From 9d28489abbeab2de7cb5efae81faca78d2e4719d Mon Sep 17 00:00:00 2001
From: "blinkagent[bot]" <237617714+blinkagent[bot]@users.noreply.github.com>
Date: Sat, 30 May 2026 13:05:51 +0500
Subject: [PATCH 01/23] chore(provisioner/terraform): preserve existing
 AWS_SDK_UA_APP_ID (#24606)

Co-authored-by: blink-so[bot] <211532188+blink-so[bot]@users.noreply.github.com>
Co-authored-by: Atif Ali <atif@coder.com>
---
 provisioner/terraform/provision.go            |  2 +-
 provisioner/terraform/safeenv.go              | 36 +++++++++++++++
 .../terraform/safeenv_internal_test.go        | 44 +++++++++++++++++++
 3 files changed, 81 insertions(+), 1 deletion(-)
 create mode 100644 provisioner/terraform/safeenv_internal_test.go

diff --git a/provisioner/terraform/provision.go b/provisioner/terraform/provision.go
index 592bc3c9cc..90c96403bc 100644
--- a/provisioner/terraform/provision.go
+++ b/provisioner/terraform/provision.go
@@ -381,7 +381,7 @@ func provisionEnv(
 		"CODER_WORKSPACE_BUILD_ID="+metadata.GetWorkspaceBuildId(),
 		"CODER_TASK_ID="+metadata.GetTaskId(),
 		"CODER_TASK_PROMPT="+metadata.GetTaskPrompt(),
-		"AWS_SDK_UA_APP_ID=APN_1.1/pc_cdfmjwn8i6u8l9fwz8h82e4w3$",
+		awsSDKUserAgentEnv(safeEnvironValue(env, awsSDKUserAgentEnvKey)),
 	)
 	if metadata.GetPrebuiltWorkspaceBuildStage().IsPrebuild() {
 		env = append(env, provider.IsPrebuildEnvironmentVariable()+"=true")
diff --git a/provisioner/terraform/safeenv.go b/provisioner/terraform/safeenv.go
index 4da2fc32cd..a42a899bc8 100644
--- a/provisioner/terraform/safeenv.go
+++ b/provisioner/terraform/safeenv.go
@@ -53,3 +53,39 @@ func safeEnviron() []string {
 	}
 	return strippedEnv
 }
+
+// safeEnvironValue returns the value of the named variable in the given
+// `KEY=VALUE` environment slice, or an empty string if it is not present.
+func safeEnvironValue(env []string, name string) string {
+	prefix := name + "="
+	for _, e := range env {
+		if strings.HasPrefix(e, prefix) {
+			return strings.TrimPrefix(e, prefix)
+		}
+	}
+	return ""
+}
+
+const (
+	awsSDKUserAgentEnvKey = "AWS_SDK_UA_APP_ID"
+	// awsSDKUserAgentCoder is Coder's AWS Partner Revenue Measurement
+	// User-Agent string. The `APN_1.1/pc_<product-code>$` format and the
+	// space-delimited append behavior below follow AWS's guidance:
+	// https://docs.aws.amazon.com/PRM/latest/aws-prm-onboarding-guide/automated-user-agent.html
+	awsSDKUserAgentCoder = "APN_1.1/pc_cdfmjwn8i6u8l9fwz8h82e4w3$"
+)
+
+// awsSDKUserAgentEnv returns the AWS_SDK_UA_APP_ID value to pass to the
+// Terraform subprocess. If the caller's environment already configures an
+// Application ID (e.g. an operator who is also an AWS Partner and wants
+// their own revenue attribution), Coder's value is appended with a space
+// delimiter so both attributions are preserved. Otherwise Coder's value is
+// used on its own.
+//
+// See: https://docs.aws.amazon.com/PRM/latest/aws-prm-onboarding-guide/automated-user-agent.html
+func awsSDKUserAgentEnv(existing string) string {
+	if existing == "" {
+		return awsSDKUserAgentEnvKey + "=" + awsSDKUserAgentCoder
+	}
+	return awsSDKUserAgentEnvKey + "=" + existing + " " + awsSDKUserAgentCoder
+}
diff --git a/provisioner/terraform/safeenv_internal_test.go b/provisioner/terraform/safeenv_internal_test.go
new file mode 100644
index 0000000000..1863f8fee1
--- /dev/null
+++ b/provisioner/terraform/safeenv_internal_test.go
@@ -0,0 +1,44 @@
+package terraform
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestSafeEnvironValue(t *testing.T) {
+	t.Parallel()
+
+	env := []string{
+		"FOO=bar",
+		"AWS_SDK_UA_APP_ID=my-existing-id",
+		"BAZ=qux",
+	}
+	require.Equal(t, "my-existing-id", safeEnvironValue(env, "AWS_SDK_UA_APP_ID"))
+	require.Equal(t, "bar", safeEnvironValue(env, "FOO"))
+	require.Equal(t, "", safeEnvironValue(env, "MISSING"))
+}
+
+func TestAWSSDKUserAgentEnv(t *testing.T) {
+	t.Parallel()
+
+	t.Run("NoExisting", func(t *testing.T) {
+		t.Parallel()
+		require.Equal(t,
+			"AWS_SDK_UA_APP_ID=APN_1.1/pc_cdfmjwn8i6u8l9fwz8h82e4w3$",
+			awsSDKUserAgentEnv(""),
+		)
+	})
+
+	t.Run("AppendToExisting", func(t *testing.T) {
+		t.Parallel()
+		// When the operator is themselves an AWS Partner and has set their own
+		// Application ID, we append Coder's with a space delimiter so both
+		// attributions are preserved. See:
+		// https://docs.aws.amazon.com/PRM/latest/aws-prm-onboarding-guide/automated-user-agent.html
+		require.Equal(t,
+			"AWS_SDK_UA_APP_ID=EXISTING_APP_ID APN_1.1/pc_cdfmjwn8i6u8l9fwz8h82e4w3$",
+			awsSDKUserAgentEnv("EXISTING_APP_ID"),
+		)
+	})
+}

From 8bec65a56aff25c9778e9acee117bc898b62d4bd Mon Sep 17 00:00:00 2001
From: 35C4n0r <70096901+35C4n0r@users.noreply.github.com>
Date: Sat, 30 May 2026 13:44:01 +0530
Subject: [PATCH 02/23] chore(dogfood): remove tasks bits from coder and
 vscode-coder templates (#25479)

Co-authored-by: Atif Ali <atif@coder.com>
---
 dogfood/coder/main.tf        |   5 --
 dogfood/vscode-coder/main.tf | 106 ++++++-----------------------------
 2 files changed, 17 insertions(+), 94 deletions(-)

diff --git a/dogfood/coder/main.tf b/dogfood/coder/main.tf
index aad65c886f..ad576e543f 100644
--- a/dogfood/coder/main.tf
+++ b/dogfood/coder/main.tf
@@ -277,7 +277,6 @@ data "coder_external_auth" "github" {
 
 data "coder_workspace" "me" {}
 data "coder_workspace_owner" "me" {}
-data "coder_task" "me" {}
 data "coder_workspace_tags" "tags" {
   tags = {
     "cluster" : "dogfood-v2"
@@ -991,10 +990,6 @@ resource "coder_metadata" "container_info" {
     key   = "region"
     value = data.coder_parameter.region.option[index(data.coder_parameter.region.option.*.value, data.coder_parameter.region.value)].name
   }
-  item {
-    key   = "ai_task"
-    value = data.coder_task.me.enabled ? "yes" : "no"
-  }
 }
 
 resource "coder_script" "boundary_config_setup" {
diff --git a/dogfood/vscode-coder/main.tf b/dogfood/vscode-coder/main.tf
index eece70b548..791136979f 100644
--- a/dogfood/vscode-coder/main.tf
+++ b/dogfood/vscode-coder/main.tf
@@ -204,7 +204,6 @@ data "coder_external_auth" "github" {
 
 data "coder_workspace" "me" {}
 data "coder_workspace_owner" "me" {}
-data "coder_task" "me" {}
 data "coder_workspace_tags" "tags" {
   tags = {
     "cluster" : "dogfood-v2"
@@ -541,99 +540,28 @@ resource "coder_metadata" "container_info" {
     key   = "region"
     value = data.coder_parameter.region.option[index(data.coder_parameter.region.option.*.value, data.coder_parameter.region.value)].name
   }
-  item {
-    key   = "ai_task"
-    value = data.coder_task.me.enabled ? "yes" : "no"
-  }
-}
-
-# --- AI task support ---
-
-locals {
-  claude_system_prompt = <<-EOT
-    -- Framing --
-    You are a helpful coding assistant working on the coder/vscode-coder
-    VS Code extension. Aim to autonomously investigate and solve issues
-    the user gives you and test your work, whenever possible.
-
-    Avoid shortcuts like mocking tests. When you get stuck, you can ask
-    the user but opt for autonomy.
-
-    -- Tool Selection --
-    - Built-in tools for everything:
-      (file operations, git commands, builds & installs, one-off shell commands)
-
-    -- Testing --
-    Integration tests launch a real VS Code instance and require a
-    virtual framebuffer. Run them headlessly with:
-      xvfb-run -a pnpm test:integration
-    This matches how CI runs them. Unit tests do not need xvfb-run:
-      pnpm test
-
-    -- Workflow --
-    When starting new work:
-    1. If given a GitHub issue URL, use the `gh` CLI to read the full
-       issue details with `gh issue view <issue-number>`.
-    2. Create a feature branch for the work using a descriptive name
-       based on the issue or task.
-       Example: `git checkout -b fix/issue-123-ssh-retry`
-    3. Proceed with implementation following the AGENTS.md guidelines.
-
-    -- Context --
-    This is the coder/vscode-coder VS Code extension. It is a real-world
-    production extension used by developers to connect to Coder workspaces.
-    Be sure to read AGENTS.md before making any changes.
-  EOT
 }
 
 module "claude-code" {
-  count               = data.coder_task.me.enabled ? data.coder_workspace.me.start_count : 0
-  source              = "dev.registry.coder.com/coder/claude-code/coder"
-  version             = "4.9.2"
-  enable_boundary     = true
-  agent_id            = coder_agent.dev.id
-  workdir             = local.repo_dir
-  claude_code_version = "latest"
-  model               = "opus"
-  order               = 999
-  claude_api_key      = data.coder_parameter.use_ai_bridge.value ? data.coder_workspace_owner.me.session_token : var.anthropic_api_key
-  agentapi_version    = "latest"
-  system_prompt       = local.claude_system_prompt
-  ai_prompt           = data.coder_task.me.prompt
+  count             = data.coder_workspace.me.start_count
+  source            = "dev.registry.coder.com/coder/claude-code/coder"
+  version           = "5.2.0"
+  enable_ai_gateway = data.coder_parameter.use_ai_bridge.value
+  anthropic_api_key = data.coder_parameter.use_ai_bridge.value ? "" : var.anthropic_api_key
+  agent_id          = coder_agent.dev.id
+  workdir           = local.repo_dir
 }
 
-resource "coder_ai_task" "task" {
-  count  = data.coder_task.me.enabled ? data.coder_workspace.me.start_count : 0
-  app_id = module.claude-code[count.index].task_app_id
-}
-
-resource "coder_app" "watch" {
-  count        = data.coder_task.me.enabled ? data.coder_workspace.me.start_count : 0
+resource "coder_app" "claude" {
   agent_id     = coder_agent.dev.id
-  slug         = "watch"
-  display_name = "pnpm watch"
-  icon         = "${data.coder_workspace.me.access_url}/icon/code.svg"
-  command      = "screen -x pnpm_watch"
-  share        = "authenticated"
-  open_in      = "tab"
-  order        = 0
-}
-
-resource "coder_script" "watch" {
-  count              = data.coder_task.me.enabled ? data.coder_workspace.me.start_count : 0
-  display_name       = "pnpm watch"
-  agent_id           = coder_agent.dev.id
-  run_on_start       = true
-  start_blocks_login = false
-  icon               = "${data.coder_workspace.me.access_url}/icon/code.svg"
-  script             = <<-EOT
-    #!/usr/bin/env bash
-    set -eux -o pipefail
-
-    trap 'coder exp sync complete pnpm-watch' EXIT
-    coder exp sync want pnpm-watch install-deps
-    coder exp sync start pnpm-watch
-
-    cd "${local.repo_dir}" && screen -dmS pnpm_watch /bin/sh -c 'while true; do pnpm watch; echo "pnpm watch exited with code $? restarting in 10s"; sleep 10; done'
+  slug         = "claude"
+  display_name = "Claude Code"
+  icon         = "/icon/claude.svg"
+  open_in      = "slim-window"
+  command      = <<-EOT
+    #!/bin/bash
+    set -e
+    cd "${local.repo_dir}"
+    exec tmux new-session -A -s claude claude
   EOT
 }

From 6f5220202d3b2ba32ab9825c77310b1ccc4f5269 Mon Sep 17 00:00:00 2001
From: Atif Ali <atif@coder.com>
Date: Sun, 31 May 2026 10:03:34 +0500
Subject: [PATCH 03/23] fix(site/src/modules/resources): clarify agent log
 download button label (#25641)

---
 site/src/modules/resources/DownloadAgentLogsButton.stories.tsx | 2 +-
 site/src/modules/resources/DownloadAgentLogsButton.tsx         | 2 +-
 site/src/modules/resources/DownloadSelectedAgentLogsButton.tsx | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/site/src/modules/resources/DownloadAgentLogsButton.stories.tsx b/site/src/modules/resources/DownloadAgentLogsButton.stories.tsx
index 08f3f60e5d..b2c9114a46 100644
--- a/site/src/modules/resources/DownloadAgentLogsButton.stories.tsx
+++ b/site/src/modules/resources/DownloadAgentLogsButton.stories.tsx
@@ -34,7 +34,7 @@ export const ClickOnDownload: Story = {
 	play: async ({ canvasElement, args }) => {
 		const canvas = within(canvasElement);
 		await userEvent.click(
-			canvas.getByRole("button", { name: "Download logs" }),
+			canvas.getByRole("button", { name: "Download agent logs" }),
 		);
 		await waitFor(() =>
 			expect(args.download).toHaveBeenCalledWith(
diff --git a/site/src/modules/resources/DownloadAgentLogsButton.tsx b/site/src/modules/resources/DownloadAgentLogsButton.tsx
index 6850578897..fbc676d9d9 100644
--- a/site/src/modules/resources/DownloadAgentLogsButton.tsx
+++ b/site/src/modules/resources/DownloadAgentLogsButton.tsx
@@ -58,7 +58,7 @@ export const DownloadAgentLogsButton: FC<DownloadAgentLogsButtonProps> = ({
 			}}
 		>
 			<DownloadIcon />
-			{isDownloading ? "Downloading..." : "Download logs"}
+			{isDownloading ? "Downloading..." : "Download agent logs"}
 		</Button>
 	);
 };
diff --git a/site/src/modules/resources/DownloadSelectedAgentLogsButton.tsx b/site/src/modules/resources/DownloadSelectedAgentLogsButton.tsx
index 7aab6fd56c..16509cb568 100644
--- a/site/src/modules/resources/DownloadSelectedAgentLogsButton.tsx
+++ b/site/src/modules/resources/DownloadSelectedAgentLogsButton.tsx
@@ -63,7 +63,7 @@ export const DownloadSelectedAgentLogsButton: FC<
 				>
 					<DownloadIcon />
 					<span className="sr-only">
-						{isDownloading ? "Downloading..." : "Download logs"}
+						{isDownloading ? "Downloading..." : "Download agent logs"}
 					</span>
 					<ChevronDownIcon className="size-icon-sm" />
 				</Button>

From 9c111a2be2ed87490083a1224e86f04cb7bcc6ba Mon Sep 17 00:00:00 2001
From: Dean Sheather <dean@deansheather.com>
Date: Sun, 31 May 2026 23:36:05 +1000
Subject: [PATCH 04/23] chore: disable release freezing on dev.coder.com
 (#25881)

---
 scripts/should_deploy.sh | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/scripts/should_deploy.sh b/scripts/should_deploy.sh
index 6259f9e109..003828b411 100755
--- a/scripts/should_deploy.sh
+++ b/scripts/should_deploy.sh
@@ -17,6 +17,20 @@ deploy_branch=main
 # branch names.
 branch_name=$(git branch --show-current)
 
+# Short circuit: we no longer deploy release branches to dogfood, and instead
+# test them on the stable deployment.
+# TODO: once we're happy with the new deployment process, we can remove this
+# script and the related github workflow stuff.
+if [[ "$branch_name" == "main" ]]; then
+	log "VERDICT: DEPLOY"
+	echo "DEPLOY" # stdout
+	exit 0
+else
+	log "VERDICT: NOOP"
+	echo "NOOP" # stdout
+	exit 0
+fi
+
 if [[ "$branch_name" != "main" && ! "$branch_name" =~ ^release/[0-9]+\.[0-9]+$ ]]; then
 	error "Current branch '$branch_name' is not a supported branch name for dogfood, must be 'main' or 'release/x.y'"
 fi

From 76d3181aba6c2be0e06b816265e5228a0d7b7685 Mon Sep 17 00:00:00 2001
From: Ethan <39577870+ethanndickson@users.noreply.github.com>
Date: Mon, 1 Jun 2026 13:42:37 +1000
Subject: [PATCH 05/23] ci(.github/workflows): bump action-linkspector to
 v1.5.2 (#25882)

The `check-docs` job has been failing on every PR touching `docs/**`
since 2026-05-29. `umbrelladocs/action-linkspector` runs linkspector
under puppeteer, which expects an exact Chrome build (e.g.
`148.0.7778.97`) in `/home/runner/.cache/puppeteer`. When that build
isn't present on the hosted runner, linkspector crashes with `Could not
find Chrome` and reviewdog then fails parsing the empty rdjson output
with `proto: syntax error`.

The pinned `v1.4.1` of the action was installing linkspector `0.4.7`,
whose puppeteer requires `148.0.7778.97`; that build is no longer in the
runner cache. Upstream `v1.5.2` upgrades linkspector to `0.5.3` and adds
Chromium fallback logic, but on `ubuntu-22.04` x86_64 none of its new
code paths fire (the AppArmor branch is gated on `lsb_release -rs ==
"24.04"`, the system-Chromium branch on aarch64 or missing 24.04
sysctl), so the bump alone leaves the same Chrome error in place.

This PR:

- Bumps the action to `v1.5.2` (linkspector `0.5.3`).
- Sets `PUPPETEER_EXECUTABLE_PATH=/usr/bin/google-chrome` on the action
step. The hosted `ubuntu-22.04` image ships Google Chrome at that path.
`v1.5.2`'s `script.sh` short-circuits Chromium setup when this env is
set, so puppeteer skips the cache lookup and uses the runner binary
directly.

End-to-end verified by temporarily perturbing `docs/**` on this branch
so the workflow's `pull_request` trigger would fire:
https://github.com/coder/coder/actions/runs/26732938434. `check-docs`
ran linkspector against `docs/**` for ~2m30s and exited 0, with no
`Could not find Chrome` or reviewdog parse errors in the log. That
perturbation has been removed from the branch.

Refs UmbrellaDocs/action-linkspector#62,
UmbrellaDocs/action-linkspector#61
---
 .github/workflows/weekly-docs.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/weekly-docs.yaml b/.github/workflows/weekly-docs.yaml
index 0d34ef1f43..505c8522de 100644
--- a/.github/workflows/weekly-docs.yaml
+++ b/.github/workflows/weekly-docs.yaml
@@ -55,9 +55,14 @@ jobs:
           mkdir -p "$(pnpm store path --silent)"
 
       - name: Check Markdown links
-        uses: umbrelladocs/action-linkspector@37c85bcde51b30bf929936502bac6bfb7e8f0a4d # v1.4.1
+        uses: umbrelladocs/action-linkspector@036f295d12b67b0c4b445bc83db0538afb78db69 # v1.5.2
         id: markdown-link-check
         # checks all markdown files from /docs including all subfolders
+        env:
+          # Use the runner-provided Chrome instead of letting linkspector's
+          # puppeteer download a specific version that may not match the
+          # runner's puppeteer cache. See: https://github.com/UmbrellaDocs/action-linkspector/issues/62
+          PUPPETEER_EXECUTABLE_PATH: /usr/bin/google-chrome
         with:
           reporter: github-pr-review
           config_file: ".github/.linkspector.yml"

From 8b7e040105c10e9a5bad5689da607c1f32f9c9e7 Mon Sep 17 00:00:00 2001
From: Mathias Fredriksson <mafredri@gmail.com>
Date: Mon, 1 Jun 2026 12:42:09 +0300
Subject: [PATCH 06/23] fix(coderd/x/chatd/chatloop): discourage doctrine in
 compaction summaries (#25850)

Two additions to the compaction summary prompt:

1. Error specificity: the "errors encountered" bullet now instructs the
   model to keep error notes specific (name the file, the error, the
   fix) and not generalize from a specific failure to a blanket
   tool-avoidance rule. This addresses the doctrine crystallization
   pattern where a single tool failure gets promoted to a standing
   "avoid tool X" rule that persists across compactions and model swaps.

2. Reproducibility: a new closing sentence instructs the model to
   reference reproducible content by path, command, or URL rather than
   inlining it. Content without a stable reproducer is still preserved
   inline with a brief summary. This targets summary bloat from
   inlined code blocks (worst case: 34k chars, 76 code blocks
   reproducing repo content verbatim).

Refs CODAGT-331
---
 coderd/x/chatd/chatloop/compaction.go | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/coderd/x/chatd/chatloop/compaction.go b/coderd/x/chatd/chatloop/compaction.go
index 503eff51bc..b267f17e2a 100644
--- a/coderd/x/chatd/chatloop/compaction.go
+++ b/coderd/x/chatd/chatloop/compaction.go
@@ -35,14 +35,22 @@ const (
 		"- Key decisions made and their rationale\n" +
 		"- Concrete technical details: file paths, function names, " +
 		"commands, APIs, and configurations\n" +
-		"- Errors encountered and how they were resolved\n" +
+		"- Errors encountered and how they were resolved. Keep error " +
+		"notes specific: name the file, the error, and the fix. Do not " +
+		"generalize from a specific failure to a blanket tool-avoidance " +
+		"rule (e.g. \"tool X is unreliable\" or \"always use Y instead " +
+		"of Z\")\n" +
 		"- Current state of the work: what is DONE, what is IN PROGRESS, " +
 		"and what REMAINS to be done\n" +
 		"- The specific action the assistant was performing or about to " +
 		"perform when this summary was triggered\n\n" +
 		"Be dense and factual. Every sentence should convey essential " +
 		"context for continuation. Do not include pleasantries or " +
-		"conversational filler."
+		"conversational filler. For content that can be reproduced " +
+		"(repo files, command output, API responses), reference how to " +
+		"obtain it (file path, command, URL) rather than inlining the " +
+		"full content. Include brief inline summaries when the content " +
+		"itself would exceed a few lines."
 	defaultCompactionSystemSummaryPrefix = "The following is a summary of " +
 		"the earlier conversation. The assistant was actively working when " +
 		"the context was compacted. Continue the work described below:"

From 6ecf804896f41e25344d263abd8955a5918f5b05 Mon Sep 17 00:00:00 2001
From: Mathias Fredriksson <mafredri@gmail.com>
Date: Mon, 1 Jun 2026 13:58:57 +0300
Subject: [PATCH 07/23] test(cli): eliminate race in PausedDuringWaitForReady
 test (#25858)

The PausedDuringWaitForReady and WaitsForWorkingAppState tests flaked
because the quartz resetTrap was released immediately after catching
ticker.Reset (line 174), allowing client.TaskByID (line 175) to race
with the subsequent DB mutation (pauseTask / PatchAppStatus).

Fix: keep the resetTrap open across both poll iterations. On the first
poll, release the trap so the goroutine sees the initial state and
continues. On the second poll, hold the goroutine frozen at
ticker.Reset while mutating state. Then release; client.TaskByID
deterministically sees the mutated state. No race because the
goroutine cannot execute client.TaskByID while trapped.

Closes CODAGT-482
---
 cli/task_send_test.go | 56 +++++++++++++++++++++++++++----------------
 1 file changed, 35 insertions(+), 21 deletions(-)

diff --git a/cli/task_send_test.go b/cli/task_send_test.go
index c90cb335cc..1590bcab29 100644
--- a/cli/task_send_test.go
+++ b/cli/task_send_test.go
@@ -237,7 +237,10 @@ func Test_TaskSend(t *testing.T) {
 		t.Parallel()
 
 		// Given: An initializing task (workspace running, no agent
-		// connected).
+		// connected). Close the agent, pause, then resume so the
+		// workspace is started but no agent is connected. The
+		// command enters waitForTaskIdle directly (initializing
+		// path), where we verify it handles an external pause.
 		setupCtx := testutil.Context(t, testutil.WaitLong)
 		setup := setupCLITaskTest(setupCtx, t, nil)
 
@@ -246,8 +249,6 @@ func Test_TaskSend(t *testing.T) {
 		resumeTask(setupCtx, t, setup.userClient, setup.task)
 
 		// Set up mock clock and traps before starting the command.
-		// Without a mock clock the poll can race with the stop build
-		// and see a transient 'unknown' status instead of 'paused'.
 		mClock := quartz.NewMock(t)
 		tickTrap := mClock.Trap().NewTicker("task_send", "poll")
 		resetTrap := mClock.Trap().TickerReset("task_send", "poll")
@@ -271,23 +272,28 @@ func Test_TaskSend(t *testing.T) {
 		tickCall.MustRelease(ctx)
 		tickTrap.Close()
 
-		// Fire the immediate first poll (time.Nanosecond initial interval).
-		// This poll sees 'initializing' because no agent is connected.
+		// Fire the first poll. The goroutine calls ticker.Reset
+		// which the trap catches, freezing the goroutine BEFORE
+		// client.TaskByID runs. Release it so the first poll
+		// sees 'initializing' and continues.
 		mClock.Advance(time.Nanosecond).MustWait(ctx)
-
-		// Wait for Reset (confirms first poll completed).
 		resetCall := resetTrap.MustWait(ctx)
 		resetCall.MustRelease(ctx)
-		resetTrap.Close()
 
-		// Pause the task while waitForTaskIdle is polling. Since
-		// no agent is connected, the task stays initializing until
-		// we pause it, at which point the status becomes paused.
+		// Fire the second poll. The goroutine is again frozen at
+		// ticker.Reset by the trap.
+		mClock.Advance(5 * time.Second).MustWait(ctx)
+		resetCall = resetTrap.MustWait(ctx)
+
+		// While the goroutine is frozen (before client.TaskByID),
+		// pause the task. The stop build completes, so the DB has
+		// (stop, succeeded) = 'paused'.
 		pauseTask(ctx, t, setup.userClient, setup.task)
 
-		// Fire second poll at the regular 5s interval. The stop
-		// build has completed, so the poll sees 'paused'.
-		mClock.Advance(5 * time.Second).MustWait(ctx)
+		// Release the trap. The goroutine unfreezes and
+		// client.TaskByID deterministically sees 'paused'.
+		resetCall.MustRelease(ctx)
+		resetTrap.Close()
 
 		// Then: The command should fail because the task was paused.
 		err := w.Wait()
@@ -328,23 +334,31 @@ func Test_TaskSend(t *testing.T) {
 		tickCall.MustRelease(ctx)
 		tickTrap.Close()
 
-		// Fire the immediate first poll (time.Nanosecond initial interval).
+		// Fire the first poll. The goroutine calls ticker.Reset
+		// which the trap catches, freezing the goroutine BEFORE
+		// client.TaskByID runs. Release it so the first poll
+		// sees "working" and continues.
 		mClock.Advance(time.Nanosecond).MustWait(ctx)
-
-		// Wait for Reset (confirms first poll completed and saw "working").
 		resetCall := resetTrap.MustWait(ctx)
 		resetCall.MustRelease(ctx)
-		resetTrap.Close()
 
-		// Transition the app back to idle so waitForTaskIdle proceeds.
+		// Fire the second poll. The goroutine is again frozen
+		// at ticker.Reset by the trap.
+		mClock.Advance(5 * time.Second).MustWait(ctx)
+		resetCall = resetTrap.MustWait(ctx)
+
+		// While the goroutine is frozen (before client.TaskByID),
+		// transition the app to idle.
 		require.NoError(t, agentClient.PatchAppStatus(ctx, agentsdk.PatchAppStatus{
 			AppSlug: "task-sidebar",
 			State:   codersdk.WorkspaceAppStatusStateIdle,
 			Message: "ready",
 		}))
 
-		// Fire second poll at the regular 5s interval.
-		mClock.Advance(5 * time.Second).MustWait(ctx)
+		// Release the trap. The goroutine unfreezes and
+		// client.TaskByID deterministically sees "idle".
+		resetCall.MustRelease(ctx)
+		resetTrap.Close()
 
 		// Then: The command should complete successfully.
 		require.NoError(t, w.Wait())

From 1fcb4002d7c7a0a13b2c7cad00b1eff5ecbf9381 Mon Sep 17 00:00:00 2001
From: Ethan <39577870+ethanndickson@users.noreply.github.com>
Date: Mon, 1 Jun 2026 21:25:29 +1000
Subject: [PATCH 08/23] fix: show execute tool errors (#25886)

Execute tool failures that only return an `error` field, such as
stopped-workspace connection failures, were rendered as a generic failed
command without showing the backend detail.

Normalize execute results into transcript blocks so shell output and
tool errors both render in the *expanded* command transcript, and add
Storybook coverage for connection errors plus output-with-error cases.

<img width="832" height="482" alt="image"
src="https://github.com/user-attachments/assets/50b04b9a-b153-48e5-ab5e-6c2fa000f21e"
/>

edit: i've dropped the red on the danger icon, though it was
pre-existing. no point alerting the user to an error the model will
handle.


Closes CODAGT-530
---
 .../tools/ExecuteTool.stories.tsx             | 126 +++++++++++++-----
 .../ChatElements/tools/ExecuteTool.tsx        |  27 ++--
 .../components/ChatElements/tools/Tool.tsx    |   7 +-
 .../ChatElements/tools/toolVisibility.test.ts |  41 +++++-
 .../ChatElements/tools/toolVisibility.ts      |  19 ++-
 5 files changed, 171 insertions(+), 49 deletions(-)

diff --git a/site/src/pages/AgentsPage/components/ChatElements/tools/ExecuteTool.stories.tsx b/site/src/pages/AgentsPage/components/ChatElements/tools/ExecuteTool.stories.tsx
index d9b469ff9c..54a47fe050 100644
--- a/site/src/pages/AgentsPage/components/ChatElements/tools/ExecuteTool.stories.tsx
+++ b/site/src/pages/AgentsPage/components/ChatElements/tools/ExecuteTool.stories.tsx
@@ -1,10 +1,13 @@
 import type { Meta, StoryObj } from "@storybook/react-vite";
-import { userEvent, within } from "storybook/test";
+import { expect, userEvent, within } from "storybook/test";
 import { ExecuteTool } from "./ExecuteTool";
 
 const longCommand =
 	"find /home/coder/project/src -type f -name '*.ts' -not -path '*/node_modules/*' -not -path '*/.git/*' | xargs grep -l 'deprecated' | sort | head -50";
 
+const stoppedWorkspaceError =
+	"workspace has no running agent: the workspace is likely stopped. Use the start_workspace tool to start it";
+
 const meta: Meta<typeof ExecuteTool> = {
 	title: "components/ai-elements/tool/ExecuteTool",
 	component: ExecuteTool,
@@ -18,7 +21,7 @@ const meta: Meta<typeof ExecuteTool> = {
 	args: {
 		status: "completed",
 		isError: false,
-		output: "",
+		transcriptBlocks: [],
 	},
 };
 export default meta;
@@ -28,7 +31,7 @@ type Story = StoryObj<typeof ExecuteTool>;
 export const ShortCommand: Story = {
 	args: {
 		command: "git status",
-		output: "",
+		transcriptBlocks: [],
 	},
 	play: async ({ canvasElement }) => {
 		const canvas = within(canvasElement);
@@ -43,7 +46,7 @@ export const RunningWithoutCommand: Story = {
 	args: {
 		command: "",
 		status: "running",
-		output: "",
+		transcriptBlocks: [],
 	},
 };
 
@@ -57,7 +60,7 @@ export const LongCommand: Story = {
 	],
 	args: {
 		command: longCommand,
-		output: "",
+		transcriptBlocks: [],
 	},
 	play: async ({ canvasElement }) => {
 		const canvas = within(canvasElement);
@@ -72,14 +75,19 @@ export const LongCommand: Story = {
 export const LongCommandWithOutput: Story = {
 	args: {
 		command: longCommand,
-		output: [
-			"src/api/legacyClient.ts",
-			"src/components/OldTable/OldTable.tsx",
-			"src/hooks/useObsoleteAuth.ts",
-			"src/pages/SettingsPage/DeprecatedPanel.tsx",
-			"src/utils/formatDate.ts",
-			"src/utils/legacyHelpers.ts",
-		].join("\n"),
+		transcriptBlocks: [
+			{
+				kind: "output",
+				text: [
+					"src/api/legacyClient.ts",
+					"src/components/OldTable/OldTable.tsx",
+					"src/hooks/useObsoleteAuth.ts",
+					"src/pages/SettingsPage/DeprecatedPanel.tsx",
+					"src/utils/formatDate.ts",
+					"src/utils/legacyHelpers.ts",
+				].join("\n"),
+			},
+		],
 	},
 };
 
@@ -87,19 +95,24 @@ export const LongCommandWithOutput: Story = {
 export const WithOutput: Story = {
 	args: {
 		command: "docker ps --format 'table {{.Names}}\t{{.Status}}\t{{.Ports}}'",
-		output: [
-			"NAMES                STATUS              PORTS",
-			"coder-gateway        Up 3 hours          0.0.0.0:3000->3000/tcp",
-			"coder-database       Up 3 hours          0.0.0.0:5432->5432/tcp",
-			"coder-provisioner    Up 3 hours",
-			"redis-cache          Up 3 hours          0.0.0.0:6379->6379/tcp",
-			"nginx-proxy          Up 2 hours          0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp",
-			"prometheus           Up 2 hours          0.0.0.0:9090->9090/tcp",
-			"grafana              Up 2 hours          0.0.0.0:3001->3001/tcp",
-			"jaeger               Up 1 hour           0.0.0.0:16686->16686/tcp",
-			"otel-collector       Up 1 hour           0.0.0.0:4317->4317/tcp",
-			"loki                 Up 1 hour           0.0.0.0:3100->3100/tcp",
-		].join("\n"),
+		transcriptBlocks: [
+			{
+				kind: "output",
+				text: [
+					"NAMES                STATUS              PORTS",
+					"coder-gateway        Up 3 hours          0.0.0.0:3000->3000/tcp",
+					"coder-database       Up 3 hours          0.0.0.0:5432->5432/tcp",
+					"coder-provisioner    Up 3 hours",
+					"redis-cache          Up 3 hours          0.0.0.0:6379->6379/tcp",
+					"nginx-proxy          Up 2 hours          0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp",
+					"prometheus           Up 2 hours          0.0.0.0:9090->9090/tcp",
+					"grafana              Up 2 hours          0.0.0.0:3001->3001/tcp",
+					"jaeger               Up 1 hour           0.0.0.0:16686->16686/tcp",
+					"otel-collector       Up 1 hour           0.0.0.0:4317->4317/tcp",
+					"loki                 Up 1 hour           0.0.0.0:3100->3100/tcp",
+				].join("\n"),
+			},
+		],
 	},
 };
 
@@ -108,8 +121,12 @@ export const Running: Story = {
 	args: {
 		command: "go test -race -count=1 ./coderd/...",
 		status: "running",
-		output:
-			"=== RUN   TestWorkspaceAgent\n--- PASS: TestWorkspaceAgent (0.42s)",
+		transcriptBlocks: [
+			{
+				kind: "output",
+				text: "=== RUN   TestWorkspaceAgent\n--- PASS: TestWorkspaceAgent (0.42s)",
+			},
+		],
 	},
 };
 
@@ -119,11 +136,54 @@ export const ErrorOutput: Story = {
 		command: "make build",
 		status: "completed",
 		isError: true,
-		output: [
-			"coderd/workspaces.go:142:6: cannot use ws (variable of type *database.Workspace) as database.Store value in argument to api.Authorize",
-			"coderd/workspaces.go:155:19: ws.OwnerID undefined (type *database.Workspace has no field or method OwnerID)",
-			"make: *** [build] Error 1",
-		].join("\n"),
+		transcriptBlocks: [
+			{
+				kind: "output",
+				text: [
+					"coderd/workspaces.go:142:6: cannot use ws (variable of type *database.Workspace) as database.Store value in argument to api.Authorize",
+					"coderd/workspaces.go:155:19: ws.OwnerID undefined (type *database.Workspace has no field or method OwnerID)",
+					"make: *** [build] Error 1",
+				].join("\n"),
+			},
+		],
+	},
+};
+
+/** A connection error renders its details inside the expanded transcript. */
+export const ConnectionError: Story = {
+	args: {
+		command: "ls -la",
+		status: "error",
+		isError: true,
+		shellToolDisplayMode: "auto",
+		transcriptBlocks: [{ kind: "error", text: stoppedWorkspaceError }],
+	},
+	play: async ({ canvasElement }) => {
+		const canvas = within(canvasElement);
+		const errorMessage = await canvas.findByText(
+			/workspace has no running agent/i,
+		);
+		await expect(errorMessage).toBeVisible();
+	},
+};
+
+/** A timed-out command can return partial output plus an execute error. */
+export const OutputWithError: Story = {
+	args: {
+		command: "go test ./...",
+		status: "completed",
+		isBackgrounded: true,
+		transcriptBlocks: [
+			{
+				kind: "output",
+				text: [
+					"=== RUN   TestWorkspaceAgent",
+					"--- PASS: TestWorkspaceAgent (0.42s)",
+					"=== RUN   TestWorkspaceBuild",
+				].join("\n"),
+			},
+			{ kind: "error", text: "command timed out after 10s" },
+		],
 	},
 };
 
diff --git a/site/src/pages/AgentsPage/components/ChatElements/tools/ExecuteTool.tsx b/site/src/pages/AgentsPage/components/ChatElements/tools/ExecuteTool.tsx
index 6f0a3b18f0..70f2c9fddf 100644
--- a/site/src/pages/AgentsPage/components/ChatElements/tools/ExecuteTool.tsx
+++ b/site/src/pages/AgentsPage/components/ChatElements/tools/ExecuteTool.tsx
@@ -27,6 +27,7 @@ import {
 	resolveAgentDisplayState,
 } from "./displayMode";
 import { ToolIcon } from "./ToolIcon";
+import type { ExecuteTranscriptBlock } from "./toolVisibility";
 import {
 	formatShellDurationMs,
 	sanitizeExecuteModelIntent,
@@ -37,7 +38,7 @@ import {
 
 type ExecuteToolProps = {
 	command: string;
-	output: string;
+	transcriptBlocks: readonly ExecuteTranscriptBlock[];
 	status: ToolStatus;
 	isError: boolean;
 	durationMs?: number;
@@ -53,8 +54,9 @@ type ExecuteToolInnerProps = ExecuteToolProps & {
 };
 
 export const ExecuteTool: React.FC<ExecuteToolProps> = (props) => {
+	const hasTranscriptBlocks = props.transcriptBlocks.length > 0;
 	const autoDisplayState: AgentDisplayState =
-		props.output.length > 0 ||
+		hasTranscriptBlocks ||
 		props.status === "running" ||
 		props.isBackgrounded ||
 		!!props.killedBySignal
@@ -75,7 +77,7 @@ export const ExecuteTool: React.FC<ExecuteToolProps> = (props) => {
 
 const ExecuteToolInner: React.FC<ExecuteToolInnerProps> = ({
 	command,
-	output,
+	transcriptBlocks,
 	status,
 	isError,
 	durationMs,
@@ -127,7 +129,7 @@ const ExecuteToolInner: React.FC<ExecuteToolInnerProps> = ({
 							<span
 								aria-label="Command failed"
 								role="img"
-								className="flex shrink-0 text-content-destructive"
+								className="flex shrink-0 text-content-secondary"
 							>
 								<TriangleAlertIcon aria-hidden className="size-3.5 shrink-0" />
 							</span>
@@ -168,7 +170,7 @@ const ExecuteToolInner: React.FC<ExecuteToolInnerProps> = ({
 			{outputOpen && (
 				<ShellTranscriptBody
 					command={command}
-					output={output}
+					transcriptBlocks={transcriptBlocks}
 					isError={isError}
 				/>
 			)}
@@ -217,9 +219,9 @@ const ShellCommandLine: React.FC<{
 
 const ShellTranscriptBody: React.FC<{
 	command: string;
-	output: string;
+	transcriptBlocks: readonly ExecuteTranscriptBlock[];
 	isError: boolean;
-}> = ({ command, output, isError }) => {
+}> = ({ command, transcriptBlocks, isError }) => {
 	return (
 		<ScrollArea
 			className="col-start-1 col-span-2 mt-2 rounded-xl bg-surface-secondary/60 text-2xs"
@@ -233,16 +235,19 @@ const ShellTranscriptBody: React.FC<{
 					</span>{" "}
 					{command}
 				</pre>
-				{output.length > 0 && (
+				{transcriptBlocks.map((block) => (
 					<pre
+						key={block.kind}
 						className={cn(
 							"m-0 mt-4 whitespace-pre-wrap break-words border-0 bg-transparent p-0 font-mono text-xs font-normal leading-5",
-							isError ? "text-content-destructive" : "text-content-secondary",
+							block.kind === "error" || isError
+								? "text-content-destructive"
+								: "text-content-secondary",
 						)}
 					>
-						{output}
+						{block.text}
 					</pre>
-				)}
+				))}
 			</div>
 		</ScrollArea>
 	);
diff --git a/site/src/pages/AgentsPage/components/ChatElements/tools/Tool.tsx b/site/src/pages/AgentsPage/components/ChatElements/tools/Tool.tsx
index 82c18f6fe7..5fce31cff8 100644
--- a/site/src/pages/AgentsPage/components/ChatElements/tools/Tool.tsx
+++ b/site/src/pages/AgentsPage/components/ChatElements/tools/Tool.tsx
@@ -231,12 +231,15 @@ const ExecuteRenderer: FC<ToolRendererProps> = ({
 	shellToolDisplayMode,
 }) => {
 	const data = getExecuteRenderData(args, result);
+	const outputBlock = data.transcriptBlocks.find(
+		(block) => block.kind === "output",
+	);
 
 	if (data.authenticateURL) {
 		return (
 			<ExecuteAuthRequiredTool
 				command={data.command}
-				output={data.output}
+				output={outputBlock?.text ?? ""}
 				authenticateURL={data.authenticateURL}
 				providerLabel={data.providerLabel}
 			/>
@@ -245,7 +248,7 @@ const ExecuteRenderer: FC<ToolRendererProps> = ({
 	return (
 		<ExecuteToolComponent
 			command={data.command}
-			output={data.output}
+			transcriptBlocks={data.transcriptBlocks}
 			status={status}
 			isError={isError}
 			durationMs={data.durationMs}
diff --git a/site/src/pages/AgentsPage/components/ChatElements/tools/toolVisibility.test.ts b/site/src/pages/AgentsPage/components/ChatElements/tools/toolVisibility.test.ts
index 03db7e4c80..e6aa89b3a0 100644
--- a/site/src/pages/AgentsPage/components/ChatElements/tools/toolVisibility.test.ts
+++ b/site/src/pages/AgentsPage/components/ChatElements/tools/toolVisibility.test.ts
@@ -1,6 +1,9 @@
 import { describe, expect, it } from "vitest";
 import { getExecuteRenderData, shouldRenderTool } from "./toolVisibility";
 
+const stoppedWorkspaceError =
+	"workspace has no running agent: the workspace is likely stopped. Use the start_workspace tool to start it";
+
 describe("toolVisibility", () => {
 	describe("getExecuteRenderData", () => {
 		it("parses execute output and auth metadata from result payloads", () => {
@@ -18,13 +21,49 @@ describe("toolVisibility", () => {
 				),
 			).toEqual({
 				command: "git fetch origin",
-				output: "fetched",
+				transcriptBlocks: [{ kind: "output", text: "fetched" }],
 				durationMs: 47200,
 				isBackgrounded: true,
 				authenticateURL: "https://example.com/auth",
 				providerLabel: "GitHub",
 			});
 		});
+
+		it("normalizes execute error results into transcript blocks", () => {
+			const data = getExecuteRenderData(
+				{ command: "ls -la" },
+				{ error: stoppedWorkspaceError },
+			);
+
+			expect(data.command).toBe("ls -la");
+			expect(data.transcriptBlocks).toEqual([
+				{ kind: "error", text: stoppedWorkspaceError },
+			]);
+			expect(
+				data.transcriptBlocks.map((block) => block.text).join("\n"),
+			).toContain("workspace has no running agent");
+		});
+
+		it("keeps output before error when both fields exist", () => {
+			expect(
+				getExecuteRenderData(
+					{ command: "make build" },
+					{ output: " compiling ", error: " failed " },
+				).transcriptBlocks,
+			).toEqual([
+				{ kind: "output", text: "compiling" },
+				{ kind: "error", text: "failed" },
+			]);
+		});
+
+		it("uses message as an error fallback when error is blank", () => {
+			expect(
+				getExecuteRenderData(
+					{ command: "coder login" },
+					{ error: "  ", message: " auth required " },
+				).transcriptBlocks,
+			).toEqual([{ kind: "error", text: "auth required" }]);
+		});
 	});
 
 	describe("shouldRenderTool", () => {
diff --git a/site/src/pages/AgentsPage/components/ChatElements/tools/toolVisibility.ts b/site/src/pages/AgentsPage/components/ChatElements/tools/toolVisibility.ts
index daaca9e269..32c17772fd 100644
--- a/site/src/pages/AgentsPage/components/ChatElements/tools/toolVisibility.ts
+++ b/site/src/pages/AgentsPage/components/ChatElements/tools/toolVisibility.ts
@@ -8,9 +8,14 @@ import {
 	toProviderLabel,
 } from "./utils";
 
+export type ExecuteTranscriptBlock = {
+	kind: "output" | "error";
+	text: string;
+};
+
 type ExecuteRenderData = {
 	command: string;
-	output: string;
+	transcriptBlocks: ExecuteTranscriptBlock[];
 	durationMs?: number;
 	isBackgrounded: boolean;
 	authenticateURL: string;
@@ -29,6 +34,16 @@ export const getExecuteRenderData = (
 	const command = parsedArgs ? asString(parsedArgs.command) : "";
 	const rec = asRecord(result);
 	const output = rec ? asString(rec.output).trim() : "";
+	const error = rec ? asString(rec.error).trim() : "";
+	const fallbackMessage = rec && !error ? asString(rec.message).trim() : "";
+	const errorText = error || fallbackMessage;
+	const transcriptBlocks: ExecuteTranscriptBlock[] = [];
+	if (output) {
+		transcriptBlocks.push({ kind: "output", text: output });
+	}
+	if (errorText) {
+		transcriptBlocks.push({ kind: "error", text: errorText });
+	}
 	const durationMs = rec
 		? (asNumber(rec.wall_duration_ms, { parseString: true }) ??
 			asNumber(rec.duration_ms, { parseString: true }))
@@ -47,7 +62,7 @@ export const getExecuteRenderData = (
 
 	return {
 		command,
-		output,
+		transcriptBlocks,
 		durationMs,
 		isBackgrounded,
 		authenticateURL,

From ca337915ccc1cf645e4624ee632c2f980c62551d Mon Sep 17 00:00:00 2001
From: Nick Vigilante <nickvigilante@users.noreply.github.com>
Date: Mon, 1 Jun 2026 08:47:29 -0400
Subject: [PATCH 09/23] docs: fix broken and naked relative links (#25825)

Several relative links in the docs pointed at pages that no longer exist
or rendered incorrectly on coder.com.

Fixes:

- `start/first-template.md`: IDE links repointed from the removed
`../ides.md` / `../ides/web-ides.md` to their current homes under
`user-guides/workspace-access/`.
- `tutorials/example-guide.md`: contributing link repointed to
`../about/contributing/documentation.md`.
- `about/contributing/backend.md`: the `migrations/testdata/fixtures`
and `full_dumps` references (and the `000024_example.up.sql` example)
used relative paths that escape `docs/` and render as bogus
`/docs/coderd/...` routes on the site. Normalized to the canonical
`github.com/coder/coder/(blob|tree)/main/...` form already used by ~120
other source links in the docs.
- Normalized extensionless directory links (`ai-coder/ai-gateway`,
`user-guides/workspace-access`, `install`) to their `/index.md` targets
for consistency with the rest of the docs.

This class of bug is invisible to the local doc checks (`make
lint/markdown` / `pnpm check-docs` only run markdownlint + table
formatting); only CI's Linkspector job validates link targets. Found via
a relative-link audit while investigating the docs preview on #25816.

Source-link version-awareness (so older docs versions don't all point at
`main`) is tracked separately in DOCS-268 and will be handled in the
coder.com render layer.


Linear: DOCS-278

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 docs/about/contributing/backend.md        | 6 +++---
 docs/admin/infrastructure/architecture.md | 2 +-
 docs/ai-coder/tasks-core-principles.md    | 2 +-
 docs/ai-coder/tasks.md                    | 2 +-
 docs/install/upgrade.md                   | 2 +-
 docs/start/first-template.md              | 4 ++--
 docs/tutorials/example-guide.md           | 2 +-
 7 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/docs/about/contributing/backend.md b/docs/about/contributing/backend.md
index bc159fe580..c568d53cd7 100644
--- a/docs/about/contributing/backend.md
+++ b/docs/about/contributing/backend.md
@@ -169,9 +169,9 @@ There are two types of fixtures that are used to test that migrations don't
 break existing Coder deployments:
 
 * Partial fixtures
-  [`migrations/testdata/fixtures`](../../../coderd/database/migrations/testdata/fixtures)
+  [`migrations/testdata/fixtures`](https://github.com/coder/coder/tree/main/coderd/database/migrations/testdata/fixtures)
 * Full database dumps
-  [`migrations/testdata/full_dumps`](../../../coderd/database/migrations/testdata/full_dumps)
+  [`migrations/testdata/full_dumps`](https://github.com/coder/coder/tree/main/coderd/database/migrations/testdata/full_dumps)
 
 Both types behave like database migrations (they also
 [`migrate`](https://github.com/golang-migrate/migrate)). Their behavior mirrors
@@ -194,7 +194,7 @@ To add a new partial fixture, run the following command:
 ```
 
 Then add some queries to insert data and commit the file to the repo. See
-[`000024_example.up.sql`](../../../coderd/database/migrations/testdata/fixtures/000024_example.up.sql)
+[`000024_example.up.sql`](https://github.com/coder/coder/blob/main/coderd/database/migrations/testdata/fixtures/000024_example.up.sql)
 for an example.
 
 To create a full dump, run a fully fledged Coder deployment and use it to
diff --git a/docs/admin/infrastructure/architecture.md b/docs/admin/infrastructure/architecture.md
index c409feeba9..7576712ef3 100644
--- a/docs/admin/infrastructure/architecture.md
+++ b/docs/admin/infrastructure/architecture.md
@@ -142,7 +142,7 @@ as OpenAI and Anthropic. Users authenticate through Coder instead of managing se
 provider API keys. All prompts, token usage, and tool invocations are recorded
 for compliance and cost tracking.
 
-Learn more: [AI Gateway](../../ai-coder/ai-gateway)
+Learn more: [AI Gateway](../../ai-coder/ai-gateway/index.md)
 
 ### Agent Firewall
 
diff --git a/docs/ai-coder/tasks-core-principles.md b/docs/ai-coder/tasks-core-principles.md
index c172d33907..771680cb8f 100644
--- a/docs/ai-coder/tasks-core-principles.md
+++ b/docs/ai-coder/tasks-core-principles.md
@@ -17,7 +17,7 @@ Coder Tasks is Coder's platform for managing coding agents. With Coder Tasks, yo
 
 ![Tasks UI](../images/guides/ai-agents/tasks-ui.png)Coder Tasks Dashboard view to see all available tasks.
 
-Coder Tasks allows you and your organization to build and automate workflows to fully leverage AI. Tasks operate through Coder Workspaces. We support interacting with an agent through the Task UI and CLI. Some Tasks can also be accessed through the Coder Workspace IDE; see [connect via an IDE](../user-guides/workspace-access).
+Coder Tasks allows you and your organization to build and automate workflows to fully leverage AI. Tasks operate through Coder Workspaces. We support interacting with an agent through the Task UI and CLI. Some Tasks can also be accessed through the Coder Workspace IDE; see [connect via an IDE](../user-guides/workspace-access/index.md).
 
 ## Why Use Tasks?
 
diff --git a/docs/ai-coder/tasks.md b/docs/ai-coder/tasks.md
index a39292f570..aedf76f9fa 100644
--- a/docs/ai-coder/tasks.md
+++ b/docs/ai-coder/tasks.md
@@ -11,7 +11,7 @@ Coder Tasks is an interface for running & managing coding agents such as Claude
 
 ![Tasks UI](../images/guides/ai-agents/tasks-ui.png)
 
-Coder Tasks is best for cases where the IDE is secondary, such as prototyping or running long-running background jobs. However, tasks run inside full workspaces so developers can [connect via an IDE](../user-guides/workspace-access) to take a task to completion.
+Coder Tasks is best for cases where the IDE is secondary, such as prototyping or running long-running background jobs. However, tasks run inside full workspaces so developers can [connect via an IDE](../user-guides/workspace-access/index.md) to take a task to completion.
 
 You can also interact with Coder Tasks from your IDE. The [Coder extension for VS Code](https://marketplace.visualstudio.com/items?itemName=coder.coder-remote) (and compatible forks like Cursor) enables you to create, monitor, and manage Tasks directly from the IDE, eliminating the need to context-switch to a browser. After logging in, you get access to a dedicated Tasks view in the sidebar that lets you select a template, configure parameters, prompt an agent, and track task status or download logs. Your tasks run in Coder workspaces with access to your repos, credentials, and internal network.
 
diff --git a/docs/install/upgrade.md b/docs/install/upgrade.md
index 2559217edc..8c4282202d 100644
--- a/docs/install/upgrade.md
+++ b/docs/install/upgrade.md
@@ -12,7 +12,7 @@ For upgrade recommendations and troubleshooting, see
 ## Reinstall Coder to upgrade
 
 To upgrade your Coder server, reinstall Coder using your original method
-of [install](../install).
+of [install](../install/index.md).
 
 ### Coder install script
 
diff --git a/docs/start/first-template.md b/docs/start/first-template.md
index 3b9d49fc59..ba7a2a802c 100644
--- a/docs/start/first-template.md
+++ b/docs/start/first-template.md
@@ -67,7 +67,7 @@ This starter template lets you connect to your workspace in a few ways:
 - VS Code Desktop: Loads your workspace into
   [VS Code Desktop](https://code.visualstudio.com/Download) installed on your
   local computer.
-- code-server: Opens [browser-based VS Code](../ides/web-ides.md) with your
+- code-server: Opens [browser-based VS Code](../user-guides/workspace-access/web-ides.md) with your
   workspace.
 - Terminal: Opens a browser-based terminal with a shell in the workspace's
   Docker instance.
@@ -77,7 +77,7 @@ This starter template lets you connect to your workspace in a few ways:
 
 > [!TIP]
 > You can edit the template to let developers connect to a workspace in
-> [a few more ways](../ides.md).
+> [a few more ways](../user-guides/workspace-access/index.md).
 
 When you're done, you can stop the workspace. -->
 
diff --git a/docs/tutorials/example-guide.md b/docs/tutorials/example-guide.md
index 71d5ff15cd..5ede1a7344 100644
--- a/docs/tutorials/example-guide.md
+++ b/docs/tutorials/example-guide.md
@@ -16,7 +16,7 @@ repository.
 
 ## Content
 
-Defer to our [Contributing/Documentation](../contributing/documentation.md) page
+Defer to our [Contributing/Documentation](../about/contributing/documentation.md) page
 for rules on technical writing.
 
 ### Adding Photos

From 61a9c4a61d8823c46a4a30401045face91c0f3ea Mon Sep 17 00:00:00 2001
From: Nick Vigilante <nickvigilante@users.noreply.github.com>
Date: Mon, 1 Jun 2026 09:04:14 -0400
Subject: [PATCH 10/23] chore: Style fixes and nits across the AI Governance
 docs (#25793)

- Add the "AI Governance Add-On" label across all pages
- Use a generic `coder.example.com` URL across examples
- Fix a few typos
- Remove mentions of command access as a feature of AI Gov

Fixes DOCS-262

<!--

If you have used AI to produce some or all of this PR, please ensure you
have read our [AI Contribution
guidelines](https://coder.com/docs/about/contributing/AI_CONTRIBUTING)
before submitting.

-->

---------

Co-authored-by: Danny Kopping <danny@coder.com>
---
 docs/ai-coder/agent-firewall/index.md |  8 ++--
 docs/ai-coder/ai-governance.md        |  8 ++--
 docs/ai-coder/usage-data-reporting.md |  4 +-
 docs/manifest.json                    | 61 ++++++++++++++++++---------
 4 files changed, 49 insertions(+), 32 deletions(-)

diff --git a/docs/ai-coder/agent-firewall/index.md b/docs/ai-coder/agent-firewall/index.md
index d5d2921097..8fe5192756 100644
--- a/docs/ai-coder/agent-firewall/index.md
+++ b/docs/ai-coder/agent-firewall/index.md
@@ -48,8 +48,8 @@ In your Terraform module, enable Agent Firewall with minimal configuration:
 
 ```tf
 module "claude-code" {
-  source              = "dev.registry.coder.com/coder/claude-code/coder"
-  version             = "4.7.0"
+  source              = "registry.coder.com/coder/claude-code/coder"
+  version             = "5.2.0"
   enable_boundary     = true
 }
 ```
@@ -59,7 +59,7 @@ Claude Code module, use the following minimal configuration:
 
 ```yaml
 allowlist:
-  - "domain=dev.coder.com" # Required - use your Coder deployment domain
+  - "domain=coder.example.com" # Required - use your Coder deployment domain
   - "domain=api.anthropic.com" # Required - API endpoint for Claude
   - "domain=statsig.anthropic.com" # Required - Feature flags and analytics
   - "domain=claude.ai" # Recommended - WebFetch/WebSearch features
@@ -225,5 +225,5 @@ such as Grafana Loki.
 Example of an allowed request (assuming stderr):
 
 ```console
-2026-01-16 00:11:40.564 [info]  coderd.agentrpc: boundary_request owner=joe  workspace_name=some-task-c88d agent_name=dev  decision=allow  workspace_id=f2bd4e9f-7e27-49fc-961e-be4d1c2aa987  http_method=GET http_url=https://dev.coder.com  event_time=2026-01-16T00:11:39.388607657Z  matched_rule=domain=dev.coder.com request_id=9f30d667-1fc9-47ba-b9e5-8eac46e0abef trace=478b2b45577307c4fd1bcfc64fad6ffb span=9ece4bc70c311edb
+2026-01-16 00:11:40.564 [info]  coderd.agentrpc: boundary_request owner=joe  workspace_name=some-task-c88d agent_name=dev  decision=allow  workspace_id=f2bd4e9f-7e27-49fc-961e-be4d1c2aa987  http_method=GET http_url=https://coder.example.com  event_time=2026-01-16T00:11:39.388607657Z  matched_rule=domain=coder.example.com request_id=9f30d667-1fc9-47ba-b9e5-8eac46e0abef trace=478b2b45577307c4fd1bcfc64fad6ffb span=9ece4bc70c311edb
 ```
diff --git a/docs/ai-coder/ai-governance.md b/docs/ai-coder/ai-governance.md
index 1581a972c8..ce786ea53e 100644
--- a/docs/ai-coder/ai-governance.md
+++ b/docs/ai-coder/ai-governance.md
@@ -51,12 +51,10 @@ being used across the organization. AI Gateway provides audit trails of prompts,
 token usage, and tool invocations, giving administrators insight into AI
 adoption patterns and potential issues.
 
-### Restricting agent network and command access
+### Restricting agent network access
 
-AI agents can make arbitrary network requests, potentially accessing
-unauthorized services or exfiltrating data. They can also execute destructive
-commands within a workspace. Agent Firewall enforces process-level policies
-that restrict which domains agents can reach and what actions they can perform,
+AI agents can make arbitrary network requests, potentially accessing unauthorized services or exfiltrating data.
+Agent Firewall enforces process-level policies that restrict which domains agents can reach and what actions they can perform,
 preventing unintended data exposure and destructive operations like `rm -rf`.
 
 ### Centralizing API key management
diff --git a/docs/ai-coder/usage-data-reporting.md b/docs/ai-coder/usage-data-reporting.md
index 9d8fe08bfa..21c1e42d47 100644
--- a/docs/ai-coder/usage-data-reporting.md
+++ b/docs/ai-coder/usage-data-reporting.md
@@ -5,7 +5,7 @@ The [AI Governance Add-On](./ai-governance.md) requires reporting usage data to
 - number of agent workspace builds consumed
 - number of AI Governance seats consumed
 
-No user-identifiable information or additional metrics are sent to Tallyman. This information is also shared with [Metronome](https://metronome.com), a Stripe product and Coder partner for usage-based and reporting.
+No user-identifiable information or additional metrics are sent to Tallyman. This information is also shared with [Metronome](https://metronome.com), a Stripe product and Coder partner for usage-based billing and reporting.
 
 To send usage data, your Coder deployment must be able to make outbound HTTPS requests to `https://tallyman-prod.coder.com`. Usage data is sent approximately every 17 minutes and can be monitored via `coderd` logs.
 
@@ -17,7 +17,7 @@ Example of a successful request (requires debug logging enabled [`CODER_LOG_FILT
 
 Example of a request payload:
 
-```sh
+```txt
 POST /api/v1/events/ingest HTTP/1.1
 Host: tallyman-prod.coder.com
 Content-Type: application/json
diff --git a/docs/manifest.json b/docs/manifest.json
index cbbeceefbe..6f2fbf33ac 100644
--- a/docs/manifest.json
+++ b/docs/manifest.json
@@ -1144,85 +1144,99 @@
 								{
 									"title": "Setup",
 									"description": "How to set up and configure AI Gateway",
-									"path": "./ai-coder/ai-gateway/setup.md"
+									"path": "./ai-coder/ai-gateway/setup.md",
+									"state": ["ai governance add-on"]
 								},
 								{
 									"title": "Authentication",
 									"description": "Learn how to authenticate against AI Gateway",
-									"path": "./ai-coder/ai-gateway/auth.md"
+									"path": "./ai-coder/ai-gateway/auth.md",
+									"state": ["ai governance add-on"]
 								},
 								{
 									"title": "Client Configuration",
 									"description": "How to configure your AI coding tools to use AI Gateway",
 									"path": "./ai-coder/ai-gateway/clients/index.md",
+									"state": ["ai governance add-on"],
 									"children": [
 										{
 											"title": "Coder Agents",
 											"description": "Route Coder Agents traffic through AI Gateway",
-											"path": "./ai-coder/ai-gateway/clients/coder-agents.md"
+											"path": "./ai-coder/ai-gateway/clients/coder-agents.md",
+											"state": ["ai governance add-on"]
 										},
 										{
 											"title": "Claude Code",
 											"description": "Configure Claude Code to use AI Gateway",
-											"path": "./ai-coder/ai-gateway/clients/claude-code.md"
+											"path": "./ai-coder/ai-gateway/clients/claude-code.md",
+											"state": ["ai governance add-on"]
 										},
 										{
 											"title": "Codex",
 											"description": "Configure Codex to use AI Gateway",
-											"path": "./ai-coder/ai-gateway/clients/codex.md"
+											"path": "./ai-coder/ai-gateway/clients/codex.md",
+											"state": ["ai governance add-on"]
 										},
 										{
 											"title": "Mux",
 											"description": "Configure Mux to use AI Gateway",
-											"path": "./ai-coder/ai-gateway/clients/mux.md"
+											"path": "./ai-coder/ai-gateway/clients/mux.md",
+											"state": ["ai governance add-on"]
 										},
 										{
 											"title": "OpenCode",
 											"description": "Configure OpenCode to use AI Gateway",
-											"path": "./ai-coder/ai-gateway/clients/opencode.md"
+											"path": "./ai-coder/ai-gateway/clients/opencode.md",
+											"state": ["ai governance add-on"]
 										},
 										{
 											"title": "Factory",
 											"description": "Configure Factory to use AI Gateway",
-											"path": "./ai-coder/ai-gateway/clients/factory.md"
+											"path": "./ai-coder/ai-gateway/clients/factory.md",
+											"state": ["ai governance add-on"]
 										},
 										{
 											"title": "Cline",
 											"description": "Configure Cline to use AI Gateway",
-											"path": "./ai-coder/ai-gateway/clients/cline.md"
+											"path": "./ai-coder/ai-gateway/clients/cline.md",
+											"state": ["ai governance add-on"]
 										},
 										{
 											"title": "Kilo Code",
 											"description": "Configure Kilo Code to use AI Gateway",
-											"path": "./ai-coder/ai-gateway/clients/kilo-code.md"
+											"path": "./ai-coder/ai-gateway/clients/kilo-code.md",
+											"state": ["ai governance add-on"]
 										},
 										{
 											"title": "VS Code",
 											"description": "Configure VS Code to use AI Gateway",
-											"path": "./ai-coder/ai-gateway/clients/vscode.md"
+											"path": "./ai-coder/ai-gateway/clients/vscode.md",
+											"state": ["ai governance add-on"]
 										},
 										{
 											"title": "JetBrains",
 											"description": "Configure JetBrains IDEs to use AI Gateway",
-											"path": "./ai-coder/ai-gateway/clients/jetbrains.md"
+											"path": "./ai-coder/ai-gateway/clients/jetbrains.md",
+											"state": ["ai governance add-on"]
 										},
 										{
 											"title": "Zed",
 											"description": "Configure Zed to use AI Gateway",
-											"path": "./ai-coder/ai-gateway/clients/zed.md"
+											"path": "./ai-coder/ai-gateway/clients/zed.md",
+											"state": ["ai governance add-on"]
 										},
 										{
 											"title": "GitHub Copilot",
 											"description": "Configure GitHub Copilot to use AI Gateway via AI Gateway Proxy",
-											"path": "./ai-coder/ai-gateway/clients/copilot.md"
+											"path": "./ai-coder/ai-gateway/clients/copilot.md",
+											"state": ["ai governance add-on"]
 										}
 									]
 								},
 								{
 									"title": "MCP Tools Injection",
 									"description": "How to configure MCP servers for tools injection through AI Gateway",
-									"path": "./ai-coder/ai-gateway/mcp.md",
-									"state": ["early access"]
+									"path": "./ai-coder/ai-gateway/mcp.md"
 								},
 								{
 									"title": "AI Gateway Proxy",
@@ -1233,31 +1247,36 @@
 										{
 											"title": "Setup",
 											"description": "How to set up and configure AI Gateway Proxy",
-											"path": "./ai-coder/ai-gateway/ai-gateway-proxy/setup.md"
+											"path": "./ai-coder/ai-gateway/ai-gateway-proxy/setup.md",
+											"state": ["ai governance add-on"]
 										}
 									]
 								},
 								{
 									"title": "Auditing AI Sessions",
 									"description": "How to audit AI sessions",
-									"path": "./ai-coder/ai-gateway/audit.md"
+									"path": "./ai-coder/ai-gateway/audit.md",
+									"state": ["ai governance add-on"]
 								},
 								{
 									"title": "Monitoring",
 									"description": "How to monitor AI Gateway",
-									"path": "./ai-coder/ai-gateway/monitoring.md"
+									"path": "./ai-coder/ai-gateway/monitoring.md",
+									"state": ["ai governance add-on"]
 								},
 								{
 									"title": "Reference",
 									"description": "Technical reference for AI Gateway",
-									"path": "./ai-coder/ai-gateway/reference.md"
+									"path": "./ai-coder/ai-gateway/reference.md",
+									"state": ["ai governance add-on"]
 								}
 							]
 						},
 						{
 							"title": "Usage Data Reporting",
 							"description": "Configure AI usage data reporting",
-							"path": "./ai-coder/usage-data-reporting.md"
+							"path": "./ai-coder/usage-data-reporting.md",
+							"state": ["ai governance add-on"]
 						}
 					]
 				},

From c8555e2163ff2ac8eff2e2e6751c59a9fe4ff2ca Mon Sep 17 00:00:00 2001
From: Danny Kopping <danny@coder.com>
Date: Mon, 1 Jun 2026 15:15:47 +0200
Subject: [PATCH 11/23] fix: deprecate ai provider seeding env config (#25854)

Environment variables used to configure AI Gateway providers are now deprecated, and we need to reflect this as such.
---
 cli/server.go                                 | 35 +++++++++-
 cli/server_aibridge_internal_test.go          | 64 +++++++++++++++++++
 cli/testdata/coder_server_--help.golden       | 62 ++++++++++++------
 cli/testdata/server-config.yaml.golden        | 34 +++++++---
 codersdk/deployment.go                        | 51 ++++++++-------
 docs/reference/cli/server.md                  | 20 +++---
 .../cli/testdata/coder_server_--help.golden   | 62 ++++++++++++------
 7 files changed, 244 insertions(+), 84 deletions(-)

diff --git a/cli/server.go b/cli/server.go
index b2fa89fd3b..e8b8768eea 100644
--- a/cli/server.go
+++ b/cli/server.go
@@ -2979,6 +2979,11 @@ func parseExternalAuthProvidersFromEnv(prefix string, environ []string) ([]coder
 	return providers, nil
 }
 
+const (
+	aiGatewayProviderEnvPrefix = "CODER_AI_GATEWAY_PROVIDER_"
+	aiBridgeProviderEnvPrefix  = "CODER_AIBRIDGE_PROVIDER_"
+)
+
 // ReadAIProvidersFromEnv parses CODER_AI_GATEWAY_PROVIDER_<N>_<KEY>
 // environment variables into a slice of AIProviderConfig.
 // Deprecated alias env vars with the CODER_AIBRIDGE_PROVIDER_<N>_<KEY>
@@ -2986,16 +2991,22 @@ func parseExternalAuthProvidersFromEnv(prefix string, environ []string) ([]coder
 //
 // This follows the same indexed pattern as ReadExternalAuthProvidersFromEnv.
 func ReadAIProvidersFromEnv(logger slog.Logger, environ []string) ([]codersdk.AIProviderConfig, error) {
-	providers, err := readAIProvidersForPrefix(logger, environ, "CODER_AIBRIDGE_PROVIDER_")
+	providers, err := readAIProvidersForPrefix(logger, environ, aiBridgeProviderEnvPrefix)
 	if err != nil {
 		return nil, err
 	}
-	gatewayProviders, err := readAIProvidersForPrefix(logger, environ, "CODER_AI_GATEWAY_PROVIDER_")
+	gatewayProviders, err := readAIProvidersForPrefix(logger, environ, aiGatewayProviderEnvPrefix)
 	if err != nil {
 		return nil, err
 	}
 	if len(providers) > 0 && len(gatewayProviders) > 0 {
-		return nil, xerrors.New("cannot mix CODER_AIBRIDGE_PROVIDER_* and CODER_AI_GATEWAY_PROVIDER_* environment variables, please consolidate onto CODER_AI_GATEWAY_PROVIDER_*")
+		return nil, xerrors.Errorf("cannot mix %s* and %s* environment variables, please consolidate onto %s*", aiBridgeProviderEnvPrefix, aiGatewayProviderEnvPrefix, aiGatewayProviderEnvPrefix)
+	}
+	var activePrefix string
+	if len(providers) > 0 {
+		activePrefix = aiBridgeProviderEnvPrefix
+	} else if len(gatewayProviders) > 0 {
+		activePrefix = aiGatewayProviderEnvPrefix
 	}
 	providers = append(providers, gatewayProviders...)
 
@@ -3077,9 +3088,27 @@ func ReadAIProvidersFromEnv(logger slog.Logger, environ []string) ([]codersdk.AI
 		names[p.Name] = i
 	}
 
+	warnIfAIProvidersConfiguredFromEnv(context.Background(), logger, activePrefix, providers)
+
 	return providers, nil
 }
 
+func warnIfAIProvidersConfiguredFromEnv(ctx context.Context, logger slog.Logger, prefix string, providers []codersdk.AIProviderConfig) {
+	if len(providers) == 0 {
+		return
+	}
+
+	if prefix == "" {
+		return
+	}
+
+	logger.Warn(ctx,
+		"ai provider environment variables are deprecated for provider management and only seed provider configuration at startup",
+		slog.F("env_prefix", prefix),
+		slog.F("replacement", "Manage AI Providers from the Coder UI or HTTP API."),
+	)
+}
+
 // readAIProvidersForPrefix parses provider env vars under a single
 // indexed prefix (e.g. CODER_AI_GATEWAY_PROVIDER_) into a slice of
 // AIProviderConfig. Per-field syntax errors and unknown keys are
diff --git a/cli/server_aibridge_internal_test.go b/cli/server_aibridge_internal_test.go
index a91e5b51d2..fce45aa674 100644
--- a/cli/server_aibridge_internal_test.go
+++ b/cli/server_aibridge_internal_test.go
@@ -1,6 +1,7 @@
 package cli
 
 import (
+	"context"
 	"database/sql"
 	"encoding/json"
 	"fmt"
@@ -575,6 +576,58 @@ func TestValidateLegacyAIBridgeConfig(t *testing.T) {
 	}
 }
 
+func TestWarnIfAIProvidersConfiguredFromEnv(t *testing.T) {
+	t.Parallel()
+
+	t.Run("NoProviders", func(t *testing.T) {
+		t.Parallel()
+
+		sink := testutil.NewFakeSink(t)
+		warnIfAIProvidersConfiguredFromEnv(context.Background(), sink.Logger(), aiGatewayProviderEnvPrefix, nil)
+
+		require.Empty(t, sink.Entries())
+	})
+
+	t.Run("EmptyPrefix", func(t *testing.T) {
+		t.Parallel()
+
+		sink := testutil.NewFakeSink(t)
+		warnIfAIProvidersConfiguredFromEnv(context.Background(), sink.Logger(), "", []codersdk.AIProviderConfig{{Type: "openai", Name: "openai"}})
+
+		require.Empty(t, sink.Entries())
+	})
+
+	t.Run("AIGatewayPrefix", func(t *testing.T) {
+		t.Parallel()
+
+		sink := testutil.NewFakeSink(t)
+		warnIfAIProvidersConfiguredFromEnv(context.Background(), sink.Logger(), aiGatewayProviderEnvPrefix, []codersdk.AIProviderConfig{{Type: "openai", Name: "openai"}})
+
+		entries := sink.Entries(func(e slog.SinkEntry) bool {
+			return e.Message == "ai provider environment variables are deprecated for provider management and only seed provider configuration at startup"
+		})
+		require.Len(t, entries, 1)
+		require.Len(t, entries[0].Fields, 2)
+		assertFieldValue(t, entries[0].Fields, "env_prefix", aiGatewayProviderEnvPrefix)
+		assertFieldValue(t, entries[0].Fields, "replacement", "Manage AI Providers from the Coder UI or HTTP API.")
+	})
+
+	t.Run("AIBridgePrefix", func(t *testing.T) {
+		t.Parallel()
+
+		sink := testutil.NewFakeSink(t)
+		warnIfAIProvidersConfiguredFromEnv(context.Background(), sink.Logger(), aiBridgeProviderEnvPrefix, []codersdk.AIProviderConfig{{Type: "openai", Name: "openai"}})
+
+		entries := sink.Entries(func(e slog.SinkEntry) bool {
+			return e.Message == "ai provider environment variables are deprecated for provider management and only seed provider configuration at startup"
+		})
+		require.Len(t, entries, 1)
+		require.Len(t, entries[0].Fields, 2)
+		assertFieldValue(t, entries[0].Fields, "env_prefix", aiBridgeProviderEnvPrefix)
+		assertFieldValue(t, entries[0].Fields, "replacement", "Manage AI Providers from the Coder UI or HTTP API.")
+	})
+}
+
 func TestBuildAIProviderFromRowSetsAPIDumpDir(t *testing.T) {
 	t.Parallel()
 
@@ -721,3 +774,14 @@ func mustMarshalSettings(s codersdk.AIProviderSettings) sql.NullString {
 	}
 	return sql.NullString{String: string(data), Valid: true}
 }
+
+func assertFieldValue(t *testing.T, fields slog.Map, name string, expected interface{}) {
+	t.Helper()
+	for _, f := range fields {
+		if f.Name == name {
+			assert.Equal(t, expected, f.Value)
+			return
+		}
+	}
+	t.Errorf("field %q not found", name)
+}
diff --git a/cli/testdata/coder_server_--help.golden b/cli/testdata/coder_server_--help.golden
index 4bcf9efda9..53ccf77f7c 100644
--- a/cli/testdata/coder_server_--help.golden
+++ b/cli/testdata/coder_server_--help.golden
@@ -124,35 +124,55 @@ AI GATEWAY OPTIONS:
           disabled, only centralized key authentication is permitted.
 
       --ai-gateway-anthropic-base-url string, $CODER_AI_GATEWAY_ANTHROPIC_BASE_URL (default: https://api.anthropic.com/)
-          The base URL of the Anthropic API.
+          Deprecated: manage AI Providers from the Coder UI or HTTP API. If set,
+          this option seeds provider configuration at startup only exactly once.
+          It will not be used in service runtime. The base URL of the Anthropic
+          API.
 
       --ai-gateway-anthropic-key string, $CODER_AI_GATEWAY_ANTHROPIC_KEY
-          The key to authenticate against the Anthropic API.
+          Deprecated: manage AI Providers from the Coder UI or HTTP API. If set,
+          this option seeds provider configuration at startup only exactly once.
+          It will not be used in service runtime. The key to authenticate
+          against the Anthropic API.
 
       --ai-gateway-bedrock-access-key string, $CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY
-          The access key to authenticate against the AWS Bedrock API.
-
-      --ai-gateway-bedrock-access-key-secret string, $CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY_SECRET
-          The access key secret to use with the access key to authenticate
+          Deprecated: manage AI Providers from the Coder UI or HTTP API. If set,
+          this option seeds provider configuration at startup only exactly once.
+          It will not be used in service runtime. The access key to authenticate
           against the AWS Bedrock API.
 
+      --ai-gateway-bedrock-access-key-secret string, $CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY_SECRET
+          Deprecated: manage AI Providers from the Coder UI or HTTP API. If set,
+          this option seeds provider configuration at startup only exactly once.
+          It will not be used in service runtime. The access key secret to use
+          with the access key to authenticate against the AWS Bedrock API.
+
       --ai-gateway-bedrock-base-url string, $CODER_AI_GATEWAY_BEDROCK_BASE_URL
-          The base URL to use for the AWS Bedrock API. Use this setting to
-          specify an exact URL to use. Takes precedence over
-          CODER_AI_GATEWAY_BEDROCK_REGION.
+          Deprecated: manage AI Providers from the Coder UI or HTTP API. If set,
+          this option seeds provider configuration at startup only exactly once.
+          It will not be used in service runtime. The base URL to use for the
+          AWS Bedrock API. Use this setting to specify an exact URL to use.
+          Takes precedence over CODER_AI_GATEWAY_BEDROCK_REGION.
 
       --ai-gateway-bedrock-model string, $CODER_AI_GATEWAY_BEDROCK_MODEL (default: global.anthropic.claude-sonnet-4-5-20250929-v1:0)
-          The model to use when making requests to the AWS Bedrock API.
+          Deprecated: manage AI Providers from the Coder UI or HTTP API. If set,
+          this option seeds provider configuration at startup only exactly once.
+          It will not be used in service runtime. The model to use when making
+          requests to the AWS Bedrock API.
 
       --ai-gateway-bedrock-region string, $CODER_AI_GATEWAY_BEDROCK_REGION
-          The AWS Bedrock API region to use. Constructs a base URL to use for
-          the AWS Bedrock API in the form of
-          'https://bedrock-runtime.<region>.amazonaws.com'.
+          Deprecated: manage AI Providers from the Coder UI or HTTP API. If set,
+          this option seeds provider configuration at startup only exactly once.
+          It will not be used in service runtime. The AWS Bedrock API region to
+          use. Constructs a base URL to use for the AWS Bedrock API in the form
+          of 'https://bedrock-runtime.<region>.amazonaws.com'.
 
       --ai-gateway-bedrock-small-fastmodel string, $CODER_AI_GATEWAY_BEDROCK_SMALL_FAST_MODEL (default: global.anthropic.claude-haiku-4-5-20251001-v1:0)
-          The small fast model to use when making requests to the AWS Bedrock
-          API. Claude Code uses Haiku-class models to perform background tasks.
-          See
+          Deprecated: manage AI Providers from the Coder UI or HTTP API. If set,
+          this option seeds provider configuration at startup only exactly once.
+          It will not be used in service runtime. The small fast model to use
+          when making requests to the AWS Bedrock API. Claude Code uses
+          Haiku-class models to perform background tasks. See
           https://docs.claude.com/en/docs/claude-code/settings#environment-variables.
 
       --ai-gateway-circuit-breaker-enabled bool, $CODER_AI_GATEWAY_CIRCUIT_BREAKER_ENABLED (default: false)
@@ -171,10 +191,16 @@ AI GATEWAY OPTIONS:
           to disable (unlimited).
 
       --ai-gateway-openai-base-url string, $CODER_AI_GATEWAY_OPENAI_BASE_URL (default: https://api.openai.com/v1/)
-          The base URL of the OpenAI API.
+          Deprecated: manage AI Providers from the Coder UI or HTTP API. If set,
+          this option seeds provider configuration at startup only exactly once.
+          It will not be used in service runtime. The base URL of the OpenAI
+          API.
 
       --ai-gateway-openai-key string, $CODER_AI_GATEWAY_OPENAI_KEY
-          The key to authenticate against the OpenAI API.
+          Deprecated: manage AI Providers from the Coder UI or HTTP API. If set,
+          this option seeds provider configuration at startup only exactly once.
+          It will not be used in service runtime. The key to authenticate
+          against the OpenAI API.
 
       --ai-gateway-rate-limit int, $CODER_AI_GATEWAY_RATE_LIMIT (default: 0)
           Maximum number of AI Gateway requests per second per replica. Set to 0
diff --git a/cli/testdata/server-config.yaml.golden b/cli/testdata/server-config.yaml.golden
index 5bc02e0ae6..613b639553 100644
--- a/cli/testdata/server-config.yaml.golden
+++ b/cli/testdata/server-config.yaml.golden
@@ -874,25 +874,41 @@ ai_gateway:
   # Whether to start an in-memory AI Gateway instance.
   # (default: true, type: bool)
   enabled: true
-  # The base URL of the OpenAI API.
+  # Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this
+  # option seeds provider configuration at startup only exactly once. It will not be
+  # used in service runtime. The base URL of the OpenAI API.
   # (default: https://api.openai.com/v1/, type: string)
   openai_base_url: https://api.openai.com/v1/
-  # The base URL of the Anthropic API.
+  # Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this
+  # option seeds provider configuration at startup only exactly once. It will not be
+  # used in service runtime. The base URL of the Anthropic API.
   # (default: https://api.anthropic.com/, type: string)
   anthropic_base_url: https://api.anthropic.com/
-  # The base URL to use for the AWS Bedrock API. Use this setting to specify an
-  # exact URL to use. Takes precedence over CODER_AI_GATEWAY_BEDROCK_REGION.
+  # Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this
+  # option seeds provider configuration at startup only exactly once. It will not be
+  # used in service runtime. The base URL to use for the AWS Bedrock API. Use this
+  # setting to specify an exact URL to use. Takes precedence over
+  # CODER_AI_GATEWAY_BEDROCK_REGION.
   # (default: <unset>, type: string)
   bedrock_base_url: ""
-  # The AWS Bedrock API region to use. Constructs a base URL to use for the AWS
-  # Bedrock API in the form of 'https://bedrock-runtime.<region>.amazonaws.com'.
+  # Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this
+  # option seeds provider configuration at startup only exactly once. It will not be
+  # used in service runtime. The AWS Bedrock API region to use. Constructs a base
+  # URL to use for the AWS Bedrock API in the form of
+  # 'https://bedrock-runtime.<region>.amazonaws.com'.
   # (default: <unset>, type: string)
   bedrock_region: ""
-  # The model to use when making requests to the AWS Bedrock API.
+  # Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this
+  # option seeds provider configuration at startup only exactly once. It will not be
+  # used in service runtime. The model to use when making requests to the AWS
+  # Bedrock API.
   # (default: global.anthropic.claude-sonnet-4-5-20250929-v1:0, type: string)
   bedrock_model: global.anthropic.claude-sonnet-4-5-20250929-v1:0
-  # The small fast model to use when making requests to the AWS Bedrock API. Claude
-  # Code uses Haiku-class models to perform background tasks. See
+  # Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this
+  # option seeds provider configuration at startup only exactly once. It will not be
+  # used in service runtime. The small fast model to use when making requests to the
+  # AWS Bedrock API. Claude Code uses Haiku-class models to perform background
+  # tasks. See
   # https://docs.claude.com/en/docs/claude-code/settings#environment-variables.
   # (default: global.anthropic.claude-haiku-4-5-20251001-v1:0, type: string)
   bedrock_small_fast_model: global.anthropic.claude-haiku-4-5-20251001-v1:0
diff --git a/codersdk/deployment.go b/codersdk/deployment.go
index 3fb36c587f..8164222831 100644
--- a/codersdk/deployment.go
+++ b/codersdk/deployment.go
@@ -1700,6 +1700,7 @@ func (c *DeploymentValues) Options() serpent.OptionSet {
 	}
 
 	// AI Gateway options
+	aiGatewayProviderSeedingDeprecated := "Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this option seeds provider configuration at startup only exactly once. It will not be used in service runtime. "
 	aiGatewayEnabled := serpent.Option{
 		Name:        "AI Gateway Enabled",
 		Description: "Whether to start an in-memory AI Gateway instance.",
@@ -1712,7 +1713,7 @@ func (c *DeploymentValues) Options() serpent.OptionSet {
 	}
 	aiGatewayOpenAIBaseURL := serpent.Option{
 		Name:        "AI Gateway OpenAI Base URL",
-		Description: "The base URL of the OpenAI API.",
+		Description: aiGatewayProviderSeedingDeprecated + "The base URL of the OpenAI API.",
 		Flag:        "ai-gateway-openai-base-url",
 		Env:         "CODER_AI_GATEWAY_OPENAI_BASE_URL",
 		Value:       &c.AI.BridgeConfig.LegacyOpenAI.BaseURL,
@@ -1722,7 +1723,7 @@ func (c *DeploymentValues) Options() serpent.OptionSet {
 	}
 	aiGatewayOpenAIKey := serpent.Option{
 		Name:        "AI Gateway OpenAI Key",
-		Description: "The key to authenticate against the OpenAI API.",
+		Description: aiGatewayProviderSeedingDeprecated + "The key to authenticate against the OpenAI API.",
 		Flag:        "ai-gateway-openai-key",
 		Env:         "CODER_AI_GATEWAY_OPENAI_KEY",
 		Value:       &c.AI.BridgeConfig.LegacyOpenAI.Key,
@@ -1732,7 +1733,7 @@ func (c *DeploymentValues) Options() serpent.OptionSet {
 	}
 	aiGatewayAnthropicBaseURL := serpent.Option{
 		Name:        "AI Gateway Anthropic Base URL",
-		Description: "The base URL of the Anthropic API.",
+		Description: aiGatewayProviderSeedingDeprecated + "The base URL of the Anthropic API.",
 		Flag:        "ai-gateway-anthropic-base-url",
 		Env:         "CODER_AI_GATEWAY_ANTHROPIC_BASE_URL",
 		Value:       &c.AI.BridgeConfig.LegacyAnthropic.BaseURL,
@@ -1742,7 +1743,7 @@ func (c *DeploymentValues) Options() serpent.OptionSet {
 	}
 	aiGatewayAnthropicKey := serpent.Option{
 		Name:        "AI Gateway Anthropic Key",
-		Description: "The key to authenticate against the Anthropic API.",
+		Description: aiGatewayProviderSeedingDeprecated + "The key to authenticate against the Anthropic API.",
 		Flag:        "ai-gateway-anthropic-key",
 		Env:         "CODER_AI_GATEWAY_ANTHROPIC_KEY",
 		Value:       &c.AI.BridgeConfig.LegacyAnthropic.Key,
@@ -1751,30 +1752,28 @@ func (c *DeploymentValues) Options() serpent.OptionSet {
 		Annotations: serpent.Annotations{}.Mark(annotationSecretKey, "true"),
 	}
 	aiGatewayBedrockBaseURL := serpent.Option{
-		Name: "AI Gateway Bedrock Base URL",
-		Description: "The base URL to use for the AWS Bedrock API. Use this setting to specify an exact URL to use. Takes precedence " +
-			"over CODER_AI_GATEWAY_BEDROCK_REGION.",
-		Flag:    "ai-gateway-bedrock-base-url",
-		Env:     "CODER_AI_GATEWAY_BEDROCK_BASE_URL",
-		Value:   &c.AI.BridgeConfig.LegacyBedrock.BaseURL,
-		Default: "",
-		Group:   &deploymentGroupAIGateway,
-		YAML:    "bedrock_base_url",
+		Name:        "AI Gateway Bedrock Base URL",
+		Description: aiGatewayProviderSeedingDeprecated + "The base URL to use for the AWS Bedrock API. Use this setting to specify an exact URL to use. Takes precedence over CODER_AI_GATEWAY_BEDROCK_REGION.",
+		Flag:        "ai-gateway-bedrock-base-url",
+		Env:         "CODER_AI_GATEWAY_BEDROCK_BASE_URL",
+		Value:       &c.AI.BridgeConfig.LegacyBedrock.BaseURL,
+		Default:     "",
+		Group:       &deploymentGroupAIGateway,
+		YAML:        "bedrock_base_url",
 	}
 	aiGatewayBedrockRegion := serpent.Option{
-		Name: "AI Gateway Bedrock Region",
-		Description: "The AWS Bedrock API region to use. Constructs a base URL to use for the AWS Bedrock API in the form of " +
-			"'https://bedrock-runtime.<region>.amazonaws.com'.",
-		Flag:    "ai-gateway-bedrock-region",
-		Env:     "CODER_AI_GATEWAY_BEDROCK_REGION",
-		Value:   &c.AI.BridgeConfig.LegacyBedrock.Region,
-		Default: "",
-		Group:   &deploymentGroupAIGateway,
-		YAML:    "bedrock_region",
+		Name:        "AI Gateway Bedrock Region",
+		Description: aiGatewayProviderSeedingDeprecated + "The AWS Bedrock API region to use. Constructs a base URL to use for the AWS Bedrock API in the form of 'https://bedrock-runtime.<region>.amazonaws.com'.",
+		Flag:        "ai-gateway-bedrock-region",
+		Env:         "CODER_AI_GATEWAY_BEDROCK_REGION",
+		Value:       &c.AI.BridgeConfig.LegacyBedrock.Region,
+		Default:     "",
+		Group:       &deploymentGroupAIGateway,
+		YAML:        "bedrock_region",
 	}
 	aiGatewayBedrockAccessKey := serpent.Option{
 		Name:        "AI Gateway Bedrock Access Key",
-		Description: "The access key to authenticate against the AWS Bedrock API.",
+		Description: aiGatewayProviderSeedingDeprecated + "The access key to authenticate against the AWS Bedrock API.",
 		Flag:        "ai-gateway-bedrock-access-key",
 		Env:         "CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY",
 		Value:       &c.AI.BridgeConfig.LegacyBedrock.AccessKey,
@@ -1784,7 +1783,7 @@ func (c *DeploymentValues) Options() serpent.OptionSet {
 	}
 	aiGatewayBedrockAccessKeySecret := serpent.Option{
 		Name:        "AI Gateway Bedrock Access Key Secret",
-		Description: "The access key secret to use with the access key to authenticate against the AWS Bedrock API.",
+		Description: aiGatewayProviderSeedingDeprecated + "The access key secret to use with the access key to authenticate against the AWS Bedrock API.",
 		Flag:        "ai-gateway-bedrock-access-key-secret",
 		Env:         "CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY_SECRET",
 		Value:       &c.AI.BridgeConfig.LegacyBedrock.AccessKeySecret,
@@ -1794,7 +1793,7 @@ func (c *DeploymentValues) Options() serpent.OptionSet {
 	}
 	aiGatewayBedrockModel := serpent.Option{
 		Name:        "AI Gateway Bedrock Model",
-		Description: "The model to use when making requests to the AWS Bedrock API.",
+		Description: aiGatewayProviderSeedingDeprecated + "The model to use when making requests to the AWS Bedrock API.",
 		Flag:        "ai-gateway-bedrock-model",
 		Env:         "CODER_AI_GATEWAY_BEDROCK_MODEL",
 		Value:       &c.AI.BridgeConfig.LegacyBedrock.Model,
@@ -1804,7 +1803,7 @@ func (c *DeploymentValues) Options() serpent.OptionSet {
 	}
 	aiGatewayBedrockSmallFastModel := serpent.Option{
 		Name:        "AI Gateway Bedrock Small Fast Model",
-		Description: "The small fast model to use when making requests to the AWS Bedrock API. Claude Code uses Haiku-class models to perform background tasks. See https://docs.claude.com/en/docs/claude-code/settings#environment-variables.",
+		Description: aiGatewayProviderSeedingDeprecated + "The small fast model to use when making requests to the AWS Bedrock API. Claude Code uses Haiku-class models to perform background tasks. See https://docs.claude.com/en/docs/claude-code/settings#environment-variables.",
 		Flag:        "ai-gateway-bedrock-small-fastmodel",
 		Env:         "CODER_AI_GATEWAY_BEDROCK_SMALL_FAST_MODEL",
 		Value:       &c.AI.BridgeConfig.LegacyBedrock.SmallFastModel,
diff --git a/docs/reference/cli/server.md b/docs/reference/cli/server.md
index de694faa79..2de88e4960 100644
--- a/docs/reference/cli/server.md
+++ b/docs/reference/cli/server.md
@@ -1743,7 +1743,7 @@ Whether to start an in-memory AI Gateway instance.
 | YAML        | <code>ai_gateway.openai_base_url</code>        |
 | Default     | <code>https://api.openai.com/v1/</code>        |
 
-The base URL of the OpenAI API.
+Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this option seeds provider configuration at startup only exactly once. It will not be used in service runtime. The base URL of the OpenAI API.
 
 ### --ai-gateway-openai-key
 
@@ -1752,7 +1752,7 @@ The base URL of the OpenAI API.
 | Type        | <code>string</code>                       |
 | Environment | <code>$CODER_AI_GATEWAY_OPENAI_KEY</code> |
 
-The key to authenticate against the OpenAI API.
+Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this option seeds provider configuration at startup only exactly once. It will not be used in service runtime. The key to authenticate against the OpenAI API.
 
 ### --ai-gateway-anthropic-base-url
 
@@ -1763,7 +1763,7 @@ The key to authenticate against the OpenAI API.
 | YAML        | <code>ai_gateway.anthropic_base_url</code>        |
 | Default     | <code>https://api.anthropic.com/</code>           |
 
-The base URL of the Anthropic API.
+Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this option seeds provider configuration at startup only exactly once. It will not be used in service runtime. The base URL of the Anthropic API.
 
 ### --ai-gateway-anthropic-key
 
@@ -1772,7 +1772,7 @@ The base URL of the Anthropic API.
 | Type        | <code>string</code>                          |
 | Environment | <code>$CODER_AI_GATEWAY_ANTHROPIC_KEY</code> |
 
-The key to authenticate against the Anthropic API.
+Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this option seeds provider configuration at startup only exactly once. It will not be used in service runtime. The key to authenticate against the Anthropic API.
 
 ### --ai-gateway-bedrock-base-url
 
@@ -1782,7 +1782,7 @@ The key to authenticate against the Anthropic API.
 | Environment | <code>$CODER_AI_GATEWAY_BEDROCK_BASE_URL</code> |
 | YAML        | <code>ai_gateway.bedrock_base_url</code>        |
 
-The base URL to use for the AWS Bedrock API. Use this setting to specify an exact URL to use. Takes precedence over CODER_AI_GATEWAY_BEDROCK_REGION.
+Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this option seeds provider configuration at startup only exactly once. It will not be used in service runtime. The base URL to use for the AWS Bedrock API. Use this setting to specify an exact URL to use. Takes precedence over CODER_AI_GATEWAY_BEDROCK_REGION.
 
 ### --ai-gateway-bedrock-region
 
@@ -1792,7 +1792,7 @@ The base URL to use for the AWS Bedrock API. Use this setting to specify an exac
 | Environment | <code>$CODER_AI_GATEWAY_BEDROCK_REGION</code> |
 | YAML        | <code>ai_gateway.bedrock_region</code>        |
 
-The AWS Bedrock API region to use. Constructs a base URL to use for the AWS Bedrock API in the form of 'https://bedrock-runtime.<region>.amazonaws.com'.
+Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this option seeds provider configuration at startup only exactly once. It will not be used in service runtime. The AWS Bedrock API region to use. Constructs a base URL to use for the AWS Bedrock API in the form of 'https://bedrock-runtime.<region>.amazonaws.com'.
 
 ### --ai-gateway-bedrock-access-key
 
@@ -1801,7 +1801,7 @@ The AWS Bedrock API region to use. Constructs a base URL to use for the AWS Bedr
 | Type        | <code>string</code>                               |
 | Environment | <code>$CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY</code> |
 
-The access key to authenticate against the AWS Bedrock API.
+Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this option seeds provider configuration at startup only exactly once. It will not be used in service runtime. The access key to authenticate against the AWS Bedrock API.
 
 ### --ai-gateway-bedrock-access-key-secret
 
@@ -1810,7 +1810,7 @@ The access key to authenticate against the AWS Bedrock API.
 | Type        | <code>string</code>                                      |
 | Environment | <code>$CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY_SECRET</code> |
 
-The access key secret to use with the access key to authenticate against the AWS Bedrock API.
+Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this option seeds provider configuration at startup only exactly once. It will not be used in service runtime. The access key secret to use with the access key to authenticate against the AWS Bedrock API.
 
 ### --ai-gateway-bedrock-model
 
@@ -1821,7 +1821,7 @@ The access key secret to use with the access key to authenticate against the AWS
 | YAML        | <code>ai_gateway.bedrock_model</code>                         |
 | Default     | <code>global.anthropic.claude-sonnet-4-5-20250929-v1:0</code> |
 
-The model to use when making requests to the AWS Bedrock API.
+Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this option seeds provider configuration at startup only exactly once. It will not be used in service runtime. The model to use when making requests to the AWS Bedrock API.
 
 ### --ai-gateway-bedrock-small-fastmodel
 
@@ -1832,7 +1832,7 @@ The model to use when making requests to the AWS Bedrock API.
 | YAML        | <code>ai_gateway.bedrock_small_fast_model</code>             |
 | Default     | <code>global.anthropic.claude-haiku-4-5-20251001-v1:0</code> |
 
-The small fast model to use when making requests to the AWS Bedrock API. Claude Code uses Haiku-class models to perform background tasks. See https://docs.claude.com/en/docs/claude-code/settings#environment-variables.
+Deprecated: manage AI Providers from the Coder UI or HTTP API. If set, this option seeds provider configuration at startup only exactly once. It will not be used in service runtime. The small fast model to use when making requests to the AWS Bedrock API. Claude Code uses Haiku-class models to perform background tasks. See https://docs.claude.com/en/docs/claude-code/settings#environment-variables.
 
 ### --ai-gateway-retention
 
diff --git a/enterprise/cli/testdata/coder_server_--help.golden b/enterprise/cli/testdata/coder_server_--help.golden
index a9062a426f..addd3dc256 100644
--- a/enterprise/cli/testdata/coder_server_--help.golden
+++ b/enterprise/cli/testdata/coder_server_--help.golden
@@ -125,35 +125,55 @@ AI GATEWAY OPTIONS:
           disabled, only centralized key authentication is permitted.
 
       --ai-gateway-anthropic-base-url string, $CODER_AI_GATEWAY_ANTHROPIC_BASE_URL (default: https://api.anthropic.com/)
-          The base URL of the Anthropic API.
+          Deprecated: manage AI Providers from the Coder UI or HTTP API. If set,
+          this option seeds provider configuration at startup only exactly once.
+          It will not be used in service runtime. The base URL of the Anthropic
+          API.
 
       --ai-gateway-anthropic-key string, $CODER_AI_GATEWAY_ANTHROPIC_KEY
-          The key to authenticate against the Anthropic API.
+          Deprecated: manage AI Providers from the Coder UI or HTTP API. If set,
+          this option seeds provider configuration at startup only exactly once.
+          It will not be used in service runtime. The key to authenticate
+          against the Anthropic API.
 
       --ai-gateway-bedrock-access-key string, $CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY
-          The access key to authenticate against the AWS Bedrock API.
-
-      --ai-gateway-bedrock-access-key-secret string, $CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY_SECRET
-          The access key secret to use with the access key to authenticate
+          Deprecated: manage AI Providers from the Coder UI or HTTP API. If set,
+          this option seeds provider configuration at startup only exactly once.
+          It will not be used in service runtime. The access key to authenticate
           against the AWS Bedrock API.
 
+      --ai-gateway-bedrock-access-key-secret string, $CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY_SECRET
+          Deprecated: manage AI Providers from the Coder UI or HTTP API. If set,
+          this option seeds provider configuration at startup only exactly once.
+          It will not be used in service runtime. The access key secret to use
+          with the access key to authenticate against the AWS Bedrock API.
+
       --ai-gateway-bedrock-base-url string, $CODER_AI_GATEWAY_BEDROCK_BASE_URL
-          The base URL to use for the AWS Bedrock API. Use this setting to
-          specify an exact URL to use. Takes precedence over
-          CODER_AI_GATEWAY_BEDROCK_REGION.
+          Deprecated: manage AI Providers from the Coder UI or HTTP API. If set,
+          this option seeds provider configuration at startup only exactly once.
+          It will not be used in service runtime. The base URL to use for the
+          AWS Bedrock API. Use this setting to specify an exact URL to use.
+          Takes precedence over CODER_AI_GATEWAY_BEDROCK_REGION.
 
       --ai-gateway-bedrock-model string, $CODER_AI_GATEWAY_BEDROCK_MODEL (default: global.anthropic.claude-sonnet-4-5-20250929-v1:0)
-          The model to use when making requests to the AWS Bedrock API.
+          Deprecated: manage AI Providers from the Coder UI or HTTP API. If set,
+          this option seeds provider configuration at startup only exactly once.
+          It will not be used in service runtime. The model to use when making
+          requests to the AWS Bedrock API.
 
       --ai-gateway-bedrock-region string, $CODER_AI_GATEWAY_BEDROCK_REGION
-          The AWS Bedrock API region to use. Constructs a base URL to use for
-          the AWS Bedrock API in the form of
-          'https://bedrock-runtime.<region>.amazonaws.com'.
+          Deprecated: manage AI Providers from the Coder UI or HTTP API. If set,
+          this option seeds provider configuration at startup only exactly once.
+          It will not be used in service runtime. The AWS Bedrock API region to
+          use. Constructs a base URL to use for the AWS Bedrock API in the form
+          of 'https://bedrock-runtime.<region>.amazonaws.com'.
 
       --ai-gateway-bedrock-small-fastmodel string, $CODER_AI_GATEWAY_BEDROCK_SMALL_FAST_MODEL (default: global.anthropic.claude-haiku-4-5-20251001-v1:0)
-          The small fast model to use when making requests to the AWS Bedrock
-          API. Claude Code uses Haiku-class models to perform background tasks.
-          See
+          Deprecated: manage AI Providers from the Coder UI or HTTP API. If set,
+          this option seeds provider configuration at startup only exactly once.
+          It will not be used in service runtime. The small fast model to use
+          when making requests to the AWS Bedrock API. Claude Code uses
+          Haiku-class models to perform background tasks. See
           https://docs.claude.com/en/docs/claude-code/settings#environment-variables.
 
       --ai-gateway-circuit-breaker-enabled bool, $CODER_AI_GATEWAY_CIRCUIT_BREAKER_ENABLED (default: false)
@@ -172,10 +192,16 @@ AI GATEWAY OPTIONS:
           to disable (unlimited).
 
       --ai-gateway-openai-base-url string, $CODER_AI_GATEWAY_OPENAI_BASE_URL (default: https://api.openai.com/v1/)
-          The base URL of the OpenAI API.
+          Deprecated: manage AI Providers from the Coder UI or HTTP API. If set,
+          this option seeds provider configuration at startup only exactly once.
+          It will not be used in service runtime. The base URL of the OpenAI
+          API.
 
       --ai-gateway-openai-key string, $CODER_AI_GATEWAY_OPENAI_KEY
-          The key to authenticate against the OpenAI API.
+          Deprecated: manage AI Providers from the Coder UI or HTTP API. If set,
+          this option seeds provider configuration at startup only exactly once.
+          It will not be used in service runtime. The key to authenticate
+          against the OpenAI API.
 
       --ai-gateway-rate-limit int, $CODER_AI_GATEWAY_RATE_LIMIT (default: 0)
           Maximum number of AI Gateway requests per second per replica. Set to 0

From 82752844bc96c68ca5f8f9ca251a95c1aec624cc Mon Sep 17 00:00:00 2001
From: Mathias Fredriksson <mafredri@gmail.com>
Date: Mon, 1 Jun 2026 16:17:29 +0300
Subject: [PATCH 12/23] fix: isolate MCP HTTP transports from DefaultTransport
 in tests (#25821)

Use testing.Testing() inside createTransport to automatically
clone http.DefaultTransport when running in tests. In production,
DefaultTransport is used as-is (efficient connection pooling).

This fixes the CloseIdleConnections flake class: httptest.Server.Close()
calls http.DefaultTransport.CloseIdleConnections(), which disrupts
any MCP client sharing that transport. The testing.Testing() check
means every MCP transport created during tests gets isolation
automatically, with no caller changes needed.

Closes coder/internal#1016
Closes PLAT-291
---
 agent/x/agentmcp/manager.go               |  20 ++--
 agent/x/agentmcp/mcphttpclient.go         |  25 ++++
 aibridge/mcp/mcphttpclient.go             |  25 ++++
 aibridge/mcp/proxy_streamable_http.go     |  11 ++
 coderd/mcp/mcp_e2e_test.go                | 137 +++++++++++++++++-----
 coderd/x/chatd/mcpclient/mcpclient.go     |  33 ++----
 coderd/x/chatd/mcpclient/mcphttpclient.go |  25 ++++
 7 files changed, 218 insertions(+), 58 deletions(-)
 create mode 100644 agent/x/agentmcp/mcphttpclient.go
 create mode 100644 aibridge/mcp/mcphttpclient.go
 create mode 100644 coderd/x/chatd/mcpclient/mcphttpclient.go

diff --git a/agent/x/agentmcp/manager.go b/agent/x/agentmcp/manager.go
index 23cba06c18..cd6a705151 100644
--- a/agent/x/agentmcp/manager.go
+++ b/agent/x/agentmcp/manager.go
@@ -975,15 +975,19 @@ func (m *Manager) createTransport(ctx context.Context, cfg ServerConfig) (transp
 			}),
 		), nil
 	case "http", "":
-		return transport.NewStreamableHTTP(
-			cfg.URL,
-			transport.WithHTTPHeaders(cfg.Headers),
-		)
+		var opts []transport.StreamableHTTPCOption
+		opts = append(opts, transport.WithHTTPHeaders(cfg.Headers))
+		if c := mcpHTTPClient(); c != nil {
+			opts = append(opts, transport.WithHTTPBasicClient(c))
+		}
+		return transport.NewStreamableHTTP(cfg.URL, opts...)
 	case "sse":
-		return transport.NewSSE(
-			cfg.URL,
-			transport.WithHeaders(cfg.Headers),
-		)
+		var sseOpts []transport.ClientOption
+		sseOpts = append(sseOpts, transport.WithHeaders(cfg.Headers))
+		if c := mcpHTTPClient(); c != nil {
+			sseOpts = append(sseOpts, transport.WithHTTPClient(c))
+		}
+		return transport.NewSSE(cfg.URL, sseOpts...)
 	default:
 		return nil, xerrors.Errorf("unsupported transport %q", cfg.Transport)
 	}
diff --git a/agent/x/agentmcp/mcphttpclient.go b/agent/x/agentmcp/mcphttpclient.go
new file mode 100644
index 0000000000..7099c44281
--- /dev/null
+++ b/agent/x/agentmcp/mcphttpclient.go
@@ -0,0 +1,25 @@
+package agentmcp
+
+import (
+	"net/http"
+	"testing"
+)
+
+// mcpHTTPClient returns an isolated *http.Client when running
+// inside tests, or nil for production. During tests,
+// httptest.Server.Close() calls
+// http.DefaultTransport.CloseIdleConnections(), which disrupts
+// any MCP client sharing that transport. When DefaultTransport
+// is a *http.Transport it is cloned; otherwise a minimal
+// transport with ProxyFromEnvironment is created as a fallback.
+func mcpHTTPClient() *http.Client {
+	if !testing.Testing() {
+		return nil
+	}
+	if dt, ok := http.DefaultTransport.(*http.Transport); ok {
+		return &http.Client{Transport: dt.Clone()}
+	}
+	return &http.Client{Transport: &http.Transport{
+		Proxy: http.ProxyFromEnvironment,
+	}}
+}
diff --git a/aibridge/mcp/mcphttpclient.go b/aibridge/mcp/mcphttpclient.go
new file mode 100644
index 0000000000..1685bcf795
--- /dev/null
+++ b/aibridge/mcp/mcphttpclient.go
@@ -0,0 +1,25 @@
+package mcp
+
+import (
+	"net/http"
+	"testing"
+)
+
+// mcpHTTPClient returns an isolated *http.Client when running
+// inside tests, or nil for production. During tests,
+// httptest.Server.Close() calls
+// http.DefaultTransport.CloseIdleConnections(), which disrupts
+// any MCP client sharing that transport. When DefaultTransport
+// is a *http.Transport it is cloned; otherwise a minimal
+// transport with ProxyFromEnvironment is created as a fallback.
+func mcpHTTPClient() *http.Client {
+	if !testing.Testing() {
+		return nil
+	}
+	if dt, ok := http.DefaultTransport.(*http.Transport); ok {
+		return &http.Client{Transport: dt.Clone()}
+	}
+	return &http.Client{Transport: &http.Transport{
+		Proxy: http.ProxyFromEnvironment,
+	}}
+}
diff --git a/aibridge/mcp/proxy_streamable_http.go b/aibridge/mcp/proxy_streamable_http.go
index 132c03965a..108a710d19 100644
--- a/aibridge/mcp/proxy_streamable_http.go
+++ b/aibridge/mcp/proxy_streamable_http.go
@@ -39,6 +39,17 @@ func NewStreamableHTTPServerProxy(serverName, serverURL string, headers map[stri
 		opts = append(opts, transport.WithHTTPHeaders(headers))
 	}
 
+	// Prepend an isolated HTTP client when running in tests so
+	// httptest.Server.Close() does not disrupt this proxy's
+	// connections via http.DefaultTransport.CloseIdleConnections().
+	// Caller-provided WithHTTPBasicClient in opts overrides this
+	// (last-wins).
+	if c := mcpHTTPClient(); c != nil {
+		opts = append([]transport.StreamableHTTPCOption{
+			transport.WithHTTPBasicClient(c),
+		}, opts...)
+	}
+
 	mcpClient, err := client.NewStreamableHttpClient(serverURL, opts...)
 	if err != nil {
 		return nil, xerrors.Errorf("create streamable http client: %w", err)
diff --git a/coderd/mcp/mcp_e2e_test.go b/coderd/mcp/mcp_e2e_test.go
index 5b374e36b8..633c68582a 100644
--- a/coderd/mcp/mcp_e2e_test.go
+++ b/coderd/mcp/mcp_e2e_test.go
@@ -12,6 +12,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"sync/atomic"
 	"testing"
 
 	"github.com/google/uuid"
@@ -57,11 +58,10 @@ func TestMCPHTTP_E2E_ClientIntegration(t *testing.T) {
 	mcpURL := api.AccessURL.String() + mcpserver.MCPEndpoint
 
 	// Configure client with authentication headers using RFC 6750 Bearer token
-	mcpClient, err := mcpclient.NewStreamableHttpClient(mcpURL,
+	mcpClient := newIsolatedMCPClient(t, mcpURL,
 		transport.WithHTTPHeaders(map[string]string{
 			"Authorization": "Bearer " + coderClient.SessionToken(),
 		}))
-	require.NoError(t, err)
 	defer func() {
 		if closeErr := mcpClient.Close(); closeErr != nil {
 			t.Logf("Failed to close MCP client: %v", closeErr)
@@ -72,7 +72,7 @@ func TestMCPHTTP_E2E_ClientIntegration(t *testing.T) {
 	defer cancel()
 
 	// Start client
-	err = mcpClient.Start(ctx)
+	err := mcpClient.Start(ctx)
 	require.NoError(t, err)
 
 	// Initialize connection
@@ -190,8 +190,7 @@ func TestMCPHTTP_E2E_UnauthenticatedAccess(t *testing.T) {
 	require.Equal(t, http.StatusUnauthorized, resp.StatusCode, "Should get HTTP 401 for unauthenticated access")
 
 	// Also test with MCP client to ensure it handles the error gracefully
-	mcpClient, err := mcpclient.NewStreamableHttpClient(mcpURL)
-	require.NoError(t, err, "Should be able to create MCP client without authentication")
+	mcpClient := newIsolatedMCPClient(t, mcpURL)
 	defer func() {
 		if closeErr := mcpClient.Close(); closeErr != nil {
 			t.Logf("Failed to close MCP client: %v", closeErr)
@@ -245,11 +244,10 @@ func TestMCPHTTP_E2E_ToolWithWorkspace(t *testing.T) {
 	coderdtest.NewWorkspaceAgentWaiter(t, coderClient, r.Workspace.ID).Wait()
 
 	mcpURL := api.AccessURL.String() + mcpserver.MCPEndpoint
-	mcpClient, err := mcpclient.NewStreamableHttpClient(mcpURL,
+	mcpClient := newIsolatedMCPClient(t, mcpURL,
 		transport.WithHTTPHeaders(map[string]string{
 			"Authorization": "Bearer " + coderClient.SessionToken(),
 		}))
-	require.NoError(t, err)
 	defer func() {
 		if closeErr := mcpClient.Close(); closeErr != nil {
 			t.Logf("Failed to close MCP client: %v", closeErr)
@@ -260,7 +258,7 @@ func TestMCPHTTP_E2E_ToolWithWorkspace(t *testing.T) {
 	defer cancel()
 
 	require.NoError(t, mcpClient.Start(ctx))
-	_, err = mcpClient.Initialize(ctx, mcp.InitializeRequest{
+	_, err := mcpClient.Initialize(ctx, mcp.InitializeRequest{
 		Params: mcp.InitializeParams{
 			ProtocolVersion: mcp.LATEST_PROTOCOL_VERSION,
 			ClientInfo: mcp.Implementation{
@@ -307,11 +305,10 @@ func TestMCPHTTP_E2E_ErrorHandling(t *testing.T) {
 
 	// Create MCP client
 	mcpURL := api.AccessURL.String() + mcpserver.MCPEndpoint
-	mcpClient, err := mcpclient.NewStreamableHttpClient(mcpURL,
+	mcpClient := newIsolatedMCPClient(t, mcpURL,
 		transport.WithHTTPHeaders(map[string]string{
 			"Authorization": "Bearer " + coderClient.SessionToken(),
 		}))
-	require.NoError(t, err)
 	defer func() {
 		if closeErr := mcpClient.Close(); closeErr != nil {
 			t.Logf("Failed to close MCP client: %v", closeErr)
@@ -322,7 +319,7 @@ func TestMCPHTTP_E2E_ErrorHandling(t *testing.T) {
 	defer cancel()
 
 	// Start and initialize client
-	err = mcpClient.Start(ctx)
+	err := mcpClient.Start(ctx)
 	require.NoError(t, err)
 
 	initReq := mcp.InitializeRequest{
@@ -366,11 +363,10 @@ func TestMCPHTTP_E2E_ConcurrentRequests(t *testing.T) {
 
 	// Create MCP client
 	mcpURL := api.AccessURL.String() + mcpserver.MCPEndpoint
-	mcpClient, err := mcpclient.NewStreamableHttpClient(mcpURL,
+	mcpClient := newIsolatedMCPClient(t, mcpURL,
 		transport.WithHTTPHeaders(map[string]string{
 			"Authorization": "Bearer " + coderClient.SessionToken(),
 		}))
-	require.NoError(t, err)
 	defer func() {
 		if closeErr := mcpClient.Close(); closeErr != nil {
 			t.Logf("Failed to close MCP client: %v", closeErr)
@@ -381,7 +377,7 @@ func TestMCPHTTP_E2E_ConcurrentRequests(t *testing.T) {
 	defer cancel()
 
 	// Start and initialize client
-	err = mcpClient.Start(ctx)
+	err := mcpClient.Start(ctx)
 	require.NoError(t, err)
 
 	initReq := mcp.InitializeRequest{
@@ -520,11 +516,10 @@ func TestMCPHTTP_E2E_OAuth2_EndToEnd(t *testing.T) {
 		sessionToken := coderClient.SessionToken()
 
 		mcpURL := api.AccessURL.String() + mcpserver.MCPEndpoint
-		mcpClient, err := mcpclient.NewStreamableHttpClient(mcpURL,
+		mcpClient := newIsolatedMCPClient(t, mcpURL,
 			transport.WithHTTPHeaders(map[string]string{
 				"Authorization": "Bearer " + sessionToken,
 			}))
-		require.NoError(t, err)
 		defer func() {
 			if closeErr := mcpClient.Close(); closeErr != nil {
 				t.Logf("Failed to close MCP client: %v", closeErr)
@@ -669,11 +664,10 @@ func TestMCPHTTP_E2E_OAuth2_EndToEnd(t *testing.T) {
 
 		// Step 3: Use access token to authenticate with MCP endpoint
 		mcpURL := api.AccessURL.String() + mcpserver.MCPEndpoint
-		mcpClient, err := mcpclient.NewStreamableHttpClient(mcpURL,
+		mcpClient := newIsolatedMCPClient(t, mcpURL,
 			transport.WithHTTPHeaders(map[string]string{
 				"Authorization": "Bearer " + accessToken,
 			}))
-		require.NoError(t, err)
 		defer func() {
 			if closeErr := mcpClient.Close(); closeErr != nil {
 				t.Logf("Failed to close MCP client: %v", closeErr)
@@ -762,11 +756,10 @@ func TestMCPHTTP_E2E_OAuth2_EndToEnd(t *testing.T) {
 		t.Logf("Successfully refreshed token: %s...", newAccessToken[:10])
 
 		// Step 5: Use new access token to create another MCP connection
-		newMcpClient, err := mcpclient.NewStreamableHttpClient(mcpURL,
+		newMcpClient := newIsolatedMCPClient(t, mcpURL,
 			transport.WithHTTPHeaders(map[string]string{
 				"Authorization": "Bearer " + newAccessToken,
 			}))
-		require.NoError(t, err)
 		defer func() {
 			if closeErr := newMcpClient.Close(); closeErr != nil {
 				t.Logf("Failed to close new MCP client: %v", closeErr)
@@ -990,11 +983,10 @@ func TestMCPHTTP_E2E_OAuth2_EndToEnd(t *testing.T) {
 		t.Logf("Successfully obtained access token: %s...", accessToken[:10])
 
 		// Step 5: Use access token to get user information via MCP
-		mcpClient, err := mcpclient.NewStreamableHttpClient(mcpURL,
+		mcpClient := newIsolatedMCPClient(t, mcpURL,
 			transport.WithHTTPHeaders(map[string]string{
 				"Authorization": "Bearer " + accessToken,
 			}))
-		require.NoError(t, err)
 		defer func() {
 			if closeErr := mcpClient.Close(); closeErr != nil {
 				t.Logf("Failed to close MCP client: %v", closeErr)
@@ -1088,11 +1080,10 @@ func TestMCPHTTP_E2E_OAuth2_EndToEnd(t *testing.T) {
 		t.Logf("Successfully refreshed token: %s...", newAccessToken[:10])
 
 		// Step 7: Use refreshed token to get user information again via MCP
-		newMcpClient, err := mcpclient.NewStreamableHttpClient(mcpURL,
+		newMcpClient := newIsolatedMCPClient(t, mcpURL,
 			transport.WithHTTPHeaders(map[string]string{
 				"Authorization": "Bearer " + newAccessToken,
 			}))
-		require.NoError(t, err)
 		defer func() {
 			if closeErr := newMcpClient.Close(); closeErr != nil {
 				t.Logf("Failed to close new MCP client: %v", closeErr)
@@ -1268,11 +1259,10 @@ func TestMCPHTTP_E2E_ChatGPTEndpoint(t *testing.T) {
 	mcpURL := api.AccessURL.String() + mcpserver.MCPEndpoint + "?toolset=chatgpt"
 
 	// Configure client with authentication headers using RFC 6750 Bearer token
-	mcpClient, err := mcpclient.NewStreamableHttpClient(mcpURL,
+	mcpClient := newIsolatedMCPClient(t, mcpURL,
 		transport.WithHTTPHeaders(map[string]string{
 			"Authorization": "Bearer " + coderClient.SessionToken(),
 		}))
-	require.NoError(t, err)
 	t.Cleanup(func() {
 		if closeErr := mcpClient.Close(); closeErr != nil {
 			t.Logf("Failed to close MCP client: %v", closeErr)
@@ -1283,7 +1273,7 @@ func TestMCPHTTP_E2E_ChatGPTEndpoint(t *testing.T) {
 	defer cancel()
 
 	// Start client
-	err = mcpClient.Start(ctx)
+	err := mcpClient.Start(ctx)
 	require.NoError(t, err)
 
 	// Initialize connection
@@ -1433,11 +1423,10 @@ func TestMCPHTTP_E2E_WorkspaceSSHAuthz(t *testing.T) {
 
 	// Connect with the template-admin user.
 	mcpURL := api.AccessURL.String() + mcpserver.MCPEndpoint
-	mcpClient, err := mcpclient.NewStreamableHttpClient(mcpURL,
+	mcpClient := newIsolatedMCPClient(t, mcpURL,
 		transport.WithHTTPHeaders(map[string]string{
 			"Authorization": "Bearer " + tmplAdminClient.SessionToken(),
 		}))
-	require.NoError(t, err)
 	defer func() {
 		_ = mcpClient.Close()
 	}()
@@ -1446,7 +1435,7 @@ func TestMCPHTTP_E2E_WorkspaceSSHAuthz(t *testing.T) {
 	defer cancel()
 
 	require.NoError(t, mcpClient.Start(ctx))
-	_, err = mcpClient.Initialize(ctx, mcp.InitializeRequest{
+	_, err := mcpClient.Initialize(ctx, mcp.InitializeRequest{
 		Params: mcp.InitializeParams{
 			ProtocolVersion: mcp.LATEST_PROTOCOL_VERSION,
 			ClientInfo: mcp.Implementation{
@@ -1489,3 +1478,91 @@ func mustParseURL(t *testing.T, rawURL string) *url.URL {
 	require.NoError(t, err, "Failed to parse URL %q", rawURL)
 	return u
 }
+
+// newIsolatedMCPClient creates a streamable HTTP MCP client that uses
+// an isolated http.Transport cloned from http.DefaultTransport.
+// This prevents httptest.Server.Close() (which calls
+// http.DefaultTransport.CloseIdleConnections()) from disrupting the
+// client's connections during parallel tests.
+func newIsolatedMCPClient(t *testing.T, mcpURL string, opts ...transport.StreamableHTTPCOption) *mcpclient.Client {
+	t.Helper()
+	isolated := coderdtest.NewIsolatedHTTPClient(nil)
+	opts = append([]transport.StreamableHTTPCOption{transport.WithHTTPBasicClient(isolated)}, opts...)
+	client, err := mcpclient.NewStreamableHttpClient(mcpURL, opts...)
+	require.NoError(t, err)
+	return client
+}
+
+// sentinelTransport wraps an http.RoundTripper and counts how many
+// requests flow through it. Used as a test sentinel to verify
+// whether a client is (or is not) using http.DefaultTransport.
+type sentinelTransport struct {
+	inner http.RoundTripper
+	hits  atomic.Int64
+}
+
+func (s *sentinelTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	s.hits.Add(1)
+	return s.inner.RoundTrip(req)
+}
+
+// TestMCPHTTP_E2E_TransportIsolation verifies that the
+// newIsolatedMCPClient helper creates clients that do NOT route
+// requests through http.DefaultTransport, while raw
+// mcpclient.NewStreamableHttpClient (without explicit
+// WithHTTPBasicClient) does use it.
+//
+//nolint:paralleltest // Mutates http.DefaultTransport.
+func TestMCPHTTP_E2E_TransportIsolation(t *testing.T) {
+	// Replace DefaultTransport with a counting sentinel.
+	original := http.DefaultTransport
+	sentinel := &sentinelTransport{inner: original}
+	http.DefaultTransport = sentinel
+	t.Cleanup(func() { http.DefaultTransport = original })
+
+	coderClient, closer, api := coderdtest.NewWithAPI(t, nil)
+	t.Cleanup(func() { closer.Close() })
+	_ = coderdtest.CreateFirstUser(t, coderClient)
+
+	mcpURL := api.AccessURL.String() + mcpserver.MCPEndpoint
+	authOpt := transport.WithHTTPHeaders(map[string]string{
+		"Authorization": "Bearer " + coderClient.SessionToken(),
+	})
+
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+	defer cancel()
+
+	initReq := mcp.InitializeRequest{
+		Params: mcp.InitializeParams{
+			ProtocolVersion: mcp.LATEST_PROTOCOL_VERSION,
+			ClientInfo:      mcp.Implementation{Name: "sentinel-test", Version: "1.0.0"},
+		},
+	}
+
+	t.Run("RawClientUsesDefaultTransport", func(t *testing.T) {
+		sentinel.hits.Store(0)
+		rawClient, err := mcpclient.NewStreamableHttpClient(mcpURL, authOpt)
+		require.NoError(t, err)
+		defer func() { _ = rawClient.Close() }()
+
+		require.NoError(t, rawClient.Start(ctx))
+		_, err = rawClient.Initialize(ctx, initReq)
+		require.NoError(t, err)
+
+		require.Greater(t, sentinel.hits.Load(), int64(0),
+			"raw client should route requests through http.DefaultTransport")
+	})
+
+	t.Run("IsolatedClientBypassesDefaultTransport", func(t *testing.T) {
+		sentinel.hits.Store(0)
+		isoClient := newIsolatedMCPClient(t, mcpURL, authOpt)
+		defer func() { _ = isoClient.Close() }()
+
+		require.NoError(t, isoClient.Start(ctx))
+		_, err := isoClient.Initialize(ctx, initReq)
+		require.NoError(t, err)
+
+		require.Equal(t, int64(0), sentinel.hits.Load(),
+			"isolated client must NOT route requests through http.DefaultTransport")
+	})
+}
diff --git a/coderd/x/chatd/mcpclient/mcpclient.go b/coderd/x/chatd/mcpclient/mcpclient.go
index 16ef5ed9fd..cb7e0322c2 100644
--- a/coderd/x/chatd/mcpclient/mcpclient.go
+++ b/coderd/x/chatd/mcpclient/mcpclient.go
@@ -285,31 +285,24 @@ func createTransport(
 	cfg database.MCPServerConfig,
 	headers map[string]string,
 ) (transport.Interface, error) {
-	// Each connection gets its own HTTP client with a dedicated
-	// transport so that httptest.Server.Close() (which calls
-	// CloseIdleConnections on http.DefaultTransport) does not
-	// disrupt unrelated connections during parallel tests.
-	var httpClient *http.Client
-	if dt, ok := http.DefaultTransport.(*http.Transport); ok {
-		httpClient = &http.Client{Transport: dt.Clone()}
-	} else {
-		httpClient = &http.Client{}
-	}
+	httpClient := mcpHTTPClient()
 
 	switch cfg.Transport {
 	case "sse":
-		return transport.NewSSE(
-			cfg.Url,
-			transport.WithHeaders(headers),
-			transport.WithHTTPClient(httpClient),
-		)
+		var opts []transport.ClientOption
+		opts = append(opts, transport.WithHeaders(headers))
+		if httpClient != nil {
+			opts = append(opts, transport.WithHTTPClient(httpClient))
+		}
+		return transport.NewSSE(cfg.Url, opts...)
 	case "", "streamable_http":
 		// Default to streamable HTTP, the newer transport.
-		return transport.NewStreamableHTTP(
-			cfg.Url,
-			transport.WithHTTPHeaders(headers),
-			transport.WithHTTPBasicClient(httpClient),
-		)
+		var opts []transport.StreamableHTTPCOption
+		opts = append(opts, transport.WithHTTPHeaders(headers))
+		if httpClient != nil {
+			opts = append(opts, transport.WithHTTPBasicClient(httpClient))
+		}
+		return transport.NewStreamableHTTP(cfg.Url, opts...)
 	default:
 		return nil, xerrors.Errorf(
 			"unsupported transport %q", cfg.Transport,
diff --git a/coderd/x/chatd/mcpclient/mcphttpclient.go b/coderd/x/chatd/mcpclient/mcphttpclient.go
new file mode 100644
index 0000000000..c34ff59262
--- /dev/null
+++ b/coderd/x/chatd/mcpclient/mcphttpclient.go
@@ -0,0 +1,25 @@
+package mcpclient
+
+import (
+	"net/http"
+	"testing"
+)
+
+// mcpHTTPClient returns an isolated *http.Client when running
+// inside tests, or nil for production. During tests,
+// httptest.Server.Close() calls
+// http.DefaultTransport.CloseIdleConnections(), which disrupts
+// any MCP client sharing that transport. When DefaultTransport
+// is a *http.Transport it is cloned; otherwise a minimal
+// transport with ProxyFromEnvironment is created as a fallback.
+func mcpHTTPClient() *http.Client {
+	if !testing.Testing() {
+		return nil
+	}
+	if dt, ok := http.DefaultTransport.(*http.Transport); ok {
+		return &http.Client{Transport: dt.Clone()}
+	}
+	return &http.Client{Transport: &http.Transport{
+		Proxy: http.ProxyFromEnvironment,
+	}}
+}

From a85462bd4973efd96e2d43761266ccc8c3ebc60f Mon Sep 17 00:00:00 2001
From: Danny Kopping <danny@coder.com>
Date: Mon, 1 Jun 2026 15:26:37 +0200
Subject: [PATCH 13/23] feat: support adding GitHub Copilot AI provider via UI
 (#25888)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Copilot is the only AI provider type that could not be added through the `/ai/settings` UI. The aibridge runtime and the env-var seeding path already supported it, but the runtime CRUD API rejected `type=copilot` and the UI omitted it entirely. The root cause is that Copilot's auth model (a per-request GitHub OAuth token, with no pre-shared key) does not fit the credential-centric add-provider flow that every other provider uses.

## Backend

Allow `type=copilot` in `CreateAIProviderRequest.Validate()`, and reject `api_keys` for Copilot on both create (validation) and update (handler sentinel), mirroring the existing Bedrock guards. Copilot carries no stored credential.

## Frontend

Add Copilot to the provider type picker (with the `github-copilot.svg` icon) and give the form a credential-free branch: name, display name, and a free-text endpoint defaulting to `https://api.business.githubcopilot.com`, with copy explaining that authentication happens via the user's GitHub token at request time. Copilot maps to the distinct `copilot` wire type rather than collapsing to `openai`, and the edit flow recovers it correctly.

The endpoint stays required with a business-tier default; users on the individual or enterprise endpoints edit the field.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
---
 coderd/ai_providers.go                        | 16 +++++
 coderd/ai_providers_test.go                   | 69 +++++++++++++++++++
 codersdk/aiproviders.go                       | 12 +++-
 enterprise/aibridgeproxyd/aibridgeproxyd.go   | 35 +++++++++-
 .../aibridgeproxyd_internal_test.go           | 68 ++++++++++++++++++
 site/src/api/typesGenerated.ts                |  5 +-
 .../AddProviderPageView.stories.tsx           | 23 +++++++
 .../AddProviderPage/AddProviderPageView.tsx   |  7 +-
 .../UpdateProviderPageView.stories.tsx        | 16 +++++
 .../UpdateProviderPageView.tsx                | 12 ++--
 .../components/ProviderForm.stories.tsx       | 32 +++++++++
 .../ProvidersPage/components/ProviderForm.tsx | 61 +++++++++++++---
 .../components/ProviderIcon.stories.tsx       |  6 ++
 .../ProvidersPage/components/ProviderIcon.tsx |  4 ++
 .../components/addableProviderTypes.ts        |  1 +
 .../components/providerFormApiMap.test.ts     | 63 +++++++++++++++++
 .../components/providerFormApiMap.ts          | 49 +++++++++----
 site/src/testHelpers/entities.ts              | 14 ++++
 18 files changed, 457 insertions(+), 36 deletions(-)
 create mode 100644 enterprise/aibridgeproxyd/aibridgeproxyd_internal_test.go

diff --git a/coderd/ai_providers.go b/coderd/ai_providers.go
index 78ca50ecc9..0637822592 100644
--- a/coderd/ai_providers.go
+++ b/coderd/ai_providers.go
@@ -340,6 +340,10 @@ func (api *API) aiProvidersUpdate(rw http.ResponseWriter, r *http.Request) {
 			return errBedrockRejectsAPIKeys
 		}
 
+		if req.APIKeys != nil && old.Type == database.AiProviderTypeCopilot && len(*req.APIKeys) > 0 {
+			return errCopilotRejectsAPIKeys
+		}
+
 		displayName := old.DisplayName
 		if req.DisplayName != nil {
 			// Empty string clears the column.
@@ -383,6 +387,12 @@ func (api *API) aiProvidersUpdate(rw http.ResponseWriter, r *http.Request) {
 		})
 		return
 	}
+	if errors.Is(err, errCopilotRejectsAPIKeys) {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: "Copilot providers do not accept api_keys; they authenticate via request-time GitHub OAuth tokens.",
+		})
+		return
+	}
 	if errors.Is(err, errAIProviderBedrockTypeMismatch) {
 		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
 			Message: "Bedrock settings are only valid for type=anthropic or type=bedrock.",
@@ -483,6 +493,12 @@ func (api *API) publishAIProvidersChanged(ctx context.Context) {
 // Bedrock-typed provider; the outer handler translates it into a 400.
 var errBedrockRejectsAPIKeys = xerrors.New("bedrock providers do not accept api_keys")
 
+// errCopilotRejectsAPIKeys is the sentinel returned from inside the
+// update transaction when a caller attempts to attach api_keys to a
+// Copilot-typed provider; the outer handler translates it into a 400.
+// Copilot authenticates via request-time GitHub OAuth tokens.
+var errCopilotRejectsAPIKeys = xerrors.New("copilot providers do not accept api_keys")
+
 // errAIProviderBedrockTypeMismatch is the sentinel returned from
 // inside the update transaction when the post-merge settings carry a
 // Bedrock block but the provider is not anthropic- or bedrock-typed;
diff --git a/coderd/ai_providers_test.go b/coderd/ai_providers_test.go
index c020f90c26..e4f4f27a06 100644
--- a/coderd/ai_providers_test.go
+++ b/coderd/ai_providers_test.go
@@ -889,6 +889,75 @@ func TestAIProvidersKeyManagement(t *testing.T) {
 		require.Contains(t, sdkErr.Message, "Bedrock providers do not accept api_keys")
 	})
 
+	t.Run("CopilotCreateWithoutKeys", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		_ = coderdtest.CreateFirstUser(t, client)
+		ctx := testutil.Context(t, testutil.WaitLong)
+
+		//nolint:gocritic // Owner role is the audience for this endpoint.
+		provider, err := client.CreateAIProvider(ctx, codersdk.CreateAIProviderRequest{
+			Type:    codersdk.AIProviderTypeCopilot,
+			Name:    "keys-copilot",
+			Enabled: true,
+			BaseURL: "https://api.business.githubcopilot.com",
+		})
+		require.NoError(t, err)
+		require.Equal(t, codersdk.AIProviderTypeCopilot, provider.Type)
+		require.Empty(t, provider.APIKeys)
+	})
+
+	t.Run("CopilotRejectsCreateWithKeys", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		_ = coderdtest.CreateFirstUser(t, client)
+		ctx := testutil.Context(t, testutil.WaitLong)
+
+		//nolint:gocritic // Owner role is the audience for this endpoint.
+		_, err := client.CreateAIProvider(ctx, codersdk.CreateAIProviderRequest{
+			Type:    codersdk.AIProviderTypeCopilot,
+			Name:    "keys-copilot-create",
+			Enabled: true,
+			BaseURL: "https://api.business.githubcopilot.com",
+			APIKeys: []string{"sk-should-be-rejected"}, //nolint:gosec // test fixture, not a real credential
+		})
+		require.Error(t, err)
+		var sdkErr *codersdk.Error
+		require.ErrorAs(t, err, &sdkErr)
+		require.Equal(t, http.StatusBadRequest, sdkErr.StatusCode())
+		require.Len(t, sdkErr.Validations, 1)
+		require.Equal(t, "api_keys", sdkErr.Validations[0].Field)
+		require.Contains(t, sdkErr.Validations[0].Detail, "type=copilot does not accept api_keys")
+	})
+
+	t.Run("CopilotRejectsUpdateWithKeys", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		_ = coderdtest.CreateFirstUser(t, client)
+		ctx := testutil.Context(t, testutil.WaitLong)
+
+		//nolint:gocritic // Owner role is the audience for this endpoint.
+		provider, err := client.CreateAIProvider(ctx, codersdk.CreateAIProviderRequest{
+			Type:    codersdk.AIProviderTypeCopilot,
+			Name:    "keys-copilot-update",
+			Enabled: true,
+			BaseURL: "https://api.business.githubcopilot.com",
+		})
+		require.NoError(t, err)
+
+		rejected := []codersdk.AIProviderKeyMutation{
+			{APIKey: ptr.Ref("sk-copilot-no")}, //nolint:gosec // test fixture, not a real credential
+		}
+		_, err = client.UpdateAIProvider(ctx, provider.Name, codersdk.UpdateAIProviderRequest{
+			APIKeys: &rejected,
+		})
+		require.Error(t, err)
+		var sdkErr *codersdk.Error
+		require.ErrorAs(t, err, &sdkErr)
+		require.Equal(t, http.StatusBadRequest, sdkErr.StatusCode())
+		require.Contains(t, sdkErr.Message, "Copilot providers do not accept api_keys")
+	})
+
 	t.Run("EmptyKeyRejected", func(t *testing.T) {
 		t.Parallel()
 		client := coderdtest.New(t, nil)
diff --git a/codersdk/aiproviders.go b/codersdk/aiproviders.go
index fe34b9c03c..7b513340bc 100644
--- a/codersdk/aiproviders.go
+++ b/codersdk/aiproviders.go
@@ -188,8 +188,9 @@ type AIProviderKey struct {
 
 // CreateAIProviderRequest is the payload for creating a new AI
 // provider. Name and Type are required. APIKeys carries the plaintext
-// keys for OpenAI/Anthropic providers; Bedrock providers authenticate
-// via Settings and must omit APIKeys.
+// keys for OpenAI/Anthropic providers; Bedrock and Copilot providers
+// must omit APIKeys (Bedrock authenticates via Settings, Copilot via
+// request-time GitHub OAuth tokens).
 type CreateAIProviderRequest struct {
 	Type        AIProviderType     `json:"type"`
 	Name        string             `json:"name"`
@@ -209,6 +210,7 @@ func (req CreateAIProviderRequest) Validate() []ValidationError {
 		AIProviderTypeAnthropic,
 		AIProviderTypeAzure,
 		AIProviderTypeBedrock,
+		AIProviderTypeCopilot,
 		AIProviderTypeGoogle,
 		AIProviderTypeOpenAICompat,
 		AIProviderTypeOpenrouter,
@@ -244,6 +246,12 @@ func (req CreateAIProviderRequest) Validate() []ValidationError {
 			Detail: "type=bedrock does not accept api_keys",
 		})
 	}
+	if req.Type == AIProviderTypeCopilot && len(req.APIKeys) > 0 {
+		validations = append(validations, ValidationError{
+			Field:  "api_keys",
+			Detail: "type=copilot does not accept api_keys",
+		})
+	}
 	return validations
 }
 
diff --git a/enterprise/aibridgeproxyd/aibridgeproxyd.go b/enterprise/aibridgeproxyd/aibridgeproxyd.go
index cfcb2071c4..438d7c46b7 100644
--- a/enterprise/aibridgeproxyd/aibridgeproxyd.go
+++ b/enterprise/aibridgeproxyd/aibridgeproxyd.go
@@ -1076,9 +1076,11 @@ func (s *Server) handleResponse(resp *http.Response, ctx *goproxy.ProxyCtx) *htt
 
 	switch {
 	case resp.StatusCode >= http.StatusInternalServerError:
-		logger.Error(s.ctx, "received error response from aibridged")
+		logger.Error(s.ctx, "received error response from aibridged",
+			slog.F("response_body", s.readErrorBodyForLog(resp, logger)))
 	case resp.StatusCode >= http.StatusBadRequest:
-		logger.Warn(s.ctx, "received error response from aibridged")
+		logger.Warn(s.ctx, "received error response from aibridged",
+			slog.F("response_body", s.readErrorBodyForLog(resp, logger)))
 	default:
 		logger.Debug(s.ctx, "received response from aibridged")
 	}
@@ -1101,6 +1103,35 @@ func (s *Server) handleResponse(resp *http.Response, ctx *goproxy.ProxyCtx) *htt
 	return resp
 }
 
+// maxLoggedErrorBodyBytes bounds how much of an aibridged error response
+// body is rendered into a log line, so a large upstream error payload
+// cannot blow up log volume.
+const maxLoggedErrorBodyBytes = 16 << 10 // 16 KiB
+
+// readErrorBodyForLog reads resp.Body for diagnostic logging and restores
+// it with an equivalent reader, so the proxy still forwards the body
+// downstream and the response dumper can read it again. The returned
+// string is truncated to maxLoggedErrorBodyBytes; the restored body is
+// always complete.
+func (s *Server) readErrorBodyForLog(resp *http.Response, logger slog.Logger) string {
+	if resp.Body == nil {
+		return ""
+	}
+	body, err := io.ReadAll(resp.Body)
+	_ = resp.Body.Close()
+	// Restore the full body even on a read error: the proxy and dumper
+	// downstream still expect a readable body, and a partial body is
+	// better than a nil one.
+	resp.Body = io.NopCloser(bytes.NewReader(body))
+	if err != nil {
+		logger.Warn(s.ctx, "failed to read aibridged error response body", slog.Error(err))
+	}
+	if len(body) > maxLoggedErrorBodyBytes {
+		return string(body[:maxLoggedErrorBodyBytes]) + "...(truncated)"
+	}
+	return string(body)
+}
+
 // Handler returns an HTTP handler for the AI Bridge Proxy's HTTP endpoints.
 // This is separate from the proxy server itself and is used by coderd to
 // serve endpoints like the CA certificate.
diff --git a/enterprise/aibridgeproxyd/aibridgeproxyd_internal_test.go b/enterprise/aibridgeproxyd/aibridgeproxyd_internal_test.go
new file mode 100644
index 0000000000..397ed1cf3e
--- /dev/null
+++ b/enterprise/aibridgeproxyd/aibridgeproxyd_internal_test.go
@@ -0,0 +1,68 @@
+package aibridgeproxyd
+
+import (
+	"bytes"
+	"io"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"cdr.dev/slog/v3/sloggers/slogtest"
+)
+
+// TestReadErrorBodyForLog verifies that reading an aibridged error
+// response body for logging leaves the body intact for downstream
+// consumers (the proxy forwards it, and the response dumper reads it
+// again), and that the logged rendering is capped.
+func TestReadErrorBodyForLog(t *testing.T) {
+	t.Parallel()
+
+	newResponse := func(body string) *http.Response {
+		return &http.Response{
+			StatusCode: http.StatusBadRequest,
+			Body:       io.NopCloser(strings.NewReader(body)),
+		}
+	}
+
+	t.Run("ReturnsBodyAndRestores", func(t *testing.T) {
+		t.Parallel()
+		s := &Server{ctx: t.Context(), logger: slogtest.Make(t, nil)}
+		resp := newResponse(`{"error":"bad request"}`)
+
+		got := s.readErrorBodyForLog(resp, s.logger)
+		require.Equal(t, `{"error":"bad request"}`, got)
+
+		// The body must still be readable in full for the proxy and the
+		// response dumper.
+		restored, err := io.ReadAll(resp.Body)
+		require.NoError(t, err)
+		require.Equal(t, `{"error":"bad request"}`, string(restored))
+	})
+
+	t.Run("TruncatesLargeBodyButRestoresFull", func(t *testing.T) {
+		t.Parallel()
+		s := &Server{ctx: t.Context(), logger: slogtest.Make(t, nil)}
+		full := bytes.Repeat([]byte("a"), maxLoggedErrorBodyBytes+512)
+		resp := newResponse(string(full))
+
+		got := s.readErrorBodyForLog(resp, s.logger)
+		require.Len(t, got, maxLoggedErrorBodyBytes+len("...(truncated)"))
+		require.True(t, strings.HasSuffix(got, "...(truncated)"))
+
+		// Truncation only affects the log string; the restored body is
+		// the complete payload.
+		restored, err := io.ReadAll(resp.Body)
+		require.NoError(t, err)
+		require.Equal(t, full, restored)
+	})
+
+	t.Run("NilBody", func(t *testing.T) {
+		t.Parallel()
+		s := &Server{ctx: t.Context(), logger: slogtest.Make(t, nil)}
+		resp := &http.Response{StatusCode: http.StatusInternalServerError, Body: nil}
+
+		require.Equal(t, "", s.readErrorBodyForLog(resp, s.logger))
+	})
+}
diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts
index c4fae7a3d0..a42e1489ff 100644
--- a/site/src/api/typesGenerated.ts
+++ b/site/src/api/typesGenerated.ts
@@ -3240,8 +3240,9 @@ export interface ConvertLoginRequest {
 /**
  * CreateAIProviderRequest is the payload for creating a new AI
  * provider. Name and Type are required. APIKeys carries the plaintext
- * keys for OpenAI/Anthropic providers; Bedrock providers authenticate
- * via Settings and must omit APIKeys.
+ * keys for OpenAI/Anthropic providers; Bedrock and Copilot providers
+ * must omit APIKeys (Bedrock authenticates via Settings, Copilot via
+ * request-time GitHub OAuth tokens).
  */
 export interface CreateAIProviderRequest {
 	readonly type: AIProviderType;
diff --git a/site/src/pages/AISettingsPage/ProvidersPage/AddProviderPage/AddProviderPageView.stories.tsx b/site/src/pages/AISettingsPage/ProvidersPage/AddProviderPage/AddProviderPageView.stories.tsx
index f7bbab9761..176f8fb9ed 100644
--- a/site/src/pages/AISettingsPage/ProvidersPage/AddProviderPage/AddProviderPageView.stories.tsx
+++ b/site/src/pages/AISettingsPage/ProvidersPage/AddProviderPage/AddProviderPageView.stories.tsx
@@ -1,4 +1,5 @@
 import type { Meta, StoryObj } from "@storybook/react-vite";
+import { within } from "storybook/test";
 import { reactRouterParameters } from "storybook-addon-remix-react-router";
 import { withToaster } from "#/testHelpers/storybook";
 import { addableProviders } from "../components/addableProviderTypes";
@@ -26,16 +27,38 @@ export const AddAnthropic: Story = {
 	args: {
 		provider: addableProviders.find((p) => p.value === "anthropic")!,
 	},
+	play: async ({ canvasElement }) => {
+		const canvas = within(canvasElement);
+		await canvas.findByText("Add an Anthropic provider");
+	},
 };
 
 export const AddOpenAI: Story = {
 	args: {
 		provider: addableProviders.find((p) => p.value === "openai")!,
 	},
+	play: async ({ canvasElement }) => {
+		const canvas = within(canvasElement);
+		await canvas.findByText("Add an OpenAI provider");
+	},
 };
 
 export const AddBedrock: Story = {
 	args: {
 		provider: addableProviders.find((p) => p.value === "bedrock")!,
 	},
+	play: async ({ canvasElement }) => {
+		const canvas = within(canvasElement);
+		await canvas.findByText("Add an AWS Bedrock provider");
+	},
+};
+
+export const AddCopilot: Story = {
+	args: {
+		provider: addableProviders.find((p) => p.value === "copilot")!,
+	},
+	play: async ({ canvasElement }) => {
+		const canvas = within(canvasElement);
+		await canvas.findByText("Add a GitHub Copilot provider");
+	},
 };
diff --git a/site/src/pages/AISettingsPage/ProvidersPage/AddProviderPage/AddProviderPageView.tsx b/site/src/pages/AISettingsPage/ProvidersPage/AddProviderPage/AddProviderPageView.tsx
index 6f21156077..dbdb31b36a 100644
--- a/site/src/pages/AISettingsPage/ProvidersPage/AddProviderPage/AddProviderPageView.tsx
+++ b/site/src/pages/AISettingsPage/ProvidersPage/AddProviderPage/AddProviderPageView.tsx
@@ -16,6 +16,9 @@ interface AddProviderPageViewProps {
 	provider: AddableProvider;
 }
 
+const indefiniteArticle = (word: string): string =>
+	/^[aeiou]/i.test(word) ? "an" : "a";
+
 const AddProviderPageView: React.FC<AddProviderPageViewProps> = ({
 	provider,
 }) => {
@@ -38,7 +41,9 @@ const AddProviderPageView: React.FC<AddProviderPageViewProps> = ({
 						size="lg"
 						src={getProviderIcon(provider.value)}
 					/>
-					<SettingsHeaderTitle>{`Add a ${provider.label} provider`}</SettingsHeaderTitle>
+					<SettingsHeaderTitle>{`Add ${indefiniteArticle(
+						provider.label,
+					)} ${provider.label} provider`}</SettingsHeaderTitle>
 				</div>
 				<p className="text-sm text-content-secondary m-0">
 					Configure connection details and credentials.
diff --git a/site/src/pages/AISettingsPage/ProvidersPage/UpdateProviderPage/UpdateProviderPageView.stories.tsx b/site/src/pages/AISettingsPage/ProvidersPage/UpdateProviderPage/UpdateProviderPageView.stories.tsx
index 15713428f9..4d212d2b14 100644
--- a/site/src/pages/AISettingsPage/ProvidersPage/UpdateProviderPage/UpdateProviderPageView.stories.tsx
+++ b/site/src/pages/AISettingsPage/ProvidersPage/UpdateProviderPage/UpdateProviderPageView.stories.tsx
@@ -5,6 +5,7 @@ import type { AIProvider } from "#/api/typesGenerated";
 import {
 	MockAIProviderAnthropic,
 	MockAIProviderBedrock,
+	MockAIProviderCopilot,
 	MockAIProviderOpenAI,
 } from "#/testHelpers/entities";
 import { withToaster } from "#/testHelpers/storybook";
@@ -53,6 +54,21 @@ export const Bedrock: Story = {
 	},
 };
 
+// Copilot has no stored credential, so the edit form renders no API key
+// field and keeps the immutable name disabled.
+export const Copilot: Story = {
+	parameters: {
+		reactRouter: routingFor(`/ai/settings/${MockAIProviderCopilot.name}`),
+		...seed(MockAIProviderCopilot),
+	},
+	play: async ({ canvasElement }) => {
+		const canvas = within(canvasElement);
+		const name = await canvas.findByLabelText(/^name/i);
+		expect(name).toBeDisabled();
+		expect(canvas.queryByLabelText(/api key/i)).not.toBeInTheDocument();
+	},
+};
+
 // No seeded query: the page renders the loader while useQuery fetches.
 export const Loading: Story = {
 	parameters: {
diff --git a/site/src/pages/AISettingsPage/ProvidersPage/UpdateProviderPage/UpdateProviderPageView.tsx b/site/src/pages/AISettingsPage/ProvidersPage/UpdateProviderPage/UpdateProviderPageView.tsx
index dbeb16003d..9991c3b8f6 100644
--- a/site/src/pages/AISettingsPage/ProvidersPage/UpdateProviderPage/UpdateProviderPageView.tsx
+++ b/site/src/pages/AISettingsPage/ProvidersPage/UpdateProviderPage/UpdateProviderPageView.tsx
@@ -43,8 +43,12 @@ const UpdateProviderPageView: React.FC = () => {
 	});
 
 	const provider = providerQuery.data;
-	const providerIsOpenAiAnthropic =
-		provider !== undefined && !isBedrockProvider(provider);
+	// Copilot has no stored credential, and Bedrock keeps its secrets in
+	// settings, so only the remaining types surface the api_keys UI.
+	const providerUsesApiKeys =
+		provider !== undefined &&
+		!isBedrockProvider(provider) &&
+		provider.type !== "copilot";
 
 	const updateMutation = useMutation(
 		updateAIProviderMutation(queryClient, providerId ?? ""),
@@ -109,8 +113,8 @@ const UpdateProviderPageView: React.FC = () => {
 	}
 
 	const openAiAnthropicSavedApiKey =
-		providerIsOpenAiAnthropic && provider.api_keys.length > 0;
-	const openAiAnthropicMaskedApiKey = providerIsOpenAiAnthropic
+		providerUsesApiKeys && provider.api_keys.length > 0;
+	const openAiAnthropicMaskedApiKey = providerUsesApiKeys
 		? provider.api_keys[0]?.masked
 		: undefined;
 
diff --git a/site/src/pages/AISettingsPage/ProvidersPage/components/ProviderForm.stories.tsx b/site/src/pages/AISettingsPage/ProvidersPage/components/ProviderForm.stories.tsx
index 8fda28fae2..181a786a32 100644
--- a/site/src/pages/AISettingsPage/ProvidersPage/components/ProviderForm.stories.tsx
+++ b/site/src/pages/AISettingsPage/ProvidersPage/components/ProviderForm.stories.tsx
@@ -64,6 +64,38 @@ export const EditBedrockKeepCredentials: Story = {
 	},
 };
 
+export const AddCopilot: Story = {
+	args: {
+		// The real add flow passes only the type; the form fills name and
+		// endpoint from the copilot defaults.
+		initialValues: { type: "copilot" },
+	},
+	play: async ({ canvasElement }) => {
+		const canvas = within(canvasElement);
+		await canvas.findByLabelText(/endpoint/i);
+		expect(canvas.queryByLabelText(/api key/i)).not.toBeInTheDocument();
+	},
+};
+
+export const EditCopilot: Story = {
+	args: {
+		editing: true,
+		initialValues: {
+			type: "copilot",
+			name: "copilot",
+			displayName: "GitHub Copilot",
+			baseUrl: "https://api.business.githubcopilot.com",
+			enabled: true,
+		},
+	},
+	play: async ({ canvasElement }) => {
+		const canvas = within(canvasElement);
+		const name = await canvas.findByLabelText(/^name/i);
+		expect(name).toBeDisabled();
+		expect(canvas.queryByLabelText(/api key/i)).not.toBeInTheDocument();
+	},
+};
+
 export const EditProvider: Story = {
 	args: {
 		editing: true,
diff --git a/site/src/pages/AISettingsPage/ProvidersPage/components/ProviderForm.tsx b/site/src/pages/AISettingsPage/ProvidersPage/components/ProviderForm.tsx
index 0a609de2ac..7468d39b86 100644
--- a/site/src/pages/AISettingsPage/ProvidersPage/components/ProviderForm.tsx
+++ b/site/src/pages/AISettingsPage/ProvidersPage/components/ProviderForm.tsx
@@ -81,6 +81,10 @@ const providerDefaults: Partial<
 		name: "azure",
 		baseUrl: "https://YOUR-RESOURCE.openai.azure.com/openai/v1",
 	},
+	copilot: {
+		name: "copilot",
+		baseUrl: "https://api.business.githubcopilot.com",
+	},
 	google: {
 		name: "google",
 		baseUrl: "https://generativelanguage.googleapis.com/v1beta/openai/",
@@ -164,6 +168,20 @@ const makeBedrockSchema = (editing: boolean) =>
 		enabled: Yup.boolean(),
 	});
 
+const makeCopilotSchema = (editing: boolean) =>
+	Yup.object({
+		type: Yup.string()
+			.oneOf(["copilot"] as const)
+			.required(),
+		name: makeNameSchema(editing),
+		displayName: makeDisplayNameSchema(editing),
+		baseUrl: Yup.string()
+			.url("Endpoint must be a valid URL")
+			.matches(HTTP_SCHEME_REGEX, "Endpoint must use http or https.")
+			.required("Endpoint is required"),
+		enabled: Yup.boolean(),
+	});
+
 const getProviderFormSchema = (editing: boolean) =>
 	Yup.lazy((value: { type?: AIProviderType } | undefined) => {
 		switch (value?.type) {
@@ -177,6 +195,8 @@ const getProviderFormSchema = (editing: boolean) =>
 				return makeOpenAiAnthropicSchema(editing);
 			case "bedrock":
 				return makeBedrockSchema(editing);
+			case "copilot":
+				return makeCopilotSchema(editing);
 			default:
 				return Yup.object({
 					type: Yup.string()
@@ -185,6 +205,7 @@ const getProviderFormSchema = (editing: boolean) =>
 							"anthropic",
 							"bedrock",
 							"azure",
+							"copilot",
 							"google",
 							"openai-compat",
 							"openrouter",
@@ -319,18 +340,38 @@ export const ProviderForm: FC<ProviderFormProps> = ({
 							required
 							field={getFieldHelpers("baseUrl")}
 							label="Endpoint"
-							description="The base URL where the provider's API is hosted."
+							description={
+								typeSelectValue === "copilot" ? (
+									<>
+										The base URL for your Copilot tier:{" "}
+										<code>https://api.individual.githubcopilot.com</code>,{" "}
+										<code>https://api.business.githubcopilot.com</code>, or{" "}
+										<code>https://api.enterprise.githubcopilot.com</code>.
+									</>
+								) : (
+									"The base URL where the provider's API is hosted."
+								)
+							}
 							className="w-full"
 							placeholder={baseUrlPlaceholder(form.values.type)}
 						/>
-						<CredentialField
-							required
-							label="API key"
-							helpers={getFieldHelpers("apiKey")}
-							onFocus={() => handleCredentialFocus("apiKey")}
-							autoComplete="new-password"
-							placeholder={apiKeyPlaceholder(form.values.type)}
-						/>
+						{typeSelectValue === "copilot" ? (
+							<p className="text-sm text-content-secondary m-0">
+								Copilot authenticates with each user's GitHub OAuth token at
+								request time, so there is no API key to configure here. This
+								requires a GitHub external authentication provider to be
+								configured.
+							</p>
+						) : (
+							<CredentialField
+								required
+								label="API key"
+								helpers={getFieldHelpers("apiKey")}
+								onFocus={() => handleCredentialFocus("apiKey")}
+								autoComplete="new-password"
+								placeholder={apiKeyPlaceholder(form.values.type)}
+							/>
+						)}
 					</>
 				)}
 
@@ -409,7 +450,7 @@ export const ProviderForm: FC<ProviderFormProps> = ({
 						</Button>
 					</Link>
 					<Button
-						disabled={isLoading || !form.dirty || !form.isValid}
+						disabled={isLoading || !form.isValid || (editing && !form.dirty)}
 						type="submit"
 					>
 						<Spinner loading={isLoading} />
diff --git a/site/src/pages/AISettingsPage/ProvidersPage/components/ProviderIcon.stories.tsx b/site/src/pages/AISettingsPage/ProvidersPage/components/ProviderIcon.stories.tsx
index dc16ada480..1c3b04d28f 100644
--- a/site/src/pages/AISettingsPage/ProvidersPage/components/ProviderIcon.stories.tsx
+++ b/site/src/pages/AISettingsPage/ProvidersPage/components/ProviderIcon.stories.tsx
@@ -27,6 +27,12 @@ export const Bedrock: Story = {
 	},
 };
 
+export const Copilot: Story = {
+	args: {
+		provider: "copilot",
+	},
+};
+
 export const Azure: Story = {
 	args: {
 		provider: "azure",
diff --git a/site/src/pages/AISettingsPage/ProvidersPage/components/ProviderIcon.tsx b/site/src/pages/AISettingsPage/ProvidersPage/components/ProviderIcon.tsx
index f84dcc8375..43bf922843 100644
--- a/site/src/pages/AISettingsPage/ProvidersPage/components/ProviderIcon.tsx
+++ b/site/src/pages/AISettingsPage/ProvidersPage/components/ProviderIcon.tsx
@@ -15,6 +15,8 @@ export const getProviderIcon = (provider: string): string | undefined => {
 			return "/icon/aws.svg";
 		case "azure":
 			return "/icon/azure.svg";
+		case "copilot":
+			return "/icon/github-copilot.svg";
 		case "google":
 			return "/icon/google.svg";
 		case "vercel":
@@ -34,6 +36,8 @@ const getProviderName = (provider: string): string => {
 			return "AWS Bedrock";
 		case "azure":
 			return "Azure OpenAI";
+		case "copilot":
+			return "GitHub Copilot";
 		case "google":
 			return "Google";
 		case "openai-compat":
diff --git a/site/src/pages/AISettingsPage/ProvidersPage/components/addableProviderTypes.ts b/site/src/pages/AISettingsPage/ProvidersPage/components/addableProviderTypes.ts
index aebf2af08b..3ccba3cd6c 100644
--- a/site/src/pages/AISettingsPage/ProvidersPage/components/addableProviderTypes.ts
+++ b/site/src/pages/AISettingsPage/ProvidersPage/components/addableProviderTypes.ts
@@ -9,6 +9,7 @@ export const addableProviders: readonly AddableProvider[] = [
 	{ value: "anthropic", label: "Anthropic" },
 	{ value: "bedrock", label: "AWS Bedrock" },
 	{ value: "azure", label: "Azure OpenAI" },
+	{ value: "copilot", label: "GitHub Copilot" },
 	{ value: "google", label: "Google" },
 	{ value: "openai", label: "OpenAI" },
 	{ value: "openai-compat", label: "OpenAI-compatible" },
diff --git a/site/src/pages/AISettingsPage/ProvidersPage/components/providerFormApiMap.test.ts b/site/src/pages/AISettingsPage/ProvidersPage/components/providerFormApiMap.test.ts
index 3f7ab9ca59..6a955921a8 100644
--- a/site/src/pages/AISettingsPage/ProvidersPage/components/providerFormApiMap.test.ts
+++ b/site/src/pages/AISettingsPage/ProvidersPage/components/providerFormApiMap.test.ts
@@ -3,6 +3,7 @@ import type { AIProvider } from "#/api/typesGenerated";
 import {
 	MockAIProviderAnthropic,
 	MockAIProviderBedrock,
+	MockAIProviderCopilot,
 	MockAIProviderOpenAI,
 } from "#/testHelpers/entities";
 import {
@@ -45,6 +46,19 @@ const baseBedrockFormValues: ProviderFormValues = {
 	enabled: true,
 };
 
+const baseCopilotFormValues: ProviderFormValues = {
+	type: "copilot",
+	name: "copilot",
+	displayName: "GitHub Copilot",
+	baseUrl: "https://api.business.githubcopilot.com",
+	model: "",
+	smallFastModel: "",
+	accessKey: "",
+	accessKeySecret: "",
+	apiKey: "",
+	enabled: true,
+};
+
 // Cast a plain object to AIProvider's discriminated `settings` shape;
 // the generated TS interface is empty and the wire form carries the
 // discriminator keys flattened in alongside the variant fields.
@@ -173,6 +187,10 @@ describe("getProviderDisplayType", () => {
 		expect(getProviderDisplayType(MockAIProviderOpenAI)).toBe("openai");
 	});
 
+	it("returns copilot for a Copilot provider", () => {
+		expect(getProviderDisplayType(MockAIProviderCopilot)).toBe("copilot");
+	});
+
 	it.each([
 		["azure", "https://my-resource.openai.azure.com/openai/v1"],
 		["azure", "https://YOUR-RESOURCE.openai.azure.com/openai/v1"],
@@ -333,6 +351,31 @@ describe("providerFormValuesToCreate", () => {
 			expect(req.api_keys).toBeUndefined();
 		});
 	});
+
+	describe("Copilot", () => {
+		it("maps to a distinct wire type with no api_keys", () => {
+			const req = providerFormValuesToCreate(baseCopilotFormValues);
+			expect(req.type).toBe("copilot");
+			expect(req.base_url).toBe("https://api.business.githubcopilot.com");
+			expect(req.api_keys).toBeUndefined();
+		});
+
+		it("never sends api_keys even if the field carries a value", () => {
+			const req = providerFormValuesToCreate({
+				...baseCopilotFormValues,
+				apiKey: "should-be-ignored",
+			});
+			expect(req.api_keys).toBeUndefined();
+		});
+
+		it("omits display_name when blank so the server stores NULL", () => {
+			const req = providerFormValuesToCreate({
+				...baseCopilotFormValues,
+				displayName: "",
+			});
+			expect(req.display_name).toBeUndefined();
+		});
+	});
 });
 
 describe("providerFormValuesToUpdate", () => {
@@ -460,6 +503,18 @@ describe("providerFormValuesToUpdate", () => {
 			expect(s.access_key_secret).toBeUndefined();
 		});
 	});
+
+	describe("Copilot", () => {
+		it("patches only the base fields and never sends api_keys", () => {
+			const req = providerFormValuesToUpdate(
+				{ ...baseCopilotFormValues, apiKey: "should-be-ignored" },
+				MockAIProviderCopilot,
+			);
+			expect(req.api_keys).toBeUndefined();
+			expect(req.settings).toBeUndefined();
+			expect(req.base_url).toBe("https://api.business.githubcopilot.com");
+		});
+	});
 });
 
 describe("aiProviderToFormValues", () => {
@@ -486,6 +541,14 @@ describe("aiProviderToFormValues", () => {
 		expect(values.accessKeySecret).toBe("");
 	});
 
+	it("seeds Copilot form values without a credential field", () => {
+		const values = aiProviderToFormValues(MockAIProviderCopilot);
+		expect(values.type).toBe("copilot");
+		expect(values.name).toBe(MockAIProviderCopilot.name);
+		expect(values.baseUrl).toBe(MockAIProviderCopilot.base_url);
+		expect(values.apiKey).toBeUndefined();
+	});
+
 	it("falls back to the slug when display_name is empty", () => {
 		const provider: AIProvider = {
 			...MockAIProviderOpenAI,
diff --git a/site/src/pages/AISettingsPage/ProvidersPage/components/providerFormApiMap.ts b/site/src/pages/AISettingsPage/ProvidersPage/components/providerFormApiMap.ts
index 4f958fdea7..2fdb8dd8d6 100644
--- a/site/src/pages/AISettingsPage/ProvidersPage/components/providerFormApiMap.ts
+++ b/site/src/pages/AISettingsPage/ProvidersPage/components/providerFormApiMap.ts
@@ -98,6 +98,9 @@ export const getProviderDisplayType = (
 	if (provider.type === "anthropic") {
 		return "anthropic";
 	}
+	if (provider.type === "copilot") {
+		return "copilot";
+	}
 	const host = parseProviderHost(provider.base_url ?? "");
 	const match = displayTypeHosts.find(([h]) => matchesHost(host, h));
 	return match?.[1] ?? provider.type;
@@ -125,12 +128,16 @@ const buildBedrockSettings = (
 export const providerFormValuesToCreate = (
 	values: ProviderFormValues,
 ): CreateAIProviderRequest => {
-	const name = values.name.trim();
 	const displayName = values.displayName.trim();
-	const baseUrl = values.baseUrl.trim();
+	const base: Omit<CreateAIProviderRequest, "type"> = {
+		name: values.name.trim(),
+		...(displayName ? { display_name: displayName } : {}),
+		base_url: values.baseUrl.trim(),
+		enabled: values.enabled,
+	};
 
 	if (values.type === "bedrock") {
-		const region = parseBedrockRegionFromBaseUrl(baseUrl);
+		const region = parseBedrockRegionFromBaseUrl(base.base_url);
 		const settings = buildBedrockSettings(
 			region,
 			values.model.trim(),
@@ -140,17 +147,18 @@ export const providerFormValuesToCreate = (
 		);
 		return {
 			type: "anthropic",
-			name,
-			...(displayName ? { display_name: displayName } : {}),
-			base_url: baseUrl,
-			enabled: values.enabled,
+			...base,
 			settings: settings as AIProviderSettings,
 		};
 	}
 
+	if (values.type === "copilot") {
+		return { type: "copilot", ...base };
+	}
+
 	const apiKey = sanitizeCredential(values.apiKey);
-	// `""` is unreachable here (Yup blocks it, Bedrock branched out), but the
-	// union still includes it; narrow so TS stays honest.
+	// `""` is unreachable here (Yup blocks it, Bedrock and Copilot branched
+	// out), but the union still includes it; narrow so TS stays honest.
 	if (values.type === "") {
 		throw new Error("provider type is required");
 	}
@@ -160,10 +168,7 @@ export const providerFormValuesToCreate = (
 		values.type === "anthropic" ? "anthropic" : "openai";
 	return {
 		type: wireType,
-		name,
-		...(displayName ? { display_name: displayName } : {}),
-		base_url: baseUrl,
-		enabled: values.enabled,
+		...base,
 		...(apiKey ? { api_keys: [apiKey] } : {}),
 	};
 };
@@ -182,6 +187,10 @@ export const providerFormValuesToUpdate = (
 		base_url: values.baseUrl.trim(),
 	};
 
+	if (values.type === "copilot") {
+		return base;
+	}
+
 	if (values.type !== "bedrock") {
 		// If the user didn't touch the input, the form still holds the seeded
 		// mask and sanitizes to `""` (no rotation).
@@ -240,8 +249,18 @@ export const aiProviderToFormValues = (
 		};
 	}
 
-	// Wire `type` is only `openai` or `anthropic`; the dropdown's richer
-	// labels apply only on create.
+	if (provider.type === "copilot") {
+		return {
+			type: "copilot",
+			name: provider.name,
+			displayName,
+			baseUrl: provider.base_url,
+			enabled: provider.enabled,
+		};
+	}
+
+	// Wire `type` is otherwise only `openai` or `anthropic`; the dropdown's
+	// richer labels apply only on create.
 	return {
 		type: provider.type === "anthropic" ? "anthropic" : "openai",
 		name: provider.name,
diff --git a/site/src/testHelpers/entities.ts b/site/src/testHelpers/entities.ts
index 07bd064129..8682a63ed8 100644
--- a/site/src/testHelpers/entities.ts
+++ b/site/src/testHelpers/entities.ts
@@ -5574,8 +5574,22 @@ export const MockAIProviderBedrock: TypesGen.AIProvider = {
 	updated_at: "2026-05-14T10:00:00Z",
 };
 
+export const MockAIProviderCopilot: TypesGen.AIProvider = {
+	id: "b3f0d2c8-6a4e-4d11-8c2f-1e9a7c5b4d31",
+	type: "copilot",
+	name: "copilot",
+	display_name: "GitHub Copilot",
+	base_url: "https://api.business.githubcopilot.com",
+	enabled: true,
+	api_keys: [],
+	settings: null as unknown as TypesGen.AIProviderSettings,
+	created_at: "2026-05-14T10:00:00Z",
+	updated_at: "2026-05-14T10:00:00Z",
+};
+
 export const MockAIProviders: TypesGen.AIProvider[] = [
 	MockAIProviderOpenAI,
 	MockAIProviderAnthropic,
 	MockAIProviderBedrock,
+	MockAIProviderCopilot,
 ];

From 85f56e4944bd84fbb1047441444eb217de978899 Mon Sep 17 00:00:00 2001
From: Danny Kopping <danny@coder.com>
Date: Mon, 1 Jun 2026 15:30:45 +0200
Subject: [PATCH 14/23] fix: recreate `ai_provider_type` instead of ADD VALUE
 (#25895)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Coder runs all migrations in a single transaction (`pgTxnDriver`).
Postgres forbids using an enum value added by `ALTER TYPE ... ADD VALUE`
within the same transaction that added it. Migration `000499` widened
`ai_provider_type` with `ADD VALUE`, and `000504` casts existing
`chat_providers` rows to that enum in the same transaction. On
deployments with a legacy provider using one of the new values (for
example `openai-compat`), the batch failed with `unsafe use of new
value` and the server could not start.

Recreate the type (create a new enum, alter the column, drop and rename)
instead of using `ADD VALUE`, matching the existing precedent in
`000144_user_status_dormant`. A freshly created enum's values are usable
immediately in the same transaction, so the cast in `000504` succeeds.
The resulting schema is identical, so `make gen` produces no `dump.sql`
diff and databases that already applied these migrations see no drift.

Added a regression test that seeds an `openai-compat` provider and
applies `000499` through `000504` in a single transaction, reproducing
the production path. The per-step `Stepper` used by the other migration
tests commits each migration separately and cannot surface this class of
bug.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Signed-off-by: Danny Kopping <danny@coder.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .claude/docs/DATABASE.md                      | 35 ++++++++
 ...499_ai_provider_type_chatd_values.down.sql |  7 +-
 ...00499_ai_provider_type_chatd_values.up.sql | 30 +++++--
 coderd/database/migrations/migrate_test.go    | 80 +++++++++++++++++++
 4 files changed, 143 insertions(+), 9 deletions(-)

diff --git a/.claude/docs/DATABASE.md b/.claude/docs/DATABASE.md
index 84f6125fa4..331d662d20 100644
--- a/.claude/docs/DATABASE.md
+++ b/.claude/docs/DATABASE.md
@@ -41,6 +41,41 @@
   dimension.
 - Avoid `ByX` names for grouped queries.
 
+### Enum Changes Run in a Single Transaction
+
+All migrations run inside one transaction (`pgTxnDriver`). Postgres forbids
+*using* an enum value added by `ALTER TYPE ... ADD VALUE` within the same
+transaction that added it, so it fails with `unsafe use of new value`.
+
+Adding the value is fine; using it in the same batch is not. "Using it"
+includes a later migration that casts to it (`col::my_enum`), inserts or
+updates a row with it, or sets it as a column default. This only fails when a
+row actually materializes the new value, so fresh databases and CI pass while
+deployments with existing data break.
+
+**MUST DO**: If any migration uses a newly added enum value, recreate the type
+instead of using `ADD VALUE`. A freshly created enum's values are usable
+immediately in the same transaction. Precedent: `000144_user_status_dormant`.
+
+```sql
+CREATE TYPE new_my_enum AS ENUM ('existing', 'value', 'new_value');
+
+ALTER TABLE my_table
+    ALTER COLUMN col TYPE new_my_enum USING (col::text::new_my_enum);
+
+DROP TYPE my_enum;
+
+ALTER TYPE new_my_enum RENAME TO my_enum;
+```
+
+Recreating produces an identical schema, so `make gen` yields no `dump.sql`
+diff and databases that already applied the migration see no drift.
+
+**Testing**: `migrations.Stepper` commits each migration separately, so tests
+built on it cannot surface this. To catch it, seed a row using the new value,
+then apply the affected migrations in a single transaction (see
+`TestMigration000504AIProvidersBackfillEnumInSingleTxn`).
+
 ## Handling Nullable Fields
 
 Use `sql.NullString`, `sql.NullBool`, etc. for optional database fields:
diff --git a/coderd/database/migrations/000499_ai_provider_type_chatd_values.down.sql b/coderd/database/migrations/000499_ai_provider_type_chatd_values.down.sql
index a8b89359aa..ab84bd795f 100644
--- a/coderd/database/migrations/000499_ai_provider_type_chatd_values.down.sql
+++ b/coderd/database/migrations/000499_ai_provider_type_chatd_values.down.sql
@@ -1,3 +1,4 @@
--- No-op: Postgres does not allow removing enum values safely.
--- Matches the precedent in 000495_ai_providers.down.sql for ALTER
--- TYPE resource_type / api_key_scope ADD VALUE.
+-- No-op: the up recreates ai_provider_type with a wider value set, but the
+-- down does not narrow it back. Narrowing would drop rows that already use the
+-- new values, and 000495_ai_providers.down.sql drops the type wholesale when
+-- migrating all the way down.
diff --git a/coderd/database/migrations/000499_ai_provider_type_chatd_values.up.sql b/coderd/database/migrations/000499_ai_provider_type_chatd_values.up.sql
index 104514d32c..30df7758dd 100644
--- a/coderd/database/migrations/000499_ai_provider_type_chatd_values.up.sql
+++ b/coderd/database/migrations/000499_ai_provider_type_chatd_values.up.sql
@@ -7,9 +7,27 @@
 -- OpenAI-compatible endpoints. Native gateway-side support for these
 -- providers comes later, at which point this enum already carries the
 -- right discriminator and no further migration is needed.
-ALTER TYPE ai_provider_type ADD VALUE IF NOT EXISTS 'azure';
-ALTER TYPE ai_provider_type ADD VALUE IF NOT EXISTS 'bedrock';
-ALTER TYPE ai_provider_type ADD VALUE IF NOT EXISTS 'google';
-ALTER TYPE ai_provider_type ADD VALUE IF NOT EXISTS 'openai-compat';
-ALTER TYPE ai_provider_type ADD VALUE IF NOT EXISTS 'openrouter';
-ALTER TYPE ai_provider_type ADD VALUE IF NOT EXISTS 'vercel';
+--
+-- Recreate the type rather than using ALTER TYPE ... ADD VALUE. Postgres
+-- forbids using a value added by ADD VALUE within the same transaction, and
+-- all migrations run in one transaction. 000504 casts existing chat_providers
+-- rows to these new values in that same transaction, so ADD VALUE fails with
+-- "unsafe use of new value". A freshly created enum's values are usable
+-- immediately, so the cast in 000504 succeeds.
+CREATE TYPE new_ai_provider_type AS ENUM (
+    'openai',
+    'anthropic',
+    'azure',
+    'bedrock',
+    'google',
+    'openai-compat',
+    'openrouter',
+    'vercel'
+);
+
+ALTER TABLE ai_providers
+    ALTER COLUMN type TYPE new_ai_provider_type USING (type::text::new_ai_provider_type);
+
+DROP TYPE ai_provider_type;
+
+ALTER TYPE new_ai_provider_type RENAME TO ai_provider_type;
diff --git a/coderd/database/migrations/migrate_test.go b/coderd/database/migrations/migrate_test.go
index 0b3e0c240c..f148860bc5 100644
--- a/coderd/database/migrations/migrate_test.go
+++ b/coderd/database/migrations/migrate_test.go
@@ -7,6 +7,7 @@ import (
 	"os"
 	"path/filepath"
 	"slices"
+	"strings"
 	"sync"
 	"testing"
 	"time"
@@ -1502,6 +1503,85 @@ func TestMigration000504AIProvidersBackfillOverridesNameConflict(t *testing.T) {
 	require.True(t, fresh.Enabled)
 }
 
+// TestMigration000504AIProvidersBackfillEnumInSingleTxn reproduces the
+// production migration path, where every pending migration runs inside a
+// single transaction (see pgTxnDriver). Migration 000499 widens
+// ai_provider_type with ALTER TYPE ... ADD VALUE, and 000504 casts existing
+// chat_providers rows to that enum. Postgres forbids using an enum value
+// added by ADD VALUE within the same transaction, so when a legacy provider
+// uses one of the new values (for example openai-compat) the batch fails with
+// "unsafe use of new value". The per-step Stepper used by the other tests
+// commits each migration separately and cannot surface this.
+func TestMigration000504AIProvidersBackfillEnumInSingleTxn(t *testing.T) {
+	t.Parallel()
+
+	sqlDB := testSQLDB(t)
+	ctx := testutil.Context(t, testutil.WaitSuperLong)
+
+	// Apply everything through 498 and commit, so chat_providers exists and is
+	// populated before the batch under test runs, matching a deployment that
+	// ran an earlier migration batch before this one.
+	applyMigrationsInTxn(ctx, t, sqlDB, 1, 498)
+
+	now := time.Now().UTC().Truncate(time.Microsecond)
+	providerID := uuid.New()
+
+	// A legacy provider whose type is one of the values added in 000499.
+	_, err := sqlDB.ExecContext(ctx, `
+		INSERT INTO chat_providers (id, provider, display_name, api_key, enabled, base_url, created_at, updated_at)
+		VALUES ($1, 'openai-compat', 'OpenAI Compatible', '', TRUE, 'https://api.example.com/v1', $2, $2)
+	`, providerID, now)
+	require.NoError(t, err)
+
+	// Apply 000499 through 000504 in a single transaction, as production does.
+	applyMigrationsInTxn(ctx, t, sqlDB, 499, 504)
+
+	var typ string
+	err = sqlDB.QueryRowContext(ctx,
+		`SELECT type FROM ai_providers WHERE id = $1`, providerID,
+	).Scan(&typ)
+	require.NoError(t, err)
+	require.Equal(t, "openai-compat", typ)
+}
+
+// applyMigrationsInTxn executes the up SQL for every migration whose version is
+// in [from, to] inside a single transaction, mirroring pgTxnDriver. The whole
+// batch commits or rolls back together.
+func applyMigrationsInTxn(ctx context.Context, t *testing.T, sqlDB *sql.DB, from, to int) {
+	t.Helper()
+
+	entries, err := os.ReadDir(".")
+	require.NoError(t, err)
+
+	var files []string
+	for _, entry := range entries {
+		name := entry.Name()
+		if !strings.HasSuffix(name, ".up.sql") {
+			continue
+		}
+		var version int
+		if _, err := fmt.Sscanf(name, "%06d_", &version); err != nil {
+			continue
+		}
+		if version >= from && version <= to {
+			files = append(files, name)
+		}
+	}
+	slices.Sort(files)
+
+	tx, err := sqlDB.BeginTx(ctx, nil)
+	require.NoError(t, err)
+	defer tx.Rollback()
+
+	for _, name := range files {
+		query, err := os.ReadFile(name)
+		require.NoError(t, err)
+		_, err = tx.ExecContext(ctx, string(query))
+		require.NoErrorf(t, err, "apply migration %s", name)
+	}
+	require.NoError(t, tx.Commit())
+}
+
 func TestMigration000498SoftDeleteStaleWorkspaceAgents(t *testing.T) {
 	t.Parallel()
 

From d0fa9ff9862b91b836403de32abbefb3aa3f49d2 Mon Sep 17 00:00:00 2001
From: Ethan <39577870+ethanndickson@users.noreply.github.com>
Date: Mon, 1 Jun 2026 23:31:25 +1000
Subject: [PATCH 15/23] fix(coderd/x/chatd/chattool): retry workspace name
 conflicts (#25668)

Retry Coder Agents workspace creation once with a generated random
suffix when the requested workspace name already exists. This preserves
structured errors for other conflicts and avoids surfacing avoidable
name collisions.

Closes CODAGT-386
---
 coderd/x/chatd/chattool/createworkspace.go    | 38 ++++++++++-
 .../chattool/createworkspace_internal_test.go | 65 +++++++++++++++++++
 2 files changed, 102 insertions(+), 1 deletion(-)

diff --git a/coderd/x/chatd/chattool/createworkspace.go b/coderd/x/chatd/chattool/createworkspace.go
index de0d617218..f65247fd02 100644
--- a/coderd/x/chatd/chattool/createworkspace.go
+++ b/coderd/x/chatd/chattool/createworkspace.go
@@ -5,6 +5,7 @@ import (
 	"database/sql"
 	"errors"
 	"fmt"
+	"net/http"
 	"strings"
 	"sync"
 	"time"
@@ -238,7 +239,7 @@ func CreateWorkspace(db database.Store, organizationID, chatID uuid.UUID, option
 				)
 			}
 
-			workspace, err := options.CreateFn(ctx, ownerID, createReq)
+			workspace, err := createWorkspaceWithNameRetry(ctx, ownerID, createReq, options.CreateFn)
 			if err != nil {
 				if responseErr, ok := httperror.IsResponder(err); ok {
 					_, resp := responseErr.Response()
@@ -703,6 +704,41 @@ func waitForAgentReady(
 	}
 }
 
+func createWorkspaceWithNameRetry(
+	ctx context.Context,
+	ownerID uuid.UUID,
+	req codersdk.CreateWorkspaceRequest,
+	createFn CreateWorkspaceFn,
+) (codersdk.Workspace, error) {
+	workspace, err := createFn(ctx, ownerID, req)
+	if err == nil {
+		return workspace, nil
+	}
+	if !isWorkspaceNameConflict(err) {
+		return codersdk.Workspace{}, err
+	}
+
+	req.Name = generatedWorkspaceName(req.Name)
+	return createFn(ctx, ownerID, req)
+}
+
+func isWorkspaceNameConflict(err error) bool {
+	responseErr, ok := httperror.IsResponder(err)
+	if !ok {
+		return false
+	}
+	status, resp := responseErr.Response()
+	if status != http.StatusConflict {
+		return false
+	}
+	for _, validation := range resp.Validations {
+		if validation.Field == "name" {
+			return true
+		}
+	}
+	return false
+}
+
 func generatedWorkspaceName(seed string) string {
 	base := codersdk.UsernameFrom(strings.TrimSpace(strings.ToLower(seed)))
 	if strings.TrimSpace(base) == "" {
diff --git a/coderd/x/chatd/chattool/createworkspace_internal_test.go b/coderd/x/chatd/chattool/createworkspace_internal_test.go
index 06c4a95a84..13f009d668 100644
--- a/coderd/x/chatd/chattool/createworkspace_internal_test.go
+++ b/coderd/x/chatd/chattool/createworkspace_internal_test.go
@@ -5,6 +5,7 @@ import (
 	"database/sql"
 	"encoding/json"
 	"fmt"
+	"net/http"
 	"sync"
 	"testing"
 	"time"
@@ -855,6 +856,70 @@ func TestCreateWorkspace_ResponderErrorPreservesStructuredFields(t *testing.T) {
 	}}, result.Validations)
 }
 
+func TestCreateWorkspaceWithNameRetry(t *testing.T) {
+	t.Parallel()
+
+	t.Run("NameConflictRetriesWithGeneratedName", func(t *testing.T) {
+		t.Parallel()
+
+		var names []string
+		workspace, err := createWorkspaceWithNameRetry(
+			context.Background(),
+			uuid.New(),
+			codersdk.CreateWorkspaceRequest{Name: "fun-dashboard"},
+			func(_ context.Context, _ uuid.UUID, req codersdk.CreateWorkspaceRequest) (codersdk.Workspace, error) {
+				names = append(names, req.Name)
+				if len(names) == 1 {
+					return codersdk.Workspace{}, workspaceNameConflictError(req.Name)
+				}
+
+				require.Regexp(t, `^fun-dashboard-[0-9a-f]{4}$`, req.Name)
+				return codersdk.Workspace{Name: req.Name}, nil
+			},
+		)
+
+		require.NoError(t, err)
+		require.Len(t, names, 2)
+		require.Equal(t, "fun-dashboard", names[0])
+		require.Equal(t, names[1], workspace.Name)
+	})
+
+	t.Run("OtherConflictDoesNotRetry", func(t *testing.T) {
+		t.Parallel()
+
+		calls := 0
+		wantErr := httperror.NewResponseError(http.StatusConflict, codersdk.Response{
+			Message: "quota exceeded",
+			Validations: []codersdk.ValidationError{{
+				Field:  "quota",
+				Detail: "quota exceeded",
+			}},
+		})
+		_, err := createWorkspaceWithNameRetry(
+			context.Background(),
+			uuid.New(),
+			codersdk.CreateWorkspaceRequest{Name: "fun-dashboard"},
+			func(context.Context, uuid.UUID, codersdk.CreateWorkspaceRequest) (codersdk.Workspace, error) {
+				calls++
+				return codersdk.Workspace{}, wantErr
+			},
+		)
+
+		require.Same(t, wantErr, err)
+		require.Equal(t, 1, calls)
+	})
+}
+
+func workspaceNameConflictError(name string) error {
+	return httperror.NewResponseError(http.StatusConflict, codersdk.Response{
+		Message: fmt.Sprintf("Workspace %q already exists.", name),
+		Validations: []codersdk.ValidationError{{
+			Field:  "name",
+			Detail: "This value is already in use and should be unique.",
+		}},
+	})
+}
+
 func TestCreateWorkspace_GlobalTTL(t *testing.T) {
 	t.Parallel()
 

From f9937a89316357610d3f2e70ee08ceb8c768dceb Mon Sep 17 00:00:00 2001
From: Danny Kopping <danny@coder.com>
Date: Mon, 1 Jun 2026 15:33:37 +0200
Subject: [PATCH 16/23] docs: document AI providers seeding mechanism & support
 for new types (#25855)

Adds a new **Provider Configuration** reference page (`providers.md`) covering:

- The migration from environment-variable-based provider config to database-backed management introduced in v2.34, including the one-time seeding behavior and deprecation of `CODER_AI_GATEWAY_PROVIDER_<N>_*` and related flags
- All supported provider types (`openai`, `anthropic`, `bedrock`, `copilot`, `azure`, `google`, `openrouter`, `vercel`, `openai-compat`) with setup notes for each
- Provider lifecycle statuses (`enabled`, `disabled`, `error`) and their effect on request handling
- Reload behavior and how configuration changes apply without restarting `coderd`
- Bring Your Own Key (BYOK) and failure mode reference table

Updates **Setup** (`setup.md`) to replace the environment-variable-based provider configuration instructions with dashboard-driven steps (Add provider form, provider list, edit/disable flow), referencing the new `providers.md` page for deeper detail. Screenshots of the provider list, add, and edit forms are included.

Adds a **Provider metrics** section to **Monitoring** (`monitoring.md`) documenting the `coder_aibridged_*` and `coder_aibridgeproxyd_*` Prometheus metrics for provider status and reload timestamps, along with two suggested PromQL alert queries.
---
 docs/ai-coder/ai-gateway/monitoring.md        |  40 +++
 docs/ai-coder/ai-gateway/providers.md         | 184 +++++++++++++
 docs/ai-coder/ai-gateway/setup.md             | 246 +++---------------
 .../aibridge/provider-add-anthropic.png       | Bin 0 -> 58934 bytes
 .../aibridge/provider-edit-anthropic.png      | Bin 0 -> 63605 bytes
 docs/images/aibridge/providers-list.png       | Bin 0 -> 82457 bytes
 docs/manifest.json                            |   6 +
 7 files changed, 260 insertions(+), 216 deletions(-)
 create mode 100644 docs/ai-coder/ai-gateway/providers.md
 create mode 100644 docs/images/aibridge/provider-add-anthropic.png
 create mode 100644 docs/images/aibridge/provider-edit-anthropic.png
 create mode 100644 docs/images/aibridge/providers-list.png

diff --git a/docs/ai-coder/ai-gateway/monitoring.md b/docs/ai-coder/ai-gateway/monitoring.md
index 703938a891..7b9e680905 100644
--- a/docs/ai-coder/ai-gateway/monitoring.md
+++ b/docs/ai-coder/ai-gateway/monitoring.md
@@ -15,6 +15,46 @@ We provide an example Grafana dashboard that you can import as a starting point
 
 These logs and metrics can be used to determine usage patterns, track costs, and evaluate tooling adoption.
 
+## Provider metrics
+
+`aibridged` (the in-process daemon) and `aibridgeproxyd` (the external
+proxy) each export Prometheus metrics describing the configured
+provider pool and its reload loop. See
+[Provider Configuration](./providers.md) for the lifecycle these
+metrics describe.
+
+| Metric                                                                 | Type    | Labels                                     | Purpose                                                                                                                                    |
+|------------------------------------------------------------------------|---------|--------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|
+| `coder_aibridged_provider_info`                                        | gauge   | `provider_name`, `provider_type`, `status` | One series per configured provider. Value is always `1`; the `status` label (`enabled`, `disabled`, `error`) carries the alertable signal. |
+| `coder_aibridged_providers_last_reload_timestamp_seconds`              | gauge   |                                            | Unix timestamp of the last reload attempt, success or failure.                                                                             |
+| `coder_aibridged_providers_last_reload_success_timestamp_seconds`      | gauge   |                                            | Unix timestamp of the last reload that successfully refreshed the pool.                                                                    |
+| `coder_aibridgeproxyd_provider_info`                                   | gauge   | `provider_name`, `provider_type`, `status` | Same shape as `aibridged_provider_info` but reported by the external proxy.                                                                |
+| `coder_aibridgeproxyd_providers_last_reload_timestamp_seconds`         | gauge   |                                            | Last reload attempt timestamp in `aibridgeproxyd`.                                                                                         |
+| `coder_aibridgeproxyd_providers_last_reload_success_timestamp_seconds` | gauge   |                                            | Last successful reload timestamp in `aibridgeproxyd`.                                                                                      |
+| `coder_aibridgeproxyd_connect_sessions_total`                          | counter | `type` (`mitm`, `tunneled`)                | CONNECT sessions established by the proxy.                                                                                                 |
+| `coder_aibridgeproxyd_mitm_requests_total`                             | counter | `provider`                                 | MITM requests handled.                                                                                                                     |
+| `coder_aibridgeproxyd_inflight_mitm_requests`                          | gauge   | `provider`                                 | In-flight MITM requests.                                                                                                                   |
+| `coder_aibridgeproxyd_mitm_responses_total`                            | counter | `code`, `provider`                         | MITM responses by HTTP status code.                                                                                                        |
+
+### Suggested alerts
+
+Alert on any provider entering a non-`enabled` status:
+
+```promql
+sum by (provider_name, status) (coder_aibridged_provider_info{status!="enabled"}) > 0
+```
+
+Alert when the reload loop is firing but failing to refresh the pool
+for longer than a few minutes:
+
+```promql
+(coder_aibridged_providers_last_reload_timestamp_seconds
+  - coder_aibridged_providers_last_reload_success_timestamp_seconds) > 300
+```
+
+Repeat the same query against `coder_aibridgeproxyd_*` if you run the
+external proxy.
+
 ## Structured Logging
 
 AI Bridge can emit structured logs for every interception event to your
diff --git a/docs/ai-coder/ai-gateway/providers.md b/docs/ai-coder/ai-gateway/providers.md
new file mode 100644
index 0000000000..fae50e282f
--- /dev/null
+++ b/docs/ai-coder/ai-gateway/providers.md
@@ -0,0 +1,184 @@
+# Provider Configuration
+
+> [!NOTE]
+> AI Gateway requires the [AI Governance Add-On](../ai-governance.md).
+
+Providers are deployment-scoped and managed from the dashboard or the
+[AI Providers API](../../reference/api/aiproviders.md). See
+[Setup](./setup.md#configure-providers) for the steps to add, edit, and
+disable a provider.
+
+This page covers the provider types AI Gateway supports, the setup
+considerations for each, how a provider's lifecycle affects request
+handling, and how to monitor providers.
+
+## Database management of providers
+
+> [!NOTE]
+> Since v2.34, provider environment variables and flags, including
+> `CODER_AI_GATEWAY_PROVIDER_<N>_*`, `CODER_AI_GATEWAY_OPENAI_*`,
+> `CODER_AI_GATEWAY_ANTHROPIC_*`, and their `--aibridge/ai-gateway-*`
+> equivalents, are deprecated. Provider configuration is now stored in
+> the database, and any environment variables set on startup are used to
+> seed it.
+>
+> This is a once-off operation. The environment variables have no effect
+> once seeding has completed.
+>
+> **Any changes to the provider environment variables after seeding will
+> cause the server to fail to start, to prevent operators from updating a
+> configuration that is ineffectual.**
+>
+> The environment variables can be safely removed once seeding has
+> completed. Visit `https://<your-coder-host>/ai/settings` to see which
+> providers have been seeded.
+
+After seeding, manage providers through the dashboard or API. A provider
+that has been edited or removed there is not recreated or overwritten
+from the environment on the next restart.
+
+## Provider types
+
+AI Gateway speaks two upstream API formats: the **OpenAI** format
+(Chat Completions and Responses) and the **Anthropic** format
+(Messages). Every provider type maps to one of these.
+
+| Type            | API format | Setup notes                                                       |
+|-----------------|------------|-------------------------------------------------------------------|
+| `openai`        | OpenAI     | Native OpenAI, or any OpenAI-compatible endpoint via the base URL |
+| `anthropic`     | Anthropic  | Native Anthropic, or an Anthropic-compatible broker               |
+| `bedrock`       | Anthropic  | Anthropic models hosted on AWS Bedrock; authenticates via AWS     |
+| `copilot`       | OpenAI     | GitHub Copilot; authenticates via each user's GitHub OAuth token  |
+| `azure`         | OpenAI     | OpenAI-compatible endpoint only                                   |
+| `google`        | OpenAI     | OpenAI-compatible endpoint only                                   |
+| `openrouter`    | OpenAI     | OpenAI-compatible endpoint only                                   |
+| `vercel`        | OpenAI     | OpenAI-compatible endpoint only                                   |
+| `openai-compat` | OpenAI     | Generic OpenAI-compatible endpoint                                |
+
+`azure`, `google`, `openrouter`, `vercel`, and `openai-compat` are
+supported only as OpenAI-compatible endpoints: AI Gateway sends them
+OpenAI-format requests, so each must expose an OpenAI-compatible API at
+its base URL. They have no provider-specific integration beyond that.
+
+### OpenAI
+
+Set the base URL to the upstream endpoint and provide an API key. The
+default `https://api.openai.com/v1/` targets the native OpenAI service;
+point it at any OpenAI-compatible endpoint (for example, a hosted proxy
+or LiteLLM deployment) when needed.
+
+If you create an [OpenAI key](https://platform.openai.com/api-keys)
+with minimal privileges, this is the minimum required set:
+
+![List Models scope should be set to "Read", Model Capabilities set to "Request"](../../images/aibridge/openai_key_scope.png)
+
+### Anthropic
+
+Set the base URL and provide an API key. The default
+`https://api.anthropic.com/` targets Anthropic's public API; override it
+for Anthropic-compatible brokers.
+
+Anthropic does not allow [API keys](https://console.anthropic.com/settings/keys)
+to have restricted permissions at the time of writing (June 2026).
+
+### Amazon Bedrock
+
+Bedrock providers serve Anthropic models hosted on AWS and authenticate
+with AWS credentials rather than a registered API key. Configure:
+
+- A **region** (or a full base URL when routing through a proxy or a
+  non-standard endpoint that does not follow the
+  `https://bedrock-runtime.<region>.amazonaws.com` format).
+- The **model** and **small fast model** identifiers.
+
+Do not attach API keys to a Bedrock provider.
+
+AI Gateway resolves AWS credentials one of two ways:
+
+- **AWS SDK default credential chain (recommended).** When no explicit
+  credentials are configured, the AWS SDK resolves them automatically
+  from the environment: IAM Roles (instance profiles, IRSA, ECS task
+  roles), shared config files, environment variables, SSO, and more.
+  Attaching an IAM Role to the compute running Coder follows
+  [AWS best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
+  for temporary credentials. The role must permit `bedrock:InvokeModel`
+  and `bedrock:InvokeModelWithResponseStream` for the configured models.
+- **Static credentials.** Provide an access key and secret for an IAM
+  user with the same Bedrock permissions.
+
+### GitHub Copilot
+
+GitHub Copilot offers three plans: Individual, Business, and Enterprise,
+each with its own API endpoint. Add one `copilot` provider per plan your
+organization uses, setting the base URL accordingly:
+
+| Plan       | Base URL                                   |
+|------------|--------------------------------------------|
+| Individual | `https://api.individual.githubcopilot.com` |
+| Business   | `https://api.business.githubcopilot.com`   |
+| Enterprise | `https://api.enterprise.githubcopilot.com` |
+
+Copilot providers authenticate with each user's request-time GitHub
+OAuth token, so do not attach API keys. For client-side setup (proxy,
+certificates, IDE configuration), see
+[GitHub Copilot client configuration](./clients/copilot.md).
+
+### OpenAI-compatible providers
+
+Azure-hosted OpenAI, Google, OpenRouter, Vercel, and any other
+OpenAI-compatible service are configured with the matching type (or the
+generic `openai-compat`), the provider's OpenAI-compatible base URL, and
+an API key.
+
+> [!NOTE]
+> See the [Supported APIs](./reference.md#supported-apis) section for
+> precise endpoint coverage and interception behavior.
+
+## Provider lifecycle
+
+Every provider carries an explicit status, surfaced through the
+[`provider_info`](./monitoring.md#provider-metrics) metric and the API:
+
+| Status     | Meaning                                                                       | Effect on requests                               |
+|------------|-------------------------------------------------------------------------------|--------------------------------------------------|
+| `enabled`  | Configuration is valid and the provider is serving traffic                    | Requests are proxied to the upstream             |
+| `disabled` | The provider exists but has been turned off                                   | Requests are rejected with a non-retryable error |
+| `error`    | The provider is enabled but cannot be built (missing credentials, bad config) | Requests fail; the error is surfaced in metrics  |
+
+Disabling a provider does not delete it, its credentials, or its
+historical interception data. Re-enabling restores it to service.
+
+## Monitoring and reloads
+
+Provider configuration changes take effect automatically, without
+restarting `coderd`. AI Gateway records the timestamp of each reload
+attempt and each successful reload, exposed as Prometheus metrics:
+
+- `coder_aibridged_providers_last_reload_timestamp_seconds`
+- `coder_aibridged_providers_last_reload_success_timestamp_seconds`
+
+If you run the [external proxy](./ai-gateway-proxy/index.md), it exposes
+the same pair under the `coder_aibridgeproxyd_` prefix.
+
+A growing gap between the attempt and success timestamps means reloads
+are firing but failing to apply. Alert on that gap rather than on a
+single failure, which may resolve on the next change. See
+[Monitoring](./monitoring.md#provider-metrics) for the full metric list
+and sample alert queries.
+
+## Bring Your Own Key
+
+A provider's configured credentials are the centralized default. When
+Bring Your Own Key (BYOK) is enabled, a user's own credential takes
+precedence over the provider's for that user's requests, and AI Gateway
+falls back to the provider credentials when the user has none. See
+[Authentication](./auth.md#bring-your-own-key-byok) for the BYOK flow
+and how to enable or disable it.
+
+## Failure modes
+
+| Symptom                                        | Likely cause                                               | Corrective action                        |
+|------------------------------------------------|------------------------------------------------------------|------------------------------------------|
+| Startup fails referencing an existing provider | Env config drifted from a provider already in the database | Remove the provider env vars and restart |
+| Provider returns errors with no upstream call  | The provider is `disabled` or in `error` status            | Consult the server logs for details      |
+| Configuration changes not taking effect        | Reloads are firing but failing to apply                    | Consult the server logs for details      |
diff --git a/docs/ai-coder/ai-gateway/setup.md b/docs/ai-coder/ai-gateway/setup.md
index 27aed7c050..d0050ad965 100644
--- a/docs/ai-coder/ai-gateway/setup.md
+++ b/docs/ai-coder/ai-gateway/setup.md
@@ -2,20 +2,17 @@
 
 AI Gateway runs inside the Coder control plane (`coderd`), requiring no separate compute to deploy or scale. Once enabled, `coderd` runs the `aibridged` in-memory and brokers traffic to your configured AI providers on behalf of authenticated users.
 
-**Required**:
-
-1. The [AI Governance Add-On](../ai-governance.md) license.
-1. Feature must be [enabled](#activation) using the server flag
-1. One or more [providers](#configure-providers) API key(s) must be configured
-
 > [!NOTE]
-> AI Gateway environment variables and CLI flags have migrated to the new
-> `CODER_AI_GATEWAY_*` and `--ai-gateway-*` naming scheme. The earlier
-> `CODER_AIBRIDGE_*` and `--aibridge-*` names continue to work as aliases.
+> Since v2.34, provider environment variables and flags are deprecated.
+> Provider configuration is now stored in the database, and any
+> environment variables set on startup are used to seed it once. See
+> [Database management of providers](./providers.md#database-management-of-providers)
+> for details.
 
 ## Activation
 
-You will need to enable AI Gateway explicitly:
+AI Gateway must be enabled in deployment config before users can authenticate
+to it.
 
 ```sh
 export CODER_AI_GATEWAY_ENABLED=true
@@ -24,224 +21,41 @@ coder server
 coder server --ai-gateway-enabled=true
 ```
 
+_AI Gateway is enabled by default as of v2.34._
+
 ## Configure Providers
 
-AI Gateway proxies requests to upstream LLM APIs. Configure at least one provider before exposing AI Gateway to end users.
+Configure at least one provider before exposing AI Gateway to end users.
 
-<div class="tabs">
+Providers are deployment-scoped. Add them from the dashboard or the
+[AI Providers API](../../reference/api/aiproviders.md). Changes take effect
+without restarting `coderd`.
 
-### OpenAI
+### Dashboard
 
-Set the following when routing [OpenAI-compatible](https://coder.com/docs/reference/cli/server#--ai-gateway-openai-key) traffic through AI Gateway:
+1. Navigate to **Admin settings** > **AI**
+1. Select **Providers**
+1. Click **Add provider**
+1. Select the provider type
+1. Enter a unique lowercase name, the upstream endpoint, and the credentials
+1. Save the provider
 
-- `CODER_AI_GATEWAY_OPENAI_KEY` or `--ai-gateway-openai-key`
-- `CODER_AI_GATEWAY_OPENAI_BASE_URL` or `--ai-gateway-openai-base-url`
-
-The default base URL (`https://api.openai.com/v1/`) works for the native OpenAI service. Point the base URL at your preferred OpenAI-compatible endpoint (for example, a hosted proxy or LiteLLM deployment) when needed.
-
-If you'd like to create an [OpenAI key](https://platform.openai.com/api-keys) with minimal privileges, this is the minimum required set:
-
-![List Models scope should be set to "Read", Model Capabilities set to "Request"](../../images/aibridge/openai_key_scope.png)
-
-### Anthropic
-
-Set the following when routing [Anthropic-compatible](https://coder.com/docs/reference/cli/server#--ai-gateway-anthropic-key) traffic through AI Gateway:
-
-- `CODER_AI_GATEWAY_ANTHROPIC_KEY` or `--ai-gateway-anthropic-key`
-- `CODER_AI_GATEWAY_ANTHROPIC_BASE_URL` or `--ai-gateway-anthropic-base-url`
-
-The default base URL (`https://api.anthropic.com/`) targets Anthropic's public API. Override it for Anthropic-compatible brokers.
-
-Anthropic does not allow [API keys](https://console.anthropic.com/settings/keys) to have restricted permissions at the time of writing (Nov 2025).
-
-### Amazon Bedrock
-
-Set the following when routing [Amazon Bedrock](https://coder.com/docs/reference/cli/server#--ai-gateway-bedrock-region) traffic through AI Gateway:
-
-**Required:**
-
-- `CODER_AI_GATEWAY_BEDROCK_REGION` or `--ai-gateway-bedrock-region`.
-Alternatively, set `CODER_AI_GATEWAY_BEDROCK_BASE_URL` or `--ai-gateway-bedrock-base-url` to a full URL (e.g., when routing through a proxy between AI Gateway and AWS Bedrock or using a non-standard endpoint that doesn't follow the `https://bedrock-runtime.<region>.amazonaws.com` format).
-If both are set, `CODER_AI_GATEWAY_BEDROCK_BASE_URL` takes precedence.
-- `CODER_AI_GATEWAY_BEDROCK_MODEL` or `--ai-gateway-bedrock-model`
-- `CODER_AI_GATEWAY_BEDROCK_SMALL_FAST_MODEL` or `--ai-gateway-bedrock-small-fastmodel`
+Each provider gets its own AI Gateway route at
+`/api/v2/aibridge/<provider-name>/`.
 
 > [!NOTE]
-> These Bedrock settings configure AI Gateway only. To configure Bedrock as an
-> Agents provider, see [Configuring AWS Bedrock](../agents/models.md#configuring-aws-bedrock).
+> Provider names must be unique and use lowercase, hyphen-separated identifiers
+> such as `anthropic-corp` or `azure-openai`. Once deleted, another provider
+> may reuse the name.
 
-**Optional:**
+![AI Providers list page](../../images/aibridge/providers-list.png)
 
-- `CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY` or `--ai-gateway-bedrock-access-key`
-- `CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY_SECRET` or `--ai-gateway-bedrock-access-key-secret`
+![Add Anthropic provider form](../../images/aibridge/provider-add-anthropic.png)
 
-#### Authentication
+Open an existing provider to rotate credentials, update its endpoint, or
+disable it without restarting `coderd`.
 
-AI Gateway supports two credential configuration paths:
-
-##### AWS SDK default credential chain (recommended)
-
-When no credentials are set in AI Gateway config, the AWS SDK resolves them automatically from the environment.
-This includes IAM Roles (instance profiles, IRSA, ECS task roles), shared config files, environment variables, SSO, and more.
-
-**IAM Roles are the recommended approach** when AI Gateway runs on AWS infrastructure.
-Attach an IAM Role with Bedrock permissions to the compute running AI Gateway (EC2 instance, EKS pod via IRSA, or ECS task), no credentials need to be configured in AI Gateway itself.
-
-The IAM Role must have permission to invoke the Bedrock models configured for AI Gateway (`bedrock:InvokeModel` and `bedrock:InvokeModelWithResponseStream`).
-See [Amazon Bedrock identity-based policy examples](https://docs.aws.amazon.com/bedrock/latest/userguide/security_iam_id-based-policy-examples.html) for policy examples,
-and [AWS IAM role creation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) for general guidance on attaching roles to AWS services.
-
-This aligns with [AWS best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) for using temporary credentials instead of long-lived access keys.
-
-##### Static credentials
-
-For deployments when explicit credentials are preferred, provide an access key and secret for an IAM User:
-
-1. **Choose a region** where you want to use Bedrock.
-
-2. **Generate API keys** in the [AWS Bedrock console](https://us-east-1.console.aws.amazon.com/bedrock/home?region=us-east-1#/api-keys/long-term/create) (replace `us-east-1` in the URL with your chosen region):
-   - Choose an expiry period for the key.
-   - Click **Generate**.
-   - This creates an IAM user with strictly-scoped permissions for Bedrock access.
-
-3. **Create an access key** for the IAM user:
-   - After generating the API key, click **"You can directly modify permissions for the IAM user associated"**.
-   - In the IAM user page, navigate to the **Security credentials** tab.
-   - Under **Access keys**, click **Create access key**.
-   - Select **"Application running outside AWS"** as the use case.
-   - Click **Next**.
-   - Add a description like "Coder AI Gateway token".
-   - Click **Create access key**.
-   - Save both the access key ID and secret access key securely.
-
-4. **Configure your Coder deployment** with the credentials:
-
-   ```sh
-   export CODER_AI_GATEWAY_BEDROCK_REGION=us-east-1
-   export CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY=<your-access-key-id>
-   export CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY_SECRET=<your-secret-access-key>
-   coder server
-   ```
-
-### GitHub Copilot
-
-GitHub Copilot offers three plans: Individual, Business, and Enterprise,
-each with its own API endpoint. Configure one or more `copilot` providers
-using the [indexed provider format](#multiple-instances-of-the-same-provider)
-depending on which plans your organization uses.
-Copilot providers use OAuth app installations for authentication rather than
-static API keys.
-
-```sh
-# GitHub Copilot (Individual)
-export CODER_AI_GATEWAY_PROVIDER_0_TYPE=copilot
-export CODER_AI_GATEWAY_PROVIDER_0_NAME=copilot
-
-# GitHub Copilot Business
-export CODER_AI_GATEWAY_PROVIDER_1_TYPE=copilot
-export CODER_AI_GATEWAY_PROVIDER_1_NAME=copilot-business
-export CODER_AI_GATEWAY_PROVIDER_1_BASE_URL=https://api.business.githubcopilot.com
-
-# GitHub Copilot Enterprise
-export CODER_AI_GATEWAY_PROVIDER_2_TYPE=copilot
-export CODER_AI_GATEWAY_PROVIDER_2_NAME=copilot-enterprise
-export CODER_AI_GATEWAY_PROVIDER_2_BASE_URL=https://api.enterprise.githubcopilot.com
-```
-
-The default base URL targets the individual Copilot API
-(`api.individual.githubcopilot.com`). Override `CODER_AI_GATEWAY_PROVIDER_<N>_BASE_URL`
-for Business or Enterprise tiers as shown above.
-
-For client-side setup (proxy, certificates, IDE configuration), see
-[GitHub Copilot client configuration](./clients/copilot.md).
-
-### ChatGPT
-
-Configure a ChatGPT provider by creating an `openai`-typed instance with the
-ChatGPT Codex base URL:
-
-```sh
-export CODER_AI_GATEWAY_PROVIDER_0_TYPE=openai
-export CODER_AI_GATEWAY_PROVIDER_0_NAME=chatgpt
-export CODER_AI_GATEWAY_PROVIDER_0_BASE_URL=https://chatgpt.com/backend-api/codex
-```
-
-</div>
-
-> [!NOTE]
-> See the [Supported APIs](./reference.md#supported-apis) section below for precise endpoint coverage and interception behavior.
-
-### Multiple instances of the same provider
-
-You can configure multiple instances of the same provider type, for example, to
-route different teams to separate API keys, use different base URLs per region, or
-connect to both a direct API and a proxy simultaneously. Use indexed environment
-variables following the pattern `CODER_AI_GATEWAY_PROVIDER_<N>_<KEY>`:
-
-```sh
-# Anthropic routed through a corporate proxy
-export CODER_AI_GATEWAY_PROVIDER_0_TYPE=anthropic
-export CODER_AI_GATEWAY_PROVIDER_0_NAME=anthropic-corp
-export CODER_AI_GATEWAY_PROVIDER_0_KEY=sk-ant-corp-xxx
-export CODER_AI_GATEWAY_PROVIDER_0_BASE_URL=https://llm-proxy.internal.example.com/anthropic
-
-# Anthropic direct (for teams that need direct access)
-export CODER_AI_GATEWAY_PROVIDER_1_TYPE=anthropic
-export CODER_AI_GATEWAY_PROVIDER_1_NAME=anthropic-direct
-export CODER_AI_GATEWAY_PROVIDER_1_KEY=sk-ant-direct-yyy
-
-# Azure-hosted OpenAI deployment
-export CODER_AI_GATEWAY_PROVIDER_2_TYPE=openai
-export CODER_AI_GATEWAY_PROVIDER_2_NAME=azure-openai
-export CODER_AI_GATEWAY_PROVIDER_2_KEY=azure-key-zzz
-export CODER_AI_GATEWAY_PROVIDER_2_BASE_URL=https://my-deployment.openai.azure.com/
-
-# Anthropic via AWS Bedrock
-export CODER_AI_GATEWAY_PROVIDER_3_TYPE=anthropic
-export CODER_AI_GATEWAY_PROVIDER_3_NAME=anthropic-bedrock
-export CODER_AI_GATEWAY_PROVIDER_3_BEDROCK_REGION=us-west-2
-export CODER_AI_GATEWAY_PROVIDER_3_BEDROCK_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
-export CODER_AI_GATEWAY_PROVIDER_3_BEDROCK_ACCESS_KEY_SECRET=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
-
-coder server
-```
-
-Each provider instance gets a unique route based on its `NAME`. Clients send
-requests to `/api/v2/aibridge/<NAME>/` to target a specific instance:
-
-| Instance name       | Route                                               |
-|---------------------|-----------------------------------------------------|
-| `anthropic-corp`    | `/api/v2/aibridge/anthropic-corp/v1/messages`       |
-| `anthropic-direct`  | `/api/v2/aibridge/anthropic-direct/v1/messages`     |
-| `azure-openai`      | `/api/v2/aibridge/azure-openai/v1/chat/completions` |
-| `anthropic-bedrock` | `/api/v2/aibridge/anthropic-bedrock/v1/messages`    |
-
-**Supported keys per provider:**
-
-| Key        | Required | Description                                          |
-|------------|----------|------------------------------------------------------|
-| `TYPE`     | Yes      | Provider type: `openai`, `anthropic`, or `copilot`   |
-| `NAME`     | No       | Unique instance name for routing. Defaults to `TYPE` |
-| `KEY`      | No       | API key for upstream authentication (alias: `KEYS`)  |
-| `BASE_URL` | No       | Base URL of the upstream API                         |
-
-For `anthropic` providers using AWS Bedrock, the following keys are also
-available: `BEDROCK_BASE_URL`, `BEDROCK_REGION`,
-`BEDROCK_ACCESS_KEY` (alias: `BEDROCK_ACCESS_KEYS`),
-`BEDROCK_ACCESS_KEY_SECRET` (alias: `BEDROCK_ACCESS_KEY_SECRETS`),
-`BEDROCK_MODEL`, `BEDROCK_SMALL_FAST_MODEL`.
-
-> [!NOTE]
-> Indices must be contiguous and start at `0`. Each instance must have a unique
-> `NAME`. If two instances of the same `TYPE` omit `NAME`, they will both
-> default to the type name and fail with a duplicate name error.
->
-> The legacy single-provider environment variables (`CODER_AI_GATEWAY_OPENAI_KEY`,
-> `CODER_AI_GATEWAY_ANTHROPIC_KEY`, etc.) continue to work. However, setting
-> both a legacy variable and an indexed provider with the same default name
-> (e.g. `CODER_AI_GATEWAY_OPENAI_KEY` and an indexed provider named `openai`)
-> will produce a startup error. Remove one or the other to resolve the
-> conflict.
+![Edit Anthropic provider form](../../images/aibridge/provider-edit-anthropic.png)
 
 ## API Dumps
 
diff --git a/docs/images/aibridge/provider-add-anthropic.png b/docs/images/aibridge/provider-add-anthropic.png
new file mode 100644
index 0000000000000000000000000000000000000000..7a718be5e4a844bca277ccfb3973b047c0c20a81
GIT binary patch
literal 58934
zcmeFZbx>T(7B`9nNFYEGEP)^=h6M>hf<p)p+?~M(ceg<k2u^|px8OebU?Bu|*8zgt
z;4r`-Z*%WC_vW1BuUGZzeO2G3YG5;ackk}i-K*F7t>5Y(d0BCMTyk7AG&FpPw{H~D
z&~Buop<(#k#0I{3vuY8JhK8<XCL$s)AtFK}Z*OC4W(h_^qx<L-Stj*b;eKm`S^XL}
z`^cU9Z!^_D)N+3I#Ufx~%r#wet29Y-uG<m4afI{gMi|EpeBmqM_e{d<qol;bh9X)b
zG-92Ix<*MR*zVrNt0a`&D<Sc?PPb;9G<EwoJlv#7iMlt<`v(RI@zG76mAlQbDjGE-
zt-VKiT}K)z6{}~%Plr#Bz=#bnZ$*n7+11&!jti&B%PDI1yKV0=UB7*A3uqy+xr@Zb
z6|FCrus?lk*S1_9VDc=Prtyz$eYclV=WieORjjGvk>PD_G5SmH^v4+Ij8Z0`DZYL5
z;a2El84t-p!Atd))UOP$IR7Zcz;k<b$S8{|j?TRx5&e}ll+}*-Zo=n{Qx|WU-dpII
z;I9Q-m0A4rOH^yqHs=1(YJxWyz}C12IVy6aCM*$eK*xA#<<FKk(b80WV3GS5LR~yg
zYY;T%F#&X}4x=O1lzYs8v{k|C62>wzXbiyhO*HgCGqfAP6*}-C2R>+Mn4bdBaDcz}
zfX|yWjKA*QNKeE3>l(ucxQ8aJBqAXJ{8civ2ZOC0Ol=$oRs5%cs>aQf)g9Gkq<IW&
zteEwUYz)B6u2#0!MbP+Md4NkRu%kYWtCgj-1CJ~JqklcY16*H!&GLxmUynFi@IO+Q
zk*5){u?N#|GP5$XJ`%vCp`qckH!|i?d?WT}ao|7xN2ZRBwmd8>E-o(2E-#sF>`ho+
zaC39Bu(GkRu`vNpFgdtcJL<bKSvx%bcO`$-^9Jl-Xm4igXl7$gb6u~#fsK<R|D#9O
zFZ$2VzuO6RHT&<ItR4RB7SKVK>pLtjm|0o=Q#VkQ@A_LFc{5kArN$dGD?mKJI|Mk{
zS^56;{4aO@`^KM2s{gm-ix;mrelGgct$!9(aRA$k*jNGYbQJjS(EM5W=bL{P<YT$+
z`cI<xx19g=Eg)zCTt1fn44MG0{&<iB8k!KA#2aB{SM)77jwkWxRQq1wY~7=`Bv``e
zce6C<9_2cIx%p_qqp8Z{Xlm92f#1NuX-OkVL?X-+>}Mc+N0@#n>%&dDhK2*dSKV92
zQI?-%pb}oI2e){adwSw`q`z&K_j5;;DCZ5~g!!Ri+@$gO$1kC0xJ&)tA>|e~?g*iw
z|MOQ8nlPR9jemX%Jn1V<MsqV}{rkgT%iIz2p&>^8<2C>KS123r&buy01A>1x;`*-8
zonVjORYo(6b@Mft=LODhns<lhW-I^iDvMmlxRK75{2B9?{sOPM^KOCaca?QGqWj6m
z%l4rEP7*g?+Y$b*G9wt8aIQ4%3fixtMFZMUgY&z}*g!rs%GpE?Xupvx(1sbz-&GdR
zEOduqIEedqk_Coo`<KD{-!T1m!2Vwj6OA}ddN_Yo)q3FX7Ej~^1~=zTr{l@hDHS!i
zUZpu@+{8DxT&L6h<(C)ozYe_bTVKDAc=q4wG33uqm*cWH-S*$z=BSlTb{}iHdYTT|
zny&7zvYIv*ynHoh-1FJM1G$Y~B(?LVJJw`^d)2WDhq`|H7!hLSz1$U3{rWxbWLp@;
zkjKRHxnh~b@`i&gBjl_{4q~eEW#=9qF`XU~jx3c)I4px)p5{o5mH)c9>`R2g@m^zL
z%KPI8CjMYlN)z&8)U3!QyZ^wZ>8i04myFpmhLIZKrw#6oE&up<u5<SVF6r~N@Q<-i
z(!(k1rap>Of#n1*-UdXZs_?2;tcjyGO9UIf!c&Y0={GU3>}RavwoXeiewmmCL>&r)
zKCU=ves4m^u8ay)i*7RI>nz?c&}lF>)j`i2ma_pLZKf_^sNj(?mqrMX8`in(I6Fzk
zF(aVK=Hq!5s0K?0EF*zS*TT5d3YH2&?+o=a1Lr}}xZ39h=^}woI;%FucML2hc8%07
z#<X^zN1Nl5ygT(~rw6Om1e82ew`kc*GiC*1U9D1Be>_GV^jlpPi<FQss_wJZGapaw
z`c_)HWsl}641>dEl6gAEib04CkoQH=@u*sPp+RfrOl{-ILK<;IdgzPf{<@t;N}j$>
z+EjC^sfzMHM0B8;5ycCkji_yl>PFYSg|V#eQ|I%&Bg^hsrsAS>{Hqkxsfza;W<xXK
zuQD<$=Dr6}drazX!l#Ns9#fYWD68S@Fz1cD-mL~?fctD+y<tTek(}jxam%Ntg3}X(
zVv{LNB_d0g@#6m+P~Y!&I$jvQ1{<R>xY9@GISfhAYQ<z0Bw#%BTAyvG<}h~*?oGL<
zrSHg?mx_AEG_wIrq3PB*?PaU+iIsj-pVygLI){x{!qNKh+#KIwKC>CFkV>B7DAtDz
zCnV~0^?mx;90VCQol5GsIo6GLl7xV*^`>%-Q|>H;lpMkkBm|>K+L4$N#jH$(A0GC^
zSdo@?X`V9z#;Nxe%*-ft6wZ?m#Umfx#jq|=E3r?^cD#+%LhiN-%6KDj#p>KeFVkR`
zw(lXFEjVLOIlMJcBM)J&=^*E_HUK1N2dD5j+Mt+{C1Tr}EHBx-d<8i(BD-C8I8;!7
z5p8=k^0Z7gc@Yu%a;ipXCWXJQ$ZGm{tWX2bMc}20Y&AAM`6L#E8F!lH<u9r=(iMaI
z5s@Tj<R-nV$MM6B6{n+7u55<9ui~0*A+VK%#2JAYE63e=VJ@m@sJ${V@!%^3UC+Hd
zdP7N3^iKi!6mEtTy}N8t8(O0bqg!EII%V(iylpp;J9DcTPeg->?G7#l;U0%o2^<!a
z1tpDlx=!}SPfO;!c-uEdc?X@^hijA>o=U~q`xf;JBw8=FHSEMP={AnwF@Uz&!bqQg
zUX2yK%=8)i{9>oJm0V;K+FfkdT*1<G{*7t6+@z#o_uETro=U@>i%Ttwxl6vd_v|Kp
zmW--}HFeBN*`D{@)C=T)+$>N-zDeYE2<X1A^u9OI8|h~dh$)7cN?wGf&U$%#nD*LR
z5Ov-xx^mRe!#&QU6OlADJ2jN1U;9EcXOb%8uz7X1$uf=&s>Z}2r~#k*|FQ)I(MCS@
zllML^<L<RDBS72UQP<$W{j|1jtx}-sf}ZM!g;$H#b&Qy{I$U!B&97GsYr1U~)NWg3
zNyVMkd2x`TX;fL3HSyZiA>neSzFdPaCtiyUupE8q7aw`e;P5=C<NA-S=U7w3tbnqB
zJtcdmNZIsUx3R~`MhQDwSG8DsTMl+GBrVylUTz#irp?<){7!LKCLT2B(VW+zm^YMe
z_*}!D&NSz!*+JEIyW=q<Z2l88{XApaOWZ@l)N8U-A3}$g1@4kn5=+>ir^)q+p1bIu
z3sC!Ie}2p7`|$2N@)ri5>F;DQyD{wDkL24|e6G$aXemvHuUNb&lgK$p{B8q|dOcn#
zE&Mr#QEeiDqo5%)4QkEx9*@jU_%4>1B16}?#$s6e7rV&l!7sw~hD=^!qkYMNsXRG7
ztYPtA7HQS|{NEKo&ghkE<a6CwJ?LT$>E<1`YeDtQkXG&N@r_YNxX*Sv<t6_Qm%F#C
zxF(JUbW4tL;KVcg?eB()2_8;RS6RUE7*)>=j_T3WOLQ(~h;9g8IOc~@U+Js!8~?I3
z(Uje=@A)jhp_!AaSs7lg4qF6AYxv#;pVC>p)p$#O-{WML3*mj`(FGPig||39#6K*`
z*#O4&v7>sJp(EU>I)Qp(FxYOfZK|MzZwH#)CwS#24_|ubCpWBB?i^O&JY(nddXytJ
zDy2T>tGa!b{W3$kib_4Rzj=SaQ6TmuLD7lFqgcb9gSPrlQki054SNY2V!eJt+nko_
ztH+vk$9vv8@NaBM#6C)7;#enb;gsuM0_V0Bn|-;$@Jte{;w6~fBDM#d;^qaQcOBt>
z#OP=HF4F(H)@!cUde`bfyQ^ZrCk%zXo)7t(VY*+o^~tqzC1dif2Q0DPdR;h$QOs*u
z(J5sYQsCrS!-=%x*qMfv*4Vd)juGA($n6Hpp)Y$ndbyFwPO2VS)!X9(!w1U9ZWcio
zxo;j<7awQmm*QYO`Ae`*W?KAMB{~gf#ffQ9|7i3t+dg&92zyLlmo?iI4>q0B?!<7S
z=j0vQsHs|qK&MwZQC!7i)?9C0OTz^lCc7^s5%;yKt)1W-ecU<acw)T=*l#0LiRp$S
zrs`UFkFjm!5Biep0#!yQ)NmQ-KYVcjc9yK}dlc+zd!_D|p-`A+#Vh!QX%Zv2J%&kZ
z7VN*C=SKYNoYwZm&@t}02%4_{!gSD1qG<dHoAGKTvE-AgWXnCQl*4FFu=;4p+yFkT
zh-QdTu*U(@XEV>{Y*1*4Nh`$+G38_{XGg)kPid1lHR~wKB{0O&^nA}x48I|#x3cPN
z_Ok@Jh1o<YSAE(rl~S8xGS5+cF(gWxG#W$FJy^RtHm7bc)Olw%`AaKLcAJXgojmuW
zgl#k1Ybyxfe6~<Sip9q%A5RFM@+`n=>QL(wf<q@JWgy45dAf>!+9N|-iVTec)l8>V
zyD;!d-hC(un(HTr9=d$LtI-^=0LVfUI5x`%$_SH9K#4p~pUCb{t%fmGe%}}?T7`Bf
zd$)z=6<?4iN(zvdNFtQ=B&^@#l2qIx60k?7M<^Q#(mP0j4$lGoW58wVQJ`w#hF<)#
z0U<SwLmlc2dUC;2|LC9ohtR^UB}SF}!{+Z6svAs-oY7vy(ZMES%97%$yIFuepu+{V
zN;ls~$hHeRSFCrvWfPj&kWPDg+P!$HnJfPX7wJ$qCGRJA5o{LjIE>&l>d@ozamiE6
zlGczei&YQ5yV-a+(m=^uRfncsVa0ymGw9yaVLq|gwyY_blT-x=dixi9>z*`?xKlgc
z)G6rTyeD@a){`*yN}(AoI-KaXkeN<%Y!5T}JnyRx7xVVv`9-r^LT27({9=+;Z>`Xr
z`G2rf@_a<89jjN|hIY93JpQG(1~-=`q;tQ|OU<a#i4?pEx~C&=DLyg0dat^*;@76w
zmjmw7jHeSf*Duphh(`FvKJ8mxQ|#Zlsm!E+zZt^9oD=ZN=5zB&Fi`26+Itn4zjXah
zM=Rik+3&S3kNl$a(0t$A1uCUe^K<^Mqwt@rT6MrjV{WWTBLB5Hk#s<%_m(9G2!7KG
zvTG-|l`Kw4<evr_`i*;{K&2Vlx2Al5?ZuJ-;QG~`EZCd>qPBd5G61htGMZ7C_cy)J
zehxT>WV+h2_`i1lEiq7Oko{9roZs{!1n{hv7ec!8{`lvpqG1F*0xDG~zJd6Sr)*ya
z$Xnafj+^5*-B-AA^YzoNm^8}Y^x}Vm_<#2xViBFr1QXL6Je7=w`eBvl#G{T8<$x-i
zE(Y-u#RpaWW***RiToFOMN|}ng-cvIl-2Fp+hqcjtGqxVO{9oM!vW*ctzE!$y2`4z
z%Gs#9(?R|>voajx)+A-gwU;>mRd~9=L#+zii}+lTVkA~Xxa?I|Ipc525Z-#CeJ9^^
z&_Fd;{_b=gu(xXmh*))+m{VZ=y3mAZ5E!?}-ZALZzuWYSJ67tPVH#nQx61sFKKW@m
zd;!t?@RKKh$5+?pBN-%T)m4l>q-0LE`J1(!L=$N%oSWn$MsfEy3vuX~Jge1cUKpTE
zmTvocp6<tco!bMR$}r(m6xRMK;nn5hS6|G@IXcb1E$}~)q+w?t+EmYP`6>leRfC^j
z7;eE`=J2&hBjSIw%#~qa5zJwX>v$9aPAxsCZhN*N@dz=^Qh^A4FpPLlrgOV@^<7Y5
zMMSlDe+qw*%g$^%TsEF<Qpf8wX24S?$#pF~a4VRRnK1dRojRi07ZWF7CBB2o*M7Nc
z^3&6h7J}J)6-Lxv`+NOvgXB(pZw~{0wT+*KKXMq0K%B<@EZ#^M^^!Lv!?-s=LGX!M
zu{O7opFGf{TNJCn$YiXm7HS;ax0tSyF+~AReqgr4w>PTOImQ{%A0LOmdZa9aoV97X
zAWeu!%2i>U@$O9+{iyO;oJI|I>9C2vc0a>b@uy*V@)%Hg4?dfQ_=7w$iu%`}It}h(
zaM1>Lry{S5vnsu2zuZlY&vw3V$^jQQxHlOETKj&y4YvR=63PUVf5IHTNzZ`le2W3=
zyWx|S%+72Bpcf0G_DCj7W>^Q0SzWfZDY)&8ay90>uOOxgL0d!<<tB0yP6|?0mXiq(
z{DqF6nnn`|#;9eu$zj}+duOIlqZ|=Lo8oxDq*YZhZC%GvQ7j&@_CP!xcaqhvi#|ua
zNVD>_xaxSp;|M-B_PI=PLXUZ09ILC#i*&H`cX2e-$*X5mI%1*s_0Q6u#C`?bGDLz!
zu}q=ZAo<U$pyQseHqkp6qRRWTpN!XF1%^Voaj(4~lNJ?$Jf$XAcS*vXl8^DPZ0h&2
zD{Z{1k{yR6iXkx!D$tjGuUY{3>aK$aqcWXM7zJ0=#;C;v%xQBAaDSmdcllQkj~O}5
zM>@iJw_gFKQZxjGsGb%2CTOfFU-<UpBh?&P$`ZtAk@+ZtP94`Y;OiQ6$FWokUY<OL
znmtH}2!y1+eqSgZ&zA1I=6~Fm%nQFZf(nKG&zu*6j%2#Ym^6(JR(kP9@nxf#w8p}Q
zNgfhPZdP7(fSV0(An$S)d5E{GMIKboaZb9-K}-N=`9mRT0wI;SaDQ60cM4#kLz^zo
z7%OCK|Ai~<chY){7v;yW==O11&zJ%p=rN3}PiD_+4~f{3dhim^JPze-mV+6!*N~Aj
zVrm_Z!zdju!|S}YTR`i^q*GtB-p)c_Ia!kVwWM%_l1;bq{J4csum+`VC1DeUbXyk~
z7P!cmGxM(JaeBb4+gP7CSMOG?`*cgi>99^aQ_N|&A^rIm4vVo@{ifr}M~uq3cd7_M
zanaHlR^?8cs!G+0G4uS{r}NyV0?_X$oBly@YAf0#`Tjcbg7`Mw;Zqjvnt=u}D&AMr
zZgQeLC*xwre0wZ(?d(691c5i~W$rLcVW}J|MNkF$$>55e3g^%7n@)p|*dS?JgP9%^
z`qvYctaR63UNcWm;<+##MDGgObY*pc(l!0)AI1WLjaWAvQ8TlWIe#TKX7@RTAmN*B
zS-7ghIAer@=N*@O5#Be*OiW>p>qE|y;JC?AHQksc|B|M~GQ)QFRhJUH!qe^{6gdm(
znM{H!DfPRAy}2s^BLHBm0C^xdQs9tTrJH!~#>`%$$K$bV?O?DslVplV;9^nvcXM0}
z%Y}R+<v-tTIbMpAd(VW|w<a(^bal8?ucz>J!JkmTc9PCZo~A~?H3<MSHGr9ns2G+l
zzd|+PG!Smn*3e8Q+BB|%kkfvNwO{?V-wQz86N?RvPLIZQ5k=Lr(A5-FDq^;Q*S=De
zJe*o^7W?*n({YeXGTi>4SG7ueveb&WW}s2WbFVeGxroB1ez4nz&(ntB0o(WOn#I0S
z$jM85a`sX!>)KYH6qghdy8B*5z`9$VyfW(NI|vP<^f)0$O=lmI?;N;q7IDFkb|VVr
zv;C?f`1VVaz0TH|ceCe!8Lf4qGE=a91T3Q|=Gr9#vKf4>^<KJMZu1d37rAxKQ&D91
z$sTne*nA_!>++QBoIyh8sQTESuq`0Ad-olYEIXD7@!_pm!+gi{J*Q0Uj>U^=agB(p
zllCG2;^Z9<m&a_lmArarHVo*O)Cz8gl^bgBvrC#Td3LB^kJ-JKW7H;r9m4=Q;}C)L
zaBjpyGtcT%X;#DiX(HWxhqpwS+FR?;Oqh77aUx9HE4cUl2jQkBmG<g*f3X^5K=Ig5
z_b}{yp*5s|u-;JQ0fFXto|3pytc0X!grN7;#S3Qu8-EITA-rI=2Gq7KOTm+KOmllw
z{k$KZHUvMEN<%XCx!J|pQKg!WTPvRQJ8#>FLW=Hs=;LhJWCNGEixMMD`6;<-Yj}NO
zF-uEI8(H^d=4en3#P$jom+xpK>UiFt@YyY)ycD+gvu-Bp`QtBZ`YWW#n6<xWOUEZY
zLCb>BNr?tT0MX?9y61{taxDtB^8lDHfM4cCO_{)qT&h5Cam~VhE;`+)%5f*i1rDb6
z=IaBKV^v3Rf@*B_`*+YwC^jx6Fy!+~wvtdgP5pSU8}5w0ni9xl+MKQ~A$$8-4+L|R
zz2~EN0T?eZv}?V%F?H{Od}vjFbZjfCKAdm=CfO77xkiZkidrc?08AfVrqu8Fb#^g_
zsuEW`d}W&k;7lBybL}10VW2wau&R&&s5SiCxLgX~Bv#sM5`)hlkaH;^ER7Rz4|_$L
z=g>7|213IM#HvA17M&p)G6B5N01%((#N4iWRTjZd1L&qev(CHsF!#=FA^Jsn^>e+b
zIi`MHvWJhmbYnp!<c@smZJ};+z4;*><GS8NnpuQFt8Ve+^f9z4t}{-}A%&UNQeJ8l
zPV@>i43&h#UG5Lq*Wz=J*o|X!i61IeNs0xtRf&bV_J?z?d@hCO@=kEgd2WJb&mYDj
zG8|kt@^WOJJ)qyKAgmGrL4ZXzPnxGCTT!gAVen+GhYnunQa)8_Q3ooRR<2kC5Z1Zw
z;MymxEt?|8-dCv9T<WO{{Lvz*2igGac1%{Q2CBO@3YdmN`#hF9?kf0yY3|BNnfl)S
zq>i)VEhu#)iy3NK&knBslCy?fuU$=Xiht9L09Tm}XU{+4Dnfal?EYYmj57j<;w?aQ
zs^`1{H&x?ie#D?>%^?AU<Y^vMzXf}`iN!OC8_WNwE_b`sYY=V6D^8G!cchogomC1w
zMK+n|G!Zs__b~zC9qOt_@$s%#2!-stOHPKgHL?pGhG98xt?0aEvQY(W{XhcBbJ5O5
z=QZ2#aVr=Ex~cIuFYyOPE$dAu(}#3d?EcN!9hP)Wvd)d>o>>lk+_Z(aHiB2lz$`bU
zj0T?66pJ3LkjAH{S#u=wy6pM!R@M{7w0p$AXqfpdggd*IcoiM&NBGe<zu8~c9%KTb
z(9PYEW?R@&<AF+GQScYX?U_mN)D7fbiT6c!rG~(U@kk>iu$0-AoN*&N(HhtKQ}(*+
zlsJ`oGd`9+mHXNs1%M6aLS>RN$soa%3V;^@5LSV!^Ay!;YkpqT))#8aO1_hWZ+I+X
zRGjQ3($BGQQOKr_uv^&{C5t7Rl?=+_L|vB>d2}@C+eY3%tSZjx<t+ZO_iD0>n{dvH
z^xhFlX4i|+QCZLr^HH9$ZW{CXK7QzQ8pcB)++|}*J@~9EmT8f+KZ$!7-ok?eZ*TBG
z%HC71yFA-O<YtBkS0x(7t<R*mt*n<Gok7;eit6f&q1F?-PfD~V1NEJzs;mrGQ@y<=
zpcOseQT05|eEng9hwC}1u;L&W_>mk-HzG(rY6K#!VcE>)x~u2HlE<hUmcY><ox<4C
zHm)dtk`;#?=ye6yrps;7c-xs$am>w=0~Huo&4CQ2J$XSyv;kx7Y<K&c_`5JXw#wRD
z2zbF=#4c8&qsrb|he&DAU4PN|&_P%X_GX8Us9|7UNIpz>6DiWf@;9jNEkop@zkKs^
zy5y9U4`dH4ag9Z=Zk;bTgEjbzLVf3JWaixb#Y(hm*+y<d&<F@@r(r6aPyEl$Vn!iP
z)!Ey+xmS}c%1!#6(eHv?Or`U>nd|u2=N(GDY&9`oTF@Noxvgi#!6#_RL&U*H8>2d;
zoer~sqjCPDLmWk4Uzg^h`np+~49I&XSjc-&>48+oCh!960$CeCuU2s8CT2h@&zs9f
zd-qooZEkhL<V)91770y~EGMC@;Q2SkKTNltG2vaFV5W-mR>guKM;zAm<bvHI?c?g2
z%|mIzuC|YA`clUxI4OCZ?H6D2?{_>tp0X%;-$tzDlMgIMFBPQwUTd5y2tTmyML>m+
zhB|qZ<TQ3S;N8s7Ae+G-hjDS&y+-*94<cLGZDvxKL9l0?p&|8wkB}tX-ap=x1vsTE
zW~X5!r+QzynGRS{>Y^9xt)w1j+I6!j0&5#KhO4)6mOnkeHkb)IaP-czurB4hIzO1*
z*=rJs*Xd$bItHf-{O}fJmsQ=h5i*La?_hSheDNrbF|xRczbqD5)q@kRUh{HR@+(no
z<aoyGX1f=g#dWh`qbt=)!o4GY75S(x#u9gsf4{xqmxhxCJtXSm)K0edZJnPSyABHs
zZh@O5^?JBMd0$43m?uCipP!P<$f?ST8*^fnr;QLe#SP-vHkl4AbqM!V%4*1%c*qUo
z#R95n`cR(>O6U4z{;lNlR(T6DYl{@W=V6iQOeT}JWl$Bv3b@N%@vC&aCa%F70(ZpD
z8n8L+(!vYcY9wuf;vn|z5wUq+${J&zYmiq3L9G@*hr(L%FFuMkH|SL}Kwhc2z@od-
zg#BltS~5o0M;Sc_9Qey*+drsAi>?YHWH(7@)@Qiur&X7nk#ko<p9*P52Zeqtwm}}M
zHh}8NzpW@G26-}Muxa@D-tzXqB2IxEYj}?}aGE<R2DBXnuew3b_gq;%IKFzxG%?`N
zw|<9oP3i0Uq)95C>Mfbgolp$h=6mdlLfYOq=k{y2JUGrZkoi5Gq0X%#z&6)W$idG_
zqbV;PA5zkIra5uyh?rus6tEZbMqZxwdk0*|ijL`1{p_+6;4PidD6<loj}^8wCjhGS
zD*ADpi3w*kw)vP+`+3H^P(_Z-so|T`qYSWTG+_6SAfBi{s=JFd&ZJ&S^D5B@2Dpa$
z-9{Ag_zP+SIIvc!*pu>gchG{>RWH|EjdT$Z33-pz&)yc=#x)cu;Y5K;>V&%GjD=S$
zWyX_oJQ$w&yuuV+X!PP}yiz|=IbWIHQh@3u`Q|gt!OGx=)El{(iUN&n1D_blDd^M%
z&P=s!IW0Bg#ZtY_G$x=Oh!$1%mm4e5+Jk7T&G$S%8QHp3n1#`+R&Vd=7bu#eEK2b0
z<Pw#TuboQx&ej-WKU&7Qri|CS%>^cl+ddmoYijp;W>}gcNcmvGV&=riJEmLmd?{+z
z+UX<Q`v|EFe|P}}poAwN`3tAchPDHn2pA=`x95qIYMO$#T*k#4=S<$^=v@>qwD(|z
z_Nwl#Mx5Kve&a6Hd34lWKXkfeaUgCxBUj-t6!=(BM6$$dS7K70-@PZeN+O$O*r%&G
zhaGY>s-|y9b&7wVYx}Xs)}XkE+_oaNADhqNednf!cHci<8m*~3kn4<@uNvIAA^6t(
zB7viGM{2XODO)Ddl&wV+P6XJ`(iU)7CD(@|iS14!T=FMs(F%)%uoUg&j^(|Ih?(jY
zC3iklTUe9m^poOluPcZW6crVd@|?^<qin$zInZJC2-B2YS}+UhY;|(hf$*QsN5O+h
z82v)NWseu$B3z-rpXWh4HNUJ+;r?<kJW+9)q+SZ)@@)TpXKy>Ie#jp3=;HD8eX~33
zhqE3#Zi{`CRCto09X}0&kD$Frb-SWeEK{C*SI2LvblXw${$+y%6i)GN?<Ch#aGjIG
zVVI;pM-YTQ3l-zO7RAo;Ga<jtNl#(k^EuYKk~$Q3tT%sM;O-&~y@mcHw8b||k9VK!
zrkth{*MqR~#W+*Uwe0A<J4MqUn^+pewrz&9MHYpyHgDvN7ip0t$&5S3vw`c&%(tr=
zA*g_`sF>p9ET{q>B9oHgRk+&HS@f9bn9LzSTj>tuc#-8HOY(Rp6F_R-TTv$|(8w7I
zJym<u-mAzDuP(ch{%E?$O39*b<9nvjikoN^u;c7*60K8f2o4GPBR9?LaFg<+Qw8AM
zr^3?suEn&P42$$o#uPT*;WK4E%Eu|*9*VFg$3pdBD3cQIT04|*<7b5I>mR-kDc(ua
z&l4jS7$%5&0&vIn;&9@?$A<vmp?4&Eb7x-_u&{^ao{JjpnWmX|ds5?@QfiFw+aRWP
zE$=pkV_(VSS;EO1n>vcUK2EC^sB+jVB&;y16<aE0OUv%RdzqXHi#03!!wD}@@G6iU
z%=X6OO+6ro$0g5|Xx@S-F7A0UBs4ugA+Hr+Tf19W;G2Ggx?^=tHOkA7fy#>&Mez^p
zcidz0$*Ouf{+`Vq720EREd@rl$Hf^g;q);bo0&M6C+KumIcaGy99_HC<#c$iR7zXO
zu+qx;e6(s`{7c%cKk(A=72`jw&ZU@+yG;z}SJ_;pr)e_C*cH4SLa@bNDB=89S^3sK
zi8KWE{Se38MEKTx#=v1Zv%A-rQpkW(1GG*`$M)--yx}mb0)SFkj1}fVPM6iJ3rwl2
z%tvxRTHeWbMl34wP1!WPcUjHXc<G6@&=K~MO{nIWqXTuPfN<4o@I=YIYh25wfs&I{
zg?0YNxXh+SJ!07Xd`4OKfo-#eVuO1nu^bDVdaX75%xIIbTug&g@ao)Qgh!>|J+%~i
z)Dnj3N8S&yw{oj!$=>D5r`I2Cx}<w7q^3CMzGwm*d16j^m!%h<68n1&g87V%0t_l&
zX;V9O;$f$cV95#R>T&T`E;b;=-f+@ppSoTmf}E3anhrlPX;#o>SIOV{uN=^CEHM5{
z5I~r{YE$q5%O~-pb7mLZx2I2`QaY-}B4!VBJ7_t3Kku21?4_L_Z&XS|DZ$m{FWIn^
z&S|2lUKAJR=mjXH3P4^9b9qx-9Yrh29?@ntGOOPapm79zYq-(~z$1wH(g@oc$y1{3
z+*c<fW>oFbtTv-m1<54^bH4QmAq_0ipTK_6XA}Sl4eXQW;J=U;^jgsha3*aJ;|QOm
z&q=yBWr*D7pNS&NtW*MJPF0u@<rf42yAs>=egsmE!h0<$@N|FLrZH@WZ_>?aQpp%(
z%jytDv~ndNYVA6vf!G4#*Z53hN|)ih#m=SzMMUvVIv)`Or!%gLKeEm)6vp(8Y`aSS
z@Yf4+hD68Y;@mRTvxzx7+N^7C@|SBJRyq_onfISBHb@CyoudMo;A6}IyY|4|kqdh*
zO>|r4CxBq4)!;i(U7N$blD%F2$Bkz{q0Sx8e0O~Vpm}%A_$^t{vaF);gv^pLl)V(v
zItkyN`bSgi#FfnlG^MKR9KGR#4D5wKxtQy=*y?@+P$-_eo$t|}%gk7eGlN=SJ2EMJ
z+?Egk^?bfBp_DIQZ4KJ-U&q&XdTjDcF6AESuKaNTh6wJvH?iW>kS8Fy+yi9h^Za=<
zgr<N=-}vRmfCT{Y)muh4rk@^48^uE0r#=mFew14us^M$alarh_UWR>qEdHKSRxT;z
zcIg=jfIN{ZeH~;Wr-6KXCwD%XTSCZZ>pdd;J(1na0HDO-O&fQO(CZ)M^@fs@%pL=H
zZf#FN2V&&u?nXfguGV=gnXbB+A5pxUPIG|y?VS1HJ4d{Z?UdCx1@E$X9oHh4sII|U
zQ;6*&w(j+^cB;zxS6c4DDQv?-N(&d&CL_6n`n@%Xs%dGt-jL_8zQ<zqt6?4-y^R;g
zS~fIiPp^$xQB}jg86j*mk&pf5yG-}}-_m2HEoHdpFOEm_1nkF|d}ZxTJPyAf>Dd)c
z{{o_y$g2N(!th6TEF;CSu;)an%Qp=1v#)uyn@&5ky@2ntDez=tLL{Kx*gZpAQq-ST
z9J|u}c+0G$ejkcwNl%w$8Gd!XDoE-kK#$;>f|-KS0PN^fX+C-331F<0supR!XBrQM
zRv0jSv<i!Z6t+iHrnGTRL7$$BoHrmZr$OCBvb$|W1!^po=gI0wiXHbZws;;V^9gIf
znD*9*JP<2baf(y2RnV}P6F7Yba_HsIKf)&TqTli&&^kqiVo(4Oe5}*@&}6h-jvM$S
zjEbM(ISp(%g2{~P20$!vVVVF*$q54kmBAYet#XWD>;_!F*%$a<DWCTXpa9#acldf-
z+Dvcf05F`c?MIN~peU#7Zb<r^A=Y=Go4806N#QGxV@nn#D_L6wQ%&@Gy{bgNy5>(Q
zISZ%L?EoaY`=cewaXpz;zn-2^+L!iXtviTJ*Yl4~C$H_=P>{)0lB?)X(OO>-3~nf|
zP6QSIu;axiJY{;c(aiQjb_8Q)%#m=l!>X))-Gi6L(i5KcFUdoU7rqApRJUq*5-gRr
z2<n}c)xKnlGd;>4(jlT%9k*o?q_09e#hG4F1|fn0*XXI*cJ1n1F)G?m!)vhYsN8$b
zi&1`eps`{*PS>kUv(o%@bm%a@InN*NQL)EVJ!46xJ<yJCU1%-XHM?J)HS4~~M8T>j
zw00j?w&8H7+ZhRW35*p@?2ty8ws)^VHOd=H5BhjnDiZacrIK!}e*nfr*%aa|Gh^El
zc6_?}QY4-g)=tbi9D!Y_N~&h05LXO9dTjP~6ZIH$FcaWuBNkhp@5ejH?b@cDxzga-
zp3De-(u1_6%PQPMfCP!pX}|PAUP!8$mQw0zZPn&Z=eRCy@5li%amvCtRc&eS+QkBx
zXqIG-d*k$Jg{ez@3UK_AhGST%P*hWq&Um4QVHftW-qJ_Wrv8t<ogF-Rz3qUJ$<}OL
zzxQm%W|23&g&`6JVA!xGLk}b(?2NsSYu2>|(2I2goYFsA3qoyJ_D0W?+vIpr$F_h}
z-#LMX(b_j)_bh_8G&2a}aM@3ni|e+bz%1%X#c#-`NWMbXdB6#8DAOIggmG2~OufU9
ziqmn|7->%NN6&ScePB%}aN<4aeD?raPz>XdPz_~cKU`vh=pACp<3a(iG&8$cyLq96
zkU1o&&l1(K2zI;#+Qo%MMbtp&kfoH<r-RJOl1LzDLOTKw1oue?$V}AOC(AqPr9dp>
z+W8leI!AF;%<lv>`{UFJSuE|VubA|F*2l!rNm}w6s`_Z9R;__$e5l+N8eRCRL=Q#W
zQMdc;lG%q+yLi3BVT7%+BxHQl1#r+4WU8LTA=upyKbO*OJgxI5Rt1p%2q+H_EZKk3
zBzMM}J@07b1~?dq<LR9b+C6+fL3}rj<N+E2Hu^BkZ7FJUq*c~`wM`Q+s7c41<UkUB
za#@N43x0TK?$oo?FY#5Wp1Y5n^u)geVZVbZAZFsv>_!^_*3oASoR8qvU=kg*)YUD(
z>pvElv5L@6&OQZ5wp#7s$r)bqW8sIsu3vq8t$Uth@xz=EE7*my-8FpiR;k%U;pzK;
zx!FKV!&wb5cBeAlhkWw%3D+mnPzCQTv^pP8B0xR>#<tenOYMC=XkCYJCiB4!SBh4A
zjDt_U1n(z%1L<0Xg1hUPy~Y!u#%zkw5);`nS|z+wi3<J-u=Wv-B7i=v6W4UezsCfH
zXxQmA8#0vVd0&NSb4h@u#TY3#Ep6kS$lpPl{jdh}-!Y+fTOu+p5y5c^^;gGh!Z<wD
z`XYf(QFZKA8|+A=EPAe<OG_z{3HHw>$q>`OgVVzePR}fX;PTTQ|M}GT($&x%s8Oe4
zm7U>!M0Eej-Gw?FNK1*eC5O2(l8V2nZv;yc<U6Fr-qsK7B%5rtji)P#rF)J;b^WH(
zDuwEU6g04GkD<A<BZ_*xVYy?}PGY8t6DCM4SH8K9nIhBJQWXB-eLO>2Av->&ZlyU1
zVBXf#*QC=dbj2_#@fE`;yiR`npv|Z6_(GGU>qwpIY5>`xnl%LCT#g{2QBjr@QOukI
zgnO3}AnE!l8%L0+lXq72lW%|_3u@{<%Tvz#<Z&+vBe2Uz30eQ<`QGJprf=s_we)zc
ze7fIkLv0s4bt6MU_-BRLLj*8su&0wq-$}OQDUkSDlD%b8k3!%}n_${+x@ATA_x@yN
z2+<JY4N$TW>Uzpj{w&UaKhnVfP*yaa_S*ei;@|J`<$E4^IJrI<n*KuKkhst_;^@=h
zuwvppr~2s76pHD`kvB2i7k<>c9lVy&XmFP?<)M{Z8awFf9Di5!GjU1i_~w(D&+?)n
zqzBlE%+_@-IhRXSg-;j(tRKl<OF287=4`yI&rSOClKHpZiDbNSub6i>ou*%SCrI=?
z5%!6^7QsCq$<K_hMSf{6P0lreK+*?@4_2O^9>hZ<M(~;Ig2RhAbD7MEe#;?%VB8v~
zWN{_mNKgZqVT|gm9s$Ke_vLw=Eom_sTopcx{Uq~0B{%d(<bZIlV-jKF&#Lh+deM_K
zq1VpsQbM!|@BaGgr^h1E0Z~8rYN+(H|NbY>z;^;5^0cnJVfx*@+W;M@3ymuAXV>+w
z`oCYty*X*ke~RY+hkalK<OV5Y?@kc^I_yF;oIqpBxE1hzcMtPApU0;?`{$VWU$vIq
zy7Ml$H%Rk$_Z|Q#LNVxkoImgGf7Sm%255|>?8xh1g?gvM2cS6Jo-d>Sbq@FlSptnQ
zaLD-0{O}RN2BZc?i;(#V)%y=|!vI($B#A_ozswY%0c=156a%KKW$<5O{Arl(Bm#|@
zNXmWxn|uEo!v7D3@Sea;6_}$LqxP4#*s?FI5?28Fffa>3Z!ZR0pH*M&Ueb`Kez_gy
zdHLN`k)IU{8paD;Vmiey9TzXgdZFe3-@6LPlhLTQZrDn4;L(__LLlA|kx!f*HBA8)
z<HA@tkQ1PRq-rRtb4kL$!ky6dzA(Ga+OeA454<?rOsJuxW!cFEIF+hp3kp>bl&&*C
z?h#MlbnE5dngq6FOCUlR-{%03tAQPOr=m5)8!C7;6T7jOQOR8yM&)&4cAW^|5-K_d
zU4G!)N-|z|z-v1%WS(ezcE(s-(}%jqvpHDxPF-&gc1F9f=HLCAS>>`rrB!JTu3#|J
zR4vu}qd@!A)W+LG1SzMvo!1ppFhS{ZJ`E&RSS51VNDi0fh5mg`Mtb?a>%L||)qvcV
zkFIk%td6((5ix2yrGuGsPSkoh1ohugX}ZrZOeo60K!B)7eb9i@aw3t_Wt&UKXF-mF
z!@Q<QeNXC*jPWqzK&ifA-Fh}JKnlr72R+w3%ydwdf5a$xd45_1uzz9&y)8AY2d9!W
zdD}zX`d4~UeJYIVrD?o68Baz@fOzg<RI=zLKpP8{B4SX^o!`z|3@@OZ($(Cizw)A!
zr}=St{=P5p*54Ey4HxeBRVDq0;Oo4T(Sq@cX8+VmT`vvtse=qrJniGxK$OmEYeK>L
zG%ts<9I!ZC<2hq2Pxrx`hHb=Jwf41IIW($K&w2rlQm2mC=qdBf{R`yWRE?b>NUZN^
zoDNu=8Z<h}zZg1p+)9?}9<RE&bvUf$7B8>01@KW|PC!zIVHic~h7)zS%}c>l{TN0{
z1e8VKL@%1x`s$Kw`ZH2|B6v9vL(L?4wD~$Ut>JwCYUUV-#TEcy>hn1KF9$%RM3{Lq
zUnEeLnO9Up7vN6}v_bgBj<;qJRYB)DVqu1bPMglE1!HB*Qk&f@0HqlgpKeai4Z!BZ
zm1^;CdHR8nvfHz$t!bOp8ibNoi6oHOW>Tb?3^s3vIaz=L`oFywd`GD}*2St&HAR~m
z>M*|D^Kx1<M;5N#06<CI&f7EkfX)47Ri~BP8wnq`PWHoq6?Zu^ZeTr#bA2F1^vsjE
zOLHH8S+hh3GF@Zm-w80YRMI(b(B`Wa86&1$4yUw+RZDb8a0yPGqT{2IyzQ+7Tz7rU
zKo@8Dh>ph*`)uy2uE-y6rz_UEs;7;6HDQaUZbpNr$#!Ci16AhLQ#*5pACD+Fcv|aL
z6DD4?k6g2k;N>R+UYBkk3u32^6ss$a5&bU_BEzX3NK123q+G>j4#Lv|T;A$_#Sl63
zXUf*h&ZlCq(cn%|xZC%;B=80{yM^{yC(urQmSZ@KtfYPeTg~RHPdEJH_!9NF$nz9e
zAE`VEU7qp0IHPq#ulZJG`vU{DmieNJH-4@R8=qp5J}l9Fr5(1(W;OMuTE?jEpGjPA
zn}oh)VJPP*_HL3Q)zr}>bE>VTIZ;hlb?qpc(?(t`NXIsiTB0--Bw(smpb7^(c?K3C
z`N1N!I0lI6_C#4hZ~Q?Pz0zx6G|0T_WR1SRhtu$E;2aPK)<n0_jj5-JO0^oz?w#Dm
zyZ{XTdP7h1-h`@(03g%{;JtNLcq9x<8)W!Kr>3_VA$rJe1#uN;>Hw0j3PNv0;kQS@
z7M-6`wOMn8{l&(Re&`DA5<`v54Tt6h8_CysLe~tf7MRNpxHmC%`#2`Sf69HoGv{;o
z3vkyPvWfN40^JV!$|Kxekmp{ED%3~<pyOvC=9=ctkWJsQzKr;Yg^|~7(%@lLANuOT
zn?^w9h^bK>53V|AhWSH)n>gW%i7I*%^r^3ROWybspHb2L(7Brf;!6~HogpcM@`M$m
z2v(kBk>KglV@9RyPyi*!QfLS!W6{UN*8YLv3){xMN1uE5IsGZ^_{y-X#qw0C<>Wn=
z6md$GPPo>k7eGX_%#w^bHfhn3<10%qs55A_rx3ivRPtHcD6nx{B~l$s9E8l2%n1Q`
zSJimmftL3(?{4E`L6sHjba12T@4yV(3F0Is3Mb8&*H$^h_vIwV<wl1cu8wQxACbL@
z8jTR_s|IpG0w_-bj#6a`KgzvnSj+0{uyY%^tjI!FIHwU44LHkotCy7Z%3tM>(Xpbl
zO7J?Qv+pag(#GuY3jiazJ4WCw)>M9RM&Q_NhL!KUHDQfeUnq6Kl<||naBUfVm!tW?
zmLC1IT)!nf^h3w+ZQ~boB4&sw4jtoOqT;DSjh793NmToOye6>cL`=#9uYIEc&kg1y
z3Ww3w6s7>IpCN%`wul5S8#7(6)Aw8#zSH9GABQ`ZTngqSJ7+V2U=sniA8e6c?6x3}
zOT78#OTtf``coQ?zv1=QoZ%|dSs3px-P#t%yE<&k*jT}mjMiT?@ju}eyf_?F{l3|C
z*zuUKM*0!BTH6I)q$4&Eq%$p8t^N>5@-zfOI-e;H%-4rfubtNyVS&pg3tuX9;`Mp5
z+3J=`Ld!h1PX*&tvI@(c5q<b|1P-fS2$*CZr0aF!3&VW8gmsm8`HxwE2R7^Usuydb
zEsU2~PrK1GkL)dM20R2LYxP@Ylw}4GK;SYKmU&eCXEl1QE4@vD2*r3wfE`u|P*Pg)
zd>(d<Df&oja53baGTPoN>h0QAKoN&3D@5ih<!oCIoG-CWXp8PpW1&^Mqm#iM7|3m;
z(G{??&MoFuU9afYkbruh45SWs7XAp-IVE_xC+9M^p`$E;a5uZ^=XY5{zD90Qy3B4?
zg&fOCRwU(3{&g0>xD6bp3x8%->rKLbowygrl;aZ~Ts(-Squ0d(Gl^L~Ii41oc@&oE
z1Z3<TV${>teT^r5<`RAeS82;+qdbD?HG6tjr>kL=6VDGd<lB8!HY!51ujpX~&(rhD
zPJU?e5bk!<p-~oQgNx%zD*nS7U3d&Ij_JTp%+5bY2XlRfbuXPB4x6Q$cj=q}(Mr`y
z^P>Sa8M?KMjIZyZA3k-f+Qnd8(Y?wb{8nxZA=S($tXhB2F|qR~mol&5b1)2J!@oEf
zyFyg~jhXFcmSt$A4w6aGC-dNB?kdIc$k0iij2j<Tyntin=;bA0)-Y9IF;we7*aRc<
znOvO8&mm<vc<xGBWeqnc6mWIPwKgYe4D?P`*7c=H&Vl*?xIWwD`8_@y?<w7!9!h-d
zV#tZ;u-Ba~L7l?OOM#JA`B_{q<pR|fr)kB=@_ZMFA6)F>tXVBNku99L>0FbHU10!x
zvRmz^@_KmVS>9eJ@pq-;ByYij#Lv|4B)8p3j@q~YO;T8WQJsF#Y0^D6X`24tTkgC2
z#gP5g*`g<XcR!0T^;HVI(!ylzQjH($fs@Snry1_EO(l1DBczT(T-KKsT)LjX$f(%V
zkDDt-3eGi)Jn+?-KLA)^cD@Aw`?MSG|Iz7p+W=O2wA(;N>x1o<42-+Y8GG+XC@oid
z9#}UBbYO?9Trl%r+Cyp%L)wmlD(QxoeO%7(Jte@gAa<k!!3xRfc-VE6D<EcDxgGaB
zUnd9(Rj`Sj)3&S!S#>Qb(l9~SL_F-}ZYaBOKyqb!|CphfQErz4q|eCJRFq%xqR>(H
zeH3@&#&=CeF9ux4Q&C}Nkjb26x4+eG_p|Afk`01fEB_;ZD<twkK~s}1JZd#%dJ^lv
zYmcpx_>N+nNK;~xF3Z$r5_dVsI2`t%%Er4mu61-eY>(Y?V$(Xbc%BoN^E$~mOdp^+
z8<5@M9`k_d?l$74XzjXuvHkJdTJ0lJq||Fyy-cSm&BfengCOr-eM<8p3iRA5%x_#&
ztQpPHHgTRCdpdQf0=8kU%@o#DX}^q%d{R#&_ng9s2&+EDV_SkOmv1@Rc$SEp*Tc}x
z3JQRT+>?bpxx5B{{N1S&3chCU4?Uh4Rgn-(g*d+&mhjiHsHb33QjLIdnWdSBiG0aG
z`^YBFe&Wg(jPVCWy>Hi%sRyM9riaD(Q!MWD3@`%;!^7=1wXCimmIO^YyQ4d^nOpa;
zhLxjZzPxyU?qvOA?#eVCTTRvF4~VVWI*@UgSr&6mUdrap?KVv2aRMP(1@Hf1a{8u@
zpv$1{e1B7$GXf@Z`cx7lSgW#ax~a=fC#|)=X7JL9KZ?S2#wxN$kb<-DrBjpAN(gp=
znnFOluIHlq`2{C6c}IPwi>z*)@E!^AUOOoO%MKN6bjglOiNX)qvt!zV_i;WTtH;p}
zaUb#TeHYP*G%nc`%eLz^peN^&dEfv&^k#`hD5rnBn_gDyhmz<%I;fWFm0JYmjTA#X
z*W9sRCOJxji5avcFzX8FB6B#!on;&umCk9+RHO144<uG__wy{0gE2fhNhq}*m~1fT
zF~1Xch1=WI{GhgGy}bK4;A!=P?teJPLv+_FCv0vctyzM3^UG&0f{2vpY#+Zig&~}+
zl6u<SJWo`w+O|jrH1lwY5i57!!<XC%9IW<${|v<CQ_<!N#Mv^t{cw$+UOP_6iW=Pp
zW=)xy;h_;(tnLgj`>B;;z<air>|;>^A1p5G4`4OLujTlUKIk$X<_pJ=oNvrsDU$gp
z`G{eL$tAGQj&@q&VCjs+6t<s2wis>BpF`Al#){$^cKGkg%XQ&Vd0(FIz<o9W=fD=z
zw!k+(b7+KO1O$fy7VG-Tg*T_iYLh`LOYwAc$_(u=0cD>9W-d;h<LQx-$HnQYC^Md<
ze{}&~GKM1gco$3AiFlQUFB3S4zFQnbJBp>??_FRz?+UCS@7scSxxmp7I&H(R$DQQh
zC(6X<`#Akb|Ie4s?kc-7lVapIb%vp;yJY}b!&*R{YpSB{?NAxJPK;L^5JgB_aLxlY
zbr^nG$!T6b%CxrSt)ElFvgdW#rmCXAnk6<;{VFrAjuactX0jYeYj4?j%9Tlr&7h=U
z_?A9|^|Nr66)q`X^xf>@Aeat0o~*Z$GW$yGTxF&Ekq9B4JQx230Yix50}b4%b@H{d
zwLA~N##(`1ISMNLV>=mQ`PX(5Uys_B9|z~vlDYB}Sb1=9hG1X<nFEq^TCXD<)yBe7
zT(i)kQ@(MUFY(R>PKg)_Wu-3d#sXCPU4i?8E8s%Y`2|1bZb`ZMVH~|CY2Z)`kNtQm
za7hmZzGtDeP$x<9+-6CW5t)u_8FHl5i@6363d?aHuZ??i6u$(glDud$EB=Zn;5OHy
zg}}B?<C)_TX~iyvZS|{IpuV!~luD?&abMClwxgOMA!U>L8V?;B*H9h7<trgv7~NW0
z&fL2HC18S*I*0GeSLb+LFgu6i)~{(2KG^@{QfQ^`WEii&83tA3aq}hQAC(gh-dhxO
zY<_4(9pYWVDVOxB59E*9@t)v!vmVL)!8|b32oWETVVmIOzbh-3Me%Ca-s7<B$^kRM
zLeBwYBbX_JnIvAPMk^Pu$KSuRiTzdWI2wCS)md-4e9B{3$v-fNhu?XNjwMZF3TswY
zFtZY}g9RqLILt&o{I;ecay{<;-xrW$S|x76!y#}zRM+Q3;G7Gjk+8Qe?uzL-!&QpB
z%PY4Hj@XRbFR=7U))ak4yls7&iu@AhT!qa+6j+OgX_%FHCjDN_U-Qi1QAJv*%UJwe
ziP*eqtO_WL(T(TT6!@maISLyv`X~#Ld9#E|yT1j{0Eq2vqL6@1+P1&h^pj0<M${XS
zA@Rvgfd?!T7^Czm`N}X1(&mddiQ98m_r_y3fm0KX+Q4TmU>&+hR^y(VNFyF^ipq2V
zQfGekgC%5HMS}+yb`t+G&nhz%-^paZt`%$3B-`KnA^t}3BIBLA8jhY=g6ynr?jd}K
z<%Z%zIcr%asry3>QQ8s(O??WJ99;ni_~&Vg_U$*B)j*XJ)8cgj%`j-Rzo7LeSYcL`
zjI9TjDMz-3x!m?awM73Bpz`3-B+=5va2{hIwFJ(;T>Utu<P5HOhyH$#^t$`$xY~o@
zL5y#EmK3PJ!-xABLa%Ysp(wxH>1Ygqw!9k0t=nIPY@mr26o_g{`t?Ks;4GyjAP@7Y
z&Egmx@9PM6HPyg2Y)R(Fj4|+1^1q<U|3HX$I)(x8asP06b?F~U6j*n@g?BqrIRbys
z{SFCr(*V#;oyM~y-oNjD*Z57OC{QW%W<tw9e2D9R|5xsRa{1@9_&;mDr0Hd(dIC|r
zBK5L`YjzkTfb1nEt|e6v{<3`RKYRsF*s%ms7ONaq38t%UbP3Fy_IrEO@|D;9J4^az
zIe?Q`ppQg@dA9gHoL6yow@8-PepyYCN;jfEE7jQEjY}%`Kr&ySdgLHEoLTi!-(Mcw
z6<rCOk}{F%Z5=XY`!{aipGc{j=vS#nP#_>Q4Pe0bTlBO`pXIxJ9-+k;?$DEm{~b;R
z)}I}z{HJh(r@`?{BcA{(DJvllkLrOu_fc#H{MUv(zzB|^GtQWhkbQn_($XxE+lKt^
z<f=Q&X`h1(Xt~R-15|R&!!%2O<C^~!0<uMKl_uux40;Nrs{%0U61^+;o@_?%ukT&Q
z05Wo4w#wQYNYv0M%f9*Y>oY)C=z+|5$;rUVU&>#16A09h;Jk7ETgt<q4@N?P_(wEE
zJ>(bR+@!gK14NDNgpA03SLy#=`2Vj+zdwp((G}=UO|8}~Q&;$l)o7n8l;TM?Qe{Pf
zS_Y_{>p3qA<<np5t2rI6DI6b9+q`G$?u&mtOQG_gGt_A8u+EXB?%wIC0F`bC$i*^8
zOji?H9Cmzs4B+f}`rSjk4nRg>tsx1$;**9tJ>I_{eHtk&T;uh@drNx2^sN}mlG1_$
z5c_^NOF5bD!-wV?z}_x0Jjrh-ei5MBXnWT}D-U|~`Nini)<g<iX5r+|Idw<$tGCVG
z$)el@Knn))PKN+XpWg$ZE?;L%SMvTp+`VU5li3<Js%S((1O;RSDHfy&C{;R$i1gmO
zNN*wpkWd6h7(t5Cr1##W3n4*7L3$@ZC?Zk=gdQLy`4)S|*|TTn=ee$PzVlB^-n?y<
zr`%=z!;s7F_XvK&f$T5YtJl^d0L6WEx{nhc{^!*DaXLsc?eX^dhBv^7xmHuqcXGhW
z)TMTHVZ?()m(A}PYd}S;7KE_Uy7hoEB(h!Ir#cg$o-WxDuy2JVU@S-i{x`$`<Ow9q
z+Mp<DT>`{+?3rxL!37{hV0*XmL_Bs4Xpp_X#IF47D4uo~EJJh3@pVD%qjirVl*ZWP
z_WhEdAzILB`ga00;RwK=+1u)>7y~Gyl>ku3)dp;xYO{zwX*dG9KG~thz^VBWQSpmR
zKohT7)#qcva61dkd8u3a;0G<!op0A+-(R)63}nCD17ICvfbf&Y<f!c|4YX4FQq|9Q
z1y)`W%tss9)j~%A2uB<gd&6PT-`!B46@rt_2Q@Kbc7I9KRE32FZ1&~i6h7%3?JYx~
z{c|4!RNtIMr#xfTl7$9rthriw_5&2r7Cu%ou(ev0bI02+(+mOph5)X-*2d&klM!J2
z1n6-!0L<9)EP})L?1)1cHl+=YGX*uw#%2G@KRfNu5@pjb+^2#qG6PK=#MJY}EH{oD
z{AI!NZiwA{+^xd8V}K9nLz%)!M0{xgf!1sUQ00sfv@7Ft(K4>!(yG8OwjDzanFM|a
zqbse$aBXW49Pbi|h->aIXN9e5=^P&IEDKJi3<Fj&{Dt0+`gdQNMDrEtxK`@Au>P$^
zc|L=(diDiBVNA03DVo5^>g@Vhjxp>`7693^`p)`-e`PM)>uCc&!tPZ#DF_b;-Nk(U
zxhJBPryASQQn*QLVFZ76T&-EHqcB#g)ly<PH+J&yYoIznZ^4%HT0pDN3*Q$=#6;o2
zxJ(W<1C7O6^m=J^FNMo!trJ6uc}^n?koWd+zef2lMbu`yS^&nJ2qg3f$75jX-ax=)
zkZSrsD=|Ib@QMU+Uwqy4h+vNgMXMPA7j%#hyHHzh2A}ZglfocBz(9>(b+NE6flH^&
zWe{-KVSvTw4EUKM_Wf+QX_c0mI3(vz^cS8#;?5segCxh9`<f;3IBY$6lc>M1htQL+
zm}yZDnS+walEEbojr7OSQhV>p%;2Ml193pqZF0K<9}9-agsxm*m7av%*sVfrb(WY@
z5TD_A7hW>#d1FAP=*VFDG>HDTVZZ+=p8*AihRl(iXz7Jf5?E2pUtp|C%;0sno|*6c
z(#_~2xPSfg*tN;#zGU5dpU&`#`!#8@{{+IaWkD`nz4vWeez-VZD5pUsv3EMr3e$9c
z89yZk_{C)Kh2)Yl-`$lu&t>g;X8`Unf2b|Ppvfrk<hOdiSBX;4G&A=v@k+fWN%CN|
zN}d8V==`~W%`Xh*G4}b(h%V5#bpfwA-<li!NI~vB;D=3s!4kWwLP;k%#9+rgkx^Ao
z{{XZS<AG*VFVP>{Y}S@Iis`B+XZ8DN<IQt6zsj<O4C_A{;(7=;z3+jbp-)TRoD0A(
zuPe%N@@7cE>JpQP)VSi(yYYZK1#=;GJGmL)h+VutSpQfUziyH}7eAX<QouF@)C8JD
z)v1jERJWCH36#FA549Q_N4cmFAp05xJoNXzzC(rCqV^Ow%Qo7AHzI=dR)PyEuN}GZ
zVNexrpjKZ~qTPn^D#*5JVT((UTFjef;EI`1X5e-%sUzhn{0uC<T9JK;VDOep{%RYz
z09^*BgJVJqKKAb{53K<V?zs{XyWXn|=LbIl>U|dzqh<Ms6w=j@Iq>1siTI?l@<2d%
z-JPz#+WBq}f0@|{0B&7xtJ+*ELT3n6ts`*Kf!jALXgSm=ctP_zK1F)#YdGK8-5C-Q
z1<1n7NPC?#`Vp6V%nW1@r~y1TJp^dK@gFjZI4=cj81KzRhapWR0OxEnV3-9md4y9e
z263IMQ-3D%)=v$w7?smoi*L8T_B$*weHC#rhPh2lyj)uZ%}7sc@kl1z8%jw4TK|f_
z>>jD&M6ExGwc$Ci0qu}Fx0%@kz(_nSX%aOGYaCuq`7#BkCOA)i7+~VJ`i-#J&YI;*
z{5*<)InR}w)$IT&%IiNVVQl2*3MGsH#tz{go510)i*}=i%3ZZln0da)yth_AGj^6g
z29Sq}G^f7a&XYmlPJankWF2b)?9Xzij7G#rsZpy9Ef+>2kVxhl2&nR2cvqk;nFxWF
zQy!|OB_G8edaa44Udtn#ju1##=*w6Py~b&r`y0cL<YoO5Ool};HcZ<$FqeOSxJP4`
zfK&8k7WaI|P-?t{jry6#eua=dm!?%lJq0cK^%Qv<d9JicesH@2{&4S=A~jQPL;`Mk
zsJ+fviSf=>z0xvty6M2Rw$0`j$$fTF|IZf{Ke*=%pZQ53|G{z+qAyhbw)2Dg+}l(`
zfNn7RrVtWZVxJ1g#;o5PJGe@e=0DR?+mUg71Or!4^g^u3mCZgX(P>Mtr0-U}HEz6p
z9f}!xe=0yr<gGxA(B-&v8p(j8Uo{irEjSVkY_uIDIc?0q(r<Q*q!?<*t>-*jP?;G(
zBH;S(rHP{i`y>U2dG8|dwm(CNN4G(I8E6p=miTM<l@k6b*(7Bng8`lOt;Ie!P{(k0
z8x&HP2ZF4sGw1W|GP~!y65%af6`(53&rG1kb_jPNg!Thr_)=%PRQH7$-q}BQqvDT%
zag2%d(Cv#7U*Y8MYK)|0bdbe9-(FxB%UdvC7=%nGno#H$p{Ly2nHN`__u5|WbQKk(
ze<u?h%2(TNTrpc~EMHdg<Tj~ucCT<j*9l9-YhX=wH0k|Y@|FRtei+i==o1pn^E6j=
z_00|XdyTDB{F!{vWiG}=0Sls^YiSqg`8JgM``(ENhdp~QO4K#(f?*?{&RH!lKVL~G
zEFjwh3~NxD_et<I#;N%Kv37tb(l|%(mjWP=IVwJ)_EHhQ@zEj1&8KK{rjcW0Y2fSO
zsHWQq;W3|Rmc@bt<&_jb{cY-(>h$T)v~!+RWNmQIEpOT?enJjW+m;*q3BIaQ`vy>?
zTj`f^HKI@V>DNj7PUQ`wuFZs~!nFnvsknU4eYLk*9ny4{v$+n$TvJj@PugB<$nUmC
zF*|`0deu4FHdvCJosUKgYyyxV<m&?f6JQb_2bQ!}f2;h0-D314Ai<%X-Awbb&7^52
zYlj$IdY&TZ$Gn1F2WKv-Qya?#VMtF(=G$%OYybzizt#2QHo(->%}x)63ZG~=bDy+m
z=KbYE;)Wx|Z&XYo-L8#Fa)l0~O-3H@`2-V}+53%iFIDb_{U=M2?Y;c<KUw7~PYS@_
zuZm<sacIXjaeRz}7A+{d8)$jOg`c^u;l>37cku~>Gj_hXR<ED=PBmobM67Z=cLT>f
zq+M%});nGy??iM}zHrnNAhtHpYieXjA;7h*q>!XC;kG=O2a3b3p;XY5IVNrd#hM;#
z^ZfJWVDp=(MF(o+dYp?2yRzL&EHA_v(sS$Hfe!o>C6e7Dd-aQi60$Z76>|<cc72>H
z4^AGU;F~kwJg)4OqpQEVb>=Gdx?ucD=^wzuAXDzl%$}8z60=Os1|3rn^Qi)^Q?pfT
zsOAaf?Ep&^vnk}!vpU$vPU~o?a=k0uog3zGFPAY`_UqG`!@nS!L7JP@^{MUm8@*X`
zB1!X{|8x7RKSKk(lTvybW;4V7d@P`U`_}xjmzCRzjh@XhX8g~b)S2#UQIh6))$~YF
zs<1!tkZ)-<ad4l@km~Prec^W1V+=ok@fsMc^H~u+MgIa-9A^iZJNOSVzCXVFmoi68
z7{KxU-*}wt9_5d|j2Q|BuD1lLEXdi<Y{w~>ck@d8@5zYlLy!q^Y5yR;UcZ@+PUO@Y
z1ne`ObodjCp9!>VK1Ge|RBt(A&lcnZ9<2eOFm46XdrAqfxi+=cVjj2m%R?MtynSE0
zk0DShe259#0Ff!*oh54^t}qGqk(4)PwwStO@Dv;y&~KCu)hCxY_@M)kJ3JGe@m;Y#
z51k5e#L+Y7n<fu;*4@Aby$9*QgOY@mDzsa3dv^q))EqGgaxGgRno^~f5>O2)D!Gki
z7S|By1GF8^so~lD8WP4@1ps!(g_de=z2b4e;IWc|?Hyya9FK))hd;-yBLJcVJz_9p
z56Bu+BN~_oKt^#*hV*<A0Hk4f48Jsg?nv|@sDHvwKXY8owOnsJUzrw3QtJii{8kab
z^s}*|Z@S_SGkULi4P6cM{!#p)&u+f*s11mPjDf`w8*pSpbdp5ph<*b?);|zI`$IGS
z3COl>)2f=;tG887A1nL<#%Zj}<cDi2QSEXxvTWXGImdP;Jv2hoy4R=RpB99-hcsj+
zRQStOs!}0J5I~$6MQ{{ZG-pvhVD{*)1VOZQ5z<0p_SZA|2xBVPQWoC1J!(zKJ2i?O
z)S9Z1{^VnWc{rbzcZj=K@O-}by-+Rx;DXlow!o7(>g?Sc?HXG_fOG+!2Em329_)-s
z9glX|%alJlR13k;#sI4{9t_#OKbhP-pCI9~GW;sbX5f~<9J<TCeV{5XD$gyC#cx9k
z@47BpHw3#8lYVI}r9onSzaBjT@aEnA5%)ggFIQ>=9wYDKZyR-jWG_KCQroGk66BuS
zeb_nVNp;?(#0jLf3G0#VJws7;v?b!TYQc_+<-@&{beG-8s`9lOhuFylDyDR2*xqU-
zfS=tOH`_3oxyd8=f$dFm%lT;@5HZ&a_S(Au-DHjsyY2<>(hN=m{<h6=!L1{<9nNpK
z!yZ9W=(0&Pn<Hwtpw>-~waoEi*d{&@Svt4ptR_qQ^VI-y`4fQn83+0}9ElD?NWyb3
z)3v!Wh3%oH(%1m~9?Ie)pj_aZhEyFO34%aoyUIg-E0|0IaX!A7k5)ObbtmtwKo(%V
zIbwajI0M+)x*-&kZV5z?96^$0W5~9s$rRy>UtOEf%6&ATxfdf40|bv|%itfK<e}&)
zn+TVw#xFZmt39GTG?iTdg}{hK=*feiH7^n28O2a~#l99%$8WkH(q%db3kPVS2LC0$
zc&(h**+0T>r--;%&9z1DuDH~&s|4)zF2XSVSvmN(mV`r#G>01h75_Fc4VKRr8&rUb
zUEtAX7<6@P1VM^PL_Qso*7aQHCLRf+CVvnEb^GUQhI&1XG#eAVCueOGp63}=C-fSx
zISl4D09qLu?ad%@xa2s^;2iM@`E>|iYma7z>aydA#ZIX7UWd81T_991QXfcSoiUKB
zQQ=3l)hg@-+&OMo2C~9SKsMP6q<gWou*BtvIQ6tfv{pPfT7ke{3DoA$;q+ZD-#+q`
zdMvU``y02x+b=h?etu?l4An|BeHIVm=#T1Rc}cY{usUYI0ndk-U$K?&W(nZWf@xs+
zp=(e#P=;W}jy2!wQ#OaKj7r^&I~PCUPrueQGOb@WF|j(H0axW@UexA4^^|Z3wYp-2
zyjF2M=v^-#?;Wqt#kaw?`s)+>^4&{z^!iq<4`#ZTdx9;dedg#>Byc987^K3^bQ4gM
z@)xn`<lysI23VfWl6<_L!>;dkrs#`tJpr@`yqBk84ou;8N^$1i=^^q&Mq$TW22y?e
zKrDMapPEnD@oMZMFYxyW8iUYT4w8z9(b9KHfSN!{uVi%@L#EMsun@(@l6+G**=c}l
z+^NdBJW;5HZ9H(Df;B=9w+f&o)vG8A)L4I(d=vFf?Ha&|Hb4)XYqWB7R);hS#*ZOf
zgnF;88zdl8RcnrFvd#L!kv2Rg;zpF}AhkGJ!@ZbQr^q?f7_s^EJK9<?c>qZau(p_W
z%Gc>q{7<{+&+4$rO_hdH2X<lh^!uShgNavfJUs6a#F$nej_lW_c|2U`-K3hGu?8YI
zcXVU?U1GIO7i*o@nq&P;++NZ4_9<nG9WHy1g(R2N&$LWqcx?1W<Fg)o;NJS_-uy$-
z+&+286-Io5_Qgw8xe5{XSyB_VODHVr5M!`{stAPd`SY)poIQ7qo}xqlw^FWaxets&
z?{uFhVeus%QxfZG4c^`M38;E<+_VRB5!U-WJx6T&AOJbz!~n=dA@+`ni|N`~_m?=2
z$NMSoEXaCfXn_CWvSI)zNKx&nH%cEq7k3)<gyE({&1f81S&uqgB&IkhR^p&ZyCLMw
z*x+y@V)g4*m2V}oW0`V<G&C8uaK5pf54kU3Qu*BgMj}YBBgbbTcIrDR7^Ks8GA*0f
z&cijjvyF!<82^5c?ssqa-i=Jps1#rAgL3KEwnO#9azo{dIZr9qrHEoDE*7&H+S&rb
zEWK*eFyvEq{N#Fx{UY;p)VdTz*RCgdHVhJ4G57m|JWJ2{rgiff{OaNC^B-^8_sv_a
zqu0K{CZ_|N>j^|WH!foNWIlN_U@f+Z4%MwyW|7~w(E_4-Tzd;C{P-}T9;(e=iHd`C
z>D^xe^cuQ%h><eGS|tb4NDy}TkOtd}8Hs>u9^wM6V`*8%4~7&(DQ?rKrta8$c35iR
zGlo_6D#)L4MILy~gbG*;dw_@=`_9)Ekkb}?=LY>c8@NsVHs^^}D%5mo;%V#JRT*1o
zhiOV1I<6EY>g!-p+UpweD9H{J>}kF8)KZ3I6j+2SvubT4UenCbGoaRPojfR6y1H{m
z<niaHCE9t#78T}#yRs`;_r99z@H>WG;Al*5b|khCfG*w!wWRNzA^AvOYvEMKmS9#t
z_&AB8UhlLKYGu1m@xwND6<3jtvb1QalS9~}gaie<>hC@qZXfM6%K>^!kdy-h=0x8Q
z@$Lm-AKZ{h-}^YSwd<&Rl55|CDqe?7ZV9;#b>@l~pGn=Mg-h*I#DLQprh=p4<E&_a
z)9ylX;?Zw6CVW#WkjX#xwqK>#x#W;?lvifUzOmFn%_O`edw_OHrP%_i@H-1*MZ?0G
zz>HoG#F%`l8;#Iw=u|7Uh17;wV=C5HGUbqEaC5GGB91FoUXSkEaAk3ihV+$%MX!G4
z-IW!Fmk3-r2DY)=72kVz)W0+^wrXwiz%=n(|Ad9dR5MrupUIo~9unr~&9yYDd|yEW
z$*Cu^LKdmO?oA^vD^tJTOxo->hRCG*u2_+bnmMDH;no)l0rDekWr<`!QF=P5_>i=1
zWS8a?VkWDsAk!7RMpsyD;%(7vDsyAlcB9&$rBvS3WIRGVAxZ|BLrN;nSUV&w_h+4|
zHrUSC-M+E^Jll@hMt^xsC@k7s*v{_Z!%#r~?9rcs3<MXQ+aWnZ9>tmEkyxXz9#jVE
zJ4`i3lEktz&WW27j&vW!5=q4;k^_(!(%dULNC*hfR;yDV*NRzvVpv~X)n)ag6flPR
zQAl&m72bczPP}qou856^x87RQF6wAEHFplxXAOburdIoGUT5W89a?n3tyUX6&>5(c
zSjr6X|E9tW^Su?<;g6G9$cVP>nSioXyrOMCSga9tB5sUZQM`4yml~`gep!tp%kHui
zM`*gtWcB!O7g-N7swpH_k^qp7Iqh{j>r97PVxx2`Pl8n`rV4<86E6z)*)W$yCGnPu
zWrtp1{*gglT_xcELJf7hY01vp6{lCTJ=$kSZ)4}6&TV72eDJ%clBOp}78Dxvk>nkO
zty1&!X~fJ<(7C*<=H1Z}zFn9dHg7Nn;Nkr;MsnDqg3qtSbFHyF+G*9p(m&N4kPo*o
zXnd{FYC!$&R>LX^YbLQ$XuX=j=VIFO;v0j%3oVi#;<}?*{34{v2XqW>>us_xX+?~h
zmwGHu;az5O3c|Q{mmt(kBPG}+D&3VDUliT>e)&9>iM?r9hGt)x@4&Epo+TiI{KyG2
zft=XM%(0B{Jrf_wY7U|&7xZMv8(%IxU4xdi%%y7za-8&eCOl>c?+nqhEX)^p4Z3+%
zOSC>D)Uya>NWI#8R5b}NLHYE5BudK`lAAzILnRsY-yc+vCs?wAqCZu+UjJOa#o1xO
zLTl;_AE82qwd4do#FWKMPPF4<2#0Usd45pG6NTI!i70h@u;ObaIwQy=NfU}1!TaON
z7JXmw<EVX-Kj;Us?%qUhb#7loGzdEmZy_3zEmWGXo|YP?SY1MD%BoY_AI@9tZ%`9l
z>AH1ZC{Zs=1nx^QTvdd7wc`&DA&R)&{K%9^f<QMey{&P*rOr1#BS34AkR?0Yu;{hh
z{K%p3MfmFxJi2jrwtStP@2Loyx<s>Ly~aVuw2$};>xOPcIZL7SRQsVQ7ZVl#Fu&BH
zXvw!k-&wuj^C3->JdC%pE!mF?Ilmdml4PjFi)tdp-GZxHp!pAY7y}AOD4@GjeX#`a
zGQZ1^lV*m)c6QYGPE=br2o&AYU}2rOwJ*kEyn$k}IbB3WFx7t;FD`)eko(o%CJ%4K
zN=H?xogWo&!EtHoik;^sGi5-6tASD)earhhP`aX}#c~1b;Ec3GBf}DXUR*(4pnm`R
zqK$03*AG-29g8UsOO-#U5o8EsUd*Mnu!sHCVd-XcLX&CPcI;5@si&<#yCaV5{^3Eq
z$v}0aYKYy-ot>UNIHlo=`5m<IS^CLSE$>CmS|gbZ4%ni_J$EFFVQN8F(h|cb&V$L^
z_$!0|Xl+j)=F&8B{flMe%Zxzt1%u@)_nJO?SSUzf+0N!!y`yO3qKx@ZvZ+}E=Eau}
z<`nn*jy7p#hVrt+<h(R|poH&m-(74Li-L<sQi?oRefBkJ-xHvIo*DQ^lc|2nD;mqI
ztI2LW@C$4=6l7{Anj3+CnX5A?%71=1om){N(O$}97O%&j5KQMXarNTLvNjDj=V1cl
zF3TCI{A5mD7K-~tN1N@%nqE5ZBhBfBlsuAnTSBz<8&|RPpEWOc3y8{$XeXY_-6Z<j
zcNC%SO{dR-9dXfK%C(YZCC8=0h9aP-UKlpeVDEaWCq9dOC$gNwAj6v82D@}pFNl#I
z;Wl0sNo~6@n!;4ZVRBMg>T1a`Hwi08m<_|;?>Y*9-|T4y_}xJE_OM$3lJyL}?s%WN
z{m@2Hs-}gIH7~cJj&1*NBHK4^_e6R6mX9wqXR6&%1rHJwW6mLEDO{EIcp6NBG<^Yz
zllfzq$q3TzXyh&}mJyqY0NC}wIRV|L1iAD{u$V6OmEQ1d=JOaj&jAuF<b1y2Zfjx*
z?b-}!eVr6IUA;IIKrDb^{e_y8%dyZX?oLg;Z?`z*GOzEaqD!hOc6yvUJ(X+JAiQyJ
z@~k2mvweot>R)<sVCY2M62f~$*=-j4n>6z{-F7_GhUg1p3$$`>A!7>z2xl$^edSCU
zH^w=~u82<!8|7w(?-i-%eoM`EiS<vqy5sU&h*^RsiHJ20ITKl$f+<zWJ&i|CVcz;@
z0F_`0UW#B1%%q3vzEmR|7ccNV?qr@iAC&P-T1po4_J3H`nf(-T{cOWtC>>q#@7aZm
zoJUrVPLkyrm#i*P-Dc3TU@b-!&W2F5gwF&<OSRZ)Dpr7zKs^ka0hf?t1rOUP?vE52
z2|hNA36_-WD3Z#PYxm%jGucFr7U{J2CFNA)UQpgY^)Zxc0Okjk?4*k*;H*}lO_|1O
z5AVJxmklXbQb)9H?wwae2iCCE+wVRzzPxkBt|I5Wh*ajZM_=oDy3zNrZmuPI5ZAPZ
z1@T%CtC?6D=NM8ZeLZq^pR`YCl+Mdx>qhy3na@PSwPzG$^IlVWGD}7y&(A2dh|$|r
z78SM|urH-W78r<v2*9E^u84t7>fIR|?{#`9HoFF^lH=Y<CL2VEuB0r*$CUOqKhfb0
z)SXt3hjIlV<~rT$DHaO1?Rry<h;})*zFr8YF8+|UPVv@$pP-sJQrs&9ISMHq%XD?E
z5Wj3QW^b4ge3`MWEc=CelY;ywgVOykc0((6Ww!>9E5(>8NoBWp!L*&%_1i}~<KY3;
znF~hRUL{pwLi0g&s2E|X>MxEuX}lm@2#FKR&&XpuEOR&?+?xb?I*m4JN4_>Xm@B-T
zTO~`q7BZ)H1<mn#cI|*Bb~x*?;-^akt}#g(UuV-b+LE7zT16LG^A1rt4L{grRDZrR
zu;zCrwmh&&fzQOWPA5jI%&k=CoXp<jMCWqj1HtYxge5|pcf=tNW+K13TOAOI85>7a
zom73ct-JP4u<VoTlmVl5@rw%aHQ+jPNoMM0dbQB7Rx1s3>USL6OP$OIXR>xwngskl
zMQG2~O1`O@wsBv|y2UvwB`HUpk9_k`AxT5d2<{pQ%ba*jEj8TQS4MN2dJq-TH(N1*
zl6L(~U-P>Q|3s^1f7^P~iizz`nMBLg%bRt(aLRN&FGQg4S*?{1q0>bicQ}((uANoo
zq+Cg|V}Vllj7(j<+(URO)WeY#_RSE{HX#C*8q17L<btP~hm$-?UtVIDGKj@<w@Vgu
zc?gpR19c+}PLEeJ3&V7`c^u61Qhhx_4&iu4Y44CwP44{ykKYy>D?D)Z;pHJ!uXK0r
z6tmg*WDZuG#q(4k8arb^$I8myJQ@HbUK&rO!Sal28PAbquGLsiAD1@WDeUi6RXGeV
zXJ@rDBI%?PAD7yOQnP+<rdORYE;$H761<Xyy_;i7x|5|^{dp#uk8;P8*-SmuR~GX_
zU3#ML((#W5?2ufjx=^1-55)>I2%XPHu7-o2_~X(ZFQamPX{|H3DJhm`Gb`|cTMZ4o
z^h^Cs%7-F@fN1}K>b^sBz%R}C=h?T*-`ofb6Q{DSZRqNq3a+$PY$!V4TXTU~eTU>`
zAd$TIZ1O|j)PeteXsCBJixkV=V!=0k%^LOA!THSd?l$L~J~W9tnfopqiK=~iAhTE?
zF1YK=@T8O+jnR`U+*pg#%71;ED#;+`R*w{X$J-;?HiJp1DRLES*MP~iBH|{ue<K}8
zcJ`18)vuT(va5Wjwq<|(j_}K4f8sj4A>i#!1YcvfU5!)uZ3xzry4-!+n2U04KoN^B
z!z-sHbIXSXSk_NIORVn~%w1>id8tIhJvw3~2BPu}9A(^Bwzz<^jx0&E>PtV`wgT5U
z$WbwD{v)o}6{uCiSl#284u>W*UX<+xXO~j#jye>^ELh+BG(y=aK<c@kcXV@Z&P@3r
zYn{Q9Ihu@bB|cn#c&<o9NUMs4EyPV$YbtdjVpRYAZCGDw@cqrpyRIFoQty)^mO6Pz
zYcm)*@q$ZFK5|+s@kN+oa~2?jO>z{SobPCMR+dYC-R;M<kYf+NMX+3@_Zvc5?=mh9
z3#Jaaf2rmxaAI`9Z=~C+QIvEH0;ZQ3iKc|Duqs%nhRvAz{eq7p##flWNlT*)>G)hR
z0d<;n|Mf@;)7rgkUL8%P*tZEhqM|~9+CB&omkT)R`Sqj$4HkTCil-iXI;I?ExE*DG
z$sh6?oh)XeHYH<Ux&UBMVNl`QbB}S9L1ccQZ-$c^xN=2;McsSRe1Im{9<ep6-gInj
zM|RSt=5*|@<XyoiAW*~UgR$84;M+GUfE<n&z1D(up57+fKi_*18oEiYAP=|jUA`jY
zsk%*CN<8|eBAswlGX{#5>zTzP-tr52cGFE_TBMAM@bT!)<pOV8CmzlPjwb!gFFlBY
z>~1!w`lPRuH%M6>42Mrqcc1gW(ATJ4@DacpW~(iQPOG(-WXtOMFtxOG=10~^8djhT
zT^!SpH1dJL*{`42m~c^Y_>2yI9up_`9~CsbBgr@R5VWELmPx0(e$XTzp?Qae-@wV(
zI?1Sec?wyZY-iL@3PT?6tkPc9&=mC<>05bvO3LkJ;3&fv`|GftutK}2j@Y)a@?)St
zu&wDHI;J0nc)s4yE}!8caGtx&g7x{;6`I$2pRh(Y{mbKAoQ>oe&lf7c<xtnPd05!U
zV4t3%!e9sHMm1AZwOO*i9cPT1_7LSKG%Fm5>!qx3S1#&c69S%MOcaC`)vhbZeA~73
zZh<5kU%^ps)Ccy2(ba6eOwlx^ea`JeC#{tiVCfj_xch?Z#zT2bXk%EiA@wy!4TRe+
z)77PF%bgcF7ESS2a^5EH)tJ?!i}6Mmd@Tl@t5F1=mv~a0wmK}sx>Uq7%44zDtEHy(
z=<^b#=?jHzdI$B}klUYFJE4)o5%~=qJMT;Umrfc}->vkG^jNtP1yy}@I~uB%Q+sim
zwyXj=db-qm@_Dn1H+54d4I|)W%2by4uF?HMMeVaBNAwU4@=4@d#FN|h2xhzS>vj~0
zicYvcFv%zPn1WHHPD4?o>jGQ47N}Xk<J_RGUx}wiDsfF?$}5UTX<mYk1B!%CzGIb2
z61|+>l1TWlHBnMxeo$79Gn)BO@GUV^ZwY-;?^)-augm5G{18S)!B74wH;%)yF<P?2
zaTb;r;ocb(59jrFZUYVO#$Pi$KB1|Q8`li;zp0rkoA=(WCwxZR(mbV@=nA;dl8b6N
z^syL;A`^bjB_@UcGL&BR?UTx$2ZcrA5Z;H%!|?{bapQ#U9<*igsIek=?{~}==Mh<+
zsYqK?dExzMrL~SDuink%u~DlO4RwAT2$8>TBs(6hG>4_XsTJMF>^*50EwgFKnP<G+
zX-_ONT(iTncTRil^(BW`0R@7CQS-e$TEf+Csmu!JsQTfO`iy0?DbNZ?*W9>ajJ57h
zfBhqoAg6%hhgG=0kGw@s<r^AebFiC?7VdG7NyZnNHdI|asc5u=osr0{zhf`ISZLn6
zN?p`A^9km$D^@|B-h!-ZcAS||+#@#~iNG~t#5rYiW!;+Cn+y!lKfGKEGN#9Sy4+)^
z<CZ^&!w+=hE{g6~C{2w#%*KTWd+e^PVHbG@_I|=fesB9_-Z{70F{Tud?)|F!SBeuO
zn0G@PnVIIU6>=x?{SKa(tlv^PpV95p&OcKbcrv;mk<*Vfe(LTlW=DEpugWcBY4O`6
z?YMf9@Zo|GWH@-uW5xe9R9$SBv3*D|_3Pa*RL@#+D5{5OKBHVHBR6owdbj{j?Y#>-
zp^WDKMu(Ja27>ZoemRiL8om#%z8N|lUC^({zR6xSc|)P|6;3GEX$5(SDr%`mJLXz6
zJp1|WslCzApZ&ByK&zXSaZ9R&`$>hb{)u9xyAYI}d`_?N>4rPq-wylFpI?r#`|ilb
zRHozJ&Ho;+`3NLg^lvF!tp5H9_~QQ?2eK92%ecDur%l(YLl6Z$xAC)QRqX8XQ$uju
zz&~zbL-gzuTU$e4-$sDp+;kg*4NS1h6=p*b_l*BQ8gS;4f$mNvP@Mo()O?q*_bmbf
zb(aTk%)kGGWW*)|0s41#TwGiLmIhT(F|ji;GCCOdt8^^+OrEt=c3U4O$nm>drEEDF
zWW=QC1RWx?VN2)ae~{rpk2x}<I0#yPa($<OcqX6M;yVit-NzxCJNgSK-UkxDUnm`K
zQ1DXOuzZ0)=A%}AV;q^{?>J=H0E#6sHZHCX@*JOAzwwzo=D0=e%Y&-WxM3!Jh-lIN
z{U*ZmUifnFZd(|s__BPB&KAoQahpzMRU7zeaz<x$Qi^)1;l(Ah<0y5h>~(<P``^`Z
zg5KWDWKp)^Uv9AUj<|Kr?n2>|-V@j#zlwa3PQL%_?HH=^_oMvf-~X;m1&)$+vr%fC
zNd1YoJDMV67dWfnHb3K!t_=MBc#5zSi1?Rt;!l4LH%)=lV1p=rVrtxb=^v<h8cs>T
z525I*{r2c@?5<<d$zvW_n&L5YWA%T!z5Rdmz=<&qeW1C_W0tJKYVw=#Kc-a74B3P0
zTP8veVF1ljFMmPoGpJwE6%RB$7c^<|c>`VQzgFX{(R2maFhnv-*lMhX`~S<_Gk?K0
z%+h%A!o6=N01C4bIBdZCS%5hFT!^-klFj|Dz0WDYfnhw|Z>vbEl4tK<fbTv4dUS5`
z>|&}%6oM2Gh+i)F0t{#vfXNNVuXV_cPn2sp(V^q#IIg+@r&pI5f6+dm#xFP2U!M~t
z-q{vS8bkr?p}C0Fk&i^N3%bAV*n$MuseHCm0JaDyptZ4r5_X*&L+RzmktqU;miHFN
zU=0|6D!TNhj*D1*It>RJ<^b@_98_w_#GEp5xY-UF1wxQc1KA4pfk3Oh3IL{V>=>=>
zu8t4Yi(0pN!gdA}%S;=dW$iZoRUhn+A?0NN*0I!JAeLAMtffZ4%`640P#^Ok%q*AU
zH8%=;cO6Ib)tCSn8V~G`4=3z0{B4g-sLVXI3`{B?zofc)?<;mW#VsFA?s{*s!qrF<
z*sELstp8BNwmQGl3=#n_yit}qV6|bM+_A(A%(<2rR%Qc@0&4xN`w+}ba|U$XFX0%x
za~YTf0g!PHdg0=X>HEkiHT>EXJep}8HBEP<tfsaL-9uNTk5pL9G;1g+ZMGEinTg}~
zq)C1?W&sB>tMiE#6c?g@qTv2Z&yuyQhrIQIzq~Z~Lg4kZ-!^Xsv<5UvfpEiHwbXkp
z!1dyn#Cf4<9{cHnf{cI(h==sn6-|yb&$lLlrIcGcxTJ?>@OQ>{`hIEwm@ioXJqub3
znXl@McfOs1<JVaNk``Wx1Bvh(y6utpK@jE2HLtE#!}m+`Rrnf)0pejkk?RETFg7?w
zEwfCxcE7v3*G!uFE(6R#I)J5yW#<oHAQ~wT-B|z{xOEA<CKGvyUcld5@eq3DiV3h#
z?yW)WO>_~Dw)=iN^!v-b{e)_5U6;M3o9amMeG-hXQINnTCJnbzMZ&(ijn}QcxybvP
zRi-6y8W7+KN88UzfZ5LHLwnX>wuI51G>JaPk?={|mEoeS9=bc7o!wh<?=5E&E!KZo
zDS*l)-E)7uF^W7~aq8;st^w-7za~K3g7-dQc-TgPUl^I@$xFw5-2dGG-=o3e^!?`W
zRdoQ1gC?o+kDVl6#UjntDZ4s51=RRh%)yd-_3(p>iT;wmx*HG^xMW;rskQeuzSbit
zbl$~%x88ZYp$BN_5^fnY#BI!JPVMY?mV67Hw&5R`=rRxM`^PC?d|amhnqxW}q3fcC
z#>UCa&mK|2zlZa<0K<^1gUs*FpA3c`%)@nT`_k7IUyASak7n6U)JlvtX9zp#+aJ3R
z$z$W!a<iZ_qz!+2qm5g}Fn}+t1--Ge&1#zeI;^};zoX?=m+HagmS%xQ^Sfy$BD)Rm
zS~DrY-9L8nExXE5?n1KWaYA)$RCW({)d+Yk-`#6x4IHD@khB7L>JK9&^%a!iW>&Er
z8eXlWfD8WB(~+WH^#E|#@Nrxm4pc)4NMI8D;EDBm?1TvrlrBX4__5`+-6M*3NuqXS
z0Pc-{d-N}4Ss-734X0fP%!8d)EYNFouxNPE2NIVxfNjLZ`inY`-9hOK-Bb@M0k#+2
zHdp)|6|cJcl%pS%WV$tBCU&nk7kgv93H6&j$zolNQ26caLtss_u!nn>5z_?ViC(Q#
zq5$8ba${vlzCT@{W_TKW?ARHlUB~bfNcop7=_`Mbc2QA$-J*f@!GJml37kiYXSQ;R
z-np#yN;{&;U7S$mwP5u*+>3qt*6*QicN+b-aDYfiUI-ZU(~uhwT?gxV8>F}~8L6j1
zo5Ryjr%|L|mh9#PM%Jco!5=m`U+!Car&E%>II_QCAMtYu;G7_XeQ&VTSj}N8Cu`lj
zq&uS7xN*tl`sT(i<iNb;eQJ0V@AQed3GnjO)O#u~{Bx82dTfm<IYi$}wb+;8mK-Np
ze?o6o(l?6YA72eG0pEP=Wg{pcaP)cc%WBO%=075)|4vrU?_{c~=AZf5!lM6ox*Wek
zItbWV6lS^IU;lGx%U)z)JFEBq$bo^)vY`77Q0(hi8Jeh{s|Qj4XT$?G15bv8KY@Af
zl(_{3Cd$gnle<N~{c+J>bY%NZ`SN8xVBmZs$LY(HGjsm-?^=GDx#xZuxXpvzf)~VK
zK;Fx6@T{1{AJ1W5MYivxFH672N%ltBSLg2!m|P*)TK*yC$F9aE1LGMQ95n*l1c2}+
zWj$wKd-&b&KZIK4nit}=JKGk=hi87i{3skzykD-RTV-6kf~<dg)@BpYn|kH<C|vB^
zX+%5*RWPs1yAB0`XPs@2BgyYga`KAr{jN3yFZ~}3-OMEl`<nQ-W?Pt~>?P$N0Y5-E
z#(r6W<G4MfGY=LgXRz#gptAoA37?<b)#pB?yu1Y&Fe$oF{#CtvO=0>q?H?~U$et`O
zoA-&)1u}LK5Z2jT@P?H9J_k74$Y9_i$%h~NNx1)Xk&SsF`-<v5<l&C~nM;3|6>CmH
z&Yq#i@pK>jq0uNidzo`nuF#C1nz|64{QmSmMjXwURM4e^H6OTQ+vq=s3~-AD%b~LF
zYXGJD`wDS_?A$Ty@7-&vzs%D=hv_AHAkSF%%kDq9%)l%6*zxzy6{dgr$+I`P0diC8
z?#lm)@BM!Eo5yyzRste_p5!klexwV=T=wJP;{wxP{`)^)eROR2`{{}EKkoow%?iPc
zd+??3U*-~9%zN<JuN{8^ng9B`Y+7KVy$aW2{paaq*{qJkyV%N;|IF!t-!ItHF45;m
z|J!Gujz7C)ed-@~0D|!c$5e9ehd;5}e|-i)zaD?4+IHsOUef<%FA(-V06;lQJstQ4
zSZ>-G{Ns)^WkJsK$^Fy0b~Nyr%O*NZesE7O0?NTp0M|=Dy}l1Q3#@~Hj^EvJhV~;<
zgs-r~j~Mx5OUb*KIH+8i0N)2aZd)q-e;IoR{4sGPwadiIU2#fPpwcxSt08Tpl5qRg
zy>9^Z_RvrLhdij|^9l;yc%$~L6qx?-n>>4_90mPk0A%sLr2Bk#cN%;D25drne(`}8
zwWiPUO><l#eg^_7?q}-z-qoov|8tu?K?b>|d0jAz?CU^|BKpP2Q`d>Pd3gsTHx#34
zfRE2t;JV6gQe&SL`ODo;00Bbp?8wON-OlU{%+*w@mxr1w!KTSwqwW@`C48I=Y<{LK
zwP;2H-V0@^L52A!V7dL~%V6gD#(%4$y>6qOwM-*p+G~F{ENs+!b*!ToI286TrbaEx
zkQ#c)Gj*RI?ei0mKoXO6Lf?(g^=T%_&t)#e1sg}_WLD<;*;o2so*IN*Gdo06EK9`U
zSqz|Gr0FC5s-ytIz7F7w&=T0Dxe$$sbs5q@GyxkZiUuBUQ(NZ1B$D)0el|HQSyf%V
zE+mD;8ECzS1D5wEU);Jivv^It_sp72QBe_c8kk#IOTm!e_OzzWVFcl0F5NB`)ptSi
zsp5P4X2OaQprgsVEO@F4+Vxg}ru8}oP`tiMKb1eIs;at=UQuHPa$>VS+<H^eJh$S%
zKDY-oUjC`J3e(Sgpm^;J)w7`F?ys_Ht$?d&V2K$m1In5P`+a~3Rt;kMPP$)=8$FZy
z{E`LjqPR?yfWTC=Gl+MI{`(fzZLi&1icOBPJ7PHwN_ij|)BZR!JW%)h0wP5hfZZFY
z2*i}tui>$aXds!nTwVGJeQvs4JYOmHR>KQ@jSQ+hlzr=FdYTNXan#K+C&0|rsm{6b
zRmqn0&YgQKKY2rcS=@qrPAhxTtmIg+j#u!haOqzWUa9Uc259R89Pkr;Hm-pw1vN_`
zrvI(q7m}aAKlA1lo$=DNYU;haJDXtCczHauF^;{Z<_rYfx2|aL1Cppc@ZfQBUY~5Z
z*h;+5L-M7?ysIHihLdR&M6uWeIxE%ZYTs;`U-;ttkM-%ROwc9fUst9IqEq@Dd{uh@
z^dJj5E05Nm^i$@>pxn-up;C5sc7E$SeE)pASETL(Tg-~?Q?%0ua|cl&J{S|=o7Jy~
zb&t?t-g%9?zlKnXmPS{Ge)-4je<9m)F6Kfkxru+sbR*QkYtnt~z6mB}^V6amg}#te
zokw~h$a)UX7h(hVr-=aWD`PMWl(=bifrwP+!K)6t-eh{?ghbI~p|n34y#F23bhm;o
zrJaKUk|S{6dG6x_oB&FJSZl>>L^hHHg#Ah}FBv9)<ESN|Np91|C-RzjB{qsqk4-J~
zq}Vw)V2&OvGKsp@Xvi?nVh|+a3E-ZASqmaxuLl{}I21)dzny$C8*+wfA}`J7a(9X-
z$^Z<p6o;rnV52Z9lt}+Caqm7Ha{QKoIp5?L(tQTQaE`N3V5w`8CSD7;b>&{MaTaTf
zVT@9~o=fQM;7|+TzXk&UiBiXr;<_gtml!-7ThyG9!xaHP-Y6c4&YL~!VCOplO(S{1
zQ(O-#fTv7i%fdN?ddgm8%Kp(Qoo|?Qn6Dwi7q4)hT($5n_rL7I2b`MR!nK2Ye$H<7
zDImg*Dl^_iyVh41Fg^mg_4vcirxg4E<Mtj{zZ#;-%>X{0zYL@g0sCe?Y2OeFp@Y6u
z+dpY4e~n+o&e7G5DLv(57pLWx9ZN$|F<s~2h#pNqUUXBqF!QP4n#bwP?2gKRmZHKV
zz%EVJ_;!1-PgG4A30!)~CQkMI8GHVB3@IprFyN$F$?MnWt5PVwCfNQXHpyH%7suxt
z)_w6`?)xmA@NsCp7Vh5k-=F;XFWHN9AhbTs&lvVM)!hHY<p2LV(705dPp^2GucYSo
z#FiO%)i*cVN6N}oxw%z=Xd>ma_AdvM6oZj<|MPHzzH`RtUe(|(@Bk@uYZ<7kYn3$Z
zO;CFE2v4nnj(Y7(fXT&LbyrH0TJhmVPqCSGI5ujscmZ<=GUAD{`n~tSgtQ+_Xq+aR
zM8LX;cr17_N$h!G`e$!StkqQC2NTJ}PUdJM&3|XWvg_;D4a|Jbc3<>XAj!L4Em?B<
zmIh-6YtQ_|Lx2`l4MgHy%Pa8SW)Y^;LMAUgdK>ydmSK<ZMWnk#jspvH$2^t9IwApv
zt>P<y05IXe3QDGbIsiYCTD(@pw~xE)f2a#+@`(P!4VWEzZ>`R=<1tW8t^?LMEdqjq
zYvDXZml6Y#D_AEeTyjLk(o7zFX_lt@EDYNCS<TJBM#G`TY~jQ03Zj@ur}F=-rkTG|
z#C>2J1|lM><94jLM10dWAJDk908*V|qk-xgGp4I<AtNQE_W+8xHLeB4tj`5&r}6Ue
zbU~=kTt4t{o7}eq_<pY}HeD^TED%%}1B0-w-KT;Ab;ruomt3p!D6`8AHzU9%@yW)H
z{osU7|D&f^PR_cS0P-==LaqDpgJKW(^PSf7dd~Zs2ik_C;r6|~vAsQDrD<#)tl1#c
z<M=;Ud?M)dX=PIy$L$5Rd>QUTcK^9H83O;*VQR9m68~t;@-^vd`IaOAkhS$#=-%nV
z43DD;->1H;jG$)-_u-#IFEBZmv{ps=<uwyQA|JwxB0ez5NU+U$=<iH<*$<22)O<GS
z-j1Gzp=!sgn|DvXhhjz#ofCD`#ae-c>2lx!X(5GcJrS=#5IHXDR`(%4)~qE9m$(27
zcfO^udALA2-4jg!q@S+?P|ah=(sx(omRGbI;^V%^jW`$YD|aalulg=s-1{D(fftDq
z%SQ-1kBxy1oQl+78)@t{7g=u%a7}9%u2|>cuhE1p!$sZ7@8(`pP|@*6cBAWK7Xb90
zEn_?$eNb;dFd^<OjjAs@U&^I(3k^z7M~hL+8p4q4`Vw#=VHz6Lt`~4{Ev)9*xCMvt
zNb$%jpx#%53hhUTnZQxww+i(%_3e|{Ao?@`Qq#^rDAjM_U3qH@xo9=;d~XXl+9Y@K
z7`wRlX<Ng1Z322EmCe=zj6s}lJoJ0gl}K7$FL0WYUO?w6Ssdoa=jGnc0@gFV7bI36
zsVFJAFN%*zq``m%_SYQPLwPPJ>luZ`Y-jdyjkLpfVCFtip?&MEK&<EMnLwGoDHIcd
zwQLwU0f%W-G!ynps927WK&?Q)USKErt#%8esN-Wd<Uti-j@4jXj+}XQB9+#dH2}Lb
zxq@>0ww`thNJbz!0$jI-?*bu=Gl7A9X%ajWwwE!<!fw-_%&KEceRmnB{lCTp5ofB&
ztOtmMrI`|<TG3S>%NtBWh0TPWq3bgNLW)xbVh4&+hJTma`ON+?Ra5JoagF_apq53W
z=PRZQ&{xzn>>M0uzygbO8Gq|aFlCdMk0Cxk7|{|m6sl1UDy5#{#{+T2dKJEd0<Pb(
zWLp8HW+7O%c><5cRf2-&3^}>yS%6}#uXBmsl}nsurQYlU{GGXIb@^br6X2>ccmaLK
zO{2Bft3D1e_{k;Ws4lx1A^nop;2Kiil2F2}Lr5TaSl%s(2*RRm&jt6ODw+E|wXXi}
zB3Wfd$yL-Pvtnm5^xMQaAhe#YimW5O<jaGmH2nHg{pyoUkT9VdO@&s<#lD%lH#JcA
z<>>)A&nC}Ib`j{|o-W>-@|N-DCC-Lugq%TO%fAGS&aZCQJby6mRH4ftB-tY3GVw${
z)bCpeYs*u0$RORA)>G?FRII6fe-tbi__Y#=<8{1UGlIva)2Jr3lva5c9(!Pk{E$^v
zYol5_k2@f3qTHyuj&(HODxM+^qHq#v9VONaxu!S{xCyQt>0=$_xiv^oFCpGb<i&S@
zNXrqB<CcPTV+r|;EXDqa-BBLt8;?%r+t0_y8z1^cF!1jL@S3nNmL*%{e;Wh5gSn9G
zyF3l_vx}oh!a3<jD0p8Aal(9J%|gFnD{A|K+l@shuLjC=;`dWtU}bYkG(Xg6b|?*$
z0W805`AyJhnZritl>~T%Rx*2RQOi7>{@X@<lTY)zK-TwbjDmZDtf`tOa-kRz>5WW_
zE&3SEg_oggW#$C<lowh``rb|#f0wrda8N%?4%pNi{X)RWte>Lqbk^Ef4r5)wpJ%WM
z;*?h$mp*)H97G18i7Todpkf_dJPsqXw6IOv$$dxtbrkAcDL20^joU1W-PV*{08!eu
zFx{$_>}|ZHw3xFi2nqc})LKI$k2Ko|xC(65rvxLQHG=3kNiOvC<Xh%(F-OI1Er0x)
zDA7;jURI7opa0QbXJNRPdT~XzY}cokl;5QTnG*#fL6|k`KN4Ei6n9t1Z=WXPxlV~b
zGf?k{t?8t**A?kA^e)pomcc)zd&~$x|H@!fOvOsfvd9H)z-AkF&!%(I)ZXAsniUN5
z%xK!`^yua4v8ceW2X@<q_9P3p+HG(SJzQHpqJKoePoeEdyxv2)DM$}72+n?yUX>9H
zrFg;hE>AWhd@rk^IXK(8Kc*3+qUah23pmW_Ro5P)W#dCeB15`Wo(r94vV?b?3`xwx
z_Ml;iPE+ShobpJqo`1h$(EZvhwuO&Dgri0u;-FNy2bg(qmBgbTi)J9bLi438c=mXv
zK`(GqoaMPw8kkr~B-p!(LO6u4YLL8iAB%B6O^R)vdDr~c8VtyWwvJ0e6jRthDm~+7
z>7I%aest%~0RIo%H2%@&%bjOCS$-YlUpqG4EhxZSz6qA0U|C{trb-*+-=whT#K;@5
zTfkM5AG&f5OW`C}Lm-T2gx$a2W33rD3?yJCej_;Ev+z0h=~gk5k#d9ox@q<aKtU5c
zB7<lP#i^gnOA_?HjW!b8lYqd4e$}|bCEf>khtE#F%O_U%Vhb`Zhl-f*8YILgR9G}m
zGjVfX!lVYX#f3T*{m>PyiM=|_naNO-hbeL@%ElC3^N5x{bpAXlpp|*E2}JNwvoPa)
zwyf~-f^f-@YkrL31#GW^Wm?3iR3?DW*36;ROEt6nF@eNdy`pFH{dY7h#tC|e!zdB@
z+Z4(^nUz3lNE)NsIuM*~6(l#lk!ZAGRM9zx{}G$zwbfx~2ov3T8btY7)hqUk9kr~(
zFF%5)nDCfvt6++Nl|Hc9;EYrpodBf7^(;m|klKkw7~+ymh0&R^x5;G+e?Fi<dMY>G
z?)Sp|aK}Mf=MHSj5Tz>jz@`bp{^9bo=v^#FArq0Y>#itiL&WEAg|(OuAX>lIGg@vk
zw;1EQl*N+OP2<AI8!O+!ZBy$!-862OYTtVe!m;PxI!0U$RtlMF5+dN6F{i|)CS!6l
z(~cP!NjzY;y4#bMV`a+NnZGsRB<1o7|F9~Pvyj$&w81ilj1rJ!f+(3os?vl?c{n@I
zp6de=Hn%!@l!isJfU>kol;jpCkYRb*wRbSx=M54*yMyx_HvC*0Z*<O)c@Fd{wZv?^
z)tTDxeT6iDi|bQqQSy(62pZR;%;WFt(b4H>$?^yb3)h&sjW&MMD`xU4vU*M-4Mbm(
zv|7YCb&49gUMNG8BqAn}A>R!9AJOdSzE_BSQDT43goe%p?o~#87BX(q;w6Sy`DFoq
zP@b=P(7885Iw3<E21z2yla<^f#{p&&YV+Yl?E3gO#-(54nDZLCbUmqgTKOv!fVh!4
zU{N<xyE<^DRm}#U&zqbW*<(Ds5|>=-bzUjHg2?<3j}v_Sc_Y(zNjSm!>2&3hJk`ek
z*joX%vIbfAIeLziDuZt2hFK5h($`GiJ@;o_)_NtdxYiHZ!UIJ^%hEK^qfKUiLZ0i{
zx1rfC?n#23ds+`Wv=o^!qI!VrRNhRqC3WrWEbI8w+&_6%?M~UN&%)7>x1#i!zyvJJ
zh~V^VrbxG6%DD9a6>}XTv(w{Ep%3)s1%2p|k<&c=H0ODT>>y=yx6uc77Q9iM6ru5a
zW^It{sJ)Y?ZRYHQabP3fZ2jd1x8eZ}R?K1O!Aki|=0{C-Z|V4)-Vyo$&SX_n^+-nM
z9~FIo{V~OkzFk;h<=>N1|8!eK?-{ZkpQ%lAlVW8_Prh5g?DC`%N7_o*Z)rZ?JEW`a
zE8%?H6!#r67%$}G#v_6?tA>SjziHDBV6g%VV38Z$(CoRAcfN6b%54*;_Fj6z>0qm4
zFR*@ce(~*~sm4SF@P_OBq(bAoGPDT%&+Q-ksUgd+g&k-KF^oVMOuu8r)UH;X7of_E
zsJFl8WajPGseyCG&#CXYble_oX00tdFFA#x=yc??y4^l`Bz&%Uf&A}T@ej2Zs)hHa
zggzI$&3GTx4|Ay~$=8H7Hl)(s>@eR^sSG}io5sDP6wgB|mZw*R#;N6Xv|}3<FS0r_
z&LbzxJx+5O=2ldpXy6j2mQL`l70npyqkU?>A&}?HBFk2l;qZ3(y73;`JU2s=nx*zt
z_-?!RxQ)RC;1Pou;xNxR>DD2;q`uY$r(}*|lA!4Heqh!Lg)0y(36#&+eb^-=*SL_U
zZ7HvCl8o?{MfJiu!@`C^sRvL}g}u@fg-KBf4}D(to^)@n#($!sJ`#h)_uKi$rgjTU
zs>)sNaiVt$xB;Qj5Sv$(5z<5{c!(%;y@<uZu!uG6MgLQelkt-z!gQ9K=J3&jPVFI0
zq~Qz&s@{!X20I9VaEt3nGtTB?_3eNZddIt2ce90KEwCl{U>!~0{%bGS1XB-BzF6E2
zuRB1PHdbW21h3xa?aw_(w&2EJ)dP5nb`<I+{y@v~DkzR7QD<}ik~;@Pa?;vNJS8*W
z9}NNM@Zd!$av8f;Z?T(#8M7wf2SnA<1BnU&t|B9S9hGh~W5nb@6*&Z(#NFw+e3t*M
z=6}2pq`jU<Tzh#=UfyblO8;d8=f_-&bq}774z7T+7JDyV-fEeyvQe=&XCd5Y86HSg
z0Nve4#!2m4VWH1$Si=(u_vmy7kive&?-PCclosDSn)2y0@zCModDPmUP2UrpYh_Hq
zx7^5M&!8~?j7Cp(`qb&ArLNz#5hyxM8;YlPKgv6iv5vNvzc4o@Ia9ne83)O8{@6rk
zCOAcT*!F3ay&zBqJ{r09E;ew_YyW?1768_jO(XHj_Wmthp?K4TFSIYTX_ITjjXQ{4
z9yBksr(VA<BWl#FJ%%V(q4Zv;1cu*#g-iA1do>)1o22jWDl+Sl&vmoXLHGb@9d7+}
zW{tl(&M>=$qqd;RN`CeA2WH{D?ir90ODbkMy&=qKzBf}R1q6$?IH^a$VXs@He`?wN
zY^;oN$<jC$K(I7p3T$tbK6;P8gZwPJ{8>Muxn%ixiw5HMx9H$Me^MxevX5NH;J;{r
z{Gax|GOEfgY8Md%K?J0f5X3@K1wp#?h$36MK@gFa&P^kN0xF0Cl1g`Nq(KFwyIYVD
zHr;vW_8gB2-WcPK@qOPN_w$Ei>s#wxYrSjD`OIfN(^cdzIQH0`XWtD0x4{Jsk))`5
z22?*9@=M5t;S87^66G|%JHp>jbaOujP!J+3=Z~6}aE#(_;_lvHl!z!4J7Z>2>G@MZ
zGkiEkaA)rt{v8dDio$t8kTe|AV(LXe!N$wm{o+Lp<xBCgtG@v-n5IQN`-PU5`Hc3?
zu;9~UG@i^*QAHt5y#jy>6VRFoex8{-r+L<YKhQ=HD*`2OSkIoV0DBZ;+_JK;BqL7h
z-@Te}jGtEK0Fxv$h9ifiaC}C>|8E}N&#rT0WQux6SwTszi%4-hriP)!apB0EK)kD|
zD7mEkH<Rz*;e@`KCuFLOQufd}8Z?0+xy62`*U@Tt#_k^~k&`&&Mu<AMzlnBShj}eU
zBuh^z@2|IJPX^EC5PD*w#OML_=>G6j;8T-e2ytRBx%YJ+^fn_9G9@3*?R~fJoy&kB
zYkD%9`~i5xmw=*rzC%L?e_tiOzpjWV9Am~;=#lsZ+yBvRk1^7z<>h#PoMv!Lfg~yC
z52RBDl2b4}-QP~QOn?>}9aJYJJ#VqntuYOffxgPYoy1TKC#xm)$*PImv4%_OossCh
z-_7S_k$L}fqY7thY(O>8i%qlWa}7j=^w9p2;4tJCSWi9bfGS1x;D6t}apOj`9`1S^
zuuW_l1qF@4XN~TEFc=`b1H2R^jvQm#fg`k6n=1Y3viYSy_1S=boDEzi$rO;Y3kGM*
zgtV4m<D)cB|2>fU%K_wrVkzyx-mt3MvC|p)F{dkBvz^v0gqWgPLzKTlLOIm%63&4j
zQ>zj$00w}VMdo@Cn;Mqx?l`8@FPN-D^vDE)@i`#Z$J};*bEPW8{Vu)p)ianzfg@BK
z{N_y-rcsblJ8LbP@CXx75Vt1Bm%8mww??Q?SH%<QvJ+CMnanCEC`hjsdtvWLNTD!7
zN1D4}Z$qg9x$p5EXqPd8RP4KVU7qtJ7(GE7plq$LLV#-N0MixWyC3XIF+rCsjCL0J
zXw$QN($m+vilE+6h<?P1Tg(swyemD>Xe_Fa+zkgvv3h57aQ9HMF-V!^LA_@_{x6SD
zi`BaG0EG@kM8{VL?h_?zR(7LM6<Rl9du=4Zxm##+S{KS>mr6(O_?hhjW9JH;65^Ua
zt-&jej(W%|zftN8!K)NdKrA<$>dFiZw;wwZ-8gIpNYO=*nS5mo$@#{WPbY1*mpi=`
zd4NhtlVdhGAhcum9<cqU0mt+Jg+$qkPWutR&Q#0s>=aNVEExcmQ_3EcPK7U~DE7uJ
zkh8d^3c#%R)Jf#h9mlzHylMK~HSftTD9}2=*$A>icR|-L2Yf{}kZn!{qAzK$08rxM
zrcsG<@pdD-o26=7x$?0PJ?Oonq(zpb6?f|d@Z<`Sj)3$QL!A+R#t}C8=Hf&UfE<im
zVL3>r1^Pi^3Si#jy9^NaFF*5`@s7f|cK*%7qSEVakFY~)N-*NCMcok1(*e#TKKC%i
zk8kat)!mKpG<-YdH)EqjB86txT|ZsvR5t<bl1#n(_j}4jJ;c~1k-IzFpjCR-xtn2C
zr50Fc->?<hok%1_Bg{uiGUnOstf2=BMA|r`(T*i^?#Zn+xED`mbCev{x9zu%CpJxV
z$EH{vbSVvg_~CH$h66B=XoN>iKR*jUAw%H&#-=BcR0Tm$^2V}(7wQ}o-x8k!lU%^%
zsHm=VDDCJ$c05|dAQYcg=(QbmV8>cW$~Eq8QR+4;bx<sI-UgFj!7T=yB<rfq&nF$H
z%{M_L6AhJ&b0J2x&R1PsZS%0zLwZxm6{;#n<oTbsUUCyqI4<ZgPEtzTXYS>q=z8NL
zL8SABfgDMyQo60!fzxy{-Yay|gS#aic!yvnOgy3&y5C<oICRkL<0IrKwz)=%+2E>E
z24b^?Ti=$qcV{`>r9gK^7Y2S&d?&5on^Y=_`byHKE>YG%8-|v)iZ0$>>9v`N_AbEs
z60e9dhC+60H_Jam<@SxJ{*1dH)foUC|A&gXpkRdt5OthQ%TkoP-DSQaBAQ|F_S^H)
zt93aBgI)DJyPbf`vjG?pXf&?(O2IaxcdSDD)jxEYpL;Cg9?o(9S3|K5Ys1%#fy?J?
zG2>6i-vgcu`m)+a4<Y-*cSp_=Rkb?41g)QTeR09vEyBVhRiL8Mo0tM|X<X@oP1ci0
z#f)p+G6Xh>50sUqq;Nssb+$AQ>f+VoS!}tN?#NQM!Dnkc=(H&PVBY6^#Dq7=QM!WD
z7h|!yAi{Sas$#?unj(j%E_}A?P|?r7^|n*IHx-}(>3hzZ#Gw}^vK|fxuqRIn+q5ev
zd4Id-@^<L4JG+d)yyrIP8nb_1_6OOhOYBD9Si|^jH4`>EwPegi(@ySKKB4qp<J-8X
zU4}K)mKaFyA72+c2TGy=>_!IHT@$P(FWbx(uda!-w8Yjr<sPIt`2Z%8G2aXXdpA-N
zfT>*Ju=Ktvy>sppChESh1}n&RR*eF)+V#9rm<iQ*)<Jh;^P@Cfw*BTbHdjE|$b$Yc
zp}*rm(X6`2^o2-2ZqOD&Yy%+QjrW?pI47*Jro|VmM4QSJ`Wwcades-EQUGmq8kzz!
zVHQUzt^RJ|x{Htp+k*s`-JKnW2|hNJg+MyHAvbn}U7}VoP=r+>a)?CSE|>YCANg;P
zR#Fn2BAoP~%dh0QMopkz3-TFb`8lU$kQjc%O(X2=?lSo92ANucRU(@jsty<7u%>+z
z3OhP!U;nr$PyRqw`$6T?6Fb>EEqUz*pVjRsgMy9x6DC{Z3%PA^j6nT)<g(GuxVsdg
zhR7tdu+>b)$DXcXZ~BuptSvTj@wb-`Fct4EHVXHbl;obnyV6|sTCzNy#;mBB__`bx
zd@q_pt??$kr%$8Sr?VTyBCXXSqvr_HfBD?SP6r|_`9u}V@i{)+F>+T~gLXq;Tmd>i
zDLlnNRNK1Ta<M9kNhASF9$`hqbuS$PxaEwy)H(3Qy>GI>%{ppva`*sKsys?r@qX~2
z7DC011+C<-Ds0rjO7BY0G1W&+-_}*{_>z{@LLA@r&0Bwa(9LImoHvrq%oG)WB&FtM
z2$vvE<sOUGjS*uhl-K3}Z=i`%Ma8~Rq8oOigm4Dem|>L@Cr&sI!~#pZUSEai_*_Y(
z?&MR>n8uIquJxcyjI2RV?6^%l3Z#igHL&GsE^plL;o@KIvot~X<O(sxFeqMJx`p<l
z4-+!$${3Jk9u+u|55k>V&&POWhYUbflwBLu#}z4ScSB~-egIf@!^t`&g9X;{_Hl#@
z_c(@6h*DD~WI1m?LR<+CQ1`G_eZEcmF<tb5`0BZ?b4A5-%fqt@womvw<{Zy#ZcL*e
zlwNLGCXiY~=2{y)qMtdD(rS;`Yt}G<AXD_hdXg8OrF-04Ho`F}Svn#$xjWYy{iBs$
zb>Yz;$$?p1QJ-n`EK*rL(5H&I#!l8o&aU$5qemACuURtUN`_pe(r9Z>%U_`$M4jus
zeY5wuD0y3R^0~32zSw83pR|7`jM7%g=_F*oI@oA!4Xe%jYE)r?ee_8}+=nsk0l6tb
z6+0{C%DtW(z!*mD+D&Kj-&z(Wi!-t?(>sOx)%D=f$FHAhECaoE$QyCUdWkx<_^o=A
z+0sNKGJ~yXX1Y5&Rm_XPv>_p!EZ!)MSz09huAOSSPxZ(1%$+#PHKuYRe=9WnT>4x^
z%rShs041eCvG^$Wod+`~>*?Obn1#tPoDpF8OO(2Ossk-6oQOgxkVvU;2|DzlOT%xA
zo<`DW`cYpo26?s;HoX&mC*B@T=U9!rayM_x3KSg@c4@a_d1K;kg?t$gBM3fw{?)1(
zEcsKVFK>4v%6a+?TBf5OJRUH~>mT!;EZ*6e5^{~XQI}0cbYKfoCTun)<2M-sE+=uB
zzt4)9$&dF&7u(Y9`niQZVUCE2wh0})VJU9#Ku5FY7|)5KM`W5%0oD2Qut9wI{Q&+c
zP)PS0E0-;_XysWqcrjl%Q&8*AKXX<1j^hgQzF9hm%&iQG6K|{+0{3RbTlCPO&|4av
zHx_lm9lj+xi!Ftjm2_*gS_#w2JR*1mF^e!8NNwm9PYXv~N9C>#(mzAyIsGd?`Og%J
z>H-g}rs`%=btT2a<CjOp3m0lwws<}*qk9|EipNxW?kxKozt*<(z#~SL&(Jh2rP=|F
z%62(@LA-Kl$CoAT;UIHoA6^((!6W0G1=}n9TXDc=-s%$rRS}49qEo==BmFo7=_vOg
zX+ZYVoIrc{Wxb@$j*?X<m1wpa=r<MC2}^IJGov{hVGSsU_228!Uo&%++XSIzV~J}D
zh;)d|*nB?ay=J!6nuj*nNgVztY#}~hvMBn_D80A?Z=`{DyiYrjRtwm2#$^5KDxnfZ
z`i)c;DKti3SJ1uNX9fsJ`dxOBC8;L8dHK~v99cknd&DiL_@YKX(l2W&Z8I-Se%q4j
zY9UXKkR4f0ynSd}M4Aako8)5nNNFZ}p9oo<k#LPuD-Z5BHQd}tZQ12Zx|JJ;$BB90
zc|l<QqSh)KPw6Xn#oto^!SV4e6uCgv)}{ISc9vo)AG^`lJZ!;tf|&uz=c8P!4iXCt
zxpOW%WyH9L8Qmazbe*NfwPm!;s6#?4-Gr-3t~QuW{bCX_;V{y%XR%RGUpnjxp&r6Z
zv497#y~FQ6dRz{jR$U~T?Cn~rw^<$Bb*;VE)2mNX!EYP5awk@bLT>0B8(aOXZ1){z
zz5qcDF4{YmY<l$HI`U>6h18Pe;scRbGJ`_z!NgT3mO&c~#51t4#S@VquS@I)I@_k%
ztu20a3qI41J!R3SBg!Hk^G^F9rz6CcQUhZ+?oURLG>vw3pZ|PxaF*U>i*)DGw@px4
zD4c#fOga_h*Zz^n`w0bWH&o)4z>=c59yX^MBIpwg;ciLe1=~X^<Tx#nZ=`M?D4Fi9
zXw}S+Hbp<e!}2iMi<gK*T_t>WIM+Kp?Oa;N!?X|7o(T%c!HonPuy3tq)J61$XXVxe
zU7+JUXwpb`*zxxwM<h(9*p7@h4ZgG82}2OL(V^mD)GHK?P3g3uOic=*WrgowO?RtS
zY&-D^?{$U<Jg~?DsU9VlUHW&s{^_k(r~}k;skH3P9;^)G1tX4Qoag`G3n43xnUnJ)
zq!}t5-{L*A_hm?!&SCprVHy+hVMhR5FgZCH{Nly2{{sL5!mtm(Cx)z~iV5a_DDA)b
z_QyyNPen5iRnRgu<GzUDVBfikVXS|xQP?8NvR}Mk`?*VXOD2?aA0Xi7MA1YdpeJ$x
zD^~g7Srmr+t*58g4O9mtw>*4>g(@|biaMC2@Lv{xO!tyVidc#m;16sp8{Fy0Vp5O#
zbSN4dC$?HLuEvB|aehBgg8zwxi9(n6iSFT`HHNmdi+vLRbM83rrS+NTnOF8d^}ngk
z|IJn3Yk&cd{Xd?oj!A%!5nAt}<j}ka-i{uQCLpC-7OAa~pfcR!d6;ZE+WTY<V452R
zqT#Spp3~_a`Ur;BG!%3p6r!9k>TZcmy_G1dm?W|)HnQ*QaupfCd9i>}neR$6AE~qf
zqGeB`Fh?GSy$xxC^^eJt<r80E@)7}*v4o<tIdpc~;#wFh#ir#39a5wHf>N5(C!2D-
z)SI{cOV|?v>C+YZcZ6r{e2KJ5>SSxqbfY=rzFyDH`9mJ*XqbpkgD2na)}jgEayF3s
zr}l)B?Urcbv|dL_H#f#3>`X5eTpRKLaubItq^Dt!n(pMWjeNDdn<gLD=54?e-2gnV
zBlnf2Lp6W|MkAHTyF7glJ+vYq-$hu<yn=$%WCgN72OL-~BjO0Cc&;{e7NX|MQMOXP
zxoL`mI{bg4g}dZo)~A;i;++`u0!pO^sK>SHqfF6!atP+UEFgz(G6UXMlWO>B1L|CK
z$pP11E?(Mtlh%~FrV~oX@UL{~s%uZOh4EU(^;>s_1KnyD1>M+1?~;P5WuKxnd<$fZ
znYD&&kbD=)VYQPx&s)JoD-&zDzMyz1QR4i2T-JRsfUC%<V@#RNz5to20?V~$sGMFE
z)DMYv?cNhhL4xUNsIRipbQbjU60Ij&Fi?6A2#)HFM>wVdO(PGmEdu(#2o&murGYs;
z4RvWymvpPTQuAhBpZ<nPxrF{x8*k7sZh3dZc?y%=zB<#7hKy44sw-U%D^BI0jcO*m
zy%Y%Iz0GvuFOX})&oow+rnmAta-9#-EKgaeW$QhWR?oF~#mD+fxZ%h4v2)uE0Q-U=
zcRKNT=j~-Gs;5c%K>5vu;j1TqvjN36#5yHJA@6-1_WJG7QJ%gg!5pDH9^m?AL3Ol3
z`?odutns_bii*L5@4)2?ei`yLJ1l7Uoh)PrC*OJd$OQu*qM;Olm1t7KN}pw8_hfve
zDM)<eg3`}=!LZAPIje6_%c&~Z>L#;-PGIkc8+!x%u=jY~ijug-N>0Kzm6DCIYq^md
zR<F9bKI+jIk8=3A%ME`8j%9{8v57AD=vjwMXJT)1pzlKlA5r>?k<By>4y%t-9bu1l
zH2^P*E&#ex4tk~(PJOfk`G-|R^^UzV_tQ?<14D3ZJb-!jQ5S@C58ug-az8{>fK2Hv
zXvd3j*V{k#&@jm;iTh&UxK?vj$p)MhG+tlO66+K@z=RubT8Lh0%Ceqn0iu*%bfZs6
zGok<ksn*Y0h4ef3nm{qD$c^<#Ox~w=CqR!?`d1VC0mfdxl`!=B5Tu_JJC+&&I{Vdm
zVld;bI9b2oA5x#(#30$j13|!zVU@4Ia7otfzB>{xCnMO7DeyxBG^Y}E2BKt0(aa4S
zOpK>dwGH0nE}}w1g{q9^w^eIqW0*ATzKp{7{)fd`E0D*#xgPC4><T47P&qkVm`qP(
zWk*Y_J@KQjwbf1d`*-DM*WHfs&|=^P=NGe}?k|ZGHOgbZaIZCQ0N0Z1Yctok`ynAA
zfcx?&e>_Oj1EJO#4{ZpNW;TAN=6VoSJYPw}tyk0bm^CHU)UKa@c4<KcA@2PGmx3bL
zYv0m{ID;b<8>iT_uJF)n=$TP_(g?O_DTVv#ZcFc|{6wzFeD~YKdXdPL`EEH_x*{V3
zr3OD=-<MtP_JR!|uY3Ni#Z}F_g$lra$*w(Ru&@OAmK$Ylm=su?D4SC{`;)E6PXS@u
zYf0w<OOi_V*iP75mi}K9E#hN8G$ww0Rj^69y#`=Fr)6uKMKMi%eU%>P`W_Ps^UqNa
z5udQv0`zqcu=jw*n13>eVv@ex@6i3}m^mEt3CqOYKOU|k?(pbiIB)s>bnFY}7>_RD
zKI0UcjDtz~!oOzyr(>Tm$4o0J_l*d=$6-uHAIZ~ie>&zvc;;-$jrpD!F)v?;jTnQR
z!IMrObMAfTB8IR-LQVunM3{ndIqMvfVwo<ei$NZ^#wiwGnS(<@3;^WM01!}eTh(G~
z-{l$Je~|ZZT*LQmn30-(D1aM9o~T|b<cB5SoUg_EkKV>lTY})F>kCzKweME6l(E~f
z6P_&?yZAXX)n=vke*5<mN7Qi-9U@;|M9g;`uQAsiz__ePf99wDY@a;|B1QBPo|M)1
zyPg@XJ3z7h=tp|#&(rWnrA0Cim8`L%G$04HV(br31yS<<WoXafRN5RC79-mY2~qj~
zt1zDj@h|QA*Yw8)U@wV5-hk{+(@_juF&sSlpFR5X7Xjv&XhO@mKTStZ;BMg`{nK`j
zPmVd}BwIX{hL<82-@1^PyB2ywirEP2&ZVC{AO9)uK<>|n{P^WodIO#&RL(;3E~+Vl
z6~cvi0H(G>^`@NjwzVZcPW$-^U_HJ#HW1@!iYTx$FzTGKGa4xJf@(;;!5mumA$W~p
z%2OzeK0fWAr5j*k78!8T!18|MQ`PH`SYW8@ebV85d-`A*z`Q0H!nE+##lg<mzI6eN
zCV?N#uGQv@Hu!nmHq-jBWyxd6`Wnc3qLKlqJYevh1AXFh6NE;dYgPVRQ{#IO_xoQW
zcaJfUF*hVPr>GEuGIs;y-^jqO@i9f}Ws(g#w_jtWHO;)}nqO!a@3{KJ6o9}<N@l`^
zYhPTtfS9j7XYd}pIRL(2g<xwk1H_fxk=ok@Oz|ur@pnHWnnG_aa@dGws0Ih48cM=1
z)ptU5AfNiz^L|=mRC7P7qWnAl;8cGGr@F#k6r!1Gk@q8=F1N+q-mbxjj<c!1FT?Zw
z5SF0fXjV9#<+5%Z7cGwWD81(^5|dfq@@~EZh&EvY_U_0zQDKbCMxzA*Gt|849<U$3
z0=1G3Lt5FUkcf5Jftt{bkClEj=;TQS7bqJ<XI%M1oaWb-B;eRck6e)VR<b*KfA|A^
zUsJv~x`rh^JKs{j7YbCQy6g^+;=K+HHQe3kyrLL)>jk0gawgP0T3-hGP$V%sE+*H?
z5abAB=oMEn<*_h)cwp3;K`<~fUAA<`O{grEnEL+ecqGl%0>kH=PR+y}%au~t<xC({
zbu4qOmZPd?JTl<1a^)X_>Dn@o$m}bp4moog=j3aHy$j6B`P+%|3d{8Qm(iR4k;yme
za||p!Q<dkFVLQtj>50^Sd(C-TtyADO5O)aCH_!=8T~@<huT+5~hI-J9P1UtAa1@dV
zq+a%fL<K*8PTFIN35%~b4=^c%?D2WhWb(O~UwY`rZsU@NVMnHy-SwuM<P1A>#IDgS
zdf2|dV7rz}Dd-%5QZos!-c>sL(Pnmpb!ffi3AxZRr<$N@XXHvLpVifB+zjqsFebj7
zV`!Wc-{hK={}LNCcn<=Mp!o9s6OaBM_K_%8T${K)@;QHBhs7FIFfDIx@pLPsYkrhD
znr7L;(}}Bx5h2YU)89bnQ3%yu==t<j6qyP!^&+U)sHyn&nlwQEX{HtntYFQnwjFNt
zK)Wj;!y?XIF>8*=rEhozph=3a9Yl8v`mI`1ZE7y)zel|-4d`<H!?GnJgc%63B`Dk0
zwY6@!o!5#XYj<RVR-*ZrSCG{zJl*0x=DsoHQ6hwB2ZCZ@3NfXVkb`GqTESw&COTMc
zW<f<x%jr^&YOYWnZmc10yG{wS<2NwmtPdm{oQ5>ibYcm~WOWESCWB!5D+7goo#Fr#
zUF{#1nyq6@U&lCV>|>(0dgR`qCul|#Q#aTedhC-?{F_Wbnwg}TYH8{4I(M?M_s(=*
zl5DJ0T(lJ!PtJFtaMNNcI^1!XZr>_Oo>MmSiS~;i3eZivfV0mX>JGnr9GsjyYytM~
zjfcr^l7TEN6eBj5>Oe}k{$pPJvciL`)T0rK;U`tmd${kI=>*X+$ot8cr9Hpz!3+qD
z=l%c8g}<P4o*XpZ`>Q8=VRqo}7#ikOLBW1mS=pE;|0rzz+%e$SXAjq(yMNnHS&8Es
zUVmZ}VPpGVV(N%`eGmjDWS1%`Tntou_>$H0eM?3EQFM5+d&Bb4FGKS8hx{xZo7z48
z2oo4DMxZajlqs5!lESLCxQp&bKE1Di#GB(x=jY%r%qX00z-ClDn0f8t9hTSBWSPu2
zqz&D#X~tBmzWpRYDxH{lm^tnl!HcBaLv6k!l&R^La#3Q;2jo&OJdnMWnu(yaS6kJ)
zZ##~>@91J{QKhdx-W|ffc%(0Xk+*uGuFnwy`%Vp8A9=>#jF;^=U1=*T6IrQhX;-hN
z!^XiUVGwb}I`GerGHh(~L-NMuG$&804yE1n!=B>yWG2xG>6^d#)t@5I>DaF)W3CFt
z&$*I6W5MZWO)nOXKN2t@L8kQkE#WK{GUZozf$2}{TK7B-j_KigBJ?WS&i~Sgzgxq^
z#^A{;J@%tzfBz@u@orhzVhLF~-^lj11wV+AMC|3c#h<7CxL8Exz$tl^OUs9Uds)nR
zQiS-?Qi1kAd*H{#Q7Nt@Nhz;4_P00|S{z#~u&==k2t^Tm1;ty)y`75X)&ebVxp#73
zgGrcJ;3Zk&gnl&i$J1R!44}mZmx=c^7(a*tUXnsC^50W`{D{hd7ITH*?dyJ=8Up<2
z8s9{jeQ$|Sg%*d_9o+wt|LMbG73}=s_jYB>;B0Jc$jQjae4CzDwbj+CagC2V*V@&k
zOnrj4An04{l$Eu0tiOLl+kh$C4TB;DXYKp<&q>S3!~(}f!MU}^OcOtMWxNUh*AB`s
z#HOR8GgusxYiVnf=W|+nxFXy`mb{Xd+xJjO$@Uu>Ee%GMw79r;7DA`s>_-D5BN^~x
zNQ81FEUl@1v@?o}`H2r#RaLcS>T)J8#!%-li=~#Ip~n7oL=|r`U?(UKa|#HYapgN~
z;c0o7T=8y45~Hi(%h7LnWOwE3UbU!;;J5cx{`Ntp7`b)1Q?W!T8a+{=Gylk3_rWyw
zENZCRIZw7ie|7zJ`fDD&y9Z9SePB=f^}E#WC;W5*@%HW8sex!#k=I`RQa9fmh)oeZ
zu-M_$;EAX=={xny+$}4hd@TMs{D8ua3`3o&xoe>U;ww6N&ePsVh)^tHjC*GP49xip
z+RFG>{r)3dR3u_o^31(|Ov!&IT$Chy0hFSKkM<wQhgqBN$G?9HvK=E4%f*-F+<&AV
zzQ8@N@%McnJcpY}J`4Tz1^+q1&fsZiI&$>aVZl#vF9Ue46>M##Xg%pP9yb&U)iy8?
z@kK7N1a7op`3@=r{(Q>>uQCNCjhD_#Z(VLeYR+E{qtADxOE=nG;#tz($6VIk^yYBk
zMb0`7Cf{;V?0F9QXSejjm+=g${KKDcw>LLG?-VrI)NU<6BDd|sF{Lq57mWw6F1MxH
zM>;reQaUZmR^|?Qu&4RDk{Bu|Uy=H^_b@-aL{en)q4H#lAJ4!u=dBU?_*(Wt0rWsI
zKa>SWPA*377J|7+MX3<k+E}tvl4GvBYuV$iSX`8x%x}`w6qrr|b6JLt4w^#8;@cyW
z6_enb?0@Z=|GR^DE3rO4K5-*z#_H1aR&T$;Pz47XKKpH`sBtwHUI^csb?BV20-3IN
z0nSV5EyT`q9!q{^PMpQ#g0s?KN;S3uX*0;{4Bh%^z>W=UX6akaTsG|-hTQO4psx8w
zejF52%Uar=-IXg?`|_mKgLp@OV>x~IywPHMK(Fs|l2S1<y4zC8VLEfS_F%eg>1N}2
zL;(H3dV_5o{mz`$;!9;P|F81_r6izG>y;L_DeY%(i;1S4Ela3MR7J#AB*SlV9pyWL
zdqMG*r1q84Pq}pbw;PqHD-4rXR=RmZwK$vu3ZOWvBK7gEAd}p_h=|o9s(0n(oU&Sj
zvx9{uz5df0`tKql28#M)0_IOx>$Z0c4NWGdyR3xZ2iz9kwl~-;YFEkJxG>P(Uwmqp
z=VFHa%&h)}5nmD0Uev@$w>>|s7Gaw-%$1quBXQ)jKF$|X$zU2c$lm;QCNX5VmaUJM
zvX*Y3&0NOc7eZOnn`REJXYHG~1O>y{-w(Mj#d07o(eYYvAz`Rx0t3k=A@mSVc>D`(
zqEgWpib+5VWwf@x(W$&%=9t9HxxU~Mpa-5O&agojFd%0vBX2sc3I#)rr!fJnCsd_q
z6SJF<>ve;1ko~}n+-S|acc9I9n=eA9eNgyW94w<vP0{42c}HCzEatTOy1LP2#vlV$
z(lO(~63z<lyz1)tX+<^Pj5rk^1=-9EX7@0_-QUg6Hwzg1u3FjJjt5v<TaQIIccjM0
zHZ(MlFVZ6)KV*(LK}T0D<k-409n!Tyg?!>ddQWmYMxu$rt?Sb#yOIwq12k?5K^2u0
z%Z!L8Lq^6<tTdbQJvoy>0ztmxPs~3Bf5guV>LA#1rc~=q>-gnMgpE{${o#N;N4@*g
z>ZP#3tudVE&CSjEMw!f$9cpIMotm4k?AIRdZWF(Y+*vw5c_n>)WSTW`bHM>fyOVN}
z8)4*bia3YN>^?@0u0rZ&1G)a~3g5_AB}+wC6HU=uJH@L5fdgxmJokq?US-?tGHTH+
z``Z?sHk$%gu(a@cb!mKF(bvWns?xRCeCL#9dY#xip4{T%cni^=f^+fZ8ISmy7?JiY
zElIrRdLCh?V|Mb8BuVS>%gg%7&lw-{IoVx>iXFEGZhOj-9t}^Cc(61Y7%*-^nH&>?
z9^5uX`JqrN#->N#0fswT|Hgi7aj_A!{a6WW<FZPu^^yZ4B5(8R-Gp5)w4MKrx61s$
z@No3jIDXWZ@pV0zi#9sA?M+SPR&zts%$fMHj7RwG9(J(w_?4y>JJMHIUD_3N)`IoT
zaNQ>2%r83umfKl;T0X8IZ^Gi@VwD8*_mgB$pz#KLww;SjOsIC?aIvI2LbdgJFNAqC
z{yUws^#jF@*%bWQ$#ynq2bGdy4(tRb^Ihxo!mGQy9}=mGCnQzuF1-=j>~0+E{35KY
zt84$@if!~EVe;NS9lbj#TRx5W(Top5UUv!SUA~a!eJ5xwKT{%#OwVd*qVH>F=5tB$
zgv`ulvL04NF$yAzS>KC^+1V^w&EyB<gYa2&ag_wfL=m0}YFRJkGO3x};~8<DJT!E^
zFkqQwZf)CW%KwxhNqJl0%`1xJOr3V+pi1ts(yG~7sth`_KfL+Y7pl_FM#XCt97546
zpvM!EDptUzRlf91sg#fK`N<k$7GVIc<Wl5)5!yQ{5~Q>gvG_z^R(E!k**Mkv_-3-x
z(>aK*FpeIlr;psE>fHd5?Na~b!eAGlp}4Ew1`i*u^v>(x$^|jL@ooR>j!wJm9p8&d
zYsd@Mz6E}ferR$ul?lbNFCQ9hvK||wY3{PJigGIXGT!|BxiPN1Ovz=IO3G91cBq%8
z@Pe&fn)7Kfrt=MJf+=6LQt+Q3k~2+58Y{Ael-RY;w$%{j{yMA&u+Nj)0k?MH;-olz
z!MWmX^sD;qM&}fP^{%S4T9l{Y^YDY#XEcz@cr6H&;kTFRTW_7bTA-NNOQH4ZDVdgq
z`8>vHhsDSed(&Q(K0nSlMmvXD$MhPMk6?%iTW_S$)-drnaivXmXUR%#_kr<Jp_1q;
zTWTrfzU?yR=j29sD!r^zuzkUMEs*eud~$4+=B94AazFW5MPfEZ>M3$G&&u2R^{W9F
z#6Dd;BJd#!-#KQs`5KP2<ZJQ+cb>AKChAQ&1-iQG`WpR^?CcHnN;uEVuQ{fC^Ign}
zkqF1<8_~=RO|l!%H^NQvG)#^EeVx#b5b+cSzM@IN=!=^R3NrJ4w!pBo-<Yv24K(rT
z38tgm3EA?&KfS@TqTh*%qbiy6T0ixLlp!3svbY$ft(kp(3j|cPZqhh#zw0&ImGV_k
zP|`wLJ4~q!h60DZxo9Rr(01HA%4N<&DSojLyg9XRa@{MX>3Vo_W;L@_+$H7Z;p+z`
z&vTVrWB(Lf$h5gS%Re*dcCaFEv?91@USQPc*+fq3p~X}Ozj4uu#Y`d&vFQ3RnR;TH
zfX1sM2ARh!kK+YY@gn9==tZYmO7dU#KQewm-ic7d_ylW-AA3U#v(y_R2p-;Y7EZfj
zWR^G*8WPg5VQVOay6Wmw<<GgWnDK?K<{NkbiXblZ+a~nvaG%4J$z;J)+D#6Z_1f0F
zlI8j(FODsw@5|eTwzCZ-%`;*7&0uf5PJg=omBS^(c_n-IFJhrJ#15McW`B2%Xw`WJ
zd$Eke?xyfFsK~N49k#f`iyS>oUp?puw!nCR^B1znzhKYSFBl6oYS||4i)1gD_)xS1
z84+&=cWabP8xMv8ThAy{Nnyb`Wz5IKJCpIj&bPP9_2kL^FlT_tCa=kHlwmMSZ_3=;
zqH5^N`qgIwil-&9DDFy=-U~OLBPEf1PZ6z{V(KgY`Lu+g;+KbW!^7h1A$LhtE7otB
zM>){aY6jtd^yQ|cR?{tp%_cb=(j9#2beM@dZwp$hmE@WYmc)-MPEerNjf+Lpg6}m%
zh;?kBUbTN&L3>=-c|iV~KWAr(t2njWh|x)7#R`!EiRC5tgS51?bz;vw)>je|NYpYI
z1(@VO|1AU<ba_LTnO|8HwFMXJrg=~=4Qvyw)$S_Mekg9UWslc1zF{n&WE9QKc%1p@
zQLPDQ^(R9Y6faQ>^5q5TkLBgQfxqr-l?0hr42t5Y&!@M?;@7M8n>K5*?3DPTBI;%I
z#RS881|)y86DQ}ZTpVS+;v@K+?}~L}F;fSyxz<ai%&633C3QO{+aWWtm^X@)v2vT<
zN2KagI;<K;>X&{^>)w8^`G(gzi*F_uyx4YCnN-r>yj3^r^CW|cdA74}*Sn>sOy>?2
z-2>0#MWXy~I|x|Ul*b;knbfLm=OEP5+Lg-6N0-CZPM`jLJ;K44zXpzHNMaM|Z+(l|
z){$V_|L0s%=8FS{kergzs&9{S0I|19S87gOU0q7f;YMLR?6Fkdf_;vPawj(IYKeJy
zwi-07`g3<FZCKb^Tjf|xJ}fr6x!N1~v+r{{I&#ZCe{OE;?hXNGwlh~eq}*Ep<D=D%
zj^4{kx*zM?IJ0<3>ylZ`2Qb6EG}O=j+I4QXv>!|$zD-WvfEXL<%Ip~z(o9^AryrQ>
zR23?#s&Mb5eo+5v!|3X}E*nZ{#a;S!kH2H<2Eh!gp&uX+swUp3IFR+~&eem=s39U^
zVm3RMe5wGtu<9PVdhD{aw&v!Lp5D~6DrsL01*wMRjLWmJ4bAVKYWs4{@TXhEAcFBY
zSF#k1FR86QtHpWjD*ie1mOy~QH4#tM|6*hO-KY7lIQjmIG>n-_3<H>e3BTb>bK*B=
z83tTC1p9f2giRLZ&97n!;4-%L7vE)5{l>ZPJOx}vPM_&}Y{4~N2wmN`@PU~9Z_f)1
z3{;8Xi8yqKJ5^E!dG6O~kGX$}ugJZ#Kc6ll07kU6l@)$W#}}<2p}klj8`Wbh=ByW=
zZ*>?N)E+WVNeU+(>YBRB$M@nqQclijaVRxu;~UkUb|W<0u6hbsJpT^5bXZ_f)Vw?z
z9pj;)p^+FL&m%tDa7=hGl<FM8-pgFv)+meM$_7`}WVJbJ{ltaD+YFrt3P}4Kf7@^2
zmE4xkA*wl}J9^I?=h$-_k*FE?;tLux=6_##;WTCj2G69jGZVjoN*H(O|H(_5csb?V
zH21%Zt4JzXa7oKc)U^A$h8nuYu+BsC*H!2Hwr2<^@qb_P-#xa+j)?mIWWvntN@{3y
UuVX)R!Gb?GByUTkiD|q450b*~TL1t6

literal 0
HcmV?d00001

diff --git a/docs/images/aibridge/provider-edit-anthropic.png b/docs/images/aibridge/provider-edit-anthropic.png
new file mode 100644
index 0000000000000000000000000000000000000000..e960aed025b60c218544708b1a92cf2ec6edd8c4
GIT binary patch
literal 63605
zcmeFZbySpZ*EWobC@83)AdN^!OLqxKhjfE<caH-i3ew#SNOun1iqb>F00Rt442@C)
z4Dnvx_Y=PdegF8rf4=pt^|013SDv}|KKDNMaZae3iYz`J86FlE7QVckv^o|Rb`loW
z^>?>%fGa^*8eg%nt{K=$NvX+8NztgeIa}E}SYly4i}j4DR($d5@waH()-^$%iTjV`
za&<p8@udXbB;a5vvRU)3v;O4OvMYmqcuN2~k{26a@>22xn<UR9@k2>-DFZ2*mwnqU
z?FwwoKYyJIWMEtcBxIBOd_Uj%r0XUvBuJc*ZgSghcx3b*{xus0sPEi!b&Jnvr+`Ue
zpNV!#^@fG0lkt;7%k2$I;o2@$lFL(su{WPJ_bfHfgYFMEe7=0`4(@v7`~Z!IC(~Lw
z?RFyP+Pwk|wq}6Pv_IK-?aQrrCPy(;yQY1I<j&?6OOV3uaH3V=BxM?wx*Y9C+=!>j
zAcax!3*D})PG$kVCso()_zE1bsNl(76Z|2c(D^*#x$DCRX(<~g-T}%m+-td(ou&MB
z`J#)<RBH%lyPyOeacpKwC%pYaE!9bDj%aD4qdT9V3@e*hpS0dK$LyU;^b2{efw9=9
z#ID`!wK#m9NyrY2wzj3Nyp^&t7Bg^s8|zw#EfzL#bPf2B0Us=^8*#x{w}5X#;3NI%
z`hVWVPWp7?Kaa1!`~9G#hLpTK@U3C)W@+i<ZsY8+`~H_EP!!x&Q`bXRSxLy;*^&LV
zg|nF@yN{#G?^m!ye1w2QM@x^_G(L_FPVPcJqO|{dLI^nieVK!n=3kF^*o)HYDyz{*
zIlEcX@UcH<e@-igM?*s+;$~qbq%QsPKVApUL}_h2JY0l0IJ~{R*}b{ho!zWCI0Xd-
zIi7QIaB;B#Pq4ZBI(fYIVRLeS`tL&ivm9wlcXKye7Y|!!Cz{{ozBY6A^bn<`{aw+2
z{r$V0mOi%sU6Yghe{>7zAjj`J9GvXWIsU6`;8l^|SB2DUeJmaHq-`C6;Q{Ip<Ky8H
z`PcJ*-1+Ys|M8~of4|Ae$<Oo8SO0PA>Z@ArmTpqcjzFCrV*fog|MBuaZ~n)NA{@WF
z{*R&f_c;ISDlpJucp@DCHECjakK;1oSXdHR^3sx;KG(M9Z~16`o9+CSOh<<;x7LPU
z5Z1+F3VSG7Oq=u3=$BcC-=mWX;})|UGOr$9%m4UJZdXQ9!f&@tf#XRh|L#}lmXjC%
zhZxrH;=}P<Ozx|LClDELWGgqLl&0nZeKyTotn0V0{)>?gjG>z<6#DZH@U-^ZPC{pF
z?E4Z}*Z$|fKnvXax(dYPx1Ri^%=@}OME`P`CWiIeb;UljC7S<P*1wCsuGo6(&w8$5
z$I(leGU+)`y#GtvB}_xnf4Tftq6YgmD}8um(BBHY&H9V#kNyB{kW0b}%(tj^z5ln7
z2&7-Q@yE~see5HosY+nwBY1IjfPeyNs=k8$a#?~#?>cr;+_!GYzZHm`<a6)p6#X7c
zI>oo0>NV2>x35gZ?^9rscK>o2>whQd-&6Vja*|&635ESdf&y9Y+q|lZ5iuza(;Up)
z$J3YZ2&oYClg4qLrFq)mgu4+wc>mEOFjEmo4)urp(ahg|IFP2bP^@P#1PPA~P3P<1
z2)gy5^F3-CW~$Ay()YAnAvyNrM;BkO^{krnW%*$R$(om@Oma@x^H+s-(eM76LB%_Z
z79aVSl_uVzhC7c;mW)>V6+c`*$sf<q)0vx^w0SF-R1wVVNPATuB}4+*=@k?rw*+r9
ze~bUsA$h|kZ9d=Yv+ixyn@dL7s#j$*PbzRBe_-~z^ZL)RiVgbp7|FUj-7id;9`E9T
zuL?g6CEl9!yig$_z3p{7;<ES*B3*^qwmiN+6w5FWi^!9ak|PBMsO!1E8}=Vh(7b*7
z0MH}E|JQnC=pLA_p5OoRLhX+!1)4Udy_kl_%IoZ(E^;tJq+VmOUaPgV#U6N<l<RMA
zES?hGZqa7f3sN|RS`ILz3LQ4EY<SJoJjw&1F@}y`ySw{;E%jI&Zam_$pW+b=xM;OE
zaU&t)YklR^Ru_4&dl~n&o1vnOLeNd2JA!njGw{4m)Ukvbo+t0_4k=$r)X7YSS`U8}
z4zRH)YCYY!wCGPTv0P}K`E>-ncEwHv=HZE8zTX-v8#g+tQY7K%zc6aC#GD>-z3G&#
zaaymD=GR#YCSQh8%l7t0i^o=8qP26PShVZQq*1+3?339OryqW#rrXGqG+a-+&DwM;
z5eNTtElf~KN{UXSK#5_R^A!QL7~S{p-_<`!NRl`9XNrbIknx^{4L=|zwi=F2u*gI>
zJ2U$3Eyv#z^Vts@&eF#(GiuRS$rO40&Xv<&wRkE!8~)V*w#!>}<9{}t#s{00OIBfO
z&E{lfGu!Q8<VmqwX~CQih{bm7g5c!%L%=|E7QT|EwN%#&N8tylv_x7aETX3Ym3{cD
zhK`EK@m-iB`qRb(ea^Lx?LrT=zVnw((^V>7Thptvnzg#PO!~Er_C`TU{Btf)%?d*p
zPS#YJ9{o~JbfP<IXhvvsRk=)0-m*U_`3}RTd=P8Lh0u`2vv19_F2uA?pRQzr{AL`A
zUUvn59SGZ)DlgP5*YDEaMWAoaG&on@r54kC@#00E<p3hz>>G1jUv2g1!AS$Mdmxmk
z2U1{E>ASzmpQ<aWOzoc(jPD$0_ALx?w{m^Fuy<!(*s-mLdY2{OtXg7k6=q%Ox!8H_
z+HiKNk)P;OS$~v}Y9v`*zI?nDmqjm1y~^~7eXYm3S&KN}3yjroL)0q_ZwmSy6m6Go
zb_Nh{OgYkcZcHT4HSNz{C}*CP_Kk&MdZsJpjoiL}xhd$e_I9GeNY(%Nb;>U>`=L>3
zW~~yl-LCG)P0P9AT>8~4%;LP*<`qK$59yr#9Avo^mUv{=rL5isNMf&f<z*IY8mC5m
zxq)?qPO*+^^O5h166A=Sm*XsJ{L6@h>Y$E;I|(cS{=PpGlk=U%3*3$dZS@3v!|uL0
z<P~&o4{GQ4s-18iouk4)PMpBK*hy55{-qfr{)SF1E$MUq!}IFRZkBq7J+$dJ4^d?Y
z;%<yZDBb2XNqV$*jMao@skRi}BUV<jS{DV(5hTy=P`}3IyU1u~D30dFgsrK!_26T6
z(Opn4g^q?cs|oYwRC(;_A-OziXdcpKR4GKE6r}J0?@_%ZwTaaBRHeyMNr%UJR=w!F
zOAjTb^8LalN~#946E0ADrYJR!)an<bL&#0am&xJ*lIvsnAr!)16F4#b2}~TKeg`!(
z8u}b2?brG4YYt+MdhN`;zK8EYfbXKk4~NhzYNL46OSO%-E7d>ZQk*+BYzoT!Sk>E@
zTcIk}gGM<lw2l(6ZB18~ZVDKwb+znl*o9CHWe85<H12d<J{eabHc$<@k;G=8;?!Cl
zieK^VYesy5vVmNiAO6<iAVgTBM6;OPNC>$!%Fc3i)*2)RXP{gc>CW_nZ}=-b_mzor
zeNOiFcBWsc?-!6;9t|(if1#5SIsXhAD?qi0Rnx+}$Gv+Z;tX26Vzt6a1~MHH`Qzr%
z{T<?%uT#kO*Fl?&%B9)^R{KPtC))ZRJ9HcYVrqM7%i-&}Jqj~+S}QQ>mvX5kT84+?
zn=eMJSl8+1PY)VWQW~FV-xEKxc!!n<B9%`KSdW!Go#x|ZSsTk&^zx^NWsc?q5<t9d
zFV1FiQkC_2)?U@wd2;KFu*OSj>fw<v(<0w+>rR!0hDRAccV@u%la`jAJ{_t&q7;(<
z^@Dz8fJ5Bfa#aA60jF0amj8g4xTPilLCGslmA&HA<+UDCN`3yFvBhz7N|{0J;4SR7
zew|&@{OY-4kfwRhg(?4LhGv_esM!sRj!QA5Q+TK#M;7=f+el@NV&FobmQBC5X68jW
zF<U}!@8D6pQaWEBrZ$d6$EjGYJq{TD0V^-t4^L$Y(k0+4G-^<*hFRA9-F9-bXk^vv
z@`G(m4s2=+E0Y*zG1gR^A(%d)dBYpf+A54{rid-(6M8#`R8dj#$~q`<^T+||^du~S
z-O{8*?4;2GmZY3%2S~zj20bZEQ(&pVApv9Z<}-G7@T|~Ihm#Yc8|OoC`+3Ei(aX!N
z3h$SfHaBEVF3|WVy?3E3nmO+&@zDB}3l-TeZ6<uk*Q!~u80W@5D~`y^BZCvWA=dTN
zWumdmz+3aGu{%jYd{qZ%q-<OSWLmxk63mN{xj}uZ3H|aRe3nK<SNA3PLqX4tga}gZ
zF`RfZ-sYJt4zrLb8Ch#gq5lK&iRso8w_3Ne<E+7I*K0H=ib!()_-2Ly`5+mxWqE~B
zce|O|bvNQfoME2Z+Ie!Xev#;o38~C9dqOGo3sMzSX4=7}P@76co$C;Dcm*YcskSmt
zRo*pTSm)^gc1Ek>#hEK=x{;Ipej#SQQtyTnu*B3|dkWKc3nQpwv8nl%Q4??}rlTg`
zU`w286=f@mzh@iMN9u>7=wi9*gb00zNP-rsAao!gc_Kpnw7YaL<}tVKtpS6gPZk4-
z0~IZoW2gH4T9phO_@{&HsKIo2yB+b^PI+>NDk5@Kr#?e4-!$|GU+)BJyHPNncj%MG
z>Kf;I8@8kAdJlC62|oL}ivSxFr)>ioW>{zUp@%|ID7GQfxjUjSCoo?HvQyvH%u`hZ
z#_-M5*%$WB^*N>E-ixjZB*6E=W=_k74h%Zy?c>?5#;SNgrhiz7K?L1TZ0*xN=eyru
zKRJJd4y~;VIF08N$t`ULC8?SXWlQEEob2s`$7N<C${@lG2>D?n{0r#f-C_6LN=%iw
zb;l8MUipUh5QXCG#J6w~k+doFmwHEoymz>Eo?Fu}F+t~}t#vNf9~@MNx>qE!vHfPh
zcB$1hFUJ`(6YkAgb_T(x6C$PqOaZWHa#(JB0EmPVuaN#Lo#y-0Ee1AWKF1pIi`5fY
z0zI_6up`6V!}oMLi|#1vm2PvU@qpzFP3sG5-E<s~$FsS~+w4sy^*F*j<g!qZhZ8kK
z<P@{pk+fpv^ptI9pK;w{8lP;=lq)1`=2OTH+&9qU`VL3OnWm0o>hsqbta^JPBKw1i
zZYYS6#oEZ{A@;1w9o1Mw9Voe6quE1`XgVxBY-3LD^s6Ag*9pr_yoX$*GK$+fFRU6f
zaiWhfsl{TPC|#%37`yrAwmz~F+f{L9XNKh?%8{9lfJ#y8RIU}nbI)Pvu}^6P921}B
z8(ni9j3|c+;NCwMuVp3Yel7wQa-MxjM-s~ZLUf^4X?;$r=^f(1x_yxok(kJ<<~UJe
zy+1Jzylc$xbUlGJgKN?lGiy1JC-KY7i+1~P;Gzbx!S8GZO*u+??S3=t(cyFb29MO#
zw=FHKX<||@-yBrW>$F?p_r)?sml;1qk1$ip<k7R58_HQ;4jCQwd62@qcj452(q_Y1
zBoMjQ*8{{g0XlPNKahmb`J;(IdfpB|diJcuXeiV2KS#d!fQJap=UuC|9%dKDt<MxU
zsNeE3&fZ&Lnf-3sten+eu>Tk$<f%T}u=@;f`glHPMz{^Iv03ach*lJK+s-2cvaGYP
z(BrDPgV+mb#NB5BU5y92;8O#@0B_$Hh5Z;+qNEJ-o>F>I5O3MwFw-ygU<llpn%UE~
zW`UfYBIO2w2Mi1lG&38MEOVueNzo~+<?n}Fx28FT^OUpR76wu>j;z`(XMMPF>j)v=
zUDr_vYeJ`ob|7kPcV8)^;>NHtaDorW0B^?z+Jtl0rzbZPnlqzA);UfM;a7l8*H{nR
zLhBD~T_65WTq1B&XR)0mGdX@$*gnwgTb{zXpBF)XbY{RPFM8A&c`vzpdp51FK|JwQ
zkXSNpzJffuUA6ChHga}x6!4<ijOPoK2Twgx#cksb{MKdGk0#<72ADL5GDPU_wH=jE
z%(WT#@iq5N89^;V=cZ4+e2?q=YvwG(&xITsm5#kq9MOlbk+Vwq4BoZz>9e)<`z+-~
zgvrOT#=Gi8eOBuvTO_E#@mx}Ap=@+kz=f-f(UfVN7^KXiZ%n<(O-q=w4kuW<!qADa
zZwf2wV$EV6pL~H1mR47*%0bR+*C<#Jp*LiYBA+#5I4jYuF7fTxH!pTrr5P*B+3mRO
z#*Q<S<__;qDmM+DRIZLy!zWxH9|t0k&qMb-hC~WRTGj+TGimYfK4R0K6T7K=<Au;K
zZ@|w`Rx7E;XT~Q#ilh+o7{R!Vo@5>Lc?kJ>jTgYSIfWiN0*<34roJ(P5&R|1O1Me<
zoShRj!pa2e9s^aIex`soEmc5Um9oUXVS~(IhRWpmZ%**|5Q>|_X}t4CCMZ93YRIKL
zrZ|w+bHIkSwd0&`0VlQg6+}^<yUfEULxaz8)|8R2<7Cx9DQ26&{Y~xJ+5Y441-?SO
z%Bw2&wv#)tq}RK2iR!H<{ru!7<y2;^Jf9}Fqdxmnh}I1OXVHs1C34a3$%7%~^p&@`
zRFjUgnt;1m`jEp!WmV}|OU&m~PtZBIm{Q#Bt5~0M78yw<(+h?)n$fr!_d$(iry6&z
zN!u}9ZPqiRg`NEbidiCl1zBhe-Xjk7NT-%boM`{!Weq*k>*}urYZSW-3={^~A@p-^
zDk=9*OizA611s7M*T0A+miB@!MMSm~5DI-u+|n{KJu5Ex7Nt7HY?OqB;$(A;vt2(j
z6i4{2t@Z`J0MUtXy2Dh|5YckNU@A04FleYH(-h^P+6RwVbqzgrKlPZywrHQ7dhHB8
z6=9JIzFQM-C@UiqYDG?8Pq#`D>Zq8-=Y4v>M6S8-8KGj4^ew_uc_TwZXn4HZTo%mR
z$9F|TXh^2*S7DC7x_<Jk=c{}HAN+jXv~~m*Q<FWgb*pA@mCia!n$AIbx~~qP`co9P
zTtkcb^WFKGObLzOm1Cc)33xxZ*3F3jyxhKP$F|w3xFbm~8VypDhx5L5s|&ZHYEpd<
z89DKIx08pRSlgDD`BaUX5byDN%EbE(pN2|3<94pL*3IguD;VJ0hR)a<?Wm)}3RKzV
z{gyo9^9s=PFh!5N<EDObfbz|xhm*MMMl7AhGs9raQE$K{#;vogU}EbY>MD|f6?nkr
z0=t<shTd+hDIHg0-rXu;v5(Dta21Qex^{W}$%S|It^XOM{)fAE2>^a)h^oKc1hBrq
zd@O;jKWYXF`pF?-+Sh>(`WxhM{q}ubytiHK|8qkAUHkvFI(1zdDZB=6Q67>(E9|6-
z5N{gz$17teasPH10A?|-^bui;Hq|$Ova%zI_|U2TeBsgQRR~r>=;7m5+n`!zBL+(2
znaMUfUX2!0R_vsAzbZx;uQqHfyR*04fR2{daEDn(jM8|1vWc!vof|-r;+`-wpQ=Ci
ziV*t)OqMt$dX~gn+NuGq&k!bgO2qG&FnQ}9ULfu;rp%pr{U<+6bL`U?RPi!ln^DzI
z8!wLcx}v1p(>0u{J{&w=BAJjr-+R4Aof9;)xn4sAE*C0{BM7)Nr9_W<ahp|;u=Nj&
z>^JNx4*+O!Uu7(>cIWq;$iD52d;0kge-W@W5^=u)=+N-~D^}-Ur%_me^s?`C{!(Hf
z-EUN#kR<Uh@`X(Sfag)zSMAupN|gVNLesG`KfQ|b0X+}^WRC*Z_-`e~(E-r9yrJgH
zD^bPoQx~8E|MxNJRF7*cint;=zfTtdv2>&Jk@-uBa&ds9)49GP{fmlp0wCYA+|RJT
zlo&$?^jrQ%4%gKw1$zGWDWD*+i;w<NB8~iSkp2JP6Zd-PMOEudX=%A6)>nkYNqk1(
zk&%hxg{plsQ0sRe-uwS0Paw$@^KWfBVCCV_%*lnOR#?PLPwxYO&Ig|Lq@$;-ths_{
zdO`m)-L%7}%Iul(f026m`?u4wU1DQn-GHE3(0j)r4ac45Q$Bd4{p-!<xKHw0e~Rv+
z5aI2xPW1w%*f>t}_Zi~UL_7zs;69pJe!RcTo5Y*IPq$euhcdnq1cW2oYUgvL_G+E4
zxL^O8)WGBGk`HvpLYv3!RPvAMk{fKY#_R}x4YZl!{yFKlRel$HlM%n|Z`SlS-F;#k
zM$CN)n)U0XTo(7wUHkJDlcfWmUDeS%en8?RU1X7<T_Yy-ydqiE?kGx@r?OE8)5H-h
zmF=ftnkAYulXcf_;PjrI>>F*um%flYw?1hDi7z%Em;^wcp%*}v_K=%bhiNPv&;XwH
zcp#=ilX^T;`y`QuokUAZOJ`8;z@C_r^7uD2XFm_hwt}UN6}@^2U$uYocy)vI&eayu
zxX4@|toD$3qvP+=6Xkv4koV%lo_f>XiV{s$V#Sy4qiw`M8gHqQc+jnT?ReJN@>g4O
zU+&&@3)cK!MgW?Wi=^_{n0TdKuD{|fF8ofzbf(6V%WmSC4(j4`lLOB6N9}oxf%alm
zJYHKi@N?ZN)9hBv4#=wwz&iH^xxq#lA&;LB(&dsEoI7=PlW}qMip@iBelAM(#WP0R
zw@HN%?9JMruYCD%r^1mHyQ4E&{NmZE)Ribwf~M_`;do%ab*8UA&)emPMpKJp?{41N
zQtb*(4pMQ&5DRDp{g@OsSWkBjRtP7C<pV%XeZa{+DjArESHS44G<1-1TOFhjtxptd
zxUCM78i*?<v8v}QSPD1QJDIe2m9v_(ix?Z6VnYp^+-A0$+)+o<S&XVqzZL)hnDaN}
zE-Sj57!z}!=~d2q(SU_kUrY3ksF(V##6E9RmTZu1z~y;EsUAvbI8&5`Q8m-U(c5I?
zQ--lKpl9^7wDE!{r<qn?XqidJLYsc8Wuc>W$PkO?*|BR&NiaUyL^1&B4ggwgu{q_K
zLn>FOn&nl}1A=7;Lf4`-t{=`6FCDb0WxrSrb$e3dwxXcd=2vH9@`s>emv-_}>h66g
z(Nmxl`g${lr*j!QbFKj+#9r56`#e`F<cO;9e7!JB`i6vxsl2z{PbM|fVikzc9)N?j
z%=(@m@-GM76N{0h21^@*54CXd@jbW4Z&DU`qUYy<tip|oZ8B`V2B&iSd9WnPcW(jS
z>}h{;juxLQ^<~|BzbqB}hF+^w`*6DAT4lq6pMluPGEwyQP#DISheor~7%a?re0gpX
zP^?>>^Zvt!zL9LH6`(P$1l5&VC7QAAV2na3!YO{_`S9i>9+?ukfJ;mS6<Ba&ZQ*Uh
z_phNu`LfZVmFga<_yEzv1dHL=`L<>Xu{XM67so{7s}fl=7OG+=d3{NsS<k_kCsNBz
zs7&wj77iQa<zZz&-*&nFw@r|PLs_*6Benl=b_BWi2~`XA@E@y)Et89~>caNL%Dkk<
zb@}Ftot9nUbjP=S;4FJtGBzIDF=;@2)`c)>y!IAd!T1bspR2GNH80ODG#_pgl9I0L
ztJ+9rZ5&--cI7WG&X;Z`9!!(*+V%eYj$|x`y&qa{?*PJQF89?4A4&T1T=-}uvXoDE
z)jy)r5+*R#esM6ai%7yre3Q5{zncW8h<rL<`O;0Rj8n2Aavqyc_%_9=FX%-?=8oH}
zf}b3PlW2~a^R_5fnlE+^zae9sXoq&#!z;LK$DGIN9m%u6aQmswg=7<dTg(qiI*-}!
zS69ZsTEa%F8^7Ibn35ZZ3RWK}A!^G#%e`+VNxM>rvjIdZe8kw&Y!7GGYduzlvr~pm
z_FF*d>NU%BKU*LUswO#%Tc62BQG|Ni9BxcncD}v0<fs~opT_j)(Id<BvF{dXfh$G_
zbGV|v*fk1n0}^%_Mo_%3Gh1tG4)x`^zijNWmRh;FGnNm<<!j$Go<zBA&w46#!*eUZ
zew4EX-lKw5nf|AHBE}1t8|9m#=f_LYgE6AR63GN$VUIPnRw-VP-Pex~tWpeveK6Bk
zy&VaC+~dosOl?txWna-7imv<2f+5YfVp^d|8A7%vC4tEX&TW&qcZBW^F)ei)8BaMb
zNIomftkl8RT|1L@Zv7Sfki+;ze-axb|GWp3Rll}3_jJ1f=@gQ*{u07b1Vo}og(e+v
zk&ShY^$hUPCSck`HySH#K1qjU&cE4*S()vrTV>|Qxgo)55VjT1eUHs@w)uPE4Q2am
z>-X!37*#$JD38m}0MYtQz&e$cm+td{e_pIa@XQyvGuPRUPkGJ@37!HLOLTT;wk~|F
z?iMp(BcLs)A&5OfL#izb(A{r$bVV<Ym*RjVf&}avq7Z)cJ%rlF0SUE^o^zE2A-p{+
z^y|`qu$P0%GmX!Y)_cLXu!m3kY6u~x7--K`wM?a{E`l%Qb1P;Jnlu*(+1^2@gY;0(
zfMiAdX00NS-rGhrv`q1S`ZV)W#rBQ+k`IxMFy>7g0hP$~-4IMC@8?<qC}^WNAarPE
z=^;K=B8$#c#m0y*EY8(GL+I4+=i<ut(1iq%x4l<1j;VH~v3dIF=3{aH);E}K?;Y4F
z1vBc^=dv{swFczE?2z}tYPxg3jtSV3(Gu=A-|V^nxS)W@ufb+iotWKlt$Ao0;Vp;W
zLHCyFK}FN1wzA%b;rRI-`gKlb8t(%zGpwr4i)x>F{Y=xZO`gdc32x|lE?2m_zY23#
zo+?MdKP8GWjkFzXOb&n(|M2I>G#AtEvNna=s>v&UdhNU;wK4}yokPgOEO+nHp&jVA
zdoIo~juKt#@hWoLqN5GaVfdzX7Jfv79?E&P(KWuu3l=874y>Ct+)bWm-@W4*RgVO;
z%!WiwJF!MTrBsepFBws#d#XEo?z5-09WH=ecOO`r0G%AvSO^m=6*J*=AAq|EL6ksW
z-kXR<*-mW{M<2e|Zq33e0wWuoO<KD=YWAbWPJ7KkfaX=qp6OCCn%%tO0|iRoHjEFX
zM@Qt}yhGf~J}zwEH}kzslnt7MN6c!I<*|C84E^v%^w&VDdtY(#blGFbxE$2zO`<5s
z3*<1ACEn5Fr%>jwutnPHHhVyju{@mh^Cu^zI;zwrNv+9kMZ_zTTKu#5JXi*ra&dui
zMk}jBt?;8gcN2k$_j7hDzdS8PHO*!HK$R?8OJa=M-~7N_OzKGG`Jdxhsgy8#r5JvG
z_d)uG${(KIJITegJHOM%5362x;T(<bG#e$)hZ9NQCBT-A#d(uFzgVMji!YCt?#;A#
zJGW}6raU)h|7z^w2*+&z#B^I9-SDZa=PdEYEs+qdlTvSb#63!(t$i2Doy3V6N5sna
zz@45`ypQX7sK79^zlozj&t}YLM?}3~=`UmN?Y+Armaw!*a~t#48*_ZeLY3agxe`RS
zYdU~VlPcS-U3`^5`>|dPu40I<w`YCNBo>ul7HqqrxUjhcTdQgyp!|{fxKK~gyoay0
z1@bl?G(Vxgv&BoT3QObtW|E{TS7be>8lrZ-8*q7NS_|Ej+RB16i!$O*fdk1N(n?Us
zJq&@3;G?!1#xqcqi`O^M<f7px-@G@Xb!<XHv*z#id?GKPPXxheI5FaCOebf5ZMauP
zAI%WBe+!THL`d_7oXY(^a3+2ErUTk@ZgN(;SY4)At@@qp{^|Q#hnbp_vtRzTtwSu!
zZLr+xO^a_jrhqFWa;;L#*?9O|HtP7E^t#5vLHjYw$so~s>%eHPY#aZHp{fcJ%=h)>
zRiE;m#A4cjuG`>`;087iZBb)SxeOwKF-yjxyviXjv;#wQQ00#>bRJAzRBJRxCf~TN
zc@MK2KzBIep@jssGqg44$b=t53>45L%$m9;hTq^nrL3(121CNLS1*91>#oC|51V1$
z$DY$_^BzN0_x<Vb=Jdtj;Y5}~-|GwWIqudFG4O1=N-CGk5JVW2>&bT&O^9i}4%am8
z6E&A--1f@6jZ!W+%)pAnv??xieXoro^4N2Fnh*Ch&KKTo9nYQ7gIZxSO#0f?AwqSc
ztJ-6WnszuzFWQ2an$T?JNx$7bq3Q-q-i(lUqIj}_lkIO)?e3`)g3WGxR%kyDe@F1@
zfJArC{{=EmJo(t}3#vX3-IfZ_F<2_<qo~E57VcRZZn9nt;bM}m!<B$G7Uh{<yi;f%
zK9_eT6LGsP=c=cY447zW>Oo_v9^hcm0T~Jx2rUD{OTWVn`m}ArBAe$M`@^@IN^0#9
zD#mYqAw!2^Tq#p}KLE>)&qUd)++a%Lf^+-=F24ht=uY(pr+JITPRSb2P3>r>jhOnv
zEdOqEM62&U;oY^iBYp8yLH7a(58`}L$a6yuY6Y9)@2g!O7nvf`msdan4%L(B)z#rF
zj&;il*62ItSM1PY+QUYxRb97t5@Zy34>iYH7AKl0<eJZF1%Uipec>wQ<}$A>y4H4_
z@Gi6Mr9WnyKe}hYdN@|p*z_rVr8$CcxKl|}Gof{VNO-K#)x20O``vkHM1)eG219B2
zgQqY3u)$oG{l5t&N%f8hxhM)jhv#KL{KDllCs1tA5Vc8hstH7AVs7OagAw`q4$O`L
zB9m;*4_HSn2UA9=_6;e|F-2#`OV0ve$8(u#NY7`+EB%R<$3MTT*V$=B^NF3VnMZs6
zb<t!nFO~{viCbRgIL?!#N6EX&+x^62wjaq=PM@M;i=Y&qGM`6=4V7~H?pZV~MF|^f
z@yPMI{*Z?IDX=@t*6JM;+xX5i6t!b^oN~lfZ0DQnkgu&(Af@Le@s{F%YYVI((G?QW
zI0?abNzGKjPmbQb5B|`-*-c_{Hwloi9>h+&WY+CMJ;}84{B5H~(^;<1R3<Cs4alUg
zDs$TuS!zggb8~uD)(dfEuqxoKP1^?lfi#U7E~fSAD!3Q3taUmz%rgU`?pgPVh*LF<
zXQnQ5<jdNqxkyQ^&FGw%%#gV`Uin(y2#`sm9v#dy<p5+Mj!Jar(e8K9th0$^zN+}S
zrm^qJ-W!>V3g@0E%Dp4RZlf3G4l_O(j~vcDs;!dbgqz!#HuO;fuq1X14+<CMb={{1
zA8`8a!}ymbEpJ@K2W*)DRO-<|TNX}X7s7)O^)(4_mVEA}kNXDA*4d{|cf}j3LW}k5
zTPLwQ7-j^+d4d>p!}a-W$28kdR>`v@$zURBoZw)aBzS4%5p+g2v?&RQ)a8=djV#bR
z^S?@*7h3hGe3xI5zYTBT#wF+3RKkb>zGVm4q|qh2))~2Qw*kY6%ck*%?>zCK7a;aQ
zR*RW_^K(qfL>VJhAOot$ta{LwsoAeFgcWj;JR~DcSqh2F^dIh!B=z<xF+8i4t#_EA
z4I!Y!o92hiodeFf*W_sDt2Vzwqs?z&j}n202Tt}mfmO;2Q9ux_*p~z5Flw%S$gC;H
zWgV4pj=9&{9Z9}j^)*4{p5q@TE$;d+MmPDsDcd`NnhynlFr!SruKyx$*|xzM`Q+4{
zH~a_;NcIuRE;FS5kL5!CTJV?rJcd6?1^jAwEC5w(u35Pk|A9Tcl~BOL{ss^yDD<;h
z6UX+a44D#+m{J%k+Q&ARjs>oPxe$9R14b0W-aBq=(5pT=*7b{<@67gglu~J776Yj(
zb4_2xnP8Xn`E!{cKPmySmhC=v12+@=8Qayq0wt|W(>x3Q^6jP*yL@-VcgZd?c(NjP
z;=9$Tkq1{-qx-k{euF_wznOG&baX*BNihVHilsTIDKQ(9TGc;1klzk6^13AF!=W~N
zAy#(xRo35#+qn38h5`_s(`xjc7gYTP@I1bMySXziTCC<TaFhhi?VInco*CYs9ijiD
zc@kKGSO7wKeX;7!6({cZX=ew35nu9cUByLy!>YGw0R6xsXu0ar|4vDq-MO#3=iEj0
zzt#OCLG!<Z`Tty0USB(^{)=EX(gu2M@5FRRrpqNVYtfmsztNdUa{md0MwWn?0obZa
zCnqS^AuHo?37X$~4)S>fI0~h&CIbRJSVvlY@AzJvkf^h!EJrH@DLJ<t7AOJHt;wT$
z6Bz)0)p?LyaMfNlQr$c~@KvDl`Q#mDcnTOr%da2513qNO0O0UBq|1aoOguf@RD@T|
z=P9Lfc_ETb2ms43rWETwCimkekdIjiOZ&r`#Q^3ECvhR*QuO3>^U1YgA0T*FM7FCU
zgs_vZs~aUkvL8Hna9*J>zyl;Fv}u5pX^uGjMN`tLADfS{EA=)=Hmkbx;|fcC-hZoc
zpyq>-@6H_U$GZ;&;p3|4L{9UUjMGyl0c`QGbbiHwB({7jn0}4zI0FE+y1(mr^~4hU
z-A=I!5Z)yK?B04F2M>*RI=TQY#h^hgo7R8xXy-h|W7j_mdH%WaDJOhoVfQ!pccGPu
z`&t^Pg{g^xjLdF#5}$uAqsXeobCc<w*s)K}#%YOWi<hYHk5KC^K>+>SE>)<hUl}%0
ztFatdb=^|rI7}vH)Ax07H}PGHMCW?~wWPoEItjc*l_&<z+(&fewez3zEt|`pAWUMk
zogL%!(FA+dI(bgJ&f6DUu&je7aZd7q`P16kvyQ~jV!O@SwaerL=N07BQT&sl6hWO=
zq5V2jb&PbZhBc3hnMt{=y&YM`Tcc}9t8}<tzHF(l{>R!N@%+wOh62+o9u3?6guYNG
zh0P64eL_UYU@A8PD*-3FHNfwnk#Q77py~Q^kz=_qtNXNktW<{s<P?9f)Syzed%L9Y
z%L**rB#eZEDc}+;y)jY2ac6ZHca4OQkT#XeGA`!+<qXaD?+<=wLf&p;BZj^jCWEq^
zJK7-2eetSd$BW8nm}Em4nwf{k)w${CPZ#+e@iJDunqG*vSFHHunH1osk^s@CcbFbP
z@?P45n<x%y-0E(e9ZX<S|MG>ad8&=1JL+8WXcviU6MP0o4W>RJ<v#650){c(EjIi0
z143d_`kN(nNiIZ&p@QHEPoILdH*p<qcQ}hp2+cO=8{S(C0x;+FQWuwu$>_;-NTC@*
zht7UMooln4p<dr2>V?}rRKv25|6botzN>28bcbI_hOny|`_~NIiHAU5<G<AGHr_Sx
zDI!tqa2uda=D0J{^PIupH#a%U4H~N5*=<b-_iG#1)@(F(t%<&-ZHz7hK$gf<d`r$}
zmh-5MN@?l$;YZ)~NmqVs3K62&knmWY*9HJ_WCZ}GxPZLT`smWN_z&?W1Qd;DA6i|$
z(=u=`dogL3HA1TFPxkVu+D6E;Q=d+j!fW^e(zzZL23&4qr8wV=zXd?=^A1#60?PHy
zNW0Q{d+%g?0J!#$s9m@xem5S-Rrv7adU9D0nK2NO+cj*auYM27;(?B;az%@sDSCAH
zlOh4G)trlzd6Unt9DF5!CZcyh9g+0Df(3L$u{xce@3vx>b1j+IURy60AZdqM9sQ<V
z*N->s-l=g$8k35>DZ*WRpT^TUrCx1j2^s|8Y>O|IOLW~7OGb8+B`g3JngpNOCSVvM
z%))J@#7Tfq!k}jziXzG3h)r=ICm?EwJZ_ku(pE@jVzgGt;sfj3UOZ8$g%>`W$aX{s
z=NmTRxgD&%B3dNf1?z8CpkNT;%Fq#~xW4#+!$#!Jt%vM}nq)kUlFXV#bcL{!Bz7YQ
z%$l)m@}X$%h2Qz%2Jb`IDw(L?`wT(%?uD-91$+E@kzZfOSH*AZ<-f{J&(|#G;&b`U
zQ$^f7kCud2pl2^A1*(u|A+`zj>Vn%L?K<9D(^kkk{0q}x=LSmn9yi*<2{gPtTG5Go
zCFuOuUFjA-zGkgV86e~U-tcyt&H#{2oUz|tXe;#Ph~W0z)CJsAQuE8)<=q9FBVzzQ
zkDxe#Y&Tq#yvnTyuyCc|yC-u;;#^!%z|H)!qq^2soH#Lo1iv}^)xOt5eP;_)WHb7M
z%ViM@QPE+N%>K3i+w@~5-CT%6IyKr^VUxIIUUDc)jDZwtIJ7#tEvPt^IMyJ--lQ-U
zPlTBoIQr0Kfy$xwOlJFFSC_0FNlgeNm~HvNA1dlTH)Clc^@2OhN@1nat@M4cY=0o{
zxaDD^KOtx*K~~g+g=~v?=2+5w%aM>cR*#?}osFgE4B_cuar92T{V+VP!O)zDLWrg%
z>5MMDAiylWWPbmSd!*x*TRe$Xs;N$`v<1u&Zhv@Y*kA9XpdAI)tBq9WM<*GD%g%tc
zcHVRyXT+yy$Zj<aX9+$bFC=&lKMR_#?BHQ3b=hvA3p&{yTGca=^Y|R*_UlX#!9Q<O
z<wwqBSeU!aJTIZLgQO!bd_#lL{&jG-?jM`*3{xeRx|J)6uAzkYdSjo)%|}sTvMyU`
zXOq8TCml!+Bv(F1dUFI6c!{4}UZBN8Lj@T_?oo3hd8y+7qR&7GHNkUa@yl7eQ_AyL
zS*loIBLzK>&`hFNOiGI=M!~%2*mhuY08p_qDob6B0CtL)XPTkwd;HPBCJnNb-K=QE
zc_B~B$qg+on-LU{L!d)5OV&~FNPXvdmS^I^`xxrAZHJ-PyP>Qyx~LpY)wWG?DiiLX
z45aX8X+A<tOq`pGi|5=F6+v5HKI|)*X2(8c)$MHy>#4!{B;?tQut<L&ij(c3eFCHh
zd*6H?w%@c>%W;@-%L&B7pI%GvYq5dMH7&K@-)O%}`a(KH(biNZe5X>oyZ|?B&ZfiE
zUP2<sB=UlEBROT$4%r@$pR~?vD<K2<P1r}6bofVtCruQSFPO+A#@v3>@YR02Bw9DJ
zUYHKgQ%Kwxt5dv}^-3)=)2=`_o&lz8>e!51V8lZzZsa&M4DbkH;x(3hKKb?f2h>Ag
zw5UTv`SWW;_^rH-vtMxH9B%HHx+jAMr>BIhGB#fV*|!fKTho((2p*E{G?$j1$oeW-
z4Q1HfxQ9kw#vtXK3RUKnuqul1#T=)rhOqVZ5vJ*~xmGJ@Cy$BpW}Nw{#oqK{mmDD^
z`V#?_zFktO;o*zkF&ZkFC=Ce0wffLoYa34oI@)p@7QNS4wvXbVdG*Rw3gDxa*j)sf
zzhgku&%TYt!RNhSuq(NngO)+Y16DH$pL{9})U<%(3N$IayyP=GxN?4~BoekWwrKeR
z{Sw(T8QF%@n~`&k6^x`3J#FyqSdBAm+M6~C^>t?Opx$3$G2PXuHlsHT<U_T#8*>=7
z0wSuCK<g>&yTxvH{R!w|@2<+m^BTW<V2+t^&3HCwM^#`pnRkFgkh-7C5TR$D6<U>E
zqy9QyXO3jr5B>$zs8eE;vqC8OF27{99v@Bqj5;sqjTLvU2=l2flleRGZ)6MR@AQy;
ztEoYGZ*iw5)~HAX@bHIO52?;n+>)Cl>xU?5Wxd&x@fdnFOZvL%^UoRHt|S-*M8#5e
zMBfKbx;em^Ti&ehiV|k>CQCmmTij4xHIxCEek$pcb+7j@e5P7$o45G(<)bHGzgrm`
zY16pXkY-QC`i;z^A&^c~B^;;gM=+UjoR<0JQ<UmCn<v#{yO6~hyt9AM1s3tJfo&3T
zTe*-=aeSXt0~DQHqsoCCv0M62feM>Z+SQg{kg)<~dtdZCdeD3D2G?TOJ!OZSgmQQb
z`o`Wai3tzq2Vbj)qah4UIb{c%=n`4-M=aV2J=6h8!T6Ykh@u&mVKGdZ$kB8zm1jmG
z;EVO6k@ujk!RWz}_I;GOGGV6<1CClxF`-B0uMSwjD-y+oXO=<Fg$Ct9Ds11%chuSu
zhqr&`>5}TG0x<4rY~~-Ua-$qmX-wZA!ZrYeC>b!uEne~UzvlKU1zMKc`0Tw(@d@4>
zyfQq$d1tl1w6gs*RGKGTI^1gf_fE15(e$(IXJi(q$MNXpD%@aLrs#ZYc4oa~hVQ-=
zqmL1p;mG2^*$GtH<uznG9;dWKyWA=0H5tzsD-}TGp3&Cl`IxQ8rBQfc72tsgjb~gY
zh>y%WoP&0HWD&zk$iy!g)3tK-c+w#5%e}94(uEqLaBkIV7OCmsJz{1>zS;i(`!wpf
zJv(p9?aO1&#Kon~oKQ&zEZ#M#TFoYi4YPO3Dz88=_0ye}CtmS5DyK)_QJhkqx2wiH
zBZb!<!bJ3IZL;U{ujNIMcFmX0SW><$?wZK-+YlVxqQqCXYZ?QU@5&#xovaq{Ee%%J
zN2Z(H8dPg|-PK-SYBy7&Wq|RY+VtWeTNJk1K~*w<l)~FhcwLIo6T;*}f+|SvA<s=v
zw(F8r#bV*qjLiax%F7fS&KvXTmaE8Q96lCcKNMnOiw@R4_BO>^ez2qI>s(Jt%KqMr
zHMJlAt~VH-WuAZW^eLTUCLx~$q2qOy(GSe25$VbKy14_p*@XP!rd%It`fK4EDGmj>
zHU49uvEvg`^@^1ai{YBA{9}AkM+vK`bbiEZ&va!k^(7K3MT@9+M{^HGeU(j%TFNfB
zjrRAW<_o%pO6CrOrB~RVG9EeqM99v+s`9g+>99(3$mATE3K#U%bxX9h;QH`ou&OPI
z(5SJ7^|&#JVpagTGyFJJxt|C01t*)Q>zPUZDj!X)>uir#hq3c0&b&puo_Fw<8A{_0
zF3SN%D6;(<L9B42e+3WNw;eZUGBN%ZpJHe_Rg4t*YTs^_H&k}pNK7&f-I6hr+M%G>
zXBwPaK?NV4Ezvk+-$e`-nF}w~Oth->F#iMa3niA@c`ktd6qo6M8lnspEA*B@P3Ik~
z0LlDB#w?#Nxy3tZ5B_Tv;#>6q(<XiQr!vgDKFBI>m;wsUJ{dBCt30mgyMF1rBEI*H
zB*@W-^7VMfr9GeR3t0=>QCs6?&lbd+LL?0UH^$0yr98VQdJyyGwD=^qUdMMW`_?vk
zpMY}bH!eBrrBkkN3(Y6yFy7J<7SIl2sLGS1lZhTk>tzyRRStSe<}!x$-b&17>Z4Vs
zfJ`!^Gj7N|p3T5ZuihaPiooHHN|Okx%;DF*K@9A?blIMA$N_R{h{4C!xkHie^pf<B
zvLWwm)%uu#^nL@W7@3R0TJwa(U`j0C&recS9yW0VOkq(&Cm4SI|NJcgD{iya%WE5g
zwNXg`^94~xV>E^Jju^JM_eggPoc8O-MG3LWsBf4@N-D7<5@T$`7db9&9YqC8atm9K
zDik={DA7|?8GWKZYrUKEne=@0yAj#ixcj<V*YtGbYu|;#HaKM82nK4i9bch&zm&vl
zpRnBk3OHEMsWjH`h;yKHD!5kn;Ay*OC86_7+cvN{XSy@4-I?cO!8g+8;sM-wa(orL
z#VUnFJHDzsDSFT8PdFZJiZ6DRdw8=kYYXDL?#KG#js8(KF)u^hZ98Q{93dy528x-Q
z-rQy@W=if<2{KK${?GXC`OC0-3Pq`kOwAI$Ey&c;^&cPh-7Gd~nG%)=42+`TaWL$+
zCEj2pyZujDMUU?axHw6*Ss(1`8>G-YOY%WV!k45qN%Klyz<t<H@1$?ho{#2S%l=t3
z$7jE`^{cT=sO4#Bhsu_oeUO6R^m-R!dlXO}I$Gvv(Vi(mlO}x;kV95!l#@t}XEmg<
zc;^N(rL3r$Ps6^?dzFL!^6r2qW$*QW$ZIj(;-;`8Gi25?O(vW;^})+bB>&M?D8|1m
zajN2XCC#novW6oAr0WN#o0Y)6GCgHl8IpJkjjjmo66YK8lO<a5Kx%gF3ByoT4^HA%
z*h&73G8l6)z%VR;$j}kpnXWe9Ltb8FLHks;<J3uYD_&~2Jb89qQRuE53U^E?nZ)>~
z66yHccpQ3<kI`0<0`6x;fjG1ogjAWM?0&Zb=Qf2s54E619>)-Guo0Z~NueQ+lzW_d
zt@3Wp4DZg$)(q533llTqX)8lnQP|bbLsK<B2&%P*tHis;&9})%TSBS~2X1nkM4Eg2
z`0Bb}kZF%v{Z+J8pYxfPZKLel`7Fe-*$4smg4BDayDK*jlTPLDlL>x17ZXT*Ia>fC
zPfJ{4S<62JNIIg$CLOV`q2@jd{BLCAu}?!%7YE%?5B*Ilr`o*4voW5HElu!I%eI#=
zp|QanVm2r4t~sH;(?fgZk|j91)UNs5b_Tk%-8tjO9KVt3+JX%wKCNwxN>Fv0WSu+8
zi`)1(W@qmiZW})lh<YA_a=k9jlFZ(n7LjWr9n!Jx!h!#MMlhKDTbnqf>kDm7Z)z?m
zLkm;l{%n2j1)1*HcN<jH*1>eZuQziYqVq*P_M?Ij_7vanTEpk=Pu53xDQT0`^p3#P
zL|dm)d#PJ=lu-rlJnIw+_Wmc8?`P{dnr0{KqjvOd172`-pJSAYzyTPJMx!ozej*6T
zM%)QM#p`!ED!4#KWgvmAqt7br&K4EFWO36jl0jzEo4X5NSn&hjWqqn*I1c)`yQUFA
zlu*z9KiIDl>ev8|kd@cha(*+>L*YK-{xc>NyxFgecw5nI0N_73GQ@VATF<?F-W0$;
zb&5s?bhMuBDO!c4NY%J}ei1*)10VD>9KE=Pv>iTa-zwV_QP$63^2pdeE%|l(oWOHu
zZbjhBMDe&tyKoEqUhoQllqd3c74Q`0NmcWh_c4(vjlPX1P#kw4gS{VhpoCeC{SXU?
zTS(!yR!Q%x>2GH6B;ePR2PgqvmR<te8=LanJW3&S>(6N*Mf%}5(jJY;m0S1*pL;6f
z3sq81LVpB*Tz6tL=xwtb%4l-<s?La*QZLc86_z{#wiOVyvOB6W62LoyhCK7~-BCM7
zljq4G5qtDbBgc3eQ%=`tt<6!y(BaY+lsx`K5n(g3h_ipMJ|&gKCfremvTjWbe43ub
zWo72fXz)#xNPe5QF=s}1sXMa9)AKlGLD;10GY?^zJJI@?y3l%4yN(BY*;M(ioTe#L
z{!ZO?(fK2BA0J<nMf$enQ)*nuZR2npubn28KL{*THmbv<_9@23R4sgoBH4(zgBq}V
zj#7+-&cG%xSO&8}eJj{4(+SOvd!DYi0X}dNA8A(cDBpjQ=r{wn`o5*l#b<n&+oCNO
zSW+&{xH#oN$0k%bn%X72J<_lQg3GsuDZ@18zc~JsL)&}BX+&LcA8htciCYeo4R2fF
z_e;+x6*hjaS25bv!KY1Z{4RC^!f<i-9XHh9dxW@<RY=cvGC=t|uFC7b4$hco5hi}a
z(c@KF6Jib1=~fvjpV3kI_2?tt5;|jE-mmSxyS_?_{Zt{!F=a0scFL?-8iea+=~WkB
zxD{z7mT%|vEMurTfnHU<X?<N@y?Ncd#=(bLN0j&<u##L<XMZ9~{6pP6PlEGyfZ^9>
zaVzOS*HH=s?A5s7G)CzF*hOt>73QXJq$<23S$0JL#bI352vZpwRniBN);4C;Jq`@<
z8a=*7)n*?^z2MTue(Ur)&*f1%V?MG~Nin8ty5;(wN+s}D!qzcE;mc=(>HGsY4?I+;
zVH+cZkw@FYvy2dca`<#%875R)1Z;IWQiKB0<|Q|0Lx;Vg8I>%x&Lsh6wheQ>ddIAY
zR0UnwA@#%2#CrATsC<-jYjrig!utE~3o;>Oo;z=%@xQL+jRPSwRFbefdBjsNx*Go4
zUnoPFyV2uuJh8RS>_Qu8>prLF*muP=FtFd4e{N*jO31cKDTu^-Vdh&aXM9qirRwsb
zBI8|nb*3MOM+FrGp}>d-ALOFU%qOzij3$V*w_#v{o64p0ZHwxU(u9d|s-W&LTddlT
z6^`0gJ)@;%f0ln~<I$M)GX1c9GeahAJ~t59FY1nvNX022G*JIxyxHWDl5QM*v8Fql
zM@%`pZt=->WL!Q=#B(DLS+LW%#13k2_9UN1rxGYm$Txx$-|s|H<=Q6tRUXK@pDuV@
zPg>ZfKUkPJ#hsVk<uj<Wvqp6&^s0oE*<!uCp~#4KOjv4JTJ3jpc832L<>M|sIyXsU
z%-~Jv-^QdDeoei+#&$8Pjc72-d7m<vFN6-T%%Un(RUCNL8dVyq5mMieWGK??7nxCp
z=DH;nvDNKj`UeFMGI2G(oqH~xrRMUDB+z@i!d;tPo~%Ydx{AB!Z_qiPbRQMF#|q-5
zes^Yw-`$em_h=$zsB)KPMxHb;GkM43y70!oRE?<XS;Jn@kJ{CHs<)R^A4o%4@4ec~
zzCY1S<h8>9o;B(oynqrq-VpO=yZlZ{^pVAMRZHItm0mKjqa_GB*aOKxlbP!=(S4eJ
zeS^E2`ZZ~taaK+c;T1uWl<0z)e{5!vcy}F0Yb#YnX?!-RkK5UuYYNw3>#H29mS0x{
zXge_P)g3Bvp)$7YoIWPf7hKbfKB(T<E|scsskz!Ux;YhGT>MxLvCFxgfKlumGJYpk
zB8G^D7Ko|Fc!BcvM+SWL^|P_vHcSPjK0r!CrwaNprZ5J=z0&S9!+Gwp+HNER``?od
zcKMV1PbQTj0j4QJDTzAZ%$OGVZ2{}yTiZmv3@T^eZg|W!jvg`DkgfR~R0qtw{W|OU
zt0P9}*811QfHO|y+#JqPpW#is6x<wH{08@90Z&3dqYi%vzVtfDYNjX%ahGg&bGi+b
z?D&%L>l7oroEw}5Y>b^RAQcL%P~?7h!E>z&ScQ|}#-Q;b*ui##$&7Ehe!YVwVnm4w
z;#?vdZOmtrjk-MD9Nv!K7xLP&q5@C%NIP)!{roN!*|*}+{JsK)^v72Me)Obwryaep
zz_2zxL@+!aI$399_vz@@*HCk>FE03x*Po*1$1fR_(`dp;E}a-TcgInJ+{xPV!h+~_
zu&Y%1g>G%<OKVWd5pVc*%WJ8vGev;tTXwL%Uk0ueASy$|GyG(s->J)dfwCQIf>8Ob
z;Sve7Fa<)pk)p4^s9L@FrM1fBJFg^-d1SkA#z&+Eq5LUY7&x@hMh)G6Rs0QDE0@SB
z*1*AlqG*^v_YRPm7v$qxoF??y=mM(v5x|V|TMuO%i3xSlx1n36U?87{KJ~E(DwM5l
z1^AMcLRVPof@~CS@kA^3rRoKp%!X&I<9>UR=cUru@_kCjw4+d5A>KIhOfu(?GC?9s
z1jC@<#c@tchDf7KNoux3WG2t0D5umw(p~U0PE_qs!Fra$(2u(9_^AuQ@=ckL=x>?A
zwhUyKpOrqfNw}pud|G*$6}xX8HS@$T;EjKSMMOjrPIOe9zGw%aG36BJ?>2oX7rbqj
zM2f+e_lp-C-@=;p`G2v2L}!uzhrPFqs&Z@Fh7~~sRFo8uQ0d&XbazTDShRF^NeZY4
zs5D3;jl`lm1Vy^LyGuG2@y(^OZ|`UCAKw`7k9UlBJilDBu64z{&N=59$8nq!=|mN4
zl+Lr;Rx*Z%Je?i)8ZiyG1E&qA{H;X&yH@|=Vlc0?Yr94>m6e&WubK4OrKLkAU7<Af
z4^WbAI+DO8FQb%5Pfho-M>Ih7zMF8jQP`eD%U@@9%f0IdUyM$|&fQiqoji5k6D`N&
z_1dSgMZ-<Vg1_gyFsUQrU~!<%i@yKWKW=;Tyz^`MQhN}S*2RW^!*^LO(>HBqe`PBq
zQFUfz6BrXF<6G?kMrZ3;gIB-{#ZgYm)s&DJ1=m=>+b-^_kTNLd6-)H0g54%$YuO-;
zRdngI^uD==TqtAad}x@c&I&#ABp9M}q8<|4OJ`n6`ecHZAYNZ1E+!Vk0VHfFRHlc$
zz^W`V$+p;4YkE(1e2B}Jtyszri<!C3j|WVF`nMKjUuuJ6t>*aZ`p+k-a=)S;s2`nt
zs9D!)tvZxq4V+lMZf~RDKeL*)GQ}uQT-qH*kwYB2Vu`W;dDBdD%-CL9dSZPcei;6s
z*2S%!UAa4{Q;w6paMXpVcE5y+*DpZFq~t4V?f7naVo&XkOFV4TXDUuZAp59ym@D5<
z6I6qog)NS_{NoQDv$Vc<jCNcc?@4kwIm%~*6x<@hu`i=IR85l2yiUG-k{Cb#wRoWb
zD%)ktX96E|&GVerYlUPL(Gz;WHWeBOt>k*vZa{awIvBSkj$gj*sIP9>K%rO~xUY6^
z(|q5b<3FX<d;y=OPR$m8#Jl&SG2vR6JB3Ny-skD?eKRYtdO5+CTq>c(O9)iY2-Ro4
zy^j6>{w^CosgY09{s2=-?S8c7<XPXpJvTKS&d!lMocZJ>mNF2gv7ox+B8%l9t1*Da
zuHd{DjYm}%=D_WMdtxC%r6f;1Gv{e3Y~?n5q%-VrS~ZF&7VXikrgffXpbx+VJ$t-W
zrr@3l-PO8o@$hebQ*fB0Hmp@wPjq~UOhfp5AK!FukTY-nJh)%2R&czA_{LzZ27Ex2
zYVNLKs>p+Oz*=6u)^8!d=0xRa6J~D}z%0||Dce?wt<1^zq}k=2mY*E=rDAdl_8Z+Z
z6Qpgy1CP!A=MIG?3ddtc<!0YQU@xPmZ{+Lw--XdB9&pfj!}pXj#7J2?wjiTBa9bX<
zDi_j{Zf?h5-~Z6n044_DDM#<Feufr9ied-J-V;dc@rwkR7D!6eA-E=bntW~(7L+{~
z!RLNQA&+!pQ2E~9Qol6c;I(V?s2h^MRQB*x7}}PVI+==ySk;Z+%V=6>k1346Q*7nS
z><Yrs|E{G&XY+PJhpIWf=A}Gx=BUdS)SSi}PeaxPY03Lrj00XF_UrZVDMwHy|DzN=
zfVa}WO!H#KXNq58o#dq*ZH0}4FH4nNG^gbVS*rNCX@)Y?FynbZoOy=rY@@M8T$OQb
zsJt`(6Hl^;n~{LhVUQ`Mqbvo)=V*l-2>&OpB%kU!F&@Gnh-OM^HmXJqjVIn3pSU4Y
zHF+*k95W|<GwxFwfjlZENd(yWnt8=MV*4M$vZ)aOuR<=|KLYEYb@|~q!D?rh5votB
z*-C>qV<!A0KfH!>P=$b0jOV>bJd=9XrmsFXP>l{i$-<=T;V|}4e3`49Hh>FcuXm3A
z;i>*Ag?@>A5ut*f;1_@;i}bu<fZ+6x_x1bD4f|cYp0aNrEz;Ni+Lrhq-~dpd&ZYx5
z>r~4{^gnO*7Fmcj;7F#&X|}%pW5K+tY5(u<{&!riY~i<E{U6v%qwkJ%V`C#ZsJy=N
z_m?p>Rdi;4FuH>M52MtYN5W_PCM_%b4g?Vz`UVDm7v?NLH9!|VL&vz2kmCOR7<xU~
zj!Fw8=8tD982|izHBzi4HVMgdY-<3jK``5Htp%Zd{-OjxjEi$kLH2Xsc9O+Y9sW60
zz6|31)hdVu&=vp%T0530?F<)UZ4NW0y{{sD=(!;HKbMYsk|s#8uBnAs?_-cH&;q}N
zWxN1<Zk9;j11sVBf6Qev24pr!3N!Zm1Y`rm!SVxn;Y!c`aTtI=@S?C8rxb?k(Ia@H
znf0rplmCkKQ@H*<#&m=Hfs7(@l(5KG*Hg{E>UjQTK+`G(K^gq&NZ<Q!{z*~?YY8$Q
zSpm+7f9*eq<r<O~SS3z;p0oaAtN~4253F52o+Cm3*+~BWG=pH5lRn`1pR@ynQT^}b
z{x1z?2o{1m3}~VJ_UW%EtbVWif<Mr-IFsxVbSuE*MZmNHJe7cN>)S`>)Wz!Ux`UCZ
zC^~{pe}(g_>c8L*^ruM-`+Ki1&UTu&ch8T$rh$AiNdgJGc|^xY=1Buhdo=*;H|oZ{
ze?N4B^6A~H9bNL7PXUe<!&@SZJ9okXhKEMCu7>xAAQJ&#Pv(?EiwvC@G7lOZB6Fm>
ze%vyPt$*qGkzLz4fj@Fcd+zMFb<T)<IkDX7;@NHk=y||BHbnsJJx&(&2)OLic#kIb
z4zql22!sQKu4hTezTEx$vxj@{jD`N5Z9aPUDz^Ic#Xmft>E_*gx6l^Z5A)s}D_!hY
z5Qqd->2`oRTG(kObs1#PEX(akV3pX1MJQ*=hXR&ROa0}!O>h0fyM%0t95z$r*i;v^
z0I=XloJydCU{=#>RR|(z$1k>PUBKVz^Uu44Ut5l*JF1jSXnuYt`sTG%<{U-5_LW$J
zU<f)8T9flSo<%*G3u@Sfc^{MtAkv|1Hd7Oa6)*Pi5XIVR1VBzeO*a1NGY+c>YJjs(
zji6O+b2192ltZA|LxFc9F_f?UWWM?GvCBknSLyVyFo0~!l3Bd6oU9T9jAEMdiM|1d
z`$l22;px8FA#0$67Dx?jE`NM;hlo2)3+A?EJz3RelH_SF(0z6|ZlhG|<}`c(U}QkH
zF&MxRM~&soD5K!Z#C(8aTHOj*ZWKhE)_-|_gCjuCGzczhu4Xv|kSeJ1G)nDDGck@P
z`X@cCV@(AdJkJk?Q<93W_`kMRXj(2l>D&I8(Y5YJt$W?g=eWIaXR|NM<2L@Wm>fn6
zot)EQM(t5j^<FS(fXlQT1UDe{IuLgu!DT8Guz1?%n!Kf_>n_6{iPVJw2v8iRLDFbF
z#A~;eDnDb|3(n9xa1g_4GK!gKHC9q6M7>?lAs&kvSNVixbY8ea_c4ai2T~7v_O`3i
z2y*%tzyly>W@bk4HOA`!lSeWD%g&p=?@ORpzIu&o=)QYi5)O^h$jx9j(^MepW4{YX
z$bg~QOwpOos8#Xyq~kBi&#F1bNA8yZYxKtB;)Dz#9(Q(B4;$aR`|znE+sjhd9ewu+
zhVqFyZXgj_rc|Q-41V&xbSDXg&t-zNon^EP9fz8XaKnxtw!d}$@(kXD5AbI%b{kMh
zr7P`?HcOvwuI!wj9)uI~l(hqzS(<jW^DZ#cQGxG3XB(a}oaNaW#Sq80kYBwO224m7
zu;{67+`L_oRLdraw-W5#Re7ar;WKl;!um}k*8)DHR>*J%D%bfJR>PLzB_`ALc<n<~
z<&jMJ1WKFw^RkVp+HtRB^MS0;6Bz?dXsLN=&eq%ePdfZlnG6ArQSKBDfe(ML-rll4
z0;d9q&(+7zpFcljaypuD2)-j)doVQaeA(cK3c@*WAg(~LhhKFkpCg)ti(V%9VHhjE
ze!6`A1dHD0;$9`~-*8GH2HTxEF*rerVe4^BGhn$fd(Vtnu*ASeEz~RRBYAgQzABZN
zJ{tw7lSyYlNe|~5=)4(#;G2}$utDX6rM9OqzgJs#{y5ofhb^Q>>tOM1gX*i?j7k2A
zNi?9!w*l8ctUDVjq`_9e4tOqH4ok8%WsZI~zwHM<*C^rZEE@VU0+O`=)ADdPN$tXb
zwb-%#LMYGsa@Z2D>}FXBf~4TlwPq7d2g#)div-*CRD1h{mizEjABxF3+gagop^FmF
z!3{<RR^tvf&qRaM@h-26BBGPmzqdyrCfiArsQnM7Go}r`C`(@zy#dibyjkvauUkOO
zn@v^g$PC@p&@gQPrrVvG=yh)(g|v$8X-Q{C-VDwiLEvX3STvkq7=XF4_!U#2K(#35
zk&T99oV%V>xu<2{)DvM5a&Ci)ji*jZoL9@<3?X(4;OF0|admP3Kp;O|=jqOaEbqt1
zYSI<qPwMq8bqrX&<x2_9MBW#Dx7&3o7uzF`vgUJF?(ude4?TBrS|4Ih(wt+7+jj^`
zwAf!^cD9!4#Or(H63cbaMhD~eZ+1`MeGzCe{(+ch!ycRjr~@7h>qdiO&zL}>S%!+=
z&4bOqc+PWElX6N-^;&68o2$W$8G9LKty#;xg=q{F4$C%8z1iL_dGPmf1Flmztt##M
z<EvmW|GrO%MOqTgl-#+@^Ki=dov4MzBv#9<;muv4Y|k5AiDWf^EW(M!G-I67md=iE
zE3Lh>Y{!d$_q8=%7iTX_qEBXUIOF9mkzBX5Cb~fw)^T=2WC3V}IS)GEeMkrny<yVb
zmI3r@<*wG|FYM&WB9(|_z|x~JLfG)MCuhe^V>WjH5l;%IkhzE;m9wR$rEOCk=80Q*
zbs~E&X7p%b`p(*L`PVha7U<4gljTsbv5EhyS7V0=^xC*}Us^ybq^k3#eTKr(<*TY<
z6DAWDGoCFm)*wi(x^?EY7M%Ofk<=VEt%;qNagMr0eE3OMNjDweCJecNPwNHGr{k^-
z5N2{+so~5J-m73_joPovRWEG3c&$(z#TGeE1GMaL&grxOGu@J~+8Shoiy!h43fx+F
zh`r);vWx3n-sSKYK+HJ<Wt0hL63WdRS3}$v{PL!ZW8z~5Y)aX;F3-XGQrdu%pspFz
zRegN9k%0P9MQrE|CYMx~q#|0_eW3=ykhH8EUo;#C=iy_R9ZGS2m4%jr@I7oYYT9Jq
zz?8?2x!y|RA-77#U%xmtuaQ&epX|pb$e4CZjH&zd*?LgZWeMW#)Kv+qzle2t7Jd*4
z*tqTt&g5gDp4-*TzDxDQOWWn#smyL(+=S0DxBM_vCPC}Mk38oQ6rH9lZ0a4nl`2(a
zNKq(Jl;3D4?O3|#L)B*4xD|j5X4Dz7OQ|bcrk7d_znRnd3?t@ozFmoITx#7WbPeg=
z%WKGFA?3(n5Ou62R8o%?O1aZ1)bNPPim<6INQLclp5qz6^KUYCnC3&d&ovs_rT=OL
z?#;=yX*F%9QdSh*?Wqw^kxf2waT+SQOU!+0v5WERq}P0IL<@rJYfmIoLck7ca>vsb
z-xp`!?R0+??)bU3_^-8jyj*g@*2O#_znlEs-1sKUl3<0~(QiNAnNNtD7@V?_wb4@^
zD|qgAxzU#%v})xTTfWltM5Cnd@JTT5-0K`SM#1uLWKda5Vp`@E$o3eMOIa>?(|dZA
zijZJpXraE?HY77Tn)-xusmfJ8MsB+fo*2xOUjDt6Leb{y`Y<fXJxANkVz*;R#_N{g
zud&#T66~vLMB78qo~~`-i`ek=77pu@u5|Qe9&?tgu-9u$_NU2TuXI1+SBA1gmZZ2`
zoGinKcli$n!Vi11p7AsGN2=-Ivf3JFFbW!9o%N8;2dJ4e)KYAs;cLOsFW=QK#ae7e
zX<EM@%K(J7kr9RFG2n46>T}DN0bzrt`r8ZbO!erCq`-?ya9hjfaNDQq^3C*fcNoJy
z1e@ULUaCa!&RzuP)PoiLhW#jw%3Qf5{?0lFyAK(1aZCDme2Yu;wIV5zQ%afYa`p|E
zYdIyaOM05HCPJK!L@@a_{CvBUE{kh7r;2jOCeiV{nm5a-)MZXBu__UJ2j>LYbF-RK
zo8c+zs#W7SR#df${j?E3U@6zG-&(LidJTjX%1yjE3pGj!%iIpO;nf7I`MRHkQEZkN
z_UtL3%rrFWE)eC`Fp6_?eMJ+<`lp9Ke+tGJmE(HtLaO+C!izh0vvvXd8Bi#XR7t2)
z@f?fzckaL;2dIqH)3DcJVf61*Y(P=kqbBo_$khJho=(n7-I6&p((rUu;8b~3`*DSy
zVv*>w%(h*$WpP2k@-Me#M}9Tn`q(YOV*wg*19&op{&bxKyjs`#7HB>SHqqg4PdMX8
z@YHm<zTiT={_A+b1`4uA#(=<~a~3ez4qRJGa@y=Oup$emgdN@}l(sgW_P$K;Mr%zC
z=Fd<bl`i^r0mLNwIs=NH&}K8o>OP`1vQVeK{p)NaFysRDG1zhC)2nB`HzFfw6COSu
zqcv>*nAovLs7s@&0wb)Jk?M2m-K#r3eByIvUKlaZP<=Fi{w4hp80nuT`Gp^O;WR2-
z3Q6^@nF`k^{hIHu*C3dD?fw_s{A+h8wS9j7<@ap<^~)Dh*PhcbnK>|AT>$a!ej7QN
z;>%lP^tj0lX>>p5{~zBVK9Vt^k<l+wSmmSq=NJDu1pVIiSLsM>A01JC&-4E}Xn_KJ
zTa(sV`sd}Yek^$X@yi00mp8-nuWsb(8^ja%)R4a{h=?w!#QS^T5R23AL#RR4Aqu@m
zuMhX?DR!xRfb@{&4i?3($-F5p^5a{8XxTCiJ0<_UuCY8;OcM>jIx>u)DesP^aR{**
z-8He+eRKNv;0k`YzcNu7r|rJ^eyG;H+fhK*`#e28BO{}_3&60A)U;nDc<wZrtbQ;t
z$poZM=hk$!@nP(`f~nf>QV?*BzavmCR$laC&@A72bO`gFT!uPtx}}s_1Mn^+&lto!
zWBw*3Z>qTRv|W1_owvBob0tF`AFjjdMcboh3pK4P+dEci0Eeg$$QeO{@FYfJ*}X@$
zCaYQLi40rJE0fPIF2HscHpw^hD2~-6%4({n^)7$K2W^iXT<0OErxlQPFY`LDQpBF0
zbeDK&m!|D`aB#R7JuiI1TK%ldlFNO@r`ZzlFb|iLJak*=1$ITQA)y2bdJW14;?Z{$
zx?|^702mP!(EJPLjbij0@1-^9)o-#~{y-d>Y40Jx1jA*kbKRLM10ph)*bg!I9g6s3
zRl1V|y5-P0PzRS+P2>+L6o|T-c3%ksWVYqz7&}-FKJ!+R-~*dPzj+-^5=52LjtQfM
z2JTg!n*ahZuH#|1$luIWz~qCk<2u$Y70YR}+LSJWnP;QGcVPNvuN26ft50$tY<%+H
z0wVL}8=7`_A0n7^druE*d+_Kh+R^A~(1t?>?a_3}qFJrSN_wY<8(4Qf8hmh(EgyS%
zy?pEg??=pK`=cz9pZ010QLs;){$SHRl-*{k4Mcw=!dd5W)>WN=bVkIDXZ3^=LXfI0
z(LARulOq9uz;Dml4kX5xNVcF-y^tQzq@f;W-Wt}lqy}en%<)`4EC#OOm=J1YDTsbE
zZW9;{L;-pEu^5xYbv1KVtX-DRbg6r@bQQBN<_qt1M<;B$<~WaLbJ7`=?&cH{3tTAc
z))=)9l{qZSkJovQ^AEm;b!|DY#G&r)NgEv3_JOt!>ph=}<zjY4INW9Jz+8mhdT8JB
z98%|j0^cZBI7<n@llN^3Z)dFjE}#tfVP+t*-WQ-s@`yeE@zsSSI9IQW@5qB^HBC9s
z?I8AWuY0dXOg5N=O4IL+|2Xqzu*1-!WhgOKL`NcDe^NhEKqBjMyaUkCHCwD(v2lnZ
zFRg6~yYM&rB#9>zt?gV|twW<(=aF3x0qll6-Fg|T-G%M`09G?A`qeew=JHh0fUrk&
zq)_w(XAK*d{9p?a?QyVOTTN6nlqk8)zsJHa8()mponL}5SgrO^bhWLJQ+?4gyrVr1
zC{?Qr@7OY*!Z-Fjh}U5Bx`rp%bO8u{g8`{0Ti>FlRsGp+@p?BK&(1gHnje?&Z93k5
zQz!F8yPYOAx0}EP-)rmx9Kp>9W%;8$%$>f+v1^J-(~-XC7WtJ80;Cja4_&k*Z1U0y
zYYreLwF^qs&dqK^=H1UEO3QU>yX>5jjDe<^U68RuKSP&U9bTRm;Ov~8t?l=B@5V!5
z7n4ALc3~aU3&n%townO5dmV#5=`G&(gzP8lW0{(O?QJ#qd0M-=JPuDnp06}o751#3
zam6KIFkgEZAWsePwH;rdZ`#yOdTLBf8aSLAVG%_4rMHhzL~9u#AkpCL&}hcVJn6{K
z8SXk!dgGv@gUrfQ|Cy2j%)Qv_TzqQ`gRh$~pAWz_F`)EDj=Ey&<zwU7%J}fDYMYv-
zuzZK?;sN;iQRFIpCej-ZVX*j9w;=E4G+{AEVO6a6K?suM$xIH57Y<8(aoOaq`Lfy0
zv~xJE;nc6I!6#mA%=&MabqkQrGrUXmzGx-0h!QaB%SZE}bb`|@a*Ur3!qkW5q()a?
zrPV^5Pg#^;Q;!OZsLpp<!|Pc+39{9;d(up<Ujz1OhlKThU-pjIK81QV=&CYQXn;>u
zMZen^BueDTtkxHOvDa1I0%h(jeExN62X3;@-JaC%E59tSZPgUGc(@b?t7KZevw1wv
zbK>9@MPesP1YgV9IRub}>Qf&0d}uu+_qemNsT70QdT>orv)p=<zgw@gP_rCcF5f-L
z>oj0GDkPnJ7QqtbFl<@(dN!9^e0n^ORZf1lrD=7u9F;4&IAuyq8Uug3mh)Q>(^`2L
zUN$-XZKA`d;^ULiE`dud-JvAeAH#3%tb;v0>cnk+F#7`Kap*T5G-hI+L_NTkE4cq;
z%E4Nte{+H#-}SldLDqJ<boAZQ6#GS5op%_-wnX;Tr=aP{`6o<)hg)1`9{apNz9g`A
z=R2LeI`;?$H$h~-=i^TqAB$g-@}Ch?;cV@~^&ci8)nS#tx#K==7q`u|R<TtG#;FI0
zJU`#AVI7&|Jcys^8^j;>93BafX$r*KTO{Ao0?_E15H9P92ULnqyGLOxR4j~QfoboH
z@dy?Jv&dyA3Mb2~rkmu@G_$j5F1(@yN4f(vdzHkGR7<@4hg01Z9<T1N3cQG}`Qcy*
z_JMmZzg#>CVavBAcr<jQP`i5mY;9_%+2xSV0Ng>##j!ytyy(SSGnS+JOTMifv+0ZD
z9&&{t`N^sTLs-pje3C28P$SsMR@4?s^qo!?hsR`?_~s!e9H*^=G@0?UYNXK&nwC!l
z9#~sEfowg7rMISyJ*mI2q4bK(CyLD#%VC1(8s>ZNbpnk$!%r!=Wt`I<lO?{V{R-ie
zpGU=Qw(@Q-C%6<Q37UoVq&CxZJv<eti=UHh*_D7u#A<;Q=ki4bL_LyiR!Ph6lgRWg
z{4`y)2#}#p0ul}*)xuLTwJswEP~{55gGr2VX;t=@ORLf&h2<P?(6Qz@gJvCrc|EGT
z;X5EX)UBY;HrgjDmXl#`6f1CPqHD7Nvn^9{V}~Spa*Q2ZI(mENh1?uQZ@YPt^4`pR
zjZwGxV<9ONl~bJ5<1c#ZC4oW4JkfR*dF*0R@Aw6HIHU46`C?;+%~#k}CjsRULiX$d
zbelr`rpwPc>6+|1Hq+h$y#YP~r+peugXV|566Hshb#UvH>aJ!+>ruSRR9TGxhE2*I
z!r`q+g)*wd<0JkZTH1<$8C5my<?a4a>(Upm=810k6n^KcInkgIn15G1*=DF*AI1eD
z|2VeQaYej<DD#{(poxO%k&B!#u$Du4$!;;UOSgI2n8yFTD)@kt1|brYp;>6N*{pSB
z(;g-9lr!Aq?4ZaVX4<5dQ(0B-C*_#6V~Oz6-U<nJ=ecitk~>0tzk6ToB~K4WPw&k4
z>(c`89$$pSC5$`@887|x(qqibWXzU|g=Q6s7ZH988nsw?YjximB;a+YP%O1|5~F0m
zORyDoxs)9&*1l8#%5#J<o!jdt_jwiAhC@*z#xg!WJyp5g5fOm{Zx*mFYm<L~(TKF-
zT`GzR6<WRA`N&LqQYj5Y7S9|+yOB%Px)q=#tCu;V%zV=a-n^_*ND3fasAX5m<*vUt
z#W;#TZ@@73S<D`z5|WA%N|#|ebhw2k=QF4-Zq<YI{@5Zh?Qs1C{U?RJ_}3WT2XoUi
z4Y10}ZlTrBfsm~qU*lYvWrCbyu>)KAjxNT#gEJJSIT?q5iLNf2ftE5m5G|~_g+NLn
zDXVAHsGU$Yh1;D16BCyEE12gF5dD-T!~TqPhKGr^!kC<lr8N`~`ZtB&jaK`by6nx$
zitlO=^?z1lju!v$aB11U+Bw~=SJnV8aet$0r7m#DhA%17P%Qm{LQzWJ*?Z)l-t~$9
zwZ=YOgIP7V34Hy$@3#r}1M!IrkuKJ9n4T7|*XF!qxxO{HZfWEB<hgjG4@3dITIvnS
z$FZol$!P)p0%{d+IemtuBawva4u*)FJD8hCDY^_bb$|FVZPQ|VF$6Hjno5g?l*)A{
zX3_*HG_<Leoa!GK^&}6UwZ&0NYP`Upya%M2^2S;%p*eb|zOaB4N_}<<l7|}42hF1)
zVdP&-g`e=p7OctCQZivFmiSU(AOBDR-CV{uDS0&HRFrhkIE4DXi8O|V$tD=l@|*sk
z8~T!0c2GT|<UZ0Q9l{d{abZWh+$>*AtcJMw-|-v|@`}xsUQl*7?5p2|NlDt?@qAN!
z=R2)BK|i@JovXRKt8EvVZV5AkmTNHSv_bId49a~uoUZ_**D3cn4dQ-4nasbeGoz;H
zC#B=6V>O(w-JG|ivq5ErzD3I{LFd&iaH&$IIt)m8C#q^qIeo7L)a|0wQ{lpo<0!RH
zh5s@ifM2j+t&kI%73Hn_Pdf<la63M2SRRhXn;h0Gw{$vcNA-$i9jXBE1sWi6m<kt}
zn~pI#+|m7Dm;odIu90pvc}g99<U#eO^9SP{4Ns5^4Ab->T^5tgt1}OKxXwQ`oi@@^
zs-SDQ&q)WAOctemC<Gx}xRs`oFMkFvk`XU2l5S!s(59lqkXbonkoSgZP4CwuNYs)p
zRY1MaOW?RZI{_&AaX+Kjte{V<J9ie&lKt@zlla&|B#P&=NVgG`-^@<`1NP07bk!{=
zDS0JlYl?WcP-QL1ClGiQf|g*;F(udTR~VY@NPwmx&;sOcc|MFB)tn`-&+tlLt*FNE
zCBP^Gr3WYBt~J@=?90_=mleyr$%jG?n4Q|>$i`G=`Dw3H*7M;40>NP|smp5OQVvAS
zcb3q{%WaAU;%{ZUH(2UEr>Q_iie`O38^w@QYnv)Y*eT%zld^nPAE9FM!(+JO71gGN
zrGvdz<N9#zgIC<@WtQ0j>0Gw1(hFcJYzwM~VWc5*K-WWmhJj?>_XX9_i7*3h0T;0m
zCfUkBS<r~qK3Ct7uML+lT~sh)bYu=-k+z5RrWt>G`{|+q#%*0~^-^~*ToH?*)kHfd
z3M4u61+=pipD)uTIp?_^&^VOTiE0XA)aOIu$azc592`x>q#Kn&_MP$ac2Vf!&@-}`
zj<BL40R4lwNEp3sMOnB-+{6b<*154;%v$DSNNJlA{<c{_@kr=p4dvq<hzquM!~2@3
z!_>TYO|e-LbT9*~k`h|Nm;wAIbj1xcxvKICT(!++>7t_EH08OVurh$-okwYV2hmQ=
zdn)5N@JelUSl4@pE&*Wms2n?zZo$*-?oe8Qq{IQ99##|!p^NG#G+5miQwsJ90Y~0@
z3nhGA0lpe1gJ~LcV*$B!;?=>b(fRB~Z3`h{5fCuFXn2kSFQz^?9tog<Jzp>ddA}nh
zBq=6sIqw2if4a7}8fdg1AMx~_^$B?c1*Gq>?;N_6WbftFmp*F9#gBQ72h~fl>*tqy
zCW$Ao;7rG(Nlbr}R$EO^l`x9zZy(7}=0pmTdNXs=_QhGC<VI!kX!nca!(={9+yE+^
zWj%}Esv?3!($g-YXiJ9~7$a!f-XvO}<0ik31I0G@>m-njqED!Jkp3~x#UZZ9`jH%l
zAeOYF9K&rC&p-&}?#HJq3@^VXu<woA)Iawp9_nGV#juT$YB(t3VGJFnSIgI0Q6!_b
zvfcam!=0`AD3X5IFgxuv9Ru=BjHpi-phX@cSpa`8h=nHOJ`pHC>zG{Hh|S;78|@Xt
zMVFp8hN}>*%M+QSvLh^HI~OdVkNWBM?us&<k_Jr`e9ONP)4g~>y-_Lhvuc0kf@B4n
zQq8HMZ@i?gZxz-#LWeC_D0P?)mFDbI-3y2PNNA}9o^}8^G@1H%xweZ}E8IE&l`z~j
zr#c{iM!edqB(l)-WR4gEV)bONrB61z>-r56$D<DY?R?5dbPy%dui6DsOu9>2to?Pl
zh9zr+R!v+(PWr@{kWWrtC%Y6w4V9TvBdw+rkpk-1RR#RW8|0*hjHNYVRM8>Nu%Vvs
zok-V%!a#l~t<^ZB$N^^BSKVIuE(|eo7AUV*3YEGvRN}sJolVi*yp7)h9g+q*V3rf@
z(#gHPT^%v~=f%&2()<=)V=Wsq&Whx3_s1V(<F$~_p$_E;O}*nE#Dg}rq{|Dx(#nb?
z?<0?0_)u%VXfw5@+O2^STQ?WzT~Q&*6o-rog_{=w{RPkIh|CJHBH_r$;Kn;yH4{y2
zCPAv1c#4n1@mvjO(@nA`@^OX9)NP>^wmv*VBT3PN#Y?6_SoJLVmu@%L2w>~x*9{tc
zb!*mR@o*?QI^wxHHCxNf2f3*UPv6mJHWjHXD`n|z*&6}w?cJ$9$@wHxtZ3pcTABin
zp}4V##__~w+B@GV2*18t!|1Yjq=fOTs(f)O-{hRTTwS@pavImkE~!sHB(iJBlfp$l
zphDv<4~RoOv(P$=7mTU#1>X}P=E^nXLrkBv`%(K%T2W7DrHog&6JttRp_-;CSZO~Z
zKkB7Fv(bMR_F5@q$VPpcQi^B82lW)Lj?%F6#gTUe^Kzi{uJhJ2A?cDjQ|$QU4;vn9
zo3w7@viGnb_f}ol`l`Pum(C1$-BGr9n1NeOM#CXQ#?hj&3aXgS*t2bnl%fvX=o!bi
zV@JMgOsbBGs@eKkP@WRl$g+MGF`z4#mfK~20aVjK+`}KGQc|>5?JI#QMHdsOmiAO^
z2cqqFHhO+L_%+#)7@FIf$m99ChRJDZLR9EEwV5x?EVGu!K2@Wa5g?dFS%PUrhC`Jq
z<oD*2MzI472%=N;Ut$a68{a^z7rw{~==3@G3~4Q!YWX6wg=hw<tmXr^E;;CH^Hg`7
zGvpI2J13(p(^px&>}_sT51>Xt?pZb24mc<?DmxfdG&EIxxUgxb&}m3IcsNk3JCqeD
zb=)U&8Ki2NH1EdsmOgKL?ee92+$LV!ioTe1jbi-c+Shx-y2}!{QI6W%!rO^dMP-Dn
z#ww<d{(>aHwI+yx=4>v;lOLSx6O}oa)A?>VoCpnUhjVyWrID`QIb2``PSrpw$xRh)
zYZpRMp8I0)b3V#PP|a_AO?~{mxn}?=eaYF!=!K$A5>`}Wd+V-Dl(M~A^pB$6PVFh@
zLf$6^R&R#ySMp81_tV-yz3ti}kknk|8mM8~TS2cAUm+Mt@FvviZK;4s7d@$Djm<Ph
z?P8_Af>cO9Uqx3_Kv?O>SIp_~Jh(JQr1TSsI+M$@<$7L>&PPs6G-c$CO1ZtWh`g}R
z1XT!IV;G5LAOc~5xlD9fi<!*e^01bJgH<X#IrRho_sYqVL!lH^-4H|VPpa&dtJHN3
zy^OjcQKy{dIJ-U-R8JkYo=iqtmr6VigaoHh<jH=%i-J9r_Lu9P|L*r3CJpU|!WLXM
zG`;}JJmG*Ch&1l_GN=LXjK@A~mhnjsq!0SGs8%kW^^_;@>yuAnNJ0gt8N+ktkAdF3
zjhm2IxDc9om2>Xkq$^#;&RAqirK<s9p2u-uAyOu7^07lV-zrrG7Kc&oli~|gy3)Xy
zfvG%x>5$&Q&pJf$#_tbG@mUS>s>CfMN(`_9aVm;kcc7nKMQ2aOO1Rn-N+x-GP}Q{;
zkiuyxShlMCahpYamMBgoan}2nkw_o%Cl*8u4ysj(#xGNzU~K{wpjowd%1V8d@uQV$
zhIOP?2fXpv<A~{rgjB?fhGd4??AzT;;!ZZQpXAns(#=iWQ>+}7pkazOx3c1zCiw{e
zl&m%H6cD+OtTh8OQ<=6Jg8sr|(l7<FpIXQuV9>3#vAQ32WL@q>G8etSJm1#IF-Ozp
zr!M)1jo&UWg~zL5TX8V7eqQI*O0il8H-2;YH7}KXU*KdRbxK2QOV=D0_AUJfw{K&S
z+k0o;r?75yr?q$;!cR$Lt@i4WXGKwHOB(1Tc|ferq2LQU19fV*P2EY`C35q(M>u5T
z!~-ASR*T+&TA-ez@1iD!E|P~yY4uJ}nJR>E9uE|A$NMa4&cfYd0)1=g>XMfpPRqyN
zBaAld_d@?{2QhylJU-^S+bSUp-+6E|hQmsF`Yyw6ll1ISF8w5%3wqdALo?~6OTjwI
zfaq3Ei<duZh>YjuMfsaG@(`C>C`3OOIU>X&hsULCz;|3?pRP*H_wIn>PE$y$Y@di`
zc&S6zs)^V{^jNlc6F&OdaU+U0q(BBuc(&o;!9A6GCV48Y_F~pnPbNhvhQ0|Om_=^%
zd|h+5z?IY3H`2hPmxg95ET-fouev^#$^}|Edc(Sx3Ia6BKX!lcfB!7v8P9I<2D@eK
zbY^xh!8GMqAds2j{$r1nJmx<0XnihIq#O%VrQ86iUxrvX77;UF_?=CIc$V(Fn^>W5
z#FX7~ZCSINzELad^G0|6<7~(<x$~Q#2eI+qOTLy#cHc+6uyQMi-7J!nYE*|!H{UwT
zhFeX#V~GG|`AZoSuFNw+e>zxAmx6k!8%d22b+6s9Mf4(xEzq=v*TX<Hw(s)&Yt1pS
zGP;}`m<HeUDkR__g9}Z=-mFJ+Ct?nY^sQQrtv6b;&Gg7w80%*dgDly^y&@}Og`MIr
zqX;(q(Sqk98OvO=2RE6-ZhepnX_ao1CS|RXPjR~WSV>XWkkt1}Ps53*fNJo!=-f0{
zhkDVq@KO!ezzyZ&O4soKmUn6r3zfFdXm+&<l9Z2B6-kp2?~JVA5)H>5567%s0$#{4
z_<2wgpNWDq?s2gZw9S+yguo)9g`+h|yU`zF40vTE?hCzek)@8n{uEdF!nI(n&VXDV
zdtK%`&f8Pr1_xq8Nu%dqqIF@U@@#|I%ER^M7Y(SWuaMuH=DZT})F<}}4aa=1yRc@h
zDDK1QhdVK&F7Ii~ma&tcsxA!rU&v5BUVG1IQ_n{|`B_KN|1@i`r6nM9tNe$m+NOyU
z3xO8huJZ5@`(vuSw&;}#i-+W=k~MN{uVHncWyL*t79;w#<Ac7|9;Z7eY|VwY*jpXz
z`gE&G7;odESpyZPy&VCS#9vYH&j&}8gUAH#x5#Xgv!2Tn2BlvMgrLq>E+L<=oZc42
zt!?zG#2|k_@`G~|!)b$QFd%p7m9Bu27MeijX2%ddl)o4*G|j3kkN20G!AH@eWRDuv
zMs?4?@~XHNbZg_Whl!l2%y+tpD)Y*BR;eTdGe2?GHLV+@Wu+Big*FB+mt>_`ytQF_
zCbjHq*Y8{t5o!0f##r1l9R5~o=5)XEi$kcUSlXyJ;^vhbi0;lG1UuY&i3xfC>`DvZ
zKLxFyZ!uc14@$qe$*uYKvmp|5zYm)ELKdRS5QR?q;MkPn??Twsw}=A;y`F%Q*|hkp
z!+$NP-FOAk2G>~>*|7g}(*K-)ffMPL%!!q#DdxYO`>7x(5fYQ#5M%wjTK31i|DRr1
zY){kgkLy0|xfQ{v{areW-VA^XczR;x-LJ0Ng5)zWfCGvp)mD>L6d36kko&LFec2QD
zZ~lHJA6|0BG|BsPx^=#wayPcr8OK0jWJ02o06MJxI;5cf77iU`0;sbZ0j0w-gaAUm
zcJ-l}@*&(QTuGf4lKWBf8NE4>c^%!pA$a4e;@IMeRPD08JEtHmE&V}9HU%puk}EKx
z?f2KH$k!PtS0y0rv6uktclgrO#hQ&J`&BxkBpHB3VF~nU%M6<3k78;9^{ppl2he_%
zNn2pZB_BZxhG+Ff6$Z_B1@K#}HQ7TW(y=Iij8aIw_*L8d;v*xtca0$5R3{|Y!8Z+k
zis6|Q_LmYgij+Pdc&1GI@3Dz_lH5ejcgc>~<3UChrcVpN6AV<JQ~oX~-_=8k#YCKg
z#_SbEWqqp>O{UyT_`&y2)4xp2=SJwurRzTrnM@O${HD^zDAx8fGkgvCt_S!n`5p#u
zn7DeFnTE9VnvZvL-;Jx<Ymu1X-t|rl$-iy&8q(-bk4B&Fo-z%b^EUf$gS_hq&hrB)
z_=YErnZT8uoxB$81Ez=abn{PR{@c7zUSDfe5+aZ~{T06baSg=B-H+f~k{iqR|KsmJ
z-%E1xJwbI^>L*eHS8wspD+rQc3#zvn%xK;HxA}mB1LgyY5&0_W)qVbXg%$(w?Tg#-
z?N?TH&Bs?X+4gxxIEoqXD#ov$kQF0;L^F(faB^k6F9q-3I|iLEEN2^aH-Vqp?Pvum
zSEV5K&7eC1{~vvOe>;;WYMci&ZYjyrscmyR+=v;EPWcZWg$C5qJ-Gj3qvP-a-A9`E
zTM2&K$aTTwXQ|=<>B=(>dKM(O=uFF&AA^=BWe7Z~b|r8tHGx)QA94F;0<i3{_ncFv
zfEnAiDf8?<?;!#VB|q`UWGKkxmipc0rXHEJNdhylbZsyPVa38$Pj_3MY`!6~{wtxq
zec$`irPvA7@tBxeOMj0qm-Ng=ad#Pbs8MZ~Nh1UR5KT^~?{FBKQXL>CH&TPeM`87h
z1)S3lEkPRo2h=de@pLs43J7VQb<sL*%+zZF2l4SdE+0VsGR-k%5McN$fn%1W?bs{E
zVchY+q9@s>8__i({9wRW*Q*d9C`X@35aWJUFd}i^cvihp)b8Oq?Zwk;UAdTqN52dD
zyN~8q?b3owmT}g*HRWof_vvoIe1{`FTpU+6LG22#1iL364_6)Xb$chKI{~Y!Cho0{
zDN8M;Qt0E?2|X&jBb~+Fg$4qpKp%Q>^q}J2?-xvkCK<uCo?E;D?z02{Wd}HNr}eO6
zeN~DKr7ZeN0`MIH0LK_WfFqo?hbBopeh4Kk0#q*wbhGx82!qGv+b16iuoZZF6J6)f
zOzxC|f6oF!UaFK^6R%HX7i&9o4sLOA4+DmVKEMN)fu>1gOb=^UkUtOQX^xNE)EXVE
z4<8LH#^{*r7s)Wyegg#$OCk=-f^qBW&isnUot{jl76rG4s$H1e!6?f%4_ZT?-67@g
z07PU$bJm~k9%2x1=#gGnnA=|~vH&o=xZCW-W2mIyJk|xUx>!BX_8R>_G{;th86dbr
zK;IUeoF)2qN-pVdC|`hdU@1U(jePPanWM4=Z4R91Kq_(<NTC)30n#z>;%op^?jXDh
zKugB}jH?#62L)eCFI_qkR6IZI`*!6*SwRh%bo0ko%p<GM%9&+(+SOf=mtA=D$Ls?c
zrbIybwGbdHs&ISXfDQ*nnw9piJr75h0m{KGsaCT*KPtAW9elsEw>eVywOl4+6SxS>
zXj;;>ZVAu5&kDaso_B1oM^h#tKyIbp6BQ+Bu+vP{5u3W0m8L>~<{t-Knhm{XrKQVK
z3sOsqq1;je)(jr()6qKqNVCaP$>tNf^^s4hkub%sBP(CcO4acQ(2#18>KlN!{(zeu
z5O1#K7$BNS04(@8P|-Z+^7_3X>=O9^lyS9*g%wprjSUSA4M!XFNYd18<&(c9fWduQ
z^13`HH|ZUi-UfYf8$a-DJ*__n(^Vswgiq^T`b~KpH_8Zsk(KcyUQPk^^<|1AFYcia
z{HN4M^x88D!#0Z3fQ>$v6wOVxo(e?N)j6rOXlhT_EG`IgDimBM?ED2Fb;2*!xAHSj
zx)BnCL_E&#T)f>^)1%K%e(07@*av}@RIDn~ic}t;^G8>e%l301Z-my}#&NaUp}e|=
zCu4WB2w)@*%j*-&f#`P$ny$B1wex0?vH~Bw;RS=;0$9uTa$J-%&K8g{P1?3Zlk6AU
z;2J@=bjBu$qvK%Nun;(B8w8K)LiNSbmU7AJ{6&Cxl{kQ~o~6lWY=JGxPG1>gyw<%u
z?qzxaLtE}9SbE?iXy)OgBus)<({+;pe6=-ku`sspOqF?3Ga6NnF`h@0E|5xlT$jnN
zPZQ?F$Sg6_-tf(G9b^D=2#>#|+6&kR4`XlVs~7f_FM{0u?MT(ySl~}oeGAgV3Xd45
z2MH;6<qH5NiEV2!yvQx?Dj{V53`c`atjP197;?5+J)~6z-A@Fb>y)^LGU(KN3sTnb
zyrTr1g@^uZM_+*BaIUI*hpI~M5PK1zb7CNtQoptapEJpsc!$1;8AO$uY03lOM|4cX
zW^fV>J8{wgGNa1Gd{B>bDHAV?oR$W~E*PMK@Y<MybQv0{TiYaqL^L|k!Y1}q7|*yq
zzmESQR*HsQ=WLa23{>WB2c9T2xdi6g0ASltnv}9h?Y?1E&Bm3Rr)YaiuMo$Co=z=)
z0r^vs<wV7f7mD3#U-}e|)|Q@3l%%NH{I`g74$G0hblbs@Sb|N#DNDSGvFF=5APyXy
zI0|RX0-ncFl*Aa5M#)=j`#RQ0Rql;~Q?Ib>L4GJlsf9~P@$RU_Vp>3=&N{%~>$+K_
zzS#3Rq}(og2WCVh?8z7mpq8pwbVnj+l+RWN22_~nahY@`Fif~zdxVTEXTJDQ-j_VD
zKHF`NcY0=3zxx!(QiijK@_XAcKWGfk4FLRzZ4}PZdgskC9aE)5z(^ZKHd!qF79cMT
z3QO#|9y=7_)Rgzv=Yp8Z3_fsCCb-9)G8Rfp`9?gI6zzM($=ixfSHquxz;Pyxw0XY#
z9VE0UfDAYHW=X#+<5B}FmuV6*6~hIx8T^n<Mtjr3jxLluXr4@rE_K;EgpH~<ULO>V
z8XjHJ%w`uATi;dEV}7`S+8BWs(inc2I*6a>Z*}GJpp$@|_^AQy5q*r+FwFa-%QS-B
z(9JNr0Q%nj5PtV6lT7N`vkf0InvsL8N%wdPMeNJe`JxgU?JAY3@-oSI^ghZX=Z~&7
zjwb+U5I^ei*+nXRrUWn{@X7X4lPk2H234n&sGlZB3deL<I6Vs=1+FX)T{fZ4S!h-|
z2cu?Lhe>o$oG1lFlaZp5<*Ro}Jzg=}FwpQJ=@542X_SSotq`S&73oWUUnWXpR_Kc#
zccjEJ1wC;4l+*(u({VO+1S*|WzxOfS`#nfOqUk{G8z}tOzaFD}Cgs}?8c2|ENA-$7
zYM;_nI_MbU6&e~2Y)wn6^!0VAzr1+cvxv#HaL;BEN1cwYJ~zgwH7)ubGL43(#xWs>
zWfq*knyJ19wyvcZrEoQ9ceQ}mWcOVjsSjWRHYlMKH5HFoZJ~5DD;fHaB_+}Db#R)q
zEJyu>=lm&6?4cOC%v!Z>k*ic%qR+I2#tf?cI<u0nO333|wB;X%YON1dCntdlP93MG
zT1|$2)8XCqBya1T1L_Bvb7TNE8bTiKCU+A!JL`91VynuD?VDskoawbSS`1X6tG<bb
z_x?y5RAr7_*9&QkLC%5Af{Y6QB0O!r8kPF{A)o-a^cr7B7GFV%850P3uI7c5CWk$X
z<#Uf}_YNyZ9@3YE=$b#uSp$VH|4EnW+ATRdgUvAu*p5TQ7edX=p7_O4lcdtjM7Or`
zXL|v_U6HWTcl9LodfHYix20q=>)FkBB;MIA^!E^XAi3kdy;0A^HFcv&ajeeMAJdR#
zN0jbe!eyWg`K$<?!yT=AvH@IJmWDAnj2~Lq^K54!j34)JQ&Hv}Zie$j(}y9k?urs_
zvPCO?R)Zy$vxI5J`FhaR`S^MOvAkY@9X2Jc;Ep(f-9ghK=6<++!vs~RT(iWKB!=OW
zCz{}>R1V~P%lAD8ODWC02^>H3)Zzhj&eCX%=l8mW8ooy2tnjdi<tW${kQ;jfQc>vW
zsQ)ideM1dtvf8CwP3HwgLRQ+%R(36i*TvoZ?H7AVm&POF&}*eG`3E*N%stJbO12xh
z<S4hJReJ$nU|TfZVsftE9{(de!_h7pX&4|$hxLP(ux{L(AU?4F3<DCKpH9g?PTGFG
zv#NELg110+wMC)QBj%t8l^Qej8@2IE$T|*=hVN@+O0*|#o1RJho;C0oO8MB204K?r
zbpRr<1ofiHT7vW(x%lHerqn^nJo=kkCU%V53T9z6bTsEHgy<#NdecP_eWEbnT<5=U
z>I+~Ab)uc}L4MQ(Rno-?srG~$c$BrN()!PlibY{eM_WvECD2^FchoF9Tb&li_u}uh
zs>Gvxy9~M^F3robTaNTJ+x5k5HY$UzJP)S}>%3W7b!$&Cx4j-DN{r7Q04LWFc&1VK
z$NQArh<p(un^Av13n&c?P?~x5mY5ayRMM&*R()IrVx$5a-oCeEW#S#I$A~oj43?9o
znLv(H;|m&$YPW`^_4E{w)5;Mojx<>$f`+r2N`n}yTAH~d=-g*GV7qSE7RT%=(_m6B
zO;c03I8~1Qs-l9Zn0f>_z;o|l-;%@SxqI^~m&{4&R{cpSx%Lhs8G9VvN!2woHV|F(
ziockxh&`zdSnOc!cC@zV@yxS7A>{Y?$Y~(}XiYVL6_3=eZUCZAu*2YfCV5oLSe8PP
z!z4Qu99I+tS75h=<Km#9t=6<x|5ChUpW<k%wQ3Duh6)XW`M$?hTPRUG93k97JKV;3
z(M^U(FPZSR0POmmVXMBh!r;gdehGc|BH=!ZK;XYWT^}zGF25DW?etj;T?lxdg$`X@
z%}@{A-S9rJ0DlW|3ssZKvB}NZRtF<em*M=G9~%1i153Vp`6|yeMagxw<*EPd^5b$<
z(iA0f+{52-8cMj}ry`^F&CzM?97x`qV#yOewYX>BQ97g2<se~N!{pzQ^EHdE^}Ui3
z;#e$V*Z+2llrzh2{%gWLr!ddcRTI1uQ2a#SoTy|~k${Zdhl*z`*^^=fOW?#%+3P}7
z(d)8t#nO|RLQi(}b+t;@2uj32>%put=SDQDk@;YO*}Pms8oaH?_%Q9FB_&TnqASZF
z@!9CW@O9hMzrfP6@b+wDsgewBgqEpH>25An{dPfWC`0h~d}}JiAr;RHBd(P)X!arL
zp+axW&Vd!*d9H7j|1Tq3>+kPkIKZIkaqh=tJ;kC8`66yS$A&T}cC+j5DOP-Ud$(kM
z=x~%?6hSY&tEQYG-^TAe09gn-(yUE&r^cO#zk%n;h$#B|EtqEc)XlpOR}2^<X_UuM
zqoY)@Xx5QI__O8vuKR$|3JQB2_GbkBI}%?&0dx3aa_*O*(?>>0g2s6fMc!iOe}?J5
z69Hs7$mk}eWQ$i(+kYPt76)Qi`(T0E->cD;XM~th*N~u;ATMU*i1X_2q{1I}(kcg_
z@s-U<Q&-RU>o>p0lOFMOEZpb_L?z;qAsxs{%E|zSJ=gl~W!=?JW^S4CC%+IXqI{KZ
zNc`gT&adpwOTn^RmcWMv9%E!4_Z1`H<rg1?pXrh?c8d1}CGJOzbXpaXMITtt-~7J4
z8Kz&En#mHUbv!zalB`HZZOUrZXTKoKpj>n#;wn>vNamyiXUilJ!Uk=Q@w&R9ANbch
zQQ4SU0!r-WZ_+`F(g0$Bq`V^jnl$n62fOj=<;3*<*)Xr*o{yotRBB0D8pt;vfcCX9
zWxxH|>$k{BuXo-+$7i(Uao%VN?b;qIZ3m&}dR`Que5^z0gBB%gRgkV8_JT6`qqM#E
zIA{raVQorM!U*zAg#*blas#heC@9z^I%f9t-c=x9t=^;LWJjD(TC=+$M9lXLFA}Ga
zy%ab!5h&+hLk$4^!Y9R0c%iBk1^wn|aWf*&ql{|G6%CmCrZpDKNfP~gzyQmjNhJ)f
zDG#MJnsBB}AYgs`chUyMM^Fh(rr~8P?p>FPmp6Z<%l~}Ch$YtoIgHZPW$1?@`oCp@
z1j+D#jj9_0uJ+Zv{b_{vqJimY@y7qFaou|>2CNH@;KS96`R_}Aqj*_>gO5q|cY^4@
z3{)TBTLQ)2%>QAme|)q9w2Y>vuTuYZPuG0Z!IG{Y`m?(D&$|}<>4)vuV*T&qg17(w
z=-XX5Zv|cqbhh!f%vAVt;2)NA_0bTp+o&ICSH<gL;9n3PWP$`@%pzW!00<M^4?uTM
z_~_&VZpSQ;AYhy|r&Y^0WY8!ncq|t9jb6C}O;s#jPnFvEuKa&5wZG2o(}7JLd-537
zH~<{30g#x0U4LN^gwG^D8~`Hx^zrTv(9Y3_o}Hb7Rcvm_6R_rT4O^A$_Fg6Np6|16
zAo?1BWY!qSj5aEqYz8*TjF?O+6g_K?)}U#gIZUG54)?!t^%#HN02v)}*mr%JmwUjo
z90vjoaa$%pFZ5#nBeTIq&EDx4C{<h3UsQboIAAM4kr7oKSjcd0CUzMK7LYHaQT8eU
z<-f;{@<c@*r*4hN>!4RJU~1n3QfMa}wljhjfD~5c;R!!11wKX#-q~)@9TMJ_58P{6
zJtrW@8=1avHa8W}iMzNsvZ&2U>%gY;ScGY(hz2M^t>RtOJ?p)lQYj(DDl`__+4fa?
zf5-2CE($)mSd!e&X-KlZzsLOP%}Ga4n_=?)NFL0E_Um|`J26pbPXHldP?5Z>9!0dz
z{D4`4!Bo>y`H3A<73f6#Og!>kp6!)^{^Fq3bOF$WZJly8NRDLC99mwVtS(20eQgm^
zY&1pdl>8@?n29C`^0tKlg2kp{Qo|t^$1xejpt%Kvw7EL~;N1}<e$XQa#qXG$ldC;V
z58R413Z#4=8oSL}|L1D>`%zl>kfbtMZWAqiiyqjYlkt0VN8}YC)tUhoNzC*#$oHHB
zAUSgYA0R~?;7J3fH5(L{<~`xTC*TredhwhMSJ=(RUpr9nUKzKca$BcHlScTTllJWb
zR)8=JZra5g^q<u&2Km@AKq=YE`_#COR%TFYHU|<0X>Q*&8CF?i=_arpOrQW%R$NFI
zHC_eS*KvbT7dXb)*WVG|?>+tZJ>T<5!;a!Vn-S5R%?;2`2kG8B2_WH=J&owQT&y&v
z2N)tnvtRxFyJRdi>UcZ#sU3T)KzC@)Pm_R4I@P2nT?$x4<3gy!3k>0jAWzwIf=Gk|
zns;C2#B2GB()&4bRbJv!`byp1&112|<9Vi!ZV#}`HT|yh{MXu#MHS-M*q7Ykr|pqO
z!;A(}VGNFp6M4B2K?-T0zvfcU3oGDS@J-e^gKbf>`7YH4wSt+NPQLx?1WgS?Vnj}|
z%}$@R$-JK*|AU=g!;&0xm+gapTkj1Mu2IsX74^r>gZz*w$dulS>>-+MoPUHu70W(O
z<dO|0?39w(RQH}G(8b_C>;sr2e8W<Zpn=a!_Gc(y61TU#K?(~07b|!vr~`~SC>@AY
zYAECD@$iCT+Y}&l-}j<kI|PjrEIqsUhPUc3`H8r8Z;*CWs~76S7iwqUtXmy!i~@G^
zP14&QfDd;F*vy`Fpx^Z{5O5%M21=V_U_K+F?7|er<U^qNaF|UMdIKadcSjj3W{{LS
z(zBH_WA#P;cKH8v76q-b!310VPGmFUzgj6zFD<HGb$&RWC;ooTc@bBwN^nZ;)Kvzw
z@_w<BXD8IeRP!T+Z?~mB4|qmpAU#7xuD$H*&9swA>bCOe@=XN@ccufRhfm9^CSB*{
z4uMgkG_f9Vz1R(Ae0uCo$!ziE<pl(^5pm3Sjrshp<6jpoY-DsWIjt2acbBDy%m>X!
z)&}dBr6((&nSlkTRyBk^v{4z1gB6f;7|K*2g#+YHF34g|9Wd}J6y&MPa5Lfa{0<WS
z+oa!0kky-0NtqPl*o0v5mA`N}y*Aa`wkl^!H(%o^zh(Yby0^vd_CKw{=LVwacK5@;
zM5TkAPxUZNH_5M53HQo%`|}}Ml7OdSZ>y!Gq*Nf>CX}f1FEmlX3rfYO-kiZhe^<-?
z%O_b-LzJGK3{CO>^#aR3%QM${dH>DR3DHHcQ-?!8Y5#dsSMQrF3E{pk-w@sVSL^fw
z?pK7a#2e>-yDuLPdEmMwVczTfO?CcrpSgx~5(!4gi<n^SU!E6~CAomh=)o_@hWXFI
z1qjUlUk_|FPy;sb&2X{i6yj;BC#Z)+K7ehg(VNnAIDX);_y4u`mT^^W(c7q^q9`_q
zgo4t!B@_WE6%Y`R?hvG;q?;|EDAEm*(%qc~-O}A#y1U=8&-tHoJaF#s-Vg7G`@8q`
z6S6jYtu@zNbB^(h=Xu8WGet&4bsoh>Vn?Enr$62P=+Uen>h)-a3OH0wiB-@wShr**
zd3GLN-F)yr!M`uYf7a{a*fS20i_AyZF4R)#c}4($n>=WvhqPV$xogn$nftN%uvxnS
zNYii#xeu6uU>6#0x1#&S6kTD8L`G-;h&2FDeb0JX{Lu6+tj)>~miw_b<}0z-#Fbsl
zp+i^G8m#Pek(NjgK9`FgwXG$aMKZ-^_=FFa;yyBKO-A&$pmPi0is(d|E?)`*IS9vE
z>&`}>9-^`#zolqoQKR0Ucn)AS?C{GKmKKY>8p1aaxlp(1DHwJzNJ>hw=+*4*>B~d*
zfNSq#&D^UQM$=3Od47Z%7CkR7?(LW9_xkDtx!cmE?2XIRAB~jH`144d69)Mm$ZD)A
zFOSM=gTv5)oTjS%{h>vp;qtV%m*$5Ip(0g{dC{g*k+Cz`JoEZz(E=!GvGJ-+4Lv_Q
zB@@FhGS{QQ@$OyRsW`$&Bv<t(9BSW~CeX_1LcyfgEIcjjUNKN(fiNzt%_rUA#?MRs
zt&H?bis9gsInXK=K!>(|P~Q-}>YZd}-N|p^V|w^zZ#jGpQ2N}|bHaep>K>i;=SaPA
zzPIHYD2i|k?TnRaHbfq{<!-?GkZ@VAFZX@HSML$D`%Mqfc=wjUoVys&t}PeNzCIAt
zQT1TOc{Kk)BYUm(&aCW*OW|o63F-N|<NSmi8>FG!$OvxI<rs~c>#5Mi@PS6P6yi1X
zJsMJs3o~m=>MFISJ$!#qLrhtOn2X$EA{X+{1nDGWfO3Ih8Z7M9WZs(ObxeZa9os(P
zHq4JW>-E3<aQ}HB4b~;)l5m}tNBhM6<8-oQ6GYY%KQ}-x+udzEU>u&x>&(AVO^Ddt
zPnJ&Zy~sN78VbX?i<Ba{SsGj`H5%(l&qJK&`t*!)89n7cjC1s#CB|O8A&0+S0m@km
zKwEZ-HL36GwiV>-wqsU6Xd&iTnAw$OyPL)u7F^gzZ1i*NoOWDiC-6F6t^R7tLQA}`
zsHqQ>mQn<~{K}>z)0M3C1`0#yp&_86l`hd|7G16RzFXR8y=k7VZ7%12hXxo{Tts?3
zvjV7I69Ci?`F7h(mfXto>5Sdr-&`+CuXk5|75ugQy7CP;pm&V_?ChJCX#mOAzk4j;
z7ctIoVf*gfO}U$O2s+C-;HPdTykaD~a5v9*sI+&Xd}s`5Ceb}JvA}14aIkxx5M+Uh
zWj4|;G^cW;lG?fwUuxK*0w(98-O@9ETs9h;3BzY6c34a_`f%GOxWsbiL$g5t$GK3e
zWDn#)QSb0@j+Tg*OryGo{OT|I!C>>8`hXOx1yX+Ob!5x6lIZ>YsYPj|q|o{-Yc7Z|
z^P%zA`nte);x5bW!$c1h$<Za)3ZqhPXO>^5cjeq6$`-WG&A8Kch#h}A`8I~437Y;a
zjgm4{C05a)lF4#_IK9Y37n$*l{pJ~m)n6hO2irlx@336Yf_CrAbqkpujz#SJzP#CO
z#9pyJR9e#PcgM@TnPy_H9&B9|$X%xQ<?wu(23M7R=7Ph<dL4?kBnglfm9O5NGSRxw
zf>366ggu=z&+e+dF5pcO*QH+X?88)jxU46VSlpG?-}eq{yzB(JMHrGZ+`W?$>-0>2
zR*l)x_kMoL#;SV4;*b5_Bcugf<V71z;i11SC1iPrj(FcWm6my3SCoTZ#4cI6B%RRB
ztu%^7zlXz+Zl({vtXX2&Y&y!hp8Zay8<37V`Q5ErE)Y1<##J)9-oHjiVbA?jeld2C
z6hy$Qn=Mcf+~b7)<@nsc4El(0lNBHLK(ty)b(c2>dI%nb%|I|&Y)S1W98;M=BACmu
zQ0OTtN2CYktq}A1z8`MS*;S#?J=`28jModK4K!0EY-ueGLDT(QdA3tFax;+Qnn!dT
zl-IZIF5odN?J4B3GbubkK6jFB`h3>*3$qr5<=s*vaJpIk-XHZXV=HUk@>?7T#uX}l
z%zot7!sFmwV?}(2b|w8g>m`+V9_yQ{AhIkY902w7o_!YhcX+<k_gvokP~h`-vFoqR
zvnPm0LXK{}f8O59o$xRTkBIDbuHj&{8`jPkgAebGYbGIzB^#GZ=JQXgEWx{i+Lc-v
zvVHPgRZH`h@nV^m)iUo5s%!oZ2iEBYPkr)S=yYEN#31T+RuJMmH>4HAW<56`MO+y4
zg*1oH=*ySvYhka}ugVS0nJzy(OO`!gHEzK5;WUw}l8>?R7)}AKIaVn_kS5x&ez#e_
zWZtDH40DG+qVCQIqF+zFSZE14W41)0fz{M*f1I#ocZ;*VwLBN!tltW);3N4=HHYu}
zvL&ysN+n6)w#b^-5(o!!f)&Zq4JIH^W?mPaikGBVej&p;J}5^E09>D&=#TK)Sf)|I
z8=5ivWs8^VqNmj<sW6>BR>rY>VXRWzn&N`Kx0JUMJRC|FiZ+Lbob-0qB1_{u=+vbm
zcM!%@j|8ox9+6Z@USlT5qTuy?MoAkt684lHOX`}KzuCpAw)4JyB$gm+NbaAg8!oZc
z%gU*@>1N?KDZ5bcP68iG5coPv`;ly>#a?_AKF<S%grG3I_SmzMyYtRVld0B%y`rZM
z)3;@ZgV?`W)Q$0RdG^9&+@vNjYGi4iarS+x;##&-;=aBaBd2?f2z5T8;#Qm-5jlVL
z_~M1tzg&9$j?2`q@yP95Xd*@yVS!WJPvW0=I`R`!!W)B@-2RuM=q&HPC%3;Elo*?9
zziWXwA=v6e5`}0oQEbCAb;ZeU_Fk{qY#xjIV)}&O-Uu(^MD3YrfS=bMyEm)aOm|MF
z)5;bv;XJ!jAIgPm(mi1NG`hzfpL_e%HGzq03Ll-m+*}P?=#%ODmUNR%-ZL@Mj}kfg
zG$7tVbsq{<yopOQ6{%m$?0_^B@#USToc(#=vk6gGH4qj*3%lrQ#;Z&q<`L&xExGXe
zGWXuo;x_fW%cPIe<o$lJCum$d@Mnn-8pAJask<op{ln?-k+21FWq49aLva~NIa3NV
zsVVgV2x610wUEIKFhHE~KY<hbW;qi~YKGXKr>pV$3afZOIIN=U=}w@V<vOs64YwLg
z>Z&W+Z?YV#FJOqWiA^NKtK0$Yv9XU^#A%UzXs<b-h?kTO598tH&+voWGD=KXj6aoT
z{8<$U#s^4tH_B?U(hfJGNByb&%J@`Y4asRxynGR;%X_~1@qotu{%PwU+#1G>ACXqK
z{*-F}mMMNMhv;}i^BQ}$!w+_1ziAMie4u-1#`L-B{b?%sNd5l&CPf!27q8PFoWn2l
zl8cfMER2<w?r#vPgcW@)I(23ptsX77r`wU3MSa6VDRF{7er?RHrAK{}BArAq5lf6P
z>?>&&kGdcUf8xb#Azxu>?^i`v4Lc=bpNZp*C)mfoBbR@ht7qvBHau<esK(Xh7@Lhp
zO^SDc(V)&>iu2L%=MI@8=_7bL5r~}rWLbj%TRE#wI7(&<u%^Dxel{iH`%D@bPOZiU
zsg_Ps@{=o6K@YJ$WuNywBiVXZ9_PMgppa(x`=*SAKF1MUscYv#uD!saQWQ*o<=C1B
zJRro%X&D*bBCE*PKa}veU$@0BrmB=Zv3r!Dmr+({MtnA_T1w@H616Bx8z-T=V;>1E
zMHPl*8z-G`X)49~6C<KjrJ`)SRG4=ud0&00Vr-;U41;)+73iC8N!hJi-ke|5hQ6=7
z8?D-Op1c(r%a^6UVjkThpOW*q$0f?OU8=9IO!YQZp4I0Iv;B#-mVnw*cgYJr+Ah$n
zt0=YU4F@1yO%HttdoF2@-c2ErcOWutTrN+1M}<O*oHtax*P$a;Qcz+PN#ptaw8DGm
z(^J_O%6DH9_fzf_Uwb-Xkq|X%GU*cqJY>PQ3fZqRNN`p7`-??Ky5j7y#IJqbIOyma
zH50^;9sSN1R%n)rcjndo7?P>^e&R{xbM2a**?u~aQY_5YtOkKSlFjQ0b{##kqaxy8
z4UAv+EWP380@jW;aY`mhh0+Y#iDir=z|>A`>9IJ;-f8PK>dka1?KIfU#1<nu^JZO#
zFm%2U;*nzs7so4Q<=zS*qjQa`exV-gl-F$<XuvBGiu#;%^Le&e$-xeCXP4q3@q7*#
zgjh6iAEGpvsV#idQ+7qhWUbDhj{WAWnl~cwZ5%gBX~BWb2d95J%(QuPGt4Qap-tFO
z-<6`sx65QRerq~nz9TCoL%30We?QSszJ9tqu$6|jT#kr&EQ4qLQvu&!MXA5CV8<zN
zU;5NsMI2z;?tLd?w;-qP^RoqUQe}NIEMgx)RkQV~!v))e`FFAN8($hIXK%}MQuA!S
zJ$c#sq;9IMNQwHwvlDH4y{I9J57$$m=y(AO?>a^4WXkP_OPZU3=?(Mg2bX&u;8_Y9
z-Pi?7zq^Rpe#_DKLH%fP{+WyR;(>f0%jIf>uD$zCZ}e)^<j2K=ciF<3#p9l#k9Yf8
z8P8mm4Wo3$720XbKn(GoFhJgG&XBYBy@wN`j`C=vWJR38s~GpRy;Xt;(;LdJrTb!E
z#w*f@`b<9h)Hqtb>VhwoRhuAk)zF#%uZriBRuaV!NJ&0d2(108@Gv}_x5RuuM3iX7
zolW6KsGM5x<sv>)YYiiu-FAR;wWR5itzI8k#f&TjomY9$wm#VsIXgu2kf9?%hwxK-
zT<}vHjy_k)h_Rf+=W2X$r_R%5Sc&*BM*ae;mQ~s-_M&8YF=)BdJsL-W`N(-CuInPN
zTeL;z*de7XtxaYfDBI|}P+r(~dv;O4Nbb?@Tsc=)$V$!l!&lGr4?by=e__bH`#g7W
z;z)AsO?Ucy5n|nT!%`dN63xnrnk4)AOtptu2>4Sg3#LAI-(m1A_GFRbO!BK{J3sn#
zQmWJ{E72){j$uL_cN!C~_YxL)alTT}imgzt*o=VI3Pqn$m5uMZr_$GG@+v}KH~-V5
z9wqMzpZX5mjB)jJ^_PyY+6<=i^mmHtbD(roy*6()%x}6W9A)LHDL(uvjVz@smCPe#
z;Y?W)f~jhEx0lrj9UTdD{owldGT;c6SJk}hbb;4OuV1?wAQgbYAt3Cd`tg*wptYog
z#ZIISO5K&%$C_MWdXndv>xQ6x-SeTRy9_=IDrKK$V+y>eRimSQ)5C9x3!=scH9~Ox
zr6SuPU!m`AGnr^ww6YhDJwxDDTk$1Isk9=JL~IG)OT(i7rjqmD?3(|H((0Z9Y!SjA
zT2AqlgxN9sdb0QPW6+2rhS1xQ!82xR)BowNRcio%Op!?NKh{{k?KnIq0X320IU8vB
zpQy<Iy4KqNE{XWRfDfD(@WuZxJT0H;F2;7&0a)_LflXZ+Fch}4taJZVef|~v{(&hu
z+C3+^f4>UaoEw7sOkGV{V`w~iK&I4j$-&TzUo^+Y9k{kPF(6SWKs$T^4c1`1`XbnA
zrDL=gG+K})DUFiR2#OEn>XJrFXf5KP{ke{Q#RyjI3%))l7EIlXbzx{W{%$B;z&%Of
zU;W{KSEK(aCzyD?MSrr5=#N@+Y_L#&zJYL;as2;K{{N2l(Dyijaq^!}qWS+qUHxHy
z7nFbd&JS;MU0yk`$pLA<$aMDw?Z4lHKfm*t3OwjKj*T^<V|M`G^vVsev-~CT|HPxo
z5CEM`+_JU#&vI)vx}K`I^>;D-w~2Y;v@g08yW+{o`JXI+Ua*_<r?<oTtIYnd!L1X9
z@3pRpi1?2&KjEkkmDu_l<$K~=(EPCgI2v5a8aC_fKbko*jEXhn2dSkJy>S_oGK~UG
z<$0l<mBAY25bf?Je@o?WU(J7pF#CCwTFM#uYG0Y9>;{G$upG&|MlMvDnk1hSF9Vd5
z)@`5+$OEDSGco#$Mp4nvQfpJfdr=io2B$Q`SKb9Xx-53{nRlL=+8R@>UmiH@70yXr
z%>hSib4Y<)rkh*9YTOVKF|!&I+ev`Bb30RH<)IE|vMa%+a0u*wH30f^0m(w?lu2R!
zYaXCs&SxMMk{}Wy7sA<m?3^mE9tWt&@WHYd@||d;NqwElJ4nmbr{oL`*A@mFWYQEg
z0h3prVuGxb1xsnMg8Qx+9S0#mSYg1lM`la%HD-ekcL5NTX{Vco2dL$l@`HmIOfSvb
zZS*Ek7y}z~o=r+)L6%e$uBa)?xOxAE>6xRj7nKe~y4P<0yv<n*2@-b?49Ps0UxL5@
z%_q;Ge4YtC?E1lObF?4<O}c-y{4Qg8HiL3Y<LoUn?{M3NB8t(+3$MW{GanGd-f^$P
zZa404D1brF+0G;-=r0Vgfzj0U`S?)7^P<ohe0^>aS%KzUPqk*L#X$Ge2PP9|^Pw%y
zi1+$TXTP#W{ys=H4tn4k^nsF`0WNJZ8HaV0k@xawpJ`OPXF*Z!E3n^c_O``ixN@1B
zA96l4fE*yRVt>A))nSVt-o<$|IdFRwnIGx!*;n+H9@t51w<bwa?oP#sgE8QRxhB@L
zito?k+Tnsc-#6T0N4G0iS2A)Dtedf=l>ue2U9Q3_t?Gg1qNz}8`eF(RPv#)<(B9%F
zA6`h`P!#VeqdQ#{NaXIXP$RJZ!`}c<N)GB+Z2{JESpp(5I^28r>X^$>fykXKsd(Ue
zL+GM{TaW0@E?FpU=-vd!IQ^v&-f6n_$M}Q%aNqmuX3C5&c0q=FyS^=b@Mrn(g#oLN
z&I=z%&bSwwv3(mRO&$jW`ZXC7D4djPL+OSXV8B~9aIownOzNp+V&7bCxB8E|%&s%c
zIE;>UKIGB}Ygz4^PHEXbsNre@$os&oC-a4_LB;-tBDw&B)DQ0O&I;$SWM5A5#p5R%
z0QV=n2j8$HzyaKJtZn?u3P6py4W{p|lOGrWt`fIDt7>WUO$eWiYruA~tP9!#zHl(0
zD)$^1<ah7U3nAkjpYXGd&r$b@YAdlcvfW>Iq$tSGX=ZQOypxy;w63y`Cbf4y^sTm3
zsDWv278n(NLyG`%I?|x-#<|u?Vml={))K{QRJd_J7kRjQ70pT;G;J9K#FRNQ;Z>b)
zSFG-J?fJDtK{MNxx`b5Qf(4Z@Nf#&_&8loh=*e!CKP4?%LsvxaV`-c^TYmeRV@E`D
zID7y7Zl(FEa!}Dc?5;reLx4G1m3x_MtJPIcyT|*Ek<G~$-4cI`Kk}?I0j&L2(ywe>
zg<?05PL|p*xR}~5HGGj(X>rzeKCgSOmek8EdV~@xaEy`MTjY+*X$3A;cNUy4bG;b@
z+hdqZy-*;Z&C!_~vYDlCS>dA$qdo-r!1HH?{S8x$?VQX|*0O+#XD=jIuVDi;Uw@=6
z@|ne0^8inYX{~qGoq3Md5&@7ogPHrqqc1SJ8dw|3!(-hWqg2=hC!I)r%)fo23r!mZ
zMt7Hd6n0iZ_)Rk5=+Pg;oBhRWpKxhQJKI2PV1V3P7AWp|M)ZO$4v0+bcP4C%3}WoD
z?qy5(zKtUbN`>uocOGiNy=etQzpC(&BN?jMGSK2K1oSFiUw)W)__}q}`sk|rJxv4e
z)<G4AZCpw@`_WawhiGbe7+<UK7ZWI%ntUs7S$!P*&L7}M<1PVY0d0CAlRu@&6Q>XF
z{6Uk|;jlXoN{cc>U<`!i7_v9P3v;XfV1Lsu>`mvNN{-2&%|JWQ<Fr|O!x%_l<rewk
zWC0`c0MT4bC9+06muj+5Zu=JRLm-{}Oit&YG7k0EmH@|<t+zob(P)47^3o)VV5^$&
zR9Q+7oO8kp)F(s5C9^=jsJ(DM`<?G@KWKgCTFzET4FeH>t|~8T5K5oMce|0LojsMV
z*PT->+5{<WekQ6`Tqs@l7mbab%as({4=p(FcRw`sM_;b)Y!zJ*j>CFq&<2wAFtUK<
z0*wtQDE6&%!q8@gAS$vPQ{_e$0~H@#Zbak?wo0`X)?b^ezSr;o>7;rzCOHA3%ePe$
z7@3+cW63OYK<s0EhtyGh_to~!tkL5disxH>My!SdJ#f?N!a)q?(a(^GD6@ruUbp)u
z9+JLRWLc9?0zrGW739__(+?;J*5I1z*85YZH?y4N@1kSnxC-_kXGF=0zn7%t8T419
z85iDXyz9|q0TrpX4Jg)5r{C`+ARdw{Ve~tlMrc_0t;9(Xhw$N>sDfJE;d13-CU6JT
z)lr=X%>__2y7<2;O`_NnrSfJ}x*xb2Tnq5`e0aAhdnP5L9Ik^r=%GiD61FqhPqAnT
zZx&3GAUF39xE-6oG{BS(ztAsWQ8<2;fo3{3wb&wVVWs;5ldyZ6d6oENf>`7NU))IP
zPS?~DKZB=K-H5m8u<&e5-y`IK9c5$OJgxInc6p%yL<MVR;ky*&63bpFgA*k?|JTa`
zrAwi=TVNXhxX5B&DCZ{Dt=h_JsP;cDIwk%zT^uw;T%JGO5am;8Uxw^AZxQEAbx6k4
z+?OB+Bd7wX`^1`BODaQYYm7_XZ|vg!L+k8t>t7*g?G(c7S@8LRaw%1-{@e=dRSH_^
zV*dvk6!IHX2VP^Cg3mv5Sf*e978p8q{e8lG|K<kA&w?PJvj$lwUpKrfsa6y-Zc--+
z^C;)A1F<fk<ZSva>jh@PRW8iY8fT`__4kpNhh>ItrKgQ<KAYICwSgU@&FT#GUU^>;
zb5)4~=46LgE!j!qfkNXiTu&pkk7o+rc<7q)Ta!Yb>r#00a#w7hSx+#<lQo306eO(9
zmu<SRcPINPHAeriUoto|;2A(hS9_j%Ae+xnKHEv${R>H*dc4svmj&2HY!~Bt+l*JU
z2uG55ap9J-KfA`+m!~(`e}l+v!@8MGd$$MFgXXyxo(<Mi$?sUQ-=S0p(WyBvKUc88
z*FbEozq5va(7Ifcz}V^O^eKo+{JWbD@4=HxY-Gx<CaB?3>l{l}un1ySu&;S|XA$1t
zRSX5IA+#V1#5c;=@nzqtaCZfH`%oAOtLKMq-ELIm9ngGF;e((RbQ)u<A<FT38yrwf
zb?R6ER(lD8;JH>)&Gn7@SZ8*`>4>Vv#M>0R$PC{pE<UpoFTcPrHF-)bB^BVelC?!-
z5Rx|Z9ZA`lbO;<7s8$uAyMSZ0hvbVXxBYS_1zP?#=uNTjuq4bF1noH|##ztQfVz5=
zRj)G{H4M;K+{i_v^K`e!ifRTe`VEHo79hY_iT;RTFF;W=44%hU?Syq?1GOuH-|{re
zSk!osDe^fkNXZEG6Xd=Vzv8U~Kjo1Xd`*q5Vo)nq+D<QB5n5cZ1bIL|sVBq?DNl^!
zq%sPpFIt?h+|NMnH$ackDd!LY73S=6w0v;?^1$Nw%cfw)_7W0IY@9br<FOAVIc+!A
zcz*z%p~V{CUq%~t^HV##oa*50k;*wTqdS~lR<_z);u9odrE1g$JCjyp&$|ZitH;s}
zZ$g+$*@Dt1i^%V~-&`(NcG%WDXwrG&QmQGdYM!?{2F|b7l+?GDMjs56Z3`PYgTrl6
z1M<CPciV<$kn*pg_^yEq&&F%KR+k+OEA}s`=IZyFaLIVlN&CZXsDUa>NINU~?I48S
z!jl9ErG6CqBSSKqo`bMgaFG-YJ%nvFXiKf1{YI=0sX+1D_JkeQ$RsGEBJYNy3`{7j
zPn=-U7ktVqCFu<X`1-DBz6->U6pTV7A5oSqI6zRUa<h16CZ+6aSIK4wuTNp*50{Gt
zMoM$kXZjp|g(Qss@-R06K_ORb-qT13Z)&>pY+DTRmWnd~kfo7&-t|NXEgeiR+aSQR
z+GD148N9_#tbcl)dckL=y$1+hU9S9P`=Nc`@u|+0q?2B_Uv@{#sJ-3X>FYQU=QeqJ
z0ddzQcGz-k*-dr}BELhEA~^qIfTrxe=MfhM$QpVgPoHP|sorv+|2ADYP2r-p@``Qx
z15!l#)s$1$7(w00MOoOfjPX<#ujCnTUJSWB4G{H;&40F}xT{m3gHo*L;g6-K(q4*j
zZpYp?=%RZyjl(|uVB%98N$2QeH;l)$4qii#<5`Ob!GW@QEHS=dO_1e=Z@M^m&HLTV
zfo=#$L2#Q-BDM~nIG@<V=VPb^k9j&R*=FtGPd5{rS(UrrK?6(__tl0@1xdD1l~Mq$
zm<~i7dq*V-43+V~`N8(WP}S)LPu81ZM{%hSr&k`E*1GAvIwSux6({<67Zz2b*{i6z
zr9P<bUoR&#w;lcdzF9~|s@OF9^UR{sPjxI3pa49lq)B>{8`YZqwN4*;7d$Dx+j~{C
zP1^tcEi8^5*Pt<13m??ABm|Y8c-d&Q$_t8|NC<E?zDK8~{jR3}bH{bu7dhb;_vq%y
zGnRq0(xT@s6#X24a*_2cxWnx+vnIFTnb#*LgC>BHzG{V!RQGSH^<Nt{k@xA9@1Lm<
z={~qya&(&S6(|~NQ8ZTzQl86%YV_hx6h|dIOG$PbQr-E>3;&<=y7mIb>BZ&?^-5?T
zsDFO_KR@E|pn;t?FQ)&Kh6H~LYI)uey?;|^{^zbRo}GA^bm9_?@=^5mk5$o{7ZP&>
zmFe*v5-#G!31I)=eg#9%|F|Y_u0KcSk?H^WGf=m1TQ0=^*QGm>-62Wi{rn_59$atG
zunr`XLjMmClHaNM@-?6T11BNzc0L`;_)O3Hmv?HC4wJbZU_EH#Ztf{a{Br#L!|OWi
zcg`PM`OzK$-e^z<pdh_xzx<`Xw}CwcWcGPOualq?=>jHIV55fE@DbV%dSq)c{@}s)
z$BPi=yeL+~6{LAdeUm*TF^*NT|9aTif7*UjlDwd*UY_6#^Z(vf{-enw3vu1^KcCXp
z9~^l*?6CL89{wNaMr*MeuaW-kCh)HZ@|N;#W~IkJ0Lbr{nm0L24*Bo=caG%?f1KzY
z`NHurLLYIYLxVEc9-RL#81f|8l^9?CuNwjM$rVz~z)bOT|22_$PP}xr{TDLy_l=MU
zqj!>b9*_V2&A&c(PI%xyDajx|K?6_Z`Z(zMy>vJ~Xzi~o9l|=oDkv=x;Qj6$ygGDe
ze0X_tOG09UoZd#gb;l6i%EW(4(a-ocaZ6W&HjyMs$N8aCPc1fv(~9GHC+w4o(>G#6
zzLUI@!U##G*>1KSqo#SHndk_O2Xd50FHO$nY&tYAd+nr^ZIbi6J#iA_^tme}fBfJ?
z-tzl@|NK2q#_7|-W$Kcy#}4siPT>Ffhkt(q{4f>pRxL?ZpXTbZL+1h?o%;Qge}16s
z+7-I>Pa@?1T*hCY`R1$rugm-6_ffJKPH`$(Nl%X*B9U9c{+}E9>l@%Z*MxX7J7^yS
z{B@8296Bu=@!P%s&+i>ou+9bARK;IAc8KQ*rZBi|D(|glcvVAOm{)oIp3U0S%I>4U
z!`s#qK853+9Am<&JL=Da?|pexz&_cd!Cm@vaOQ{eWl=X^oXQZNUCXoHTDr-oFNaOo
zDx(y3bU-uh9OF?)PP2+Zvvv`UeuDxJD8SGFh~Qng^!-B6%{ibwk3kaR8ESN(>3);(
z(Sso?zm?K(i$3b1{RQO))73BtBIw04cD!p86atZ{><Qc|lsNN;Cf%Erd19Pb(?~y$
zP3$gAdo>he9=$)cfHMS!)oqSvZ{LJy>0>((Uh?~1r_@I2PBR(wIUDzC233I}J%Q@p
z7~Xj4YO@=3WMj(jQFn_IQ=XpuacNg=z<75)3oPLRCesUsY>a`mUxVE5CLYi4cen+K
zhWhqC08tGs0x($Dx`7X6Iv(v7h+VPr?#XbbvGq_^sNwC|{QT+%*Si&>BQF2*oc?@r
zj*d5U64i9&vh?TPp1SlAjQit*eauW7?R2$XwdQ7LFBH!PCOiUSJ1vK~>-eJGB*%Cv
zbIYfa#iA0O)xKIyvmm7vKdTxJ3%c*oZewtpA6x8xbv#@s^s0om7ULk}bq5h;>MQ{S
zbBG;Fo=1C2Ka_{1jpB22`5E3fFum+ZyxHFI#;=9ue8!P$<MB96K;zK^h^o5tMHM{m
z!)@H3LqoT_RV)qgS;CF0@v{J^O;^lB1u9nV4p)e=+`nIQi9?@wcd-IFfIQq^2H4Gi
z^hLKTtyNC1R%lff9ui@=-<h^NEru8}o#tHZ<s91k#ahF)TgvUQ+dmwbSL3D1EXqC|
zyVX@tuDmuoX}nN0?A~2*u)f@*;Z+4ZXoa;e)aiv|^_mJh)scrc&sIPSo%Xc^_3FLt
z<<QAU#a~3K$6ggoiKs75an6?%O0f-h))L&_>N*!f5IvUp<B}V8*aAFrhDmJS71h8X
zRfnR1ue+7k#b(&cvsnS{5mmC8j;rE&PU_bCtVTdvTU%apHm$(3*|XW?hD7tzdM0R6
z7R;h6v28PG-d!cH9WH-bY_}5N&0CB1i?-ul$UTimJ5w>JqQOJImu<HT25=CKk$56M
z2wsoLTVgI^{rg%S3C^=Tzw2|SWyp5%)^$ozcZh5Yf*s9N8HK0ze7Q~~ETBS%_q0mq
z4UD|f3LNxGzw|UrITJskQ-P~oNJw4U|8^D`CD-?W)?|9nxaL;3`2sM;)y0=9wpa1Y
z_HDt1<CCWGFfHp|GwKcNpqXhAaeJb=bw5MNT<JisQ0Ez9>b~G2HC}uM>0#?5OX%ry
zr7{>7nKg6^1})qMa;9=3_w^sGceE>)<I`x4u$a%(DGxV=_1*vg`f2xMr@dc853pt`
z)GK0tj87y<LdSYTs!d6orEg~&;taTVetOl1JhL8TEnoIPxyL1g1FeJg-qHu|kC*MI
zKAQ9n0--#wxQQe3=u)!u`5ephO#hQ@Yt!xHP8Z5^DjkH_uIqv}_9GBxISoO#;=tQN
zZh$D?QqNLtE2_%QFLP6M<UkCqr-zS2vnhI{&q9MLSB%`sMxJ_-k|~tj*-#F`of4(c
ziH5wduWzhFQjA_(hV#H`@l?74zPsDMpAjrCHdk~$#=U`_XjH7<%OOb#Iv3D3VOg=O
zJdsf*ZF_rtq$4GRgPncs-E~oSkq1L$qHL%MrXKbQ?<Wl*l0m8mk;}w~%f!pOpa`kd
zPdZc8mhXl*a9~rMPEKi*nZYd;I`SHR)w_F7f3C+k<AA77uWcgR1I#=8?+#d7^qzXM
z6*@3W&5GGVl4L87++S~y7X?horl>~p;9B_OBRdI8{#UgoQ35UM0X5q_t;XQ2=RqdU
z%ew8iseZ&~IIO4Kky3D}#XEX(64=HrMu+<31mzE`G@%f!^qhXWSIi}4k8M10Z`E|Y
zInRN#e}H7xXW`hm1tMCngjynyQ{~6z)|DwY*jy1dGuMu8t^{(h&3$DZZawm@oW!ud
z3i~UcnDWv6mFLujbAbd~zX;inZUs>Y*ka44l7x>8%oQEAliwsx4ck4T{CC^{yDT4^
z9*@)f*x4`AwRU{eAm+4ro|~KdR8rEE^wMzfkxw~toij7bttqu$Rc{WH-FXx6MLZ8y
zqN}9*m0Qbt`~m_3(1C`duOAQFqeKVi=)mhyv<^ICQczUX7^}>SPBYLlv#==FGPs=Y
zLhzbe$werHs`+y#g%p9lSoFca$J&woYOO0x2>q*SZ}}&rK`vN<Cfkb5QcNOgKE#$9
zNA7W-(i{JY*2NGume;z$YSf!j0D~FE3~7&392pBt9+DiFMk0bd^b1I6-Y=OXPHcMg
zQ>RGLr#yTp_v5tisnxAQnq$wv_{?cx58FkLV^KmYB|L=4EvcjDJ;#y`a|4)^KG%;<
zjvX=*xtZ&c^+$&8gkv@C6}tNiWvnL0CPyR$efDFLAx9UM)<T#Y&^VP}^yuW6@`KZh
z+0h(3JAo|BjSsemBhKyWGaX6xg^vwVV7E?R?yle>fYPBV3oGkpPY7uJ(;qD+#(2&w
z6P-Qs(l}OMhe<pd;YG;GprF9NK6*Yc4c18FkKkxhgGs1=1*lZ3CLB4_@uAiE{f2}F
z203G`PcF+Zu$7Y?c{~J?Jej#pyIks(A0LjsyFLaB?ni-xm7uNO7Ka<qc+c4D{w0n%
zXJhDcR|ES?=Qx|S8Wfk@A`jNutmd*RstpSE*+E&b{iS(@!35ek*JL=D>*eO>Tij~q
z(ky{WO5vdXAzsB6A4Cw5<9ezbv<E2F19HRC<?8g+)h396#yJ<Q#gyKBE6@Ox)VP)R
zEQ4|B&YKa(vmjn$9?NYPbxX_dqhZpKI5G++F{nx86uy~ePDa>PPbVO`7K$bp9`0XA
zz+<*m!RuDB6>%qGGYL`nC-`wQ%_#cSr|BuHs-M&JU^#qI=?e5?5we>WKD=?^2Hi&^
z<Zi#uovvj6-G#COY^&myd-XiJ?W_g_mV@T9`W1r~%Y%y!tX(&mDPRLKss!^MSoTF-
zn;zJ<Uke)6%h(KP7)~#qnJFCmL|gAo{Ud%svnTVV@z;}QamI@%49mBF1#h=C)<y~5
zIr0?F#lj+ZriHh84?t(_vDHX!PKUkm$jYo52Qov17N$YrsEcq%A6)g=m|F#2!3}0t
zuKj7;#Ug)Z2L{kwJ=~en7>jme_~a+LqXYe&87&5kYsk}k+dq^z9PV0ypP5^);NmPh
z`S9T{)(TfBsu~$re(?Obv9ZyE8eC++NL{QR{csp*f~`z>xZeb-Je-Q%!NoBMNjyO0
znT*{K7@?b|d{sg-cw;qERa|AYZ#JFYIUYL<=jf~Q$Bpo~Jey4~F)TX00H$ppL!kfK
zXdCpMY?Ic5%9<-wWOA{!z{YE9YHp6s3*`cW(t`@+Lx|8OQJbK8lrKu9V{JZ|)8-~T
z+%Qt5sThV<1SRQ3(X3#w_9-R3m<E8?g6yUNVqJ)<7_@I`mMNuMbSqaNv>&4;=UO<C
zg_Oe<0qb3g2++2CK&K-0`vE5T9iZ3DZPbrdx*gOo5-)}<ezXYXSDOF451#8z5oa9M
zVu*us?9m~~Sobj3E$wh~t-YBp)heH=jF_ef&XUw%LbbzbG32K@ziwAJ4MX$8arc#7
zBfIgro18nH_TDC1F9Ma4Ee;Brz3z9(#b8^&j;UJ1F|_P?lgq9%@H^_h38wf$-df9H
zsbnckDmv}!U<SBuo!H}UE0bEb5xZi)9_jI*FVRM^9K?SIe6~Nv{ncHS4pQpDq=ocJ
z0+^{C+GDm4F*@vR6&A=jbeFvvF#`#K#bLeek!KTi5*AU~!s!o0CeO^w%>3_&Mg-d8
zqkIbnY^k+xYeJE`=B{%Bg#C|1BiQo>rgqV30rA1o2h?)hq3M_)<&BEWt{c!!;7Ma7
zcZHJ7=6m(S_)cmlvZ|rO)#dWdvJC7%FcS=1`D_h~by<d-mZcP%8#ODc*`v(VLLy%}
z!1<HCFB2U*tWPN!pHvI<T%ittU@~Ke{HFn59G?c2nhgFw#j~Z@0UNO1+|}VI(vy+u
z<~2I<@;kaffRQ$0G3lG(%)R7T%lRItp9?*&{6y+=v>UCmQo78$mGRK=9DX&pEDmWt
zTurx}AJCX$f;QAQCG}G|b=zWVH&wUmW$Tw-$9O!T)5cP^=oNEo2}fn4h0W?ki#f{!
zZ+4+O9yM}s{s-~F8(HLv><G-f?m|?cDnF)@k#&RO81i5eS-kPyW;L|Hy{Vw*5!XhR
z7cQX>qNr|b^aJq?e0EKUJ0+TxibtFlpE6XW)Wht@fd=XVb8x*49U0BbLPxd^7MHi2
zfiiC*xi^biszg|aafbJPu`Pd4kBk;W?nuJhQZTr27?>2m94h*7w6f>bxX34zCMCkO
zbY~1QC%R3}&kyDu3v+rNar}q`Qz1%lx~X6)>{EB6SBGjet=QtU{q0g%p&B$_gT}`V
z7Wt%NyQ?NmR8Enc<9?BQQblZ=C(qJFg!@-K4kAZ(((fwJhtDR<mDY)rGMn|i{4h_t
z`4$bcLj=1rFtD@>)B{AiDbHr|(9zBABGsQEsHi~F)vxTc&#AwEs<ORuQ3`LTjo;MN
z6dd^D28^hmgd9-$QHptn?dPa{b6PPG5fRZGY46rUTQC`~)JeLDRD02Hyx9@SA~Q@W
zobVMMgWS%X$h_mHeOc+wkzM?&1crSbQDCu@7qP0_0~>w2GiT}EE1ncJPb@3rjIdj&
zo6)E!<$~!ZtdvlJk%H|5-4G8Xl%-*s+m16wvZd`z1svPu(Gj4-OQJ`3b>v2nu)oSG
z+K9CRssu4CTvkP921{!%#EwqTFLz1g2xu%#l8j3MuJAcLwo-oO!Rjfsje4aVbo6}p
zD&a+avWH1{`)C}b76pOGDe~FkBX@nm@eTu=Zj7~O>Bx1Q#5hF`N2uhxkA=_J#wWkE
zU8(ryB5-5|Ub#u-2;m<)dtXeE^#l)FF~gDTXnl(ja{tw@*2K7%PH{jb;M3F7`@akR
zShSmIe}W$|aEf$0Yz+pE+yM{w`9A_rtxFyXp9yqF3=Ehx_O|XfgmQrtUdKqa_1O<r
znWGCD@##N8)cP0HIWGJR7jfy#Ei52vKm_IlR(sx3d~~A8!*0<d{K)uDz2{j-@^2W{
zYI;4(H~&RC4x;OsE)-54c|sC>@}=WB>>A0v)DMe<o3k$1fq`X%x7{^G?4BGQGr26D
zANoUO>X-sY;&~W58Ho9Ei`AQt1ko@ARPdy4pFVP5Z%_PR<8E)&>X?s44_8Q9X(0;E
z=#jd6?9dfDYs_O);<OFSi5c9`qd6lC)c*lJ|2Gc4&f|YSk97oKq`^A6x~}o@zjlZl
zPq;_L#BhRHA)e{4Ql=BKUOI+`o>xgft8cwoWyL&g<*jT6g|eT$y;tYw=bclvGwdx-
z3ulxS-S~ZqwHjfN^1FXr9`APd^z;now6$3Nu;AoSvhkw$h3RUoj)8%P>-FwW`S~Gy
zRIR;;A0SD#awoVi6xD(Fyl(1)edWVtVtE(W)yWnw@GtHXo7^o*i0*K}G-vyLT9yW4
z!0!A!Og^XYoe=HYmap_4Z8S|gDdz%qgtNIa{7y=8o$^qEB+YK~_ZQBw_(m<th)q&A
zD$ug?zUbv}u@n~JlJY>M1FdOARovMM2d-1wbS$s0(%qj4XEproj58`Ee`b|~UgLSU
zc|OM}s|qh9#a?;l$nS9DwD1A<??dazj$7+dJfD=i!-{Cy(eN|P36L3fNbJ&?(B{o#
zk&1jhe(cS_&V*3)t)p_pk=23Zo)miZU2i79JF@EWsJ(?Fr?BT%j;viL9KX=O8k=m{
zRe0=GJ4FXa)YO8Gz53YFu=>6z%c<r&x{}-kT%qm6sgg&>&YyVxT%gNL_<e@o#_8PJ
zW3`S%@vMWL*(z{%un||p#W;oVZuzw|`hzp(lvtS%{kcFH*E+%9FZyO52G~CfE17o&
zELV<u)kH$C6{`(MJ=|3HDi}>BYIzx#fM&)XVKY+)(-j|Qe_Di+-%FnKLEqFx2sJ+o
zOF@HmsqK9Qy|l8*&6L%bl^?HWjk*|p%<B%xuJ7dccul>qm?+JK%nW<@^1A{`PEk<+
zQ6OBFCAaY2u1E+&B*iSy?_YzZR(l@W_1-}P<q-7@;?zXGd0Yw(sLPiRmo6`79Pa$o
z(bIFwY2Hz2s);yR3*i5ZO`uToNx}zola|1srK?z+rOOJdVz#@l^;smMR0V*KYUm8F
zvbtNsek+)H5;ZlY<8|i3jWsy~b9$Rn?^Cpp?x*?JVjUTn!-GXtNKOh#xwgLjsE@iM
zU_0)?T0QkMZ8=HIfyQB{J@Q7*`v_0uUJcSc#*>{1or^Hp6)$~v8v|I7+IVO!p0#ST
z0%;ru?dKW6WVy$rfquN8V&8zsc1}PYG$AN95WTv#AP-EJAt)u9pTAK5K$K%X2e@y0
zD_d~xo5cH5f?4zV{nbw{?=zOKrx{g&*!#t8z1Tx{LRK!=+lZO9N?*Lw9VgYk0S?jy
zZ|suJN#0OIrG~j)r{rty(={?eV0;Y<yaWAz^xdho1oLup12@gVA)QfAM)B1kwPY6}
z$WQY`&cP00;O00)aP%2I%uXxCr2H(n^Ubb7DxbwM*@RiW_d((vKK7Z}EkumIYLzLz
zR5agbR4h=?k3zuIRMOgGc^v$mGa4Bppiy--frcA$ydGcj!i`2Z`5f)4Fj*CbU4Q$A
zk;EA>70O-z?!*4!2-?|LF)mi?p=7xUIg01Oa-Mpy#4%bLdd^nK<?4t}hmPy$h03qx
z747Xo*JkaUdYW@`=L^n16a77D{`vy92Rts_xC<#O^SV{~acQJA_V*^myjb;1jqzzb
z@R=z<a82oRvJGE5>?%}YREwk*=#8vRt!)^@8}3cdsvg?>QESM{urI@oDqjgeBD@Nq
z+|uG;0eq%K2V+!#EKW|0p(h~APmI5v!Sk<KEe=xNXqN*>V?0HbGY1>nVaa*1hI_xA
zTY6A8xEovObEv?L8-5Lp+HY8F)(Emhvl{80qv)*ZoMW&BnUw0(Vr}bMDO>8ICQw1z
zxH(^<&qa4JWJtcERz4}+RhLQAUz^>fFpDF+PJ!dtFt$YA54{fu(=8hO4h|y2UV=M!
zE9K^|&)i5ue09x|&TIA9kkQIBtm?gfP2(IkXNf5)PkAarJVrqyJX#b}fGuJ#X#Ur>
zG(Lxg($5c9HC36(>MdkD@3u5Bz6!o?bWr*|CFa~**BnzywfGqu=};9}k&(`l+}D#F
zZvR>kUA(`_C>lt6LIcG^+YoWho)>2>De7nO4S<=?G75n#!v1WM-zLgYMhafz`>46-
z<P~s9#!m<{dA)5sJJ!cBpDVfT0O;<=0+`3fOW!`2H9fAE7e=?_UOszBu<YYy7mIx!
zd@L4C9!Oz|9_|lcu7N599+2QI&9_}_np(-Vr(PvF#bT?P#ES|GH%lp8X;0vmce#)6
zKY<;e{3>`=i18GaHtN-q|6;fDra9lu`|)8S{@n%!w<KL$r3vvTUcF_mIHww6t+nhP
zzOk{*_l6}YY@4MdSUR`Vm$#L<<&pFT>8$p{fPL%H_md6nrXj<PA<Xq$6L=Z6gZ!vX
z=&t_sr-J~#Lt4cFf7Y+h*WJp?B${8>%geBJh3)$<GE3EO3I|~a%V_y@3wnih2Hcis
z(y4z-tF0kTekvY{mZ?Mn>*3u205HoKPGJAOc4NysDjoP~&h=!`5{&}_etmm!-Uw-X
z_0lb(e*GMg<qwBbJ;03$O0<ME$lU&5Se<lfbAG*i#neTJO>zQKyG8bhlTx^k4RV?k
zV+^zu@s*@08^bwR^ZRD#J8N8Qo79qMwz-_Wu_a8lWdirocXww7?7}%q(!!Gbh5K$G
z5)?}XEt@x{lO{~^>F_h9n4?TKqyn+EY-oy}8%;Y%F$X5Icgiu5yng+f0Wg9@fASv<
z*cI8L`QdkZD%D*in-%KsQ9FO3D{?oSmdMMw>-JiS%|*5*ujh`o2#QNmzF1Xb+QM!@
z{;Nb`gaOgNUSV&%;0N>Hm~fzI+7yJZ=kg3s)y^1QrJ@adnI_pNSDe&?H;tzmyq3Vd
z&j!p)S9N44`C)3~y+oQ$;<;_M&7HcYz?6OeWYgsCFv0es%$!FNlM@w644VzA2ifd#
z3#z7CVu3WNNtjah>7KH~vM)s((mhex=~aYpD|VD`FFF`HG|O|bU7!kT(Tr;IvyD&;
z82zC-DD~(R`rXlr^7|$x7H8Wp&7Hy}V-9C|ki42a?#5lw_iKR7^b=#QzYP98&0RLX
z*Kp_U`!>>wokh~2+eHMj%^UT`=G+ClyUFSB)Ypil(@WEt|FzjgHJ<@GG%j+xL3Ip>
z=I&7U8&lV9O$p^ej$J4ALKmgDKth5?Xp79m4mSBEZa5K+LPNM?d${7yLm#9KY;pWZ
z2H8Q%qjg|yd)aT=BTEnWclmD*TTg}qM_-IV`vD58s6yg?yCz?EdXR>6p&#=b6ODyr
zDQ1)8@y<>BbEvs+I(!_>x;G3@eCRqYx4E>3%n*9%Y+r)$S)vPN#mt&8>ruMGL3cT3
zXr$pb6L(h%=W0GVIMRE`#?45IO-`ofVH25NPQ<omYOKqo%kUW$$GxIC<;PI;h#_c-
z-pF)C-&C5;M5*d^g9+)%YZnz8)LhadnI@a$>Jjtx(}C`RvKi?)zlX9sYUj>@%J+jt
znyX$FD(Fy~$gGtY72gjn;a|=bO-3v`6YphWdjaMhkR#BgdT5TCi$mCrUZ_I2iBJdL
z5TV)Vkk^Yl&$c=R1#GGZ>jw&@n`Mh0`<ufEuJt6b8_2m9#HLj7Ty|tY=*LL=4c7V-
zv`Bjf?Pn;&Pt7C;c|$b#Nbyu&cieg6-TNx{)FM+=>L4c|%44D^dW*Wn7KHs@iXLDn
zZu*AmcoA1<6|q?yoL6vRkmqLYZ@xnDBrLBxLgK(_pwcyCAtQH-Amrvn+O(C@fz8C=
zZmIlm;h)(P8Cj@ZY$FqXc^4KoT9|sMb(5S~fDdW=r*88E1eEMkK8YR(<8V%~Yx4c}
zLQHd6YwSn8YJ7t+D&wo>bomF#g*<=4kCV%EoXSShbZvC=H6Fq(Sg5wI@EwSnU;`?9
zba9|b%;5KRrlagDv;x5UaLd68pU8f*WSII?Jk%Zsjhoqq-No$2uA{b0aux<OsDr+P
zf0rs6C~}MO;$nYbHHeAEuTwkJcGjk=tj`AKNUe0E0CWDX9@yq=TzOT%-`rGV$;*CD
zBdejgq!P*j#plAga3>>?4s32TVucWvj$cM@J=vR}<Yox8qQ7*v{*(DeBplBVdoQ*B
zS-~(WJjZrra=rv{tMMh6rsZHiX2Px;nSPHKL91<wqKhmQ#pK05Cqno5+d}9I?ZE*$
z4lnH`7R`DaO*IycYBxS_mS}9xm9VffKVAt;;cY~NX^RNrdrFaJlwZX_paJZa6bmRp
zVHnp)><lLNdiiI)7MM>s0|t0FY62_df_SACc00NrXt>G?_8OXd5DADeN6A#()fVL3
zom*?Why2FCO4?#PnVOoKu_mG>=i}a`#Mo{3>yY~2h>o1OqvMw1>%FbzD&k$eDh)6C
z!|tpuCDW!AujTyws)|<W{R!K=ce>Ix+{R;->K4tVcOS}`xQI$yu1wTb4S#I8JVm^}
z|5BFzWy($&dj|g33H>kF?t%HC_g<=Br4pfg5;1U-BS;@*-9TH!-QMOXwYkcaTi44j
z{Z@jWd)A?OWoXjc+DO)H9^20(UwmCpuUAHFUrB{<TiIx4%`OdB@l_d-q=M9KPURHV
zVOd@|qnUJ}@B=F?*|_jd&YIi8DYU=rexEYfFCDSnlUsGHf20P+O4kHl;!9qXU1Qg%
zPT^iIFI@#AtRj>>XKZ<c8mabJYU+eF?Rh;JoV|&>p!AYt$NDh~yhDY)`W?Ajs>NwD
zySQZ=@uFhgiXnVmvrVgglD6flkQl9y9VtQbl6ebvm`JXN>9Pb1Gf;v8=#XCPuqQ$1
z-f)8BLa3T<)O+P4)%{eLuVeD}ow-xxd-an$Z)Qu*%6<JcXl}P^b`<v^c_9oa3H^GW
z$kB`|Q3DR#8h)gFEKBQ<;K`H{wl_G6Y@VKh3bRxVt62BH)-UuI=iywT>y%LK|2?fh
zmmnS4Z@_`&rgrn+hM7PSjQ~L8_~5}~1b?KKZg+R~o6+y(Dv$T?+-<FGaZ=O$_^8r_
z_n#}~8OLf2Wko=Rm(Xa$p2+x*#8_KfKo#-j;L6oM6W*t{)qng}^^96R{j1TM{4<a{
z*QOXfShrL>AEv>|v7^w}-yh?noxIj*l-SXtO%nN@pWZ2szihSow;}rKeFY+Ne0q9%
zM#BNChB28p0;b!F1aZ=z*JVSvk>ziaD(=lLu>(55+*%u#<a5?&?)O_yv~+B4ZVqM~
zuQKUsgL0o+@582buGo{)$iG3j?pXwwr4}v>-0jf&8~)hAwenV>I~AvN&{fMEkgP~5
zmrPdrd!awd^NfkEERt?9S;OhG1?MTuJ5NN69IN%nNQBa^mTDb)F6)4hCU0^i9{zrH
ze>@lhAi2Fhogx3*bNOSp<|%`aZD#+{4ENDYJc=I>VS;aZf&Yq?;g4P{!U3BK=N++s
zp4gwCN%Vn&F#po$V=!z-2^<(&j5;_r$6iCBI{E+ew{nllDXzKMQ|I;TWJ_43e}{F@
z!@gF+qeT%Cj$O?JpM&(hveqXC6ZWQKgv!@6-XVfol+Ib$pVV}RN{fE>vD@6+nYw=L
z*~MdoguJp~y4etQE)ZS-w+RCW_gfr>_Xwtsf0hCxB;b{nZ*QF%o%3Bep<qzMR)IX^
zov`yV^-szp6K3Q-UM)b;zKzc@_3&lPOn$1(C`F_CzJbWg-&IMVW@I4j^}Uek3rDW#
z9?NNyn1x2ZKd@|q#xD||E*Gm&b94?25Yf}8otdb;8?vfrtQ-CBwelp!6IBxAK0WJ9
zGiLzi>`K9c<;xfG53pn}TMgbRJ2s3gpT9=+Y9##}@i<m)`2WeA<!S%^{{CzEoTIP*
zNepv(wQ33FVXp9Fqt+n`t2~D-{jpbbMgb0V7l=(BTW0bg{OW90X*hZsKtkcb`h2_f
zky-PWXC8_=c{$xoN9F}jR65{|=Jva0$1utl9I#={&*eQow#w+if&X(W|9hUw0e5@I
Wc*6Q)#{3iTPmoXaY5HR|r~d_g(m1pL

literal 0
HcmV?d00001

diff --git a/docs/images/aibridge/providers-list.png b/docs/images/aibridge/providers-list.png
new file mode 100644
index 0000000000000000000000000000000000000000..578b82a656604e5f4ae7f6cd21cda842f9b73b49
GIT binary patch
literal 82457
zcmeFZby!tjw+1R564D?kNXI4=q)Vh*>Bdb+!=_8RyQQV2yFpqyrCYi~Kw$69U4G|$
zCw_YF|Mz(=&)yG<xz?;P=NNO0_Z^Ec6(wnG%%_--9zDXAm3gi9=n-<jqeqD3=%_%6
z+lj%CM~@J6EhQyYWF;kOR2=QhEUm$h9x=r^$5zWrsFL=@Shnr)znFPKDwC%b+RU5k
zhk^rQEw<QmuQ$(eX+4!fzCwG29Q6_zTl_&hh+X`}cVa?uQ%PM(nm2>TtsQdgEobMj
zR~h#Xuf(KN2Hm^Ra<m*@3-A+Xq#L4t7@wHL#YV7TsC8fFRD0ibW9$1}&~2uJQmt_{
z`gZ#E3VeJ37Od-0CV9A9GH~TJ=UJqFf!7~|<ksEWAKXJ^hj)XCDb-dw?|3WY(7#<9
zY|fBL)A8)Y*quinDnl_=x2N%#<niGVYk=J8c#>JscgjzX)MRKwF(T;{J>@1v;aWY}
zUs+!9KC41}?EdN}s}iO(0{^CL;#bZ{P6tA~PpJpDuD*(+7zlabucdtT1;XoFRC`Ny
z9|96JMUh#+wwRYi@07orgJNFmUq8;NW!OG^l=JRmOY8+qY)HU)&-)R_tOx?ixA#|^
zS@;})v^Bt5vSx~kk63_f^hXFGmXDBuD+J*C6!<=RgcKkA2o3m+4}4$eApZL<azGB!
zzpoL=e?KU$E-5Pu{8l%01cPmzEbJgI8b_r-Q*)MYwIEuG3Ie8fHXO$9?M%QNZZ`J6
zt2`2N696u4zz|~^HydkPCjmEM+J8ME09^kr2GP>|>k){RFs+uN3XP<lBbbJlgOh`k
zRs@rVhDONoy_ta8>o@;d9r#O_)&c^t7XX1=U0pd`c{uDG%|TrJ{QMwJZV)#&JMaX%
zle;a%*p1!RiS9od`FA_7!A_=*mi7=!J6oFH?HZfdIYWeLX@7V0UqAmbPOzKhfA?hT
z^q<oLCJ6d{2gJp}3Hq<LfvQ5kO9fOc-N4q`uPto=@c?~@yyW2*`q%S+-1+Yw|3^)&
z|E|f!_44KatolE0{j=&jC$OWWoej_@MC8Ah=07X{&zt{QQ3&*V>i<I&{~_mpl>&km
z!4v}h*P@AFLSm&=9z7C!B>P(YtsBBoCRzre)MALdBPzn6I6W&<cqkK1I3^Pl&1V|S
zHzOV%ckV@5`(qiZ<B)KE^O10-aP22yi2m_$Sn)lY%Iq(H{=8NgXV6-B7`EHbIypG_
zQgoqf_wH1!+N6N}4J{%q&EGyM&(R54@vGlHml8vM{kIPV0&_qj-d}IM&OyhE<t|32
zZ}`mex3*~z)livnLqDSb<s*hiO9NKHle3n3_xFDDvDB!ZAmIJw<45~iY$%5|aX$RZ
z-&+2NE<=_t^w-JKAWDUPOca-5swR5(x0Vrr>BzYMO$xyL!=C_>2v;#-{qlE7(tu+x
z{yNo<=!DMzNf71sYP|hFq&!5k{nx1?;4w)c=VP%*gq0VE|Gn`<@gbzY4@e~tki^?S
zd|g$dzc&snEZYCSu>YT2*hD4?hj)M5O*G_wQw8$r7u&3<`1EpStwoP%tJ=}6mz%oE
z4B8jV^jizR8Zv`b{OD#M|GD&-bbgzC5$WMXtZAd^eCbK7nxC-AXG!{vSQMlJ#RlUG
z6c%d0ifP<nYacyhUYo_YMqF!sW>9vNomL^@KlhlQgj|kZ^99HIQq2c#8OdTJA}PeJ
zVYLFeH1KdTvDVLea}~ebq=7$oZ%~pL(8+O46~2phG@*FV%c$@VP2Uo<O5>y-%K_@Z
zRCA&Eht<fLz-Q8|$k47WT)#16u6smSC87ASO_qwCDUQ21=i89s9~$o`A^&mobG@`m
zu3{D~HRpwyxUB^TSS4=U1o5xtLnRS?&&ni-t=@G3OwyB`!misu3V;6R@PC)YQX{(*
zb6d<;8Sl@1)u#VO9YLJ7=96w|Hj--TbGOfUISlIDl5TrkPR+LhN#H*$<007a+|6_y
z%@Gg4?{xCGfL@NLZT2<NU%KyRniFdm;{P#xK;V9#WsTC4jnH~K)r+DF0m+hel08nF
zGxS}7?uznhqfFY7iE1WNQn}0<+lF|J=P0Cc!{18(wIy1abx^(eli{MfpZlgAw>wtT
z<+_cuse0ixe>bvQQD1TDu`toR_ooV6_-?SnhM9c7Xq10Q;U`ko`;q@T41WinD><5*
zDVWahwDWxBzVv~V$1KwQb~}Y&l2p*edQ*?_{}7!fVvro!Oy|R+OW4gCV;@GJa^9P$
z5%=9JD<vv7$4!GI{nAvy)3%-rh}uJMedfkiL5cx4RQAvP{JSKF2Az-vtnwC_&vx0O
zP$A8PqhkyIa`)i-&Qa~S+$+If>j8?@CVeA2qv<R4@$~YahLTtrPb&3WXUlZzS<YMa
znjLL>4v1JaQm+o@7%R|}RfJwzPW8@|YL06&kEZb~MN*4)jbw|8?y)%-ba=U|H&`$9
z+I6>DFVys&7AKtXXi2ggb}aK>8UGv)`mtVlZ(9H1-6;J2)b8mE3k#rE^OOm1Q(}<8
zk=^dEP$FXZ_e#UHnKJDj==lIGkLNYpWe=_>gSJhO@YrL|sV66#m4=;JmmbSa*`vK-
z1nPzAzhHOl|2%zz!oDVH8d%Pj>zbc*+@Ew4vIR*YQ}{_#Vqq3e1MMZ|V@WvF3{ZKd
z?oSs9n%gWjytHe-GTV$R%JLY}b6Hp$UGEAQl_JsKOT=aq7Q8>I9kr@#&$1to9nTWR
zHeCF$bp0{^5ISFHnQ;5-M~uz04#xCtwVRWbQAu1F-}y)lcvvxln0<;x=~p*NI2#C8
z_-AbM-GSBecmzkwHz@2h<yLp+e1MuyQ}5h2Yz>YaH1%>$&lFY1s^qM2V!BX~C&j=c
zjZE01&XvlO?cJBe=Ckg{6s3#xR_0EfMqP+V<DMtYbMGvS(VC58@QXDo4S1tCUXFfx
z`PkEv*Jk-WgL0a+ZR@ei<(S~<`_{_G|J-OQS{RU{`AHPTp_~!5&}sqS)p@$wqAiw2
zWVjl+%=o95OU!2eaebekCna*|_p`W-y=(-Ow-)luGzcXkdC9i*yU=;>kGOD}WmER)
zdMnM#v9pcq+S4Vrgr<=A&2iC(tr^)QmZZ_#5SI(lT1u;#Vq+YEy`20*P}`Zw)M*oS
z>q$!~?8~Cn&Ir%=w?g#Ih5jh=bP@x%)jGR1kug@+PK|P%o#Vze?uTCkq6&$$=+ZB(
zW?!Tj`ZTLII8ZUBRZ)Mq@%Gq?3!x(t|7F<r+M)Jl)id3=CyO&hYnU_apDIiE4slN3
zHB+~q%X+>_3pvtBd&6Oje>WfExt;W2?sE&48@gY*?<cowvlV%OUM5z8GZZtfS6tT;
zZ6S0{h`zvyvC`sPYs1j~elR|<TFUa=_aSBF3&XFkQGBZwN}{lz>-4T2*8AMGiyZQg
zF^9s^?K%ce)FEn{7oT2QmC=ITHu)F_DCb!BUC+>nWwd(T(q1^k>j(3$K8)<S4Nx|=
z7U&rd1kQmXdOlzVJqa&^_)AU5gW4??fgQFL3AO@yP;a0&Z}Pm`FEW8enTpQqSY^7I
zbmqI-F4Xi@lfL|rXv~~VlIW&s=$%wcb1?@Y{Kt9Z_gUhj!^%el*vd7nu;;ZswT>K#
zYrjeo%RBA@`4px7NDSyuQiDxx{M3d^3m0S$wlk}1r+C}2*(cxhsxQhx-6Mxw7P-Na
zKAwYQjJhbpQBLiv3e`v|7u~+jne^^hNQ<z)*?5+zf%`U*(~qc!hM`>6(fMjoe)AAY
zm(<z{43Wz|62nxNV;t_N;|_7pqw1o1^n>JM%Eo2KT3yGTY|rz)_rqCvF(<YvHLqnW
z4F>4-eYir>r5YPGqy{Kcjs}*SosPL1P4(T<d2P(@u7$gxfa(PoyjPu7>3WpIwghM>
zeu_qgp5>V617d54vgvfeFy8EkqGtZvEkCo#&r%qCN6e6ll?lPj-s;me-*gFV-;M`3
z+H{+{({%HtaiQy}$aPy#y^n|RK2cGoi%uCn%RU0^pB}g$r3{UUgItBgbcs4+Pk8j@
zxagYjT9NYUb6+jt?k^FBzL~afqVAS|(SHz^_P)P<ne8Lc-Q0ZIaj!5KU*Z~N>^!RP
zy0YD1Nyf7yeF^Nbr)*)+U-32~9d{q<j1^#ec`;h_W9%pI0^@AnGAL(RcfjvhFDrdv
z!%-V78f6xwRw3+3q`I9~v$`h>wk|Kn90n-U(H#$G%a32d!I$@^on&Rf2QwuJO#>LS
z%6!ZA?UeF9<~Qk?MvX6;2crDi^OQwy=WR>5Ck_y7IZrzuvN|(L=}Ij$%Cu~oU1V;B
zZtMe=I{l&aiQ--c@GqqmHS$3mN+tp(y`k30tg<*qF?OA>SrvOgfApMA+iyNSz)pR6
zFCPvvs-;y_0Bh^%)Qthd_k2>VIe{w*T_=?2QcPogTWo}i{WQ_-Cvfh+V0zzH6?T;y
zLUrKF5Un*_XEn!ho?aizRN_c0Uiv)CG)$+_cEv^<I>er9YI+n$C;f?M>=n;o3&R2B
z(Mw1_*`S6hU<!gTSQ|xtts^;|_YDr$jR_o%yq0>h%{Ql3T{O|~;XBJd7v{-k-%?py
z=m6kDWG8mKWecJ9(VB9)d-lh9k@T_N@EZyLem=o*e1+kW)+x{BAY=CYJ7PwL+X&iF
ztGqYf8x7pe5Ageh6CRvC#p6ZikpNr~i-Xy6(=h=a_s5CrNZ3zba1Kzf4LnuOunflb
zoMO{&nSowrKfI6(#&Q@Vm9HrnxSBKECFErC)yllM7zU-SwtKYNC>AQFpJ=!m9S2Mz
z_+)q-l!VP0)%V(M2EDMD|9aHCn{`4#`So&K*j&J6Z|}OI52W!8c^k0nkb8tY61S7)
z-Avm3>H#XnNcDwb5<1k)=<3%7TM?i)%>xSz406wUUv`d{yQZhy*u<Etmm)R}EJ>a=
zJ-~Bi<!iN+`ltk3j~jGp#bI>T9Fc|GO7pu6O<Uhu2iBA_Yj}TN%$>!6JcEJ?EMkPO
zwWi{E>c0H;*17~R3dVqSG$CRjp{D|yZpDb)F`cI;n8pb6T87Q<X2;0gCe`GlHNwRn
zdv2*pGpu+3W-EbE6~0rZUCWl;I_f;9e+U8#x*U5XidS!=&}*}76JqAB`97@p)R*}=
zjm5Vk;k^3#A++-{#$2$_WSnG9#RR3i=!?e6%caZwz915Vt+FaD!~q^2vyqV<C6a%-
zK1R}b>!rrx@)Tu$Dv0%~Esar{_{cp2v!sp7@nA)QHY(?_xl%HDljV<`*U+^GDxTKU
zj@C4Or^5SUe9z_2Tg?|kY^8~5Jibmt)Th+<qug2V4Yd=w6(&rZ)hlgh=Q7$`*Q@1{
zSY|JF?adXsTBRd@^)kEudK906M<-HmI(E3MoG5*?>$Dlhn0B)|T+?gpYf$D#D#$ZS
zA@EbA=*;*i>>b{Z$zm>x7%E|f6%S{{2RIVGTr%J{kap^zOGb1Bpe@+w*;f1Vwcb2b
z+vhf~uta|1wK?dJ8S8s#rIDT&eQ<EHyDge%JwV|U`S|hvApcx!4lR?LFz9rNYMhv5
zIOq3?>V3Vycs^GHmM_A(D72tL$4nirZ0h!T1Jm_ozW8RoP^2(8#T`r;D;r>iJy))~
z+d)d~vg?aWodtc#D&l9*?&0jabkcgMwwaM|veHV=EZ9W+!u^NqJYtB|K5`I-Tv<-r
zty!|H{@Ewdn577&Hsy&x3<5=hRw0h>)I^FZi**a4zj*eAC_Sf6hd~LQkl=<?#m`)P
zScNx$Chm0<Uw1zS&9|qm@_I2V{(;a0B|Qqysmh_j#QZU?fYOJq`_b!il<%ZRCh{`%
z)qoEA`I3*<#b9V)it%A0G5dARQbDA1I1R-)6!8Bu?Wvu)UB{MtzdSuLO$x*hrnfXe
zPasKl<~oo0JUm>K9Std3_5_;4W))Mhel|e0G;ND6ywo?Wj}C2|Ghoj!?7}W+zd$kn
z6>?Oo%vx&n^Z+hk4fD{oC&Da!cOl;<f&S1IG-3D-?==Nx68H&1IDrV=xcRj9Cn83t
zoe>8zrXl^~#rk-TAH?)hEYA{xgTV5>(DRU1A@C4k<3`QeLdIyz1jIx&V4b(=H5O|M
z6Lz&z#%AZich_MTw8uGb@rzzPQxG?%<A!r5Rhh8-(i6CD^1NO!$M$5s9j%*msg-@<
zYrQHwYilryI$OrN4H`0G{Uwqa@eh#XYc$QrAmzlQ80u4F_IQ$WIqF1a@%_2VZ12<Z
z;A%pAJ-k{Mo0^&uz2+LT*)p5^ubU!A!B*nhHsv4uH(>)H5R-3PBFM0d+0#Fq;{l6U
zY&e<SNq(6#-iT~zQkwcW`J+@+4^U>#TefD@(=_X8H(S2sVvsB0?&`hLa&_&Yp+~}|
zWmKL^^|C8Q0i`G9j0u;~;MwcNyPtino$*q!F+RC!sK)L!W>-(Cd29RNrZyYhLB8|b
z;+>0%*&<cxlHRAuV0wz}i}!Q-r3}K&7L%L#Ya7&oNI}Ru5Ci|GsujkRTS?+jvs#Nv
zEQv$1I=8MVCTKl(mMkMvYB&D!Fq4-Z9D2JUFWXuAcA;=mu_bOJX2nImL2c-aYd4Y}
z5`dPy(=pZ`Uz_uGp+0;?=1%2iU`jAi5*L0We)$y%mjTmbqJ8Y2xK&OS-q)v0QSIVy
zy1<C=vmRVmxrBAz=l3T|i@&}5=1K|WETO^MKGGrG1LShkCVtDQ=T5zN(k+z{?%Nm|
zFZTn%7EBIMlG18_V?Ch(9V{s_7S6PB#}^toZl!dcFNagPOqWZc_<YxVCWbl1^d_&K
zw}H#2N`Oek?B`zDJNj~+;{^1I2PVQ~QMMS#c>~l4T3^t{t88U|%x7(IRu+GBS3t1U
zgFHi7$Il{27_FqNX1>`v6JVjGOP~>nFYDGk*Y^8)P+FNrUeVcghT)N~+gMg$lG<Gz
zqN3v1@;cIdGCw$I2!S<&34>L;+qN5vK_NAk4(`4ZcnJ6`&hnQ6t|!)<-qv#`VvRm8
zieJ!;Fon#QMJhHgtdnQ`5v((fAYXhzr?nlR_HA2Q4TKrNLSmcXzz#~kJVuMV%Z9|?
zhETFrWAJ!ha>j``OugpYj}`>kbqX(6Anscx$tiyVEcAe48@1cIpV{#zn_1q~a#3!$
z_pgnRWrI2<A<`J(+bwmtO9R~yi^f=0HIFCq?>I8Uc~;xDAjEL8n>5yS6*BFsmpTx2
z&z~-;XOwXCa&{%tb=A0&)FrRphsBgHK!kCFn3%~Qa36)tF?#KIYj+|{(I{s`HY#$I
zRM6jjdE1=Rw#ES`W&uyQgq_c(jHL5{_MMrO<|RWxp;8#0$U*c+XxWC;#-iU{x8kG)
zio8TB<x@CpZ5W;^g1p=#3zYej)^}H6wb<mm3ME({rt+&@iQTbuabS0cSgp_I*XUM=
zXQT)Pj~@3@cQb&ifQTs|159*&>G<tgNE0SgG2YG1pMHI2)Fb)cswNB;|4_P8h1Evg
z_@CA3yoQ#dV4sUYq|qv4<tFUJX4m8TxiqVaW&ytdVXf*<8;3?Kt*(4p2RVcSb1boH
z7^hOdD1?XWNo)1JuXsg!#<|9hmu`?7k$*cN&I!Mcs3D7%MT{Bvyo3@1H^QsXo6ZMC
zJ=|=COo8t{`geMOo3s4>X3@K=3i)W!s<PgYu(gLDY^mMp!}y6Y%dNY^u6W63tF*F%
zw<y~u_#Lf{t_|U}W@jTFQ_WBgwJ*hwYXTNk+Q$ew<5a@Y)#*A?cHfqZl(TJSj>zuM
zkwt?}>}uYQum&{st5u_7A271x^$<pbVz=MUUs1B=<n-b0IImiB92utbq6LEJVP;4t
zk3q{WmYuL``O+t*l6HxF!zmzF->$3lC9g11tJSvV{fXRw`=2z~)bAgj^TH&md?Xfn
z)@&MA%nZD*h>A!rI!vUVgJX+w^Zs`z`E^WTeL_;OD01~TPIWWi)8Ks{u%gD?A9a*;
z377%K6Q_$xUwtdvw(~Vx#MM*p!%pPnE&D@UsMuhyBS*gvlVe*BQ+Q3J_+amI5#29m
z3W+8=b<@gx&>)m;B^53A9z)>Rh~n#Y12zzW(meTI(~oE;Ploe?5B(+LK)~TH7{4x@
zNv>X2ERplk3&2QZCm)v9;5&qbvLwg2iJ$;9T%{H$;9N4ou0>b9Z-g78ryk5oNXb1>
zw);pDI)#YaNL;Bj0)HO5`db1qQNw^rlO9A>Y&u~ys5%>!!Z-=EgsA`={3}n#(Tm3N
z?YF)umv8RN^B8x#wI1G=^;TS|o=oer8mCOII1Z0CaJTfAJGEag`lcym3V=NW>&uwR
z{JYH&>HmNn<}r+j2%t5y*XSU*EJ!*-EpCM-GWaP~B8Rw?3d1<pYP1?M_`-TVN)tJ#
z@_wz2u?+p<2BM&t^Nl4y%yG?IG9fw0`1WE<u&10}PEfs2fvj}D?0t*N@rTh35&K;#
zx}c4cqO5DtglHztRZK0CbBwR+g;PKJqiVBTv*Uj%DESE8A34by3io`r{B_o-c)Hr2
z5lm9fK2$V7{gAyx!IrtEbt?qK6S7M4mwVK+BeA26PY8_}vxUAcJB_c%o@n*(J8bsm
zTcyECMSc9!g!t3CeBm&=>0;HqK$0W!*B*iFHQhULVQ7#)U71j^FO`u*pJ@uQhGL)X
zHqje0Q||Q}W{Jh=GrSq9-k52>Sv41Z_t5xSqUP}KY@=tiFe+W4db2M++0|V-Mem}q
zZgGahz-ux?=<NNe(0*!qR9*m;k;@JA5|oO7bjQe1+kBN5BXW@VnoZR7lrC_z=LxTo
z5`FJOabC+OBpiz$8C3xHoT7gKpMROP@}tL}JMv|*J6`v&nUR6c{8gzICG2|14wc=p
z)@-z<Jsp-o<qLIq2#x;dD$*dLh|wJUkU}|o>fVfmL1;Nl)3gS-WjohPr!qAS8v=51
zXPV`lq5x#}%(jPhIUipnkI!oM$huLLvwDZC(s4UU^Ams%38nJ|^5vq}40n1gc}MSz
zM8T(0eMwQ|AK<X#LL)j@K`)maUN6IJyT?^SvTy>yiKElSR)X^4XuFcKSK$*;^!qH&
zlYJ2>QXjr_eO!uHoXQ&SnlXy9@cw~%{Kkkgqr~DgQL7){mN%|`;LADyuX>)g=Yvf}
zs#OuIg-Yd9=tit6`&gaMcs?jU>v%zYCB^xWr4Um#C$ygrw+#T7S@=t6X{RhU+8JH~
z!G7!bIm)SY<_|P-RYQ+`uo?8%xvJ8U*+Rt1F2Yj1Ak*A%Pd611oiFW#(nY_Z6CsPc
za5_Kh#{VK25`A(RW-R(s_YdqIz-ejBkzGo(s;81Ogln8y&BiIq)PDz;yw>v;d~#Vf
zh056{9d7SPO~+Q>SQD>Q86)wyo(SELdGewRN33hY?ywaA_%HL~!_G+B39H#YFYWN~
zy<2i+c(wEs=z@9JwuzUL3c25QQdt(s|CUiGtxDb-_FDT5Xt8b!17eWBnD~w=a{#6k
zKI@Y|mwzciOdO}K(Ol?fMP>@{<RopUg7xkwZ+P1OHkAMNL*Fw3G^Yzg%O5K7A59Cg
z1EiwMV*b0{e}-^k$ZB}=O%4If+BI*#EVXbT3MM{sPY}{kp#`gm$0c?CIkceUM~0Rh
zx((L3*x860br`XHgLx?Q0P#queargKh@V!)0s~-!`UzPzMtl~UymGPg5H((4#4--1
zZ%z8g<D+a>L;pe>`gJQ9Z4VI@n)JyP0ua9$Aak>x;Hx11Cd?%zrH=*1TFANRw06Y#
zd(#&vvYI~s^v3}%)B_PblvqzJv0bKC{5}`A6tU?N-zbJAIhZJ4Dz=Cb9LxC6L+9VJ
zBt$@5<S9mfUh|phkLmo2u*m|*-K@aBDD7`ysUZKRLy_^dRsRVM{^x#B78{~bmiQ|>
z0`Rbizj;{1urj9qgNFsy`Tup~z&iN7)*$?+BmEy_^H+jc?r#Ybs((`qfO&rOn|T(a
zWexvx(SMh$W5|$g$?p9hLXrCToARcKBa-?X?}LDMhKw1+T?}wXg>Uz#L=*&c5L=IG
zBJK$y{pnP+NbM@^6C1#hqOu!wRqYpI8xhSCb+rU4s~VmiwY%rVzmnK>XMq4o<RG~M
zhJvnQ2Y89vu(M7v9p+GAXzp|>%Q!fd!|5c=o-J=n)OJ!$J<<%?l{kUeh!Y5b6Bn#1
zHO%19X0zK1aPuWZQ1spB*RtxZE|j&#J*c$~Kl;BlN;jA2w^lT7hFgssE!2+0(?`%|
zx8ClwDlXJ)kAONA!rQ2w&qL{2(h`)ZtVJHYUe6pOc50MrP^!1Nan;(cv>^Iw`n0W=
z)sFE|3R0N?XyP#RjKfqE6^qn*vGLT%=huerjRI#mu1HfJz{5QrDORN$1$Y^rYo5%W
zXiC9!0M=Qha9uv%;nW?|sheL)WLBSrUN1#LVu<G3PgXoXsVfUl&y?$qN0RgL?h8u>
z>%BkpOTNBK%|9&hNo3Vr)pP!i-2mVF0I*N*0em)Y$a3pS-?jXMpjXmJwl6%bDaIGF
z1$cX(nlvUDXMA_FJgenz-a5;Qhdev-HCPCSu_|;9npX%>xa99I-=aHBh=-*1N2UK}
zQCm8fgX?n+*A*6{-x}L3)&({H+GHIu<{g7NA3#zU%(Gzt=t@7D!CyO)%&w~@{Hf@$
z>yCXW&)<yrYRtb)quCLh-gx&(#9Qfw;-?opru|-a70o+q4V5Z$0IyX+W0*<T89@TF
zt>}bnEct5N`8>cHt;bJ7Jven~;Qk~6kiDa+&LSHp+*)V(Ru{DN@1>gQ%}%>p0=y{N
zZ>H)8nsMxLsMtb%Oj};{U2%PRS897N@2zmU3LA-&cHyHGpg6d@1?V2xg>hVI5_+Sk
zr!Q?fP2Tx^FWqn@Zdh};k~e-_*-eKil_nNOiFfO`J(M=BEIM%1psNVrlhmp1mph+;
zMge39=S2W&CfK$U_69h?KT+b<QMA|U)PJaOg3YMM6dY|yH8X3JrBX(wID{v>1$iCU
zlZ^VKT&k}`w<#56iNmAgpGk6XnhwB?R=qC2QxXMIw38H&jWjgopkwRoAy2me#*V{o
zUbaN&F^?{m%wD7q{I+NZ7z@Pbq{EYLI!_v;UTemFc~A=4N}pm*c$9F1`zj}seXVp9
zIBiW;UIFa8BA$8+gn4OWF*ZzdY!m>B&9##qe2zMOb(c1>GS6#Y3GJl*&=ZE-tTaB)
z%EQX-UCH9MoI<Ys@Li6Nb1Cao@us4!MsfEhx<gt-w*?YL#(!bTcd6U#NHpEzOzw2O
zK#~g3N(*c{Kcy@DwI-bH8EmA#e9S8@S^+q^n^Az-*IOBQkBXH2^yP<C03+i6p6A{|
zRkrq7h{eK8^_1<KRi*&t3E?8B6Podk%}mi6n;QNmH)Ct)Amp_xlIv?>t=N6F37_fJ
z&thWL3Tyt3Z-l4YZdVHpI}`LXxt(?@n=#*rC&e{gztZ#@-H^Opv5SmQZxMMj`l;TA
z+`dD*!=(9kFR#oaUf?2DQXtJ~ta*Ofb?un!Dh0rGeA7vkIOhyJ3l0yro(wAe5YmU$
zOutsc!}H7hC<X!Le5C8oDHjj;O)##Q`@o!aHf<6ZqFjl2^joP+SKWRPxn}zP@Iz~8
z%>1rn)*rcFae2c2RE4VE#xs_TYm?5(7}7>g_&GA?M<1K{vbRCiZdTN9c8&|1{KPm(
z&1rcA+8ZXy*xl=F7Jai^8<)-nzdM}VDXo0dygNqanCldhghZ?eDa6Plfkr#l`oKJP
z^F6Ls08(1tB$aHVnZ(d*ag@d(0RgHk3bQajGHY@By557k=FHQgmB_jDZ5^dF2H2?l
z;2D6!gq2QHftuFU0P@37cR2E{5IpQXLhZ};B2U`acCB&rDN?6wk?{5WG!6xEI>74<
zYa6U{)n);-PfccekgZXSM6U0HdbunFWyyl-1F)JV0F6Vg-svOBmvFHeG5)-Jy2D$V
zq%nl5WiGHsx6%N~oGV}(lgCmN{wq^)i46snDqp_TK2;`yK#A0-=e+(FsDyudx=<UF
zzU{shcb^%AHLK~<K>Rq)cE#fpgJOER;_Ore!W}@m$E9M+-S}i3Pi%0Ou3Laru7L=+
zukCz?)yx}JL#?Y$2^n&TLCga1W5Kl|o;zs+D{*aN9hC;{!K|XxUT4wTO`NTpv1u02
z9T7QA5CH@9D3Ng_%lqm($*jb&Yf2&HGcjAL`H#s3XE!E!p<Q;=sXoz!n*Mw8mmfX=
z?9cmk-+r>)r-V3x&l)ADGKJhfkLLNN!mb6sw%wnkhmAdT?*Hl+FuG*dX`8COqA`}`
zK>32Lt}0TDqy49xZt!jzU|gqQg+23~4>T###2k7?L>ZuT?OGq#n{M|g=;-<<4=a$>
zidKK&!i*uq68EJ`w_2F_)OopjQAN7n^KrVSEBL!&m9CKt{+`(|kok)o1x@oeL75lS
z^l4R;B2Yz=F}c~N{@f3P1Jv`5b8FZizX3GnPiu*4iOd)&ihw-l!`T+d1AwV6mzMBU
z&0stpA$yDFp1&C(MZ{A*6E?#>L%Dj#aRlnroW~KpDkhnFsGA<+t+&x}1FN(MjXOCw
zb2=aMtwp-j_Vzw>KD6`ka&$GB#a}ad9eyvh%kqUYYo^@)$`?>Gu+VG+PTcRaS7<HQ
z5snn!XOBAWvw~e>>GtoA8x8pzL{@-Mzb~-hS->Wsir-*9fZd5-<X$Bk!0Mxz?N+oA
zZgbq0<Lml3g|nbhxK?#+qC2P5b~RgC_+6x2k(@k4_}XHNG?Mh(FYT2>n<oR*P)|6U
zrQ#QX=D2E+iA^{KL<P-UKlD2hIKCtL^z_N95+yF5*0V_JhlKPebRsuvzA2u`UXu5s
zA7*53$cdTGvfVcEih3i5G)H<}j~9EGKU)OI>~1u`E^MA8*lUIITFrJdmlS7jKGzo}
zz3C|CER<ie*V;T#SWZY@X{EM$s{6R?Wy84GT9gky0rFNCV8%wa-z`t^S<Y3o+jvsh
zhr3o}I`s259P3#uh0ZCoR22-l{@N(eC|^{<>%CV+cF#2oN<!B-Gf0c&h&k8OBOAo_
zq|RFBO1MsKaC(5@R>@tOn9Y#TDcUR<7F2joU)#k(oZq)xbob5ygiLbz+PB_!N<&VZ
zA{plRMQ1#4zAK!IUk_ArTX6tx(R!U@x0X<LWub0WF1nz!MckO26w(U6v~^KSze~JM
za|t+1d>810LST5a;#!oxCHLJ`5PC+pvNex{yL@~Hs>+2<Xx{JT-DDWD>(te`w}-gj
z?GGG>`}Z-g`PS%Diru|mJax%hdYJ0N;Oh`l-z7*c^O<C=c=!feo&gCl0)gTDIkL;Q
zEODl1KyE?O9;rJPt40|o->O?Zd7DENY8)96OFzh(?ro<J(vmi{iTQ<9lQd^ve!%Dv
z97ujRMm>e}?zug4xUpPE!xdSY*f5)j@HbumI-Ow>x@-Bh+USe<nmkfHWM8f5xF}&j
zt$|Ay&GrQ{U~;@0{B$zNQ9WzTU^|KOsR`4nml6a1;ye;UK!9f+Epqp2PK+y5T-JF?
zwkTDu;fF%VZ)z!+{!N+;aCBr&1w=EQe^CQ#9?q56igjJuQ*j!_0>D}(`GoCa-Q<dS
ztbbKqq2;t$#q{u_a6gjso9<h{-_b`)K@ixunQE{}ekY@a*9-H3q0V!@upfH-RPU*o
z0wk`f4l~5^`xhdmjmZWZ&l{nKxEPB_%idVPGcyzX(b{|oBm<>&@!B1?p2E#CjsvIT
z%z{sQ3D8>Z9Zt>Da48j0ee&Kcj471P?&K3FJB;_kNE8lpbf20Nis!=sOSw-des;9f
z*h&5k$oG=gz1)j^-oJ{QCFuj_cV{M^>$hp&S@{~%lvhTFqjgB(JTqzg2J6P*JciZk
zm)}H5;6t5dXOj{UX2>$8oXQY_94nj&1VL`+Ob<s4UC<#kIQy{b1v1C*OJ`PR@F?PV
zh~F_-T;PtTN6GXUnq@A^NSha=$(Uneg#6U@kX-Ix7!zeH(fy_=Lt#i*68QauV{;h|
zMlS4;Sibx8)8%;QjPra(0O3R5_cT@Gm<ty52JgF{PMAqRmVj}~JhvDutR_9p!R)Q~
zEdZyA2aG{(L%Z<z#oMF0@wLqk)eo>A_<(f4fgW7}RKS?EuKC#LHQ&#(<ZE$+a?dvs
zsXAa8<S7B*5>Ca~J*+Y9L_;rYJRhgu@PKpK18kzF=YR8KDvSFQIPA>wO?Zw`28@6B
zQ<a?L=f$V5CQfGSF&P&(;x#74T0Va(IHs$tvu*FZ8LJ;;0-G(oc;kPiOTm*!+7{uc
zusq0Em%wHz>6Lck15p-S2OSftGa;jD^|8xYp<d1C7wJ4Uy(2Ro%+FFL(u9VW?(WgK
ziHj@iM$J@dq%x5|nSWwH$j-#JkP`SRUbD^KpxOldFs%($6P;k7DY+o>euP@dByJgS
zx8y>(P2u?Y7^JdR19k2WbWpN9w9UT-=?lw<DBg6~lm3|ErHE`2;2G|8%8<zBO&?@l
zG`>^C`Wm%ha@~-iZ*X0W`HFOEPGWtvY{9^m_8Et@>h0M5VT?#;P>M(bNEI<}&vf6l
z<s#6~0gTMY4<6@H#h;^^E>s<0)2aKW_@!R(%xJi^-fH{|R1vM9X<&r+-EKtIeM~Xq
zbJqFX9xhkh?xCbFCH)U<KE3TbHa*E|nY02n)!^!yLSac2xQTN(XR{;)pWW&fL#f);
z3Nf43I)n1z%-}(7F56ZHJS(OB`h(>FOHxKR^UA%pWn6+!<Be!$c2lkpf%)AekTlUy
zKF+e_Gr8~n#Sq%+3`ErP)yOWP;3u`~CCOqaH|fT25DU7!Z&o&#Ci&a07t^iL^3_c=
z{KGM%a6BU?_Km9s6i|{uGA;LzDR)#>l+|IjsqdO=duGYiBHa?7>t2?2ZYLk=?;<v0
zeXG*Dy*mV9)h3O2+5eoSKPk|C=+U7WQe0`-&Uh?ft;J5m`E0o)|82?Cm_Ug53xC>g
zsH@91DKCtqBpJ`A<R3N&1xujl28OLJQJG+``B569eaMP)<2;Tli4_^w$jdWBpW9~R
z{-o%UpZn7z;1pO-(0C_xDdAITsCeiukfo9JB0@eOR3c<sY~=Yg*_(v`dQ~mbx=B?a
zd1{w{$NdPrjyCOJ8RWacnM;#%UT(%-MZ83o&Y<|I6#;p!M?z9}9ES=>h?p7WaHOUu
zrTl<O>2NwgIfUG4NHC;irlOLw?Q)vE>XM^av<@UP)X4?24O0&x*A9>1JUe2RYBAlw
zZ>TcP$pm*Lc@GZbr}F`sjC&WEm*3z6BV!Zyr;xI$`KERM;S7JI;V(_Uen_{}^m|X$
zyesv#F}MxP=BPAM?Kg@~tH{7aA}8b`C`WnZ9@Hg9F4#I|#Ke@kW5;TKrPpGgeIc!F
zW)=e_PYiMi+u<1(+Te%_mZtVDJA8C+k9w&Sgh@nzbg|J>J9HUIHoe>-Gt$j-8I%9x
zkir@^ejlPX8Iq2(dOnc7cY#DX@ityIlMKs~#g`i#@$v~K;=ve@TDHP$2uPvVJtCg0
zPYC*9A^Q1tfVR^0b}k&iml<r0xW;wftBH6&&3Pp-ev*xR2!tquE+2V*46mPLdD=Qr
zx?j6CK`%-vE8iw7=VRY5(9C3W0>OJOMuCrB*1!;Rf`A(U1MYO8ojRO`MLc#V+E)5f
zhs!c4OE*P+m|iR}+RnMz3B=8dZEdCMoSdX)6C3Px_Eff3RYI5z0ZcLv*NqQ6`YjOW
z+58cMM(gHE8<2t1F$y^28d6hVh9ytIb6~tEG1ax}RK_RhDl(<0=l0OHP1(62b!Uts
zDbkG};6Y8#fmECGUTwT6g4L&>boblbPjMB6`x<gD(Om_GNrs8aT%3NEn|S$(DoZu?
zqZh}gMje~pT7GIBZS-AorR#@acKnhxi(wtD2qA`OmDFd6pt%^C%jCCLH22R7J+tj9
z{f%E6r^+s(1|(FBSx<g0NN39J$i)_`;&`tT(M>jNFjnF#Hy?(;fJ3%*@14PfhJK}H
zdy(n+>Wq4uskD96))E5*nql3)(9$CdlRsp-hOcy)G8}Ua=j~kz!+%Mhs4^tOZ^sV_
zR(rq4y#fr&=esC==JBwP*206&l{U<wb_ZmOWl{||=l+O+vg#l$8XlKthEubir9f7Z
zu*Xjq>h9dt&oR@jHy9_W1*tD8DwMvv-gmJ?eG}Z0C0yT9y<jOtLnp9dxJmu`Svl(j
zR)>;y-Rj-;s_=4Jmqg9*)(3AR$41O@c%F&xO8yKc0D!gg4uEChwg8|;+f#qYq}iir
z|MlAOH_tP;ehe^pF%kMp3{dAfnwUlRb2F8knCd8Nc`O!48l-+N?D6NE<{8i!>EIrC
zxIZ@H?|gqS!`6ob$E(bFCpjZnMSJ1D8CaEzE@2@<Dq}?UaYFTQp|(-*<{@|QY=|OJ
z|LqYvrR&oi07qzE!;04y=@LuRW*JW>Q+yD@{;Y}I96}4vs~z-Id7Fb}k{qpcHZE$8
z9UTy}o-C@+K~}~s*z@T)io8}p6)+Bl8=U7<WfD3Iewdj!sLU_E_@o)1!G0;v7b>qM
zGeCB{Lqtwsfh5<QeP6<G7-}V&iIU$_Sd@Q4=c7dLO~Gj5nLqCq+z$;#am9*Hy~4tw
zbr{Hc1)2KxU@*Vt-<3!*G`bN&y)A&@aE>d|<Nj9L+HyMEj{&+b7P~vxi1i`B>}s{L
ziEdo6(YoqLQU)op7J{yd<9?2W;serenNM@M_biDP$#z<^gAR&i356qHKDB;gIBu^L
z@&r|D!5yq3&>{4r?_S!gZ9U{>!0<7(H$1eIC%_o@e#6&%X!dmSwH{eu&Z8Uu_z>uT
znlzituTsO#TzR{LL;zUS0V~p-E>n^<8Sjiu6`)Zy4LgUD>CriOX@5C1hj<IbnUx^p
zFjdC_FD*3D`>@@5|C~h22-4KciYX0%c?MiXDKEWsIKR^WQg<_pHq*x@ZS=#i^7Z9u
zgdn%dnLi2<rZu6QI7Y+E4VNdbb^4S7E-uLeSR$!m42teJeNU1ZyAY~w1f#WATCnwm
zBYmOIv@lir`8_bW!5H+XPv1}59?hTX!|uBuD>q;4uH4f>r@vo1I9$Ph{fzjs+m`-z
zpvC#H8NAT}qZjJbwyMiu3Gm1A>iA4~W`h)<8wiiA#0>~{T&u{(WSmp~9-!q#Q?j~C
zgx|&4U%;NcVJxd@ZYw`*GvqLYjY)Gdi8}2Q2O`_+cJB?1(QDoi#;T~^%CGoJn|#kd
z=(<rgrL6FM6?LV5ySj-RKV??+DB$#F*WsAUnGw?^G0C6`qFeJ`mr_}4>M9rJ#Lo-@
zbaU0$H!>o@mBd*O@QDv&CZav~&%R#UI?g{7+JFx~-mFod+?oF5vzRW9*;nSuC4E=n
zwUqJYwEs2LcpPKN_-!h}oJwRa>1T@1iQTklVV<Jf9KdNGqsid2iHcI1VnnW6ZK5HV
zK7H4BUjVSdU!&=(BooC)W+#7rRxIQpBAi|17JH8xac>-i)afnVD@t+%0djH|43#L<
zSImvVJ=d6jAP78xU_N0v^M}?fFbL}I_H|A_L<^v<aK`GiK;Fgkh{mqdB7v^MG34y~
zkqR_b)(_B>URbjs8LbEp;U$tsS=04>asZ{ao6#~QaV{0|%ueZ`Pijk+kPuIK?M(>k
z{|LeVl2FgRXo2<<NU)A1M;<63f(P}y-nAY|lvTp${TQ+!noJOUNin`DdP|c^(sV+9
z0y~QG=dK9yMjKY=WHoOP7W#Gp@1smR&$b!H$iz#&;QA&t==YU{REf~01Bvt}NvQy`
zy6uIe3a8bZosm(;o@Q!J`)D^5{L`oi-&ulR)i$Uv^oY4+rGJI%sx)P(gP%}xnvMRl
zI*(}&Smg&R+k;Y#n$eSU^Ft&={k?i_F^jsaIxb1ymZ^5gFgCf%4$QS~kZv2E`FwE#
z;6ni((rczp$8O$l3BQ7UJs(PRm4vUb_&D>F(q396t6!6_Cf5h{wVGzfGBnUdO7!dg
ze0?6eLq6g;cpQEs>NZlNa>wm}VU<x@(K4Cb9I#Sm_b+8?9}s77a0qKTg<()>cXZY8
zB;%T#lO6@4tw?2x-fo#{bn!1Gy{i;@-1<0#e;H@WfUx$M=ZfMODFI(gI=->$r|Cl^
zQ<&)+Xi0X!c8o`4=X&8u*I6!d{;?5tJ@7tIGyMb;eKo201_|L5VP^mw?er23ak#Rb
z{_eD@_=WE3i=9<Fd1?W{kh2z`Lc)^S-2>QCYkQM<dY-x!ddU|ITGA*#o?I_IT>G30
zYT5O+kBd@cnHE|eW^bofj77@HubDZ-AiTJZN8t7DH}oCVp&AI@S9syL;#<!>U4`<4
z0E=<AqrLCb^J3&5RPG5k)oC7jR1vIn&Bn^4-GKj`N3mc%Y;t?CM0mg?#PaTo$vwID
zta2c|KJ{WJPwHGZ4Dqy|+DR=7#seoMVLatHkhu?Xd?GIZI!e0T2sv%)ASp#{<Mc81
z<vbWSEGOc0j{;9Bn7ziZ;fb#}?Vk?-Yt3LYEfh<py|^5HI_No5FSC5lbL=WO-T)`r
zWgPS0CuMsq;=^BV=zlub{9Bdi{-sK0HI2BwKHAvmAC|!EBQB0na><l1?GHVl^a6v?
z<&!c}dt1@eq0&D_`y<&xE{MqCo>CZctY-Xa$GP~@^KX-tRPCL3JIAHN=d9Z^+Idn|
zz3*BtcgJ1H#k+f5=Ti$VxyL!&*Fi~chm0rFAGst&S9Ex2G6ktO675}=9TKiQ1FT}9
z9u~Va$G(H-z3-{PPdsm`u%f|6suH`A+wZletB!E35U*{;_(P>$>*+|{4!*n?`iKya
z@e+}8^Q}9hy!b-b=ta(q__yql3Zd(HB+E5rNw=z%Qa^165p`uBV{JT&{Yaj@k&-Hm
zJ6usOQ#kyl^ynfdVI)CW<X{My$H^CdYi?2{wKzHW6KQwdGn4>{6*b!HoTC_7aM@Pt
z+bMr-BYU2an1u9q(0A*Z;%Z^TLsaSJ?b9Afw4yLr-Bsh7H@HwCYYQaE<7;N8Du!H+
zhmWI{Vbm<~O0^pW<phErFqE?nE4~bM&`7LJoHJYUKz>FErTOR)SQFNlnF8@@Cy!Qz
z=jQZHowB#~n(joFLCL&=FQH#}E)&Xe>3rh*8&^FfKMPgmgNjMb=pL?J_P;xgW6Ljw
ziiS%Q8a`AkQvt!$=AvKAtRqs`@TG&Z{o7ZYoA}P6sn_I3@jQXxL2IUQh9ky|i8XJ8
zQQW}1Rr0pr_>c5$X>xA`Ly1^@+=kyK#~8VXar@s5;_7sthMM-breaHX9hZ;Ix5nHB
zc+BXwBEt%njbUAp!tyyPPinc?Z<+N(d*?0}mZ0`}0jFc5w`JNq1hcHQHZb`m>7~6T
z2WUQ<W@U$sJLc^3{Xn;8GorwYRFGXx(@uty>KSBXqy58TBj2u-kuG0{(};_3^Qi)x
z8J_(E1!!JJj={MNFH9=XQ#)W+w!)ylCNhlXf(^;18-c)X{|QM$u@?yr$XR%ZU{QC`
zYHf82C+C%s;fqDKRiYD3)JrV}aG-0E+@XEbXCL!LDo~ZD1b5gQ>WtCbYM=h8d3im`
z{gpoI#w&6_+XCQbPm9)hHk?vFH#yDf@@6t6KqvXG!l~|DnQZzaZ^y2C3>@}H9QT;c
zy&n%b>8;sZY++PHF+Om{$@-XZCt%>Gm+N`tSr2Z(e*2QCJm=G`Q34mL2+unYQi@&o
zKB0$-b>YoF8=^5Y-Fr19mRwIvSN32o%qO2-jJ)ub__pgrT08_N=<DlN1_~)vE?vCc
z_c<vzlu7)D^Y`=ZuR5v&+yoNaJu=s?ON_#h!ZDt9`XMR1VzQvpSgQ?rKmseRxjg;5
zKjQGtl8KMHvGAR22*E@AkrTAKlffE`Gt5K&pY9=*ANk0UrsmJCC=(y~XcJ_Tn0f7q
zIp7c^8ow*maPCyUO|PFR4^v;~;*sCY#6d<1po=*=5inQvWZj_NFr$e<M2ui~D*DtF
zl~_hkhhG}+q57QK2OtHMa;S|0Gi!*`tFBMH{pAhKa$6z%L(DUKU;Em#m6&};ppzT#
z(;kng6b1$fjeSg@f9<2bP(^;7MYCMl39nhokLh}`--9ob_%^frGltcpGSVulmYdb3
z9)nkKtZ0?~+}`&XD0+j_kT=?wCyL(gsW@F>F4Knq&GF5}M`u9^!n5Qz#uDLhK7M^M
zfwCG#-vwm2Wz-R3pY#?frZ+4kid(D551^Ok8g=BVziFno=}9-`5e#t*YfA{r;amau
z-;+bqs<X^b3RzdS^S)tS=)(l0u?eTGF2al7F~lRH0NpgC=z-%g459KQJC$!T6Om+%
zT4knXTVuqKu*tYo@Ar2YLn;=Yq|&2rIhY-5OZa!Eftc8}YkKR^goeG%!g)3h*OK<*
zusOLdrO}ZneWFE1H!r+w57zA$gD)`+$1(d~W?cKsesUZ%BH0$WZ@#Ju@76T%5wThQ
zmMA~3Uq#vL5#9p0x=FI4vH_lnM|Eo>9Mc{5gGp6}4kM|QMPuftBtybrRQcik=|=A`
z)+5H-&<pX!+}B^sQq(7WRI@|qE3(F)R~U;r-KD#|Y`nkGgG_E$z|Bp98<;I9d%xOu
z!WLKZwTb`zzW`cbAr=7(b$po<tMKb3g~st`&|laD^UKb2>|?&G;*|A^4Wd{VsvNr-
zo2w+-cD7Tz`kAsi6*~3hqy6FjvS~p6ce0Ahh0+Bse4Q$HTvDXK=2|X)Igp(~8ui|8
z0c3r3;Ou|D-XA0CbGZ0y(L6bqdq1@Ix6c_*e!Wp;wn$amNoNQ)&8E5D>S1BB;3v_P
z4qhX_5?r=Z(9B|{(@KpuU`xW3D|EmVArSE$*FnsUG%<ajJfK=Q-x$}yy^Zz^WLz?^
zMJp$f*nE^7oYT}V7kZ8)@em39_F7YKEeb<;D%s~bj50B-PHM&~GDQT+X|)_Tc&~od
zdW)_&T{v3yeJigbdlS*}VYpZMl=lEV9a?7ic{SGxNGd>)HVR=1DBjY7PZueRI>jD~
zT@XF3Q1w%jb!SCOL<Aq9j%g+3pqs?P!eJwv@=+I(7AmA|uKQD?$Kw*FO6DYoIDtw?
zQP1RE#_GvGadVQ{unT)Jl9rOOSO{ogDJ{Im6%D}O4#x2{2*N?J8n%3u+H6ehCoYt3
zU`~tGqJsW}&umw;nn!f?{as$n8jp9(>8ZdY$bl-a@u+jtyXaq|zIm%%9tXB7(Of_-
zz+SRU`{h{r*aF|0*FNEErl8r1l?G|W30zbu<)t)R-nRUN$XHzHuKbTFmOafg3f4*t
z0w0%s;AJtofX4W-6p-P`RHfY-!gZ;%c{5qZeuJv-Ni$<+Ytv2bbHCBpaiL40U8*2l
zch)kBtsOoW8fmlu&?<CyZSK`g30!jF9LU&e?!wE&5)kt;#-PW@^hO=RLg#;jK~9m(
zrafe{B~K-_H>291<wHzpcKgKaJ6RPEO_u~lSVX5&;*MyU^O<N9Bi@*7wroOwYo%Q^
zf{n^hQtA42e$F%zAuqhZNs$WY@!Yp*2$uOsDpg13G2iyLf}mrgDP~H6pV8K~n;a^x
zad0G5EEh~{RJ$2)j3~S+6MMM<_l-bDm+R|W=}*EJ-&6)ziAbOT{|qQ~fP+bb2UO&y
zO+G^{mdyRyd4J9>N3j%mJH)J`yFZ&mU_gri+&w3nupf6f?Ry;QIK+*gSUIC910c$Z
zloUw~8*TW}R-DH@4ta`RH|>r3?fk2=1R{1SA{X)&XeFj9dpw-^wsgX<H+^j(2)M_L
zNX>6&Q<@@7`^6G)$&IiF9n}cW>&Q!zGdCC$B(b_JLehjJ+!*va9fbd-#J>_q#I<`E
z^V3F3G;H`<6Mrdc8s4^#pWOq=y>-W)`Zq7t7sVGj67Na^y-@hBmn3exjGTk(Y4Twg
z^5t0`2fi*B7FENnGp(l!UI9Upw$Br8f?%VHi-n~;-Z~~^(&>unLC%*>vo#ZsF=+^w
z6A9KTpGT!V%JaS?UTelk_mw`Ad3YlAJY1Cl2k(wIaK9+KziG|Eovk8rE4ba$VZBpf
z>BpLHwk6{yTPMu*-)}G0MD_6|<jCkzlDUD0rtLf93a(0qc$Tn@Ci^w5d*UrKy2nv`
zr*Sw@_ZMnY*vW;LxwY<Kb){ORJhCzix9b5L71<6e&f3)Wxjy-D{)1xEWm1I4bcv!J
z*)HGT`HmN#zRBvPu59YPz?Z^LXsmj}?Jj!q`EKRiaUcg&1&&OwE*db7JkBhAtKEqV
zn+5z{u`Yu70w9A-7Zd)nWKFCHrPfv;9s>Q0%xA4aOra&!JUskzxGT+Udg2X6rk;YZ
z`l#C*;acGe)e;^-@p*2dj=P>62t*={QktKL2*i7o&-FPWXrd(CG3BIP%VMG`+xr^D
z<?IHs=;wbEV(zAFj}g{6z{OGSZ|md~eSttvh5bG;-&2%WgUQOj)?C$R>*^`kAHh&*
zYQ^sBQ$T^S1i+E)d>8l+ZT+lJXb=f}#W`OU6H0{qm=q4ZAfw*NIJ+9R@2zBF4SB_}
zlsASI%rkviwoR;yFQ?WWmjA`||6%Vf!=n7Q{&7WG1Ox>E38lLP1cU(<=@JEo?vU=D
zQ4o>t?iT58kdg-J?vm~t27VjA=ee$Pp5y=3|LyaRi+g77+I#K2*7`)tRn{VzWAt3(
zP~`daaMNdYHnyBW;l`yX!s~CZOxU?(3*W(vn*&@iH}64o<X55_<+Pd)a18xbKAyQL
zwpY2bH7=6EoJLdjO%5*)<poyIq~AW$IW+7rP9~39PT<J;fD!%}9TsAxAR#XMdOqOf
zA;fMn3PUT@p7gYVrd=Iw5LUsT13CsACTr}4VUpuqE*RavI%-t|v%~CNSi*0jd`>fg
zg9qr|<sGCHknnDCPGv(k^5zwJ8%`#rcl<+|j0Z<TMV(@kvYGnZ9}jh_rS{0Xb3RwP
zw%rKgde^H)!Uj+#2IR{v;@bUVJ{eFAk2X90?OHK!p_!W?u4uwJ;W}l(N7wxLNH8&3
z)M>r%uofnH$~HrI`+f%{ieM`j!y|hpMTkD&qP=LB9lpi;o33zeoz(pD4fOpZ?=ST9
z*q^K)$7o8^>aJF=zu?jzE7Bd!`%?Kr>R1>q#3pQGx`OQ7<}5f&+(9xtQ)1+?BTM?W
z#z1HT2DA4NxBJ|6pY&xt<+)AIhK!ZW#mo1wGxZRd0T-3;5*dzm1U%Myg2KUwBOx|P
z|2@Hj=2$}C#nA9IyG>rr*nSK0$HdW9i0VLTt)%WUTwgbFx*prNa?X@4Sj+)3w0+l?
zerC^K%z0dws~b68tgq2nA}v`tF6rk8iMJ&+9(h?JT{IdxO=}mBvJL@m+QWAIfhq}z
zq649g#8@qVH<hd_gD~Qum13DL3CnR~QrNWaeXp0lcj4E@i<~D&MBkM+ttL5%V|?fC
zyA_hVL-N8d5JL8Y<u8)I_Rx<+@zR^c<Jz$LSHwwVPOsh}cZgWk;)+LI<BZd35|b5o
z(hF9^r_(M+cmVR(le(yd)eD>L!vX)p+eX$LhcgsXca0{-tp$gAWtF_4V|Sx&5s|r1
z_(G4HpQ@@xvT1g)ZZojxc3C_>2;c2%rLBB%oPc>bg2mw#v~t@ma^+OyqOkAF-kNb@
zHTT}QqRkJr&&ZgL!Y$njp^LzrMJZKPNqoLf2^;5WwnFb4<0EfnBws9v(b6*{Jq;lN
zAV#hw8kN6e7>ktf87h=oUxxl~y7B*jbvtg9dq{M{sQ->)9Onn<&N91<biMx~xBhcN
z5}@tFKrLfS^LOZ|AjS<4H^}}S%YOrLZ~j9?4J3RFKT8Jv{jkm&6_w$yzR(~)@Ba@R
z@Qr3s07qx&-w$s+MwQxnJis7OJPuIm8U~f-69gotJJ~hucWnB_UBCN#M~P%gMfOZO
zZ1%V!Zo2v4IgRsUecPVpA1degxxpSjW)6>r1N1Ljz@xh?G9&Si&Ep&zUvyrJDT&83
z?#}EK*ikZS7Jq@(x+jr%z~^Wx|DgekqO<{yj)&&nOI`lL_qjogT6Hl{;z!F`0JN9|
zL@bOhj&i(dW6mjps-9E8&J<Ut?bvxi8u^Tj&+?h*=?#ABreV-KU0vFHgJD|fj^^X}
zF#HUDRn3%2g$+sGz0W{}=e5t0qSET>HtP}{lO%+Qao8M-1*jY8D)t+32hbnv)%77?
zzXF^py_31d{2VP0KA?TE3$Vrae%4L^81y;vG}hPH&dyW&CLA4s{p<Q@zRwfc)5+Y(
zSO~lT+Tb30SYkG&-_uEt$D8cI`*e!=fSYCF#hmMtGuX9of3^oAC`-)0UbfnHg`Bdm
z&ir3sNrK1qZb3IVqywApr(&AHUDp_t(*uAwg;sEBKAUieYv4;jd&76uh<khGScXGl
z8!C&4GMcX9obX(%&hD~Ha=HON4y23IZeZ>X++fO#6Ko15Jc5OK$2lQq-TcBA)@Mhp
zbAW|l%s<L=xZ2BUHdfGEoV<YH_b+5+Jlm$l`J^&$%Z_IwR?B|-DIaL1a5W-%TL6ce
z##yj^4Q!xzx2K#qAeVdjZoEv_E8|K+MXxZI%aa(sUUm2K%~>EIf6%a#Ph@Nl2CbnT
zou%j7yp7#1FrPw>3*zXppyz4vo7(PIE+<!Fu-0s`V0hdeIk(}<lM!yC!!OGxsS8ba
zdY=&284<~x{n~<ed1VdgzUt{=PwomHTkQxwS*thrP`>qHHOPZmynn@K>0(=sD>u4_
ztF*zRi6x155}9AzSpCzg&p(ny|HJOkjCqAeA4xhzfAClr-VF&MLL{{uhm>m>h1+op
zZ?%_CTQ-GVDJxHxqk>yn<1xK#oDP7ctfLEAW7cTbIfuG{-fBLVNzkjZeqluXY`uJu
zpC2=50p-q=?;Y+eYR@<7yl{GL4U{zu9p^mc`E<<Peux?!MJLmvr2~~4OA*{Ty*597
zF@>oLj9Ae0i$m<xwp6#t?k~D90~l!}H^@?hCM+uBRzVG_$ZNei>%+)*z(l_T1bB>N
z0e);C>zGtUPA5w0fSM)ea#djE+1V9UGQfmPa;Wh6P`Fl2ST*vl0tD6=ql&`S;?7d=
z9N+RvN}fjbi!<)@!*7?`X|J(PgYwZGNzMuF-{q_EWETN)dwb8>{*q^<V}}dS&B=S~
z{Hn_-TiUpvj1NFvIF@HpLg3XZHSgBvS2Plr`hk4Jq*H*?O1fJ4#_GJ6VD*6wSX7Oa
zUazdut}l|F;EDBuj;p~9`tNYo&5A$s-MFkAJpHI7oY}WM?Ld1mOAedoQ{5;b+5p_;
zUy#?kJbaW@*3iAN%F|-1uJe<imLO+s4XyNhcon<n<Ud`OW_e_TYQ~36XNE3$FV<;x
zHz}Rdp!)fm%02PsS@4SxM$1SF!Ix4IY*rQKlbnPvRj+i=KJzF<MC4EYc*ei@lKXfm
zHEUzXA}!&j^70Xr26NfMAa0LtjUFctv`w4u6%hl3Ujy=lnJ-<6+HS!+8k!r0y&Ccg
zmj}RqZOBgmJ!ZK6bCdk_6=450HGAL9EBS3`mbqVB+rDKzRv<Jj!=D)18BQO!0N{wK
zFYTJpqT{R@NVf9~NuQ0++<V#b#F#4h{hcVHhfMD{xQ+Wbtm^h{n-@LTVvrWI?p9{y
zWuxvlc*BcD!nJ$YUZ3t@#5>Kp4BfLQ<(;0nyx4puXmb6lCzhM}{!h6?Ts~Iyoh9@m
zRp0sRG%+}h=gUW~#~Wq<u?i7n&@yj0)5|zt&!(I~3OH=U;gaL>0Kk)Gb3G(=sYR%&
z?8C@pue06mpmb@3=nbw53qskRcLSe`N8&wm+ZyPAk_G+?KnFJ*<V>7e3fkOc5d|<l
z$x|Guz#Cki`_TYmbuGEQ#;j+a^H!VQE#~N(md@FEbcVDWC|3_<61odIzF-MOSKX~U
zUu9+k$mBhn8@O5&BRmcuw|ar5LM$)dNJ&Dt;A*LHzmzK4-iw`LfgfR?pJ7Q^Hvc$O
zeSH50E6VPB&ufdhpz7z!3_yj^o_*Iy3@5^%7@uvk1Atni<&NOQW7MS3s2d!ri(_i(
zp7Va2@nFf}ZOp^-ja)^x9&vJqGG^{s@|7st`?R3N{7c9X=R|_z+KsO_-*9kXCb-<o
zDdGX7%Kn&03W!VDB%BrzaYjHQ&;Xf@%WY?3JV9vr<r<pH#}^j>@IiKlO3PMQT2}bV
zr=@4st<siAUnyIT(`x*3E&2lVQjLp_T5OGmzlB!xARoJnH6#I$>0}$<H=OUF<e5uf
zO&lR}j*+~-rpgjTa#(-8z9=W4NUXE+CG(+6=UpNLRaT*+U-c7tKF+J-`oT_8c>qm6
z@yvA!67@U`o+A%_WTC4IgR*X^i^VXy#-|4F+G(czyHXmEUz*LxjW>mS^O3~MFdbTD
z3l`dMrJl(1d%MzT?^j#pPN-u1u0W#=icL@e6x3?mWvj*9r;Y%<OtsBM{Z&l^fKbxW
zuS+&;kLG8a>LKS0hWsuMf-JP_y*0kuwjdOh!-=ThxEl;zoV~6l6TS?T5Ywr5y{94Q
zkM=}2v!0A|@l~BIELGx7=gypv$*<S~TvveHB(RYk!wrv`^EfTfQLk(;!zjui7rL;E
zZ<t`+V(>>)%+9?y`yqtYW(FV<y;$@|l@_PWlE>DfC)ypk%aDyX&S8yUZP7HA^yN`2
zGUrz~X?%xdVF_Tk1Hdt{n{Eq9SIV`H+r8AmFXrhIsvH3bcbu#A*Kz#ssXFAzCVDPD
zOY*l<hC)~x)@crEA2^BiF@tGD!Q3Y?vznTZ4VpC<Lq1R5^Bb4YXd<Gp)SHtF3Q|}I
zG4e_T9k;eN*bms(Bf>9VYwY=#$U~}M`ShXtD^Ie}d6|^H_2zp&Ig~BDQ?=9!QtTL$
zAt=!s*pHWCM_8*o%_0+Y6rg@;7fz*X);B#YbQUiag%k$TT^zl`f+<#ET;DWCF0wW#
zFybUztZaivrx6lLB^ria2bhfNnL(zrOO#n}O8bmvy1b1}@CxHilc%j5%|<)RwmiJf
z7jh1J{Hh5Pr;zBlJel1p+}e;AKagyiIbZn4)etEnu}EZvq>0nefhp|hI@Z;~bt<_w
zMjPTbtciQ2lJ!=0C~fWiiKb87J+r9Ta|m3AuF)-bqQoWKj;OBDWyrNu=Th9LIerY<
zop@{%t=E?CJ;dJ^mi;o2&S+v+zo)-Y%TSqBW=9=$E_&l}ZYol)VJyJqM9=KWQEh~1
zj>viqNTfYQid!cfU!;Z#Z<jsEDj>H``ORQTc1kG!*aWCILB@U|&z34~-&q5a404|f
zW<<%&#nWO+DFEBYkAEeCn-DS2k@BO?ZDY8zU_k82;B|%);i=hZ-gX2nPDvdK<HG(Z
z;iV4$9WSRSxo0N7ekH)KG7AphcJ*BhuG3uFH!D1SY}aEW=hC!fkGf8iXfW4lOa4F}
z5J@V#ytt=v1TBACr<wzD$@k6a(L8APd6N)3L;M~F+9T|oa5;gtdpOm>VF7N>By{(8
zjU7o>!nIFC#7TqVEz%#rgvq%DuJ7b62I68!g^c80Kg(9zBouJe^|kB%m<uAXZ@c3}
zW{f|Emq14Ow)yF%Q;EJrwlD4+)HreX0pnGwz3J|Zb%1m>AeOdsiVvLb)LO+cy?1mV
ze`4g7{yAt6h9IAhP{#RKg5HnunqRi&h6!`(2B>Y4W9Okm9L{(;jbKBNaU1g#=mO~i
zI`fAy=&7ZhTgH;O+7GV-fIq#XqUAJ||K%{O3~VK1mA>^RL;CY7yH{<gm*pceakRKY
zt6mTtQNO=BwXA_=a<1529BFGL{t$WiqyX&ZY;9gP6?OJqDkiN5C}p*emwe`+N|!k|
zblF)Py<R*J=)QPlzkj8eF6`hp6)yLpO-Ocz%Xx32V0vgme4W>N-qiPi(p?^wm>xh2
zK{s|it;E*Z_>t1gO@BG$9r)?Nore)K47FFFdSJZphU8W1cBaLYqh$&Sg|qebYjygx
zN0}6f9J&c)F^IM2iz;&sNQ-J!OJU>@b@sRb^5{t)JSq&iFCJw}bobd}=MUBb%PizK
zRnA<QLtJM?V#4I2)|JL0H(2{hyuAbZF|Eai^f$7awPI7R1&4Bmba&o2So{X~OXK?1
zA6)e7&=Lbi?(vI8pa2zbqx|Gk^GS*quFW<tyM&5mm3&QFYgRp=QxzsY#qxgPb-*BM
z^YJAn+ALspIZCn73E*FP3LcjbKY&Ft?{2^@s<O;{B&8pyt9~2k8$_R{pfyo7>bo2n
zE<I)&wbSaT#R+IZVxn)Ljlgr>`(LVbqTNOZkb7<bWJ^$*4(V?RD@cya{P72c`4*rs
z2_e=NgBh{404Z-swpO3_@-q1K91y~S70kVgy+PRKhHNiU%DcQ)w4O9Ij+c$<ZLg4f
zHFzvo<S45`oRJIh`XuqbZ)vhpX8h;K!wADXt#vQh<vxZoe{J)q;+-v2oqK{!F)pyD
z!e?UDulVKSMIixL5wCF9m($1|&f1&GPl?T1SRgdC7~*BldP|Pc33|+qqSw8YOV*zQ
zT)evS_bONgoR`lb7|uImbK+DO^C1wI%g`x5-ded*Rv8wL^cek2+?9GTa%z3*AI)Su
znTRaQna%K0Cn`4|mCy2ikCSQu6-F2<6+7A~rMs-LRF1}d+qtTj39PS;;fge?HmjXj
zV;VKpjq2|do|rh>JCqqJfOBtNYZygm2$_;nxclX36lS^wT~F8gyfE9?a>|PpT$Rmk
zHML!C%UapLcC_@1W-^<+=R#)#Z)y#eZFwcfgTSksn<*UmUOTZ_1&^g|gc;M-8CJFw
z?F%fY@yQeuWKJVxuJ1B=8hIRgy0JtaD`dgC5<x$_PoB#4Nd3otmXgXO8(Gy20@OI!
z@Ch6-bsfv5SyL0sZ^RvYu7A?fZ+=0=T4po|s^6axowv4uW|%`DEuw@Yet$rGw;J*|
zudF-AbpjeWvlT`P`37dIm&;z0Tb+|+JN84S8eFzJ&y0TH3(x^Mjx@5mJzRmNI{k@~
z%+<}p#-dRa*{zhUa<XCPen8kW;V2b*v{kZ;P96f<WrMw*c$8N)<OcB79qy2wf%Hlx
z9p~;_0=U<RIrz*Vi4pU}-8*RaOL=3ly)r_nAvWEu&)@XU4iw9@oA(QmRe!=AeeX|<
zTp0Xvn<(+N)%tRa7wto@G@0oOW6yT#px-+YFqq^>4Ch?+%JUwaaCC|9W!fbMHousa
zx*d<ePLI57rQ)zBkJqye<qn~MW)HrPw;aJ~M=(ww$%`SVVaj5@q%*od-GjKcEf%~{
za(i?V78W2r$yn)mwfYR_3d&OZmh~a#PT|VT+G<A+JGN>v5rbG^{Ry4%_7}8=&GVaI
z$O=lhlgw-n{aU#hKL0jHUje+y(gZ#X_SnsW+Ck{1VO;y-0Yuq2gZhrt!6VZEho_0Z
z0n=g{DjQM(+A-YGnkRVCNkdu4#SLmBy_{&<TA6?{diVvBNMVOlUE1T#j6@8D%QCD|
zo0R($i1nq%NA^md%X<<ZF0CcQZA-g{^*N{>53AG(e*4yKMzT9vpRJ^@rH5oUT6zw<
zl<zC?n^&wDzsB~)(ABx+%QZiuQYui^#K7^<N|%+JBqk-}&9^&`ikzR|DV>6FwzNZl
z$kT9Lha{k2o5@8{YTI@`WJ^@sd&-ctv|+Ty;RQmiHoBI9U06Y%2&c%*-d@YAM9%=9
z;;Y}&=Mvdldr7k8eh(uOFuM|Dx(N|)Q}IEqbl`I&so&e?*5y|Kz~#XZt!Q1+_|WCC
zA<8igk$|Y~kASzHwEfFypFas<=OjqfI6i`Zt4(rV)Xm0hmD;b_v@Gr_Wm~OY`$Aj)
zrHT9a!OERBYEQ%6R^KJU?sDXvGCZ^i`2OyKY8TsF>xWQRMybUM=(1Y`X~Zc3t+aq4
zx%4kZbX~(%0^`p$es!NyI`%x$LGDrQ+C3w&Pf5tlz_@V3I<XxMwm}9})lg|7Nv1J^
zp7}Ga#g<vwm~-baD`d^s^;^h60b>7w-T8_NS;RbxZ0|FOOJ1GTZ=_QV>`~NjVh!uq
z__8BphqW`}h@aDfGG6FRtzvp?6kb>@ER(B@s5vn@7_Ir$7)|XVuddTO<218H*Zht9
zo3vue)8Tvk`EJu*oY$#)rm&vKQGwsi+{fvN1hc-Gr03FW25xakHzp`r@9$KPt%Dr)
z8Dy9tbM4Ao7J7AoLpP;*Q*myKRxi2E*3TPXM!FM6e&tzd+n$cH#9Ao##fSCo3gHQL
zGe!K2@88|p*y$xlRIJ<f@?klZt5Fy-jaeBscq~8QhPy|h>E|w8>z_P7lHp#NnMx>E
zSh)Z^kE3_SoULB!yp|m0>ZcsEQYzNn3!`lDR;=CyPOyTa-O0nECs_%aJLMl1%39q9
z6Q7yDOH603*^KW$c!w%U5)l-)<NFa)<fa2zWErDxOy!B~m!q_e<I&z{iH@Bq&4lIX
zemVP`!6t@W^mj^1k%&9SmoHt+UW50(UFK1B^VV_bEcD+cZ@D-otAU!LGlQaD**$k^
z_!Kz_rgKw7To68YD5jT!KtB${zK<wFqJh99juyUvM$&C*;_<vkVy|HS!B$L0s(tuD
zqK=Y1<Hd8eB$Gfmlu7dTVoL;J<rN7$qov~(Rn-J1_JfFfqLPs(x`z0s5p0RSV>p=|
zS7X<zZwuXN19Oe(?0bgY1Bfbn%B|OoujA5QQ*XP+?ceI6yuyFL4LG?xfVUQaAirYI
z*4^vZU+kM@K%-smwN~RGl!Q_@x`{rCR1w36app=;;C0D67F9K8!Br2!+M8ibl%fk>
z4&li*r`@ay_^BBOHgx%3=j>bBaxkUF6!Ruhv|J2yb=BP`5t4&d#{GFD3I$C*0(mK)
z?G5GwGVgg=JrGf);bOSU<aN*mPb2?$)@zmfeyaCgL2=n@etD8C%b$y$96H56e&C9|
zSB)uuQ*`T?fW=1`kC1(iXdZWV*dd1|yoP_IbZW`9Mqmj@SUJ{x%RPHlboqoFpgt?$
z{F3qqwCkT}6Nw{Gv^YadtFfYLfdnXBSK?_nwacf*9Y+#+DdVoY-M)O2O-gb!nt}n4
zA}V>R;W1UEk?)a)wDWA1$Y24K70jqdWh3s7Zh6!AwIoOt;daVi(_S{r``|R6f;l@Z
z=%daow(&gTUdHa%`;^ry@@L*$n7RCeX_hlAhWOYV?4a)ID8+d#=>B@WJB)pUjjmGR
z*%KQi?na`$gJ{hK_v0^nR@!{12vWsuvi?l{cu7r8_|^351l_N{RC;A$dW<ZDwptA0
z8RYA$w2x-1%6vGFQBC{p7``ajU%;}#&G<ntHesC{Na)44GF=IPf3?*(t-{d1(&t_V
zi*mRE`up#-mE}98Mn8q&rpw{)^GXc;?~!3sUxk33LEPJixnxl$tTB7OV6FGgQr!>B
zaxIlJ>I|^zt$7Hii4d)Yirps?)MbQLgfS{*It~sNkN9t&wSDQo>qjw5{;uwlbA>w_
z=lff@b}qxD>vc2>?Zf^+I8u8j_)x4dfXiX(h-<swqlwMMt)C^~#o(n$blJ*l)u5B5
zA>x>cx%vd>fO_xmJi@Kp>=9Mp2yZIhn15hAq|18;*aAB}MEZ;5BUI<sh(5AL=*hBo
z?0tjq#QY=6q9ULi9KoG?yyM9&eia8HVEf#p8u2TnblD$0LT*0~S~~rsTD4d+EP>m9
z-MeT{WsoTlU&f<$io{mnO=DloDtgQoW6M@TwDl#FZUG~ARu=YnDP|y+MBqrSa_m(+
z?{)$dgdjj>pow>olA9)QH2P8>QNrDD8KlH^X1`LcGwBAu<YY^HWUi+iynd`G?!b3L
zr*b0!3Ot0oIA-;HI}&Tjx0$qyYY)22!gmH@v2kC<-v7Drv5(?BUZ1H`@{uP@Csd5W
zQ)L`}(vh0JYJBC@Z|K^$<@Qc3gjZ|9Pka5$_=0Vkv&fj_r9uO8HMc{^%Qmjv6ZWM)
z{BV$$nI=M*1<I;f6TrO0U`9G2dcT|0j=8BWh!RZdyiJ+PBJS@j<SBjn718yi4B_r{
ze2;|DE!H>kr@t_tO~-ITs#Z)G1ffrV-g;8!>!fv_p3){TcvtG=u>U%~6kj)_^JBcn
z$4B#JWkfG=E*^dJZd3n?y1A~CxW21I<oTG<4)&I6i@uRNC*BKm<9M9eA$=`Z*}2>%
zwcqeO_uFcM8|TG|J<l0#svxbqDc4QUjnphX*CRIUer1qt<3>p{7z#p}7Xm9}Jr=x;
z!|04WckxOWwQ3w=5W2L_93ESUM<@tCa!-G3sQ1NDuPY(}KEm9=uIlr%yiHMeQH?{W
z#S%=w2yyf?29Ix3a3qgeC#`g24F0_98MC*jw?>T<ArW2G9;F!O);H<S^w?G&P0f&k
zD;#dj>nuyE!p{iOg_FRw!8Z2rny37Q^rvXHamk)8u|?-FzrxMtg+OVyLC><LE<g8<
z63&x?00O!f(QKNL_RKMOwo0coE>WxPdAnL%h$Q>$oOj0T+4B>1x{0yI`L<~pRWrXP
z<aWoAJ)^Xi?4{i;XUxhaWlBfSc5O0q22;vQhhz0m3DqhO@GAS|t3TY6o%nE^*vzoM
zHyXZ3+g($7&#W{e_6oKqWKLH<(GU$`CmS`Wrq@tBtrrY(=LwW8hSrR3{qF7+rk^z;
zlDimozix#B&|7`en&;XqDT8z1VP0=mi^}mI1)hpOlL@`7=e3TdR6Cw-;T;)c<kl-?
z{7Ocg5?J=t9J{*S8&gnV>w7{jh#r5XwUJ%A(^Eli{8=s}Su`_zs?^x(FiJD%SIX5+
zU)&myOSV>iT4gcxrT2L_28%t>xh-xp&b`1D&+|h~_lfpTv<l`gB-<H2^rKn@{y1dt
z9q-_Mp5AesAR)3Fb`-M~=11}v^KN&JYEV-EL%dt*?Wg1=DXrC-$7@ohKvb88V!zZ&
zLxl5Z32RhWkv6{Pad)h7(k}W}7L`t4orRAh@4wr7@{<cSLRrbvl;rqlSQT}@2r`&I
z2zvUJ#G1tm?D8XC!zLb#b=EE~$k5R1VqUZxmqG`BCTknDdK^3^Q$sIAOYS~;!NjWY
zRhPEKTn~oL?cXEdy6O46ap^$y`<l|qHN)u*Y!)5+1~yB6W@#Ozvt<{i`F2cp{lHaH
z@Dcyne30CPr`~6QJ&=*`)DgGwcsZdbnD1<2P#59hX_WfVTd9nHe7uQ?&Tno`o~h8o
zdj0OnE1O`Qd@ruAy>5!=<rY)3tdx4O3K2zf_nK{qwB<2aVI3_DZpEvIcOGvjHdB`4
zJZO~gsj4A?dm)k(D~+GVt~T1Ae>u&_<^I;Kn3TeyH^KZCq~qDsDYFO4B|ASyuWiGU
z&gN#>h*P!Nm~N%wrs2A86=P^z8H$i=TUIo@=)En5+KpBmr4J=JW|t0Ba7-65fYN$8
zkYKY;VzW3f2#QLM;JWdNnh73Y5H$?lQLdjQ7e9E6P`|I8=U$wK$>iv1S(%t!KwVMY
zDd2DB-?GDf9++$c%7@1t7^)$~(S+N?qaw?+QMYCNRCyyhYi;gOMlEdX(RcR=o)T1|
zMm0d`Y-HaPM+D?Rye#bBJwHtM=*}qk>gu$oCU;2KMS2kmV{`^B$L;e;^YHIi<gpn-
z-5F4dH$pO+zMc$Ht5Xfk2*UxqJr`lsxr2g)Q6a@$-x^-0o~f+&bMdms3VPM<*jY!c
zQ4B}B)rX35+gt@UM$wC2J-g}2vReqHR3k#AnwJixKiQaD;*7Ts&>ZKImSk3HShsDz
z`zLUjG=}eTyEzK9z?xx+<y$0?y}RYiL<X$%rBSbxAU%_MC@XU38@2H~{-t?dQT-Pa
zTeG@FIfK>^v)+gipS;;4{IxOLS|`OE+ghXAxem5FxkDGKha+C}H7k1RyjIWjld69S
zDY?y2WNnjN+mT6?e*Q-a7ESVIllgm@6aVq^J^RW}OkQ{oD75a2eCAAj!~cVld)OxM
zg(VDOk+p4Y?|6@_k;I_b5>ZfV+4*&W0D(iUIXb|7_|hwovUWnqXLT~jh`JVnpVhx*
zESlc2nsC;Sqwwp4=e=)hz44n-O%B_mEx600)qT{7m`0hv0by5Q&E9o_9xHWe=b<nt
zpp=qXoY=a>?V(}hJpjVGWF#0-lOttW+xA~tUamdV#kx(zBFe2-(9TJ1*_vF%*)dPv
zv$5|TP}Ev&$a?X~F+|*5!KBPAdPKn$4lCOHt;jX7Kwp3pGf@|RFUgKcRV_oB{((Eo
z(5pu>VYm|S>J(0NS8fn+i3ffBW!I^<Xyz(R1_oJ+_s6(}vhLnN;D-8)OEcH8-{UT~
zpD$u#He+QNzw^155?b*_>+Gi`$GUgl6c7VBh0KInXKx(2_%xO2gan1<#PrtojIN4F
z$TzqAtTlh`Z%E`4;Zf{~qSE-FL)(~0m@U|)^6F9aHIO&HZ?tTKE}n1-I?YO|D*0+7
zNUb{OV&;Av?BW-#gES_op4#gN0^D^t-_P~6InlL&@R7rAid}G83~hkNmayTRs^R@E
z)#g3W$>3LRDyp$lPyVHdm(49b_lSXdIk2c%AOYiB%cFTc?<Rc5=_(e(ibI`E`1%>Q
zYSRY-X1XYa*I3v(+B@H*FS+h$?<!tljse9SC%+==*;AO2g?astk)d3RByF9gNf3rX
z`k=UxmM7Br)0S&P<k5`V?zZI4Ww6Y~D(I7qXFjw@q$PCm5;E|7d7i#QXH}}A`tE8e
z_MM@iX2XKe`UcJ<8M?hY?N?W?GaUzBkBc&z%{Cq9p-kgn<ZCR{G#;*}!c878ZkwgE
zX$IMDKfW_uWlMO%K4W$8bQ|~1Y@WwNNz@oV<a3dE1tH@WvqZgn2=d$Oh>Q<D_39h4
zyo;HZoga*)>7&dpxMs>s@16=zy77MbDYV^<*cDf&cW!igecjeLMajKxtf<vVzf4^9
zbWem)#$)**e6~N~ap$!bRGNG)UtL}W!cx+mxOnj)XT!7Vf;)U~rTivPbkIEJ@071Q
ze2obGbOTF179{1fG(s3mO<wFFxFp@^oJ`0h%q||n4xVfgW2>HYq%{T|b9cR>W2jpp
zbYaML=$|mwo}WD(*T?&!9ew2161Q@at4<jwlvjejnKV!EjmGDsz1f$#=i<HeR#xvd
zXQR7y_I7CmS3bt{c9bP+(p98ggY_c4G9z~f8=ks}a!>4hL4Fb0o88&{XO;cGvW^FG
zQC24kBS);J`nP5fuH2{Xe6mYyYl7DvkBC&^V}%+9C;SUU2(;p<EiK4#F9o@LC4$Vu
zP<hJZ>ooGcKjEqW)V;j;$H#o9hNXd<%GE*vdvIceRcFAijCWjM;#jNrA9*=6**_7(
zoMTfuJGmb^=xcOGoY&~2Id10<7IiB-0s3;kPjEdFMRkJXZX2nC03U;<QP0_kCHlER
zSasDYWaBF(%O_F}og%~r7WuT8Khb2bhEGkbOLNDM&FMon8|ldy9(}w-Af+(*srR;T
z5Milyy{n;z6uEb||EM3jlIgM+-j`bWQY|OVQ6qP2k#qZD#rEgjx2Ey6BXsN?6{S*X
zq<QcuO=l>Mum8vHOuIQOoJ!R5Bf;yElrXQaw+T}|>io#dPBN|w=T1m+PFnMDO-h2I
zK74&&L6M8W6ZJlj`jkS)3Ogh?$%W?&;kNXdfApS-&4x8%&1h<l9KVy79c!FB-405;
z6#I^%?L)8m)%0zKzn-QB<meZ2A-=xqzJKgSghb|2xI%hHXIxSPLF{06t@Q%R9J&zF
zpg(DbZMIolcuz+mi0y)wpo2+d(TlDSXxRG+gkqgYZ*tee-sWLcr=b!zmB=Yky{XRp
zOurIp7=nVmIgKe#Fh+x(VDo0^mze$8$x%bQz?ahL*7r`cG^B6n$bF`1fnKL&@3glD
zhB2(rp=M9ndQ76*XD^14Nm}_%=t~g;@*EFEhGAj?7GZmj`<?W*jYm-q(Q53z>6@A<
zma=LNmKdX-nyv)2sl)Z;GMs|McEV@RDPy&}mwpD9FthEN!jYRxS9<S>8wuF^Z3wl|
z^rC-oIc`Z@$A_2<70xlkJPEawUDs-U0u)Z+F=uXB@=plXtGJIF&1!Rk_EkUpvrDW8
zb_J&End;ca&S9J-$>s7?=#tL9(*<_4gR<i8D;EqlZ{)N6Ws1)>E7R;8fh|aAt#=e{
z%6cY^jrMT|6N`H@zy41Z*wzsLcbljA8HX#t#>756eDm@SiUAL;G#&H=Rnjx!XSmK5
z;oZRU+u>B&dpTT#WbxUuh%VoV$gMAAmWPepSocc|um^GY_?14Y3fb&;HUyvfS}&ie
zXMDX&M7mO$IO{@a)`L$NxB`q2GU3?isHB`YEa{&5IM)Fq$qVO4nw-=21===Z?5D4L
z<Le(CmTp3jjZB%RwfnJLXIXYjiB5>~hWgC{j7u%jF%)JQ*%$5Ab1A5g6Xm&$<qmD8
zpZW(ML-OieWomy?qdgeC?nUJzLbFsPc;nFWk~2T)YK*W^NJO{dT0V*@bXL{*MS=Fy
zspQa27A%nxzrjb8mrf>-;>a@+eqQm>(1DfEozomL`Wj`|^~^Oc`+On`majZ8qh;ry
zqia@beX%z|uhx<a_PK0@(Uh%9dZIXT8U}dYl|_U$jPV3qY13f0ms~^^(cIOV`Jqr`
z(l#2#kV#f3RRfKhC>Bq>&*f^FZ_jD{zy#X-RU<nsb4Go1JV2%Jz|yeSic$}8x>I)V
zu5jfp#GRw8yT)Z{Yk9R^Lndji8@kr@Zhqb25I30k!PXhl$HRR(RcUhCJiDyEO}U?R
zW2TR0mSNk5O>0PV27BIpRQ8TcaF7cACKPFf^gu8-T8+VX3;nal^KMt3Zy$cS?uFt-
z+Afa36C9LaYnB!LQSJ)`YeaGfQ$wywEGb7}2cO$HrPv`;Pi}o`r3q<oOOxbJk_Gj*
z?Wsyi-U;C_{lP>*EdHjM`n-rtt~6*<M%;Av=dS3zj12!v2y*>4d?4@cK2R}3`2X&>
zh}0exTd*;-U!y<hSG2UOkqC5brz@GJh6c5<JlE3vyxB~vEX7_ZbH$_RJ4&}*X!kNa
zm|Aw=f)U@bRfG8DhL1_RT}FGz?A1WfLNL5;4l?paPp^zd*>+|KO;bmhg4IfSG}k?`
z#T4rflyTQ&JA9Vk@!7@zKSL!%)0x?{Iby<&rru7|=$e4V{wg!_0lkdny{7Xx<)o!z
zw%RkZy705S+Miw+jf8fd1Z9HtoNwFJ%1k)>ImhWojek|B>X*J&3+#r<t|Kdk1g+8n
zNt*V5pBaqYKZg^T2Vde$CWP*5BEGv<D`c(II6s5&EwpD}jqI|q&X&l%t!wC53PEVO
zUbo1<*bfNarRyF7u%rvK5Y<L2q#O^?#{Kn@3aL#-r-gP8nmK(Wv2pqIR#jiuM)Bue
z;{1FPlDmUskd{r!&DuT$^*Q`5jIa2oU)jb;O;3V6a0&8<$h8gl9Z&fyj}2_N1q#+=
z4Z`1+MNAaa1KLqdgUA4(MqVPhTtuhFuk)jgUhR&y2TC#!`e$O&1P-`cc1wkBnUVJ9
z7zxsopO!U!ER?Oy(CTNmlUV2~i%l3Yaq|0*2AdW8sW3A!e7Er>tWnzAxEK;#9A%yv
zHju^?eHn|4-7W6=m3X-qF=`-795sM?Zzb5?O?tCgXf)Z<87aQxmUoinP&cq4!*1n@
zl6VsQlT|HoU^IJ7Uavqft(`m50mpB|dj7{%3(DCWifmOhCp+p&@<7ALWb(#-YN3jw
zzG7-tZG?D*;OJ{kHIMbgO@ci=U+0n+-M);qXWfe#A4WdR3NRJ@k|;#32Zjoa9vyrh
z3ss(a+P+%$*>{gi&!fM?O0fQrE}xUSuCIqeTg?KOo&CTq?;!Z+E?r%Nss}MeE3bR<
z-fr=gkC!{id86svm4=leosICcCqKiI3GC+ud*274P-NJMZO{p9U@|VWn5urCyIz09
z1x}+ecro)j=;1)nliW3>yg9A1nxKrp1;g(a#jxP6_{gQZg-a$L^0Vh|?(OOCv${GZ
zIM$XmP3NYuf~ZG}CF{b}p{|mn!mg~BGqF$WHOFypV~S8QeOj_4d2rleyMR8!ujrm=
z?eD2Ej)QytobZ=siznLM$2^K#&-r{do`gI>smaZwpX%V@)go-%-rAiAxWwz;klXoQ
z+&aET9r@5NFVIj(tP6&+FHB^x>K?`u#4`W<wB))j9UW8T7K*RLEl!5}Zi&3FZlU0R
zyoE}23!MI6e})vH9?+QsI?aFl_g^275JCAWiZ#CejO4$*2ciY-$43!W9`fB!{_W@f
z?~8w)@BclV{~I~~H#`3ShYpc6{El$?eqGs-nzB*KsL+Rh!k5nZ!AdDuT)8Z5*>2+4
zS8kMZY$BF3RXM96;ErenIDI|<W!eEa81s0QBA-xBhL!rEvvn@pYstiGM|9TiH$OuV
zCc*)8+Hy{Hcz%i^Sa0c(tFS<$Uhf)7OHXgi93C!TU<3>joz#JTN51;0^tXZrk82D1
z1ck}f{_CdZVEOj(Iv3{Lx0&COM?-p3l~&1#j+5&rYY>PYaGoibjfdTfY$Cpiv-@&X
zj5!}QT~>HTb5*R&rYgM3EoWxmzI{9GT-C}~Z!(ZJT4kd&Rqs{_&umXu&L7ItYwNO<
z(TdknuJ{wNe{fQTTt6DN8UAiETUQR8UORcMX6=W&GN}H9@eUY@7y7+Dr^sAopmL>N
zQQqwBKR(~IYXEN}$<yr!5p~>~7lkMSUxo78bA@pr%bJO^Bg^~e(!@pdb<^J%kH>H(
zPb{|G-R|Lzhi1z~Pky<#X#xBwwB9u?`X!wJm==GryME2BXD6Vf{u3aZYwZuiZvR;n
zN|Hqi2)rD(#&tpWQZbJ3D{zZ~`rxj`?+5^O-9exbzj6KT^Bz#*KOqv!PEs3^vp;V*
zbFXWZo~}oXIL`loA<mZYESfwig|>lUt}0NOmRUgph!n5;8AgSE`^nZW)`y#*ir<cE
zzYm}PaT@_Zn|X4HuF6?GzNw?YQ*CrklTA6V>c;l7;qt%^vU9_s>~k1>ojsCchDeO;
z>xmsQUu?C3L7+a4JJY=%#tN1Wfic7cuze+E;x5%T>Q7n^wi?YVL>7<aLCK=O_PnHl
zfHSI~8njizuVIMGLmMp??eY)ajl!d6`4&zy#~-bBM^v<TQPcdlfS&V#p1j)Fl4k9R
zwLV-k`T7$Eh2z+|_W9-!nboBiz)v^B&UAwk?cdTWL2FK~*0aS%%ho5ZGLLI2C<W|`
zET+GD8)+mOJVQspe_nuU`@ScIQ(yR)@JqPdcjrgXke%;x9sRCf@mtTQXgZ8ID5vO%
zCd<Rs;uL-d8-^nYL)Cw{tT~hvHpCf#e-(TQ)3{SMSD;yIzBL}I3=mX6emFiB-&vqe
z6wH+lf!n_O<sU|h@3Pmm&dDYTo~mn)GiDDL0YTJhAcL(NPA6Mr)T;)SrpIM0w}Kb&
zm^*(7Bt7>{ex_mFM628gqi)PM?l;>$8UpxJ34|8xJaRU(+v<g9<x?@g3&}oEhpZE9
zz5k%C;AWE9@_eF|hLv2NA5P_0UJdj;Uy_lQk}6TrIxi%1q8GRi^C3PR`2pA|E;iz$
zkpl(o#B4J4>)$U4Ji)c>=-*#oH3QB|<&)8cD_}<i1*DJ5ss@WGUUrnuv~Nzk@gBmn
ze|9tTzwtZXM~TjP@O1-Ss5RMlb1vE1Uq7Nub$ZAU@0yKW>8V#*+Jt|0RbDHrxne8j
zVk!WpVET1b_U+`SF*_)m{ohoJ^=9$Z2ye*>EZ=2y`c&_BdUoKj28D}E`(iGv-Ua)k
zPcnp6>seE;5FHod?6khSyLD6jurpW?Ex(P{XzcMOPZ?)A<QN6nmnc|gn9bt%tfBj%
zD4RxCcI}8#Hf&w0Q@>o(Jo!yv+~>R(9t*L~Lx~?U-)73~Ip9!STGE}+G2fiyjGDu4
z)gJz;%&?nR*fC`Bn<>lH@AN0LPl44$KT=lBLuy`r*VX;%(&Z{n?L3m^^0l-dYsLY<
zL$1zrJt)oBsK$mR=E+F@iImpMsJ4-hGFD+H6XK5DtWJ|T*`wIyT5#-(aFeke4JYHO
zg4*<u5BD=}rHW2gSma(arAkOTkw)-ZO>99NDqqnRUI3&!J+fwAHcH~F=<R#LH=8|!
zq#ydh$2OMe7zuZkp}^uXS`&`6IJrE$E&(3LIwQHsdQNjlV?K11qXJBVl}IooR_LjM
zUkr{Z7eWmWVKJNZPa~O=w<;^G<_4g64o7pxbSj=@Z<p`14Z4QKu!z4eY)y&ln^9$J
zH`7R@xd~LhGV_~-*|Ay#dVRvR)p$?yH!Z7e#j*l4g2i_TEuefhaBKam%xFhsZw)-P
zlp^u>j7$1<i|aq}@$n}Odh~TqP5B4mxuPKlYw{&imWc4q=xXgomFdLQ#H)4orjxyX
zov`~2Y-a^OhTTqg%8ip;ny)98JHyB1aZ#94sVI~2xrZV6|Dy$P6OcmqQAovk6cwg@
z&hM^5eeC)UoBfksr>k1Ge5v2fb6u@2M!vNI4MbpJXVx!tDlgasHBQ=D#9>U<AOf70
zMP^C}EWqv**$nTG=SvQ@SRjVEDTOFy0!8X6r@2hEr;;3DzYFODyy<1l?cJqn7JlVH
zr4ft%`wP&sKM6!CW(R97VC?R!*9V`|e++!YIUSgtea6YdiXU4|F?Q7yLssS6$-^R1
zf=$Y^K}b1P`X*3K>+?km<&^<Y&u<T#DHp){6U2iOL<;;!9y~iO?H8^9f?ufqeamHK
zr+iv9N5+(o)Cvrw03zlfnZ!fA%DSPFX>bS^kfhf2v1UB_wWpV<8Pml=@c#VJAQcs#
z1{MUHWpZnaNXuEp8YcVfWNTu3_f|B6Vpr|iszdlkz<wUT$2Yy|eKk|-DCnO8g)J&%
zNZdD`s2-^f$lsT*4&_li-pHQRzP_k}56U`^)H>}R*f5gv2@e6|*<H=<8vAu4j6}2$
zOP1Ht1fdV=1g1TI=at4yK#h6u>J3C+d)}-T{isB&al86;jCAp@9fY7V%156@mVto)
zQg&!4A>J~QiC(a~pNq4w9Vo>7o@srM(g;j+XK7W45XYN*CpHkk*&}XdyenJ1%k;I(
z5~WbBzIhIZVV=TC{^sXzeM)~tm28*ey7l`(q(^3lhIUix!$a{Xp*Rr+hBCVQ1Rs~P
z^Qwe<<0}ucGHeA^8{Bi$Ew}Zh$}DI4YF*YjV}NkuK{(0`?I;>NGCcPpCH+8KnL|)W
zQ>J0SVlrWAhimr`Hc%rd`_IXG2r+-|y0YOa00@7+dG*27{Wjb4NJRc;@;2x2a%14z
zfP8gJj(_D{cRXKVX-}-q@dl6e(#1K<J^I!WAi|tKf8{5XdTY>@Fx;&uNtxI62=kiq
zJ}jb31@t88AMl)VdK*BGnnFGa2PGV!wG&@9nrM!EA4y=gm8JBT<9kS>XNr<>;TesR
ziykFD>4SQczRqHHENZ1yO}E&~=HI%i*`W}2|4K{0Tke4ft3RU-mEe0T9`I<jE!|{n
z3B=y=a3Jpa(*lYn8KFV~oW>k)fA6;?N|-w<R^eQ^*-`lsv2N&lZ|I_|bSHxfMavz<
zb~3BUJK#+7s)QX&I}KUr#?ME2j9+=Ua>ZPgEpKGf5Dxu7<>4O5!HLadDq{R+B$p(A
zq+l-886ddiLEp@zA7U_l;h0;Grnnr+5K~4+D>~b;-Bh9n@P-<#6_-TxY^weAe=^@z
zx|DrYo99kdoC4HrYO(bc(P%KKuBK;&6At<!*LYxmCn&QO>@jTa{pal;VYWs-iqO)Z
zxS5Fml~ofYiWCHpMEp*CgZN8w{82<1iwfN^@-gCOLB5G3|DHg9(zwaii5*FOaQ^nw
zB~svM?(+CQ)9pXLc^h;2CCJySi-w*X{N<vkLf(U;P}+9bf1UH@brKVZ;B<K>{(SP6
zBEhXsc{fLy_)on4*VX>H#Ojb+dJ1e?&v5@zCIG8NBsi+vSxot#_xaDwb$FxVd)ew{
z+jRW(qH@8}5~(2M|GLjVPh5nJ2BcVb1p{Aw`P)T7Z^{$zZMQJ~_7rWOe7bB$#N2(z
zWG?3Sp!o7UJm@r40c`pH{Z0Jy#pi6OC)?5$%gY8+)pp_)WAN$LlscC~HLw-g26pVg
zY0Yt}5uTixkzwHGmGhSu3SJ8hip#<B{u?guyTlb~V*V4rwX{wvOtU>E+j*a$UF?(M
z63x}tWI1>3<eTchJ_nWi3~w{OJ!DY$0etKeEZRLZ^w1?SyQ0}CUn*2MFr)qDorREL
zb(p--dWW4GuDM?IRrGC@<L+#trbU{@U&n?SmISw=`^uJ7yBLm?6w|yus-a3c1Mz>4
zPjEZRD1NyKiFlI&Y<eLAUOEHS#}Ug_e;Mc<awrq|v5)yU83a=mdH?osKZ;C(H$1r7
ztoFBy!jA?A7faMlAN=jR67gVMO=_s#{o4y(3<C!>9GL_E#Lxfz2~$E59I5!bW`DWn
zk0Kfb9m(-(kq~&;L*T-M{eZz)23L^ZrEq(^xaDMb&Piq?o#1a*8#04x8~BLk$v69T
zt_r7J3i@B>{g!MEml+wu0sz$emC9b`s}j~<?qouiY7DH?PbFUdY5;&$DRGA!xsiVY
z|Np-5eG#fLRrF4tEmbJ0w^JT!Dqz$46fO$>`>zssiU4a-R*-V8fHw13B_Azq+l;E5
zBhfX&&O_bgPxzvy4KZs?p|)T^{O8Cap$?&!*P=(EjcrYFmLw>%_ku3apX|(-F*0H-
zWtx`V0pmd=3u~E_uUMusfc!tE%O{rm45|ugl9!mG3-|}Cy=EUMZ$h%j)0>CAJe$4!
z?<4yw6;<);LT9-T+I4=K`_oos_dx37in{0)0dWQ1p8r1VutZaIfb`9PT-(d1Hvv=P
z9SCE-lZRzw|Nbdc{I5Pb1E$Y5i{ASV_O+1qVc)!?AQ5)~l-e)lCIe50n*dMocy36I
zxU2O~TK?~s1A_2klt{9$hx-%|gUP9~(0@Zl6dffB>=2Ugk)7!Ne#nM`w%Iaf_<-oV
z$L}Gt5v_DofPcIHU^2Ktz55F0UrYNfb;0z;<*EBHvZ0**CjXbMQ6t0Z>rWaKpNAou
z?d4ChXP-a@g}cm?!zjT`NOGY1j?SWPYQ^3Cgoy%pmnFg;6lH*%;6EPb>~F(}F6Ov|
zJe}KAK_hyphB+#>+8eY|tlvKV{XO%x7v5~Y{XPg>HsR5w`G9tn>T$Tzz19s9>EKtJ
zK_kRSlbcMARx0AT^82@VV5jPjWe>a?fQQh}XX*+S=KO-lql;7vz=Py}s!R7yA%guT
zBLsT$;}E&$9fO(De9YQc89JOp$$?~i<>C}O@$1O6?U1evEfc$&YJq;R;cg-*eaICx
z$iL7B(*$=UKD^<vDdkE=g*6NQS7H>|xP+B<x<L7+O`z1>Z+m!zi2%k@PdBdk=4^e|
zAx}%!K|#P#-`%@s=M4<3K0#Ra8}^}~w9y9Ax5zzD1&tctPA-NQ-s-m{@ds`9u!+Am
zpYp5CZ4T$?1HO5wklV>PuuorOt6-jt<1ypXaPKAMF`up~J{eU<Zp*_jluRJLoNay&
z@3B(mvIFjNooPwhNyyEBeT;S6mm9b>R8Yb%XNiGNqS8&_2LY0D@weu~9%Ro<3?P>r
z?YI;#eji3K+NIs3?T9PHZW?InenGptI+0s=6{b~zV|AU_iAOTKCc$kvRWYLFyl`!f
zyl@a#8&;gVHaQwlgfL)#zJ>bYQ?*@V`9h12$e+1WKusko@do!3RmRF|nLkCV@nTEo
zfwVUBwLbFL@5%@odiw0z;Lj-{m*>FDl>NwKW7xDW%`np~zl1`l24P#4cf6j7f`)B$
z;q1k=TX!gTV;hRxwhEr8UUMueHyfJ>AmR4xwIta0o3U;=t}q+3MC`RZaRfYPb--;0
zv?@u*CN$!4V5j9V3lg)5%xJ9*jWVe-B=CV@KLP&fsy7=yh2j2!hKmnVbuOjx?~uO_
zbEkoKLQ51IXsw<1+rehQ3aByVHV(Nymv_5ZhpPb=s`=@TW`*^_%SPm=x@9r2-f03k
z=|bi8rnbB~0Itupnit2@<ej<zZ+J`g5B29p5J)PMdPQD0qD<(pr*W&G_R7FGVPG7b
z_Pbd>TXHfV7#GD@!#PU*cgMh<yabS-2jzsT<A~uKV^$_$&szf4QZ=xF%|r5&=R4*P
z$%MmMcPGn-Dy-&qezrmoHh?ZXJDSzYf2G*Ytjuz#kgEb20b&+Lnl<*7fSplOY!*wF
z>oj>&{wPfl9QRx4o__A|V=YoFa|7sTL|6bLi^A}3)lVpB(=(}(FzCyGuA1Lz-CLgt
z<%$6O%5_2A(5yb_IL^$f4E>mFYBXQneCellJuQed(UW7^lo#4*^uym0y4iPiKWqX<
z`}A3|EA{+OvTGgJxAJ2JGc(WO#n)Gd{r<p1>E~!YVpnE)^k(T0+%BuhI&eL0=p=n+
zZY~{lxqP1Bq(v`yJRCP#v_PU<sP(G9T&o_vARu=Oc$ME6b0GHJuCF|j<jZ&;FuonW
zF$Rl=Tw_2SH`!c+DOB7lHYy!9Vf)+1Auu<>O7NBk8~X%uz0KxepyHW1N4oilt)a?4
z(#dm<2UN9o4wB755z}G2W`eCcBiBh(tI8VY%rl$MUKflz(SZUYiUsPRTbFX1U*xn^
zMFbh&D!C($?Y8-7UM5*I=~=Oo{&AYvp#|{Gv}BRC9ScpI=CM$LDDRFJ_ks<KIcd6j
z`G?K+6z0OZpTTB=j^>r1ZZO{+O*<&>PYmi1Q+W!hFC8ZgRjO>#{YUa#;wW<?RU{qE
z@*t<vhnfw|JLpDGKHe+*Ljl;Fa4-A88PWx8ObL8`0GFXW@M5&^2eYH>^t${U!v-8%
z6XR8@-iNfN{5YVuzB^=FR3PTRO0p7>>F(F~tKN+dalV$k4Q9cCXIG?(mWu>*<oo->
zs8>L;Seq~QY!a8^`EQN!9lP+)Y&-on{;aA+R1w;GeQ`XEbDyFVhDwd)<6pS=Azlf!
zX}PQz=DwvJ`K-JG{4sw4D^Tc=lkC@mszq$K?Q)gGA49Fct=gow&(a8qICTpDa@T|0
zusgC82w6`8iklH5BjZ&Sd+pX+x3xs4OB#vT<$|miAL2E}X>^WvJo4k0^Bmd*=45f$
zD)*P#W9c~m6h@vZ)Sj%%ebu(yZG`*^e4nk>9c5urP58mn_xkJo7W1<ryq8goYFZWM
zzQiyC-|^xlG+v{gY*0TwbsT6*%#R`rjG#f4eCB%C8*R}ZM6UJjmn)VWc^`j2mXM^{
zk>tx@R1#k{(Xb*eC(G~eLl!ZCMqxhT#Mn)J`FU#EcYus-GIrpT-5Mq>cdu{xf?J_k
z>r_)$pV;w!`Yu0xk}59)*U?0ltQ(*5sFPDK#5zjcF3%@^`ggxZ4%jEb(zsj>h<R_I
zF!fTA--9~ew$r@-b-f&(s+FJ!^X2&ttZc5L#scf3wOp%}5f|}1W-H#0pnQ@V>m!>2
zr;y@F;Vb8FPKcUGUpA@Y$q;sJEvx+;8})M<9Mh*~z;i%gVM_(r5(-`}cM~5?#kW3{
z-Mit_#tXS+5qp1l{$`!L#Z*pJx+{74N^sWhr7~;nN|a!I2(NCl30zBJ8e4wB<3U5x
zF8;?K`}9=0H{12pXjD5|tSZ^~r0o{$7pK#Z`X9jP&8;!t<xm-h^O$4)|FQR$VNrGc
z|EMA$NQa;zAq<TmNOvj?(hbtxol;6jmvn=4cL{=|fOMC13`oNe|25w6+|TcSpY!IN
zbDi_zTo*4!WM=kWd+oK?_fuaCkZGc>Gxm#UF8N!=s9f1bDGv<93=Y`NGM>5l@3rTD
z6V#qO-8l;(rS>>&{x(@)r{&jpBLF(wJtQP84I<*{M{4?o3U+==FAyqGBn=ZP>T&(a
z12Ya5Fy}g|p^LZP6E+WY3DeF@y=;Ixvgt*srN{@&qnJn#;@3G(S+LU;d%%q!djaNO
zMY46{H1zWOLlC2&0u+RfP17Zc(aE1`u}FA1tBbUV4QD2rTx>jkhH+exE+?9>V^~e5
zR~ElZVl~@lZ2m9<as_t9NS^EZT%Szz(PlK_9Zj~KqV8og;Ze&v`sDG=A?9XdJZ9-c
zlc|&pkxtOE4`#ETn<7m<1Sor#j3@u$#cZA2^=QQ02P3eS|3c~MSU(!-b|ZYQUPHqk
z21R62JIJ=0DqryFQ<m-zC3t?2K0}fNCb#Re%~81zvrMv^k%Ac#A|M;6<)A{pi{<Rg
zyR+1WeQIy%WPYy@zLPNnZv@;}oGo%Hp*;Isx@UwH;JM_6V+uksTJ#_;Ec4@-(W0L+
zMHbIo+V8iW)nW+~2Pp`p9mq8_p6r|z+Vt;E>&}Mn%{Fu5uSS)h07=wTwVC2vDzs!F
z<n_cW-0?0^;Y9v8$Y2D3)~YVnlgo(PB!!rvr5El@S3#*WpIJJEV~Rl(PR~4B*`651
zUSt%zQi*#=x+ew+@0XXP+nr^PU*=u*>c|%akgJnR^h9H`zU_EKJ>j(ugR~gfhS?F6
zrPn*WEv?ef*eq_Vy)cM-K_yfs92g?RcEi~Lqp9{~0vpV5GP0uHCXh#P5dDZ4qP}hF
zIo0G+MhaU)D6XDTKLZHuhlNUomF7|-f2$dO^Dz{GQwem97WbMu@3BiVv)zP)V&>Nq
ziIsh^NVzwvbPdef6R&@EN1V>SiXd6;9@5kOjq2urZlp+=^=ylg%8}6l>2JSkobOj+
zZqJ;!^plmKPh6nCzK~&5m&BuzKDe9E9YMMeEnirjA0zQPw)rr|ZZ?wO?e=SBtZ4#(
z`2vO>8fZuB*PA!H3iHI?=g-EaRb7639R<tJRhAZs;rL6J!8!Q>^6?tWX%-j4^<xp}
zWjGNBzf!>I{zOS~zan)t<2gARMK0L!A{WhRFKAxTQ!sjErk*3*Md@VoJy2uC<(G`5
zi7Plo&I)pl4vZ2d(>{>el^5Ks-Q%7jr%sbjz04(CFuIFRGAW%^hoFr0^jzh$PJ=)%
zx5P?tv{nLTV^3g_MvbD@1*}<2_8_3d3wG*uSIW(0e_@ZB-rfvNfZYl$T8l`d#@Zw-
zwLh65NGTkF?Y`OkWlg)PZW^@wwUqq^h89_;oW6AAsw82K{TiL?PL`fqSIF9p1vW36
z1`(tWu|PQRL0T`^7F^TW#pbHG;`-FQCfACDpwRXzND#;hh48-T^Kgdok2u#*^5)j=
zxnM?l;io11x!m+iste@BLB<dzeu}^NW;PIKQ7~s>B$V^3STs0Vr}@pz!S$+pp&dJ~
zM9-x6*#b=O+&o=QIEus`7ji9!Xy92ME(foHDo}cUQbj3f1q&_53w?d><*FutToF($
zRI2Z56v=;Yvf`_A-^zo;84$%fz0YSnuqh%5LcE$lr^BB&*5c(tc8syCcY94o#GE1>
zqtaC#Ox(|Fnw`_0I;ghVVc*cz9&bWM-1*v%LG>gsb<xT2LEK|!p$HUwiC}QgFNve#
zGwJXu1t8i4BjdWR^H_WWH^jx1nY~2)^{Gd(&Ejj%kD0@m(9mK71qDnJ+)o<6+zk2f
zAoFipZ{E*Zes<7x-*34)*in(^@n8m{-B=*%P09lqbJpeI0Eof>ijlJ}ew8p@JZM<C
zQIY^{g)uEBSFJS_7l3`D`De?98#=&Z_Nt%a56Kg;H?f2?1*;FM*u`spU`SL7ABlfn
zkd7PZ7o40{n5QPaMeNT+=5G__727`FgA8B}J%kXfyb48Y{mW*+`e1Qs1aGuY(Vb1P
zS*Q?KYR@`a!3JJ>VTDrC5x(p~c_3HWN)0bhgT%;CAkSSY^3&YuR3_?Y2{^3vmxUwU
zX|*;{_iF^Pqr2oID=D0ZL36sL5?=^Q%grTG<|OE$oBG&7jIg*+S>9`42w&>gY)o{x
zbRF0y#Wnf2wBHYim(NwIG?XY(ZA(LY)z~@Db#aYp1?(5s&Mh^TiRQ{|iw%sTR5fA}
zrRGB0vuCIqub3AHxi(Vt9)cS64&n%;+zO_$@0~-IgG;>1;@E+j+d>%@??2Xh?Z*EK
z-i5={R=z=x_Ri70GlA7_pV|2{4ne;*5&aKZDEMkh`X8f3k%Aw$D|RZq2GIEjt<Koj
zrK%pOUl@JGvuY8sbC-Z;CEY>RTyW%ckH@|L6R>WYI?>QFMp1F&hOSnUCDegH8197k
zGYc5xb6M2Yik%6IiLuAh<m}yAN?s3BKU2PaB|TfawbYeFrdR7MTZYlEEx2)Qo#g~=
zAaq~1noTnxY+^S%9M2N7AnnxTU}6=r7%xoSXX?6m^F?)jeyE4J)3VcsXmmUK<L+w`
zF!iQzY?1xE8Deww4kXK*8v=T>#IwRhUBg;tIK-crR2O>!o(i{8P@3!0%FiB&$XlnM
z$UH{_#@_0al|ENLy>8kJPqvi@g+CX!-OV^;B``Le!`NQO1Eo7J0=S-YUAWJQ6FVaP
zO#?%P%+xOs$>o;_@_5~ILtcH4aF;?LtbpyeEnZ0GH`*3NgB>kr3=HR{K*!fYt+<bn
zQET-ljpOdr4-lV&NhrThbQ@A5S8Zj}b{#(Nve<HiYP8>SmKMt9n0ia$1>38`nii8o
zpRG2Ffr&ido13vd75?#wxq$J`^5fSLBv!!0_$#7$5|3#0o9(C!$A!e#YO~RfszYLc
zk9>KHxH<!h`v)B1yvFd3TA}GLr@OP<0IAoq<Ga!auFzn1#Ld@GE?f)a!4#-=BR<ha
zRwy@*YQ>nqzC;X_>&`<yZK-xiYT2hd+R^wuZo?UOGcVV?A!oS<^`Z`Q6wzxd_+u}P
zcTE;biWKwvQ+W1<7G}g<Qf_a~^1X)58)QpdN_Cchc^o@-PYkkI7SFn@bTZ!r>+GeV
zC2M`dZ(3<SVyt9p6?dA)AeM$t3SMYpv3ks9KxvSr86zEZgp;s4-(iE^b4iJ>Mf$Fa
zKg6Y~dPY7=G?*+jJ)<|Nz+#d__S|g$Cu7S#g1Lof!e=TRXg?G6Wz!{STpPo8zO=||
z&~^1Dg|cC$i~GI2*p{b6QN+k};CC=O%v2f7LS+ZXv7wU$^k&8KktXVy`*RKbe28mk
zJHyMKOxru}-=!^i++O>fWL*L_P}o}ciEg7y+e}x1=lFZi7d@!Ms!bN>?9il_(|o=z
zS#60K?rZ$TzohQwJ(Si(!1;}UX&~Ziqu|EyLTT?5<WZa9^yN8)SY(854nX#@Lw{69
zgK8gLp*Vv~N8VMZAq>e+ezH{6^%;$4o1XSLf4fU!vGKa=!}N{(bb_YtMkc3tP7~y=
zbGi9FP?h;&@xv=%LQ$J~pW|jNQhdWQ&>r;W*Fm}`ONRiX4$r*vtd;XlNnJgedw%2V
zA8p%=t*~>{ArPcCPrBLAs>PQpE%(4<$yWfzYcB)G5_~|Bt2~k#5AFepv-|G3c<z1m
z?0~z!zRy_~(&`QSiX~v_b8~d>6cnE4jpLZ=7$;jts?=m*hi(8)*daObs6G2Wk-G98
z<H=O$t;dfG@5!?@`tT^k95-mM$?uxwwXmRE0qAJkdI~zOPE&1U<?wthh`7UFt+Y0(
z*o99|!!ll~-7Rpjv+v_WQ+++iv+v-N*LITi%FvsS@{NJ9yb93rc<HSVrZ#b%E%5V)
zM^Z8S#=Tj+S?-@vm8(OYdsmYZb=}e5)8`U)Qs^>Ss+~Dc#K!$q!0Y)-D;kaJPaAZ;
z)EXnB?$I$m8xL2db{_dzJ-+xj{`&EBIxm<NQP|>k2HK|$s%8wa^yV*KnKh%3ni#g1
zx(c*&J}seqvVs5gIZJ_OT+~EuPqW5Cjl~C#+j(x<65e7^g|37OTI2dvW~CZd*R9B+
zKk&ho;6y|f5_<Yf9Z}*+!UBFt&jvz-+P%3>6nz>W;9i1i{HcAA@1wC?DOHyQqv$sO
zr->Vp#2o~VChBYNo00>q)_*Glr16F+#%&reoQck%nwe9qiO)sttU~Ik=^0_)bESU9
z`bjWpUse%vvnZs^wHYoS%~&uQLp;I<Vv=Vf<M{ichPh}^Ry7c&>5<o18G?kkN?vo4
zpcpdUb*nwzI?C|L@wB$Z=$B=tVVvvClTBUkN>$63A-fZ}0YBzb*Xz<IrmbM!Mv54n
zG+X}JTH+_4xIKv$f9nAP-xYh^z^-1ZPqS6aoyQDREBst+b}N9IWJ+&&s#lw~h6Xyg
z&Q&`)_rFPYP$a4xdCm2J{XU%AgYzYV;ZzxbL=ZyhvktO*`#5$!a^*V<%@Za*JE5}g
z$s8UW!KN2#SpR{-vC9z4(L*NFa<##Gp%m|o<e@uNT5g>nv+SU~&|$6JVfY`|?rUE`
zb9B-M%Woc%VaoWodmqodbG*PCCr~=SXRlRFc%J?@MbLo?Ah-`q-}cT#%}nN;$uPh*
z4G+4bKa8_%VDiTS|3No(68eHNo;W6-ltj+ly)k=60{%gfp8;oqTeD%t@lQ-1(Bgy@
zKvB|JLI!yzz9)sKTF=^;pbS4uUf+7xq(@%xg6}`%(NjJIfVf)$L@i#x$D3Y0Lr)8Z
zIs_*+rFl{vanEHBhkgZ#xaH;hXh1~Iy&{_o5_(b}6CG{2*lJ)gSir5!@m~mfun1WM
zp)@3A^PwDSXol;y%naB@8^#Hi;`kru6piHepF5M#3yBNMxBCTJj^>4_ul4^IN7z$?
zi1|=f!QP6e9HFmEyE_w*2GhduZ+&n;^(GGpXQ0ZwntGxHbfIM961ENEEDZmk6(A&c
z=L&JlhRm1&D_;iZNOCYEX{wC+*IoC}W|02ty#E}6%G5h@c>T_uO8+|@2S&^u^KNHG
z$|&K}e<M?{dz=A1FdhEs!GDnxe@(T)XMh!Sxb&m&{Ws2VS{9J2vp9-(|9S2H`kWpv
zaAoafb!{R4m|cIrB%6hEx;*-H-~j)6$A4aOeE@XS;1*gq;y*cyzus)f15U{DwKURS
zzxc;Y5G32c2GlE;S9{byfBV-|@wKD|C$tyze?UAwMYxEV%#5X1U3OKLY5CWWe~StT
zI@9aR8dS8@_y4$Te}9{=8e-*W5Hd%F+Uhje7XSVGzhAC=1Sgl`MDzV$$Fu^447n@o
z>u<T?|2zO}6F9+FEMkWFFJlIF(%@<k5ZC@IOU_C0?h(ETv82QQKG@*qW&m@bVzV5O
zO8>bAf4%H{3`U!CM?UGV_2<7Xm_CjmdWhHutH1vGpQlSU2tOC~4<k?iWfaJ;L%}dG
za9jQ>MQ-<s%*WbX?&eAYfa1*HhF)Uk+Ff030Rl%%Kp!tM7eq+@>zO#?^|0wj24sM{
zbZVi+BSo-^uc_huFeX}IXRg|e!f%-QnJneM9IPRSuhvg0s!%diA=oJ~4?XdC?*CjC
z{(4vEJzp(~-=yLLA)$@JL4&n;g0bE|WD);7eK6;G7!ev?q4zP~iTzjB6*m|R0r?5L
z)o+o+-xK8biIFXX8-((T_RgJu8NB}|-Uy-b<@dV$qyu@`Nj8Y^`%A@95H5~3>i**D
zYU=*t>R5E`k$r)FQ3G5cuAh3GzsW=R_^iAa1p2m=N5>gqPcPKxs%eWbgn$sD!SQrw
zp{1!rqlV>JqjJ>*gs&E!?7;#+Ry%iUi-AoVr=1_5m|i&NQOsR_xpxLLu$is>juYPr
z1(TB;Z*!*RgSNx>Ff(!*&DxYyZ};orTF}44u;_(ikqR--?NzAN{z6M8cM}jg!R0Us
zq^?VEEq)yKbT^ammDU22AjY^IYis9<D{J2nlm+qyz;3MCzWF*W@10?LF0+d_r&v3%
z)wUAAe^{qqO?$b<{`LG6^uyj9+agb9F$w`?0o^h{eDM5%3F<AJ>h#(2oT!YRKuV8t
zyLz8}rII0dm;OywfJ{37JP5ya+gbE^R|0}op^ZC?fF@hQ8UH<*)w5P{;-VG?k<bVZ
zyN6PzkHsrM>Cr<6Xf{G^M|IOPpm+oX(Z>7uh|>gQj3?7r0s|HP_pvUs`eV6%$Z{7%
zd);2Uyl$fF3ni1UTt(F(L#yix>Cu;vK-vwVFRgw^A3uvH$7{)Sz0XBWFj4h#kn<%A
zeg9w6SCFh95j#NPN7wvbZGmEbk`72GcS4Xae8lQx?yxu`_{jW6R>L)H@it*ChWaIs
zY|42<%khYmcY^1|;WS_d4NX#=;@7}NgZ0_gcu|73*NHM9SomO<J7s%agu2yCt)EuU
z-n4d;z>>ASFV=3X;dv`(k=x4av9vLJppi=*IPsa9Ngac_`P2J=M@%mURaxm=QOVn{
z$fp2P)M)d*-u)RNfV#JsBZ1ch;NeudnGx^n6IIyp=+JI2b$T_}NPIX%)a{F<H2`^x
z;SxcOYw?;^fW~j9`i;$XLgX_9qluEOD*@TrP+?Yq*9n73+<;Je=vj=Itgj!E2zgz6
zcNmdTC?V6a3OPXcYC#>&T|w3xwjW~!SB`pva@QQhO}_8~(%^6JF^P9Y&zzk5XxWO5
zOMp5$prY1Bw{obcLP13w(2B;JYCDrQhW!al0O7BFKM_Z#-e=u%5}}gWA;G@iy>A7G
zh21Z{_q;v2!wKErk^_xF*!buiC*MLDlkzqq$E&k)AfR6_W+zlj<8>2;0TyqvA+P4x
z%53DA0k(fM#3_~YKo)Ul_Xy+zkGu-I?9|jREC>4U`r0&$$|Q|i%L1?SWe=dPVb_&A
z$h!>$JrfrunOzTNGjF2-?dPUr({fTsG|DlBN*!AZVD5Pxk3FQ>MyH}wH{+LQx1$|#
z+7p_fUD)NqGZh7)i*}RhQ_1RvCBM*lAC-Hvl}1%fTfgF95f|U~<5h_5FB;Dl?q55f
z>;cwl{<c?Bh%Hl2{rz*@)&bDzZ0ux~f40J)X@3ZSd;#DxK_IneqYJ@q53QhcHh@tL
zzEMM1XsbWUbgPPodTJVi+H0V+`S3}RT16$#U?SAV_A}F~k35c?i%JvGl%ae5Oad;#
zV=NXUs|-9FDMx;VSNRidKvRFiyEoF146l7^E$8)P=J|zYK}a?hoU94AdpYDiQ(Xo$
z-AZ`J)!Vo{sTSPSlcm>Pg-Tr0#2Yox^&b|sZ@+>d2giNyxa)nNp~j;M{iF@|bD?c2
zB@-9R{8Z=0y@i(98k4N=pP0u@f}IDA-mAK5dw%%i`M2tffE%z%N1%pc#`QyCP93=y
zL0mX;WUOGc`9;n?t{()!ELEZYBvLm@#wO`qPv><fo?JDctp=NdWD*aRH&?WwhGor%
zl^}7USH|$YI<O?{f|yr_^ny}6c)h4o&b1tXXSqI*cnU~_3J~K;Y+ntyIw!&|t3BOY
z_Zi0@CBc0URkfC>?v!Z&!q~DSAb4VT*BFXW)u!#b9O%6`Q)4lEu>5s5T8i=XBjgSo
zDv=FxUyiJ-ksp>B0a5Fb08btPiu8v88DCK<5a3{3hV$O2)mq=0H4EP`DqDVIMNUcj
zF_YFOIy!*q4}>z}+Q(KmgSHM#Nfx;CfF08z8y1CSh4M7@!p!*7sagTCT@Cys)2R1(
zih<tz+C7+sc+OCVTq%-uIpOmW;BNhuCo<j|P(z-YKO6%@kPR)X@qmfS5b8^Ndc_gu
zI!8uBJgSd&D=<!K@)W{KwWwhrz;J_YW@ELWP(;y+KM|l*Np&}uNnRF>0dR4{t)FH~
zIpweIrS^N?4Zs^h#k^WrR9dC$t!_Z-`C?cyo?#2|ddELYI6XnzIS}tb;fzT-2G(_g
zX|^c&uLpC5$G6#QfCb@t)>hv;ZaJ8u&aU@`NcK^IA))RZrIPV#g4$jjiejC$*BR-d
zuK`=Pd;O_YP>9NhOAsYKMuY?A?pUy!uBggJLIUIUG{jH>MWIkJKaJ29Gy;Go_;aWe
z!YRNFR@Vcba7|^VSkorg^mW8~2%(L*FkD`4&+!6!yfPnvn(ZY}$P^2-y3p{Z&lpe7
z<AJZnqX<%>Te(V2O@?t&R$=h^(i<hb;PqM2yw3qGbiMa=t>qSOj2gwSH*j*$87Ku{
zr)C0PWx!;!7_Xv@`)u3<G_g2!a||zRGoL_@mvi7SIdywWJ<|Ynx!RL~26In3T7ocj
zM})Pwg*}!Du7t-r%TB-GKp2?h*jR{=JCv3EYG86p97l~u1dvib?^h7tf!slwg*-rV
zt2`3*KJ0BBoXNBK9OAO*HA&*WxjcLb5D&v9m%ZAFlG*yE(b-+Fq&vHCwv`Lq{EBcs
z`d(Mx^uEsBZe!r(Q1y7xq?!mdfsAv!;0!hIc#-NPsyN2H_V<V0HHgf?!XSgWhRtH4
zKD0lH-C}}6NBRkyc`W^{EInwqG4J|QhTX6So5PH5i3-)B8EHiKCffbJD$*9_89)dO
z;i{Lm+v|O3_)W%v`NeMmxHbaVoSYzpu&|ri=cO<87a9W_%{8J%x@3}4zXrJ)qfT>x
zu7LN|BOAMC%;I=%!JJ9u3G}K9!K<S!Y~AH=_hAx^h>=^P`Srg*NJxnD#q|ln7I|K<
z$C{+FrQq$Ph}*H43JFj%obG@}(@u%*tMIF-?xrX<c|D{o2^W9luvE?)e*x&(f(K7E
z+z~>okViEKHzVPBsK<VWCg|Qo)J;U4j2cATj>^p#HB^qPCyPTAM$X=2B!8O0&jAiC
zkN3AQ-R+z9%VU0{$65CHZPwqDln0;Wrq>;hd54VRr2)-0QB4c(V?!$n9C)1qMebw)
ztvdV(Kd@V0v3=(@OwHxr8{1NdxkDpG{VV1jJ|x(u5>X)<=~F=A`ghF+H4nwzrhVi4
z(^vVO&w~Z&q;B8XUjyv8r0V?Q1zS37Kc*(Gv+X^`&;j|l%i{OL*_k?lA<b!V*UObq
zRH%<r?%rI(S2TIhjG!!ztD@M-QAIhK!{$)<J6yvqny=gJ6vdEbh>_dqL=q$h_EcWP
z+@x`i;m8|7#o?fv?e0#HN<#f+N*c==nhz#uM9~o{!hOF+XO<Ew#xptoDtFAl;t@A{
z+enL<E|Nrq^WcT&<E4j;S;$65e_{eb_rc1HJ1$HE?aV0EW;#QVUqYU!*%^BwM04U8
zhn<7JDxsasw{OrL?qodk@=DAIumZ(Eat+NYu6~KMza>z_MV}6oK{KOrx1*%*7%h!*
zDbO+x*ZMURS&ZgVclKMbbI={u2Wx=XOCzd743leVzwMSEg4i4K8Hmf+T?Vz75NUq`
zkH6J)rO}|wildK7W3U5`;@n5OpWiO*9aWD%z8pModF>x6WhGCx1uj@q=$>15K!U&{
z;Lh=_C&yO1`uwKyJ<XderMwyHghaC54skq#uo%!1EUIqKY^O6wO!m<y?h`4dJErI$
zz)Y?@l#phXoC+<HEVnV}`H`PgxorA!H(hA##NdNh6GXt=cQC=Z%p3-~8*hHwtn@wu
zd&CR5mO#?7_%q-(2qg1LprMF*ZLKLeQ`@dCN*h$8W3P!eQm9;j^$aE6hzk<>be?mn
zdTSCif#avF^*s8H?n1G|@8gN9KqZs3bhbBl5hBue{-dE=%%Y5?52-|X$9bau4IWeV
zrjJyqeU-5naZR`goh=%u03680YKF~&jd1-T8d@&%&-snDeW=H_)W~BxiRO1BHRFpN
z4f!aF)QCSse?q=B;9l&AiKk@Wx|O@Ot*By+(Tr<4S+44pk=Kumo_l0eaMXczyRq|m
zwNqpqXJL|?bgkoIj*~1IAR}u=ihvo4)Qf>Km<!hm*!U<-mYrh=U8;G%H6(U%Px?0=
zCkOGet5?wWM$^x5Q429qH2b-q0}&d$0PB3|+Z&VL>2QQ;p*a^UWS+_3+o4$g^k%v_
zWZH|d_INDLcyx}wNx^l1Z2VXH?NzsR{j$4@NnLP>X2LdZ=1JuM>IiuFw$R`q&V2kx
zSYa}>@U@dHm`f;nx@n{~h!bzN*4lwES-ItLi~eoTt~Ozj(1Tl&;u!2|$1MdHj_Ohe
z+NRD1n~x~$e~24CVbg%<rq3iYgKU`zas8eqY|IAVSefWpt=wxv6C5Hu^nX%VYr*Ep
z#d-Sns3_Mm>P%4|L@UebJ;yB`H3=?Xy0X6>Ij3LN1Fd`b*}r!N8+@($P^^hR`6`}S
zveGm<P*KCIN>g`k{MjTis*3psL~Qje@!?3AYGk#Juo(84m|uT}(6tvYQP<OGHYL{w
zh>_sw3mdneeGttciti!8=*ni1wvObtJuYWg+CJoNEY!O6Qp2OBMYB%lMqp>&1=c`>
zS(HkDq<dvuv5nG)!T;5O18E0he7rk7do~WXJY}EJDf_hc8Jyp9bCjPg5G^rOnKx2T
z%wyxnWXjpyekFw-s_^1^0D0}tG`&+LQ(g5ZY}TH65tDdo4B$@dwMjU@J+2wVIngf0
zFJe@m6Gw^eN)Q!Qf3#)h0^&@3j)7i{#j!Ns$<p0D8L?k&L#z0wG0`7L3K<RxqKc3`
zp~rT?Vi^){=APTnk|<nPKh^45@IW`$;qnN~7}LP?Vp4mdeEdc_1CVnUU%uNvlOHx|
zu$;H+P91!DjpuQF!ZAm@vbI26Y&M!lfFe>!P^iXy!rb#A{t6b|H(&nNKa_B63{7Ar
zYYOjVd(we0N$QGtOTEe%W@RscHd1eAkh*oNwa-sbtawG<MG>8N<uJszQ<CUs<tYr%
z1WsIp*;<>E4had9uuRmd074|b_@K-+vfi3}@hEcs`pRO;)w~>P5`NoT5&rN9s$qMy
zn1}C0<H1vt>sO<cxM9Kp#aZeSt$v|MyZfkn$fvm}{8+UKlCYGueuWK{T!>34=rP18
z6?Ldn-LO*%^OCnfRZOz2bB<@BQ?=7A<hF=2HETe7(6T6V2n<@ni?R*45{T+6bMg3|
zjahiyticH{AgTqx4H;OhwLX--F>_Jkut&V=htF}gr^J__H8QS=PU{`5b+~#;iP?t-
zVZP|sCBfk1lY#2{66r)zUx5h|_Zn)+JpsnoJt6PGL)k;WSH;|r&pk=6trdTyDHN#5
zR}w^r#%lFIE;lK0q-jm_SBUqVCIoPg94SOQf}<}5vL!ZB9{Irb7?{?pEvE<f3yEHC
ziv(Lec+_GxO0~!y*W$1tyRT1OM0HZbx#Ni+szwWTN}i54edDseHF1VD<E_^X&=k$3
zp=q^^M$sI0t3j^asa1XF+|V_M-OC9s!kzlRaJ?Xxzo^ZwRHNbBYh!$f(B@aD?15c}
zT+Z51wX$)aix|5GA`*2p0;_6~%J|`W@6L)At1aP%$wia5VxH$(RrAqclk*UtOVc@q
zO;c0z*ZCMhMhCoip<c}y(^V$3`RQKU+WoJ>o@^mloVv7&c_4{(UwH!1!c)+6k6I|-
zWq+r+$X_3q7UL=BaN-wT^Rl+nr0cUlLamHJZfG!v2`oPv+#Hljr}s(Gf35tuhjleA
zAhVlja<e8@B#+z*2dsL??>0DtmAT{c*lj?d*KDS`*W2%UGh6O*sS`+hCljuA%69gC
zyuMwg{)T%8pIW@bkHLV|OyKrvOu(jruUAsUP9GmdLxs08KFT6)F47M|$jsNu`+SEu
z&Zqym&+$skN*xg0V7Dc&Akz*eiIN3NCe`1!R=Ico^vpMH95a~tNDDpLRAMEH!5m+H
zs%gJ|?Q9OOeKjd(l9SN2-eJS~2KgO>SVwx}L$w?6fJEL4G{S@Wd_EWulVMYm;5OsW
zX_U(0`uY7Ftq>PiV4wuHuoXr7!-cO5p&b!iDjtB0{Ymo5Hkk0mDhu4p1+=-LTBNc;
z8Xv%l%=;knxhk*vPtm+D^OC+1Ut{#yXdhK0a@08N)<@|;&<0T(6eM13k8QDRV5ZV7
z1n#F#xS+anN8oE|Xq||%bX~rAj7voMs!y9<oO|8p7A8UJ34<$K?~`67n|xLi2qDI&
z?<$nK&Z-y0?Lc^A7KP^vJeh%nfl8&Kt)?4|0kXkj?)IM${C5hxxY=tYHiA}YgVn1Y
zN<$p@Ab(=HxKV;xXhPdZywE|tz6z*k;%L7d-%APDrans%?ejM@*+yH8PR0?c5sp4v
zxwpg$UBLW1hcs)*(fin1*DH<=c`NH`EB|&YO?+ftbH3-v=JlC?tuf5&y48Lo+7=X#
z76Nx4zgV*3sNk9hx^TlaZFDs4a`VG%>M*BGTkFsKp!E0Q-GZX)Z2iQ9Lt2+-q}X(-
zk3CLzx2WD?aaR;3wKZ|S?LZ_fzhvhSn$gD+xGLY0fD4D6<c1QL`iWUhGYAXaPa6C9
zN>)eZwLRh3cO)^QVZ&h$h1VXigjdQ~r$_;9ftE=$R*~cd>s!pu=mYczQ*$5#fbh<3
z=I|-FYD022Y`(JeW>>Ln#;$j^$#nI+aCx=q)XL=4lQub7l2%9PEn<3dE{#y*;9R5G
z^BtdO5lwe9)wrW1enlL&ReE_8=E|;~_N<xiDRb%LKh2K6*IzU+funBnDxpi9QCX<%
z1F6WX{sYFDaF<H@*R<J2pZ5xROdVcr_nT`k8+C(SgJ+<&v{10u-2}ZB{_IqTWw+nv
zQg9oA)t~{GjNl^L8>vUkG}(e9eF+blX-e$%OGdlew7%d=bC*Ckm=eF{Kb)j4xoYQ*
zD-z5AO$y?b$`Hx4rvNzxR5bVqxT@BFk(Q61C-Sj(xzMhN67nHyNf>1LN$i*@B;r`J
zXfj>=!;NE40>^G${ZYEWgSGVSG%fPlklTFBr`M2|P*dT^AVj&eUIyYgA}JIFw`Jer
zmzw;)-)%^EH<<0#>n4$cj{j;)k51emizHR{AN-!UG(v+IN*{EgorUIJKt!OCJTj&~
z!{10EIO#w60tkxlZZ&#HQ+_aI50}u(e;nH1D7|1jU;~U$iFp2%pO}*X<b}&A(QAzV
zhQa^%ib_%Nzfx0E|3%aN_1&wofW2s_TI4kU7o?mlk`fNVOUf=-NJvPio3BRg=KP-n
z`*7b9NXKxLMtX)SRH*0_^Y<D2u`&D&@eA@|_oQn+sqnew2Rf5%xbvwcgf!-ByjbM6
z()@4M{;$LPixL3kG~Dkrg=+*P-A}RR%<lagi399&_F>6Wc9|l%|MLUj<lg@!N(GGJ
zAb0HgUkCJ0vJj9~*#7!I-u}5A`p<=h|1ro52@<lK$Yj0$_x1kAXLOPSW+@bN_Fso7
z1x^oDVdirE>&XxRW=YL)>i>S0?2xqV^#5n^{&_q6zs%xw?^rngl?CwsO-9e)F=Vpb
zzz7F_p#nDmSk_2dLx8UIKezm!Tv$#HLOiuxn%3e%Y%IQu0oSzp)&9_lRpwpz--gG+
zH3H$)nY(|{M}NHE@S`9=^-J{H{o*-nO6?%xb#MRMD>yp;0UiDUD{+EXAECcyM5@vL
zd8>7Q5^P2lT0V!^7I^($TY{y*y&UC{{zu-;p9e|i_fG5UN-sH0mYesRJw=}1krudd
zg2F*UG7kt|w21%nblwSCA^?E|3hkSjL=-OxA`oXdfET36rL{6tLK#9#h46hQ+0wnG
z(dzZOS;hT-u2d^2g1jK_K%9_LlILZI9}oZuuHXdmFw-QV;5%B?$6@=)3kLpH(*F1N
zdE#x3=115pDa!FZT*UY;xU<qHBP~2+VI)Orj1fz4e~mAG3t;5D#=hHsItB+0C<M_6
z8F!DUDJhAiAY*Xt!_p_*Kiz{*j{KBr%$<tfWUG{avfxL<r-A1j^|N*N`x>XdTS>z2
z$@H}b%_$5(BU|GMA{X?tV%@eV;Ne?-H1Ww>+3Y%e^hy2*)0XLmIM)o)`oSS?Nefpq
z4<|2*;Y(kjK~_)a$C~MhN;h(l;c7bvo`O{Zg0xjk=l=IHH{*um8Xn&p-XmG-YoyN?
z0Qb%5S(|`0XdP4q;#+Eg;&nDbSGE!$J0=$6+!d;SxC?va`M|y?a>(cAV#9<+AQ8S|
z8paBOW}v%C7S_@)J*F$yb^$8*p;oz6i&8T%5j0Gly4cX&C8d6<H1oI1u-lv6ba+aZ
zGt+VN9NM&BHc@Gm40lg<ZYK=H$8BCzB^&+xCbJjy0k$qaz<qyb+#)j5py_;N5IBSq
zV9jAqQr|}K#n<puMzsZgRMN>2f77&GxMQy+xLWPqZ5F2Z*z9M;;Al>-dMnm=#2<#l
z!?&C7R{^ez<8+&B)A03}G-}!r)F4gF{3gNg60Pom-GpzpREA=Hs3ibCCqN=c0Aaw&
zH<{f*WTcYbyu}hPkh{|8E5=AVKe|0UVwida41&qA-B|qRUlz8{;^WHX+Zo%Mi$ELE
zV5hyAaa55QtobdP=X|$UM|lzxX?z|mN-O#4lDry5pueNY`@<OcPT<QAvJ45iP=b=Z
zZql~1E&z3p(J68EdS9CT_(5}1&hmuSboE;U7d+0XtwcHzZ!af?ZW{2mE@}%YwZeX1
zK|3|QWRCoWp3TKuC%{;F$nr>sQxl;usJ$4{@j6Mcq`Bw`Q7VoDU2dAtwj%Til<KVS
zjoQe?bG<b7eE8Dl75l3j0+z}M#G)`FpBjJ|8bV;q{V@~!oc1Z)#`j|aL)HhcC*EU`
zMhEguBf$^&7bUPWBIEyIXSAb0rc|D{p<ZbC;VeV9q7#UP=NIm@0f@O89TazfCG57s
zplHeh?#HG?0^TVg4!h+U^JhQ2V9<H$El>V6SFObvBN2~taZ~?ceVfN~j(4<*RI?`O
zVUE_uNOQ!e7Qe}(VG*pRCOfARo5fadeE^m*HHLPndht~r6zI0Kw*2}=<b45xne0~N
z)jf7fZcbNYyjq%OfG;d%d}Q(Z6wuFV`wNpZKyM8PGrfszey?)`z~UFZJ7Zx3=U2Hh
zO)4;+j4i4oj-#og@*aHox`2^q7#!Uy`8<M%qmO_|$F#AC$NS3EVzD)QYw*`t!Ec7u
zs}(>+HMLeepZM8&i9oCqs4E6#xpLo+7ds`%q`a5_F#@M<Z1H^$wo+Xd(AlJ7MuAlV
zxZO0bx%VauMvVp$HV|RkMG~!ZKqK#Vw;;n|6gW1UB))*ulWdt!FF^2Ex(P^sKI;Db
zbG-FF7D+igS9?EOn9^F?@r?;QiVSZ)Vfr;GR!vx&bvZCNawpWpw}#0ir5S-u@nc<Q
z&?6;PQ27UIFEIFIf%BifIrt!;9z`xztXj5HY|t%xI_Gff=%l^<Z8x!Y_S!_tbvYO4
zJa20OKMix%@;W(Lz;#;btYEwiTnGb;SXb+fdy?0$F4uJG!xH79+KHUr=^LN*WE<o9
z+k7T1H`s3T5w|+YMxN4XXXVW~WDMg8>ld3CSTqA41jRI~<mV63Q*f~k_TXAu574*P
zOSy906qpEGPG>^Bxiq{g`o_YytDN_^UFi#u(7dbPe&s*tUO~IwlToQi(ETx5n5H!k
zPkBSE4qLEtU+s~*a+}C?;3(2=3b&eW?4t6yXaM?Y4sW>zeX&`BqJe|P6TS)NR~B`g
zJ5Qf4d*91XRhdjrfOB5y7S!ol-x1<-B~zDRqHYl6aAF<+t_6~QK>T#NH*~`BKK{9;
zIjQ$~n$=?Kb7L5sn1!a?w4W&g$q1DE0?(%<<4DyBgXAilr%WZV@CR23k*+}FV!K&>
zD#;12R)u~d-04)yy#Qt9g@6FK!I}ESgW3{JtAS5)UOu!U)r&G3ZGpUQhcifoTD#9<
zk3ACkuZ!f<k>d*F*53!Wu1x3jCJrjlq{Cy*UPauD5o?B+5S5TBsZ_Uyo$!FM$RgG~
z;K3Yhul`n$fx-1l@tW2;N&;HPO>Ov0H(!<yZuA6Zt)9i4F;2#tODwfI>k^{TwrZf%
z4+t@xIkp_-thbnC6wujnAxTs!9qd<>E7|J40!d_W@^P=Kz&gwW{B13O_Zk<yR~LS3
z{KP5A?$Z1KA`&|wY=|Dq!#8W{U!ZHbD0gVK9OZdFu~SYQZY%clTbL*6J>+A7oSd?@
zn;A!rMu!bXZ?7L&VtZeoiR|{#msOXg_EdRZ*mG3W&)=N2jiDJE6>8R%CZo@--#neI
z4~^#<{J!kT@z`|`^;N_)(6^^xd2+!f+tO;^V-Q`k6seX$&rs7M<v~Ml7rV&;8G@S~
zs(ZS#?f35QftA@|LZYBszSYw$UAJ2pUJlw;qmGq&HR1`!^H}uy%6{e=Z{VnLGMHz9
z=NpxocLu#>pOe|9T%|E{16b2Su80bl4mwNJAxG<8HiTTNF&eU)Z?<=-PX3~YWmH@^
z-@uI97Ua@~xP~CYND}0O!0@{Z0tfFG6$^d+ChI6s^MDSd)Dac~H^2&YOB`LVQHe86
zt30sh!cezAkYd{VO$cw;+qa~fN;MBN_i4Yvvks>0D>_Lk*Yde8k)2vRN`6<lSlR|9
z5ZFqnhu}!XBtEu2EaZIE;;y|z#cJVs4K@QO!U>ovc;30{Rjur(h~}>W#Zz347sUF5
zNwu^YZ^j(Pi<{5-Hm-+qkh>HW@7vTydV~XB`O(P7{j8tEo#uV9OmkvCP+Ss<Q`372
z1ntZ=sCIDgE_l_Y3+SLekxa6cSp5OfS(ye;@zwC6;>Env)J?=3vI4KmeZ>%E-C`Dc
zRsLz_ZL6fG-sj7D8!YyfPEdO>d9lr-?IN4<Xi7=0qB&pL0JV)9o}pjlp)ALn-Zjb~
z-HvcKz5&(r465q(>qU!IMIXBIZfhs^H?=(i6XJZTFJC|SEUCj26k9g|5)`NgTE>OD
zxVgbnIhyrcPuNOJD5U~P{akXRq+$mtndQ-iPy>J+wCr2}R~3X1L5I?T=EdWU+)7D6
z`<E{I&(a->9f1NGhYKytLn7BykWEQZ3_1JxXhEKV;CkG`<K*Z^1UoJ<6E;E}LcnLv
zSGV7mZov1H;~LXXsooZ6-<#WIu+Cc<?JW6siW(p5eCkn5GmS?$5mT)GiAXX0h75M{
zY~P<!g)WRd$@jAYw_}IwuN6w+vL$YXib%*djiGO+MJk8}t2>hcsg7}Y=6zG|?%GTN
z2GV|Ge825&msGU)@gUE&bXN5s*IJk~+yP6t06X#MLi@z$q4V<_48i*;5OgH)kS5gM
z2CB~4<DAXX5;pMs7DfppLQvpT_YHP1=jCBo=tKO(KK2F*du3C%$)qwX5!0<r&w_mh
zhgbrpn_i!7tTwCJ#h*NzvV8~3q|=lMS}Rl#3^=H2CC3}JP0wf8b03OO(^R!`@u5Vm
zqGLZ@K-b%)!n-2<!1Gtv#=`bzsf1D}xsM;#yWG#4Ku?uN7<z??W7Fs{3GAi1Ccs!c
zPkf9u56O&cD&poPrw;x7)MdOoe;xNIGpFenJVIjr*La|}?S^VRS7Q|^gGF>ED<H0u
zHv-67AZg;A>OeKX<TsGQH6Iq!Kc{xun!dU-czL{~cs1`WBj|^}<(}zI&(m)5&Y@1B
z5Gq<IEL%Q2zcb(DGHb88j^}fmu$U+Dp5gg|`;M|rF9i<RWm7HqiNrjnM5PTS`0j$Y
zpgXTNHz&8Q{DCUiK6|Rlq^>G$TF>XAKU+s>gdbNLfu2Z4$H*<Sl5({_RVJ$+^eEj#
zVyF?r+ZPlZy^*9--Pz{mc%)8erqFEA?L73FK%^4+K`|!em3VU$lANo8xB8JOLT+zr
zKn~b_y=Ra$Jb7uSZ+=@~Gv*@+!n%%K7EA^{Z6^RFz^=6<>#s$Fmaal3mBeik^+!D`
z5)u;%N%)vf9rAjq8NHu7({8SH9iSfsTnR<hf6(*_i$H}}7^qgj>gVJ#U~(>D0jzlw
z*SIy(y0%lA#Reb8tsiDO=n8+1?o8N8u~lOc-o)`((_HQxTa!i6YC27boXuYR(ISB!
z`*2X6x{_wA=`vS7v*XQd*<#EHgNekmP~N@lPcPs)fQ@KxlaRWHX-W|c=CS&zAC_UF
z-U(`ylij&eKDA&>W^P+44_?9M#RtN!o{L*Xqf~oeYq-cVI0(z#zvUTjD9c$4*hXP^
zJ!o2Nkvr{;KH|)*qD2*)C;8*@naZMh8))lu94-e#mT(Ga0)0LlwoOvGom%3wZ9Tb3
zfeqQm`^|>Oi;2%NPYB~2y}gdUPwMn6HaL8!!;Pl=bWRIT+SH8hO_FZY4!c+u&O)R>
zy1pIqNjo*DIkng>raze-W>*)N^i+Dn=N^FfCHZpycP3`gtBe@D-wZorXNGZ2!~k-&
zcvn?cDv`QQo0o?<!+q^f=K61%oUL5!W(1Vdpu3Xj<|C`<ZKZFr-=7}#GhOUg9=|c)
z6wMMu*QhtmB=oDk0Yl;FV{KC3<mXVc$=`OC-pE5tFOzhfyV&e%x1DOIju`d3TH^5i
zvhw<*hq5T3YNkheB!^7A@<lY|N5*pj*e->Dkkt;APiP7mxy!w<68FGvX*4Y+WK2(b
znsttyL?iE!qBv^KGa_|r(`J>KgcQqOXl~9WWO&Z@tCcsGYYdMn=n-+C@ZdDzAmhsz
zuIkNcoeyHu`4GI<uEE?s^>ETLy_o_;NTie-_hq$CJYFFOHn-<D)&<szmeuG|#(g~|
z4O-;r(<rpVUTW1773_BF<(R?)C)^ds4?4aoXM3|Q;+An4R()+IL#6V!y+#sv2V}k6
z^b``^*d?uMMj`pdtsqUOL8S19p$?uah`Lnpw=9Ew?~~qf-j%)<z`V2z#Jlv%Ig+@>
zvCu4L@wfLIQtN(HG(U4Ysp}&!q*|;74Mndj9eEJU1oB>-J9-6L9wv1XrPeJ=bdw1&
ziG#db))vFPyd&C@)BA4sRD5@GsE#EyCK{gR&?(EFPLK&TGnGU*lOTghy3HFSo}IH;
z<h@}Iq_vb;H`YMp`B44i&)W7sJidbTI1*N4Zuk(?jAgs_<EHb=9i_X9ZYsrE#wDpv
zQN<UrS@4y8-1~<&^%imZsj{R+isXE>!=jNotyFEb0vXga`I3Xv2f~`>q=Lr8DP=mT
zMjKjA=5tVR4Y@%k2-HxC?kT;7ww$$(J#1^CPwymCr$Cap#Vd^X9jBL#NF|pR{iE0}
ziV4iZEi^^T%Pf2g75YXR$WHnJKI0v$PjT*q6rQjs@AQ`@r7!vTXXnQ`zbB``4T7@g
z5-mK;?#DFy{eWF0pxq)D^s$x{xIT{Y*_*DKWZID-lo6VNC9f%#Gkz*ZoXz%v&NYnM
zJfI@|aachDDmg(}a`|T0U&G7d#}l1O2J4<Cxmln10c&~0h+4Pk9TA#+8iZ%)9C)}B
zs`VK-buW7z%7ySc1$%yQ&;L*vAeUifHA|2RVsMG|L$%Q3`>EQ<fy%fHrD?xhayW{Y
zk(Hm>iJ*N{RwHw_n238P?;t1m@<i71$+p&aAlrL~CuQFF$c`hxB>2)R4eg6pU}#h}
zC#Sguc7h3D_ZQ-5%5#EM-f8u&Dp2jv@m(Bdg)*M_)?}|?O@t<jrhY*Hf|sOrDr#q9
z$6GU`YedbxaR{Gy#dfH2-ldQVfjt_!9PX_j#BMudCqXggVXXekE#4nzZbvuiEl2NS
zvZfkcpD~az2w_7caS?m{d{YqPp5kK*iTUvl1l^^i3)){6S)}F{LrNphGDMAzg7}e%
z%Syh&mgvBB7CLR(2xmLStg5O)tJ*zIS>ZUAc5zakY%{TFl%4mm@JD$?vV6BAg4lMw
z*CA$MQLq~!&TOY<R&Wx<B~vgZJDV@wmIiGyC}6*_Ci1IE5L~+)b=TfHtPA0cNv)Xc
z`M1dX<QX#OvJ~EE#V;eTY8KZqoI~44I}Jh}5;7;_!boO*wrU35vn3697Xk|yKYU>;
zKtEv}d_8|2?>mIWKP8l&zVt0fSu@?|=AjLHY(yJsJ<Ci$8`_*p@?oDxCqt$08eS8Y
zFSO)&|04VF3D*&9CqJco{*a`Dt##5C?<>d;B0)`h---Z>BE#hVsq~gKJX3&}+c8qL
zyxSX6|LNJQyqE1PX~Br%?+_7i%2kAH35i$?#WRXadDat=?cP+SajVZ=DZobV6<Ezc
zw<4Zw^h2@6o!9!}G>$FGPA1gpcz3^$=j*j2pn88M!+i$gRpgBWnzk*@53nG$-&`NB
zy7mpDUq!$_U+dM<D(#RUVLb68^p1|Z_k_`r52o|nPo5M=VQbZ3KgIXEv+}ulY{w}q
z_#Ppl8l|3Xuq%b_Gf+>)sp@rqd8q%6csCPMjh(XuiOg?zu}#&V?du7Oza{;Wp!kPS
zROG`Tp*I<VLKUZvvnp(M*)C_H$~zw&pZHU^45%&Ib<eNYOd^|WdLCsDs69p$$?*FU
zQU65TnVr~DuU(%SBV~ia7;Uc3cE0>YrOGqg?$25cA()<TjgEJ#T3E3;1_R&u`LY;~
zEbH8Dzvu6Pp0ae~f2Tu&67jGU0%g-fDxyU(WpCfRZ$#nBpg*xhGKK%SRnRDl4?F#Z
zDe@4|IeC=SfH<REW*6Hbm8){4k`#>^_hFDf(ywo{h7)Q_%3Llg4e`9c6#af5Z-#hN
zEraC;6?MPh<fG5?H21BYZIwmJ%{x_n&-KLUpS~8>V(8@R@UGu@Yk%K|DTvKqi2YMG
zACjn6zz!bNV>GV>Vy!3hSTtR_`Z{gI|CV$S2a(Gque0^TAaCnF5u16|q6lJ8H{U!3
z)J6i#wVUVf=x3S%cNBJnlt7`DO!kZlr;|Bf3}=pOIXut<3x^;D1cYz5RChu}GCX$p
zriYRRCpQM5vvOP!x#MU00l7o<<=-mHa!Mbb-6s&kcKSl<MLJl6>eGMz(G!GtooQ5d
z>3&qTd#v*6b>|wvHEnUja2xN@Kqy_(3O|MQ<4Y9CoF+`We9b`$0V0SXiy-?91*#tv
zul4qEK=LW{xNTsen-?qjaVSyDUfR|A*p<KcJ~e^_PfXc(<dK@>qFf5+8<H<cecLae
zi)|({wbPmOSZe8LW9)vpxksgY<Ee2By3<mw%h|Z;d8v@BjO^Sq1JOon?Q8FN(RD(Y
zV@GzD+`#ujB2`eo)Sw|q?=RdlJSp6VkliQ{XPoVDsA*%dTOZeVbXaBUw$&*O_^MR`
zOLk44FC`iRDTOWb2#8*Hyc725#Utsj<jD7&I?;tJNs?bg1`>rkJ@4>FFMJ*LB=a6R
z3Q`cgzi-{cfO5p+><DKzuS-l86UsbP1ghK1op3}IqFT?UYsF%WrKI=DJ>@glGtA2R
zchu=+lCfr;SjxY>o3C{koJ-u^_Iua|44!131m=%X9D&b)iCb>`4Erng#{H)yn$uvp
zr!ZPo!a)&!gxszdP;GtvWK;s-d7bsV>`bL7QtI7%?}Kt*ryv)<e<!blJm8Dl`Hr)~
zv*R5RIhtq#;IuX6d_8aiQbF9Cw06p539OeM1*wopJ~5fSWKxaHHpXw9U``18Co1Ya
zGn9ZOR;w99jI@vArPxIex_7+-*o5<6H-1vp-7A}HwVWom(TahunOlazk2r%=SN5OW
zt0A&_hi$*;^}RWs=jS&s=))IwPf-^yK9IPJc8Q}0*vUO})K_L~Uhg|YF4a7OY`XTx
zV-*e~oE0&(J}TL`Z=P+8veE{mUKS~-!1JLKKf8E#P$})R{|<?yv+(BL0>QK6ltd~Y
zqM)Gw{LTGuXEtw_JGd&N)nEFn3EB1vr#uRh4kd7dwkRHpO{-C2ARGgTKRfHIGmak^
z(;$%~T(F$B`kZR{fJNTqNaX5tFMqe9y18qSKxdHEu;<Q3cmD#DcB44rcg$@nkIUo7
zThs(*b7aS)*q3^5rivyl=qwqv8>e<ok@{<Eaqp1C+v0ump+zfmWCh~l__jSxZ8w|^
z@^-IB*H2WO19CqpqBQU7*ZU)ilVzcbHev@Pr^^mR{8WT#MsnD+BHAJQ6_9Q$Ewjis
zR%p`3RGd>f3@f7XVm(yB?^EJU?wufO>rLBv6LTSI@%#a!zE3d;$!E1xr?16k_ISqH
zA248b#q}fdfn+HHAU%jV>{^S#r*$MzVz)@CAo}sm4J=RV!v6BhB}gjlS2*%AnsCn^
z3^#Db?(gL=wZ*F3k<{02<SjK`qLxh=KE%Pk+^f4a10~pV^=P-!#?S3OPq4l?tPjMi
zubZ>*q^Qa?f<V^Kb{{}EHsif_;VkEy`9+~1yHSB8rEQe^oD?<k4yu*~f^EbW{R-Ng
zez=4{P~zJrrRJlVNGu_fRH*PNr&d0<qw84nuWvgGKLI+LrNO2rZ-!UQ?0&lY{9X^z
zlh2P;C@`Q6L(R|c5#^f(coV-IRk5wupswl4Ae{W9BrI=Ozc5v+_r>OUQZzS5#m|Yx
zo(JT?YyN@3VcLc!+xKd!Bw`56gYQ;6a3Wg=%+TzYuFv=TYbb7_+w8B#C+qEwApM;+
z?Fi@ub*-q~ON>E+3&4@1#1RABI0dGL_so7ioqKJ2+C6cmR&K;yMmfxOX~BUgQvbAL
z9Ch*G+y_BaH!?kBd%SM8CD^K*=dqPRMx$rMGRZS<Oyo6Hif83)qGCR0<Wp@#SE(5?
zwI%21Z|?qT<UiN@q=9jvL*H7Zw`z!j^Q-`dy}58X@m2uV#BTy*e2S-Y7FA&h`-8a~
zTSZ<NOTKMyiB?IaQ@s#7bvj`c*LwOVKht14_vQKf4qOIw)lCMM_V=QlqT6`qUL!!3
z7!j5sh`FLXsHfHqlIVU@F-@~;jQTfvhWtNXA!UB2=sV|0(IX|9Qy@p47CxYG>3?3=
z^Ko+DJkRP3X8m?M<U_QcPqXLHh6yg&U0hqdyXc5b&O2|vg(&-%HA$E6iF(E|;3i}A
z2T^1Syr)E)`{dd67`+FIa~FkKMel97Ub|LJGfHhKXvx?9RD}VQ$kmvuZ)pRKdaqHP
z+bbKM7?BU6FeE<+L6Z8&uwL%GM_2Rd!ReE$H8iorL3h1hfxdeKiHn>r`MqaqahNd<
zgI}O#zl3pOaN4Kday_(cR5@#}OMh_cE|S1htq&R~@EB1lqDwyJNE1U?mb|0G)#A}s
zXy^5{o$aH3r01w#1$w2fxGvhWrp1P^*~bQhg9B!=FvNK0^@{y6CG^TQ+uzS1_~YRB
zk6H4au8e9gA6F;vZ&hJnkOUZ|3@3_^DRoyy+cU@-)%ukJnK8CjhbNwB#*}tGZW#4y
zGHE(3@<n!s*WVulUO*`XnR~p>VxN=W#YIs?$i(;8!V{c1TPK%|e5ryR-VH^6>d;e%
z?oD+UKFojq`1X)51ux&L)2O4CD<(gy8{IpL+M~FOEB^TIWQdULQ+(eP*7G#@_Ui8+
zTwp1VN9ou-T}3B@p4L|WK8Pi$CGJJyE9pPa>d)iCZa^&8NOkCX$q_9G8<wSle`}Bu
z0=_@_$zav|KMx+V^x=+Hr@p~Zg9^4EcEG8aAAL&tY`-@AZ!!?cJ7hkdCH?0R;KxGd
zity_f;ddY!lzxx?So+(?M6G8jWUu74w2IXbwIfg8A^k)`x((Bl1z%c+gF?iNLhPcX
z6wBqq@ARGP4fVD$7^Z)Y!?Q?PBs>&q*9O`j<UKMjF;>sODA4+r<M`|A>;EtI-ZCtz
zb&ngS8A2F9T489F1}Vv*q)|b-8$m)!8ipD~1*HW+5KyE=x=T8xyFrkUZk~JGXYaE;
zXP@i+^n7`)cVF{i_Q<TYX5F#w`~NGIe1nRTx7jQZ;6e~{vslFahmF$lj@aK00PeXy
z23|<?QQ>3Uynx1|;hzJF0a((~F#Bd0*3+OHWY@2A7T7Zc&gtLaK-^;s>O6iu_p87E
z)euZlWuMxrR_uB4q5|~sf?rSt)1uv9ZVq2?sG+o{L``o0{R&P-(<UPjG1L09JN<S~
zr7&#6P`%5A`zgzR{KLQg7y1M=hV;t>^8Y?G>JzDP1}WYf8<PY^c>i#6@E73xE$^b3
ztg!$2@KNrNdxT1&hX`%y-#f;im&?Egj=zZ1MgQl+XIuxDH_%fv8~Z=5uMO`WA^!i(
zpC2`+XQ(t?eVqSrC^!E14*2JgV2rC5APXX*m$+KgH|F$Pm-wrHL1bYu^0!^d2xL=Q
z{~AcYy{Wgvx`9*iBlNS#Ki^6y65MGi*Qd|_`63MD1I(g29d0Da{PT?t1Py^N8}|R?
z$zd|WC2TUGs3G>4&#EitR{V8JN;@!WyFv(7G%_W${zvCaV}%NuL4)5JR6I!<9d%*s
zOU4(V<dnSCp|JwAXE!04_|E_QRp=uO(*;(X2p9yu()%GLmS|1-?Z>2Fo7~^p^j8m=
zl!DoF1kKXK=~2LYXbIpq?%YXop`3~S`*4<$g|<a81cg8AumSGMlm{CxA|vC&mxPOs
z>YxXYO)*hNomE2339gw}mX80Uhcu8V#Bbh-257j;l$+^-LX<@l%*GT!J;!EdZm#Nc
z*23Itii7HxPVDH1dz%h5GXF81WbmPv;lb5>pyhoMf6UPqs5$z0vv}jTQ_aet<(oQu
zhV0m;_{silKF=o)0((yfP@u8_idxmO8m}6v?8AhO-=8$^@WAZMoS|TA%{-}G`U=e8
z$5;aq;fn!_sqU867Tq+D)ly$7YB312adB~dbjgK&ah#FZodlCtZ=#sz>)KXl^8xB>
z#H<Zv!WAR5DivM7cXitrQeU6HV!&Ytz4s_zGkJKEzaR{pV}nc~+?~`u$H10)Fh^T`
zw@36+Fi&67B#zrSe+%G(St^As1X?mrJ%iIsoOyq(A^&r(krF0dovJEph-jzM4u=mj
zLiCYv1t;R594gXghSQGtf&hq|WX2m9VBm2@i?~?T5M6*(5t!nlPOzY~^Z8Yul7J9)
zTHo^(V@nrjS<H@~+9qvta$7=ZP}Ew7$P?d@CyJ}6PB`IM$5dgHm<k&E4GFT&O29bj
z8B<=(NGP8jOW+sjcUpOG7;$PI)t<Xs=~ZOdxnBqDE7*ySGQAEagDHJ(KrULaZ=3l7
zE}Tc&NQX3p(X{^OuzpZCNQUpqHxzB*d|cr7{f_$&s%LA6Tl^lIlOWe>$_m&5FNaX3
z)cr^%XZPa)+4i;ek{-V%e<cVij>L6suw^S71QZCAO=(Sg1MA&JZRW101WJplAUvw8
z=1_2GDfn@mRvz7Lp{bY|Kb3>hCrh8Q98=-#65J(fZHc=${Hxt*SyF-0*$<a2_Xj`T
zpFnXHKc8Q?gWcW07n}aCGYp%kHHQq=C(Vj)gj77t4eR?OxLHT|@6*#&QY9Q&z5L2H
z)v3?qnT7UOe^&4PJbvv>vkQh$d4d$+{&ay%F%=+yWHN$2k%RamMW4d=iX2RiF7y~6
zTX{TKb})9FxpUDiLXAL(XTDWOBL9a(9@FYB=^2(KbzV>%6a=dXez4sW0s>0hEZJ~U
ztJ(UPOPj1cJ)o1b1WG3ym(58L%=>FVQ>=VX6C~EC3Re8FoPh|SBl*GBiw}tY`aS_c
z-y=ZEa`Zd4^j7$ke=qIzSh@4til;x*<5EQrU$FXLAgr1~Q#A}`fRAMtk_1=7$M2&$
zK=suDL+Da4jQEmn?bBHtaYP14+39Q=)~svY==p5PPBobdK4{14ICK{(16|8Dq5fpw
zt~=%?*}yjW&H!qDsFy^CNEZ@*MnEO*nmq{ts|V{m9~hblnZZ|+V{^mSC}M8#@1zLJ
zs1oKUDIS?yqOPm&r29UkzPt_a!p~wStM5sctF|cKP#XWR1<s$3f$)eOGdxly`$49K
zyJf)lk%H7NpR0VuR^5Vt?;!+OT_22;YJHAXW@>#^&b{`#6N|08CM#T6E~Vbi<?EGv
z68mwP>bX^OnE*6%2`BsOiK<D0;Y;f3)D|pXc5G*AYrrxpVenkCCKUA0B)}&!vUTy4
zK&=Frm0;#yZ|t@)8LGCw&XippGX=qI{$?baJ$C3j1IoUGL$~f8T+_pm0Le(5KY(kr
ziI&I3*;p1ZxWM6W1+D}F%JF_5jsdUE6!@c?6o!ayXDAwHuimdd;>@zh9<Z82RFF~)
z7H>-dh;RtswkzS)^m_1ip>;18W&;-9yynLEzAWsP2~V4D_0u#F=lSxR8d<qw9D@Q-
zzemcxY%l3Y)+cIxBPx!U)3e|~-rYd?R=qSXG-{mLas9KHi&wG36b--k0U;SZy(5q#
z**l4kW!3<8#E@Nr;N#bO-FNo~L$7RUm)%-C|Jh341#AV}Bzu(E9Be%uy55iA_x}JM
z0Q{6($wGynrG0IhKw?<eYnGYztxgAL_1bALF)E&%ku0~plKheRodQFp#_Mpk0>mKk
zk+Hqx|Dg7E(7XTBQqc0SerE!ie+rLsW^Rd{_PU5+<yn*c*ysL9Uym!guSJyTGP0<3
zk<xzNdT$aEG?sG;z9!80O>E_TaGGOey>n;We)_ZGxK~oe<;C)j_x?+RUF_~}MdsG+
z{!#_|k&;B6j?;Lii{ft`LH8TrK|jk&Pu)><s%x1MZDfkMsnK&yxKN!{p>8l-VQ*nI
zXPb8WbSo@F-8g-CxAgg^hg$=FN5E!o{P6MAn{5$_<9l2u$)qewk5VPAdsJMuXVEz^
z+};z*Jq=Cu(_`WKTx#I}*3$|w26TLBu5fCAiD*e&kOsqa2pQy|uUn<t$TT3QGO=I)
zew2%(=4XYIgZscY<HN6d2rLH_%K$Md7F~v%T7@t^?C9+>;F<76N=}beA8uB8iP;V3
zTFnRJ?MTf`pOrs~CA@afhL#<6JR3CUC3fdd&P`xLUztJ9t)+s)6QK$;yj|9*=jxFY
zmmuZJ0p-!i|9IS$-|y_{)OnxG#)j!1SIUe995Do)qo>RP4J!90&{}8TfB&*F2gCu$
ztpkJN&xw4V)gxZmslZhBCgU>*J>!$x_D@q2`K?2dle8*i&P=yhq=_FWlW_DTi#!I>
z>U+URs@>K1Q?7ORxA$qOk@p1Q%<viDLn8WvOC!z9lEhaG6xi1{`sPTe@112K<kO_(
zG;O4<kk?t5^Py{RIS}6xi$Abzy=Q!45pAB>{erRQC~Iw==3&{UIOB3IRAaG)Pvo9V
z@QM7JD=S0!oQ<`F?pZ3-jwWeX4LErAvsxu44c8Kd6WD^X<fosC3K!%f??d%#kIZ6-
zf*%d%zFz@%W_Y&D3>a5d?kr;xKRr3v`z}sM!rh)Y>+o~CDbm&(_yXHKS!`n%PJb()
zTvd8q6+|0!Kd08{c5rrfm^d)4a4cKpZN3ad6Y@Q|N?xQ_=8$7XjU|D6P|IahcraG_
zxHvrGMXYya=VG^aG!jwvNLRO5K8FR0B?8fhp69}rtF>y`z>_2i3--gJla*r0zpf9L
z!IXs$c?S}?4RR{&jDapqTpXAcsFFN-(#gN}VHxC7zLr=RC>B1siIg?}`W(d;8oa>r
z^wrp1e%#!+%Ux7?snGI0jBYK%Eu9`1^#on`J->GRsyVEa@!Z8|=G$>1YE52^1%t?a
z?o5a<!!i6^`*YgRbK$B_t{k+P2`OC&K_pS-hHh8B$(F`e_X!4`DTZ3PQ`WnqgaFau
zpQ>~die;bS0zLw&Nx0)5WAA}U)}rqLoYNoJC*QZ#pe-SMG*Oz@g`_P0(1|u%ovoV_
zCpPO5GZvL<p>?Q5tzbx#@x^XLYga8rOwmuQtc~MP3#goE6Q@*#6}BnbgixyyCvu3%
z0c9hO!58<<Gr5J4`gt7w+CrQLihQ$Chnd=kWx@{M&W>F)A#ZripNZViVum{RIl^@c
zwOFFr{PVPK6_)D)mKrsmMF5eMJ#{UY8I{S^TRNlbj5zDpbxMFnPv{oaoZee!hy3X8
zON!C8akVbd$B!mgXoAO|Jt!qwIXLL>_$UC)^#V*e3(x=zzTOWVDZUV=Q*uOEb-&4)
zSAKa-M1VLq&?FrE{96^ZZu1fk$GoTe-{0+O4B4$th7v&1$I|5p7EkK>?2L=%z2Bm>
zZ`{rJjNNbxUrV?!3(<y?^A5P^ePkgS7x&mK)05<g<5@5&n%_9keET?Th+^|5)-4@7
zco&@3cY!;Nj=lV?sE1Z?8fVsznV&%&ahwIivPWt>ufVpJ9$iOO;_|F>T04v=(vucl
z8NO#)#EA7?GK7GK^yFo>1{=+uC3I!3)Gl)FC|CE}z6ZKlA0TvT?tS%3>N{jwmCOyi
zhjY>iwiPE;5AL0~>RgxB`C2qq{Nc33;IpOkuNn{x+Kz}~*F=Nd5rljp_sPYM+R~n6
zLOY+JRiHU8>NSTi;)!i|t0_sOig`Xz2Z0Ov2y{Gmt4@l%R(ra0*kyOpiZgaS@d}8#
zwQ#zpX{F#mmc!61Bb@s};%vL_jku#xugYCHl5n+T;j~k$o&?i~*Yp$DA3YBC@jsh$
zzG5?y|5k)+^9t~YpgauzvBM;y?^mBnDHQ1S;81L<!splWT01&`-{^|L=g-!?iMjI(
zRAX2KOh~Dxv#BC3pKyZnHOd0VxEL`fub7+%QO>82Sr|5(2$)B=%GsCUGmd(kxIQPM
znZ?1*q0*@U@p(g4_#?nzYsiw&vo}RNCx~2UPq^Spt3ASQD^k+vM0Kpnu`HW~%LeKY
z_3~Q9AS;qbp^&H1Q)tGZx&Bid>xUA;V1Xp?EPT(wn}8?`n(cJz=3#wn)qZn+fZqQo
zk{qiaheAYfW2R1>lA_)O-`Q{0%!({Qe_iiKgov*avF_m=!jq_N>NpHRaxR}@J;Kq1
zd!xi26+pnNeBC%)&JLS=;jAKYl&_oxOd(ZRu)W60eq#icIoXN%gwVT!%H5tdGjg5#
zd7kO%e4jdVyB*7fDK{+vp$Sh~f+N!Fz-OpJe;0lOA@ExD=&h8m3To6rIRe3RA3JG?
z{Mdj22j0b-wKBsS0KIxLGff4DhHO*Y?kt9bd_H0>tJ<PapIzp|T@d)doYgpGCSk1S
zlTIe_JpQJke1v{k50HU(x)T}As)f3q?<WrJ(Qom-YaoUVaMzus7r3mL?ekxN-#LCt
zhe>IT@TQt<jsgqSJpEJS(}Rs0IJ#7muhH-_L@=O3j}a48vbcL;`pvIxmOAKF0K<2P
zCGBn`W!F2nuUxK(dGR`hgCeM|4SBWD1(aMdxN47p3>^Pt>t-&Bq88fZ|IV%4amyxh
zqUlZ)JQ;uQ8<mrZlvxYZk+qc;vgNrmxi}TAJ)Igu<s|sj&DHflxm9*jTG~^XcvzZ%
zvS*)8eeH_Q*#dp<Cjk<KoOv8T1{u)RgDgp9*^>I`Ac_eMcM-EzxRy4p!0X?B_+6O^
zp)$9M)94pPj(WPMvkWip2A}TyY;D?LKs{&~1JIgH_T2siqxG)X$xM_<!#uviWaO_k
z@o)B}1r4$cd-54{B~$zq4o$H9qgjvvSD3GO6fwwPNJ?VgV!IaUnRTP-X9rn@6;d+Z
zpk9m-iV-0VL15oEyIGVV1D36iE&<J7KpBKURTndi-UnXWyH2fP`(cC>cX}+$A*RNF
zU9{H+25Aj?3MGe*4RE&kR4~^h8FfUvU<vy&pevicWlA1=+jgFL7kGMk83Ts)ZPldP
z`}k_%6!n<DX6RVFWU>7ZdN1q6@ew!(${8maE;sQ;>!h_IJ7%prx`VH=8sKxUgLTBY
z_q_}k*6X_=6l@8ep(dD=2+)Z=TU?N&P9dMA3D*LKp1F`0fgGSWI?m<@sjHNfY|bN(
z9__me($cSu)M-zBgm%#k^H(vayyR!#BEh)>jer`^<lB}TK~$YcfHojU$Q!tQ4qmyU
z^#+-VUW7eQU~uD>c7D1vDMxgQZ)rSE??KAy%9SGq5U3+*D+06#Lk8|U^(h!-yax2S
z2-v{Yqti+!2LKgYV7$*F{GzrtOMqV7kPT4pahyeUhn;d{o~jd#8E(UMD6gc+i={7W
zN>Q)qQ7cI?^zS$&+_L^Q#)^iw4H`}EW8KH~WjZlRw$s>OE7{}U0c^lYyG$y7UL#I+
zhBkVUld$IcYJEwj=`sG^>W_6SxI{lF3DU%-%Pm$tOg)=rQG4-l5+{5>K8X0Th~EkG
z{svo>+765b(N~cn_XMW&)?qqO5i&Duk-V_v*8IhDEWD%1a%c1Kt#3*`@hgh<$nSUb
z`$4o8xe=7Mt<q!6YubCuuwvN5qQ1Xgib}88>V@7Vtjz{6hq{4-0ejH%y&W`PJ#CsG
zZa1Ja-}oNxz?%Rp5=zQhuJIaHxoJ@1CsDIU)a-P0RxX~GJ1_ij_+!bqh&4N2;(uxM
zeFkTBO&e&6HCw{`&T(?q8@|4vYq-Ys@cg7E(~PK@ra3Fnj$|IoR4&nbYya#iw^6lJ
z3$(c`upVQbru;dB;1#W@&v=a32F1zF;ltqqM9onB-sB2?)t+P_1<7e?v-0y#!}1Bv
zehV-BpRI4%zBqI_+Ge=kHu}UgO*2Q!FuaUkV}TN$;W-~}?P^kN7z}G}FT|sGb2v59
zWf#crFu5`=(aeF`M?aH-7Qk+$83vM0w$*2NAATsQDddpuVlX%beEHASffH2uTO-D0
zcF(gsNhu-lauQeaO$TEiUcH=#=f3}fa=9CIa=(g6|A<^<#`-9K3IbQ3j@d#tXBiRX
zy{nAw)O4G$z(NMJwCmi~G>kvTF)~4k%r?rp87k^~@;sNQLP47{=wm?+wN)2$?@~eb
z$6D9#W(5<JxfByhPN)5!`R0Rv8Y}gkzuc)d*4KXC+z}~EiMQDVsI}1-d)zN>;szpr
zmF~_+kgg06m4SAAw4WEV!B31q+1FwyLD`uYkxj5NT8?$Gqfc2loJZf+1bqs_hhIa`
zCf?oqesfFQ!J;kFR{{ErD_pLUy}_SHS9Nng9W7T1)A@sGQz)NFTLEzm2#k6?L@eL2
zCiK4A4eWdLwJ&MJo)$v*3szNd!8QhcW4uIp7k-WAU#RJ$hkJjbrdHnXo8vw*u?MU2
zgXmy8973vh$3+7=V1JV_xyFZSq@zWAs<-Yl7eZORKMyj}ESoEBLa;E-)wCYl+$7#i
zx}5^0TTDdN2xj$2>+uDAPl;aFK1PbTpCvSO6&l`}_B3q64a8}TbZp#N)j3{&A!Kw&
z=YR5@a){in{dGv~*boMugK8;9^HE?3v1~LtrdJL&5f1Ng$LePcA9tzet+_(EFYFto
zSnP&v3`q#JL<*yRstz-@k1UM{rS2B%VWj2PO?`ISP&8!AzoMm`V6m+V4X<a+=JV-o
zS^*9mIoPB)4yajqP9A1-64F<po#u!jXJZw8)kiE6Vk!nkcH~AF+50dFeBMbPvW~md
z7cY;OTUPk3`*4jvtL?;xoq``XDF;gqeiviI)-cTptcRiQu<av!Q7x>-VNb$1nG}-&
zx}qD<!kB099zGBy^C?cMc37&-yam?W7+{Cx2Qw{N;BL4^5%kQ&fA%c4;TNa{1-`Q}
zt{cNm&&eamY3o=kMqZ2x=~`5nbG&*P3~zm07E76Su1y|=0C(BgjYVO9=$WGiNI)<7
znkcfHWb%o)Qw$_v_2DHqW7vmTzJJ=!4CTd=X2;1Ccn)BV@#}N@QBpQ|^$S@ZTiR}l
z$4*XH2r{Wacp@)Ev=G1XlZn=9!w7^iN<5VF^^2Ppc}Q1l<mCjXatm%WkFuGy(%I6b
z21XPgSg%G&0n_1<-ph0ARdRu$ir3WmjX!p?RPh!{SRSGqlx$b(+0Hf22FV!b-O;GJ
zhJ5_%5%>oN6Geds({TlOW17_pO(%@)21Lq<MCQp?Ohg1#GvhT6uIP2Kk(tvRQ|iS6
zgDRjBFrZo8>q}d#=o#Cs0PCc`AP!hyj!ZxtTsw?O86an{Kz25%&UY4k!PrqH7(i2D
z+NOue5E{iBUT`a}>r=kcL9;<)zS0~=@Nakqg7tr)k=lAVnS^rl)*<73H-5hH{QYYW
z;z1#Y`ZmO6ZTQVei6;eNdDIDcu{`SHAg`rva0cZQ?9e2<`0Z2*Fbs%6xs!w(J6<Rm
zjShC&+dmct*#L);TYGC=g(^4v^{OXEFGsd~O>xPCx&EA&1LZ(nL(>8E-HHg*A2A{V
z?6k-tkX0@6V2$<f`mxk4C^E9nrYA+*oX?^SM)20+Nr)4M-MihDg+(``aZKcM${2iO
z7A-ia70aW_``|%sm!6*fWmio#?jxBSKdNp2dPyxp6+R%^L5yVc+YUo#H%10w_eCG|
zu?OI8$B+Vq^9C#H*Ts%l{Run)NdeN}cPfc|Nx=3iOWrLP5J3L=E#Mh@H88kQ(dSKN
z>7pTFUcl?thzjs)C)IujE3=;%n~((Gp*G-p=u}Ml_m;k`8h}uGQ!8FAjQUgo2ZfUM
zu_F0^@rb(oZbIyDC;Rt_>lFiX!bNPi#sBuB{`z&Gm<zx}Sp1BM;4eDgzrXh9g(riS
z`TxKDpZBgjSt`_Ss1|rS8s>b`<^Ioq{-gWIas=A3;#`;TxnY)8Jcn9q{`U)tl)CZ4
zW|fr!DHi!#zx%6+0y+VT_+;#grOSUe4(bya6#W@IaCMvNpD&{PIjVi9?g;{1=Fc|$
z`x^|BcT`uAME|dy++Lrc1r1FCOHmfC30kB4xm2jrBlS?i`=}DDMOVVjhg_muT*J-H
z%?V(4^g+ot_xH)|uUjOoiW;8~ILJE_EGk-&eJ4Wxh)d5;Gv-4N808P3O62qZ{8iW>
zR^wMyLJBw((UYn!&VGF`<j#E|vj5Rafl{M7I1K_EB^-!kAqvDjS69ImE>u<RZ&N)I
z7R4ZgLq;Ckp8+K2KPG7D>AA@|oy~swGyIrn#6fks`dHMIw5mkgvHROh8i0jhisG7b
zW5kf7M#3Ewp<j3!o^O*C6&0~cT%_y2`Rb1Pw$x`Z9VY2~*8fWO*YE%1%>!AO1}l<v
zlLV0r&9B<L6Li4)#}kkY^qzK))W^SFDLM$#Ro;H$B7Hh}%e~^bw&*eF`Pz{IRo=%r
zt>G-c^>ZnJ!h%Fs*)L>8Q3<G%!5-k1e>>3Fv;tMi{n*hLhF@&_%)-h6KKHlo%NQ3x
zi;%;0*=5Xp+fZmi2PWe-rdcK4j}BAbDj+urW4ap{5+?#=DLTOOY1D7u{nv5ouVZ-~
zZsq~?r3F%y#uYoyDVu7ro<r}8l+i_=KcKU$rvass5qj;cdUq^)yok&4a}keCgKaim
zwqI>n|BxwQ6#DSfr0sBlu^o8Y<SbF#e4wJ;dAt<Ap`AxpM!p!H{Yov)Od|E2t#*gn
zf?J!Cob%`ONPa-H*5~vd$<<w&>^=l{CR-jRG4x1@mOQQI`@q-C?OWgqrPWZtV-_gU
z;Y@(lT5xsk7lXicGaUFV9G`h-)Vz(r^oHhlP=*$AtPvPRIaq?M@^3#T%0@s<Pz3-6
zt@j=#+Ef7J>in@f|J1{f^@b9$^Sy7&kKVLdwZCqebQ>{5g+zoK5fFo>mn8yj1QUsB
zZ!3=;I{_PsZm`Tcq+{3oSXi+X_h7nL`}FU)<5-@axQ#>Q&AM}{xQY1|M_%xB#2YJF
zpaX>B<Ig(<F@{SW4^?L*g1Fer<X?<u8C2lMZyc5_jI9{q-zliutpLv&m?ai0m-sK#
zF_%Y#Kza1=`>s{`ipTmzOoOBB6OBl^US;}J?urk*l7OBQfhUCqJg5`#rKyPTK6#R9
z8C8=e@?`P$;mk~z-{3~FNW4S28w){5rw%CHcL(DwJfs2;_A_dMM_<}g#FK16j?VFx
zza$TcVCKQZ%{sfw4}Xt1iel;9f8g)#{Nl9h45(6B?S?tBK-}>yEppBW&3j(oGhs@K
zca+=p9e9E2LE!z}%U;0mc2P{NzXn>4L>X;f1?-Qzmb+<V;F(GfRRJ`o`Z3q_mgYwb
zK?ehCVD|cPf2qg!eS2!%yRpK#mBLzFU^dGO{^Oe~WMke)kn}HA1mz9H=K`FnJbj@=
z5+)+n8<f#xOP$(r?a#9D4o>|(YJ3QUgt4fmA=>G$oy4{Df-~P_LSyd)<b#YK7Jw25
zJ{XBY!(xEI3!#mI4>*Gj*l=_^VLoMNoZ-hnx8qsoj-*~JB6{>r-;Q^&+X>t8&fjpz
zgT1)D{<}<F9y6S`xobx?u%i2|z^;0S=j_!@V1nC~PsnqAvLBroDQz{JJC@}SkSSo%
zKIpQ$)M<TkuwlM7lH=HuEN%|6f7p+4*9bj8SZnv`)_>!WiIhgGH-mD!rz?Lhe^Zwv
zp~UO0XGg(6tuHsS&Sf^bmAUKe=NA^Pba(;x3e^`hL;K@d>ZuMF=Ub*;gh7FpopBu|
zkKUt_@ZwJEF^O&Tf#IfVHvoY~D(hTUTDyRTp8+w7#cw}a#aFL<asr@TDY{KZUf>%X
zk9_)~<Qj@20KLHCvwF@KDK;<^!=bAboN|4+llzj50=@)D#E-u?bJq;ET6D#<FSeyL
zoqA4J>kddh=1&+3p}G$ue&321)%s-XR_=**11S_9=6$pYnJ_>8XjWfKBKnJ|`Uig^
zoy%v(!rc)U1X>CJ-5BgWD)2d00?@zV@}i=;WW?A4tE%3cBuB1CMAt^y&bM!uWOcm}
zxHIc!@!HN2*x>FhSatzAOg93%xI2zBN!Il+Ijr=y!=$wA$GR>6-8_uC1+dXG`N2Lx
zt!%Fk$90#4Lu2bw`;m0wjn_nW!YbxM4YGhtWO*TSCO#~|%Zys%{)A?_tRlbjyl|21
z`49lT>MG6;M86nc04%iH;TwP{W&G%elR%~g4U(5#%V%o|{eHGmY?TT?qq^6I*t>yC
z`k+AWqoFE74#T=*tJgvW+*Qpzj|V>%;VX_UO{c4ErvRAs3C0S}l}&-BFyh@f0)h{#
zt2V{DM`>4}Z$X6gbGqIH-uIr%iAG)*pp223JJn&}SBaYS^U=}IHs;3qg&IPDHR*&3
za3lwN>ZLD|Z+YgFuf(Dez|N)?gk}$Ch!cT7!^eF<6+Tx5c=7Eo7>(lge_@$Qd!DPi
zy#3z)0y4Lx{s1zExBd=frpGhOlGdiqZeqJUwA%=ZyC&(ULeKaUW@~(qHdDIy2w$pH
z#h(4)j#zRe^@1m|q*d+h9TwujZ+qsMO0ll`Uu^Dsq7^U_H#c>Is`wSGoL2fR`)RTf
zE@q@4nVcpHVn22sy5)&B&4d|Ew;V(qy8d%@H8%@jz>k(R3?_?#S4FOtWUB9hq<G4x
zKbXP#aL?Y~ja-ZL1kMuOAkRz%ph%0Yo)ttYFg4(~Sg((@cGGBb;aS+*iltVH(|g0=
zWNeFfy>o=Pv9f3UM5*@nC4b6#e9P=y;4`T_YiQKJF$1Rb;Ol|<jy0-zS|}iNkDf)=
zKL0)DF#y4A^ud_2&r+c)Al@Gh>|IS_SZ#{UHElXwH1!WfQqihJXK~7*-N;)hu|IxC
zNTrtaib+zlGvO}%M%L*=i;pvHQo*0`q_3O|8~ab0dL-hLvquPT7U4I}rn{`LX*wZ3
zV$I>C_FuBPUEdgY(~QUpC#$<!WS8W5G}q%bbs$zQ4$lZ|A=@#N#9~J3P<7>Ag|jA{
zh!=T3f5txhWXkP3;FRRZZiDB92UHgj{4#v*uOP5pEOty&2&-wbd4fZk=+r^e%l(*P
zDNv4+EvF#N2L)heev5B%7N2s0M3SR9_1%j&y2Hz+7cD4PCs$YP_2|u(L4Pu8c?&4t
zwjw%}CtqoIpLRCW>NtWMqPqaun5vr4%zavQp*Bag$&gQv0Jg;Jn#^CcjD&kYDKn}P
zK%4LU3%U2=6`&3bYcR3Ks;%0*MzuV>{XLzMM*{m>N5#Do0>G^@S_NP1-RV#I6X9RD
z<^wnl8O~ACp=x(hS-*tW;KxYWr!zKmULT`}@%k$tPY|7)@;+I-JK$mQN`kdu>-!&M
zULy=>FyokImp~jG8VJ2j(~d8#SP|}7ht2R*BMree-2m(gxY(yQWm0Uvi8Vs`uFwjq
zOy%$>=#;G8{k9w^m{ow}<uT5=SA?Lxvv++Ln14L-bb{LfG?QBFh|}@d*?C2^TMv|V
zb0c9qOYPCEXJ8VT7ULGXM2I}uL!LQVN26=WkOu;yMow$0-^oqPLm(vHV#JIOzay+$
z;}u)!U9;O$*9~0CYnG0@i_Kc_zvbBp6>H{(B|Dfwix3rlgrQ2Ym9g;B^M)k}QiwT5
z!g<JzKuy5ZKyi`=jJ>UVe!g?G_A~8wnQwO9vL@t-0!}LLrJ>C*BpZ|wfTb-cwD}nZ
z^a`u`g&wDvDf$->HjJWpTo158-$^Zqpjr!w=(qMSxD`HT@#A#6>2Q#dOiK|Hr#6rG
zIr#p=h@T$Up?Mu~c`)B;NXbrM{ln}B<Ryp(DO@~^&Vvp8W}0QBj*6BB9P6}y#Q%87
z`jM~8dLCUG)4g-yRv}ZtYx8)M&AH{FI%0)5AS$KADojTsP1=(DWg(_L1=rprvA&T?
z*Uh2_zQ(xssb=9$H;rr4^?1j`+}As~vR#1YWt)KkvTq*g7LOMkJpY=Lmf|k3!S9PK
z#|8U{!Ov*v+9Kgh!GXpG$*tp^DNUSU^<KhoPoCpizsH#CY9AZ`7WAuk_Xv)v<PhFm
zClbtOh6P6F@9~d6sJDKMg-!-Vb`;+n066GU#eQL}i7HZpo+4fl(9rBFK=AAbF06pv
zPtV*~{Is2ZG=>n|y2^C<W9*w8q~MYIQXFbQd`21o!_qENaHVz$p|UV+;?h07-ADUk
zOnW9quNVpZ#|A$!RGP>SCVsYz7>*Q-6c=<%vEDD%(bctVf6c;Ic=HxNb6NZBclT}#
zyZ69zs-U(vX@vjV{rj?vI*YLG<T=lPucy~V-9J(V`>63kFrxXv$W}J&C@fHly~X$K
z$$dXr@sYsTUK2|YM8bB=o5zt)-I@FW=UifR{cerHV@{jgE(Huz88oXi!G=5EMmn15
zl<gw|167d`m?RM5Gk$Bep@2R&3qF%7B#)C&z&^22Pi=E0^2K%0af;oth*1X;Ke2N*
zgXZn&%H<SMkKr?hkr%TAT7)|u*UKrID?HDBvej5Fs9v05yAIQCF@!RVk#_-*am{+r
zRC^Ua%TN3!@^UuLd$(K8!fcVw(P718ErxKwhwP=y^Ck}QeC%O)r<&b(F)p+CQ5Lt&
zS4{DnsU`9|B@k)x5Q3Rp3LL@EtA3G!_BtQTXoCd^#n{x&I%Zg$0o$=&0EX77q;qzx
ztToxdyVnX$eAU-G?P={so@5FSzJNMp2-Zz8ZUthVR?mw_Fu|XH^%VE6T^sv(c<FRA
zgbK@!IcZze^z>;}r2emJn=CAIVM@v}Ysowx<lJG}Pc{2QGEGZ=1R3b-%m>|5JKK7C
zn1Z6~>>A_z5uY8VdV8kuaJZe=WGXLCy4JD+4ypQPaiQPijs5yZDqP~@7GF5)Y|g@`
zjX_FJW>>C5KfNVZF&*C`=iB?61DQErZR<VV>k+$oCLyDgf~K?P-`t+4DzexKCJ*j6
zeGdOs*Z0Ab(k#Q<ybq1(OSONcL&~mwVe;(i%}-o-;$GDzI9Jx#eRZVKYc1OKTkv<%
zD{aS~nA|ky^eEga*D0`wM#tm0%IgF_rgEM2XlC^vF^$yEp-G~2zMXuYHI+Ilc<&rq
z7R6^>YgFb`gCFyfUXp9m(XQph+Too&-phtO!cFhOLd4NfhN8=r{I{@gGxR=VEN%|2
zUs@XpKFEm4G>U(TGp>}mkg1p`b5t!Hr_D_;QN+@gDQ{uuAptvdsUuP#P%XJQZ&D>Z
zN1IO-Av+QJaTj58HsN^sHf*0N<zX1nb=SmLm_e5b$(9Nd{`D8!6$sJEft5#q9VPQU
zt&!_hldfMaRfC86z!ad&BlCtv)u7~2i5Bp00}BR-J6L-Th)w=9ed}fjf<F+-MZCd<
z#lVBv%f2%%&upzuYla)>Zq3$QhbR%8Ang4qH6(A)yx}5@IvzyJw|BKmgp2G2CQQ>s
z*XPnnZUVyAdj|rKN$0RK;e<|xJV4R0o_IAw&A+O4*Jv>!-e2MV{dm`}IiBZw!k2*e
z>4Y5^{Xq<YW)KRiO}^vyAc)DFC!kjlkSf~%X+VxscD5&ER1_(+`=DSXvmiH*%N%-z
zXP1x{mkX==P07x)6(}_T`Z;BI8PM3TuG}*7cHiQov<Pqpp4|~VDXNB)FrTd$lP<yI
zDx&h<#)kyb`12Z9Z``|wxFqg>Ds@n8QX05+*MM1vlHuO%aqB5g`wHj=!)pd391gR&
z(EAm9lfjOp4!YgNy$1tmlVCV3#|2X0SQYvqBCzMLz@InF;tfku^BFv=u;~5S3g%k^
z3XTjeBb|OyXBpT#5$nsxV;{*F<M;v6>0nx(T1cg2pWft2gkpea5TSQnNl$gHef^1=
z%e3$YVpijxfm^@z9X9HsMrH{nV~}dkQaa|q$!9dLnC>5><G;8{zx+~kbGR3&d)&p(
z{i)n%w%)IZxr3>9ylhRxDX}CjLD7&h5*%BW75xJg%cDp^IbQw;*JF`j7&B5Du;BQ0
z;2Z*^TK$hE%ZqHMDr3tHyQ81teRC^K2Xg*L-@oPQdlY!b*Q9{ZjuBwiE&7>82Qysc
zz9Kf24q8Ju2)UUity<Cb6jm=N@-7@01*Dh7hRRZLak&Yw&{j@Pd2nZ&2AH&!Lv9PD
z`kWO}b4inET?J7`>6I_8i>>NjQ062s;PmySU6L|<FVEH}Q$u)_J)X#qlSkg&8`Mw_
zH$Hk~NX@A^lKSq6AF6)Oj^VU1Ugux1=ZM)Xa3H$dM6CR9dv(OIu#(Pxa+RcO&T6n=
zM*r4w{TtkdAX86Fb_y)<+C!t>$U~r-)wGf7Ger^=J`a4T3fu+-1S3N*`_VU*ke23T
zIIIANRMN(7QWEs<SaCM?b$Cg4++^1<zjen+!cUvd_e;+AZyr%1?2X-rGu*>cL$z_-
zrCdO_xz8kN#w8FtI|fDcsaZF67z10sD6G@V4{)g=kkKr^PzT3CpoKn_t6iBrOJ-~Y
zdr<9sw<?2OQWSeKD1^$)e8Hln!!ff~E2|pI)t%M<$Ll*DfQ!9cd-^8(AyoFA^Mb@7
zzDwy3ln(V;8XzW*8&>X@Kg)}iBYD)WWUoPbZ2=e5ne3F&q(y(1jRuJ|sRGs=KPkfG
z6)^Pl<7J5AHD~<>bfarKC4b<e^F$!C>;6KqD%EACScE%DH%bvGtaefs;>C3<=+tR_
zcq1e7SUL9@QCsm7>CW^{E~F@UMl;4qWe~v2e|}#y9Ww8D^~^X3l$^g4T0HsGECP{V
z;nrQJXWx@Tds2JX#I~7iXKJe}=rG=lh$R=hxH*AW)j`_n9#Rx4kAJnTASfP0iL^JJ
zDCnMB#gvr;%KZA8F-Uw91OZXcdR*&CakZp?bJl<lG%U34vi7ESZF0|ZzsvK(&x1b3
ziDT0@wA9^hLj~fT=y^;6mRps~k^36J+vWvc@X|WH*DAx6=a%ttcfSHscYCC*8(yDB
z#8(PL-?ys696nkN6}gYcyOar=Q&rvzbaQvWv+g6I!e&fBK+<BGUout^9kXXj6#0Z$
z(X|wx9mSy72BnxA4Csn?6M(~#ZcE;xL7gDt64VW4Z=)k``pTJ53)&+^ScjPts7sYw
zL>plAxz@R&vAa}=B=^<rkDd!JMru&&R=E->-Om<j{5gl>2KuHy%{2-~&^xbn>7D97
z8jB<E8ZPtmCd$nOettc))@_^W_IBp3%&l*5>O3H8&jd%uysW)3igrC5a<m=~84^j;
z=EmGBts5+Nb}6|h4RZjZjX*n9n9+ri%!&~<0lkjMc*2`iyX14ilvI+fR^!x7<{*g?
z>hXFynd2KxGrUQy72+;9=L4BgNRPRXI*@Rx{Uzbd2NF(vtv&Q>?1XTI#x--`%cd5i
ztJDIs4g|BuLuDB4k1<aWP|UO2+9crzn|ry0!cAFs8!qaP*_jf2A!0Ae$-=KNK52iw
z6K-h!ZbxJN1k(@`Rn-s1MMvTqR_*hc*HLYZ<lRWng2}5=ka)Onjc1SXu9k0<?l6A2
z{Dkp<$I{@%IwULQO9~sykF^oUj7>X!Yd^9=Po1BHWD-5FDRlK&IQY#_Qb-=v)kXsK
z`~6pg9t6K&dnGkW8qkXWoF2+_<C;O!4V-pu&L~T0Z8+2e_9KHCF5Af08lIWMfWx9C
zcp%yW%VqxKc?qgkf4oLQfy~OT>1_#$D}{rOgab}1AprwK>;}&H6$V}*-qXx%{X@D_
z!BtL!CQ=vT;*elHLPYEpEj$?$>tEWLzpCWr?f|bc6g|lOMGqw<g#c{#6WTyvt~V*8
zs($K&d573iz4{y!So-J72^U?Rke*hk>-yuJ8GInf{7SH+9_IZEo2%bf?yNe;`9p5`
z=jAdx3E;sbEdN7Qa|4GZmAdz@qyBm`LR#)LSIyDu*I%+B)6^&NCHmLmh%pxYUWJ-n
zd!gUZfFlMp$|68s%qI_qVWs)Ln#EsPIe79*gm?p8yM=IG{5R+qowWSP-_@8FY0)bA
zP&Lp9TwGcl2rdQhdgM<;{#jBZDVRwbW2Hus@YQl4?&vz+&9>_a|1UHG6oFlDB}fT3
zbgG6^z#S@+><PeH=$8WODjAvilckQl4HZr}MEYKqN@6!CPib_-ul!!jA0<_|k=z{i
zSkwml>esTD@oJ#lMv7s|gu_rzE1L+4L7tWbc!V?3roSN0o_IpZze}=Y>Ch`5%1w(~
zN1$%L5(;>kMEeDBdaT!&RDoad4=>mvR{0y9Hj-kDe>dshTR}k-^oY#2-VN-3Z}flv
zMPL*P!+6r1`;SKluq_e5*KAjeww3<j<S4vi5gb3{8ZZ055BX=$LVXhWMJB-P-gpIN
z_20qVzx@S71RS5?ZWsRlIQ$0m9aW6`CU(L90;tr$@&9lB{6NBywFf)P-5z<LtZM!m
zv%kH87GdQlQn?;&ry)anLjT^RC|K!_mlO;m?RI)vk`8P~O#YvsP$>*9l$hF5D5m>=
zw3HOM)7a@v=D(f$uTeS62lR6W?lNQ7{<$MSWWkMs-T8m><kXGX;?#V<hFCPOd6s6y
zkMeRIGB9en41`l}?HB#8&L@Ck5x}qjBsJ0eHH9p2S@UCs&GG&FDR&~Tiz>lyJVgFR
zLinrS2Hqos&<gSDV8J1G{3Z5tUGGt@$xi)^;__FsfH$)^7^ddbSR;jlpCM1Cbs*CH
z{bR{h|DkYaL`b0|<(iuE(ZFk?(9zMyr&@)hHN53Aq|lLo_Sf;WQFFpO_QyARf5#h1
zAupvWT}KiD_abpUpMdr*f|(WvPC(WLktCs|wVPkyX7wcEM|DIX@-F}2;jw<*?Dy#e
z7K>M|3VAXgR3GyH1#LQAafz0TQs3QU8V_^-g9wyC3Z{^3kCflVm*|pMU@|6sknx3|
zbdzO50n`zFKo@=8``r59!vb|pc6j9sI<7oIY!Ak%2?>@#??;MZkTBrvukEKdMEs+~
z6~>3Rw>dR2+hRf30`nt~R)Yatd$H{m)8c;NuZa*Mi&n(2S(#H=adEO<GY0nFRt^=J
zF^9!<LP+*kuL9-I(-e145fycc0_gynV0E1KQM6oeCUqhSd`elul8_~<=N)9)D8@W%
zgaIDMS9w<-?rxOvPffJJ^q0MO+iXb|edw7}uUb~kh0=C`g<TiOqT>>!4|)bPWeI@i
z_XhCojNQcq+*MM<+JUo^dfYJK4`K<YS*dQY^%%wqVl!9(Mbw;DpaDo)Ws$siY7N9&
z9H2zzQ0%cq2U0xkR7dg+NxQeUq)=+OZTI-_XU}##5>ULe0pWk)m1mbzEA7!ElkWPS
zjs(C&FFAu}p*tBN1WNV1htm_9@noeR${y{%tN5OEcJO`%q>laqCeP@q2Ht|iIzgey
zsCA_Xy!Bo7hm}((5v1<pr{6Orvb<i5E2fZjoy#%kJX|%tJdr%k>wNvLi$nMG8(^Z-
zwIAq8cKZ#z0t|uy5a4Y8vZINTf)QhSs^-Lt;#rXb^;DsA`k0!jN=eIY+E<f<?^|~V
zS~a><xrCP4(1plsCd<Qh0hE~ye0!S-r1Oc>wyp+j`yKDlFP4a9%xr<E;3N=KnFPuK
zpuXObw7)L&bR8Hd$K3?U&&O*y1zi;`E7hkOyQ;&vx~eE;Buw)A-uG`wMAzvaG(bF)
zZrj?kswFShfD6ta;T!mHSinX^C)Nh+nfRAax9Wfkjflb;AK3bA0(Rq-=)m49R;zs;
z)t1;^yI*NBRe?7!z<bNyfI<UyM+a)YHI@Gh=}eLM3|y^Qjcd=A<BdzhGFZTU<f9eJ
z=cnX08r*SNsqJ6vHSV(?-FB%zDRr2#kbf>r#iOo7EX|R0$E{k#?@UK2V%9Sp3R%7|
zLu3Jm>MW<Zr1Q83`3Bf7d#fbJ=f~Y!&YR4E3ao{|r;^{YBUnMcz7#xEf^Ys!Y`G)(
z+5->o1JojE(J@urU7*a^cfW*U1Qf=xS|pBUgHAjr%L`nSxQ!)t8*rPt<GPc&)g|);
zWkRbn`C|a{ZaIuTE~#vq#vT}*lkodrh$RZt$sN`mjN4g_4P-uY-t88eNdSdPThD`P
zzw?vq)e>MKx(kA&6OtScF5j(-x38!I36Ul15-ZrRZzX_!o9MnVe!Qq~#)QQKfv=C`
z332L|@@>@|rs$B?SdV}4l%o3-`Q}54SBF%TG>|ojcKctR1`=MlCxE|8@CYT^rvvSl
zjt_6cC3*@^kX{2M`U~`?d7JrWyex;QJCz`^`s5AJ9JKE7Uz{E-kXU^mU@=m@Q7El@
zP!-_4Go-!H1xkjX$SRr0mhx1(Hw2GiXU^*}qLUU2xMIqW8=|xb%y5*-^Lta}GoCYU
zl(21Zpunu9BTFtq5N8-(xbxJ|Di|brvNbx|o*RII`FDc!eQ^#K;MMck$TKrF`(aK>
zS*clzQbH@;x&sc;*@xp+$rLi}l%zeKpYvr2-dlFJ_6<J!$@=57Gk@5|JWLh$c2A6E
zyByqwsR7shro9bOg#u3N9$MGSZXwFp+OBUN-t32-U@NIwBk={Be|Z!rEcs0;%9p`d
zQ}91XSPrA5<<J~2+p;*>_wEE7h6u3w{H!N`xT&5bx>>G2^PZEtdixU!%&bmr_y8)3
zCEcJxMX|er-huTaibk;7_~hry6S~X5#|1_O-qz#J*Y?M;I{PV&eN;PDe!Tf{ev_M#
z)@lY-KsvXdC?)RPCmt4T;Ou3E_@Y43T*!3XMl|c;3(p^EvSl{A8tVI+otRFIC8IGb
zU#piZR*Zl$m$?7*@!>???nQbnjeuAknefXkqH$d1caoQ4X>s`}yQGy7@1E}~B11|g
z928*#kmk-*<?6E)pFs3U{;is_@PqdSwd2OQGW3UfO-&f965mt34}2cxZ2~cE3Yz}V
zCy(z%Y^grOF<id-2=fC>j&%?S<Y?qqQE-7HHCTq{_MRR97!oK|tQ+3|-NLW>eliHu
zkgE)dvTK16?roUNczy#KJ68VwcsjMWt@+ERK=TL`s8r-qJiEx?uu)*yo&d@L&j`lM
z$i-RJ5@5u$8{LsPTJ7&FBE{|<-g9m<BA6_EG?LG>ynY!2m(e<J2$2E~(gg_y6)uS&
zZv9PF%Zo>Vda?6fS5G~NfO6b#ZBVh;X-@iEt}Q>gN^X={C(##R)c$r@!2O2~XB9jM
zXZb6wBcbcFLme<(@1Msnd}VQJMT-Q|szelf2UJRFA?(I}BEysZAop%(v3*T#_&j`b
zr*Fo%cc%9IwOc))#&iK^D&RRmNr+V%DRFWShYq_tLovGL<P(CL%?%z5)QoQlQ#uj=
zlg5@Bd1au|%}%4pOpaQ?6Gv@-eT07&fN<{AUmo5sA{^EOpll-kW0|mv&fAXD2Dw#!
zuW{cn@;&u!265|Gws-;bOr{*#J?)E<X+aa}^U9{J4mKwKlA02A%t?U5QHVRA?6q5U
zEdE^Ho|~ybNlml!MW7L&E2^KQQ4iqS^QgWl)og%JGxQ~kxQqi`W7<I(^i33O`u4{e
zh2U`I%}l5lcx-d;0-5P;;)@&@V(?_2E(f+pejPY9pYJ*{5=D}{%0OlVX2>!Sq!;h`
zhZ9h;D8~tMF6#Lim3;-_smzI%pK=%}Ws{_qdfuMq#euM2$u}UK@cTZzFwln2c|M-;
zwPSR{18dIp(W3W^R<YmCLL9jmDO9mD=y%IU(`r0hu9yLzf?FR=FJo>l$Q|ifkB8S|
z_T!{eVhPf6<5|LEE;q_B^_Hh=sxninr@XIKqjrcZEbgjDkDJc3jq>804A|2<Qf~>v
zZ4!CSKOxt1T<b#<RH&-mHqV03Sd*juF8Mb)MI)kc<-;=pN;}|R7VUS=_B~Zn02}`*
zkm;1}ScUbKShPzQ+w}X?%*@WJ^qfYV>SaD#5km8vO$poT`TmWUub*!s7vu_heyR<-
z7i?!-=dfYfit=8o|5%s`kYICT_jF=2KH0avrw1JtvlBaI?qAs#WrXj}AnLvY3r@w9
z2>R{xVA#uAph&;JLs<Htg?Vuwh1Zf0^wwFJZ89Y)O#VV_@%vY2#!EL$wtqpkw+^On
zr1Spb^D)cA2Cx}`byFY~y+7l9Gvlb3O-b*AT(L=YvWD~kLLagDZy<I(CytYhO-)k>
z8$v;TOAFeWc!`|d{wTIr%ImVy^RVbWpkqyc>WpP)r?~BrjdTNS=fwNI1}zXI7m!TG
zQSXl|;c^#Ox`D@SpV-0Zdn;hV$j9!Is#76mi&M8Bhc5@7BYSbwt5>W(IX}L!P#-vB
zagTRw7Pk^u00gS-(&gNn=9dEOG~?=1Fe+F!>{u9;`KJJDXF@aIK#^`SzU_yAm6Opc
zb52cWAT6#)8L2w7Gdo|P<^YlKs#ac=-!bLrZMVkwt(O|oOS@jy!Ga<W?tBasAmxYz
z>kxAw)yf)q&Pk`l0|8OT`EmNdo!RB$%ySnQIJD1xO#kBe$#XUkx7)6u#sMHx`JPU1
z%frAR*LFu51`lS0w+1`yEZ#gxL>2m&RZ(P*_L&JWxBl^pT}tXfN)*vKe$+Opo8JH0
zFsDJww&&?VUS*4O(l6k+53pjo;3V8UZFf_#lwn9}C?5(qK8dis#g(g5q>{^lYvXU)
zx$Q>Mg!cYkL!*&$+Iqfn0b?JqR(y{jnQWhBTug$w0+WpXQ-lfnPwWu^>jT1y3(i{x
zW4jo!1g7{w8ILCfb9h3jcY!yALT(B535p!V_~h+tiI2H_fYLAta^~+V;pzf{*<kPJ
zCK--(Z_0hjD)8vFxe&1PyUojYGhjVv{rbrlK1(qKDUJa&BDZt$<@E{8k43Hh?u4JC
zNUK;UzG4$Bw{?x1kzY38Fj5A?egJ3TtZDYH;UIDYCBJjGs%LWL{>M8kbOm_M5-<vo
zikvf6vaWp{X0~lZHeFy?rH9S%<+|A`)!IXkw-C1w{3-j~63X#Cu%5PeuhVx5I-PC^
zqHE}KWCd$12rB@bDZwbP+{y{k*%}M3B{-L|x6eH|KXAP6+dY^~Hgrzv3p;^%6Rz~U
z5is<pgyCElc9N22kNG0EM&T<dtGCDLG>4)OeA#N;Qi6j4X$uLYYz0)Oe6l1w{8>;k
zM<?B8_@%lv$ASL{#J*?Nu7?|P#~nJ4(eO4K%)awkUsUAi49E_c9%etOa$r#KIhym|
z_nodzp??01krZ$<v=2c}N5g5Y5_x3%C3rNb7#Jke(F0;1wdjGeZ(o=k!2^oK{x6o&
zPvHn`Ri11h`&z3+vt!aBJKt`?f8mH_mqx-Q&#c?ruJPfv`fzSMhVx4rfm?7iHONB~
z1f@X>w7&*SUMI7ulK%677vL>RoSdA1U!UaVap`bS1Bu_+<5Li{#K!;NVTo9IB;a)G
z&{6nZ<%LjaUGf2TSy?GwoD$RBm#@dNdj(SNA8t<ViCulB>j9!Q=(zdSh}(Z?y12Q?
zT)Uw|50c9@B6lT0WhetrCxU)4SXt}f2i;+IM(^HYfQbbe$8#9ttfSv@S2hh4_!Z+=
zRq0T38rRB(7$fU?66~Q@XBh>76Po^WoudYz_^pJPvT?}HuAvEKfg7WIyfQ@dO{kP6
z*AMLY);MvsxS&*kM6);*R@;&#wUjPlEnRhQW+77Y`()lZP}fN!-E6I1I0pyz4P=__
z-`q5DioC%v4-LMZ!F2b6N5F1KAhrb`GEdOav~OBpV%nr<>mf&8Z*t7<wU>D@>EiPi
zUlOXz)0QOslil*|sDQ31PLKq%_c?UM9svv1taA4)VFbZPoZbp$$2;Uv-tG(y5~t|J
zr&Lf0;1qjDIGAM&07gGdU5<z&S*V2p^YlSy8LsaZ_hdlBvLMORgJ-dt?z(dW-}!8M
zT^vlsV>Ick{c70)6_`)}I>U)F)ZAX$pRkA)&mqxcTG#NDQDs<8&N5~u_}Z=M+49|L
z5dWGuS>f31;E3pp*qyanR%ydcgA6MO&Us+$|G{A{#NrWrk+G=9dm}pu((uu3eM!->
zDt$pYjw4ogJ!rn8uMt>R((>8ZX5_2U3O=>c&lBOqxpibJgAll4w9?b!wO*P|>^=%+
zy4{RJVY+$Vg>^A5CN#&y53<RLz=0eHfp=5LR=Z`0OGcV7aR_;yj%j8pk-yLlUMGkF
z+~E&lc@s1elOW%@k~lDvM1kg}|HT=f@ToL571mg&iOXKweT{p$Njyi}*Kf>S)8QPm
zNSxaRRv*>#qhR$QXRyW@CnGRKW7B}ZX1q9i*O0S5nEl?e9)kc6y+-n6mFYz!V9qEN
zJnVNHQEawTbXo~Y7?jS9)5<rv8T2XnK~I&}bJUERK@<omYM$%}eNrrzy(E2EG~J3F
zTypE#*M09>39S0w)jnca5Qk60;?#W3<Vs!^o$~gTnc*Cm%2yO4d7@cgl9heyZGM}V
z@wKAxc*DIbp>rW*%FB+LBvo8md<ULebaV8{s~MbEbiDJvZZ3tE@3>_piM6?rx53(t
zH`QO_LEgu0>iNO0L^`_`T>2mHd@m`DpFhaS22K$z6z0Rv+P>wjYdpFcJm#fiD?*lQ
z4GqF`@GZ2Fp0%IoJ*i?XPZjwVPS(1|B+DTB4wJIH{Cd2(vvZM`ze%Dk*?7p&{R>hY
z_k_7HS_XrkP!0T_av(BmncExTTYE@}+h6;{j3h=?_Oo%zgN|o9cxq>-n3Jm8HG$rY
z-~nGh#Dqpd>nl9jTqx&5Z;e2{I9G7$J>Muh?`iTP^lbzCwCY}8K}-(1-9^RKfru!q
zKSWI^weyQ3xJ)RsquV#BrO+nck&1Babqt*KcP6`8d-C%P9*x02No8+`eMOh<g3;>G
zSb|6ttqA$aR8Rr?Ww$*@gWVWZhedgVSyrM9kINA76}|~em#UPjjq;ry(!;o}Y79Q^
zPKh3+fWMzp1C<x9KV;7QR!`}W6D4->quJBvIog*Q#Rq`Q9-n9ynfVQ*<}Bi#W$2-g
zJtvl&gonJ_oJ#FGs6LvHV2x;c13Aux1;fz?F3uCC#M6Jq13Zp?{43bC>P>{M%VA(H
z2F6~^4FPi@H|DeBJLXsf%*^aKX=+$MLtDrV>Y+^Si6*82PvxCfyw`53!)$#}j*kGR
zU{gQOE@Fk+P|p+1Cz~d^{bdu5Bp9J9r)^lm)8gY+L|df!TrDhng>a8|_xb2;s5waf
zS|aCz5!#P`X;>!>xl`yB^KA{2OTK76lpqj-AvUiE8ymCt=Da8cxdVL?coZDOV%t$h
z(cSTy6*m02=CDdw9F4(i=>Mti-2a(w|2RIZ*%)RL6}CB)n4EHVkUPhcAtkn0Q&Vyy
zts6O1n^{8%C5fC$LRpL(t(@n4xXHHzIn-1lhh!DX>3hw$!+qc1f8hJwV?SJvYuj~Q
zkI%Kw^|>DJ_w)6-MwF*~Xd5Fm>P%z+HvkB1`L<@(E6ORi2JD$ejw#;blGIA=?75lA
zm+MvhU1nnPv^$T~Wek*;!~ss%r*CSlOJ$f|X>aWVL39~QwSU?`U^jZ5mf_GG!(7YB
ztx<ljI-%ty@3n9^*3*8QSrX-I05p<5QOXSS&?nClz7A`js8C0)8q8wPMc)|Y()pDU
z<;v76npfusJknT`aPkD!Y4Gd~D8Y!Q<5s{F3Y8JoI$|mJAGes=3!W4A;RR?|j5_>R
zR9jc)AUXBX`axr%#e8W}<do9ur+k%#fy=iT-k1p9(U8WSFJr327=<7{v=^r|G<afQ
zno)LUS?FA|yJiE_#D5$i`D*+7>6r}qvKY4%6{ck9%h2JMxZ?|e6W7a6-=6!-K<%V=
z#QiD|o629&CX!am@!x&ESq`}GQH|J;EsN*~9gU<tAkI)<&nV&emD&^EM?`}yIxvm#
zBTBD@p4s{69k|4H3!RIqC8d$85E#E~aJt@ga4MdMMB%9H7rB#612`b|;-63(-$&V?
z$+vn-eSKkaYJS0U1D4#-&rgX#TE$==l#gPE$ifq4W)QqE+|l-t1Bx)Q%)>!XN_~}N
zbYeZZJ-{jIJcm1d<-#TjN!dp(6$07KUhPU~-I37e^n#;xLaBn|AV@=OQ-j;07*3dE
zjp%70jR-6?f?kefKY4b~eQ&I6%_9nLRB<EOR*z=@;g9;-G^id24{)6hvoCM1tQiUW
zJo=P!%}g(Rd67(pfU{X9U*_w2=p7KIlRoG@C2c32mnx710kH1kc$KZ3eBZ&z)l`{!
zrTKIXN7OkPjvEWAq)zI_qKsTs!BJKP4`VGz;ilIdXgI#zxelK7m?lIx5ZwLgnenmr
z_CbXJ5wQ{1RdtUHke(4?bvq6YNVAmd8$!p6{6~FO<@Ezt&bvYs8cYSJ)}(-0>zbcr
zWZEJh6y(Hnyid78GbgJ(#%01}3`Z8{v@-ha;$3uK>DF$O6wA9utD+66{OL?257Q1t
zr*!4*Rrqo?Ik(zSmq;(HKz&$^uv~r41WJW@@Dg0Egg=VzJmO64ezPaJ)^CSvT%D99
z>hZOW2eYRvX=iDVeYM(nw<>wL&ebV--O!VhJw+Pm;5Uk~pZ62``!8XpQc+8YBng33
zn|lAp?1bvMm;h{6?GWl2EE=Jx&5UuzBNMMRiR3<lN$59`xz;BHTzFAAId@NH*RSIF
zbc>6TTjGw@Q7S2q5fwmyetMwl!{)xS<GX@Rq#G;}LL0}lslQOo8+X5~cIvdLq+$FA
z9;Saf#<&xtxnjUPm<5_IUN+z^&vaCKi-zghvL~&9!W>;sgy-0$DKuxVJ!;;+J5Kpr
zK$8BF1$~pa<jzKXsj(WggW%{^b>;z*)_RxZ>G`$iV^RATn*5R07AY4Lj_Vf+?AL~H
zfwwLgDfe&^t~RdO#B0jP`U6YasFr^bNBeZsDr*1!>zi6Ui^PdJfS<lv>!g={Z|B9-
zrTO6<4~46wEZWmR(d=MQz9svDPDl^`8vX$1*(Tsx()IfU-4B4o0YRa@J>1LnB_o`o
zK;Q<Yq|ZRih)<oeOTyoY+T7xEXrRH(8?cM}90?M>IL<m46BZ$oaO@M4>Xs$yLz^~|
zdE8|2B?8Rub5JAZJqq}J8!RP;Sdd(he6;IfE5A$-feF=r&6MnI)=?nEQcKhN%xCIs
zWGr%a#i`t8<`yY*F9FYm)=}%*fdb(DfoWqk(dF5&*5YRU-zaaa3~2Q#mQG^;#DSEH
zAbv}G2vs5}6tm1`oW*%XP6;McFUchtp)h9@$UI;IzJD>tV@9nhVFG1^4WC`d%i^<J
zlh`T8qBWUlj;$brtysg&a;*%LX}Eqn94<T&wuj*Vfac6c@)ScWR;-wUbzl5=_zvqx
zA4FOc?in2O^szf@POE(U4Os!7ihV(f>u76iP3C#jt|RXtn+b#}$awRa&B@!00V;?u
zevwc`Pxfs2a;W2o8k#1}3@PfBPCu=<m~*({Jmjk_>U27zkDI-#0>fB{x?=EEbM3m?
z2biH-NJdlIm+?8{W7IbjT4S2!nIh<N1`S`2)7I+U%?<7_p`u*nQn!avxf70;3WLTZ
ztyc=$OV(}qFcYP#$eO?Uu3XNmz@SrZI!b!D?jD2+ug5YFP4d34N4jn;%I5Y~0ph6j
zkPgMmoBq*#eQz89Hn!W&%15~;8@nb{E1Z<YXQ6$os{_z|l0-w~D?Ec+X9b_N*ltC8
z2NtLEc|=G2{rUSEMa2(*NKT}yTC*&lU!az3hB^FBu$;e+r#|PM?sha&T!7WD<v3nd
zu~2ua)K*Bcb;*CRK_U%5s>8nhN?v!po)&4SMh6%YzSWA(OiU`6vMU_&>GvS<)uXqN
zrBiG{*6Exp($3d@1MGIGDSr&de1talJ8(|+z&gVS{(sE4F$u-U2<1d_K6cK8g<9Es
z5N}eCJ+0TDqbEK~`7^_eV4W4<6I(Cn`fY6SgU^qocfl_p4NgqeZWDP@nnK4dtp>4B
z=9+JI+^g;uDmUD4y6iAF<Tj>TuVUA_Z^Oj>NFvCoeNQy*213@vl{hs~W{~+r9c5?O
z93+<QJeI@FXa>hRjrj0x+Q9V6623D8*m*<<b+%^WUlT0~`OOOxfpce%h*C@YcGd(D
z+H#Q+onYtk*PK3tX<HN-mv~C(?jY)Q5y*0dyV#<i{Cs0A5h8he%hi>2sxqz@tWB34
zAix^uguL*?wDZ*8QsdzmahiNgtl6*|U@B0(N{9j)-CsXgL{x;M54B_I@;@71?gT9o
zwrl6#$uI<>MT6DGUO?C$p=<%Rxm5W;i(b}SBZ^Z*YKI&coxF{Ro(SyUyLT^8B0Vt~
zw*D`(T=gjPZHo5TG{I1gbqsd%fI}G@{C#di`8$yp&Yw2~g4buKa+0u6oVIgL`&$qr
z+%VMk@oyu-`XMw|I=-qaQ!NpfdhOms0M{Ol5M`860+}rPz`&A<Vm37L#7!>TG99^b
zm=Ku>z>XhHsK-MF?y65_{Lugg?5`#A1@?znrvN*}^3N3RvJ3h5$^9|Qn!r4p?12AY
zcCR-7|2FRi!uFsIp&#FtySn^A`P&TuZid;V>4_c~1QjXPvy_=dsg-<=+Bdq@xnECQ
z912H~bUz$NUf=55rMTWa93m#F!hS1gGOxvZpHUzPjs99I`q(@r+%Rwa#^{f)elH}1
z8*0C6{@KL0`lI5FH;P$zt^Uyg$`;gTYiRtl<3t46ls;zi0s$R|fY)vtN9zL1LlOT5
D+DP{Z

literal 0
HcmV?d00001

diff --git a/docs/manifest.json b/docs/manifest.json
index 6f2fbf33ac..fa1b7c0f38 100644
--- a/docs/manifest.json
+++ b/docs/manifest.json
@@ -1252,6 +1252,12 @@
 										}
 									]
 								},
+								{
+									"title": "Provider Configuration",
+									"description": "How AI Gateway stores, seeds, and reloads provider configuration",
+									"path": "./ai-coder/ai-gateway/providers.md",
+									"state": ["ai governance add-on"]
+								},
 								{
 									"title": "Auditing AI Sessions",
 									"description": "How to audit AI sessions",

From 644820cb28fb8ea5937da125e8d3fec6f24e377f Mon Sep 17 00:00:00 2001
From: Ethan <39577870+ethanndickson@users.noreply.github.com>
Date: Mon, 1 Jun 2026 23:36:39 +1000
Subject: [PATCH 17/23] fix(site/src/pages/AgentsPage): stabilize settings
 story (#25899)

I ran into the `SettingsViewResets` Storybook flake twice on my branch.
The story reopens Agents settings immediately after clicking `Back to
Agents`, but the helper was synchronously checking for the desktop
`Settings` link before React Router had finished rendering `/agents`; on
desktop it could then fall through to the mobile-only `More options`
menu and fail.

Use `findByRole` for the desktop `Settings` link so the helper waits for
the accessible sidebar link before clicking it, matching the existing
Storybook interaction pattern used elsewhere in Agents stories.
---
 .../AgentsPage/AgentsPageView.stories.tsx      | 18 +-----------------
 1 file changed, 1 insertion(+), 17 deletions(-)

diff --git a/site/src/pages/AgentsPage/AgentsPageView.stories.tsx b/site/src/pages/AgentsPage/AgentsPageView.stories.tsx
index c3cd51d681..d2a2359b97 100644
--- a/site/src/pages/AgentsPage/AgentsPageView.stories.tsx
+++ b/site/src/pages/AgentsPage/AgentsPageView.stories.tsx
@@ -936,23 +936,7 @@ export const WithErrorReasons: Story = {
 
 const openSettingsView = async (canvasElement: HTMLElement) => {
 	const canvas = within(canvasElement);
-	const settingsLink = canvas.queryByRole("link", { name: "Settings" });
-	if (settingsLink) {
-		await userEvent.click(settingsLink);
-		return;
-	}
-
-	const mobileMoreOptionsButton = canvas
-		.getAllByRole("button", { name: "More options" })
-		.find((button) => button.getAttribute("aria-haspopup") === "menu");
-	if (!mobileMoreOptionsButton) {
-		throw new Error("Expected a mobile More options menu button.");
-	}
-	await userEvent.click(mobileMoreOptionsButton);
-	const body = within(canvasElement.ownerDocument.body);
-	await userEvent.click(
-		await body.findByRole("menuitem", { name: "Settings" }),
-	);
+	await userEvent.click(await canvas.findByRole("link", { name: "Settings" }));
 };
 
 export const OpensAnalyticsForAdmins: Story = {

From fe257666d7709192fca7b1a80019d7d019915c71 Mon Sep 17 00:00:00 2001
From: Thomas Kosiewski <tk@coder.com>
Date: Mon, 1 Jun 2026 15:55:19 +0200
Subject: [PATCH 18/23] ci: refactor CI to use mise for shared tool setup
 (#25727)

---
 .github/actions/go-cache/action.yml        |  76 ++++++
 .github/actions/install-cosign/action.yaml |  10 -
 .github/actions/install-syft/action.yaml   |  10 -
 .github/actions/pnpm-install/action.yml    |  59 ++++
 .github/actions/setup-go-tools/action.yaml |  12 -
 .github/actions/setup-go/action.yaml       |  32 ---
 .github/actions/setup-mise/action.yml      | 168 ++++++++++++
 .github/actions/setup-mise/checksums.toml  |   9 +
 .github/actions/setup-node/action.yaml     |  44 ---
 .github/actions/setup-sqlc/action.yaml     |  17 --
 .github/actions/setup-tf/action.yaml       |  11 -
 .github/workflows/ci.yaml                  | 304 +++++++++++----------
 .github/workflows/dogfood.yaml             |  57 +---
 .github/workflows/flake-go.yaml            |  20 +-
 .github/workflows/nightly-gauntlet.yaml    |  13 +-
 .github/workflows/pr-deploy.yaml           |  17 +-
 .github/workflows/release.yaml             |  29 +-
 .github/workflows/security.yaml            |   9 +-
 .github/workflows/weekly-docs.yaml         |  61 ++++-
 Makefile                                   |  50 ++--
 docs/about/contributing/CONTRIBUTING.md    |   6 +-
 flake.nix                                  |  41 +++
 go.mod                                     |   5 -
 go.sum                                     |   6 -
 mise.lock                                  | 219 ++++++++++-----
 mise.toml                                  |  22 +-
 scripts/check_go_versions.sh               |   7 -
 scripts/check_mise_versions.sh             | 150 ++++++++++
 scripts/mise_checksum.sh                   |  30 ++
 scripts/should_deploy.sh                   |  66 +----
 scripts/zizmor.sh                          |  46 ----
 31 files changed, 995 insertions(+), 611 deletions(-)
 create mode 100644 .github/actions/go-cache/action.yml
 delete mode 100644 .github/actions/install-cosign/action.yaml
 delete mode 100644 .github/actions/install-syft/action.yaml
 create mode 100644 .github/actions/pnpm-install/action.yml
 delete mode 100644 .github/actions/setup-go-tools/action.yaml
 delete mode 100644 .github/actions/setup-go/action.yaml
 create mode 100644 .github/actions/setup-mise/action.yml
 create mode 100644 .github/actions/setup-mise/checksums.toml
 delete mode 100644 .github/actions/setup-node/action.yaml
 delete mode 100644 .github/actions/setup-sqlc/action.yaml
 delete mode 100644 .github/actions/setup-tf/action.yaml
 create mode 100755 scripts/check_mise_versions.sh
 create mode 100755 scripts/mise_checksum.sh
 delete mode 100755 scripts/zizmor.sh

diff --git a/.github/actions/go-cache/action.yml b/.github/actions/go-cache/action.yml
new file mode 100644
index 0000000000..d77abaedec
--- /dev/null
+++ b/.github/actions/go-cache/action.yml
@@ -0,0 +1,76 @@
+name: "Go cache"
+description: Restore and save Go build and module caches.
+inputs:
+  cache-path:
+    description: "Optional newline-delimited cache paths. Defaults to go env GOCACHE and GOMODCACHE."
+    required: false
+    default: ""
+  key-prefix:
+    description: "Prefix for the cache key."
+    required: false
+    default: "go"
+  download-modules:
+    description: "Whether to run go mod download after restoring cache."
+    required: false
+    default: "true"
+runs:
+  using: "composite"
+  steps:
+    - name: Compute Go cache key
+      id: go-cache
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        if [[ -n "${INPUT_CACHE_PATH}" ]]; then
+          paths="${INPUT_CACHE_PATH}"
+        else
+          paths="$(printf '%s\n%s' "$(go env GOCACHE)" "$(go env GOMODCACHE)")"
+        fi
+
+        go_version="$(go env GOVERSION)"
+        paths_hash="$(printf '%s\n' "${paths}" | git hash-object --stdin)"
+        hash="$(
+          {
+            printf '%s\n' "${go_version}"
+            for file in go.mod go.sum; do
+              if [[ -f "${file}" ]]; then
+                git hash-object "${file}"
+              fi
+            done
+          } | git hash-object --stdin
+        )"
+
+        {
+          echo "path<<EOF"
+          echo "${paths}"
+          echo "EOF"
+          echo "key=${INPUT_KEY_PREFIX}-${RUNNER_OS}-${RUNNER_ARCH}-${paths_hash}-${hash}"
+          echo "restore-key=${INPUT_KEY_PREFIX}-${RUNNER_OS}-${RUNNER_ARCH}-${paths_hash}-"
+        } >> "$GITHUB_OUTPUT"
+      env:
+        INPUT_CACHE_PATH: ${{ inputs.cache-path }}
+        INPUT_KEY_PREFIX: ${{ inputs.key-prefix }}
+
+    - name: Restore Go cache, save on main
+      if: ${{ github.ref == 'refs/heads/main' }}
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+      with:
+        path: ${{ steps.go-cache.outputs.path }}
+        key: ${{ steps.go-cache.outputs.key }}
+        restore-keys: |
+          ${{ steps.go-cache.outputs.restore-key }}
+
+    - name: Restore Go cache read-only
+      if: ${{ github.ref != 'refs/heads/main' }}
+      uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+      with:
+        path: ${{ steps.go-cache.outputs.path }}
+        key: ${{ steps.go-cache.outputs.key }}
+        restore-keys: |
+          ${{ steps.go-cache.outputs.restore-key }}
+
+    - name: Download Go modules
+      if: ${{ inputs.download-modules == 'true' }}
+      shell: bash
+      run: ./.github/scripts/retry.sh -- go mod download -x
diff --git a/.github/actions/install-cosign/action.yaml b/.github/actions/install-cosign/action.yaml
deleted file mode 100644
index acaf7ba1a7..0000000000
--- a/.github/actions/install-cosign/action.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-name: "Install cosign"
-description: |
-  Cosign Github Action.
-runs:
-  using: "composite"
-  steps:
-    - name: Install cosign
-      uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
-      with:
-        cosign-release: "v2.4.3"
diff --git a/.github/actions/install-syft/action.yaml b/.github/actions/install-syft/action.yaml
deleted file mode 100644
index 0f8a440801..0000000000
--- a/.github/actions/install-syft/action.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-name: "Install syft"
-description: |
-  Downloads Syft to the Action tool cache and provides a reference.
-runs:
-  using: "composite"
-  steps:
-    - name: Install syft
-      uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
-      with:
-        syft-version: "v1.26.1"
diff --git a/.github/actions/pnpm-install/action.yml b/.github/actions/pnpm-install/action.yml
new file mode 100644
index 0000000000..8ba01f6a32
--- /dev/null
+++ b/.github/actions/pnpm-install/action.yml
@@ -0,0 +1,59 @@
+name: "pnpm install"
+description: Restore pnpm store cache and install root plus workspace dependencies.
+inputs:
+  directory:
+    description: "Workspace directory to install after the repository root."
+    required: false
+    default: "site"
+runs:
+  using: "composite"
+  steps:
+    - name: Compute pnpm cache key
+      id: pnpm-cache
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        store_path="$(pnpm store path --silent)"
+        hash="$(
+          for file in pnpm-lock.yaml "${INPUT_DIRECTORY}/pnpm-lock.yaml"; do
+            if [[ -f "${file}" ]]; then
+              git hash-object "${file}"
+            fi
+          done | git hash-object --stdin
+        )"
+
+        {
+          echo "store-path=${store_path}"
+          echo "key=pnpm-${RUNNER_OS}-${RUNNER_ARCH}-${INPUT_DIRECTORY}-${hash}"
+          echo "restore-key=pnpm-${RUNNER_OS}-${RUNNER_ARCH}-${INPUT_DIRECTORY}-"
+        } >> "$GITHUB_OUTPUT"
+      env:
+        INPUT_DIRECTORY: ${{ inputs.directory }}
+
+    - name: Restore and save pnpm cache
+      if: ${{ github.ref == 'refs/heads/main' }}
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+      with:
+        path: ${{ steps.pnpm-cache.outputs.store-path }}
+        key: ${{ steps.pnpm-cache.outputs.key }}
+        restore-keys: |
+          ${{ steps.pnpm-cache.outputs.restore-key }}
+
+    - name: Restore pnpm cache
+      if: ${{ github.ref != 'refs/heads/main' }}
+      uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+      with:
+        path: ${{ steps.pnpm-cache.outputs.store-path }}
+        key: ${{ steps.pnpm-cache.outputs.key }}
+        restore-keys: |
+          ${{ steps.pnpm-cache.outputs.restore-key }}
+
+    - name: Install root node_modules
+      shell: bash
+      run: ./scripts/pnpm_install.sh
+
+    - name: Install node_modules
+      shell: bash
+      run: "${GITHUB_WORKSPACE}/scripts/pnpm_install.sh"
+      working-directory: ${{ github.workspace }}/${{ inputs.directory }}
diff --git a/.github/actions/setup-go-tools/action.yaml b/.github/actions/setup-go-tools/action.yaml
deleted file mode 100644
index c8e600d656..0000000000
--- a/.github/actions/setup-go-tools/action.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-name: "Setup Go tools"
-description: |
-  Set up tools for `make gen`, `offlinedocs` and Schmoder CI.
-runs:
-  using: "composite"
-  steps:
-    - name: go install tools
-      shell: bash
-      run: |
-          ./.github/scripts/retry.sh -- go install tool
-          # NOTE: protoc-gen-go cannot be installed with `go get`
-          ./.github/scripts/retry.sh -- go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.30
diff --git a/.github/actions/setup-go/action.yaml b/.github/actions/setup-go/action.yaml
deleted file mode 100644
index ee7f17a40e..0000000000
--- a/.github/actions/setup-go/action.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-name: "Setup Go"
-description: |
-  Sets up the Go environment for tests, builds, etc.
-inputs:
-  version:
-    description: "The Go version to use."
-    default: "1.26.2"
-  use-cache:
-    description: "Whether to use the cache."
-    default: "true"
-runs:
-  using: "composite"
-  steps:
-    - name: Setup Go
-      uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
-      with:
-        go-version: ${{ inputs.version }}
-        cache: ${{ inputs.use-cache }}
-
-    - name: Install gotestsum
-      shell: bash
-      run: ./.github/scripts/retry.sh -- go install gotest.tools/gotestsum@0d9599e513d70e5792bb9334869f82f6e8b53d4d # main as of 2025-05-15
-
-    - name: Install mtimehash
-      shell: bash
-      run: ./.github/scripts/retry.sh -- go install github.com/slsyy/mtimehash/cmd/mtimehash@a6b5da4ed2c4a40e7b805534b004e9fde7b53ce0 # v1.0.0
-
-    # It isn't necessary that we ever do this, but it helps
-    # separate the "setup" from the "run" times.
-    - name: go mod download
-      shell: bash
-      run: ./.github/scripts/retry.sh -- go mod download -x
diff --git a/.github/actions/setup-mise/action.yml b/.github/actions/setup-mise/action.yml
new file mode 100644
index 0000000000..847eb6ef51
--- /dev/null
+++ b/.github/actions/setup-mise/action.yml
@@ -0,0 +1,168 @@
+name: Setup mise
+description: Install mise tools from SHA256-pinned binaries, with CI-layer caching.
+inputs:
+  install-args:
+    description: Tool names or extra arguments passed to mise install. --locked is added by default.
+    required: false
+    default: ""
+  locked:
+    description: Whether to pass --locked to mise install.
+    required: false
+    default: "true"
+  cache-key-prefix:
+    description: Prefix for mise tool cache keys.
+    required: false
+    default: mise-ci-v1
+  mise-version:
+    description: mise version to install.
+    required: false
+    default: "2026.5.12"
+  mise-sha256:
+    description: SHA256 checksum for the mise binary.
+    required: false
+    default: ""
+  use-cache:
+    description: Whether to restore and save mise tool caches.
+    required: false
+    default: "true"
+runs:
+  using: composite
+  steps:
+    - name: Compute mise cache key
+      id: cache-key
+      shell: bash
+      env:
+        CACHE_KEY_PREFIX: ${{ inputs.cache-key-prefix }}
+        INPUT_INSTALL_ARGS: ${{ inputs.install-args }}
+        INPUT_LOCKED: ${{ inputs.locked }}
+        MISE_VERSION: ${{ inputs.mise-version }}
+        RUNNER_ARCH: ${{ runner.arch }}
+        RUNNER_OS: ${{ runner.os }}
+      run: |
+        set -euo pipefail
+
+        case "${INPUT_LOCKED}" in
+          true)
+            if [[ -n "${INPUT_INSTALL_ARGS}" ]]; then
+              install_args="--locked ${INPUT_INSTALL_ARGS}"
+            else
+              install_args="--locked"
+            fi
+            ;;
+          false)
+            install_args="${INPUT_INSTALL_ARGS}"
+            ;;
+          *)
+            echo "::error::locked must be true or false."
+            exit 1
+            ;;
+        esac
+
+        install_args_hash="$(printf '%s' "$install_args" | git hash-object --stdin)"
+        files_hash="$(git hash-object mise.toml mise.lock | git hash-object --stdin)"
+        key="${CACHE_KEY_PREFIX}-${RUNNER_OS}-${RUNNER_ARCH}-${MISE_VERSION}-${install_args_hash}-${files_hash}"
+        restore_key="${CACHE_KEY_PREFIX}-${RUNNER_OS}-${RUNNER_ARCH}-${MISE_VERSION}-${install_args_hash}-"
+
+        {
+          echo "install-args<<EOF"
+          echo "${install_args}"
+          echo "EOF"
+          echo "key=$key"
+          echo "restore-key=$restore_key"
+        } >> "$GITHUB_OUTPUT"
+
+    - name: Select mise checksum
+      id: checksum
+      shell: bash
+      env:
+        CHECKSUMS_FILE: ${{ github.action_path }}/checksums.toml
+        INPUT_MISE_SHA256: ${{ inputs.mise-sha256 }}
+        MISE_CHECKSUM_SCRIPT: ${{ github.workspace }}/scripts/mise_checksum.sh
+        MISE_VERSION: ${{ inputs.mise-version }}
+        RUNNER_ARCH: ${{ runner.arch }}
+        RUNNER_OS: ${{ runner.os }}
+      run: |
+        set -euo pipefail
+
+        checksum="${INPUT_MISE_SHA256}"
+        if [[ -z "${checksum}" ]]; then
+          case "${RUNNER_OS}-${RUNNER_ARCH}" in
+            Linux-X64)
+              target="linux-x64"
+              ;;
+            Linux-ARM64)
+              target="linux-arm64"
+              ;;
+            macOS-X64)
+              target="macos-x64"
+              ;;
+            macOS-ARM64)
+              target="macos-arm64"
+              ;;
+            Windows-X64)
+              target="windows-x64"
+              ;;
+            *)
+              echo "::error::No mise checksum is pinned for ${RUNNER_OS}-${RUNNER_ARCH}."
+              exit 1
+              ;;
+          esac
+
+          checksum="$("${MISE_CHECKSUM_SCRIPT}" "${CHECKSUMS_FILE}" "${MISE_VERSION}" "${target}")"
+          if [[ -z "${checksum}" ]]; then
+            echo "::error::No mise checksum is pinned for mise ${MISE_VERSION} on ${target}."
+            exit 1
+          fi
+        fi
+
+        echo "sha256=${checksum}" >> "$GITHUB_OUTPUT"
+
+    - name: Configure mise data directory
+      id: mise-data-dir
+      shell: bash
+      env:
+        RUNNER_OS: ${{ runner.os }}
+      run: | # zizmor: ignore[github-env] MISE_DATA_DIR uses only runner-provided paths.
+        set -euo pipefail
+
+        if [[ "${RUNNER_OS}" == "Windows" ]]; then
+          data_dir="${LOCALAPPDATA:-${USERPROFILE}\\AppData\\Local}\\mise"
+        else
+          data_dir="${RUNNER_TEMP}/mise-data"
+        fi
+
+        {
+          printf 'path=%s\n' "${data_dir}"
+        } >> "$GITHUB_OUTPUT"
+        printf 'MISE_DATA_DIR=%s\n' "${data_dir}" >> "$GITHUB_ENV"
+
+    - name: Cache mise tools
+      if: ${{ inputs.use-cache == 'true' && github.ref == 'refs/heads/main' }}
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+      with:
+        path: |
+          ~/.cache/mise
+          ${{ steps.mise-data-dir.outputs.path }}
+        key: ${{ steps.cache-key.outputs.key }}
+        restore-keys: |
+          ${{ steps.cache-key.outputs.restore-key }}
+
+    - name: Restore mise tools
+      if: ${{ inputs.use-cache == 'true' && github.ref != 'refs/heads/main' }}
+      uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+      with:
+        path: |
+          ~/.cache/mise
+          ${{ steps.mise-data-dir.outputs.path }}
+        key: ${{ steps.cache-key.outputs.key }}
+        restore-keys: |
+          ${{ steps.cache-key.outputs.restore-key }}
+
+    - name: Install mise tools
+      uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
+      with:
+        version: ${{ inputs.mise-version }}
+        sha256: ${{ steps.checksum.outputs.sha256 }}
+        mise_dir: ${{ steps.mise-data-dir.outputs.path }}
+        install_args: ${{ steps.cache-key.outputs.install-args }}
+        cache: "false"
diff --git a/.github/actions/setup-mise/checksums.toml b/.github/actions/setup-mise/checksums.toml
new file mode 100644
index 0000000000..046a08492d
--- /dev/null
+++ b/.github/actions/setup-mise/checksums.toml
@@ -0,0 +1,9 @@
+# SHA256 hashes of the extracted mise binary verified by jdx/mise-action.
+# Keys use the GitHub runner target for each release artifact.
+
+["2026.5.12"]
+linux-x64 = "a238972a3162d710b85b28c324372e96ca4e4b486c81fe78695000d9fbc77c48"
+linux-arm64 = "fd2d5227a8ad0b1e359c70527a8345a9ada72077f8dcbb559371653c3d95464f"
+macos-x64 = "de57e8dc82bbd880a69c9bc8aee06b9dcc578184b3e5cf86fcef80635d6a90b4"
+macos-arm64 = "e777070540ffe22cf8b2b9f88aed88b461d0887d940c4f1c1a97359463cde6e1"
+windows-x64 = "adf1b4c9f51e7d15cff723056fcd8fd51f40ebacadcca97fd5758c44d469d5ea"
diff --git a/.github/actions/setup-node/action.yaml b/.github/actions/setup-node/action.yaml
deleted file mode 100644
index 0c276f0ab8..0000000000
--- a/.github/actions/setup-node/action.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-name: "Setup Node"
-description: |
-  Sets up the node environment for tests, builds, etc.
-inputs:
-  directory:
-    description: |
-      The directory to run the setup in.
-    required: false
-    default: "site"
-runs:
-  using: "composite"
-  steps:
-    - name: Install pnpm
-      uses: pnpm/action-setup@739bfe42ca9233c5e6aca07c1a25a9d34aca49b0 # v6.0.7
-
-    - name: Setup Node
-      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
-      with:
-        node-version: 22.19.0
-        # See https://github.com/actions/setup-node#caching-global-packages-data
-        cache: "pnpm"
-        cache-dependency-path: ${{ inputs.directory }}/pnpm-lock.yaml
-
-    - name: Verify Node
-      shell: bash
-      run: |
-        set -euo pipefail
-
-        expected="v22.19.0"
-        actual="$(node --version)"
-        if [[ "$actual" != "$expected" ]]; then
-          echo "::error::Expected Node.js $expected, but got $actual from $(command -v node)."
-          exit 1
-        fi
-        echo "Node.js $actual is active at $(command -v node)."
-
-    - name: Install root node_modules
-      shell: bash
-      run: ./scripts/pnpm_install.sh
-
-    - name: Install node_modules
-      shell: bash
-      run: ../scripts/pnpm_install.sh
-      working-directory: ${{ inputs.directory }}
diff --git a/.github/actions/setup-sqlc/action.yaml b/.github/actions/setup-sqlc/action.yaml
deleted file mode 100644
index 029a3f5fe4..0000000000
--- a/.github/actions/setup-sqlc/action.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-name: Setup sqlc
-description: |
-  Sets up the sqlc environment for tests, builds, etc.
-runs:
-  using: "composite"
-  steps:
-    - name: Setup sqlc
-      # uses: sqlc-dev/setup-sqlc@c0209b9199cd1cce6a14fc27cabcec491b651761 # v4.0.0
-      # with:
-      #   sqlc-version: "1.30.0"
-
-      # Switched to coder/sqlc fork to fix ambiguous column bug, see:
-      # - https://github.com/coder/sqlc/pull/1
-      # - https://github.com/sqlc-dev/sqlc/pull/4159
-      shell: bash
-      run: |
-        ./.github/scripts/retry.sh -- env CGO_ENABLED=1 go install github.com/coder/sqlc/cmd/sqlc@337309bfb9524f38466a5090e310040fc7af0203
diff --git a/.github/actions/setup-tf/action.yaml b/.github/actions/setup-tf/action.yaml
deleted file mode 100644
index 22c7253050..0000000000
--- a/.github/actions/setup-tf/action.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-name: "Setup Terraform"
-description: |
-  Sets up Terraform for tests, builds, etc.
-runs:
-  using: "composite"
-  steps:
-    - name: Install Terraform
-      uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
-      with:
-        terraform_version: 1.15.5
-        terraform_wrapper: false
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 78d6aba61a..63fd8f4359 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -151,8 +151,13 @@ jobs:
           fetch-depth: 1
           persist-credentials: false
 
-      - name: Setup Node
-        uses: ./.github/actions/setup-node
+      - name: Set up mise tools
+        uses: ./.github/actions/setup-mise
+        with:
+          install-args: "node pnpm"
+
+      - name: Install pnpm dependencies
+        uses: ./.github/actions/pnpm-install
 
       - name: Check docs
         run: pnpm check-docs
@@ -171,8 +176,10 @@ jobs:
   #         # See: https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#commits-made-by-this-action-do-not-trigger-new-workflow-runs
   #         token: ${{ secrets.CDRCI_GITHUB_TOKEN }}
 
-  #     - name: Setup Go
-  #       uses: ./.github/actions/setup-go
+  #     - name: Set up mise tools
+  #       uses: ./.github/actions/setup-mise
+  #       with:
+  #         install-args: "go"
 
   #     - name: Update Nix Flake SRI Hash
   #       run: ./scripts/update-flake.sh
@@ -208,18 +215,22 @@ jobs:
           fetch-depth: 1
           persist-credentials: false
 
-      - name: Setup Node
-        uses: ./.github/actions/setup-node
+      - name: Set up mise tools
+        uses: ./.github/actions/setup-mise
+        with:
+          install-args: "go node pnpm helm actionlint aqua:crate-ci/typos"
 
-      - name: Setup Go
-        uses: ./.github/actions/setup-go
+      - name: Install pnpm dependencies
+        uses: ./.github/actions/pnpm-install
+
+      - name: Restore Go cache
+        uses: ./.github/actions/go-cache
+
+      - name: Install Go mise tools
+        run: ./.github/scripts/retry.sh -- mise install --locked go:github.com/golangci/golangci-lint/cmd/golangci-lint go:github.com/coder/paralleltestctx/cmd/paralleltestctx
 
       - name: Get golangci-lint cache dir
         run: |
-          # mise.toml is the source of truth for tool versions baked into
-          # the dogfood image; pull the same version for the lint job.
-          linter_ver=$(grep -Eo '^golangci-lint = "[^"]+"' mise.toml | sed -E 's/.*"([^"]+)"/\1/')
-          ./.github/scripts/retry.sh -- go install "github.com/golangci/golangci-lint/cmd/golangci-lint@v$linter_ver"
           dir=$(golangci-lint cache status | awk '/Dir/ { print $2 }')
           echo "LINT_CACHE_DIR=$dir" >> "$GITHUB_ENV"
 
@@ -239,35 +250,13 @@ jobs:
 
       # Check for any typos
       - name: Check for typos
-        uses: crate-ci/typos@cf5f1c29a8ac336af8568821ec41919923b05a83 # v1.45.1
-        with:
-          config: .github/workflows/typos.toml
+        run: typos --config .github/workflows/typos.toml
 
       - name: Fix the typos
         if: ${{ failure() }}
         run: |
           echo "::notice:: you can automatically fix typos from your CLI:
-          cargo install typos-cli
-          typos -c .github/workflows/typos.toml -w"
-
-      # Needed for helm chart linting
-      - name: Install helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
-        with:
-          version: v3.9.2
-        continue-on-error: true
-        id: setup-helm
-
-      - name: Install helm (fallback)
-        if: steps.setup-helm.outcome == 'failure'
-        # Fallback to Buildkite's apt repository if get.helm.sh is down.
-        # See: https://github.com/coder/internal/issues/1109
-        run: |
-          set -euo pipefail
-          curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey | gpg --dearmor | sudo tee /usr/share/keyrings/helm.gpg > /dev/null
-          echo "deb [signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian/any/ any main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list
-          sudo apt-get update
-          sudo apt-get install -y helm=3.9.2-1
+          mise exec aqua:crate-ci/typos -- typos -c .github/workflows/typos.toml -w"
 
       - name: Verify helm version
         run: helm version --short
@@ -287,15 +276,11 @@ jobs:
           key: ${{ steps.golangci-lint-cache.outputs.cache-primary-key }}
 
       - name: Check workflow files
-        run: |
-          bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) 1.7.4
-          ./actionlint -color -shellcheck= -ignore "set-output"
+        run: actionlint -color -shellcheck= -ignore "set-output"
         shell: bash
 
       - name: Check for unstaged files
-        run: |
-          rm -f ./actionlint ./typos
-          ./scripts/check_unstaged.sh
+        run: ./scripts/check_unstaged.sh
         shell: bash
 
   lint-actions:
@@ -303,7 +288,7 @@ jobs:
     # Only run this job if changes to CI workflow files are detected. This job
     # can flake as it reaches out to GitHub to check referenced actions.
     if: needs.changes.outputs.ci == 'true'
-    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
+    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-24.04-8' || 'ubuntu-24.04' }}
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
@@ -316,8 +301,10 @@ jobs:
           fetch-depth: 1
           persist-credentials: false
 
-      - name: Setup Go
-        uses: ./.github/actions/setup-go
+      - name: Set up mise tools
+        uses: ./.github/actions/setup-mise
+        with:
+          install-args: "actionlint zizmor"
 
       - name: make lint/actions
         run: make --output-sync=line -j lint/actions
@@ -341,30 +328,19 @@ jobs:
           fetch-depth: 1
           persist-credentials: false
 
-      - name: Setup Node
-        uses: ./.github/actions/setup-node
+      - name: Set up mise tools
+        uses: ./.github/actions/setup-mise
+        with:
+          install-args: "go node pnpm terraform protoc protoc-gen-go"
 
-      - name: Setup Go
-        uses: ./.github/actions/setup-go
+      - name: Install pnpm dependencies
+        uses: ./.github/actions/pnpm-install
 
-      - name: Setup sqlc
-        uses: ./.github/actions/setup-sqlc
+      - name: Restore Go cache
+        uses: ./.github/actions/go-cache
 
-      - name: Setup Terraform
-        uses: ./.github/actions/setup-tf
-
-      - name: go install tools
-        uses: ./.github/actions/setup-go-tools
-
-      - name: Install Protoc
-        run: |
-          mkdir -p /tmp/proto
-          pushd /tmp/proto
-          curl -L -o protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v23.4/protoc-23.4-linux-x86_64.zip
-          unzip protoc.zip
-          sudo cp -r ./bin/* /usr/local/bin
-          sudo cp -r ./include /usr/local/bin/include
-          popd
+      - name: Install Go mise tools
+        run: ./.github/scripts/retry.sh -- mise install --locked go:storj.io/drpc/cmd/protoc-gen-go-drpc go:github.com/coder/sqlc/cmd/sqlc
 
       - name: make gen
         timeout-minutes: 8
@@ -396,24 +372,26 @@ jobs:
           fetch-depth: 1
           persist-credentials: false
 
-      - name: Setup Node
-        uses: ./.github/actions/setup-node
-
       - name: Check Go version
         run: IGNORE_NIX=true ./scripts/check_go_versions.sh
 
-      # Use default Go version
-      - name: Setup Go
-        uses: ./.github/actions/setup-go
+      - name: Set up mise tools
+        uses: ./.github/actions/setup-mise
+        with:
+          install-args: "go node pnpm terraform"
 
-      - name: Install shfmt
-        run: ./.github/scripts/retry.sh -- go install mvdan.cc/sh/v3/cmd/shfmt@v3.7.0
+      - name: Install pnpm dependencies
+        uses: ./.github/actions/pnpm-install
+
+      - name: Restore Go cache
+        uses: ./.github/actions/go-cache
+
+      - name: Install Go mise tools
+        run: ./.github/scripts/retry.sh -- mise install --locked go:mvdan.cc/sh/v3/cmd/shfmt
 
       - name: make fmt
         timeout-minutes: 7
-        run: |
-          PATH="${PATH}:$(go env GOPATH)/bin" \
-            make --output-sync -j -B fmt
+        run: make --output-sync -j -B fmt
 
       - name: Check for unstaged files
         run: ./scripts/check_unstaged.sh
@@ -476,13 +454,18 @@ jobs:
       - name: Setup GNU tools (macOS)
         uses: ./.github/actions/setup-gnu-tools
 
-      - name: Setup Go
-        uses: ./.github/actions/setup-go
+      - name: Set up mise tools
+        uses: ./.github/actions/setup-mise
         with:
-          use-cache: true
+          install-args: "go terraform"
 
-      - name: Setup Terraform
-        uses: ./.github/actions/setup-tf
+      - name: Restore Go cache
+        uses: ./.github/actions/go-cache
+        with:
+          cache-path: ${{ steps.go-paths.outputs.cached-dirs }}
+
+      - name: Install Go mise tools
+        run: ./.github/scripts/retry.sh -- mise install --locked go:gotest.tools/gotestsum go:github.com/slsyy/mtimehash/cmd/mtimehash
 
       - name: Download Test Cache
         id: download-cache
@@ -651,11 +634,16 @@ jobs:
           fetch-depth: 1
           persist-credentials: false
 
-      - name: Setup Go
-        uses: ./.github/actions/setup-go
+      - name: Set up mise tools
+        uses: ./.github/actions/setup-mise
+        with:
+          install-args: "go terraform"
 
-      - name: Setup Terraform
-        uses: ./.github/actions/setup-tf
+      - name: Restore Go cache
+        uses: ./.github/actions/go-cache
+
+      - name: Install Go mise tools
+        run: ./.github/scripts/retry.sh -- mise install --locked go:gotest.tools/gotestsum
 
       - name: Download Test Cache
         id: download-cache
@@ -720,11 +708,16 @@ jobs:
           fetch-depth: 1
           persist-credentials: false
 
-      - name: Setup Go
-        uses: ./.github/actions/setup-go
+      - name: Set up mise tools
+        uses: ./.github/actions/setup-mise
+        with:
+          install-args: "go terraform"
 
-      - name: Setup Terraform
-        uses: ./.github/actions/setup-tf
+      - name: Restore Go cache
+        uses: ./.github/actions/go-cache
+
+      - name: Install Go mise tools
+        run: ./.github/scripts/retry.sh -- mise install --locked go:gotest.tools/gotestsum
 
       - name: Download Test Cache
         id: download-cache
@@ -799,8 +792,13 @@ jobs:
           fetch-depth: 1
           persist-credentials: false
 
-      - name: Setup Go
-        uses: ./.github/actions/setup-go
+      - name: Set up mise tools
+        uses: ./.github/actions/setup-mise
+        with:
+          install-args: "go"
+
+      - name: Restore Go cache
+        uses: ./.github/actions/go-cache
 
       # Used by some integration tests.
       - name: Install Nginx
@@ -826,8 +824,13 @@ jobs:
           fetch-depth: 1
           persist-credentials: false
 
-      - name: Setup Node
-        uses: ./.github/actions/setup-node
+      - name: Set up mise tools
+        uses: ./.github/actions/setup-mise
+        with:
+          install-args: "node pnpm"
+
+      - name: Install pnpm dependencies
+        uses: ./.github/actions/pnpm-install
 
       - run: pnpm test:ci --max-workers "$(nproc)"
         working-directory: site
@@ -859,11 +862,16 @@ jobs:
           fetch-depth: 1
           persist-credentials: false
 
-      - name: Setup Node
-        uses: ./.github/actions/setup-node
+      - name: Set up mise tools
+        uses: ./.github/actions/setup-mise
+        with:
+          install-args: "go node pnpm"
 
-      - name: Setup Go
-        uses: ./.github/actions/setup-go
+      - name: Install pnpm dependencies
+        uses: ./.github/actions/pnpm-install
+
+      - name: Restore Go cache
+        uses: ./.github/actions/go-cache
 
       # Assume that the checked-in versions are up-to-date
       - run: make gen/mark-fresh
@@ -951,8 +959,13 @@ jobs:
           ref: ${{ github.event.pull_request.head.ref }}
           persist-credentials: false
 
-      - name: Setup Node
-        uses: ./.github/actions/setup-node
+      - name: Set up mise tools
+        uses: ./.github/actions/setup-mise
+        with:
+          install-args: "node pnpm"
+
+      - name: Install pnpm dependencies
+        uses: ./.github/actions/pnpm-install
 
       # This step is not meant for mainline because any detected changes to
       # storybook snapshots will require manual approval/review in order for
@@ -1030,29 +1043,21 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
-      - name: Setup Node
-        uses: ./.github/actions/setup-node
+      - name: Set up mise tools
+        uses: ./.github/actions/setup-mise
+        with:
+          install-args: "go node pnpm protoc protoc-gen-go"
+
+      - name: Install pnpm dependencies
+        uses: ./.github/actions/pnpm-install
         with:
           directory: offlinedocs
 
-      - name: Install Protoc
-        run: |
-          mkdir -p /tmp/proto
-          pushd /tmp/proto
-          curl -L -o protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v23.4/protoc-23.4-linux-x86_64.zip
-          unzip protoc.zip
-          sudo cp -r ./bin/* /usr/local/bin
-          sudo cp -r ./include /usr/local/bin/include
-          popd
+      - name: Restore Go cache
+        uses: ./.github/actions/go-cache
 
-      - name: Setup Go
-        uses: ./.github/actions/setup-go
-
-      - name: Install go tools
-        uses: ./.github/actions/setup-go-tools
-
-      - name: Setup sqlc
-        uses: ./.github/actions/setup-sqlc
+      - name: Install Go mise tools
+        run: ./.github/scripts/retry.sh -- mise install --locked go:storj.io/drpc/cmd/protoc-gen-go-drpc go:github.com/coder/sqlc/cmd/sqlc
 
       - name: Format
         run: |
@@ -1144,17 +1149,19 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
-      - name: Setup Node
-        uses: ./.github/actions/setup-node
+      - name: Set up mise tools
+        uses: ./.github/actions/setup-mise
+        with:
+          install-args: "go node pnpm"
 
-      - name: Setup Go
-        uses: ./.github/actions/setup-go
+      - name: Install pnpm dependencies
+        uses: ./.github/actions/pnpm-install
 
-      - name: Install go-winres
-        run: ./.github/scripts/retry.sh -- go install github.com/tc-hib/go-winres@d743268d7ea168077ddd443c4240562d4f5e8c3e # v0.3.3
+      - name: Restore Go cache
+        uses: ./.github/actions/go-cache
 
-      - name: Install nfpm
-        run: ./.github/scripts/retry.sh -- go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.35.1
+      - name: Install Go mise tools
+        run: ./.github/scripts/retry.sh -- mise install --locked go:github.com/tc-hib/go-winres go:github.com/goreleaser/nfpm/v2/cmd/nfpm
 
       - name: Install zstd
         run: sudo apt-get install -y zstd
@@ -1205,13 +1212,19 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Setup Node
-        uses: ./.github/actions/setup-node
-
-      - name: Setup Go
-        uses: ./.github/actions/setup-go
+      - name: Set up mise tools
+        uses: ./.github/actions/setup-mise
         with:
-          use-cache: false
+          install-args: "go node pnpm cosign syft"
+
+      - name: Install pnpm dependencies
+        uses: ./.github/actions/pnpm-install
+
+      - name: Restore Go cache
+        uses: ./.github/actions/go-cache
+
+      - name: Install Go mise tools
+        run: ./.github/scripts/retry.sh -- mise install --locked go:github.com/tc-hib/go-winres go:github.com/goreleaser/nfpm/v2/cmd/nfpm
 
       - name: Install rcodesign
         run: |
@@ -1241,21 +1254,9 @@ jobs:
           distribution: "zulu"
           java-version: "11.0"
 
-      - name: Install go-winres
-        run: ./.github/scripts/retry.sh -- go install github.com/tc-hib/go-winres@d743268d7ea168077ddd443c4240562d4f5e8c3e # v0.3.3
-
-      - name: Install nfpm
-        run: ./.github/scripts/retry.sh -- go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.35.1
-
       - name: Install zstd
         run: sudo apt-get install -y zstd
 
-      - name: Install cosign
-        uses: ./.github/actions/install-cosign
-
-      - name: Install syft
-        uses: ./.github/actions/install-syft
-
       - name: Setup Windows EV Signing Certificate
         run: |
           set -euo pipefail
@@ -1579,11 +1580,16 @@ jobs:
         with:
           fetch-depth: 1
           persist-credentials: false
-      - name: Setup Go
-        uses: ./.github/actions/setup-go
+      - name: Set up mise tools
+        uses: ./.github/actions/setup-mise
+        with:
+          install-args: "go"
 
-      - name: Setup sqlc
-        uses: ./.github/actions/setup-sqlc
+      - name: Restore Go cache
+        uses: ./.github/actions/go-cache
+
+      - name: Install Go mise tools
+        run: ./.github/scripts/retry.sh -- mise install --locked go:github.com/coder/sqlc/cmd/sqlc
 
       - name: Setup and run sqlc vet
         run: |
diff --git a/.github/workflows/dogfood.yaml b/.github/workflows/dogfood.yaml
index 9dcd853f79..c87b48b5ee 100644
--- a/.github/workflows/dogfood.yaml
+++ b/.github/workflows/dogfood.yaml
@@ -71,9 +71,6 @@ jobs:
       packages: write # push the dogfood base image to ghcr.io/coder/oss-dogfood-base
     env:
       # MISE_EXPERIMENTAL opts into the experimental `oci` subcommand.
-      # Trust is set via a config file (see the Install mise step
-      # below) rather than MISE_TRUSTED_CONFIG_PATHS so the workspace
-      # template can keep parity with the same file-based approach.
       MISE_EXPERIMENTAL: "1"
     steps:
       - name: Harden Runner
@@ -135,32 +132,9 @@ jobs:
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         if: matrix.image-version != 'nix'
 
-      - name: Install mise
-        if: matrix.image-version != 'nix'
-        # MISE_VERSION + MISE_SHA256 match dogfood/coder/ubuntu-*/Dockerfile.base
-        # so the mise binary baking the image is the same one a workspace
-        # ships with. `min_version` in mise.toml catches downgrades.
-        # Write trust config to ~/.config/mise/conf.d/ instead of using
-        # MISE_TRUSTED_CONFIG_PATHS so the same file-based approach
-        # works in workspaces (where the user owns the file).
-        env:
-          MISE_VERSION: v2026.5.12
-          MISE_SHA256: a238972a3162d710b85b28c324372e96ca4e4b486c81fe78695000d9fbc77c48
-          WORKSPACE: ${{ github.workspace }}
-        run: |
-          set -euo pipefail
-          curl --silent --show-error --location --fail \
-            "https://github.com/jdx/mise/releases/download/${MISE_VERSION}/mise-${MISE_VERSION}-linux-x64" \
-            --output /tmp/mise
-          echo "${MISE_SHA256}  /tmp/mise" | sha256sum -c
-          sudo install -m 0755 /tmp/mise /usr/local/bin/mise
-          rm /tmp/mise
-          mise --version
-          mkdir -p "$HOME/.config/mise/conf.d"
-          cat > "$HOME/.config/mise/conf.d/00-ci-trust.toml" <<EOF
-          [settings]
-          trusted_config_paths = ["$WORKSPACE"]
-          EOF
+      - name: Set up mise tools
+        if: matrix.image-version != 'nix' && !github.event.pull_request.head.repo.fork
+        uses: ./.github/actions/setup-mise
 
       - name: Compute image SHAs
         # Match the fork guard on the downstream consumers of these
@@ -216,25 +190,6 @@ jobs:
             ghcr.io/coder/oss-dogfood-base:${{ matrix.image-version }}-${{ steps.shas.outputs.base_sha }}
             ghcr.io/coder/oss-dogfood-base:${{ matrix.image-version }}-${{ steps.docker-tag-name.outputs.tag }}
 
-      - name: Install mise tools
-        if: matrix.image-version != 'nix' && !github.event.pull_request.head.repo.fork
-        # `mise oci build` packages already-installed tools into OCI
-        # layers; it does not install them. Run `mise install` first so
-        # the tools land in MISE_DATA_DIR on the runner.
-        # github_token raises aqua's API quota during tool installs.
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          # --locked refuses to resolve URLs at install time and forces
-          # the runner to consume what mise.lock already committed,
-          # so a forgotten lockfile entry fails CI instead of silently
-          # being added on next run.
-          mise install --yes --locked
-          # Put mise's shims dir on PATH for subsequent steps so
-          # `mise oci push --tool crane` can find crane (and any other
-          # mise-managed binary it shells out to).
-          echo "$HOME/.local/share/mise/shims" >> "$GITHUB_PATH"
-
       - name: Build mise oci layer
         if: matrix.image-version != 'nix' && !github.event.pull_request.head.repo.fork
         env:
@@ -360,8 +315,10 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Setup Terraform
-        uses: ./.github/actions/setup-tf
+      - name: Set up mise tools
+        uses: ./.github/actions/setup-mise
+        with:
+          install-args: "terraform"
 
       - name: Authenticate to Google Cloud
         uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
diff --git a/.github/workflows/flake-go.yaml b/.github/workflows/flake-go.yaml
index 1c7eb96dd0..e416519216 100644
--- a/.github/workflows/flake-go.yaml
+++ b/.github/workflows/flake-go.yaml
@@ -39,12 +39,16 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
-      - name: Setup Go
-        uses: ./.github/actions/setup-go
+      - name: Set up Go
+        uses: ./.github/actions/setup-mise
+        with:
+          install-args: "go"
 
-      - name: Install whichtests
-        shell: bash
-        run: ./.github/scripts/retry.sh -- go install github.com/coder/whichtests@ec33bab1ec04cd86beb7a61a069db4463dba63f5
+      - name: Restore Go cache
+        uses: ./.github/actions/go-cache
+
+      - name: Install Go mise tools
+        run: ./.github/scripts/retry.sh -- mise install --locked go:github.com/coder/whichtests
 
       - name: Select changed tests
         id: selector
@@ -57,9 +61,11 @@ jobs:
             --coalesce \
             --out-matrix "$RUNNER_TEMP/flake-matrix.json"
 
-      - name: Setup Terraform
+      - name: Set up Terraform
         if: ${{ fromJSON(steps.selector.outputs.matrix).include[0] != null }}
-        uses: ./.github/actions/setup-tf
+        uses: ./.github/actions/setup-mise
+        with:
+          install-args: "terraform"
 
       - name: Run targeted Go flake checks
         id: flake_check
diff --git a/.github/workflows/nightly-gauntlet.yaml b/.github/workflows/nightly-gauntlet.yaml
index 4d72ece76a..63aa8728e2 100644
--- a/.github/workflows/nightly-gauntlet.yaml
+++ b/.github/workflows/nightly-gauntlet.yaml
@@ -62,11 +62,16 @@ jobs:
       - name: Setup GNU tools (macOS)
         uses: ./.github/actions/setup-gnu-tools
 
-      - name: Setup Go
-        uses: ./.github/actions/setup-go
+      - name: Set up mise tools
+        uses: ./.github/actions/setup-mise
+        with:
+          install-args: "go terraform"
 
-      - name: Setup Terraform
-        uses: ./.github/actions/setup-tf
+      - name: Restore Go cache
+        uses: ./.github/actions/go-cache
+
+      - name: Install Go mise tools
+        run: ./.github/scripts/retry.sh -- mise install --locked go:gotest.tools/gotestsum
 
       - name: Setup Embedded Postgres Cache Paths
         id: embedded-pg-cache
diff --git a/.github/workflows/pr-deploy.yaml b/.github/workflows/pr-deploy.yaml
index df2d24007f..47b80e29c3 100644
--- a/.github/workflows/pr-deploy.yaml
+++ b/.github/workflows/pr-deploy.yaml
@@ -238,14 +238,19 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
-      - name: Setup Node
-        uses: ./.github/actions/setup-node
+      - name: Set up mise tools
+        uses: ./.github/actions/setup-mise
+        with:
+          install-args: "go node pnpm"
 
-      - name: Setup Go
-        uses: ./.github/actions/setup-go
+      - name: Install pnpm dependencies
+        uses: ./.github/actions/pnpm-install
 
-      - name: Setup sqlc
-        uses: ./.github/actions/setup-sqlc
+      - name: Restore Go cache
+        uses: ./.github/actions/go-cache
+
+      - name: Install Go mise tools
+        run: ./.github/scripts/retry.sh -- mise install --locked go:github.com/coder/sqlc/cmd/sqlc
 
       - name: GHCR Login
         uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index d7ef868576..2427e3586f 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -172,13 +172,16 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Setup Go
-        uses: ./.github/actions/setup-go
+      - name: Set up mise tools
+        uses: ./.github/actions/setup-mise
         with:
-          use-cache: false
+          install-args: "go node pnpm helm cosign syft"
 
-      - name: Setup Node
-        uses: ./.github/actions/setup-node
+      - name: Install pnpm dependencies
+        uses: ./.github/actions/pnpm-install
+
+      - name: Install Go mise tools
+        run: ./.github/scripts/retry.sh -- mise install --locked go:github.com/tc-hib/go-winres go:github.com/goreleaser/nfpm/v2/cmd/nfpm
 
       # Necessary for signing Windows binaries.
       - name: Setup Java
@@ -187,19 +190,9 @@ jobs:
           distribution: "zulu"
           java-version: "11.0"
 
-      - name: Install go-winres
-        run: ./.github/scripts/retry.sh -- go install github.com/tc-hib/go-winres@d743268d7ea168077ddd443c4240562d4f5e8c3e # v0.3.3
-
       - name: Install nsis and zstd
         run: sudo apt-get install -y nsis zstd
 
-      - name: Install nfpm
-        run: |
-          set -euo pipefail
-          wget -O /tmp/nfpm.deb https://github.com/goreleaser/nfpm/releases/download/v2.35.1/nfpm_2.35.1_amd64.deb
-          sudo dpkg -i /tmp/nfpm.deb
-          rm /tmp/nfpm.deb
-
       - name: Install rcodesign
         run: |
           set -euo pipefail
@@ -210,12 +203,6 @@ jobs:
             apple-codesign-0.22.0-x86_64-unknown-linux-musl/rcodesign
           rm /tmp/rcodesign.tar.gz
 
-      - name: Install cosign
-        uses: ./.github/actions/install-cosign
-
-      - name: Install syft
-        uses: ./.github/actions/install-syft
-
       - name: Setup Apple Developer certificate and API key
         run: |
           set -euo pipefail
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
index 72eee31d2d..6787e32c19 100644
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@@ -36,8 +36,13 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Setup Go
-        uses: ./.github/actions/setup-go
+      - name: Set up mise tools
+        uses: ./.github/actions/setup-mise
+        with:
+          install-args: "go"
+
+      - name: Restore Go cache
+        uses: ./.github/actions/go-cache
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v3.29.5
diff --git a/.github/workflows/weekly-docs.yaml b/.github/workflows/weekly-docs.yaml
index 505c8522de..85a14d8b6a 100644
--- a/.github/workflows/weekly-docs.yaml
+++ b/.github/workflows/weekly-docs.yaml
@@ -14,7 +14,54 @@ permissions:
   contents: read
 
 jobs:
+  prepare-linkspector-browser:
+    # later versions of Ubuntu have disabled unprivileged user namespaces, which are required by the action
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+    env:
+      CHROME_BUILD_ID: "145.0.7632.77"
+    outputs:
+      browser-cache-key: ${{ steps.browser-versions.outputs.cache-key }}
+      chrome-path: ${{ steps.install-chrome.outputs.path }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Set up mise tools
+        uses: ./.github/actions/setup-mise
+        with:
+          install-args: "node npm:@puppeteer/browsers"
+
+      - name: Get browser versions
+        id: browser-versions
+        run: |
+          set -euo pipefail
+          installer_version="$(mise current npm:@puppeteer/browsers)"
+          echo "cache-key=puppeteer-${RUNNER_OS}-${RUNNER_ARCH}-browsers-${installer_version}-chrome-${CHROME_BUILD_ID}" >> "$GITHUB_OUTPUT"
+
+      - name: Restore Puppeteer browser cache
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        with:
+          path: ~/.cache/puppeteer
+          key: ${{ steps.browser-versions.outputs.cache-key }}
+
+      - name: Install Linkspector Chrome
+        id: install-chrome
+        run: |
+          set -euo pipefail
+          chrome_path="$(browsers install "chrome@${CHROME_BUILD_ID}" --path "${HOME}/.cache/puppeteer" --format '{{path}}')"
+          echo "path=${chrome_path}" >> "$GITHUB_OUTPUT"
+
   check-docs:
+    needs: prepare-linkspector-browser
     # later versions of Ubuntu have disabled unprivileged user namespaces, which are required by the action
     runs-on: ubuntu-22.04
     permissions:
@@ -54,15 +101,21 @@ jobs:
           corepack enable pnpm
           mkdir -p "$(pnpm store path --silent)"
 
+      - name: Restore Puppeteer browser cache
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        with:
+          path: ~/.cache/puppeteer
+          key: ${{ needs.prepare-linkspector-browser.outputs.browser-cache-key }}
+
       - name: Check Markdown links
         uses: umbrelladocs/action-linkspector@036f295d12b67b0c4b445bc83db0538afb78db69 # v1.5.2
         id: markdown-link-check
         # checks all markdown files from /docs including all subfolders
         env:
-          # Use the runner-provided Chrome instead of letting linkspector's
-          # puppeteer download a specific version that may not match the
-          # runner's puppeteer cache. See: https://github.com/UmbrellaDocs/action-linkspector/issues/62
-          PUPPETEER_EXECUTABLE_PATH: /usr/bin/google-chrome
+          # Use the Chrome build prepared from mise-pinned Puppeteer instead
+          # of letting linkspector download a mutable browser at runtime.
+          # See: https://github.com/UmbrellaDocs/action-linkspector/issues/62
+          PUPPETEER_EXECUTABLE_PATH: ${{ needs.prepare-linkspector-browser.outputs.chrome-path }}
         with:
           reporter: github-pr-review
           config_file: ".github/.linkspector.yml"
diff --git a/Makefile b/Makefile
index b58f80eb68..be1992cb21 100644
--- a/Makefile
+++ b/Makefile
@@ -728,11 +728,11 @@ endif
 # GitHub Actions linters are run in a separate CI job (lint-actions) that only
 # triggers when workflow files change, so we skip them here when CI=true.
 LINT_ACTIONS_TARGETS := $(if $(CI),,lint/actions/actionlint)
-lint: lint/shellcheck lint/go lint/ts lint/examples lint/helm lint/site-icons lint/markdown lint/check-scopes lint/migrations lint/bootstrap lint/architecture lint/emdash lint/agents $(LINT_ACTIONS_TARGETS)
+lint: lint/shellcheck lint/go lint/ts lint/examples lint/helm lint/site-icons lint/markdown lint/check-scopes lint/migrations lint/bootstrap lint/architecture lint/emdash lint/agents lint/mise-versions $(LINT_ACTIONS_TARGETS)
 .PHONY: lint
 
-# Subset of lint that does not require Go or Node toolchains.
-lint-light: lint/shellcheck lint/markdown lint/helm lint/bootstrap lint/migrations lint/actions/actionlint lint/typos lint/emdash
+# Fast lint subset for lightweight hooks. Some targets use mise-managed tools.
+lint-light: lint/shellcheck lint/markdown lint/helm lint/bootstrap lint/migrations lint/actions/actionlint lint/typos lint/emdash lint/mise-versions
 .PHONY: lint-light
 
 lint/site-icons:
@@ -745,9 +745,8 @@ lint/ts: site/node_modules/.installed
 .PHONY: lint/ts
 
 lint/go:
-	linter_ver=$$(grep -Eo '^golangci-lint = "[^"]+"' mise.toml | sed -E 's/.*"([^"]+)"/\1/')
-	go run github.com/golangci/golangci-lint/cmd/golangci-lint@v$$linter_ver run
-	go tool github.com/coder/paralleltestctx/cmd/paralleltestctx -custom-funcs="testutil.Context,chatdTestContext" ./...
+	golangci-lint run
+	paralleltestctx -custom-funcs="testutil.Context,chatdTestContext" ./...
 	go run ./scripts/intxcheck ./...
 .PHONY: lint/go
 
@@ -790,16 +789,27 @@ lint/actions: lint/actions/actionlint lint/actions/zizmor
 .PHONY: lint/actions
 
 lint/actions/actionlint:
-	go tool github.com/rhysd/actionlint/cmd/actionlint
+	mise exec actionlint -- actionlint
 .PHONY: lint/actions/actionlint
 
+# zizmor uses GH_TOKEN to fetch imported workflows from GitHub; without it,
+# external action references are skipped silently.
 lint/actions/zizmor:
-	./scripts/zizmor.sh \
+	@set -euo pipefail; \
+	if [ -z "$${GH_TOKEN:-}" ] && command -v gh >/dev/null 2>&1; then \
+		GH_TOKEN="$$(gh auth token 2>/dev/null || true)"; \
+		export GH_TOKEN; \
+	fi; \
+	mise exec zizmor -- zizmor \
 		--strict-collection \
 		--persona=regular \
 		.
 .PHONY: lint/actions/zizmor
 
+lint/mise-versions:
+	./scripts/check_mise_versions.sh
+.PHONY: lint/mise-versions
+
 # Verify api_key_scope enum contains all RBAC <resource>:<action> values.
 lint/check-scopes: coderd/database/dump.sql | _gen/bin/check-scopes
 	_gen/bin/check-scopes
@@ -811,28 +821,8 @@ lint/migrations:
 	./scripts/check_pg_schema.sh "Fixtures" $(FIXTURE_FILES)
 .PHONY: lint/migrations
 
-TYPOS_VERSION := $(shell grep -oP 'crate-ci/typos@\S+\s+\#\s+v\K[0-9.]+' .github/workflows/ci.yaml)
-
-# Map uname values to typos release asset names.
-TYPOS_ARCH := $(shell uname -m)
-# typos release assets use aarch64, but macOS ARM reports arm64 via uname -m.
-ifeq ($(TYPOS_ARCH),arm64)
-TYPOS_ARCH := aarch64
-endif
-ifeq ($(shell uname -s),Darwin)
-TYPOS_OS := apple-darwin
-else
-TYPOS_OS := unknown-linux-musl
-endif
-
-build/typos-$(TYPOS_VERSION):
-	mkdir -p build/
-	curl -sSfL "https://github.com/crate-ci/typos/releases/download/v$(TYPOS_VERSION)/typos-v$(TYPOS_VERSION)-$(TYPOS_ARCH)-$(TYPOS_OS).tar.gz" \
-		| tar -xzf - -C build/ ./typos
-	mv build/typos "$@"
-
-lint/typos: build/typos-$(TYPOS_VERSION)
-	build/typos-$(TYPOS_VERSION) --config .github/workflows/typos.toml
+lint/typos:
+	typos --config .github/workflows/typos.toml
 .PHONY: lint/typos
 
 # pre-commit and pre-push mirror CI checks locally.
diff --git a/docs/about/contributing/CONTRIBUTING.md b/docs/about/contributing/CONTRIBUTING.md
index 164d52df24..16795b188a 100644
--- a/docs/about/contributing/CONTRIBUTING.md
+++ b/docs/about/contributing/CONTRIBUTING.md
@@ -58,7 +58,11 @@ Learn more [how Nix works](https://nixos.org/guides/how-nix-works).
 
 If you're not using the Nix environment, you can launch a local [DevContainer](https://github.com/coder/coder/tree/main/.devcontainer) to get a fully configured development environment.
 
-DevContainers are supported in tools like **VS Code** and **GitHub Codespaces**, and come preloaded with all required dependencies: Docker, Go, Node.js with `pnpm`, and `make`.
+DevContainers are supported in tools like **VS Code** and **GitHub Codespaces**, and come preloaded with all required dependencies: Docker, Go, Node.js with `pnpm`, `mise`, and `make`.
+
+For manual setup outside Nix and DevContainers, install Docker, `mise`, and
+`make`. Run `mise install` from the repository root to install Go, Node.js
+with `pnpm`, and development tools at the versions pinned in `mise.toml`.
 
 </div>
 
diff --git a/flake.nix b/flake.nix
index e47b078777..5b92eb07ce 100644
--- a/flake.nix
+++ b/flake.nix
@@ -61,6 +61,30 @@
           inherit nodejs; # Ensure it points to the above nodejs version
         };
 
+        mise = pkgs.stdenvNoCC.mkDerivation rec {
+          pname = "mise";
+          version = "2026.5.12";
+          target = {
+            x86_64-linux = "linux-x64";
+            aarch64-linux = "linux-arm64";
+            x86_64-darwin = "macos-x64";
+            aarch64-darwin = "macos-arm64";
+          }.${system};
+          src = pkgs.fetchurl {
+            url = "https://github.com/jdx/mise/releases/download/v${version}/mise-v${version}-${target}";
+            hash = {
+              x86_64-linux = "sha256-ojiXKjFi1xC4WyjDJDculspOS0hsgf54aVAA2fvHfEg=";
+              aarch64-linux = "sha256-/S1SJ6itCx41nHBSeoNFqa2nIHf43LtVk3FlPD2VRk8=";
+              x86_64-darwin = "sha256-3lfo3IK72ICmnJvIruBrncxXgYSz5c+G/O+AY11qkLQ=";
+              aarch64-darwin = "sha256-53cHBUD/4iz4srn4iu2ItGHQiH2UDE8cGpc1lGPN5uE=";
+            }.${system};
+          };
+          dontUnpack = true;
+          installPhase = ''
+            install -Dm755 "$src" "$out/bin/mise"
+          '';
+        };
+
         # Check in https://search.nixos.org/packages to find new packages.
         # Use `nix --extra-experimental-features nix-command --extra-experimental-features flakes flake update`
         # to update the lock file if packages are out-of-date.
@@ -109,6 +133,21 @@
           vendorHash = "sha256-4Cb15MhKyhRvYVKfMqBwuC3WBBIJE6AinJt02+TSMVY=";
         };
 
+        paralleltestctx = unstablePkgs.buildGo126Module {
+          pname = "paralleltestctx";
+          version = "0.0.2";
+
+          src = pkgs.fetchFromGitHub {
+            owner = "coder";
+            repo = "paralleltestctx";
+            rev = "v0.0.2";
+            sha256 = "sha256-qFQ4LZR2IwqscypD0URSZKXTlhUcz/axDb8NTH5CxLw=";
+          };
+
+          subPackages = [ "cmd/paralleltestctx" ];
+          vendorHash = "sha256-OuQWmZmofdJKq1hvk43RPkILQwAuFzqhmB22Xf6Z3lA=";
+        };
+
         # Keep Terraform aligned with provisioner/terraform/testdata/version.txt
         # so `make gen` remains deterministic in Nix shells.
         terraform_1_15_5 =
@@ -188,6 +227,7 @@
             lazydocker
             lazygit
             less
+            mise
             unstablePkgs.mockgen
             moreutils
             nfpm
@@ -195,6 +235,7 @@
             nodejs
             openssh
             openssl
+            paralleltestctx
             pango
             pixman
             pkg-config
diff --git a/go.mod b/go.mod
index e13cebfcf3..d4ea36cb27 100644
--- a/go.mod
+++ b/go.mod
@@ -571,7 +571,6 @@ require (
 	github.com/clipperhouse/displaywidth v0.10.0 // indirect
 	github.com/clipperhouse/uax29/v2 v2.6.0 // indirect
 	github.com/cncf/xds/go v0.0.0-20260202195803-dba9d589def2 // indirect
-	github.com/coder/paralleltestctx v0.0.2 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
@@ -618,7 +617,6 @@ require (
 	github.com/lestrrat-go/httprc/v3 v3.0.5 // indirect
 	github.com/lestrrat-go/jwx/v3 v3.1.1 // indirect
 	github.com/lestrrat-go/option/v2 v2.0.0 // indirect
-	github.com/mattn/go-shellwords v1.0.12 // indirect
 	github.com/minio/highwayhash v1.0.4-0.20251030100505-070ab1a87a76 // indirect
 	github.com/moby/moby/api v1.54.0 // indirect
 	github.com/moby/moby/client v0.3.0 // indirect
@@ -632,7 +630,6 @@ require (
 	github.com/pb33f/ordered-map/v2 v2.3.1 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/puzpuzpuz/xsync/v3 v3.5.1 // indirect
-	github.com/rhysd/actionlint v1.7.10 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/samber/lo v1.52.0 // indirect
 	github.com/segmentio/asm v1.2.1 // indirect
@@ -664,9 +661,7 @@ require (
 )
 
 tool (
-	github.com/coder/paralleltestctx/cmd/paralleltestctx
 	github.com/daixiang0/gci
-	github.com/rhysd/actionlint/cmd/actionlint
 	github.com/swaggo/swag/cmd/swag
 	go.uber.org/mock/mockgen
 	golang.org/x/tools/cmd/goimports
diff --git a/go.sum b/go.sum
index e639f168f3..5840cb7bf5 100644
--- a/go.sum
+++ b/go.sum
@@ -334,8 +334,6 @@ github.com/coder/go-scim/pkg/v2 v2.0.0-20230221055123-1d63c1222136 h1:0RgB61LcNs
 github.com/coder/go-scim/pkg/v2 v2.0.0-20230221055123-1d63c1222136/go.mod h1:VkD1P761nykiq75dz+4iFqIQIZka189tx1BQLOp0Skc=
 github.com/coder/guts v1.7.0 h1:TaZ/PR9wgN8dlbcckaWV1MxkkuEFZRwSRwBBEm8dYXs=
 github.com/coder/guts v1.7.0/go.mod h1:30SShdvpmsauNlsNjECRB5AppScjYk08rf2ZVpH3MFg=
-github.com/coder/paralleltestctx v0.0.2 h1:0akzA1oSV0LOl7loR8Mmoq/mu7qGDaFV8DpojotmXiE=
-github.com/coder/paralleltestctx v0.0.2/go.mod h1:q/wi6cmlBOhrJKjUtouTn4J9xZlRhK0MbgHvJNdGW3w=
 github.com/coder/pq v1.10.5-0.20250807075151-6ad9b0a25151 h1:YAxwg3lraGNRwoQ18H7R7n+wsCqNve7Brdvj0F1rDnU=
 github.com/coder/pq v1.10.5-0.20250807075151-6ad9b0a25151/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/coder/pretty v0.0.0-20230908205945-e89ba86370e0 h1:3A0ES21Ke+FxEM8CXx9n47SZOKOpgSE1bbJzlE4qPVs=
@@ -881,8 +879,6 @@ github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+Ei
 github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk=
 github.com/mattn/go-runewidth v0.0.19 h1:v++JhqYnZuu5jSKrk9RbgF5v4CGUjqRfBm05byFGLdw=
 github.com/mattn/go-runewidth v0.0.19/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
-github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk=
-github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
 github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
 github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy56gw=
@@ -1063,8 +1059,6 @@ github.com/quasilyte/go-ruleguard/dsl v0.3.23 h1:lxjt5B6ZCiBeeNO8/oQsegE6fLeCzuM
 github.com/quasilyte/go-ruleguard/dsl v0.3.23/go.mod h1:KeCP03KrjuSO0H1kTuZQCWlQPulDV6YMIXmpQss17rU=
 github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 h1:bsUq1dX0N8AOIL7EB/X911+m4EHsnWEHeJ0c+3TTBrg=
 github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
-github.com/rhysd/actionlint v1.7.10 h1:FL3XIEs72G4/++168vlv5FKOWMSWvWIQw1kBCadyOcM=
-github.com/rhysd/actionlint v1.7.10/go.mod h1:ZHX/hrmknlsJN73InPTKsKdXpAv9wVdrJy8h8HAwFHg=
 github.com/riandyrn/otelchi v0.5.1 h1:0/45omeqpP7f/cvdL16GddQBfAEmZvUyl2QzLSE6uYo=
 github.com/riandyrn/otelchi v0.5.1/go.mod h1:ZxVxNEl+jQ9uHseRYIxKWRb3OY8YXFEu+EkNiiSNUEA=
 github.com/richardartoul/molecule v1.0.1-0.20240531184615-7ca0df43c0b3 h1:4+LEVOB87y175cLJC/mbsgKmoDOjrBldtXvioEy96WY=
diff --git a/mise.lock b/mise.lock
index babc55e498..9acd58a7c9 100644
--- a/mise.lock
+++ b/mise.lock
@@ -1,5 +1,53 @@
 # @generated - this file is auto-generated by `mise lock` https://mise.en.dev/dev-tools/mise-lock.html
 
+[[tools.actionlint]]
+version = "1.7.10"
+backend = "aqua:rhysd/actionlint"
+
+[tools.actionlint."platforms.linux-arm64"]
+checksum = "sha256:cd3dfe5f66887ec6b987752d8d9614e59fd22f39415c5ad9f28374623f41773a"
+url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_linux_arm64.tar.gz"
+
+[tools.actionlint."platforms.linux-arm64-musl"]
+checksum = "sha256:cd3dfe5f66887ec6b987752d8d9614e59fd22f39415c5ad9f28374623f41773a"
+url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_linux_arm64.tar.gz"
+
+[tools.actionlint."platforms.linux-x64"]
+checksum = "sha256:f4c76b71db5755a713e6055cbb0857ed07e103e028bda117817660ebadb4386f"
+url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_linux_amd64.tar.gz"
+
+[tools.actionlint."platforms.linux-x64-baseline"]
+checksum = "sha256:f4c76b71db5755a713e6055cbb0857ed07e103e028bda117817660ebadb4386f"
+url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_linux_amd64.tar.gz"
+
+[tools.actionlint."platforms.linux-x64-musl"]
+checksum = "sha256:f4c76b71db5755a713e6055cbb0857ed07e103e028bda117817660ebadb4386f"
+url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_linux_amd64.tar.gz"
+
+[tools.actionlint."platforms.linux-x64-musl-baseline"]
+checksum = "sha256:f4c76b71db5755a713e6055cbb0857ed07e103e028bda117817660ebadb4386f"
+url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_linux_amd64.tar.gz"
+
+[tools.actionlint."platforms.macos-arm64"]
+checksum = "sha256:004ca87b367b37f4d75c55ab6cf80f9b8c043adbfbd440f31c604d417939c442"
+url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_darwin_arm64.tar.gz"
+
+[tools.actionlint."platforms.macos-x64"]
+checksum = "sha256:16782c41f2af264db80f855ee5d09164ca98fc78edf3bcd0f46eecff279682ba"
+url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_darwin_amd64.tar.gz"
+
+[tools.actionlint."platforms.macos-x64-baseline"]
+checksum = "sha256:16782c41f2af264db80f855ee5d09164ca98fc78edf3bcd0f46eecff279682ba"
+url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_darwin_amd64.tar.gz"
+
+[tools.actionlint."platforms.windows-x64"]
+checksum = "sha256:283467f9d6202a8cb8c00ad8dd0ee4e685b71fb86a6a56c68fcbb9ae8ed91237"
+url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_windows_amd64.zip"
+
+[tools.actionlint."platforms.windows-x64-baseline"]
+checksum = "sha256:283467f9d6202a8cb8c00ad8dd0ee4e685b71fb86a6a56c68fcbb9ae8ed91237"
+url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_windows_amd64.zip"
+
 [[tools."aqua:ahmetb/kubectx/kubens"]]
 version = "0.9.4"
 backend = "aqua:ahmetb/kubectx/kubens"
@@ -432,14 +480,26 @@ url = "https://dl.google.com/go/go1.26.2.windows-amd64.zip"
 checksum = "sha256:98eb3570bade15cb826b0909338df6cc6d2cf590bc39c471142002db3832b708"
 url = "https://dl.google.com/go/go1.26.2.windows-amd64.zip"
 
+[[tools."go:github.com/coder/paralleltestctx/cmd/paralleltestctx"]]
+version = "0.0.2"
+backend = "go:github.com/coder/paralleltestctx/cmd/paralleltestctx"
+
 [[tools."go:github.com/coder/sqlc/cmd/sqlc"]]
 version = "337309bfb9524f38466a5090e310040fc7af0203"
 backend = "go:github.com/coder/sqlc/cmd/sqlc"
 
+[[tools."go:github.com/coder/whichtests"]]
+version = "ec33bab1ec04cd86beb7a61a069db4463dba63f5"
+backend = "go:github.com/coder/whichtests"
+
 [[tools."go:github.com/golang-migrate/migrate/v4/cmd/migrate"]]
 version = "v4.19.0"
 backend = "go:github.com/golang-migrate/migrate/v4/cmd/migrate"
 
+[[tools."go:github.com/golangci/golangci-lint/cmd/golangci-lint"]]
+version = "1.64.8"
+backend = "go:github.com/golangci/golangci-lint/cmd/golangci-lint"
+
 [[tools."go:github.com/goreleaser/nfpm/v2/cmd/nfpm"]]
 version = "v2.35.1"
 backend = "go:github.com/goreleaser/nfpm/v2/cmd/nfpm"
@@ -452,10 +512,18 @@ backend = "go:github.com/mikefarah/yq/v4"
 version = "v0.3.13"
 backend = "go:github.com/quasilyte/go-ruleguard/cmd/ruleguard"
 
+[[tools."go:github.com/slsyy/mtimehash/cmd/mtimehash"]]
+version = "1.0.0"
+backend = "go:github.com/slsyy/mtimehash/cmd/mtimehash"
+
 [[tools."go:github.com/swaggo/swag/cmd/swag"]]
 version = "v1.16.2"
 backend = "go:github.com/swaggo/swag/cmd/swag"
 
+[[tools."go:github.com/tc-hib/go-winres"]]
+version = "0.3.3"
+backend = "go:github.com/tc-hib/go-winres"
+
 [[tools."go:go.uber.org/mock/mockgen"]]
 version = "v0.6.0"
 backend = "go:go.uber.org/mock/mockgen"
@@ -480,54 +548,6 @@ backend = "go:mvdan.cc/sh/v3/cmd/shfmt"
 version = "v0.0.34"
 backend = "go:storj.io/drpc/cmd/protoc-gen-go-drpc"
 
-[[tools.golangci-lint]]
-version = "1.64.8"
-backend = "aqua:golangci/golangci-lint"
-
-[tools.golangci-lint."platforms.linux-arm64"]
-checksum = "sha256:a6ab58ebcb1c48572622146cdaec2956f56871038a54ed1149f1386e287789a5"
-url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-arm64.tar.gz"
-
-[tools.golangci-lint."platforms.linux-arm64-musl"]
-checksum = "sha256:a6ab58ebcb1c48572622146cdaec2956f56871038a54ed1149f1386e287789a5"
-url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-arm64.tar.gz"
-
-[tools.golangci-lint."platforms.linux-x64"]
-checksum = "sha256:b6270687afb143d019f387c791cd2a6f1cb383be9b3124d241ca11bd3ce2e54e"
-url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-amd64.tar.gz"
-
-[tools.golangci-lint."platforms.linux-x64-baseline"]
-checksum = "sha256:b6270687afb143d019f387c791cd2a6f1cb383be9b3124d241ca11bd3ce2e54e"
-url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-amd64.tar.gz"
-
-[tools.golangci-lint."platforms.linux-x64-musl"]
-checksum = "sha256:b6270687afb143d019f387c791cd2a6f1cb383be9b3124d241ca11bd3ce2e54e"
-url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-amd64.tar.gz"
-
-[tools.golangci-lint."platforms.linux-x64-musl-baseline"]
-checksum = "sha256:b6270687afb143d019f387c791cd2a6f1cb383be9b3124d241ca11bd3ce2e54e"
-url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-amd64.tar.gz"
-
-[tools.golangci-lint."platforms.macos-arm64"]
-checksum = "sha256:70543d21e5b02a94079be8aa11267a5b060865583e337fe768d39b5d3e2faf1f"
-url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-darwin-arm64.tar.gz"
-
-[tools.golangci-lint."platforms.macos-x64"]
-checksum = "sha256:b52aebb8cb51e00bfd5976099083fbe2c43ef556cef9c87e58a8ae656e740444"
-url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-darwin-amd64.tar.gz"
-
-[tools.golangci-lint."platforms.macos-x64-baseline"]
-checksum = "sha256:b52aebb8cb51e00bfd5976099083fbe2c43ef556cef9c87e58a8ae656e740444"
-url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-darwin-amd64.tar.gz"
-
-[tools.golangci-lint."platforms.windows-x64"]
-checksum = "sha256:54c2ed3a6b4f2f5da1056fb6e83d6b73b592e06684b65a5999174fabbb251a8f"
-url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-windows-amd64.zip"
-
-[tools.golangci-lint."platforms.windows-x64-baseline"]
-checksum = "sha256:54c2ed3a6b4f2f5da1056fb6e83d6b73b592e06684b65a5999174fabbb251a8f"
-url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-windows-amd64.zip"
-
 [[tools.helm]]
 version = "3.21.0"
 backend = "aqua:helm/helm"
@@ -723,6 +743,10 @@ url = "https://nodejs.org/dist/v22.19.0/node-v22.19.0-win-x64.zip"
 version = "0.87.0"
 backend = "npm:@devcontainers/cli"
 
+[[tools."npm:@puppeteer/browsers"]]
+version = "2.13.0"
+backend = "npm:@puppeteer/browsers"
+
 [[tools.pnpm]]
 version = "10.33.2"
 backend = "aqua:pnpm/pnpm"
@@ -848,52 +872,52 @@ url = "https://github.com/protocolbuffers/protobuf-go/releases/download/v1.30.0/
 url = "https://github.com/protocolbuffers/protobuf-go/releases/download/v1.30.0/protoc-gen-go.v1.30.0.windows.amd64.zip"
 
 [[tools.syft]]
-version = "1.20.0"
+version = "1.26.1"
 backend = "aqua:anchore/syft"
 
 [tools.syft."platforms.linux-arm64"]
-checksum = "sha256:53f76737ddbf425c89240d5b0be0990b1a71e66890b44f19743221b17e6ee635"
-url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_arm64.tar.gz"
+checksum = "sha256:ed3915cbc9c039f0501cb49d4485125befbd729acc263e767f70a18de3fec10d"
+url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_linux_arm64.tar.gz"
 
 [tools.syft."platforms.linux-arm64-musl"]
-checksum = "sha256:53f76737ddbf425c89240d5b0be0990b1a71e66890b44f19743221b17e6ee635"
-url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_arm64.tar.gz"
+checksum = "sha256:ed3915cbc9c039f0501cb49d4485125befbd729acc263e767f70a18de3fec10d"
+url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_linux_arm64.tar.gz"
 
 [tools.syft."platforms.linux-x64"]
-checksum = "sha256:689e12c5cbf67521ce61b9c126068f9eaabe1223e77971b2fede50033ff6b5cc"
-url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_amd64.tar.gz"
+checksum = "sha256:4f3e84f9467080c876deb0fa968da54309c6d21fb8c00fd3a4e547eb9f006835"
+url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_linux_amd64.tar.gz"
 
 [tools.syft."platforms.linux-x64-baseline"]
-checksum = "sha256:689e12c5cbf67521ce61b9c126068f9eaabe1223e77971b2fede50033ff6b5cc"
-url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_amd64.tar.gz"
+checksum = "sha256:4f3e84f9467080c876deb0fa968da54309c6d21fb8c00fd3a4e547eb9f006835"
+url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_linux_amd64.tar.gz"
 
 [tools.syft."platforms.linux-x64-musl"]
-checksum = "sha256:689e12c5cbf67521ce61b9c126068f9eaabe1223e77971b2fede50033ff6b5cc"
-url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_amd64.tar.gz"
+checksum = "sha256:4f3e84f9467080c876deb0fa968da54309c6d21fb8c00fd3a4e547eb9f006835"
+url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_linux_amd64.tar.gz"
 
 [tools.syft."platforms.linux-x64-musl-baseline"]
-checksum = "sha256:689e12c5cbf67521ce61b9c126068f9eaabe1223e77971b2fede50033ff6b5cc"
-url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_amd64.tar.gz"
+checksum = "sha256:4f3e84f9467080c876deb0fa968da54309c6d21fb8c00fd3a4e547eb9f006835"
+url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_linux_amd64.tar.gz"
 
 [tools.syft."platforms.macos-arm64"]
-checksum = "sha256:91365712a06af0c0dcd06f5e87fc8791c4332831b3dd6f5474acaaf803d71d82"
-url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_darwin_arm64.tar.gz"
+checksum = "sha256:00435a3fe2ae940203708ee2eae9976d1719982c628d30b2b78aacd36133ec6b"
+url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_darwin_arm64.tar.gz"
 
 [tools.syft."platforms.macos-x64"]
-checksum = "sha256:5fdf7afd0f1bfdbb2a1a575eacef8e10edfcb4783631baaa7572a9f4a4d86441"
-url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_darwin_amd64.tar.gz"
+checksum = "sha256:2eae0b76a208c5916cf02847b94e861024c7a5a6c1e2e606f5436f97747b1f76"
+url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_darwin_amd64.tar.gz"
 
 [tools.syft."platforms.macos-x64-baseline"]
-checksum = "sha256:5fdf7afd0f1bfdbb2a1a575eacef8e10edfcb4783631baaa7572a9f4a4d86441"
-url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_darwin_amd64.tar.gz"
+checksum = "sha256:2eae0b76a208c5916cf02847b94e861024c7a5a6c1e2e606f5436f97747b1f76"
+url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_darwin_amd64.tar.gz"
 
 [tools.syft."platforms.windows-x64"]
-checksum = "sha256:b8bfdedb261de2a69768097422a73bc72273ee92136ff676a20c3161e658881f"
-url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_windows_amd64.zip"
+checksum = "sha256:7af7acb9f81bdddbc343855cb3a42e1d38ae9a1b044bfcd9b975a118d107849e"
+url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_windows_amd64.zip"
 
 [tools.syft."platforms.windows-x64-baseline"]
-checksum = "sha256:b8bfdedb261de2a69768097422a73bc72273ee92136ff676a20c3161e658881f"
-url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_windows_amd64.zip"
+checksum = "sha256:7af7acb9f81bdddbc343855cb3a42e1d38ae9a1b044bfcd9b975a118d107849e"
+url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_windows_amd64.zip"
 
 [[tools.terraform]]
 version = "1.15.5"
@@ -942,3 +966,56 @@ url = "https://releases.hashicorp.com/terraform/1.15.5/terraform_1.15.5_windows_
 [tools.terraform."platforms.windows-x64-baseline"]
 checksum = "sha256:2f652dd854af7b7fbb51301afc55b5ef1d3f6e287be7889d4cc3818df891cd38"
 url = "https://releases.hashicorp.com/terraform/1.15.5/terraform_1.15.5_windows_amd64.zip"
+
+[[tools.zizmor]]
+version = "1.11.0"
+backend = "aqua:zizmorcore/zizmor"
+
+[tools.zizmor."platforms.linux-arm64"]
+checksum = "sha256:ce6d71e796b7d3663449151b08cee7c659f89bf36095c432e25169c857f479f0"
+url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-aarch64-unknown-linux-gnu.tar.gz"
+provenance = "github-attestations"
+
+[tools.zizmor."platforms.linux-arm64-musl"]
+provenance = "github-attestations"
+
+[tools.zizmor."platforms.linux-x64"]
+checksum = "sha256:da35e666827cbb1e6ca98b18b7969657b9f186467bfebfa25e730aac527c36f8"
+url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-x86_64-unknown-linux-gnu.tar.gz"
+provenance = "github-attestations"
+
+[tools.zizmor."platforms.linux-x64-baseline"]
+checksum = "sha256:da35e666827cbb1e6ca98b18b7969657b9f186467bfebfa25e730aac527c36f8"
+url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-x86_64-unknown-linux-gnu.tar.gz"
+provenance = "github-attestations"
+
+[tools.zizmor."platforms.linux-x64-musl"]
+provenance = "github-attestations"
+
+[tools.zizmor."platforms.linux-x64-musl-baseline"]
+provenance = "github-attestations"
+
+[tools.zizmor."platforms.macos-arm64"]
+checksum = "sha256:7cf59f08cb50f539ab9ddc6be1d463c81e31f5b189d148fc6f786adf9fc42a5f"
+url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-aarch64-apple-darwin.tar.gz"
+provenance = "github-attestations"
+
+[tools.zizmor."platforms.macos-x64"]
+checksum = "sha256:a1f60dd09527ce546ff86e49ebfa1ab4a6c5d16365662e6932f8d0f46fbb18b2"
+url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-x86_64-apple-darwin.tar.gz"
+provenance = "github-attestations"
+
+[tools.zizmor."platforms.macos-x64-baseline"]
+checksum = "sha256:a1f60dd09527ce546ff86e49ebfa1ab4a6c5d16365662e6932f8d0f46fbb18b2"
+url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-x86_64-apple-darwin.tar.gz"
+provenance = "github-attestations"
+
+[tools.zizmor."platforms.windows-x64"]
+checksum = "sha256:35e038bdbde6fcfdf947c947c7c3fc83c5043e0ded0e5b0d59c30c8eda97fd3a"
+url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-x86_64-pc-windows-msvc.zip"
+provenance = "github-attestations"
+
+[tools.zizmor."platforms.windows-x64-baseline"]
+checksum = "sha256:35e038bdbde6fcfdf947c947c7c3fc83c5043e0ded0e5b0d59c30c8eda97fd3a"
+url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-x86_64-pc-windows-msvc.zip"
+provenance = "github-attestations"
diff --git a/mise.toml b/mise.toml
index b148fe41c6..4ce58d3c86 100644
--- a/mise.toml
+++ b/mise.toml
@@ -1,5 +1,6 @@
-# Keep in lockstep with MISE_VERSION in dogfood/coder/ubuntu-*/Dockerfile.base,
-# .github/workflows/dogfood.yaml, and scripts/dogfood/mise-oci-wrapper.sh.
+# Keep in lockstep with .github/actions/setup-mise/action.yml,
+# .github/actions/setup-mise/checksums.toml, flake.nix,
+# dogfood/coder/ubuntu-*/Dockerfile.base, and scripts/dogfood/mise-oci-wrapper.sh.
 min_version = "2026.5.12"
 
 [settings]
@@ -19,8 +20,17 @@ protoc = "23.4"
 protoc-gen-go = "1.30.0"
 
 # Go development tools.
+"go:github.com/coder/paralleltestctx/cmd/paralleltestctx" = "v0.0.2"
+"go:github.com/coder/whichtests" = "ec33bab1ec04cd86beb7a61a069db4463dba63f5"
+# Keep golangci-lint on the Go backend while pinned to v1. The upstream
+# precompiled v1 binary is built with an older Go toolchain and cannot lint
+# this module's Go version. Upgrading to v2 should let us use the native
+# golangci-lint mise/aqua backend and GitHub release binaries.
+"go:github.com/golangci/golangci-lint/cmd/golangci-lint" = "v1.64.8"
 "go:github.com/golang-migrate/migrate/v4/cmd/migrate" = "v4.19.0"
 "go:github.com/goreleaser/nfpm/v2/cmd/nfpm" = "v2.35.1"
+"go:github.com/slsyy/mtimehash/cmd/mtimehash" = "v1.0.0"
+"go:github.com/tc-hib/go-winres" = "v0.3.3"
 "go:github.com/mikefarah/yq/v4" = "v4.44.3"
 "go:github.com/quasilyte/go-ruleguard/cmd/ruleguard" = "v0.3.13"
 "go:github.com/swaggo/swag/cmd/swag" = "v1.16.2"
@@ -30,17 +40,18 @@ protoc-gen-go = "1.30.0"
 "go:mvdan.cc/sh/v3/cmd/shfmt" = "v3.12.0"
 
 # Infrastructure, release, and lint CLIs.
+actionlint = "1.7.10"
 "aqua:ahmetb/kubectx/kubens" = "0.9.4"
 cosign = "2.4.3"
 # crane is the registry client `mise oci push` shells out to. Sourced
 # here so it travels with the rest of the mise toolset (one source of
 # truth, deterministic version, no apt drift across CI / wrapper).
 crane = "0.21.6"
-golangci-lint = "1.64.8"
 helm = "3.21.0"
 kubectx = "0.9.4"
-syft = "1.20.0"
+syft = "1.26.1"
 terraform = "1.15.5"
+zizmor = "1.11.0"
 
 # Developer-environment niceties for the dogfood image. Non-dogfood
 # users who run `mise install` here will pull these too; they are
@@ -60,6 +71,9 @@ lazygit = "0.61.1"
 # Pre-installs the binary so the upstream devcontainers-cli coder
 # module's `command -v devcontainer` short-circuit fires
 "npm:@devcontainers/cli" = "0.87.0"
+# weekly-docs uses this pinned Puppeteer browser installer to install Chrome for
+# action-linkspector without resolving mutable npm metadata at runtime.
+"npm:@puppeteer/browsers" = "2.13.0"
 
 # sqlc (coder fork) bundles sqlite via cgo, so the `go install` build
 # needs CGO_ENABLED=1. Scope it with `install_env` so it only applies
diff --git a/scripts/check_go_versions.sh b/scripts/check_go_versions.sh
index fb811838a6..5cbd9c5fb9 100755
--- a/scripts/check_go_versions.sh
+++ b/scripts/check_go_versions.sh
@@ -5,7 +5,6 @@
 # - go.mod
 # - mise.toml (the dogfood image installs from this manifest)
 # - flake.nix
-# - .github/actions/setup-go/action.yml
 # The version of Go in go.mod is considered the source of truth.
 
 set -euo pipefail
@@ -19,23 +18,17 @@ IGNORE_NIX=${IGNORE_NIX:-false}
 
 GO_VERSION_GO_MOD=$(grep -Eo 'go [0-9]+\.[0-9]+\.[0-9]+' ./go.mod | cut -d' ' -f2)
 GO_VERSION_MISE_TOML=$(grep -Eo '^go = "[0-9]+\.[0-9]+\.[0-9]+"' ./mise.toml | sed -E 's/.*"([^"]+)"/\1/')
-GO_VERSION_SETUP_GO=$(yq '.inputs.version.default' .github/actions/setup-go/action.yaml)
 GO_VERSION_FLAKE_NIX=$(grep -Eo '\bgo_[0-9]+_[0-9]+\b' ./flake.nix)
 # Convert to major.minor format.
 GO_VERSION_FLAKE_NIX_MAJOR_MINOR=$(echo "$GO_VERSION_FLAKE_NIX" | cut -d '_' -f 2-3 | tr '_' '.')
 log "INFO : go.mod                   : $GO_VERSION_GO_MOD"
 log "INFO : mise.toml                : $GO_VERSION_MISE_TOML"
-log "INFO : setup-go/action.yaml     : $GO_VERSION_SETUP_GO"
 log "INFO : flake.nix                : $GO_VERSION_FLAKE_NIX_MAJOR_MINOR"
 
 if [ "$GO_VERSION_GO_MOD" != "$GO_VERSION_MISE_TOML" ]; then
 	error "Go version mismatch between go.mod and mise.toml"
 fi
 
-if [ "$GO_VERSION_GO_MOD" != "$GO_VERSION_SETUP_GO" ]; then
-	error "Go version mismatch between go.mod and .github/actions/setup-go/action.yaml"
-fi
-
 # At the time of writing, Nix only constrains the major.minor version.
 # We need to check that specifically.
 if [ "$IGNORE_NIX" = "false" ]; then
diff --git a/scripts/check_mise_versions.sh b/scripts/check_mise_versions.sh
new file mode 100755
index 0000000000..20ad1bc929
--- /dev/null
+++ b/scripts/check_mise_versions.sh
@@ -0,0 +1,150 @@
+#!/usr/bin/env bash
+
+# This script checks the mise values used by CI and dogfood images:
+# - mise.toml min_version is the source of truth for the mise version.
+# - .github/actions/setup-mise/checksums.toml stores pinned binary checksums.
+# - .github/actions/setup-mise/action.yml
+# - flake.nix
+# - scripts/dogfood/mise-oci-wrapper.sh
+# - dogfood/coder/ubuntu-*/Dockerfile.base
+
+set -euo pipefail
+# shellcheck source=scripts/lib.sh
+source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"
+cdroot
+
+check_not_empty() {
+	local label="$1"
+	local value="$2"
+
+	log "INFO : ${label}: ${value}"
+	if [[ -z "${value}" ]]; then
+		error "Missing mise value for ${label}"
+	fi
+}
+
+check_equal() {
+	local label="$1"
+	local actual="$2"
+	local expected="$3"
+
+	check_not_empty "${label}" "${actual}"
+	if [[ "${actual}" != "${expected}" ]]; then
+		error "Mise mismatch for ${label}: expected ${expected}, got ${actual}"
+	fi
+}
+
+check_sha256_format() {
+	local label="$1"
+	local value="$2"
+
+	if [[ -z "${value}" ]]; then
+		error "Missing mise value for ${label}"
+	fi
+	if [[ ! "${value}" =~ ^[a-f0-9]{64}$ ]]; then
+		error "Expected 64-character lowercase SHA256 for ${label}: ${value}"
+	fi
+}
+
+mise_version="$(sed -n 's/^min_version = "\([^"]*\)"/\1/p' mise.toml)"
+check_not_empty "mise.toml min_version" "${mise_version}"
+
+action_version="$(
+	awk '
+		$1 == "mise-version:" { in_input = 1; next }
+		in_input && /^  [A-Za-z0-9_-]+:/ { exit }
+		in_input && $1 == "default:" {
+			gsub(/"/, "", $2)
+			print $2
+			exit
+		}
+	' .github/actions/setup-mise/action.yml
+)"
+check_equal ".github/actions/setup-mise/action.yml" "${action_version}" "${mise_version}"
+
+checksum_version="$(
+	awk -v version="${mise_version}" '
+		$0 == "[\"" version "\"]" {
+			print version
+			exit
+		}
+	' .github/actions/setup-mise/checksums.toml
+)"
+check_equal ".github/actions/setup-mise/checksums.toml" "${checksum_version}" "${mise_version}"
+
+declare -A setup_mise_checksums=()
+for target in linux-x64 linux-arm64 macos-x64 macos-arm64 windows-x64; do
+	checksum="$(./scripts/mise_checksum.sh .github/actions/setup-mise/checksums.toml "${mise_version}" "${target}")"
+	check_not_empty ".github/actions/setup-mise/checksums.toml ${target}" "${checksum}"
+	check_sha256_format ".github/actions/setup-mise/checksums.toml ${target}" "${checksum}"
+	setup_mise_checksums["${target}"]="${checksum}"
+done
+linux_x64_checksum="${setup_mise_checksums["linux-x64"]}"
+
+sri_sha256_to_hex() {
+	local label="$1"
+	local sri="$2"
+
+	if [[ "${sri}" != sha256-* ]]; then
+		error "Expected SRI SHA256 hash for ${label}: ${sri}"
+	fi
+
+	printf '%s' "${sri#sha256-}" | openssl base64 -A -d | od -An -tx1 -v | tr -d ' \n'
+}
+
+flake_version="$(
+	awk '
+		/^[[:space:]]*mise = / { in_mise = 1; next }
+		in_mise && /^[[:space:]]*version = / {
+			gsub(/[";]/, "", $3)
+			print $3
+			exit
+		}
+		in_mise && /^[[:space:]]*};/ { exit }
+	' flake.nix
+)"
+check_equal "flake.nix" "${flake_version}" "${mise_version}"
+
+declare -A flake_targets=(
+	["x86_64-linux"]="linux-x64"
+	["aarch64-linux"]="linux-arm64"
+	["x86_64-darwin"]="macos-x64"
+	["aarch64-darwin"]="macos-arm64"
+)
+for system in "${!flake_targets[@]}"; do
+	target="${flake_targets[${system}]}"
+	expected_checksum="${setup_mise_checksums[${target}]}"
+
+	flake_hash="$(
+		awk -v nix_system="${system}" '
+			/^[[:space:]]*hash = \{/ { in_hash = 1; next }
+			in_hash && $1 == nix_system {
+				gsub(/[";]/, "", $3)
+				print $3
+				exit
+			}
+			in_hash && /^[[:space:]]*};/ { exit }
+		' flake.nix
+	)"
+	check_not_empty "flake.nix ${system} hash" "${flake_hash}"
+
+	actual_checksum="$(sri_sha256_to_hex "flake.nix ${system}" "${flake_hash}")"
+	check_equal "flake.nix ${system} sha256" "${actual_checksum}" "${expected_checksum}"
+done
+
+wrapper_version="$(sed -n 's/^MISE_VERSION="v\([^"]*\)"/\1/p' scripts/dogfood/mise-oci-wrapper.sh)"
+check_equal "scripts/dogfood/mise-oci-wrapper.sh" "${wrapper_version}" "${mise_version}"
+wrapper_checksum="$(sed -n 's/^MISE_SHA256="\([a-f0-9]*\)"/\1/p' scripts/dogfood/mise-oci-wrapper.sh)"
+check_equal "scripts/dogfood/mise-oci-wrapper.sh sha256" "${wrapper_checksum}" "${linux_x64_checksum}"
+check_sha256_format "scripts/dogfood/mise-oci-wrapper.sh sha256" "${wrapper_checksum}"
+
+for dockerfile in dogfood/coder/ubuntu-*/Dockerfile.base; do
+	dockerfile_version="$(sed -n 's/.*MISE_VERSION=v\([0-9.]*\).*/\1/p' "${dockerfile}" | head -n 1)"
+	check_equal "${dockerfile}" "${dockerfile_version}" "${mise_version}"
+
+	dockerfile_checksum="$(sed -n 's/.*MISE_SHA256=\([a-f0-9]*\).*/\1/p' "${dockerfile}" | head -n 1)"
+	check_equal "${dockerfile} sha256" "${dockerfile_checksum}" "${linux_x64_checksum}"
+	check_sha256_format "${dockerfile} sha256" "${dockerfile_checksum}"
+done
+
+log "Mise version check passed, all versions are ${mise_version}"
diff --git a/scripts/mise_checksum.sh b/scripts/mise_checksum.sh
new file mode 100755
index 0000000000..52fcc73aa1
--- /dev/null
+++ b/scripts/mise_checksum.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+# Print the pinned mise SHA256 checksum for a version and release target.
+
+set -euo pipefail
+
+if [[ "$#" -ne 3 ]]; then
+	echo "usage: $0 <checksums.toml> <mise-version> <target>" >&2
+	exit 1
+fi
+
+checksums_file="$1"
+mise_version="$2"
+target="$3"
+
+awk -F= -v version="${mise_version}" -v target="${target}" '
+	$0 == "[\"" version "\"]" { in_table = 1; next }
+	/^\[/ { in_table = 0 }
+	in_table {
+		key = $1
+		gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
+		if (key == target) {
+			value = $2
+			gsub(/^[[:space:]]+|[[:space:]]+$/, "", value)
+			gsub(/^"|"$/, "", value)
+			print value
+			exit
+		}
+	}
+' "${checksums_file}"
diff --git a/scripts/should_deploy.sh b/scripts/should_deploy.sh
index 003828b411..a23d3293d6 100755
--- a/scripts/should_deploy.sh
+++ b/scripts/should_deploy.sh
@@ -1,7 +1,6 @@
 #!/usr/bin/env bash
 
-# This script determines if a commit in either the main branch or a
-# `release/x.y` branch should be deployed to dogfood.
+# This script determines if the current branch should be deployed to dogfood.
 #
 # To avoid masking unrelated failures, this script will return 0 in either case,
 # and will print `DEPLOY` or `NOOP` to stdout.
@@ -11,73 +10,16 @@ set -euo pipefail
 source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"
 cdroot
 
-deploy_branch=main
-
-# Determine the current branch name and check that it is one of the supported
-# branch names.
 branch_name=$(git branch --show-current)
 
-# Short circuit: we no longer deploy release branches to dogfood, and instead
-# test them on the stable deployment.
+# We no longer deploy release branches to dogfood, and instead test them on the
+# stable deployment.
 # TODO: once we're happy with the new deployment process, we can remove this
-# script and the related github workflow stuff.
+# script and the related GitHub workflow.
 if [[ "$branch_name" == "main" ]]; then
 	log "VERDICT: DEPLOY"
 	echo "DEPLOY" # stdout
-	exit 0
 else
 	log "VERDICT: NOOP"
 	echo "NOOP" # stdout
-	exit 0
-fi
-
-if [[ "$branch_name" != "main" && ! "$branch_name" =~ ^release/[0-9]+\.[0-9]+$ ]]; then
-	error "Current branch '$branch_name' is not a supported branch name for dogfood, must be 'main' or 'release/x.y'"
-fi
-log "Current branch '$branch_name'"
-
-# Determine the remote name
-remote=$(git remote -v | grep coder/coder | awk '{print $1}' | head -n1)
-if [[ -z "${remote}" ]]; then
-	error "Could not find remote for coder/coder"
-fi
-log "Using remote '$remote'"
-
-# Step 1: List all release branches and sort them by major/minor so we can find
-# the latest release branch.
-release_branches=$(
-	git branch -r --format='%(refname:short)' |
-		grep -E "${remote}/release/[0-9]+\.[0-9]+$" |
-		sed "s|${remote}/||" |
-		sort -V
-)
-
-# As a sanity check, release/2.26 should exist.
-if ! echo "$release_branches" | grep "release/2.26" >/dev/null; then
-	error "Could not find existing release branches. Did you run 'git fetch -ap ${remote}'?"
-fi
-
-latest_release_branch=$(echo "$release_branches" | tail -n 1)
-latest_release_branch_version=${latest_release_branch#release/}
-log "Latest release branch: $latest_release_branch"
-log "Latest release branch version: $latest_release_branch_version"
-
-# Step 2: check if a matching tag `v<x.y>.0` exists. If it does not, we will
-# use the release branch as the deploy branch.
-if ! git rev-parse "refs/tags/v${latest_release_branch_version}.0" >/dev/null 2>&1; then
-	log "Tag 'v${latest_release_branch_version}.0' does not exist, using release branch as deploy branch"
-	deploy_branch=$latest_release_branch
-else
-	log "Matching tag 'v${latest_release_branch_version}.0' exists, using main as deploy branch"
-fi
-log "Deploy branch: $deploy_branch"
-
-# Finally, check if the current branch is the deploy branch.
-log
-if [[ "$branch_name" != "$deploy_branch" ]]; then
-	log "VERDICT: DO NOT DEPLOY"
-	echo "NOOP" # stdout
-else
-	log "VERDICT: DEPLOY"
-	echo "DEPLOY" # stdout
 fi
diff --git a/scripts/zizmor.sh b/scripts/zizmor.sh
deleted file mode 100755
index a9326e2ee0..0000000000
--- a/scripts/zizmor.sh
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/usr/bin/env bash
-
-# Usage: ./zizmor.sh [args...]
-#
-# This script is a wrapper around the zizmor Docker image. Zizmor lints GitHub
-# actions workflows.
-#
-# We use Docker to run zizmor since it's written in Rust and is difficult to
-# install on Ubuntu runners without building it with a Rust toolchain, which
-# takes a long time.
-#
-# The repo is mounted at /repo and the working directory is set to /repo.
-
-set -euo pipefail
-# shellcheck source=scripts/lib.sh
-source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"
-
-cdroot
-
-image_tag="ghcr.io/zizmorcore/zizmor:1.11.0"
-docker_args=(
-	"--rm"
-	"--volume" "$(pwd):/repo"
-	"--workdir" "/repo"
-	"--network" "host"
-)
-
-if [[ -t 0 ]]; then
-	docker_args+=("-it")
-fi
-
-# If no GH_TOKEN is set, try to get one from `gh auth token`.
-if [[ "${GH_TOKEN:-}" == "" ]] && command -v gh &>/dev/null; then
-	set +e
-	GH_TOKEN="$(gh auth token)"
-	export GH_TOKEN
-	set -e
-fi
-
-# Pass through the GitHub token if it's set, which allows zizmor to scan
-# imported workflows too.
-if [[ "${GH_TOKEN:-}" != "" ]]; then
-	docker_args+=("--env" "GH_TOKEN")
-fi
-
-logrun exec docker run "${docker_args[@]}" "$image_tag" "$@"

From aa9ef66d8124df73a440f00b592ef586f8db2702 Mon Sep 17 00:00:00 2001
From: Ethan <39577870+ethanndickson@users.noreply.github.com>
Date: Tue, 2 Jun 2026 00:16:17 +1000
Subject: [PATCH 19/23] fix(site/src/pages/AgentsPage): drop misleading
 response-startup warning (#25905)

The agents UI showed "Response startup is taking longer than expected"
after a 15s grace period while waiting on the LLM provider. The message
implied a problem was about to occur, but it does not actually lead to a
timeout. The typical underlying cause is provider slowness rather than a
client-side issue, so the warning is alarmist and unhelpful.

Drop the delayed message and its timer entirely. The `starting` phase
now keeps showing the shimmering "Thinking..." indicator until the first
stream chunk arrives. Also remove the now-dead `startingResetKey` /
`chatID` plumbing that only existed to remount the placeholder and reset
the delayed-message timer when switching chats.

Closes CODAGT-536
---
 .../pages/AgentsPage/AgentChatPageView.tsx    |  1 -
 .../ChatConversation/ChatStatusCallout.tsx    | 28 +++-------------
 .../ChatConversation/LiveStreamTail.tsx       |  6 ----
 .../ChatConversation/StreamingOutput.tsx      |  7 +---
 .../components/ChatPageContent.stories.tsx    | 32 +++----------------
 .../AgentsPage/components/ChatPageContent.tsx |  3 --
 6 files changed, 9 insertions(+), 68 deletions(-)

diff --git a/site/src/pages/AgentsPage/AgentChatPageView.tsx b/site/src/pages/AgentsPage/AgentChatPageView.tsx
index b71f4bf0c4..596c499162 100644
--- a/site/src/pages/AgentsPage/AgentChatPageView.tsx
+++ b/site/src/pages/AgentsPage/AgentChatPageView.tsx
@@ -531,7 +531,6 @@ export const AgentChatPageView: FC<AgentChatPageViewProps> = ({
 						>
 							<div className="px-4">
 								<ChatPageTimeline
-									chatID={agentId}
 									store={store}
 									persistedError={persistedError}
 									onEditUserMessage={
diff --git a/site/src/pages/AgentsPage/components/ChatConversation/ChatStatusCallout.tsx b/site/src/pages/AgentsPage/components/ChatConversation/ChatStatusCallout.tsx
index 857d15a5eb..adde6c1151 100644
--- a/site/src/pages/AgentsPage/components/ChatConversation/ChatStatusCallout.tsx
+++ b/site/src/pages/AgentsPage/components/ChatConversation/ChatStatusCallout.tsx
@@ -7,8 +7,6 @@ import { ToolIcon } from "../ChatElements/tools/ToolIcon";
 import { getProviderStatusURL } from "./chatStatusHelpers";
 import type { LiveStatusModel } from "./liveStatusModel";
 
-const RESPONSE_STARTUP_GRACE_MS = 15_000;
-const DELAYED_STARTUP_TEXT = "Response startup is taking longer than expected";
 const THINKING_TEXT = "Thinking...";
 
 type RetryOrFailedStatus = Extract<
@@ -38,25 +36,6 @@ const StatusPlaceholder: FC<{
 	);
 };
 
-const StartingPlaceholder: FC = () => {
-	const [isDelayed, setIsDelayed] = useState(false);
-
-	useEffect(() => {
-		const timeout = window.setTimeout(() => {
-			setIsDelayed(true);
-		}, RESPONSE_STARTUP_GRACE_MS);
-		return () => window.clearTimeout(timeout);
-	}, []);
-
-	return (
-		<StatusPlaceholder
-			text={isDelayed ? DELAYED_STARTUP_TEXT : THINKING_TEXT}
-			shimmer={!isDelayed}
-			showThinkingIcon={!isDelayed}
-		/>
-	);
-};
-
 /**
  * Syncs with the system clock to produce a live countdown from an
  * ISO-8601 deadline. Polls at 100ms so the displayed second flips
@@ -195,14 +174,15 @@ const ReconnectingAlert: FC<{ status: ReconnectingStatus }> = ({ status }) => {
 
 export const ChatStatusCallout: FC<{
 	status: LiveStatusModel;
-	startingResetKey?: string;
-}> = ({ status, startingResetKey }) => {
+}> = ({ status }) => {
 	switch (status.phase) {
 		case "idle":
 		case "streaming":
 			return null;
 		case "starting":
-			return <StartingPlaceholder key={startingResetKey ?? "starting"} />;
+			return (
+				<StatusPlaceholder text={THINKING_TEXT} shimmer showThinkingIcon />
+			);
 		case "retrying":
 			return (
 				<>
diff --git a/site/src/pages/AgentsPage/components/ChatConversation/LiveStreamTail.tsx b/site/src/pages/AgentsPage/components/ChatConversation/LiveStreamTail.tsx
index 9d3d5da412..e5eb558774 100644
--- a/site/src/pages/AgentsPage/components/ChatConversation/LiveStreamTail.tsx
+++ b/site/src/pages/AgentsPage/components/ChatConversation/LiveStreamTail.tsx
@@ -35,7 +35,6 @@ interface LiveStreamTailContentProps {
 	streamState: StreamState | null;
 	streamTools: readonly MergedTool[];
 	liveStatus: LiveStatusModel;
-	startingResetKey?: string;
 	subagentTitles: Map<string, string>;
 	subagentVariants?: Map<string, SubagentVariant>;
 	subagentStatusOverrides: Map<string, TypesGen.ChatStatus>;
@@ -48,7 +47,6 @@ export const LiveStreamTailContent = ({
 	streamState,
 	streamTools,
 	liveStatus,
-	startingResetKey,
 	subagentTitles,
 	subagentVariants,
 	subagentStatusOverrides,
@@ -88,7 +86,6 @@ export const LiveStreamTailContent = ({
 					streamState={streamState}
 					streamTools={streamTools}
 					liveStatus={liveStatus}
-					startingResetKey={startingResetKey}
 					subagentTitles={subagentTitles}
 					subagentVariants={subagentVariants}
 					subagentStatusOverrides={subagentStatusOverrides}
@@ -118,7 +115,6 @@ interface LiveStreamTailProps {
 	store: ChatStoreHandle;
 	persistedError: ChatDetailError | undefined;
 	isTranscriptEmpty: boolean;
-	startingResetKey?: string;
 	subagentTitles: Map<string, string>;
 	subagentVariants?: Map<string, SubagentVariant>;
 	urlTransform?: UrlTransform;
@@ -129,7 +125,6 @@ export const LiveStreamTail = ({
 	store,
 	persistedError,
 	isTranscriptEmpty,
-	startingResetKey,
 	subagentTitles,
 	subagentVariants,
 	urlTransform,
@@ -166,7 +161,6 @@ export const LiveStreamTail = ({
 			streamState={streamState}
 			streamTools={streamTools}
 			liveStatus={liveStatus}
-			startingResetKey={startingResetKey}
 			subagentTitles={subagentTitles}
 			subagentVariants={subagentVariants}
 			subagentStatusOverrides={subagentStatusOverrides}
diff --git a/site/src/pages/AgentsPage/components/ChatConversation/StreamingOutput.tsx b/site/src/pages/AgentsPage/components/ChatConversation/StreamingOutput.tsx
index af8534d960..4284394f6d 100644
--- a/site/src/pages/AgentsPage/components/ChatConversation/StreamingOutput.tsx
+++ b/site/src/pages/AgentsPage/components/ChatConversation/StreamingOutput.tsx
@@ -52,7 +52,6 @@ export const StreamingOutput: FC<{
 	subagentVariants?: Map<string, SubagentVariant>;
 	subagentStatusOverrides?: Map<string, TypesGen.ChatStatus>;
 	liveStatus: LiveStatusModel;
-	startingResetKey?: string;
 	urlTransform?: UrlTransform;
 	mcpServers?: readonly TypesGen.MCPServerConfig[];
 }> = ({
@@ -62,7 +61,6 @@ export const StreamingOutput: FC<{
 	subagentVariants,
 	subagentStatusOverrides,
 	liveStatus,
-	startingResetKey,
 	urlTransform,
 	mcpServers,
 }) => {
@@ -113,10 +111,7 @@ export const StreamingOutput: FC<{
 						)}
 						{needsStreamingThinking && <StreamingThinkingPlaceholder />}
 						{!needsStreamingThinking && hasTransientLiveStatus(liveStatus) && (
-							<ChatStatusCallout
-								status={liveStatus}
-								startingResetKey={startingResetKey}
-							/>
+							<ChatStatusCallout status={liveStatus} />
 						)}
 					</div>
 				</MessageContent>
diff --git a/site/src/pages/AgentsPage/components/ChatPageContent.stories.tsx b/site/src/pages/AgentsPage/components/ChatPageContent.stories.tsx
index ab327d1c83..43d8182066 100644
--- a/site/src/pages/AgentsPage/components/ChatPageContent.stories.tsx
+++ b/site/src/pages/AgentsPage/components/ChatPageContent.stories.tsx
@@ -101,13 +101,7 @@ export const StreamingToolCallGapRegression: Story = {
 		store.setStreamState(streamState);
 		store.setChatStatus("pending");
 
-		return (
-			<ChatPageTimeline
-				chatID={CHAT_ID}
-				store={store}
-				persistedError={undefined}
-			/>
-		);
+		return <ChatPageTimeline store={store} persistedError={undefined} />;
 	},
 	play: async ({ canvasElement }) => {
 		const canvas = within(canvasElement);
@@ -120,13 +114,7 @@ export const StartingPhaseToolCallGapRegression: Story = {
 		const store = buildRegressionStore();
 		store.setChatStatus("running");
 
-		return (
-			<ChatPageTimeline
-				chatID={CHAT_ID}
-				store={store}
-				persistedError={undefined}
-			/>
-		);
+		return <ChatPageTimeline store={store} persistedError={undefined} />;
 	},
 	play: async ({ canvasElement }) => {
 		const canvas = within(canvasElement);
@@ -139,13 +127,7 @@ export const SpacerVisibleWhenNotStreaming: Story = {
 	render: () => {
 		const store = buildThinkingSpacerStore();
 
-		return (
-			<ChatPageTimeline
-				chatID={CHAT_ID}
-				store={store}
-				persistedError={undefined}
-			/>
-		);
+		return <ChatPageTimeline store={store} persistedError={undefined} />;
 	},
 	play: async ({ canvasElement }) => {
 		const canvas = within(canvasElement);
@@ -165,13 +147,7 @@ export const HiddenAssistantPlaceholderDoesNotRender: Story = {
 			buildMessage(4, "user", [{ type: "text", text: "Thanks!" }]),
 		]);
 
-		return (
-			<ChatPageTimeline
-				chatID={CHAT_ID}
-				store={store}
-				persistedError={undefined}
-			/>
-		);
+		return <ChatPageTimeline store={store} persistedError={undefined} />;
 	},
 	play: async ({ canvasElement }) => {
 		const canvas = within(canvasElement);
diff --git a/site/src/pages/AgentsPage/components/ChatPageContent.tsx b/site/src/pages/AgentsPage/components/ChatPageContent.tsx
index 68d2644603..88e958b725 100644
--- a/site/src/pages/AgentsPage/components/ChatPageContent.tsx
+++ b/site/src/pages/AgentsPage/components/ChatPageContent.tsx
@@ -46,7 +46,6 @@ const isChatMessage = (
 ): message is TypesGen.ChatMessage => Boolean(message);
 
 interface ChatPageTimelineProps {
-	chatID?: string;
 	store: ChatStoreHandle;
 	persistedError: ChatDetailError | undefined;
 	onEditUserMessage?: (
@@ -62,7 +61,6 @@ interface ChatPageTimelineProps {
 }
 
 export const ChatPageTimeline: FC<ChatPageTimelineProps> = ({
-	chatID,
 	store,
 	persistedError,
 	onEditUserMessage,
@@ -133,7 +131,6 @@ export const ChatPageTimeline: FC<ChatPageTimelineProps> = ({
 				<LiveStreamTail
 					store={store}
 					persistedError={persistedError}
-					startingResetKey={chatID}
 					isTranscriptEmpty={parsedMessages.length === 0}
 					subagentTitles={subagentTitles}
 					subagentVariants={subagentVariants}

From 9fc12afdaa79d194d7f697c7b80483756cae69ac Mon Sep 17 00:00:00 2001
From: Mathias Fredriksson <mafredri@gmail.com>
Date: Mon, 1 Jun 2026 18:01:19 +0300
Subject: [PATCH 20/23] test(codersdk/toolsdk): use portable echo in
 WorkspaceSSHExec test (#25840)

PowerShell's echo aliases to Write-Output, which rejects -e as
an ambiguous parameter and exits 1. Use plain echo with spaces
instead. Remove the Windows t.Skip and TestMain exception.

TestMain untested-tools check now only fails on full-suite runs.
Filtered runs (e.g. -run TestTools) warn instead.

Closes CODAGT-518
---
 codersdk/toolsdk/toolsdk_test.go | 31 +++++++++++++++----------------
 1 file changed, 15 insertions(+), 16 deletions(-)

diff --git a/codersdk/toolsdk/toolsdk_test.go b/codersdk/toolsdk/toolsdk_test.go
index 41bb6fe28a..bd4949baaa 100644
--- a/codersdk/toolsdk/toolsdk_test.go
+++ b/codersdk/toolsdk/toolsdk_test.go
@@ -4,12 +4,12 @@ import (
 	"context"
 	"database/sql"
 	"encoding/json"
+	"flag"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"os"
 	"path/filepath"
-	"runtime"
 	"sort"
 	"sync"
 	"testing"
@@ -1048,9 +1048,6 @@ func TestTools(t *testing.T) {
 	})
 
 	t.Run("WorkspaceSSHExec", func(t *testing.T) {
-		if runtime.GOOS == "windows" {
-			t.Skip("WorkspaceSSHExec is not supported on Windows")
-		}
 		// Setup workspace exactly like main SSH tests
 		client, workspace, agentToken := setupWorkspaceForAgent(t, nil)
 
@@ -1076,7 +1073,7 @@ func TestTools(t *testing.T) {
 		// Test output trimming
 		result, err = testTool(t, toolsdk.WorkspaceBash, tb, toolsdk.WorkspaceBashArgs{
 			Workspace: workspace.Name,
-			Command:   "echo -e '\\n  test with whitespace  \\n'",
+			Command:   "echo '  test with whitespace  '",
 		})
 		require.NoError(t, err)
 		require.Equal(t, 0, result.ExitCode)
@@ -2576,29 +2573,31 @@ func TestMain(m *testing.M) {
 	var untested []string
 	for _, tool := range toolsdk.All {
 		if tested, ok := testedTools.Load(tool.Name); !ok || !tested.(bool) {
-			// Test is skipped on Windows
-			if runtime.GOOS == "windows" && tool.Name == "coder_workspace_bash" {
-				continue
-			}
 			untested = append(untested, tool.Name)
 		}
 	}
 
 	if len(untested) > 0 && code == 0 {
-		code = 1
-		println("The following tools were not tested:")
+		_, _ = fmt.Fprintln(os.Stderr, "The following tools were not tested:")
 		for _, tool := range untested {
-			println(" - " + tool)
+			_, _ = fmt.Fprintf(os.Stderr, " - %s\n", tool)
+		}
+		_, _ = fmt.Fprintln(os.Stderr, "Please ensure that all tools are tested using testTool().")
+		_, _ = fmt.Fprintln(os.Stderr, "If you just added a new tool, please add a test for it.")
+		// Only fail when the full suite ran. When -run filters to a
+		// subset (e.g. CI flake checks use -run ^TestTools), tools
+		// covered by other top-level functions appear untested.
+		if f := flag.Lookup("test.run"); f == nil || f.Value.String() == "" {
+			code = 1
+		} else {
+			_, _ = fmt.Fprintln(os.Stderr, "NOTE: if you just ran an individual test, this is expected.")
 		}
-		println("Please ensure that all tools are tested using testTool().")
-		println("If you just added a new tool, please add a test for it.")
-		println("NOTE: if you just ran an individual test, this is expected.")
 	}
 
 	// Check for goroutine leaks. Below is adapted from goleak.VerifyTestMain:
 	if code == 0 {
 		if err := goleak.Find(testutil.GoleakOptions...); err != nil {
-			println("goleak: Errors on successful test run: ", err.Error())
+			_, _ = fmt.Fprintln(os.Stderr, "goleak: Errors on successful test run:", err.Error())
 			code = 1
 		}
 	}

From 98c2b60820324afceb4180f10d274aece1362a66 Mon Sep 17 00:00:00 2001
From: Susana Ferreira <susana@coder.com>
Date: Mon, 1 Jun 2026 16:04:55 +0100
Subject: [PATCH 21/23] docs(docs/ai-coder/ai-gateway): document key failover
 for AI Gateway (#25893)

Document the automatic key failover feature for AI Gateway, which allows
configuring multiple centralized API keys per provider instance (OpenAI
and Anthropic only).

## Changes

- **`docs/ai-coder/ai-gateway/providers.md`**: Add "Key failover"
section covering supported providers, configuration via the API (max 5
keys), and failover behavior (auth errors permanently disable a key
until restart/reload, exhausted pool returns `429` or `502`).
- **`docs/ai-coder/ai-gateway/auth.md`**: Add note in BYOK section
clarifying that key failover is skipped when a user-supplied credential
is present.

> [!NOTE]
> Generated by Coder Agents (by @ssncferreira)
---
 docs/ai-coder/ai-gateway/auth.md      |  4 ++++
 docs/ai-coder/ai-gateway/providers.md | 30 +++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/docs/ai-coder/ai-gateway/auth.md b/docs/ai-coder/ai-gateway/auth.md
index d7bb48aa85..e35e4f3d6b 100644
--- a/docs/ai-coder/ai-gateway/auth.md
+++ b/docs/ai-coder/ai-gateway/auth.md
@@ -92,6 +92,10 @@ When no user credential is present, AI Gateway falls back to the admin-configure
 This approach offers centralized keys as a default,
 while allowing individual users to bring their own key.
 
+> [!NOTE]
+> When a BYOK credential is present, [key failover](./providers.md#key-failover)
+> is skipped.
+
 Visit individual [client pages](./clients/index.md) for configuration details.
 
 ### Enable or disable BYOK
diff --git a/docs/ai-coder/ai-gateway/providers.md b/docs/ai-coder/ai-gateway/providers.md
index fae50e282f..084a3227db 100644
--- a/docs/ai-coder/ai-gateway/providers.md
+++ b/docs/ai-coder/ai-gateway/providers.md
@@ -166,6 +166,36 @@ single failure, which may resolve on the next change. See
 [Monitoring](./monitoring.md#provider-metrics) for the full metric list
 and sample alert queries.
 
+## Key failover
+
+You can configure multiple centralized API keys for a single provider instance
+so that AI Gateway automatically retries with the next key when one fails. This
+is transparent to end users, and clients see no difference in behavior or need
+any configuration changes.
+
+Key failover is supported for **OpenAI** and **Anthropic** providers. Amazon
+Bedrock and GitHub Copilot do not support key failover.
+
+Multiple keys can be added per provider through the
+[AI Providers API](../../reference/api/aiproviders.md). Each provider supports
+a maximum of **5 keys**.
+
+### Failover behavior
+
+Every request starts with the first key in the list. If a key is rate-limited
+or returns an authentication error, AI Gateway automatically retries the request
+with the next available key.
+
+> [!WARNING]
+> A key that fails with an authentication error (`401 Unauthorized` or
+> `403 Forbidden`) is permanently disabled and will not be used again until the
+> server is restarted or the provider configuration is reloaded.
+
+If all keys in the pool are exhausted, AI Gateway returns:
+
+- `429 Too Many Requests` when at least one key is rate-limited, with a `Retry-After` header set to the shortest cooldown across all keys.
+- `502 Bad Gateway` when every key has failed permanently.
+
 ## Bring Your Own Key
 
 A provider's configured credentials are the centralized default. When

From 372265a0b5f8e2a6d3fe9d81abded31cc01cceb0 Mon Sep 17 00:00:00 2001
From: Danielle Maywood <danielle@themaywoods.com>
Date: Mon, 1 Jun 2026 18:29:25 +0100
Subject: [PATCH 22/23] docs: document chat sharing (#25592)

---
 docs/ai-coder/agents/chat-sharing.md | 24 ++++++++++++++++++++++++
 docs/manifest.json                   |  6 ++++++
 2 files changed, 30 insertions(+)
 create mode 100644 docs/ai-coder/agents/chat-sharing.md

diff --git a/docs/ai-coder/agents/chat-sharing.md b/docs/ai-coder/agents/chat-sharing.md
new file mode 100644
index 0000000000..89a9391d0e
--- /dev/null
+++ b/docs/ai-coder/agents/chat-sharing.md
@@ -0,0 +1,24 @@
+# Chat Sharing
+
+Chat sharing lets you give other users or groups read-only access to a Coder Agents conversation.
+
+## Share a chat
+
+1. Open the chat you want to share on the **Agents** page. Only top-level chats can be shared; sub-agent chats inherit sharing from their parent.
+1. Click the share icon in the chat top bar.
+1. Click the **Search for user or group** field.
+1. Search for and select a user or group.
+1. Click **Add member** to grant **Read** access.
+1. Copy the chat URL from your browser and send it to the recipients.
+
+Coder does not create a separate share link or notify recipients. They must open the chat from the URL you send them.
+
+## Shared chat access
+
+Viewers can open the chat from a direct link, view messages, stream live updates, and download chat attachments. They reach sub-agent chats by following sub-agent links inside the parent chat or by opening a direct URL.
+
+Shared chats do not appear in the viewer's normal chat list. Viewers have read-only access: they cannot send or edit messages, regenerate the chat title, archive the chat, or change its sharing settings.
+
+## Disable chat sharing
+
+Administrators can disable chat sharing for a deployment with `--disable-chat-sharing`, `CODER_DISABLE_CHAT_SHARING`, or `disableChatSharing`. When disabled, only chat owners can access their chats.
diff --git a/docs/manifest.json b/docs/manifest.json
index fa1b7c0f38..d0485b6ca8 100644
--- a/docs/manifest.json
+++ b/docs/manifest.json
@@ -1007,6 +1007,12 @@
 							"path": "./ai-coder/agents/architecture.md",
 							"state": ["beta"]
 						},
+						{
+							"title": "Chat Sharing",
+							"description": "Share Coder Agents conversations with users and groups",
+							"path": "./ai-coder/agents/chat-sharing.md",
+							"state": ["beta"]
+						},
 						{
 							"title": "Models",
 							"description": "Configure LLM providers and models for Coder Agents",

From fc01aeeb0f76f5fb6852a544de6805f5a5f30e2b Mon Sep 17 00:00:00 2001
From: TJ <tracy@coder.com>
Date: Mon, 1 Jun 2026 10:59:13 -0700
Subject: [PATCH 23/23] fix(site): show condensed count for multi-provider in
 sessions list (#25705)

The Provider column in the AI sessions list now shows:

- **Multiple providers**: condensed count badge (e.g. `2 providers`)
- **Single provider**: icon + display name badge (e.g. `OpenAI`)
(existing behavior)
- **Empty**: nothing rendered

## Changes

| File | Change |
|------|--------|
| `ListSessionsRow.tsx` | Conditional rendering for the provider cell
based on `providers.length` |
| `ListSessionsRow.stories.tsx` | Added stories: `SingleProvider`,
`MultipleProviders`, `EmptyProviders` |
| `ListSessionsPageView.stories.tsx` | `MultipleSessions` story
alternates single/multi provider rows |

> Generated by Coder Agents on behalf of @tracyjohnsonux
---
 .../ListSessionsPageView.stories.tsx          |  1 +
 .../ListSessionsRow.stories.tsx               | 27 ++++++++++++++++++
 .../ListSessionsPage/ListSessionsRow.tsx      | 28 +++++++++++--------
 3 files changed, 45 insertions(+), 11 deletions(-)

diff --git a/site/src/pages/AIBridgePage/ListSessionsPage/ListSessionsPageView.stories.tsx b/site/src/pages/AIBridgePage/ListSessionsPage/ListSessionsPageView.stories.tsx
index 0c5f021969..ede9692b8e 100644
--- a/site/src/pages/AIBridgePage/ListSessionsPage/ListSessionsPageView.stories.tsx
+++ b/site/src/pages/AIBridgePage/ListSessionsPage/ListSessionsPageView.stories.tsx
@@ -92,6 +92,7 @@ export const MultipleSessions: Story = {
 			...MockSession,
 			id: `session-${i}`,
 			threads: i + 1,
+			providers: i % 2 === 0 ? ["anthropic", "openai"] : ["anthropic"],
 			last_prompt: [
 				"But *can* I really fix it?",
 				"Can you refactor the entire authentication module to use JWT tokens instead of session cookies?",
diff --git a/site/src/pages/AIBridgePage/ListSessionsPage/ListSessionsRow.stories.tsx b/site/src/pages/AIBridgePage/ListSessionsPage/ListSessionsRow.stories.tsx
index 1407977398..18db56d938 100644
--- a/site/src/pages/AIBridgePage/ListSessionsPage/ListSessionsRow.stories.tsx
+++ b/site/src/pages/AIBridgePage/ListSessionsPage/ListSessionsRow.stories.tsx
@@ -30,6 +30,33 @@ export const Default: Story = {
 	},
 };
 
+export const SingleProvider: Story = {
+	args: {
+		session: {
+			...MockSession,
+			providers: ["anthropic"],
+		},
+	},
+};
+
+export const MultipleProviders: Story = {
+	args: {
+		session: {
+			...MockSession,
+			providers: ["anthropic", "openai", "copilot"],
+		},
+	},
+};
+
+export const EmptyProviders: Story = {
+	args: {
+		session: {
+			...MockSession,
+			providers: [],
+		},
+	},
+};
+
 export const NullClient: Story = {
 	args: {
 		session: { ...MockSession, client: null },
diff --git a/site/src/pages/AIBridgePage/ListSessionsPage/ListSessionsRow.tsx b/site/src/pages/AIBridgePage/ListSessionsPage/ListSessionsRow.tsx
index a630512b49..92dd035178 100644
--- a/site/src/pages/AIBridgePage/ListSessionsPage/ListSessionsRow.tsx
+++ b/site/src/pages/AIBridgePage/ListSessionsPage/ListSessionsRow.tsx
@@ -63,17 +63,23 @@ export const ListSessionsRow: FC<ListSessionsRowProps> = ({
 			</TableCell>
 			<TableCell className="w-40 max-w-40">
 				<div className="min-w-0 overflow-hidden">
-					<Badge className="gap-1.5 max-w-full">
-						<div className="flex-shrink-0 flex items-center">
-							<AIBridgeProviderIcon
-								provider={getProviderIconName(session.providers[0])}
-								className="size-icon-xs"
-							/>
-						</div>
-						<span className="truncate min-w-0">
-							{getProviderDisplayName(session.providers[0])}
-						</span>
-					</Badge>
+					{session.providers.length > 1 ? (
+						<Badge className="max-w-full">
+							{session.providers.length} providers
+						</Badge>
+					) : session.providers.length === 1 ? (
+						<Badge className="gap-1.5 max-w-full">
+							<div className="flex-shrink-0 flex items-center">
+								<AIBridgeProviderIcon
+									provider={getProviderIconName(session.providers[0])}
+									className="size-icon-xs"
+								/>
+							</div>
+							<span className="truncate min-w-0">
+								{getProviderDisplayName(session.providers[0])}
+							</span>
+						</Badge>
+					) : null}
 				</div>
 			</TableCell>
 			<TableCell className="w-40 max-w-40">