIz9e44J<
zffEg3ueM(9G*K&CcICuY&;14yU!CTwR({!YYs!baxobXtSpVk7H}jk=>t+=D@+n-;
z{;4jX?XvN1_?#Uds}xrpIKn8%E}(Y7Eqjxw^tIc2jIME+FdXSf5|0aWQv0P48_sdP
zFoG-GGV8g*9`)nPj{PY#joXv_=_vmhvlTx+{yd&{`>x%U@IDi(V@}5FHyxUsJEP-)
z@#6U$&U}dmiwkZ`Z-2ORdEdin{B;u3?-taaf6vTxB~;03uK4mzkv3nhiVI$icgj;~
zJ(j~A$kTGB!{4>hbXP}5!1k$EYC>dhzv|cLUD|xG*?rw#JCB!V)=N&^8N1*A_(!K3
zeao6uZLiPB3!OeMlYMiwmfQKPHns_j2VZW>tT@~tvHx0m`*xMfFDD*J*yiu6BJ|FT
zebdjQ|F=AU%r3X$b}{F#Gl}1RIv(>BpMCpx;pI%9`WUU{3NiIQmNOaEC!SX=O0F|9
zUZio}_Vbz>kJmYD-x(Th5}0dvX>Qu#ZMROpXxS|DV%m<n>$!(bF4iA!TPiIcb#dAL
zxQaK=Z0GI_(Y?lz<Nss%x!i@qN8%Yz2n9@OS)^X@J9f8$Y3T8V%B3R5kMBBU$M=`#
z!mGrG!WWr26F#ld{%~b_+5*o<r*4}oycRN2_`%~5w_0pYg5-rWFC@C7)@)pEIsMm>
zFT&>fW`}jR$8Re+Ea3Zvf8W*JcT0ANZa<R~^7QEj5wlmuZ&%c47|bnd7yP0Z@%mMy
z-R$Lu#FlbNPuh3?{qsqdrVpyJ?o8aYp=8O|kL&**+!DF`!*v@mafKg~`{e&GFV~5X
zu8XvM*YZI~dEM;S-!J`~5-m~w`RAe+t7cdh&Wn5IcVSy#rP;NoQS4vCTtg4LZqIsV
z5w<(1bzfog;_}+0y6<1Bqfg%}5?P$7qjY-1>f;~%KmCsFKF6Rj=|F>X#pBuQoHN%o
z)}BA3$Z+`cuEVJ=ubn*<Wv|Tm@aFn*!;lk7uQ{HmC|-4bHknPcs@{O%bk7N+S+^F5
zWWLGOsh)4~>q)6taQRa6)MKFyb8X(AIr=&4;<>`5rsCyU?2C5ny0IbRSmy;_W+#p(
z>XR4kxLR)Psy|i3;%}W(&#t~%9nAkO)$jQ?v30t({nl6Ww;cPpYsQm(>i-^PTj%}%
z8NK9jU!=-vzVD`g-UJA2S4)c2h}?YVy0j_F;V7rwXXi%UeDcTZ$)X#6=DE5{U34?=
zHqDEv`MaF2{_j5Li;Lp>lCNxWOVHs7i~O&7NWEmTEh~qJ?4f51SvK)KemVVF;?C?(
zWudDx&Nd0y83s2ou1)qht#C5qy7Y|=OZgAp<BFOlXn63;or9+eKAlRFG&sZ2<7#?M
zfaOTp$$a<t`qSs4k3X9${`>T`&#Tw1y%w!|InQ5lm29H$lxETU*Y-y6g}l%XsM{RU
zDtP}pci#N@lbYA9c4Kw<%U!?a`Rj_xY_Sh3jhoMvFwOP$e767p^s3Ka-~XQCl~#Z9
zfVSrBl@=>w4!@M<F8&%ByY2|jX0P4ap<<nZ6XUL!-A@emQSoKtEK7P>_xFbVzl^Q5
zCU*_Re3LI2iU~&FczkBQU-C-520IQOtwRM(1xKIW4xF{#!Asoy%`Rc(lf4qY{Bze`
ztqI!pXvt&We{Oq<A1SZ6p*rRJo5S0rWzWd3T)0%1$@hY7;_G0EgPbA^w{A5>Dx37I
zvYS=+@_~5$m);*2_ka02L3-61X+}vy`CA!@oq>wGe>J8=1>Ikw|I1wcuFwAIUQa>~
zetx<^`Krfek-s0e*Z*I!kKu)Vt->pt)>=2!ANTI>`@GcJ{>xh1pq-1a{W`twWa!^F
z0oLdGkNcJ0Ja+nJT%_cK%zm!5Jf9Nhx!ty09=}A`bE04U_MbP+Wix8BQ;tq|o3`6?
zMsV$aEtP;5Z8ff*65m+Vxb@V^<ND48@?YPVD{M2{@djJWacjwco&LMT=3WY3_c&3*
zvcu4nYvxY5lh%zdU)eAGdm*nRr{@NfVQKHRIhT%Zo36{_8(x@vdWFzJ+s)NW)|>oX
zc3t$InePdeM;0%yNG}LUmgK#=K;Z1Vsh1q;HuQ7NmR)Y}<Y(RfQ<ZkS8t%QDj?TNk
z^IhZgxW4<xHH(?!`yTYmZ_X@UZugzPuI|Tn-ra{UE%VYVDmAy4OVc*q74k0PhMKU-
zrW2PVH1*xMC%<#BnRBX8tzM(<-!%6o|9cB|ynd;>nEm(NIhV3t$Im>W#;783LNL*T
zGv~yv9nbb{U%cV5p2S_IQVFvcslO}!-tb^(nGn#mfTekj+ZU69-?i@#xYg?J`}8GT
zU`qc2Rh^clp)X1vMV)D2I~?V(xwVrqFQR7kKYnwcE9HB4+}yb;WlebQj0L7qc`mtE
z-U?aqNOUY(u&=X4C(mog%R2L?sVN6PKG~q`y0B!)U&Ffz`y>vrA9(ci!10y)EC1x*
zH)Wr3_flbd>vLX>sV9HVWIV6=b<>syu(bd^o{=9|CO9x<Y9&SVobXIvadrNgqc@xS
z9{a}U)<3GtRpMIfnxUJt&0yPVj&CCE`#0@dd)#3b%dgfWp|{H)J(I69H@ow>?1eJ#
z1lBc6=Y6_hwS4V7kq70)EQcHv+H5ie`2^H{nLVhz{!b<EUV*rc=Y-WpP3j8|aLI4z
zIT4j{)?i^PA8+l_Z{^?H*JcFontYyrtNLW+qDz`dE-Dk%R2mK?IEt9<HnM+HnKys(
zXIsMu8m4DvmHofB_5RHL0YBH2>csIiMr3D)_SeQ~O%*>S8<eN?UM*PD-2TzCUu>*_
z6F2P*$#?8k-8ALBcSik(iQnw^S6|yVB~me9T4BtGJ#K4!6)bpE95os~IGgWhUcdjd
z?TP&RoWX_<wl(xJW-})5p0A#hCi-Q)XZcT;2zMTDwj5n0K8N4RTi*3e@c6N#{IK-L
zYkzL9^=2t#Q+*KHb)aqc?$k3krW^Hd+5h8Rizk2T#P_emlRF)KPU&!|{1SbtW^-}>
z&2nK&^{2~R<8~H#aL$akxbx@F>8a<Bo?%{7`R9rH{rx;<yO$QVwY(Nx>XrUC=i+Cs
z$Cu7Oa}ive<j}jb)?~sb&Aax=d~u%}{<cepoo>0F#kiL5CxiTf2Cv8W_k3NvBlEhf
zfS=F|odf#<nt63f&KMXTlxTXVc<|@7S7osiTiY5<d46`Zd2k<@tQf*pas7zxmw%1&
z+r2LAJiIJe>U+cAGrXIhJutOf`n%X<f>cOy-hLUeqm7Ig_aB|QlkxmyOZC^4n_g&`
z9+_7D|KVAF{rH^9&Tdz=u-ReDH-69$vaAex*HALK)=z12$tUM?4tXKpk|)2Kd^k?%
z<{a+)2NQpAzrVn7p1G5QkK=Erja||I^$Dk6gmI`IaAiDV=X3m!OT$Gmx9E)C$LpTF
zIb?78`|eZuZO32TWVjWvLf=K8e5b<s1J9zqJbQS(Q(pg{^zLgn4&5~C4X}}^|0t`s
zr%`0n&N(vQx?T#JnwThjmaaK|-qKTF_xBWKb{W;rPiLMJ5C8h@=p%;Zs!e)a@)eKv
z|36_fxz<r5J-{Mwf5{|C``|CXjD-E-i|(8ZG<+GXRe$8o&TpLmuCINq%k{1*qj8JZ
z<Hh;EG~9%p1!gHMW${%zs9%zx%)DAs?cLj5-7II8bIdy5x1>jo^KBt#Hiy!r2df&a
zybQu4TV6^`$$c>Iq4mpufBJ8Jp3D7>r9Snw;O6I1^MiicX{mM3OiWMEc%Sl1c;D<&
zqjmbfWZii;9pwK1^A)?e-n9Gn;+%UlY82jG`5&qks&f2oxS!GUUo%szOy8sl{jH07
zW~{g8(Bxmy-{-`fDNJKsFz<(K(T9ujzshHv=q<N3Wen0f!pW%>d7~r2B*8Sn^k9}#
z%C4{)w+Oqx{04$NmpSc{7`KUqN#9t1RA6>c!hC^cw-@Xa+FSa@w`6g>^!#{rBiohx
zzq*OXDe7*X8IyJ4y}ZZHm0RWqWKJ!Xxww9b&Ni)&`{R7}*Q*Jg5dZvRqy6s#bxLQv
zkIM?In_V8N^mxgq&NZ`rHD{if`sUBH<8Q;u)_DKet77N)AU*Fd$2Q(PcJ5c_vIV)S
zLJm$-UDW3&Q-1uz)@Aq97x4O>|0{TIL(x4>)(vM2d<>=~RQ24;a+ocVw7qf9cKI;D
z8@v-V&Rp()ze_gqp?vtYuQ~m<*T2!Z{ZqH^)27;!K3Y?KRrhR}U1)pCx=%_W;T?Zo
zeZv2x6E5yt)G&Q<?1LR_*@yDER(3h<WL-MxX3Km}Yd<yJlP{|s?W=zOs;%Gdynbc{
zd)~bo|8h1JO$V+G1s8AXIkt1iXuj}J>|-s_5y)<|ShkMaBKq|;1vYJtgdN>-(|%UC
zB=Q{gk(7`;xQiu>MXcpvNMBvj>u80R28D~EcQ*6eIVg+hzi`hFzjXGur}^A3!kIHm
zHm%eCJ$2I29m)G7bzX4KOxdFMv-4}o=~khmH`Dijn=yguP+`}lkDpI@rkwm*>=f{@
z^546yujd;d4p8bezyEQyL7br5uMJKIy*j_ivRxEp+$__~d(h~h#6@R@CNrj64A(xr
ze7*Q%q?Ctt)A2%)4byh5bKssa&Fzk%z+%n_O$N^d&O5j2CAa-jem?29=k4M@C$<I!
z-t#;$XLiBnb?Tq{lz+1d%Kblc<*~Tehii)aO+6pDel~31|Bc;nbES{Rat)d73QJ~-
zubVx48~b+oL!1A;-tBe$|Ngh@{x@tqlqS)axNyPJhIi}=+!ORYW>^WZvdD7InD-!A
zSs=RU+1HlFl3CmaJ#tJ8(^hV0Heiuue7HU8#J$;Vk|7382bvym@qf?X^P6Ymn_IUN
zZEo8;|K6_c|0KofnXJ3Wk}0mzk1y)~y}kG2(gzvKCmrx^WMXL8u<u916fJ+RuiVE^
zAD;MA^IrMWT?^+kJmq<`OZy(@?RAF_D2Opl40+&dc_aVm2HCcYwyVuwIPHIT?Egm9
zjOtGvcV`BqT~#>z(NXqv&7DtgvqTJ7rZgnak9K?1Cex!J;dr5`FtUu<Y^U?_m9H&-
zHZb&Ey0^OJeC5mqdmf*t(@fcCcE9pNkV|Iv&Ia!`CjGiM%b#~tgn5LvEanOe{HO6P
zS6IdGwb;h2c-`6jf1b2IoXxW3BF9a46$V`qpD?97qY?*og?R2GZGI8^--?wQ%{~8n
z_O8eL>N@+sXI8gdU^>Qdjp3t^<MPF!cC8OI*z@P@dD`-Sxv|N*?{fuOlD}LEQ}K<f
z)bLR4O3C=<zrLpGUC_^e#Y>y?rMN0iFc<!aT^M3-y-C1o*MEt(vUb6If2T<43vk}J
z#`a*Az{e%s4wf7-^3SyRA8u;e#<Vf4Be^reJ41K3%mJ<p=L>BD(HqMoD#CJ>JboDe
zy;xPfK~A1QLqs91g|mUR`GRV_!l85fdS9Q~EG+0D)OYdTM2o90#W`>5x4!6){&H7k
z(vB(D>bDtua1u#6d)B?_&-?c`bz3|lrvK7jWpr-}?|EkDInA1a4K3CTJ0~2U`2O01
zcU^*>yv7d>pXOVz_qI}>s*<jNWM>4oi|zgUPZ@+JieA|EdjI)sWvh9o&23o>w7C))
z->qBD6gn{@Bx%Fxgja6NDx614<gP#6o*bI_U-DtRMa#DEZ?En>+VR2Hkz?YF-%e@U
z+m9@bTKRX+;RD<uY)$<lMe%l08p+?I-M@vpX6h`A`H`-1*3R_HZOczpKh!ukuVH+B
zKw!fCIqrWKwB)J_xUYKtSvBeM?X9mg4|Q&2sE+f$8`>bsbYi*SLE-xo4Nq+9&u}`l
z&S9^TNBE;}Cs+HON?cc}tjKXl)xxuN*JcYfn|IE~Z^!@6F!WGp{TyTQbWiHC51+Pe
zp4QLlp)#RG-DcuyxAWVC?v?5;kJa($bl}j)-ko|ay)&r$Uz&nS$CCCMt;RERHFs$C
zK3gbI=gt__*uyBzEWx^sB|GQ)WuqHqtIN(EXI^vW;5MHP3@6sD(tN@DP1v|YSB1O4
zxXHsf!m{HILlBdm@U}1gjn{M>qFMiUEr?-M*A=Y#s`Rrqw>syA<oQAuB|j&JLr#x_
z7JUB6$3Fl2vIPncCkg50{`1S;FQ8)OH$%3mQJtgf#TvVgjtL^l4Idq%5`T3Ze0JJ6
z;+B8MD~Bb!>+Fq~HcstW>yWeipZ&AEAIpD!>6-gBM@(Jk?t>!}HpRAb-6_`XeI6Zf
zThvGF!4~GH6#|~E8@1aWel=>|5~j@R(4`Q|Xuee7=UE*=&VQG+`86I+YVpp>mEN1N
z{<ZM*SBEU@a$Y-ca{lMIZ6@C`o76vyw;T0YQuNR6{#JB5_D0AQ))r=qmZRbv0zId`
zH%16EUH<xaVqizF)k2m#t+lzki+}T6u3Uf1WACr}IMM&JL%9;F4_)8zK$Snx&#{Wn
z<|&hxLw}UZ?1t6H*V{Iim5auBG<{*2GlfNci~g#=!H-UBYTs0p|F?AOh0i67&x3XE
z{9fD8&?3;p!fCkWK>LktvH}N1nLf!luQ=1N!Slrlr!5jIV_4z^ZW!@!H*j9ln9#d>
z^PM$}I$s~`|LwU~G1hK2*P4r)u3qb#$29S+SWndLxpi(n4XP0yDl+nyUN)E>bW+@7
z+4eK3XX6)^hWBe{R;e&~FkKQY5Mp|h<^J|&#f1q1P8>q&=Wp#6(SNw(3YXi1cRIBK
zEWLJ$Y3AmqjtSlkS{1CFS<(AB_sszop1T_}{5c&YR%~Hv;b&%NV>!HO`j^Pgzu}uI
zwDlVF8O~L)&fm)^zioS1Ln`BGrekI0vf2T`3#xn$?K5OutYYPQtVlNFs;$bLKPL~_
zUuFHWh;1QD!qh_hovD2aiVLce=S~lEnJ$&+cdO{EK=i5K*Y>B$ab`##j9|XT;KX=Y
zh3EY#hrD;qZB99y3lm$GMb}D4D{Q;lIQtz(oIm5a?`u0;)HnWnr<V|Mz@cPnpQ?$r
zOJl>oRmcAAa{W2a=7+5^hg{i(l}j3KM4RX3%{BFqSt9?!>&f&8MhTW@Q!{0!_rI5(
zD$;#p-IS`&nOAo#_fp#?E0KMWMMB+0o2~4w>cf0Lr7qP&GXyf*w(*>`@cUJwpS<0u
ztDI5cLMihCxl?Q2FwHtz_%Pd}MdzZ1<`%gSizikacsZkem0xL?NPRqMzI^fwwHsyG
ztZTPP%;bHNx;swlrQf0pwr>pAOR?@~2%i-ZArX;%bJJGknas1-h87-=a=CWsgXJ92
zXqG_XYsW5#C|9>S8gI)ueBeCOERMqSpG=u=efr2Kb6I%LM)io_Kl9iu82|eiyx_XO
zp{1>*ttoMNxz2*wo+-}!qJeHQf>s+3CS`x@(VMw*H%Duy#IodxGbVn_Nc=B$`dZfM
z9KV@8b($$l<Ju;iuMFl^aA0sY6#qR->8W0x$uZujV+tE$V-n)3@7}v-W3=Uwt3*Eg
zjSQch@(&O8PdQktr&g{haWp|lKw!f(#i}#DUru%I-e^_z{lVvB>+<9pcAe>G>0o8x
zd}oz!z}cX(M&QD_0|(eAy<ic1<!%)a&Kc5gB-VV>_>xIln<<a5WW{Nz3x4XhJ2ouL
z-{2d}E!fVH5Pw?F!TGR4Qm%5{;cLsc9o!_S7Md^BeBqO3@ZRf}?A&x`F@8_GAv3eL
z@WsXC8MS{j)<m}nN=@6nzIMZc$9YG;xP9W8UtlV}==K?wcN6Wn8JRhKnP#aZ1zlLQ
zU0eQ7ntZR-!hfNix32$wkfXCu_-a7kvt4~3eDoHW$2;g9onUo0LE=vB+jqLR+|~$g
zjI-t}xybW%l2${jBYSR(%&mn-&Y0fnn6;_)v~KRM$*MncA`j%L)ouLBGecS7UBbJU
z92eLE7qj*&M_ezPUTAoCQ|{&2-U+(%r)+rXC-Bhp-i-3BAB9CXb=R*EVk=Bi=kyhF
z)5v(J7-qM~h3)KFJFCrhO}pAwW+{|i;90$5)=D{<wM!FX|K}@p?^yP5#+^-_uDKe;
zZ)P26GjovsCi;Zob!FodOYPUz84v%x{k+fnVAxt$)7FDCrx|vHt^HDH#usqy{Gw#9
z1#ZGKbe$`Na&)B5vh^rMC`n`|u6f&g<Kss!xwx4rn~bjczviFHdF3>#z>ggtc55WG
zG)?4N^GWbGXNZ1zzzw^Wb0Ur{EE4P=o%npa&U@OeNh~<=f`!dfZcb-%;Kz{k-_iLI
z1=bmB)t4;)JmsdO=!2v^cK^2My0qUn*j2+EeY>+)N42ux*2ceyH8Qi#H!<9Ox-_7Z
zziBO7-?Rxu5|=b&s+RQ~vK2FX+~oQ7*z3YQ)9PEJ3;NUN=v#d{wJPC-mSnI$XA6Tj
zdsyX#dHo9WTdK>&-X4#=Amr@DyIp>T&HO_LFByKAxqO$*e5)f1Ta$ksULrfkY@^oZ
ztq1p7i>>3o_^_MxYx*z0Jv@!;(>*1pTy*ogdAn!p(i<l>nV!5PQFcb!&RjQI@Xo|v
z=82Xpw>kW_G9DG%s?PeThIQle#2R+DHBF)0HtdbG<%v^m`TTnC)YOML{TDU~YzR82
z#eVGL!poW_W>yk+Cb*<tYe;I?(xA}UYMbk`Ro?ph4jtnN<71V_=UhD*v?leYM6}ng
zXWxvX#IHOTf5h}6)#;4n`McHE`ve)~u1=fI>}I)TlaZtK_uHl-2iDyRk3O06L*vv%
zyA7QQ)3ZD}1Tv0x%#tcJbW2fo=*T;<Qz&xH8Lekqm3y~FpU6%(a@gQhQm&dP%dR%l
zq56z-<@D~gH*GTR9mwK#WO~~yb@f|dOW9Q>xoop_zqh6yV|i;MAQ8#Qd+J(&XT$OR
z|L3iB*1!DeyqdL@Fw+IsJ)CZn{=HsnDw><4X%fS?c16$Wx#!n!cSt^37QgB*cTcCn
z359w24kb<{%Wj>BJG(*eaDaJM+HKc{$;+l)^14vF?u_MJH>TYh7jCyQXtS%mRFo+R
zxaqXx;Ws6|n)^;VM-2jdb_go=nZ#+-XWw0sJkvm}%uZZ#Rm-%~QMV^;U1l`x>-$4D
z??3m^cg{O5_+V1x|N7fIZw4MXd+f&36Ss<v-^xnJ$&JXlyS;Or-dgWJd&8~HxSUV0
zv|(6ls?l}OvEkQu-cO4ST_z>4lygeod|bDG_o@lD=IjyO3ommXPYkbU5NUXPASI?m
zP2`1_c%^yw%=OnCdO6fCbuc&2Jmx)vd!C)(zqyb9&3-xSl0oj>>lb6PrK5X!r}u1A
zb-%E-zT$Grt_l0%^~D9IpZLYeP?vJ}#n}Y6oHs=Wc3rwuxHor4n$Gm~BHQiv-m7`T
zHM4r%PfM0%oY$m83^%ZtXvub*WeF4V(Vp0PREw))>vZ-7r6$Fprs|#>f(-UK*(h9`
z6SCv&ufj9$vYV${ZFnmoBYkDD);{y^-=80~UMH~KK6i%p+#A=T3PZSi)=A|~pSkwO
z1JTFk^YZt{udz9BT1j&8qzBwTosZ2}_cc3q^{WLppZFPX+Eul4*Hb~(^XuLh?rzdK
z%3iqSt8K*U-9PV@wOl&fve9~S!ui*!FLxE}opivO^YM9Qo+nd18g^+<+$6BU>)<k#
zCeKFecapBT7oDFrs_hUwd`#*Lo4#(nu&;4-%-?f!yS~1C`f6Ic^5WIJ!Y0{)7qVvW
z5X+1<yQQZp`_oz6<Ks0|`$ENOd*?lNf4?hL+ORD-cN&w~)K#6cr|!6`d9zCU!HO_}
z!|eG&-}i1=Cpa_I<m1j;_KUOnm~tEi1<tj12p&-5jPf+-6rOwEdiqZ$t=Ov57fM7E
zkN)>Ah*H>V+xhy}FN5zMyf(52wwbQk7LidSe_y|T<MfhEubmoZAK6>Yo%AB$K;qgp
zuh)7lzq|5ips~reHCrRuKHqrAe{ajvpc5H;0}rrfhTkiE|2oQEe|zuBsgD=b`dnY^
zwL#{}&TAb4)7FQV*Z;k<`ul?=s<(8rZ6g1PFs(Zr#mtwia?!1L#sXP(woev+AII6s
z30|`dZuj?MDZMX~=y;@o;l{*-^Nv>Y4;ptHR_tQFZD5etQ}tUzZq~2hHGDROeE<Cw
z_Ql=(+sl!-^WaxEOAXe`j>bBziMvxvbo(lAN(5{DIJb9t)8e_EEc<f)e|j|6oY(tM
z>a7<?C*<y2=9{d@b!c&#<-C_VM@@CMGv|exor?9p@9|wWB0Zq)&ib&&$`#wbWVUQ$
z?bCU-Uq0bU6zgoi0~UO10&L9>9A91ZGe_4#mFva7va3>ugc=qL{N~&8eu2fK$46~T
zU+fgvCA;9JU6(swEziQW-&pq9{jXQPTb{7^&exIyYrRBIzrA@bs76KSX!l%&HSW6v
zv-Doy(D7QNJ^%N{*X;VPQ`GdPJed13f<eOjNB-qwAxek6br-K*s*xqnx%fvw`oS{^
ze&J_pZaD1~Q;gYlxbnC7xs$A6TvlOgpIF?k<M}PNk3+b1h3!)XQvv7aoX5g#ojhz0
zUaoxn|D*9qrbA8|++tz{4bLnNtHf^kX0q_K@0O_GANLyj7fQ)m+1|3~{;FN^jqkba
z{C)wwZ2{{;&(>J<TGsB^oUlAAaEr`~vfD4ZuI*XUyV57^@AgZo1=q#rGTT%h=XK@W
z<(R!$AYyk+w{Nap*J0<t+h?xcE))D*=6T-5G%kzvj!y3>-Sc}K_oRQH^}aLuazypa
z+HEsd)r<ZXx9{H|>8QW6VEy(7cI<C<G)#D*r_lX**2?Nl+#3`OmTa7ma<Ee(`redd
z|DMk}5W?Ggio2rZ{r~2y4dT;G3qB=nTh1=BTIxI7$9Z=b7k%C=n>Q_c&y}c4#ut^I
zz0Fyh%U9;K`2yFWs5P$>dr}vlZBp3va$|XX?2Ztb2aBH0G+!QMpR;zQ%Q3wzYu8SB
zw4zpnV{vlg*=aWlWL4u1OwoM#(r>QzRgSZ*yYFoOf7v28pTlW=n1F)fuJ`t;R+6k?
ziDt|eVZWv3&HtBurha+z$+s+5-#adm;aIrKv|T%&^<bnM^Z5oV7aqno1qVmxm~#{Q
z`j0LbGuZwix90l+`GuEmvG2b2y5Ogah-XvZ^?wr;d@g)D7W?k@e?zC@g$JKzdHR=&
z8Kl0_C~W1G&%OR;;jX^v%{#7M+a+^+Pe$*`+}Hm5KPUBH@8}jtmizyoyZnyDqK4O7
z%|0`J4${5$zrH$NPW5`}wV%6h-(Iz9^{Vf&udZcfZ&ZE1DS1wdiW(1}8mFSM!30hf
z%QF@%ZF3rp4@mM^TJp@{RB`Z_k<xIo@R37~F#8)7x!)SwlCAHlL{C%AejB#E>iw!$
zQTM9e|9#e<cT(3qE+sn7V$c42^6OvS%inqb@3;I+CBMguGgF>v9dl!FGRb5#E<5Iv
z;w!~(yf1)PrtlBjck%qsJ5;6@YbYK#vWks+&it2RHfwK1PcWUa*1m(i|F5Og4CjUN
z0hO!|Pfc~>O={)*5y`Yqzs-;P9K%7zlR7rpf%n`h(mrO|l>XqZD0#Cw!!#{1hs`QF
zWTvo0`h%usZ?<<u9Mca^ZOZ#l_i@_+!DP+&6=pA8ERxkWv7Wgh;G4xbW3@!}o~f@+
zrp>ytY0bP8ll(0+C-O|U|G99k?Rur8-^uSkZ52{=J$55Opyq-^uxIbw%$IA7CNEpN
z(c-My;$4v&&RZURy&|9`*(}WHtj*0yCstWseQ~(^BD>z5+`PSO7RDGT9nkq+u9zLp
z=DbEmJ4%&#O{1^Ul{ERovHeds6yMh431eG0OXh;ilqiXFaWPjmZl2G>-jKlJ9`z;u
z!Q;kjwm<I8{onM%g~Mz<Q{g6~y))0L*j2B4)vnF<uApG2&5CbrKaL$Q+ojCEJ!99Z
z%w?jF1EiK7&yk&aS=UfpCu7gnlw+^_Zp|-_a$TymZkln-?RBQE|C=q({af`lMx(TJ
z-%rc^r?0>8I~aUDc57sVnR?Xw{xx&seKs#$Y0=rAnrIe&dPQZMsl1S7u)t0;Ef00=
zRR&rczCB}a^4>T9$m8bwrG8&d>a=<aMNDIw8RzyTa;g^7OP(t^N#B0&-nd`gA@?`S
zwX0Sa-Ty8S@Nf`lntyjo1*2Yq%!e5blVql>ezfpm?T*Kd))VEr8&~pNIWtZ2i_YHm
zX`la2=eBE6Ur@w!Nqh%a^m6+d@BYY5PUg+j4xHkb=Hw%s8hql?hcEJ`jAyPISxxi)
zS|H*6c3#Y<))|w7{H-tD{Pd-MN6z6B*X1m~Fddk4`M0*LWHH;ey7CqN`*tt?t+v|N
z_R_ZsRqy4;4lmiI&$GDp;-Y!kf@`^QHt{v^ms-_yKVNZC=4b8B9T(oUE}bO2^(ohN
zx%<&Ew<di!5o!0TZ03(?^U8OwbNZ3#dw)UHd=}}KM-~68^vT}ll^5DqRCuyl-{pM3
z@y}9j^Iv|6T)U^=*1DDb-G2W2X7?RF*M^=^6Ya6JWwlOq;Fc7ab-8-cb3>KsGIvrZ
zG`2*Ceb^QIg`dy7-gV#q*V0!~jHl0z`&6{K)ME2miSC;+>t}~)AAIGwtBYZokjT{j
zNy-uD1P?uS;_OrSaK$xH<nI5)KPSYk{dw;ESN3$_1^f3_{@v{ua$<|+%`ItpidVOu
z)adP>=@G8ornTClpZUdygKbl^*@~}8p4i?rFJ|eDx%0KQZa@3!+K~_MPMg(zSXXp^
zSH#pVfkys!D^iyhlpbz1PGvX|5pcMn*Szr2zUqJ%I!Srm&GkX|58V&{FC&=0=S_eC
z^I;*e5B*DL2kumIzIC_p`1~rdvbg4~U#=bXt1d7L%xee^`A`-6WzFl}^?M)v+AVcH
z=hoeehG(m-mUY|yJi4v1Xo|E}mgyVIMNj6Kos?kEVGLO<VHM^7<z$$UzS_+oZPVh&
zH2<a*Kkl!;_ha(<R_6ZwQL+j5uTKBEqi28k>l~#mWxJ-Obzd&LWF>U;rOWEHx0`;}
z{3@Tz@cPv6n!T@AGxq<Ml{=+6wQT#(!u(T58;|ZVym_?Cen-Ob-u~%T*N$zPz+NtE
zpgJ#@%RiFkjnCxSLd-f@4=Oqy^S?j#U|a8nzl<f;?8R}X<O|Z6J=OISt5n>!=O3HL
zF7F)Ho0!FR#U$dTW%0K+jC=*{&d*rx@Uh>`u9~EMf9vayW<38A7T%k4qNQS+uK3rf
zO<Q(fc3rvOm+keZzE`@x_7qR`c@*K7IiF+ow*ph|<%gF<p55d%=~m|4m!AF`=HL9h
zaPHmw74i?t*?u3rrSKzkajELHvQ6v0{>ho7*SmGnkBH4HUxzBOE!d-!X~Xc=?#7Dg
z;?4UWm+W2@An@Xg?6vhGMdf}Mn~hC2M(ok93Mm!u%isCqn7h@kYujDUu?KVc*qqm?
zvE$@zxX`4VVxazNMNfZn%Il*i+F~<O;~wmpbN6$?R7ZoTCVkm0t9WNzXh>pKdFJ!z
za`C#XW79?LA9AiRYrVIy@!Hh)d!D)9+fY5{Z|KX5k+UN9RL`kfA@XTn`@g2sR=aIO
zCC*r%%dk_wRcr8migxYJTBd1QF2@gDkcsztbW<ZX%Ij>*tV>HSE;EYyWdCb+^sXbT
z3!m+Mw6T!&*p0Q*-~V7>&-DnZ-H~_ZN6w@(vbkzsZPyxD2CbbH+??fqmghC=4UhD=
zH(zew@wME)_Ih#k?I{tjEzj-h*zkLDzn;zNj_AClY15xPy0&0@>V>-%S3;zhF1;4g
zH%<EgJWbYl>-VfZvr_5g#YIvs<#Kby^N#M1-Y%>h>wI2X>T8X-!Q8ZUe~Zs2*~K3X
z_J8MSBY*H*>Vj2lmo{Jdk!TrqfVKUD#hgXWUte!O7ymW*x{bp2<zYTk^Vi;!k)L&n
zZ~H#`VwGP@yJr-!-uFvU-n1sw;*rPfEm<dA6k1YFFffSwgU$swJLMGv7en;KIUN%n
z3i(~9D?jI`@F_T|xb#W(I=Oco|6X-=Hs93l5!|!r;6#QSKW?wzc}M(Dn~rzCNw4L;
z2}_NW6N743NgiVt6E8h$XU^cx9Ki5e+i>6A{P1XQ#|>&9tWG)cv96O6b@~-=YxM8x
z`%tkGuURYyMfz9mytSJvy65~{!RLqm?%buHHmiO2$qYCBOFw^>JZLvQz?gK=Vcq5)
zZFjvR+xGG5Uyyuf`O)8H!?g$hUb27et<HDM-Na}+o9Q!K#ySz1d26rC)}LLi_5MQW
z>~;6|f3}_e@4%ZC#UfuzUJJ+GpEJ|`j!hbWTCs$2Y+Ox}d;UvxMvk<Vt}O=5zEPYd
zN86^Toxc7|Q`**>@on0ZgO2wePARsCQJe8VpigLeT~77?KhM9-nNz1~b-=Q}kM+Q@
zd)u;;BTx3HSxNJ6wT(NuX|npGl#dR|T;H$0zL_Gj_S(&v3=wgSxjI`<&)vCax7~Bm
zYMJHw?>hvq7hW^p`uCc@?WTMkN3PzEAg@l-lP9!yr#+5)E~Q(N8<A6yX0j_`+od^j
zSueXjKfY8gD!fKcZ>hwrJ$-k#GVj=uukCiKcJ<kI<26c52`3(1tG$0P|NgJ)jCnkX
z%Zx9Sa9!b<AW*kvQmekVke=nQ&#!0O@BJzMKlQBjH9M*Ib0(MV2)&YgF5IuC?$;9u
z*%QwU(xwG0-t8B5MtwWqv3Ww_O*tIhVuoVbt1s`GwoKCP$lIB5Z#1?kgeyFl!{k0e
z-NN$0gE=V=R&4+Ks<qaA--jnBU+s)y)vvDjvU2*y?Qd`0dAZ6zW9@R~-2SU2R)#ZG
zKDSE;7U!>?x=!rxa)}1U7q7qkI9eANJK_6h=Y6+BCl%c&zhZUH^~cKN^Y;8)Ss=OF
zP)Vgj(>15L`Zf1A=GSe;_scRThTXncTC;p#S-<?RohRQEtZ%j3%qzcE>D9|e|DJ}e
z>oodt?M(lMt$PHet=Q)8w!85%KzYm79X~tsA1=%P&p7EMN19dh+;a`Adux83SNK;P
z-XS#aZ|9}+Z!6C~i{Ekc=FwwP)BU-OZ)K<-m$9hI{5=17p~39KoYC%IOE#wOy*aDm
zd&c*vJSUoSIFc47c3i&lLd)oO&P-#b87>Z|RahP>=_lA8U3<JWv`6r90oS};@2+qA
zBKQB#<lye-Nuq1g8pKuq_2#mc-CuWlefH!}hpkR8Q_AhX>SJa&by>0d?7(DyZ67`z
zof+36!%m7z-k<e4K>TU(zZLJNT2D2eQ2u1aV+&>D!cR-%tAD+aob5MJ!Lfy9A@4SR
z*~1ARV>>4wn>jg5_Vjb}+1~T+OpC1)(R@8)neyA^N#^#;geBHY;adNNOX$GbV*do+
zb^Ou0uIpq+Y9DjV;{Eq;WBq~rzn|rmCG#EqRX1GbG?>rmyE&$;#%gni-%t4$MumSb
zelM;0^X#m2*`2$4a+d8XxyrfF{F-&e%_-UbF7xl#pEmBToU=siRr(!S{}AP0FP`0-
z%o@J8yCcbsgHcQ}ZL`7Cs)<UcCK*Sse9e=wvBN>{smSKOlxw1QJPgh{7`<Ql+OG7Y
zLs7x9qDKMB)i=E!L`pvBUcC6z>D$}Z{JuMJtN6cjw;uYwmw&N4kSThTjx>L-ZJ2pg
zk(TfCK9fhs=A~)Zr6oFszwQ72s3<1Ed1dSyo=^AM=G?#be3xym*P5>}ThBGvmL9yz
ze{b@<)=U$jBOL<o?PSF6*Rw8e$oIXoWTI8!)RM5=^H%<GIqT|bgk!Dr)<(}*xRH<h
zaM;mLVgEX&iEh8bbn}zM_V;IO`xfauXqp$eBWB^OZ6A)x|BL_g?)yKclM%9IN-Vyr
z2b|bU&TJB^zE$ir;mp?X5A*FRnty-HkGuGB-t8YzR-1Md?}^-56_YYMTXxZ5o>^z^
zZ2jG({w>77nKLTg)M0;JLe|IqF*bM9Eu|Avl-+cgoO9M*)m8S@?OanEH%GIxG2ocX
zF~#r$7LzjDKl%uGORgzga^qw1>}vgg>!<TPwXc0y@ZZ;(ZO+zxE9%RWPVSo^RKdo4
zXKQWthox(y>mN?)yOjT9PP}?!Am8oOEtyB6`dg3nUEeZqp5LXPi`TB$xm{F^eO0LO
z^i&Z&|3xXQpKGmudG53KAG36CyA!;><H93PEj%#w^^%a>?`L&u{=HxJ?2`B-f3{gk
zM~-;N>&9&QsrC4V!pBQ)Z?;eCIh$o;w)NYZ>>}>{k3P<Q^!B&ah4ovv=7!GVJP^K&
z$AE1a<FrTxlZ1(EshscTRY}~h{1$h|{-1_j_50}`*Sf!Jw7bU8+kPN~DeUBdSz<cT
zep-nx5~<?4af|D|EtI~~Ut8N=ez&~I>D|m%w_ff%>V5q1tJ`WJn|5AP+?5fbA@=^~
zWafI~j~`ktdc<A$Eg)DBTYh_Uw%5V0J&oK>DiTS00@1!{osrSmDd`b&1RWwhI;N^+
zPYIo~<%!N?8P3f%Oo5XHD}y%ldTsD7>f7^g(!opq|F@rR|D6B&r2M|0H!J_vti53C
z`bYSBobjEfJNC0@Pc^J^i#A@b8)~{jEIOKhYvd})*!ljKpH)b>S4SsS6(l;ImvrWB
zNMqDud^5#)@#^SJr~l?X-?S}egW?D4YMFB1gMzbT&+jepe7&Bp=6!qrz8LmvuJylX
z3SPbY&03AGe^XV>joCi_WpW&^YJYzYnWMSOQAlJ;X}8}qvE^qzepP>SF!!;=j*k-a
z<W_V^_G_~iu|zy*@Y1{R^3XQz1A-1Ijagj#1em|FteM%E)H~^2kNbwyEM7eelQZUT
zr3Dtd8%@0uG*2hB?#7yRv-`8deKvgf^wVswrA&d<4Yu>sUoTqup+EnA+4YapXLlBT
zvX3iGb?l7yoAkv&+lW1Va>}0zK|4O&$Puv%n(hDmxrtzdYeN>pS0)|)4fEoTn*DzJ
zX_4OX$lx!3-p!e;uNBJElJQwYpR04xgf+2R7d4l>NN!RuPW&}<YkXZr($s5P&M>%_
z#a^|QV5!gAnwRF*zx3L?p0%+aYa+XPa<6Xb%ZhR@_MFsnJhMur@9V;&uF;#P88!H=
z*^y?^5ZE9tnJms<dRqHaWqq(-#{2TSjf;e&ZLjaVP*hj(WcT;lm09O?L!VEw{`baB
zV~?}@+VmCotd#th1s^@U=HBNm`CXS&135m|>FNFA%8PS)IwRp{&(fn>XTP4?{BmL2
znv&~3YRW@(%0jO?t$b&)H)6>l(^K12f3C32U0*u$-%CAXlWWQB{iPfBP41dwC7C6W
zvR0&U^V6$~Rjzlfl1}q|drETRyO^wG=}UFno!5M4DpmA;yZ8Q^-G9FoH?9sglKJ;E
z`=9aVG8Ml`>8~c*+Q_<3X3tLi>b^N}%XX{v(^t7XKHVH}fPqK<yPxyU=FPmVeEatK
zp4{qs{3Vyn_9veEpK#rOZuFch@Qcj7l_Js;`eX$AIQ*_G^3VTe-+%7$l{XLOYl_@x
zkgw_L=`>#3f8>~4_Kciet4g;n+q_}cs}wWeuRhDprc8RVGVJuZtx;w%d2?EChSu$@
zYj`S=JbU-9BW3o_*YWOg+P>K8a}&Rn*Sf@}+q;)P`}Z%Vlb_-EzjwFG*Zlr*KJVea
z&Br$A_*4p=JsoyuLig82Gq|`fx2DaUni{=2cBjsB%Uh*0Pyeyewu^RY=hl-6DtH)`
zx+E}6Vy8^dvoMc|T-w0`LQ0dP)=i#q$igowu+5}%rRep~Q*%}ZTs*nVHS66ft(?;}
zriV_g()qnq{klQY=KjCuZOi9q$8gWuP+jvd|NhQxpZjIp*PV=(EuA=9C3lH(a&D6K
z%abK>-?tp_Tlb(!Yy&gHdflj7^5<Xw)JgYGskD8tG;_W7;(2o>rG{Io#)sWnyXxuM
z9KkJ#b8@A$e(wL+7x(@9`?;PT3={a@-74L9`UY>*>%*O<?ys$+=X*`wxj1mk7W<yV
zwP(XNZNGSiPe<?7#<a^}n{recxn{8Yx&PY5c#Us^@7uSZHaVTU8^Upm&35~4m8%=x
zpZe;x^59F0pLe$Mzm2V^jFe2zTKlolFzfc#)cMzA_ub=q?GTV<GgqZ<+Lhw1C5p5B
zUcW36dgUdg_Ep1WuW0ZMp1D=ZkJc`2iQ0O`tvhp?&JwHHn>*(jcFsGwsYK0t@y#11
z&zz#7GCsXZYSs;tIvKPzY5D8VC5tR&Wjc?YZoj;9t+CmjGRLIVCs&&8iQe)#QNQ52
zw&v-p%U9Qbx}pB9MSu5?1ksxNHrpoDrUc)gXyzY#Uc!-KWrEGrrqrhB$rF~ONeP+=
zth2bz<6y~P#ym|*@~mlenHBF@AGXaig2MbuR~b((>boKuqkT;B`4cZqy&Z|c?+@D7
zmL!ESIVc<{O*ykj&01d4IQ-<MQx`SX*@xsGY1bCrJY(6FsB2>W+Sg4R#5Ug9!_BaZ
z;of11+js8i>F1u_J^NE#-Gy>%?^BW=RO44qiMnj`EnE71?T;VYCt|F6Pc-lUw_i*A
z?l<>(&C~z#v+{%v`ljtPTY2i{8Q!;#CI_GFJh|A)UVcd~x9T)!>F<{tPR>yl`8*?~
zi#y0C<@{G|bpak7$!U|8ok=rOlU=4}B)D}$iu7F5Emh7Px?Vq~bKl&yZbGp0qVDNW
z7d*CB4qEvy#qi(e-Sv;=x$fE2&X91~yso6=m-6m?avEO~m1a-zOiejC!%Qi;v!U!m
z>ngWy1O6LU4FU`J8m2N#J9fY+CnIg$vVLm^_uY%lOSWV?r`T%l(5{HfG)wPY$<kM2
z-LU-0rc`I?HCuVTw@it+ydur2#;j-3@$~esB7$evO|e|Vx`TT|iR(k_xvV@J;uLRO
zJLk7iS$v1|r?|Qc-*??=mEus55A<4l+F^J5{_h9=R`AYKuYdQQ|ILqg>G^_<-?>$K
z!Y)a1I6p|uIIi?<`J<nImW16)e0}!Et&4KSuk37g^f(`CJpQAo=GB(@M-M4E@-!`z
z;9S}<;na*r_c{XiA3t@Q%jm|-9R~vzKHz1$yXp-4-2<|vGNy~1YfsC*esA$1>!A{Z
z^}cTx-u>ObDf>X-oLHWj&kEKE^h`<kpqek%vSj({?qh4E%(fOWq%(3&GoBH_bU`Aa
zlIzQvC2Q`@TI#o5|Ly72z?)Nh4|MD@y&@p=+J9+_;A0zqhp7!A(J8vwzPhL1*a-Tr
z_c|7)&0#HiUth1gcApx@57woV?o9i9cjBDz7oYE*+ccqh-=oD|D|y>C*2-6AoYy_+
z{e{_by36ss@;~IizuWPc|MaEO`%8DKp5*mtIw;=r+(Nkh&W>wl%O59POVU%lB4Joy
zz~M1xui;d-!$sX@yKN@zIsUM9qTju;M89X-MECr0Soq*;)!juJ>{FLtv-VoM_)6XP
z`P=J%-<uv=_(|x4Z}y?}_5WYy*Sxg7?R6?}HmBy)g$;L#=5^|`oc5mgrhNJqd-<D|
z%)7TZO}_V(;gXl7t^x0aEP<?JGcIK0I!HDK38eNce7!};!{w&e50?VAg%Zhj&vo|u
zl%z0xIxXW?cJs{Rw+vrBPP%)mZnP9%@wM?eFRS0e)1}t8mq>hB67kw1Yj5hC3+dnG
zf6cC6b?v3h`=jE2r_Iv5{ad@f=Cy15?=6$&{Vtm{P1|*n<%BbD=RB?q6`va?Gqor)
zIqhOXm0*amOK7pxg7UDUDU4Griho%}7RJW?5Pv3HukxHV)^Yabw`Heo<V$MGLo|1u
zOS|#+@Ap5abJH%)(T>qS^=12<h)u8SOTKvTuYI~}w#@aLCnAoWj`2J>vxIee<x%Om
zjUDs9PI?ouI4w=<R@c)I7LEok?Tg{83hNo<=V%`Df2vk&P;g;Wwf8y;Gj+-2)PoV{
zp5D>te7NrO--_z$-Mm_&yICegZM3b`oOu3eMEm0o#rxB<W1jM`_+5Bxk*n%n`m{yj
z!;*-_Q=|-es_j0XS-Aes$<CLbFTU(})2aIA_mSuMH~;OopXqVFdi}I8O;5ezhaVfx
zpEL`dY@7GQS8P(nK4<giucvA0cDr$?NY0(8_?+X|txp`cYUOxX?nFNJO3yv_ao67i
zuRnO_?S3(>Q6^wr)M}Y@-KF2oRo^Rr{`Ta(7hB)G@nrZgbNRBZ313?8?@Ic6TsAy6
z-N(A=aOi`$1xIR5PX79D4v+h5zp6#LSEuT1_Px7E<7&<dzIl=X8yU9kTRyk{*;K8{
zQ>Co@7U`D9D*GBbFMBSW^+NFI&-Rv7*~STPW&5&nQua;j*?3Xm!sn>TED?TQ*VI(?
zi;vxwU1}x!bepwNc*v$HlNX(Syyt#kQG|!#6rsC6AF|8uf4gq!wQSSQCu^=Z+8Ov)
zulxD;wqDf(ezDYZzf~7M@Sgs3#_{4k2cA`2T)FaI%;lA0lM*)SUj2IEg~7&UQ|GQS
zWVD!ZLi5>HZoOSL4@-8P($qe$`Kxldj<;W2iMKzW#X707mNy$G{<~HF``<_Q^&wSz
zV{ZKWa8h#f_DjEB@84bb`?sur?0MGDOE*~RKi+Ak`FwZHa<iBdQQU#kLYyXt<{UKJ
zveh^Dq`->PqB*{PCoh_rXM7Je6j(Hu``SrX{Y>xjdEZ$6J$TgpSKHcZUrtZlnJsn~
zF8#VO>15ifTUVr`)F*DdCg518S95Tw{>)Q_PoImN{v9*L_TcU*4{C$D9Q9hmum95C
zTW<g1$ZD5Umdg3JZRg8PoqN!C+R{U_QZBu!@OoWwZ<*&+m&n6zg&B`jt`;sz+`_t)
zh1Eb)vRop3-4vq<eWy-4Jau(^>JqtQk+;>R`%{Yo4D&Yqe4+pTZo%)1*SVJkpFdN-
z>(!(^+VxkngfrKwm%3f<T=w(CjI7fy(zJ~OGknCdFU{QOX2j-i7+0_~{98!$#lXFd
z%5F>4^#uBK?$_5m6n?+&@5~=l)CIPd@A;cGf3yEfANi}tWcp9~96c5i?7fgNRr_aO
zkij#LbIeC8;|!;WJdbtyn5UT1pL%0^{mOsa!)?ACxm4+N##<@xZG6oI?bzKP4;Q?-
z&9jvIn%d@+$(7lcR&9+uJWEH#sB^0svk{ZJft!!kx|YK+4>veyg$Z~~Svo1!>yzBk
zRCV)j|Bl{O-@ozu-|t8BMRNLU65KP3)88r2NnCv~?OKL$Hji$~tgM+!m$mWo1}2@9
zGMMln#&Qn(Jb~2f5C0w#TzqNr;)&blXa7IM%)hpebpb=dtGVxYTul7&-EFp}cUn~R
zstj-4q%AVhDL#d4{l?QC&k=2Xkg8X~-q?G+^c#Qn`@av3Kc3D$>Gu5blr?qR?$lr2
z@QTmQ<xtK>kJVz4tW$I&m-sgIb-bL?V)}q>jw8o8nS(RWv!3==?3(nsOx0y(^sV*c
zhw6VkY`cB@e#VSxQ_b2s`{Q;leQ;`i`hvvlH;W9nd9_W`3GCKUiZaVMAR!{Iqpq6$
z-0KUc>aXBM>qY<n`DY!b|6)$mjw2F%vEPNKvpLo9EMSU^R^GIb)u=%t*~jQy&9MqT
znVF2=^ip5`-~I8RJHM^a^5?>a>p2S7+&;+q|I0+jtFnJoEK4K{Co50e+VN5#W_g$d
zbDjdjLCIp4<i;mD>Ib6k+&KQFrs8{Y{{G}kelN{sb9Ud7t@&JQZ9c8$tKYc|%nF_^
zx|>AS8!!|)7#?KOtK{st9=-D4r(65~Jrq9soat~$7vs5z7v8V0pPVl*x9f^<k~;I(
zbt-nPTjq#a-n{bb=500g<9Sv!G5fh%F8s7oP5-^@!|Uju502}}PfATUwlq1?qC43n
zwSY-|Rnex<b(x2*J#H3`uSrV!SnU2*`_AW|Ew9(yulxAQ^i!?)m;NU)8v~8ZIQop3
znGDi864fq#>zqB`>gNyj_twpETcViuTu{4_ed6Sos(BN_f9mc%`oQYC?WLQS4#j6B
zmd%^swBFE3;@o@Ze1VwtqP#DDN;>|rng8c=Wz;$I;0v>5)`jbG#;q`Tvh~)P*SUHd
zuV>EPE)=7$#d+>2SH;5o7rYJ+Uf0TAn9Z{;+__tRH`9^XES34KlmCacy<JmnyOep)
z6{j~giY@1qm2OD;yfJ6a(U)wGJj<~DcxIKchW8trHy_t7V%fJqw7|~nW806@|EFp-
zKJS%V&gC568|1oPS?K0$*1~+D8*#e6FMbL&>}B;oE4`Fq-_(bTKG(8dkoFMxCZ_sB
z`VoJHAzOv<T!n9J3jOz-Htc=$Jf^gvo;U2k{)1m_WFOQVW&C%RtD^W&*|B^7?V}|t
V<Uh1dRsmf!<>~6@vd$@?2>=>-vLgTh


From bb473f538504c47d7d97c2ee0506569a71df0ce7 Mon Sep 17 00:00:00 2001
From: Padreug <padreug@aiolabs.dev>
Date: Tue, 16 Jun 2026 22:47:42 +0200
Subject: [PATCH 02/19] =?UTF-8?q?feat(pairing):=20m010=20schema=20?=
 =?UTF-8?q?=E2=80=94=20bunker=20pairing=20columns=20on=20dca=5Fmachines?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Schema checkpoint for seed-URL pairing (S0 / #9; spire-side bitspire#52),
model A1 — the spire's signing key lives in the operator's nsecbunkerd,
not on the spire's disk.

dca_machines gains:
  - bunker_spire_key_name — the spire's key name in the bunker
    (spire-<machine_id>); used to re-issue connect tokens on re-pair.
  - paired_at — last successful pair; NULL = never paired.

Both nullable, idempotent column-probe add (m009 pattern). Machine model
gains the matching optional fields. Validated on the regtest dev db
(columns present, migrations clean); 191 tests green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 migrations.py | 41 +++++++++++++++++++++++++++++++++++++++++
 models.py     |  3 +++
 2 files changed, 44 insertions(+)

diff --git a/migrations.py b/migrations.py
index b8e6ec0..da8ba07 100644
--- a/migrations.py
+++ b/migrations.py
@@ -735,3 +735,44 @@ async def m009_split_fee_fractions_by_direction(db):
         await db.execute(
             "ALTER TABLE spirekeeper.super_config DROP COLUMN super_fee_fraction"
         )
+
+
+async def m010_add_machine_bunker_pairing(db):
+    """Add NIP-46 bunker-pairing columns to dca_machines for seed-URL
+    pairing (S0 / aiolabs/spirekeeper#9; spire-side aiolabs/bitspire#52).
+
+    Under the chosen model (A1, decided 2026-06-16), the spire's signing
+    key lives inside the operator's nsecbunkerd rather than on the spire's
+    disk. `pair_machine` mints a per-spire key in the bunker, issues a
+    scoped NIP-46 connect token, and hands the spire a one-shot seed URL
+    embedding a `bunker://` connection. The spire then self-signs all its
+    events (kind-21000 RPC, kind-30078 beacon/cassette-state) as its own
+    bunker-held key; lnbits' path-B roster routes that npub to the
+    operator's wallet.
+
+    ("spire" = a bitSpire machine; the legacy Lamassu term was "ATM".)
+
+      - bunker_spire_key_name — the spire's key name inside the bunker
+        (`spire-<machine_id>`). Used to re-issue a connect token on
+        re-pair and (once the admin client grows a revoke RPC) to revoke
+        spire access.
+      - paired_at — timestamp of the last successful pair. NULL = the
+        machine row exists but no bunker key has been minted yet.
+
+    Both nullable: machines created before this migration, and registered
+    -but-never-paired machines, carry NULL until first pair. Idempotent
+    column-probe pattern (same shape as m009).
+    """
+    additions = [
+        ("dca_machines", "bunker_spire_key_name", "TEXT"),
+        ("dca_machines", "paired_at", "TIMESTAMP"),
+    ]
+    for table, col, coltype in additions:
+        try:
+            await db.fetchone(f"SELECT {col} FROM spirekeeper.{table} LIMIT 1")
+            continue
+        except Exception:
+            pass
+        await db.execute(
+            f"ALTER TABLE spirekeeper.{table} ADD COLUMN {col} {coltype}"
+        )
diff --git a/models.py b/models.py
index c158fba..90df810 100644
--- a/models.py
+++ b/models.py
@@ -56,6 +56,9 @@ class Machine(BaseModel):
     is_active: bool
     operator_cash_in_fee_fraction: float = 0.0
     operator_cash_out_fee_fraction: float = 0.0
+    # NIP-46 bunker pairing (S0 / #9). NULL until the spire is first paired.
+    bunker_spire_key_name: str | None = None
+    paired_at: datetime | None = None
     created_at: datetime
     updated_at: datetime
 

From a77f5bcb5c853ba9294a63b89b08922f9d99f7cc Mon Sep 17 00:00:00 2001
From: Padreug <padreug@aiolabs.dev>
Date: Tue, 16 Jun 2026 23:17:48 +0200
Subject: [PATCH 03/19] =?UTF-8?q?feat(pairing):=20bunker=20pairing=20servi?=
 =?UTF-8?q?ce=20=E2=80=94=20mint=20per-spire=20key=20+=20seed=20URL=20(#9)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Operator-side producer for seed-URL pairing (S0/#9, model A1). pair_spire()
orchestrates the nsecbunkerd admin chain via lnbits' NsecBunkerAdminClient:
  create_new_key(spire-<id>) -> _ensure_spire_policy -> create_new_token ->
  get_key_tokens -> package the <npub>#secret token into a bunker:// URL +
  base64url seed URL {spire_npub, spire_pubkey, bunker_url, relays}.

The spire later self-signs all its events as that bunker-held key; lnbits'
path-B roster maps the npub to the operator wallet — no nsec on the spire.
spirekeeper does steps 1-4 only; the NIP-46 connect/bind happens spire-side
(bitspire#52) with the spire's own client keypair.

Scoped policy 'spirekeeper-spire': sign_event 21000/21001-3/30078 + nip44
(kind-less via add_policy_rule). Local _ensure_spire_policy (no cache)
avoids lnbits' admin-pubkey-keyed _ensure_policy cache (policy-name-blind).

9 unit tests with a fake bunker (orchestration, policy reconcile, seed/
bunker:// wire shape, error paths); npub<->hex via lnbits' real helpers.
200 tests green.

Known gaps (lnbits NsecBunkerAdminClient): no token-expiry param, no revoke
RPC — re-pair works; 'revoke spire access' deferred to a bunker follow-up.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 pairing.py            | 268 ++++++++++++++++++++++++++++++++++++++++++
 tests/test_pairing.py | 240 +++++++++++++++++++++++++++++++++++++
 2 files changed, 508 insertions(+)
 create mode 100644 pairing.py
 create mode 100644 tests/test_pairing.py

diff --git a/pairing.py b/pairing.py
new file mode 100644
index 0000000..6725a80
--- /dev/null
+++ b/pairing.py
@@ -0,0 +1,268 @@
+"""Seed-URL pairing for bitSpire machines (S0 / aiolabs/spirekeeper#9), model A1.
+
+Mints a per-spire signing key *inside the operator's nsecbunkerd*, issues a
+scoped NIP-46 connect token, and builds the one-shot **seed URL** the spire
+redeems at first boot. The spire then self-signs all of its own events
+(kind-21000 cash RPC, kind-30078 beacon + cassette-state, CLINK 21001-21003)
+as that bunker-held key; lnbits' path-B roster (`nostr_transport/roster.py`)
+maps the spire npub to the operator's wallet. No nsec ever lands on the
+spire's disk.
+
+Division of labour (vs. lnbits' `RemoteBunkerSigner.provision`, which is the
+reference for the admin chain):
+
+    spirekeeper (here)          spire, at first boot (bitspire#52)
+    ──────────────────          ──────────────────────────────────
+    1. create_new_key           5. NIP-46 connect — redeem the token with a
+    2. _ensure_spire_policy         freshly-generated *client* keypair; bunker
+    3. create_new_token             binds (client_pubkey → spire key). The
+    4. get_key_tokens  ─ seed ─►     client_nsec stays on the spire; the
+       (package token in URL)        signing key never leaves the bunker.
+
+We deliberately do NOT run the connect/eager-bind step here: the spire is the
+NIP-46 client, so the binding must happen spire-side with the spire's own
+client keypair. spirekeeper only mints + packages.
+
+Seed URL wire format (contract shared with bitspire#52):
+
+    spire-seed:v1:<base64url(json)>      json = {
+        "v": 1,
+        "spire_npub":   "npub1…",         # the bunker-minted spire identity
+        "spire_pubkey": "<64-hex>",       # same key, hex (consumer convenience)
+        "bunker_url":   "bunker://<spire_pubkey>?relay=<bunker_relay>&secret=<sec>",
+        "relays":       ["wss://…"],      # relays for the spire's own events
+    }
+"""
+
+from __future__ import annotations
+
+import base64
+import json
+from urllib.parse import quote
+
+from lnbits.core.services.nsec_bunker import (
+    NsecBunkerAdminClient,
+    NsecBunkerError,
+    NsecBunkerNotConfiguredError,
+    npub_to_hex,
+)
+from lnbits.settings import settings
+from pydantic import BaseModel
+
+from .models import Machine
+
+SEED_URL_SCHEME = "spire-seed:v1:"
+
+# Policy granted to every spire's connect token. Scoped to exactly what a
+# bitSpire signs as itself:
+#   - 21000  nostr-transport cash RPC envelope to lnbits
+#   - 21001-21003  CLINK Offer / Debit / Manage (payment flow)
+#   - 30078  NIP-78 beacon + bitspire-cassettes-state hello-event
+# Kind-scoped rules go in create_new_policy; kind-less methods (nip44, for
+# encrypting cassette-state to the operator) are added via add_policy_rule
+# because nsecbunkerd's create_new_policy chokes on null `kind`
+# (rule.kind.toString()). Mirrors lnbits' DEFAULT_POLICY_* split.
+#
+# NOTE (reconcile when bitspire#52 lands): confirm this kind set against the
+# spire's actual createSignedEvent / finalizeEvent call sites. Over-granting
+# here only widens what a spire may sign *as its own key* — low blast radius —
+# but under-granting makes the bunker reject the spire's events.
+SPIRE_POLICY_NAME = "spirekeeper-spire"
+SPIRE_POLICY_RULES = [
+    {"method": "sign_event", "kind": 21000},
+    {"method": "sign_event", "kind": 21001},
+    {"method": "sign_event", "kind": 21002},
+    {"method": "sign_event", "kind": 21003},
+    {"method": "sign_event", "kind": 30078},
+]
+SPIRE_POLICY_METHODS_NO_KIND = ["nip44_encrypt", "nip44_decrypt"]
+
+
+class PairingError(Exception):
+    """Pairing could not be completed (bunker unreachable, misconfigured,
+    or returned an unusable response). The caller maps this to a 4xx/5xx;
+    no machine state is mutated on failure."""
+
+
+class PairResult(BaseModel):
+    """Output of a successful pair. The API layer persists
+    `bunker_spire_key_name` + `spire_npub` (→ machine_npub) + `paired_at`,
+    and returns `seed_url` to the operator (QR + copy)."""
+
+    spire_npub: str
+    spire_pubkey_hex: str
+    bunker_key_name: str
+    bunker_url: str
+    seed_url: str
+
+
+def spire_key_name(machine_id: str) -> str:
+    """The spire's key name in the bunker keystore. Stable across re-pairs
+    so re-issuing a token reuses the same underlying key (create_new_key
+    is replace-by-name on the bunker side)."""
+    return f"spire-{machine_id}"
+
+
+async def _ensure_spire_policy(client: NsecBunkerAdminClient) -> int:
+    """Find-or-create the shared `spirekeeper-spire` policy and reconcile
+    (add-only) any missing rules. Returns its bunker-assigned id.
+
+    Mirrors lnbits' `_ensure_policy` but with the spire rule set and **no
+    admin-pubkey cache** — lnbits' cache is keyed on `admin_pubkey` alone
+    (remote_bunker.py:157), so reusing its helper for a second policy name
+    would return the wrong (cached lnbits-default) id. Pairing is an
+    infrequent operator action, so the extra `get_policies` round-trip is
+    cheap and correct. (Filed as an lnbits follow-up: cache key should
+    include policy_name.)
+
+    Add-only, never remove: the policy may be shared across spires (and in
+    principle other consumers); removing a rule would affect them all.
+    """
+    policies = await client.get_policies()
+    existing = [p for p in policies if p.get("name") == SPIRE_POLICY_NAME]
+    if existing:
+        policy = max(existing, key=lambda p: int(p["id"]))
+        policy_id = int(policy["id"])
+        live_rules = policy.get("rules") or []
+    else:
+        policy_id = await client.create_new_policy(
+            SPIRE_POLICY_NAME, SPIRE_POLICY_RULES
+        )
+        live_rules = list(SPIRE_POLICY_RULES)
+
+    def _norm(method: str, kind) -> tuple[str, str | None]:
+        # nsecbunkerd stores kind as a string; None = kind-less rule.
+        return (method, str(kind) if kind is not None else None)
+
+    live_keys = {
+        _norm(r["method"], r.get("kind"))
+        for r in live_rules
+        if isinstance(r, dict) and r.get("method")
+    }
+    for rule in SPIRE_POLICY_RULES:
+        key = _norm(rule["method"], rule.get("kind"))
+        if key not in live_keys:
+            await client.add_policy_rule(policy_id, rule)
+            live_keys.add(key)
+    for method in SPIRE_POLICY_METHODS_NO_KIND:
+        key = _norm(method, None)
+        if key not in live_keys:
+            await client.add_policy_rule(policy_id, {"method": method})
+            live_keys.add(key)
+    return policy_id
+
+
+def _recover_token(tokens: list[dict], client_name: str) -> str:
+    """Pull the freshly-issued `<npub>#<secret>` token out of the bunker's
+    `get_key_tokens` response. Match by client name when the bunker
+    serializes it; otherwise fall back to the most-recent entry (same
+    defensiveness as lnbits' provision())."""
+    matching = [
+        t
+        for t in tokens
+        if t.get("clientName") == client_name or t.get("client_name") == client_name
+    ] or tokens
+    if not matching:
+        raise PairingError("bunker returned no tokens after create_new_token")
+    token = matching[-1].get("token")
+    if not isinstance(token, str) or "#" not in token:
+        raise PairingError(f"bunker returned a malformed token: {token!r}")
+    return token
+
+
+def build_seed_url(
+    *, spire_npub: str, spire_pubkey_hex: str, bunker_url: str, relays: list[str]
+) -> str:
+    payload = {
+        "v": 1,
+        "spire_npub": spire_npub,
+        "spire_pubkey": spire_pubkey_hex,
+        "bunker_url": bunker_url,
+        "relays": relays,
+    }
+    blob = (
+        base64.urlsafe_b64encode(json.dumps(payload, separators=(",", ":")).encode())
+        .decode()
+        .rstrip("=")
+    )
+    return SEED_URL_SCHEME + blob
+
+
+async def pair_spire(
+    machine: Machine,
+    *,
+    relays: list[str],
+    admin_client: NsecBunkerAdminClient,
+    bunker_relay: str | None = None,
+    keystore_passphrase: str | None = None,
+) -> PairResult:
+    """Mint a bunker-held key + scoped connect token for `machine` and
+    return the seed URL the spire redeems at first boot.
+
+    `admin_client` must already be connected (the caller owns the
+    `async with NsecBunkerAdminClient.from_settings()` context) — keeps
+    connection lifecycle out of the orchestration so this is unit-testable
+    with a fake client.
+
+    `bunker_relay` / `keystore_passphrase` default to the lnbits bunker
+    settings; injectable for tests. `relays` are the relays the spire will
+    use for its *own* events (kind-21000/30078) — typically the operator's
+    nostrrelay; supplied by the API layer.
+
+    Raises PairingError on any bunker failure; no state is persisted here
+    (the API layer persists on success).
+    """
+    relay = (
+        bunker_relay if bunker_relay is not None else settings.lnbits_nsec_bunker_url
+    )
+    passphrase = (
+        keystore_passphrase
+        if keystore_passphrase is not None
+        else settings.lnbits_nsec_bunker_keystore_passphrase
+    )
+    if not relay:
+        raise PairingError(
+            "LNBITS_NSEC_BUNKER_URL is not set — cannot build a spire bunker connection"
+        )
+    if not passphrase:
+        raise PairingError(
+            "LNBITS_NSEC_BUNKER_KEYSTORE_PASSPHRASE is not set — "
+            "cannot mint a spire key"
+        )
+    if not relays:
+        raise PairingError("at least one relay is required for the seed URL")
+
+    key_name = spire_key_name(machine.id)
+    client_name = f"spire-client-{machine.id}"
+
+    try:
+        spire_npub = await admin_client.create_new_key(key_name, passphrase)
+        spire_pubkey_hex = npub_to_hex(spire_npub)
+        policy_id = await _ensure_spire_policy(admin_client)
+        await admin_client.create_new_token(key_name, client_name, policy_id)
+        tokens = await admin_client.get_key_tokens(key_name)
+    except NsecBunkerNotConfiguredError as exc:
+        raise PairingError(f"nsecbunkerd is not configured: {exc}") from exc
+    except NsecBunkerError as exc:
+        raise PairingError(f"bunker admin RPC failed during pairing: {exc}") from exc
+
+    token = _recover_token(tokens, client_name)
+    _, _, secret = token.partition("#")
+
+    bunker_url = (
+        f"bunker://{spire_pubkey_hex}?relay={quote(relay, safe='')}"
+        f"&secret={quote(secret, safe='')}"
+    )
+    seed_url = build_seed_url(
+        spire_npub=spire_npub,
+        spire_pubkey_hex=spire_pubkey_hex,
+        bunker_url=bunker_url,
+        relays=relays,
+    )
+    return PairResult(
+        spire_npub=spire_npub,
+        spire_pubkey_hex=spire_pubkey_hex,
+        bunker_key_name=key_name,
+        bunker_url=bunker_url,
+        seed_url=seed_url,
+    )
diff --git a/tests/test_pairing.py b/tests/test_pairing.py
new file mode 100644
index 0000000..bda1402
--- /dev/null
+++ b/tests/test_pairing.py
@@ -0,0 +1,240 @@
+"""Unit tests for the seed-URL pairing service (S0 / #9, model A1).
+
+The bunker admin client is faked — these exercise the orchestration
+(create_new_key -> ensure-policy -> create_new_token -> get_key_tokens),
+the policy reconciliation, and the seed-URL / bunker:// wire shape, with
+no live nsecbunkerd. npub<->hex round-trips through lnbits' real helpers
+so the parsing is exercised for real.
+
+Async is driven via asyncio.run (this venv has no pytest-asyncio), matching
+the rest of the suite.
+"""
+
+import asyncio
+import base64
+import json
+from datetime import datetime, timezone
+
+import pytest
+from lnbits.utils.nostr import hex_to_npub
+
+from ..models import Machine
+from ..pairing import (
+    SEED_URL_SCHEME,
+    SPIRE_POLICY_METHODS_NO_KIND,
+    SPIRE_POLICY_NAME,
+    SPIRE_POLICY_RULES,
+    PairingError,
+    build_seed_url,
+    pair_spire,
+    spire_key_name,
+)
+
+_NOW = datetime(2026, 6, 16, tzinfo=timezone.utc)
+_SPIRE_HEX = "522a4538f1df96508d9ee8b14072344dd4a566acfe03c25a92a39179c6fca891"
+_SPIRE_NPUB = hex_to_npub(_SPIRE_HEX)
+_RELAYS = ["wss://lnbits.demo.aiolabs.dev/nostrrelay/demo"]
+_BUNKER_RELAY = "wss://bunker.internal/relay"
+_PASSPHRASE = "keystore-pass"  # pragma: allowlist secret
+
+
+def _machine(mid: str = "m1") -> Machine:
+    return Machine(
+        id=mid,
+        operator_user_id="op1",
+        machine_npub="placeholder",
+        wallet_id="w1",
+        name="sintra",
+        location=None,
+        fiat_code="EUR",
+        is_active=True,
+        created_at=_NOW,
+        updated_at=_NOW,
+    )
+
+
+class FakeBunker:
+    """Records calls; returns canned bunker responses."""
+
+    # pragma: allowlist secret
+    def __init__(self, *, policies=None, token_secret="s3cr3t"):
+        self._policies = policies or []
+        self._token_secret = token_secret
+        self.calls: list[tuple] = []
+        self._next_policy_id = 7
+
+    async def create_new_key(self, name, passphrase):
+        self.calls.append(("create_new_key", name, passphrase))
+        return _SPIRE_NPUB
+
+    async def get_policies(self):
+        self.calls.append(("get_policies",))
+        return list(self._policies)
+
+    async def create_new_policy(self, name, rules):
+        self.calls.append(("create_new_policy", name, rules))
+        pid = self._next_policy_id
+        self._policies.append({"id": pid, "name": name, "rules": list(rules)})
+        return pid
+
+    async def add_policy_rule(self, policy_id, rule):
+        self.calls.append(("add_policy_rule", policy_id, rule))
+
+    async def create_new_token(self, key_name, client_name, policy_id):
+        self.calls.append(("create_new_token", key_name, client_name, policy_id))
+
+    async def get_key_tokens(self, key_name):
+        self.calls.append(("get_key_tokens", key_name))
+        return [
+            {
+                "clientName": f"spire-client-{key_name.split('-', 1)[1]}",
+                "token": f"{_SPIRE_NPUB}#{self._token_secret}",
+            }
+        ]
+
+    def named(self, name):
+        return [c for c in self.calls if c[0] == name]
+
+
+def _pair(bunker, machine=None):
+    return asyncio.run(
+        pair_spire(
+            machine or _machine(),
+            relays=_RELAYS,
+            admin_client=bunker,
+            bunker_relay=_BUNKER_RELAY,
+            keystore_passphrase=_PASSPHRASE,
+        )
+    )
+
+
+def test_pair_happy_path_mints_key_policy_token():
+    bunker = FakeBunker(token_secret="abc123")  # pragma: allowlist secret
+    result = _pair(bunker)
+
+    assert ("create_new_key", "spire-m1", _PASSPHRASE) in bunker.calls
+    assert result.bunker_key_name == spire_key_name("m1") == "spire-m1"
+
+    assert result.spire_npub == _SPIRE_NPUB
+    assert result.spire_pubkey_hex == _SPIRE_HEX
+
+    created = bunker.named("create_new_policy")
+    assert created and created[0][1] == SPIRE_POLICY_NAME
+    token_call = bunker.named("create_new_token")[0]
+    assert token_call[1] == "spire-m1"  # key_name
+    assert token_call[2] == "spire-client-m1"  # client_name
+    assert token_call[3] == 7  # policy_id from the fake's create_new_policy
+
+
+def test_bunker_url_carries_pubkey_relay_secret():
+    result = _pair(FakeBunker(token_secret="topsecret"))  # pragma: allowlist secret
+    assert result.bunker_url.startswith(f"bunker://{_SPIRE_HEX}?")
+    assert "relay=wss%3A%2F%2Fbunker.internal%2Frelay" in result.bunker_url
+    assert "secret=topsecret" in result.bunker_url
+
+
+def test_seed_url_decodes_to_contract():
+    result = _pair(FakeBunker(token_secret="zzz"))  # pragma: allowlist secret
+    assert result.seed_url.startswith(SEED_URL_SCHEME)
+    blob = result.seed_url[len(SEED_URL_SCHEME) :]
+    payload = json.loads(base64.urlsafe_b64decode(blob + "=" * (-len(blob) % 4)))
+    assert payload == {
+        "v": 1,
+        "spire_npub": _SPIRE_NPUB,
+        "spire_pubkey": _SPIRE_HEX,
+        "bunker_url": result.bunker_url,
+        "relays": _RELAYS,
+    }
+
+
+def test_fresh_policy_adds_kindless_nip44_rules():
+    bunker = FakeBunker()  # no existing policies
+    _pair(bunker)
+    added = [c[2]["method"] for c in bunker.named("add_policy_rule")]
+    # kind-scoped rules went in via create_new_policy; only the kind-less
+    # nip44 methods are reconciled in via add_policy_rule.
+    assert set(added) == set(SPIRE_POLICY_METHODS_NO_KIND)
+
+
+def test_existing_policy_reused_not_recreated():
+    existing = [
+        {
+            "id": 42,
+            "name": SPIRE_POLICY_NAME,
+            "rules": [dict(r) for r in SPIRE_POLICY_RULES],
+        }
+    ]
+    bunker = FakeBunker(policies=existing)
+    _pair(bunker)
+    assert not bunker.named("create_new_policy")  # reused, not recreated
+    assert bunker.named("create_new_token")[0][3] == 42  # used existing id
+    added = [c[2]["method"] for c in bunker.named("add_policy_rule")]
+    assert set(added) == set(SPIRE_POLICY_METHODS_NO_KIND)
+
+
+def test_fully_provisioned_policy_adds_nothing():
+    rules = [dict(r) for r in SPIRE_POLICY_RULES] + [
+        {"method": m, "kind": None} for m in SPIRE_POLICY_METHODS_NO_KIND
+    ]
+    bunker = FakeBunker(policies=[{"id": 9, "name": SPIRE_POLICY_NAME, "rules": rules}])
+    _pair(bunker)
+    assert not bunker.named("add_policy_rule")
+    assert not bunker.named("create_new_policy")
+
+
+def test_malformed_token_raises():
+    bunker = FakeBunker()
+
+    async def _bad_tokens(key_name):
+        _ = key_name
+        return [{"token": "no-hash-here"}]
+
+    bunker.get_key_tokens = _bad_tokens
+    with pytest.raises(PairingError, match="malformed token"):
+        _pair(bunker)
+
+
+def test_missing_relay_or_passphrase_raises():
+    with pytest.raises(PairingError, match="LNBITS_NSEC_BUNKER_URL"):
+        asyncio.run(
+            pair_spire(
+                _machine(),
+                relays=_RELAYS,
+                admin_client=FakeBunker(),
+                bunker_relay="",
+                keystore_passphrase=_PASSPHRASE,
+            )
+        )
+    with pytest.raises(PairingError, match="PASSPHRASE"):
+        asyncio.run(
+            pair_spire(
+                _machine(),
+                relays=_RELAYS,
+                admin_client=FakeBunker(),
+                bunker_relay=_BUNKER_RELAY,
+                keystore_passphrase="",
+            )
+        )
+    with pytest.raises(PairingError, match="relay is required"):
+        asyncio.run(
+            pair_spire(
+                _machine(),
+                relays=[],
+                admin_client=FakeBunker(),
+                bunker_relay=_BUNKER_RELAY,
+                keystore_passphrase=_PASSPHRASE,
+            )
+        )
+
+
+def test_build_seed_url_roundtrip():
+    url = build_seed_url(
+        spire_npub=_SPIRE_NPUB,
+        spire_pubkey_hex=_SPIRE_HEX,
+        bunker_url="bunker://x?relay=r&secret=s",
+        relays=_RELAYS,
+    )
+    blob = url[len(SEED_URL_SCHEME) :]
+    payload = json.loads(base64.urlsafe_b64decode(blob + "=" * (-len(blob) % 4)))
+    assert payload["spire_pubkey"] == _SPIRE_HEX
+    assert payload["relays"] == _RELAYS

From 761f0780537b3ec9194ec869ffdd2525c48dac93 Mon Sep 17 00:00:00 2001
From: Padreug <padreug@aiolabs.dev>
Date: Tue, 16 Jun 2026 23:39:18 +0200
Subject: [PATCH 04/19] feat(pairing): POST /machines/{id}/pair endpoint (#9)

Wires the pairing service into the operator API. api_pair_machine:
  - _machine_owned_by ownership guard (404 on miss)
  - opens NsecBunkerAdminClient.from_settings() and runs pair_spire
  - maps bunker failures: not-configured -> 503, PairingError/NsecBunkerError
    -> 502 (nothing persisted on failure)
  - runs _assert_no_pubkey_collision on the bunker-minted hex, then
    set_machine_pairing persists machine_npub (= minted spire identity, so
    path-B roster routes it), bunker_spire_key_name, paired_at.

Re-pair supported; revoke/expiry gated on aiolabs/lnbits#54.

Adds Create... PairMachineData {relays} body, set_machine_pairing CRUD,
and 3 endpoint wiring tests (persist+collision, empty-relays 400, failure
502). 203 tests green. Pre-existing black/ruff debt in crud/views_api left
untouched (version-drift churn avoided); new code is lint-clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 crud.py                     |  31 ++++++++++
 models.py                   |   9 +++
 tests/test_pair_endpoint.py | 120 ++++++++++++++++++++++++++++++++++++
 views_api.py                |  53 ++++++++++++++++
 4 files changed, 213 insertions(+)
 create mode 100644 tests/test_pair_endpoint.py

diff --git a/crud.py b/crud.py
index 9646f8d..bf51ecd 100644
--- a/crud.py
+++ b/crud.py
@@ -202,6 +202,37 @@ async def update_machine(machine_id: str, data: UpdateMachineData) -> Machine |
     return await get_machine(machine_id)
 
 
+async def set_machine_pairing(
+    machine_id: str,
+    *,
+    machine_npub: str,
+    bunker_spire_key_name: str,
+    paired_at: datetime,
+) -> Machine | None:
+    """Persist the result of a (re-)pair: the bunker-minted spire identity
+    becomes the machine's npub (so lnbits' path-B roster routes it), and we
+    record the bunker key name + pair time. Stored as lowercase hex — the
+    roster + collision guard normalise either form, hex is canonical."""
+    await db.execute(
+        """
+        UPDATE spirekeeper.dca_machines
+           SET machine_npub = :npub,
+               bunker_spire_key_name = :key_name,
+               paired_at = :paired_at,
+               updated_at = :updated_at
+         WHERE id = :id
+        """,
+        {
+            "npub": machine_npub.lower(),
+            "key_name": bunker_spire_key_name,
+            "paired_at": paired_at,
+            "updated_at": datetime.now(),
+            "id": machine_id,
+        },
+    )
+    return await get_machine(machine_id)
+
+
 async def delete_machine(machine_id: str) -> None:
     await db.execute(
         "DELETE FROM spirekeeper.dca_machines WHERE id = :id",
diff --git a/models.py b/models.py
index 90df810..68ffdd2 100644
--- a/models.py
+++ b/models.py
@@ -81,6 +81,15 @@ class UpdateMachineData(BaseModel):
         return round(float(v), 4)
 
 
+class PairMachineData(BaseModel):
+    """Body for POST /machines/{id}/pair (S0 / #9). `relays` are the relays
+    the spire will use for its own events (kind-21000/30078) — typically the
+    operator's nostrrelay; the bunker connection relay is added separately
+    from the lnbits bunker settings."""
+
+    relays: list[str]
+
+
 # =============================================================================
 # DCA Clients — LP registrations, scoped per (machine, user).
 # =============================================================================
diff --git a/tests/test_pair_endpoint.py b/tests/test_pair_endpoint.py
new file mode 100644
index 0000000..d816c2f
--- /dev/null
+++ b/tests/test_pair_endpoint.py
@@ -0,0 +1,120 @@
+"""Wiring tests for POST /machines/{id}/pair (S0 / #9).
+
+The pairing *service* is covered in test_pairing.py with a fake bunker;
+here we only exercise the endpoint glue — ownership, the empty-relays
+guard, the post-mint collision guard, persistence of the bunker-minted
+hex npub, and error mapping — by monkeypatching the module-level deps.
+"""
+
+import asyncio
+from datetime import datetime, timezone
+from types import SimpleNamespace
+
+import pytest
+from fastapi import HTTPException
+from lnbits.utils.nostr import hex_to_npub
+
+from .. import views_api
+from ..models import Machine, PairMachineData
+from ..pairing import PairingError, PairResult
+
+_NOW = datetime(2026, 6, 16, tzinfo=timezone.utc)
+_SPIRE_HEX = "522a4538f1df96508d9ee8b14072344dd4a566acfe03c25a92a39179c6fca891"
+_SPIRE_NPUB = hex_to_npub(_SPIRE_HEX)
+
+
+def _machine(npub: str = "placeholder") -> Machine:
+    return Machine(
+        id="m1",
+        operator_user_id="op1",
+        machine_npub=npub,
+        wallet_id="w1",
+        name="sintra",
+        location=None,
+        fiat_code="EUR",
+        is_active=True,
+        created_at=_NOW,
+        updated_at=_NOW,
+    )
+
+
+class _FakeAdmin:
+    @classmethod
+    def from_settings(cls):
+        return cls()
+
+    async def __aenter__(self):
+        return self
+
+    async def __aexit__(self, *exc):
+        return False
+
+
+def _result() -> PairResult:
+    return PairResult(
+        spire_npub=_SPIRE_NPUB,
+        spire_pubkey_hex=_SPIRE_HEX,
+        bunker_key_name="spire-m1",
+        bunker_url="bunker://x?relay=r&secret=s",  # pragma: allowlist secret
+        seed_url="spire-seed:v1:abc",
+    )
+
+
+def _wire(monkeypatch, *, pair="ok"):
+    state: dict = {"persisted": None, "collision": None}
+
+    async def fake_owned(machine_id, user_id):
+        return _machine()
+
+    async def fake_pair(machine, *, relays, admin_client):
+        if pair == "error":
+            raise PairingError("boom")
+        return _result()
+
+    async def fake_collision(npub):
+        state["collision"] = npub
+
+    async def fake_persist(
+        machine_id, *, machine_npub, bunker_spire_key_name, paired_at
+    ):
+        state["persisted"] = (machine_id, machine_npub, bunker_spire_key_name)
+        return _machine(npub=machine_npub)
+
+    monkeypatch.setattr(views_api, "_machine_owned_by", fake_owned)
+    monkeypatch.setattr(views_api, "NsecBunkerAdminClient", _FakeAdmin)
+    monkeypatch.setattr(views_api, "pair_spire", fake_pair)
+    monkeypatch.setattr(views_api, "_assert_no_pubkey_collision", fake_collision)
+    monkeypatch.setattr(views_api, "set_machine_pairing", fake_persist)
+    return state
+
+
+def _call(relays):
+    user = SimpleNamespace(id="op1")
+    return asyncio.run(
+        views_api.api_pair_machine("m1", PairMachineData(relays=relays), user)
+    )
+
+
+def test_pair_persists_hex_npub_and_returns_seed(monkeypatch):
+    state = _wire(monkeypatch)
+    result = _call(["wss://r"])
+    assert result.seed_url == "spire-seed:v1:abc"
+    # collision guard ran on the bunker-minted hex, and we persisted it as npub
+    assert state["collision"] == _SPIRE_HEX
+    assert state["persisted"] == ("m1", _SPIRE_HEX, "spire-m1")
+
+
+def test_pair_empty_relays_rejected(monkeypatch):
+    _wire(monkeypatch)
+    with pytest.raises(HTTPException) as ei:
+        _call([])
+    assert ei.value.status_code == 400
+
+
+def test_pair_failure_maps_to_bad_gateway(monkeypatch):
+    state = _wire(monkeypatch, pair="error")
+    with pytest.raises(HTTPException) as ei:
+        _call(["wss://r"])
+    assert ei.value.status_code == 502
+    # nothing persisted on failure
+    assert state["persisted"] is None
diff --git a/views_api.py b/views_api.py
index 079794d..a37df74 100644
--- a/views_api.py
+++ b/views_api.py
@@ -5,12 +5,18 @@
 # LNbits instance can never see each other's machines, settlements, or
 # clients. The super-only platform-fee write endpoint lands in P2.
 
+from datetime import datetime, timezone
 from http import HTTPStatus
 
 from fastapi import APIRouter, Depends, HTTPException
 from lnbits.core.crud import get_wallet
 from lnbits.core.crud.users import get_account_by_pubkey
 from lnbits.core.models import User
+from lnbits.core.services.nsec_bunker import (
+    NsecBunkerAdminClient,
+    NsecBunkerError,
+    NsecBunkerNotConfiguredError,
+)
 from lnbits.decorators import check_super_user, check_user_exists
 from lnbits.utils.nostr import normalize_public_key
 
@@ -23,6 +29,7 @@ from .cassette_transport import (
     publish_to_atm,
 )
 from .fee_transport import publish_fee_config
+from .pairing import PairResult, PairingError, pair_spire
 from .crud import (
     append_settlement_note,
     count_completed_legs_for_settlement,
@@ -55,6 +62,7 @@ from .crud import (
     lp_is_onboarded,
     replace_commission_splits,
     reset_settlement_for_retry,
+    set_machine_pairing,
     update_cassette_config,
     update_dca_client,
     update_deposit,
@@ -80,6 +88,7 @@ from .models import (
     DcaPayment,
     DcaSettlement,
     Machine,
+    PairMachineData,
     PartialDispenseData,
     PublishCassettesPayload,
     SetCommissionSplitsData,
@@ -274,6 +283,50 @@ async def api_create_machine(
     return machine
 
 
+@spirekeeper_api_router.post(
+    "/api/v1/dca/machines/{machine_id}/pair", response_model=PairResult
+)
+async def api_pair_machine(
+    machine_id: str,
+    data: PairMachineData,
+    user: User = Depends(check_user_exists),
+) -> PairResult:
+    """Seed-URL pairing (S0 / #9, model A1). Mints a per-spire signing key
+    inside the operator's nsecbunkerd and returns the one-shot seed URL the
+    spire redeems at first boot. The bunker-minted key becomes the machine's
+    npub, so lnbits' path-B roster routes the spire's cash-out RPCs to this
+    operator's wallet — no nsec ever lands on the spire.
+
+    Re-pair is supported (re-issues a token for the same spire key). Token
+    revocation + expiry are gated on aiolabs/lnbits#54 (admin-client gaps)."""
+    machine = await _machine_owned_by(machine_id, user.id)
+    if not data.relays:
+        raise HTTPException(HTTPStatus.BAD_REQUEST, "at least one relay is required")
+
+    try:
+        async with NsecBunkerAdminClient.from_settings() as client:
+            result = await pair_spire(machine, relays=data.relays, admin_client=client)
+    except NsecBunkerNotConfiguredError as exc:
+        raise HTTPException(
+            HTTPStatus.SERVICE_UNAVAILABLE,
+            f"nsecbunkerd is not configured on this LNbits instance: {exc}",
+        ) from exc
+    except (PairingError, NsecBunkerError) as exc:
+        raise HTTPException(HTTPStatus.BAD_GATEWAY, f"pairing failed: {exc}") from exc
+
+    # The bunker-minted identity becomes the machine npub — run the same
+    # collision guard as create before persisting (fresh keys ~never collide,
+    # but defence-in-depth keeps the no-collision invariant intact).
+    await _assert_no_pubkey_collision(result.spire_pubkey_hex)
+    await set_machine_pairing(
+        machine_id,
+        machine_npub=result.spire_pubkey_hex,
+        bunker_spire_key_name=result.bunker_key_name,
+        paired_at=datetime.now(timezone.utc),
+    )
+    return result
+
+
 @spirekeeper_api_router.get("/api/v1/dca/machines", response_model=list[Machine])
 async def api_list_machines(
     user: User = Depends(check_user_exists),

From 9c5f07c72e103a6f6c12b0f9498839b48c769fcf Mon Sep 17 00:00:00 2001
From: Padreug <padreug@aiolabs.dev>
Date: Thu, 18 Jun 2026 18:31:21 +0200
Subject: [PATCH 05/19] refactor(pairing): use lnbits' public ensure_policy,
 drop fork duplicate (#9)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adopts aiolabs/lnbits#55 (merged b5fba561): pair_spire now calls the
public ensure_policy(client, name='spirekeeper-spire', rules=...,
methods_no_kind=...) instead of spirekeeper's cache-free
_ensure_spire_policy copy. #55 re-keyed _POLICY_ID_CACHE on
(admin_pubkey, policy_name), so the shared helper no longer returns the
wrong (lnbits-default) id for a non-default policy name — the exact
reason the duplicate existed. Net -45 LOC, one less fork-divergent
reimplementation to keep in sync.

Requires lnbits >= the #55 merge (ensure_policy importable) — already
true on dev/demo.

Tests: FakeBunker gains admin_pubkey; an autouse fixture clears lnbits'
_POLICY_ID_CACHE between tests (the shared helper caches, unlike the old
local one). 203 green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 pairing.py            | 59 ++++++-------------------------------------
 tests/test_pairing.py | 13 ++++++++++
 2 files changed, 21 insertions(+), 51 deletions(-)

diff --git a/pairing.py b/pairing.py
index 6725a80..833de3a 100644
--- a/pairing.py
+++ b/pairing.py
@@ -14,7 +14,7 @@ reference for the admin chain):
     spirekeeper (here)          spire, at first boot (bitspire#52)
     ──────────────────          ──────────────────────────────────
     1. create_new_key           5. NIP-46 connect — redeem the token with a
-    2. _ensure_spire_policy         freshly-generated *client* keypair; bunker
+    2. ensure_policy                freshly-generated *client* keypair; bunker
     3. create_new_token             binds (client_pubkey → spire key). The
     4. get_key_tokens  ─ seed ─►     client_nsec stays on the spire; the
        (package token in URL)        signing key never leaves the bunker.
@@ -46,6 +46,7 @@ from lnbits.core.services.nsec_bunker import (
     NsecBunkerNotConfiguredError,
     npub_to_hex,
 )
+from lnbits.core.signers.remote_bunker import ensure_policy
 from lnbits.settings import settings
 from pydantic import BaseModel
 
@@ -103,55 +104,6 @@ def spire_key_name(machine_id: str) -> str:
     return f"spire-{machine_id}"
 
 
-async def _ensure_spire_policy(client: NsecBunkerAdminClient) -> int:
-    """Find-or-create the shared `spirekeeper-spire` policy and reconcile
-    (add-only) any missing rules. Returns its bunker-assigned id.
-
-    Mirrors lnbits' `_ensure_policy` but with the spire rule set and **no
-    admin-pubkey cache** — lnbits' cache is keyed on `admin_pubkey` alone
-    (remote_bunker.py:157), so reusing its helper for a second policy name
-    would return the wrong (cached lnbits-default) id. Pairing is an
-    infrequent operator action, so the extra `get_policies` round-trip is
-    cheap and correct. (Filed as an lnbits follow-up: cache key should
-    include policy_name.)
-
-    Add-only, never remove: the policy may be shared across spires (and in
-    principle other consumers); removing a rule would affect them all.
-    """
-    policies = await client.get_policies()
-    existing = [p for p in policies if p.get("name") == SPIRE_POLICY_NAME]
-    if existing:
-        policy = max(existing, key=lambda p: int(p["id"]))
-        policy_id = int(policy["id"])
-        live_rules = policy.get("rules") or []
-    else:
-        policy_id = await client.create_new_policy(
-            SPIRE_POLICY_NAME, SPIRE_POLICY_RULES
-        )
-        live_rules = list(SPIRE_POLICY_RULES)
-
-    def _norm(method: str, kind) -> tuple[str, str | None]:
-        # nsecbunkerd stores kind as a string; None = kind-less rule.
-        return (method, str(kind) if kind is not None else None)
-
-    live_keys = {
-        _norm(r["method"], r.get("kind"))
-        for r in live_rules
-        if isinstance(r, dict) and r.get("method")
-    }
-    for rule in SPIRE_POLICY_RULES:
-        key = _norm(rule["method"], rule.get("kind"))
-        if key not in live_keys:
-            await client.add_policy_rule(policy_id, rule)
-            live_keys.add(key)
-    for method in SPIRE_POLICY_METHODS_NO_KIND:
-        key = _norm(method, None)
-        if key not in live_keys:
-            await client.add_policy_rule(policy_id, {"method": method})
-            live_keys.add(key)
-    return policy_id
-
-
 def _recover_token(tokens: list[dict], client_name: str) -> str:
     """Pull the freshly-issued `<npub>#<secret>` token out of the bunker's
     `get_key_tokens` response. Match by client name when the bunker
@@ -238,7 +190,12 @@ async def pair_spire(
     try:
         spire_npub = await admin_client.create_new_key(key_name, passphrase)
         spire_pubkey_hex = npub_to_hex(spire_npub)
-        policy_id = await _ensure_spire_policy(admin_client)
+        policy_id = await ensure_policy(
+            admin_client,
+            name=SPIRE_POLICY_NAME,
+            rules=SPIRE_POLICY_RULES,
+            methods_no_kind=SPIRE_POLICY_METHODS_NO_KIND,
+        )
         await admin_client.create_new_token(key_name, client_name, policy_id)
         tokens = await admin_client.get_key_tokens(key_name)
     except NsecBunkerNotConfiguredError as exc:
diff --git a/tests/test_pairing.py b/tests/test_pairing.py
index bda1402..82eb4a2 100644
--- a/tests/test_pairing.py
+++ b/tests/test_pairing.py
@@ -38,6 +38,17 @@ _BUNKER_RELAY = "wss://bunker.internal/relay"
 _PASSPHRASE = "keystore-pass"  # pragma: allowlist secret
 
 
+@pytest.fixture(autouse=True)
+def _clear_policy_cache():
+    # lnbits' ensure_policy caches resolved policy ids on
+    # (admin_pubkey, name); clear between tests so each FakeBunker's
+    # canned policy state is honoured rather than a stale cached id.
+    from lnbits.core.signers import remote_bunker
+
+    remote_bunker._POLICY_ID_CACHE.clear()
+    yield
+
+
 def _machine(mid: str = "m1") -> Machine:
     return Machine(
         id=mid,
@@ -56,6 +67,8 @@ def _machine(mid: str = "m1") -> Machine:
 class FakeBunker:
     """Records calls; returns canned bunker responses."""
 
+    admin_pubkey = "fake-admin-pubkey"
+
     # pragma: allowlist secret
     def __init__(self, *, policies=None, token_secret="s3cr3t"):
         self._policies = policies or []

From a5efdf22a144220913e0039ada37bf455824b199 Mon Sep 17 00:00:00 2001
From: Padreug <padreug@aiolabs.dev>
Date: Thu, 18 Jun 2026 18:51:54 +0200
Subject: [PATCH 06/19] feat(pairing): optional token TTL + revoke endpoint
 (#9/#12, #22)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Builds on the seed-URL pairing in #21 (stacked).

(b) TTL — PairMachineData.duration_hours (validated > 0) threads through
    pair_spire -> create_new_token (lnbits#55). None = non-expiring.

(c) Revoke — POST /machines/{id}/revoke -> revoke_spire ->
    admin_client.revoke_key_user(spire-<id>). Per spirekeeper#22, revoke
    MUST go through KeyUser.revokedAt (revoke_key_user), NOT token revoke:
    lnbits eager-binds (redeems) the connect token at provision, so
    nsecbunkerd has materialised the policy into per-KeyUser grants its
    ACL checks BEFORE the Token.revokedAt filter -> token revoke is a
    silent no-op. Returns RevokeResult{revoked_count}: >=1 = cut, 0 =
    never bound. set_machine_unpaired clears paired_at (keeps npub +
    bunker_spire_key_name for audit / re-pair).

7 new tests (duration threading + default-None; revoke routes to
revoke_key_user and never token-revoke + error mapping; endpoint wiring
revoke happy/zero/502). 210 green; new code black/ruff-clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 crud.py                     | 18 +++++++++++
 models.py                   | 10 ++++++-
 pairing.py                  | 47 ++++++++++++++++++++++++++++-
 tests/test_pair_endpoint.py | 49 +++++++++++++++++++++++++++++-
 tests/test_pairing.py       | 60 +++++++++++++++++++++++++++++++++++--
 views_api.py                | 49 +++++++++++++++++++++++++++---
 6 files changed, 223 insertions(+), 10 deletions(-)

diff --git a/crud.py b/crud.py
index bf51ecd..6c4ef53 100644
--- a/crud.py
+++ b/crud.py
@@ -233,6 +233,24 @@ async def set_machine_pairing(
     return await get_machine(machine_id)
 
 
+async def set_machine_unpaired(machine_id: str) -> Machine | None:
+    """Mark a machine unpaired after revoking its spire's bunker access
+    (POST /revoke). Clears `paired_at`; keeps `machine_npub` +
+    `bunker_spire_key_name` for audit / re-pair. The bunker-side
+    `KeyUser.revokedAt` (set by `revoke_spire`) is what actually stops the
+    spire signing — this just records the operator-visible state."""
+    await db.execute(
+        """
+        UPDATE spirekeeper.dca_machines
+           SET paired_at = NULL,
+               updated_at = :updated_at
+         WHERE id = :id
+        """,
+        {"updated_at": datetime.now(), "id": machine_id},
+    )
+    return await get_machine(machine_id)
+
+
 async def delete_machine(machine_id: str) -> None:
     await db.execute(
         "DELETE FROM spirekeeper.dca_machines WHERE id = :id",
diff --git a/models.py b/models.py
index 68ffdd2..f56cbcd 100644
--- a/models.py
+++ b/models.py
@@ -85,9 +85,17 @@ class PairMachineData(BaseModel):
     """Body for POST /machines/{id}/pair (S0 / #9). `relays` are the relays
     the spire will use for its own events (kind-21000/30078) — typically the
     operator's nostrrelay; the bunker connection relay is added separately
-    from the lnbits bunker settings."""
+    from the lnbits bunker settings. `duration_hours` optionally time-bounds
+    the spire's connect token (None = non-expiring)."""
 
     relays: list[str]
+    duration_hours: int | None = None
+
+    @validator("duration_hours")
+    def _positive_duration(cls, v):
+        if v is not None and v <= 0:
+            raise ValueError("duration_hours must be positive when set")
+        return v
 
 
 # =============================================================================
diff --git a/pairing.py b/pairing.py
index 833de3a..b65b760 100644
--- a/pairing.py
+++ b/pairing.py
@@ -97,6 +97,14 @@ class PairResult(BaseModel):
     seed_url: str
 
 
+class RevokeResult(BaseModel):
+    """Output of revoke. `revoked_count` >= 1 = the spire's signing access
+    is cut (KeyUser.revokedAt set); 0 = nothing was bound (token minted but
+    the spire never connected)."""
+
+    revoked_count: int
+
+
 def spire_key_name(machine_id: str) -> str:
     """The spire's key name in the bunker keystore. Stable across re-pairs
     so re-issuing a token reuses the same underlying key (create_new_key
@@ -147,10 +155,16 @@ async def pair_spire(
     admin_client: NsecBunkerAdminClient,
     bunker_relay: str | None = None,
     keystore_passphrase: str | None = None,
+    duration_hours: int | None = None,
 ) -> PairResult:
     """Mint a bunker-held key + scoped connect token for `machine` and
     return the seed URL the spire redeems at first boot.
 
+    `duration_hours` (optional, aiolabs/lnbits#54 item 2) sets a TTL on the
+    spire's connect token — the bunker stamps `expiresAt` and rejects the
+    token once it lapses, forcing a re-pair. None = non-expiring (the only
+    invalidation path is then revoke, `revoke_spire`).
+
     `admin_client` must already be connected (the caller owns the
     `async with NsecBunkerAdminClient.from_settings()` context) — keeps
     connection lifecycle out of the orchestration so this is unit-testable
@@ -196,7 +210,9 @@ async def pair_spire(
             rules=SPIRE_POLICY_RULES,
             methods_no_kind=SPIRE_POLICY_METHODS_NO_KIND,
         )
-        await admin_client.create_new_token(key_name, client_name, policy_id)
+        await admin_client.create_new_token(
+            key_name, client_name, policy_id, duration_hours=duration_hours
+        )
         tokens = await admin_client.get_key_tokens(key_name)
     except NsecBunkerNotConfiguredError as exc:
         raise PairingError(f"nsecbunkerd is not configured: {exc}") from exc
@@ -223,3 +239,32 @@ async def pair_spire(
         bunker_url=bunker_url,
         seed_url=seed_url,
     )
+
+
+async def revoke_spire(
+    machine: Machine, *, admin_client: NsecBunkerAdminClient
+) -> int:
+    """Revoke a spire's bunker access (the "Revoke spire access" UX,
+    aiolabs/spirekeeper#9/#12; security model per #22).
+
+    Calls `revoke_key_user` — NOT `revoke_token` / `revoke_key_token`.
+    lnbits eager-binds (redeems) the connect token at provision time
+    (aiolabs/lnbits#32), so nsecbunkerd has already materialised the
+    token's policy into standing per-`KeyUser` `SigningCondition` grants;
+    its sign-time ACL checks those *before* the `Token.revokedAt` filter,
+    so revoking the token is a silent no-op (the spire keeps signing).
+    Only `KeyUser.revokedAt` — set by `revoke_user` / `revoke_key_user` —
+    actually cuts off signing (verified live 2026-06-18, #22).
+
+    Returns the number of KeyUsers revoked: >= 1 means the spire's signing
+    access is now cut; 0 means nothing was bound (token minted but the
+    spire never connected). Raises PairingError on any bunker failure.
+    """
+    try:
+        return await admin_client.revoke_key_user(spire_key_name(machine.id))
+    except NsecBunkerNotConfiguredError as exc:
+        raise PairingError(f"nsecbunkerd is not configured: {exc}") from exc
+    except NsecBunkerError as exc:
+        raise PairingError(
+            f"bunker admin RPC failed during revoke: {exc}"
+        ) from exc
diff --git a/tests/test_pair_endpoint.py b/tests/test_pair_endpoint.py
index d816c2f..0d50d95 100644
--- a/tests/test_pair_endpoint.py
+++ b/tests/test_pair_endpoint.py
@@ -66,7 +66,7 @@ def _wire(monkeypatch, *, pair="ok"):
     async def fake_owned(machine_id, user_id):
         return _machine()
 
-    async def fake_pair(machine, *, relays, admin_client):
+    async def fake_pair(machine, *, relays, admin_client, duration_hours=None):
         if pair == "error":
             raise PairingError("boom")
         return _result()
@@ -118,3 +118,50 @@ def test_pair_failure_maps_to_bad_gateway(monkeypatch):
     assert ei.value.status_code == 502
     # nothing persisted on failure
     assert state["persisted"] is None
+
+
+def _wire_revoke(monkeypatch, *, revoke="ok", count=2):
+    state = {"unpaired": None}
+
+    async def fake_owned(machine_id, user_id):
+        return _machine()
+
+    async def fake_revoke(machine, *, admin_client):
+        if revoke == "error":
+            raise PairingError("boom")
+        return count
+
+    async def fake_unpaired(machine_id):
+        state["unpaired"] = machine_id
+        return _machine()
+
+    monkeypatch.setattr(views_api, "_machine_owned_by", fake_owned)
+    monkeypatch.setattr(views_api, "NsecBunkerAdminClient", _FakeAdmin)
+    monkeypatch.setattr(views_api, "revoke_spire", fake_revoke)
+    monkeypatch.setattr(views_api, "set_machine_unpaired", fake_unpaired)
+    return state
+
+
+def _call_revoke():
+    user = SimpleNamespace(id="op1")
+    return asyncio.run(views_api.api_revoke_machine("m1", user))
+
+
+def test_revoke_cuts_access_and_marks_unpaired(monkeypatch):
+    state = _wire_revoke(monkeypatch, count=2)
+    result = _call_revoke()
+    assert result.revoked_count == 2
+    assert state["unpaired"] == "m1"
+
+
+def test_revoke_zero_when_nothing_bound(monkeypatch):
+    _wire_revoke(monkeypatch, count=0)
+    assert _call_revoke().revoked_count == 0
+
+
+def test_revoke_failure_maps_to_bad_gateway(monkeypatch):
+    state = _wire_revoke(monkeypatch, revoke="error")
+    with pytest.raises(HTTPException) as ei:
+        _call_revoke()
+    assert ei.value.status_code == 502
+    assert state["unpaired"] is None  # not persisted on failure
diff --git a/tests/test_pairing.py b/tests/test_pairing.py
index 82eb4a2..4deb5a0 100644
--- a/tests/test_pairing.py
+++ b/tests/test_pairing.py
@@ -16,6 +16,7 @@ import json
 from datetime import datetime, timezone
 
 import pytest
+from lnbits.core.services.nsec_bunker import NsecBunkerError
 from lnbits.utils.nostr import hex_to_npub
 
 from ..models import Machine
@@ -27,6 +28,7 @@ from ..pairing import (
     PairingError,
     build_seed_url,
     pair_spire,
+    revoke_spire,
     spire_key_name,
 )
 
@@ -70,9 +72,10 @@ class FakeBunker:
     admin_pubkey = "fake-admin-pubkey"
 
     # pragma: allowlist secret
-    def __init__(self, *, policies=None, token_secret="s3cr3t"):
+    def __init__(self, *, policies=None, token_secret="s3cr3t", revoke_count=1):
         self._policies = policies or []
         self._token_secret = token_secret
+        self._revoke_count = revoke_count
         self.calls: list[tuple] = []
         self._next_policy_id = 7
 
@@ -93,8 +96,16 @@ class FakeBunker:
     async def add_policy_rule(self, policy_id, rule):
         self.calls.append(("add_policy_rule", policy_id, rule))
 
-    async def create_new_token(self, key_name, client_name, policy_id):
-        self.calls.append(("create_new_token", key_name, client_name, policy_id))
+    async def create_new_token(
+        self, key_name, client_name, policy_id, duration_hours=None
+    ):
+        self.calls.append(
+            ("create_new_token", key_name, client_name, policy_id, duration_hours)
+        )
+
+    async def revoke_key_user(self, key_name):
+        self.calls.append(("revoke_key_user", key_name))
+        return self._revoke_count
 
     async def get_key_tokens(self, key_name):
         self.calls.append(("get_key_tokens", key_name))
@@ -251,3 +262,46 @@ def test_build_seed_url_roundtrip():
     payload = json.loads(base64.urlsafe_b64decode(blob + "=" * (-len(blob) % 4)))
     assert payload["spire_pubkey"] == _SPIRE_HEX
     assert payload["relays"] == _RELAYS
+
+
+def test_pair_threads_duration_hours():
+    bunker = FakeBunker()
+    asyncio.run(
+        pair_spire(
+            _machine(),
+            relays=_RELAYS,
+            admin_client=bunker,
+            bunker_relay=_BUNKER_RELAY,
+            keystore_passphrase=_PASSPHRASE,
+            duration_hours=720,
+        )
+    )
+    # create_new_token tuple is (name, key, client, policy_id, duration_hours)
+    assert bunker.named("create_new_token")[0][4] == 720
+
+
+def test_pair_default_duration_is_none():
+    bunker = FakeBunker()
+    _pair(bunker)  # no duration_hours
+    assert bunker.named("create_new_token")[0][4] is None
+
+
+def test_revoke_spire_calls_revoke_key_user():
+    # revoke MUST go through revoke_key_user (KeyUser.revokedAt), not token
+    # revoke — token revoke is a no-op once redeemed (spirekeeper#22).
+    bunker = FakeBunker(revoke_count=2)
+    count = asyncio.run(revoke_spire(_machine(), admin_client=bunker))
+    assert count == 2
+    assert bunker.named("revoke_key_user") == [("revoke_key_user", "spire-m1")]
+    assert not bunker.named("revoke_token")  # never token-revoke
+
+
+def test_revoke_spire_maps_bunker_error():
+    bunker = FakeBunker()
+
+    async def _boom(key_name):
+        raise NsecBunkerError("nope")
+
+    bunker.revoke_key_user = _boom
+    with pytest.raises(PairingError, match="revoke"):
+        asyncio.run(revoke_spire(_machine(), admin_client=bunker))
diff --git a/views_api.py b/views_api.py
index a37df74..8dff07e 100644
--- a/views_api.py
+++ b/views_api.py
@@ -29,7 +29,13 @@ from .cassette_transport import (
     publish_to_atm,
 )
 from .fee_transport import publish_fee_config
-from .pairing import PairResult, PairingError, pair_spire
+from .pairing import (
+    PairResult,
+    PairingError,
+    RevokeResult,
+    pair_spire,
+    revoke_spire,
+)
 from .crud import (
     append_settlement_note,
     count_completed_legs_for_settlement,
@@ -63,6 +69,7 @@ from .crud import (
     replace_commission_splits,
     reset_settlement_for_retry,
     set_machine_pairing,
+    set_machine_unpaired,
     update_cassette_config,
     update_dca_client,
     update_deposit,
@@ -297,15 +304,21 @@ async def api_pair_machine(
     npub, so lnbits' path-B roster routes the spire's cash-out RPCs to this
     operator's wallet — no nsec ever lands on the spire.
 
-    Re-pair is supported (re-issues a token for the same spire key). Token
-    revocation + expiry are gated on aiolabs/lnbits#54 (admin-client gaps)."""
+    Re-pair is supported (re-issues a token for the same spire key).
+    `duration_hours` (optional) time-bounds the token; revoke via the
+    sibling `POST .../revoke` endpoint."""
     machine = await _machine_owned_by(machine_id, user.id)
     if not data.relays:
         raise HTTPException(HTTPStatus.BAD_REQUEST, "at least one relay is required")
 
     try:
         async with NsecBunkerAdminClient.from_settings() as client:
-            result = await pair_spire(machine, relays=data.relays, admin_client=client)
+            result = await pair_spire(
+                machine,
+                relays=data.relays,
+                admin_client=client,
+                duration_hours=data.duration_hours,
+            )
     except NsecBunkerNotConfiguredError as exc:
         raise HTTPException(
             HTTPStatus.SERVICE_UNAVAILABLE,
@@ -327,6 +340,34 @@ async def api_pair_machine(
     return result
 
 
+@spirekeeper_api_router.post(
+    "/api/v1/dca/machines/{machine_id}/revoke", response_model=RevokeResult
+)
+async def api_revoke_machine(
+    machine_id: str,
+    user: User = Depends(check_user_exists),
+) -> RevokeResult:
+    """Revoke a spire's bunker access — the "Revoke spire access" UX
+    (#9/#12). Cuts the spire's signing ability at the bunker
+    (`KeyUser.revokedAt` via `revoke_key_user`; token-revoke alone is a
+    no-op once the token is redeemed — see #22), then marks the machine
+    unpaired. `revoked_count` >= 1 = access cut; 0 = nothing was bound."""
+    machine = await _machine_owned_by(machine_id, user.id)
+    try:
+        async with NsecBunkerAdminClient.from_settings() as client:
+            revoked_count = await revoke_spire(machine, admin_client=client)
+    except NsecBunkerNotConfiguredError as exc:
+        raise HTTPException(
+            HTTPStatus.SERVICE_UNAVAILABLE,
+            f"nsecbunkerd is not configured on this LNbits instance: {exc}",
+        ) from exc
+    except (PairingError, NsecBunkerError) as exc:
+        raise HTTPException(HTTPStatus.BAD_GATEWAY, f"revoke failed: {exc}") from exc
+
+    await set_machine_unpaired(machine_id)
+    return RevokeResult(revoked_count=revoked_count)
+
+
 @spirekeeper_api_router.get("/api/v1/dca/machines", response_model=list[Machine])
 async def api_list_machines(
     user: User = Depends(check_user_exists),

From a18f653ca7efef7a299429ec28cacc1134e7b8be Mon Sep 17 00:00:00 2001
From: Padreug <padreug@aiolabs.dev>
Date: Thu, 18 Jun 2026 19:23:22 +0200
Subject: [PATCH 07/19] feat(ui): Fleet Pair / Revoke spire UI (#9/#12)

Operator-facing front for POST /machines/{id}/pair + /revoke (#21/#23):
  - Pairing chip per machine row (paired / not-paired + paired-at tooltip).
  - 'Pair' (qr_code_2) opens a dialog -> relays + optional duration_hours
    -> POST /pair -> renders the seed_url as <lnbits-qrcode> + copy, shows
    the bunker-minted spire npub. Re-pair relabels.
  - 'Revoke' (link_off, shown when paired) -> confirm -> POST /revoke ->
    updates the row, reports revoked_count (>=1 cut / 0 never-bound).
  - Row reflects the bunker-minted identity immediately (machine_npub <-
    spire_pubkey_hex, paired_at).

Quasar-UMD conventions: explicit close tags, ${ } delimiters, :style.
JS syntax-checked, conforms to .prettierrc; 210 backend tests unaffected.
Needs a manual browser smoke (superuser-gated page).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 static/js/index.js               |  95 ++++++++++++++++++++++++++
 templates/spirekeeper/index.html | 113 +++++++++++++++++++++++++++++++
 2 files changed, 208 insertions(+)

diff --git a/static/js/index.js b/static/js/index.js
index f510e9c..52d3a3b 100644
--- a/static/js/index.js
+++ b/static/js/index.js
@@ -191,6 +191,14 @@ window.app = Vue.createApp({
         saving: false,
         data: {}
       },
+      pairDialog: {
+        show: false,
+        saving: false,
+        machine: null,
+        relays: '',
+        durationHours: null,
+        result: null
+      },
       machineDetail: {
         show: false,
         loading: false,
@@ -781,6 +789,93 @@ window.app = Vue.createApp({
       })
     },
 
+    // -----------------------------------------------------------------
+    // Pair / revoke spire (S0 / #9, #12)
+    // -----------------------------------------------------------------
+    openPairDialog(machine) {
+      this.pairDialog.machine = machine
+      this.pairDialog.relays = ''
+      this.pairDialog.durationHours = null
+      this.pairDialog.result = null
+      this.pairDialog.show = true
+    },
+
+    async submitPair() {
+      const relays = (this.pairDialog.relays || '')
+        .split(/[\s,]+/)
+        .map(s => s.trim())
+        .filter(Boolean)
+      if (!relays.length) {
+        Quasar.Notify.create({
+          type: 'negative',
+          message: 'At least one relay is required'
+        })
+        return
+      }
+      const body = {relays}
+      if (this.pairDialog.durationHours) {
+        body.duration_hours = Number(this.pairDialog.durationHours)
+      }
+      this.pairDialog.saving = true
+      try {
+        const {data} = await LNbits.api.request(
+          'POST',
+          `${MACHINES_PATH}/${this.pairDialog.machine.id}/pair`,
+          null,
+          body
+        )
+        this.pairDialog.result = data
+        // The bunker-minted key becomes the machine identity; reflect it +
+        // the paired state in the row immediately.
+        const m = this.machines.find(x => x.id === this.pairDialog.machine.id)
+        if (m) {
+          m.machine_npub = data.spire_pubkey_hex
+          m.bunker_spire_key_name = data.bunker_key_name
+          m.paired_at = new Date().toISOString()
+        }
+        Quasar.Notify.create({
+          type: 'positive',
+          message: 'Spire paired — hand the seed URL to the device'
+        })
+      } catch (e) {
+        this._notifyError(e, 'Pairing failed')
+      } finally {
+        this.pairDialog.saving = false
+      }
+    },
+
+    confirmRevokeMachine(machine) {
+      Quasar.Dialog.create({
+        title: 'Revoke spire access?',
+        message:
+          `This cuts <b>${machine.name || machine.machine_npub.slice(0, 12)}</b>'s` +
+          ' signing access at the bunker — the spire can no longer submit' +
+          ' cash-outs until you re-pair it. Continue?',
+        html: true,
+        cancel: true,
+        persistent: true
+      }).onOk(async () => {
+        try {
+          const {data} = await LNbits.api.request(
+            'POST',
+            `${MACHINES_PATH}/${machine.id}/revoke`,
+            null
+          )
+          const m = this.machines.find(x => x.id === machine.id)
+          if (m) m.paired_at = null
+          Quasar.Notify.create({
+            type: data.revoked_count >= 1 ? 'positive' : 'warning',
+            message:
+              data.revoked_count >= 1
+                ? 'Spire access revoked'
+                : 'Nothing was bound (the spire never connected)'
+          })
+        } catch (e) {
+          this._notifyError(e, 'Revoke failed')
+        }
+      })
+    },
+
     // -----------------------------------------------------------------
     // Machine detail dialog (P9b)
     // -----------------------------------------------------------------
diff --git a/templates/spirekeeper/index.html b/templates/spirekeeper/index.html
index b58714e..7bdebd3 100644
--- a/templates/spirekeeper/index.html
+++ b/templates/spirekeeper/index.html
@@ -131,6 +131,17 @@
                   <div :style="{fontWeight: 500}" v-text="props.row.name || 'Unnamed'"></div>
                   <div :style="{fontSize: '0.8em', opacity: 0.6}"
                        v-text="props.row.location || 'No location set'"></div>
+                  <q-chip v-if="props.row.paired_at"
+                          dense size="sm" color="green-2" text-color="green-9"
+                          icon="link" :style="{marginTop: '2px'}">
+                    paired
+                    <q-tooltip>Bunker key minted; paired ${ new Date(props.row.paired_at).toLocaleString() }</q-tooltip>
+                  </q-chip>
+                  <q-chip v-else
+                          dense size="sm" color="grey-3" text-color="grey-8"
+                          icon="link_off" :style="{marginTop: '2px'}">
+                    not paired
+                  </q-chip>
                 </q-td>
                 <q-td key="machine_npub">
                   <code :style="{fontSize: '0.85em'}"
@@ -156,6 +167,17 @@
                          @click="openEditMachineDialog(props.row)">
                     <q-tooltip>Edit</q-tooltip>
                   </q-btn>
+                  <q-btn flat dense round size="sm" icon="qr_code_2"
+                         color="teal"
+                         @click="openPairDialog(props.row)">
+                    <q-tooltip>${ props.row.paired_at ? 'Re-pair (new seed URL)' : 'Pair (seed URL)' }</q-tooltip>
+                  </q-btn>
+                  <q-btn v-if="props.row.paired_at"
+                         flat dense round size="sm" icon="link_off"
+                         color="orange-8"
+                         @click="confirmRevokeMachine(props.row)">
+                    <q-tooltip>Revoke spire access</q-tooltip>
+                  </q-btn>
                   <q-btn flat dense round size="sm" icon="delete"
                          color="red-7"
                          @click="confirmDeleteMachine(props.row)">
@@ -821,6 +843,97 @@
       </q-card>
     </q-dialog>
 
+    <!-- =============================================================== -->
+    <!-- PAIR SPIRE DIALOG — mint bunker key + one-shot seed URL (S0/#9) -->
+    <!-- =============================================================== -->
+    <q-dialog v-model="pairDialog.show" persistent>
+      <q-card :style="{minWidth: '480px', maxWidth: '95vw'}">
+        <q-card-section class="row items-center q-pb-none">
+          <div class="text-h6">Pair spire</div>
+          <q-space></q-space>
+          <q-btn icon="close" flat round dense v-close-popup></q-btn>
+        </q-card-section>
+
+        <!-- Step 1 — configure + generate -->
+        <q-card-section v-if="!pairDialog.result">
+          <p class="text-caption q-mb-md" :style="{opacity: 0.7}">
+            Mints a dedicated signing key for
+            <b v-text="(pairDialog.machine && pairDialog.machine.name) || 'this spire'"></b>
+            inside the operator bunker and issues a one-shot seed URL. The
+            spire's key never touches its disk; its cash-outs route to this
+            machine's wallet. Re-pairing issues a fresh seed.
+          </p>
+
+          <q-input
+            v-model="pairDialog.relays"
+            label="Relay(s) for the spire's events"
+            hint="One per line. The same relay the spire publishes to (its VITE_RELAY_URL), e.g. wss://your-host/nostrrelay/<id>"
+            type="textarea" autogrow
+            class="q-mb-md"
+            dense outlined></q-input>
+
+          <q-input
+            v-model.number="pairDialog.durationHours"
+            label="Token lifetime in hours (optional)"
+            hint="Blank = non-expiring. Set e.g. 720 (30 days) to force periodic re-pairing."
+            type="number" min="1"
+            class="q-mb-md"
+            dense outlined></q-input>
+        </q-card-section>
+        <q-card-actions v-if="!pairDialog.result" align="right" class="text-primary">
+          <q-btn flat label="Cancel" v-close-popup></q-btn>
+          <q-btn
+            color="primary" label="Generate seed URL" icon="vpn_key"
+            :loading="pairDialog.saving"
+            @click="submitPair"></q-btn>
+        </q-card-actions>
+
+        <!-- Step 2 — show the seed URL -->
+        <q-card-section v-else>
+          <q-banner dense rounded class="bg-green-1 text-grey-9 q-mb-md">
+            <template v-slot:avatar>
+              <q-icon name="check_circle" color="green"></q-icon>
+            </template>
+            Paired. Scan this on the spire at first boot, or paste the seed URL
+            into <code>provision-atm</code>. Shown once — copy it now.
+          </q-banner>
+
+          <div class="row justify-center q-mb-md">
+            <lnbits-qrcode
+              :value="pairDialog.result.seed_url"
+              :options="{width: 280}"></lnbits-qrcode>
+          </div>
+
+          <q-input
+            v-model="pairDialog.result.seed_url"
+            label="Seed URL"
+            type="textarea" autogrow readonly
+            class="q-mb-sm"
+            dense outlined>
+            <template v-slot:append>
+              <q-btn flat dense round icon="content_copy"
+                     @click="copy(pairDialog.result.seed_url)">
+                <q-tooltip>Copy seed URL</q-tooltip>
+              </q-btn>
+            </template>
+          </q-input>
+
+          <div class="text-caption" :style="{opacity: 0.7}">
+            Spire identity:
+            <code :style="{fontSize: '0.85em'}"
+                  v-text="shortNpub(pairDialog.result.spire_npub)"></code>
+            <q-btn flat dense round size="xs" icon="content_copy"
+                   @click="copy(pairDialog.result.spire_npub)">
+              <q-tooltip>Copy npub</q-tooltip>
+            </q-btn>
+          </div>
+        </q-card-section>
+        <q-card-actions v-else align="right" class="text-primary">
+          <q-btn flat label="Done" color="primary" v-close-popup></q-btn>
+        </q-card-actions>
+      </q-card>
+    </q-dialog>
+
     <!-- =============================================================== -->
     <!-- MACHINE DETAIL DIALOG — settlements list + per-row actions      -->
     <!-- =============================================================== -->

From 22678dfb4fd7c25644dbf996ae81e7feb1d8d81e Mon Sep 17 00:00:00 2001
From: Padreug <padreug@aiolabs.dev>
Date: Thu, 18 Jun 2026 19:27:29 +0200
Subject: [PATCH 08/19] feat(pairing): authorize kind-22242 (NIP-42 AUTH) in
 spire policy (#52)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

bitspire#52 consumer review (2026-06-18) enumerated the kinds the spire
signs as its OWN identity and found NIP-42 relay AUTH (kind 22242) missing
from SPIRE_POLICY_RULES — a silent bunker reject the moment a relay
challenges with AUTH. It must be bunker-signed (AUTH proves control of
spire_pubkey, which only the bunker holds; can't use the local client_nsec).

Adds 22242. Records the confirmed set in the policy comment: live = 21000 +
30078 + 22242; CLINK 21001-21003 dormant but kept; nip04 unused (v1 path is
dead code). New test locks the required-kinds contract so 22242 can't
silently regress.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 pairing.py            | 17 +++++++++++------
 tests/test_pairing.py | 11 +++++++++++
 2 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/pairing.py b/pairing.py
index b65b760..8629de9 100644
--- a/pairing.py
+++ b/pairing.py
@@ -57,20 +57,25 @@ SEED_URL_SCHEME = "spire-seed:v1:"
 # Policy granted to every spire's connect token. Scoped to exactly what a
 # bitSpire signs as itself:
 #   - 21000  nostr-transport cash RPC envelope to lnbits
-#   - 21001-21003  CLINK Offer / Debit / Manage (payment flow)
+#   - 22242  NIP-42 relay AUTH — the spire authenticates to its relays
+#            (must be bunker-signed: AUTH proves control of spire_pubkey,
+#            which only the bunker holds; can't be done with client_nsec)
+#   - 21001-21003  CLINK Offer / Debit / Manage (dormant on dev; kept)
 #   - 30078  NIP-78 beacon + bitspire-cassettes-state hello-event
 # Kind-scoped rules go in create_new_policy; kind-less methods (nip44, for
 # encrypting cassette-state to the operator) are added via add_policy_rule
 # because nsecbunkerd's create_new_policy chokes on null `kind`
-# (rule.kind.toString()). Mirrors lnbits' DEFAULT_POLICY_* split.
+# (rule.kind.toString()). Mirrors lnbits' DEFAULT_POLICY_* split. nip04 is
+# deliberately absent — the v1/nip04 path is dead code (bitspire#52).
 #
-# NOTE (reconcile when bitspire#52 lands): confirm this kind set against the
-# spire's actual createSignedEvent / finalizeEvent call sites. Over-granting
-# here only widens what a spire may sign *as its own key* — low blast radius —
-# but under-granting makes the bunker reject the spire's events.
+# Kind set confirmed against the spire's signing sites in bitspire#52
+# (2026-06-18): live = 21000 + 30078 + 22242; CLINK 21001-21003 dormant but
+# kept; nip04 unused. Under-granting = silent bunker reject, so err toward
+# inclusion (low blast radius — only widens what a spire signs as its OWN key).
 SPIRE_POLICY_NAME = "spirekeeper-spire"
 SPIRE_POLICY_RULES = [
     {"method": "sign_event", "kind": 21000},
+    {"method": "sign_event", "kind": 22242},  # NIP-42 relay AUTH (bitspire#52)
     {"method": "sign_event", "kind": 21001},
     {"method": "sign_event", "kind": 21002},
     {"method": "sign_event", "kind": 21003},
diff --git a/tests/test_pairing.py b/tests/test_pairing.py
index 4deb5a0..54f00ca 100644
--- a/tests/test_pairing.py
+++ b/tests/test_pairing.py
@@ -305,3 +305,14 @@ def test_revoke_spire_maps_bunker_error():
     bunker.revoke_key_user = _boom
     with pytest.raises(PairingError, match="revoke"):
         asyncio.run(revoke_spire(_machine(), admin_client=bunker))
+
+
+def test_policy_authorizes_required_signing_kinds():
+    # Kinds the spire signs as its OWN identity, confirmed against the
+    # consumer signing sites in bitspire#52 (2026-06-18). A missing kind is a
+    # silent bunker reject. 22242 = NIP-42 relay AUTH (must be bunker-signed —
+    # it proves control of spire_pubkey). nip04 stays out (v1 path is dead).
+    kinds = {r["kind"] for r in SPIRE_POLICY_RULES if r["method"] == "sign_event"}
+    assert {21000, 30078, 22242} <= kinds
+    assert "nip04_encrypt" not in SPIRE_POLICY_METHODS_NO_KIND
+    assert "nip04_decrypt" not in SPIRE_POLICY_METHODS_NO_KIND

From 76090ab5da8d8fb959670158759663f8a9b6bc87 Mon Sep 17 00:00:00 2001
From: Padreug <padreug@aiolabs.dev>
Date: Fri, 19 Jun 2026 00:59:29 +0200
Subject: [PATCH 09/19] fix(fleet-ui): wrap pair-dialog steps in template
 v-if/v-else
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Pair dialog had two interleaved v-if/v-else sibling pairs
(q-card-section + q-card-actions per step). Vue requires v-else to
immediately follow its v-if sibling, so the second v-else (actions)
trailed a v-else (section) — illegal, throwing compiler error 30
("v-else has no adjacent v-if") and breaking the entire Vue mount.
Wrap each step's section+actions in one <template v-if> / <template
v-else> so there's exactly one adjacent pair. Verified with
@vue/compiler-dom and a live pair/revoke round-trip against regtest.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 templates/spirekeeper/index.html | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/templates/spirekeeper/index.html b/templates/spirekeeper/index.html
index 7bdebd3..45d47a7 100644
--- a/templates/spirekeeper/index.html
+++ b/templates/spirekeeper/index.html
@@ -855,7 +855,8 @@
         </q-card-section>
 
         <!-- Step 1 — configure + generate -->
-        <q-card-section v-if="!pairDialog.result">
+        <template v-if="!pairDialog.result">
+        <q-card-section>
           <p class="text-caption q-mb-md" :style="{opacity: 0.7}">
             Mints a dedicated signing key for
             <b v-text="(pairDialog.machine && pairDialog.machine.name) || 'this spire'"></b>
@@ -880,16 +881,18 @@
             class="q-mb-md"
             dense outlined></q-input>
         </q-card-section>
-        <q-card-actions v-if="!pairDialog.result" align="right" class="text-primary">
+        <q-card-actions align="right" class="text-primary">
           <q-btn flat label="Cancel" v-close-popup></q-btn>
           <q-btn
             color="primary" label="Generate seed URL" icon="vpn_key"
             :loading="pairDialog.saving"
             @click="submitPair"></q-btn>
         </q-card-actions>
+        </template>
 
         <!-- Step 2 — show the seed URL -->
-        <q-card-section v-else>
+        <template v-else>
+        <q-card-section>
           <q-banner dense rounded class="bg-green-1 text-grey-9 q-mb-md">
             <template v-slot:avatar>
               <q-icon name="check_circle" color="green"></q-icon>
@@ -928,9 +931,10 @@
             </q-btn>
           </div>
         </q-card-section>
-        <q-card-actions v-else align="right" class="text-primary">
+        <q-card-actions align="right" class="text-primary">
           <q-btn flat label="Done" color="primary" v-close-popup></q-btn>
         </q-card-actions>
+        </template>
       </q-card>
     </q-dialog>
 

From 554b2e2e1714467a987d901c4362fd4e78713f3c Mon Sep 17 00:00:00 2001
From: Padreug <padreug@aiolabs.dev>
Date: Fri, 19 Jun 2026 00:59:29 +0200
Subject: [PATCH 10/19] docs(pairing): correct duration_hours TTL docstring
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

duration_hours stamps Token.expiresAt, but nsecbunkerd reads expiresAt
only in validateToken at connect/redeem time — the sign-time ACL never
checks it (materialised SigningConditions carry no expiry; the policy
join filters revokedAt only). So TTL bounds only the un-redeemed connect
window, not an established binding; revoke_key_user is the real post-bind
cutoff. Same ACL-ordering class as the revoke finding (#22). Tracked at
aiolabs/nsecbunkerd#24.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 pairing.py | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/pairing.py b/pairing.py
index 8629de9..ed5684d 100644
--- a/pairing.py
+++ b/pairing.py
@@ -165,10 +165,15 @@ async def pair_spire(
     """Mint a bunker-held key + scoped connect token for `machine` and
     return the seed URL the spire redeems at first boot.
 
-    `duration_hours` (optional, aiolabs/lnbits#54 item 2) sets a TTL on the
-    spire's connect token — the bunker stamps `expiresAt` and rejects the
-    token once it lapses, forcing a re-pair. None = non-expiring (the only
-    invalidation path is then revoke, `revoke_spire`).
+    `duration_hours` (optional, aiolabs/lnbits#54 item 2) stamps `expiresAt`
+    on the spire's connect token. NOTE: this bounds ONLY the window in which
+    an *un-redeemed* token can first connect — nsecbunkerd reads `expiresAt`
+    solely in `validateToken` at redeem time. Once the spire has connected
+    and its per-KeyUser grants are materialized, an expired token keeps
+    signing (the sign-time ACL never checks `expiresAt`; same ACL-ordering
+    subtlety as the revoke finding, #22). The real post-bind cutoff is
+    `revoke_spire` (`revoke_key_user`), not TTL. Post-bind TTL enforcement is
+    tracked at aiolabs/nsecbunkerd#24. None = non-expiring connect window.
 
     `admin_client` must already be connected (the caller owns the
     `async with NsecBunkerAdminClient.from_settings()` context) — keeps

From b193f6262d9ab3a365cd45b10f2a6414140d3300 Mon Sep 17 00:00:00 2001
From: Padreug <padreug@aiolabs.dev>
Date: Fri, 19 Jun 2026 23:23:11 +0200
Subject: [PATCH 11/19] docs(pairing): TTL + token-revoke now enforced
 post-bind (nsecbunkerd#27)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

nsecbunkerd#27 (deployed 2026-06-19) reverses the #24 finding: the
sign-time ACL now evaluates token lifecycle live on every request
(checkIfPubkeyAllowed step 4 joins through a liveWhere filter;
applyToken stopped photocopying grants into SigningConditions). So:

- duration_hours / token expiresAt now bounds an ESTABLISHED binding —
  an expired token stops signing post-bind, not just at connect. The
  prior docstring (connect-window-only, pointing at the now-closed
  nsecbunkerd#24) is corrected.
- Token-revoke is no longer a post-redeem no-op (closes the #22
  mechanism bunker-side). revoke_spire keeps using revoke_key_user
  because that's the subject-level ban cutting the whole binding, not
  just one token's grant — rationale updated, behavior unchanged.

Doc/comment only; 20 pairing tests green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 pairing.py            | 33 ++++++++++++++++-----------------
 tests/test_pairing.py |  6 ++++--
 2 files changed, 20 insertions(+), 19 deletions(-)

diff --git a/pairing.py b/pairing.py
index ed5684d..be7a6a4 100644
--- a/pairing.py
+++ b/pairing.py
@@ -166,14 +166,13 @@ async def pair_spire(
     return the seed URL the spire redeems at first boot.
 
     `duration_hours` (optional, aiolabs/lnbits#54 item 2) stamps `expiresAt`
-    on the spire's connect token. NOTE: this bounds ONLY the window in which
-    an *un-redeemed* token can first connect — nsecbunkerd reads `expiresAt`
-    solely in `validateToken` at redeem time. Once the spire has connected
-    and its per-KeyUser grants are materialized, an expired token keeps
-    signing (the sign-time ACL never checks `expiresAt`; same ACL-ordering
-    subtlety as the revoke finding, #22). The real post-bind cutoff is
-    `revoke_spire` (`revoke_key_user`), not TTL. Post-bind TTL enforcement is
-    tracked at aiolabs/nsecbunkerd#24. None = non-expiring connect window.
+    on the spire's connect token, bounding the established binding's lifetime.
+    Since aiolabs/nsecbunkerd#27 (deployed 2026-06-19) the sign-time ACL
+    evaluates token lifecycle on EVERY request (`checkIfPubkeyAllowed` step 4
+    joins through a `liveWhere` filter; `applyToken` no longer photocopies
+    grants), so an expired token stops signing post-bind, not just at connect.
+    The spire must re-pair to keep signing once the token lapses. None =
+    non-expiring (the only invalidation path is then `revoke_spire`).
 
     `admin_client` must already be connected (the caller owns the
     `async with NsecBunkerAdminClient.from_settings()` context) — keeps
@@ -255,16 +254,16 @@ async def revoke_spire(
     machine: Machine, *, admin_client: NsecBunkerAdminClient
 ) -> int:
     """Revoke a spire's bunker access (the "Revoke spire access" UX,
-    aiolabs/spirekeeper#9/#12; security model per #22).
+    aiolabs/spirekeeper#9/#12).
 
-    Calls `revoke_key_user` — NOT `revoke_token` / `revoke_key_token`.
-    lnbits eager-binds (redeems) the connect token at provision time
-    (aiolabs/lnbits#32), so nsecbunkerd has already materialised the
-    token's policy into standing per-`KeyUser` `SigningCondition` grants;
-    its sign-time ACL checks those *before* the `Token.revokedAt` filter,
-    so revoking the token is a silent no-op (the spire keeps signing).
-    Only `KeyUser.revokedAt` — set by `revoke_user` / `revoke_key_user` —
-    actually cuts off signing (verified live 2026-06-18, #22).
+    Calls `revoke_key_user` (sets `KeyUser.revokedAt`) — the subject-level
+    sticky ban that's checked at step 2 of `checkIfPubkeyAllowed`, beating
+    every grant. This cuts the WHOLE binding regardless of how many tokens
+    were issued to the spire, which is the right semantics for "revoke this
+    spire." (Since aiolabs/nsecbunkerd#27 token-revoke also works post-bind —
+    the sign-time ACL now evaluates `Token.revokedAt`/`expiresAt` live every
+    request, closing the #22 no-op — but per-token revoke only cuts one
+    token's grant, so `revoke_key_user` remains the correct full-deauth call.)
 
     Returns the number of KeyUsers revoked: >= 1 means the spire's signing
     access is now cut; 0 means nothing was bound (token minted but the
diff --git a/tests/test_pairing.py b/tests/test_pairing.py
index 54f00ca..080f5f9 100644
--- a/tests/test_pairing.py
+++ b/tests/test_pairing.py
@@ -287,8 +287,10 @@ def test_pair_default_duration_is_none():
 
 
 def test_revoke_spire_calls_revoke_key_user():
-    # revoke MUST go through revoke_key_user (KeyUser.revokedAt), not token
-    # revoke — token revoke is a no-op once redeemed (spirekeeper#22).
+    # revoke goes through revoke_key_user (KeyUser.revokedAt) — the subject-
+    # level ban that cuts the whole binding, not just one token's grant.
+    # (Token-revoke also works post-bind since nsecbunkerd#27, but only
+    # severs a single token; revoke_key_user is the full-deauth call.)
     bunker = FakeBunker(revoke_count=2)
     count = asyncio.run(revoke_spire(_machine(), admin_client=bunker))
     assert count == 2

From 73bd274979e879d05e5bdc8217de5e1039ed8066 Mon Sep 17 00:00:00 2001
From: Padreug <padreug@aiolabs.dev>
Date: Sun, 21 Jun 2026 12:31:55 +0200
Subject: [PATCH 12/19] feat(pairing,ui): optional machine_npub + bunker_relay
 override + fee decimal-input UX
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Three changes from the nsecbunkerd#27 bunker-pairing smoke (validated
end-to-end on the Sintra, 2026-06-21); intermingled per-file, so landed
together.

1. Optional machine_npub (model A1) — register UNPAIRED, bunker mints the
   identity at pairing:
   - machine_npub now nullable (migration m011 rebuilds dca_machines for
     sqlite / ALTER ... DROP NOT NULL for postgres; UNIQUE stays, NULLs
     don't collide so any number of unpaired machines coexist).
   - CreateMachineData.machine_npub -> str | None; create skips the
     collision-check + fee publish when blank; api_pair_machine now
     publishes the fee config after minting, so an unpaired machine clears
     its awaiting-fees gate once paired.
   - Supplying an npub up front is the DEVELOPMENT self-key path (a machine
     holding its own signing key) — available to anyone but the form field
     is explicitly marked DEVELOPMENT ONLY.
   - Frontend: npub field optional, required rule dropped, null-safe
     display (shortNpub -> "unpaired", guarded slices), empty -> null.

2. bunker_relay override on POST /machines/{id}/pair: PairMachineData gains
   bunker_relay; api_pair_machine threads it to pair_spire. Lets the seed's
   bunker:// relay differ from the relay lnbits uses to reach the bunker
   (internal docker host vs LAN/public) — needed for split-relay / dev
   deploys. Without it the smoke had to mint via a script.

3. Fees are decimal fractions, not percents: relabel super + operator fee
   inputs ("decimal fraction, 0-0.15") + a shared _assertFeesDecimal()
   guard (super/add/edit submits) so a percent typo (3 instead of 0.03)
   gets a clear toast, not a raw 400.

refs: nsecbunkerd#27/#36; aiolabs/bitspire#52; coordination smoke 2026-06-21

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 migrations.py                    | 71 +++++++++++++++++++++++++++++++-
 models.py                        | 20 ++++++---
 static/js/index.js               | 43 +++++++++++++++----
 templates/spirekeeper/index.html | 20 ++++-----
 views_api.py                     | 28 ++++++++++---
 5 files changed, 153 insertions(+), 29 deletions(-)

diff --git a/migrations.py b/migrations.py
index da8ba07..d3bcece 100644
--- a/migrations.py
+++ b/migrations.py
@@ -82,7 +82,7 @@ async def m001_satmachine_v2_initial(db):
         CREATE TABLE IF NOT EXISTS spirekeeper.dca_machines (
             id TEXT PRIMARY KEY,
             operator_user_id TEXT NOT NULL,
-            machine_npub TEXT NOT NULL UNIQUE,
+            machine_npub TEXT UNIQUE,
             wallet_id TEXT NOT NULL,
             name TEXT,
             location TEXT,
@@ -776,3 +776,72 @@ async def m010_add_machine_bunker_pairing(db):
         await db.execute(
             f"ALTER TABLE spirekeeper.{table} ADD COLUMN {col} {coltype}"
         )
+
+
+async def m011_machine_npub_nullable(db):
+    """Make dca_machines.machine_npub nullable so an operator can register a
+    machine *unpaired* (no npub) and have its identity minted by the bunker
+    at pairing time (model A1, aiolabs/spirekeeper#9). The npub is only
+    supplied up front on the development self-key path (a machine that holds
+    its own signing key). UNIQUE stays — NULLs don't collide, so any number
+    of unpaired machines coexist.
+
+    Pre-public-launch: no back-compat shim. Existing rows are preserved by
+    the rebuild; the column simply loses NOT NULL.
+    """
+    if db.type != "SQLITE":
+        # Postgres / Cockroach can drop the constraint in place.
+        await db.execute(
+            "ALTER TABLE spirekeeper.dca_machines "
+            "ALTER COLUMN machine_npub DROP NOT NULL"
+        )
+        return
+
+    # SQLite can't drop NOT NULL in place — rebuild the table (same pattern
+    # as m008/m009), preserving every row + the indexes.
+    await db.execute(
+        f"""
+        CREATE TABLE spirekeeper.dca_machines_new (
+            id TEXT PRIMARY KEY,
+            operator_user_id TEXT NOT NULL,
+            machine_npub TEXT UNIQUE,
+            wallet_id TEXT NOT NULL,
+            name TEXT,
+            location TEXT,
+            fiat_code TEXT NOT NULL DEFAULT 'GTQ',
+            is_active BOOLEAN NOT NULL DEFAULT true,
+            created_at TIMESTAMP NOT NULL DEFAULT {db.timestamp_now},
+            updated_at TIMESTAMP NOT NULL DEFAULT {db.timestamp_now},
+            operator_cash_in_fee_fraction DECIMAL(10,4) NOT NULL DEFAULT 0.0000,
+            operator_cash_out_fee_fraction DECIMAL(10,4) NOT NULL DEFAULT 0.0000,
+            bunker_spire_key_name TEXT,
+            paired_at TIMESTAMP
+        )
+        """
+    )
+    await db.execute(
+        """
+        INSERT INTO spirekeeper.dca_machines_new
+            (id, operator_user_id, machine_npub, wallet_id, name, location,
+             fiat_code, is_active, created_at, updated_at,
+             operator_cash_in_fee_fraction, operator_cash_out_fee_fraction,
+             bunker_spire_key_name, paired_at)
+        SELECT id, operator_user_id, machine_npub, wallet_id, name, location,
+               fiat_code, is_active, created_at, updated_at,
+               operator_cash_in_fee_fraction, operator_cash_out_fee_fraction,
+               bunker_spire_key_name, paired_at
+        FROM spirekeeper.dca_machines
+        """
+    )
+    await db.execute("DROP TABLE spirekeeper.dca_machines")
+    await db.execute(
+        "ALTER TABLE spirekeeper.dca_machines_new RENAME TO dca_machines"
+    )
+    await db.execute(
+        "CREATE INDEX IF NOT EXISTS dca_machines_operator_idx "
+        "ON dca_machines (operator_user_id)"
+    )
+    await db.execute(
+        "CREATE UNIQUE INDEX IF NOT EXISTS dca_machines_wallet_id_uq "
+        "ON dca_machines (wallet_id)"
+    )
diff --git a/models.py b/models.py
index f56cbcd..d779633 100644
--- a/models.py
+++ b/models.py
@@ -28,7 +28,11 @@ class CreateMachineData(BaseModel):
     not against any fee total. See aiolabs/satmachineadmin#37 / #38.
     """
 
-    machine_npub: str
+    # Optional: blank = register the machine UNPAIRED — the bunker mints its
+    # identity at pairing (model A1, the normal path). Supplying an npub here
+    # is the development self-key path (a machine that holds its own signing
+    # key); see views_api.api_create_machine.
+    machine_npub: str | None = None
     wallet_id: str
     name: str | None = None
     location: str | None = None
@@ -48,7 +52,7 @@ class CreateMachineData(BaseModel):
 class Machine(BaseModel):
     id: str
     operator_user_id: str
-    machine_npub: str
+    machine_npub: str | None  # NULL until paired (or supplied on the dev self-key path)
     wallet_id: str
     name: str | None
     location: str | None
@@ -84,11 +88,17 @@ class UpdateMachineData(BaseModel):
 class PairMachineData(BaseModel):
     """Body for POST /machines/{id}/pair (S0 / #9). `relays` are the relays
     the spire will use for its own events (kind-21000/30078) — typically the
-    operator's nostrrelay; the bunker connection relay is added separately
-    from the lnbits bunker settings. `duration_hours` optionally time-bounds
-    the spire's connect token (None = non-expiring)."""
+    operator's nostrrelay. `bunker_relay` overrides the relay embedded in the
+    seed's `bunker://` URL (the relay the spire uses to *reach* the bunker);
+    when omitted it defaults to `settings.lnbits_nsec_bunker_url`. Set it when
+    the relay lnbits uses to reach the bunker differs from the one the spire
+    must reach — e.g. an internal docker hostname (`ws://lnbits:5001/…`) vs a
+    LAN/public URL (`ws://192.168.0.32:5001/…`), or any split-relay deploy.
+    `duration_hours` optionally time-bounds the spire's connect token
+    (None = non-expiring)."""
 
     relays: list[str]
+    bunker_relay: str | None = None
     duration_hours: int | None = None
 
     @validator("duration_hours")
diff --git a/static/js/index.js b/static/js/index.js
index 52d3a3b..c9878d0 100644
--- a/static/js/index.js
+++ b/static/js/index.js
@@ -581,8 +581,29 @@ window.app = Vue.createApp({
       this.superFeeDialog.show = true
     },
 
+    // Guard the decimal-vs-percent trap shared by the super + operator fee
+    // forms: fees are decimal fractions (3% = 0.03), capped at 0.15. A value
+    // > 0.15 almost always means a percent was typed (3 instead of 0.03).
+    // Returns false + shows a clear toast so the operator never sees a raw 400.
+    _assertFeesDecimal(...fracs) {
+      if (fracs.some((v) => !Number.isFinite(v) || v < 0 || v > 0.15)) {
+        Quasar.Notify.create({
+          type: 'negative',
+          message: 'Enter each fee as a decimal fraction (e.g. 3% = 0.03)',
+          caption:
+            'Range 0–0.15. A value above 0.15 usually means a percent was typed (3 instead of 0.03).'
+        })
+        return false
+      }
+      return true
+    },
+
     async submitSuperFee() {
       const d = this.superFeeDialog.data
+      if (!this._assertFeesDecimal(
+        Number(d.super_cash_in_fee_fraction),
+        Number(d.super_cash_out_fee_fraction)
+      )) return
       this.superFeeDialog.saving = true
       try {
         const {data} = await LNbits.api.request(
@@ -699,13 +720,17 @@ window.app = Vue.createApp({
 
     async submitAddMachine() {
       const body = this._cleanMachineForm(this.addMachineDialog.data)
-      if (!body.machine_npub || !body.wallet_id) {
+      if (!body.wallet_id) {
         Quasar.Notify.create({
           type: 'negative',
-          message: 'machine_npub and wallet_id are required'
+          message: 'A wallet is required'
         })
         return
       }
+      if (!this._assertFeesDecimal(
+        Number(body.operator_cash_in_fee_fraction) || 0,
+        Number(body.operator_cash_out_fee_fraction) || 0
+      )) return
       this.addMachineDialog.saving = true
       try {
         const {data} = await LNbits.api.request('POST', MACHINES_PATH, null, body)
@@ -713,7 +738,7 @@ window.app = Vue.createApp({
         this.addMachineDialog.show = false
         Quasar.Notify.create({
           type: 'positive',
-          message: `Machine ${data.name || data.machine_npub.slice(0, 12)} added`
+          message: `Machine ${data.name || (data.machine_npub || 'unpaired').slice(0, 12)} added`
         })
       } catch (e) {
         this._notifyError(e, 'Failed to add machine')
@@ -741,6 +766,10 @@ window.app = Vue.createApp({
 
     async submitEditMachine() {
       const d = this.editMachineDialog.data
+      if (!this._assertFeesDecimal(
+        Number(d.operator_cash_in_fee_fraction) || 0,
+        Number(d.operator_cash_out_fee_fraction) || 0
+      )) return
       this.editMachineDialog.saving = true
       try {
         const {data} = await LNbits.api.request(
@@ -772,7 +801,7 @@ window.app = Vue.createApp({
       Quasar.Dialog.create({
         title: 'Delete machine?',
         message:
-          `This removes <b>${machine.name || machine.machine_npub.slice(0, 12)}</b>` +
+          `This removes <b>${machine.name || (machine.machine_npub || 'unpaired').slice(0, 12)}</b>` +
           ' from your fleet. Existing settlements and payment history are preserved' +
           ' — only the machine row itself is removed. Continue?',
         html: true,
@@ -848,7 +877,7 @@ window.app = Vue.createApp({
       Quasar.Dialog.create({
         title: 'Revoke spire access?',
         message:
-          `This cuts <b>${machine.name || machine.machine_npub.slice(0, 12)}</b>'s` +
+          `This cuts <b>${machine.name || (machine.machine_npub || 'unpaired').slice(0, 12)}</b>'s` +
           ' signing access at the bunker — the spire can no longer submit' +
           ' cash-outs until you re-pair it. Continue?',
         html: true,
@@ -1515,7 +1544,7 @@ window.app = Vue.createApp({
     // Helpers
     // -----------------------------------------------------------------
     shortNpub(npub) {
-      if (!npub) return ''
+      if (!npub) return 'unpaired'
       if (npub.length <= 16) return npub
       return npub.slice(0, 8) + '…' + npub.slice(-6)
     },
@@ -1601,7 +1630,7 @@ window.app = Vue.createApp({
 
     _cleanMachineForm(d) {
       return {
-        machine_npub: (d.machine_npub || '').trim(),
+        machine_npub: (d.machine_npub || '').trim() || null,
         wallet_id: d.wallet_id,
         name: (d.name || '').trim() || null,
         location: (d.location || '').trim() || null,
diff --git a/templates/spirekeeper/index.html b/templates/spirekeeper/index.html
index 45d47a7..53c30d1 100644
--- a/templates/spirekeeper/index.html
+++ b/templates/spirekeeper/index.html
@@ -792,13 +792,13 @@
 
           <q-input
             v-model="addMachineDialog.data.machine_npub"
-            label="Machine npub (hex or bech32)"
-            hint="64-char hex pubkey or npub1... bech32 string"
+            label="Machine npub — DEVELOPMENT ONLY (blank = normal bunker pairing)"
+            hint="⚠ Leave blank for normal operation: the bunker mints this machine's key when you pair it (no nsec ever lands on the machine). Only fill this to register a machine that holds its OWN signing key — development / self-signing. Hex or npub1…"
+            color="orange"
             class="q-mb-md"
             dense outlined
             :rules="[
-              v => !!v || 'Required',
-              v => (v && v.length >= 32) || 'Looks too short'
+              v => !v || v.length >= 32 || 'Looks too short — use a full hex/npub, or leave blank'
             ]"></q-input>
 
           <q-select
@@ -819,7 +819,7 @@
 
           <q-input
             v-model.number="addMachineDialog.data.operator_cash_in_fee_fraction"
-            label="Operator cash-in fee % (decimal, 0..0.15)"
+            label="Operator cash-in fee (decimal fraction, 0-0.15)"
             hint="Your per-machine cut on cash-in. Sits on top of the platform fee; cap is 15% total per direction."
             type="number" step="0.0001" min="0" max="0.15"
             class="q-mb-md"
@@ -827,7 +827,7 @@
 
           <q-input
             v-model.number="addMachineDialog.data.operator_cash_out_fee_fraction"
-            label="Operator cash-out fee % (decimal, 0..0.15)"
+            label="Operator cash-out fee (decimal fraction, 0-0.15)"
             hint="Your per-machine cut on cash-out. Sits on top of the platform fee; cap is 15% total per direction."
             type="number" step="0.0001" min="0" max="0.15"
             class="q-mb-md"
@@ -1368,12 +1368,12 @@
             typically a wallet you (the super) own.
           </p>
           <q-input v-model.number="superFeeDialog.data.super_cash_in_fee_fraction"
-            label="Cash-in fee % (decimal, 0..0.15)"
+            label="Cash-in fee (decimal fraction, 0-0.15)"
             hint="0.03 = 3% of principal on cash-in transactions"
             type="number" step="0.0001" min="0" max="0.15"
             class="q-mb-md" dense outlined></q-input>
           <q-input v-model.number="superFeeDialog.data.super_cash_out_fee_fraction"
-            label="Cash-out fee % (decimal, 0..0.15)"
+            label="Cash-out fee (decimal fraction, 0-0.15)"
             hint="0.03 = 3% of principal on cash-out transactions"
             type="number" step="0.0001" min="0" max="0.15"
             class="q-mb-md" dense outlined></q-input>
@@ -1627,12 +1627,12 @@
           <q-input v-model="editMachineDialog.data.fiat_code"
             label="Fiat code" class="q-mb-md" dense outlined></q-input>
           <q-input v-model.number="editMachineDialog.data.operator_cash_in_fee_fraction"
-            label="Operator cash-in fee % (decimal, 0..0.15)"
+            label="Operator cash-in fee (decimal fraction, 0-0.15)"
             hint="Sits on top of the platform cash-in fee. Cap 15% total per direction."
             type="number" step="0.0001" min="0" max="0.15"
             class="q-mb-md" dense outlined></q-input>
           <q-input v-model.number="editMachineDialog.data.operator_cash_out_fee_fraction"
-            label="Operator cash-out fee % (decimal, 0..0.15)"
+            label="Operator cash-out fee (decimal fraction, 0-0.15)"
             hint="Sits on top of the platform cash-out fee. Cap 15% total per direction."
             type="number" step="0.0001" min="0" max="0.15"
             class="q-mb-md" dense outlined></q-input>
diff --git a/views_api.py b/views_api.py
index 8dff07e..1a5bc62 100644
--- a/views_api.py
+++ b/views_api.py
@@ -248,7 +248,7 @@ async def _assert_super_config_cap_safe(
                 HTTPStatus.BAD_REQUEST,
                 (
                     f"super cash-in fee {effective_in:.4f} would exceed cap "
-                    f"on machine {m.id} ({m.name or m.machine_npub[:12]}): "
+                    f"on machine {m.id} ({m.name or (m.machine_npub or m.id)[:12]}): "
                     f"+ operator {op_in:.4f} = "
                     f"{total_in:.4f} > {MAX_FEE_FRACTION_PER_DIRECTION}"
                 ),
@@ -258,7 +258,7 @@ async def _assert_super_config_cap_safe(
                 HTTPStatus.BAD_REQUEST,
                 (
                     f"super cash-out fee {effective_out:.4f} would exceed cap "
-                    f"on machine {m.id} ({m.name or m.machine_npub[:12]}): "
+                    f"on machine {m.id} ({m.name or (m.machine_npub or m.id)[:12]}): "
                     f"+ operator {op_out:.4f} = "
                     f"{total_out:.4f} > {MAX_FEE_FRACTION_PER_DIRECTION}"
                 ),
@@ -275,7 +275,13 @@ async def api_create_machine(
     data: CreateMachineData, user: User = Depends(check_user_exists)
 ) -> Machine:
     await _assert_wallet_owned_by(data.wallet_id, user.id)
-    await _assert_no_pubkey_collision(data.machine_npub)
+    # machine_npub is optional: blank = register UNPAIRED — the bunker mints
+    # the identity at pairing (the normal path). An npub supplied up front is
+    # the development self-key path; only then do we collision-check + publish
+    # a fee config now (an unpaired machine has no target yet, so it gets its
+    # config at pairing instead — see api_pair_machine).
+    if data.machine_npub:
+        await _assert_no_pubkey_collision(data.machine_npub)
     await _assert_machine_fee_cap_safe(
         data.operator_cash_in_fee_fraction,
         data.operator_cash_out_fee_fraction,
@@ -284,9 +290,10 @@ async def api_create_machine(
     # Layer 2 (#39): publish initial fee config to the ATM so it can
     # unblock past its `awaiting-fees` maintenance gate. Soft-fails on
     # transport errors — machine creation has already succeeded.
-    super_config = await get_super_config()
-    if super_config is not None:
-        await publish_fee_config(machine, super_config, user.id)
+    if machine.machine_npub:
+        super_config = await get_super_config()
+        if super_config is not None:
+            await publish_fee_config(machine, super_config, user.id)
     return machine
 
 
@@ -317,6 +324,7 @@ async def api_pair_machine(
                 machine,
                 relays=data.relays,
                 admin_client=client,
+                bunker_relay=data.bunker_relay,
                 duration_hours=data.duration_hours,
             )
     except NsecBunkerNotConfiguredError as exc:
@@ -337,6 +345,14 @@ async def api_pair_machine(
         bunker_spire_key_name=result.bunker_key_name,
         paired_at=datetime.now(timezone.utc),
     )
+    # Now that the machine has a bunker identity, publish its fee config so
+    # the spire can clear its `awaiting-fees` gate. For a machine created
+    # unpaired, this is the first time it has a target. Soft-fails (mirrors
+    # create); pairing has already succeeded.
+    super_config = await get_super_config()
+    if super_config is not None:
+        paired = await _machine_owned_by(machine_id, user.id)
+        await publish_fee_config(paired, super_config, user.id)
     return result
 
 

From 7b55dc152b771a7d77d0e06c2b2e8c47292165ed Mon Sep 17 00:00:00 2001
From: Padreug <padreug@aiolabs.dev>
Date: Sun, 21 Jun 2026 17:27:58 +0200
Subject: [PATCH 13/19] fix(settlements): process cash-in (outbound) payments,
 not just cash-out
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The `_handle_payment` cash-in branch existed but had never been exercised
end-to-end — bitSpire cash-in payouts only started reaching it once the
withdraw extension learned to stamp `source=bitspire` on an LNURL-withdraw
payout (aiolabs/withdraw#3). With that wired up, the first real cash-in
exposed two bugs:

1. `payment.sat` is signed by protocol direction — negative for an
   outbound (cash-in) payout. It was passed straight to `parse_settlement`
   as `wire_sats`, which enforces `wire_sats >= 0`, so every cash-in was
   rejected ("wire_sats must be >= 0, got -75795"). A settlement's
   `wire_sats` is a magnitude (direction lives in `tx_type`); pass
   `abs(payment.sat)`. Same in `_record_rejected`.

2. `_record_rejected` hard-coded `tx_type="cash_out"`, so a rejected
   cash-in showed the wrong direction in the operator dashboard. The
   parsed tx_type isn't available on the rejection path, but the
   authenticated protocol direction is — derive it: outbound → cash_in,
   inbound → cash_out.

Verified on the dev stack: a stamped cash-in now lands a `cash_in`
settlement (net 75795, principal 82386, fee 6591), pays the super its 3%
(2472 sats), and correctly skips the DCA leg (principal stays in the
operator's wallet as liquidity from the cash-in customer).
---
 tasks.py | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/tasks.py b/tasks.py
index 4685c84..eb874de 100644
--- a/tasks.py
+++ b/tasks.py
@@ -130,7 +130,11 @@ async def _handle_payment(payment: Payment) -> None:
         data = parse_settlement(
             machine=machine,
             payment_hash=payment.payment_hash,
-            wire_sats=payment.sat,
+            # `payment.sat` is signed by protocol direction (negative for an
+            # outbound cash-in payout, positive for an inbound cash-out
+            # receipt). The settlement's `wire_sats` is a magnitude — direction
+            # is carried separately by `tx_type` — so pass the absolute value.
+            wire_sats=abs(payment.sat),
             extra=extra,
             super_config=super_config,
         )
@@ -205,7 +209,8 @@ async def _record_rejected(payment: Payment, machine: Machine, exc: Exception) -
     data = CreateDcaSettlementData(
         machine_id=machine.id,
         payment_hash=payment.payment_hash,
-        wire_sats=payment.sat,
+        # Magnitude, not the signed `payment.sat` (negative for outbound).
+        wire_sats=abs(payment.sat),
         fiat_amount=0.0,
         fiat_code=machine.fiat_code,
         exchange_rate=0.0,
@@ -213,11 +218,11 @@ async def _record_rejected(payment: Payment, machine: Machine, exc: Exception) -
         fee_sats=0,
         platform_fee_sats=0,
         operator_fee_sats=0,
-        # tx_type is unknown for rejection paths; default to cash_out
-        # (the only direction currently wired). When S8 lands the
-        # listener will branch on tx_type from extra, and this default
-        # gets revisited.
-        tx_type="cash_out",
+        # The parsed tx_type is unavailable on the rejection path, but the
+        # authenticated protocol direction is: an outbound payment is a
+        # cash-in, an inbound one a cash-out. Use that so a rejected row shows
+        # the right direction instead of always reading "cash-out".
+        tx_type="cash_in" if not payment.is_in else "cash_out",
     )
     rejected = await create_settlement_idempotent(
         data, initial_status="rejected", error_message=str(exc)

From 607b71e79687dfce63b04c4606c5cb0fe78446e8 Mon Sep 17 00:00:00 2001
From: Padreug <padreug@aiolabs.dev>
Date: Mon, 22 Jun 2026 12:17:17 +0200
Subject: [PATCH 14/19] feat(cash-in): secure `create_withdraw` nostr-transport
 RPC (#31)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a server-side cash-in RPC so the ATM no longer supplies the withdraw
amount, fee, or attribution. The ATM sends a bunker-signed kind-21000
`create_withdraw` with just the gross `principal_sats` (the hardware-
attested fiat value); the handler derives everything else SERVER-SIDE:

- attribution = the VERIFIED transport `sender_pubkey` (never read from the
  body), matched to an active machine on the authenticated wallet;
- fee = round(principal × super_cash_in) + round(principal × operator_cash_in),
  per-leg rounding so it matches parse_settlement exactly (fee_mismatch=0);
- net = principal − fee → the withdraw amount the customer receives;
- stamps `extra={source:bitspire, type:cash_in, principal_sats, fee_sats,
  nostr_sender_pubkey:<verified>, nostr_event_id}` onto the link.

The customer claims the NET link; the payout carries the stamped extra
(aiolabs/withdraw#3) and `_handle_payment` records the cash_in settlement
(spirekeeper#30) with cryptographic attribution — closing the vector where
`lnurlw_create_link` let the ATM set amount/fee/attribution freely.

Registered via `register_rpc("create_withdraw", …, AUTH_WALLET)` (extensions
register RPCs directly — withdraw already does). Soft-fails on lnbits without
`register_rpc`. Per-tx cap reads `super_config.max_cash_in_sats` defensively
(getattr) — the config field/UI is a fast-follow.

Wire schema pinned in #31. Depends on #30 (consumer-side settlement fix).
---
 __init__.py         |  11 +++-
 cashin_transport.py | 132 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 140 insertions(+), 3 deletions(-)
 create mode 100644 cashin_transport.py

diff --git a/__init__.py b/__init__.py
index 39de3d8..d40a411 100644
--- a/__init__.py
+++ b/__init__.py
@@ -4,6 +4,7 @@ from fastapi import APIRouter
 from lnbits.tasks import create_permanent_unique_task
 from loguru import logger
 
+from .cashin_transport import register_create_withdraw_rpc
 from .crud import db
 from .nostr_transport_roster import register_with_lnbits as register_roster_with_lnbits
 from .tasks import wait_for_cassette_state_events, wait_for_paid_invoices
@@ -13,9 +14,7 @@ from .views_api import spirekeeper_api_router
 logger.info("spirekeeper v2 loaded")
 
 
-spirekeeper_ext: APIRouter = APIRouter(
-    prefix="/spirekeeper", tags=["DCA Admin"]
-)
+spirekeeper_ext: APIRouter = APIRouter(prefix="/spirekeeper", tags=["DCA Admin"])
 spirekeeper_ext.include_router(spirekeeper_generic_router)
 spirekeeper_ext.include_router(spirekeeper_api_router)
 
@@ -57,6 +56,12 @@ def spirekeeper_start():
     # wallet, not an auto-created machine wallet. Soft-fails on lnbits
     # versions that don't yet expose `register_roster_resolver`.
     register_roster_with_lnbits()
+    # Secure cash-in (#31): register the `create_withdraw` nostr-transport RPC
+    # so the ATM requests a server-priced, server-stamped cash-in withdraw link
+    # over the bunker-signed transport — amount/fee/attribution derived
+    # server-side, never client-supplied. Soft-fails if `register_rpc` isn't
+    # exposed by this lnbits.
+    register_create_withdraw_rpc()
 
 
 __all__ = [
diff --git a/cashin_transport.py b/cashin_transport.py
new file mode 100644
index 0000000..a912180
--- /dev/null
+++ b/cashin_transport.py
@@ -0,0 +1,132 @@
+"""
+Secure cash-in: a `create_withdraw` nostr-transport RPC (aiolabs/spirekeeper#31).
+
+Mirrors withdraw's `lnurlw_create_link`, but cash-in-semantic. The ATM sends the
+gross `principal_sats` (the hardware-attested fiat value) over the bunker-signed
+kind-21000 transport; the operator side derives the fee, the NET withdraw
+amount, and the attribution **server-side** — none of it client-supplied. The
+customer claims the NET link; the payout carries the stamped `extra`
+(aiolabs/withdraw#3) so `_handle_payment` records the `cash_in` settlement with
+cryptographic attribution (the verified transport sender), exactly like the
+cash-out path.
+
+Why this exists: `lnurlw_create_link` takes `min/max_withdrawable` and `extra`
+straight from the client body, so an authenticated-but-malicious/buggy ATM could
+set the gross amount (no fee), forge `nostr_sender_pubkey`, or request an
+arbitrary amount. This RPC closes that by computing everything server-side.
+"""
+
+from __future__ import annotations
+
+from loguru import logger
+
+from .crud import get_machine_by_atm_pubkey_hex, get_super_config
+
+_RPC_NAME = "create_withdraw"
+
+
+async def handle_create_withdraw(auth, request) -> dict:
+    """nostr-transport RPC handler. `auth` is a WalletTypeInfo (the operator
+    wallet, roster-resolved from the verified sender); `request` is a
+    NostrRpcRequest with `body`, `sender_pubkey` (verified), and `event_id`."""
+    # Import withdraw lazily so registration never hard-depends on the withdraw
+    # extension being importable at startup; a missing dep fails the request,
+    # not the daemon.
+    try:
+        from withdraw.crud import create_withdraw_link
+        from withdraw.helpers import create_lnurl_from_baseurl
+        from withdraw.models import CreateWithdrawData
+    except ImportError as exc:
+        raise ValueError(
+            "withdraw extension unavailable; cannot mint a cash-in link"
+        ) from exc
+
+    body = request.body or {}
+
+    principal_sats = body.get("principal_sats")
+    if not isinstance(principal_sats, int) or principal_sats <= 0:
+        raise ValueError("principal_sats must be a positive integer")
+
+    # Attribution is the VERIFIED transport sender — never read it from the body.
+    sender = (request.sender_pubkey or "").lower()
+    if not sender:
+        raise ValueError("missing verified sender_pubkey")
+
+    machine = await get_machine_by_atm_pubkey_hex(sender)
+    if machine is None:
+        raise ValueError("no active machine for this signer")
+    # Defence in depth: the roster already resolved `auth.wallet` from `sender`;
+    # confirm it's the machine's own wallet before minting a payout link on it.
+    if machine.wallet_id != auth.wallet.id:
+        raise ValueError("machine wallet does not match the authenticated wallet")
+
+    super_config = await get_super_config()
+    if super_config is None:
+        raise ValueError("super_config not initialised")
+
+    # Per-tx cap (server-side; the bunker ACL / usage caps cannot see sats).
+    cap = getattr(super_config, "max_cash_in_sats", None)
+    if cap is not None and principal_sats > cap:
+        raise ValueError(
+            f"principal_sats {principal_sats} exceeds max_cash_in_sats {cap}"
+        )
+
+    # Round each leg independently so the split matches parse_settlement exactly
+    # (platform_fee + operator_fee == fee_sats → fee_mismatch_sats = 0).
+    platform_fee = round(
+        principal_sats * float(super_config.super_cash_in_fee_fraction)
+    )
+    operator_fee = round(principal_sats * float(machine.operator_cash_in_fee_fraction))
+    fee_sats = platform_fee + operator_fee
+    net_sats = principal_sats - fee_sats
+    if net_sats <= 0:
+        raise ValueError("fee >= principal; nothing to withdraw")
+
+    data = CreateWithdrawData(
+        title=body.get("title") or f"bitSpire Cash-In {machine.id}",
+        min_withdrawable=net_sats,
+        max_withdrawable=net_sats,
+        uses=1,
+        wait_time=int(body.get("wait_time") or 1),
+        is_unique=False,
+        extra={
+            "source": "bitspire",
+            "type": "cash_in",
+            "principal_sats": principal_sats,
+            "fee_sats": fee_sats,
+            "nostr_sender_pubkey": sender,
+            "nostr_event_id": body.get("client_ref") or request.event_id,
+        },
+    )
+    link = await create_withdraw_link(data, auth.wallet.id)
+    lnurl = create_lnurl_from_baseurl(link)
+    logger.info(
+        f"spirekeeper: create_withdraw machine={machine.id} "
+        f"principal={principal_sats} fee={fee_sats} (super={platform_fee} "
+        f"op={operator_fee}) net={net_sats} link={link.id}"
+    )
+    return {
+        "link_id": link.id,
+        "lnurl": str(lnurl),
+        "net_sats": net_sats,
+        "principal_sats": principal_sats,
+        "fee_sats": fee_sats,
+    }
+
+
+def register_create_withdraw_rpc() -> None:
+    """Register `create_withdraw` with the lnbits nostr transport. Soft-fails if
+    the transport doesn't expose `register_rpc` (older lnbits)."""
+    try:
+        from lnbits.core.services.nostr_transport.dispatcher import (  # type: ignore
+            AUTH_WALLET,
+            register_rpc,
+        )
+    except ImportError:
+        logger.warning(
+            "spirekeeper: nostr-transport register_rpc unavailable; "
+            "'create_withdraw' not registered (secure cash-in over RPC disabled)"
+        )
+        return
+    register_rpc(_RPC_NAME, handle_create_withdraw, AUTH_WALLET)
+    logger.info("spirekeeper: registered nostr-transport RPC 'create_withdraw'")

From 9abf695fd5f32dcbd8a593f7f2ad9d205fa9fc9a Mon Sep 17 00:00:00 2001
From: Padreug <padreug@aiolabs.dev>
Date: Mon, 22 Jun 2026 12:51:59 +0200
Subject: [PATCH 15/19] feat(cash-in): super_config.max_cash_in_sats per-tx cap
 + UI (#31)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Wires the server-side per-transaction cash-in ceiling the `create_withdraw`
handler already enforces (it read the value defensively via getattr; this
makes it a first-class config field).

- migrations.py m012: ADD COLUMN super_config.max_cash_in_sats INTEGER (NULL
  = no cap).
- models.py: SuperConfig.max_cash_in_sats + UpdateSuperConfigData field with a
  >= 0 validator.
- super-fee dialog: a "Max cash-in per transaction (sats)" input; blank sends
  null (the PUT skips null, preserving the current value — set 0 to reject
  every cash-in). crud `update_super_config` and the PUT endpoint flow the
  field through automatically (dynamic dict update; check_super_user gated).

Why a sats cap and not the bunker ACL: the ACL / usage caps (#28) gate call
*rate*, not *sats*, and `principal_sats` is necessarily ATM-attested — so a
single in-rate call could request an arbitrarily large payout. This bounds a
compromised/buggy machine to one capped transaction.

Verified on the dev stack: m012 runs, the model round-trips the column
(GET returns the set value), and a negative value is rejected.
---
 migrations.py                    | 15 +++++++++++++++
 models.py                        | 13 +++++++++++++
 static/js/index.js               | 24 +++++++++++++++++++++---
 templates/spirekeeper/index.html |  5 +++++
 4 files changed, 54 insertions(+), 3 deletions(-)

diff --git a/migrations.py b/migrations.py
index d3bcece..6ede0eb 100644
--- a/migrations.py
+++ b/migrations.py
@@ -845,3 +845,18 @@ async def m011_machine_npub_nullable(db):
         "CREATE UNIQUE INDEX IF NOT EXISTS dca_machines_wallet_id_uq "
         "ON dca_machines (wallet_id)"
     )
+
+
+async def m012_add_max_cash_in_sats(db):
+    """Server-side per-transaction cash-in ceiling (aiolabs/spirekeeper#31).
+
+    The secure `create_withdraw` RPC derives fee/net/attribution server-side,
+    but `principal_sats` is necessarily ATM-attested (only the hardware knows
+    how much cash went in). The bunker ACL / usage caps gate call *rate*, not
+    *sats*, so a single in-rate call could request an arbitrarily large payout.
+    `max_cash_in_sats` bounds that: the handler rejects a cash-in whose
+    principal exceeds it. NULL = no cap.
+    """
+    await db.execute(
+        "ALTER TABLE spirekeeper.super_config ADD COLUMN max_cash_in_sats INTEGER"
+    )
diff --git a/models.py b/models.py
index d779633..99ee552 100644
--- a/models.py
+++ b/models.py
@@ -482,6 +482,10 @@ class SuperConfig(BaseModel):
     super_cash_in_fee_fraction: float = 0.0
     super_cash_out_fee_fraction: float = 0.0
     super_fee_wallet_id: str | None
+    # Per-transaction cash-in ceiling in sats (#31). The bunker ACL gates call
+    # rate, not sats, so this bounds a single ATM-attested principal. NULL = no
+    # cap.
+    max_cash_in_sats: int | None = None
     updated_at: datetime
 
 
@@ -489,6 +493,7 @@ class UpdateSuperConfigData(BaseModel):
     super_cash_in_fee_fraction: float | None = None
     super_cash_out_fee_fraction: float | None = None
     super_fee_wallet_id: str | None = None
+    max_cash_in_sats: int | None = None
 
     @validator(
         "super_cash_in_fee_fraction",
@@ -501,6 +506,14 @@ class UpdateSuperConfigData(BaseModel):
             raise ValueError("super fee fraction must be between 0 and 1")
         return round(float(v), 4)
 
+    @validator("max_cash_in_sats")
+    def _cap_non_negative(cls, v):
+        if v is None:
+            return v
+        if v < 0:
+            raise ValueError("max_cash_in_sats must be >= 0")
+        return int(v)
+
 
 # =============================================================================
 # Operator UX action carriers — partial-tx and balance-settlement features.
diff --git a/static/js/index.js b/static/js/index.js
index c9878d0..053133d 100644
--- a/static/js/index.js
+++ b/static/js/index.js
@@ -103,7 +103,8 @@ window.app = Vue.createApp({
         data: {
           super_cash_in_fee_fraction: 0,
           super_cash_out_fee_fraction: 0,
-          super_fee_wallet_id: ''
+          super_fee_wallet_id: '',
+          max_cash_in_sats: null
         }
       },
 
@@ -576,7 +577,8 @@ window.app = Vue.createApp({
           this.superConfig?.super_cash_in_fee_fraction ?? 0,
         super_cash_out_fee_fraction:
           this.superConfig?.super_cash_out_fee_fraction ?? 0,
-        super_fee_wallet_id: this.superConfig?.super_fee_wallet_id || ''
+        super_fee_wallet_id: this.superConfig?.super_fee_wallet_id || '',
+        max_cash_in_sats: this.superConfig?.max_cash_in_sats ?? null
       }
       this.superFeeDialog.show = true
     },
@@ -604,6 +606,21 @@ window.app = Vue.createApp({
         Number(d.super_cash_in_fee_fraction),
         Number(d.super_cash_out_fee_fraction)
       )) return
+      // Blank cap field -> null (the PUT skips null, so the existing value is
+      // preserved rather than cleared — set 0 to reject every cash-in).
+      const cap =
+        d.max_cash_in_sats === '' ||
+        d.max_cash_in_sats === null ||
+        d.max_cash_in_sats === undefined
+          ? null
+          : Number(d.max_cash_in_sats)
+      if (cap !== null && (!Number.isInteger(cap) || cap < 0)) {
+        Quasar.Notify.create({
+          type: 'negative',
+          message: 'Max cash-in must be a non-negative whole number of sats'
+        })
+        return
+      }
       this.superFeeDialog.saving = true
       try {
         const {data} = await LNbits.api.request(
@@ -611,7 +628,8 @@ window.app = Vue.createApp({
           {
             super_cash_in_fee_fraction: Number(d.super_cash_in_fee_fraction),
             super_cash_out_fee_fraction: Number(d.super_cash_out_fee_fraction),
-            super_fee_wallet_id: (d.super_fee_wallet_id || '').trim() || null
+            super_fee_wallet_id: (d.super_fee_wallet_id || '').trim() || null,
+            max_cash_in_sats: cap
           }
         )
         this.superConfig = data
diff --git a/templates/spirekeeper/index.html b/templates/spirekeeper/index.html
index 53c30d1..01bb973 100644
--- a/templates/spirekeeper/index.html
+++ b/templates/spirekeeper/index.html
@@ -1381,6 +1381,11 @@
             label="Super fee destination wallet_id"
             hint="LNbits wallet that collects the platform fee"
             class="q-mb-md" dense outlined></q-input>
+          <q-input v-model.number="superFeeDialog.data.max_cash_in_sats"
+            label="Max cash-in per transaction (sats — blank = no cap)"
+            hint="Server-side ceiling on a single cash-in's principal. The ATM attests the amount; this bounds a compromised/buggy machine to one capped tx."
+            type="number" step="1" min="0"
+            class="q-mb-md" dense outlined></q-input>
         </q-card-section>
         <q-card-actions align="right">
           <q-btn flat label="Cancel" v-close-popup></q-btn>

From f67cb49bc36e78c08f94cc5e1934fb510324c089 Mon Sep 17 00:00:00 2001
From: Padreug <padreug@aiolabs.dev>
Date: Mon, 22 Jun 2026 15:32:44 +0200
Subject: [PATCH 16/19] fix(cash-in): return bech32 LNURL, not the raw URL
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

`Lnurl.__str__` is the underlying URL, so `str(lnurl)` returned
`http://<baseurl>/withdraw/...` instead of the bech32 `LNURL1…` — wallets
need the encoded LNURL-withdraw (lud01). Use `str(lnurl.bech32)` and add
`lnurl_url` (the raw URL) alongside, mirroring withdraw's _populate_lnurl
field convention. (Note: the encoded URL still derives from LNBITS_BASEURL —
that must be an externally reachable https URL for a real wallet to claim.)
---
 cashin_transport.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/cashin_transport.py b/cashin_transport.py
index a912180..c041f48 100644
--- a/cashin_transport.py
+++ b/cashin_transport.py
@@ -107,7 +107,10 @@ async def handle_create_withdraw(auth, request) -> dict:
     )
     return {
         "link_id": link.id,
-        "lnurl": str(lnurl),
+        # `Lnurl.__str__` is the raw URL — wallets need the bech32 LNURL1…
+        # (lud01). Mirror withdraw's `_populate_lnurl` field convention.
+        "lnurl": str(lnurl.bech32),
+        "lnurl_url": str(lnurl.url),
         "net_sats": net_sats,
         "principal_sats": principal_sats,
         "fee_sats": fee_sats,

From d52a3bfafeb5624a0bd35153ad202ae9a717ab88 Mon Sep 17 00:00:00 2001
From: Padreug <padreug@aiolabs.dev>
Date: Mon, 22 Jun 2026 16:45:29 +0200
Subject: [PATCH 17/19] fix: guard every machine_npub deref against unpaired
 machines (None)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

machine_npub became nullable in #29/m011 (register-unpaired flow), but
several consumers still assumed it's non-None and crashed
`normalize_public_key(None)` with `AttributeError: 'NoneType' object has no
attribute 'startswith'`. On the demo (which had an unpaired machine) this
broke the platform-fee update (500) and spammed the cassette consumer with
errors every 2s. The #29 create/pair paths were guarded; these were missed:

- views_api `api_update_super_config`: the "republish fee to every active
  machine" loop → skip unpaired (they get their config at pairing).
- cassette_transport `build_state_d_tags_for_machines`: skip unpaired (no
  state-beacon d-tag yet) — the cassette-consumer loop crash.
- crud `get_machine_by_atm_pubkey_hex`: its `except (ValueError,
  AssertionError)` didn't catch the AttributeError; skip unpaired before
  normalize — the cassette event-handler crash.
- bitspire `assert_nostr_attribution`: reject (SettlementAttributionError) an
  unpaired machine instead of crashing the payment listener.
- views_api cassettes/publish endpoint: 400 (not paired) instead of crashing
  publish_to_atm.

Verified on the dev stack: with an unpaired active machine present, the
cassette consumer registers (skipping it) and runs clean — no AttributeError.
---
 bitspire.py           |  8 ++++++++
 cassette_transport.py |  6 ++++--
 crud.py               |  5 +++++
 views_api.py          | 14 ++++++++++++++
 4 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/bitspire.py b/bitspire.py
index 9e0c70c..1609052 100644
--- a/bitspire.py
+++ b/bitspire.py
@@ -126,6 +126,14 @@ def assert_nostr_attribution(machine: Machine, extra: dict) -> None:
             "missing nostr_sender_pubkey on Payment.extra — invoice was not "
             "issued through the nostr-transport path"
         )
+    if not machine.machine_npub:
+        # Unpaired machine (machine_npub None — nullable since #29/m011). It has
+        # no identity to attribute a settlement to; reject cleanly rather than
+        # let normalize_public_key(None) raise an uncaught AttributeError.
+        raise SettlementAttributionError(
+            f"machine {machine.id} is unpaired (no machine_npub); "
+            "a settlement cannot be attributed to it"
+        )
     from lnbits.utils.nostr import normalize_public_key
 
     try:
diff --git a/cassette_transport.py b/cassette_transport.py
index 9f60d9a..e6517a1 100644
--- a/cassette_transport.py
+++ b/cassette_transport.py
@@ -141,8 +141,10 @@ def _state_d_tag(atm_pubkey_hex: str) -> str:
 
 def build_state_d_tags_for_machines(machines: list[Machine]) -> list[str]:
     """Bootstrap-consumer subscription filter helper: returns the full
-    `#d=[...]` list for all known ATMs an operator subscribes to."""
-    return [_state_d_tag(_atm_hex_pubkey(m)) for m in machines]
+    `#d=[...]` list for all known PAIRED ATMs an operator subscribes to.
+    Unpaired machines (machine_npub is None — nullable since #29/m011) have no
+    state-beacon d-tag yet, so skip them rather than crash `_atm_hex_pubkey`."""
+    return [_state_d_tag(_atm_hex_pubkey(m)) for m in machines if m.machine_npub]
 
 
 # =============================================================================
diff --git a/crud.py b/crud.py
index 6c4ef53..6eda100 100644
--- a/crud.py
+++ b/crud.py
@@ -180,6 +180,11 @@ async def get_machine_by_atm_pubkey_hex(atm_pubkey_hex: str) -> Machine | None:
     target = atm_pubkey_hex.lower()
     machines = await list_all_active_machines()
     for m in machines:
+        # Unpaired machines (machine_npub is None — nullable since #29/m011)
+        # have no identity to match and would raise AttributeError in
+        # normalize_public_key (not caught below); skip them.
+        if not m.machine_npub:
+            continue
         try:
             if normalize_public_key(m.machine_npub).lower() == target:
                 return m
diff --git a/views_api.py b/views_api.py
index 1a5bc62..35d35b2 100644
--- a/views_api.py
+++ b/views_api.py
@@ -1081,6 +1081,12 @@ async def api_update_super_config(
     )
     if super_fractions_changed:
         for machine in await list_all_active_machines():
+            # Unpaired machines (machine_npub is None — nullable since #29/m011)
+            # have no Nostr identity to publish a fee-config beacon to. Skip
+            # them; they pick up the current fee config when they pair
+            # (api_pair_machine publishes on success).
+            if not machine.machine_npub:
+                continue
             await publish_fee_config(machine, config, machine.operator_user_id)
     return config
 
@@ -1147,6 +1153,14 @@ async def api_publish_machine_cassettes(
       500 — anything else from the publish path
     """
     machine = await _machine_owned_by(machine_id, user.id)
+    if not machine.machine_npub:
+        # Unpaired machine (machine_npub None — nullable since #29/m011) has no
+        # ATM identity to publish a cassette config to. Fail fast with a clean
+        # 400 instead of crashing publish_to_atm's normalize_public_key(None).
+        raise HTTPException(
+            HTTPStatus.BAD_REQUEST,
+            "machine is not paired — pair it before publishing cassette config",
+        )
 
     existing = await list_cassette_configs_for_machine(machine_id)
     existing_positions = {row.position for row in existing}

From 8dad72a00dc1c92d110299e7e49fa8646380c85e Mon Sep 17 00:00:00 2001
From: Padreug <padreug@aiolabs.dev>
Date: Mon, 22 Jun 2026 16:53:45 +0200
Subject: [PATCH 18/19] fix: complete the unpaired-machine sweep + regression
 test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Full sweep of every machine_npub deref found one more reachable crash:
_record_rejected (tasks.py) logs machine_npub[:12], and the
assert_nostr_attribution guard now routes an unpaired machine there, so
None[:12] -> TypeError. Fall back to machine.id.

Every other deref is safe by the attribution-gate invariant: a settlement only
flows past assert_nostr_attribution (now rejecting unpaired) for a paired
machine, so the downstream distribution / parse-path / "landed" logs can't see
None; the collision-loop display already uses `(m.machine_npub or m.id)`.

Adds tests/test_unpaired_machine_guards.py: attribution rejects an unpaired
machine with the domain SettlementAttributionError (not AttributeError), and
build_state_d_tags skips it. New tests + every guard-affected suite pass.

(Two pre-existing test_pair_endpoint failures — #29 drift: fake_pair lacks
bunker_relay, and the test DB lacks super_config — are out of scope; filed
separately.)
---
 tasks.py                              |  5 ++-
 tests/test_unpaired_machine_guards.py | 57 +++++++++++++++++++++++++++
 2 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 tests/test_unpaired_machine_guards.py

diff --git a/tasks.py b/tasks.py
index eb874de..e3865d2 100644
--- a/tasks.py
+++ b/tasks.py
@@ -235,7 +235,10 @@ async def _record_rejected(payment: Payment, machine: Machine, exc: Exception) -
         return
     logger.error(
         f"spirekeeper: rejected settlement {rejected.id} "
-        f"(machine={machine.machine_npub[:12]}..., "
+        # An unpaired machine (machine_npub None) reaches here now that
+        # assert_nostr_attribution rejects it — fall back to the id so the
+        # log line doesn't crash on None[:12].
+        f"(machine={(machine.machine_npub or machine.id)[:12]}..., "
         f"payment_hash={payment.payment_hash[:12]}...): {exc}"
     )
 
diff --git a/tests/test_unpaired_machine_guards.py b/tests/test_unpaired_machine_guards.py
new file mode 100644
index 0000000..78ae196
--- /dev/null
+++ b/tests/test_unpaired_machine_guards.py
@@ -0,0 +1,57 @@
+"""
+Regression: `machine_npub` is nullable (#29/m011 register-unpaired flow), so
+every consumer that derives a Nostr identity from it must handle `None` rather
+than crash `normalize_public_key(None)` (AttributeError: 'NoneType' has no
+'startswith') or `machine_npub[:12]` (TypeError). See PR #33 — an unpaired
+machine on the demo broke the platform-fee update (500) and the cassette
+consumer.
+
+These cover the pure-function guards; the DB-backed loops
+(get_machine_by_atm_pubkey_hex, the super-config republish loop) are exercised
+on the dev stack with an unpaired active machine.
+"""
+
+from datetime import datetime, timezone
+
+import pytest
+
+from ..bitspire import SettlementAttributionError, assert_nostr_attribution
+from ..cassette_transport import build_state_d_tags_for_machines
+from ..models import Machine
+
+_PAIRED_HEX = "82341f882b6eabcbd6b1c2da5cd14df14b8e91dd0e6da41a72b78ad8f3a7d3b9"
+
+
+def _machine(npub: str | None) -> Machine:
+    now = datetime.now(timezone.utc)
+    return Machine(
+        id="unpaired1",
+        operator_user_id="op1",
+        machine_npub=npub,
+        wallet_id="w1",
+        name="unpaired",
+        location=None,
+        fiat_code="EUR",
+        is_active=True,
+        created_at=now,
+        updated_at=now,
+    )
+
+
+def test_attribution_rejects_unpaired_machine_cleanly():
+    """An unpaired machine must raise the domain SettlementAttributionError
+    (which the listener records as 'rejected'), not an uncaught AttributeError
+    from normalize_public_key(None)."""
+    with pytest.raises(SettlementAttributionError):
+        assert_nostr_attribution(
+            _machine(None),
+            {"source": "bitspire", "nostr_sender_pubkey": _PAIRED_HEX},
+        )
+
+
+def test_cassette_d_tags_skip_unpaired_machine():
+    """build_state_d_tags_for_machines must skip unpaired machines rather than
+    crash _atm_hex_pubkey on a None npub — the cassette-consumer loop crash."""
+    tags = build_state_d_tags_for_machines([_machine(_PAIRED_HEX), _machine(None)])
+    assert len(tags) == 1  # only the paired machine contributes a d-tag
+    assert all("None" not in t for t in tags)

From b55fc8bc1cba852f488f8707cca98674dc533064 Mon Sep 17 00:00:00 2001
From: Padreug <padreug@aiolabs.dev>
Date: Mon, 22 Jun 2026 17:18:24 +0200
Subject: [PATCH 19/19] fix(pairing): default bunker_relay to the spire's
 public event relay, not localhost
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The seed minted via the Pair UI baked an unreachable bunker relay into
bunker_url. The UI form has no bunker_relay field, so pair_spire fell back to
its default `settings.lnbits_nsec_bunker_url` — which on a deployed instance is
the INTERNAL relay lnbits uses to reach the co-located bunker (e.g.
ws://127.0.0.1:5000/nostrrelay/demo). The remote ATM can't reach localhost, so
connectNewSeed hangs -> BunkerTimeoutError "Signer Unreachable". (Flagged by
bitspire on the demo; the localhost-relay /pair gotcha the coord thread called out.)

Default bunker_relay to the spire's own public event relay (relays[0]) instead:
the bunker lives on the same operator nostrrelay the spire publishes its events
to, so that URL is machine-reachable. An explicit `bunker_relay` still overrides
for split-relay deploys. An empty override now falls back to the same default
rather than raising.

Regression test: with no (or empty) bunker_relay, bunker_url embeds relays[0]
and contains no 127.0.0.1.

NOTE: relays[0] is a pragmatic default; whether the seed should carry multiple
relays / be sourced from the operator's nostrclient relay is a follow-up.
---
 pairing.py            | 32 +++++++++++++++-----------------
 tests/test_pairing.py | 22 +++++++++++++++++-----
 2 files changed, 32 insertions(+), 22 deletions(-)

diff --git a/pairing.py b/pairing.py
index be7a6a4..c2d923f 100644
--- a/pairing.py
+++ b/pairing.py
@@ -179,26 +179,20 @@ async def pair_spire(
     connection lifecycle out of the orchestration so this is unit-testable
     with a fake client.
 
-    `bunker_relay` / `keystore_passphrase` default to the lnbits bunker
-    settings; injectable for tests. `relays` are the relays the spire will
-    use for its *own* events (kind-21000/30078) — typically the operator's
-    nostrrelay; supplied by the API layer.
+    `relays` are the relays the spire uses for its *own* events
+    (kind-21000/30078) — typically the operator's public nostrrelay; supplied by
+    the API layer. `bunker_relay` (the relay baked into `bunker_url`, where the
+    spire reaches the bunker) defaults to `relays[0]`; `keystore_passphrase`
+    defaults to the lnbits bunker setting. Both injectable for tests.
 
     Raises PairingError on any bunker failure; no state is persisted here
     (the API layer persists on success).
     """
-    relay = (
-        bunker_relay if bunker_relay is not None else settings.lnbits_nsec_bunker_url
-    )
     passphrase = (
         keystore_passphrase
         if keystore_passphrase is not None
         else settings.lnbits_nsec_bunker_keystore_passphrase
     )
-    if not relay:
-        raise PairingError(
-            "LNBITS_NSEC_BUNKER_URL is not set — cannot build a spire bunker connection"
-        )
     if not passphrase:
         raise PairingError(
             "LNBITS_NSEC_BUNKER_KEYSTORE_PASSPHRASE is not set — "
@@ -206,6 +200,14 @@ async def pair_spire(
         )
     if not relays:
         raise PairingError("at least one relay is required for the seed URL")
+    # The relay baked into `bunker_url` is where the *spire* (the remote ATM)
+    # reaches the bunker, so it must be a machine-reachable public URL — NOT
+    # `settings.lnbits_nsec_bunker_url`, which is how the co-located lnbits
+    # reaches the bunker (typically ws://127.0.0.1, unreachable from the ATM —
+    # the localhost-relay /pair gotcha bitspire flagged). Default to the spire's
+    # own event relay (the bunker lives on the same operator relay the spire
+    # publishes to); an explicit `bunker_relay` overrides for split-relay deploys.
+    relay = bunker_relay if bunker_relay else relays[0]
 
     key_name = spire_key_name(machine.id)
     client_name = f"spire-client-{machine.id}"
@@ -250,9 +252,7 @@ async def pair_spire(
     )
 
 
-async def revoke_spire(
-    machine: Machine, *, admin_client: NsecBunkerAdminClient
-) -> int:
+async def revoke_spire(machine: Machine, *, admin_client: NsecBunkerAdminClient) -> int:
     """Revoke a spire's bunker access (the "Revoke spire access" UX,
     aiolabs/spirekeeper#9/#12).
 
@@ -274,6 +274,4 @@ async def revoke_spire(
     except NsecBunkerNotConfiguredError as exc:
         raise PairingError(f"nsecbunkerd is not configured: {exc}") from exc
     except NsecBunkerError as exc:
-        raise PairingError(
-            f"bunker admin RPC failed during revoke: {exc}"
-        ) from exc
+        raise PairingError(f"bunker admin RPC failed during revoke: {exc}") from exc
diff --git a/tests/test_pairing.py b/tests/test_pairing.py
index 080f5f9..e3d2999 100644
--- a/tests/test_pairing.py
+++ b/tests/test_pairing.py
@@ -218,17 +218,29 @@ def test_malformed_token_raises():
         _pair(bunker)
 
 
-def test_missing_relay_or_passphrase_raises():
-    with pytest.raises(PairingError, match="LNBITS_NSEC_BUNKER_URL"):
-        asyncio.run(
+def test_bunker_relay_defaults_to_spire_event_relay():
+    """No explicit bunker_relay -> the relay baked into bunker_url is the spire's
+    own public event relay (relays[0]), NOT lnbits's internal bunker URL. This
+    is the localhost-relay /pair gotcha: a UI-minted seed (the form has no
+    bunker_relay field) must embed a machine-reachable relay, not ws://127.0.0.1.
+    An empty bunker_relay falls back to the same default."""
+    from urllib.parse import quote
+
+    for empty in (None, ""):
+        result = asyncio.run(
             pair_spire(
                 _machine(),
                 relays=_RELAYS,
-                admin_client=FakeBunker(),
-                bunker_relay="",
+                admin_client=FakeBunker(token_secret="s"),  # pragma: allowlist secret
+                bunker_relay=empty,
                 keystore_passphrase=_PASSPHRASE,
             )
         )
+        assert f"relay={quote(_RELAYS[0], safe='')}" in result.bunker_url
+        assert "127.0.0.1" not in result.bunker_url
+
+
+def test_missing_relay_or_passphrase_raises():
     with pytest.raises(PairingError, match="PASSPHRASE"):
         asyncio.run(
             pair_spire(