From 5019db4558253cdb067abc1449fd7c40ab4d7edf Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Fri, 24 Apr 2026 14:31:15 -0700 Subject: [PATCH] sync: auto-sync from HOWARD-HOME at 2026-04-24 14:31:14 Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-04-24 14:31:14 --- .claude/scheduled_tasks.lock | 1 + ...PLAN-AND-QUESTIONS-2026-04-23-archived.md} | 2 + .../PLAN-AND-QUESTIONS-2026-04-24.md | 186 +++++++ clients/cascades-tucson/PROJECT_STATE.md | 2 +- .../phone-sso-pilot-runbook-2026-04-24.md | 361 ++++++++++++++ .../docs/security/risk-analysis-2026-04.md | 452 ++++++++++++++++++ .../docs/security/termination-procedures.md | 95 ++++ .../Screenshot 2026-04-24 115936.png | Bin 0 -> 73992 bytes .../Screenshot 2026-04-24 115949.png | Bin 0 -> 28621 bytes .../Screenshot 2026-04-24 120004.png | Bin 0 -> 29566 bytes .../Screenshot 2026-04-24 120020.png | Bin 0 -> 29890 bytes .../Screenshot 2026-04-24 141248.png | Bin 0 -> 47180 bytes .../docs/servers/fax-whitelabel.md | 76 +++ .../2026-04-24-jeff-restore-ashley-access.md | 133 ++++++ 14 files changed, 1307 insertions(+), 1 deletion(-) create mode 100644 .claude/scheduled_tasks.lock rename clients/cascades-tucson/{PLAN-AND-QUESTIONS-2026-04-23.md => PLAN-AND-QUESTIONS-2026-04-23-archived.md} (98%) create mode 100644 clients/cascades-tucson/PLAN-AND-QUESTIONS-2026-04-24.md create mode 100644 clients/cascades-tucson/docs/migration/phone-sso-pilot-runbook-2026-04-24.md create mode 100644 clients/cascades-tucson/docs/security/risk-analysis-2026-04.md create mode 100644 clients/cascades-tucson/docs/security/termination-procedures.md create mode 100644 clients/cascades-tucson/docs/servers/fax-packetdial-whitelabel/Screenshot 2026-04-24 115936.png create mode 100644 clients/cascades-tucson/docs/servers/fax-packetdial-whitelabel/Screenshot 2026-04-24 115949.png create mode 100644 clients/cascades-tucson/docs/servers/fax-packetdial-whitelabel/Screenshot 2026-04-24 120004.png create mode 100644 clients/cascades-tucson/docs/servers/fax-packetdial-whitelabel/Screenshot 2026-04-24 120020.png create mode 100644 clients/cascades-tucson/docs/servers/fax-packetdial-whitelabel/Screenshot 2026-04-24 141248.png create mode 100644 clients/cascades-tucson/docs/servers/fax-whitelabel.md create mode 100644 clients/cascades-tucson/reports/2026-04-24-jeff-restore-ashley-access.md diff --git a/.claude/scheduled_tasks.lock b/.claude/scheduled_tasks.lock new file mode 100644 index 0000000..0af4149 --- /dev/null +++ b/.claude/scheduled_tasks.lock @@ -0,0 +1 @@ +{"sessionId":"d6600899-b6a9-4073-b362-d7d5aa0dd8dd","pid":6332,"acquiredAt":1777065966112} \ No newline at end of file diff --git a/clients/cascades-tucson/PLAN-AND-QUESTIONS-2026-04-23.md b/clients/cascades-tucson/PLAN-AND-QUESTIONS-2026-04-23-archived.md similarity index 98% rename from clients/cascades-tucson/PLAN-AND-QUESTIONS-2026-04-23.md rename to clients/cascades-tucson/PLAN-AND-QUESTIONS-2026-04-23-archived.md index 158258d..6de05b6 100644 --- a/clients/cascades-tucson/PLAN-AND-QUESTIONS-2026-04-23.md +++ b/clients/cascades-tucson/PLAN-AND-QUESTIONS-2026-04-23-archived.md @@ -1,3 +1,5 @@ +> **ARCHIVED 2026-04-24.** Superseded by `PLAN-AND-QUESTIONS-2026-04-24.md`. This doc contained drift Howard pushed back on — see Part 7 of the successor doc for the honest drift log. Kept for historical reference only. **Do not execute against this doc.** + # Cascades of Tucson — Master Plan + Open Questions **Built:** 2026-04-23 by Howard diff --git a/clients/cascades-tucson/PLAN-AND-QUESTIONS-2026-04-24.md b/clients/cascades-tucson/PLAN-AND-QUESTIONS-2026-04-24.md new file mode 100644 index 0000000..0eda75d --- /dev/null +++ b/clients/cascades-tucson/PLAN-AND-QUESTIONS-2026-04-24.md @@ -0,0 +1,186 @@ +# Cascades of Tucson — Master Plan v2 (phones-first) + +**Built:** 2026-04-24 by Howard + Claude +**Supersedes:** `PLAN-AND-QUESTIONS-2026-04-23-archived.md` +**Target:** Pilot caregiver phone usable end-to-end by Monday 2026-04-27. +**Goal (Howard's exact words):** Authorized user + authorized device + authorized network → no 2FA → M365 sign-in (tied to domain account via PHS) → SSO into ALIS. + +> This plan was rewritten after catching scope drift in the 2026-04-23 version. See Part 7 for the honest drift log. The executable path is Track A; Track B runs in parallel; Track C is later phases. + +--- + +## Part 1 — Status as of 2026-04-24 + +### What's genuinely done +- **AD hygiene (G1)** — idempotent. OU=Excluded-From-Sync, 4 role accounts moved, 34 proxyAddresses populated, 16 SG-* groups created, display names normalized. `reports/2026-04-22-g1-execute.md` + `reports/2026-04-22-g1-post-verify.md` +- **M365 orphan cleanup (G2 partial)** — 7 orphan / former-employee accounts deleted; 1 Business Standard seat freed. `reports/2026-04-22-m365-orphan-deletes.md` +- **CS-SERVER preflight** — time sync, TLS 1.2, WSB installed, rebooted, post-reboot verification clean. Ready for Entra Connect. `reports/2026-04-22-cs-server-preflight-verification.md` +- **Synology discovery** — 10 shares, 35 users, 4 groups inventoried. 7 shared-credential HIPAA violations flagged. `docs/migration/synology-permission-inventory.md` +- **Intune MDM foundation** — MDMS@ service account, Apple MDM push cert, Android enrollment profile (dynamic group), Android compliance policy, config profiles, 7 required apps (incl. ALIS web app). 1 Samsung A15 enrolled compliant, 24 more in box. `PROJECT_STATE.md` +- **DMARC p=quarantine** + post-DMARC spoofing recheck clean. `reports/2026-04-21-post-dmarc-spoofing-recheck.md` +- **Staff CSV + working list** from Meredith/John. `reports/cascades-staff-2026-04-22.csv` +- **HIPAA review + risk register** drafted (with some accuracy issues flagged in Part 7). `docs/security/hipaa-review-2026-04-22.md` + +### What's in flight vs not started +- **Entra Connect install** — NOT started. Prep is green. +- **Phone rollout at scale** — NOT started. Pattern validated on 1 device. +- **Role mailbox conversions (G2 remainder)** — have delegation lists for 6/11; 5 pending Meredith. +- **CA policies** — nothing live. No Named Location yet. +- **ALIS SSO** — nothing registered. + +--- + +## Part 2 — Track A: Phone SSO Mission (pilot → caregiver rollout) + +**One sentence:** one caregiver, one phone, full end-to-end flow proven by Monday — then scale. + +### Phase 1 scope +- **1 pilot caregiver** (Howard picks — must be confirmed-spelling name + willing tester) +- **1 phone** (reuse current enrolled Phone 1 or fresh Samsung A15 from the 24 unopened) +- **Entra Connect sync scoped to `OU=Sync-Phase1-Caregivers` only** +- **PHS enabled** (Howard's decision 2026-04-24 — reverses prior "PHS deferred" call) +- **CA policy: MFA waived when user ∈ SG-Caregivers AND device compliant AND sign-in from Cascades WAN IP** +- **ALIS SSO live via OIDC App Registration** + +Nothing else in this tenant is touched. No office staff change. No password cutover for the cloud-only population (that's Track C Phase 2). + +### Gate-by-gate plan + +| Gate | Target day | What | Blocker / input | +|---|---|---|---| +| **A1** | Fri PM | Entra Connect install on CS-SERVER, staging mode, scope = `OU=Sync-Phase1-Caregivers`, PHS on | Howard at CS-SERVER console | +| **A2** | Fri–Sat | Pull Cascades WAN IP from pfSense; create Entra Named Location "Cascades Office"; create CA policy "Cascades - Phone MFA Exception" in Report-only | Q38 (WAN IP static? — discover from pfSense cfg, not Meredith) | +| **A3** | Fri–Sat | Email `support@medtelligent.com` for SSO Integrations kickoff; create App Registration "Cascades of Tucson - ALIS SSO" (single-tenant, redirect `https://cascadestucson.alisonline.com/ExternalLoginCallback`, ID tokens implicit hybrid enabled); create client secret "ALIS - Single Tenant Secret"; vault creds | Howard / portal access | +| **A4** | Sat | Pilot caregiver AD account in `OU=Sync-Phase1-Caregivers`; add to `SG-Caregivers`; assign unassigned Entra ID P2 (no new spend); verify ALIS staff profile email == Entra UPN exactly | Howard picks pilot (T0-1) | +| **A5** | Sun AM | Exit Entra Connect staging; full sync; verify pilot user appears hybrid with AD password live; CA What-If check confirms MFA bypass fires for correct conditions | A1–A4 green | +| **A6** | Sun PM | Enroll phone (QR from `CSC - Android Shared Phones` profile); pilot caregiver signs in via MSDM; verify zero MFA prompt on Cascades Wi-Fi; verify Teams/Authenticator/ALIS web app all SSO; verify sign-out / second sign-in works (shared-device proof) | A5 green | +| **A7** | Mon AM | CA Report-only logs reviewed (zero unexpected blocks); flip policy to On | A6 green | + +### Phase 1a (post-Monday): expand to full caregiver roster +- Create remaining ~36 caregiver AD accounts in same OU +- Purchase Business Premium seats (Q21 — tenant-wide preferred) +- Add to `SG-Caregivers` +- Factory-reset and enroll remaining 24 phones +- **Blocker resolved before 1a:** Q1 Ederick spelling + +### Track A blockers +- **T0-1 (Howard):** pick pilot caregiver — name + consent +- **T0-2 (Howard — discoverable):** pfSense WAN IP — confirm static by inspecting Cox circuit config. If dynamic, plan Named Location update hook. +- **T0-3 (Meredith, cheap ask):** sign Microsoft HIPAA BAA. Doesn't block phones technically — Meredith's covered entity exposure is the driver. 5 min. +- **T0-4 (ALIS, lead time):** ALIS Integrations team response to `support@medtelligent.com`. Send Friday. They may need 24–48h. + +--- + +## Part 3 — Track B: HIPAA Baseline (parallel to A, sized realistically) + +**Scope:** compliant-enough-to-survive-an-audit. Not gold-standard. Each item sized honestly. + +| ID | Item | Rule | Who | Effort | Cost | +|---|---|---|---|---|---| +| **B1** | Microsoft HIPAA BAA sign | §164.308(b)(1) Required | Meredith | 5 min portal click | $0 | +| **B2** | ALIS BAA confirmed | §164.308(b)(1) Required | Meredith → ALIS support | 1 email, 1–2wk vendor turnaround | $0 | +| **B3** | Risk Analysis document | §164.308(a)(1)(ii)(A) Required | Howard drafts → Mike/Howard sign Security Official → Meredith counter-signs CE | 3–4h | $0 | +| **B4** | Termination Procedures documented | §164.308(a)(3)(ii)(C) Required | Howard drafts from existing process | 1–2h | $0 | +| **B5** | Audit log retention decision | §164.312(b) + §164.316(b)(2) | Meredith picks option; Howard implements | 1h | $0 (option b) or ~$3/user/mo (option a) | +| **B6** | Synology shared-login risk acceptance | §164.312(a)(2)(i) interim | Meredith signs paper acknowledgment until Phase 4 cutover | Howard drafts form + route | $0 | +| **B7** | Break-glass admin **DECISION** (not the injected YubiKey spec — a decision entry only) | §164.312(a)(2)(ii) Addressable | Howard writes decision entry | 30 min | $0 | +| **B8** | Security Rule Implementation Register | §164.316(b) | Howard drafts — single doc listing every Addressable spec + decision | 2h | $0 | + +### Audit retention options (B5) +- **(a)** Microsoft Purview Audit (Premium) add-on — 10yr retention — ~$3/user/mo +- **(b)** M365 Compliance retention policy at 7 years — $0 *if we're on Business Premium tenant-wide* (which we would be for Phase 1a anyway) +- **(c)** Monthly export to immutable Azure Blob — $0 but operational burden + +**Recommended: (b)**, stacked on the Business Premium tenant-wide purchase we're already teeing up for Phase 1a. No additional spend. + +### What Track B does NOT include (drift scrubbed) +- ~~FIDO2 YubiKey purchase~~ — was injected; Emergency Access Procedure is Addressable, not Required; documented decision (B7) suffices +- ~~Per-user DLP policies~~ — not in Security Rule Required set +- ~~Defender for Identity / SIEM~~ — nice-to-have, not baseline + +--- + +## Part 4 — Track C: Future phases (not this week) + +| Item | When | Blocker | +|---|---|---| +| **C1** Phase 2 sync — in-building office-PHI staff (Sharon, Allison, Alma, Kyla, etc.) | Week-2 or later | Pre-cutover AD password reset to known values; 48h user comms; scheduled maintenance window | +| **C2** Phase 3 sync — remaining staff | Week-3 or later | Same mechanics as C1, larger batch | +| **C3** G2 role mailbox conversion (6 ready, 5 pending delegations) | Any time — execute the 6 with lists we have | 5 of 11 pending Meredith answers on delegates (Q8, Q11, Q14, Q15, Q16) | +| **C4** Synology → CS-SERVER file-share migration (Phase 4) | After Phase 2/3 sync | John answers on pacs/Activities/chat/Sandra Fish shares + MainOffice group membership | +| **C5** Wave 5 hardening — BitLocker fleet, LAPS, password policy, krbtgt rotation | After Phase 4 | Previous phases complete | + +--- + +## Part 5 — Open questions (slimmed, re-tiered) + +### T0 — Blocks Monday +- **T0-1 (Howard):** Pilot caregiver — who? Must be confirmed-spelling name, willing tester. +- **T0-2 (Howard, discoverable):** pfSense WAN IP — static? Query the appliance. +- **T0-3 (Meredith, Friday ask):** sign Microsoft HIPAA BAA. +- **T0-4 (ALIS, send Friday):** kick off SSO Integrations engagement via `support@medtelligent.com`. + +### T1 — Blocks Phase 1a (full caregiver rollout, not pilot) +- **Q1** Ederick Yuzon spelling — Meredith +- **Q21** Business Premium tenant-wide vs mixed SKU — Meredith (approve PO) +- **Q48** Reliable Agency shift scheduling pattern — Meredith (determines per-person vs supervised model) + +### T2 — Track B completion (parallel) +- **Q17** MS BAA (= T0-3) +- **Q18** ALIS BAA — Meredith +- **Q19** Synology shared-login risk posture (a/b/c) — Meredith → B6 +- **Q20** Audit retention path — Meredith → B5 (recommend (b)) +- **Q25** Reliable Agency contract → workforce vs BA — Meredith +- **Q27–29** Training, sanctions, termination procedure docs — Meredith + +### T3 — Blocks Phase 2/3 + Wave 4 (later) +- **Q2** Stephanie Devin status — Meredith +- **Q3** Dax Howard identity — Meredith +- **Q4** Tamra Matthews exit date — Meredith +- **Q6–16** Role mailbox delegations — Meredith (G2 remainder) +- **Q30–35** Synology content + MainOffice group — John +- **Q36** John's email activity — John +- **Q37** Matt Brooks cross-role delegation — John +- **Q38** WAN IP stability — John (confirms T0-2) +- **Q39** Dell R610 replacement — John + +### Dropped (drift — see Part 7) +- ~~**Q23** FIDO2 security key purchase~~ +- ~~**Q24** Second break-glass holder~~ + +--- + +## Part 6 — Executable now (no client answers needed) + +| Item | Agent / effort | Blocks what | +|---|---|---| +| Draft Risk Analysis (B3) | Howard, 3–4h | Nothing — parallel to Track A | +| Draft Termination Procedures (B4) | Howard, 1–2h | Nothing | +| Draft Security Rule Implementation Register (B8) | Howard, 2h | Nothing | +| Draft Synology risk-acceptance form for Meredith's signature (B6) | Howard, 30min | Nothing | +| SMB3 encryption on `\\CS-SERVER\homes` | `Set-SmbShare -Name homes -EncryptData $true` via GuruRMM | H3 HIPAA risk | +| Create `OU=Sync-Phase1-Caregivers` on CS-SERVER | Howard, 5 min | Track A Gate A1 prep | +| ALIS App Registration in Entra (A3) | Howard, 20 min | Track A Gate A5 verify | +| Email ALIS support for SSO kickoff | Howard, 10 min | Lead-time | + +--- + +## Part 7 — Drift log (honest record) + +The 2026-04-23 master plan had four accuracy/scope problems traced to doc-generation drift. Captured here so we don't repeat: + +1. **FIDO2 / YubiKey recommendation appeared without user input.** First showed up in `docs/cloud/user-account-rollout-plan.md` line 160 (commit `c077d58` — a staff-CSV ingest session where the session log has zero FIDO2 mention). Escalated to Required HIPAA finding H2 in `docs/security/hipaa-review-2026-04-22.md` (commit `6bd4166`, auto-sync, no session log). Then to Q23–24 T1 blocker in `PLAN-AND-QUESTIONS-2026-04-23.md` asking Meredith to buy a specific YubiKey 5C NFC (~$55). **The §164.312(a)(2)(ii) citation is Addressable, not Required, and doesn't prescribe FIDO2.** Removed. + +2. **ALIS SSO marked "Optional / separate project."** Gate G8 labeled optional in the old plan. In reality ALIS SSO is the endpoint of Howard's goal. Promoted to Track A Gate A3. + +3. **PHS deferred indefinitely.** Gate G5 was labeled deferred. Howard's confirmed intent 2026-04-24 is PHS enabled so M365 password == AD password. Reversed. + +4. **SAML / Enterprise App vs OIDC / App Registration.** My old writeup described ALIS SSO as "Enterprise App with SAML/OIDC." The ALIS doc (https://support.alisonline.com/hc/en-us/articles/34831696021901) specifies **App Registration with OIDC implicit hybrid flow and a client secret.** Not SAML, not Enterprise Application. Corrected in Gate A3. + +**Anti-drift commitment going forward:** new architectural decisions must trace back to a session log or user message, not be drafted unilaterally during document generation. When a document auto-adds a technical spec that nobody discussed, that's drift — we flag it rather than carrying it forward. + +--- + +## Revision history +- 2026-04-23 — original plan drafted by Howard (now archived) +- 2026-04-24 — rewritten: Track A/B/C split, phased Entra Connect sync, drift log added, Monday pilot target locked in diff --git a/clients/cascades-tucson/PROJECT_STATE.md b/clients/cascades-tucson/PROJECT_STATE.md index 8bf4998..ba67b25 100644 --- a/clients/cascades-tucson/PROJECT_STATE.md +++ b/clients/cascades-tucson/PROJECT_STATE.md @@ -10,7 +10,7 @@ | Session | Working On | Status | Started | |---------|-----------|--------|---------| -| Howard-Home/Claude (Howard) | Intune Phase B-1: Android compliance policy | IN_PROGRESS | 20:40 UTC 2026-04-21 | +| Howard-Home/Claude (Howard) | Track A phone-SSO pilot — Entra Connect prep, OU creation, WAN IP discovery, ALIS App Registration kickoff | IN_PROGRESS | 2026-04-24 (day) | **How to claim a lock:** Add a row before starting work. Remove it when done. Locks older than 2 hours with no update are considered stale. diff --git a/clients/cascades-tucson/docs/migration/phone-sso-pilot-runbook-2026-04-24.md b/clients/cascades-tucson/docs/migration/phone-sso-pilot-runbook-2026-04-24.md new file mode 100644 index 0000000..518ead8 --- /dev/null +++ b/clients/cascades-tucson/docs/migration/phone-sso-pilot-runbook-2026-04-24.md @@ -0,0 +1,361 @@ +# Phone SSO Pilot Runbook — Cascades of Tucson + +**Built:** 2026-04-24 by Howard + Claude +**Target:** Pilot caregiver phone usable end-to-end by Monday 2026-04-27 +**Reference:** `PLAN-AND-QUESTIONS-2026-04-24.md` Track A +**Pilot identity:** `howard.enos@cascadestucson.com` (AD), linked to Howard's existing ALIS admin account (`howard.enos` login) + +> This is the hands-on checklist. Each section has copy-paste-ready commands / field values. Check off as you go. + +--- + +## Pre-flight (already done) +- [x] CS-SERVER preflight green (2026-04-22 post-reboot verification) +- [x] `OU=Caregivers,OU=Departments,DC=cascades,DC=local` created 2026-04-24 +- [x] Orphan `OU=Sync-Phase1-Caregivers` removed +- [x] WAN IP discovered — primary `184.191.143.62` (confirmed, matches historical sign-in logs) +- [x] Master plan rewritten with Track A/B/C split +- [x] Risk Analysis draft saved (`docs/security/risk-analysis-2026-04.md`) + +--- + +## Gate A1 — Install Entra Connect on CS-SERVER (staging mode) + +**Prereq:** Domain admin logged into CS-SERVER console. Fresh download of Entra Connect Sync. + +Download: https://www.microsoft.com/en-us/download/details.aspx?id=47594 + +### Installer wizard — field-by-field + +| Wizard page | What to enter | +|---|---| +| Welcome | Accept license | +| Express Settings | Choose **Customize** (NOT Express) | +| Install required components | Leave defaults, Install | +| User sign-in | Select **Password Hash Synchronization**, check **Enable single sign-on** (optional — Seamless SSO for domain-joined PCs; safe to leave checked) | +| Connect to Azure AD | Sign in as Cascades tenant Global Admin (NOT the `howard.enos` test account — use your normal admin identity) | +| Connect your directories | Forest: `cascades.local`. Add with domain admin creds. | +| Azure AD sign-in configuration | Verify UPN suffix `cascadestucson.com` is verified in Azure (should be). If not, fix before proceeding. | +| Domain / OU filtering | Select **Sync selected domains and OUs**. Check **only** `OU=Caregivers,OU=Departments,DC=cascades,DC=local`. Uncheck everything else. | +| Uniquely identifying your users | Leave default: "Users are represented only once across all directories" + "objectGUID" | +| Filter users and devices | Synchronize all users and devices | +| Optional features | Leave defaults | +| **Ready to configure** | **CHECK "Enable staging mode"** — this is the key box. Install will run but NOT push anything to Azure. | +| Confirm → Install | | + +### Post-install verification (run from CS-SERVER PowerShell) + +```powershell +# Confirm staging mode is ON +Get-ADSyncScheduler | Select-Object StagingModeEnabled, SyncCycleEnabled, MaintenanceEnabled + +# Force a sync cycle (still staging — nothing pushed) +Start-ADSyncSyncCycle -PolicyType Initial + +# Check what would sync +Get-ADSyncConnector | Select-Object Name, Type + +# List staged-up users (should only include howard.enos once the account is created in A4) +Get-ADSyncCSObject -ConnectorName "cascades.local" | Select-Object DistinguishedName, ConnectorState | Select-Object -First 20 +``` + +--- + +## Gate A2 — Named Location + Conditional Access (Report-only) + +**Where:** Microsoft Entra admin center (https://entra.microsoft.com) → Protection → Conditional Access + +### A2.1 Named Location + +Entra → Protection → Conditional Access → **Named locations** → **+ IP ranges location** + +| Field | Value | +|---|---| +| Name | `Cascades Office` | +| Mark as trusted location | **Yes** (checkbox) | +| IP ranges (IPv4) | `184.191.143.62/32` | + +**Note on dual-WAN:** if pfSense query confirms a secondary WAN with a separate public IP, add that as a second `/32` entry later. Until then, we let Report-only mode show us which IPs are actually observed. + +### A2.2 CA Policy — Report-only + +Two policies implement: *"skip MFA only when SG-Caregivers member AND device compliant AND on trusted network; otherwise MFA."* + +**Policy 1: `Cascades - Caregivers - Untrusted Location - MFA + Compliant`** + +| Section | Setting | +|---|---| +| Users | Include: `SG-Caregivers` group | +| Cloud apps | Include: All cloud apps | +| Conditions → Locations | Include **Any location**, Exclude **Cascades Office** | +| Grant | **Require multi-factor authentication** AND **Require device to be marked as compliant** (select "Require all the selected controls") | +| Enable policy | **Report-only** | + +**Policy 2: `Cascades - Caregivers - Trusted Location - Non-Compliant - MFA`** + +| Section | Setting | +|---|---| +| Users | Include: `SG-Caregivers` group | +| Cloud apps | Include: All cloud apps | +| Conditions → Locations | Include **Cascades Office** only | +| Conditions → Filter for devices | Include filter: `device.isCompliant -eq False` | +| Grant | **Require multi-factor authentication** | +| Enable policy | **Report-only** | + +### A2.3 Verify via What-If tool + +Entra → CA → **What If** → simulate: +- User: `howard.enos@cascadestucson.com` +- Cloud app: Office 365 +- IP: `184.191.143.62`, location Cascades Office +- Device state: Compliant +- Expected: **no policies match** → no MFA would be required. This is the sign-in pattern we want. + +Then test untrusted scenario: +- Same user, same app +- IP: `8.8.8.8` (random external) +- Device: Compliant +- Expected: **Policy 1 matches** → MFA required. + +--- + +## Gate A3 — ALIS App Registration in Entra + +**Where:** Entra admin center → Applications → **App registrations** → **+ New registration** + +### A3.1 Register + +| Field | Value | +|---|---| +| Name | `Cascades of Tucson - ALIS SSO` | +| Supported account types | **Accounts in this organizational directory only (Default Directory only - Single tenant)** | +| Redirect URI — Platform | **Web** | +| Redirect URI — URL | `https://cascadestucson.alisonline.com/ExternalLoginCallback` | + +Click **Register**. + +### A3.2 Authentication + +Left sidebar → **Authentication**: +- Under **Implicit grant and hybrid flows** → check **ID tokens (used for implicit and hybrid flows)** +- Supported account types → **Accounts in this organization directory only (Default - Single tenant)** +- **Save** + +### A3.3 Client Secret + +Left sidebar → **Certificates & secrets** → **+ New client secret** + +| Field | Value | +|---|---| +| Description | `ALIS - Single Tenant Secret` | +| Expires | **24 months** (max — track in vault, renewal reminder required) | + +**Copy the `Value` immediately.** It's shown only once. Also capture the `Secret ID`. + +### A3.4 Capture the three values + +From **Overview** page: +- **Directory (tenant) ID:** `207fa277-e9d8-4eb7-ada1-1064d2221498` (known from existing tenant records) +- **Application (client) ID:** _capture after registration_ +- **Client Secret Value:** _captured in A3.3_ + +### A3.5 Vault the values + +Create `clients/cascades-tucson/alis-sso-app-registration.sops.yaml` with the three values + secret expiry date. Template: + +```yaml +kind: app-registration +name: Cascades ALIS SSO +tenant: cascadestucson.com +tenant_id: 207fa277-e9d8-4eb7-ada1-1064d2221498 +application_id: +client_secret_value: +secret_description: ALIS - Single Tenant Secret +secret_created: 2026-04-24 +secret_expires: 2028-04-24 +notes: | + Track expiration — IT admin must update ALIS App Store SSO settings with a new + secret each renewal cycle or sign-in will stop working for all linked users. + Rotation reminder: add to calendar 30 days before expires. +``` + +### A3.6 ALIS App Store install (YOUR SIDE, not Entra) + +Log into ALIS → App Store → search "Entra SSO" → Install → on the **Configure** tab, under **Outbound Connections**, paste: +- Directory ID +- Application ID +- Client Secret Value + +Save. + +--- + +## Gate A4 — Pilot AD account + +Run via GuruRMM on CS-SERVER (I'll execute when you say go): + +```powershell +# Generate a random initial password (you'll know it; caregiver won't need it since +# they'll set via self-service or login will SSO from phone directly) +$tempPass = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 16 | ForEach-Object {[char]$_}) + "!9" +$securePass = ConvertTo-SecureString $tempPass -AsPlainText -Force + +New-ADUser ` + -Name "Howard Enos" ` + -GivenName "Howard" ` + -Surname "Enos" ` + -SamAccountName "howard.enos" ` + -UserPrincipalName "howard.enos@cascadestucson.com" ` + -EmailAddress "howard.enos@cascadestucson.com" ` + -Path "OU=Caregivers,OU=Departments,DC=cascades,DC=local" ` + -AccountPassword $securePass ` + -Enabled $true ` + -ChangePasswordAtLogon $false ` + -Description "Phone SSO pilot test account — Howard's ALIS admin login target" + +Write-Output "Account created. Temporary password: $tempPass" + +# Add to SG-Caregivers (the group from G1) +Add-ADGroupMember -Identity "SG-Caregivers" -Members "howard.enos" + +# Verify +Get-ADUser howard.enos -Properties MemberOf, DistinguishedName, EmailAddress | + Select-Object SamAccountName, UserPrincipalName, EmailAddress, DistinguishedName, @{N='Groups';E={$_.MemberOf -join '; '}} +``` + +After run, vault the temporary password to `clients/cascades-tucson/howard-enos-pilot.sops.yaml` so we can find it later if needed. + +**ALIS side (you do):** in ALIS admin, update `howard.enos` staff profile's Email field to `howard.enos@cascadestucson.com` so it matches the Entra UPN. Required for SSO linking to resolve. + +--- + +## Gate A5 — Exit staging, sync, verify + +Run on CS-SERVER: + +```powershell +# Turn off staging mode +Set-ADSyncScheduler -SyncCycleEnabled $true +Set-ADSyncSchedulerConnectorOverride -ConnectorIdentifier "cascades.local" -FullSyncRequired + +# Open Azure AD Connect app from Start menu → Configure → Configure staging mode → UNCHECK "Enable staging mode" → Next → Configure + +# After exiting staging, force a full sync +Start-ADSyncSyncCycle -PolicyType Initial +``` + +Verify in Entra (https://entra.microsoft.com → Users): +- `howard.enos@cascadestucson.com` appears as hybrid (Source: Windows Server AD) +- The on-premises AD password hash should now be the M365 sign-in password + +Test sign-in at https://portal.office.com with `howard.enos@cascadestucson.com` + the temp AD password. Should succeed. **May** prompt for MFA at first sign-in depending on tenant defaults — that's fine. + +--- + +## Gate A6 — Enroll pilot phone + +**Phone choice:** fresh Samsung A15 (one of the 24 unopened), OR wipe the existing enrolled Phone 1. + +**Enrollment path:** MSDM shared-device mode, QR-code from `CSC - Android Shared Phones` profile (already configured in Intune). + +Steps: +1. Factory reset phone (if reused) +2. At first-boot, scan the QR code from `CSC - Android Shared Phones` +3. Phone enrolls into Intune, joins `Cascades - Shared Phones` dynamic group automatically (rule based on enrollmentProfileName) +4. Policies apply — compliance, Wi-Fi profile, required apps +5. Wait ~5–15 min for compliance to be evaluated + +**Test sign-in as pilot:** +- Open Teams or Authenticator → **Sign in** +- Enter `howard.enos@cascadestucson.com` + AD password +- **Expected (on Cascades Wi-Fi):** no MFA prompt (trusted location + compliant device → policies don't match) +- **Expected (off Cascades Wi-Fi):** MFA prompt (Policy 1 matches → require MFA + compliant) +- **ALIS web app:** should auto-SSO after M365 sign-in completes (ALIS OIDC app redirects to Entra for auth) + +**Verify in Entra sign-in logs:** +https://entra.microsoft.com → Monitoring & Health → Sign-in logs → filter User = howard.enos +- Column "Conditional Access" → should show "Report-only" results matching expected behavior +- Column "IP address" → should match `184.191.143.62` when on Cascades Wi-Fi (confirms Named Location matched) + +--- + +## Gate A7 — Flip CA to Enforcement (Monday AM) + +After review of Sat–Sun sign-in logs: +- Confirm no "would have been blocked" events for legitimate sign-ins +- Both CA policies → **Enable policy: On** (was Report-only) + +Run one more pilot sign-in from phone to confirm no regression. + +--- + +## Parallel: ALIS support email (send anytime) + +**To:** `support@medtelligent.com` +**Subject:** Cascades of Tucson — SSO setup, BAA request, and PIN feature availability + +``` +Hi ALIS team, + +I'm the MSP IT contact for Cascades of Tucson (tenant: cascadestucson.alisonline.com). +We are setting up Microsoft Entra SSO for our staff per your documentation at +https://support.alisonline.com/hc/en-us/articles/34831696021901. + +We have three asks: + +1. HIPAA Business Associate Agreement (BAA) — Cascades is a HIPAA-covered entity + and we need a signed BAA with Medtelligent / ALIS on file. Please send the + current template. + +2. User linking workflow — your documentation says users "link their ALIS account + to their Microsoft identity." Can you confirm whether linking is triggered by + administrator action (push) or by each user's first SSO sign-in attempt? + We are doing a controlled pilot rollout and need to know whether installing + the Entra SSO app will trigger any automatic re-linking for existing users, + or whether existing ALIS credentials keep working until each user is + individually linked. + +3. Login PINs feature — your docs note this is "limited-release." Is this + feature available to us? It looks valuable for our shared-phone caregiver + workflow (faster re-auth without full OIDC redirect each time). + +As a secondary item, we would also appreciate your FIPS 140-2 attestation / +compliance statement for our HIPAA risk analysis documentation. + +Happy to connect with your Integrations team as needed. + +Thanks, +Howard Enos +Arizona Computer Guru (MSP for Cascades of Tucson) +howard@azcomputerguru.com +``` + +--- + +## Rollback points + +| Gate | Rollback | +|---|---| +| A1 | Uninstall Entra Connect from Control Panel → nothing synced | +| A2 | Delete CA policies + Named Location — zero impact if Report-only | +| A3 | Delete App Registration in Entra — ALIS SSO stops working but ALIS credential login still works | +| A4 | Disable / remove `howard.enos` AD account | +| A5 | Re-enter staging mode via ADConnect wizard; re-sync to remove pilot from cloud | +| A6 | Factory reset phone | +| A7 | Flip both policies back to Report-only | + +No hard-to-reverse steps. Only concern: **after PHS is on, existing cloud-only M365 passwords for users in sync scope are overwritten by their AD password.** Phase 1 scope is just `howard.enos` (new account) — no existing-user password migration pain. + +--- + +## Open items / decisions as of 2026-04-24 + +- [ ] Dual-WAN verdict from pfSense (Howard to check after lockout clears) +- [ ] `72.211.21.217` egress IP — confirm or discard after Named Location Report-only logs show actual sign-in IPs +- [ ] ALIS support email sent +- [ ] ALIS BAA received +- [ ] Login PINs feature availability confirmed + +## Open questions handled elsewhere +- Everything Meredith-blocking → master plan Track B + `PLAN-AND-QUESTIONS-2026-04-24.md` §5 +- ALIS password pasted in chat earlier → rotate when convenient (post-pilot) diff --git a/clients/cascades-tucson/docs/security/risk-analysis-2026-04.md b/clients/cascades-tucson/docs/security/risk-analysis-2026-04.md new file mode 100644 index 0000000..c578f2e --- /dev/null +++ b/clients/cascades-tucson/docs/security/risk-analysis-2026-04.md @@ -0,0 +1,452 @@ +# HIPAA Security Rule Risk Analysis — Cascades of Tucson + +**Document ID:** RA-2026-04 +**Facility:** Cascades of Tucson (236-room assisted living + memory care community, Tucson AZ) +**Covered Entity:** Cascades of Tucson LLC +**Prepared by:** Howard Enos, Technician, Arizona Computer Guru (MSP) +**Reviewed by (Security Official):** Mike Swanson, President, Arizona Computer Guru (designated Security Official per §164.308(a)(2)) +**Counter-signed by (CE leadership):** Meredith Kuhn, Executive Director, Cascades of Tucson +**Date drafted:** 2026-04-24 +**Effective date:** On counter-signature +**Next review:** No later than 2027-04-24, or upon material change to environment, workforce, or threat landscape (§164.316(b)(2)(iii)) +**Supersedes:** None — this is the first formal Risk Analysis on file for Cascades of Tucson + +--- + +## 1. Purpose and regulatory basis + +HIPAA Security Rule §164.308(a)(1)(ii)(A) is a **Required** implementation specification: every covered entity must "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity." + +This document is that assessment. It follows the structure of **NIST SP 800-66 Revision 2 (Feb 2024) Section 3 — Risk Assessment Methodology**, which HHS OCR cites as the de-facto framework for Security Rule risk analyses. It is intentionally sized to the scale of Cascades — a single 236-room assisted living community with roughly 70 workforce members — rather than to the scale of a hospital. The goal is an audit-defensible analysis, not a gold-standard one. + +Where implementation specifications are **Addressable**, this document records the decision made, the rationale for that decision, and any compensating controls, as required by §164.306(d)(3). Addressable does not mean optional; it means the covered entity must either implement the spec, implement a reasonable alternative, or document a reasoned decision that neither is appropriate — and document that reasoning in writing. Decisions are cross-referenced to the **Security Rule Implementation Register** (`docs/security/implementation-register.md`, tracked as master-plan item B8). + +--- + +## 2. Scope (NIST 800-66r2 §3.1 — System Characterization) + +### 2.1 ePHI defined in the Cascades environment + +For purposes of this analysis, ePHI at Cascades means any electronic information that identifies a resident (name, room number, date of birth, Medicare/Medicaid ID, insurance info) combined with any information about the resident's health condition, medications, diagnoses, care plan, clinical imaging, incident reports, or service authorization. It does NOT include food-service-only data (kitchen iPad meal orders), facility-only data (work orders with no resident identifier), or marketing data that has never included resident health status. + +### 2.2 Workforce members in scope + +Based on the 2026-04-22 staff roster (`reports/cascades-staff-2026-04-22.csv`, ~70 rows): + +- **Clinical workforce** (handles PHI directly): Health Services Director, Health Services Manager, Memory Care Director, Memory Care Admin Assistant, Memory Care Nurses, Assisted Living Aides, MedTechs, Caregivers (approx. 39 net-new caregiver roles per Phase 1a rollout plan) +- **Administrative workforce with PHI access** (billing, admissions, records): Executive Director, Assistant Executive Director, Business Office Director, Accounting staff, Sales / Move-In Coordinator (limited — pre-admission assessment data) +- **Operational workforce with incidental PHI exposure**: Front Desk / Resident Services Receptionist (visitor logs, message-taking), Courtesy Patrol (incident reports), Life Enrichment (activity attendance + limited health accommodations), Drivers (pickup sheets with rider names + appointment context) +- **IT / admin workforce**: MSP technicians (Howard Enos, Mike Swanson) with role-based admin access; internal `sysadmin@` global admin. All IT access is subject to the Business Associate Agreement between Cascades and Arizona Computer Guru. +- **Out of scope**: Culinary / kitchen staff who do not enter the clinical wing and do not use ALIS. + +### 2.3 Systems in scope + +| System | Location | ePHI role | Owner | +|---|---|---|---| +| **ALIS** (go-alis.com / Medtelligent) | Cloud EHR (SaaS) | Primary clinical record — medications, care plans, assessments, incident logs | Medtelligent Inc. (Business Associate, BAA to be confirmed — item B2 in master plan) | +| **Microsoft 365** (cascadestucson.com) | Cloud — Exchange Online, OneDrive, SharePoint, Teams | PHI transit + at-rest in email bodies/attachments, staff OneDrive, planned Teams chat | Microsoft Corp. (Business Associate — **BAA not yet signed**, see §6.1.1) | +| **CS-SERVER** (192.168.2.254) | On-prem Windows Server 2016, Dell R610 (2009) | Primary on-prem file server, AD DC, DNS, DHCP, Hyper-V host for VoIP; hosts `\\CS-SERVER\homes` (user folder redirection target for PHI-generated documents) | Cascades (MSP-managed) | +| **Synology NAS** `cascadesds` (192.168.0.120) | On-prem, DSM 7 | Legacy file store — `Management`, `pacs`, `Server`, `Sandra Fish`, `homes` shares contain PHI. Scheduled for retirement in Phase 4. | Cascades (MSP-managed) | +| **Workstations** (staff PCs, ~18 audited) | On-prem | Browser access to ALIS, M365 mailboxes, SMB-mounted CS-SERVER / Synology shares | Cascades | +| **Shared caregiver phones** (Samsung A15, 25 units, Intune-managed) | Mobile | ALIS web app, Teams, Authenticator via Microsoft Shared Device Mode | Cascades (MSP-enrolled in Intune) | +| **pfSense firewall** (192.168.0.1) | On-prem | Enforces segmentation; terminates Cascades WAN | Cascades (MSP-managed) | +| **UniFi Wi-Fi** (CSCNet, CSC ENT, Guest) | On-prem | Transit for ePHI on phones and laptops | Cascades (MSP-managed) | + +### 2.4 Out-of-scope systems (documented so the scope is defensible) + +Kitchen iPads (food orders only, no resident health data), kitchen thermal printers (receipts), resident room VLANs (personal devices, no facility PHI), Ring security cameras (common areas, no clinical content), GoDaddy-hosted public website (no PHI), DirecTV entertainment infrastructure. If any of these systems are later used to process PHI, this scope statement must be updated. + +### 2.5 ePHI flows (simplified data-flow diagram) + +``` +Resident / family intake + │ + ▼ +Admissions (Sales / Move-In Coordinator) + ├── Paper → scanned → email / Management share → ALIS entry + │ +Clinical staff (RN, MedTech, Caregiver) + ├── ALIS (browser on workstation OR web app on Intune phone) + ├── Incident reports → Management share / email to Exec + ├── Paper MARs (non-electronic, outside this analysis) + │ +Executive / Business Office + ├── M365 mailbox (PHI in emails re: billing, hospice coordination, family) + ├── CS-SERVER homes share (folder redirection) + ├── Synology Management share (clinical admin docs) — LEGACY, Phase 4 retire + │ +MSP (Arizona Computer Guru) + ├── Remote admin via documented BAA scope (no casual PHI browsing) + ├── Backup storage (WSB → Synology — currently the only backup; HIPAA gap #1) + │ +External disclosures + ├── Microsoft (platform — BAA pending) + ├── Medtelligent/ALIS (EHR vendor — BAA pending confirmation) + ├── Pharmacy, hospice, hospital partners (outside IT scope — paper + fax) + └── Reliable Agency (contingent caregivers — workforce vs BA classification pending) +``` + +--- + +## 3. Data collection (NIST 800-66r2 §3.2 — ePHI inventory) + +Per §3.2 the risk analysis must enumerate where ePHI is created, received, maintained, or transmitted. The following inventory was compiled from `docs/security/hipaa.md`, `docs/migration/synology-permission-inventory.md`, `docs/cloud/m365.md`, `docs/servers/active-directory.md`, and `PROJECT_STATE.md`. + +### 3.1 ePHI at rest + +| Location | Type of ePHI | Approx. volume | Access method | At-rest encryption | Notes | +|---|---|---|---|---|---| +| ALIS cloud tenant | Full clinical records (MARs, care plans, assessments, incident logs, imaging refs) | All 236 residents, historical | HTTPS / browser / phone web app | Provider-managed (FIPS 140-2 per vendor attestation — to confirm with BAA) | Out of scope for Cascades infrastructure hardening; in scope for access-control + SSO | +| CS-SERVER `\\CS-SERVER\homes` | User-generated PHI (Word docs, Excel, PDFs dropped in redirected Documents/Downloads/Desktop) | Growing — every office user | SMB from staff PCs | BitLocker status on D: drive **not yet documented** (audit gap, master plan item) | SMB3 encryption is currently OFF; scheduled `Set-SmbShare -EncryptData $true` in master plan Part 6 | +| CS-SERVER other shares | Drive mappings (S:, M:, P:, etc.) | Per share | SMB | Same as homes | Folder-redirection destination shares must match homes encryption posture | +| Synology `Management` share | Clinical admin docs, billing refs, care plan exports | Active | SMB from workstations | ext4, not encrypted at-rest per audit | High-risk — Phase 4 retirement target | +| Synology `pacs` share | Likely imaging (PACS = Picture Archiving and Communication System naming convention) | Historical | SMB from workstations | ext4, not encrypted at-rest | Highest-risk Synology share | +| Synology `homes`, `Sandra Fish`, `Server`, `chat` shares | Mixed — user homes, historical director artifacts, staff chat logs | Active + legacy | SMB | ext4 | Contains PHI based on RW grants to clinical users | +| M365 Exchange Online mailboxes | PHI in emails, attachments, calendar invites | 34 licensed mailboxes | Outlook / OWA / mobile Outlook / phone web | Service-managed (Microsoft) | Licensed under BAA once signed | +| M365 OneDrive | Potential — users may save PHI to OneDrive unintentionally | Variable | Sync client / web | Service-managed | No DLP in place today | +| Staff workstation local disks | Cached Outlook OST, browser cache, downloaded attachments | 18 audited + ~10 more | Local | BitLocker broken or missing on 13 of 18 per audit 2026-03-20 | HIGH gap (master issue #12) | +| Caregiver shared phones (Samsung A15) | ALIS web app session data, Authenticator, Teams messages | 25 devices (1 enrolled, 24 in box) | Intune-managed | Device-level encryption required by compliance policy `CSC - Android Compliance` | Per-device enforcement verified on pilot device | +| Backup — Windows Server Backup → Synology SMB share | Full CS-SERVER image including PHI shares | Growing | SMB write from CS-SERVER | ext4 underlying volume, no BitLocker on target | Only backup that exists; no offsite copy (master issue #1 Critical) | + +### 3.2 ePHI in transit + +| Channel | Protocol | Encryption | Notes | +|---|---|---|---| +| Staff PC ↔ ALIS | HTTPS (TLS 1.2+) | Server-enforced | Good | +| Phone ↔ ALIS (web app in MSDM) | HTTPS (TLS 1.2+) | Server-enforced | Good | +| Staff PC ↔ M365 (Outlook, OWA, OneDrive sync) | HTTPS (TLS 1.2+) | Service-enforced | Good (Microsoft side); depends on BAA | +| Staff PC ↔ CS-SERVER SMB | SMB3 | SMB3 encryption currently OFF on `homes` (planned remediation) | See §6 H3 | +| Staff PC ↔ Synology SMB | SMB2/3 | Not encrypted | Phase 4 decommission | +| Email sent to external partners (pharmacy, hospice, hospital) | SMTP over TLS (opportunistic) | Variable depending on recipient MTA | No outbound DLP to enforce mandatory TLS + subject-line rules | +| MSP remote admin (Arizona Computer Guru) | Multiple tools (RMM, RDP) | TLS / NLA required per audit remediation (2026-03-20) | RDP-without-NLA findings have been resolved | +| Phone cellular / hotspot path | Carrier-side | Carrier-side | Conditional Access "Cascades Office" Named Location steers phones to Wi-Fi; off-network use is flagged | + +### 3.3 PHI creation points + +Every clinical shift generates ePHI. The most common creation points: +- **Caregiver documentation in ALIS** (per-resident tasks, observations) — phone or workstation +- **Incident reports** drafted in Word, emailed to Exec / Health Services Director, archived on `Management` or `homes` shares +- **Scanned intake paperwork** (admission, advance directives, physician orders) uploaded to ALIS or Management share +- **Internal email chains** re: hospice transition, hospital return, family care conferences — all contain PHI in message bodies + +--- + +## 4. Threats and vulnerabilities (NIST 800-66r2 §3.3 — Threat & Vulnerability Identification) + +The following threat sources are considered in this analysis, aligned to NIST SP 800-30r1 Appendix D categories: + +- **T-Adv** — Adversarial (external criminal attacker, opportunistic ransomware, targeted phishing, credential-stuffing, insider-turned-malicious) +- **T-Acc** — Accidental (workforce mistake — misaddressed email, wrong attachment, lost phone, accidental deletion) +- **T-Str** — Structural (equipment failure — the 16-year-old CS-SERVER is Exhibit A; disk failure, PSU failure, software bug, vendor outage) +- **T-Env** — Environmental (power loss, fire, water, HVAC failure, theft from facility) + +Each threat is paired with one or more environment-specific vulnerabilities drawn from the audit findings and the 2026-04-22 HIPAA review. + +### 4.1 Threat-vulnerability pairs specific to Cascades + +| # | Threat | Vulnerability at Cascades (grounded in repo docs) | Source | +|---|---|---|---| +| **TV-01** | T-Adv — credential theft / phishing | No MFA enforced on M365 historically (Security Defaults not enabled); 34 Business Standard accounts; some without recent password rotation | `docs/cloud/m365.md` line 14; master issue #15 | +| **TV-02** | T-Adv — ransomware / malware | 6 machines >3 months behind on Windows Updates; BitLocker broken or missing on 13 of 18 audited PCs; LAPS not deployed (same local admin password fleet-wide) | `docs/issues/audit-findings-2026-03-20.md` items #3, #12, #13 | +| **TV-03** | T-Adv — lateral movement post-compromise | krbtgt password 569+ days old; `RestrictAnonymous=0` fixed but LDAP channel binding not configured; Protected Users group empty | audit-findings items #20, #24, #25 | +| **TV-04** | T-Adv / T-Acc — shared-account abuse (anyone in a PHI-access role can sign in with no attribution) | **7 Synology shared-credential accounts** with RW to PHI shares: `Accounting`, `Dining Manager`, `Front Desk`, `mcnurse`, `Memcare Receptionist`, `memcarenurse`, `Nurse Tower`. Plus 3 workstation shared local accounts with NO password (NURSESTATION-PC `Nurses`, MEMRECEPT-PC `memfrtdesk`, RECEPTIONIST-PC `Front Desk`). | `docs/migration/synology-permission-inventory.md` §Shares; audit item #5 | +| **TV-05** | T-Adv — impersonation / business email compromise | No Defender anti-impersonation configuration on Business Standard; DMARC now at `p=quarantine` (2026-04-21) but spoofing recheck only had a 26-hour clean window at time of write | `docs/cloud/m365-impersonation-protection.md`; `reports/2026-04-21-post-dmarc-spoofing-recheck.md` | +| **TV-06** | T-Adv — third-party / BA exposure | Microsoft HIPAA BAA **not signed** (active Required-spec violation under §164.308(b)(1)); ALIS BAA not yet confirmed by Medtelligent; Reliable Agency workforce-vs-BA status undetermined | `docs/cloud/m365.md` line 12; HIPAA review 2026-04-22 C3, M3 | +| **TV-07** | T-Acc — misaddressed email containing PHI | Business Standard SKU has no DLP; no per-user outbound warning for PHI patterns (SSN, MRN) | `docs/cloud/m365.md` line 101 | +| **TV-08** | T-Acc — lost / stolen phone with an active ALIS session | Shared caregiver phones issued in a 24/7 facility; high physical turnover; phone compliance policy enforces 6-digit PIN + 1-minute inactivity + encryption, but the human can always hand off mid-session | `PROJECT_STATE.md` Intune rollout; ALIS web-app policy | +| **TV-09** | T-Acc — accidental over-share on SMB | `Everyone = Full Control` on multiple CS-SERVER shares (Culinary, directoryshare, Roaming per audit); PHI may land in the wrong share via folder redirection without the user realizing | audit item #14, #26 | +| **TV-10** | T-Str — CS-SERVER catastrophic hardware failure | 2009 Dell R610 — **16 years old** — is the ONLY domain controller, ONLY file server, ONLY DNS/DHCP, ONLY Hyper-V host. Ransomware / disk / PSU failure is an extinction event | audit item #2 Critical | +| **TV-11** | T-Str — no audit trail of PHI file access | CS-SERVER Object Access auditing currently disabled (`No Auditing`); Synology ext4 provides no auditable file-access log. If a breach happens we cannot tell who read what. | audit item #6 Critical; `docs/security/hipaa.md` gap #17 | +| **TV-12** | T-Str — data loss from lack of backup | CS-SERVER has no offsite backup. WSB → Synology is on-prem only and on the same physical power/fire/theft footprint. No M365 backup. | audit item #1 Critical | +| **TV-13** | T-Str — audit log retention below 6-year HIPAA floor | M365 audit default is 1 year, but §164.316(b)(2)(i) requires 6-year documentation retention | HIPAA review 2026-04-22 H1 | +| **TV-14** | T-Str — permissive firewall rule bleeds resident-VLAN traffic into staff VLAN | Floating pfSense rule #4 passes all IPv4 traffic, defeating room-to-room and resident-to-staff isolation | audit item #8 Critical | +| **TV-15** | T-Env — physical theft / loss of workstation | Low — facility is keycard-controlled during off hours — but any workstation with a local cache of PHI (OST, downloaded attachments) and broken BitLocker is a potential breach | audit item #12 combined with building access posture | +| **TV-16** | T-Env — power / water / fire | Single DC co-located with all facility IT in one room; no tested disaster-recovery runbook | `docs/security/hipaa.md` gap #1 | +| **TV-17** | T-Adv — former-employee access never revoked | Audit 2026-03-20 found 7 enabled-but-gone AD accounts + 5 disabled-but-not-deleted (cleaned 2026-04-13). Termination Procedures (§164.308(a)(3)(ii)(C)) not previously documented. | `docs/servers/active-directory.md` §Account Removals; HIPAA review C2 | +| **TV-18** | T-Adv — Kitchen iPad / resident-VLAN lateral access | 9 kitchen iPads on INTERNAL VLAN with access to staff resources; resident VLAN bleed per TV-14 | audit item #29 | +| **TV-19** | T-Adv — stale / unauthorized remote-access tooling | TightVNC on MEMRECEPT-PC; Splashtop on all 19 machines; Datto RMM on CS-SERVER; N-able Take Control, RemotePC, TeamViewer, GoTo all present from previous MSP | audit item #20 | +| **TV-20** | T-Acc — workforce not trained on Privacy Rule / sanctions | No evidence of annual HIPAA Privacy training records for non-clinical workforce (drivers, courtesy patrol, life enrichment, front desk) | HIPAA review 2026-04-22 H4 | + +--- + +## 5. Existing controls (NIST 800-66r2 §3.4 — Control Analysis) + +These are the controls **actually in place** as of 2026-04-24, not controls that are "planned" or "recommended." Planned controls are tracked in §7 Risk Treatment. + +### 5.1 Administrative safeguards in place + +| Control | Implementation | HIPAA cite | +|---|---|---| +| Designated Security Official | Mike Swanson, Arizona Computer Guru (MSP Owner) | §164.308(a)(2) | +| MSP Business Associate relationship | Arizona Computer Guru operates under BAA with Cascades | §164.308(b)(1) | +| Workforce access controls via AD security groups | Security groups `SG-Management-RW`, `SG-Sales-RW`, `SG-Server-RW`, `SG-Chat-RW`, `SG-Culinary-RW`, `SG-IT-RW`, `SG-Receptionist-RW`, `SG-Directory-RW`, `SG-Caregivers` created 2026-04-22; role-based access model | §164.308(a)(4) | +| Termination — same-day account disable practice | Implemented 2026-04-22 for Britney Thompson (prior to litigation-hold remediation) | §164.308(a)(3)(ii)(C) | +| AD Recycle Bin enabled | Enables account recovery within 180 days; confirmed 2026-03-21 | §164.308(a)(7) supports integrity | +| MSP change documentation | All changes logged to `session-logs/`, `reports/`, and `PROJECT_STATE.md`; master plan in `PLAN-AND-QUESTIONS-2026-04-24.md` | §164.316(b)(1) | + +### 5.2 Physical safeguards in place + +| Control | Implementation | HIPAA cite | +|---|---|---| +| Keycard-controlled facility access | Standard assisted-living physical access controls | §164.310(a)(1) | +| CS-SERVER in locked IT room | Confirmed via onsite visits | §164.310(a)(2)(ii) | +| Intune device inventory for mobile tier | 25 Samsung A15 shared phones enrolled or queued; dynamic device-group membership via enrollment profile | §164.310(d)(1) | +| Workstation siting | Front-desk workstations visible to staff only; clinical workstations in nurse stations not accessible to residents | §164.310(b) | + +### 5.3 Technical safeguards in place + +| Control | Implementation | HIPAA cite | +|---|---|---| +| Unique User ID — office staff | All M365 staff have personal `first.last@` UPNs (shared mailboxes are access-delegated, not shared-credential) | §164.312(a)(2)(i) | +| Unique User ID — caregivers (mobile tier) | MSDM-based per-user Entra sign-in on shared phones; each caregiver has own AD + Entra identity | §164.312(a)(2)(i) | +| Automatic logoff — mobile tier | Android compliance policy enforces 1-minute inactivity screen lock + 6-digit numericComplex PIN; encryption required; root + SafetyNet + App Integrity enforced | §164.312(a)(2)(iii) Addressable | +| Transmission encryption — M365 | TLS 1.2+ enforced by Microsoft for Outlook / OWA / OneDrive / Teams | §164.312(e)(1) | +| Transmission encryption — ALIS | TLS 1.2+ enforced by Medtelligent | §164.312(e)(1) | +| Encryption at rest — mobile tier | Android Enterprise device-level encryption required by compliance policy | §164.312(a)(2)(iv) Addressable | +| Person / entity authentication — office users | M365 password-based, MFA will be enforced by Conditional Access post-Entra-Connect | §164.312(d) | +| Person / entity authentication — caregivers | Entra ID + MSDM + Conditional Access "Cascades - Phone MFA Exception" (MFA waived only when user ∈ `SG-Caregivers` AND device compliant AND sign-in from Cascades WAN IP); MFA required everywhere else | §164.312(d) | +| DMARC | Policy `p=quarantine; pct=100` deployed 2026-04-21 (Mike); SPF and DKIM in place | §164.312(e)(1) supports transmission integrity | +| DMARC post-deploy verification | Spoofing recheck `reports/2026-04-21-post-dmarc-spoofing-recheck.md` confirmed quarantine working 26h clean window | §164.312(e)(1) | +| Malware protection | Windows Defender + MSP AV agent (Datto AV migrating to GuruRMM stack) | §164.308(a)(5)(ii)(B) | +| MSP-managed patching | GuruRMM AutoPatch running; 5 of 6 critically behind machines patched overnight 2026-03-20 | §164.308(a)(5)(ii)(B) | +| Account lockout | 5 attempts / 30 minutes, enforced in Default Domain Policy 2026-03-09 | §164.308(a)(5)(ii)(D) | +| MDM compliance + restrictions | Intune config profile `CSC - Android Shared Phones Restrictions` (factoryResetBlocked, no USB, no unknown sources, screenCaptureBlocked, no dev settings, update window 02:00-06:00 UTC); `CSC - CSCNet Wi-Fi (WPA2-Personal)` | §164.310(d), §164.312(a)(1) | +| RDP hardened | NLA required on all remaining RDP endpoints; audit finding for ASSISTMAN-PC + DESKTOP-U2DHAP0 resolved 2026-03-20 | §164.312(e)(1) | +| Remote-access tooling consolidation | Plan in place; TightVNC and legacy MSP tools flagged for removal | §164.312(a)(1) | + +### 5.4 Organizational safeguards in place + +| Control | Implementation | HIPAA cite | +|---|---|---| +| Business Associate relationships identified | Microsoft (BAA pending, item B1 — this is an active gap), Medtelligent/ALIS (pending confirmation, item B2), Arizona Computer Guru (executed) | §164.308(b)(1) | +| Policy & procedure documentation | This Risk Analysis + Security Rule Implementation Register (B8, in drafting) + Termination Procedures (B4, in drafting) + Synology shared-login risk-acceptance form (B6, in drafting) | §164.316(b)(1) | + +--- + +## 6. Risk determination — likelihood × impact (NIST 800-66r2 §3.5) + +Likelihood and impact are rated on a low / medium / high scale using the following rubric tailored to a single-facility covered entity: + +- **Likelihood — Low**: event plausible but has not been observed in this environment or comparable ones in the last 24 months, AND existing controls materially reduce exposure. +- **Likelihood — Medium**: event has been observed in comparable environments (assisted living, small healthcare) in the last 24 months, OR existing controls have known gaps. +- **Likelihood — High**: event has been observed in this environment OR is actively present as an unresolved gap on the day this analysis is signed. +- **Impact — Low**: small number of records (<10 residents), limited to non-sensitive categories (e.g., scheduling), recoverable without OCR notification. +- **Impact — Medium**: moderate exposure (10–100 records) or single sensitive record (e.g., memory-care diagnosis disclosed externally); may trigger state breach-notification law (AZ has a 45-day notification clock for >1,000 residents — Cascades is below this threshold but OCR reporting still applies). +- **Impact — High**: bulk exposure (≥100 records), full facility record loss, OR operational continuity hit (ALIS inaccessible for >24 hours during a clinical shift). + +**Overall risk tier**: [CRITICAL] is reserved for pairs that are High × High; [HIGH] for High × Medium or Medium × High; [MEDIUM] for Medium × Medium or Low × High / High × Low; [LOW] for all others. + +### 6.1 Risk ratings per threat-vulnerability pair + +| # | Threat-vuln | Likelihood | Impact | Tier | Rationale | +|---|---|---|---|---|---| +| **TV-01** | Credential theft / phishing — no MFA historically | Medium | High | **[HIGH]** | Controls improving (DMARC, planned CA, planned Entra Connect + MFA) but baseline today is still pre-MFA. An admin mailbox compromise today gives full M365 tenant access. | +| **TV-02** | Ransomware / malware — patch + BitLocker gaps | Medium | High | **[HIGH]** | 5 of 6 critically-behind machines have been patched, but BitLocker is broken on 13 of 18 PCs, and LAPS is not deployed. A ransomware hit on CS-SERVER combined with TV-12 (no offsite backup) is an extinction event. | +| **TV-03** | Lateral movement / AD compromise | Medium | High | **[HIGH]** | krbtgt is overdue for rotation; LDAP channel binding not configured; Protected Users empty. Post-compromise blast radius is extreme because CS-SERVER is the only DC. | +| **TV-04** | Shared-account abuse on Synology + shared workstations | **High** | **High** | **[CRITICAL]** | 7 Synology shared logins are a present-tense Required-spec violation. 3 workstation shared accounts have no password. Active-ongoing gap; must be addressed with Phase 4 cutover + interim risk acceptance (B6). | +| **TV-05** | Impersonation / BEC | Low | High | **[MEDIUM]** | DMARC is now at `p=quarantine` with a clean recheck; no Defender anti-impersonation but DMARC materially lowers likelihood. Impact remains high because Executive Director mailbox is a high-value target. | +| **TV-06** | BA not in place (Microsoft + ALIS) | **High** | High | **[CRITICAL]** | Microsoft BAA unsigned = active Required-spec violation under §164.308(b)(1). Every day of use is a continuing violation. Remediation is a 5-minute portal click (master plan B1 / T0-3). ALIS BAA confirmation is a 1-email 1-2-week turnaround (B2). | +| **TV-07** | Misaddressed email / DLP gap | Medium | Medium | **[MEDIUM]** | No DLP today. Small-facility email volumes keep likelihood moderate. Business Premium upgrade (Track C / Phase 1a) unlocks DLP. | +| **TV-08** | Lost / stolen shared phone mid-session | Medium | Medium | **[MEDIUM]** | Compliance-policy 1-minute inactivity + 6-digit PIN + device encryption + Intune remote wipe make data-at-rest exposure low; mid-session handoff is the residual concern. | +| **TV-09** | Over-share on SMB / wrong share | Medium | Medium | **[MEDIUM]** | `Everyone=FullControl` on Culinary/directoryshare/Roaming is flagged; folder-redirection destination `homes` is already scoped per-user. Remediation path exists (security groups + NTFS tightening). | +| **TV-10** | CS-SERVER hardware failure | Medium | **High** | **[HIGH]** | 16-year-old Dell R610 is well past vendor-supported life. Operational-continuity impact dwarfs the confidentiality impact. Hardware replacement is a Track C / Wave 5 work item (Q39). | +| **TV-11** | No audit trail of PHI file access | **High** | **High** | **[CRITICAL]** | Required spec §164.312(b). CS-SERVER Object Access auditing is disabled today; Synology ext4 provides no file-access log. Breach attribution impossible. | +| **TV-12** | Data loss from backup gap | Medium | **High** | **[HIGH]** | WSB → Synology exists but is co-located; no offsite; no M365 backup. A single site event = total loss. | +| **TV-13** | Audit log retention <6 years | **High** | Medium | **[HIGH]** | M365 default 1-year retention < §164.316(b)(2) 6-year floor. Continuously out of compliance. Decision pending (B5). | +| **TV-14** | Pfsense floating rule #4 / VLAN bleed | Medium | High | **[HIGH]** | Resident VLAN can reach staff VLAN today. Any infected resident device has a path to staff resources. Phase 1.6 scoped-rule replacement. | +| **TV-15** | Physical theft of workstation with broken BitLocker | Low | Medium | **[MEDIUM]** | Facility access controls reduce likelihood; but 13 of 18 PCs lacking real disk encryption means any single theft = potential cached-PHI exposure. | +| **TV-16** | Environmental — power / fire / water | Low | High | **[MEDIUM]** | Commercial building, HVAC-conditioned IT room; no tested DR runbook. Likelihood low but recovery posture is weak if it happens. | +| **TV-17** | Former-employee access not revoked | Low | Medium | **[MEDIUM]** | Post-2026-04-13 AD cleanup and 2026-04-22 M365 orphan deletes have closed this. Formal Termination Procedures (B4) will lock the improvement in. | +| **TV-18** | Kitchen iPad / resident VLAN lateral access | Medium | Medium | **[MEDIUM]** | 9 kitchen iPads on INTERNAL VLAN; no PHI on iPads themselves but they could be a pivot point. Restrict-to-printer-IPs rule is planned. | +| **TV-19** | Stale / unauthorized remote-access tooling | Medium | High | **[HIGH]** | TightVNC on MEMRECEPT-PC is unauthorized remote access with no password — a direct admin-level foothold if discovered. Other tools are legitimate-MSP but over-installed. | +| **TV-20** | Workforce not formally trained on Privacy Rule | Medium | Medium | **[MEDIUM]** | No evidence of annual Privacy Rule training records for non-clinical workforce; §164.530(b)(1) is a Privacy Rule training requirement (operationally relevant to Security Rule sanctions). | + +### 6.2 Top-tier risks summary + +**[CRITICAL] — must be resolved or formally risk-accepted before next review:** +- TV-04 — shared-credential accounts with PHI access +- TV-06 — Microsoft BAA unsigned (continuing Required-spec violation) +- TV-11 — no audit trail for PHI file access + +**[HIGH] — actively being remediated in master plan Track A / B / C:** +- TV-01, TV-02, TV-03, TV-10, TV-12, TV-13, TV-14, TV-19 + +--- + +## 7. Risk treatment plan (NIST 800-66r2 §3.6 — Risk Response) + +Each risk is assigned a treatment posture: **Mitigate**, **Transfer** (to a Business Associate via BAA), **Accept** (with documented residual-risk acknowledgment), or **Avoid** (stop doing the thing that creates the risk). Addressable-spec decisions are recorded here and cross-referenced to the **Security Rule Implementation Register** (`docs/security/implementation-register.md`, item B8 in master plan). + +### 7.1 Required specifications — must be implemented + +| Spec | Status | Action | +|---|---|---| +| §164.308(a)(1)(ii)(A) Risk Analysis | In progress — **this document** | Counter-sign, file, schedule annual review 2027-04-24 | +| §164.308(a)(3)(ii)(C) Termination Procedures | Documentation pending (B4 in master plan) | Howard drafts from current same-day-disable practice; Mike + Meredith sign; filed by 2026-05-02 | +| §164.308(b)(1) Business Associate contracts — **Microsoft** | **Active violation** | T0-3: Meredith signs Microsoft HIPAA BAA via M365 Admin Center → Settings → Org Settings → Security & Privacy → HIPAA BAA. 5 minutes. Target: before Phase 1 caregiver pilot sign-in. | +| §164.308(b)(1) Business Associate contracts — **Medtelligent/ALIS** | Pending confirmation | B2: Meredith / ALIS support — 1-2 week vendor turnaround. Parallel to Track A. | +| §164.312(a)(2)(i) Unique User Identification — office staff | Implemented | Preserve in Implementation Register | +| §164.312(a)(2)(i) Unique User Identification — Synology | **Active violation (7 shared accounts)** | Path: (a) Phase 4 Synology retirement, OR (b) accelerated disable now with workflow disruption. Interim: Meredith signs risk-acceptance form (B6) with compensating controls — physical access control + shift sign-in sheets + monthly SMB access-log review by Howard — pending until Phase 4 cutover date. | +| §164.312(a)(2)(i) Unique User Identification — workstation shared local accounts | Active violation | 3 PCs (NURSESTATION-PC `Nurses`, MEMRECEPT-PC `memfrtdesk`, RECEPTIONIST-PC `Front Desk`) with passwordless shared logins. Resolved when Phase 3 domain join + Phase 5 shared-account replacement completes. Interim: same risk-acceptance form (B6) applies. | +| §164.312(b) Audit Controls | Partially implemented | CS-SERVER: enable Object Access auditing in Wave 5 hardening (documented in Implementation Register). Synology: accept that ext4 provides no audit trail; retire in Phase 4. M365: see §164.316(b)(2) below. | +| §164.312(d) Person / Entity Authentication | In progress | Post-Entra-Connect: Conditional Access policy "Cascades - Phone MFA Exception" (Report-only → On) gates office staff + caregivers. Office staff get standard MFA; caregivers get the building-only Named Location exception by design. | +| §164.316(b)(1) Policies & Procedures documentation | In progress | Implementation Register (B8) is the single index. Each policy/procedure links back to the Register row and cites this Risk Analysis. | +| §164.316(b)(2)(i) 6-year retention of documentation | Decision pending — **three options**, see §7.3 | | + +### 7.2 Addressable specifications — decision record + +For each Addressable spec, HIPAA requires a documented decision: implement as specified, implement an alternative, OR document why neither is reasonable and appropriate. + +| Spec | Decision | Rationale | Alternative / compensating control | Owner | Register row | +|---|---|---|---|---|---| +| §164.308(a)(7)(ii)(A) Data Backup Plan | **Implement** (in progress) | WSB → Synology exists; offsite is a gap | Offsite backup target to be added in Wave 5. Interim: accept co-located backup with documented recovery runbook | Howard | Reg-01 | +| §164.308(a)(7)(ii)(B) Disaster Recovery Plan | **Implement (abbreviated)** | Single-facility CE, no distributed ops | Written DR runbook for CS-SERVER rebuild; tested annually | Howard + Mike | Reg-02 | +| §164.308(a)(7)(ii)(C) Emergency Mode Operation | **Implement (paper fallback)** | ALIS outage / network outage → paper MAR sheets; documented in Health Services SOP (not an IT deliverable — flag for Meredith + Lois Lane) | N/A | Meredith + Lois Lane | Reg-03 | +| §164.310(d)(2)(i) Disposal | **Implement** | Decommissioned drives destroyed via NIST SP 800-88 sanitization or physical shredding per MSP procedure | N/A | Howard | Reg-04 | +| §164.310(d)(2)(ii) Media Re-use | **Implement** | Same procedure as Disposal before re-use | N/A | Howard | Reg-05 | +| §164.312(a)(2)(ii) **Emergency Access Procedure** | **Documented decision — current posture retained** | Two named global admins (`sysadmin@` — Howard; Mike — via his Arizona Computer Guru admin identity), both Arizona-based, both contactable 24/7 via MSP on-call. Microsoft support portal provides documented tenant-recovery path for lost-admin scenarios. **No specific hardware requirement (FIDO2 / YubiKey / otherwise) is prescribed by §164.312(a)(2)(ii) and none is adopted at this time.** This decision will be revisited if: (a) the admin pair changes such that both are no longer geographically diverse or availability-diverse, (b) the tenant adds additional high-sensitivity workloads, OR (c) the annual review finds the current posture inadequate. | 24/7 MSP on-call + Microsoft support tenant-recovery procedures | Mike (Security Official) | Reg-06 | +| §164.312(a)(2)(iii) Automatic Logoff — mobile tier | **Implement** | Intune `CSC - Android Compliance`: 1-minute inactivity lock, 6-digit PIN, device encryption | N/A | Howard | Reg-07 | +| §164.312(a)(2)(iii) Automatic Logoff — shared workstations | **Implement** | Planned GPO `CSC - Shared Workstation`: screen lock 10-min idle, sign-out 30-min idle, Fast User Switching disabled | N/A | Howard | Reg-08 | +| §164.312(a)(2)(iv) Encryption & Decryption (at rest) | **Implement** | BitLocker on all workstations (Wave 5); BitLocker verification on CS-SERVER D: drive (audit gap); SMB3 encryption on `\\CS-SERVER\homes` scheduled via master plan Part 6 | N/A | Howard | Reg-09 | +| §164.312(e)(2)(i) Integrity controls (in transit) | **Implement** | TLS 1.2+ everywhere; DMARC `p=quarantine`; SMB3 signing | N/A | Howard + Mike | Reg-10 | +| §164.312(e)(2)(ii) Encryption (in transit) | **Implement** | Same as §164.312(e)(2)(i) | N/A | Howard | Reg-11 | + +### 7.3 Audit log retention — option set (§164.316(b)(2)(i)) + +Per the HIPAA review 2026-04-22 H1, M365 audit default of 1 year is below the 6-year documentation-retention floor. **Decision pending** (Meredith, master plan item B5). Three options are on the table; no specific product is mandated by HIPAA: + +- **Option A — Microsoft Purview Audit (Premium) add-on.** 10-year audit log retention. Approximately $3/user/month. +- **Option B — M365 Compliance retention policy at 7 years.** $0 incremental if Cascades proceeds with the Business Premium tenant-wide upgrade already teed up for Phase 1a. +- **Option C — Monthly export to immutable Azure Blob Storage.** $0 licensing; requires a scheduled script and monitoring. Operational burden falls on the MSP. + +Each option is reasonable and appropriate under §164.316(b)(2). The master plan flags Option B as the default path because it stacks on a purchase already planned, but **the formal choice and Implementation Register entry are pending Meredith's direction**. + +### 7.4 Track A / B / C master-plan cross-references + +The master plan (`PLAN-AND-QUESTIONS-2026-04-24.md`) is the operational artifact that remediates these risks on a schedule: + +- **Track A (phones-first pilot, target Monday 2026-04-27)** — addresses TV-01 (MFA via CA), TV-04 (per-person caregiver identities on phones via MSDM), TV-06 (Microsoft BAA T0-3), partial TV-08 (compliance policy already live), TV-09 (by design caregivers don't touch SMB shares). +- **Track B (HIPAA baseline — this Risk Analysis is B3)** — B1 Microsoft BAA, B2 ALIS BAA, B3 this doc, B4 Termination Procedures, B5 audit-retention decision, B6 Synology risk acceptance, B7 Emergency Access decision, B8 Security Rule Implementation Register. +- **Track C (later phases)** — Phase 2/3 sync (remaining TV-04, TV-17), Phase 4 Synology retirement (closes TV-04 on the Synology side), Phase 5 shared-account replacement (closes TV-04 on workstation side), Wave 5 hardening (TV-02, TV-03, TV-11, TV-12 remaining gaps, new DC hardware for TV-10). + +--- + +## 8. Residual risks (after planned controls are in place) + +Even after master-plan Tracks A through C are complete, the following residual risks remain. These are the risks Cascades knowingly carries, per the Security Rule's "reasonable and appropriate" standard (§164.306(b)). + +| # | Residual risk | Why it remains | Tier | Compensating posture | +|---|---|---|---|---| +| **R-1** | **Synology shared-login exposure until Phase 4 cutover** | Workflow disruption of immediate disable exceeds acceptable operational risk to resident care. Phase 4 retirement is scheduled but weeks-to-months away depending on John Trozzi input on share usage. | **[HIGH]** | Physical facility access control, shift-based workstation sign-in sheets, monthly SMB access-log review by Howard, Meredith signs risk-acceptance form (B6). Reviewed at each Wave milestone. | +| **R-2** | **CS-SERVER single-point-of-failure until hardware refresh** | 16-year-old Dell R610 remains the only domain controller until new server + second DC in Wave 5 / Track C. Hardware replacement requires capex approval from Meredith (Q39). | **[HIGH]** | Daily WSB backup (on-prem), extracted warranty coverage (none — hardware is out of support), runbook for emergency rebuild, PRTG + GuruRMM alerting on CS-SERVER service status. | +| **R-3** | **Audit-trail completeness for pre-CS-SERVER / pre-ALIS activity** | Object Access auditing was off prior to Wave 5 hardening. Historical file-access events on CS-SERVER cannot be reconstructed. | **[MEDIUM]** | Going-forward auditing meets §164.312(b); documented in Register as a point-in-time baseline. | +| **R-4** | **Third-party BA chain** | Microsoft and Medtelligent are BAs; their own BAs and subcontractors are not individually visible to Cascades | **[MEDIUM]** | Reliance on BAA obligations for downstream BAs per §164.308(b)(2) and §164.314(a)(2)(i)(B); no further diligence required of CE. | +| **R-5** | **Business Standard SKU limits on DLP + anti-impersonation + Defender** | Full DLP + anti-impersonation require Business Premium / Defender P1-P2. Tenant-wide Business Premium is teed up for Phase 1a but not yet purchased. | **[MEDIUM]** | DMARC `p=quarantine` is in place; targeted protection will follow the purchase. Mailbox monitoring by MSP continues. | +| **R-6** | **No immutable offsite backup** | Current WSB → Synology is co-located. Offsite destination + immutability are Wave 5 work. | **[MEDIUM]** | Physical controls reduce likelihood of total-site loss; still not acceptable long-term. Target: Wave 5. | +| **R-7** | **Conditional Access "Cascades Office" Named Location depends on static WAN IP** | If Cox rotates the pfSense WAN IP, CA exception fails open (MFA prompts everywhere) or closed (locks caregivers out) depending on posture. | **[LOW]** | T0-2 is to verify WAN IP is static on the Cox circuit. If not static, a Named Location update hook (scheduled script or MSP runbook) is required. Documented as Register row when CA goes live. | +| **R-8** | **Reliable Agency workforce vs BA classification** | If Reliable staff work under agency direction and access ALIS independently, Reliable is a Business Associate requiring a BAA. If they work under Cascades direction, they are workforce and subject to Cascades training/sanctions. | **[LOW]** | No independent PHI access until classification is resolved (HIPAA review M3). Agency caregivers work under Cascades-employed caregiver supervision in the interim. | + +--- + +## 9. Methodology limitations and information-gap flags + +This analysis was drafted from repository documentation and MSP onsite observations. The following items could **not** be confirmed from repo docs and need CE / leadership input before the next review cycle: + +1. **ALIS vendor attestation on FIPS 140-2 validated cryptography** — cited in §3.1 but not in repo; requires ALIS support confirmation (tied to B2 BAA work). +2. **BitLocker state on CS-SERVER D: drive** — documented as a gap in HIPAA review H3; needs Howard onsite or SSH verification. +3. **Annual Privacy Rule training records for non-clinical workforce** — §164.530(b)(1); requires Meredith to confirm if training has been delivered, by whom, and whether signed acknowledgments exist. +4. **Sanctions policy for workforce HIPAA violations** — §164.530(e); Meredith to confirm if Cascades has a written sanctions policy separate from general HR discipline. +5. **Reliable Agency staffing contract language** — workforce-vs-BA classification (R-8); Meredith to provide. +6. **Historical breach / complaint records** — whether any past OCR inquiry, state DOI referral, or resident / family HIPAA complaint exists at Cascades; affects "documented history of incidents" in future risk analyses. +7. **Paper PHI handling** — paper MARs, pickup sheets, incident report forms; outside the electronic-only scope of this analysis but within the CE's overall Privacy Rule obligations. +8. **Physical safeguards audit for remote workforce** — if any workforce member (e.g., Executive Director on PTO) accesses PHI from a personal home network, home-office safeguards belong in this analysis. Not currently observed. +9. **State-law overlays** — Arizona medical-records retention (7 years post-last-encounter), Arizona breach notification thresholds. Addressed at the CE-leadership / legal-counsel level, not by MSP. + +Each item above is flagged for next-review closure. None individually invalidates this analysis. + +--- + +## 10. Signatures + +By signing below, the parties acknowledge that this Risk Analysis has been reviewed and accepted as the current risk baseline for Cascades of Tucson, and that the risk-treatment plan in §7 and residual-risk acknowledgments in §8 reflect the covered entity's formal position as of the effective date. + +**Prepared by (MSP Technician):** + +Howard Enos — Arizona Computer Guru + +Signature: ____________________________________ Date: ____________ + +**Approved by (Designated HIPAA Security Official):** + +Mike Swanson — President, Arizona Computer Guru LLC + +Signature: ____________________________________ Date: ____________ + +**Counter-signed by (Covered Entity leadership):** + +Meredith Kuhn — Executive Director, Cascades of Tucson + +Signature: ____________________________________ Date: ____________ + +--- + +## Appendix A — Control inventory (existing + planned) + +| ID | Control | Status | HIPAA cite | Source | +|---|---|---|---|---| +| CTL-01 | Designated HIPAA Security Official | In place | §164.308(a)(2) | Mike Swanson | +| CTL-02 | Business Associate Agreement — Microsoft | **Pending (active violation)** | §164.308(b)(1) | Master plan B1 / T0-3 | +| CTL-03 | Business Associate Agreement — Medtelligent (ALIS) | Pending confirmation | §164.308(b)(1) | Master plan B2 | +| CTL-04 | Business Associate Agreement — Arizona Computer Guru (MSP) | In place | §164.308(b)(1) | Executed | +| CTL-05 | AD security groups for role-based access (`SG-*`) | In place (created 2026-04-22) | §164.308(a)(4)(i) | `docs/servers/active-directory.md` | +| CTL-06 | AD Recycle Bin | In place (2026-03-21) | §164.308(a)(7) support | audit item log | +| CTL-07 | Same-day termination disable | In practice (Britney Thompson 2026-04-22) | §164.308(a)(3)(ii)(C) | HIPAA review | +| CTL-08 | Written Termination Procedure | In drafting (B4) | §164.308(a)(3)(ii)(C) | Master plan | +| CTL-09 | Formal Risk Analysis (this document) | In drafting / signature | §164.308(a)(1)(ii)(A) | This doc | +| CTL-10 | Security Rule Implementation Register | In drafting (B8) | §164.316(b)(1) | Master plan | +| CTL-11 | Synology shared-login risk-acceptance form | In drafting (B6) | §164.306(b) | Master plan | +| CTL-12 | M365 MFA via Conditional Access | Planned (Track A A7) | §164.312(d) | Master plan | +| CTL-13 | M365 Security Defaults (pre-CA baseline) | Planned fallback if CA delays | §164.312(d) | Master plan | +| CTL-14 | DMARC `p=quarantine; pct=100` | In place (2026-04-21) | §164.312(e) support | `reports/2026-04-21-post-dmarc-spoofing-recheck.md` | +| CTL-15 | SPF + DKIM | In place | §164.312(e) support | m365.md | +| CTL-16 | Intune Android compliance policy | In place (2026-04-21) | §164.312(a)(2)(iii)(iv) | PROJECT_STATE | +| CTL-17 | Intune device restrictions config profile | In place | §164.310(d), §164.312(a)(1) | PROJECT_STATE | +| CTL-18 | MSDM (Microsoft Shared Device Mode) for caregiver phones | In place | §164.312(a)(2)(i), (d) | PROJECT_STATE | +| CTL-19 | Conditional Access Named Location "Cascades Office" | Planned (Track A A2) | §164.312(a)(1), (d) | Master plan | +| CTL-20 | SMB3 encryption on `\\CS-SERVER\homes` | Planned (Part 6 executable) | §164.312(e)(2)(ii) | Master plan | +| CTL-21 | BitLocker on workstations | Gap (13 of 18 broken/missing) | §164.312(a)(2)(iv) | audit-findings #12 | +| CTL-22 | LAPS (Windows Local Administrator Password Solution) | Planned (Wave 5) | §164.312(a)(1) | audit-findings #13 | +| CTL-23 | CS-SERVER Object Access auditing | Planned (Wave 5) | §164.312(b) | audit-findings #17 | +| CTL-24 | krbtgt password rotation (180-day cadence) | Planned (Wave 5) | §164.312(a)(1) | audit-findings #20 | +| CTL-25 | Protected Users group population | Planned (Wave 5) | §164.312(a)(1) | audit-findings #25 | +| CTL-26 | Offsite backup (immutable) | Planned (Wave 5) | §164.308(a)(7)(ii)(A) | audit-findings #1 | +| CTL-27 | Second domain controller + hardware refresh | Planned (Track C Wave 5) | §164.308(a)(7) support | audit-findings #2 | +| CTL-28 | RDP with NLA | In place | §164.312(e)(1) | audit-findings #19 (closed) | +| CTL-29 | Account lockout (5 attempts / 30 min) | In place | §164.308(a)(5)(ii)(D) | audit-findings #18 | +| CTL-30 | Annual Risk Analysis review | Annual cadence (next 2027-04-24) | §164.308(a)(1)(ii)(A) | This doc §10 | +| CTL-31 | Audit log retention to 6-year floor | Option A / B / C — decision pending (B5) | §164.316(b)(2) | Master plan | +| CTL-32 | Emergency Access Procedure — documented admin posture | In place (this doc §7.2) | §164.312(a)(2)(ii) | This doc | + +--- + +## Appendix B — Cross-reference to 2026-04-22 HIPAA review findings + +| Review finding | Status in this Risk Analysis | +|---|---| +| A1 — Synology shared-login accounts | TV-04 / R-1, risk-accepted via B6 until Phase 4 | +| C1 — agency shared logins (reliable1/reliable2) | Resolved 2026-04-22 (not created); individual accounts required | +| C2 — Britney Thompson litigation hold | Documented in Termination Procedures (B4) | +| C3 — Microsoft BAA unsigned | TV-06 — active Required-spec violation, T0-3 | +| C4 — no formal Risk Analysis | **This document resolves that finding** | +| H1 — M365 audit log retention | TV-13, decision pending (B5) | +| H2 — break-glass admin account | Superseded: §7.2 Emergency Access Procedure decision (two-admin posture + Microsoft recovery path, no hardware prescription) | +| H3 — SMB3 encryption + BitLocker on CS-SERVER | CTL-20, CTL-21 | +| H4 — drivers + Privacy Rule training | §9 information-gap item 3 | +| M1 — automatic logoff timers | CTL-07 (mobile) / Reg-08 (shared workstations) | +| M2 — Security Rule Implementation Register | CTL-10 (B8) | +| M3 — Reliable Agency BA classification | R-8 | +| M4 — Christine Nyanzunda dual-role | Documented in Implementation Register | + +--- + +**End of document.** diff --git a/clients/cascades-tucson/docs/security/termination-procedures.md b/clients/cascades-tucson/docs/security/termination-procedures.md new file mode 100644 index 0000000..910b0b8 --- /dev/null +++ b/clients/cascades-tucson/docs/security/termination-procedures.md @@ -0,0 +1,95 @@ +# Cascades of Tucson — Workforce Termination Procedures + +**Built:** 2026-04-24 by Howard (ClaudeTools session) — closes Track B B4 in `PLAN-AND-QUESTIONS-2026-04-24.md` +**Owner:** Security Official (Mike Swanson / Howard Enos) + CE leadership (Meredith Kuhn) +**Review cycle:** Annual, or when a named system changes +**HIPAA reference:** 45 CFR §164.308(a)(3)(ii)(C) Termination Procedures (Required) + §164.316(b)(2) Documentation Retention (Required, 6 years — Cascades posture: 7 years) + +--- + +## Policy statement + +When a Cascades workforce member separates (voluntary or involuntary), their access to ePHI and Cascades systems must be **promptly revoked**, and their employment-period records must be **preserved for at least 7 years** from the date of their last activity or creation (whichever is later). No workforce member's mail, file-share presence, or audit trail may be destroyed prior to the end of the retention clock. + +--- + +## Why 7 years (HIPAA + 1) + +HIPAA §164.316(b)(2) requires 6 years minimum. Cascades adopts 7 years to (a) buffer against state-law retention overlays (AZ medical records = 7 years post-last-encounter), (b) accommodate civil statute-of-limitations carry-over, and (c) provide a safety margin before any irreversible destruction. + +--- + +## Procedure — at termination + +Follow this sequence on the last day of work (or as soon as termination is confirmed for involuntary cases): + +### Step 1 — Disable sign-in (day-of) + +- **Active Directory:** Disable user account (`Disable-ADAccount -Identity `). Move to `OU=Excluded-From-Sync` if they were previously synced, so Entra Connect drops the hybrid mapping. +- **Microsoft 365:** Block sign-in (`Set-MsolUser -UserPrincipalName -BlockCredential $true` or equivalent Graph call). Revoke active sessions (`Revoke-MgUserSignInSession`). +- **ALIS:** In ALIS admin, disable staff profile. If they were linked via Entra SSO, the SSO tie is severed automatically when their M365 sign-in is blocked, but the ALIS staff record stays for audit. +- **File shares / VPN / ScreenConnect / anything else:** Revoke per the access matrix in `docs/security/implementation-register.md`. +- **Remove from distribution groups, shared-mailbox delegations, shared-phone MSDM roster.** + +### Step 2 — Preserve (within 24 hours) + +- **M365 mailbox:** Convert to **Shared Mailbox** (`Set-Mailbox -Identity -Type Shared`). Shared mailboxes do **not** require a license under 50 GB and are not at risk of default-retention deletion. +- **Remove M365 licenses** after shared-mailbox conversion. Free the seat. +- **Apply Litigation Hold** if the tenant has Exchange Online Plan 2 (comes with Business Premium): + - `Set-Mailbox -Identity -LitigationHoldEnabled $true -LitigationHoldDuration 2557 -LitigationHoldDate (Get-Date)` + - 2557 days = 7 years. + - Cascades currently on Business Standard → Litigation Hold **not available** until tenant-wide Business Premium purchase (see Q21 in master plan). Interim posture: shared-mailbox conversion + zero deletion = functionally preserves records under default MRM retention. +- **Hide from Global Address List** (`Set-Mailbox -HiddenFromAddressListsEnabled $true`). Active staff shouldn't see former-employee addresses in autocomplete. +- **Configure forwarding** to successor(s) if there is ongoing external correspondence (vendor invoices, client relationships). Forwarding does NOT satisfy retention on its own — the original mailbox must still exist. + +### Step 3 — Document (within 7 days) + +- **Update the employee record** in Cascades HR with termination date, reason (voluntary/involuntary), access revocation confirmation, mailbox preservation status. +- **Entry in `docs/issues/log.md`** or termination ledger: user, date, systems cleaned, who performed the work. +- **Add to the 7-year retention tracker** (spreadsheet or doc listing preserved mailboxes + deletion-eligible date): `retention-eligible = termination_date + 7 years`. + +### Step 4 — Annual review (every anniversary of their termination) + +- Verify the shared mailbox still exists (no accidental delete) +- Verify Litigation Hold is still enabled (if applicable) and not near expiry +- For employees whose retention window has elapsed: + - Privacy Officer review: any pending subpoena, audit, or litigation? If yes, extend hold. + - If clean: formal decision to either (a) export to offline archive (PST → immutable storage) and then delete, or (b) delete in place. + - Document the destruction decision in the retention tracker. + +--- + +## What NOT to do + +- **Do not delete** a workforce member's M365 user object directly. Deletion puts the mailbox in a 30-day soft-delete window — if not recovered within that window, **all content is permanently destroyed**. For a covered entity handling PHI, that is a §164.316(b)(2) violation and potentially §164.308(a)(1)(ii)(A) Risk Analysis failure to have identified. +- **Do not rely on default MRM retention alone without converting to shared.** A licensed user mailbox whose license is removed can have content auto-deleted by default Exchange policies. Shared mailboxes are safer. +- **Do not allow the 30-day soft-delete window to lapse** after an inadvertent delete — restore and remediate before day 30. +- **Do not skip Step 2 preservation** even for "short-tenure" or "never-logged-in" accounts. If the account existed in production long enough to have any ePHI touch, the retention clock applies. + +--- + +## Incident documentation + +### Incident IR-2026-04-24-001 — Improper deletion of 7 orphan mailboxes + +**What happened:** On 2026-04-22 as part of a pre-Entra-Connect orphan cleanup, 7 M365 user mailboxes were deleted: `ann.dery`, `anna.pitzlin`, `jeff.bristol`, `jodi.ramstack`, `kristiana.dowse`, `nela.durut-azizi`, `nick.pavloff`. The deletion was HR-confirmed at the time but **did not follow the preservation-first procedure** described above. + +**Why it was wrong:** The 7 mailboxes contained (or plausibly contained, given their roles) ePHI or operationally-relevant correspondence. Deleting them without Litigation Hold, retention policy, or shared-mailbox conversion placed them at risk of permanent destruction at day 30. + +**Recovery:** On 2026-04-24 at day 2 of the 30-day soft-delete window, all 7 were restored via Graph API (`Restore-MgDirectoryDeletedItem`). Evidence: `reports/2026-04-24-jeff-restore-ashley-access.md` and follow-on retention report. + +**Post-recovery actions (in progress at time of writing):** Convert each to shared mailbox, remove Jodi Ramstack's unnecessary Business Standard license ($12.50/mo recurring), hide all from Global Address List, place on Litigation Hold when Business Premium is live, enroll all 7 in the 7-year retention tracker with source-date = their original 2026-04-22 deletion date. + +**Preventive control:** This document (`termination-procedures.md`) and training on it. Future orphan cleanups must follow the preservation-first procedure. + +**Signed-off:** [Security Official signature + date] / [CE leadership signature + date] + +--- + +## References + +- `PLAN-AND-QUESTIONS-2026-04-24.md` Track B (B4) +- `docs/security/hipaa-review-2026-04-22.md` +- `docs/security/risk-analysis-2026-04.md` +- `reports/2026-04-22-m365-orphan-deletes.md` (the flawed action this doc remediates) +- `reports/2026-04-24-jeff-restore-ashley-access.md` + follow-on retention report diff --git a/clients/cascades-tucson/docs/servers/fax-packetdial-whitelabel/Screenshot 2026-04-24 115936.png b/clients/cascades-tucson/docs/servers/fax-packetdial-whitelabel/Screenshot 2026-04-24 115936.png new file mode 100644 index 0000000000000000000000000000000000000000..582713f18e6eb3f6c64bbba5aa6c4a58915213b2 GIT binary patch literal 73992 zcmZs?1yoi|_da~nB?6MtAs|S1cc_4XfONNX+;q1zBGRp-lt?#7w{&-RH~fd^^|#*l z`PMgU!Chz0nKQFz?`vQCI-eBYNu#3@qCy}L^f#|1-a{Zr><|cC2Qnh~#+0!t4ZOfO zyq6Y(6b}$@fe-MeqH>}TNLduxtv&+yjAHv*-2no5+V=Pd(`l1u1c5w!eLeX1Ug@Di83nzQq_Rk;wn%#@f}(=RcLWI$ zHw@0WQ>Ut%`|8#?qXYYRtF9#`^nqi6rQ_LazlV?w{l>iRl4J39$4ulf*& zoV66_sGP~#_kyyicW_V~^g2E{S)>0uHu|jFTaTHhs*}~nZ?aIs^l7lJRCIKh?CpQ9 z8T>uyI5s84a&>L3ryZP20{2;)Eah?X?X3W~P}e_Sfp1q$Yif9jGv9!>@$f;3607** zoNT<5vH!W_ykD!UMh@t5;DiN-1SZd7bXV8xBxwFKY(?{xrcN+7d0B=DZzS4t%n2Vy z_;=ys_-tpL2Sc;MzEU_V>aubd<|FhgQqcJaz4VrW73I^`XQ|yR)f%d#vP@suGst)--~4ty4_cC)jCR)hF$d z-jx|vGhFt#F}g1c{5}+EEZ^VcF5Y3_8Lp)7lpYO2T^{_~s~_&^%*F~3a4I~c2_CPf zd7>k|doHJT*2bN{WA0JoDKCcHiKx%0goD7S$<;P#$G!YjQz}!X5Klp6tkVA%h9YZ7 zrB&^*Y88E6M+8x(`3OxO_z^$hWI@}@xYTZ%aNcqv6bK&a8EJ`I6+zB0LPLlx-98pnG`-(7N$MuJ; zGHPdcQKf1<6JMsSrhm0`rZWU~8`;w>R39-5*gp6(8LuhE(nJh>Gp8E;p@^|3z}NhK1K}zWT@Vi-Enj1Ddg~=c#g+o zGh{X()K}jG0T@!`r`V2_X^RrkijOL5A0f^24L4=mH)MzX+zS-6v`CPl5?!)--V4t9 zlL1(d%a+b#CJE9js=gn1O6W?t^HF7n9U`3S-tHT}KgA~8tZOMp7W!wX=G2Dj;=K)tB-7I zswK4D_r_ct_KAS42n1l}sh1;?rkrDbD7sd(*06lS-n~Fz^8QVpQZ84cRt+o`){=dk zbYh}#;%#rt%8YgRo6WP?0Qc3F|K`yU% z4i3ju7kcFK2s{V}wX#jnIX=!RFcsUx~v?yux9UWB$ z9Sx3G-Anb`$XxWc?}Q%Kg8y+to9|DzUzL#4&>)(dn}Zv&@ZH;tF+65^Djh}qYRIei zYtd^N8S%62v7>GWq_a8iR+mA1I!Qf=qXe(3D=c>j z@^P`^zV*aqvwS>_0LyD}dDMAO3Z2n?^fHg1tM9KZuC(%Tpu3YW!uO}zF~zPD5XZr%ZkVpwwsIk3>v@Sy>H84K-{oba@?Cnh>}eY;6@Bfxe?(a9k~M~7c(+v0wCxgsAOA5Y7TWVy8Q z8)b!6e;Ga?SkrrpoO%sb$Mp)={8p!1x(NZ>^`~=+=Q5 z7P8;yPPyN3K$>5na(m^nJ712p;B_L%Wqm7C+=1p`V)#2`3F1>`Xx-lEiL^=s@u{?$ zSu8gugMrMu+pyyG>Av8mgF?5*TQGz@l=Rf;bj_23EQ(1#jpW|lu>X3od+SUzkir{Q z7^J)NvTncD;&692x3}Nnvc>-<)61Xl^}BbC)p#_JP5g=9qtH1llj){$=-hC}fI(Tt z$FYJCepkeuajSYYERhsx)!G$-?LV#`r^c-`vY>?@AU>Wq7lsQuI~S%I?|Au_w+j`T z5-hSi+fzHDgl}Kq$0L_`*^d^g;*)t*!$Y@6gSw5x6ry*C2XQ}P!otEXEnyLGm_b_G zJRcZi{){(z^7naoAO>Kn)tk{-*P0W1-9d}=qfsC;RR_(CEBn7O3cbV>6r!oRUeL?k z-CVToZkS}+uk`=`*1~Vot94sQ!Pu78m5@Y99sAAok`)q^Trinxh9TA2MJ&? z8UOBc0a`&S@nZU)95Wntfkmz#2)%BXOn;~yQ5UEbYLIs^pq*nS0FU5P3|IS3D3p)=amDG53qUeqE~dh{(ybe}%&tq%{E@BD_6qI*N^LO}gB<*C`3k&FRB+DYl zm9-88-MhBNHf!y(#Dkp(c#rwQiCt5vy5N1ri!^w9_?^rSe#&Pg@SZ5{Fl*x&CWALM zGtZPZ<)c9STF#DIkd8>=jQ;vH=*U^F_5Kd`LVrIHEx!^g!W9`Ey)8o&4)ghQ3T`xl zmX;Qmtu_3NJX9TTE2eo*=ghMzQq;`%_7re>u@0{@=i}yDNvB_A96g>_;Dzgq%2mA*`RjlA|ZQEy!SOD*W zFoReN>8b(m+^fNy_Cj@1$eze~Z@1n`8o7Nbq_&Yge&`1tETSubI^=Nz#) z_I$V)v6+GkxH8mBNQ(gAJ)zn@RXOp`0CZkq>ys&mq!^57#C_0(Y zli2;VMHfbk(L5MZ*WWHhdK-o=CqJsc&AF_cd6977kdj7%P^rVj#9m=B(OP%1AO?Wv zyRiRFS4-$6)1dS zFotU1mT~I$@84_Sli(1~rN6(8TQz}M`l{KHWj)9Dh`T(FyG`vYGJ%<{R7@0E7(I)N z>xf8(K!mPVm0r+N_m1hv$i8k3U3&$AfS40o2=^`{2*I}}J)0t#%iK3dPNS>csE%1i z6aa@aEBp|E(6y2mNTc{2Rr^V?EpDKG5{2Be`U$K@#n7Ej~T_ z;~4$rO4M11us5qhgmAhKIuTbE2y&Opy|^wm!?5*7>lXj?x$Ki>wOfWCEl?R*Bam24 z_PV=SUQf399M-@Fo%S@Fug}-oU5?jfiu_5u$#MN>3Ya#D?!(V({CGaorn_1^G<=4R zR)nyl=|UTW+3FeAox}~|v#NQ%f$t5wImy!5y52h+X5RUhRZ67b1Ar|%yt+kr_h`uM| zKf_Y4UQTnl=uaK56>Yxp%q&O^u0JpDWsQ2`Gcmp0>SP#*&7iw#u~VT#{D5^XIRL5k zS`x~XyG@Pah&1(NmgPU!E=h8i@KHOygc ze%&rlJSppgD2K-s{or(OW`?@!cE677aErEgN#MS1!BCVBx*xFMt-FIv(HTh+wo_b( zCm#G%G0;)r@8 z#ZRtI=Ofh{q&w4*^9srcQ9@iK7_t=uwYX-a9z$mb3jjMmBAZH^g{Ak6&>b$>#*Ic; z_CP_Fv6DXCriVt-=g$)%KJ%V#-D40RUw=fNMxBOh)%e<0kDI-V$c@9eSJIhatJq`X zmzxUvgUH#_4wEf6^ZCYgydVyGYN5U}lqqQMV9#p3YZZxEsnpp!^j!wS<93*q$!ZY9 z=baL=wLkkmts9PR4t8K5b9HqXw!MDsS)z(Ko3&5nM#ux27hC*?e;Uhx?4N>}8G}*d z*W)+9Gr5Elu)_KyVRTg6t+2SAngs*|;2?8wn*aLf>a^HQ0Wy-R%k4rN5(^{P=Eepj z;x(kF#P(Ccp&cxJmLT7qf6!wsQ2r$KwkJ@Asq2@+Qx0)IaTZ%W@2HcE_{#IWnM|pO z?a4Z4=13BLCe^wM$L<>@VTRNyo2Dxr>vzhOPj{>CZEdD{Zer}K=Ddh>JdO|;G|%ZY zewppRw3(~rge*40tVj-i>QZxks@8K-qjc37{W&CrKI>I6L1>%w)5We~f3>E2XX&f! zv!)gBfyZOjr}x^1dJkk_08Z~udpz7lT^_>iw5?QED@7h-(?-nTkM(m$1krT`Y@{dq z1J{W{Ra{HxkN8wHinL)U)05V5e{{_Fvn&@B+O0%z zF9mMsO4!=6fK2_>fs`^Oj-=>dnjp*Cd|d-7Ev{q>8gpOAWEpq1O#Fa7G|^(Tnj(p- zVgS*k%JszLcZYSS=fyh*4|(hPUkDhp59F1WQ$c$(+D-B|r&|#r$b(8*#hRvfyw3>< zHS~;(jK04<-JK#SMNqAC+H=ak=;+4Am)=(?Cf<8*dNDrh41uT=NUTgv4R(#e7r@WK$()zw{Y_NtEh*a!81BiYL0|T9q1YQA$WkQUFj5K;km>bE9cqq$E+%76KM>TiAX)#v+QL968NZ`Yaz) zGN*+s$rcue!)Q@}O-f~^<}PGgf2hmDKnllf33mdcr-Pg8NhPh8K51JlI zy&ptV1fB=~4tN3b8D=KIfn$&&z}{0%lO6)P(W zHqC5c{>W_9TV))CK|x_OFqpP7!_K3_HuhB-?(eaNiy^PhnpFmA&Bo0M~e99jB#LK*;&gC+M9w1V>U$jQ|7&7>J33(0I`e z+}75XeffJ%fW{K|_JsNpPf!~#Z)Iwd@5&ZFo+x1!y500NOA7kRsKK9uzq!yv z_LV^!9w6h*@XkjDVsR-rcd7BF$U9M|&WU6{)t;=cQuq`{QtzNq5E&J$qi9~U^@Q?VJoA>*-%?o*2`)wf(wrllF-x{=ZUL6B(6=cj}wp09WzfC(i z>#HlhbFqJN<7`~7vHgP7o&I7Qy?GJbYXi^$tJE9kiD35Z8=1zY)NZKM&5ef6 zsQZF;gJO+hVy?Y=s+RTWd|sb+O_lL}PsBj?Kwd+Yz}`-AajCtjJ&`xvF7bN9S>+7Z zVQEvJ62CKaJ`E0Vr|P8-f_4CUlo~s<=#_~2U#m45sQYpf4W{xx5?V{E-8}L3kj>$8 zq_2$Sk$$JA7lWaBb}K<@M_2a0fB#-w@OIY!^UXc_OTr88leZNKAJu-Y3Icu&=F_K7 z)k{G{cI&6=HHp%3^avfy3rbg`8KR!`4=o12e=E1$9C(Mg+B8^rstI0M3!I!<{?It1 zN^|$ZlL{w@H0+EtyuGZ8`AqE6dncP<8$W}UQ|PVZpC~VY(4Pf(i2Cd8FaiOi=-DTb z!{rp!qpJ#~_Ld5=v=)h-|>y@ctf(#CD^5Mk1&p=w+IU+BN zUOx3idqOc=3VnB~flRX!C#A;cEdXvM%#Jv2`hbKR%60CJXmnabGkzC&v+v%FWdth% zwmc>d4m@PC$~ir|zB-(=hbS)Y#ZBA6GO_B@s#W`Jwwj_kJy|bChpKce=g#w>*{0iR z?Ci>RUVImqh2xzp`~A)4zJ=Crx%vWS~l8voe=jUu)R;ZZU|+`gd7&=TMm;62NK`X48F8HyN8>mQ%!qA3TGflJG4~4jWeQ zPZN1OW&0Gm1GY-BxkBdM;8LVJ&xn)SY2;z zG)Uh23e@Q;n~j$TbGh7*#ml2u1V7oyoatXge2%4t0V5}a!eI+uH&bBZnrBYtp&nK* z7#Y#!1?=oXr|@;%NTVZ{ZlUUcii-_HjgA)s%eB_7?fmXHNGkp@C%~XR+}EK2+iBrH z7y!If0ATC8xs#dKFKfGP0&vtB5 zdsdo#{i|(TF0iuNm$pPJZdqoCr0y-36Q_Rk$u_g{IRt=P<`#pgQBBgPoh zVIFwOZzzwyU75X|tIBm?+GTgDisIJPPl=+dszUlaa94vyx3)5U^LeKBRlM%ZmHlHP z>AQWJ&mJjqa=JBAy_J(}cRl*NMm?W^%kpJM_;agjZM$}bnwr7AyQRLZ@@oCnm%lqY zvfiamU#=&Yu-ZmnP~jjxCG;t2)cKUeX+h4#g~uIEy!MO+J1z$}9TxLtqi^4|npf#! zZO=Hzx8M#MO|z)FQdsWOe9+lo$nQPswcsaB0OUWSr66aq`{M#>K79}jO83%WrMNjmb&>@z3osVe43QbCh`aXf~OTjzx~k}CP;>53hN zA`O-Fds$?O8eZ3~L2mw>kTDK)=}2PH$Nb5pk06|cA1{^PS?b-pr@)WB*L`)D_`y=6N<&I69`x*ega2&IdU}n5%U;5om zvP?oENYqfU_getWfq@ihRJIpn$nK-+y)dH6|@`vu8Y?@6Vr+ zGW|QmP8+H(-v!;zArQCoT?*B!AHhXYa7gt;=kHcAh`6ocAzEHFJC2x-MUS(uGbFz2 z*JnhwgMvz^@QI~&-!ULumZeOe_b`s(>`l|Qd$Oq{)eOs6()?;gRGv*xMAx8w5SUv? z+kP8c=fI3|j@hF`utw}OHFLS5QNy3c?oC=EVB1KuKVPo3&lJwFTwHYfT>gw@jXBiy zA46IOh6I9RO!ZO6urZ#|`SuvxBb@3tlzMKhw4WNF)4(Kzaa7SD{5|*k%DAR=XMu_^ zNO6hL@CT$7N}-4p@?zrRrM62R0fB+~V+CZkJB(FSf<>0`9F%-cyF48WoG5hNba|>J zOppv`1)<-Vy zoF`1*Cgo6YRUX3dX;xV~Xhn(o|L|>JY{B<094kcAWj^VO$(|&wYb(3ETp4sZ8{@WH zi&I_MDQS#Lt~&z+2)~r?yjQ2y=DeV-6xV*G;KGT~M$-(c<@{mJ!Ox$DolOuQP{mj) zu&3tco+z`aKf~dh`g$GU zJMAB@zuLH4cV+!Jq?F2jRUbakU&AcF$HX}>(Y)yvf68g!h!Gwc^_~YX%9P$8M`}6U zPIs5=EM}`wk~qvYGPLHWe_1m+AK(M3Dmo0+)_TRl-Me>?d!@x3gNlw71=LoND;a~A zKNS=JoGNBuKnV(hEV*;pJ{0oQ7U_Om(b7iKVBeCupWkl0AO9{x3rH<&dEpcIpr<5H zAl2IiuUH+{pNtl1B7vjq&6}VW41fOo(dwC1FJI?|h=5|OVw0EPlV5>JfFSq{*r#vf z2n|)XtTeLKon?ZoC*~gKTWr9^MJMBJA9beLdI;{d+-Pt2{F#Q{6Zw$8>TV3n24och z_qhqA`Fv8XrdI1y7(YV!lwWi-rWylYUP0*Z-x40zTe&Xa@91?qXV^BbV$cW=_gytXd`;*?E+ORjc8Y^?NUSXQFlA6tP zqR`5Bh$7o{BPN}bV`IYL8%;B6p7TQVG+0S9HNF6s$ft;#~0J0iT7n*_%>d1OAcSZ1GVd%C_sskb*!*^OoF<= z?Tld7^FksZIJj5EhjA!{$Bqq;No!S2X5_X0-Iu_s^~ROsTEH(|+OMGkhPr}jE!&1L z5cidkq~kBBln}q}{oInk*seH+oaEW|_*!#HuT1Y_e%Xq~+}mz!ec(-f(O3N9=DZya zL$>A5_XGW{KNpAhNMVO}1tp4AIwZHJBOlwKO1)?l@b(TTfa2d$J9$>A+u>`4Q=Vh) zv!`CvZRD3@UaI!PVgm6^(`5EbRHkp=D7a}S%I<06Qn6HZ*VM|Z@@7H`i$-GN5!+a> zeV}Cc?UD)lE;Bez+u5drkIIK_kQ`Ua?IiUMTFweI@6a| zsPgI3uBaC&a2oQ-eOK3rpG5?j!Cs@+^t?HRfmlxclq|OIop%!P-f?r6_`Y^cRNU5Z zG3O5hcipY>6bz^xV6HjD#KWKIe=4ms8H8>e6J-)TNo3Rke-l4(P+txK*vgsiWHsH} ziIT3HZ)|sw!k>6e_}(lvqA$cDgenD=QuleFsIFJpvt%wSCpsmG;ix4Hlk(@xO{WD~ zT9)92zHi+Rj=ZN;d*wi4!dmbFDP1+Kf>BvNUoN z1NZKM;v_Un1bOKtH~k2dB($K}2(@**XxtcuH?Lr~KjkXVuzxl?oxeucqC{aZT4pRTDbNVF!(x)cEeFN7Ctf z-OCqi%VKx8Cm-V{fLjbc*;vu;c{|eAnT}db=i799Y|)0blQ!OYsvHk?B6HKN1}MRV zW-az5mT!(8u{mzLJg?OqM=EK!&M^!yaE(t&3M$fk5LH&jS;UdpuC*q3JKdWK*WVNO z%5Y{p_4Ug15X?#@Qm)}rt7Q8$she%>tktI@0uw;1yelorqzh=4VQ%ng@h@`lR+RuX zThS`(IZII!#PNqRETDF>#e*Ze`a|CK-(I1WnnXaaBZA3Xkz;8WsJQI_IRf)oSDSwz^S(tv!(;f8 z{3Ya%OM*2HVV3}ctSxqA&5DdB!LNAT-Xu5V-EfzgfrU`FS*pMvXLJ+YCB1&R?wzS3 zwHILpFK^t+qZB9C>EJmit73KC-%k$u%Y3Tau|9py8&4G1ZDqVaedYEDiHut;HCwaa zf7^NeZTXR1f?T5gfdKspoc07(U4N~R#_QKC_uMO3x3?ov1Ws!#PwMOmyzaN8Z*4lL zkWtDIh0A6PzLF43=UdMo zG0Ra05m3vO{J3|G=$!b@2)Ikq^s6sgS~-0t?AC;W@0ggL$&CO?eA4H6oGTrGN{ha2 zla*(>5|S!G1qDM4gzy0}dMGm&X^-XTBuW2*f;=r=!kNnb-@b6cPo!~_rY38lL_nUP z^}}lC!-_7?OO!0D|NR;bt{5oGT4kCvXu&5A0L&VR zuj@goQt-id%CZC0S1{|WkN|~_D5*GHFR65Tus{Z6QLvWYrGlr6r_V^nq~e24PnRDA z0R7PNb1gm7u=6Rz$ENA->7c*~1KS@Uz63RfCEx@Nfp7~3RK;yN8LMU^Z|gtbA(dBQ zWUd8IfF$;8L+gW@u+)t>VLxrK$+^OC;w<8y#>QPk(_bYgLi;^?;gKl*mGh@7TUy~g zDXw+E1WuSaetZO>|tBjp5sHA>NT!_}$s$r`a|JZKs=!~!}*y*s0F?1*m=m9xAPxjtE z(n*gRnySGYa~whQxmw(;tgKRShvB50QpHR^Sq-ID)>*Sx4e--T)IQ<9YJ?9RnqL4> z?o-qKdC((W zqu9;)-f+38&5Pf(J=*R?@2MxC49%cGN%UvbkZ1Io+gd@2`{ zkT7(oqzr4@e9Nu21(q<;W#vxkV792$O*X$_8g48|91f3z(JPDBkzO}6_Cf%kbr^(O`(4z5NzS|u{C7oSjCQY}0 z1yrz-X7Z97&;*njzkwEt79P*-a4nTg2`Q;&%gQf>J|$^fS@YzGhYYM?|XZ^yYSFJD$q#f34EOT$t!eyDXv_iqg_n@ z6*ySCouaBGpp&v!i2+dLzASmYDeWHBVat*_vhS)8g7h1 zM3;$YXa|Z7;s-BuG_>}%D1iW=RlycRww%EW10|@IZ%LqB#@%L4(9q5j>v8rQJIdfx zF3lSygQd3Ea3DqXa1H+zP|}J&(j*{R^^G3F1VzZcJ_cZ5h^7N6afLlvprl@!z(~No z?*w3ma`Ac3Uv-U(`@9E(_O-7T3FdA#i@(4BaJDHohnWIWl8LB^NseKvZ244pSJ!I@ zteu@{nbnRHNLX+QTAt^*omM{qvcXsQbqU-yLY0WOMg zgmulEX4|LKL|h+zzA`3fx}DK?_58eNdnX|Q|2g(OU?Jgn^ofeJb^K)OTKtjt5XZXS zzkgq5J$LYUH@R8*kD}!D0~YK`I=7rz{^wvfihx+`b+x9-kkAC7eFwk(g}QwyDkBK2 zfb@O!MLv19`8(tKbr7E9nWevb~kKIe*6nG>0|QuS^Hi z+Oi~N4*Mq-x>aDhNfqcr{qPu*GG$bE{^&pKP6mQNtueuY3rP@)NoVPMk!A4e6U)i_ z0`Ydw5<20Y>Ak7 zcog_R{fec6Oq}>A+b)nyMgzY0pB5VRz(flU3=Ie8$4&0Wd4d0^lmktX?q8DaoR_G6 zewP^F*ndv^2MaoFOb!hc6a@E{1*O#+wXQG<>qsR;Zh%|D}f zJT(dmI{HeU>|@`<%PP<}IU_?aAmET&?630vEx-dW{rvpa48Sp2s9-99*xl9^S=#Kc zf<7)|Xov+KDfmCK_Wvl|>%d8Xg#J+lrX~5frl3jU;NTeDTyRN0O7Dli`-2n3A@2|- zEdlQo5FM=m771Ar0Hy!5F7!;~N2zE)0J!QiG4ZwNstORJ(mVrS{J>O>@ay7X(D;M9-|2^N|mr(Hmaww1e+xVD7KFb#4%=(Xi`~H1d zMeturJU2I)3r-jp%l-9NivPEB-YT;DFFNw+U;C7jUn(KxBDPx^i^l~bnqX%Br@{Rp z@AETcWB$q$m{`jh`z1(U=Lx4E?bkGmzf=16bU#oL6PzjuXEs664~lP|q)t-%6dnPA zf=4Z|8|R56r>IKGwXMJJU)}zrA%Nz(EYuYM{irSt2Qyr&vJpnb4khQ|A<);)Gy|1y z#M6T?CT;%gH?bXgA1df^Y@R(nKJY(H7_&$dS{czdiuL@tZ%%*G@&Lbedt6&d^vvJY z{LfXe;s}QejA^wM;VG$JE!FOnbQnenwPGdwYqFHraYUqzj9%>5I}n=;-0B7*vq80k zi+6@N`u9w1#Q$}y@0(8`jzK51{pl{|sV3rx&KLg}lm&eeLq?{^co{m=KQA=_RpUU% z(`6@^p_1}%|ow1@p)NqC?XB((~VOezK*f<2VC-U12}su%Mx6@+SxG&k-+n!>3tQVr(k)Ho(nW_PeFX zzV^*}IfT3Ox{q85vqO6x17pq+ce`ELfp_3q5Q+8XPgI@Q4{_s#mlan6NQ%t*nN( z{nb0yy;y|Hd?c2;_iZi)OQw@vhj~;(#8XYQX~{f@oLSjg)6-GqTg_Oq9v9dtGV)bl zU!giuWV}MfQCa*+6Tz~w-Lg6N1FO}~FJp@j2QleilTS^f*Cq?$aXaRi*Sr^O)V`s8 z|EC-RgZxrKmY!yg12#&YFsw9MFW!?w&Ohtr`gKhuneX%?o zkH2^qCrri52^Wf~K%OBkU6epi;HcgS3kZalp|D}?e*0EQ+0Hi~FbhzYC@9S4O4DXX zMUi2&Cx#pKwM9mV*9al8-2sGglnRUt@K;F)GTaBh8`3?)IB%Y^b-noSgaeBfg~5JY zdASk2O0~nYLGQ)PDVwFi$vGfirRe%52Eh!4;P@tu6=ZnrZAac2oqv|9un;R>6`z2@ z=La^8k;i_#6GMhiR@NFWM$oCfB4i-+W}mNf;LxeJ+21Wf{ku!$DC1kk6t)%%y@%r@*{u3{%ug)mo`_HXYW^bH z!0NoqSzTeFsnylpc3R@y@ma1+0SBf<@!#w2h0CIEqT?kr|KNeUUVle1KueRU*pNiP zT8h-6%}(I&?kJ{g6u{{?%9+9!9};Ui2v<4uK8GH)4-f5Wx&WLcD+NC@8ClUi+*A$F z*Gos&+;yQ?PP!ux`BLm@EG`uWXE-_HFeI)2*#Y zqkWfY@A8swtf(K#@vl&K`+~f+ub=;Xv8L+lvd4Q=>smMDwE71ojsjgGik23ZMDSz> ze75Kw;pTWTHJC8}mE1wYgEH(q?FK@=ijVZp!QL2Toib#efpB)FJ@gmo6$X-xECJ^6p>wfOE9y+#!>tnjso=^nT2<1Tzr&#)h%4? z8_CG_aN(%-OqqshGeV`Y?}GoH*NCAxMn3hoPe}zo<;yojrrtzm$el>JtR$Lmj^^+_ z?rW_SgbAUy_H$oTt1Z@Fb@lZ619@AoJG7<3-z{6GpTKBib$L+xrfj(?f+zhmV&=;s z1c;_E@cXJb$jHdCu*fiSO_!WFxMNvVM+3jhs`MGfSh(R_%d2*r=&c$@yq2c`3ZyL8#Vp0 zKXogp;L@o0zEJ`C&U5VCquD5nvNH+dfMU@RPGm`uksp~K8;h5|3v(^KK1S#Sk7fN& z>vG-(`J732AT=W`HwKyK5!{D|vTj1e>7Y03$^Dx%+1MXDlmme{P`%{+2nVRXkho*$ zcdH6h@N<*#Ia-L(!IQ%~-k80U6v3|)8L2eM!K^F^^ues;WFsN6+_BKOP*O%f8t5?W z{G`N_{x$L>e~ZUa2uAoo$mh!YHsTB^N*pdDkKR!&st{RUJ4y*slk^mwkI7~{uNhhC zUsHD+IkZL*P5pX=<7KFy_XTO|YNt-?Fm^7?3`eP$BDpd`w)B&hlM&j?_eStwX&gxu ztgY(q zO_Z@Zai@8lc;5cBBf`m?kupX_Zl4aGDIL0vH+k^65id^YC>_SLwmWaPK zktbb5-><0V0N4bk$PUNniTN)dp#h}8DoJBzQ-K1Wqn!)4s6Z_@qoN59m1E|$LT8t3 zJKs-bRh&E;Ts)YN4D!)JoKN!7x)B4=kM@rLN*rRM-ZJ+6l4rdc?n!64Icx9g>JgP4 z>misf;jjH=^NEmE#ZHLgd2;1JhmE(Dw3~G#XTdL|sM1KE(LkRpWV2GlB-n9I)};gu zJY*CU(X~9}(PABRl`KlE$K;b!6knvVJ^a@$@e5-kDj`nv#2VMiXeD2!A4=oXQTZtP z+W1PFL%3s=#WWd(G$M9sfABC1y0HpSB?EI%ku#T<=I0LkqUTG^2$gd=MgHyV%HN}~ z?`1zz8euSun1c z9tu&$Rlqd^0$i;ou0~=95kC+!f>HyH+Q6Q+g7_hPR;fXZ!5sq-7Dk~Pj6y&lfDdLK#6lDv@wdCRBe!3{G zBlaX3UE6%j^Z(n(zP$ZuLKac|Fl0w8=!$5S%-wS6+wjC+*1eK%eLB-jxeCwm=CxEi z-(4X@Z`@J2PzwdSxapaUiD1Y@x+j4@^G*nT93@a=!H`dW%YrscyI8K;dT<(|rjc^O zrfyI8K84Z7R|tUeY1)i8j6z9ji-99j@8gM&`9xy60@GaENc*pCUTB?n2GcdaMtN zyaz;Q$w!<@oGdw#VU94fQ~NY5CsRuK1r7RMnB>K*-y1l03O-64yiLr?Gu|TKoZjN` zc7ar&+t=S&$lBpa`QjHoEAaBIFUh}cFya{o`(CF0M>m>tGG3I-JY^bQfx-n9avA=R}G*#Ob;xGoh!9tS?xJS^5(7 zoc238D}QGO^}nX9Mrm0;N88{JLW*EI@|;0OOEztEYO<=HO)70G&t_mU6OUn z;q3broEHkKjfGi&s*Q{+skVay(~bi#r-Fq|8d?>E(aOn~Br;M&LHDn@cFh?8al zoAT$2b`$q)YDaT63OK&AvjW7tcBm0VqmtQf724Bi6op#v$^J5M+zI$$Y4i z)>Kn)b_BcJ$kB=J%+dN!o1=4l;l*_SPE5RKev$oz`nD5J)miS+TEh+4*Un}U=MhBY zG_}vzema!7K45t?xFT_p@%WwY5|0+@;KsFzk=#v3Q3W)2uj1VPvJn1b4=V7mp&!wd z0wDoD3OGC7dnGDktOiQKk!fc;88Ul>On3j{cVgT@z;bB6Xwsh^v1$H>s>U!5r6(FM z3Y?LS5=rmn%ldEzo+!nSf_ir>Cvy_n?VhSjDE#~s6o{~&Qc*$%v}_?RK(h~wuk%d`PE6Vf}{$3V;*?<0Ic`dixKK}yS>o{ytA zSaqKuuvm_WZyJT7^s38F;Am`c((d>Pxg`~|m3|J?CGRiSAsSFPfn+<0LYRM|+fIxS9ctUnK`RYJ45W%E;q&B8@ zA4db0&oY|`cS+6pnV1MZY(atEHc2*%VQW82K0Vjobg=2VcPLfv;PSfuo!v#(l9_UD z&dE~4=d@J+iw`B8H%$+LXj8liZew}^wqtq{0q`pa;+-s>Qx}u?>B##0!gJpsfpYAH z^gaqd)(ZS+Z!Vg{=jTvm3;&nAiLV5YEnvse%6|>({cW1=83d|~J?%IdwP$4X_;E>- z=uO>{)LDzIvD6YHjvz}{DuJz})1bh7MjRf!NN$m;kij1j`pdK^6ti@*+5MGQ^A4GZ zFWH1m%Zd%7q(Kitz3oG4g2O{DX6^xVLP%n>$kmo}nLc%h!7K*Y4_>+$?o{?}f>GX*kC^z82EyD?!Q zJ<6Y=!2bDs;N6HC)pSehheL98g$KCWUuN&g#IK#CM}nZ4dGzNbe4*%?5AF9NMPbT@Nbffc5LwBxq^`S@ zQf=Flf|UFJ@7Cy06ilM|8Rt0^2!P%k!*uE@r?a0^3On5g7&lZ%PqHBXQd@XTlA?Dl zfwb`#mw2-@7v9x_28KLAQ*&>>%m-;A5V$a?Ju`G+YL=9MXuWY5@%25H?!P zj8W1PAyV^s2%`JqcicCBT}H6Y>O6?|vJoh%OQudvZH19kIIkAzDL|XkMP2)+g0%Z^ zvVUKah-TaE^uuNoay^p?zbc#!j7~Z2kmw{e6FAATbR?N??bN!Jae7>_%}~Bx&7)R; zx=i-V&(0-54dF+$RgdP*>?}nq9F6Dtr%qZQQTGqKb~`?HhE^|ah`McN!7fogogc2f zzqvYxc;De4K=C&==`#$}bqyxV%>bDKwHHOzv|Z?Q_H@*4(19HeLF|?1YZWt{DPT=O z9SvaZ8Hyy+0e1Eo1^h_xi|LXO4bJMZS|Ca zu!0xG0g|5y_V4l5=+7AEIo~a`QvhyBF&k^Ed+;=yD416;BP{_!la zgOy6qqul`v_RZ1nlp21Sny1(9w@N)Xn=%%{ZV!Ox&4ftiV9vz+EhFCwlS!YtH1CHJ zXJpR^AqqoGhzZ(p8`6w$jW+o|=FBcpmXw4Ar03q{rn^)u}==dN|) zB1g2W-xL&%cOn+d(w_e0DsxE|w^rzCX_#lVo^yZ6RJirV23uXcteBjXlJFxqJk}-V z16k2B-z>Qe@M1B3qyw)w{OEm3VDG;v~jy&LSYOxlx_Q_$RPS1#MkE3=V*O_|?Kk+FN zNDIeX>;EwaC1?Kaa&S#=54R3G;gr>H=frT%h-~<+TsO8oCJBenT;Q-Ps>i=Rp1g2N z2@}v0b{^}P;rsStY{peu#<@(G<83*5X=$ll>0FJlXZpd4*wI&ZlnAg;9cReU)WeIy zSd^l1YXeUTlZ2XO5^zU<6w4h3!YD|s*oQe$K>}v$#Y>$a7Vopqsy!ZS^d427JlH8B zeiNY@^AoMCxb9~U=~|j?-Zxsg9IY1YPoE9O3$A{c9?50>@LWcJH}BBJXr;f}tBG;^ z`z^ZX92CMM_V#0g$zmbB$aYhfF@@M>rKSp6ddui+o~|Few;F+eK1+VURI_aElYgR& zzAy=)HQautr@WK7*`z5!Wkcw^tU_66zkROu3ai%`b~zh4!iu+zR#u+z$KIH%^zLJr zzc1$Og1*(9Q}sAlTV$r7e}BMtgi>5}y3=r~+mpnP1F-+a+Kw-IYHySMEVA4SwD3Ij zX`?!Kt9Yx1l!4nR>K~S;Oj=>y2C1xI6UCE&AXYkZ7V2qTmdbDEk0UC8T+3g{p4)~R z4pKQ_A^RB3iJYFS}t=Yj4;r)QDTVp~2PdUcT(Gf)l4o=C* z+;z3{LavL=hTU&5Te4;%c=HpZ!jf=o$K<&1YaOP_dHj=Gp-n;=*W(VGk&xgLbsNKf zB3@E1vSZB$3n~21vXoK=U&zsUiT^yP5Z9X$E_i{%op%)54hcN1H)(a{^2*bl%GBko zThy&u+|f&wO%)*}e_{cF+!c&3K0TU4+JQ&T#HyStxqR1@J%N-s6_VUpISH)hbAQ8{ z1iyys&f$F!N|(yBnkT&_8bHu_3UXNAd~#3`Xaq&^FXfXZtl*^VV2l0S3e42n%7G~} z4-tjDJ^gqe>sbM+BiDAIKFMq$J!F3T{Q1vE54B{Vlg-lZnjb`qj*}g9oMn^DBOg*8 zgTf0+YHeY??$;M1Vda4d(pgG>2Po@9#sr3_zKhAB{29zOCSLQaSM%(O)Xfw9uRYV( z3p002G^Ur(HXX4XPS9HFJ!hGBpqn^X-?Rn2h@{2Mp`DWMih`U< zCbyHIiEt?UkxuDPAlT)vg!|_y$MNp_Gi`l>!w#% z4Nx2cDFKOBI%AXx8J3Lb8Bc$ZaS1iQ0P%_Wnd_mv$iXO@0EshEetxq-DL7K!ui@{H zwCgQy?~c*%v0~yP*5-gFp>{!mw8+@wtHPDhPbKg0$)3y5vOFYVm{KjT&6LoP8wl{W zBHz(r7C_%N$fwm*(;u`@8UM%eA$_6yq~9py&Dxk9dCfF&>Iol)KzLV|M0#?N_yl$R z`FE7e@19)iTl?3Jlq>zxvmK4e#d*2?+BX!-y~NVn;a#tMt9HkT`>qLA+*BVPR75pK z9NR9JPN#8>sl#Pf*ayz-Qhr|@!$a(6kiwyXFUP+Jqfxp1)o2EKn5?Q7P|MB7`nFFt za?^w+$tOzmk%-tdy?IRfI@CB2p^ECZ;wI>lR!;IKOI3}PEt%#6+vduNvIE=EnVFgT~NQk4{YaOL;m#m11xZe4i zGVfSGxsOJ5YM+2GzY|#pl4u~I>Vm#QIe@>tIr6ipY+oSdi%&}@vp`a+&*y0oZLTC* zx~u`3asT2rZND$vY8hsU-8lc2$g(P!3L=s=_bcoLG43(W*j5!Q)z}9!Rh|BX6=!}H z9&3_=x{egy4j|$T|1MrBrVZCTI&Lbh!r5FtjPAxL;9=osiP@SrrmmUp(@B$FN$py; zvnD-$6Ww_lc?Dl_GqIa$cG<)XIMVps-#RR|vxD!v62L8_ZaZ6CmYE#mVPSpB$~mor zzt;Z@j@lPuFS_hGb8O_GaMm?*dGvD%I-Qcnxgu@Uw<7JxRUOzDHretHaCRX6Y7W5M z?-Sky7-5$M6p{U(_;xW86=uVzdLH`$+P?>ibc7*KWo7S+-JHGWH68e&R0Xg!vPn;{ zAYAsVvSH->eM-cp%a`pl(AAIAGOi4BmtXVBi*)iHnxAaEF;^=Nk+)1js;uC+ovy`< z>~$q~?vMAYqlV%sz-uAqPb>nA2XU#$eAi*Gym1GPLVaLGX5Kk(WW+ZS7Z;~X2DTfy z)8F_h#?X~qYEn?epNgq}yT(-T+7tAgu1CV~KMvojOwgw^w{vr{eXE6)C+MnKaS7Sf z2yg3Qy;xc?4_sU-9b1aA<$pKp*s|wxn_8WtD>pr!Lkd_oFkUpi`RCAB=4>S`)l7!I zex){bRNF_M9bKTxTPnXrL1uZgxFyMVK7L@XckbrFlDg=rEB$J7)*&}3Y0&1Y4oo+JygaF3=E5vQ&uheOYJKR&k^!QhWO-$af!%$X`!5w6)Z{+WL2qW zR!$s!t&Fs^+$c4!#=PIOFjcJT5UfEX?5g-Fx~|tELKr1C`k+!YsPRkSc`K$va3z8` z!ktDPDJ7IBRNC_;-pzILR9o*{o|$bm4kVAYs3JQQ?%@uLH5R^Sm(vMCq`ZCf@O>M9 zde?D_pXWjZYfv|L59_ID?yUaY@}j)K((7l~av}kYJ6*3O zUN-0@9J;d(vWtCu2#Z8k@kYu@$B-KysMA6#w;DxH zv@CoLsvYDi=;fx`IQ?Re@f745Fvsq1gmzy#v=ol%M8p}(wuQZXkEg@@KteOu{}*4c z(LFg6Az-|7w!nyn@KyOk(kI~e__UZdYH@Q-PWX5VMb{PCjV**7i4I4tC8VvW*bUNIYI~5jFx1?9G4yni#&_^T{mQ!sRd;{V`ZN zF@-RS!WUqmr#Wm}E5y4#I_!^4!^4kOd~?IEzAJ7pbxC)F3flYcuA27*N2IZ_fz8eB zpYDt0Ei$u}FmIqu2T)QYJaG%IU+P_Z`}Wn+&AseXEnN~Fo|vAJ4-Z`<();qasp+T_`$R;Ad8ns=5eon02kLJ(V9 z!<<6Y+LDNG7HV}2MHX`yI^?6zp1(j(XR3@&#_%`LK^v*%$n~Y5jIYzj#0IczH2S|| zUlyeu#EwtOn(1#exn2=Z$W#bMGCaPRTz8aG97nR&qn0O9dwHriNO&Un#sBF=4~8(Y zJJhyFMZY~gG`ZN`wn#9RV|FRP9iWc)_S>nKx;Yy^7ieGYdfnbZIq%NLDy@nSzqC(k zu1}`!(718m4{~60yTCDx`bj1`ruSCM3{+9@<(rn*%>&Zq8n@>n5lE_6s!Uu#`?{4EBgxiUB>E4(lT7g02cuZbQF-LNcZQSjGg6hpN`65TQjtJjBVLxZbmVT`}yO)kO966%T zGCX3}Ll=JJ&KyIHT5}18Af0u~{&@AQ&vH7Tb*GC{Epqpuj0WdJzKX!(=W&rr@yM_w47P;Zf{AH2?aupcIn7H2=d>7hG&BpHXA z6%+y&v2jrU927ZAA&EWz8|R0p=)@NZ}P(tLkCn1+9rPjwJI}hJLGCsiAV=b`i!m@C zD@s|~65g%H2QYW%dcdo~o+Fop3W*oAX8`m{YcNbhscU%L{@T-btYy*Ql!^D4FB&9q z-(C?&i}&Rx=4_vAG@$kO?#z}@BZTGq9`&%XX&sY`UEc5;t}dr*U4C(aUWmqDt`o?T zxISvr7KA9sQ}_{biUrmcHBf-GlT_*Ts`p(f%#=)#?=i*p=9qLY!|?!34vWJNA*pYc z<;I{z%cj?e5+m%sHSc1~9;szIY|qzUt+)6c=6!Fgy{7+_C!yw>wR0 z*R@(f5|{`G026}?Do*+MagJ((N85e1~vr?WDY4Oqt(}ITX?eGR)y|o;!3pm@5qX+@6M$I;-%KwQy@iu!8jwUx7v|502dPu@iQiqo1Vp zhx=pIw;N;J=bak+d-jKWgJX>}VuFMcgzLj!DFctz?*sfoem+;;C|>e227Cbel64?x z(;cK9#9Q!o6qKD7f$`6J%*%(7jU!o-|B@UQ;u~x*QW5by!8E0?XN!O$XlR=>6owPQv@@esz%5Ouf^aiPz}6; zE@LI;G#QlMIJ;DxkW3V?I><>%xS`$%+59ZgtE>L3`ZG1SOkSw~W~$!6VywqU0!`wz zasL+%1uqFo>{~GUWvfDIZZg?TYW2nI#7uA-r*9f+d6XC&JY9BM|5*}KaD*oFbxdv= z($%H<{Jmf^V|`5809*l^qlY=-w@)f}#31@wr^ z#+ABX5im4<$8}doZMh!Pi)go^{uo80;*&lI5(`QMzlA(8-s@@k+mpUopRGrjO>w|X z91XKI!-TwXJ$ErWrgky8HU>^>9AAE9uJnEBTjTKMoWD~ke}C4sO*O7G>iz;#&HDt( zCSS9&=R2b5p9+HSGKrwXr6Tq}UEC1;Ts~AQ4Zxv7!k{{`%65jVcYB4F&g6}&s7jcq z$hFYMy1&?hZ#mopXjUuGGR-S*{DM~Dk%yfdE}jRPvT)D%*TQc+J_t!SltbM6+K_5d zuHW*vLp87@iizZKsVKrk%1~q$@%KAdw_R@gHJ7)9iZ%x@BC*N6BaT0G&;0Fi{r%b1 zvh&lUcwy%vZEXh7TNVHac{*DOzvOb2lsDHd?m65%Dl9Kj_z{qB^7JwHBSK8EYt&FN zy#Vd9R-t@lz6`nH3(bow2i`or_CYG|_ajDDx?;xcZ+xWY3Vjp_MI6UWWhwbGf52n~ zC|NmZNwf5Hf+g2t(j}1yd?wYh28*7Fssh{%MHz}as9a@a8zQ46a8=4Mig>g_cwx$K zb^wXq|E>h~cl9GNDv|puRVR==QKQN8r`;~As+5~~vxJ$k8lKfEo zl1TWJI`B zk>oQNA@RMSB*)@;z9v4+b4#DSx-6*#(Lo2Oa~&q{mk6>9$jpfBfWdU6`*Lwo-V%>& zS*Vr$&moOfkoI9{>G^>>pq~R>HdOvV_Qms@96#^NY1t|FUlK>f zC83ppwia|utY;~2f8mi*tqM5l>WcOKWPJKG-KvlbV5!?Lxs!SYpd5IlZxR58>j@oQ zGo>TMX7R{%d2J=jbA}ASmz?tc3F`iyirUYF!acGt>b+Oyu6;`e6i4!OC;?AZM@NtJ zniKnAo+YLXfXKdRL;e*i4h$e zL!yEuHaaFL^zdV+>DYJDokn|t$%+pc5P`TTe-mA;u=1n(_1Du5KUG7WkW<`GsGG9v zXPauy9@g)z6KD&<;XVQg67FjL z&Cw!koiW?Z9@i`9J%QSC^N)8p2Ii`{V0|R_g(g40?Sk8aHpnlT^UyIW zBWO^(J<3SuZfo&^BHL-jXi-Y*P9%qUWi%74x!<3{C11RJEfdAuQA+)vjYCM^;}Axr z>YYx54-Pp+0+eXHh4mpg;Rp4|ri}Nt5tXI4JAj2R`fTpAR;l|OZMKP_(8UlhmY3Dc zM_7kV7=;)vA8^C&x;F?NKeVM=pUR_SRR%&q#|R1vVAM?(vZuPcCs3qrCq#0i8#2Qf zn@^{CE*&VTMhF<0Xn1)^GH9D34zV$@N-IC2OPaze#F#q#2L^D#Uj%JpwC9NaxFpk6 zH<|8wNPNc3~wJH4Iq+TMB&IG<_Rkw_CJ zU}Tm$V+R%=A%Ip=x@@!Xl&Q+iC#V3{W8sTLTy&bT(%{%^**eyHFnLy^z`_`-N)(x@m`a z_BS*N^h-5uPT9w@EDsq3T-dPN<=>wAScc3Vg|Vp?J_t~pa!Y7UK92kIVPVZocJXG6 z=``R*!1T5>y5lTVg->x=Z>*XAs;8Z-D3`yy=-=^!DK+FTITl+{me}{x8m zm0zR5c^D8yHFGWuEddsP8w?hdMf{lkV}(X~c2RsCVNE1Oll;tii4Q_I2%JAWiWPcVoaP~n6dq9;e>@WIJvkz zUQlbhOL>J+aU=8Jrw#@f<=S#TQ8tu!*SDeVFZ+9*PjA@6^r{&0pUWUr;-vvwa^^gz zkDMfHItvqn(Cla<5~w-)C%B#)v)%mG%FZ#O*|88=<#^*0u5}v#_$=U(?UeK)OMR(m z1nJVUgiImLO8-SB%ZE@HPfCho@~RfRC6&C;4eSQkHSg4v!E`J3cBVG}Wgsgv0C!X| z1^x~mOu6O(*;uikW!(uPBr}U8!)lxC?ERtB4;YguH9X@hUk^yB#QajpiSKx-{N7jDGJ4tx)X) zr)}Zj&m;FCKhA#|!a{uC{wkzb7G(L)w64?j=VhP~kM;0Uy}SnjJfq_Tb!am}5Gyj?Sq3}0ecRF!bCoa=Ps};&>p3*G}nNZZbs&LYffId zJBcHu#BF!>RD|n>fwxSKJ1H^sW1;Y^SVLirCC@l~P{VzH!@(wQ)Ldwn~CZGNhTuYNB3Gq`Z*WOa() zQ0SxQZ(w#_l_U28E{R02vLMl))_(A752t=kF3q3{z`1SJ?r7ExF$wTa%5YSj()#a> z$2Amc?|5L_BnoL*q2)S0*=`?loZ+tc)*}`|fZFaIWdCo`{I4;s9XWdh^!5I{4)~WA z{QkTvz*Tg|h4ANv^3e9;$n1YW$bVjqAd@WWu3n|dR-(!FR|@CZnB#cd(DJ9m=c+^g zxDmG)pvfEq6i9%`3TWes>0D_9taX#)r?xwP3rPKK-&jziKYeO0{}kLMtFBJ;y{ruM ziUGEHKy3}^URI0&H7hvEtdQgYH^l$ncfL)vF<>%C09pAv6)q4oc>}G%o}T9)KIBgm z7?(|O`%a6wO}qZ#Z)b+wu_(lT{Pv9vXasb&LcHtiMS$c}&F7jVjHEwoEei)w1yp4K zcd|l9Y}a5PZ-&E5Te#Kj{l~!uGq@w$FlrX7_$F-EFbIAE60+xiHk+!k-O+ALb7B11)CpTO0B^hEOJUGe{7>TU z?#5w@cX#v06;~dXto`#5!~3;T0SiHw`$2s_=>dJ_lJ&<0l)aq)zZ9YwZ>d6CoIwx#WudU`QSv^| zR>uIY_QY4pqOA#1N#V+8FQQ&rNj$n+K(Y70F#hjSC2|74xkO#~^NU~mGE1aECLQRggDVYg*JfX6OU*XMJ-N+Ojy!6{t+h6V-n{U(AIg_m= zu<89{6akUO0Cvj9_HfQVPA4FW#EAci`+O#Hf1$Q|x4E!;&2(Te3+n%G zgyjza&}@gNRP(D?PrN1=Ci@#ysasM#k${(IM+liuWksVAqSNMhQtr`0lq}0c65Iz; z^i<@IvD&hp%B%W0RV1bl{+j83)}JwsF{Z=8AdX&bX8fOr3^6}B*v0ab zl|pBO-(sVqC)Y&OW=AX%`dYC<7O*au`ju= zW~^O@vt)46ihTyx-mjVKIi>bx!5j(V?@o)quV~hygqMW(#(J`cK1E0S0DXa_kvtUv z=mjs3!3)hE;bjxI4rJg*9VoShia0IVgh4H%wO5o1*O@G!OU%3^x8gNjt>#PC&1V_V z6$2L3z=Waof!DFc`sss?hcaBhH$*TBB)KEyzOpK|^n790>XH%@w3+wT{&y!V69V3% zXs({@PnAIG(qaxy*&aa|Q(!|U(^5+is(l|~I#)tPMb1Z2RSzeDa9KUY8HvmT6nAIb zPQ)k40^x~+O5+C?F{Zrwfzv-*=dlY*4ocm@jRb<0Os7!ZaJFgWxW2HH{kTt?Rhf3! z*eS&+SGBycE2VjhOjc3%w5V^^|2TayCaZ1f?~=E%tQusfpf)4aZYrA-i#=ns@mg)4 zB9>VKtY3=W4`V;ri`gYAUPS{1mo2C5xKLR9mDuCqnRP)0fQ_2$r%sj>bY5fR5z@=L z4w<}TOVbvwCXHR6o*m|17BYcT^phWy){EjOB+q4eh|TIEnb--N9EeFo}-|11v31xA0 zP}YchabeU=Q??JE*I}-J8?Nc;WBOKhSn0K92UuyZyQhyAA_i-!w_1i>&)%9iXs_8h zZ?D*w^RUEqFN<|HJOu<*&sKeq(5@alzsUNRI-&LmOzYk5Js$=Iz7n7gQ8Qjxym%OG zEYfY^!(~5IaswkHT^M3uAmuQf0j6MRM5XZpRIozhtC-I`^a( zOetOedy~*-*uEi|5B+G*uj)m=*w?XBK`+d=^DP5KEM0&xcVPc2<@$ z=!*Pc?dia<$?u~2`n@AkrE?7>KiSLL6u8waOCj`kNZJ3)M|9bBZr?&u@9liJ_1HW- zAZ;OWZ8hUGOwbg%8v_%vV#$w43K=~W`#8(9IuCxdaQBkCmx5n;cbjK#=d9X%@_WJ$ zERxPv&x-8<+pCJ*lJ3ftdF~_A3FHvm7qZKp4Xr@!#rF6z;H^?moL;?S-Fb_OOU-%24b!6_L@N-o8+^7$GwTMUwT*0!?p$mtdZ z$>mUx{Zt5%&>ef!-KEqi>_v-Z-*`)yrT5mmErv>Jm(-q1e-_Q`FE0{N(JSwPFH~+q3wwohRHXK7_=>UO;~2WfN$hUI_;)$hEJ>t!C*>t&&V<5JG6! z1YT_R<{LYFzMG|QV2O9^KN{IDPos#6MZVr z5&OZ?#jptY)vZMn)BkJuPI>w6GUT^id>$7Lt3TJDYOLN^LAjfm_yz;Q(VfX4usUiI z`T?mM%!VT=g8>O`l}aH}9Xp3MekAMAK|a=^3%|HDW?xBp^QS z@<}gFK4tB?dBi->ms^ki`Q7*GW$&q(%TGveX8BbINyA~hEcWe!T*t=Z5ncZ}htBm_ zZ&nmXX*nlzXpi3Z4rvy4&_?Rd~! zdu6lCj1?Z`%#V4UELyx`0YZFue*0(ZcrLr}Day+fxtFatTDJ}3(Q<~S=wzzJEW|3@ z1cHEfPvoLchemZW8HvT2TxT-GPJDcdd*I6a44DbH!VwR0C-w+wFz=zAB8__c@V#YatAaA)$$C5)Al#nVxrQj&-VW~%!EXi!`$KqAVQ_FA% zWe({|gHE^}>Kdg^y5%3DWo^mF5xI)WT0eOsMJ=UCHaujf`mY%#%n_hXp^&}E6u7*| zFFDm5cO|IwlEMY$6(!Ez_Cjm6wvT5IYidU*h43TqzLR1<=Nz_4KL_~cK)zR!!zm-5 zg+U=T?5^;x2JuGNektin5ItvVG_0^8 z)m@TNucTC#x$v!g0RyivFbLm2sVBb|3Nq_ciSD|Z>65q8Qx-Y4bV%(p+9@i|g--9Q z?&cN2>Nkeh>oMJTpRc4SnVPTV^}W!~;`yJVc{JmWZ(Sx6+x??#flH#cII(cV*Lo+M z{bDyzd^dTVp6IAK>zR)`V7Af>oV(RjgF#cG3J1%(v%LkNg8fDNH*R)5$*;NsZS9Bq zc^fVV!`3$4TcP{SpkLLC+GFF1K(RXW0}Tf&RavV|vybYK6UOQmPzpXihn;AJ@oxa;l0=$WUHfg0vFPN~_^mmCojL*F6(AAcMG~oY5d?-6C`v{r zBn4^BX@`|0o@}xJ^So>T%5#}Yy(C9w zGd;PM2eC+deWFzzGc_(AM`~6w{>p1ZB4LWfX?9+%f?o#V(nf!uZ_ndG0Iy+})YrD8lAbqjP>iIX&HVg`Ka(1%TvFdHPLO-_AM>Epu zt-@2KM~^9ht7_+%QOj!?Tuj|athAtSM=1CP?jdOK{{4ypah6P^G>}kRF_7%%xTOO2 zUyh>}K%;~g}N zO;k-(rBxF#Fj;3}@tc6=if-jS!$*!c2kWw^|3+J?s_?+l6(#*$Zd}BkPflkRBB}SSPKbNKc-BKL(Z)V)N#(Ene8{n+Hr{Tfh!6PW)O(o>4EV zprbQY)P0$bI3puN7wF`0EwwGI55Q8j!(zQ!7Xt-%7lD;_ZJ4=eGpKr&^HQy39WG2_ z_$BJEBjN?vSdWDj9G@G7pRRpvbq&#UPO{gs27qG`{q+}r&xa~E(4YNj6ho-4m)Lc2 z*2<@p_AEhUiMr8S{iM9if@rhcfw#O2L<~59d=VqDD*+LOzXElFKkPy3#qn2R>5N?VJ%(FW zyZATbrhJ!geNV!f6a|Z8H^NSLzP{AO88(%~Yw67VtupFC%Kql_smVyL66xQjA1_+; z+aUoWk(BKPQy1Kh>o)~1@u_InwJJew4Cj0s7z~M=)8RVojd5uX79!V#0^y*erYq*E zSA`hP4Cjc_eXhi2Zzk-1J?c+d^Q9DW02&5r#cv5cuJ)e$qoQ=GdD`~JB5`?|>ea+w z!8(A$MH>Y@j6H-)O{8_CB_qiR{#+J)CAC7~`GwF`H7_^(A14_mQecXZis!sLSW};g zk_eVy^+}EEUs2-$OdU7|%fx;3yzNI@y4lPoIBDU)e<1E?jjIPh-fk%lkY_1SFI+Y# zKC+%dZ0zyuC_W9KL)J~R;nA(Xmagey?c7MX3p|XAH3RU<<|Jl>sh5l(})M?H%`A+Kfes0nv9b z<}SBm;@rOz_y>Ncw%bmTzveo<)GIZ+#RH5p-M!JVNkNS#lx<0Kg-zpQL>Zmg?Kazo z)=Oo_Nmx@Fs-D+YtDlpftIl?25w7%7u07?9@|ATB(Y|BQzgpR%vHs^^Q7v`B&qSfq zlc6VKL}%-Rx9T5Jt=N||KKY=PT7S7D^lhd>fdgCM{e>f^a(aznFY336^EB`%KpKhq z;NSo-JNG8>$Ax;R*S#|Ob~Yz^<~l05K2i+_9I+o_>GlsOvv4olRMzJz1GKl*-JGyf zb#6o_XHN-oy!KEkDGx+2e#L-Z|7N6JcFA0`GOpX)xs^?f&SL!>o(L=Y%+~>;J@(ir zqcoJvG5Z@)4M=3SL{-q<0N(1q2%UW zn(oPZjmz>fF$Erfj-GQp_kwXvwW4$5A@>92;g!YLeX|YjE18H_Kp*?qbdY3A_l&v{ ze)Dh^@Wo_ZI7o&H@vRucbiO`Dbv6x1$dZ|F&&^#JaJT0&)ARyG6+4xxn`w9Sh8upg zyRaysCKX9b4`d>iIu#n90S9{zG*s9*2G9Yr+p7~w_F|rOOG-Q)w+9a%EN3F-YZULC z2?3QHa7f*e)D?0(WNC-IX*tG7ujBV-FO3pIDkE1luY%& zx}^|hCU&H{y?udrw!|LX*L?f`v6&3Kj;DrgNl z4T}loWG*x5mj-D{VDf>o835IT)s7d`-$u{JN?y42OWFm9S8rD&UwMe^?~k3m+t#y- zoy!aHZI{MsmmJeUXbm!1UJ1|xIYT<@*i$ZiDfFuldp5l@`ul9JsNuht@(TX~@qtw7 zU!1mT4_oi?h|g7HsStV45nukC(`SHKobA%=Xzelob;gHSwuDAz>a^6_?LWFxr?Fq_ ziw)HQ$}glgOokytSrewMRuntV3sTyuH|Gx+ zYRPq&S=qiFRZ{<(rp*%yG zDwKnCwr6!BPld4t2t10BN9rpyDs4Vvuuz$dh`%QKG|U5(bizSSQ3;O}#dhaxsPY@i zTW=E6wZG_2Z%ualS{@2_``U{C(s}6!2!AC4k(<1ySzO{5t(@(RUYmzzF2i*vljiS%`8PX*faA;dpp!9oLAQ4OJ9NKf?tJNNb#^nd zC#6!s>$qOib7gC3)4W(NY4wW%!w;ck=*dJyKv&L5VUC%GaYhjq1OoBy-4Gtr#xM44 zcOTlT)oH9HQ*hhXqg4H7;dV7UHJgCVr^b03G|@MPW|HElt_?l@1>To2&BKn3gCl1_ z_hLe$UJS0Z&;4`GxjU&1<&x_v~mw} zymzK)g4n9ul)?Mh+Q{H-A*UHla3c^4F|Xs@TfWlBb~fuCZIb(oCcBPR0^7^@!lIsw zXbQ|Y6I~y^)0c-vdhU1cN0&8z4&<*mZPQbUR5wYuG&fnefdECDjX+pyYpbTFW^mI@{}0X^i>2%s`44KU zN&GsYfks;!S}?LK7G0BMG4MEC#bReoI61WOTBo&R4MU1qmsf4O;m3nTg4QmZ@7r!} zx{h6%sT&1v7Fs}c^6lE%uKlUN(!I!6ElES}vxli?V_w%|ydK^lmwleCQ^m2D?x7JwO3v#E{D$Y6)%X~f|Lz3I`gIoM6!5#P0$u*_MVzD0- zlbdzu_9#8Jp`U6>@8)LQ1AZ2c$)Mg57T>tr!*(@yE5usVuyes%zoG525U{`F+$fAi zy*zsgcizQJh|@VwIs3&w;+4HsXyqZB4Ba_57mh5}(+Q7EJB$_BFm7*UccP%oP4O^z z{(SljRfeiu@~k{YAq;Ki_;N9Y)8j3L^GI}O$8k~Z>f~9hxa(`ORADD$MDk2dVV>Nt zubZrf+Sn-~rZ{tVrkyB-DGSWKz&*wjI~jjZaF|IrUu<-hxoQ%gO$r2(h`Co1A_wKv zn(pwWwKSqJow>pnXZYeSuj*GeA{AOHJkKNND6Dnb`+9(WMK4G$+Ii`vocYLC*IxbbEWjcTBZ$wB&gvh!f;eiU&Uo?gv- zGm>56)kLw_6DrTh^Rwz%idNZol1CZwqzMue51A?vz{4#m_89VPyzLR$o@gXb6FyBc zbFnbvKC~7;EA2x`M@x0f6<8VN2hYQx)Z;PI;M_(nzP~oKmtzCO#@e=YPiqBEr&o1~ zaiHsxOLwzGwiElhxcc$V+2^%(ctMeT61L51St@S(%pU6gK^2_GNp$PpK7GHtl*lUl zR0I~EU_Y2(Lb2zu@~L|&-0o3; z0YlQuID^%@MP_yRvyaj2nJ)M<@-}e6b*o{0{s(YNCr)&L5MRE9Hzcokm_IN3M z>gDuW&cdwgw(u=|>S>(y>lU;GLv9|r#ZOR;wiexs_We1%qPdy3C;gmf71izA)-i!= z5{=@fB;YN>$My((1j+%PvY z-O+aZrMAC-<0YVbF%;LPcl}GRl~6-FI>+$3r~gWp!s}|^tlGJ+ZhcXpV9DIs(JLD2 z=*Wla*HkNJW;3-u;L?8R#V0SY7!^oMOu~h+>S8M-7Lv$}kA17^wjT1tSIwy@j~PEg&tUNDak8QA!Z0fk0G9kgfy>gaBg#i4Y)$009!n zU4fZ>&%O6M-#zE%d2E>XUFBVC{eR`Z*30#D_HJ)tR|Y8&*V`iO+FIT;H7Q9(m}mIt z&FTp5gejM>EZ-G)_r7vFc;y1+ZqUZ3-PW>@%|(-eyTkvU!!oGOgS<(9!qLFU_Rq3H zVhDdg8&|Q>*F$l%)|V!=EyQI-iZCca3>>of*nn}S&_dIpGkVllP1Y&$Z42ct7mR=9 z)B5`*<1sO@>#$=6hB&)6iW#1B*5^0ANK5JWOUjXz)ms}wC%F(e#z8RcP&t{Hpki>L zZRx|93obPohj8(U*+@qpaA05F%qhXc$*83^b#ny+NCXj*Zk-E*e4WsoQYG3l0N`rb} z1jUzW;4M5)5LI$hsI7b(#yZD^Y1_(O0Z?T#ns!sGb*VDL&`_}q4FId;Q}Ttzsj@#) z7Z^Gv3%}Ky8gzGx*6&{!v$+FNvk2gg$>GCkm1}Bk`_n8mq*bTNIF!GmD8&;ZDtA&< z(JMNNFayV6AWdxu^}~$UXJj6l*lh5S2_AGquZ+cIHNXlv%X$#;mDuIqf&f5hSy8MAKA)iSIDT*N z{O$Iza@De%J)XVxydNi9=N4CIvWUj@kXAYFYOi-HW^*%$tmq|fMiQMD_BqAPdy}@% zSk|k?uLIqbkDeEM{o3K}rnYDnfGAynM7(5w+IMf7tD&AbAGHbojaM8NA2o<})nM|=+?+}o!;x>wT zCZH9$=0;Sn$$5y(66qR1fa86}Z~rzo)}SY?dIP*!J^&c7tyYM-vV--1_tId0G4^gVtN7mwPRn%hih=-*y({?gVPNKdS5H(p@nJ6&Np7rOa zm)sa%1W(CH^e(9Q^MrHH-;Dp|qamr~K3U|8LSdaNV(n3x1F2`k`*Gvq_Vu$@*9Vkh57L^i^(SNO;dN{J_}ufaqIYX;arFs@9FBR zm^>wjnb4lc2@*9ovYPg0d~9zd^+;BI-h!fyy0oCcN8|M&Kerys^-IfWykt3&(%?Kd z=>O$RM&Po2KYU{&6OokjfGF(8kZe$MXa>dGO0PBe-2*tkJue#TL54XIZi>2ga`!h_ zuVmM*{RqBoo3i(z&Bmy(^mE0~&`=|IUkp_(%PSf#S(T8>LoTJS@;5~N;#lC`T1oGh z?ccznAEJeKnh*QT>G@ep0!d<`hvfp5`Jqk5;*aGwT+r8=MA7nP%x$NruPEjb8^PrgV#&$kDXVBo0i+_*HqDBd*+Tcv_^@9 z+(EV>9#n~`?Y;JEEC`Qj7_^9qT$|1+J(e06)$Ku^DeV`m6=Y_K=50vjlbZ{Mp2u|j zHdkfnW?q6R+YYK8;b?1p@Fma4nQ2}!dX;=YSGWC@CjI0lTboUez~MDiHGEV_Jy{}p z8{?QvYmm}HOJ`h-uB2{KKkwF@m?Fb(bz|Gj%ovI449AEjXUnNWG7lA7zMSLzOVjd@ zquKNm!^+{Uc+_Dr@hJXbVsl~WX{Fhz#~aO$Y!=t_NZp&Cy%{o-yaLmOm+DMrRrDzl zC%Hha5Y=nX7}twCZ@Ca>BZpp2@lGow_K!0mh3M$KyY#fsm&4(>kX~g{AAnjt!TwuA z?xQ!6A0bvDip3Kd@ip~beLai1t#-|;jASN?8{-|j+6HmNYFSMmb9%VnF}wftNNp@T zH-J%siSkpzJz3}>usb!$lcM$gR9ZiX<&k3vg7$Q^C3W5x7qJ_GQEj72g`rV-o2C9_ z@kVMX`Tezhlk^xnI)79z71R#sRy~$Ja5?W7ruM*B&({W9QABFwL`2gxPts2;Gqc&3 zFBr0z$g`H4Jd6`oYh!$J1Exe<%-n1C6Cg>=^P#;_;?n-K1j1BGBpuSKzt_z(1vQD+ zvR;3nM~V>(Ymm!zRMJ8XQAOM$ZZ@1;`D}&kYz?2(!$$uBBkD=_N|P>ZJ)LW962zJn zUr*SId=7Ngg}VunWP<`(TeYYgv{3Leqm0#&4(rVL20~#|$1C{Dnhbm0WEs>#-s*@V z@gL|lu2}y5gHr%z6Khu7I%hguo7&c8H+m0cy!I41pe=ndt z(iqd&!;`XR_7WNaD6BF=!e9!P$=rE&5y>Xj*K+EJfBSxKe&)`_ZX9uQ-7xf?1zn_p z9IS7ne7zz8Q@kQgt7FpsEy8iG;~9?$C($4I%#jzl$?weAvHag8^!lKG+%$u-la?smP#LK@(2tHhp=%+T(AX9^X)VMnRG3f@auK z?rM9RqmOuP4o8qB)vG<`gRbW9_g;68#Oq5G#O~Q2qM#>y`7C{XrijW8gJ(qocGhEkV3cSoHaR z-oFDyKi$H5y)$wSLO{;15nI2^$jb8GPDU@g&-FUR#9B@T?naj~Zo0&22Ce~Y^4UlN z;gXxV;>1sG>oqpQnpHa6IxAl0?tq;pX@9}je;E>rVIkvTNDPR4u`{9!u$=ctwclq* z(DvE0u~T#6R1OY8w2YvUF^`U|e@T8!QHv(tIRqGog^PE3 z{4m|8&(R!5pfgE(-ez>0RFQ@SXj0$mFn5I zg-o{rJQ>G0;$H+_sua1>2074=n!=QR&WUPMp4jJKm@gioyg#G1_7(4yj9`MFY-s|ScBNLJ9dL^InQ@(y4w>%uxlC>C20Ok{sct$E2ks0F{2m8`b%+z*~OZxn;+L$5>TV(Bad*+P7jV z5W$ktrLJ8r*!a5JIBuP0BJlc$V0C%&VS`ABCT)@4m>E910OAze>%n+f6=hG8t46!9 zYT{;hz$4Gl=K~|`&+J}XDz(XvPfWzBp{@}451f)c#v3;x+#PAEfk?`#kZpZzuj*b( z3EpT3lQRy^&OF6y!sPVUIlOr5mg23}9N0HKJ$>JYU$NlYy&g_SdB|{>zJ3yHaWBtX zoJ_>np!;`I?iO>2%e}s114pF=WN{q-H*$UvplLf9Q8xTP3<-x?!Q#-)6>oA&KkuZ^ zI7TFSi%7jZ*%Hd@;Le-8uag_;t3A}#N5&3AR)J{j$TG(%MP0_@S1ik&o0J2ORU(yp z>et{9HS(X5n4PKtZj))vL7eL-xh>9hFAwDcQ;k5;k{Q3*>)Kgg&cBG9vG>l6_h-D(Chjj>@4_QdGtJP1{(=gc|g$MShVk3^*Dq-KqE4TNP)FYbZI={DTXpQ$bi_WhK$4G}L+j~A|95Y1_O z6~>zsqt_}+N#joDhopmE8uVKlfCQiPc$u#${+8-#Hk+%4mhxP44u$v6{@6p-qBU`< z1Z`7TMixO493Uk)rNm6mgd@2Y`A>|4634w)gDpP;WyqWO^?5D)@D}$;C9X6!w)F-* zHbyA59PL-w^~_o^K2w11pTbQEtwMI;4x6k%oXt$KAp2E_$w*;XhMI>GX3BK-$}~Ie z*=><$;IlmMv}y7dvb<)#fX=cY`!2-v0};(~Lz6q%eA@49yPc+y;x}ReT5KZiFzBM& zc)}}^HO3q!it@HXVI5b5p`G@d(^J_50@r?<^LZ1YHhqRnF0S*Tf*&E^NB*X z>5N@}GG+3vU###=H|0r=nPir`*(~2%EwqV4iY9y^2P0Z~btq4U7f_|?3{2r_2=4*4 z#jxP(y_nKo?7)@e9KJ?_c2&8t@6`8jL}h8vXc76K3-sOH%f{=gTa(|l@YA8TRXzo+ zU!S@csNfTq#`a=NHfT(xJ@LxZU)y9b`<*QHr6JdpEDXFiRw6oHImI9eA^oKTC1Gpj z;?-a1%W%E42JR+U3!QD%>g9-`Vn~`qE!nEcgs8To!vL~!Z#4(9{;rX#8l>D{7HF$t zZEl$6szkEufG7%D`14Hm0!pxIgAwtz){E9fHc?S5Fe&&4rb*Bj`o#fZuV|1w{*BKpWl8NYrbms3Q zQY}1C6_h!#iFHcFs)n@HzH$jf3&%>I?Ud;Cyt*os4q#u4Tu*r$VG^~&esiU8pyVNb zsf*jLxA|F_d9Hclkuf6CH_h^}T5yB&)~XXZo(@qBLQhnYJG_=frUE^$gA!cIAbRnX zc{2T|V9}@j5P6B9Nybd9O+AdeFmIXTs$a7@(p%EexJLQC&uD&4;}}d3jd}K^VKgah z27gdsnZcJg+8RWDY>BuN6t~WdX-=+ACOvpCvRt7_7K|_Y!JWB=^FY5_1!`+yyt$Ay zVb9p17YQW@_ZQk>OBga@UJI{=C|Fb+&<{yajs8UhY-Tw@6B9ux@iO0BW%?Q_6@T6tyHZo=a3)`(jPueZ z{1+cW%mIsOv&~vgWKX%+@~VpqMI-uF9Ga8U7OSjMKMt8HAX947sWj zm%x&Yu!xo~2e(&}<>6~5636H)V-V0JLNar)ThFPj(rQ*9Htbtt?Se5XZPnOS}dgN7IV>Sg4M6=KD#zw3lQBUv!^4cKl-$1 z%=j|zenSiNxN7h(x#9PK8fC?MsOP|nvB@cTrC>0oFh79d(vNpNsD;Pg2{fNDWW9W> zHdZl5tK&SyC$phdg`p@|zq2k8?zmO05~c)+iKyBIiZ+`&C$o%~`}D@e3CtGaMo;5V zD#i}WdY{jYWdjr?!MQ*+G@B&+=vB*6g-0GwIIg?37LM>|72CVj_=&3>n7EUN4;O4C z?k4$iBiwW2?g0WFDLNRGRF1M1zCCY)%4@Iq0~!( z*d+o&epl}z=ZJ~8sGsr^d8>-oHo!WNN{lA!bp#YF@sUd_2sl5!c~svdg@{_IY6ptK zBjg8$56#jf&6JU73eFm$eBGhjy2@Bx?XW3`57-!hv>e0X7n%&|cKF1#S?~4HM#<9T;1K1KHZXg@#$!M+w~t3+FU(7Qyx5caNvh;Wra2!s*IkmarT!^t1Ed&hQ4M^UzhsPJ-V=Mu0F#W=e7c)?hB>&B|NwPg;-M}D z4C+SgoB(YQx1JF9qk{3Zwze<7Ul$E*piQl#$a|P3aqI7}CBGk(MRpx4Edrw!$XOFB z^$o?JE2v_QkaAI5QZw;5XSc6FyRe~tzrnI1ccb4_Qo4WKm)%sKQk$u`>c)%Sdz&So zv`2suj2B)261(!5^-Fm(j@@}n%%8W`9H}PL&yA|QbxrZ0M)Xz&Frc~7no?vNZC9430(Y|=h^v*s zviv%y=unBEU?`zqaeXdZqEOt5SA@kMFA^{ovmbUQVWFFINr&%{ z+a8V}GoP2r$RMs7fOsMfBrJ4d(kPBNabE}0@(-|jd0R8H7|B&Y5FB1S!z7!G6qMZ2 zl6an!i^Cl@o4m+zj+Y|45FJO8la=*v6|2Kv4qQ8N3)+5M4st};4M+e@P9pa!NBD1Y z*R*+~RcHfg%Fbn%z1!vQm4}$DOT@p{MSneviRH5X7LX65T$HnyC~WzGQL&=;7`nQ| z4nj^~<7~Ekp+6vvA-PR()tI?zBsT`)`BTptLy>r(Dw3ql=rQO|5w8`BA8Ld5Bv;OF z6mGuXfj7JV?nkw7L34Y8*CyIsUSIvNZqpra0!pAM@g-8mCg&P!%^XbwZOg}VAgfEG z@Ixl#P={++Rv7R)yzt*DseIyw@e6U-GLbb`48 zJZbX#_oshYLGO**);fRA*F$sOuaeIxcFf*xy>QagGZD*eyrhC&x&)_WhV~j!+q=Ct z7e|^Sf@p(ZK&o-_i!^hsIQ~XqS^%!Uko)f1J{vq=$Q+eHU#$PpjV&|5n~3C164W>6 zTp-FaL?C>G0FDY+>&RNgM3KyG*X)wr0ems@_ z8MpxA*wGNm3FV6QB#F%?CG|E=Gw<$c%RhF={L)tG83&6C8s7riz>zS!Dq&QTxRNKF zZ$WO%-X_e>bJMKE!lA}ip9Taa!ar_Jlwo*Q<~VT2oMNvl{Vlsb0BCkViT`*;1}4N4 zltX~&{r>%Xn(v7NBRStm3Oup10pE-8nQTSzmaEWKh_bM?Fj=-|)K^0{r;BHFHNLBFV|<$c$t>}+67&Y8R(XA$Z+!PTfkd2JyCRwb{uwI~P<1mTShme>$NLO^9b|m}q+o z^`PjbOT4xS0*ua|+P^gl0qg16fl@y#AK8c(!y=_IG#wzAdWV zTU$vDidCOj%xq}y`jy{N6DQ0aitKo>JIawA$ahDwDyJt_za3*Ha6>Okq!?uXSmA+&mYGy03C&Miy&pj^k??Oou;Q`?K1^=t z_Bx^G36bJbq6b~{k=^%DyQ)>A9#Sty^@@ObMulxsb`n?Dv&gCSkVo;OKmP}%ARA4E zMZjXG)FBTgOAWH~NLEpAfG#o6Xmj(ooyj@XVhe*p;RlFQo2;zF2JYBxz42fb-E1Q( zUS1PhJ)J*4h5>dQDoo|13h+z>0|#`kq80t-#D5<}3kTVZS5-pJmTST?Qp}G!ujF%o z$a~wPl6na?FdQh&4|liZM)fBH=4=Wu8s$l1;z<3zM`KBgO=uK)%f?cXmDN;5dx{o! z#+f?emwSOfB!NSs8E43Tn=r7@NDN6K2+DD+gt*t$zvBgq+KlNSl)q@;U{IOP4VHCR zW~#qG(EI1M6{C?nNt6d3A)i6u_az6#GL?~=YwQk?4I-M%2w*VooA{F@K0;)ly4sU? zP+l$vmz-WG!Xg<+lQcBy6NSnEU5gTR0Qq%4NI3z^S;r34_ln%+!<%1Kxv5*W9l$P* zSeeDQ&RjWvYtDCIc$EBy;ZZq#5WU&JD-ocMN<)^$b8ZF+t7;fon_nDw@uk)pYEk{o zCB1IiApW42oVdw0F@oJp3+fb6*?>&~K0xH`eJ(bB^xCp8a68^z`(}ZU(kyHElT(9UTdCFabpZ(IBd!iaPI$NKEX1w{ktEYMOzXz^v!XA@G)oUf z|NN)5cJGyt*F0gCW_jnBB)NtoUbbO$m4lTd4p>`THmDl^Md?tS9?L|x$+UpaLML)< zHXiV35u3K2VGgXCJIb-*${;n($vF*pw%W_qMai56%gLcO(t}7kX5*q#T4G`lEEY~M z8_i#ngm?gVc#XnoVP4GViO6APv2LrF>U99Uj*|gTH(bw0pL>&PwiOBkB;~=KBb&CJsYKyy*=RJM#YlWUZ+kQQjW-qXjFa%?w?qm`em+i})aT zavMA5VdLu~zKlnubwX=LKVYM5)$m@9X|%9jf~s=k)gO=NaM#-Xna{gdND^>Mr4dDy zdzdcXXg>+hC3$Ra5E)Gzs!RKE!k0@n2SMDErtIG~W2B^ddMI&=9SlE{rt3;+N9X%Q z$%0M)yigHRq8*YYXt-dBMofW3lIabZUD#`VI9wH2NuWkspPc3ZLm$u2p? zXMnQ=oPID3g&@4IOm6xTxM*ud!CGrN<2&?X=2k!=Zv4^V6ZYFVkliw$paaF--#jok z-W>79MeXSWpx^^64mQM9Y!KeO`Nw~z2g^!Xf4|ie*Q^PvK@+m*uW5o3AW8BmY7iMb z7M6no6KU%UQU-$G3Q@N#=bzbR0*Oe+$>l?y;$Mxwlc*?~JHt3A(~MRs$OVK?LWVm9 zH~M7%bR49NdxAE5oZ5qQYz(EH=qqiR3~m8moA)BZ+6?i$O<=|ekZdnIWlDfeW`hsMafs($3$YdpkiRVcd*3`aqQV7q` z(bm-mICR<-Tu#h95(FcE#DXg?!i;qF-I z-&xrbi}KH&xTmoP9EH5~c`EZ)@7(hO8Ft%0jJEr81WSE6@>dr>&HDfPBK$STj~FsE z{mvp{;li29E#kNX`|-b+33qLuZ1u_(=axDlE_q`RLO<+_wb0eXd(^;tXFTyDLrv%syel~k z|A3zRJ&f#Dm2VM|W;GeT9)8Kh38qZ>s|Z6kYJ}gg{GbLxDP$hdU*S=Eo6Y)LRUS?- zk23o}$G~xpYE8LYzX_b*8n;!!d%d^kd|2n@?)h2y>wCK&uh6=+K*#f+x@PF&5p_EC zj+dhYS-pg+E!jotnt`&=*Uuk%+}`2&*DJc0hv8jgIk9KqYf)LP4tTRL6s=Z1*z8fK zcDXt0ji-1iGNj84FA80_;v93x#7S%3J1fg0U~uVON6$8T>m^U*biQkn!!=DgzV91w z{5URcVHy&Jfc83HO;faSna=DeOL9?l%8KeLOM9l`B#)R;fv#=$tYM8o&3Tv?%%k>} z9_O*gOHO)#_V8)6ye8ZmGL&u{{VCzSVcD0^fCpZO@YV0Z^%H^2BY&|1z%+*%0Ki5=8 z_+9Ok-#O;)G^tCItN0%Jpd2hHAb(D`<-KW0ZKuwaO6`-(!D)qo_lThb_(N>D7ss>uBYJ^JVo)Fy8UAf)1lt;J2WkbM>shj{<#{c? z$tpS|DV6oMDLDsTt)X*cNItJ?fF4S)Q@F2T#41X1g$3`yTjO0}gkN=S6tx-fio`7F z^c3UMM+Iq)9W%_g7=hosiC+m#dE;q4X~gjJj5%pg&E2;|$wTPWKwFw;9qvO?2(*q#FeU3~;s|^R<9%SAB!WK2Z0@U-$UT@Na#Y z)I?1j%=Vy|lG^E}l#e$Z9A?R70onl}IKQyKt=me~H$7A^@I}iW)%jaSvP~G`(kHZf z@vdQO#gpA-eb<$$%qQ`#%6J~Fpr+P4eTh~(WNe~JMA&RyJd)yQK2ub;TiL%nU;I$f zVC;+irI$x97Gtg`1!;95YUvB_7ad2ITq(@X>0(rF(b|m4v}+bp-C3myt4_|=jKB?; zZrup$gm*Q;JZOgFmO-X#5^%p_=0A~5Id;M#>S07x`U;1JuE`eos!4*1k#zW{D=NS4 zaYBq;PWq+hlFNaLfcvW#40UvUPMaZ#RwggxPI+1=ao{M)$f%z{YX7a>gE*oQX#_t3xk1!WK7NM!#KBS zc5c*f`7e*Us%^Za$V5LGV>@6^`#nRbfqT5R#xvY_GO68|Ji}5gBCfJ8nk!@2>yhR% z{Uo)yAl;n4->r(ioT9*f{yS?r7)#r8&I1~lg&gSc(_i-S!+zt6RVk?wSv|UmAO`%y z_&!`w)McT`Nh)<1XmxmSVdPHNgPz{0qVGh-Ewg$|P~h7sd5e9?wnO6dtdOqi(@3YM zy{_q3jDn&T7Mm!(BY!8Y57(r5ipxSCbxqf)YMXf7SS)A2hM$zpTF8`m^`sP;W-ffV z@)IX3_>_T;PYHGJ$bqEHk9WM1^YFx5tf|fSEe9np{X?$FyO4{sxXIlhQ5Dy`&{S71 zNuikqBF{j#fF${!@~T$Wy;e}A6ApN>qEjKeb|$O);X%2=S=K!E`99Y?%yNZ(gd?Z# zoEcH8szOUsQG1F;K3H0Tn6S*Y(>Ksc%ETW~t~%;oA~P~K-0Ts2b-<{ke+O$wUXn7g zu@=I3Q7F0)JIiOcw*tS5>WxNK;Be&G+1q)--XM}K(1$_zx7p7wK%b&Xbh(nlE+U`$ zzQAgW>R<8u+~xjm;`}T~JKGJ+{_(i)bAE;ZO%g8mcM9e=m=n)%JU_=ep)$~ms25VM z45W({^?K4W)f=Md6^aCT3VWDuP%iCtRG1>WD%PUUdoA2Ee67`#@wJWdy79hq0HW21IJMVH&N4vZ{;u1otR3YZV`&4Mv7|)q@p?7ELki6p^XnHC$-d6P>)iVTL?QwHVgKR`0AF|{{p*K$cm!y8c49EEyiDqNFPTnzt@`A3YY1^_g^k8iW&TLYa=f;ElnAuC?h`|$s$wxENogu%Y26Nr2E6q zclFbVoz=)e>9mwHGFCs$OB61Hq52OQ3Rdh>&`%l5IYUwTB$XP&M_?y}-&MJlvZORv z5vkK0mXz$^`_AvmTwh92Vh%Y60x-LRq5|WKvdTddt3cc1Kry!0n^c^1Ukg8bRs}UE z%_!+uNCXN*>VsYAR1gHN@kcH+e_6+k;Iq3(EVm(KpL)bUrQC06Y1BVb&>WLH)?MJm zQ^mr__j*}hZ1dwjzDQJ*Gi3M6j_pmx&H*thWa(11QaN&FTIeH`9b=GzT^<0j=EP%yG^0h^&LYI z07^MujkUa!@A>E-u7$mxA1l_o=ltFnni~e9_)O-AZ=f7_bE2gqVY-)*t*j=0-%u9x zmGRF!F>BfuclSzr2xd_{#wKG)Vj-KQGfY*SSug7gQ=D1T>lm;tbMVsj&*QrrIXXIf z=^E<+&}QuF{H&%TFv3rFugAEb?yajiY+|;;xA#v;t2#KpH~!`9HV&rPAamotPB8|bA_f-Y(ga|LeT5A(>-MfKs1o?xjVhNfAxfv8}! zPbaHhwOphs$TN#j19`Qm36N+z=i>6iotoz0%(7v3`Gm>}&yVyAeSM-`XoG`4d|NGP za4^%C(e5#BnPw__?drMY;sRQFuhMTD@BaM+0&oJbeZ(Ss&Q%z7^X8HNEO+ugH}2~- zp8u!>s6-BRdp(YqIRQ4PK&zsmN?z&OH;m=?CXYYHx0+4UOX9-jp&TtXby=^r^PljM zFASz(_}%&_NEe*1XG;0a&v~<=Wx7(VQkoY#W;(sM!5-`9N8iF79O$xm1&YkW!m|Y- zWk455v{o>1acNOK4LRx;sJlg^?u5O_3C0t(Rr->;QJzU!>!z@k zk05n#ZE8Ck9Ngyrh0gq!dC&jli@9$4Arh-*TTGGqc;mHye*vILc44G$@Uqn6L)Vf= zKzl&GG-%s!+{FKnAia%lwr+H9&7>|r2N8bVxNh4gk@BDpCgmWG-P#6=Qf3mCv@CZN zwRHTB^q=CU)UA`%KCI~Pv(1unU*rFJx(>szp1e@mnmg{hdYg>cthvYDeGX&apL2x9 zI1VW_rBu5e*V7B?WKP`K&T1_!-Gb9nBad~>`6-5j0m_^CIm&P<4i}crPeRTsm?=Hj_&OjlFK9y5TKCJ z3XZQ|c~V%qVX6;oeBpzqhwjy@%hjcD0zB^uRrF?wb|v+amoL^D#^1x~Ox;++M;=nu z>vb601MP6m=$~5sGf_R;3SwY!9e(Ndgd7LbaAMR5jbEy+ZN6>2x1r*e_F@RB<&ExI z7{?AetCdLw3?ot7^~f#=lQ-~(uD;Sfji_y^D}Kf^T^D2`&wgiQ&J9;^zzN~U#B~ z(BWOAZrm=12iDuy)SHufj=}lWb%xIZ6^pFy~ONXxk<=cpYlQ z@W2{pcra`pzk>7KF7>0$eXE$2ijsH8EAq+V^EBwFg3g#`Wp>s4NEj#i!YBRIV%k(u z+3-c9^SRzxE>wjaCg*Wsea7_S^P7RWl)9FS5tbLIttcTN0brWcukeA}=?jM+10qby z`4>Qh(O22)i$v-xC@A=xIB@oC#fDq>(hEnYGh5}qJ^~A69fZH6YFzE9NLR@0l6!nD z;7^I;-l%gAy$W~F%@(=8{@Xt#j_j5wZ9g2x!hjR1^Xmewt~_L$x`Qa4>#lELE@wE# z+U^V~j}DMR^6B}-(ZOvyOzMtTZ>fSFcXh zbw1o1RozFgwbGoY4F7mI{(ho|suHsMjQaWeiB(?vc|;eWcEZ}1;UM+R96ygQgbCM@ zO`6+wAYKIrI?{-U&7$GoR}dC~kFr>Uz0eP;XB^GL(@S`lXI8^DD0I75SOd+7g{}bm zj&hF(=RjHkpM)KM2KBl@)*D<7qLgZBYAl)W%FaYiB-04uVkT=bm|3)O8IQai=34}A zP-~?%>~=&|Z)lKs(Zq550GtS)O2fKPLEVR@PpD1ixE*q-?IB4S-#32nu3p3Js)u$2 z>gN@G9O+cMw4#fzka1hZJkd2}$TawnPsi8hbB-VfUbE#OG_$_gBz}Mm<74S7^nSHa zzLu(beoY0gGS#Pb=}~%s6Ls>Z{8G!SN!#9=co8CZ`q3#jJbL6ZY-JJq@QXW%%Pq?OQ#TGX(HzW68d zH9l4XpBcrcHC~S*&dR>QDD0NCzdzK-JHd$GBm3gr?c;k72fl7pGC7DNf8I0MyF=<) z(}40_QtxYeZ`}cPqTNvBG#hT|uO1j#%*kab4OEA)TYqPrY+dri2?!0HJ4Sw`5irIZ zs!u;Y$x54?wrasuel$dw_nHTk*s96x&Fn=2kpvbAMF&{&1cZ)HuC z&eJ0gAkWSa%@g(>PV+Q1-7EF83I8s?lt5mdkfQ%m(~5Kr!}+zO*_FA2YaY{D_mB0c2{`dIm;IhTp2}%e+HFhsO&bS3yeR_s|rd6s{KslnQ0cSN}Cj&*Mg=nt@KPP)QU+Y}B5);212=;FwC(XmE{ zag$;;<4499(vYd&b)$N{^T#W28ZV@zE^4;SI7if!aeANQ)}X@_6Qfr~mA2z%UR9~) zC2mI{9?^L-d^hZp2o;(C%>|G3&EXXy22b#;urmjJFaZs8z>h>vlk*1kIyZ52#;P3^hdk;IufA}>>K^~(8<2P$zMh)YjgyhhIrnU9J%O?BS&}eB6?xtDm z1b=vtcv~7))Nv)^judKesbFZyD>psHN#v8vrQs-p4X;{c*58mz0=#b0>|Hedg0SCDxKpVB*rCiJ1v9t8I7NB-|iM}AT}CbtC&G;wk2!~R8;uzj zRCL3LSt54@|LN{N6RR6W=kNdB``LF=zh_Nc>$Y0I_1FaOhw?=Z8#DEbOQKR{xW9O$ zdr|z*`QLart#9VWT(J{6jx}6AAq4Yz-jfEJFbF1fD|2)9aAI< zW$UD*Dx4+*|K<>El}?BnJ|ArmL@VnXs-RX6U05eXbnY6tP&VPz%}u80dO=f1Sym_- z=T1%h%bY5N*saVxKoMo8unsEn)K=rt(uIy+3Z1&865WZCa$j3-Cyl8 zy5Hzy#8_YTdc~R(%uiT~)HtTvY$-TS)pwX_qOdteeP+M%jhRuqvx{)t2Vvq$ zh<`MH%TUU;pUzP>hqjoTELEJdnLaij91HX!?sD}O@5ARj2 zAg7TM)fHlcG^BnmThQ=uTZ?z5X|{Z)AZ_xpiN%i9=j-1{S8AwSlx|;C*Q91z#KS-I zrh9Z>&Gc%cFPC+9Pdo7m5i?mh{f4XeQa`S=9Nn<^1@BD}ULR6{g1O5~Wu zJ!aezzd}DidD7={q=m&XnrHfK{s1zYnU4DZ2eZQbXJ-}s(QF}1vgzJZNE44WZrn0* z^je?bm%FI9hRsJrc*SvYgIVv=tbSs!5-P~mZHZ^>v%ZE*K3o++cY8Z;;V`mf|98$Z*guAh@J<_(cnaV%606ZSd(NT27 z26qSJ;a<9$rGX2ln5wIqtt@#vZreRMZUY+baBy-Sz<= zbq^PM=x#jKCwPYQv%GZc^_PVDad``~F}dN~;4&7VgbqRxv={4~;n6@2jx)|55;?9o%Wug21N*h8}#_x|XfHl=O$@TC;w$YPU_H(|jh?mT2E5HS}bXKCa|xFZb( zcG}#EI|klOtxeWYb}1)ss}@o{4U)9lS>Nkrfes{FEKBXxqG^~f&bBGOY5BtCC{f8b zzD+nJb>t=h-I5Q>Ll4l=T{;iSMqT@(9Fre&4whG@X8)O%Fp9mUZ=mz5!nqPdulk%l zm+{O#l5uisW2UnHwizo`qyNdrugw0lZWcDV_cT;Coc`X8iaCR@a2g{lzcg1w^!lW3 zmvqN*zqX&kuI6!h$PRaxAG+n6!nqUqsZRFQo5q~fp4{^9GaZ%5N`)BBK=X9Dj%+_rzD%khR zGQvE5DZ882M=`E)%+e3WUrL9_qXtAc_TiJhCm{blx2VsYQ(?GmcY6%HDlN#3k47*^ zJs;$0T4yh_;d;h76orv)$$bYOvG3L*Y z`~is7Y-m?i^K&QVFy?ToGgU7mEuDj9UFlq|e4I8q*x(R1#<_G9Gg{(A74^R4m<6i0 z)Q5HP9es5uhV#pg0iqHP#n2lnrq|th@x`Q)nXia4--K5jK{;Fqp38%)?Bw5^NXpp{ zsOkH@9)VKHEG>C6DO2*~luPwY%(JqxWSTmG(~H6*gRAYpL1fAD!3as{o4g&&P9Du! z5q8veR5=T1AR?uvnhr-*PlPmoVxcxp?Abq-Gg|xN4GMy|6oTn6K*F!t!vAXOcJr=ST>W4f|$$J5xYg*CeO22AC?g4^Fd6{ojk`v`8 zcHWdL?9L!zsUveV2M-Q>-KqBJxvASNtfD+$(#Y3%2j=;JzzWX_NB5}!brW0Ns~_s7 zeJ<@!=nZ_~B_t7MVot5cDjCmakLD2yvNe6VJw0%(%b5}GtZ-O~oZfXlt;fP(QdrSJ z-tby0q2)g~7emo)$61(CL~lx3UzOC!512KxYzH*0FgG21cS_wkg4kn)haH}FjpiHm z>ez?)o?b&NmZh0c8!GZ_7LXl(TkOtVUpci9=G^{*q<;k{y$4Gj96cO-jp~5=%wphO z-Dm~YPS83RlJhjdnELWVa&C3<%9|#7Q~ie}9f2MD*AVq|=MS)~H+0ua)i_+hZFP_y zkVOgC2}78{_}v4XJP$!Mt&H&?bpBF0mSPxpsMo$QVyGTHMnEo2FF#>r4OPDQJ*|*c zJpanjMvFBLjm8`|Ooe5x=uEM+x_d7Pnm*LYQ=8^jZz9&GSaSncKTOLF&~JU{hg+N< zBOJ{iW3b;WDP5`SeGfYQyPsQX_qn`GDh-apyUt-;>KvQ{`#dWyQm^XM+N{vjQ`8=;%Ye#%Gp5!S9UKe}p7iEf3SzQZ3T2E-luWW_U4iFuaw5C7x3a4| zNilf-Tm>$bkh9P;*VT7ngisG=3xhql@oTej`J#q=(Cu={U{zU5fF%^jRNqRy9vU3~ zLCd3W?q6jb4{Bz5cRwkZ#yY0~@+UGaSclb&P{D}wB$K*jyK!?4t*Z=o>KQz*WCfQ? z4!Es1I6X}Zu6|Q%g(@h!U6oYY6%~f+qE=~DX?anvs+mBknu=8c_PVuDgufE^(y#FZ) zf!7bNPCfp0n$<)4J`4d2Qah6LGrJGtSGq`ksQpQ)m%>mH5;1SsHroq#rv9X;%wGO@J`k|-i`3x=5-mBzY{9IuyDGpw3?`|T z!>?o2V=R3bh#>%k#AwOfi^`1q>Gry%|7A1EpxL8MB``I4VM`GH`suX_sCD>E_4ikrOl2k>i+~ zRy36mY#y@iU~?Wt1O1{dN~gFAvlOKW>vI~igj=H2bjWE*d7c%i^&7d1!5#0H09g9& zXA4Ax=0uQKaHa%fZATsMF#1O7#6gmDZN14rlCovk8iF6(wb7NtPA9y3q83A~JE=Ug zj7%k)yqYYu_S#wX$Zy6hw;g|*pL;v^#jPNNs~II`8m~l?joCap>TzqD1}}Q{aDK!v zzp5j8m~Mo=T*j(Q$|~;g2%~e>giOObOCk?&9@5(Yl63KYW%ApiS)!xrh>j?ksG#N{}JZA4s6Mgg91N?=$co*juB2j^4JVf zGFk6pveYg(VX3DMwdi`x&_d0e%sBHlLG=RxzA7`^OY7P3^-O>uGwM0V7BzUy#t-%V zj-fV+FmQXeJp@G!OP#T49sNSJ&sr{`YM`zhYoMm~$4YqBGvi&Y#%9V0wc)=@y=4)f zr7yT=*TPfq@=LrhD$D)qbdiZq^DRng9>oZ)L`#``Lg}DN_2%L@MbO@?n2jl)n^0f* z-1P{fg-8bu{etnjt4Z``@6&E{A$cP|QNcIpNl92GJA1|vaNne)=aZ(*24gF3{VJTH z@V-<}b+AA|>DNX-C?8Wci+DD3p7K+zRiCwIIvhK#?+An#SNw=+W`H$ASFxY;J-*)a z&Oe4j3jBxsY3q$8sfLyOPppmTmXN9jv@%Hrkyd&lIcym^=Ih-bb1A=`=@78_KDZaH z-tfBmz%MCV?8b-jhwFAo-8qK{#7za(mzZSHYK?lK zeL>hUV?C|m3{D}g`MAmXtol4d;<1RRsI{los4ES9O}@vkEb9#BbFWZh5#*yFP@9|| z#~&@XD8cd5u--#nFT1q+U4}Br-ICC=2TnBRmm&bHuewfADkE!kgj5?N!e~p~(^Ed_ zx4S#1OS{+>8D7{cLrt^f;~revi|Z+;11n16@YXk>9R;_sCTUI8)UnKTmdP~BYxhim zRxe!10Gd&#T!TZ?hK;-e%ik0j$+KVGPNSQCdR-DKG8`Tp4x7`$(?fB=9$H{6PreXX zn^zMsW|$W}`wB?^AVoX-&GWCrbyCzL;uiVIOF797m#MsF)=sI5K`y-!e;=w#RX4dh zq=I+7u{g#Gt0suO|DcXX&X#q%mkk#rFT;k+D$L2ZZYfiL>gZ0*NR}__JLQ5m3$8wm z(^1q8xLxJEG;e+$x@pQQt4BWR__gYKV1Zq~4OauHJHRiPJ!wmE1-RxasaZ)-cha%Y zJY6j)x2d9TRs?n_H%$s|eZhiJof{m`ng4>0WKS&)RG0ZYD622w{GQH&rskJ*b?0Nv z5h3M^WsD06`Cw1}NQ%VZyf+G8r*a(T2SYYl2?6IOBOM$uA$u+)a(~9<6pLpv-Em z$d-n^v?^MJpaNlqfP#b(5+pG!SsmEQRFRQ{p=<&Kkr_asDv3Y>N`Pn*Kn)2(L}ZBs z(DxS-Y|ndpZ_l~!x%a&MrSRm*?|FXf`~7~#uR%fXG%Co65uAP)GF~(4sV-)SaJOL>P}xLbS%3g^3hfcWl@67S;%INoj~ z;fKA!m|7jAm&AMEV@Uui*H9!81#Ma2+&h2_`vM54pGetpavjmcH@%F4kEwaN8R~xmj2R7jP*WbYwqzPsA z-cI{Rhx&gw3;Rp0R^DrA=9*oiyOc}7Zy*FR-TeU;eOTy+(rkZ8kGx&g7}p&x^{DH3 zvDC{ja~z3r+3s&V$u~6dacD@j-M+hLwbg6w-tq2_`a2oU9s@ZUJbL7vBKv~N?k68e z^Cl#qK@~#3t$p+>f!jq$$|#;fV=IJObzPV2y%2h&o~X@)1lts8%O4yus4c|)X-d_Y#%c9#v9Y#*{@)(FUnEM z$C@*n7o26F`N7eBNS8A0H}dLz#0y2;{DBmz+Jq8$$SIamW()gEtE@D#AC*Xe+j~5B zu9O0%*Q>WfO7{)#beHGu+eC!J2lYnC(!T7d)I=h;ciyhM48hD)i|F`<+|o6A9q50? zSDlR2{^^hHHxtV1;@x03gOy5cBN=3~g3hS^aT}ezH;;<-Z@(59P0Xx~7dfoN=guAa zqsZXW2aosA%A8z(3AFIXB$L~q^xD=|Pi|(nz!-#(g+4mQX|wo{<{@Y`>y{qhCOXV|-gKmQlG=jos#bo9u*m%}Z< z$?^q{T5I61R%bP0O``jL$Ih{?c8ndCkKvRlH)3*{W6RIyc#ayD9;bw4oM)7@p=Y^X zX@?>i#xc#pkfVscQ00mGDyO_~B^03~usYm>Z-U4#St5(aDSpZ}?SZQLeB0`$b=66t zz9Lopz$vhPH=H%t)^OE!yIRj)qYaNBSPo2`0X1kC#LtQD{fdlN)11|8L~LMYkJngORW)_ zPg#oT7qkupE)%B~+ z(|v>=ZMp)c?Hh`%y!z&JrI1=hNMXsoOzr1rd8%(;=MdM$Ph#a7Gx)kBQ#pV2;cMc; zw}T!P&&o^Kh^){88!u&;FNo6(RlVH@->_20w^I|Etr6Jek{+{(q)1O(hPz6S;dp>j z3*~mtg~MbF?+{>Gq6#U$9%c3jjY2x@M+tu;d6LqUF(}6b`-TR+gnMLOXyR2#pUD~b z8e(`tT6gDUkxiR17B}XT04Nm-Mxl>h7*E!FGe~WUMSZ1b3R4NO=T;wgzhL~N>vKEd z{=(}MXkjkFJBpcv+UyTQOUA~=PC%2r7JgAU>lo;;OS;1jjImV@>v`R;ANPUMCO(vV z;Q#-1(pwi}l~K%YsSK)u&5ix;F$~8Pv8%f$NIhLC2t0<&NyH6>t=uw>!Q#RKwa2iV z0x^bT<8`WqXs>I%=oy@Q)D|*Fcm+`4^@}YGxi9peD7(X za|*^x0i6U;GD_?}uSguPG|98pckb-rfb#&vFxBvZvGIWvh`zY)ZQJlZonGkZkP(H9 zLdc(h31FSa6h6@0{aJLy7RR#A8snQvN^`wr0myc`V~b zNuGJXUa_Xx80i~i0nzyO;YWKztlA6HS8{ovdV}k$nC+f1bSV=#ea9^*@pgb=K$>P$ zZr;{hBdH9fuT3_@FthkpEWHyxcIl-o2GtOq!loLy0$>W1mnO`y~9(#sIgNz>* zgPrlLgu-);SFvUQ%9W(Fut+F~vkZr}r!h>S=<)_oByQ#hURBmFMUR+H(kMX{&1w%H zlwNMIfwt$6d7hSvqM#fDGPtFL=TE89@){g626=Q6elRS#8AQwg*W(Dk&n0XD^pyJ7 za>$UJQLvo6vZ{SlZd$$@fdTnoMQHD@k}kb|l6RW;6Aw!E3?2yydgw5?Fns$$xF1{{ z>Qj}z4ITAPh2%S20B|Rxc^pi&WllWsd zPK$)Zi zChPn0c_l04$dWVRv!5#OT~#6pYJ%%Z07R`O4_>Tc9rg9Zf_;AYsk{nNYl2~(b((_j zF&hWHp`+YbXe8D5Ossutw!7<_eQg)2SIQhsw(fTq+$sJ*cve24$yQ;t`At8{E4o98 zICMo}dxiM?&c*=c(tTzQfICxC*tCoNn&ugLw@j}c?d3rAcAts9YEs$nJKgMp{OYzf z<>8yX3(G7z>WNXmj@7YrQ&+T?6BM_73QZ&T8`Ae=yi-<$fASBdo;WWouhI0~^CKo#tl?3?ODs0DFFArF`3>R!7&mq51%i4|x|^o8hI* z|1K`ApKe&E+K3*htV5i*VsdG;-Zt4Fq`UeyZ>F^R;ryxMKwjtoGs}r#F@aC6=!xo| z%dsZg^IL0|Bslm%(lg%CNsr)Qlog%3i2JMD{!fjUw-n6I3=SJAvkhsyP2xArD4cEu zwqLmgQ8(e#J3&0K1x*X-p5UY6kx(|ipDgUT9Se$7+-%!{Ma;Owvf95fv0L;lzV+@YbAG@9OZE3$H^8vkRFs z+mSVtl)8s>la!_Kq1MvyQzl2n9!iU=O?uKvB&ieTE|%bnI6?z&S?DCkY5;DgK%WRW zV}OD6U%O&_j*81fNaFPXt;F5#!+Lb=E?p+d>1@ShI&Cx5w`3Jq+fwn7SGI3unK`1< zcCkmoRQ=W>qY7ga6xIaJBEircqEKtRk%Z|%lSVGXJMiNLl`pfKdo3`runRY|sx7@?a3%dl!Fi^B(JF_L z-%w0llau-&HY>X$@a}el99&IXh564g`i?DV zK5;ApaG7cj4VpdITCdUjL8tJEZ3uc1etNDM2x!M0{Tv=tvolXcXZ`k)pOLG%adh9MRZdC2!$Y6uc!spCcc;~D-%Ab3;>1~`qBv72pyPv{1kD0Tx#o#yUJ zTt;OE3UamY<+2?geexPe$|NcG-xJY+E9qJy;ij=pgqGX8uEhRRHRrzyDF1(|XstE> zw4M3FfD`LvHS?^$P-40*g>&T&R+R(Ct3xF}$YjG0I)VNZXiuG6Wzy9lKdny2E%5rP zS1UVY=yaXY41ljsmq*C{pNs-qg-VN*GArh)*Rh&<+ZPlXZlQbG7hPS`2#s; z?I17Ei)39MDrPu_Cd1M~ler--;x-wtcB^5!57Og^mZGtLc~5H~Ch8MXC&-j))0jcE zUdLp23)lIxqMQ+YdDkf-Bqxzga8)lBV<`V-Gb=6NxRHQ4| z%E@de!OHp8LzuVNRvqT0i#0s}s2&suhOQl7E{^Gc9bno>UAaGIv$ydjuV_^?TT;_d z6#%3Nz|t9<=88H{U0Hdrzu!?pl?BI80IDo-o%+KfKnO zn_uTjOJ+#GH28Ef@jHA%i&kL%aPe?lXP@AaX*cc~y<5I(Z&lDR3`I5<<`z#s3&wq7 z6Kn25^fto4VXHke1C>L6mELR+P4z+U(zQ$}^n8#=yfYdl*mP!ME>Jta8v8vZY2K8a z7@u%{rFrE%uP!8=vdVfLxOSolC?!>JZgtwXRXnoFw(iCzH0y1ko^NdnaJn`n;z(2f zh97_`QMBoB%oVsV>5dE8?qyVQC(Y-!NVh@WVgu`#mg|ETT8Ow|H>%OtH8#v-WY0n* zKrtjgq%Pp10~5P3Cip~bBHmbD#ov!dWi6bTbn9MSb}@Z1$B|wr#(+VzpipXjTpb){ zeD<}C`etn4nYt6G->wJ-S7^m(J-fEqF2=*vyVz#XI=|Msx~2~$EqFX9$%r9)oaIsC z*1I=@&|sKamVv6FT~ZvH(=D=1@BaDNdiOC7QYA9UGB<#kNDYcc?L~X^w zl|acE@0(H2eqe;!3eaibQYPs+eu4d(*3dcFLLZ{XI5C!GJ`(w`lz*anw2nPc>gzve zDxK6&v_BGdqr~$kZh*kZr7GMJOGl&%I6Xki?1*?;6{t#mZPfEclzIh;0V=B6G^^yLZX?2!b zyTdRF#cMD&e&!~sT#OJ7x>#Wz1vqgDI|+ASH%=tv7y=X}JOLEw*&zWJnBwao^PF*Ji6}j$4|i9mkZZ`#@Wj;W%Al1%IxdlS2$8Qx zjbRCL<~uDZ)NY+rKOzp`vFs7S?OiYv%nfL-PVhZ*W1rrEqg7`Lg?>1o-Yy~sq$@;* zy&U~DljeU0h>J5sI%8l@bv6jYq}Ejh}ocN(?6e;bn+QD=IQ{5HXuU)L2_5m;IB z`qoWL|!N0u-3~Is~{|nNYgKhoS36MbIp6l15OB@rWD6C@74Vgou<}2kR+`rDRa*7hO??tj6>RipW?nRy2HdoicI&)Nt~q-E$?FRUncl=YZ@DR2wSBW^o|h_X-F~Bj$Lv zPS!hG_O137Q33c4w30KnRT_$*R$wND6%srz08rf*9DoCXC?#fw`QI6;1$}zd@iWgp z2Rd0bTcX34@9P9OfH&SGyE_wNabr?ER1eA#xSE`X$SYmY{47B#^_OGNd{1uCGblR7 z5kN-`x5%iI0ZOIiw<}6!h@8#%NPwMH>HunxJW#mwa3H@R2@R=R9iqzW5h;k z7yugDtmL0ewwAPd4M=ybuTR0JjQb$!RSWg1$yHiyc@2?g{6UTR*;&MmZKu7867ITB zg)!tca6nM@=y)Q@KK*jbDWH?Qs0=r(Xl`o>n<58`3T-R#U-&*aKot>_s@SH}1nBe> zf=0YJyV9dvXBU3kSgaD30T0m|GU-%GV&6Ay|McNyZ+7Nna~`NdkghfOHZpzRGAgql zAEiDi@Aw;|aM4;+uA)@@D=FjUP>i02 zBI%+rJ>9DZz}y0Ab1(cmK5!5)2y-4A^Fh~5v9D!WC4kAfHP@zLa7ZV7c@K|7eIVlJ@ooB;r&pWy|Ri=NKM}df9FJPSyv{>-GhG0AA4& z?L?@P)*1l*SC=&a{NX|XEQ+&Tl^S45R%`Im!lrfu4s3a&tHd71y zBEyjs)zfMjn}061-LB8_2@scERRGqb*Snfb;`^1|eoNyc{~Kw%wt#Jq8AkVc=guz> ztjUH|XchdNVEddylq!GnR^Gg2X_^+OEd*~-c3~v<>oI2wfB7)j7@yD?YA;cM8Rs)& z)61fx@g}`AqZEV2AFSJ6ay)y;IrBn{BB<2j0Ga+UX@-OqzfrpG&cf%`k(aR5`JR=P zL6wJ`-ce|()q%Nnvhxy}&YeM9*a(_-`sr*T|m_?itB%$F=Nhd94Wy1c0`-x%GbXX1Rm!>ZxbaTOJcf zZU(W23|-CI(HL%PnVTymuKDFH-VOu@+rLu6llX4`dvf+Ba_U!$&Dzg87s@BWiEv+O zShbP)6lH(j5>a@ZFKEz0)2f3|=Izwbf-}&GH-VMqRiZ~QEOo+D(BMpjXDAYQ0cQT} zhR9GUBe)i_?Q}Oe@h55oYtd6!$E@yF_6HPE@fla<;un8_eJ`+w8UKUWcXcK65v<)8 z7K0ntjq$pNoiRtxRm{=|5Dk-~m=_Jz<3RlH0;@bZ=#n}v?6RFB(;Q#|K`%77feI*L zp+YGF9xO$`gT#t6e~N%#`cDvWR`{vjZR#eQi31JFo5c;Wgw#WGUor;?7diGE$hPivZHS5A3O`_$8V3^)!k9z-X9lKyhAZK8JT_`U_axoZYZ}+g*^hND=3i%0IyIwT2Xw0;*gVC?%y(9bTEb7w9G@XiW>B~P2f;mVnbXVZ*5`$xuCL@Q| z06RXcrff%{4!iM}Vyn6i1T zxgFnwt8}hywxp)LVA#%yo%aMeH3gZ|jD3&%-0D7Y*PN4+&O?>{BA`G?2GXjHN(E3%D#=>k z=ahkL;HE=>FG63CQt(&0uLf*4X9j*Az^mDN!|se0!XK8;Gf?O^DDcTKj)cyQamcBS zL2aI~m=~Tp8YU;)ft+{rJQT?0!&L+k?t@K!6Q<|?ueImDvW^Btaw!R7E(8>_$~52F z2dSKHTR-OzigaP*YzGt+mG?GmPD}3vI}87?yymwH1A(!cgfIVK0DUhVYqq{d zTL4Y&pOS=2d!5k^%*Uk9AZMTco1Mi!?0fM~UuXzyw9<#vf^(|E-fom~I{sN;Vy(UB zVX!^s%P(qKC-rmB_uD$bMW((d3QoKv)~Q0G{5J~a7w|wcT_4%$YF4F#qFDGk>ojaEcJnKk9<}EothO*OpuULmjbI&=S zoP{)2seZIfoz;<}mFOI!=?vt4Fki_rz#F&QKjwiA&iE%O+w9=zz?7FA7u#9qIqK-)*+ zuL;2H@%@1_;u6Y}^oHU-E-kUZNeMN{KFYSHuJFW(5lX23;uBmRc|qWuLP)CC0Av{F zsunFTkkxv|!n{b2EMFPaN(YP)*5*232a{r{IY8k|%508Y76KzOj|=zA+1VDQ0D8&s z&Tw_fNS8<+_{mN~#vy9!Bii}Ce0z3P?PAEAWh18}7Ln*3 zh|zM5=$UG=14&JY3s&?pT~DN~_^qgDJXVQ)y{EZlA1#+gTwbrfpKkvLe2ze;tu_Dr zz<=}~TK8kQ`MohquenV-Ob^hbB3)UbrX9^Bq zsk)r{_^5dZ>|H1w!_~+lQK~KrVO=Ti_v-~hJ6wSukU%#mVnzFUQqo`B;&wy4IsSRS zbHseaAOg0+6#NSA8>_i!%yvMrOSDQrujTYrQb{w8_C~n6AoN9kzvZdySe&Xa zU2{m|cfMc{|IX_YDBSX1jVTu0aA=z+Dwgg#oxZLiB-&SHyX&1zb-HHxv`c?Sh5CN= z_e(|o3byIEIYW8DZDg%28!uHA(I#hhg@l&lm*_h{E zy#d*|Zqf+d>&3`%og=u4JO5x1cDF^m^~Bc$o-Zt{=GQV@67H1zZJ5|buO(TSHPB2gaRGQysm za+Qe%(6a^dQ%Nj8N;8i~Bqt`|$%*NJ;v`U<6jl^{r%TN-`l^@LH>bm(m z+SCHFpF7M8)>>Y5+$n!e7lEn<+61<3H9V{By3B;gkT6MS#0I`QR^(!}+v&3k*4N>; zX__xHnAj?Q_C4_sPFK3o0z=RwLi&D;LFiXS8y>XDFP4A|KUum7bPNqu0KBGY1uzzP zEzjHrqxuh>iPA|QC^?tiJ6hLf>?@so9XinZ>`2fPCztPQDsstKWO?gF@*x8{hQZ**Id1ZF41jxOl{SqH4!Q@(qf2HHWXCF|rGZZ?BVIPO79wB&4Aru9&=AdNC|s=ulSbPF+Cdi!QtM_Y1Ypf9Z0vzNKveAq6y4$Ef$w!2|D& zeM-dZE1(>I(#D{cncDMS4=Q|^auIIIgoR2QeHtg~1Un-IIrsEYMI2$@Bu3XxF7wcPn z%;RPSWWtw_K<1-7;+8JhlR(Ux8eq^@Igd`kkJo`i$ACO!?XyIQa9QvEm=At(R>awR zqdePiYDr_4?nuVwnn0bwg*W6`F2hKhYJ?dRPkQ-M>oM~0zcs<|fsMxzJEQtzJvq-W zn*@S#?j-((rfz=*+auO`YR;sGN_)s&C}v9)-SN}z>|RDQ!Y}Yj)$!pS3C3o8GS^5^ zeoElxu|tx>feKMG?^eV3UZ&l+c7?LGsz#}vhDivZv4zwHq+QH0MkjbWIJfTIB$#2% zba%6NsaB}i(Z9oiz{eeypMsPbUOzaC07gS&o1DwZZ!F!syu7r{i|HPE0Y>sy$+Imv zq!Kf1f4zJk9q4xFO>uN{=2FD~;zvF9E|^+HGy|P#5ECQlg_)Ur!btbsUj$>RRUr7gIIm=n%4_If z!c`~n%*w?(*IxGNkz@oTxWd!EOTNt5sixR8vw?oiLY>tg1|_*uUS%Z}BO`P77Qc*G zyIM}zc_fhl?aZr-7$}K%4p6#KSm%BL-f5A8larF9`99TGCOLacMg^e+Wu@Y}N2MdEe&l| z{bSY5A8T5-fg{$XmgLv<_c}6O_~h*FLFyia-s*5Mq3MKA;&Ur7!=TgAV?zT%r7^Jp zfEanl2H0q*K+%>(&Dsq3Dnm8c+lO;3&ZG|_+}&Ngwu_4 z6%`i1>^J7--`AA>!MqNPMy`VG-WrR_DbHYQN{rW zzWQkj`P}2hx$*Zk15ji+T2j_upM7iOZO6)Q!C77QPQnjo&xQrLbarq5<_zw)e2aEN@>Oqb~Fd%9Xn(wCRW{K=EuZL}x}|&3z6#O%Jx3*tj(z^=fw;Gpt1*^ph11LT z%|N>ykArqoLx0ZqN zO2zjqInDX_Se13nfaBiYzM32FV~x`J2I97~9NbvWSH;^ki=Q{^aT-!e0(b9rkk%AC z<}P$)|1H`|7Oa@k(Q9X?0!xoS9B27&nfCGUH%#fkd!iy+oc@!m*9%A|zn0xzuI%c% zTdK3IENYP>?^!Q7{mCHzf4H5|&v%~|s(jSc=-nQh0cOMupFT0oL~i?&8L=M7%l+@R z_K#-x`-d+Uo->WU_G5lMcPjS6?a}GD3tRTTSrECJ&Ht=^AU5aiNU-t4#Td}v<0_iP z-)Y*g@edo&hR|)FhekZih5MxUV~t#DUlHHM~kn2*qOQ|gCL_Ivqm*ZE5L$oY|U z7nM^(WpEj(zJl2Hv|&tmlv>)Sv|TgWJnY-2wOiso?XK^RhpVY4v$dg!ao!T2VRjsc zyWxU?NT*q~e?~6BspJC>C?+M+=|<=db#>*R=|=78yMi)r)aF3&y3+aj>JyhVg5Svs zrV`ur;=S_kOx55Pds4&wX-5oonM`RBA)Z*J1_?2Eu}4Qe%`tD0gZp$Y%jao5N|rcR zkhPGp^=H`69FvnFHM5`VS-p#BEcrzmadp&2e#cOuH-vM^m{Fne!j;b zdNxnPBDVLUI0-+Niel zTPn-VRJN)Mp7>vT7`$Je8MG+~$5w@~8@W?^>2`umNn zMU!oR@n+s%Ko*x*Lq63TUzWb&C$Q-E>x=2J_bbhS%GRILu%BHwCNcN^$+Gw!wEMR$ zS<}Vhv1qEqR<^D*jX<6sv&uIYIEAs$hOR)(^U9LdR(#y#Wj zk&8ByP119-e(yW<()-yw1MpdvFmtY#nd{gVhf$MWYuN&>z3TBJ_iGFFEMcT-$D zNZcHU;~O;zIW!9`J11XRYr73_7BkAJ0@2rO2BN3mq1)~d{}q9rc0sGpC}(e|o!7sgC{FUK0?nTl5%^e)sTvE zb=(xS`?_i4-CC7=BCfY;dOaixbz&qZyfQJd_78eH;06V6JC=LHEHy(=pXRO4B;iEM z(pBimW5cy^{G`5H^#^{3Nvqy?GT=4xxl=ATKYSKpd31E~3J&ZKMb~y0Z%43gxBwA> z9=SImO|m0mO{N(t%G1s&UME(q{DXSegQi!jRbN0t{+5cH&Xrk^$$8z?GQf4!x5(mT zIUi>B65-?$VNv?B<*IK;qbT(=EyDms>HPC))yR1d&l$zIGwQTuJCNHSj^Ov}&HqL` z^V>8d-hKM&)YcCMkhPDG{K>ln>I><+_@9fjerwlnxyk#;<+mu%5gdDI-TkX%bH@hs z$F}SLEVp~N&!0a52tTrpGBoe(-M@D|N}=|kk>M@F&|MJBCpTpCY7TCNr0m?q_LK$C z5qcFg#)W(I3o<`(xq*`49U?S?n?-$EXtNaZ$D5x*K6BS^YY=9S2^GKY_0B#ku5<_ z+FV+g!8|i(%1*@|#AWur1ALwmpLXuM>`)M@M}oojy+%D#J*Ro19L2TwsQNxtu(+@It>y6&=}{jLp*OtFP<* zO#f#yC-%7s4}-b4P3K}GDb$%_qn=17k#yR>TCG%q_zE7?4VgDKpEY^n{1f~xIM0#l zGI4c!-^*wz4Mi?mzk<&Am0DJRmieVPV`$}*mf@Fa^c+BYVpIL9`n38E;J5IHiB5Fs zP2Y^X1P3;4|62cVK5Rye4S%{c+Os11oh~ZIC31v{+R-lIA4-0_dL|8Un8sn}G7qKp ztYbjPdhLdj%#I;q3m6OK_YI8{ygxIr!?A6KKZ34(D4tyt#AqFGJ<6!D`|;7&f0^>i zpSX(i4r10H&!WUkSgu_p=cbF)>nwlz2-DaCpKqbPQR?PC-Rg^@(Mv`yoDfhkW^qex z@F6XPST%z$;LR@VR|rq0OFueLC<~%8o(5J9y)g`D;@I$BZ(`$loxKG?W-eNNs@vwW zdM(049(L>tU7XNgTg&+dwF;x7$l6P7(;%KV8wc_Ham{8*QUkg$koe0lEXdleU#+Np z0qN9u;v$=Bt$BkOh%)3MHb|Nz%RR|~0rY~GB!!~oUPXZrR#1fmEc~G_*C&#@E;93T zT;k2YMQ8pNjEyo{_nf6kZQ{UJVNwYn$gsV0pPJCuM7AHWUg{Qv*} literal 0 HcmV?d00001 diff --git a/clients/cascades-tucson/docs/servers/fax-packetdial-whitelabel/Screenshot 2026-04-24 115949.png b/clients/cascades-tucson/docs/servers/fax-packetdial-whitelabel/Screenshot 2026-04-24 115949.png new file mode 100644 index 0000000000000000000000000000000000000000..33ad0b0778e8e555680519dc8be005419774a5b0 GIT binary patch literal 28621 zcmeFZ2~bnn`Y#%%R@+$=92lH{mQj>ZAgG9n7*PQMNdQH}03po~<^Zkj7$FMH7$7QB zlR%ggNEozbkTF6C0Rp5YKxB+z3M7QQ9X#jUSMT0){`c0qRqxfSx2h5?iek(6-T)({I=R-e(K%gDgS1#THfqvQo0&TdtB&VeA%&QG$xbxp`W?}I?dd)61v+lRVNOCrh<&aeYZ z(L%6z2u=7?V?y=$rsw1U`*Xjm**?-gzmoGJRy3!#{>7tpa-BbwbUSVMki)biv5INGF7n}F9}p(<|;QGd~y4{@|b6W!~W;SNfz4hh|X;Q}8>2DwCU zsk3-wIKUIqe-Ag2)-p-0_r<8Ar&$d&Kglk*|HVR*a)RdMgteO(wP#Pwq7OTdKx}Pj zconRH?#E;b5E2TrA~mEAk!Z?+Etp@1bs+4n*@fYB#QF{Ti9G!V!$j7?ix+YJ2t8GJ zgs;&2@?1JQY|$E3!=I$iF!XB&!fZS=APD;hOnT|JRouu9WT@rJysb3o;>GGwZR87e zu;4{Q#fEO*#UJpE3q6Vn6|j#RQ|kDx2LRzGttotJ&|aDFRS zPeCr#*pOwc4Fbi$?A(@$vr_rK}t=n00qHp`qE&ib2Yq; z62U5z-klMbbqAXAmkCsxJbG%(pL85J$v+0uXRn_%fbGZ%k#H0VOu@|D$hu= z+3EYps6W8^43TD}6AS=oh|Cyfmjl|Gc>!d;DE6}`hNsIqU|pe-{*8zvt! z!0(rJGOD)jDwtwvM&_AE&&^QsCsf|vl1K-t0tJH{$)I3!^!Lqs_Q+n@Ei(DzX~d^z zRoU1o9qcoGHN@j~Rlp2CbX-;VQUnaAZW2>kx4qRDcUn8(9Sl~kTiUBn2hS(#6c^lr z3k9WdAJAZG`(|g2G5Cuf~$mf!2?qeP?}JjGx-W+7|l^JE^*4 z@uEd{*fl;b$irzNus;}|C$yw4yur{DwJllP>8zm+GoD9sHt(23N(-;GR6`Wes~{>_ zf73woQtWPkA!x1}c- zfeB?O+^72M4&?J)=x>&Ars}1vn|I1@%Gcl-O*?SN5u2CmK)nuC^u;>zVorS(dto-E z7gR-eg3?1RW!-fMuyp# z&A!1_J5eBRx6;8;Y06%RE<>`jsMjsWA;Xk^1h7zfOm%708+7t$KLdN4fP7Q^>CtjE zaj{BJh4=-nYtN`a zv^PF%T2z(c`P>77mxE<0z^4rH!pmmEdju;y3u$~Qv8eWJ=6tq#g&!R~6R6v#?x4B_ zyehypg+w-m)Z?Yg_`IXVZ%zOXw%59ItqL4>+;%H!|kc35|R*gjW`h~r$3mC5JtPH zX0XA$0^2DwvYWxeu;2GHk)Ig@ttVta9uwlXN}#oGaz|Aqn2E%H;18 zL?V+b^vmWXB1uw~GQW~bc}CuWl^iYPhO#<&r|q!~sOkg!(Ru+44huh4InDu?{j zPArL|rTiwmqz?}(jrP+jzP@)O2sBka?=U;A$x9Y^iwGH>Clu3$V$V6tJ0Cf8@2=OI z)zrc}P}oA4D=OOZPu&Z`ir6Na4y5_Fqw&~zp5iWUVo~I%Dt~*Wpz*M7zOAGeD{)%+ z6uq?TFoiF!cXXN~LfpLKnW-@P*71n4YABW@@@Tao#3sy{1+i z@j&~LPDJO!+tQM|MFBZD9pNOQU|3LQ-9*z4;Av^&P`Cz^c^)xTdHQ9vKzG&3OfqhZ zeg0ffiO!$jpt5xCjy|IayjZf-TDQ_#9_o?PTw9CHA^H2pEnYSUf%cK$H=~^&sBV3r zdN}ml!o;MA=o%=c4-RcAlYb*}{Z9Ako90uUh1}D=U1&oeEeFXl9{je7+1sd01ruID zQqz*J#e$v1eq>my%dl+RlW)U@W!=r4teu$z^S8a4WTRNHkY+GvIfHW$a4l}3)_vqu z;WC&Xg&TpTV!feEvc^ApT)ZjGFHh=bkGEP0_a#Y1m7;Q&()snoacLDB=Qrpv-4$(~ zdvYDa-jzUZy6ZA{BWW;7Wt^+-5IxmqIuj;rg-2-Z((8eA2URD&i>s&)G__#?bLldI zr)QuU#qJP4*`}bgS~qU<2)|UX-nheP;I+Kluua{(4OcySR^0+Ky~HqsJ0Eq0a+IlJ0g-5h zXFgCuIzqUL0R@vu%C^^QYHcDFFq!Nid=UFKq6um=Df|_+v#ZjIF3!!54*F7Bdt%8k zYSeL9RX5B!-84jJcs^r;ZbV;eS8>jQMfQ9xgfC8qqDimX&zv11m+uFG=3ncG9ACtU zE<{SCC%4VA^ZA?L=%XiUetGKIqD^+dewz2PGb^~j;Sl#@?F>KCSK8?HlWtPc^XH+h zE<<~5BZuV}ub-GNmSAg^q&#zen84Cv-ckW6o#C(gMM{Oy(Ey~F&(V$Lnej{%CJpEb^)8*uHWGKT~oUmvZr^@AV5b%!(T4?~HHp_OERS{2?>yZeJ#7bhPfs{e}=`j=eh z?mc^?-&7=7Ht`$SzJKzH>)d|S@XH04dvC|NPr63dvyY?I&xwAX5=oEGwIG}lt>htQ zx1IBHn@CNnxQF}sN1i`l`g^m*0c>df@vh-Q^yc$0Mqq7xM_~Y2Ahcu)wAh4>s#1P}P$R7cy91hk>pm@Z%N3bE4sbCiz2NM^Si3U}L~wi#^#B6!sD_|+0w;O=f;;ubmOt{Rg)z%LV}d=F0Dc7^1R=Wq z%g2xBp<$zm@Xxm-qi(C7E93Z8c)dLEg;{_6I)wG_kgnkEtz<&r2>^5eWvalaRuC&l zuvkuj3+`0UCKkOyN_vnGOvr8adND!%gF>g_s;3Kc`OT5F>w|j$*D4P<9ZfEPZs5$T zF#m@A0=jhB0!t)OH46LT5X=_Ww-B7Znw6}4nK5dH^7) zt%qU;Pl2OXBhxLS!8*{&-3mI;=Ugt=7`&MK%P zdas9mR2bZ9TpjV_nwNos<4-ll5o<^8!dHwRt#B9qe_(k2Wh{r3fWqhVn}W{9jt3n| zXg;BqU_CWG-4JRP*ZDALZ>UHP^!DQB&70vj)t^0k2EWNC2OxrO^3@Sp`~&^j2>NLx z2PTG_&Zx~z**V|mcz({{ST!Y*`+8gtu^mY5wTRJvr;D6bc6XB@l7_|>*;qgjI-*L~ zplA^2_9vO2G938$@nb`5@LXnAm;%zqY2$PtxTigE^ddg+i@H20W^iqWC~dFWJ&;pK z-bBkq--3zYrJrld3JBBR`c}=jX?WMPW7o^P3h48Sl=}4mX>dD)UnXJ9c?Yl`U}$b^>jc zb!@R}*OTg?o3G{2@|SrI{j|;G=>rTw(md1}s{{h|Uy(g`4<DN10-0&nRI0gcdQMSH?n@N^42ogO+)(dn z`E@uZz5TTOGG%&jLr$Q|I?y>&nU5g%-@r)o^*=z^ zd1zFx*-0z!RLyNZChj;q%}giD_|^d^6@gmVM?`x}#&2A#Jhm!E?j3 zHumBT-ov3)T1v<(6HDw4P|VlR&A^=Z3H(*mX$~`#XO#B>)A)~8nLV66Fq=rVENAA# z>gYk_`$Ce!6!HSOfA+U9ne7o~5RYj_BcVdc#|4%%o*vw16kdoL(2yn{VbjT5nk+$VYbuN10Au(4R3+fWg(*x; z_%lamY(b!h$7M!ir3LaEGU+WBw0S7R9j(AL{b6@ucmpVAbZwybjz7wK^6_hXxbR#~ zq2J-DF4~cRE|302F%di8yAJd=_8;acxq9b&!6Y??la07rjbtMb2%=6?&3Kpiodx}=Ihu^T|{Mqx6e0m{D5GD88%|F)I!zkb~wm^fV_ z&uZd_+nEX}MD4_$(R){uf#qX#?~b*K{y==+ z_|dEg%$GAQB480PExze$*pJ&lEqV_hxhE*(OseefM!i8Zv;tfy3n^biC^ZAbhO zcLS={cO!JSUHDh1)B_Jc*0dJ{-Wu<^oGd6;vdytEUAxkkk{DJ0H1fniv~D99X;c$cZh=r{;}qlK7u(zu{)r~{Ia)oHo_l>suk#-w_TolA`%vyU%BNtZ3~ z3zT5aTi~AJW(*H4x2|mapz_*Twny>CkGZv?C|6vtB7{ew)-=EPF_eaM_pOhv$d@pl zOd-0;57gOQHNLcVOWKaKBhNgMRys1jlo;_I@X)*WG9{;hn6C~>J%g}BGbFI}yHwmAcs4HrM9{_E7eI&+!D#*oY zpZF_IQ2i6guoDpyY3%xa)@2yGIvFv%8pu0#iTk|smrGgx^`SulrpJbdE9wklPAlS9 zjpN2styc<*!l2b(_gm~WGMhgNKLRqn`UuqXXX}OGhx#wMT!!`GVgc2xXdUSGc!aBf zuw+!XK(3SyEI;owzQhHp)V&9Q^>KP-sKkPxy0v!`3ySiLWZ2;qZPCMyO^(rh$&EX9 zRe^Ol_(m^_5ahsWC$>pN+Kg}DOL-wpMJq!p^=?tKc6u384Re{xuR`0g)h7@?$0z{+ z#;4o!=*>qUvQ0A20Q7;d(q1R54i$=b+72B(1vo3@-V%yJR!#E;X;J(}1&+htqG*N4 zP86$g7g&rN-o*L70C&j3iz_G%Qqi`$eJY~Qm$}VYljoG0uLkffAk#}f-t+y&b-u|u zbRSTR!_tHoI%1{SE%Ma8$h3_q*Y4??1X3Z#7CY)6BKhU3zis@Df2=o(E*9lAV$G#} z{(bYlcMKTj!lA=PHDB8WMNyJyta@bgajuZFWG8#X$h_rGfOm_535=vebIMnCPEA{- zo5*FIVH|)6J@jj|E-_j?s-yeHr9zLOV2ev$dFt#`_^Xce3dDGDt3_n+%7_pgLK-=D zvEGvbU+K14y}44xN1tCw-Zij?6UuF6>;?rt-?+}^$6|NyHah6lI#7(Ksj=}=HNxR` zAB%u8C(jS$u}^E$B=2gzUv@*ymR!hd{;hMw_Z9t`huI)jFkgDWR@NB(J-hSx8V9B` zW&%ZfE|RDF{laD_4VcV@SMx{pk`;W(SL;7aHU%ppCGC`q zsDpx`=D(z=WqEwXUJJ<2*F5x1B4*!MMyRXk&VK+FSPSpZWC%O3ZU)&PUD;u4tFm`n zSf`Q2ncB(2s}_PXq_}43v--?6;=0~-dpG)SRIvPXN4S0&NYU{SRRN$FL}xh&X1lML zmNp}W%s)!z>;>jk^lZ+j1nXC7UKaeU#}hBsZT)SqS2=i)DWKPJr8uzSPXZ6!(CbiC zdxaniDQYMOZ1HcKmj~@pckLl>iH>(hCngpaD(zhc$&<65xmgU|lh>ok`I$v!!(&X( z?fGGgsVoigBYT<6va=?k@Vlb~TCugL zUBe%%#}QIJ*X5#BNaS~^P?wr!uqpqJ6BZ}%x=%O-lSGK`0M^8$io<;?w^4t1&O%>^H0 z1l#$tN^(8nV!bS^J@XO+jDm6B=M+)Ni(SeKlMDTl zd`OjMtMguN8S=YkZ0hDz1*OP{2WHY}kq8(H?XlxeonCrhz^$g|ApU|nLeeH(aL|?W zpS+rH3-WW9pi{YrQ7bwz`Xue(n`n`>2X2^=l4}f#Nq1BQ=U{J7XTdcmjbea=#&x-@a=v2f>{(?J z>L2A*H;>(n-oJWm+sx!?eoEb<9`-sWY4{{o{4!LkqyoXL>kZhuQOgRwJ{>o2I4)=U zJ1K!r)+-EeLlCS4hGi3z0VP$XRtxYlA733E$DcsO(_PCC8TaO?zWt#SU4fM88LGGp z2*Yf_mmVT@FGWP`;npPl{_)|yJ?vz~l#tFyWlUrn{jB-S&0V&@gNZ5&-z&KZcM+)f; z_Jk83KmMeCno5+O2u(LPn>riCi(wld-c`uyy=$f=U= zi>#cYA^d*)L|2mxqqj8A0>J?LGXOC=pQ5KTTm-E4>Q zkbi}yiEQOeai@B$A_bq6ljKXR0#p*Z8zNR$$mI`D4$Uc08a!0OEbnapkd$!5T{9

e<2|$k7D%E9~+`L{{nUqA0?_^587S`j|w@}bh$yl!obF_4(hDxNFkJrjr6x9 zYHJ|Q)YOd2ALKKn{Rzk7u*Zjuhv%D`rw8BE9)H{VKAdU`kZ{_q$Iu+nP!{lDKQ#ZQ z*|fh~s{DrH(My*vUv3hM#WHpQh=Txj;Rijer;OFr`RttHagYjqJ94kfI?#c$50_Mt zc=;LC{t%lSJs4{=s91zv(1r_C2_c*HYi!E5^9}Nm~-B6rCZQEc65$m@rObQl68eoJj>k08=D z6}HsqaGFk`4bmvlApkXAIq_hD*;HY>Dyl@9y%4O9>J8PIUGfqhSM$234_*d8LQRxj zanp{c-#Jw@;nm7&K5)D{T91T_O)9H|A0%`zJskcjnWp+wF(Gzf^f4X?9g~ zGgk5c8d?8jn>t${Xl}e7K3yaU9th;4;esPGRl?d(29k5gVqTkmjR=w<006HSpFpT+ zmv5J0S;2r8`1tV3vN2eCF8=S4C#Uyrq)o(`TI|=AEJx$zcMa!QNcmh^=AzMXnr6|J z|5FuZLr1?X3M}WsWneUOCFSw+IboBaD$qajYkJ6@eSfzjrJq72$ZB(K*UyvD+-ZL) zTG$X`F^9}^08MRK3(TC}e`4r*bRaC%H)|jxKKTr9b({Tc3=WB|uL@M>|ML1oZ&*?2 zWYNx~6KfT%(uGP5lXXHX zSDfG~=y8ix3FX#hh)uW3I%MfLqg8gObh97EZRsoD8o)(*KYArAYPv$I<+qYsC$}r@ zmACbyZF$y!ObWIzMv>k%8{dq4VI=7=?IPSpiZVj#8E&gwfrH!pZoVSum-_!Yl>P9l zU-kG{=rj>&jrmP`ENlnJ_dPapxFfWIE{R;}iC(VblEk_f0q|?jTFJV3v2u*#z=HaR znN1d%AFTyesJJGy;1l=hBqj4aie!g}+2eu^a^{S58GvHrVq| z>Oq^{{3GsR9CP0+Beii;kh)d2U^CzRm5?Lol&v@~=#ew4mAmu89$^aBO_d5B?sIfC zjJ*tvMwu148v9Lc^_V1@^D zB$PJAP<`NF2-gCET2GuWezJ4dt}=FY0t%Q>C}}^jZ@*4&t8( zE&=@k)N=~^88aDr=-!JI?qK*hhL`fBOpoGQknuQ)l!F@SP>4fT&IyE)d#yx7nSMpq7 z24m1`ep3(u+?S-4mtO-G=QZuqZgNGy96YWF-R}F|B-%9n;X@f$9KE;h+#~nRqiXxg z)V5%*%cu3*Hg)ZzT;Y^;V@u#r2PnQIrvzZylf8E)uNL^EZ6jOrUQ`8(`@5?qsu4!9 z5nIMf9C;@lT^o4wFOc3A3Wrn4j)fD^$`Fr^M2G$fk@rM&YT8VbT9u%}TzM>UGOz3Q zW)N!c#!aaqkG`O0dsWrK>vx=Fd9g~>5G4o{?rmDiZH3bdh1Q2y`*4jT_ZZaNl=L9{ zz$#P95ak+b!aNw2WG5#IplGOv;cL{vXx5-V%ZvYFjz@PZFa?9-BKR~5*;&CjZ3ajR z(4_I`b;g|`e#sb>d;X_behJ_bB6+H00bZwV=$NcY1hO3c_t+D`)-xt=G$%cJRyQjZ zAp!xF9g$p8!E8S}Mg^Bxo>AY_3k6#J5C__>cm5%+pu1w>OueyuXOEEDMAl+TZgU8; z_IAF6eu_5P=2}9o|49GCmx!~q&`3Mq`;BhLZ=K-NA~)Zn>Gr$n-rMF$;HQf0*N7d>>HFLRt#|Kx-@5Vc{sfi|_rM(#v@8yxiE_lsX}7(RAa)VJe;W?Qt{VxAZG z>#m3^&_HJ5_zcLDn5NR9fjKz$B;C8?wIAjRFOPQ05yHE})~c~3FRWTO)k3%y4^xR0 z=8nRNyt5(9FyD!~Lcipcg!R5UTOTR?fpgDRP#-62!0W~he;*Jy5~2bU27|Q5Z&T+l z95s)=N&DQ&bO4z2G;uP_P&szEMH5g?LPHSHkoL#i4qNnD@UP-$TbsR@s4!AeZE$aUls~Pv)-ju|e#g##4xelae#_ z9!JAZ#C7>3y9kaGh+q4`V zu3G6C)MK7_=l8t%3XU`#5{vVEZg|Tw79lsPEQf9b1W_--lT)a<)`Is0e|<#pHd5#p zPeHM6r4FfXal$x`yEG3AX-af7`$aiGV&Fe$uq&?lzV6_r7(1ro{XLi|i;L3MQzKAc zIcyO`Qc3Y&u_VNypEvz=j8GLJsXZ{Emv*(tx=U=q;_dbzx@FA|hSZ1sj>9WkR!po*G=**P2TeDcwQgLps&v4ch_w5lH!keou6) z&r)73UV15=x#=%KvFcZY(w?q=-D&7pK;K0O^EjIf4FdP|NZ%tU*5X66DHCb^cbfDZ z1JFiFLh1}2g+oO$O~yTL<6sU#YsPJ?bA`;Pv8k%&ZqEYK=NwK0R%P}d>F|t^Uy1k+ z0fV88c0s=*Ctlu&pcY-#>~YpP-9b5(3KcJG^}3VkLvbBaRSTizYvpO{I3}AmhQrR1 zKGz#2emY$}njC#bS(@mkjFl2D=Q(IHgdzJurwYQP@_BP?odEGjOF-JNC@F-Al9DUQ zRKv1GoP*oAoIs$%0g;%jPu*>Q1D$s|m{39{iA)%s{_{XX>ck;cDBPjXPLEEeR zvlpsT)W)NjQd!j-9Sf3@_he)qXdN=L#OxcBLOKK>ZgKwZ2fyjlRgl}^VUvS! zcrfkA>Zb2z$yW&$;JQZS^7eADS0-B2`@0ETYY7TE2LPbBW{9g_Jk*G&9Ner1eYFhR z1e&b)%o&Dcm?9@CKePXFDZufqb2)+@1#(lT>MT{xZvdqO3L?Xy0>?dJIeP#N8^zjs zePB4qY1h{E?wa;R0WAof6F}w_4=5*M(=H>soIr0+?A`dG=TDt`U28d;ZvgySD?k5F zaPh@ZqoJU{I~$ANxQZuSx{iU|t)NE5er|J)tKpGLi|pY~Dpc*lJ0^3tVwV3Uy!j7+ zZB}Vx@uga)?ZFAU)*C=c?G+o%KCB#ekJ<~I2A)**V*AtqfM|B#-)8dn?*RC__aEx| zmy$|b`~0s!DsvEct6&)32S1+%@ASzVsI4mXY+XoI<{oQed*XHUKp@q_X6H}&1h8%! z71bgZV~ZwfNFA_aPcCwWfKqY`U-#N?GU>1->6ILy2G_n*Wz}@*P;BX8_4I8Zr&<6c z8k?E5`O(fQK(J*|)o5%L(rm8%H!tR88yZ5K>t8mU^~tG=EGlP{bGk%iCs6PG$7)+9 z63T)~fvkB-tV;!Iaqxj%lR^2s-kXTX;uP3CZ!v zsuif>3^sSbHHv(^jgIN8UNe|3`{p!UP9HGz$;3CZDAe2%M+E4D;X$qQuW^6mc;ezu zI8kclB(;LJrZ62#)Xgu3{zY!*K%k(`#R(yFuwdj|z9N`C;;sA+Zy!aL70>ce#q@5;`!Yjhp-}BuQ#4&ZN0{-bT;&#&1fVyuqFeVUeDl$NRw=@Ll!>xAeY2k zLC+*(4fC-9*$TU*B6Udlg27gj>pC~Yf+)y`VPF{B+R)R=9zMo!#p#nzf@9$r8}+&I zD2RA0TRgf5nGDqH+|5!qOzh#^(||)=d~<9f57}YcB^C(v8kiALXYc_tPcIQLkQstNW&U|cZ09e%AUWb<0cjJ{r;LfS)w3$hV zgP!2Y(mR#cT4kqXP!Nnc6I&=ujeFNc;Xr-+AMD3rnk#VL{S+OeMiRHRVMITJ*ZoCu z$%Zqo=a|;`y3we@C7;v5q-Vi>7lOTFiOR`7n&#I*DUKYI`#QC0D!RvhK-wNJ->P16 zU@GRHJS&OlNp};qy`eU0yZEiL9Pr#t00Gv$@jUt-L%;7%qW8PXF2i-No?1JT3gU^a zi2w?ZV*493@J3qL{jN_34y5TfjI}73$K@Kb{dVQhFOmUXS|<_Ho`~x7sw0(DRYILB zdQJb(L5$u@)A=Rso?TU`y-sdE=iv)v*KNmS3{Yjhjkqesss;3x6g61#tvWEZzpsL16ACfUgiG@3OWP0sP=)ilms}mKR+DfNN3NFan388dv{8*~(F`J>b_rdsKi{DZ6 zCVxC`yF52v!yzy9Cg)F{pdr@du9q^bmyY!?k+?81ATP7h&f)-5zDmWhkY7@Muv8n= z(xqR7(BNxkSnBrsHP21Vo9Tq>c%A$Tb)3sXxEdEVX8M`Xeys-WZoR%+E3lN={eWcV zcpFY+Kd@AEJbPF9efy`8tS|y1wade4#F%ig`xv5tO_c|;n0#uEf3Ko^q z-}TRgTj+38o)+hG*Si~yjFGEKQ#@*;UN3)ZgVNC1fg?x9S|@L}v)Ec(Xh(b|2V%iO z1m=*b+>xwTQnFn3lbV0x@&f_(Rw;qT<6!%YMOLo#PR}^9y2%-FLR*Nd{rJmmcBt2Ff?xY;skyBFOl5Fyw;0i6V_E;AKGXVVE>1{cX zqJrz(o|8&8oMso!($Rt}y3=fSSYq&~F_4dl0`OLF5*V@YVmd2-P~+r{y6>M8nUew2 zK?eNV)^8Lf4$XChe=gb4Cl6}tLiwdN=1_Rd?(25Trwa-6a{RyO+h?anR@96x&v*=a z97J6?3p!{06J+oD~qAZzV*-{aG>Wijd7n#9kA5#hmrxlUJKprYN zcWW4_+Q(S|A|3@c^I#6m-pjTzg>G8kVlCS0H%B^CCI+{&j7;ck}7b}&+*XGW`Y4~k^hn$lWcVdCxl z3du$~KmAq)s8(e2&fwo??jr?QH@3=02-B-Hu~GTHd?;}%jMNSmRFx8{5+JTN(@- z3@Tt)yn|bFgVnR%T)q1EiCeJ7WTK7u3ReTd{oFvQV09x^W3dN?{^e74&CJW6^q3wD z5!4j(O50H(HA)j6X$OVjW$E$iv5dg%Ib2JD$!)?*gtzY5wv4pJj1VoR6jxrsBD)2p z*fzdebj}RJZv&WvvR2ma8bsCTlDup+Aqf86fZ_Da~lYAaOL<@5c#A3bi_{+ zYf7R&F8mWy$y9~1@}G3x{}D?65bu4e0u&1}=5DP=09o7P0PS_VPDy|Iu{jQSz`oD_ zP_q3;{e|wyr)%N|#xYRu)-_gs4`{<$ReX@Fs)9}#4|in(iUB8Q#3P+ zK}Zw`cepRFke;l)@js;d|6_@}`!gj)#cZoRd806LxY^q4)2tr7JqIW|@sv>@Y3DAN zqw8z!_BX(g1)cf#X7o=12%G!&-*4wGMB|;F267=rO=~icfj_C=3ulNVq04^O!e1tc zGI*Un3DSRwioAnQm|>hi5D|6GB`~`G{TaNosJv$SDY$1o%BM?MRjPwlF@c`amXynr(J490fK1vi!YVOB^8 zYOMtrd>!*r|4?i?M!WQL;5rchNbkwb+C}N!L=T!)z{ddNCfa2JCVQY~RL{YD@xe5% zC(lIzCZ3SPX&(OTbU*YdM9C|>&H?)d+DCS33{7S}@beLyCPa`NJc!b36lj=3Pq#ub zZGtYI53yVjA6)~FH9M#)=I+ac2L6EIq1ZzSo42=y{p4G1-Nxq7t+a7O{oN1`XLLh+fIxPETL^l;umq(bS4@ITveg7aIjZ0TjU4K`*yf z@8qwr%3qJph^EZfs6rYz!WP)~uzGJ0*xEc0!I7+;m2o8lAsk8a)HY(*LdaDB#!g^X z9B?vj*1=m`lQBf{A+#n^7H%dtRy6F)v59sFJH+0nV(y^{8xHiao(yz3bf$d3bTc7j zUpIx+B?%Dc0x{~t=aX`{s{m+C1XA?mE>&=Be$&`0o}4g50(OW30Ev-uH96(aSoK&W zJI|UbHA8^D;5UBUdG=53D6)2(t_=&5OZKmbrA0*|JT1Ks*|Z&)e4P{)neU)z>)2Y0 zOuqZ3=_2ZlllHl8g_BR?ed;udx?35QSM5yE`W1R30&?>LCrHJ9O)KDgof*6!9f+zb zt(8~ua$Ml%`|TRs{AqcLHxnyeT(x)+QY)?zWD2F$186!=#tkZ1+>@zS{;yo+r~aI} zz^C>V8LQAlojMAGod|Wlo(!HSdDFHn?Ovd${t~^!>Jw+4V8#?W$t&5^n4Ol8KK(Lh zzA=A*wuNBD4&nq!q1Uc6R||UIiDQ#$86G74*rTyXZ_2H@3?lwAqjzGu z&ntP^9VT|=6_I<%)OSJV6a=;e8paA%xVca=74;2SN>Olh6}+wd_3MSml@8lRB^60% zJ72-JVs)4y+3e^9B1uxg4JtaIz))L2UVU?aj{d?iUH zA5cR}mFE$ri9Z(nL^9Rh#h0X`ZG+S$+zC~>noJJRgJ9YqCHYWi4FyIwvb( zEl<01B+zU4(svym*MaoI)8prhJ$9Zcy3m}6csa5DC}lKT!41}4W~-sZDJUte4CC`X zji*B2)I5ir9qK~WsPrq#;pS7u4^gf;NG(@~pbaKND6fud!%uZ10jhMt!Cxxj4KJF4 z52@76B>)UB_^`^#m&?Nmc+s^fTYBRsmBrVUV+2jc;N3iCbO=c#Y%h&Mve*dI%=yq~ zinhshn<1lb4!XFZu{niBR!yZkb86ei29Y<{a1vx2SI^^X5euET7QqI`F;tStD~- ztwu+tdBV(2pNh6Ra|mJ#08v2KTR9+fXG5}l2EG6e)``^{@br)kTQKu}!oy?2g>VN- zXSQoj2mVQ>>DNS z#I2Fa*_d5OtieiLSL|%7Dq5|Q zn)XVVH?e3V1O4kZ`~2|mJC>V*quICFrBdCfP-t{J^X|zQ$d^SZU9#$fQMr}Ov8)p8 zILbmM3yJ{@9L-dCMtrgW{MtYPkpn1jJkq?Nb5k2WJOJbvg*y`*JGv>N`zD1%vJPU0 z!MLAy^k?wco6KkL?3<`s2wou&t)crT3NX9W2WZ9FEZ^%tKB^sU)+*$SLUJC!eLW;UF|pdg44RAn}X0L7t26LPfY zVWQ>+VU2DeV!QVA@fuist_M=1XmYQe5#56j&o1J75Uokm4^Lv(i60yQ=rUQdf;-diIR6|mS=6m`n>$5yyT4fI;|-9$8f9@lx6%3kJ=&ZT?jSqh zIp-I8W$WuzQAD}6UnceQ{GJ^W{f2gLi$jZr< zhDEW++OuS4PQc`b1vEoM(3w6SOVp1&uE6PWwW~|i2YWaF0ge235s?cN4;Y2&^qD)N zLL3hu%{QFb;vOrycAx6{%PBKnrswQZ8g{Pd+9S~0?Q^RD;sv>vhj{Bj>eWa^ z^2LRhYVMR!zYQQ_5LBEg+wb`YupgNG>PbCwR>SjlLm`d1s0k;+i`RhY!b498y-AJmq;y_Lw6;(@In zUP(G=NB=kTgE^9KotI%cwHin}EJPTa6b$?ZOBA!Z%-RK};$Q(`6LKU)fm-=NW&ks6 zHT{>~ufreSn}eS8E^jXcOty3@Xg9yE^J1L44n?$*A=#DUcB8pz25{bjAB2 z0L_PgRd0Bh3-o@!PeP+%L!KVQAGJ`KE9o+1h%|Do?O^>6WbvG@U08WH3SlIZkg&>; zKrol-?{T2C_ACE0Wr@{gewb(l=5S;iZ}olBI93lb`|Mdw#{&QIOfkrGUTE#k;p^z7 ze}-A?fMsf8p7!R>mKSt+;d6WK?VxsH*GbacS*WvJ7_iT{(ZDwBPLKVNy}VNY^r2)% zIg$XRTe0LN@F+;NKQ&~xzT}ogx_~_N4_u?MP@>;pzw>n8w6_bnypCK;^neraO$C8x z${#bfUZSo80ouS08(QNI?F)#-8q;0)Yd8n!8jUdD~??DM1r?=(3LC zq5hN{`hty%uM12=0jD|no*o7B2=oVnm;i)gaHM0$`A@^a<>l-Xj+6rb5!r81nPBQG zlst55t?^DVFv^*&j}ZEkyIk1hYjC&mBs*pWB#3q=NDA&(16;#YCW>AvTajx+;Kh3t9co;S57g0;yr~!i%-=7I|3`ag9@W&f@9|V`tG8&qQUwGR2LxpZ zA~S}dRYawM>j06NipUr+0R&7!6t6&yfCT{s1qA__QHDT(L@E#!1R-J=6H6Ea1VIuY zkmT+Y+TNkPeO>R}``+qXN< zWinR5p7Nc7+0HI<*-m`NM|rg`GCjr%rsmIYdQ#-_4bq0!yDytql+Ovbi*F3>-9Wyv z%Up_?vkd7&37X5F>#cad00P^eDlAT$VnW7mEnZF4A}7ymHx!)E4ZJ?4Ns-n+{agy~ zz&@mm=p6>dvo!^n$9}5?!d{VV&nsHt%n8R)FISI7x>DPAcsNA`6Am4pD)AInz{j|1 z{mHu~HTsQS-;d09^b+>M*VoQBoAKULZ^p<+mB9olVB1ONP6>l9Ekn zsH(OuR{^7~elu(Q!$cyU05^+sz!Blh{Kb`Bo*?dbsg+5>3_EiZU&FCJ;c4LDk7Hm| z)Z7RPz?|@LUg`iiq9MCI^!H{k7(U>nR>gmdZp@~a`xG|x&YGi}mEAa4|AJ>*$xXzw zUSmxAj4nGrWwdDi&YY40Cac*5RDs8PtXL+nsO?ZmapG>JWq;qdr<|6|?BwuirS8e; zStwROA@&Iv159^qHjgysG#H9JS$kM5FSo>~%2FFC>{C zTnv<2|0Wwg(jBF@0@jiMM_OVY2d;KeD9+b=!{u?0&$U(D(Q5V~H^+L|FVuRPVz4L= z?*c#HlECnDJRH&9(Wojc&Ji%u)OLkS|T zNsgELG=(;dosL2;9qoJnI{M)iSZVw6g`$aVTCN+V!xXjx1nTK2GrSRTN>i3M7jde;l({ZjOna6Xx*FW6Ck+T{ z8@&T(o=OYU>Kj8h-Xe;nmMj+)i}{Jb>xzVDtX#X;2tJFgARX6TI!PGasT!+cF}#f} zjAA|94qG-3gSoFF3d(5al0jXhk{%MZ0)VQicTM}%*WV>6zh$gI-B$kC48jXL0xY{G`&M{j^=KvxQy{8|&)$Kp^8P(dBHm#ZP2$S+0w1 z9lo%x-7@jA99Re*CGXfFL%Acf@!!SMG}%i9bgZ7~-qgFXK!L7jw%@#4-OGlJ+MDjY zB)JlEB0*)h-`aPig;ku*(htT6bDi{FsZfi)QCHfX5wAiYn`(%ca7S`F0evZZq{DA+ zDLqorJofr6>(4}h9kiq&*r+W|XiER|cVR8kSqxTMEvLcJyDTZ`W& z%n$wS^px`Mxm0PjEeW^OASZEktSwDhnx)5)=2RsfOC!cKqpg?vD|`%L{(pd;J=E z@8rG)FO{fo;VsMM$&f)3`g|v)dRm1ZvFF8=m>5W;9ZeHEOs7f5=-GBZ45GqmodJr@ zFs1X=6FE7SDf#Z_NKP|pAeRduR2z919^B!uGjTgMX>(U^Ov8b@@Ci2ny16|u)Dapd z=>icxJbuK2yT@nxe!4VN5^bVir_G)nr{A;x=;@K0+dwZyAB<;SWL0?rIK1jybDoA# zhYnCjz%zBm+KrL{pRs{ssBV{(y_ox0@WerHEV-#=e2%@4VWS{r;B%+8nS?7I{8Bw7 zqVV-6yH=e<9gEDFu>=zI2o!)^IP-&adD46KFk?TgFcAt{PY?7c)QyCMg?0J0S2+eF z5s2Dze!e>uos!VJA)mfl9Cu7#n9~*PjKWqMr40&8UTO(u42rj=`FZUoVHsOA$Wm@% zywdeLeT`$0(`sks5>_U8s;$I9diQ@KvfOvd=FFOH6eYwh--9)NHAIE^G!)K|#8vh4R|cP|*Wuky98&*d zK$VaO5j0i&)cKYXzAgEq9~yk$vC3^Ya{8;8^`_M{s`lNIlj7RbP9baZoVzoV+lLW7 z{IdFghNj4&5H?%BAqCaOKaBfi*|rAu`VccRh&YYR%_F$l;m0C_s7h{}w+|v*&)>Tm zTzlw-IfPY>*xkG8DIlH4sqYvVdjql+EPLa6rKllJkIGwbQpDDw&c^IZ8kWE3|+Nx%R^pzhgw;ayv4-uaKby` zev3N_I*pSV^XCwt0tmLVU8`kb$h<;FdqjcIJJ9V~y-1CJpsMJ$R2rRasp9i?KyojT z=mJrjxs6xxZ5fn6y!7;X$xRfA$|dn)0+E$)6^Y%#aQsZiyF#vb}lYNvF3}hrX_@S3yAsNtg31S;F|t8 zV?(P8*ei5e20KCy#otvVaFX2w;@1fpe=yD(^XI#Xj=gL z{vAAU)lzW+Jt>SQ7;KeJayHJzX@L1Q=Be?=$hx}3KV0!!v_?$ytYXx-1_e1AnWx$7 zOh7M5E`5o?HFld8V_zkqAA&rvzLo&G0lV0+b{+93V(v~`j0p)D2OK4ube@4-Bb5>)dEfl5oJI4jXHeF3uO{ir2mXTmDqpVrSweYw5Z500f$wkVu;|_A4?J zTP>YU0I3x#{vy)w(uZE@URS9~peHfB*UZ0IH{|(EzUhij-A@AAi z6baA$SR_l@)XS9;I45c)c)EVkip#N(ix2RU9EHI1>2e0rEUvAel&~A>g6`dTh!(o= zHM&-S=B{GT2SR|2b%9wm#16`S7OPh2M0^)b*MJg+%<2{99xY~)7KZ1$rCf`q{*j$W z67|>P@p{T=w=;;D#>TIsT^8R}frNmR5npz(?AiTOF~(wH(X@;0q6*S}_2r@+%WdNC z%&5|Loer{4r3>67Q&r;@kZWflI zVexs!LZ2ABy~9}k%*yAoQxs2TSc3q~fY?Kb1KcEgzoR~S`c{@&Wb99ZtakN_?9Y#~ z%pdijvM}>+bOVwFo8OY%-cOhG|9fNe`oD(Lpoy`!c|UtPu6(tE@K!EjmriOLV>eLQ zdjxO%epmA!bTIsN+Z$L}EqBY*QL<61oa_6@^3hDl57MXI60>NRFD~e+6lPkbxeV~A ze0@Jc+Q1&$@Z*jK6inES)~qo}dWb5;+#cHJeaQq!OHZ%;A>BHlMf_tRq({qpZZ_V`FJ4*_flOp?P2;y{ZF-bv{u`ggGz_Ycb~FrRKa z9_~rp!>E3Q2@AOxfHlyFwGO0={bW2wGdnCLvwE**ySz1R$Ei(8=bkf0HD!Ksuu}W6 z&b7?zimvp4g5aAA@?766XXN>77^d(x21rBz z4cE10`9o_mr?fyu4+^P%LcJs|>;kG1YPfJudvTpv+N-^T1!d+(9HO?XW)-|!ekwLI zptSG(eJ2O@E@Zw7;fX$#qLlSvh0E!7?`@hKA23|q2x?rmPI2C5*u^W~zf7#kQdd$4 z30~}2Y6}b(v|;HQ?yhYyxdR2mm8B_#02wK(pmwBs3o`*EsMdkr!n#G%Pi1MeqMei`^$eY zKK-;^zbBw=vO)j9HL?BgXVoI;|521VDJQ;63aNNbOLOmK&_AsXx~1imLh~3?0bZAB z0MUV6KEgtdG-5}b+*10DLJkI>Vl)y&>GmamCJi;z{`$N@t)_YGt44!kb47!I5XFpZ z#oBs!Z6Or{XbnDTypPDZQJD%buGU6YGj7rHSyiSL0S=G-+LZsSZ~8Pi&K>|Uy%Sn@ zRUNLl-R-qrpJLJjoyG+880&xvsvnPz$)FZ5QW^z1Q;rIE#Nbdnd>1-H%TFslikgG1 zNDAHK$5hAw+JC#D_PtHe$xiT%k71WX-a{VFgmh21Yb#TDQ!c;yBHuqOJIsbD$t#8| zSvc5`*dnKLjzemXTeLGB!|2(-kx|lTc0mhK`?G9IN%)-g+RoP3$)?4gmFCT6i>{TG z55LGRqBR5K*V0d+G4wCA)7{tRSYD)X(W`N75!;Pgg=jF%kISP?=Fgg>gcp+8y5O_^ z%j4|{PrYcTLn!gpc2NwPB8-pQr|upFWSQDJ>Z8^m>SU&!s$Xi%8OxKP0U~HE`%b>u zdGDl0CwH{QyC(l|eJut}{tiQJn7AIY8GI7>fxylfL(MgEtXNI|^n-R!YniPZidg8; zp0ql>6z5w{U)8Z`uN zb^KSzg<*eA&bihi`ZgqB`+l_jiwe_%x_pFL?WG!a1l(xSLNPIsk3KdRs7wleRN!}= z{Mn>IXLhQ{-*;zhyyMBU?eoqKcCIfvb5jSHkIT3C*}W~d)npynh1u!Y1H7{A{$WLb z;RHXa_32EQ26)HEf1H8<_?Jb5-;M?Lk4^uF-hod1qMll|f&CX&1hN76t%gL<_@DJx z_`OrI5%_&F1Z7T7HjyzlZdHvspK^C<9;rzm@`0-L-2j-}w_9BZm5R N%+ls?@fYrqe+7i*_%8qe literal 0 HcmV?d00001 diff --git a/clients/cascades-tucson/docs/servers/fax-packetdial-whitelabel/Screenshot 2026-04-24 120004.png b/clients/cascades-tucson/docs/servers/fax-packetdial-whitelabel/Screenshot 2026-04-24 120004.png new file mode 100644 index 0000000000000000000000000000000000000000..e791831025d5625449471cfe4c00e4c83f4b11b1 GIT binary patch literal 29566 zcmdqJ3pktE+c%n?rtNfkZfQ%IF-q%LO0-3Erc|p%OGAU8NF75_rxM!fQJva4R+K5F zB?v)6Xwqp(N{T8G5~P(nMx;T4M3Vi)%=^CI-rxV*`~U5|uWKLHbs>44SnGc7wbs4v z`*;8DBwuu}-TLE!A3-3{)^lgAoj{-;c7j0bf;asDTsfQEbO-peCeq3FcTjbg>J;#1 zz5j3azkxut8CzDaZUEkIzJ3-K2?A|8G3E_*!rlq#!VYuz|0Gir{`1szWtu{ zVBKzX?!)^_ACFQn<8vlH>mQ8JYJN)oI%U+6##+$7;$7<$m)hgh=29+u+FP1 z;9VBiD_e3{;xJ5b-DG03jyW4Hw6ukHA)PNc$Ds`*CT%9!{`o%W4z9S>n%aoZ>wU?q z9bQz`j|f#BeAOo;VYx)d-X+|;3*~Y?^Yuqek^i8S(2i!Wj4$0*U%LJ9VJz33eV{vj zWWE|BzaO@AKX$^Lz29sk*0)76%qLZcZX$o*Lf*k%>13k&fagBC`h3_uId{T zd-rP_Dlf+5=|vk+ zvuN4t`=RH2Y;Qv7gV+$mn=+;0Fn79DWvN)+mZHqzl4iN1xk<~pziNz9RKi+Bq4%K7 zd)w2Gs7J!pwj(YK{=hoFYYpg@bCri5d8`fF;^HEg>r~>94zCaf6wDS0Lg}T_-~(BQ zOefH) z_{OVQ9G(GJ+lXFKp^Rz*+u}=wWJE;aLONb2Hm4q;Ndj1A=k@#$=o)>_KBuU^SpKXt zXwuJomi*#GZA(~3+EsdYAPeO=vVE-IR;ehv>URc*S2EJ2G2vU3HBr1G#|jf(*$;Xa zMY==I(2y+Q3CHXg>A}zDNk|IEHus!u$)$u|GgNQG`roZvQH#UM3hC&v{dI-(M(JdR zY_ehLqd9xID|Q~uR^=zjCA11|>X{N;07fs~DmOy~&;FpSyAE_cAHg=gex8?-RmT#} z*^_@JiDfh+jg_Y4QPq_q|+*a_Tl(Yp5H+)PJWFh9KadVZG zl_~d89dmZhXjq&(3^oGoABX6wTaAV13ZoD+7D!}Ufk>&zizy1cSzwagohfYiDCpNW zF2nJwCA>#vkxpdwj>wCIkIRQy$ROSL3k&oc1xVs-uL%h<27|q^z@&Ur?MDcn%=GRd zR3(1jm~?bxq0G$2x^*$3d$BbJ#fZuNB@!j_Pl{ey%8oiwcDR}4i6eG8`D_wf6? zjmRz%RY{179Xn+Z$DfP#LP`8j&_=wTK`p^(3-VVwn>(E}OjWTdx@5jlQk&CBe)YZF_Wb^KX+?H>L7(C~S zr<>Ge-yd+oq*dg-aw%E9XuKZ(R1*;El?(osVqM_(u@@X}&50_Y?SDkDY{%ZY^vdg4 ztk*OR$FfAVoD*Hu(wMYgbBC?CCttzXrw=RZvXu1E9j;fQRQC$?UZQyD2m3_?OUh;h zo+O~UU_}EqGox{aR+VG!WT899#_(oO1FLAMReKa+7!O;aB`q7O5XcL;vd>Y-ti;I& ziIZ*`Uw>6!J_`tJnB2@KHUA{Zs(o8_P6Grw#iK8d@hbG<5s+rAM`egODLURA>RUhv zaHcc5e~W`mhr^?IMPpeLgci$scHIbC4eeJ(vOc;womkvQg>So)J>4?l6SxtC{_G;hY)i;cChm^$b9 zs4@TSl1dUMtW`3yNaBjRDQnT1faw9X+X}O=Z@tR=~O1GH!}(nmzafft@Ic5|;9%Bm6Y7 zlpv4hh|<_gX@bADCw_NZv4zY%i5;YQDs8u1_!Px^3w~k^*nz$drGYwJR32fH+;MlE z#DC=XsS4$saiO}qCXTEes>OV1^lj zWs+P%wi*%l6DZ_mGkIAhv5Sx-Ay9J@+H(^+at#;+_pmoYB8oH~Owxi#d#$8I9K3FF z9@Qhow_^{fZ)vJV!WH(r7!c%qK3-jRniY#6Fw}OMYB93rWasW5iL874Bp&qS%W^yoesir1>ye=h6Tb z60I)-miDC;#g@Vbmz2wq^a)bv&5t$13TcniJK99k(W2pvij#h7RC=*PW-JV+?>;CD zj|zOy`%7~kKk|ha;e$<5E~MigKj>>YGQ7fxlEWf#BNAO-OcSP5a~DrHZ7r8A1y1`9 z&YSRKn}ZHaJoX)~pNlmXiVXyCz4%ZXssriTa4>SXh5ep>;xH%2lFurW8QEZfXDC`} zFG>wt&IwCSQ8ql|f!g?P)tFt?V=c*Bm z>yG!_kE{2$J!1}y} z4le%O*FawbYMMK^5$$pPjuxDBC2kXJ?Th*jnQOUhTS*9pYATRiHD5JWFYL7XGJl}w zDl=$@_C|XN1%~tu!3tvvGQlKz<)qvj^U=6|vO%hLl+A=dx;6nu1Xw83>i#!w+}QKr z!2`qxJ9y*uUlJE%lFWP_Sak*LL~g!=w|)-}G`|mZXPkHnY=59RG&Ii=bxC{)39C2q zkO9~dLAKX&HbO8GzKSC#{~Yj_|fTdT}_08tgfr-xw?Kfi<|84c~BH zDM?z$7_H4fg}@pZ`AVaVhO-Xl=Kw_l4Xkrs^Q=b5Mz6}B6mQ?2$=-Zt4vgkJU+oWc zszWhlK)aQtI7fi?_#eqYPJa&xI%NkqM~ZeLE@)-uIlN*>3od9ed@4{C($xpM zB{d>m|N3qyM#G~e)~KvE&{yM^e;&x2e?#nW7ua)@((}2ab7Qpdh={o(DyyT^B%M68 zvts@4mj5VWhA?vOuFjJkI~j*|YbvdN#G8D>PQ#D?`(u;8<&yTBC-2zxx8|?w0QdSb zH~z=llQ$eRvf6>U`MYy3p!4Eio~*tB&0rnQ-8GK8IHCxqKp>IhtA8fzy7=t>d*|eT zVs!-F`1C%f^z`(O zVu$pM3|jFB5`nyNiT^63gujoOh3u{iV8bPW=CfKUGtRJUZ0O-`zJ~8~#09ty^Tr_A zA}21N`OM$b3d!qY5ze`zv*VC4fhCvmu&|O!wEq*?dAN9n)vd!^5Bl@D!f1qi>gnle zNQ+J>EU{5`YSz0O=2pZRj6xM@!#T~At);<9a8ACSBoAIDhe)E+cn6d%eb<2Ux`91) z%Na`=Fll|~URqv-Z>uUp*}=tuxR0dyN(^suP^Q6g^DBbtcK@b#6mLMKA1brYl}adm zrfs%VR7YN!h?rW7!F6|NaDqOANAN_u!KBh7q`vwjz3>7=$Z#=oE$CB*Lc+>Hfj|)D z4sY5)**h554g{b2;A=#^#?TZ4Y8@sARcOLvUnUvYOU<%lj9Pv1<#K}w^OV3KYnzdJ;-$9zE*P zqXhz`D14WJwPVGuO}8j}QA)d%8$SHO*9w^*7$~r}GH~gUuc}aCf^O+weWAz5xfqC{ z^>v5i`PG^`bmr3^^j^(el=_hS|JBr`e=G>cDikQT+>Q117^A1d4v3*bVN%lN%Uz&+ZNg?+whwI$-8V ztenW&Dvn#fPP*@2Kw&ki3bPgM)O3_qA`1TnA6)#ZQa95YjjIBbEKG1Ewk|aMr%L`T za~t5|YTZyuM#@cAIB*>fUQ6>Wdc~KbpQj*-n#bnJ$YA4z#%YNk(lF>rEeKRYR@jUy z$q`o@kiPqb_rAeTV#hcyhNg)IIfOO@ubKu<#aNKXTo_z2Oq#aviHRaSC( zhIK!`ij%c%Pri;@t zVF_r`MEnPmE+$|%=+>CR`h+|&*b?*VoN#(3&Rty?ITXXL?hqhY6?Dl!E|sp6;hT*# z{8h!(1^**=dL!r-PYbY@HKqNvpISP_s!5Cu^KqN+R`X_x;g*Fni3d7#Se_IuYQqIK zCN{OI*d7EDudcRTN;EuQHG~x_cDwOgEIRYZ>2!Zjr$A>Wh3-Q5alUI&hf<@My(@5pHGk_5E za~6@!RaLz{Pa;2=hVFz@dM_7F?QX7wprX=vbH_c;l^qDbV`OptnAX8SkH& zoSY<9ReK!2^NXIiQAhb{9W}&xxfm4<6}bk+Cz@tsZ&n(8YU~h4p_Tn7!E8eH%A!G(va!fYEI?PNq%WIFQ+{N#TS8Vfe#`!B%TP(e1@s9LCnV z>h-vo)H7a=I2K8L+EEj*G9E%yrOP@Jwpja-gsGW{?V$QIz#Y=@sn4^;)X#V?cKDgk zXNEO+HlN2ecv;BS0^cJ49+YI(tgp6zRlh`q&vk3-NeG05e|`<6tkdk~C#Y?IjO67T zWc1iuU^_W5b zoh*GFR)2eGpaJ{;?&kluouB_aX#Z`MVM|I%aFZvgR4Sq;YMkfQ!Nf2>Opl*9c`|4y z>_crsyNFwXT(QqN;ib?jXy$&J*3OPLLBwyw$_!1dAKX4wFVYFm@it4pP;(l3gsP^2 z!Ofk;l2v!A#vCjPKO?l64ARYxf_)5h1rAR{``=EF10hXwr&8SBcmP;{qGqQ5xXBh6 zMp&&5a{XqdWpYjD7KSk6&@^!e8JTke+kErm>b**eTjnNK!Kvd_L&~ccOklygeu?($ zxyfLseX@xQX}(Tgy$(B@AIwN7Km)lWK@ zox7{lEDF6__U)8cb41JEtt-I3=tUiA5U2=jnhq-Rmxpm%Thxw=LP*iiQlx0m`c;+nkww5S0DbMZSQhbXjtUj>YZD>x_-^y_iPy+^I0?q zbgN-&zxulGAJvP18`y`~r<(_Vk8&Rd4^Ui1X8J2(oGYvM2SQ7>C>s=H-78f97k~Zr z+sA8ld7amco;&!Sd`|H*P6nL!lAgmFqs(qn#|HlAmJQ$IB)K?|lJrASoCFyZf*_+r z`Uq(*ueW=j;%@-}s#Li>LzlO$t-c36N5&_c{(qxd51}s+xhjB>uZG8aM-3qF4@RCpS zlar);wpxZq%O0Zx)Bub0eU2Iw&OW$wKciZ1+hDy`@@1T=MsZE}Izd&2@FO{q@_}Qc zcx}ipp%!^<+Vbx&8YfPxr_1Ne`6*sv;bN5icz*Ipcp(u6YpT zUz9yTCWW^RFDCvxBB~1`i#K#+>bBoL=8q+<`}!ql)LW@!YEV}_%%o}V(wU6Jf=g20 zw2~pCmQ!dCTAfH!*hE+Y&r3$8S|v#gDI2XKykJ}3sy(*$_HXo_rW6bJ zj>T9P6ci+MfWw|7-4Hfw;i`tPj(VV)qI{)tZu@$XYp;}?<|(USP<~Z5gfAC=n=(1m zTURt^WF!1``{iGWA&w-WK#(EpmtTgc{vdc`m=tay8h0OUX3t?ebU>oFigPxSoF@GK z{gblpvApTg@_av6>_Er#v{2aStr7c9QF$j`(naRZTWt6wKB#tj@dr6=IoHFT8J++VS zBQkZ4seIIns=ksWgTXeuP0zIU_QkpSAa=`)+m9NS=^2`~L6aX5Z<0$ZpWE#(Y6GV= z^&x6&3$0(vKi1QEcV?DwI6GlHCiwG5EEB$stWMnY!E#mJnxvg5n138XWswU9sX;DMW-S`553P0Y1fwrlt@vWMO00)=29&i&bhV{jiGWGymk zekh?gP0%b~i9!gz6bek)yVydgmy)4Gom^kJ*89Qo@n6AZ`3pH#6M^W<4CrpIxL+&9 zDrhN$r95J)xkr?_uT@zQy=j`uXAnZ4z4fN*?EzY?K{gHDb5#jixtb5+;4>C>ZqJ| zacQ4sj(ig#GmQLYdC|7UDDX(s5=7 z(cu$|Qa@`%J>Yqj-Jj^fXwb`SLm;3|#n_0Vxo7|t2Z7K|UAAbYN;3qD;_O=343Cko zD@yGNNErJyMJp39r8_z8*)QJ(?Ah6zd+N%KtEio{gqNSREG1KpM^aoyBa38Njf*8k zhf~%Jgg@OBV%@9RQl4jt2_b0f0w+?D2zdfU>T{QJ9+jMF!=+B@(yh1UTJ@4LV`gza{y32cHEsEj# zJq8(8Sdk`l)CjUPzbF#WKvZG(uJc-xxCLcD0amKe*tp-O446;^&)O@jVI` zu(9HBiJ4;O;=()x;pnK57&BMdAez)KIG{^ zOkO|?FnktEt8zYDnjI8QLJG(ppRi%2)x3s7>np%S&29PO4-3f~K%(xl@mNg1N%zP` zG|^?U*iN&L@Pc~t+D)zEd}=zymC)l^DFGi^Kiv_t=3|Os)ReD^<WFviQn-ydA84@nI$D^RUtbB2oVw@{&e_VG>(cAzw?MGftns}!% zfy2xk+;uvB=BsZt$thuB621LtoS-_$?HhLF-luwmWF|9yRuTZK-?f;RZ zu7(2~U4bZV0m?@*ZJrawT<}@^1USKnb|46j8XS-FhNFJF$)dDurB7D3?JhRIZJLZ5ivgw<-#N94N zImWf0Y}Gv7kgYsrUs?po&GkPmt-%yjE0#xIGS z=<0l~ud1d-`InJE0&-2~?*}lS#x%52j%fEoQO+T-eiyZa({_LiTw-XGQqyv3uOYI_h!CE?xRnl-WJz)f+z#Sgv@`4wMwbdT!(t(!%PWRy z52(HS)Q9$Q?x^_Q5dG|PQ|k;zmz_~_4z4tZxwjCPG7XisG}>8`&J8-`4&d|batCmH zNGNHFvNW6|BjRGOcgK&#P_blzdR7}~=J>hw0}*f~6^zXsz73#DToA1wgN^};=2_F$ z#w&ScbWWEj^@4LcTJrGXI4MJzJa&US*YX3%As63zD%&HVg3qOq1^hPik@*qb&36H* zOw1qlJgalf+ytrd_L62|r4_M*Tf8nR0m)x0d37w?a*?vwvVfuKfT9Zq*UUUINTJ&s zX>aukEok#cWaH9qx<50nPSxjjeRrL4WL`q_wCd!kE~4dAKsbL zbTIIG)R=GtNS5fb+S{|!-YncN5;w&Ht{!dlx7DqZQxxx?!19vda6jI%{CO2KQt1;J zoxxmZWftx;T*fJ%@gVNe&Q-J5^oU!Ns`-vYTqI?*#mGL8^;0$qo?Fd@ae~Q{-IUG; zX4z2C%o+tG3L5w`j&Bkmd0k@jMrKYr1d&IkYZzGW(gt!j?PDn;Y1e;T`EH(gXk_6S z|8Pp~Tv<_^t;O8;_kt)dk+Q-gxw{%3h717b(Bm%ri`|>D3FKv=V5mF6t-vEeb9A&# zmw(~$*@1X$B8#k|_vE{xhZS}5GD}bvwv?}U7LCr#JnqFy3*k)N(E6=4lAYX*+3 zX5X$qlJ=>{t`5oeCK;(6J4oNPITx$7OLMn~zMaf*9bHc1Hwbcyl3Zc*X~i@yjk-!R zmu9+Si(`HU73>21^NrOBYYqUwfe%T-Cut^1A9$+EyR9T~;k`HZgbREM{My&EJdulu zfMMau`RW-~;wbh`_Dx1co1<(ROXau7PcuedeE)KK`|4{!CRxlCRK-ZISn#vi2l>qt zBTIv>Np<{FpyM_Q^a1@}0=Yu>r7qj=q&N5;)c^)7iwu z)8TwutDQwl?`=mTtUZzj!?t=CrP-DoZ@H@Ehh^;N51NK5 zLJ2##WcI*D5C}D%KBk&5*c6KobHN9}ipGo#B3t01saaOG=G46cQeYIWsJDs z?1AtMap^A$!FJ1F34<>9DCjKV0|`mQ51Veg)oZ`&>z?5JpH1vF@<(;yzBCcqr@8f~ z@)>LuyV{7}tykS*pJZUX<`%Ra^7NHB2}-Dpa5&MoQga?XW@Os7wbW5UkK-$xMOykB zHP;+}WM6hIigOGa=j;&|pAASMTrwmOgFeD8fJJ3X#$a8VNdv=QK9^TKHh`(Z1pPE7 zqor0En2VfxPfQyFHctKAUFV=D=UQ>QAC-w{wI*%)y^9w1nT<~D+HAmwn#l>;<|?ZU z&fkJRGLZ~xMj^Q#Q9XDx#q#dl0A@Zb+g0!kBCzNA*FLF#6AG251RRKTaS6n5G39b- z5K$fN#|e(NxIv#tIJHvG$+tTA6z;0k%|1Q9X;$~iHGnAZP%h;u+pmPJ|&h5 z!4WrM?b1(ek!GCqWL;Al#$w`p(XQ;amiaon@s}Wg%y|1@PTRn~fL%RN#=ZUBJ2+R) zxU59>w(EWtTMlhf^URV86=yZR%!*qywa zpV%GGF-zpejNaZTKWgAbQU&<0KmvSM3|sP7>|*?g%IYU(wNUoyi5pG%kCE@!lE>`Kyvgv-~3_okV(ZrxZH5p(NJcBguAX$v+;24m-3 zt*#x8=E(*d1R|q_T2uIg`u0M8N`0N<$8&4&xtePkS;|M@hS%;FPG+HE4pMRH!C0lR zX^d(&kwUrFFib}LF&gk?VqN9?XUBRQdA&vZ%&cU!f)Bqca|+|F_9$c$BulLJCw-S~ zr`TGFl8@&-PkUvtoE$#yyPY;lB2Hr6K>6wEsoJb z*%2z~JjW{N8HPaLS~dOZWDGqnWSU%6?UXS{mrx7#c*md9C~z9oeA#mA2qEf-M4#}B zAJwZ|+^*#@cBO+?ud9t2TTWr#^LB9sY)j~@muN87JY^#!+7!I36#$&}9C$oDoy_39Jl1bHYrYV84GfmJsOK z_>|Dz=R%Zvh8RH&=xg+ALOyp2eu5SlChJrX+CZ-=cnUNA3C? z^LyQSk+9L_5V{il{Jq!@ANV`#P+6bJZ)&6AZfU==ycua{O7c>v;WUn#N|9iyNNHnT zodCf09&Rs`pS89gnp>i_`CCl&j((XL+?Qd05Of8LmG#u4hJ!O`SFlHYr zt5$PIrleL~PAdt#gSy`98~RW?iCHDM>#nA*9llGQEWdrcWy(mv;aS9}Q&2^i4j&V2ZXa$x7DaC@KLSQSG;O=4V0)t%(%AlE(kD~9 zb~i`}q&33_KXy_4AwqoY=iQ-cXthY+m0GL0tk`#*85x)MZ#q@MRmG<2h8b3rKQEhu zGOdfExRX}gUv)7i02|$GN`<@?AMWY-oLb`d7rBzAdWeye4TzQaoLTP(A53bZb45>1 z9C;i41UQ1m)|W7uN>B_jq9}+ASmdzY{zOJ&wN(G}nfpJ`I*`RZmyWkEUQwh3k4Q*m724Z%#EAb z-Mm?0H2nXKtf_0nUvx+BhEOu6EA~Ct(_P7|LhIq+H$vdrk;`i5;QfgxC$}7bUO%n5 z)sKMgFh+*M;L)i~5gq{3UlAJ6%=Ppk!wxth!iw<3_crzS6Mm-wj| z46IbIz18V99wxwdJtstYe8XRLIB*`K4Ei2^=566&uit>YkKXJ6br=M41t3UX~^&clJK_T}w*VdR-xSmI#Q-B=R)pF@U;LFg*A@zTThWwr z%l28)It5AP?~DO%T|5Oq)vs)f+}8Lma*g+if5Ybl=UX2?dD6}dh|N)q3FfPoYi=Uu z5tf;*dqZXS+`ilsBL81vPLPxv(Z z?b|mdep^Y;BoV?zpPLgO?*`Q*0fe_qJP~#IU>G~Ngd})1*wTb5D{rYTA8x!UeHzI0 zAFQ^`F`A#h%Wmcs8s7HTzYayBjjsA z{rT31p_$(za2^a7h8Fs+>o^^Xy&3jsjT${_m);W~{}wIerivRbN)PzKpz%WFCOA_s zqx?wdVHDHro4DFyyi8ihsix+P+4C+Ffo*T-J5r3w6zk5i#w94Gr|`-+>?Qy64kYL; z{)+pq7hKI(!9y0TF9zuZH?d16zdRh+rp*X&X2@w*!v@ z(^$0EBRen3lTHLy=lTnw7cy}M=z&~buB86RB2A>vt;-8|$ldL(1H7=?&rouo+T}&* z^R1KT^0Elrae6kZMQmL5`H)r+=Lm--3Ur!f_npbj3)t`ehJ;K4J!I-~Xhl&eANOWF za_+GD|N8LWK?eix=jXub8cfs>oezez2 zgCqk?{)edNUxaB`j1O1Nk5Emy@O#}-MN8kFW{1Ij`RUD%0BqZ!Vv6KhI!y-)?m_Vm&Hj52N4FIpK{e=>DgeZO__V=Q#*J9vGn8grX=pZTROj zJ<>V%5O+8nIC+@kkkff)>usb$dtg*XqFgAl*8X=QqecC$?|kF+X>p7@{uN!}T{2i(EA6#?a;)XPOEoObWO`qk_UCRbkB?KX9n%>j=09o*kr`G8y^PX@}2}1(vHRDMWW`+=bI_ z(H^It)1U+6wQFkR;x1dv3EroU6A?|wjvZ8%iKBWk&n9aEKjeaZ(&V8T$%IrayEJ*l zHDeGI+%|haH>^-V3iw5b&;6z_79dWfD?0zmb|js8$?`t<*@b=jwb$9uhKC-mBc7CE zYR$~r#bRkRGz}X_(~G}=!A&-bTdP^%jIE$6T{_q`(U*FMA`2sAOmGI$iIPib)}hvX zxH9b$rLUl&dD8*o6o7t>*iwlUoSw!#E=UVwbedngUl%+<%s*PB*?wCK8qz>t#O5O3 zm5Je{NXs%CO2Y>T7uV^#&RY&OJOiT`OSS_{${S6I++w~!n9RfQuYjv)LnLlgD-ItB zWHGS7AP@bF8m9I#5kp$pzEkFZaaFAD+Ar+aExdy5C8^q?%aU)L*xbEqGYkgxL?RJF zV&(H{rQw*pQW3H)Y~|$E6Zl_P(-px*09nPmm)K=bYn&4m=Q9I!yh@{lFp=|rLcu%k z7pNd2;e=NwmdK4ic1hyg+f#I@zso+EpX-NoZs)5WJza3%8tlcRdU z=58J5VM7;v*WE%u8Me0VxxD^~O!^AR)2y`t`rmkvG^QK9sleZPf|%8rmP7Bq#%jSJ z$+Pc@h$1@|^{v#)8Nh)M zowMKFMfn^#+nA(Z?Fe^qIU-5DpGa%e({d9B>4bfrP!I}U+f1mA4ZSuFo4r!ugJ!1W z#JQFRvTdkNQt~dOv8SnNMZUNB* z|Ily#RdK^z=h?~0*Lsf{-9``?>Z(#|yfk;71(;b$K#Fi3=q*^sYsHDAC~cm+_U|&+ z+h+k6aJt~9$=$T;|7}=ekdBd5aHTG7QEwUzSRqVoDo}KIY1X~pzXO$@g>2xN8REGo z(!a@`y>etVhfezH^9fq0B3<<7#oFFB9oEN>T>lXgQWyoDX^}b9{dbSOAeH<8k6MNs zE$|6e{08ZeKmo4GP%;V0>lycNxkN9rr%l_$i-8NXAAl!3u%2jFNjlkZ>oqTGNc` zdArXgl$9s!w^fOS_O(D*)6+zX=@c;G3v_KfX8Objp-XtRWZ;GzId0hp=7>C>f zCv2x~t+W+2ztqFX9gc7ZTJVxq_8sBtUF(t98mu-zZ0`MS*Vn8Ht*>LK+ElmU~^5(AoOF^a&-fa9{9r9U#|f zE5qBvPL^_3;`VxaL-}~Zv$!Y;#LA;zN2d14(S7X;2aPo#hwbOqyHs@BoKko@nPnSr zWw^2}O=U}3$fzhdhZuA~jt?dl-M?6v2|)>yhqHp76eDXjp3Yy)r9%-22_oc8<&m<= z;77@asK$3IJIiET;aGo}V@N501~5z&!9UEe09921zaIk>#Wl(^w^OM6q@QQy-|mD@ zeJ%}-0$@GCr}r7HimQ-B`8vV(_Zc1p!^-mv_7ON|yj**21sEfDjpFu+;+qvVEjODW zyyQx0XxmnLJ_#DPpS4Hb(pMKgT34GT9CV@lq#wWWcVX9EaX+-l3m*n6YO_A=Q8eHL zytv%ah##=aT{13HLrcjauUg<{*y^EidahBnfzc%u$Ng-)V`hZhh6(!93RnWuukojt z_**0$xM3y0^ajt01r2~_7N}?BUwPVXOpx6lZUL_nli>FdYP;$8{2I<)^7^pPu0Ij# zS)Q94o?R9#4hZu7z(HmT**DZL3rfqD^uW#yaH$oLx8w#7hDSrK3a3S%P)7?KWnWJV zypjO4bC@3&wn7P$I#_)FqD~p32t06lKf5oqG|?R6W!*b4&FfNewKNFESacEfNILxD z^6roX&`*v4A|HhQ5Ly!Dke_S0k*mrD4~RI!B7teSfey=0h*YjnFdAI(j_h!7L#+Wy z9F&5@sMs+gS)zTkj%IvwYDETg@pMveyXLmAn-@Gt2`3;4Y+KIAcGPi*03gzh0=2Za z=hc(97s$^hi~{I%nM&A0m2KC?W@|19*@0-8)JZmba5{!-OeRQLqq5royh1FqoMc5G zQKW&|bC z)eUQ+3!i^yY&B{!q`HJ&j4ANAY%ssCItv-<)&RQ5c0eQey-v#m`$xlj+fL3li}@dW z#j%56PS4?OVML?CSgw9Jw=*L}0uc$8r16j)a)$cQZod4>GJrmYvoeeJWF!swa%KjP zDP{$;!s_k2=2DmqWlrZn8{T|mr&Wia=FTm8JNwdpGR?trhHdG#eSHL{22c@QzhWlx zHNM&426i;>{?We1oMH7_ykC<+rl;*?jwujjGhxb7?~SYVp}>NvRyqPe%16{Cm;|+~ zEjFdokg4D&s2r$pFxsMW1mNJe$Ep%6W@`oei)4Y}N6l3fXz9|I)&uU#x`49!H_{&?CQTokq-vp51*~!Tf{}n*2tuY698=LJj$15zF zzXU#Qp!>_?aH3z27={(O(C_t}T$sW*h9Cy1JvfQ${eU~eJrm)*i$?HiW;b{$GBJq5Dz1Z9YNI-&o|xZkG`Er zM<9Bf0Om(WRaJFrId|9YgOuKvAyz4!fQJTexh(aIGWzs~r!xzF5Igx!H@MEx3+0nr zd)5k;z?K*X`vxG?$9TOjrv`v;RUx+a>Cfd=_(_DQ5Yu*Mdd}Rwny~vu2hv6XZ5OVz zYPYJ#i=8O6EQO!D%gUrR4i59YoeH1K?fxF=D(Q9PN>%BZ;+kXZ~ zC{_gPbl(7K0vXiDTN>cZBfcH1?6SEFxdX;!E%1(MAU=17ziBygZ4(knpxZnU6ZN7^ zJ~cbz@Fk_Hx9BPW6dF1kw)Fn}`+r>!iIr+BZaH{g;qOvbed^=%8{yD)12A(`cb=Jc zA7A1t0eBl_C`@CS*pAiMEZS@7!xCdm+7|RP)Hshc!9iPo7)x9YzeW<@0DO)L8gt4G zNQ4G|#ybKaN<+5o1EQ022;3PB7{I=40xOF%L-f*=^qV%+eSl=g0VQU#`kP$Gl@N=G zI$136s|e;&WnV-NtHFp@wpCECNf3zaxy1nYA&saf3p=+;P1-txtqzE)>Un6MD}^9r zUuN`$Iw#c6I5T48lY>B+5;>Tq^apF&Zcuy*1-O?Lx{|{j9ed7)Q5G|Jn&3pS)&Kgm z&6Wnqu7n&&FINM+WS-tJe5JwDL|sIJyGIcb0N_RY^`-s#a~_~CmjGCMOnf1l=y~C& z#Y7==ZpkfmzW>6mHD7LAS%^XQHlT9b+y>471`pKuPSSlf<1#jNtte#z43M_98~B#5 z!$5DRfG>!M|KP*98P{-(JK8k-eBuxQCjWGL*Ba4Bfm-6#FZf6jY-2Ysu|OBNz7IgX z6=3tfD5DPgH_{fX#a{oxj{wcw`-knmE<%4zhB5!|;4mOU#MtFv$eATk@;tn?Ed4+{fu-aF%)gyv|aY7$-I0zdY<)kzpT% z>CWQ$ha)Z=O6km!nDKHC+Li_u+2I{ECthSVpr2!_5zl~V^w=torR{m8Zh6f|pzH;2 z17@e(KcQZOCVD>54~9!YZ%>}p@M!qp6Rs}YFk6Nnr`x+M%&OEHiE8pYMy40nk;uu-fsC8va zQ2`YV9R;lmSlPlBf2Lwf#YF|k88f`Xx z=I=0r3t{8nQC`s`$6$pL2lOQl*s6VAnL1+pE&7!xf;Ks!m@#zT2`ve=mGvq9sLi2J4_lhXA?9iRSg!oLKtUZhkSm9)Uzkvwlz)8d(IxFThfptgAAs8;U zNg<{Altd>BPg)}+a~6IQ`~JIKd1Klj5WSbV?a1`fEUUSO-G-FFSXL6nmT7v;BGWWk z#P-I85kk=1S2mnTV()p+<28$L?e2h(+K=gdi0O{7t9zX1=YgZJi?`tUEkGw}Tz=A4 z_(yC4sA$_B2V&!XW{an%d&;1EyN;8Mlam7m>>psH{3%0Dn5T7@<8|B6kYCarLALjX zL|uIyzV2FKK#W6h98d{QTn0u!C7vCKMmB-ME9dE13s@ErC5{0~RO=2_cI$9sDODBjV2M9iUQCl^l|rfg$%dw5&7I|5Ce{6OE%2i;>3H|p zUUShgAn)VPVXkZp0;%^1{EF~tON`q6p;Z=>OY`+os#f}2e(w#`Oxn@|=L14={~$V4 zFmSE&>lOZlArA?rTG-t40~6I+O|3Hay7hu5me=lM#d>LX9up9M4Ad{)WG$SOXSQbf zTJ*d39UR8ty5H@&O&fcaS?7aD8q^980BgbO8bkxlG#=MR^N6blqu$&wbx>~K%qFjb zg)0gMON)x(+69A-8IMY9nC=7g5m}E0GrMuP@ap%+X~8R-3#_P<@{CO;61HA~#wnt{ zkmxdF-=n_3zRWt&EV32BJ?+%K0~huzkLkG^VP%bwj?sQ(Fcst_<@@^{Y&cE~T5~ji z0jwgo72Xo@wJ#?-hlz@Q)U;k9uZ!cGH{#Z>;fEw>h_&OpwXBF?*~}b_U{a=yxGqWX z^2wnShctGNXP`RB!6qC%eOpfo!M*_|Lr9|6VI?2|U& zI=9#=DDL)C`@#NU+33u;+shIl(>g+}vC`@D*0q^>uR6ERWHoAY3qG3?>1)W_R zlFrO{em5{+K3Q|yPvln{CoMWTFuW>!*fK=zTvF}Kb&(C$(x&7YMM7xp=ZErJnEKI) z=>z4_%>u(JL(-OLEDi4ot-xSEaKf)e-qqk~!wtj}htYIRzzn~CbQ_)jX?YB7G=6I8 zfjgE>((iuGi)dz%8GbPQPDpY2+Q!>S_5xng+GYI6@pM~+dGXi=LSxHT4TM7X5@J%6 zzMBowy4L-g>rdc`L1!II9Drt)o^q7`yp{A_y^l3;x;pct2wSue758{t%vyUX+gTq3)WW{@v1WC;rn-6_th z&&<-z=`W7AWflYH6<6DBYh3w5mGc`g$h7OvHn0CFjr}QR7~8?{q0{3PP15#)7~cU% z<-^8;+}c-@zOCtAx)zd#uZ2xmYdlqTv$X)0bqk`eF!n!n-ZW5!8j9&(07A(<5bi*^ zMW&~Y%B>8n1qhWm7NCcc?ikfJ`v3E2`B=huEqGQ7Mun-2$V|iZKvoG62{=6uK-O6$ zo0-Kh6i2V0HA_CQm&EP3Vtq)lH)TWEn=^`4qj!DfB{+51;7V1+H-8+L_fxw-k`Nd7 zxx0u!_T@IZA~X;sm!I10*kZP4|gs04|`L zcDG8E83|wQZ@(BicrLhVeQ0R#n{kveYKnXq@O@otyQ;4{sFZO*sEIc+Bxk%__7EF( zX7(*|?vk^tkLzZ1@7XEN;LTC_h%AA*8`k0ov5mDBTa!)0TvYx!lP^yp5vU{<{T7Q`L29U8RO&|#hH4L6G>G{ka~1Y#mh5ghv$R{#pqS# zQqw=CDi0hVoiyf@uUrtGt#U4dr8o74PNTUavmFStn4BHUX^rX@_0H|IHF0~vBN)x5 zKzs0_ll1|_0GE_fG{(3wI?+0{#VqF5?2~tnpUALtJy?=*8USPtrMXJs znYkH2ekx-N6*_Zn!Bd?fC!nW*XdFD{=G{9>{f}-}Yn5welJ6Umh)LX%Z1;iw;ULr1 zspF=hwqWv&QAQ5!zr3UR!g+(c8=WmSI}_I*Ih`4}*=7W_zf3rbobIY8hsnn{E^y?K zQ|N0fa5`J1Gze8NjGx6_EPI%>Bs^OsS2-bJCF)@rhPlR{0R9h-Xq!gqv(MA{gyRBlwDq#!XT z7H-+v6(JJI*g11!GSOuvD{EnRHe?h6%UvQk5+=SD=G1;@Cb#gOLr?PiM=sJcVVgG< zT^&7n$8}GUTv8*T?m{oSQDe7lRabwP5*VUN{GF_i`~*_o#+_H(O9yWvcSSFiGC8ua z=)HMbU68yRw+@D1487Fh-}z%?K(efT{P=NDt8d5B+IWS!0UCs;SoY(1UJFgeFnE}m z)y9d*roM>YU9ji;S&nS@GFoj>cZ~p;G!c!DoK6>p-DrSsUwzUd>IQ8L7d)LRFJ*de zpX2o^Yh;osBh!uru5l{xxH*GxF8C}ERhPjN=r`X1$CUv#&4}3ouJ(|~Za9UMUf+`B z#`iOy#`>YshdNVWU>AnXIvVNo166wJG4idx}0HSOZdI#KnlPOiO z+;ysQC+*q0u==f3G0ir*FY!{AgdNEwT@v5O9JwF2jC?q_R)8)gZweWIQjS~A(A*mP zO??Ogs$B{>cwdVAMiSo**0NkhROq~9%aZk$7gXhyFlUO%_Yv#E-qxJak7mCrT~ra` z8|2aiuDf=A za0_DmJ2>OPqp6{x&uUJXC7U@b{3Mf;UMIIroY=gN)gbsQ%#*8*%D^k@Yw_`}e1Wuq z{b}eG>8V?%EN1pmd`}vsWa(-GB?pk`L*Wvi*LsCCqDdt}7(2Ar)zqALRwJQ{YuG(& z7~2>0I|&yZdFUJ5uACg6iU<98N+~h!rkB632T)P&I+gy-#1`n^f;Vi~@C^7`0Gln~ zYXRA8ft`rVMVJ5ZNbUyChOp*L!r23-Hrp^2JQ;19S$>m1{GxvVm<#U{1Zo65^ubdL z@rP_3io!I|)O%@{lqW@&MiHp;SuLeYY4_m~V0uY1I9Oqtg*sUp9Iespw}e|9Ni1bkB**75*i?*AcgRgQddiquuW)W|e~x zIwx+_ygjM*gr)FL3Fdcq30=Z2K+K<=-q4fpH{C{t3QVI?L!`!BhzSya#+E(<&45|P zic=<@U9F*(eF6MI_ZM9OT++ixaHA9a>}+kwy*H08kAxtiM`mNgoZzdvOv2uFRtrNL zQYl};TUWzvA#4- z*M*l9+Ou)=`O{TgVTcI3iw+7=jcɿx6QQf3m*M8`#w&4A6El+Kx@!K-f(D8z9i_Z6k&_cOU75(gg82XMeLPmbuytn&p*XQUv%c%NQHIh?ncB12! zIrj>DX9DM890)|T-MI=i@lEgm#uUzx&IEGFp)*1%=n4uTUO-EdFDYNAD!!Q=SB`|m zEY&v$g#K1A>LfbSVbe5IQW@t?oAjA^>ZLSfM~O{<%)oVeV*0@a&1ItUcXg+t9; zE+8{iuk~TXwC8N~Nc+Z-;1ORgQbFyEQF6yoJIjZ1LK2Z@m$>$-x(p^H^3N!pXUBrb z-4IUOHq&tC83dUYZjflHWi9ZiPCL7yp0ICF7+7m=W!0S1;t%Co6alZW3dd%a5Xt37`CfTl)7@l3mBg&W$nq?gBedx^6Lz zz&XhZTPJRInefaz<%|)A^pJd=N?$JqVHKRcg4|%fuf218xSP%OcEUW2@zOkwaSAH& ze$MSXconj#2HNb`5@Z-L-Tdp89R#w70fYqocX^`FdFQK&V}q6SQa;-9f`4pN!4SG% zQ*5Ze*SC`>E%A7cCXQ6P=abo7ymNLv@ADH2J^Tpdv@Crclg}c8V;I*V+d;4}E*vf% zV7MUo3&jt-8p`ucXY2ehL$e9}&o8kL;4 zT^3GT^wdky@*w1mYAnK8bhwBN3>`BenKVDJ2DRbo!NJPj7lD{r-EN+F(`gMci)>^; zs2y-mWEZ^nA=Q`zI-#65Q_NR5qC$CMe+QtILi$<{=dJp0mGrUI%Qem5UG*(9CD=cb#%@woXdcPnQas208jQ*Yphr zjZ{m&s~#NlO+9={bvh-<)M;(*jr8^h?LxbjG`w@~oIM ztQA;CG47n9)8?T(tPn~?6Qhgx`DKKN*;lQYt1*)ey`c=QQTr6ZfZ$I-b&GcX1;aw=!~;noiw=P5dDj{ zy)S-wo+_q;g_Cl>=4=^`Au%Vi!-5T|g#QA%aZ{$C}ps*h_fkE)O;Xo)w z&@ul~fpFu4G4Joeb@v~$bNzbRS4HmNp6GYkC;y5YvF;FLfz!_W(aNq_uxIAtbqqpz z(4%*kjyS&D{hih-7)%T-vS8s4q0>+`bSx?+3_N(pz8zgPQD!<*4K$EmkdJ3Y?T-=P-z*g6p%w;hEaWZIpr`+Ar$->`)aA8!+#B)5=(G!vNUA!OdU!!Vo zr(3Zb{s?X<2B3O==_|N)A@yb*egW%|?!o-_d|!tIuV|ls4k5LeF;h?_)f;hy*UZ^s z>|AQV%{+U|Gs8y{?L?$9jR>RA)%D@Wn+vn< z&1ky#rFgY+npoh@M!FF#Y$?Xg+)IC?uy`&fm^9O5C^^(=2UYH>hH#5Ty2V(pjDQF> z&o7%fL^KjjWwN$!(k4hTlfWa@ABtaH)3bxNeA`iZktH)hUi6gC@fP=OsXOa`T1voD zxJ5j7%w#ASB3mfE>AHpPY(JFg2=2M;i}ht4z~_iznE2A)Id+?RaYo(cqM^FgF!Jzk?YhcqCj~ij!CaZSbW}UW!&@B92X!$kCam>Je zZw?OtKQ@y?Lm55(qOL1yBiQwfpx08@W8I1=etuDHIb}<${Y{mKJp_=KncV&H=G^^A zVxA6n6}UxL%@!-W$DbCTPT~(b)wK4>Z_VL5?|TpeH=;3}RReq2r9eo60-eqN1CApZ zva(C1u)J>hYD4|;(O?)j@=^QPmw4!@u@G z{5R{6|1{@OL(%142nTrc=G`pPs*eXEPc2bV8Nf8cukkH(b%NLMcWYQ!+1v~s6b_*Wq0gg#r>sIo+` zNVEA(V6)oKX~)0$g^Z0{KNl+6C%bj3tS8y9H_PA{$-rC8?k@xXmf3HjDmPr&JD-O7 zJ09>iYw!>Jf_J@erc{5vYn)XHHW(~6a=y#Vh62K_{+x}NmBG~7>6FM7R|}#4JYjBW K#yH}7?Y{usf8yu> literal 0 HcmV?d00001 diff --git a/clients/cascades-tucson/docs/servers/fax-packetdial-whitelabel/Screenshot 2026-04-24 120020.png b/clients/cascades-tucson/docs/servers/fax-packetdial-whitelabel/Screenshot 2026-04-24 120020.png new file mode 100644 index 0000000000000000000000000000000000000000..f92f77265a1469d4f19784e163c6f90145821262 GIT binary patch literal 29890 zcmeFZ3s_R=+b@ir%gh?5tUQg=l+!`Y%5%z;QTAsUR6;R?FcWV;(rG@fxJqjXp8H#{E zR)ie!I06DyXKK#}uLS;H8*$K}=$c zsSJN~Wv>@n{N~BZHM-L)Z*Sb6XteKT#~<=F$1neIX6r@7nLpQZhi<${4+*Uf3-&*b zU$bfx>*&j%-3`k!$BT5X`fhxhtP{L3n6a@f=YjQ?@A?iV{px;nY}1%+G}w}aJk26?aSLY)-BhR{IYx*dg;uSUj{ZTeb8CM)6#tSQ|o_&n>2?t z1`@lEgOXrTadG)Jzu7xFx)&VJ%r99mErVzH-+BOjUL}wFs|qE32l(l zHCF~Nj^ueOB-^vS+vkw}zf&}!r4$)AYo*owb7WZ&bA3=>n^ zSh6h6)LDO^M_(HO-RT*+?FB2XSO0Ui;$&}!_kl|SQ&fi00bzKDVL=rl3p1KieCxR^ zcO8t~AE~ZZ#gMj}{hqNq?0P>4WEUs}2Bz=9t5>he5s=UUx_6{-7yCR@ziPB*eZ0^s z&N!O`AMWxXAWE{kJS%`9OVNzVmLGLyHkk7Q9#)sCm{-5LCvm7QqYYZ1{kFhRHQ#(T z*zcV3n)_F}<9*w;S9CjVx(-gbG4qP z&4o!QXO~jIW}3GG=8&|~f$aE#K2}^}e{>2%t#9nL5_VvU(V~qRTA-wnO~4f|^+(s8 z=>FllNsA&1V$Se*U!8NgYYMQwBY+h(o1VDU1G{gGQog@w{|qI4I=z*AP19=QN_kx4 zX#*`##>cW!|Lp_G$4yRp9X#&g(f$aNT4P*)xgkH_Sv1ttzP0{7p&mYN)l=A-pMT{P zqJ#z;@3svQE1ig#-qi0prqEp z9hZQ{g@xvEb$n2RV&C$|nO!Gq?Vr)V+it`tMFB0(JF4lHiymto%E!45Q3Bkd!(ERf z)4Uaszw$M`w%cU)a!`betzF@EvWL-L9V>U(smCGjXux9{+wEWqQKdx8wRK^Xdt{I< zm*nSf$G2^Re*s4Rmvbmynttmqd99p5oyf(`12NN+^DKETZzvc8F>pWe`8Wl8O4t+ zo^?2_lyCJ`AP`wXpYTq6M#Z77UE=kRN#l`)QR_jVFGCwN25RT%7$4~vgPVwX;nBi+ zm;*yRQBasO4f*23mKQ_;&y*T_n7#(sgXTCi09>Rw{?|CUplDTXg3tl6LUYR`Nc=<* z(xYHYr)DI8<3GDtUpyPG8CcDsM``{4l;i!kb;OsCnc<6Ts>S2u`w;8O%gf);Of^3j zKG%^VhkDW;aEa#yO82rt%cXu$v;rP`W|h>Qeh|tv(HDBY}MP!!BX(bSYFDb1E$NFi znpNb``c9KQ@F)559OYAv!_rq3?0;H{(TapZuY4agQ=ub)k3PTPDVY4#dT8l8F9rFS zXQ#e*8Q~1XTZDv!lvGEn{5bOJWty`u<2#qny!`Wnll5f?Kfk-X`}4QeJ($q!)DfXS zM|g&A7n09x`@Cdf5p|cfc~5aGKf;!Mb(zC0E#aW40_zA9y>MjrnfuN$jV?n=r4h52 zb$G2UtzW8NEAO+umAwRC)&;Ik{)nrW4YA!9kA1uT{j2Qe#_z*T9>VO7FID&*`MbK* z4A2p8JnHK-2R5wxZOvdy^3)*N zAE{%htkS>TG*Q0TJ%Of85pkD5hCsx)dZajBrq}WM#w11uwC`i8@$89MiCD08v9~E6 zTbD56wx%*`xaKt?lhj6FN1@U5K1v}_Qr%~;vj$UYj&k+)#;Y8;h%12p-c-4 zZ}+CFQ?jyN`r!$yC7vl#!<$@W{N>pc;^MoBUg#ul&>gJKOsy}TDU5jUk=ydLB=K;< zEX+i=Y0gn?HUF;ZI&@apG!GwC&kma;y9*h~NbJbo7F~=CUGAb4k+ec;_$WW<^uPuc zZdA1$6y(47s%c&_h-r$BS=gWep6h^izKs&LjPd5m7mZwI%w%!;btX3%)TxXKC&5>p zK@wC=3ibI2p8teSRWF*TGY55@mDLm3md-k|#cC5bcaYuwZ%sCfNL}!n0($bL4pjNV zCsi=V7w8TSAAg>>nBZH~6ajNIX`yHbM@xC>i{;DEB_lL7Z2{ioz*8Fuz6+;CSxL4} z_YGyH#$(5g22B=t>hEduQ_g1d@3@Oc{FXIqZK^|^3A<^3!*M)!saGjZ*F#k86mh9? z4!G;$MPEom>_U@ORHljf)bD*3R|IIRjF{j(+vU^vBf?mM2QLsNlqOi$*tuMuQKG^e z3zn=J_=PvS*JAu0;IL{$p(#q2OMpA=kW5ccA0#6_jRtVf$6pmuJZtScof6^LAr*EY zG*~q@|0W`G(94bzkxiV4d^G5B_qYDjjXUdwLdvYF*INPS{`4R!MRT?)e6Td@*kx60~+ zlcS?54S%VR8&>F&Q>>P@MVrJ8>=-PP#m%IHGvbE26x#Z&V@wZrt+wq=#gsk~`*#OL zY+^Rm{SP_?zl`{F~{JTY)v;FMflKA|UD9GUp&c{nd-c?4*M zboIM}d%=@WFEPz;59|m5fi9n47ghh-F|~4f*7749s&0#zd)F(*u8_~q8JO%qiIg!z z8H(@^7D3=N$x5`dV}pp808>U?`Mk(Zgx5(Fjx94y3)mC&AUlwAD`xPsL3-?w?Xnf` z_^_3ME3JYn3JHm?+~u|0*WBpULzrwoe5v0vL$sv}7_ z`=gh~y$}+=ZgSN8{{60dGR|_!E6Enq9lgD_ft=h#KBDsR-gmvnua)ouNP+5B@b><% z8EVt2t|HyRmN()f@$(%D?OcN3Q(~mF!trTs)vo4@i*}F~mg$?hsY(=+HZ3m9&woxN z6OnHvwf)~Mwt6<$Bf_Pb>R#CfbuBXS(rkwME4X0Y>1bbuCX)yq2921MFyCdQ4q+=8s4L(}!Hk3Q8j6`^k zv{gAtt%BpfJl^};cH3G)00b|<4BQY0E8E-U^*jco&X`(K*tGaq8vi{R`6NDf_7N!F z#|ARx(>N;yDrFhpuAidoJW*Y8gR!KDrPi1erJTu)MZ2=6Z_TVs24oW1gGwo?I z@xANe^2OuSoNq29uKiwMo=xXxcj$D>M6;QRTY**|YT1m_8ETL@2{|_1ruHD$cZRM- zes}Rc#GnEB1j(x|bprN6hh|7q0Zg%)sY?&!CQY|5u^HjaMAY!JCNJX$u<$L5Fi_Ln->tO6xrY9;VSM4pOz{j^Aqm13GL z`uDE4-`hYBHU3I$NoPbf(eS5Fw}eH1=g1r@svGies;u*v3>uYAdz~ria*SS#D%=9g zxHg5m7uvlKaP!wTHPvYSX?{bssU31Z#ooegFHV14MAqgz_Sc_(%zzSgKDwAzS*{dY z4}w9>&YWKBex4iqQ)-ZpY;)M(9~$dPf#T#T{iA=#bkCdFl6#N*{tP$Ku(z>3;kol~ z2kGBADQ5M6CmF}j--+Ow=Q1yY6ot(TCu(RDhkp;fZ``Wb&HU4uAGtyXYPKraaTrfJ znMA83S)858nDywogy$8_;Q5M<5MJH#>+&8C$?7OX;JUwu_!69XEyHwf;#SG2g3FVG zo(TsM6sT~|Z$r4_fZ`_ll*AXtj_h!|aadFBTyb-FY<-QjWv~-&t{eJjUohS~L8={i z-=^9%(&V1^(1Kc($}GFkphkngrwyZ|->dXn|tg zL`rGYt;|)s)2)B1g%Zr)$q{h8#`Pe)aj-I|CI68;v9n}R&$NnddOLcJ?ILPH-1?xu zI#AE6T=l3Y%{q5CN&%%Cm!3L4^MNXeTBE`nF(9lJ!)@f6@;&?yl0ynv3S(CC_sI92J&KUBkarJ?|-2$ zmQtVlLmy^%dvksCdV9)Hnb%bK+S}?0J>=^?L71r2D-uD9ggiH9FiZAs3iN?XQDPfC})4P!X(HZ2B#N0Scgo$OVcmLN{ODmRazrM-v~W z5)&pv*Z5eb%Cq+dVCl3Bs=(^3;v>BLCMjD0X>Byx=pA)sjp@+EPif1;}-bPHAemeFK3&uEf! z2VEBnn(||`B7RxIcE^hVFmc?b9D1D#USp|#Sl_CAHzIzm>aAphxfsljSm6(igGFGy zMHY8a)K(%|>>KjD-6SVtw>!_qo2*mMHmSs+wxHF=mtf%RrC^RXrGvFPJT(78j|#2d zMAh!s?Oke3$!xK0O0Ak1-%SWy8aCqf1>F?O#VR4?mC?Y7Di&MK)Hb{wFKx7J80kcw zD!AdKiIjbxWF~%oJ&}T)^&Zq;l&H5G(-O>qNcpIp{o2ajJ-2~>FWu0Czwi>p=7Yas zmG4_M%gV$<1}3;p+!c~qU9qLk?1Y)~wtjWJ$+{-x4Z(({uLVt;7w-{cug!7= z({9)wHV^!DbV#ziW{#cUaxlEVmv$SGFa*f-N0^1=PjIE zHtQ1emtS&7f5L9S0~H%-e8)OVY`cCka&Zitm7^80;@|Ld#(#{cFJ9TRS_W)`+zUWk zMCQmu7-t3O>YW*#iSOAsP=Q_@Y694JIqPfxLM)jVp_6kHKkDDkO`PP1vRShiR)XqB zNO=(d7VFT7M$rDpnU9wC#s3b1Z>MZtn4YewL%g>Uy7hKJG{7{BVAKtts9=AlU{DCu z`_9M4Lyv~=pUTTF`{&eb0VUZRVFrwkt^uHiPl)b&P#{&%2f*DS0k_b^H@auz3cdT| z)9|Z7L5a&|jDatiUL8DY)72{Nb!L&G-7j{6njilCvhf*Fwh^K1hg}60(y8z2bnVF6 z7!YV{rA#^=AUM;PSk+dXRW0w>iy_d7DF4%b-Y@Q@grN`^=49J=Nu?+K9fHJMu=!Mb z9ExzjR%`%5yh=}axn^K69Xn^Lf1VUn zBVSDC|J5rG?#vTeWsmu7JD7M_MpA~MFcg@Kg_BUMs7y|^+`hW;TyCOM`8372L@i=% zW*1hr;~USFutqtNZbRvxz)oc!P~+DsH?!|c!Iu#B7!qYlkE`{=&IscD_>bn0M^Tom z${J>K+C14_FA5IK+-I)z3>)V#{Xigvdqax5n)@4d%Xn6x*=U;)yn_9rAOqru))rOM zryjvG<$ymOvMsM$Ijn*zf|fhpV%>Y$IJqZfPx4H@rc|? z!_>szFdou3|sb=brPJ=y@D(gd-?l_ zS|Z;$P?btA3Mar|-|IPG>wXZ4IbIhd@td8!RkB_;VSH$?6bMLtfc3#-uGRB)=KP>p ziwn@>;f*7s5mO$yOup8J^HQbhbWP@FBDkLWJ;6E$Auuk%_{+B9Gx5{T&pf3nOxCpx zci>)0Bj42_e{Sp}HclWhXYY4G>N6_39MGn@qi*b1cv7`LCKI`Rw8UmHF$qx@F_=&% z&UCWmEsk?rM&A3hq?*k7eyf$!{FT`S@az=;q;UE^oEl}-FtL)MT`N#@M4^*zZ6@lb za$1_@M^86gK2f`yDeiWuJMTdxDK04U#>GQf1WXAF%R%A$*=)Z;v*P+#WA~{UIj*h8 zBK=zxecm>%Dc4tt$mXI35$mXQ_Nkqx^s^PjooZA+-QwtkEuAXc&DQVjxmrNa{l|UA zxySYwp>I1PvFBqaGMzUk%34j%;;Jpc~sS<;5YOGaZVeI3T zLG@*UbV*A!WJeC6wLV2Dyic>e@J=2d;2MtMGM!9Bao?&iSK;^r?S4$>!skH8LCHUq%5`({-$UYVCn+WX>pt1%e^|fl54My~ zf6|LOlua``X`<#8db4cGZ0-togu4#{bKv?4sS{Iw?p#GvkMntn9ggZ1@6&MR=iX6^ zU)@OdIF46*d!N!J$JyB4+PZXV)?%_{lj5~Uu0;w%HD2E`Re}nslW(iN%~137Q-pvK zzI4;pdi$cW&0WkS+Wxk^yvMm5((#FuK8HdLbDnrXD;j^ly71k;N$TNZdiN>2V#P?| z<$nL;qWFhWRS(k{BAOTFC~(kRr6L(HvrC)mW*R;yR^G3+;#*jbnAnk&MQf<;YNP)^%v_I-a>PD$nNlQZ|Y-^03sr3u4hzbuk8g7_JI2EyNPco zaIx2!0DpG2RPTUlB`X8D4fN9AJMdm^oTQ;A`a$h&ICKAGycP&Zhq>-yoj)pzfCwHyMQ=>#@E$~3%y%#q{tdqiY7#d?@?1y1tAc{q~V<7_^KRGhE;EoR6; zxGaeU+_&}9rwcKTJ@AjycJ*{eMIN2?>XW?x4ED>mTBM*R{JHbFs+~sgjyjD09*L}S zWzx>~tE8}f@|#yH#9`)*&!yqx`uY!3Lr8wf^0*>?!*x)S;$mMQla2o4^JE4Fd5FB2 zrvs6VJmLUbzLbr{^T-!9j2_Z$1Jo$F6waxk)kkNujOhT-alk$Tdb3);3nu=QHq}w4 zSa{+1hE)ko2ww_+OO51IAnCjSMn!%!?ApPX;i4cpU8 zI&gX3qhEld2XMe>9-mXwcrMa~%J zLZqr}fs%jbxq)|qn+j!p){pI@4T4NIo=^%19)!)F2TSD6zcpld(9Q9d_@eh^uv}J= zTPExZEdV3py-}X4aQ1m0Q%75#BraAwI52s0*MjWak!4p|6Z~h)e zG)2iLm9ckubvt2UwTKQ*Bncxt-~(j>!6W-Oe;>FMo@d2ANs2~^>$eyl7>(5mGPydx zO==aJuC#c5bnr(r_7=c-BFsnHWR3(c%xOX+a@>BHb;j#OC&|+(gPDhc)_TPU`}*s@ z*?-`jqy)aVy_a0KzcbxnM5!Fz*PA;n$1$h2$?+j+ygqAYG!E+d+rjgMvZz2eQbmCO z9v|;~+v%R=&G)6Mj0$!UYRsSgkj)R_iV2OQGXHKetD!ymR2<$eN>cM;9=o!uF$b{~ z)c|@K<*CgR*5!HJnlpuo{rlb&;tMZ3-@PP=>3BN(L6+I31^G9;|_o!JM*_2W+rUK^YNC750B*z&&dVUF-ru zYxvELQAZxZ8Kh$vjH>F*HJtvR=52@Fo$u}pN4aGNzq|G~bo|sdSZ>PEPah`2)2Dxo z9*gxJkCd`Dn65uvqEDfh_fEasTl8wA546#NO?5#8-xABaJ6v}HTa+D*$HT8RHozz2 z8X1Pd$P;mixrqc7Axo)bwbLi%y{s{Vr$nS4UyiPQXrG}EB1_tvozQ0=!Nr_Z?Sd`J zt|NFz!0oQ!jG;eZhVQ1XWK*7^$Bw}a5AtJz^{3iUx$la^)t_Mxxo&R*dvM z+o%NVwhnC&${^lpJ2BMXo%o;|;p1nB6gf1$=_@$FKu|jo-S7&IxU(=8pDoQzguvhV zkxQdAeQtnFiH|$-3a?!N`56+x;`AQ70!Nv+CTuWrn<##Da$wu7PTX?{8qS~EQoBXC zQzxz4-1>5V-6&yNyt}Om2hS1)v&*KIfmESgGa%KKZt!;McoMFagfodxz2Z-MApEiti{8nF98l2R=^g93@&5YZ0kAf6spB!hyf@J49EFYnUr z%beL;xKE?ZDa!kgYl-2fprJf31Scme<1sLAyyAbJ#-TEtGHT3?EVpxr!vL6~y|kW> z22!*eq_xK+#{w%XY!iRxIWh4b><^n&k*L$5?%AWAC*dw;38!b?lcGnIs3BKt5{~pM z4)Y`c`^W%wh2RCopE$#sWNwuQ(LR!GAN)7z z^!IT0q2ywC?eiL08T^jgLS#ThHr)>Z=S-(F5^NR%K?BsYHyrozEiBi!1vDQxEuf_9 zf59z6_B3Ai{p^=}H5Wi{n}=B@$IHv|p@%KsX;toXCiAPDs@#%HtZ zyQK^MXB<%Mq3m0l@E7L+irBb>T6=&F4L7bh{3d#J^Qa~j4xoIDWG#@#!mwx4-iGOW zv>$*UveWhCHnBnT{Crii7>Hm`4gEv(_;>joI|_@7%REeZSBRge@}(*nZn+V^e2EY< z!qEZ+-C-IWV;TSylq8356vB2#Cnx-dE_x5MtFNidSa70^{z7r>UNi~$YqyoV3KxxG zS}`%*i-l1o52LDR3n^i6#}p2Qc2vgWgNGO&XqW{^ zb<7nSOp&EYYcnmCH-R5CM+qmtnut78IT~_IT%rrZj;`+&Dp3g4?;T2&aVy7a^w6kp z4B{Pw(;Jp;lf3chM2w2s8#WR!{$RI28&ucY$PQ%`Ibks4xx0~|E}L1b?ccUW6#S_D z=8||9AP5khe;PxuB2ma&Mz^9ixI;peb#H_x2nc9Lbw8!81A!qPq{v8hWGS}WoNdf? zLusW}sxT#sSN{N;FsTUc2v7Crs61)z&3^k@{Q1g@TRr^&-lw~1glvZJWv4pEDv(LnAeXM z#@NQL24&o8Zamr$3(sR6)L@gpFNvG zlci(c7N!ycpjX}Lp744EF29C&PHz_hm(0t<&DAf6SRtnnk61V;I$P-`*;!D9s-m>v z8sTh0a;gbt-_ka{HPd+uA+S;TyCAM{Lnio|{Zgq0ML0b9_ei-!o9m@Ihy%!_wudrd zZCE-DF{YvvCGvk8drz9_{Fn_OcVw@F(5s$scX{ydh;!a0{_dO-E;FAMi6+y5oSi>D zs)^BLb z-q=p_Z5QyvZJCm@wNChZZbNBjw?7@3RJ3#|jniN$J+nMI~k@h^QAhD z2PhAgYwKd4wl)Z1^EBmP)1ku^uZoebHd}_cGPQE zb_narBheK4#zTBtKG-Kqk8bh;;e`D1*wJb9c}+?U?NE5nf&;th4wFM2+JLY0&o$WV z)I|uuTqT~(KUnJw;^@`seyRWB{{#^jblPb(H$eQ|zJ=Ia8tviiswz)Hlgxwfi<_js zlN^jG!da0obp&8Y7!1Crm`fA-5*lN8yFVME7_G5F27o;@$hQHhCivixZsLK%6V;ii zsm9k21yJIwfz2g&lk?Zqk~O+c^C#-$IR&kqwh%XTYSGx@DXyH6I~{_oEWvvxhG$k( zW>01=)q8F-#$y@-ntV@`4o1Iv0 zqHThm$Qmq7HPLBOuQt&snSYwvqCtoBX#>{>72M*-(haNes#hp37&)q>@QrF^vCJU^ zr8u8`%PanE6{4z|&a`FskjCGYY0a0ZJgn&rF#5igoxwl+(VqgGDqqB#8DBBtBcNiIVb*Ngr z*m0O8e9tVbIzRXrAaE3;g+_y2+>*^e;?6T!pqg-PQ7cp?8?X}}!Rv*L5^Z$jz}(;` z2Gu;EA=Z>{6cg6PE@tLY6ie{@Z-(*j#K#d3xHWNgy`TT-O478E%=E5_9+U57Rn;X& z>?wNH+ea#$Fr@b!t&H~In`pT3ud2`MzoTF5Ft{N#=!eDWRU_QvH_&aTMKM>I!o@d@y8?`F397K|VKt?-pBHcy~Iuz>8o5m1c;mPvegorw8nq9WB~t;qs_EpI$pH}r|I zu0%dBOewGkTyJJ((b|{JWIQir7kkC0^Xe#M0tLF9s$_lqZHju9L&iiaz+78`DDHSixDf*p=b!cYbWUa=c0bCZE?## zL_2K!F?}0c50wcnFGc0PI*FlrklLxaW%8-A5npekmZ5GpCC{^#Qj@UW&$+g(s*;>B z$5*Bmv}zZ}hs1UnF*b-_ZYYVHeK67CU$O}x)p1*kYQcLoU@w2=mlIe8a>zQUipLN} zH3DEVg~B8~j2E3&N&d?@z;= zE)Nr4cxWX|4Yq|)w>ryS$<{HjT}6Ye5Z-srY7}&9F-rC7RxNAa5y4EHR0xG)+^xZ> zkz%;1EwVGtHwWSr$bV_Qs+U5B^z}BN{Kl*he-S(sT0x%xR@dl0%B!dK(U#8Lw7TB3 z-mxFahZ5i0+dL>vJ^#773ny!k%MlklVqsza1*$@1D~*V)q8Psd_VG?=TO(u@BvHNp zKLRn6i%w!`e~Vw9^Q(0)AY2+}NUG(*!_L4h^H8*ESSB9&Wa~4)ABG4yR1D=>7=kJ@ zoXRjlU0tvt1^Bh4$g+`90|n@zpZh-4rW&hjm%ZU60ZB-b~Cs6s#tv>p>#slp8%TO!lHe#2L2V zJfbjA@%FT*8^v*4S}CD0046H1fULI!pz9W4)0bDR_*$M}R}o6|=C4PD#+F|Mw08^Z zjQ}_CCHiSkE}V#XFRI*YdsODcf53 zTilNCMl3p1V^2%3xde}&u}^#iaK~&}*~+K1Xm;1;<2{N_{p_$da_T1Wy2qRk*HJ~% zT=+dV41W@c02-<-ZBHYBgqRPr){|h#X0eU;D7|nT0y7V%xG!>Vl4cQJ#WdajR9gvX z6I8#t(5-v0Rf%8A1)Bqv$DkVnm2c4H5dVXtaveo)Uda(YhnGkp|GZ$&@u@utecQ2V z-PEJ8ls4UD%u^Z$rNYTEQ@KjFp`0-nhBJWm>F%I^;S7f$pjSBT+;_=O`9K)km)rG# zbqvU-jj7u9b{gR1rBmQK`wP}~sh0zsaQ)`$B`z^ai3SY4vC|FYcK z>l@wuzgMa?hXAxy#fYxa-10-3-9kj{Kl>2mWU#`yYLljHE8{=j+}t>OLnRW0#woGBk zZT^ICe2NfpuX*N z$7prMZHeZ7zwB+i5x-~E80K{x6k0-a>{cn=+E}Or&Dmz>z7Z97HZdVM|#xu~5&-HkS9XP_M-(9soOqo&af3pKkEqdcJ4(+-IQ3;dl(lD%jVw-8C+ zl&!cEsk+^9{lrLHXAzM@F8t5*jLNHflS=*qRCKtv5Lt4IwTa;q&dkr|S5br>@@PNn zFo2PyFPrhW*=t1&jtH$PrJeB&0dmoW0siNHqQ8{v{N8frz~iV=TO_<6Ypa?g=u%VUBI;M~yw2)7VjfYNF% zJPzm~e!ku3{wTh*i-fqCbuDbBy%z`(Bcnr->-$_h7tT?vl&rHmYY6g5%_+OK za~fxagXN4p$p?~WUqqEgwza)(GkYce-g*vnuNR(NRok*4)YIiN_SpToZQ}sC7i;Fa zhfOvop%~X!zcYj>PMYK*7`mY5hRXi{M810?UU|#e4Qp5KCb5nj8s$9U-8*(N;YK?G8%K)93wO7OPtyB_ues6Rip0cEO~)l1xHybtsGXDu zOfG@$Fi+b9>QoRKecC@An3rc~wjZ2X3^IshQ%J9UD}Sj(76!z3DwS>5j zMtoBT_EA(|Gv`&J^LsJIF}3G9w)yV$TUy~e1C*)k^X~18V&NU zv2TQP)HB{4XHS*j^8F|ao(9kp>=WzB)Q)0kX%*)$eedXlg${(oMYW=^KuaEUHd6DrQ%ct#v^|zpa#> zRUY+@tNujdQJMP9(i~QKw0HVrM~Nm0F#7ycEzS-~O+gR=C1H#kJ95&2NW|Wi&f+Lk zb^$J*f;b@9rMlW(DE4oGkrD2WGz76+l~)ozVH}@@iKN>_8@WWHx7jNnV#^FgoV#-Df^fIWv?)9^5`xcrr zjL{n)HmJ`)I2P>w1OJ;NKuLM*?dPe?LsAtLu%4C1$<^J@|812l@07ioq$-ORv8~-yQ9#^L!J*!-@M!8kr}21?#P{TU_^-MRRlfz2DwGhg!vj(Thb7cr#G^XdOZK0{Q)l~?B#=P zFB8nmi59gPr3w#jq;kv+{zbeu-Inb1yD}2hMy_#E^wt3U?*Ic(bAV<6#jJTX6PykL z)t@(b7}Lu6u=Z;ALN~EqseBSuOsH0s0ddNV{FrDK;-X6FSj1u6;JZnwN1>rKFN6os zE$>NMppIh$T}M8p?vFQNtRl)BVwzz3b#6WcTe z|2O5C{}LAiAR$pbXrd#VgDytTHfARLba?*lQ;kX}*y!k*N;7rp&Ht&4>80&bPI*7` z|EPFLhTf6yOKiny3tLN6f92jbiEo`rsV`PH)NBN8@mS(h?wFU`&i^uN)-)m2s6IBH zHw%uA{H~>)vJuz`jZ(jZ=_TR!uDMxzw;V5ytV47x+* zV-t=|DwSy=Z%r?wM7MHEKm4lD#SX2JV$^?BpBqT*C>dFlKvlhii?Z3A2n}(a{U^Z6 zJog?%vw z`;E50T(G;P*m!g{9y?Odf~Jja4xPG!Tmbl#Z1t>T%loEb>BKAKoC@Hy?z^i&#(fJl zilp7QH?{!Dan6cYDg%Lf`JfSaYRWT30#vzmtVQzxK!&r}BCqFrc7f;SB&Jmls}|~R z&NR(n7l|!cl^mL7gB({cGO(r%i)M*?cp8Rmf*PtK*BF4dxM;?D-|^j7WMP}BK+--e zgXIPf{2G@_CHpPOjNYh6Y*XL+5FqL_Kxfp_o(#xuL}doSDtSG(l@c2g-%zz0AwC||xsjlQ2mj&3Pn*&~| zfVM857n#7j1Zv%J@{Erc({?X@M$dOnR5nc_i2{D&ARy_g`~I{AKgubhDPl;fKusRx zB3DRU=dBJ{)(u@4gsMMa3^12f_cfg9gg1gZ+XT6OV&E)x9@=zJvMTAA-AMyrWXR?K z)XQP%K)PvGN(KMYOUE}}?8ctx^hx3(U*+Okbi0>gfc-)KIX&~Ci1%r+$K*tMsY-fy zwyV||@qRbS)nx%AopXmey7vKeR9h%@>!P9(y18F&pmvrlOM0_JmAI$pGD(YQ0Mt3A zD_+}scdacE$-(oQnY@?1T#gck&jV&!o(ddMtMD?ad`=7oWKZiIG;BT7?*hM+Qo)7&VaL&1vMNee8YcTMW zI1*0D$v=11eMW;5yI6~ISXak#u?x0@RFRobBN17!m;p#y-QeSwj|9iR_?`+pHTJ(z z=R7KrfnK_65-vg2%A>;`MMXvF>w;l_!~<`kOSAu{II~q!;XmN83r+JuDV0dsx9B>9k9-0Gu&%a$-kjO7GaPlHOM6sDEDA zl^hW%jRTpee;G4|8~xohe9Tg#&cIp51;-9#=>i*|muocb8Tk3l4`j<&OH%6TD@`kw zBE~4mWX6;!tc~~UJu5$I!bsQ}Gh1l{`1+o!P$pmEOFQHMSOLJ}!;N-^=F+_L;% zHw$`jaienxC_X3QC%14y{ts~lRN>C>$*o=#as`kT(Zgh3I9M4mbdX0xR%(QuMSo}1 zD8KL%L>D=S?g6y$!+$_yKoNNwhtzyJdl@f$Yq58j;GChQPDFP^eZA!9OvC!3TTzYX ztm2IBiyaWiRsUM(ByQ0t%aJQr2t0TPL)oJ68C3@_Q1mgsODRkIv|VXWIci zl*!`XX00J$p`vEnzici5dZs}8jB4x?ltPb7V=?YAFt4?lWyiL!d#}+NwHgVOkWdr~ znC{?5Kt&ds05!nQ5|j^TJ?P%j+g!Go>bSe3_m)Sa?xH;`A>l<7@PvK4Bi%7Wd^yOIXn(U1zD-M;TfEty}+1M)FO?qEWKA+kTUVMh;~@|9S{K zn~&Ten7o^d>+Eb;$n7^+97;7=0|wT@)AgXBO-oDF)y^JJ0@r!|V`g$LO=&$inKi|B znQ^y;>hc&x^~QB3Urf&Od$gso=V#gAC}`ar^Gyx>uO&y=DaP(^5bLOOBUA^G9`#y5 zo8}#ifyS(p#w|{@)HZ(IY#PwGo#jJJiI9Y?0ocsyyvGBJq@Lxvi)UwPCCZRcl%8P5 zTfMJgbOd|8Z$tBwCGOdu^nXV+;s#ugEmmCwf54>nPZndhX;dRwHlAO1fYrqjb9c;I zunX^+?#E~~KUsQJPf&9`c09Eu7uzqqEzf>$8bFC$$Uv9Ie>CWyJJ@-2#$;}8=C*pS zHqmkZEq2NWP}cmjyq=rQu3fk_@zs*zSVat=88<+ICa?)9FKL?^rVb&2T*o(o$dZbt z@*OZWHfhu&p|b-r%+K>fYALat4|;h5kUIc9kv4(G&KnJyEjFotJRE6#yLV38RO3+0 zCUu_^=1qJ5*7R$g&=P}~&G2d1C)pFHvTU?nQsrp+ghhV~dg=2|;N=RQ42o?9&sR)n zs})!sT_|l!3+0=#d(SHA(U~5NS~E~y-gG#j_nvHn_Q(O|y6PQ=1k%h|{aRwE7&ElHhp*67bBuLAGXgr5&j zi{20Voj^wEHw%{%3%1a8B@2Zisg`qv^(`8S*I+@DlJV>k=$}AQ^U4o!{yLx!fKc{- zrYpj|*#GH$paRg-!it}El#ZaH z4F1`i{6964Fa3yYag7F|OuBSk7B48UG4FyyRh$~pNn|{i%PcdKOZ49?zz~Ai;J@>% zqah^KdOUJBP{&-HhXFTL_+^({=FA5eZzez@zQ@dG0?LIpu8(=iQ|>=6xw$;UVbjQa z_TSzqitl16dRfugoD0sHS0;f#<2NvM@pg?nY}xt;7BDJY7#uE+{7>zjc~sL^xA#-6 zRV!%qabO5gwV+fPA|OTxSW+htK}A7kno=YfrZ7VQt-@_3pfbuRB2hpRBP2{35R@oG zf(%Ja2!lWZgai=?LI~Uww0)j+@3Y?Z-n-Ua>%Q;P^A{`p_~mzgoU_k9dw=)mBuF*J z`}gQgYW9JZDK=bkvOFxX|EL5! z2#8a)%87!!ykfV(nHggq&2HnM3e`)?LaXlJ-czE^1{jDc<`vobCKbX7NzaV+EVZJw z@{3T#DWUB{*%on~q`F`nP)tP^gcKko2s zUtb^beb4a1u5@94H@SBnx1SF0vFJtQZcxW|0*RFcg+d91BV`+BCsQ-RH%&HSLrRT} z?Fv>G3y+l`#AW4XI)8u1hYZJjo@QF?Mo=FBCvk7NUJtt)RD4(QKO!HF8QeHa68En6 zC>=ChvGD`(xnUMp33chKCNIpExVrhCN^T|h6}JwSt!Me6IRPt%$myi?_zm$-XrOeVdtsD?#xFs}U;^=48_p_wG|_@=%xjlJekg**%5dX?iQx z96y;N7o-pXI;LUO%YmrWj%Qn=9-z`CKc>{mk(4*~ZbVCVvky1X^2EizSqU0nz+^qZ z7aUPqQ*f@?Jv$@rX0YPzCPn7fQHtp_5`ko(R*{eF{QHYty`@PM!XtFGX`RQb(_882 z#{moZ6~!yHL-fH0CcH$taYnmb6+->AZ{Be5U<0E^z&&`TE`wHk76?98 z6|6)LqVF0!l=R{9%WixT5tSK5EHCT!$lh&2&}TEc=3_1kIzCL35y$T!TZN+sKiOny zykRQ5QpxC#PyY-$G^~J|9vjxA`~=@_;Y?`bHvv{{oClyxwnK(LfOOa5OPZ z2*&K?OyKi-Zb)bh1EW{k4P<7~u*hQI9XHOXTM(AJ%} zqTU581&1x3^%Zwa34t`qZS3hzqi_|KvTjE;Gsk{Rt9ZxPqOW(4V?%vyIRmgZ4Lgu? zEd?QAjKX-e?N9g>W%b;ZIQSkz-nY9|ya8O~7rQL+Wd4jCi8Q;at6=h>5cGl%a z`{Q=vy4fBTmf-dL3SQ5^zg;$~)cE=bl>K1`wsSbm_z@;3`5i2@3Yo4c%%vZm4FVv< z8pZ9Xo{VpvTu{1QMakd>&O8sNg_b>!7S~$oB#|~Vv9%iaFj{_U69K!2*Fxf93QJ;? zV-ycX@kA=>SN-=z^oLBS=+Bjuz_->NVi|MnOhI9c39yF^w|*;>9=yEes{a$FQ!zYj z^R9|{gCBs~;;Xoai{bHC2=6vs*)hH5tR@{1Q2M}}lMr)iE^kBd$of%E=FnQmK=sP= zT}o~UY{@z&#RsFh`*ibpRq4GP3ZMh1&k!ge!o47UJv+js?#wflA5IrBDYLpgnF_^a z4&Zcw2>U9CVZm8Lj`CIP^FRPdz{8E*FK^lwz9XE@>;Z-M=-^KIy^!V31>{i=5V>$j zIyVkPxcl+9Sc#`!SyEOszOHdVKt?Q{bV9lK7C87P?bX;llLVX*-gp0)BQ|Q`|F)rx zo(Fn2aa*w|1x@Y!@pJ!uDA@l(_wyg8x1xjpWbOE)>;Ez?`Csqk|7`;AzxE>i*DO}N zf&Zz^@?Q?_U-6{>Q*p}5#__LZ^uId+%la1wCLbxBf6zRkpF%|cK!o?44ekGk{-ZYf zzd$g)^llSCN7?z)Ppl-rAq_wKzRHiqDSg^WLr$Ijnr$OaR1l^W?T<0e;dHo7Amxca z{>RTxi1{K)s0A)mV8k5sWco4~-!+CIxtC>z?(4fUi z+#}XdniAg9TZ3PNmCcpwIo6lZA`^yLXQEG|MG4)>M$$ux&AbFIYTupOxXQ6ZNa0iC zKEm|%-zUp<;;@@E>AGqT9%aM+%F z03EjI()nTmTM+HT4Y3E?ekeuOKSS74wG)Nj^g3%u^PJhS@TdOYo;CBZZKpYn2X$L) zmwD#U4Fyj@T}ncAvUXxxPHqKEmQ*rg1djv!V+_Dsp5g>}R5xiHa^{jCY{o0O#<2dcu%QG9y|wCv0&_YxH-#)hG*6Og z9?ipC4v|I&`>~Nr8n>%71J;9KxxWSW)s-AhVjx;QWiXeS2`WR&p{+59N(0t*w{f+jU9Y7 zx^34-10?-YSgGcx~2oz*ryh!j*ZygctimOXWB2yE;JxnT{KYr*}#3%=5l_N}LN zmZ5h)u`sBX?po@*6H!$Y`1s{wIbCF(Qh32v1DRs$aLy6iYcd3oOD4|A+m0o(YpEk} z{nrS3b5f6KoQFrZV;4J94NO|eqSBq(1VB}xpQ0T0pbT}h@ablbNHp6}nC+6X9ul}N z3{Y-lZW0iCKJio{qfNfnt6grGyxe=Vqa)7`mEt_kYCUT^`YD$JZ{f(%-#*TieHslU}o;!lOHuFl4|ymO_$cg0`v z=|7l=$sd}TufW4?sI$+`?*q^y)||^>y1rJbwvARQ24MlRt1#`E{4Lbu=LG#Aj&Nkn zU`yDGY4cg=h7e*-lxF57UwUQvY|^}{!-7Sra$DlU+z(^WN@D?RaEvw}LXll5P5tIk9o~hbD4x9?Jks1J1Fa>i)2p<^h=iVxIV; z->*sN<{7(UyibPTXU@hrHg zXu_%PP+vF4q(X@=WNguD(l)O$C5u80rpVB;S@>l{9~o-_0!!yGS?(^G6?TPn4H};J zF^Q+oNtSrS!~uV?4wiaQ@Np8XQu)0REm_z@Jy5Ucvd}7LJH|m~kT~c*&>AACk*7eV z`~<2Uu~f*Lou97#0s^hm^^&H2Be!4Qd!@)oY8yI-|46jD;{X19#ZrmiY2;isya+}? zwZo-_yx~a0V+-bYP&9b+<&rQQs(^m3zJSgM9}N})<)hCy%IYnL{!=N2xfT*QLHKg! zTrBLdZ5c_{>s07o>ADwp-le7=rEd0!=Cw@fYp7x+77Dik~gj%OCbIp?#$N(EK&*(15!lh%Q2F;EhG zN@hV0Z8_ICuDf%d{5cE*y`t+SgA%^{Xk(V~*{3-|(jENhnxRswP`HD(u{SL+it!l7 zAcwCAvw+QY&;D@Z8vJvB;}y4AW0aSLa{2s~6Ce&LBgopl|8QdzH-RK6j<-;>|CEhqcteGH1^F^IH5RTtU!s%{} ze@FfXR^kGnaLljBFFm&_uK3+63LO72v2Vq-?&t>h^3WjEOF~H^IY$-3+4HF?Lm&CVa2h z@c@-pRvF+Ced)3EteZzP$Fq+tb~7=77t5Qe>``77$zUre{#N|q?UmmT1oeIO$wM|y zPtb$&rP~WncvOF=ZK+GGDyd`@XJen`BqL_B=Eiv8r)?ti`{I`6MeL4nnzb0W&@37+ z+eZmNchLy}c-(@N7ox{IP$_*#B9@W-$Ar6pK(^t{?>n-`SbIQ@F@U?neR~9Rjh+|sE@@2 z*%ZrzFmPW!2L|Y^_fa8imOT8VKcGo1W(Os{K-tpEHKHemF7jBWES(gl>$|At6DfNT zg4=~dr|D2L3&>DNoDO^Okyxg>QE!CEOgEomgdT zs#{|E;DYd5Yi4*WK;cm6!sc9|sp%x4Q-}=j#XwtWhgsO&fotP`Y~4`NEzk1|B*JS2 z*?XQHDL^wq88FGskB25(^o4!bQD*M(xUHnPTAogrTrCIWTK( zEzzGbyAhw~=eLtMxpYO;G!r3kYQ0&*_#rL-*9|XttIS$C^Tm-Js;S;?>#@-TLnWUv-KI`6W1Y{x+ zX1VO=VdjSp8(eA`5QQRs;BRTK>637Zr~H^AfVb^Qlh5A;cc_g)(Ub`dlKqVgXkXQnb>RTw7QCwcnq z*)iA9{%_l#Ep@6vF8Pf5%-b*De#ySodoaY+#Kh)F`|N2riITCjP>;ucb9m6lhUXlO zcAU0K26OyyMg%M@Zp)Eoy>#iE+Yyj@hq;^-{wCU|I!-!sIDb1z_#((=`q)@xmaKQv z9Z}5XT{x@*Sec!O66S{)VdP~|ox5t0zyvkn*T;#XmI+{!Mxo2PVe(!z8Lp}fOSutQ zHOuLS@~Er>-?<%c2g{qPfgAEM>noXCaelv{(HTFd&W4fnoKLWC#v)kVa?>|+u8&}$?KuoYXy4;Om7Iyx zQVrBN%IHFWE%jN3;RheDey-^o(>@ONjVX)zD0av+76ttJ2G~Q~V7~JX9#)RS@t1Zg zip4#m(GUF}T8@{sf?Q8R(%T0PJd8n48X!@zkz#G!EDl%L;laCrW>R|4k+Cv`M)Zr0 z(~ED-MtlO>X>&eTGg!b+LXA=k7`*b<*JAbb=H$+$YC!$bF?PA zF!WkuEE(}LEBAYGjvpvxT%Si?Xilm%K?(1a2GC%Blj?gOkYd}OPW6MrnuPJhg~Va0 zf!GE6NZUk~e9>lacj9`Xj$=PyM(v1_<|#bMqMo@`d8H+KJujrLz%{RmJ3-V3HJSNp zrRw7;3*!n62&fI2=_$sIv2no^3I?|@E?clFw8Vf)%@)vMbm*Lh86#^Uo13i$;oh)} zlS986xT#q5IE5bx*o^=*!>+FDUWlP+1|)5trn<+86lVjjEcDwF8XIY56trY`T;!4+ zp-CXtOvdOx??BNU$~6mW(r7!Zg@*y&bdBfyqSD%d4#i!QFX+EgKO2>L$oO=>D-x&8 z$0anM@UuaWTTiDYY3y+ez-QyoXe$Eo7x|b4u+yDRg@G0c&F#89iEYjc=pukD$tE{8 zJgu4P;yR^LkK=|Ce~*O-Mudit#7{Ah%K!@#j}-oiRQWS-~Q|?$1d+Z@DZ4 z=Q=2S1<0w-t`Ovs=WOE+TF2+3s|;_gxC{UE6rPv_vj$B#9KN0z(QMRMY?Ime^2Uy) z*RNxj`ew#^$_77-v<`L^EQLf2-#XqHB`#Lfe{kXyes|DVXK^51BOH*P8O3hV;+FJ% zgU{D$DcPA%{m4}uw78=CiynCQ^2Q*;Y*J~knLnub9RRR$`}$O4gM+sKxLtL`)VtLB zBOgD~Ej9H$Xt^0+Zw{Hj%NO^rir@Xjxx5im#aB={)HLH3r`~f=Dc8#!NfL}gUao-4 zI+EO#QxH<8h{Y*-Q%{*=lj3r4TW5uCZ$-$rA$+>sRH11l0s-aC@OTee%>3)2+K{oc zT;)Hn*}dHi=c+FFc{|aSrgmY_3Urb6KFLL*#H=1+ z06uED*EaoY`!Y!uk@znm6Dd7@?$c_H)kjE)no*;#>&mpEMhoAM7NsQE#k~95T41}j z@MC4-!QtVb&%`;*d>Gj`*fLT!C~(Q&cKU+6zU~>7wtZ z5!~OrxW4ZltLjDF;Q5_FeDBUta;fv}6DOUuL)*N+Wj(L7ggzOchsvjWZclRUA5mZO{dqCc2h>fiXcR~xojHC#J_RuVFTB+!aOzd-4bG>i?fOF0RlUG~?H z7#^!vNlg{t5=~a?kowFoX`SDyZuMU2t2ySj&6{t<+7IaOvb(T#jc7Kz{TJlL47&Hc zU95?X*k*vn6RYOglBGdfI5#$#Crmo#L)WhMRod{F@1J6`YuAS@*N;F~VTB(JHK&6P zkKnRDu;86JJ8ZpqPkhyg3!LA&bz@i}{vz~ePYeX@e<}aBgC6qqIt10fKmX4kU7~$vC2`M!-g>I6WDxw9a-stZ z%MW&TK5(!Y-{X08D)r&c@r23BC+eSe+26f${C>lHdXH46GJM>k{^@ae=tA z_ma-PYsBk0j|Y|hwD#R$)Xc5IlP^BE`ueADn|Gi4iTQ!VYsBJBDV-+JBRm1{y-X7J(B zSKk-K&0MfNsXTL-+0YR8*GKL|2?RM*|QH&p9*hQp9J@WPg%)HJm~8548(3$}~?4fA`z2&W!<%NuA3P~7BsL}XNik=j*;)=|}`l^}?bzCERbZibte(gkx! zo)A-g=xA<_pX#0Wo#R?-5GAF_B$8gX1C;H%i)9w5D2wF?fj3+S%-sy|={8ulw(_Z@Xu!X$) z54P`j;VG@fE|!OPu48tbUTv{GV$?&U=@7M_}!+%Dg)44Zc^aN$X16lBaxI8rf zr@_cH=o!kX^2FK#F*Uc1g-z-+_Q)#14cUGG|Rly?QV6SyV40! z$$SCWU)zVFeJBMx+K;GGGFG@xy^@GWd*Z9p<;(W?1lVX$;E+*jI0~J3z&g1g=6 zaTlMm3u>o2=Y3{jifffdnA{4g7J8_Unv5lW`pq*4N5p*v#?+a6Gu&omv%=ECz0W$g?)$))Hx))`c58Ow4X(Stu`H%`TOIMb-GLwY zD2&+nYfo_RSECR_zdr6ehF>6zxmjOY`toJy<0})p^GoP-Us6M2aq0t@*}gODDa6$j zHH^IZ3MK6wjC(Jp_(SWlzSO54sbsE+8Ow*R&FiN9<@O-7+AgsfO~6(k^kiH~5nV^c z5V$uDZC%qey!Jrfs_Abof6%bYslR|UGRm1-^^Z}$UUeL{@8vRzKp`!BQ*2IqAeQ@4*e1X57vGRc)kE-Ku z3m&r$K)(#=tuG^@;tTQ~4=GQQuB6f;(}vc;th;lUTQsZEW*(mSBJ_@CoB-#pRUQbZ zb*(Cg2ig}N9~0zH7ivfFN z<3vOP(J$Ks4h|~2DVonKOSxOoa1`^+?P0eaHHyq&yVdsP$zQ6QN+LRULggXuv<6q! zVKq}$uAYSa0`)c{0fL?xV^T8Lc(*GA#Z^z0w6$VZAEw(tS1&YUF!0+QBlM2opQH-S zeB;GMLlhYXL6o5EpO9#W zGQe~mR`Vi~x9Mz2426xprtMUB?nEZ0T z@ttFoPG)*;H=bmr<29$U3rb3;RMd&OoaF#4l|$F~P^%0?iliPHBI65kX^Z#}-kJgflTaPirbHhi#tX3GGl{cV6l z&&(O~V5Dld*Rw%%->cp_YCSy(VS$DdrcQ(d(ADvs-po}uM&rU*2A0QPdocR)gg1Rr z6mLK6OZxfci6_@oYD%!n?%3t!cwlV*!Cih8RJFYTDu{ex{%8A(aviSpCPadX?fa)Ni#07xaJ;3;ngb@ViJ?ynKqlk=VM2z&5wvZoIZAHH{pZ zsHyOPq>=h(D(ySTL%XHq8vbWsc2a1s*b_<|6S=vWy<%{PwKTPKSJbhR=kaWICN)Mr z`{eJg&k3GTe%x}=9;3FYAp|md0bzhBeacoHu+oH}$cJuOy^)vkE?b_HRU5oO@Q-(5 z=ymea69~Vfm|$(#^`uAFDRbN>^3Fle%mqq9#3Xt_C3VitAVNvqYvI%zV0%Vc@T^{n z=id)4x4QEdte)wZSqxQF9XD zSI7LVE1{u0rDYy3mzNf#sE?-gvca749k;R7Ud-Nj@}p}wM6jV-Am#x7@a$l!n$dV!7Qbb$Ru^rIA|9+e_5nTzfV+RaOrA-UEu!hkB2hZ z8X05{)qDPM`A7fm#^c(6hs4u0iX~suX^(Eq%4Z-dEFxkW+12jZ)ZCnQ1gyO8&`+cI zFcWi%7wMGq!D<@4m~a0!7X=JNee$)2uhakn13Px?*S5uMVzW$WPTv$BYx**1L0UtrC`%t#u?1jAI>Rr>8Lk%5CpF!*s!1fPIO#kwcUZ z-zX%u#L|Zr-R==KtnIp6Ygh9osqZ{^21==d*4h(P4}<m&^@il@|sTey|XX1C%N80aSK8jpvUMe8Q`>gYF?d%dnJtbOju*I)UznD6Dz%EM@ zI0%)`EiC1`=ykcu<3Oq@@mGqIHV|nP8nTJ5Yj6kK7vY`U)}TTI?zsnI~P+O1QlKr!w{N*U;6B?7f-P z;}sTP;CF5f5w8Ca$9z+5UguV0zCsbAx>^4uJa4Q8hrRJLR-Bt?Ct0%F_%(K;Z8Lh- z_8%N+GBU4KAn?IUUktZ>-|`8@ygLq}#X5ydlFH#xh<;9f;MNEC{toA*-2=uTrS#ly zq$TCoPKvkg{q-5>QOqf`cI+f8UBoCG-<#vDCHa%^dNanp| zHvh~KwO<@~%=zT3CEg32@MX!etK9z88|64Z!Y)7o*A2DbtWZ>@FHNO+Mp;MLiF&jy zaaMRpC!*xNxKt}aoQx|wp6`62xAR^ zb5#~{5AeE{xzjhM-fvAuyitK%mn?m3Tb@|DVz=8Ea zrF~Ac`N!gU&Zf({g57fA_O;Bm$UM%2FQ8}WOpeK0c$Pt5A99FoNoe)3NQcFE>k}1? zvti`Kcb`@>po3ppI~HM*3o)l@$c z6URxm%ao4Tt^Ts!g^l%z`X*6K$bF)P1Bby*nYdNk5bzE{9$a=H)4mwvgONCY=aouG(>j9NMdsWhe6cu^SoK zOlhi4O~%KKqvkX6)sywT#C|Ku9!|VAyA!fd=);AlN9|#d=T|l5ka_tl^4@=;qU<{( z^^1pCPy2v{gF=H7r_Yo)au#yLBn*}u!uTB98(w_7_ZyeQoG`+dcploql^^Mqwu_(6s5Lz% zQO*SdTMp4D)l*Xh>-k9Ouj?#xS?u~ddpqT(yib4O5{(iBg;*O&uQB#iq{eNJj!K)1 zAIC(bIW1`aICviXvW0_J8`=cZsd;0U$=iLl) zbwQLK|E*0V|0pTd5FY7ALaYr8N}l~2n_SK2B7}K}2|dyXFfPm1 zG7x7ZENs3?czMEQG?m6(XI@k3Ke2C^*)}g|ou5c4=l2QML)V?86MIm3r#Fl2M5Qxd z5)(c5X;l|L@|p9G=ESZPX>g_Wy2XVUt3-%`dJZCq{c=Bbbwp43NgRD}G1eC~x7lp& zX6v4Z=aa0o&U3`3ZHg}g+r3&vJ^hdCk*Y8E%y^`FgmEfJ;?&gCfXyr#1`|v_&>o5J zv!}`f<6c+&8%MA9qHPe- zZom<>ZMto3jF*93d+gS!OE$8eu!QTuMh@9HYPSg~lwDxVn}bv7tVAy!Pka~CxuTAt zGy3+tyR{8b_DtX3t58~O^?hA29<}@jR`$n?Mw_%t~=)j;Nm$&*5|I9W@iyRIQ9_kyG}G3omE-gqG$>!T*U8In@ja{T}?{=V z^~IxhPJ~rT?>IIHi{Y!(by0bG!@-2Mxye26qPGE?%apdCNn?}@A=^|4qSb9sl zsWD)(KI@ym^;*SNkNlGhA)0!TY(pLlk6W>0Aq(r=g94d}kwJlWWEAx7)D`b5SIDw+ zkj1Xt++35-@OJ?#5h~eaz@0cBdb;t|IirPppz>d5eZwzqADs&R0+Zyi_LR1WQn|BH zYzzR1UGg;$MFCVFB`w18V~bECPU|G+2{4=*Q6{s4o9S5LfwH#65#zM?E%$DhF7owM zdo%fipJz{!~&ITeKVa3S!l|+Ku2eT z?>o&PC_%o}p2)cOs#I<;<%Yh0!*(-Y#WsNaldJ9u{X4hW5`pg&>a5p7zlS5ic)qRF zjG~kp8(y2IHi|+}{hD(I;x@tdj&j)PFH{%i;q_kkQWXL-F@I?fO%#&FlVu|4-62Bw zLc^9@^O#$!BrRS}HB7bo9*k4BG_w`8Xe?#6Q%3up*4WO^p2Te7Wq>*2%@*BY!XInAzt3~ZnXjRb<)P*-V?xA ze9Tz(-NGiY zxxPbM5qXNmL9{9L_;OsDZUl}atP8qzff0xs-u3Pj*k8|1M!AK5n73YDS_UvXCh;SH zUoDfvc86c8=gA$yfRm(ODh%kOmBP-JArga%5e6T-^1tTi6%bi=W=1PR;g9mH%*t4H zQDcoL`XUOee;{d~?8Fy8WIs9zLDf7Lqvx{psLetZ?hi2pK$rmz2AH~EEV5s4EfWDU zEtrrLmZV(UKiGs7!Dsvv*B+bfgF-{WN%FX71!5+P(|i9c5!-FP5Yi6rVW2;U)c;7W zs?wKz{G2f|J?*!zs2Op20qkP)$cR<;qD>#1p# zV?NZTkJ?ZX=r5~>sOA%0*;UhJ52EqqWS@%iHl00ChNr=wnoV-ts>1y_dJalD1EQk# zz$T;bdOeBe_2wbnY-?0P=|uB$+L$JWC+M2%njuxhxV>pw@c?w{#UKX*J%%EEnDy(; zX$lt#-48;kwFTzBnII?qV2!GJ8vuwGm}4!e%Fw%mz~+V;Drr0WUwddaud<{*T1hbx z>tSk6-nfEc;WOh>STN}X$;6m~jtzfgp-tJ5H2EnCJ0l+OSEhTq94loS<;)1B{lcwz z0I}^=p?s62+xLxqXV1jj#Pag%>WkNS?4@`(ui9KE%7JN(@%bYtZv5^&l^eQ2s1VeKsz9yoV}om-XNY5PpBWg*uNwaPwtj(Q9!T6sjG(9vEYHK1M5z6e z-G;HP(iwGK;xQ=nDcI=j)H4Pr{gRvOoefwTFN@=fMiypA%J$y#jK?iEo1x-96zzi8 z1f9g8@juI7pud3B^}wJTgDUSntB9ezzb}q7YW}>?#7)IPL(=rnJl^HMXXMsxQycJi5tQR*kvKu3Z14Y;K6-SWj@-g5nRi@jR9b=5fs;A%*Vt*}yc%OVqZ_%I?nHb2)-vk_x3RelYClqNB`<#Jee!%96dGH$cMn{G z>DYNLPzWEp7&!c#aVaR!(9P7J(eENNxl2Ddy5TZ<(J)7kcrDO>dzCNu5T^Z1+OpL| zj}WpTj@B3L_pC}EO&4*TJ1nz*zaIH3aps|{>C?d#W$}rj&y!H6s!rsm-pAQ3Of5f7 z+tpqfzGL#B>o(-OCJm` zbW$fL56&%;TO{vx%{bD?LCm%cSe&45uJ58L z#%btC(I3Sv4$}_H!-Jhm(zZ8f6x=UfKSV8(ssx3$AveaE9k1W!>0MyxS~I%Fv#+#J zsK*Zv`GO>wK+mDL%2j~?s2mIBC{>y8ty_F9BJNjOd0M)sKcg5R$>cJ!&@G;Wh%2b$ z6p!KIJ*j7D)j5UdxM9Vt*vp2%ZUjt1N#k)s;apjC#ILa_e^w#F02w1Hg?8V`@xw=Hj@4_d$V@G&$~+LLsN3ZQ?%=H`Q9EA4@_=1adS%FL+JN;)`z zKBL82E2W#7qgNW`%nzG7f?d^RLr}7BHqK~H1KuOJmrfRmR{ag#1c3Bum0nW`UNX$> zQDb7P?37Z^B8+lxf{X;s_raZOKg;bqwuN|z53W{Xk(wY;A+W!gZyGu57F@rG@)V^YAGDjfgMB1elur*sJLkn@MFFoo}`Z(#ssV^jCAgt)(hq|O%m}{?w+ew&t*IW zzkyOZMt?Z_MbZGvHE*`%8!?BB*;L$ z5pnq>TC%U5lp?!ky`n{zqCh^{s#};jC9++aY2uW`%sb8ncRlA1M-Itqx@b+V*|*!y z=N}DzDGHTP+GUUn)9HL_3m_}Q zsSY3k0&x(14I)ncQ(GYlya|)R^Z+|yDws}cE zwSx46>L@T71nkHCovy5W^Z?+!0VV(bEVHQDy5qs($WADk_e2`;wUFJr`>)NXGhMp0 z&5B3YmFR@W_^MM;PTYpM?(Z}bt|j~|tDA7gQLUjehRuK9`@z)^c!(3BIm zw{^J+d0&b%k9Xa-3!3fwppjXn^xjQli%kkn=t?b7JhNwpn=Z^>ei!ZI1-*+urI0C5 zQXbZjvsNeEo8$hxiCpXVr@wxCbNqbFY%>Kc{Y{XK0$2Ax;7;DyVw&$bvZ&yyqkNv! z4{7^{Djx^eLj$C*ly!ZI^tPsNJ7oPMtUBt9rl1vmVJ175nf|cuR*Dw?qkQatYZk&Y zsJ}Fzk(l_Yw=OoPc<_J0Th|XCf-LrLEfx~2>@o4~HK6UVBFgkZ>I#Bf4`AmMP#+9t>yjD_ z`RfRjS{JPpq75G+v5l`bO&; zm=$Kp#;rF+ox1TOabG6Ae6$s=wtp#mYo74qzOZ*Il7eaOFP?`|c0WRJT;AM- zBec5SZagSziScCU)3Z@t3owaI8Ltb_ZY0ubnSO1+;Jmn4af`AjSnh;x$+?G*vWM%=1&w*c>zTO+Wi*IK7D_Mp==bWgB;LoA>PbLC)2a2Hj@D`a!Y6A#opAp=e*7Km2E~Ww8T!fYR})jsj+qZ%j35|xEpgb6#y0cPvgMe^MPv$($C|-oF(ljN8#e zf2glu)TGxu)*4klOxX+6E8?)@ahBT2s|A!PaWs|BcDF1;?OOTU0#qhTUnvYkaYi`f z(PnQIse>>54ciz^?|Hxl=ewv`+{L*QU+>X>LO@0b&I^LAA$QTbw z9Mgvc+cfdNXB3U&9M?lMrMpaeizVg>J>s5lLPv^}=n1N2zh zjcz-Uu%Ts}hTC_nbjzG!r^!gb#~xGC5g$=DTzu^M{9eqc(lB}seF0y7df3Ismgn(A zZ^P`E(sQ~dVN)G>*7`u9WovW>n)p(iwoIYk@J7#D3NlJ+=hl8(Gpebn$uapysH2hb z0pa5ikSn-vkSj9QSo-^LtgTu8jX>U?&Mw-T&;c1=>jJSkK6utLS~(lXHb~7R9pF{A(7$#5_rE0J^y@T` zH9b`&&r*bb^ody;TdJ2zjPG5GoDGp|Aj7lHcHJU=Qn3rKoBbmK$S~ED9~(Nzvm}|j zUlglDAC^A|kjiJ&@1IFX&`gjBYP6atxYK-#e@SRI4rJH?AMrrcQ{sZHjFIFM6208h zf1sJ?2N>hccC=5<#HWvwwlZp{i_&q$O!jBOqXEJ0t*HL-Kc6A(z4FG&=q1rWlHuqa zvw+r8{wuOYlU}~8d6Raa?=ca3C3cozmnca}C|ti{$J&!zvn&mw9Y}98wa~WP)QZ0u zJLhg=cjs;GaN>|?;DBroNK@EXtP~|dqg*TP_s`T5uJvm?fJD;@1Jg8P<#vn6iI>&f zu?ce&y-?sK~$y?*pYml}a-Krh9D$8g*0gLpX z1QR$o%hXyJS${f=sJ;zk2y9*E4R!xs zfeAU81oJ}Cxzp+xhHK^QF@`dx|CM*epM{ngN2=y*cv%S15KnjGA{<7ha@T5T7fs3| zGaipL-sDjYhSn#;21np>2^`fpgFu_4rgXAq-dHkffi8}|SrOgGRs{;i+r!5SRNbvI zicLz{NYe;)LNsf@&J0_jqjS62I?B+Tx12Zfl8q;jPz&K1FutDa%Gdl<*v;!TE?t*2 z==XX!wq6Sj^InOwLFOYIaSO+EM4Y1)H<}Lfb)Dp(Tc7!*W+u+qGm>{^I)FBlyME`z}2=QAebq(kQ{hP;=DK zgvfGyp9i90VOMHE42+dRXS-Orc6NAVfXoyAIoJC#cvLVAv7l0=0VtbEcnleD;p759 z%n&Q2BE4^J#F{MsEZZ?VjB3p5Y*tY#B)atUklePsShp?8C&YlEJPM;YHradE;~$$L z(`YL$)+sSn&*9U}G>?lxt(Sn{<0*x&j;5gkD~t3{z6NxZkCP)JtmZhcH>lp15S=!Z zQL5ClP|=KV#OqW7Pa7bp?;sJP30IVqFz>^vi<~dmt+Ty|C_}%?p^kyo8VV^@9f!2} zTM0_Bq&I|iLhVzIaI<#l!(47Bz;ACXKjOkKWj86+xmm|eL3WF`#wFFJO8+k7zi@5L z%{5NRCb=##kl)aUI`C}Aqj4Yp4&2Y0=up5d0vm>#4-@UI$7c`X;Q{D>5?UN)y6y#_ zOFK!!i?JPH@a@1qfPM&9o;{$?<3;M*Di&6m*)vVbfIIzL!kCC-6_A(VbWPqL; zm~K)KO&-kJcsf^M@PxHDZ@LKB(yPe74PPzpw0Te_{aF{)jYN#7pZ*2s58oIOZ}@ou z%7Hb`v_#=(6l6VBB<9VHj7`c@V%r~N+;tV+t&mGl$iq!+VAuF`^|1Mo&C`PF znB!(K`wENoZOf)kd##1FA{a;VEsGQ04z_AunUs8uq(`ifZVJ?gDe}?i7WYKknlBgF zu~vPW&pewO4w~OAwB#3>i7h$+C6LorJXKV4C*6ZVomt98Xk`nx3nt6ZkhkEmG{Cm^Dbf>tCK9etcQ-AE@JPNQAoTDURQMa&4K=nMt)Y-sJk z9G)1fe!38^AJLkO?qr1FtD+bQs#e9Q6BJqfCVRB<0LXF)H&MopcH%q43v$ykXwm|HlKmH~4W6^DLSeT@_{5X#sUOQq94@xSa>v7J1 z))e|d8OOIAoP-S~gtc8#bOk9Ckp+J=DuBPby>f~1J^DWPw-O`(x$)^ns$0NKxcZm- zlaLsif?S|*9+v;&I?;Qo2S>f#Yrq&NKm(2MA=Hm`vpuBni~^P_R7&Dr*Y~MR$Ibm( z+4j79^K?~Oml-)ZA}G9X#Jh$5woo~Jy4sR&wlrU=R9HoEYcv;EDkq{v1T+IrMy1RZ zLzQg4I8aGA6UV$>jdeC%nQK>|k20d{XB(KCsw#vYcaSJ;j-c z(mg&865pL})d}mCd-NGT_MPGuCX)+PV9M_9?ma4>S?Fx}DJ6t5e(`oqMXFC&e6Qh# z=r%boGo_hrej3|1SU?*8h8Z9ldLAA-2}gIXc*FgKrAzBWw{rcQ_8t-#@6U71l}mt(ac=39Ay zDrL3Fjsby&8<4;-l3#ouy22oz_`-03J4FrGgv!>g#0aBD6-CxOUilI!ZC-LmZrq+>VkK+i z8hfGFAokr>C91e931j~gg_8c=aKYhPxZM_50MfkGmTj$?r5mZ*^PJ&B<==mH!%w(joVIx(@ThTZvP4lii;aD@*orLaEwgWX zU%C~nv%iGeZT`0b9e7E%Gkwywaj~r=alItr6p$t+T1RUAYby@nEJqkSV&4mpfBLNA z{X2po2n^b}ds{WQ8F$(^ zA+k~8$Gk{f>*kk+B(8}P9Q2{~g8yyqG)p*Z9sK^SSY|j;Y&z4@CeB|{(^?B$pOcHO zK73PhQA;}b9nfc{=wS|1u3D4YBel+qPkfSqoUQ+Cs$36iNR0k5 z_GJ|^X9DckpSQ9n60MNc%B3Fc8oEEEWdS{4FI#UbvK5^nI=sY6Do;16=UGr!X9#$-q+OF5{!j_s>O)b|z9x{BZ!uIx$EM(UWogiCbRUp;4AF#TSGy|m6eFTmqSl4sc~K*JY0E2lVo4>Mw83sbWu1`-77U$)UkPr z#K@XJrSKmqmK2nq%C;Kf^jjGf4@Vn#hWPXi`ULRpc>gr1Czk-)2w>SdHV0!sXf0sH zlQGUK_9%g4-%!f%)L0%o)v3=aQi@*a2eoPiZAu}111Y$B#LGb~&wr!B{d!%nm(aa~ zR2(-<{3>c?+U~I%HZXU=nW4+Smq2Yh38daO8^T{F{l^B(QIiWDt;NgyrQvn1s!91F>7`O3;J`sDg+$@;tT_#)IXcad~cv=YtE$=t9E`>w2#7I|7N z^Twji|6gn-kkG?Gp%!C;s;CX0{wWS9nc0nVF4T5)Q7kH~mCYbUi~uyvi)J>HqYYX8 z-2@t%Q~<=KWHw%OUoYk~C?hfRZ#{*IHw>wk*AD4}Cq!N}Bt|;?9fYJ)5ep6HbQwr+ z5yUv~1?QlW7BIPXoqP(tW2~Y4ZcVWRFXRM2Z+84>fu#bQO%qKV7V{qo7H( zMGBT-4)duCDutsy=B&qNHFCicg3D&t&;t002CNi5yHZp?$SWLmEE3S=K}eCFh&)x& z=8f;U{mMXD6;1L84NOmu@q2h;1Dvc9DIH8~gq5-`>e}L$9NDkyReTQ(gi}5uYD@%^Xy!RRH7y(^QCh{oLpWdb69OTcHl)E83(ca}0Ix2l-#J!|>=k-O(RtE?7sN(u=`)-I!q3lMKagW0#)K`qiS zK(t0LO|&UYfa4@+efbqAVK@r}C`N0K1|RAgyA2z8=kBJskqBu+JPV!VbxR>4zHM;A z{BrNy;Y^wdrnBZ~O?_1a^T!w?rbOJW$Bhfm7T++qMO$el&;MYp3?ii9?w@8UDYaqq z5v)%_pg+Aj0L++0Y?b%3nztS5?aw3TldQ}Vi6{Jqeg~~@+d{Y6fXfffjHGP~auPUd zdOHLFNZjspIM)XgSlyyao^(vNxm3{yFSL_m<$@9RbFPV;FtqA>rB67i?d3mfxk3$| ziwPcH`6X@~8^te`@r&ZJ^}c8pV2%ZUz}sllbgk)N0?M>jJK{_FW@{q z-;Qu(S|A>?Q!^x#UjEX=uC za6CSwM_$lvS+m!w>cnoHkf}a9RX}gFYkC8Dq#^3yJG?xj^13VF$}jWjxypA$wv=hqTJbaSIM=(VT85wki8^ddNZJC7xP4 zAxR^&bms+n5#1SDqh9(xA8i=0h2!%u)ls-x&x~hV_JEquvp(mWOGSS;!;nEO)&Ao- ztVA;ypWW)U;B2TKCh`YKzzEPMY)j@^w-~jv7t@ zQ?wO)G&m!GRvLsI7K9K?m7LTNk4rZ_dug=ACT&zxn(PBAB>g=Qnph)yy^Mry4xr#X zLtHnORY(!v{QvYvlElg26zdVAZ?tv>IEL&jPZ3k0s!(%(QVZO&N-p7Cv5R{p{ z-$v9RLqxDzx7w1us9ex3U0VIdsq^3u*&zQDsgu~OGszu)K>G5T{`8gGE&q8)bor#7 z36O9??UCvc*A^cnYgHlK!ydi#9RTq-B?=MvXe|F5p9{ZDwgbxY7S=Y_A>hroG- z{$Eh6+$v5USIAtO^omo+q~7&RoJGUT64e9o^{$_#FN|1LoJ4-~_=c_VzukY>B-DVX zv>5*8gdJi5aV;#Pc+Gb|I56M`-w0S>hO0i*X{A|*Fd+@=iH172FSYA}NLOBob89l} zL&i1S_Pft?b>Ml{Ww>*Fan?EC>21GREdXf%dYQo^Jx~TL{|Wt=QF{WmT$E0qQknns znIlJTpZ2*f^E4izCgK|FWt$L12$IM59@c%s{L2N@Wixg7Fr>`f!H zO{z4U3?uJ$znC(a&F!NC)OG0h{jY41xP%%T?RkC5Zv&M7o4oDLt!g*wk9#vi@r;TS zhlQOzw~5}*(aZj1?!;hTL4`@nM#atad@KIg&TDw{s`PZ~v?iL{ik_=h!iiWbE(HaT z$v$Q*&PRP*MRq26MfM?WxIstf^omDMdQ8;^-Nh`e1<#&ztsSbEMb)rkgthomzUpX7 zZdrH$x?`uOq3weo^F_f(aJwfjOk^8Tosg$p}%V( z9>BJRpcjMIWGTYnG?&cIS{+GmNrc0~Y7mYE59({YKkLSM#CMg2bFEPeBdY~0wp)DQ zY~w~vdQiTqGT+CXXm3lgW@a@+W{|mW8sjnq&w2UXRdXhG%mf%~tCAX6dwErWbLH5y z;;2no=hRL|7kyqwGu!7Z{wM{G!jUCs{jOE2BQsJl9b+SnCOM!wSd=?w;of^?n7s)! zsCn+H0{x+I&8p@^a!^?-eB=ubmcr4!Q$ z_a*}ZU}4e`P3L1FUfhuue(M&kX}vOm8SL%~5Ou&F<;jutZ0?Jx&(~Dk->C;RLYP@O zuh_^qZ*U{XOW5j`&9BjLXO57=N=a+(+2YgWdK4y17)&Mkei;RGPmbBYMKOZ?nluOC z;#EKD&$j|-MYUIl;sQZP^Q?0-9mK~U1<{wkaR}u7KtF6jxP#-Q=u|_AO=Tr_xzz!F*E$Z%vgu$E9S*MYH?Nn!{R?`^E~to zI)|w%vALuXx!#~%D%Wd&HF~@QUwcJ4tY_Jb99iuDk&KL(n^^m8!1+IQ*$`AHSABN# z4(0c^?1TsPmI<$V*$3f3+WyT0++rHtBB#)D{UZ6hiLvE?vd-u0=A=l(HE%=ln|osS zAP3>bzjcf$?xgsEs`)07KIL(R^vo|-HK!(nTSr#q<+<=wddtuXfXpy6)oY%;4s#x?@qv5+DCRS#R) zrk!zb&ctsXAJ$UFOCw&HlPF?*v6O%bOC#-8E8>v50C$#jMp0}NB@BzlS(K4|dePG> zQ`0LRj&6*4!!Rab$M0=xn&^nmZj4)JH!J{w2EBkb%f&Ti=n;{*|h}W^lI= z3+Sew|KHl0DS0iN{O77b9`xyP>9vhs^1^0_CI1eI*RMtL?8G)<=WCf2Qu^g z9KRyMD1cv~w5x2p?mFr1;_kPrS49YZW8`JY{nE z`48Lj70=H3uW!;k`v$3zUrDTKz883s(6Q#kruSmK*<4)sZbmWq1*oNIdeO?qzf~ub z_Rng*7G18HT--g%Iy;`T_)~~_q4C%B)W1xO3$5H4`32Zn-(}mSVnH|uMK9UtiJr@g zW5Ppx-UjE3RI|BZ_Jqx9vB&q%&3c)4?rw91MKD#<{e0^jBKtDNxmMX zR~zij#?=~wiOn$F@ZwsNKoM`x`ESsajAJ~FKcWpt8bRFE0L<7IcKR)LZ~`8#h%=%3dzIl=vO$>>oiY_47+{BTab9IVLvzSEl>DMcmUc9~I-t--aD+RY;7CQG#$(6SSTuGMn{w`DkaoWkHd%*CDhQAh>V0HL~012 zj-%2tN|mZIfRum%LT{rcks1pm7)q1?QA5bk5<*D$)=nJHd4KPmbDj4)*LQutZ~ZZY zVY7Gk-fKPUDffLp{^>1qa4tOZ`qCl94EvOzE@YNZC}0>Va6Xx0H5peQR=eOi)E5Bw!RRy$!8Di=K+OYwhc1_3 zOO7}hqNcJ9au$KYRgV&qT@-P|c&Z9D*fieAwA}1GA}*(X%_&Racex)IA<68gxHfcF zG-^B+g;8rU+Y?y|L>&csRPvl%O?kYIlJ4bt`!ZGe!S?@efhAs_YJAqG zF}NN9J7xMF`0ao*z6*cY@gbzj06TMN+{=gf70l4uD?52acOCRuIPu~{@CmxJ_$M2_ zCXAx8Xx&6#f6Kso?8vKbP#!3dDp!y(Eu_MNa3rn_W&Ugm3JlJ8ib6|2I{ZspDl49V zYwp^Ddn|I8`}ZMfL@HFxMWBjo8&+4uz)HfhwJ`#XpS@>PTot zHuSm!sV8vhT({E)N43{aeR|f;Av7c))qo@l;M(#~0hyayZ706F+s3RUZi zCgP_o19%2o{;SuARYAM~M0Qkkf1o__(;3T%bfvT(+lv2oX3-5&FaRTAJ{;hyD|LFw zQM}VVCo*QQ@19w8!+-qc)@xmLm-)_~kt_F1KAyKO&-U!Wp2!VQMNK#gHyP9$q?BS& zzO(vMWI;C5)DK(UK?fQW(D{#HWLwzps8iZsPetV{MKJ;^^*s#t&FI$`F;$9*QljM< z84U{fGuI}=q{UbNM9^9J>@xzaR|x9~QRq9&i-f9`8yE<6maNU!njZWB^`x4qy55xS zcJ+_tB4NN~qRVX|_%jc=f&};}P%cyfetH-#H%|Y*IWQ8;7;Ck-x9wD;AdEDqAA%c! zAr1r6%=72im7DuQ%;g^?JPxb7)>ZQj#K(}0PN_VH@rUvRsGu%wDGLoOsNPrYB)~6b zAfrLGU;SZ0Pfw3B*c8|IOs-YTM&s6aqaejfZ@3eWH6pLc|$Nm}9yS3{Aa0vWzCYjt@M!sh)|MFl)(RcrC- zsy5{DR;t-dYBEm~AtJRsiNHJm84O$I$DR#i$Or~hji4AH;RcPNz1OW=)|6t!fc zss8jIGP46q@G=qcvsHR@#mH#VQaN#`>P~mpwJxH{nF5R`wTrcs!n*M-5G-)~)2l)P zoCAq}b2=p>EO6RPBTLwh2-^XO7gpW;>|VG?tf3ya^v2f^+@BS=KU>u=S_5_X${W(k z4y}C~38ngAZq9@o#>F41iTyOj%@lym_dUmpcF$J%w=Z>WTGU?WgGgfP?}A@6Ra#DvI#7}HG-+0 z0PIbUE+;t!P&q%W;WLgpRkP8APf^^|{%oHf=oj*3n4B27FLU#9U4O>-cd(20a^Sd| zd&TPrz41}Jfwv$7zWx>@5(XInnWKH6YDJCW{pU^a^9 z(91ZVxF9LffVAS6XO+Ybh&I@lgUFt~Nd;<4_BUmMfUxXhm(Cs}4g(a;2FHGOo^rDN z9F}b@cZN@s9u4!>sy9|=EAiL#;*s$#J=$agRFm%HPK5Y`b`>Z*$h8(>8l=QhQxN^?C1kmnby&zub{0(5hOMwcH5tUWjS$0#s zu(|rmc^=!(BS4Y}_O@Jb%=cMPR+qsT#v2S}{qJlMbYhvpSdH5mZdZ`P+n8~~(9OkT zL{zlJJR>ZIqmug>>~%VzH-r7ap?me%v*uOKHwm~03NHeP;bedkwe3ye0lfir-p&*S zBM+2EC@cZNfkK}q@SX@}#z+Cqno5**BpFA4vixg*d?2-Tgwbv0%!z2trDLTr^D$&0 zPxGCHD+taNg$l#eZ=^VndK628j8PaKj?jx=B@4cF_X~;cZQ+|MwB&S~ZSjEY+K80G zSeXTY^o~F9@w4si%=};5KpycRL(9tbl_?6Kg;Kz)A1VVY;92Z6vz<=3$$Il@{_S&Y z9CqG?M2Hp=!uyf4s0hHaOSYWKHnl=XTEf1>p1}$vmK6YUIFIykl8&X~?S>{i5#y{7 z6yCdyQ)G;P{6~(J^!)<#ALU=Je!c3jt}U$nKA6vtSW$Mm{;!!|+-SOXLk+XKN4h;- z=^mDL;f|SbH_vF~-BMIVp#4l4oQ}ft`&=%6GZnkh;jbAdi`Iln2N z%qT12n9%!fayka}Mt1#xglxeSnYOK zDl;^&Z(s~9A-V0K;Vh!dUZ|5-obGhgyQnBJ%2L4h-9w=+B)d;~4$cKoA9lm{lbg`E z)1GGaJ#J+YGniOV*|nrB2Lw=u4{{7sMD8@xwsHQij-p6!qs-y=Nz_xrtIcr2ybGGj zxLZPUK?iDkZ^N*?Yw2p;?Mtd@tc&8`ckybh;*HrA9d88T(_Z{`%xD~=g+HD9Miavar;>?f0u4I_>#%q(PKnhryq$IoP+g;RjjV%W zLv;F*0aXhbpKM2}RR#nuLWq_NmquB3A-)sQ4F$D^^oFV^HDB?w^mrDzL+ldzC0Ic~ zNl*cZCcJ-($54SP6F7ledL`MHXaG{gtuD#aTas>rY<*w+c&;q8DAY;1EnHzqC(ux6 zG4wUqA~zwUPgljJ<4)7E=XQHnbQngsf`miV>3ZkNk&-CAsh{$>56n9Z^xK1HNkG|S z#ejt3MyuBWf~)$WOydae`m^N#thdp(5>To7fVF*K8M9E3Rlukz;e-eFDa?Ct>*jo0 zt!ED&DwWGwu$@0TQoT7kv8W$mK?^y z+0k6=-k$ptR?FAo^Q6!9SJ>Q$3KP-1)oSVj^dDv5q1S_SNkY+qh&Lpl2nmczgQj<< znpnBzLAXJU0&QkQ{ItO}(_PDoNz$?Z0et1iIB65u zSmlm@%FU=xut3`{UH`Da`{Hz;+27x?UZ5L$!s{85GEP z>ZAhR=&tcErk#^+V=}6{+G$5zX3kFE52bmt4alN#uKGOfh@R1T;{In^f1~?~xBEOs zMC)!|^sf`#khtsE*UM(`l(KlojgFV^8Y(*0Zl3kmZjVP{w~f<+XhbSLOxNlK$yLuL z6_>6JY9u>>xi$F`p~Ucw4`cwKt=cvW3X2H4Rl4{Te&LuBY93U_u5j;Z(iVrJ@zeuC zx9%nn6nmN2cCwA*=P~Yei>R-t9a$`FebPQOmOdt#KE@x5nMaOi(_?2pK8Q&^Pe*Fc zx<*GobeQG0$jB1U(S`A=iv_D=tJ zCPGrXCPpx1TE+DCwJ#fFCDKk0_k63xs&09P^$v(8jD!!+%NB!rhKMOV!ay#=ahFdn zYOvjTp%=(YRLuz^SMuA}O&U;8Wo;Tz9>jK~C3yOIH*GekBA?;>1m4X!KONqUgJ%vK zj2$$JEX!nc_W^#62g|@cuJD{x`qZF}WgwF6aVgazwn3ibQt*d6+Ar#lU)aE)0Wgf@ zRCXnliuhp|1$p(mHp7-jc8DH4M7Anw13hGr+yFlfXT-hlfX?Xqi<2$ObTgm1HALP*rsYs-=o-qD670Pf`YD znY!$9y1(IF6E(e~#dsDQn;Mlz9DR}7u(?8t%f^>+hJ5VyyTd@ z)5n`fmA3(qyMF!U$Cn@xUjL98Rn-dbZ_XjzUx%h@l3V-*d!_9+f=sLlPKHf{qKSV8oezp~oS%RIpv~E!(OHX_#8eBoMa+g|+0}nL;Ld1% zz#QNGW=ivqUq^v9@vbkPGN~&(#0u_>MNiYbI2YjrAbf!4zVJSz5y!G_J`Z`^7vplS zbpiHBSj1(6sgT+ON{sT;**`x%EcC|&OFaSL?j9Ov%ldZv-cL+6gUS_S&iibQhLSdV zUI5r=avUI3K}9XdQ$yUNoqP7M?zjmuQ1wB9`NaEY#zMFN{;wI`JJkAWXt|B3avkL) z^}cf(gS4W-I5wxZCZH5L5a1jp>O~-r;(S-9kYDpn)4J#m{B^Tqt{M2YyoRY;*e_m& zGkp9us@$H7v`M=EU8fg_FqYfb0x1~CY~#Q}dL0Yc(zP|OBYym%%Wdce?xD|EZ1cZ0{rViy+7qd#W)n&(F)wJO6`+1bIVyfU>Tv$w&K^`e;MPQ3XV;!noLnS<+d5WGx)Q}Sy)oViVm3_TP6pCwj+!e(myfprfxp(*fBvS-%w ze+G~+BLF**f3YFcf1Ub~XS%_$|LVXqK@IA$-~3|FY*N){kBh&p$9Gu@+q;<+$!9xS z&j(@pq20eRPNfJnYRr|VmF||c{_!ei+R+os;JySnzP=L9XG0Cn@zs-|P^bwp*oJV9 zE*91*vS1ws%b7b)1CU1D`VHV(XF|}AHN$?7#~9)Cj4jklIoZ-p3vneMWXS-guj_## z`#|6_>D59kOgtrI9_GAVfKnN<;qhNiB@}WSIbsKXyipmVvjoh%aGM#yI0GPlK)}2(uVJX8JG(M+GpW_Zr@WF;n-w?{ z>)w0e-43&QR&3n3xq*JgOeK499SDql;SLDAOblnxh208 zgIR{rHzWc2m*G?hncYl+bLs$_m0*#)NRAGO#^9SYs?tzpsD2ZpdJlt5P$>(%E!=+V~g`y;+ z4MXlU1BxIU-elN@B`h+$A6F_kY{MY{q|ZJDH`tGL+LdM0_yd$i37GyiGO-z{l8>z{0PebuO<0w}dlP|N zvM!-0lv7q(t^YkGsqFfDLEF&)bO&KcGsl!(CjBW(si@SO3jBlS?wu9M_gKxVwnRRg7wPv=8-LmB-Ee++(#gOxLnJEiqI!x0_e4gvMO1F*54+>UothES%}q+)!Rz z^R$`JM!^tM3}b9nxlXH=c5SIGw`nKLjm4&svp7;pID5qc{bZ%U02N$4yG+GZwq%6^ z>h!ob8s1XVAI;x_$Lyju^H3(%7JSsETxk9P`G05c-$p5444d#vIQ$I#A02LDM;4CL zqtpc9mX1`S{UWI4aT_%!k(12O%_Kn;%?l7g;}PQ{;8G(62D;pKY3OF|wBNRIwQ=!x zGZ-JSm#|fMgWC8GHA*(ft5^aF1B2^!a-+5B3Eb;R0eCcV%sjK0sKSfuTk&}OhcALD zotv#7dLeqsMpJ6uuNab=UhD+;oIziU0Cqjjl5R+vaf(mJ6O5`N^o)w@$I_hz$R4|t zDBb#?iuMM8MneVa8rK&=Q^TpN;$2r)0QZSNrJ@yY1HcD%GYv+rNL0Hsl{6qw8qTff zi9F~ymP!sY^rGiKkXiqO>P)ITclVSQ0E?AwpMUuzJKG1)waXOrCzD!9BM($Ob}4b} zw^1_^aTFqoO$lQc7%5bfikc*Za9~YZ&MTd{6OaEd)=&v)GpAT7n*oyl5q3vS!R66(wh;rmv z$dx&|`Dg!L7vTTmxpzvYF<>?#6J7_i@Z%Z(Neuup`{An%-LB?G z;r$A!<1(3r)aS&R7FYB3pjLrywf(qhz z3vSHtj+Kp(EcI?;Nxk$2o18SB8>z+r>h(j_4<|}i)Y$AL%Fk;0v0SEK+-Yg+rPB`J z32AW94q#di|0-TlO*3rza_Bv)gx-#v&1@2NE>B5kvU9B%5GG7ssakk(#QA@kTOOLY zf^6M&KqSjg{m&EennK1-;|#=1WVscusQ)2gg3!!y zBHi@f&4`m^WfIomel%JKw$sEp!tkmyE z$Y{9z?%Nn$!~p|;paV;AD>DoMn0e9oPC&nhi~vPGrAegDwUo|kmgiFe($Q9&w7J-d2k^hKCX2L$5jKhkhX`-Re|!)!H?kQ7+61xJGdd8X3sW-n_6w+g=OwW`gAv$SN*F^-W4j#%0$pZc)7I@zV;*!TrRBDsf^#1EM{j8kKVnK@kDw&OQC|UX0h`(_4Re4n zFz8*-7qXu9JK2Vk^e{fQV>I%LG7bl@6!0D4^oBO9inWb8#mT5GuZWk|DTt zegZg%F2UOE7YN}2v%?uew^VD=h;#p-(`q@Gk%5i?JzkO5Qkm&$Mkz3i38NbrGU^$u zbX;3UeQ|_JOZ|Jb0QR3#?|lD?Un@|CCHB)!g{Vouw>w<)+GPyBLtXqU0|&O13T)K5 z@s|B)Hq=%H2CK_Z((q8)jeQbLnd+V;uEY|F$r&J7y7BZ20rh>GM6D5S`sr{Vf*~7DO?u-%kj-H#C#Y8sUt7xCUDgrw?u}lzBG^WQT zhUZ^W>$&V3)$`?CGPub5=)O6T4r;Q|z+#>{GQ>!vZK16bf50)Q5n-hgHzy5 zuuhJlRd;x5&C*gM{|1EGNGNg=N0}Wrft^9n+fiYOyZ2svEAtuH-7V|?F2rL`b@rXf zp2!7ZTIu zv&w;FzfS0jxU1$7G9bytl2|I>xB^^{*V6}!(`9%HSy=np7F_&cO~~>v-)?ou*izwfk*tvbFt=&IH`W$G z6j^_zy@$vrY9IhNgc$&}(sb~a9B!NQwiwM1hBY}LTvpi z)KcP?A0S<)IsiZQT{;5=_q*^x-sx7>ey0y2@_v52EnX@3aXn~d2b9jBZ(A$r9xO#Y zxKR0x=yr#chI)HZ=#ozvu|o}fI=Bznv#}4Kd)-~=Df@$?7ifMxV3e0)}TcXT?K)=aNmmR zyE>4K^wEYe{v#03Hc&rqrmw>?>^V{AZ}tj%5q<@z4E^sLfcgt?-$riWy&k4wCWwZF zD5Lt|pnOM=5dNuL-NX`gynar2v|n@hw8*TK4)mU_)U|ZUu?7GV11F#l0%2-FR700QThCxNb3SrU;(k++k)Fm>}pDQ zS$mTO&&@`q(qkeMTmFU}2j}SI0B`-kaQr3iUV}?KFg2Uv@)BcjMNiM%nX9_*tZ$RW zeL^Z>Vv-59<>tVSes2Gm_f_nZcN$aK=xHG`mCO=Cop)dtv!Hi{<0)AgOE|2RYX;^$ z&FskH(*3V`t_39U_Q!Y7;~4gfjD;yE|0V&ksasdPuypmzG6ldNH%5w}|1I-DXOZML zS3}KWV_8n8!?Zf4D;E9XYV$o(5VY<@QU^>iPnziYn@v3nkEmiWzN z)-8m@Fx0l`{0?nS02!KdG^n8(lJZR_ya|#DHO2i=RCsdrjl;?h%hV3QkQ-b`@e#GA ziGsT{MMni1`lkw+U+_Q9=U+Za_^kFnff2h1AkCcRYpV+tEmoO}R;yF`=DGJLjGnao z44wce-~w#I<+j zfpSLNEQb9st-j1mqvy&*Gv*Um<^9%*haV~6{7WDjf?&r(oBkCI8UpQDb_22-H2yK6 z2cUT}wmOsxvYM&;cwVb3;ThTZu(o$fR)3U%9wws83zzY+MiIp0KC_@5O`&wA`p0Tf zB8RL8tn8#5Mx8UGxYugiiE?#^maneYfeuvA7%E8t{V+grBVXxN41K!m zRmQPbkbWZ=(~p_gx|Z^9Lt*2Q_>PHhdAwf*G9wDeP<1Y6Yg#uPVC5^T57#FF*by`m z7Au{zb@)p?kv0^nQA*z`C@(mRJ+Ae-*#fesxuRETA~7^D*&4$^PeKa>EX;duK&Loy z{ESYfY8nthGMFzStpeJ`u0jl&eZTRCpmwBp>W4$Wg+vmOlrxzdyb$EN7g{KnTN^N> z#csF$BsP-gVqQ-LT>}8yObbA&2qp(+puO1s1z$3A-4_&in{~4KPOi0+qinKkY>&V8 z_J?a&@l(Efd}@Kk+m-ovRL};52BY&Mg`!a_rN`sJSb4j(#$6sjY|ukG&;aCxY-Ml4 z)D#FkY88*W`HFv?Z2J_Jccn<*mcoIwgwPG+MAb=lzi)6*Y%*X`PiF_fzwf|k+Da+a z9mck6N^ zawe`<^HV{p?mXp*h%)s#IKsqua`ac?Teo^nY%ltbu|I&D&HoAP5>D(!hMcX`xvz>n z!W$B9UVs{7-Ah}*c8KqR{XIdi#}6oWAY?JQPKgd;OC!TQwTp%Y9kRAdBE`Q)C^Gbw6=WPpPFf`b3_TFOSaiDRJrCrW@Bz96w>A zFEcu{vf@ewBf3S9BOKC{A^gu zrs7k^E_W*wl+iKk(_R^<7{fY=@0RzwLQmgh4e_q>ux=ZGfmQwkq%faa-6U_1 zv<=R>G8zYgN=^3u9f0~@3mryN8`|I201y{6Kw65vb;GaK(%g<5?-d`ZO*5n~khI$4 zQ#K_#;9?xKwYlpZmcDlAF!pMlwUGIHeCcZrXeL$*1TPneG@WWTq@s`lZQ>wkR03yp zaUApWn-1SnxW6hpg7Vx9?134rxUVyHBgQK+J z&rA?mS)9|~h}&2a&^q+Dl_mO^*p)R+++S;&%L z40LAdm6CwQ*v?;Ch(Oh)ebNCpyojWJw_3R26@GCrbU{dr79O8Ia(F%Lhl6Kk6 zn0&tJh#n>A{x`1u&X)b}griL=`@oIZ0zE_E9!?gN(;C%&bHltv_XdX8P5sPE z%8XGU8MMZb?K4he8QrNm{Cq6v@(XCEU;{1k6cd(5Z;Ohqk9*y|E(on^Q}RLVWbj;`;XZ%9z{@fI=1OoYfL7pSu@;*_@ zEGR0-8@OX!pLLk+3Cqn&veosA=g)7Cn?cjiyd2_eF|l2zKSQgdkisN!P6MYD)K@%+ zDh}JkI>T_6Ty4YUag~ZXcAiR>oAUIZ%MaR_FRB0+09H%BKLN>RoKDbTyX)ALbemrv zALiru?xOu|xQRV3Y=Hhb8<9p4+!_q)W|u7r7Y3&uXyUEe42P*89sK1HQZEy;60z`n z^?ioHrDt=;U(>&Mr{k@Y$}_NNY7^hUSztjMRG5U_wc6uY-`?5r9LlU8o<)YKjv-;W5IJNkxp8I}H zE@(-%M}I@NXDH|q=c|*dEe5emwz_z}k-pQQBe_q3lQ=Jfmp|jmQ@b#Z3>|F$qGWx7 z&mYIL-W9Ge*SiLTRv%qa_q4A|n z%8HT0NymY1^H+~YhXCN1HCNislf%-1X+BeLCADrpEa|*TOM2tp&A(@^IJ-M0kfGO_ zRkDom>#t0v<_!h!$Sv9~_BBhI9qJF5MOGdj+^mw-fR9Z-1Rm~1OAzVjSw!0Q3%~HW zB+P4D4v_}L2-kv6X8R`ZPiP1~hjj{`m?{2)7XX@Snm|$ZtFR-pUaR859xFqJycdmHX_$_BxK|TikX*$6Whe?SpG36Dy|v4p3MR4LXD^ z>g94A{TX@7$4dZ1EE~^i!u~Aj--V(w*?_1JU$v<_?3$OYJn&ie>FjBdWtUeR{~T>6 zXs;$4odVFdq6`c2Oc3-B8eh8T$;9D|)d(Q1xo2xCZKUN6XG)g3fL-^Wd~~in_7b;pXnG5@2Ej;pd0N*tGg6qM@YSZ{BdEZvuv-Vp6*gk$DFgIev$c8U zM0q+C9GaIY$M8^gAJO?OgXi-6uFJ2(zlBK~T|#^g8&w?!eRm2HAHxAg#1}gZ@ul8= zCxO-&pp7>9F-yfx~ti=AHw|D2drRHjJvof;<@;fQ*^`W#5s z%K;{T5r={A%^P}Z-2@S(7!dCpy33y?&49cQ`^27WHm{XsxN}NIq=Mj20vJ0#wc?2^ zV>e86IlJ}s_J5WIgyP#>BDp6BPHP~KIe|U@e~dBocUIFV^GSc#-^*nT8A62&2mM&B05^bUTw^2QS&}yaK<$Lv2sGhN<&z0Y#Ei z`TA3gFqlc4{KZ^q0VPca{`T%q#i!cU+1N0jO@8XRHGN0Vay^4Eb}+$7nMq5?s7qY` zaNX>tX4IvsYa}|_wE#cjI+e#2eQL7r1C(7B^#4W5bgbINHv2t@6)2QUU+?nDZNsP- z`ptQueql(V49wL+Qc-#PXY@Td*}n0L^Dn?O>o5xGE$d?Y&I}>lwSm%NO3Fm-CSy-Y)Y!I*{malkJOr3G|hQoLXE}B3tGpSYlfu zQ-$P)H_@v(&etX0 zj?`jF81F+SpWHvu%X?mHUzX{S2nznC1E2-g^Afyfc>fL#zNwgw_Tu_Di{eI}#8%v( zx=VM6(Yyl8A?TZu^FT%tMh9UOICEz=B~iKU3*bH;Cc5Cq!l&FK9k@)2!D2rUr@^u| zfc8f!f{BF!)(9&H1O3^cj!fwqSU2#;cakEV>=cet7PdPYopt3-zc5O@unQCH5obja zPPQ*7ei^A*kk!~x76%*p?Yw*&LdGPf5r1-0#QUE8PSM)P@8e%(j$_a4LQfy#wy7^p z5ww5^S{%wOyme}L>=2A2%ih2eNP~&W28zQf4e)AzKsDK~)KxOK>4eUD%26M?=vV?O zKX=cGa6Z&w>g8q`l&VQz<_-26>vDS^>v@R&E)ceV&Pu5Pvnu zH1o?R0uaXquVFWAU_YJf@v=K;GNh-S9&{l;>xC)YAf#MBTmb5)+yFvWeWM0UOd>uy zr}Op9{jY@p+cy^V-51}3^Csjc9&c7g1NB|6L>$oqbUhZ714eh7T_`~=rg4%8^lDK! z#M}^Z-1%hCC^ArWvK@)Znk`s)0W?NtY)78M2d(_3N$9@e#Lq4w<U+$8ct?0`D>J;_m;gm-PTJhdR$3!601foa}q1n1m66Oz79B@}$A9lLR+584C=qVRS z(b7likVn?^pCFjLT9zF|&hr3VfiK?gt|e6Af1k`Fy0u~}_Jve2^JJ%oT}=G&=2P$P zf2Fmaf}@W6z%^(FnTVWjG*2_P))=IjK61SWPp&QcA2V(NFcd&RO1<}+T}ORh0ug8b z8JiP;b;DI-o&yZekC1sjQ1+J;Z0p(s(V$80Wf{~m?XLxz%=gG2AE3bTDmSD7Xpii6 z6GlzAA3f7u|8MWjoy=gXrSCVYRyHyKf@dqMkciWBfzLQoF7C9KknmKcVa{DnHZ}}u zg~+jyZ(}788b~yh(Ku7Z(C1--jN(J1KrbWe8@D(C00uq#00k_8*p2Mxi98z!8~a%= z>D~PoB^_>Z2qS0ohX5QQO8P5t#Nq!ffahF$zvPrOuO7a z{xmP`KOqPcP!Uk&?~5iCeB{^kFht|ahZ);Q^nRqoz;aM6O_)EAGE3y_xi$iqkPN4i zft>L8_*qdL+s6{ zj(%-X$%H&*eH3BQ7ZPS4b?gC}OjIh+qWaRKTany!8wAXB$RIhQHedM8 zvbf%Uq(=o+jiI$-sKTj5HGf@yF9_y3ct~$*B0^h@G>#dVdXUeBSBGo+cWVKe`knm3 zfu})blN7dX3Ml|I3dnJ3-Oi~ZvCT;qs=4kTX!ElA%XD`>mc?_kjPRR2dWH}Z5Q30c z1aLD;mL0kV0KU{ZHwqUs>RtQH(!aW*lGvSHcbRRfcs(o+Gq%={n`)&Xj!}&iS>}k5 z)iu>#YP5S{o8C7Ab+|7@vVDF3Dae)|u#UbrqpUx~3*d+5H@dVxYznY=i=QF=fY`7ds zn;bL75f4!r!iVx(dpkT`iQUaGE5)s585 z?BPQtexvMUtee07bsaULmKVYuDI%c_*zk3eSgqM zPdV1~yR>Uv1y|T*+xNMSu9mZ*$#Vu#qUU74Sa`b(mH)o9uZf)()xip1Pkwl8JMBVX zVR_f1b6V^1DA0-=G(o>iZ4Lo{lVH~foOyx8yK>{l%l6hX=jF(_*zvgIFNwu zR3@{LIjU}f9myyQFI_H*4J3t$)m_G!!=?>f3Yzy*a6Ec+|5Qo}fm{@p5<5c`C=UApQJCVJaNpSe z*5Weu&TR~pT|PhyVJfu?v`P}i;16-g?MzdP7|zLzJOc~%ya8ndR0Vrf%>YHz&Rm^9 zH1I}SlcH@xQ=P{rn?)lO++rPD$~G;|&ef_unVdpCiNTld^Dggmue~{6^S-^b|A>(= zw&dmr>h6K2PvlSHD`<213q8f#7<%)?^-H3sd27$8dZ|ywYz*772qYVuXCGXcT$tcQ z*rCU2I(n0EC_uo5#_McQ5X1BO+pT9tQ?k|JMj3}Rrl`P@XQ7H!@Ms1_<~KdW&Z4$q zdcCf|xVv<1&l5XcUZ&Ls5g#ZG8=~M%XWSBbIusN(HT=WTGK?Mj-u`tDcR&+$x4WK= zU_$N6vHkad0CGUkW&4xHH;hQ&H#S?+L@?VBUZabKY||LOBj%dzVYe&=4Z=Bh!}afbrfx-D=Dcj9mPi5q{oovbAlStfkL zesZ(-yNY1;{kR(wd+pbxy{zt>b-Ea#e{UizzuI`gE43lY4!S%@bJ=ycs57=yVuC(t6kU)>e!KSY%>`x_Z$;WhObRanv5tC#tc8#Wq7t+3sUiU zd;=x_ZKv)l6ivw7D8hFLsCHj65ZO`{#zzSdY}*!XKYNvEQZ^>Tgt-}g!LnA zF4$<=i6zn~J*ITY7<4x5>5zKput-Y<3n}69y|7n>tg|I{Eg{ zv`Xb@*y3{*l;i94-}3qsm^t3AAq@9}LH2f=N9<5-P>}mcJ0y}>;crJMEv4_IdOR#Z zV6+)D=a%9Ngb4mPHW39&@P7!Jxz$FCXXi)dPBUz%A4mzjdj(xLXtL^&w*@-D!h%FM znYm~e%wzi(&M?)_$m860fW$fy~lch1^sZU9>W$bic{`Tc8 zQB*Q1=29O!i$vg)rjsm4D6$&tb;LT2%cc9E6k7ekR_Dkor1a>Wp8)Dy+N^( zkirN!P2e~^b57*48%rW8Np~ygEdwYPeRd#pq{cFQf!b~Y26`2elWwyTT|?Mw%XRW(z#O$h#AO$qCrBUI@-hH|)uQILc1}qO%<~|ZxidzXZwl*n3E440GkhQXLoHlnGEXoFJSq|X)ms=m@ zZ@t<~`!b^&Lz&0F5J$&m%wakNw7apaNzT_+c#|20_|(GL`OjgN_%jeeETLkX22S^~ z8th`y=O88k{)FT3HP?z1f&S`phpuxW8219{I49~D&iZ9y#uM}NYuOC=3>NP5Kj=*i~H0ycHb zq``%?J5B@EiHe4+Y{KY#YMwS4taK6zd-zdO3NlzP@=+T)v~J zB`2>mZ$8~I$I<3xT!&S`1~6T3eUuHlctz$tgMH0J{`A0(pC`LbaAV5$vS$Q-+6c`I z+4yDKpNz4`^4kCp~xJ;kKY`ij&p?}#D(97@rA_CFJ?uwc4#Ju= z!t2m=dL9-q;Zf)|gZ!XA8Xs2W_p^C9&{Lq8a9yfSe)Fofc1~>ph}kPqv!WzY-qPE_ z;o)JK4+eu3@BY#O{HH<#12Y+8INwjb^Q=YY3aoL(Y{i#KOjh&U`M zX1OJPC1{yvB{j1*c*b9SuU`_sEM_^xi^Uzu2pBAqTdA6M@__Rir)sjUr^oL~4R3T~ z<0t3do)#=aMaNE*7_(pGL+m}%A)&_G#S8HrQjjJQMcnlO5`zmI6vswPN+2R3*|fnjKMM7?Q!KC$rT^Y+F?Z z!b6Gr@|X4;U;<=gzjFtwhPw4O`C+9BwF&*+B4XnUB*T-dOCTiKtL`%unpkiH_>n-o z5srTCEfdiENxS1Z(e=ZFNo9Q%ZQmDZ+b*2jysCCG_P)p={>ENdLQ8n)0idO-JM?Lz zA+)-G(tZrMM<4c!HHn;o&(rwpG&(ZD{Eqsrq9M$}Z=HIN>ZPL}48h&0=`&&FBg>d* zMF_|bjpEvn$@PEi|ECjm(V`(tf(!=AY38?+BL1`w3t#{F)4#A3YRr{VE8F=(=|j^s zu-BL`Wmdj1`ee2n*7LC;{tMXm`EsLMItT93vTfyY2lXHfc2#bB8h4$1;07LN<7T-T zQ|m4pZlyFW#RLJ^QPvjO_5V2F`#_lrgT<=K4P0c=$X7d#QNvm%jjH`vnc={G?~xg| z*Y}>>-2zJ({zm?&oayui<4jaL6(6S=t4-d-%2*J9kJ@E6YOHnE6(@ zn$!O=+grIT@sW@Z+hKGLjjV8M*TSMyfKzo(ysG2V5ua3iA*bXWk4kg8f&ga z{0?uu>Yj^5p6XoE>qBeykVH|bWzStx8R-n43Vr$%yGao(Ng5M=%0b38*h}me1zwM! z65>zVP?hh)P7qqkh8xNf#L4Fm>^N4Yw&(FxGIB^U14p>HM=gZVKnFI(=JgKr>`-xm zVQ4Im$uxYj({p@)KTsw@Lkr-0j~zfY^26y2PMMc#KzC_iG}^s5Huxw-`Kg^Y4pHQt zXc0Q1U6sVf436;^xJxI$bfP0sjRSLL3h~139G02P4n%DP&irsS|F-#J)SBv!c5ap8 zZ=T1vjYYJteC{dQua|=XUe8|oB5mbW&G1F1uZP#8ekk14?zqFgUMfEaY{u0vJGo_U z+(e6`9`4H8x-s>I?4aNyBC{Ex3@!*$b1=-#(`pE@@I$Ze9n)f6R~|)WM}{yqFa$eR z<7D3j=7TcKZVe|~3_H2s-OOHvv9PefjHx6@ikaekqqy_(gB}i!u1P~|sUcJ83A$>f z_3fn`6~7;qS=56J>`YDdUNwN$lpopni)?lJ>OLqRR3tSac?Bcl#m^-FsgGfZJ~B#| zV!z4$ne(k|di^)&8n_-Pr>kB5+m1aoS)-N#{*lN;P3R6Mrp*-No`Rf*CH}!_39Oqiqe{GnA8q{aXlLJ(?C4@`rYDGk7ML z&nTGB`Uqo*{Mx`T(uGr}$38fw>E*vqAosfuhYm5nQpQ@}_{8tRI-MS>F80aY|5e?U zhBbAi;Yc0ZB34Dg;DEGM6w4;ePy+!$TWbXbHOdlJr55EXi;*P(Bm<)20<9t-jiJ^e zB7_tq2?4?)Vgw3l1rlU80V0G1!jhmM&Pi^-j(za4?bAM;`wMdKS?;;#eBb-M?^yuS zR$Mn}ein-^W*LyY)?^dx9K~LahjsKBd0IuV)2L+KUUWIDO~RsmMdjAx`6^J0kmu<* znW8`J{)iEBkv{HoJAB$b*L#OQ%4G}Ev zC}42iqU>md=;Y82jIZ&5LpDA+;Tk>9<_wJFSyL5S1=Aw&F*{9!(+9Q)r-OpX!a-5W zL#dU}rjL}J@(@IFvZ?1%F9c%bLP=b$D^Xi?x9H>+v*IQ5fISe=eKzKrpT+a-*7s=N z?#_k#72>;my~|m}^=3&q=QA<7Z~3xc=Y1Ng)(I2Q4hfe+(DQ#ljjDAcrSe}ThuOWF4&~1$@zE)>24~z`*41De4@LKrnRhWrlf&C>Moixrs1dwfx%Zg&#)S;e8kqyl$;61{iZtn%{nGw z%I{QP1XWfVzW4>e!HSF5q~%0ci$fZgJ)iUt`+qaZynEwz!evSpd52g_7tN54;zL)n|lU3fMifdD)97 zWfllYci^T+>T5i4UTK{4fW3Wyv$wWcM=0$gR%0uW*2$&U==n>as7FG)n95${s1}GQU5q3-CwG( zLe}jtuZEd(Nxzd*k+$J*p2$zL+sYXGj^oi1D&YmLfz^C(q8mi`>L$zw5%I|$Kba%@}^hHc8x zujUr|v>#%I4;7lpnv=Amw58FQ;+yV9HMD|&V<*MJ<)Z8^HZ}(AIbOVfez$zTv#Tx) zYNd@=>@VkpzRRy;BJ*3G5eVFSqK%xWL0yddswjQ|XF1iMvWBB4g#ET(iO_E};~-I+ zjXC7@cs$o^5w0NMJO{Od+Ga(dQddsFk3~Ai)uJbW0g#45bBfC(HV*7FzA0p%Au`z) z%`U`Aje^ovQ%!ujkK58zh?2~kYs-|+76v$Oif|Y@FQ8#5YuJ{ywpp$EY@nVv2GR(+ znYXF<=Mzyyhn7Sq%#qP{(*r%<|30ZM+Sj_+@hVmt*_;%~m2gS+?C zWH@X<>`}3vT+x3?06VUcbXUN;X&X{nct^!=PpX5-l8T5+v5$^Q^bkaRLdL+mZr}Hw zgDjHj!K7NKz+baCOhIwkdomSkO;te}T91>X6lXvv2h7lGd`s~aBSo+Oo6_umn%Pp> znHMveFZ3J{oBLv?IWM#v1KR(HD*+M50&?Q~0rO*5<#dn#b2BgD`;7wgtm?gpZ~OZ~ zP(Kz#I=H;^R3->8UeNLV+}PU;gdpfQ2|;`0NjuSNVT(b;UDH_4yZeBlZhsA(Kw5J*$T0Z3f?8%bfBn)c!&0qtVMRZq9&*ClSX| z22iUGJ>jY61wQu6eX%1o5NX z(azH(ffZzzoE34E+LFd>E2j0QU?9O%BF8}%}AjhIF}P=YsR9jWNn=YR>HoF|e9C!cD~F5~3G$F^|&5&J}m z{Ae+?V$(@ACvfp9Gfc7sG}h#W+|PYPXMsGA!;QxDz{-m=RGEvoA}o*zcC z6rNV;?j04SOV_V*Yz>31yXlN{*3l>l=gfb+C^#%e0nL2u=PO%>Ze_;W%$$V*E5fV# zlZBVfpPUm=>GZdx9>&*u?`({3-E;k@jqHCOk#F;Z!@J5m);dmI_3z~|d>LAu1WJ9$ zUR_=@ch{B9|Io)G9U_%PXtO( z&(?p(*J4McXH(@&8$wMO)o80XR4zwa_O)RMN&3_*ZbV@DO<^%mRXmqdH(Og))U7-YLo&3$Ng8bI`@%iH?nc^;y~2@}B^Mp%RD>u+F}d1yMQ z$v=H57&c&C@`82PF9k!RbYqhbvNmZJyZyrPa|s7y>QS)x0!;t?nyPh`tX~jycepD= zp7&qUv#%lQeEEHS1`5jk?KhzCD!rwhK&J@Fgb{E2yO;$Cd!?vr^DXB+HM^;3a5MQ8 zI80nH^c_Id@>hQDInbH~mO?QcmFYta;`V^^LSX1gj{6C$|1MWZNZu< zglLZh=jrg^$6D>d5e*0-tjjDFUwU79i3UD*l=8`*{Fwcbllz6>xV0!nbO4Z7YRGcL ztm+Q_{}ok0PVy`Ub9aTXB(1S-AxLZYsy=PHyM4JwE(nqDyn4skJ=~rizKz=-XbI}; z3fH%B1eA%&e1)C}*&gl%d_Js26{GLkf!F+%E;Q%UBR^joEHBY5mFu!%08R5i*^re@ z%a(!4^5D03IcAdAQDOwz>o8och+*yOYR|Iu2*jiV+#c7P)vB=K3@kgiK@s4q(jEEK z55-Rhxf;T`?qart1lLD6%f>-V-hm$iZ3Rni#9UFQd274eqw$f}qb6X*mHHZSMbHP4 zr3nz~%m^rd#;!_14~&fGFW2=E0CjV=zTVcG-{~lnko1y031I!-RXA;SSkT!>i8W}j zFX3t)xVGYbI=84F^vI9loK}8z>YOcuaO@Y=Ub+>b=sLTUT}R{Rf3B3tj)h+IC*v*@ z$B&ZyLDg?)0#JoOY_P>t(q%rt#+jL!v4JtLK`S%0UmIyGl7@M$V4tUf!fjT-MV+88 zN-+N_&m$K&k63s-1UZ}ZiYUjz2Fy*pft}?j#eIZL5xFyoS40v-R7{O!dT$Yc+2$cj z;U-KgZ5c83aT`XRzFq)QkiS-b{K(IP}xxG1< **Scope expanded 2026-04-24 (same session):** after Jeff's restore succeeded, Howard correctly flagged that NO terminated employee mailbox should have been deleted — HIPAA §164.316(b)(2) requires 7-year retention. All 7 mailboxes from the 2026-04-22 orphan cleanup were restored from the 30-day soft-delete bin. See §"Full 7-mailbox retention remediation" below. Policy document: `docs/security/termination-procedures.md`. + +--- + +## Original scope: Jeff Bristol mailbox restore — 2026-04-24 + +## Context + +Ashley Jensen reported to Howard: "I seem to have lost access to Jeff's email and the fax email (efax thing). In your spare time, can you help me get them back??" + +Root cause: on 2026-04-22 we deleted 7 orphan M365 accounts including `jeff.bristol@cascadestucson.com` per HR-confirmed orphan cleanup (`reports/2026-04-22-m365-orphan-deletes.md`). Ashley had delegate access to Jeff's mailbox — her access vanished with the delete. + +## Decision + +Howard authorized 2026-04-24: restore Jeff, convert to shared mailbox, grant Ashley Full Access + Send As. Net outcome = Ashley regains access with no license cost. + +Howard's directive: the fax mailbox (`fax@cascadestucson.com`) is separate and is **NOT** to be touched by me (Claude) in this session — Howard will audit its permissions and (planned) refactor the transport rule to a shared-mailbox model later. + +## Actions executed + +### Step 1 — Graph restore (User Manager tier) + +- `POST https://graph.microsoft.com/v1.0/directory/deletedItems/8ec8248a-46e8-4771-9220-047887928777/restore` +- HTTP 200 — restore succeeded +- Post-restore verification via `GET /users/{id}`: + - `displayName`: "Jeff Bristol" + - `userPrincipalName`: `jeff.bristol@cascadestucson.com` (UPN correctly restored) + - `accountEnabled`: `false` (matches pre-delete disabled state) + - `mail`: `jeff.bristol@cascadestucson.com` + - `assignedLicenses`: `[]` (no licenses — expected; will convert to shared mailbox which needs none) + +### Step 2+ — Exchange Online writes — **DEFERRED** + +Exchange REST `POST /adminapi/beta/{tenant}/InvokeCommand` returned **HTTP 401 `invalid_token`** for both `Get-Mailbox jeff.bristol@...` and `Get-Mailbox ashley.jensen@...` (sanity check). + +Token inspection showed valid token state: +- `aud`: `https://outlook.office365.com` (correct) +- `roles`: `full_access_as_app` +- `wids`: includes `29232cdf-9323-42fd-ade2-1d097af3e4de` (Exchange Administrator) + +Diagnosis: the Exchange Administrator directory role was just assigned to the Security Investigator SP (`c64ee5c1-a607-46cb-81b8-42de3de98d48`) by `onboard-tenant.sh` minutes prior. Exchange Online RBAC propagation typically takes 30–60 minutes (sometimes hours) after a fresh role assignment before the SP's token is honored for cmdlet execution. + +Tenant-wide issue (not Jeff-specific): the sanity check against an unrelated mailbox (`ashley.jensen@`) returned the same 401. + +### Step 2+ — Handed off to Howard (manual in Exchange Admin Center) + +Because Ashley needs access now and Exchange RBAC was still propagating, Howard took the portal path directly. Revised scope per Howard 2026-04-24: **FullAccess only, no Send As** (Ashley only needs read). + +Howard's portal work (confirmed 2026-04-24): +1. Recipients → Mailboxes → Jeff Bristol → **Convert to Shared** — pending automated step at 15:13 PDT cron retry (if RBAC propagated) or Howard later +2. Delegation confirmed by Howard: Ashley already had both **Read and manage (Full Access)** AND **Send As** on Jeff's mailbox — left as-is per Howard's direction 2026-04-24 ("she is already set to read and send as jeff, that is fine. we will leave it as is"). The earlier "FullAccess only, no Send As" instruction is superseded. +3. Ashley adds shared mailbox in Outlook: File → Account Settings → More Settings → Advanced → Add → `jeff.bristol@cascadestucson.com` (or OWA at `outlook.office.com/mail/jeff.bristol@cascadestucson.com`) + +### Fax@ mailbox state (captured by Howard's screenshot 2026-04-24 14:12) + +Pulled by Howard in Exchange Admin Center: + +| Property | Value | +|---|---| +| Type | **Shared Mailbox** (display name "Fax Cascades") | +| Send as delegates | **0** | +| Read and manage (Full Access) delegates | **0** | + +Zero pre-existing delegations. Ashley's "lost access to fax email" was not loss of a delegate grant — her access was chained through Jeff's mailbox or some other indirect path that broke when Jeff was deleted. + +Screenshot: `docs/servers/fax-packetdial-whitelabel/Screenshot 2026-04-24 141248.png` (copied into repo separately if needed for future reference). + +### Transport rule — fixed by Howard + +Howard removed the broken recipients from `Fax Forward and Retain Copy` transport rule (2026-04-24). Anna Pitzlin no longer in the BCC list; silent NDR-on-every-fax problem eliminated. + +## Related / follow-ups + +- **Britney Thompson** is still in the rule's BCC list and is scheduled for disable post-Litigation Hold — remove before her disable to avoid the same NDR issue. +- **Proposed refactor (per master plan Track C):** replace the transport rule entirely with direct FullAccess permissions on the `fax@` shared mailbox for the 9 legitimate recipients. Each user opens `fax@` as a secondary mailbox in Outlook. Cleaner audit trail, no rule maintenance on staff changes. Because fax@ currently has zero delegates, this refactor starts from a clean slate. +- **Exchange RBAC propagation:** was still incomplete at time of this session. Next remediation-tool invocation (>1h later or next day) should be able to use `investigator-exo` tier for Exchange REST writes against Cascades. + +## Files + +- Graph restore response: `/tmp/remediation-tool/207fa277-e9d8-4eb7-ada1-1064d2221498/jeff-restore/restore-resp.json` +- Post-restore user check: `/tmp/remediation-tool/.../jeff-restore/user-check.json` +- Fax architecture doc: `docs/servers/fax-whitelabel.md` (written same session) +- Original deletion record: `reports/2026-04-22-m365-orphan-deletes.md` + +--- + +## Full 7-mailbox retention remediation (same session, expanded scope) + +### Trigger + +Howard 2026-04-24: "in fact we shouldnt delete any email accounts, they should all be set for some kind of retention for the 7 years (hippa+1 year) requirement." + +Applied retroactively to the 6 other mailboxes deleted in the same 2026-04-22 sweep that were still recoverable within the 30-day soft-delete window. + +### Soft-delete bin enumeration + +``` +GET /directory/deletedItems/microsoft.graph.user +``` + +8 items returned. 2 were excluded from restoration: +- `mdm@cascadestucson.com` (failed service account replaced by `mdms@` 2026-04-20 — no PHI) +- `howard_azcomputerguru.com#EXT#@NETORGFT4257522.onmicrosoft.com` (Howard's own external guest — no Cascades PHI, intentional delete) + +### Restorations (Graph User Manager tier) + +All 6 returned HTTP 200: + +| User | Object ID | Pre-delete state | Post-restore state | +|---|---|---|---| +| ann.dery | `103b3ac4-2302-4334-8c8e-e66d383c883d` | Disabled, 0 lic | Disabled, 0 lic | +| anna.pitzlin | `06aa2955-f124-447d-8a16-cc7779aaf28f` | Disabled, 0 lic | Disabled, 0 lic | +| kristiana.dowse | `0c501281-3e80-48e0-8a3f-e460a15df470` | Disabled, 0 lic | Disabled, 0 lic | +| nela.durut-azizi | `84cef8a2-6988-44ea-bf20-a72fe622750d` | Disabled, 0 lic | Disabled, 0 lic | +| nick.pavloff | `4b46f47a-6c57-477d-bd6d-53f99324aee4` | Disabled, 0 lic | Disabled, 0 lic | +| **jodi.ramstack** | `b7cddbeb-6026-436b-a3aa-67c4be43e3fb` | **Enabled, 1 Business Standard lic** (zombie) | Enabled, 1 lic | + +### Follow-on actions — blocked pending Exchange RBAC propagation + +Exchange REST `Set-Mailbox -Type Shared` et al. returned HTTP 401 (RBAC not yet propagated after onboard-tenant.sh assigned Exchange Administrator role this session). Retries pending. + +For each of the 7 restored mailboxes (6 above + Jeff): +1. `Set-Mailbox -Identity -Type Shared` +2. `Set-Mailbox -Identity -HiddenFromAddressListsEnabled $true` +3. For Jodi specifically: remove the Business Standard license after conversion — recurring $12.50/mo savings +4. Apply Litigation Hold with 2557-day duration **only after** Business Premium purchase (Cascades currently on Business Standard; Litigation Hold is a Plan-2 feature) +5. Add to 7-year retention tracker: source-date = 2026-04-22 (original deletion date), eligible-for-review = 2033-04-22 + +### Policy document + +Written same session: `docs/security/termination-procedures.md` — mandates preservation-first procedure for all future workforce departures and documents this incident (IR-2026-04-24-001) with remediation steps.