From cf7e272a2e2e21201dabc5ca669f897aa5bef7f2 Mon Sep 17 00:00:00 2001
From: Ashutosh Narkar <anarkar4387@gmail.com>
Date: Tue, 24 Sep 2019 10:59:37 -0700
Subject: [PATCH] OPA security assessment

This change includes the documents related to the OPA self-assessment and OPA recommendations.

Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
---
 assessments/projects/opa/README.md            | 111 ++++
 .../projects/opa/docs/document_model.png      | Bin 0 -> 22460 bytes
 .../projects/opa/docs/request_response.png    | Bin 0 -> 31072 bytes
 assessments/projects/opa/self-assessment.md   | 564 ++++++++++++++++++
 4 files changed, 675 insertions(+)
 create mode 100644 assessments/projects/opa/README.md
 create mode 100644 assessments/projects/opa/docs/document_model.png
 create mode 100644 assessments/projects/opa/docs/request_response.png
 create mode 100644 assessments/projects/opa/self-assessment.md

diff --git a/assessments/projects/opa/README.md b/assessments/projects/opa/README.md
new file mode 100644
index 000000000..e60e283d9
--- /dev/null
+++ b/assessments/projects/opa/README.md
@@ -0,0 +1,111 @@
+# OPA Security Assessment
+
+Completed: September 2019
+
+Security reviewers: Justin Cappos, Justin Cormack, Brandon Lum, Sarah Allen
+
+Project security lead: Ash Narkar
+
+* Source code: [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa)
+* Web site: [openpolicyagent.org](https://www.openpolicyagent.org/)
+
+## Background
+
+Deployed cloud native applications have policies that must be correctly enforced
+for security reasons.  The desired overall policy may span many different pieces
+of software and configurations.  Open Policy Agent (OPA) seeks to consolidate
+and control policy configuration in a consistent manner across the different
+components of a cloud native deployment.
+
+_Maturity_
+
+The core technology is in production with a broad set of companies, including
+Netflix, Cloudflare, Chef, and others ([ADOPTERS.md](https://github.com/open-policy-agent/opa/blob/master/ADOPTERS.md)).
+Code contributions are primarily from Styra, yet there has been community participation
+from a wide range of adopters ([77 contributors](https://github.com/open-policy-agent/opa/graphs/contributors),
+with Chef engineer in top 4 and Google engineer co-authoring RegoV2 specification).
+
+## Summary
+
+**Design**: The goal of OPA is to centralize and abstract out policy
+functionality to make it easier to manage policy holistically.
+Policies are written in a custom declarative language (“Rego”) which is read by
+OPA agents that are queried by the software performing checks.  The OPA agent
+may return rich information about the status of a policy check.
+
+**Analysis**: There is a clear benefit for adopters who have heterogeneous
+infrastructure or high rate of change where lack of policy enforcement would
+present significant business risk. The added complexity of OPA is not trivial.
+OPA enables “policy as code” and Rego policy expressions require the same care
+to develop as any security critical code. OPA reduces risk by isolating policy
+from business logic. Concise declarative policy has the potential to support
+efficient review; however, that relies upon a reviewer who fully understands the
+syntax and tools for effective validation. Hence usability and security around
+Rego and interaction between aspects of OPA becomes more critical.
+
+All questions from reviewers were addressed in [self-assessment](self-assessment.md)
+with non-critical issues captured as issues and noted below.
+
+## Recommendations
+
+Rego has a non-trivial learning curve and even in demos shows there is potential
+for confusion. Examining the language’s potential for confusion and mitigating
+situations where these problems arise would help to improve user security.
+
+### Recommendations to the project team
+
+1. ([OPA-1699](https://github.com/open-policy-agent/opa/issues/1699)) System
+design and deployment guidance to include “gotchas” laying out potential issues
+in a way that is more understandable to users.
+   
+    a. Common scenarios or design challenges, such as policy loading to handled
+	   race/error conditions, initialization, and queries that require state
+
+    b. Deployment Checklist: these so that one can check more holistically that
+	   they are using OPA correctly before using it in prod.
+
+2. ([OPA-1700](https://github.com/open-policy-agent/opa/issues/1700)) Rego usability
+
+    a. Make it more difficult for users to make policy-related errors by improving
+	   OPA toolchain usability (testing, playground). Related Issues: [OPA-1697](https://github.com/open-policy-agent/opa/issues/1697)
+	   and [OPA-1698](https://github.com/open-policy-agent/opa/issues/1698)
+
+    b. Make it easier for integrators to understand the security ramifications of
+	   different OPA deployment models, including models where the RESTful API
+	   is used to manipulate policies
+
+3. Expand security response team to include participants outside of Styra
+
+4. Work toward better security by improving OPA tooling and Rego language
+
+    a. OPA decision logs may contain sensitive information by default e.g.
+	when used as Kubernetes Admission Controller depending on the configuration
+	also secrets could be part of the decision logs.  While [OPA configuration](https://www.openpolicyagent.org/docs/latest/management/#masking-sensitive-data)
+	allows specific data to be omitted, we recommend that OPA create mechanisms
+	to make it harder for users to accidentally leak secrets using OPA.
+	Related Issues: [OPA-1781](https://github.com/open-policy-agent/opa/issues/1781)
+
+
+### Recommendations to CNCF
+
+The following recommendation are where help from the CNCF would assist OPA to
+increase its effectiveness in cloud native security.
+
+* Conduct a study of user practices with OPA policies and improve tooling,
+scan policies, and/or work with users to address common patterns of insecurity
+
+    a. Are failure cases in deployment (e.g., loading policy from an
+	   external system over HTTP) handled in practice?
+	   Is the current guidance about setting up an external OPA service adequate?
+
+    b. Is the method to load / add / change OPA policies appropriately secured
+	   in prod deployments?  Does this need to be automated better for users?
+
+    c. Is the Rego language understandable enough that users can correctly specify
+	   policies in a way that an attacker cannot find ways to subvert them?
+	   Should errors most commonly caught with testing now be forced earlier
+	   in the process?
+
+* Collect information from CNCF End User companies that integrate OPA into
+software and recommend integrations where OPA would have the largest security
+benefit for the cost.
diff --git a/assessments/projects/opa/docs/document_model.png b/assessments/projects/opa/docs/document_model.png
new file mode 100644
index 0000000000000000000000000000000000000000..ca4ffd4ffec0916ed68ebbf256a1fb02a37cddca
GIT binary patch
literal 22460
zcma(3XE>bS_Xdv67`^v8N_5eCACeFfEkTqZdI+QUK8TX&1Q9(!n&^fg3}QwXC5%2Y
zO7szJ^fRCD?>hf;o%8BEFFemRd-k*UtiASHYv1c$UOh6_qoL%a1ONau5A=0R0RSSx
zBhZ7KlyHOI{IMb2hy(6EFefKmk>oDP001B0fzBQC(4w8iut?jGsQsIn)1rcL_k5w*
zf1Sd9C%G?QN(gGh8Oa5!E8l3(&fhgCZ(4vit=&CqZh8Z6IwH!q!Q5RTqKM6`6THRs
zU`J)i(i$#gFx_b&|G|3n?CL=CHA^2H&XJ~Y7!6^so*g|Kex<NH7DC4G|9y!O3oiqc
zll$LD5m^8Wz~BqwI%P6cE{QP(EV;kOqTcB+XxS#DTRi4#L$FZizUx{UQiVF0+xdoR
z`Fluf*KSQU*qk-@Q74F=Axr+Dv`vKL`Hr}~-r|?ThJ1jERIy&mN1NaqIn9OTyj<tO
zKktdPbzEW(e^5UYj^A*_{n$AoQt9-`Ft{y_%IQN5gaG*Y`Q>ij00=V*v?Dzt($rS|
zMF9mZX=TXn5Rt|mhJYjyEimy7*+g5sjPGV-$s@u%lMO9}lz^=ucYrr34=IFbLB>Qj
z6ww7Rh&6y|0hE9@#I_nHva3C%K+pBVmk$9tIxcNsK3a`<$>b1V3}q^S%`kM)5+)LB
z4=e?G#G{r03sf4kkr5O1%QTlng^wa>lZ%8Cse`xpySq+7yzhKd{cd=QHbfBfA{yQ>
zX`&30{U{q8zSJ1cff+%F#FZ{5NtSi-fDiX$gAg~s5&%S94C&*bb#od!Lz+<xiUi`F
zF}E-?i1xURYuZo1Yx+=b-;<XCnt;ob&(eJhqCkQ$HwOWgh%|&h#uc$qPl34C?HQf?
zt$3d(9aQ_1HINI|LR63WPL7+zXz~&*#d?iu0c?{cnN8gMXPcSaf5M3Yk#shgJyJDT
z2C#*6EQ&^j7oD{G5U+_zLx|UHOQyEdw<_V!o<jYzDF3v}s~A(G=@w{GO)4YFKhZip
z1a;AM@K`b0CRu`#;>ON5?np>>*U!h+U=DJ-WzXxsfm=#f!iQf!|4(%S`|79|qj(Fc
zU&hZX$9_P^?ay?3h2Tnf9jO{~5p$U48xD<-5ZwMZbleeL{KbARoOOYvBS!6yHifUE
zlI(YeLKy6u(G5h&&nn&P1zxX=T0Qy}No$8ny-c?=R;vZbOTBjkC|r$HX}tj`#aeOM
zW=K2R$RXegwkbxbf6x|LF|;KSJT};y8<+`c>9I95rRNpJ4Ayw(c;L1WL8IjCSP%@)
zY|Ti~M3-c6;TU3@x-L2uDiu1L-Y80&<SRv-F*FXx2X}QKQM!Xyg4fx_Nq#bLqqiZp
z$?T$5H(tTN+~5IRi`2=sb}8bOkpn&Wc$n7aTkNT(gL@BFv!nGAjAXscC*HsV;C%?d
zlWs|(RAUuo^j!2=#TeiuypyT@E_NDo(*GH9Wcz=sE7#GKNsJeQlSTsJ-xn!(E@XpY
z7<|MMl`Zg6%9qAh6{n1j!^_|Tpm*MpB4HcGOsG}%Y3Ga83<s($T*XGdLr%O4Zs}FR
zo>BMr$Y&jD-fwawiE_q5+MWdFXnW#R@5i4mk|{WnJu-%%Hq#G3V@~{_r$2uqJfJh$
z)9%#&?V9{CgQ2tlmDz=87C7q#WJkLb0yToX{#Fnpu7cEypRsT#TxpLljR8cm&39Zs
zh31@pHk4Ai;j!tz0odRzoT*0re0tK=(Md+M$dA-gz@>O2qC{2IL;%!ZPWJKJ*Hjvs
zD~FfL!4f@o=v7hfjy-b<X7sjN=isDeeLQ0qY!~9*2d{9+efqy0$%tmyvO_=j6A9f3
z!x*5uVf%e2A-sJ`D<A7Aw7Ha2@jg3<4mAfd_^)*53&g1-*^ehq7n>%{4<1Xx$1ZE*
z4n^wisBT{G+LO(1++?6R10MJe$Ml}mYQ=M>hKeg~s*qk%t7G=W5ha*_invzHs#TI-
zx!FR7gByu$T5%QL4;nYl@{^6in`vkf_wu5++f9XcJ{$*xGMaNlB4gD1n%^@0pEiv-
zdG3v4qDkjhquqNvy}PGBX+nWZY2U_MoT-+$>O9E<oj!h#-Te?l9?Akoc&@JU^$d8U
zPCgf6zyckCum!jJMLIW<F|FZ&cc&lgzfrR}*ogAb@GPen*ZYbo-3jAVR|4)ZBMyME
zfS7@lp|K1{suy+66jD9Y=nIvCH!wS`70k<veGqAUY3<LNufELl-2Z4C0_bl9&^qE@
z|7Sc6cZ&X;JvKJp=bF)2*+8i_QwJ{~%xMj=iVmLtB1U~v&A2~`wWfI%9__a><?OW>
zwsjSniOA%P%_?kO{~YVe`CNNk^gk`pXD}t=<L5Vh`QLk)xttLy4q!0W_$pjXpA*E#
zZ>kfyETEZ(IGjj5YMxjQl94}dub>wrSTHfx&M{vTakA1gASzfx8#QicgdTxbkbkDq
z)~OI>*N`@fi4cgl(-W;-{*}7uyRm%8U9g(;pDwT}Ior;(mdkjH#_fkSYLHiSC<w%J
zE9^(DS~-0>H9*9;Dw|sy{x=^9Xf!sDSLEU;9lcns@x}F~MYg6qD72tS>(_Xsgwn4o
zp`G*~f=l`T>ync;{GS^W`@!8x+`m5kLs(@=3UlLn(AuEyE)8JFN{|fS{5tv_n{D|F
zf1cRf{K6+M0%*9-jtb=2HP*tXq4xIGmTHO1$p8EK)@Valub{OpBN`TQWy#*5VQ*!`
z0C=WbyQ-<Wn&`aI-_Y8&D3XjITDR2;2z;)zc<_cQwYzlpq^AM@zZWPp6armTOEY!v
z|L5cWpLI|mf25;R<t&C%bD*l*U>^HH=}tBcYLDGjeT|L8cwk~o!Xqhg;SP4bTHHSm
z#WA7jPS#UX|E=NVI86r-j}|Lw=f>ZI7W{jP>6ip#rD4(|vgzV5EtNj(cI+w0hp2|w
z8*oh?N{nw;Es-y^Ao$PACvduIRsaJ-K}{)eU$YNu2^4|ZgT{aY+QgqoZK37G04buL
z?tsS*LcV+|i9o5JaGun58h1cCQHDwArFjbaJ3<DIxEZ3zxS_$ZVjQ8K0JO`B8r1ag
z@Bzx2av`;t>&yX%Zo}a9ggdHu(7fPnc3%!(DID>y*It!YbQ*mrHhfY<Qhm>Alj2eD
z5&tkMA<j0^(O`{`2e@+(Q@Wp@Z)dvMPc5(ibMKu*mr}TH%!XgSQR|HmMnu~LH}@NT
z_l6vP21)mNpig|$DH6JDim9z9!H^(I9c-BYAh_x!sY-tuKU0|`PQ+DQl#+V)2{UyO
zK`0l91A%LZdDs~7!6GnH5FbY2%Z7tsPGNEwY`5$(z?L_%lMdinM-d0=pbF(gGlOrw
zAz}bsfNS<p8hBYP9b`MH{?!<-^U&%Ys8gUa?la~oloE1igpkAVU>tmxmT5;-owtYx
zUcVre2>*@ZbeSd;(Gqu2sA_$$lX{*L2ZDNqX#Gm`dhn@l`YkG<E`b|StSy8S#n~eq
zp)EaL-QS;Y$@nTM0l#znCAn5l{v4Y_a#2cTggA}8h|PCySDtpHTJifT{4-h!o`8+U
zsCRqXlPn~C>#Oa9lNO~Ikp=^oX=?`7&@O|0!pz*=*bHJ+hd}5RLz!$VPYm%6LYPI1
z=8ruj#q<6Dv>@xEZe(M|sjy`kpdquVh;2TSg0>)HNHdlJ=8idW2Qz7ftz+FAFdB5v
zH_G`{`vfD-=Z%qf7;Tn*aL(Vw8DR*q%VGV4AtN;BF%8qwDHvXL1%H4lL{qK+$3V+8
zdpELh*!5%In|QR#Iw$lGE)=I49%~F0?{!8$zu_evyCEvHk_1Lm968#U14!#Athnmr
zL+wz8Qb?8m*=Q!4*eG;&Fdzv1^xOqP-+M9?FX;oWYN1%<id6=2)svk30{<Z?Gz0@~
z$6bgBYbbMGw(}H<8V34uqE6~bj#{Zjn2KKIIoRl4i-_1P)6~(-KcUA?4Ww~(cwe?H
zrW-jx;*2=o)q&)>J~C{ld?MI1o#*^%lI$~}eZ=(Ld6UDrfvaPPNFmOwqm?lnC_?qU
zy)NO{rru~}nc|t&lY%v}1EV7)=*Wd7I&K#C$C}b04iyX#%2~Sj&X+ep5-=+^s=gOU
zVN4h7i(x_6WDUUxUI$<KF>LH7Hlrmol1Kdn1BNpCQUr&ur+y~+Z+H*3V28!Dj=-m-
z@+(RZ8CqyJ7<p2;4CCJIB2us07Y%lp$9tmOD5f0s5M7F)UhIY1tsj#IP{K5pPGrZq
zPC0KH>%XyT{bcQIaU?sYak#+PCvrEnaL+d!FhRQ`x#12`02_5eK!hHpfLw$Qb^jbw
zIXINxJVVuwTrYz<VUn#{td~$@Kd^Euje`xj6dg|&aVr~M9y$}3(gqMrfzWj@Ug*8e
zSnKJcyNu!)73ZHkl!3#bfRcivg#h&RW;FD@O#SyOF=%<TCOq>>DfrPdIyi5KQ0Ss^
zEWx*;?nBEvXl>|2fMX^6Rnbt>dY<{(QY35Zm;;qz-N^3EYi<|3CAubo*RSE`y0(52
zti_~p`kU`LU14MgmwFlQ0=*s?7ht?YgiiFz<84vIQ=?!p1l=x0je6s62jBTH6t5B?
z(y{+y2h&x9nd_ib$6^ACiV_$=ov~iG3hFnH`k1qW(9fCf?NKSQ;b{W)+uw!EEJmGO
z&HUJNt@X09RIattLCO}XOpJ7OT+G{>&};p+b<T2P{;{_w-gP>t+_`fst}NAe*l_rJ
zt(8`i%%r00VzzW?egb`+_rH_Wdk^5JWR<SNdS$!w(cj0vZ=nY4h%hQhsQSWM^x3s0
zFG@*W@^*SWn;3;_PZq921W=wi#LnSmDx7@}$qq(gRA`aEAJsWMF{ePx4t*H%Zug(G
zX7m0O5-^K*q&CmfJ^ObRvGp<fxM%eunCah{%cYZNCgVUxy;XK>$*uIg7mB@6A35u!
z`pT>rVQJct5eCrXfVAT04hj!y7-3ug$Tw=g2{A%`v$HT{T^>Z0cAne`)(Xo^ch-c4
z`Pv8E&c$1IVzVzrUlW(X+m805_wx?z%`B}=vy3lB%co<jOMBV%1t-DV;C0QG5|g~P
zO&uLyq}v!*e8IiNzM;@S?)^%vmGUkseBSKy&!mFhr~evSS#*hhJu-WIoo?y%%>R1s
zDK;!K<sb&hPI@1OU&%3Yk&BK-j;83}@}Kyenv*K>AT@nu3?A&rSD-&WzR+uS>Z6rv
zCt#lt!ytY{j4^>FUX3h%g)0Zk$;gp*mgY35a#GYcz=>vL`;=Sm>i7?+`?WT@ZZMG*
zKBWz+*vJM{Fp33)&eT8KX=<@H;?C)L{EGrnSi6WzkMM5)Tb=3rexS)M@xDmyzqj1C
zW>$D(T8q2FHWY7P=nBp=qE4EwF6uSCw4U#Ir9gszcm4>VGhl6xGX_{p=g-(ShlRO@
zDHuwTHR<)xYK3pfnC+X2@ym%vJT8~Cw)jN>>&7F|*Jrk@!$|hum%2JGkH;zLt>1@t
z5keo~|2&<}>qmD&fcoAA2dV?ej$b2x!lH4lKlURa?D6{-?9|tIXMX-{%ZC6Li&R<a
zKss3sdI8yN48A+~%hqj`jn_1R%}4%$K3u<pSgIjzsvx_2)sXhs>l(+~`EMRKHc?{T
zr(P!OL&SiY*0Slh2=bht)`N<64;s<Dd86yT6cQJBdn732+2|_)J8<M4IrqqqpL(eN
z3b~g(H0Cq&(}aLwfH#fM`9W&x>_}Xy<LsQ8Q?Fn6+&KsLYo_#<qLLY=Kbl_u{L8*Q
zX7fNUZ&k-k<QdZ0*t6huvcAP9622DGGg^mtOVoj&E>gr>`H%@Nm5#=O>(N^e#XqDT
zW&DYNyt2xE{m#^>m*NC6+5gv}sPd}^g<h{h_1BI5JqzR?XVn`S!U3@Py%7NH?7Ntw
zIBtlHalEi8&G~v}d>xipL$>fB$yz_Mj3|_;j!^}887PtGp@NM=LaHGVss@%brWV!@
zg^O=7aP`uBH#g6h%hQ)-HE4+ZVbG)zw}1A=BF}$bbLR0=hQ3dW4_u_Cf%(8qRUQ<8
z1EW$GQFCYDkJ%dvm^1Z=U2o*Zc)ZTt#K8&j+V*gPpeK(JQoDu2p_qFrtC@xou&b~{
z4Tm=g?S`-<qet%%{(Q79sj>y1iE3(UBM+jG`xiPxA0DBoPJxlUTNYB?dR#)UhIQ@i
z*2o}%hhe<xZcmH`3ws$qreoi(*K|)=#(cjKk=%{%D(s_o%@Q3XhB<66z57Q#Q`8c7
z&kMApF?Vmwp(u7-*1I!Oa*TVc!cBCPhONeFBkS3q!Cl*^C4Y-)%i)UKHxg7ay=iI=
z)b1qFB=oNmYYVsTox5HBQ9TZDi_S<kbQHpkj@J(lZF{^IIyQJ{AlLZTRQ>v+9V<;^
zO*#Kz&PKYf%^X=H=O+o;z5;*)s+<Ou4fWX)&N9TRV8S2_Gi$RT?&_MaWpbSBNhV4M
zRoi1d0J5hS*3WFbLoN%~U-;u08Y<cFTGG+|hXW&3ulVI6XigU*m&o=yo=+zF_TMT#
zcpg<&Qcm0zc|`Bic`eb^P~n~u``&WuW=*;J(|VPG#o@NyH|o?>S!M${Mw7#>A&Y>D
zs7!bXgOsg3YP8DxA-~i{&FA82z)9but(5-v{&c<<qaS`W=R<8D_A55dV}`XAb{d+h
zQfY?1_Tx*c;#lh68v-K7+(srI=2_%Fe!{x4J~WeU=%()$DaXM(b{gj4qb~4DAs<@(
zv8|fe+2MgM#V9ieOqO)Uk9-!GI7p)7Qp4}l={V`-)B1eUuF%4~{Te?rXvhQrZKk3+
z^B^aRr?Pp2?waZRmPHf*C93rMwvoJF2Khy9=&1!Kd3?gwW_4_nDivLWaiu;Nbz^vC
zH|m3W^Yz}FlfUk2xd*Z33o)DwV!qc6U;a%T&iqc2va-}e7TQgA$tIf52^9SM%e^!8
z7A!VO42WA*#b2F983%`5(EC$+=9hri_Kcj%(kQ%tuVqb3lBr*_;+L&yt#w}K?2|RV
z*`;fQ3=V)szWuooDwDv6Mb;iGVQz@h%sNgv9pr;yN7t&lw*sp6N+k{=*^MfaGb&LZ
zuU{p*JP7vKwpMuv@@1=|{zU0*Q0G~4Nmuso$cF@T7xUZ!yKpb-`|UYa7*tOCrvL5f
za>kz4!XocHNz;b9Fhdqt6lLKH=}+m}fKXp51wXF$DO$Org)cl_3jjVMlA%K4-gnEV
z%i=qgPu5EJW~p^xE=zGt3<HvM>~D{(MBo}?-Aacys<?BEDjA*umw@>J5#bVm&~(U#
z8u8+!yFGmX5ZY>*XYFiwaGf+8?<XrU;9Fr4G!}vlOBJ5@iJGX;q?5*C6R8he)R;QV
z6S|U_zdVLE-e@`Hzz)`4N+YF&u30d_4kIs5LkalGcC6M){XA?2xKC0-b$!JICBjKL
z5Vtb7+n#kfFp&rWtSg8eC~KTI=HaJl6N>cCf+b+pCHaLPA3lfpngsa#dvz~r39T=Y
zVE0IGouB=|rbE|b9hdG`ph`56R{HLteZ1Yl5fjrh<*?RRt<8F7-w+)7YwU8*^`<m%
zDZ`7Vl?Ts?W5$(8#L(WMK)gs}yCk!@2<xnuU!2x#*zWw8uHfypr53lS;!O4H&4vtB
z9F{#53xGI(aCX5>X^A$-{B{hXjiQ1hV@Pmr2vvCvV^Z}p`Z7*(=b;a7u{;<*sDB-U
zdJRSjLx#9{XM>k}94i8lw^{Fbn`3lE80!0ta+3Uo&3W|It{&YY6%<r5@VHEO=rnRJ
zJ$SsKt9TC%c}f?8&zwHu%L2=jrgjheh8UC0NAgna`GBs8@H{vl1TXQJiH3)2@MQff
zTj(7hn2DeN&QxKY8HFb-1}V%D;zY*26vqgwzWtY&FLyv?ph-^^p10ZME}+(aueSU8
zR)svo`7^bbroa;0{vzb)IOznEe$}^7So)W$l*>Q#Ttr<3e<{m3JvA`{$(*~GT9I}j
zqk5&E&b|}p#vN5Zr7xkG<CQ=I$CX%>@%}uyiebi+!@I6i5cW<R=gV>5*4*k|#l~|>
z;A_!8SC|kCJIviSv6g@vLYUY}r|-~Jhi$}v@+T!J20%4`jUWA*b{?lvo|<`c|L*vN
zezN<6<ht#SM}JW$)1Nsn+Q_g1bQ%Fo`@GTkODT*zS~z;(mNWIYBsHs$CCWrHr(Qj}
zBD|8)CSw-ZpZngab|l7rZ~ovO<`qYWA_aK8GQOA>AO#$y+>2oe74a2-4+V+`KeFcy
z-WYduV8fN7*Q2yl*7M^|Z=`o5V5d$fs;2j^?@Y4<64kBw?sLH}Cu^5TZJYg`9KTbq
zU3k>&sOw6IN(8q!QG(f<Q!DW9l~ONHj)j1x4S=sS&Z?yM8M|TK&l$X${Vb$Imf-N&
zx43RW-m!alZQ-Ap7%aOr#0WERxWQ640y-kzmULSw!(qj*STW5XLoZcu<rJq~><hvX
ztn>L=d!_O7F7vS=!!k+*<%F21j$>m6R?Gc@Yc<77ecFjEcgmr#&It_-{<0>X^4cdA
z8`0|EZ;FpM0<=9ncVCKds%~-qs}3m`D<gTM)8HMs$S8tFF8B?jm)7^bW$b7iIF#JW
z(I7;94h?x2VYj;7{0N(iInu)Su0jmUhFT;t5aFDY+XtE`itqPS)|=Y%RFE>i6v11Y
ze{V=}mev%uI&pqR*qBzxW~#}lLn;yuoC{B!4X9S0os(}OX|GFXu6Hs3xNtgMy`tNX
z+VWMReUibwDb61tcN|%D@Ge@e*wI(vf!T%jCCY@C<LplcJOmU`H?pM%lfr0wV{`ko
zDPS%`^L1u%!oeRG;&&6n*n=9Ahx25mkU`WnSj<Jq;*Tj~mmc=`ZW*<_KcS~GddAeW
zmt81Y?u$|9q!Oae6gz#rRiQTkeWgh9_PCkp2N{G|SG3~!k^rL^_%jmTS^x0_&R|ky
zU0+co^yIOvGrK|6CTHqopi?H3=Do!+o*nc-bJB@c{9@*YdnYJA!OOe-ZVI|m+XtBL
zXaf+Ya?GbqD_hIfeZJi?tziBv081i1UGqtDo<8lRg#&p6hn7;dK2J=b32Lu6sr}R;
zXAgTuYoSAF!xFrbz6s~Iqq@`#j`AVIf$~AXe(03r#^1!c#@mTi2PGftwxjGbxaodn
zHU1?8vVtN~WY^^FRXtE0*kJ=(dUA5|aFVOF3epD@Q<8us<QXIkm&zZk295%kNU8xP
zLp=xKbr;FCz258ubnj5V5#XY>MK~oYui-gmau$25oJoRPWF(CV(Vxj1K!2c4Y~`wV
z`1l$^QCkZq@4%<G!N8COYXhtrdXv@kN(s#6_Z~Jm+i-BgyqliElJ!RkLGR>uP%C3Q
z-RWMK%CaMLWtmKHeI=5gU)P8NR%FbnLaYJF*Z}`zz4jsZ_G{9uOV&3Q1!fNH{glE5
zklP51C4tb^WZU(U^a5e8@97Xg&kiO$*A6L!svG|>*KI?Qk|B#|byXc;{m2wOqGR0r
z*#wemqTE4>kJ>TqA;j$@1W2gP>=FP6jhs=hDo_WHmmMQIFB1vB*OWb)4)3|c+|gIY
zV^zG*M*vOLgMiE}is+!L8>+v<0TPqVl%Za}Obl7prfk}NUx++lQacJ=eNF$KiNM7j
zXnf-~y>un``Ex{pqL6J^3$Pi@a?SeTN}Iafsf?9|k)a^r*OYV?5hJNLsT`s)EZwyR
znUjC&pf!`xzuZPbm;#lBCcI4Ir$wn2$<qI3pu_sk5_Ia&vM6azqb>9(Z=V24u!2U2
zL?dSa`HpPAH^%}bzE4rSaYiXG6mM7&8awVnY4g}p0GbGS=IeLovSmc=DUKw+-Y)wR
z8l`gf0fKHdy{y+6tLm8=?7Z6;VlBFLWiSDV)w2U6Z2m@U*UxXVeqas`$2{MG_b9La
zUmJzC;}<d>;*!x2zOd;;uQfF)tHS?=)A3)w>)_lOZ{@HRo1*f4C5r&6-U$=HS?@eO
z^Y_>XExr4n9Ek{WOb>{ybtwF?HWi)jbt}xR6GTXw7NjU5&d}r6a+<CP;T?rL3|a3h
zg8;0x$LOr<Ttv-fV#BA3Ix7BL$5RG!;J2_eeH}r%DU!NSJ7PSd6JuXcaHou-71aJb
zj-bkMaApE3M)77<HSca6@YDSWa>9p1!AiJj2fI#?m^K?Ir2K%H-&C-P8FzWkU6wwp
zIGa>ocn;VBWXnf(fiCG)ASnUT!ubG8N6(|lAES_9f%1Gu6xj~SyF|f^_80Jy=x<@)
zg|5!Jk?1mzIftr7ef!FCIeIfOdxDW}xo|u}b1Wq1RbVBT+-F~vK+yB^2QRnVcEZ|Z
z|NT8J@p_M70+7|Tua#^sb?tRLY4#Rf?N+F5^fC08uv-Z$u`%W3R6>pzUi<(cZz-_{
zoO-`lXg}`O)PqSjo)Z#ohpT}Uh)RSJdi|Fzos2yC`}XqaLD;_<Z|jjSjndXFZB6{I
z_s2FHrbkx$y!$J=BFLeVEx&$OqtSKYhb&wk#hFx%?W0fRqvB-~S7INx&4ovZjUEuQ
z0hQ$%^YUl?Vc!tFs*nu*JL+~sxG!Ui0V5x4+kKxrK%QRNUaQje<%|}WM!U0BP(pw*
zHSt`*egb>8OfU{VJ2qu=uslTbZmT0IL_n%$JA2Z8i6T|@Wsek6_R*V0xuR{z>E72H
zl;XxWtGMo=Sr!@Oj@GpE^_Kd4=iH=LHL<n}t#Lk}ReXDJNU8QSP1rNq&bv_vZPyoX
zvqCBL^%|pIC-n15A4jeKNPau^QeZ!BTYb6o`&+34gD@d+&!M4F8yl|fv60%AZT7(r
zj<%rI`fB|Dn+x!)-@UG?A8cd{@P5`6IiT6O{cXv=Zt_8ehKBS-%phs6FaN+d%W7BM
zZ>%m%)=dljcAojVd!JHu#-cjwzq&}|4&3>g(tR3rH@$aANf{PPDYEMMrm}y*&=@d!
z^>dM}>)=a(rH(0wv|9@C_w<!mw+#R404oYuKfi@No9fMn+V&lqnP+wHk*BiXKb>*$
zDdnx7^)7<Fc%2?Rp>VYHeEVwn_bM@8$8&4f)wrM_Z{*Mu_2zQH9sgFZGIsTcx|9!1
zEN^#&ztF|^93LZtV^_=iezE^?esP|}gmsqC5u~~cFc`eY+jY2gtekMSyqQiTVmJ&s
z^Q!2m^jsS%(YxOnE>9|Xm#@L<TWw18pScu^MN?}Y>#P2gyuW#%V%3XL{VKVI=(X^>
zw?6ixtdm_V$uWOug7Oy+UI#>PUp60?$g=13W`_-R(}pK8o!?`%{`o9;>C4bwNARJi
z)Kcrzp~kYG{}jKE%)-T#V|db^DRZ6Q9-`U0w_pwW{dQ*d163?fjD^YKuZ2DK*!fEy
zV!xhCH@H8^&1?0{vuG$U9~=mkx0&(~PL2KYkCEk)Usa~0WqaR1=lQJ`d+skH$*bv!
z6R-Ov);gEU-o4V_bC-sZ^rv^rbl>cN-FbPPhpA3cmS+E=E<ztm9_0v0QwP`QzdLxm
zgUvAMsAwDIH+6plkkEcLE?AI?veFoMv`^kl^ZU({TsgG*u>OsxLEaN4$qaff<3~>{
z2YhctD_I!sI$muQNiCmpaHl$hdwrM53E;_tdy0fD^>IW>)~x+~A_3O(eUPlLaMwxU
z&I?^;y?|f36@X7atzhTvi7I{-RLZNS-z!p`FXpV;JSezFG|i{pG@cgpR;#+HMwCK^
zhrBy8;l0Jxnm$5`$GKn1jgw*x2eAZ{rWYjp-jyM8StRF#o%?l;VTCWa_wS>k5~iz{
zcW)`#w!SMliJmU)x*ZzTsr53sf8o>ZMg+UFzL1%VDaU;>XYl;|YbO7{FL=wUI<t+~
zYJtmcb#5;^(}7R9)c<<%A`ILVoIKt^^(Y1Jqi~v~HP|TXK$@K7G}#5M!9k-TtFU0u
zL6$7z2j?aw_+)TJ&Uma!CmYn|7Joy(<Qw9$N84s!-TpaAW5;I~44^VVh=jfUm}<Tc
zroRU3GQpAUEXG(bYdWB?l00-yWkHy|`_fEeX?uYciCdt|{nJ;`*{_((GkdM`Ybrb1
z-YhYJD$HIW|2)X97wp_8z*e)N<4^y?u(r5L_QZs*XGHrY-=>M7yR5U`%YKsr%*Y12
zyxYf~MN7TYLNR42GT%SG4KfGCkOl(hVf*q=dR(bR-l;wKI3ZzUGei*DO6TKg?`NZ5
zjE3B`=0?iBP*x31uZ4y@$@3G%Y9$1U2Ql{-dW=3aNH7>o_+yA&b1Mlz)cB07zFMy1
zSz<V@d^=Ry;giiXqp%<`7R9wGiLWl7LIkZ|pHQ>Sp@1H-%0x3jA;cBJ7~y(w6YU1u
zGgk|k<JL$6qE;`}@9C_&4-zASsBP$i<lgBsQK;J1)ueCvw=;d*xPYtvE&|JXQ8%8&
zOOrr!93$_<eFIt$)spd}rEh4SA=R;PRJyau>6f(761@j6UVS?j$<}$u|MJ7F+n(b3
zB9l4~ds<iM6@yq>9rFk0{Ck8Pk8e!Of}(`jo&_j*_Y0Xb@^hH1gz=0|kRxR!?97sY
z{FRO!sTtTg`+>FXd`2mX;_HxkSpLbw*zH(xSUw1ZVE1KBIB4Gmjr#I8Z<(8Lg6ehN
z32?_B(FlE#NU3|_s;Iao1PJYn8lh^GiYv_(OdjrfAqb$=iaHVX`EdXa=G`r?>Ug;l
z`f`2rmXua|?CAC5xr_VOE!C7T=i+$V*3OdG6FBPYvMX84V+XN>10mHCfC7jt)(z%`
zl;wT9l{St^VMNfV>bzfJ+sl7*UsO!<J53vQ?j~|v&MOVV<lSFh{pBd(qLM{OI=r)5
zPHm-`X?epq3@Wl(0lPvxE@S&dMhlFnqu6uW02R2SqZU7xD6kXk)sE+;+wKHqdI%jh
zj7Kr|@%=wyN>a7&LsahUKZ^T(%tAOQo+l#F9c_vKCX%zQvceRC*kG|Aitk-I*-)X{
z6IElpxR=9@_@tLRilmpj;zv9^x=&}rKjpl3f6LOmrV;Wf$I`YgJ9*o%@yT38w-x~W
z7Q12X&QlbMV$T`0<ddU=rYXHLIxivaELw*7f2<Z<h#3^2c9Da4Y4(DlyB{<dk%y5d
zEk|aij7~G-JYOCP2+H$l&Cd<@aczlGv{Uz)*#?cu4Ze4CcVx(_eiu$(Mn|LQ+Ho>S
zQ`Fp$7@I|Gv<uRRX-%=>H$n$lJvBq>^CxVandj!pfG;&b36HkfI4sE(ujKz-P2P;0
z<EuY?#jFoa6OgwzD>|>EP!}o-N(g-oU6s{G)|}53N`9V}!}%XdWbw~jWG45g7|jx4
z&LFiN?kw9}Us|u<=Z2PydDbpy_Xj1v<R;b2*-@LjXXh%$WobUC4&LZcG)R6~Rdc1D
zUJs%!aB|2^mZ0pUW2tl;wX^FzPrUtQ$lx!>>&ZuE59M|rTXU9s^4+)D7Zu+ceDO)F
z(nqj+_N#}e<|LjH0IHEaVKptj<5E*)2#_m5rR7&6gD^X}2DqqFBXJL$Mn)=Kd&Y?j
zqlw?hnYdMBQyc+-<D@Y9{;|%Jnt+v{zA`+`)UN>GJ59V?-)uE7-o2IddV-uQ-*V*)
zQbOnaS)o1SuF9(a=oik>r%&$P-hIp%96yNIbd}@Ln@b{yJr&7xK1yHkLF^_ulJ}v&
ztw_Grxw&v+oS!U0cY9mK)0M{HtAQUl+0eO+8Mdt!xxI3gQT;`7Ih|WVgr5W<ODgiI
zygj`;XeT5N_)tJ9-}{S5@j<*`H+>0mVi3tL$Ki9N*QI({y&u-zMuy@US#zToBW)af
ze?@U)k*oJfN?HCL66@egy#w8f@O3jAV|&gNpDZB-f%DZ$NjpXgeBF$6V~3hPe#*$H
zwxD{XZ8`Q=YfZ&G>%GjzbA{!W_~@!3K+@9-xsr{0{SUII8H4%zTq0-sHf7jN3#j$x
z^nSDrX15;vs4pTFG1XcB!7B;&M?$WfKbDX*(p_>NMnyAN+nR0~?o2L+pZLklBbE#H
zLv<*1M;QT3JFY(9_<MDyZLt&Cj~GLlFS|y6f7f;KlkL9YpiXywhQIa&i%L=m!S>^C
z(lnC9OdmD81E_S<-YQ5<+PI)j6@IY?9##mUxhRg3?TT^v?=cOy2`#a#s(N5{sLd93
zpBnCjxqxttEs@@5R0yJVO(%TW?n*XBv?Q=(aXCwSnS<XtKleZD`X7KmaF5;NM~7*P
z@mi7a7kD=lUM_p0WBTBV8^1C-_c3JH+Az|_ZW#aEIGYKXI`b4Y)AZ=JuW)cFA7S0c
z)tNsu#sorboHu@%lt7g582EZGLaL16qIjG(5TJRMYF$A;A_nvY7yeKVp$TaHrgebd
zo9->Wxvq)Nyk@}#X&WrBzrwQr5eSaCz`Mtte6RxyM53PPr^<$wp#D0fu3SG3pC|k4
zy=&mCe3ND7%iU{ryZ2y^Aw8HnRReE(SWd7iAzCgxz-#HYVE#j4VvNe@%ekSc4*`p1
z@W~0q;k@|WO-)pIaO7TBize`rJyhZ&!_XV>%nC03c{=YFpAz#1J~lXJ%q)o)r0`eH
zAXPS%w(rH<tl`+JXwr!Lvlmn4OX=$+_MnS@-1apbBJ5b_s_Ri1^vkKk6$ekPdAg9a
zJ;=n5D=MwID+QO%q(vzkopoz+jMawkrx?Ll+2C8e>K~V{ACsvE$JGa%ayzR;I>9cY
zCx4b>qsF4H*o;o^{>w*9cSKRD4rr?tJRdVlGnWzr#cTaiJo4n-myQ)Uqpi)PKBo3_
zpO?+6t#xbl32ka|#d{)_iRvR!d7g{$^}igT)XS&#N5!%wl&Pot>d4H&P_W9<*gcz!
zs#Birs6T}n3Rlb%bj~dUtXUcqz#UBp?$|~vXxYlz==k@3yI*g^*D<@j8vAE!7WsM$
znb^01$ioOyY(epe=4L5m5`1wMfFck^sWeKLajtSGcD3|VBFJZRwdUP%&8{uzRuq*?
z_CA{Oex}PYoQ_d4<yUyCC+>SvaLjakOn->`;o7xZdek=IkE;~AZs(tkl->8EtwW2K
z(~@7QpXBO+XZ#FrW6!vwK5P~n5k}NpUO2_U^F(5$iN@B{gBj|PD1ZjB1~V7?s=?`Q
zXkR|Y!vR#sob2SOu!{ypX(4G>b2$9L&fpnLtMTZGW{7Q4=jg5TIkGFH7b-?kLFVX!
z*?Pq%&T}WRs0b?QnR;uj@`cv)Nd1*a_*2@zOG{an>(~p}#R<=@)BbqP_V*CfZ$x+*
zZ8CtOj08=i0ia$Lf5f2LY(_(LY2=$DvF*j{%hjT6X39D6n8;zq&V6pS=a6ncW*8Nr
zF7q~?Nz#f|<r~?2uh2Mo`gUdtHG=&ff8HuCJ+B00lO9QiZ?7(O@eAW`ebvwZe)Hj>
zC^N;C?(W1EsTOv`{R&I{vOm;7zTn6o<ri`9R?AwGbTC+cN>ffLkF!0W-*DA7^oh0W
zndkf5amo%3ADR7#=qiok;UaFzghKEPb-=r>tU%K9_KOVAGHN<dSBI5F2$0gt>(K5%
z3n+Fs4wNz{>g^ue?={xDcz)eOz`(w3?k<X-1&Y^^;yHh%acB6E)Csmq2QZQDk=CGU
zlxEU*yPn0_Dc`}`=~VEE0j=<+h_SE(m+hf?5)10~hwp}$JRF#OsYB&LtGU$km#Mr9
zI&_2yc+_Syg4-?hng;_vqo{Ov;^_AMP0{+9A|e9TxGu@hkQMfafHJ987RHL#8;yTF
z<lbpAEGTXP`t&@*PD*M;fafKB$>0VATAsrvDhJ1>BuzlN(iKGx2l7yPUy5HZgAEI7
z=3!~*gzBdsLw5;W*<VT1pV<hBnOS0q(v=7gn8}AdSivWdha0{m2(7anxJbZ<QeHm=
zu%>fjB+;MUz2rmfiPY)qh*aLiw^9z+)X$vp(Gz;k0B0Q9iD=zar3iEUC<~xM71nLb
z6}|0?pmS=cQgZ%CK4|cRyWM>Em&9@x*WW&=49!UkPKGQJJxKtS9;Z#e!q^HsSN$aD
zi9yt7e+R7-&M^zFUkOIU3QKo&SQUi;XCVS7UA@4vm~@mHuo^LK8X?vY1u!n>Y^7Gu
zkBMaI`_A6$?a@d*KOy&XxSf%JIuR2(9pA>}q8Tm&B#V&T2xB_1{j`$uJgpS1Paphs
zQ_kWOre5^tcQj}}w$BngHaafP+^Myrzaflu=X2MvRdq&FycMBr^%TxIrQGNzR}G)(
zE|y1n_ihmgcya=s0g;!dfYP2CcT4D9G{epJH`~~h<ki$R!1}TW#u%#g?*v@>m1Evb
zv-8!Xa`E2ulP=<R-F;h>xuFoymaKy)B26zK5<&>D9<w1X+bQNlIzo6xf0IGGy?G;<
z;4lf7TEz4qSA9I+Mz1{jMXd7h<e836!(B<hp*ZD~Gu4{&VdUO?ELC09Ov3F%JEmLn
zQP*yN9GSkE5;7R88YMOa5yV<L<d==)AI4@lwewMq>=Q|kh0vp4ByqCw@u$Q+1+1ft
z5Y6bS%~*}TUunCPf6MEtzWpGZuWZO&I6X62d$`kNOxLc_NI<zNiTO_RfGvO|nA;)P
zKr0xG_=YY3qO2CSiQhOEF2uwywka<^tpm|pl4yBm@iAoavyy)K$Nf_<gs2oTZN>I=
zzHZ?6U9*fumHt)r{|XGoC14BZGVnaLc^Y^BH5B>>5$ksN$$noAu7#dzmS^W^=&-(>
z>~*q){zHKO1{OUR(|LaR(O){4J1*dmyPx`7_h`!v&8!VXmF<4LC-K6Y|1e5pU1xy5
z8#g@D?(Y@C(xHXlTjVDG@2DX0l#`9wiBrhBO+RTJR+6)B64b1pnJghnRZkHlo8mwQ
zqjB0ulqOXqFb5Zb%Yy+D9~;5yzOpoz$qA+AM$A3e&wg4jfTVOQ5CkeiyLY#@*8E_P
z*LkT#tewV34)ym-Lp~}W137}P;_T4l$0@JKY+qkdk7x^btt2N~Jp?qkaTAg`Vpqy%
zG_J@A^pm3+P>oZx<wRjR`C(U&z0wn)rL&vl4gpo==Z7)Epj;rH=Z@3wKMKTpdDwSf
z?mUsnZE?D|3aJZyYHnOfrjAiU{_*T4h;h=2s)MtAH0G8&0`9VEM&3%+9(XW&MkBQC
z5nFjidsjzC5)jZx)XJqkckx{Vl`Z)J%|bK=vdAv|9BfbzGH(GIg{j0y*`*hUtvKep
zu`&!$eFMoT(-3rGL#%^gX$|oeHZyz}=7S2Z)Sv(tYy^xY8ACnCpO*=a)f0%URBP%m
z-5Q2=WQ@de>?$Gv5e^mC6Z>8ozCpy>^K2*q?(d|;jimKRZ3wk=VrCF~$_6YQ4xv9p
zbPEHs!c=C4Vp{-(>npZYeY5Coae}G&xtwzo>woxy2KOBLC&w!neYcCfu(y`znq6Ir
zP;c_=1wCfitA}>!Jg5Zw)+ZmpRcAIw+88)2Lm>XI#ANnx>B;6QVI+1od@AseuH@A$
zM%bo06(Kd1yo-_)c1AxTq6zMTL3cTP#UGJDNx}(T`_^Sn8tFC&TFDUhnV!G~1)b5l
z0DTFzsBwjVhp~%D88EY<PR=04^NvJD)6#LHDn@=eRsz7W<M2ZXgF@%U7NE&(lkMcf
zJcIAqOid7qGG;>RC50sUQ!?8CRjfp6b(4R>|AB|@j;DS5b|T-H5O){h85`~(k`fWN
z3{_9J6Z%yyGowWy8k_GSr4GfVn^`}VtVDdNqq<_A``0<U>V(pD&yr#o5Nie$E#ap-
zy*}L!z8#P5jty~Sik+74fCF3E)zMybzw!_NvP$!|3-_>~r*mzk5rX`>51UgbQ-EV-
z*XYkb>pz^0sgE2Q)VH5|y_c~x98Li4P^K#Xw;{!BIf?P6mFTlQlXdk>-9OzJ`+#>F
z(tx(QS5t;$)U02*(bL%zkz|B?h2b^*{He4&*2(j1JN`l(7KC<vX_61_pOVsb7S<6Y
zn<BwE)pmRDex17+cCAaeZbt9HW}Gcs4c@ctt@FQbBO-jqTt1?HsP3v(?~q%+<Oios
zVd((hV><O8`~D6TnE;-?y&dIAodEUVOWksEpt7T7P7wufVdfG!7<59GF><u8M6yF#
zQoM4ZQvrKH4GU6)!_TccLDu9J_JP~&qn(#|g+m^kJ@Qet`Nq0G%o~Q&bexbB_KG?0
z2W1nxODy2g`#H<0A1QAGt=i5nx0ixOhxXgPHMIdRH<gpwoi7bNs;N`=U-mc;*D3a~
zqo@Ow`hvC2cYWxB!R7?|wY2C<VgzuoUh!7}XP?qV*Sj3WQMoGnUjKT<#W>Cdi^j-%
z$6rQfB)+{suf`QTj#a!9=3A(QZ9RhTtraLdX;fVyV*OHWZTBPm@HpuAkP;@MV3x=2
z{tOes&u)%R%QD)1eoTB*MP>f*wLb9nOJa-wS4}H+V&Zi;>h$?r5IZ)lkIb?%$C;**
zrFokhReXZc!m0?~CoLZBwQ0$qg<s3V={oq>aonh5Fe)gDSLSdsVV}SzRKc(<yan>2
z@JK(I^xjC?S2F1-*tTnEqY7dD6EXn{p-YNB(MHD&$D`0rY=@!RDwYdHQ>yqO{fRUC
zmNx~*Os&V<#Ca*AKh>m@z)4h%SxeNabu09FhMQeKWBRhdmNiKbO_|HU>&8J3OQ;gQ
zag!vpJGCak58RVwI(U2ggS$*6f$%0r7z~5KBiXTIZmLjlM5Fl#BSV&MCEql#-(+*!
z>~GpMLD5<%`3dZM0+agj|EFvrnfca#tYCg!{r_Xq-%fr3%N9WrGfC4R+0{jQ4rP!I
zsm^RihnfhCv&f6N<^+X+KY^(nrGskGMpu}3YSIfWGyAKGB)A|WU6({cI&p{n-fhTT
zHO<8Q2jerru!%u656cpR$kwEi=__*yYh%~l+orD`zt0U4)FbmVcu1i)B>Pl-Qz%td
z@c#KhRK}E5YWJwXn`wy;-fQ0p<#euP+w8f`;-9S=vUMUeCmJ~A3YalwrWQH-I9-=4
z0#gU^_TbB3u{|z@mKYBtyHl^`Q3zOAc0y0^=^f!*7YQYu$cp?gZOun5$`i{=`X)m>
z)6YVgoDXh&$@g{`_-BL}cKNu%?+7MU%gAKk6oAa>HAPYg{Mh|Ts`enQFF8-Tyz58S
zUfv>gFpuk*wX}e(X}X^+r_!^UJQjw6toNKC3`ujPdF0E$+t)qV0lZ9sIZ^zr9G+eW
zoTiUdJDf!$B1)qpFk8PV?x#L4MxK?cCrCiTF5*_u*D<#;EcuGNDyZ1#sMwwQnycRc
z4}YPR^I+wIr~J_yystDyb}FK%VKCgHC`hO>_n7(=Zu<0z$?~gsf?R}hj6ZAY>O8M@
ze@dWSeK<tZ4t~v-MgLCSk5GVi6lE<bIo-2k$2J7+k~ArMInTBk;I0Uzg+{K6Taihf
ze8)|D0!nBjHI9!J)$jhjBfWn<FU!85FV_3xTk25@la$zp>Tr(n*H7oTS{k;B@;B6v
zNcuC4``Eevx_sIe6>?R4X)s8UKwugc^W{9uOs0`TFB&>El|B-D7&hWRF`yD9LThT#
z$iK|1t;1UWM<0;deX2=#*Q3TrrryPoH#0SY#mVCx8w}I-mz;^=Pyc$U_t$gNWu?+Q
zw(cTLEpG_U-Q~}up#EI{*wk5IN@DqC{sSi7t#YS<hqt$<Wmvf?x*92*slSf?V1<1-
zR}_qUzDp4y+D}F8Tz@AO`{+qmqKn*pr;5_Sw%_KzYi~gohO|+R{FN-#Y8xyn<>ckQ
zZ?gY+-1gv{dLhIwZvm!&ZN%<lT_?<EYWw`ar0q8B94fJXb{?Ecjz#oW+-WZ#4tC3e
zmrvQhj<rLUv!owEhNkTv3bTkXi}kYKlY^u(y{1op^CyghFxi(qkHN}>RZ#JMo0h+n
z?zc!Gu-NyHLigckyC5k=8ZL_5H+N*{fB6XzB>1V?-asvvkNI}D-#vV1lArDEJPA5v
zohS)?R)H9v81Y|~Xo(xNsZ{?3N$-^ix!#~(s^>?Gv&8H4`-EAFey#r4Q5DPLW~WOi
z7%B*qd+Sk2<SD1je2Y1qcrD$e$!UPf>=LYO*mSuX70->^Nc`XqTiZ<NseG&dLZ)(z
zUQ#-2g|n@k@$O1CTg@q6QL&sckg$!F2-!izso2+N4+-10nQcKw)bwEt$}z86Bk5hD
zk<L)Q%+%!F7rK(o;$wYjI%2g?2UVrJsFazzKYc$}xMX{xX0JiFsAZI3PV&3JsKYy_
zw!G#uAt%)>0_fa-{H(DkyMgoWiYQW6XUG%5PI$_4C#ig5;I}~UEqZrxFo5u&IHWYE
zYe`5<Q$8Z}0w7ghepr(}%9(>$0C-a=N*YhOXPz-)RXp&7vsT;_W(okJ;$&-5ON3zM
zh^M+G3Ag_hW&QtJxBsVJt3U4j=X^po_CshDaFFP^OnSYijQd*Ojto*NXg5&?**#85
z%`f+g5ilT*ZLKh)xZgHUFxcfkUWh|dSJi9!hS`$>Z+AaBl_iaM`WHG^!U6S3-B6ce
zu(o;w7|!k{ZlC+?q-cZm+f@6fp%<+2a^H>6edRBl7g8MOv#Jj78$8uidk6P(xfqjS
zKW|SLwh6vk9WbA`dC=+1l$D@MfiNT<`O=wxOI2wQ{g-dE{_P$0hT+%PR)zgAc4hOs
z!a4u$Cxw?jsKN`@i7(en-bb=CeuzJU@1kh(F&EKJt*3Z_&lNYSn9q?Y5q_!^LewUg
zcx08DbshZYo+fp$@?`MeO_!k>y{EC`kx4D=t`lO3ZH0stFX7qSM^8lKX6%VehC^&q
z@*O3V^r3Z3ky?wtJ1#8k^jczoEZ6-0ln((_1MEq$qXG)v-!ll?K4hrG@Nl&B`gZYp
z;aR%md@7c-T_DjPZWQMSCcJuc-~A}U7`!ks1K+ln=ZMZMY+NgK?olx&N6}!pq}?_i
zAoc!wFXg1CooFsa<CJ4S8u^VmulnCt5j(t#lpgW*5nodj*Z=q@kazjYL2cw??8YIt
z4Lpc<ag8VZWXU&d<X=&cH#<t$d{GY$$r;3jAWQ-Rsz|ywHOK!d5vJJi<-EuXvUUOa
zAwoMI9XOv;e|<9cp~qflw2c0KohE*COf$e>cQ62~<@WnYFWOz}q69CsDA|5BDxe;-
zu<VCP`>r}0=PO$mw|NsC3Zv?{9lFm7ZEV!)lLcek8tDQK$b0+5tonw{zEIb(s&Jvn
z0)5Yq)v4*pO30T)`2C+I{362q)C(_0KQejL_|A*bH?cl4y;t8}{aaFWj>qz8zckaU
zpCWEy*?mrI@?6O+9QY_qt~L{nrA(5{Px9&K0{h8VOF#+G9$9owbD2)XCziWJzd{3N
zJ`A-Lo~m6-%vt;hy!|efPCDbwlje4Bl@)AP1=2%CSZU$jcBdYv*{h#jz@!GouoV@m
zR?sK1J>7&DxLv$a4ZMs{c-~M!-$tlY%ad;(%LYz^y2z*jbdH7ACcl4ffl#ra#@7vX
zQN*o`qGZ>s=&WU5%29dr_JtkhgSJm}F9U-Z*dBOZmvEy=IF5~nY2ozH(OX7g>6P>x
z7&F8vjBZ_(l|hWpyAx!^$Bz&~-`#nEnY~PG6g4O60+|Eoi1c9B9rw*!&tr*k<ZVd)
zY@vsM>ML#bQ1GYj6W5!Y-9_ztFfssu&E~)V3lQOJdmMFoa60=t%W^Ka$#WoEXec|&
zwSo^C353RnLF1(byGhAxv&CpK6>=Wz8_p|uRUI~sX_%=0sNDS3L{pF`Xyk4{^HPxh
zR_rc-7KudPZ$QZ1@2AWYDjynb+uPNMxeR8r>1UhGw#XmzL^?-|%`TtSjHX8~AGUWE
zPb61$jyXnK)B=LU(p{@;$eEpy7LjlNSn0SVJ|e<pf!=mnu+=e&5^b4rj!zu}o|~UT
z6lNmjBoKx}8VQU51`d(Ah-2)DLmMy;pl${pGCxuso^+QKenE)XUbqVzf{Mtcfgps%
zFkiKZ8Q18W169L-qeJ&z9zwH`B!KON69@L?_KkV%TtFG@)TSH#>UIpF$%F#Y$Nf_R
z8X$>tc<ub4atu)U_Uvlzn~9DK=_4ZF7kaW+i@L+3f*9jr)2<|0I{^ab0ulwbYFxy!
z$zCnfRjA|*G?6qCEsB5o$Hq|b_zl3eGyd&w^x#`=Nnk0lg~R#f?;UA=xn5Bqdm$4d
zLq-xvCm-PU7>cBhj^xrjOGzFkAPdMn!RJpMAUF~}`R0|>_U5+<nM=LHafFjKhdu=&
z_r=fZn9}&!uTjD~U&x=k^{LCK^IWqx+Po()+O!}3ziPSicqqHDJ;pGyO(+skb|p)c
zAzMPPvb|^-iLoa;*%^Z*32)Xxkwn>(J=@sHZYpG(42`UVFbp%_>G%Ep{rNqA&hyMU
z_qp%uy6*cq&p8KDK7AiAkCvxM7Dn)XWS>YxjWbXKyFI|t>#|Js>c;pwB}2RyblY5L
z=;VDaci3!~B^})C05?N4@%gxQEKTt~yQ#D)qz>wWT|NQ+DVCyl3{PEx=d`=aHgPH6
zLaTe*71F}lnjkO>A+VCph+h&ydVh>6D|M`1h*EInRsYuIHz$?T^TfL<!NMa6bEslV
z7S_xDJDkevTuijAhEW}i78&6KL$RReco`<#sX16X-X*g5M9-zM8r;rNC^okM$<M=M
z$Ri2iBj*B(rO+r4kzUqX=(z#*h)27?y#=Wdqf!^8!IeOCz}H(f3TXblqOQ_EAb(Y*
z@?zusPX|GlIygD4Q`_%h5ElE4<F~;;t8&1taYPuLFil4dG|~DjVPTT=jSZ&el(2BH
z3M&dUn$x2czvj;BnfcCbh(#+VGmRqV9gtiOrUEQp@nZXSuD{_*ft0>}vJ%cpfzq%~
z4eN7&6ZmdIr0&9kSP8rzU&g%_qn`aQUT}@^3ubcz?58~!Sj>!z(Z#)nksXq;h{#=^
zmhNa=3&V@4^)&gD)7D9*7`*Jjp1$5faY2DP7PT6on7_5bw1sUZnH8$q%xVyWzmgTi
z#01{J&er5~Pe*^lX~G^=d}{L0VWOye|2f|ekS}QD05SIxpvZfRfBbp=%VZ?Vg~&xr
zD@nWww(qG(LW%@B+$F;}f$c3(mul_Pg=V>$G(2C%J?ni@Adf8~N#mTNwG)2#&xL1h
zOtH!(wK6E3PrwAQasn^5Xi<M);6;s&RK{%ChWs1ei6p=n9zkYFh{Z4mj^?Y0X3}oP
z2WMkf6gdv9*NE4EFP(rdjfd?D*=E@|nJ<ec+9Iaeh3Ci0U;t90`7rcyardfN{mH5*
zw7n7j{J>CD#T#kHWV@k1MC{TwK*bN6uF}H*ZDPmjLLEPWT=6Ah_Y}UG%~kpakD%%u
z;85N2E~B=7het=&Z*|n1=dg-W=a9S+;l&>n)4nP>Z>V%$GV)FDpkgBIab2%(Dz51N
zdEvMJFHyx=@}}e|v8rCn;wAInDOUqlsq;T--0m*^`gJh9UR0y6E64ALKp;Yy#>U2;
zdQ6F!_#27u?Cj_#iE7i=^OLj=R456SJ<5IS6SW>w8?ymZ9{pijx#Nqzs22`Z;d1=9
z;tld^r`EU|tjjlz4oe@Zoc3^Yqfxp9Y{T|5S`QZkl}I=B9Qn-zAk&nQ>xl53NVrJ-
z&cRAW9eE%#WjRP*@=Whd|Ks9niPvx4y47~Lzs=D~->E=2ToKFS@|<i5r{!vI^@^_)
z7Z*?0dXSKWl79N?WYzYC3m0yMYuP#*8xLkE3Ehe7<y2ka!yX<UHm)~q4_#KBd7Sb(
zJ^jiWCfHQ+R=S+s_OC&w!NI}Yu+_?*oHmt<!w<o)ll%L_5%j`rua-$JqyCNIrr_=R
zqur^hkdTntuV25e!Z4}JI6cSt!2=j^cgm}x{#TZpdq%%L7`8u>kVQf+EG||$_9a6H
zT42hWOfsleOnBeracc)=!Y++3!JzNU7km2Qez1H-iTh^^H;-U8s#O5%F_kHjB>l~9
zfGv^qUwZn}9#Unb>|Dkr?n@dXrU$Ro{0bLS7!B6)0<PeS)IndFR^_>N3<9aV=WfOQ
zv|5fMqd&&UxC~4$2##O#wwQQwNUT`Mk!s<%>rfn?q~~Z4HeD3T^}nsF%joVl7|PKs
zv7J@!EwXsOw6s*eD$mmY>7kojenCNuH&UZ*G_Kbu4~FKoUNW5dRJu*KUfLNw9|*>1
zYKo|6rK@XdYG(MC6-`(vW?Qf3<j`QY78cjT!!=+2vyeQ;qc|5s>PhnZv-B@39G<eb
zZ$BprmdR?fd5fXa^(A=ofC=76BWGtR6bgk*jP73)JHgJw$?78<TUsioA%aLGDJm*L
zbYxE4%vsq9F)TGb9;dgovC%``t_<7v1s8+>7v*F<7NhIv==fjS&Zv7EosK!6(JDQ%
zK?^D*yDf?H#K=e{R#sN;#+jgIn=t}`$!`ukAt)l!P1+opnHj|6Aus=t*r&I(T@&tU
zBX8TG_+5r`Snw-5^S%u-7cWYlV1JpDGc+=CJl%<hJ2u71+0pUcua5ZM)B+ef>R!6O
z%!&D>(flUbdZV5g53m}5i?5)d;Lq-^@6yOQlh^7jI@hi-mE0*4Q&r9Ah(+*mvbuVC
z^?>$~+$DD_oPV~*yela1Ii&iS<Z2DR)sIK|{o-U{Vd=D2N)%RWkK>a*b^5fJxOjAp
z+qk)<W#@0g`{3<C)nlyD6Sc<r`YdT_X~id`41qrz8ZsSv5=W=p_@^$&%RBFHEmDs#
zSy@>hDk|OsUk7jh`s>}sna6>Fgt4)9F!Bcv9&jQM7I*F#goLO|o4h*9AMZ2cKVJFx
zw|Pits37R~I2)x6E;=$fnHiQlx8c(D{G^<9y_sR|Gl?P&G}J#JVC!&un6$nBp|li?
zBIby;N0^%%&buBv(HN-E)zu|uRsHPgQ`X(JsU9NnY%D_5d1JO23~g(ByQrjuR8}{8
zb9ZBXsxB!pkvppGESy{TO+`ggVWCt`_$~^-w5jRUuV2oO+}wg0M|(wOWd$`gX@IiC
zosgoUqMr+WDaD*pk^PHro10%RFF&%ne_!_E#V*q3$G{DnL{V)MfYX|qn(FFmGcz+C
zH@6EO9v<~Go}i=9-PND?NM-;WMGcLC@&}E`Aj;Xv$w?5lPcFkEpFe*_25(99B%aA{
zY|I8;-JJFtR?^TgGBM%4ktqE0+g)4Z0NH2HuvQSM7fvX>{D0N2UOg7uae|-!lONfn
z{ikAcb92+~54W&+zFhS0v4TFSSpl1%$g~T0c@qqZii_uGLpLOkv!PM^w7m_No#k(j
z0|Le-CVD#%+AjbRgt<w+4b(0LOj{HS$HZs<3&Fv`sTmm{Y`USLR}&HvfH|7r2MbF}
zJqrsye}Dhfv^2^4ryT8(iPsGbSlzyt+5v3=3bYA2+8nyNF)}(DIki?;QWF3AYM?m^
zWeC~<k_UK4LIMm_VU9v--6z{ONj<KQ9=(10HtOR2S~IYmk6@~847^x*@5Muv=OiRp
zcF2Fxs&giA?)9sz$&nE}Acj`1!Z&TOl3fg>x#K-Py@P{`7P$u}fKgw+eN*z9)$nZI
zxdU7h9v<EV1Qci(YmX0GYzGX=1a!=^F8kFhVfQI1-Z-<{x4UvQLz9gg{m4TFA3i)w
zOiWzZ0kM#gl|84a`5LGN2BU>(&AlGWJqoxBo}Flo(1rlQ7Sz|{9zH(5CavNpnVvD*
z9I6U><K*TZ`~Ll@6AB<6V3e{S1_A|i16XLRRV3Z*D?!gqOVbYsxROXB1~dX{^i4v^
z-0Yk%=s>1&Y+l|u-WBVIk)k|m8NAqIsX@FYA3nSRc=-HT9Yf#F_3OV_hn~7};cmGj
z;02HZ7Z+*3C`TtJp7^e0@%A%4=dNDOe*T<&d3l*i=|G@r-37IBlXiD^7ixe|baZs|
zJ<kKp@kyHiq0_Ok5fM`LbOaFxLZU?_G9O~Jtst)RAo+n10~lL}uGN%U)jS7M_4Mge
zZ(-@okCItrhsudyi+uy3Bkkm@9sPxy4>|F$O1XHzr{a>5-zzKm)zztQ-->~(MWG#~
zrlyWePXomM9bbAnzm=6$@?d?OHUuOSxd)$9fj<3}hWV~|Lw9w)_^xMN_LjGAk4{Yd
z<KQ3;$g>KVnqi9(tQe2)A>~z7rM!5-`F2!>i;D{ueNC?4e47FD6OPTv5dn0Ny>KD_
z-Mc3sXaH(?X3vt7d4ck#Jb;1<;+4Ap`CwZEt(qSD%7x0#BkeufrLD#kr0E_?&%m4m
z4+BZy@Gxv^YwJUKxs<YU3J~`16}G0q!D_&Rfay75TYZkU^ru`xl#pf^G;-mOykei8
zo!z;30R<`G^{A*Q$2m`c7Ws_$+a-5KfBg8eKGO&iLraU+6^|c!PEL|9|9KJ(NBC|n
z80zL72Y_<|N^Df)k>nzl(Vr%~gtD;c0J%TT3Dp;R59sb^|CJz8f+`Txo>~uRBqTF4
zbD}n3ZbKR*!Qj>-jCNc>EFbwttuaVwKfO;))oz9~la06k1Zhx@=p{C?W_r%x^?*-8
zsV;)HyH;IWdkKkrHoo$=*B}j%FJHdYGw3u|4-ZNH_?Ow)w}9!j9#u~L{O(g)8yP`B
zclKriMM0SQJi*wY0jm?&&K^Gt(n90<=Xk<<Q)MLb9}^Q3-yg)R%Wn6oAMyYsf&>9P
zqNb+yNIeIZNcxCwgRVF4*$ll>`<rYP6cifnC3#GhK4?rI8#4!@h-noCX77i+d;h*F
zoE89>^2{KAflRLQn7Z-_1bZ)Hs@4Or7621CZ*|q(vvKVTZ}$C$8Bb7w$$+A(T=|?B
z6x9FLfK#9~qQhWSLqo$rw(5pM4?72k_ILLc--e;k86V+GAgK9NzW7c{OG}CDUA`IS
zS`Q0zb6r<gS#ON;7R)?=haAu-D<}8v!v{8GL_hJK9H@otHs`y@{(Ta3lj*s8at1)@
zK#s|uWef}qEYOrelVm`{v&Yfv(+#I#GGgS+onu%hRH74#?~agqqF>wSu7G+#p6yq0
z+t%rp*}iq=M23b-NB%FTi0=5?Edq_&0*$TtM-dC5^0(>FPNh}H4Tx2>Sa_q+Z|W*4
z6#iCaao-R$8Z8zZ3F_Ws0ME2o-dh_cE}N6^pF=}KZI<9QF~#9~9b^?0(v0o|p+KP0
z@Sz7+ZM)@9CjhYZO#pEciexTIbm2W*-s}<ex>x5pQ@FL|+v+h@lt_O5TFviiAxMD4
zhs6#&FZ+~M_#njhrkXonJtB38g#Pr4*`OG*I5S**BEi7b(^KT2&lKZZ|M~MlCa@@u
zPHvn#THo2<-@gxv;O00kOksQ{t2xN4$SSw-@?2)^TmD93m(&Ua8yBfXR!u>h(b=kA
zHWp@P|AC6QFt`5{OLW`FX#R~kkZi-*sXoP|Oviq&rp@lT*^hP|Tp$l+y1EjiE4X8H
zD=pre__zESyH$~c^qGg_<1Bk5#8R%GoY^mj|9V@=bN8)i5FDAktYhxT{Siu025Z#$
zk3)z4&UNU6+1UU0%USutHzqI_kR5py%SpUUY#maoh27%{ViF)i*6;-JFB1?L*6Pg$
zbiCn=419W%5y-^Q?7lan^O%$D0^Ng_;p4><FT&HIvDl|dshJ$sh-%2jgN3HsST13R
zy@QOcp25$SKj0h*);U%Yyrr3qkz}~48T>J1kGYlO1e66YhPF7=EDN(_!knR=A*xWm
zvy|^dD8=dCX?m5gxu+M|k-@W~j3361EMkyG?VG1Q%G386TG+!_mSDR{c>_X`wmlNp
z1rACfwyfz)UQp)$?eZpgEmZEcbvVC3#<s%fY}CLvywqr_nxB$sW$1iQ3;Ymn#_1lP
zTgAL>DGc>&>D_s*SjIdDYe9rb(-{iP7Zk*2FM<z*$PMc&X6#h#{o&wd;d{~hVGRy)
z1g2k1lNm^be``go^|~W@Aul&Kj~T^KSt$bet9Upbfo)}4Z?k-*gg%7?UwI!X#_1^h
zC!nx$1+7F;ENnQ^6-Fy!1_iLvie->4`~g+%>b#P0hejI1^>By59HcnI7YI>>L?pS|
zL~sz2E9ar(36NoEMA(p<D)V@!gQ4XJgChke%#;Jy3LM(s>#_}HCg|F4|9iJ{C}{si
zq^NxsoiBI1p?CPYUN_j(*-Mpy^V^><f7udSL`=8i#Xd$eIm_Wgj8=5GNBFf{p%$(!
zQAHFHK?gZIBPVNU7>`Be9XsC0IcTke6^9s39-Dz>oY5vL<2US*Gb<9z1MH_qXq#>l
z)10f%BU(DulI(MqGaR~E4wVa??3pQdb;Jwf9R-~^@n(l$U%FA$V`eGT!RRUN)@RnN
z;L|6mBf4lcMBZD2m8z8HBT~qVfl=3}t#hn7oqu8#;B<L<i?rg=fx~6EMH~iBNdCyH
zEOm~}I$qG5jL!MUgyGb9V#xknX$IjZZ&n)<9OBh2!O^MRQ5RVq)DW-4EE3q6#88vU
z+vg)*BO)m-xb!3jG;4m*v*U#;Rg2<=lMoY4!967A_9AcI`il}hgf}bUq?z)UO%<aU
z>l500iiNxZU2}VShfNW93AQA=^Lj!AD{pDD@XX43EP}+CeJ&_BffY1ca{lvN1))qL
zsuVU7?T=RZ3%B3|bMNDXkWG`r%W#6&$mRKPF5G)Y4pl8KGHfH)Z@mWhp00rA{m&TZ
zd2ELk|3dk%Kl1sJalcm>?|FJ!xDMH=EQRgDcq7F0<(p~<`-9)6_U9RADKy-*n0!fy
zIIS}ROed+JbB5}m5%Gd*q8*k4aZ(4Ja|L)8rITxW*t<#&?DF4qgV>dCZ&qL<I#o#0
zU&0ZDGN1B&oL-)&@-xMAe1wbkcHPEL6d#=IpC_lIS&hpZ^)vuO!67c)!x8p{8=CP&
zA9Zn<RbzZ>_pnb7<Hh$TdK$IT>qSsAjG#bw9pH?Haaa^#F5B2}7s_G~g>#1prL>^a
z&ROV_&IVD^bo$SrrW^B44NBr`3>e`_gnR0#2Vs9y=nA+ecCyZtpUZxUt%<IaR8^wW
zfDFR}2m5e5Me)!=<9n=P+L1D@kfGp^{Jd`72T-C4wYgP;iR(q0LC;>o(D{_h*4=PY
zt9C{)J6y#3n|>w^SzoT+2xf5MN%>7SNkwKEei-No)=<9X6eB_gqoMSWA~?WyFl^5+
z<g56AOK_9KNI*rLWm{$W4sDIxZ>F&4C%G(<^DncW27J6Rq!s`r{9uw&+CN{&k$*zD
zJWq*EjtjEx!d3DqbXDwWIbUgK#_`8U;xpzKkIswGC^9~AU_wuD+x(1<HJXzwpM_mf
oXlh@1;P(=ock_Q-Rh<lYNLMFZ!oX=59LEbW)Hl&9*F{JD56u|{PXGV_

literal 0
HcmV?d00001

diff --git a/assessments/projects/opa/docs/request_response.png b/assessments/projects/opa/docs/request_response.png
new file mode 100644
index 0000000000000000000000000000000000000000..787a91d10112ae72b3d8861a0fca7a46925a0d55
GIT binary patch
literal 31072
zcmbTd^<Pxa7x;g%5Cl;dkPuK}DG`?LkP=vy21Qc3r8^X)Lpqm+r9o116_D<wQ>7c}
z-p}Rrd4Iltz}LrvAKZKInKNh3nK|>EGa<?dSwegYd;kCl<=#lC0>CXO_{Vqu9{5YS
z)K@nEaA%a0l2CV>-a_KKsY}lUGDdt2AobX7etI|e1S-AGq?;S^VOO`LU{YB{O8OhC
z!ESTdTb0KTj^}5v?~;7e9ZgL_<nDj1?4Cby7D-%?tuz}<PeZy7T(lfS!oWuU|NoO#
ztW={yT_YTk2*-w@^(O&MuN(w17Fie$R0pEa%NYQkixsX_*I`&t5eP9<e*X2l8p|>C
z=2-EGtN%U1Yl$~S`siyh9?Q{FArX<Q@_>MVh1ur)Xbcj;m1Zf(u;+XW@Ix~6Q^s7x
z#KicRkK}eQaG4FvIvkB@&8((-4zwJNzdxRHU8qUrwRz3-btkB9!DpuBa75uaKh?Gp
zm&$1<!DV~;O07t}P=C(*Fb#8!AUU<f0e(cP4z3HEy%DupXt`Pld&*v0j=pZVI-arH
zRua21_Pst^6-Qt0KX^UE<Y2cZdbZQJd#lZ%pJ!rH)cf38PEPJ@SayE;AIWXNuj%V=
z#)$WvTwJ~adp~a1mAtPT@WEc4kUg%(od4^j+3tv-+%80=TUw139ibZ0)UFgiCI|tb
zR@Mq7v@u$EaB;SpVaI1TAO1q(j8yLIe6xJ}XhPraeVy%9V&h<Xdl~?U+ZOQKOK(rt
z_|`AQC~TQ!cy|PZ?(2rO%z12<*4oU}hNjKhyx9a_<TaOD{kGf_e_=hGEiI87AV*9R
zr(Rs`b>@)g>|=j2mxoC9x{CumPZ90z?jBT37k2MGKiZUA$h<WXMB`%~C35^WH6~_1
zvJsnqKynB0yHAc#Na42FZ)2;Q{os502N#M^XX0Tb61%L}o~hf#&R)6ttJ$=Kf&(qc
z$jB(h<GQ2MXxMfSs;F*$euz=pUPoovDkQ$T%5NlM+}8jl(xbkN6=__U{|Y6MSipnA
z)!(X?$JSU)Oh2R&EI@a=2Ob{*fPK^mf3L^U#?eeplxUA}2)=HSMT)R{rRLh~pV8oQ
zdO+MuP3XmoKk4fj)XapQXGF*ok_OSUC5Y#U9HWi>$sevApRInaC&2TT^|+Lj^CcBo
zDw74zT@k3f`r7$Qs@>MFr~1~t32YaEjWnGH@pph=yYpNW3Y|I6K;wG}gD|i-6_&|~
zC|Zt}oRu}wnC<`f$~_Zf;}W5Zttx+#C-AreCc&SUv1m|D@83I}^<E4(z~9uLkBweG
z@Cbn606;iiYmxyR3@)S39AHHI!6fb*-2wnI$p4<cCW8RLkEG|}cmQAkf7F@;zS?oe
z@c(}CsN)U*a6tdx7ylFRzc2nj@&A4C;(r1<?ttR`U_bw##M<%<-|H!#gMPl_HX^a=
z-KK*`@6FP>ts94wrSUdKgYN!&^_TPO>pwv>p9h~`oi0X^L2iV#7r~<cOjcXOHvbJ}
z-J1MnWCNPYCZ0vZ`fPvM28>{9Fx<8R@E}{EB&=JWyUk|4=j*5seB=u*Gd3>!OWiJ@
z?5dM_Pxk+G0=}8UjX8JFSRWy;(~s}7Uf%_M>;nV>v3dQvl@~jP?k(7=nb14_iAzI3
z`{<Vmr)HdScML-<0x4MguFBK}Z1jJ6Wy9R}yBW9BJ$EeB)YNRWwNvJ7>gKjy1U>tZ
z_)6EZyye`|vzsAt(*0m%O0!h^E}E{pUHE)0=NGi*0GuW6W=Q7edS4v>Y!3&`1cpmE
zIb<yMnPVTURy9w)7M{%Ma(#Jryqu_CtM7Z|%#m#M1mlZ7-(bBMRa2V!x7hjK^}1H4
z-r;!CD2mWhCA7`Bq+qCVw}mpPkTKn@)o1S~?*9}`fw^zjOl++U=lF9gVy~~ZC5c4h
zjIM(5Wp*2PMQ5ta2A?-`x$PNTfRad3@!kzndEYDKfBNqOIQp6G6cA|%<2T0K`S9cq
z`rb!lI==eFjw=I5N-4O@g12iU=yJ~#!)b|$g!lZKcN#WttY@`bznX3kA4SVC)w~kM
z-cmuyYkl8mwU-@To#C|~;(hujXuC+G_;X4E-+~v{*8!E)==V5fw8D1iE0?{-R6e_h
z1FIM%u^Mn5^!OM)D25g8JkYc+pI2Hf`LNKq)4<BluDDj8OihJNHcS6jH|wDA^_JSV
zZLlRWud=tC|2cE;JEQ#(1@^l~4B!kYK`$j;QLmVt@||aD^TgOv^!juWdl{KPo?+iX
zUJK3%KYOV2d~!h#x>xKOcS|)Fy4il?tTQ;b@7+0KEwX#}{bN?CZllZB4@G*-4Rc0O
zBA<<TZD%K`?b{!J`q$k}KkI~1thHNcsWs}1{Q1pTy{u_peg>RMelHvyl$1wD3v8BD
zeLgAFuGv7ZB9oKJ(@yL=sh%dKl<YFb<}5}$6X4`us5I%lPTjE_%KQZShxcu@gxD8t
z{{>>Z!fJ)V&(8*&8h<u}AJcti^p<9I;A9F_Uy6I8;@#7i%w+@4vo?jQdDf-cHMh8)
zV=x6ObgAj-)MSKga+<?7hp_U74VIZ~=?62pa<RWpj<ls6W_hae6cQim<y6N;4wt^?
zYXlc3>p_*rp>$EgoNkJ%1ITSE*V)G<Jp$Ov1An89Q%>gLaus9ARknlNgR*y3E9g}=
z$E?r#rEf-drBYdRQ3nG;>>LUnNKGEF-vh@xb2H#_z{|lS7zGB;UDi)d)c<$NSc>_q
ztVE=k8=6uuF6FJj{g1|JNa7e=Yw9*9%85b^>s()wv{JiF8h&C{sTMDMk>{XpUepzu
z%_U3ato}&jD_#n??4lnB2g8Po$QAcO`OP`S{scg_OcHfXl|+t4e;DYv{rOUB*cSNH
zGtGS^S>m7V_<^$h=1`WT{~#@0*8NC=PXtmC6g;>5iEZFc^DICDbM%>V0G-3UJbAZx
ze-ez2Lp?M%&1KpGOM1`hv)15Kq~poXod0MPEj#B+dAUONaDqsm`5f7(A8-<9q9iH~
zC>~-RL4s60+qeb95paLka<JSUomqD~X~*ilWP3VJ@41R}z4xmmREA0ZMQk?HCt85>
zmb@<$epXxnbZ(0vQWYkTG=Gx7tU~;{89}Q;sMwXVW};^d5QiueONd4BLPNhYIcEzJ
zj-{+!8jEvhv3TdID>*ng7(7?!iaFAG)qFUTsUMO}{Z!|p#G|S1{-my#Qhol}oP#1K
zv%IUN6UAM8G5e}LG8x<PT6%b*D1xsWHnvUwI&2yiH_)6;oH(WL>mFvSh9XQ{uR@2C
z`VR7Q64V$`e-Mso0}c)S>jEef#L+3sZGc#xh5yJwu)`t(V}(dXwm6(Ku(56LzTLbm
z>XuhJ1?T1m6a^Nl6Z9`*pXbohWika>if~I5|4_?+(J-mbL#FLgQXL4Faru><QetvP
zz4Ha#$F;1W>-Sw0FsMg)8os^8VAfh-c*J>hK`ou&t*qBtM>@l>dk>$P)3`51`%;#e
zn8A&o9o8w+=lWcoOGrT*wI7kwkux|)j_nqZX-<e+P)e&3>-Kbi1bav60wzC11mTwE
z*=ld4E#PVH7sFTH`t~047C9IcVnOI?<1h%5aqX+W+0O$2#B?!f+Wb_@hq;)ihzuc-
zZKpiUV?-=5th=jgk}S+~xr^IeH9<wWG*}a}hNo{ql_y}VOs`l`g!#Uf9d><1AfE_F
z3LY)Q{o1Zupnk?E#5|U*O-f}o``un5lyN$Vsq*<jw3@MusZ_oc8l|pOEfM<COtV@x
zI=Sm?*%&_Wi@nP1(sX`)o~HdN_WjA*vGO%EC(8zXaa;^MZA6GuddgcbulUg2sU<Y6
zM5n&;jn=wUxZGTWvzYzKB8eU+{d;4nsx@5H0kUV01Q%cu4b08K{6g%W7IgU|a8o$A
z_2vpo)GSb{h_*DCyTG{X(*%{FJNa*dE!on&kEb%-)MM*t8AJ1#Y#hP0`5wAhFis^$
z=B}ya`g6r``7vY0ym!PVL+yO#Lz&MNpV+{SKUWtqq8do^?1)vO@utDGcl!Z*(_Xp7
zyCygLM>Q&sOA{_+2*eQ`QqfTsnEbn|BG!`?2K9D&lo+H#5A!EEH7A*S45-24H{qhO
z)90I5eXoDNq_xdr7~-pb6sBNA5lRAA@xPKTx9OM@g`AI1gury*c@dSxic>yj20^hD
zA4ap*|0ac|9a7o!D&O_#0CP-sh<fa|5ms<fd#K9H`MgLd+FnJs<Le8_Yvd5^aQtlU
zg4%Ft0<|n9g!}<{c-nd3+QN}zUi{$&3%>?cu&PSvbQd@C6S^v5s_m|UB=ax*q8D3`
zw6O5_Y(DpTXy^zNeq~OER{qwk;~?9JcVH#6kK$fOeICXFK_g2Jk=CGg@mL60Pycn@
zqGWI%0D`HA$I}g4Tg3_g_98t}Dr)K7h5TLm$RMS00;_3`pYK@}eNtAZXOAY%Q-~`Y
zHWsoN$$h?EWjoi9$)pjRtl3`hNYm8BQ}s|X)~gz(awrk&YD?H(ZJDo>Av%+5UETLi
z<ykT`PcxelJ4*}2pp=M2!z|7A9SCV3$3m2ZVH^^IW=CS(y{lu+sy&RPssd9bJ#tPg
zyWBt4AEFkJ)E_r~kIqrrk;gy1yvi6*1_0&5wL*t47&9n*DxAa6(7=IOpN6YL3MsF_
zR5Xp7Ct6)36&<wQjED{n#v5iKEma=A!ycPm9XP_pA{al_6;@f+(;WsIUMl;nmKPuQ
zd6=4CzLZHiw^f^D(zKMQdmyQxw|K+c_@i-cwUZ#~Bn}4?P-awYE9EQ67Ulx+Qnst2
z%i!xse1J;&7(YOal1$_DJ}l2hFVJurUd36WQaI_sI3+A1n(AH0Ln$IUg?RR{Ep&$4
zNib*%J-A&ue9n-q9pX<UI%zvyZP93f<gpsR6VYq@dNf_nTj=l|ZLc5Cztw6MS=G_s
zdu>ESBW#KKKJH)fr&Wxy4~BM&?`x@QOH&fCe9pRNddK&)uREzAQ0C~RJdMS>>V|gH
zMAK+PwTKA8DHfKT5Zzxt1@(_~Znj!g+n*^d7R!+lo#Et0QDWC_7ncWvPlH6E4XB!M
zezuKk#9qGi$(5X__G!|N1&s|3;P*N^4Nq&V;JZe#^)avEw5i#>#iSybN^X`u+UI9L
z8AFx!a;5!Zhjkd&kzFW7fp0L>NO7NKNnKk~MxxhZ%o-kO^0z%if}X+3NxayHluets
zNi&*)4L0sPsbWN1xTb+LAmJIdd`eC{_OVOH*n1%@Jj6$dHF&g7@mIC>!?YS*pIokz
z@VK&AON&t@>3fp9<=kHr2#d*e$Ae=<6T@|k-K#a}q(hy<>{lnGe6dlE9>W&?cwy!k
zG8O>9rzWW^`n@ZHvPyF~QHl|IfB96cLkiSPkA!Wg=rQ?2XATW*DGNfL$Fbxpw|SHA
zEB*#oJnw=bb+ND{U|ToG{0l*lDoaXN4S9OPWKWa1MVX~`3a<@Cla{gj&OojMtur-a
zhL^+89Ymmns&^P%(nZ1B(Xt}nDKc9`(5^IHrS9!min+$udC7b!9)9_muBO5VHpbl*
z@UN-@(NL?6+d1YDKKbbKhOwfIP<V*oe9?Owy@oYX|AfQn;2vtIb$kBb$=GH?a3pSt
z-?o#4kk<PA?hn~t?{0LPO?n@nbMW=?SLUImvfv=iS##QPJ@%OEI)V@%=mDo;Yd|KA
zoKt}K%4<l257dbEAp7{Zal7_?#d$uM?f+aVH!8@N*43wDTXyY8dXsV*ujw$s<Aw(J
zkAgEHVthu~Ckba?heyuV`9qruC`<Zc6E2DdL&`pdC#q@<Z*Q5XR|{)rC_v>h6f?A-
z2pO4t=?u9mRflP}3bNh!oLxy)R36lt_IrEby*6Ax{5mzJ1Hp=%=P|^c5QO^fuffdV
zw51r5IpzM~zE4m?#i0~yy6trmMdbs|8uy8j*)&Vo=(>8WbI?Po&mr1S*?gHB7iUS*
zxC5OQUwamZKfLo(zPkWQ$F5*GHmUflIQq)Fnu4kEuc~w)@tirhWj2T#U3%GgpqV1q
zKSSG_<via&dd^qc6#Xq2;ke$c{yy6SlIKR-_+-=Bqq!`3Kw<6!Niy?>w*$U81Wj-E
zcW^KIS6G@QXE*>XWiYE4FL^+YZTKex*3&LocEYAap`5q08;ZNHvx2Dcp?2Fsblu!c
z(%G*yq-h*d4UV{yA1eNhUStx?CfzA2SC*aFf(K3aTRBH1JX)=7v>!iF9esVJLENnj
zvqG#W6n}NHE-e`LTy~lljPxir-`9*H-X@}_BQ4D9E;TAkxYPS={h+7B+&Kn6H0NZ9
zIjix(=0(<(6N1;!{*(bxLyiCd7v#P9xPl>#x%b5>mo`w61Hy6cPb{A^yEP$2x!6+Q
zndokwbN=W#H%Bh+^DFah^V{FIo1x{M6NAQSw5wFjS^9cHD>8bGITIyhl(E4Ag;uR3
zLYznPo9aeyaDYkoILe8Z7xD`)Ujk~XFT?RzrdY&{p1>H7kfg~Kbo<QEEq`#YE);xE
z$wo7u<M11_FZ!v}j1Bl=cZXELiq!hh1I6!gryMAPKr)a4<(NcuCUabt+-mX2|4kud
z2v?TlgT5|yo)*;IKCHxR?1FNQf`;E-w@txNLUkx+XNj$!Dum;O;u_J8GSmiPkkGA1
zLO&|bXn-Fs!?r&L&wo}qz7QS*1vQaDvLdc!QYwu0w-Ke}4glaF<Gxpe7)<?$jv9UK
zrUXi1G|IjovQc;J>M^!{3)Mp)0svU)nZ{y%rQXjqUp(tyd+7i77T7^cWw#WJ6?9e$
zMJ)LU_@Sw;l}*iHck#0_fw^gxuj9_IR9J}Dsv!T|+F=}?TES>40Jxp=i!3@-sR@ah
zlai7_h@(2B;#??JBDx8oTduc&M<)d#)6NKXfo%(XRN0*y+VLXZt9suVwTK)civgae
z5AXlVfhV;Jv=b{nrUsj+f(@&Bv2~+I)&*!JUgX^d?8DBP%<m3p<o~{i2T@1|y{GzV
z5d|dAN!?L3C<_nx8_j~4NGVnD53|$&8Og6k*kcmpLrz2aRSued5Z+J{v!w4HCSV@t
zn_n>fCm>w2Xlj}T#hBK>3C9r^&N2y&;-52Z)!+}2c6)V$V8E3W*^Jb)*S5qjPkaQ3
zM`tHYuBKFc!|-FVVNY(@jkUB$0I5Lf$$}ETAx>sH*Qf;&<Bo7PGWgvFB9?B=QOSZv
z%p#&L<)eTYARZ!pw|pY$<Lz(PP+t74d(z?Es0^PTsgTgVq)~9EM;ab7q$ddaOxuZ<
z+IK=C8~~qCS|&fGVgpNtDuOxad5>T)8DiVjn5|A4-##f2c`bOKAe;AlSZ%;<)4cP^
zVjtOAS*@$~;-Q}!B#<3o3SqLzu^HcW-gqLZWJm?_kPP9Cf}9&1)A`@$UI!7)V2*5^
z%xPjg-PzG~Lfa<xhRM=_TLl6zS(q!Qn$_+Yr;tmoYO;bTZKqHTW$O-d)nq1>EQRO>
z2!h`*tdS`G?-se_;{j6WtfVaKnl@)Rj<{TQG)5OnKxkF?@dE)eHJyNcb2z87JW6=~
z{tY*4zTEExDaFYZMwXbeW5`wVVg>Hxfmt`sh62hl*$lWB=H1tbWuv`IQuSiZZOP>`
z5>2y8sV{jTcpEO$Yo4yPn%Kd0rFq5s1s$?{oDEe}oXmQsI5Ewc2DTlNFl*GB7i9C{
zrS_97HF^1-#VXVO>HQ8$I}XF_*NTg2V3Nx#BBFc5@NJThek>y~8_Gz2o&t#D1t&cF
zeOMHg&~C}t&52m$wwXSh(J0ouTTGwCts=1rj#lN#f-ib|s%n*H=eltqpuhh^wCVLF
zHP0VYFbIAnoFiNXOL?UiJVf~pi6<qC9ii}~y+JVhHUM$48B|F<bNah|j>zGVWF3eS
zSt-6L5%`LY7Wu^Bozx1Z6yO2GTHIX&$HPxby9ysIt`?7<25A(jujedA3JrjXQ%E<2
zB&p@}?}J9CbyXgXi}^WMg*295d#;i)QpFCoyoUO*fdqDd^0PwQR>gC5{SjDT#=RWe
z1;LPzki@ZaeXOVR=eZ_#u2`lXSMRH%2^SDg)H-jD`_eNo%o(<3kGzd~-Su6`)uS_D
z&Hx7pC803Z;6UlhM+N^w{VY*Q*R-vCJC-TopK-IFe?E)Q#$8UVron)K<c9WLCxTe`
zYvY245W~~h-D+x%9j-r>D=Y+#fO6VU%<p3O_x6e)X1yySZn<jb6=P}8XInBvy&Jr@
zzIASaP`<Z4)Wzc69&35i2M`{Av>88<1<}dQzx-Tv*tu;1?C%Tc);*y}!-qg9WIA(K
z8e*HF_so?sUce$LDalQBs?ub^YNmEu%<>%;#LAe}JKKBryf>Jd-2Q!-Y4&slq2iZv
z<hrh9Yu-U#=+p`Au$Z~<B8~6}`38{5pNW56h17GP&>_HGSd;jkjTwrIi_=I^PT{et
zH91@xJ`U#^sHmHBN%j64!nmct-fTQkt{<hG30m*&z2gC)-D-t|m)~L;m1+kjr+eaA
zu^>|}^3JYq$ZKG3(N(t+ME;=>_TZew5w{l?A&P5#XB+B!)Uv-(=)*ysmX_va>)~-8
zHjsO%)9i7?Mo7V3p_sz`O)-^M`sTzUkdSg3RAd?iVb|%=(cgZO&#=P33+Q`8YTelf
zdTrFwWRfak510e<+5lyOY=WXmt*5=r(Al7T`mev~#FFQ&o#o`^DH4;CzW+#$H%dc%
z6ny*wWi;pgZD@{WLm|6b7J}*#jY(2|-SWV)(xn;C72j-~18C=#_nzIsEjea5w2;qW
zo>JoG)H6|>945_jxb|UMq@(MG9w&D15}b!`ER}S8#E>5Y&lAWus^{0q+8kc{#f0{a
zg9)9AZw<3Rv<kpv$TXHUr=st&VHPTDcMq5pP<M6C#~jS(g4@SuM@Z@uCFLa~jyx|5
zK8;N)?PSjPXTT$?f}Ia3c$Dn@+=h`<fc&wmUg_bOs{VT=^~D%K{AJc_v{hQV)AU?L
zz@z8XLz<AF)Q_7XhB^;{V20^rjtQ?aHMUo{;yRh>P{}ks4ns^0{VP16{Z?q?%a79r
ztx(mxdV0YAU@q#AyS}&ZRpK4s15Td3t%FB<-0VC9@KwZ8(5(UwBhXe4>hi#e^G^%E
zS@Pd{LmFU9Sbmkj!DHa-0FED-_;B<WD133tq?I86c%*OSHzL4_+~Ll31TuqF)Ohmj
zsd)`?URpf!JC%H|^6W!v*`OrYIpw%&PDAMy!ItqQ2cUiXc2By`Oa7m6eOI4=%p{K9
zbsLm@;21yfFO)XV20m%NZHg+=c>*vM{WSlA;ex*OV~Du@2;CK)X5LyL=lTj4Aii6J
zOm}IRRo=VzXt%(|j~2C=_7D^;uENn1V3Br3=(z~A3l*`hZyow!I8g+kC5U;$;NLCu
z*(JYG0s%td`hO3<szGi<LD!*M?<&RvL<j(&N2uS`W6FX)@iu@T8|kwrFs1y72zaq^
zOK37c*FcF=N);#bQSy3qcfg#Ug1rFn!&;ZuD+t2^;nlkhFcH7v{BzBZB<u~qF<`Ap
z8*uUH2_Pf`*S2TN(Yt(xtmhp!qm^BPr?tU6CKT9<1AO_p1D%B|@}qigp3r*K8E(LV
zOy$g$JAlLM!ns;RF|v$nG#L<oQPCb?gK8w(Pyl|T3s?``5lZ|#i(rQ(vacCj1?GDE
zZUX|Dg4MU-Z_PO4K*@LI6i};3glo~jGT>+ZhR4vKM_Q8zCZ&m!38?6H3nA3tWFj~~
zS7>;!HlFa7(>FZ6Q?Lt<BJDlq3d_}=fEI8NFTGO+`%_E8b2Ea<N)i*Ns7#l@y_djJ
zcx@5?R6yavF{n1v{n09^h_Nyk%O7A<I?6dU@4)P>`RR=fKR-mU3nJIlzknLmXHv_0
zrc?mOA0-1w0DQkUe>ROJ|F8l}k>SA&Qeq!kn`@Z-?)rJH-iMI3Jp3rX;s7Rp%H?$1
zoL-GDdhmg}dxwt6V2061evAhEw$(7!a~9w6z*hES2_QS(5}jH=7i%&CH?;z&<-7SA
zQrhZ18*s5S3Q7{ER%V+Pg}zM5=mV9!G$ul6r9C`Qk^q1i$r|$_IW_iJBSKb3;5iMs
zSu2SEBu(B?0C-N+73}2T(KVDp4eTdNBK4dp%-=@e2Ha8gm<R-)kj9P2`Pi4?v2Hd}
z9CzXPHK|Pm3_m&I$`U06_V1EMZz6Z>EseS$x5ej&(*-t2OCMI)fZ_F(hUwCy4pW1O
z01aDlJI*!5u9cz9AN<c(ngZAe1hJY_VfX|P*Bg#8B<Z*6-ctwtbO~2CZ9Mg3A;&K(
zpn|U8t)BFO{PHu4H+OG~i*mFFD114pj{OPtjq3SNv0345rvx>8FveX-oUOfj0~#No
z90ULZT#Hqw49qfY|07*hocRY<kJzNaRpPLW$Iln|+XD*IJ_&CFKM<LEP(F7JroWCV
zs~b}YK7Qo0+p9V1T2?5~8TS{r%CezJ7bz94eR;4wa-4l62AOWZVY_B{3lNGto^EJe
z_kp~kc_nYj&*pqSwJw3Ol=c$!nB3ev%)^)=s`mdRnWT{lT&*115_rk@d6^~Sy_a|8
zHZ*?(7|0G;w*0!rLFo~sg~3NMpgJ~hMec>m(VzyAqAt_y8R6X)2y{|~=p&<B4EWv_
zqlj|^DgpGsNxUL{D!bNrfl?TBCNrp69t!_s-qzM|_7R>J6emh)*=kNu^GP|IX|;Mf
zHTEV5C-KxLvb1@QIM*X#-Q#I-`#t4O?v;G>g3!AaUxHtG+3a#M3T$tWj$&UN29^Es
zO@Dk8Bo}#pf)8CCm1;nLvbqqnef^Lxc0bRPKf;A#cXUu_URB^(U9~S(``UHnYO}`E
zj>xyE>q2vWKrv;@7hQ|}`&8;GsHM6nUrP{0UH1&wTDm=8Z3hn|9g!;kr@OuigIe#6
z_eaIL!=MzqHIPa{U84Q+iOb4VJWl}|yKJSsgUFQ}LmwXslh!f0<*FvppMwu-F6-mF
zSKQ>Tg&Qy2O+QCfaPv%+JIL?ts?7}Y3G@>(`?QQa6CBoO?U&VXa8vx8QAOLSczB@9
z<}1qbeQcwDT)->xNfdOO4qR9~7S<uCs5Cv8VP4IvTKv*+frwyE{Dvf}zVSdq0XALA
z6+7+if|;pHS6SV;L&r-`Yi>hZ<?|l_?xV3+ipZm=nK7k9r3<WgAZGKrCN-_hzF}hB
z1fm(SN;<A)xvYtOXL`==>w_6uSAp36)e8GZ0=Rs360>MtVjTNS-!Jyu(zm?sYVte;
zyHK2VY_FXTGCbqC@hEq}1)`jlr!|Uix1*xd+b&S&-B%7`G&YeQSCk0W=ErX$J${5A
zy1TcE<;qav<heiO{sRr(mG(|2x}5Z_Kih4+gPi$!eMPf(V4}I0|LqD6$)6D2>m2>2
z@$w?mcQABHn1JZ0Q^N!O3EPaiay}pR9Uz3xwi=(faWR}56?{I!!r#t12H~AJ4oja+
zugjx$)2>&!`>p%GjUDh!EFe~wIg>X#F2*gw(A_zS-5XKPpU{7<IShwK91&3$Vnz6o
zEwDc$-+AA`6@7gnmurJ6ou|E<G*~-r-s5KMGfBncGl{v1gUg7$JU-RC(Xw#|-s9`^
zYKLQofU>aMk<v)Y+6lYCZSE1Vua?iQr&2$mu5K^Y&1W{H_``<Xj}K$(JAUh5ZBic?
zHFcaXT&6kd@DkOoi*jb4V7t-S)ayUCNU{8ZO?Rwkh>z`X)1JQ=T0o^!ZFKPtiv6;_
zX?5`I1-9PjpJTV0C@rzXaA?(K+P+G{Ak%G3_qw64sPC!3I<uXs=m|Ez-lWhsDT>!7
z_VSV$;#imwg#I^S;hzz8{ckn@hs2fJ_n#2&+$AetBi+S03tc<Gb5FCgQnZ_|sS$ks
z`038&HW`GRGWA!|T9ii<cCq`=9C?~9nmaxebdER@n^3Ip3tFYkYQ&j;cfB5k&BuBt
zhck#i<DHcKbbTCI>%hB;qCA$tG7OiY72!XZ9=jgs7tj%Gui+T1zByi;R=AdH$y^Dn
zoxij8N#pU_m+L>uNA{u0R(U;I*Q@U$Li849Wu<%$AiHut1f!GleF4KKGnbntPmaSV
zTzUAa4`MH{XF;Q1uG1*agPH`c7qELOAs#9nOR{2&eG!6svSNu{aU~pvhb>uA>P{a8
z$I&ZVViUPC<gry({zsiE8L*#&vP9>OapZ!X`l&KL)Rcc$Yp`eT>YdEUUrE;g%CX~=
zY4+C#HGAdyi>m_*R{{xc8|SGPb~IV$@eC;{JqvGk-43D`I&$OrAifv(6+N-CVJ!m1
z9+Ln3u}{K-&)a0eyGeIB<0mkxWtG>?4ztOk@ch&hX{<@NrJ!+#-U(k+Xb*nTCj=i>
z^g$E(Ent!yGt?P1*GW7i8Q1Z{|B}A6`%+mf0V<Q6b3UJTnH&Kd*5O!?6>Qlj%GBr|
zCzi|I$*uA|jc5{mA~$fDvF&?(MYLyR`eBr(;P2ojAI;t5n~3yOJaUX5dD+}wyPiTX
zMpL9`TEz#^s564gdpaIAPSjuXbc41S8+3F%n_x{Dp`$d~kIJAFJacD#!Ll(rfJ=1!
zZ=#@`Yh3B{z1N!xCth?;m}>)eakUQiZmmrpec>qAyHbO99hIk?s>&UflTA3>v1GgJ
z1*trHLbHUe5Od>8NmyR(Jk3CFN=Drsi`G!+k2_B>`CFZY2e>5P!G6ubEsa(DNxWh8
zvUx7*OeuLw?S8kY;GPF>M{ZeE;N>8?#r@&Eq7ptL-*Y+N0BrL;mB3|Kthb6yOjMK3
zpVbVXYePXsBhI!#iBNc7uW3uj%LfVTRu;A6sw>8D<N2MFg9Y5{v?|F?75ObQu?e=G
zj-<=ML7S<55pq$7yamsN_Mb(WT;BA57-?2|*6;0Z6H56|Ky+s{uCLJhe3IV2eI=Hw
zcIRT=lO<)o-qkRHxurB}i$7>#PF{unT0(~+cfR5SWf6Jgt;@Dz7wP&oZ^eOMdN*lG
zbfDQKS^5HzDxOcD_l#1$*2><H<)xdu4XIHK@exO1$XlK;MMtt3p5)zaUnR%BkZVKO
z6NaG+eRBuBe}#j3n5aeada_u0-+rI{13y(+*2~-OxK%vz=}S@MS3XnZ5ZxSYpPlmz
zK6|-(9VPGaiA&FgO+}Sz*zjsbQro85l}`OHS<e`S^Zw?Z1?7}k%9Z`ja@*SRtffSl
z+#%we-3~wfgwF*`dK-0`2R-b#pHz{>-ktY0lTE=oT>VAAq{_C<ej%#5U&VY%<y+&m
zMMYD?+&_sA2+1+h$i4lrk5<-)=(9ueW#eeYcoOR+csx<YFetN6n$`={$YI7RXRX5K
z<*tR7-pT?x2+J375w!iIel@NKcKuUBW=E^4CR2U2;P2d+=y~phW{*SPR=8Zdu=EJO
zncZqrT%gAf-~6YS&SAVz^x4@<Mk5F3I2g0Wh~3Vcf*m$HPKQw9xPQJsE_tEl$)z={
z3m2&zLf)%(-1WN48Z&N2k8R+`y}#7y-PHC%(9CA%gSiL%o#>OWcLWL&nW-QBeP3sK
zJ_oj57Imr}o<527#`n?!k14xSpGe<vC^jnm9U%$Yaguj5Y9`wJN8Jqh0#B{g-5w2<
zmDY3Izx8LvaPHLtvtZSAt4puFsEOU{1544yZW_85PmQwOU-!mf2U9~AYaR7KAIm-Q
z_$BLJNfE0D4kn38M{fHd6{|Pd#?`hIyyq+x%4bwb|I~<cPU-qxgk0{PrUhvpU*NJt
z^VNm1;&R_4qB<wRw{>W>d47THNb&7qajHV^Pkax&U1A97MI=~t_2X40$~o`OE3UH)
zQqA`4az2KI(>JdXj{c$QQ9U2vv>h_#*r}*Gck&rr&o+{fq_@~>+~rtUh;S}T<$RZK
zNBulO>B-}`H}uj6uQx%RradI-)a<8S1{8MPGctDd_8k>9jYc3wPqM?#g3#{M%MJ%T
z2Lrstu)@t8wsRxBv@mcgu!}3<fx3F;WP0gCd}p_r8yNN?$so<Eh1aGU8#2=Gd)94^
z^R2!!pC0x&*|o}mbwUPD%{My-S@C})nR{)obuMQ#opm#NXHG{RRDsJ*nC<l^zLAv|
zbWuj0l^H>T=O@?0OX*O#6R3HUuj08&c*wuu$U9<;aYsa@+gDy6Q5l2P%743b!b9}*
zJJCVZ*5xw;N28uhCV3-YWG~%6z#R<2v9~vfzWKhQamz>l1czhVCp-Q@)A&+T-!Z4}
zpQ^GRfi@bght7jK^XMWpZ1g^YIdxyi5H96vC+~Ce%IgdE@+A55rtXu7fh!)n&+@R^
zTR#vZ9ZK0+$)5|u)TI8r5{qW>P^JsQ(;_M*GJ`?ST}c{6O>4`F3KM&8=Y*<ioxxh_
ze7zxJ(N-hq&ZSwFmUL`=$I*kPVer(rONZ%8j&>WD;&CzGk@na#pFgX?tPU{fYaUjm
zv$F#m8j&96TVpe+R3gFb5u7q)vDO9Kl5aUli}q~O6i0I_(ciAYiEYhH={%!QCP#v|
zeB$XE36>gMM;$CPF2uGdV!e?HF?@<N9=P7Bql6VX9a80u{R?+`28$kP@Gu7b-<}=U
zxs9cAfF*QWFH5hI+-sPV#&0M4=%`Cwabce))?6cYh2~QIN_xL&h<j9KP`2z12W>$|
zQ|5Inp851zvjJnX4rNmf#I8=f<r+5qckIN~Sw4REjoJzi={RAymN;b-V>dC2;b!z+
z99&J?CX409*3+(M<WweOxibnEdgQU5J;LGP9%A8g4_}nJn_98zDo*P*wPEhstkb<f
zyQxKwC9SpUS=O#h#SMgTTNM9h{Ox(A7=wg$?>#)$!crG|spmM2_H)l!+qjqH)p}<`
zkEnQ{A=ffjt!Vw+MFWZBS0Scld=_nBJz~WJ^R(u+sKL92aBe;)j`uU%1-v_e9siRi
zd*wSH{AqlvC?F9i&r{rS^yQ>Ce6$U<LRMNPyg(VeaCNEnV&h2U>a@gO`@MVkiAqFQ
zzQ^L_Kawv)MFT6)Rf<@3yZhIByEW6+jdrOWi*r{3YgJwwIgIt>u~IZs?{*b~R<d)N
zr$VLVjs0F749AFFJxdIMO^M>mB6o5gqt7Y#L}{o!e+l)~IR+;M+nR3r2rOJo2(R1a
zD$aZNczKyzH)<j1ja?hjhCcuJ8eaQbc_(erVOt!wqqzqLMw6t>ZEIgC#i}%P5L@rY
zn6Es7;rMxRLW{3XHI(})G;p&-+~<Q+z=&N~#x_nxZ4M@Ho%BS9kZpE4_0#Bk(Ah^#
zcvRKMEZRd}eTt+G(x~Fcq<+F4M8`5-&So-QU---`FL{P%XgP2~1<N)JUmY6x8kc!?
zQ8wZB*Iq2AnbeNM!Nr$0(Ddt6!+oiYe|LQ&xT9KDqE5uHcBMI@bREV*>IXY~e?{q3
zC*^vFO+6REF=XCGE+gmLFBh?UzGrf7Wl;`IJ5j@|3Qn}$sj)`Qg=cN(LG0P$<&s@{
zbH8t0*Uq9Hw0YMUtUsw35$%B#+9aFemp|BiDH#F!uVCrb_wU(2XL%Ps>9&ANmG1_2
zW{@yc(A+shRhaQ2Xyl@=wx1Ppx%4XMW6jj`1U)DEa=ky0*U!f8nz9D5H~i)Cyzu4k
z)%dP?VUNN0O)w@1&(sO;d)JjY_FkPF2Y<T$@#!vf_Db49b9ahe?Od!PQ4>l=B-c#0
zIe8^VGBjLD9+JJPLjJsF$<DOaCNg0wM>INbWDbmJu&|E`V)lTs=iI#Y(XMKZmlms*
z`r+t=@xmF8N2T3w#UO&#YoC3aZM!}vELuqV%iqd*Km5nFhbmvYz-dKH^ES3~@Vvo6
zRDHY~Eea#bP~+QqvipHVz#_GCVi}jKZ(KtFESsBrH+{;ux14W~`dS7mlV{)|712-8
z78hFho9@2$V+=R0W7b4*y2?da#Qs4q+>U=5Wbf}M)ce_wu5>tlqOtT??50U_6s>7d
zvzSZ#%T9$uQ&c=3+_I?f%`vgqV7GAGAm_vyPtBz;ro%YnSn1d_KL;CraW=@`K4=y1
zkaWUwzUb2R%Rna7OX%#3<ps6fDY5UTksRoj-V6*n9LYV0ZW%@B{V?_oubdBGs<Zey
z?9tx1!&Oyp{~)GNv{jM@>;nn61T&RGJ#*7GTXyFOk{nG7&Fe!9JPz?eFfC#mS^GKY
zoL`aqly!5QVKziI&ES7D+4%P@;i3NPF=1EjRv%yZl1gV0kIy^+i;ElmvT>%xcT{7s
zNPQd*=-qIgV(q`I5e_MQ_d*kx_};&jE`O|k|F{;*?zs&77|4$MM2e@=_4XE7>|Zmu
zdQf(#m4;ez(h0jA;{55)Rpq&U8M`>Q9vnZUw8HxuPMK!j0xkdVQeUL-DJ=`fhdvxj
zD<jlXISXAwcmq_uyUD7Y(a2UQ(>IS}yP%)J!&!e)Xn|``_76FohrzOkPUU44iecuj
z7f7C5)ffB9(?B$J&4`E1lr<VPm;3kxc3JNL70ob35%$sfKW-3IF*gt@6zz={6LzXl
zg7CLwaVqF`*S`z+%?|PB*Wz!`Iq-u_&E+oJKef}NJ8Iv1<8U&UGS$yN+QC;qRA!*1
zEWd6KspTuXVNl5DmF~#!ZetKzZQ*ZFldX#=CxQe}=o7`~{=*LA8@%drcP!rAH*6D0
z0b*1GMrF#=+s&}`Ht=Iz32(J(@&uQ=HaF-JDSlD*%%)XCfC>a>6|CmcLmCL8qzXQQ
z-b)Y|4d=U~QY*f;z-}axI9qy+1k4y?$iTe-@fb??L#t^t@$l^*uN-qRf)JNaiZ@8{
z;Yj<sAWA5W<pzjpsqkFgLp=@@c?B4BT7W3t!$wLw0aUdylpy4|*N{#O+(!u}SI~?+
zQETE=zw1XPeX-nR+PdsR@*lc0&v>?dT-G`fdx^ybCK<E^MHZ{O0>;3aeRt`{F)C0U
z7U7$YpGokbF4D@JiUz?RQ9W<i+|&ahR2Px@UJ=yF3IwrPiFm*g36GXgD`o7f{~j4j
zy>jvBvv8G+Bm?#%k7u;E4&&4$Z#dx7PX6Yt(TSnnJKzJsX3OL~BtqkcD(b`SJvuGy
z+8o4yE+HG_j*IqxRPHR8mZ4mT>bH72sENC{#X>qlDfMIdv+Ppfs~z`=fA71%=2yUT
zyEtCMI1Pm_tKfJ%7gI5+@k}dowQL6!7FHgxh{QXYo{qigN{9=ICeDmMVw+GQ5Xa!6
zU{YgFPoKlE6b}$@amdDapyuZbz_Wds+b9#L_0Zd}n{Og`|6xphj1-fE?g3p9U7=~k
z1gs7~Ca`AO8r=N{L2{%01MN?k!2sz4M#}6GKpBMT7X=s-g!6xo)}i5*meK<^7?k)9
zGlDPWqcg%v66Xd)XBUN*Sw^K%gGOUwB2DH%=6nhi0XZ(?M)Jp~(jWrQB|sb}d#FSk
z6U9aR<Cge9!Jfv&qK?rTDIsvT%NA;#;8db!0tz<vA87&U`Du|Tl(^-V_@}I<f432=
zgj5DN&pmsRDt>Da!D4SX_}79mDZ<!vrw#KPT8+()EVt}BO~cD60f4(b5>V@E-u8<3
zOu%I#6fq%K3Ul(h>-Sn*F;>r2+q|{^3IJ#e(sLW}JgIdJm|}4KUT3C&NV^xgaf6#f
zxlwq~682=9Hz&8mUx+-m*nKdTT)hfHW@7D9l!oWV=`<2F=a*kU5tPV#l;BZ;0c!-Z
z%%!2X@F5rg_+g^Z5-x#0=9_VXhUXWtI_0*|$1B_dzI-`P7T&7v85+C;ysoxiXo1ew
ze#p-PPZ{tZA92+Wt(%|*Km&eMcNOekCr8bJMpvGM!wkhB&Mt89l%bs`G}3(H-+QF3
zLs2UOj$dnjJs#`sQ=zfnH_xVNWPj}q3L>p1X>fs1fTVWLx>Y-tSLdPMcbR_Dr%4>m
zLNTC5(qA-}tv^!isE79AJgO_We~pj2fPXh812W&NS+?SP*-T0!$e)X<u;=I@qLM3^
z(s@AwW*q0Jy*c(7{30>VK4s@H6r<k8X$UaAuC{(V9HWK2N8a$`Ry*Cso<|EF9d!F<
zfJP6Gl;k^;K4uUA!8Fz9rbH-Q#kWSP37{RMBN~3puUB_~Ct1OKobXA^8zROk0*hxr
zFizZnzyJ}vjiA^O_#4uIQ26gx7+5dq`xEcK@UoYnk2v^>hv6p&Po{!Ns@p2GRThlQ
zYwtZ`mn!d=8vNP;o{o7s2u>0yFA{pL0`0d6k*~N6PgZXTbudqy{<tW458nhh1;w2P
zJudC??C@Q6C&Teek~Gv^PR`&ql%14%g$EW+tj~ObZe0qefF}DEyx)6~#DU}*EEG<>
zliBVw@gC#_PKhsG;{!0b2*^>LbJWzpQ@;=?p|IU$n%AQ&evyN~qpE_SkOYEqM+y`9
z6;nNm04qUfUc-fiZ-`hp8QbfBY;(9Q*W<P`bImGBY@Zfzq~8p{487&}0!4se=LUX}
zRi`qw(kJ`L>T45y0Z6uTZo`GZr^tCHkIr@7fF@o+o4pks#m+LWKcO`b^NqP_;D`B}
z%#iW8c*CySes5)k9<n=nv=SM}{qlOGnR;bpBGZ!}f1as^DMG_(M*r?gV~!^)tqsLI
zuT=cE`#T@j)Mb88-0`Q3r2ddd!}%k<S^tF1F{thgCA*n|)_SRS9(%_q{a7V%;Mb*)
z%FlIii0!OE$RF@%yw_N?BVg=2NJxVvKSMG#TG0v8Gi{l?o)NV<c35um;9`bxfXZs2
z!6Ed@Y0T$%=Kbnq#!ix%?>oAF*{<s*kMyhST7lyOO4F$bEybF_SLAl(Vh$BZp4_8_
zqvFI1Ugj5n>|OQ2nKO^fhf)2o=w7I6QpH*gX&V(l{FK|E5VAD~B`|zim)ACijD)ks
zU&^D8oqf=UKU$9C6;8e_%yQ0L*B%2G7s&g|x?;1U6D`|)TSYm6lf!eA*mu08qZgtc
zBj1y}*+;zMmYh*-q3%n#z+VEA;DKWmkf|rlGb8esa`8=67gAvb%lbrV-x9C(^RHm^
z=7~phrH)$%PvI3ok?Y^{Jbs0<&w0CiW7aF4pb%i=Gu(!=1_}U7w&p*YC)V#l#x010
zyt$1tAC@cUALhHa&0Jqyet~R7?N}trkt`?1?WnNq1$YbD73$XaJr#9OeWpt5F*(G-
z&GuLn6W2E;11Pr+;|Js@eixKbU^enzRUvFz98q9Ib32QNq17of&mTk8;ug-wQe)dX
zoi9<ZlSdVyTbUG_Y;!eIZ&|nXIR4oF1#3p0j3t`;my;kAKL}fn2*ZYFXX|vg7j{IQ
zjg_DNpby38bl9K0ySUvxuZV>s<lROCE(Y3JiWt^+6}v}1?0v-nzS4Q%3l9f~h;<0$
zb*{Oyy!8GU5xP#3E{00H+6sIJPcQgwg|JP9luTOamj89#xqffmn)m(N8$uN3rr@Ek
z;vVn|Ifp!yDlmmd7;#&U&@;a<Jkpz^xY~VpLVU3~eFje}P(D1~FLe3Y<>HH?XD~nL
z6@^i-t=qJ|DrfOBA$kcg9W!ltS`x@AR>!%knkJ7DhM65z=+C~XzC*I3`Zr#dppvjy
z>vVQ5s55DD#x=hId);E)Y6ISQ3l$0dS}?Or2QA^TAT?5fY_B@HTy(^v)oeoWA;}yn
zhH||_8SgmfAMQ^7CUT`IJCu2@`BhGJJFH<`Z&^M14*?*L9~xusD7IX{m^wMFFG<C3
zM>SK`t-tvyx&7u+AdL>!95rwLqS$=XE~(@Kp^c_{V3f;4zF$V&U`1B?Fg_ADO;ezT
z_Zx<=*2KY~l@51z?x(Fb?7!=RqbjFOQ_a@eg~mMe&mPk)gb|}8pe1beqs*}{z?LcG
zlM5nh9L5|Kw@Sp<cAx=fO35Q*J`Ptt;LX1`8}KrIH@{L<QAHsQrI6@dX%W<ev~*_*
z&?taBOA&jBHIUyB`<CgD@~evAa$eO*&K?O##Aw&<bQ|uJphi!NS!?ODPztsK8mrb8
z2JMbM`DXyrHzr}>{(u^2r+`M-Cr1i(UN)1tzgH&kW3y~2=?`#CYJth|V$I{*G>R|f
ziODT&TVLz29qhioX;P4-K<x{55!z??^eCOuAIk&f14{>o$znG@bS5zgR-%2~h7z8v
z6TAbIM^uJ4A3<J8sH^Da(E8Bc)UwG1rxZFnH_TW>;PEYh<#Z3K!*;<6lizmv%+t?!
zZ|)@4%5W)h{n<BQ+hqTxd>8m9#flO_?!XMGh460b{iIFd>U#}|QO1@zEgJ+Xz$3fd
zQxvDP;($YuQ7AOe9|qnBg2(CE7`0MMTJDcy+7THqz-sKgN{l;n%Z4^qmGnl+mq^V{
zs%@Glq!jpiIL`+x%vzlWuAncQShwOH{#P}qf-gH~TGRMVvv<ts%`HDSS!SdhR43gn
zOYOGWcV;TE#8JyA+ey*0isuVvf>^ioDIgBd^5#dldi=8Z#5}7Dhe4V2BIIl!Wv%Yr
zzPp@c;Jww_k<oQ1WT!t130E)zOAm8@3_ZD8M+~05F|i4J4*1!q+^>(q6KXBv`E$Jc
z<*{Z*Ql=XhbfZ@IM}V{LbYoGhA<08Pytd$xT_B!hZ!i4&y1v9jssUVCm>go0HuV!s
zy&2PFQnMFGZvoHq3zwXl@HQ1kscK1Y%({P9TDtmffD3`o{JJ;_pFjY_-l#GR19Yo6
z^Jf+3%_}Z=($r%P*G#CV@VC}_v03+k=ezy|f+~7;t$&5{TsdLj9nnfm*X-cI0*W;)
zB{h3a7y@KYX6byVC@bVw>d%0td^`}lsb}0Glb?Y9TgagVtH&4E0bo+1y3s-m;u5HF
zyWrnl0|W=OfSxjTe|}VKqk6h9(Qv{5+?u?;f(ObZ$A<V+{7Tx&^=UFHySnUn=W^i8
zwcR<fYlf~jsl9UU_kzFf=7OH5!}k^_x0gh^i1mCy(>;mcC87N5l<2#kYS}s_L>4Q&
z5j3+pt;IgqS;p^_DdM2RDCDiIAoNX1t<es>;<B^Hd)${ix9yGEH4(FyS+1)QNR1=Z
zg4b$M3I0fj<-D&I?4^>O*v~%m-je5=5_K6MYjj^GxKN;uh=OAvtC2OUgX<*Ec55NW
z)fsaf4~!}o3!qk&*p@X<uE`1k8Zci^g%FlSr$9=_hl@Vzvi)WS4_oSLa3{gl&{-y{
zj%unV%SKZOqxmY)v^O_zvU=1wbw~YGPF$%*efaiBNrQ-i)O$}f7t_K#C*#cGocG2X
zA-6h@TGPC6>%7I$Le-A(a?JtW@>q)#bCos(<>bh`)0XnZuZS6ROKMrVY1GFKx$=pB
zGEO!IH2g-pza0(W`{6DRz|z$?3<VtAPyEcfXWbL6Z`C?>mr;lZ);Rv6ww)qYe`27H
zT~~ORnzO;*M!WGdn=VVYCR41X5Ko~c<Du<`RYE%>Ga@USldX{-yd^60`SJ3#By)oo
zwWT&-dhvYb%@<lSs=3WM=PHukgoojXVvqP*m9Pd98#>n}`DOVT)o!_gJMopeDOz<}
z^+qf<aj78<uER_-InIiyDKW$a9>1JC&kt>PoE<r!GqT?D8>tmUU(dnf>>9rOJ3yv^
zN}_zt(D*g=MrXxrA&QTUES9O+{><2OsNh&)Ng`ir#bCJFRzhkCOcC&CneEs!KInfp
z&u;#gl;yJWJE1n=LYMsWT#9DZ#53MKF&Wwq@F$QbTft?7+efm5-%iqaEh*=mH{N(Q
zUNqliI3dlc9{w@rL0g)Gq7LJ0&jwF6Q_W_ojyG+KP4Z_}oLTPOW65y}rNZQV({=5p
z50~31$kdqO*RgE97E3(CDrsqfGmp3e)mYi}8%VzM4)32p<FWq8-7^*1i0;Ils<dtB
z*}bveyU||_k()E`BPmVA8f^2gOpa=gsL|46na}tvPM$~5I&zMZhXf&`gAqBGR-ndP
zX(BU|C*{f1qfy3VO2w;p^H-7?7Ps%1Aym^~h1#NQ1rlfT%~~$2mz7*JMV@l(NNdI;
z3sNZ$V^!k#cRqW-MU@b=gZ{m`66bh;Me3?|d+rxQISxQPD`qVsSd+?}JXcjnA?>*9
ziO9ND>oZT1SZ@*e5N;?Z@ok~;8fLkWT7@dh;|`<1r4*TvTpwN?*slTSz#K1`!sjFQ
zt)fW(&y!o>-A#XNwu4yBtX)T%PyIw|ZO1A<2_$p9<mP(ktCTMp>$rIyZ++Cq;hl4`
zF<)e=jGN<l{ycT!S3OK6E*FWRMWK*8jwz<C)2zJ9VC@ubj~iDu>CB*@$Zw}=H7h%1
zZga7Ce+%a5j-|$#l{?WP)A7BNmFsz*HTY?Cgy@vYHL8vJyXmYaNXKp;zzWpn3{3h5
zC?M<Oizn4o6dK>;c6ct1txOl*@}7yIbKVR*HWHeuERwa*oGTNsaQkYRB9>hWI{(zp
zaAjcgLEPi|GO|!QqwJI-4@8yXcY@RZ)7@7_wbga&(w3G&Deev}!J)WYaWC%B;_iXs
zEflxnPAC@KU5gZoy9O!l?gTlTzTbDoIA`2HciivS&5w-ion&S0xu-mHtvR1aVCQkE
zE2%_MK0(ObQvTf-iA-Ex;^Hy;Z99EczTSU_Tycp{aKoh>`4u9zTp{adU&8h?-51*g
zCE=qvb#E-cqo;=`D;J|^?y57Gm+{m;wDo%f%_PNq9?~ChQq$rH7*&0G2qTNzPPb-_
z_kN;*{j0~%zB29UYAPZppc%S;T>3+T)57bx#0-nLiE}WHG3rpbGUHva=+LjPk+ltc
zxWowrI`n6#7Nlg&_!jog8pop)b<?V2)>xqEcbTnq$j+zKK(|(@@du~}7iBx*cG_03
zl!0dk?Ml{7q|<ipQ?aAmHZFcE`PN2v*P|O0!U9p*jjiLR=Mtqb@y~YY#w=+tel0US
zsI0c<;$FrD90nA;?^v?AT;6;w7#&;QWJ$xY?-n18E>r{(fBvkOy?pk~rj_b{bf(G=
zUn7VNWIfT@CS6|~cDxx#jj;eqmI}vb6{X^3<lI}{5@P2HR6mu1s0ToI6BXx{O}hcN
zJi=9yPAIOA7j9#|)Z}r4Mu-iLS*SKj(Pyhmw4E+@Di4)9e^V4mghe83Jzh)b-|<oj
z$QWwr>eapbN3mV2Ol6^n0nKvwXH1R~<(S4Qbymqr3P~|)eUA0qbYbas+@F+-P<!dI
z?YgIb6=eNL0NjlhVO)SBxv8-{j_5UH`~@_KO_s*jASS$5p$GN#z!#w+kXNpR>lFcz
zX4x*V#>8UznRZ1Ri-(6~v62#LA`kQ~8}r{6b#}W{BkfNLNmIW*P-EGO%F3D^s4Td6
zcX?VIP$rAH;Ch?UKK7B*d)%5^Dw*_7&rGr)Q)Q@rfMmX}br)4hh67YnWJ0@sRXWbD
zxZC2c;T?AqO|r`|R)C9%h45uXCMGJ_Yvt@K`JO%NC(J!e(7dg>Qm#}z^w>={hP7dN
zi?UY1AL#id8k=hcb~ez+#k>{f8jau5@ENmhwRMa4XnYf+OBrB;$!?RMD=4c0%>{*+
zyq^!z+MWIsk7Di5X2%Nytu=|XDzThYCnsYLgcU;)FMzJ4x47++;WFv;ratdJg>Dc)
zc@?wMZ$7iD%$DEc1F(QNwp1}Y?ZwSQ$rA&K%DERpDzsWFR`Lftj-N*;6gED|KH!OF
z*N`f#>v_-o%yiIrULG2npXr(!9K!D!F@V~X3SY9~e<%a=MG!WDl0_X0=S1I;vlDXF
z`WWe>&CUYzAefAN>pt#ya4)#84-KD}3`N)<uhTB)lgiu72Q;;Yfx4_aXFzI^gFzyD
z(m2Nw0YMf6c`?m~Wleu2yf+pI;&=QL$l)O<QV;?Ad9(u|fnny1$<C?#B+MMm$kYkm
zU>lSDTfRn5<EFXf%pUxxkg=IRcNt9|{k-o^ya7-$j0#$`S=zj4aGe#s^Se0b)0EKF
znJOV*WQx>)2dew!4zsbyQudzhZJCFTF9ZOtf<R>@Jmkh#o^*stx~96&kWRXP4eVyP
zJ+2Oa{=7`K$0B~f6zKxa-BQWkAK<JzRcyTF4JaK<C%$9w!6_yIb=Ujcb93-O-6-@U
zE0Fhm$chLdDo*FE@_hG|;oNbcYhhoC!F<D=dj)BD9(G}=$^Y(&H*B&3J)PGhk*Ih*
zj(JS+*Uny{%V<VA@r*SZ`5A;mu{shA5hFFJanZ8ON~hcT^_P?&=R39Y@$cDIYHz2k
z{rO^#51W|VuVYfHtu{tjN&UCPufr!YGv3Ti00j!yHwm*BXM_tj@h6s|uWs1QT<Vq<
z`OKT{w5uI6$E0m{G|@D6Zv+1lmB_HpbRBj(U<>DpjLAU}Ye0oay#>yN8V&h}zq7U%
zY+`kApNeJk#lsbstW!BY_z+^3j1Vpr$za@VO;t*kzi~V>`^xK`7YlMjp4+pYUKYDJ
z_}F$-!}1UJK-cF9@n6tF+yWg+!5RNN^IaX$(9MF=?&r3foCUtFoyD0F%^D{b{(`t!
z^fg(z9sPJ0Zf#ZjoW1DAS##fk{1OF4zh=zr;YW#oW758F-t{t^yA%tj{lZog1|R^7
zf9Ov_{Y?-Ink|e*#Kfbq_r+A}WVK=aggD@D>FcOpiOM7P=0<Am)u^>_vulraPCU22
z-tBGJ?5Lb{CRua}<%Z#$e;E87aO#1?;Bs=JGZ~-Xn?ls4?i?s5$pBRs{?~<M^13_E
zu4TqI?XXwxX(*%gdLR5Gu{e(mHJN0(_=0KcpKzg*9IJm9=z6z5+L*@#QKo+<;LcQd
z$Gx+B*+$qP)%iy-Xy0H-$isCpn{2K}3L-&jIvJ-xY8K{+$@s|lveKO-u0kOT%dZR8
zXwBcAeFPP~cd0PTXS#?lR&Qrpo{F7ZoY1weL3F!})-nD4*Bj9@DlT1LX;iU;h)a`<
z%D|gHF7-T5Uc!^vMfsh=xzk2ff@V%H4heD2eH`{t|0OKrg%FJmFRul8bCJBcX=WJr
z7E00Un`%!7gB!msx9Tj(fPB8Gq3XbC@#3Kp4<#nsdoWVe59be<Wjlt|s>e!2GVA|~
zd*&}&&A-TN{*QDwkI4-1oySD)A94P_5#NY}7=H*1?`1TXx9dvE%wh#G0O&f0{!xhG
z+lfHZ{R?1@se>%N3wz`S@^R^2OX++u2LO`h&4V88f5>`DbLFT7omX1Z_ob!>O|rxT
zO3CdY)-1yLkP<Dfb0#<8gU-JkLY8T9aYuh{0qn%z4`ox%dOxkneQ1wcAt$5gF}e`t
ze=YkIp^H0Nae9BYq5VP7tsU`^XUJo-u)y^`*wwcQek26t`sXKA6lu6h)R+5pqsYyC
z4Fsclv2as-bol|5xFCR)>8ArMRrLb}RE9DLU#>vymRiZxafwk&(5i)Irx(~DdJb>T
zej7k}y=~72TuOfP{-g^5*pLt=<mEZ0FYI)8r-O#(VfU40La`wFD~pivMmf-|jCbl?
zd|aGESra<{5kSF&5WQDzZ#Fx@9hFfIOSmk}80rc^(X-leTW(&gRg7nY)WZ)gpa9_k
z0s_Vl4Wq1v90h;bB}4BS5%}a_RkDEcS1$FY&1&UZO_)v_4fWf3J6ezD2wxa!>z3Zs
zsEv68{`>k7=Iy!F4Sm9rxMt2pfe87gkxmyKFA-YOu{6N#!jZ$u0fwYn(I00Orei7@
z#Lc>Q!iPML^>-V1R5Y}{Z>W_R$*ci<T$`&hJ9Y?cMsUWKkpY`5;?JSpX}s>WZmBvC
zb!T5%FYc`Kkox(OwMLmI<K}t#7rpl0@n^~T`_d;c-PJY?qq!EgYoa}}ZMj303wmX&
zbtg)$#?wC8?xn;^&J5cnt)rq~GtRNn?c^CyOGWOQxLK?0N1ct)DK){Z8&$!rRtN~+
zHOJB#-x4|N{HnApJ6x>3c^CvxfB{EY)MU&GkU3TXezoVm(aZ-!K~(x?QpR)13otbJ
zn!E9SJkn*|E6Libmbr<WCLOaIq>vD^f~K+?{`ge}fZmNi^prX;VLU_8JOO}Mg`Xl$
zmcaJvtB1?_L^jDY(1LWX@_=;Sdg}LI^U$p<FSlU>kvmfsa)-4w_jU&Sr<(u(+)bx!
zm{|~8O(!Bu$p?7Nn6pB1@>G?emWnj|`r9tLD(^d5dS#H&c?1c1Jh*sSKV^^iJNl54
zIb8Z*G->a<)Ql4<R;9n-ndB~Regd>*Q~WBZR5gaWDmL+gL!1kOPko@{X^lPCH8TqZ
zEvoELD}dI`6fk2HbcN<uY1Mru(Vw;%fMXoW^Yl`O8)0aZJi%X1Ia(|=g4^bCJevLQ
zO%UX9ec&?)0kYaq<Fr=SN>F%;o`nSwAOZvl5jiMv+WlF#xW`06l<Lz&B;X{<tMku<
zn`b(4bkVI2Iu=?HPanT6O%1GS`V1J!-@EE8PkfgHR2d;a0vq7oSai9W|8`DY$T=F>
zz>wZZGzKiBAbgO{H<U5QF70dhy=@HLP47-B7h@)#0Q62I8tA}bf?}t$0ox}C0B06(
z4q)N}o`B}k$7f)#`;n;Y@#Uk#1n9XQUp~6E|Jx5g(oFs5M+N2^Oe)LE>0%YJB1yyB
za_ADGYF;X(R~Vqm2}KMP0k&T_Sed{&`z}bKuUhubvH_gT-$3R_<2`Nf$TwE-REz?l
ziwJ&&yhHYY=uJs~+&Ht%cE9LYgsZrlcHmUliSZJlq8kT#4lw%>@lQ%p8-UY^cqUhM
zx^gd$HrB{|(Sf$EG}h7aaULkg<8BPJH7e!Ny#s=K6dNG4N0I%9jyiy10zi!a8WFf#
z|NH1a_*?&T{(k?_-&)D|hLs=8N_ZF{BXb*$5RRlfNzs=yvFZ8xgFwL^$B1PaR{pEB
zMQ6UA)YzDdYrrTSWY@R?y*S>gr`_;IFa@R@0?jP_il?F5<^(Hh5xSTwgvl}R{@g?z
zh&Bl9ZPpNzjbf_Goj6Q;o(exiN;XwBWRiiD$m{gotmS+QnqRV0f~w4Se^+|TdoCj_
zt&<v)a_^xdX;z`K9X?Pe2Tgq7;w-rxzFGRUJ+I16-)ul%GGGm&To%3LCTK5tc|5=f
zEkh%j9Lf+Z3es;DrbkN|YilUcW?co`9Bhd$9Y$~xf+K-H-luVs(|hp7woC?^{az&s
z89K*xXEqmCU1`|Z*8bE^BG}XT<f_4VpT&9uwsa_ffcs3}ckLsrR@5{cd5t@?RU!XF
z%QB63UWPHc-tlYtw}Wjf&P~(Hb+GW0$#<YfiaX$r|Ai5c>zaQ_^C%9a&-@h>Q{EV#
z9BF6oU)Bv)2rshY<5u`I8fV;r`9YY*PanD2L>$EfZ2X(Ac_@%doNnBg7fJWrt2}3^
zoj)k=`Zcudw}eT~ve=~sus#V#?ncZMkKT6C4+x(?PnjCJt(I5_eNaB-OJ3qGP+x`!
z0$ETCY@)ISHYF*MpHX71ed$)gj#O7!rq_txjrcgfFIWL7X963bCSjJ0r5*$4D+-*|
z#@kGvuc9Q2xnI3qdq0OGf0PIO3iWW3{QlC)a8y~U%%}zH$TatG?Ko0RwdejQ(EIb3
zRPHZ+GWL5Uu6yio|2zKUw;!1TfzwZZqfbD@`3J1H2cJ2QR45+0+Ue{cs^+=Y0GUaM
zk%$i3ZHEN*ew5n)z;E_AR%TZw8FiEzz3$B}9+<&ry3r?h@65a31NXsZDL-`5>CZul
zRTh;76r^t3Qn<dyTjlW>FaHXrBS|ELNQCS4)(7)`ATz3BSP%~|G7QT*#5|+p_2{s3
zJ?$eT!2U~Z7{_SL=4r9Z1Sy>xzHf9DqJQCW;CEcBnVNDzU@kAz_3yb5#(pZPGfBh}
zsVD$eDgK1ZF#YS={&FBb-tvE6H9(2@mqPL9KT7cL!@rvFSC)U@{d@TACBQ%E$NJUC
zQoi(t&$Hx;=uuFA-@?gYoqbqQa6NpZ38OqM9mraD-MYnfy%L?CZHcO1IB=eeb-kcI
zoPDn89e=p#@biRazqw!7wdbD5_~}0iNRbiID+CoZO?88OWSFw3EV1IM!L{bBQs1eq
z<xF+0QQ$i?ZHnMsjO4%f;rE?|UY{(o@xl$OM<e<6G@3U3toNI}_?Z8>dF@FetehZh
zMX%peR#StZ+#Ejku>r2VcLUb>B};bSOU5hfN_5K76<7>8Kg2Fb%_;{i8ll&poa+17
zOUOtv>Y47=?ilNyXIO3O-BA8}NQCa3R0Rgz-dbWFm?Gc0V_DDqFj=i}R0Dso*`CnK
zJKbCZVqN-@G}{Tw`t;9ZZ<_S{vp62Db!Ou1q;{5U70}CnWGQ1I&ql9Sx6qyO-MG)R
zjoN-zNOh<Jw~)JXd%X}*(sZ#>sq*@+%wNX4mYo!?f0U38Zil%JjiLMT#n?t&gO8kB
z%&k0lVb!}^6eZ3-;|)#V_s%RZ8*}}uTF=23<`#>C%Pm0W{HW*Mh_cPBAq0`zVbib+
z|Bbmdm0a6>Ji)!SamcKhX;i2&?x$_;eF2#JM0D-y_h&ZHAFuYvvZJc}Hw`SIY1e-G
ze_r?b$Z^fI9$XTEN$^O@bo|jo&rD_jc|Xzgx+vovu~rL)dC$w#j+gt}1W}$oQ=KqB
z;cfREWXhy{^=MXrMq!M1i^rau5Ao<3kN0a<B~KE=D2HsseYkcz+-x2Q@n<}2Z;)!}
z)pu&ZX4x$zYE1!5nhm8TYDEpU!k;r1E~}x>VylJ=ln}v;rVLY+At5rgF3F*_R(BV*
z;H7O*7x6>R`)^2obFqD3Sp8}>>Ofee?hl>pKS_mO3EAA-kD7oW`X~zHr;cXwZ%g{3
zzdB&oE*K9uil#_(e_Z>)4eJBzz$)XdV6}i_eZtOC4NwH456Ct>sj|5)Jb#8g=6%~M
zx?HTnc9#dSCkD@rgA!$(^Rlz|c`c(CPBY_0yG(9YG;MZ;04!W!VqLd|dn+$#ag=7-
z?mlHZ3CoLPHYVnAX4~Hb|MyIeE#yJzH{VL8^B@X?`5*aFGstty)QHENR|-UNvL!A<
zT<3UM9#ShueQ6-aX|}5ava;LZnZLmo)Tw?GQC5<T5&W!-KKpzi+CX)t(1D?=p9nRt
zat!FBsrw2Ql3UL1erCq?785dBFYX?}{;J-i1Xf0q@(*SFFZ^w-ba-KQKW)qfT3?3h
zUh?g6!K@+U`-@WZ$B@!WfOQO0MrN@5H9uMv`>^kLS)cp#MUumbuf{r~)_r`s$CTXA
z9%JPl)DR=bwK64eRI2p#82@_F#4Dn90Jl8)>Tu*P<F2*19{<)ix$JDVJwIM~nXK)8
z<Q$yu7e=vC$V)qJ2DlmTT)W!2=e|}Y%n3@86HjE&nvQ4QVeqduPdjshqT_i&V+LB+
zy!r3uHTSzz$zI71k6dd$2UZkM^QR<~Q`()&0POPUr3kQtrHt7Q>ftu=jkdRkkSqJJ
z8wx9@E8E)s{5Q5?cGyqfWErXF>d;SGed^b=#wc#>En-zB?TcfF)OqJIqK%2{q-UX3
z)90x>+WyiR^v|FNq74-X=&|TR$Yo>Ebx`KbeRd5^RJmI^-<Z&r&;8gh?2@77Y0lHr
zb#LyHB(p<dZ<fDF3U}QA+WmeH|HdqInB06igRR5IVerh$lLd&DK;65q=6YO_5xX@<
zh1jM(?k#*?jvGl~#)afgp256&B~QJq*Yy%J=mlLy?Vb5-+{78h>uNz`s;caKxztv6
zKchLP_}%BE7O7xTVn)paq5GUadZr#vjoHizf$&NTu%r}SRAo1D*QTea-9@?D>kPWu
z8Z2B`>cS$oM`y_PL35t?5h$Q3eeWe$B)M4-xYU00V741rG_^XizX?YI7M`1G^X(1=
zOiezfJc^Zew%cUm+8(h*yh8{i=%1x=2X76_K)#9o{c)>J3|$K|$7`ZUJYvK|#ADwx
zFDePuse7$PFQPXs_Yl^qI{X^NriM|w2DGCMD1V~=l5(ijuZp=I8V*pRu{=U3zzWmq
z8fdG-KMn$cW;VcVw!>4L>6it$`E{!3mk<10rB+26(shKns(#3t(Q$`%sa0}^p4Xyx
zHo%hXeOn9rlc++zha&~H<h@rWl^9r96e3@2L@1tMy_5l7VYo_n;8A=F&a^?Xh|B$w
zPpc;KMD&Ab#jjj--GVErk{V{5iV=WyOiiskU*sBJr!C`fprLng&?JT;3B%{`)C>Kc
z^JT+;`)1mqS0Y<1)z(qo)9X25SB3Z(9Fjj0N{d|I@2^q25RIOuR3;sLP*CiBV-mI{
zZs5Z;i_Nx+3704I;bT=I-zY5SW#{Vurn%af_NHU~V1ZF1RB=y9wX3ZtF^6285+tCW
zw43OlC<~9nRBLRoir2)8rL1!6HNU)?rLz2a7J-3{K%^pHjHju?)0j%qINQc&_yYa-
z$f2LzZEY-6Mv$(xCZhPjj)T61l+?Zc`;ajAZeeI|atrlYSJu~RD_MKKvk}A_A49sw
zsg@eEE>jXHnysf$kYMv_JVb*S`K7O4T`1qom`+rBvs8Lq_bw+@oM`hx8M?kvQ&QyA
z6dPvIboD`z?5~K=A+^dIf%T0Is%m;5h1N~)1~SdiefDK@r$F@SH_LsMjHIz$@N_ti
z4C`{xixa1l1_4-WLZ{5?fk!-FUIY!kCO7XyEGJm73-L=J4z^Meu^=0F5!F&B$-HNU
zlPn90?S=xEFALqfG;AY-gZZkeEq+RzrI1T4MynWnDWi_|erLPhfK3we!{^8Mmsap*
z^2Mb9`oqND^WjtjZYf*%*Cd4C-Y9%*&*-YRJ8=e?Mt;RI9Y!OS-byFPsPTft%Ez;D
zo~Nbs!_{=(RfCaYCdV~Hr4qi!QgRD3$Ev6XvSewb->8T<RL7+_RFrhYx7BUt+1#jI
zxE`UBlf}pkWGE)b9whq3C|3sxcs>0sT#uW(vBd1G<z#-C<AXijx4J?}wq(Y%=9n90
zh{pOPlQj&vryVY-x|vVm<P82{TW8i!hL&C5Oh+^e05qUr_2;}GYy3fKG_$8}q&?&<
zVpg>V>#}Wgy%CQsWEv7_n@pSANef(W()-~>&bX=gvuKzhYXglS8%@}v$4B{J6%H!<
zi`4#>!z-dj*S%=Jf={hJ^MnS4@$_C;^&@v7&TkoYG*H+!ZN$|1O4t06gapaf8@zla
zRo7l+dKl7xC?H%G`0MMb;%Cy*6Qa4i)M5<cMP><5#mPJ6SI3vZGaN(}TfFdr)Dpw7
znUlN98wTNpr1fC)MVw-<*ibd)+MnO2D!D;#>7zTkxZLy5X{IWR-<sg{FTe3|RZPY}
z4n{_Z(2~~@Sjo0s+t{FbE}r;Ai0l6H$iTKhzh5L2^*Ear6O+p@S)89nSf&(SLYX`n
zos{O)oD^Egr_yvJGS|dWM|B<lYkB|N*m60^L^k9#_U?7>pZ&Vm=$W^RwwA;D{#z3n
z+h;xJt80!fA;@_PE1cN^+s8$wowQAIZ(l3eD)?fkI4?J717^h95X!p$HJhW}riny_
zRcgs^veHIixOLe?we*NSNR7lMXx(HjYtxjH(`UpWF-?UIy_p$(;mD^RL+4`RT&;X1
zqVJr`TQ(c7O?rDZK~;9~X@jt0B@@g;7LCqP2EI1m5XX@ze&4IaLsoUhUD?`Of3l=3
zxlBaF<#ws=Yk<~;C?a2a@?j`Yn{a~dccR~|;P!P>&{$nt8eNc@78{=wClqhc+rmcD
zQ-`yLyM$$5F09)nn~d~*FDQX!AT;-qjL2~G)rz#d&;n<?Q=>%m<ceez6Tye*+rAcx
z6{6rfk6!WlhHL$;ugTt)3XUmhOkKT|j86qhuD|g>LS{+nMtc0sHmQ5T5u5EjP0}yX
z%2fH@e!XwBr3wTJadV=PHWM9kHSlm(9hB0IbivyVG8^$;pjdnNKqUpEZ$C&7h(5>*
z%r981uNhPt^ae%YXducxLthpUpb7JEvlBHS!y}3r(`g;*d>i!5=4gP_kj0IjG=*X<
zo6Rzw_|HNedJeO#f9^oJ^wy>_IqR}%w%DDiJ?cYxkkOeQmfZ}JTU6eNh`swQ<RDEp
z)!bZV_nq%-)5+Xiw0hvTNISY1_)F^z1^$gosQpEPh&)0U;uFBcDngJqBhC(R6j$Nk
z%&fgg-1Y~uBoYN%9YpDCX{?yzF571e9vb!d)B?YyE|N%^-PCZAM?7^t*P@5XJd~Df
z`42un$HFEXB81fmy1$~N$6h%dz35f1eYmU2J-f;xNnsZVaSa7u@i`95w{^Yb{gr%q
zI;lF&kl<@`kFY~A#LZ5pBHKPm*8S*vke?bor2uJ)%IoQIpd3~7X>)%X^x7Mpm)dZ2
zP?8vqWXj3k)B7%F7;HR>E$PnFwFHw5NUoR+R5-g@Pj8q2F^XJxkkt1q`YUU)E+bAY
zrgxgA$M2tB*X#(A7#<`mLS8=k^8(_j%u}|OfT{l*?~jD4Ghe>}mchZ<IQ7YAca2ff
z=YnhZ@AL^o<S9@eBgc=VdR;wBJxNdA?2X0k?Te&nMf8M=_>d9-!6f3(Lkz5?!g)&k
zyv<b~)ws1OO7a35jf*yLu(qff8hwgRRCcI9hjs)k*cJ^^o74S4lMSvYG{YyTS>L$0
zw8H{|5*H1GBga;CRA6{d-X{d|q#dBLKEc371pK=s1qhrRze+2a+w(nfk_ubj8Veim
zDIUOt=6z6l6Vl6Xq^~b;pqHV!`2#;AYoN;cGep4l`jjTj@~*fQ2X{v)J3#)<a`l_F
zN+%GvC_pcRk-sEyWG2az<4E}!Xz-dC4Lywbd+OFFQc=xBU6he2m;E5g;Oy*_E@ft}
zJosIQmH|0+b3|)XMn{~0tab{%oriZ`v!rErT(d}MSFp)k+{XyHSY2|c`8>zK4hDSX
zmpl;28Vc<tWENn$+DGb9_oRBKG_2260VU~{!S!noDZt+WOzoP=T@co%Ehg9PR+fO@
zA;urYLL|-GtL!pfF3y*CBEw_QV*WO_D^LZhF=(l+tR!nkP7ftMtu}IQ=YG5f3JMSc
z#}iif)BDjAx~?>y{z<Kei>(|K-ep40HeL4jTw`ez{qD4oy)>P}?T(_bag$*w*`RmY
z73wT0-JN_rwTf|IIiAt;jb$09mr}yDEUrq~1@95G(mwCJ8y-vM%{j5`esp$UlK>mB
zFf!_>GD%R{p<`(2u13wdelPU-x2fSZ#vBiSY+zn(bigPZ_M3p5@M3A6lBlF3c=k9<
z`8xz!Jk_Tf=ML9<6A)H%Y(t)ar&!D>6rJQOU2h_&8MH1ykm1<1elV=(KS!-e1tLVo
zJS(q9YrE4Hy7O?)VASc6X&7c4%!MYR=IM4dNCaGoJ({c0)1MJ<KxyTDEyzr^txohu
z@f>pk3Rk5aIJ{|{F+Y_k59XM)5)z^?+o@N59i{9f?vapQz4z0K#8$hO`E{a2#*z?H
zpeO2jxgvU|6tC3L$th432z~1oY$LfJfN=a>UeD$Gfc|pITip$_@l7QhP5xS8+Y}LP
zeX8~1Y@d*eIqJ<a(ft?(pylaf+e2P=p#EMW!LhfF-qq|xB-4<KHU5oyVr{!2sJ6m;
zl)mfGnNlt2m*6{{Z#4J(fNcXB0%8HE`#Mzpc+tN>*iRR56@RR6&hP2-X>EMPLEmG<
zR%oCgqDgTQv)$_*A-2zmxy{Fj8;<*shS^hT+>X%LL>s?&cYPI#QhB2qwuD{gXx}^N
z9>PJ_^agj+CC`acoCVo(SqBtpHhW}4k})<QrXbgSnNJ{Vg=)02x_uvV<wcHPA=%}G
zxlV-_R<F?Y6!TO9C(MGT<MjjSU-^o};>W(S;tBMW4X1LTZWqL4<YS~`MDQBWyIk}0
zH+45$3chn93l(~P<<}>-Y|L9X>{#{!{rPb?5!uD^-BIO`hlrL#Jqn|yXMBwu$-s^!
zE$i{6(-Mo&QY+Q1#8v1K=5nr|r?h~0eV9YL@AF3`LvRoamQf97_cVX$p3EGS#Pg7=
z9!!pF(%t8DHC^c1iyIPBcTRnL?fT0WjRFKHCIv`=r(UCPXJt{1i$hrvcS8VY$nv@|
zBc$a~YefO2{gQOMHREbs%P4iYyUk24RPP|q%~xBql_F4%{@<>EBJIUyd~wpes?hJl
zP1CzIcAo(y!F#$clhE%`-fn2o<6nJiY?5yIX<i;C35zH~E-uRd#tb81cQK~`X*1fv
ziD~%V4P8JNBPh)Q#{DDr%JXV{Vy4^|9D#h#+zKAyu81CNwcFTr>>Hc}7hQSruW%tf
zdI|&#>@H4xY)$;c%dX8jg{~GVjo^B*qBIn*u;6>Dr;e%59(4s!n3a^UkYAJWyRqUH
zNe8d~<-#b4z9u=0R)3i9MlkaG@~@cj_vQifvILEvV8`<QNMIOt0_*rhqH7M^nU%Fz
zF>5wYuKpB!Q{c9V_g6}4xUoUP*`Mn6DD59G{(2RwjF!%<_V>rX4lK`(BYRy;oGDvc
zd`MbqUE{pa(1m+H0}$~fq~{jVEW_{i=RoU;wr~;jA`ds#bF?y~z(rG;J{~`BEWG{r
z(f5{?&MmB*zG}Bcr2ui8%~zkx(J$Ph(;Hk;MldWX`S-hi0N@djE2LvVMCt4#0AwZV
z@5!$vR9{YrFTmei@C9v=KQyDwlXhP(Neq2qLJ6gN#c^Rf?-TMv`h44X?&$VDGn#xP
zAA}75Uf-$ddlhntts!8?u9XT}KcxWY(DOd^+6!at@Z9H1-8refQok<Qft`K5?z};r
z);wBcLwz$yh}#Ek=rg8IeZ-TlwHKJtwuZ{vc}fAnx7xwKi#XOc^e5^*;(|%FBv}^%
zzcaB#3V5gLk8valhYnK^*HL{*ntzFPGS7JJAmU?m9E6VFXAotcuraog%5DkZ8xC&a
z?VzlI$ix?JQ9_V0$}<}qlha`;8y{cfql#8zM`w3+y~9lj0XjeHZ~<DQ_+WlcIF8|g
zM>;6$Ll*(&HC15nZ_H?FDphe|OmFcsl}?`0$9d)yY({!11~B*<N{G*$6DTtApJk0q
z>C?XDi+(Bw`yN)5`W<Wk8Kx=KQwN5p!7|w4&Tv^%rI+aK4r6q}qF0-ygw>zD+)~&w
zSAFZJv#sTSZ|8q_h<essa`-3`#?ozUDz4x^KN5JULgPN>gh*pxzRAiB-k@rhs9)AV
z#K0C;0RBn^9yel-QWLz*ES^(zRfSZu%@(`@SI8sl+)!3|z(R?XtzTQQ8qGyK4+Auk
z?sb28@GTf7?qRzx?O`-3(g@{=up5%Qp=@&-cyO~P_W-fY9F`f7CHONl&lylt$VtfK
zvjRK?n6?s#VMh}mi~-P#Axza*o0hfw%16{k6cYy*A|WU>uQ>aQ*kWdWA+GI6yD#O0
zLgLqXlZoTyN4n(abWbp1K^Ow?^)6%8trDc}vBwl=|I7tIlSj`k16?9f_;9hdyt}L%
z;Su#3QK4EOqfj$)l@Rr(Mgd<C0ByumJ{jqmsB_@FhGo%aZ;=ssZZfb*vfS6`%dW74
z=|q))IIK6^LIq$dW@m8&1Ku>Q#fhkmh&|csmbrWW0^6hQ5i=oQJgN>cHew0JH5P45
zL2>cWqtWlvPY}A+XhP{Oy+s_oX=0eNu-6xE)B@s6G!N-S6(5IHI^Jh7AEV)K&@@36
ztodA?M$OI%Jw^9k>1>NaIe+-w-{~YW(`~%s5f?@~vM0v&Y3ub91f#L<%H=DsQS2eI
zK#t1cu`Tyr)&NK41R>`!XJ{j$s@f`onvIMyNmTouznt@s<6<I;W%QK5(t)+2pq=sA
zRMa1#CWEPD#dE?e0?04{FB?JA)@9Jk`L3FY`T`=FT@N*}l2Gc!lzxO!H+s>@P8S1*
z(-A)&V>IXZm_>JHJvjgchU<`DU3E?O-@Vq<oK8;>)CN}vf5sH0Vywpn{4z)1ZH%8f
z4hEKjcXwH_v<nzqx1+KW1$)gQ!%7%4b`ylJxz-z+135^cj}>jOvNXoWWS%ZnTJ^5=
zqP0zm7p)85dJmwdd;Zp%{r*29hn*T>urdz#0AVR+M~z4p2OLKqbr`sTmTTA4L8d-3
zr+E7Xm-+k=Djn+j%6ga_GV>D6BxGx+=U+;dA2KG|#?b}l9eriU=NdjD2>MQcxM}m0
z8ijBvW=7R2<*7D7d(9j4EWUh7W>*@{Y!l{6Mhh`s{*k;;_c{k|cJ>2Em1x`CU=NRh
zUm<KmsHa(g5w5SlzL!j$(ju+xw}a~#6#l4AJ}cHK<+ot%rf=qJ;$3<Al_Ih~Un6X)
zIDnN)1sZ1u2iFP7l`fwR-Zi611zr1&wRmp{JI7?R;F@)hkx(MI;pdL|=XzWA+&(!A
z<9AvQPw>Bt%yZ)o&qgPw%UO+5%u;ew{K1lu27<iqG@ZNFW@W^SguF3kS@$tJL~TGz
zbbjcs4SD|!WzAv0UUPk%-AFi%yfP24L(<uJ(AloYT@2Ozq)^r@zUUJJ^3RRB2AEVG
zo$R+FO)^v}64e;X&oKcFa}wN4TpNVR8Qiy<RCwq+)u^E^U9I3fQy?wn>kIhF^R+O-
ztW2@*8eib7os*v{G|)FHX!4{Ik_b;7^b!;bM!kUZ(|peZqX~1r<J~#QKO;zq84m&S
z$+3>nh5Y7s0U8SXOr9K5ucDW?>(PgMvzVN#x**AwUhurxWT&kFPxH^S{I66j?(<7I
zoTUYDUt$uajNP<(ujpn(g`wTBG5&^s{t|UANKNU<;YsJlybS2g`Yih*QH;hD3l5_d
zYywv{A!n4=$)|`bC`Kd2wv|~$slWP6H~!jl{io%O7hza<_fZ&>Sz%_rv^eNd12`30
zT||QhyT&w^wGKi^{r*wV^~|V5IIPuR>hiX^B<Rk&n4IhKl!s{T(4FJw^lJY1@a&Zu
zVWiKx!bg|2tt{U*ZA)`@whu0JGw4=#b{chUoWp`^sO-k~hNF5_v9Nyluzs|7@ueHt
z*9{f#^$xk$GhHv!u&wZVzn3V7NAXG@xA0eVT1#ew>_=3eiZHb>GQJ=yg!(!2=vZH9
zGt*JAiKAk%>YcY9sXBzI;S?riz70wwES_4Pqa>C1#z1+Z1{YO&i7-8lPJA!)2c@^}
zjgK1Rhov9iu@Fi}6XSup428>wrlK7|Q9bwi<sibx>WKfZAN8!qIMMV}a^g;}`)9<(
zQ>g}exw0queqM8)l=Pg`>Xf>Bzbx*l?U*>3h6@f&!^RM%iGT_f!6cfM;^2NN#ZU^&
z9*MP-1X$@JJ5pJ!xek|1iyLC%G@VxjXwumI9u-Y5*E@0ASQiNxft_&2LyG%n4NzF~
zK`McPGTHoUeW(p*x`5?4I*(<iuDVbV#7F_3;0iaqA{KAXGEnL?wTm<AfaoidCJrk1
z133=@f*yNTJWt%j(Y+lel*1FhzKX>v^`?VG^<iUODU4Rbsj>;J2P^+Aty0Nw#K)v%
zp1}yCV*hC>@o;q*vdakVv1<c9ty~GQuGs3j&2K90kS^&O;X#KX!aP$F&b3cF1lK%_
zU<~ZAIlHeq)1&5p_L@1V)7-6yNAre-dtK0YcRs6-N{2UyMyd915FB9MRZWyh6zYIV
z(PD7&hH^!`CA)`nGGF`%R)-C9lKLx#>u}e+U}ep4W&{8%0#Skl)zIWoKq+^*$(6c(
zYSNZpXT+Msq{z0fTY_~=q4)+VCQArU-fYm9vlp<@@BY_X8~Jw*QA3o2LLBjCJINzK
zS)X|iF!{DcWUcr#Qu$hAt=f9xC)SCG+*Pn#-!t_;7?{pTW;8AasWlsfC0!Nnr)j_i
zN=hS+oBJmmn{yKci_}T|<W$Q@RpCwfrSaE|a}$o_?0dUkG?Jq}k@PLY*Pnx#ktRH7
zP+xmWl9mP#E)E&gEKN`H?yHoMDo?|+mf36aFIfuLql$(>gD$?i(;MF!HzZj@I7#47
zz(Tq}DvmJXV51ok$S&>OzT2M~<aCvIBs3|qWq8Fx=piGZ-dX><S17W;c2}N_bEYOl
zrcfsHOme$egI7ReXXgBylKxvZdDy&eCo8jN1cX%?4B5eC3k|9G#GpC-E334Vu7-3K
zXhStAvEr}|3_L4dZax>t5J1`_&A;e}&zm&XCQfoiOoO8}ILT={CPs*V<>(=ce-p(r
zcvoB&)(aXxZ_)}&N@F{V!7Z{a=G<HT{wdXY!o8blaj7(NHtRr6#mGiLGCPSx1yc8G
zq{(UO$Q?*>5HbOzS<7O;#vu)s@riJtKu%SAwi~Qf)9el!>GcTi<(s4>3ZR>supsty
z36EID^A|}UFQmD(3cQREq+^wBMN8^>+dJ_roBNyg&f%v#vgm%ruC*i$!R3k1i$!sa
zgv0!jMFX#8!R1O}e3DAzU?z=~a&c#YJtLghH!nWDyDX(99O55puL*Xb0uhril3Vk+
z>3=lj4v9KumsZUJcZfz2@YV~5PuoMV2!MPFfde5jkUjicvd^f!W*Zy3T8`CZ&t3oP
z$}G27h${s{B+)BpF?CJW0-2=no&$@A*y_F?#ZS+}TJj2VS_@f)vWSkVWKjl;u=G0{
zwp&EZ6nQYQrCR9L!2*ZwiWl1!x_Dq8=xfLly%>75vOF^%53@14nk3Wo`yvT1E1gAJ
z5DiC9)weV24Qcvth;m@8wHvTh0sMii|2>0HP2lDEZ9uSxm$I{eMgNG%wqw_k+=O(D
zzhU<P|2a;q=FZ4z>~bdlTH4LzZK%Hi!kebJV1if!%}Fu&lZmClYXN9_Fml)!$+&g5
zx1F*e5@&SLg=J}MOrC+Wi$2qik5*~vAU)EGgGxwLc1GC*L|Q)5V$xaT=_FsnPKy{P
ziE(w~iyV(6D_~_2m=XfFO;7cX{+>*s=0{b*)_m}&BL}f*hKy7AYfA2)a`J69EU8^<
z^_J<_I_IBWuGYp*y2hplhb-3bj;F6$VV17v8Gm&5D2g;PQti?Dh=pj*3u=;I`LU_J
zwW$yAIPQ-UFR5C=xWER+uMc;{1bacO+C`=Q(VBq7nX`HJR5oq*^mVch@P~nUauvX*
zRzz}a13g)%T+nx5XOkqGLdU#i{y=$|NGE2V`jF9VDG^f351;lk>!w<koduo2=aXlW
zW1|D%0+T;W)g$^@OLiPY3w7MetfXC%+0ewAOV>VSgsSEl#HDnJ4|nD>A%9N%ft0OP
zl$PvV8EKToy|_8SnE{;=-V~S5niMh|p@$kkO4pl}l7!y0Y#N6&*7nr&b(v%*<rG*q
z>yr-aoD-VxVgwO%p0BUYWlk}<QsHXq%2Q3S9$hEq!*?n*cun=&$d&SkZQ^wn>j$xF
zhF*a8ZsfCh{%R#7-g%Kn*p1T$%T5{*Vu$u%gha}zpFXfd%&9syQTB(akd<T8VC&G?
zIJ$_4c@>^fs60ko#x`EI?L-r?qOIz`@lpxw1DkYQ%YV_R*MgsaPiBGj>eRYnhlIPp
zAdENVw8L~%7VFHp&&gqtT5$+guXGCEuudu#g75Dr8NWYy8#@y~x9wPM<3d^%uwep^
zOc)+791<Bb$J>U;1p32)is31`<#+b%oeo3RHHBjQH4BG8%(0_TycLglU#Ow&{QMCP
zWQumZmAsP`D&bWEYKwtKJ~()_rvq3Ky&G=8$J4WWJoi5z)4>l<P^X4>gV;J3AK#IY
MP!unH|IzQi00K6HwEzGB

literal 0
HcmV?d00001

diff --git a/assessments/projects/opa/self-assessment.md b/assessments/projects/opa/self-assessment.md
new file mode 100644
index 000000000..954ca9010
--- /dev/null
+++ b/assessments/projects/opa/self-assessment.md
@@ -0,0 +1,564 @@
+# OPA security self-assessment
+
+April 24th 2019
+
+*_Author_*: Ash Narkar ([@ashutosh-narkar](https://github.com/ashutosh-narkar))
+
+*_Contributors/Reviewers_*: Justin Cappos (@JustinCappos), Brandon Lum (@lumjjb),
+Robert Ficcaglia (@rficcaglia), Sarah Allen (@ultrasaurus)
+
+This document elaborates and explores the design goals for the Open Policy Agent (OPA)
+as well as its security analysis to aid in the security assessment by CNCF SIG-Security.
+
+## Overview
+
+The Open Policy Agent (OPA) is a general-purpose policy engine that enables unified,
+context-aware policy enforcement across the stack. OPA empowers administrators
+with greater control and flexibility so that organizations can automate policy
+enforcement at any layer and author policies that take external data or
+context into account.
+
+## Background
+
+Every organization has unique policies that affect the entire stack. These
+policies are vital to long term success because they codify important requirements
+around cost, performance, security, legal regulation, and more.
+
+Enforcement of policy via human review is error-prone, yet common practice.
+Organizations often rely on tribal knowledge and documentation to define policies
+and ensure that they are enforced correctly. Some hard code policy decisions in
+software. These approaches tightly couple the policy enforcement to other
+required business logic in the underlying software. This practice:
+
+* complicates the release process
+
+* makes software policy compliance difficult to audit 
+
+* makes it difficult to modify policies
+
+* limits visibility of policy throughout the system
+
+Systems frequently lack the flexibility and expressiveness required to automate
+policy enforcement.  Every system may have its own complex authorization logic
+and as the number of systems grow, ensuring that authorization rules are being
+accurately enforced becomes a hassle for administrators.
+
+A better model isolates policy as a separate component of the architecture just
+like databases, monitoring, logging, messaging. And this decoupling makes it
+possible to get better control and visibility of policy and security throughout
+the system. Standards such as XACML promote a similar philosophy and this
+document will [later](#related-projects-/-vendors) provide a comparison between
+OPA and other authorization systems.
+
+### Goals
+
+OPA’s goal is to provide consistent policy enforcement. OPA helps disparate
+services to author and enforce security policies using a common framework which
+can be applied at whatever layer in the stack as needed by the target system.
+OPA aims to policy-enable other projects and services, regardless of domain.
+Additionally OPA targets to achieve the following:
+
+* Decouple policy enforcement from decision making
+
+    * Services offload policy decisions to OPA by executing queries and enforce
+	the decision returned by OPA
+
+* Run at the edge to make policy decisions for host-local consumers
+
+    * OPA was designed to run at the edge, eg. as a sidecar next to every
+	microservice. This helps to achieve high availability and low latency for
+	authorization decisions
+
+* Zero runtime dependencies
+
+    * OPA stores policies and data in-memory
+
+    * Alternatively, OPA can be configured to fetch policy and data from
+	external sources but this is optional
+
+* Multiple deployment models
+
+    * Host-level daemon, sidecar, embed as a Go library
+
+    * Allows for easy integrations with other systems
+
+### Non-Goals
+
+* OPA does not provide a control plane for management and distribution of
+policies. However OPA does provide the necessary tools and APIs to build a
+policy management framework
+
+* Provide a framework to issue identities to workloads. OPA does not
+perform authentication
+
+### Intended Use
+
+For situations where your software service supports an authorization plugin
+model or you can modify it to ask for authorization decisions from an external
+service, you integrate your software service with the Open Policy Agent (OPA).
+Every time your software needs an authorization decision, it asks OPA.  You run
+OPA on the same host as your software service (as a host-local daemon or sidecar)
+so OPA shares fate with your software service, providing high-availability and
+high-performance of authorization decision-making, even in the presence of
+network failures.
+
+### Use cases
+
+Examples of common use cases for OPA:
+
+* Admission control in Kubernetes, Docker
+
+* Microservice API authorization
+
+* Unit testing Terraform plans
+
+    * OPA makes it possible to write policies that test the changes Terraform is
+	about to make before it makes them
+
+* Access control for data in Ceph, Kafka, Minio, SQL, Elasticsearch
+    
+    * OPA provides fine-grained access control over Kafka topics
+
+* OPA enables authoring of custom security policies to protect data stored in
+Ceph, Minio etc.
+
+### Operation
+
+With OPA, policy decisions are decoupled from applications and services so that
+policy logic can be modified easily and upgraded on-the-fly without requiring
+expensive, time consuming development and release cycles.
+
+OPA provides simple APIs to offload policy decisions from applications and
+services. Policy decisions are computed by OPA and returned to callers as
+structured data. Callers integrate with OPA by executing policy queries that
+can include arbitrary input values. For example, an API gateway might supply
+incoming API requests as input and expect boolean values
+(representing allow/deny decisions) as output. On the other hand, a container
+orchestrator might supply workload resources as input and expect a map of
+clusters and weights to drive workload placement as output. In general, a
+service will query OPA for a policy decision and then OPA based on the policies
+and data it has access to, will evaluate the query and provide a decision back
+to the service which then enforces the decision.
+
+![model](./docs/request_response.png)
+
+## Project Design
+
+### Data and Policies
+
+The primary unit of data in OPA is a document, which is similar to a JSON value.
+Documents typically correspond to single, self-contained objects and are capable
+of representing both primitive types (strings, numbers, booleans, and null) as
+well as structured types (objects, and arrays). Document is a term that refers
+to both the policy and data that may be provided by the user, and sometimes
+refers to intermediate results that may be generated during evaluation.
+
+#### Base Documents
+
+Base documents contain static, structured data stored in memory and optionally
+saved to disk for resiliency. A service will publish and update base documents
+in order to describe its current state, and users can do the same to include
+relevant data about the state of their own deployment context. Users can publish
+and update base documents using OPA’s Data API.
+
+#### Policies
+
+At the core of OPA is a high-level declarative language Rego. Rego allows
+administrators to enforce policies across multiple domains such as API
+authorization, admission control, workload placement, storage, and networking.
+OPA’s language is purpose-built for expressing policy decisions. The language
+has rich support for processing complex data structures as well as performing
+search and aggregation across context required for policy decisions.
+The language also provides support for encapsulation and composition so that
+complex policies can be shared and re-used. Finally, the language includes a
+standard library of built-in functions for performing math operations,
+string manipulation, date/time parsing, and more.
+
+Each Rego file defines a policy module which is a collection of rules that
+describe the expected state of a service. Both the service and its users can
+publish and update policy modules using OPA’s Policy API.
+
+#### Rules and Virtual Documents
+
+Virtual documents embody the results of evaluating the rules included in
+policy modules. Virtual documents are computed when users publish new policy
+modules, update existing modules, run queries, and when any relevant base
+document is published or updated. Rules allow policy authors to write questions
+with yes-no answers (that is, predicates) and to generate structured values from
+raw data found in base documents as well as from intermediate data found in
+other virtual documents.
+
+#### The *data* Document
+
+All documents pushed into OPA or computed by rules are nested under a built-in
+root document named data. Since the data document includes both base and virtual
+documents, it is possible to query for both at the same time. The easiest way to
+illustrate this is to query for all of data at once. Note, OPA does NOT allow
+base and virtual documents to overlap. For example, if you try to load a rule
+that defines a virtual document at path a/b/c (which is already defined by a
+base document), OPA will return an error. Similarly, if you try to load a base
+document into a path that is already defined by a virtual document, OPA will
+also return an error.
+
+#### The *input* Document
+
+In some cases, policies require input values. In addition to the built-in data
+document, OPA also has a built-in input document. When you query OPA, you can set
+the value of the input document. For example, when using OPA for HTTP API
+authorization, the following information about the incoming HTTP request can be
+provided to OPA as input:
+
+```json
+{
+  "method": "GET",
+  "path": "/servers/s2",
+  "user": "alice"
+}
+```
+
+OPA can then evaluate a rule based on the policies and data it has access to
+and the given input.
+
+The below figure illustrates OPA’s Data Model and covers the concepts discussed
+in the previous section.
+
+![document](./docs/document_model.png)
+
+### Deployment
+
+OPA can be embedded as a Go library, or it can be deployed alongside the user’s
+service – either directly as an operating system daemon or inside a container.
+In this way, transactions will have low latency and availability will be
+determined through shared fate with the user’s service.
+
+When OPA starts for the first time, it will not contain any policies or data.
+Policies and data can be added, removed, and modified at any time. For example:
+by deployment automation software or by administrators as needed.
+
+OPA has no runtime dependencies which means OPA does not need to connect to an
+external DB or it does not need to talk to any external service once deployed
+to make a policy decision.
+
+### Features
+
+Along with the core policy engine, OPA provides rich tooling to build, test,
+debug policies. For example, there is a test framework to unit test policies,
+interactive shell to write queries, a trace functionality which shows the steps
+in the policy evaluation, expression profiler, IDE Integrations etc.
+
+Although OPA does not provide a control plane for management and distribution
+of policies, it does provide management APIs that:
+
+1. Periodically download bundles of policy and data from remote HTTP servers
+
+2. Report status updates to remote HTTP servers
+
+3. Report decision logs to remote HTTP servers
+
+OPA’s [configuration guide](https://www.openpolicyagent.org/docs/latest/configuration/)
+provides detailed information about how the above features can be enabled.
+
+To make it easy to author and try out policies using Rego, OPA has a [Rego Playground](https://play.openpolicyagent.org/).
+
+## Security analysis
+
+Organizations have to strike a fine balance between giving employees enough
+power to deliver software to customers quickly but not too much that the
+business suffers from security holes, financial liabilities,
+and operational mistakes.
+
+The challenge with achieving least-privilege authorization
+(not too many permissions and not too few) is the number, complexity,
+dynamicity, and heterogeneity of the software systems that organizations
+are embracing.  A single organization may have thousands of software components
+that require authorization. Each domain, vendor, and product has its own
+authorization paradigm, expressiveness, and interface for administrators to
+control those authorization policies.
+
+OPA provides a unified approach to authorization giving organizations
+context-aware visibility and control over their authorization posture in
+dynamic environments. Using mechanisms such as Admission Control, OPA provides
+guardrails so that organizations can impart enough power to their employees to
+promote rapid innovation without compromising on security and safety.
+
+OPA aims to solve the problem of fine-grained authorization in diverse
+deployment models and technologies. It however does not tackle authentication.
+OPA assumes that a user or service making a request is authenticated and then
+attempts to answer the question *“What can the user or service do ?”*.
+
+### Attacker Motivations
+
+Today, many organizations follow a microservice-oriented architecture to design
+and build their software systems and use the public cloud for deployment.
+A typical public cloud account can have hundreds of microservices, thousands of
+APIs, and possibly millions of resources. Because of the size and complexity and
+ever-changing nature of the deployed services, an attacker can get access to
+unauthorized resources and sensitive data by exploiting the simplistic static
+policies that may have been enforced by the administrator.
+
+An attacker could:
+
+* Get access to a sensitive api endpoint. For example, an attacker can get
+access to the payment gateway for a financial institution and cause permanent
+damage
+
+* Change the behavior of the system
+
+    * Modify how containers are configured and deployed
+
+    * Change host-level permissions
+
+#### OPA Attack Surface
+
+Following are the vulnerabilities in OPA that an attacker could exploit:
+
+* When a user is setting up OPA for the first time, it does not contain any
+policies or data. An attacker can access an unauthorized service while OPA is
+still loading; however, a user would typically set this up with their
+own policies.
+
+* By default, OPA does not restrict access to any of its REST API endpoints
+that are used to fetch, create and update policy and data. It’s possible that
+an attacker can corrupt the policy and data loaded into OPA, thereby bypassing
+OPA’s authorization checks altogether
+
+* If OPA is deployed in an insecure environment, its effectiveness can be
+compromised by an attacker
+
+* OPA can be configured to fetch policies and data from remote HTTP servers
+using its *bundle* feature. The files inside the bundle are tar.gz compressed.
+An attacker who has access to the remote server or MitM the connection between
+OPA and the remote server.  This can cause a Denial of Service (DoS) by
+providing a bundle file that will consume the server’s memory and therefore
+crash OPA or be used to add, remove, or delete OPA policies
+
+* OPA trusts the authenticity of the policies and data it is provided with.
+An attacker can potentially feed corrupt policies and data to OPA
+
+* Policies that rely on existing status of cluster resources can be raced due
+to the design of the validating webhook and eventual consistency model.
+Attackers can potentially bypass these policies by crafting a series of
+requests. Suggestions to warn against such policies - or a warning to require
+routine checking during runtime may be required
+
+* If policies for different components interact, the user must author the
+policies in such a way that there are not problematic interactions
+
+The following issues raised during the assessment have been addressed:
+
+* OPA decision logs may contain sensitive information like usernames, passwords
+provided in the input to the policy. OPA now allows the user to mask sensitive
+fields in the input from showing up in the decision logs by allowing the user
+to define a policy that specifies the fields to mask
+
+* To make it easier for users to get familiar with Rego and also to make the
+policy authoring experience convenient and less error prone, we
+created [The Rego Playground](https://play.openpolicyagent.org/) and more
+recently we’ve updated the [OPA documentation](https://www.openpolicyagent.org/docs/latest/policy-language/)
+to make the policy examples interactive !
+
+### Compensating Mechanisms
+
+* The OPA daemon can be configured to authenticate and authorize requests. This
+could prove beneficial especially in scenarios where the deployment environment
+is untrusted. More details on deploying OPA securely can be found [here](https://www.openpolicyagent.org/docs/latest/security/).
+Additionally OAuth2.0 client credentials can be used to authenticate
+OPA’s REST APIs. See [this](https://github.com/open-policy-agent/opa/issues/1205)
+issue.
+
+* Since OPA does not contain any policies by default when started, it’s
+recommended that the application fail-close in case of any non-200 response
+from OPA.
+
+* To prevent an attacker from loading corrupt policies into OPA, users are
+recommended to sign their policies using a mechanism that best suits their
+use-case. Related issue [here](https://github.com/open-policy-agent/opa/issues/1757).
+
+* Since large bundles of policy and data have the potential to consume all of
+the host’s memory, OPA puts a restriction on the size of bundles that can
+be downloaded.
+
+## Secure development practices
+
+OPA has a well documented development workflow which can be
+found [here](https://github.com/open-policy-agent/opa/blob/master/docs/devel/DEVELOPMENT.md).
+
+Some highlights:
+
+* All source code is checked into GitHub
+
+* Every pull request kicks off a build which performs unit tests, benchmark
+tests and language best practices enforcement
+
+* Each pull request requires an approval from a core member before merging
+
+    * The reviewer makes sure all checks and tests are passing
+
+    * The reviewer pays close attention to any new exported methods or
+	interface definitions
+
+    * The reviewer sees that the code follows standard coding practices such as
+	adding comments, grouping common logic in functions
+
+    * Based on the changes made, reviewer sees that the docs are updated
+	accordingly
+
+* Pushes to master are forbidden by convention
+
+* OPA asserts that it meets the passing criteria in the [Core Infrastructure Initiative (CII) badging process](https://bestpractices.coreinfrastructure.org/en/projects/1768)
+
+* Release process is partially automated with manual portions assisted by scripts
+
+* More information about the release process can be found [here](https://github.com/open-policy-agent/opa/blob/master/docs/devel/RELEASE.md)
+
+* SHA-512 checksum files for release artifacts are not provided
+
+### Communication Channels
+
+Both new and experienced OPA users have multiple options to interact with the OPA community:
+
+* [OPA Slack](https://slack.openpolicyagent.org/)
+* [Bi-Weekly OPA meetings](https://docs.google.com/document/d/1v6l2gmkRKAn5UIg3V2QdeeCcXMElxsNzEzDkVlWDVg8/edit?usp=sharing)
+
+Announcements about OPA releases, new features and general OPA updates are
+shared through [OPA Slack](https://slack.openpolicyagent.org/) and [OPA blog](https://blog.openpolicyagent.org/).
+
+
+#### Vulnerability Response Process
+
+Security vulnerabilities are reported by sending an email to
+open-policy-agent-security@googlegroups.com. The OPA Response Team will send a
+confirmation message to acknowledge that they have received the report and then
+they will send additional messages to follow up once the issue has been
+investigated.
+
+OPA Response Team:
+
+* Torin Sandall (@tsandall)
+* Tim Hinrichs (@timothyhinrichs)
+* Patrick East (@patrick-east)
+* Ash Narkar (@ashutosh-narkar)
+
+### Ecosystem
+
+OPA has integrations available with more than 20 open-source projects.
+Some of them are:
+
+* Kubernetes
+* Docker
+* Terraform
+* Envoy
+* Istio
+* Kafka
+* Ceph
+* SQL
+* Elasticsearch
+
+More information on each integration can be found on the [OPA Website](https://www.openpolicyagent.org/).
+
+## Roadmap
+
+The [OPA Roadmap](https://docs.google.com/presentation/d/16QV6gvLDOV3I0_guPC3_19g6jHkEg3X9xqMYgtoCKrs/edit?usp=sharing)
+highlights planned and in-progress OPA features. Current features include:
+
+* Extended WebAssembly support for OPA. Work related to this effort can be found [here](https://github.com/open-policy-agent/opa/issues?q=is%3Aopen+is%3Aissue+label%3Awasm)
+
+* Update OPA’s documentation to address security concerns around OPA deployments
+
+* Policy language improvements
+
+* [Support for OAuth 2.0 client credentials for authenticating OPA’s management APIs](https://github.com/open-policy-agent/opa/issues/1205)
+
+## Appendix
+
+### Security Audit
+
+A third party security audit was performed by Cure53, the full report is
+available [here](https://github.com/open-policy-agent/opa/blob/master/SECURITY_AUDIT.pdf).
+
+The issues that were discovered as part of the audit have been [tackled and resolved](https://github.com/open-policy-agent/opa/issues?q=label%3Aaugust-audit+is%3Aclosed).
+
+### CII Best Practices
+
+Currently, OPA is at the passing criteria in the [Core Infrastructure Initiative (CII) best practices badging program](https://github.com/coreinfrastructure/best-practices-badge/blob/master/doc/criteria.md) ([security details here](https://bestpractices.coreinfrastructure.org/en/projects/1768)). OPA endeavours to reach the silver tier by following best
+practices and guidelines outlined by CII.
+
+### Case Studies
+
+OPA is a general-purpose policy engine that has multiple deployment and
+integration models and is used in production by more than 20 companies
+such as Netflix, Intuit, Capital One.
+
+#### REST API Authorization Example
+
+This example shows two simple rules that enforce an authorization policy on an
+API that serves salary data. In English, the policy says that
+*employees can see their own salary and the salary of any of their reports*.
+
+```ruby
+allow { 
+input.method = "GET" 
+input.path = ["salary", employee_id] 
+input.user = employee_id 
+}
+ 
+allow {
+input.method = "GET" 
+input.path = ["salary", employee_id] 
+input.user = data.management_chain[employee_id][_]
+}
+```
+
+The first rule allows employees to ***GET*** their own salary. The rule shows
+how you can use variables in rules. In that rule, ***employee_id*** is a
+variable that will be bound to the same value across the last two expressions.
+
+The second rule allows employees to ***GET*** the salary of their reports.
+The rule shows how you can access arbitrary context (e.g., JSON data) inside
+the policy. The data may be loaded into the policy engine (and cached) or it
+may be external and fetched dynamically.
+
+#### Kubernetes Admission Control Example
+
+This example shows how to enforce custom policies on Kubernetes objects
+using OPA. The below policy prevents Ingress objects in different namespaces
+from sharing the same hostname.
+
+```ruby
+deny[msg] {
+    input.request.kind.kind == "Ingress"
+    host := input.request.object.spec.rules[_].host
+    ingress := data.kubernetes.ingresses[other_ns][other_ingress]
+    other_ns != input.request.namespace
+    ingress.spec.rules[_].host == host
+    msg := sprintf("invalid ingress host %q (conflicts with %v/%v)", [host, other_ns, other_ingress])
+}
+```
+
+This example shows how OPA can be used to enforce admission control decisions in
+Kubernetes clusters on-the-fly without modifying or recompiling any Kubernetes
+components. Also the *deny* rule returns a set illustrating Rego’s ability to
+generate non-boolean policy decisions.
+
+More information on how OPA can be integrated with Kubernetes as an
+Admission Controller can be found [here](https://www.openpolicyagent.org/docs/latest/kubernetes-introduction/).
+
+### Related Projects / Vendors
+
+* OPA’s policy language Rego, allows policy decisions that are more than
+boolean values. In the Kubernetes Admission Control example above, OPA returns
+a non-boolean decision, which helps to detect the violation and can be used
+later for auditing etc. Another example would be a service querying OPA to
+return the fields a user is allowed to see based on the user’s profile,
+department or some other characteristic
+
+* OPA can be deployed next to the user’s service either as a host-level daemon
+or sidecar, or, if building services in Go, OPA can be embedded as a library
+
+| Project | Open Source | Decentralized | Non-boolean Decisions |
+| --- | --- | --- | --- |
+| OPA | Apache 2 | Yes | Yes |
+| Firebase Rules | No | Yes | No |
+| HashiCorp Sentinel | No | Yes | No |
+| OpenStack Congress | Apache 2 | No | Yes |
+| Ladon (XACML) | Apache 2 | Yes | No |