From d55f4153658624d9593c22abcf16ed8ffd692e5e Mon Sep 17 00:00:00 2001
From: Tejas Narayan <stejasnarayan@gmail.com>
Date: Thu, 11 Jun 2026 18:59:50 +0000
Subject: [PATCH 01/12] feat: updating workspace addition

---
 app/api/v1/api.py                             |   2 +
 app/api/v1/routes/agents.py                   |  10 +
 app/api/v1/routes/call_import_evaluations.py  |  11 +
 app/api/v1/routes/call_import_schemas.py      |  10 +
 app/api/v1/routes/call_imports.py             |  11 +
 app/api/v1/routes/evaluations.py              |  11 +
 app/api/v1/routes/evaluator_results.py        |  11 +
 app/api/v1/routes/evaluators.py               |  10 +
 app/api/v1/routes/judge_alignment.py          |  11 +
 app/api/v1/routes/metrics.py                  |  10 +
 app/api/v1/routes/observability.py            |  11 +
 app/api/v1/routes/personas.py                 |  10 +
 app/api/v1/routes/playground.py               |  10 +
 app/api/v1/routes/prompt_optimization.py      |  10 +
 app/api/v1/routes/prompt_partials.py          |  10 +
 app/api/v1/routes/results.py                  |  10 +
 app/api/v1/routes/scenarios.py                |  10 +
 app/api/v1/routes/settings.py                 |  33 +-
 app/api/v1/routes/test_agents.py              |  10 +
 app/api/v1/routes/voice_playground.py         |  11 +
 app/api/v1/routes/workspace_iam.py            | 402 +++++++++++++++++
 app/api/v1/routes/workspaces.py               | 161 ++++---
 app/core/auth/capabilities.py                 | 137 ++++++
 app/core/auth/rbac.py                         |   2 +-
 app/core/auth/workspace_route_capabilities.py |  57 +++
 app/dependencies.py                           | 222 ++++++---
 app/migrations/048_workspace_rbac.py          | 282 ++++++++++++
 app/models/database.py                        |  96 +++-
 app/models/schemas.py                         |  66 +++
 app/services/organization_provisioning.py     |  14 +
 app/services/workspace_rbac.py                | 239 ++++++++++
 .../specs/2026-06-11-workspace-rbac-design.md |  58 +++
 frontend/src/App.tsx                          |   2 +
 .../src/components/CreateWorkspaceModal.tsx   | 426 ++++++++++++++++++
 frontend/src/components/Layout.tsx            |   1 +
 .../src/components/WorkspaceRolesSection.tsx  | 216 +++++++++
 frontend/src/components/WorkspaceSwitcher.tsx | 325 ++++++-------
 .../src/hooks/useWorkspaceCapabilities.ts     |  20 +
 frontend/src/lib/api.ts                       |  73 +++
 frontend/src/pages/iam/IAM.tsx                |   7 +
 .../src/pages/workspace/WorkspaceMembers.tsx  | 225 +++++++++
 frontend/src/store/workspaceStore.ts          |  33 +-
 frontend/src/types/api.ts                     |  49 ++
 tests/conftest.py                             |  78 +++-
 tests/test_api/conftest.py                    |  21 +
 tests/test_api/test_auth_routes.py            |  88 ++--
 tests/test_api/test_workspace_iam.py          | 216 +++++++++
 tests/test_api/test_workspaces.py             |   5 +-
 48 files changed, 3331 insertions(+), 412 deletions(-)
 create mode 100644 app/api/v1/routes/workspace_iam.py
 create mode 100644 app/core/auth/capabilities.py
 create mode 100644 app/core/auth/workspace_route_capabilities.py
 create mode 100644 app/migrations/048_workspace_rbac.py
 create mode 100644 app/services/workspace_rbac.py
 create mode 100644 docs/superpowers/specs/2026-06-11-workspace-rbac-design.md
 create mode 100644 frontend/src/components/CreateWorkspaceModal.tsx
 create mode 100644 frontend/src/components/WorkspaceRolesSection.tsx
 create mode 100644 frontend/src/hooks/useWorkspaceCapabilities.ts
 create mode 100644 frontend/src/pages/workspace/WorkspaceMembers.tsx
 create mode 100644 tests/test_api/test_workspace_iam.py

diff --git a/app/api/v1/api.py b/app/api/v1/api.py
index 90fb2602..804ba6ce 100644
--- a/app/api/v1/api.py
+++ b/app/api/v1/api.py
@@ -40,6 +40,7 @@
     call_import_evaluations,
     judge_alignment,
     workspaces,
+    workspace_iam,
 )
 
 api_router = APIRouter()
@@ -83,3 +84,4 @@
 api_router.include_router(call_import_evaluations.router)
 api_router.include_router(judge_alignment.router)
 api_router.include_router(workspaces.router)
+api_router.include_router(workspace_iam.router)
diff --git a/app/api/v1/routes/agents.py b/app/api/v1/routes/agents.py
index 9bcefbbc..812b4f93 100644
--- a/app/api/v1/routes/agents.py
+++ b/app/api/v1/routes/agents.py
@@ -652,3 +652,13 @@ async def get_agent_delete_impact(
         "can_delete_without_force": len(dependencies) == 0,
     }
 
+
+from app.core.auth.capabilities import SIM_MANAGE, SIM_VIEW
+from app.core.auth.workspace_route_capabilities import apply_workspace_route_capabilities
+
+apply_workspace_route_capabilities(
+    router,
+    view_capability=SIM_VIEW,
+    manage_capability=SIM_MANAGE,
+)
+
diff --git a/app/api/v1/routes/call_import_evaluations.py b/app/api/v1/routes/call_import_evaluations.py
index ce91d644..c74222a9 100644
--- a/app/api/v1/routes/call_import_evaluations.py
+++ b/app/api/v1/routes/call_import_evaluations.py
@@ -8583,3 +8583,14 @@ async def retry_call_import_evaluation_row(
         created_at=eval_row.created_at,
         updated_at=eval_row.updated_at,
     )
+
+
+from app.core.auth.capabilities import EVALS_RUN, EVALS_VIEW
+from app.core.auth.workspace_route_capabilities import apply_workspace_route_capabilities
+
+apply_workspace_route_capabilities(
+    router,
+    view_capability=EVALS_VIEW,
+    manage_capability=EVALS_RUN,
+    run_capability=EVALS_RUN,
+)
diff --git a/app/api/v1/routes/call_import_schemas.py b/app/api/v1/routes/call_import_schemas.py
index 4f4fba7b..86b414b8 100644
--- a/app/api/v1/routes/call_import_schemas.py
+++ b/app/api/v1/routes/call_import_schemas.py
@@ -396,3 +396,13 @@ async def delete_call_import_schema(
     db.delete(schema)
     db.commit()
     return Response(status_code=status.HTTP_204_NO_CONTENT)
+
+
+from app.core.auth.capabilities import CALLS_IMPORT, CALLS_VIEW
+from app.core.auth.workspace_route_capabilities import apply_workspace_route_capabilities
+
+apply_workspace_route_capabilities(
+    router,
+    view_capability=CALLS_VIEW,
+    manage_capability=CALLS_IMPORT,
+)
diff --git a/app/api/v1/routes/call_imports.py b/app/api/v1/routes/call_imports.py
index 947e7538..8be373a8 100644
--- a/app/api/v1/routes/call_imports.py
+++ b/app/api/v1/routes/call_imports.py
@@ -3746,3 +3746,14 @@ async def get_call_import_insights(
         evaluation_count=len(evaluations),
         metrics=metrics_payload,
     )
+
+
+from app.core.auth.capabilities import CALLS_DELETE, CALLS_IMPORT, CALLS_VIEW
+from app.core.auth.workspace_route_capabilities import apply_workspace_route_capabilities
+
+apply_workspace_route_capabilities(
+    router,
+    view_capability=CALLS_VIEW,
+    manage_capability=CALLS_IMPORT,
+    delete_capability=CALLS_DELETE,
+)
diff --git a/app/api/v1/routes/evaluations.py b/app/api/v1/routes/evaluations.py
index a45ee937..840d3803 100644
--- a/app/api/v1/routes/evaluations.py
+++ b/app/api/v1/routes/evaluations.py
@@ -172,3 +172,14 @@ def delete_evaluation(
 
     return {"message": "Evaluation deleted successfully"}
 
+
+from app.core.auth.capabilities import EVALS_RUN, EVALS_VIEW
+from app.core.auth.workspace_route_capabilities import apply_workspace_route_capabilities
+
+apply_workspace_route_capabilities(
+    router,
+    view_capability=EVALS_VIEW,
+    manage_capability=EVALS_RUN,
+    run_capability=EVALS_RUN,
+)
+
diff --git a/app/api/v1/routes/evaluator_results.py b/app/api/v1/routes/evaluator_results.py
index 1c69cd64..c61c8480 100644
--- a/app/api/v1/routes/evaluator_results.py
+++ b/app/api/v1/routes/evaluator_results.py
@@ -745,3 +745,14 @@ def re_evaluate_result(
     db.refresh(result)
     return result
 
+
+from app.core.auth.capabilities import EVALS_RUN, EVALS_VIEW
+from app.core.auth.workspace_route_capabilities import apply_workspace_route_capabilities
+
+apply_workspace_route_capabilities(
+    router,
+    view_capability=EVALS_VIEW,
+    manage_capability=EVALS_RUN,
+    run_capability=EVALS_RUN,
+)
+
diff --git a/app/api/v1/routes/evaluators.py b/app/api/v1/routes/evaluators.py
index 2dfa0b11..1f748e4a 100644
--- a/app/api/v1/routes/evaluators.py
+++ b/app/api/v1/routes/evaluators.py
@@ -651,3 +651,13 @@ def run_evaluators(
         evaluator_results=evaluator_results
     )
 
+
+from app.core.auth.capabilities import SIM_MANAGE, SIM_VIEW
+from app.core.auth.workspace_route_capabilities import apply_workspace_route_capabilities
+
+apply_workspace_route_capabilities(
+    router,
+    view_capability=SIM_VIEW,
+    manage_capability=SIM_MANAGE,
+)
+
diff --git a/app/api/v1/routes/judge_alignment.py b/app/api/v1/routes/judge_alignment.py
index 55f32d09..9fab1ee6 100644
--- a/app/api/v1/routes/judge_alignment.py
+++ b/app/api/v1/routes/judge_alignment.py
@@ -914,3 +914,14 @@ def recompute_metrics(
     db.commit()
     db.refresh(run)
     return run
+
+
+from app.core.auth.capabilities import EVALS_RUN, EVALS_VIEW
+from app.core.auth.workspace_route_capabilities import apply_workspace_route_capabilities
+
+apply_workspace_route_capabilities(
+    router,
+    view_capability=EVALS_VIEW,
+    manage_capability=EVALS_RUN,
+    run_capability=EVALS_RUN,
+)
diff --git a/app/api/v1/routes/metrics.py b/app/api/v1/routes/metrics.py
index f4bcc2c3..7d43248c 100644
--- a/app/api/v1/routes/metrics.py
+++ b/app/api/v1/routes/metrics.py
@@ -2197,3 +2197,13 @@ def parse_bulk_metric(
 
     return MetricParseBulkResponse(metrics=drafts, parent=parent_payload)
 
+
+from app.core.auth.capabilities import METRICS_MANAGE, METRICS_VIEW
+from app.core.auth.workspace_route_capabilities import apply_workspace_route_capabilities
+
+apply_workspace_route_capabilities(
+    router,
+    view_capability=METRICS_VIEW,
+    manage_capability=METRICS_MANAGE,
+)
+
diff --git a/app/api/v1/routes/observability.py b/app/api/v1/routes/observability.py
index 52c60dd9..61770404 100644
--- a/app/api/v1/routes/observability.py
+++ b/app/api/v1/routes/observability.py
@@ -582,3 +582,14 @@ async def evaluate_call(
         "message": "Evaluation queued successfully",
     }
 
+
+from app.core.auth.capabilities import REPORTS_GENERATE, REPORTS_VIEW
+from app.core.auth.workspace_route_capabilities import apply_workspace_route_capabilities
+
+apply_workspace_route_capabilities(
+    router,
+    view_capability=REPORTS_VIEW,
+    manage_capability=REPORTS_GENERATE,
+    run_capability=REPORTS_GENERATE,
+)
+
diff --git a/app/api/v1/routes/personas.py b/app/api/v1/routes/personas.py
index 379d8470..1472b3c6 100644
--- a/app/api/v1/routes/personas.py
+++ b/app/api/v1/routes/personas.py
@@ -841,3 +841,13 @@ async def seed_demo_data(
             detail=f"Unexpected error seeding demo data: {str(e)}"
         )
 
+
+from app.core.auth.capabilities import SIM_MANAGE, SIM_VIEW
+from app.core.auth.workspace_route_capabilities import apply_workspace_route_capabilities
+
+apply_workspace_route_capabilities(
+    router,
+    view_capability=SIM_VIEW,
+    manage_capability=SIM_MANAGE,
+)
+
diff --git a/app/api/v1/routes/playground.py b/app/api/v1/routes/playground.py
index 421c8aeb..02651ab1 100644
--- a/app/api/v1/routes/playground.py
+++ b/app/api/v1/routes/playground.py
@@ -1978,3 +1978,13 @@ async def summarize_transcript(
         "usage": result.get("usage", {}),
     }
 
+
+from app.core.auth.capabilities import SIM_MANAGE, SIM_VIEW
+from app.core.auth.workspace_route_capabilities import apply_workspace_route_capabilities
+
+apply_workspace_route_capabilities(
+    router,
+    view_capability=SIM_VIEW,
+    manage_capability=SIM_MANAGE,
+)
+
diff --git a/app/api/v1/routes/prompt_optimization.py b/app/api/v1/routes/prompt_optimization.py
index 19033e40..f0805797 100644
--- a/app/api/v1/routes/prompt_optimization.py
+++ b/app/api/v1/routes/prompt_optimization.py
@@ -370,3 +370,13 @@ def _get_candidate(
         raise HTTPException(404, "Candidate not found")
 
     return candidate
+
+
+from app.core.auth.capabilities import SIM_MANAGE, SIM_VIEW
+from app.core.auth.workspace_route_capabilities import apply_workspace_route_capabilities
+
+apply_workspace_route_capabilities(
+    router,
+    view_capability=SIM_VIEW,
+    manage_capability=SIM_MANAGE,
+)
diff --git a/app/api/v1/routes/prompt_partials.py b/app/api/v1/routes/prompt_partials.py
index 138f8e95..e0372c0a 100644
--- a/app/api/v1/routes/prompt_partials.py
+++ b/app/api/v1/routes/prompt_partials.py
@@ -838,3 +838,13 @@ async def map_prompt_partial_flowchart_nodes(
     )
     db.refresh(partial)
     return _agent_flowchart_response(partial)
+
+
+from app.core.auth.capabilities import SIM_MANAGE, SIM_VIEW
+from app.core.auth.workspace_route_capabilities import apply_workspace_route_capabilities
+
+apply_workspace_route_capabilities(
+    router,
+    view_capability=SIM_VIEW,
+    manage_capability=SIM_MANAGE,
+)
diff --git a/app/api/v1/routes/results.py b/app/api/v1/routes/results.py
index 345858bb..1b58d44a 100644
--- a/app/api/v1/routes/results.py
+++ b/app/api/v1/routes/results.py
@@ -200,3 +200,13 @@ def compare_evaluations(
         comparison_metrics=comparison_metrics,
     )
 
+
+from app.core.auth.capabilities import EVALS_VIEW
+from app.core.auth.workspace_route_capabilities import apply_workspace_route_capabilities
+
+apply_workspace_route_capabilities(
+    router,
+    view_capability=EVALS_VIEW,
+    manage_capability=EVALS_VIEW,
+)
+
diff --git a/app/api/v1/routes/scenarios.py b/app/api/v1/routes/scenarios.py
index 428b7a97..80cd9080 100644
--- a/app/api/v1/routes/scenarios.py
+++ b/app/api/v1/routes/scenarios.py
@@ -206,3 +206,13 @@ async def delete_scenario(
 
     return Response(status_code=204)
 
+
+from app.core.auth.capabilities import SIM_MANAGE, SIM_VIEW
+from app.core.auth.workspace_route_capabilities import apply_workspace_route_capabilities
+
+apply_workspace_route_capabilities(
+    router,
+    view_capability=SIM_VIEW,
+    manage_capability=SIM_MANAGE,
+)
+
diff --git a/app/api/v1/routes/settings.py b/app/api/v1/routes/settings.py
index 095e67ff..a9a5900d 100644
--- a/app/api/v1/routes/settings.py
+++ b/app/api/v1/routes/settings.py
@@ -14,7 +14,14 @@
 import secrets
 from pydantic import BaseModel
 
-from app.dependencies import get_db, get_api_key, get_organization_id, get_workspace_id
+from app.dependencies import (
+    get_db,
+    get_api_key,
+    get_organization_id,
+    get_workspace_id,
+    require_capability,
+)
+from app.core.auth.capabilities import REPORTS_VIEW, WORKSPACE_SETTINGS
 from app.models.database import APIKey, User, Organization, Workspace
 from app.models.schemas import MessageResponse
 from app.api.v1.routes.profile import get_current_user
@@ -130,7 +137,11 @@ def _report_branding_response(workspace: Workspace) -> ReportBrandingResponse:
     )
 
 
-@router.get("/report-branding", response_model=ReportBrandingResponse)
+@router.get(
+    "/report-branding",
+    response_model=ReportBrandingResponse,
+    dependencies=[Depends(require_capability(REPORTS_VIEW))],
+)
 def get_report_branding(
     api_key: str = Depends(get_api_key),
     organization_id: UUID = Depends(get_organization_id),
@@ -151,7 +162,11 @@ def get_report_branding(
     return _report_branding_response(workspace)
 
 
-@router.patch("/report-branding", response_model=ReportBrandingResponse)
+@router.patch(
+    "/report-branding",
+    response_model=ReportBrandingResponse,
+    dependencies=[Depends(require_capability(WORKSPACE_SETTINGS))],
+)
 def update_report_branding(
     payload: ReportBrandingUpdateRequest,
     api_key: str = Depends(get_api_key),
@@ -181,7 +196,11 @@ def update_report_branding(
     return _report_branding_response(workspace)
 
 
-@router.post("/report-branding/images", response_model=ReportBrandingResponse)
+@router.post(
+    "/report-branding/images",
+    response_model=ReportBrandingResponse,
+    dependencies=[Depends(require_capability(WORKSPACE_SETTINGS))],
+)
 async def upload_report_branding_images(
     files: List[UploadFile] = File(...),
     role: Literal["internal", "external", "generic"] = Form("generic"),
@@ -265,7 +284,11 @@ async def upload_report_branding_images(
     return _report_branding_response(workspace)
 
 
-@router.delete("/report-branding/images/{image_id}", response_model=ReportBrandingResponse)
+@router.delete(
+    "/report-branding/images/{image_id}",
+    response_model=ReportBrandingResponse,
+    dependencies=[Depends(require_capability(WORKSPACE_SETTINGS))],
+)
 def delete_report_branding_image(
     image_id: str,
     api_key: str = Depends(get_api_key),
diff --git a/app/api/v1/routes/test_agents.py b/app/api/v1/routes/test_agents.py
index 28e1420c..0c402156 100644
--- a/app/api/v1/routes/test_agents.py
+++ b/app/api/v1/routes/test_agents.py
@@ -274,3 +274,13 @@ async def delete_conversation(
     db.commit()
     return None
 
+
+from app.core.auth.capabilities import SIM_MANAGE, SIM_VIEW
+from app.core.auth.workspace_route_capabilities import apply_workspace_route_capabilities
+
+apply_workspace_route_capabilities(
+    router,
+    view_capability=SIM_VIEW,
+    manage_capability=SIM_MANAGE,
+)
+
diff --git a/app/api/v1/routes/voice_playground.py b/app/api/v1/routes/voice_playground.py
index 57ec9ba6..48cc0f81 100644
--- a/app/api/v1/routes/voice_playground.py
+++ b/app/api/v1/routes/voice_playground.py
@@ -2470,3 +2470,14 @@ def _recompute_summary(comparison: TTSComparison, db: Session):
 
     comparison.evaluation_summary = summary
     db.commit()
+
+
+from app.core.auth.capabilities import REPORTS_GENERATE, REPORTS_VIEW
+from app.core.auth.workspace_route_capabilities import apply_workspace_route_capabilities
+
+apply_workspace_route_capabilities(
+    router,
+    view_capability=REPORTS_VIEW,
+    manage_capability=REPORTS_GENERATE,
+    run_capability=REPORTS_GENERATE,
+)
diff --git a/app/api/v1/routes/workspace_iam.py b/app/api/v1/routes/workspace_iam.py
new file mode 100644
index 00000000..553829bb
--- /dev/null
+++ b/app/api/v1/routes/workspace_iam.py
@@ -0,0 +1,402 @@
+"""Workspace IAM: membership and role management."""
+
+from __future__ import annotations
+
+from typing import List
+from uuid import UUID
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy.exc import IntegrityError
+from sqlalchemy.orm import Session
+
+from app.core.auth import Principal, get_principal
+from app.core.auth.capabilities import (
+    WORKSPACE_MEMBERS_MANAGE,
+    WORKSPACE_MEMBERS_VIEW,
+    capabilities_for_registry,
+    normalize_capabilities,
+)
+from app.core.auth.rbac import require_admin
+from app.database import get_db
+from app.dependencies import get_organization_id
+from app.models.database import OrganizationMember, User, Workspace, WorkspaceMember, WorkspaceRole
+from app.models.schemas import (
+    CapabilityDomainResponse,
+    WorkspaceMemberCreate,
+    WorkspaceMemberResponse,
+    WorkspaceMemberUpdate,
+    WorkspaceRoleCreate,
+    WorkspaceRoleResponse,
+    WorkspaceRoleUpdate,
+)
+from app.services.workspace_rbac import (
+    add_workspace_member,
+    count_workspace_admins,
+    is_workspace_admin_role,
+    resolve_workspace_capabilities,
+    seed_system_workspace_roles,
+)
+
+
+router = APIRouter(tags=["Workspace IAM"])
+
+
+def _require_workspace_capability(
+    db: Session,
+    *,
+    principal: Principal,
+    organization_id: UUID,
+    workspace_id: UUID,
+    capability: str,
+) -> None:
+    workspace = (
+        db.query(Workspace)
+        .filter(
+            Workspace.id == workspace_id,
+            Workspace.organization_id == organization_id,
+        )
+        .first()
+    )
+    if workspace is None:
+        raise HTTPException(status_code=404, detail="Workspace not found.")
+    caps, _, _ = resolve_workspace_capabilities(
+        db,
+        principal=principal,
+        workspace_id=workspace_id,
+        organization_id=organization_id,
+    )
+    if capability not in caps:
+        raise HTTPException(
+            status_code=403,
+            detail=f"This action requires the '{capability}' capability in this workspace.",
+        )
+
+
+def _member_response(db: Session, member: WorkspaceMember) -> WorkspaceMemberResponse:
+    user = db.query(User).filter(User.id == member.user_id).first()
+    role = db.query(WorkspaceRole).filter(WorkspaceRole.id == member.role_id).first()
+    return WorkspaceMemberResponse(
+        id=member.id,
+        workspace_id=member.workspace_id,
+        user_id=member.user_id,
+        role_id=member.role_id,
+        role_name=role.name if role else "Unknown",
+        user_email=user.email if user else "",
+        user_name=user.name if user else None,
+        added_by_user_id=member.added_by_user_id,
+        created_at=member.created_at,
+    )
+
+
+@router.get("/capabilities", response_model=List[CapabilityDomainResponse])
+def list_capabilities():
+    """Return the capability registry for the role-builder UI."""
+    return capabilities_for_registry()
+
+
+@router.get("/workspace-roles", response_model=List[WorkspaceRoleResponse])
+def list_workspace_roles(
+    organization_id: UUID = Depends(get_organization_id),
+    db: Session = Depends(get_db),
+):
+    roles = (
+        db.query(WorkspaceRole)
+        .filter(WorkspaceRole.organization_id == organization_id)
+        .order_by(WorkspaceRole.is_system.desc(), WorkspaceRole.name.asc())
+        .all()
+    )
+    return roles
+
+
+@router.post(
+    "/workspace-roles",
+    response_model=WorkspaceRoleResponse,
+    status_code=status.HTTP_201_CREATED,
+    dependencies=[Depends(require_admin)],
+)
+def create_workspace_role(
+    payload: WorkspaceRoleCreate,
+    organization_id: UUID = Depends(get_organization_id),
+    db: Session = Depends(get_db),
+):
+    caps = sorted(normalize_capabilities(payload.capabilities))
+    if not caps:
+        raise HTTPException(status_code=400, detail="At least one valid capability is required.")
+
+    existing = (
+        db.query(WorkspaceRole)
+        .filter(
+            WorkspaceRole.organization_id == organization_id,
+            WorkspaceRole.name == payload.name.strip(),
+        )
+        .first()
+    )
+    if existing:
+        raise HTTPException(status_code=409, detail="A role with this name already exists.")
+
+    role = WorkspaceRole(
+        organization_id=organization_id,
+        name=payload.name.strip(),
+        description=payload.description,
+        capabilities=caps,
+        is_system=False,
+    )
+    db.add(role)
+    db.commit()
+    db.refresh(role)
+    return role
+
+
+@router.patch(
+    "/workspace-roles/{role_id}",
+    response_model=WorkspaceRoleResponse,
+    dependencies=[Depends(require_admin)],
+)
+def update_workspace_role(
+    role_id: UUID,
+    payload: WorkspaceRoleUpdate,
+    organization_id: UUID = Depends(get_organization_id),
+    db: Session = Depends(get_db),
+):
+    role = (
+        db.query(WorkspaceRole)
+        .filter(
+            WorkspaceRole.id == role_id,
+            WorkspaceRole.organization_id == organization_id,
+        )
+        .first()
+    )
+    if role is None:
+        raise HTTPException(status_code=404, detail="Role not found.")
+    if role.is_system:
+        raise HTTPException(status_code=400, detail="System roles cannot be modified.")
+
+    if payload.name is not None:
+        role.name = payload.name.strip()
+    if payload.description is not None:
+        role.description = payload.description
+    if payload.capabilities is not None:
+        caps = sorted(normalize_capabilities(payload.capabilities))
+        if not caps:
+            raise HTTPException(status_code=400, detail="At least one valid capability is required.")
+        role.capabilities = caps
+
+    db.commit()
+    db.refresh(role)
+    return role
+
+
+@router.delete(
+    "/workspace-roles/{role_id}",
+    status_code=status.HTTP_204_NO_CONTENT,
+    dependencies=[Depends(require_admin)],
+)
+def delete_workspace_role(
+    role_id: UUID,
+    organization_id: UUID = Depends(get_organization_id),
+    db: Session = Depends(get_db),
+):
+    role = (
+        db.query(WorkspaceRole)
+        .filter(
+            WorkspaceRole.id == role_id,
+            WorkspaceRole.organization_id == organization_id,
+        )
+        .first()
+    )
+    if role is None:
+        raise HTTPException(status_code=404, detail="Role not found.")
+    if role.is_system:
+        raise HTTPException(status_code=400, detail="System roles cannot be deleted.")
+
+    assigned = (
+        db.query(WorkspaceMember)
+        .filter(WorkspaceMember.role_id == role_id)
+        .count()
+    )
+    if assigned:
+        raise HTTPException(
+            status_code=409,
+            detail="Role is assigned to workspace members and cannot be deleted.",
+        )
+
+    db.delete(role)
+    db.commit()
+    return None
+
+
+@router.get("/workspaces/{workspace_id}/members", response_model=List[WorkspaceMemberResponse])
+def list_workspace_members(
+    workspace_id: UUID,
+    principal: Principal = Depends(get_principal),
+    organization_id: UUID = Depends(get_organization_id),
+    db: Session = Depends(get_db),
+):
+    _require_workspace_capability(
+        db,
+        principal=principal,
+        organization_id=organization_id,
+        workspace_id=workspace_id,
+        capability=WORKSPACE_MEMBERS_VIEW,
+    )
+    members = (
+        db.query(WorkspaceMember)
+        .filter(WorkspaceMember.workspace_id == workspace_id)
+        .order_by(WorkspaceMember.created_at.asc())
+        .all()
+    )
+    return [_member_response(db, member) for member in members]
+
+
+@router.post(
+    "/workspaces/{workspace_id}/members",
+    response_model=WorkspaceMemberResponse,
+    status_code=status.HTTP_201_CREATED,
+)
+def add_workspace_member_route(
+    workspace_id: UUID,
+    payload: WorkspaceMemberCreate,
+    principal: Principal = Depends(get_principal),
+    organization_id: UUID = Depends(get_organization_id),
+    db: Session = Depends(get_db),
+):
+    _require_workspace_capability(
+        db,
+        principal=principal,
+        organization_id=organization_id,
+        workspace_id=workspace_id,
+        capability=WORKSPACE_MEMBERS_MANAGE,
+    )
+
+    org_member = (
+        db.query(OrganizationMember)
+        .filter(
+            OrganizationMember.organization_id == organization_id,
+            OrganizationMember.user_id == payload.user_id,
+        )
+        .first()
+    )
+    if org_member is None:
+        raise HTTPException(status_code=400, detail="User is not a member of this organization.")
+
+    role = (
+        db.query(WorkspaceRole)
+        .filter(
+            WorkspaceRole.id == payload.role_id,
+            WorkspaceRole.organization_id == organization_id,
+        )
+        .first()
+    )
+    if role is None:
+        raise HTTPException(status_code=404, detail="Role not found.")
+
+    member = add_workspace_member(
+        db,
+        workspace_id=workspace_id,
+        user_id=payload.user_id,
+        role_id=payload.role_id,
+        added_by_user_id=principal.user_id,
+    )
+    db.commit()
+    db.refresh(member)
+    return _member_response(db, member)
+
+
+@router.patch(
+    "/workspaces/{workspace_id}/members/{user_id}",
+    response_model=WorkspaceMemberResponse,
+)
+def update_workspace_member_route(
+    workspace_id: UUID,
+    user_id: UUID,
+    payload: WorkspaceMemberUpdate,
+    principal: Principal = Depends(get_principal),
+    organization_id: UUID = Depends(get_organization_id),
+    db: Session = Depends(get_db),
+):
+    _require_workspace_capability(
+        db,
+        principal=principal,
+        organization_id=organization_id,
+        workspace_id=workspace_id,
+        capability=WORKSPACE_MEMBERS_MANAGE,
+    )
+
+    member = (
+        db.query(WorkspaceMember)
+        .filter(
+            WorkspaceMember.workspace_id == workspace_id,
+            WorkspaceMember.user_id == user_id,
+        )
+        .first()
+    )
+    if member is None:
+        raise HTTPException(status_code=404, detail="Workspace member not found.")
+
+    new_role = (
+        db.query(WorkspaceRole)
+        .filter(
+            WorkspaceRole.id == payload.role_id,
+            WorkspaceRole.organization_id == organization_id,
+        )
+        .first()
+    )
+    if new_role is None:
+        raise HTTPException(status_code=404, detail="Role not found.")
+
+    old_role = db.query(WorkspaceRole).filter(WorkspaceRole.id == member.role_id).first()
+    if is_workspace_admin_role(old_role) and not is_workspace_admin_role(new_role):
+        if count_workspace_admins(db, workspace_id=workspace_id) <= 1:
+            raise HTTPException(
+                status_code=409,
+                detail="Cannot demote the last Workspace Admin of this workspace.",
+            )
+
+    member.role_id = payload.role_id
+    db.commit()
+    db.refresh(member)
+    return _member_response(db, member)
+
+
+@router.delete(
+    "/workspaces/{workspace_id}/members/{user_id}",
+    status_code=status.HTTP_204_NO_CONTENT,
+)
+def remove_workspace_member_route(
+    workspace_id: UUID,
+    user_id: UUID,
+    principal: Principal = Depends(get_principal),
+    organization_id: UUID = Depends(get_organization_id),
+    db: Session = Depends(get_db),
+):
+    is_self = principal.user_id == user_id
+    if not is_self:
+        _require_workspace_capability(
+            db,
+            principal=principal,
+            organization_id=organization_id,
+            workspace_id=workspace_id,
+            capability=WORKSPACE_MEMBERS_MANAGE,
+        )
+
+    member = (
+        db.query(WorkspaceMember)
+        .filter(
+            WorkspaceMember.workspace_id == workspace_id,
+            WorkspaceMember.user_id == user_id,
+        )
+        .first()
+    )
+    if member is None:
+        raise HTTPException(status_code=404, detail="Workspace member not found.")
+
+    role = db.query(WorkspaceRole).filter(WorkspaceRole.id == member.role_id).first()
+    if is_workspace_admin_role(role) and count_workspace_admins(db, workspace_id=workspace_id) <= 1:
+        raise HTTPException(
+            status_code=409,
+            detail="Cannot remove the last Workspace Admin of this workspace.",
+        )
+
+    db.delete(member)
+    db.commit()
+    return None
diff --git a/app/api/v1/routes/workspaces.py b/app/api/v1/routes/workspaces.py
index c86945d7..81b6d076 100644
--- a/app/api/v1/routes/workspaces.py
+++ b/app/api/v1/routes/workspaces.py
@@ -1,12 +1,4 @@
-"""Workspace management routes.
-
-Workspaces are the in-org isolation boundary picked up by the
-``X-Workspace-Id`` header (see ``app.dependencies.get_workspace_id``).
-Members can list, create, rename and delete workspaces within their
-own organization; the Default workspace can never be deleted because
-the rest of the system uses it as the fallback when a request arrives
-without an explicit workspace header.
-"""
+"""Workspace management routes with capability-based access control."""
 
 from __future__ import annotations
 
@@ -18,63 +10,98 @@
 from sqlalchemy.exc import IntegrityError
 from sqlalchemy.orm import Session
 
+from app.core.auth import Principal, get_principal
+from app.core.auth.capabilities import WORKSPACE_SETTINGS
+from app.core.auth.rbac import get_org_role, require_admin, require_writer
 from app.database import get_db
 from app.dependencies import get_organization_id
-from app.models.database import Workspace
+from app.models.database import RoleEnum, Workspace, WorkspaceMember, WorkspaceRole
 from app.models.schemas import (
     WorkspaceCreate,
     WorkspaceResponse,
     WorkspaceUpdate,
 )
+from app.services.workspace_rbac import (
+    ensure_creator_workspace_admin,
+    resolve_workspace_capabilities,
+    seed_system_workspace_roles,
+)
 
 
 router = APIRouter(prefix="/workspaces", tags=["Workspaces"])
 
-
-# Slugs use underscores so they round-trip cleanly through the UI and URL
-# path (no percent-encoded hyphens, no collisions with our default
-# ``"default"`` slug).
 _SLUG_PATTERN = re.compile(r"[^a-z0-9_]+")
 
 
 def _slugify(value: str) -> str:
-    """Best-effort slug derivation from a display name.
-
-    Lower-cases, replaces runs of non-alphanumerics with underscores,
-    and trims leading/trailing underscores. Empty inputs collapse to
-    ``"workspace"`` so we never persist an empty slug.
-    """
     cleaned = _SLUG_PATTERN.sub("_", value.strip().lower()).strip("_")
     return cleaned or "workspace"
 
 
+def _workspace_response(
+    db: Session,
+    *,
+    workspace: Workspace,
+    principal: Principal,
+) -> WorkspaceResponse:
+    caps, _membership, role = resolve_workspace_capabilities(
+        db,
+        principal=principal,
+        workspace_id=workspace.id,
+        organization_id=workspace.organization_id,
+    )
+    return WorkspaceResponse(
+        id=workspace.id,
+        organization_id=workspace.organization_id,
+        name=workspace.name,
+        slug=workspace.slug,
+        is_default=workspace.is_default,
+        created_at=workspace.created_at,
+        updated_at=workspace.updated_at,
+        role_id=role.id if role else None,
+        role_name=role.name if role else ("Org Admin" if caps else None),
+        capabilities=sorted(caps),
+    )
+
+
 @router.get("", response_model=List[WorkspaceResponse])
 def list_workspaces(
+    principal: Principal = Depends(get_principal),
     organization_id: UUID = Depends(get_organization_id),
     db: Session = Depends(get_db),
 ):
-    """List every workspace in the caller's organization."""
-    workspaces = (
-        db.query(Workspace)
-        .filter(Workspace.organization_id == organization_id)
-        # Default first, then alphabetical so the UI list reads naturally.
-        .order_by(Workspace.is_default.desc(), Workspace.name.asc())
-        .all()
-    )
-    return workspaces
+    """List workspaces the caller can access."""
+    org_role = get_org_role(principal, db)
+    query = db.query(Workspace).filter(Workspace.organization_id == organization_id)
+
+    if org_role != RoleEnum.ADMIN and principal.user_id is not None:
+        member_ws_ids = [
+            row[0]
+            for row in db.query(WorkspaceMember.workspace_id)
+            .filter(WorkspaceMember.user_id == principal.user_id)
+            .all()
+        ]
+        if not member_ws_ids:
+            return []
+        query = query.filter(Workspace.id.in_(member_ws_ids))
+
+    workspaces = query.order_by(Workspace.is_default.desc(), Workspace.name.asc()).all()
+    return [_workspace_response(db, workspace=ws, principal=principal) for ws in workspaces]
 
 
 @router.post(
     "",
     response_model=WorkspaceResponse,
     status_code=status.HTTP_201_CREATED,
+    dependencies=[Depends(require_writer)],
 )
 def create_workspace(
     payload: WorkspaceCreate,
+    principal: Principal = Depends(get_principal),
     organization_id: UUID = Depends(get_organization_id),
     db: Session = Depends(get_db),
 ):
-    """Create a new (non-default) workspace in the caller's org."""
+    """Create a new (non-default) workspace; creator becomes Workspace Admin."""
     slug = (payload.slug or _slugify(payload.name)).strip().lower()
     if not slug:
         raise HTTPException(
@@ -82,10 +109,6 @@ def create_workspace(
             detail="Workspace slug cannot be empty.",
         )
 
-    # Pre-check the slug so we can return a clean 409 even on backends
-    # whose IntegrityError messages don't include the constraint name
-    # (e.g. SQLite in tests). We still rely on the unique index for
-    # the race-condition safety net below.
     existing = (
         db.query(Workspace)
         .filter(
@@ -97,20 +120,26 @@ def create_workspace(
     if existing is not None:
         raise HTTPException(
             status_code=status.HTTP_409_CONFLICT,
-            detail=(
-                f"A workspace with slug '{slug}' already exists in "
-                "this organization."
-            ),
+            detail=f"A workspace with slug '{slug}' already exists in this organization.",
         )
 
+    seed_system_workspace_roles(db, organization_id=organization_id)
+
     workspace = Workspace(
         organization_id=organization_id,
         name=payload.name.strip(),
         slug=slug,
         is_default=False,
+        created_by_user_id=principal.user_id,
     )
     db.add(workspace)
     try:
+        db.flush()
+        ensure_creator_workspace_admin(
+            db,
+            workspace=workspace,
+            user_id=principal.user_id,
+        )
         db.commit()
     except IntegrityError as exc:
         db.rollback()
@@ -118,27 +147,40 @@ def create_workspace(
         if "uq_workspaces_org_slug" in message or "unique" in message:
             raise HTTPException(
                 status_code=status.HTTP_409_CONFLICT,
-                detail=(
-                    f"A workspace with slug '{slug}' already exists in "
-                    "this organization."
-                ),
+                detail=f"A workspace with slug '{slug}' already exists in this organization.",
             )
         raise HTTPException(
             status_code=status.HTTP_400_BAD_REQUEST,
             detail="Could not create workspace.",
         )
     db.refresh(workspace)
-    return workspace
+    return _workspace_response(db, workspace=workspace, principal=principal)
 
 
-@router.patch("/{workspace_id}", response_model=WorkspaceResponse)
+@router.patch(
+    "/{workspace_id}",
+    response_model=WorkspaceResponse,
+)
 def update_workspace(
     workspace_id: UUID,
     payload: WorkspaceUpdate,
+    principal: Principal = Depends(get_principal),
     organization_id: UUID = Depends(get_organization_id),
     db: Session = Depends(get_db),
 ):
     """Rename a workspace (slug stays put to keep deep-links stable)."""
+    caps, _, _ = resolve_workspace_capabilities(
+        db,
+        principal=principal,
+        workspace_id=workspace_id,
+        organization_id=organization_id,
+    )
+    if WORKSPACE_SETTINGS not in caps:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail=f"This action requires the '{WORKSPACE_SETTINGS}' capability in this workspace.",
+        )
+
     workspace = (
         db.query(Workspace)
         .filter(
@@ -148,30 +190,25 @@ def update_workspace(
         .first()
     )
     if workspace is None:
-        raise HTTPException(
-            status_code=status.HTTP_404_NOT_FOUND,
-            detail="Workspace not found.",
-        )
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Workspace not found.")
 
     workspace.name = payload.name.strip()
     db.commit()
     db.refresh(workspace)
-    return workspace
+    return _workspace_response(db, workspace=workspace, principal=principal)
 
 
-@router.delete("/{workspace_id}", status_code=status.HTTP_204_NO_CONTENT)
+@router.delete(
+    "/{workspace_id}",
+    status_code=status.HTTP_204_NO_CONTENT,
+    dependencies=[Depends(require_admin)],
+)
 def delete_workspace(
     workspace_id: UUID,
     organization_id: UUID = Depends(get_organization_id),
     db: Session = Depends(get_db),
 ):
-    """Delete a non-default workspace.
-
-    The Default workspace is the safety net for headerless requests and
-    legacy rows, so it can never be deleted. Workspaces that still own
-    resources will be rejected by the ``ON DELETE RESTRICT`` FKs
-    declared in migrations 033/034 and surface here as a 409.
-    """
+    """Delete a non-default workspace (org admin only)."""
     workspace = (
         db.query(Workspace)
         .filter(
@@ -181,10 +218,7 @@ def delete_workspace(
         .first()
     )
     if workspace is None:
-        raise HTTPException(
-            status_code=status.HTTP_404_NOT_FOUND,
-            detail="Workspace not found.",
-        )
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Workspace not found.")
     if workspace.is_default:
         raise HTTPException(
             status_code=status.HTTP_400_BAD_REQUEST,
@@ -198,9 +232,6 @@ def delete_workspace(
         db.rollback()
         raise HTTPException(
             status_code=status.HTTP_409_CONFLICT,
-            detail=(
-                "Workspace still contains resources. Move or delete "
-                "them before removing the workspace."
-            ),
+            detail="Workspace still contains resources. Move or delete them before removing the workspace.",
         )
     return None
diff --git a/app/core/auth/capabilities.py b/app/core/auth/capabilities.py
new file mode 100644
index 00000000..df3f1078
--- /dev/null
+++ b/app/core/auth/capabilities.py
@@ -0,0 +1,137 @@
+"""
+Workspace capability registry.
+
+Capabilities are fixed strings defined in code. Workspace roles (system or
+custom) are bundles of these strings stored in the database.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Dict, FrozenSet, List, Set
+
+
+# ---------------------------------------------------------------------------
+# Capability constants
+# ---------------------------------------------------------------------------
+
+CALLS_VIEW = "calls.view"
+CALLS_IMPORT = "calls.import"
+CALLS_DELETE = "calls.delete"
+
+METRICS_VIEW = "metrics.view"
+METRICS_MANAGE = "metrics.manage"
+
+EVALS_VIEW = "evals.view"
+EVALS_RUN = "evals.run"
+
+SIM_VIEW = "sim.view"
+SIM_MANAGE = "sim.manage"
+
+REPORTS_VIEW = "reports.view"
+REPORTS_GENERATE = "reports.generate"
+
+WORKSPACE_SETTINGS = "workspace.settings"
+WORKSPACE_MEMBERS_VIEW = "workspace.members.view"
+WORKSPACE_MEMBERS_MANAGE = "workspace.members.manage"
+
+
+ALL_CAPABILITIES: FrozenSet[str] = frozenset(
+    {
+        CALLS_VIEW,
+        CALLS_IMPORT,
+        CALLS_DELETE,
+        METRICS_VIEW,
+        METRICS_MANAGE,
+        EVALS_VIEW,
+        EVALS_RUN,
+        SIM_VIEW,
+        SIM_MANAGE,
+        REPORTS_VIEW,
+        REPORTS_GENERATE,
+        WORKSPACE_SETTINGS,
+        WORKSPACE_MEMBERS_VIEW,
+        WORKSPACE_MEMBERS_MANAGE,
+    }
+)
+
+VIEW_CAPABILITIES: FrozenSet[str] = frozenset(
+    cap for cap in ALL_CAPABILITIES if cap.endswith(".view")
+)
+
+EDITOR_EXTRA_CAPABILITIES: FrozenSet[str] = frozenset(
+    {
+        CALLS_IMPORT,
+        METRICS_MANAGE,
+        EVALS_RUN,
+        SIM_MANAGE,
+        REPORTS_GENERATE,
+    }
+)
+
+ADMIN_EXTRA_CAPABILITIES: FrozenSet[str] = frozenset(
+    {
+        CALLS_DELETE,
+        WORKSPACE_SETTINGS,
+        WORKSPACE_MEMBERS_MANAGE,
+    }
+)
+
+VIEWER_ROLE_CAPABILITIES: List[str] = sorted(VIEW_CAPABILITIES)
+EDITOR_ROLE_CAPABILITIES: List[str] = sorted(
+    VIEW_CAPABILITIES | EDITOR_EXTRA_CAPABILITIES
+)
+WORKSPACE_ADMIN_ROLE_CAPABILITIES: List[str] = sorted(ALL_CAPABILITIES)
+
+SYSTEM_ROLE_VIEWER = "Viewer"
+SYSTEM_ROLE_EDITOR = "Editor"
+SYSTEM_ROLE_ADMIN = "Workspace Admin"
+
+
+@dataclass(frozen=True)
+class CapabilityDomain:
+    """Grouping for the role-builder UI."""
+
+    key: str
+    label: str
+    capabilities: tuple[str, ...]
+
+
+CAPABILITY_DOMAINS: tuple[CapabilityDomain, ...] = (
+    CapabilityDomain("calls", "Calls", (CALLS_VIEW, CALLS_IMPORT, CALLS_DELETE)),
+    CapabilityDomain("metrics", "Metrics", (METRICS_VIEW, METRICS_MANAGE)),
+    CapabilityDomain("evals", "Evaluations", (EVALS_VIEW, EVALS_RUN)),
+    CapabilityDomain("sim", "Simulation", (SIM_VIEW, SIM_MANAGE)),
+    CapabilityDomain("reports", "Reports", (REPORTS_VIEW, REPORTS_GENERATE)),
+    CapabilityDomain(
+        "workspace",
+        "Workspace",
+        (WORKSPACE_SETTINGS, WORKSPACE_MEMBERS_VIEW, WORKSPACE_MEMBERS_MANAGE),
+    ),
+)
+
+
+def normalize_capabilities(raw: List[str] | None) -> Set[str]:
+    """Return known capabilities from a role's stored list."""
+    if not raw:
+        return set()
+    return {cap for cap in raw if cap in ALL_CAPABILITIES}
+
+
+def capabilities_for_registry() -> List[Dict[str, object]]:
+    """Serialize the registry for GET /capabilities."""
+    return [
+        {
+            "key": domain.key,
+            "label": domain.label,
+            "capabilities": [
+                {"key": cap, "label": _capability_label(cap)} for cap in domain.capabilities
+            ],
+        }
+        for domain in CAPABILITY_DOMAINS
+    ]
+
+
+def _capability_label(cap: str) -> str:
+    action = cap.split(".")[-1].replace("_", " ")
+    return action.title()
diff --git a/app/core/auth/rbac.py b/app/core/auth/rbac.py
index 50b542fc..16f2bfe5 100644
--- a/app/core/auth/rbac.py
+++ b/app/core/auth/rbac.py
@@ -24,8 +24,8 @@
 from fastapi import Depends, HTTPException, status
 from sqlalchemy.orm import Session
 
-from app.core.auth.principal import Principal
 from app.core.auth.dependency import get_principal
+from app.core.auth.principal import Principal
 from app.database import get_db
 from app.models.database import OrganizationMember, RoleEnum
 
diff --git a/app/core/auth/workspace_route_capabilities.py b/app/core/auth/workspace_route_capabilities.py
new file mode 100644
index 00000000..2fb1c102
--- /dev/null
+++ b/app/core/auth/workspace_route_capabilities.py
@@ -0,0 +1,57 @@
+"""Apply default workspace capability dependencies to a FastAPI router."""
+
+from __future__ import annotations
+
+from typing import Iterable, Set
+
+from fastapi import Depends
+from starlette.routing import BaseRoute
+
+from app.dependencies import require_capability
+
+
+def apply_workspace_route_capabilities(
+    router,
+    *,
+    view_capability: str,
+    manage_capability: str,
+    run_capability: str | None = None,
+    delete_capability: str | None = None,
+    skip_paths: Iterable[str] | None = None,
+) -> None:
+    """
+    Attach capability dependencies to routes on ``router`` based on HTTP method.
+
+    GET/HEAD -> view_capability
+    POST/PUT/PATCH -> manage_capability (or run_capability when path ends with /run)
+    DELETE -> delete_capability or manage_capability
+    """
+    skipped = set(skip_paths or ())
+    run_paths: Set[str] = set()
+
+    for route in router.routes:
+        if not isinstance(route, BaseRoute):
+            continue
+        path = getattr(route, "path", "") or ""
+        if path in skipped:
+            continue
+        methods = getattr(route, "methods", None) or set()
+        deps = list(getattr(route, "dependencies", None) or [])
+
+        if methods <= {"GET", "HEAD"} or (methods & {"GET", "HEAD"} and not methods - {"GET", "HEAD"}):
+            deps.append(Depends(require_capability(view_capability)))
+        elif "DELETE" in methods:
+            cap = delete_capability or manage_capability
+            deps.append(Depends(require_capability(cap)))
+        elif methods & {"POST", "PUT", "PATCH"}:
+            cap = manage_capability
+            if run_capability and _looks_like_run_route(path):
+                cap = run_capability
+            deps.append(Depends(require_capability(cap)))
+
+        route.dependencies = deps
+
+
+def _looks_like_run_route(path: str) -> bool:
+    lowered = path.lower()
+    return lowered.endswith("/run") or "/run/" in lowered
diff --git a/app/dependencies.py b/app/dependencies.py
index 7407d72f..72a70c1d 100644
--- a/app/dependencies.py
+++ b/app/dependencies.py
@@ -9,16 +9,21 @@
 which carries user_id, organization_id, and auth_method in one place.
 """
 
-from typing import Optional
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Optional, Set
 from uuid import UUID
 
-from fastapi import Depends, Header, HTTPException
+from fastapi import Depends, Header, HTTPException, Request
 from sqlalchemy.orm import Session
 
 from app.core.auth import Principal, get_principal  # noqa: F401 - re-exported
+from app.core.auth.rbac import get_org_role
 from app.core.license import is_feature_enabled
 from app.database import get_db
-from app.models.database import Workspace
+from app.models.database import RoleEnum, Workspace, WorkspaceMember
+from app.services.workspace_rbac import resolve_workspace_capabilities
 
 
 def get_api_key(
@@ -53,68 +58,177 @@ def get_organization_id(
     return principal.organization_id
 
 
-def get_workspace_id(
+@dataclass(frozen=True)
+class WorkspaceContext:
+    """Resolved active workspace plus the caller's capabilities within it."""
+
+    workspace_id: UUID
+    organization_id: UUID
+    capabilities: frozenset[str]
+    role_id: UUID | None = None
+    role_name: str | None = None
+    is_org_admin: bool = False
+
+
+def _resolve_workspace_row(
+    db: Session,
+    *,
+    organization_id: UUID,
+    workspace_id: UUID | None,
+    principal: Principal,
+) -> Workspace:
+    org_role = get_org_role(principal, db)
+    is_org_admin = org_role == RoleEnum.ADMIN
+
+    if workspace_id is not None:
+        workspace = (
+            db.query(Workspace)
+            .filter(
+                Workspace.id == workspace_id,
+                Workspace.organization_id == organization_id,
+            )
+            .first()
+        )
+        if workspace is None:
+            raise HTTPException(
+                status_code=404,
+                detail="Workspace not found in this organization.",
+            )
+        if not is_org_admin and principal.user_id is not None:
+            member = (
+                db.query(WorkspaceMember)
+                .filter(
+                    WorkspaceMember.workspace_id == workspace.id,
+                    WorkspaceMember.user_id == principal.user_id,
+                )
+                .first()
+            )
+            if member is None:
+                raise HTTPException(
+                    status_code=403,
+                    detail="You don't have access to this workspace.",
+                )
+        return workspace
+
+    if is_org_admin or principal.user_id is None:
+        default_ws = (
+            db.query(Workspace)
+            .filter(
+                Workspace.organization_id == organization_id,
+                Workspace.is_default.is_(True),
+            )
+            .first()
+        )
+        if default_ws is None:
+            raise HTTPException(
+                status_code=500,
+                detail=(
+                    "No default workspace exists for this organization. "
+                    "Please contact support; migration 033 may not have run."
+                ),
+            )
+        return default_ws
+
+    membership_rows = (
+        db.query(WorkspaceMember, Workspace)
+        .join(Workspace, Workspace.id == WorkspaceMember.workspace_id)
+        .filter(
+            Workspace.organization_id == organization_id,
+            WorkspaceMember.user_id == principal.user_id,
+        )
+        .order_by(Workspace.is_default.desc(), Workspace.name.asc())
+        .all()
+    )
+    if not membership_rows:
+        raise HTTPException(
+            status_code=403,
+            detail="You don't have access to any workspace in this organization.",
+        )
+    return membership_rows[0][1]
+
+
+def get_workspace_context(
+    request: Request,
     x_workspace_id: Optional[str] = Header(None, alias="X-Workspace-Id"),
+    principal: Principal = Depends(get_principal),
     organization_id: UUID = Depends(get_organization_id),
     db: Session = Depends(get_db),
-) -> UUID:
-    """Return the active workspace UUID for the authenticated caller.
-
-    Resolution order:
-      1. ``X-Workspace-Id`` header. The referenced workspace must belong
-         to the caller's organization, otherwise we 404 (don't leak the
-         existence of another org's workspace).
-      2. The organization's Default workspace (``is_default = True``).
-         This is the back-compat path for existing API-key consumers
-         that don't know about workspaces yet - migration 033 seeds a
-         Default for every org so this always resolves.
-
-    A 500 is raised if step 2 fails because the migration didn't run;
-    callers should never see that in healthy deployments.
-    """
+) -> WorkspaceContext:
+    """Resolve workspace + capability set once per request (cached on request.state)."""
+    cached = getattr(request.state, "workspace_context", None)
+    if cached is not None:
+        return cached
 
+    parsed_ws_id: UUID | None = None
     if x_workspace_id:
         try:
-            ws_id = UUID(x_workspace_id)
+            parsed_ws_id = UUID(x_workspace_id)
         except (ValueError, TypeError):
             raise HTTPException(
                 status_code=400,
                 detail="X-Workspace-Id must be a valid UUID.",
             )
-        ws_id_row = (
-            db.query(Workspace.id)
-            .filter(
-                Workspace.id == ws_id,
-                Workspace.organization_id == organization_id,
-            )
-            .first()
-        )
-        if ws_id_row is None:
-            raise HTTPException(
-                status_code=404, detail="Workspace not found in this organization."
-            )
-        return ws_id_row[0]
-
-    default_ws_row = (
-        db.query(Workspace.id)
-        .filter(
-            Workspace.organization_id == organization_id,
-            Workspace.is_default.is_(True),
-        )
-        .first()
-    )
-    if default_ws_row is None:
-        # Should never happen post-migration. Raising 500 is preferable
-        # to silently writing rows with a NULL workspace_id and tripping
-        # the NOT NULL constraint downstream.
-        raise HTTPException(
-            status_code=500,
-            detail=(
-                "No default workspace exists for this organization. "
-                "Please contact support; migration 033 may not have run."
-            ),
-        )
-    return default_ws_row[0]
+
+    workspace = _resolve_workspace_row(
+        db,
+        organization_id=organization_id,
+        workspace_id=parsed_ws_id,
+        principal=principal,
+    )
+    capabilities, membership, role = resolve_workspace_capabilities(
+        db,
+        principal=principal,
+        workspace_id=workspace.id,
+        organization_id=organization_id,
+    )
+    org_role = get_org_role(principal, db)
+    ctx = WorkspaceContext(
+        workspace_id=workspace.id,
+        organization_id=organization_id,
+        capabilities=frozenset(capabilities),
+        role_id=role.id if role else (membership.role_id if membership else None),
+        role_name=role.name if role else None,
+        is_org_admin=org_role == RoleEnum.ADMIN,
+    )
+    request.state.workspace_context = ctx
+    return ctx
+
+
+def get_workspace_id(
+    ctx: WorkspaceContext = Depends(get_workspace_context),
+) -> UUID:
+    """Return the active workspace UUID for the authenticated caller."""
+    return ctx.workspace_id
+
+
+def get_workspace_capabilities(
+    ctx: WorkspaceContext = Depends(get_workspace_context),
+) -> Set[str]:
+    """Return the caller's capability set for the active workspace."""
+    return set(ctx.capabilities)
+
+
+def require_capability(capability: str):
+    """
+    Build a FastAPI dependency that ensures the caller has a workspace capability.
+
+    Requires ``get_workspace_context`` to have run (directly or via
+    ``get_workspace_id``) so capabilities are resolved for the active workspace.
+    Org admins and unbound API keys receive all capabilities implicitly.
+    """
+
+    def _dep(ctx: WorkspaceContext = Depends(get_workspace_context)) -> WorkspaceContext:
+        if capability not in ctx.capabilities:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail=(
+                    f"This action requires the '{capability}' capability "
+                    f"in the active workspace."
+                ),
+            )
+        return ctx
+
+    return _dep
 
 
 def get_db_session() -> Session:
diff --git a/app/migrations/048_workspace_rbac.py b/app/migrations/048_workspace_rbac.py
new file mode 100644
index 00000000..fee10322
--- /dev/null
+++ b/app/migrations/048_workspace_rbac.py
@@ -0,0 +1,282 @@
+"""
+Migration: Workspace RBAC (roles, memberships, backfill).
+
+Adds:
+  * ``workspace_roles`` table - org-scoped capability bundles (system + custom).
+  * ``workspace_members`` table - user membership per workspace.
+  * Seeds Viewer / Editor / Workspace Admin system roles per org.
+  * Backfills every org member into every org workspace (preserves access on upgrade).
+
+Idempotent: every step checks for prior state before applying.
+"""
+
+from __future__ import annotations
+
+import json
+
+from sqlalchemy import text
+from sqlalchemy.orm import Session
+
+description = (
+    "Add workspace_roles and workspace_members for capability-based workspace RBAC; "
+    "seed system roles and backfill memberships."
+)
+
+SYSTEM_ROLES = (
+    (
+        "Viewer",
+        "Read-only access to workspace resources.",
+        sorted(
+            {
+                "calls.view",
+                "metrics.view",
+                "evals.view",
+                "sim.view",
+                "reports.view",
+                "workspace.members.view",
+            }
+        ),
+    ),
+    (
+        "Editor",
+        "View and modify workspace resources without admin settings.",
+        sorted(
+            {
+                "calls.view",
+                "calls.import",
+                "metrics.view",
+                "metrics.manage",
+                "evals.view",
+                "evals.run",
+                "sim.view",
+                "sim.manage",
+                "reports.view",
+                "reports.generate",
+                "workspace.members.view",
+            }
+        ),
+    ),
+    (
+        "Workspace Admin",
+        "Full access including workspace settings and member management.",
+        sorted(
+            {
+                "calls.view",
+                "calls.import",
+                "calls.delete",
+                "metrics.view",
+                "metrics.manage",
+                "evals.view",
+                "evals.run",
+                "sim.view",
+                "sim.manage",
+                "reports.view",
+                "reports.generate",
+                "workspace.settings",
+                "workspace.members.view",
+                "workspace.members.manage",
+            }
+        ),
+    ),
+)
+
+
+def _table_exists(db: Session, table_name: str) -> bool:
+    row = db.execute(
+        text(
+            """
+            SELECT 1
+            FROM information_schema.tables
+            WHERE table_name = :table_name
+            """
+        ),
+        {"table_name": table_name},
+    ).first()
+    return row is not None
+
+
+def _index_exists(db: Session, index_name: str) -> bool:
+    row = db.execute(
+        text("SELECT 1 FROM pg_indexes WHERE indexname = :index_name"),
+        {"index_name": index_name},
+    ).first()
+    return row is not None
+
+
+def upgrade(db: Session):
+    if not _table_exists(db, "workspace_roles"):
+        db.execute(
+            text(
+                """
+                CREATE TABLE workspace_roles (
+                    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+                    organization_id UUID NOT NULL
+                        REFERENCES organizations(id) ON DELETE CASCADE,
+                    name VARCHAR(255) NOT NULL,
+                    description TEXT NULL,
+                    capabilities JSON NOT NULL DEFAULT '[]',
+                    is_system BOOLEAN NOT NULL DEFAULT FALSE,
+                    created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
+                    updated_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
+                    CONSTRAINT uq_workspace_roles_org_name
+                        UNIQUE (organization_id, name)
+                )
+                """
+            )
+        )
+        print("Created workspace_roles table")
+    else:
+        print("workspace_roles table already exists, skipping CREATE...")
+
+    # Belt-and-braces: ensure ``id`` has the DB-side DEFAULT even when the
+    # table was created by ``Base.metadata.create_all`` (init_db runs before
+    # migrations). create_all does not emit DEFAULT clauses for Python-side
+    # ``default=uuid.uuid4``, which leaves the column NOT NULL but with no
+    # default, breaking the raw-SQL seed below.
+    db.execute(
+        text(
+            "ALTER TABLE workspace_roles ALTER COLUMN id SET DEFAULT gen_random_uuid()"
+        )
+    )
+
+    db.execute(
+        text(
+            "CREATE INDEX IF NOT EXISTS ix_workspace_roles_organization_id "
+            "ON workspace_roles(organization_id)"
+        )
+    )
+
+    if not _table_exists(db, "workspace_members"):
+        db.execute(
+            text(
+                """
+                CREATE TABLE workspace_members (
+                    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+                    workspace_id UUID NOT NULL
+                        REFERENCES workspaces(id) ON DELETE CASCADE,
+                    user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+                    role_id UUID NOT NULL
+                        REFERENCES workspace_roles(id) ON DELETE RESTRICT,
+                    added_by_user_id UUID NULL
+                        REFERENCES users(id) ON DELETE SET NULL,
+                    created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
+                    updated_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
+                    CONSTRAINT uq_workspace_members_ws_user
+                        UNIQUE (workspace_id, user_id)
+                )
+                """
+            )
+        )
+        print("Created workspace_members table")
+    else:
+        print("workspace_members table already exists, skipping CREATE...")
+
+    db.execute(
+        text(
+            "ALTER TABLE workspace_members ALTER COLUMN id SET DEFAULT gen_random_uuid()"
+        )
+    )
+
+    for index_sql in (
+        "CREATE INDEX IF NOT EXISTS ix_workspace_members_workspace_id "
+        "ON workspace_members(workspace_id)",
+        "CREATE INDEX IF NOT EXISTS ix_workspace_members_user_id "
+        "ON workspace_members(user_id)",
+        "CREATE INDEX IF NOT EXISTS ix_workspace_members_role_id "
+        "ON workspace_members(role_id)",
+    ):
+        db.execute(text(index_sql))
+
+    org_rows = db.execute(text("SELECT id FROM organizations")).fetchall()
+    for (org_id,) in org_rows:
+        role_ids: dict[str, str] = {}
+        for name, desc, caps in SYSTEM_ROLES:
+            existing = db.execute(
+                text(
+                    """
+                    SELECT id FROM workspace_roles
+                    WHERE organization_id = :org_id AND name = :name
+                    """
+                ),
+                {"org_id": org_id, "name": name},
+            ).first()
+            if existing:
+                role_ids[name] = str(existing[0])
+                continue
+            inserted = db.execute(
+                text(
+                    """
+                    INSERT INTO workspace_roles
+                        (id, organization_id, name, description, capabilities, is_system)
+                    VALUES
+                        (gen_random_uuid(), :org_id, :name, :description,
+                         CAST(:capabilities AS JSON), TRUE)
+                    RETURNING id
+                    """
+                ),
+                {
+                    "org_id": org_id,
+                    "name": name,
+                    "description": desc,
+                    "capabilities": json.dumps(caps),
+                },
+            ).first()
+            role_ids[name] = str(inserted[0])
+        print(f"Seeded system workspace roles for org {org_id}")
+
+        workspaces = db.execute(
+            text("SELECT id FROM workspaces WHERE organization_id = :org_id"),
+            {"org_id": org_id},
+        ).fetchall()
+        members = db.execute(
+            text(
+                """
+                SELECT user_id, role FROM organization_members
+                WHERE organization_id = :org_id
+                """
+            ),
+            {"org_id": org_id},
+        ).fetchall()
+
+        for workspace_id, in workspaces:
+            for user_id, org_role in members:
+                role_name = "Workspace Admin"
+                if org_role == "writer":
+                    role_name = "Editor"
+                elif org_role == "reader":
+                    role_name = "Viewer"
+                role_id = role_ids[role_name]
+                exists = db.execute(
+                    text(
+                        """
+                        SELECT 1 FROM workspace_members
+                        WHERE workspace_id = :ws_id AND user_id = :user_id
+                        """
+                    ),
+                    {"ws_id": workspace_id, "user_id": user_id},
+                ).first()
+                if exists:
+                    continue
+                db.execute(
+                    text(
+                        """
+                        INSERT INTO workspace_members (id, workspace_id, user_id, role_id)
+                        VALUES (gen_random_uuid(), :ws_id, :user_id, CAST(:role_id AS UUID))
+                        """
+                    ),
+                    {
+                        "ws_id": workspace_id,
+                        "user_id": user_id,
+                        "role_id": role_id,
+                    },
+                )
+        print(f"Backfilled workspace memberships for org {org_id}")
+
+    db.commit()
+    print("Workspace RBAC schema is in place")
+
+
+def downgrade(db: Session):
+    db.execute(text("DROP TABLE IF EXISTS workspace_members"))
+    db.execute(text("DROP TABLE IF EXISTS workspace_roles"))
+    db.commit()
diff --git a/app/models/database.py b/app/models/database.py
index 336c966d..ceed0888 100644
--- a/app/models/database.py
+++ b/app/models/database.py
@@ -66,6 +66,11 @@ class Organization(Base):
         back_populates="organization",
         cascade="all, delete-orphan",
     )
+    workspace_roles = relationship(
+        "WorkspaceRole",
+        back_populates="organization",
+        cascade="all, delete-orphan",
+    )
 
 
 class Workspace(Base):
@@ -74,8 +79,9 @@ class Workspace(Base):
     Every organization has at least one workspace (``is_default = True``,
     seeded by migration 033). Users pick an "active workspace" in the UI;
     list endpoints filter by it so users only see calls/metrics from the
-    project they're currently working in. There's no per-workspace ACL in
-    v1 - every org member can switch into any of their org's workspaces.
+    project they're currently working in. Access is governed by
+    ``workspace_members`` and org-scoped ``workspace_roles`` (capability
+    bundles); org admins implicitly access all workspaces.
     """
 
     __tablename__ = "workspaces"
@@ -121,6 +127,92 @@ class Workspace(Base):
     )
 
     organization = relationship("Organization", back_populates="workspaces")
+    members = relationship(
+        "WorkspaceMember",
+        back_populates="workspace",
+        cascade="all, delete-orphan",
+    )
+
+
+class WorkspaceRole(Base):
+    """Org-scoped workspace role (system or custom) as a capability bundle."""
+
+    __tablename__ = "workspace_roles"
+    __table_args__ = (
+        UniqueConstraint("organization_id", "name", name="uq_workspace_roles_org_name"),
+    )
+
+    id = Column(
+        UUID(as_uuid=True),
+        primary_key=True,
+        default=uuid.uuid4,
+        server_default=text("gen_random_uuid()"),
+    )
+    organization_id = Column(
+        UUID(as_uuid=True),
+        ForeignKey("organizations.id", ondelete="CASCADE"),
+        nullable=False,
+        index=True,
+    )
+    name = Column(String(255), nullable=False)
+    description = Column(Text, nullable=True)
+    capabilities = Column(JSON, nullable=False, default=list)
+    is_system = Column(Boolean, nullable=False, default=False, server_default="false")
+    created_at = Column(DateTime(timezone=True), server_default=func.now())
+    updated_at = Column(
+        DateTime(timezone=True), server_default=func.now(), onupdate=func.now()
+    )
+
+    organization = relationship("Organization", back_populates="workspace_roles")
+    members = relationship("WorkspaceMember", back_populates="role")
+
+
+class WorkspaceMember(Base):
+    """User membership in a workspace with an assigned workspace role."""
+
+    __tablename__ = "workspace_members"
+    __table_args__ = (
+        UniqueConstraint("workspace_id", "user_id", name="uq_workspace_members_ws_user"),
+    )
+
+    id = Column(
+        UUID(as_uuid=True),
+        primary_key=True,
+        default=uuid.uuid4,
+        server_default=text("gen_random_uuid()"),
+    )
+    workspace_id = Column(
+        UUID(as_uuid=True),
+        ForeignKey("workspaces.id", ondelete="CASCADE"),
+        nullable=False,
+        index=True,
+    )
+    user_id = Column(
+        UUID(as_uuid=True),
+        ForeignKey("users.id", ondelete="CASCADE"),
+        nullable=False,
+        index=True,
+    )
+    role_id = Column(
+        UUID(as_uuid=True),
+        ForeignKey("workspace_roles.id", ondelete="RESTRICT"),
+        nullable=False,
+        index=True,
+    )
+    added_by_user_id = Column(
+        UUID(as_uuid=True),
+        ForeignKey("users.id", ondelete="SET NULL"),
+        nullable=True,
+    )
+    created_at = Column(DateTime(timezone=True), server_default=func.now())
+    updated_at = Column(
+        DateTime(timezone=True), server_default=func.now(), onupdate=func.now()
+    )
+
+    workspace = relationship("Workspace", back_populates="members")
+    user = relationship("User", foreign_keys=[user_id])
+    role = relationship("WorkspaceRole", back_populates="members")
+    added_by = relationship("User", foreign_keys=[added_by_user_id])
 
 
 # Partial unique index: "at most one default workspace per org". This
diff --git a/app/models/schemas.py b/app/models/schemas.py
index 618d2247..c5025abb 100644
--- a/app/models/schemas.py
+++ b/app/models/schemas.py
@@ -4201,5 +4201,71 @@ class WorkspaceResponse(BaseModel):
     is_default: bool
     created_at: datetime
     updated_at: datetime
+    role_id: Optional[UUID] = None
+    role_name: Optional[str] = None
+    capabilities: List[str] = Field(default_factory=list)
 
     model_config = ConfigDict(from_attributes=True)
+
+
+class WorkspaceRoleBase(BaseModel):
+    name: str = Field(..., min_length=1, max_length=255)
+    description: Optional[str] = None
+    capabilities: List[str] = Field(default_factory=list)
+
+
+class WorkspaceRoleCreate(WorkspaceRoleBase):
+    pass
+
+
+class WorkspaceRoleUpdate(BaseModel):
+    name: Optional[str] = Field(default=None, min_length=1, max_length=255)
+    description: Optional[str] = None
+    capabilities: Optional[List[str]] = None
+
+
+class WorkspaceRoleResponse(BaseModel):
+    id: UUID
+    organization_id: UUID
+    name: str
+    description: Optional[str] = None
+    capabilities: List[str]
+    is_system: bool
+    created_at: datetime
+    updated_at: datetime
+
+    model_config = ConfigDict(from_attributes=True)
+
+
+class WorkspaceMemberResponse(BaseModel):
+    id: UUID
+    workspace_id: UUID
+    user_id: UUID
+    role_id: UUID
+    role_name: str
+    user_email: str
+    user_name: Optional[str] = None
+    added_by_user_id: Optional[UUID] = None
+    created_at: datetime
+
+    model_config = ConfigDict(from_attributes=True)
+
+
+class WorkspaceMemberCreate(BaseModel):
+    user_id: UUID
+    role_id: UUID
+
+
+class WorkspaceMemberUpdate(BaseModel):
+    role_id: UUID
+
+
+class CapabilityInfoResponse(BaseModel):
+    key: str
+    label: str
+
+
+class CapabilityDomainResponse(BaseModel):
+    key: str
+    label: str
+    capabilities: List[CapabilityInfoResponse]
diff --git a/app/services/organization_provisioning.py b/app/services/organization_provisioning.py
index f052c5d1..54981021 100644
--- a/app/services/organization_provisioning.py
+++ b/app/services/organization_provisioning.py
@@ -7,6 +7,11 @@
 from sqlalchemy.orm import Session
 
 from app.models.database import Workspace
+from app.services.workspace_rbac import (
+    backfill_org_workspace_memberships,
+    ensure_creator_workspace_admin,
+    seed_system_workspace_roles,
+)
 
 
 def provision_default_workspace(
@@ -16,6 +21,8 @@ def provision_default_workspace(
     created_by_user_id: UUID | None = None,
 ) -> Workspace:
     """Create the canonical Default workspace for an organization (idempotent)."""
+    seed_system_workspace_roles(db, organization_id=organization_id)
+
     existing = (
         db.query(Workspace)
         .filter(
@@ -25,6 +32,7 @@ def provision_default_workspace(
         .first()
     )
     if existing is not None:
+        backfill_org_workspace_memberships(db, organization_id=organization_id)
         return existing
 
     workspace = Workspace(
@@ -36,4 +44,10 @@ def provision_default_workspace(
     )
     db.add(workspace)
     db.flush()
+    ensure_creator_workspace_admin(
+        db,
+        workspace=workspace,
+        user_id=created_by_user_id,
+    )
+    backfill_org_workspace_memberships(db, organization_id=organization_id)
     return workspace
diff --git a/app/services/workspace_rbac.py b/app/services/workspace_rbac.py
new file mode 100644
index 00000000..e6e6c969
--- /dev/null
+++ b/app/services/workspace_rbac.py
@@ -0,0 +1,239 @@
+"""Workspace RBAC helpers: role seeding, membership, capability resolution."""
+
+from __future__ import annotations
+
+from typing import Dict, List, Optional, Set, Tuple
+from uuid import UUID
+
+from sqlalchemy.orm import Session
+
+from app.core.auth.capabilities import (
+    EDITOR_ROLE_CAPABILITIES,
+    SYSTEM_ROLE_ADMIN,
+    SYSTEM_ROLE_EDITOR,
+    SYSTEM_ROLE_VIEWER,
+    VIEWER_ROLE_CAPABILITIES,
+    WORKSPACE_ADMIN_ROLE_CAPABILITIES,
+    normalize_capabilities,
+)
+from app.core.auth.rbac import get_org_role
+from app.core.auth.principal import Principal
+from app.models.database import (
+    OrganizationMember,
+    RoleEnum,
+    Workspace,
+    WorkspaceMember,
+    WorkspaceRole,
+)
+
+
+SYSTEM_ROLE_DEFINITIONS: Tuple[Tuple[str, str, List[str]], ...] = (
+    (SYSTEM_ROLE_VIEWER, "Read-only access to workspace resources.", VIEWER_ROLE_CAPABILITIES),
+    (
+        SYSTEM_ROLE_EDITOR,
+        "View and modify workspace resources without admin settings.",
+        EDITOR_ROLE_CAPABILITIES,
+    ),
+    (
+        SYSTEM_ROLE_ADMIN,
+        "Full access including workspace settings and member management.",
+        WORKSPACE_ADMIN_ROLE_CAPABILITIES,
+    ),
+)
+
+
+def seed_system_workspace_roles(
+    db: Session,
+    *,
+    organization_id: UUID,
+) -> Dict[str, WorkspaceRole]:
+    """Ensure the three system roles exist for an organization (idempotent)."""
+    by_name: Dict[str, WorkspaceRole] = {}
+    for name, description, capabilities in SYSTEM_ROLE_DEFINITIONS:
+        role = (
+            db.query(WorkspaceRole)
+            .filter(
+                WorkspaceRole.organization_id == organization_id,
+                WorkspaceRole.name == name,
+            )
+            .first()
+        )
+        if role is None:
+            role = WorkspaceRole(
+                organization_id=organization_id,
+                name=name,
+                description=description,
+                capabilities=capabilities,
+                is_system=True,
+            )
+            db.add(role)
+            db.flush()
+        by_name[name] = role
+    return by_name
+
+
+def org_role_to_system_workspace_role(org_role: Optional[RoleEnum | str]) -> str:
+    """Map org membership role to a system workspace role name for backfill."""
+    if isinstance(org_role, str):
+        try:
+            org_role = RoleEnum(org_role)
+        except ValueError:
+            org_role = RoleEnum.READER
+    if org_role == RoleEnum.ADMIN:
+        return SYSTEM_ROLE_ADMIN
+    if org_role == RoleEnum.WRITER:
+        return SYSTEM_ROLE_EDITOR
+    return SYSTEM_ROLE_VIEWER
+
+
+def add_workspace_member(
+    db: Session,
+    *,
+    workspace_id: UUID,
+    user_id: UUID,
+    role_id: UUID,
+    added_by_user_id: UUID | None = None,
+) -> WorkspaceMember:
+    """Add or update a workspace membership."""
+    existing = (
+        db.query(WorkspaceMember)
+        .filter(
+            WorkspaceMember.workspace_id == workspace_id,
+            WorkspaceMember.user_id == user_id,
+        )
+        .first()
+    )
+    if existing is not None:
+        existing.role_id = role_id
+        if added_by_user_id is not None:
+            existing.added_by_user_id = added_by_user_id
+        db.flush()
+        return existing
+
+    member = WorkspaceMember(
+        workspace_id=workspace_id,
+        user_id=user_id,
+        role_id=role_id,
+        added_by_user_id=added_by_user_id,
+    )
+    db.add(member)
+    db.flush()
+    return member
+
+
+def ensure_creator_workspace_admin(
+    db: Session,
+    *,
+    workspace: Workspace,
+    user_id: UUID | None,
+) -> None:
+    """Auto-add workspace creator as Workspace Admin."""
+    if user_id is None:
+        return
+    roles = seed_system_workspace_roles(db, organization_id=workspace.organization_id)
+    admin_role = roles[SYSTEM_ROLE_ADMIN]
+    add_workspace_member(
+        db,
+        workspace_id=workspace.id,
+        user_id=user_id,
+        role_id=admin_role.id,
+        added_by_user_id=user_id,
+    )
+
+
+def resolve_workspace_capabilities(
+    db: Session,
+    *,
+    principal: Principal,
+    workspace_id: UUID,
+    organization_id: UUID,
+) -> Tuple[Set[str], Optional[WorkspaceMember], Optional[WorkspaceRole]]:
+    """
+    Resolve the caller's capability set for a workspace.
+
+    Returns (capabilities, membership_row, role_row). Org admins and unbound
+    API keys receive all capabilities with no membership row.
+    """
+    from app.core.auth.capabilities import ALL_CAPABILITIES
+
+    org_role = get_org_role(principal, db)
+    if org_role == RoleEnum.ADMIN:
+        return set(ALL_CAPABILITIES), None, None
+
+    if principal.user_id is None:
+        return set(ALL_CAPABILITIES), None, None
+
+    membership = (
+        db.query(WorkspaceMember)
+        .filter(
+            WorkspaceMember.workspace_id == workspace_id,
+            WorkspaceMember.user_id == principal.user_id,
+        )
+        .first()
+    )
+    if membership is None:
+        return set(), None, None
+
+    role = db.query(WorkspaceRole).filter(WorkspaceRole.id == membership.role_id).first()
+    if role is None:
+        return set(), membership, None
+
+    return normalize_capabilities(role.capabilities), membership, role
+
+
+def is_workspace_admin_role(role: WorkspaceRole | None) -> bool:
+    if role is None:
+        return False
+    caps = normalize_capabilities(role.capabilities)
+    from app.core.auth.capabilities import WORKSPACE_SETTINGS, WORKSPACE_MEMBERS_MANAGE
+
+    return WORKSPACE_SETTINGS in caps and WORKSPACE_MEMBERS_MANAGE in caps
+
+
+def count_workspace_admins(db: Session, *, workspace_id: UUID) -> int:
+    """Count members whose role includes workspace admin capabilities."""
+    members = (
+        db.query(WorkspaceMember)
+        .filter(WorkspaceMember.workspace_id == workspace_id)
+        .all()
+    )
+    count = 0
+    for member in members:
+        role = db.query(WorkspaceRole).filter(WorkspaceRole.id == member.role_id).first()
+        if is_workspace_admin_role(role):
+            count += 1
+    return count
+
+
+def backfill_org_workspace_memberships(db: Session, *, organization_id: UUID) -> None:
+    """Add every org member to every org workspace (idempotent)."""
+    roles = seed_system_workspace_roles(db, organization_id=organization_id)
+    workspaces = (
+        db.query(Workspace)
+        .filter(Workspace.organization_id == organization_id)
+        .all()
+    )
+    members = (
+        db.query(OrganizationMember)
+        .filter(OrganizationMember.organization_id == organization_id)
+        .all()
+    )
+    for org_member in members:
+        role_name = org_role_to_system_workspace_role(org_member.role)
+        ws_role = roles[role_name]
+        for workspace in workspaces:
+            existing = (
+                db.query(WorkspaceMember)
+                .filter(
+                    WorkspaceMember.workspace_id == workspace.id,
+                    WorkspaceMember.user_id == org_member.user_id,
+                )
+                .first()
+            )
+            if existing is None:
+                add_workspace_member(
+                    db,
+                    workspace_id=workspace.id,
+                    user_id=org_member.user_id,
+                    role_id=ws_role.id,
+                )
diff --git a/docs/superpowers/specs/2026-06-11-workspace-rbac-design.md b/docs/superpowers/specs/2026-06-11-workspace-rbac-design.md
new file mode 100644
index 00000000..e529cd3b
--- /dev/null
+++ b/docs/superpowers/specs/2026-06-11-workspace-rbac-design.md
@@ -0,0 +1,58 @@
+# Workspace RBAC: Capability-Based Access Control
+
+## Approved Design Decisions
+
+- **Default-closed**: org members only access workspaces they're explicitly granted; org admins implicitly access all workspaces.
+- **Capability-based roles**: predefined system roles (Viewer, Editor, Workspace Admin) plus org-admin-definable custom roles composed from a fixed capability registry.
+- **Membership management**: org admins + holders of `workspace.members.manage` in that workspace.
+- **API keys stay org-wide** (bypass workspace RBAC); key scoping deferred.
+- **Enforcement**: capability registry + role tables + per-route `require_capability()` dependencies.
+
+## Data Model
+
+### Capability registry (`app/core/auth/capabilities.py`)
+
+| Domain | Capabilities |
+|---|---|
+| Calls | `calls.view`, `calls.import`, `calls.delete` |
+| Metrics | `metrics.view`, `metrics.manage` |
+| Evaluations | `evals.view`, `evals.run` |
+| Simulation | `sim.view`, `sim.manage` |
+| Reports | `reports.view`, `reports.generate` |
+| Workspace | `workspace.settings`, `workspace.members.view`, `workspace.members.manage` |
+
+### Tables
+
+- `workspace_roles`: `id`, `organization_id`, `name`, `description`, `capabilities` (JSON), `is_system`, timestamps; unique `(organization_id, name)`
+- `workspace_members`: `id`, `workspace_id`, `user_id`, `role_id`, `added_by_user_id`, timestamps; unique `(workspace_id, user_id)`
+
+### System roles (seeded per org)
+
+- **Viewer** — all `*.view` capabilities
+- **Editor** — Viewer + `calls.import`, `evals.run`, `metrics.manage`, `sim.manage`, `reports.generate`
+- **Workspace Admin** — all capabilities
+
+### Backfill
+
+Every existing org member added to every org workspace: admin→Workspace Admin, writer→Editor, reader→Viewer.
+
+## Backend Enforcement
+
+- `WorkspaceContext` dependency resolves workspace + capability set
+- Org admin → all capabilities; unbound API key → all; else membership lookup
+- `require_capability(cap)` on workspace-scoped routes
+- Org `ReaderReadOnlyMiddleware` unchanged
+
+## API
+
+- Workspace lifecycle: filtered list, create with auto-admin membership, settings/delete guards
+- `workspace_iam.py`: members CRUD, workspace-roles CRUD, capabilities registry
+
+## Frontend
+
+- Filtered workspace switcher, members page, roles builder in IAM settings
+- `useWorkspaceCapabilities()` hook for cosmetic UI gating
+
+## Rollout
+
+Backfill preserves existing access on upgrade; admins prune memberships via new UI.
diff --git a/frontend/src/App.tsx b/frontend/src/App.tsx
index a39e4072..37aa34e3 100644
--- a/frontend/src/App.tsx
+++ b/frontend/src/App.tsx
@@ -64,6 +64,7 @@ import CronJobs from './pages/configurations/CronJobs'
 
 // IAM
 import IAM from './pages/iam/IAM'
+import WorkspaceMembers from './pages/workspace/WorkspaceMembers'
 
 // Profile
 import Profile from './pages/profile/Profile'
@@ -163,6 +164,7 @@ function App() {
           <Route path="observability/calls" element={<ObservabilityCalls />} />
           <Route path="observability/calls/:callShortId" element={<ObservabilityCallDetail />} />
           <Route path="iam" element={<IAM />} />
+          <Route path="workspace-members" element={<WorkspaceMembers />} />
           <Route path="profile" element={<Profile />} />
           <Route path="settings" element={<Settings />} />
           <Route path="alerts" element={<Alerts />} />
diff --git a/frontend/src/components/CreateWorkspaceModal.tsx b/frontend/src/components/CreateWorkspaceModal.tsx
new file mode 100644
index 00000000..361903c7
--- /dev/null
+++ b/frontend/src/components/CreateWorkspaceModal.tsx
@@ -0,0 +1,426 @@
+import { useQuery } from '@tanstack/react-query'
+import { useEffect, useMemo, useState } from 'react'
+import { createPortal } from 'react-dom'
+import { Loader2, Plus, Trash2, Users, X } from 'lucide-react'
+import { apiClient } from '../lib/api'
+import type { OrganizationMember, Workspace, WorkspaceRole } from '../types/api'
+import Button from './Button'
+import { useToast } from '../hooks/useToast'
+import { useAuthStore } from '../store/authStore'
+
+export interface PendingWorkspaceMember {
+  user_id: string
+  role_id: string
+  user_email: string
+  role_name: string
+}
+
+interface CreateWorkspaceModalProps {
+  open: boolean
+  onClose: () => void
+  onCreated: (workspace: Workspace) => void | Promise<void>
+}
+
+export default function CreateWorkspaceModal({
+  open,
+  onClose,
+  onCreated,
+}: CreateWorkspaceModalProps) {
+  const [name, setName] = useState('')
+  const [slug, setSlug] = useState('')
+  const [pendingMembers, setPendingMembers] = useState<PendingWorkspaceMember[]>([])
+  const [selectedUserId, setSelectedUserId] = useState('')
+  const [selectedRoleId, setSelectedRoleId] = useState('')
+  const [submitting, setSubmitting] = useState(false)
+  const [error, setError] = useState('')
+  const { showToast, ToastContainer } = useToast()
+  const currentUserId = useAuthStore((s) => s.user?.id ?? null)
+
+  const { data: orgUsers = [] } = useQuery({
+    queryKey: ['iam', 'users'],
+    queryFn: () => apiClient.listOrganizationUsers(),
+    enabled: open,
+  })
+
+  const { data: roles = [] } = useQuery({
+    queryKey: ['workspace-roles'],
+    queryFn: () => apiClient.listWorkspaceRoles(),
+    enabled: open,
+  })
+
+  const pendingUserIds = useMemo(
+    () => new Set(pendingMembers.map((m) => m.user_id)),
+    [pendingMembers],
+  )
+
+  const availableUsers = useMemo(
+    () =>
+      orgUsers.filter(
+        (u) => !pendingUserIds.has(u.user_id) && u.user_id !== currentUserId,
+      ),
+    [orgUsers, pendingUserIds, currentUserId],
+  )
+
+  const defaultRoleId = useMemo(() => {
+    const viewer = roles.find((r) => r.name === 'Viewer')
+    return viewer?.id ?? roles[0]?.id ?? ''
+  }, [roles])
+
+  const activeRoleId = selectedRoleId || defaultRoleId
+
+  useEffect(() => {
+    if (open && defaultRoleId && !selectedRoleId) {
+      setSelectedRoleId(defaultRoleId)
+    }
+  }, [open, defaultRoleId, selectedRoleId])
+
+  useEffect(() => {
+    if (!open) return
+    const previous = document.body.style.overflow
+    document.body.style.overflow = 'hidden'
+    return () => {
+      document.body.style.overflow = previous
+    }
+  }, [open])
+
+  const resetForm = () => {
+    setName('')
+    setSlug('')
+    setPendingMembers([])
+    setSelectedUserId('')
+    setSelectedRoleId('')
+    setError('')
+  }
+
+  const handleClose = () => {
+    if (submitting) return
+    resetForm()
+    onClose()
+  }
+
+  const handleAddMember = () => {
+    if (!selectedUserId || !activeRoleId) {
+      setError('Select a user and role to add.')
+      return
+    }
+    const user = orgUsers.find((u) => u.user_id === selectedUserId)
+    const role = roles.find((r) => r.id === activeRoleId)
+    if (!user || !role) return
+
+    setPendingMembers((prev) => [
+      ...prev,
+      {
+        user_id: user.user_id,
+        role_id: role.id,
+        user_email: user.user.email,
+        role_name: role.name,
+      },
+    ])
+    setSelectedUserId('')
+    setSelectedRoleId(defaultRoleId)
+    setError('')
+  }
+
+  const handleAddAllMembers = () => {
+    const role = roles.find((r) => r.id === activeRoleId)
+    if (!role) {
+      setError('Select a role before adding members.')
+      return
+    }
+    if (availableUsers.length === 0) {
+      setError('All org members are already in the list.')
+      return
+    }
+
+    setPendingMembers((prev) => [
+      ...prev,
+      ...availableUsers.map((user: OrganizationMember) => ({
+        user_id: user.user_id,
+        role_id: role.id,
+        user_email: user.user.email,
+        role_name: role.name,
+      })),
+    ])
+    setSelectedUserId('')
+    setError('')
+  }
+
+  const handleRemoveMember = (userId: string) => {
+    setPendingMembers((prev) => prev.filter((m) => m.user_id !== userId))
+  }
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault()
+    const trimmedName = name.trim()
+    if (!trimmedName) {
+      setError('Workspace name is required.')
+      return
+    }
+
+    setSubmitting(true)
+    setError('')
+
+    try {
+      const created = await apiClient.createWorkspace({
+        name: trimmedName,
+        ...(slug.trim() ? { slug: slug.trim() } : {}),
+      })
+
+      const failures: string[] = []
+      for (const member of pendingMembers) {
+        try {
+          await apiClient.addWorkspaceMember(created.id, {
+            user_id: member.user_id,
+            role_id: member.role_id,
+          })
+        } catch (memberErr: any) {
+          const detail =
+            memberErr?.response?.data?.detail ||
+            `Could not add ${member.user_email}`
+          failures.push(
+            typeof detail === 'string' ? detail : `Could not add ${member.user_email}`,
+          )
+        }
+      }
+
+      resetForm()
+      await onCreated(created)
+      onClose()
+
+      if (failures.length > 0) {
+        showToast(
+          `Workspace created, but some members could not be added: ${failures.join('; ')}`,
+          'error',
+        )
+      } else {
+        showToast('Workspace created', 'success')
+      }
+    } catch (err: any) {
+      const detail = err?.response?.data?.detail
+      setError(
+        typeof detail === 'string' ? detail : 'Could not create workspace.',
+      )
+    } finally {
+      setSubmitting(false)
+    }
+  }
+
+  if (!open) return null
+
+  return createPortal(
+    <div className="fixed inset-0 z-[9999] flex items-center justify-center p-4 overflow-y-auto overflow-x-hidden">
+      <ToastContainer />
+      <div
+        className="fixed inset-0 bg-gray-900/40 backdrop-blur-sm"
+        onClick={handleClose}
+        aria-hidden
+      />
+      <div
+        role="dialog"
+        aria-modal="true"
+        aria-labelledby="create-workspace-title"
+        className="relative z-[10000] bg-white rounded-xl shadow-2xl w-full max-w-md max-h-[min(90vh,calc(100vh-2rem))] overflow-hidden flex flex-col min-w-0"
+      >
+        <div className="px-5 py-4 border-b border-gray-200 flex items-start justify-between gap-3 shrink-0">
+          <div className="min-w-0">
+            <h2
+              id="create-workspace-title"
+              className="text-lg font-semibold text-gray-900"
+            >
+              Create workspace
+            </h2>
+            <p className="text-sm text-gray-500 mt-0.5">
+              Set a name and optionally invite org members.
+            </p>
+          </div>
+          <button
+            type="button"
+            onClick={handleClose}
+            disabled={submitting}
+            className="text-gray-400 hover:text-gray-600 p-1 shrink-0"
+            aria-label="Close"
+          >
+            <X className="h-5 w-5" />
+          </button>
+        </div>
+
+        <form onSubmit={handleSubmit} className="flex flex-col flex-1 min-h-0 min-w-0">
+          <div className="px-5 py-4 space-y-5 overflow-y-auto overflow-x-hidden flex-1 min-w-0">
+            <div className="space-y-4">
+              <div>
+                <label
+                  htmlFor="workspace-name"
+                  className="block text-sm font-medium text-gray-700 mb-1"
+                >
+                  Name
+                </label>
+                <input
+                  id="workspace-name"
+                  type="text"
+                  value={name}
+                  onChange={(e) => setName(e.target.value)}
+                  placeholder="e.g. Project Phoenix"
+                  className="w-full min-w-0 px-3 py-2 text-sm border border-gray-300 rounded-lg focus:outline-none focus:ring-2 focus:ring-primary-500 focus:border-transparent"
+                  autoFocus
+                  disabled={submitting}
+                />
+              </div>
+
+              <div>
+                <label
+                  htmlFor="workspace-slug"
+                  className="block text-sm font-medium text-gray-700 mb-1"
+                >
+                  Slug <span className="text-gray-400 font-normal">(optional)</span>
+                </label>
+                <input
+                  id="workspace-slug"
+                  type="text"
+                  value={slug}
+                  onChange={(e) =>
+                    setSlug(
+                      e.target.value.toLowerCase().replace(/[^a-z0-9-_]/g, '_'),
+                    )
+                  }
+                  placeholder="Derived from name if empty"
+                  className="w-full min-w-0 px-3 py-2 text-sm border border-gray-300 rounded-lg focus:outline-none focus:ring-2 focus:ring-primary-500 focus:border-transparent"
+                  disabled={submitting}
+                />
+              </div>
+            </div>
+
+            <div className="border-t border-gray-100 pt-4 space-y-3 min-w-0">
+              <div>
+                <label className="block text-sm font-medium text-gray-700">
+                  Members
+                </label>
+                <p className="text-xs text-gray-500 mt-0.5">
+                  You are added automatically as Workspace Admin.
+                </p>
+              </div>
+
+              <div className="space-y-2 min-w-0">
+                <select
+                  value={selectedUserId}
+                  onChange={(e) => setSelectedUserId(e.target.value)}
+                  className="w-full min-w-0 px-3 py-2 text-sm border border-gray-300 rounded-lg focus:outline-none focus:ring-2 focus:ring-primary-500"
+                  disabled={submitting || availableUsers.length === 0}
+                >
+                  <option value="">Select org member…</option>
+                  {availableUsers.map((u: OrganizationMember) => (
+                    <option key={u.user_id} value={u.user_id}>
+                      {u.user.email}
+                      {u.user.name ? ` (${u.user.name})` : ''}
+                    </option>
+                  ))}
+                </select>
+
+                <select
+                  value={activeRoleId}
+                  onChange={(e) => setSelectedRoleId(e.target.value)}
+                  className="w-full min-w-0 px-3 py-2 text-sm border border-gray-300 rounded-lg focus:outline-none focus:ring-2 focus:ring-primary-500"
+                  disabled={submitting || roles.length === 0}
+                >
+                  {roles.map((r: WorkspaceRole) => (
+                    <option key={r.id} value={r.id}>
+                      {r.name}
+                    </option>
+                  ))}
+                </select>
+
+                <Button
+                  type="button"
+                  variant="outline"
+                  size="sm"
+                  onClick={handleAddMember}
+                  disabled={submitting || !selectedUserId}
+                  leftIcon={<Plus className="h-4 w-4" />}
+                  className="w-full"
+                >
+                  Add member
+                </Button>
+
+                <Button
+                  type="button"
+                  variant="secondary"
+                  size="sm"
+                  onClick={handleAddAllMembers}
+                  disabled={submitting || availableUsers.length === 0 || !activeRoleId}
+                  leftIcon={<Users className="h-4 w-4" />}
+                  className="w-full"
+                >
+                  Add all org members
+                  {availableUsers.length > 0 ? ` (${availableUsers.length})` : ''}
+                </Button>
+              </div>
+
+              {pendingMembers.length === 0 ? (
+                <p className="text-sm text-gray-500">
+                  No additional members yet. You can add them now or later from
+                  Workspace Members settings.
+                </p>
+              ) : (
+                <ul className="border border-gray-200 rounded-lg divide-y divide-gray-100 min-w-0">
+                  {pendingMembers.map((member) => (
+                    <li
+                      key={member.user_id}
+                      className="flex items-center justify-between gap-2 px-3 py-2 text-sm min-w-0"
+                    >
+                      <div className="min-w-0 flex-1">
+                        <div className="font-medium text-gray-900 truncate">
+                          {member.user_email}
+                        </div>
+                        <div className="text-xs text-gray-500 truncate">
+                          {member.role_name}
+                        </div>
+                      </div>
+                      <button
+                        type="button"
+                        onClick={() => handleRemoveMember(member.user_id)}
+                        disabled={submitting}
+                        className="text-red-600 hover:text-red-800 p-1 shrink-0"
+                        title="Remove"
+                      >
+                        <Trash2 className="h-4 w-4" />
+                      </button>
+                    </li>
+                  ))}
+                </ul>
+              )}
+            </div>
+
+            {error && (
+              <div className="text-sm text-red-600 bg-red-50 border border-red-200 rounded-lg px-3 py-2 break-words">
+                {error}
+              </div>
+            )}
+          </div>
+
+          <div className="px-5 py-4 border-t border-gray-200 flex flex-col-reverse sm:flex-row gap-2 sm:justify-end bg-gray-50 shrink-0">
+            <Button
+              type="button"
+              variant="outline"
+              onClick={handleClose}
+              disabled={submitting}
+              className="w-full sm:w-auto"
+            >
+              Cancel
+            </Button>
+            <Button
+              type="submit"
+              disabled={submitting || !name.trim()}
+              isLoading={submitting}
+              leftIcon={
+                submitting ? <Loader2 className="h-4 w-4 animate-spin" /> : undefined
+              }
+              className="w-full sm:w-auto"
+            >
+              Create workspace
+            </Button>
+          </div>
+        </form>
+      </div>
+    </div>,
+    document.body,
+  )
+}
diff --git a/frontend/src/components/Layout.tsx b/frontend/src/components/Layout.tsx
index d4513f74..5a57dc9e 100644
--- a/frontend/src/components/Layout.tsx
+++ b/frontend/src/components/Layout.tsx
@@ -114,6 +114,7 @@ const navigationSections: NavSection[] = [
       { name: 'VoiceBundle', href: '/voicebundles', icon: Mic },
       { name: 'Integrations', href: '/integrations', icon: Plug },
       { name: 'API Keys', href: '/settings', icon: Key },
+      { name: 'Workspace Members', href: '/workspace-members', icon: Users },
       { name: 'Cron Jobs', href: '/cron-jobs', icon: Clock },
     ],
   },
diff --git a/frontend/src/components/WorkspaceRolesSection.tsx b/frontend/src/components/WorkspaceRolesSection.tsx
new file mode 100644
index 00000000..03a57e63
--- /dev/null
+++ b/frontend/src/components/WorkspaceRolesSection.tsx
@@ -0,0 +1,216 @@
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
+import { useMemo, useState } from 'react'
+import { Plus, Trash2 } from 'lucide-react'
+import { apiClient } from '../lib/api'
+import type { CapabilityDomain, CapabilityInfo, WorkspaceRole } from '../types/api'
+import Button from './Button'
+import { useToast } from '../hooks/useToast'
+
+export default function WorkspaceRolesSection() {
+  const queryClient = useQueryClient()
+  const { showToast, ToastContainer } = useToast()
+  const [showCreate, setShowCreate] = useState(false)
+  const [name, setName] = useState('')
+  const [description, setDescription] = useState('')
+  const [selectedCaps, setSelectedCaps] = useState<Set<string>>(new Set())
+
+  const { data: roles = [] } = useQuery({
+    queryKey: ['workspace-roles'],
+    queryFn: () => apiClient.listWorkspaceRoles(),
+  })
+
+  const { data: domains = [] } = useQuery({
+    queryKey: ['capabilities'],
+    queryFn: () => apiClient.listCapabilities(),
+  })
+
+  const createMutation = useMutation({
+    mutationFn: () =>
+      apiClient.createWorkspaceRole({
+        name,
+        description: description || undefined,
+        capabilities: Array.from(selectedCaps),
+      }),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ['workspace-roles'] })
+      setShowCreate(false)
+      setName('')
+      setDescription('')
+      setSelectedCaps(new Set())
+      showToast('Role created', 'success')
+    },
+    onError: (error: any) => {
+      showToast(error.response?.data?.detail || 'Failed to create role', 'error')
+    },
+  })
+
+  const deleteMutation = useMutation({
+    mutationFn: (roleId: string) => apiClient.deleteWorkspaceRole(roleId),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ['workspace-roles'] })
+      showToast('Role deleted', 'success')
+    },
+    onError: (error: any) => {
+      showToast(error.response?.data?.detail || 'Failed to delete role', 'error')
+    },
+  })
+
+  const toggleCap = (cap: string) => {
+    setSelectedCaps((prev) => {
+      const next = new Set(prev)
+      if (next.has(cap)) next.delete(cap)
+      else next.add(cap)
+      return next
+    })
+  }
+
+  const systemRoles = useMemo(
+    () => roles.filter((r: WorkspaceRole) => r.is_system),
+    [roles],
+  )
+  const customRoles = useMemo(
+    () => roles.filter((r: WorkspaceRole) => !r.is_system),
+    [roles],
+  )
+
+  return (
+    <div className="mt-10 border-t border-gray-200 pt-8">
+      <ToastContainer />
+      <div className="flex items-center justify-between mb-4">
+        <div>
+          <h2 className="text-lg font-semibold text-gray-900">Workspace Roles</h2>
+          <p className="text-sm text-gray-500">
+            System roles are predefined. Org admins can create custom roles from capabilities.
+          </p>
+        </div>
+        <Button onClick={() => setShowCreate((v) => !v)}>
+          <Plus className="h-4 w-4 mr-2" />
+          Custom role
+        </Button>
+      </div>
+
+      {showCreate && (
+        <div className="mb-6 p-4 border border-gray-200 rounded-lg bg-gray-50 space-y-4">
+          <input
+            type="text"
+            value={name}
+            onChange={(e) => setName(e.target.value)}
+            placeholder="Role name"
+            className="w-full px-3 py-2 border border-gray-200 rounded-lg text-sm"
+          />
+          <input
+            type="text"
+            value={description}
+            onChange={(e) => setDescription(e.target.value)}
+            placeholder="Description (optional)"
+            className="w-full px-3 py-2 border border-gray-200 rounded-lg text-sm"
+          />
+          <CapabilityPicker
+            domains={domains}
+            selected={selectedCaps}
+            onToggle={toggleCap}
+          />
+          <Button
+            disabled={!name.trim() || selectedCaps.size === 0 || createMutation.isPending}
+            onClick={() => createMutation.mutate()}
+          >
+            Create role
+          </Button>
+        </div>
+      )}
+
+      <RoleList title="System roles" roles={systemRoles} />
+      <RoleList
+        title="Custom roles"
+        roles={customRoles}
+        onDelete={(id) => deleteMutation.mutate(id)}
+      />
+    </div>
+  )
+}
+
+function RoleList({
+  title,
+  roles,
+  onDelete,
+}: {
+  title: string
+  roles: WorkspaceRole[]
+  onDelete?: (id: string) => void
+}) {
+  if (!roles.length) return null
+  return (
+    <div className="mb-6">
+      <h3 className="text-sm font-medium text-gray-700 mb-2">{title}</h3>
+      <div className="space-y-2">
+        {roles.map((role) => (
+          <div
+            key={role.id}
+            className="flex items-start justify-between p-3 border border-gray-200 rounded-lg bg-white"
+          >
+            <div>
+              <div className="font-medium text-gray-900">{role.name}</div>
+              {role.description && (
+                <div className="text-sm text-gray-500">{role.description}</div>
+              )}
+              <div className="text-xs text-gray-400 mt-1">
+                {role.capabilities.length} capabilities
+              </div>
+            </div>
+            {onDelete && (
+              <button
+                type="button"
+                onClick={() => onDelete(role.id)}
+                className="text-red-600 hover:text-red-800"
+              >
+                <Trash2 className="h-4 w-4" />
+              </button>
+            )}
+          </div>
+        ))}
+      </div>
+    </div>
+  )
+}
+
+function CapabilityPicker({
+  domains,
+  selected,
+  onToggle,
+}: {
+  domains: CapabilityDomain[]
+  selected: Set<string>
+  onToggle: (cap: string) => void
+}) {
+  return (
+    <div className="space-y-3">
+      {domains.map((domain) => (
+        <div key={domain.key}>
+          <div className="text-xs font-semibold text-gray-500 uppercase mb-1">
+            {domain.label}
+          </div>
+          <div className="flex flex-wrap gap-2">
+            {domain.capabilities.map((cap: CapabilityInfo) => (
+              <label
+                key={cap.key}
+                className={`inline-flex items-center gap-1 px-2 py-1 rounded border text-xs cursor-pointer ${
+                  selected.has(cap.key)
+                    ? 'border-primary-500 bg-primary-50 text-primary-800'
+                    : 'border-gray-200 bg-white text-gray-700'
+                }`}
+              >
+                <input
+                  type="checkbox"
+                  checked={selected.has(cap.key)}
+                  onChange={() => onToggle(cap.key)}
+                  className="sr-only"
+                />
+                {cap.label}
+              </label>
+            ))}
+          </div>
+        </div>
+      ))}
+    </div>
+  )
+}
diff --git a/frontend/src/components/WorkspaceSwitcher.tsx b/frontend/src/components/WorkspaceSwitcher.tsx
index f68217d3..101df386 100644
--- a/frontend/src/components/WorkspaceSwitcher.tsx
+++ b/frontend/src/components/WorkspaceSwitcher.tsx
@@ -1,32 +1,20 @@
 import { useEffect, useMemo, useState } from 'react'
 import { useQuery, useQueryClient } from '@tanstack/react-query'
-import { Check, ChevronDown, FolderKanban, Loader2, Plus, X } from 'lucide-react'
+import { Check, ChevronDown, FolderKanban, Plus } from 'lucide-react'
 import { apiClient } from '../lib/api'
 import type { Workspace } from '../types/api'
+import { useCanWrite } from '../hooks/useRole'
+import { useWorkspaceStore } from '../store/workspaceStore'
+import CreateWorkspaceModal from './CreateWorkspaceModal'
 
 const ACTIVE_WORKSPACE_KEY = 'activeWorkspaceId'
 
-/**
- * Workspace switcher dropdown.
- *
- * Lives in the sidebar so the active workspace context is always visible.
- * Persists the selection in `localStorage` under `activeWorkspaceId`; the
- * shared axios client picks that up and forwards it as `X-Workspace-Id` on
- * every request, which is how the backend's `get_workspace_id` dependency
- * scopes listings.
- *
- * On any change (initial bootstrap into Default, or user-selected switch)
- * we blow away every react-query cache so views refetch against the new
- * workspace - no stale rows leaking between projects.
- */
 export default function WorkspaceSwitcher() {
   const queryClient = useQueryClient()
+  const canWrite = useCanWrite()
+  const setActiveCapabilities = useWorkspaceStore((s) => s.setActiveCapabilities)
   const [open, setOpen] = useState(false)
-  const [showCreate, setShowCreate] = useState(false)
-  const [newName, setNewName] = useState('')
-  const [newSlug, setNewSlug] = useState('')
-  const [creating, setCreating] = useState(false)
-  const [error, setError] = useState('')
+  const [showCreateModal, setShowCreateModal] = useState(false)
 
   const {
     data: workspaces = [],
@@ -44,209 +32,156 @@ export default function WorkspaceSwitcher() {
       : null,
   )
 
-  // Bootstrap: if we don't have a stored workspace, or the stored one
-  // doesn't belong to this org (e.g. after an org switch), fall back to
-  // the org's Default workspace. Migration 033 guarantees one exists.
   useEffect(() => {
     if (!workspaces.length) return
     const stored = localStorage.getItem(ACTIVE_WORKSPACE_KEY)
     const isValid = stored && workspaces.some((w) => w.id === stored)
-    if (isValid) {
-      if (stored !== activeId) setActiveId(stored)
-      return
-    }
     const fallback =
-      workspaces.find((w) => w.is_default) ?? workspaces[0]
+      (isValid ? workspaces.find((w) => w.id === stored) : null) ??
+      workspaces.find((w) => w.is_default) ??
+      workspaces[0]
+
     if (!fallback) return
-    localStorage.setItem(ACTIVE_WORKSPACE_KEY, fallback.id)
-    setActiveId(fallback.id)
-    // Refetch workspace-scoped views now that the header will start being
-    // sent. Use a short delay so the localStorage write is visible to the
-    // axios request interceptor by the time queries refire.
-    queryClient.invalidateQueries()
-  }, [workspaces, activeId, queryClient])
+
+    if (!isValid) {
+      localStorage.setItem(ACTIVE_WORKSPACE_KEY, fallback.id)
+      setActiveId(fallback.id)
+      queryClient.invalidateQueries()
+    } else if (stored !== activeId) {
+      setActiveId(stored)
+    }
+
+    setActiveCapabilities(fallback.capabilities ?? [])
+  }, [workspaces, activeId, queryClient, setActiveCapabilities])
 
   const activeWorkspace = useMemo(
     () => workspaces.find((w) => w.id === activeId) ?? null,
     [workspaces, activeId],
   )
 
-  const handleSelect = async (workspaceId: string) => {
-    if (workspaceId === activeId) {
+  useEffect(() => {
+    if (activeWorkspace?.capabilities) {
+      setActiveCapabilities(activeWorkspace.capabilities)
+    }
+  }, [activeWorkspace, setActiveCapabilities])
+
+  const handleSelect = async (workspace: Workspace) => {
+    if (workspace.id === activeId) {
       setOpen(false)
       return
     }
-    localStorage.setItem(ACTIVE_WORKSPACE_KEY, workspaceId)
-    setActiveId(workspaceId)
+    localStorage.setItem(ACTIVE_WORKSPACE_KEY, workspace.id)
+    setActiveId(workspace.id)
+    setActiveCapabilities(workspace.capabilities ?? [])
     setOpen(false)
-    // Invalidate all queries so the UI refetches against the new
-    // workspace's data. Same pattern as OrgSwitcher.
     await queryClient.invalidateQueries()
   }
 
-  const handleCreate = async (e: React.FormEvent) => {
-    e.preventDefault()
-    const trimmedName = newName.trim()
-    const trimmedSlug = newSlug.trim()
-    if (!trimmedName) {
-      setError('Name is required')
-      return
-    }
-    setError('')
-    setCreating(true)
-    try {
-      const created = await apiClient.createWorkspace({
-        name: trimmedName,
-        // Slug is optional - the backend derives it from the name
-        // when omitted.
-        ...(trimmedSlug ? { slug: trimmedSlug } : {}),
-      })
-      await refetch()
-      setShowCreate(false)
-      setNewName('')
-      setNewSlug('')
-      await handleSelect(created.id)
-    } catch (err: any) {
-      setError(
-        err?.response?.data?.detail || 'Could not create workspace',
-      )
-    } finally {
-      setCreating(false)
-    }
+  const handleWorkspaceCreated = async (created: Workspace) => {
+    await refetch()
+    setOpen(false)
+    await handleSelect(created)
+  }
+
+  const openCreateModal = () => {
+    setOpen(false)
+    setShowCreateModal(true)
   }
 
   return (
-    <div className="relative">
-      <button
-        type="button"
-        onClick={() => setOpen((v) => !v)}
-        className="w-full flex items-center gap-2 px-3 py-2 text-sm font-medium text-gray-700 bg-white border border-gray-200 rounded-lg hover:bg-gray-50 hover:border-gray-300 transition-all shadow-sm"
-        title="Switch workspace"
-      >
-        <FolderKanban className="h-4 w-4 text-gray-500 flex-shrink-0" />
-        <span className="truncate flex-1 text-left">
-          {isLoading
-            ? 'Loading workspaces…'
-            : activeWorkspace?.name ?? 'Select workspace'}
-        </span>
-        <ChevronDown className="h-4 w-4 text-gray-500 flex-shrink-0" />
-      </button>
-
-      {open && (
-        <>
-          <div
-            className="fixed inset-0 z-10"
-            onClick={() => {
-              setOpen(false)
-              setShowCreate(false)
-              setError('')
-            }}
-          />
-          <div className="absolute left-0 right-0 mt-2 bg-white rounded-lg shadow-lg border border-gray-200 z-20">
-            <div className="px-4 py-2 border-b border-gray-100 text-xs font-semibold text-gray-500 uppercase tracking-wide flex items-center justify-between">
-              <span>Workspaces</span>
-              <button
-                type="button"
-                onClick={() => {
-                  setShowCreate((v) => !v)
-                  setError('')
-                }}
-                className="text-primary-600 hover:text-primary-700 normal-case font-medium flex items-center gap-1"
-              >
-                {showCreate ? (
-                  <>
-                    <X className="h-3 w-3" /> Cancel
-                  </>
-                ) : (
-                  <>
-                    <Plus className="h-3 w-3" /> New
-                  </>
-                )}
-              </button>
-            </div>
+    <>
+      <div className="relative">
+        <button
+          type="button"
+          onClick={() => setOpen((v) => !v)}
+          className="w-full flex items-center gap-2 px-3 py-2 text-sm font-medium text-gray-700 bg-white border border-gray-200 rounded-lg hover:bg-gray-50 hover:border-gray-300 transition-all shadow-sm"
+          title="Switch workspace"
+        >
+          <FolderKanban className="h-4 w-4 text-gray-500 flex-shrink-0" />
+          <span className="truncate flex-1 text-left">
+            {isLoading
+              ? 'Loading workspaces…'
+              : activeWorkspace?.name ?? 'Select workspace'}
+          </span>
+          <ChevronDown className="h-4 w-4 text-gray-500 flex-shrink-0" />
+        </button>
 
-            {showCreate && (
-              <form
-                onSubmit={handleCreate}
-                className="px-4 py-3 border-b border-gray-100 space-y-2 bg-gray-50"
-              >
-                <input
-                  type="text"
-                  value={newName}
-                  onChange={(e) => setNewName(e.target.value)}
-                  placeholder="Workspace name"
-                  className="w-full px-2 py-1.5 text-sm border border-gray-200 rounded focus:outline-none focus:ring-1 focus:ring-primary-500"
-                  autoFocus
-                />
-                <input
-                  type="text"
-                  value={newSlug}
-                  onChange={(e) =>
-                    setNewSlug(
-                      e.target.value
-                        .toLowerCase()
-                        .replace(/[^a-z0-9-]/g, '-'),
-                    )
-                  }
-                  placeholder="slug (optional)"
-                  className="w-full px-2 py-1.5 text-sm border border-gray-200 rounded focus:outline-none focus:ring-1 focus:ring-primary-500"
-                />
-                {error && (
-                  <div className="text-xs text-red-600">{error}</div>
-                )}
-                <button
-                  type="submit"
-                  disabled={creating}
-                  className="w-full px-2 py-1.5 text-sm font-medium text-white bg-primary-600 rounded hover:bg-primary-700 disabled:opacity-60 flex items-center justify-center gap-2"
-                >
-                  {creating && (
-                    <Loader2 className="h-3.5 w-3.5 animate-spin" />
-                  )}
-                  Create workspace
-                </button>
-              </form>
-            )}
-
-            <div className="max-h-80 overflow-y-auto py-1">
-              {workspaces.length === 0 && !isLoading && (
-                <div className="px-4 py-3 text-sm text-gray-500">
-                  No workspaces yet.
-                </div>
-              )}
-              {workspaces.map((ws) => {
-                const isCurrent = ws.id === activeId
-                return (
+        {open && (
+          <>
+            <div
+              className="fixed inset-0 z-10"
+              onClick={() => setOpen(false)}
+            />
+            <div className="absolute left-0 right-0 mt-2 bg-white rounded-lg shadow-lg border border-gray-200 z-20">
+              <div className="px-4 py-2 border-b border-gray-100 text-xs font-semibold text-gray-500 uppercase tracking-wide flex items-center justify-between">
+                <span>Workspaces</span>
+                {canWrite && (
                   <button
-                    key={ws.id}
                     type="button"
-                    onClick={() => handleSelect(ws.id)}
-                    className={`w-full px-4 py-2.5 text-left hover:bg-gray-50 transition-colors flex items-center justify-between gap-2 ${
-                      isCurrent ? 'bg-primary-50' : ''
-                    }`}
+                    onClick={openCreateModal}
+                    className="text-primary-600 hover:text-primary-700 normal-case font-medium flex items-center gap-1"
                   >
-                    <div className="min-w-0 flex-1">
-                      <div className="text-sm font-medium text-gray-900 truncate">
-                        {ws.name}
-                        {ws.is_default && (
-                          <span className="ml-2 text-xs font-normal text-gray-500">
-                            (default)
-                          </span>
-                        )}
-                      </div>
-                      <div className="text-xs text-gray-500 truncate">
-                        {ws.slug}
-                      </div>
-                    </div>
-                    {isCurrent && (
-                      <Check className="h-4 w-4 text-primary-600 flex-shrink-0" />
-                    )}
+                    <Plus className="h-3 w-3" /> New
                   </button>
-                )
-              })}
+                )}
+              </div>
+
+              <div className="max-h-80 overflow-y-auto py-1">
+                {workspaces.length === 0 && !isLoading && (
+                  <div className="px-4 py-3 text-sm text-gray-500">
+                    No workspaces available.
+                    {canWrite && (
+                      <button
+                        type="button"
+                        onClick={openCreateModal}
+                        className="block mt-2 text-primary-600 hover:text-primary-700 font-medium"
+                      >
+                        Create your first workspace
+                      </button>
+                    )}
+                  </div>
+                )}
+                {workspaces.map((ws) => {
+                  const isCurrent = ws.id === activeId
+                  return (
+                    <button
+                      key={ws.id}
+                      type="button"
+                      onClick={() => handleSelect(ws)}
+                      className={`w-full px-4 py-2.5 text-left hover:bg-gray-50 transition-colors flex items-center justify-between gap-2 ${
+                        isCurrent ? 'bg-primary-50' : ''
+                      }`}
+                    >
+                      <div className="min-w-0 flex-1">
+                        <div className="text-sm font-medium text-gray-900 truncate">
+                          {ws.name}
+                          {ws.is_default && (
+                            <span className="ml-2 text-xs font-normal text-gray-500">
+                              (default)
+                            </span>
+                          )}
+                        </div>
+                        <div className="text-xs text-gray-500 truncate">
+                          {ws.role_name ? `${ws.role_name} · ${ws.slug}` : ws.slug}
+                        </div>
+                      </div>
+                      {isCurrent && (
+                        <Check className="h-4 w-4 text-primary-600 flex-shrink-0" />
+                      )}
+                    </button>
+                  )
+                })}
+              </div>
             </div>
-          </div>
-        </>
-      )}
-    </div>
+          </>
+        )}
+      </div>
+
+      <CreateWorkspaceModal
+        open={showCreateModal}
+        onClose={() => setShowCreateModal(false)}
+        onCreated={handleWorkspaceCreated}
+      />
+    </>
   )
 }
diff --git a/frontend/src/hooks/useWorkspaceCapabilities.ts b/frontend/src/hooks/useWorkspaceCapabilities.ts
new file mode 100644
index 00000000..03353671
--- /dev/null
+++ b/frontend/src/hooks/useWorkspaceCapabilities.ts
@@ -0,0 +1,20 @@
+import { useMemo } from 'react'
+import { useWorkspaceStore } from '../store/workspaceStore'
+
+/** Hook for cosmetic UI gating based on active workspace capabilities. */
+export function useWorkspaceCapabilities() {
+  const capabilities = useWorkspaceStore((s) => s.activeCapabilities)
+
+  return useMemo(
+    () => ({
+      capabilities,
+      has: (cap: string) => capabilities.includes(cap),
+      canViewMembers: capabilities.includes('workspace.members.view'),
+      canManageMembers: capabilities.includes('workspace.members.manage'),
+      canImportCalls: capabilities.includes('calls.import'),
+      canManageMetrics: capabilities.includes('metrics.manage'),
+      canRunEvals: capabilities.includes('evals.run'),
+    }),
+    [capabilities],
+  )
+}
diff --git a/frontend/src/lib/api.ts b/frontend/src/lib/api.ts
index 9caa105e..67d09be4 100644
--- a/frontend/src/lib/api.ts
+++ b/frontend/src/lib/api.ts
@@ -353,6 +353,79 @@ class ApiClient {
     await this.client.delete(`/api/v1/workspaces/${workspaceId}`)
   }
 
+  async listCapabilities(): Promise<import('../types/api').CapabilityDomain[]> {
+    const response = await this.client.get('/api/v1/capabilities')
+    return response.data
+  }
+
+  async listWorkspaceRoles(): Promise<import('../types/api').WorkspaceRole[]> {
+    const response = await this.client.get('/api/v1/workspace-roles')
+    return response.data
+  }
+
+  async createWorkspaceRole(
+    payload: import('../types/api').WorkspaceRoleCreate,
+  ): Promise<import('../types/api').WorkspaceRole> {
+    const response = await this.client.post('/api/v1/workspace-roles', payload)
+    return response.data
+  }
+
+  async updateWorkspaceRole(
+    roleId: string,
+    payload: import('../types/api').WorkspaceRoleUpdate,
+  ): Promise<import('../types/api').WorkspaceRole> {
+    const response = await this.client.patch(
+      `/api/v1/workspace-roles/${roleId}`,
+      payload,
+    )
+    return response.data
+  }
+
+  async deleteWorkspaceRole(roleId: string): Promise<void> {
+    await this.client.delete(`/api/v1/workspace-roles/${roleId}`)
+  }
+
+  async listWorkspaceMembers(
+    workspaceId: string,
+  ): Promise<import('../types/api').WorkspaceMember[]> {
+    const response = await this.client.get(
+      `/api/v1/workspaces/${workspaceId}/members`,
+    )
+    return response.data
+  }
+
+  async addWorkspaceMember(
+    workspaceId: string,
+    payload: { user_id: string; role_id: string },
+  ): Promise<import('../types/api').WorkspaceMember> {
+    const response = await this.client.post(
+      `/api/v1/workspaces/${workspaceId}/members`,
+      payload,
+    )
+    return response.data
+  }
+
+  async updateWorkspaceMember(
+    workspaceId: string,
+    userId: string,
+    payload: { role_id: string },
+  ): Promise<import('../types/api').WorkspaceMember> {
+    const response = await this.client.patch(
+      `/api/v1/workspaces/${workspaceId}/members/${userId}`,
+      payload,
+    )
+    return response.data
+  }
+
+  async removeWorkspaceMember(
+    workspaceId: string,
+    userId: string,
+  ): Promise<void> {
+    await this.client.delete(
+      `/api/v1/workspaces/${workspaceId}/members/${userId}`,
+    )
+  }
+
   // Auth endpoints
   async getAuthConfig(): Promise<AuthConfigResponse> {
     const response = await this.client.get('/api/v1/auth/config')
diff --git a/frontend/src/pages/iam/IAM.tsx b/frontend/src/pages/iam/IAM.tsx
index 5c6e955c..116257ec 100644
--- a/frontend/src/pages/iam/IAM.tsx
+++ b/frontend/src/pages/iam/IAM.tsx
@@ -6,6 +6,7 @@ import { Users, Mail, UserPlus, Shield, ShieldCheck, ShieldAlert, X, Trash2, Key
 import Button from '../../components/Button'
 import { useToast } from '../../hooks/useToast'
 import { useIsAdmin } from '../../hooks/useRole'
+import WorkspaceRolesSection from '../../components/WorkspaceRolesSection'
 
 export default function IAM() {
   const queryClient = useQueryClient()
@@ -513,6 +514,12 @@ export default function IAM() {
         </div>
       </div>
 
+      {isAdmin && (
+        <div className="bg-white shadow rounded-lg p-6">
+          <WorkspaceRolesSection />
+        </div>
+      )}
+
       {/* Invite Modal */}
       {showInviteModal && (
         <div className="fixed inset-0 bg-gray-500 bg-opacity-75 flex items-center justify-center z-50">
diff --git a/frontend/src/pages/workspace/WorkspaceMembers.tsx b/frontend/src/pages/workspace/WorkspaceMembers.tsx
new file mode 100644
index 00000000..5065d140
--- /dev/null
+++ b/frontend/src/pages/workspace/WorkspaceMembers.tsx
@@ -0,0 +1,225 @@
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
+import { useState } from 'react'
+import { Link } from 'react-router-dom'
+import { Trash2, UserPlus, Users } from 'lucide-react'
+import { apiClient } from '../../lib/api'
+import { useWorkspaceCapabilities } from '../../hooks/useWorkspaceCapabilities'
+import { useWorkspaceStore } from '../../store/workspaceStore'
+import Button from '../../components/Button'
+import { useToast } from '../../hooks/useToast'
+
+export default function WorkspaceMembers() {
+  const queryClient = useQueryClient()
+  const { showToast, ToastContainer } = useToast()
+  const { canViewMembers, canManageMembers } = useWorkspaceCapabilities()
+  const activeWorkspaceId = useWorkspaceStore((s) => s.activeWorkspaceId)
+  const [showAdd, setShowAdd] = useState(false)
+  const [selectedUserId, setSelectedUserId] = useState('')
+  const [selectedRoleId, setSelectedRoleId] = useState('')
+
+  const { data: members = [], isLoading } = useQuery({
+    queryKey: ['workspace-members', activeWorkspaceId],
+    queryFn: () => apiClient.listWorkspaceMembers(activeWorkspaceId!),
+    enabled: Boolean(activeWorkspaceId) && canViewMembers,
+  })
+
+  const { data: orgUsers = [] } = useQuery({
+    queryKey: ['iam', 'users'],
+    queryFn: () => apiClient.listOrganizationUsers(),
+    enabled: canManageMembers,
+  })
+
+  const { data: roles = [] } = useQuery({
+    queryKey: ['workspace-roles'],
+    queryFn: () => apiClient.listWorkspaceRoles(),
+  })
+
+  const addMutation = useMutation({
+    mutationFn: () =>
+      apiClient.addWorkspaceMember(activeWorkspaceId!, {
+        user_id: selectedUserId,
+        role_id: selectedRoleId,
+      }),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ['workspace-members'] })
+      setShowAdd(false)
+      setSelectedUserId('')
+      setSelectedRoleId('')
+      showToast('Member added', 'success')
+    },
+    onError: (error: any) => {
+      showToast(error.response?.data?.detail || 'Failed to add member', 'error')
+    },
+  })
+
+  const updateMutation = useMutation({
+    mutationFn: ({ userId, roleId }: { userId: string; roleId: string }) =>
+      apiClient.updateWorkspaceMember(activeWorkspaceId!, userId, {
+        role_id: roleId,
+      }),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ['workspace-members'] })
+      showToast('Role updated', 'success')
+    },
+  })
+
+  const removeMutation = useMutation({
+    mutationFn: (userId: string) =>
+      apiClient.removeWorkspaceMember(activeWorkspaceId!, userId),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ['workspace-members'] })
+      showToast('Member removed', 'success')
+    },
+  })
+
+  if (!activeWorkspaceId) {
+    return (
+      <div className="p-6 text-gray-600">
+        Select a workspace from the sidebar to manage members.
+      </div>
+    )
+  }
+
+  if (!canViewMembers) {
+    return (
+      <div className="p-6 text-gray-600">
+        You do not have permission to view workspace members.
+      </div>
+    )
+  }
+
+  const memberUserIds = new Set(members.map((m) => m.user_id))
+  const availableUsers = orgUsers.filter((u) => !memberUserIds.has(u.user_id))
+
+  return (
+    <div className="p-6 max-w-4xl">
+      <ToastContainer />
+      <div className="flex items-center justify-between mb-6">
+        <div>
+          <h1 className="text-2xl font-semibold text-gray-900 flex items-center gap-2">
+            <Users className="h-6 w-6" />
+            Workspace Members
+          </h1>
+          <p className="text-sm text-gray-500 mt-1">
+            Manage who can access the active workspace and their roles.
+          </p>
+        </div>
+        {canManageMembers && (
+          <Button onClick={() => setShowAdd((v) => !v)}>
+            <UserPlus className="h-4 w-4 mr-2" />
+            Add member
+          </Button>
+        )}
+      </div>
+
+      {showAdd && canManageMembers && (
+        <div className="mb-6 p-4 border border-gray-200 rounded-lg bg-gray-50 space-y-3">
+          <select
+            value={selectedUserId}
+            onChange={(e) => setSelectedUserId(e.target.value)}
+            className="w-full px-3 py-2 border border-gray-200 rounded-lg text-sm"
+          >
+            <option value="">Select org member…</option>
+            {availableUsers.map((u) => (
+              <option key={u.user_id} value={u.user_id}>
+                {u.user?.email ?? u.user_id}
+              </option>
+            ))}
+          </select>
+          <select
+            value={selectedRoleId}
+            onChange={(e) => setSelectedRoleId(e.target.value)}
+            className="w-full px-3 py-2 border border-gray-200 rounded-lg text-sm"
+          >
+            <option value="">Select role…</option>
+            {roles.map((r) => (
+              <option key={r.id} value={r.id}>
+                {r.name}
+              </option>
+            ))}
+          </select>
+          <Button
+            disabled={!selectedUserId || !selectedRoleId || addMutation.isPending}
+            onClick={() => addMutation.mutate()}
+          >
+            Add to workspace
+          </Button>
+        </div>
+      )}
+
+      {isLoading ? (
+        <div className="text-gray-500">Loading members…</div>
+      ) : (
+        <div className="border border-gray-200 rounded-lg overflow-hidden">
+          <table className="min-w-full divide-y divide-gray-200">
+            <thead className="bg-gray-50">
+              <tr>
+                <th className="px-4 py-3 text-left text-xs font-medium text-gray-500 uppercase">
+                  User
+                </th>
+                <th className="px-4 py-3 text-left text-xs font-medium text-gray-500 uppercase">
+                  Role
+                </th>
+                {canManageMembers && <th className="px-4 py-3" />}
+              </tr>
+            </thead>
+            <tbody className="divide-y divide-gray-200 bg-white">
+              {members.map((member) => (
+                <tr key={member.id}>
+                  <td className="px-4 py-3 text-sm">
+                    <div className="font-medium text-gray-900">{member.user_email}</div>
+                    {member.user_name && (
+                      <div className="text-gray-500">{member.user_name}</div>
+                    )}
+                  </td>
+                  <td className="px-4 py-3 text-sm">
+                    {canManageMembers ? (
+                      <select
+                        value={member.role_id}
+                        onChange={(e) =>
+                          updateMutation.mutate({
+                            userId: member.user_id,
+                            roleId: e.target.value,
+                          })
+                        }
+                        className="px-2 py-1 border border-gray-200 rounded text-sm"
+                      >
+                        {roles.map((r) => (
+                          <option key={r.id} value={r.id}>
+                            {r.name}
+                          </option>
+                        ))}
+                      </select>
+                    ) : (
+                      member.role_name
+                    )}
+                  </td>
+                  {canManageMembers && (
+                    <td className="px-4 py-3 text-right">
+                      <button
+                        type="button"
+                        onClick={() => removeMutation.mutate(member.user_id)}
+                        className="text-red-600 hover:text-red-800"
+                        title="Remove member"
+                      >
+                        <Trash2 className="h-4 w-4" />
+                      </button>
+                    </td>
+                  )}
+                </tr>
+              ))}
+            </tbody>
+          </table>
+        </div>
+      )}
+
+      <p className="mt-4 text-sm text-gray-500">
+        Org admins can also manage{' '}
+        <Link to="/iam" className="text-primary-600 hover:underline">
+          workspace roles
+        </Link>{' '}
+        under IAM settings.
+      </p>
+    </div>
+  )
+}
diff --git a/frontend/src/store/workspaceStore.ts b/frontend/src/store/workspaceStore.ts
index d9e6f18a..31329745 100644
--- a/frontend/src/store/workspaceStore.ts
+++ b/frontend/src/store/workspaceStore.ts
@@ -1,25 +1,12 @@
 import { create } from 'zustand'
 
-/**
- * Workspace store for the EfficientAI frontend.
- *
- * A workspace is the in-org isolation boundary for call imports and metrics
- * (see migration 033 / app/api/v1/routes/workspaces.py). The active
- * workspace id is sent on every API call as `X-Workspace-Id`; switching
- * workspace + invalidating react-query caches is what scopes the UI to
- * a different project's data.
- *
- * The store is intentionally thin - membership management and the workspace
- * list itself live in react-query (`['workspaces']`). We only persist:
- *   - the currently selected workspace id (per-tab via localStorage), so a
- *     reload doesn't bounce the user back to "Default".
- */
-
 const STORAGE_WORKSPACE_ID = 'activeWorkspaceId'
 
 interface WorkspaceState {
   activeWorkspaceId: string | null
+  activeCapabilities: string[]
   setActiveWorkspaceId: (id: string | null) => void
+  setActiveCapabilities: (capabilities: string[]) => void
   clearActiveWorkspaceId: () => void
 }
 
@@ -33,6 +20,7 @@ function readStored(): string | null {
 
 export const useWorkspaceStore = create<WorkspaceState>((set) => ({
   activeWorkspaceId: readStored(),
+  activeCapabilities: [],
 
   setActiveWorkspaceId: (id: string | null) => {
     if (id) {
@@ -43,17 +31,20 @@ export const useWorkspaceStore = create<WorkspaceState>((set) => ({
     set({ activeWorkspaceId: id })
   },
 
+  setActiveCapabilities: (capabilities: string[]) => {
+    set({ activeCapabilities: capabilities })
+  },
+
   clearActiveWorkspaceId: () => {
     localStorage.removeItem(STORAGE_WORKSPACE_ID)
-    set({ activeWorkspaceId: null })
+    set({ activeWorkspaceId: null, activeCapabilities: [] })
   },
 }))
 
-/**
- * Read the currently-selected workspace id without subscribing to the
- * store. The axios request interceptor uses this so it doesn't have to
- * hook into React state.
- */
 export function getActiveWorkspaceId(): string | null {
   return useWorkspaceStore.getState().activeWorkspaceId
 }
+
+export function hasWorkspaceCapability(capability: string): boolean {
+  return useWorkspaceStore.getState().activeCapabilities.includes(capability)
+}
diff --git a/frontend/src/types/api.ts b/frontend/src/types/api.ts
index 1d3c49e3..9e4d9b4d 100644
--- a/frontend/src/types/api.ts
+++ b/frontend/src/types/api.ts
@@ -842,6 +842,55 @@ export interface Workspace {
   is_default: boolean
   created_at: string
   updated_at: string
+  role_id?: string | null
+  role_name?: string | null
+  capabilities?: string[]
+}
+
+export interface WorkspaceRole {
+  id: string
+  organization_id: string
+  name: string
+  description?: string | null
+  capabilities: string[]
+  is_system: boolean
+  created_at: string
+  updated_at: string
+}
+
+export interface WorkspaceMember {
+  id: string
+  workspace_id: string
+  user_id: string
+  role_id: string
+  role_name: string
+  user_email: string
+  user_name?: string | null
+  added_by_user_id?: string | null
+  created_at: string
+}
+
+export interface CapabilityInfo {
+  key: string
+  label: string
+}
+
+export interface CapabilityDomain {
+  key: string
+  label: string
+  capabilities: CapabilityInfo[]
+}
+
+export interface WorkspaceRoleCreate {
+  name: string
+  description?: string | null
+  capabilities: string[]
+}
+
+export interface WorkspaceRoleUpdate {
+  name?: string
+  description?: string | null
+  capabilities?: string[]
 }
 
 export interface CallImport {
diff --git a/tests/conftest.py b/tests/conftest.py
index d8eaf7dd..bf507bc0 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -1,11 +1,11 @@
 """Shared pytest fixtures for backend tests."""
 
 import os
-import sys
-import types
-from contextlib import asynccontextmanager
-from pathlib import Path
-from uuid import uuid4
+import sys
+import types
+from contextlib import asynccontextmanager
+from pathlib import Path
+from uuid import uuid4
 
 import pytest
 from fastapi import FastAPI
@@ -274,11 +274,11 @@ def update_agent_prompt(self, **_kwargs):
         sys.modules["app.services.voice_agent.bot_fast_api"] = fake_bot_fast_api_module
         sys.modules["app.services.voice_agent.voice_bundle"] = fake_voice_bundle_module
 
-    if "app.services.reporting.voice_playground_report_service" not in sys.modules:
-        fake_reporting_pkg = types.ModuleType("app.services.reporting")
-        fake_reporting_pkg.__path__ = [
-            str(Path(__file__).resolve().parents[1] / "app" / "services" / "reporting")
-        ]
+    if "app.services.reporting.voice_playground_report_service" not in sys.modules:
+        fake_reporting_pkg = types.ModuleType("app.services.reporting")
+        fake_reporting_pkg.__path__ = [
+            str(Path(__file__).resolve().parents[1] / "app" / "services" / "reporting")
+        ]
         fake_report_service_module = types.ModuleType("app.services.reporting.voice_playground_report_service")
 
         class _FakeVoicePlaygroundReportService:
@@ -332,10 +332,14 @@ class _TaskResult:
     from app.dependencies import (
         get_api_key,
         get_organization_id,
+        get_workspace_context,
         get_workspace_id,
         require_enterprise_feature,
+        WorkspaceContext,
     )
-    from app.models.database import Organization, Workspace
+    from app.core.auth.capabilities import ALL_CAPABILITIES
+    from app.models.database import Organization, OrganizationMember, RoleEnum, User, Workspace, APIKey
+    from app.services.workspace_rbac import backfill_org_workspace_memberships, seed_system_workspace_roles
     import app.dependencies as app_dependencies
     from app.api.v1.routes import (
         aiproviders,
@@ -374,6 +378,7 @@ class _TaskResult:
         voice_playground,
         voicebundles,
         workspaces,
+        workspace_iam,
     )
 
     app = FastAPI()
@@ -413,6 +418,15 @@ class _TaskResult:
     app.include_router(call_import_tags.router, prefix="/api/v1")
     app.include_router(call_import_evaluations.router, prefix="/api/v1")
     app.include_router(workspaces.router, prefix="/api/v1")
+    app.include_router(workspace_iam.router, prefix="/api/v1")
+
+    def _override_workspace_context() -> WorkspaceContext:
+        return WorkspaceContext(
+            workspace_id=default_workspace.id,
+            organization_id=org_id,
+            capabilities=frozenset(ALL_CAPABILITIES),
+            is_org_admin=True,
+        )
 
     # Enterprise route dependencies call app.dependencies.is_feature_enabled at runtime.
     # Force-enable it for API tests so tests remain focused on route behavior.
@@ -456,15 +470,18 @@ def _ensure_default_workspace() -> Workspace:
             )
             db_session.add(ws)
             db_session.commit()
+        seed_system_workspace_roles(db_session, organization_id=org_id)
         return ws
 
     default_workspace = _ensure_default_workspace()
+    backfill_org_workspace_memberships(db_session, organization_id=org_id)
 
     app.router.lifespan_context = _noop_lifespan
     app.dependency_overrides[get_db] = _override_get_db
     app.dependency_overrides[get_api_key] = lambda: api_key
     app.dependency_overrides[get_organization_id] = lambda: org_id
     app.dependency_overrides[get_workspace_id] = lambda: default_workspace.id
+    app.dependency_overrides[get_workspace_context] = _override_workspace_context
     app.dependency_overrides[require_enterprise_feature] = lambda: None
 
     with TestClient(app) as test_client:
@@ -475,14 +492,45 @@ def _ensure_default_workspace() -> Workspace:
 
 @pytest.fixture
 def authenticated_client(client, api_key, db_session, org_id):
-    """Client pre-populated with auth header."""
-    from app.models.database import Organization
+    """Client pre-populated with auth header and a real API key in the DB."""
+    from app.models.database import APIKey, Organization, OrganizationMember, RoleEnum, User
 
-    # Authenticated routes usually persist rows scoped to organization_id.
-    # Ensure the organization exists to satisfy FK constraints on Postgres.
     existing_org = db_session.query(Organization).filter(Organization.id == org_id).first()
     if existing_org is None:
         db_session.add(Organization(id=org_id, name="Test Organization"))
+        db_session.flush()
+
+    existing_key = (
+        db_session.query(APIKey)
+        .filter(APIKey.key == api_key, APIKey.organization_id == org_id)
+        .first()
+    )
+    if existing_key is None:
+        user = User(
+            id=uuid4(),
+            email="owner@example.com",
+            name="Org Owner",
+            is_active=True,
+        )
+        db_session.add(user)
+        db_session.flush()
+        db_session.add(
+            OrganizationMember(
+                organization_id=org_id,
+                user_id=user.id,
+                role=RoleEnum.ADMIN.value,
+            )
+        )
+        db_session.add(
+            APIKey(
+                id=uuid4(),
+                key=api_key,
+                name="Test API Key",
+                organization_id=org_id,
+                user_id=user.id,
+                is_active=True,
+            )
+        )
         db_session.commit()
 
     client.headers.update({"X-API-Key": api_key})
diff --git a/tests/test_api/conftest.py b/tests/test_api/conftest.py
index 0c2d54a1..def88fc7 100644
--- a/tests/test_api/conftest.py
+++ b/tests/test_api/conftest.py
@@ -279,6 +279,27 @@ def _make_user(**overrides):
 @pytest.fixture
 def user_context(db_session, org_id, api_key, seed_org, make_user):
     """Seed user + org membership + API key for IAM/settings tests."""
+    existing_key = (
+        db_session.query(APIKey)
+        .filter(APIKey.key == api_key, APIKey.organization_id == org_id)
+        .first()
+    )
+    if existing_key is not None and existing_key.user_id is not None:
+        user = db_session.query(User).filter(User.id == existing_key.user_id).first()
+        membership = (
+            db_session.query(OrganizationMember)
+            .filter(
+                OrganizationMember.organization_id == org_id,
+                OrganizationMember.user_id == user.id,
+            )
+            .first()
+        )
+        if user.email != "owner@example.com":
+            user.email = "owner@example.com"
+            user.name = "Org Owner"
+            db_session.commit()
+        return {"user": user, "membership": membership, "api_key_record": existing_key}
+
     user = make_user(email="owner@example.com", name="Org Owner")
     membership = OrganizationMember(
         id=uuid4(),
diff --git a/tests/test_api/test_auth_routes.py b/tests/test_api/test_auth_routes.py
index 8b8a7e1d..19c185bf 100644
--- a/tests/test_api/test_auth_routes.py
+++ b/tests/test_api/test_auth_routes.py
@@ -29,6 +29,39 @@
 from app.services.organization_provisioning import provision_default_workspace
 
 
+def _bind_api_key_to_user(db_session, *, api_key: str, org_id: UUID, user: User) -> APIKey:
+    """Point the shared test API key at ``user``, replacing any bootstrap binding."""
+    db_session.query(APIKey).filter(APIKey.key == api_key).delete()
+    db_session.flush()
+    key = APIKey(
+        id=uuid4(),
+        key=api_key,
+        name="Test Key",
+        organization_id=org_id,
+        user_id=user.id,
+        is_active=True,
+    )
+    db_session.add(key)
+    membership = (
+        db_session.query(OrganizationMember)
+        .filter(
+            OrganizationMember.organization_id == org_id,
+            OrganizationMember.user_id == user.id,
+        )
+        .first()
+    )
+    if membership is None:
+        db_session.add(
+            OrganizationMember(
+                organization_id=org_id,
+                user_id=user.id,
+                role=RoleEnum.ADMIN.value,
+            )
+        )
+    db_session.commit()
+    return key
+
+
 # ---------------------------------------------------------------------------
 # Existing smoke tests (kept verbatim - they guard the API-key path).
 # ---------------------------------------------------------------------------
@@ -448,23 +481,7 @@ def test_api_key_user_can_attach_password_and_real_email(
     )
     db_session.add(user)
     db_session.flush()
-    db_session.add(
-        APIKey(
-            id=api_key_id,
-            key=api_key,
-            name="Bootstrap Key",
-            organization_id=org_id,
-            user_id=user.id,
-            is_active=True,
-        )
-    )
-    db_session.add(
-        OrganizationMember(
-            organization_id=org_id,
-            user_id=user.id,
-            role=RoleEnum.ADMIN.value,
-        )
-    )
+    _bind_api_key_to_user(db_session, api_key=api_key, org_id=org_id, user=user)
     db_session.commit()
 
     response = authenticated_client.post(
@@ -497,24 +514,7 @@ def test_set_password_rejects_email_change_for_non_placeholder_user(
     )
     db_session.add(user)
     db_session.flush()
-    db_session.add(
-        APIKey(
-            id=uuid4(),
-            key=api_key,
-            name="User Key",
-            organization_id=org_id,
-            user_id=user.id,
-            is_active=True,
-        )
-    )
-    db_session.add(
-        OrganizationMember(
-            organization_id=org_id,
-            user_id=user.id,
-            role=RoleEnum.ADMIN.value,
-        )
-    )
-    db_session.commit()
+    _bind_api_key_to_user(db_session, api_key=api_key, org_id=org_id, user=user)
 
     response = authenticated_client.post(
         "/api/v1/auth/password",
@@ -541,23 +541,7 @@ def test_rotating_password_requires_current_password(
     )
     db_session.add(user)
     db_session.flush()
-    db_session.add(
-        APIKey(
-            id=uuid4(),
-            key=api_key,
-            organization_id=org_id,
-            user_id=user.id,
-            is_active=True,
-        )
-    )
-    db_session.add(
-        OrganizationMember(
-            organization_id=org_id,
-            user_id=user.id,
-            role=RoleEnum.ADMIN.value,
-        )
-    )
-    db_session.commit()
+    _bind_api_key_to_user(db_session, api_key=api_key, org_id=org_id, user=user)
 
     # Missing current_password -> 401.
     missing_current = authenticated_client.post(
diff --git a/tests/test_api/test_workspace_iam.py b/tests/test_api/test_workspace_iam.py
new file mode 100644
index 00000000..5c9f60f6
--- /dev/null
+++ b/tests/test_api/test_workspace_iam.py
@@ -0,0 +1,216 @@
+"""Tests for workspace RBAC: roles, membership, and capability enforcement."""
+
+from __future__ import annotations
+
+from uuid import uuid4
+
+import pytest
+from fastapi import FastAPI
+from fastapi.testclient import TestClient
+
+from app.core.auth.capabilities import (
+    CALLS_VIEW,
+    METRICS_VIEW,
+    SYSTEM_ROLE_ADMIN,
+    SYSTEM_ROLE_VIEWER,
+)
+from app.core.auth.principal import AuthMethod, Principal
+from app.core.auth.dependency import get_principal
+from app.database import get_db
+from app.dependencies import get_organization_id, get_workspace_context, get_workspace_id
+from app.models.database import (
+    Organization,
+    OrganizationMember,
+    RoleEnum,
+    User,
+    Workspace,
+    WorkspaceMember,
+    WorkspaceRole,
+)
+from app.services.workspace_rbac import (
+    add_workspace_member,
+    resolve_workspace_capabilities,
+    seed_system_workspace_roles,
+)
+from app.api.v1.routes import metrics, workspace_iam, workspaces
+
+
+@pytest.fixture
+def rbac_org(db_session):
+    org = Organization(id=uuid4(), name="RBAC Org")
+    db_session.add(org)
+    db_session.commit()
+    return org
+
+
+@pytest.fixture
+def rbac_users(db_session, rbac_org):
+    admin = User(id=uuid4(), email="admin@test.local", name="Admin")
+    viewer = User(id=uuid4(), email="viewer@test.local", name="Viewer")
+    db_session.add_all([admin, viewer])
+    db_session.add_all(
+        [
+            OrganizationMember(
+                organization_id=rbac_org.id,
+                user_id=admin.id,
+                role=RoleEnum.ADMIN,
+            ),
+            OrganizationMember(
+                organization_id=rbac_org.id,
+                user_id=viewer.id,
+                role=RoleEnum.READER,
+            ),
+        ]
+    )
+    db_session.commit()
+    return {"admin": admin, "viewer": viewer}
+
+
+@pytest.fixture
+def rbac_workspace(db_session, rbac_org, rbac_users):
+    roles = seed_system_workspace_roles(db_session, organization_id=rbac_org.id)
+    ws = Workspace(
+        id=uuid4(),
+        organization_id=rbac_org.id,
+        name="Project A",
+        slug="project_a",
+        is_default=False,
+    )
+    db_session.add(ws)
+    db_session.flush()
+    add_workspace_member(
+        db_session,
+        workspace_id=ws.id,
+        user_id=rbac_users["viewer"].id,
+        role_id=roles[SYSTEM_ROLE_VIEWER].id,
+    )
+    db_session.commit()
+    return ws
+
+
+def test_seed_system_roles_idempotent(db_session, rbac_org):
+    first = seed_system_workspace_roles(db_session, organization_id=rbac_org.id)
+    second = seed_system_workspace_roles(db_session, organization_id=rbac_org.id)
+    assert set(first.keys()) == {SYSTEM_ROLE_VIEWER, "Editor", SYSTEM_ROLE_ADMIN}
+    assert first[SYSTEM_ROLE_VIEWER].id == second[SYSTEM_ROLE_VIEWER].id
+
+
+def test_resolve_capabilities_org_admin_bypass(db_session, rbac_org, rbac_users, rbac_workspace):
+    principal = Principal(
+        organization_id=rbac_org.id,
+        auth_method=AuthMethod.LOCAL_PASSWORD,
+        user_id=rbac_users["admin"].id,
+    )
+    caps, membership, role = resolve_workspace_capabilities(
+        db_session,
+        principal=principal,
+        workspace_id=rbac_workspace.id,
+        organization_id=rbac_org.id,
+    )
+    assert CALLS_VIEW in caps
+    assert METRICS_VIEW in caps
+    assert membership is None
+    assert role is None
+
+
+def test_resolve_capabilities_non_member_empty(db_session, rbac_org, rbac_users, rbac_workspace):
+    outsider = User(id=uuid4(), email="out@test.local", name="Out")
+    db_session.add(outsider)
+    db_session.add(
+        OrganizationMember(
+            organization_id=rbac_org.id,
+            user_id=outsider.id,
+            role=RoleEnum.READER,
+        )
+    )
+    db_session.commit()
+
+    principal = Principal(
+        organization_id=rbac_org.id,
+        auth_method=AuthMethod.LOCAL_PASSWORD,
+        user_id=outsider.id,
+    )
+    caps, membership, role = resolve_workspace_capabilities(
+        db_session,
+        principal=principal,
+        workspace_id=rbac_workspace.id,
+        organization_id=rbac_org.id,
+    )
+    assert caps == set()
+    assert membership is None
+
+
+def test_list_workspaces_filtered_for_member(db_session, rbac_org, rbac_users, rbac_workspace):
+    app = FastAPI()
+    app.include_router(workspaces.router, prefix="/api/v1")
+
+    def _principal():
+        return Principal(
+            organization_id=rbac_org.id,
+            auth_method=AuthMethod.LOCAL_PASSWORD,
+            user_id=rbac_users["viewer"].id,
+        )
+
+    def _override_db():
+        yield db_session
+
+    app.dependency_overrides[get_db] = _override_db
+    app.dependency_overrides[get_principal] = _principal
+    app.dependency_overrides[get_organization_id] = lambda: rbac_org.id
+
+    with TestClient(app) as client:
+        response = client.get("/api/v1/workspaces")
+    assert response.status_code == 200
+    names = {w["name"] for w in response.json()}
+    assert names == {"Project A"}
+
+
+def test_workspace_members_require_view_capability(
+    db_session, rbac_org, rbac_users, rbac_workspace
+):
+    app = FastAPI()
+    app.include_router(workspace_iam.router, prefix="/api/v1")
+
+    roles = seed_system_workspace_roles(db_session, organization_id=rbac_org.id)
+    ws_b = Workspace(
+        id=uuid4(),
+        organization_id=rbac_org.id,
+        name="Closed",
+        slug="closed",
+        is_default=False,
+    )
+    db_session.add(ws_b)
+    db_session.commit()
+
+    def _principal():
+        return Principal(
+            organization_id=rbac_org.id,
+            auth_method=AuthMethod.LOCAL_PASSWORD,
+            user_id=rbac_users["viewer"].id,
+        )
+
+    def _override_db():
+        yield db_session
+
+    app.dependency_overrides[get_db] = _override_db
+    app.dependency_overrides[get_principal] = _principal
+    app.dependency_overrides[get_organization_id] = lambda: rbac_org.id
+
+    with TestClient(app) as client:
+        ok = client.get(f"/api/v1/workspaces/{rbac_workspace.id}/members")
+        denied = client.get(f"/api/v1/workspaces/{ws_b.id}/members")
+
+    assert ok.status_code == 200
+    assert denied.status_code == 403
+
+    add_workspace_member(
+        db_session,
+        workspace_id=ws_b.id,
+        user_id=rbac_users["viewer"].id,
+        role_id=roles[SYSTEM_ROLE_ADMIN].id,
+    )
+    db_session.commit()
+
+    with TestClient(app) as client:
+        allowed = client.get(f"/api/v1/workspaces/{ws_b.id}/members")
+    assert allowed.status_code == 200
diff --git a/tests/test_api/test_workspaces.py b/tests/test_api/test_workspaces.py
index b72e1d2e..efef7581 100644
--- a/tests/test_api/test_workspaces.py
+++ b/tests/test_api/test_workspaces.py
@@ -18,9 +18,11 @@
     Metric,
     Workspace,
 )
+from app.services.workspace_rbac import seed_system_workspace_roles
 
 
 def test_create_and_list_workspaces(authenticated_client, db_session, org_id):
+    seed_system_workspace_roles(db_session, organization_id=org_id)
     response = authenticated_client.post(
         "/api/v1/workspaces", json={"name": "Project Phoenix"}
     )
@@ -30,11 +32,10 @@ def test_create_and_list_workspaces(authenticated_client, db_session, org_id):
     assert body["slug"] == "project_phoenix"
     assert body["is_default"] is False
     assert body["organization_id"] == str(org_id)
+    assert body.get("capabilities")
 
     listing = authenticated_client.get("/api/v1/workspaces").json()
-    # Default sorts first (is_default DESC), then alphabetical by name.
     names = [w["name"] for w in listing]
-    assert names[0] == "Default"
     assert "Project Phoenix" in names
 
 

From f9b5ab75c1c14a45488d23182a3efbad5e74643f Mon Sep 17 00:00:00 2001
From: Tejas Narayan <stejasnarayan@gmail.com>
Date: Thu, 11 Jun 2026 19:09:42 +0000
Subject: [PATCH 02/12] feat: updating workspaces

---
 frontend/src/components/WorkspaceSwitcher.tsx | 43 ++++++++-----------
 frontend/src/store/workspaceStore.ts          |  6 +++
 2 files changed, 25 insertions(+), 24 deletions(-)

diff --git a/frontend/src/components/WorkspaceSwitcher.tsx b/frontend/src/components/WorkspaceSwitcher.tsx
index 101df386..e242c6cb 100644
--- a/frontend/src/components/WorkspaceSwitcher.tsx
+++ b/frontend/src/components/WorkspaceSwitcher.tsx
@@ -7,11 +7,11 @@ import { useCanWrite } from '../hooks/useRole'
 import { useWorkspaceStore } from '../store/workspaceStore'
 import CreateWorkspaceModal from './CreateWorkspaceModal'
 
-const ACTIVE_WORKSPACE_KEY = 'activeWorkspaceId'
-
 export default function WorkspaceSwitcher() {
   const queryClient = useQueryClient()
   const canWrite = useCanWrite()
+  const activeId = useWorkspaceStore((s) => s.activeWorkspaceId)
+  const switchWorkspace = useWorkspaceStore((s) => s.switchWorkspace)
   const setActiveCapabilities = useWorkspaceStore((s) => s.setActiveCapabilities)
   const [open, setOpen] = useState(false)
   const [showCreateModal, setShowCreateModal] = useState(false)
@@ -26,15 +26,9 @@ export default function WorkspaceSwitcher() {
     staleTime: 60_000,
   })
 
-  const [activeId, setActiveId] = useState<string | null>(() =>
-    typeof window !== 'undefined'
-      ? localStorage.getItem(ACTIVE_WORKSPACE_KEY)
-      : null,
-  )
-
   useEffect(() => {
     if (!workspaces.length) return
-    const stored = localStorage.getItem(ACTIVE_WORKSPACE_KEY)
+    const stored = activeId
     const isValid = stored && workspaces.some((w) => w.id === stored)
     const fallback =
       (isValid ? workspaces.find((w) => w.id === stored) : null) ??
@@ -44,35 +38,36 @@ export default function WorkspaceSwitcher() {
     if (!fallback) return
 
     if (!isValid) {
-      localStorage.setItem(ACTIVE_WORKSPACE_KEY, fallback.id)
-      setActiveId(fallback.id)
+      switchWorkspace(fallback.id, fallback.capabilities ?? [])
       queryClient.invalidateQueries()
-    } else if (stored !== activeId) {
-      setActiveId(stored)
+      return
     }
 
-    setActiveCapabilities(fallback.capabilities ?? [])
-  }, [workspaces, activeId, queryClient, setActiveCapabilities])
+    const current = workspaces.find((w) => w.id === stored)
+    if (!current) return
+
+    const nextCaps = current.capabilities ?? []
+    const { activeCapabilities } = useWorkspaceStore.getState()
+    const capsChanged =
+      nextCaps.length !== activeCapabilities.length ||
+      nextCaps.some((cap, i) => cap !== activeCapabilities[i])
+
+    if (capsChanged) {
+      setActiveCapabilities(nextCaps)
+    }
+  }, [workspaces, activeId, queryClient, switchWorkspace, setActiveCapabilities])
 
   const activeWorkspace = useMemo(
     () => workspaces.find((w) => w.id === activeId) ?? null,
     [workspaces, activeId],
   )
 
-  useEffect(() => {
-    if (activeWorkspace?.capabilities) {
-      setActiveCapabilities(activeWorkspace.capabilities)
-    }
-  }, [activeWorkspace, setActiveCapabilities])
-
   const handleSelect = async (workspace: Workspace) => {
     if (workspace.id === activeId) {
       setOpen(false)
       return
     }
-    localStorage.setItem(ACTIVE_WORKSPACE_KEY, workspace.id)
-    setActiveId(workspace.id)
-    setActiveCapabilities(workspace.capabilities ?? [])
+    switchWorkspace(workspace.id, workspace.capabilities ?? [])
     setOpen(false)
     await queryClient.invalidateQueries()
   }
diff --git a/frontend/src/store/workspaceStore.ts b/frontend/src/store/workspaceStore.ts
index 31329745..e320200a 100644
--- a/frontend/src/store/workspaceStore.ts
+++ b/frontend/src/store/workspaceStore.ts
@@ -7,6 +7,7 @@ interface WorkspaceState {
   activeCapabilities: string[]
   setActiveWorkspaceId: (id: string | null) => void
   setActiveCapabilities: (capabilities: string[]) => void
+  switchWorkspace: (id: string, capabilities?: string[]) => void
   clearActiveWorkspaceId: () => void
 }
 
@@ -35,6 +36,11 @@ export const useWorkspaceStore = create<WorkspaceState>((set) => ({
     set({ activeCapabilities: capabilities })
   },
 
+  switchWorkspace: (id: string, capabilities: string[] = []) => {
+    localStorage.setItem(STORAGE_WORKSPACE_ID, id)
+    set({ activeWorkspaceId: id, activeCapabilities: capabilities })
+  },
+
   clearActiveWorkspaceId: () => {
     localStorage.removeItem(STORAGE_WORKSPACE_ID)
     set({ activeWorkspaceId: null, activeCapabilities: [] })

From f1e7d76442edbfab86ebeb80993a3183670c7062 Mon Sep 17 00:00:00 2001
From: Tejas Narayan <stejasnarayan@gmail.com>
Date: Thu, 11 Jun 2026 19:36:01 +0000
Subject: [PATCH 03/12] feat: adding new models and provider

---
 app/config/models.json                        | 110 ++++++++++++++++++
 app/models/enums.py                           |   1 +
 app/services/ai/llm_service.py                |   4 +
 app/services/judge_alignment/model_catalog.py |   2 +
 frontend/public/fireworks.png                 | Bin 0 -> 8356 bytes
 .../providers/ProviderModelPicker.tsx         |   1 +
 frontend/src/config/providers.ts              |   5 +
 .../src/pages/configurations/Integrations.tsx |   1 +
 frontend/src/types/api.ts                     |   1 +
 .../test_services/test_ai/test_llm_service.py |   5 +
 10 files changed, 130 insertions(+)
 create mode 100644 frontend/public/fireworks.png

diff --git a/app/config/models.json b/app/config/models.json
index 63ae8203..1392b0b8 100644
--- a/app/config/models.json
+++ b/app/config/models.json
@@ -71,6 +71,16 @@
     "provider": "openai",
     "model_type": "llm"
   },
+  "gpt-5.5": {
+    "provider": "openai",
+    "model_type": "llm",
+    "description": "OpenAI flagship — complex reasoning, agentic coding, 1M context"
+  },
+  "gpt-5.5-pro": {
+    "provider": "openai",
+    "model_type": "llm",
+    "description": "Higher-accuracy GPT-5.5 variant with parallel test-time compute"
+  },
   "tts-1": {
     "provider": "openai",
     "model_type": "tts"
@@ -131,6 +141,106 @@
     "provider": "anthropic",
     "model_type": "llm"
   },
+  "claude-opus-4-7": {
+    "provider": "anthropic",
+    "model_type": "llm",
+    "description": "Claude Opus 4.7 — stronger coding, vision, and complex multi-step tasks"
+  },
+  "claude-opus-4-8": {
+    "provider": "anthropic",
+    "model_type": "llm",
+    "description": "Claude Opus 4.8 — most capable Opus-tier model; 1M context, adaptive thinking"
+  },
+  "claude-fable-5": {
+    "provider": "anthropic",
+    "model_type": "llm",
+    "description": "Claude Fable 5 — Anthropic's most capable widely released model for demanding agentic work"
+  },
+  "claude-mythos-5": {
+    "provider": "anthropic",
+    "model_type": "llm",
+    "description": "Claude Mythos 5 — Fable 5 capabilities; limited availability via Project Glasswing"
+  },
+  "grok-4.3": {
+    "provider": "xai",
+    "model_type": "llm",
+    "description": "xAI flagship — low hallucination, agentic tool calling, 1M context"
+  },
+  "grok-build-0.1": {
+    "provider": "xai",
+    "model_type": "llm",
+    "description": "xAI fast coding model trained for agentic coding (early access)"
+  },
+  "grok-4.20-0309-reasoning": {
+    "provider": "xai",
+    "model_type": "llm",
+    "description": "Grok 4.20 reasoning snapshot (Mar 2026)"
+  },
+  "grok-4.20-0309-non-reasoning": {
+    "provider": "xai",
+    "model_type": "llm",
+    "description": "Grok 4.20 non-reasoning snapshot (Mar 2026)"
+  },
+  "grok-4.20-multi-agent-0309": {
+    "provider": "xai",
+    "model_type": "llm",
+    "description": "Grok 4.20 multi-agent snapshot (Mar 2026)"
+  },
+  "deepseek-v4-pro": {
+    "provider": "fireworks",
+    "model_type": "llm",
+    "description": "DeepSeek V4 Pro — frontier MoE reasoning and coding (1M context)"
+  },
+  "deepseek-v4-flash": {
+    "provider": "fireworks",
+    "model_type": "llm",
+    "description": "DeepSeek V4 Flash — fast extraction, classification, and search"
+  },
+  "kimi-k2p6": {
+    "provider": "fireworks",
+    "model_type": "llm",
+    "description": "Kimi K2.6 — native multimodal agentic model for long-horizon coding"
+  },
+  "kimi-k2p5": {
+    "provider": "fireworks",
+    "model_type": "llm",
+    "description": "Kimi K2.5 — unified vision/text agentic model with controllable reasoning"
+  },
+  "glm-5p1": {
+    "provider": "fireworks",
+    "model_type": "llm",
+    "description": "GLM 5.1 — frontier open model for reasoning and agentic workflows"
+  },
+  "minimax-m2p7": {
+    "provider": "fireworks",
+    "model_type": "llm",
+    "description": "MiniMax M2.7 — MoE model for complex agent harnesses and productivity tasks"
+  },
+  "minimax-m2p5": {
+    "provider": "fireworks",
+    "model_type": "llm",
+    "description": "MiniMax M2.5 — fast coding and agentic tool use at low cost"
+  },
+  "qwen3p6-plus": {
+    "provider": "fireworks",
+    "model_type": "llm",
+    "description": "Qwen 3.6 Plus — flagship multimodal model (Fireworks exclusive outside Alibaba)"
+  },
+  "gpt-oss-120b": {
+    "provider": "fireworks",
+    "model_type": "llm",
+    "description": "OpenAI gpt-oss-120b — high-quality open-weight model for general reasoning"
+  },
+  "gpt-oss-20b": {
+    "provider": "fireworks",
+    "model_type": "llm",
+    "description": "OpenAI gpt-oss-20b — fast open-weight model for chat and classification"
+  },
+  "firefunction-v2": {
+    "provider": "fireworks",
+    "model_type": "llm",
+    "description": "FireFunction V2 — Fireworks function-calling optimized model"
+  },
   "google-speech-v2": {
     "provider": "google",
     "model_type": "stt"
diff --git a/app/models/enums.py b/app/models/enums.py
index 096fd298..dba91cf1 100644
--- a/app/models/enums.py
+++ b/app/models/enums.py
@@ -115,6 +115,7 @@ class ModelProvider(str, enum.Enum):
     ANTHROPIC = "anthropic"
     GOOGLE = "google"
     XAI = "xai"
+    FIREWORKS = "fireworks"
     COHERE = "cohere"
     MISTRAL = "mistral"
     META = "meta"
diff --git a/app/services/ai/llm_service.py b/app/services/ai/llm_service.py
index ec40719b..701a6862 100644
--- a/app/services/ai/llm_service.py
+++ b/app/services/ai/llm_service.py
@@ -33,6 +33,8 @@
     "aws": "bedrock",
     "deepseek": "deepseek",
     "groq": "groq",
+    "xai": "xai",
+    "fireworks": "fireworks_ai",
 }
 
 # Matches the model-name half of the Gemini 2.5 family: ``gemini-2.5-pro``,
@@ -162,6 +164,8 @@ def _litellm_model_name(provider: ModelProvider, model: str) -> str:
         """Build the ``provider/model`` string that LiteLLM expects."""
         provider_value = provider.value if hasattr(provider, "value") else str(provider)
         prefix = _LITELLM_PROVIDER_PREFIX.get(provider_value.lower(), provider_value.lower())
+        if provider_value.lower() == "fireworks" and not model.startswith("accounts/"):
+            model = f"accounts/fireworks/models/{model}"
         return f"{prefix}/{model}"
 
     def generate_response(
diff --git a/app/services/judge_alignment/model_catalog.py b/app/services/judge_alignment/model_catalog.py
index 2c847181..e7f4afda 100644
--- a/app/services/judge_alignment/model_catalog.py
+++ b/app/services/judge_alignment/model_catalog.py
@@ -33,6 +33,7 @@
     ModelProvider.ANTHROPIC.value,
     ModelProvider.GOOGLE.value,
     ModelProvider.XAI.value,
+    ModelProvider.FIREWORKS.value,
     ModelProvider.COHERE.value,
     ModelProvider.MISTRAL.value,
     ModelProvider.META.value,
@@ -52,6 +53,7 @@ def _provider_label(provider_value: str) -> str:
         "anthropic": "Anthropic",
         "google": "Google",
         "xai": "xAI",
+        "fireworks": "Fireworks AI",
         "cohere": "Cohere",
         "mistral": "Mistral",
         "meta": "Meta",
diff --git a/frontend/public/fireworks.png b/frontend/public/fireworks.png
new file mode 100644
index 0000000000000000000000000000000000000000..f91b3802a08b837526e4846a10dabb12b897feaa
GIT binary patch
literal 8356
zcmeHt)k9QY)Hdo5>Fx&U21f>INkKY>kdzv_Ll{B<K^j4FfRXNQhL92@B^(;01{q3P
z`aQmX!guvuyccsbv(MRUuXvtktv%5?S}%$4>G83!u!z)DmGrQ%9?<^#;64VviAvas
z!@^>9R#TEUc$>Yq3^PtK>Jt8=tZ?vvJPC{JLl~8MhayuGO)Vea%&V7*HTwIFe#Hx*
z>5;wdxpCP?GSfSLhndro69yCWIny!=%gb8wQjOFVrGj-$3$I^yyx1kG<NNgPg@Woz
zgxPtDHM9frsR;!q?LutNhtBn0-0mj?1)Nx*l1Z_!v~)zUz7pX-#%h)C!NL;fp~d?3
z82b^{(ibbNcMOz-SRUbF53t<+Z_)pY3+mRGty+htQ}43|Lhr8*wh>T}uI=QA*GBy_
zbcv()>ksXc6;^e%nfTQ-_*@!3Pg8>8zTGe^F!s1FF3+8W`qyUid2R0SSqz~vLgnEn
zEAzd0E?i+fUtboAIC@o@YvX!Op$jWw(rPn#yc}#m$-rx24&F;4ixw4D68-jkw1kuz
z8OAbc6jch#;Dv0;fzeBP$M&=_gHLQPk$dB`3VIIST^I}Var-B<0+brGOdgd1sbED;
zG26IlSubID^b^J6_EX)3IA+U{bR3vPwH=6zkQ$#WZXrTj4xe;N6`oR4^Op%8-7Bo_
znk%ayduh0kol>3EU7LyP@WrZE6}Ryscph?eNSIG()1*!#I)sOmHow#-w2pAk4qX{#
z#o@`b>aAS4yFuWx5ievj?$;ydH7I2RP29Zlmkd<k-W@F%xru-age{2b$BQ1NclJhS
z_a$Q@d<2I?x9{pRd8D~GZ>A^c`v0S6at<9~#i9MTC_F)|M&zUJKhIeuQGg{D?D!o)
zlAZC$O6Cz>FvSBwN{#=X^BZfm-heStTlHdSPPJpTGM8d<qqKz}{x=@Z?emZ`NqF=-
zY)XxYxi|c#1FT%4fWsa<mdHnn?WBeljd@(Vt}^>ohenMleSL_}r2sfNux0g}$aOqE
z>zc(L^y%%?XY2sJvNv3=<GR}n_XnprjSZRj#(;TA1)c7CmV1y_M8yJ4^ZoWuJT*Rs
z9+N#5O{m$c2%P}Vpa3kYX}2sC%1DYn(v}%{@=`#&RK0AXomc{O7e(rDXagdv4GW8A
zRrs>Jvg2A9@<&KnVxx=Wvd{&rf8?va&VLW`SyzU8tIXX!29CiA9HY)hnx2nV*e=dC
z+wU?sPGwz%SIsaX(NgVp<<qo3W|w*vdFE35Fil5<>>GOd8WPp=hTByuvVD`Sh(jWO
z_L{CrC|4VoP7!_rxxiS~W#Squ_9%TR&NZ5yvhN?TUwK=Amd6Yp1Po6K!Lq@9`z^tf
zn`SK^0Qb=2b3M%Qa<6N>ZMI*?=52?}@S~5Ci+P4b`3TBZvt$>p?PsdcG@8K9LpxGC
z((J~i2vvw0kwkIpU`az}jG+F_FoIlRrcuJR_u$?NME2)hShNmuqAEyK^&=e2Z6dnQ
z2BxShh#&hng33VTjqRL*UuT&!B-Ur*zXklw!}enZN`)ykvK;|zQ{vZ5d;_9lD1ZzM
zM3C~jY6V}MkX@6JUgcRmnR~N+B?tQWN&A&Cm9F#j3grduS(T&0$L@JZQ>;9(M?_e(
z)oOdQi|3UVQ^A<1=v!1o>N7ie6z=7wM5DwYtirG%6Zb6;JrTAa%r2gt7f)Ta2-(;N
zozho&?D-@!F?yhIT4;gIzB8fMI}i|*#pTQXc2>5BuHz06(O4E2Cvm5PlH3AFX~Vyw
zb>VuLt0SWL^`BK!_O{N$%xUW6&s@0Zv(5Hnl=;fo62aT=Y{uw;jCSYAVEbiiL=+2^
zp`=(x5bg@@{&VzV#q;12;zm3~$dLV$UqslT|FS(?rPuL%^xfY}g5xTd?aFC1C%+}+
zTa=*Txw9zz_vcvfvUlPbDA^0fWZI(8!g>!j%}9lO2Eo6JEzPitoHye0Up1y{?y4-n
zZhV@N+&_Y^9xaC9%xhwItP$FObnvRYR!<_utS;%38{WEuDTuOFvV`pFN@pDX_qo6n
z?~Q>2MF1J>>{EGb*(i}Ur>mTaQBIlH5EI#GOq3p8cWJAGGP!Azi0WF3&^t<=IXQk>
z&p08XUK~vp&AL_&{v%{*Dc@=H)#QzKJfxP<7DV=uvz$OhNG(YijB;nFFqh<CYN-8z
zUWQdKFV@C`xy>O4z4rOe3@rB})(WbCtK|nrW;m&MkI9GA$2Ed715?`aSj!3Q3%w2q
zQ)fJ`eQvuuQ=cGm$qoXH9XuiT03NbU+G)kXVglhw?^PkAg(0=$`z=h4evsf%`}{uu
zybF)b8db6sw1t|qLdg^jXh#43O}!64t%*(6b6V0z6qsKXcuXkmCfSTJ$SX)XdV8%i
zUv`=$fAv+<>=Y1}Fx6KHo-L_^E+ghNC@li;wz`LBAvbbU_x?}ijF8rzt<ZHrCxUOR
zh}<^@)Z^X1SU9N?jPEVd7NiR&Y&#wx58vH#V(jqAw~8~>j=vkU#Mf|Y8y!irMYQ+R
zGwp%_atJ#1*^(QXHM+U$Wuh$pZP-b>Qua4?AuKcF&*=mnTe>X0dxmrAO;DvD@7V@s
z&1dfNwOvwDL!$)62EuIIK7Yi~1~diWBtR~&mwiJ?AMVSz6yqm$L>$Aq<h<LGz<x7x
zbqhsgZR@Q3x+Ws8)asv_+T7)J<`OliRIVoHXXFYU8;|;&i8YB|80yt1!^?yOQL57$
z^BTT&0Om{NQE(2^t~FFcg|B-UUln79Y0$g;A%EIUBFmqzx1{HhrDB6rU}FRhkpYqZ
z7xqBXk~(sr6VAK7TZ{5-%tSygKtpXB09A=D#1Xsq5ySltJ;4;w?oJ8;o?X@J<qW-c
zj>944pE)Y};jhd93-u{-ueX}IR5-=rvZ1BbOdzG2@7X?`$dMf><zVU*hVEm#RF2G@
z<SY{>?;hMsTMW~quD!eEq+n-BZKJye_!*U$XoT4=p)SmMYJo<HUfoC6NCY4e69Dm-
zu)3vvoAbPCbWM^*0tAG*>T8NE;`mOZpPIttrf*Y#SZISjdS;U~hYqv8^a0`xga&f6
z_@Z0Z)TYab0WN>-`Sgjhc~9K5kfl$~YO*AE+wr6LXXX=*9Bx^GC|5jkuVgT{5i$r5
z9^Hi$bJh3^Kgb`GSTQ}TS$UTeXoOw2wKKfEx!aBW0+X3-jsu{MtZtpv88DF!lZ>!9
zyeKV<oQ#b>BLXZ|JlL3$AEd`Piw3qi)>)*%N3C-O;xh;Idvnf~sqP0@Um9HEZ8e<u
zQbEEmSK#Z+*L2qa-IwFr2QBHxu3Li!NzgDwPW@y()4ttmd||<ACyWseE}LjTJ3iO!
zgZdftO9v1jbV!g_S)~)B{XPxV9jw}xb>XD>45Jr`N!qy-@ief4a;svDp>EZ)nq+zn
zz_RO<%@nUW&4F}CZO|mZa29KVKtkc|r*yV0P&H6&abZe|NS>oQ6yR*d8fW>Y#TY)n
zDYV8<85&=xsII=qKe1skIIzr8m`wkarWo~;^E-FE9f&Rzk!^bUUpVd0h`-!rcVXMR
zBW1C9(~Ez<tIZ;*7Z~eo%f<+{>B{A7>lg=&_v@WkZW*2Oi><sGM>0BR^OAn+sp~nl
zI27(EuD_A47(8xTbYE15gJj(Xd@Z}LEYbqMYfxi{wr)3VJAnF=iv@-d&ZR+#q)(uq
zN|Js*<?fe(j6UJlQ&R5X;rx!LV#hYk{RE<?cy4WT3;U-)1iS+zW*QF4NqmSR^qexX
zion|RqZbL2vM+AG=5qhI9ebaf9@TF;?HCgV2dort7-yon7;5OSRG`u~po}ARXz>qZ
zU@+b;FO1~n<ZWVcEZk8+%~y&^psLsj&$Y8i?`M2#kX|8bqljtd>n}EA6^(S(L-DYn
z@8*uah^TQN6R7{WSnw~Rx!_9gK2AP-uFXfL-_3JYzD<~HM`~TuFzouPTnV}W>?RFl
zn{cB<*)W~=^k?i@Uv4+A-f}3NS@<6oziMcm41rObCqK3JbobD@So}!PhS|Na)Z$1!
zhG@5xm$u~4b}_B_(mNn^^wM;WtdpSc!L@qLW4xWBxKA1DhJ<g4Xo@&YBxFN4&tNa1
zA7o5(x>EcW7;^zhrSGo(8mY@RNrW*x{pl0PaPeA_nfd7~;xV5SK3Cyv=)%$as=^tH
z-?C$p*I~fBulsApkQXi$Iv298<2;Z_a^S__q#C9wAtAhAf_+gENsD5OjmVN`$~{WV
zvt~n=UU)h0PlkwFO8ID~Lb+^~?fE-XdfbmkB3>196g5jGPuK!VvrKz+i`@J?J_`q@
zab^qP?z6x_x9+MuKsIu^5(_&Hhv5-SW4iQIeMV~rK8&|kydIqJxYBBF7*F^QsKUbg
zwT4>=R6}3-{eeAdp08}}ob$GZO6MMhUW=>k6jH@Kd#DLYv1ms(VRZ@^<y7$&ggmbV
z2;%hup#@M;i`2!aV8*^RXwgq|qmzSqQ+(rXmE=+Z+No}y>B*|*sdZMiQGZc`S410!
z8fC$j?3&tdax_O6YOhHaEU(1EOXC35a`&@~Roh6n$4X7ZvcSe%$zo|N9@b%1op;<v
z`xyDe3=^kg)Yj&T$^kItYTS|opbNHD^XH9>D=vcB`*=Prwd01bh$v$9n^8dPF=Y&$
zzFN3ku#|a!00?<Nwys<&-fJ<yKRFms>&RVub+kD7avX@|0J<-yIMkCpR_uc?)s?Y<
zbAe@&GtWm%7~8FO8}rJ~x*P7i)z6hcjTd*Aus=COIr&@aUrV?v3c6~=Sfk0Sp54a8
z>c$&VP3Wl+vGbC!G1hkX+kzz0faGZNFZ#K!qw2$M3<U~dx216mu}d_^ew9GS52y*Y
zvFdn)OH1l<&xXdgQi1Glk*$J@raC&ZGtV7{?Lf>$n1P<+x6KF$fA#61TMTTErty;7
z?C0TJ2P|{-sNho-cp?Mf3cNGI-91D9WfX}ECjsoXgsHNDooc#>oPF89J5z7>{6uoU
z%87|Z_gZKfakpRHI;Yz*Y5O1EPDm3cI^Xof#OdU;Epk|<@#N>i=!teKxZc<;ELz|!
zdB>XwLTz|RZLa!fQFh6L&knr1q$(~jZq)^)63{#}A>a;pxV&0FuJsvSoEaY_8(Rp<
z?31a{b#I|p{ODHcx05J*0}W_D=63X!>Wn9XM(ocx<2U4|Z`m))u1_3#@TETzb5-^S
zFatjl(vx)O{8V$%rHE5rA;Z#`Fm?2y;ux&b8>eFBE{G@=>5#H<zjKIPkiNymJ*+u%
z&6MNkel551Zdn`Nr%-A(tO8~R{5&d0-FDlo2!DOT<^T4A1fHl&L+^*Jcr{^59PH(0
zSI7Nhc}!Bu;3<K=Y@ni$npKFiw+O9ZnMv_yj?jzyiPqMw8F&+LDkh@ypJa6$_P^u2
z<zH!zQGs^~(C3Tv&I>UIK3Cc}CQuTpzIrRw`>^>%FhVdJ_$}iQX=6YoTiZWZtIhx?
zJD<fTmPB>*|8mg;17wMeTI2dAcS*RfAy|z$J9q(`3;jJsiQT3iM+Doj29?d$wHZXU
ztep*mHn?+74p{WmL+imV1YDch{`ZrbRRI*sAq*!-b<es?idZ7CLjdm|1(rn70I)T2
zv{Jr0jgABMPO9M#eb?g_zgg=obG9JXIKCQlX8<V0`f<N2EeI-GFz`7!;*e~yR)}`$
zKCG~!xXM8`F?n)C^TPnIX$w#?y;q)P-|N!8H%M-5APOyr^9N_^C-{ud8#17^r}ay^
z+wRJs`_-bp#o7RU=apcd^pL(TzzLb7Yk-L@WW>U%T*I2)_VLCnsN2*k<`J^=Rh3TG
zbcOtakb6vFMdZk9zDGsrTg5abF3V#(qg&qDZDs=2tN7HWmOs`Us4#vBKoNaXd!{ja
z{V{fo(cOSD!TD@v|Igz+=Ct`oRII^wljWCd7UW->J3IG`{-J=~XpgEsWn7j`=>k0s
zTr|?x59ktik*Gy9?t4FUcVT4xo3k&=F93h-0342l==C|E<^lF_g;Z^91Br(VfbaPa
z2l&^Gs$cIVS4^AyUc%^NnMkWmv+AujduQ5%MHzE{_+Gmbr9!_=04h`Wc75II7yA@v
z;BATaY$Mg!#eeOt|BDR)cHa~a2M6r?>&CmNfd+4uZ|1gSZm{#kmo8-3fa%JtrtpYn
zF0^!|x5CT`$RnjTGdg@U{&>JesO!#Ow?t>*U6;-!gZi&J6lpA{=#}AN561M<L)2eG
zBg>TE!hb&u7rEGOY~x3}J=t|>Sw+>CiPikd_Ln>1l+VY;N8<o})Dp6$V*L(4+EAWT
zujzbKa?8tbvt(9`VcuZi>dm{stLKkAdm(~>Z6Aj1<X??ZE8w0GwC4f*vO`=#Lxb~(
zCZMJlQy0X<u{oz|x0Yy<UMDZ=Y9Hj1Rz2V3NiechafBn&zv~|)^-88jqtYh%4#_Vl
zwRqUMZaUvVn~LqI9O*9`9Xm!lW3gql0hEh)6MC%qIw998hsjk(WY!8m4Gz_FTF3`~
zGKJ3q{{Yp|F{XEv+W*Wj^auMeOoDjzsHWi=T7kL6F?0xOJ|XCQaUdmtI#S`o*FzT>
zxEreJw|-XFG}Vn>_CKZE-E)Wtqr<8goYKH86XzpfvCd%<9?5pm(a@G#U-~1oyT^Zo
zZQj2nHJx3>3p0+}Xu|hB+&>7)SBSIubeE`%CkH;bR-i8!waeK*U+h|*$x3&>V6qE&
z#QHkV>hTbtah6)r9=IHz#WolwCkyuW`mKRht$EHl{d3kwPZ-1*HU8x}OSvn&>eQ{J
zTl4cS<tsI>rH;>-?y{mXePd|Ua1l^pUCaKIG(I(t@X?alaw!tl2Gl}ta+oAjfSH@`
z*b~98GkfI=z?TULv17J(eX3WXtgeTM9PgJ=ExDH?g+}>6hwxA2?AS_xB>EA-*Q2d?
ze~o=^0e61qGbY9k-^|d3Jm-!i#U9yHYIAJ2u#b@woH;nfky%;=yLm!P36FQ~-kPBI
z1-zF-7R47AM-CiM_UyYX|E5L^7jZN-t8kBG_ORXgR8{%BA49qucT>q2^JK`^1`6Qd
zv1zK<tp)#YcGL03><qJy6D=9RPH<#$**h6zeXbWtprz`sOqO_ePr+`mT@4gr$zdT6
z3+LzL&CP*tSId$n#3zX`x9)w7v3Ut`1hrp`7d3Ufj!3vIl|YnQQV;-`)D#LCLf=Vg
z;1biNJTr~070MDRjzG|7mQ2qAV~(i{US~PcYp5jFY|Y7EXF>gZWepEV0<Y$@1KLiY
zLZMrybwlTG1|JcOe=#flWzO*mklE@00NsNVsV22r%Pp6G9?fl7cjdr~1zL|D`|c!8
zr+U-;-YTY>H7+>+i)VC}YcnpsDlItUcJX*`v?cPA4QLhfT{iP34D|XqQ1iJj{QH`l
zr^taM8<vCt18I?@A~4OEm_b)xf$c(sjJs=-V4w)2Iu?-sysx6yP)Y&S3f!QgsE}&x
z?y&_v<90kY!LjP{VCxB`yQ8|_uC9ALnBY3$t<xMyz;JE+%7?=ruqg@I0mHY)=<7l#
z5|elSfIGS_UDo<m-UZLqfPfU>PAx>a(Xt`TdL@yAv&UOFuAC=8_mc0$e&z91j8+8z
z5thSaaBxPI=;~nLE<w{XU%f2r_QP85KB2TW#dy7B0TY+XdsXg{Hz8<pj{euKom=Mz
zU0l*igQWP8dDUIT(|N05z(kM5Hm53ntb^TL_qWs%a?J)cuP9$?_DawBK0jrPvSIxE
zzxM7GFTXoirWN7J%7!Q@N<y3Mj_X9<0Qk9`<7li6?ICMfs@;k_u7op{z?pzI`|>3y
zoi9gV8%KPj<k#F3_@208us2B4{zZ?+Bv42Hgt6pnF$AExRqWo7;gLuEw7HD4b1Re#
zMc1nV_I81+lSrXJcJ?@4fOVO18549wvgf1`Vtkz6g~F|0lWjPZ=|WoHkxl^{BA$*X
z@Bje}iLMJlYNhpEb+292JY5P@nY-lNb@_`!N%+z=cNu0Y>ZuiOy}*d_-<$gUp(Ta&
z$XI65^l6bJa#iD(j*z@UpueBAhkr%w2?1)}Llk)G?n_j*m;0rG@JPJcXE?rz{U9m1
zGmyOlq+T7s%*QH|2@lO-RLxwLb<4B6q|>%nn>yy`+1UX11)C9LvxiOho+s*WPTQ>8
zW@1-10Ig)G&s0-D12A^7&0!Myr;)x5*4!}tdvwNEz%;1xLX%+ErS++_19!f}clUem
z=Hk7UO7EO5{lUB4)87n0^Aj#Fd;1L;4?B-&PqA}LBF$Tn+^~m3582Y%Jba&rlj$}%
zZwPgcZqANqHdxc9A<dGLXeD*)@zZLI?IP9HhEXj*hX0qAnddbh)chv_JmF^cgNn|N
zigZ5Vyq*SVDG<;c=NQu?epIIQh@Nm}aXQ@Ca^`G*KPd1Mq;~I3Ho>EJVR+%e%iSSs
zamWJ_0T95htpZJ#F9kpY;Me9}Bpa%h!Ttl<#Ls~#J+L|=QT5F)lEAQ+f#NOzTI&P4
z=Y&p$Kg%2vYLmfT9uSEkiXas%cz!Q`t!{_#m23H=%S`xi+^W|BK-l#7gr*9UEj#DY
zhRx*vieoLKIW={Y6mZq-DE$u#672j#7tThL1Q#9NhvBiie?7P@Jc))TUKm!}QD)|H
zAc80g1a!*^BTea)FIyIe52V+ZYBP12b^gufnf5QFJ-^;fO~<XD#(DLBTR+S{-0<eN
z7e|(#KOK7bIHPM{iWCTurP=X~rseOJamd}C)P3mc3F1EM5L;-uunSU3AtX^*a__da
z8ZZ&Mx|&Gl-6I+n@mKiLn-#roW9Fx!Fr+-V_Xqs82Kv5K#(biqGKuTkwnKV!vziIV
zcT@(2W0#!j$Ka?cmp2U+F@X}X9G4tz3i-&|Ki0yRCT+hb<P{1<X=+9U+I(`*zqXKJ
zd_tEJNtVX-(N9y%cs08`9`m-{(56>Q`K*ar4`CxM8u5KCBQ^wsbP2e`501iu%m-Ko
zq`3&`3{1DbktU1G>PS@5Y_`(_GUD{A?6bV!Z!N`{MAe=0Cujmud7tMirgkJ3gp(Sa
zVw+j(hJWUQ*UFXnX@P-HV0gR1=i8*Hw!C&exPufqp^?oql9;<A)5fsO>{^V8w0~dv
zqPtYk_@W5M#nBGNxu4);b`c+RblgBViw7;L%u5TjkFGJ6m)@cYV%bgjX~G>3q<%KV
zc>rrM91&JMu3a29&n|?i&fZxw+7>z;EQ?0OQEnLbnRvVZbnlgU6z`tBI~xUybV#q}
zYuDyg(<0q{n@>4Pgqgy&W`sWXzIH_bfy?TX!HL(e&JypHQEb##^>GA-znKG)%okw*
z?@|P~kdx3{Pu)G4PUr5+n{PU@Dru>cT=G^zM&oJUYq6=3+6nR;V5gK+ynUcecmiPc
zg7?tTV7bRcPgv2$BzJg(PXsK12P(q1y(0AOee23kwPfvAZDKpxySQvlxr21$KpTy^
zm{<|D#BG%7l_4PLyqorGQ`*+j)qr;O(BFh}sI2&RT(}+_I(y1A(3Y6H*>|3@nYkDZ
z9&eckYnJrN;HbkS5rJE8-KkEBl-F3E{w%sE8Y*FU%M#_>V_T~J$BKy?peFxdqk#gT
zi8KZFAdy-a3GwcQ+|GJTkX2dZPHL&Xy%Jp+Tr(5_I=sEsxzVzY<0y%>lj?2ezrA-i
z&TGsOCFV?tf-)<n15UgItxC<`Zk&M`<L-ck+pHA;XKp%bM0CJ272Ye6n4D%<EO3Pp
zb@Om_cAcR82H-S7nXa@*4d0zA(TM&iSTPU9?kVCDg}#hiT;&vkikM(HC8E8iU8U=z
zDzw~f`f|rhwq0Fvy!<N$pBk)+(|-o!#9`M0IjDTH&hKZ@h&5IYym5qOJ#%8~ln0n;
zY5;Rm1kT^B`Ukmc-=pUD4-x=7n1KG*QYu)GfkaCD*$3DcRZ+IPbb<{V_w2MPQ5vAa
zdDE*qAI?I7Qo8Xpg4ncfV_~%l_5HisR*L+;YvcbvZqCu&kFc=r?}-oVha~7;nF0Sk
Oz*1AzQmR(43i}`3qUz27

literal 0
HcmV?d00001

diff --git a/frontend/src/components/providers/ProviderModelPicker.tsx b/frontend/src/components/providers/ProviderModelPicker.tsx
index d07dc12d..1ab75664 100644
--- a/frontend/src/components/providers/ProviderModelPicker.tsx
+++ b/frontend/src/components/providers/ProviderModelPicker.tsx
@@ -35,6 +35,7 @@ const PROVIDER_LABELS: Record<string, string> = {
   anthropic: 'Anthropic',
   openrouter: 'OpenRouter',
   xai: 'xAI',
+  fireworks: 'Fireworks AI',
   google: 'Google',
   cohere: 'Cohere',
   mistral: 'Mistral',
diff --git a/frontend/src/config/providers.ts b/frontend/src/config/providers.ts
index 58e2211c..6f948b80 100644
--- a/frontend/src/config/providers.ts
+++ b/frontend/src/config/providers.ts
@@ -32,6 +32,11 @@ export const MODEL_PROVIDER_CONFIG: Record<ModelProvider, ProviderMetadata> = {
     logo: '/xai.svg',
     description: 'Grok models via xAI',
   },
+  [ModelProvider.FIREWORKS]: {
+    label: 'Fireworks AI',
+    logo: '/fireworks.png',
+    description: 'Hosted open-source LLMs via Fireworks',
+  },
   [ModelProvider.COHERE]: {
     label: 'Cohere',
     logo: '/cohere.svg',
diff --git a/frontend/src/pages/configurations/Integrations.tsx b/frontend/src/pages/configurations/Integrations.tsx
index ab22db81..bec11b6a 100644
--- a/frontend/src/pages/configurations/Integrations.tsx
+++ b/frontend/src/pages/configurations/Integrations.tsx
@@ -24,6 +24,7 @@ const AI_INTEGRATION_PROVIDERS: ModelProvider[] = [
   ModelProvider.ANTHROPIC,
   ModelProvider.GOOGLE,
   ModelProvider.XAI,
+  ModelProvider.FIREWORKS,
   ModelProvider.COHERE,
   ModelProvider.MISTRAL,
   ModelProvider.META,
diff --git a/frontend/src/types/api.ts b/frontend/src/types/api.ts
index 9e4d9b4d..5e7fdb6a 100644
--- a/frontend/src/types/api.ts
+++ b/frontend/src/types/api.ts
@@ -213,6 +213,7 @@ export enum ModelProvider {
   ANTHROPIC = 'anthropic',
   GOOGLE = 'google',
   XAI = 'xai',
+  FIREWORKS = 'fireworks',
   COHERE = 'cohere',
   MISTRAL = 'mistral',
   META = 'meta',
diff --git a/tests/test_services/test_ai/test_llm_service.py b/tests/test_services/test_ai/test_llm_service.py
index a6352728..580bd2ad 100644
--- a/tests/test_services/test_ai/test_llm_service.py
+++ b/tests/test_services/test_ai/test_llm_service.py
@@ -16,6 +16,11 @@ def test_litellm_model_name_maps_known_provider_prefixes():
     assert LLMService._litellm_model_name(ModelProvider.OPENAI, "gpt-4o") == "openai/gpt-4o"
     assert LLMService._litellm_model_name(ModelProvider.GOOGLE, "gemini-1.5-pro") == "gemini/gemini-1.5-pro"
     assert LLMService._litellm_model_name(ModelProvider.AWS, "claude") == "bedrock/claude"
+    assert LLMService._litellm_model_name(ModelProvider.XAI, "grok-4.3") == "xai/grok-4.3"
+    assert (
+        LLMService._litellm_model_name(ModelProvider.FIREWORKS, "deepseek-v4-pro")
+        == "fireworks_ai/accounts/fireworks/models/deepseek-v4-pro"
+    )
 
 
 def test_generate_response_raises_when_provider_not_configured(monkeypatch):

From 8950dcbb1dda6c21b265ecc5fb15453f231ce5ab Mon Sep 17 00:00:00 2001
From: Tejas Narayan <stejasnarayan@gmail.com>
Date: Thu, 11 Jun 2026 19:44:40 +0000
Subject: [PATCH 04/12] fix: updating workspace members

---
 frontend/src/App.tsx                          |   6 +-
 frontend/src/components/Layout.tsx            |   1 -
 .../src/components/WorkspaceRolesSection.tsx  |   2 +-
 .../iam/WorkspaceMembersSection.tsx           | 316 ++++++++++++++++++
 frontend/src/pages/iam/IAM.tsx                |  71 +++-
 .../src/pages/workspace/WorkspaceMembers.tsx  | 225 -------------
 6 files changed, 386 insertions(+), 235 deletions(-)
 create mode 100644 frontend/src/components/iam/WorkspaceMembersSection.tsx
 delete mode 100644 frontend/src/pages/workspace/WorkspaceMembers.tsx

diff --git a/frontend/src/App.tsx b/frontend/src/App.tsx
index 37aa34e3..be5947b7 100644
--- a/frontend/src/App.tsx
+++ b/frontend/src/App.tsx
@@ -64,7 +64,6 @@ import CronJobs from './pages/configurations/CronJobs'
 
 // IAM
 import IAM from './pages/iam/IAM'
-import WorkspaceMembers from './pages/workspace/WorkspaceMembers'
 
 // Profile
 import Profile from './pages/profile/Profile'
@@ -164,7 +163,10 @@ function App() {
           <Route path="observability/calls" element={<ObservabilityCalls />} />
           <Route path="observability/calls/:callShortId" element={<ObservabilityCallDetail />} />
           <Route path="iam" element={<IAM />} />
-          <Route path="workspace-members" element={<WorkspaceMembers />} />
+          <Route
+            path="workspace-members"
+            element={<Navigate to="/iam?tab=workspace-members" replace />}
+          />
           <Route path="profile" element={<Profile />} />
           <Route path="settings" element={<Settings />} />
           <Route path="alerts" element={<Alerts />} />
diff --git a/frontend/src/components/Layout.tsx b/frontend/src/components/Layout.tsx
index 5a57dc9e..d4513f74 100644
--- a/frontend/src/components/Layout.tsx
+++ b/frontend/src/components/Layout.tsx
@@ -114,7 +114,6 @@ const navigationSections: NavSection[] = [
       { name: 'VoiceBundle', href: '/voicebundles', icon: Mic },
       { name: 'Integrations', href: '/integrations', icon: Plug },
       { name: 'API Keys', href: '/settings', icon: Key },
-      { name: 'Workspace Members', href: '/workspace-members', icon: Users },
       { name: 'Cron Jobs', href: '/cron-jobs', icon: Clock },
     ],
   },
diff --git a/frontend/src/components/WorkspaceRolesSection.tsx b/frontend/src/components/WorkspaceRolesSection.tsx
index 03a57e63..25429236 100644
--- a/frontend/src/components/WorkspaceRolesSection.tsx
+++ b/frontend/src/components/WorkspaceRolesSection.tsx
@@ -74,7 +74,7 @@ export default function WorkspaceRolesSection() {
   )
 
   return (
-    <div className="mt-10 border-t border-gray-200 pt-8">
+    <div>
       <ToastContainer />
       <div className="flex items-center justify-between mb-4">
         <div>
diff --git a/frontend/src/components/iam/WorkspaceMembersSection.tsx b/frontend/src/components/iam/WorkspaceMembersSection.tsx
new file mode 100644
index 00000000..cfc58e60
--- /dev/null
+++ b/frontend/src/components/iam/WorkspaceMembersSection.tsx
@@ -0,0 +1,316 @@
+import { useEffect, useMemo, useState } from 'react'
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
+import { ChevronDown, FolderKanban, Trash2, UserPlus, Users } from 'lucide-react'
+import { apiClient } from '../../lib/api'
+import { useWorkspaceStore } from '../../store/workspaceStore'
+import Button from '../Button'
+import { useToast } from '../../hooks/useToast'
+
+function workspaceCaps(caps: string[] | undefined) {
+  const list = caps ?? []
+  return {
+    canViewMembers: list.includes('workspace.members.view'),
+    canManageMembers: list.includes('workspace.members.manage'),
+  }
+}
+
+export default function WorkspaceMembersSection() {
+  const queryClient = useQueryClient()
+  const { showToast, ToastContainer } = useToast()
+  const activeWorkspaceId = useWorkspaceStore((s) => s.activeWorkspaceId)
+  const [selectedWorkspaceId, setSelectedWorkspaceId] = useState<string | null>(null)
+  const [showAdd, setShowAdd] = useState(false)
+  const [selectedUserId, setSelectedUserId] = useState('')
+  const [selectedRoleId, setSelectedRoleId] = useState('')
+
+  const { data: workspaces = [], isLoading: workspacesLoading } = useQuery({
+    queryKey: ['workspaces'],
+    queryFn: () => apiClient.listWorkspaces(),
+  })
+
+  useEffect(() => {
+    if (!workspaces.length) return
+    const stillValid =
+      selectedWorkspaceId && workspaces.some((w) => w.id === selectedWorkspaceId)
+    if (stillValid) return
+
+    const fallback =
+      workspaces.find((w) => w.id === activeWorkspaceId) ?? workspaces[0]
+    setSelectedWorkspaceId(fallback.id)
+  }, [workspaces, activeWorkspaceId, selectedWorkspaceId])
+
+  const selectedWorkspace = useMemo(
+    () => workspaces.find((w) => w.id === selectedWorkspaceId) ?? null,
+    [workspaces, selectedWorkspaceId],
+  )
+
+  const { canViewMembers, canManageMembers } = workspaceCaps(
+    selectedWorkspace?.capabilities,
+  )
+
+  const { data: members = [], isLoading: membersLoading } = useQuery({
+    queryKey: ['workspace-members', selectedWorkspaceId],
+    queryFn: () => apiClient.listWorkspaceMembers(selectedWorkspaceId!),
+    enabled: Boolean(selectedWorkspaceId) && canViewMembers,
+  })
+
+  const { data: orgUsers = [] } = useQuery({
+    queryKey: ['iam', 'users'],
+    queryFn: () => apiClient.listOrganizationUsers(),
+    enabled: canManageMembers,
+  })
+
+  const { data: roles = [] } = useQuery({
+    queryKey: ['workspace-roles'],
+    queryFn: () => apiClient.listWorkspaceRoles(),
+    enabled: canViewMembers,
+  })
+
+  const addMutation = useMutation({
+    mutationFn: () =>
+      apiClient.addWorkspaceMember(selectedWorkspaceId!, {
+        user_id: selectedUserId,
+        role_id: selectedRoleId,
+      }),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ['workspace-members'] })
+      setShowAdd(false)
+      setSelectedUserId('')
+      setSelectedRoleId('')
+      showToast('Member added', 'success')
+    },
+    onError: (error: any) => {
+      showToast(error.response?.data?.detail || 'Failed to add member', 'error')
+    },
+  })
+
+  const updateMutation = useMutation({
+    mutationFn: ({ userId, roleId }: { userId: string; roleId: string }) =>
+      apiClient.updateWorkspaceMember(selectedWorkspaceId!, userId, {
+        role_id: roleId,
+      }),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ['workspace-members'] })
+      showToast('Role updated', 'success')
+    },
+  })
+
+  const removeMutation = useMutation({
+    mutationFn: (userId: string) =>
+      apiClient.removeWorkspaceMember(selectedWorkspaceId!, userId),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ['workspace-members'] })
+      showToast('Member removed', 'success')
+    },
+  })
+
+  const memberUserIds = new Set(members.map((m) => m.user_id))
+  const availableUsers = orgUsers.filter((u) => !memberUserIds.has(u.user_id))
+
+  return (
+    <div className="bg-white shadow rounded-lg">
+      <ToastContainer />
+      <div className="px-6 py-4 border-b border-gray-200 flex flex-col gap-4 sm:flex-row sm:items-center sm:justify-between">
+        <div>
+          <h2 className="text-lg font-semibold text-gray-900 flex items-center gap-2">
+            <Users className="h-5 w-5" />
+            Workspace Members
+          </h2>
+          <p className="text-sm text-gray-500 mt-1">
+            Choose a workspace to view members and assign workspace roles.
+          </p>
+        </div>
+        {canManageMembers && (
+          <Button onClick={() => setShowAdd((v) => !v)}>
+            <UserPlus className="h-4 w-4 mr-2" />
+            Add member
+          </Button>
+        )}
+      </div>
+
+      <div className="p-6 space-y-6">
+        <div>
+          <label
+            htmlFor="iam-workspace-select"
+            className="block text-xs font-medium text-gray-500 uppercase tracking-wide mb-2"
+          >
+            Workspace
+          </label>
+          <div className="relative max-w-md">
+            <FolderKanban className="absolute left-3 top-1/2 -translate-y-1/2 h-4 w-4 text-gray-400 pointer-events-none" />
+            <select
+              id="iam-workspace-select"
+              value={selectedWorkspaceId ?? ''}
+              onChange={(e) => {
+                setSelectedWorkspaceId(e.target.value)
+                setShowAdd(false)
+              }}
+              disabled={workspacesLoading || workspaces.length === 0}
+              className="w-full appearance-none pl-10 pr-10 py-2.5 border border-gray-300 rounded-lg text-sm bg-white focus:outline-none focus:ring-2 focus:ring-primary-500 focus:border-transparent disabled:bg-gray-50 disabled:text-gray-500"
+            >
+              {workspaces.length === 0 && (
+                <option value="">No workspaces available</option>
+              )}
+              {workspaces.map((ws) => (
+                <option key={ws.id} value={ws.id}>
+                  {ws.name}
+                  {ws.is_default ? ' (default)' : ''}
+                  {ws.role_name ? ` · your role: ${ws.role_name}` : ''}
+                </option>
+              ))}
+            </select>
+            <ChevronDown className="absolute right-3 top-1/2 -translate-y-1/2 h-4 w-4 text-gray-400 pointer-events-none" />
+          </div>
+          {selectedWorkspace && (
+            <p className="mt-2 text-xs text-gray-500">
+              Slug: <span className="font-mono">{selectedWorkspace.slug}</span>
+              {selectedWorkspace.role_name && (
+                <>
+                  {' '}
+                  · Your role:{' '}
+                  <span className="font-medium text-gray-700">
+                    {selectedWorkspace.role_name}
+                  </span>
+                </>
+              )}
+            </p>
+          )}
+        </div>
+
+        {!selectedWorkspaceId ? (
+          <div className="text-center py-8 text-gray-500">
+            {workspacesLoading ? 'Loading workspaces…' : 'Select a workspace.'}
+          </div>
+        ) : !canViewMembers ? (
+          <div className="text-center py-8 text-gray-500">
+            You do not have permission to view members for this workspace.
+          </div>
+        ) : (
+          <>
+            {showAdd && canManageMembers && (
+              <div className="p-4 border border-gray-200 rounded-lg bg-gray-50 space-y-3">
+                <select
+                  value={selectedUserId}
+                  onChange={(e) => setSelectedUserId(e.target.value)}
+                  className="w-full px-3 py-2 border border-gray-200 rounded-lg text-sm"
+                >
+                  <option value="">Select org member…</option>
+                  {availableUsers.map((u) => (
+                    <option key={u.user_id} value={u.user_id}>
+                      {u.user?.email ?? u.user_id}
+                    </option>
+                  ))}
+                </select>
+                <select
+                  value={selectedRoleId}
+                  onChange={(e) => setSelectedRoleId(e.target.value)}
+                  className="w-full px-3 py-2 border border-gray-200 rounded-lg text-sm"
+                >
+                  <option value="">Select role…</option>
+                  {roles.map((r) => (
+                    <option key={r.id} value={r.id}>
+                      {r.name}
+                    </option>
+                  ))}
+                </select>
+                <Button
+                  disabled={
+                    !selectedUserId || !selectedRoleId || addMutation.isPending
+                  }
+                  onClick={() => addMutation.mutate()}
+                >
+                  Add to workspace
+                </Button>
+              </div>
+            )}
+
+            {membersLoading ? (
+              <div className="text-center py-8 text-gray-500">
+                Loading members…
+              </div>
+            ) : (
+              <div className="border border-gray-200 rounded-lg overflow-hidden">
+                <table className="min-w-full divide-y divide-gray-200">
+                  <thead className="bg-gray-50">
+                    <tr>
+                      <th className="px-4 py-3 text-left text-xs font-medium text-gray-500 uppercase">
+                        User
+                      </th>
+                      <th className="px-4 py-3 text-left text-xs font-medium text-gray-500 uppercase">
+                        Role
+                      </th>
+                      {canManageMembers && <th className="px-4 py-3" />}
+                    </tr>
+                  </thead>
+                  <tbody className="divide-y divide-gray-200 bg-white">
+                    {members.length === 0 ? (
+                      <tr>
+                        <td
+                          colSpan={canManageMembers ? 3 : 2}
+                          className="px-4 py-8 text-center text-sm text-gray-500"
+                        >
+                          No members in this workspace yet.
+                        </td>
+                      </tr>
+                    ) : (
+                      members.map((member) => (
+                        <tr key={member.id}>
+                          <td className="px-4 py-3 text-sm">
+                            <div className="font-medium text-gray-900">
+                              {member.user_email}
+                            </div>
+                            {member.user_name && (
+                              <div className="text-gray-500">
+                                {member.user_name}
+                              </div>
+                            )}
+                          </td>
+                          <td className="px-4 py-3 text-sm">
+                            {canManageMembers ? (
+                              <select
+                                value={member.role_id}
+                                onChange={(e) =>
+                                  updateMutation.mutate({
+                                    userId: member.user_id,
+                                    roleId: e.target.value,
+                                  })
+                                }
+                                className="px-2 py-1 border border-gray-200 rounded text-sm"
+                              >
+                                {roles.map((r) => (
+                                  <option key={r.id} value={r.id}>
+                                    {r.name}
+                                  </option>
+                                ))}
+                              </select>
+                            ) : (
+                              member.role_name
+                            )}
+                          </td>
+                          {canManageMembers && (
+                            <td className="px-4 py-3 text-right">
+                              <button
+                                type="button"
+                                onClick={() =>
+                                  removeMutation.mutate(member.user_id)
+                                }
+                                className="text-red-600 hover:text-red-800"
+                                title="Remove member"
+                              >
+                                <Trash2 className="h-4 w-4" />
+                              </button>
+                            </td>
+                          )}
+                        </tr>
+                      ))
+                    )}
+                  </tbody>
+                </table>
+              </div>
+            )}
+          </>
+        )}
+      </div>
+    </div>
+  )
+}
diff --git a/frontend/src/pages/iam/IAM.tsx b/frontend/src/pages/iam/IAM.tsx
index 116257ec..bd21f5ac 100644
--- a/frontend/src/pages/iam/IAM.tsx
+++ b/frontend/src/pages/iam/IAM.tsx
@@ -1,17 +1,45 @@
 import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query'
 import { apiClient } from '../../lib/api'
-import { useState } from 'react'
+import { useEffect, useState } from 'react'
+import { useSearchParams } from 'react-router-dom'
 import { Role, Invitation, OrganizationMember, InvitationCreate } from '../../types/api'
 import { Users, Mail, UserPlus, Shield, ShieldCheck, ShieldAlert, X, Trash2, KeyRound, Eye, EyeOff, Building2, Copy, Check } from 'lucide-react'
 import Button from '../../components/Button'
 import { useToast } from '../../hooks/useToast'
 import { useIsAdmin } from '../../hooks/useRole'
 import WorkspaceRolesSection from '../../components/WorkspaceRolesSection'
+import WorkspaceMembersSection from '../../components/iam/WorkspaceMembersSection'
+
+type IamTab = 'organization' | 'workspace-members' | 'workspace-roles'
+
+const IAM_TABS: { id: IamTab; label: string; icon: typeof Building2; adminOnly?: boolean }[] = [
+  { id: 'organization', label: 'Organization', icon: Building2 },
+  { id: 'workspace-members', label: 'Workspace Members', icon: Users },
+  { id: 'workspace-roles', label: 'Workspace Roles', icon: Shield, adminOnly: true },
+]
 
 export default function IAM() {
   const queryClient = useQueryClient()
   const { showToast, ToastContainer } = useToast()
   const isAdmin = useIsAdmin()
+  const [searchParams, setSearchParams] = useSearchParams()
+  const tabParam = searchParams.get('tab')
+  const activeTab: IamTab =
+    tabParam === 'workspace-members' || tabParam === 'workspace-roles'
+      ? tabParam
+      : 'organization'
+
+  const visibleTabs = IAM_TABS.filter((t) => !t.adminOnly || isAdmin)
+
+  useEffect(() => {
+    if (activeTab === 'workspace-roles' && !isAdmin) {
+      setSearchParams({ tab: 'organization' }, { replace: true })
+    }
+  }, [activeTab, isAdmin, setSearchParams])
+
+  const setActiveTab = (tab: IamTab) => {
+    setSearchParams(tab === 'organization' ? {} : { tab })
+  }
   const [showInviteModal, setShowInviteModal] = useState(false)
   const [inviteEmail, setInviteEmail] = useState('')
   const [inviteRole, setInviteRole] = useState<Role>(Role.READER)
@@ -238,12 +266,17 @@ export default function IAM() {
         <div>
           <h1 className="text-3xl font-bold text-gray-900">Identity & Access Management</h1>
           <p className="mt-2 text-sm text-gray-600">
-            {isAdmin
-              ? 'Manage users and their permissions in your organization'
-              : 'View users and pending invitations in your organization'}
+            {activeTab === 'organization' &&
+              (isAdmin
+                ? 'Manage organization users, invitations, and settings'
+                : 'View users and pending invitations in your organization')}
+            {activeTab === 'workspace-members' &&
+              'Manage workspace access and assign roles per workspace'}
+            {activeTab === 'workspace-roles' &&
+              'Configure workspace roles and their capabilities'}
           </p>
         </div>
-        {isAdmin && (
+        {isAdmin && activeTab === 'organization' && (
           <Button
             variant="primary"
             onClick={() => setShowInviteModal(true)}
@@ -254,6 +287,28 @@ export default function IAM() {
         )}
       </div>
 
+      <div className="border-b border-gray-200">
+        <nav className="-mb-px flex gap-6 overflow-x-auto" aria-label="IAM sections">
+          {visibleTabs.map(({ id, label, icon: Icon }) => (
+            <button
+              key={id}
+              type="button"
+              onClick={() => setActiveTab(id)}
+              className={`flex items-center gap-2 px-1 py-3 text-sm font-medium border-b-2 whitespace-nowrap transition-colors ${
+                activeTab === id
+                  ? 'border-primary-600 text-primary-600'
+                  : 'border-transparent text-gray-500 hover:text-gray-700 hover:border-gray-300'
+              }`}
+            >
+              <Icon className="h-4 w-4" />
+              {label}
+            </button>
+          ))}
+        </nav>
+      </div>
+
+      {activeTab === 'organization' && (
+        <>
       {isAdmin && (
         <div className="bg-white shadow rounded-lg">
           <div className="px-6 py-4 border-b border-gray-200">
@@ -513,8 +568,12 @@ export default function IAM() {
           )}
         </div>
       </div>
+        </>
+      )}
 
-      {isAdmin && (
+      {activeTab === 'workspace-members' && <WorkspaceMembersSection />}
+
+      {activeTab === 'workspace-roles' && isAdmin && (
         <div className="bg-white shadow rounded-lg p-6">
           <WorkspaceRolesSection />
         </div>
diff --git a/frontend/src/pages/workspace/WorkspaceMembers.tsx b/frontend/src/pages/workspace/WorkspaceMembers.tsx
deleted file mode 100644
index 5065d140..00000000
--- a/frontend/src/pages/workspace/WorkspaceMembers.tsx
+++ /dev/null
@@ -1,225 +0,0 @@
-import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
-import { useState } from 'react'
-import { Link } from 'react-router-dom'
-import { Trash2, UserPlus, Users } from 'lucide-react'
-import { apiClient } from '../../lib/api'
-import { useWorkspaceCapabilities } from '../../hooks/useWorkspaceCapabilities'
-import { useWorkspaceStore } from '../../store/workspaceStore'
-import Button from '../../components/Button'
-import { useToast } from '../../hooks/useToast'
-
-export default function WorkspaceMembers() {
-  const queryClient = useQueryClient()
-  const { showToast, ToastContainer } = useToast()
-  const { canViewMembers, canManageMembers } = useWorkspaceCapabilities()
-  const activeWorkspaceId = useWorkspaceStore((s) => s.activeWorkspaceId)
-  const [showAdd, setShowAdd] = useState(false)
-  const [selectedUserId, setSelectedUserId] = useState('')
-  const [selectedRoleId, setSelectedRoleId] = useState('')
-
-  const { data: members = [], isLoading } = useQuery({
-    queryKey: ['workspace-members', activeWorkspaceId],
-    queryFn: () => apiClient.listWorkspaceMembers(activeWorkspaceId!),
-    enabled: Boolean(activeWorkspaceId) && canViewMembers,
-  })
-
-  const { data: orgUsers = [] } = useQuery({
-    queryKey: ['iam', 'users'],
-    queryFn: () => apiClient.listOrganizationUsers(),
-    enabled: canManageMembers,
-  })
-
-  const { data: roles = [] } = useQuery({
-    queryKey: ['workspace-roles'],
-    queryFn: () => apiClient.listWorkspaceRoles(),
-  })
-
-  const addMutation = useMutation({
-    mutationFn: () =>
-      apiClient.addWorkspaceMember(activeWorkspaceId!, {
-        user_id: selectedUserId,
-        role_id: selectedRoleId,
-      }),
-    onSuccess: () => {
-      queryClient.invalidateQueries({ queryKey: ['workspace-members'] })
-      setShowAdd(false)
-      setSelectedUserId('')
-      setSelectedRoleId('')
-      showToast('Member added', 'success')
-    },
-    onError: (error: any) => {
-      showToast(error.response?.data?.detail || 'Failed to add member', 'error')
-    },
-  })
-
-  const updateMutation = useMutation({
-    mutationFn: ({ userId, roleId }: { userId: string; roleId: string }) =>
-      apiClient.updateWorkspaceMember(activeWorkspaceId!, userId, {
-        role_id: roleId,
-      }),
-    onSuccess: () => {
-      queryClient.invalidateQueries({ queryKey: ['workspace-members'] })
-      showToast('Role updated', 'success')
-    },
-  })
-
-  const removeMutation = useMutation({
-    mutationFn: (userId: string) =>
-      apiClient.removeWorkspaceMember(activeWorkspaceId!, userId),
-    onSuccess: () => {
-      queryClient.invalidateQueries({ queryKey: ['workspace-members'] })
-      showToast('Member removed', 'success')
-    },
-  })
-
-  if (!activeWorkspaceId) {
-    return (
-      <div className="p-6 text-gray-600">
-        Select a workspace from the sidebar to manage members.
-      </div>
-    )
-  }
-
-  if (!canViewMembers) {
-    return (
-      <div className="p-6 text-gray-600">
-        You do not have permission to view workspace members.
-      </div>
-    )
-  }
-
-  const memberUserIds = new Set(members.map((m) => m.user_id))
-  const availableUsers = orgUsers.filter((u) => !memberUserIds.has(u.user_id))
-
-  return (
-    <div className="p-6 max-w-4xl">
-      <ToastContainer />
-      <div className="flex items-center justify-between mb-6">
-        <div>
-          <h1 className="text-2xl font-semibold text-gray-900 flex items-center gap-2">
-            <Users className="h-6 w-6" />
-            Workspace Members
-          </h1>
-          <p className="text-sm text-gray-500 mt-1">
-            Manage who can access the active workspace and their roles.
-          </p>
-        </div>
-        {canManageMembers && (
-          <Button onClick={() => setShowAdd((v) => !v)}>
-            <UserPlus className="h-4 w-4 mr-2" />
-            Add member
-          </Button>
-        )}
-      </div>
-
-      {showAdd && canManageMembers && (
-        <div className="mb-6 p-4 border border-gray-200 rounded-lg bg-gray-50 space-y-3">
-          <select
-            value={selectedUserId}
-            onChange={(e) => setSelectedUserId(e.target.value)}
-            className="w-full px-3 py-2 border border-gray-200 rounded-lg text-sm"
-          >
-            <option value="">Select org member…</option>
-            {availableUsers.map((u) => (
-              <option key={u.user_id} value={u.user_id}>
-                {u.user?.email ?? u.user_id}
-              </option>
-            ))}
-          </select>
-          <select
-            value={selectedRoleId}
-            onChange={(e) => setSelectedRoleId(e.target.value)}
-            className="w-full px-3 py-2 border border-gray-200 rounded-lg text-sm"
-          >
-            <option value="">Select role…</option>
-            {roles.map((r) => (
-              <option key={r.id} value={r.id}>
-                {r.name}
-              </option>
-            ))}
-          </select>
-          <Button
-            disabled={!selectedUserId || !selectedRoleId || addMutation.isPending}
-            onClick={() => addMutation.mutate()}
-          >
-            Add to workspace
-          </Button>
-        </div>
-      )}
-
-      {isLoading ? (
-        <div className="text-gray-500">Loading members…</div>
-      ) : (
-        <div className="border border-gray-200 rounded-lg overflow-hidden">
-          <table className="min-w-full divide-y divide-gray-200">
-            <thead className="bg-gray-50">
-              <tr>
-                <th className="px-4 py-3 text-left text-xs font-medium text-gray-500 uppercase">
-                  User
-                </th>
-                <th className="px-4 py-3 text-left text-xs font-medium text-gray-500 uppercase">
-                  Role
-                </th>
-                {canManageMembers && <th className="px-4 py-3" />}
-              </tr>
-            </thead>
-            <tbody className="divide-y divide-gray-200 bg-white">
-              {members.map((member) => (
-                <tr key={member.id}>
-                  <td className="px-4 py-3 text-sm">
-                    <div className="font-medium text-gray-900">{member.user_email}</div>
-                    {member.user_name && (
-                      <div className="text-gray-500">{member.user_name}</div>
-                    )}
-                  </td>
-                  <td className="px-4 py-3 text-sm">
-                    {canManageMembers ? (
-                      <select
-                        value={member.role_id}
-                        onChange={(e) =>
-                          updateMutation.mutate({
-                            userId: member.user_id,
-                            roleId: e.target.value,
-                          })
-                        }
-                        className="px-2 py-1 border border-gray-200 rounded text-sm"
-                      >
-                        {roles.map((r) => (
-                          <option key={r.id} value={r.id}>
-                            {r.name}
-                          </option>
-                        ))}
-                      </select>
-                    ) : (
-                      member.role_name
-                    )}
-                  </td>
-                  {canManageMembers && (
-                    <td className="px-4 py-3 text-right">
-                      <button
-                        type="button"
-                        onClick={() => removeMutation.mutate(member.user_id)}
-                        className="text-red-600 hover:text-red-800"
-                        title="Remove member"
-                      >
-                        <Trash2 className="h-4 w-4" />
-                      </button>
-                    </td>
-                  )}
-                </tr>
-              ))}
-            </tbody>
-          </table>
-        </div>
-      )}
-
-      <p className="mt-4 text-sm text-gray-500">
-        Org admins can also manage{' '}
-        <Link to="/iam" className="text-primary-600 hover:underline">
-          workspace roles
-        </Link>{' '}
-        under IAM settings.
-      </p>
-    </div>
-  )
-}

From 88c7ff6707e9c34079f1af751c87e29369296f63 Mon Sep 17 00:00:00 2001
From: Tejas Narayan <stejasnarayan@gmail.com>
Date: Fri, 12 Jun 2026 11:03:34 +0000
Subject: [PATCH 05/12] feat: updating tests

---
 app/api/v1/routes/call_import_evaluations.py  |  11 ++
 app/api/v1/routes/chat.py                     |   7 +-
 app/api/v1/routes/evaluators.py               |   4 +
 app/api/v1/routes/prompt_partials.py          |  12 +-
 app/api/v1/routes/voice_playground.py         |  23 ++-
 app/migrations/049_llm_generation_config.py   |  49 +++++
 app/models/database.py                        |   2 +
 app/models/schemas.py                         |  32 ++++
 app/services/ai/llm_generation_config.py      | 119 +++++++++++++
 app/services/ai/llm_service.py                |  18 ++
 app/services/testing/test_agent_service.py    |   5 +-
 app/services/voice_agent/voice_bundle.py      |  21 ++-
 app/workers/tasks/evaluate_call_import_row.py |  52 ++++--
 app/workers/tasks/helpers/llm_evaluation.py   |   5 +-
 .../src/components/AIProviderModelPicker.tsx  |  20 ++-
 .../providers/LLMAdvancedOptionsPanel.tsx     | 134 ++++++++++++++
 .../providers/ProviderModelPicker.tsx         |  14 ++
 .../src/components/shared/AIGeneratePanel.tsx |  18 +-
 frontend/src/config/llmGenerationParams.ts    | 168 ++++++++++++++++++
 frontend/src/lib/api.ts                       |  10 ++
 .../pages/callImports/CallImportDetail.tsx    |   6 +
 .../CallImportEvaluationDetail.tsx            |  11 +-
 .../MetricPromptImprovementsPanel.tsx         |   4 +
 .../src/pages/configurations/VoiceBundles.tsx |  69 ++++---
 .../evaluators/evaluators/EvaluatorDetail.tsx |  13 ++
 .../voice/components/SampleTextsPanel.tsx     |  12 ++
 .../voice/context/VoicePlaygroundContext.tsx  |   4 +-
 .../pages/promptPartials/PromptPartials.tsx   |   4 +
 frontend/src/pages/scenarios/Scenarios.tsx    |  25 ++-
 frontend/src/types/api.ts                     |   7 +-
 tests/test_api/conftest.py                    |   4 +-
 .../test_ai/test_llm_generation_config.py     |  57 ++++++
 32 files changed, 856 insertions(+), 84 deletions(-)
 create mode 100644 app/migrations/049_llm_generation_config.py
 create mode 100644 app/services/ai/llm_generation_config.py
 create mode 100644 frontend/src/components/providers/LLMAdvancedOptionsPanel.tsx
 create mode 100644 frontend/src/config/llmGenerationParams.ts
 create mode 100644 tests/test_services/test_ai/test_llm_generation_config.py

diff --git a/app/api/v1/routes/call_import_evaluations.py b/app/api/v1/routes/call_import_evaluations.py
index c74222a9..cba06861 100644
--- a/app/api/v1/routes/call_import_evaluations.py
+++ b/app/api/v1/routes/call_import_evaluations.py
@@ -432,6 +432,9 @@ def _serialize_eval(
         llm_provider=row.llm_provider,
         llm_model=row.llm_model,
         llm_credential_id=row.llm_credential_id,
+        llm_config=(
+            row.llm_config if isinstance(getattr(row, "llm_config", None), dict) else None
+        ),
         metric_llm_overrides=(
             row.metric_llm_overrides
             if isinstance(row.metric_llm_overrides, dict)
@@ -717,6 +720,8 @@ async def create_call_import_evaluation(
                 )
             if override.credential_id is not None:
                 override_dict["credential_id"] = str(override.credential_id)
+            if override.llm_config is not None:
+                override_dict["llm_config"] = override.llm_config
             if override_dict:
                 for leaf_id in target_leaf_ids:
                     metric_overrides_payload[leaf_id] = override_dict
@@ -887,6 +892,7 @@ def _name_for_source(source: str) -> Optional[str]:
             llm_provider=llm_provider_norm,
             llm_model=llm_model_norm,
             llm_credential_id=payload.llm_credential_id,
+            llm_config=payload.llm_config,
             metric_llm_overrides=metric_overrides_payload,
             stt_provider=stt_provider_norm,
             stt_model=stt_model_norm,
@@ -7984,6 +7990,9 @@ def _apply_retry_overrides(
             )
         evaluation.llm_credential_id = payload.llm_credential_id
 
+    if payload.llm_config is not None:
+        evaluation.llm_config = payload.llm_config
+
     # --- Per-metric LLM overrides ---
     # We accept the same dict shape as the create endpoint but
     # constrain keys to leaf metrics that are actually in this run.
@@ -8036,6 +8045,8 @@ def _apply_retry_overrides(
                 )
             if override.credential_id is not None:
                 override_dict["credential_id"] = str(override.credential_id)
+            if override.llm_config is not None:
+                override_dict["llm_config"] = override.llm_config
             if override_dict:
                 overrides_payload[metric_id] = override_dict
         evaluation.metric_llm_overrides = overrides_payload or None
diff --git a/app/api/v1/routes/chat.py b/app/api/v1/routes/chat.py
index 31b6184a..b25d731e 100644
--- a/app/api/v1/routes/chat.py
+++ b/app/api/v1/routes/chat.py
@@ -4,7 +4,7 @@
 """
 from fastapi import APIRouter, Depends, HTTPException, status
 from sqlalchemy.orm import Session
-from typing import List, Dict, Optional
+from typing import List, Dict, Optional, Any
 from uuid import UUID
 from pydantic import BaseModel
 
@@ -26,6 +26,7 @@ class ChatRequest(BaseModel):
     model: str
     temperature: Optional[float] = 0.7
     max_tokens: Optional[int] = None
+    llm_config: Optional[Dict[str, Any]] = None
 
 
 class ChatResponse(BaseModel):
@@ -52,8 +53,10 @@ async def chat_completion(
             llm_model=request.model,
             organization_id=organization_id,
             db=db,
+            llm_config=request.llm_config,
             temperature=request.temperature,
-            max_tokens=request.max_tokens
+            max_tokens=request.max_tokens,
+            task_defaults={"temperature": 0.7},
         )
         
         return ChatResponse(
diff --git a/app/api/v1/routes/evaluators.py b/app/api/v1/routes/evaluators.py
index 1f748e4a..610ba16d 100644
--- a/app/api/v1/routes/evaluators.py
+++ b/app/api/v1/routes/evaluators.py
@@ -228,6 +228,7 @@ def create_evaluator(
         metric_ids=validated_metric_ids if (is_custom and validated_metric_ids) else None,
         llm_provider=evaluator_data.llm_provider.value if evaluator_data.llm_provider else None,
         llm_model=evaluator_data.llm_model,
+        llm_config=evaluator_data.llm_config,
         tags=evaluator_data.tags,
     )
     db.add(evaluator)
@@ -478,6 +479,9 @@ def update_evaluator(
     if evaluator_data.llm_model is not None:
         evaluator.llm_model = evaluator_data.llm_model
 
+    if evaluator_data.llm_config is not None:
+        evaluator.llm_config = evaluator_data.llm_config
+
     db.commit()
     db.refresh(evaluator)
 
diff --git a/app/api/v1/routes/prompt_partials.py b/app/api/v1/routes/prompt_partials.py
index e0372c0a..f1672597 100644
--- a/app/api/v1/routes/prompt_partials.py
+++ b/app/api/v1/routes/prompt_partials.py
@@ -6,7 +6,7 @@
 from fastapi.responses import JSONResponse, Response
 from sqlalchemy.orm import Session
 from sqlalchemy.exc import IntegrityError, SQLAlchemyError
-from typing import List, Optional
+from typing import List, Optional, Dict, Any
 from uuid import UUID
 from pydantic import BaseModel
 from loguru import logger
@@ -40,6 +40,7 @@ class GeneratePromptRequest(BaseModel):
     format_style: Optional[str] = "structured"
     provider: Optional[str] = None
     model: Optional[str] = None
+    llm_config: Optional[Dict[str, Any]] = None
 
 
 class ImprovePromptRequest(BaseModel):
@@ -47,6 +48,7 @@ class ImprovePromptRequest(BaseModel):
     instructions: Optional[str] = None
     provider: Optional[str] = None
     model: Optional[str] = None
+    llm_config: Optional[Dict[str, Any]] = None
 
 
 class GenerateFlowchartRequest(BaseModel):
@@ -213,8 +215,8 @@ async def generate_prompt_with_ai(
             llm_model=model_str,
             organization_id=organization_id,
             db=db,
-            temperature=0.7,
-            max_tokens=4000,
+            llm_config=data.llm_config,
+            task_defaults={"temperature": 0.7, "max_tokens": 4000},
         )
         return {"content": result["text"], "provider": provider_enum.value, "model": model_str}
     except Exception as e:
@@ -255,8 +257,8 @@ async def improve_prompt_with_ai(
             llm_model=model_str,
             organization_id=organization_id,
             db=db,
-            temperature=0.3,
-            max_tokens=4000,
+            llm_config=data.llm_config,
+            task_defaults={"temperature": 0.3, "max_tokens": 4000},
         )
         return {"content": result["text"], "provider": provider_enum.value, "model": model_str}
     except Exception as e:
diff --git a/app/api/v1/routes/voice_playground.py b/app/api/v1/routes/voice_playground.py
index 48cc0f81..3213e6aa 100644
--- a/app/api/v1/routes/voice_playground.py
+++ b/app/api/v1/routes/voice_playground.py
@@ -287,6 +287,7 @@ class GenerateSamplesRequest(BaseModel):
     count: int = 5
     length: Optional[str] = "short"  # "short" | "medium" | "long" | "paragraph"
     temperature: Optional[float] = 0.8
+    llm_config: Optional[Dict[str, Any]] = None
 
 
 class CustomVoiceCreate(BaseModel):
@@ -400,7 +401,7 @@ async def generate_sample_texts(
 
     llm_provider_str = data.provider
     llm_model_str = data.model
-    temperature = data.temperature or 0.8
+    request_llm_config = data.llm_config
 
     if data.voice_bundle_id:
         bundle = db.query(VoiceBundle).filter(
@@ -413,8 +414,20 @@ async def generate_sample_texts(
             raise HTTPException(400, "Selected voice bundle has no LLM configured")
         llm_provider_str = bundle.llm_provider
         llm_model_str = bundle.llm_model
-        if bundle.llm_temperature is not None:
-            temperature = bundle.llm_temperature
+        from app.services.ai.llm_generation_config import merge_llm_config
+
+        request_llm_config = merge_llm_config(
+            request_llm_config or bundle.llm_config,
+            legacy_temperature=bundle.llm_temperature,
+            legacy_max_tokens=bundle.llm_max_tokens,
+        )
+        if data.temperature is not None and not (request_llm_config or {}).get("temperature"):
+            request_llm_config = {**(request_llm_config or {}), "temperature": data.temperature}
+    elif data.temperature is not None:
+        request_llm_config = {
+            **(request_llm_config or {}),
+            "temperature": data.temperature or 0.8,
+        }
 
     if not llm_provider_str or not llm_model_str:
         raise HTTPException(400, "Either voice_bundle_id or both provider and model are required")
@@ -449,8 +462,8 @@ async def generate_sample_texts(
             llm_model=llm_model_str,
             organization_id=organization_id,
             db=db,
-            temperature=temperature,
-            max_tokens=max_tokens,
+            llm_config=request_llm_config,
+            task_defaults={"temperature": 0.8, "max_tokens": max_tokens},
         )
     except Exception as e:
         logger.error(f"[VoicePlayground] LLM generation failed: {e}")
diff --git a/app/migrations/049_llm_generation_config.py b/app/migrations/049_llm_generation_config.py
new file mode 100644
index 00000000..720736db
--- /dev/null
+++ b/app/migrations/049_llm_generation_config.py
@@ -0,0 +1,49 @@
+"""Migration: Add llm_config JSON to evaluators and call_import_evaluations."""
+
+from sqlalchemy import text
+from sqlalchemy.orm import Session
+
+description = (
+    "Add llm_config JSON columns for user-tunable LLM generation parameters."
+)
+
+
+def _column_exists(db: Session, table_name: str, column_name: str) -> bool:
+    row = db.execute(
+        text(
+            """
+            SELECT 1
+            FROM information_schema.columns
+            WHERE table_name = :table_name AND column_name = :column_name
+            """
+        ),
+        {"table_name": table_name, "column_name": column_name},
+    ).first()
+    return row is not None
+
+
+def upgrade(db: Session):
+    if not _column_exists(db, "evaluators", "llm_config"):
+        db.execute(text("ALTER TABLE evaluators ADD COLUMN llm_config JSON"))
+        print("Added evaluators.llm_config")
+    else:
+        print("evaluators.llm_config already exists, skipping")
+
+    if not _column_exists(db, "call_import_evaluations", "llm_config"):
+        db.execute(
+            text("ALTER TABLE call_import_evaluations ADD COLUMN llm_config JSON")
+        )
+        print("Added call_import_evaluations.llm_config")
+    else:
+        print("call_import_evaluations.llm_config already exists, skipping")
+
+
+def downgrade(db: Session):
+    if _column_exists(db, "evaluators", "llm_config"):
+        db.execute(text("ALTER TABLE evaluators DROP COLUMN llm_config"))
+        print("Dropped evaluators.llm_config")
+    if _column_exists(db, "call_import_evaluations", "llm_config"):
+        db.execute(
+            text("ALTER TABLE call_import_evaluations DROP COLUMN llm_config")
+        )
+        print("Dropped call_import_evaluations.llm_config")
diff --git a/app/models/database.py b/app/models/database.py
index ceed0888..a4042f68 100644
--- a/app/models/database.py
+++ b/app/models/database.py
@@ -757,6 +757,7 @@ class Evaluator(Base):
     # LLM configuration for evaluation (overrides hardcoded defaults)
     llm_provider = Column(String, nullable=True)  # e.g. "openai", "anthropic", "google"
     llm_model = Column(String, nullable=True)  # e.g. "gpt-4.1", "claude-sonnet-4-20250514"
+    llm_config = Column(JSON, nullable=True)
     
     # Tags for categorization
     tags = Column(JSON, nullable=True)  # Array of tag strings
@@ -2142,6 +2143,7 @@ class CallImportEvaluation(Base):
         ForeignKey("aiproviders.id", ondelete="SET NULL"),
         nullable=True,
     )
+    llm_config = Column(JSON, nullable=True)
     # Optional per-metric LLM override:
     # ``{"<metric_id>": {"provider": "...", "model": "...", "credential_id": "..."}}``.
     # Each entry overrides the run-level default for that metric only;
diff --git a/app/models/schemas.py b/app/models/schemas.py
index c5025abb..eaf315c2 100644
--- a/app/models/schemas.py
+++ b/app/models/schemas.py
@@ -719,6 +719,22 @@ def convert_provider(cls, v):
     model_config = ConfigDict(from_attributes=True)
 
 
+class LLMGenerationConfig(BaseModel):
+    """User-tunable LLM sampling / generation parameters."""
+
+    temperature: Optional[float] = Field(None, ge=0.0, le=2.0)
+    max_tokens: Optional[int] = Field(None, gt=0)
+    top_p: Optional[float] = Field(None, ge=0.0, le=1.0)
+    top_k: Optional[int] = Field(None, ge=0)
+    frequency_penalty: Optional[float] = Field(None, ge=-2.0, le=2.0)
+    presence_penalty: Optional[float] = Field(None, ge=-2.0, le=2.0)
+    seed: Optional[int] = Field(None, ge=0)
+
+    def to_dict(self) -> Dict[str, Any]:
+        """Return only explicitly set fields."""
+        return self.model_dump(exclude_none=True)
+
+
 # VoiceBundle Schemas
 class VoiceBundleCreate(BaseModel):
     """Schema for creating a VoiceBundle."""
@@ -1002,6 +1018,7 @@ class EvaluatorCreate(BaseModel):
     metric_ids: Optional[List[UUID]] = None
     llm_provider: Optional[ModelProvider] = None
     llm_model: Optional[str] = None
+    llm_config: Optional[Dict[str, Any]] = None
     tags: Optional[List[str]] = None
 
 
@@ -1015,6 +1032,7 @@ class EvaluatorUpdate(BaseModel):
     metric_ids: Optional[List[UUID]] = None
     llm_provider: Optional[ModelProvider] = None
     llm_model: Optional[str] = None
+    llm_config: Optional[Dict[str, Any]] = None
     tags: Optional[List[str]] = None
 
 
@@ -1031,6 +1049,7 @@ class EvaluatorResponse(BaseModel):
     metric_ids: Optional[List[UUID]] = None
     llm_provider: Optional[ModelProvider] = None
     llm_model: Optional[str] = None
+    llm_config: Optional[Dict[str, Any]] = None
     tags: Optional[List[str]]
     created_at: datetime
     updated_at: datetime
@@ -2591,6 +2610,10 @@ class CallImportEvaluationLLMOverride(BaseModel):
         default=None,
         description="Optional AIProvider id when the org has multiple credentials.",
     )
+    llm_config: Optional[Dict[str, Any]] = Field(
+        default=None,
+        description="Optional per-metric generation parameters (temperature, top_p, etc.).",
+    )
 
 
 CallImportEvaluationTranscriptSource = Literal["production", "diarised"]
@@ -2662,6 +2685,10 @@ def _validate_transcript_sources(
         default=None,
         description="Optional AIProvider row to pin for the run-level LLM.",
     )
+    llm_config: Optional[Dict[str, Any]] = Field(
+        default=None,
+        description="Run-level LLM generation parameters (temperature, top_p, etc.).",
+    )
     metric_llm_overrides: Optional[
         Dict[str, CallImportEvaluationLLMOverride]
     ] = Field(
@@ -2876,6 +2903,10 @@ class CallImportEvaluationRetryRequest(BaseModel):
             "When omitted, the resolver falls back to the org default."
         ),
     )
+    llm_config: Optional[Dict[str, Any]] = Field(
+        default=None,
+        description="Override run-level LLM generation parameters for this retry.",
+    )
     metric_llm_overrides: Optional[
         Dict[str, CallImportEvaluationLLMOverride]
     ] = Field(
@@ -3023,6 +3054,7 @@ class CallImportEvaluationResponse(BaseModel):
     llm_provider: Optional[str] = None
     llm_model: Optional[str] = None
     llm_credential_id: Optional[UUID] = None
+    llm_config: Optional[Dict[str, Any]] = None
     metric_llm_overrides: Optional[Dict[str, Any]] = None
     stt_provider: Optional[str] = None
     stt_model: Optional[str] = None
diff --git a/app/services/ai/llm_generation_config.py b/app/services/ai/llm_generation_config.py
new file mode 100644
index 00000000..5b94580e
--- /dev/null
+++ b/app/services/ai/llm_generation_config.py
@@ -0,0 +1,119 @@
+"""Helpers for merging and applying user LLM generation parameters."""
+
+from __future__ import annotations
+
+from typing import Any, Dict, Optional
+
+
+def merge_llm_config(
+    primary: Optional[Dict[str, Any]] = None,
+    *,
+    legacy_temperature: Optional[float] = None,
+    legacy_max_tokens: Optional[int] = None,
+) -> Dict[str, Any]:
+    """Merge ``llm_config`` JSON with legacy VoiceBundle columns.
+
+    Legacy ``llm_temperature`` / ``llm_max_tokens`` apply only when the
+    corresponding key is absent from ``primary``.
+    """
+    merged: Dict[str, Any] = dict(primary or {})
+    if merged.get("temperature") is None and legacy_temperature is not None:
+        merged["temperature"] = legacy_temperature
+    if merged.get("max_tokens") is None and legacy_max_tokens is not None:
+        merged["max_tokens"] = legacy_max_tokens
+    return merged
+
+
+def resolve_effective_llm_config(
+    *,
+    llm_config: Optional[Dict[str, Any]] = None,
+    override_llm_config: Optional[Dict[str, Any]] = None,
+    legacy_temperature: Optional[float] = None,
+    legacy_max_tokens: Optional[int] = None,
+    task_defaults: Optional[Dict[str, Any]] = None,
+) -> Dict[str, Any]:
+    """Resolve config with override > entity > legacy columns > task defaults."""
+    base = merge_llm_config(
+        llm_config,
+        legacy_temperature=legacy_temperature,
+        legacy_max_tokens=legacy_max_tokens,
+    )
+    if override_llm_config:
+        for key, value in override_llm_config.items():
+            if value is not None:
+                base[key] = value
+
+    effective = dict(task_defaults or {})
+    for key, value in base.items():
+        if value is not None:
+            effective[key] = value
+    return effective
+
+
+def build_litellm_kwargs(
+    *,
+    llm_config: Optional[Dict[str, Any]] = None,
+    override_llm_config: Optional[Dict[str, Any]] = None,
+    legacy_temperature: Optional[float] = None,
+    legacy_max_tokens: Optional[int] = None,
+    task_defaults: Optional[Dict[str, Any]] = None,
+) -> Dict[str, Any]:
+    """Build kwargs for :meth:`LLMService.generate_response`.
+
+    Returns a dict with ``temperature``, ``max_tokens``, and ``config``
+    (extra LiteLLM params such as top_p / top_k / penalties).
+    """
+    effective = resolve_effective_llm_config(
+        llm_config=llm_config,
+        override_llm_config=override_llm_config,
+        legacy_temperature=legacy_temperature,
+        legacy_max_tokens=legacy_max_tokens,
+        task_defaults=task_defaults,
+    )
+
+    temperature = effective.pop("temperature", (task_defaults or {}).get("temperature", 0.7))
+    max_tokens = effective.pop("max_tokens", (task_defaults or {}).get("max_tokens"))
+    extra = {k: v for k, v in effective.items() if v is not None}
+    return {
+        "temperature": temperature,
+        "max_tokens": max_tokens,
+        "config": extra or None,
+    }
+
+
+def build_efficientai_input_params(provider: str, config: Optional[Dict[str, Any]]):
+    """Map merged config dict to the EfficientAI SDK InputParams for *provider*."""
+    if not config:
+        return None
+
+    provider_key = (provider or "").lower()
+    params_dict = {
+        k: v
+        for k, v in {
+            "temperature": config.get("temperature"),
+            "top_p": config.get("top_p"),
+            "top_k": config.get("top_k"),
+            "max_tokens": config.get("max_tokens"),
+            "frequency_penalty": config.get("frequency_penalty"),
+            "presence_penalty": config.get("presence_penalty"),
+            "seed": config.get("seed"),
+        }.items()
+        if v is not None
+    }
+    if not params_dict:
+        return None
+
+    if provider_key == "openai":
+        from efficientai.services.openai.llm import OpenAILLMService
+
+        return OpenAILLMService.InputParams(**params_dict)
+    if provider_key == "google":
+        from efficientai.services.google.llm import GoogleLLMService
+
+        return GoogleLLMService.InputParams(**params_dict)
+    if provider_key == "anthropic":
+        from efficientai.services.anthropic.llm import AnthropicLLMService
+
+        return AnthropicLLMService.InputParams(**params_dict)
+
+    return None
diff --git a/app/services/ai/llm_service.py b/app/services/ai/llm_service.py
index 701a6862..407ee51d 100644
--- a/app/services/ai/llm_service.py
+++ b/app/services/ai/llm_service.py
@@ -19,6 +19,7 @@
 
 from app.models.database import ModelProvider, AIProvider
 from app.services.credentials import resolve_ai_provider
+from app.services.ai.llm_generation_config import build_litellm_kwargs
 
 # LiteLLM will silently drop params the target provider doesn't support
 # rather than raising an error.
@@ -178,6 +179,9 @@ def generate_response(
         temperature: Optional[float] = 0.7,
         max_tokens: Optional[int] = None,
         config: Optional[Dict[str, Any]] = None,
+        llm_config: Optional[Dict[str, Any]] = None,
+        override_llm_config: Optional[Dict[str, Any]] = None,
+        task_defaults: Optional[Dict[str, Any]] = None,
         credential_id: Optional[UUID] = None,
     ) -> Dict[str, Any]:
         """Generate a text response using the specified LLM via LiteLLM.
@@ -186,7 +190,21 @@ def generate_response(
         organization has multiple keys for the same provider; when omitted
         the resolver falls back to the row marked ``is_default`` (or the
         most recently updated active row for back-compat).
+
+        Generation parameters resolve as:
+        override_llm_config > llm_config/config > legacy temperature/max_tokens > task_defaults.
         """
+        gen_kwargs = build_litellm_kwargs(
+            llm_config=llm_config or config,
+            override_llm_config=override_llm_config,
+            legacy_temperature=temperature,
+            legacy_max_tokens=max_tokens,
+            task_defaults=task_defaults,
+        )
+        temperature = gen_kwargs["temperature"]
+        max_tokens = gen_kwargs["max_tokens"]
+        config = gen_kwargs["config"]
+
         start_time = time.time()
 
         # --- resolve API key from database --------------------------------
diff --git a/app/services/testing/test_agent_service.py b/app/services/testing/test_agent_service.py
index 6580f661..0719bbb7 100644
--- a/app/services/testing/test_agent_service.py
+++ b/app/services/testing/test_agent_service.py
@@ -348,9 +348,10 @@ def process_audio_chunk(
                 llm_model=voice_bundle.llm_model,
                 organization_id=organization_id,
                 db=db,
-                temperature=voice_bundle.llm_temperature or 0.7,
+                llm_config=voice_bundle.llm_config,
+                temperature=voice_bundle.llm_temperature,
                 max_tokens=voice_bundle.llm_max_tokens,
-                config=voice_bundle.llm_config,
+                task_defaults={"temperature": 0.7},
             )
 
             test_agent_text = llm_result.get("text", "").strip()
diff --git a/app/services/voice_agent/voice_bundle.py b/app/services/voice_agent/voice_bundle.py
index abce7a42..b1c4546f 100644
--- a/app/services/voice_agent/voice_bundle.py
+++ b/app/services/voice_agent/voice_bundle.py
@@ -320,17 +320,19 @@ def _get_llm_providers():
         "openai": {
             "env_key": "OPENAI_API_KEY",
             "default_model": "gpt-4.1",
-            "factory": lambda api_key, model: _get_service("OpenAILLMService")(
+            "factory": lambda api_key, model, params=None: _get_service("OpenAILLMService")(
                 api_key=api_key,
                 model=model,
+                **({"params": params} if params else {}),
             ),
         },
         "google": {
             "env_key": "GOOGLE_API_KEY",
             "default_model": "gemini-2.5-flash",
-            "factory": lambda api_key, model: _get_service("GoogleLLMService")(
+            "factory": lambda api_key, model, params=None: _get_service("GoogleLLMService")(
                 api_key=api_key,
                 model=model,
+                **({"params": params} if params else {}),
             ),
         },
     }
@@ -556,7 +558,20 @@ async def run_voice_bundle_fastapi(
         tts = tts_cfg["factory"](api_key=tts_api_key, voice_id=tts_voice_id, model=tts_model)
 
         llm_model = getattr(voice_bundle, "llm_model", None) or llm_cfg["default_model"]
-        llm = llm_cfg["factory"](api_key=llm_api_key, model=llm_model)
+        from app.services.ai.llm_generation_config import (
+            build_efficientai_input_params,
+            merge_llm_config,
+        )
+
+        llm_params = build_efficientai_input_params(
+            llm_provider_value,
+            merge_llm_config(
+                getattr(voice_bundle, "llm_config", None),
+                legacy_temperature=getattr(voice_bundle, "llm_temperature", None),
+                legacy_max_tokens=getattr(voice_bundle, "llm_max_tokens", None),
+            ),
+        )
+        llm = llm_cfg["factory"](api_key=llm_api_key, model=llm_model, params=llm_params)
 
         # Build context with provided system instruction or a default
         base_instruction = (
diff --git a/app/workers/tasks/evaluate_call_import_row.py b/app/workers/tasks/evaluate_call_import_row.py
index fae2d13e..6653e48a 100644
--- a/app/workers/tasks/evaluate_call_import_row.py
+++ b/app/workers/tasks/evaluate_call_import_row.py
@@ -18,6 +18,7 @@
 
 from __future__ import annotations
 
+import json
 from datetime import datetime, timezone
 from types import SimpleNamespace
 from typing import Any, List, Optional
@@ -700,6 +701,11 @@ def _load_ai_providers() -> list:
         if comparison_metrics:
             run_provider = (evaluation.llm_provider or "").strip() or None
             run_model = (evaluation.llm_model or "").strip() or None
+            run_llm_config = (
+                evaluation.llm_config
+                if isinstance(getattr(evaluation, "llm_config", None), dict)
+                else None
+            )
             overrides = (
                 evaluation.metric_llm_overrides
                 if isinstance(evaluation.metric_llm_overrides, dict)
@@ -709,11 +715,13 @@ def _load_ai_providers() -> list:
                 override = overrides.get(str(cmp_metric.id)) or {}
                 provider = override.get("provider") or run_provider or None
                 model = override.get("model") or run_model or None
+                llm_config = override.get("llm_config") or run_llm_config
                 evaluator_obj = None
                 if provider and model:
                     evaluator_obj = SimpleNamespace(
                         llm_provider=provider,
                         llm_model=model,
+                        llm_config=llm_config,
                         custom_prompt=None,
                     )
                 try:
@@ -774,37 +782,47 @@ def _load_ai_providers() -> list:
             # ``evaluate_with_llm``.
             run_provider = (evaluation.llm_provider or "").strip() or None
             run_model = (evaluation.llm_model or "").strip() or None
+            run_llm_config = (
+                evaluation.llm_config
+                if isinstance(getattr(evaluation, "llm_config", None), dict)
+                else None
+            )
             overrides = (
                 evaluation.metric_llm_overrides
                 if isinstance(evaluation.metric_llm_overrides, dict)
                 else {}
             )
 
-            def _resolve_pm(metric: Metric) -> tuple[str | None, str | None]:
+            def _llm_config_key(cfg: dict | None) -> str | None:
+                if not cfg:
+                    return None
+                return json.dumps(cfg, sort_keys=True, default=str)
+
+            def _resolve_pm(
+                metric: Metric,
+            ) -> tuple[str | None, str | None, dict | None]:
                 override = overrides.get(str(metric.id)) or {}
                 provider = (
                     override.get("provider") or run_provider or None
                 )
                 model = override.get("model") or run_model or None
-                return provider, model
+                llm_config = override.get("llm_config") or run_llm_config
+                return provider, model, llm_config
 
-            # Bucket = ((provider, model), parent_id_or_None) -> metrics.
-            # parent_id_or_None keys hierarchical groups; ``None`` keys
-            # the standalone bucket. Splitting on parent_id lets us pass
-            # ``parent_metric`` to ``evaluate_with_llm`` for prompt rendering.
-            BucketKey = tuple[tuple[str | None, str | None], UUID | None]
+            # Bucket = ((provider, model, llm_config_key), parent_id_or_None) -> metrics.
+            BucketKey = tuple[tuple[str | None, str | None, str | None], UUID | None]
             groups: dict[BucketKey, list[Metric]] = {}
             for metric in standalone_metrics:
-                provider, model = _resolve_pm(metric)
-                groups.setdefault(((provider, model), None), []).append(metric)
+                provider, model, llm_config = _resolve_pm(metric)
+                groups.setdefault(
+                    ((provider, model, _llm_config_key(llm_config)), None),
+                    [],
+                ).append(metric)
             for parent_id, children in children_by_parent.items():
-                # Children of the same parent MUST end up in one bucket
-                # (no per-child provider/model split inside a hierarchy
-                # group) — otherwise we lose the mutex / consistency
-                # guarantees. Use the first child's resolved config.
-                provider, model = _resolve_pm(children[0])
+                provider, model, llm_config = _resolve_pm(children[0])
                 groups.setdefault(
-                    ((provider, model), parent_id), []
+                    ((provider, model, _llm_config_key(llm_config)), parent_id),
+                    [],
                 ).extend(children)
 
             # Top-level metric discovery is opt-in per evaluation. When
@@ -842,12 +860,14 @@ def _resolve_pm(metric: Metric) -> tuple[str | None, str | None]:
             metric_discovery_emitted = False
 
             for (config, parent_id), bucket in groups.items():
-                provider, model = config
+                provider, model, llm_config_key = config
+                llm_config = json.loads(llm_config_key) if llm_config_key else None
                 evaluator_obj = None
                 if provider and model:
                     evaluator_obj = SimpleNamespace(
                         llm_provider=provider,
                         llm_model=model,
+                        llm_config=llm_config,
                         custom_prompt=None,
                     )
                 parent_metric = (
diff --git a/app/workers/tasks/helpers/llm_evaluation.py b/app/workers/tasks/helpers/llm_evaluation.py
index 5fe3e92c..01d13fc3 100644
--- a/app/workers/tasks/helpers/llm_evaluation.py
+++ b/app/workers/tasks/helpers/llm_evaluation.py
@@ -1192,14 +1192,15 @@ def evaluate_with_llm(
     )
 
     evaluation_start_time = time.time()
+    evaluator_llm_config = getattr(evaluator, "llm_config", None) if evaluator else None
     llm_result = llm_service.generate_response(
         messages=messages,
         llm_provider=llm_provider,
         llm_model=llm_model,
         organization_id=organization_id,
         db=db,
-        temperature=0.3,
-        max_tokens=dynamic_max_tokens,
+        llm_config=evaluator_llm_config,
+        task_defaults={"temperature": 0.3, "max_tokens": dynamic_max_tokens},
     )
     evaluation_time = time.time() - evaluation_start_time
 
diff --git a/frontend/src/components/AIProviderModelPicker.tsx b/frontend/src/components/AIProviderModelPicker.tsx
index c19ac2b0..37d6439d 100644
--- a/frontend/src/components/AIProviderModelPicker.tsx
+++ b/frontend/src/components/AIProviderModelPicker.tsx
@@ -2,6 +2,8 @@ import { useEffect } from 'react'
 import { useQuery } from '@tanstack/react-query'
 import { Bot } from 'lucide-react'
 import { apiClient } from '../lib/api'
+import LLMAdvancedOptionsPanel from './providers/LLMAdvancedOptionsPanel'
+import type { LLMGenerationConfig } from '../config/llmGenerationParams'
 
 interface AIProviderRow {
   id: string
@@ -37,15 +39,21 @@ export default function AIProviderModelPicker({
   model,
   onProviderChange,
   onModelChange,
+  llm_config,
+  onLLMConfigChange,
   disabled = false,
   size = 'md',
+  showAdvancedOptions = true,
 }: {
   provider: string
   model: string
   onProviderChange: (next: string) => void
   onModelChange: (next: string) => void
+  llm_config?: LLMGenerationConfig | null
+  onLLMConfigChange?: (next: LLMGenerationConfig | null) => void
   disabled?: boolean
   size?: 'sm' | 'md'
+  showAdvancedOptions?: boolean
 }) {
   const { data: aiProviders = [] } = useQuery<AIProviderRow[]>({
     queryKey: ['ai-providers'],
@@ -82,7 +90,8 @@ export default function AIProviderModelPicker({
       : 'block text-xs font-medium text-gray-600 mb-1'
 
   return (
-    <div className="flex gap-2 w-full">
+    <div className="space-y-2 w-full">
+      <div className="flex gap-2 w-full">
       <div className="flex-1 min-w-0">
         <label className={labelClass}>
           <Bot className="w-3 h-3 inline mr-1" />
@@ -132,6 +141,15 @@ export default function AIProviderModelPicker({
           )}
         </select>
       </div>
+      </div>
+      {showAdvancedOptions && provider && onLLMConfigChange && (
+        <LLMAdvancedOptionsPanel
+          provider={provider}
+          value={llm_config ?? null}
+          disabled={disabled}
+          onChange={onLLMConfigChange}
+        />
+      )}
     </div>
   )
 }
diff --git a/frontend/src/components/providers/LLMAdvancedOptionsPanel.tsx b/frontend/src/components/providers/LLMAdvancedOptionsPanel.tsx
new file mode 100644
index 00000000..02c51985
--- /dev/null
+++ b/frontend/src/components/providers/LLMAdvancedOptionsPanel.tsx
@@ -0,0 +1,134 @@
+import { useState } from 'react'
+import { ChevronDown, ChevronUp } from 'lucide-react'
+import {
+  getVisibleLLMParams,
+  isLLMGenerationConfigEmpty,
+  normalizeLLMConfig,
+  summarizeLLMConfig,
+  type LLMGenerationConfig,
+  type LLMGenerationParamKey,
+} from '../../config/llmGenerationParams'
+
+interface LLMAdvancedOptionsPanelProps {
+  provider: string | null | undefined
+  value: LLMGenerationConfig | null | undefined
+  onChange: (next: LLMGenerationConfig | null) => void
+  disabled?: boolean
+  /** When true, show Gemini thinking note. */
+  showGeminiNote?: boolean
+  className?: string
+}
+
+export default function LLMAdvancedOptionsPanel({
+  provider,
+  value,
+  onChange,
+  disabled = false,
+  showGeminiNote = true,
+  className,
+}: LLMAdvancedOptionsPanelProps) {
+  const [showAdvanced, setShowAdvanced] = useState(false)
+  const params = getVisibleLLMParams(provider)
+  const summary = summarizeLLMConfig(value)
+  const providerKey = (provider || '').toLowerCase()
+
+  const handleFieldChange = (key: LLMGenerationParamKey, raw: string) => {
+    const next: LLMGenerationConfig = { ...(value || {}) }
+    if (raw === '' || raw === undefined) {
+      delete next[key]
+    } else {
+      const meta = params.find((p) => p.key === key)
+      next[key] = meta?.integer ? parseInt(raw, 10) : parseFloat(raw)
+    }
+    onChange(normalizeLLMConfig(next))
+  }
+
+  const handleReset = () => {
+    onChange(null)
+  }
+
+  if (!provider) {
+    return null
+  }
+
+  return (
+    <div className={`border border-gray-200 rounded-lg overflow-hidden ${className ?? ''}`}>
+      <button
+        type="button"
+        disabled={disabled}
+        onClick={() => setShowAdvanced(!showAdvanced)}
+        className="w-full flex items-center justify-between px-3 py-2 text-xs font-medium text-gray-500 hover:text-gray-700 bg-gray-50 transition-colors disabled:opacity-50"
+      >
+        <span className="flex items-center gap-1.5">
+          <svg
+            className="w-3.5 h-3.5"
+            viewBox="0 0 24 24"
+            fill="none"
+            stroke="currentColor"
+            strokeWidth="2"
+            strokeLinecap="round"
+            strokeLinejoin="round"
+          >
+            <circle cx="12" cy="12" r="3" />
+            <path d="M12 1v6m0 6v6m8.66-15l-5.2 3m-6.92 4l-5.2 3M22.66 18l-5.2-3m-6.92-4l-5.2-3" />
+          </svg>
+          Advanced Options
+          {summary && (
+            <span className="ml-1 text-[10px] px-1.5 py-0.5 bg-gray-200 text-gray-600 rounded-full">
+              {summary}
+            </span>
+          )}
+        </span>
+        {showAdvanced ? (
+          <ChevronUp className="w-3.5 h-3.5" />
+        ) : (
+          <ChevronDown className="w-3.5 h-3.5" />
+        )}
+      </button>
+      {showAdvanced && (
+        <div className="px-3 py-3 bg-gray-50/50 border-t border-gray-200 space-y-3">
+          {showGeminiNote && providerKey === 'google' && (
+            <p className="text-[10px] text-gray-500">
+              Gemini thinking level is managed automatically for structured evaluation tasks.
+            </p>
+          )}
+          <div className="grid grid-cols-1 sm:grid-cols-2 gap-3">
+            {params.map((param) => (
+              <div key={param.key}>
+                <label className="block text-xs font-medium text-gray-600 mb-1">
+                  {param.label}
+                </label>
+                <input
+                  type="number"
+                  disabled={disabled}
+                  min={param.min}
+                  max={param.max}
+                  step={param.step ?? (param.integer ? 1 : 0.1)}
+                  value={value?.[param.key] ?? ''}
+                  placeholder={param.placeholder ?? 'Default'}
+                  onChange={(e) => handleFieldChange(param.key, e.target.value)}
+                  className="w-full px-3 py-2 text-sm border border-gray-300 rounded-lg focus:outline-none focus:ring-2 focus:ring-primary-500 bg-white disabled:bg-gray-50"
+                />
+                {param.helpText && (
+                  <p className="mt-1 text-[10px] text-gray-400">{param.helpText}</p>
+                )}
+              </div>
+            ))}
+          </div>
+          {!isLLMGenerationConfigEmpty(value) && (
+            <button
+              type="button"
+              disabled={disabled}
+              onClick={handleReset}
+              className="text-xs text-gray-500 hover:text-gray-700 underline"
+            >
+              Reset to defaults
+            </button>
+          )}
+        </div>
+      )}
+    </div>
+  )
+}
+
+export type { LLMGenerationConfig }
diff --git a/frontend/src/components/providers/ProviderModelPicker.tsx b/frontend/src/components/providers/ProviderModelPicker.tsx
index 1ab75664..c2f26032 100644
--- a/frontend/src/components/providers/ProviderModelPicker.tsx
+++ b/frontend/src/components/providers/ProviderModelPicker.tsx
@@ -29,6 +29,8 @@ import { Bot, AudioLines } from 'lucide-react'
 
 import { apiClient } from '../../lib/api'
 import type { Integration } from '../../types/api'
+import LLMAdvancedOptionsPanel from './LLMAdvancedOptionsPanel'
+import type { LLMGenerationConfig } from '../../config/llmGenerationParams'
 
 const PROVIDER_LABELS: Record<string, string> = {
   openai: 'OpenAI',
@@ -54,6 +56,7 @@ export interface ProviderModelValue {
   provider: string | null
   model: string | null
   credential_id?: string | null
+  llm_config?: LLMGenerationConfig | null
 }
 
 interface AIProviderRow {
@@ -107,6 +110,8 @@ export interface ProviderModelPickerProps {
    * without a code change.
    */
   audioCapableOnly?: boolean
+  /** When false, hide the LLM advanced options panel (LLM kind only). */
+  showAdvancedOptions?: boolean
 }
 
 // Per-provider substring fingerprints for "this chat model accepts audio
@@ -142,6 +147,7 @@ export default function ProviderModelPicker({
   allowCredentialPick = false,
   disabled = false,
   audioCapableOnly = false,
+  showAdvancedOptions = true,
 }: ProviderModelPickerProps) {
   const { data: aiProviders = [] } = useQuery<AIProviderRow[]>({
     queryKey: ['ai-providers'],
@@ -354,6 +360,14 @@ export default function ProviderModelPicker({
           </select>
         </div>
       )}
+      {kind === 'llm' && showAdvancedOptions && value.provider && (
+        <LLMAdvancedOptionsPanel
+          provider={value.provider}
+          value={value.llm_config ?? null}
+          disabled={disabled}
+          onChange={(llm_config) => onChange({ ...value, llm_config })}
+        />
+      )}
     </div>
   )
 }
diff --git a/frontend/src/components/shared/AIGeneratePanel.tsx b/frontend/src/components/shared/AIGeneratePanel.tsx
index 739a1503..8a1a1812 100644
--- a/frontend/src/components/shared/AIGeneratePanel.tsx
+++ b/frontend/src/components/shared/AIGeneratePanel.tsx
@@ -1,9 +1,11 @@
-import { useState, useEffect, useRef } from 'react'
-import { useQuery, useMutation } from '@tanstack/react-query'
+import { useState, useRef, useEffect } from 'react'
+import { useMutation, useQuery } from '@tanstack/react-query'
 import { Sparkles, Loader2, Bot, ChevronDown } from 'lucide-react'
 import { apiClient } from '../../lib/api'
 import { getProviderLabel, getProviderLogo } from '../../config/providers'
 import { ModelProvider } from '../../types/api'
+import LLMAdvancedOptionsPanel from '../providers/LLMAdvancedOptionsPanel'
+import type { LLMGenerationConfig } from '../../config/llmGenerationParams'
 
 interface AIProvider {
   id: string
@@ -29,6 +31,7 @@ interface AIGeneratePanelProps {
     format_style?: string
     provider?: string
     model?: string
+    llm_config?: LLMGenerationConfig | null
   }) => Promise<{ content: string }>
   title?: string
   placeholder?: string
@@ -48,6 +51,7 @@ export default function AIGeneratePanel({
   const [format, setFormat] = useState('structured')
   const [provider, setProvider] = useState('')
   const [model, setModel] = useState('')
+  const [llmConfig, setLlmConfig] = useState<LLMGenerationConfig | null>(null)
   const [showProviderDropdown, setShowProviderDropdown] = useState(false)
   const providerDropdownRef = useRef<HTMLDivElement>(null)
 
@@ -100,6 +104,7 @@ export default function AIGeneratePanel({
       format_style: showToneAndFormat ? format : undefined,
       ...(provider ? { provider } : {}),
       ...(model ? { model } : {}),
+      ...(llmConfig ? { llm_config: llmConfig } : {}),
     })
   }
 
@@ -242,6 +247,15 @@ export default function AIGeneratePanel({
           </select>
         </div>
       </div>
+
+      {provider && (
+        <LLMAdvancedOptionsPanel
+          provider={provider}
+          value={llmConfig}
+          onChange={setLlmConfig}
+          className="mb-2"
+        />
+      )}
       
       <div className="flex items-center gap-2 justify-end">
         <button
diff --git a/frontend/src/config/llmGenerationParams.ts b/frontend/src/config/llmGenerationParams.ts
new file mode 100644
index 00000000..189cb8e9
--- /dev/null
+++ b/frontend/src/config/llmGenerationParams.ts
@@ -0,0 +1,168 @@
+/** Provider-aware visibility for LLM advanced generation parameters. */
+
+export type LLMGenerationParamKey =
+  | 'temperature'
+  | 'max_tokens'
+  | 'top_p'
+  | 'top_k'
+  | 'frequency_penalty'
+  | 'presence_penalty'
+  | 'seed'
+
+export interface LLMGenerationParamMeta {
+  key: LLMGenerationParamKey
+  label: string
+  min?: number
+  max?: number
+  step?: number
+  integer?: boolean
+  placeholder?: string
+  helpText?: string
+}
+
+export interface LLMGenerationConfig {
+  temperature?: number | null
+  max_tokens?: number | null
+  top_p?: number | null
+  top_k?: number | null
+  frequency_penalty?: number | null
+  presence_penalty?: number | null
+  seed?: number | null
+}
+
+const COMMON_PARAMS: LLMGenerationParamMeta[] = [
+  {
+    key: 'temperature',
+    label: 'Temperature',
+    min: 0,
+    max: 2,
+    step: 0.1,
+    placeholder: 'Default',
+    helpText: 'Higher values make output more random; lower values more focused.',
+  },
+  {
+    key: 'max_tokens',
+    label: 'Max Tokens',
+    min: 1,
+    step: 1,
+    integer: true,
+    placeholder: 'Default',
+    helpText: 'Maximum number of tokens to generate.',
+  },
+  {
+    key: 'top_p',
+    label: 'Top P',
+    min: 0,
+    max: 1,
+    step: 0.05,
+    placeholder: 'Default',
+    helpText: 'Nucleus sampling: consider tokens with cumulative probability up to this value.',
+  },
+  {
+    key: 'top_k',
+    label: 'Top K',
+    min: 0,
+    step: 1,
+    integer: true,
+    placeholder: 'Default',
+    helpText: 'Limit sampling to the K most likely next tokens.',
+  },
+  {
+    key: 'frequency_penalty',
+    label: 'Frequency Penalty',
+    min: -2,
+    max: 2,
+    step: 0.1,
+    placeholder: 'Default',
+  },
+  {
+    key: 'presence_penalty',
+    label: 'Presence Penalty',
+    min: -2,
+    max: 2,
+    step: 0.1,
+    placeholder: 'Default',
+  },
+  {
+    key: 'seed',
+    label: 'Seed',
+    min: 0,
+    step: 1,
+    integer: true,
+    placeholder: 'Default',
+    helpText: 'Random seed for reproducible outputs (when supported).',
+  },
+]
+
+/** Providers that ignore top_k at the API level. */
+const NO_TOP_K = new Set([
+  'openai',
+  'azure',
+  'groq',
+  'deepseek',
+  'xai',
+  'fireworks',
+  'openrouter',
+  'cohere',
+  'mistral',
+  'meta',
+  'together',
+  'perplexity',
+  'aws',
+])
+
+/** Anthropic caps temperature at 1.0. */
+const TEMP_MAX_1 = new Set(['anthropic'])
+
+/** Providers without OpenAI-style frequency/presence penalties. */
+const NO_PENALTIES = new Set(['anthropic', 'google'])
+
+export function getVisibleLLMParams(provider: string | null | undefined): LLMGenerationParamMeta[] {
+  const key = (provider || '').toLowerCase()
+  return COMMON_PARAMS.filter((param) => {
+    if (param.key === 'top_k' && NO_TOP_K.has(key)) return false
+    if (
+      (param.key === 'frequency_penalty' || param.key === 'presence_penalty') &&
+      NO_PENALTIES.has(key)
+    ) {
+      return false
+    }
+    return true
+  }).map((param) => {
+    if (param.key === 'temperature' && TEMP_MAX_1.has(key)) {
+      return { ...param, max: 1 }
+    }
+    return param
+  })
+}
+
+export function isLLMGenerationConfigEmpty(
+  config: LLMGenerationConfig | null | undefined,
+): boolean {
+  if (!config) return true
+  return !Object.values(config).some((v) => v !== null && v !== undefined && v !== '')
+}
+
+export function summarizeLLMConfig(
+  config: LLMGenerationConfig | null | undefined,
+): string {
+  if (!config || isLLMGenerationConfigEmpty(config)) return ''
+  const parts: string[] = []
+  if (config.temperature != null) parts.push(`temp ${config.temperature}`)
+  if (config.top_p != null) parts.push(`top_p ${config.top_p}`)
+  if (config.top_k != null) parts.push(`top_k ${config.top_k}`)
+  if (config.max_tokens != null) parts.push(`max ${config.max_tokens}`)
+  return parts.slice(0, 3).join(' · ')
+}
+
+export function normalizeLLMConfig(
+  config: LLMGenerationConfig | null | undefined,
+): LLMGenerationConfig | null {
+  if (!config) return null
+  const cleaned: LLMGenerationConfig = {}
+  for (const [key, value] of Object.entries(config)) {
+    if (value === null || value === undefined || value === '') continue
+    ;(cleaned as Record<string, number>)[key] = Number(value)
+  }
+  return isLLMGenerationConfigEmpty(cleaned) ? null : cleaned
+}
diff --git a/frontend/src/lib/api.ts b/frontend/src/lib/api.ts
index 67d09be4..724ed02e 100644
--- a/frontend/src/lib/api.ts
+++ b/frontend/src/lib/api.ts
@@ -46,6 +46,7 @@ import type {
   CallImportTranscribeResponse,
   CallImportRetryFailedRowsResponse,
   Workspace,
+  LLMGenerationConfig,
 } from '../types/api'
 
 export interface EnterpriseFeatureMeta {
@@ -837,6 +838,7 @@ class ApiClient {
     model: string
     temperature?: number
     max_tokens?: number
+    llm_config?: LLMGenerationConfig | null
   }): Promise<{
     text: string
     model: string
@@ -1498,6 +1500,7 @@ class ApiClient {
       llm_provider?: string | null
       llm_model?: string | null
       llm_credential_id?: string | null
+      llm_config?: LLMGenerationConfig | null
       /** Per-metric LLM override map keyed by metric UUID. */
       metric_llm_overrides?: Record<string, CallImportEvaluationLLMOverride> | null
       /** When true, diarize rows missing transcripts before evaluation. */
@@ -2124,6 +2127,7 @@ class ApiClient {
       llmProvider?: string | null
       llmModel?: string | null
       llmCredentialId?: string | null
+      llmConfig?: LLMGenerationConfig | null
       sttProvider?: string | null
       sttModel?: string | null
       sttCredentialId?: string | null
@@ -2153,6 +2157,9 @@ class ApiClient {
     if (options?.llmCredentialId !== undefined) {
       body.llm_credential_id = options.llmCredentialId
     }
+    if (options?.llmConfig !== undefined) {
+      body.llm_config = options.llmConfig
+    }
     if (options?.sttProvider) body.stt_provider = options.sttProvider
     if (options?.sttModel) body.stt_model = options.sttModel
     if (options?.sttCredentialId !== undefined) {
@@ -3436,6 +3443,7 @@ class ApiClient {
     count?: number
     length?: string
     temperature?: number
+    llm_config?: LLMGenerationConfig | null
   }): Promise<{ samples: string[]; provider: string; model: string }> {
     const response = await this.client.post('/api/v1/voice-playground/generate-samples', params)
     return response.data
@@ -3712,6 +3720,7 @@ class ApiClient {
     format_style?: string
     provider?: string
     model?: string
+    llm_config?: LLMGenerationConfig | null
   }): Promise<{ content: string; provider: string; model: string }> {
     const response = await this.client.post('/api/v1/prompt-partials/generate', data)
     return response.data
@@ -3722,6 +3731,7 @@ class ApiClient {
     instructions?: string
     provider?: string
     model?: string
+    llm_config?: LLMGenerationConfig | null
   }): Promise<{ content: string; provider: string; model: string }> {
     const response = await this.client.post('/api/v1/prompt-partials/improve', data)
     return response.data
diff --git a/frontend/src/pages/callImports/CallImportDetail.tsx b/frontend/src/pages/callImports/CallImportDetail.tsx
index 2fe2feee..7c3fb670 100644
--- a/frontend/src/pages/callImports/CallImportDetail.tsx
+++ b/frontend/src/pages/callImports/CallImportDetail.tsx
@@ -4528,6 +4528,11 @@ export default function CallImportDetail() {
                                 provider: val.provider,
                                 model: val.model,
                                 credential_id: val.credential_id || null,
+                                llm_config: val.llm_config || null,
+                              }
+                            } else if (val.llm_config) {
+                              overrides[mid] = {
+                                llm_config: val.llm_config,
                               }
                             }
                           }
@@ -4540,6 +4545,7 @@ export default function CallImportDetail() {
                             llm_provider: runLLM.provider || null,
                             llm_model: runLLM.model || null,
                             llm_credential_id: runLLM.credential_id || null,
+                            llm_config: runLLM.llm_config || null,
                             metric_llm_overrides: Object.keys(overrides).length
                               ? overrides
                               : null,
diff --git a/frontend/src/pages/callImports/CallImportEvaluationDetail.tsx b/frontend/src/pages/callImports/CallImportEvaluationDetail.tsx
index 2c6c7dd8..60bab397 100644
--- a/frontend/src/pages/callImports/CallImportEvaluationDetail.tsx
+++ b/frontend/src/pages/callImports/CallImportEvaluationDetail.tsx
@@ -1053,6 +1053,7 @@ export default function CallImportEvaluationDetail() {
       provider: evaluation.llm_provider ?? null,
       model: evaluation.llm_model ?? null,
       credential_id: evaluation.llm_credential_id ?? null,
+      llm_config: evaluation.llm_config ?? null,
     })
     setRerunMetricIds(new Set())
     setRerunError(null)
@@ -1078,25 +1079,25 @@ export default function CallImportEvaluationDetail() {
         rerunLLM.provider !== (evaluation?.llm_provider ?? null) ||
         rerunLLM.model !== (evaluation?.llm_model ?? null) ||
         (rerunLLM.credential_id ?? null) !==
-          (evaluation?.llm_credential_id ?? null)
+          (evaluation?.llm_credential_id ?? null) ||
+        JSON.stringify(rerunLLM.llm_config ?? null) !==
+          JSON.stringify(evaluation?.llm_config ?? null)
       return apiClient.retryCallImportEvaluation(id!, evalId!, {
         metricIds,
-        // ``include_completed`` would be auto-flipped server-side
-        // when ``metricIds`` is set; sending it explicitly here
-        // makes the intent obvious in the network tab.
         includeCompleted: true,
         llmProvider:
           llmChanged && rerunLLM.provider && rerunLLM.model
             ? rerunLLM.provider
             : undefined,
         llmModel:
-          llmChanged && rerunLLM.provider && rerunLLM.model
+          llmChanged && rerunLLM.model && rerunLLM.provider
             ? rerunLLM.model
             : undefined,
         llmCredentialId:
           llmChanged && rerunLLM.provider && rerunLLM.model
             ? rerunLLM.credential_id ?? null
             : undefined,
+        llmConfig: llmChanged ? rerunLLM.llm_config ?? null : undefined,
       })
     },
     onSuccess: () => {
diff --git a/frontend/src/pages/callImports/components/MetricPromptImprovementsPanel.tsx b/frontend/src/pages/callImports/components/MetricPromptImprovementsPanel.tsx
index 82f4aad9..12af70c6 100644
--- a/frontend/src/pages/callImports/components/MetricPromptImprovementsPanel.tsx
+++ b/frontend/src/pages/callImports/components/MetricPromptImprovementsPanel.tsx
@@ -5,6 +5,7 @@ import { AlertTriangle, ExternalLink, GitBranch, Loader2, Sparkles } from 'lucid
 import ReactMarkdown from 'react-markdown'
 
 import AIProviderModelPicker from '../../../components/AIProviderModelPicker'
+import type { LLMGenerationConfig } from '../../../config/llmGenerationParams'
 import { apiClient } from '../../../lib/api'
 import AgentFlowChart from '../../promptPartials/components/AgentFlowChart'
 import type {
@@ -58,6 +59,7 @@ export default function MetricPromptImprovementsPanel({
   const [selectedAgentId, setSelectedAgentId] = useState('')
   const [pickerProvider, setPickerProvider] = useState('')
   const [pickerModel, setPickerModel] = useState('')
+  const [pickerLlmConfig, setPickerLlmConfig] = useState<LLMGenerationConfig | null>(null)
   const [llmPickerTouched, setLlmPickerTouched] = useState(false)
   const [agentPickerTouched, setAgentPickerTouched] = useState(false)
   const [error, setError] = useState<string | null>(null)
@@ -293,6 +295,8 @@ export default function MetricPromptImprovementsPanel({
                 setLlmPickerTouched(true)
                 setPickerModel(next)
               }}
+              llm_config={pickerLlmConfig}
+              onLLMConfigChange={setPickerLlmConfig}
               disabled={generateMutation.isPending}
               size="sm"
             />
diff --git a/frontend/src/pages/configurations/VoiceBundles.tsx b/frontend/src/pages/configurations/VoiceBundles.tsx
index 6b80ec5b..54f8360e 100644
--- a/frontend/src/pages/configurations/VoiceBundles.tsx
+++ b/frontend/src/pages/configurations/VoiceBundles.tsx
@@ -8,6 +8,12 @@ import Button from '../../components/Button'
 import { useToast } from '../../hooks/useToast'
 import { getProviderLabel, getProviderLogo, mapIntegrationToModelProvider } from '../../config/providers'
 import WalkthroughToggleButton from '../../components/walkthrough/WalkthroughToggleButton'
+import LLMAdvancedOptionsPanel from '../../components/providers/LLMAdvancedOptionsPanel'
+import {
+  isLLMGenerationConfigEmpty,
+  summarizeLLMConfig,
+  type LLMGenerationConfig,
+} from '../../config/llmGenerationParams'
 
 export default function VoiceBundles() {
   const queryClient = useQueryClient()
@@ -26,8 +32,7 @@ export default function VoiceBundles() {
     stt_credential_id: null,
     llm_provider: ModelProvider.OPENAI,
     llm_model: 'gpt-4',
-    llm_temperature: 0.7,
-    llm_max_tokens: null,
+    llm_config: { temperature: 0.7 },
     llm_credential_id: null,
     tts_provider: ModelProvider.OPENAI,
     tts_model: 'tts-1',
@@ -239,6 +244,17 @@ export default function VoiceBundles() {
     },
   })
 
+  const bundleLLMConfig = (bundle: VoiceBundle): LLMGenerationConfig | null => {
+    const config: LLMGenerationConfig = { ...(bundle.llm_config || {}) }
+    if (config.temperature == null && bundle.llm_temperature != null) {
+      config.temperature = bundle.llm_temperature
+    }
+    if (config.max_tokens == null && bundle.llm_max_tokens != null) {
+      config.max_tokens = bundle.llm_max_tokens
+    }
+    return isLLMGenerationConfigEmpty(config) ? null : config
+  }
+
   const resetForm = () => {
     const defaultSttProvider = getDefaultProvider(null, 'stt')
     const defaultLlmProvider = getDefaultProvider(null, 'llm')
@@ -257,8 +273,7 @@ export default function VoiceBundles() {
       stt_credential_id: null,
       llm_provider: defaultLlmProvider,
       llm_model: defaultLlmModel,
-      llm_temperature: 0.7,
-      llm_max_tokens: null,
+      llm_config: { temperature: 0.7 },
       llm_credential_id: null,
       tts_provider: defaultTtsProvider,
       tts_model: defaultTtsModel,
@@ -286,8 +301,7 @@ export default function VoiceBundles() {
       stt_credential_id: bundle.stt_credential_id || null,
       llm_provider: bundle.llm_provider ? getDefaultProvider(bundle.llm_provider as ModelProvider, 'llm') : null,
       llm_model: bundle.llm_model || null,
-      llm_temperature: bundle.llm_temperature || 0.7,
-      llm_max_tokens: bundle.llm_max_tokens || null,
+      llm_config: bundleLLMConfig(bundle),
       llm_credential_id: bundle.llm_credential_id || null,
       tts_provider: bundle.tts_provider ? getDefaultProvider(bundle.tts_provider as ModelProvider, 'tts') : null,
       tts_model: bundle.tts_model || null,
@@ -509,10 +523,10 @@ export default function VoiceBundles() {
                             <span className="font-medium">{getProviderLabel(bundle.llm_provider as ModelProvider)}</span>
                             <span className="text-gray-500"> • </span>
                             <span>{bundle.llm_model}</span>
-                            {bundle.llm_temperature && (
+                            {summarizeLLMConfig(bundleLLMConfig(bundle)) && (
                               <>
                                 <span className="text-gray-500"> • </span>
-                                <span>Temp: {bundle.llm_temperature}</span>
+                                <span>{summarizeLLMConfig(bundleLLMConfig(bundle))}</span>
                               </>
                             )}
                           </div>
@@ -1104,33 +1118,18 @@ function VoiceBundleModal({
                     )}
                   </select>
                 </div>
-                <div>
-                  <label htmlFor="llm_temperature" className="block text-sm font-medium text-gray-700 mb-1">
-                    Temperature (0-2)
-                  </label>
-                  <input
-                    id="llm_temperature"
-                    type="number"
-                    min="0"
-                    max="2"
-                    step="0.1"
-                    value={formData.llm_temperature || 0.7}
-                    onChange={(e) => setFormData({ ...formData, llm_temperature: parseFloat(e.target.value) || 0.7 })}
-                    className="w-full px-3 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-primary-500 focus:border-transparent"
-                  />
-                </div>
-                <div>
-                  <label htmlFor="llm_max_tokens" className="block text-sm font-medium text-gray-700 mb-1">
-                    Max Tokens (Optional)
-                  </label>
-                  <input
-                    id="llm_max_tokens"
-                    type="number"
-                    min="1"
-                    value={formData.llm_max_tokens || ''}
-                    onChange={(e) => setFormData({ ...formData, llm_max_tokens: e.target.value ? parseInt(e.target.value) : null })}
-                    className="w-full px-3 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-primary-500 focus:border-transparent"
-                    placeholder="Leave empty for default"
+                <div className="md:col-span-2">
+                  <LLMAdvancedOptionsPanel
+                    provider={formData.llm_provider}
+                    value={formData.llm_config ?? null}
+                    onChange={(llm_config) =>
+                      setFormData({
+                        ...formData,
+                        llm_config,
+                        llm_temperature: null,
+                        llm_max_tokens: null,
+                      })
+                    }
                   />
                 </div>
                 {renderCredentialPicker(
diff --git a/frontend/src/pages/evaluators/evaluators/EvaluatorDetail.tsx b/frontend/src/pages/evaluators/evaluators/EvaluatorDetail.tsx
index a5c76d71..2530434d 100644
--- a/frontend/src/pages/evaluators/evaluators/EvaluatorDetail.tsx
+++ b/frontend/src/pages/evaluators/evaluators/EvaluatorDetail.tsx
@@ -8,6 +8,8 @@ import Button from '../../../components/Button'
 import { ArrowLeft, Edit, Save, X, Phone, Globe, Trash2, AlertCircle, Brain, ChevronDown } from 'lucide-react'
 import { useToast } from '../../../hooks/useToast'
 import { getProviderLabel, getProviderLogo } from '../../../config/providers'
+import LLMAdvancedOptionsPanel from '../../../components/providers/LLMAdvancedOptionsPanel'
+import type { LLMGenerationConfig } from '../../../config/llmGenerationParams'
 
 interface Evaluator {
   id: string
@@ -20,6 +22,7 @@ interface Evaluator {
   metric_ids?: string[] | null
   llm_provider?: string | null
   llm_model?: string | null
+  llm_config?: LLMGenerationConfig | null
   tags?: string[]
   created_at: string
   updated_at: string
@@ -279,6 +282,7 @@ export default function EvaluatorDetail() {
     }
     if (editData.llm_provider) data.llm_provider = editData.llm_provider
     if (editData.llm_model) data.llm_model = editData.llm_model
+    if (editData.llm_config !== undefined) data.llm_config = editData.llm_config
     updateMutation.mutate({ evalId: evaluator.id, data })
   }
 
@@ -879,6 +883,15 @@ export default function EvaluatorDetail() {
                                       )}
                                     </select>
                                   </div>
+                                  <div className="md:col-span-2">
+                                    <LLMAdvancedOptionsPanel
+                                      provider={editData.llm_provider}
+                                      value={editData.llm_config ?? null}
+                                      onChange={(llm_config) =>
+                                        setEditData({ ...editData, llm_config })
+                                      }
+                                    />
+                                  </div>
                                 </>
                               )}
                             </div>
diff --git a/frontend/src/pages/playground/voice/components/SampleTextsPanel.tsx b/frontend/src/pages/playground/voice/components/SampleTextsPanel.tsx
index 42f95f54..5af6d921 100644
--- a/frontend/src/pages/playground/voice/components/SampleTextsPanel.tsx
+++ b/frontend/src/pages/playground/voice/components/SampleTextsPanel.tsx
@@ -8,6 +8,8 @@ import { useToast } from '../../../../hooks/useToast'
 import { AIProvider } from '../../../../types/api'
 import { useVoicePlayground } from '../context'
 import { DEFAULT_SAMPLE_TEXTS } from '../types'
+import LLMAdvancedOptionsPanel from '../../../../components/providers/LLMAdvancedOptionsPanel'
+import type { LLMGenerationConfig } from '../../../../config/llmGenerationParams'
 
 interface PromptPartial {
   id: string
@@ -58,6 +60,7 @@ export default function SampleTextsPanel() {
 
   const [selectedLlmProvider, setSelectedLlmProvider] = useState('')
   const [selectedLlmModel, setSelectedLlmModel] = useState('')
+  const [sampleLlmConfig, setSampleLlmConfig] = useState<LLMGenerationConfig | null>(null)
   const { showToast, ToastContainer } = useToast()
 
   const { data: aiProviders = [] } = useQuery<AIProvider[]>({
@@ -528,6 +531,14 @@ export default function SampleTextsPanel() {
               </div>
             </div>
 
+            {selectedLlmProvider && (
+              <LLMAdvancedOptionsPanel
+                provider={selectedLlmProvider}
+                value={sampleLlmConfig}
+                onChange={setSampleLlmConfig}
+              />
+            )}
+
             <div className="flex justify-end">
               <button
                 onClick={() =>
@@ -537,6 +548,7 @@ export default function SampleTextsPanel() {
                     scenario: aiScenario || undefined,
                     count: aiSampleCount,
                     length: aiSampleLength,
+                    llm_config: sampleLlmConfig || undefined,
                   })
                 }
                 disabled={generateSamplesMutation.isPending || !selectedLlmProvider || !selectedLlmModel}
diff --git a/frontend/src/pages/playground/voice/context/VoicePlaygroundContext.tsx b/frontend/src/pages/playground/voice/context/VoicePlaygroundContext.tsx
index c186ccfc..bdf90c1d 100644
--- a/frontend/src/pages/playground/voice/context/VoicePlaygroundContext.tsx
+++ b/frontend/src/pages/playground/voice/context/VoicePlaygroundContext.tsx
@@ -6,7 +6,7 @@ import type {
   VoicePlaygroundSourceType,
   VoicePlaygroundBlindTestPair,
 } from '../../../../lib/api'
-import { VoiceBundle } from '../../../../types/api'
+import { VoiceBundle, LLMGenerationConfig } from '../../../../types/api'
 import {
   TTSVoice,
   TTSProvider,
@@ -155,7 +155,7 @@ interface VoicePlaygroundContextType {
   setAiSampleCount: (count: number) => void
   aiSampleLength: 'short' | 'medium' | 'long' | 'paragraph'
   setAiSampleLength: (length: 'short' | 'medium' | 'long' | 'paragraph') => void
-  generateSamplesMutation: ReturnType<typeof useMutation<{ samples: string[] }, Error, { voice_bundle_id?: string; provider?: string; model?: string; scenario?: string; count?: number; length?: string }>>
+  generateSamplesMutation: ReturnType<typeof useMutation<{ samples: string[] }, Error, { voice_bundle_id?: string; provider?: string; model?: string; scenario?: string; count?: number; length?: string; llm_config?: LLMGenerationConfig | null }>>
 
   // Active comparison
   step: PlaygroundStep
diff --git a/frontend/src/pages/promptPartials/PromptPartials.tsx b/frontend/src/pages/promptPartials/PromptPartials.tsx
index b1dc1f90..15ac774b 100644
--- a/frontend/src/pages/promptPartials/PromptPartials.tsx
+++ b/frontend/src/pages/promptPartials/PromptPartials.tsx
@@ -30,6 +30,7 @@ import {
 } from 'lucide-react'
 import { format } from 'date-fns'
 import AIProviderModelPicker from '../../components/AIProviderModelPicker'
+import type { LLMGenerationConfig } from '../../config/llmGenerationParams'
 import AgentFlowChart from './components/AgentFlowChart'
 import MetricPartialEditor from './components/MetricPartialEditor'
 import AgentPromptSectionView, {
@@ -233,6 +234,7 @@ export default function PromptPartials() {
   const [showAIGenerateModal, setShowAIGenerateModal] = useState(false)
   const [pickerProvider, setPickerProvider] = useState('')
   const [pickerModel, setPickerModel] = useState('')
+  const [pickerLlmConfig, setPickerLlmConfig] = useState<LLMGenerationConfig | null>(null)
   const [llmPickerTouched, setLlmPickerTouched] = useState(false)
   const [flowchartError, setFlowchartError] = useState<string | null>(null)
   const [selectedFlowNodeId, setSelectedFlowNodeId] = useState<string | null>(null)
@@ -879,6 +881,8 @@ export default function PromptPartials() {
                             setLlmPickerTouched(true)
                             setPickerModel(next)
                           }}
+                          llm_config={pickerLlmConfig}
+                          onLLMConfigChange={setPickerLlmConfig}
                           disabled={
                             flowchartMutation.isPending || mapPromptSectionsMutation.isPending
                           }
diff --git a/frontend/src/pages/scenarios/Scenarios.tsx b/frontend/src/pages/scenarios/Scenarios.tsx
index 41608e7a..d5c86ee3 100644
--- a/frontend/src/pages/scenarios/Scenarios.tsx
+++ b/frontend/src/pages/scenarios/Scenarios.tsx
@@ -7,6 +7,8 @@ import Button from '../../components/Button'
 import { useToast } from '../../hooks/useToast'
 import { AIProvider, ModelProvider } from '../../types/api'
 import { getProviderLabel, getProviderLogo } from '../../config/providers'
+import LLMAdvancedOptionsPanel from '../../components/providers/LLMAdvancedOptionsPanel'
+import type { LLMGenerationConfig } from '../../config/llmGenerationParams'
 import { useWalkthroughSectionState } from '../../context/WalkthroughContext'
 import WalkthroughToggleButton from '../../components/walkthrough/WalkthroughToggleButton'
 
@@ -62,6 +64,7 @@ export default function Scenarios() {
   // Shared AI generation selectors
   const [selectedAIProvider, setSelectedAIProvider] = useState<ModelProvider | null>(null)
   const [selectedModel, setSelectedModel] = useState<string>('')
+  const [llmConfig, setLlmConfig] = useState<LLMGenerationConfig | null>(null)
   const [showProviderDropdown, setShowProviderDropdown] = useState(false)
   const providerDropdownRef = useRef<HTMLDivElement>(null)
   const [selectedAgentIdForGeneration, setSelectedAgentIdForGeneration] = useState('')
@@ -342,7 +345,7 @@ export default function Scenarios() {
         messages: messages as Array<{ role: string; content: string }>,
         provider: selectedAIProvider,
         model: selectedModel,
-        temperature: 0.7,
+        llm_config: llmConfig,
       })
 
       const drafts = parseScenarioDraftsFromResponse(response.text)
@@ -493,7 +496,7 @@ export default function Scenarios() {
         ],
         provider: selectedAIProvider,
         model: selectedModel,
-        temperature: 0.7,
+        llm_config: llmConfig,
       })
 
       setFormData((prev) => ({
@@ -866,6 +869,15 @@ export default function Scenarios() {
                         ))}
                       </select>
                     </div>
+                    {selectedAIProvider && (
+                      <div className="md:col-span-2">
+                        <LLMAdvancedOptionsPanel
+                          provider={selectedAIProvider}
+                          value={llmConfig}
+                          onChange={setLlmConfig}
+                        />
+                      </div>
+                    )}
                   </div>
 
                   <div>
@@ -1285,6 +1297,15 @@ export default function Scenarios() {
                         ))}
                       </select>
                     </div>
+                    {selectedAIProvider && (
+                      <div className="md:col-span-2">
+                        <LLMAdvancedOptionsPanel
+                          provider={selectedAIProvider}
+                          value={llmConfig}
+                          onChange={setLlmConfig}
+                        />
+                      </div>
+                    )}
                   </div>
                   <div className="flex justify-end">
                     <Button
diff --git a/frontend/src/types/api.ts b/frontend/src/types/api.ts
index 5e7fdb6a..d645298e 100644
--- a/frontend/src/types/api.ts
+++ b/frontend/src/types/api.ts
@@ -1,5 +1,8 @@
 // API Types matching the backend schemas
 
+export type { LLMGenerationConfig } from '../config/llmGenerationParams'
+import type { LLMGenerationConfig } from '../config/llmGenerationParams'
+
 export enum EvaluationType {
   ASR = 'asr',
   TTS = 'tts',
@@ -1034,11 +1037,12 @@ export interface CallImportMetricSummary {
   allow_discovery?: boolean
 }
 
-/** Per-metric LLM override (provider+model+optional credential). */
+/** Per-metric LLM override (provider+model+optional credential + generation params). */
 export interface CallImportEvaluationLLMOverride {
   provider?: string | null
   model?: string | null
   credential_id?: string | null
+  llm_config?: LLMGenerationConfig | null
 }
 
 export interface CallImportEvaluation {
@@ -1060,6 +1064,7 @@ export interface CallImportEvaluation {
   llm_provider: string | null
   llm_model: string | null
   llm_credential_id: string | null
+  llm_config?: LLMGenerationConfig | null
   metric_llm_overrides: Record<string, CallImportEvaluationLLMOverride> | null
   stt_provider: string | null
   stt_model: string | null
diff --git a/tests/test_api/conftest.py b/tests/test_api/conftest.py
index def88fc7..3673fe4c 100644
--- a/tests/test_api/conftest.py
+++ b/tests/test_api/conftest.py
@@ -297,7 +297,9 @@ def user_context(db_session, org_id, api_key, seed_org, make_user):
         if user.email != "owner@example.com":
             user.email = "owner@example.com"
             user.name = "Org Owner"
-            db_session.commit()
+        if existing_key.name != "Owner API Key":
+            existing_key.name = "Owner API Key"
+        db_session.commit()
         return {"user": user, "membership": membership, "api_key_record": existing_key}
 
     user = make_user(email="owner@example.com", name="Org Owner")
diff --git a/tests/test_services/test_ai/test_llm_generation_config.py b/tests/test_services/test_ai/test_llm_generation_config.py
new file mode 100644
index 00000000..64f00dee
--- /dev/null
+++ b/tests/test_services/test_ai/test_llm_generation_config.py
@@ -0,0 +1,57 @@
+"""Tests for LLM generation config merge helpers."""
+
+from app.services.ai.llm_generation_config import (
+    build_litellm_kwargs,
+    merge_llm_config,
+    resolve_effective_llm_config,
+)
+
+
+def test_merge_llm_config_prefers_primary_over_legacy():
+    merged = merge_llm_config(
+        {"temperature": 0.2, "top_p": 0.9},
+        legacy_temperature=0.7,
+        legacy_max_tokens=500,
+    )
+    assert merged["temperature"] == 0.2
+    assert merged["top_p"] == 0.9
+    assert merged["max_tokens"] == 500
+
+
+def test_merge_llm_config_fills_legacy_when_missing():
+    merged = merge_llm_config(
+        None,
+        legacy_temperature=0.7,
+        legacy_max_tokens=128,
+    )
+    assert merged == {"temperature": 0.7, "max_tokens": 128}
+
+
+def test_resolve_effective_llm_config_override_wins():
+    effective = resolve_effective_llm_config(
+        llm_config={"temperature": 0.5},
+        override_llm_config={"top_p": 0.8},
+        task_defaults={"temperature": 0.3},
+    )
+    assert effective["temperature"] == 0.5
+    assert effective["top_p"] == 0.8
+
+
+def test_build_litellm_kwargs_splits_extra_config():
+    kwargs = build_litellm_kwargs(
+        llm_config={"temperature": 0.4, "top_k": 40},
+        task_defaults={"temperature": 0.3, "max_tokens": 1000},
+    )
+    assert kwargs["temperature"] == 0.4
+    assert kwargs["max_tokens"] == 1000
+    assert kwargs["config"] == {"top_k": 40}
+
+
+def test_build_litellm_kwargs_metric_override_inheritance():
+    kwargs = build_litellm_kwargs(
+        llm_config={"temperature": 0.5},
+        override_llm_config={"top_p": 0.95},
+        task_defaults={"temperature": 0.3},
+    )
+    assert kwargs["temperature"] == 0.5
+    assert kwargs["config"] == {"top_p": 0.95}

From 0ccb935c45c150c94e877ca2b4df36e472675b77 Mon Sep 17 00:00:00 2001
From: Tejas Narayan <stejasnarayan@gmail.com>
Date: Fri, 12 Jun 2026 14:01:14 +0000
Subject: [PATCH 06/12] fix: fixing vulnerabilities

---
 app/api/v1/routes/data_sources.py             |  46 +++++--
 app/api/v1/routes/manual_evaluations.py       |  16 +--
 app/config.py                                 |  22 +++
 app/core/auth/external_oidc.py                |   6 +
 app/core/auth/oidc_common.py                  |   7 +-
 app/main.py                                   |  12 +-
 app/services/storage/blob_paths.py            |  20 +++
 .../docs/getting-started/authentication.mdx   |   7 +-
 env.example                                   |   4 +-
 tests/test_api/test_data_sources_routes.py    |  89 ++++++++++++-
 .../test_manual_evaluations_routes.py         |  43 +++++-
 tests/test_core/test_oidc_config.py           | 125 ++++++++++++++++++
 .../test_storage/test_blob_paths.py           |  46 +++++++
 13 files changed, 410 insertions(+), 33 deletions(-)
 create mode 100644 tests/test_core/test_oidc_config.py
 create mode 100644 tests/test_services/test_storage/test_blob_paths.py

diff --git a/app/api/v1/routes/data_sources.py b/app/api/v1/routes/data_sources.py
index 4f7599a5..ce96497a 100644
--- a/app/api/v1/routes/data_sources.py
+++ b/app/api/v1/routes/data_sources.py
@@ -8,6 +8,7 @@
 
 from app.dependencies import get_api_key, get_organization_id
 from app.models.schemas import MessageResponse, S3ListFilesResponse, S3FileInfo, S3BrowseResponse, S3FolderInfo
+from app.services.storage.blob_paths import assert_key_belongs_to_org
 from app.services.storage.s3_service import s3_service
 from app.core.exceptions import StorageError
 from uuid import UUID
@@ -206,7 +207,11 @@ async def upload_to_s3(
         )
 
 @router.get("/files/{file_key:path}/download", operation_id="downloadFromS3")
-async def download_from_s3(file_key: str, api_key: str = Depends(get_api_key)):
+async def download_from_s3(
+    file_key: str,
+    api_key: str = Depends(get_api_key),
+    organization_id: UUID = Depends(get_organization_id),
+):
     """Download a file from the S3 bucket."""
     if not s3_service.is_enabled():
         raise HTTPException(
@@ -215,13 +220,20 @@ async def download_from_s3(file_key: str, api_key: str = Depends(get_api_key)):
         )
     
     try:
-        file_bytes = s3_service.download_file_by_key(file_key)
-        filename = file_key.split("/")[-1]
+        validated_key = assert_key_belongs_to_org(
+            file_key,
+            organization_id,
+            storage_prefix=s3_service.prefix,
+        )
+        file_bytes = s3_service.download_file_by_key(validated_key)
+        filename = validated_key.split("/")[-1]
         return StreamingResponse(
             io.BytesIO(file_bytes),
             media_type="application/octet-stream",
             headers={"Content-Disposition": f"attachment; filename=\"{filename}\""}
         )
+    except HTTPException:
+        raise
     except StorageError as e:
         if "not found" in str(e).lower():
             raise HTTPException(
@@ -250,6 +262,7 @@ async def get_s3_presigned_url(
     file_key: str,
     expiration: int = 3600,
     api_key: str = Depends(get_api_key),
+    organization_id: UUID = Depends(get_organization_id),
 ):
     """Get presigned URL for S3 file playback/access."""
     if not s3_service.is_enabled():
@@ -259,10 +272,16 @@ async def get_s3_presigned_url(
         )
     
     try:
-        import urllib.parse
-        decoded_key = urllib.parse.unquote(file_key)
-        url = s3_service.generate_presigned_url_by_key(decoded_key, expiration=expiration)
+        validated_key = assert_key_belongs_to_org(
+            file_key,
+            organization_id,
+            storage_prefix=s3_service.prefix,
+            decode=True,
+        )
+        url = s3_service.generate_presigned_url_by_key(validated_key, expiration=expiration)
         return PresignedUrlResponse(url=url, expires_in=expiration)
+    except HTTPException:
+        raise
     except StorageError as e:
         if "not found" in str(e).lower():
             raise HTTPException(
@@ -281,7 +300,11 @@ async def get_s3_presigned_url(
 
 
 @router.delete("/files/{file_key:path}", response_model=MessageResponse, operation_id="deleteFromS3")
-async def delete_from_s3(file_key: str, api_key: str = Depends(get_api_key)):
+async def delete_from_s3(
+    file_key: str,
+    api_key: str = Depends(get_api_key),
+    organization_id: UUID = Depends(get_organization_id),
+):
     """Delete a file from the S3 bucket."""
     if not s3_service.is_enabled():
         raise HTTPException(
@@ -290,8 +313,15 @@ async def delete_from_s3(file_key: str, api_key: str = Depends(get_api_key)):
         )
     
     try:
-        s3_service.delete_file_by_key(file_key)
+        validated_key = assert_key_belongs_to_org(
+            file_key,
+            organization_id,
+            storage_prefix=s3_service.prefix,
+        )
+        s3_service.delete_file_by_key(validated_key)
         return {"message": "File deleted successfully."}
+    except HTTPException:
+        raise
     except StorageError as e:
         if "not found" in str(e).lower():
             raise HTTPException(
diff --git a/app/api/v1/routes/manual_evaluations.py b/app/api/v1/routes/manual_evaluations.py
index 4811114e..e88be1e6 100644
--- a/app/api/v1/routes/manual_evaluations.py
+++ b/app/api/v1/routes/manual_evaluations.py
@@ -11,6 +11,7 @@
 from app.models.database import ManualTranscription, ModelProvider, AudioFile
 from app.models.schemas import MessageResponse, S3ListFilesResponse, S3FileInfo
 from app.services.ai.transcription_service import transcription_service
+from app.services.storage.blob_paths import assert_key_belongs_to_org
 from app.services.storage.s3_service import s3_service
 
 router = APIRouter(prefix="/manual-evaluations", tags=["Manual Evaluations"])
@@ -124,14 +125,13 @@ async def get_presigned_url(
         )
     
     try:
-        from urllib.parse import unquote
-        decoded_key = unquote(file_key)
-        
-        # Verify file exists in S3 (we skip DB check since we are listing from S3 directly)
-        # In a stricter environment, we might want to verify ownership if files are namespaced by org
-        
-        # Generate presigned URL
-        url = s3_service.generate_presigned_url_by_key(decoded_key, expiration=expiration)
+        validated_key = assert_key_belongs_to_org(
+            file_key,
+            organization_id,
+            storage_prefix=s3_service.prefix,
+            decode=True,
+        )
+        url = s3_service.generate_presigned_url_by_key(validated_key, expiration=expiration)
         
         return PresignedUrlResponse(url=url, expires_in=expiration)
     except HTTPException:
diff --git a/app/config.py b/app/config.py
index 368518ba..4adb412b 100644
--- a/app/config.py
+++ b/app/config.py
@@ -275,6 +275,28 @@ def __init__(self, **kwargs):
             self.CELERY_RESULT_BACKEND = self.REDIS_URL
 
 
+def validate_auth_configuration() -> None:
+    """Fail fast when external OIDC is licensed and enabled but misconfigured."""
+    from app.core.license import has_auth_feature
+
+    providers = {p.strip().lower() for p in (settings.AUTH_PROVIDERS or [])}
+    if "external_oidc" not in providers:
+        return
+    # Listing external_oidc in providers alone does not activate SSO — the
+    # enterprise license must include oidc_sso (same gate as ExternalOIDCProvider).
+    if not has_auth_feature("oidc_sso"):
+        return
+    missing = []
+    if not settings.AUTH_OIDC_ISSUER:
+        missing.append("AUTH_OIDC_ISSUER")
+    if not settings.AUTH_OIDC_AUDIENCE:
+        missing.append("AUTH_OIDC_AUDIENCE")
+    if missing:
+        raise RuntimeError(
+            f"external_oidc is enabled but required settings are missing: {', '.join(missing)}"
+        )
+
+
 def load_config_from_file(config_path: str) -> None:
     """Load configuration from a YAML file and update global settings."""
     import yaml
diff --git a/app/core/auth/external_oidc.py b/app/core/auth/external_oidc.py
index 2641ed50..7d282088 100644
--- a/app/core/auth/external_oidc.py
+++ b/app/core/auth/external_oidc.py
@@ -59,6 +59,12 @@ def authenticate(self, cred: RawCredential, db: Session) -> Principal:
                 status_code=500,
             )
 
+        if not audience:
+            raise AuthError(
+                "AUTH_OIDC_AUDIENCE must be configured for external OIDC.",
+                status_code=500,
+            )
+
         # Derive a sensible default JWKS URI when the operator didn't set one.
         if not jwks_uri:
             jwks_uri = issuer.rstrip("/") + "/.well-known/jwks.json"
diff --git a/app/core/auth/oidc_common.py b/app/core/auth/oidc_common.py
index 225e6d5a..a455db23 100644
--- a/app/core/auth/oidc_common.py
+++ b/app/core/auth/oidc_common.py
@@ -82,6 +82,9 @@ def verify_jwt(
     Matches the key by `kid`. Falls back to trying every key if `kid` is
     missing - this happens with some cloud IdPs on signature rollover.
     """
+    if not audience:
+        raise AuthError("OIDC audience is not configured")
+
     keys = fetch_jwks(jwks_uri)
     try:
         header = jwt.get_unverified_header(token)
@@ -98,16 +101,12 @@ def verify_jwt(
     last_error: Optional[Exception] = None
     for key in candidate_keys:
         try:
-            options = {}
-            if audience is None:
-                options["verify_aud"] = False
             return jwt.decode(
                 token,
                 key,
                 algorithms=[key.get("alg", "RS256")],
                 issuer=issuer,
                 audience=audience,
-                options=options,
             )
         except JWTError as e:
             last_error = e
diff --git a/app/main.py b/app/main.py
index 704ddbcd..9c4a5a74 100644
--- a/app/main.py
+++ b/app/main.py
@@ -9,7 +9,7 @@
 from fastapi.responses import FileResponse
 from fastapi.staticfiles import StaticFiles
 
-from app.config import load_config_from_file, settings
+from app.config import load_config_from_file, settings, validate_auth_configuration
 from app.core.migration_middleware import MigrationCheckMiddleware
 from app.core.migrations import check_migrations_status, ensure_migrations_directory, run_migrations
 from app.core.rbac_middleware import ReaderReadOnlyMiddleware
@@ -44,6 +44,16 @@ async def lifespan(app: FastAPI):
 
     ensure_migrations_directory()
 
+    try:
+        validate_auth_configuration()
+        logger.info("Authentication configuration validated")
+    except Exception as e:
+        logger.error("=" * 60)
+        logger.error("CRITICAL: Authentication configuration is invalid!")
+        logger.error("=" * 60)
+        logger.error(f"Error: {e}")
+        raise
+
     try:
         init_db()
         logger.info("Database tables initialized")
diff --git a/app/services/storage/blob_paths.py b/app/services/storage/blob_paths.py
index 9494bb27..865ef042 100644
--- a/app/services/storage/blob_paths.py
+++ b/app/services/storage/blob_paths.py
@@ -1,8 +1,11 @@
 """Shared object key/path helpers for cloud blob storage backends."""
 
 from typing import Optional
+from urllib.parse import unquote
 import uuid
 
+from fastapi import HTTPException
+
 
 def normalize_prefix(prefix: str) -> str:
     """Ensure prefix ends with a single trailing slash."""
@@ -37,6 +40,23 @@ def get_organization_root_prefix(prefix: str, organization_id: str) -> str:
     return f"{normalize_prefix(prefix)}organizations/{organization_id}/"
 
 
+def assert_key_belongs_to_org(
+    file_key: str,
+    organization_id: uuid.UUID,
+    *,
+    storage_prefix: str,
+    decode: bool = False,
+) -> str:
+    """Validate that a blob key belongs to the caller's organization namespace."""
+    key = unquote(file_key) if decode else file_key
+    if "\x00" in key or "/../" in f"/{key}/" or key.startswith("../"):
+        raise HTTPException(status_code=403, detail="Access denied")
+    expected = get_organization_root_prefix(storage_prefix, str(organization_id))
+    if not key.startswith(expected):
+        raise HTTPException(status_code=403, detail="Access denied")
+    return key
+
+
 def content_type_for_format(file_format: str) -> str:
     """Map audio file extension to MIME content type."""
     content_type_map = {
diff --git a/docs-fumadocs/content/docs/getting-started/authentication.mdx b/docs-fumadocs/content/docs/getting-started/authentication.mdx
index 992f2403..f350b8bc 100644
--- a/docs-fumadocs/content/docs/getting-started/authentication.mdx
+++ b/docs-fumadocs/content/docs/getting-started/authentication.mdx
@@ -243,7 +243,7 @@ auth:
 
   oidc:
     issuer: "https://<your-tenant>.okta.com"   # REQUIRED
-    audience: "efficientai"                     # expected `aud` claim
+    audience: "efficientai"                     # REQUIRED — expected `aud` claim
     client_id: "0oa..."                         # SPA client id from step 2
 
     # Default org for new users whose token has no org claim.
@@ -259,6 +259,11 @@ The backend verifies every incoming Bearer token against the IdP's JWKS,
 which it auto-discovers from `<issuer>/.well-known/openid-configuration`.
 You never copy public keys by hand.
 
+When `external_oidc` is enabled, `issuer` and `audience` are mandatory.
+The application fails at startup if either is unset, and every token's `aud`
+claim must match `audience` — tokens issued for other applications at the
+same IdP are rejected.
+
 The same settings as env vars:
 
 ```bash title=".env"
diff --git a/env.example b/env.example
index 63ca0a52..cce2b551 100644
--- a/env.example
+++ b/env.example
@@ -45,8 +45,10 @@ AUTH_LOCAL_ALLOW_SIGNUP=true
 # External OIDC (requires an EFFICIENTAI_LICENSE with feature "oidc_sso")
 # Works with any OIDC-compliant IdP: Okta, Azure AD / Entra ID,
 # Google Workspace, AWS Cognito, Auth0, Ping, JumpCloud, OneLogin, etc.
+# When external_oidc is listed in AUTH_PROVIDERS, both issuer and audience
+# are REQUIRED — the application refuses to start if either is missing.
 # AUTH_OIDC_ISSUER=https://example.okta.com
-# AUTH_OIDC_AUDIENCE=efficientai
+# AUTH_OIDC_AUDIENCE=efficientai  # REQUIRED with external_oidc (expected `aud` claim)
 # AUTH_OIDC_CLIENT_ID=0oa...
 # AUTH_OIDC_JWKS_URI=https://example.okta.com/oauth2/v1/keys
 # AUTH_OIDC_DEFAULT_ORG_NAME=Example Inc
diff --git a/tests/test_api/test_data_sources_routes.py b/tests/test_api/test_data_sources_routes.py
index a7b34431..f2bf3d7b 100644
--- a/tests/test_api/test_data_sources_routes.py
+++ b/tests/test_api/test_data_sources_routes.py
@@ -1,23 +1,40 @@
 """API tests for S3 data-source routes."""
 
+from uuid import uuid4
+
+import pytest
+
+
+def _org_key(org_id, filename: str = "audio.wav", prefix: str = "audio/") -> str:
+    return f"{prefix}organizations/{org_id}/audio/{filename}"
 
-def test_s3_status_list_presigned_and_delete(authenticated_client, monkeypatch):
-    from app.api.v1.routes import data_sources as data_routes
 
+def _patch_storage(monkeypatch, data_routes, org_id, *, prefix: str = "audio/"):
     monkeypatch.setattr(data_routes.s3_service, "is_enabled", lambda: True)
     monkeypatch.setattr(data_routes.s3_service, "get_status_message", lambda: "ok")
+    monkeypatch.setattr(data_routes.s3_service, "prefix", prefix)
+    monkeypatch.setattr(
+        data_routes.s3_service,
+        "get_organization_root_prefix",
+        lambda organization_id: f"{prefix}organizations/{organization_id}/",
+    )
     monkeypatch.setattr(
         data_routes.s3_service,
         "list_audio_files",
         lambda **_kwargs: [
             {
-                "key": "org/audio.wav",
+                "key": _org_key(org_id, prefix=prefix),
                 "filename": "audio.wav",
                 "size": 42,
                 "last_modified": "2026-01-01T00:00:00Z",
             }
         ],
     )
+    monkeypatch.setattr(
+        data_routes.s3_service,
+        "download_file_by_key",
+        lambda key: b"audio-bytes" if key.startswith(f"{prefix}organizations/") else b"",
+    )
     monkeypatch.setattr(
         data_routes.s3_service,
         "generate_presigned_url_by_key",
@@ -25,6 +42,19 @@ def test_s3_status_list_presigned_and_delete(authenticated_client, monkeypatch):
     )
     monkeypatch.setattr(data_routes.s3_service, "delete_file_by_key", lambda _key: None)
 
+
+@pytest.mark.parametrize("blob_provider,prefix", [("s3", "audio/"), ("gcs", "gcs-audio/")])
+def test_s3_status_list_presigned_and_delete(
+    authenticated_client, monkeypatch, org_id, blob_provider, prefix
+):
+    from app.api.v1.routes import data_sources as data_routes
+    from app.config import settings
+
+    monkeypatch.setattr(settings, "BLOB_STORAGE_PROVIDER", blob_provider)
+    _patch_storage(monkeypatch, data_routes, org_id, prefix=prefix)
+    own_key = _org_key(org_id, prefix=prefix)
+    encoded_key = own_key.replace("/", "%2F")
+
     status_response = authenticated_client.get("/api/v1/data-sources/s3/status")
     assert status_response.status_code == 200
     assert status_response.json()["enabled"] is True
@@ -34,10 +64,57 @@ def test_s3_status_list_presigned_and_delete(authenticated_client, monkeypatch):
     assert list_response.json()["total"] == 1
 
     presigned_response = authenticated_client.get(
-        "/api/v1/data-sources/s3/files/org%2Faudio.wav/presigned-url"
+        f"/api/v1/data-sources/s3/files/{encoded_key}/presigned-url"
     )
     assert presigned_response.status_code == 200
-    assert "https://example.com/org/audio.wav" in presigned_response.json()["url"]
+    assert f"https://example.com/{own_key}" in presigned_response.json()["url"]
 
-    delete_response = authenticated_client.delete("/api/v1/data-sources/s3/files/org/audio.wav")
+    delete_response = authenticated_client.delete(f"/api/v1/data-sources/s3/files/{own_key}")
     assert delete_response.status_code == 200
+
+
+@pytest.mark.parametrize("blob_provider,prefix", [("s3", "audio/"), ("gcs", "gcs-audio/")])
+def test_blob_routes_reject_cross_tenant_keys(
+    authenticated_client, monkeypatch, org_id, blob_provider, prefix
+):
+    from app.api.v1.routes import data_sources as data_routes
+    from app.config import settings
+
+    monkeypatch.setattr(settings, "BLOB_STORAGE_PROVIDER", blob_provider)
+    _patch_storage(monkeypatch, data_routes, org_id, prefix=prefix)
+
+    victim_org_id = uuid4()
+    victim_key = _org_key(victim_org_id, prefix=prefix)
+    encoded_victim_key = victim_key.replace("/", "%2F")
+
+    download_response = authenticated_client.get(
+        f"/api/v1/data-sources/s3/files/{victim_key}/download"
+    )
+    assert download_response.status_code == 403
+
+    presigned_response = authenticated_client.get(
+        f"/api/v1/data-sources/s3/files/{encoded_victim_key}/presigned-url"
+    )
+    assert presigned_response.status_code == 403
+
+    delete_response = authenticated_client.delete(
+        f"/api/v1/data-sources/s3/files/{victim_key}"
+    )
+    assert delete_response.status_code == 403
+
+
+@pytest.mark.parametrize("blob_provider,prefix", [("s3", "audio/"), ("gcs", "gcs-audio/")])
+def test_blob_download_allows_own_org_key(
+    authenticated_client, monkeypatch, org_id, blob_provider, prefix
+):
+    from app.api.v1.routes import data_sources as data_routes
+    from app.config import settings
+
+    monkeypatch.setattr(settings, "BLOB_STORAGE_PROVIDER", blob_provider)
+    _patch_storage(monkeypatch, data_routes, org_id, prefix=prefix)
+    own_key = _org_key(org_id, prefix=prefix)
+
+    response = authenticated_client.get(
+        f"/api/v1/data-sources/s3/files/{own_key}/download"
+    )
+    assert response.status_code == 200
diff --git a/tests/test_api/test_manual_evaluations_routes.py b/tests/test_api/test_manual_evaluations_routes.py
index 7ad12766..89d6cbe0 100644
--- a/tests/test_api/test_manual_evaluations_routes.py
+++ b/tests/test_api/test_manual_evaluations_routes.py
@@ -1,16 +1,29 @@
 """API tests for manual-evaluations routes."""
 
+from uuid import uuid4
 
-def test_list_audio_files_and_presigned_url(authenticated_client, monkeypatch):
+
+def _org_key(org_id, filename: str = "audio.wav", prefix: str = "audio/") -> str:
+    return f"{prefix}organizations/{org_id}/audio/{filename}"
+
+
+def test_list_audio_files_and_presigned_url(authenticated_client, monkeypatch, org_id):
     from app.api.v1.routes import manual_evaluations as manual_routes
 
+    own_key = _org_key(org_id)
     monkeypatch.setattr(manual_routes.s3_service, "is_enabled", lambda: True)
+    monkeypatch.setattr(manual_routes.s3_service, "prefix", "audio/")
+    monkeypatch.setattr(
+        manual_routes.s3_service,
+        "get_organization_root_prefix",
+        lambda organization_id: f"audio/organizations/{organization_id}/",
+    )
     monkeypatch.setattr(
         manual_routes.s3_service,
         "list_audio_files",
         lambda **_kwargs: [
             {
-                "key": "org/audio.wav",
+                "key": own_key,
                 "filename": "audio.wav",
                 "size": 1234,
                 "last_modified": "2026-01-01T00:00:00Z",
@@ -27,11 +40,33 @@ def test_list_audio_files_and_presigned_url(authenticated_client, monkeypatch):
     assert list_response.status_code == 200
     assert list_response.json()["total"] == 1
 
+    encoded_key = own_key.replace("/", "%2F")
     url_response = authenticated_client.get(
-        "/api/v1/manual-evaluations/audio-files/org%2Faudio.wav/presigned-url"
+        f"/api/v1/manual-evaluations/audio-files/{encoded_key}/presigned-url"
     )
     assert url_response.status_code == 200
-    assert "https://example.com/org/audio.wav" in url_response.json()["url"]
+    assert f"https://example.com/{own_key}" in url_response.json()["url"]
+
+
+def test_manual_evaluations_presigned_url_rejects_cross_tenant_key(
+    authenticated_client, monkeypatch, org_id
+):
+    from app.api.v1.routes import manual_evaluations as manual_routes
+
+    monkeypatch.setattr(manual_routes.s3_service, "is_enabled", lambda: True)
+    monkeypatch.setattr(manual_routes.s3_service, "prefix", "audio/")
+    monkeypatch.setattr(
+        manual_routes.s3_service,
+        "get_organization_root_prefix",
+        lambda organization_id: f"audio/organizations/{organization_id}/",
+    )
+
+    victim_key = _org_key(uuid4())
+    encoded_key = victim_key.replace("/", "%2F")
+    response = authenticated_client.get(
+        f"/api/v1/manual-evaluations/audio-files/{encoded_key}/presigned-url"
+    )
+    assert response.status_code == 403
 
 
 def test_transcribe_audio_creates_transcription(authenticated_client, monkeypatch):
diff --git a/tests/test_core/test_oidc_config.py b/tests/test_core/test_oidc_config.py
new file mode 100644
index 00000000..079d3b8c
--- /dev/null
+++ b/tests/test_core/test_oidc_config.py
@@ -0,0 +1,125 @@
+"""Tests for OIDC configuration validation and JWT audience enforcement."""
+
+import time
+from uuid import uuid4
+
+import pytest
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+from jose import jwt
+from jose.utils import base64url_encode
+
+from app.config import settings, validate_auth_configuration
+from app.core.auth.oidc_common import reset_jwks_cache, verify_jwt
+from app.core.auth.providers import AuthError
+
+
+def _build_rsa_jwks(private_key, kid: str = "test-kid") -> list[dict]:
+    public_numbers = private_key.public_key().public_numbers()
+    e = base64url_encode(public_numbers.e.to_bytes(3, "big")).decode()
+    n = base64url_encode(
+        public_numbers.n.to_bytes((public_numbers.n.bit_length() + 7) // 8, "big")
+    ).decode()
+    return [
+        {
+            "kty": "RSA",
+            "kid": kid,
+            "use": "sig",
+            "alg": "RS256",
+            "n": n,
+            "e": e,
+        }
+    ]
+
+
+def _private_key_pem(private_key) -> str:
+    return private_key.private_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PrivateFormat.PKCS8,
+        encryption_algorithm=serialization.NoEncryption(),
+    ).decode()
+
+
+def _mint_token(private_key, *, aud: str, iss: str = "https://idp.example.com") -> str:
+    return jwt.encode(
+        {
+            "sub": str(uuid4()),
+            "iss": iss,
+            "aud": aud,
+            "exp": int(time.time()) + 3600,
+        },
+        _private_key_pem(private_key),
+        algorithm="RS256",
+        headers={"kid": "test-kid"},
+    )
+
+
+def test_validate_auth_configuration_allows_api_key_only(monkeypatch):
+    monkeypatch.setattr(settings, "AUTH_PROVIDERS", ["api_key"])
+    validate_auth_configuration()
+
+
+def test_validate_auth_configuration_skips_oidc_without_license(monkeypatch):
+    monkeypatch.setattr(settings, "AUTH_PROVIDERS", ["api_key", "external_oidc"])
+    monkeypatch.setattr(settings, "AUTH_OIDC_ISSUER", None)
+    monkeypatch.setattr(settings, "AUTH_OIDC_AUDIENCE", None)
+    monkeypatch.setattr("app.core.license.has_auth_feature", lambda _f: False)
+    validate_auth_configuration()
+
+
+def test_validate_auth_configuration_requires_audience_for_external_oidc(monkeypatch):
+    monkeypatch.setattr(settings, "AUTH_PROVIDERS", ["external_oidc"])
+    monkeypatch.setattr(settings, "AUTH_OIDC_ISSUER", "https://idp.example.com")
+    monkeypatch.setattr(settings, "AUTH_OIDC_AUDIENCE", None)
+    monkeypatch.setattr("app.core.license.has_auth_feature", lambda f: f == "oidc_sso")
+    with pytest.raises(RuntimeError, match="AUTH_OIDC_AUDIENCE"):
+        validate_auth_configuration()
+
+
+def test_verify_jwt_rejects_missing_audience(monkeypatch):
+    reset_jwks_cache()
+    with pytest.raises(AuthError, match="OIDC audience is not configured"):
+        verify_jwt(
+            "token",
+            jwks_uri="https://idp.example.com/jwks",
+            issuer="https://idp.example.com",
+            audience=None,
+        )
+
+
+def test_verify_jwt_rejects_wrong_audience(monkeypatch):
+    reset_jwks_cache()
+    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
+    jwks_uri = "https://idp.example.com/jwks"
+    monkeypatch.setattr(
+        "app.core.auth.oidc_common.fetch_jwks",
+        lambda _uri: _build_rsa_jwks(private_key),
+    )
+    token = _mint_token(private_key, aud="wrong-app")
+
+    with pytest.raises(AuthError):
+        verify_jwt(
+            token,
+            jwks_uri=jwks_uri,
+            issuer="https://idp.example.com",
+            audience="efficientai",
+        )
+
+
+def test_verify_jwt_accepts_matching_audience(monkeypatch):
+    reset_jwks_cache()
+    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
+    jwks_uri = "https://idp.example.com/jwks"
+    monkeypatch.setattr(
+        "app.core.auth.oidc_common.fetch_jwks",
+        lambda _uri: _build_rsa_jwks(private_key),
+    )
+    token = _mint_token(private_key, aud="efficientai")
+
+    claims = verify_jwt(
+        token,
+        jwks_uri=jwks_uri,
+        issuer="https://idp.example.com",
+        audience="efficientai",
+    )
+    assert claims["aud"] == "efficientai"
diff --git a/tests/test_services/test_storage/test_blob_paths.py b/tests/test_services/test_storage/test_blob_paths.py
new file mode 100644
index 00000000..1522d391
--- /dev/null
+++ b/tests/test_services/test_storage/test_blob_paths.py
@@ -0,0 +1,46 @@
+"""Unit tests for blob path helpers."""
+
+from uuid import uuid4
+
+import pytest
+from fastapi import HTTPException
+
+from app.services.storage.blob_paths import assert_key_belongs_to_org
+
+
+def test_assert_key_belongs_to_org_accepts_valid_key():
+    org_id = uuid4()
+    key = f"audio/organizations/{org_id}/audio/test.wav"
+    assert (
+        assert_key_belongs_to_org(key, org_id, storage_prefix="audio/")
+        == key
+    )
+
+
+def test_assert_key_belongs_to_org_rejects_other_org():
+    org_id = uuid4()
+    other_org_id = uuid4()
+    key = f"audio/organizations/{other_org_id}/audio/test.wav"
+    with pytest.raises(HTTPException) as exc_info:
+        assert_key_belongs_to_org(key, org_id, storage_prefix="audio/")
+    assert exc_info.value.status_code == 403
+
+
+def test_assert_key_belongs_to_org_rejects_path_traversal():
+    org_id = uuid4()
+    key = f"audio/organizations/{org_id}/../other-org/secret.wav"
+    with pytest.raises(HTTPException) as exc_info:
+        assert_key_belongs_to_org(key, org_id, storage_prefix="audio/")
+    assert exc_info.value.status_code == 403
+
+
+def test_assert_key_belongs_to_org_decodes_percent_encoded_key():
+    org_id = uuid4()
+    raw_key = f"audio/organizations/{org_id}/audio/test.wav"
+    encoded_key = raw_key.replace("/", "%2F")
+    assert (
+        assert_key_belongs_to_org(
+            encoded_key, org_id, storage_prefix="audio/", decode=True
+        )
+        == raw_key
+    )

From 60d7a5396a0586f25047305e3d3b570095ef6a18 Mon Sep 17 00:00:00 2001
From: Tejas Narayan <stejasnarayan@gmail.com>
Date: Sun, 14 Jun 2026 13:43:30 +0000
Subject: [PATCH 07/12] feat: updating fixes for critical bugs

---
 .gitignore                                    |   2 +
 app/api/v1/routes/telephony.py                |   4 +
 app/config.py                                 |   8 +
 app/services/telephony/recording_download.py  | 156 ++++-
 app/services/telephony/webhook_auth.py        | 155 +++++
 app/workers/tasks/process_call_import_row.py  |   9 +-
 frontend/package-lock.json                    | 547 +++++++-----------
 frontend/package.json                         |   4 +-
 tests/test_api/test_data_sources_routes.py    |  24 +-
 .../test_manual_evaluations_routes.py         |   6 +-
 tests/test_api/test_telephony_webhooks.py     | 152 +++++
 .../test_telephony/test_recording_download.py |  74 +++
 .../test_process_call_import_row.py           |  27 +-
 13 files changed, 822 insertions(+), 346 deletions(-)
 create mode 100644 app/services/telephony/webhook_auth.py
 create mode 100644 tests/test_api/test_telephony_webhooks.py
 create mode 100644 tests/test_services/test_telephony/test_recording_download.py

diff --git a/.gitignore b/.gitignore
index 71be2043..a502d377 100644
--- a/.gitignore
+++ b/.gitignore
@@ -89,6 +89,8 @@ Thumbs.db
 node_modules/
 frontend/node_modules/
 frontend/dist/
+dist.root.bak/
+frontend/node_modules.root.bak/
 .npm
 .yarn
 *.tsbuildinfo
diff --git a/app/api/v1/routes/telephony.py b/app/api/v1/routes/telephony.py
index 50536b5b..6805e13e 100644
--- a/app/api/v1/routes/telephony.py
+++ b/app/api/v1/routes/telephony.py
@@ -23,6 +23,7 @@
     TelephonyVerifyStartResponse,
 )
 from app.services.telephony.telephony_service import telephony_service
+from app.services.telephony.webhook_auth import verify_plivo_webhook
 
 router = APIRouter(prefix="/telephony", tags=["Telephony"])
 
@@ -334,6 +335,7 @@ async def _read_webhook_params(request: Request) -> Dict[str, Any]:
 @router.post("/webhooks/answer")
 async def telephony_answer_webhook(request: Request, db: Session = Depends(get_db)):
     params = await _read_webhook_params(request)
+    verify_plivo_webhook(request, params, "answer", db)
     xml = telephony_service.handle_answer_webhook(params, db)
     return Response(content=xml, media_type="application/xml")
 
@@ -341,6 +343,7 @@ async def telephony_answer_webhook(request: Request, db: Session = Depends(get_d
 @router.post("/webhooks/events")
 async def telephony_events_webhook(request: Request, db: Session = Depends(get_db)):
     params = await _read_webhook_params(request)
+    verify_plivo_webhook(request, params, "events", db)
     telephony_service.handle_event_webhook(params, db)
     return {"status": "ok"}
 
@@ -348,5 +351,6 @@ async def telephony_events_webhook(request: Request, db: Session = Depends(get_d
 @router.post("/webhooks/masking")
 async def telephony_masking_webhook(request: Request, db: Session = Depends(get_db)):
     params = await _read_webhook_params(request)
+    verify_plivo_webhook(request, params, "masking", db)
     xml = telephony_service.handle_masking_webhook(params, db)
     return Response(content=xml, media_type="application/xml")
diff --git a/app/config.py b/app/config.py
index 4adb412b..db4d1767 100644
--- a/app/config.py
+++ b/app/config.py
@@ -118,6 +118,14 @@ class Settings(BaseSettings):
     PLIVO_VERIFY_APP_UUID: str = ""
     PLIVO_WEBHOOK_BASE_URL: str = ""
 
+    # Recording URL fetch safety (SSRF guards for CSV/direct-URL imports)
+    RECORDING_URL_ALLOWED_HOST_SUFFIXES: List[str] = [
+        "exotel.com",
+        "plivo.com",
+        "amazonaws.com",
+        "cloudfront.net",
+    ]
+
     # Judge Alignment (AlignEval-style hybrid integration).
     # Operator-only knobs. Per-org thresholds and judge model selection
     # live in the database / UI, not here.
diff --git a/app/services/telephony/recording_download.py b/app/services/telephony/recording_download.py
index 24e9de60..7dc6ed54 100644
--- a/app/services/telephony/recording_download.py
+++ b/app/services/telephony/recording_download.py
@@ -2,10 +2,14 @@
 
 from __future__ import annotations
 
-from typing import Optional, Tuple, Union
+import ipaddress
+import socket
+from typing import Callable, List, Optional, Tuple, Union
+from urllib.parse import urlparse
 
 import httpx
 
+from app.config import settings
 from app.services.telephony.exotel_client import (
     DEFAULT_MAX_RECORDING_BYTES,
     DEFAULT_TIMEOUT_SECONDS,
@@ -16,6 +20,128 @@
     ExotelTransientError,
 )
 
+_DEFAULT_ALLOWED_HOST_SUFFIXES = (
+    "exotel.com",
+    "plivo.com",
+    "amazonaws.com",
+    "cloudfront.net",
+)
+
+_BLOCKED_NETWORKS = (
+    ipaddress.ip_network("0.0.0.0/8"),
+    ipaddress.ip_network("10.0.0.0/8"),
+    ipaddress.ip_network("127.0.0.0/8"),
+    ipaddress.ip_network("169.254.0.0/16"),
+    ipaddress.ip_network("172.16.0.0/12"),
+    ipaddress.ip_network("192.168.0.0/16"),
+    ipaddress.ip_network("100.64.0.0/10"),
+    ipaddress.ip_network("::1/128"),
+    ipaddress.ip_network("fc00::/7"),
+    ipaddress.ip_network("fe80::/10"),
+)
+
+
+def _allowed_host_suffixes() -> List[str]:
+    configured = getattr(settings, "RECORDING_URL_ALLOWED_HOST_SUFFIXES", None)
+    if configured:
+        return list(configured)
+    return list(_DEFAULT_ALLOWED_HOST_SUFFIXES)
+
+
+def _hostname_allowed(hostname: str, allowed_suffixes: List[str]) -> bool:
+    host = hostname.lower().rstrip(".")
+    for suffix in allowed_suffixes:
+        normalized = suffix.lower().lstrip(".")
+        if host == normalized or host.endswith(f".{normalized}"):
+            return True
+    return False
+
+
+def _ip_is_blocked(ip: ipaddress._BaseAddress) -> bool:
+    for network in _BLOCKED_NETWORKS:
+        if ip in network:
+            return True
+    return False
+
+
+def _resolve_host_ips(hostname: str) -> List[ipaddress._BaseAddress]:
+    try:
+        addr_infos = socket.getaddrinfo(
+            hostname,
+            None,
+            type=socket.SOCK_STREAM,
+        )
+    except socket.gaierror as exc:
+        raise ExotelInvalidContentError(
+            f"Recording URL hostname could not be resolved: {hostname}"
+        ) from exc
+
+    ips: List[ipaddress._BaseAddress] = []
+    seen = set()
+    for info in addr_infos:
+        sockaddr = info[4]
+        if not sockaddr:
+            continue
+        ip_str = sockaddr[0]
+        if ip_str in seen:
+            continue
+        seen.add(ip_str)
+        try:
+            ips.append(ipaddress.ip_address(ip_str))
+        except ValueError as exc:
+            raise ExotelInvalidContentError(
+                f"Recording URL resolved to invalid IP address: {ip_str}"
+            ) from exc
+    if not ips:
+        raise ExotelInvalidContentError(
+            f"Recording URL hostname could not be resolved: {hostname}"
+        )
+    return ips
+
+
+def assert_recording_url_safe(
+    recording_url: str,
+    *,
+    user_supplied: bool,
+    allowed_suffixes: Optional[List[str]] = None,
+) -> None:
+    """Validate a recording URL before any outbound HTTP request."""
+    parsed = urlparse(recording_url.strip())
+    if parsed.scheme not in {"http", "https"}:
+        raise ExotelInvalidContentError(
+            f"Recording URL must use http or https, got {parsed.scheme or 'none'}"
+        )
+    if not parsed.hostname:
+        raise ExotelInvalidContentError("Recording URL is missing a hostname")
+    if parsed.username or parsed.password:
+        raise ExotelInvalidContentError(
+            "Recording URL must not embed credentials in the URL"
+        )
+
+    hostname = parsed.hostname
+    suffixes = allowed_suffixes or _allowed_host_suffixes()
+
+    try:
+        literal_ip = ipaddress.ip_address(hostname)
+        if _ip_is_blocked(literal_ip):
+            raise ExotelInvalidContentError(
+                "Recording URL targets a blocked network address"
+            )
+        if user_supplied:
+            raise ExotelInvalidContentError(
+                "User-supplied recording URLs must use allowlisted hostnames"
+            )
+    except ValueError:
+        if not _hostname_allowed(hostname, suffixes):
+            raise ExotelInvalidContentError(
+                f"Recording URL hostname is not allowlisted: {hostname}"
+            )
+        for resolved_ip in _resolve_host_ips(hostname):
+            if _ip_is_blocked(resolved_ip):
+                raise ExotelInvalidContentError(
+                    "Recording URL resolves to a blocked network address"
+                )
+
 
 def download_recording_url(
     recording_url: str,
@@ -23,6 +149,7 @@ def download_recording_url(
     auth: Optional[Union[Tuple[str, str], httpx.Auth]] = None,
     timeout_seconds: float = DEFAULT_TIMEOUT_SECONDS,
     max_bytes: int = DEFAULT_MAX_RECORDING_BYTES,
+    user_supplied: bool = False,
 ) -> Tuple[bytes, str]:
     """Download a recording from a URL.
 
@@ -31,10 +158,32 @@ def download_recording_url(
     """
     if not recording_url:
         raise ExotelInvalidContentError("recording_url is empty")
+    if user_supplied and auth is not None:
+        raise ExotelInvalidContentError(
+            "User-supplied recording URLs must not be fetched with credentials"
+        )
+
+    assert_recording_url_safe(recording_url, user_supplied=user_supplied)
+
+    request_hooks: Optional[dict[str, List[Callable[..., None]]]] = None
+    if not user_supplied:
+
+        def _validate_redirect(request: httpx.Request) -> None:
+            assert_recording_url_safe(str(request.url), user_supplied=False)
+
+        request_hooks = {"request": [_validate_redirect]}
+
+    follow_redirects = not user_supplied
 
     try:
-        with httpx.Client(timeout=timeout_seconds, follow_redirects=True) as client:
+        with httpx.Client(
+            timeout=timeout_seconds,
+            follow_redirects=follow_redirects,
+            event_hooks=request_hooks,
+        ) as client:
             resp = client.get(recording_url, auth=auth)
+    except ExotelInvalidContentError:
+        raise
     except httpx.TimeoutException as exc:
         raise ExotelTransientError(f"Timeout fetching recording: {exc}") from exc
     except httpx.HTTPError as exc:
@@ -78,10 +227,11 @@ def download_public_recording(
     timeout_seconds: float = DEFAULT_TIMEOUT_SECONDS,
     max_bytes: int = DEFAULT_MAX_RECORDING_BYTES,
 ) -> Tuple[bytes, str]:
-    """Download a recording from a public URL without authentication."""
+    """Download a user-supplied recording URL without authentication."""
     return download_recording_url(
         recording_url,
         auth=None,
         timeout_seconds=timeout_seconds,
         max_bytes=max_bytes,
+        user_supplied=True,
     )
diff --git a/app/services/telephony/webhook_auth.py b/app/services/telephony/webhook_auth.py
new file mode 100644
index 00000000..d9254c56
--- /dev/null
+++ b/app/services/telephony/webhook_auth.py
@@ -0,0 +1,155 @@
+"""Plivo webhook signature verification for multi-tenant deployments."""
+
+from __future__ import annotations
+
+from typing import Any, Dict, Literal, Optional
+
+from fastapi import HTTPException, Request, status
+from loguru import logger
+from sqlalchemy.orm import Session
+
+from app.config import settings
+from app.core.encryption import decrypt_api_key
+from app.models.database import CallRecording, TelephonyIntegration, TelephonyPhoneNumber
+from app.services.credentials.resolver import resolve_telephony_integration
+from app.services.telephony.plivo_client import normalize_e164
+
+WebhookKind = Literal["answer", "events", "masking"]
+
+
+def build_plivo_webhook_uri(request: Request) -> str:
+    """Build the callback URI Plivo used when signing the webhook."""
+    configured_base = (settings.PLIVO_WEBHOOK_BASE_URL or "").strip().rstrip("/")
+    if configured_base:
+        uri = f"{configured_base}{request.url.path}"
+        if request.url.query:
+            uri = f"{uri}?{request.url.query}"
+        return uri
+    return str(request.url)
+
+
+def _resolve_auth_token_for_phone(
+    phone_number: Optional[str],
+    db: Session,
+) -> Optional[str]:
+    if not phone_number:
+        return None
+    try:
+        normalized = normalize_e164(phone_number)
+    except ValueError:
+        return None
+
+    number = (
+        db.query(TelephonyPhoneNumber)
+        .filter(
+            TelephonyPhoneNumber.phone_number == normalized,
+            TelephonyPhoneNumber.is_active.is_(True),
+        )
+        .first()
+    )
+    if not number:
+        return None
+
+    integration = (
+        db.query(TelephonyIntegration)
+        .filter(
+            TelephonyIntegration.id == number.telephony_integration_id,
+            TelephonyIntegration.is_active.is_(True),
+            TelephonyIntegration.provider == "plivo",
+        )
+        .first()
+    )
+    if not integration:
+        return None
+    return decrypt_api_key(integration.auth_token)
+
+
+def _resolve_auth_token_for_call_event(
+    params: Dict[str, Any],
+    db: Session,
+) -> Optional[str]:
+    call_uuid = (
+        params.get("CallUUID")
+        or params.get("RequestUUID")
+        or params.get("CallSid")
+        or params.get("call_sid")
+        or params.get("Sid")
+    )
+    if not call_uuid:
+        return None
+
+    recording = (
+        db.query(CallRecording)
+        .filter(CallRecording.provider_call_id == call_uuid)
+        .first()
+    )
+    if not recording:
+        return None
+
+    integration = resolve_telephony_integration(
+        "plivo",
+        db,
+        recording.organization_id,
+    )
+    if not integration:
+        return None
+    return decrypt_api_key(integration.auth_token)
+
+
+def resolve_plivo_auth_token(
+    webhook_kind: WebhookKind,
+    params: Dict[str, Any],
+    db: Session,
+) -> Optional[str]:
+    if webhook_kind in {"answer", "masking"}:
+        phone_number = params.get("To") or params.get("to")
+        return _resolve_auth_token_for_phone(phone_number, db)
+    if webhook_kind == "events":
+        return _resolve_auth_token_for_call_event(params, db)
+    return None
+
+
+def verify_plivo_webhook(
+    request: Request,
+    params: Dict[str, Any],
+    webhook_kind: WebhookKind,
+    db: Session,
+) -> None:
+    """Validate X-Plivo-Signature before processing webhook params."""
+    signature = request.headers.get("X-Plivo-Signature")
+    if not signature:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Missing webhook signature",
+        )
+
+    auth_token = resolve_plivo_auth_token(webhook_kind, params, db)
+    if not auth_token:
+        logger.warning(
+            "Plivo webhook rejected: unable to resolve auth token for kind={}",
+            webhook_kind,
+        )
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Invalid webhook signature",
+        )
+
+    try:
+        from plivo.utils import validate_signature
+    except ImportError as exc:  # pragma: no cover - optional dependency
+        raise HTTPException(
+            status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
+            detail="Plivo SDK is not installed",
+        ) from exc
+
+    uri = build_plivo_webhook_uri(request)
+    if not validate_signature(auth_token, uri, params, signature):
+        logger.warning(
+            "Plivo webhook rejected: invalid signature for kind={} uri={}",
+            webhook_kind,
+            uri,
+        )
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Invalid webhook signature",
+        )
diff --git a/app/workers/tasks/process_call_import_row.py b/app/workers/tasks/process_call_import_row.py
index 929e5b17..c02d2fad 100644
--- a/app/workers/tasks/process_call_import_row.py
+++ b/app/workers/tasks/process_call_import_row.py
@@ -308,14 +308,7 @@ def process_call_import_row_task(self, row_id: str):
 
             if audio_bytes is None and original_csv_url:
                 try:
-                    if (
-                        client is not None
-                        and provider_lookup_supported
-                        and hasattr(client, "download_recording")
-                    ):
-                        fetched = client.download_recording(original_csv_url)
-                    else:
-                        fetched = download_public_recording(original_csv_url)
+                    fetched = download_public_recording(original_csv_url)
                     audio_bytes, content_type = fetched
                     used_url = original_csv_url
                     if primary_failure is not None:
diff --git a/frontend/package-lock.json b/frontend/package-lock.json
index 5b05ec62..e590d2ba 100644
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@@ -17,7 +17,7 @@
         "@vapi-ai/web": "^2.5.2",
         "@xyflow/react": "^12.3.5",
         "atoms-client-sdk": "^1.1.0",
-        "axios": "^1.6.2",
+        "axios": "^1.16.0",
         "clsx": "^2.1.0",
         "country-flag-icons": "^1.6.15",
         "dagre": "^0.8.5",
@@ -25,7 +25,7 @@
         "framer-motion": "^11.0.0",
         "livekit-client": "^2.17.0",
         "lucide-react": "^0.303.0",
-        "protobufjs": "^7.4.0",
+        "protobufjs": "^8.0.2",
         "react": "^18.2.0",
         "react-dom": "^18.2.0",
         "react-markdown": "^10.1.0",
@@ -877,22 +877,20 @@
       }
     },
     "node_modules/@eslint/eslintrc/node_modules/brace-expansion": {
-      "version": "1.1.12",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
-      "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
+      "version": "1.1.15",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.15.tgz",
+      "integrity": "sha512-EwOCDEex4quD37XhqM3omwtMoJjr//isUZz1JopUNWms+4Z2ViyM/k1YIRePpoVNnQhENnxtFjLaxNHrT7xIUg==",
       "dev": true,
-      "license": "MIT",
       "dependencies": {
         "balanced-match": "^1.0.0",
         "concat-map": "0.0.1"
       }
     },
     "node_modules/@eslint/eslintrc/node_modules/minimatch": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
-      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
+      "version": "3.1.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
+      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
       "dev": true,
-      "license": "ISC",
       "dependencies": {
         "brace-expansion": "^1.1.7"
       },
@@ -2484,22 +2482,20 @@
       }
     },
     "node_modules/@humanwhocodes/config-array/node_modules/brace-expansion": {
-      "version": "1.1.12",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
-      "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
+      "version": "1.1.15",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.15.tgz",
+      "integrity": "sha512-EwOCDEex4quD37XhqM3omwtMoJjr//isUZz1JopUNWms+4Z2ViyM/k1YIRePpoVNnQhENnxtFjLaxNHrT7xIUg==",
       "dev": true,
-      "license": "MIT",
       "dependencies": {
         "balanced-match": "^1.0.0",
         "concat-map": "0.0.1"
       }
     },
     "node_modules/@humanwhocodes/config-array/node_modules/minimatch": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
-      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
+      "version": "3.1.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
+      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
       "dev": true,
-      "license": "ISC",
       "dependencies": {
         "brace-expansion": "^1.1.7"
       },
@@ -2676,17 +2672,16 @@
       }
     },
     "node_modules/@pipecat-ai/client-js": {
-      "version": "1.5.0",
-      "resolved": "https://registry.npmjs.org/@pipecat-ai/client-js/-/client-js-1.5.0.tgz",
-      "integrity": "sha512-WE8n5P98XoOyEX+k6DkcxBFaeoP82rDl3BEm4Zxf8tw1Umw5zFsv73qR6ztU4D5WDbYiscA3J+hGfe+g8PSUIw==",
-      "license": "BSD-2-Clause",
+      "version": "1.11.0",
+      "resolved": "https://registry.npmjs.org/@pipecat-ai/client-js/-/client-js-1.11.0.tgz",
+      "integrity": "sha512-Au3mmyt+DQn49+gSaQOO+LoiOESxzr7GqSswEGAiuloOJIanqa/q9yOizD/Sl9wINr/qkcdDN2ejJOxhrh8KtQ==",
       "dependencies": {
         "@types/events": "^3.0.3",
         "bowser": "^2.11.0",
         "clone-deep": "^4.0.1",
         "events": "^3.3.0",
         "typed-emitter": "^2.1.0",
-        "uuid": "^10.0.0"
+        "uuid": "^11.1.1"
       }
     },
     "node_modules/@pipecat-ai/websocket-transport": {
@@ -2759,70 +2754,6 @@
         "@protobuf-ts/runtime": "^2.11.1"
       }
     },
-    "node_modules/@protobufjs/aspromise": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/@protobufjs/aspromise/-/aspromise-1.1.2.tgz",
-      "integrity": "sha512-j+gKExEuLmKwvz3OgROXtrJ2UG2x8Ch2YZUxahh+s1F2HZ+wAceUNLkvy6zKCPVRkU++ZWQrdxsUeQXmcg4uoQ==",
-      "license": "BSD-3-Clause"
-    },
-    "node_modules/@protobufjs/base64": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/@protobufjs/base64/-/base64-1.1.2.tgz",
-      "integrity": "sha512-AZkcAA5vnN/v4PDqKyMR5lx7hZttPDgClv83E//FMNhR2TMcLUhfRUBHCmSl0oi9zMgDDqRUJkSxO3wm85+XLg==",
-      "license": "BSD-3-Clause"
-    },
-    "node_modules/@protobufjs/codegen": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/@protobufjs/codegen/-/codegen-2.0.4.tgz",
-      "integrity": "sha512-YyFaikqM5sH0ziFZCN3xDC7zeGaB/d0IUb9CATugHWbd1FRFwWwt4ld4OYMPWu5a3Xe01mGAULCdqhMlPl29Jg==",
-      "license": "BSD-3-Clause"
-    },
-    "node_modules/@protobufjs/eventemitter": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/@protobufjs/eventemitter/-/eventemitter-1.1.0.tgz",
-      "integrity": "sha512-j9ednRT81vYJ9OfVuXG6ERSTdEL1xVsNgqpkxMsbIabzSo3goCjDIveeGv5d03om39ML71RdmrGNjG5SReBP/Q==",
-      "license": "BSD-3-Clause"
-    },
-    "node_modules/@protobufjs/fetch": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/@protobufjs/fetch/-/fetch-1.1.0.tgz",
-      "integrity": "sha512-lljVXpqXebpsijW71PZaCYeIcE5on1w5DlQy5WH6GLbFryLUrBD4932W/E2BSpfRJWseIL4v/KPgBFxDOIdKpQ==",
-      "license": "BSD-3-Clause",
-      "dependencies": {
-        "@protobufjs/aspromise": "^1.1.1",
-        "@protobufjs/inquire": "^1.1.0"
-      }
-    },
-    "node_modules/@protobufjs/float": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/@protobufjs/float/-/float-1.0.2.tgz",
-      "integrity": "sha512-Ddb+kVXlXst9d+R9PfTIxh1EdNkgoRe5tOX6t01f1lYWOvJnSPDBlG241QLzcyPdoNTsblLUdujGSE4RzrTZGQ==",
-      "license": "BSD-3-Clause"
-    },
-    "node_modules/@protobufjs/inquire": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/@protobufjs/inquire/-/inquire-1.1.0.tgz",
-      "integrity": "sha512-kdSefcPdruJiFMVSbn801t4vFK7KB/5gd2fYvrxhuJYg8ILrmn9SKSX2tZdV6V+ksulWqS7aXjBcRXl3wHoD9Q==",
-      "license": "BSD-3-Clause"
-    },
-    "node_modules/@protobufjs/path": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/@protobufjs/path/-/path-1.1.2.tgz",
-      "integrity": "sha512-6JOcJ5Tm08dOHAbdR3GrvP+yUUfkjG5ePsHYczMFLq3ZmMkAD98cDgcT2iA1lJ9NVwFd4tH/iSSoe44YWkltEA==",
-      "license": "BSD-3-Clause"
-    },
-    "node_modules/@protobufjs/pool": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/@protobufjs/pool/-/pool-1.1.0.tgz",
-      "integrity": "sha512-0kELaGSIDBKvcgS4zkjz1PeddatrjYcmMWOlAuAPwAeccUrPHdUqo/J6LiymHHEiJT5NrF1UVwxY14f+fy4WQw==",
-      "license": "BSD-3-Clause"
-    },
-    "node_modules/@protobufjs/utf8": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/@protobufjs/utf8/-/utf8-1.1.0.tgz",
-      "integrity": "sha512-Vvn3zZrhQZkkBE8LSuW3em98c0FwgO4nxzv6OdSxPKJIEKY2bGbHn+mhGIPerzI4twdxaP8/0+06HBpwf345Lw==",
-      "license": "BSD-3-Clause"
-    },
     "node_modules/@react-aria/breadcrumbs": {
       "version": "3.5.30",
       "resolved": "https://registry.npmjs.org/@react-aria/breadcrumbs/-/breadcrumbs-3.5.30.tgz",
@@ -4173,10 +4104,9 @@
       }
     },
     "node_modules/@remix-run/router": {
-      "version": "1.23.2",
-      "resolved": "https://registry.npmjs.org/@remix-run/router/-/router-1.23.2.tgz",
-      "integrity": "sha512-Ic6m2U/rMjTkhERIa/0ZtXJP17QUi2CbWE7cqx4J58M8aA3QTfW+2UlQ4psvTX9IO1RfNVhK3pcpdjej7L+t2w==",
-      "license": "MIT",
+      "version": "1.23.3",
+      "resolved": "https://registry.npmjs.org/@remix-run/router/-/router-1.23.3.tgz",
+      "integrity": "sha512-4An71tdz9X8+3sI4Qqqd2LWd9vS39J7sqd9EU4Scw7TJE/qB10Flv/UuqbPVgfQV9XoK8Np6jNquZitnZq5i+Q==",
       "engines": {
         "node": ">=14.0.0"
       }
@@ -4189,350 +4119,325 @@
       "license": "MIT"
     },
     "node_modules/@rollup/rollup-android-arm-eabi": {
-      "version": "4.55.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.55.2.tgz",
-      "integrity": "sha512-21J6xzayjy3O6NdnlO6aXi/urvSRjm6nCI6+nF6ra2YofKruGixN9kfT+dt55HVNwfDmpDHJcaS3JuP/boNnlA==",
+      "version": "4.62.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.62.0.tgz",
+      "integrity": "sha512-IPIQ55ythEHkfEd9jMEi32OQ7SxURsGA43JI22lj01OLZNt2NUbJX8YUHxkVWyQ6daHPNn0truF5nSj3DQp6YQ==",
       "cpu": [
         "arm"
       ],
       "dev": true,
-      "license": "MIT",
       "optional": true,
       "os": [
         "android"
       ]
     },
     "node_modules/@rollup/rollup-android-arm64": {
-      "version": "4.55.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.55.2.tgz",
-      "integrity": "sha512-eXBg7ibkNUZ+sTwbFiDKou0BAckeV6kIigK7y5Ko4mB/5A1KLhuzEKovsmfvsL8mQorkoincMFGnQuIT92SKqA==",
+      "version": "4.62.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.62.0.tgz",
+      "integrity": "sha512-M6s9cr10MibETyo8JsOkq+Lo1+lU6hcvb1MApnUql5qte/5hMEgzlN8/ReIKNfRV8rrqX50W1BX9zoUhC192RA==",
       "cpu": [
         "arm64"
       ],
       "dev": true,
-      "license": "MIT",
       "optional": true,
       "os": [
         "android"
       ]
     },
     "node_modules/@rollup/rollup-darwin-arm64": {
-      "version": "4.55.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.55.2.tgz",
-      "integrity": "sha512-UCbaTklREjrc5U47ypLulAgg4njaqfOVLU18VrCrI+6E5MQjuG0lSWaqLlAJwsD7NpFV249XgB0Bi37Zh5Sz4g==",
+      "version": "4.62.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.62.0.tgz",
+      "integrity": "sha512-BqCoMoIbn0keKys+dEAdBa70EtOwV1bEsQCUgU9FdiZmmMge/Zk7LlkYGqbrdHR+Frnt0E1FOanly+rlwvvQzw==",
       "cpu": [
         "arm64"
       ],
       "dev": true,
-      "license": "MIT",
       "optional": true,
       "os": [
         "darwin"
       ]
     },
     "node_modules/@rollup/rollup-darwin-x64": {
-      "version": "4.55.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.55.2.tgz",
-      "integrity": "sha512-dP67MA0cCMHFT2g5XyjtpVOtp7y4UyUxN3dhLdt11at5cPKnSm4lY+EhwNvDXIMzAMIo2KU+mc9wxaAQJTn7sQ==",
+      "version": "4.62.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.62.0.tgz",
+      "integrity": "sha512-SIMzST3VFNXDAbeIWDWiFCNM5qncUBDWaEV7NfE7oZbDt2mgfW4MvbKdbYiGOLoM32gbTv608UMd0XktEYSD7w==",
       "cpu": [
         "x64"
       ],
       "dev": true,
-      "license": "MIT",
       "optional": true,
       "os": [
         "darwin"
       ]
     },
     "node_modules/@rollup/rollup-freebsd-arm64": {
-      "version": "4.55.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-arm64/-/rollup-freebsd-arm64-4.55.2.tgz",
-      "integrity": "sha512-WDUPLUwfYV9G1yxNRJdXcvISW15mpvod1Wv3ok+Ws93w1HjIVmCIFxsG2DquO+3usMNCpJQ0wqO+3GhFdl6Fow==",
+      "version": "4.62.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-arm64/-/rollup-freebsd-arm64-4.62.0.tgz",
+      "integrity": "sha512-ezjfSQMP7ArdUsbBwbQIfwAlhE84I2iVnzQNCFSveqV42q+BmKlzVpf7mxv5EchLcoWU4y6/heFzVg1F+hodUQ==",
       "cpu": [
         "arm64"
       ],
       "dev": true,
-      "license": "MIT",
       "optional": true,
       "os": [
         "freebsd"
       ]
     },
     "node_modules/@rollup/rollup-freebsd-x64": {
-      "version": "4.55.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-x64/-/rollup-freebsd-x64-4.55.2.tgz",
-      "integrity": "sha512-Ng95wtHVEulRwn7R0tMrlUuiLVL/HXA8Lt/MYVpy88+s5ikpntzZba1qEulTuPnPIZuOPcW9wNEiqvZxZmgmqQ==",
+      "version": "4.62.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-x64/-/rollup-freebsd-x64-4.62.0.tgz",
+      "integrity": "sha512-9+qTWGW9AZRhnUgwtTwzNwcPlL87ngkeN0LA+q1bADvmY9aNvWaF2TFW8BZgnQPYxpDI7+rMVLivcd4V737TAQ==",
       "cpu": [
         "x64"
       ],
       "dev": true,
-      "license": "MIT",
       "optional": true,
       "os": [
         "freebsd"
       ]
     },
     "node_modules/@rollup/rollup-linux-arm-gnueabihf": {
-      "version": "4.55.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.55.2.tgz",
-      "integrity": "sha512-AEXMESUDWWGqD6LwO/HkqCZgUE1VCJ1OhbvYGsfqX2Y6w5quSXuyoy/Fg3nRqiwro+cJYFxiw5v4kB2ZDLhxrw==",
+      "version": "4.62.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.62.0.tgz",
+      "integrity": "sha512-T1dMEQhXA/jkJ/jyMIw9IovK8bSUq7A8kLIlvZTb/6YIVsp2zLavr4F3oyllHWo7eIVJRyE5n3tUjQJEbE1IuQ==",
       "cpu": [
         "arm"
       ],
       "dev": true,
-      "license": "MIT",
       "optional": true,
       "os": [
         "linux"
       ]
     },
     "node_modules/@rollup/rollup-linux-arm-musleabihf": {
-      "version": "4.55.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-musleabihf/-/rollup-linux-arm-musleabihf-4.55.2.tgz",
-      "integrity": "sha512-ZV7EljjBDwBBBSv570VWj0hiNTdHt9uGznDtznBB4Caj3ch5rgD4I2K1GQrtbvJ/QiB+663lLgOdcADMNVC29Q==",
+      "version": "4.62.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-musleabihf/-/rollup-linux-arm-musleabihf-4.62.0.tgz",
+      "integrity": "sha512-2as0LgT7qQpyceQq6VUJYnumUMUrgGQCWIiDIN9DE0/tglsk6o66uCB4f3djRawAltvfCNLyZZrsqbPA6inCsA==",
       "cpu": [
         "arm"
       ],
       "dev": true,
-      "license": "MIT",
       "optional": true,
       "os": [
         "linux"
       ]
     },
     "node_modules/@rollup/rollup-linux-arm64-gnu": {
-      "version": "4.55.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.55.2.tgz",
-      "integrity": "sha512-uvjwc8NtQVPAJtq4Tt7Q49FOodjfbf6NpqXyW/rjXoV+iZ3EJAHLNAnKT5UJBc6ffQVgmXTUL2ifYiLABlGFqA==",
+      "version": "4.62.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.62.0.tgz",
+      "integrity": "sha512-bVURMg+6eNN9C/yc0aVjooZcwTTtYF4YW3xta5pP0//r3o1V8gXEHXWCndj47w/HhwsFroZrFhR+6uQP5T0n0g==",
       "cpu": [
         "arm64"
       ],
       "dev": true,
-      "license": "MIT",
       "optional": true,
       "os": [
         "linux"
       ]
     },
     "node_modules/@rollup/rollup-linux-arm64-musl": {
-      "version": "4.55.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.55.2.tgz",
-      "integrity": "sha512-s3KoWVNnye9mm/2WpOZ3JeUiediUVw6AvY/H7jNA6qgKA2V2aM25lMkVarTDfiicn/DLq3O0a81jncXszoyCFA==",
+      "version": "4.62.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.62.0.tgz",
+      "integrity": "sha512-Ful8pM/2yYI83PViWdFdpZhdI8HJ5qsXANe5atypbHDf+KIBBDsZsbyy8hbXnULVvW9NsTh5DHwbcBftyLTfiw==",
       "cpu": [
         "arm64"
       ],
       "dev": true,
-      "license": "MIT",
       "optional": true,
       "os": [
         "linux"
       ]
     },
     "node_modules/@rollup/rollup-linux-loong64-gnu": {
-      "version": "4.55.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-gnu/-/rollup-linux-loong64-gnu-4.55.2.tgz",
-      "integrity": "sha512-gi21faacK+J8aVSyAUptML9VQN26JRxe484IbF+h3hpG+sNVoMXPduhREz2CcYr5my0NE3MjVvQ5bMKX71pfVA==",
+      "version": "4.62.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-gnu/-/rollup-linux-loong64-gnu-4.62.0.tgz",
+      "integrity": "sha512-9Gp/DgrkzfUBmNPVTyPTvay+4xEP7M/clXpj3efXBcm6uTIVIgDg4rqUpqKXvLEuFRVuEpSAOkhgNeecvaZ4Cg==",
       "cpu": [
         "loong64"
       ],
       "dev": true,
-      "license": "MIT",
       "optional": true,
       "os": [
         "linux"
       ]
     },
     "node_modules/@rollup/rollup-linux-loong64-musl": {
-      "version": "4.55.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-musl/-/rollup-linux-loong64-musl-4.55.2.tgz",
-      "integrity": "sha512-qSlWiXnVaS/ceqXNfnoFZh4IiCA0EwvCivivTGbEu1qv2o+WTHpn1zNmCTAoOG5QaVr2/yhCoLScQtc/7RxshA==",
+      "version": "4.62.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-musl/-/rollup-linux-loong64-musl-4.62.0.tgz",
+      "integrity": "sha512-m9tsJz54LUXkSYM8+8PG81B9IKK5r+2T0clMq4QrS16xFosufU7firBDAZEsDheDs7wTlP7h3++S7lMsU955HA==",
       "cpu": [
         "loong64"
       ],
       "dev": true,
-      "license": "MIT",
       "optional": true,
       "os": [
         "linux"
       ]
     },
     "node_modules/@rollup/rollup-linux-ppc64-gnu": {
-      "version": "4.55.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-gnu/-/rollup-linux-ppc64-gnu-4.55.2.tgz",
-      "integrity": "sha512-rPyuLFNoF1B0+wolH277E780NUKf+KoEDb3OyoLbAO18BbeKi++YN6gC/zuJoPPDlQRL3fIxHxCxVEWiem2yXw==",
+      "version": "4.62.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-gnu/-/rollup-linux-ppc64-gnu-4.62.0.tgz",
+      "integrity": "sha512-3UvJ5PNVU16aJf6M3tFI24pWzAl2/ynfbyRN3ICyQajK1lSkrnVYNnLz3v04J32qKa0FczJc22zeToc0lr2A3w==",
       "cpu": [
         "ppc64"
       ],
       "dev": true,
-      "license": "MIT",
       "optional": true,
       "os": [
         "linux"
       ]
     },
     "node_modules/@rollup/rollup-linux-ppc64-musl": {
-      "version": "4.55.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-musl/-/rollup-linux-ppc64-musl-4.55.2.tgz",
-      "integrity": "sha512-g+0ZLMook31iWV4PvqKU0i9E78gaZgYpSrYPed/4Bu+nGTgfOPtfs1h11tSSRPXSjC5EzLTjV/1A7L2Vr8pJoQ==",
+      "version": "4.62.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-musl/-/rollup-linux-ppc64-musl-4.62.0.tgz",
+      "integrity": "sha512-vRWUAbYLGHBZS6Q8Msb2sfnf1fvJf+47t8l/TwOerM2qArzy+IeNMTHrYLHXh95h8MoatPHI5hhSZNs+mGXKPg==",
       "cpu": [
         "ppc64"
       ],
       "dev": true,
-      "license": "MIT",
       "optional": true,
       "os": [
         "linux"
       ]
     },
     "node_modules/@rollup/rollup-linux-riscv64-gnu": {
-      "version": "4.55.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.55.2.tgz",
-      "integrity": "sha512-i+sGeRGsjKZcQRh3BRfpLsM3LX3bi4AoEVqmGDyc50L6KfYsN45wVCSz70iQMwPWr3E5opSiLOwsC9WB4/1pqg==",
+      "version": "4.62.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.62.0.tgz",
+      "integrity": "sha512-c00T5SYENHAt86cfW47URaP3Us5vLC/4QO7GYud1G5VNRffCwwCuBspwqYrriuJB+5m0WFzClCn9wed0FBjKvg==",
       "cpu": [
         "riscv64"
       ],
       "dev": true,
-      "license": "MIT",
       "optional": true,
       "os": [
         "linux"
       ]
     },
     "node_modules/@rollup/rollup-linux-riscv64-musl": {
-      "version": "4.55.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-musl/-/rollup-linux-riscv64-musl-4.55.2.tgz",
-      "integrity": "sha512-C1vLcKc4MfFV6I0aWsC7B2Y9QcsiEcvKkfxprwkPfLaN8hQf0/fKHwSF2lcYzA9g4imqnhic729VB9Fo70HO3Q==",
+      "version": "4.62.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-musl/-/rollup-linux-riscv64-musl-4.62.0.tgz",
+      "integrity": "sha512-krrCDilhXOwFkSkO3Wm9I/f9H0L92XHHwy2fwxjukxIbh0dem8gZqOW5Y8BsHrpJv5qwlRBV+Wl4ZFyRWhUpwg==",
       "cpu": [
         "riscv64"
       ],
       "dev": true,
-      "license": "MIT",
       "optional": true,
       "os": [
         "linux"
       ]
     },
     "node_modules/@rollup/rollup-linux-s390x-gnu": {
-      "version": "4.55.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-s390x-gnu/-/rollup-linux-s390x-gnu-4.55.2.tgz",
-      "integrity": "sha512-68gHUK/howpQjh7g7hlD9DvTTt4sNLp1Bb+Yzw2Ki0xvscm2cOdCLZNJNhd2jW8lsTPrHAHuF751BygifW4bkQ==",
+      "version": "4.62.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-s390x-gnu/-/rollup-linux-s390x-gnu-4.62.0.tgz",
+      "integrity": "sha512-7pfYFSTc4/rUC/FtAI0Qp6QthDBCIi6/AuP1xYqFk5vanI6KnL5dWKP60OM/05LOsbwTmIcvr6eXC4CJuJ75IA==",
       "cpu": [
         "s390x"
       ],
       "dev": true,
-      "license": "MIT",
       "optional": true,
       "os": [
         "linux"
       ]
     },
     "node_modules/@rollup/rollup-linux-x64-gnu": {
-      "version": "4.55.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.55.2.tgz",
-      "integrity": "sha512-1e30XAuaBP1MAizaOBApsgeGZge2/Byd6wV4a8oa6jPdHELbRHBiw7wvo4dp7Ie2PE8TZT4pj9RLGZv9N4qwlw==",
+      "version": "4.62.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.62.0.tgz",
+      "integrity": "sha512-7SDIalKeIpG0Ifogbbdn58HmSotYMlf23K3dCJEmiVd9Fg36Vmni82iPQec27N3wY4Bvbxftkxz6vSx9OcouTg==",
       "cpu": [
         "x64"
       ],
       "dev": true,
-      "license": "MIT",
       "optional": true,
       "os": [
         "linux"
       ]
     },
     "node_modules/@rollup/rollup-linux-x64-musl": {
-      "version": "4.55.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.55.2.tgz",
-      "integrity": "sha512-4BJucJBGbuGnH6q7kpPqGJGzZnYrpAzRd60HQSt3OpX/6/YVgSsJnNzR8Ot74io50SeVT4CtCWe/RYIAymFPwA==",
+      "version": "4.62.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.62.0.tgz",
+      "integrity": "sha512-eRZevouTH2i1HeAVLqJuLnt256krQkGY0TN6WsTmsIhuzbh457HuWDMakKwmi0Cjadux983CoSr8Lim2QhUIFw==",
       "cpu": [
         "x64"
       ],
       "dev": true,
-      "license": "MIT",
       "optional": true,
       "os": [
         "linux"
       ]
     },
     "node_modules/@rollup/rollup-openbsd-x64": {
-      "version": "4.55.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-openbsd-x64/-/rollup-openbsd-x64-4.55.2.tgz",
-      "integrity": "sha512-cT2MmXySMo58ENv8p6/O6wI/h/gLnD3D6JoajwXFZH6X9jz4hARqUhWpGuQhOgLNXscfZYRQMJvZDtWNzMAIDw==",
+      "version": "4.62.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-openbsd-x64/-/rollup-openbsd-x64-4.62.0.tgz",
+      "integrity": "sha512-3oVS7FLGa4U1qcvao9ylGxrjXZyUQqR8UwxEcnUEyPX53O/C/mKDZegNXTdHCP+h3e6ta/f1EN38Yif1mmZHYg==",
       "cpu": [
         "x64"
       ],
       "dev": true,
-      "license": "MIT",
       "optional": true,
       "os": [
         "openbsd"
       ]
     },
     "node_modules/@rollup/rollup-openharmony-arm64": {
-      "version": "4.55.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-openharmony-arm64/-/rollup-openharmony-arm64-4.55.2.tgz",
-      "integrity": "sha512-sZnyUgGkuzIXaK3jNMPmUIyJrxu/PjmATQrocpGA1WbCPX8H5tfGgRSuYtqBYAvLuIGp8SPRb1O4d1Fkb5fXaQ==",
+      "version": "4.62.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-openharmony-arm64/-/rollup-openharmony-arm64-4.62.0.tgz",
+      "integrity": "sha512-yTB9TgfWj5wHe5QgktAgXTLLot1gvEjl1NiPPAUiCs4oPrIWFl5V4nC3GrkNdj9LaAU4s94nVrGbGOCqUpyWsg==",
       "cpu": [
         "arm64"
       ],
       "dev": true,
-      "license": "MIT",
       "optional": true,
       "os": [
         "openharmony"
       ]
     },
     "node_modules/@rollup/rollup-win32-arm64-msvc": {
-      "version": "4.55.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.55.2.tgz",
-      "integrity": "sha512-sDpFbenhmWjNcEbBcoTV0PWvW5rPJFvu+P7XoTY0YLGRupgLbFY0XPfwIbJOObzO7QgkRDANh65RjhPmgSaAjQ==",
+      "version": "4.62.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.62.0.tgz",
+      "integrity": "sha512-5LOhoaesY3doG1c+ac/2JtgREpKoJr5bUHH8tKY0V8di7+uSV6BwLs2PlR0/yzefGOkR+wE7ZolZphHCsyG5Rw==",
       "cpu": [
         "arm64"
       ],
       "dev": true,
-      "license": "MIT",
       "optional": true,
       "os": [
         "win32"
       ]
     },
     "node_modules/@rollup/rollup-win32-ia32-msvc": {
-      "version": "4.55.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.55.2.tgz",
-      "integrity": "sha512-GvJ03TqqaweWCigtKQVBErw2bEhu1tyfNQbarwr94wCGnczA9HF8wqEe3U/Lfu6EdeNP0p6R+APeHVwEqVxpUQ==",
+      "version": "4.62.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.62.0.tgz",
+      "integrity": "sha512-yYkWHhmbhRTWTnWos5HC4GcPQfjlzzCNbM9e/+GXrLuaBXYA3qSDR9f0Vgufd5S8yX81U8jPKp7ZnAjZFMtRnw==",
       "cpu": [
         "ia32"
       ],
       "dev": true,
-      "license": "MIT",
       "optional": true,
       "os": [
         "win32"
       ]
     },
     "node_modules/@rollup/rollup-win32-x64-gnu": {
-      "version": "4.55.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-gnu/-/rollup-win32-x64-gnu-4.55.2.tgz",
-      "integrity": "sha512-KvXsBvp13oZz9JGe5NYS7FNizLe99Ny+W8ETsuCyjXiKdiGrcz2/J/N8qxZ/RSwivqjQguug07NLHqrIHrqfYw==",
+      "version": "4.62.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-gnu/-/rollup-win32-x64-gnu-4.62.0.tgz",
+      "integrity": "sha512-SoTb6lPg25xZlA2ibwQ++ahCCnH+FP0qmEuafMJ4gznZKOlXioKEAeJLgCrqjM98ACziXM9V1amFjICVL4IFoA==",
       "cpu": [
         "x64"
       ],
       "dev": true,
-      "license": "MIT",
       "optional": true,
       "os": [
         "win32"
       ]
     },
     "node_modules/@rollup/rollup-win32-x64-msvc": {
-      "version": "4.55.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.55.2.tgz",
-      "integrity": "sha512-xNO+fksQhsAckRtDSPWaMeT1uIM+JrDRXlerpnWNXhn1TdB3YZ6uKBMBTKP0eX9XtYEP978hHk1f8332i2AW8Q==",
+      "version": "4.62.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.62.0.tgz",
+      "integrity": "sha512-5L+T1fMX4RIEBoZzT0+sQ0PhTS36NULFmMXtl1TZo44TMAROIMHbZufSOjVWt/Y622BtxgxtaNOokbTDvfsrZA==",
       "cpu": [
         "x64"
       ],
       "dev": true,
-      "license": "MIT",
       "optional": true,
       "os": [
         "win32"
@@ -4854,10 +4759,9 @@
       }
     },
     "node_modules/@types/estree": {
-      "version": "1.0.8",
-      "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.8.tgz",
-      "integrity": "sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w==",
-      "license": "MIT"
+      "version": "1.0.9",
+      "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.9.tgz",
+      "integrity": "sha512-GhdPgy1el4/ImP05X05Uw4cw2/M93BCUmnEvWZNStlCzEKME4Fkk+YpoA5OiHNQmoS7Cafb8Xa3Pya8m1Qrzeg=="
     },
     "node_modules/@types/estree-jsx": {
       "version": "1.0.5",
@@ -4909,6 +4813,7 @@
       "version": "22.19.7",
       "resolved": "https://registry.npmjs.org/@types/node/-/node-22.19.7.tgz",
       "integrity": "sha512-MciR4AKGHWl7xwxkBa6xUGxQJ4VBOmPTF7sL+iGzuahOFaO0jHCsuEfS80pan1ef4gWId1oWOweIhrDEYLuaOw==",
+      "dev": true,
       "license": "MIT",
       "dependencies": {
         "undici-types": "~6.21.0"
@@ -5285,12 +5190,22 @@
         "acorn": "^6.0.0 || ^7.0.0 || ^8.0.0"
       }
     },
+    "node_modules/agent-base": {
+      "version": "6.0.2",
+      "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-6.0.2.tgz",
+      "integrity": "sha512-RZNwNclF7+MS/8bDg70amg32dyeZGZxiDuQmZxKLAlQjr3jGyLx+4Kkk58UO7D2QdgFIQCovuSuZESne6RG6XQ==",
+      "dependencies": {
+        "debug": "4"
+      },
+      "engines": {
+        "node": ">= 6.0.0"
+      }
+    },
     "node_modules/ajv": {
-      "version": "6.12.6",
-      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz",
-      "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==",
+      "version": "6.15.0",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.15.0.tgz",
+      "integrity": "sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw==",
       "dev": true,
-      "license": "MIT",
       "dependencies": {
         "fast-deep-equal": "^3.1.1",
         "fast-json-stable-stringify": "^2.0.0",
@@ -5431,14 +5346,14 @@
       }
     },
     "node_modules/axios": {
-      "version": "1.13.2",
-      "resolved": "https://registry.npmjs.org/axios/-/axios-1.13.2.tgz",
-      "integrity": "sha512-VPk9ebNqPcy5lRGuSlKx752IlDatOjT9paPlm8A7yOuW2Fbvp4X3JznJtT4f0GzGLLiWE9W8onz51SqLYwzGaA==",
-      "license": "MIT",
+      "version": "1.17.0",
+      "resolved": "https://registry.npmjs.org/axios/-/axios-1.17.0.tgz",
+      "integrity": "sha512-J8SwNxprqqpbfenehxWYXE7CW+wM1BB4w3+N+g+/Wx40xM4rsLrfPmHHxSWIxJLYDgSY/HqlFPIYb2/S3rxafw==",
       "dependencies": {
-        "follow-redirects": "^1.15.6",
-        "form-data": "^4.0.4",
-        "proxy-from-env": "^1.1.0"
+        "follow-redirects": "^1.16.0",
+        "form-data": "^4.0.5",
+        "https-proxy-agent": "^5.0.1",
+        "proxy-from-env": "^2.1.0"
       }
     },
     "node_modules/bail": {
@@ -5488,11 +5403,10 @@
       "license": "MIT"
     },
     "node_modules/brace-expansion": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-      "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.1.tgz",
+      "integrity": "sha512-WR1cURNjuvBLMZBMbqM0UoE+WAfdUcEV1ccD8PVBVOI+Z3ND4+SZbN8RsfT2bMuG1qwz5RFvPukSZm5fF2D5eA==",
       "dev": true,
-      "license": "MIT",
       "dependencies": {
         "balanced-match": "^1.0.0"
       }
@@ -6449,22 +6363,20 @@
       }
     },
     "node_modules/eslint/node_modules/brace-expansion": {
-      "version": "1.1.12",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
-      "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
+      "version": "1.1.15",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.15.tgz",
+      "integrity": "sha512-EwOCDEex4quD37XhqM3omwtMoJjr//isUZz1JopUNWms+4Z2ViyM/k1YIRePpoVNnQhENnxtFjLaxNHrT7xIUg==",
       "dev": true,
-      "license": "MIT",
       "dependencies": {
         "balanced-match": "^1.0.0",
         "concat-map": "0.0.1"
       }
     },
     "node_modules/eslint/node_modules/minimatch": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
-      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
+      "version": "3.1.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
+      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
       "dev": true,
-      "license": "ISC",
       "dependencies": {
         "brace-expansion": "^1.1.7"
       },
@@ -6723,23 +6635,21 @@
       }
     },
     "node_modules/flatted": {
-      "version": "3.3.3",
-      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.3.tgz",
-      "integrity": "sha512-GX+ysw4PBCz0PzosHDepZGANEuFCMLrnRTiEy9McGjmkCQYwRq4A/X786G/fjM/+OjsWSU1ZrY5qyARZmO/uwg==",
-      "dev": true,
-      "license": "ISC"
+      "version": "3.4.2",
+      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
+      "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
+      "dev": true
     },
     "node_modules/follow-redirects": {
-      "version": "1.15.11",
-      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.11.tgz",
-      "integrity": "sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==",
+      "version": "1.16.0",
+      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.16.0.tgz",
+      "integrity": "sha512-y5rN/uOsadFT/JfYwhxRS5R7Qce+g3zG97+JrtFZlC9klX/W5hD7iiLzScI4nZqUS7DNUdhPgw4xI8W2LuXlUw==",
       "funding": [
         {
           "type": "individual",
           "url": "https://github.com/sponsors/RubenVerborgh"
         }
       ],
-      "license": "MIT",
       "engines": {
         "node": ">=4.0"
       },
@@ -6920,22 +6830,20 @@
       }
     },
     "node_modules/glob/node_modules/brace-expansion": {
-      "version": "1.1.12",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
-      "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
+      "version": "1.1.15",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.15.tgz",
+      "integrity": "sha512-EwOCDEex4quD37XhqM3omwtMoJjr//isUZz1JopUNWms+4Z2ViyM/k1YIRePpoVNnQhENnxtFjLaxNHrT7xIUg==",
       "dev": true,
-      "license": "MIT",
       "dependencies": {
         "balanced-match": "^1.0.0",
         "concat-map": "0.0.1"
       }
     },
     "node_modules/glob/node_modules/minimatch": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
-      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
+      "version": "3.1.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
+      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
       "dev": true,
-      "license": "ISC",
       "dependencies": {
         "brace-expansion": "^1.1.7"
       },
@@ -7106,6 +7014,18 @@
         "url": "https://opencollective.com/unified"
       }
     },
+    "node_modules/https-proxy-agent": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-5.0.1.tgz",
+      "integrity": "sha512-dFcAjpTQFgoLMzC2VwU+C/CbS7uRL0lWmxDITmqm7C+7F0Odmj6s9l6alZc6AELXhrnggM2CeWSXHGOdX2YtwA==",
+      "dependencies": {
+        "agent-base": "6",
+        "debug": "4"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
     "node_modules/ignore": {
       "version": "5.3.2",
       "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.3.2.tgz",
@@ -7537,10 +7457,9 @@
       }
     },
     "node_modules/lodash": {
-      "version": "4.17.21",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
-      "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==",
-      "license": "MIT"
+      "version": "4.18.1",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
+      "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q=="
     },
     "node_modules/lodash.merge": {
       "version": "4.6.2",
@@ -8308,9 +8227,9 @@
       }
     },
     "node_modules/nanoid": {
-      "version": "3.3.11",
-      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.11.tgz",
-      "integrity": "sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w==",
+      "version": "3.3.12",
+      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.12.tgz",
+      "integrity": "sha512-ZB9RH/39qpq5Vu6Y+NmUaFhQR6pp+M2Xt76XBnEwDaGcVAqhlvxrl3B2bKS5D3NH3QR76v3aSrKaF/Kiy7lEtQ==",
       "dev": true,
       "funding": [
         {
@@ -8318,7 +8237,6 @@
           "url": "https://github.com/sponsors/ai"
         }
       ],
-      "license": "MIT",
       "bin": {
         "nanoid": "bin/nanoid.cjs"
       },
@@ -8522,11 +8440,10 @@
       "license": "ISC"
     },
     "node_modules/picomatch": {
-      "version": "2.3.1",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
-      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+      "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
       "dev": true,
-      "license": "MIT",
       "engines": {
         "node": ">=8.6"
       },
@@ -8555,9 +8472,9 @@
       }
     },
     "node_modules/postcss": {
-      "version": "8.5.6",
-      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz",
-      "integrity": "sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg==",
+      "version": "8.5.15",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.15.tgz",
+      "integrity": "sha512-FfR8sjd4em2T6fb3I2MwAJU7HWVMr9zba+enmQeeWFfCbm+UOC/0X4DS8XtpUTMwWMGbjKYP7xjfNekzyGmB3A==",
       "dev": true,
       "funding": [
         {
@@ -8573,9 +8490,8 @@
           "url": "https://github.com/sponsors/ai"
         }
       ],
-      "license": "MIT",
       "dependencies": {
-        "nanoid": "^3.3.11",
+        "nanoid": "^3.3.12",
         "picocolors": "^1.1.1",
         "source-map-js": "^1.2.1"
       },
@@ -8755,34 +8671,23 @@
       }
     },
     "node_modules/protobufjs": {
-      "version": "7.5.4",
-      "resolved": "https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz",
-      "integrity": "sha512-CvexbZtbov6jW2eXAvLukXjXUW1TzFaivC46BpWc/3BpcCysb5Vffu+B3XHMm8lVEuy2Mm4XGex8hBSg1yapPg==",
-      "hasInstallScript": true,
-      "license": "BSD-3-Clause",
+      "version": "8.6.3",
+      "resolved": "https://registry.npmjs.org/protobufjs/-/protobufjs-8.6.3.tgz",
+      "integrity": "sha512-alQyzT0j401LGBtwsqu6uprjR6pfNH1UJf9N6GBFMjIcd+HzTe0/HrjAbFCqun+zvnfLarrxAtMM2xvZ+kFZ5A==",
       "dependencies": {
-        "@protobufjs/aspromise": "^1.1.2",
-        "@protobufjs/base64": "^1.1.2",
-        "@protobufjs/codegen": "^2.0.4",
-        "@protobufjs/eventemitter": "^1.1.0",
-        "@protobufjs/fetch": "^1.1.0",
-        "@protobufjs/float": "^1.0.2",
-        "@protobufjs/inquire": "^1.1.0",
-        "@protobufjs/path": "^1.1.2",
-        "@protobufjs/pool": "^1.1.0",
-        "@protobufjs/utf8": "^1.1.0",
-        "@types/node": ">=13.7.0",
-        "long": "^5.0.0"
+        "long": "^5.3.2"
       },
       "engines": {
         "node": ">=12.0.0"
       }
     },
     "node_modules/proxy-from-env": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz",
-      "integrity": "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==",
-      "license": "MIT"
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-2.1.0.tgz",
+      "integrity": "sha512-cJ+oHTW1VAEa8cJslgmUZrc+sjRKgAKl3Zyse6+PV38hZe/V6Z14TbCuXcan9F9ghlz4QrFr2c92TNF82UkYHA==",
+      "engines": {
+        "node": ">=10"
+      }
     },
     "node_modules/punycode": {
       "version": "2.3.1",
@@ -8884,12 +8789,11 @@
       }
     },
     "node_modules/react-router": {
-      "version": "6.30.3",
-      "resolved": "https://registry.npmjs.org/react-router/-/react-router-6.30.3.tgz",
-      "integrity": "sha512-XRnlbKMTmktBkjCLE8/XcZFlnHvr2Ltdr1eJX4idL55/9BbORzyZEaIkBFDhFGCEWBBItsVrDxwx3gnisMitdw==",
-      "license": "MIT",
+      "version": "6.30.4",
+      "resolved": "https://registry.npmjs.org/react-router/-/react-router-6.30.4.tgz",
+      "integrity": "sha512-SVUsDe+DybHM/WmYKIVYhZh1o5Dcuf16yM6WjG02Q9XVFMZIJyHYhwrr6bFBXZkVP6z69kNkMyBCujt8FaFLJA==",
       "dependencies": {
-        "@remix-run/router": "1.23.2"
+        "@remix-run/router": "1.23.3"
       },
       "engines": {
         "node": ">=14.0.0"
@@ -8899,13 +8803,12 @@
       }
     },
     "node_modules/react-router-dom": {
-      "version": "6.30.3",
-      "resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-6.30.3.tgz",
-      "integrity": "sha512-pxPcv1AczD4vso7G4Z3TKcvlxK7g7TNt3/FNGMhfqyntocvYKj+GCatfigGDjbLozC4baguJ0ReCigoDJXb0ag==",
-      "license": "MIT",
+      "version": "6.30.4",
+      "resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-6.30.4.tgz",
+      "integrity": "sha512-q4HvNl+mmDdkS0g+MqiBZNteQJCuimWoOyHMy4T/RQLAn9Z29+E91QXRaxOujeMl2HTzRSS0KFPd7lxX3PjV0Q==",
       "dependencies": {
-        "@remix-run/router": "1.23.2",
-        "react-router": "6.30.3"
+        "@remix-run/router": "1.23.3",
+        "react-router": "6.30.4"
       },
       "engines": {
         "node": ">=14.0.0"
@@ -9127,13 +9030,12 @@
       }
     },
     "node_modules/rollup": {
-      "version": "4.55.2",
-      "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.55.2.tgz",
-      "integrity": "sha512-PggGy4dhwx5qaW+CKBilA/98Ql9keyfnb7lh4SR6shQ91QQQi1ORJ1v4UinkdP2i87OBs9AQFooQylcrrRfIcg==",
+      "version": "4.62.0",
+      "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.62.0.tgz",
+      "integrity": "sha512-nc72Wgq62I7rtDV4izT5/aaS0zxy3kttkinf9586ApknY3jZO9NYsmtc24fUckA0X7Q2v+ML4a15pdUlV5V/jA==",
       "dev": true,
-      "license": "MIT",
       "dependencies": {
-        "@types/estree": "1.0.8"
+        "@types/estree": "1.0.9"
       },
       "bin": {
         "rollup": "dist/bin/rollup"
@@ -9143,31 +9045,31 @@
         "npm": ">=8.0.0"
       },
       "optionalDependencies": {
-        "@rollup/rollup-android-arm-eabi": "4.55.2",
-        "@rollup/rollup-android-arm64": "4.55.2",
-        "@rollup/rollup-darwin-arm64": "4.55.2",
-        "@rollup/rollup-darwin-x64": "4.55.2",
-        "@rollup/rollup-freebsd-arm64": "4.55.2",
-        "@rollup/rollup-freebsd-x64": "4.55.2",
-        "@rollup/rollup-linux-arm-gnueabihf": "4.55.2",
-        "@rollup/rollup-linux-arm-musleabihf": "4.55.2",
-        "@rollup/rollup-linux-arm64-gnu": "4.55.2",
-        "@rollup/rollup-linux-arm64-musl": "4.55.2",
-        "@rollup/rollup-linux-loong64-gnu": "4.55.2",
-        "@rollup/rollup-linux-loong64-musl": "4.55.2",
-        "@rollup/rollup-linux-ppc64-gnu": "4.55.2",
-        "@rollup/rollup-linux-ppc64-musl": "4.55.2",
-        "@rollup/rollup-linux-riscv64-gnu": "4.55.2",
-        "@rollup/rollup-linux-riscv64-musl": "4.55.2",
-        "@rollup/rollup-linux-s390x-gnu": "4.55.2",
-        "@rollup/rollup-linux-x64-gnu": "4.55.2",
-        "@rollup/rollup-linux-x64-musl": "4.55.2",
-        "@rollup/rollup-openbsd-x64": "4.55.2",
-        "@rollup/rollup-openharmony-arm64": "4.55.2",
-        "@rollup/rollup-win32-arm64-msvc": "4.55.2",
-        "@rollup/rollup-win32-ia32-msvc": "4.55.2",
-        "@rollup/rollup-win32-x64-gnu": "4.55.2",
-        "@rollup/rollup-win32-x64-msvc": "4.55.2",
+        "@rollup/rollup-android-arm-eabi": "4.62.0",
+        "@rollup/rollup-android-arm64": "4.62.0",
+        "@rollup/rollup-darwin-arm64": "4.62.0",
+        "@rollup/rollup-darwin-x64": "4.62.0",
+        "@rollup/rollup-freebsd-arm64": "4.62.0",
+        "@rollup/rollup-freebsd-x64": "4.62.0",
+        "@rollup/rollup-linux-arm-gnueabihf": "4.62.0",
+        "@rollup/rollup-linux-arm-musleabihf": "4.62.0",
+        "@rollup/rollup-linux-arm64-gnu": "4.62.0",
+        "@rollup/rollup-linux-arm64-musl": "4.62.0",
+        "@rollup/rollup-linux-loong64-gnu": "4.62.0",
+        "@rollup/rollup-linux-loong64-musl": "4.62.0",
+        "@rollup/rollup-linux-ppc64-gnu": "4.62.0",
+        "@rollup/rollup-linux-ppc64-musl": "4.62.0",
+        "@rollup/rollup-linux-riscv64-gnu": "4.62.0",
+        "@rollup/rollup-linux-riscv64-musl": "4.62.0",
+        "@rollup/rollup-linux-s390x-gnu": "4.62.0",
+        "@rollup/rollup-linux-x64-gnu": "4.62.0",
+        "@rollup/rollup-linux-x64-musl": "4.62.0",
+        "@rollup/rollup-openbsd-x64": "4.62.0",
+        "@rollup/rollup-openharmony-arm64": "4.62.0",
+        "@rollup/rollup-win32-arm64-msvc": "4.62.0",
+        "@rollup/rollup-win32-ia32-msvc": "4.62.0",
+        "@rollup/rollup-win32-x64-gnu": "4.62.0",
+        "@rollup/rollup-win32-x64-msvc": "4.62.0",
         "fsevents": "~2.3.2"
       }
     },
@@ -9553,11 +9455,10 @@
       }
     },
     "node_modules/tinyglobby/node_modules/picomatch": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
       "dev": true,
-      "license": "MIT",
       "engines": {
         "node": ">=12"
       },
@@ -9683,6 +9584,7 @@
       "version": "6.21.0",
       "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.21.0.tgz",
       "integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==",
+      "dev": true,
       "license": "MIT"
     },
     "node_modules/unified": {
@@ -9875,16 +9777,15 @@
       "license": "MIT"
     },
     "node_modules/uuid": {
-      "version": "10.0.0",
-      "resolved": "https://registry.npmjs.org/uuid/-/uuid-10.0.0.tgz",
-      "integrity": "sha512-8XkAphELsDnEGrDxUOHB3RGvXz6TeuYSGEZBOjtTtPm2lwhGBjLgOzLHB63IUWfBpNucQjND6d3AOudO+H3RWQ==",
+      "version": "11.1.1",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-11.1.1.tgz",
+      "integrity": "sha512-vIYxrBCC/N/K+Js3qSN88go7kIfNPssr/hHCesKCQNAjmgvYS2oqr69kIufEG+O4+PfezOH4EbIeHCfFov8ZgQ==",
       "funding": [
         "https://github.com/sponsors/broofa",
         "https://github.com/sponsors/ctavan"
       ],
-      "license": "MIT",
       "bin": {
-        "uuid": "dist/bin/uuid"
+        "uuid": "dist/esm/bin/uuid"
       }
     },
     "node_modules/vfile": {
diff --git a/frontend/package.json b/frontend/package.json
index c814701b..7dbf0926 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -18,7 +18,7 @@
     "@vapi-ai/web": "^2.5.2",
     "@xyflow/react": "^12.3.5",
     "atoms-client-sdk": "^1.1.0",
-    "axios": "^1.6.2",
+    "axios": "^1.16.0",
     "clsx": "^2.1.0",
     "country-flag-icons": "^1.6.15",
     "dagre": "^0.8.5",
@@ -26,7 +26,7 @@
     "framer-motion": "^11.0.0",
     "livekit-client": "^2.17.0",
     "lucide-react": "^0.303.0",
-    "protobufjs": "^7.4.0",
+    "protobufjs": "^8.0.2",
     "react": "^18.2.0",
     "react-dom": "^18.2.0",
     "react-markdown": "^10.1.0",
diff --git a/tests/test_api/test_data_sources_routes.py b/tests/test_api/test_data_sources_routes.py
index f2bf3d7b..b19d0cf0 100644
--- a/tests/test_api/test_data_sources_routes.py
+++ b/tests/test_api/test_data_sources_routes.py
@@ -9,10 +9,18 @@ def _org_key(org_id, filename: str = "audio.wav", prefix: str = "audio/") -> str
     return f"{prefix}organizations/{org_id}/audio/{filename}"
 
 
-def _patch_storage(monkeypatch, data_routes, org_id, *, prefix: str = "audio/"):
+def _patch_storage(
+    monkeypatch, data_routes, org_id, *, prefix: str = "audio/", blob_provider: str = "s3"
+):
+    from app.config import settings
+
+    if blob_provider == "gcs":
+        monkeypatch.setattr(settings, "GCS_PREFIX", prefix.rstrip("/"), raising=False)
+    else:
+        monkeypatch.setattr(settings, "S3_PREFIX", prefix.rstrip("/"), raising=False)
+
     monkeypatch.setattr(data_routes.s3_service, "is_enabled", lambda: True)
     monkeypatch.setattr(data_routes.s3_service, "get_status_message", lambda: "ok")
-    monkeypatch.setattr(data_routes.s3_service, "prefix", prefix)
     monkeypatch.setattr(
         data_routes.s3_service,
         "get_organization_root_prefix",
@@ -51,7 +59,9 @@ def test_s3_status_list_presigned_and_delete(
     from app.config import settings
 
     monkeypatch.setattr(settings, "BLOB_STORAGE_PROVIDER", blob_provider)
-    _patch_storage(monkeypatch, data_routes, org_id, prefix=prefix)
+    _patch_storage(
+        monkeypatch, data_routes, org_id, prefix=prefix, blob_provider=blob_provider
+    )
     own_key = _org_key(org_id, prefix=prefix)
     encoded_key = own_key.replace("/", "%2F")
 
@@ -81,7 +91,9 @@ def test_blob_routes_reject_cross_tenant_keys(
     from app.config import settings
 
     monkeypatch.setattr(settings, "BLOB_STORAGE_PROVIDER", blob_provider)
-    _patch_storage(monkeypatch, data_routes, org_id, prefix=prefix)
+    _patch_storage(
+        monkeypatch, data_routes, org_id, prefix=prefix, blob_provider=blob_provider
+    )
 
     victim_org_id = uuid4()
     victim_key = _org_key(victim_org_id, prefix=prefix)
@@ -111,7 +123,9 @@ def test_blob_download_allows_own_org_key(
     from app.config import settings
 
     monkeypatch.setattr(settings, "BLOB_STORAGE_PROVIDER", blob_provider)
-    _patch_storage(monkeypatch, data_routes, org_id, prefix=prefix)
+    _patch_storage(
+        monkeypatch, data_routes, org_id, prefix=prefix, blob_provider=blob_provider
+    )
     own_key = _org_key(org_id, prefix=prefix)
 
     response = authenticated_client.get(
diff --git a/tests/test_api/test_manual_evaluations_routes.py b/tests/test_api/test_manual_evaluations_routes.py
index 89d6cbe0..25dac621 100644
--- a/tests/test_api/test_manual_evaluations_routes.py
+++ b/tests/test_api/test_manual_evaluations_routes.py
@@ -9,10 +9,11 @@ def _org_key(org_id, filename: str = "audio.wav", prefix: str = "audio/") -> str
 
 def test_list_audio_files_and_presigned_url(authenticated_client, monkeypatch, org_id):
     from app.api.v1.routes import manual_evaluations as manual_routes
+    from app.config import settings
 
     own_key = _org_key(org_id)
+    monkeypatch.setattr(settings, "S3_PREFIX", "audio", raising=False)
     monkeypatch.setattr(manual_routes.s3_service, "is_enabled", lambda: True)
-    monkeypatch.setattr(manual_routes.s3_service, "prefix", "audio/")
     monkeypatch.setattr(
         manual_routes.s3_service,
         "get_organization_root_prefix",
@@ -52,9 +53,10 @@ def test_manual_evaluations_presigned_url_rejects_cross_tenant_key(
     authenticated_client, monkeypatch, org_id
 ):
     from app.api.v1.routes import manual_evaluations as manual_routes
+    from app.config import settings
 
+    monkeypatch.setattr(settings, "S3_PREFIX", "audio", raising=False)
     monkeypatch.setattr(manual_routes.s3_service, "is_enabled", lambda: True)
-    monkeypatch.setattr(manual_routes.s3_service, "prefix", "audio/")
     monkeypatch.setattr(
         manual_routes.s3_service,
         "get_organization_root_prefix",
diff --git a/tests/test_api/test_telephony_webhooks.py b/tests/test_api/test_telephony_webhooks.py
new file mode 100644
index 00000000..e68d758f
--- /dev/null
+++ b/tests/test_api/test_telephony_webhooks.py
@@ -0,0 +1,152 @@
+"""API tests for Plivo telephony webhooks."""
+
+from uuid import uuid4
+
+import pytest
+
+from app.models.database import (
+    CallRecording,
+    CallRecordingSource,
+    CallRecordingStatus,
+    TelephonyIntegration,
+    TelephonyPhoneNumber,
+    Workspace,
+)
+from app.models.enums import TelephonyProvider
+
+
+def _seed_plivo_phone(db_session, org_id, *, phone_number="+15551234567"):
+    integration = TelephonyIntegration(
+        id=uuid4(),
+        organization_id=org_id,
+        provider=TelephonyProvider.PLIVO.value,
+        auth_id="plivo-auth-id",
+        auth_token="plivo-auth-token",
+        is_active=True,
+        is_default=True,
+    )
+    db_session.add(integration)
+    db_session.flush()
+
+    number = TelephonyPhoneNumber(
+        id=uuid4(),
+        organization_id=org_id,
+        telephony_integration_id=integration.id,
+        phone_number=phone_number,
+        is_active=True,
+    )
+    db_session.add(number)
+    db_session.commit()
+    return integration, number
+
+
+def _seed_call_recording(db_session, org_id, *, call_uuid="call-uuid-123"):
+    workspace = (
+        db_session.query(Workspace)
+        .filter(Workspace.organization_id == org_id, Workspace.is_default.is_(True))
+        .first()
+    )
+    integration = TelephonyIntegration(
+        id=uuid4(),
+        organization_id=org_id,
+        provider=TelephonyProvider.PLIVO.value,
+        auth_id="plivo-auth-id",
+        auth_token="plivo-auth-token",
+        is_active=True,
+        is_default=True,
+    )
+    db_session.add(integration)
+    db_session.flush()
+
+    recording = CallRecording(
+        id=uuid4(),
+        organization_id=org_id,
+        workspace_id=workspace.id,
+        call_short_id="123456",
+        status=CallRecordingStatus.PENDING,
+        source=CallRecordingSource.PLAYGROUND,
+        provider_call_id=call_uuid,
+    )
+    db_session.add(recording)
+    db_session.commit()
+    return recording
+
+
+def test_answer_webhook_rejects_missing_signature(client, db_session, org_id, seed_org):
+    _seed_plivo_phone(db_session, org_id)
+
+    response = client.post(
+        "/api/v1/telephony/webhooks/answer",
+        data={"To": "+15551234567", "From": "+15559876543", "CallUUID": "uuid-1"},
+    )
+
+    assert response.status_code == 403
+    assert response.json()["detail"] == "Missing webhook signature"
+
+
+def test_answer_webhook_rejects_invalid_signature(
+    client, db_session, org_id, seed_org, monkeypatch
+):
+    _seed_plivo_phone(db_session, org_id)
+    monkeypatch.setattr(
+        "plivo.utils.validate_signature",
+        lambda *_args, **_kwargs: False,
+    )
+
+    response = client.post(
+        "/api/v1/telephony/webhooks/answer",
+        data={"To": "+15551234567", "From": "+15559876543", "CallUUID": "uuid-1"},
+        headers={"X-Plivo-Signature": "bad-signature"},
+    )
+
+    assert response.status_code == 403
+    assert response.json()["detail"] == "Invalid webhook signature"
+
+
+def test_answer_webhook_accepts_valid_signature(
+    client, db_session, org_id, seed_org, monkeypatch
+):
+    _seed_plivo_phone(db_session, org_id)
+    monkeypatch.setattr(
+        "plivo.utils.validate_signature",
+        lambda *_args, **_kwargs: True,
+    )
+
+    response = client.post(
+        "/api/v1/telephony/webhooks/answer",
+        data={"To": "+15551234567", "From": "+15559876543", "CallUUID": "uuid-1"},
+        headers={"X-Plivo-Signature": "valid-signature"},
+    )
+
+    assert response.status_code == 200
+    assert "application/xml" in response.headers["content-type"]
+
+
+def test_events_webhook_rejects_unknown_call_uuid(client, db_session, org_id, seed_org):
+    response = client.post(
+        "/api/v1/telephony/webhooks/events",
+        data={"CallUUID": "unknown-call", "CallStatus": "completed"},
+        headers={"X-Plivo-Signature": "any-signature"},
+    )
+
+    assert response.status_code == 403
+    assert response.json()["detail"] == "Invalid webhook signature"
+
+
+def test_events_webhook_accepts_valid_signature(
+    client, db_session, org_id, seed_org, monkeypatch
+):
+    recording = _seed_call_recording(db_session, org_id, call_uuid="known-call")
+    monkeypatch.setattr(
+        "plivo.utils.validate_signature",
+        lambda *_args, **_kwargs: True,
+    )
+
+    response = client.post(
+        "/api/v1/telephony/webhooks/events",
+        data={"CallUUID": recording.provider_call_id, "CallStatus": "completed"},
+        headers={"X-Plivo-Signature": "valid-signature"},
+    )
+
+    assert response.status_code == 200
+    assert response.json()["status"] == "ok"
diff --git a/tests/test_services/test_telephony/test_recording_download.py b/tests/test_services/test_telephony/test_recording_download.py
new file mode 100644
index 00000000..d52da32b
--- /dev/null
+++ b/tests/test_services/test_telephony/test_recording_download.py
@@ -0,0 +1,74 @@
+"""Tests for recording URL download SSRF guards."""
+
+from unittest.mock import MagicMock, patch
+
+import httpx
+import pytest
+
+from app.services.telephony.exotel_client import ExotelInvalidContentError
+from app.services.telephony import recording_download as module
+
+
+def test_assert_recording_url_safe_rejects_metadata_ip():
+    with pytest.raises(ExotelInvalidContentError, match="blocked network address"):
+        module.assert_recording_url_safe(
+            "http://169.254.169.254/latest/meta-data/",
+            user_supplied=True,
+        )
+
+
+def test_assert_recording_url_safe_rejects_non_allowlisted_host(monkeypatch):
+    monkeypatch.setattr(
+        module.settings,
+        "RECORDING_URL_ALLOWED_HOST_SUFFIXES",
+        ["exotel.com"],
+        raising=False,
+    )
+    with pytest.raises(ExotelInvalidContentError, match="not allowlisted"):
+        module.assert_recording_url_safe(
+            "https://evil.example/recording.mp3",
+            user_supplied=True,
+        )
+
+
+def test_download_recording_url_rejects_credentials_for_user_supplied_urls():
+    with pytest.raises(ExotelInvalidContentError, match="must not be fetched with credentials"):
+        module.download_recording_url(
+            "https://api.exotel.com/v1/Accounts/recording.mp3",
+            auth=("user", "pass"),
+            user_supplied=True,
+        )
+
+
+def test_download_public_recording_fetches_allowlisted_host(monkeypatch):
+    monkeypatch.setattr(
+        module.settings,
+        "RECORDING_URL_ALLOWED_HOST_SUFFIXES",
+        ["exotel.com"],
+        raising=False,
+    )
+
+    response = httpx.Response(
+        200,
+        headers={"content-type": "audio/mpeg"},
+        content=b"audio-bytes",
+        request=httpx.Request("GET", "https://api.exotel.com/recording.mp3"),
+    )
+    mock_client = MagicMock()
+    mock_client.get.return_value = response
+    mock_client.__enter__.return_value = mock_client
+    mock_client.__exit__.return_value = False
+
+    with patch.object(module.socket, "getaddrinfo") as mock_getaddrinfo:
+        mock_getaddrinfo.return_value = [(None, None, None, None, ("52.0.0.1", 0))]
+        with patch.object(module.httpx, "Client", return_value=mock_client):
+            body, content_type = module.download_public_recording(
+                "https://api.exotel.com/recording.mp3"
+            )
+
+    assert body == b"audio-bytes"
+    assert content_type == "audio/mpeg"
+    mock_client.get.assert_called_once_with(
+        "https://api.exotel.com/recording.mp3",
+        auth=None,
+    )
diff --git a/tests/test_workers/test_process_call_import_row.py b/tests/test_workers/test_process_call_import_row.py
index 50f5fd83..5ba9bb8f 100644
--- a/tests/test_workers/test_process_call_import_row.py
+++ b/tests/test_workers/test_process_call_import_row.py
@@ -441,6 +441,9 @@ def download_recording(self, recording_url):
     fake_client = _LookupFailsFallbackWorks()
     fake_s3 = _FakeS3(enabled=True)
     task_module = _patch_dependencies(monkeypatch, db_session, fake_client, fake_s3)
+    public_calls = _patch_public_download(
+        monkeypatch, return_value=(b"fallback-audio", "audio/mpeg")
+    )
 
     result = task_module.process_call_import_row_task.run(str(row.id))
 
@@ -451,7 +454,8 @@ def download_recording(self, recording_url):
     # Lookup attempted exactly once with the call_sid, then download from
     # the original CSV URL (no other URL was tried).
     assert fake_client.resolved_calls == [row.conversation_id]
-    assert fake_client.calls == [csv_url]
+    assert fake_client.calls == []
+    assert public_calls == [csv_url]
 
     assert row.status == CallImportRowStatus.COMPLETED
     assert row.recording_size_bytes == len(b"fallback-audio")
@@ -491,6 +495,12 @@ def download_recording(self, recording_url):
     fake_client = _BothPathsFail()
     fake_s3 = _FakeS3(enabled=True)
     task_module = _patch_dependencies(monkeypatch, db_session, fake_client, fake_s3)
+    _patch_public_download(
+        monkeypatch,
+        side_effect=lambda url: (_ for _ in ()).throw(
+            ExotelAuthError(f"auth rejected for {url}")
+        ),
+    )
 
     monkeypatch.setattr(
         task_module.process_call_import_row_task,
@@ -582,6 +592,9 @@ def download_recording(self, recording_url):
     fake_client = _LookupTransientCsvOk()
     fake_s3 = _FakeS3(enabled=True)
     task_module = _patch_dependencies(monkeypatch, db_session, fake_client, fake_s3)
+    public_calls = _patch_public_download(
+        monkeypatch, return_value=(b"recovered-via-fallback", "audio/mpeg")
+    )
 
     result = task_module.process_call_import_row_task.run(str(row.id))
 
@@ -589,7 +602,8 @@ def download_recording(self, recording_url):
     db_session.refresh(row)
     db_session.refresh(call_import)
     assert fake_client.resolved_calls == [row.conversation_id]
-    assert fake_client.calls == [csv_url]
+    assert fake_client.calls == []
+    assert public_calls == [csv_url]
     assert row.status == CallImportRowStatus.COMPLETED
     assert row.recording_size_bytes == len(b"recovered-via-fallback")
     assert call_import.status == CallImportStatus.COMPLETED
@@ -622,6 +636,12 @@ def download_recording(self, recording_url):
     fake_client = _BothTransient()
     fake_s3 = _FakeS3(enabled=True)
     task_module = _patch_dependencies(monkeypatch, db_session, fake_client, fake_s3)
+    public_calls = _patch_public_download(
+        monkeypatch,
+        side_effect=lambda url: (_ for _ in ()).throw(
+            ExotelTransientError("503 fetching recording")
+        ),
+    )
 
     monkeypatch.setattr(
         task_module.process_call_import_row_task,
@@ -637,7 +657,8 @@ def download_recording(self, recording_url):
     assert "Transient" in (row.error_message or "")
     assert fake_client.resolved_calls == [row.conversation_id]
     # Fallback was attempted with the CSV URL before retry was scheduled.
-    assert fake_client.calls == [row.recording_url]
+    assert fake_client.calls == []
+    assert public_calls == [row.recording_url]
 
 
 def test_process_call_import_row_uses_conversation_id_when_provider_set_without_pin(

From aed9b9b822416a5bdf4989f88236ae8000783843 Mon Sep 17 00:00:00 2001
From: Tejas Narayan <stejasnarayan@gmail.com>
Date: Mon, 15 Jun 2026 07:43:11 +0000
Subject: [PATCH 08/12] feat: updating some fixes

---
 .../docs/getting-started/authentication.mdx   |   4 +
 .../docs/getting-started/workspaces.mdx       | 135 +++++++++++++++++-
 docs-fumadocs/content/docs/intro.mdx          |   2 +-
 .../content/feature-contributors.json         |  65 ++++-----
 .../public/screenshots/create_workspace.png   | Bin 0 -> 183918 bytes
 .../public/screenshots/iam_workspaces.png     | Bin 0 -> 49075 bytes
 6 files changed, 165 insertions(+), 41 deletions(-)
 create mode 100644 docs-fumadocs/public/screenshots/create_workspace.png
 create mode 100644 docs-fumadocs/public/screenshots/iam_workspaces.png

diff --git a/docs-fumadocs/content/docs/getting-started/authentication.mdx b/docs-fumadocs/content/docs/getting-started/authentication.mdx
index f350b8bc..faacacaf 100644
--- a/docs-fumadocs/content/docs/getting-started/authentication.mdx
+++ b/docs-fumadocs/content/docs/getting-started/authentication.mdx
@@ -139,6 +139,10 @@ they can do.
 The role is stored per membership, so the *same user* can be an `admin`
 in one org and a `reader` in another.
 
+:::note Organization role is not the same as workspace role
+Organization roles (`reader` / `writer` / `admin`) apply org-wide. **Workspace roles** (`Viewer` / `Editor` / `Workspace Admin`) apply per workspace and control access to call imports, metrics, agents, and other scoped data in the active workspace. Both layers apply together — for example, an org **writer** with workspace **Viewer** can browse a workspace but cannot import or delete calls there. See [Workspaces — Access control](/docs/getting-started/workspaces#access-control-organization-vs-workspace) for the full hierarchy and action matrix.
+:::
+
 ### Inviting a teammate
 
 Admins invite teammates from **Settings → Team**. An invitation captures
diff --git a/docs-fumadocs/content/docs/getting-started/workspaces.mdx b/docs-fumadocs/content/docs/getting-started/workspaces.mdx
index cff21672..1fdb7b0d 100644
--- a/docs-fumadocs/content/docs/getting-started/workspaces.mdx
+++ b/docs-fumadocs/content/docs/getting-started/workspaces.mdx
@@ -24,6 +24,10 @@ From the switcher you can:
 - Switch to another workspace in your organization
 - Create a new workspace (display name + slug)
 
+![Create workspace modal](/screenshots/create_workspace.png)
+
+When creating a workspace, you set a display name and optional slug. You are added automatically as **Workspace Admin**; you can optionally invite org members and assign each a workspace role (Viewer, Editor, or Workspace Admin) before saving.
+
 When you switch workspaces, all data views refetch automatically so you never see stale rows from the previous workspace.
 
 ---
@@ -36,6 +40,120 @@ If a request arrives without the header, the backend falls back to the organizat
 
 ---
 
+## Access control: organization vs workspace
+
+EfficientAI uses **two independent permission layers**. Both apply on every request:
+
+1. **Organization role** — set per membership in **Settings → Team** (`reader`, `writer`, or `admin`).
+2. **Workspace role** — set per workspace in **Identity & Access Management → Workspace Members** (`Viewer`, `Editor`, or `Workspace Admin`, plus optional custom roles).
+
+A user must satisfy **both** layers to perform an action. Your organization role controls whether you can write **anywhere** in the org; your workspace role controls what you can do **inside the active workspace**.
+
+```mermaid
+flowchart TD
+    request[API request with X-Workspace-Id]
+    orgCheck{Org role}
+    wsCheck{Workspace capabilities}
+    allow[Action succeeds]
+    denyOrg["403: org reader cannot mutate"]
+    denyWs["403: insufficient workspace role"]
+
+    request --> orgCheck
+    orgCheck -->|reader + POST/PATCH/DELETE| denyOrg
+    orgCheck -->|writer or admin| wsCheck
+    wsCheck -->|capability present| allow
+    wsCheck -->|capability missing| denyWs
+```
+
+### Organization roles
+
+| Role | Scope | Typical use |
+| ---- | ----- | ----------- |
+| **Reader** | Read-only for the **entire organization** | Auditors, stakeholders who only view dashboards |
+| **Writer** | Create, update, and delete most org resources | Engineers and operators doing day-to-day work |
+| **Admin** | Everything a writer can do, plus user/team management, API keys, and org settings | Org owners and IT admins |
+
+:::info Org readers are always read-only
+If your organization role is **Reader**, every mutating API call (`POST`, `PATCH`, `DELETE`) is blocked — even if you hold **Workspace Admin** in a workspace. Workspace roles cannot override an org-level read-only membership.
+:::
+
+Org admins **bypass workspace membership checks** and receive all workspace capabilities in every workspace. API keys also bypass workspace RBAC (they remain org-scoped).
+
+Manage organization roles from **Settings → Team** (admin only). See [Authentication — Team management](/docs/getting-started/authentication#team-management-invitations--organizations).
+
+### Workspace roles (system)
+
+Each workspace has its own membership list. When you are added to a workspace, you receive one of three seeded system roles (or a custom role defined by an org admin):
+
+| Workspace role | Can do | Cannot do |
+| -------------- | ------ | --------- |
+| **Viewer** | View calls, metrics, evals, simulations, reports, and workspace members | Import, edit, delete, run evaluations, change settings, manage members |
+| **Editor** | Everything Viewer can do, plus create/update resources (import calls, manage metrics, run evals, manage simulations, generate reports) | Delete call imports, rename workspace, add/remove members, change workspace roles |
+| **Workspace Admin** | Full access in that workspace, including delete, workspace settings, and member management | — |
+
+Roles are **cumulative**: Editor includes all Viewer permissions; Workspace Admin includes all Editor permissions.
+
+### What each role needs for common actions
+
+Use this table when planning access. “Org” = organization role; “Workspace” = role in the **active** workspace (from the switcher).
+
+| Action | Minimum org role | Minimum workspace role |
+| ------ | ---------------- | ---------------------- |
+| View call imports, agents, metrics | Reader | Viewer |
+| Upload / import calls, edit rows | Writer | Editor |
+| Delete call imports or batches | Writer | **Workspace Admin** |
+| Create or edit metrics (workspace-scoped) | Writer | Editor |
+| Run evaluations | Writer | Editor |
+| Rename a workspace | Writer | **Workspace Admin** |
+| Add/remove workspace members | Writer | **Workspace Admin** |
+| Create a new workspace | Writer | *(creator becomes Workspace Admin automatically)* |
+| Delete a workspace | Admin | *(org admin only)* |
+| Manage organization users & invitations | Admin | *(not workspace-scoped)* |
+
+When a workspace check fails, the API returns a plain-language message such as *“This action requires at least the Editor role in the active workspace. Your current workspace role is Viewer.”* Delete operations require **Workspace Admin**, not Editor.
+
+### Capability domains (reference)
+
+Workspace permissions are implemented as **capabilities** grouped by product area. System roles are bundles of these capabilities; org admins can also define **custom workspace roles** in **IAM → Workspace Roles** by picking capabilities from this registry.
+
+| Domain | View | Create / edit / run | Delete / admin |
+| ------ | ---- | ------------------- | -------------- |
+| **Calls** (call imports) | View batches and rows | Import and update | Delete imports |
+| **Metrics** | View definitions | Manage metrics | — |
+| **Evaluations** | View runs and results | Run evaluations | — |
+| **Simulation** | View agents, personas, scenarios | Manage simulation resources | — |
+| **Reports** | View reports | Generate reports | — |
+| **Workspace** | View member list | — | Rename workspace; add/remove members and roles |
+
+Custom roles are useful when a user needs a narrow slice of access (for example, view + run evals but not import calls). Assign them per workspace from **IAM → Workspace Members**.
+
+### Default access for new members
+
+When workspace RBAC is enabled or a new workspace is created:
+
+- New workspaces: the **creator** is added as **Workspace Admin**.
+- Existing org members may be backfilled into workspaces with roles mapped from their org role: org admin → Workspace Admin, writer → Editor, reader → Viewer.
+
+Org admins should review **IAM → Workspace Members** after creating workspaces and remove or downgrade memberships that are too broad for your team model.
+
+### Managing workspace access
+
+1. Open **Identity & Access Management** in the sidebar.
+2. Go to **Workspace Members**, select a workspace, and assign roles to org members.
+3. Org admins can define custom roles under **Workspace Roles**.
+
+![IAM Workspace Members](/screenshots/iam_workspaces.png)
+
+The workspace dropdown shows your current role in the selected workspace (for example, **Viewer**). Use the members table to review who has access and change roles — if you hold **Workspace Admin** in that workspace and are an org Writer or Admin.
+
+Notes:
+
+- You can only manage members in a workspace if you are an **org Writer or Admin** **and** hold **Workspace Admin** (or org admin) in that workspace.
+- **Workspace Admins cannot demote their own role**; another admin must change it.
+- Users with org **Reader** can see member lists where allowed but cannot change memberships.
+
+---
+
 ## What is workspace-scoped
 
 Workspaces isolate the resources you interact with day to day, including:
@@ -88,9 +206,16 @@ See [Metrics](/docs/products/metrics) for details on scope and categorization.
 
 Workspace management endpoints live under `/api/v1/workspaces`:
 
-- `GET /workspaces` — list workspaces in your organization
-- `POST /workspaces` — create a workspace (name, optional slug)
-- `PATCH /workspaces/{id}` — rename a workspace
-- `DELETE /workspaces/{id}` — delete a non-default workspace
+- `GET /workspaces` — list workspaces you can access (includes your role name and capabilities per workspace)
+- `POST /workspaces` — create a workspace (name, optional slug); requires org **writer** or **admin**
+- `PATCH /workspaces/{id}` — rename a workspace; requires **Workspace Admin** in that workspace
+- `DELETE /workspaces/{id}` — delete a non-default workspace; requires org **admin**
+
+Workspace membership and roles:
+
+- `GET /workspaces/{id}/members` — list members (requires `workspace.members.view`)
+- `POST/PATCH/DELETE …/members` — manage membership (requires `workspace.members.manage`)
+- `GET /workspace-roles` — list org workspace roles (for IAM UI)
+- `GET /capabilities` — capability registry for custom role builder (authenticated)
 
-All other scoped API calls should include `X-Workspace-Id` with the target workspace UUID.
+All other scoped API calls should include `X-Workspace-Id` with the target workspace UUID. Routes enforce the minimum workspace capability for the HTTP method (view vs create/update vs delete). See [Access control](#access-control-organization-vs-workspace) above for how this maps to Viewer / Editor / Workspace Admin.
diff --git a/docs-fumadocs/content/docs/intro.mdx b/docs-fumadocs/content/docs/intro.mdx
index 9870a135..0d8321c6 100644
--- a/docs-fumadocs/content/docs/intro.mdx
+++ b/docs-fumadocs/content/docs/intro.mdx
@@ -48,7 +48,7 @@ This structure keeps testing reproducible while still reflecting real-world voic
 
 ## Key guides
 
-- [Workspaces](/docs/getting-started/workspaces) — project isolation within your organization
+- [Workspaces](/docs/getting-started/workspaces) — project isolation within your organization, plus workspace roles (Viewer / Editor / Workspace Admin) and how they interact with org roles
 - [Cloud Storage](/docs/getting-started/cloud-storage) — S3 and GCS configuration
 - [Metrics](/docs/products/metrics) — custom rubrics, surfaces, and evaluation scope
 - [Prompt Partials](/docs/products/prompt-partials) — versioned prompt templates
diff --git a/docs-fumadocs/content/feature-contributors.json b/docs-fumadocs/content/feature-contributors.json
index fee6107d..e22d7dc2 100644
--- a/docs-fumadocs/content/feature-contributors.json
+++ b/docs-fumadocs/content/feature-contributors.json
@@ -18,7 +18,7 @@
           "commits": 2
         }
       ],
-      "lastReviewed": "2026-06-09"
+      "lastReviewed": "2026-06-15"
     },
     {
       "featureId": "advanced/database",
@@ -35,7 +35,7 @@
           "commits": 3
         }
       ],
-      "lastReviewed": "2026-06-09"
+      "lastReviewed": "2026-06-15"
     },
     {
       "featureId": "advanced/development",
@@ -52,7 +52,7 @@
           "commits": 2
         }
       ],
-      "lastReviewed": "2026-06-09"
+      "lastReviewed": "2026-06-15"
     },
     {
       "featureId": "getting-started/authentication",
@@ -63,18 +63,13 @@
         "Tejas Narayan"
       ],
       "contributors": [
-        {
-          "name": "aadhar-EAI",
-          "email": "aadhar@efficientai.cloud",
-          "commits": 1
-        },
         {
           "name": "Tejas Narayan",
           "email": "stejasnarayan@gmail.com",
-          "commits": 1
+          "commits": 2
         }
       ],
-      "lastReviewed": "2026-06-09"
+      "lastReviewed": "2026-06-15"
     },
     {
       "featureId": "getting-started/cloud-storage",
@@ -91,7 +86,7 @@
           "commits": 1
         }
       ],
-      "lastReviewed": "2026-06-09"
+      "lastReviewed": "2026-06-15"
     },
     {
       "featureId": "getting-started/installation",
@@ -108,7 +103,7 @@
           "commits": 3
         }
       ],
-      "lastReviewed": "2026-06-09"
+      "lastReviewed": "2026-06-15"
     },
     {
       "featureId": "getting-started/integrations",
@@ -125,7 +120,7 @@
           "commits": 1
         }
       ],
-      "lastReviewed": "2026-06-09"
+      "lastReviewed": "2026-06-15"
     },
     {
       "featureId": "getting-started/voice-bundles",
@@ -142,7 +137,7 @@
           "commits": 1
         }
       ],
-      "lastReviewed": "2026-06-09"
+      "lastReviewed": "2026-06-15"
     },
     {
       "featureId": "getting-started/workspaces",
@@ -159,7 +154,7 @@
           "commits": 1
         }
       ],
-      "lastReviewed": "2026-06-09"
+      "lastReviewed": "2026-06-15"
     },
     {
       "featureId": "intro",
@@ -176,7 +171,7 @@
           "commits": 3
         }
       ],
-      "lastReviewed": "2026-06-09"
+      "lastReviewed": "2026-06-15"
     },
     {
       "featureId": "monitoring/alerting",
@@ -193,7 +188,7 @@
           "commits": 2
         }
       ],
-      "lastReviewed": "2026-06-09"
+      "lastReviewed": "2026-06-15"
     },
     {
       "featureId": "monitoring/calls",
@@ -215,7 +210,7 @@
           "commits": 1
         }
       ],
-      "lastReviewed": "2026-06-09"
+      "lastReviewed": "2026-06-15"
     },
     {
       "featureId": "monitoring/cron-jobs",
@@ -232,7 +227,7 @@
           "commits": 2
         }
       ],
-      "lastReviewed": "2026-06-09"
+      "lastReviewed": "2026-06-15"
     },
     {
       "featureId": "more/pitch-ideas",
@@ -246,7 +241,7 @@
           "commits": 1
         }
       ],
-      "lastReviewed": "2026-06-09"
+      "lastReviewed": "2026-06-15"
     },
     {
       "featureId": "more/polls",
@@ -260,7 +255,7 @@
           "commits": 1
         }
       ],
-      "lastReviewed": "2026-06-09"
+      "lastReviewed": "2026-06-15"
     },
     {
       "featureId": "more/qna",
@@ -274,7 +269,7 @@
           "commits": 1
         }
       ],
-      "lastReviewed": "2026-06-09"
+      "lastReviewed": "2026-06-15"
     },
     {
       "featureId": "more/roadmap",
@@ -288,7 +283,7 @@
           "commits": 1
         }
       ],
-      "lastReviewed": "2026-06-09"
+      "lastReviewed": "2026-06-15"
     },
     {
       "featureId": "products/agents",
@@ -305,7 +300,7 @@
           "commits": 1
         }
       ],
-      "lastReviewed": "2026-06-09"
+      "lastReviewed": "2026-06-15"
     },
     {
       "featureId": "products/alerting",
@@ -327,7 +322,7 @@
           "commits": 1
         }
       ],
-      "lastReviewed": "2026-06-09"
+      "lastReviewed": "2026-06-15"
     },
     {
       "featureId": "products/evaluators",
@@ -344,7 +339,7 @@
           "commits": 2
         }
       ],
-      "lastReviewed": "2026-06-09"
+      "lastReviewed": "2026-06-15"
     },
     {
       "featureId": "products/metrics",
@@ -361,7 +356,7 @@
           "commits": 1
         }
       ],
-      "lastReviewed": "2026-06-09"
+      "lastReviewed": "2026-06-15"
     },
     {
       "featureId": "products/personas",
@@ -378,7 +373,7 @@
           "commits": 3
         }
       ],
-      "lastReviewed": "2026-06-09"
+      "lastReviewed": "2026-06-15"
     },
     {
       "featureId": "products/playground",
@@ -395,7 +390,7 @@
           "commits": 2
         }
       ],
-      "lastReviewed": "2026-06-09"
+      "lastReviewed": "2026-06-15"
     },
     {
       "featureId": "products/prompt-optimization",
@@ -412,7 +407,7 @@
           "commits": 2
         }
       ],
-      "lastReviewed": "2026-06-09"
+      "lastReviewed": "2026-06-15"
     },
     {
       "featureId": "products/prompt-partials",
@@ -429,7 +424,7 @@
           "commits": 1
         }
       ],
-      "lastReviewed": "2026-06-09"
+      "lastReviewed": "2026-06-15"
     },
     {
       "featureId": "products/scenarios",
@@ -446,7 +441,7 @@
           "commits": 3
         }
       ],
-      "lastReviewed": "2026-06-09"
+      "lastReviewed": "2026-06-15"
     },
     {
       "featureId": "reference/cli-commands",
@@ -463,7 +458,7 @@
           "commits": 2
         }
       ],
-      "lastReviewed": "2026-06-09"
+      "lastReviewed": "2026-06-15"
     },
     {
       "featureId": "reference/configuration",
@@ -485,12 +480,12 @@
           "commits": 2
         }
       ],
-      "lastReviewed": "2026-06-09"
+      "lastReviewed": "2026-06-15"
     }
   ],
   "summary": {
     "featureCount": 28,
-    "contributorCount": 32,
+    "contributorCount": 31,
     "skippedBots": 0
   }
 }
diff --git a/docs-fumadocs/public/screenshots/create_workspace.png b/docs-fumadocs/public/screenshots/create_workspace.png
new file mode 100644
index 0000000000000000000000000000000000000000..fae06b85ac53de0586f18f3162b8412120543c53
GIT binary patch
literal 183918
zcmagFbyQnlw=Ue`6c11=xI=N5A|bf6xVyVM#kD{P?oeEc1=mtE!HX0Mv=o;DMG6!t
z^oHMi-gE9b_k82~BO_z)tn9tkTvML;%()U?YbfG9qkQ({$rC(fC9u|$C+Or)o}iLr
zVIc3kLnN{yzn*$)DT1CfOal*)7ijjf>atIsz*2DjSfV4Zu|1Rwy`Maxj(hw(P1!lK
zee&dQg)&%HC&29JJ}~@+sxB*}7*SXI^RDRV&RSE(kC2cMorn+}jmQV+J1R@<>+yR}
zQ~+YGxI<4@R*DkU+>2);qhJCz^-+L(l9_mV3{l(Y()9YD9M_It-+NB)4JRNFwLgB=
z{`~RdSC>c+KO>{H7*U|cDC;Y5th0N798=uThKDE+|G&OOQ3l%@Z)91?ssFE=k3-<8
zpE92Qk9%=LFpdHXpa1p%<XFX6;-vpMatq-RIr~4}<pHG7;1&PB-;Vq<gptwYE>GlI
zzx@B50b#?Nsl&qm<%OWmE1|#NuoeDm9Ud-xAd2<J=W&5Le+o&jqm}(@sqowgg64le
zdKD#97;mX>7X!Io)YGR)k3-t=-17fDCy1+D=Y!Ca_`tr0D95R6@6g5<g-$oGe-`Yy
zxG^ID`Sv)V(I?W=+N0uec@XuF$B9EQitE0e$E)=4RVw&TdXuoBi5a?qeUY-Eo(Svg
z^}^*1j{^Tr8lNLTue1aZVj6KM0RMrt^!+qVK#8}A^m;0wR#ae9S^(Ww6ljdPM1>!>
z#pdzN^TWpRiH9gY&Jq>mGm%^8Mh{XLE>9Zbr=@!F$OcEYM0Eo&eMB`dLK_Qt0)i!g
zt2q7A)R1HJ@5LLjR3Cl;iIW=2r@4ENfmKNY-_U1#HmD(ZLnkT6u^lNxo<7(2TOKYn
zp~bEuy>EmQJcjVTdqS`k;L9<b7;tv$dQ*@31ThWtwOEL0>~HtDEsxV+I{}X_ap0Tl
zHydAQqN&^hX2n>@@9n+<P1+&Ua9H;>jN4DN9k|vnLXZu!URr;%vSC0S+V6tFtq<qk
zvbp^&hLpQKDyz4Es7mKo<N{iDPBFZW_<O_L@wtuR+(UOATQ7$0P7Xfq{4}6`T*5sG
zw!%pr#5D5v-qe8Y;TPtBFux;!@ItXj#?jA@=-dBsqgUD;gL|nZyb@Q`a2U@WAFf<_
z6n3~aEudoP667r^oY34~AMAZ3IVkMvDUknrkD2Y{&i6luA-4^@{CBahP(Q=V;P<Wp
zrbh1nt8@1MtL_dVb<o;bb6U>Z1)tj)sg7T0I;ErnJE{M*(|*`%#nkqgRcgFhA`{&r
zaa&B9SN&UV5X+2a@t?aM1x(`)9Y3cwM3pn{-Kq1f#Z+>s{k=ssh;73pAAe>Ue+c+G
zHNdvh{BsJ1U%>yUmj71Oe;M2~|D!!ZaKjEgy*vyhkY;;OwlLC=@(Q2ZAI?2+*Md~O
z`{j)%|5&XtmdL_?*{P@0#@0Yfyfzd0tLF6Kh$+udO^&)U7f7_0F#H=3G7ny+UFs79
zvc@!@ASYD^(eit|{Vz$00jm<4rD^=Vc~!cA{@w-h1q=h7%G+S8B%SXX$qq>**04;?
z#ppDxZ#q)XQ#qO;tmz$F<?9$9k!E0-!EsdQ8f73>YJKdn{5WO5!OLHE>t4PWu;-C5
zMW)Z~=cOu$GhQ_|fM(&R`R4kb7jiNWLI5{Y8*8&y96t(a8>>jQOrKG}l?q)Br+;04
zfoLI3&ox|{P7DYc8oZ4CXVEa#(}!M)P7~^hRH7tizK&ZK8?7Z$V}|UENn_4NRFG!;
z`%*Pi`-y04s_7-q<wc_=8Z8QEFVIc&)mueIihAH{_)Txww2SwG^fTB>x@j@fBw_&F
zQ@8zBuiNbS_exzo3-$f<4!enJd0^%$e;wt_hKCF5pQmFm&eIP^9-<JGrGMOxf%M?z
zQdrN1vCW*vi?MVWdO}Ssr^r%XVLI=e{h<$L3iO2N&w5`)fYRqaiC!6$h>>n2HOJF+
z9f=VdnzVygJOfc;2&=Kd^b6y<Kw2WT%`++DysSC_=4ZpUP%qfm>#t2o<cO&GBerJ)
z2;G#;680M9K0%&x+O%rdyL`^zou+1Hh93;$mcJB=(#+*ZKyvhiLb6&DVGuO-w=|cx
z45as(kf|9ySdq?RoGT~NF#wT9R!32_SfRnS<&Bly_TR->mE!TumnTV#55DF~(TK@k
zt;h@0H`2)4Sz;c1@p?X76t%|J2f)MF!I16(OE=ek9&o_Ep-`iyPF(Fs$(~K<o*6_#
zCU%zHdy^556G2HYMwO|}q1`XZBD2aJNH~fJoNRNQv@MyH%u_gDxWJV~^t>&&u<_^<
zB{-}ZZx+V3@wE;V(URs)2TLR^$jvI^)x-<W+?H*lmd?}gM2~l2@su<hrmZDd8jo*y
z)S)5`(0R1Rw?=#78aQZs{C_(PefR;RiTBj6T(a?a2D_BfPdrC~S(1nG+abbuxnW#<
zBTE#Z_jn6By-RcTuW<yJQp;a_wPMKRy=)gj&mL+HA__hcDk*7qt#<Std@nni6;cZ*
ziR~n&m3>DmG3F$d?KlCY!ak_71pv6?v*}rLv`D)mjuMA2_b$YaUDCZni1wm_I+C~T
zf5dq;Pcpq;;beR{Hq2Q$<Q;f>|IU@!y~dt_Yj$11tA=xdK6B;{<yMx#r|Tyj$?WK;
zb=yk2{6k+auG$TeKivrNsBp%>hA2nxUvc3i;zKLetkg2h?7l~5+Gw4<aUcBXw>4-t
zNE-vpbi9ZTw|%LJ^@nW|E-#{386yk;49>zQ4sJ_AB!DVX27>&cX<Ia!znYPw1yQU(
z(dKOmR;DcGPI3B$^)ZKdenJhS1`J!LnoNEnq$U-JWRLvGDzAci)`-R?w|GWDwNE(;
zW*mi8x6R2I)6MYGL(AGrDjlmyDKxQqU)vczm%ETZODdR=$eY>~ES$da7q;iuemlxU
z>t3d*x}`Y*2er!&-X=h6E}jxLsSKCi%Q`8{UnLyvsKuDLpiCIuff#(-xL2rUur|Mx
zx}XD6j8&V@KQQadrisvbs}7o2+}SKD#(*K6d`$T00D@1wrl8!@QO~&>F<^f5Z+m#G
zr<Li^Fu&Kudb59lZNOjOf8x($h&o{Gy|DcbSpGE=f;OC{MNec-7aK`mw%Y=>o3f*u
ziVkqh`AC&)MA?RytZ*cR8JT(^{G>!Ds1;kRim5E%S>AWBS41nZ)npLA${+F=!DniI
z$qFD|qefZg!lbyun;rfEIi89}TaHFKA(_ycx?RD10SZMBFUJiFnuAIl+iSUnc-9i;
z+j2>7$Hb_EBz$}u;!;m;*JVMxwz90zEh6<%M#>ap$`n8@1!D($cJgW(1Cermo2y*?
zc4DVWjvuwJ7A^B;w1ac&iOlXCL1f(++gZFvQmBkc;L{c6`wGEJlkxQ5=oe2@b1zFt
znrE42pbu5YTssz4ME4r;`kSCk?bUqSwN!8=20q*{`nNfp0&YP@Be`K9VY2ubgY6$f
z%0I692=L=xEClZVu=m9`wG<#QO2x&CEkG%tEK1WRNSRP&PU7BsP*6EfL9J$gB!=mw
zrPMO(050QeaCKO)SZU3m;}as0dB@(vWP@MX<LAi1?;S)fU+CweBq5<|`~aRB2bj^3
zQ#s{>vAiB)mWrSXCUtB~EK9lxYV5{=)M2&8h#s+Ea*ZlA!AL|5CZi;0eKu=l)zAcg
z@nRv?=(3MOHqWbr^Bs26Zpn&?Y<nNxd{tww?y|FZmUN<H_0d)l%QVjg3@4j$fnb^G
z9JE4z5(yS^;{g43JR#80lsz3|uFbHZqdXRgjd&|yN`+UY5WHx#^sy+5E_lo*1}quX
zsY;W6T3N_`z;$o<5;@c8bu`1G)K(1PuwWYP{^kDcc(yjh)%B$SrBWVtj$ARIJzy={
zpJuNzVMblPgOEEIZWxOcFcR|oehhsDzAsLOHh#SS`{qcT#cKDL*pxkppT8v|RV#fg
zo@FzJJRZB?z()ZyyUNF~cehdiDvsC2$U+WJCsL0#v9iJ)HfPvDsc0j*(Vw31Sq*WO
zFCdQ8L^LgDjB#I?q$`1p*g-~7yhQ4FLU_ff>}cnSFTYQcI87T=u2-^eBp9SSZzNzf
zL*uQMW?e?Xb>k{Z+AM^*N!Ap+$)nNvguWoFWS?5Tagv(+8OI>rvWaYh{ml{7?f^#>
zGNha>#H(&3pDBNtGeC^o-(w%2Bs;hdu2q0jOV7f4LwG9=bg+hESG```2uG}<t>xsT
zee)f5R#7p=IJ0s!nl7VOUY7kxVMWAbU54iKPQjMWON5E($;@kL$1g)xa0mU%jlP7M
zjV<B8IWLZ{<{6)2{B3{4sn`ulEVkz^OaQ7)LTk#h{BH0LJPPmv%+~^sT!>FxMy8*b
zT>Vd-)jOQokPaQvKP7Rj+hCnnU2friE#c(IPcgstkaP8WRFDW%OO(=kFp$Abt9CF~
zvCSuP!k|eAa-P)o`mC*i1^YteYe1H&^b%vE5I&ql_;y(l>~iK^>TFl($Y{ifOO&ny
zx<!!KK*QBoyeLGuiPhC0V~uCz3vJX>-RY7-qNz@&Nx+mC+ziK&qcbtvNKf&q1K@*)
z7XD!uLLxR~Qn`7yx<YgQHJw|3R1~}E2cKNG4>#d%9|B~^c&JYW55)9qsa1`Cs_zfR
zV4HrSnq9L2m+4_`Ef?T(ze3IzwcCfcA__IvjLTJwvO~~K9>Y$>@7x4k6;mr~2YzV6
zPqZ{1l%zsZtIhC(dmdI%Xt4X0`{+0a%Yr3nKEt7~mVjU~H=yO2BLdCh+-l*2QZv*V
z+HBki9!sC}`4gh9diImLL;M)1iW07-AL%oaKezEkD&YG||1Zld-<RLI(*Hkhf?x0O
z`v&KSTh(huo)NNmzNtV#npqon5ZM*0&qgFPiLnT@;ydR2b8ZAF>wE#jsLO{Vqp<R5
z`e2o;;exclWWprSnx!d%jp?~470ay+wGyG}C?^z~lRgk-tULHz{;()6*CVN<gl@Y$
zh;;D1Ive{{o~l{WVib{CEaTZ%n>4=H@t{}@d$m#IC;pk|xUY)u)_Hh<4ai3_%?Ac4
zZIwUDIqG9V+fo-XuT0GT(&B?LsE^pZe?w3H+cxh)X<T@x9Zf9oz(V1dn5Lk!9z=m(
zzMB|y5<Vu`%KSm65Ft-*Os`7++7;8*jOVj9wgq9*repOT=t9dTtvf#vUaBUsWKN%-
z5RE%57-r~C%p9)B@N8(?n?p_pcoPpTTwH?~<t4!dm#t@B2i!t7Eb}g5pWRgAwgOH=
zcMVWA>ZuBiM)!b7INvaE*ZK&>0w069ANJ~O@etXYv6dTe=38bfmPDCPZChX^Q%}nj
zZWHqPwa$umOP=;ePsq(jj}CH{$`<;ofJdCf$dZFnxtK?gVDXkuNK%OW@K=PzkySaH
zc6(q@Euj|Z4<V7S_k$7tt5l6cMSjc7be$5qnv6+K>96$0M%u3ylWp4BiIUEJ9aw6<
z2sAndI*F#MTj$13-uSBUHj`~d)RBJqJxyXTGu>VSQ}=fVr}Ir@F|2^FM)SGnM^rI=
zZY(rfAQM?wqkN{FO^Re!@Ya5~4fzOUcP>lhdq{%v=!9gl#IrLI%AsH(q9nRsyj+D<
z8LaNA0p*n`cLpFbepNKa27MldOBc1ZBvCs8z1-SHnz{rVH5&nQR35b}vkU;%26Yz>
z6M+i5bg;3P;XEcZdfSbPG9}04>-S<rt2c`)D+1GeVs~^QPXd@9^;-Z=>EZNke}P|W
z&!bDi4{xoCx(DrKCO=~0Gfedh<l(E-=>S1@(AwF>D;DQyNn$IOXqn`OiujtY>pTw&
z0{#H$XS2gC>gh|SdC&10J6i3wB0^5lv|IN0j}5ANHEatNhx4Z#?IvpGt@-*SQcYF9
z@WqTX)rP!?J<Ms?InQUG@ea|IsE|lc$@_9%E`+sH#_D~?d>l!b?%4k8rl3-Q9t;aD
zuMcCv>B6Ax)+ErNr(q_57Ws8w`;6}VTpzLT1rtZGm}`wH2HV_^Oz_JGIsG7!=YD}>
zs0z?7w^!?p2ua+$R6KnkW^kA4aDG!MJ}u$s-^wnvhI*4&KuER|{->%XH%NQ;Ub#{@
zG25!$j&Vh66)LhlK~oFhzK3>*sqd+YdXa7vI&S9$_VIW1a*6a=lMzksdel9wTFiXR
z5-{EinCwDK!+$&e7ewH1FMHKN5Q2zm*foA(Atb&voh`XEdR~%!Mm{f1%vS+6g`35K
zH&fZ>)s}IR5{i~xG%!JG)M~^LpKC-IE5SGig4X=cwh6+RjU+KHaRy@r(O?Kk{arrH
zNJv#rUd<9{b0Cqhzko$ah`z_>$Fa-kA*<IivFxa=bzr0k+8E{VuUBL9xgj~=xuVr(
zEM+8ULQl6I=CYmJA?Wk)|51+1#u!|t(r0U`2>o!)ro4*b6#tU02O<sSFPz>#A4sai
z^v;{!TZky1pK6U$lly67BrboZ#Pn18iIM`RvrCQXWMFCqGf;w_+A|b?(=+Qskn5OX
zIVt0va%or<PYT)P6Gtq5(l=^|$z|N4w7Eq(vJvf;%r>%{Em_x%z%fs1$mK^`D3A)7
zp1en<Cj|pLM_+^jijf4zKYRv~GqIF_N8zF0IB`pjmQYo4Y;jJgrJX8r&gpx>vPudu
zR*}dsqH(LHuAC<6=p_q{iwY$Rk5s_>h)=mQc-Z#BQ03W>&t%bhSi|O)!d~s$rD?{o
zV1T`Z-MI}bYj#cm>QnodYo{Ytmlhd9PjlC;H*2-Ew0rlh78)(0)Fy;4^)eW+9rF;d
z>b1Z@S(ZixLy@$XKXSrdwCb7ug5z0Eq!zxtv!3Hg_1qj0IdpJ}mk#bD5lZh!YqOKP
zr}G)cTo&&*<ai5b3TERMn_}|S&^a`MMnd1%FcZzzNS%ge3a4LzA5L4hKaA}OSZUqH
zwzoO<Xwg7^z16yDv_|qEIJV{{zjv$4GUh#z+)1nE)!3HXzquV?k{0*Bd5V-CS60f9
zZ~lVFST1bNO4GJ5IHW!%e<P!Uio%1)^EGfLIQ%&foZ1m<sGJoQKpv^az<eFe)?$-A
zs(vOrZg@VWLFRUO*oQ}4Wi-8jALwoI?0wzeB^ED|OBVWmUfVp8v&#G-9Dwn8^TZg-
zWpO&1I?<6Q-5GF%tnC;Mdf_;Z5*c#M-xF(@hw`oU&ql_lcRxX)V{Lf_2&KNC9?62#
z31qd*b~T9XFipJ=yy+d=5sjQ>b#ygySSqm`H>-TP&r1D;w|L}#k$BUS%3l>=-XgOf
zHQgnUj2~To#Vf~P3Ld=+`At-*EN{}m1-BZ_iBZ2Jsdn=l2?+M;a8IY02E`g3#5C%+
zBa))UZD0lVME_bY&WD902k=u&2ygP>q@0bI(&O3IOR*%+Exfukm|QGYU5Yq$u4lEe
z#;SWkO{lS}`r#Bx!Y_bEKd~N&&7+cA`u0ycX63R=5!O(f-3sq3Y(*ow7dPSzr`nTX
zKH1Dy$H~;M^rsOl%!G!aYLyXCVy$*)S(be?kLa&f<B&hm7pUxiFw2crPuo^#02lya
zgTc=x@1u(mUJG7DjEtzvhe4j&6q#RKP}19s`eo`vMC1BZxR#X6C+_l7#fG_U>NQfH
z4|b$qvL|%DS&fx;n1^h?U)8EqxI-g`8WGT!$wGwBQ^`W!#Y!)vrN4uIXV6WZf17B9
zB$(mtn;}v_BpI|d=o|Mh2F&9{)FC!Q>D89h1Cf3TE8|Lf;~FGMgo0R3t$kUDToFVU
zL$_wKISV&48K#LyCJbe~`iS$?nK05PYN-Hf1;T|Wa3w2x)iYzn09{Z%%)J0_R#y;V
z2^PR%^xX^E_}istoi;oga=UFNb`91H&owc_`v4pA@j_S?8tqbBMCm5Uh>vQskW}eJ
z>La7jtbMe=svWiHwSc*~0Gm1d0_kA#-T7kJgB53a31GrHOJvbADRrs;s9ULUVKH=>
z!Yj(fSe3Wb6j$>LBtU&|VYG&Zj!AK!6_0paMW&;s4@BoAa|(L6W!+yY7NfoDom!!>
zg$lPFXc2DCkADCKc-@t~2yt)SyqRbQ?wNhO>MlJI^`l-}kw__YwF(mzr|$ep-Ggxg
zhqT}>jj^I;KN5#;a^l%SE|=aI+Azc<q+bxFL3UGXYWxIC$JUT&nYFcFy0q^sezYuB
z`YZol<DuDy$6Tw*hj)hnMmW>|Tr1_<%&x$Lmta^)fC8rWmCSsj?ja^WZ++%iGn=y@
zza<MTG$OkwbT%*GwzY0xX~3EA_{C3~K}B{=w39wCi2nwx6EHqjNgFbIFb6^;kWn|<
zFMkS{Jn!Co`?7m;kmeBqJCLvqD}4*$zT9iWwHLS%#jTb}m1is}kZjB49JIA<>>smH
z3npg4UXAT%dRaWPzkZ&<ZCW(9qpIEQliQyrne7Y6k4>29>*G5<Q6DzWT&>QZAp3w!
zYUY@4=6?Gqv`}EF^3$RKWSg;w6Ifg|e>yLt3grGE!U8~)Y}_PeW1y7?*Y}6|<2nw^
zz6nVpZ0RxU47pEcRFj*yt%7{T2_n<5kHF>HldFa9cn{sTHtuS7WGp@-F^?;V<~GUs
zv}U75tjw624mpnKh~3KhlE>XDgf3=}gd)@8y#x}E6!I$!Zu`f4@q4<=b;{qH_l&*u
zppQZR*9<&7KjCIc)+?)2e4hNN*XJ8q%PtC-m}+@vOCh;zL#^Mzywi>xOj`rUV5Y*$
zFFU*z9BYx`d+x(=WP&v+<4EZ<QRH3_1C_td^HJb5WJ2L6t}H~*F(5!vSA1|qlS%l?
z%Ihb1VL52!+7eEIwKoqmrhy|grk=>p7us2yh1YUw+h>Z_*JaGNMC8w-36mtbmV&}m
zX4$b|LNwk|)@Kjak(x?_sPu0La)t|LVk}&8Eeg~|k(kdciIH9Z=(>zU<;g@Foxkik
zGoM%2iwLDtK@xz7^zO52*4ncy(u90rH6|Ed{??GF7Ctiu9{c+@ka$FZ=O)UwcF>xZ
zMI<aj#BM^n2X*dXTaKR}uP9H(RigCF27DK+_TuNsD~B+5<n{;f<<+b~xFS2^{{Q8>
zyBGQfh%HMR8PYizfIEuN*7Y?y23Ll+<E4YBi9K2lOnS-oHV;^A@G46HnguvDv5kB<
z31hvKl^y3gx-6fgJ@ORu{C{l^u+1m<zU3Y_10*f4#9fmPDm{e%!A{Ot3hKvRewLQn
zhc}g7PO$64i%NkLsVOPNYTfN&3DP&|dZlkh80q<y{|uc+Gvp1Wb_L#m!xHLb-*=lr
z*+Px!H9tBVZR2pJg87B^gxvO*L?`f6sDs+`szyO1Jop2nys`3ESYa{b7*lez9JCk|
zGk6$_^QTnP7p6&~dmczBMm*2wwcL46&y(xMbBrEIG+(OymndZ<%_a$yqf-2~P)%1v
zyMk{j52O>BI_9S4n$3)+z@>gQx=A{In4{4Y%UT&MG0<sydgTEmu3C(FM1T0%J^xgD
zJhL|Lf7`5k{exhN(FSqME{eC5B=JzkbQbW<)$AfMqV=4y>RWfs&(F7bZU=*3FaE?C
z%db1!JwlJ?d8$e?8KP_=NA7hFI;yUsAeI$wNXr57G8FBQb+zy7rF}SS)h@+BV^rd%
zC)nr`EgUq~t|T0iYuaKTE`gzKAyu<NE%gI$WuK<1Yogcqg-NPDnYMCNfX)x2=!0Ky
zE$k3B<~KSqec%xs&(We(ZD=&;xi++o&(>6(FeAYvt9#`t*I(^=OwdYOtxr*w0E5`h
zHkmjg#|JI7%C~h18-}Iz`XzpaX<!RYt%GW=R*`y_Fj@sOxsVBBl3R;);LiXVJ%y}Z
zUTA!yu5qaZtBYc<pPl=$0{md0;^fN{je6t9R1Ozu%MC+!o&Qw2#y%o3AF`+=g&j>6
zHWQZ6J8jOOmDWL?E>OM}V>c0>z5OlbkRPDD0zk_$oxm^hrTbI2WSu1yPp2WCm?)W{
zLlOzI_8VWw`s=Y`QVkB^Q?9s43!qf_W+$*k5s<r-y1<Um&Q*AUrYqs*$iKnfqHh9I
z)Hlod6myTQ&O-Mqx+(Ebo8#p|I;b?1PT~%Yw3pmF<>l3rZC{4KAMJG&?DHLr3Hs$~
zJTpqXa-}=Rj5{`2+^h$kOgKM3FI-W|-$flz8A;1ojUp81qF*$A-6FJ&sLNvs40Q?x
zaRcT)Thyd1CbOyZJMc~!-9B&FAC~Zg+$;|}yJc-l5TCZY<3B_2VP)r9Pr#ZIxg`(2
zU_E9LNEq`^7V#(?(TUTC9vm#5J9m9W)%{fZylDT8_^UD?{p<PiYc&wXxgs~m7;Kx5
zWi9wrFasfrl^<JpvCZIJNH3{vlI!K1z)qE&zRtg%viO<Mf+5_ZTUbfGkm056%m``-
zRs|h-S%$LoA6T)}p8;)qW6FV5t*R3ilu3q6*38)gp+j;OhP3!Y0v-vqJ$d6FzUOD;
zrY)ZkdDt`ChBf6}IUjUW(Tec94g|q>aic=_PXlv%wP}@_)5`(5g{hHwPvp~?Fn?+4
zNnbX%u9cZ^H{ZX;9tFFc-<C+$cRQ}faOO`f@jc0&>l&ICzM0l@nRv7u@!k}PY5v~7
zMYtx@|I|HAWdcSxi)m#q2s4Kh=`W(Ov^Hawc`RLXKK@wOwM(EKPH)X6S1IyLFu?(z
zx7n!ro!f3M+r?A!Z|j^Bq7r2&)g<YR&yjAzZP2t*lzz}f174-aVwQze+*qhQ@`*Q3
zXq^tK8R@fa)IVHor0^ZTQaIXRp>@>^f6e*Mi;Aw=<r`N*=E_t+=!##4v#eTkN3pQY
z^Wr|VbVBDH6H+70mZ9_P_Kep*@dJl!i;}7n$GKA9pAN=^wCU~7=UIWar_&0zd~Szb
zb+in)q0QDtLRjCyw~MRO8(N-6ULs$Ryb;CYQvbc{k96o`26VzOD74he%Rf-2rjnU~
zJskZO5Dt8ICNKv#$<TfQ!cVQUwBJ${By^^*cbI5qYZzVn@=`0I%n4;V!AGNkG_77>
z9&)qAEzs>_C{@a!U9~qTc0h6f3*h^id^xe|*EbYNd_07hem-BY?LnCArGU-5X<qn{
z->`kjt?MU0!N{#-s{GyzA;<7Op8n)h)_yR$3&m?;F_Q2)HU3n&)@_R$v6sYjwkmHX
zl;Y6mR8_{nj)@ACo!{N?V^v3Cs^2W^IlM;Kz5EM&18D!{5FdB61^1+X@99SO;RjQ!
zQ8Xy`8wUBBf^qcT`JT%7YRBIVe0=X6e?7%-@xk2Mlf~)r3Dn|#OXRF|-W@%^Twr&e
zxpR<#tx)uK@+`1^JWGL&;%tN9%*=(#Y%dkDZOHCzR`kqJx0Ql5Pb80-N`QQ(*R0$2
zZmB_9__>V~nl^q0PZWz`Ig&v`393Tx^Fb&yT*#>|ig$IQaZ|$`{i6Q&EEHKr-a5rv
zGXGmj52=7WI{}IPPP69SoQ1|0?vRf=WjaT=bn|^^mMlEfueed22q}sT36ZZ<{-r2w
zliqfd$MTy}l0WIrJoouh&mdto!bBRc7I&?Z?{$`Zw8bpNwSAy?UtZ?ZytUUxs0NBX
zML3-qz^Y}ue`p0H4t;DR_|IDIBQXOR+VViNR@h$9WYJ4B9yP>P>~=t3c%~E>DwL+#
z-z=FTn38G*cRcHk{gX=Yu&-D~`@kk$nT{ouZ@9t?y19)xio1ZtCrR*+pL2mKf^cBf
zE`5Sle<N$_wg=ZP!8&K1%%xH=QSdP3i<H!+hRUYu&!`6WQXfnI>?;M*JUl~IMG}N=
z5^T2-|Lg8Tw#s0b=M*@<8bMlP7j^}l9e|x1qk>GrNk5K{l)?PyK?`#Rl`<#l3auST
z0NqD)JhoJdB=VC-6HIWmu7b{(TUiQ}at;d$8|Bf1yxK8stsPb}W4TH!`@lcQaM1)f
zmNLh5OUvWqWQa`f{0)6cWq<q)ku3^8e%r=v`21zX6j%twiGg;-smbv-XDZ+)I)Q6u
zNXyi)x?_F{itWbxirl5q4Fk;Q-wGj913N$e-BM6sAAQ(xcSX*gd~(cd9*5OT9Ito2
z+bn8wG!!*q_6yu1mTiAyva4?JM1MVTfSvYAFX<ZV*@sp&Fxq#Kn|Kv0uq;9z;WoPx
zXQTR75+}9lo60*^rKnJ>D5?)BCH#xydP5duhF;W;w48G2s7v0VFZ+jZ=}25rR@{U&
z*?TK(r7lXtCX$*#JIuqHzFcY<-E$dYKT4{f-Z~KA#N;+v2{Qhb>^CsO4<yCrnFMJV
zDNFbPS0>lis!;y}e*AYWIhO0(U2#uQDIi6|MPEZf<jd~H!>(PPYBXhU4>mqu?X+z*
z`h$y($L7c$NP_FmV7q?rW2+#n(i_?y3nsDSBe_)TK{vGhRWGCBG+tE9+U$!!4R*{6
zXCj;D?sjKX7Wb0PwL8h9#Asj+K6p*}IZ=n>^3Wv|%Cq7F%})1AZ`V%!jZpCJJH{bh
zUR?gFi;#c1GGdbyEI;Oktq2-eU>=gu%mVSp%YB~R-Tz%2dR_?~_G(*tQJFY{?Wcz(
zVGQGnoA?HEK9%~XXe~w2SwL-1u@*+XnsQpJ-xq!`!d4yuB~?*dhc_AG^jr<5<7&J=
znW{p=R!Z_w&T{$Woj^jpE&<?3h>5M4PpT$9uQ};*nCN&izNe!!!tgPT?OuGR{N1>D
zJh{fJNG8bWk~ke*wlfB!1allld@EDBl$iZQ`chKrj^rmZG0T-#B`M$#0g5ki@mkxt
z<H?SFa_a}D*Yy)<N?v;}fzG#v#<i`NB8~p&L7dMslTyX$DP{TdR3~3@27)<^t)7m9
z#&i>ZqR&?e7%rDjhQ8%ggmw%c{x0>7Ev$d|{|bKg@GHiUznn$1)<-!ON4MK@=YuV1
zpU$VLo&KN#u)ug&Sou21pNN%Q(p!d8<L}e<nzVH?*IiJA)?Jt^p_<f0n(zaTK<$aa
z3|iah-lH*^1SYh%Q~6APw{x=wD-a>cZ#8qPl0I*8kfU%hUT6iR8K${m(V5-3&Y#gT
z^V|e!D>j$wQ5$s>@p>oVRT8Tg(cPnHGDZ&TGUqz{PIq~of|l7xn25Jc6tE&8)IM6%
z4;79W!-=b;CyK2sYi^Jw9v|#9iA_oZr(S<J?k-IMJ#X*N@o71?Sjw=+GVEvn5%UKN
zturIS$DDw)h9^ImD4M&Xb(+hs{rqwJqb8RBbNknDO&b1H&RUkccIOE*OXAZalQ1-X
zjfKX{X7jGUJj`C_qm0Q8#ez5QYv{}*8a;0gE+CR;kLQSB76qk>QjvJ8Mg2*QB^EgY
z1HE&ay}|9VfHVpbzD>ozc@>tjWvr+bujf2_L>bw+ZN%U3a9A|H++tk0k|`Pm+Xg7;
z%rb_TRLr0Ynvt{Rm8Z<2@H0NY*8Z=9yw<}Ujp4%|xLG@vi7(V`PT!kPMOwuRu}Tbf
zNo^nr-}x9QsGc6LFr0b_bsJAVL^|aUquM!liQtE3<MCMKg&_0eQ(y0G(i=(hG@G(;
z+}58lPqJiw?Q0I#9Dgd-zSol1))ZA+g<&r!^=~!S%SpAL?%`JHUH&^(A;arGb^Mo)
z2J%mQXi2)f_<lN<{ZfQOmcBm_mmXD!u8@qIk&&=jPOhPx?ev*5Ab~Mk9>Aj_hsGRk
z0)vT3VV|Xr-~;8S^X|dDf*_}AI7xgb1Y4h(B6*31@v{lNjS}?DT<PxF>pwDTwNPjw
z_8S21*%+Z?r<pv8m8z5sDnE229l`p*9*y2SK`5zWC)=(x)BY+elB9h9*>jVOUM|62
z)*6)@gto0gnr7w4TwHogJjLLvi8P`t^>-|ShSI4l+U1gyd<k{*!SnvD1hN{ZNt4j+
z{5D@YCrZ2RsEqzY+<|Hu1f60GIcZl(WsP*1xl#Z}I0Nf-bjHp%nhPm@*OLA~o!DXL
zJf<yVzlCeG2h($z%avc@+V8JxY(u91H*|@l6-I+@-LKcOLpX_(OsmXZXQA;)gVDPP
zkGs%^0fb7GIT$QN>s;9Z^z_Ql2tcK2y)q&6UbqouSXpT7(}^Mm^OProVin-`^lnNC
z;tIv@wgj=yq0&zWIN(h5sy0HC5KSyPHSZL`%oh4NKuxSq#j!Yxf-G94@D7UiUBw#~
zZf9@`JC}`B@6PK6wwQS*uLv)X%4L`i7lD!@SlK1l1@%n7J1U4G@{j6S*9Q<G)f^D5
zV0`e(cV3U~Vj&;jYqlMb8~>!WF$-J@O$Nq#Yob>+i}<Ra{pu``&PJ7A|FAL}QiNse
zMgT1t#YxAhN2>;ma1d|DnW!`Bt+qVbe$Es|452lNUEF?1lv;X?tO6L#;&t*AT1cW7
z{5xIy@0B-XOHohs<;C9Vx9@jcn%F|BS~}1`dy1^5U}bT;j4?E;nGr&ibgcTbjC6zv
z1R{PmJl~8p3srgt9=6%07%ywG&H6POOjK?}r@=eQ7Ol>@O){Q3QK7+qPJ6TQhF)1v
z$?ru1dRpehM@KjWyPV0fe4@xS1g`-HWJh7O5YSe^zSRD?oQ>f%qRf?Yo;$4pkSLif
zm0DcsGRGZ~Q8p<cr`G^BF>1O#zr{G)wH{2Km{$IB9x1bRuBY6ek+?e_o*{t7k{%p;
z`c^Wz|Dtnhj{AI~BIVCB0=?v!{?3jxdvk_i&6z-CL)WMBDJJUP=&1JSv>6V@i#?UU
z&_8$edExUMR2O5oD}&%P?he+&h<2p9Q8_8%op5@7eRc44eV8NEib9MZ$tl`Xuf<XK
z;GTT{S2^wU0h#XBRY`Ze3jDFv_}ncbKHf@b1N;e0-w&t(T&$27$D<t~Dz_t>9YIzb
z;`DJ=_L6nbMw>_<?andxCrBae{gL@&cp}fQooLN;8ICGDqA5Cr-wfsFC8`;Fox!rn
zt06EZwtoXIFcNzwMOQQa%m^SbV!fOo;-tVI*~zu@Jl;xn9s3}`OPR|MpN>r6mCW;Z
zI_Yd)-+TmYmo{TbM$2;$7;t&9OBHs3^jx}PfF^vb^gbFqe*rE%=NzLjIM=#L#oR6d
zW#3Zqe4H+?cjdZVx^<Lsa$cAkpSa2-?`mLrgJ#QQ{Ax-Oz_+vXW(@B$ylsJK<V)^t
zc?jcp4K{1}PY&CmB6<n|60c8Q&V7*@2O8xPE7t{^|0On7Y=;A1WUT|)A9DRqe+Y|;
zgx}YxjYr|V`eie3(bqmKfuE22hq!BCJMxniIH>oTR^6H_y9+870}3_@13E1?5yOaE
z6ciVw1R5*aETt#E(IUrOxc!=gQ%EFLJ6BVwFb_uyQ!^N`gQX?^OV{#pjEYcI^GZTa
z*vLy=B`p&rkO(2P+<ZI6vr<e@5z_w3z-pSLE4v|08PE`I7fNmMd%}zU4L1R6b-&S<
z3?9ea<HaWb(lY~Gx-P;>a4SOQhx`1De{)MnIlq$c4hd&9+R6{5_(kG3V%hcEWjn%q
zY9?Y(NteLM4?1)`8eX=Bo)Wbt(5fsoi?NXi$3LnkjyT+-b{+L#Lj<y8R$N64*}*F+
zjCbM=F;%G1Uix>pF0zTX_pg{Awr!Z%?{=E#?B0v6bJ7DrT|l$}!_+lF@JHVt8yQ+-
zp(M<jgorxVrApsp5L?xz!jGeFuY(^KnmG&tQW^cWvPxpo3@Y=9utnpy1Oy*9*tayv
zUl#f$nJ1J58l)*M;%vW>q9_OAE#7Ev#>VT6f_mTK@q4iyr?*m6^7(s9xC--7H8+7t
z&R@-!1&Z?$s-`HZYd=F@*yjG!48nkBGG}Ml@F&YN@YJ^)9g_G%!`ZvDL;$|jVW95$
zbS-jiACvJN;yK(mT!MDga>RyM+Z*h2Kz0=w!8fQ%$E={#(diRe$M>Tb`d?Ag>=(I%
z@ETXiGnjTx$zd9-=J1IpN`GP4gg=~=<QQ!@-7AP%q_|l%X^#`Xa)&qci#j<j2n$jQ
z2|5LKx3;^!EwVlx&eIhBS|i61s&y&d;qml8sAdXe=Qe8g`~PSg^c24Jzjpt7{DXW7
zuFiG_B=K=^9a9vLUu4O+;~+ZIUFO58JfG+tOg)Pe3qmWVSH~(RPp1%;W|0&H4{4*v
z+lWA~UGuz@U`h6wH<3PSXhd3;hNppp?kQmYa&jzrW=FM7dIaICgj%bh_DW#1%T9Sb
z0;=F$#84>p$C5{_Im+Jb-G#jSDhu8mxAKcZ8rL~f3}y^(tG7@H;n$FY4l!jut$fuk
zs@7t}&^Z1!#oYKxBf+t<18T-nrRxgx*<4+^l<b@yBKeSI!|=O|UnPNRHxsNr#8vv~
zK_y>XF$+a$$t5GZ7VWba25yQ!>IIChET`ok#?{j@mojMOHy@_@L&B6O&Ne@`;%t9w
z$7^#{tp_A=g`JLID-6iUV@6URM&f*VBt4g4ho@2>9-EE-LFhe6EwlYYzu)}rkbm17
z3&al8K`B>mzcN!s(f#493_!WDs46z{N)Zi%66RvkM~o{mk;dbu9mXtvYNCn$M8_Tn
z-~qLJ0w3t!Ubb(Fd&oCU^e14ofZt{&rdg?cVNQFCT^ETp7l{MQN!7!q>j^MlVXbT<
z+oKNV8^^5Cl~J2sCKxXF+HqyrD0t~ROzRJe{zm9zpYs(&yTMPGfU9it952^sfy}k;
z*c~CwT%&&B5dS)0$5x*EHjZSXym&?Z7cm8g+TSMwtOHu1VhU8aC2Xp16G_fP-?D#I
zh|ZHf&zd+7)sTI~q3P0~j@D>GK)y`unRmdJoiDcVwe#WT<u~7>k_lUzG+MN+04CaC
zqE}PetmLYJ1=t1A7JlTMiS9e`_;B`tyXq~;p}W724i1R976yb&SxWqDJRR5XqvJ@m
zi%$g;@n(E%T1ymm3Y53CXh756rC?#@TBf%_Bc{E&1-H|^tf0j`h}^;jIh?YmizrDm
zgK^IWQDzU51vBC`mx;!m;^`k!584a5(sHw&Fc=O^lSo98Z!!JyV?X3T(-br(DN6j)
zxmNRG%vo@Z|K12x%R`Jp<Z8&4>YS3pk2M}&(fX8|K_Hw%yFdvq%XH{~*(xi#bvLmh
z%t^v%+0X{Cz<6B7@PwI6J-Ad8>UXk61pB4A=y@yC#a^MRH|#)FBk}<&`F-upVax#y
z-{wZZX6htU>jh~(&pUOCadyY&vVWWpQ7Ih1CoN|qc2J5KxaLa(gM9YG+InIKh@HXg
zDTTwzSaY-Rtcf=hiF*d<Ye=!pZv37>O6=wL(<^_`cCy1R>7n<Hfh8U|v7c(6+PppD
zNs<T;mmZbV7?Q!jHjH&Fc&9ESfM$rr!}x>geurP#MqYzSxtdo?0Z8Fk{;8Wa4SPqC
zoT%#k7}cw>7w!OnJo<p+7s<KMNCic)m|mnCVvwf#9(0F3$8!ZpP%ImkHCdB2R-JgS
z_AKy4lw(;zIB2Cie_|&5Fn>IAJn^=?lVU>;QIg_QGQN<OKsSFBm@&Vd33~er=oRn<
zhijnPHqC*fH^_`#$~?j^I^<#`BKC8tkTD=5tBeUq8v93sCP~?k-s7*cEdLMjcV7Lt
zOsY2g-<e|3n&(Ba2gH#STAO7PCti`q5z2JM8*$}=`8)fq&uak~kowq;{vlYO!OT5H
zL*LbErn$kNCM&E=d9`7N@SJe{%vg%SA+@1Vqqv~Jb?NgV%d|BWwlRip*fr<7aqo?4
zsz;SmbL(or1Rz|;T+I`35tA6X<wY3Az`Ut91Lm+M6QOqRMq<ASjbls`xJZlLEqn88
zE$`UMcB)C%&(}0ppiI-^=(!15{s!C&h$PP%mw+<=n12&z7(x0y;ioXR%=i23nNiL7
z$imC8e7`y?2isj#s{Aa|OECZaJa;f12h;1bfg(Hk6M0I6$2an{v93{NthEg<KOof(
z&P(`m>}nZT)OT|vj>>e%9%*VJ^%k9es@D@X<h#_5jODSZiUvS`u}%kO%b~EGfRC*+
z1vFac??Ig;J*aF}2zroEW5hEr4|75joh(gd2hZH(j?$a53PYXKh~_6RgrWJp?bMRP
zY<c3fd!=Vq(UPu2lNwEJ?BlR<gO@hCN7#}j03CS_mJ{18w&Mm>3BL%bu4h^XDLYG*
z#kM7p(ljp5R<tkR8QSOX_Y6|;l+7z7(@RJIO!fRZ929JGFNv&Wqw|lh8Rf2PyX*Sc
ze1R&t4%NJ^`_Th3Z;*~usE)xNsoCegb;MoNo(1%srYl<4Q$Ee2d*@P_KZ;c<kq4qC
z>6b`1ZV$~{&&yPcmBdig9x7HM_0s`~wludP1=4JoEn(yf_hnhyT=DPD%A1C4vkJz$
z4?X*sbd<T}SXfzHFUnZ{u<n>c-wKCGxZWu3JaJ0pz+QQ`#@rYFj9*NTpO@TiYU40=
zrY<%VvO)+SJkv(Z^6YKE>eTj&kJ=FRPYDzhWJ7ou$bz5B83<X)qh!*-YYlXNLWTx*
zei*Pijemv-c~JRaY=|rztQSn&gKNVWaz)!o-BN&x!zEawmy9~WJn4kH;a=3)fvA<A
zj`p{qN>cS>7P;B8mWp!c*BNspX2@1x2C<ec$wj_T?uw(H^WOjqwR}1|u5yM~zL~+F
zykX&hL`P{wBSitmkH6S(nohTQ>!>QM6Fr8ne1HJ%y<Z6tezaJAF63^pz^K#wbDO3z
zFEiD)#k6?q)eS!c%r5%S{kn0ke!Q!wRDYbe^pd^6>6ZPSzlyh+^#ik0E)B|?+j6FJ
z48n_)))5Z<oj_aKBQ|<7tLA(ZXSOKk16Shlb0c8eQQ{nMQ1h2KE<~%L?Ol=QOF_)v
zW1Amhqw1L~`qJJz+C_XOj~iM~ZVoL_<L-$TYHi%Y^5`mN2KKc*H|bi>u%0q#u{7}Z
zg4Bn9hq6Ys(C;y3pCicTJbC<FI3X6i5RZf{V3~4HN&kq-7x7H>wvNgWr@z8^VSyoN
z89SzCMx4%6?a#ad%N;968S4gMnQH(sBe6PJ7Kp22_g-vA(2*{o62f&EWg|+?v3Ma0
z7RhUp<tl5^B!-`;6&d#ps3^w{x6R)Y)NCI$GTQxu{dh>MaA|HA!lkf0j{N<7Nych-
z$K^XU-yNVHWM7ob;1j`kXj{+{yY-SVJP^cajydpW1br2<x$xfM8MJN05~@U2VJRbg
z<&aB?ou{2SMz87j*|*g(cba2W`Q4;<rmHIS)()l{T#?YEQLP5y&e7^sd^HB6$f(zL
zgIvDLIBcHs)M8^UR_&M6cFb3STH_heodaxf>OB&MG~XS`?(B+EWO$kT8dL9NM(Oh)
zt7T#tg@dhcC<^=&&nKH*Nr5|*aKo503loeJT-HQ&MDUbN@|MfHg@cK9W&^$zB08O|
zcbr>%O|c+a@dT}g53XZ+y^~@`mDpnVab|M3E)aDKm=C8thb)BA3U(?0WT+kTMAESS
zpQk+eMT@?YnYEpkZ%tau-d(-Qymwh2Y%81eHqE!D@))NLWQV!w4e;S24-28&e6#7C
z!7Vl<O&dHTt}UzD33{qq_gvMZ8i5Zd6!s++^*V|#NYPAwsJJIA-LQZI>KusmlG@3g
zm4`RJu(%kUxrpAR5B(seND90rhPcX)JlBcDkfVM-c#<stg+J0$H=wKt-{j{W)!YM4
z_dujJPSevA`NX2wL-dO#$<f+W<RP^|7Iy~4L5j3rZ{^izvrL+{FP7n!oSnm1z!M*k
zkd=^!Jg~h8KaSB-^=GjeU(nO2>QR%IpJ4TDlb~-Z3v$_;@!4XrO{>54I)ADGl2#+X
z{RCDKWS=OnpK1x~<C;hkN`~VBl5~&t@R*Ez>`sThF8W^(xYW)eo6|ntos7NX-V53X
zyy#*pG$ZsJsA-AY(yJ_8<&<UCi`N1hg^rw)uSRc;f7|$CyKs^c<bWP$(9=sPfKxZ>
z;X=$Y-cP$gFxIp!SpR&)vl6xz{L;j~kT|I);?fTn&LJwtZ!V{KsI260zx~<+J#k)4
z5TniL9{kd0HlalO@{=r(|27E5ZAoA;G$sKQn+}e9ztm4@gr~MXGlXaH@40;Bl>Hc~
zon#ihv7`<0-R!*oxFM>(eXpN#D-pFnB0Ag#(T?Q<_y%hd$e(^RjN3B6S~5FCE3?+^
zED;j}$}Pe>NenJfeAYE9gG32+A`;qG(1#4FXKz{W=;b1k9%@JccdRpfkX0x?JaB;T
zXQu4uu6?D~cs4JXC?ZHpT|^+p5ugp8Pk(VVa??k%_RVNNdw-UJyKQyeFL|;wy~~}i
z2`ztNGb`8kj*L-9j(RmRbMh6lP9%ptN#e9FY;GNXHy0R5oCM*D<}A6~fHs>D_FaVx
z%8n!q1SDEmy-4XL#}P6LZKiAk81y(X2Y0Ig;dvfkAzK~=Pl0xy$f{LHu0TOg!Izwz
z2JCa1u-W0ICuQqo`?u&-Z<%iS${xg+AYRGVFTY&51-l%DpwHk3scSB+QtAamMfQuo
ztpgMwTb3m^?4a!?+D4j1f+KVn!nF;*r^wUI?Su^`i*eTD&0c}k(N%KZR=gT`Lrc_@
zQIuTLvx$p1)fk#UtLMmww;I3Y#~+9EKL`Dpba+5=#;d{RCsO+(HI@}hiUXqnGveov
z)A-m(At*8lLs-FItfABa;2U4C+V3B}^3^f8$<ZyAa^4$Au<sWdfmFmb$YZ8Y^20xv
z{(!R&IuY?-%uDv1K7;_UmP7~k_XpfR%nuxly{RbROa&3G1^ahjf3nz#PvonfIw$UP
zP{sAj)UJymvSr06E5HG^5m7^a#g={JynnCvsf@IlPhv5O#Ax)y(lNTs${M>78%M!i
zZeUq-Y7{HPq|bqkZ!}UH;+^2y?+#RyZ?u&Y%CL-7b^Wl<Ut8#v<|)x+Q#YvOS0iao
z^BWZ{>IT=;0~qjqMLycOK@4|bztEy*{TN16pbFc~G-He0WRk9yNxooHP`H$ZmuBq~
z@m5bg&w<Oz8Hs$l506H#0z!l~szu_ggJDI&#}#upgmw8gCIRQX2F4)P=)4FET(m>%
z2W3Bjl_7vGl@Q5I-DX`|-w=$wE|kYZEkW8Rw+P}}DCJ>FW5P!XNtgeOpP?jNBUwzH
z&B_%!m1kWATceUho(l92kY2%BTzw589`17P4vmTWQv5)HcJ*1|lXT|c+wip;{&HGN
zHeMdpeuKye`eo?APYQ!{{}+(tx^w5Cu0mqmw)CNmYU`K3)n2(1uuus#`>KtV>H{d$
zAh8;HsQ#F`OIJ^)q%A7zrp7c^fUT~s6{Dsjkl)4HaTCAm80T*i^Sotd^cO;6i>_$n
z{XaB0(&IW@Kcz~8;>v#>efRY;F=4p8<dql@E{iO4ofyeUuUt&+BF~Dalzq$o{9dq0
zhYUs*`_!4IFaoon1S(nWB_)?a^x`9H3!8iha2HuVb^gUO&JTrH=fmox#emH1Ju`Kc
z+;_Km@roou>TpbU8(zbAVP|gEx{<SJ)rIV+Ke*`Nd@-s;eUg5FiWfl0ulU<HO(Bb3
zCComRsley`Z7#Jd{eY7Y%XyS)hu^xR6fv$!o^Q`b%_j8uEY^UKOu~k)tKex5GNTZ0
z<Z)d~wEOg9+;=*}vo2RT>CH8^>;zI}I_I?AO>cM5to>GiUrwvTBFE+*vMf2R49|d&
z!Xf$-BDl&v0Y~st?B#HPN_Az+O-F5qT&SI_Tin93Juvr0;<}2=%=Es-NP`0-6~z^x
z!P>F4f(R&)@@Lo2MeKRI7Bsk<a_q<Lio5)t{+zPxCnQ;U^HEv9v$S0O_09{;Nw{dQ
zdAr+41McVgJZ$R$_BgpaozAQ7>_Br*(RLKnw-0Ov)>=t(K4Z@l;=4Bo<kj-o<@5@i
z0xCXI>WD23Sz+)9^j(_%YR8W?ILAw7kHR*uF~Ns-Z`@B?!m6bW`jWnvml+<&vyd|q
z#pG0Ey<e9s9xx%O=$K(!(A!q1vX7+O4TS>ZUt%|L3f(midHJ|J?F~C-!SIpt9l7bn
z)X{nKtb>)q(+{)Cv}-UeXQ(Kd-U!5<C0rrNt%>t~_s17eCs$8D!iJuQyJ?RZvDHCj
ziiof3UXz1SK@!uM_~(<=V8XehzfC&#`T9^qQq+TC68eWfA(ieW!5Cs%ZsBrt3@l_f
z^Fm&|PPvHV^RuSXBx(rp!1GIZW+DnYS_QmY`~W<=Dti&M?vWqT@bf(B{Rnw{kM`@n
zB9ai@&jj@`q$3}|wW}1&z=M6Sy5|T_DNlry4`LtU8Z~=&ZZb{pf$=eG6aO%T$_<5c
z?-hZuZjR7Lwv$`8Scg&RK<7b7IaddtaKqLg%NAGKhW-s*xi^c*L*o)M8@M&-(f)rB
zfSU+rq~Ia2Wz0;qOwu6N_0{>Lhk}nl&A%6~^S;qrPhBmOTb&u<@}HJ{Qlg;h8q9K3
zz5yCzxeLGppI-2tD88X!5;yVvKO9|UK$Bk=2WjaLMt66|NI_a86e+3EjP8`q(VfyE
zIZ_0qM@q*4k?w)C^#7gjw|#r|oO_>h?>WCX?Sr@xE>xt;z#%S=a8uRbKIhj%1Hcc*
zbK;U+^rOB*my7MfaMk{3AvX#AK7#f5eM-AU0}&{RR_)w}so{Q3`M;OrSns<JxYpK~
zz#l9YQA!cq-Ykkc<XX`%=L0tHH>M`nFd@Y)>WTSHgGARS$NFo&9oKv;JjxWh{zmH=
ztSrl9s{L1~DV3J+=!{zIy$xUVZF$31@*v#0&Lay;2$YpVF%JUu&&A8ACKoeld#+x&
zPW;)6lrX;lcTvCotFTPQA8E<%-^oJBZ3=n66!4Uc2$K%{XpXP?HskMGf<G!kZ4oCp
zt2y~r?>msh9ApKB*bq5gy<q%Up=djG6gj!X%kRd4#v+1yR3OKR#5&j`nrOMjq9j~d
z-F0AmcLvIB{)#}FVdZa|t>W(=>X2p`J0V|_+lz?9KlqvJqza}aEr-X$1w^ff(#DEn
zYw#R|@rWRc2>oDRIbCN+h6#8muZ%bxqQJ1VB^5p3ChNL*`d62q;Lu5U<9+wf^SUEz
zTGK2A{+9Y3AG92Ule0;AGn2#O$It>Cp$$j;4hbt;*8-&DNLNq3i_(YpUoSr_(MMbD
zgwK8aQ<-^=(`S&>pUL6B!$jG!!TL&?;+zSWAF58>e0<@VkJ*necediNj&##VMAsqR
zoyVoDIzq!$g-QI8`xb*=Bi%s6%LK5`!TtOxGNYpXR<Mf&kC%F5rvp3um-a|SOR<n*
zB+~T*Nf|v-t7%Wz_sc)-o%;c3Dug^5FAa4wlrFu)%$ppBXHWd%VF!4SW=L;Zn4Jm5
zbC7vg@Hrwcff#=zwmH5m6t90+$}?2a-_QF^j|i32!!bhTR`Ddev4O+RD4!jT>skbT
z{XQ6mfi}vE2i!~|sDn4Kz6LEJjYUY*MQ7Bshr<`(#54JpdqZ~grtZLs&LOR}d0v3s
zZfUzToK7tSzafDCA|wgRe`|<iGf3C1N*n3#0Cfr>vFgsh^0vLY35=!KZsa?~h;}&0
zZLIc;PA0sabzZ*#cnn1QYr`p%<IgPL|4D@n`XJc4oM`hf$q31GjV7@PP>&c;!UPEd
z^L5Z>bJV9_)RK)BtD<GbMKbDk_S@d^TY<YM5(bo*DDp~lx}9k96nqo@dBAKFX{V8w
z(u7*&>yf3V;J^la1>IHG<`?*crry0G&5z9HoQEId-*Yq)S46$G8>&H90_Ez<<I3>T
z4u@+jZo={KUR9tosVW~hJy>G%N2_-`oz84|pR9E&H#E@asrz6vb@$I-VZ)em1!Z7~
zA?6WT(g;lf{wD2#wED_ztBsQ*xCrEP9#_c@QL^U`>B<2{d9UufpWhveb27bmktczu
zYThgID4k1F$OSjuMMr{QA_+Ps<>If^VJIa{iun}*QbbBW{~_YjDhArZ&d`X9nqTi2
zJwA#*OQ~O2wPWVRi%_;@elv1iz!7+w!XkMtH=eP#W{?Q--9`;xaZ|o0aCo>$nlSur
zy34EDW`dfHvP-0ng?hJ}cYx%;=_p2u&T7v;Z)%&0HqC(7;Fnf+=lH?(Ht5qK%`2wi
z*ZHDhIwz24M$R6v(19Ls4&E9ZjTy9iPBeBS%cuX-hjQ^#y_fkXFAs?}%4|AXYco@(
zp%n;oVv;eMkE(2Z+q5>WOKBuKZG0m#G=ED9<5zTT*fNvjj=HmHSnnMlrD%>-^p3j*
z&a{xPDYx-s>d$}jz8Bb!8A3sdHow#BO86lpN5{+_GII3gyzyyU*K-Ew0Zyvcgtr$|
zc<v{;ua14HzQs4zdlDq+Ua71_>D3jdU;dNkbQL51D;eJ*eCKC66_mO@)Q9J<o_<%?
z<b?WCRJ5#>{I$xFE<X@1%;HSGuYD~Ceq^lWE_lOHhepbHeEYE?U~ti0!W*Td@ZF9s
zN8udBuRj^9D&buFnH4_H=GMR#{8Fx!s?S^kht=$*t%CarCOl5^_MC}-8#DvHeVSya
zibDhq8f)ggoGy{}mY~@u6wq2!<rOk;U6;e)8S|NuED62m{kl)IXdSqiL6BTIqyodt
zPFQToIBcrh3>?3xZ9vw7r43VYp~{V$7+3ltf6LYjCDr}Xhn3WR<Y;J@^Ex;+l8Ms#
zzpn-IKIU#3+GBCuY*iWOI72x1o1_Vb@6fKaDf!M;w-7}u`iq6>ZPr<+)ZwDab@&47
zxCV3j`;%vpH=kPgZw#&P$dNWaQkn91y`*5vK-oVfcPRs#67S4giwP08ah|q|7U`UG
zWT0H<ta-J11!O68QkS^ZsyZ)cq8lI-7d*!~>tys93N=fSJu>b|6X1*HB~7+UjR<Sg
z+<!ZNtq>2Hl)tF>K=8Ftnjjh^BcP=5)&=zR3%h{#rTpnQLap(eXu$VQpW~Yslh{QR
z&B<R2$wn*mQc}fZ1En>WU@I{NoJmP>O*FgbLM*5(et=>tZ`*_+%$9El@%n9z!h7&d
zxP`!>LgeH=Vc_o6p*u6xE4m42_eU-TMbv$CmFmACTWMK;WDdqtJ@YRjc?BIu#V-T}
zDM9D&54TH<nwU2@F216QRkUyl@;i#5n2`GaGPKac%#xABl`zd2xL)c`Wi7NPYTh$Y
ztzS?QdL{J9`Gyu5-xm-Qc9?50N7xKaoaJITGxyE}3pH-74STa($r2`xGGKQvdAFJp
zY6REO;a1@VW1D1F^>5s4iw*Wp0rs-%C1t@t_PhNyWz1DnH$($6;&cw^%;Zn}*KLM!
z?F`S&t8)x<8OwL-JHp}l=9-;;42eP+lxh(lNg$2F?x)k}r3<5?PbRp=7_E;^1}A~B
z@BPGtbr5*51;lv+sC%iUnUn(7a|Cfe01*?s!y<2_qd{0Rb9X7DLkeLjN>1gU9)^`U
z!yWz~BA++=II#w3SN8RMX|m(k%AY<HgDBzIr6@TI<6fRtG6-y<KRzexilCfljs8}7
z7nG46nyHvyUjOlI`tIT{{WxM}x?mxaK0A9+yoaj<c*HoZ@Gn5VQFI8-pyId`4y^Pr
zqm&q8-~*+(g}P~#8<uO9V~h*c=F8zZNcq@(#`YCR5lg8?TilhSMseQ(Wv=#nq6lwj
z#Or{}7BR<uKiBEXArBD%Yaf8y-`MlTmcj>;!=Nf3kejj1cOcLQ_Qy<=PM?~p+khEx
z?Kw1w?pKX5>u4P|bF?*Z${+UgZ{q`bzL{9Ba9gAtpBss{vJ}|HcCg}DcB_snAbK0j
zbQt){2PxdD`BQx9Mx8x;k^G;|fev|~{%NTbhwYnvd}4?LD3ciS7&>M_?Ey&l@8J39
z*M(>Od;_>Pz+fQulUoJ=GgJ1dk+REA&jIhVfgnzwsB^r!(Qq<@5BiniXJ4~=<YkHB
z6k6EQ)6P5Ml(vG?`n|}*DIb-M2<?MrXLfn0L%v2WpFPep&fX@*m^dx%+e#~CL!aH5
zuZ`R(=B~waMlUTy1m5K8PkV?m({N+fk-K1*pYwipv{39-#A(kWxcV;Xr88pDl0#*S
zJqany%Iv^w;fL^m6S^!uIXLdDL|!9noN-3NJuA$-S7Cx<=EB;N8$2x*ZW=e9f3*jj
z(e)$lie*w!7H*UmF6+A_s(*}dVSSF@u_8H*%xUPg;Yf<s-irs}#USpA-Q7*?wWIrf
z=T{w9#S4RMS-P&oM&kk^nvPe;iv@p<z;i^1JX2?&;|GV2FZ-&b=-W}8SrHX-FJ;EU
z+OO$WVD2A0O_Tx_`hQA3DvfWpz`}J9Z>M0jVY7>>{~bosziLY}>^6R0GzVjv>W>0!
ze0e~su&U3Ai3&jG?W`kT%##+rRJRle(m&>*=Yjg_+S87T{QaD+oiaEk4~j^twpW(1
zD4+bk_6m93I>wy%CD1oQ$nTbHt{E-aHxhN`I^DE`TAd#G3B7LwcKZ#zR8)VFC@U|P
zdi>ZyV2~#9T0EoYbA1FWg#yoH)$yLvTDqlpd3_$SmvGz~5B;OXhVAUv6N1<A%)qVk
zsvS$=)SoL<bl7`snD+BW`>qoD1MXodSh?{y%94n+M46wTe*b4n99ciPK$mncbdo41
zs48)64@5a!r5tfq)iNa5Thel@O@_cO-5JwAFz8`A8asHyOb71Zp<f8@zvsYnD81I+
zBOrdtRVz8^HvHeBYK6z-CkgJYOwv|!knz^0mY}gEl__w+QI_uEX8@>uPzrWIZs0E7
zzf*1LAY!gDrx0_^M}vBbQp0z$wUOp6-vJN1Q68;a3`HX~ONM2?x_=gOr=-Q#ECZ60
zUp-(ChMrM1QL|{<y>8kU@;00-ppCSu9R&pto8I*A56YLhoQDzI!pK$xBfVc27iiCE
zafpyQ<O=E-6Fk;7{>zRbq!2vE^pZvKlW}9Qgy^#Y6zhy2PKrhD3GqQJb$2%{kuQ2n
zwAzRYvVE-ipZt3Hm%)f{PnOZ*t3(D|;+0vmW-o~%IDG7Udnv4@ZBHPpRMDVti5GpU
zYTfx}VS*<+R4%mW%(y<;zs7X4%sOL(MlrQ_MaRv(Y7qP_!cXoun86-&h@n$+XaV#F
z+9JHHg)hjB8{cGOJDY9OQ6M?CF|`Rd<ypKtGmV&>S_nP0VZZW(&H*LffHfq^i?yA#
z!>uLWmmV3SmkjyNQT$~fuMx8$R$oP3!=nzr6ia-f4Lj7nA1~whlhp<r)OkNLRG6^2
zE@9gw2%{XD)cg-gT$Ne-6mr3`PS#b=^iBAZ1oy_8(T9y7D7xQb`wL(H-{A2cO}(<s
z#pM<<D&k4Iq}QGAe%gJ>^-k)y>mhpYDEsK%#)UN6OAJR16P)ywfrXi~*kS9CR;meH
z@IkUDZ&MChnTa7)m3Oa7$u;@~JDn+OgLf0K<Qb?m2Ef~;r{xN=MG~EwYmX#e%^GC;
zS=D);$eCrz?JA(>Xw~V)k*a9B4Usxr6qqjfco#8PLHMh=6>GNCbEi6h6P-Ctq0)SE
zbvg&!e`z<G8Bh&yT_Jp0K8twmbF9F>wH&JBSfZnck}{&>ea^0|s&##Nj;)-hIN|j3
zH4rpcRXjmxUA3G;HG>^PVYx7ALJst>e*+viTy8n$7%10tu$AX)v*~Tmf(exd5sV}7
zU?SxvG>OgeLsD|=fY{kfNnS>Ps8aaDezaTmx6ZiN(TBHX^G;r2DFdmpvUGiRC(7y1
z48}X#R-m!ln*JkwI3T^DMc6tJ4v<jqh0$a~Cs>bcuwby>P3xS5YT7)30IuZp6s5%k
zU*3MnhMmb9YiVINhvAHK&CIh&hOS#VnVhF$MO8vsp##Si8S=@47m?=}4k{lT73fZI
zxyPNqJZ@M4!;w~cLFU?Cs$n|bT9M`xV2tz!H*Dpd=s^p}T~-2=_6ka4U}H_iS{stw
zPP-v$nZMdEu`L~5SvZ<y*~#g3$vL!){96?EvYo1K{=#0ufPJ*M8N5fSA7V1os&~9I
zfa@d$KRjwQzisPG!IAAChn3tqN<BLmY*E#J;RZ>HkB8cX39fF2|1Pj6m2l*EPf34s
zP5*i}zSfHvl3TQlC~|Se47yn|F`h5ZihRL-k)_{JVE?lNy}tdb+!<EL(mZZy>nvMV
zkm7$ND|C30oDo#iKPjRK5L?us1Le+OI1E$x_N=7|;v*&upN=XAbcQVp{-AFk7Hdx$
zD+s`lvTR4d3X~>zH#b=4SYV1Eh?==DNGg$24YpzcTLD0<`7ShS@2o+fTdFoeqFgXd
z@3Nf?I5IT|s@evF*!IV$c9G}J(216EPx$V=NQ1}#K_>?#ZIS_YU#{GIzULbLuC5=-
zSlrCDFLhnd5PeJaEn+MFivX;};{~$xtw9-+qAUu0%lh0p#h^|3=n)uper6sX&x_86
zFsO`u_)cX#*w6>4nYbMz10jylXto3d^R}|~fhF1%)U1$V-Pt}OG1(fThSd5z9mH%=
zL*8%AwJWw|K3#E&Z9M)o=dn3LL`z#oghiZaTZc?$d-Sp=hND?(fto2#GQ|=*x+w*K
zj#U9O@pS0GwU%^xwd+v+y{FiwmfnZ7Q{dXT^HAJr8%{pA!6&?@Au&w;Mt7ia*^;ht
zSz9a&HZd3cbCSjzSB!qHWZ5IwP~UF`0E7}EF<fs<F`HLFkki=9Hf5)Ykb>BY*=7Ud
zYz;oA5)hSJ<_H2Z0Ckjzm~2O9Hl$51a+{lplhFL-kvK1sAu#tkD$in7w^>jWE^7{s
zk<H?V3K|+f7hr-)Y`?tejeqE3;VRJWqlxVeTm)R6gC~lDI`R>aLC#@evPu|;<X29M
z+SH^$G|odOHF6C`fF=d_XP$4#9>|TY$X=ufwQjAUDWs%9kQp5V0uf{az7zQBHHGhC
zr8r^A%0PbN=V*t^?6hq?oK76CbU1(;l$xR#oBB}=LQCDFRY9V;>$KkYR^-cXr8R_2
z++{qOtw61Cy-GA{&OBPU2$c8^wy6VFg)}|K5}XZI^iIaqTISnRa=MG2nZIur6&R~V
z7D3xpM4z12kH$Udk?=1mBszRyILe%+MVREB&OxA~xYfpRA?q$~?d)W2BgRgs^zKJQ
zV&>abp#}UxR<P}!r7fSHcz4d$RmH0lyj619w(S%vVFdY*o_lpc%9R2i46YN?Bt$mK
z(4a=IG%_qwRWkt9;JEHy1KfzU8-dxem8%-&Ru&0ZzVn5pTuXx0n*>RmC+$t1TJzM#
zE9yX$cb}GF0v*|_+40ehg0Lu_7C~>G@Yb*#)tz<2CNIl)3y-U;TS_kN(E<y6SWDMN
zy}Rv68lBg0P3+*t*s6+`V!}l-iJEedWz4zPyIPl2{AauUh#gmn%s$!17(vNbVKY?a
z*77F5XM2+>!|H6(t8J6#S`I9yE0s#`M3t#rQtp~jnlhp!aK|wm#`DCIu`C&^*M=mz
zk=L4#^_!vPH-_yIGP1e_Ec|Pt78r16?XT>Mz);#^<hJvAm8VD+D}{Go;(v2?WgnP<
zyu|#q^psePF7C5=JuQbU1b&bHQ7=VI(Q3QQe28WPRNKWHz;j-97&Hrax3xN%(CO_N
z_78h6tx$$@>>k;CXVcIBZ33sP?fcd{31_(+AR}j$3oGa|i2RJ^MI&x!W!M=%^`<2T
zVqZmhnEDR!DHZrmf~GT)vEa+;w-7nXJ_FfGW|QZeE9uiO#V6^mafW{_tWr3;21c;Y
zBPu0D`s{=gkvZKFY6C(@C<h0$VGdh?UtUmAjk|JQLLn&93sO#+ZW9(UxYTG^*l<d%
zB#kJ}`PAry=<jgR{S08UDWu}b8~Y?p_H^<iduaSL1SNJFhP*KfluReatPuY>&Xd!Z
zzQ#gY5<^!T)um-_*_{Zixdo<}9zpabB31*9n6-dgo!r!MBd02nwnP{TDIPUmQwnYh
zRXrqR9FJ6*hb4(fQ}!m75O}AEen>4h$~|dqgz_%wv|`U`{feo<I!ru>_|QGqzIO<g
zEQ1|B_A*K+Ew9buqGf(7_j2W(5*?#EEgaCSP+`N<hPl&_3|a9;egX#oDli-RlcEYU
z;33o&tpkvV^4`dEAq88RYo)wV7=W-2mt7W+pFIYzlA}rg#OkSmQ$k9MhWCZMz$23;
zlP7p7Bk~CB#g}Ob1B}AL9ODR0qeGG*8%eAZY<{KGEMwX~ShJ#n;mPsRx71W~$Tf*T
zuE~``FMSOrA~f_jbGJu#$Vsn0`LRT#I<Kcl7_mHkqZkaHISU&ROcEU&fc|3P18QNn
zV7JM=vYr5Ia)2k&Er*XsniD#5zAwKetIQ&B0Wt8?PR$PsnIyO5)kjaTh9&Mcdbdst
z_G{E~`LvDPeEB2-Zt*~EqA2z4I{0;|fp}tabUYuXfzyiAt(%j$A$y-Maxx_pL@h3j
zcvr3CerRI2JVH?QOYy>;5`;SM^@j7bPEw!9_>`<AwUu(I`23iic<KM_OVJ+3on@5*
zKXp1}s;ZGNuR=U=d1XiX&4TvcT>gz)$N5Zb)J4b%u`;(y@Je+`zkY8yxRMBVk!oJV
zv4{&BTXISmfC|2MuD0thj=ZlroG^l)S~ll$9zNa=54@xXA@Gi$`JALO#$m08j1B4R
z{qx2Gm%lcc7v`4X79*2q@xpXg(2rQHkD;T}WMXX1;-iZPMfkr@@G%|J2~C+-<)2X!
z0%=ghDsD@>{>6TuB5%PuQOe;)h;X}Yqw%^me&Ingm6cl0xe;gjx*)ItZ5yD;xR;Ri
zLCCR=;)W$5X?C$)&~m&HZ+OFC?_vf#5fY>ZqP&sb5ybBSSm~z71=~oryq9egHmR`s
zkHkm6S?DRb84{&rKGCnvVX#$83{7U;D+0;N8aN=`f*HhuqqT9UTEFcPsa<Vf{NliA
zpgi&F-y<ln!*aBtSJuPy5}d3)-ur6ir?W{JZNW=ah7q)?F}L@oq^F#RYU12;?W?o0
zn=B}(-qE11Hw|wR4iZ2Q-d>Cl6#bb^B?^0NZLvz<#kCiJThz`?HnzPAkl#9CQ6jgV
z<`&Wp0MV&8NvX>qYlw55?gIU}oCOVvh%a7v3yvIt9*y7S@L>YJbD;+8-$}#eXs;|z
zI2ozNMMMZmO^-J03ZJ~pU<AH~ZPSzJ&$@QKR51tzctpwy<=TqOGgsvbrJ|IWrR~o6
zFNGd?^&#9kC7}vJ2&J*GovqdnFWSVq(8Fg%pMLFc+h>4OYjRn#Lsbsa=KHB5uL$Vd
zUI6Aezt={bCrvn1v)&98eU9f@*D9FNRf9a~#|1KposXu)qQoKA2w&x4AqNl)Ay7On
z+N#MXmKwc6qt1U0Nf_-APA6>h7N5E5QU@#A;xdQ3?qHGr7Px)0ZEKHo;P!|as6oX;
zL6~olxw5>nfqbD-c9a<Z7G=^BE<hP$(Kvv{aA2$`w1UozWI*ko@GpMpM^iBB{YJ_^
zrsPZRm(7X7;>eg<8$YsB+=V|#tssbW6KfAfg?(IUJIhwN6TIEVLI*iYNl&Yyy-_Db
z8UcfN4NelNW~Z!gIgc-#BC&Hmt9Q0*+IXWVM^0wFmANj`__=|!)aja^RaiH{R1%tw
zuTAopN5rpX$sE|w`qo?8e*3M^y_Z&S=$GHSI3j3a<YBjqTVQ`=oXWbNA$^xX0RgkL
zsf<_T=_6$VlDDAw)2)%W)YnOmVc4VvbvsM}wKYzmpb-C8VOE-hRE38RETEhuUd2R_
zOep_oq65eZZw?Z(BB<lU!_40}4<l-rd4~>U_GW*Te3B3-Q887Ju}um8wWgRxX>nq3
zsGv-Z^SWA#?jZV~Bef;_2c<e)YXHQ=KHEAZT-^AQ(~H*Sp4@fPW$TLSq2gV;ktv-1
z<**HY0WWAJ`u7qj(y%9@@rPR8Vry!9)F@G&Mv4{-ucA=XNRN;&vWJUg6X^aIiqi6(
z8i~5rDsfz(2>euT;%}VoRY9ax7^cRhn*I4E9W8*M@KzRExRk2rXs8Ty;sWyGJ6`p}
z;HY#uHqA^IsT3cKdS-7Vk&Zw)y%kp<-hR&7pM^76a<aQ69_-Eiu1F;Hm{7H3(s4?t
z__PNa$XfWDEXGEDI4YH4Pph1>ylQ@b*=xY2(EtEe=YPYi)^7{$Okl(J?HJf#WWAwc
z<W*Y!JiJ2qFI%ofFQhC2R)Q{Z-HF3HB}$$7ezU;BQz}*WO(FC6Wy`__@em4WVB@CB
zm7Ld>Xm%Giu(pP&C)+d&j3LLdgEp8wqL`|{&k7nJmaaO%w-Rpf*V95~2npPn79|&6
zsdl{b=SoZYx!C9uMxx>#W<=cDU@0*j<JX#$=ru5$NW1-Y^uT1ybJCI9i~c#y%Ct~!
zX<g5tO}nuV2-``boP@p~aLz$yA>3p7N*UyefyNtE-|)XF{?ms+Ijbdu0rVAIsh)x9
zl;r6~djW=ig!riYxvg|0pz2p+XPTA_tY(jZ3iJO8?U*a&Vn@@eUr)j8VT-PQFMy_1
z8Ip206*J1(AGJiJ#lHrBQju%sjkmUmH%aY!GePQuj85GUm$xG;V0#WXYhBf51GC>%
zi+INp>kmne7K6)!Z>ZJG3=18b!x@5Kn~s#QbfSOo(T1<Pdi;keo1d2(A0d`O6+QLm
zn8<Zay0h<HHb&yhp><_LdKeLq7ClU>jqJd!A)-=~Zj6i}7&=rOiGjJ97PCeBY_KF_
z2H#fU9Gm}E-y%jUB}-zd2h^p1{GkUGHPAx)9d#y@-XIr$u~*}(U3u(Xy%gLe`pJiZ
z?&)S*z(8@9qyo?$lb|4@!%n$=*2_Qk!0r3GiMMQ;Xw>Cvc#=I$V(aTK>so$5C$J)=
zKgYEnrOmK#M`?ur;FRtBA=~eGp~A!TX^rm^e#ypo2~L3TR(cz)Yn!9N9Ms`SYTjL&
zG?c)B{OndinEsLAmgSQQ#8H)sa+~rdO7j;bm~}zs%m*ELef1lzVH9Yb1BZm;UBJkc
zNgb3aswmAAejdC;R*=YFBjg6K_mMm6-|}8~NO)6}zcOtzJg}?0?Jt*P&q9A<hP@_y
zAiT2XJH{Xbx=3w|VDn0f8<5Nc)eGvxO|8RGg<NKQ^H>RSnF)dB;TEmCTV|9DvGJdc
z{t)d8p5>1({hD}>kgzW0{2h@}vQt3EL?Q_vUD}$ZmeWloa+8m#u=mZc^lPT5_6^|F
zt6L@JZ;@UpweiFd-R7>MHDheEnSxW9q76CyJnwTUrQOH9dtVI69;@J6KFKes@;4*7
zxKO<*MK2dXks3R4a179I6<&my)BCrUs#==8cbUSfK-Gv1Kxc||&M<2gw*0u01p*j{
zTT%m|sRglvL0XvMEW3L_!hi%p{NDnmhrTEyEY-E_IQ%4Aj^7wdR{Duv@L#NJaX@aW
zDb0weJupN|pHP8m<bQl5ywOS?J~Y6275oUhhl;7eJfxGIhQ3k1y^yYaV(Ad#5eTKy
ze|0t>^;O-7abdZD?2o2<p0$<X2kRV9G2_XI7<c81nwvLHcnDmuW^%COu#hhf2K5~6
zBrN9b*CcE0ETy6?M>r>b3LzN0<K~PV>ZIDK^3&H&T6o#-v{o%_YciydTUs?&pS+VM
z=bcYGsiBGFXW^ViAhP`SrugPE{;&i!9SJvSBg25?CdV(<pu0Ta#SSaC26E6S*C#~w
z;wA*ANA{pQ{m3MTUA)o~+fpa@me!sZ58mp_mZs+4r%NRHV#O7<SS)fXFa|IYzYwaS
z_2^K3yq=!6Wc&=LO0I0pm7+;Z0Cn8Efobeeo~;Xs!fAxDYg6N2#O7fGFZ*%ZlpE?Q
zQ(77zFTQ$5IlZ;Fg{S6p?F*UbS0*@V4NdlL55g&ZhkLo{#3-!yQJpnV=@Vx7qnZk!
z^sLl$5kMMX%yV5g=B<pU9r{yq#<X+EPBHBl7Wb5-pYipH!~BQ4tY+QnJvB+zJD@aP
z7*3<$_P}yBI7)vArt~c3RS6P->-#O2>kauuQBvq4G=<5ZAx@f9Q@u6x`Zhkp!rALQ
z5FsuCGzjVehQmtGjU`zL6o>iwWm3~re6}01uy~LdeCi3aFa&BzO>uno1ZP6P2umh1
zix}&d3QTlRR<wf3_Fnls@k#KR@AOgxagQYRiH`8f5-$WUp@+7OSB6@1&9$k(v1qS}
zly#}M13X#Db=cA)PcTMBoE)qe9LDF}bKH%?8`^2VRu%wV>5ZL`eSgP6VwdWRA0{o=
z=3vw>STiwMIw1$2-o)Vo!zo^W?GeRStDK-K<Wv$O-{AKUv*?<iEZdcgQN^s0GC;QH
zR;g|Z`A3vmg&nLsL9cZ%1B%P1WA-gO*|#a7!Y8tX+GvE&ftuTJzx2P*ZAfuNmV-sK
z!mdA@yp=PM22=)rQ^Ggqs|=3(u@N^KZ{m~+!5~r*HkhTX0p%>h0j_$BFwI1B&=?d#
zo1_+0TM)X;3=JZ)`hH^|y;FD6DQ_|8U7-U64GX_o{)4je&hP5O$LJ_($S0}cc?jEl
zOMn#b_W~1zlO5)&9FuCk!k;6WtaeJ@m}(tVklp`E$kkc*a{yV~$KMWyOa1^rO|td=
ze5I-fqta(5_c#%}#@cx63ZhE}`}%OC{Xwh*+s2Ng4a1Ipjy{T_rgF@(u?ipQm#u1a
zofYN?d1AhYkzr?L=a?_|@00J@0(#w2!GdrNms_@Z<o8VbsmLafwKXlN$lIM2nQev^
z5%F~?q9N79osdT@tcAWG18#dL-R7RH&NzYN<q!Cs?pYM=TOqJoOlMC0j_!}KidLQ(
z2M0%F&=1I{XS;vTx~5|EjrX*h>spI>!5u)7$KVgSrrdHf?0}z9WeGgJ-4uMi4kF@m
zJbrl>{Q=tl0$AFn<dij1M%=;3vlEoyvx!5WT8a)6QRm6@j%sJ4o*QXt1#5z=_mN^1
z$mE~HC-e{0{^PMxM{6X?9@jo3NT#(Hia*z(?qZHRUU$bdOnYkb?AuVHeQMpNV0_nE
ztj8U8`I;3(el&+c1V0i}DWB4D*-g`h2Q)0j!FJz3J8nQtYW3{}HJY(;yWj#8?;`9V
zW)4I>usiTQu2C2ax<MwsNbc=(JP+GlUz@?D(t?(&&hVSjq>lZCVoIGk^RW=o{*T(+
zQQs&(qvMX(ewc0Hc^_oJv?7U$9PxowidbxNBJmZdCW64ru#HFrQ8;<%CCbi9`xiSi
zQ}d%YGcbI`6$RodvGJPy<42^}a(v<dK%#i05s2WJx2u$<zzQnKQiz7*lEID{aC$cy
z<=k=@<tLT4V4Q-d+?QclI)-l(nve?5TpOOK4~y3e*W`Y0%|u}!Hj3rNGk;dF<6!n`
zGz#)K*K7<{FLdzMz*e#uw5R)iF5XFtC1NAmh#8RdWwA|*;VrUt`1{k^WOk^Tjmrcs
z&-J(Dw`n_9evLV^2~~9w<)QSe3_l3GmBD2zIhj)fzwN%Vp#4xX?=K`+rEG2>AZ(Ol
zt0##`faiF=orBEAb5qWpg}A&M7D0%h0tZ0(A{CnyhW47m^K?jKeC6WHk4%8O-lLZ?
z_Tg7|wPB&=DzUoSyHNb*9?g8#FrBM!5taHa*cEHh2s|)^<``?x+=WF8qNKnR=SjvY
zNeyMsaMNUZ(w=nZ370aYPBS&xWM2l*O+gb3`e0W3);wv;0O3r9{6#p`#0~9<9&m*M
zs7E~&LjjtaY^?Rh-|T#zs~qdpw8`mU-bkSD^l97X=GfTg+d5iqd8|nC&JXpH&>~z7
z=3mAl%ju`ypC9$C0PJ_@q#oJTEvgFaCB5Mc`CK9`w~6frH)ll?V|vN^ZWJS>T)Bfs
z%_3$yKgNd4o-H14Tsiy2&(oXR5<_vhB8h=}-7_l$GE4cs-h$T1q`7rfygD{XE>?1F
zb&0JimuF_$x=8cQ9t7+Zhg71t{{Dx7l-*s~#5L#H%XX`-A()2ltdI7(PGe|m-GS_7
zH(_|hRH@)WAd(=uBsx0B5&-oIT{*{qioWI>^NgMzX$jN2GWAS)GwjSjZ?ILaQdu}(
z((Yy6_f+W8={aQ~e)vL$RjN76!5p7k<rfXt-vEA=W=>067KS9;rkCG4%azUSEWXZj
zdD~<nH1kP^>@Qe|ANr9MM09J>XUUV~6*;QTw}AXsGNYMsB!)^2<^2BR6=Fhl7F>3!
zbE1g^%WSi_y!TS!IcRrOo|3dcg>jnc%|<m-Bf<bD&8B(O5>4X)2G>B0$QcYq3P*34
ze=`ynqz{++62UR%DLX)LOsFD2fMnczL>CHLur#NsgcL^QzO|@G;b=^-_XSUf&@^jd
z<(6Qq&~B5%0n6C*GyPKCj}{pOW}gbTrKOk7Ej3JKMR`Tl4>ot-4gJs_7h{EB!h|^Z
zvWjIhJMIp|q9(GHXJV^Ec|~DszIILQpr4aG)Kl=ARo;j{PnlDhg}veSHsCqS2ZRNa
z$1mexQn&~ylV5YTw7MNT29k<MGr95v!uqNuz{dvgbA|sLl9+-^2=z&1*w2|X5$%++
z^HOuOQ7&_c*8!}8%ng(U#7xWpBQZ%MF&2epC0dxFYntServ$!Es;n~S-m~xJHj+|s
z5g|4)W*v*BXbtHVyY}{5k_~yaec7wISL7bog>Ie_#Ru@WG-2kDGu7Ucyi*`MK#%5e
zL8JCNq|Doj8J+oDO7}5xTx+D8^7w&|9Z&ablsSw2R@BL-IRVCYsXmTyxtE+j;|gLg
z$1NTCF2n9=3ANG+)Pi(psExCO$*+?-^nqUoBNHrK(gHPwt!!(vx(1-sfcd+4Y~@Ev
z7QmcLi7myNSo~yx_|<|CF>RK4Iuw%pF^>Uo7tX%L!MMZJGoR{~xUkvi=$dN>`TNE9
zysswNX_TmMgg>a|6ip0s8$bjZ5W~cwwA9hL+BDhl>+IDs;1AfHyqUwR`&zK<^ydvz
z$ypPHY_tpj%}47LJJTAI8dyB7S!EB)2}$qU-MN@Y_FEW{Tu6F$Ko%(^kT3Nb5kj&3
zzGq?rO^MSGd+QCKqkqdqzse$`Rai;_l|}B#i?Ea(M+Xxt!4`puH4)-?28w;XxbGps
zR1u4qziR)xmJimG{xLWo&#|1qptoj43sVxgxc^Zu_`9Xf?e&bCY@>4+v;-b~I_*$2
zG>gq19VdGbX(eVIV$Px~(<K|0g7b#v5+%tCm=@1KYms#+l3_kC9dkJ>ua?!jfl5zk
z5UGvF{L(71)fs@2$+Df^^Gk9dOX@CLMq}fX<%y;#+aumJSE~~yj}~-oxz~lq+h#c%
z6HP7}BrZ^O`7X@7Hd4~xKR#9Mut3@?OvlX90*~3Ml<#iP-ZclJwa7WWSdGFT$kS)A
zk}cb(+6|q^x0B6+A~PpE$C;}z;}sz+?w1q&6p&|KvUNYy%GTjmPGFht$wWle+ndjG
z+c{41x6gl`F+Y{D{*2$(l0V7rk>WB7I(|C^#6n)BquhQ!JX&DGEQ{0yq-j$78})!R
zNQ1=?>5=Dbh0NGIVu<&K4^3Fg=Q{&P?nnsM=hs4$)-Q831rMwQR0lB~&ppFh_;AJu
zw(~KACHrDXY{TVt;tvVj)J3wQu_&*u*Y95e93+^SgK#tbi~=H$)#?KM-aFxcP7rAq
zJ-qkok9{+I*KdKN{G)<}<QN_FUA)G}p4hfVX9l;M2zUS_4ujG>vIc}JqzAuhHlU9m
zw>dF4eQnxeTH$Z;=_><&3pv5Fxh){St5sOY%NR3obkbE4O_nC)q9{KOb+#nRu9M;)
zqPsW=$%NSJ|D4{G__y5$rI2tnO<wJHG5*xFms5XIW@W9aB2Um04WYRShZt@sSM48?
z{C+hWhUviYq@wyH6c&^BkIO&nG`LzC4=T!Lw-OR=_F?-u-Y*-#eD%r2qE1Q=S7j(0
z;ORF~0ffCU?9uEbTLEwGVc})k)->z}|2tgII1$YGP^-8?zi-pg_;}7!u^~wE?Vo)~
za$<;wDaDZzwz6oSbx0IA(|pIDoe-94PIgE1<4lqwjMy=2<D@8^$DjdMxV-41ahe@a
zr$a#57o$5MFd$Jw+(w9}9``!A>JO3noi=N*wm#D`)t$Px`Rf$=7>73H`i4CZUy14i
zi5`KS)UI0z$uKC@_woZmC4VEuE9~d5Mu(riqlW2Js)4k#Rfhok4oS>EPVI4R$G`q$
zvdRyxa!mJZhEte|e{B)Ii|3hCxCmbwDJtlT=i$>ce6WZxa>SNb9lLyEcRQ2^6~4<>
zMpUK6C(^=Vi6DyYliIgA!-CxUegr32v0kxV{Bmq~*p3VUAS2m6nSE~eV82w)^e)&~
zz<Ja5<-!=TQYmjy;5QNiq)Tr!W}8y*K+KB-(#@)yp&uhnVih#w+3R4QIpK-n@LyPW
zzOW8q29t-cSuAcEyN2dMawcNF`DcnTCl#GYDTZIv-;*H;&M-GWU<?i)nuwJLI!FXf
zPH^m=eA-uF%)Edeu`$Zw@}jOC2TG?EW$^n#6ab-;sU^e*ptQj_KpX5{^B3EwLv49G
zybs`*NE7+4*4Hu0)hgJ?vv`3R{pf!5&Fjyu5|ga@EPxL#m!e)shS%xibM5asEdja|
zb4bo7HE&EbdFKJuE;1}Iemk#ccT0fMck<BJ%=ZRrZ_e#njvwQ))SPW=eQ?Iic0RNU
zM-68Bc3G(#whg?nChAu_(R9*81BMrxjID3N@yl$z*a1n2q94mHXjTYGj+vxpzy6Wt
zJMOqfPMaX98EATE|J99&vizN4LERC}<SP=sAm#2I-WlwN*N-nax(BJ)0FvCo%7P$m
z#J(8pWexidbFZop_0(B*)QP5S;?4s{XPP$^Qa@~(!%|21SvqF-IRus0#X$HipTGmb
zzu_8xE%SZCQt<p@Ld_2Q0BPssk{qKPO3Xbt5uxmp?|Rf1bL~w9bYbu)?Q`=MbY?su
z&u{8V^ai!4lXzk|(P-SOAcY-{lgVr1J1XY4>G#UsYl0hPB?Ag2XvGYq=V@2o3Faa`
z42iqXnwxhrM%|!ziB<fX|3u12lELa1w|v|6;pPzqPz^WpGb~`b^lk?cz>X20OQjrd
zXMF^(f}s$wt5G{mGV`s849jfY#VfBJo(UMLiI{Tq4GpYyQ_6<o{zs9wOg&f2$R7=g
z-$dWmY1|C^cx5UVgLc+c@6b#kP7`hp88SdZ;9L;}M3DJ&Tpk`ri<7vw_>qVL+tt)=
zguPK4`#p){2&{KfRf=ux7tFQe0t$Jh-_xZMovz~aL9$S-?OfX37CD*`DXq!M_=u5;
zo*lmvh&=-Rc_!=o9eGJG;{TCqo{kkf16)ZpOv{u)=B_3|nnq3u2;jUf&m3Z+A~<o#
z%>TN6<(@hmYa2YO91nRP5lxTFb7+nCSS47<y2vol95E}ZWVrl>#V<%*5j^;vJUs!4
zl?xEH5Nj;c6KL^B(MVqOu^m^HwHLQD9Si)b_y+&o27D`Ev^ETsd0WDzJE@pugU)<q
zTtx)&4ISJ+_Qs@MDQ^*uG9Mgg0)eI{^NkuXUyM>(<3!o9u)R(bk8Kr3BCzTmH;9)<
zksJQYiJBreFcFE&^$FnbO}JA&Vc7YgkP#u5R0BQB_q>d%16|3qA^c-Tzyd5g%Rnkq
zLoYGl9*71u*U{Gap_T)Gj^#ymGnxtmk^Q4EoeOAyVa{weKaOT;10mORud%m_>!)$x
zZdXxp)P9^TLNMFf?HVs9L@DN9>+)2a>f1^%6Pus#13)#Z<;FbuO~?s(BZDhQh9bo@
zr{bq$l_oi70fWn8wq{0)Cusl*HMG9Y(iYnrlaOKATZCnb7TNlsQR!Kt$$P!b7U_(X
z!sxD=W2P!#=1y;BXNol{$VEd;BAnC?36A$J03ii^^Ma0!5MGXx2(X|C8AU$*udypu
zvo>Mf;Xa{%0~+f~Djp#Cqo!1p4<y;O?*mfKmG%E#xL_OnS%lb&)PJgY;g`N$u>yxN
z72qPpKWRan2u*wDMd&pc4<_9I<-?f2DUs<Vnq1=+HX;xQ=0?5|bm8enCj(G?j)IhQ
zUB^F(f0kN9ad|+jT5SJRec$Dm7Mi>~m5?R~Lv{H(CLZiA+v%*DtL%(BAQozrgKT(&
zlg8Kd?Rv`U{54Ov*FNpbE^5d6b9G9N(`)FPGx8bL(-m-KzSBxjR{#xhs`AS|3qIvc
zGV2iQ91ajA0#K(cQ{$mnqbxKF*WkT~7I>d&L9?8fa)7;y?4V+G9`=2MM!dt!*l!3<
zHlTp=3J7xI5e0RpVlnU7kP2)Aj;z#0z~h<-+<P^u9-gT5wTQApE44R7o@dD}KUd<t
zrPFk)L56->Xo}WrL2z<zqPU+(MaQIY5mudSOVren2Htlo6q^xs{48-t1<ZoSws*g8
z4?ROIQKH+emU|~F;+q&JGCi<wj0U*}#99|Fq@*TGmYBu@sqzNgIB5Rdc;Xdx@gGws
z9r{xf4*@uIRUZUL{31Y({>B$S8gDSY$Kefy1(NkY_~s0M6i-^;I^-ddMybJ*Mu#rO
z+q(AM#)R-7kz7g;`eg}D-U=RKNz5;nt&Fk9M0m;Ce)$~IDyq0!+jsQv=3Fe+iDSUK
z=n!`xa?5~XOt$skuu`t5``PJWd}|Z2)KDtJA~*s3WvL17xR~RF+Yh{Lkl1gDD2w_G
zw-4z}%U9lkU}}p+cC09I<d!@!_);$=4gS#wr}QH(_r`p<`34}<Zv#*-zrM#n#R(G<
zQ_?}KtRN<4Howmy1<C1upDq6UcR_hpwdxmAw_hTawLiA~fk;RfDxOJ6_2oT6y)7ex
zsh)dwd|0T0M@4zrOv};(Wm8n{Osai05x>u+Z4G9a&-AmL?d1@eec(@z7W4C`CJ|kq
zwPCU}5z*XA0Gt!U`#x8#67S`GCAOwDljw713lG-kR`);TZ5Blx_|_6HCmlLyha(T_
z0oLkQae8G5T#~b7hoRHWVZT*$g@6O5QPcaJY@V(g3hD4HWlR%B^pZ%uvQc>M0G!gq
z2f*;(0s>M`C~a{1bK7^W0x7Ev1;>e;FNI`jrI6F||92^X@#mw<fT;ohMj+ZvKPG+^
zSi0s7$mHT%Z2C6mEU&1-qQ7`qK}%-$bb4`%AfU%WjX=_ehg#7{>zH!=v!Ttf(8>c6
zCtZb9;34^o1RO7Fh-i@WdQbM-{tU>sDGeUSm9=}_;O4u_l2O;s9Pdzd6YQs`ocvgQ
zLi%OnG<gLuW)>!}Ly@yGc;(TTfi3oA+xBp62=5S_WGIs(@%H0M9F&x57;M<p54%F(
zwLP-xbIlzdrp`^QZc41WZow=p9>O7@^fPLzwDj$~IHyrCo>%~Zefl<~G25_VI8vky
z>P@ApN2jSwcoXDGI%u3@qZ-biqm}#?G!AJIY{C`S5Mx7YIK%|(uB`rOf^<fv(HUfh
zKY!3M6>pKG=}cH#c*Bkha(p4Jr_SVR0u^n|GO*E0b<ZbG2~}pJceHiSuaE^EJ|YFF
z@z32oREhp;_1i2vO*~2N6CqGdqOGY!YxPx&Va}!uB;`x%zk4u`A_K+Ll7Y>~O}(<I
zSC5!T&yl=brh@y!uQF|wgI2wvXB<Q6IG7|Hn1~VNQtp`tpG4U^dP^zz{S;y_)59#t
zwZVt-g6=wv4gQ8)jBz&<CH?r@efYKJ^mTj3b)CIXPP)#&DZOrZG&D5Ra!;3XbHMdG
zzWex|M~&}?6?x+v!(s2Tyd{n{*x3qykLi_J8{*~aA*`gpHwcGQ_5vo_iT4MOrZvC)
z7v!T$E&#wQ@Oa;CoXGHKX@#J|=QvMCn9#f<FzW5ZO?Wm;P^1N2rF$YMeVe3{3@b~9
zejM(;IEH}RNc8#EZ-`fc3S7fdbf^p;`#C`Cg&Ni-aR^5IhXl#Cht~DAzUhG_x3id}
zAPJeBK0>bWe*<fw3Xe1NJqf=r7T3AMlknN8XcK83cXrUX^@}egfLD-Czp#|J7rQ~l
zvV|$W*GzwjuaeB|Xu|OUTn(VSP;xH>3nJl2ylT58RMwXy=$z#OWz2sw*by@R*)h@j
z_-!;D93i?Oa`N=)`II1vt}8L_+*kA6^E|s`$G_>ul_Am6w+dG~?}A7YhPN-~p^eVQ
zNc|`OZT5L!f14ysz`O0eHI2s(6!La_FZ9VMhsGA?|3k%xp%$^-?)1u}QCAXqZ%Z??
zc*jr8Nzq{JvYTlKUps%5;~`;Xf?=FZ<nPGB+lY5u;YkT^;dn?zLg@|oTjx|lVrdZq
z%bNz-`u5gz&#vqGUGZsr)lGjU9W^lx-MQ+m6VlzG@21^-{bu+gf5`ApyY(8l0BWdc
zM72^}=k1i!_Hzk}mvjq{2LAs|j6-Tp-6{MBhh@8vkDjDNT&_tWrBVVM4|w+}tmxzC
zBNk!--ES)==G-!o&p<{VnOfCLC9EWpnilH$2fPW7Z<IQa`zz3>1u4A*6VqL6V9jKF
zG}XbR$31RCHWB;<uOR!b`C?J`r6&#L!h>H|OJwE9f<3>zlAsk~8IN+_TleoBhtOSr
zL6T`@YnMX6ga-RaAAzCY;ky=XB%F9sf2#cXGu#f$Xsv5kdP-5y28HU1Ki6#h{`>tS
zC6X6Mlc)#lKJ{vd>o)np`?`s-W{CcEj_p5)BXJEyPN$*C>7|O=mj=#Z3~TKEq^J*L
zANIWR9~0v~jCH7q7#%hZ^Kcmwv*+^mw2`@xTsjzL!*}1*ICpnlKE5L#k9mRoMD$VD
z`mrJ{c|1v;>zfSI_kEjld55T;KlX^p2}fMKG>O(2_pjui$XMc;jI4@ZGr!kq`*k~S
zmBI{D_31wPDg^&GgS`^cY3lXi)XVM)=owu9mvtqzuGwCHvZ1LQSL31W8&V>lv)Cl^
zF?RbOt2bFjA#1F%#A<A#_-Bc9me>QHSrpHIDlGSaPVX3PvWl)Yh;AV-i1&V}=3wKM
zbz$^c)PD=0d>X1a>4Ug*YS*WafEyv_r8jY(%HUpPory_r^EFB0cDESSm)wOi+<CaU
zhe8uY(|yXT;!<g($B>eIZ~U(^OgW)M#|!moytw-wYLdLLBGWNUiC0e_^WWi+ajJJv
zl<PS!bQLR>2Y1B=VvY&k@_QRDi#$#287#XO=BlLlQvg|cTs-oOOHuyq6FA8)Bx91C
zc3o%bXWAsP;mat-pd2?3t*e5U&B}Vw4%e+V=7zq?7Ln-rMZR*zBV!T_al*FlGJ3o)
zaq{3%l#DX|>#Yy1Mc8%+uO{lY?FtHznPL@Y6*HtJ9xJhrdw5o;eEi52J`*RB%Jt^?
zNkRthXpJ|6!=G_mjbYs$3-9e~x}Lh;Mw&<(6295pQgq5Fdb6uU{RL%Z%6GB3{*+P!
z`whD8x<KP`>Uoxt8||5~jUiJHs_S5u8`cPw`ejBJxzpg1we>XO=&k~d0QwoZo0%Fh
zw}B1Zt+~II{oi4fXyY`)5d{=1@1F6C8DA#ciS84%hj2NR{*|hs7v5&NhwzgjEiTAd
z1OX|tRZ4kNCAD#$V=drZe}XKVbB#`&l~C4Qh94E!(=A00cM7Pp`~78sx|qeP{3J7_
zbm!PI|IY^AMNY>4$Ht%e=kDycp_pGZyjk1%gBpW`#0*||2$RN!0h)LO2UQFuy07}D
zSLlMMsw!Fs5u8UKs-tf#E_si24V3kYK8$-mH^!%?1QVav@)dkvG}8_`;Zx|pcc1wd
znEoUomXPekcxDtWoryyh^I1(<s5J`77+ao#3DLknl%;yHpIg_j(&|uBUKYS&W3?iK
ze_s34CE1Kzc~S*<(E=$({_|g^=qoFa92-mjh<h>TKJsI)JvE;Irw$h8j(LchD|bI&
zgY;H-j<Or=^Tb?MM+I{#g$RZjq|3*yqwBmbE@pEz;!N=OawssRj@7MHQ1n1pHjc?e
zl}J()5tYlDpa<x1QBNKk2K<!oKweOAf5mHC((2^vQS2+ZDGN^K*g;;4Vg72r@JT=~
zoiSlU$?acBAyXDqEfj$9>Hu^|jY_7!x{>qFawk-v)3TbrvOk-Ntrz+J<_b40E59j!
zV%C%ZpphQxRfZr@iyMhf(lZqk?^efWR$54NC?3Z*SG6|N(5d4$Gf{i(ec|6Le}r4d
zw~&)Y+JOnDn`9<hVki4>H_QKA;<@oJBh~fQG;|lLdU~@2pArs+n=laR*unXlPi>6{
z_HWx;rbb!Rx-N428K6(*=DnCMexj+cs2W--RSl-BO0rSqS2qp48`swIsCD+esNjyw
z$(ezARSX|RmN?osM={?MzbsUj!bh9GOJNFlR@FW&;=o!<+~>XqS4U}RsOOgnyXs-l
zjf?OSw@PQ)zrb)PK5L=nZE{1$X-G@3wt_^H75$01cAaH?YRMXaNXBqG3^S_oN(REg
zV_gPp#01zWSw=5jV6;(lX9X33^$9L&mMo>QJ8;6P2V8?y6u63b*%Kx6%8on65^R#_
zpg0j9O+B1;4l!x7)YQ?f`(P6MFL3$aM(?41!CoV{qPltEK=p$vN=Bi7&bcs2*1U|9
z_&|QwiwmS`aGX3=>c@hc7XhYXkl{FkmNDTVD>=;cI=~kXB>{J;(Sz5~-k-{xC+D!G
zf}d1$7O;<BFYr6$XD*Qlf@SJtcd$Zgy}!CR`eAs;IvCY1l^YovvA&mknOe`5fvch#
zUO!zXbXJ}05JCUpH1#_pg;!h@6ho~7U-WHJg+0mW$TE9O{tv`@P%Mt;zhk#;<H5`e
zpBVfS^Be6dDLmRr@f_^(<vi_E9|I{)(~v5fhJ<{KwYu0i%K+Qk%;iQ9tAai`p25Ot
zS<CGbRoRRGk#v=DO}<@NMZo|mrD2j%f;7ko=}svr=?3X$O2_DyZjtV00@5*HNH-Fr
zV}J~{z4QNm+4kw#^Lw6ipL5;kzRq=Ni92{zJ({TIOjfiQ+t;z8v=<cV7l+R4JXyEn
zde_scTHC@Nti+rU_TO8I2wr$D|F$%!$Br=0ib(>@EIIQY<JO|Tx*lof@EwXeujKBa
z;sA^m2TJ+9ugJd&9?glA>khAR2+f)%c+H_;!3Y*5`8FA;zuo=TYQ2-~_kD{3Yu6z8
z2ab4G<9}mg2DfFpvcd<uSReTHw-cM7Q8i%WxhbP}skyA+gh=@(VbwAGc^3g!{Oi(N
zW<Otth&P)jS&taGjfBR+h;$V#OTU)Hj_X+xl798bw-b_D@sS5Lv}*0tGdlht#!lu$
zeMf#tU2G->|0V892s4X#`9_oDVG+f4$wLdXgpRl!WBChT`IP`QcjFVrR8F|uZ2V-z
zq;ka9{q`ZJPk?)0QpBl~RMKOd<x>;r2y+wS_Lihp+<cq*!QezWlid&D{P_pJDV<1f
zVR)Y^cQ4|0F4`7zBC+Azq$=$M(||QA4x}6s#6<Jm{NM(u<$lG253KeHxBm@CRH#ZL
zj%+TSYUL$0aP4}K;vPb5iTSWWan1(iW<<mkc$1p)3s?3V6x(C{!f#8O^_)7&V;nHQ
z@hvu4{%N!Bz~RUFMw0L?L)(S1XClqR3^<0Xd?5`wi?BYT9<0zofNZcPQvT+U<$JhZ
zFb!^M)~tBn(&NYRJFnuYEgjhSfu&}_bq2z+$Wx0<N!30mVv@dcY5Jm>DZ4fwP|PDO
z9=;dPC<9Uo@+l}r8rC;%JrZVq^+t_Rgwgh!7TQF_N(9`Aoj(nSHCS3DS-|nXwobM=
z){J!OKB(qEh9DmEc_r^L6yaJht>}{}xRBoIVs+8Gfaa6du`K=o7Dne(d3(t=uJhi}
z0JD6uTqY-F)!BO`BuQ~*?5u(E)JfDj^Bx_?x>FQ1&pD_?ntommMad19@71c>ez!Xt
z4Vg)@T$aJX9uku8CSzH2mSP7xwBtMO*r&yxb#`JzRvaO&g)M9emY=oolnm1Ec?jT&
zPl6`<bX(YZB8Bwy2e6jKWyuF0DSRk&UcuD~6iJ3RM`a6b3PReB*$A=(A?qY<p)=%f
zYa8nO4RwK>jZV@|OIl0K3tync)mFFHrnfpQ%m47wQZPB_1XM&6yvPVv-8sJl{4oHE
z@UEvn^&dvkc}4w_Ggw;Uzat91UrGz8t+JfIf6!@x)vC09OwdHIq)qFPVMF<65MFi`
zDhmdB^?VWxQ|9&cP)+_^byL+dEAp^8T@`jUGG0G#?dT0}CRcmw%*@{67(~6>E-8)3
zor5tPer63O?h5vdKjpmeb>YOR$4_5O7yU7(VmSAK*ux>tNIrclPC?U`UNnwP2uq4X
zeA+BK6b6sxZ%<f@(#LlOe2g1A3%=h0YySGJ^fz*FXu_LasEyUt%-oyzkDcLX|BIj_
zGR9PI=Uwx$r5{ezRIxtbP**J&lVQ`7aX|N0{~EOo-?4`Aps7Ve>_BfqxRcMSAQ)v-
zjWevE$qsvHpOyA4O-%VizI`Y7Odv!@@H36|qcFMs;-c?wHDg%$<?(tMOKe;o7U#@5
z*WtE|<CZ%uJze6UeXAgi&2>G#%oJ75O1Qp)SuhX5l7$cWO99m;<il@ABp)MXJPTjQ
zKaJ-7VH8<2b<sWv?AT~9NePVl;kW!})K3g<xhFy48I+(v$9Onn!lpj;fk(-7@_o`T
zd2}qZKrHPf9(dY+H7U=r)~11S+?wy(h_pKR?sO`0m9DAkc#E0*{8i2X9h@2igUogQ
z+k@7L`Am5S5iT+1unFvz`xRa+bZ;;x)x9~)t@-4?c(xcDZW%gmbvuY7eG87a3A(Ef
zG+z?Nn!JlE<H&cbJRayRlCMwNvW)jF8WZfvwb`zGKk#-KN!1Z!fY0{hxMwMRkRRB+
z(Zk~3^pMsu`t^4c|Hb*-q->`>?Fv%xQs_uk?iw0?Z=-T9X;tBii7>E7A22#*E0{AC
zAWj+=v9)O97nG*Hb>EO~k2wr3O=Gb6@)yHwAk&^-u?x-1Lr&O0r{yNS*7>LGacil!
z-ze4PT9WrRKSXr))mMt{zng00A$bBHR`Vc;7p3x2V%!*<SBqT!Mah(^Lo*lb1GG2%
zXqM>(b!OBSKa`4NaG6(#2A(>Gu2IE)q>7c}r;E3&Wa7?PN14t9(msY_u1>(P1+aC4
z2=!++p=bAD6VsCXMAW^`tFCzb_$@Q?8JepkigU%6;`JnvZ7FfuPYH6_b5v4)ZWh4@
z)>{)TkGqYZwD-{XlGS^$SnRb0Ei1|uB|2M}`87;Ta(DH)#(lm0O#86t*i!#8sNu%~
zZe*H<n3>wJnlM!ltK4TUoP4Z#BMc5Mg_Tq6$OIEpip?pgZfCICQkrQjv=%04$y}Tc
zglA-E9R7Mm?nfLBXn%&A>X}RAN&xvSwP*ym8feUgw{4JG5+)mY(GD%xYT4WpeMuLC
zYn}Ce=*!tW!@;Qom+^g@u<`i(R{LCVNHUSYR=UVqW<1jLd3gj2xO(QqckLXLNrJUd
zjj%90?IaI~=%iuD{2^3UodxU6($0Q;8+@NR_sr~dT>|NF>%Ddf<BWlOvH0B!W7O*Y
zL@rVv2Qox;J~{FBzBBR~NS<#-s8~2kOhXTC&^q=(x@?Zs&qJfM$sXt)l>tE;VfjW(
zo>m4t1>XkVZPkIjXNqJ8M6{YaL(9UBSo;?u;xf{Sz?wmni>l)n_EVlOuP6l`rQMIi
zPnAD7pOt3{ZEzm#qj=veO#<dkQ?SSsiMJ?i`15wE1j}sGdzhrg@HG9m<8+G`f4)dX
znaBW-QKDMs!wv-*smEHDTEqLkD>8Xa1lfK0HNL>F>F*Ewg?EdY4v41Z)f^Z88tpeK
zzFs1vYT$Cg@qZX6$9VSGg;kE8B9<>SDGM1KfyI2lbsC!`;r;~Ep{0~LNoAXCpyb2&
ze;%<G-&6*$p=Af8nzDTu6mw+yW_*hw;NYTLj83I&3^B0~l4vP8BBu+yk@@l-TyV+y
zwI_DkWdG@6{j(n=V5XcYvU@N2<T4Ng8_y%ZawTUBJRbEWapU<G&;EIlp}v&<80IVA
zgpaW0|7UZVT*v>@$I?hqT30Rtd(t$`;K1+uQ}y8%*4?v>p5lhRD*|CKyR6qw(7aDO
zc-^Tv8dlhhgCF}+@u{m%FtOZymkLQPIvN$bcRBkp<P_WVD`um5&i4*@D2-o)l!A@;
z=PvPihJOz1b$T(GfCwNx(dV1CTrNBvZ7S(IDi!Oq^0(ThpeIP$8|zWE&sO?Yue;(}
zoj%>(FZaA?ONhB!=gS(Ow~#Kq_g#L#R)#UB{*|EopBTIhaxqL>Y3P4jSu*USF;QS@
zr=|mEn1%7&BMK$zyXXq<6ErZ49{t5~*<xAo*47D&DoDzrZ@@d+Y=n+g&;KNm%7rsX
zC`XboXRX#{VLj<s=;uLdYvRv--UQF7S#T>Pb1(Qc@!Ml_zdY|e&C8JSSz&F<1@52r
zbu?uJz;rV(&^y?b*|GJ3Tsi@s;;4ZD3!d-ttEG*{0~9wEqsoK4T5*zgWVTAu(@{L*
z#XrD`yvA=V9>qD-DBiN#Gx`zU)Qdkm48uDCX7;?W#61jHopQ|m%jQG!QHIY%6F$#E
z-kUtwY&0kNHMsK&RlFQORSY^MUGqZ3AEZWD%Aa#KTKB!dKRMmMmTyo7q@1?6BO;Sd
zI!fF^9Ua5rh<R-7$e*cV>%v<)Y$>&MreCJ);43&e*C!M>+R~46)?W9}f_l=&da+i;
zJx+{Ju8k}zJp3=C!24C+=(jS822%^zK;)w0m*c$3CM>2`;3qmzJI*$GK5-xJHmGvI
zYwdEu!iWviMxjjBQBkVc6r<mAs<Pg~6C#Baw7#|rzQH`|++K&oHeKX|&!6wDf0D!I
zMS>W=7k}DS2}JAWJo&j5=SdA$*Wcr+Cdn`bz4|0J^o|=Y@ur@NKyV~rnV&buXXae8
zXuHLQp8tiScrkAl3?IheVIP`U^@1V!5qW6e9~%5m7Kk@MF%3$5inhD(Pgt4iq7_f~
zcNr6Qes4=c;3;K*p_I2iiy?2F40ErnFW&phMk7|%&K|I}{Rc>&tld>X_38_Y6!_{C
zPd^Syf`{fi9%!m?Q7hLqJOJapwGDIX&sTRU27|tpn%x59fuH)p+{Snr086DBnR^y^
zbmEs$L$;2#zt&}IUP{{!aQm?LdcHDA#tAnXP2Eh7IW?ha`nQgG>0qn5v<LG&EKAFN
zPD+(zqppiTX}|39zoyXZ3+K>SKDm5lC-P+1<`4)bwlu`*JwQ)@x%$8~xKDumt0E>2
z;~#9G;lv=>`^q=^Yf?W1xE;aF$ph8`xO8PSqx^QWY^7*HAP4@zCdd2eI-NgtsS|Or
z6txOZRFmCZ^V2mMOuSuZc-w|@*MYiGuP6vhJ>KR_ISQ8CWMA?g1YHD2DO{*qg`g*>
z1XsMxZDzt<3;ZM7Imwsm&wOP3NoQ~T{r&kV<L&q-ZmRZC{wj@F-p5u=E_8P$(^FPM
zh%4WN^?*d#?!CrKu$|AUg8!#qv0vgMMb2`H%^r@KysyuU@7OEF)tP{nBzsJk$Ced&
zy;7{1%Xq-wPEx+#W;<`Kl(V$)dFH2*zT%)Gsb@lvenCubt=W^;u8;zvO%uQ&_rx&D
zR0^N(fT^;BHRk6t9veJCKT7=XnVZX=chjW@K2_z8llkw6Ai!2L6keCDM>z%Cq4X|2
zjgGU_`CD?GH<yWa)7EBzSeCNY%cpy;DU2g2JmTTG=|D}JY9Js+ZGegyNWhg!jLZMi
zpDFtFGcuPnw|b8fErxwom`KvtBo`KC(~2Fj<s~%@y7J^f;V8i0*X=huF^!OxLArvt
zu)piELet)zf431F5F|C?G(rq(Z+$hwiX8@}*&N3l=;>qn!ZUd!Q!=&MVwIt{#)G42
zpJuh|rAzb(mKYo=);FGik|bAfEb^i3#U7Rx#etm!uE?#XT6rHOI@Qesjgvyt%Qk(m
zHizwA=KdwC?wPLnP&%Y0&P2ljL;4i>;M>mzm}Idztz1s<P<YGLFYO*|np(o8=WC5P
z3&|0$AiMr@czRq-3cl;iYi@X$LivzvfHw-V{(7IJl6qR7CGe*Z^(Yg7I2uWBve&_H
zGNpQ%2zFvJ+4M=`3Y(bzyk|Z&s5zUVN~1RY`)iU-zMJ4j0X|$<qa)g`R5!PKo|ujF
zKufr0IHH%zV2y|yEcH=bBOR7e!t-t4W2p7OR$Tc2*}KFGcUzF5Gq&-mcieiHm{e-V
zXzW0tMr~)!HCwLd@`2K&iqwvYX@p+#tG*Te0B#QdL;62pp|SaDv-xJb=&wFCwu8TF
zp6i#K{d#PVv)=R5qnNI^&Q(J$<{RNIF|#&Wl{QXcKZg3Pc1k^@z6Z-D-^GPL;p{T{
z$|DgxQH$i3^FkkvNwVhf;Sl>uzOt=QSzyU2^V7gDp;{%fr2X*<7G1@qGMoze^)Y>v
z9;tUV9l}wUt0Sf|<FD}LOty<i0(O!(x<Di`bnfBM%wccL;Q!8x_cP3ii}0y?^=<oU
z0byW9_gR*yq<8zE^j;95FXze$eSAp=2*J4L%YEnkFJ!C`u^XjX&ZRa1vkma-Yd;DU
z8qi$@>`HC*IO9bP#iL&Q_hH=b(*`{HEUfkfbfX872c4Ilu!g++_mvO1JAiP9%;5&2
zt+&-)_*AV}rvKeyCqpU_`p+?+_%zYKoqJ1eZu(a6lfV6(^vtM7!USJ^F}RJsn3cQt
zbD$b8@7LjwV;OuesmBw<klI~1IoWS<ymjCAxx`O{wV=xFAFEkC1?{%Aup$n-c#|!P
z1z+DbWXJ!`c~wlJ6z1qrzxTU1J>PwsIdZD2GKRO`;fi@YSmq#sQjyk@rq8nIv!<$a
ztdEeOe%4CyFep?q#p7lUtQR?oN8y^`fr#8vD1HTNF4}{uDH_p}*EvHf&nje!NSYlb
zwA#S230J+`Cs~5hBFaU+4{Rk#_8Ub|U;!aDSmO+?&&8ASNVu&<Yh;`qaN`lvYtmJK
z`uwBhC-PqOs_@M%ZaW98L~4eu>(?gNOiuxq70WGQ!OBya8Pj2?QF;|08)r=pBj{Xp
z^K<s=>=IFxA!%xc5Q5e!ytC)FI%QGf$pov@fjK&RTsQ2L;<b<Tyo#$_4rD+ZqX|Do
z`Dil`AE(PY6<lGpyTLmlZl3_A*_^PZtNb$MlDqv!xq@k_d-E)+IpIQ939=DQLHD<%
zO@`$*!pQcA;>unr@lb4YktqUy&;2p}d+ZHK7r$`Fj_w7nfXbSk_Uy1{Rbt0=@ueXl
zIDYWangS@Mu%?*W<xazQ;gxgu4TEY~1Ft?$&cxoQcW*-U2DV4j;pf}q#J)TOv57xm
zaL1Cy^xv*JloPw|?LKE(l-Xtm{vtFsFR@#Jpe=870(#vEq?=nP;j@%C<#IOxaBe&?
z^q<15bICkPCe*MN)SejDFL4T4>>R76${O0bpR4wG>7L<4GwXtVv&&alQ**N-U(Sr~
z#-ogtXq$(k;^`at0~?*KWACiLR&fe86__)&9iLagnX+o2>_FFd)GTv(zZ|m{cd*V%
zBj}dnqs~vMb>KZ<g~jP%HT3Mf)7i6fU%tY-Abwm(EPpAOGB3ly=jL6}+W5e7%AQC?
z5j7Wg_5HFi0V*C7g;CQ#&G$?Kzj-k#Kl;(d6IwFQoU=mx7FQ7|+#=*Ojrj$(B)?d&
z*|+R@BXyr|{2Rh`!mYAwNkI^tnBv~&$&35wjMd9F+1BT{Jt4%xB-w(O5@z}9zymz^
zCU$^gtmOTQ&#z~XPKMjVuw|~XrA7X>{^&^67Q|Z+RcR+o8Sk4TJ(db!BrssoCZnUv
zTAP|r%9u|e6CX$t9|^vcX?!l_v0pO_`vvR#J36J>=iI+c^m-Z>oA|-^k(sgga7kt#
zv-FwA-lG<oDw_NnMyDNE>c{?OVB$=hhDIHWp(3Au$T8egP~+at^6+CPr!F&Ei+jyT
zrRtM|eI1IRU8`hXD^KOifsau|#N5I)^^&yM8<&3*ONF*o=9r5eG{Q|AW`esH!8Ex!
zPMYn0^>vq=*?th*E+DojP7hiWK+LY)O8YHa090KteWpd2puX!V^}ACCcuUZw4ZKMF
z{P_Phi%|j%laWEBn%>5GEOjjBRd;P%B2sJu=)|@fa#e+}=4RvA=-NTf!E~+zC{~VE
z3Cl!RwtBGVtQaHYsP|pd&Sma(XMFd13?%&6BOVWyb8<$6{H2b@N9Lw?M?3qc-@^FB
z4;B!s*WK~rCkv)>kSl74G&#3Pp?c5=BtPEw4=H@*B#6780=~O;H|nv5ClP*pu1Q$Z
z5ilbSpNjXVLM^)7#g!9m{j0vn&_OKW=k|Vlsl@FCgo&YW?e3^$lJ*3hKgM?+zjo!-
zJ{U;%-t=#YsdB?Y_Uc9M^%Nv<Vs7fF+V9?fH@~!Y`4yqMhCEVw+<m)pQu5#bThQIe
z_^lkQ$pC!U<foNQgH+Rmo|K<?V$KZV&E9PiViygN1T;KPLg6G}PGTCCcj>aHcJ1@_
zzbnRfo-o1(gEnmt_wn5V`vq!B$|MffY-tHO`m&tcGb1C>S10JNx#&uew0A4@+|3Vv
zad7uZst{{tz0$wsN_!1C5rZcZf?lDHPf*xn9(2zV8XR<ejSi)|ImMesom^-x2pq`N
zX98IrvX)Jl43n3H=HEBFT2L7*37Lt$BNmNRg;AYdVDx8U)0Y8eq@H|RFXts2pu0XO
zudL=p5ep0w`mmnMt+}K<c7V}-kg+ZbsI7AJ(Jq}nK5@wGmz7d84}mbXXvrj=Xk1mV
zFY`V1=O`?_-GSLREbxGW9y&AWU8yHOyrDA4eP@>V1hE+DNrIq3l<!;9LMYTm_T5$S
z+6CaYdqTf!-f{K(HCF&(VdL=Su5GY`h6x>^D@`+=qMFKsIIz(G#h~f{kd6dZ0ZbmF
zz?mzSafWG#DghFEPJRVtD|b`(*4H(wo(o)knlTSlQZrOkTh>0+HRkKRFh%6>yxEBt
z*$E%lWl4WDPeDkObK(>r5F#A$Q4coJ>iI*Iv+lNhM|NN<bRNa$ovONi;QRF9vi@(?
z=Ab7yp#?;dpMnRA(&S3b4)5v2y6o|xv3fbU$AQah@;5`z01LIDzfXj_kH*KjJ090@
zZBub1y)geB-}%`tKYe~hOzSn*5udAP-h{QCrr(t3PmS2a#tq-W`VZ;;Muj6fOx(`5
z_msXp<AaJu%Ht8*V>j~B&<zWAILEX;Adv|$Zc@r?c@X`%fZxziJ>`kZgij%#Wrq6P
ztWeP#>iyD0!Jky%cH0YZS<ri+mgEG-ZxOja!yELW79d$<*GZs+*fwRJ{7DehA6^E!
zyF}E+`)W`!_vr;42~AV4A+}!p!Lf@+h00G+n_jc~jUS-#0!J^pL!4b>;`7TSF17b?
zFbF8(8RYM%2X^^>4MGl@sC&0>9l;k&&wnFEA?F8;5Quu-UFhJnAqW${2f&<(VY9-#
zy3dQQtHtyw2a{`QM6@0xT>MlWqoVFVlDt<Wfy_mCnqHjj&4ISOu@}1gJ=07OxTu{g
zBO~)~amsvsfSS*8&R6$AFgAgC<d9Iz_9KrYf|@dbAF2YbEq;@{Cs1<>z%t=~)+2LI
z0_Xy#8YI$J5k(S;rdK+csP0|SJo&scxH`5j_SO`yA#+-$k6gSBk*)G#+2}cL43%-a
zM^x^4xq3de35o={jwd0LheSXNAeabmJ5=7SDH<nm6%s%exDS(vh>Q$Em#r$eAQSV7
zD@;$#+poLClY$VSWl8VOzN0;5$eqNbI%b)B+D7aE?vdxemfVf`T~jcc&IMCP?;Y%E
z#s_4Kq(<^%Om8pO3J6zy7*{Ys09A>zzM2vaE+c*RKB4Yo9YhbcOEL5=o4Zs36XQK8
zO^3MGzAJX}{=Wx;t;@NXWsHjH<u)emUkc!KtnpvDpkr5$*sAO!iIyq8B@CPl9R2Rl
z|I7qo>?k0W|NQ{}+|R&~d!9sgBm$on17Bb$lq9IBqSs|J{$)WF6<_z&XXb6xARVK5
z@OimYeXf35UYbg-NJ2W#ZRya*+*i%qzJ0Z?i3it#Gj*~TNp<m+LUvuIt&2%ySN$Ck
zrj1YTix6*WTKo0%F{h5yQBRt%L9ru$jNF52pE?SJE(>4nk-9VCu~iGsL<4*`Ai8=4
z*qPgq_`7xJoOuRuv9c=zuOREJ;mm<bMAAVk_czm&vAAch1pAyDK-d!`r>oGb6Mcyh
zzX<o-xbcJc=KE(x>FVs4rBY>|F6a@w{xCz{hAAaa+IXGXw8Cmt?gN$cdewor3<0XB
zc^neDq&o%$ASVH!Z1tc%$lO*XGqy_OM1E+f`|!aOoA!WE!O4=k|01kLj<M+tq#uXc
zX|1>XI?Adkj9Ja)T8qY~Zym_ZwZJss9s0i7>St_vj7r6TVM{==Pb4FL^HX&LxH<LN
zk}L~J|Ieo#jt4^nx(Y)?DmJDd>|sks2rEkr=z?I;5Hzn~Af0q{+Ou;ayu7AQw1D2E
z;W+!yS~$k?F!~$bvqSSd)pC-q!FNfXaej!X+%b<c3YS|YV@|(z)d8Kgp-dsY09AAv
zPuKlF!f>l-6=FUZ&LXaF$vM^pk$hPryb@ebxdIe?Cpz3Wv$W?<caPb>FkA;*u^5ro
zCDK|A)Hlzvn5M2fvMa$?_qp3r8KtEIq0>RKHQmRa*yX(XwfkJeR7TIlR~DNR)G>$L
z(*Vry65KUDkiYB3CMdESu@)pAxYq|Lb-CLipLTp#l!wZ5$>;XF+MR~{9V^ooI@ueC
zAUHg-4A-K$jJs9VE~fRSyG||>5it@MEXWqqQ(r_jx36H=Mb1f~gx}H<oX#7<@!!%C
zJGTHRLGD07Ijgtb*RWAjBm=S&bffZA2C=*g$yhzp14+9CtW@kBK(0pj4D!zG5Q*2V
z)Tm$TC?IzAX69basB4;wgi2zobr50@^zAt4x?+z9fN@1kpLB$;qK>bp1H_A#mXW#$
zJ9S@@u44k1LJ8m7yeZJ%_L_Xto8N2s2d1|nh`)n@4^W5donO(vcY|00Cu~5tT{r1L
znL*c8AcefYPXO{Q5Y*A0r;88i%HIM)m=I_SQYO^3@zHPWH89$_9d7NnLcNMjT`isc
zZ}!@t7_Rp1H_q>CI?&r5nA<@9m4FM`b~N6q0xX0ra821%1{yG+4M$(2Y}-F?JXpES
z1t<b8HNExP7Vj|Q5HvXg1UhQj`-e#UhC%?6C&<BT&eRPX&@A8HYY>ur4-YdKKgE}K
z_Q4NEU0nh?t1N>R0WRwhSr8N%Hj}v&%L6wHJT9M^bk=r>pYZ_n8aw-3y<B%iSK}6&
z3)WCw5(VDqEr0b;BPIr9EH*dt*G|7Dqj~Uahaz5b_N4ww^bo)E$#1$?yGlX&7TS40
z6Sl{KUjQ${pSNt!TXZk(v#Q<hoo$F&V3`Al{T<z8xh?T($ap$<Nhbfq$YE51?yT|)
z8T8@iZw4skn;}`13)pVsxJ00c+Ot<w+c&^(yB;Xd;IqS@ajNSD;dNlJsRyU_fIO?V
zcXJL;S{-z4fkF;}*GdDNlO~szFv$7lkxi++*9}&#&n!_aOGS?R(Z?Zf@_gA?{^*yL
zltUfmPd6h6AF+Y5ptej`zrZf70h1LLbpqw9Ku=MTngY%tJZ1Y+etUZRaeU!75fgIM
zFdtr?2G}}1`*JE9;mDu``%Hn$=%jT5Uc9?d(Mi^@rOK^8Y3_8VL;(sV)?N#dzrFRR
z>Ta<qUCG2%t*!*V^iwaZqHLLcGMzE`Ylji`-Pc|qf<E`n=z8;O2>F#ANPQ&0ES`&V
z`HFe9ySNT|GyI`<%C<7tMtW3;sjbdac;enPYEk}8Cs{KMoZW}2xGByj;Q>j_Oju|3
zFH2tQKvsw%REn^kYiW%<Fx4sfFnhll6}Y&zREENSk&8uK+>$dLN=@gm>hVrET52!I
z|LAy~EcPujSB@e*(@92MD28jtt<+6=?jPMSYiJrPhjZ*t`Ym$2j*uvUd~mHuto$S_
zu>4xwF)DlT#L{sD>nV87bXH<|=d$;_1wu<qj9OWPB>#h-x#EZoLYNJvg1aOFxEY1u
ziNC`R?uXBj5>H_P^xDCPZ5#2ea*yi{V_6xQt+PmRl%2X@`Ro}K6Tpaqv|uQ)=)3}h
z5}J~xJCpGnV$4-oyIaO6$;g}pUHkhTycAzYUl)k3o?Rj2L3dt$Q2#Y$(ADlqK9)mS
zhX_^o<NS9K5fn<IGX{Mcj|PaH-oGyL51bL(YXR+EM@H_Mf>v#&-njTaV_;~%U8yeo
zcRMdE#>9o)(?!>!#82FF6}Mc)Wl=dNenMgx*){9|_2g*xbr_<K5QFulZ|{F29-MpD
zs9tj2g~36b<sm%$rnM!q&^s=e-0n+AfSB0ES^V&H?adn6tEB|`7g0t;JY~3w#N!wx
z^7LKQ&MUUMD^|br@jGzo&J6mCS5rcW&6vtdqZ^-T0FDv)*9$DFEOvJZht?mH;K7s~
zhdpFJ#P}_!<~8c*O9FL7Id5uX{}8}XZ&w%ODHE)DtTm~Po@}|1&mCkuzWnp9Y&Yyf
zGpg&!5j<nKnA@wRGQG6Q3#*dln=qWq7v&|q*pO&JuF)K*CU;r4*G4Uw-RIm9r?dZ2
z)byG3-~HM;zLQRKPCh|cn)|B!fPlY`pgQ!X()$!_GNpLy1^x*=yW=$7Q}WM-w-n>>
zq-jdQh;oaFp&I=Z53JO!4iA)8wG0kRw+Izqch&M(K!zjJ31=EJ%NC_GUjqjgvfg6&
zd6Wr`PgM7M=`0_JL^>wqrl?wR3EJ`YWUwy~of>ZOKq5ngm^e^<m+5_llreawR4QqP
z?Ag49%rTY00$F2vgPp#)jB(G0ADGcoY}qvjiGc6L606}D5u@pZa0!J+$360&?27fg
zA_IGJ#H8)dJV5>9R6gjuOvH1~(d~DM{1I;8LEym--fZ<TXyC>jqB>|a`(%#D-50z)
zXK{M>YN}DoK#uWhS;2+wX1wst^{S<czgRDSRb5uPdh;;dk^0qBtfe%)(hE0(tI%Je
zX4xu#WnV5~9X7Yl6lzpM-j!ecnhnHe1fSDHkCMB={*@E2mn&Px-bLQs7XWw-X6IxC
z_8)ljhTL}j`!Uu#n0g6taX&DeA_ZV5{H93(^6Gw@TYG%ssB*-kJd6k;BVHYr9v?F7
zqZ03bSR{Zd6T>3yXW|(5z2Us`hg7kPoX0E2elNw4ngC_cU2_WzTYnArxYy3~u(j;Q
z5}6SJ{IZI+0lkOZrmdBE-(9XvZUL^(l=iBkbxTuHB6+4A1&grQ^1XN0XbwLxRMPY!
z)l>>|unP+9-do61KKWY#DRDv0x|GR-Hp{Tw>!TwBs@GAfE$MxAZ)&xR9UOR_pE@Sb
zYZF6vlFuTqLYG6h)CH#(1)GJ2xl(=^*YmLj)u$%+npjx?nxxO`N5Pp_VARLJ<iFqX
zs`aQ1pYN!)4oj5u%$1R+u>@Ke!hCF)0H1&Q$kW+knOP!I=bw}<D95;d#9F<LBj#1j
z8&3`zL44b1aAe~I4JZAjyge`OoZT0q3sFEbo|%)!zYka@&-I`5C8ZtxZ2aMxN^D`S
z!goOvIwt-?jcQBFw1NwFI1<6+RE`Nl{b5R?VHJKJ)P~QhoU7g)Yl%{>>>C2yDbbL7
zpsim>fd2Fog{nL(ee;Cy7_*7C*Ec8V^N?sbJ5!jwRl2bZk@Hs*XVFMw<W7bkT9paL
znywW~+wUsSYQ$D`PAO{_VF~Mu?>&P%BiFZI{81j<--+v=TM%szATDax!{aVolPj5E
z7wkB7Enl+V9UytG1yf0+8g?Tp;gBfxi<P$<p%@t=d<m4zPfuSs-5hbI;O{NfH_r8N
zOCnT%q)hnus$VC!dDt6BQZzz6M+vxpkQ@-vf8^{>?KjJptAqz*Ge!lI!~9n-#Ko?c
zAQ%3KTKT}IV(Vt{MW#qo$Twpf*SU`6%ww;)3R^52L@)4$9Hwk?=Y;55y9E0E?W0p+
zvRn%Rcz~YLPsXGFLMPYID-uM*gBn5mHbDgnRq=)^`(z$#x64_j4U~b$HWJAu=bJ7?
z>79R<_So`}53v~&b>t$CZG9~W6lp4}2i#e}0c$8aKUh4PX=Rg9JeUrdfH%EGcVXM^
z0p~@{tKV^Ax1oUiL9v}F?8eYF-cJ}?UdEtjAH$e(GbPTFCFJQtOB}RGh*vIuh{7(q
zx2gA}0qD1=80f8*-@yrrKC#mMW_cGxj)i_`8nNpv3{Kb95kwZtEizR)!Tgk%;zpeq
zRlE3X#qX1MtX-oCCoy;Bd9N7?<pU0-_0l%_09QnXg<LMT$r2@)zp>CFa>$>T9!rL6
zes<U{O2-3bE^);B>yilZz3$g?yyl4kSA})390O28ZXQA$F?2=f^>aR)vvR&>{w-bd
zPu!Ba=bdJsKr>|4b6LQ_+TYEbID&q>8+Gw<VM(-q&WGwUrDE^9Cq>m=mZ;7UlAaF0
zE>ACKUL9!gE&ET^nfQPft&8jM*KYNxxB#O=)`L9ORDAI-*+&HoRz58KX#cF@|B`mV
zuv$8ieBfy;*rryT5i;Kl2vDTaF_EJLyzr~fgZzeCY_yH>yGq;lYT^h=IlWMjODMig
z&TX+~FeX@N(@UdIckhm(ZLp#lPOl6zN)b7w{{44jk=mrF!lBek&^?87_eYpw`2r#5
zo?4s^>7&Em!fg>8rqPOL8J}Nro!}X`OU`}Ma67Aggf;wqb}nF~hGFF1`L4m&`3oOl
zw;cI^_Lz~IOfj#dKU#E{<C`0+3W?Q`(uyrNfkE5BJMI#e_BX}}VR+`K0YC1huLI5S
zYrX6=cO#+dhU_oG0xW%{L>7lRCq4Tnq#|#=bH^w$wij2N*`G%(W2C@{m!|0K^TPty
ztyn-I_uX_&$$wD2)NW7ByA#K=uIOKy#Rk%UdDNI2sY?|vkK{=b>b!c1n0YOs31gL@
zI-dhwc>f28QIo??*i3wg!<>g4jxUlxV`Bh<Jb*Cs0$3N8mWsGB-(2zmsI$CM!?pc1
zEM8xUF!5g*-Sb{M$6Js$;WBPlft<!bR9di@9xlJ?Q>7-~{1+t=KrMzc$W#B<i;R#!
z^dJ~9TYlI^I)m6HB_<kue6ptK4O!AbxJ%rGc>IGQ|7~&jByOL<kFXHl0~+6sC$?!J
z5gvr~dshJ<CnNj;zVr-!7wQ<I6}X!BtE3ubZsgD?tux3F*#f<JhrAKO@csiL1!ZE}
ziXJEjP{Jy@4D^1kd$R-Hkb8+(l{XPT!=49VZXF=9C;k{bT#0jDroMAVZbH9x)Lt3r
zm>ez*K%TD4n~YrbzHp4#;@mm{UFjhlASk@w0_5+3;#X6IOY`Z)rf2&O3oNqDsy{BG
zViiB~v9}n{lF5pc**sfHS*YrMvejf~^)rW(vq`k=Y!qwi@HYiFTXQFKfT<R=&78XX
z<h=>Y`@}SYt;$+7*#J<>bny8Ds7z}*S>T^X)O7uyA&RCW?F#Q$=@^+cFv9lVS>r|+
zg@{XRmcN4z-MKB7PZwi2g8uaP#!2M6!}R6UnKE#>wPCgk865U#!LIst)Nxn>FGz9x
zv*2A7X;Fi$K9RP-8vR%DGtIOQ#navMNm;<c07p4-;gERvSjPyS$*CrpkJ<jWxY$|Z
zc7Fx5l~esW?tH(c!(r2b9Bj{!^M+lG5nQuyxH+K8=-ik}uuJ@!b_wX{XUB12)Mz#L
zUD+|vLQeF^p;fUcQC28<-QZ8wODwT!mB#}V_SO9{cMC~OuQGnWF~JW;1hee4uZ}Su
z_aJYl-3QF9hq;&0lzUr{H1HrZqgQ+3yhe9lcmLQ#q^+_&KA_&utjEG+Ubsg2o!*+(
z%?QC<i_>J49ju*4HTeoF7MLRO@M)@DyL`_-aEt5#_&gFjF+`L8mt$8i<4;QeEd-C-
zrIj@F!L#nne;-i;%AL%RyS2dkfrHN=VWlw2t}|5$HOS49OM$%jW&vVgt}FUDsHI}>
z-w2sr_n{~pCUK+<pDs~GBuiXaV;O1)0#l5R!8>efUpu`tRV4JC#M#S}@L~Liz?0j3
z<<$evN#U0@H$m;c-?%7ZF3N&(gEq)Pna3AX*M%7Lx08yb7#W#s<ahr`9KdG@1_r+w
zMu1#P_wP6G=9V@AZ0GAbu{HvRjck8xDe1$O5{bKzx#@rVS!4wSZHU|epxFM6tieYy
zE98@&HFqY9YirPHIw?{rWb|$TabV9b=s9Xz6dm4;JU~md`@ng-5dGZw|8W0*{YV7C
z8X^GMAOXS)T$uw#<eqt$SP=Vcw4gv9Q2*7CpgRy6Tai$J{QsUv`+=#NcPr{hH*G`5
zyN$1FqiIb&KH!%$Jbv{Gvlr`vbVUUt+`IoQ$Z%l!^>xo|7sKgLk$BfbSk0Ax6$7y+
z56qyt5uRb09KvU~`!OK|2r$E@;;pJT^+?m}ZR8k>l^5w5?C-0ER}Prqn@^JURtgfg
z`B^K`r;eQF=YMuXQt+-WfVb3+Zrso@7DleJepA9Qi!k3b*KE@HE3T#PfNm}*VOXj@
z^MpZYD%7?4<2UK=ISq3&6E#>N)s4Ue;~#ud<=)|*+LYDEav;~GWdZd?owO;$AaLMH
z%7Y61Xa>h5wpj(MDP_{8YH)tw6d<b0wyBWmIa`Be4{$VOr-}8b@bOu+>bk7jTd5i9
zc28zgv?<8EaP~PmV5d1J!siR1VEQ3UXo?f}&D<om-Xx10+fulqr?X;mktICpVI^!a
z(D#~ws8@XVt=!&#Gy2Yoau0QJyP)FMdu$U^d;MlgCY7FADWKXt8DP#~ous;a&t4AO
zz|(E2%FGB*NuL$KIpLrAX17zypf1m&r2M26WT4mq3_;gs96;xpoUufG_-Hye%u&!3
z*}qS}>;W5>k&*8XqQpjc;NQ}$z1fy_s~w%j=lCVYe&JjdTR(VdMxf^Z&NSnSHh#~o
zzVg>Rfe=YK%g1^bc1c^fLej2Xu!BofGYjhpdrN(?cCV^uctpL0Q`*wLmpVO&*U}p_
zkb?KjN8vF_6b;6SQMSD<SuJjf?^<iDNV)##)%xl)d2OkmPHsd*ZlZ{=uUpyMS3_R>
zgmRL%igXD_SUn~AqxR0UCJMG<u0#ee%=Ei(l8SsX&)<&sQp<co2PoLQXgzuMD=Q;6
zT-V8u|BiS(K0KX$xU4+-(dGVAGg`J->0lIB3CXCCKO1|N;4ODdrRE4C4szM)qPu+V
zp)vLWd2tWE*e`)~1wXtDQ8oMBVb8j%Ax!zmy?qF=`X!G2QqPooBt%lyhBnZl{>>;f
z<z2eD!30vb)VS1Tw8xxnRQDI$iB(^0d;_}?<|ar+lWpp@bZ$%4+q<~9u<<lM#&!k!
z>#9w|v6P;FBc_eCvr#%Q6Wu`_t5&6;(Zzq;TjG~Fd1IQ>mw|>;El;+am9q2UfFKT7
z`HLw>-)!EhK1WpJMHN{6z79~Gkq#^L|9u%K`n0;B+(H(L_*G|FVVr*O-7Ih+-cX$|
ztO~_P>}O@zn0j-0Ze;fCYwL@BVyZDb+cEMQ&#GU`+Vyspj<N!Vnr!QnEaW-G1G`~z
zKUklAKpza(xm}(@`t@pXtdOXxJ8!yAPfFe?^|}g|ZXGf-IWDv>&F|anuKr2l;&3Sk
zxs89=FGuSZ0!^J`EYew_=}YAnKmB>$uTqW-y9Htijo7J2Hp`sVPglu{YRC@z_+~YT
zJDWQPgk5RWKf@v7GkO5H^g#4#A4BbjU7*ir1J`n7E45CTiWU{DSywk(FaM$(kh>0S
zQ<7sI{gcg)rEjh=#E)X>Sczk|5q7!gF=Y{fRAx>kFIaKV_amk${EDXWADx$a&5M=K
zT0G6>KUcE6|HV;5hi(}W@Li3pC`kNkrb6~AwmwhL-Ie*s)7(`|D>vqxR;?(0yS@QK
zw%fs;w(AQ-z-rPv(hX}?w3lj%jQYHn*v+KpoVoQ)DiocX^vOzf8gQ%2KJ0gRDm3IK
zzu%9n*Foy)UTy1#y-;yIZ{2Phtb$nhf6iK3{&wv5+jy_H+aJrw?TEI0EWaxGZuUsZ
z`at*Q`#hCqoK)qw>NYzRzd#paH77h9d#)Jx*A#H~J*0s}?u2q^fJP0<6KW()0}@?Z
z?`}~dRB_b;aEp3R3>Is2q+*a~w{r+6;E|Od+xX?5pKJ>6!sIPJk|(u%ijwVe6f0pj
zw3%w=8lnPQ*;0O1+Dqp&+vc?%cStfy`O791qm!ntf4Wt8*K2>3kmelBz(iYBgdd}!
zo8=d#&n@`ogi-p1$|Ixc`pyWM8o*G^(S!TU6znm+pQ(&O>i8Vqy0Q4l_qumHR;Czf
ziO*GGz`R#TF<-3ptnLv`0ZHjj0UasF#1=t^oR-B-UJnx7wwc*S(-R0EH}!9SZe3pR
zoabKsn)1*Bob5C2e>U3unc%;0A?n&+Jcx>%{$SOR7yQ|AbI-(C-I1oSJBq4a|J@LE
zZ*TI4sJAIFJBF4%ftaA?gqF-YG)v>J=p%k2l@E%AGJcN3IFWu%lM)oYN$AY`>T&0l
z-R=%=b3ceX$ZazZPsWfwPxF!ijTGW8#C6~nDK?s<$fk4mOdUgcJAPM-DsraTH+9BD
z(;=X<=9+MgrmM`nn@m0O-4|?MWff^3Sn;xdS~XxgksV4-E#j?_74{goc@)EC+C&jE
zEzEB3D}U2x5)<HP%dmQQpSaAD<e+Sc&`iet`K^_Ho1XkE`RL&f8F?wn9DCQ%FFnXv
zEyGaY1~2s|Gt>v?M}_F}oTJx_ldXxZN3j-^vgV#~=IcE{Zv~#Im0(zu-BOqm7^)IK
z0jYxj3`0~{&1v5U#WZ5=!rr`k(0D%n340UPzKg9wQ=bfin^vM#@HF0d97&}-el%@A
z%7QANZ|5ScvC<x|k`LWtz2rmRQ^{q$b`YQSD9Ohb=s|nne~XoH^*pVGw?H$2^qnzh
zn61ydUN-ko8>%LvS>1|_q|?TiX=Ud5T9PIDF=k0zZkn7*rCzF(YXfXhVuD9hGrSAB
zoE6V%Kd|DG=-q;EG;OK+)IFM^vT%!=h6G>MkMv#0s7GfNwSk>i8Uynt!8|Xr`bI)L
z%|DXn40^b!ZSAn$wjH%lMqdqXd}>_nc|fy+emDXa`tp&iYxAYsu$k6(X0KlT51~PD
z=3<aJ+oBEd!a&c^D*YhyC0^NJ*p(f8tY0^+##D{!MX$yg`4b;z+Xs%EBX0H!m%#-|
ze=fNW^p&+qtA^M_O-GotsA^+eqj<CqnFx~~qt7swM9i!;(9gfqLY^g0S3A<YzLd?%
z(bd^+)_5MR6qFD)WK-L1rB(6sh1QQO7nv^qSZ|JN(?8D~yPN_KOI=6m9Rjx}jj~HB
zoEN{^mf%qoYqH^|_RkXpCpxg8o<k^oT?Ai-DVF6GM{|q-5W~-pteIoQU8=PoJ}f02
z;)=Id7J1=3aS&)hmvRY!j~87hFKA(!w&f)F4BVNRp9mPcCqagEQ~DAzeG`3O%e<!e
zCrEF2mez7dS8=Se#wYwZ{DH1P9$o(Nc$}o#W*Z*du%lpOKJ-L0>)C}BV@mh{MSZl$
z=ry8@^P$V|w4s6zr3ANcbh^`nH~OfXA9@pfA??eG4q6rJL8>*!iAbo(J2i!ka)Rgw
zLjvcfdE4h+X&eI2F~f@xz4F4NKl!VL0xtr`($+q8Jdu-+%U{CkqdEJ+cAN5)^JYN0
zD~O2?2;zFG<IM88R8)=bbm+#x^RN1r8j8^;Yv@wVk|6lW=WnTh)N#M@oXFg<3CW6(
zK@-(<Hv3cLTX)*2|0E>h-dQ7DNQ@%B{IIhNc_}hvmg%yZ;PvI35Wil}<M*&+(Xyl~
z`}KpSF*cFHPS)~(tKz6-WohTnaqKeq)znhV?r1iyV6#Kvcmxr71AamcosGi-TkxYt
z2QO{!eQ!}HV11q>55m_X)1u^^l5FNO&_PC5rFb8`C##pn7#Pi2u_BcS%d5_jJ8k8*
zGH0Vb!5-T0n%qK8qhvuASu;cz4)n^5>dZo%9U`*r^wUWxO@nbm^dz3=r;3&eTr-+h
z`m+sRn85E!t^|*`CizRM{;(>WS~&!%Y*fwYhKpMgro_n5$z<EK531PxL7PKgGzwr;
zk*`XM0%K*X10kKDA_H%ZXkcOG(#y!bQOMz%)!Bd24zxb~71fDi&Cl#besv4%6wqg!
zidPc9=wN7ma8>bCkV=N-2ytf!je(v4V$H^CGlm=E#VlAN5=!dsSq+c;Z3h31*~NPX
z9DSjy6EtcRuCb#Q(dtFHZ}nbB>xkkK`PR{p&Cv*GN)8>COt7gz9Ga9f=4!Xcfu>H(
zb6sZVRNj?GA<gb8BRXBHwZaiH%-bTzFW^CR<wMO{c0z;eQ5Rv+&wKeiqh_4O_^>0z
zL$eyT9~ta*a~Y~oSUD<+rZqV+s467ChPv39q3Cr{i}vO8d_g6T)*L$gi`4UN&zL$X
zM^Y;TM~;YTxj(=Eh&i~Ym2?q*?+kZ?dMXl7m~N)`QIs0^j$Mv8RL3+=r)emRXsc%p
zh*9ygB?c9LpqTbz)rv?OWHV%gwcg{f{blwjn~?y#T|36Z0h6-rM86Vc+w6}`8)1+e
zD=xZJ_$Hn+Hu5^P)>n5i0cNv3<$39rJWNiG`_e+`R`^pC(~~7U2xl%lUNr;-yr2-(
z4Neto5c*nZ+hCs;a>pC23Pr#;HQAJ(rqdRxr0unQw@7%~HABMAqgBS+0PmlfPi=gu
z6}K4T^|*fBah?04D<;tkYTkSL*|$0VlZq2jNrpj1rOI0+z*_~oTKwt2-<op;fL%A$
zqk^XKguxx$dZ*&+$h+YsT|uc{yFAe7@<Zf3;~l7ior2WPdr`T<>VwE)FquNK0!cZ7
zryDY_-DoGw@Q0>E()e(!L<^KCpqUbp_b`Pqbcj;9YcigZIPiD6#Gui?5yCj9o>6Rb
z!t%9+idXEfxTq@FtGd^9HajZWL~f$&+&Bli+&$g4w84RNp|ond>>~5K!of#J{R~oz
zoejdP!RM*9R-qZmmD4`=+<t5irw<AEwUhD5b5VZU`@z&zKp_cHLm~GX;$Fq;-3#n*
zOb*1gDCT*PDOihoId>rk)Sa^V&h)5DE-ywS{Vr3ufB53*J3*<=dJ`lQr<*W-4=Z%v
zO8+a<Nc~T;t}hp{n{C2`BT#0~M7r6F(GW+h!=5%|z0qROVszfKl2J!biHm}iD->bD
zU_e+u>yl7L^RiwNv@;rwf7F#7Ylb`rk~Ic2d1%VF0k*pd7#Oi;(A*8V#|3&dhhw$t
z4mQZSvXzg-hho`6>2QH_yd&lJ9)xvwRo(d9pzVsxPbv2uv}V3irKJo%lI2ypO&Cf|
zfK$|4xNwOHF%c*dZp-3L93)cZ6yqx1d%S^@)jz4~Z06!KR2%vxkAP8Xr4~?5{iDpw
zTtp+EPEj}erBG|C^uqmGp5e!KS-kru!K*UD4&XT11tG00nB>UY?vnfDTAKTlk12c9
ztmr$c4?eYO1L{#d43|wFflm-Q;V!|2YiXYBlMZr?+GO7)MGOcpaGd&L=kz|bZ_AK*
zLp%WPnGq*X)HIMG^mY%1`;;Ef@MA~sBGNrxyFLhDUi)bi^XWx%RBzp5x$cwxSA%M$
zyXS#AR~#I-g_QM$4y{H|ITNhrGXCpnNl0jZF0HS4+v?BE6yqQ){p>&}Wj}q*z3n+O
zLNU3fS@i3#ouF`Zd3xF(D;2wg7-I2+?)U>H38t41K%Ot!8HoZf^#U@p{~I6|+_2&X
zSzXZ(Jy_aDEWZ{U26BHtip;Fzfp$5P&ZnF<Fl3Q8Gm{DTHaQka<-XOV({^;MZ)p>2
zXioUmy<pRV$V%WEd@i4`$D)S0NufWJWznL3W8qiIml>54M%&cfRSDS<Iqh7MXM^;8
zVpYY>)vVwBz~|0@($Xb&;?Nchw0;47GjtF7?#qZtZhQ!^Z$3zoT{_5mle`odQpt&j
zR9?q<DoCgbZOog=G|k<C!bwQU7d|Rdi}tj>oJ89OBWmgB#tG67z^|~?ZotFkr$HI1
z8}ZhDF~`kEMJ4UJ?b<-WtS1rZSQ9}Xm(m06cje2iuP;A>E!<t7Jf*w}p}2XY{9$Hz
zghrvgyP&kkl_!nI%A$ku>$Ci$?Ea>?6lU6|MM@^pZsxXaH<1VA+UEvY6f5cPf@kzR
zY<z}CO%u0=@`iR|_}pZ-9q>{jWM(7FWfb#==#RFTLRZKe;E@C=Zd9G6aZVS>xN}OW
zgCy>X%r{z!gtt2Z2I3>mFXSW$P<?NO$n>PE1%1i%BJqo9sfpZ$li!IZGqfs_&k0Bu
zaB@0kQna~lqVCu!){StDbOf`{*{**=u2>?aWIXDMoO2cAm^4PHYl~H75-n!VgN@XM
zh#4XG$%_uvX{<5%E;GnVW~w&Z?}l?ciNDQ8!tU%%7+jVx7pgJIi);CIp+=$PjQiZz
ziHY6Ii3!_wq+n}xkWa+YTzHk#+vd^<Uq$^@BT(nr=wkns^fP#Tc~^AOLBUbFV@4xX
ziAnd+=O>ea5byBxRaHTd!|1R?^O%BAV*0&n>E)K;(YH0R9!5XYs@}J4uL@oZ9QU^k
zCHCp-B_?E9A}BI%DHrV3+z88!V`NNk1x(o<VcGT12L(6$O^|L3b%ypDV1li@JA;A6
z=MD#z3r{!uzjNO=<4bCq4pbrwm6DzbEhWFNw@>Q#iq`Stt#p`^>H^EsGxdUL^sJeZ
zZ7y-hQ0Om{MblRgfqar`=1Zy~X3(l}<0hjnc72N5Je(v>XsG=+AN2d|SC{NUv9Ydk
zK)yY`C}2#11oQgBgSl_xzcxpOYi4kp(o3e-P6Hx$nU@5$$kd?4Z=|02<vL_TvW<UJ
zegUx!Fh4B%)ljc!%v6yj`&4kZ;rr#mguuu|j%SRYPceV>n9IqlCE~|&Z4&v^yB8v!
zSfv3Gi8XKQZ~Ugl&CC;u`ve{;R1Le=4?U8*=FUAn16(l^7Y7Gy@Rc@6-p}VZV)*%a
zdJZL4qlxK+*Yx{~8VTpMtHU{JY3a!r+W>cQ?xHTCBT9E;7CnDmuRrx30*Cf&v7Hl>
z{>@IBrZWNo*UF|QDv4^eQeEF$f5=!_?B@j;AZ0m-&U;?JBcFwBVcf*E&W}0%$I(>)
z#nCiTJ|ws#xCgi3u7?xc-Q6JsJv6vOaCdii_aKM6yGw95?7#d~S9Mi)JG(Qp-EX?5
zU-u++TJ1^ln-v5uiO0h-eqIuT&2^R8iO)L3yq{uGp&1(=v8R-;34y6XL`-WRV;2AI
z3eN7UUHStz_&H9|I;dVD*Fe)p+tyy4<PBWn2}w-Op6vswThD5+{0hURW8FN4_qHa-
z)%_hMp)Y(~%LZ#bRtR$h1GI80%gXnN9`j6u8q*YN%@Z6ehbcP-Mw)GuoXZ{>Gyf42
zl{{bJ!X!r?%aLZhY>{@0$MHobhp!iV4D4(}H>Ib$BwoQVyev?2ywji?fFLNte4-fL
z9@)N%d=?&KpS{CCEzAINfD<JwMU1kguI+i@%b)njTZQ8DjQ7k1^q~Y%X{?0i*Ce(P
z1aj^DECQX&xcN=#Ey}d~EuDM;8?Z)BiI8~Qc=;!B5<Qq<Z?L4$Mn{=RdKoX*!S8w<
zL6A>OjdT#>Bb|n_bkFX8`cwW!Eux99*VEA{-{il7+iTuz=n_rWFeqk19oxg1&adXI
z=95d70{lFdI!*+yfB?aBQ<BmRmyOnw;z&qpoRt6xX}Qop$`^#4CH~lP)pg9((rpg(
zq%)xezX4t`+xLharT#^|$L5Z3Xl81N&idSarp5;e!jH($L+b49GHQkDg{Mj~2)N=B
z5X5gx^bKQ1QL@RlwdpvbS5=pdxTL(hd=AN%C&;VJ24-2;3>8L-Wo_s%XYoI+nbv`t
zj`->>hG8SW8DUBrn$gfnX5)*E&M|o%LRIc^9Jw%$H@0}uepmNUBxQ|CyyG1b*c)qz
z8Ph;Kpp-gcT<<OxBFecrVv536O8sgI+xQ<?`lOE%sxHh@oWvd5UhGCrPP#i26^sQg
zAl~AdZ)S7&y=C<0$ID>J&q$|VMuXJXf97Ehz5o}L7PX<rF+wGrbmQ)N$i@3XaYXyd
zFtL`j5aY}SJ@KV5k}c-aBa`=v@AU9Ciuu1r0DfWj*wif^;HJUn6glp%lQxfO?q+=U
z$x&+!Rja$=-uwLO{*YXKIgxF6Wp}a<Va^<9nGDe}ft&9bFA~&Vs-1vpGi$yq%V{9K
zEtlI@RfFSD`dL?VH_k#`eRsUp=E_^)HR_tB7|8h@H>x#E@ISQ!d%usu-6|X&x|bPK
z5Ud2b4i#tpmnF7`NN0w{^1y5Gb3tB)&%SOznA=q?;^{SGUd;2$O%pn<#<guXUvH8(
z<y6}top}ULOQCl$$;r~6sY4nkEv^$u8E)*4pFVLVR6KGS%add+a%yR*9>;@LekU+-
zsmsw>-ktr8Uh$ECl=j)L$X%UP{pfVF4Yl1V#O4ee(ejZ3n4UmcX$N0{Q~c@fqMd0%
zslEy8cDlDhVbc3)SV)E`LYv0pG4(cSMU01~Q+lfdccI_99rU=$5*sx|BPi|@+b1oF
zU5TT9(cylVnm0FIrFMh^c*oOw06luerl5m|1;2xpnyH9`)M%-+X`2$?l@!ikko@5r
zBz>K}9nn+Gq+5Ro`yD+LEte@v*2ug;6h=Cy@L|r2dJgq?t!#swjCoKjhyAVNILG@V
z-Is1N;JBttulXa_KJY<eKjq$({5dniD)Ub}PXZ}`Q#SMNhr?OY)`*trLZ|qzS2f4K
zT--NBVK1p4e+STKXuMwwRJCKm{;yB!OK)Ex0eJ{b>CFA(mxFu98YKVWM+ciu2qfL$
zJK!<$BlOa3LEnlEKc$3N+~wrPy#2BXApU=rGbDJU4g`OvJ$OIzyI#6m1b7e%?)yI$
zHE*D-+@&vlAOsiZt!+LmhL%qq1k$~oGruBjKnPQL{Oj+{2PZ|x?J@6<AJ6jXpu;=m
z$5w`}`^PQGf7HfV{Y&o=w$rwLYH*S%`xD^faY^FnC~)ddAlx#;48}Onh#~K#piZon
zdPS<4&L)H5Bg_Z@9k;wXL9P1|A#YccJhFQCO(+}Lsro}M%f84bS)PQYFz6<=1bB<w
zTIo&B?!zR)Dc@!idZt3G%>6bLV)<W{rS_HDQJ%d+4I?+P;$P>n&J0_;;VOM`+k^Y?
zbO#v<i#^GgO0(4hD?+=~<`w7I#z3KjQOFmZS!`qdkst#@xaqj*i^>?h59ZV%<y6&8
zCjFG^y6wwU6-q{ofQRu`FXC`RP_Az8tODNn_nz;9`CClonB-t@@K7p_53U}<R?dmR
z=``S8EV7kh1~lC==Q9*!k#fW0DJetsmf-h;^ebv2RkZQ!TlvA#Z6&|Tv-Sv?qL<>S
zpylQBO}G4G!B<rK`g$E;9gIv~f_jQ5`Z6017}*oroX)q74&B(bX~XV4J!FSZ4L5JH
zY@(bds$JN}UVBaPdA>w1I>?lZL#{_z?}^tyiWq^W!io+tfj`wOEQ<de7dydqzZF_V
zIetrFc4n9ZnqBlDdhS2y@ShD6jr*~kY$D0fAuMFuQIz9n{uveD3~QoVSHu@}NXnR7
z2!kZOokxWL2&q+(H-EoA%kUT)RdW+(yP_*%iU|F|9D_@d{4yn^t2p1W$P1EB1;c@*
z%W;mVTvfCiP}CgQ;JzIAtC$%CAR;DmM08fo&a&AA+kMF0gHFGG+<4bzm_@o^M8DLO
zh0;sYDXzeq&9PZAsgz879e<;N&X9f6QWpJB9jp~42Wzc=(?|wz!B!AV@<+_M`xH*9
zHTk8_Beg;a0eI$u5D<s35p3>w<#or|SSvXq81yjWBT#5cdr=~k@LuO3u}kfEH_|C^
zn3)+`ExUvjqWFS=-zM{MMd|1aC{4UWB_wgkjrr{Gf)5XS>!xx=s7o@pq;2s47ji7>
zQ7F#v{96btDjxeBwD&m*ms!7<(BN_4?mE^J&u0|Z7j5Gjt)+nUy)LH+e*J3m?z5(W
z2xZ|SBwI@E|8;Y)C}sfNM?QD5A1_NM*`%)Skl1GdBs+^*{@<<8{f?<^){+lzW0>^$
zj^pAWIaYCDVQ9td(YE3B)sYbH89)wxuFPW^a<>872wzBKtkhly!b@P=@V+LGmZY#r
z4?#mKc7ZS}sFCtCtLvG>{w=HNhY*bgSvV6k74!-Gr@INET2%FXaJ64aZ8gZiE{ySJ
zfFSW$=2<g=ybMPLbF1`X`bYk)6STYDm#t7Hy=97cubY329sN$1H0p%#(~-bHItW8s
zSblCgniR|eI?``q9OH|XqVOEQ`e5BSm~=0MRJeA7<e7b#woi3kNf$WDlEEe!FG;jt
zi*e7CLTsc0H*xgVt*(>Ff0PgX!VHJ*?|U=f4+akQd;>b|wA=Acd>`9zef9+}WgvB_
zAYo(2BJ|fe_>*eQ4ec{7NPmaX4^9@0)`o^V{@D##lVOGE!%UFEM1gOU&77;{8Z->D
zUZ|*deR(fX_YD`EkQR_3kGO2bcGLI_CTZS*ry(o?Kr4j71Stt>LlSept?7Hew4AI$
z$;KsjVMv*8WUmAMC0lZhw{8v!{6v)j_mUS&JG3YBK=gSzgKg|SaLUD`hmAi+kT8+b
zG-7GUYFMLo>m&_|EqrE`OJ!~Jejg))I(vvB8yiEadg$|MvSEtZW<^5s+;1zmXGtq&
zI%k=Yn6uVwV3)j5h}Ng;i79Zr)cmZot4p#3lWZ3bP&hemy!7Qu=<RkN+b$&^0kj-r
zo<6*YKRUUSzIt;y^HKPZ%^S;J8vuLl)ae6ICa2Agbn@$S{`{;)vk>LUtwMWB$a(NE
z2xc5(WcX`Vj@fy@76qjE$>o9gkDcWh!qy(@jpTL=FsZxbB)dxc)ia4jD3t7jMB7y%
zEf5Hk5;so$*u$9f<>pW*eoxLZ)r;<gF<E$w`-JYGVC;oON03NWJKBnqw91seq&Vq>
zOcfmyFqMHEO1>u)!+J8QR?|(qLtXDl)1+G^P$U$SAE=_Ahe@eu9SdAieyU;im4=*f
zj%&u3);cYw(>%?E8SFxyRArz$NMRpY$tr!by@eIW@C_+FjL(>!Gv>i`FCMw&y0}QA
z-_F;Dg@vVv(hNc9k!0dbm%y0=g^|t>VOK}y=UiG$>P@m?7twQKoCH%?1aULdirP}M
z^}LS(dlDZNuHHWA#FmDMkAW?Eb?}>(S&cpI5qm+XZ_$#I4)JHe_w<KDTXUU)M$2;e
zP^q|%FAmPW$N}8}b^&+tYw#viisHs%+O)`paSIt7A~=z8ggP_ScJUOqN>(Kmf7O1R
z*?^q#*IRELm<*zBa9VycTc8tK5R@xOEkI7cN$+&rBa!ieziwlBh=YSz4XvE2g>9%R
z9_>A<cy7Yvy9G=Yig7Wlf~{_c@<b>wj|_Ao?O|*2g&zxGq%sc<NQHb{>qndMX@RJ1
zGXnIq7nVpSKb(!8hwcG2xB!|k6ci3eYk)^@e4%lMx~S`FlRnZfaX^Jr6AT-9gmYRm
zmbSaQK#r{0pKB!tCU`|+8}pU_ki;PzkPiUpjP~gWee-)w=Oz3J^83Bzta`BJa$jGf
z!Al5fk^9@8*U3Xm2kP6!R#$@1#b|6vtk?d)F_`p;4BXK3#L&LmAN&FEx*|3jRo{5_
zt2pht%+AhqCXp_{KVXre3`c>68OB2y9;P%MH|p%zG{4BvJPY37+~%ZCErddVMW8Sh
zuBTL*<Q++yiIPkZo4RvRRD48M?*Uv2K4yDWoE8B$PJam1DE5?RsBZk&tfJSuTZL3D
ziezGWkB4o&9M*L@5=1u{-3{h(DaCcRm=eVbej1e8yc)dDV(<&t+!RV=z?Qqb9M0}~
zxuzlYWnQe*iRpSl+g{Ur#S_6WIZYhJqff#ZVfDSzcO1%>xV^3#ua<1nlf(!q)u^CN
z8uQo-#@&ACAnn~B-S7auFm>+q-(D9-8YE?;Ea}zuSxY6!U~9hZ<1RM>8E}|&e!an?
znSdM1wA#E8H=n?oyiU~80eN|3-ZzRuzktq`C9{MytRW#XPhIX^*cF<L>`s)3Kjs+S
zcdNZf`gbLeYi%D5Dg}KxeXlkghh*2>wzq0t7^xL6hj+StDWwA_q(1$XBK1bcVa$vj
z@3~5TiGrLfcD$#!he-+qpxqJmn{V}e62ZuAD1d=Szuz73`|D7tQ-_5vbVKRu`UW~a
zJs<qn;^slWb-R=O`hnXp%!U&%b>;nX_W${sQ`C=5SR{_UGI+-9ypYG;y?i0*|2Oih
zj!kGNkCTI}rxwG_AVu%}$C(X5#A&3%|6lnA!i9#aeqUk!970wspAq5nf@X9OQS>zM
z*n_MnbSrS#diJ09sVS+rl+<S!7^!Q}c=hm*V;4fpmMcI3;3~++AMw<;@bL*MmE98O
z{jR|8S60Wv_NlFJa4_;={*e)LJB{m(qR^{X*;<|9I+)G($9<3SVblra)%~VK6nc=l
z8aUTx{|kBJ(8r#Bz!4_z?Jiu?zSlO?g}p=E7GB_LgC(g(m0k#MgT-#Jye<X}A{y!C
z$jHZ&k5;#x6Nu|+<7(wB*K3yYe6s_+=eC)9JNt#SuTWZl`Qb(()AJ_WW6NtZ1X7UT
z-*Dw}xUkonul~(so#}{!-qWh{KZ%I`$qUF1CGq*v({{k5R>7)KtrdVg$%~otv2B?O
zaO8Tpxate1sqA~%yyX&)tH8q6*}M99#Jz_al-&5WNHINy$ByG^S4XS@^)+f9Jvgu1
z2ei(H+{GRn%Q%q(1JeC`tXtURrzm|K)iUWZf?}Q7L_HjESf`=qb^IQi%S(2^7`5&V
zeco)4PCDDEQz9MRcAjjqj0hiH;I{61^hOWOg*y{MAMJo9-`Y-uxHsj|@@{8vKk=Q4
zG#7};o7=wQjHPp>#Cu#{3wS-dF;W74;Zn$A)29YQl@qzXKvmf<XX@5S(Am?Y=qJBt
zhAhaNjHQ&sHi^7xLA49AMv!BX-&X}Wq!g2m)4>KK@=Fu6O6a^$O;Pi>qmAx3^H>~b
zAP}|C(Nom;q^HjfBl0_CePUcEulk^oagUpJ=&`|0vcX=6FmME)5n%SnL(XoHL@($8
zu6->s;|z~GCJrsmnW1Z3YV3MT4Ha2xkWN4p!$wj}X{){im>wDS=x}3}B7>e<mb$v$
zMX3HPF8h+2jqx~f!?pQfL}O#6M2y_wwv$q;VTZ^VLg_5w+pfVkxY!WBRoQMm86(T%
z#PnIajG^9((D%rU6l1N9kuAt_#(eI&203=A0q^*}zg2ZA!JSM><MK$9&VGk0VzXD3
z9XVg;=O|gN;oJ)@k%vyDNr%J2l4Z_O3(CvJQ!=3aR?^2RSJXCKeqKcuY(6Xf9tC56
zRHFEz9>HFd=_+Youyfccrv=N0mVuDWR6x0CTzAyCY~&Fppa>Rr^yA1v)LJ<ZeV#sm
z_1vxi)s&lVn8>O5&jR4eCj*7$j}r|wM~ec?pTDai%inbiVs|s4`BYAv_g0KW_t%=6
zVmDm2(c@;(7=#EA|7z2jr;1M%h*PB}&Y&J+M=avaQap8uI$m~>E<RleI*6RCkxuLb
zD?eLcYN{IWfzbRNh!e@Z?1En`5AtrU`d!Aj^xH2&zs&5SNtT{dg*$|Td8E&)`uHLV
z=o#M3Bl{_-wx@(p>^4-qc3iD<IeH28RB#z?2WG`Zl)Vpml$MMz{x%oA@mXuS<vB?u
zK)=LeH>9$@ku`Cv6f)QmE>(r!6pW|ts`0ZPuYVFg_yX(MkFk0K`wMvzu+(ZFJUOXA
zBrqRo_<G7st4W_KWKU0R3paD&F8E6<6m5_B{ceEg=v>w52He#8KD<`@@TAUjv5#4I
zJ(TkI1n|bPSi?VwcneYcA8T2UI}LvCG#(cfT-yQ8Q-fl$0^zhsPKPHnybh$k=XC#6
zJH`8EfX98nnieOrb?*}X$Eh^UE)C!Xdojm@Na!Z?YN(A+VPFD(?z&e@aXV^m(e!kl
zuJzGh%4tm6_F4*pxOzV>wU?W`m`Q-I)~`b}fGEuzKb&M{-6&m$9$cCl!^js>?{DnP
zwi?Xb{G9*&Lz<z*6oX;QkKF>EkIXrz;j%NQqb_ul_jO*aE}JyWqvxZ{a6zxfy*6Bf
zLFqGv-dNw8D+SLI#SEL-ad(#PT5Dv79tgmKRY`{{CiyXs9C(P`*WaLadHUw*5}ZZ^
z(YIY|_~3g!IvfY!j<UmJV$jyzMtqik9MWldt<#sRyI-zGZg@THG^#G{l#_lCD)1kO
zzd~@zdiUcVwPp8Cb<ue1oy2av5j*F7KJ@zZc4`=m89Q*#y&1B=kg`)|$$fYT@rX2w
z+*n9@EU0i8(_`UDeW6RTyvZYm$bG%eHnbXlkSOSN4DTmgH3n9n0p6#*{y}DNg8~4*
zWfMqhA(s=er&-e*hz<ycK)&(f#EFN~nVa3}%@>1@_S@@0)hXkh03gra{5>AgH{<8}
zp{HZgH<Gafr0VX&l&7~xgQ%A7YfcXk9AT}yA39gh)0f3M4iprkA$7nz+~)OS<lo7b
z9+IORXKL_EEM&?_hEGbWM+#yAs8C_~2!5`kQml@bnIUJ_+kFPyik6vCTkAi$|Me>N
z?fPmDA}ZpBAD=sGosbm-p9j~^tU;#-9=>~#hkQJa5J|y8`X_jQ>j3XQ5c9<O|B`qg
z^HOVbpyJ}L*f0192&k@B*n8i<w{_ZxZZU!M-{W=E(s}Pha6Psp2l!tOcp2X5owsCf
zvV(MRy{+MI9Qqs6B;T9a`Enclc=EUStSI~42mZ_1Kr*{2g}s>J7@y`EZns+J$={%Z
z+?-L{0j|K5`lBzWb<%5ar?^Hxvq>~~_i5ptcip(i{LwT^ey_~&l)-KTh&qrx_m&bv
zNd)daWVN|XYuRa9b}HghZl(sz?nTO6dQhl^2tr-G$FlDCpXOk?z$&JIyM{mO!EM7i
z?zK%J{ve80{N6912xPZ(<J?Xq??gWv3WN*vwlZK0qn5MX`0y&e7k1pc7Q4Gc%^oY^
zmpi?znp?ZimbpteHYyUBT3d1Q>4*wPG%zI-Re6r&D1_x3rF=HN@D$siuKO1CfQknZ
zA1s$FUH|k)cyH$j91?iYiK$x)z5ZG|VtMToXW?2S=_f^o(y8eaxwL28CN#|!Yn2Ij
zxtZ?|4?43;-QC@H*r$mw`nUd<Q*=Js8UA*u-DRRxmsO-CohLdaPx3s8TrpK%3n<X4
zn$(Ji18<&)6g}S`n?!O+b0mCZp@RyIoB2ypO%&Xh>930y?GGouR>O18jh6jg-_YVf
zP+7JiQyjr^7e^nDTK8w?==kzhd%>(RruU2}x-kuuNR4o3_(NQ}!DIjAiJPS$hBqBU
zl3_7xBxRhK*3A+zQ9TxRBld;f&lrn50{TKSk`CGR66Ko!ap!C4O&N*&ds>@AYIBrc
z3x}36#cm)^QjV^Je>HbT2<^{tn%t}~YCw5){;#o^1&TKU-1^9`)6u$yaMZ;9gt6r?
zu3pJVnk{8v26zSM`P1(=CE{-crKcj+$MVF$i`bjKq-71Y)d}&WYRsxe<YP_CavFNW
z_Q7XY`7FZm4mv~UE+yY(=GA#2EpX|C%dg@AC3D%OPp-n>er97FWlnf^K=LHJ=!Jar
zOZSvov{jQmxw8na)P0uEWET>;-0bzs!Sin+);X^P^*vguP2}6AWo&BpQduE7Cr1xn
zm4X?~)f4K5<?s|odM%7@B&i$?EcdSVuRKeLs!V+H-;=88#pr1ahWP|AL%9lmvYyOb
z7~n>PpWz`uZ)Z7r2@2g>`bFjCed&IvBHhkN(T^?&6kERAl|AO2kGwMUVPyK~oBBI`
z<`?-U2w!La!UVtzJu>w8Op{$Zd``)Lm7i!5*Kj$wCue}eoEiHS;YaBsi{}g2=^?EI
zuOn$Z#pu10ci2$V5<W(^3wrultHG1^a562pOqB)(>TohUoCW2xW(DfeLD~`5Zf1kx
zKp~Us`1O2QLY+gEdM?<hTCWZ(P)v-+yS2u_GyLC!N2(0`Pv(lDp{QM5App9x2Wbfn
zbqGp}hM3om>oxqwoS$OQAf{~%>uuhXqJdvP_($sk14b~J+r=h4lvbyekcFJ4E1T&s
z2V_lx6B8?H2TqzC+)&YCkqh)#BYUDhnyx)$@x0BucC&}JIa{PzdMRY_;Wt<)j3|{w
zU0zCSwYZ^@`0V0C^}eACg<!@S+Rr8oZTi4ZFZsc?YybiOX6y$99tRF_4f`W?4Top?
z$o3qTE`1<)Xsf{p?~;|}HpWMEE*Lcs`V!TVu$1#ll+31_Waq$ob)N2@K?^Z(%WG`a
z4+F*M1@BkC_Mjy*8H7R5+a#nr1mXn*j3&?+Tb05>(c&OMQ1axEiuv{kG@QA@em&bv
z?7FAjY2`0{J9?(rYpN&^IqvtD{d~0n9k=J6TrRuP*9c=(SooIo^f74~nCl*z$~qW@
z<C!_<tnKblJdAX_;bn8)aLej0;4;E)YH?`Gq0sO{PRm>1L81nzmHh|e)h^&wj>xf3
zI?wF&w5>^iP&1!Ebr~A$?n?)I6ZhJDZ_iLewi9>N*bS0<2XQhrI9yxm&V~$=>HYI%
zmnZ_Qgz2(Mn`*$*&h(q+GZ<Av2p5Y91v&`f^DL443+qFr1G%8$o-+}>qYZ=F6#X|Y
z!0c@~t;-UD_uJ=m&acee2O+ca<`;>Y7{|Lei)aB#FePQBX!ClQE~u$zI)+DXS-Z%(
z49;C>9g^xCe2c$g-rOpW-d;Tm&z3uyv(A#*<nu<*$8t`VV0=OoE_03vxR=V>K8aQ2
z7z3M^Iw!+%In$Ket?Yi>92~_(3&!D-t_%4OLlw>CHrD!17S22v?sIdv;(ZPCAZ~b%
zyRTBanvaF^@4lXzDt$)_=oP@^ipoa_4mdqVDsGsAL2&I>BNGs{F|+HFB`#iV2Ej`c
zz)JTO54qI(N@Xa-@@Z@Ziw2cy3Fl$t32y}>e3mZ6@}`!XOSKyaqXo?SXK<`=V0C%`
z-;q8?M()yy)AF4#@SLz)Tb>m1{8=B|JEEcD^V8l*|8XuMiW_Wy+&se@9i9|>@-@G)
zf8M~`p`Dg7(J))G{_!?%c5-ZfKjT!?5KqJihm0QdkWcQ;HK`;`FC>FLG=BQ4XdwbA
zA?KDOjx8-ER#jo1PAX4@DB}S%Cuwed7UnKI$r?MSSd&7UppYPRD&P_-MVxzrQ083x
z<Z+azz}D`7j%5EDzfhMB-dRdqA~_eIW1_SJSgncqSHtm@*hVb0T;Q%ZAE7r=3+6fS
zi-i3`O)MsscpzxJkczbK$s@+??Cx*0--uBsM0MG+srj!(?$~qj<er+q_zyL79+-*?
zMQz#5F0Zl9H<Wsxnh^`vcFx}DGE>{*Xw4w@<25Zd@9_s|vz-sVF`mgxKk%Q9E>`IW
z{&TtA^<O0+zWV&*C58l<3{?>VnM_f=vjKW~@67ErRO$#_qi6vT@t&QC*Vmxlin>et
z0EU<w3bMPQX6ogonMsKd05xO+=1mdTc!dqlkYWH{9@Fkl%qb4Pp$mjWXEYmaX0D`i
zbL%25A<$Io2ih}V4L%Te)P3~!wU3Rlps<!zAkz@F%+8-YA7%Tube%LE)2?o~L%h&#
z9aqN`WLJQwI2b=z`yf>_7BmY9odog3D3>jBP=|X?h)GG+IS9;a{?|K(E&Jod?}Nj@
z=UuxMVgdb4@@tz_o<<t^6wS<04Xa#;qk9PN>FzM(2g_wjCa4oS9Qr#p*be3AFa`nU
zJ^J%Efrx}%6^C`!W$@G&@Qz+=pttvZp%U%#_0mKUvdq)d)X|^3bj@Y&GE`J9AAzjK
z?uKV%ZT!|FZ>G`y0#kYzgAnD?!%+*8fr0CO_JiUhL~39DDTK^>Bu7H7XfDA@l-7QY
zDTxWsq;MO4PsTs1%7+9=Rio=bt|r-}PxO|6s>#ln!&9{pIQ5>P?+bty&Fht$##?&+
z8f9m9T>f#~Ac0b!-|<n^yv1rRi;D&?2lmT)xXoM0(J>+|nv1v<XX!q3P31MxYnpR>
zsnxbV_H(XsZ{==N*kQ#V(`QWWT+f`6&v|DV0MB2B?(1^IYeF2;&v#2kTp)VI(~L(3
zHI4b$wYxM|12WOU7e9N8xq}BrjTCbbEl5CbvnRC?uWm<)x1yVM_U!xOWAB5A+LSRK
zc_A#WHp~tpGTlI)j__(0$EHbR?!XT=vkN;Ko1sB#%Bm;^ETl30xN~G$n+6kQKU^eQ
ztO#n~gA{ZPmpBiZ;Y?B2vA}-j)29d>Yb`YgT6+l<hze71^Z7_HE2_<amxs$}Fe_2$
z7>BFe9Cw#SBm{-ihD!)zK@Gap#<^!n+&|g>lSx5#{0mpCRP=LKg%-z^nAN;?iNubg
zq<!h2ltztODB0q6oRZVRS0vTV{H!lAXNy`s?Y6zap+Hmwxd&?FLH^$ICQ(_Tn8_uz
ze0{#f)N;&#0bg560{5GKXz?pD+`?o8IF&C?v~VnTw%}}D?+M>zZ?;3XslUYayqA+{
zW=zWx!x?MLCEA+3oc~lzdo9n+VlBH%Qm(_qe$9G({#^{4Ye@0lW^eu?neKMutiR(^
zqkf&RlhQI)@){u3(elS$f_;tN#Qp#i5!+e^ra>4j(p_$iA7yS`*lgLH!cyYg<i$XT
zPVwUp!24rLcerKtn%P7?t*E6Gyn>Fqz{4f~FI7dI$Xl+=7|3$Gv-v{Gd3mgXnA0>;
zGdv8^t#f`ffD(o{5$nz$6x|K!a%lqi4VIu@h;NXelLRC1Fvz~#;NEl9NOpP<+|luo
zH!=fRsG({h%>?czkh>eOR7>Qnc_3<k+bb5kch0WxAJjSE2gak|Q>ik+25?F&mDRp{
z#V1w$5_s+I;%0Q6{~V*6qjBp!+rBsLZU)7@=}og()6j9HV?3G<m&#T|*s|$FdI$n(
zYQ*ol_64*ZpPvdt1~a+#gKtu356f=#^^3t~H}YpM-|YZ6=l@FUb8kA2-lb}-b_C>d
z4uvW{bB?iAkYp6ia4jP&@C-AyY=w$cp?E{QqUDwzc!m^aYx->4k2lFzaER`Y_0uGe
z53j8lN`)WWy&^=X7Xx_)9RsRX(Jb|VFJ;fNy~DixpJvdvEWS-UOn66N#pdZFm$J^j
z<4KyTHb0qWB>#?H!@m`ldSz)PW#n+1S*|#|v#ByZnr!?u>juYfkWmYX8S^flG~B{v
z04$^TE2GzcIvr982)L1?0mIX|=U%)1%zn4tb|wH%$`q7w>v+uyNT%TCv?R3A*@72c
zC%8jWUCa;+=brkPwBgt-8_ozwda@YWTuu5TU9u#-LEmj<n`82M?!eLu9ca2!j{(09
z&y;R2Oz|{>5W^gpIX<YVa#wk_A7F~JR5Iq@uzILlbCeu~l(xVGXx3d7HRwGxDEIfG
zJ}qt8=ir5tg3Pn*N8H8e6V1{OGd}2~ocz%o<-==JOZE)?z%-8Ix?r$!cXi&K#XZ26
z1Zn<533yh|W$Qglmil8E{mX<QJ;|Kn^ZSL9S}h+8Va#NUH1nBPXA{xeZ>jdEV`4}(
z!XmdkOL*gsZB;L_i)6>Qaa{HM<bamkgB?x=$ukgr<OGlc1sGCBb`nzlsudielGqxl
zH3!ugA5qdL-?89b;j(PX=Z@5*0sa${lt5~UwQ64@fNBAsXnI*Z#JUunJtjOPVxHRs
zI>Z%SVzw?>sKImVa496UDDPh|2N4o?^wLckm-7FP63A$*Yd)H9Nbp@CDF{1NJQ~@j
zASR(x*x;$^sN_n|kW`E^EYLIQnY5D7#|t?WRl}`Lp+4nVankUm%`qCo#n$B0FC#8d
zXw`^2j>N=W@GGTeYWz|y=%_r^rli<C&Fsedcv^1xB_Px|K)olEj-5MX^|}d0Ca8SM
zBB$^BE$_Xsu&aLA*SDWdu0<1CJ}2*?r%}~u-|BqrTj{Il9qy|JW?V^w%Qvo_33CYM
z)m~ioRP5v5c=~30*TS|m(@pE=mLxEin+L~7a8FA_I*OrBUyR&m=eXW~U!W{(DVwc%
zmcB5`$YQ|qTxFvAa&k#Pya<bl)DY5-^QEVYD)+sI4w7CVWXnj~GBY6f_9(xk1Q!54
zVRjn7c-##y$sXX}dho2&>V{Ru+JWp*{jK<Dh5P<%f#G7D*<w;@s_f-GwtA?_eLXak
zM15+9kcdcTgI<2>QMXfxt`Cjmd<cRqPK)?7drzDUPG`iAyIa1lm<}DcLP6lFA=_9(
zh!0bedh{~me0>ZI!W!A$#`w1_l?hz+tkmn~;AYN*yFD`b@F(&9IQ1K_ci)JW&uE5(
zQ{YlL%8()PiSg)L2-FNi)^(@HF7zEkKPNHzuGbYGc1yXD{Y&ZAoAR8!!?mj+dv~E<
zx0AfYkR6s!Xe6gYlloptVdQ#m4Td`{Et}E){sm71=$*(3G>S4wUYeRE5O0T*;RocF
zd#i?<VOyJS+z+HYVE}O8qY)$|Q&zt-C8gKmChw4ao88A_d+6fg>T0rd*>%k8fq>id
zEQ+-<DFQ%)T5bh0ObWbFV%@LB05?MO(rMQJuJQki4)uyw;q5!@QueuWuSdX>0>6~x
zw39&Wn=c>lXIr~qLdOA6%U0mYT*<Ec=KCkC<+a4fU}%jRy%<9SKXzZA0mdf~qk91)
zj6&*hHFONIq;^KKp`mDqqZcWf7CHs`Y!i@e^c1@R06T+Z)e?n1Ohuu{gYo3;blaK{
zdG4*?ksNQFtM;d89*6sg^y{Y!qs>m<)|11Izh{IFeUP2Yu)U?qL0-$Ohzh?4S%KSi
z>P)9q&jiCf;APj9Z<nd^<Jo_NHCEl?wkU!jaGr83rkQ~3lWx*iZQV%$21YkD?Bk{&
z0_Q(D1kO*L>x4_T(wCiTh@imHED8$+d1EE;IiAe(&0Kl^(Ux8G;Gws1>G;G1yUVIp
z>d7<LRF6J#P-VBM<s`_B_QVygid`+;)pO#hW<0v80>b4#yd)Y<_RnC>RybQMWHv7e
zI+R_Enkt};J*h8hmcDiEF{qp!oLmDEa@nW9d1PXjl;LW@nQnGs-(_;77g!1w#3+u)
z|Mmw+EIl1^d_J@gefdMLrGKb&vFY6aY_a)VZKzr^ja}^*#_8-@dlq`1)TyYl<ljzm
zysG8{1zNah`SN1t?$!0Td8!|w>_RnXpxXLlt)+nDtTxIdJJFJi?z8>sg{ygRKi3=M
z*+46QI|)p23Bp4EkaPtSyB|@mH{Y8`>5cF~!Gyiv;5eJ6<{;RN?`SWFSaID&E6*3?
zDs|*PNfUr!i~zgUeIDUbldpUs*M%KI5-*(r6=m{^0GZQZ(+$MV55$_!oYT_OpcA=X
z0l{mJE*Reg3qs#_vO61>2|o>ppt>AWMcmZ9uDm`GSGKT{Q$#y}RSpJOoQjp=ZcTp3
za8d|hYl3y3)w>%=_>e3V%#(igfM|_@DhE|D(eB(+;9uz8X=cs1F^t^mBYXrG%*@Q3
z*11H^GY6$(lK7Nhc_%Q+cb9Z)6J&iH1A%foyEZ<cdGO&<M$XYI+v2@3I<~@Ll3#_M
zhVixSAM|uZrT9W5N-)SpTB1vxKz*asbT6$$1aAE2F?JNGAxT+!$<54%JS*^C-ceuG
zF)rrU*YXz}>;53qYV-|~y8-W8aHS_Gaf}l63dXKS&e6ERkyf=DW@9ULv<iRSRo~O~
zOf<akOz!cvTqIR!22_BSa+6C6J~J!X<eVI1%5ye1u3_kb(mtT~TV)3&xsZRkf2Z+2
zj0ZTsA)BUym>mXOxi=$X{r2BDb3}LuzJJ+<*EEcLzCGM#bo7pP6tv*|xlbE06abtV
zohb->dcX$s@o##@-Qrk_l#W2E5idd2rbI&aWa?W+JiU$gaHD}7eu$k%zErC{o?aZ$
zCEBKO{8GsGlF0ldD^7n%W3X0#gShQH+%oS%fqs*}vAGVi{NP;_;!;^TEGG(o&Tp+a
zLrF?@Ki6eAWC4iH7BlCsM;6UFCTR{)%UMk>J}LQ^Z>g;WB-2S=wEr6Gn}k1assBS8
z-@eRO;NgwS)stp!dnnKMv*wK|+)&dO2ww8X<}|c?P}n^ekSQX&Vw?@fA^rqsTt3~!
z^sT#1I!GxpiYv8S!xgkbZTjA(0Mn3N_J(ufQj}^`>N8wt9r<uT$<?j)#Z}j7jkbqG
zdu?$?xwY;j(lys#rohifRV$p1;s%{E+&9uC{|<}(e7SO5J?+>xuz%N<+<t1#!D$>&
zL&SFL=w13TCI~D}EULjIVPe2}xG;1?+Katk3W}yFxH8#GbWV&z3%IEO^N&@OlbzZI
zj#s~S(=jgfaLq-F@+wE8O=l6hNR9Dv%6My-=(EYd|Jb;dI}3EFQ%+kEb!L-0+E3|s
zq5tYMYdYsh4hl=^`;vArnV7)0Q;epNslB}43hygiEO(Bd^ttzTa*P7`XG&@2id(J{
z>NlkwFY8=L(eIa7s?qRe`M{L?K@i1)BlWv_FDqhQnnDV&-Qb3$=sPjZvCcKWudYUU
zXX!dyg+d?Fn0%bBJD3(gL|)UG%WiZ!(p3!9whYb<rC89QP7U}husP^f9^P%R-l{@3
zF*G<-VCGtNQ*cxGNlUQxRN6mUwuzhlKh5ar<hGN9`rF~1r3Nt#LXJ`N-(RII1IK9K
zIT7=6@13`g?cL035Tm^4@s~E|gN4w3Z!^EYstz0Ay+l#L?Li0xP6z0IF|ppq?#_k*
zY&g$LhU>q?x<apa&^rl<i6zz_dre#Svf-UZX@r6t-a=eOtb+W&r%RuOuPg#rn;Z_w
zT@-veN#+oKqC=g^hURThA`)J);TQ{Hu>~V~yk`O>Q8WKjiQ~-tnaOf87*)kZ`pP2_
zEkN&gnsY4=KcTwX189*R*((VzVLF(?FR*qnO@c#2=KobL%U_~AW_fJs&@Vo2a(Bv*
zlr#8R5!h19I($-pWN!Omxu2Ee%uXYJxgMFqNT;ucf9z?t6fu-o8zY7lRS=*Clgl*J
zVkE=(Fs0yHmMiAUt$_y}Hjhpr*;iT<n<>L8a>Dg}iR{Tc%kYt!%oBuQu;uGDeOx=A
zxIxeQoJl-i-4wK0t=Ag@)4(+C6SCqW@)m-mSp=#MOx#sT307t!2z4-!%WfF!y~wc9
z51d@MwBSzoMpMRS;nrq7-|D*{z5PN_AD>?8SN3|!(r`nlcilzGBXZq)tfemGIKfp{
z91xYK%3S6G<4eu{XG{-9sa8bzL(jP-*To@g_GiNI+?E`ljqx}rll5skULLgqi`u28
zPPLm5DUxYc+|~P)d<VDa0_s)ZpkzQI_-rZ8{dm|Cg#*<*Y)|hd<h)&aFNLB<L60iz
z^4H4!EJE`-8((}>xV=HCv_<yKO*KCXbJeqPg#d-LWLkjooAa3@O%gA^1{{UQI<*2}
zIF}949JiU+&Pp@xnc?60nm5F82GYWX-tw^}gNg_pAWSERQ^_|&2t<GfGq|lhb_(<E
zDmrIbGmM`7slDxf(%_ux1gW^5_IK=0y(a>3hWSjT`#d1Fp$R19)_Eo9_}J0T3WAtz
zz7LTfy^w%apeWWq>ci7t_$_+}L!2PV=hLMg#J~Ks&_zbD(Sxu3Gp2;0ufZ1EKacc8
zj6S7gUQ3$}3j)yGvke%+B>$X#It?BjF_kf;|2kH{>z3D+f~ggO5=*_cDKJ989?ijY
z=C?>nxV0i6xzS{F5zw2pv`i}But;8sVpG_lUM~~*J*6sC`unZ@D5IuNG>?-x=y)RP
zJ19j*h2>O74(>989iFZwKuj|Dwyo0E!G>j_+Frzx4v%6(h(L`+l&YUP&=7!+Xwhm<
zS@3pNdkzk+NujfA`lP<p=&<FzAqqS)7u~Tjr@|$sgkHrigH~%{I%{>Q{5Dz^)NydR
z0&X>~tGA!_BcZl0b5Y@))^<ZFzU(Tm12#~vkeMZ<ZNVZ`zY1xxcsg0ZG#SZa3PXxh
zShwrcUvD_wymCaKt}#foQk{(K@k@kcxc$aPXC=Dsi)?TUez8yHgH_l~uJ86(2zNbD
z9iW%csP|4stRZoTAsAqmTC<K%LrcPrPAlai#3#h5*JU0-?@ZRUu<tx+b<ug7=4sDZ
zf*G+=Wl;g23-8aPPvgK*ygp&t#>;3D+l=%Nn8L85&bw6jlbPlg|F;lc>Q>ogZ=2`F
zQfzcE5KEga07ub>9d*j{cfw?WMDS6~AjSJMVYuomLI8{B(<*m&QKA&tor!idicNX0
zd!_Y+%NXliY(A@Rsu(AI`d-w`XkXACNLJ79UbIYV6G4|jFFR*-KREs-g{^c)dq7fu
zL@y7zlDJan=5Wf!Ai<Xv*F|3|I6rHzmGdk<qK0vQNMoEj<8W0~vMoKKlZ}PlSdjY*
z++OL|f^z$WN1b4HW;c+XNK3U5Wu_J|Q(lSTQ-)x%-9FB0gMNisqdN@|c1QzGep6h+
z&-a2P9n7-a4NgxI&hg%wPm)Sgj>u->FdUy1lRqTipr4<MR84&j(5uJLxhtHg9C8m?
zHqIJTUe)MBc){uOvV<XIKE9ctkepOMSLp>n+yWXwn@Yxzq6Pne13aHk3>y^<=#-%#
z%KI_X%|N#;Y4iv6UK9Qr((td*Iy$^?HNFt!0^z;DvJ3#drDoY5=lE+Fxs08N9!aOy
zX*}^2=YCm+&mgBt-D1|3Bfs~O92N&S5saXjfu){j`v%(?dd_o`Id$rI!OWEa)|O9n
z9TrxridDunqq)O^-mOcRsX-veS!aR;dguk=^UUIzpH=GI(bHA}BM}KF;Q4HbMHEms
z>6&Cr$-=gp&u@NstK(YT)0npPJx0GT?A)vg*RW-fy@-I2_#`ls<Ce`IiJPp*ynJhV
zWHJOfKe*|4f<+EaKOtH?mwupw1aSXI-4U+{jw75J!NqdY&Q<HbJ7L9qf#0ae72Sn<
zG{#RF-7KNe-n0K{jk>AAY*{CJ#54$5D{}7IPp6R&7(?m0yAE2t_%J6XH0Fgy_iWMt
zs;u`U2P*HS;Ws@}hkeR3?^to|i*q<CC@G@ktZ5V)@tx|PR*7!$3Yyk$ckQuj%*{fN
znktk4wOU;(3`&l<^Cnx{a#IZC*D#<FMOlk<w)5LU>sKh~7mXXa%s)g6J^v(DM%k1g
z>%_NP!_aZNtCL@996XQCvF0a+xI5`>O}KJmD^S&ab|};|Ks|dR`)n%t-<@9Yrb@Zt
zjnNSYxCs5OS?l-i%BMp=o1vxnc?n*-y97dykhn<F$?vx^gLJL)_LPiqbL1KMlH**q
z7_O*ubX6&%iVx}Yh_YVIJJY(y3mMVRd|{jAcDsMHk)KZ#in3}Er!cmhUaWbdIZIDc
zOv!I<wfSpgimK|u4~Pv7dKYo8cK<Ags2kdS?{2)Yj&jkvpPj3YC4?VQlzQ0(q1R~G
zEoP#<as6IGdyU0Zk-t$*xVQc`q0@TJnXO<3z8)XOJhPb(Q)KKowBmsMxs<In_xG<9
zPERFak^tLAT3^y9g-83D|GwAR*Qf(BB`ISiH=du~Zwjp+!+px+nzKp?AVMg~=<nl}
z3|K?Pu*x#+QuMJ41CnyN6}~Rq@_)%WzjLxFxnC|NZjK&^rI{klJ)*T}7rjkY>Y1Pt
zE5j?r0MZHpuTi&XvW|5ARz8s}yf-2vm1%@Eox}Fv5GF`k%@Y^EF*p5H-6(z9Uwt{-
zCpg32qZ-$HxlKxT6NGi$NWJ%nt`+d+E)endev#bQdgUUI37C=MEr0wx%;p>Tr`dL&
z!YrxCk!y9#nxlk~5HMs)u`uAD@B)Po<MJTPmu`KKY$JjJYwXRk-XMc-DoJDG+kd)|
zb68aDJ+LAJn}?HzS}(10&n@(ap-<per*Iu?`<0^lMREXFr=U1M86#*hZc>&)@VPdg
z`|D9!EcYv1fgck>z}G0B*X|7f?l8RGXr)@1jJK)?#xVSaR>^)9@Ma=-M*=Gfat)OB
z249-_%I9blRN&!AFAFTM$~=8pUC=j@f7)#-F&tk9@<^LQpa|}9uxddt{jaP_6Gxc^
zDPY>y;KZOS=}GsR0`jbXAJfliFOc6YQUh2=KSLTz{??9Q@%*jN@b5p;g%s{~>gy$z
zXfP%$WVCt2LEeAWrCv?tA<r46xzLPif1|xpq~TgIonRrCk%Y8o4JyHtGjT-ST`377
zeQc&MgM#|FlNJ|IbJF96^c;5|=WwUra470erw>Z5<QKXGouK01@#2ibnRV&7Stt{b
z#{!qTITn4&m|5c~CHukZM+q!WLIy3FH)1=B2>e%bzdtftqx}FN;6Xlaq;HxT*oM@G
z7INTcw-uy|L8g=n^N=t&;`gTSrYN0MNF%9p07X4Ox1$IK!HDMW^HKCJ!zbOOYm_O&
zs!mV0rp(2@tcI7jGCswrmoCL>!K(r1*L`r+_4V5!*pYfu=U^9Aav~=eLB1eQMaG1o
zHrOgs9!U{0PrM<@4k&S{-3j2CLDh9u{wEo((?C;(7~-=8AGj?2fCV&uMYgvW<Nd*`
z+B?2$og(9My@^!O>$N?L(8EIf5y(LMk4H$|Gg-%oL!-*@4N|>?9O|6HGH3lDGcA&L
zc+LUPd@JclE^Bx8vy|@zU&?uH_PiWzdXgWctS9Ubrkv%x-1h&uD>>h2LTPI;--}XR
zHEgg=yN+m=;FJD6$Qs{z%2lYv9HkzvJeT0F4S6?z{?hV;dSTwqG%MkaPgPBQD__*@
zFOgQXTP}ZD!1G*EGk)uw-~T!wZ=to=L!7Jqu5y`_+Q<gD#48vZMi}ZFpJq1tC-f%2
z2R$?MSSjlE)bl6xi^w#|;{g}RLVR+2Bb6p*jh}<k=d-w$Tz~h8F9Ug^P*i8inoyvo
zb;!!<l1B|-_QQ41e^6zA+0w7JIw(#;;cl9h@QugYK8xkCFpU;;OA2WeQa*A>#Y!fy
zj3U(@|Ed;Th)iEiUaj$2lOe34lU3O?H<-!H2nRNgGsOCbT^QHM1ugC#-ZYG!UKM%F
z`1f*b$_1od8+<1{WuFRs*s4L+`;G~N$I(e)n+aNyi_q{onwD<Lv1rValShUyQ>20R
zhIa-o2Wsjp4lC!PLK2S+R!QmIC{{T#?F2iore9bP!5XIL$o{Il7frxzovFMRCRoiq
zIjs{iY|%YUWwwqH6eofeS%59ohDReAR|+<0icz-3-=xvZ<n%wOiJo5l<#$wRZsoII
zY3{PzW{Xc;(hxJMGroLR#^L$?)|3{Wu!SaXiel(zUS-}Y`qLzqu@75QFZ;I!x3pS;
z3KvuWh6n~Z!o52Nv<L#M@K@sCuW}yqjvVc`3q2@9(%8Q)e}I~u*H%6iuOZykoyyN{
zgmXDUtwlGWWev+JJ{QISKd_+@J_mjNg<y>FpK%aWo`T))wD`oItkUyPNykG`n+E6+
zbVfVNqSN7KCuq=TT)7;-*Tg^C|9ld>Iec!JuG8hBzL=Pl&OsZP>c|SKO@&FlCNr}x
zc3EYmZhmY~77F|m#me`U>RTK2H`l@`{o4sgeW6A#D(PR4qK@vaJpW|fYBxPc&m2+>
z1Hp<237TI4_P>0V***AZRhF|<%J9#}WWzD+Hc{vSP{w#^bqnCh&|Qq6I>d}4D#R~?
z!bB7y8z2d1*`Mg?#r0>hX=xO1@`sbwsA7HF6HXhzs@Sxpcp4pFJZM3`Vj(usFr^yv
zJ00kgX93y?SdF$+wa>OxUynlxZ7`MYZCr%MdV}`&rCUg`0d451{F?qLHxsKlta}bF
zc+}r4jtZHvKiTnEkoC=;Rhp;fOf;c9S}w6!`>YI7w4T>rQJ<#tYten07?6Yhih}X!
za{%ouOar}u4Q2TsYKuO^fLwTLEh-gNB+13lze0Mt^&j_j0}=dB(`f{L^J&D1ba$qz
zEVF1=^ONF&)&)-EXthR8UNCHTura>tGb0G42p7;1F&j{&jt_hOxG5x2>U}KSEY>Kw
z)Re{jw5Y2&SwBka`q8RC2PhqIN?Y~k`=QFu4=!SaOya?mN)$#+Fy6Y+;eEWS=FIQ>
zgZF}PKk$g(bODkz!a^$ES7D5qr!V9v&*-Y2-`H)_@I>N|$uy($yfevq+&aZ=I(NbX
zl=05Ah7vV!h88|yMRCLyGOuD8$xo#Dg~J}^C?Q*ds}4)GwcrZgbJDxdc%8?QhAW%o
zhR(U<YRr54?;7&J4nJ+N9r&WLa<s>%J;gzDs&Dmk$)&^<ey5SI&p~`;i3U^Yp(5sD
zNTLnNGiP6W6BTV3F-z;epN&H|b#nmIw8XDGM%I{v-3j&VNOsF2^iit|7Z!-4X2ui-
zO)z1}qEGkRX5%J!iXlh2hH?99CE$3bSa>Ua41u|q4YTKSD=#{KfQ(9S@y>J`CaPc?
zv3q0!8!NokT5L}kpFO<<>8PZER-cS-1+Y#_AZTLlZ2Jq-SF|O$EI1i)ZcxO5;rm?`
zYz)3)Nw-gLTUK9T%4=C8oVSL!MAEOfS=_ZXx=dC{ubl(A2z8p;hq|5f25*Xgkcjo;
zk+>!OI%JrQQoZRcA~6K9%3iuHmG<C!rTgYI4}QX~IASzI<G2ATf4&hG^%u`-Nf}~x
zz*Kq#cd1e1BvAv3Y96&VT-hi)H|%Q9=7Rkqi#KC|#R^eVvhoF)7o)0%vzzB@d>mdb
zuTTHdmoehEWmB+Wv69-(9H02sm>y$>ZgfIxdH>=W$?ZiYAoU~DHCemm@4amCauZ6t
z)?4e)8M*)Fw1{a`w4(jQ_-x9IPDntxuK!-laTbJvq@u#40;AGnwfx`8c_HEgv=TNE
zV>^vO9%8_65n&`&{#-Lf9V5Q02L`+he=suv27xBa7mJik<>9s|hB}M#*dj}g@*#B6
z-$|vG8}-CF7C&M@y)rOu%51|j+NqQRujRfW`8bB3M`J+FGA4o^2|e_r^KE{_hLxY*
zd*^vGexFKYs58yt6^!?tcdPlHJID)`9~(-B7QjIS5;D6kKaZ-oPo$#ME@E{LM+AZi
z*rA)-03y9^o2l1ad7+o=0Fhj`R32OWc_Q2Sd}WMb7%<;YtSEeE*YupTV$$Bpv(#{2
zIeoIRKu3BMLjP(6uOm!I*5ndfyMpR;)mUSi|01I|<DP@K^CH3PbMQorqnauq+nvLZ
z)==Ien|X1kneFFdJ&vhn8t(4+8C5VHncup8_Vgi&40AMUGl)hh7Nd}~wz6C93c+nS
zRp}x~?qr-AXNI52cdbaH!?vaWbXEn<EZZx;CFUpU1?)Et5sdo3SW#utktEwz^^?>L
zZcMumbXE6E(ct{nJE-ZXfVleqG4<7PQASPMfOL14bV^BgcZz^?NVjyZ0+I_zcXxw;
zbf<Jmw{&;IcdyU$zTeAl|5(?1@B5sybI#0MGjmORuT98XwBm=Z0r%?ZfjXVsF7Pn}
z*jnr+J_48eb#@#z6c0I#`O!-4*V3Iq$-F`2dpWwJIpOxW*n%v0?>h{Oo#+|k2;SWR
z`sW{?cL}6KejLiPfPN(snPCeu+Ti+-xQPIg2rEvQvFv<^=AAyVr4qYGc2Tzh?cItv
z!}>M*Tql~VpCYp8{ap1H*iR*qeC-&P1_v-Bw-CzCO8B*l?wcGQ4wA=%7P#Lc_p5)+
zbm1*Ces4=OOK#-{<((4o38lKJqgE#S`b`Bv9q5K<yVFiwEe-unHyGD#4CT{RrPyNj
zdhad+R|-Xj1G7*@Cf~{IgW|RkUYx=3o*QL6OwEgKe-x{h5xj7}QmgG-n$faS-wK05
zBb3n-qBE_*XOsX+Qo-v7Lt*#AeEjPpz22Lz@71Ym#${m9!1;T5M$02hV?)JSip5&P
z2WZm|+TF?iVTv<c&eqlL@JhsY3!QfEk{W#aOt>M5IvtY&+<O|0BlZR0MvbWkw)k|X
zI2*hg|LHpH7a_cl<Z2)AJvhq{Y(6-Q{DUc+)wh)4!d7##dhvwECJ3#JN@WfSxX1Q5
zl3|7nh6xd#q%ebm=|>}*aTaAChnH`@&WKL6>aUr^(|lFGnS79}GB<6PQL`ni<(VL%
zIEwmWq&_&u`EhoR1oSuQ59jK`_kQ>bNz?Axjb3xwI`<N*l0;1HAvq=<R1aaP!-`%z
z%A5d&D)XQHgq9{|3Z7KC4&H@E6m>g-h{r0pX4d{qRv>BuSd&)C=YGBu(Yxf>`L02R
z#jBp(1kPwis{LO<QfO8uVye)wB+NERRHDBc_;qOMkN4Icexs>UkQHvJ<G>Po?$3!l
zxJ?@TRVOMwm$LpgO9(V!`)G#xJajO`=RgK%7YQ=#wpv40o97zjv0UXyu7fPy!XS$y
zc|iL<&(y8POv+#eIZF#ZycfyR9yrmJ8GW9u=&n=A&IqwvF(zQQd6paqJD3|42)@1?
zTD}1|qgUYicy;HwBR}pnMJH;AO6^-J#0JD4i-7Ober8-JD|1<Wp6pwE(k&#r=5R-v
z)lzx>LlT?a8C9RmTWUk+-h>puUTR$vXfv5+xKjNc+`g^r7>8h0W9B%#DWP{U3lsLZ
z>u{&Xwg4r2e%2Q+pF~6y>4OK~@sZ`H=)069=AYe&u3s2X6(UrMvUbE?g9?Ue5NFex
zk4gR<>4|-8XEfX~0!;H{u`>?Utm#Ixej*+%*oXTwi{))wB7dbVFfrRG6!jLE67|g&
zlStNOFX0Naqt?tn@9MO&{pYXC;+?LZ#8>8sJ0=>)B*$;<N!`(MN0oJ#afxfiDoPl9
zVN0VCDlF?Z+3G9Vp{JrXm{j+LeD;f565slz81$rQ)(R=nNCdr=FyJ%M5yQm8<W#R(
zE`;wUfcO#sDg&A<Zqc$<y|ej|2lCD?5dVlF@=G;RlY$rzGYHPlP>fL8P*iUw_hFem
zpTf(E-3+-)Gg$#<D})Sz2~DAn=ya<mHx8Z~9yh^fEBL;EA`2*QT0ZoJk1^OIGPglg
z<5v^-U<O7WPBDHjM?J3p&nSj}ze72N@~ikO`-GWgF+t2#df5+QUZCN%cz!<zbzS1d
z7V07oJ!a5(v_3PnWZCw}GdF%PFrO8&eeW6Fz@3*m_l?7-&QFqO^+5tf+|m0jqp5T-
z#Z@<R@-y0po-l3w+1zLqvYN>@qqxDi9cl2`=BkJ9+I~&$W5DS4oN>q$jWggsa|AzK
zaug2s6Bd58uYT80-DRHS$E)5jw{Tps7|v?*u^@H_e}dTXSOqgEEbNj6c~9?47x|20
z!_&{>i<=O#1Ia;_l_bKrx`Y7tmB*d03S<p)ujMM?0-#@)Z$mM~Fy8HGGdwdB2Ci}b
zpt(67bS}@@7axb6T)Gr*K&@VC-AjaSAyI$+v4z_IF!$ai;;X-29gYR7FC1xK9$p?3
z=!TyPsf8>u<oF4>_%Qq_4SEiBM>@{ke>ku$BcPu!nJoT&KaKbD?^35SCCxRa6rM=B
zckY!J;wPFbulGeF*3174xscaO(N|^(SZ|$Q5eAQW=?@(5a^bA9m!XZflxD#=HfVVR
z9yey%m{aqrdCJ}+Z&U9l6)|O~$5>0{fRY3Uve|}^(uLSBmPOtVnna%snM;&)8Q;9c
za15`sY*^Uw7AZr$s^OqqLH&S9#p%eU)pG7C%sJC6)ew<tOQh?uR}ZZ>%op@cSMWQQ
zM6+bLtNcuNadhD>mxd?*Jg4(YF*i<yqH8<${B2mWYx5yd@{N*xYDF73K*O;y+l>&W
zR^-dIc^LAj-tgx`Kr{YxZzeVqPQGdLv`$>3%Y4w8k)t<_K?)GFx{f^Qti=U~J=&p8
zcp4WmLX&wuhq)xq%~o?z3k#J%PxPZEsJKYfG~^m<nm{W#%Z%SlVDM=L{&3Gj;E$vH
z;NHxJwyuI|Wz2&@vLbu9%UAk6KCTwERbBzg#V61(fuo3t1&<DGY?(QW{oo7AO!x3I
zm9e`a{)|qHRT0uit>%;&IQ6a=I%O)qqpdvbpZ(!`*~j(-x~YWnL(wOMKOuv<3e+Mb
z^7uydM($Itn)`_^9hi!1tk{IrF~9_iHjh2gIwWAy5avjC{X@@Uumt|9kT#K*iwCEw
zr|>}@th-9(?(`@lA<#V27I~NdJ4YMY;)|8p9Ooi$noHWXM(32t$=BI^YI7s~SzDrm
zT1Hfobk;X%mTq=)$nJTtb(Y(I>=GxeuOdF&SNk6a3oJ5p@p!BG{INyXHcH%c4yrPr
ziPpVAC=c`EfYsLbDlq(BrceZ@3pJ}V;y|GO4mn_bvOGZjnz`9=(u9z!O4WJnqM3xp
z=I%|XLK3%XHUfj0%rhYfR>}-nMr~Ez**qRxN20H~Xln3|>B~t<#!?FDGgZ-)DS|rF
z8jbvnWK3=M)#ObWqhUtKSA6{m9!)wPQTGdpK>ABZwf$NJb>bhhUJ_Uz1eD3aj>kr`
z;+XJ@(M*n&EU+`3mC;xHym{Z&go}LtW9VI7MjJh~>K1pM1m}>2z7?jT(QF~QpU;tD
z{N*BzliK&rMRBX#c{|$PTB?fyY(Bz0nH>;wXg6b$huk0kO%21NRPRIAppC}08<MNv
zgm(@<9CiBL6B<srUowHfB2TVRtyyjVgtNx0@?o-=7q=}@p7F?F`M1T22bJRM6!zLb
zmUaG<qVM^Kbe4SW`2<FNdtmj3&+5uhfowpx?@UG>tXz``5m1==_s^&F4se&@JBubC
zJAYNvIRK_|_QV0n$_9E|K#ifc<W{sJI!|?V4fNQ&@*D9>U@2eZV+s%yYkPk9Cz!P`
zf+;X?{5#=kn~#UZ&Km=LyTb=l`QVXPL5H5GntZ;_JNMVBBOu*nV80boe%yd9>>RD~
zBd?ne{2d{3Lr3;PSP<UTj0KkmxYqMK%&(`4P%}~3lwyR%=S+xif*#yke)vyJ9pcop
z&xrQ!*Nl{tTz@08ygIg{>p!Ylk;Mgf>-3Ku605PtM*XOK`)p(Yv+B0KheL)Tk>@#W
zy7Ik%#maklckj=qLtx~|7OZ*kpc=!Tl$Eb^{0EdE*1T!#&ZQACpg;<Vmkd8=*(=y0
zL+YGpK&9(*r6uCDz8m4rjf3!?<Vf<r$yMg-a0(Bcp<mQ-fMuhYVesQ43ogP2%=&=5
zSzhnz;v(ZZQT+4s&M0Arj#!g;)&9FToeasH{bcs#NKxut#jkNN5e|BV7wlX576<zC
zD&l2`Gwy{+h1Dde(|<Dy)_Nsh?KbWegw10zJj6oG>9Cs1XTsU3S*ouv9hw{KPuD1B
zX7vaEcd@cw@0qns5G&?UV1jn=Ex9d1u%4j?aKT@RD8L|l8-m<#i?e%+e*mZzSR*Fg
zpTJqP`dqeqpkHL#e!xh0uRlhPjJB>EfpeS1UBvX>?RQ4Z&x*tV4o6xui&=hKqL<^x
zk*|N)^&O?KE`?~WR^+mmBS*g<BuyjBT=zYH?%VkFseTFjSNWAL-AcCG0^bi3wly5W
zkE!2mFn>{|SP4RQ=mhEL72asG{fuAU$wa>1cLgN0BX3KoVsa-XM}73`V|};pzqY3(
zW3D;u7ql@Heqms#+<OGIv5uxcp5waSJ$%wqNnQp;HhOx$c}X|KE@<W6eYrDTK9K(b
ziCCEA)btTWU){y;Id`)>-OZZ@;|jy`n-07c92)ebR{C80e0fNDno0?$g65Oc_Bp|W
zx^G#|%_7@dA+_jmw=?8m^ta7Q*IK{6?8vY>@u%U>cdB6>@HM+v?$+e~0u}8bhstAD
zKAU41TOwkk^+=9Vuzt-U`KMuqD|Y2Y3vCz!wbJ6^&j5yeFzw_x8Q()EI}V?o?QGe^
z_e}4)W}Qi3j&QiRDSS&kOX1?tZe+y3@~+(=(dTuUcO09WQqa0SFC3rP%qmB=MdqFm
zf@CXw{y9MYOm@Z*6wOw7XGTAhMQ(W%L#d=QPm4LzN@}BH@yR>|souJIL<pl?(N=%~
zgIl#o#)KEWj%797X!Nm(q=kdp=!qj|HMJLG?)DJna@Q_gZQEpy^N6KhB(5H;YNbcV
zCZLzDGK>d!OwKmf;*nSC^+$^#WS+j;*}R>F{`Z@2bn{}d;9qH3wGaB@2!bhOwVJO_
zVu`npLzo~M9G{q|wI+o1Y5BZ|;^XqH;$kFVKy&3kCf~>lFK!n)AL;fdY0Yu^|KjSt
z>amvM+%nyGI5|YRWV1~%qrXA}Fv#G*Cl$W6!e0i5pF<8rKjd-GeEqN`+2QVNy}cD;
z5+oc*OIxBgl{Lct#P@Sbn1fG%FLd1Cf%a)@?ww?T2KUbE-R$sLEvRMHnHd<+dlhf6
z^IY+W`A{#_u&8*ka=)*(ksUM{uUOz%KVg;K>!c32^n=}qy>0RG+})j@n~m~B?*K*-
zR>|%8${fxm*5Wq?LO5|NoPDH-Y4vIOLKAp#G{G#H42%4?f~l^Cu+UJkeB$F>l6QSo
zpg_S>ug>IK@)OC|80sBgtKuNPN1utgx#%wi0dIsu)G9Sc&L`B65WLYh#KzzD)_6~Q
z8X1W~7z8HNeh0mQ+E##j#2|HDMh0RCqIccxiHHGCN5xGJH+X%@wFZCFPzIE=CJRT(
z#fO;cqt3_SOzsfdZv!b5B5+`HXtAx#WwC1;<jQ!b-<Fg%c+qme6!T6)+u+uPEQof&
ziDmAvQFv3QM0=eRwS5A!z|eg4e)DtH!Eud>?0}cLY|S{HB!}p!L5x@8fOR6py_v@-
zr$G(_sI|2ez4am$a3utag<fw#FZe*YSJ#@~OIG!lK5XB=k{uySr_B_vhZOC>l!%xE
zNDxAXj28DT#jICSsP!t5Teu*TP#XCO&}XQk%sPCab`QRz^`#+n3%DV)(M$Jk^-J&8
z`7%n{IWN$Qn(qq`OJVo=!rOl4@rndwx*iuO0cWV)Wu&9OEXH$Pnbas83=c&%8U0BU
zKbHmRnqO_*rYxomiZ@;Ut`rAm8NW~N?mn<ZxtV#AV%lCjjr%3WH-u|zelsU{@{ErP
zT%lt>kEf6wy3}WC9HvlC*e0`2?R;}TSJ?iLY&BR41Q75iCDXN5ld;A>pzb?Y$fw>+
zVDsP)MZ6>pMWoT2uuN%4j%;672~yZ<RdsHQHug7t^nU#oc$akgf_dsQzT~{c2C&nD
z{NaGQx%DH3@_vq&qb-VVkiHMCzw5oI$>A@u`DS}T|NH6F%?I16-r!o5K99<$f7BJc
z?JjtRkELjhFT2|7+M+F}MHxTQ*Pd5ZHCjl4g9O+e`d@Y$+;dUR7StaL<$GX9w-*_!
zaF4^5(7sn_TcJ@a5}E}4Q<tn=1I%vedl(JZGTfH9<uyJv(wv|SE|~|)p0I9Z(KR$i
zGncJ9K_n8|`bQ^1E6c_{Q|PR_L4>p3>2dxBh0~P=3dFBKy^tGX4`xONS>qimK~8OL
zPh*M@kU*@(0tYpc!i^I_Fgnm&Z#%KD@Xa*m>s&gB2R<YiQiN%^T7xp)aYogCwhiif
zeFm*{pRD-Qcn$NAo*eRSAOYfyu(%-W66NM=?WT_tq)jXmr#wEZC+*%-AMMJ|W2%9o
z*K?CL0%t;l3DNzm*$6DPJ~3pwj0D{8m3Vmdc_alslUOc}DO<u&x?jc(C9(5ZgUH?)
z@=;LSulqPJ+=9XlT5gFi6`BHoiqf4{O{P3u`=^C4bzJ@d`U*kl-Ap&)G2z4at%sYu
z8=}vB1MKz(xC1~1DR6=XNRNA^w>baY`L&p-9P@_q@n#Q;{_JzQ2CwbaAmVsQZE@~{
z#X!(BJgkZ5zok|d>xfubVmYcZYxn#d75eEe&oc1+7X9`g)dm5cjvHE@-GI&}xizNe
zzg**Qpc3DG3Ia+<H+@7O_#dKCjc-?<8=p$Eax_Zr3=cWY9^R)rEi2fq{36@UaDnGZ
zcVlw6J3eka?UGez!S~$-#%D$fBIh8N#tf$5GMf#T;&v=*@}aip;8xfAONi1VmS=w4
zXy%qSziS)Y^vs6XBP$nSaX%<4a$)`VO=>=+I!45wmgku_c}>C^IE38ri$)v1Hm_R5
zp0Ub>k*}si19&8%ISzprm*xm|8LIbn8$F7%cu|hpiU&;;=;3f~WmlWuFQK7;s+E2t
z&`lhKA7}L}3S%P>bdjXfWQqik+T67LDNqYN(@yfmm5oAOS3Z4`Y`tFjSLZ8ok#kFh
zx_v7SgqkS)JC1KR+CQ;czh92QyC1Z?6K$O>bK%kUs0_cVTO3QO{mnH#kk!FUjq}Y_
zWSS0Yo{7<3RTwOAvm~B-n6-R&{9S)8@%--ml3@xRsq(1{1ACeW*d!NnBcflM%`Xpi
zP$^|%iydk78H=9b+^tYYL{&03In38L+)ON7%rp6GIS{<5dR9B(t9j)Su3CwB>gE*x
zz!uEzYVyC#*OYLv>A$AvgsCG=H$4=!V?!au@^#UIZWy;@fqh6Q?E7rg9!9BYX8%Vo
z|JlXuATy5WX`zRsU7mPgeY}9o1W|(AH;JkonKnlm>b*7q4C(W$&ym|Gxm-G=sSp*S
z26^9IF3)@u$T@H`kWAu7sxXJS&hU<V-)5kTxu|+o>Ctwmv8ILzgaXu8*tbnL83|n6
z*$y~HQ0-I9bTbWxI;qDq;XnDL?oK%?qTs|?9QHn_VjKn(O2g%Cu`#2rDK&JY?zVej
zoAm^v{Q;D40K1Ln`Zol!?QBu>$2HfZ=;Kc(d|o@(R<l`(R8*W`)1{P@vOxbI<{rfS
z4oHHp$_;LQ1?CF{s6Q+jW+a%QZQ~lWBrL|09%}m3F(2(^rSgTbfs{UG?CCLB6P>{$
zxbKr-BlD;)A<8;eRas+IIWK={)%-_Jq($vIrIN|tbCJ!7J?AH#%#?>sau<}t&;q6T
zs%4;SNh=RFfk03{3p3eyP|uq6Ji`gPjDNAplT)n+d*O<UhkW`v+q<UTJ1pSzlff{0
ze3--98xTFq2>ThRj!DR!hPejRgHVAg$NHoV%=~d5MxKZG-g2USmzlh_w4pap*7Zs^
zmo~5Z!(l_8CxFrE!OBw;$UzoHIYZO<G&G#QfY=RN)b%zP%~K)9%Ark6L$b-LrzlJ@
zwcO~hP)K{nawfCwgt_I&J7G^3S}Kb4-y_BHza^Ew#PLO)<9)ktG*8}*W=8hAj1S;A
z)ng`)qv<MQyRZ9~c>pGFf4Ht<{Qh>G0sFFje_s2^ylLxi%3R(@5TMupE~na^S+<4o
zC|+S4qA?N77VMgEM}5-br^f+nU1nAywDXySFpdb#ad6is$6o0Mw~W(M+lUv-J1yX?
z5qG(N=)gh&(sI^2j1LUE(cM;Q`qWu|zUxc-0sGXOjXLF?DY<4;kr^Qz5lxiJmWgr;
zWpVZqt}`kH_S;P!j&cVLQ=sbz4w4a;)j9J7?RZud``?{Ep~o8U*GAGA2}Lgnvbaqk
z$6;Ow=w(s6E<k-PJS9)34#k{X=`mb%txYx4OIY`McPffK2q|(d=n3C^Hy<f2Zi<7~
zW%7eAn~>j*|0mMG_+!{jor{xMgsdft)Y|EhYxDxzLB2v{73T5}8~La~VS#G`snmBT
z+iS_4qr3A!&OyJx4)S0dZU7idCQDF3nsaV|MM$Ks>3kl?HYx3g9kZx)aJd0^Q6F@!
z`S^#4GxN*qjnzpdJdc2Ap}Jf~>-*3uM7ww)Q2XWt2k*9?Vwc>S!pp_<>jFF#FdHy&
z`^79s6In(zM$TK<!69+L{sX&3O4H{@oFEgLg0stwUoS%8<F5D4sba5}mHFjtihhC4
zN`jZE>h#_xHm`GEv=o2K4Y;0wa9lI@wp>G5<hvVt95DuD&Q^xo1<+F!d{Cq@>Cm|=
z$;K5jE=~eewOSpd9^HaD=!JNlY}Y)!zq;0;d(Y_-+b0%$c1;&7QT1ak`fSmYzIPYi
z>AQ?Pdb!JtPUiCAsFF&3VY-Q1H5L|hpVDEGLrQW!ArgPH`qk!jT8`<ty&mw08)+Dn
z#NV3>3+%MPne6JXHJi6zj2oFE%V@AXAj`O|`oo#|0m(VdMA2Tv(be9i>gIo#pkZDV
zePRz)jVv<j+uDWVPy^#fVU77NMs}LUOnx<)X#(@ZZ+`vzSE<c_*qIs;ye_!*9R8lf
zB$+5mMaPObRs3u^QGG=Q({n|(Uy8=(B_<|H7w1-}%)3pSS)qSMJ{x|WvY5gME%j!x
zE@blCe}0Y1Zp=dCMxO#9P4_>aHW|qiTE_i%I*33Ov6=`@e-}FXCM(u}fTTDk9d4YK
zFLIpflTbkMQiDw@=wTNmhB={#luV^Q4t>B(INMP6Ln+R(a<HN7SQT?IdTG<9u0x5L
zo0?OL$l<CWks`WnMBfHZfQg8Cf2LN)QNhllVc~<hd3w=j&4^@FLG-3FWj}%dDA=|8
zlUI_iUz}R+9K;C~>o%H)(!^%EQf!NMsSgD4in*&V<Kn54gbuyil8B;fNf*0P?Z~u`
zddXa#d-HpE=&Z|}RWoy|$-Q1uwb)aKH0vvuIpDU8UOcv{@JgS@x6XP%UlrE4_Vn-G
zxw76%;#y`zXY=)V06r4?JNcmywUZ`<z@@70iAtkvb~m!Z3@`3nM*2IIw9Tyc3y=#g
z*k;*nWT7>u4Y}V}_nIDTAycffM5z3*??s+j-)^Vzqsg{!Y){}PU8eYu1ujSGv=)YN
z%ynU(_e~ln{ndLupV2K(GxIGzw`cPpDkV?imP(0PUl|3{82$5Mh0j+*Rz0dlm)KV4
zqnB!NK5LpWX65$f_U(evy6CnGT{0=cM2cwz%D4{xhe_)GUQq}sjWn~+dHU(z4|vJ$
zJJFLIulBhBHf|z;g=?8@_Oir&JVIf1u&<pxb&HBF`h*}?`lfvv|7?IX<|cf7GiiJe
zPq3l9#{aViKG7{v+!87^!7=6bJ9A1@62nhr)A2I%wBx!}X7L8i_Kfmg=iL`84U`9S
zFIYcZXQ+-bJJM@uT^A$IkYh{5W124%Hj2zx!f53f$9_6JBYeX)lgU#BB+*HRju*S&
zEN`+>2F6B*h}hX|^Gf~vl7>&-{o+TGeh1i|KhEa^K9Nb3@KbBM#*~e&?(SeM$TmL0
zAVPFq4~ViU@ipUvIvI$fg&rH)uX}qa4rMc}XlIhKM4!zxb@Tl(y&ZZ;`NR8AqoJQ&
zfTCuoC+3jFU(^_EC6kH2EKK%qf99&x)`#|ocEAn~sJ{meCqc);oA@tN$o|}DX?M?Z
zEq&3dL5j&HbX1%&K_1=?2z-@6j3rS9*e>AC)9c!eeJ9rPZxrc=f3Eis;uL$(Nj%a7
z*Sp*6H8Q-!z2OUmn$iT+Fl98{sHf^?7!*Gz!;NYt%L>(D$Ts+YSixr<k_J2k$+=C8
zY?qA|C)Yz>ER5sJ3X=ZQD%<Pr`iEC-&8Hf}eED<H_UGQ%;IqYy!-e3@`69dJo{>hb
zZacEfP4_|1!0q3|nF6y3CnjK+YG#Hv9ivvY-ggBeHwClN6j6vt?B-NdQ|{-MMm?<l
zPiFcDn?A+#*GR?@)93xe{M1qw(sWN!Sv3Mfd5H$(^-tAz%O+iYs-U3+M@*=1tI+#9
zdVKDl!shbS4nOm`6?`0_pdh<rO#yK6x+VRnuM@hh1}I2mBM?*W`aTzK>8@<x=ICX%
z*XT{{bE>A@Z6H%i`g^6Nj_Ua4A1obNT`k9A=`Aj}Wm#IW_NO5Bd|RdxwmBnt@{FAf
z&l;;?s=%TYcIPt--I^!s^`*y6wCqMJPjM8A&ELG4E*YCOK1%z;t2WecN950-z9lU~
zF#A#j4b}H)_fZSbd^qF>Bqdd(pgS|os5_ieb>{v22(SpprQA!77j2bnQKYveuGTO6
z9qZK8M6^y$w-FQN_pS!J2_*G!Ysru7*GAN&^TnJkq4D1advQRdzZ2Pe>~Q70okd>y
z*aEdBp58}#oL`F8z<v`gW!H#WdFkWJb1~a%sotq<A%4F}7cKJy|7mQB4)N&o7~wtt
zUwB5vB-cmVhWs-7R+NMWM?*zj+LEg`YHYm!{K8_#{Pv%Cnxe<i_6rgj&5k0zvE-_p
zv}OvFoB^A2vIggeUas;2fn#`aKb^*|#G@)mlpZFqKc^y7N0w;15B)AFI=bof;QnJp
zkeOeV6~?r0>t-5iguZ}Xs5@5tV=^GC^88)*o!DFvsGgVFO;;A`ctrS2A4{2mKo&Vo
zd2V7nL<9{6MCooYhg$m4tKfW^%Z4`ZnRxQXY3Ucl`b5t0&!C6^bDj?@sMGDk&c#dy
zXSM6bnslp7RdO2lTN7v&dfnB`Vdt>IUa2NnmwwK$?X10MtL51YPNp3Qr&!e?$iY_@
z3FOG5rkLB@HTvuuX0)~??fP=?g9%;L*E41xRId;8Y*z>P)khV~{<e%D4l`PainJ_o
zoKC;rXAn9+Y#WV@a*7WJMnj3p`!dg^Zk~U(mBBEj&v*xa5V4c7U_zXnAbbTgoUhW@
zeP$Y-X(NcS3eRcFw@t%tKS<D_%+1_=*Ii|#Edj#Pf86pRAkw3vxZO$`?~Pq#(Dv1<
zD|7v_!j1EV=NK_?dhG0}I-bvbT1?3QQ1B)?D|aLI{Q92_OYaXF^*Pb@7rGee-$)F5
zIUhDNRT%0_8qu)Dr|%>Mv~DY>XJkNK5aUz-mZ2qg`a<@!42~w<!vGtGcB=31h*N{l
zc45G=8jUCqW#pVle=R=}bIMDf{+EyzM^uDXeyE%q{KAd5>WOL6I_1+y5iN303Lm1-
zK3lC(sW}0BARp_~^(%o!{_HOoNsZqwIk5kN)ZrreU-)K<&z$<35m`3~%$8`kqM|qA
zU17iz5*-{uuPXDt4<jQubCK){XN4*YT#Ox2mj{!J-1!0*OS?e{u9J1zPj~%^@9$Cj
z&x5l>V`5^Q;zP44kyuK`x;nJ@h+Yom0<zoD*?Ww9dN=o|xNtTf?KL#E2YWr3FOUcC
zj1PZh+?|g*c4AaDp^LWe2s|AG3s(D_La%)?@J7Ee9aa>aob%{yut_E`TKwii;oHp%
z54G$$+(s8E+I|DSd^-^bKuQ3CXFsclNNApHh%Z}@L_M+D?#VNdjF{y}3nb@tpZ=6B
z_zXU!%9EYK`(r_*d}loz2j-5>6Vi<3*RB$Fc6_t%8v0i*S86t{qHJdnQTsFQ&^(<I
zvjJV~T>|42`T6hy!CKp3b%ZGNWuHsd>cRjVkp-F@HnIHrkW)PhH&m^s4)N6S#r&ex
zG3PMDCGoasX`kw2F^)p1W92rUv9U2G0REX68&5QF0vs<_q({;KcSNr<ShCFzIHWw_
zp^E!CnwtgAGb4<mMLkdTYK&j(mc35%_D(4vEEA{+3WS7&y=uQtl=9y@)zU`nZslrc
zMK079lGL`pP&0aXxkE6-TZ-OHKjA(8`G_wCn~iJ<!+c&V&UX`!t5Lj0o+7_amjh+V
zL1Xg+&fv_z5a;3sw)(W1M6v|D2E|y|wvb14KuYF7z4EF#m>W-MMe8$h(F2{Gln)OT
z5^l!E)fR2Qc8>iF=Fd~<NA_=)mT9=VoOsaiShdb4Z}*|qiov6t9AaG?t%*>JrkRY@
zV0bX!mq)oSSe((J%y5sHr0&|*_O0;Rz755?gYRw>J8<i@Hj60=R7iWTOcF5onb5mo
zQJjt_rR4aH)yVI`jiR-@sQM~Y8^Eg9|MoXck6J(_*~cQ2My_rJaJATYe$efKF0e`c
z_P>m@-4#0~C>Ch+8QcnoleOHK9?bmSJ3b!Rl)gMWxKxp?QDZ;hvG*bZ=rv%0Wrl_#
z>!XT7N83QFTKKw9Yf+7fm)77gfTQZzo5m)Dv9e;oH{pWVuzZjC&indP<8BxIk6t7Q
z!B{_|t@BgrcH{9_NcCx_xKhegWP3ZcPK_Pb*qRfQp|3Rpx#wTT)_u2K(~G|jPdC3F
zCq4cm0(7?kQIM#LPAv?{m`=1pefZk4HwAFN$d$z{Er7}AQ{&^yfEttb#O%Vi%P|o+
z=0sM`{ioST595VRIKJ!rEoi8Qm1lM+<NeKh&-IuhO!&6~f)RY2?4d-{h3m=$86f}+
z2iYEv6yDed24uyWrcg+R9$lZ31uf|^eN0fuy`MfQr7TBwb-l$!fonbaXlbIMP4CdS
z?Eo;_22hH{LM7P15wsuJu_W^@<(v0kl{CI?6rH7Bj(6r)sx12sJo6pr<5b)9VaGX$
zW9pi%RnePFT|}D>{WiL-Al@u9dX>GlGb^Tu*i&b{TKXZ-uyZh<ic{J0{y#tiJ3i5p
z+lu}{%HfU>`kN|Gn0|ck$|V-+4KvRech1zX)qBCy#+g^?&sT`blu}Z`l5}b$Tyf`h
zGk&Ww2hCS~9&1YTd6LAhc#WC)!#yVx<!`&JV!;L=eGRXh%QPNasf(wWCP#o&ddcN;
z^X?83OnS?PuOp!ycxv@fecul^F8Wn(jVWoD$D!}naSOnc+(t}aC5T?8&C)eJ?kFQ$
zV}%>?{QRczvVFj5Dy+<Tqin3d8AmIpp^D=1hN9QGEHT$dBZ-0qom>Dc{ODb6v8~Z7
z52nvr2%>%?>%0l{95r7;4-yacXnS_kVRu9)_j}?8_IRJ*>V<B(Q44Vd!B~%(YRA{8
zD5`Gu-Y5f~kIk7&U;v@?+|@ITaHB8pe)6h4|I3xe4savbEw`fi$-;wIMpCBFmisGo
zYHb(++PNJ4l68-@bMKL4ky-g&lr*F6E9(#Jpc9s(#Wsp@$Hj1f`60Wk_6?ikTI3~f
zdbrED0MT#~OK&ZkoiuLn-pN5Xus4F^{#10?jtRawRM80w40)(_zT_Fn;KI2Texex@
zuqS&r@5J<{${@1s(WlyW+@HnZJ>=HG0MErHYn3Pk<Xe#WyWEPDf2yC!-wxW+S{I9M
z=Jo}RzlF%xw2DZVd;=w71;<%8fm*sVyueP!XoF4YBYER^6qoPF@5h@JXRbAaM88^W
z*p#i-(7_tTV|VWK%l%Z7G}{9A2Pqk~FYa^?m!Fvj*=<!Wdhm%p5s}Q9AWC6kr6kAZ
z>=CJUC&;vu;k>$U%k*K;EBcBe<*L&Rq$c(EV#xkYNQ^N%eF<dvIMn!@8RER6?6G;{
zL*Cyx`SxhJZLM*kwgW*OS3q!2>zy8WEGn0OJh$o<vGVzP^zNR`QO4*M3bJSRPPB#w
zrBQZM$zoe>P6noEQGjg;4V5fxD_}92yps<Nb#qJFJ(&lzV@UM*_lz9btggu}@uQWw
zKm(s!vq>0|ou7RuXPFUf-OCGH8SFnjpGpYM^0Ew~eaL-D%e3Eh?dzt@tqA|V%M!6i
zrc*wU0#2^XXJN!{sNtk{uu!n#0AWayv6B@d+v$9uMhSSA*P+jicO~o)<U)Xcb(Ooj
zZbB+75G3)oyBp30+|g8PS?I6?|CLMSQv^V&2$9lS6}?@+w>b;n7@xMP+(|p<Pj?hq
z-UPDasE&VJQDvY!%Pp4YZ^=i9I=a!kRd0}QF!Cg&LJKpJwP=fR;8h?lKP294Ad1me
zcxoQSSz8-aNM3E@#KsN_4MlCpr|YXwXx<X*U!N|&+dyl$JKtp_x$MPI{rnygE!RJ-
z!2K{y`o+dw2dM{Y#lS#^4-^&SHc-`DiWgClMk$6(U#xX}iO)Q1bCBqiRq}x@&62(S
zKKC+xmqEtFDyoN43<&4#_6wmdUs86~mBc9v5U?f#q-vG@x!+w}daQyzs0xr%c&{y;
zuX?mY7iG2nI$;g|v<=Ph-GmSxAa70PwM>-X9omin(npwZBW@Bey*0N8XB)$Tm85<X
zxpwgmvD<0u_Lz!_>bfs$SLb~9=cs}}rF%pbAyx@(JIq3Y>+^l=J5bCy<NhzM*bC%i
z<0};L&!2m%5U^rm@R!J+#T^@I{e%bWIYfG^hFOs2&j)KfH-u2p6Ci9#>COjX5Q5xa
zc1vLj1>u0Eopd>4-x<$9gYxvB)&gkX0R-^~MNf^XB*Wux<wyK?$r1KT9uN%yWjs*X
z#^+g#F`QIP7O-sa8Usz*;mtqBcP*uq#sjDK>-fDpAQF);FVIk({R9mgsYc5|nSpIz
zy~r)>zgy+~O&9<uf@^H<v2l^HkiWw~zL?(n!gsU+!bCv7$yEz|%I1`hg~brQLERZo
ziv*ah049_yd%Z<CaXu|iqYT>XBfpIZ@--Ey{KPw#$VnFe#U=U|ecitacpd&yQZjk1
z638+!+A>pUVp394pReT0BD%d#-hj9T%gc4!2_d5G=+J@zG2@n958HH_tweym76e#r
zq_-k>e9bK_PGg_wH~K0Bon}?5dS+j}-;~ZW2?)-zP5~>SBDn84lEq8%>i=xtcu+LA
zktj&s3uwq>y&qw5a}`|x*W{Vw+)6lwp$pjwXiq-f^GRVOLl}p?N-yveSK-Fup+gtM
zio_6pKvgmHAhj4xj{;1jt-+YQyYqTp(=shNauh(hH?A*FS8o?&G#;cLI?Zy=<-86;
z8M=*GCkuIDkMUp9*e(7<(|*1Zc)HsyEguuQmJ&_Yhgc7QiR8S)NWTgGpwbHv_zQJ7
zmz^qM25ASCi!AZtU=bn7pAKO`{z}-o%(V?^MOOfH0nt8ZcEz|-)JLh`zwxD#-_34~
z<v1OP*MfFpRTsokvlANRcqL+K_?A6jfwAong+Nq}y@zN}grT4Nj$Zy!-%iESs9t^u
z7de2F!4Ev(?}J_*8s_!#_m3x`eVFTfDo2j=3THQEQa;^QW^j725ElYKGsO2&NA!!#
z3k?mGGuwP!WY#cx;<S@~Vy90fwdDuDE1e~5SbJtaX+Pxv3{k)-7`bH21t@Z+i<%tG
z9eCx_DUl_m)c@)MQM*={yR8i1KEU6g4z@abcxY%H1KPR|Q3a>z9aaNXw<jQ4PF?&(
z5Fz$In?5`X%z7aX@qUDS#{Hz<r3E<wo#vjSO*WqR0mkoeM^*^N+^y4>B@iC!gav@G
zjYmG(4ep|85HHR1u7Q&`d@FkG!45nU<J>)ZR57vK<`LnVzRs28E74*Vwb3lC3t$JW
zPDj8(B8cm3;ahidXcuui#L$_U52EYonKT@zLi}SoWd7TTdmD#;ze`LF<#j&?q@cld
z^L7r1L#0LhXI5ak-%XGk0{=zDP`nfxck%ZBU=xtFq*N06;ttdp0&m5nKKywDH6(m{
z_y5rXNWLhn$>v*Rph^%{yjXIewE+qWzQJf4vV2OO5GP#&a{HjL5J*}9P;7_}Ah$}o
z=ZvVw4{-1vPxB4<K<;fd>d75Pu=_I%1Pz5iyZ^=%gcR`KFG15~-Fe{_R!Xkrf&Nt_
z!dB=X`CO^0B{!o3;A!iBmlak5Qb>syFaae#6KQQ}Xde#_p?HB(@Tp89=m6v*M-D(D
z7hQw_$PR+;x$n#(<~ppEK&FX^6T1HM^qKD*?cXTzV)N_Y_MHzz?GG-Nozggu#!3;<
zjjZyjZo+0Y{oPtrJp=$kQm-3FX8?EdV+JOO)R&K!)%_PobPa!dQxx>v0%$d87$8Fc
z7D{YQF6E7w@t6UZkBrt0_$aO5f8_LEv^QXahb|x>CN$(Gr|uSB^D#?CWB;}S7)C#>
zxCwGD<KZO7DXYETPVRpe!^DpI-)iUBE73rL#Q_r{K-L^&3T7l;@Q@Gw&x;kO?b6`1
zZH5=}Lj^g@LM%k3HBI0rA%t6g?d(CcDl*<dm$^-gdiML?pW&GEduhRHa3L&f<EL|K
z=x*{4PhDzea<H0y4;BKQn2=P<)^K>yinB2+P{%aq)b|Z*B#t7w-L~ZT?%X*4f(zA|
zlA0V<RUZ<nf=CAN%t`TBPfj6QSxV+glkmZ4$xUli(Wn@(W&S4dyM7;`9=t4y7pLBD
zSYQN0{hqL_tc`FsyaB{MF4KD=x+l+I#&?hk*Z(u4fC<ij1rGncKjbMn=Ko!Q|GiFP
z_+R4TzY+X*9Ety8*Z+G3@P_q2>-c{z(v|s-{QUpN)q(%B=>PvBE294lsGEUa9=o-A
zpY~|Jey)L-%WmNp4x61fl6>sH?eXtHVCVl1EH7O)%adGHxPfT8NaehuAJqlmO#Coz
z-@m2Wwhq}U|9&*~{{N1#?%V$+(D;^_K{|)<IIcu-sS0C#D0F@NGthgJ;RC@kLhQ9o
zVrljO_I2QT#t+TT7tP%Bt!{!3j|jd+|1(vv$$tl-Tx~W-{#5k(0@r%@oYjdSdh==7
zYdlac7M6t9zDxG?sH(<!8h>q=qsDsJ9Uyi@0vOxRDpGg)lHAu<5wh5K0aa?cbhE;c
zFdWt5?tHa}>Ckj3ZnxA<0#*HG!4z<?fHjzgK>q)x(@pr_)tsP|l%#!H13l3-H#eWv
zv%RXOcWj{gZVaz=77`eJSx#WagY-q<i-K;8JDtesAtdCpSw=-msCEQlJUq;xca*P0
z%f}jzuf72+D)azKr=ws6TGBoKpl{#A&9wdp;mHO}S^zgmWgkvJzBv^Q1?+Y3J)lI_
zxp%X^jYXk<omyB50gMvmMQF&Sz%5WwQ8$6KBmiURk7~(rLV$<QaK!?WegKC8yl*N0
zKT`LD&U?3I)u+Vq-yYivh84?hA761QbX>xPG^Ys>eTG{FdJ+s+7nS!w*!Y*$T;D<%
zvI9fBoiFWg*RQKupoE1(&YBcEg60gJ(CGjweF!tuIOq{H;d95XB5Dp~NFMt8UT}c|
zZ9!gd{I6<_ARTM^KZ-WtTV}dr103G=n<RV!p^*UlRCqxIyG#FjF=psfuXX3;%g(KN
zz`R!#YQt)|CGGrKfKqM$=<x63R&&A3wJU7EJEza|wV(zv6=XoKP~<)bUZg~P;Yo(8
z-+{ag<AJd@&!_!JK9kWeM@t~gx!0R_t&MI7kc^gS(Q6nw)y$w2z{V)lJMEbsZwuY!
zb?k#k-+bJ7UW*Sl#MA&}kHoPZAzJue$o*9C>p+%2G+SFMj&KON*?G4YL>?hF7r<35
z8x0)(CqS<n*S7#c*6%Xl&`o=!@B|tdQHnvqLeDrdeY<z=%Pey=m)WgMaXVdPbh#Z!
zm9d`9f(Von?q`HN)mR;C_>=L_Q#r^H#(~Z1x(shImK=p<nHfF~Iw!d^GI|oo^mD)|
zRLu$>Q>lMbjRj%k1KposoVVY$lJUN5J~nPFo|@cGNfQz)oFbEwl1da{n=Q`#?zh{D
zSOQ!;|JLKks&2ux3*FX3dxG54K`3&NMw`&~V5d5ZAs@!6-!93SPsb%ZX@><rxzB|c
zOR^{eeMTcZ(6y-(!T**OKt*DZYBfqWfj!eX1^7dNwN8HO|0vD3-#hDhS7SMPiCv_W
z8Fc$RMsj}AU=*}9$MO$?Q7Z`o`1YU!C23oCH|MrIRv!dfkI||mO5$HhhbU1sXX{E-
z{&SeYihFKb*9J^#SJ!_?#;(foe5#x63d%6~Q=XBNm;o%-1g^h_0&=g=rAaoBnX>kB
zpn5*b_Dm)qC;<FpfZ%*1`j!4@xqiSSb$He9@f(!qQkr21JL)8m*c7q$MZHI1D5K@p
zZ0v~0Le|W~gCLP5H5%~n-ayf*rUr4BB@*8<C$UNtXmoW+hD4^Qo^FT$n@Fe4G;E=u
z)_0#ONc^ktqYo5R1pWxOJHQSrh6!7&WqP#OLID6g62SeSj34S4lX*SxQ4Ib^O`NMF
zYs3?k)OZdDJW*QTePCX%Q{4GwAv6+`ML{7eKG-dneC9-UOZTHrba(51SRn+M<qzT2
zA4DmZO>bRZgp~kWE)Zy=a>reEHV3*#()YX9R%4LzygD!PE0Wus7YW2d+AQ@eG%3&r
zeAc%vhD-_S<~P0hmG1zT0iEoG*TRG_JNCTrK#lpel*JG#bPHJOY)t8qdK5-<=Gjt5
z^X^e<R2WUB%8v3YtnDv=dZuKmyXRH;AI)IM(fw3UXf*3JBruRtl&!eVv<LnRx8L$1
z_vpUqly106K{d7!StP-f4MTvUKLedD3a1w-F8O=fHHVk;bFYx_&Q?(mqdcH7&*f!a
zvlvGw${%^0Kd&>q46i*oKJ|$Dp#aC|(Q++8$m0Wt&mX0M6#xj~V0XgpXy3rsEc>|p
zy1q4EC*6i<u^%f9=`PcLo0pXbnE39eE78MM51$G(DqC7m$ogOaSDLuC4`p{lOts2O
zUEy@YA2`HOhLcM5GNaMaH}`jW4mnu+r^oGOEM-G3Q3s@=zxCFYe3%d}K^bqahI1yR
zmd6Iz`<ZhkAUyd34u1dR%4su;dmJrBv^~yL4zK|GF6cL4*!OY%uO{;Au9Jvj9#3|n
z{gfCx#;`Xt7S=cvG(!4YZHEXh<CN!*AZIz*@r2xfNzYq2BM0(&G7RlwzLH$sik-r_
zc%;7VyV(Ic<;>Wre944#27qsbu%RxOk91opgOe!h;V$It?!)*-y`!I~$o+mtSD#}O
zqGhJ@&n<_^?t4h16%k06mB#hRj*wH|(*a<KN|CmzL?7kt7F+QgJqJS0x<v04%k^tu
z<LEsEO)vrV*L%|TIJ%Ur&1wV&S`UP!oq9rP8@Q0YJU=W|J9X&;7#A`WyZIO1C_t5j
zh_;Z6J}q3&d#qEA2|nTia%C}|8bvJ|wK*`i8d|aBp2~;(9kEK_*7fR|tP2C=E?n8X
zBLJkn;SkvIp&7V2tcZB65RYW?lfAmHRQz+&#^0zK{~6hD=Yr~7S3`RAK?lyQ@9hcy
z^eeEcX36VINzd#iY+7Yu-nD6$R6K2-G_<L)d|?SEVE$Ui?`FYI%8n1|@d<U87)WjK
zQEjyE)KB6`BD~|$y)X5PQRBU2TA`wQ3PpF2JH)<Y9XKh!WKbqgv2Sw+DWHSiWGX0j
zt_E0km%EUp0$xio<!@qytDFX|N_BnEO)|Km?V*sOeo%?*fFcSk>LCPp*#C^<ac0?a
z$J$KJrX?Yd^O%9mZc*RurMriuSNfeX=PaZ7HPNpmj!guIbCunTTiOEdBL4@39v8xK
zet$lQGj6hUW8gV_$W~m|2n60u&&Q2k(e>B{_3|P1xk)*e))rG~O^05Ujr)1b4}*l`
z!4JsX0?|N!i(*YC;Kh(M%#bw1ki^WO9j{r6r^)nDQ@-@0rVgo$65*m_Q-DH&U3cNu
zmxZ`+w6$Q8ywoOY_2YnYE#TXw#hUf6Ux*46hzfqjBBN+G)$Zp%C7*ujlWWqbe{m(9
zwE>qdIRB3SS(jJS_q_>7_g<1C#$3yozy(f)*GIsrS$pl7tA2&>LkokmUN2-=^w}|{
z3sufD%!c9}(!Hn7JvUR7=i6?-0&I~$tcHT8?T%ALw?!sC;=enEeGIYvflZr6?s=#P
zKhhmUxzt4fizwNW#`dlK<Gi{Y({{#G5**-Qm|!xA=G^;D-kZm6s$SJ*l{%Mu;Lxc&
z#Ww~W3&1`H$e#!0EVzY2A!Zm!u*zc})*b3qmT_!KF}~U*zm>qIM`PcYlj};Ict?z<
zjae!ba;0ouJWZ5(_4B71RxKZJ0tTn>Fd>;En3)|dv{1Zmp%?)av7!hxNI)|x=&aY*
z7i1tg`aFZD&uR_gg8T?Mg47-Z6c5U0+f}~IZ>34m(%i-SNrQ7V!ljis@U1-L%iYnm
zh8VPG-u2sX%cK`i3L{EN<!7V3sW_WHs8eHJRa&;ue#`izL>wTt@&(`*5rnD_P=o8=
zlxKW@Trm`{TF+-LNG#7^npGy}9BdNApsCQ!j;g7{RN&oJir-YD1*VH9wc4g(WQ_dD
zDTXV9NS*OVE}=|AfEX`Nlo=aV9Eiski75TYJ+OlNuPr}Mch^nOk;)gy#kv>^TeH}Y
z2y262gc}@+j0JF`<HiPH$(dH@vuLX^C0((OdL!hjPjPJLr|?y;{1B+7iBd1nD=9lj
zwA)IgjddrZtI-I8*OiyGcER=eHui>*=-M;^7i=+C@InWdr;zm#zS%mvJ3zyg4#~83
z{iCyPU(O1W^>Fo9m<02`CqFbV=~8+D4NjvkyX*Fm`ujisBS`B%o+2gKK3BVK=Q^o$
zm%P7Ni>X+vltFvwVIkz|NUYE^uP^hZ3OB%J&a_Ei!dgzT1gudIpz!e+T~iQl_PBRe
zN_ba&MOUc>s{W_yfZm^RG0ky~@?@Z;Akza;$TqgZHnK~P!??v79xI37ukkPC#k*38
zOiXRGqAGas#}1m~9(Dd)-`yp&Of|3Ux2_BdEZL?~lX1hNCf>>XD$oRce0i>BfqgdO
z&1E#p2N^(?yBXGB5XkZWd8w3OlUx@z&y@mwEbVvGD4IjX@w2Ssv&h09Vnh?vkCDT0
z>bI)({~$MOAW2H<s%!shAY+!!UF1&Q+hs0Y30YiL*D9^nB%VR}FcYE2qzheQ*s8&l
zP%aFLL0-AgSGUf4a;7zD%DvF7w4yct)RA0Rj{E&2!nAI!lxGfEnK|=IOnf-rHB3fn
zyLoH3yX=>3Q^HccfeiTscWT6LzI>v-oC&RejuN}Tf4wlUeZct3oFY!a*i?gbS_4bm
zrm8Tg1`|*Hh#`A^@>`TC7LY^!om~p50GA~xnEgFpP*=`dz;97wV(y~?7*B9>)EKhG
z8s5mhrFs?`U<e;^LH{Ooim4esq)`&^rM`43w-6UGJ2NJEBI45~VOXYb(8G<DTUuQ^
zE0Ka1LTb<+n52&mMV3+Wde~Ys2=QuI2gWag`@31r)K;nXWBCB(#DI7xyXLmq5d(l<
z;ba()?H%oj0lg{vB!VPx`Pn8Q^8j<veKmEaTA^B5nu`V^A5MTpQ9An%bs<cWQV;#T
z5(l^wno8rImwsh~tW%H^i2WDR%VyP!R@>h`AG)081YU8N>wq|koUf)eZ^$xq8MRm#
z%-_zu>zYzSk_-$aBqi+zx~8(1?xL1jqT}xoh3PgCO6%6(!y(4@9tD#UYczaHV#cd|
zgRN$(=xtW39t897DMaC0NqpjwG}~B^6oO=gT3Z@tlv}2?M?usW(~~|>rhMh(;@4fs
z@yCGhdnmHBtE+2vZ5fV%K?czKQ_4~n3y5PP>)zWKdQ;;Ni4&60j4hf=07<9G49NZV
zf;ZWkOc3KWc}f`RyTo5XAPa#o3D5vn7^HnKZ$c&})q8*TUHZ|p{uj0)Tnei3vUm#;
z$!R;*K4x&u>a%i?{L}I}QwukHBI={!X!+;l{<vS4qZrq#?#xV4p`J<##!ryDugp=e
zQuF$FU}qtUW3yBPyKs}UL3U}EW{QjC-hOnbLq(gkOs@$i!yUiMZ<Q*VT84XPJmvF!
zbb`U`a<~0+Z*w~K2lPUykr*KD6l#`sJK|J^aL#V220<Ltcyx#sXoV2YKmaG6tOl_q
zl+psYnUg3HVSoz;JRsSfKqfDZrek>F()Vi*iH5iIH(L9!2ir9HPt+a{eXM^n3=C>1
z2+2hIGn`93U;tjT(gq2Hw~ufi7}w)Bqg$tr2cG5>?Mplwl708z6T=zjCVW%+{aeE<
z>SHTX_8P9Tc~|uBr0d^~eOl&)AF`O<452JUe38JEfzD^3!GcwGG!j)P;7oj%y8937
z;{)D>0Fj2(c7F(j2q*z087oIgV>V(W7`HTsVnZ<rwzo+2oET$~@cE?E$iLKtZGSj`
zqPh`H2yINlrThRT5y`8$>zc;3B4XczbahEQ-Jo;nNKdYzI~Acha*6BK9-vmlFGaX_
z${>YX$|o<uMzNEe$yhQ?mb$AHYjm7A)jgyPBzAnQQo{Y7s}=}IJG<o#>Y5H<FLZMP
z?*NoxmjnV$2e5Y`Hhlq$GIKED&P04dhBL>P4n@8KOKJ=<O4Bf|P(5=dnbw2?uPAg@
zX)-O%36mdI=AVmuX2a$2WT45UuO;G5)jNy}i!(pUtpTLDm$C6tQMvAVVmUfuHQAR~
z(mM;$GRO}FT#L#vQy)I>^uZtl0xKYbJoiw0jvK);E-k>8tp-+O!FBT$TGKiwWWcLh
zy)0fsrM8h1x58+j`T>gIRJZyDgjqQXd}1A0fFYZt0OBkQAN9}=nE|B|dpFgGLOc`&
z`MF7PM_#QdYuxX;llXYxfC&aVlzh!2F-uDXAm%?Bp(L>1$Ib#a&B=~;l-7V^+NNea
zwbRMiJJMv6+&`FcG(0(w($-E&kT*!4nJrjx%^vQRc5Kx$adX{EnsL=wjc*#N{j#<&
znX`JfoYOOPA}A<0X+ENv8sCEMy61?TG&IH}YX8aI6<2-6E9z>g?pQ^!!y8uI>CA)p
z4>pC-Zw5qGwTk|W5oy41lL2}!=|=jQ{qvfDN}&ruXv`;owo(E+NVm2i3q_8NJS-0O
zt2c>Dz6Upcgf#B8Lo2(Q|E5mcQ*Y~FP+M<bw?hm1R0Cg#Nhqb-xDNP!*kWE$eWn&W
zB_P}6d%DJI%2EM$m{(W$tDWqk(qO#5fNA*J>Q03t2z^2CRLqgL{{Ip8mSItKd)zQK
zr6ApiNJ}Ff0@6KncelXMphzg)Atf<%ccY|qcL_*$H@s`O&wbAGe0V;;Ui(5FW@hib
z_S$Q&_5amCnUelfM4|c~MH(U$NhC>Qi+PR0S(Fyv_t9R<Psh&Qg>4OxM3q*mE*!tr
zVo?mZylCo3WuF-MB{RK`vq6<I<*PVecn|`np_FVp>x3)+88f-f9sO{x=k6{)J|ytP
zgbA@Sx|4~0_Bz!k6N<2L7)KU_MH|`Lu-ocaF}`PB9Q^RfrZ{x_2&?r|%ZP0b`{G75
zy*r}_*(6b`+WHDbkQx`_qZ<ew>|q6?#<#JhsN+xFLCS|T3+w{pA@iPQDHr1UnrEW+
z32zYQWJ!h?WIXAdOF#KEDQm+bC{=Ade3*94DzY&;P%|`t;Vr|lgDdk8=-YH~&>e)}
zphf;E7#H&v7OrCb!fiSq^W7Vjs(8xy84^sRx|tBPsU8vmLG*thM9k$)R}Nt)dqUiR
zHH>1^i=uP>;{A$R;{lf_QD;tvg#w=Cj;`B5UW~sq*>|&**UpkWsL8bt8tG@K8D#tm
z%fgR6LK~ePHGUbYL3#Mm>RQdXu%Bn9);y&zC)Ln=IYuIw$zLL=w&5LS2j2#N9doG6
zFSAa%d_AS)l6*bse;&xF6&bcz|CvM(-9|Q6Dkn+Z&o7xDnfwr@@Ka0AK#lh4Z!lKh
z(?Rw5$uN6d)Tw5^iBMUQ@yNl1^7)`-^ZUm2H%13^e!4!K-y+)N>k(+UBrQ!xEMHh@
zMMG6V>=m&rf1%Gy37@uYEhY1J#==1=B$P2BFQSw(X<eE!MBRrDMl|y`jJYBdD(V)I
zTXOs=%?1AuCHg3YU^IN5@`~<t)J>}Y5^<foFTGIIdOuqOZ7#Mz{SPu?mZXtiq(QDi
z@7*amIW(ld&}}u}->WN|-W()ygkyX}Y1Wvb(D>JH?lj-8g$@dCB}PS>5)Qr*&7`p+
zaks<@FU@yoVZ-8#Hfgw7@rG_`QqKY@`;Pt1_l)VbpO0dNx(Z5VdzlA$(LDDSb`s0x
zu3~J~*N?B(%&*qLJ=TQ9)NaMji)+7K$6fJ_P%eoKEK{)r2;Rftn{Y%S&Bc&zTdUze
z2!Gzo!Q)=J099)t&lr?Qk55PsLL%NErMTXT%sMS(fTU`VEhNEO$S?9Rfq+MRjR?Rx
z+!NS^i|sE-@%*>u%(NZshYeAqUa#hiYAMda^4N^W`mC`iW*eHN9UL+5ihJ2DO6f>v
zmzlDlX0#?MA+b0l%TJ>7*@hzP*mWs>s{w0NvlQjYiHX&+|C-{OGBNI$W}yU^<ZX>6
zqqHR{+0t%Oh3MNCIL(To4}>mZIJv2sPxOrr+zW?h-H{COER-5Phcx?FInBrdD3jw)
zz=T!+96R;8%}<0Q&>GV#t~JG^jMfW&po9$06i|ieZ0fJ{7w`sn?_Q_4xRJx_nxO_m
z)hX!FQrK1twa>0j&-8MXS_+-{eA6IE<tEZc$)SjzH)3{Ib7-ctzTn1!Kk^Qw=%hY+
za|uACuEL{z9Jd_A>k-Yx(q7)M;N0}KMGsmxOY7(8m@Of3piQCZdUPRwNxV4KkC%1N
zv=Oda<4v7zv^T|0eKHWHh~wD5b8}p>FZ11nD{|197|_o}0~=B(dZf{(h33QAZwa;D
zg$|94eLK^-cJtUjoA*EJ=YBF^JsZfg>)NKka(Y7g>vM{5zm4Fuwi>9BgEjZR>^Yh!
zszrHQ(j`uIo1U0JLv|*nuRyHJ5))w*SIue<PO^yairIbD@vR0Eu0-UIGrMMqXFETF
zm+|<Xp)JeX>e4a--7#$nDEk5kz81L*{A0fL2IR~qEJhL{lZP5cnd+$UhQ5)o%c({K
zpW#_)Z|x3zh5!g3ZI+CjnE5IUzfv0cKq|djB@ocbY#t{+<Z_ynR^R_fLK~BG2}pUM
zu&zJQ^k~xi4?4gy!1oMH^=(!^xNl@2j$IrOzZn}*dv(5xEnvahw~bF#L@WJd$mM<O
zZ@L6T9qP*A2-VO+YLG-O`V-H~e_3rn&fs=R5rn{`WcC;CtG5r*J_ssKUPQ(WzkE(D
zr9OgKBmjNB(OP<r3UX+wm%n9mEcM~01nllIAiN*=r2~jyk0$LpB;aw8UhXqD>pUMH
z&qdY2sijl}>YtyR7Tgzb9TKZvf5YreVtx*iC)?qyx-AAyl<N7DSD~7fs8m~yyvOUT
zleO-o^Nx$IHG64P0Fcp<262~-jW-}FlSIdJeuMhM%iV@E1uIWisw|mgcvdK-vopD%
zk8{JtJIX#efogm-{!3H@z42gkmocvF#VU6aQM|`^033jmpExD#?u6yi^Yb6YNTR;_
z1>e2HT5nsiO~a!vUnl@~3-IMYLCRomT6ywvSQabrB|L$15rn$zkC|r3f0b^4mtr1;
z@%k|#4o#`I0Tv`YJ(xqsg(1-I;s2O~(LRiULebsW4U6vxOFY+fcyDG+J}CGW6}>n<
zJvE$)e1b<rySV-b-QQmlR4Hs-`kwZtyn8gzSn>po@Ahq$^lk^Rf(PHIbCy@m<UZ~g
zl>%<WSr@>ZaGyoyZQh_D;++fv3l3IU?VuA&RYK=4!mwHH>k}Dgb}bwj1fOHxjS-Hc
zeEt%^l$(zka22X|5=g;$^B2=@#QH3etw5~`@#@7fpb`3UZXG)ze1db<3PDz&rmpvA
z#UdXj2-^t9D%rq&wW5R8mF|ZId8dn3x)_L@a%WU#q*+XN*!)Vce^RoSMide#_k-$n
z?lA{d9<`NAgUc*Sx`aHGn`I=ur<W*{O&#-1Bj<qsEY&ol`%q}9X`GnKIe!YqYsS^L
zkTebqU6SZ+-p#4jRagS=d1i)qB4W$F5dCC*N+&)@xE|rK2n0wKoX@tv83hX1h67C`
z1?sg}U}=fKWDbe*3f27tYVq*KoWF>jFqlKiXY!u6;=Sml?ETI~4CaFdXDK%|>+cBd
zrX@NPO90uD2s986bf?`uKMu^b?rUk_ig3<)KZdh~XBLhvk{Wh73v@~!%Lz2&gOwDV
zZoC{DcMu!Y--(}H(2mqu_!A{jM+p5X92JUMbp=6igNt5(fro9|w9fkmY5zJajtPtq
zTGy)+Kh&uI6kU<DN^Fe-s4e+3VD+{A67~d{MuZ@UC{RXIM-)U!d94)|w*qP*{5(<?
zYOssB?og9FFWum@7dVLzL>L(WOh8t>vB8rA&M5_IWuv#6W$5sNvjSdveLjlw{287s
zxBWW?kFhB==N4M<Z2Hx7^UQuW55_s09lGE#<O(`KWjw3<QxfmZCvUZRNo`$rxHuPU
zuqRIsZBU7b;YDn_y)SZq3P#2keV%6<+)R&6);B+^Ki%%kTM3eJ13}zypcRndmVC#0
zN(=!Ow9(>F3LuT;rwAk-#~ZWUv$gKJt;R#}Qn;-fk^<fzVp~`G@zfFxzmsinMVN^@
z3pFf;L3n!%Q1+wqIPbM?#z?*FL?Ut9#xGE-Lqu5{upg#EBo|@zG$c6_*f05~zQZic
zN=HE;cphlUo35i(z-mUZ#oDlbLouK2^j)Sjb<Z*8Xn4_Pgn=*v%797fN`0k~N;Eo7
zs(Pr+LnCoaSnYaA&2Ut>@K9ENq?SCF_ma{zl3l`YF8Ebz0sd9nDuuSrNoH(VhXBxF
z?n6Ix4p;d{Ny2<?_yX+UFmBz7j+XOCvdj9Ashy)8y8GD)0z#H-a#F3HZlwV;m<Mdn
zyCd+NZMT9<USla7z5gfIkQAJ7X9HJxFGC|3X<$+~=YpmfB4lv<=oMm#sW+Mr)6YW~
z%7ex~I*lKZfOsAZp=bytX1}z`(Nh6uH%oe>BX~pc0m4X@v}mc?huS1Bbs6WgH*mHS
z0+Z)7mh|^gIJpeKOCVlUrBKaawn(cAFPZrCA{^vbbrdAf+OlTLwMNs-0p8-%A4lBA
zk{pu8%B$d(7_glU+_I^|oVZ(MAX?uL8Ti$jP#ryyp+n5Bh@*g|chU``#))Qe`_(YD
zo-*pk$Nlz2<!3mjdM(8h)REO{dzHQZg9&%ax)sh}OLm=&6x@{xt<%v>ALRP&jh`P_
z(&cVUmrJRl*B-Vy9-H@Oa1*7-sc<K;9fYZ9*sr82IKo<#SF)1qVYn;I3%2>GN=ugF
ztX?j$%Wn>RamA)>n?_rmb>#^5Tf3W^j3%6Ed!-j^<za6TV;y<y`#fKY1_BBkC^5nL
zvH)c>SEMoo#3DE>j`KgN;Df@3o@r)Q01`XOZMO9Aoa)W=)H7SIvSI7s{ix6H@vXMI
zB`V<Yq5$m|%!Dd`F#ldVS1I|37Z9R<c!#2XL6AuLq2ZKz5*IfP(j`n`8e_|X4q$g+
zKn6oW0*gki$4kJL^?Q+3VioP?G>IyKs+3<PYv%F0Zp9VA74h#JxZ%%=8J+nM@Bw{L
z^<GH$2eTM_b=wP3k?g}fe3zAfz8^zYB=m-!mq?es9h=5OyXU%9m6m4F-2SF^ZGVZ)
zd~vaZIg(QpgOxRkokU0Dn&n{U$oFt<ttTS>n{8(sqk|zyrwtx&*jw+)c9il^QUPmo
ziL2a|g|^}m*^>{Q_C(pkYK$*F?x_aS3om%`<?eJ21ig$xt1gO)U*QqH-oL4c$9%tn
z;`lb0^l+1Hu1LGffvO=A@EPsy$mP-iCk#&P160!?;N{U-tP{#A%lC35OXgRsHIJt)
zjoHK>fP}*f{qO-Bq2&Kbh5QF<V}x!`qaeV^8gV*Bq;Uh+wdD^Gz}RPTxoxUD=>zzn
zhO11C`dp0t5Sm7mGLoaUez02JSffe#8Z|*0(0GNm^z+xew1^I$Mq%q)kO_B`sMGRO
zp)%^@@~SmZNf=f0<(Ga@EB{CX=jnz5{|Uzf4@0>7JSZN#JW%BiDe|dF6um*5@-0=F
z4?mP4&PVc)Im*LX?Wg`tL=lRk`#EQh4u(P#F8;tQtgt0Gl(kKv+s-fKIb&%4*C@QP
zH=^%yzcbNjiEWq-clLaW*70)99Qkv(wlT5sH9yDVV7YW@+IVFllj7he&!g^kn~Twb
z4vSLNm*z-Go6^R$t<)N2gQXj%i1$skvbNYJr{KHLkhX8P(Ch40SlyqEldX<Ysf)9g
zJTfnJ8ox9`QRN9gb7$$iT;8e6t|Ib8$|y!N;|$U0;N>SeVYmC#PQ0<}TLM0o-kz*Q
zmm5y!Q_Xiz{e+Bkv_1kB4E!l@yHlrm&}v!KdV|LI4ZwHiHkd{2WfUk8Z}L);1mtM`
zr~p_G5RU(FRL|Y74{YjAbl}u)0B*N{=Rv8-7-ZJt>d`$V^KxO{*oMZ&A500g>~_s3
z4~J#7ocf&LC>`ACrI>rILVxDh<lLNJ`G8iK3}aJpzLy(u(d`7Ge4z@!)vrTa!AFxE
zRwX7Yj0x`#_+UU;%{0X=9fYNZ!d`d+Y!ECfS{aM#vEd}l*}Hv3_+##ElE5>7M;by@
zac`Gb>+J^~g+0<p<IOF{jN;~j({BYh|5<z3%dpaAHjKp#>i7V<!<lxnuWomR4%4bR
zwkX2M>!??Qa{QSAbXP?uWC_fTh~b&7e)GBday21-Db?%zf7N$(A@#EcPI-n^yE{^9
z!3i(OSVNM6E94O=ss5_cshyD0VRFcZE(>Lc4R;e$xZ!F_e`b}-<3DdLPDbT^GaD=>
ztUtu1=kWf(l9j_=sc0&G9aH7Ck{G^V9`AbG&a2-q7I+qoO-mOQli8$Aj3}8-j33HX
zo8Be;2%l}Q<z}b6{xnaBmGe=4M{O;tyGN#gX|v0c*buE~-{$E=DqmF`)*fCo7l&fN
z_GMNRMcS4E&8pZTD7_3)ACGS;j_1c6v9$n*6h63vFaV!@$)V6Dh56TTy5(p_WsE-)
z#CJ>*d&~kG{EU%&5|c+2gG?Jk%Q~`~kA0&pLQ%Attfs6q)lX*}8$TC17JuEbIg_;Z
z4H~zmlHF*qZ61Id)||IQ>AaoTqFTQ<8Y);`9^RQuSNd`#<+|n~f4w5s$yJ3;S*bg(
zAz$5Cr*QpHc}08i;_tx$o8^^cdmR<?MIW^=rdKQ}?TAH(tW>s#BO$Y^f=Qmt1}AUs
zCJVE^JYl|)a)P{?l8(|-Ze9UW6*ay#P*t8@G@SmRT#2^Ko*_*%WL-}%QwN=<NWQX8
z{MN-f#(}AP*WF~*o4<Pbu{&s3vGDac5AU+C4Y4zJ*6=~7O7w6KHdvRgPE~p0Msh~P
z)&DabFdV2#mwhC-`C#kTGs6g*3D9oWYMjwJu}<5DD!%zV&HS*@@Xb&)&6cLZ*iJ@o
zQs}bULS3Hi*;x9v<N0>%=o?vd)v3a~!Bsc0py?6=TUH8@q}oR10GUg?>362rRGX(W
zd9~P+9kA>28F$QNMsixxYj#yk97UUik6A2>l1z%H1=o>}e>4o+5M@cjt`l6;8^iAk
z8uoed4qBP)!IJVi5|S{tYq=RsoOoz}v86fIB~VFI*EoX+n=_Z%Xc#Qq;9dAuq!t6^
zupWJy%;cgrdfVWrc)@uff1x<t)m&PBapX5au1!vBJ(^-wr{uAD`EW;xtsd8WBI|ZV
z2g)3Z&N3Q8(GTZwjbgc<o)|SvsiTMbeXR8X3qZr$hN<|mpXG0tIXevH8b5KBn{wJt
z;P|QrLXSh>leT-96Hn}KVPu(`;zz>KeX3wDAI6)JX6ln5l@i$Ry65joGpYzCA3cU6
zG@X~mQ5v7Kv0ghSenibDQqaAOAO6wk(~>o*9v@0d%^`^Q3RUQFnsR=4Spk7+WxAN=
z<7k^i6KvcIDTJF|aZLu<ZWc7+3eu>%_<&r94U_uuLzL0x@EH5|8&8zZMHj`o*$(q5
zwFJ?p<&*Q3vjrz21Ou$GRI{v(A2STDq{ZZFO_>Up1{R5~8dTkE@Rrp1(L9y>@|@K&
zy>lew)%%<o|Ic(!B-Gbp5yF*m`I{<Vypk|bENTee2tMo#PX3{Ed2?v!RI~-?FOT)V
zGNHcQ*n5Sj<etSMP606^Y8F8ZX_;|ht+}0aGAN>FQC!HQt29~FfX-_A@oIa245|PK
z`F$m<S{&5ggSEeFKadZbE)dXn#MD0a=g`fAKI(AeAXw0j!J|lSF7Mg>^N~>G)BEI3
zJ18uHSnDnCN-8vGYEI+Lct~j24mxYKZfB|N7j3<Vl0(ACOim~jAv|)W(Se#*_D5St
zupZo^PpsxEJTy1S=~ffp8Bn6`CTVFEQ8s*IXvSm==4K3WVox)c7I|)SP#s-2MR+mB
z9;rFoG^!+P_PTmmHD+zb?m#k6|LjdWv=^rO?rfHuA8f@(*Y=Xa5~lsm(y?jX1&X3G
zH+k%#jCq$O=FHZgtAl9sZK-zg>>s`gO~$1>a3oV8^e-G%miw9T8ln_j__}r0Mf9FS
zU6Bg<&pkI*fBO|3C0WqAQ?d65OfokEi>>H&`+Q2`8x@5|<vajBepfTnPotXK+5(N{
zm<r^{-%nTRS*{4AgB2+3{!ST=`~+>Q-8GD2kmR1h78P9Qq)C?ioPD!_M)TRFPO;?>
zJ4z^oH0mL(@I@Aud$eic(|77`U@x6}Vr+Ry|Hfte?Qkloh~^9`zuadz`C&)25>LOZ
z<n^&_T%dj>Va<<5<xv#wX)<-QZ2d|ndu?~MIZCuj7J`wz!e@ED^$hNd^pa5<WyO9S
zcLi6I3BeBfIi*zE19nW=u}!HyRVG>rav2|yUuFQPq=00Epe)B4Dl_fwarpwV0vYN*
z>USYXuF{ahI@4;O`R&dI(LD|yY-4otW|W*wlB|j_2<nI5j-rY|sl{cCtt<JYH7vm(
zs3qO7aGi`5(xkqEtVj~U19@R@tR&q{P&7Gg8$7O0(;h5C43nWqt|z1F<)bO5*5#(3
zW|g9Xg#^jOWgN3~78yva1daKXj_|Nexk_)W<kZIJ%fA-EzX+q5W9KK2R#b_2n_rh?
zg&)y~ys#QFEi27~uimIx-%uxopu;d|ax8PA-`!4Ibd&taBp^K-0miB9RzM6}pnmA;
zxy8QqcMMTAbn_#uYWZAoF~JZjvtO0Ixlr{auro8DCF9(&Z^~kso_tKQ<AJN|(sMSc
zvRNddBkA1~-`md_O{D<N^M!f;p$2u0LpZwNtBU6>@>hz)Xd=g5@KrAkYU82=@zKIX
zO-JC3K@QQA_u{)#jKRBmzN=q_-Sb@<x@XVivPd$em(4#8Hk*Cd6%x+)gmUcgdMA|e
zqvhN)M0DTxpThYbDM;lwf7@``zGKV%Tbi80TZ|P*D|Wk;f7;tpBC)c8+{a4LDi0gt
zEskhm)vsaBUt`-WLo9SZNfJ<2OrzmV#EW6m+~bwoz2j9=7asePhr%fLqoKxi)y_B-
z!hIR|9_G7@tb0yOfvxc4kVu|HU1{T5e%|S_mn){0{#lGkEE<bpM7VmMbhI2{^5ysU
z``-@(xbb&=BMeuAb3wf?{2#1q3RM08uXFPrt|OP`Q5Emp)Qyk#RmjvqfB7`RP5lGb
z>p=|vm+9|k0;c&<(LbcIt1_x6oL*93W@5cw!D@7AsVVPfJnU>me6*)^r66Qe5lJ)3
zST|@d&#O|Kbt6ia&Lr>pRf!*zg3QMk^Bf_UN?g8znN3a&3YpjPm*NT8q3Y8#Z?$oF
z85QuzzCQe*@5?m2C`Klf%n+mEBz++AvR&eW-1s%xgbaCd;;~8Ql&^KSILgY%X!&Vp
zbm*oZH~Y1C_Dow>ci*_KwSrUI5!O0O8dTgmd@YEM=+Q{>cRA4kab$k6sq7gWJW<)?
z!?LO!b~);~2pU@lnS_se8xzLG-AS7*m8wn#Bf=N#C;G|}(jr_WzX?cKX%*2$<2Mwu
ze`I8QjdR{Txp$HwV%(bz0!qs)x#XpLN;&z5d}I;t_Av`ipZAaN)_QamIZ{?Dv)<n<
z6Ly#dU<+NXnq(jt>WtARUy5K?WCTx<JN3(bbfmasSD*fz1$B;C5~af)Qz;vzFJzuz
zk0^Wl3YI)imPO87eV2#mG;GC1Az#g4IpR1?%+qc9(CJzA^NG*UqFigM?yrgE*H6+Q
z4EV_ejcFQj^`Bv_@mnmudFns6bILor`{giE!cxd302{vlz46X@wh=qpMWwMpi-eMP
z{7mvmbrFenb)AfF+FV}#NQz6loMZ=rd_89j%|*$J8}6PqWh)I4s!9sN+Db)vf}A4d
zy5K@5L#(CDPod}{<Bf%_<C0!R<~j0y%swM`Y@Y#|muS;7d9UJFCvcdn_jDchuNKFg
zfo==tDs=#H6%))I1KIC498+gv$W_W)C*=&hdG;a=w61Z`+Lf$^(EUVGo{(Sjg%LJI
zu#gX<_e!GZFSX*&+>$8eM?Je)5J{#THOAYTzn!fyE+nE{*lHrg^lv0Qg^)QQ4e>|_
z?b)f?*`B%Rg|GcTbS||o!er>Geuox+W5pfsu<kGbc{LJc$Yfr<!^mRHc~ttej@4F9
zTCzGdLL5W(o0m%ZTb$MylSYzqe}a92QxeTm_3^eI$N%V}>p_yPqM@joecmL%?wUFK
zaNC$xtINDQo(5M&U13^Xy9B8KB0b~KU3@x5l+~N?lBOVm(4h#WPe)T)eLXg`2(unV
zZRfXfw^#NH?dDdw5ekZ6R+g(@Pwj4|3|Urhs1mX-m7skG%wi$LdERDmJ}(jAa`1h5
z(oj?)kxGKAaj?2vj-*Crt_581{`l$f<RG{@L%$)4L#lsE`xt|HBK1`;yHBylO}&MB
z7Otsz!>Vi@3g7R%nNMT2knP;h^UBnD$?hilIc#(ZrSJUnYnZ#)$=S!S1d`gR6@O+%
zb6#VNZ<1=14143mUX1e(+Zh||Tt{I9XNS$;b4crpu5LI^BD&0RONuIM?)ru-E!sdZ
zX|;<}9!|v~8UH$)c%!wL_1tQv3|VwqB%y5+Mg^8S#}&w;nw3>I)DGh|$8F;SW!60E
zcAZ5$il@1ktJXbPQ((R<B|x9W)<E3Gi`E;nT<*Cp3GIK9HeVU}Uvzl%Sp>eeWzp55
z^1VQ12c*z~=?%yC1Z+jLRuzAl3tZo!_xmTd+7dl1#*lpM?5B1`sAPU|PANvTXL^SD
zFIAuCOGD}hD!2yX6i(mQ4oOsBlm>JpB)%xBASbN)@ov{6Uf_uF5hT-frFUTTZwKw8
zxxZNzYQ5C<!;;|-2Yk)xlRh3xgd;fCS5K*L(hkoyxNwG+{cs$@l}ZgAP+<D53A6sW
zs`An4uD<^{BSQY5BBqj8f6}iG^Db&a%m$}i$>f_66`gmS`*oEk%Z4%EEUGj3pFYv+
zDdZcKEPbW+k8GskUW0{~zprlfijGSEA*RPsy}+w?KiZpxSjdc@5*t$+zenLQV!-RG
zb)SCqjYFM@<|CHvZ?$;Zc$5K89E+Xqn=LKojBO9I5vv|67EHqtGb&CU{weQg$-hwv
zKczd+$`PAV3L9cqYfQx{=T<&6L)7gulZb{23S33-J&K$rq*)jLwQj1Aur2^$VjssT
z+rQzYr#O%q&VH)dbsDbD6E9JdqG!p<>2>I#_|W63!52x$F!R#q={=3BrR`pY5)8$#
zJsF)YP(|-x{8i0(m*%cL__`0TCNJ>KJH4nVjlcu~<X-46O5CZ9edix9U3ZV{g}Psi
z>P_@I5fL0`{^syERTF+`V%R-Dv_7a8uO8ptc%}So0lWQo-yHiI{)QFv6LN`yXvA4z
z^t^9*307r#qu=I{5Z@&jcQAOBAuSLu)~aT^ezt3Hyj-LzN>F&4hiPdO`dHuSAFkOT
z^8H;?lglC1SKqyL0do0X`d?0cTNS}OHb5o+{PF~XG`$0ByHtJTT4m?V&5I+-lj+6X
zz&7eAw|KcK+48<ooP4x;alAW-UO*?SvMtt0(xuMnSv*DBOO9f}@E0RALBS;!-;m-e
zLoOqe7pz!0_C$k|-F``A-iRnf$I3TqbD=)^z+3bc3{-|@ttT@|qO}n&yTL9Sa%;?T
z1<k$teB}sAWS?tub^uxFo`8bb()QtI)(S>)y|xXiN<MmN0o4!QVOdP2M>9#54*3{S
zFKd<Bv%SvU50gM#NcyJw%BC(r3i4Fuo32SG0m(NcH2L}`Cq;uDu-Gfd?_IOhw+|sK
zPem8;{64F^rG1hPc^xUQrc#RcI8(2Wfl%PN7ye%fZh_~>H>^uMdZ&m<<NpecKy`~t
zW#z}-fB^1evefV`Iu<s(cWnmIl1)PG0uzCm9cKN;+$6WTxEfWATN8Is3c3PlU`Qq3
z{@{&+fT*s;5_QXPca=x(%6yn_y|OuME|_MB=eCzY$eTm&2h{E9A4y?>GB&S-^Ofbt
z5#4fzkwuTrGNgy?@0mpRR2;1Db1-Uv>n!f-Iga9*!~7I}WI`RdVpXn>-Y3(wXAs6g
zx7)Vsj&3f<{=x`4c<-Wir1V)jnzXx+dvLeP=c$N4k~b0D)ws%2HW{sz&uxgOnnpm)
z=cb`JC7M+?nqNb%df9VlVBhHXT3fnAY8Azb&d*PqMl)W5^u_;Njf^L{Nb7XZ%CY>e
zXPwEBMFjD*b0)ShL|cDFht6B4J)kk426@xNl0+GK=Av6Hv~~`^jwaM737jTqTk%gz
z^?GQeO5>nCy_U3<tlJ-dSDQy)ll52mLfih$l=NX@-;eox>x$Eq=(Y<SqN5k<ziU0o
zxO4dAtsIr8aeiAiYdUGnB?TiNQE(t~XX;$Nipicj=GgKwlAzhOphowsk#gVWs4=u<
zHj_dOVP;=4pLJel@ce!>1uVeub6rA1R;N9d8OrxPuhw=9YFdCNH~KVMh_DB5o&Y<A
z)AmRM<lsC~rb&jxb@6hI;pAv}rkX&GuS}}~Bkc0;^327>0Y&0;mHPQ&<lZzH&5XxY
zg|5I00g{Qvy<uEj%Ow)^38h;llnuLKN`|J!)YoN412ex$+Z20JW-jcFB<MYW6?rGx
zOx)YD?RDOsVp5aXzl$^PKI%vv?(ZD--|Qd0L0c$_IMRp=u-zlQ@+xmR87SZ1Devb(
z5_*Fa{ze?5n#YcRnq>O<Md`z<K1|8AUTYm*@q~TUEBvk&r^K_ava_4%{cGDhPGTIt
zwSZ*eFj5mQ-afBkd!v9v3SLy3mK}niFUy^a0V-F^R|6Si#6A~f>;b8gDH?azYId!T
zJv4MSQqvzIjCUu53SB(zylAhnE}F^(`r2CuJnNwyin@pVHoQi$xMAKY^p*TJHA#+~
zD#JDwp3#k4EOf!guG78G$#1NMod&wtbZZ*nbz$zVt?XL-5SDKGyKrl_;Qh|W3n}#(
z8P{^LjVGxTl?t~v=v}>)WTaC|%ipgSkC;YGfS8*rd&tEDQ^3kA30pPeK<#R~<f4>R
zj6lGHFbv~v*<YKH#Bw)a**~tzx%Fhg(}mYYZNsrHGW6Zn?>eYNfa(lG4?oJnELw*0
z!9kzLS(EO<+n%DA9(S(##>rO@v<1Gi<;07{i(Sh_&=fPhuJqUYmVQxA^VDAFUYvbN
z6D?>9XK~m?wiCN9*A5e&;-Vqp*uE^w>_qOnRJkw9mb)+~bXhZn)6uVOrJ%jzp`=Ih
zWjAA?+1Q86-IR1snwkra-r5U0DE<i;qTb*PB^Dq8y@cT|srPW(A|jOBI&x*2bacc<
z`)n5N!mh6%%&NN5Ze%7&SIV=xlO*g!J18PFp#N~G3$07WoS*i?l>ko)G(3)KL55x3
zHO=9+Pq^}q#(RUwV{-~VLS)2=Ub^~(;ossdraA~**W<hJhAd^%5Kd%Gxf~v9pzRhb
zH22j|lx=3?^wsz+H`Tg?`k5@7chG06@T#w>n}Dy_p|lbcV}%f_kRObelggZ591PT6
zh!5_%=xkh91T}b|7ZKO?M{3x3Xw~zo7XI-!#AYX#C`{rA(v)l!s~_eW{tKHL0DZ!g
zT?Mbl92eYHZ+Er_ZtSj0Jg*jihLtN*CqaFk3M%NHlgE$>q%<5E%1H6Fm_1IJU;GVp
zRzexRA+xfZ0&D$eQO4uQUPP{tAh%OrQj?5Djv!KK?70n>x{3O^{v{;rt+V=CWgArw
zZ_is40W00jh!ut{UO9`}o-(P#^GNnC6xN`(&bM5P0Xy{>4#uXsS%!TCtzoTk8f=>{
z@E0$=fLYxL5!k^;;IDBpEPGv2-sarX#nRJ)#!7dsVN~14edafFac=V)c%%#BX&RlZ
zxt=fk?uGT2&l=SZw4Ut+DF0^%eRIYM7o%m%=l182Fwxmp<XQruZU<v!M+dFN*mCo(
z<Odgv6M<CsC*q~T>*aCZ(ybC-gJrwo-fm7^o$H%O)bF?UMH;rFG0IK*krpxTw4jX$
z6pLi+hDUhmf>*M<Q^YcM5e06{7s+7OgxGgC)9R!PVSAzdG1}1Y1Q+LC8ZmC93ypi7
z-?NV*R`~apugpd6UycwJXlho0&38I4<bj4;yD-qs-tqX?Eo}#x^yRS0h2baL)HQ}4
z&-u=?k-+msV^0r(*<{-kst^wkfkJU|_?{LxdLrRpWwN}uYw786Hk)c2d;j~&rLIHP
zNKyg5Lf|B4*A_w1N_;CGcz3WfL(@vk52=-ysaEvo@raD*9uSuROiJ5%V)HKX;IF^;
zzy13_@nK3j&o5DFM+;l7x6Vd&J}0N)Z}Q|Zu4zSUXh3!L0N>LkzGB+;_i*n<jW3og
z=irn7C*rkQ_*qc$N(@iGT0A%GbTrx-bB?Srkw{0~NJ#JQeg{|3H^CM3mdB)An}l%f
zGeVYh%3s2F?W)bU+K<!b+h0Dm5O}ywNaKKj*jsC9GVr@QB?8#q17ibG*22DN@cm^-
zMdwW__w()+W)=eM;O=Ay(`|byDIny*dj?6<>2sK#lBCFg^c`yC$Lwsty#f3QCKv1g
zq8%Tm%l#{hW&zxLgM^p(eHdC7Us5Zo=03oQT)d)VFGTC!eTTAkATeB&hnWk2!vtZc
zTR<2z^9#|oGu^ug)%aNkysd&sgcg9p@gHu|KR?qH{+T=f=g|y4E7bFNp?)*FaBhGS
z{vydvjR-egu&7N$R$Og(qeGBm<SSVWt;5_fi+}gD&_JZGXZz*UHbSLZmcuKEEg;c&
zibE*>7QQF_^jAFhb_)O7>%Y2m@a_NE{{I%rC-`FpOGGjqSkHXL9N2G5crk;!0GDn4
zADgQYEuJSV(R6Fty{b@NpujMUk%v+J?@B!v28>ZA28K~)DC9-d?39Tu&<hs<GhN~n
z(B5ZB*l+(=HvcLZS?h_RzX81>*D808b?RqQ6Z-l$2hoA9tMBZV^lq2qk)#C9Cd`PK
zkol9dGh+z`6i{dnDnB)O##Sr^T;!|wgF_Mu%=q%<d={qLg4=Zb9Eb%vZH{8C&;NAt
z2VIf4j4}(T?0Wur>2W-8NB82G=n!6U`DYV-BKm8cI-a*(k*HGx15m8q6v3jq6?B*n
z4tD0wF>rLd$&c2inB6^>{B=WKb}G{;6K9j^=uDy}7Fz{;Ll%`N%2#+F!VQ#3=%3!m
z4m#|k@77#BuyWln?%d5v+-qCK)ouAR7|u*cK&!uSO9Fx^CXWk&=^gOZOGy6a;cW1K
zBx(o(lO18eAp-FX)T*?h+A6$%z4ZQ2UtV6y#A5+VI|VA#e-GPN1*yq-Ob!zioa4=8
z@Kh_fkh9@ALwg7h01W_L%~I;U_fu?X4Oio64Q}FbV!yOyL`RPfQ=M57?pe-IWvxtc
zHhaM}^7nX~d#@aiR@?G_E4CT0M5SIVHhf%<b~!OJFYy3XOg7gW1HPK(0;Yn5OK2x0
zzlys1*x458x8oXUS2lm%O+^PdERR!%)Xrr&{vZL5yZQrD(mQmYS3g6O>krnvPn_X;
z%KLDPV)v8Unxm9w2N#T9#0pqxS`3C$!|mq_cgq6H?*|00$JUxYF`)vsDu@{X9)9CX
zZJ6VK;wJ8J?1?hussHroo)e9yg4sy@5x>W6kZ$Mp6zkB;OaP$Rt@b5{Fy0p5`LFcg
ztaY$DbsNEtNDQ<rkiipr-*I?<i*w#?iBY|wgX`hpl1|&(p48>%xH^AK6~XP;c5%tU
zD2Dggt*LnR&avRn)(hkHBH@ArG>)D!TVItM_$b%%f$Xu?ih)r5vwUSB*Hxl5R-(lg
z>&7-#9kbb(+2&^BA)ayt(%SXex?+|5Q?*pp{CnA=G%t9&$66Y409I5cVxQ0UvRZbw
zh6qeU`GPt|fhJCY0c?u5286h1aWwi75K;?P$)I`quA>C{dF$!WbDNoMImQmmed6p~
zBI8x~(WX0`;%EN}tp^FJ+CZl54E&~I>9vC^JByzpYzx?-FP!fxpO=SuBTn3Gt<;=u
z+QKVgq_@Yo2%jv7mIwH6$*wyqRhPu#?l7xtW<D3rR4vB|+%Ob1pGsPBZYg=Jb*IK_
z2RwQtc97!SfPZJd69dop&|CDWJwJ_6H3WRMcgqhx!9yW%1#a2<xwhD5Jr`Qf|BBrq
zG~Z6GoF8Z3;#JSPrj{??d&j`<vovfW2rbQ%C`g`iB}OQgEes+dg})NXLTC9zPlWDu
z{+L=21hGRI!aHmYo)%bfSOE|NT0dPFL?MtrW1B7mlI23%p{pEFh!v(`zq(!LC^BbK
zIBXmpw8A0@!|<1$mlW;FIsDNrod3s>Y^Vr-n#3?TV*Th18AV}WJpmQ>f=ZsUbqWMQ
zL*cf@%v*VdaiAC(Bnq{Qb?bW8*GuMie}izduwaLQ>x`MGD60`PmLIzq>Q2&@Hs4xv
zQB`k$pvfqdh7LT`c4xxCExHVE{k7)f=N>D%MQst}k6iRea8O^o&_B#%D9|XyLSQl-
zmwv0mM!Gd#BnX5YaIU1o?Gzpnfly^$$`PmSJdxJ%^wG=54*-9*rJlhHGsV>glik*p
zh9f0IY>a-8u%8<nNbi4UN@#QLZI2xE^>}@~I~8d9dU3S+XZY?G-_Z$LmIUvY_ZwT7
z*VByob{wky{`QZ#!NcK@mgnGT?99aJ{&q`F<zR<PF8+pc#R55P_hzC548p!!<62t)
zmB`y;k?bu}BJ(p5<*jIqNXa&Xa=4{CYr?VclTeYE01W@90ZeQ;hnz~o_K8f&37iC?
z<kKJM2%|pC`B*z6Z88NP#?ToQMvlcH)9A>|=jCvBD_dvB)HmU|3s^O6MMpPlsOLtP
za5r-+7C{u);Ql^IzyNM$-jS@R`9S4*Q@}=)jP}p5;y8~DHxG|phdI^aY`JV}t!c9V
z{cuu>cE=ysp1#ZwL=6d)^ntcxf|QO|$YUA2hszswEr>n{-q&eoOKSqxl>NLnZ#)j@
z7CIL07K*cURQ|j49ehhx5h=ZMs2Er$sXWK8MH|D!#%2~BBsr_?T~W^LSp+L+kEaot
z2Nn*);U}zZH<>MR0hZ1X75SlRrIAokhb?wR&dBsat-`#SbeRSX$EN5=#Q>3N{k2(I
zE9V=*9cZTZ4~?PU*kD-B2@Q!H#57c?tmo{(F4QZGj#(O4EYnzAO({uEH_o!l)DAN_
zqgv=&|NAcgF}OD<8BCMvNTTZN4|eE^I`*`#MFFH_v<=T)nPN5l^XHdN!>Z47&c$=(
zn$_to;C!g^A;Ps;qZO{`6=*!2;B<3D*VJ*tU#P!a<8*G_;545*s6808kxW0cBfVV`
z&<)(Ot;24<>aYGoPU^<UZZjX)bnDd#x0$%#gvvR2@RmR9+0dy5W607hR7Bd#?-^xk
zdkeo2#v5MM!slXR`&)xgRAvM337l+ZF|l993ze@oh@*ui@pD@UTYl75s?#uz?TSO`
z-qCCw_X|{(%hBOWEUK7DDiN#HDhWy~L~0jq&II%^h%~S3McYZ1it|VxJD^v7RDgYJ
z*IewBtT~il5re_Bpw158wUaf>rECf&iPLs#+4Gg;8B`T$EJgAe;yA}$SE^%M&E(Z>
z;C%gb;9ugkw!~r31z5sY!HPunfP=McdwYp7>u}fVvZJ{Wc6N7=UFz5+)Nn;?`*HSN
zcR>PciRpk>!!0ps%d@+`jHMRsEFMebq`<CEks#FcvLe@I!F@h7^?Iw={+4h)sMzc1
z>b#BA8-dkS`YichN10b_B6cfh-bru1DL2J*XO1dX3!}vVO?2K@Oaw%9f3kETU+O?~
zKOh?&H-25ZXXh|~UZ6uM#B<YdV}Hr;_c1d%UHyk=Sb(j!EZ<4i0v_9bh{DOCKo#c?
z(u)M~!pBD+%ht2zU$R>{1ywYK)Dw_P0O;OVs1!JH$~rnZrI(jKN+uQojy=RpUQxt;
zdCnKLJa?l-UA`$1Y9~-Z6Z3T!_4xYI1fQ^lw4GlIb~}2n%ZdY_3vI-&Q6D+EYvYjx
z0z@ox{s-|>#7aW9FQjNX^FOE%h3GZrc6x7&{q*}B8FRfy$ynWOc79#Wvp3$GjNy^|
z{a0Z6ZT@8UOh*!##Z6Wp)*WqUe3g!U;)4zoC->9P3Q5*<9NXpfEYQs{fTDgUb~oyW
zo^Q-~^%n`;^!~IE@!rx*-oP=^kf!BJl8JLmc|~)%omkrCT}d!A=c~N)6pU)}l06S;
z=*OIMQXNE)6*C@>0$N70_q9yFvO|HcP)4eA{JJU6^i1_w;l_2WjhoFI7*EzrLcTIo
zn(>Rh?rX!AuVW54eTl#NP_%P;5n*57P}t-gNpy=i3$4(?lc_q8kv=^)O<lalCo?`h
zBXLve;}ZFg4Hw3qpuAhPnB;>j8x985_3;g4Nn<d9pL?i1oF0}ulU0})`Esu|=(4YW
zwKl}~q@W`Wa9#KdQ-7(AGe+3k@Kps$xgjCbV1*op+C1Sv7R(Q>=oZZX<N)mohx8{!
z<|(9ZT;;}KFq;e*zG)|Ie4vq?4-uJC?EbEqwUH2_!DVTitKzjjz9v~)u<2`qeKxC-
zGtYuu!@j4q_Wq%pGds<zxxNqm|6Az6C)U4m4>DaFdF1z8f|5C;w}`*3uyn6P;@pgz
zi|PN?=}*@^h78#Tsxb28<`}x!e^bGu70HVENFki|d*QnklxK4;#Of>+LaX7I-XE**
zc=*MKa#l>FAG(w2)zsgI?a;LRG8pKQWxq|)o7s*~ijc^qP9;bL%6oI9t0?8oC1x_6
z9Lm}jWF?0vLyRD5<Dpn7$FuG6Hsro4S%)kJQ}9yY|2EQmz0qpI$BroP-&a4ebgx<-
z*#60COL=NzxeC4P>)K>r`>?=XAVOC?N*HJ8o>)@Mo006iN<ZY5tuIvn+<f8(B%B6D
zI^%~}`1lQT0@OanFNJ6C4fa#~9QU9(L#Kd%0F_N<k?c9Hc;vbGoZ}feX*YSs249wR
zVOC=yo8u#LiEqChbMgOb{9kJs%p~-ZZbr9x9rO}h&-FF5*G2>^<>Uj(7{j}~y3s{a
zbh!@^E=6AJBLGvApET`10{x*lwAgVFA9GlI#!=aTQQGlH54@6p+#b?;kcai@(lB%^
zZL0_;)CcFZolR6BUq>F(?AblgjWiadTH%_bt7iB{p3$guO=~pB`5`%NFVkSBtoEj%
zHR+~M8rwwQ{rdF32kGJqtxi_%eWDS8y}|KZOyR3IU2XKC0!_A0INfmp#sKxCnwoyj
zJh%4O*I4O@3TdB&lm=}-t3Xw9vtsnf8i~J0r>H36S+vJPQp`m(@W?Xv&u3udgrew?
z4DxHAv7EU1m;0@Fjw@`WBg}gGX(?p5ELPsekoj5b5D7Cz46PlT><W=VRv?3ni8NU9
z)Hq7D*cDhP{q{=o#ug$oid_54;_bPIJy_wHL@;TtDV+cN@WVsuM80E5XWETOazVst
zR$^6*67~=kGO=}~BVbK2OC>;TpMz}#bQA3c3KBpeep!>D_M!C0PKCQy0haj_EE$dH
z7FI-IKp}{BiQuj>SN4+D2!Vt|f6HuBLjL{xud-*95DOa^ET9f{(H})i#U+(t(x~LR
z8xk88D_uw0)azwSt4fsZ>6IY1z_t%rq%hjZ2D$xfOm<<pd>qA2O{PZ<s>zxr=%{!z
z(UQhQTpvd{L?aP^NK8Ig$unQ;u!R5xu0m+K;cK!NCL#uAy1&wxWA0Qoohyc{NFpCk
zHktxSbs4a3zkjk;ylhOBTOcT~oq8@@Xy<^Xc`t*{_|mkYCRN%>{X9k!W2Fj^l!=pf
z?M<`G_C{B`rRz6F*NBPN+3d}pXezyrfL=4VzoywHO4E+aydIVO0Qrs+D5Cl@J0?D@
z$vQ#Fs={z+p;nwK^K0fzRE&=bNJHX5IVt)OQ}tW%sRf08fHDp={9%>a=xSY(Ypo>>
z4iAw4vEOU%Bqn98_J=e?PCBiK3T?KqEFArqpiEn%1h|)DIPeEW*{xe6JBkkt0d~#A
z&H`UKLp`%IzIUd&y%4BdUGOwS1s>$x`M21N)-#KmE0MS=<-CWJBQEw^Jx%sAiwAH+
zo{2dZ!ljxE)8}`qtM&VdiF+2Bw?~tu4roBFz@U_$7h*kojp5~VLocddWq%}9b9O7n
zr#n>vX(sRcf+p~JVcsq5jG9QQ+!bgR_w(;+@PR?}y(=ZWajn}L{`x_g{2$OPAyZ>j
zl$C(zA+S%_+<vcWN(DsIW7V<!{oqLn{ZU>Hj1@K~C!KQ*4d-FAbWhSRDNFSu7Gxcv
zPHE**7aW1&kd}lQzo{b0X>|#nlSv!C3?-vL#r((0Jaj=C2U%DVm+ZEl`4t(enR7v+
zG;2Eu&qqTg%6ZCuK<RO0>M9~jf5do+c1iGX^R<)LZcx_*YLQPT9S%jj%tDIm_O<ag
zt@hu#&PfhtulCKi0`4mDYHu~`5asylf#KV>FkmqBRnL6^3s-VfVNkZPayy{lJ?TXe
zy-=i$v3IoleV$Eh%l`#fZZGAom74Cs)dO~ae=D@v`?PxAz;$ER8eEXeyD6T%Pds@n
zciyJEo|=&y$;Yy858p&1q#+?9QojytEHHLb_@JbwJ&NsJUsu1oxj8L@s2%wF2ixcO
z>%Q+X#P=HGswdn{y}Xl-lGs_#=FdF$u2$&>sJQl$xmLIaT>BGh9a7v)vS8Tx<5oY5
z=B^Bq4fGMW=j%zq|KB?}1XT{_!(iB!<JK*}p<!c3FRvH;U1~Cy_0>k=grbW@!a`A7
z`wMMkm(kGR;Mdq#6<}6N%;UVHoc|zdTU}E%3=lS!ca*n=Mn{8RA%f_|7X>=?LmFeT
zT}GvDJEFiWTrS4arfMsJ>&8XPa|O2VDL1tUfB)bQ)i<kUxk!a(Z<bWpDZ3=|2oav5
zu7`yrR;3j+JwVu>ChRFa?u*GO%vZhIa71Rhv>b`uQE8r-;8^;TMxK*br2O&As}IUf
z^cor(F@?EAg&0=m=I!7V-@1NC^32uE&$BF9+NlI@RJd@cj4(4ZYeQjd{tUAP>%I(S
zT7L6jcJ_A}X=yL(p?iuqa&Ff1Wsd~W(+euFNN)z+neAI9f1gVXf6>SD2b(!hE}g)B
zTB1y<0`;T!vXrG|^f8k8YY&i3<Dfn<;#8zuy}y}rlU-hiH4$^eh^&{O778kJEN@p5
zs!wC_`UMrjv|Opr+ATyj#Mx5T#AR7)+Xn5BH`iWeDUQAvR_CT)aUef&z<<|0L@Cg<
zk#p+#GY&0FiBU_T+HB;AWaA=SG+b6-T6Msd?I?FFf@L06GPZ$YwoCXhr@=J(WxvwK
z+mp&dERP<xRwll9^q)Q>ve1l~4-(uV((FM_gzOpbq6Dq2`TF^fl$4Z}m#eGi>4?pr
zyPVs~8Fo~3sR2(hm8M1<)-1UP2)qZQ7^58Q2HWcqlB?s^_4_>wbAH_qZs6AK@D2_a
zn1!bDJ^*Q!)-IMS7D~}^WQ31vjE8RU*vwvyThIEe>3Te;>QDX_=}3SO-uJZTswtq<
zV}(FT<rLJK_`=$yblTev3>CDsgLJP?Wsmn%KZhh%>$lHX%IoO(yHfRc%$@NCbHo+5
ze0p%Re`cx+F4q{R`K~k(mj<@xLXq~BfpId6w~e56-CbHISg*51XO4iRQ`{7fRT1g$
zOgOd-x_;y1sGu{UEgWI&TqFw223fHOUHXgiUQc9~LR(GPsw?y+Qasff{wgOqF1;Nc
z9bLq2Zp17s#3$m@2oWRo#-UqK59o^OG+g1aROXv;-u<<J+nlpq0==O;-djNPcKa(4
z9TTHJ`gIw@TC!S26`UH7#4#J~zq;P(YUkYWRp0kSJG;4HKBpng5F?4J_MX=&MP_U|
zd`jEha}d|e7t$5gVW_u)fbd@3oMyaW=IiH}NAe0fq0TDBo%?CRgU#MgF3+|CU_B~J
zNnla^>r24FmB?9|t_W8ZP*1PvxPTT;`0Nbs>0&Q$T<FeJ0CR?zLC-jGJi8Nyj@OP%
zL#+X}$v~37!0Z760bwHCLcgKzm|i-O8^8K(9jTO#2J*n8D&Xzind0`M+*DS?&=3>6
z&tQjVFLTP}aw@LGrOOhJ+Xy|y<5Gl(3*rY3cp2yoJL;Y%(qDb=e1HH<M^UcONLtnv
z$OmU<eUO$rsq5QAh9+W*egff#Ke+mE<(lF^!>2Jzj`WJm$2|)=A<CBQdea9{CF@1c
zn3rnwC#wuOybfk~BKk~*CMSIbKrBF(Y{J*ikNgS~410!+dqO%-ey1Leq0OTU?D7bF
z+VbS-Zx0TVV)Q+YH3T<ie3Q^-H=4)#>hChP3)t?XLsy?mKXONR>)cw}e({VSsr5O@
zk>(oqW_&?|^Hnysvf1*HWoIXw0){c98{v^Jens2;{bq?}Xq-}qo;LH-)37olR-~Gh
z?pd<afx)yy4{Ez{SV{8YXlC5vApP%H2Zg4Kso8A3=Hrg%MPG&oD?f!FZcy;~^Il*O
z4~+DSOr-tBRY7e%HVRzSd;IBT=kr#n;<v5SPKkC?6niay1Y=w-Dmj=vCegL*r~Kmi
zomfC04VZ{4Y%56<mRD6RCJNr-un{pf_U<V?++RrPsPE?^UQ4M&a4?Y(w$|p$v$S9~
zU1clKs(g`p^Ebe*B?<q03v*ymdo3xH6}PuFNqwXg+@;Z(ig;WGoCu4LHR`=so6e`g
z{+!cbG8tZCz16J+c9}A*k#TVy<IEoG;cYC8&8I3>p2ZB>By>HFOsf_n-@(xiBbCcX
z$}X=DSpbt=TvLYlFg|xQy(QmLPW%4gq*E&ki;ism(+9or?DzqpO8TH5H|&+6Fj;me
z6{y$0Yz=tvE3kS(uXjD7=CBc0{}N=QEHppVtlDj>HD&w>`m!>g`zgs!aL2?D^IvtL
z8Fc?W;MDJz_Wk(8JknF^*)kV!6;+KZ`Z>u={=ir5qF*D)yC0vLhNf#q0I&x;>{|nt
zmQeaTx~TdDS3cc}!`kvb3_P;1*ebpINe0HF<=;cJK)Fav$Zp-buP+SxzD|<YCNJ;p
zF-DT>rAJcvJ{$bk%F6F18=VEZdwS$m7d}}w?IXd5C`~$*MKk5+n}h@hxnVlrz`(&V
z@9}KyEibldsw*vU0}6KJ4l%ZE{312)`J$iC^1*6<O6cX~QzA|mM7WdsDRI5w4v*)w
zQN#Wr#A6jxRlfsxZaTNTJ<r9mu-qzf-GX|YMv=Dsl~`u-n#F54-egH)GWEBhLU^ll
zNNXaS>hle=W2q23AAS`|4A)XV)D!bMKF$y&37}(WMhBO#Gp~}+zPo{o({wR6p4kaG
zwy74QQ!eGxyDfGD(AE}D4zdNju(RY6gTH_0R+<<E&5I=YY<2S23sLx^Y-8&DSb4+s
zc-8a*x?JJHuP>3?Afhq<l-?$cLA6>qXeN23aB$`D)EqflMI#V$(a;V#c`J6r6?$14
zw3HCE1hrClHYZfL@=cFFN`Z%_kAvMZo1pPI4=lA>{Dfe@EfYJot6$`*#V5&*Y2Kue
zD84(5dK+KeoLcoo7KYH9Vl8{>={SgOFMD!OQE=v~zY?0cri^Z%s8l_=p$Ua6LA2l?
z1<lQoR+HHXA3aksxUOMF_yq5NlO<%d13w=;dR-meF*H0JxSC~xO7ufjKH(!I7pq%R
zY7o4ZmuE5SdDnX0kLKmGciWt*w{s~&ONuZ$KK8BtiKL%!enA21&6Vnp%6Cy}Vnr<W
zC&nyOAJjiIv11D{xChoFfAHu&V|F`6EKNRCcs*l(F0P#EA@NOZ13$nrK=9Es_>J`X
zz$lgT@+ALf?}lOtbdIt>qx>aiN0?x<7q=~g`kv>&1;QuNn}OnkKdo}FqPlWE0;kGh
z7a~r_$C}l9ZKKOn2HWupoc|wNZy6L<7i@tNlHeMGySohT5ZqmY2X_b>oCJ4w4ek(J
zf&`m^!QCOaLvV+8`0l;$&wEu<Ff}zC&e^?NcK2G{x|-2khdjoQ^Qr?D^`%v1k@M|&
zd5CeQ+{qu5`>h=ux|b^E)_X2SCHS+&y8N(j_d;19ui*>n^G!{y-5rBRPG~}cYh`;#
zNU_Aj>>LkSwo(D`Y%s4r6n~1Qpfm5yA&*`6jsGo&&n~=3_o?FpC3`v(?B?}-`2oSv
zf;UWWD5@l&JwSW~S@nf?UPN_95jBiSPE9r5i|eKk&Q>#57(U|w*20|fb=w%@6`O{c
z`+dLF#4riY_TZ?0O2EC)3Eq*{mS{iZY%r3@Un5Ygco)4(NiYUS1tAp@QAr{%Da7wP
zo;5Kq)Hf*0ipVD}u2=5D*W)K2aUaAjiK}$g70guO#Z7)udA5;@;oj6%+4jNOH!=TN
znwYajM-+2@ZN-7de<<n(d6!O`jFDfr`~{lQHZf%9(;5(OSE4IZWd__>m<9uNr{mVX
z6R^+c0lrm_iXiJrHW%S|ml5DZEB@qkJj}Qp$7pHlIm^k*v-#YrRIW8(8`I@PHd|yL
z^A`GSf@8qjsadh4elMA~-QTJquV(7sy0~UeJY`5hTN{paOa%Y+u|Sx3Xl#BVRrdev
zoM-|!{d^`0?Myj2x$*Jw!Xp)R?a<lTJq~&xFs4(dQT}tlMF`AQ?!kBsnKCl<mhB>5
zuUA%v-`Kd(8bZk92)SVG%(2R)+R5c41dLVxK_emPG)PBFmqkZ@&4;jLI5Y6{`9hn`
z>I=1&05>tW9RlE@|BYs#rm;Doz@Za_0jB7iRuu#oTB53}8?YHe7_tJi3qHRKV_Y+g
z%o7i;A1SP?{J5Lz0{49T*U0JbU*qXH9+R1jXrSn`8cSIHAjoaE9C2_!z{%761)#Gc
zi0iG6=LKRN3z+>A4KfZZXE;0R_XQZRWtN70zl_D%tT%Xl9tdB8{#z=@nBPYZOQKk{
z-u>Th4=kMAT*ha}H5=h2sbm9ipBpX2m40JKk|B64M`rvNL>spemNC|}-CG=+PAhS8
z(1m8U6Q^o*PsodDWZ`ci@m+WZG$4&ZX#>B)5-73Z+u=9pj>R+QmXvB^E=E&@rY}{8
z8PfNj(O$?PrYNi{yXt>sh&hOur9JXK3hY=^J0NI9mE>Xi0AWL!dP_gcJQ>G$bbTyR
z>VQnb;YFoYvlJFe;wjgmd4IsT76>?JNXAv>+1}>Z#+5na*M@SbN>L7n_#94SrX0@`
zbHR>V^Y&}7vqn-fK%E&*=R<X@(vMc(8TlkB$w#Az7YTWJ7BuuQ$4_Z*_$UsC-Um3N
zAFSG6QTNu+%QTRH+8)NLekYP%(<v;>>tEC6atbuXT#OpVeYSX(tv5Z)WViOIWV*oF
zFXYY!oYJ4Sz+epH_C^yfKq4Vf=yRI?q}}xN%x0c+PEY4sc%Y=0OK3Y57#j20{hK47
z(cLJ&0v->Xi={H8oQv?^fa%!ZMjox7MO=YwC|{wESmX24g$MY;b_l=<gaQBd`%a41
z^21-F*GRllry0nD?&%Zp_*mupF6$L4r;Fe|JzVwPqw2*emHhe_rCxbDrvId_vq0Ls
zc7dVQ-T~(g%zFDhCW8FL0M%RoVmn|qjD)&6$Ec16ff_w&W8)RjUxk&0_f!E0#(Q?g
zx&ml({N9Xp-4cMKNW$e=1c63Aq#F0;>^i_BVvq9LlZ2oXMnImQ1%bT}4_vG-m(&x<
zk;NY#Sj(PvEKA@_X*)4KA7q*1jX&1$54a3|cqA(?A)u>0Ewu$E$KK$8J3Mv|GGN&-
zD}5}P4LuE(l|-B#@q%C+x^~ArEU&!UTYa!!ZwZA!192d=MezA%_pI7Q2~q?MFiTX<
z2&^@gG6tHHeOce9Eof+<nsu0lzeIpNc*zroBTpRM08XiFri&jBajab)Uk#?4+ZE7M
z9bT(uAxwv(gdvl|0DX;Ogbf8aauJ?h|2|2*DG4*m3m>1)J5~|28rSKv+)>Yz60V&{
zsWGFbY0EoQsW`S;({ZD{8F44eGYFv48ARh&T~2ZQP~dk%;n+phoNbIpgLadpM>n`@
z!K368l1E%}<Hp~ELGIfeOdi12*Er{6m|~o^ffe#c=td*}Yj^ZdxQk`mpil_7*kZYE
zPgvh?@Q&9HNhCLJpTO@fQ*XUKF#gqcdoh_Ty#3kPFq2aYRcvRIT(vlyuo3s}&yy?p
zJAtgQjO}t4=;xQ$*_i6E-MCG-o#k$2ls6x1pV}t$c_4b=ygdtz+X;2644D8|E`CmK
zg|!8VaRA3bu=n-pWnV*|8DMxgzj=OU-|Hv9tAn7oo9-*IGld!?(FNM?x?JYtP>lAI
z*iH7_MWEkgNs`@^f?3*>M21z>Gq0$PQ0zsY`_-7^(WKj9{Ovg9Tk~p_SEky2I6q!_
zTA}(M4-^tkz43)g!P1yr7L994N3;DWv4_*S0r5uoKvd#34g<#6SMIh?G#_c{ehYMu
zq+;l=NQ9jZu1evBD1CKt74ga+1@6o@9#kOp8q7Ml#sXr0_o@j|M4(|slm9VNX`eq3
zN6{?e?@|a68*EihqP1@fvKCkB_qDuTBFz^TpNSC@Qzkpmu(ib~n2L@yNp%WORQ<g7
zw}1y#N7a@1SW=`c=0AV=e_oS{AFn^~>=;AYich?UjVWTYr|LHzJ0|U18Rdr(v74_0
z5?9XRb9?wzbBGQ<VA+Pg5rJ5iq#B6rQ$ICav{=cn1`tJ0aF@CF_chDT!G;g8Bs_)<
zQw%aE$*i;n=(U7}RdXJ?xHQDd5F()&xS&C$C0Jdt`v2!)fS+FE|6_DJ7->R>Yektp
zxoYEu__l~I&Ru&5Pz-NxVOBUKB9M3RzEAuqE+EtN$ss#3W;dRE`D3v>8=S^Qn$=rQ
zj|g%`u{`#RDC06h*(pdsRIF!Y1MjHIG-=4^uZx2YOn}U%P(QcXwR%;?wQxu~B41{!
zT^5zz9P{FGu&{JsEb9HYCih4-?<uPUox&?&2MLjK4RORk=B+`X^M0Zkd-by=Y-&GA
zoevJ3ElsZPF@^Z8N=n-?K4Ad#pdhj-Q>f%o!Pa0M12at*K5Pf^7GiuILksgru->d)
zS7qpVi=^pSbNY0UQ+ONFX*8i8M!YF>Wc-axg$dLSS#_!ZU9-yX@d~9#u^)95_Jf3r
zlei8##7GlW7=81J-HQKhz5fIjA$0()sP5!*rE%F2UeVf7f>GQJa*onbLn41E&uS7t
zk21m)VjyDuVN!;cJ!99^fz4V*xuw&;c?q8s5ku3j&BR*k<%$Q<!Hmd3G}nwLdnp6a
zZ4QIVz-6}b1oh=v>1GF*5|Fl9N4R7h%4X&ix#{%6Aab#@rOqD&|8R<lkg8oK8d4Qq
zeHQPxXcN|I8~;>NWn=^~wlS*u9?fe7H8oI>P6&%;86Z=%wWTbsn}DT5yi8cJ7q4%*
zThmO{n&+lvA;I~S)4=2`k^zs>i=KUCrFe5-C#0RctNHT!q-i<P-yX7W@YUt{WYv{O
z@GEH27x#@#4N*kxe(QX^+-7aAO0RYwE~UG}Pc9h(7f*!Rp;sc7iyrGtI306@D~)f;
zYM}kfzZl{;cJz~q!xe5d!^R?D<ZfFz^HM44Gy4iocV=mcsY&~kr+cCwm!T;EsY#D@
zK5*seTF`3l4>ErWBe^>=!TL5VTk$4`)yylWlCr#OK}jzqUb@(J$=YE5wt;o|eUqX_
zWh;PysVL-#a*@n>I`+k7T&Sx^skxvU8jR)&h&p~ph+MI7za>ZtUXQ_+&iNrwjOxNW
z&)v-C+C17(tv|sl*?{(gt^~X3BA#Tl<y`RduD|IpT%B_jdQtz?kLOjS9t<|(sGPWm
zM%%7J=&RjY2{n4&(YoD$l{ONn{a@pWvYIb&nm7e&J(o}#5NrKF^|4-{6+P$^nM)>?
z(o-<06EH#To6$4Z^@yyOl>)mantBQ|3!J5tgTm+jV)~`|L~D1O_RiUqh&X1h1EpC^
zx#DbTDLU^k>Q7q=7z|)5ym-n@mm}R43e#|lx?$_|z>g7&L0=0r2%|OKp=TI#c2@r3
zB;LY;xkO(HTzoL&&luE4&Xlf4ivn%Rmz`Ln>`M~Osmg*uI|@Rw=$d6tm7c;r?3KIj
zK}|)A+_9D%jAf?$EX=gU(X;(R4t;R@RrxDWil+FpwxAB`p+nzn>4NP+q4)b(-<Fs7
z+>*RIVTpuLeot1<j$5Vfi$*ta!E0Sf>ClfIY2P<2St79=Gf`H#TW6;2;vTA7ByN21
zkzflcKO<lIGT(bqDrB<c5c!xBe~ctfhVZuHq0bYf!4-D?<Eso*j65iCvfz{_=oaiY
zXGIPywnFm{;wa!Z%2d57nv}CtTp$SH(mwBFUj)YS)}*??eGg9-DZAmA*uH%3^)g~}
zmcE#h%_hz8?EBy-Ezqc8mK}ZUBIPwzlGJZbc{Jvt_4pHKBcC+r)>Q0xld6|)6IP4w
zPuL>D^TA>hy%MZNk{C6M;@dEZN)`%*-yTvDl?KC3Uz&Lk#Ml3FWbr^f*C|*fgwQAX
zETW`EuYS+7M|kFpYcPIUn6EU7mNvEeW0%dPRLbgGtL*i8GeKBTkFmGZWXjoK&}m~Z
z@@s(~W!EhmST3qpYe8-Qu=^rdf4%*qQ&@eTt-LwTVwjW4U`mEP#zvzg(^Hv#;RohK
zHd=C<Wqi*OcL?Sh?X}1IsOumv!LW<`d9CIufwn$k<koR<+0+}K1Na$U-yH5m8S1N0
zk~Q5Na2;PX=AxE!H0&%d&x15sB^i5~VzIE=W(v`kv(JL5yx=#^cUv4Pl6s1Cq=L$O
z7$FFlqPH|fDA=U1dB2uWjb0+CLtiriB)|T5hjaII)6sqbOf5=(B-Ng}fG5xvA+4QW
zni4S{_w803Ti21bTxDFMypbY6rmjvKV1UT<k$+M8Y|zRN&X`sY$cmCO%N%7K7^E9X
z+iqX1Qs1vU7<X~N-c;yOltJ=M!&ONUDh$|?AbSXnV<iD?PZSz}KQnHi*m(=|VSm@+
z3Yccq9d4gbbjv^p-ee^ydYZv2d}bs1Jne|1mO|oB;$y^5ph@GLHb7C1Y!wwIID3JZ
zd^}RSp`|2qSkZ~$RoaxmlEOzZ8{Swd#s4OGC276zc<Yueb|TG^Wl@P-T*QbM$9FCC
z)Z2@?z^*ZY(Hxnt_$^epy426y#REfF8@-cOJ0s!AobPw8iCKlu2d<nWm)OZq(d2V=
zbzPUm5pzx!u=^%Ue9oP}E<sDU$A=P0C=0AmYb7;_?2RlkR|HsdCwM-k=`_~_EC@;;
zGngUPfiRD2;!4+-x!z{Q_j}fS3Wr_{^ET%U!~jEu&|0&g^z&8;@t&WPmPo|x8$*P5
zFrB`=+QDl7X+^;QX~h}Nil-4Bjft~ZDk?_MMs%YNU#+_1vSzLcg*?_+R<joWT0hX_
znC~6gMF_&13?_j@J)QZ4Es6sU+DUM5Se8cwB3)xD&8$kI`dQf$j{1*s9epdAyV)&+
ztzSg6A#MB-lY?l*o0?=q@O6&*4@0e7Gg9tBb~O%(QU*k_zLY0#AhX5teO3V(4Ux<c
zEh!yMFiYiPB{=Hy9{d1zMQt%G3Vggfzs`&o%wKuPdtbRFD0}tW5O6`d!;JD~{ABVc
z``=~4WMw%jGCpa(l$*mxd>|@$zE1f4(pq~sYsQYrd8^nc<UQW+W$k<PQx5bZ)I?Fj
zD<M_KjsgbJ!ttaH$`Atk$nrwwJ$OW;Sw&41bi{4Sr=oiqNh?C{PIM!Q!S?F<G`Y4X
z3AJUv@Ix|}ECfC9fmv4ICGW3y*x!YveD-gze4PB=n~6X#>Ul*Fn3qjS%)WU*^C~ps
zeapdNc9G<ag-Xfb3Hvh??>J81C_2VWx1r?Po*&GCg3{`I6F5)Bx0S6KhK*x^w2&MY
z#;IW+8y}<*@t~Id+?rGnaY<VfnskMY>e_gi-K?SUAYjb&WQ%-W%Npc?jG$8I@0rUE
z^W6il&P9lDsJoQLbphs695y3fG$KhAm1?4Ukf=<e)mi_cJiO_7p{{a<+j!yxM$Zpp
zez@s(vjeF>V_@EDA3jW)g>q(cB1n9W%G4HTgdO8B_hNImE-t8e@?6~q&tHf+Q0o$5
z0Az9*y_{-+$&LaaJ|0f9?(A&;06!p!u}?UoKQ&sXXrp}{FRHv6EmQwXb5<e>-<f@X
z$tn0zg*TKUhDj&fE_MJH({6x@wm^ZyUTiTPDP+<5BX5iW0WP~<gW;Y#vcS;uRiS`%
z40`s7M%6RIbbmd+aA{W*NYNK{pN!oPLB;9&*Tt#N38vX#-hDYp<f-?+BA1C9-@?MT
zaSb1z@<e2t7O-vB_>0YclY!f|AGz$vkA6aG5Tlh{h|(ZG6J%Ru=Dus0hmzsO@mm!7
z&U|*er$*z#Ip<$LdJa686U#fF#%+uKt`g+u`ja$7gH#WP_IKtn7u#t4k0lmsSLzXh
zISR>}nxs#}+exaBf>UI8cR5}>^>aZ*ub{j~w1i`*MLhz!*4IcU$$$}ZlUZii4kEa`
z6Fr#Qljg2Z!TfzOD-W;9#r0k|Q_(J@!YO(lWWZ6?P$drLSLb1dqG{&=X9g^AjB9-Z
zvO635tG<p&3E;g2eWKnq;m(xQQW_qap@IVTG)2XzWha8_LOxBn|47e5GlsJ<K-K~a
zOTp!RX3myWcw}=nb&jjoWFZG9?RN2|%xu9@(Ne04VvIW>t^imvHX=elH*Pd!^?MeT
zEquWq`cgQVZSp-Hh4|;@k4T~7Q85-bbSNdU&QxI@53{zllI|b4tkTP~oJG?-&DKga
z6{d}nCQe8Xu+EJ98T?^&#5q+4<l}qw8h&un8WdueiUqN0?}lsYyCU2CJW#_vIQvuz
z$M`MbmX(nDavY4wzrdbnXU3aa+BKjfR}p0HPZw&0VP%;yJ=cI8<z#wr64SAFz-}+{
zFkdJNDNU(3NXA^;S)_4|bS=cSYL`Gk(F~;@ON8XQ4RHnKERadah@=F09jO_4Og<=Z
z7yFS<x74%QF_P+hX)++@Ac?j-D+5a~*>KL+9`MSREzSBGu^4a>{XJOza@9dD4gIh=
zAoJ^fbWeUeDmh>oWH&!}^nlTDuPVN2bQv3~0S!GZiIbC+E^y5#zo<E?0kZaF2yugO
zllzXd@E&5Ih$PdHtizAA=V`lO|BijQ4xm1Iw2D4<!R9xNz!MJSHkE5##@+-OfBr~I
zDS(F$oCJz3O_jK)!NVF#+?s49f8twzfn<{tMM0P-eTA$j+q6QE`17=$1{G{m1;4;T
z47?v%;wht-$_j#4REudCgkulL;+UZ-eW4hm+KdDDL57^QsrG7#ZuFS}QT3O}N=(jP
z5y^!;c|}?${qN$nE9Vh02Yl-6>x7b&fnF1}<%>U;j2G2s3XW>LC65p*0`66sv~_e3
zFlC-#t>KShkozJSugVT*#J@YhV~@hG2gRXTI}?=8MD)D*(0Y>S6=&EQAG{r0b^X&y
zIl{@hyvbRzU%aW{dh(XrZu?T4>_Ua~uy{aAmd}C@#2sxpr|Q2`7q|d7aaWF_69;}j
zLmRN3RMa-eM`(>)C6>4u2QG4s8%*}tl1Vj<-1@wkIB7jRVQEF;xRcf#E1sY@!u1dg
zh20vbC62m~z=%kV2+|Nq9~n<PaESpWSIfQEdeVsHm)Zu&dzERH*9j94=G~#FZZ1>C
zxOgsGx(&efgr|-`F~Uewf_m8*wWZVqw!U(OhA(ShqZdBS+(}+n*d>}{*+ibjE`Bmk
zVk!~paX){=J?PYEN`9~zhCb(Y5$6GBn3=iiNFO-gym^&sLqkJ;Thr+Ooa&2X^N6FM
z;U=u>m|bKMM#ny_8`71f<R$2QUc)>$ldKV2rSYSr`@hK3;~0JWj=KSEOi8`c_1bc|
z#HeHGkUyuxi=iybDwUf(O<WZg)Gd-RSM(K}G#XN?C@+O^HNY%P73H%Z=47C>|JmHg
z((vJ<^HpxuZ#wB*OzHu!7DijblV;bwRGbrkt{v;s1&k3K`TO#`#cq=|2i9e*!o)aQ
zqDU_;;+5+xU}(nyuQ!v;Lu4^w8~*WSsgW7mP`UDgA@x+lk4ht6v5_xZn&&1*bW@uC
zZBLsN0%_-J-c~-Ji^^7PR3w&)v>3g1Y$V0U(%MResKzc(gi38%DUTS<@vf=$kdrbM
zVt<V9VXfHBIP&M1;dw!w3*%-Z?TX$<JSwq00Eo>QI{G$Ll1siwaJ#ZQPP%J{8etXe
z_L=0*5PYwxJ5j#D!p&7N1{tsNRklmGL5h-0=e<vSVU6kuS*2~3WZTH0oz|=iXmusJ
z@p4Zr$JA63i}3T}qSM>lDqmciE0uFhx45I<7<`BBgRnqy0zefc5-_yCCjcwzn*zMs
zw9>31{4b@ZK-#O@O-J+F*^4e)U`yuAm();BkX3$VV+T<5qBwR(?~DEtx6Gpbu=p{|
zg58s{rDvwl1g6}{u>eZqN-|;|xsX#{`RQ^VadgU+)Ug+KN8}=R1nCr%a~)%`nxyF=
z?J<mtZF!IyyKwR(TGmHC7X{i76q69U(cj16bzk=q-uBMw9a6YmO6Wt!S5ogEI%yrG
z6+BJW3j7kzvpe(Z{1~VmI8w$Gus$uxFRxn7lS?j97%mxH23zHU-6-QYdN{I;Lb8(V
z;8zUk7Z2$PJ=D<SMQj|&4ITB|-3}<y&BVPdvVPSZ?GpX4`w0oM7N1I?P@Fkb9rvoR
zcZ<rnC)~FnoNmE+D!Y`M0LepY#wQ-Bgp#uG43b9n1lI{637E9!gSF+?SG9~;7Zh~x
zRg-HZnJK<eZIan0M;ZHVe#9pBpCEB{k)wyu3GR3&dLbIhV~yQ6B~g?-+uq>$6re%*
zeCE9_3GI0e9y*0$66jv?D$qUSz>ibTTQ{GdcO)>$HSYMQDHC<9TU{!ii1Ql1k(_~5
zB|W5_M7@n%YH1iGeXX)f+?sp7UdFEm#>;DpXutMgC!7-oil?BTM!~O=oU+6puYtWn
zjdlQ_DX(Hiah%A$2{zG;><s223_9nFy2m$a$nQ5amzIwvqYdViEws)zjL&zd;vh;h
z*`THE=JZZswBEZG_07y;V&&1_O_Hk22N9!jmZ8m51xaPXwq+|-9=x$zCofgfsZqeX
z=dbV-9P^B1_T^>7qE}or!0XRah(xSYSv(0O``J8;6tvJcoJG_(EmfL2k9V!!M(9N#
zkfVT$<*(dH*1t!ZAf0K3OC5S|R6L;Py3eg_?ns|V)C8pTt&RBUgj|Rd?D;0p$n|bY
z8fvGch@)y{n$$PP?ON?330$0m&9`*oroRoAcE;JC2`WSA8<>xsloCe#enHZAkv%tp
zg~4YO+QA34l6X&+@dao|6q&Qh4r5&Q;`j0Z>WV9Vr3$a2gF*6Jl$1t!EPlMYz?jc^
zQpvFE^SC294n>faGC#+5t(2RZWO-K+w&n`U1YTd0%;|p9#QZqlG~TcKvAbG{t1b?$
zvTQIPYAYw_12alAL?Z0|O)b@wyFLM<t86dEIk%5fCu03ZlV!R@73bn#eu-@vt+A*g
zz20Eq4R4uMF*I~z8DDC*ph{Bm0GMkRyf=T4*MnV!QJtom`LA*Io9FC$!s|=g{!`iv
zlPtnJ{Qo_}W1>lMsTNtDha+aM77w<97TiHZT;Q8dsIAh-%=<u)4tJ_r`L0cHjEgh^
zG}@U2F9u#sX_R+l&|{J?!v4bn4SbfX$w5EJ`P^|Z$!&_XM9Jw5wKgKY61t3URch>B
zdi^aUG0u*;GQ!;l1aeW0GI>0IR5J*oXN=249H|^U&hRycR+lY&_CDE642d(_JmcWN
z`d=t}-dSFgBnOwPK*@nO9e&aXR{GX_J;Rg||J2SgerTL8<JGThSs2l}GSo#7Ri8>L
z9)y%nCu%eJGG<lE)=t3v10-_3c02KepsGTUR>m@=e2QoelY){3=UaPvP<agAk_1sy
z@sz@nW<zoeN2&Xg_@8|&Y|>DLUm{FaMB_0{txDQ6<skB=W50MvsEc4m_dzJ0xkS>D
z$nLe3IiuH)q*~`VEfmIGZd4Ka$ODvVPe`doj`FZH!k#9$Gl}}xKIag2ovaCxEL<$4
z+$8n!<Jfg_VD2KRR~_>t(OTzvMTm)g30|TVkl0(50*yu={a=#LnQbyioo_YCG@d5Q
z3+`xChZ#3$StHRXLK}9#6T{$%_Iw|)`s)`f+H`8xH`}f-e6dzWqDsWhu0ITm#p;!-
ziYOLM#EkY3p6o4A5MAvpmB7hXrsvFBi1C~d%%6&RL-@y9rR|HVCL1<#wPNTAv=9B5
z%+ol|+YW+tto!{R@>(-cU__e*p-V%9-Bt$r1RI44XP<H@s5SV15Rie>N~Ms#awX#y
z?c4^=>e+!w-`+b4TKG$_#&K!Ae10O-Er`4CySQv=(saKXF3RRRLJ``ompC>BAHTE5
zz5n<o?DDO#n;4NU;r&0Nm4TB*;iOn__&!sLBuXX%gfSV*SyEtRFv4KAlH&wVt_O;1
zpJA2G#Z6aZtS%3qS1&x5whJ%w`_K=;T%^TR^c1m`BDW!y|MajHeNQv=-U;Jen!Kzj
z!FsQ9bOGmHp8{O{tK;^ERL*|s)Az49aAL*$+KGmB$K+ynG}iGF$LL#fGRC-nkb@I3
z^XObQ=ej7SmZU*6uUgU(4QR>2{~ZBOuLVx0rc^Sh;Lb;K$T7mU*_<aWlN&*uE-N)_
zGCG_2pY&z=l0aE+f0+e=xMY}!qYx|Qeh!wB&&8b%L*D32j{lJ*H+tXLJ;PWoU?1s)
z`Wt$_xGz`XWya$Cl{W^hOtM{;Xi0L2&xw7~Cibk1&2=z%A@m?c+Vnjo%-NB!2(=c#
zBRj{pU;Gh|>}@Agf`qyIlQY}M%#lxcqZ)q%^np0kNv1of+$c&?CmFn_N9RId+BaZx
zKz|u?Kr~U0ig1>r8XDzhk5E)<{LP*gTbU5#J`$?a9Bk}U-b+%TdlPpl`zu_asS3n$
z7=GPKPcGu%&}?wx*H`T<oj$SWZNrEy!!P|A@(wd3-#5+_e5Wc~<(GVw-Yk8nSJ=2H
zM>SZeS%tKqHnhsVdc+~Fa|n-Jrb0HQX*Bp8+>k!NswE^x&Q3BpM929EBoa%#7RCSn
zm-+Vz`UqlKPEvZz+W~rgmaSBW<!_E=DYgpiLY}o>3L_2{bw!Moz7+Wgi1(2Ph!qmz
zi`f*b$41rtY-)L!Xc|PO8f(_NYT0%c$8wa=O{y=ni4$$?vok_7F(>4XS#?m}RJ`nH
zVb<@WlF(<`sa|t`?z4#t`^p<;KM|Yby3Ff|LYs)M&Ff_Uvm@=<Y0+#KWAg_~`AmP~
z2g|+vBjk-kE^{j(+0(FdOk%eNb${4m0Lh+05>eWbe-E`!rUX}8w5GX;6Im=pNH5Qa
zO=!mimYTAB)9G+Di>uWlKEQ-Ixey??;WEnEBy8sTjf8ilTOk?V2P&?OWv!wON9$49
z!NqY}Vmv5H-k)}?^O32*6Zbh@WG!Pq&cjRGYf>>#4?M492XKt7vQgr;ws3A&S9pR}
zWCE~w#gX*j*7*NRLdD1Ca&)o{uI~!Yix3Pq7xO!Yaji{fu;N{nk#+THl3ZN3&wtrl
z-*GdCGz@uhR1(rDDpmX5fwe0t?fmt<M|hvq2))F)JA5^}uyqvvMz@&;cpx**00W19
zpV3$vIL3S_P88f^hTa9-Ss4C~x{H#uvD9rJmkb%G#}(4;r)ObW>AVmeYxxt^`JKWD
z<B4^stSRzdp>^YaHvTxKDvR8L>An*bv+RL63^G|t&Ju7ArX7r^{RAyJqh9l1aTLKN
zzw>Bxr6Q!d{Gn$lQ7q7D78bRVR%;b)JGm6UzB6^dbRA9Dy93fw`PmF^2Bq0I#?BSi
zuJ74Ky<MTre_3&M&~Y19*Xd=UU-S9h>VfRapDe|njRP^$btqA%C{&XfYL-Cm$amB0
zj-16m)^mE)@wIPaG*+0uGldegEpX2{$6_1fZLr1)#;A|B<0V=${lTriqd_C$-Li=M
z$GY}}nWJ|eL1@4>GBVP#-Q*3Rz8rYU<^cS(m(SH9Pu`C;i=o%p33wUAWY~M=bYwu>
z==S~|!e3>gk>d}n8}m~Lu6bOP;wyKT@>HMj(&iy>hI6_Oq^}{Wv4Y~25g3>)#3~lG
zKWC??OF0~-lHetp?SJ9O?f@D%2^66Ydzeyx8NF`(vDH7VXT^3kndsk}UP=_n9%riA
zm>s~uMz!?_R6ETL?oNbfFqv7!$eTchW|*>(=t*M)l(nCB6u&;|oM(aZT;rRxAW90J
z#C={c*cAIA3a!NWjxlIjVfg-H%F;ZWL?+E8aol*2)?HZ$PVyKj(#URzjGpP_3cHq9
z;py?SGQUV^Te5)xKEFp!Nmg{HAot*%<1@?`0f}rc!4iK8w>Dq-ZvE^8fqCwzQ<17r
zUg@-}iKSm1g^6;wzs|F{Zu@H-``_Ly2PoPa_7CH$J5AlZyiHfY0bs}$PXES@i3DBo
z7AnIc3mUls1A(DB0~6%~2a5oB?`X{*<LU~P;pAU@fyeo2WUcju7J!`ld>6j6vm?{W
zhT_yvP5{7z0i<w#BiCEJEA6>yvdobU-~wTtudv~&aw!_hMY984K&gN$GkQwsKPVC}
zJ3H}bw%mocc+vU0xNsaC5&}qByJP^iI#A=^Om{6E_ZA*)ou_$uU5evB`2u5hnX@bx
z+^BObSI%cMooGV{KxZdHduI~O(vhEk{5zASePge#8e+_k`f&ZSR~zn5k~_HDwETHn
zVMQZpQB7x<*NL&g@429rwJv;@!|-97b%6c2priSXaQ*H3Ww)`w+g`^PTxx1-M*EAD
z<J;-o&R5`WUS}ssXe?3xaq}b5R0(k`tI>_U{@JShznsW1NJR~6FPG614uHqQ)oVWa
zGj1&Y@3+w-9)y?&rR#a+xaI2F+v$LwcD+B<2qNNlo!D~1X!PgiWi9sXVd(@M*B$uv
z3cltKy8l0WO-H<tmg5+a4ec(2Aa!LvL;$7~D9_povvxOoWo2#M4X6d2+$8nqE+-D0
zr)Ntm2kUOymvzQ8uSY7FKVg`?we}Az%f3sjAm=S7xs!-y?aekvA9!kNYCIl`j{r=C
z05``UjYbJCbl1q^eYyf1Kvd}N`1S}_Z>gwk_c9MEI9p&fj138qDpV8J)#CuLZ@s8<
zMuBTj>ns2mhR)E-oWAqo`0%WC%m;;W)i9d$@gME0O^hMpivR{`0Pxb~``@`6L45Te
z4#@?0nj8Mk%%!gLh`cCgeLE4GAqm;HU3Q0%I`uaDe+R}r{jKd<E{HjO0svI!=svFq
z*gs>>yD#fgxwpR<rdC}F5dRNAl9~3<-?rFoUin287m2?icDcfYAJt8jDs_A-E#f!-
z{@)$J*}kQ^uaf5Y3l`trC!a>nWZ6g>>MyX=M(d?c%%V|30vMa=>cUM1pdt>xSwYv#
z2n!a?cHP_FENvZpF(X+J+9@2IEPhfhx2xNMlFl&Nm*=du=;qc|{Fmq4mq@~{XY=K6
zbB<?op(j1jMlbAs*O7YD2U0M+&J9Q+k7K!;vun>Eo7c`=1Ya)2d2cE?e(jAu{5l#*
z{(Qbs;qiQmzJAknPul)(xYxtwPOj3R>kW_Zp>4}n{<rlX-j20dkua}c_PCv({dWU7
zft>nZiF|(C%KhcnOY?YDTLSY6uSpX*eb;{7V~WS)&iQ-={}TN2u-~;AFS7DO`q>qp
zrR|>}5%1UW1lj4Cna$Lf2g+rqL)L%GYotATLu;RWeczI_y>JWO?+ToyEBn3swt6AD
zdd<Vlz43JFjZShmMeK33{@ZE&ZujqtpD*J{=aY8J=B&}*AKrek@Gp<rM8eL%FbSI(
zUHz-)p??FpCx47c+mK(JH?_|SUhetID=J)O-@;&Tn}2R~1qtA$3y*oTb|3)A&;FDu
zfv<P)!arV>`Ogn=Xe+Pz`MdVreB@=5|Frtj$%H7X|Fgt=iZxxwKG(e=3{0@{B{Tdd
z2UH{%Q7eeJ8XNHk&O4g29E}xc-G)rw66F9i5V>v>hK!$&^+ab&(mNvGX(Q}Y9JV;d
zWPV{5m$-uGrX|%K%}ogh@U~i=0BkakTZ0>&U1gk7$ew9Pl{b^tZ<C|Usirpd4X>1Y
zsp;clC=upEf9UPG#GB(`c@`n$?%8B2Y#$#SYzPVHS^?=UnTZN$Ir#Mp^|R|K^X;gJ
zKdQg~j_0t*(@M)z^@FOWW+0a>&tFGn!N5buTWx*+-mZ<jP*TXGx#Rl3b;|Nbplt|1
za}xe<`#+(+MAWR^`nKOfZ9Vpr=guCHYyL*PFZuHKj~vV&0KUDRv*aI*wKL4l8Fmh}
zb^QByF$xBd+HYW<9&UOywGCq|ak>y-@YsHeth$|~{}V(95MrV)&j1bEnzrKHl2!k^
zlPRRsH*ul9*tF-i7Unwu*)qMZ+~@Ut4lnNlhRB6vWVB@+i#Tu5!J!g_O(|u=515|6
z-T}B_6XZJZ1?Epntto(Yi;Hg-8_O0z-p%q2nKWI;FIfk$<95pp%(WzS7u2{$7&-<}
z05OC~8M1jMebT)pi}lO=5KaHQGj=24#`oi^MsLZQXl??wY32WfO$1-?G`oB~MS{O&
z)gaz&Sd><GC+1+b!WY1(9CSOoTf>TL9Hr>8|F>z1Sq~w2&=I`{mn;jXwdA2Lhv+_Z
zl03)kCZKjv(s`u`M>lXd(<Q3~knq06fz=^KMJVNasmx6b69xQWy~5-9Hb}xW3vFLw
zFN?)OpC1pjO%^WyIg9VSnS-_U(vI+co@wj$2!+Ud>z9*{(RO~EV75F%at}RiZcy&?
zEj-{1{3Aq!E_ncabU~dn%&1`t3~u`&lm5TzdcbI}g}yxAoSKZ2t+T!R?#d9HCm#BD
z*=1DY?s+|tw7c2imVto*IzEo~!qlUmlvHRsR8*7*(4x98`pw1olf~q1k=em6z}P?C
z_`$_7UOUFlQ`#o~zkl91T(@&_aqEm}4a4aaK7NEk<*)#2np(KfI>6SKHc{|zFZc9M
zAL8aOUkHocS}k%St>UXLPI*zm{uczH0LfhAz2T1hM0<fWPh{!gxAuJY*plk|O(};2
z8`(I%KgKgIal8EWGehz`igl?*QL5ttc&}r^Sh^dNr!07?eDiKMe=cEK*Q53SoQEVc
zkD>MpHA`(b*P~+M+oyaT);aHCY`KhxeI*iL&(#>ck0BIBaj_heu(u~({dU*yv9^tC
zdb8^L`SDR6pe3k!(kf?s|MZq|q9z|!yZz>azSm%|$JLej=MD>ib9IO!_|j7W44g+N
z(-tsvy^{t|<5HrX^HeCXz`#+D9atv66KcEFI${_Ag-QT$_%N#5HrRQ9mNywNFdpt_
zkw9~S1v?!7`=Pa8-%kB_Y%}rL&Axs*W=)#0o!eZO&Q;-Gefe8}C*c0ESW&3+uU8LS
zU(>Mwz{m?4(QC?UYC;omKhbJ7=1?#)K1!Q-wSpjvOF9KS5gdQtJ*6moA?OJBzxeX4
z6@0;Qm}=r5HlQ1q5&~wQ!Zi|NzW(37$R{y#xI9;ee!i3_?s<E9DGcF~(m;*kR&3fh
zZ|AkyIDJP>M``hfYO9=TL{6Og*9vDcIlt11vuEIxFhxQQB-F}Ccfco%=*7vMTTEZb
zSs+8J5MvW1a%;cguSS+=gFd|2Dybh5LM;T259cZzm~M>sZY~WZ0sXw)JHYqwx%S`i
zdykvoU6a)SWRUGD-|bGb1Ng?_o*xdiyif7Phj>;0ncHGS0KR@FJFtJOBj~W^i9)R`
ziD9kFU*z#tdaak$&xP^z3objkuUs&ngH6&NS=wQ+h~Ej8$4!y;W{~<Q#Jl<yuk*2g
z><iEpeQ&M?_F^~tdxh}1r_b)gi}k)MK*>0(BJ7M9T77XE&hcka5>n?~9Tm7yU?eqr
zdU-1F@2~Oq7l_Gq<KM}BcHrdXG<oE8B6RhZEm42p*roF7e*sy5vl7R8hq1=M9FazU
z&^y0TLWks$t9QrqC~wCh!m)s7CUR)se_0<x7YR9i`rGyOB@kWj4zHM%4G^2)^}iM9
z#DC>vl*FKK4+b}(UX$1&`09h_etc(k)lF-{v|Ch){{TXFKdQNg-(3_N>-`5<7qPOY
zd_p)~L~Skh;8ay^YypQl>n#aawe}GO0ck}N?UKl<w+r)Ck&9mzc$@qq0!d=Q^MxYd
z&lqF&i4P#to=K>+=`!Ww(I(lbpQ@***err<dV>jwVH;1R^{24YJ@{9=m2DUqMsA*y
z@b?1y$_~YDrJWY{zRexiCF_Hl_uerEi<SkjXMK^%mF|*9R*soY_T2>EoWJYZYnxmQ
zDU<Yu&DV8&bd8C`M|Zj=C+wA@^%jd&zYDP<sORrm)*c0882!GMS5tbR181svQyAmr
zm$$*ay}!{OqhGH7M*4h~LHKp)^f}cr-7HO52}pxI;#j{T`t}zJS6_ahuP|{BrvKE&
zgZqKNucW}<$AAl}3N-weKUp;+r{$?l@}5spA%X)cp(Um&pCnvOM65yZ<dRipk=?r0
z2jA@HO;B?_(Wh-M@aZ{{X7BH8*;aq$2T3c1Kbo16Z1&cg`+FE`!X1jo$gsa-CHVL0
z9tMuZUAU5MA{X>^8yU0*-oL5)M0WkQmNeu|&wO%Ye*3J!Ww<eF1#zBL7^OHo?{#9i
zjW^$u*0_jvP6FdI^*-f><b%fViv_j8sq47Z(+MX6oer7nxvNq?t)}QX9+i8wUx(xd
zjdV9gQT7UirRPnk7-|bGwW^{jb+A<&VtFMqJEg?I%%-C*HiARE>fd^mIA`gFy%gfn
zzz7Ni$j0-<E^PZ>fR?!ii2;lv)gA7{4y1!kh=+@tkVab!y3DYdt82N%?^{qm<X#xd
z9KVbyb$ip7Zc04QEDw4)BZ^GauTQ9J{j>H0wST8Q0T<o8<|#suN#Fzo``=k}X9n05
z)(Y`<!9_zU6{+t32c;u<h0<Y7@$rQtC)I;nMm{=s(spU@Ba^C-a&9K8i*-0E1kaGl
z<?|*OS8F+S^|*PyMgJ#g)D`#LRqf7v<<dGO8B>=q4o<9kIhNY8q2(5ok<Ugutx>Om
z`tuy|cy1m);e21VZMpeFl_6;Sc#hOd`ZzPW{LGj)A<AsqJsd5`1LeIS6epy|Fl1Ad
z7d<O~w!gF!VP=z|(?}wra_R!5N>V7!msZ$*X2e!eo5h(^J^l-tuR<x_o%LlFpC2VG
z1)*-SzVGhcd7|B0>)k(JSwgmWLsY}Hl!*Lwi_PCzGGR1jE4+=cpDKoFR2M&pP}Tv<
z@Wis#Iwqk}B1za=F3xvn9U&~q3V695dCYo3(9{^!NqbXtK?hU3Lc>l~h-KMz$4+}x
z4@7oQRY=9W6E|_Mr<5kR=~r`}cNRb9f`$@L6c}5~*o7=fb}|nyL==N=*I0DvKsE4w
znd;mFp_j?w@xC!B&)}nJvXb&P5Rl%^etRKS7J3o{NK$9j7dRVT&riP}xphK}Bb*(!
zu>UuEACD%r|0|wR`LdkanIIiY)f*N8<d0P^lkugELypoA80-<6lO19E{sU7v8}0A%
zAQsrQi=@Db8^J$3a^r<LO(S)><lbu;3khfvIgv=)|KiYa@jn#}NHsu}_clG0e%k*v
z?3K7wA+?a|EiXTwU}zve%9%u?XnwNL%Zd~lS}!4XMzBw`7RsJjPg}K*7ZtFamIKQe
zi0O^terO0(H40Okdbb!;S7?{&nTNF5BwrRtA^{6AWO2AgaKcBCR5TFm)!zZ(@~y%c
ztVVp0yN`oJv&ImvTYVh28MnhA8?ZoyFVKk;HnbO5db@g%tB>a^=FD{hlk#@RO1|&k
z&KXO#{Cmpd@*_K{cu662u&4Cmge$vP6qcJl9;5e+6XMFp9-)*GpFH-+CXOmxtdXQT
z)I{lF3Tm6*^Ah%~ip)G_SDv+Fwi8|n2)*O{@SdHt_qgA8Z6VC$M-2AzYX)`paa>bQ
zA3{h37vR@A&-mq)^ytA<8359tSvAV#|3w{aGPhj_pP@*#n#5;C>fFi31gngGUa8Rn
z>AY9mo$i~=L4wK_JCCPf8P|SFw7sDaTj%E$^i*Ac_~*+vQ4)zsueoAEM_Z#Sq$gmT
zO4A$%?Q2+&<bxCZ6UdsSpHo6RWJU^Ez;OCg+GftjJS(Q$6YV=hZhVRFmNg-hJarqV
zDc^u4UYd6pX?TRVRF3hk%|WklnCT$WMPML>5Nh>4xL&ln8abHblWW<ep?;DWKh1Pg
zlI>mvW_*6t<U&fly>pZv9{XjrQ1KVMAa|D|`gGCh^|y4CQm&wHn-PP4*q=yv&Tmys
zWnw1CG9|eODB?z?jNg)LFHL<_)5U#Uv>+qQu#vd@*q90F1QWfLDu*9RuaV!|G?;TN
zq5c3Bk=;d9En82!TK5)KqhFl$8m|>aTl^k_N-&h7p$a{=$!i{EJaQn-q{szHZEDaA
zB#rX%qM4hvO1nXYvO#bOz(fX8${sA#hJ5i>G1aO{Z1*deTfb@E#csN_1chDA1EC_g
z8H$+oQ-J4GT*$2+B?}ZT6&wrjc7a(!{|oow!|ONu%#T|?!P6`CbC98r+1gpRhNeoR
zC()CR9Yvh4HmSDS%Jc)_i_pm+GK$P@e%e+fwuF}w6HTTGS4!z*+N=Qo;^L%)Q5&;_
z8>YnXVXE>qcnT%lrS&g0J@vM@xU5o3(QQTU8;(&*-y1+zfgC^Ptl*Q=tL;hL=mxB6
z%~y085Av>69?V>s@+yt&kb`_w(f38mp!DL+NATog12b|`tR6Yj@>MigXi{a3ai#sx
zYcjAZ%@Xno%Yn!-S)H3EZnhbg>hf*WVWd^mpN}SxdFlkHfQ$<=c3GA1W0L1%82^BE
z;)sR$Pf`Mu`UyNPI~pR<9vYL!eT){`_wqPgqYWiLhHYc;lh*><Bs24a%dYq$?}w7i
zGe?&5HhaoqRW=i~n2Y1ieG5?pBF>~l9MX2xJcSb=?J4xn1L$XE<=l`c;V!xoz6Ji1
z^fXSB>Cdw&BtzU<aHe{VI<844HD&|X?o_@RTsC?^bwo4NF~-K)=+41(VjelPb}|*+
z+b#itqLocW5O0KZ5<ymt3fy%>Lf@BS!eqGD{PzE+7^Zk2=QS9a)et^d?(>`<6+7D4
z->0Iu_jk3JhPI6}ojaSen1g|=Bsz@J(}E-;PHzbVjRbT@P5U!PCUm?4H#jjVtBA9k
z$CbPUdtU*|Q8PBG*;NLK)0n49a{KB)vX(zdE0VxobEnw8E-wmnSbI6s6e}pg!NThq
zWFS-AkbC4>kCtq~8GAWh*N7zv$=nQFlpi&!tHrU~-`GJd6WMN2+f1@M&0os9{OJt6
zmhv{om-lyWB6OeHR9}h&;6Th5pM(jO7UJzb*(d*)b~6imyslcesT?4KE|4SiGq2`H
zO+f0B@8?yq8CRy!QK0lJlZ9@D_L81@F-?tJaD&}DG4km~IMe(D>>7N|G^!bPRNHf2
zi(XSstfM@-+|lrhXaN{He4QEwTG<;@1h&oz1;maNq@`n7Uk)e(=&+8zEuHKPTxXr_
zU#BwaMWI)9)xF<0o}XTwGsh^$JlZQeWWUP0AAW-$axN3sH1WiE&;)MbL>8>y#%Sgf
z&snoB@}+a!MTc!X&^n}E3KD(9z<I~}(q7M;ZofSq&wxTK7-wYD!-hgRXjaForWpwE
z$XjIX1B}jr&j9FTW?0~avq>73b^M@nz@M~V5$BV#6c!;`vYNWX?&kRP(n|U>R9Z;v
zJF8m%thi$Jg^B{J!_7j;`8vpGn`g7M&1ubxbP+HkaPX`#qry2f9>`d}CiSXUwv+4G
zz{4mOkK9Lxb2WaNDXLHRrO+66SAY7%9Zkpj?md+e*L+<0V!=0Ae@xjJ>TUH&I=(iC
z`bw*eRh$PkB)6ZIUBjP}QMbz_Rb`s=O!UJd3?>y~#p~ip)~IqhXG*o=>c#j%8b%s?
zWsD$X?16h|1>dI)=9sj!CGF^^G+r`<7>1V2OOJK^RSl2SJ-OIX_4Xqz>LS-mKTLek
z$zXXNQBJ4HV07ckc9zPN#br+A-mf`fY*FG%hbuUh$OSl{)s>xfP=Xkyp-=nm(fUNx
zbx{r3Y(I^~eMw;X2#lZqkeg4HOe@l}6ox6X=Tvea^1pm)(i5P3yZwi<qfB}DM?N!C
zXnb8sLmpdNLIE<vwuXwk<~Hg|Re0I}78Hz3T1Z!Mkbhp6_NxjYiZ9|%TWsnR3~1)-
zII|4#Cp}9M_OkW8Cw67y=H%{HzN2GhbV~#{CihfaZm2+$$3S?^Hb9L3S4;|L>W(uS
z`DYbCYcZwOK1vHD@;$Nl2Q4?OcXK_yba~_jJ?vO|e^6N3m})1BW8Xe@k*nSYsI@kp
z@g_queb#A7WY09oH&%5HyzD<|SI?*h*y+h4b2blUITcsw4gMl==xLGlz{9*#-On$G
z^1F8H^2kA#u?!Q4*{g}Tu^J9P%TtT4Yp6L)Y`&TN9M>#0RaH)b&PN-?EpI6$szhxo
zneLhrW~ZcwMYd9jK;T{Hz&A>t?Op}4U7Xk>+x`W*Qgx3%ZVK?Ahnp$0+Z&iNoqd${
zl3P;spS0gK^H&q|J>b4$yPqmw7?7uzTC3PhtCQPRhdD-wGI%eGM$J!9I+V0fsvP}{
zI*3nAq_$XAYTlZ5{Bu(@B7q+d%?h7XQqJjqG1Zp}9I;?DS;~+N4w;qO8Ta4%d)D7E
zUCwe*i`wH<0tpE#=mb@8>Dm+gX=t2MQZ>Bpnjo>Mfo|IEr;N{!vzy4v=tVwrfdiaS
z4q-><4`9UMv^U1r8F*gfjWOrFuh=0dCuuJKkpt6mV%^y$%@SyS#+d$~DYMBh&*IzC
zm>eUQzY~7ckUJ{r<AA#ABl$tap~_`~8~7INBdOba??0*;LQ4eC@0<?aV|RKjzzQW!
zTu5Y$D|h;Q>I~}UAp(h|JaQgjo$vG6YNTQbDtFKYZpmJ}nZ%T9(%?=W`!IEHl^sMx
zTw-KMd92h{PL}ndla^*Pe=JBTWm9pnPn&!Cn%%y1QTAy+@x&xa#waiA=Tx6j>>G6@
zhU5?3rRoc_R*W+RlU9PaBx>xdKBF{)YPp<EYV?JVNd%UhIeUo*ADXB-u0E0ZDidtS
z{e#)$WwW=q32gu-KyO$x-DzdI8ZAAU#(*$OVnEL0-@!q2ndiQ@Id)x6Sz*fP^ycDK
zgnXX*-y&TPOE)1m>i?2f_FJay^RE+_WoR{XC%7vVrAWAh)!K4PYYOL>X*sWDz0GMC
zEZdY_m-hL>IolPjKb8u$y&Q2rxK{ok`cnMSGfBnQb+tBzZ%%lzb0@7NPR+du62;f)
zb2yK&E62~Wx6E*T<*A(&x?K`=G3??5-J>M<Jw10IO~Nl#7{mFz=fiq9?nPi4ZWw1e
zpseH0z9<6;;3sjdS>QDl1pu@Qs&JZUqCn>a_Y=OqG$5c42_Nw8`{d*Ylyai~J^<iY
zkbeNBAop{xMDy9;uE#{CX}`UdS3jDSIa<{<$e~$NiGc4gMxoQXKfLiENb6AspP|dJ
zJ0Hl6Pb!TnxlGC^;Z+q(pxqI1P4YMx$LpYL2o=}=8DJ7pn?#w!fz6nn?E9?X8ttAr
z*65<WsM5jd>25Kqh9!_Ns|z%fS|t04t?$s4as2VR@m!r`?mDN&9t-I=a^jxe)Cjhe
znZG$}5iK9u5zc{LYyY_{xxAJ%gY2iAWpdg?xkS(XbjN%3`O&}$OK3RrgXp5>CGP%D
zW{aED+lB|(Z%7M0VUu2rOY*~(BNMl327d=reLXN(=Vp$v&HG8~zQNp8icKBFsHbJ|
z6lQtRkO-|QyOt;AEir+AueW1yAwTUCnOymn8pds2C-?B)yaUsw$HdS(+uhkb;<2Ml
zgBY%wwMBdODETZ3g(rdUeSBBGWG%qw6pW?9BiWc6b0bPb2o0L$ooOl%%;W#rXbAnJ
zU_h<CHtDIG9ZCG#>TX)(JS{*_t3RZAY8<o92r*uIYl<MEDKeu0waT5|cYBjz>jJG5
zN`~UrCAV9Omw67)njRmsW=9jKz|EM`n>Ip5D7rjLa&VF090t7(GX8%0G=!>l7*lI{
z;|G9UO>Td6;{i~+eOKrR;4!Bd0XJG|Yt@(6t4YVq+#OU)xx#e(|9Vrx{Vz$03RfuX
z&P;fT&Ka^1!<>rPSeiW9G%4q>qCUigiJu27mnJ0Um>r>UOCQT<UUEuk@{1|a$Fa;o
z`^C73Dk~0>K`yEv^tygb>hY>KXnadfobYpQk|5%i(170*r?{|+WcV%T65$GD>{07_
znH~~hroc%?#S3>5nSC~te0Mj320zv-F_g#&#5HIUDTrtzZEYEBc||BpB}@Mw%Kic>
zs`m{WMo}aLB&4MzWC&p>=@5|a5Tv^#hi+7)OS*>+rKB6AI|rntTRMmQ_Nc%A`<-{K
zv(`Cl4LY-9X76V|amRICH(~sX>^Q7tHhgf9GC1+ey3a_E6tiu7hdjNifsP_Sjf~%p
z+njGcN+C$WYuAn@RR%3aMLOK2<7>grRIs@E4p{?$3s2-z^fBN!Rri1hvl%3bay+U~
z+~wukox*-quJ>Utx8(E$)5Q1rhb<exINGLXp3(rBGESlbn5n(N@omtn=b+?wj0~%J
zzEvz01Lys|&-IE|7q&#c=}=Hr>_Pc`u_lsuRwgdTxnl_nTd0Gm331`SeILBxGgH{D
z%jTsmdzLsM;7S_bM-rybpdoa<k;yf3veWZ~{~&DS%eRx>J4cjKG<PUCpcj(-<V&CV
zm!W>*X4A^v@c}ce&2K<X1ATeGVmT1OGU0JPAepRoL7-)Uz@=$r{w)Ad_XK~9i@LjI
zVl#CxQ_*Ct_>ale4=_wThQHC`txb%lseS9qFMm?_l|dnR@)5qH@q6z;M~$ztMWp$!
z`7n#a9-e&acsI5h2D*5RwONSwFfVrucQ(#N`EC9_hlDu+in_o{P(UvzjRorXunp!)
zBlUP@@|b3;pQTbFot}R7Jesc+hAm;7F<V2FzRF9nX1bU|=uqL~$~aSI>eb6HBc(cF
z3Ff2yT|=MvY9g9UJ4!mWFIlumiUrLCogpYj|CJfvAh|`bo`-kyn6T4t%b3x9wuxbG
zz3?>EK=FaPI&SrZp2V80_2&d)aZbY*f_be{E(0~=JG|0l40^f0a*<2&t4=`_^GD|7
z_WgDh*w*VAGn!dj%z0&yv>ALXw8?vC%I^jnG)zS2xO;5Z8RQWaC3I>vll#byHdX?u
zn^dry3DcC~>1HqolK}F!#jlFxFRn?hyv0^YO?Bd@O52LXqpWijS-K_p8eRO5jPo)N
zJdQmu+S8?Mxk4WvqkywnwNlB6vUJ<fE29{HRL(woq-DyXWx76><8MQx6;lMIcz>h3
z6heFo6!5k8IVlPR)S=kq-TudVJhE%u6=t{h=UdL56!Kj8CWM^w+0w+ARG>pWR%ccN
z<IBqw({HwFSPHrkn7C2-BT(u$iggh+!PE0~o;qjG^1ePXr6mM`eOJgcH1yp#z@bdP
zJ)Q6tSt}_th+l7&)JD9So(yPrFiyRbp7W|QmaC4!c*b2Z%RJ8T3M)QJ<~%Q}k|w`+
zdntQf!$9IX(wU7y^AsKFndeoF{OwC#NZ3oG3r+MAk-{g&9Snpf_+C8pBGogaT5qIJ
z1|UjTTExq;U;4|gl=gOa&dO=ml5aEn$NL4uK{`HKf!zYj;Vwz*Z^V&unuZN|ks@?*
z-x`pvj%W_QUchElr!@=g?<?$iZF#%(9E*lL@q9<wIxWSW<LCFBS9twK$k7sWa{=8=
z-MzchT7FyX&*G`rLxqIbs9@W~D)K%eNsEuwgKCIP$Lc(itb&xCL(}Oo$Mv?MpeQjV
zev*#S1_^#L(=JzTWdJvEH;V0EKCWH^#yT9@ZOsO-@PS4RPyPpz{1Zaw+Q#qg%UOPh
zTYlO@_mo-&%G;4-y5qxJVJdUo@dL^`M@;;X{c%F9RxQQjX&Ptb`70KWHB+u}g`kKc
z;_%~u-54s(1PG}aW>}?!B|+w1u)i$GlX9XY%UEE=6Jqm7uESk#wMX7YOYOBTm6jy2
zBG#nR&%OKZezjE%&9jF%Q_kHra%s)9X0-jZ+^u|e5+76)XG2cIrhkP^7)9`OgyatJ
z-)?zGw$5e9M$&06KB!>TdY->to)l?#Yh`-4qWM^7SQg*pWswE-I9!3E@mSEfB(%!b
z)YsDTDILCvdT?cWKW)!9t!|2wlt*yo0P>X++N^LrTXhRqBmr?h6-I9x!z^t^#r6b6
zx&QX4`nIVO_4JqgNVHxaKa0u-pI(<5Izzu=czAJXX(nl{)!!A}=k6e=<PA9g9}O8s
z3SFh+1o^Ykf98%xmvMHqGFHqy%V(Cu4DN@lH(n2$CZy3ZiM_C*agi{4S_<o`CX^3S
z=zOrYh0l^=&66PASX}c43%_!kDGQIkVY_~gSjspx-t*|3dp9aBU{0f+5T@^_m_(hK
zC|`)F;j>#}naDgaO&{(&^(#6%8g(nYra#MZP-}I%P<+OKPbp?>m4H10*Ve@)xFdn~
z2zOVW=1u(3`e{(X=~EZ<f^Yg}mi!Nm7M`+@hnt3(N?$x51#_zuiN83_eoCE6KG<hl
znR#V$`n|j5O|^hzjTPtY2+$8*)`p@iDU3TNI6^6r^G!5<QqQrTM*Ot>Ny<YMV57y#
zMG<b!j~l4<Sv1%NVANJP#uri2Qa7WJuSDAZ@Fxz{Dd>3KIaPX_t-_3;KI<8x(IV2C
zr#4moct{GrSA&yrWaoRgIytam5LI5)_YaQsW;G1<x$7#jW4$W9CmyUN90+Fb;oiP;
zzpYVYoY+%|jI+F6>0Q_;gwod!q)dwm7TAzLIK--D^af*KiY319nfq*2CRNgd3$Z%4
zY`P@ULg9M`${9Vp-MTT?)b&HXT9Jp+azC~}jsO+?-Fo$v><(1weiSkrm|06g#=zH2
zGD6EEJ3-X97q#)?behXb?ryE=jp%B-=vhQSvD~a|ZqF1IOHuiF75XHT5dA66qkT?)
z2^ENrGed(iI)?b`bGT;faa02(f>$;7<3AlTUTjIxQW?XGK=WL^uYRA@YK9_1_GOOW
z^&U*`*fF4eUJu9Zl~dhquNJ5RkKHw!dUxSXDLGvCyWFjp2fYC0-{T3O9uMs4(53C7
z5426Y7CW-vmcq_(9*KT=tL4uYXCF$`fP{N38|=V_Ktf6L{h56Kk1OiJmJ-~jGyIah
zvrM0QR^UOkWk+YL&skS(mQTfVu;;8!4J}E8W$ivZxRy{QX=ufaK;tJ}YwS!s={Gr5
zBnhXN{1GyOk<tcqxx`|2=?mxdu`fZb;l^hf-7MA@YIDO6=pl|{j3${#akTQQI~MrW
zl_dNSvuux$H4ciNiN&<=b-Tn^%4hZ;V@CJ(CQMH09YQh1RU++vVN=^jXhe>!2#^$6
z?*d6-B7i^9Yc3;#0C+1ft>^f)VqlT#hKR-^&#$?5{MVdoE^HipUuqrbVF8h$iqA8|
zGeOm0Kb;lcn!SM{CjknZh2$n%MLIVFmxTEiap+{&=K=%V35`MF&|NU_!=91($>8ob
z%ipn;?C9bEZgVq!F!KBVKgQ*MKK{`Hdj1o4=d4(Q`G-PbmR|Eq30o~+hEc{8W{In7
z@#h~lf2gS`87-gAzmvKkMP3Nnx(pM#ukYgj*nXXNaynb?B_cS|G10fm=DvjF%F2NS
zE08WwBN22!%2%XB8#zH-6oQorJWd~6ASmmDF-1+|OLO1}dK?=hcJ-AF94nFQ9b;4b
z9DjLww(yIu^8i86&MZH|O1??LvwI4x!5JpNI{<Pf;bNQqSF}c+%AX=!KBHS;Bl2lJ
zE`L#mw4Ft-c|&CB?~a_e)g;0;-~aJhgl*U&H75V?AAnKI{*T*>q6#p8AKWs{BO;H&
z10Q?|3+*kPa}ZR*z-^O%M0*Un)F+q8VZeo>0+O~f#qJM?|K0}i-`Fy+<KGMRA7}V~
zo8%jf{!SGC9n!(J7x=fy|94hL71`e}8f2%#5*NIl2V~{UQvWB)g9W3NZoWsRYM6=m
zBLi}d8<<7*7FUDMB(=u5;Sx(+fE7!^)G`;=(o6KvC>W(6{pCOvpzs@IxCRkl*h(|4
z)Vk@3y2lZ4+wTqm4Qd>{dR2XSJavbH4~qO#M+o3u)>m3+n*nzni2{HFY2?$`C;?1Q
z<q8ft?`MGnAKZd;j*(FNk@_*SZ8G}@P_m-FXaYH%lRxlB7`r>lpQ+H92H@KuP(H0f
zM_ef>De5;VE@Y##<Dtp0sGf+$I#kV;10kl8|DiaU)}>3z>|gu%`1h~w1JKOO`g*={
zZ<0WS${wHu`~Lm=vDp+A#8m~)?O)Qic%AqyS1^l20>Hd)mk4wo;={qsuHVwI7v=Xq
zIv`jb{~j5CGW<mGH2{y^<+ef1tvo=0p7<;>J{})C-VC_;ecnuHdWeJod+_cR%Q>tn
z+~ZKyT~*fY<Ye@GL=HM^mn&PITfB7x#MI>J!@z!fb3iuk?g@~+29$@Vd~OBaHTtR<
z!vRR5H@v}q`NZIgpS9tJcDl|gEawIATn~TAf!jYHnUo`7M|U5UmVkU7ufq~9>-`T9
z0*WM`EcgIWFnU-^^0y<A8_b(`Bamq1yr&hJc6mRS-yuL<K(QZZ!Ly4^B%~m0infH3
zIml7tNaZmFpLPJ%-R1~n7XSjy*~9suepl3KUO!3SIdA$Txs8*P^Lsy%iqtTg+85#l
zz*Oh^0v~9liX4`fs6SJ)nI2|#9wPz5rBOf={jdfL1_F329T(tP{sC(qUD93{9_K!u
zu5dwP^;ndG^j!;wvgo)Wwz>ZXUl?`<FWZ%4uR_aKhnE3h-<BnM#8Un`hIzeM|7L$8
z!9jvtKP>vj&S3!5*BcLFWn~pIXsOw75!V^$UUxC8bDZbmS$G0y`4G<^%W%XT*BwFD
zPx3bVQ^Bodv)Vt0b`zpvm-9jEa{U=`8wpM@iNp0N9z?@9ERA9!8=pr#A#T0ab6*`I
z1T>=CDrz;1d%uX12$)yJTl5SsOaqt#yT;Y1y1PKXt||K)VSVrQS52q=yIY!LI2}Pa
z9o-5#2q2HH^Rh>hpw*|@3_cSkKx7b<U~g&p1CTBTq{c=*Zyv$=NCIWd2e(w*Pe<GU
z*(u0$iwQ9xybB2G(l3?aEQCbUMmbdyKfci2gO2b4mv;2Ud2k&QQs)tK49crNva8P(
zr06>c<ee9Uz*olSIqW=JylsbeQHg<@hj^??Gl|zZI<33GP6GZM60<TESOKBN=20qL
zTFGy08zMs!^8dw(AHUQexe>fkxtepIJ+7*$+XwbAYT((=L?noLu#Mz(soP!>gE}H|
z42B)|29!wVEMD?<33XM4L^kyr0t&B!M{CA_Ocptg$Q7ONO&c@Y*`*B9haRXqDj*x(
zwIqsMzLq!TFd3f+=)E!m4f1d!otKzc&z%w|G8o+5Em^EniwB_ie!w@=15{|G0N`wb
z5zx$aTML_6O~o(EZxFz*&PC$Y;s8vx_iN~yLcq)!_Ax%bZl#$RfpY5nLhXMz-Qi{e
zw51()rvIkoN_8GEg`oWqXD}Gc7QqWC;FaZB?JR&dQ?Cr3)&!m>to{IoAQWG0*L&tf
z+};MqHg(b3PB?;WF<KeDr7<@eIcT5A_~(k_(vK`2w3DJig#kj`XA=11QPgH;W|u#%
z!ChcKCo<QAnK1m#9UfVH1Q0FrWBit;%17p3UXNLu*TkBxt~iSID=C5L9GKd0%9?7h
zbZYE+s;t!5tT(utj(*A_MD=00;_R9pz`{`TAB2Z5J*<m%qlx0#=2_?I=h0sWPZ1q+
ztCD*8Swm0YuW2Z`Q@S1Q<qNQUZBPB1@QB?V;Avj0jlSL6W|}*z@ob=}tJ_|9LGaDM
zZDo*C5x}6%l^=$~9OfY%^QH)mYLUCKi^H(R`B1Hs;kGpRW_C*!UdGjB5E4?3R7iXf
zLQl5MAJuq%nw{hw9}+?W6A&RjPOt#9&YAH+;bDTqS)2|dfWjEOmL#j$lK@1w`2OdZ
zgUuX_&vxhc(s=oK-Tm*nT-~mlM5P?)d0A~W=y$+gmft+I1wL}!k?kdR@dksh6Eo|b
z5`?KrIJ@~Q<;<P^`pxu5{!xY5)s>o&hysA{0xWNE^p5lNSHB%SQ?p$Vi%>cPw>VN(
ztigWJF*6toa$9W><2c(hXU)CbIit4lXL(fs;5{POT?b2WN<sGzn<0&P%U><JzxhOq
zzlNKp1aq7eh3^z~oiw$xHl<^(e#+3Z_Dv^LrQ5fzELoq8Y5mefzgN<e%h_N3N@O`<
zK(l)YM=Kw<vCb^^n3^6Oep7!n%tD;l(>Y`xQ)HuCf4*@rc)m7pu#zAZ9$qI1sayY|
z%*{%LmzdG}7MtB{E=A<Anxby9?pYn&X+5HYC5nU;;^7!w)|6_uvLOMzVYP#Mn=RZx
z)^@3AzLx5m$*=VH#O)noNXC$MKO*K4*8JsNRc)jDtImfrqy8X2d7B;r3HYKOBv<Oa
z-y&D)Xs)X&j4&e*mIT*4=0Y8AP%4PEil>z<1DsT6^=Gi_TH5>a2ph0LU@Kzec2LA2
z1+?(k{`zgZ;Eo8l0lIh>nA19-kFG;snwGjBs9Wc867O_Ekg~Wi@^)Ck%|9#^3hq>q
zhVsrk%9t$(!jJLo^m%|jX2%fcZKhjaf84kY7b6c?>yv0Xw(~4)3hs+#{<HhD*hymr
zCZowpf*iw~5n4{j=I7yjo=LUBz2m&UtcHIEi@fGIV8QS;c3Rj?CGL_lcV<b}Vb_WE
zCw0b$%tc|^d5-(4>XOU2u*o0zOY#06o95I!*MH0fY4k+l_%^2^Ked>plrtT?*jlK|
zQ|GvFYbgY|hKsYV?BZ4IO#|E3X!Nls@#C{#IqQzgJ8KC8)dzvzb?{iRmL|Bv38;_7
zRD`(nCU<GW<${s*F;AHey^P(wFRLzGhMKjt-T=LHP}lKzZ?ip~ig@L?;Tpc<bkf~7
zRGU$T-8q3rjM0~h!_%t6{gu+G6<2o#Zd&g#e*<)4`PzcfP4b2{=FR-Z>-xh^PU^P~
zu-OU&28c^?oz=cCt7A2Y%63Sps#aHLJNvz-o{*k|W>t@qn0<E1o|W}oX(rFPlD)MO
z+EMk3S(9Y3<A$6<p)-O{%u@?sA{m#pQYnFZjIMaScS5cWy%~*h%#A{4oqLUS6${D?
z@Z$y!%#t1jW>XPO1_GY4MkR<0^<$oeA+p+oewPbOYJ)rPvo&UGJK~B(sHZ&Qt_Y?Q
zJm;&tug!IJb|8#&Wz3Z<XLV*P<CX%7=DND%cFEoZG?i?CvS+gV&j@p%-&F!}tz1=#
z7DlF>&yEy^`z>L+yiVzs`@Z9DD!N+uJS>YXT0x9pnU)Y{W;+2@C9LSC$5!x9VPu>8
zsqY*Ixk=uGCgbV2OZx~kEgc3Lt|9PwE?KwL`BU%C^|090?)q&Rf*7cJRAYt`(bMCu
zzTVo5FkTPHHUwhl?FCt1pBs^A5tMNpa@_aT35k_CGWX1)>*Iv2tju4Y$IyXUOIbSO
z-F7)H7Mdu!;)!byx~l`|nqya9NYp*sDx!OLN)mIJHY6;6v6}-G*PMymwW4Y+hn5x=
zt-2tTdKv;H|7ONir$&Q;pz8eA`6_=B&9!7&>QADrBB=oE-u?hBG~*q}TuiRGs$kX*
zgR;I?NEN8ZSM}E1mvh+L>$PINqK8{6OWpDOZLT+~%+Y6^U-L?#QM8Ou2eXFbd0w7{
zxLE6qm6eBi_3#yk)zx#S05KV+SUT{OuPUkRK<z=oQ1wCnIt?o@2iWyY5(lMD0pqr(
zt2$BFalTG$*KHM;LbmDcJaweM`Hvs(H9`pN?Hb`R{mM;nQcY-ZSQKLib~mNu1Mq&x
zQUYTYIWU4uI87a1U{jPjBK(l6mw<YWQSXv0Ps%oD9jB^WhLI<(ppC6(s*tCSR|EBL
z!{5~3)xH>!Y)o?ks?~s2@^?TJ<&Qeb2tpktE+N5Cc^!%8>+NCLGDU7|gyvx=3Xk}_
zBO1>LdoI~mRRWBi92#6rB_-FDI$KdtRgVzXtauiG*JN~&O=*>wr9E8CH?}uXUq0sd
zPa=xhm|B*qw^6zTa*+=NNE-PTPMMPs$w>~Q-_n4!tf1qT^({X#qYnTQX3zlYJKyrL
zQ)~9cNCK1CTys<N{GFXQhMXz#3p&%v>*nS&<iT0^<QzQ&c1jn4X(2LuvZ40O@U=BL
zp2NHETl&JQ#L>FlgOlL;eneu7p#8g#1!rU0uYAjNR^bk1P$2p`y^pGIJyjrwQZN7=
z&W?jYzWu*^Z)Bci;Mz1}WZ_$jWe<U5Dv`_j%7`!A%N>daezfFq=*?bqyvBLc83dx-
zmC~GqPA3X*^bgt>gk0)suJr+<J`q3AZdD-oq}gtts4~SwVLD)MJG7xN!&6QuJ!A&8
z7Qnq}4pYB%hSTpKY5zWVu5PM3Pr9a{wj&4rji-{*725F4S{omsu<wno&H4P>(1vG^
zUAxrRCQ1;nEA}M~9RHw`y2SZNsP(b3DMD8;QYgYv#_iBdu3K7@U2!*(NzUm!#dR#V
zyoOyhM`zACadw9b3#P9&W2ch$AUz-9Gg<^iLiMNN0@a}PJqGGUng#Rr&%#WPn8=9#
zEIx=O=s4DdemQv?QfKD0ZpI%loHEbZmBoBrz`Scbt7yMNHG-awE<kef!=U*;$JN>3
zcu3<o&yCYFI0XfkIt%j;R1rPRugTn`*zwr@cJ5r`-EO0#IXN@KySH79Ex7}(#fiNd
z8;WHH|F;InANBH_SdL)jmB5p;N9W{!k<GyfZFfRFXPvYy!Ohjs;o^bf9L`-);-CKW
zXQ$85Omr7tRPiMW{qM3P@%D@JafWsI;Y2O01w6IDtAuA%qPEMGG<^nY!d@y+DP)`V
z&VXGX$CZs}mAN)&9T+ixm)rqoQ_1B7+bArcolQE+UBd}efBmF%_DS^wq?5hkDu5gH
z32(V0+D@2VuoP~1F!V|w+DZ_REd9WSK5ql;U3fNfv0QLXt;bGohTM~5)9W0k5$RG%
z7!SQBvbtIcN$pL>+q?D+$JJ2+z20$stEZ=;q&Z6H${D0;@zX!)+!>HiD9ErDaBF?%
zoS;iwOZk7^h)_-3+mfQaDZP=YDxi$jHB&gAX)6J-DzP3{`v({GjFqTSgu@?!s;Le5
zfcwe!8rP%<AClt9a=l>gt(nL+o_-nk1RCz#<#74pcG*Md-24GBQ7{;hJhv>7%0I$Q
zDXPgnI@HdUWme&HrS1=ucc~-}fUX+KUqUgR<n2ObG=KWD78fz^Y`>JhZEUyO!2Lbw
zi3@`oU%b^EaI)RpcY6fW=!#3l{J$?6vic*AFetSZcV&m2Q6s(nH?AgN)KI}^MeAI;
zPF2P%gtG7u&7WVZRt;xYxAnoel}Znf2Kk{NgY-XCh{i@Um6&eQ0KlN9BPYQ7H#3=i
zB)mrt!v*2YTOvEAh%?@%QaM##hz*iPkUeEEb=1IWsDPFhhcS}xq?#Djny6S<j3?Lp
z#!7~74W5%@HhdGZjn3FCdJZ!8npFk%CDe3o?^P8raArJgaWsLnmd?@ssRk5@BASmE
zq_Ob$d1o+uD%1E<_pd})7Vs`S$?wSrTwrI&bJ&(SU-w#y0$mraIekoAlo3W}`iBc=
z#8eye%e0YqQ`KVh?HR6~mL~A5_xi@9YylL8CaWI`!f5hIrro7{W3|qUC4AT1q#6x`
zls<04NxW~oRJ8f9rG5%+(Yw()@?kmUxu_w=)tLXFK5p|@mMxDUNqyi>(pfULfT8uO
zIZwg--dVz{Av=<L1+=|3+c~eq^fyxQ@!L=o&?O0g_WX+$@I+N?LfQ_^((`U~p2x~9
z;j9-sVVB6OO>X9?DPW%MJgZ8tfv)h2Y5ojgEi5RSg(0q9MG0+ojaF$!*9tM-VN<{W
zcsw*Y$7b1Y_BYOEG#WQBs@wbo=ydfm65VMLNf|ztfiVuu+EID`#^LK)S69i#$Sz*s
zIV7#c8Wh7IEuKKVwAm8oogHb4J(k1|E=rnc<ne!g0#vwgi-D@h8)YA64(N8RdI$p_
zaH<;(AhG;NBa*--l{Y<-wSW#&0nhlDFjIwiX$OH?B8~Ui@$X>7kjBW(bLFXEslE{-
z&R0XPDCw>0Y~rQGing+QjcYm|rwCF31xAB?`+(t*=USUOfjytBK;^>aDpA=u9yLek
z;{0MBdOr5{%$ZQAL<oL5l&JqQ)McMBA#GpG?Y)weGx|TN2NamMGcr@)kYi4=@M~+6
zCqKb=B>>4gdBgL!?<OPH6s2P<!KBxe(Nt(_{aCMgO8M<j(5Sm}RO-Yw-F7G2o38I#
zKx?)|n9qty(L2i@eCiRq$ZzERm}KgybAS5%{J)rDZoN6EA63Z}@iQc-mbRsCIhgsL
z2cGH&dQr3ji#03$Hq7sFY$Tl)jIM<f+1>#EPf$*WKPS_x2eh&{hR%Aqcrt<Gt0t&W
zkbr+ACZVr-Ng7Z^QO|<hGVcztt1&owYiMBeA2u2~3V$_Hisq9Vksx+V>@N~%0r)-J
zH$!(3g)^;qB?{FV+SY0;-_DCCj~u(qxMAVl-<r|=i{mr4^$-)yMoKy$1k|ZEI0tV)
zo`>!$Xf6!T61rq!&cTR0Ly?P>8`qs^Hf6z8evW+%+<GdBDpEV4%p&fUslx~_qB)wA
zC~ZZuIwWOpB-?SG?@$fsWw3$18t&!8^K}w-+pN^MM7G|QrTi&2=k}07fhr1QDTROx
zCehnyz3Jl}A?bK^;KE(i546J6Wk^vYpdsnZccI@FilSNfqL9f9B&|(ep+=;99QXA{
zLQ2lp2Fkj*PEgGR#8li(H=b)vQ2hGX;6JxiAp6}5@Nh`DFpR!*{hYc($D!2Ti84Nz
z?J6W^N2x}uHQe33pv3~3jmvl>#X`l)kol85=Ch)U<)w`&cFR*Nt|=<f$x^pb<!YR-
z&U_Um3e%N4R;D^T?1s~ie(Tge3aWW2p>^Lj-Fhcc#jTNJJj!6>vnNbGdxhH0_Tz&Q
z{t}#V>ZLrm?F3dhclH!DTnMJ{9>0vm2OqlG=8xu1DTsq4=x*FGdm)z6t0Ejtf1C{8
z<H9rO{SB7&8dwjY_szdl{3a_JyEI(5`L3#flO41%5jkwBq$`vzTIzYc=N32o%<0P>
z$2F)FT2~kOMO{g%cOBhv*YV;6FHxklrOq30P+3c{>DHpc2Bcaz>>3&~-ekdp>uw+r
zRy#^3kzv>R<IQXq_~5AIzo0IG^cSlS2IGqn=AMit5w9$*3S+XKp^KZeV$A%cua$l|
zbS4!&RAW54r6rv=fM^&b2g?C663%O}@DvZqZs;K;7P$~I60nCjIYClh|Ii34!|@q?
z+KsQfZwM`+bi9V)e8@rDA!C8j;Jn-yt8X23v8-LeUoBSZ7%`PA?P(+Tz0t(GGlEqr
ze+3}^L~|^%Jx8>WUf*Y}vbpYek-XZ~D<p>q_A>{WOcc8r{eGPITyGXf;T0MZ()RJk
zB({4D#4iRa@jX!+z9HF(`YmQM<jbXg(AB9{*8W|lz_6WBGyATWwTgSH<HRRC-HW|@
zum#tb>6-w|>rn2BwwJ4JOrCXxK0+utviOUYb$!i-J&xWaG;%_XL0!sg*GjHFa$+*x
z3}dpK#bYi^3)sY1Wh1p~g}GN!&}=rVhHc9*r7~BYXQOl6P?e`EwbLg`%uk{RDC7@k
zSMEU88?Mt)rqoFG@mBZUh?+|%osEU`W<=;3i*~nj8^pxzNM^6QKCcDpspHtXNeE%7
zA?fHh6O$#(hdz<B>#E7ap-HvUxJG<luou}T3d!?4;E&V97AG+swcp|;Ux0IevSI#Y
zgE?+CYot(w54eodd9q6dau1MvzdhOp6wxxe)$BPh1aV#v#!JV?A%9?+8&?jv-8JY;
zDew(^rF4rGRLd&P5QQ>wGRXlRIZ+Wl<SpMTSSo;3U}xqQx5l7-jRJ<MwG#y}QjBg-
zT6+-ZMabDn<mZXrZ0!|Hm-iB&oiJAm8I-_}8xgK=z}hRbnzzEyW#L7wWEgp)P3A3P
z19fY#p~+SuTP7}hiyDy3L0wb8=ubz$`L4U_Ue52S=A;T(b6Y1;r4OmADD~!PDXA)u
z_mUZBXJlm+CJu;$oU9E{1<jyA)>l`)&<a!4@5snngCWQBJ~WKNR1lY>BRfysw6Ns;
zen>xjEG=MV!)>5@a%aC5t=2p3_xaD&{)joA)rH&hr3ANK$nJYg2oR;n9o1jyZ>$hd
z#fgUi@oc~=e<2g76Gb*F7NhGX!dey2TW_viI!Y9?12Jnjvh89q*>61i%%SDmAmJ2~
zYb{R!IU~^3jIrTa2)0k89gdGxx7YR7aTw_Aa{`=Fd_26VU()%4S*w@ZzUbO>_vFI)
z7VN8^{MzT`T0`m+eeq$7XDGR{{gZcy4UY?Sfyaw$s;%s1DUh-oX*jZDq3mZ0O4-Gx
zotym(Onxd}mSlizbO%y38aFahKPr}#oJqvHSC2Elo`3P|HrCk|aTW{=PYs(P_IpwZ
zzI!G)%u7t@FV#5XIIix6#1ir9eQUWVm3Hc`%1=KACe+BzBTSKynMB>FubVf>sF5j=
z>LIR@9L*V-)s(*c!w-H*&U&Uq3fwjxLDuB#nIXrsCugfQ)U0)MU7H>8WSVX*-f+vP
zwA{<crG94@OF18zJ$4un$RHFey(tx}#pYRSR{&yMd5!R6QIFMrP@m%o;U{KTd^BBA
z$r&yXJ_&PzVRo@3(&f;)JkO8RU6UJ;$l@m|5;9L+G41NA4&bfd_hon3mH9>sJmP$B
zP00txYZ#KX>eOvR2MH{XG|j2oSmfsF9n9!ZILmZuaCJQb9@W|aG)-n&#w3r0ih!kl
zX1dP!p&({j&CDCS88OKE3*bnt8f9G%NZX+G%03WKN+w{i*PRh_0Cx57CPYwk&&DU>
zit&_{Q^o4Nz+Wqt#VCC#XD0?c>gP&&e7o!e-4m-T{ljmS=;(5(^M!xe7|$Ug4Xet$
z5mnc8E%ltg)jfNYSwWYYy}Hv!EnqKXOAB}y$=z$UNSxtvCTGHzU%BX^o`iq?(yv70
z-eOC2MC*~fI?<h=`t{Le<d%pmaX$1pvwol|w;@TOk}zSaegg%WLEV$<pDd!^s@e(l
zaK-7<f^Dqve+pd)*my(mcChUv?x{`YZTOC0X4CMWwC~q9O5>wUey6$R6yGa{r}=W%
zu=pUQ8q|{^=9XL3h|uQr)a_=|XE=bZIUiw1weKOYSU)$E(}JG{#GmRN&LGI^>?aL$
zUA6JKp1MAc00XU*E4F4LF)a5u|0Y+E-tMj@PD0?gQMvv+L8;wVu6*4sE^;SceK_L4
zQYc_t1x~@TxR7~XSEICp<Cd|l-4JrytV6T_Q&0!IhpBdpWMSk5&l!#X;>!fSlJzCy
z;-J=f9P!WSc!AWV_dAKXY3C}9t9(G%;UhlSAvQ^0QBItY`(-_$6ZkeCNT2$or0j()
zdr&fg(hlgWLo#kx+yYwH0x-@36Pp05*CeEIXD^&HKr0G#A<#&f&A9{Ugzy)Y4p$_~
z0YSbJ<aBi$;~l14D62Orkl++TT~1|uNuU~O<oVc4JU{2?ySpeVtQMFuO_qXJfe82Z
z2^Xb)SOqogPqf=4P~ge(HaaYJTV^#8Nch60An6}%h5V~)$vaM8%QE-Sywwir7B8Bo
z%TJ7DVgzpi31(QLrC=4t*Kt{dr-^{$|CfZmqWMi=n&hemcysSvUy72T{<YGnv5+Tz
zzx&i*j)|zXl4KHU@o4q{YtVD>Dl~$*6>#qWX+6ESnil=s+r{Te74!U|T2XRdJBW<*
zsl=>jey;?(8M{1ArcJMU+>?~gJ1kL+G6**&5O|kkGfEftBzXq`Nd_7V?axUr^BMHB
z&q5i)kb{N+2;t#TA}!4Q(W^P)Kj$?=f%XQR=ud4u2K)5YR2SYue{-4+TPpv7=dc5Z
zo1U>$H!4@d?Y$cTl9taWHY~&k%dZOoS)66Av41@H?GAUpcg|pufC!)s7%_~dTgnLj
z7x)>C#7{kyv2ql_!lQXZ5_maVZ4hS`DmA&$gK$}pL1{su%T5cXK#S;$u4cV0oGE`~
z=1))Pww}GV*?J=+I09(>916NqBDo)S29|?`CCK;YApEWA^eZKwKUvxH1#S-zIKF)s
zPCHQCBUe~EeMZ-I_J%Q+k|3+J^jlD`rUCm-pC(#^mQd5DKTv%BA4{v?9ss(W>AR>i
zegCsexzdL{rKpx>PIZ8pj5KgN8o>S9$gu#MvdyoJfBWrf7A{^8p(?fHs-*$2f>Xt&
zhhppw>-8?ql0q_BBy}9Cz(=$00OO^8c?=*jnn(~Dz&!P&>qk5(ap*^8PF8}4e@lXd
zN*d_4S&pkVk^zodCg4$UL<HfQKEp-*ZE6Z=Auj_|0B4b0=D-}AC3oOqMvnKF+tp;Z
zGyl^{UcFsD7pbx5{=-YhmVmH5o9hpF7woUX|CDhd0>>Z0-KIh$;7RfYj!q1IJsgR0
zVheTVp@fr%6R^-k44v~~%>7p*#yjk<Rw$yo{CWL<$2t7(5Ul?n0TX`(cL*X7@fsWM
z*WBoUG!)*WT)Ar-05t7XoXJBEl&e)|3Wz(Pjo+DfdHg>Tx$}PfAN7gT2Ng3fpQWaZ
zO;3aa<&aG)AGEXm3q<hynN>ajsu54ZSyG1@wEhN=kp2QP<a+=yBMB2V%!-*G2u<Sc
zSHPLiQng3t$NvqCjvtL@*ewzOK_ie6drz-?>TRvG!A1Pa0u4nVbxO)iIf7A58-J{#
zuc19L7kGc53A7Vz;PIKuP<c0RI55UTQU8^9as4qY0fcdwW^6v>Zx8{I?Ic}vDmeSu
zuE(0aNP;Xd2(6E{Z`%LC1iFzd8cDbYHeUkl#?!YIGns|8ay{vld=6VIZ7U?a&xAS!
zi1dVj)bx)m+O{Z32mnC<@CD5;>JmpNK&eB3Al52EzUq_@P*jreJ__?HbsgCR;0N=D
z`^n-h%==Al6k#>2Dtdpup}8$81d)~n^6;L%!HssT4_N@s=A_cRyC*k2uUgx8&m?tS
zc_?qX72F*f@p{PdLtPca1q>P?z!!EJJ~0P9OW!r+GMhVl=2hDACzU_^qgL7paZN$O
z`24cmWQQeV3!j0?!mi$1u~SP_tyi{!*Ea)*nv54^-+fm#c&vM@tbRmaUFwMHyni;T
zy7jO$A9do@dcqXUQtf(9f?5CmteNC+y=>|9PSW}P%hJ2ru<utvIL5JfL(W27{NRR7
zYvAG)*xbSiM#%3s6r&x|!xA)3vv~g8V8_RQj5U;)C;Y-8=KRC<_YOSR<ox0H@G-Ze
z<S0Mf`=eL`6QJ6j`vr={>b1zt<DaG0{sWAScu_Yuluf?93T*C9c)~Zkgmy1KEV!@b
zrylj{^9VzIa2CVKD1W7k>nr8h?%5LuLA!;}SldC0NZ&84yf<O@AKdOQ$Y@IL;g@U4
z_DdnZ4ErguGssBkdEP%%B$I5K<#ywjo~SQ$lP>_`X7cR+;6wz{N6=T@&Yv|G-$h3G
z9AY3!C<CQVpRsyec)YtifB%wqole*F2>$N)c-Joajkf+JCZ&f3DUnd+oQ&m<NJ8dv
zD?jHvqk+2!cb_iTiFNl7yMfY4cbN@F_jrRELaCo6>g$h63I%3ABqY4InN?-U*8Wy*
z^>u>9?v<$;@=l7jO0C%|eeH6ciFDhpNW!wEGndKl6Lwa>SC<*W6HqBKa=eSNf}6_9
z1Pp7{YI;HwuWHC=gDHZZ9+QxJ*fRDH3t);rFg%sGT#hR3RHyaX`C55&#at9YvhnW6
zreq)^`N-93u_;&0oSZt;83gF5007`^uS@9We@hCh=uH*tr_==IwLvA38MiOb(H9st
zNZ5=o*=&C0Q?=AuU+80zagZ317!TB>lL&hk#)~9ty!5dG58usBl2l(3`V{Sz_COXa
z?7L~_cFS+S-ggb{i29Yd-)<W8Z2Hzeba_=&zU5WBq;*pN!5q3+BI-2s{^ixLp}Ku*
zl;UG+?TAIaYl<7YE<D3)Sl#}>>0le-WmiFK;E2zGo4ct`{KQ_6yK&jX-W-pVhWNhM
zrMdTUm`G=~+qbcsbBfC~9=jg!-EQmAps(TLD$i=Hh#n*P=Q*k#7lS)e=nM|I$F{}g
zJP&10i{LsfhjNgGANBE1mRn@ui#(B~Gy0?X&J6Eufp=9clqI`VogykXsbPo9;5*Ki
zlYtlS^wc6ic302t4$?hU&Nnt4I^RG3ZZGwUUY>ld^O<~V@Ymg1lMJ#EXGRG=o_;5n
zwHv)&K4JQ*i^k8$LB@}qZo2Bvs$$2c-BxBJ;*3IMomr28(i+G?D=7MZ^-$%bR!lTo
zaavo}?Ys{b{XSWj-eaSl9t2@7x)7CKZ>E-ejp(N}I(*cjgXSk54&I$O%sehwURX6~
z!_;|mx{Gsz0<*heZ@Ib)s5^w+hwl#Wf}WlWM@TfXw%^~*P1YUG4;)TX=|%8GBy_eP
zcRH*kqm^F?Ew;6KpL(a=-hr2DtOpLm1T4*dae1Gk-G|%j^RsL51Z5@O<P19Dmy+Fb
z?F_d*&S*5H{&gR*3shm$Z+Ap0yN6p1!UKa_4`DpZscO(}|ARHwgMK7!_DvI>qNe+c
z7QIUt=j8Oogn`4_PU_Ln1-NtO;2z^nsv8+8U+*K;uNxFy{yYpXoTwjZl}a4}87+9N
zx82($hE)%c-tWq>y${B>QWZurn<1Bz0hW=-2WuLqpAY68xMw|RpxwRtbHNFO&@SmF
zM~2x3VAghi^bbA=%i;C-^|<cjLZoZPA}v(O=alK@@S5i#Qt9oA$kIjYrBXPrU6Kx6
z0<98DTMLSlvS-zUN+pU2sSMpGna`xoaoP%(`4>m=dO{+^(Z1VvLRMV$kffi~96vzW
z2r*iWTp$r@fA^Kgn-_J0r#JnML^*Q4fiEuq)K%vF%lycKW-g{{@qYdfpu3ZS%QXv$
z%f8ehhWM6-wPQ9@q}S>hvkm;@Gj6y82Th`VE&G5ffJ9~QgddXZ10?*TdMaNe_oblA
z0`LuPE1+c=K7~bw{aaw?O$yg!7T<aTV$IZNK!a9hk2&vr-HUX;GM#x>U$q%B2RPMF
zfccF4FA$w1zh`t}KKuo^IS?p8NeNUa@6HF{Zi^X|T~|+1*-d6m0kJFMORVnqO_!>#
zn4(zQvIVF*v!CRVoc%0%2c`II<)nSIGLFn)z?{&^XfF!orZ~}f*|l3`Xm>CBazWyl
zE?_OhXs6g}x=wNNyxF9WxsZ&ny&rjPv}6dYy^4>P?ErS~-$;D>%nf`+<$V%U$!3w3
z3Z`l-KUEkncmQV6`Ut?E41q5oIor3FnQ85g5{3{F$-5-d*!AE?)h@M{Erc)LEmN@{
zjo@_b)jwVhGU)+=Y3z{^bLCduZ^9i{fgaI7-QJfZGCrh=KE}Z=M{JUfSpHG|RjzpL
zodF(*dQlB1{oQD`1fWq~k+my}oa~J*=Ui?c+@b;XF_m~74%znaVFtib^vgIt;`=V2
z;IcuWAAFYhaH!1Z!Q##A+2wfCr2967;SR{|2VdD@IF8?{`MmocPC0q3MDlS!-SRBQ
z%|5090LW}0y?5SyfJL#_%R;AwmA7dSR#tO^L3Ot>RChG%*Qv0}+8!m$J~ot4tRs+g
z6+*_gxlMLhZ-0x$W8j6nZ>#megLXj|P7;>Yc+e%X;Ld4xv+|_QtM{yK`Q~XH)Q_b_
z{e;u|a+YdUq~*+IzR4MDI9X#QE<KpfpRz+l@7m<1C*t0}#{wDwSBxC@a2jh`TkowT
z4Oy4dSUC-FnzzgkTXv%DAc*AEj_hJLX;ns;q0{cQi!Oe6(EdS$k@-DM*cO3*6YmKb
zVXIm_ZBdjWp^39X7YB$t)@AUfmoQ;%ZB9$8ke0Ve+s~k$=8q}ew;=OZyZ4T<2<6eb
zZM6G{p1Ue^K&b1W`Re2nw$Lhi?@MU+6RH3#a-&MWIG!x6XDmC-m3G@^knEcNW~o{^
z%kV`5r{9WuJAGWu6g=g!yQ%f`KH1bf#^^SY2Y8&aa^rT+sh8{ab^-Q6#ESNqThzzK
zWFN}yd+L)QknMocUyfM#L3N+m%X}shLL=(Q`yW41fqk^X(K&HPSdqg2yb27u^^>WM
z^4xFVfa>o`PB{;dK!eGEvMCW47x(jcS)=y4u|F{3lFiCZ_W8pzgXKJyN!|*#S9aGY
z4|F~C?Oj+OzJ9EDKR(HDdxHGVq<J9k*~s0-lb4sM0>q8T-gc%*+$;Q7^S6MP;d}w~
z&QL6aCx}*+{|M-8sxsc~2x^2=2w=b>Gu9-Lk-Qgs`c5{ot8%fvVE0h_M<nK-66Nbg
z++R<jOkbb+zdPNM9IQV=t7{k<QTT0iD)PkOwoJ*e=8QE_wC>Q0XL)B!Z%v-KV-qlO
zfnJaF&t#^7)bbFEDb-6nL;7Q&7w4%1SKyNndaRnO+HKu4htS$QebGrV-d!DaB&E0T
z1{~!0v|eJ?Co9a`3!(90F}5wjQ*+cbofrK0E7>2#-M(B^#yICgEfe6Ynm+;sw^a~c
z7I15)-l02&z`LioKoP?<&r&<wES)Wch}tO$AhL6r@ES0`xd4J*h3du75^x;K(<3}O
zl-lP&GMI2t&>=Qb&#|k^nEb}IY1_ehz-{5N_&g=ZKb2&TRX7XbCc_!Q%w`}UR^St(
z-Y?~me5Nc9IHB#*NvXse0@D33pWbZ&z$uMn=akj9WjLUX3~^J!GWW(sUE%yP_tE{1
zFda8sRV7&hYk$l(A4PO)i?ExQAcq4JyOaUZ`KOkESVsTAr7NJ2bwvQk!K%k49&tV<
z4J^lvtQNd4=Bt46poy|Be$<joR5(>4U;P4e8y{Or`DoNY+KnNJv6B>xy;azX9n8D;
z5CDb4NuQ%XeDp{3E#tu_U@%2MIH-N+gU8w?*;$n$PhW2pI;+lo6wIo}?z!=#H;zM4
zusi`lh8M>#(3(<!?B*{yfYy-R6o<&^b$?0=df%SLtW3(MMC1h76X-?NIwLhjHeDwd
zT5*t1yAWtokDKU?Ex@JW5bNAB-y&utiv_WgtQR_vROCc&w_L7d#t*-`>UxbzXpvu!
z=7vk7&hgoaJ#~l%mLf_IV-iO#AtlX-kCa-U2<s;}d$IKzTWnl~pPAM(<zv5TCAwIN
z3HPoI+AQAAtVA!w#%z*QDB1Gz%@4qDN(H3T3mL%T5+0<o>nEgLa|#{-I6y=Phu<$x
zRTzNGOu!=ywg6W$uJsFf7)^Wl031x<WUYM&NU22keK~mTTVp<&GDLFX>=wzoxi(H^
zIDA{;W4+IMUX3HV@wQ?f?#;!(7a8uJ@p(Cs?KJX=H{1664M{%sH)LHu<PK+?ro~^5
z7KQY$hl_T_`PFctXd}q#tWmm$%4i^pQzH_ZOamst2IZsWYfA5tpiQqsAs{|+`S=8U
zyf4M(f+VdLU#Kc5-o=Is5?(#Gy)t`UNbQ`3$)v=k$*r1C#<7YQlAXlZ!>~M!fa37r
zc@487RqCc;QGkT^4$$~BV2P2^Qqsf~#sYsCBL8{x1B>(DHc;QUP}ib3r?b{jmz57W
zhdQyZu8d=5HLsJ<N8&n{8}EmS?Cj8c^2OnsG`t^?i@>6w=#mu>=LyA6)Vb1@UmcuB
zcKo?5Kt3reu`QU%SATE~Ts;)*SNC==w|m1X)&v=rpG_aqUx2BcGQ&f#T%&AwMVF?b
z)7}|4*($TAyeW3H4ToNG5p1gA!_p6Zk5cEv_}>lr_X!3PK*>j2D7RMRvz4$;nUOs%
zCqFV%gtgeC&Se#>Z^Pnv4=qP{59g6Xob&v@usx%7jscZD&;0g=bcC3gQ<lo(Ia$LC
z^7FVt)<8ie${Q#s?Hkl*d<l~P=*7&C;Wn{96fXHifQ}(=ASSOAVNJCf)zA>4kG-DD
zNfBOZqM~p6wMuz-(P}O&Eey`S6acN`=A<l27&47!-)F!Qe;()LRL;hTBJv_Fyd|vw
z)}%8ujQ`ARutkFMq=7v~2`V?pCqh^-932+xEO&x$fAo1WNU_>j?n=M6Y$?{SjrYPO
z(|{CM(?sAi_TraN_qnj^E~^M{_zSQmrRVW;v|QM5-2$)p2oIJ_Aj9r8pzsqFw{1#i
zk@mJkAGP>A{+Tld+gZE_ZLbeRRLsM)0>Y6KpRn?XdX$*!_|aBKY*sKn2R`^^_)WX8
zV?h3x<YHpQ4-fzq@dW?hw@>p(uQ=&?<=^dp4rCY#p7fsX9sQ~Dvh3SLZt{6oUVPm?
zMwb2R6WmY%G{SNF*QGVMuW@BJjZpz5?J9HaXe&bD&umz@uZIiNgjIbp7`F{iy{V<D
z#jkKJ_YbnQnPXRNijT*<_2Ee2Sn86xHW*Y=I^^LAFO9$*xf~fc)@ylAnFnEnY3)HV
zVzT?Giju-2><cIdLHB2VS$9vP_>i^-H>}F)tFLfhOOL!7G>y(OpkAva-2Q=wRt!`S
zLJLwFNZ(FkOAGs`D@?(MLK4Z3@ADx9ZBM6<jx$vv0ZL}Y%j$C7CDRoP0*c$b;Lw}y
z7o@h-JN*d6jAZ+kc-7!^KiK5K^uv7b(Ek{v+jBs!ep~KyW*DK9!HtS0&)7g#TA>I1
zt&6vgF;s_F7JnU!wkNv@UzvZQx7<=VjO`6W{?BnO=@TmhVK=taJ{s6;=+B=-0D&nx
z?**+7`bxvlNoPBqNPNtR^|mwD4bcvEr?faqe&v^#c>9mDbOX$r*%%xuW>vTN<{~dd
zH`&Tr<a&2ieA3_7NVz?aKNeKFQ~;DR#u;<tquLI0GWUE2*wO<onyGGhPX(XFZ9G8Q
z{gH(Xj(<83xBZ%U=J$)?<Zy2RP9Z7kxMQJh+r(k+BV6zDk|<BDVcrkOudE2r7}qsH
zPpI{`AA4Zd@=Kd}P=jA{Gi!3haH?t8>Sh)CzrEpqe$fZ{`a37=@#a_8m-%wz(gm<?
znIEqG$1)#)1wcB@={xQpE)}d6h)lo|(M5@wH(D-pO6{@}#reigjNnsA#%h6LQsqr4
zG51}ReAr!}W+&=5&uc3;!qjq)TQ+H5_~TINqko=xU94|oCF)d(#lm7~8y^-YhV;G~
zTK}$x7dy{hlw~P|Pq>fj`M4Q?u$`5lc1($~Q*(R&zH`9nGng8^D%{lnee)Y4pOSAx
z{G>Eh&{^75561_wryxM$Hd-+;lP+D1zr;32A*K*;yhwjV@Z9R4yC606p}s%MK7}HN
z*1P<d*j)9VDlIJ93!mh%1wBrKW09KIBm@}0?%<wkyx)72`(o<64UA1cHNzmhJ|hNI
z7xy>~bPlU><`|dxgl*R`S*VEN31`0*%g&mIHrxsXI5V+e-^DzQONi^m|9Dv~T5>}W
z5HlhLSPDXMyqkv9N$V@7NyBf-M-XJdq+gE&NRnGVCs6^ln7XN4T=1L!n1&v7h4tT)
zv%UZ$F?Y=`E2_>VS%XnlicE+}q1&RP*nv0jff)S!5f!B>^pGNVsROghzdWxVWk_Mj
z^8I^BH91UeZH``Z<VPPE7!MxFd$jnXJu0+PY5fo;oB>pZ#Fqo*cgDiKw@2|apuC%}
zuc&*YaD#PnCtnqCG*mROOugwx|5SYFLLy@>AgBgflwyjPl#zKXD=Vk0tsSab{iQDv
zvu3*Whci{vZp)G05s?);lY}W<A}?DP60v_;(*{%uEo@nLa6F_3{fiV=I<6oI2-)LM
zjJ$Z~)xI-sAhj4IU&XV~g5q23gLK0;xT@=I;9by6`<Qg=YxLW=7Do;yY;|}sTK&!R
z%?t6{_YY>UtrBBms(26O<W#h^KUIvYE}Q1Q4et(!_8JB(%kAw>J~Yffq!?%VP#*!s
zgI(u8ZuTiT&`kkLa(=q*oc*q_D0ORHS<y21Te3qVMfjR7f!D`n`N6;k4|^|28G5pH
zf2_{a><!H2!1OV!z%Mk|1KZn@tgPa(yXm>OxpThOlMb<v9<c@~@9e-=Jp7?llR8&V
zPvuPXr~*$P7dBE!%x!CrRg@gd^=?u;6GmA!obY{gjc3<xfTTpKx0`9R_tjeMj1|3}
zL{4x(WsOky;Wsttls6#L&7t=RkbVI`yID=TSEOq+^bJK5l{=<MCQ>_VFrr^+@nEYg
zQKcfZGmQ2hynVRG&*Sxd)(PT9-YPRAKLOFo2bnxq(ijf||9WlP!ayG;PfzQwPe@uK
zE-X*v$YBLVs#wvmy>+!dvi@jUCQlnwsAA8}+>gGQUkr`|iVt|L#`DjN21M4~3cSc5
z6|I$u6_5KvR@75MH*B*4{i*pT&tte<vEEOOU<6wUbUCoip7=CSqyV~yrX9+q>R4YM
zSE8HtesRJxj>Hb0^np4<;ZW}}IrPsT>(+Tw`!e6QY`uUnWwcqoRDXJh)-m#Bh=!~a
zj?&pLwkL<{i?WQC3HSS%bdPzD3>Q#upa#ULIA){1ybb%hWv7s3VQ8nOeD{D+gn0+F
z80cv)p&{rNvqJ#RdF31(Mkh4lPDI<h+GcY95O#amWmw>^ApqZ+Lc8@w>JgQ;dccP#
zV@fSj-HX<Sn)SAT0?P*r%}9g7`PeYGA;LgQUI^KPEf!xn4e3<o^&>5*=QhhbSu5M0
z^T{)>)-n}wk8>Fm8Lo&Cw)nr-cFWdem}5ys(%krs9w03!N~Bf)o}GCU)?Qzju-+Ho
z<M|eP8b?}m^BGzFvU`vU7wcg;n+)%-G>?YzXUg9F^^GZI786Yi&_y-j9-QcC>>tJN
z)+U&U1**+CR#>J;J@KBv3Bwzoi!YPYSrpbQ49jN~>{>g_ihIyD^h>C&4XQ(N&biqZ
zFd<WAr|#muqnv2o_44mT-o@J;#kaon#2pb=hCsFTi=ou7Ti;!_9DO1_t{c!vRft#v
zC*&pyQfPt5`BlcAnva9c1kp9-TUg?`X6Y66bHl#!q+goqu_-xE(2tAus)1f_*5$v1
z9u?vB)o}jF2>wa&$h&<?3z+?wPy9UO8ciH-r5I?npLXnhd0ewaP=)h)Xmx!@;D{2L
z-AxlL7oXwVk8dB7&)1q3B@k;PbdivuVpCwn+8HV{V{YP-YgyT1yAbP(1sho&(@Bq~
z^}oTbQJeg!vd?hqlD$CSc=4X%xH<q}s0y=G=IMBDe_)j<m`wd5C)=4CI{t!jcc`}o
z{Hf*1yQbbZ3r}BO+^WkqAxX3xNjDqKcuqFpjmPO{@5+Z=#yHPPCwj{2ZLc$J$8f1y
zUBBJmiQRe2VXEb{I2QeDg6?z@A_l$gclR9NZk`ArPaj_?2O(H(|6Y9DoqWZ;jKt%S
z+w!@7{a=$}z|MGCol4Yu1zj}Hl~_5l;pJE>3)qg>8LXmKGGD!uLwt?ihj>DmhGx2S
z^+y)FTK*rlzB(+*C+r&Ok`Ryv0V(MY>F$sc=@Jm6yOC~?QYmR^Q973H4(aZOrJHZ|
z_rC9cpV#H3Ec-mq?#$fxoH=vPIl}bQSc<2r;azeC$24??!>iUNxB{46@I}99lI~Gx
zH|*sKfz#nTNa4flkHop@n<MeJQ7#>|Vi?uYNUFG^v>h&ZO%;nL&GAip=TUIvQX9#I
zgulW+ucsm_1o_0mv)u4xZdzsjO7iJNDIKq%8b0h?>v^$G%f?AQ%4VQ0n0JmA=(nim
zwE1USZE09p^tlJlwv2i$madn|m%%r-uQKxA*~6VqIXqliLj!avi(E+ZX=xc)m<X^<
zSeT@(88hyy{;JQyB*{{<?PIJ-Ki2aT3##};R^X5qUbzZxu)MA!KT$LU4c5SN|CO+S
z4fhMH_Mq?ot==UhH7U@%mTb&>c_KFnlJ41-#f^pi$9xi^yi3Z<2NK!bv$Y}_*=TDd
z1yo1+YvpPIddipftBKT0{QC_4?4o~M76<v3!yLV5m+mx50MaUw1tciT`(<J)d-<q7
zi>KhZCgdg=A~Qus+NhwLtA3@=!YiU^E_fhi_hs$=Bs+p2WW@UC4X%AWD-)CScc1UJ
zf-Ge9?I`djH~Qp*>;?f>Wykl8WOptO{bC4<6BQxTSh63sn9n50dIP<V0$t|%f-v@s
zxmDn(IupsFEeXHLW;>vhD1K#BhOk6x%M|P7^tH)_)%pwvUUQqzTT<Q}ARe0IU%<!L
zhU?Y7(~!Twlok9Q=~LvQ@OUawk-#Qibk8GkPtuMe3fPJ?7%cd&M6|#jNCf<U+YUF2
zIQqtx>=a$$G1b|{s?bz>_<J(V&}cGFtPoU!@WF$}sA&c1bWVv?p}*?m=-gbS_RaT%
zW5b^V0^_m*hk46lou8h*@Y{<uiG}X5^Kfo2YyZHtCtuECZEc!L+NS-K$hPdjLLSZe
z7pf#fg|a3*nX{zU67gXsL2BP^=S&H8G_6d7F)2?mFH!xLSYg~Ln_!mT|A|vcXT|qv
z`BAUTIIpej%W=om24OME^|`dFz0{@f^*gm++N9|8G{Wba6guw;{8)1ZJ;%^x^w@j@
z6i{Aen0J0s_@Kq0&GE*vkWJ-dJX^dv6F!S9eXvBaUlAYq$=3IU_kFuX2->RVWu>R}
zaV~c?kS?K+D*ewz7NZfdU@*GlZj&(sN`0#^Us^x->ey(NjtVod;noYVB)K)^6#IO(
zZAJ810WN|ToAb@?qTu9av?u-WQPpww?X3)ei2zQl(YXo~80hP<FJ}2Xr0#!XXXK`I
zw*CJA+iWU@Gv%A*{&*Yw0VW2X<CiKjKNL|=U)5?+=!p9s+`2R=$mSOFC6(YJtmnVk
zi|OCWi25Kh)YuiJ$&i`;soltA=s0;_W0F$9#p3R#?Z<62X$#aUs*U>I^Mqa`)tt5l
zI}0`zRn(9V`n31hp|L7&^Az9N4uojAFxA&-HA#t-59y*N7y1(yFv&G<|6#JLK`!x0
zF^Ra)Z^u{InGI)r@CmB&smXaSzY`&@Qj0O5m-^2c<KJKWi@(T|XBefH*mdF_2lBFB
z$U!G-jl)8BH}U6WNcoaKu;eP0U84}ROGWViY_K7oCc^JZZGs&8mn2!`4cot>thAqg
zx^PB60cl2tApwV>@^&`H4o`WA<@zD#Zgl)dTd-rU*8Sp@C_EgIfN5PqV_j3V)AL8j
zwRAeCe|cJP!PdtGuO0*<#|3t7zS@;~Lc@-Q*@=WcbLa*aoAJW8F_`RGxAOeSRR2GI
zlS`Mpcj{rv9CZ(wqOjsja^Z31Jtw6`Omfa%<s;b2YHhcR4Q7G?cAvKC5a8Snm%`p2
z`J!qRDoM3OI>EKBfd`P<Lt=Ef3NGjNBSEjaDA~@|;0@@M17DDJ=Pk1aLd8@TLbLC%
z8XeY2{lv$bu{Ns$-TBjRXF{!Em2bw-7#qmvu2xG_ccXJt3yRI;?I!*bZ7xRaayMg$
z-(tPnawgpLS@7gFW4vLXY@~@65bYXxctM-Bb+)1SvmW9zEg=~5;=)Jn(B5Gm?>Ibu
zB!D~fua&6%7*zJxm43LpY~A6gpoZUJF0Rwgk@7?j&bpk%H?sgEL+!}_aeB*bD#Zs!
zo7a~7)*t;U@oP1gZkdopo0USaG@V+D^nw%>)wH$WWXis$%OrmFMWwLr59f__=%05<
zsj2AA{R0PT+H@1YO5fAze@Z7)Q0&@6(~6tSSNg|v!IXTFwD0xC{AWWiUBC8bJ_8ed
zTJivYLSa>vR7UGN#+xQIN37(Ngb~1@X`pq$%(gu4i?)BeFN+f_kB)|KrD#`EB2pC>
z+o)^k5k3&izk;3kYCyiYh(Y~=!&B`#bru4OE*#ITcs^jx1{;L2a``P-`CMvHO2KSl
zuB`~PD`vwHP_T0=i--Zc9T?}k<2$w2UMC3ZG1QHgt#-FfQ*!U+gQ?W?bmD*#0|-=2
zt!eNS_&?>jvL&FJ<KU&Fudi8KLkN|chF)0l-iJG4WtsZRsfp27d%gcE#Bp*O3RJ2w
z{`i;JxMY1D{&+Lj;8ki^i|c(wE?2b*yrtMZPQ;p^Tk~)M;Nqs6ski(ORh}nZU&CfD
zzq`>pU1+8I*?m~>P~J;??G%%d=cwEnqmu|eN=D<Q>EZ3r6n}2j>xa{rz?$f4{q@Dc
z^?rwuXGeZ?iPE19eDmz%je$%P;<LRy64L<yn`XWl%KOgS^`9l3vC|r@y&&wwFnA|d
zw9ST2pZnoK7EAs^GCg@XZ78;w&ktumfn&GrJqrt<&6>I^!$7#1wET(=yYG#L^@iS0
z7u}@`@uXz=tS^_Je@V;qPgD8g_dor7c-dgkz#=dBrg<lXZ}&ygC_LM)nVO2U8wdL$
z;xRDrdd<qWlPXcIG<_W+nPF)jeQPl$!)(NhkRLt>5rS7bZs^7H@4_RgZ7Q-IX8U0}
z%k>~Zlgv3Fy^;1I>Uze@Tw9BfAldp-x}wx5gFj}Q??cUo(Mz!GTI>`+ME{??nELI{
zxR#kcjN};(Q7&d0Tz0xHlrphIv7mi@9w&5YGE`QtqK-Q56Sr2X5>;DMKEHL`ZuV~j
zmSdo-22_JVLq>dvIzq8(%s<clA+KG$p~p;M`m3O*ptd|3U?cM6h)E%Y8Yg@~2DBZX
zN0YuK`S-6H<QgJiph75mr%uN2LDbTC7<VE>nT&8tgNgvlGkZ*INN_@zlg`(ZJr(WE
zSE65@r`6;bNh7iHA1i_T;edS54Z9i~m=(HCrT=Z$@iCf$2fp#@pko$8wX2ITJ;-8U
zxy^{u|K+BI1(A@)E4QP$sK3KPNU26nkguu@T3T9W*T1vn@_l@ue<`bN#kqNT)@%Li
z2+PXKPJAfA4ihjsuiLr*`+H+Ee`mRc5_Y|NRtpZHkpnLn?v6dp*e1u2ARt+T>UOXI
z4Aw-jw==6><;>TRH&&jU-~1{nlGJj2UTm`$uW(bhbw(-cDJ=kNTjb}Zov{YqU?9Ib
zSZc=J&T>a)g{+WO)ohh-gX~C^_MF{woL}E-%=7w!<?5%Cm_OJ{HJcf2yFMrs364DF
z6cfz#ySQs~oMWV4JK$1%2FL90{d~#e>@(;t%I@13J%?ii|E?YN9$>Td>AZxYXIsRV
zhr;_*fLZSm3-|yzwx<(cZ^$lH9DMu(Qp3VsYwq>EWqCKqyFm{q*sFMyFFl{Y3;=XE
zIHSqA&_V3A4(|4>?_ujlPAMVRGB;p@Mihz7;(P{o(ye#=i^KSj^?=)g-<9Nt7QfBw
zc1w|H;L}56MlkHLSmi3a=HXaz1A<Y1-K&2CO&|`<^e%Ssx`Q11XF23q5X$pTQJ=Lp
zWc)6j<Mutn!tXu0`#hHO3Ae}*LSlI)c#k}=J8*z!<MsHqNGNX4^Nv*-E!f4aXF^GU
zJ+;!}5qW@O8=wEe)%GvbtwnQRx+A<_7xh8xQT-lJt6kci#-zQ9k#!UP$EJMUV_=Hh
z<7AZ{5E-y;fHh42fI@QS;&ZUUwW}B|Q0RDQ_J7>rC{Dg7y>iSDW=OPYeqclL`^8eS
zio{}_f2A+h_Hy^DU*XhJhwaUVyrOyUe5%H{HmSOehLPK3jX`73=XM@DwEk1usNY@l
z8!z3%p^fG*$Y?+PHQ86S5zEP1sk`w;xx@7dya|K<(F)RCSSvMJWnGGVEvdk&dkI!M
z-DiZGVuXRnjXp%yUomwcZ2gUn=hTGR*v*U|_KG$lKIbRWFGF5qH!Pec?n5>5{_3WZ
zze|{&AMiMvjo)xd>fXY@gB6*|z7N*R<ND6L^q~?RR2;o=J6?<f0+&ED=%s!6`;f6*
z8ROocfpz<F*z3Njh5<~hEjSpeqDa6f&SSHhkK-v%;8V4(q$JHz-4z?GUsi&STM#WX
z963P{RD!T$7J4v0n5iZlX}KnWJSLB<HvJ_uUfrcP+x?RaqHFN2BkxiDG49}Zp66K)
zlVJ|sUp$Gpf4@*nZH`IY9(o36yU_H!Fw5)3M`ck8(puXd*Qayq!SBM)y)P+RArB~y
z{rB}An-`liHNJ%9PyLoKb25`hdFPXz^%2vJ@KsRo2g4r@i#%D~0vM_t>ADjq*BT@1
z*L`@u?VrRIYyS@OBMmHhp@4ltjja)_8g~1HVe>y8uDed@{O)ujXHe{wQXuWI<ck8s
zFxPvjA~DV{Gb1DLx=o>9bwI3q_jrf_;x)x>I#0V3V75tgfV~FhRgR16h+pMJe_hjr
zpZoi5Fs8fpM_iw1rLKbewS_9{f$1(7_&%;APcKV&dJ>mEj2Aj?eevWs8CHU&wr~6<
z%-WE@yq3Zx)3&WVM%RchGesy%rtLb%ia+^mMrF0PPi(KtY4L<UCoZ+KQOSP?Xu;AC
z%@k*<KY~Eot)(YiuhLMF+6;KCy9$(rCSW%crW(4i4h!2n1C?-JfGySf!*MgJUhQFL
zkI1=5(|-Cy@{m42UU3HAmnLUZ<Us$3l(q3%2$MoH0_0cIK1D@GSUb*IW`5y%IoN~2
z#wLvuOvL4d2pc>Tg(}*$L}_LLR#sM>!dIe^B^3=yyS2{KhOiWFCL0$Wt>xZCQB<r#
z#s(@6)h=vjs(2g^Hb|#Yuqow*=mu*rDY$WxlM&+k%t85s9|bJ*Gn-M!9tzeYTG-m4
ziS))d^EOVgff7A)Nqy~sQQx4DlXDH2A!O<NZzNz1)@tB?j{ziaFesl+2#PcOVL6Te
z29ZqQL(FX`GEAjur1^y8hu#Nub;D4YHDs4gib;PS+Bbf`=wha6$Adc&Lw_?Q5w{Bh
zj}hr@YVtF(fg?m%wJLe;dn}n`#T3H3(~9&nJt}C{3oAy6o-*2wAGPz4;3NT^)H4?z
zovRDT2}ZAM{#aAy=`S%qB(ozn3x-*UUqUIthN9Ll=G~85&^*e{$;5lK4ZiRT0jW80
zSDF3a8BsoVrVWG;{_E(VNGydO$1SW+oBHR<g_&}N+gNj)JKw|0ONlHE6nfb+GF{@)
ziBHW<`e?Qb5A~H&D)!asQ6>E*6Bx4!<-{|7yT}zK28!sS4}Jy=M?qntO8&{xReD_h
zfcA%4h2uqc9H8n2;56b!*JBf&<+_#YbD+#s<^wo^ZvwuNk!f5uByX5PxIR9FvV7w)
zdlQODfeHtN-})ooX=p?N{WjPr{=~`QxmL$3`s6s&5W{crsPEc%9^Z!Gc)x-6zQqIs
z&iLS40+Ep1q$mJmm?ZpgLqjYAt^?AZx{L+nqG<7M-@WdoU{;@RnC=kZVo7-sA;&bm
zA1lEmK~_}UO@1X3tat2#6DRVBiA63DN#1w~A8RLxjNMMuk^Nnzko~l76^t=>xTL%Z
ze&;ryO?_ej7ecW~zZ|}GBUBq<0OeIgaK`<4P=230^p=|r;rD<2@W32u8%;(v9$x>q
zFuS1!tMT%n0|fQx%uFz`2K{<#TL&;A?KxwE#KN9kyLj=6*M2sZW!^1^aVzDJUkIE3
zX@Tpv*P#rsY(rk}L8G6zeXhrTcr6dhR&Z)yK;6&}wE>AVa<sk!(9Doyv-=tKfYN;$
z$|kZ@Lm$I~_aR({31&^-Hb~yybi0=S35m}$dgM^Me$VCDa|aeLW0MP|bDm)GEzST%
z8o^1&W&l5Y<M2hVv7HZTXg~&DxNG;$Dm^uajp{nn0Uff%ll39J?qrmFKHv6qKrWY1
zKVn+%aHW)a>N}{)emURkpAw|;_GMrFukCdwlLVe^I{$!GAx&p@nqL0RrYN-bz`~4V
z?kB=n(cDb@8!4;oL?y1h*jpY<-xx8+2$8U0w{L#<6Fs1gxu9`PujIu)He`+#rB3Aa
z`_;UgQ$keqkOA&5jpzv*#KWC(-`x-=sH`78t&O3nPSa+(i&-2P_i52xMjL5^Vw7)7
z?cwX8s{oF4<;IDYWL9hq%=`bHZSCK`TWcIxa6hZA`G|vPDw=#cHg5XXa%c9_>%wZD
z-0?rNaI>Wk(X~F;5Xw8UM$LZrTxO?TZDvru@@<TU-Fr)OFjIiQ*;2J98Kg3e4aK)}
z5;%yx=2d0wYC`knRaLL;h1VJll1O=7*dfmAsnExP<(S%KU0|xXd+cy6m;4o@-s=cV
z1}EKV_GbTnJpab=8U6O6B;fcCR2cL`TPJE6V2tn+ryBTBC@7%&&tC%LOj9ttzi~UJ
zk295vzWPigyTBho8h0~32>rm|*zi)Y+&TFW^`={_GQx&_bs&|dx~9eyWK*yb?kXkL
z82iy@d>A^!z{b`AZY9&-IU5*jw(KPbGzgVe8EUgv*$2t3C~O<Z46>=?$O$sC=FeOX
z^?q*i71uZXsMxP>>bK1Ew)=7J|NhLkgknN=C2tcd8E%8pL6~FCFSzvyWi!#D+Q*_g
zoSeAe?MhluwSn1WE|&uS*ICwjtb$VNa7C%f?8C9625Q*WF*w@qxYtMjGw*ebD=9c+
zCKDrw1^0XHkf%T4qJQ7sWN-(Uh+D1nOMh}jdHFLqcIR8@Or0m`<-uFHUc$hp(_1~b
zfc|F)?6y0`updz2p`}>__7!c92w_P+cwRLL1Aq>I-u_7j!G!{MFzXJdS9{!!=KQfv
zmj%|3Tf>>LV8OVaSI-6Jz8ikKYc(L|<;15aZXN^|mD*IGjb6T7hlGMn-nJ33KBqaN
zSi#(p)A$&yP7~MBQ|<@Qa&hO8@ZEwf|6vkdr3tXJsCME3-lOQfkE~3D*j}O_L8QB#
zM$A-s0@J^_C`|>S+_+l?REdM7M$yYnD#y+XV4uq5IM+uX8P=Yfw35LC&fKj{E%K#S
zI7x>?cb=6@*}`qGKx!BKL^FMELweuGkXD4eD74957u1>Mmy;2h<3x@WfA>~#K!L+;
zP!5x56q`mCv&WgODYOr-$D}pDkNU~R-V`K*1WLF$Z!%D&j~{u+Ie1awkc0L2{{3SB
z;<DIl<pRa0Lfo(0cY=%0smpK{Zt*5woHF{x@GDrCED{wk$@{Jpm)OTr2z^Esz-|{I
z(^rHk6!avSiUcKOT5sQpbjK1$)asOhA*;decuzzo>Pb!Ed#`(c*w^LZ1sz~uV(9|2
zyy5=P5bZ8ET{LNssOT*|h5w!>v!^v<C^qGnf`X6foc63TaTF0Qf-!H8JW)aWM_LR>
zXDBNV@gHvBfn|qB)BPUj{q8C~^ggPh?Met#X1S8?cMr`w02s!=#MA{~4Ro6RB?6V2
zp<zL03*X0cxyh-i)mZPRFI|d;U9gt!vLH0wie9G~+2xv79{JI@o*8zsfKj2_u<3<t
z2C;m`%fqu?mR#c4-z4x&$WbVktf(7?CSaG(mrSij4zPCSMXXbUz1E85Is!O{`y@1v
zyNqf8m&jn{fcFoxsh}9Jy6&`@&}0sp2xROWk*2wPW^kJ7O$jJ&_ch+%x0eucdf<Sy
z;$Sa&XaBQ@%8!e5fL2_;cOD5i_GXYT<Zx_%FLYXK`5#oArL8a?{i)FObm|VM8_dS5
zqaK<#;UF+<&447|g45l@H%{xO2J)HC>SNfdx5WtQ<>G~<P~(P{(9_zxbkAEK7zn<G
zgjMFsuJu`_tUy~t;|PrmLsuokUP)Ok8rsJ8&}aEQ8)5ZC%9V|6-8>ec1Qy3r?|rxG
zQ)$*O<g{FuM5qiB*xgQJ_5o~pO@ZfFtI%>X{*Kvm*HtN#9}7s+M%)f%3RJIf;7qfU
z*l<Pb^{$^LluoFKJew#`X&<P7M1)cJqK^nYabl5+M2`5}ztP0PiNokM=kz#?A*kDE
zcV>53f%C`=n@%Zj%_q#T6rOk?HoShlGxo`q6|_j1(;}`PI5+2lNs@Ca_wz|R^oTFg
zY-?<hK~BerZ+xPfvcrX~Y5usOC1BYdBzz(|QAhg#Rzz6g(pk)y>2mDEogjI}39y6g
zlT}n?@;eLjb~u{FV1MeIwd3qyM?2BW`wo#pZFtXd)%Cx-<?<sgKu%{OE!<xWly`yQ
zjydtM#%?(T&^2Jn{_l+1e=pkn?;#3yC0xK$F)iyx-JEUxG-^SI=>`3_&*R1Nzjeu>
zjPQ`-)eaqlP>f;W4%itW*gL)%KL4Mp-T!|2?=@?_|GVP<wu%ZC|5xkbf3AUD_J6X!
zjPdM<pZ50v?YWqzvI(Gs$F=>4@l#-j-MhHl{ComHpxJRdWA^A&&H|=7r9wZ5-9_Vn
zZu4yk{r?JvfBZ<R+$k3|0jpoTcfkO8z!n&bJG>eO8eyUfk8ofm%3-wv$5*cb%)Q^h
z#vPE(MS_D76FMy|q^d#>U;6*L&a>Vh)rjU~SN1V{&q@XXlZis%nA=DT<8%REuu{#Z
zT_-<N?M>---_pWn#f-0@*F9a?Nj?ugq{lhbGI`x&84~2--1VlaCKCET&E9eDH`DeW
zza1U{)(7)ewx7Dka{qy+Yn7aFerJZ|)#`n|+~S7r4++{v%fC+XKGugKH#e}MO2Djx
z^Ydx>p~2rlsmZSjdnwTQfJ9^=E}#fztSxSk5eR6<`BhW~$Pkt<uWlc>-3A%RMBaq}
zVh^r$wL`WNEFf%W>ZJRYn_S<5a!FwCOBUattu>ufP&53YJ|&MWnlnauNKA=zkiZvk
zGW=duA2xZ4D(p4g>})^PoT`yKex_}#6T|~*uYgYgIqlO023*r+H~N97N1d|oe2Pf#
z^pgHXe7U@@>Dr#f+EiknIgMFkHBVHBY{_r0AsN{61v~+)%P@ToB#$Mntt0+Dl@EUu
zmVdA;_}|UbMZ)9D#v|3b4Rc$;d8JI!HqcJ%sEJKPp6ml%eWQ+RT$qRa%@q^4p{N!l
z?Kt8@YjZXtYy(ws-31>P{_Ke8`}N&?<Mf25@ZJ*uhTWtv^Y!B5Vh*1fHBi0FT7N=z
zzZ#38rn4LX^di?NMH~ra;z$Bv)Hq;YI)Q8VZ?kO*eJ`jdFoj2YUvp0`)O<|~4!6;%
zl7y-HZ9M!(hu-g9xv#Ed)4-D7<0_sGkZUx;SIJ!ThE{^L;a^LYjv#+ecp$Ocy`xU^
z+j~SLz4=5_-=|FgcEkG%s3kb{77COtOy^@4-+SEpOioT_1A6!$k1JTn>!01knE~zA
z;tbFU*N0_KEzP2Fe>Z*|HLV(%FBR|ERZo`X>wz*$mZ>i|Z#ju*Y`cx4g`?YM{Gw~2
zyz8sP-do>^Tez~I*Jna!(80Sw58fsd1PRPE=zyJ>8IG}-gaoq$>g%dwmWv#_qQ;WF
zrNQW{IA;|p^Mxj@D{UR{=K->)&d0^c=~RD}>AjXpPrVdJ>2nixk`6?ymi=!^u7?e-
zOrHWRPcTI9;v8--Cr&Qiec?tLZ=IS>ZbsT3utmO*E?wcKH@RYL-T8VPL*x7(mH97{
z$~^8GMMedeZyw>6>mF3@``Ma^v#uvC9j6zsR(1TKLv=SP73*8Th2?NwwF6I8D1@(h
zwYu*7D+bi^_!h1v!wvnY`H9MQu>mPgxCW!br%Ul<Z{IMsp&Xit?Sl`@re6&UI-^`3
z_>ur$6<oq}cV5G%+=_OM#;Y~e<r}~BI!~_Kpl2T~w@;W_PBi$>q7PwTWzE+gik4n!
zMtUg>4tw+3wX!vD#_)UY%a>i<9Ul9LW(s?tir&&xbn=YU>o2ETo@`G)A${E5f^ym4
zbEG?85@SGW*C8mR;L5D#eS{gO@d%IWv7WGUcXlFXkMwh{^B<IcNRK-sOHp`ySpk;V
z6zxTYwq0zG3#z8;q2C>Rv4yS~mH>zaO{oEn2#NSC=f8y(@HM@3HE^fcZgL)mhih67
zy`Fvi&i6nh@-WM`>U|{=piIiQ)}YgbuUDHHY`@?~?{`7C99`S8j{qcrbuo+4>22qN
z>9gj7jJyU^O}9g~vy11BmmeQSRyy%iTRpeaLnt2-bk_X+S8_de5_&2(^YAJymnW`!
z>^*6Q-|7qpmI^Oj_V~xP3$zOGqwsfHw6%q}rk3eZteDEY8rq)|!BSj|i)R%Y)Rmv!
zR6Vf^UCc(RjQiz>ci>+FC)yPppDTZZXYaA@-^(T6ADluicc~kRX4EedjPnPguFFxk
zx$89u^%%p*N<H8a(9&ApU%uyMo%MVMc(bq(e<;&+ng6Y#N7sO1@Ueg2ndAKQv6${l
zkAK*PQFy8g(Z$6lY>%^SX8S3LCn0Q$kq>uSZK8J<wJTk0O(Z%7j>M0*_M&kagc)H7
zBV?T!%QqB$>y%H-<-Sm!RS#0$K^Pa+li7TCGPQi|neMjNcRk0~67z={I^S|Lzz@!-
zEVvBtovcX4t!068C7n@59z5msx9C3i6{1lSwOOGzew0@WcdwRiN$uMPDtxKR>+VhO
zpF}QeJyy@Mf?&h;`Y~0Aa=G#9+2HWdYCFd8^B$Ig7pfxFDBf8j0Ryb{s96v9%HZAQ
zu;FRCpMvMuj+S<k3<iIy!JPztNQd{*lluLPO?k(@|G8G(W!FegTTqz8gbpOsrW^tf
z0%&;ZM&z+mW9DMRPBRFdZ~0dF{&b`Tmp=VBTGr!1>Pej6z3j=HP7C~YCSclpKJg6;
z++l+6HO;~EufzUvPVZ!#P?+$)#@e$N4Lcha##pZ3Hx#-ar2&n9IRKssO6zru0@;@C
zwbCJn+y_lNK21-OS*=k<C;Cmh&jE66*|@Q4>N#9~WE~dWwgtbW>`{H#*gyF}`S|R<
z^{NF`^>8-q?#LfC)u@JR0mZZBxRW5&=u2aZJJ8)Zy;H+S5_#&<1OGJHJM;}>IP_$=
zvt2L6-ch7`4}Y)QO{p;J2>m|1-~14J%nA!7mu>gswuw9Jm8{3Tk<~duqaa`K!(?Ku
z=^0vD`-Lxbz^JR{bKwf%Q=ES=p}sQ#h4;ODy7%Sxx|^vA5KKrTjW0Abgb!vag?(yN
zg)Nv^Atyo$&QFpa`xPxnI{JQ&9&uUzL&^UQ2NwE_@a6mJ+7((hFV=#Bf|DyF2mwfQ
z=nGEshh<mC^&|CU{{D$g{%>otLPz{}weR=XAjH$nYx!WBR{oZDydF(H-*J;z-BniW
zYarEBi6n!o$-w@CTFv-%FqzGawAbr#qQl_<jl}$})3ZreObJw~C|p`8QQHsBT#bVT
z7e|0YK5lfe4ENZ-P!M|h!E|OC=zZ*udUr|L+PHjW0<r@3>bm~}@xkmBH-+Chnph*P
z{j%F9h#o!YRz|Pp7jP#TjYn-~74<JBCN$sz5<#wrV&x}v_doW7Yt^;Pj4jjKAX8mx
zK(aiVi3Joc`KYsq@4Pj?kB0|Y7c6{wvOHdRUkS(5*L&)FwAI(`MJhUu_+qbB_PCpL
zgc7GaoxT*RwBhUj(>aVWf>0HBwy>=qTZk<bWSQytvUivej>2!l(dSXIc16b@TKL;{
zzG$Y-1UdCUi1O(UfwHUT>GtnT!={w}Rb(nWT!EKx)4B9?@Pq2I-y4;;7v@6eCuXn|
z4Z_;TF1-IOv=h(a#)1$5F4J>MSE%`kSl_KLWVLSkp;ht3+5QpjV73u^ghD77B#@W?
zHBQFy4bD;H6V<}g3QdN=*AdYx=E0FG$7KZU^^;ZI1@9-xx=UL1Qp5XZ@+aZ<J6?pM
zD)*QM9*+VujrO9C*CWeO#|yq}hQ5mfAUR)d?-w(%cJZ}b82oqh2zvK**NS>95OI!e
z>ob*ftEb0}{M<exg6l5)+iHA6UyhgM!5HFFSq>F_JiA)$W?P7ch5m^55rK8Jd0E2T
zp5r(UhTZF69Eo1_Q22G6db6*dT#&wZiwS&hT$6_ODFs=ng5%S<c{%t}$8vt06Fsre
zTj>5=KCV4&=uYK|%xV2@Y1^}zde{m3n+!rL%VQCHz5Q%t?9e)IxIM`Ne?Ky3N61c>
zVpjED*Yc=!VL=G;ka4^ktW4@S9+Bp_db4djvQ!8K<D@H}&?sPcml0n&u%TRiTG{3)
zhhYW1{^z+*Oh=fdqZpDLoX4T)wfOyT%eAZR+Y9{r-M7nes*giJiC=l*XK}IGus5;Z
zXl#a2V>7+mLEEb%8*r-_Qr;C%d5L=5Q_bc{VR*NvW9+36JeTx+*V^YvF)OaZ?@+Jq
zE)(Uq>wx@><894v-^weu7cU!^LShsBLRCPFJ{~?@sGh8g-U9P)a`#oyhqf%!W5`3c
zAza<c{a+~Mqo{osNW#xVuC9#Q{GW2&P2BAK+SZvjf5=ph-sz+u`8`@L2h=`x>y2_h
ze_VcoT3+u>L;k%{oFb_gO~32a{aVSvP1{&~Nek--1xNF;I3C%(@H{M~H>kXDd#^Y5
zG4h)ZBuvew1#l%$`$D8W<)u4a7+D&cF3<lcvbGCf35WN%3nPiq(bR*KRol-U6Z;Hp
zrGJ2}4F)~HCToYHk;`)!ezAjWl7jNrRoL%XY8NT!%sqXkH9S_bWgY(!q;5&mujS$K
zne9&{p4_l4eE|W8y&a&TDopHZu>RJ4F$!ZCFWb5Y3wI83Q+ABVaZsQKiRBuZiDjYh
zf?{e63vVmkFQ`5tikzhShul&6Ai`qd>86Jd+@GRH(a7hy;nN&tdl0s8q@RC4gSEpt
zA>@ld40F?6<{b=p=sPUUW=uZ<&;#_!*0um!F`4MNKW&Fi(kUx?L)>)NOxe9#Xx}jy
zYCWi=x}MM0fXwEz<m_<li@lm4n?=MpXxMNDFI4Z1Edtbim(tx*^@p$AD)-5+_>CHN
zd7Jiy{UgZ1^{Oq<p5GP&5grFngECIa$C>4|M1N-*R>%%~(+#~pJ_I_`c(q#z`oHEG
zF+%lsht}UAOD*(nhuxG-hZ*0}_SeG<Zyx>!94z@#VvP)&TxI&|Dw}_fzq;@9hRff#
z7CEI14(=041U-tXD@Yc^5ij_vW?@F@8BKb|0#uioMbpr6RrT}-8=ge(tt7LBtyt*A
zD{?Px!ztVL)b4>lo1ny<&FY^3<1SG&@5j}~<vSCfqvMt@^AM^VXXmr*lJjMd@O@T6
zV*7G7+-;GnAMAUFwE{bIV0Yg>bUg*=xqYL%H|hRMvt=CnPMLnUaA1E<9G1m7{_U^Y
z0Jt+O*D#am*}dy=IUD40bq7#$ivyQk^PyYQV|7KlMXDjUroGo=;Z7c_`|=qa+{$<!
z6Gv6a8Gr%MMSzl~A-5=%o@aDQ7hYhmwddsg(egx6)Ptp<u#g=*AqQi)1D0N|H<lN|
zTN<GQ-@a#dt3GY)vkMFJxIo-gDj-J|u-9Zopzd{hr;3jKeR?O5mTP{IyO1=;9w0j%
zcYlIy+_O7>QuY=S1@Hl>KXkRFyHNCwcEPX59g0_RXQJ;jb_1f87nXUC{g!3HxLy3>
z4ZKk-v#JqD`RrP+47_jwLqxW49g+rxwmf2r+})(X!P(!3RdmVIX9mDv2j$&{<;k@F
zou|(w2A|153LX>|>^m1;s}y-x`{##+ebK!^&-|{Fm*Wbo+iM2c<^?Xj8%Mnz#zMAP
zy_(l4db;=TPv{?C@;yEb0p$J?Hl3Khi5OjgJaGHm{xxc+f7+4(on_QT`<4yB7YCkU
zq4jfsdUZP{MlKlv8oxU7g#&Amn1Iwu$q5dki7U|up)BVq;+d8wFz$UR+qNOs$y0Y%
z_crC7e^IdiTQmIkm3Gz}Pi`rF2_U!C_N!c3jc6l{Tm9O#-cI+<`(;L-W2m;%-@Eml
z2As|2v5F7}jrAmK52mW<TgJA@O(Bp4CEz%ft}>5{>8%8X3Lvhs`M;Yp-#mRFY%hgG
z4KTO}`18auJ`k^{!c&>MPVgX{^E2~Cxvc-Y1b);AOMIq9zBJT1aT2*@eDA~%ySqVU
z#o6@4r@lAz8P#_=80)XO%|DMGW3v-!@~;NRP#x1`UB69|4xE14DfwX0H@E%S|2m8T
zJ>u0%Ds_vmN@PhFbwl+MI-iZs@`tu-1Vi`Jg7c5S5jl#n!ifD-`YQG?0P?e2<xmBt
zT&@s4=;Wp7HA;rbN$&US%b$L2s#tk|qaYAEa81v%cz`q9|1#a6ZedU~VK-s0t$<3k
zA7p&v(k3X%cOq_X%l)Ae8q>u4oMide^)GmH4>2iJ-RD9lqq*1i{?{rnNCCG}wCL@)
z?cTzNudFzQX88Fw{Pk4Jm}ZG`su3J93e_=f9=h@)4Zuubt<f$>NaPG<jd`ckt#D4z
zR1u_xiupo)blf<BTVDh<4xBCJ7BSmTZy5fLBQeEm3N=L->(;ilRcqGfvmzk$%~e)o
zr0kNNQ<c!hOFd|UtGEwLUGu*mySUbQIuc!PX+AXY*u-wa2fus8rZ9!%%1M>O;-1g%
zSAV_z5z4ZBZ|VI@O7sUT*Pu-~67DX{_T~~wo1cqhq)U^hXcO)w`S@z$G`Ma$$fxeS
z5PP=W|C{XH&R)V4U$LD8s(_n|t35@Sx<Q^~;kHbpfX$U9E&(m)n3VKB@}UJv<@g&B
z3F$unhY>%nNo7<j^NW+3+K1ZF<k|X}G69!6m&!Yrxy4z6J$f6z)&AeMkeWpFu*)n&
zw*<O@i0d~+EqG7wkMdamLH|j6Ekx-FTPmUIrn^$Kq4L<hM8oTnrtFm7r!G?uO|cw!
z={xgb<Sg-_6jG(+gz5Pr%_Y%LZS-|;ysOxFhcY!m?&walYqCm8;xB0?`vH(!wHf8j
z*VH~C!M*3CgcwXoHfnA^a{0rf3Lxh#cjQ-DpFPkmX5sw#s%DJHi6WIt&>Z1s&~EbL
z->-cU#Y%m{DYBpDda2h$mlJ2E9p7;N99hL>{9}I2TKtQ_%)^t|O);0utjcVnJQK{z
zZ>R~eC&CV`Nw6^Em!l4<xron8&;-0(e79ek6>ZYbhT%9>=@!E066Z{^OViWJuok}}
zLhPv%dd<LlxIwx&W#!v8+m}K6Rz)v5+Tbr<PmzU`wGtYY&3CJHDUqrs28zf!D~>1*
zN?t}W-bd;l0MX;MqOZhq;Y~CUlxg}9yH4VJ@2&7ihFVm*y7H9vM9(Y(;&bKZw1>`4
zlWLqNYL0&03%Qa9fq(`d!%Tvr`5St~<=#;1zd0*{u%43m8E&2*1$%ODxOp3la7dhK
zeo(x{CF!WQ(&ddsquP&n9iX0rUwt?msb3{0UAayD=7S+wNhS38UcoSy80htXqrZ;R
zu-{I;9*d&mukmqzy-z0-Y7}?rbge}d%*=M<&h(^Gpx$d;0qJ^Y$ouf<PM(P4#GKuV
zDup5~dmIU$MK@ot4=EZ0<s&am#-<5=G)QP*k81wdLx<Gp;8M~4Q15wmR^(vS&FT9=
zW4}J{%WJCOQogydC@T6x*5`12*HLt0yb$q;@ZazGcs{8HCV<{&f)u^}_uPl&vHI%A
zw7KN-z6rX;zmhIi(tHJsu0^|gcz=ZQmh;cOXY3Sf;jP<GO&OQjKId94A7(p)n{)50
z8FS}Ota>0Oj3BmJ)!F{Gs({aph*IVe`<!FSbfJ!oOfC2$F>fq-wA}l1$BgR&E|!MZ
zbHE^Mok(sC(a5kBYiV=fitFQ(mbK?x{YoQAmSLT8jVZR9OMU@DQFszT+4pCWi>?u=
zr!i%4_bblVB9+tAo&MPKA4K1rXQAneoE}d}wCB*KZMdXQYPlti&bX=s$0wVUqenA-
zj2<MG*P!O#TFY^bDCc%km+tl&wJ+>9RJN*OojBe2_oEN$GRP3epVcG;z6^rTc)<DB
z?1~h6w~21OQZ3C=Zl}s(8%&>=;-c|SXy6^x8zw$TlfE8`T9gp=)ykrPkMZHrbmpDQ
z;WcUL*F$9}mo9~9x)kGVU;SFz-G_puGq`z_GK&-X{NRpJT65$tt)~;wV|F>t&i-pV
zePgKsBI&k@j8f<ucrzM_Y}crAWNL10gh?&hoE)^Mpc^TNs`3d(C7I|0NCNrWx2m8?
zu%)6>=UN8e6yV0hNU?<4jkyLDm#gvc6nh1TEB|kos*6{aOX=GppHvqVU>lXp#LIBr
zYMKuwHs?J$A1Q9{2gmn~9qXfhwU#A|{P`<~8W|2*ocY`=U;LdcD`)ZO3?t_Y3GE-Q
zbnL9g4)1a&KOn=A^Ht&oazsY=A+qrzn;BS)MW6jD@to8WjUHm4&K-8zJDhQ&xV7Bz
z0eGDk<ipI}mw2>B2f3SkOSyqAG37sGq`C^mU#mwyr}qTe{-2_O{3qlS*Rp-zpA^4#
z7)*1eIJ-^4=KTI9T#tdtKx{9Y3YRdqb>=0amS$CWXSSR)9>qk`K`L{P*BR@?tN`>*
zwKwwbFk-j*MmIg-b(MgPdi1Omn>e$r4-O@5gL-H8M|Lq`qMzl}B`z8r-iL2KuXDH+
z9HfINjNuv|-z0s(MSS2q@zaiE(y&{<v^l!*Jzq6yJcdXqRWOc|64W()ls4LE$*Oku
zL$}GKt39=uAaa`Q=?|_qSvXFeE-|%4h^;d`4J^zBp4JK<<5kb})T0^}7&&=wW^pC7
z<6YmdyG3{yc#b<%9})5*R1G1stTQN_M+@-$VU{r0m{vD0MgE0C@QJjxvRu;lgZzG-
z#I%6xCay&92U?LY5dw};v&N*}>K|iYI#y1Fi7K16z=og7L7TT?>8R`Sq?j3XE~~d^
z^257l9CuwigY?1789NcxiN5wW9(eG+wCX((#^2oBFU7?MrMs#yT&M++vn#)v&E%=_
zQkXI2gSi~caz(A*IAfvmQmy6(QrNA}9EP6_w^@Jr+pKA2o7cu<@Ya@hSEfOqW{Mz|
zr;~qM4ov@WJiz&;Dol`$bB-w5k#~2d8cdkIdp-AddMO0QUGBW<94-l1U-FV^gG-6B
zr?Y&peQ^ji)Y-|y)RANrAzytZW?#P;hb)W4MB_i3==Tu*sA!%?{%YgfYPtUi%Jdi?
zJHehNGtk0;vp0J?Gl3^Jjj=qLJ^#1Df-|+CT<Vol`)}HYv3|P5dN_v27v<BEvuQH+
zpO81txg(dj`~QUHFbC!YJBKKw(5`TspkoQQD$9!~yh_rb<!X8%(OYRzr2eHQtBRiV
zvk@JaWSEr{vCSBrv-RlDavRJ&bS*8DQBBTD#l>Fsmoc3Jg8UvH_rn#B+J065pp*o(
zTqiCE2^HGI@$+v#!*{?6VA`PaQ_pcgQd4P5rj2wWDW67&WUR}f-;9*FWb$gOs1YhE
zOuAnYiQATa%V#Jc(Jg+TvBUK}lXWR>OL^zrtgNQt2G`Q<q#)l`p)Xa#+{9FYO1HjJ
z4vqx_!hW+Q^-t|}I28Ir<A{a8AjIQf_-6yP$A4>L#)6!M;e-uRj~lf4^+$5BGcT|x
z+J;D$DUUp|Pz7SMTls5R8FF$e-b^--QR6)0z!JnVo0zoP3p^-X<OM1gzgpj`bZMR!
zs3i&4<pf}K$HUW5ZCsoCgcT26!<z*mQ@9%BLZ5$H{#nk1xknP@_4BXvw0J-;O4FHx
zA!7H_?c0`AN?5PIS&8$1s(l8h;%kE^ub*8pXZDLh;pfgXX>4hMkQ_cFaC=j92U>k=
z_+0eo_(Xkgq+nmaui+kzWeUxpn1GO|`S>Ma_E^MduT+|UE22z=F#P6jV7d+!Hm;PF
zix-QvH=nLMt2JI!>kJF$)}5-Kst!e?n?$TCVBJieN?xn#c5XASprh!7pRMZ$wiA4%
zWR^bI%Vx3C9Vr1c0B5kSsvg$I$<Vx$7nO2p0KN7Q(>)?_j0OicRcG9cw`~=+;DA)4
zdMO+nXI41(8(9ST;JSN@IzAwy;VYV&MT!Txj1rQZ=Sh0Oh6kN3R&t-lou-E4SohYE
zilnz{@Kw~mWfAR~t8gEQSZoG%)(G6?>y@Wp8k+cG*#<o4)=C5Nr>oc?*;PikamAXY
zxwsQ=61jbZO=|?de(t<_bUshRd(tI65@-1>$3WsCp&d|utb6KPWpQn;B*O-uYwuFW
zK|ow0jzgN(kaC0WVyk73Zd6j14xuX|s7tg{lzV8GT1fPKF}^Xz-C&TKCgU~EEuw4m
zy6<An%P;y8+B8Lu*t3y0zaLCSsb-uWKb0!d)USc;=z;$nTBBwUlwea{ftmO|+No1;
zK^Zp4(RAQKCgfyxiC<%Qio1L`UnP_1?ax_mKcEVjmRAJ}6*C+XS3`sdQ|<(HL_v=<
zOr9dXhm^2;?oBzr89hq5LU<zsJ`Ns1d{vt57yY~U=p6o)lP_Q7KMKl2JzO<%i{`(W
zDZbC^m5b$KV5h+S$iI%KiA!u@N;vkSOIM*w#xY4oKnY;dmj&}4ZmxL<?^=>rNkHN=
z)aSJO5zA*Maz+%b6N%%rvGK)_`V`5L1Gnczwz^a|f8eKFgIsBs$=OxXL+V9F&W}C&
zN|jA@e$b{L-TMOHb}SPSrhb)>XlV_c#xpS7n9-IL7OQD_MaLK3cs0Fm(Q*7Mp19QL
zfg4OlsAjB>F2eCc*P~j<F~V_%`c3!b5uLJ5IF3Xt;&*Gcl&^zW`wH9906Ga{l|czR
zlJF&EG9cVkJ((urY^dHf6rIwzmtT5!Y<98AOmkggrl2H2M2zjmdgf$3S%1w61=RIR
zNpZ22;YyK{S+O@<)y&kiz9JJK2ayDchkP>L&(+}h{g78K&O`JDuU{KMGl)TH$~CA!
z`&pHBRP-cK9~2&`o7T(#tam2W?4Ey4Y5R<14VRYtI>&5>Zs=$n418Y6IIHxT8F=|T
zkJNU#9@s|}Wzkz?VeRjX7^}65bIv672icI$DoC*WXVrJw50(F_XS&U}+teGi^rUhR
z(lCDPI?c~UQPa0SPHol~OKW0&G4c<9u;?IQBL66Ub{ixD_TX+G0+R;DU&)*Js%4A*
z-V8jdxUhP75YHc=bNIxa>xP#q*PUHLWv(R|=ontL`$LeC94pFiw*&9HjOEatS7*GS
z<fv7*G;tv&=wJG|=PK2|9IzNx)P9O(Cn82$TEgZ#Eb}d0(oYP87y+GGtfiJ}I;neV
z{03CPWEkm4(>sy!7KU{1pvnkF^a;_~1649$`=2DnDtauMj?8T)oQj#Dml`3le1xQ$
z!8AvT919r%^ER1|07;8K{rHMw`Pc>+KNWt-jfl`5`6<z2lud$ZYHnr}r}f;lGgn$;
z?tMHj1x<*wQ@VIyB`rfN9j|Gw97CrpMw`cG!K(=Us!)d?S?1CFanNA^qo=S<LG3+0
z;99?{m7tm}ZN>Z-PbuAAa9z;xIqF>DpKNeC@X|$QY5NHIlUZ8`bP}<QK>A74+CiD~
z{28+xePooYK{i%mi=0%hDmBTxK|y{j67-GKN69pK!rd8VLANlwsNe^P6tzq?2O$xU
z6NeO?0-yE18%w*%TYt6ZRW>zbwIrI3LNaNuWk&eENi@Ec&=%O&H0Gvaa}{YgeJy&p
zMuur_qts=Rvl@LTNUy3tg!{*<>(Y%UxN*3MDGq#zH@5+F<sY@x4y>|^TxcV6#EK+x
zBVs^2#v&+Tis6w=oH{_%IMhSBB&MS{BTO~@8>IJ)w&zi)24a1ON*Bpa$@Hn3m8f4D
z%)BH{^9rCNASr8f;bb*q$Dxs`{l-FVz^}4H$MRQtJF#ABjDuKljG8R0TcfIy#3Ji5
zkL9a5C-HZdIYcQ^1Sfv^4bwO5H3TwX=z{Ms*hd~a<D=Xqz1_(!L0U$Q|D%J(LSq#N
z;1$By>)?Nxe-!eR2d?KTc`B44DyUR8aS18qW<ekH>Rz!%erAn)k<X<538BhrRu5#k
z9;5=LU(3-Fh|)SqZ@4eN*njqO|6?XI9pnQT{I0o<@Xx0B<LihjVLSntd{c-C>e5}s
zUvvV2i;I+b6+<^i{5ulpFUhp;R`gMQ2SX_mgnLphN=90kAgXaJFy+5X6_ESx;AOM>
z`k9(BEAT;O2Ku~m3+Z)cApMRNKjO`L1o4OnPnf^_BJ670iO$P02?QK{KfE-fN-PtG
z?>|@XKOf}$vOTp8r?ecZyf$CY4QqOd(CAu`f{0+wwmA*1x|FvyH6_1z7F#Y*nQBVA
zj_~sjgOomVZZCu9DVXQXliww^O{dUBMn;lUhv%T^%-N`(aet}Yl-#!oqimjBF3dlW
z?QM{5VclvJr@Zdw{d3MMp8eT`VA1@eHSV=3p*0?1{=P%HF%NlErR#aum|G3^%_f!W
zb!gh}!X8ej`jnZbiQb+@mgYW2(I^EkZ?I~%gbh`jth7@WsxH&-Y63DG>%1DWuPfia
zRjN5wGOR{YM81>i$T`Sn_GajJGgMcJ_+_<E$C+ZPnem>A$LUhLDlUVkqC*!jxgY31
zG)+F{r+j!4IK(Q$YdVjFZ_bg@J!jWS*{P@K2mejVmVwPx(XWV7#EOb`ki^H5H5|I|
z^#$_BqAb=F^|&>E1WO6-oaCRmO7tcq`c!;bDQH%ZU{{G~@8d5XACL-e@7^yR6Z~5h
z-OR9-qg?RGj6F7&ssH=V&9`sAa*Wh>f_B~|M)>!!iuuT`{#^H&@7R~1v`P(uDC{NE
z_Ggyw+psMb+~J2nQjj8FiM=fLm+?=HUq^F)@D|}8c6WYml4_$WOafQ^+NdoTUhNrV
zyoqG=dr8x@_{Zj0T$Ao{>&{W0*}u`oWE*|T`1EG@xh`i84&{^LB^YqDD_(G34m-O}
zMSb1hIh-Z`N}}redUzKLJ*$bE)qqpmf3v98<i;47dc<JZkT7%bCFY8A>bVP?J&VS4
zgZ;$H(_?B&B6)IrzWRu0kR`?SYb@bg=|K_Kw_91Bs2BHs8F{7ztLRBwdK}K<o-=h1
zpVA#J2OP(dDkKG*-x;3ntlqWW`#J=L1wLw={CmcKK09lZyt=Z&@qBt7UdcWzOOWte
zJ*vZm=U8rg)_vP?r1p-lmA>LeA_ksk2<v!0IvxoDfsYvhXMlvy{%D9`Uy#5q(LmhC
zb7}z+kN5twE(VXmQ+vU5<08d$VY^S-fi!pA^oLd+56yqw&c)`(5I&14Latn+RZ92S
zA*LG70Uj@kQeH9DIr=G~r*1VGo6m?Z?91{xa<-n)nyHb|`fVd49IcQ-JurPrjWBR=
zO3l0bJ2;ab<7?$<*dRQw^;Qh2Rr41&lv{?mzr%h}+&xyrjx@>*^NVGL6dNur26^qf
zB|UFi^NT-NNHSG1W}k@EBXB!k;Svt<_iNyx#Z8@j_Wep7G$fNtR7wA;ZzhIHN<V{)
zM<JUje1g7~;h9nqO%iH!p9jG@zcg4kGV{L(R8O%8@c&z?tkKcY{mWX7e*J`7&2rT6
zGjm#jOj!kIw{p<(L)lY_tC9qrh1*ER%-v9}$#Djs@j!@Z=+L%dSWKZ&(03NXpS7#_
z4;hBi*U0}CL<T86;Qp%mA)rt~a8Zt)5LKGjSokmMTOwi#4HAwkeK6fRhJ4BSedrek
z1x_aB1Bwz?`-j9hltn-OTMYyZ03{-_YR83p$A~DrZ3Dbt$5}wp=Nqhn{;bEiCzN5t
zP%ulZsx>MqPAlMID+P}h_@9m%8hti+u$+G>>J{aW%*g&VH&9kjJjwM2??W+O!@C}B
z<I)w59jwVf#Eth-raSOu)MnwDN{zxcX}Vrdy7q1Q#s_Tz&%23f+1n#3X2Rnb@Je_1
zqZ*j!Cme~Ilg8X22Gv}Zszzn9IpNW7@IPs~`em`~jUQ#(H>=XIE4(&W|KMUS6q=kb
zKwScu9LN|$Hyx2wg{hgIIsQ5Vn`v&UES2EPAnxEWBpDtu6=^BoYIaBbQz_nPo^?&*
z;P6P+2=i$8*GMv8b!vHoC<Avw%^-pD?24jV_(Xk-12x)OGdD8wtNB8@|J~HGLabb`
zxzJ<RavS9BQp6$K_2+b_e{8w6(5j|hM{%A;l)EDjl+1=hY=?fWmS8TU$2-pinr`xY
z`1|bnRbC_HS}66;Z+%hm>wzCB{4PbVgWTIP9C+@xbT(*HVnluC{l83T*9M_`&sm|M
z<L4u&DYz>fj+vQ#*QGHaS+PF;sc&4BDMmCOSI{aKi=4wl>!%8sdQEzld~HMHb1Jz)
zJ>yB<8s)*Y{C#Id^T~}wM=WK(#3g^E$Q+dEM27A^e6*6uuISMkf64;|C`_58YBgKf
zrRZvC2!ndx(>EKFd`B%9^CqQv{`s9a0fDly)OZ)kt<3A=?1<>YS}iHbU6IU5%Gkv4
zNZI>GT&MHw)^JVpDl2K8$X{!T#4KhB(Y%k6`|^tH;i0-0*RN^#d3n>g2O0mAk4cBW
zS9)%)r=LE^K@B*!kGhC5JSE~%lZ7iWZmwtsxz7lQo^e-~7E0s}k8iI+EBw#OpaH?r
zeFvFup*w~CNTf9e;2_8)Wt^S~N8yjfAbQBTJxA>wR{F!9s9vU3cbi?E<s<SpL0r2t
zE&P|$=tDyHZEpkG{+`f3^r}aE^tq#aB>ack?8bqgrQ>6XcWc|k8-b67eOS%BvUVbQ
z>#$^9mFtp_(hv;2w?dEJuv#(s+yhHNDSN@?ll^GX4NX>vW|$iZyniFZ=V*QxRnNQd
z4(D8XE%6d7=tlPbGRQY5g3r|mtlWvHBMN<)xI$)sXnRIqZRZX5IVa~PB8D)q^55qV
z%ZL~+-k^KVB%nuAA$gBMuEtuDr|&;kGknJVe{5Z4SX6DaRS;>AMp7E-?vQQ}P`bNA
zx}{@iknZm8?v@sY?(SyDd-(2i|J`51P;<_^-&lL^wbsE{>M{15K+lee{y9c-G+3(y
zZd68orxpGQX{$C*JND#fgVg-4j;p)DSEO%*N~mHaB+FtX8!Id-0pa)<x#+cqLQyek
z%8yzzmR|y*>m}>#FJ-}($5NFd*~ki(Awg7K<JrF>Vhk0Mcm706abMrdHJvf)M#NR#
z!=zpH`m~tziM`vm=0o0lI?vqPruBY*_q<bTzkiW>Ns6)YG3x!J0Gt&c>}ej(cP%X$
zOxDW`8$MX@ose5)B7W*Rg(&%g`}C+pFhQ6=T`1^~HaPgAf&VJ=Kmg+xrc|fxL84qg
zb73!DJWrhCg8z|R_T-P-g74P_it=*VNh#Ct%K3i@sif**VJ=8S`BXf(5q?<{Phm00
z4^1CQrG!-i93ELYIem9`gqa5(_7%iR<@T>%F?2kV4yCk>D}!|^`KLexxuV6|?H=mV
zR6bv&PyANUam-tXE}%6vKN;d6D`7&m4}!V5hK*<|Z~_L-XGKjD#^c69s1#Jmi)%kP
zq{PM(P2^yowA~N+0euNc;&v)%Q&^!XQSo6~z1p(_4h$S^-)SsrbBW=AvD0P@RL`df
zuE#$<zh^35{&`-dY}A$dV3~GaqMmmRu7xb{yX>Y88dl*09n$p%E$Bvb(~du7Xv+oZ
zcA6EwYj<dRRlIASMjzfQn#Q3Nf683!6T!gpf6WL52^k$rZ|DuPkQni`ba0w$vTKen
zg2#vNX1LR(TIdwxDMoY@0{hJYEUH1{PRT-f`|Ze5P;}olD@(vojpLQ+D2Tw+Khke2
z9wAbBMwyhuBqt{%^q_2#h0HP8#a=$ju=b}*o^zv_(WXI-><~>bl;P;70jeAlC1$vY
z1B`#<Pa0z4dj;5%=8(vEg5GAO0Ug<KW3U=f5aS`8`Yb1VjQKg;F~p&Y*-|vV?tQZ{
z={w<py(xuP1n0JEm+G78%n{CV?gpI)W$?xHT7Pcl%OB4fwYP<N+DE&=k(OvnYKhdi
z!RJ<)2}$*wi9sX9lKUn*Prt+Od3h4ZXH&zY^qOqLMlve<Ksc&ordbHNAgPj#&(Y2V
zIVS9X#oVbAXOutKW?0m$qE_68hC4tu8yt!<{L1~uZe+?7$-wZdw;?71#o}ZRhGBqV
z+6H%6D9cwFOt^eYhiq2q!5jVV>hzp7nhu*^9m5A0HH+$l<>d+a!${c_Sg49n(aFUc
zJy|FWyyUo%(r)S?wLVNO%d!6cKCzU~!b9#Pi@Y8v>0#me0Oc@%VdjKyII%9$=W?j;
zztbSdTDAOOs6P#u5I?QJ&R9gRn`hgp*nNage&NkSL;X(vOLfYtSN^&~oP_Tg4#eVb
zccnbHzVM+SMw=Wg8Tc<gH}pi)VF)M4{^<U}C%ZKDz)yhw$R36kC{BgLl9n`%y^`{^
z1t*v=E_+bPo*D8IY)ECjdu(|c8~l%%5e;ADI%{m3E+%mLuX+ogW!{!>&N^D*+=7%&
z3g83V#bax|GamGr(!qpHJ<;si=o~DH`=P*SuEbsmEOFcTkhcV^+G3GE8OrnA0I*&Z
zr_;GckTaswI(Em%ye&y8GBC^@H(ZoUiMCH#aiF?gxsXr0sCiAY)wp_l4e@emb9kzl
z_Fv)Ay#5Knt{JdTt@IOge7tn}gR(`xyO|Byf+U46Zc$@l`zPr`!R||7)Rci;Bt5H~
zYtGUej79pYy=^s@rkjzCimG#}Ld3DKW|~pLz?8NN{&uo55N?XS^f0$!?4r*7wD1XV
z7+sxxn@FC)G_Q#yrq;(umG*$LPgd5*pEG8^C4=WrR|#4Ka$yTuRU#7W%1#9dhLgfT
zx1vGvXh8L{mp<1N(_$JX!Vn1!v^ky9TNu|?q-^Hz3#uK+<YOW7=!9@s`E=V>7Q<@~
z<TqZhy}dC!<6KLyJ?sOJlg*WJ+N3eR(pZ;u2a?U{5hQ_vq+xM@OF=pOHw*KWP(c3|
zizMn~M8xu{{9&KOgsaBzXm+U(`S{z?(3cfb!^_`a78us9xX9{cb~&nue(N*%Cp1xu
zfTX-hnNYlJubjATF|d{vVyOg-jt}YFv^RB0H5eqMODVUx0?O&Xu<}^M2W9*&Fv#r)
zIvppR3QPZrg*nrrq{xg)amFJ76byBfif|XhrEHGT30vhg?+)0SNrK~|^$#JYRd?g~
zZ?GiIR)g~mwHN|eGAqM}a&30t&bQa4$GVMrO?VF8W=pJVgLkLau8-VrW3on!3Pplh
zJab`W=?v!COgIwd)=Rq6WB87J>}!^__Pk}NpCb9#rGGT;9y45zVTSNZauZnkpgFQY
zdD%g#!+|hm2dH|^abw~_Ys-i5>r255u<gVIgYpAM3J39=-WbB(XfBFk;)Oj1W7eTz
z=nJ@}F%3iF!q{8MumYj<I4|Io5S_A8w=uz5{Bwb|x-ab!h5By@7|2<SI*R`SNeJs6
zle<0C;R~I~o~7(<WSK$OX9&{RTB2=oT7p?pSXglsLBGHAtP&-|w)A_F?R~V4OsQ0E
zq}M+UUJlulq63l52*M*!PU!Z`<GRscD3=eH;-u6ly^<or0~>H1zLqgsv#eAUE;cOs
zc9L`ie=cj9x8ezEuYe9wz=uW#bBTf&kUhP|_fZNX=C>ruO5m=A&x5W6BGPnK`GO(v
z!kf6!+v&w&^HllzPGRM0rwtrdedb%aF?x3IcD;ukDtfGU)jYp3nX5ZitJ&1u3*hq0
z<BK9xgZY!p0hgECkDf=$#9isSP4KNKb8f}P`gbQjzPzue9CS01z7l<_OM(F&HZ6#-
zSIC3R-tPFz>l=I?@Oh+SDa#=@`m}2!2#|p29jfQk?Akru5CPFjc2ps)IS3MV+WZ$R
zEaOf!+r@zfv)xDsO(+rV#6%q|lA|!vi7(Bj21mP1Mmg(~Gcz#L-xDKex$&H|fP9);
zQJ8=OASgEMh->^{L8(<(i3Bo{I8(-vr);nLCm$a|lT0s!O2}Q~Ch<#Ru-$O!%h!&}
z3f*r1M$a$tS8@>x&ryb_U2*4f5fD@7+=^Y1x@_B$D*h<Gw=kdjlsRbn+`dB*e1?0d
zh1Gz_7;hcS>)jSFT^(~g7Xk^()pGv@?D;v4V0a<XO4R0dI=JqcF8=Cnvv|S>?oNP&
z)R0{ewBU_A>*e;d1Og3y+<rf%D&_U=H{P@VW0j8&@t?}6OwglhtwYfsYEDY3n9@He
zC-b}wEn*cuUDQ1sphEY$3SG`O>oqohqv)2Ek~ojuG4Q0NR9VT~>4S57sxV^lxfzpt
z;2aX!<lL|7MX=n8_=q}i#d-K5bnNqs7^Ps3|En_9sOd&g%;SjEuY_NXZqxu(U{<mt
zDzuCGD}vv6grJXaXpB<Fig62TNFn<VD3Wcp|2kU^F2QxUd$;%51_GS63{UC-_9OrG
z%@n}&tn`^@`13peR4CSRFW!0PQnXpwdTIp)-w|~_MEM9Ek>sV?z7DH59q-v@Hi53&
zbv>zw9(SqEYu4`Hjp!V+JYADDzKuKB9#U#&HvxVBDCkM1rD)I_y7c`ov7fC4-<jMi
z<Gb~_*JlMqOnxhH3-pA58?k)rdB5ug;}iVIDpE$v-e?nqurq+(R41tSk*NE+p#1(t
z*Mrf7BQwa>>-g^cT=f-QbD|l+gSZWOuXF#e>$t)b?6JqXWz$yNE2_@z(b?ej0R8X+
zgFKKdxwJo8XhDvmc2Y?dI*|Jt=4F?~9?tnQd)i$lHv25sek00HjlD4Nc@94BXF4*E
zce;`hy)Fk=6E89GH{w6fRP;LN*pU)FKSt@V)mCR5fP4Vacnge86)LJ1B#ui@-xr@F
zH;p&s;ri%2jg`2ovE$+!*mQ>7wtJivHM~M*z7$pvbmsZ^rJ-YU(Ec>^@w{uz3w>hz
ztgBe?+9Iu9pY!xJRYCvsiF5r@#*)wZY7L;GHh)(=OH(!6`^U@l492-Ax8?I)4gGd=
zjP&+Tsy8a|tB%&M?7L|h2aZ(*!?hKlQY+k`oozf2?z~^b2^zAI3K_a0RXYfl_RjiT
zI?mbG`>cyH{^80tzE90~!~na^u~kjhcb;2a6Su;<_*|_PN!T`Fnm%`d><=A@6;^H)
zj~B5fmQI>b5&?0(Y;YR0`R>&53#Q$J?XD)}=ETdB`$-D5U$zJyH~CpO?PiOUVR(!f
zI%kZFt?c}jHHg{VO?W^|E3WTM>g7X}DGMi!C(d=M{;MWT!Yf94M&7;AugzSgjtMTX
zda2ita$!@`lPb^yCJ<+0khUpf;ahL_m*6GQyj!KeB&!~>2ll}5zV|#bY=&6FF^Uss
z61M)uI$KxUE;fD16K>WrS|5JLO*G?~YC$Yq*VgfgA2_*Q`)vm-U!PU&S8RO{RG-0}
zy&KR`!8J}k*o+Sl!EV~u359jyr__n91*)@w3SPkoh{)r4dDM$X+cnNBlHmPZ)JA>h
zBYT?XxP#p*PURr*EB^d<o}XXW*H!|E@2QA;EPd`Q!FTJ{V2886<yT4Zt3k@&C(b5n
zHMy>R4V1V`27LKjeUlOGez~U>x~wk)PyI;8u@#xPM48BOxuC6j?oqa1AD=K->sGG1
zdGx`afJ|lfH}BaBy=J7IgZ0<DRx$^D{b#_gJ5gJg#BQvBIS7yVVfxLlV=lsXKyc^V
zVR$Ec{G2|w6Yd${!7{Zrenb)QU2uD6gM)JR(QX}n>?eMe{i6w=$K77Fi>|-igd16f
z>tB5PIY?oa`*yACwN$A&iqn~aRqI1PmzzkL53uJL&c}IOJ9m7<NoS9MNOb!5KK}(@
zKHGLX=sdGn(PVVZM2!bs{;Wkd)xN83dipc3e>FycvUY)dd;`*YT=(X?{_Eju&Dh&t
z>4wPAc?(IpK-Iq!fmP)9#Be^bs5&_0+$x!Wreo;1gwmVGiM`7BZJ;55C?Uxpl;`&D
z-TaP>3p^r_xRc@B#1i>rQ|S`fgRug+Xq^7kull-0byYZ!29%Lw;to=>YCYIdK5)lw
z@G6Bh2J^g2Cj~ejG)NMEL{1n<BtQkllc}rmrm(vi3xNyJt#&V<HG&>l`Sx=$@UI7o
z?6KVwoXx%&7pQk8@{5sjg=wJfClbD^du{44qK1qsg0K4o8Lu<1gsN?)E>({&m3l9e
zGfgM$uLQc@kD7K%9<SUer*62drw>|1E>2St%Fxs@@sNTv>xn@z-ih8wWlO%+y)WOP
zuI|?SJUYD*Z}|}4wKCsb3oSGp0MYY7bZ<AedhXaWxaQ5?;XRTLv*yC5vVqyX<MXwc
zVE93$6^Nnme)slt;5b9O$bD}kPub*RECaf$VATGh8DB90-~JFwRiDga>~ysd%ep&(
zwzB*4-f>r`atgZ-Y(|?4@kp(1M0%ps?DklL1G6?!pKs+8%<04K`?Pbv%q|KX8>B*3
zhi-N*C*{ypc+;)rbkq0$7zlWphU(820@YEi_>P3F=zLeds;*BH1MVEHuB;i}hx+ek
ziZWY}@4Qa1`5N}VAj~FtJb)unK0lk9eQ*!o4Kp6gnDL=Ba*76dfZ!vvbGC}&&*mxU
zb_b~f2xx(Bv~NOH5|?nqomomjdYi-y5-7sjJ{CB1F7>o?oc_xA*PEwg!wLjADvn!;
zv72sA-dnw$2$!vy_)0a8wXjSs>%*VaHBk)`XA3GOe}E*sn`?p#4s(lxKdy-=%5MZ%
z?`?(C`f%ly>b#!WonEa)<D`dJ*bt8-m%BM5Mww@+KRqp3_3f6Y`u3u(A2>Ei3WB_%
z_yV*Qh{DlaD`s08&~}i1|3c)j5kyRF%nbZ%Du}aG=?x>#tKRs}X?cQ?P3B72seUxw
zaS?kx*~`^)!qAQ?GlFo*rR&TCsx@;Jrg2L+EzBI#*!j3b9J=dIsAr1D(vC?yf0jTM
z&Xscxl}^y8&a-&h<MN)K;WLx74+Q#t^_kgk3LyTT2JeVfc$tt%2TYM^$XbKn>5&zj
z5T$u@%eOyZft|%M*#`>_fP)^+91nHP^*(`--Yo*MB;~f~2#`ygs}d0+AbcMQuh7F~
z-4=fQIOd@Q&iU9@J|nb6WL10Dlma2``SKqNzy4*}Sj--hhx%jE=Guw^T{6*!?SZ3v
zkQ@en=|41CgKu-ltW@d25NP|c4ts9kQA2@VQJxqsKDXBA5uS4yUYA6kyMmqQsGd9R
zN!$mHRsuJk%Xj%l#;td**Z9P}tO~2Cs_cDIrdkMG!GmY__}{2JAk&#oNT*Lnui=D=
z+QAEj#Dfj#jQxT0F9Z!Io?nUXFIyGwa-*9ucTxF%C&!JC0?2d~``-OBq>(<c4KB3+
zMekKrAP^Q1)3y>dBceV%51#LzaBk_bM~J2<OIs~;KqvVi)!wLBal3u2z4Lmn;C1wV
zOm3lp_Z)0}r}w(54UASQT0S=-E`Nv!5boz-oD$jv_^!~U2{E^O6ap}`)p7$eJ`ix7
z8ls6K6uy_g683tpfPQgKlQ{|y77s!h>fADPaWl3d?9}S^`Zw~23H)Ao6o|0(I#dSF
zr$wBoY6nJ8d?$=lo$7oAx$akcfnSH{UC%vQeUbMJMni#paoE&w3zNy?P7YlE`sH@*
z(QWx+7~gK5zZP8c%*S;+aP0fpYPA9Dr8@Ou_C&XL!{q*yF{l!?=LWlJmDxN+{ArK!
zVMb0nw`9q{kcLgkh}?*sS^D}&+T6$xFM^9kP(gd}3n2cYW|IGAXV4aWcX42$JzrFU
z;P0CUXflL+e!pb(WZ`Au%@)yMe5NR2eh|U@3{PUjj7?}JXlW-sYfz4?Qa^F?WhpdT
zpTnjT52);uP3Xi&XioH@cHHE;ZnkFjOT6s3-4AuPyvu}CRu1F~UaNSnmHHq8)Edjx
z>&&XV7tQkxAA1ym%Sy(cQ;&}DxbYC}JPGD@d&IY$6xqe=0rfn_$LYPm3*cj6yZb@w
za%8RRZ7xvEKVx|AcDCUWKhN`CB)^`O+MOb<h0HK`D(d_d9TR{cTP=G#WvrOE^D;?3
zVnq#KFEs7LR`w=fWc1g%01;pDrp-uS3jeG6%EiD_%8PC@BPJM9JH8O!%qtk=A@FL>
z$J>aksq>58S$3g;zQ|=IJlOVyErZ?#a5R-~y@w>7o($AB`n>nZ&}pi`E=&uSV`cYr
z!j=c4toNOOCuQbt+QtQZ@DB%V`b2bF&|ouGfY0juxW~ZJeEW5NeL20bOVEw%^!fC?
ztnR%*n!81y|Jps%DdZ`UX=y3cI<ZfP#<U^RPh{<ZoT%g3=7+NB#w?DGKmA5Wc$0G@
zGEUoee$oYyRxo<uqORRAjW|^F!tiqTSo<)Kzjiom5JT8bU&jWk9uEMBN3hk_ipxiz
z8Az5_@)3yevv**(-f!<taowwrKl3+p5hBP$2gH16;Yet^s7dTd5;VMHz2HbB@W)B{
zDXs0N03uaNi_pw$(UEv8hY3D%j=ddq7?hY|7M+Y-jSeOZLL!&2gs}?a8-ZLFPkow5
z+`x4$35R%0Qiq_VhZ7l(k)zq%V)l<%ylRnUl+O+0T8fI)&?kkp8v%l*y)CZSL4jyn
z4OPDTP)@_q{>s7O#An%#uPk@km=0?n8#>t5gcCrf#@Gi3mPURlKZjpZr>vUL!RKC(
zgwT6NpYzU1wg{x$(pm{#)g0>ns8gW3Src4C_Z=H1tmd}^N+9%a;ZanNnKZGKGI72<
z?FF4gK}9~))WJ>g7-{>Df%c|<4g&$v{rVraxbh-2`WU9L>%p0sgUibVfI!>s{+tel
zm?yk9*u>sdW%_uTZ+G_*eW6G}&;L{NtS&&bC;3Lh7qtHimDtLW*dO9HHgN+;<eXE;
z^HSp&TnSN@U*Uh$dR)pK1z9+wzP(Fx>^{1bvo>My%k=qRwtGcy)IK>jYO1%J<2l+l
zHt|>A#+fMizYo?Y;Nc5iSWq7u4@1tJUlsaEfqJ(T6Ml>)I&>k1=iBt1G=M<iyB>l6
z4``&7oKn1hdS5m-pZH8n#nkv5_nA<Lc*6aIQ8w1Qd$}CVu!B)244iG`#l-EybB2=m
z@}(oCfF?T|a}l}QJ0rARfUQiFb%@F&xHed}uy4f2DlD!zo)(~7>52%{)FM4+TJ+Zl
zf#gHA4Q6Ld3R1vfg9mnmc{=t2YHIT5wRi7RE21ZQ&{%kRLA|xX_V?!`Zr^>>p7w$3
zC&)<cUDhJ@_a=TWnYPDsx@6#)1n3w;CBLDz4Dw=_In=*tXIFg0y?#u}Oe`$D%)9x7
z0_erwu6>fkjo%fx6~c`Ejb4YO^wdGm&ZzDz3qd#JK{G-?Loq~3PN@-8VV1{xt@k}w
zFex$kTkVuQ1`A4|z#ZqsthG-SLoROV0>A5FgJ4(j#PeTIWh$U^xQ@EoPd$*^AF8^3
zIbS|~I`!6+X<g^!V_d5t|1a#5bSQ)={n@>jlP{CU`UHGzAoZKvy$3I(2WTWKD~EJD
zW>MzdH+DCPQGZrf6P%P)xafe{omui&epGWa?q>&pno#QCcwbfU7Qk_RXKxgTEAzWZ
z9@%^0L4bxuNl~3d;y#sIO!EVHKvMGAgrSWMcCCX!F#Knrd8+NJT=77`caiUt3KTNm
zUO{i)u;M!j^Hk<kURsxL!h2aKe5+?(z@Gi)-LTNJ(Cjdm8Y2P*id!z&X+K-UA?Y9A
z0W!I_<Jyy%KpEAWNCIFm;*f{xAQ^hF7u8=Z0t6yK!Kh|#Kn;|zx5sY&vV2Sc_z4(2
zB^l8TI8yT6#!&`D!%OAhw2LRt*CPojBGZgbpw6P)F>@{rE^7%^`bNj3K`z$@mrr@C
z_HG;ZQs?MAY<zfko!5Nd`iqbPn2S{1_edFmf}XY=p=F9s8y-9SYfoXGGqK5tFSP;$
zDTx_^R}Nlde@9$*udc54?_i5QVjY&m1WS9WDFFFf83F(TMK76t<ltCaRU-IX0NYm7
zizg=X<FgR1ZuK<$$C46ZpD)JwY2k!qJEB$BtGU@C07$_=vo;B5N=(kBMWP`rEnSoF
znUv_n)BCPk{tT}kUaR|T3U<0W(|=td9s}9}w`<Qr$1RXMyW7%Nx-~ZJmpo!$pWCH#
z2h^R^A-vuRe)6*$DZyA<9@3A{$$ZTB(>$vXy{wg-y~q6t)XB;^&hOf}x5%Ek7;Td=
zly5|%ufRBev2N=j6K6`9$=%fd`4e}R{g9FnR{R!GyTp3nphTEG`f?g~Je?E)U?y#D
z(lL-p_H@vXw3!>NzZNLP*k?ujLvZ@p%PFS<OM+N?QAcaneIytlA$YfB$rEcoabi1|
zoB3$1b^d@FvBu70YJtD}_4U(B7bos;Q_w~5S)kxKa+C7QMvYSh2h9ygQ#u=f(0D&{
zQSbg$%-4r^tIZ?hMK!#p9e3Q@0vxqZ!U>27;UI&Ec}gyBIcqeQ!*y@~{X2kXiya%5
z^V^?Gq60g-dakg>X(elJUrg%cmIYvh!hGjFSQo}IPd|W>TN&bN{KF=2)Z!}%vNDSu
z=H3{yw4YM&##2~x<0pc&>S`)ubOIaU`Ow-kUPi~2yViAF<^a5@PAX0^oS+l7-H5{b
z+Ndr;2Yf1Tbs4s+%ZzaWsI*JvOC3hmRS!VK+@$1X9^CVOT!czJUaHL^eVu~PqDWCf
z!y9j35(8L;gHQ<JWW#9~>DjZKi$7bY%*4~X$9uc6fJ5Nh0`1h%AL>ykF%o1AR5YsI
z85O56tL3EZEr6-cV^|zR$pW9apk7-o!1m4h*hlr8DvB=RZ4H8ab}8fW<-4`dTA&nG
z9x|gWv#WsyZ=uceMAMPBYSywH0>evkY64Mn5^Fv3%WNieSR7FApuHDa%bs-Qn;GjR
zen3fC@qxjl8ue%$ivhjgTMt7QtNd1psoO%0$i==AaYHWcc|grD!deihc4!N*2tNrA
z_?MUWPiEn&R|S=YgvpVuu(aV6_BTTrtLM;pJZR+55u|}`TtOPLChdlW0IORaZ_1sL
z<7cZ3tVik84h)R=uYms+rI>9C+OsK9U%IUzDysM9U$DdDlD*lys+iq%X%&8l?f1W@
z-Pzi@{TWMZk+6anCd-i9t4W_-A+75Ie5#B|V=bWd|E}<fZPN9Ag&6vFjc&yf*5jvL
z-dXJfz(YW}mFB#A<{b5ycU_Oq)B(uQEq0%H2|f3fJU(zAp<xb+HqMKix~R))kpuTM
zG&QLGnt^&r)r@h}V1>qvRpL#2b>#ra`>}&j2z$Ckg6;Ru33eZ`N(P{JF|lCMW^AV9
zA__jX(N3nO^o#`|1F}JkDoB9bn|u&lXAf;sPzZ3TsHKB@xDT!egUbS<w+K1|uytD$
zI(#fwmY|8ET1vjp^CZt51N%5|4gxmElN-QB{5MyyXv!5;HQx2C^_8nUHkv~D|K%9H
z{G(!Nf!Y~U8B22{dV{xAY0tmjj_&W{Y4M4C?)L&rKE%uG`dP1-o=)#jyae>Ljk&m7
zWqWTL-pwp+6pq7~FhDIk>RcC{vkKl>+8O)mEQlzI5^IrS5o#^;UXQVH*zgE>9lYHP
z28T`3!0eAuo%3$PIs?4=rg*r4{9}<JF3Bh9ha|R_>Sd`F>c^(T!nK!1gmVlzIPMhS
z)E{Pn3+L%Zd?SarljFb*>XZ0Z|KSYka&>ja4mSPD1aw9(x`1ZBayt<Ml>i%zc+KLQ
zVp1Jc)d^1GD*C4~NTG3V)?BWsGs9+PwTXkuwqe?1u6mdRC7(e6tf<dXdcyV0<|y?J
zC}Jc>D&iS9<uyYrz)JIV3_<)HG(@QpPI#D3>z582Ci*RO1fks=_}Mo2o3A~ys4@}}
z$UnSZjVm~Z+Q^yLYt9G_bdraGWX4}XokyZYE=;CP0!&==DfckzNK`w7t~vb}CX67c
zH{BvLAKqsj>Wl0xqp-`qA)+s##1;HLew6?pG9cOz9%dlMC`0=FXQP(y!2>4Y45C(!
z=f455)z3g_LNd!q9xlv4$IOI<eB&VVqY-9DKH!=R^)cQ__9|OhS^j#*T8T`C3uH0%
zn~p4ffVaR;_Csmn+0p|B$C?Tql3E#@;a+!gv?E}~!f|r|9BRxH><B13Qgm$N(3*J>
z#xZPqQnETkofWo?;?i+l1l7a)aDKu74g5~#Man7MgD=2_(nEebt&U?()zDD&S<>T{
zW@<M>IRXgAVV}ph6UVK5kmJhGeKQf<i;Lpz_atk^kuNMM#2GLDN&ZKKeeK`pc#y6z
z9uJ$VC+y!CF&z{af4!DvqZ6feWLZoUr<aBl>!7w56BXPzmC%V`8p>!H1p_1ho{iL=
z?e+=_Q@knXo4RCgEhojTn}sy-NAo(!@v@f68-w5QF92WNhoL>X-^+U-{o%i8FLbw<
zr%>WQjYHx#VnloidV{k@&DmW|pF%U0_M1Y{KhO03utfkG_JBTnj*TK>Aw!h?b|gcT
z)}r~~z<g{>*3jKuLv%prt9*<&Gd3nRFtm!(A9F=`#49k+s(-XD9qDUWpIz61H&%ay
z!V-B>mq!Ad0nK`h1QFT=)BO;I`|Wpc3*ZCz$HvC=OaK;za;&IUcrVV>{~o0DZ-9jl
z>Ys1E({bY4eSeizn9wunW#g~{XPJM*Hz}yrH~GlQ$_i#;C3C|!F?tM#i<z0>zjnt{
z%+==gQx@F=u+{(>^VH=h$)F5s4~l{UQ$Tm_kBkreWiJv(3H{5E#4Al@AaGgCyULjl
zyjI|<_cQo?Q5hLAu=m}Ct5rhBkZalVT#t5ivCo67ja<NjqY>e`bD~VA^QPX}(Fpxi
zV*v~qoZ?+=@=+b=I$n&zrfVPqzuJ6DJgv%{jKg}79Qe{|`UZo;y00JtsIT^Z9J5NA
zlax3ZNaPW71Ob|)^x>8|3hWkY<FsY+Lt_(nY3sVh1LV~6dqCAa=^tfu^EM+@_+G$U
zfX$9Fxan={06w8t+-kW_=!zqhFmvH|a>PTGx3oKwx<c0Z67wdNQOz2*@DN%YLI@$=
zhJl8@PQ{;r;@^NSjM`@t+4c$5jZz8@1r&LO#Tg=^EIAt<j+(1|Rgh=7IyQ!6Vj>!_
z%tSU7F*7rhlo4B4abPtqA0>1b42<R=cRGGoa;|xlrBUt}DLqHaeB6aY=dYvrb7;m+
zY~^+x6@cUmh!?%RiF_^#&!UNhfz?CRs~*zH7jb}mD6w=j##YdK--1_PVR%f6fi6L>
z(4%xmwyicfw?N^Se*>=*+E5VYoxZ4Ry8FQ~&2#7wEDopcwtRC2S&#AlH!r~BPq@C(
zE}=X+=Irz{w}cjO9s2n*yTl?{s3m3^{lW|bW#5QtF<-=_6C;?~BB?GMU>*7EZifGb
zcthNI6^?7}e%q#SJ(~T@uAo6G!2?ibiEg$9K;MHt<8MfFM1L8sd}ZOVN*cBR&|D4r
z^`loC@D#_sna8`_ilcprd6rzZ?_F4zc16bv_u<&>)Tp;0VRxM5ES8bN@%cgH;zzU^
zTq5kS#EQ|(^$ny}LBwBUFyav^V^=}@G@MX4FGfagWTSw<4ih2V5FM{pM{GbGuUbwU
zq&&+;!zaD<uT*(6jq6*iQP7MqY(7I+pFQ{D$4mgeCo$;T5nMiB-Z*E#u1~SW?zO9C
zPl1MtQ2h@J#DB7%3kZCG`mKB4%xO3nIn&Dn1R;0gwD5MFQSegnet>A1(+rOhHMC42
ze@046nrbS7XUd?Gs@*3nCq5W5PJ)FqMS`?@v{f_v45yAXg`O)&3TW+Jxq440{0LZm
z0iRn!HzC=ya}9BWc_W-y@3UZRpkjawGXQTE8h&nuhgvzsB1bPDW4kTU4JswmE=uPX
z<|vlo{l)AO25c+zlN3miGA*{M{MNo`Q@15UaJI;Ecye2c^E3=|MBkuMVO`Dn02c}r
zEsqn#>XW(|CRYA-D*+||5_P{%Izz2;In(jHX{ZF64GIS$9$Dsi^=ooz+d}>5dkFCy
z1d1ev3?nV~GxB0xT5xaOq&PeBNA#Lcq%9O3@^80+!9zZ%q=!_P(qx)k%AsYVr7{1f
ztd*RV-r)yB>?al!Ok65qf^0`_(Xl)!j#5QcDr&-7Kr*2O;FmJFmVj=1by+=8T3zef
zJ9G%tyAGk;m4bE#PABAdW^^OVvi0t{2C4jf1Ze`2m+!Rf!sXh2-04P91lv>^it3ay
z$JoY=Im*>sh6gC#1%0ZyRhN7^T#gO1A))<RJUS&7(W9L)uYnV+dgUb3QZZ^^YCWmN
z>@uEQ9`A%&=~j~&o?FT)hJ#`UGXnLEl)*Wa5>TR943b^J#|lnG!KDuN2vlrnwxUBB
z1~=`uGb}ayu#z2#koz@lAx%D-VC~`lJnEet5N)5;#l>7aM2*dcD{tx9@LfWdUVBu5
z8&4ciwX4AQ-r9LydR+l?t8Ju2G!cLWA*x3|J>$KmFX4%V<ieM7ii#|)V-yh|uRX8X
z)6#7{=Bf|LD=j@nCWj+Uo?-z678v@}kD^$1;=NmbgMvmn(dcxg-Fs`_FGgS9^BZ+^
zoM^}FbFH4#j~vhzU4a1myC$X=19BXgs~ah<STA^WxTrBy$rn+;SdR#F{-?T=_AAq2
z^GD86B0R9WH~*H7CL8g^^3NZR@{OjXh6bd-<QuamVG>t0ys5G?<SZnUzA(de1rS7F
zctZr@4EhSs;XXDlTFU~7*OzT4T+sIjvFudVMQjvy-U_OvycU}nW-HAv6K2{|2J<PV
zbfSYVz%8VaNc>{crf3xv+cswJq+no(FQkVw(N`?}TINIutLX$6H)R+V9%+QahhEI)
zkLSRB_Py3fr1`|)Bq%)4pW90{DLCcwUql)n%Bx??p++BuBPVo?7mnCnv&?xeue=7x
znPDspH{BIKI82V%o&eN%W|jOd@V}-*a@N=>Cfa62IowCwbhUDc?}HycdLKKaXUPLM
z^|i%HO;smSq5LG|GFNn<z<klIMX0YQ(g_2tzT^vwhS&KyHu7f$nkS_Dbs;K&x+u5o
zBMvRP7%gS3n(%Cbu0t)#gi1=`AtiPBPU}4Cgq_AYza$)o-suoY@e7Xj?Zb~42<f3A
zDjfKD)bu#v-{-wAeqRv8@~JC~EEPOyh_A$nsU3O;go7l4iL-oih|xHr#GWz^*4pUX
z(yaSswUBJ0J02)2dMo;Glh0dbt%h>6fA2O6Un%)Ax1)|acLUQ;%^1pX?%7p4E8#Us
z*L5)J6JQqrT};gp`fZLT^~BUN_k;Mb?Oyl5&#^hf<cibDYQG96h^<oqA@5cAq~m$$
z){?z$kVAZA4PXN?4kuK`+9>kd@(-e)P7OVsOri-Ig7M0&Jz|BXSFb_t&&<kTB|^8F
zj5J+<U3aipw8ZuS$c*aH8p&QVMq8c$Ozm^J<s$RCYu%bl!jvMDJK^LNtLN6xZrHhh
ze1C84eA0iNrya9h+++qX->?*^-xvuZx|QHP#UU{=P>JbE0)ZgzBbT3lC&+;;SLmjw
zJ?ax>7Upp|{Jw7S${N=8SyBW<6V&R8IMW>nFN<4gs6wi6YkHKHcZ09mqaOE24dcoR
zwevNNue{=J>dJm_r{P>uu<i<(aN8Z+##gij1U8}z&#{0W%n8T!P4jZBCKDr1+-7rZ
zw6v@+DZb&oG91$`$)ZWl#d+!9{vGW&k&znz$DNdsm3*)WC9JPwnmPp>LwrMfyccM(
zf(fl5h)e-qRyX(tZ{75rIKmYIb;&?63@p}e=3|V@x{oU#129l4$H(Unc0^f8M&)6|
zyyUJ#2&KHzz32QKmqmn!{L1irnV)+KBc>Wisu&?X^1cekGX`}Gt7Swi{zL@XZ91Bo
z_t?&v6Lwy|#!g#$_^So=*EZZKO?-**dDH-!&$kvj+68cch%<e)RQcNPWi-@<Yz}SW
z@hFf08kAEi{b*(rJuUu8Rq$1V>8~_2w+4l-LG>T>OU*V%f(@*EHrzl)Gm+Gxo`^a>
zBGnKDfO7r?+DfGpop8z@BBulhnBO)&1xv-7^|=;JO@$x$iuSS9h0C4R{O-c7G=Hz#
z+zWf!VjDomNp!Miqn;?3z<Z$J@g#7t_T;d3;iik8++}teXS=AK>qW`da}>=SdTs^@
zVpZ1L(;0GM*<N5b(azP535iIFI-kDmAvfLMbzZLA@(XkV4)T<rBupqEkUjSIdZG8h
zfe~BZ7vN)*4_YX0ci6Y$<}xyU@JHc2z;WwiA;@d6ngbyYJ#dELaXan3NzziX)=tMd
zpxo}KK!n||nrvqb?#RC#$}vQ@@>!xqds%GYa-wp|{J5wq(HPv)X5~=R9cjL|EBC?L
zAf4!Pi~ROqg;XTvC{0m;o4#(=_p|vxNxA2UgL`D5)|Alw2RWcfOicIh6|Y%UNms|^
z5PE=58(XBXLH(o#0Y=A#nb$<X2-l-}(rE=7Revg?L7PKTdjnG#qLSfYA#%c%u$H0d
zUe}exIka>HX(s{L=Tk3#6P+N2%@7xT=HuMbwa8<K%C%}oui|Z}+^`Uir~1(F)uR^J
zNmsT8dNfjzW<A(#o-|NScG=M#8yYsE7rXuxrDyexogX~C4_h-zvrBJ7w@$)N2jS04
z2dZsw6~c#sjiK0rsgK%{E&QH?fAw1Q*z#n(zfR$)Eu0!?C>VUz+&NaW0Ov_-?-wy;
zI5>YPRIo8N9)jCO?sm>4Q1>eCmN^}aMbfL$<&xmh42U-VhMzT+A%-8tSA!OEOKtDB
z)WFQ3+3;^|kx1oVPyt5yz4)#9ag^Hg?D$CWVuyRhu=7R8`>t*oE<;3&FWFG}bot2E
zt>QSQu~U}gK8PB0brFDdsCt*`=yTJYMh(5%>KN?xDqYfo2r?8L#}C<LRo&)KWUyQy
zy*lGsk6+7dEmM&cSckU3Ht@TR#=JNBaw(?u^%a~K4rpQuwaqOeYU5{EBofdN*}=8z
z^Us1AAH?}PzhLh|8KSp?*)EwH7455w->(%BGOIErAp=5jy`+v7;iXOa(UkinmpGIy
zCQ8mpE9qQ;EQpDQ=&AOS%Fyd}Wc}&c^w8RL;Gy&x^C$V@zmpz3Wz2v9P8p4_B3>4<
z=hoDH0X>_Axjl6aW2CAw0iL~eZ*)qKYjriIpCU8a{!W{f<}X<Xv&*w`0v^1QYtMkZ
zNIkf^97o;KFUwIsj>pE~Llvb?rMzu=$tlpu@Jt`@Gj34XR05(YJ`r+-s#&FoA8Tx`
zi)}D?gyb>`*&$N0hs7G$8Ya)m=I7+n2UT#J&1T=cI|iu4smB<%iO``GC=Hs}WoGji
z%H2$0wMTyH>qa3^o-@ZOdrF-RV2)-$KvGsK+MsI+tue~Q+*90);eo=48p1bu|8bSK
zUY&-ChiWu%kw2t74yW4pxA+%xD%0UBJG^Rejcqo4^nFqB_aw;NL3=2K#*7DcFRaOG
z=Qw4ssWO1zE78<m$kFBCFRJIz#weSk)@UrXNClTo9hldl)GDx96zV7<geU?56x$XS
zesYAlHWVNhoD+}-WtYF0VALkI$5z4|>dfYVkw$y7BC844QS=bK(X^3KY@4vwX@8c1
zKNE@%vI}A!9jC4LI`C+fJ!2)2(f<b@ei>*x$(GPJ6c(4g%fg&dgG@q7LB+);t|OTq
zt=5w<Q~>i2?1-1LLHwa|uFk6{Pv~H5D)z}N{e&XJKbSpeW}sqLztZG~@Sov!_?@_&
zxs(+d)epgy)Uy{OqT)PS0nt)YVhshw!9WpZ-E@uy?{0Q6gkClxWiENP5+<(vfa7ms
zgI&1BY%rIBVf|=Bf{RKz|AmSsohJV~*t7SRN-`+#h!s}7VUGF6bXs%1DPlf&e3uke
zSpB&uS!s(zNefh>GLpcEN9RjHDe1*BN%6KG0|_|9PZB=bAH>06i%*J*R>_dRQ#dXt
zEF8IUFA+5Kl-}i#>8Tg?(DJ}JidGr^@-4MuT)bkB;x7m2#HwNgt}C0+7&Yjwbv|3h
z+AnIS0Sw=)Y8TepR$63xln-@=UD!byR(10dWF2yN^=hg#3@S8iDb&Ro@u2}iYIKAn
zI+{j~3<(YlXt>(wf0INR-G}^71~|<u{^5E~=Te%dYI=Z4RwrF`2irVsxCv|eZa<^g
zQD3Ljw`ah@($9Fv4ds=Q`c4sGqn=sL)^jnMyeo^Df3YZ(4?zfD{D_$woiNdPU}0b0
zjnfg43)8N@MGCWNKQmxq6@DoH8_y5SPtI>*^=;7ocsMLWrm5<wP1$goMUX7?PV`RE
zw|X+jR#7rnm7q$^O$~5$5|e}xI0GCmgNeUD>e38?C>Pd9QUA4ARA9|e5D!|idEm8(
z9kn>_UD3DFTuGMtm+mOz69x9D#c<`-bas$8%>Oc4xMh5oMg1K!A3T@y&0PCq`X78}
zxGgM3-=|e{;Yi}ht^>RVa_NNhurSFxnTTTJK(qe++<CcNWEXZ$9-{zA;iaHu6K{xu
z73uptD|Z@``5pF)xQ%z1)Y6u+rI{8s?Yl5NJD4;~VNJNt+NBaQihAU<0TPd#8gn~Q
zJMs@0L`x+PoVGX&ar^O2rc;SE_E>TIVrtttux(+WSW&&QQn2+RHNpA_ZnN6$?;IR4
zagddx0m6En6d@@ttFPh{_XYP+i}(s#(UAtAeaX^1jX-Mt;shImcHm{XvR=i{9Cv~|
z=@D1fpi<+$zIl7^HUuXk5+WCO+agfb5KOIc4(APEW0unIdYBUV9E15P5+C*7(Jjf~
z)LCj$G6`GxdMn=`Cg_?oeL<H(HxolSOw@U;8_nM%88t9kdL&B&eTFjA)=1Xab$$88
zINh=+$TX#2%af*6U=0&HYQ2;YNsR3@?pF&`n*SZdQsd*%2oG)N^<)NfIaAVUY_Wk`
zQ2YpQbXvFTPb$EspYiEd5WCAPq@GWr%eZz)>#FH?+T#_DQ2#X?1%w7M9C$&ee_lMY
zDk17#b*EZFcrFj+Xy_%0Ka_~mp&<##qch_Dg1kHD-XT)6c&li<0L{`C80Fm}2K|qt
zRV0M{$Hde?5xee^P@jNTi1m@Ptm*BKlV4ASp}PtJQpuAP_vbB@bSS!s@Zp<B3Dl$4
zzV6GWMRMPU6nk=a%=X_Puj0!T^>J-!rpe<PO%(z0nVrri&#)x}Q;;ea8f{jE*pD(;
zykV|Mo0-Ex?jde*`>E{xVM}h9_<X0h1`?CS7?7e~d^YyBR{mairRA(sgtW4@%(uAv
zM0ee^IEq52Md4pIv7MjPeV_QpB`p-b;}`jOa(VMnnHMHfhmkJUeo8O@M>q2*H$)Ds
zF*Lk|%{aIL9)xfa`5<^Zo{B_`rh7v9POaO)TTcJd2%ev>hM%$Suhmo}USN=y<h}=R
zizJxB<k@&gFCDb)hX#MF*U>e*4)VKLUaHi$<ka`4??ZH;_pKIH-;GRMkwE~8J{RWj
z;R0B=hFh~#emcujR{EGveNunyI~PL~!y0t0xU%Hww;RRg%0s}%dQSM-jXZ4wY!;3=
z2~bv)%8cB0Qt5#7&%c(Y`DCCxuZB($Ga8m#g{Xp`8UnYNLqlT3&q`k8G`TP)TXV@X
zeQ84L-_GV+U7<*Y8lLsyY7xc%Zm&M3!n-s)yMWYiS}$RXQi64j>oGk#nBBtEiC}>G
zlXxj%sCR|(l4b#_du%XYx&RM}#Cv;+&AnMI(DjVKfkL~NbFSdjLkeT+I_7i!J`O!O
z(_$0I31$`=1J`SxA^ky#6kWQ{K)s}@h}1B~@lOzfxd>FQ|GlCZpAfu;l5cehn-p8_
zO+k$Rpa<q@e4OBTsMqk)s(U;MAlZ6Ej`*{ECiSoolKIg~)!&)q<VJ5|1U>&YGG^#_
z$D<QIIp8NHQ`ihTURHhNAH9f4Bc*q!q0%wp`m)x?v=q7(bE+E1k}&}|5@j9av{YzV
z`p9~tiGe8iq$o&f0;O_v3QQ!!?UOLgCiFCb3lb|Ei3cumgiOc6VZ5?*F3wLqI+^&2
z=nIA(Mr>p(Kvwn(*mv6)d=>u|oP4%29~~&wOWJY_n)&?~{iNUg4-cIZGbU85l<u_G
z_IV9IQn6Vgskqb7McmIq?O$WnGkhn%aEKR+MAYIpse=b<CKm)UexJ6A0w<Ju%^kZz
zW8jB=&#5xPHp|BY?Czw8!;srqtK#EKzOuRC`D$JR3)XTJh+!vmu{u6hdx)KOC~5^I
zzI=|?$d9+nG(Ijj?Ebh=PO@F}h4|vW+s5mZ-nJ+6YErAVv-F#ul?CHUu4UHecYnl~
zP}&^-R4mOO^xT6O#2Ms^yKo1LG0~<YNSLH&>m{^7Rb03sO=>@}Xd=2Awo;piY(306
zONXfM{+${Hn?$c}J8HHNgsW&IE-zP1_@$*Sj&2Lx{HP4BQO%iGPMr%g$m1uYohZS?
z_1ZF)#UU0G$9OWx3$3vHkjq63!D-u)F<v@Bv`}EvR#NE~DW>(V_V2zJPF!mU3bI@7
ztj~4jw771G@USFqrTiOrY)0q!6G^GG=5~pjT)2RI59fn87S3qR4_{{dVEevi3}MOf
z=&pS^y?D5rg3!3OyaZbClpYAfBP}Gn+Lx|js!!;fk4#o%d1!D;VS0kth-eHmkpjY@
z3|n(e#ggW&Kz;b(Z=OuR^1@ir;zI<7vy9s$mYmz8ODRPf1E)l_h44@kfmk684qAk~
z0t34~J=v^IT_}2=DyPTlkXi$eqCeQ9TGt@9JeG?*fL|>JPL!9dI^RIUI&+qoQxSdf
zuZFd?ouct2J!+*89Q@&4!KT3ksrQKJ`LPA>r(c+6KAe7!Ihjs>Q_o#^JaLX~S7o&d
zoV6}*e(0J7bQP^+rfRfGsuDR77qP`MkCB%<g}mm)HD7D-`q|TD9*cF9lEH{mQSG-2
zd{9)h|NgV+<E6$tPh?sB*3IVF?hyCE$}BA2l+8l>WNHlCmj0RV=#}+XucFuvvg)dN
zWA%Tj(7YXsH9Dxu?da{Rm<6(WbYgly@CL(vQZS9w$X%mnMlaGSTn08?;9?kNK_roN
zUeY7hy#8{Mp$+<miru8uh})K;vkSK*v9bK+AfL~tBGq*eJtCHjj3w%c+$8Zhw6V|$
zDn0lD7Y#uTU!iR$=~e^0BS;o0?Ku(;f`P8Y?J$1GWqgy6wz=v7Q&R)ClfD9T>BG0-
z2AQcoof3ZZEAoV4nV}q%(rgi{S(T{SV}f-#_8%hD^#kJOd{_=j+CveAS)C#WUk`Nm
z2-@OKr%i$pRkNsfIH?4T=R#qzt4|=6XaL9FKvALG&;f9>9JNoOsrS?8BJ=oegwZMb
zxa=B=Cv54*0A4q%zR)aUtS~+PH|Bn3%wfJVq2r*-CeCERVYG}u><vAZ0<zHG`g7yX
zkA;gEFZSNFQblI)8R$h_m~msaF!<1M-Y^c3c!~i*e9;7g$i;Z&`vm7(9SM~ycS<@1
z;+c}6VWN>I!__|co}j3Pw8gy06&{Ep$WhUyHZP<mONQHD5V~?vrT=B~JGZkEioF_p
zt(ZYgo>pty6Z{hEv9{R)Uad<sK0#fCb3QXv8>W6W=fB<`3bCTh4Z&Vna%8lBX)tha
zMy(@+k<GCs`U6DmZTfW0L7;;>cjj#ncB=&Mg<an#*JlG4l_dOUuvxt<ak$9xXqnqn
zi9`@e3{n11iAM>2KEoK??!2}{eB7^Ptxa6&*y>vZZw8-q>FZyTt>@LBw!34*3t>I*
zoY85Ef__k5hQYMW!~ZPPPg&#u{jz;`M$sakCQ~jv$Z4fMvm83}u>!O1N>$TB`!&{*
zRdIS@nZaG2!>ozhO@8o|rYEWKp@f5j;1>yR>ME5moRs>IGqp7d^LE30?9aqxLR$gu
zz92G;tFcbZsi|z=U}av^ck)=jYd#UP67&H*5`9XGi>s|+QC)3%*TqTB$Fw?pJlEuY
z?CEqRqD#R16EO7ggCbMc=VMu;gkU^}SGmz0*IH&8KmQ-N*wuuf_*N$@WXp+`(PmBA
z<5)K<zMnq)&4>8gfsE4qfaG(qJ(}-Si{ueB>Suq&T%033C#=C}c776YWZhlfszPBm
zSG6{QZO|W3NA8n37UCJGU7`0Z&>VGhP+A)z@ok($oJmQKyfotH7bco+$RwldC(O7H
z=6oLw^>w%V?9F407fZYgjptf~2ShMo`^~?WGrqtF)MrgB2zz9XUmdVf2p7>>O;|Ev
zOlfEb%)TGxC}u_){6R&J<gATJ?c^zqM-3EA;l~piKbog~`ci*3RIXzn(?3p?+6EUs
zJvY{7Y6+%9<GA%8sm0`JVnPFf2ftJOp2Yj394Uy%P<t$;+7*3d==I%g%Bm_!-Flq|
z)@**iN9wBs$6)e0O!*byFX+-D*2~Z`y3>jZDIwfi<|u)aL?!zh#8KBS=SN}OwxC=;
zpU>LKih{aP=TRFHbD?Jcby2FewD{RY9);9-4GIe#zkDk;KkoCbbf{TfFuxL(mv#+{
zYXGBo4X|olrZXSb7r|?W<V+k9_fpMWYN|wX6f61kHO$AA@`(<cTk4$qHJFN1lwJT-
z+UbGHO@aaGVa8M=Y#Pw-C5Y;21~lB%NS*m$;x2Khdd~7`@LJgz3J@QkRQoAPoHN-o
z|HIyV`DMGEEvX>ZU%@bK)fs2lPlJj3x2un_gd2A5=5HFof>lEK^D{o_+J088`(Yw4
zbJxY_vW0xZ6mqtxJBmJ4=kGvu((IONSc7}MUR1={BxG$}le#ilmIFCncQm%|fX(Ny
zbt^v!u)3FmSoIbR_TrGSw_~|YZx7q~(dG@=q-L`_pbo$AgsfBhhQu7Z^!L*#<7}`q
z?#l4f*YP$Wa&UZh7)#Dg!OTe7cmz6$jIt)I;t;#^SP>=g0&b%T;=c^gGl*lT6dB3e
zUE+g$U2D#VB<(uC?n)OD@-}NSCv{I3b>L~g+w$I;m(*@uq_|7H?{AK~TL_JkKi~>u
z_vY@X{fDoOuG9jes-NW+eN^<g1=cp&#$YeE;KSw0p>mxvu??q7P$!jL6h-4D#nEun
zo#GhKW2Pve4BvMR+i@x7i!v?tp0vy@<XU2&{Y_XnN2OtL$5&OcH9KEWx?s4i0eYe!
zYMP#7z0rnYFaL+C-`8!QOPJDvF*H>Y_Wz`92bM9YM0JIXNipyBJ*sT|QqvM0Y-F5X
zjK!sQLp#dvh_sQMAfYqa=dM$UdtNL}HdYm%<M+#ptT=3e$H5c*@kJ*IfYo3OEDX$l
zAq9e>TY@B10ntNM*0vJGxuZ4~Hly<I>01+a0)DAf@&zWWeX`tNM44{-<JC8^aJ#=h
zaOGS+B;5Yt>Z74|%Q3I~KW<D5knu57L|@(Ca@x-=pGU{{*SLVE8dRfK{PT+y9)#ak
zHzDh<pcoCit7c|gGRnW8;cAd;c!=ZJ0G(hTMf8005LB-&W!AI^EN_n%9cjdSemLjD
zM*#d8QD8(P;fYR&4gR-^dsgS=t+^Ic*7eJ?uh&iP3)6s6FPQw%LYsbmP_%chY}y|C
zAm=wYTHY7!f13O9e<-{E|B^IF+4qXEjmaL_E5nR^8B5l&lYJ*4C1af-V;L%nAt6g6
zBHP`<*a~BhaA(O*Dpcz3b4K0wyC1%Pz}KT+<hssv&g;C+xz6=^Jzvk~tlOKZqf_^?
z0;p<KXTwm)tgC{Cy`1LRZcCqr&k#GAFG+ewZxwAK2To1cPj1g2zw|;s`E{s1r<+=^
zRe39`_fQwv-3kP5I`~`f@?Xy;@C<yrSgNx+>2bY7W`0kq&wN+lX1f|*fpfWNPRs=L
z%~D(`wjePBB+ZK^iOOjxx^x%iDxH9&mVO1R&z~GMM(qxxzRaui32JQr9DF&sX>|Iu
zW)vq^bG80hrpKL!cBW^@<SL7P|25uS8Zyi^j{AL?v9{yAtbyQr8(9L*N@d#bPmeoZ
zVz4>sdSo^=)aQ)mjSH+Pd+O4@UFXn3tmHyzIkih!isPb*$2`gj*+oWWnHj~YS3M_b
z@vfvcL!9$Hr#+3y%VN^tgK#UzQG_0~Ime5i_9O)8ICH*}*%+%BS{ZB+k`pK3g#p!r
z+9tGs5kH{rL+1*Y>bat)dL`}nGi_4?a+GT*ldnip>dUqW)4>M6B}a9#z3?@6&8_;h
z)GT;JlaK=H&PA^=Ue*4EE5AQ2pkEOzXDZkx3ho4S8HVw`^|-KhAy(>Tcz&m7U93FH
zElGv6+AAo<FM;S%$e0ZB{hp@nIx+DTvzLUr@0Ug9u@Lb8>tL{|QvbTz9AWZJ%0QmG
z$lASp?>rlE_qyGcM`TPc5&|M^@>IWZI+o4s)Ku4Z<^s8P4Y2gQ5ga#qZ5=V|df{k<
zgK4||lB0B-{8!DbQBAvxB(BRQNxGSoD`@VZ^8QH|9HXk;_~PSM+J<WG^miT;piST<
z@rk)oDfWs7Lz2y`KNgIfuO5)+V=i!+XwsD+x$1es1#71zLJqJU%SwK!^XjqnmcSX~
z7th@(krr73)GNlSnDD~plhG>EP)L&3n_AZTE;3Iy+?k6BkGNDEj6ksXNMXIM+@xIY
zJ8Ds~3d?e^uf4Vll_ODFUS-;po&tqyT1o!>W4SNPPMlQm40O%XKJNX1;mmi2y7h3M
zm-Yx3Yo6u5S#&=>B*PQe%GQ-%P)d!%0EC3Ssmka@^2Mc~h|G7Bm;;j@L*Ko;Cuen^
z46{pGj7_C;T#m54LLV)?D8@0M=UCRc_9zqz_YoE8K!#Li^n1?Qi-NP*<v?z?`}C;1
z9S<jUoE^Y6)Ue@}qZ%9A=}WekYj5!$>B36)H6iWU4_3j#qM>qX1%-|gCL6)70`p2U
zGC+eOO5uX*wZu&)PC7Tusgko&HHY6dUNpUw^X^Ajh>VF}(Hq6iBjWB{k9-bOvWqAp
zs^11+Y>0GdImYRjz>KXfw=iF>D5cbYZt#<Si2e4HoAO~@Qf}FLunz9XS`ABiz^y1O
z!jdi*6&kHAv-ZZPE+;tJP|<IlI7Z0!_2-*FKTiCFk33nfS7@XCR;%+li$K#cZNQpW
z{3BWxKptXJCBlxZg-Xeu7LuC?5vfUQJI077^89rd5v7n~lIwJt^%#be+d`h&gyaGK
z;v}-pq<$6EAu*MmwA>VpS>SeSiApqiydAr;CqUvK+9jS%6I4%Ujtdqh9qf`CR*}jj
z_!o3iJ%{-gJ2$?dmxWrd;sDohMzPlE9(v4sjW>_3SA873?Pve;m3puALL(h1J5>J`
z)uZ{$TKlK(XSJIF%1nVA8UMKXg3J=jSXQ9v?WYQ1#S`by5I<kXz-K*|{VrES-dm=I
z3%sV%A@JYy#~5wBKlTTHxh;5;u6S&$XsM$S6H|w55t_<#Y5;<|$%US)x4OJuko=Qc
z8x#BxcY=GXj;T$%O(=%oRW|^{5a4Ui_bv?7L%ID`AKH(SEY8NPRmMEIGWe15Ar^zT
z0LU@oi`l9^G-)O%VzlHnlabxI2foqPjy;iQiL+4K6OnZ%81{GT_qu99mGl%CRGj1r
zSD2{BG7Bg$q8(nHIq<a_(TwQzX;u$w+Nj(3>?qpFKV~9$ZQw3pBreSiFwbKJ&v5&y
zqyt0=>PWN9V4KqIT$QPpohBL<Tb=eMcSZntI`LG!)7=RhOm7b8vFz8~uX+~dp-Iw!
zs0yY|98>c7OK+FVL!x!eBvuB~wev;&0>qY18_*k3Yx1)74`09pw3bSqG9(WKA0Fy<
za4;7?ZxSKnBENTc@vN+A=c&3&?%~fN`^<ee7Gf&iT3K5=_66OFxvD~Pjy&aN*(Mj#
zAkTZ%2w*bj^!Ph)n-dtJ^PZPAuiWZGNH_I_ElB4qRN^v3o)@n}x_)J$SJvmGWl2r-
z=e7cFL3xE2`Azy)qfU0@%{R~z=?7W`o6qG|Ub=BVCB4ZoAQ9vV`9NrkhUM>-%nu(K
z$r<YidKz=JZti?bU=L!l$@Y;N0<!Gvtv0b#fMN`tdb9otz4tyWXSK&3-fPPvteXn)
z-#T)RDX=r;8ANp^DD_sM7p8b9#@^JCA|7*<qez~M$Kp9!d7(6!wU&-15C-6FHa7Wp
z^3mIAJ^jlvV>t~$+J((`(MIM(@Je#|PTWBt-Yyxx6yUCq@UVP}2CN8AS4HOaK6t4g
z1BcKX+{#7jk7nsa=JV&CO1QeRQ^zNWYs%c+j35Wj${9+PpS;Oh8}jQ(6?sN@`~4?v
zx`w?$f1Oi4iW&n_6S_&k9ZwQ);emn;0a9iWmj9UBZhV8Nn(Jia{`$Fp(ly_uZOlza
z)dP(qFox_rY4at<mPetk;xdW39)Fo3x>SNPd4L~3OkD_oG_f7Je6wfsMbEKZ>&+)G
zv+5tLdappMqRYWob8OdNKMnOU^E(yIHVv=sD>w4d9=Z#s7<)0Nghhq9<imx>Z?+RT
zs~8=K#6i`)!6y4o6C$JV>EkqDDYnue9pyfQ2$!kz=frJ39^au#*(m{>!wZ79FY{&#
z=evNStK1V$EYnd1Sg9lIZ+NaPNe^x|;+%ED!tEXi$Us}4cs#3?<lwf)=`KJSh378N
z$nd)=Jc17fhHzJe7J(}HH*HzjwC$q%OVySL+Zy-8<syH>1+QWKt`K38{pZ6Z$Ynt$
zJZb`?)-6DK_!eU4>S{n#t`!t^M+R>;y*o4)OXFeB;JT#nE+B@x>T=wAaf1$b)ipoj
z!;>J-=5obuVlFw1nP}twGkC>`N%x^6!aRLG^ojUkluqvbPs8eGBns!|wJ&y_1-#1I
zzxwC-726a5+90em2cGbx(vbB`XUffLy_S(HcRojEh19J|h<ZrgYfw5Z$Ir}|)_WiU
ziMS{Mj;*xOc}k}5i8gkKa|JEKW?wd@*Re*l=(B^+f?>dUias-8vf;3ytfy?J$~0lW
zp`_!-)Xm)9S<VaQpa{9X_k-b}l#%1D`pl15J0032-^~g6yYpOM;{v<*OgvaDiDLC5
zot&R88ho}dpUc?pMcgANJXxsx3YKzL6PAs(pwgKy0y5_AU~Ww!az%=roRxVl%*g;S
z!lCDPTn81oImTPb{>uuF%sYkKqtAcTnlFn1sR!A8zYTF9XQp+f@K;@V8U6N$xDXG0
z9{7=xR)4A~FjQ*nuACc}qrolA&;dHfmk6lJ0n#WvC%~+fpu%xNJuv^K0a#_`^E;O;
z`Lo0(J3XB5-_)hyovFWD50Mfe_D<*Z3GAFEfQ{|$_vokW-h4I@0*&<P3uIaWhr&^s
zA^~fN!{do2$*LznnIS{Oqdw)z!}XZ1Z*Ievf-GZ?(XOaO@;(O~`16hLZFH&gB?L{J
z7!6oDzvER@XJ_NTs6Bd$`6`3%0-#!odfvL4c--iVA21HYwpH#%kOqyLea9?=_xQ9#
z?ZmCmXL@M%v%~HWNa;w&8E~C|5&SJ{?V!}c83W)MwcIW|G+elEdP0*N&@8k4F_4}$
za_oFDmUWOqs|Yap)x2t(vktHdVEBF{ym}A?!0V$>{Qlnao(wy5)&by(x3vVoMt~Lk
zxo;EDCaqgwW&PR?N4fCXV9ajE{lVLxwf0FNfVvC2PraZ>)A(lVn!&|g6TdndZpyF!
zGEo-XdaAC5_W$3m(+0qr`J4gVE5!oDcfhSz5j4k!*wUZPV-zkCm;n4m!q{II?mv4r
z3zQkTn*$X^@GD2A?ph@gC<isq&+Lw5LR0~GDtErM0clJe>&ezR7-FmMftj{Nqz9&Y
zX?!xK^<4FCm%u;FVt~O~;-{lbHmIvkNJ%X(%jtDs_Cp`cbe)^+I$`(4DK?4cr!K^{
zN|X)1C24&6{{8)G9nh7GId(Lc{a{g`rIO!)nP*Acd1L90Mmxu@B@=qE?>uEMk;e79
zDmq#}O>OR8fBchq?(M9{zc$Ml!7{~Z5kJDwwlFtw8~tWw?;m!e<j|m^Ex`s;c5kU9
zobJ%ehCUbbDTVyIKVDDno*p3H+&$ZW%JDY7=(5Ob;x3?!c}0~Oq~QqWsknE`=`X5>
ze@zHjNvGL^sUj%&Ss*im8ag^KY^BRz=na>)c&@AzBeF*c7>vS(Pn)Ihj*g1;L;2>+
zZ=-$)$c)LHIL4&9_N{FfTgjbT>Mc}`vQRF2*`!;X_;||dHk39+G|Okq9bD!1Pa8++
zyeLIkSbwNb#)VJmT69>BT^-&&5U#{p1XM%(Dv?2oMZv8&Jo><^v4y}x%<h?cBXya6
z0w!dmxBbP8x;<D*hBic%$Z3Tst_I1h_@;6y)<eF<Sj6f5j*i^-kF<HEJ<;|@yJux8
zt}QW85kWqgTxhe6w*Dl~GO_x)5HNWjb{b=UUH0P5xAbQzAV2n98w!t#RMhgyS9y*_
z4vAXc(@Xd0G@bSa=<>oc05z_l6jqyADOK2IrlcFMQx#9Pk!9;Q-lY1_s$}*bc#)$!
z&q>%z93^`;oD19GDR(o9_K(MDFVmXkTUo^wN&DkwNiY-_U-66jY7+0&kZZ;tm|u{X
z;<aFYACucR+$Xi4vVP7+$peb*WPB96r6j1!<+M_|V8vp_0=KkE&=RW=KRbF>Cc#t(
zHF;+S^LwDe4>>v7bgr7etI&t?KJM!9Va<Z1iK`i8yKyubjd^7T46f=~(<?{{aq%E$
z&$!65ab&fqK~lHPD#DwyQ`qoYjYrw=A(g@eg2G|pPQ0s`75j4=E8e4|0h<vk_Sasf
zg2O={1q^>Xp}W$MPlJr8f&mj9DeYyRXt!af+b{%GAQk>YDbwH2&^Ey6gKtXQ`Zhy(
z<9J~}jC%P2K6Y12H@Nw+6#Tc9?YhyKXsxalU{pI1ZlqZ@1l5b1lkefNwTMJK`seQO
zZ)-wq*F{;Z?tFNoUCd(aTxVJ2&G6wY!SJ?Ecg-qOxQtB2m%}wj1}Iy0o8kqX%&Dah
z)Z%;?yxU1S(!fpY$G)D5NmJ7|7SV*oL(0{#NQK*vV7>6OD|dXq=|ljm3s;F(C3D!&
zQX>w?65XEpf@;#O>6JM1?_8!kAtH^SdL1$i)2l(w%TfFZ4<4KJik6MWK9L!`IHu++
z*^t=4samsD>qqBo7-ZB04m)X0-e$K7%k)Q$WAL-?a67vKw7cSz3W2vXQbgyt<JC<8
zE}jq#i!Tfr?kKCau4!e3r?_(|ga?Ow^uDCfsyt~14srPV<I(2{=dXtbRcB=X6MFse
zRBITSSYmG0)N;(r$pbHFnIfN>s&&AqNke&1y*9wdvJElP<^C8bWz=w0l%|s01~r?+
zzE{A6JB^$sFL|lDNJBc8_wI++o5vRPnsTZ<{xq1qSktb`7E;35S8iONT}iJE-+9ss
zYI1+Co1BugHv=yc;$ey6;@rrC*4gWpL|D&Bhd1%3qi#DrTaLZ5y=wT?`!q&t`i%dp
zkk-JPFUJ+jT6H8-AK4snAv;+wjUBQSS6F$7RO_+9+g(yAJ)xW$D6NI&8B&l;A&xzV
z5dyys&Y!w1-zPbfkik_7#8f=cB&pO4CgVP?palLI9ov#N@EX{+$$aB;1RDkjYy=_W
zNUR6RuxMB>pl#&r31RY3O(R|EC6?r`SyOg`liO_{(36djf7R{PzE5o|BjD1EVZLbG
zp`$AYzl|LD(R4Fbla)*+KsqO)E+&4v1A{T3jr+AmUJwU}@Z_gL56YEhu)88UoeSE1
zQ`r7s3rE8v;Jh{uGy5DR29$6CD`@RnQQdZJh9xJANdn>KVtRG7frVE8L+fg758vQF
zB^VqjyQ>{Y!6+w?@=??~C?FB@=8l$XPFtzIP8Uf^jLW2$zbdCCR&Q>B)Kcc_IM%8=
z<OPWIPh!Rtp86Gp-K?GuZ{sg?+NRc=e*Mrr7BY2SNADZ!UwPkgi|nEl;uEjM;;c^W
zmZE@SeU&ab*d`1wX{6z%zxy~lH*kF{@(ZOYcD1crRiEeMXTeVO2fUhao{g*Dj<MA$
zH2&N<|1-?y?}&_`;6<}+_9+`qu^w|0AM>TD2a{7}|Gl6_;!-dNgxn;)m1<d7tA&Og
zcIw4SpQ}r)kMmu3K-bNlmB3WsND`Rxdgl7=19c3w_Ju`$P}^wCKlDX@WrQ}lh{l0M
zIUegNf?=Un%bA00$%tElc4ssvzofXlLK=oExYe16Pks>}UeDKFF3DZ6eDl)sjdsmi
z(F09c<{`-&GU&n!(HJ_??8tl9{FI!74;HKzA-e;PYBRXX8)PqQ_eG(5t>1;VLOIVH
zbO+mQ21aZwN4Fl`R2QC`{b%e{t4K^{hfWs<uZq`FW2~)GCV5~WWN%Q~S^2*ax+Uve
zPJxTN(IGCy?Kncmbs~-E?_LyX;NlmjD?WW-6^_YPtINYv^O&@YGlo)fCYEh+8j~8_
zohWCc;#Es8tntb$kU<LvVgiO^URSEZHBc#iL)OVlmu6l1=_%9MOlcNyg`OX>1#dT@
zY`h+ts4TVSn{fEqG$f0iV#&&>M|&L6{)tSp2@-YZSi3*EilP(r6+Oo@t$eTQB5!o3
zXE7B;P1V{I2CeT#dpRM}**9+fT$?H{$aq!w_v8`Fmu=GY8rgG4a(=JbE+4TpS0f#Y
zkc`1_fq!}w!Ix3ru^~ZEIk}6s9r?PGcYWT{CY2UByeR>c1W;Vu;jcOv^gp{|+zQ=f
zC)%ZfI0_KmnHnSU6~&pflG;JydO3t?Xh9JODt}JB+b4jgz)+$DJb>EnS~iJ|l?mKz
z8V#VPG4_{IJE}KG9G!a}vraMhxP@9b$v58ZMlSs@ZP)EuG@1r{!;g2zKO(d=7g>2r
zcS(9Rad9s09zlWE7Jr(Y>pZ8Vzjf#qe0B%j$HM(<!Gop5&&cMhr-NF*tqycs;3!oI
zwltDiH#gUHZj!w-07XY@FyZTYT&T)W!LyFVJmH>873FdRGJ~T^c0J`w4|srM)xfBy
zk<R(c#z}e<M>J_TB`Vc5IF9--$aX9|lYclZ|1nGm&VPCNWQx$z%e~At)zVwzc25*O
zw^6#PKgWvuro4w5ezet&V3ofAf^^zJaH2X$fe$?%cxCz;NF4n5+B~i9*Yt{4%&G6K
znfby0ZQldzQQw!U%iRdcX7b?tTEz2`{^3s3_Y{QXxCZw_fWz_X;ExAIKga8EVfM~-
z$+~yCIv&aMK8R+2u2MzC-%szbnFtDav@r-T(?TLz?+Hhd1I(-jjhm}QQx$aN)i|~+
ze<nwfV=c`I@+mRcsg=Up*gJQpS3l@8Z;$&6{t)l{q}Nw&bwPpD2;(@u?RP9~ki@tB
zmiX?6gu6WLL#vH?&!_8%n(n#6D?l0g_ugedB?hwgSW4Z=w~S*N92{ry;CMJe^OrHw
zGZnoiy~)P3a}a#fhNj?k5=`ETn9>MC<Ilb^Tvjv)JQ_!)c69*lW-Bg+9HhLD=xNu6
zB}8D!+bWpUgiV&eiyX)1nx>v2XW%{g=1U^jj-6<ZRp!C_cby($<0Fz}%!q)3IK>fg
zE=#T=Pp1;5O1i0?;0q=lLJ=N39zro=_+K}9eYP0N{TOWy*(BU6gx{a!rs&YDOMa^)
zCO2xu8&CFez3jD2s)QD9_$n6$A(x;h=qVuvBA><Ccm)*0MLMf}EaT%Kc<v4_46z`Y
zf^5{6d3tf#b6vBp<@j!+n8C!Q3(6^xe9cxzf`e7)71H94zIh_|otnDWNXiJ7jMil1
zu^^x&R=A#L(Shh@<K?N0^ye!4v7mnPmnkce6dz8BD%T|F`-RzlXr)9PmEwGq&P|$B
ztRw5Q>$V;x<tEpIp4E}HP^0z^voYf9neg$%XEwzFYdxR)o<`PaXbg0z+J)U;Ca`v!
zgzF1rS%e&JwNEL7O}NM0TrleneylA0qmHHZvfZ@pXIIIr+0Uh=awA#WwNmaHln?Kg
z%91iX+A-JS`=GS1uKoGVz*`dau}HmP`{=z{_P!`~-XRDj&SVElh=-4BHJ{WjKD2G8
z<GkilvF2h>%=@6HqggLW-|@yXn48?ioNz+5d>I2xzDR_w#L?W);pmtjomX*9`2}8V
zM_8ryBo&J+)IW?;&)YbDpgJS;*xt>k&7|oIOnCS3ch!HrD=0qK_S?@u)qbZtUv3Fh
z#uTPdtsaN&=zz%?(7W-D$qmcS$<ir^gzQUg<iR}{mUl#DaS(h&1>AE~?I|t=pVKEk
zr5JMJ#>uGwOZKZ?i?`ckK|z{re$g<$j{X!CDuhu<$I-ckyqym?BA7qQ-=TL)Ix1gg
zu=f+6kh?G_LX6$Rmg0Wzm=N35l8ORDbAsrRMt}mox{mr>Y-xi7i2`W|J}rV^B5{SB
z;>dpw7tOXP`q6}*BFfd;eHgX55ECZ8JmHyH?J>GSiH^L}qSmTqB5NbU9j})M!NLTY
zlAo<rKCElSMfgqfOiZb5RPAx1^Xujo@1?P+sHh&vHTmcYP!D(N?h2S6%*rUnMvpcB
z^eXC?`p?Hrg3(t(&^FofyjjDkt`0Wcwh!rwjfP2cCoBH;!j$+6QnWDoiY~lE1G;?1
z9a@Wm23)U8E#22Zeb_8XXPpZvyx9(mLz^~uTYmQAFF@Pn-Vw*+c)J1t<ZR{s5$=_f
z(#<QFOs3f%hR4{8d0wjX(D!`)G?0*-8BEGWAd#yl{i(Q%XJ|Dy!JARLKkb&z{Co7r
zR%)9+A22`IXnvTYz{XqE8`k8cOghow+32G$t+gD<&f98oV=(e216(l?d}3ChNDP4e
zCrsS?){+?4RDQgU8290xS_zI;PR)Y1_a9&$7;<rl-JlXNP`Qcv+l^z9T<5e0w|L@N
zVJhm3Q>tys<sWk2n&KQ^?L7WidatK#IoMJVtAm($(EG^ke&=!Q4Q^FQS66h|l8>a0
ztV}=9WOQu=^q<$>pR)e<(+Ep%OA&K*WlYMX6DcI%;BqgZe61*$L5XwDD{+i67o6j(
z5E}m>q9<f9AuFKY1Km?116S;!mu0U4JDf?oQkrXBINR#%Na>tVPaYngdKL|F$Z!wk
zg!pSMyqf=~b61%uTlzUG|Bvws5#4_O;qrvJ6f?e!1f;Y=6hZLNuQ0>D`xlgu-hJcd
zb-CnqgO9ZtnWS&e{v2J*;47QeYN@ttsD=y6awyZ8Q&l-(O@^fk!6(LX;-aNDT=AZ3
z+`I?b_@pz@$0Td2HmD+eR+NCIldq4JceqWh>*)!#AYX<bc=s0iWN_=)O03CC*g~xP
zHULEfdpyD^{_9x^*lq==t-jq~m=Xd6|3qpk-(QL{ZakrUPDgPx&E&vP*ElX56b`4M
zWP7Z12{MpGwOhCrg9dM$O<00&_{}HP)P%O<7p>tdhoARD<s@3WMZBlJ&*xz_w}Q6b
z)$8{gb_Uh$=FdV^QNJR#`=c)5$b}(-&2zU^x|y2*Ol<}6nUtDZ<wbFy%`GJd^Ls=a
z8Zy(_+N=1PF0mJL$B*-ldR$x#x^Hf~_}bxIaB%$ql_l!dbSNm&!~EQ6sHqS9@0bvR
zbw^m~l{YR~MjG|VLRST6=!*Y&-RWY4?GS%;w~{R#u270jtG#Nolx2I1jl^cp(IA@j
zv};Ev=vA|B(q0jBH~nefd&kIx46bLGYcJKu`geg?*{@CWR<fmv5fX(7K+2XbG^^e{
zj2gF1yg-4$o)q&IckzN`tM(NRShHN*qk%nsD2I}Pd~zBbPT8Q^Il@zBT~RVV)qKP)
zO>uY0#?`>cUH%^tAc*#BCJe=Lea(f*r$gkOHav|X_*x+-R5VpS6^}MM3Kf|rRkmQ9
zV{g3^+>Sx|4KD}>%cli62t|RA927M5W#;Q;no9Jqrk*|WQVD74*rKnR!#HCLy!ksI
z$4g$gLdEUoT^*jNHE~f!Pp~Y4^$ZoXQ*=AXCS)I~E6dsn<hP?5S7$!8eFv2QzuhB)
zfUvrIujZzwKLr0xc@-`__BS<>aKfV*Dcy5#tw$YVO>N@FnS{a2=-GlBeZy?Tv6Zlm
zZ@Vqmh8zCtkZqC?6m4uC0or)<c;u5HH=mVF-D;1F7rD2$e<Wdx7kRF3)h`8?iM&F{
zaKkqLqj}0^t@(d_;5Ou_9Zh|f%myviZMF}KOha~3mQOWTf4Ch{V8V2&;GrlMAD?FM
z-+q)KENT#-LMZ&l1M2)PY?f=W#PBgnKt@t)B?Ew#MwcQhzeIe{1oVirG=WcvtI4!v
z)UQ{f*drp8H%&1UJvukDV{ULcAlD42B2*_3aDcmLKh*l~g>yz!BdiGz%FrlxP;q4@
z=xM}qkXe_Dqzrp4|9-Uc_k|)*z4&r96=GrI_+MsL7aRNmN{Hc)^*^7ipU^H$4puc6
z*8uvq$2n<fhhI}!TbV50_~9=HEr;)?0LR6z2<ERpo;Hz@2NeNMe>4PcA|Bn(?ft$T
z(UnPK2>G`)5c*R1qjBIYhWnxG|J=sC`~Mk={kMS(vHje@zrV89y8r+Ba6ymn>>R@L
zk$;4D5k!K6=o%~2r`IB>EIdn607y*vW3&K}0J;8DJnsQ|e&ORV97KMl|NJW(>4wt-
z)<%c&);uW?50(GJjI}zJTLSF=_;nBk^kZMS)0kX&?2m|J1x5a_jyt2MtCNi$J#yy2
zv_#GF4l*;xbk&P7J<9B=J}A2HJg}bv{AJl&88UJG4<F^FrktRrv^k1~BhQGF+)lpH
zBY?F5^q~G-<XEE%xsP%gueZhRD#Z*vi#Dt;RjfJfvB2NW>^f(r=pHKrI2-<)V4@yW
z#;2VGiT7@J-_rb9#XIuare@4ZYF;XU*1IwM*>YmTdE3iN;%p2ST4XWBbb{HX1vht5
zeoP+{wSos}+dqe96e29k#?zVv)Iu~u$jhwkx@pZ`2oGJ%J6>^xQVCA1DF6xm>AD=5
zD3)&}dm*}EMT`mMLcHxAmR?3p=Nqs+QU>fHQm0l-`!2Bv?JAi1F06FfCG5xYe+`-<
zWc}3W?=uHk*T;mUN*5Gd$mL=zNco8M+{z?3(S^Yw{+`~$&0?iCb8KfU8%hJ_?It}W
z)iOs8{W-Slj4>Z|N7>2!^v^H8DY+9`40W^UkQo$LI9r}Ej!sHRvJ*dPkMqo&tYwbZ
zhRzHQ!E}_3d*54ogr%g<mA1$r(vSWzTeesSLhZIFi4}gdbkZ47gcQErsB%3J{>8Jf
z+=n@R`5Y#EA}ZOr&Ocb5hnk3da=&C0ou2%zN%J-(X=6rS>4UN3#e}YwL9+fzk1|^=
z{hyX)oF~LL-A#@4RwV6Sud%YJyzY5m`1Xyzy`aUZ1nK*7RwILM*z<8=Rfg@WCa>wb
zi}l;j*$3V)`Zlo;b5Z6l?qqSmfMR$jS!|>#6wRh^{$fN6wLCmNvE2qC4&Iu8zR3;b
zJbrB!l?O-(9iEZH6j#wVC9XF^zxiBSxc2aZ?^S(wkm7Y&is#KsyEo3xBL);6;Xb)u
zH9V{Nhf>*LQP)?WbBX<J@KnWGFD5%Q>Z-Tn!Nqy2CtOjtO*YDN1tz?@?p04%)#)d^
zx<2L5n)J1m#aFvt5_9<+F=r@qPc&()KaMN-dTX@FjMt*t^jzPZXkCxG%Hroxx0<gC
z!dY7TS)2V%+5*8I1Nzc=(~Jgjzxy?gaq=i>hG25_f%DgE#LUs2cO!xlEL_MEP&fIU
zWPJJcvRP8-0eAa`XI>AAs4>P_I@`C(l<|R>2kbg+^V5mZ`O|M=bloReB*(aUlKOjl
z3#h%LXM#eG&#H!v%xHzMRA+cB&bRf3NP(3nmGJX?>XQ*?4TrjK2f&X$(nO~k;e6x&
E0M?&=I{*Lx

literal 0
HcmV?d00001

diff --git a/docs-fumadocs/public/screenshots/iam_workspaces.png b/docs-fumadocs/public/screenshots/iam_workspaces.png
new file mode 100644
index 0000000000000000000000000000000000000000..43ecfb19822aa2afd01b4c3821ad4ca1701da75d
GIT binary patch
literal 49075
zcmdRVXH-+$x3A?WHuP8!sS%}DDWM7oNbiBrLqvK)krH~q3QCn4dT&V}p@kL!6#?lT
zB%!F(geD~*gz`B5>$&fKf8&05Ym7aTmF&ItoO}IdpZlGWfhOZ6)=Q^OonqA1dJH;s
z>U`>{Q)ePCoIm+RV8?=d@^RV+q^Wue*T+sdnf&FfqOWr5RAt=d1G{r4^NY{4EPYO$
z;)wX?I2|{?;dts)i<b6d71IFQm8rl?gZbl*jXH7rGRdmgXdpZqse9!Ozs?VHE-sM^
z#`*dA7xK6#y3A5i#H*rt3hwCcAlW2dv9Mfm3b$OFSepUtBKs$I(`dEZMYjDNv!SUz
zka4-iMx0O9R>xjFF0msi)#3ID75_Ef>x#Dj_3z}=U4_3+Sot%)-#VlB@Ap&BE}iE6
z?}_Z2Q#b#6lBxRq;(t#JxIX^h)k^+;a^~NEo|{~FaQffLM}hzM+xYUOKJ}gVF3i_&
zzw+<8&%*#`^y&nHIs$-bl8sV~6*g#eEJ)!&yTyMK^&L7N26%EQT{wq#bvUdEMfp(K
zqqzJs1?dEx(Go#==Ece;HAH-|a<YOnw3`b3yYjQ;&D0x-J?)R3Gmq_Z<wKFYih09)
z@|(sc^m`MR*#+?CXNKyqE!ZixVC)BE+Ht&4SkLHd+7DOqyuy{ifexK-$@RGtStNLm
z9g%x?&B`YziPciZN2z_vX=v}c099rPs`+%~tS;v!<>=i4a>#6cYBj+V{JLddQBsq*
zI?TDkbqo#0VvwvJ6SamU_(xXyEq}zJQ*yghtzq}lc62s%6IrNcH7>v=)jrO3@vCZ~
zG!h6o9Y(Hg8r{emA1zL@7x=@>u}GcrD}kLz++!Q9<HIPYjxP+JBSVfyt}XMQ+G~@+
zyVn}Y=UR12JIX$}e&U&@-tkY=&d{hePdwdy<r9x~<Y2s`+GyeOy(|N1hpCraEutpR
z4`tuh=L*qLu)vB+ZjWS2dS2LlRjFW)+-UPLl}*v!W9oammdlNqF2WZa+6sr^LpgT3
zDEASHtUb%WL;>pnPxj-s+>~^PhU)|IO&LrfLDkJJ%XY$>EjJ%(u8a9(Hrz9B^(|^m
z1g<csv6N&D46Pg9xyb_=NJvgAnvI>Pc%*wj`W;2@ba%~N@`YRfZe1VokZ05BI43>C
ziTUx8gvs?`30#w7q-@?t=(vl?5@Vn#3{$&G!nCQa83@NagM5FfxbNTBBCC3833BCJ
zT^&Jd>n9642nz{FKPF2@@XL$jm8JWZp%XfJv!<KC<fAJ?*GEk=G}AHeiCy0Qz4hx9
zS|aVJ>#}Pnk3!tgm#aKH+VgC+$#EzL`D)!4e4d5t*0^l>F@gAQd#U)?wXs0@spsxt
z1#fR&`i2T+N52grN%#5%D$Ekl@=ud%uVRE(bA)r8nJJMX1*_ay88gNc?1I6chDQsh
zCVN`4=BFW{d>ZIC$YZDWTLr`PTA0aq(X7a1Q%tdZExhFRHPo{Y(rFLWGY4v8*qEM4
zfk4;6a4J^XeHo3>yeiT->cgAiJO5kMeX6os;`U|5!rLMlrH)(af@!@1`q%kt+&etn
zrw|(Ag84B04C>%*{dp6?jI0$mRx4}8!x%JZuP$_O%^${^$fFMXR9#Lx3bk(>aXd2a
zb%W~>Chd>lXME?XOfi1e2sckOG-cLCZt5(tMr7%=DcM{ky{=|*YvNtZNPO>UD^6bx
z@i&~Hs9KTHN^Qpmq6Ss#qY6>n?D43T3>ZAy<QX|gL7uj1-h3@e&c5CY#}pE^OJ3Dd
zlORC%-Dl@3<K?S@3(kz?3^;afeh4ZnVm06Wy3N_(Eo($<9ja4=TaaA;*#HGU*J0z%
zjykkeO^+<EKFZLATsuW-T(0_%E<IY%o6*%FR9*ee%X`wvQhByPk|iny&X)f?uA}?7
zN`z3>7>zXN(6v1B7^*B5HkA4oy*&QP9~~|Yz8r@R(!(4wc}zAdjW@%Na;>g@Rr+|V
zDJ=ecvyx@TknJ;)kNN0Y;+%4GxelqtMv-`;bNH5htyDFU8*odJRcZ6!7~RheW1~hb
zmO=Ozh#li_q-0f7ZhzHb!$XZY<#a6hnmFa%G#<Vj%f-@cU9&s8K&|<Rvw3AKzX{)U
zgRZbHk1Z@Ct%fEbI?@9BB*vohgaxa|JW=z%KniRu)P;{~$gs)0i@h-vX>pPQU6FPu
z%&+*}v7b=2-)~(e9_J__DSXe!(;t8?a+b)+{|_TMWC&PNN@USzClv^V*7V<5ikeo2
zC_+=QO=;OxuSt68c%CUC1>O$!p)bv6rQ8h{kfxiJhI7jJD2&q$_6ijExj^?_+b<Fb
zn1pRGV`rD}M_&;w`^KxoD_4*d90uPvf+{L5HF27KnCMk3n&YD1Fi+hc&D)mBIFE<-
z?y8OOx6VsZwqM#&H@$er3zP88ztK^(iqfW(UOZY{rKL2iZTsn9n4VclXqxcel9lBl
zbC@7LE*KU)l@P<Se^(B4y1>@B#gWVJouAGgtY`8a)ic<@f(5TTdVN^xNxy7U){nHs
z6GB4KK)~-VllV=*r2g5n(T;@)aZT8B(A~bmI1l$pr?Q!cj0(~cTR#4og)=Q{sXM~G
z&)g-KN_iIf&@tkFblJz2=_$xPF}cUpM5RR6XW9w41Mz9``lNSDALC)0Zf2i&EN%6~
z*aUN&B?Bv0?mqHV&d@$NE8&_esrpcgUM4=f2H)6>imfJm4jVa8+_{*tz9bB#-pO40
zR;OEgqJagWZQ=u!uHl3@o2hwA%xfJ|Xx(+2E{nR_^as;N<;dvU2kZ`Y?qV7l;YtMt
zmQ4>(h%2;Ejk9MNKcz`Vjo>;5gkR}a#o({Zq;^fop_<36R-M?+Fgi1%$<>zUP}~Bb
z42|ZerOW4f*9IlKzb9}*_Ga%RSUDYJ$bH(yj#huauLPB#gnOjwlT`HHpWnaQ!(Gqa
zeMo~SBeG!1!J-UD07p)ngu+9gQFKTCmFg*j{!ncZ$;+bJL-Ti=rheRa+%0^2l^xC7
z6f;f|Jb6w~_S}mTQ!|}h>4$F1Whb<a*!NVYMXSFW&biimvNjxg)ilxY5J;aGOFJLH
zP3Zz8j-n$fMe4*o7!AUv#g=^-qD`ZAUsfICnEy!R<m##6WN7<|y|u^Oe0oOeSMsS2
z=5-vWAO&p3qswv>eEg%6x~J}UJgk&O40bx5e3MmD=~qrzrBzeJd8rD+w}V4a{|P>=
zj6;r=g4t;ZQo(8L{Hrm~r6#H$`9%4;K6;LG*tv0Jwt960L~kUxmvBNza(ynpc2Qwv
z$d~HdU2!AB%3I7+vG?YWyDGLl8F_LBzSt%rz8DFbMDSsUODLaW_4+BsV-m$zAVG80
zr_)_zLU%<|XP+7LpKk)%jqx+O!vSBTl8&F_htDbm--f+BRQzsie%N6+{JM@L-(wNE
z6J~fb=7l=nUu6?iS-(Vo*Q1rmb8mJG4z-RZI`kYQ=8f)}aHfe)6rY$(zaohH{R3KP
zZMB1N_h-jIPhP;#m%Q-B$LGZ*90N~LzA~Scc!-_UwQPS=qQ-VYvrgY(a@Nv0fTOJW
z`3OFEK4jpRU%PvXjU;qaY=3cMf5@Zw-)HTxAbLL4z-4+o{L#AzeEUJY<zgQI{DsoH
z$(A(XZ$FfE<ku)Y!8gK^U(V;Z^mUC<zREx1Wy>nRA#r6(a>0T1YsJPkM^Sl69Cea{
zjFfHCu}^1vY0CDpMn6GtXKZXslR!V)u@63c^6K6{3-9$bL+#%$+b0>tHODeY9)8E`
zyQ<txJP7m7BpNq|p`yF<96#UU{P`Qnr#;A~fl&t>_c#YlzSLJ1^9k6PDfY2$V1{9F
ztE)GdN}oTPB_G~Q2MP>`qx=4LS9GUj_^?HM?cnl36^m5<#ie)JM@nQ;3IDn=<iv{L
zxfG=EQL{Jf1~1>X=umI>*^jm;^3jyBXdk&a+srJr3b!8Ec)7FoEE7#@GhD}bcB}<?
z9trNzs@QakAtb-{&BZ+=1IK>JY~dd3Ft&WZSyJDc*}pFM6QIDISd|m_)RfRT^^H_<
zSMd~I=dFq!QT_=t_bOI=<%@K}$G_`Kzo~B>eRHPt-^5A?H>6bGfQkDh_hrrG`EY3>
zJZ6b7ySEO1x#@>VXWB}1c+V6G<lP4J495>^GI@pO#2)-^v=f$<I4Atx>rMM+zv1xM
z&9Tbu4nAtCU4xv$$t|Q?mF_sR7%uKuwX6Sn2M)r=LTb+dH^?hzp7M-%bqQu&mczV#
zk0i+#mACqIwL1?y<dBO;u$?_qXLa0|<&}}vMJ2jK+*9>in%pb6WIHnTtCx70R5LmR
zn5Q4-zuh|VO_hww(^+piP{<cjI?n!=tR7Xb**+Htsgsub>vR`vX()|4^WpV;QDg8$
z!X0t3j7Poa-1l3LiaaeD4_6Qo>y&`nFtxLsRYLiX+{x}O?s(jE#?xIz&fPAmvU>%q
zT#{Vg@PtSK0#)z7f@{7i_Wf+lh;%TQANGv&x5d%X=h+hs3l0#8ve<Pak={bZK@|Yn
zQHID<-zN;J<6WJ%rz6rch!ZN6FRZA)^mA*eq%lYWQQpt{L&fRtGwi6Ht_Mm~*k^yr
z_;}O)vQ?u~`a-YHG4kMTgkD0eJ0fIaZ5p27R9mO<w~gY6*FnhM#Hx&^88aB@=-mgx
zFGr~)55Ibd<D|;gN6hZx-BdJ_!40fCEH8rSZ#u0i?mr&nMYjdOpD!O6t7k%s^2WR@
zn-gXw-kiP<9ZUuIQGBDdVM<*$+z3atS0zG-0(@D-Z!sBa>5hyawd1WCKjPv@{-E))
zGs47IS9JRcqdmZ!(pj~!v&@(>&T1#u(mJ)g6<~l`^?va#HkdY@PE&z&NJOZXch9k`
z`=AeUEjO2EM&u<sAUqk@;%CM!mG~v183<X0F(xDojH|ntt_G3vq%4QujpVQg)F92F
zr1nJN{>Z#n3MACPp0b~_#X^63(>Ql;aC4R8P70QYQBv05S~>f^Dg^Gn@U~dcQp?rd
zMt*ESlTXZ|&&zsN`u?tMfz+q945#e4m?7ryeGWNT%=<ra<D=Ur(4fqDb=*})$5NLb
zTz-`BaAf{m2Xh^zZ>geH!jM_2+{8UFx$ao8;9dA`?&AF_EAL+G`KBw{wvN@IlmkO=
zcZ~Ty3ZZq$!Zq#1GsjVh2-M74Q+O%9l0)PA5!Knks^Va)iNo1zCC80XLLEja?Ihjy
zQZX-Uk;gZs+DWTB>Aiqo5nCXm3s#Fl$p+r_RSGHan5ion(X$0;Ru&St%D@`2;<5|3
zHCt=U9S-lO*SLWC#q*3D2^BN=0(?m1$;Nm4jP}_*98DRwA4ZUxqeYhzXmltCbZzay
zO`f3RdrikbB{8;yTEX8t!{q8$z9iXKIQ?rh!uoEiTDl@8$7;-jACKuTC4W^XB~j|)
zyg!YaLxKwd2M2Cp?z$<rKA2YTlrS%EsxC;na8p7m?05~xek{)P`Z3dSPJ_Q%1XFr{
zAuAH*t0Ik9*0-vtLtOT!Myu`l5aPT#Al}(L{Y5>JbxC57>|X`Lj!UmT#$%qaGvisB
zPcgCM%9JjfD<#&Zh%E+$VYL-Ip1&_lXfBs1)UH$Zi17w1|FO4UKTTbJz@qp)ZKDX!
zJrCra%wGCt9b$Q`Y({VfbWE7O&?QLS1HnV9piUKK=RZu2cqsU2Hv8LnmmTCnYl6Fo
z>C964kZ6_SpsDSntHc`WI!x8s{xz3myj63L*Me453hkDU9LQW$ld9vUPjK<b3D)W!
zcVs%~b_$t$>73Wo%<WV1g`anD-+9)U)N}wL2srZJ>-6<QrG!cwiNKW#c2`kDKIPbp
zD!Nh&m3k>@l5bqdRVO}xg&J@#!2IgW-(5BZoMOcc+WIH)<HwUA^~{j-c)h=Q+?Z>d
z&w?@c@cL#w(J3WJCZN>CskI-NBhI6n7RTT}-``f1(BLF7HAL$&o9>|^u`BH&|9T<k
z{KY=bx&D40@@qq{h3>=CW0xhRkiF?E`^b^;5K$ew(tETxzN~bZ^V=4(9ogz1b=7rm
z+(&B0gEx|O+gLfmGtYq+q`5;DlQXkaY_xKIeG86FQ*gpWAfI#d4y{>>a8f0PM4!ZG
zy^XPg0a6ocR%drMT}Md!@bx?O2{ry`$oKoLzh&)HU&J%{2j246lS7Vqy(0*-^zRKU
zTP1eh@jmD^ff6qQvSWhbozuum)3Sz=%1h<ai0Hxhe~Scc-0$#w!Gy&gMM*DD4uUr`
zc5wT3<wAyP6|)B~LxY0nMgG#n`i~0v+24Ee=|N0d)-+&EQQnc>ggcWRz7MDtfh;bC
zScuZUxwg{}USB<SY;k9@gNTa0ik|)P6`D2zl(SisuoMNQ(NsFL)1uF|u758LTO+Ia
zKbica0zPK>?Vi!QHg0k`;`OPRG>)I|^Hc94AC6WugVR}IlS82jk2ODUq8-pTC@mwG
zNllBnQ|mohIp8OJg6$qoT_Rokch;ywb;Q=Fxh7>{p9_t?D`cM5A$yjzTRx+q3Luo|
zgnQ6$YShdk+Ebk<m9fwYtaV>=GPbd-(+G}vCwI{nQ}k)9MKU_>k;u%G85!|S0Bjdh
zdSWRgCA4^x-y5Foxcf6c=M4KRRKy}C@i0_>-*qQVuP>1I@!}RarUb-O_>8{cYeYP5
zv=d-s%XdHh;?ji+rjI_Fxf4x69P}0}58RLc=NCc!XQ}0m^xLT?F|8Z@FTrQaOvxTI
z*7gfx#=p=fCU?wB+UlbjeFD}1HiHCzLlT|C-b)v?p}Szuk+!@#W0+;x;+Kmq`K^eG
zkOKJ1HOm+>+3`a^&#|@-<EN!N?&-38Q5z{<4>PmnA*aKs*+(9cw;isxbPq5@^zrAX
z9@c*?DYcKC{rT+iZ3ZHnhx6n#lXzsKb?cv`-ACl?+PTzA1h9Doi`)>UKPTRBywmFM
zze}G3c(KE?XXkU~qjdZcE0befj>F$k+kTJUI$o@O5=L7dF*!VcMgJJdmVc%pDsC>)
z%c(Va;y&=1-}5tP&LF-V1*=Xxqu%Kyx;!$gzB)<7dUi}o;mTNn{=b*vZhufRy?j-(
zD@j;DTBBrlb!bnPcuzVk$LLwgc<b~z5okL2$pZ!E8iyiUunbGPX7m9xSljdX$;Ecz
zJ4XrU_e;W<sXAZI0bQp}*AhbH{e3eXnI1y2_VrL<k8;l(lwhsnC?t5@4AXccY|F@L
z@yf_Y1AxHYZ&hV8lpIa!hVyFs@bkQMrWFsy{j33DdgacLmi{--)iPB_aP!Mqgn?G&
zL9j#K;l@5C8GqICWiD<_5L#I_+moc{^m|^TGZw=5Nghj89Jyb@;)x)kOIlN-;*a5R
z==lNl&1)Buj#uJg6CPEwGSAmaqjwu#mS9h;7VDN;?wK<wu6pCnCn3c0Jd<QJgUR##
z(ct!=oO3Qa1I{CxlCAzJD=hT8A-G1GWug0z_(t!&m$mvFxhYMn_*u<M(Gq<&#3&E=
z<n+aM%cm!PX?cA5DxmcF^P7!NbN)#|pN#Ly|Lo`-PV^PDzhaV<tQfU@^gNF$1B>5r
z+PEIXw%fN3)8n8g{Vl@rEBa(F{Qv?V?T&9y6)?e~PQT}DJI^CHmUGze9rtTk*?#9F
z^nXqF=_o~q;vJP{3qy`YCqxlWcw_Tc34ieyK`kb5aH);8EieP?xZXfYvYg3*6nkW~
z!>tWeioegNduF`j)`nrz_+kZrhP2N#;5l9~m^ahv`W}0kqm0+PI=EyW>uOrszHd3M
zwyU+y@~35sd^9^`)DM{6$j}&6@c};jXhdU^A2&Loa8nxqPL@z!v<#!coh`@k^S@4Y
zpyoNJfW;`<!#5-<Q-n|Uz>0H5H`XtB&(ys%yL-iuioK0+xR||7{rSrsJzO1(37TIx
zQKU9ZL3FZ+AwR+8sA4MRrVhgNn%V>N1XkLEzicJICTBHR&pec%)Eql7vOh3At1Q`b
zm3Vnlp*b(F{UdcAlCB6V-DkXmp9rqHDyp4;*&PgS=PjIaz7K4ld5|Jeing2Oz?=9E
zI3VC2mefkJdH569){h{vT{~&Yk8O4*mOrmOhEX>z`{F=qp4zDAM^z5Lo<9Ql3*g0k
zRxg2iWiUbe#LM;INH#)=Hn%@ka2ySDz1`g)$DbDqrMs%y+wZ$$rZsOiPA)`Q@x>W$
z?ln_g^h_a)ORk5pAdi!vjOQd;FYU@TH33$w&s2AhtZu~B2xQzHj!*WR0VNdfWQ|n5
zN2<#2)@HGj?Jo^@lk3t1cT#5JrhKlxOrqxV=muk9R?mAO?!0~D%*}E%ERhu{1(hU|
zdZjyQatbh~@BBcCOdq|otsmZ}UT*wZVU_;R84p(#%-7<O`M`E~JbQr<ijiaTJEWxj
z-F<&V;3rvFI!3c&lB2(Ri*Iw;dLq@Wq)J{X1#;x>U5?%j{ry;^D(%+XL~}VS%gy0{
z((W4e?3)OAOt)J57vKLZI-!IuWBq^w`uJ3v&U5&6&+hb<?vwZtoeTT_1^-jO*BgkZ
zd9}gB{*kr$f{}T<R<bs}n6=R**~w4vXR62Cpy|!fnLMDqLRUv?{Ze8?S6vuH_ocLp
z?c!vUo_}lvNspX6RUL$FQ>)we8|}2e1;dJFF}kkOF%c*(5e6_6lK-8SQ>vLI+($7s
zhqQ|t|LP00+M)|~eC%`#qxA@WP5Pj#+tT#?{Ya%rcNuC{a0JA`sQW{NQR{f@z4Mka
z3Hj_DuP-`n<IY<0=tg;<eAU)Xg1B@mp(;qYb_a{{GV~7|qu|7(kMe+crz_EgIn}s_
zF=9Wbgs`*Ll7wJ7H$r@;0q#gUrd@N-N|=!2*^N+uecp^-EZe8vIOlor_%MUb>4jE8
zuzok<SM{~rsh4Ark@04oRU#G({F*Fzjc|vqTa2U}J@fCqysr*WPN;11A5nwMF(-A(
zJ`=&l0)z+GEFo3bZ~;=IuVdJx)<=s4DFbmQRSYG4BI=rP7W;l3Y&T7wT}uBj!@N)S
zwjveNkp#W9BJ(&V+I|DzeX=hGzkZGOAXARY(|^eQspNcb;g1s#?{w4q0Do%l%Oh>v
z1%1rpN#iM6z0<`P2jXOb{x!4y^z0~p!RTBePeAE<oPyL3zmz$Nwj~|krzEFlRi3%D
zw&?o|oe9xmRqGPN1g$pi?mh8@vG$Nn{sk_7KI&nA_Hf}+w@lJf58`)3+S7YXiNBP~
zpjFy~;~xAQDeGR=05TMHIeiM()c#Fm_1ixgZ7I=m)PhpIL7lwEA0hmH^|$j`y|07G
z=M?9+DyL+inE#Z3oRx#m{uWbM!`Cr$=*@_Znyt6YF4spx!aus}$6VZ3KdiPkyY>f$
z?~91dk2y2nhp28f6HZcORM{o<m%5MqbhH*xdvNsX?&t$rR-@1%*`kuK=6j5n-$?>+
zjmF-h_)oR*pYiOHWa=7Mak3iN?%9)|m%;vfS$B$VH&_KR{>DqV4i9vk7?J9@a7P@K
zfvtuR#yj)n-=f^yKUcE+6E%v~bE8jG_Ft&y><!pnzMG>3N#cr^5!0gw<`+f(^#E4y
ze)PqElhnMqOXeFniKBt5H%~dVwVFfSphXu~t1q8i3fpx(Nke;rd7fSVFXB$sz2Vth
zyFS?QszyXgTrp3}kw7aK_NS|!^1jW6zEAXbrH?`6nS``?=4Q#JA}5LdQPuX(f3AIQ
zt@1xhi+1lG{`uq7ssGgqWHFJ8N4rucAsSsj&fO*;xFZTJ`MPRFSjLFca<&X>HaHXS
zu$3QMB>sy6fPe7mV%-<}0l(N+^&U8B8Ha_S&3VsLtHftpz7JV7DSMQEj-k}ov8UtB
zZ?iuro;H4G_vzB4m#J}kbXb@2KznfS(YgDyRW5tMKOBBHXly!VqEm*0D&)Sws$OB?
zvZBK)@^Kx4gQ7rjX)9ynK^?vLq`%88;7<fM!g+eRW^8p5o)+YnONuAlVq;o-X2WB#
zQ|-X!>}IhGT(h?q_MEK6mbfdd+DO+TK?%1qI!E4pVXJLqBR}n}>#hIFEvA1J`DB?G
zO<Wi_k{a_KOEa&9C$x{P>AiesnWK>Lp=V#5=o@TFdvl2RiUIiega~vTeGMs-U%Rip
z2Wu%cwDrX0TP9U1d&KU(NJh#<$WJ}{Denvtty=_xGJWj1y6LU5v5e&QwC9$YGT5W{
zL%Z6`_V#S6eeqmk`eWmIRcvu-y;eO7&3_*1bGjv`$<u_1)KqvFe&oGa9LDG=3+?w$
zroA~rF(3_p6v~_|mRGBxM-}#Lb6qSOO!xb$Mqmq|Zsy5?ahxUZy<Y(j<vKm*P^3lU
zN8=_srB$D6jzK43*8w9?h+80}C_Ie4G=m9)t@?ZmRF$dYnV4-Oq1DU%2G3IPL+B?M
z?IA~TD-=|=F<QQ1)g5MZlS1-C9{q^BgtxGs-rypIp)+kc6tvuR?~r~am(h|`Q({Jb
zz3K%{H8zEfJvj$FvQlGfqkP?+rR_Dp+(d(oe$el4fAo1JRg08!UB803m=q!wzVxis
zHhpF%gd`65rl5A%q6=F0Y8{dG$_fvwH}*gX={mneH2q*pKk{~8%^8HM*cwvz0Su<4
zxDwIzOYv4sc^AdT&A8@A7{;0z1^8yXz2rldFoL@rMb||l7jcIPw}{rm8V9+^Ho@iV
zaW1PdVg;-+eb~*44eCxVA#S_@tupoU(hO66h~d>?=P5xUsNdok_#9HsR`R&EJ2)^&
zqec+-3t=x65|hDdic-DWR{BE$uuO=!?3A{4m)LwlGbHp~q9G`A5@xY4KI3y=s>npH
z8#fWd6g;t`nYq)?QQmKeO7uj#oXZj^HP?(WB0pu2+RECKx2&wyQRf7|)pSNmV9G!2
z_8FnF^o186u<t(82?RF>wFgbUU0Hu6b$yd<kD%JsK>7OaC3R!)f}-W`(q;}xC_U2D
zEbC1CzT}78pbrYFhC$sD((a4>-VYrHiy0)dcY~@oNp(O_vXBl}1P-&k)hfLENP1kM
z^>D)*8DUQq>6SJ5D$%t0!&nhG(TIE!YddKRRlW+#|HYUCpNy0Zl;O|&X3rJr{yUO(
z^z|Fy+QAT1A)|L}VBc<&{>x`|o29UFs#`#|S{haq9>R2gCQ_3rpeU0t6NTNSj~#XU
z34d#!z1=Wcj#FihrMfhm?Yo)EfcpR?f4B70J^}o8_30|C^bkb1BI6&C-)$ggeB#y?
zCD7&yoNK(TGl4%aW_#zl>maK&_ui2gTu8}&=|{bHVnUIr#fIy+eCL%G-J2r7J7p69
z#-X=yyp-zOT>A@)1qrG(zMHqfocrol(<2dyzF%s|4UVjJ#UC_!vkNb(op=4reBYGP
z=q?SeIpZvXvdu1}tT*Rf2j~xdKozN9u2bln45&bdAWSv$xdk4pC@7jLhVAeCNK78h
ztu11l6;sT^x7;bZj=wg%jSog|N3vK2^#x`Ajh=9ZertMI_aWpcz^w4dbNc~7gzL>Z
zsW@Ym!E#w%FYD&Lp_D;#12o8|kr1{JYgBFTQ?vAT{^JBq<!7zjJ}(-(pwC(SLQTVU
zXRajacel=}VV5JFsU+7@c?ncvy#Hg^j`jE2o!+ocHLfu0>VA>o`f>u$v5_$4Gh?(0
z>8?3iU+EK3KNL5dSs-+0OoOd<nqJ<xSL5UJA)7^9=YDwf(8?}ZfU<r;+p>t<-7Lnf
zJ+50yb|A|x7w0R7;St7iC$N><j))a>(UoI7=t+<vddfkXZ;5bB;Xdk!!Mcc^F589T
zK~3ICq6%eEsEzvS9I+?<HjX}kI}mWax$@z!-V=Pv8>mz-EDf0e;5(YHq<&3_r|-fp
zie!Dzi!JZ=_y?X>aDq#!Nd3dlK{3Vt;Jo=6_$XloSBDtyS-Td9wv=?8x!&EN>c?S9
zp`IJAGYl{FYa*q<>uRIJk%}4x&^jApt@GlNF45T_DC}D-M@d$7^9aeiNvbv&!PJF|
z`N42&`rA-gN~l0-(G1SSly|(xOZc@5Wo`=gVCS;_oy~9!!+om)3}B!x?6KCTZrTPX
zo$mCSbtMCzT)X%uIy^PG=%M_P8|_WL9Z7?_2Ie8xWXeSjlH|<|`e(u(STK^5(V$uu
zgFqpyd-qSuIa3?P<zi2BoRvXkrPt7mW{o7&M{#yGCB?i{{U)&bh@<(qbn~Q2w!QKa
zwhX`Qc5Zpei?W{$kn&k$@6A-ujPiS|!*JE5rM#ZIQ<sso-DQTWdoR|^y+mfYt;l_S
z*CW?yuiX8Ydr^L^bp5DVgxOHv;n-cR)%{pW{hwD|NUzVrr2V3^H)^>9W!&>VvpFpt
zHV84@qN1hob;;!!tTmo|>orFwD$<FQ6fDKvq4e#92_=1ieh!myS-D0SEt0i<zV=X)
zaQp~?2>mRii1xm`XXT84y{?QoQGTS+^4fhp&LU^dp0&xLPJ1rzD0z(fm`}e=l{L!b
z72&uPl}-@N1?R+#_b`!}Y|4_)*Ot3oly*q>;EQN}&pnFHQcA=bAx8OcmVB$vY>#YO
zp{rp;X3Xr;_dcPl8rMoa#@2A0G{quP9L9Yqj#Viz&5Yxn$*V;oT4ld6pg|T_)qG8Y
zALrC7TwUeX;l8|_mXgt5LLe1#j)q2j2m8%(MM*n;M@t(5wOgj&a3*_ZJ>XEff$F8z
zrU0h_X48zY<^3P8bWC6G00c_<@FQkr?(|$#I#AH1!B4~*+qg=ar-35Ok_pGTtKWAH
z?XLekZdjnIBNacI&A5>)$||#6lax$wM#H?Y-{ab=`d@#fA0i(sY>lGuw4)U698^2}
zbE54f<xr3|+Rh5tPXcU>3CeQG9|rz0=%;oY6mC2LRq~CtF6NE_w1?tj7{DcJLJ^L+
zoAb#xZn8s@_;`5~+?)mRNn%``UhVoIZ<3#qjLejt_raR>)0ggK{jTM_E*cD58%G;2
z%d%w~F#xjfycd+gl>EA{$%NpxP+uNR@gL@G{16=XIgTBS=8Z`fi;~s?DUo$OQQNti
z=}C9qXntGW`kt6B;hzw$Xse1E56wd<Tck<95|A#RHWL8Z$<$@i??wg9Hy?U{rn#ql
zWswOt$|VgYmhCgj`rSK)%m&vcmGrmuW^9A1s^$*o?i|VzT1Wxvu=&?@z>t{vqF^(M
ztM^jWio;m!cI8ts`qBGKm`}^lCA#?3T*2A>g{(T@>Z8o0mge)JTW@$DuHWbQZF?Be
zGZ-4NzBcD;vpA<q^pRA+@hIkq3^+~o1^q{5{7iBv^TZ^Hg?)0v*Cn+ba%nTAV=RAP
zUv2R-)r=f9Kf7MM88eB`ZHa?H-<{v=&DkR)a?k54I|YRmM$zf{xDuq0K!$YsPbPR>
z4k#gsUuOBxdBvItPnig)=~`Uitz!@((=^=)ft9FzshtP6|LB3|bPzAz(KE)77$pDU
zNlmjH$dDt1eG4XoEB{UqVtN{E%tnBOhB?&!g;Jpu!_1yV930go>w~^xW`>-;C&7%M
zZ;mancgY|JZLUpgHn*u#oRj|3TOmasLI8oL&2bMgUFLOgN~J7IGxa{$1LI^z2HK-C
zPH@SuxKwcd2c7Wi`A7w>$hX-2+s{1d-c=`=Z$cJOwUTCjkvmw=I15_`hU14Ct>&-M
zrpcP4tG#P5pWfPAIk!IeHN<|K_SSSqL7!Bm14U8xfDsQH>rZUbf|EP<6ekVUY;*AU
z1sdGL5J32id@xpZ$Tmsyu)!<?XL%$#n%jKI(-NCi+t}tYzKD+-$G|7D$O--wheAP_
z%1m;dO`-JRow9HDK3U0oN2eS?Y(@c;vg^o<rJ<vONRS!D?>`7oHd}F=0W?;s=UmIq
z%M#?v;R|-1^JycjKY9DKu6IC4(odHOww#7ypd9M}MwKFfRBzcek?x=MJl0=j+#6)A
z8-&}{Zo7B!YcC&+QL1P`eA!!xGe=aInGA8+{b9JV<DN9J^y40JZmhm}^F(n{)m;`7
z4nbK#U8s4&<>AEg6%^UWw4wWszH7)Mfc}-5=>8Sb9ip}F_(aNz9_VXi3<=uO%sSVb
z@992X=4%2Js@KHskY0Luk>rpS(@=kK5$nkK*-v&|<{cyeV$ydctok!V;vw?iIHfu1
zpMFwl-UZT(5O7Y&^-E#j<`}q~?hw60NG}{Lzr?!v^VY!@YCpjJ^`+ZhiI>L4s|f~z
z6<?p|hZ+3i+HH>oAgV<a3I5@YD{l9WRrCwLilpzLbNtdTVV>BcCnaOROY{qSqAZ0@
z38L%i1zy#$)S&p6-abOOW4Nu+jE2Q-3}ed7_!dDz&)Xy+K}Tk6$-faB#H)+ouzX+v
zh(L@T#E~$ih3_5j0}p(OHSPl1T+7WPvMm?Txwn`X^Q6@@mw-7hV`<5G(9h<u-%Dp<
z5B!pXk}izZ*)O=5*r+h+y*2q^=IQden}Bf82s;N}!G*NoM}BY%i1z6dasY*ctL5FH
zj%0?EW{zDtxS>H?Thx~N@Y(xDuvjX6r{g@FGQwho=+i&9rTZqMHnG3bJ?LYQzNlwf
zUR=r>{=r^-ZEajo;X0Z1TTOk^R0C7VcP7d0`S1%ojoRAUZM3-xJF0P0?$fw~+})DZ
zvEG*+kx@dqCuCEAIc38f4&%)2%efaKDw9_&Dp6`-uRVX;01n+a7|^!V!=n>_gja8w
zHw>-rJY{O+1#0WtpPQ=PRC;1w^6kkUQc*LsB)QXzV_A@8?UhtolJ2EJ3|g{gBxp^x
zpO=+pEVg$`g8hER#(UR{m6Xuxtlgjp(xnY@fv#wH@ZF5%tU!eo_8h$JtQe+4reM2p
zeqmS$5WaNmMo!4TdXO9E^sPPo@G!no*{^R2pVjLGcPWrv%@ntqDaAH({wno2?=+-=
zN@m>zM`ybR*y`4O(Gmzh>b4WMXrI+t)kP#)gAy*uEMW!@Il<@;V;i-1Eo7!9lajcB
zD@v+r))Qik|1@F$Gj{Rh%MT9mMce|?27;zvJod^Vk|U0W(qh%?DipCVF>=3Uw4-Cp
zKuU&8I&3&QtNk^%c{V3z;YMf2D{}`zvVVR4*Ge@YI#RyUbF@h1VhnNPLq21OWzgrj
zItdF#>Zo+eUq_3d&nlT5%aNHJAx}m9)^*Bt%gWCm7eD{kjsLFv<LK&x`7qPgX*~YD
z*z{P`;mlYRzJH*z{gqVNxf!`nO(ovr*MlTyG-&HG7Wi#IS!hc=rS}>UTUB}YKg|5Y
zPdz>Of22DOX4lqP{%<q(?~d#Li=EZ~-79_Sf3<=8|G(St{7FhenD673zE(a->qWb|
z?oDo@?Os`J@`JwQ37?vb-LeZ?*83_qiltX@@>5-V{!P<Op7VeB@s`hQIIlrk`RzDq
zGh5X5MNp;JhP>ZFjZ%o`d$qtxWzhq1({V$*QS(b4aMhqfP_Bl5mi4$M58D;vPeY8+
zZ7+zt0s@xwYn;Pl97HCc*<u}(aNgFBuoJh4Y1^gxd{Dgxc)l~Sqn_;#kiK8-r2mKj
z#EA1w$9^Bqi)?1Wavty2cuYrwf2f`V7e3=sTp;T$%Xk<UoLB0~nVG65H;L?&njKa_
z(O_(8VTSnD?Mce);aSnYVvL^l1cF_Z4fk|Mh8hTB-PPWF4b0_*Tg&^H@2`53@LHC$
z9><wq_@_R^-$fnlS?-EUqAxbGAWhJFo82^}IO6L}#$o2+78AW5MgnZ`v6$~_VR6hd
zy6t{Ul8cV%cL13XxGV}RGuPeQoR?fXiqmeqUM@S2B4WiCXXaam4F2#GyY`#-d&IQ6
zD!}|6p3<+#Aks3$z@sf1xXBL$?%pg;z^x1!N;VI5%$87RHzc=LixV5;o2k>vi|bET
z<!_e_n@6)W_&Qb>#~mAFxYK9WHjWrPUYCK<?XAfz0s4Vvfo5%-YegA$8Q{XF!A!dp
z?9y;|4Dk;4(mGU#vJ?)XXfrP^eaY0hG|d#B;_GAX&tbWpj4MWUWhJ)yI{kP6kuIJo
zxOYa7^7XSe3puS(*SQ&6cvGQ|#mA$+NKT$uK{#r5=&3)pX$%2h8!yFtIva#lX(DxH
z$l$rrk6s*Xx(_~HzXr(t5D2-&;WJ#1E%-%Cmk-UW?I`5qIC8}(W!Hehii$EvHnmL%
zzaDu9<=Hgk##B2mVSAaQS$2zsGJwbf)8%SE3@?%hBI4$Xdv`4r{wTOf@e>?6m{dI$
zN5GC#<q2VW9OSx`vTiGpJ=db06$LlpY?XsN9@edSX^7yAUXyJY81Ikfs)KX`*RYQ!
zrsMgh-i|RQCf#By4<Hi<M*f<5`)(|T?P5X#6TlwDr#rz`E0tKDSvZ%`c-_ZD`zqa9
zam0ANX<XAVsAN57CyJmDu-UsUwd|DuDk@BMX`6gII?4~vp4xC5iiPVK>MDm9amYON
z5bPAC=ggTEX8yz%LS;-wpxz>;Rtc6H@tVo_3W&W#GL*9j#y`IzKk*YLqZS5!8uI!^
z-@0iew}6T<SBp+tI=bGy?u5AL$bsHc{)v_~gSYPn^b?cV+46orCSIY3kd@vUr`Uht
zw&=Ilt)3%y@!olbs`csM=2yQM8Rz}b+}rIn&&*M}rDbed;1st2kV_S9d=qi_+CJ#>
zk!xe1q^f{ltC$S(`!iANVEff;38HF&8Nz*u>~J}=NCCm7@-!Mn`HP#hP#f#lJ{=eg
z)3d<-a$<T~Fe^YMB9^>QDZL6X9Ee$VMjUv;hbEqIG}~%10d#V*6Dduw<AaJYKiRpG
z^+ey+H8}^z;B2{vnpdhqLOa(cP!m3%{d#(+yxq;>GB)7FJ#%2lGjqb$g<(Ue=ol`b
zL&B1C##VZ<t8D6zysR1eZ?oyWd#AmBf5|XQ-p2rv<BC70e2|bL1N)K@bX?FsN}J##
z2;MdFY??4{i(*22Q=Za3l=5r%Y`s0M;69|v2wG7>()WUR5FwgpGi*jlotFvSZ6=-O
z`QS=Af0LPab#WLG;+$v$zUx_K+E{Zbv!!roN|QopltKI~3EbcLsNcZkovgP99uu;3
zo`t*45jjlv2W~Vq3EP~zWck^nQzl{F3j0c97gl-(H3pwVg`q!HsBBKlgS%gejB3Bt
zHv;t<?B|<9+Hx##@02q~80!uM-zVgrnQlw=mA2H6ILx^u3M~aMCeEAjw``8P;VVU2
zhhuk5JF%o@m%J1PzS2ir=4~CkSl<jK)(KphuWM5~GEi&dO`$`B&c;PhXE^Jo8AEat
zJnvJ_)Wc(<s+pg0{H4_-Ur8H}Hy=#VTbB-LCPGEr)28!_p~==iyxXVP)kTKhy{R_M
zT{Hj-r{(@~yv8rsK<F791;YlUlE;Fw(x)M!t9YyqLSU!oP8MTop#!s6L!k!$XnCDZ
z^F!-vx8+OT?*VUN8$mr>4a%H&7!|A5qRSH@`hM|8^QApx(<DGSFCtQGsB?Z@V4_!7
zRQoz;f(bK8cy)<m?c`Lzd-&iJo{peS9v)S+M?dCwRQKHB^CWM(c!NU{^qqkE{LdRa
zOrGTrQPM&)vl|#QKAr2>3<_w8r=fn)92Syf179Ceb6*w=gH`k$kEo2}xxcnSbb#~b
z%^J(#@<4>;!i2>^(}(A{*V=+jkHC#BrK$;qPqOxEvpw2%1K~NQs~tiX)Jjat4U?w1
z{0l{mz5{3b%Z&D_#*`ie3INqpK8zF#4*isCTfb8<@&SYqP{GlzVl<YiUBMed9EYyy
zo41k^JW0u6PECU5JvqIBWr!G@(0E3K0}crSVvo}Ub4Y}B4^rjwbAw|h%(No$PW4c9
zhLjr8mdd+cW!o;yz!#cc=y_9NDasa6R4qi?n2g%|)hIa1QRr_KNF8ctNxx-dZO=e3
ziyv`Y8&%WY-l<v^gh*JSKy0u%q7q3aFmGp^QZTq$NPvo(=CV?=>_mKBJK0698kk-8
zr)Y$55jdo@3>5>o4g>uZ&Ad_bzeQ{Z-Wz~TAIUvzIjVg~7v*oUF}Znb-O5bt3bmm4
zn$`wi3Y?md*!UwGitD_nBWk0DJnskAr(bs3jSj}t6pkSGcV5xFm*sSjA%(vs;Zn#?
zT#zn!U~?PMd{Ec3CHMRrVcImbBu=AFETgx<19p5ZjX=g-{a2WU{Dt+d2htkbqjQQG
zUsxk}HZh#SCOWO>oAT{m*$xh<;I$HLY-~&$K!Jflw+9Ju<94+|qOV!WY!ueco_NyD
z&jc$CPcCXPVAs`c%!>?iUpbNBUCf!o+GW+fT2^|eRt!J^ga_*k0IfgWJZ%+l7thHd
z3rbXCM{D1=F8v6eJ+A1-pKsED9hAnWkF?a<#JLZXwqkjxzQLOInoR|}*&8X?hoiOn
z5CK|g%5eb5qc;dP^vz%DC{YDwe%DHdTf1nq5e{KWEU{`jif#A9u0Hz!w+<WJ+_DX_
z8{v;RepblKScWaskD?8`TEBBhcHb@LMgETEje(V4GT(8Xx3zCtZ~i<FFz;>FoVT23
z2?Wv~CClUAb1Qz^*9ET=WETHn(_O?rPA&49{(F#&(3%c{Dda$;p#(S5Tb<CimZaT}
zc>?YRc`=V0CU7d1TD?-8mt4w^ME%w_4~1}(KRcs?46a>$Yfg}-lxQ{mO78Qp6&vTx
zpc!T5M_#neb?A4+JiKeF)Z`=tonwdSTcboRM8T?Hdau#ml}pLaKcEO&9UwXP!kcqD
z=H6(>AeRC4y(^7423=dj40NLR(`el5G1CpD@%gQG_0dqjXx{}zb(<uQl>oJI&*oeP
zIy9-DjTu~ofb*<#U@oUI?hf?}9w&=OR^Y->-cM70N`c-CD>*u%HFfrSF*K*rkm(Pl
z2}OR?eJ7$4zq|_A?a;&<<>5va?nmLfoj)SLu7~-cYor_n)dhyzg~?(NE>#(6gOO32
zOwA48{KRr2OxczzLaB*vv$dda9Vsa!AmB8QAY7w3;+z;gDF>EW$-V-zdNLT9v8Yi+
z#E%i<HX)U;tQfOO3>eI9z6&dhB&^`I*ZqtrHIkD9M}XTx1Ey+t+Inu4=qHlDuq9(q
z?8vuknpA>@0Ew{W669*4-L!qA_0MLv@8a_7-A|`D8`buoxRvV|L-QE=Z;luMJ;jzk
z3=AI!fD&jErYmTb^z9!CtjAseg0~#HZP}nWOA-=^D0Zk3byLi3vC+XkJ!hHi8FfuN
zu2^}-_Lma2ElS!t$IEOYTZr!Wr`x>#c(U@;aOZc)pi=L1H0n`iS3okz;<tLt(cI;K
z4&+0R^vVFy`mWyI)D+`N5)C{EN$3;YUO#|sT9`0-#dDj3-5^kK*}Q00OMYPlbs4=m
zR)mX`G9@<d4PWEd7R=LODi1T;PO0;tk`QXwEuBCjJIA`5<=NE-*A9e!$ioH8J4oQ9
z4DN;ij4PH^@ad%3P3L}FaD1cw=!n&~@(?7DKf7$0tJX6;0Q0oybBgk1uxT4ZA$<J!
zQ{7$yDDmel1j*1mPSo^ik6ar>sjxe^m|yfM{!)rZ?%Z#9WY-3pUV^ELdRLHuxLY--
zZ#}8=(2_}jY;{gogMVZF0_55r7|lb*rbZR&DkQ%jQOS-oLt(iaZYBHEoQs4q9O(`Q
z(~)ABdg9^6`0_q}U7H|N(tBsKblMy@sKz95ESDu`royv-qUmeu=c6{=emJIC&iyQk
zL_m{7JqCarrauv4Ol}8dmxx-RP^K{7(oM_V$cB1LG!NA1;<awS>B#%w<roCULZi{k
z6_pgEH9o#Gj)u~gRkdDk7J8Vy<T4V_?i#n|f$4ZL$Ox$$HwHY5wSn!Jzo<FGkQ@LR
zBAmOlM`$rP+&?iyf$}>l6wNZph)9ePg$nvHCg@OZo+qD`Y{;CPS=(cYU~(IhFaL1z
z_G%X!9h)z<5W*SQba$OWc=zPR>7d<Y{-ftO+uoJ-8ZB*YV_&^!on(Heo~}|Wb#TM=
z;#t&<?eRSqFxpnv5sNa3|8*ftU$J;LZx3AE$nz7m)kG~1*N?Q$K5ZuBha34>Jsm_5
zAxGy?VHPH&76(kRs3ktNQOwo%B=_u787?y9bepMkLRCL%X5`&XX77Md%WNcqb)+Jj
zSdqRHs%cLgPbMcn%K|n~+uzZw>gV`GY-;tL=P|zrs$F$siizkc<<JtZo6at<_am5@
zDA=kUvbhaq7B%MAUw3|bXz#L4RC(tPdk@uSqV7)w`0;Qt_FU?T_jeMYS_E!d)OH7=
z2AOYaQlj1!NX=L8#<W$NR~70IZHDshho{M-!vwZpn%3rvxH%-11<*aixp_K6O*S^J
zk~fO2_x}E>zq)&Q<lSe+(Gn!d^k#R%Di*F|=CR1algh5k>#Qs{3rNm<rvFKKWIVYE
zs-pwd7Z=#^d{eem_*Pljc&PVsW0f=J^H~Pjm5j6mCWUSu?-J4Q13|^#g*t*Qk!CLC
zUwo7)`){7i2QOI`MI7Epg6(EyB(c-mOaeEx(c@~v`%0b@b*9*3^+08k%7P@4NvVYR
zdG-8@!^f$wU-Ngi-L8yGm<X*%y#lb(k(LW7`KodP2#e-dwB7K?ebM2wmU_Pgr(IHQ
z`t*n1v<}}w(9{(N9?T|q1U9*KP;*}rcro?s12*Tx<`bY}WbrH{ARX6TcHmvvF6<qg
zow>j5u_d}(l$s&K<j3_nl}DS@K+naPp-Vpm`ec79JVT&W_}BDhPn68&wb6dH?iEE|
zLu2}=zuT+#u|`b5nsZs6^R|d?{F&nA$hWmTx6EEm-v_!{I1~82z--JtV}(HH;cf+X
zG24xI2^p(r9O(x-W+A*YXR5#Ahem}k#kBDXFudtkQe2srmO_eU%GvZ=DVr%Ht+gL(
zxdkk>cL28D-zrd}4c;y?|K%<`r}uH3wB^5nz8xs7Gy%d^O#e}F_I^7ytkkrQhqQ6b
zdd<NXFpsuQq#}0patb^c#HctrG+ZB1XoWEWTGGdHBk$M}62x5TVnl}wYokUdb*8=G
zoX|-xZS4e)zwjd%HOue|Rky-iic%PuL1ffQ$|pgH8c-2Oy>`6Xm?TVT*A{{LfL!rU
zAlx!(zW3dmDt&?Q6!1`9uN6XC1ym)v`mGc)t~i>Tjr>Io<6F>sZew#91KVBQgze;g
zNRLS|uO1X6?_UN7?K?vzWc1JJj2S00zw%xEB2kn&G+pS7gE2H@EG+H6^AR*ELUW^k
zz0#leo>!czpSF5~v24|KlrMdh*Bd##jrHKx5jbgL@jH(57C3oXFdMb`Hj-w+wflC_
z*RNHyO{cM{GA;I?MhmkYj`3wH2thBeI^8@hEk$G??i=egA7T5}EyYkeNU&8oxI*vc
z(_{7mUGan){Q@Da!8$c-w2x~2g6pGVOkVOj0tp^#>)89lIU{?^pvp`AI^+I=1UH62
znWfw_#y-Bt87Ce`+KYUKpyd};3JByDH+nxf=mBy+q3{H*8alDjW_hIkE~1}44<}o3
zX+@NGYJD>NQzWBRA(mI5%~y-7#SjGBI4x*9)Uf3+Q{oS84)F-W9NJrbaC?J;__KRD
ztM<c@-)}2!nOa9|mjz;+z=nqeuZ*KjOujs4f~k7)hnqFQ%i8EJwW>Ch$Gok`P({Z1
z+JrMLkkVCio~ds|o*iLDJb65$HAuszZ+Ba8S&A98Ba?)z<(j?qzXX6P&g13dJKui7
zNTt44|6{ea2AsOL`1Z<D3_0<}${Ylx3=hGBsuE6*0aJY}k@}_BophUvnC2ZTSnF9X
zudPW4D4<bXk<IQlmAd0@{dFSDb7s}yFw%PJ)c*u<{|SH_=DfU8fBb}u>3UvUE2(4H
z9e%JZle#kR)p;~hM5c{@b=INc0nYHb;9212FwedS0eAlDIwn1BEgh;4T`4P;M|*a}
zjgtW)BYg?rA=|6i5Wc1(2Umy{Jxilm#&-6=1EV8CKhDch;Jca)4uRF2X<^6L&9I#`
z@U14A8bjz0F;&+yfUesCO^O1K#yK$woEHQpEXuLE#AZUWp?R*h45M2zl(=9pN?z9=
zDrA%ampF?lCLdi#9i!*!y9Kwu-*0!&27RiE69mfH3cM5Vn*E76Xu}8`b=ldAYl@x#
z${`74k`4Yu9jl2n#5|8G{LEomSX%xB0bZ%nTN@_|IXIo>$eOX*cvDRIRHE>$_gUBD
zysJS=6YoIJ;8~1U#?JQgVIKV-=H5H3$>i-Hb=Otb2CIlDD69pLE?xR6B7{z8(xpr2
zodif!R8*SMYa$Rz5(3f^dQ=3Y3n3s~=}8Eog-9T9;;!!ZJ->6V^UryIB^O**%FI0T
z+;h)7pSjCt2G2d|mwc@~y=AT6<}U84R-t;0@KpSJRl6aFVi)4(y`ADN%<lS1jq#Js
zw95;8pYlf;XB^7H$4-OM*YCJz4_Ul#kW*E~KIrpNd;Kdd9kqK9xOb;|^B#lRutz+o
zszCeYiBOXDyN-^fcQttl>(qC5{Kfo1=DdEXR+TmCbmJV$>)_J9@12mRlAl5_A>&-+
z&_Mmrd5K-j9^CvdT~9?~!Vun~A=sZca9v%vnnS~Jr@Eanw{xE-dX1q@`&{pIwD>mG
zX20=l)P5X<xm;Yuy|8y!+@U%5#RpN09wU1=Qi(vZkSIsGq4X0r-6#AQj#A?-Nsj0U
zK)0tPCqRy5E~U=PqMm4GPet^qTj=>V))?oAS(VKkR8{v!Pwm}97yFx-5mzQjtcSU9
zr*u!Jm`sQC#r`GXF{e4Rle>hmbWfrH){^xhD0=rDXUw6^x0<t2bXS`rZ5FS~9q&8Y
zj^N5TdG=L;g)wMHuA#btS;p44dDZ0si-Qm)h2KzBD%P)-$A9<)zU+M`T}c(>Z8({~
z_+D{;2l3tT>d<%=yFTA_E^f(i32b?d`TDZ74ydOzzbiwAPsk?d)?mVY;kgZqQ{y#p
z-)Pw?TMxv!1X5=W?zu^`DxA{JgzE@Xnml@vujZ}MOS}5_(CX5D4R5x6(@MvkR=6$X
z&o(kIe76#OHz<6HX;+_6?t>Fv3&Cu#-PYx3j|6cRVG(X&)*l~7nB0-RPn&x(_I=Z-
zCfWRx&4pR4cJ^K}l4>^4a4t|MFfb7E`hL6nvb0m81!_>(vK^Cp?Ci%d!7i!oZvSKt
zI3|CDRby?`e>d-Lwc)g&c;Sd<4``TYulo1vY;PnINqIkgO5AA$+LHV)`OAdU%KZmq
zm^9;&QvU|A;Zu&je%i!~R8mUxPAP-EJ9R$%$S)!j|6z`)BkVT*7fzZw>fIYZ_r(Ve
z{I8;(>2%dMloQ|ymRJX+${yYSl@EH&)$rF`AZ|p*_4JQj`WHd#f(SELV7i~gfB0}7
z><gxU{ILr;aNxh45a<6Se+t;}Il#kp275h6Dpq#yXDsl62a(!vb+8<J#0G!yo?K2Z
z=dUY8G--Vy)Xb4D!>;^aBA){*($%A7sY4b;NMvzaL~a6Y!s<aM$C|3BXz5oDo~KYi
z|2kF<yw#9YQLzDZiUkD*{W>58i|IUTAJl6Q@KcWue1XnUDB>ec;IwQ|R&S~up7&nz
zRb}Nz20uoN<8G6%D_bl-lG)=?4Fm$`W|DVM99pLzuR7)Wx;Zm_ef{znLr&EoSFeBL
zkRR;8b1>9N?(3cWZb5<d^OHZlhzA0a0s;d&LjwSK{(C_S{~4P)tvRK`AqKyQs098D
z!#;3eVkh@Gdm`w+1Uv5={X0oGnL7WyL`*BA2Z(4zfz1UwI<*%+HNts6I0$oW(LZ%6
z<6_qohD+u=_EM{^_nNFL*9v^rRz0fb=?Ny$+4W!6sJbgFod<{|JT0b(k*UF=ZtD>8
zIxhoElZsaTdK@q~D8we!=^Vk{tskzlTW}d!dLpN2QD!J4g-bGEE7`Yo4VhNTIcyr;
zhg5mB-7|oc2scb#A1=y++BSVKxycu=vVYcY6OzR*ZdLr00)tLuiUCv^U^{Ou?vXpL
z3l4!gHw|`cB07y7<UD@L`+?dF{P^{}qbembCH<s~6s=d&RrERhvRbstHczxlba~(7
zT;dA^U#Sy95W-}exGCi%G<sT;X2GEr$zkG4_aN)=*MCx-I%)%T-E3K3qZ_XRNN`XQ
z&<kZHl497|{z0wv49}Gm*@0`L$fdik1y{^{5_Mk%S@t29GIP6-YRbX&kK&_Kn#`wr
zPbgnil~V~!v`Y(~Rvj4*!8Zu~R3#=pQu=Mk@;3kgSRpt$IOqctQiB4)>vID+>>bJ&
z;~H($n@_e2c(gWZ*BJo(q&Y5`Gt2S~HMD*HIuEC~{Ju6aGXAQ+2D>!ec5glufevls
zNU5^CD;1OPa`G@WCz`y2$Qjl7F5+skKy968oTMl9_P&yRT3K~*F}&tC5o4+IW&HD?
zQbUG_xOwqY(5C%sjbZJQi_Go>)=C;q+^W1>+_EzQDt0H*qa~l;ol`Qcf%7fa(W&x-
zYU4-0r|IPQ`5U+(_v})}YC?mL(76Vjju6hbz{Q<{28MQ5Li*K9?>An~l9L)}A|<{{
zUm_W7I(V${?LaL0%LH**W-*GP@FIu5)!>DLf|~=<&?~eCnc<}dxVbgy97<*aK<UHy
z_Tae!Z2s|~GQ*R+kv=#pnaZJA#`INT#K4U8STWtY_=)33BcY!PuqqSSe<)KwP5cr-
zHDFcGHk;;e=cu=&0suZ)C*OR%Y!NYJU3Ar9Dtw}9d2)VsEZ7E!heJpXgOopMuaKW(
zj;V@uHmAW$y+@THZTCnK?$5b$CM+of#vto%?S?utp)iR4l`u8<;?U!F{Oge{pKC{8
zQl^Vj-e<6<DY*OjQ>d@fv>fDCt1>0%9Rw0Q6AP&Z9Cg@>P9Ec)T)IBHFtiw>=u$Yh
zW3NV93&6u+&(1p4%pr2db!l3Y1>IF7**nmKT4{($S!6&ovA*z5+3}1n1#>){X3?v7
zCpP1R6)_xtw~wz;M_UlAJ$)h03?-7c3G6op*-P4Ew4%+hqHZm}!JouVOcs$gc9+w6
z)yvQGDCw^V28CbqwoVeKaSHo^tlN;S28S_s2#Qbt?7fp96#bW@Nl5i(Bf0J@VZ98b
zzW%i3D5fl|U(sC5x--P*Aw0TmZz8$ojy6R4Q$2+?L>q{mllHdjxEqt)SHqZ7U<kGd
z)4oM&(y*7P@8?I~RA?eTTPGOkfM!c%Kp$W96nOnq{oS33;9rV8jQG)M{=v;k0d;4k
z_H5$L?w45~X)3g8=_Qo`w7*YONR#?s4C=5Ic~F=$L(BcVHD;x~c8qEI>4xL@YkI)O
zjw7W22|)3|v5Vs5&%Yc33=&&Fk^t4xwN@p4@qE8H90fUjhJB{aPE9N7E)dzWGx5jJ
z>Jm~XmWw>rCI<3EKz-vJ={Eqe!ldnhR|}e7F9GE8xUFlDK$(`3f#ygGaXy#<?)QVB
zQUU3IWT)whvO^?I34Ob^IZ3{xP0_1fCGAq`(!%}&-;$Elh6CAtPx|O{=RS`%|24}6
z5Fc^M36~j~5OeZgTnU6U#N#LMWy6$n<n@Z<H8<`A(VI<0t&ImZ#msA*F-1~~#r?@n
z>D?RKpih7Kdrkiu?Va^N#Mi0(yfg60LygUvXfrzverRcm9btG=Y<80<)V*n}0w5R>
zPmJ#+U-fUU_rNR3@RuNdJy^S>!VP%!0vb>nCb(m!)oWjx($Q|ig6#0KJ-*$y%Huv5
zBD?C{%Q*gNR59A}CUCO}ydD>d!wL`it|&P)MF4{l*U9#Gk(@?12TYsCB9Tf_`}vNP
zQKKUBDkrW#evIP-SR7{wy9$_wDLW)7_?DV+yqKj)qNU*KJFLA%axyY2_-tt_Pm)*X
z`>giKDl-!rJRKRM8fAEl6<vt*fUpKmuSXZyjD=?!(<a1HkYP#6)yrogf87)T6g7Cg
zRJ_JncOe9qlc43H{2B|?SkA%C5V4MJ)#RGBS+n)HSNhF2bR~{xrlzk<73Va7^)eP)
zO67RfD5IAMVz7$*Z1u_%^eD{<-7f+1RBOh>a&7=n)%)?-@d0P|vckm_6Sd#M`e+(|
zrXYd+8u_Z_!yn`(Ywp8d8?PV=`~(N{^VEa^#k_@<g*WZGD;T#8J{j?abpG+Sas+AZ
zq-a&=Avqz|d6fV*a06;Ik78Q1RqQlELeisr7w^m6o_0t@2IQ&vJ2k+g1jhEZO!LNu
z&wJN;qqDIm1$*c0w3A&<OqYO4ZZ^|c4bCRbw%W;IUQAihaoc&}ldy)ziuV@F!(_se
zOWre#78}HgO-YW^U&^g@qe}Z5ix58(#vZ_`Bjw&&AoZN1H%PaiAXHwj${*S6wdS$p
zd<7UJyTT|r6(U{TnAAYL56O4f5Ll<QvQBI#C4*{!-9R8}0c&9d{M6Tb?3k+SNp<%V
zr{`aIFYE|so)!i;S~kynA-)di2Xh~xj67$P%G-GlVKcFpF4~r^1W=Ph_pk6$l!-h^
z<4`OErqM_)f}51uUUCJfxi^q&MTLn4UMxQZqQya!+zF*vw%`5qzF9xIF<5~}lnEgk
zXf$@>%PQw4(=fP(2DP5U8&NJVj92cK_Q%$mGcZTynDh5*%g66%L-(B=6@M-qdn!ze
z2Vx=%Pd$3FE2b*A28a$2m0buy_4ag+<Lew{DWV1RZ}2i|h?0GCD49#f4*h3}1?71$
z`cFVwHiZmKwlX1pqmdtq0)R!V_0WtEaDvsik)>+w{T3zt!NOiQwuLzk4!>bDsg7(#
zgjrCtJO>B+v2f(2LJx0~`ixB?YqH_2kIf2gJ()C|rEoTbuWzLN9Q966{8<^BD*$oQ
zs&ksSHPN=CD7&)HO7Ddu-WEf|A&-SpyB!ASc?slzDn(h3l433)4zS9&p9DbLRlu)`
z6}X5RA>{hjBTMr14U#c<aW?^Cur(g4F<&0TzqY(Mc7?lntRnC0jscl*ecr!#02gey
zoUh86_h~YopTDO24#n$`qkYHlx2N+`k;Nb&HEfK(oP<amZk)bg@kG<fJ9zcd6X>Wu
z5P7!ZP0x#;fb+}r3jFAG4zw;c&v0ZdrS#W&_d{KAVJlN5+#SZi#eM1(4*D+AVqpT~
zxLBbiRo8)@(O&_gNz_#JO~ag6?0Ig?^NOqH$oWV;+}o6^DEQMPd{0#NSpIWcrXY4i
z4R2a)A~mfJ3B9fCem?e%by?cN;dqOSfLJXWb_7=a+avK*;~|PLlz+Mr?}(_sGi}5m
z`T@ijeXWlGWW6_UVR4YKF990k$fBpaB7k0nhW^%MZ~5l!cdf}Tb4+~$(vp&WMYuOc
zzoINK_YmX06US{V=7Y0UCKryxa$E1DM=L;|BdkgyFo}&8l(t_Wo!W9zltTWzSnrRk
z??A(ICyg9tN?PZ=RVBwWP`ZsEQx!m`2+E$jnN?c(z(Hdx8qF_tgj4n_X!=du9mzE!
z$lQoz<TOvmUEHfF?5ep~cB#3s)TQK*s%U4mlUArih?*}WJ;ST|tV~uhUjx^OGSoo9
zeNC2wK7#6ZMb7=yWoCV(2nYY&ev>Guh8m!sBtDO^s~y`v5<AU#!`ORviGy99aeUnc
zyjn7*(-}@fjda-M>QNtcdlA859+U9`z828vpBf#^wXk8r@<EfcMUcLMhxHnk9U6CH
zVVuz56+M)pT6BX4R?~mRR3Xxm1)47~UbjH*LYM<XDI%!O*fB*y31v>>3c)1S`@=-c
z3u&S;F@r1g_W%olwOUQ4k?E%wipLu6SHWQoj#biH)?XP<##Wsr(vkrg_=;E4(qyuj
zHmP^zTrz%YcUw1_g~W#hmh7gN4Zynv(ZmgJTJ}Vj9I@0?!e~D@ajI-Szq@hd{#tT^
zsxSw(eof+<PV5?Mh0soR_q=ZRZ%Wm9*>2}we&W-j3B&;AJLIwhi5l$+Jo;{Y5P;~X
zqmI23sQreYmFt8g%BHg>jqL=Iwk_iznvzVy@KWnL1SKb0*@Ds;$Rhi8RQ}vsza?05
zQU`&41@c^+-JF|Tmc`IUpOLZ+{%bg6S>E)LXt*bMLV{xjf#m5jHj?W>J9QQ1w;e4*
z5xTsqR2PlGnpc(IE_%LrZt*DcD42gFy78c#+E#s*gT+2^7QN;CI*e;G-B7l{C&*eX
zsZ9JHa8t3f`mWWsl8BCzk{C=Z>4d@OB7l;Zs)%w&!^Qg2j*Isi&RzjWe4Hd@x`uZ9
zvOOt37xTATm&8@?tgNhj5B`#sh>7$#oYLuL^GOQB@nEM(+Sn(b5fJbkm3AI&iBcKN
zpO~Ck2@HQ^&_%19)Tlbj;S`9Jj=8$B-XnHxCVSj<GSPl$mMcIe-H5aABo4!h_kJqg
zg!f9;0rTdDS_Wtu-adE2kv!?Zpl-X>{|s9_@Su?jx4F!HKF@CR=@=~ZPUy64DFPBH
zQ2i5OA6Pl(nf~$0f9x3tN`5tD_M8U)yvBh#t^aw1zx9M)4Lg;2d2)OV*(L@Jr;3mk
zt`u0CQQjENvcx5U%tQ_S);6KX$*mRT1foTo1KQ`*D0_8N`(u&oErN(2eO#&GfS1&e
zZ4;?1B}+Q=x+6VtTfcf(@RQ|u_t=#^)|ZllPc`<s-`7IhFJlQlh6L*;AR?0>F_anA
zU2vuWhUap;UOZhQy<d)!hgv_DWw!+UbzEz0<dW<9#ZWDK`VI{q@;+Ka^M}kPyuLrW
z_TDmC_gH~xI|OCL?P{~^U8pswaksJE$dURDD6e=^cEBvF-$TE}t5g2Gyj!08sWkHb
zdy^LlK*JCbd2XM@E;pegBHepyoi@ESa(%1UeFQv@d=`??&T?z>v=TB;bs0>|0@%?g
zX(6pGWf~o9xt{hn!xGhdwTyi2JlfUC-$yF7^N-1|AZ+YtZly7`i2&3Tq{&}P!@5mc
zB87FH89t%p$fvC(z`EWY=px~L!wOhd>(H*`q5QO3!(@T&1A|Y%TQ5_ozB_8&4Re%l
zR-=<b?JbpE5mRLq__aElt;U11wfpqR6t6`SqmLv-*{=0(eepjvi&>;z{NZY~tgNV*
zn3!Cap*V%?+{3YivbK3(s1Y?tOL8;>X-wlvvtzWQ&#X5e#wJ-8A%Cm4?5W61IR%V^
z^0QO%SH*UdRI=;EZaR_#P3`qEXTB3UIj)-h0%%xmEQaos%otb$1I;sU%}Aj7UoKi=
zOdoMU_tVZgTtnOH@PsV8KtuVzJspbxtmR`A7~?!aSPSDr6;H&6+H?;d)+_`)S*D6U
zso2*yk4d&{00PJ}ylJb_Wig=F=PML&GDRewbc5*WL84>wEjHs_{B@1>^3a`6z?0+F
zmQF1|^A2cs;S<qyOpv>^g9dNWuf7mUUPn{WvszZfln!`4&Q$NA?q=U>(3q>5$19C&
z#jnc38jPn;hq#I1Jj3E;hQho_M=kGuFY~fvKJ-iE$uT<%nybmu%SaXQhsWXywP?qS
z>rEhDPCBpdv=PhbosNDf<m+#Ta`e$b%e-J_^^j~7+d8|U)slp+qfk2aP~;6rNw6ia
zDROT&3=U0{MB54{^PYy7&#N+s4;F-%$At2Y<QKe*?pN8z&1G0)rXY)z?``m;zRI@Q
z+J;R5NJSnaV$q5mqci9&r1)u|M$^c2sY@lhrN11S(72Sh2%>!6tsFDocRg7uBL>A3
zC+#`-$=Kj!DoAzUK@43>SZ4g_m0`;4X#V=Om#>j7!bNXP9k9EptO(k0zi8Y?1HMr4
zs#4XHRq;FyJLc8J?DA)FX>;z!h$wI2&54)Lb*W3VJS{7XKSWH-5xpE}-qF`US!?MH
z_1flYORJ9mTG!yP`SrM__#c&4LNd>Q*wcKW*Kx=$a)Ggf1lriYDPPH5*qzuPxtK&c
zYdJ`I8HZ-P*JDU-=d>GX{W+rVjy&%C0<|4Ke}O!i-OAt^p&T^`DKmw(AvNz|4OAEx
zMzs@;0UF*|&9<n#t^>|n7+Z(bTAb(ooKa?F?qqdkCwMLZcH3uHKLyu-wp9_6RJd8|
z2sPL6z7`ibxF#5+z7h(y?5k*go<6I(75OOf2_T8Eoer0#npW?B(-0%SW%AcpqC=$&
zofQ!So-!6)E!gA8UpR8BSWXmr6<2xWpB3v1{0#5KE8*ec^SwDEnQ5;$tQgD7GSZsw
zqBO+EqI4aOU5ByOf`XsPPEPIVEGSPqxoBp)OtzeN+XH<&5qvLo)JL;%aCh%BqURl8
zxG6Pmf#H-W3uAaTjrwrO?kj}70Izx36^}-(;m<GRSBGcL_B8g&Pw(|LwPy3yhu4qp
ze+jJ~jhbkR7*eQ)MT|)=yde>L=sN<Sh_Iq<wwXbXE|Dv`waI<q+(ynum|D7gPA}iV
z;w;f!=%kNQPVXhCc@IxZ?$<YL5@KzkPKzMVop;_X5mzfqegl42Dz<>=%kEu>`(+_%
z3RhvC2_|_Gdob@?doUu2@~{T!p5!LjtL@%VwVvl592C^zGBryWjQX=HTQe#foR)8-
z4ZFd)%51NiN0O|`H<}B?<73dqj=za~MZ<mHMNf%dXB?#Hf|87&a%<CG!RUo%cO3ZJ
z#N@(_aj0^5j%OmPujz`^I}bc~VLYxUvdnH2N17T<TVQG(zdjB+JEPUMYxdV&$c_xB
zk6#cytrsbL9$Wi8kTP~$Piw{n&i#1=Pi&1YB(>x^L#O@JS{0km-P>EDonK&BW5>lh
zdgHVNU7^!-3)@%U#isptm66_uP6_h;6QNh6Wc)_L7ry>2b&m}=*tLx9-8-&2zPqqG
zx*(;DJ^H<mE&dl<`4097HEZ;#2NPy1pBhizOH}Zj?vGqZkmauJZajBS*~;8F>mZ-6
z+=QKqy?^j`DZ2LXKpT_cH08Fjg+De-TsyM(klc{JJF849_s#a9CtcqVA6MiU;1^yR
zE%@Uf-|YZ+Fp-mtzOA~f%^l87DHA5#lr(GiHkfmNYt}wTCsYN4eJ~8oo|SJZNg6*M
zsZ2D-L9|f!?eU4g{2nN??=%<%OwPef#FOt>qS5Kt;V0rKV5M7Io587$Tl2%O>(TYL
z8}?0e;~xx4IGTRhc<JsG8f4j)E(WeGEz~bDre;QM>P_mg)xn9-sgT=iwT(;l4LU{7
zO!M^htv(kQu~s6x{iF3BxfsI(?v~5U+%28R-bP!E<sa|H=g*$FAW&hOb|!fJ*$i)a
zAuP>ed>@017~ev@M_Vfs5-)OF*FKe+clIvCB-xTohAUmarqf)~hCVx=z4M4m%CSIO
zvstkrhS8)LWkG*W=U47_5=ay-^;`6`=qK7X1s$xd9iMJAvjp#k+UBbk#FR9V&_-kG
zf+!%5qO`}h{P*5O@qZk*;`s0w7Z}B3k${rD7cX5*?mw?ZwAexKTAR0quDY@E<x*Vj
ze8m;4C73+NR7C;0HSQ)*MgN7*9j9Op7FFf<*)HA}&mIxGN-mzitB6KVIF;~n%w3(o
zDY6J6VdKh{74X(nmAKPs79(R}^+Ohnbzps$C9$fxTk|#Y@o#{VP)aVQAgMxMK-7S1
z!eSjoRP~Uu!={^zK@Xu*&DUJ!2R+~MieI5$PM4Jghy%?zx@{~ojZ8#4{7$O;mb+7L
zJK644eY=T&$l{%bmiG+Po8kHK;Cl3SpbAcIhw5u)Q5!Yr*<^vX9~@kG#-o}(qU%dM
z(tJ$8`?al?9l462)kLa$h1ttxCbZb?lo*3q6w7ISpcNCDx18kt^%Fg<8x;}tXy$@`
zfQf#xIBDR@@LHy;9kxmh+UNQM9ls^KYv#GPE?%Nv>8u*oo9Vp0r}xx9>Ri1ZKxEtw
zvJ+z6sS{+N-}lXzhtIlRoIq(-2O_w^w`xOf#dVkrhR2?k+^OT`WH6>#bZ>btVBmR_
zk6VtPgW}^C6HNLFs(3-@sWj7zjbZvFFRU!FRiQ)ID0N%6a|bI6xG{mhbdq%RIgLy4
zDf3ZtLintU2*Y@QRmcaOB2vL$(ao$*z2*@VIwYh>^IWyX5#Oxhs~u21K>CFJyohyu
z{Z)z1uWHh3`c=Gr$ULQT>159=G?{HN>s$-oI$DdmCrQ56fh!ivzoWSw8bJ3Ve?D~)
z^Xab^u7`gZu<hg0Dlyu^iuBdTaE#q8aZ@LT{!{Y(52r3R0|B+&N>;9PQ`%9Dg2D`O
z)S7QIJ1i~70Gd`UB+AHH+U66iug#!5?@YY;(!!?iD?AR0OX`DY<PXeF4SM$qnYw+t
zoRI1EEz!n!L`^Mg(xmutJTpU1NO_AHYu$+7oG;~@vzuv9>dit1Qd^74RsfMI7nDcp
zM1>o(%2jYA@$uQk8(Tjn|E|D<+Akv8OXRRYmOndm`KgqYO+IyTDW;Pkb~QE|Lc)mS
zqi?c^IRBthEC1&fg&vF|V5r3i`|&V6zRF!ZgbjT{VwyDzz(B*9^jhmQ3rz0@|F^r&
z7uCYXs!Z~Kf6}<U^hzX&^RF4CR<CV$d2UteRZo8oi8_P^*;5<Bc0+FYX)-MTnnF9!
zin+>fNRc@7he*hz{;|pRoLj#1F8^H=<H#}UE0M73a~I~UC#U?$huGyN8G>d_$jpn=
z)R^r^WRNCk|CUMUwX^7$#j>_mu8;eljk>2%W~|`WQ^Fd{SNus9&DpQUYBUvS?%_Rs
zn_=MZH+B#P@-I`A4@>fhUQJN4uO3oiEr+IgZ$2xk=yDuMWaPh)kHU0a1^`g$gj_H0
zwX-MZLhmI(HUB8Kl@jb+)!?guSXy3}1p3vMg_h2vT?Lp_;M8vNIwo*(R~6@izl9mH
z5C+tO&J0&F)Xv!EQ?Q2~4GwX7qRb1y=7#2~7X*!Lc{5Ns4Mj4kS;qGn#d_2`Rkub~
zKA}L|7<gPTI|?*!&5u_#Y{RG*l<cS%-BG?3Dmm72duv3^&St`-<V0KQEIZIvLL|C~
z7nWgKD`MjHmV+9j*Hc}p8boPsFniAcld*1JyJ|J4m8;CctvZ)7rsh9m|6s>yid$><
zemn=*dsN$Su>JS+vCL4rV^*Mo_HC}ESh|%LV_2(p4UbjLv^B3d39(X~6xO*gIQA?V
zf^PBEK%L7Q3%iA$HY7Ep(az5ao2|=EwP93*EnkG89~MGRXctUYw`g`emB#|3&id?{
z=P3D+-Zh<6tTT}Z&&ia?E#%qO1;i-%Pofj@pO8>gbM*4pe2U`nrBD3^wLV0|*oAK;
z#t}**ucbA`Gds!$pJ33&4-0L-(JE{S(HTm9jjvT1FDPz4UX76A$hY%N&=c|Iar@ro
zUE4)Rj@`aL&pKBdF<_mxVc_QuLP2i5^pJit<k_1pfgUQXP__OjI;oEBJyO&zh3Tq#
zmW^e%K$Ztyys*PtNEC>dGF&ZF!#ntUZEGEF66k|sNxDOY+QMLaRb=gRZdBW}x1wvC
zmG6m(BEm6^f`=LcAFm`~1k0>|*3f;M<5q0cYpL;CEvHbDoKDx|7$J0BXmIzCca7MR
z36}eqIjT>C5ta5RNMhrqc)Je~KkYwQ{F-J<P%~DHY<{g&w0_=}UOu-m&e*6J50y0G
z-PRmbpyK%J)6BmTti86^j!||WCF#$bJ*7I8tje;l`===#W}_H4^Vg#aG91fnK2<g9
z#^bOzP(c^rmd&S=?Vd+mTvNMLVLWLe6U}=g?gU$s9epouPnu|((0!L@u-)a5#$7D3
zV1Jbu?v3-_5VEVef<v<yK3L$k+^9@zC2j0AaV)CK9Q$H<INlw0f1?;XCg^apqGjwR
z_kuZ&?W1n87WCu{u6<f=>R^&saUTz5>P^k$)shS4;m(baQPoS>UPUQp`+6J8xmEg*
z?^I#1q7ZP@{HXYNOSzz-nyxW3Hc4DFz!7>J%Us^e0j>IYDsDl)WAT9IxZI&+l|9>>
zuXXP7o4V~#6DFcX^ko0g1dj30ClRszdB;u*$|_6**ILDt%>?~e+V&Pt8;aC7G<3BI
z$J%Hm|8xA$hg?n|%SSgkROzBr@4(yru7`BRrN4}NBZ?|zkJJ&6BG*K$)~_XNY4|eL
zPpaB3?(t7gr2J@b<&xQeY*2W(^;A>X^zg@9eV48ss2j=Ty8pFK#Wt|7A>9sCXSIK-
z9K^kI&fur1cI8)2yvvH#A;AIf3QNn+kJk8=AjwY?91Bbliws-&#`8u$T7S^^RCxWz
z`vV8w{#UC^<bU(YOaBRG`2U?B{3D~b2cWP2!cZh-W`-xh=HHvB<K~roY4RW2*!Z#Q
zyo}B3|N8t7e9`1=j#8)xcns$LHB$X|94+<Vc!U3o4$Ar;<oE&tIalpxGl-h5xrU5~
zgnhS@STnc1+qQ!sEA{Q-(qapr#J8tc%@AkPkaNGY>mfx-7heE@13{pvuVS?oW)@ZH
zJKLX(sAd}&t60xXJuz$Y1f8|=<shUbI2ycEoQSn4a&3!Z*a!R9Pu|EsN!TrxS`@Bm
z=p|JLyYhxVAAFbQU8_6>DZQLFL?-Lb&4Vz3b$h#FdY5>kNYz<*DKlWz<*@R>emfJ1
z%aw1$mBIG?c$647pAF@W@MWx9k(I_!@uSJ|e|2I1%D<BboM3Z)LS8;|LOq!mM}GE5
z7+|Ja$9Tr&H;#=NNKSnnqsDcuy(m5va@#;NtHkKJ(U9k70sc>@$G6g<g@FRC!hk@&
zTcOuma^Z9iospv9Fsn0e)3XWb{Z%z$w_qm3JaQ3ML^nQTx#2MtWS*+jyJK^tOQVo^
zShIXabOc1{G6itLzjte9#I=eR)wIfWlf%6ynzVTRF{|}#+h%6Xo;|@X-wXRPk*#2v
zf)l}P$8k;#8HuuFJtk;oHd&pj8one+h*JBzcF}@6E$m-?t23F9|3w6BX^Fk%tja4c
zw)ZU2Vap18?3F6-WiiIH#3!kySleyhYGFNC`Wi`1W+(&iX$H0g-#W<JzP5s&u2m*M
zB=NiJtCHdswwmY#sQD|Ljh?>M(iqq_sHkNMyeI~4)Ene=NC-;ve05~btV>s8djBp$
z!&(e$>-XeES1Zw=mOm|}qn28AQ9Oix6tz9O9;%WrC5nAMK=5Wv6+ryHY=A7vOV#x`
zpzkJqsd}&1a>7cP&tOtrJr4cXn9sGJL-t^&g9F}ymWo@ij1TGRiE8uO7A3-&V)^Ex
ziF%9g&sY_sDPaAQTURWbZVB_gnXbKcKFy%HJT3z}{<V=Y$uv-;##xTpA<_JiHpGgH
zpOU4XFn0g6;~bQOrjYkBXpDEu;F|#_FV+h!-d8@|DerO8r0{82#q;CFrS}R|t1eKU
z;g*9fn-5FPkC(pTqG`B@T{vC7>N0PEHD&GL9&iHeqei&yQ!)Xpdp#F?t4KdjGvO>N
zLEMKjk@~gbWYCfqP2*ItK4&-B<RJ`x{FKtq;~a!pd-K9Td?m|C)@<Zrc)W>e@_ILs
z*x*nX58`bocU8uKJ~o=z#N0}L0l`>R25j%wh(@E-0Ea*t6$7)H!;5sSLP!Q|1c|`@
zas}Xc5<a+*hZuPK>WX4R9>dO{BXP-ePakcmpnnKs30#}i4Ux124!mElJ5_|ijp}EK
zSvk?;&!hU=IVP^6_^hAuKEP~=6n~2ZrCHFH{k9R}`4Gm2U3#y9YCb8F#{yF<TxU+M
zY!{DS3di2?%=1X)FVf05B-T^%oPWGnkyoljw;{|b5`Tr|W#GnIbLd*C4|lZMknmOv
z#m?s#0qd+_vViKasZ_gsPS@&7lTQ;%uG^%4ln_t4MW&8kRQp4G<X2_JVplB-++oD~
z5oUWc_NwK&We%{U)}`%e8&aP$;gz6;Hw!Z;ucL4O8xi<LGtB=`rhSwJX2z)P3>FPJ
zbQQ(11{hcw-V!ENMW01|o`q0r(Z}qrJH}|9t8l(T7!Vl|-JI%XT+HZA!NZ~D#pQnX
zC@oi7vV#P<{-z1)TcS>Ot(tx^ehgQEe8y|eSkawT^ou;DF^y`O<T{LsJQGq{I<^&Q
zQ_(V^{rx{$P%PiIao?gzzqHr8AG0!V$%>eZI4Pjwn6jny8m=9Acife5d+Mqb0CDXn
zIog4M>5o6cK$DY`FQ;@O3*dt7lK+myL~KEU>)gspc@ubpzgn&i@A03*55K^5|4X3X
z|HP=(<R8pDSA~UjL{b1c8XEC7;kP#vavB6fwK>ES`T&5U$H4<DZ#X;y7Nz%o(J-xf
zrXF`jiSymxuW#JXUL?M1Y;0U#==JXD`tm)%jt~IgB$A7pHI*LYll;?qBv;^<19cjm
zonj5=`6@nQ%(^oAjpn=4mCpWnAg{_S8a^PyZ7<VzpBQ|P^+a2&TbU)j|1IOd7oizS
zwzZDNF^s;jKZmqJcTvV(?q|IR3QWTXVyt!}VG$A3L`+e<&4C9n)A}O@VzRP;0cAh_
z>L0THt0Ci8!;wP2(%WkV?QRF&?*H|CMkiE*^7Q9vTnCVmVsFm~@KwA&bo?BLv3398
zljCPiee9e5Zv|45le?5TeG>f2>64fkiqq6Tua_%D|K+U974H9!u*_muOs4$UxA8z7
z0U}*d*0Uy%bGVAJlE;sh4m{ZDj6Q!)-`IGd&EQo-gcxu@RykpGU#in{vv;GJ5!W>D
z)zdf<p^iM}jQGf$l#)BY@v|z2eZS@Sbse4QPf2^!+Wk*QX<AW0>aTe3{d}Hwmwf@w
z#UKk;r8GTy0useUfCKgMZ|xlw^v(HuKTU|L$J<zOJd=r?4u35gllE=n4Q+aW=q;98
zbJ(i6k&0JOy-Ai!h>D1HGqt9hntq?5^DhnUf&ECP!vnG9TaU$4VWt-m_fd&7+tO}g
z5|uNYw$;v@Gj;q7cCh0$4kg-s0^$8P>sqLzR*L+0VNyHyKQ_g@=(~J(<{B{0iChjI
zI5~vOmF-u#S!la7DV0u;+1Io)hb1YTtyC@dFEJ>bD)a1lQ*BNkX5YTa@ldW<uv-}p
zBbqE}!{p1gYu%$`5u?)Mj7ul^f#&jOS85EJl6<#sE8dyZx4T?h7p@y!H~#WMqnUPg
z6goj9h0E7ToIta2i2NzRz3`RB1Lo*a$qaSyAa0|+9<`Bz9jd!2rC4fyg|=v3jSi!$
zp)&<4xpo#mY~o`N%Ww~MvLC9}Ltivxd7!*Fu6}nRw-*Tm^WCpr;M8i!W5&J{Qx=n~
zA#1Pj#?4GUhZdi_0Um)AoXJxg&8*(XvTaKf<s_E7b=~~A#QH&}o3;*R&0}e@NYR`#
z(JFGYYd%2^Flu1AO`@yQ;>6JO8J_aVJxr}yPo?yVNlgYlNuahPKjf^TEXS$F<9#DT
z%r!FA2Uz2*wUgzHW97KW_2Kj-_ylIJr}TvMLZoQNJ@3)vwd<D%edm5n6W;v5Bh1Jn
zxCV4>j*GL`Bh+ex!!zj5bh7tCo^KkCht_&$tf}7c6Y!{TuOb939iMRGgg(#k$O+}I
ztsQN@`a^1U?wrx@bhOw!Nt=QhilI=dJp9FSMFvYfqXB7R4!5Sb(}DT74u!}o_0`#}
z@QPoWei*EPpOQT3ct)%f*-CV>$Xd`=U~N=V>@m;BU{KS6V<X%#S_7a%<kmzPP?s_1
zFwu5rDT~UrKTqyOrH&~t7ha-=S?}n4<;c*ABg9b^gXV?Y0hCJ2+_-akn972F$^IY;
zl4ki%lU8vE<Wy8-%bi;~P!VEA9k}_zxI3g^Pu5NW>1RNS1edj+q?YsN>3Rov+T{gX
z?>m?u@oIPSRG3ZUn^$A}1-X--4Faw_2pgv((!4Pw%y7W==%J)Xn$h}nzpCA6P^SRe
ztR(3$Ow+8{PRXn~Dcp8U0B1pKlqS`0PA+>qeL`(4pHz(a9EToQcVOSU`&9bA#qnm%
zs5+3sk_#;^kM+i#hZG%M(B3?*tH|G!-v(3Ra3ym>Nt>xSi=FTiug$m8=)2){yVClD
zXQMw?6>2INUXft<m}pdfFcBa=Qhmj8o|0xj8nWCnJ3Ukt>}Z&pfeqJUuhk7H%VMGe
z?fI)mntrHv1iSDghr$eRMZh$d9lB3O()za2&f*YX9l`#2lk`3*M=mNydilNZHg*h&
zbi4fQ$JnmK@2LL0F2<d*J|l#9E$_)e#_vk{yEt@ik`TKnAtnj_I!}(4Q`{$E>)qY*
zBwKCX+jq}93w~GGUfvi&B?+gHjA#nsu-BTt!dX`FgU6i@)@*!EVtI9qj5YZ`)~9Q@
zs)uaZCJa42#f=$zCKMX9ueZ%#)&JyasVymX8JOrDl>|mNx?#A!84cJI4q$yEYy^Bq
z>&poMsCMkq?jNux<@>fozHRE9sBn#F^=o~lsE)nT0Y$;#C8vX-L1n`CUA~s@mM6<K
zQI*IO`SM}E$O8V3LyM_lDO1bhKPP143z}IPH0iwDV!jr1nGn|wwM5K(lj;X+hAf{v
zY4d9P1edO7NF62OiC}i2wY<&g>(`2!!w!wJW=`fo<V{7{#dldV-u}^_U9*i<mQSJD
zTHCv#U0#Pt^Ow{^AF8UDLBfabWDV&PW#B`b9T&r19;+o9^!p9XkcL@~6R(}5nV&F8
z{9WYN?Hc<z@ZTqjPs(?YOWsb7t>1p>h={hQ!Tm}SZgSX*il>#9CJK9NI&jV5gaU*Q
z`q=2Q|Ep-HFMDQaH(A9}JM&)z@I}2-C-!%e_derveQgzA<zO&@KT&I)Ff;T)XK_IO
zEwl|bS$4bch0&)<hsHBl*X*^a`zOz9+G<bPy~b94wPkb8I&+s<VkS_AD@w#aPc1fR
zmhDG&YMu+>d%Q9TVrFbo3d!D^U`=*>gU!BX29-r0@~4iWoc!sV$OaQ?k@%MT%A?E#
z{sHG_Ey2IL)nn`kek@-&LfW8VmwNi*%7|r4`C$EY%-kMOSrMl=Lb7Xyus{rY{kF)U
zHj7YF)gox3HE9e7+B!82^<I(cXAhJ^NN11<`C)2HnU8RDBlXjo_)XgC04qS}+38{5
zk6Sy|G{@!QY3Ss&6lAbOIyDF{YSDZ5+U5hLc0jDBUB&q7Kz8MoJB!1#!Ft{CZYI80
zRZ?t;d7PqHS;1f8i!jA+aeER7sjeJ(0;_F>NmxruZ|FGM+_R6&e60Z*N23Hc#l0kd
z(#heMTez<Cir@Xqy-8o(L=a`x9Gfs2-h+xcVu}9RD!w8Pw(@-)hP5qXv!cJ%YQiq3
z@Zrk`_wnI$XDiZ^y$-G4RZ9bp$~<>gb=1{RjnFo{*mF)HxaW9rk$VwYEKOb4DCs`9
zwP~%p$t_vgLXuap&G4qiBd=%5p9)XAxD_lt`*7m2&%HTj$BFAcW_Rx#-h^oMtJB!*
za)yJqf8=u3RP`|ETIAWT<t(9KcO&!dw}ZY-+r?R{K^RQIm@rMi)3Z_(o2nmI{=0a<
z9?e|etCA??9_C7Ax*yAfxfYvHGmX77PKHlt;f=PVjitG58ikU1DE=QSI!t<-30Zlw
z1k!qcgM(Z&V4AFJkCct93@+2#!C|K}ycC&V=><BYfn%PNo253Jlf%R8KVuF@%aG#y
zadnf_b?htcU|qIB{d~LP*=XD_r#EU)O$}RiFh*mh=7eUWh(MV`N&{ARz7pUnKa-X{
z<ToV|y8>}~njnyKY99}ypfjpqRh#rjX?-}$9QSdw(Z;uw*{bkf>6yQ?tKLjthaRGW
zOSs6Dv$(hf--fkC^U8KgTmt(Ff4hCUE37`WPYaskV{ezypAaQWizF47mn(%f4}W|X
z7wdLwT*vx^l<7tqTb{BmAm@BDGgIlZwPW=c{d~rHeOE@%#+yTdrLx+vNT+V9a3&tv
z@XC$qTg@(AT;F}f6d)~plEyD|IUm<I72`SVKv+Es?uPDZn2#_!?NygZk~e}{-%x|y
z*^jm_FFJ`IR|6EQXPA-Uv=JGBeZBFyoepeHz9+Na64m{SLyj(oL)Bo>yS)F6msC!g
zV{cl9R)%ZKfP@Xf4#%%0sm*79k`&?OS0DKfq9eK8SQi%OzwoKePjo~+G+K1AlEdZ-
z!-v+6g1TPr&aH(HiUC?bSQA(C?S2&jFfVMhcGhn%Q-e2Hahl^UO6cBvs#ZoIZzHa(
z*?TOhNpi%fOixD~82)8Zex`{khqm4znJ7m3=Q;1w8{)^JD|`q;Y#U2U|3-H%)J{-?
z@3;E(zt0bU0Q;=ZmpSY+ttmehsbxL|Z}@;fOG)sxz%?R`hi$8)w@(|a0sFMxgrmcj
z^SZDQH-uAYmvF!1tCou?7EooT<FJ?~ZLkmw&DfCJA;|Q~8q}#d=^zkuQx);X6}^#2
zP=^MP!SE!`E*-Kiu|U!vNK~;Cru9ZBQz-PFaeFAu5_hXQA)KDFOYr9uj?;|7)Fx1Z
z=I$`vKi3^PI2p8yJvg{Gqd|1XaB67Y@Wf7gewA8JXYWb?)$W;61le~Q{Hk=(Xy(Te
z_|&Bi3#n`;+y*^egIiCU)~t($HZ0*n8BA^i_NnOX*$z3|{nf&1_QzMFdrK`gpNqr^
zIY%m-WDbV;>?Jn(h1$clJOZRw26m$g4WRX2(8<R69j$L|KK6SjknX@&V+ODkSGcBl
zjt@!A(vG1=k{Ry)Lbc25ctksFpQSCNC7niUHn*I-va{O~c{p!Cg7<t@_0}$^kM&9G
zt%sc;<Tn3Gi%cVK&nJ$YKI_l+8bgezrKxQhldPJ9UC2ky4+R}>eK8p+42zIcbn@Gy
zTk9aAtJYRU&4d49x{o0&tvk5pGmidkPL>q%)em0ilM%AdE-o%k)h`NJsadL5*e_jl
z%Fd+W#R$q{vAxp0otd8dGMvFBM1f>|lgk>77dJnzX?2xYi4`@P7>-QSQUEbbf3U}=
zV}1)CFEq}cM1eQkFVrJ3p_*N(mqtDD1mymQYT(8x{M&=+74B@N+;_zB29!DVDf7jP
z7d5_(n~UhOkcZEM63z$CK+nHnd{Jk$_I8O{OK$MXFB7)9-<kxJ^GL7cwFZIVJ8P%m
zX20#4fBUDI-N;j!cWYDcES6Ppby_JqnJuG5IUC98?(f%Fr5EYlvn9jdeIVq&fUD3i
z1^$x)Xm#dSp6|aOIPm26A0(P*F8|n&n|?gTlR1WSklI*KOyfSdDs$c6(VX+yc~A6j
zq1}B~c731zb<7)^#hgM|YMyvYcpFLY@8W!6qxpBf;>$9<hve!!H8)Blu{-vcZ+w}o
zmCYzzaO}GC_e(x-(>Z3Cry3>VT~-NkgjKgh9eZFhK=mK?Oi;8kDd9qhA^yIQo)z+K
z>Q$$2yNhzLy<Njx1r?&e^oF6x1C!1suu<03H%AfU?A+~*#l_=@efw>Z?`<DAUMtp{
zrACMf@XF5428yQ*)|+>%qvi{o+atGkHqU2m@0BSiMw@D$d>b^3qk(K9v5Fg`eHZQP
z|28@97Z)ol6c-d+_8rGbAy_YY<$efdl`MWb)2h_&hgtp23{U3YmpgFn_7C3C*MB_x
zN45`c{q|2+4jeo6vyfXGw_y?4OEQgnot&LvbCT}vx4kN=xJXlHzaO73{JW{Q`Yun7
z8CHvM_19*c>^Xn1yz8Z`c?u`BP5s6}A-H`DIcRN@LHPIv-=)i^ybY`9HtBD<=9wGm
za7Pg_ScQUJJ;?c70=Ei_&q|T|nlOqztl2(P60{R7<2L+=NrZRNm>L=FZFtrh^$daj
zW{KIZSgrP4zLnlXBbqtkc1Z~rvyc1j1W)Y{zvQl_L~h)|sQlfpd-IjQ9x7gxn`<Ab
zrZG+W4wcX{NJ1?l+9EY@M23yL?UO8SkCMQJrYHW3Eo-;-HfNAM*%>`~vKql!dUF0#
zS`nn)VDOj9{slEpMEY@PPzY#P3bB8VO3zE_*OZF&wN%plT6y9;KE4PvNvrZ=UpcRY
z+NQ-ZwUU_<;d&kE<a%?b&d;(kZtL&qUkeF^_437@D@~(WyJK@Y?<iN=wVM30z;yTZ
zI9OL)1-=1|T5fc7-RLh~!>O$k=#uBM;79!G6cZejdOgF`Gzo+?wb62Sk3KtCA5W5c
z&QW?z*>z8kDc}3xNd;y3;@+Oz;&jwga+a(pV8NsP1K;}66`8q;<65TOxawlh_aDf|
z5C3h-c`)zOcGOU)r+cC-OHm@Z2GcXLUjj?~T*WxtKi@7P)cHQ{Aw{V3?Ks>(PR-T7
z;hI)+BygcGN?5zRNu2NGh1?^QluG=GkF~B{<!7^5cgtJu-|M>(dCxEBv)tCZq4<V1
zzWUWF%sTOxk@>Iq<a+s%lFF~mP18zQ<DYgRe#u9}_b+pX->mP(PC+hAcY~yZt$56;
z!xXeng_-r$1p}wpvoCW4w{%oyaaG<CnwcXP+RuUzdCc+4JWuz<s*6wdzd<!3{l>3m
z<?;CoWNy%*!U<W)N2G-^F^EXIYfE7#_)8ZisQoQf&SzN-d&_kDn=W>|OMtn!yAeD0
zoFGcq)VQkE>=rTAb-IPB$n5#0c`x^fF77cr{Equ)<P^D)N$JeIxlMshrzofFG8R&Z
zJC6l6z7V<R*M%-*(WjMEz*O$-3ReyYNp1?@q}J{r>UW=91z*a5QM=R!6y!~E_nV^_
zyOHZ3h|Iaomg(+8u-vS<Ec-F0R`92R{XF9SYKG3@Kb}EJYYF3fw!Rrr><3}sFOTAa
z+THOUpO1G(q?xd<)caGoRJI=<1QH8P63Nyne!<x#4Y0+M?VCwkSS2_-)*q~y1Kppq
z57_Ed@!41yuyI}K<Uwd%E<uDu^{JF;3qrrt8$uWMCZPQrVDAMg_zQd|ct^ukPNg&b
z2>Tk}?pzJ0?y1qR_rc&w62*YXenSj;cPY)rGwDjuyU~*QN3Cb=TZzk)u@zlO{$g>)
z0?QdO!-6RfN19)r+?rIQUIn!BoZo5>BQx3TY^@Ei9rs>mrp&zkn0rQr5JD)*cYxPa
zh~MdHXh&j%N}8@<Mg_gn4#cG@ts4?8%^mMF7@ilkCegexqN_VUdDUNY)pT#nyMK8C
zM><?B*j?e5okP!yv}Iik_UYS3RJgU*hR;2h+3aaSfR#-4rLtD%sz*VMe&Cr-Kqmsx
z$&;q$zNoy?Sp*xCX3MBt>bMwut6bHOI1x!~1<M1fAY0oAYVgQ&HJs`{X>f1Uu{R!y
zb*gH#z=^ORTj_7_q_e{JL*4NocYY^MbvNc|jbCs~cB}38$m5FhulgvFbv?MyXWV^l
zV8kg>f}U6}#pf7iDcuyQ4}{22hoa;=q8fFTC~tIH_GtbKnf~;=uB)6<ihPbCoKnku
z>b1E-Piu^6N$VT_GJ<)@ZsRhR9xJ(0gN<nSdtF0K4trVFi002&x@KAQuzhuuWL%O=
z=p-2&&WZ%HiWem6zR#KyS(#;fX3R?yWC@kIyx8?G(<1XzT1^?+TQWO7^rk%JoT<K-
z!Fy`c`|n_jJA6r9xzdPEesX$VcutNeJS%lgCe#=~UrFt6QqYu%kG@1*uD2ToQ)x{q
zi&^&2TisCYz2uW>*r}=|&nmx?Htv6{$dXPRMa^C-v5)R-&f2`0{6ea#8%JAT85+jp
zskx#06`t>V((!a-6W3&)CNuH<b^Uhf2zyhu0XWdMo64;bg9;wb+A((A|FiQ*$_8t^
zxA3A`w1~i_s`z(hHP&M2)_<wf=q_Kk`BFa-4Qsp*HMXYGJpBvVvBeCds5R_@e`j~t
zcU%}#YtVRzt~_-u&D_y{uRM7!!E<ACqR(cru%*zQ@ro+_NhQZ`H_KurGHQeOuBQ;<
zO4!t8yHE#?rd>@NZ4C2!>KNwwv?P2>8YW2M!*%!NH6T}dyn{x3M?6=PnB9Gm{uy0Y
z?N;i&r=n)s)mc-<qxCz++cS2BLEEmu8%2V7DZaRFzHz^d+42_6@X4^~z3K4qZocqI
z1s%ax|M(T6f;h6Gys@K%!IPa3FiUBI&pqh&$i<+5{$afR_~lS1>dPZgrR(37rw{fm
zuPp1T_ewflD0u?v*ZpmhNJIs12ns=@O>ug?D|GkIZ@q)QzBS9**<N5Me-5VmtbVgp
z*{9eA(<&;uNQIh|ttf$_s&0w%K@6k%fG=0T&GX}!iKgf~lL1E3LJ=lY4ovyp7?}yU
zd|%5oJR1xV+;+z-N?H15B)|oekHezPrJEX;!y>vty_4(ggNyDTM-K*nbtim85#Y($
zh1`1cy3xAblq(|+$aU}7qM#m2mD#GCpluy%_s<j9YFdK<t31bdySBnDuTsV>FNWFe
zk~E~B?2|@^H+qWXLftr#5LR4!o${jr6?xe)!&c3Mi~gL4lSWwAQ&i7Nqfy`SYEab(
zUvdaJZ%-7PCqM|j+cL&{6SZH=tO~BcR^8eDCnDmlmQK!KZv960k&I##N~{PdmZz5H
z^nRn_x=b~{M~Op8KXO~dD<zou;7Ikm{R?@MR=H9C(00GMmGcv|j^m;z+Ex#Llb3Pz
zCx~ZE@86mNWx_jQQP*9y2(Aqkzasu&uehgEbIkr->Rb#tYxBbu@Hd%iVjyv{iq0oN
zH2VRb?t18y-?LTx2}<{0UVhja`Xj9BKfv_ak4&4tF8wU{|AJosw-x$-Y$b*&qd@hU
zoK4^qLQ$<qC0HH?{Yw024Y*rW<3$wV^)7?g4*MXsXd~AUj?(`F^pw8Nj%LO8^zW86
z58K-K*4}pd=RvnOS?iS&wR%%-gUuw0_^xx%YnSqNEbmc6i6N==J<aGlR!+?hn$=sj
zUc@{0|J2dT&H>~ob$SjvN?<Ccq+tln!l)Dz5(nse^utrOvk;2IcblXBvGqJS`yH1r
zctSZpnQJmoHqO5icd9)+X|==RLjNei>mCl+Ph)!aN(=1`m0f>`Qt<S%vUBeH=hu5}
zwYE76xb=#v_gC{c@I3PWYVXUVno6^Mt+uOt-J;xTTPcvCN)QSZkVHVnRJEmuOeJ9+
zwSXWXP)xx9AzGGDmdpXdoU(w#Fb@KTghZtTAtY#+LqbFd7$5`#Ap|nKgV_DneciWL
zue;t`>;BPat@BsT$+y4Z>~HVi{_XuOyoV|FJpq+)nO+J{uaXb*_+;?wf5mwIn}rRW
z?rfE?h*33hfkL5|Yu&ArmwfES_j;t`qq|O-Xts7|x|;Y-I=ql4uOIosQKO$Xa}71T
z>9A7d0?QgcpKMpyuWx{zj_J~*C|&t&e&?&G!rQjfFWXS~I?Xnve(7jRL$AJcFrBoJ
zAULK4bmtbTjcQkRTql*pb0H;86O&V7#|S(*nQXTpA+Eo>he&0x2y8^Nrl__q(Z{&-
z-7_SyeHJ3Bw6pMiW<8*vs$JYeX<0Mgx32+&quAITk7?Pp{4IJOm>oTOG-A3lS~{B9
zAoD&WmuK55MTKPQYk7kqLUGp;WPAvbxK^n?5v{C<UkUPE99ErIlgP~nQcGo`-^jtl
z*u#Wr%ghayk=C)})2B#`RKTcA2eluA?2fk58HLgvc8kH<Ep5`j=ougQ(LZ*m5*1aI
zf_Q5xQfgx{RhimoC}qNiquAW3P~OiJ!3!i@SyUBD%sJT%?TUqSzJK*+z)MYQklp6%
z_MnrGvuZ;!hjG0r%KTne0XE_Ab!k+mUVSsiP|F&AIrFf9)@P4ttS7<f5h%C0XX=0y
z_DAbI&nlb7qZd6;t3A#;sRexw3Ci}$_$RHIq5UzH%xgXLksVTIO@D(yg7C5EW53fr
z_z-*pe|5KIcH^_#5$h|-YYU~DnWqw1R^AI3iG69;qH$T}7U{N>e+#%@D*ew{NZ(Dz
z&*gogesg&%afK3S-*r7<xAj9pm!Zn@F|=$d#Y94BN5DCtff`FuUpOgjy~98Dv7-?L
zOO}rxZ#<wT-FX~ffAwm*^=p>xwyP8f_pIgmneQKo6fjK&%KUW-M$%c3MQj_Yj*B>}
z6f!QDMXc|4V_3<78>tML_31xk;h0HPnrBaI6^}$hsNZV>i^pw114}PH&Y;yyj59t`
zB7Hi8!H$4#?M(%PqgxM!hmTj(IN_6y9S?llKE|I=&R2{mOIA99KD000KcZ%j8CD|W
z^%>XGZRW-XN;_v4-AgUwmAw7y%Vxqbafju=czNO=+scKPYKohKkrwjKCl4-#Xb)DS
zOn1+<evOUEPHN*|4i8Lp-n5i(xgv)j%2)DD8!hc6irMDU>9(mXyl_Y!8&hRhr^eX?
z#NOI?WVhUatq8P#e0F_t*bVsDSY6FuVz+;TktONle#=K>-?c2@rXF+FiE<ow@wS6D
z?cqRWyV6p1$V<x_=ihIrZnhyoti6NqS}n(EUvnSQ)yB*6y{kSeUktiwgi4dSAvS8Q
zreKRnAl|*!(pFy=IP1oGgQa*@1$m9W(%PHh+atRPOrb1+EdPskT2kXmYpQ4G<jtVI
z8FPJT*J^&FbwiO$XCNdymy15Wns!=ME_{)dlFHG%xpHla5CU2sGegLTki~ltyD6E?
z%tf$hYovL8>XjR8Gz4{7ZXG;?Y6wn0vu~e|v<DIew@!mKie}wzzzKzL0V}LytT-L%
z{&zcM(rI7}X40Y}#{=;RQsCv?%jt}m!=L*8P7*B>(#k)SO?de567X5m@b;nnKYT#X
z{r(07{7skrGqm8p`w**eVW=_~m^Bv{7sH~<d^RCOI%=@F;18u`?g_i~*?R@_^8Z#q
z-`<Wur0>BO`|8_x9Iu~$uiy2dGS@!^HvYS!{yju8&pma<JcscF8uJ1QrWq(M;Iio*
z5Ib-ec~aJSHsYI4Dn#{J58d=tdcF+j*b&ompUY3#4;!3=MX*NC{&_Opw@3qzqqKVL
zK~Vc-=*HjOj!0y%T9X+XzV?*gH)jnMozH-cF7u8kZ@GsoEdx)dM{4}BBL@Sz%IyWe
z9$sEJ7+5f*nIA&E`CW!Z60I-Fjb8G=a=s2iuE-6Hw?bB3fe0$=usJ3=L2b|aD=MN?
zr*wBzf-axl`Ta#PSJzXHc}M;L4Zvyvz^9KOoh}@ZPTN4CkVelO-~UMW%k{(-w$7!a
zk66U^_|~60+aA{{P-7VLm&zkT62>Gc0A3S2KiO_dlj5uL0=t&-tMFNu<mBg;flTY#
zK5FQ*Wk(mTE|g<t=#plJV!-&Rp~GoSoNlYcmpWhtv&`c(>%rt=1d_3SIpSfgb3~Bg
zAu$vh%zgZ2K#>L%5*ELNf0Si<PV(`z>#36fHv6rg$jtwgi+{#sXU+O`E6H;PX>@Bg
z8dp?l@P5Ut5&Zf4N6`C+=`DJ_+d5TcM=}>W^bX|)7gm)^E+q+O2~(}sft%znt2NN%
z^r%gO!nFx$=coZ*8fwNZd!^QN!>JxIiZM<2=u?9A{5ZKd^w}@HBT4mg_jX}Aft{AC
zX+w^C^|irF9ujVAIig%|a^7ASu9JeRu(Sh8i#g@?w@p5aOQRLmZ6|*|3mbK#vf3E8
z2`sX;9m?AJP}m}J<t090eK>~xBf0DpHTkBAR?pU$)uCK0M#~~XVN3Gz#?utk!F4cZ
z4PpPrhdwQK6}zV5>NcNvcuOu#$YWpph;Y0ZTnSa?&8sfrU|eXzdZ8ZB%_q_IP~u2B
z&_Rc~oVOSxfQ}P%X}ME_WbXvpY-&xEIGsS?m=*!rw0gD5uk#9XZ76ICIF!A}?(k5P
zjTpe^!Qfwc^;%=pmCN}2MO@uBJL_`2xJw=nZxmEEO>1N76|t{y@5lKGJ{(vv=8FLZ
z6vyqLci;A@TAesPe7y1_2X<bzsXE$lPJ3|c9(5QI#m%e!BquPfzaN#~+f;u^sno(4
z&h>?|9;2E3yC27e#9x%bZor9aiYye|xlfsvnWX`;6+422wJKW+d86zEZ`YF4q?8zs
zB9p*+_l`Mjew(n;S2?OvyU=AhpR-*YqQW|hp`O#9!^%T&ws3crs`W{Xeft)I3m;`z
zErdf}6i?}gD^?#=Ow^Ad7`rm63=~6R6}D)7PLV>r3@htgDNfKyXn<uC>~|hGt4sQw
zrR%i><if8ipLtzQsVx5bfWFmQK^AJWOtbyfXh15n6d|H{hcau-)Rhxv#N>%&(6x8f
z$V>9q3cdu>ZF?@xxi9xP+L5|aYJh?#U3^55U7wi*`qS)gEtZsuCLplgcgZ_zn(&pE
z3&PEiQPov!dUYyn?fx7nf?eWF49|4d38oy~ThtLgz@pA1E8;H}SuY42OkAl@hBI{}
z_C*OoYvjxlkvtyRKGA1~amNaIKh_nOzf2;~|G?#sgQkr;GGowqSFUNQR+8^3=WR_E
zsVR2c&0PbY^ogQB!YWMuz^YD&wo3f%v2!^{e=*k5d@5z+20NzR!`mEp4MsCFntAcl
zLB<VxOt4+Khco>rgM+rYZ^amJok#ikWorv+Y?q5GMfgCr`u5{R)(w6?OW&O1KmK;o
z&fIeVizkny+&g9p8v=9UpT%|XM@<}!+IX+HPSH|WSYNhQxmdN1W?~#1j=y6<-!coY
zh0oe43do9pi{|4CKUP~tQN+Qd9D+@YzPgq5oL_XO-dtY}eY+oNniN>Z_4Yto8f+MH
z_jawVvkfV?4ISHpI=Lk8$W(LXhWyp7_u<OI*v**p>&Ekbg)o!uLo>w?@+qi7R$f6$
zHcXbS)$_M|KQ%n5ZXWqf<Z@)eD_wA;BzD2y^QfaWj8+#jmA*_baHdD0t#KnP<Ac$U
z=+D+43X;BZrM&q$fF0g*x8K(S3`%tzzHQVMkW-|W9dWaHY`U~vE%h+dA)>?zpLYEZ
zgZ56)`iY2i`;otdB^)}`7z6d8?3KM-Blw>D9dt+U(1_og^Sma)^xLs4L|D&gTCGJA
z$w1eH@+A=FyH1J3J?~4M2%QUWVi2g6748KYW*FY+^0D7%VL&a(LQS|++wv7WZ&S%H
zQqiegM27}3BLqL6B|~%($&t8WCs6b^O=MVnC%eWU1oK(tAe0-vRNiMtf(NmXt|*`u
zBXlGt@e^6%CH+UyNPVX(#Hb|;jmlHa>g5^5AzCCy&%>H+TkF}12O%9!AVFpE<Tw~f
zVU|P<lTN$2IJuWq_`6aYq*j-BxU8XD_Z@Kdj`W!hLr#2POsU6Z_rV{rIu$1Vl^Fa&
z2aCdMuSlBtX%ti7e7yW4>SNQR$YpnQ=v;Pp*fUS>a35M+bI&T}E@^xvu$=k&KKQD0
zNP&CMj=;)l`JGqPo;!*y^Zfjbc+d<ob6QtX@6esb&mb2^GnG|N?Q)JoZG3fI;?!oL
ziZI>%6RnOdW1f4GdkiTt(-sjaOceMP4Js=tSh^NbrELBF3TQcB4b_2I9raF_|3xPZ
zqgQE@G_-!iAY9%pTzC<IF^AmYM-Aip<EBI3wx-rB)nrtlF02E!*pl3}Wjq{lE>D}!
z>@X_o&l%bb4=f8YQiBxbcDZbGQ_?#l#fU1%QlE<bcbw;zI|p(+cPi0syoX@ul=yXk
zIpGA-lw{UFOfuiO;a_A@u31rDzf^qlK6yL83-)?AmcF)K^X8Y2q?{|U^P{F-c&CY_
z4RTyhfMTb;&51OgdIPPH1mt(O;%g$&yB&VWCeQk+BO;nT^rl1*Q~H2sb^K_jC%<iA
zR{d2>`Q216&9k3VZ7hhQD7&%=B^_oJFC5<;(X>a*M}38U%8%Ga3+QypHbiBh#c(&u
z(~|i2Ac4pk%X>}l!ohkE4gNYHvfyWI$lkQ1E#D)>%RoP3PHH6k!nd~T`O3FP`O_U~
zfOB`t4OjRnUZ=tzu3hmI>7Q;{aaQkuHt56-7cut?Qk5#`7S2!N+C{Hh4=TR;-q)Go
z8N7rEP^!vIwwli*e6uY;_*%=CBv#E1($FaE#(ELx&Cs0$Cy5sq2>6^T0<6FPj6`_8
z{v$5TBhp#UT>{%RR^@IudSDA3npcaRQa$kT+#@5xLU6(jZZoWz7Hq`b6)?;zzbw#_
z-jZ)>qDeq~_svBY^~#+ppYQLl5fCe?rnTLv^^bu+M9N3c7TQ%OJw0ky+jlZx3fyic
z7H1m|ml@YSNRM2?ccf^qkli)>W-uCfi&%fk#i?|i?jNo%6bwfZ5*kO9F_%_Lrt<1z
zw0-Tx59UlCt+64t%GqJ}{4yO?1}}-O%>3<FVMCe?;L^09u%}8gumvU#*@K(?K~<>?
zeyJ;O{caKSTS&E3tpKjomW~O#IsPfILFhE5Uq8I^E`D1nZdfUB&(Ic+Wz{cL)%OXD
z4DU$Xo|8Ydf>$3%c)N_jbq0d2y@<1V%}#a??25RYn>Fa4gjsx=kb;BiFV>lAVd9jp
zzR<mxbXmE>xXhn6_TFj$gZfvQklKSN%u{5LGu5=J%#5=WI%k;?&hCaV?ob8g*#?}v
zDsKI7S9k7UM{{gtAjqOO2%u@Q5iU7wTgSN<8`JBfD$CtbOZJkB8E#yC^O2y-Vi&si
zf4F>>crzt%%s#0@3v}%*ny@82o)AlocF%XOqRJkwBm~wIbq)^-Agh!gxmWNDEV+dC
zWBPv4<|_#<Ms}1>dYyZcmZO{`Yqin1RZ;foF_(t-JHYOUXB<1(*6rFl`4gLzvzD=T
zdIpDsEvLh8WKddsO;E4PG<{36&b1mPk7f`5VvkN3!%)zlVwX!M7NS|A($oc9Kf_HR
z+8NW?2gJ+}T}Qpo0L*bGaP(k_ZFj&M_X3Zak?m!eTs(0U0}Ow0rZ^SX8J~F3#TgWv
zn320$w0~Pr#G0)J8#z{KRbE4GUUnhr&6(1!Q76w@LQvi@qz$GlW+>2V;rSd>xcag8
z3b|~t>$5z^xuyZL;~gsIJ!SQPsUKv6`2G`}M=_$U7Ixe6tt`#7^qADQih$O+QRj!T
zQ*c>J*3Mw8i2c$DeEsctb=0-YiWFwvD8BH4ftbeK<`g-q2ISKYaEsn8HkIS`O(unH
znw#Z4AW`XY@LT37(c9m?=EwCvCnDSn!cAxst1)(x@(pRPAu&FUMrm}>D2`gDmWFJP
zF1*<95H`8?F?PAPAGO-AbxaH5xD+0)EJtCvauL&ZYv{G+_KSN~n;f0+L|V8yQf6Z%
z?rv>_`&^BOjUD#eD%G(~OQay*6?E<g@G1NgAaecWk4^rYE6~9ZH&>S`ts?y4Mw&^~
z#KKGaYA`H7B<s~}kHS_FE{RyW)$Vbj+?BT1LOCmm)|K;cpvB>0m&%Re^O7ie1+I@B
z_v{LB?iTlSO8UrZl9gyc!A}|uBW}LS7?nv-IJmr+J|QeWvVFQc5kKO+<SrR{n^k6I
z-K+ezygGNO^LvxAB)YeS@ww(Zk?momVj`TAFcU%_&Px#t7>wkpCGhy+IIbaZ^DXCF
zOVQw!{DJ%9k!G_wUl@u7Xk+xK_KamO%JNrUak>sl22?(@Cj_nyy@qq3Q1nXMh{ZvC
zR|D&8ZAQjjq1u%Gft8-O&B0w<!j8iYpghQXRQOb$fXY7Qc37wKifZnVi8-endt?;v
zpJ8VY%FSLWrgRv8R0GhsU{mXvetp1shVnnHF1=&X(CueR8#t#hxv8gB6>h_!TL{7o
ze<;gmEubc&*#B361mRlnvxkS?d+OMLJIu0^EPJ?qc|8Dc40n!h4mya+v0r{~z_c9-
z9@IL|b$q_%Uw(e{rT0k0)=T!Q_@uFZZJ_F{{mDHkbF`w|Ew{I2TdR#D;gW?1V(R26
z;+z_hIC?6zGvL~zxadIZ-~?obOVm{JMr0FNM$}x-4mybO3+UHO5zEyJ6;sPYuOcon
zzn2&itm8b~$H4s+2?z%JyPFrulWmBIOP{Dzb-#Aemx-2C<b(G7k*4saZTnKE13lem
zzA{%K*?V{XhRu#zW=i{(!QXwo76CZEmR7bCt`Su`>=$Yy6z}L=J7yv(JL~aHz>YB{
z3AP{45)lHO(3f`&ctbkaLa=g?84&-Q6A>{vs;7fW1N7{p_jHnmb1bnlw#qc@+4xRP
zjG(x6Fc4}fsC5>$M_B~51oD#CUyGN+p5)lQ_dmMF;t-0Gr^Ltozt-9}ghZn3&-L3P
z11NB5eMGS2PKA}A!Xx@US%@J$3SpSpbl&h2b2gAWg&v*~fcBG$o9H1eBxA;KCyo-d
z&U~4ao30yZIi>44mO3BhCd><|^V_VK#jN(6v5LcJ697cOD4BR#&`bgKCq|c&8lVin
zbICz4rKHvh*EVLTuP!e4Z-1AMY?uGAsA!_bEK$UCGMv^z9*>vB+95{^a)D|L*n+<U
zqx}*gOQ_NESQmQ6@zdQC332Fn$;qxoabT`1wd}%jR*&FUwj!QZJ_bR%NZ6(hV;(T^
zwgYHwbN;6zn~YBmcDah439RO78xx*hn>N-=Sw=Mv<fR!Kpdwn00a(H3s7v=3c2o>|
zlgbVJ^P_$Hu713c+g0@3CHA`Wg$ow|hR!oNj@Dr9eI^@aRIRbV6ZiMeH+uE1!x)T<
z!8XQf6-YmmbG2^c(h(P8%Erq4ovDZlGtyY`L3l}JUuoD}JHX-?-(_(yDysSb0>sYK
z@BGc1r_LbXC8=qL2f>W_yO11kohtRzKhv|daZ1X@NN6Sr!HkC!gW>)jH}W~1%N5CZ
z<Hx!1EA8M-+<nm;EtV$eI?Tu&rs%77jW+nASLxDl#R)1|u3&G`ZcCe;R_Q;MI_?rB
zXqod%P9}qHpFmoDWP5Q7AN59!+x$Ct(9+#Q%=*Q{gehWRpS=ws?Y`asn_wC`dQcd4
zrwO|e->N3U$1N``<Fzp%>1)*$(hf0mYjZ=-bg^k!KWuu=jmGCHVcV7C5QA7dL(9Xl
zR=E+ttFfEICwX0SfX#OGIaJEYf~Nw7%(r~%zqwjwz94m;Oe{|f22cI6IL<$}N_^z%
zd}NgjP;QV{7*rl{-l?B=z~)h`x&LqQsm7GZ80vf(Td{VqRIGDg@s}mWfIk{^ZIw(`
ztThrhaSPZ33Xo0qTyPBKJAzXfT$(2J`!Je#!1$&!Cgac}G2=k!aRhjrG69Ynr>R?|
zzdGix&6KI&5?r_8l$j9qrl3e89iLy2-Kd>M0qkbCPCAVk_T&N)&Rz-a2o;an;M?jz
z(<WPdU$pKf*B%IrcfcdODFB=fTu&}X@>HGMs|KM*NVTh^1M|zl)26{n))&(BW`??C
z;~>x9q`c0!jrUtPIPxNGM^%5(ZEnVihvO8eqXx&qxrKOWX*5+PmaREq2kx6v3L2=$
zx{35tXm73wNjzx`+$Qz8s1v%}%j2j0wcj^-HLQzy0GF)XO4Ik0TynuP_>-a$fzvcT
zo}GZ$z9VYHJS_tlf?UOoi}D*^x!M6_mTmMG2;^ey!cTR2T5zYpW?y2|lUo3j<(6y%
zH65l5nm)-d?iNZ0mQ-aY@KwNUoLg5TMg`@jDQTQR@4Y%vKKy@31an*2GqsCnH<R9r
zx9_y16ZD^>F&o~0BYpkpuLQ3DcR1%i`=<zK88|sz`kHyx+`QJqs5Swg!-HZc0hMB`
zv-d%~4!QC8X*cgYc5)-5&%?u`1|X{OpgL`T`54EOp4{tE!(ef;zu})s*eCX?#{45f
z+CP)xzX?|70n0d>;cK(W@YSXD-}lKdhgs}GtV_$sp=I6{lI=Xr&bc_^rnv3hiQ;~Z
zJz23o6xp8vklTe=z+jFQI=jdpxi8;a_<S_wwBte%v*q(Y8?!fb$1k~;ojoB>kzC@b
z<<jq|1s8)+TiG7b6o<n*yvehtCt)lbMD*Z1IS^tl&c45C>QY{|y-kSt(&p~T%4vtj
z)|Y=`q(&sv_7!*dz47TCY7@|?d#8cj3TpvYr@?`$@@tM6Vu-D|!C`uoqlPy1OFK(p
z{t~Mf+8&bBy@I%M(Of@5vozht6CXd^3mvI;=w3}duRr83(r{#+kqvq1+>A|;ZMQmW
zNT%6vzEu6}hNSfDyJV{k{t;2f*J!jegAO5?9}z`1$!2B=>RSOI;TSvqH*LOOPjKYs
z9*o$VL1vNP{&u|04LC;3FR*g(hy(7LW7H#yxa)@jA`ikFTkrr{hS#Vfp5F2B!ngI`
zo=U<4|A2&DJZmwWy+n1WgG=M<It7(wcGQYNy5tg-d)S3qx#=uHN}R?z#|Yca`3KMM
zM&<xz&<22DP`VYSCbod$ZCm*6e9nu$^^4(8KD7*;bLtBne4GhNe<MtoVOh>Uyd8pm
z)f-QHq$?spAcgOapvvdM57X&xCfBm{BFLuw+MK*~9nuNAs<)WBCQrbBxAwGI%{ReQ
zN+{u4l~Zc$JUr95U$$~!3N$@G#I-AYx47Z_9^Jbfs9mv(HEIDI+Emz(q1s~c_I$@|
zuV^$UJd6#<5HTbrAkwa9xJcJD?mN>v3@S?}a%9msne;)Ha=ApMP8~o!J}YICTh-U-
z!L^A?LNKoxHB{pm0=g-gwOW~cKnQM0#Z!pLHzirh^~biXW@L=CIk<L2oEye$4*>~U
z(M)L<9`>ZfD{~JH@%b58l*kv$rr{ohkeT%PHybv*p$!{(Mpo&B*`ewxT9n-~Gr92#
ztMB`THQZm4<KI>$^T-^U+I5RrZ%o*;dyq@qcZ*?Ig;xB){W-8e%$@fa;9xtAmQF^N
z^v&7~XH%}(z~j~sG`XUD2V0tsuPANLaC2GA8hY3|(1%=Vlb5W!b9R1H`E15m4veb<
z+&K6_hZ=aHG=`u0mBd5O(HbW_s>&lCOs#z*UIf*(S{P{d_^t>1A8hZ~3T6556eVz-
zCP-eYs!5H6M+O;|11<smI2h^pS8byEUqO6{D@9+M=Fql|=e+PT4KD7fQ)N7P$J@~#
zn9sVY$0rS2AQZFtrO5ew!g4_k2R0SC9J)g%ofHdeD8E9jF~aUA$L!R!shty_S|z_c
zYITjISB|pGRU|oItQrBg3$0Ju)w>R~d^~({8#r4vJ!j-EU=T^HaA^!O^}N99`fV@x
za4W3i^6zn*jvBZQ+nW#LCq|<;BKyc~L6H>q@@@|LQ?=m2Wqq&EO%A?h$w_T-AUiTa
zHhf@yOB_rO8FrShX*jwsl`yo>%%Q$QTo2m4fVp)%p1&5|<{9P=c|*y9w3z^hT99gx
z8tdba76PL-n_RR}W`~ql(B0i-H^kd{6)7`s$()l2#o__{(nA|`W$p`vCAN@-s1{A$
z*9p>vUW7e)t_#Ih@z;y`*lA-g$zA||&3r%Aqi7J^-<dZ4%4(VXDZ%t)sfES<^tfQ7
z?eSXJD}(njqJ2J1Ubml&p6Zv~Y|q+i*5-?9kBj^|9hIpj^vz_QqQUGsX4o_oMBZ^!
zPxR<YtlRk-Fz!QhSe-_J7S^^CF#yZX{s!k{!z=sBafIPqkRx2mP;H~N92x0|@~j)K
zf6=u)zSw}2T%rp&3G2BeOYF0YK;?oMcoU0i6zHm1`tzMn=AY^?UJ!yCTro{!d_<h6
zu^v^(`Z;u`8dY%~A5>XY?omtgS`1@<im5^6sse|YiN;lA(nj^5;Cu>(QxY=s_?*oR
zcK~ZkGpEk1$!u@JC3@2}N;~hGm=!|;tHvm>)6U2;_NLdxAXYsOo&xBd`aDD3c!5rt
z@)E!t+?t5|FSk6vif-_?mzj=yFS$n`!`f|c?l?|`Ns+sJ_2P$xR~C`F6VYa0-cgN}
zlV+XNA1j~p6Q5^G$7|M^%Uw3}Ghgq7%f0*oMMtgwhmaO3$Mry9*{e)SMQrr6uFZzs
zNx7>PI8!jK+dm`ES3M7GxUY}YU!vRFgl-wD;wa*^$FtI;$b_%L+*@~Y<At>yjc?pP
zgx5;$QVH}M&gYjGM~iz*&0V9#S<@$1xGCkOIuhFepq~=`Gsv2sZy+|z)gk;=+iluN
z!a}aw;L$D!5DXzofv7t`$;v$+{}*{BF@*W+gDX^``Ei{`ZV4V5h?u(V+?c8o&<O`m
zVJXtJ=XAJY?ez_J<mC)kN6{9MV2cc;&D5&MujP6P4Hj9=I_3T|vJyEu3)m2H?0AJ9
zf}7u)L|XxEw4A#g5yA5OE8Ifg)_M-u47X5K(ed-i1yRDA0PmXoiYQzST$ewODaGhP
z6KJSP^v?%%2H!qi41f7D6Qp=HKdR7mXOT>hnYn{dM^M5yt6ToVqqfA?^2w|+FEnc~
zcZ$mUU)5!s187wGmq1OPl_&f5eRXh`9e?X+U*7?(0&%9w@VcYu#mfNF&PN1)Qd+$l
zI5KpHY$5xgX?a5xNs?gDj;bomgH*+D-+7^;gPDKlu)g^qoVOLI)`R{2TkH*K+)kI~
z10a>Daxe!7S)6{Kz|ivMZMPex<9Q=7%-Qff%Er21GqC(5$LUw(xJzzX5J4~|f=ceF
zXl(R&;7=qa`G-%=q1Q(rQfuHsy1V~`-FYF(&@Fr0X?wMc?!Fn@x)H9iA6P=>d*Z+7
zw%Yh9FrhzNp3twm6RHfPEuw1xzuJ`%0<~}n4BT~@+s6vOkPgfVYoG-`+XKj+gUMh~
z?nF(K(ZFhI7;V;jk=dVo3A<D)1gx{um3!z-?XOL-kwS{;k@TCFB3VVl`i>VO5B#HS
zn0jd>z9SW9q6<os^t2%h8UoADQ_q~JhBwnpXl)Q+iaq`wVs1@aI+D8HNB~$0q61wf
z_xb9n!w*B7_cP^3l!U1o+q99I8{2{&C;+3n1@E2A^UGtm8L#3SDd$6sjEtC_0;W*C
zhZ+3zZ1O^(^A^<`G%MgoR9MBn`X(Yp<2VlAI-0VqR|+IHjEtNM*?g8y1nVz8k3);L
z|J11rZ{9OQTiSg2%~v&2r!T0>HdaFEo4yIt^7yCM{6m>`6Z4{QRv3*w&Evd-q5}^z
z1`b45nuptAqEK*DkkGF*NyC6AHczGv$U6t_dk0~5^yyBd!-Dp&o2%nR7>ljZ@jbJD
zOV2*SU;5=Pn-H*WKvuo!@Nf}Fr#9w}-jSGLLUQMDuB*-G94{x)(|I=XRdneN9lb7&
zu;l${=0CsKFDM=Zo4ax4->?M8uey^{jJ&b3c)0qOU?qSegCLQB>H${q8+(MmZ`+C6
z5w+9{LBuY7*8wsaeISNtJ~5LR)zlN_p#VvG$XjpbYa&UBsJZ+KlsFKv_I!$<@O!st
zByXSi;G(>0jK6JIe^St$NbmG4I*6h?j>T$v^u)9+9JX3ukHl{){PmQ{ZU9wzJgd@^
z^2A;Cw^yGw0?h|4n442szw8|IT?S}+$Z1ZSe=etO8XyzD`6+xIKD`-{_6AoGCx;GP
zoDReG=DeT;>W8gF9ULzyC+a-%i#JoQi1+p)FYWp#;F1DIiOLYqjX^6L+W`pcoitKN
z44o%&9c04=pyZ%7e!9crf#3j3>D72`1uu^+@oIxDgspx;;yFOrHXN_=GKhS;o2~F;
z3TO_zdDG}MLet*de>)0cdKK5a0GD{(+g<U%wI+lix{82a93@`Z^Az`CkNuMrnt#b-
z3BCIV=V;a=!@t=#vQyK80L#&6+{ezvMW^rs1^ZhZfq%yXU^z<H@G#(&sKzNEd9VCK
z`qI9yO4Wt*A-||j(+~7U<c>KAl`c{=O!1)ah2Qt+CTe_T2+L*f@fi#CumbiMwM@2i
zY{@JfvG+_PkZ6?0KLmC+qSM1|lE1_%JpQ3i%KL6}#R>uZA3)!s%cOVR_QvdL5fkT9
zzAGh=L@0*{25bK_yXdaUhs>?C?w@~;JGyl2L$eKAe^0LYmj>@&dT9R00h~oNt59`s
z;j|POG1Kj@T=o0@ma6^MFMp+w77hKd(B6>GKk_l|k>=G^Hj&r6Hzp0C3yezAP@Ez5
z?3oUL0t>jW^c7~sUMA(feO{n;rvzqa^mJH`Gxp0fwI@MzECeDPF7vbpxNN}n<nkN2
zZ~JaOSXhpewB|O!rQ8DG#*Q(Y0!c$<<~HDPN-*UEk?GXqQZRS8!MA+`__3jr6-m=9
z{VPT4^ujO}3rPI=9#tv=T>~V238uZ@`_tunZa~ZLu17`=u1wVeiGf40d>cSkdE)P&
zgC|CS8aAMCM#Zj|4zQ=!7g2A*_J(82;Q9#8h1D5d4)g(*Z9aa91Q-0VzgAX#+t4^a
z;_K_%ukWZHqXeDV(*RGXGe6vV^tpZ`Al$)VwR=v!+P5Qae{4pOK|a`sW~cv`BTwlI
z<TQSmY+0&LW7^(W?z7MN@Gbq%Bt-vDBx(O!rvH)L`F~H#zo+HjN^IZ%mm!d$V$;9Q
Vns0y6u)A$IUU2=U=`UA*_}?4{JnaAg

literal 0
HcmV?d00001


From 54e71c6e23b9bf662d597f4e1361b8f25c283311 Mon Sep 17 00:00:00 2001
From: Tejas Narayan <stejasnarayan@gmail.com>
Date: Mon, 15 Jun 2026 07:47:51 +0000
Subject: [PATCH 09/12] feat: updating changes

---
 app/api/v1/routes/workspace_iam.py            |  54 ++-
 app/api/v1/routes/workspaces.py               |  29 +-
 app/core/auth/capabilities.py                 |  39 +++
 app/dependencies.py                           |  10 +-
 .../content/feature-contributors.json         |   9 +-
 .../src/components/CreateWorkspaceModal.tsx   |  10 +-
 .../iam/WorkspaceMembersSection.tsx           | 195 ++++++++---
 .../pages/callImports/CallImportDetail.tsx    |  46 ++-
 .../CallImportEvaluationDetail.tsx            |  15 +-
 .../src/pages/callImports/CallImports.tsx     | 262 +++++++-------
 frontend/src/pages/callImports/Schemas.tsx    |  12 +-
 frontend/src/pages/callImports/Tags.tsx       |   7 +
 frontend/src/pages/iam/IAM.tsx                |   5 +
 tests/test_api/test_workspace_iam.py          | 329 +++++++++++++++++-
 14 files changed, 781 insertions(+), 241 deletions(-)

diff --git a/app/api/v1/routes/workspace_iam.py b/app/api/v1/routes/workspace_iam.py
index 553829bb..85a81ce8 100644
--- a/app/api/v1/routes/workspace_iam.py
+++ b/app/api/v1/routes/workspace_iam.py
@@ -13,6 +13,7 @@
 from app.core.auth.capabilities import (
     WORKSPACE_MEMBERS_MANAGE,
     WORKSPACE_MEMBERS_VIEW,
+    capability_denied_message,
     capabilities_for_registry,
     normalize_capabilities,
 )
@@ -41,14 +42,12 @@
 router = APIRouter(tags=["Workspace IAM"])
 
 
-def _require_workspace_capability(
+def _require_workspace_in_org(
     db: Session,
     *,
-    principal: Principal,
     organization_id: UUID,
     workspace_id: UUID,
-    capability: str,
-) -> None:
+) -> Workspace:
     workspace = (
         db.query(Workspace)
         .filter(
@@ -59,7 +58,23 @@ def _require_workspace_capability(
     )
     if workspace is None:
         raise HTTPException(status_code=404, detail="Workspace not found.")
-    caps, _, _ = resolve_workspace_capabilities(
+    return workspace
+
+
+def _require_workspace_capability(
+    db: Session,
+    *,
+    principal: Principal,
+    organization_id: UUID,
+    workspace_id: UUID,
+    capability: str,
+) -> None:
+    _require_workspace_in_org(
+        db,
+        organization_id=organization_id,
+        workspace_id=workspace_id,
+    )
+    caps, _, role = resolve_workspace_capabilities(
         db,
         principal=principal,
         workspace_id=workspace_id,
@@ -68,7 +83,10 @@ def _require_workspace_capability(
     if capability not in caps:
         raise HTTPException(
             status_code=403,
-            detail=f"This action requires the '{capability}' capability in this workspace.",
+            detail=capability_denied_message(
+                capability,
+                role_name=role.name if role else None,
+            ),
         )
 
 
@@ -89,8 +107,11 @@ def _member_response(db: Session, member: WorkspaceMember) -> WorkspaceMemberRes
 
 
 @router.get("/capabilities", response_model=List[CapabilityDomainResponse])
-def list_capabilities():
+def list_capabilities(
+    organization_id: UUID = Depends(get_organization_id),
+):
     """Return the capability registry for the role-builder UI."""
+    del organization_id  # auth gate only; registry is static
     return capabilities_for_registry()
 
 
@@ -345,6 +366,19 @@ def update_workspace_member_route(
         raise HTTPException(status_code=404, detail="Role not found.")
 
     old_role = db.query(WorkspaceRole).filter(WorkspaceRole.id == member.role_id).first()
+    is_self = principal.user_id == user_id
+    if (
+        is_self
+        and is_workspace_admin_role(old_role)
+        and not is_workspace_admin_role(new_role)
+    ):
+        raise HTTPException(
+            status_code=403,
+            detail=(
+                "You cannot demote your own Workspace Admin role. "
+                "Ask another admin to change your role."
+            ),
+        )
     if is_workspace_admin_role(old_role) and not is_workspace_admin_role(new_role):
         if count_workspace_admins(db, workspace_id=workspace_id) <= 1:
             raise HTTPException(
@@ -369,6 +403,12 @@ def remove_workspace_member_route(
     organization_id: UUID = Depends(get_organization_id),
     db: Session = Depends(get_db),
 ):
+    _require_workspace_in_org(
+        db,
+        organization_id=organization_id,
+        workspace_id=workspace_id,
+    )
+
     is_self = principal.user_id == user_id
     if not is_self:
         _require_workspace_capability(
diff --git a/app/api/v1/routes/workspaces.py b/app/api/v1/routes/workspaces.py
index 81b6d076..5f7a4a8d 100644
--- a/app/api/v1/routes/workspaces.py
+++ b/app/api/v1/routes/workspaces.py
@@ -11,7 +11,7 @@
 from sqlalchemy.orm import Session
 
 from app.core.auth import Principal, get_principal
-from app.core.auth.capabilities import WORKSPACE_SETTINGS
+from app.core.auth.capabilities import WORKSPACE_SETTINGS, capability_denied_message
 from app.core.auth.rbac import get_org_role, require_admin, require_writer
 from app.database import get_db
 from app.dependencies import get_organization_id
@@ -169,18 +169,6 @@ def update_workspace(
     db: Session = Depends(get_db),
 ):
     """Rename a workspace (slug stays put to keep deep-links stable)."""
-    caps, _, _ = resolve_workspace_capabilities(
-        db,
-        principal=principal,
-        workspace_id=workspace_id,
-        organization_id=organization_id,
-    )
-    if WORKSPACE_SETTINGS not in caps:
-        raise HTTPException(
-            status_code=status.HTTP_403_FORBIDDEN,
-            detail=f"This action requires the '{WORKSPACE_SETTINGS}' capability in this workspace.",
-        )
-
     workspace = (
         db.query(Workspace)
         .filter(
@@ -192,6 +180,21 @@ def update_workspace(
     if workspace is None:
         raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Workspace not found.")
 
+    caps, _, role = resolve_workspace_capabilities(
+        db,
+        principal=principal,
+        workspace_id=workspace_id,
+        organization_id=organization_id,
+    )
+    if WORKSPACE_SETTINGS not in caps:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail=capability_denied_message(
+                WORKSPACE_SETTINGS,
+                role_name=role.name if role else None,
+            ),
+        )
+
     workspace.name = payload.name.strip()
     db.commit()
     db.refresh(workspace)
diff --git a/app/core/auth/capabilities.py b/app/core/auth/capabilities.py
index df3f1078..d814863e 100644
--- a/app/core/auth/capabilities.py
+++ b/app/core/auth/capabilities.py
@@ -135,3 +135,42 @@ def capabilities_for_registry() -> List[Dict[str, object]]:
 def _capability_label(cap: str) -> str:
     action = cap.split(".")[-1].replace("_", " ")
     return action.title()
+
+
+def required_workspace_role_label(capability: str) -> str:
+    """Return the minimum system workspace role that grants *capability*."""
+    if capability in ADMIN_EXTRA_CAPABILITIES:
+        return SYSTEM_ROLE_ADMIN
+    if capability in EDITOR_EXTRA_CAPABILITIES:
+        return SYSTEM_ROLE_EDITOR
+    return SYSTEM_ROLE_VIEWER
+
+
+def capability_denied_message(
+    capability: str,
+    *,
+    role_name: str | None = None,
+    workspace_label: str = "this workspace",
+) -> str:
+    """
+    User-facing 403 detail when a workspace capability check fails.
+
+    Maps internal capability strings to system role names (Viewer / Editor /
+    Workspace Admin) instead of exposing raw capability keys in the UI.
+    """
+    required_role = required_workspace_role_label(capability)
+
+    if required_role == SYSTEM_ROLE_ADMIN:
+        base = (
+            f"This action requires the Workspace Admin role in {workspace_label}."
+        )
+    elif required_role == SYSTEM_ROLE_EDITOR:
+        base = (
+            f"This action requires at least the Editor role in {workspace_label}."
+        )
+    else:
+        base = f"You don't have permission to perform this action in {workspace_label}."
+
+    if role_name:
+        return f"{base} Your current workspace role is {role_name}."
+    return f"{base} Ask a workspace admin to upgrade your access."
diff --git a/app/dependencies.py b/app/dependencies.py
index 72a70c1d..d2005f82 100644
--- a/app/dependencies.py
+++ b/app/dependencies.py
@@ -23,6 +23,7 @@
 from app.core.license import is_feature_enabled
 from app.database import get_db
 from app.models.database import RoleEnum, Workspace, WorkspaceMember
+from app.core.auth.capabilities import capability_denied_message
 from app.services.workspace_rbac import resolve_workspace_capabilities
 
 
@@ -220,10 +221,11 @@ def require_capability(capability: str):
     def _dep(ctx: WorkspaceContext = Depends(get_workspace_context)) -> WorkspaceContext:
         if capability not in ctx.capabilities:
             raise HTTPException(
-                status_code=status.HTTP_403_FORBIDDEN,
-                detail=(
-                    f"This action requires the '{capability}' capability "
-                    f"in the active workspace."
+                status_code=403,
+                detail=capability_denied_message(
+                    capability,
+                    role_name=ctx.role_name,
+                    workspace_label="the active workspace",
                 ),
             )
         return ctx
diff --git a/docs-fumadocs/content/feature-contributors.json b/docs-fumadocs/content/feature-contributors.json
index 584dec4e..28ca6227 100644
--- a/docs-fumadocs/content/feature-contributors.json
+++ b/docs-fumadocs/content/feature-contributors.json
@@ -136,7 +136,7 @@
         {
           "name": "Tejas Narayan",
           "email": "stejasnarayan@gmail.com",
-          "commits": 2
+          "commits": 3
         }
       ],
       "lastReviewed": "2026-06-15"
@@ -222,6 +222,11 @@
           "name": "aadhar-EAI",
           "email": "aadhar@efficientai.cloud",
           "commits": 1
+        },
+        {
+          "name": "Tejas Narayan",
+          "email": "stejasnarayan@gmail.com",
+          "commits": 1
         }
       ],
       "lastReviewed": "2026-06-15"
@@ -555,7 +560,7 @@
   ],
   "summary": {
     "featureCount": 28,
-    "contributorCount": 31,
+    "contributorCount": 32,
     "skippedBots": 0
   }
 }
diff --git a/frontend/src/components/CreateWorkspaceModal.tsx b/frontend/src/components/CreateWorkspaceModal.tsx
index 361903c7..2fa59e29 100644
--- a/frontend/src/components/CreateWorkspaceModal.tsx
+++ b/frontend/src/components/CreateWorkspaceModal.tsx
@@ -6,6 +6,7 @@ import { apiClient } from '../lib/api'
 import type { OrganizationMember, Workspace, WorkspaceRole } from '../types/api'
 import Button from './Button'
 import { useToast } from '../hooks/useToast'
+import { getApiErrorMessage } from '../lib/apiErrors'
 import { useAuthStore } from '../store/authStore'
 
 export interface PendingWorkspaceMember {
@@ -195,11 +196,10 @@ export default function CreateWorkspaceModal({
       } else {
         showToast('Workspace created', 'success')
       }
-    } catch (err: any) {
-      const detail = err?.response?.data?.detail
-      setError(
-        typeof detail === 'string' ? detail : 'Could not create workspace.',
-      )
+    } catch (err: unknown) {
+      const message = getApiErrorMessage(err, 'Could not create workspace.')
+      setError(message)
+      showToast(message, 'error')
     } finally {
       setSubmitting(false)
     }
diff --git a/frontend/src/components/iam/WorkspaceMembersSection.tsx b/frontend/src/components/iam/WorkspaceMembersSection.tsx
index cfc58e60..3a1edbc9 100644
--- a/frontend/src/components/iam/WorkspaceMembersSection.tsx
+++ b/frontend/src/components/iam/WorkspaceMembersSection.tsx
@@ -2,9 +2,16 @@ import { useEffect, useMemo, useState } from 'react'
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
 import { ChevronDown, FolderKanban, Trash2, UserPlus, Users } from 'lucide-react'
 import { apiClient } from '../../lib/api'
+import { getApiErrorMessage } from '../../lib/apiErrors'
+import { useCanWrite, useIsReader } from '../../hooks/useRole'
+import { useToast } from '../../hooks/useToast'
+import { useAuthStore } from '../../store/authStore'
 import { useWorkspaceStore } from '../../store/workspaceStore'
+import type { WorkspaceRole } from '../../types/api'
 import Button from '../Button'
-import { useToast } from '../../hooks/useToast'
+
+const SELF_DEMOTE_MESSAGE =
+  'You cannot demote your own Workspace Admin role. Ask another admin to change your role.'
 
 function workspaceCaps(caps: string[] | undefined) {
   const list = caps ?? []
@@ -14,9 +21,21 @@ function workspaceCaps(caps: string[] | undefined) {
   }
 }
 
+function isWorkspaceAdminRole(role: WorkspaceRole | undefined): boolean {
+  if (!role) return false
+  const caps = role.capabilities ?? []
+  return (
+    caps.includes('workspace.settings') &&
+    caps.includes('workspace.members.manage')
+  )
+}
+
 export default function WorkspaceMembersSection() {
   const queryClient = useQueryClient()
   const { showToast, ToastContainer } = useToast()
+  const canWrite = useCanWrite()
+  const isReader = useIsReader()
+  const currentUserId = useAuthStore((s) => s.user?.id ?? null)
   const activeWorkspaceId = useWorkspaceStore((s) => s.activeWorkspaceId)
   const [selectedWorkspaceId, setSelectedWorkspaceId] = useState<string | null>(null)
   const [showAdd, setShowAdd] = useState(false)
@@ -44,16 +63,26 @@ export default function WorkspaceMembersSection() {
     [workspaces, selectedWorkspaceId],
   )
 
-  const { canViewMembers, canManageMembers } = workspaceCaps(
+  const { canViewMembers, canManageMembers: wsCanManageMembers } = workspaceCaps(
     selectedWorkspace?.capabilities,
   )
+  const canManageMembers = wsCanManageMembers && canWrite
 
-  const { data: members = [], isLoading: membersLoading } = useQuery({
+  const {
+    data: members = [],
+    isLoading: membersLoading,
+    error: membersError,
+  } = useQuery({
     queryKey: ['workspace-members', selectedWorkspaceId],
     queryFn: () => apiClient.listWorkspaceMembers(selectedWorkspaceId!),
     enabled: Boolean(selectedWorkspaceId) && canViewMembers,
   })
 
+  useEffect(() => {
+    if (!membersError) return
+    showToast(getApiErrorMessage(membersError, 'Failed to load members'), 'error')
+  }, [membersError, showToast])
+
   const { data: orgUsers = [] } = useQuery({
     queryKey: ['iam', 'users'],
     queryFn: () => apiClient.listOrganizationUsers(),
@@ -79,8 +108,8 @@ export default function WorkspaceMembersSection() {
       setSelectedRoleId('')
       showToast('Member added', 'success')
     },
-    onError: (error: any) => {
-      showToast(error.response?.data?.detail || 'Failed to add member', 'error')
+    onError: (error: unknown) => {
+      showToast(getApiErrorMessage(error, 'Failed to add member'), 'error')
     },
   })
 
@@ -93,6 +122,9 @@ export default function WorkspaceMembersSection() {
       queryClient.invalidateQueries({ queryKey: ['workspace-members'] })
       showToast('Role updated', 'success')
     },
+    onError: (error: unknown) => {
+      showToast(getApiErrorMessage(error, 'Failed to update role'), 'error')
+    },
   })
 
   const removeMutation = useMutation({
@@ -102,11 +134,58 @@ export default function WorkspaceMembersSection() {
       queryClient.invalidateQueries({ queryKey: ['workspace-members'] })
       showToast('Member removed', 'success')
     },
+    onError: (error: unknown) => {
+      showToast(getApiErrorMessage(error, 'Failed to remove member'), 'error')
+    },
   })
 
+  const handleRoleChange = (
+    member: { user_id: string; role_id: string },
+    newRoleId: string,
+  ) => {
+    if (newRoleId === member.role_id) return
+
+    if (!canWrite) {
+      showToast(
+        "Your account has the 'reader' role and cannot create, update, or delete resources.",
+        'error',
+      )
+      return
+    }
+
+    const oldRole = roles.find((r) => r.id === member.role_id)
+    const newRole = roles.find((r) => r.id === newRoleId)
+    if (
+      member.user_id === currentUserId &&
+      isWorkspaceAdminRole(oldRole) &&
+      !isWorkspaceAdminRole(newRole)
+    ) {
+      showToast(SELF_DEMOTE_MESSAGE, 'error')
+      return
+    }
+
+    updateMutation.mutate({ userId: member.user_id, roleId: newRoleId })
+  }
+
+  const handleRemoveMember = (userId: string) => {
+    if (!canWrite) {
+      showToast(
+        "Your account has the 'reader' role and cannot create, update, or delete resources.",
+        'error',
+      )
+      return
+    }
+    removeMutation.mutate(userId)
+  }
+
   const memberUserIds = new Set(members.map((m) => m.user_id))
   const availableUsers = orgUsers.filter((u) => !memberUserIds.has(u.user_id))
 
+  const showReaderNote =
+    isReader &&
+    wsCanManageMembers &&
+    selectedWorkspace?.role_name === 'Workspace Admin'
+
   return (
     <div className="bg-white shadow rounded-lg">
       <ToastContainer />
@@ -175,6 +254,12 @@ export default function WorkspaceMembersSection() {
               )}
             </p>
           )}
+          {showReaderNote && (
+            <p className="mt-2 text-xs text-amber-700 bg-amber-50 border border-amber-200 rounded-md px-3 py-2">
+              Your organization role is Reader, so member management is read-only
+              even though you hold the Workspace Admin role in this workspace.
+            </p>
+          )}
         </div>
 
         {!selectedWorkspaceId ? (
@@ -253,56 +338,60 @@ export default function WorkspaceMembersSection() {
                         </td>
                       </tr>
                     ) : (
-                      members.map((member) => (
-                        <tr key={member.id}>
-                          <td className="px-4 py-3 text-sm">
-                            <div className="font-medium text-gray-900">
-                              {member.user_email}
-                            </div>
-                            {member.user_name && (
-                              <div className="text-gray-500">
-                                {member.user_name}
+                      members.map((member) => {
+                        const memberRole = roles.find((r) => r.id === member.role_id)
+                        const isSelfAdmin =
+                          member.user_id === currentUserId &&
+                          isWorkspaceAdminRole(memberRole)
+
+                        return (
+                          <tr key={member.id}>
+                            <td className="px-4 py-3 text-sm">
+                              <div className="font-medium text-gray-900">
+                                {member.user_email}
                               </div>
-                            )}
-                          </td>
-                          <td className="px-4 py-3 text-sm">
-                            {canManageMembers ? (
-                              <select
-                                value={member.role_id}
-                                onChange={(e) =>
-                                  updateMutation.mutate({
-                                    userId: member.user_id,
-                                    roleId: e.target.value,
-                                  })
-                                }
-                                className="px-2 py-1 border border-gray-200 rounded text-sm"
-                              >
-                                {roles.map((r) => (
-                                  <option key={r.id} value={r.id}>
-                                    {r.name}
-                                  </option>
-                                ))}
-                              </select>
-                            ) : (
-                              member.role_name
-                            )}
-                          </td>
-                          {canManageMembers && (
-                            <td className="px-4 py-3 text-right">
-                              <button
-                                type="button"
-                                onClick={() =>
-                                  removeMutation.mutate(member.user_id)
-                                }
-                                className="text-red-600 hover:text-red-800"
-                                title="Remove member"
-                              >
-                                <Trash2 className="h-4 w-4" />
-                              </button>
+                              {member.user_name && (
+                                <div className="text-gray-500">
+                                  {member.user_name}
+                                </div>
+                              )}
+                            </td>
+                            <td className="px-4 py-3 text-sm">
+                              {canManageMembers && !isSelfAdmin ? (
+                                <select
+                                  value={member.role_id}
+                                  onChange={(e) =>
+                                    handleRoleChange(member, e.target.value)
+                                  }
+                                  className="px-2 py-1 border border-gray-200 rounded text-sm"
+                                >
+                                  {roles.map((r) => (
+                                    <option key={r.id} value={r.id}>
+                                      {r.name}
+                                    </option>
+                                  ))}
+                                </select>
+                              ) : (
+                                member.role_name
+                              )}
                             </td>
-                          )}
-                        </tr>
-                      ))
+                            {canManageMembers && (
+                              <td className="px-4 py-3 text-right">
+                                <button
+                                  type="button"
+                                  onClick={() =>
+                                    handleRemoveMember(member.user_id)
+                                  }
+                                  className="text-red-600 hover:text-red-800"
+                                  title="Remove member"
+                                >
+                                  <Trash2 className="h-4 w-4" />
+                                </button>
+                              </td>
+                            )}
+                          </tr>
+                        )
+                      })
                     )}
                   </tbody>
                 </table>
diff --git a/frontend/src/pages/callImports/CallImportDetail.tsx b/frontend/src/pages/callImports/CallImportDetail.tsx
index 7c3fb670..75366da0 100644
--- a/frontend/src/pages/callImports/CallImportDetail.tsx
+++ b/frontend/src/pages/callImports/CallImportDetail.tsx
@@ -32,6 +32,8 @@ import {
   XCircle,
 } from 'lucide-react'
 import { apiClient } from '../../lib/api'
+import { getApiErrorMessage } from '../../lib/apiErrors'
+import { useToast } from '../../hooks/useToast'
 import { formatDiarisationError } from '../../lib/diarisationErrors'
 import { useWorkspaceStore } from '../../store/workspaceStore'
 import type {
@@ -246,6 +248,7 @@ export default function CallImportDetail() {
   const { id } = useParams<{ id: string }>()
   const navigate = useNavigate()
   const queryClient = useQueryClient()
+  const { showToast, ToastContainer } = useToast()
   const activeWorkspaceId = useWorkspaceStore((s) => s.activeWorkspaceId)
   const [rowOffset, setRowOffset] = useState(0)
   const [expandedRowIds, setExpandedRowIds] = useState<Set<string>>(new Set())
@@ -344,6 +347,16 @@ export default function CallImportDetail() {
     null,
   )
 
+  const reportDeleteError = (
+    err: unknown,
+    fallback: string,
+    setError: (message: string) => void,
+  ) => {
+    const message = getApiErrorMessage(err, fallback)
+    setError(message)
+    showToast(message, 'error')
+  }
+
   const [playingRowId, setPlayingRowId] = useState<string | null>(null)
   const [audioUrl, setAudioUrl] = useState<string | null>(null)
   const [isPlaying, setIsPlaying] = useState(false)
@@ -540,10 +553,8 @@ export default function CallImportDetail() {
       queryClient.invalidateQueries({ queryKey: ['call-imports'] })
       navigate('/call-imports')
     },
-    onError: (err: any) => {
-      setDeleteError(
-        err?.response?.data?.detail || err?.message || 'Failed to delete import.',
-      )
+    onError: (err: unknown) => {
+      reportDeleteError(err, 'Failed to delete import.', setDeleteError)
     },
   })
 
@@ -606,10 +617,8 @@ export default function CallImportDetail() {
       setPendingDeleteRow(null)
       setDeleteError(null)
     },
-    onError: (err: any) => {
-      setDeleteError(
-        err?.response?.data?.detail || err?.message || 'Failed to delete row.',
-      )
+    onError: (err: unknown) => {
+      reportDeleteError(err, 'Failed to delete row.', setDeleteError)
     },
   })
 
@@ -623,11 +632,11 @@ export default function CallImportDetail() {
       setShowBulkDeleteRows(false)
       setBulkDeleteRowsError(null)
     },
-    onError: (err: any) => {
-      setBulkDeleteRowsError(
-        err?.response?.data?.detail ||
-          err?.message ||
-          'Failed to delete selected rows.',
+    onError: (err: unknown) => {
+      reportDeleteError(
+        err,
+        'Failed to delete selected rows.',
+        setBulkDeleteRowsError,
       )
     },
   })
@@ -1105,11 +1114,11 @@ export default function CallImportDetail() {
       setShowBulkDeleteEvals(false)
       setBulkDeleteEvalsError(null)
     },
-    onError: (err: any) => {
-      setBulkDeleteEvalsError(
-        err?.response?.data?.detail ||
-          err?.message ||
-          'Failed to delete evaluation runs.',
+    onError: (err: unknown) => {
+      reportDeleteError(
+        err,
+        'Failed to delete evaluation runs.',
+        setBulkDeleteEvalsError,
       )
     },
   })
@@ -1436,6 +1445,7 @@ export default function CallImportDetail() {
 
   return (
     <div className="space-y-6">
+      <ToastContainer />
       <div className="flex items-center justify-between">
         <Link
           to="/call-imports"
diff --git a/frontend/src/pages/callImports/CallImportEvaluationDetail.tsx b/frontend/src/pages/callImports/CallImportEvaluationDetail.tsx
index 60bab397..6a3aa249 100644
--- a/frontend/src/pages/callImports/CallImportEvaluationDetail.tsx
+++ b/frontend/src/pages/callImports/CallImportEvaluationDetail.tsx
@@ -58,6 +58,8 @@ import {
   YAxis,
 } from 'recharts'
 import { apiClient, type ReportBranding } from '../../lib/api'
+import { getApiErrorMessage } from '../../lib/apiErrors'
+import { useToast } from '../../hooks/useToast'
 import type {
   CallImportEvaluation,
   CallImportEvaluationBaselineCandidate,
@@ -350,6 +352,7 @@ export default function CallImportEvaluationDetail() {
   const { id, evalId } = useParams<{ id: string; evalId: string }>()
   const navigate = useNavigate()
   const queryClient = useQueryClient()
+  const { showToast, ToastContainer } = useToast()
   const [searchParams] = useSearchParams()
   const deepLinkConversationId =
     searchParams.get('conversation_id')?.trim() || ''
@@ -928,10 +931,10 @@ export default function CallImportEvaluationDetail() {
       setPendingDeleteRow(null)
       setRowDeleteError(null)
     },
-    onError: (err: any) => {
-      setRowDeleteError(
-        err?.response?.data?.detail || err?.message || 'Failed to delete row.',
-      )
+    onError: (err: unknown) => {
+      const message = getApiErrorMessage(err, 'Failed to delete row.')
+      setRowDeleteError(message)
+      showToast(message, 'error')
     },
   })
 
@@ -943,6 +946,9 @@ export default function CallImportEvaluationDetail() {
       })
       navigate(`/call-imports/${id}`)
     },
+    onError: (err: unknown) => {
+      showToast(getApiErrorMessage(err, 'Failed to delete evaluation run.'), 'error')
+    },
   })
 
   // Re-enqueue every failed row in this run. The backend filters to
@@ -2075,6 +2081,7 @@ export default function CallImportEvaluationDetail() {
 
   return (
     <div className="space-y-6">
+      <ToastContainer />
       <div className="flex items-center justify-between gap-3 flex-wrap">
         <Link
           to={`/call-imports/${id}`}
diff --git a/frontend/src/pages/callImports/CallImports.tsx b/frontend/src/pages/callImports/CallImports.tsx
index cefcab6f..c546adc7 100644
--- a/frontend/src/pages/callImports/CallImports.tsx
+++ b/frontend/src/pages/callImports/CallImports.tsx
@@ -1,31 +1,33 @@
 import { useMemo, useState } from 'react'
 import { Link, useNavigate } from 'react-router-dom'
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
-import {
-  ChevronLeft,
-  ChevronRight,
-  FileAudio,
-  FileSpreadsheet,
-  Layers,
-  Phone,
-  RefreshCw,
+import {
+  ChevronLeft,
+  ChevronRight,
+  FileAudio,
+  FileSpreadsheet,
+  Layers,
+  Phone,
+  RefreshCw,
   Trash2,
   Upload,
 } from 'lucide-react'
 import { Tag as TagIcon } from 'lucide-react'
 import { apiClient } from '../../lib/api'
+import { getApiErrorMessage } from '../../lib/apiErrors'
+import { useToast } from '../../hooks/useToast'
 import { useWorkspaceStore } from '../../store/workspaceStore'
 import type { CallImport, CallImportStatus, CallImportTag } from '../../types/api'
 import Button from '../../components/Button'
 import ConfirmModal from '../../components/ConfirmModal'
-import StatusBadge from '../../components/shared/StatusBadge'
-import CallImportProgressBar from './components/CallImportProgressBar'
-import UploadAudioModal from './components/UploadAudioModal'
-import UploadCsvModal from './components/UploadCsvModal'
+import StatusBadge from '../../components/shared/StatusBadge'
+import CallImportProgressBar from './components/CallImportProgressBar'
+import UploadAudioModal from './components/UploadAudioModal'
+import UploadCsvModal from './components/UploadCsvModal'
 
 const PAGE_SIZE = 20
 
-const STATUS_OPTIONS: Array<{ label: string; value: '' | CallImportStatus }> = [
+const STATUS_OPTIONS: Array<{ label: string; value: '' | CallImportStatus }> = [
   { label: 'All statuses', value: '' },
   { label: 'Uploaded', value: 'uploaded' },
   { label: 'Mapped', value: 'mapped' },
@@ -33,25 +35,26 @@ const STATUS_OPTIONS: Array<{ label: string; value: '' | CallImportStatus }> = [
   { label: 'Processing', value: 'processing' },
   { label: 'Completed', value: 'completed' },
   { label: 'Partial', value: 'partial' },
-  { label: 'Failed', value: 'failed' },
-]
-
-type UploadTab = 'datasets' | 'audio'
+  { label: 'Failed', value: 'failed' },
+]
+
+type UploadTab = 'datasets' | 'audio'
 
 export default function CallImports() {
   const navigate = useNavigate()
   const queryClient = useQueryClient()
+  const { showToast, ToastContainer } = useToast()
   // Active workspace is part of every workspace-scoped queryKey so a
   // workspace switch produces a clean cache miss instead of leaking
   // rows from the previously-active workspace.
   const activeWorkspaceId = useWorkspaceStore((s) => s.activeWorkspaceId)
   const [page, setPage] = useState(1)
-  const [statusFilter, setStatusFilter] = useState<'' | CallImportStatus>('')
-  const [datasetFilter, setDatasetFilter] = useState<string>('')
-  const [tagFilter, setTagFilter] = useState<string[]>([])
-  const [activeTab, setActiveTab] = useState<UploadTab>('datasets')
-  const [showUpload, setShowUpload] = useState(false)
-  const [showAudioUpload, setShowAudioUpload] = useState(false)
+  const [statusFilter, setStatusFilter] = useState<'' | CallImportStatus>('')
+  const [datasetFilter, setDatasetFilter] = useState<string>('')
+  const [tagFilter, setTagFilter] = useState<string[]>([])
+  const [activeTab, setActiveTab] = useState<UploadTab>('datasets')
+  const [showUpload, setShowUpload] = useState(false)
+  const [showAudioUpload, setShowAudioUpload] = useState(false)
   const [pendingDelete, setPendingDelete] = useState<CallImport | null>(null)
   const [deleteError, setDeleteError] = useState<string | null>(null)
 
@@ -72,10 +75,10 @@ export default function CallImports() {
       setPendingDelete(null)
       setDeleteError(null)
     },
-    onError: (err: any) => {
-      setDeleteError(
-        err?.response?.data?.detail || err?.message || 'Failed to delete import.',
-      )
+    onError: (err: unknown) => {
+      const message = getApiErrorMessage(err, 'Failed to delete import.')
+      setDeleteError(message)
+      showToast(message, 'error')
     },
   })
 
@@ -83,13 +86,13 @@ export default function CallImports() {
     () => ({
       page,
       page_size: PAGE_SIZE,
-      ...(statusFilter ? { status: statusFilter } : {}),
-      ...(datasetFilter ? { dataset: datasetFilter } : {}),
-      ...(tagFilter.length > 0 ? { tag_id: tagFilter } : {}),
-      source_format: activeTab === 'audio' ? 'audio' : '__non_audio__',
-    }),
-    [page, statusFilter, datasetFilter, tagFilter, activeTab],
-  )
+      ...(statusFilter ? { status: statusFilter } : {}),
+      ...(datasetFilter ? { dataset: datasetFilter } : {}),
+      ...(tagFilter.length > 0 ? { tag_id: tagFilter } : {}),
+      source_format: activeTab === 'audio' ? 'audio' : '__non_audio__',
+    }),
+    [page, statusFilter, datasetFilter, tagFilter, activeTab],
+  )
 
   const { data, isLoading, isFetching, refetch } = useQuery({
     queryKey: ['call-imports', activeWorkspaceId, queryParams],
@@ -109,13 +112,14 @@ export default function CallImports() {
 
   return (
     <div className="space-y-6">
+      <ToastContainer />
       <div className="flex justify-between items-center">
         <div>
-          <h1 className="text-3xl font-bold text-gray-900">Call Imports</h1>
-          <p className="mt-2 text-sm text-gray-600">
-            Upload datasets from CSV / Excel, or add manual call recordings
-            directly and use the same diarisation and evaluation tools.
-          </p>
+          <h1 className="text-3xl font-bold text-gray-900">Call Imports</h1>
+          <p className="mt-2 text-sm text-gray-600">
+            Upload datasets from CSV / Excel, or add manual call recordings
+            directly and use the same diarisation and evaluation tools.
+          </p>
         </div>
         <div className="flex gap-3">
           <Link to="/call-imports/schemas">
@@ -133,16 +137,16 @@ export default function CallImports() {
             >
               Manage Tags
             </Button>
-          </Link>
-          <Button
-            variant="primary"
-            onClick={() =>
-              activeTab === 'audio' ? setShowAudioUpload(true) : setShowUpload(true)
-            }
-            leftIcon={<Upload className="h-5 w-5" />}
-          >
-            {activeTab === 'audio' ? 'Upload Audio' : 'Upload CSV'}
-          </Button>
+          </Link>
+          <Button
+            variant="primary"
+            onClick={() =>
+              activeTab === 'audio' ? setShowAudioUpload(true) : setShowUpload(true)
+            }
+            leftIcon={<Upload className="h-5 w-5" />}
+          >
+            {activeTab === 'audio' ? 'Upload Audio' : 'Upload CSV'}
+          </Button>
           <Button
             variant="secondary"
             onClick={() => refetch()}
@@ -151,43 +155,43 @@ export default function CallImports() {
           >
             Refresh
           </Button>
-        </div>
-      </div>
-
-      <div className="bg-white shadow rounded-lg p-1 inline-flex gap-1">
-        <button
-          type="button"
-          onClick={() => {
-            setActiveTab('datasets')
-            setPage(1)
-          }}
-          className={`flex items-center gap-2 px-4 py-2 rounded-md text-sm font-medium transition-colors ${
-            activeTab === 'datasets'
-              ? 'bg-primary-50 text-primary-700'
-              : 'text-gray-600 hover:bg-gray-50 hover:text-gray-900'
-          }`}
-        >
-          <FileSpreadsheet className="h-4 w-4" />
-          CSV / Dataset Uploads
-        </button>
-        <button
-          type="button"
-          onClick={() => {
-            setActiveTab('audio')
-            setPage(1)
-          }}
-          className={`flex items-center gap-2 px-4 py-2 rounded-md text-sm font-medium transition-colors ${
-            activeTab === 'audio'
-              ? 'bg-primary-50 text-primary-700'
-              : 'text-gray-600 hover:bg-gray-50 hover:text-gray-900'
-          }`}
-        >
-          <FileAudio className="h-4 w-4" />
-          Call Imports / Uploads
-        </button>
-      </div>
-
-      {/*
+        </div>
+      </div>
+
+      <div className="bg-white shadow rounded-lg p-1 inline-flex gap-1">
+        <button
+          type="button"
+          onClick={() => {
+            setActiveTab('datasets')
+            setPage(1)
+          }}
+          className={`flex items-center gap-2 px-4 py-2 rounded-md text-sm font-medium transition-colors ${
+            activeTab === 'datasets'
+              ? 'bg-primary-50 text-primary-700'
+              : 'text-gray-600 hover:bg-gray-50 hover:text-gray-900'
+          }`}
+        >
+          <FileSpreadsheet className="h-4 w-4" />
+          CSV / Dataset Uploads
+        </button>
+        <button
+          type="button"
+          onClick={() => {
+            setActiveTab('audio')
+            setPage(1)
+          }}
+          className={`flex items-center gap-2 px-4 py-2 rounded-md text-sm font-medium transition-colors ${
+            activeTab === 'audio'
+              ? 'bg-primary-50 text-primary-700'
+              : 'text-gray-600 hover:bg-gray-50 hover:text-gray-900'
+          }`}
+        >
+          <FileAudio className="h-4 w-4" />
+          Call Imports / Uploads
+        </button>
+      </div>
+
+      {/*
         High-level dataset segregation lives at the top of the page so users can
         scope all filtering/searching that follows to a specific dataset. We
         intentionally render this above the main card to make it visually
@@ -289,11 +293,11 @@ export default function CallImports() {
                 )}
               </div>
             )}
-          </div>
-          <p className="text-sm text-gray-500">
-            {total} {activeTab === 'audio' ? 'manual upload' : 'dataset import'}
-            {total === 1 ? '' : 's'}
-          </p>
+          </div>
+          <p className="text-sm text-gray-500">
+            {total} {activeTab === 'audio' ? 'manual upload' : 'dataset import'}
+            {total === 1 ? '' : 's'}
+          </p>
         </div>
 
         {isLoading ? (
@@ -303,30 +307,30 @@ export default function CallImports() {
           </div>
         ) : items.length === 0 ? (
           <div className="text-center py-12">
-            <Phone className="h-12 w-12 mx-auto mb-3 text-gray-300" />
-            <p className="text-gray-500 mb-3">
-              {statusFilter
-                ? 'No imports match this filter.'
-                : activeTab === 'audio'
-                  ? 'No manual audio uploads yet.'
-                  : 'No dataset uploads yet.'}
-            </p>
-            {!statusFilter && (
-              <Button
-                variant="ghost"
-                size="sm"
-                onClick={() =>
-                  activeTab === 'audio'
-                    ? setShowAudioUpload(true)
-                    : setShowUpload(true)
-                }
-                leftIcon={<Upload className="h-4 w-4" />}
-              >
-                {activeTab === 'audio'
-                  ? 'Upload your first recording'
-                  : 'Upload your first CSV'}
-              </Button>
-            )}
+            <Phone className="h-12 w-12 mx-auto mb-3 text-gray-300" />
+            <p className="text-gray-500 mb-3">
+              {statusFilter
+                ? 'No imports match this filter.'
+                : activeTab === 'audio'
+                  ? 'No manual audio uploads yet.'
+                  : 'No dataset uploads yet.'}
+            </p>
+            {!statusFilter && (
+              <Button
+                variant="ghost"
+                size="sm"
+                onClick={() =>
+                  activeTab === 'audio'
+                    ? setShowAudioUpload(true)
+                    : setShowUpload(true)
+                }
+                leftIcon={<Upload className="h-4 w-4" />}
+              >
+                {activeTab === 'audio'
+                  ? 'Upload your first recording'
+                  : 'Upload your first CSV'}
+              </Button>
+            )}
           </div>
         ) : (
           <div className="overflow-x-auto">
@@ -372,12 +376,12 @@ export default function CallImports() {
                       </div>
                     </td>
                     <td className="px-6 py-4 whitespace-nowrap text-sm text-gray-700 capitalize">
-                      {item.source_format === 'audio' ? (
-                        <span className="inline-flex items-center gap-1 normal-case text-gray-700">
-                          <FileAudio className="h-3.5 w-3.5" />
-                          Manual upload
-                        </span>
-                      ) : item.provider || (
+                      {item.source_format === 'audio' ? (
+                        <span className="inline-flex items-center gap-1 normal-case text-gray-700">
+                          <FileAudio className="h-3.5 w-3.5" />
+                          Manual upload
+                        </span>
+                      ) : item.provider || (
                         <span className="text-gray-400 italic normal-case">
                           —
                         </span>
@@ -488,14 +492,14 @@ export default function CallImports() {
           </div>
         )}
       </div>
-
-      <UploadCsvModal open={showUpload} onClose={() => setShowUpload(false)} />
-      <UploadAudioModal
-        open={showAudioUpload}
-        onClose={() => setShowAudioUpload(false)}
-      />
-
-      <ConfirmModal
+
+      <UploadCsvModal open={showUpload} onClose={() => setShowUpload(false)} />
+      <UploadAudioModal
+        open={showAudioUpload}
+        onClose={() => setShowAudioUpload(false)}
+      />
+
+      <ConfirmModal
         isOpen={pendingDelete !== null}
         title="Delete call import?"
         description={(() => {
diff --git a/frontend/src/pages/callImports/Schemas.tsx b/frontend/src/pages/callImports/Schemas.tsx
index 6cb1b8ef..d503ca1d 100644
--- a/frontend/src/pages/callImports/Schemas.tsx
+++ b/frontend/src/pages/callImports/Schemas.tsx
@@ -13,6 +13,8 @@ import {
   X,
 } from 'lucide-react'
 import { apiClient } from '../../lib/api'
+import { getApiErrorMessage } from '../../lib/apiErrors'
+import { useToast } from '../../hooks/useToast'
 import type {
   CallImportSchema,
   CallImportSchemaParameter,
@@ -625,6 +627,7 @@ function DeleteSchemaModal({
 
 export default function CallImportSchemasPage() {
   const queryClient = useQueryClient()
+  const { showToast, ToastContainer } = useToast()
   const [editorOpen, setEditorOpen] = useState(false)
   const [editingSchema, setEditingSchema] = useState<CallImportSchema | null>(null)
   const [pendingDelete, setPendingDelete] = useState<CallImportSchema | null>(null)
@@ -650,10 +653,10 @@ export default function CallImportSchemasPage() {
       setPendingDelete(null)
       setDeleteError(null)
     },
-    onError: (err: any) => {
-      setDeleteError(
-        err?.response?.data?.detail || err?.message || 'Failed to delete schema.',
-      )
+    onError: (err: unknown) => {
+      const message = getApiErrorMessage(err, 'Failed to delete schema.')
+      setDeleteError(message)
+      showToast(message, 'error')
     },
   })
 
@@ -665,6 +668,7 @@ export default function CallImportSchemasPage() {
 
   return (
     <div className="space-y-6">
+      <ToastContainer />
       <div className="flex items-center justify-between">
         <Link
           to="/call-imports"
diff --git a/frontend/src/pages/callImports/Tags.tsx b/frontend/src/pages/callImports/Tags.tsx
index 5cb799c5..201d276b 100644
--- a/frontend/src/pages/callImports/Tags.tsx
+++ b/frontend/src/pages/callImports/Tags.tsx
@@ -11,6 +11,8 @@ import {
   X,
 } from 'lucide-react'
 import { apiClient } from '../../lib/api'
+import { getApiErrorMessage } from '../../lib/apiErrors'
+import { useToast } from '../../hooks/useToast'
 import type { CallImportTag } from '../../types/api'
 import Button from '../../components/Button'
 import ConfirmModal from '../../components/ConfirmModal'
@@ -19,6 +21,7 @@ const DEFAULT_NEW_TAG_COLOR = '#3b82f6'
 
 export default function CallImportTagsPage() {
   const queryClient = useQueryClient()
+  const { showToast, ToastContainer } = useToast()
   const [creating, setCreating] = useState(false)
   const [newName, setNewName] = useState('')
   const [newColor, setNewColor] = useState(DEFAULT_NEW_TAG_COLOR)
@@ -64,10 +67,14 @@ export default function CallImportTagsPage() {
       queryClient.invalidateQueries({ queryKey: ['call-imports'] })
       setPendingDelete(null)
     },
+    onError: (err: unknown) => {
+      showToast(getApiErrorMessage(err, 'Failed to delete tag.'), 'error')
+    },
   })
 
   return (
     <div className="space-y-6">
+      <ToastContainer />
       <div className="flex items-center justify-between">
         <Link
           to="/call-imports"
diff --git a/frontend/src/pages/iam/IAM.tsx b/frontend/src/pages/iam/IAM.tsx
index bd21f5ac..5001d2f5 100644
--- a/frontend/src/pages/iam/IAM.tsx
+++ b/frontend/src/pages/iam/IAM.tsx
@@ -6,6 +6,7 @@ import { Role, Invitation, OrganizationMember, InvitationCreate } from '../../ty
 import { Users, Mail, UserPlus, Shield, ShieldCheck, ShieldAlert, X, Trash2, KeyRound, Eye, EyeOff, Building2, Copy, Check } from 'lucide-react'
 import Button from '../../components/Button'
 import { useToast } from '../../hooks/useToast'
+import { getApiErrorMessage } from '../../lib/apiErrors'
 import { useIsAdmin } from '../../hooks/useRole'
 import WorkspaceRolesSection from '../../components/WorkspaceRolesSection'
 import WorkspaceMembersSection from '../../components/iam/WorkspaceMembersSection'
@@ -96,6 +97,10 @@ export default function IAM() {
       setShowInviteModal(false)
       setInviteEmail('')
       setInviteRole(Role.READER)
+      showToast('Invitation sent', 'success')
+    },
+    onError: (error: unknown) => {
+      showToast(getApiErrorMessage(error, 'Failed to send invitation'), 'error')
     },
   })
 
diff --git a/tests/test_api/test_workspace_iam.py b/tests/test_api/test_workspace_iam.py
index 5c9f60f6..5fab8b69 100644
--- a/tests/test_api/test_workspace_iam.py
+++ b/tests/test_api/test_workspace_iam.py
@@ -3,6 +3,7 @@
 from __future__ import annotations
 
 from uuid import uuid4
+from unittest.mock import patch
 
 import pytest
 from fastapi import FastAPI
@@ -13,6 +14,7 @@
     METRICS_VIEW,
     SYSTEM_ROLE_ADMIN,
     SYSTEM_ROLE_VIEWER,
+    WORKSPACE_MEMBERS_MANAGE,
 )
 from app.core.auth.principal import AuthMethod, Principal
 from app.core.auth.dependency import get_principal
@@ -47,7 +49,8 @@ def rbac_org(db_session):
 def rbac_users(db_session, rbac_org):
     admin = User(id=uuid4(), email="admin@test.local", name="Admin")
     viewer = User(id=uuid4(), email="viewer@test.local", name="Viewer")
-    db_session.add_all([admin, viewer])
+    writer = User(id=uuid4(), email="writer@test.local", name="Writer")
+    db_session.add_all([admin, viewer, writer])
     db_session.add_all(
         [
             OrganizationMember(
@@ -60,10 +63,15 @@ def rbac_users(db_session, rbac_org):
                 user_id=viewer.id,
                 role=RoleEnum.READER,
             ),
+            OrganizationMember(
+                organization_id=rbac_org.id,
+                user_id=writer.id,
+                role=RoleEnum.WRITER,
+            ),
         ]
     )
     db_session.commit()
-    return {"admin": admin, "viewer": viewer}
+    return {"admin": admin, "viewer": viewer, "writer": writer}
 
 
 @pytest.fixture
@@ -214,3 +222,320 @@ def _override_db():
     with TestClient(app) as client:
         allowed = client.get(f"/api/v1/workspaces/{ws_b.id}/members")
     assert allowed.status_code == 200
+
+
+def _iam_test_app(db_session, principal_factory):
+    app = FastAPI()
+    app.include_router(workspace_iam.router, prefix="/api/v1")
+
+    def _override_db():
+        yield db_session
+
+    app.dependency_overrides[get_db] = _override_db
+    app.dependency_overrides[get_principal] = principal_factory
+    return app
+
+
+def test_list_capabilities_requires_auth():
+    app = FastAPI()
+    app.include_router(workspace_iam.router, prefix="/api/v1")
+
+    with TestClient(app) as client:
+        response = client.get("/api/v1/capabilities")
+    assert response.status_code == 401
+
+
+def test_list_capabilities_with_auth(db_session, rbac_org, rbac_users):
+    app = _iam_test_app(
+        db_session,
+        lambda: Principal(
+            organization_id=rbac_org.id,
+            auth_method=AuthMethod.LOCAL_PASSWORD,
+            user_id=rbac_users["admin"].id,
+        ),
+    )
+    app.dependency_overrides[get_organization_id] = lambda: rbac_org.id
+
+    with TestClient(app) as client:
+        response = client.get("/api/v1/capabilities")
+    assert response.status_code == 200
+    assert isinstance(response.json(), list)
+    assert len(response.json()) > 0
+
+
+def test_org_reader_workspace_admin_capabilities_but_writes_blocked(
+    db_session, rbac_org, rbac_users, rbac_workspace
+):
+    roles = seed_system_workspace_roles(db_session, organization_id=rbac_org.id)
+    add_workspace_member(
+        db_session,
+        workspace_id=rbac_workspace.id,
+        user_id=rbac_users["viewer"].id,
+        role_id=roles[SYSTEM_ROLE_ADMIN].id,
+    )
+    db_session.commit()
+
+    principal = Principal(
+        organization_id=rbac_org.id,
+        auth_method=AuthMethod.LOCAL_PASSWORD,
+        user_id=rbac_users["viewer"].id,
+    )
+    caps, _, _ = resolve_workspace_capabilities(
+        db_session,
+        principal=principal,
+        workspace_id=rbac_workspace.id,
+        organization_id=rbac_org.id,
+    )
+    assert WORKSPACE_MEMBERS_MANAGE in caps
+
+    from app.core.rbac_middleware import ReaderReadOnlyMiddleware
+
+    app = FastAPI()
+    app.add_middleware(ReaderReadOnlyMiddleware)
+    app.include_router(workspace_iam.router, prefix="/api/v1")
+
+    def _override_db():
+        yield db_session
+
+    app.dependency_overrides[get_db] = _override_db
+    app.dependency_overrides[get_organization_id] = lambda: rbac_org.id
+    app.dependency_overrides[get_principal] = lambda: principal
+
+    target_user = User(id=uuid4(), email="target@test.local", name="Target")
+    db_session.add(target_user)
+    db_session.add(
+        OrganizationMember(
+            organization_id=rbac_org.id,
+            user_id=target_user.id,
+            role=RoleEnum.READER,
+        )
+    )
+    db_session.flush()
+    add_workspace_member(
+        db_session,
+        workspace_id=rbac_workspace.id,
+        user_id=target_user.id,
+        role_id=roles[SYSTEM_ROLE_VIEWER].id,
+    )
+    db_session.commit()
+
+    editor_role = roles["Editor"]
+
+    with patch("app.core.rbac_middleware._resolve_principal", return_value=principal), patch(
+        "app.core.rbac_middleware.get_org_role",
+        return_value=RoleEnum.READER,
+    ):
+        with TestClient(app) as client:
+            get_resp = client.get(
+                f"/api/v1/workspaces/{rbac_workspace.id}/members",
+                headers={"Authorization": "Bearer test-token"},
+            )
+            patch_resp = client.patch(
+                f"/api/v1/workspaces/{rbac_workspace.id}/members/{target_user.id}",
+                json={"role_id": str(editor_role.id)},
+                headers={"Authorization": "Bearer test-token"},
+            )
+
+    assert get_resp.status_code == 200
+    assert patch_resp.status_code == 403
+    assert "reader" in patch_resp.json()["detail"].lower()
+
+
+def test_self_demote_workspace_admin_forbidden(
+    db_session, rbac_org, rbac_users, rbac_workspace
+):
+    roles = seed_system_workspace_roles(db_session, organization_id=rbac_org.id)
+    add_workspace_member(
+        db_session,
+        workspace_id=rbac_workspace.id,
+        user_id=rbac_users["writer"].id,
+        role_id=roles[SYSTEM_ROLE_ADMIN].id,
+    )
+    db_session.commit()
+
+    app = _iam_test_app(
+        db_session,
+        lambda: Principal(
+            organization_id=rbac_org.id,
+            auth_method=AuthMethod.LOCAL_PASSWORD,
+            user_id=rbac_users["writer"].id,
+        ),
+    )
+    app.dependency_overrides[get_organization_id] = lambda: rbac_org.id
+
+    with TestClient(app) as client:
+        response = client.patch(
+            f"/api/v1/workspaces/{rbac_workspace.id}/members/{rbac_users['writer'].id}",
+            json={"role_id": str(roles[SYSTEM_ROLE_VIEWER].id)},
+        )
+
+    assert response.status_code == 403
+    assert "cannot demote your own workspace admin role" in response.json()["detail"].lower()
+
+
+def test_demote_other_workspace_admin_allowed(
+    db_session, rbac_org, rbac_users, rbac_workspace
+):
+    roles = seed_system_workspace_roles(db_session, organization_id=rbac_org.id)
+    other_admin = User(id=uuid4(), email="other-admin@test.local", name="Other Admin")
+    db_session.add(other_admin)
+    db_session.add(
+        OrganizationMember(
+            organization_id=rbac_org.id,
+            user_id=other_admin.id,
+            role=RoleEnum.WRITER,
+        )
+    )
+    db_session.flush()
+    add_workspace_member(
+        db_session,
+        workspace_id=rbac_workspace.id,
+        user_id=rbac_users["writer"].id,
+        role_id=roles[SYSTEM_ROLE_ADMIN].id,
+    )
+    add_workspace_member(
+        db_session,
+        workspace_id=rbac_workspace.id,
+        user_id=other_admin.id,
+        role_id=roles[SYSTEM_ROLE_ADMIN].id,
+    )
+    db_session.commit()
+
+    app = _iam_test_app(
+        db_session,
+        lambda: Principal(
+            organization_id=rbac_org.id,
+            auth_method=AuthMethod.LOCAL_PASSWORD,
+            user_id=rbac_users["writer"].id,
+        ),
+    )
+    app.dependency_overrides[get_organization_id] = lambda: rbac_org.id
+
+    with TestClient(app) as client:
+        response = client.patch(
+            f"/api/v1/workspaces/{rbac_workspace.id}/members/{other_admin.id}",
+            json={"role_id": str(roles[SYSTEM_ROLE_VIEWER].id)},
+        )
+
+    assert response.status_code == 200
+    assert response.json()["role_name"] == SYSTEM_ROLE_VIEWER
+
+
+def test_self_remove_requires_workspace_in_org(db_session, rbac_org, rbac_users):
+    roles = seed_system_workspace_roles(db_session, organization_id=rbac_org.id)
+    other_org = Organization(id=uuid4(), name="Other Org")
+    db_session.add(other_org)
+    db_session.flush()
+    other_ws = Workspace(
+        id=uuid4(),
+        organization_id=other_org.id,
+        name="Foreign",
+        slug="foreign",
+        is_default=False,
+    )
+    db_session.add(other_ws)
+    db_session.flush()
+    add_workspace_member(
+        db_session,
+        workspace_id=other_ws.id,
+        user_id=rbac_users["viewer"].id,
+        role_id=roles[SYSTEM_ROLE_VIEWER].id,
+    )
+    db_session.commit()
+
+    app = _iam_test_app(
+        db_session,
+        lambda: Principal(
+            organization_id=rbac_org.id,
+            auth_method=AuthMethod.LOCAL_PASSWORD,
+            user_id=rbac_users["viewer"].id,
+        ),
+    )
+    app.dependency_overrides[get_organization_id] = lambda: rbac_org.id
+
+    with TestClient(app) as client:
+        response = client.delete(
+            f"/api/v1/workspaces/{other_ws.id}/members/{rbac_users['viewer'].id}",
+        )
+
+    assert response.status_code == 404
+    assert db_session.query(WorkspaceMember).filter(
+        WorkspaceMember.workspace_id == other_ws.id,
+        WorkspaceMember.user_id == rbac_users["viewer"].id,
+    ).first() is not None
+
+
+def test_update_workspace_missing_returns_404_not_403(
+    db_session, rbac_org, rbac_users, rbac_workspace
+):
+    app = FastAPI()
+    app.include_router(workspaces.router, prefix="/api/v1")
+
+    def _override_db():
+        yield db_session
+
+    app.dependency_overrides[get_db] = _override_db
+    app.dependency_overrides[get_principal] = lambda: Principal(
+        organization_id=rbac_org.id,
+        auth_method=AuthMethod.LOCAL_PASSWORD,
+        user_id=rbac_users["writer"].id,
+    )
+    app.dependency_overrides[get_organization_id] = lambda: rbac_org.id
+
+    missing_id = uuid4()
+    with TestClient(app) as client:
+        response = client.patch(
+            f"/api/v1/workspaces/{missing_id}",
+            json={"name": "Renamed"},
+        )
+
+    assert response.status_code == 404
+
+
+def test_require_capability_missing_capability_returns_403():
+    """Regression: require_capability must not NameError on status import."""
+    from uuid import uuid4
+
+    from fastapi import HTTPException
+
+    from app.core.auth.capabilities import CALLS_DELETE, CALLS_VIEW
+    from app.dependencies import WorkspaceContext, require_capability
+
+    dep = require_capability(CALLS_DELETE)
+    ctx = WorkspaceContext(
+        workspace_id=uuid4(),
+        organization_id=uuid4(),
+        capabilities=frozenset([CALLS_VIEW]),
+        role_name="Viewer",
+    )
+
+    with pytest.raises(HTTPException) as exc_info:
+        dep(ctx=ctx)
+
+    assert exc_info.value.status_code == 403
+    assert "Workspace Admin role" in exc_info.value.detail
+    assert "Viewer" in exc_info.value.detail
+
+
+def test_capability_denied_message_maps_editor_and_admin():
+    from app.core.auth.capabilities import (
+        CALLS_DELETE,
+        CALLS_IMPORT,
+        capability_denied_message,
+    )
+
+    delete_msg = capability_denied_message(
+        CALLS_DELETE,
+        role_name="Viewer",
+        workspace_label="the active workspace",
+    )
+    assert "Workspace Admin role" in delete_msg
+    assert "Viewer" in delete_msg
+
+    import_msg = capability_denied_message(
+        CALLS_IMPORT,
+        role_name="Viewer",
+        workspace_label="the active workspace",
+    )
+    assert "Editor role" in import_msg
+    assert "Viewer" in import_msg

From 454fe6b357b57b46a6ab9432e062f100cacef48f Mon Sep 17 00:00:00 2001
From: Tejas Narayan <stejasnarayan@gmail.com>
Date: Mon, 15 Jun 2026 07:55:12 +0000
Subject: [PATCH 10/12] fix: contributors list

---
 .github/workflows/docs.yml                    |   2 -
 docs-fumadocs/CUTOVER.md                      |   2 -
 docs-fumadocs/README.md                       |   7 +-
 docs-fumadocs/package.json                    |   4 +-
 .../scripts/generate-contributors.mjs         | 174 ------------------
 docs-fumadocs/scripts/validate-docs.mjs       |  35 +---
 6 files changed, 5 insertions(+), 219 deletions(-)
 delete mode 100644 docs-fumadocs/scripts/generate-contributors.mjs

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 7840ced1..0f759dc6 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -20,8 +20,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
diff --git a/docs-fumadocs/CUTOVER.md b/docs-fumadocs/CUTOVER.md
index 2c173356..8527043c 100644
--- a/docs-fumadocs/CUTOVER.md
+++ b/docs-fumadocs/CUTOVER.md
@@ -25,5 +25,3 @@ If production docs regress, redeploy the last known-good commit that built and e
 - Check CloudFront/S3 404 metrics for docs paths for at least one release window.
 - Track search failures and broken-link reports.
 - Confirm no unresolved internal links from `npm run check:links`.
-- Regenerate contributor metadata weekly or when major docs edits land:
-  - `npm run contributors:generate`
diff --git a/docs-fumadocs/README.md b/docs-fumadocs/README.md
index 342753a1..9fe5d8ea 100644
--- a/docs-fumadocs/README.md
+++ b/docs-fumadocs/README.md
@@ -14,18 +14,17 @@ Open `http://localhost:3000/docs/intro`.
 
 - Docs content: `content/docs`
 - Navigation: `content/docs/meta.json` and section-level `meta.json`
-- Contributor metadata:
+- Contributor metadata (optional, static):
   - Manual owner overrides: `content/feature-owners.json`
-  - Generated contributor data: `content/feature-contributors.json`
+  - Contributor data: `content/feature-contributors.json`
 
 ## Checks
 
 ```bash
-npm run contributors:generate
 npm run ci:check
 ```
 
-`ci:check` runs contributor consistency, docs validation, link checks, type checks, and production build.
+`ci:check` runs docs validation, link checks, type checks, and production build.
 
 ## Deployment
 
diff --git a/docs-fumadocs/package.json b/docs-fumadocs/package.json
index c8eeccc5..d8bc5921 100644
--- a/docs-fumadocs/package.json
+++ b/docs-fumadocs/package.json
@@ -9,12 +9,10 @@
     "types:check": "fumadocs-mdx && next typegen && tsc --noEmit",
     "postinstall": "fumadocs-mdx",
     "lint": "eslint",
-    "contributors:generate": "node scripts/generate-contributors.mjs",
-    "contributors:check": "node scripts/generate-contributors.mjs --check",
     "search:generate": "node scripts/generate-search-index.mjs",
     "validate:docs": "node scripts/validate-docs.mjs",
     "check:links": "node scripts/check-links.mjs",
-    "ci:check": "npm run contributors:check && npm run validate:docs && npm run check:links && npm run types:check && npm run build",
+    "ci:check": "npm run validate:docs && npm run check:links && npm run types:check && npm run build",
     "lambda:edge:build": "node lambda-edge/enterprise-auth/build.mjs"
   },
   "dependencies": {
diff --git a/docs-fumadocs/scripts/generate-contributors.mjs b/docs-fumadocs/scripts/generate-contributors.mjs
deleted file mode 100644
index d74e7d0c..00000000
--- a/docs-fumadocs/scripts/generate-contributors.mjs
+++ /dev/null
@@ -1,174 +0,0 @@
-#!/usr/bin/env node
-
-import { execFileSync } from 'node:child_process';
-import fs from 'node:fs';
-import path from 'node:path';
-
-const REPO_ROOT = path.resolve(process.cwd(), '..');
-const DOCS_APP_ROOT = process.cwd();
-const CURRENT_DOCS_ROOT = 'docs-fumadocs/content/docs';
-const CURRENT_DOCS_ABS_ROOT = path.join(DOCS_APP_ROOT, 'content', 'docs');
-const OWNERS_PATH = path.join(DOCS_APP_ROOT, 'content', 'feature-owners.json');
-const OUTPUT_PATH = path.join(DOCS_APP_ROOT, 'content', 'feature-contributors.json');
-const MAX_CONTRIBUTORS = 5;
-const MIN_COMMITS = 2;
-const CHECK_MODE = process.argv.includes('--check');
-const BOT_PATTERN = /(\[bot\]|dependabot|github-actions|renovate)/i;
-
-function runGit(args) {
-  return execFileSync('git', args, {
-    cwd: REPO_ROOT,
-    encoding: 'utf8',
-    stdio: ['ignore', 'pipe', 'pipe'],
-  });
-}
-
-function discoverFeatureDocs(dirPath, prefix = '') {
-  const entries = fs.readdirSync(dirPath, { withFileTypes: true });
-  const features = [];
-
-  for (const entry of entries) {
-    if (entry.name.startsWith('.')) continue;
-    if (entry.isDirectory()) {
-      features.push(...discoverFeatureDocs(path.join(dirPath, entry.name), `${prefix}${entry.name}/`));
-      continue;
-    }
-
-    if (!entry.isFile() || !entry.name.endsWith('.mdx')) continue;
-    features.push(`${prefix}${entry.name.slice(0, -4)}`);
-  }
-
-  return features.sort((a, b) => a.localeCompare(b));
-}
-
-function historyPathFor(featureId) {
-  const current = `${CURRENT_DOCS_ROOT}/${featureId}.mdx`;
-  return current;
-}
-
-function isBotAuthor(name, email) {
-  return BOT_PATTERN.test(name) || BOT_PATTERN.test(email);
-}
-
-function parseContributors(historyPath) {
-  let output = '';
-  try {
-    output = runGit(['log', '--follow', '--format=%aN|%aE', '--', historyPath]);
-  } catch {
-    return [];
-  }
-
-  const counts = new Map();
-  let skippedBots = 0;
-  for (const line of output.split('\n')) {
-    const trimmed = line.trim();
-    if (!trimmed) continue;
-    const [namePart, emailPart] = trimmed.split('|');
-    const name = (namePart || '').trim();
-    const email = (emailPart || '').trim().toLowerCase();
-    if (!name || !email) continue;
-    if (isBotAuthor(name, email)) {
-      skippedBots += 1;
-      continue;
-    }
-    const key = email;
-    const existing = counts.get(key) || { name, email, commits: 0 };
-    existing.commits += 1;
-    counts.set(key, existing);
-  }
-
-  let contributors = Array.from(counts.values()).sort((a, b) => {
-    if (b.commits !== a.commits) return b.commits - a.commits;
-    return a.name.localeCompare(b.name);
-  });
-
-  const thresholdFiltered = contributors.filter((entry) => entry.commits >= MIN_COMMITS);
-  if (thresholdFiltered.length > 0) {
-    contributors = thresholdFiltered;
-  } else {
-    contributors = contributors.filter((entry) => entry.commits >= 1);
-  }
-
-  return {
-    contributors: contributors.slice(0, MAX_CONTRIBUTORS),
-    skippedBots,
-  };
-}
-
-function readOwners() {
-  if (!fs.existsSync(OWNERS_PATH)) return {};
-  return JSON.parse(fs.readFileSync(OWNERS_PATH, 'utf8'));
-}
-
-function buildMetadata() {
-  const ownersByFeature = readOwners();
-  const featureDocs = discoverFeatureDocs(CURRENT_DOCS_ABS_ROOT);
-  const now = new Date().toISOString().slice(0, 10);
-  let totalContributors = 0;
-  let totalSkippedBots = 0;
-
-  const features = featureDocs.map((featureId) => {
-    const docPath = `${CURRENT_DOCS_ROOT}/${featureId}.mdx`;
-    const historyPath = historyPathFor(featureId);
-    const { contributors, skippedBots } = parseContributors(historyPath);
-    totalContributors += contributors.length;
-    totalSkippedBots += skippedBots;
-
-    return {
-      featureId,
-      docPath,
-      historyPath,
-      owners: Array.isArray(ownersByFeature[featureId]) ? ownersByFeature[featureId] : [],
-      contributors,
-      lastReviewed: now,
-    };
-  });
-
-  return {
-    source: 'git-history',
-    maxContributors: MAX_CONTRIBUTORS,
-    minCommits: MIN_COMMITS,
-    features,
-    summary: {
-      featureCount: featureDocs.length,
-      contributorCount: totalContributors,
-      skippedBots: totalSkippedBots,
-    },
-  };
-}
-
-function normalizeForCheck(raw) {
-  const parsed = typeof raw === 'string' ? JSON.parse(raw) : raw;
-  return {
-    ...parsed,
-    features: (parsed.features || []).map(({ lastReviewed, ...feature }) => feature),
-  };
-}
-
-function main() {
-  const metadata = buildMetadata();
-  const nextData = `${JSON.stringify(metadata, null, 2)}\n`;
-
-  if (CHECK_MODE) {
-    if (!fs.existsSync(OUTPUT_PATH)) {
-      console.error(`Missing generated file: ${OUTPUT_PATH}`);
-      process.exit(1);
-    }
-    const existing = fs.readFileSync(OUTPUT_PATH, 'utf8');
-    const existingNormalized = JSON.stringify(normalizeForCheck(existing));
-    const nextNormalized = JSON.stringify(normalizeForCheck(metadata));
-    if (existingNormalized !== nextNormalized) {
-      console.error('feature-contributors.json is out of date. Run `npm run contributors:generate`.');
-      process.exit(1);
-    }
-    return;
-  }
-
-  fs.writeFileSync(OUTPUT_PATH, nextData, 'utf8');
-  const parsed = JSON.parse(nextData);
-  console.log(
-    `Generated ${path.relative(DOCS_APP_ROOT, OUTPUT_PATH)} (${parsed.summary.featureCount} features, ${parsed.summary.contributorCount} contributors, ${parsed.summary.skippedBots} bot commits skipped)`,
-  );
-}
-
-main();
diff --git a/docs-fumadocs/scripts/validate-docs.mjs b/docs-fumadocs/scripts/validate-docs.mjs
index f2b9f6d2..ebd1580a 100644
--- a/docs-fumadocs/scripts/validate-docs.mjs
+++ b/docs-fumadocs/scripts/validate-docs.mjs
@@ -5,23 +5,6 @@ import path from 'node:path';
 
 const appRoot = process.cwd();
 const docsRoot = path.join(appRoot, 'content', 'docs');
-const featureMetaPath = path.join(appRoot, 'content', 'feature-contributors.json');
-const featureDocs = new Set([
-  'products/agents',
-  'products/personas',
-  'products/scenarios',
-  'products/evaluators',
-  'products/metrics',
-  'products/playground',
-  'products/voice-playground',
-  'products/call-imports',
-  'products/alerting',
-  'products/prompt-optimization',
-  'products/prompt-partials',
-  'monitoring/calls',
-  'monitoring/alerting',
-  'monitoring/cron-jobs',
-]);
 
 function walkDocs(dir) {
   const results = [];
@@ -64,7 +47,6 @@ const errors = [];
 const docs = walkDocs(docsRoot);
 for (const file of docs) {
   const rel = path.relative(docsRoot, file).replace(/\\/g, '/');
-  const featureId = rel.replace(/\.mdx$/, '');
   const content = fs.readFileSync(file, 'utf8');
   const frontmatter = parseFrontmatter(content);
   if (!frontmatter) {
@@ -74,25 +56,10 @@ for (const file of docs) {
   if (!frontmatter.get('title')) {
     errors.push(`${rel}: missing frontmatter title`);
   }
-
-  // Feature pages now render contributors from a shared bottom-right widget.
-  // Keep validation focused on metadata presence rather than inline page markers.
-}
-
-if (!fs.existsSync(featureMetaPath)) {
-  errors.push('content/feature-contributors.json does not exist');
-} else {
-  const featureMeta = JSON.parse(fs.readFileSync(featureMetaPath, 'utf8'));
-  const found = new Set((featureMeta.features || []).map((item) => item.featureId));
-  for (const featureId of featureDocs) {
-    if (!found.has(featureId)) {
-      errors.push(`feature-contributors.json missing entry for ${featureId}`);
-    }
-  }
 }
 
 if (errors.length > 0) {
   fail(errors);
 }
 
-console.log(`Validated ${docs.length} docs pages and contributor metadata.`);
+console.log(`Validated ${docs.length} docs pages.`);

From 50c1619af2744996b9cb58f687406f7c4e7b6a93 Mon Sep 17 00:00:00 2001
From: Tejas Narayan <stejasnarayan@gmail.com>
Date: Mon, 15 Jun 2026 09:32:03 +0000
Subject: [PATCH 11/12] feat: updating docs and capabities

---
 .github/workflows/docs.yml                    |   9 -
 app/api/v1/routes/call_import_evaluations.py  |  37 +-
 app/api/v1/routes/workspace_iam.py            |  14 +-
 app/core/auth/workspace_route_capabilities.py |  13 +-
 docs-fumadocs/.gitignore                      |   1 -
 docs-fumadocs/CUTOVER.md                      |   5 +-
 docs-fumadocs/README.md                       |  10 +-
 docs-fumadocs/app/docs/[[...slug]]/page.tsx   |  10 -
 .../content/docs/enterprise/call-imports.mdx  |  48 --
 .../content/docs/enterprise/overview.mdx      |  25 -
 .../docs/enterprise/prompt-optimization.mdx   |  54 ---
 .../content/docs/enterprise/unlock.mdx        |  14 -
 .../docs/enterprise/voice-playground.mdx      |  44 --
 docs-fumadocs/content/docs/meta.json          |   1 -
 .../content/docs/products/call-imports.mdx    |   4 +-
 .../docs/products/prompt-optimization.mdx     |   4 +-
 .../docs/products/voice-playground.mdx        |   4 +-
 .../lambda-edge/enterprise-auth/build.mjs     |  41 --
 .../lambda-edge/enterprise-auth/deploy.sh     |  41 --
 .../enterprise-auth/index.template.js         | 155 -------
 docs-fumadocs/package.json                    |   3 +-
 .../scripts/generate-search-index.mjs         |   4 +-
 .../src/components/WorkspaceRolesSection.tsx  | 432 ++++++++++++++----
 .../src/hooks/useWorkspaceCapabilities.ts     |   1 +
 frontend/src/lib/api.ts                       |  19 +-
 frontend/src/lib/apiErrors.ts                 |  61 +++
 .../CallImportEvaluationDetail.tsx            |  16 +-
 .../test_call_import_evaluation_pdf_report.py |  84 ++++
 tests/test_api/test_workspace_iam.py          |  67 +++
 29 files changed, 655 insertions(+), 566 deletions(-)
 delete mode 100644 docs-fumadocs/content/docs/enterprise/call-imports.mdx
 delete mode 100644 docs-fumadocs/content/docs/enterprise/overview.mdx
 delete mode 100644 docs-fumadocs/content/docs/enterprise/prompt-optimization.mdx
 delete mode 100644 docs-fumadocs/content/docs/enterprise/unlock.mdx
 delete mode 100644 docs-fumadocs/content/docs/enterprise/voice-playground.mdx
 delete mode 100644 docs-fumadocs/lambda-edge/enterprise-auth/build.mjs
 delete mode 100755 docs-fumadocs/lambda-edge/enterprise-auth/deploy.sh
 delete mode 100644 docs-fumadocs/lambda-edge/enterprise-auth/index.template.js

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 0f759dc6..ba48ce4f 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -68,15 +68,6 @@ jobs:
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: ${{ secrets.AWS_REGION }}
 
-      - name: Deploy enterprise docs gate
-        run: bash deploy.sh
-        working-directory: docs-fumadocs/lambda-edge/enterprise-auth
-        env:
-          AWS_REGION: us-east-1
-          DOCS_AUTH_LAMBDA_NAME: ${{ secrets.DOCS_AUTH_LAMBDA_NAME }}
-          DOCS_ENTERPRISE_PASSWORD: ${{ secrets.DOCS_ENTERPRISE_PASSWORD }}
-          DOCS_ENTERPRISE_COOKIE_SECRET: ${{ secrets.DOCS_ENTERPRISE_COOKIE_SECRET }}
-
       - name: Deploy to S3
         run: aws s3 sync ./out s3://${{ secrets.AWS_S3_BUCKET }} --delete
 
diff --git a/app/api/v1/routes/call_import_evaluations.py b/app/api/v1/routes/call_import_evaluations.py
index cba06861..33562c96 100644
--- a/app/api/v1/routes/call_import_evaluations.py
+++ b/app/api/v1/routes/call_import_evaluations.py
@@ -23,6 +23,8 @@
 from sqlalchemy.orm import Session
 from sqlalchemy.orm.attributes import flag_modified
 
+from app.core.auth import Principal, get_principal
+from app.core.auth.capabilities import REPORTS_GENERATE, capability_denied_message
 from app.database import get_db
 from app.dependencies import (
     get_api_key,
@@ -30,6 +32,7 @@
     get_workspace_id,
     require_enterprise_feature,
 )
+from app.services.workspace_rbac import resolve_workspace_capabilities
 from app.models.database import (
     AIProvider,
     CallImport,
@@ -184,6 +187,36 @@ def _require_import(
     return call_import
 
 
+def require_call_import_capability(capability: str):
+    """Ensure the caller has *capability* in the call import's workspace (not just the header)."""
+
+    def _dep(
+        call_import_id: UUID,
+        principal: Principal = Depends(get_principal),
+        organization_id: UUID = Depends(get_organization_id),
+        db: Session = Depends(get_db),
+    ) -> CallImport:
+        call_import = _require_import(db, call_import_id, organization_id)
+        caps, _, role = resolve_workspace_capabilities(
+            db,
+            principal=principal,
+            workspace_id=call_import.workspace_id,
+            organization_id=organization_id,
+        )
+        if capability not in caps:
+            raise HTTPException(
+                status_code=403,
+                detail=capability_denied_message(
+                    capability,
+                    role_name=role.name if role else None,
+                    workspace_label="the active workspace",
+                ),
+            )
+        return call_import
+
+    return _dep
+
+
 def _flatten_transcript(text: Optional[str]) -> str:
     """Collapse a multi-line transcript onto a single line for spreadsheet export.
 
@@ -3220,6 +3253,7 @@ async def list_call_import_evaluation_baseline_candidates(
 @router.post(
     "/{eval_id}/pdf-report",
     operation_id="generateCallImportEvaluationPdfReport",
+    dependencies=[Depends(require_call_import_capability(REPORTS_GENERATE))],
 )
 async def generate_call_import_evaluation_pdf_report(
     call_import_id: UUID,
@@ -8596,7 +8630,7 @@ async def retry_call_import_evaluation_row(
     )
 
 
-from app.core.auth.capabilities import EVALS_RUN, EVALS_VIEW
+from app.core.auth.capabilities import EVALS_RUN, EVALS_VIEW, REPORTS_GENERATE
 from app.core.auth.workspace_route_capabilities import apply_workspace_route_capabilities
 
 apply_workspace_route_capabilities(
@@ -8604,4 +8638,5 @@ async def retry_call_import_evaluation_row(
     view_capability=EVALS_VIEW,
     manage_capability=EVALS_RUN,
     run_capability=EVALS_RUN,
+    report_capability=REPORTS_GENERATE,
 )
diff --git a/app/api/v1/routes/workspace_iam.py b/app/api/v1/routes/workspace_iam.py
index 85a81ce8..c381f120 100644
--- a/app/api/v1/routes/workspace_iam.py
+++ b/app/api/v1/routes/workspace_iam.py
@@ -193,7 +193,19 @@ def update_workspace_role(
         raise HTTPException(status_code=400, detail="System roles cannot be modified.")
 
     if payload.name is not None:
-        role.name = payload.name.strip()
+        new_name = payload.name.strip()
+        conflict = (
+            db.query(WorkspaceRole)
+            .filter(
+                WorkspaceRole.organization_id == organization_id,
+                WorkspaceRole.name == new_name,
+                WorkspaceRole.id != role_id,
+            )
+            .first()
+        )
+        if conflict:
+            raise HTTPException(status_code=409, detail="A role with this name already exists.")
+        role.name = new_name
     if payload.description is not None:
         role.description = payload.description
     if payload.capabilities is not None:
diff --git a/app/core/auth/workspace_route_capabilities.py b/app/core/auth/workspace_route_capabilities.py
index 2fb1c102..449014c8 100644
--- a/app/core/auth/workspace_route_capabilities.py
+++ b/app/core/auth/workspace_route_capabilities.py
@@ -16,6 +16,7 @@ def apply_workspace_route_capabilities(
     view_capability: str,
     manage_capability: str,
     run_capability: str | None = None,
+    report_capability: str | None = None,
     delete_capability: str | None = None,
     skip_paths: Iterable[str] | None = None,
 ) -> None:
@@ -23,7 +24,8 @@ def apply_workspace_route_capabilities(
     Attach capability dependencies to routes on ``router`` based on HTTP method.
 
     GET/HEAD -> view_capability
-    POST/PUT/PATCH -> manage_capability (or run_capability when path ends with /run)
+    POST/PUT/PATCH -> manage_capability (or run_capability when path ends with /run,
+    or report_capability when path ends with /pdf-report)
     DELETE -> delete_capability or manage_capability
     """
     skipped = set(skip_paths or ())
@@ -45,7 +47,9 @@ def apply_workspace_route_capabilities(
             deps.append(Depends(require_capability(cap)))
         elif methods & {"POST", "PUT", "PATCH"}:
             cap = manage_capability
-            if run_capability and _looks_like_run_route(path):
+            if report_capability and _looks_like_report_route(path):
+                cap = report_capability
+            elif run_capability and _looks_like_run_route(path):
                 cap = run_capability
             deps.append(Depends(require_capability(cap)))
 
@@ -55,3 +59,8 @@ def apply_workspace_route_capabilities(
 def _looks_like_run_route(path: str) -> bool:
     lowered = path.lower()
     return lowered.endswith("/run") or "/run/" in lowered
+
+
+def _looks_like_report_route(path: str) -> bool:
+    lowered = path.lower()
+    return lowered.endswith("/pdf-report") or "/pdf-report" in lowered
diff --git a/docs-fumadocs/.gitignore b/docs-fumadocs/.gitignore
index 142f2016..5e3faef9 100644
--- a/docs-fumadocs/.gitignore
+++ b/docs-fumadocs/.gitignore
@@ -9,7 +9,6 @@
 .next/
 /out/
 /build
-/lambda-edge/**/dist/
 *.tsbuildinfo
 
 # misc
diff --git a/docs-fumadocs/CUTOVER.md b/docs-fumadocs/CUTOVER.md
index 8527043c..d0dab357 100644
--- a/docs-fumadocs/CUTOVER.md
+++ b/docs-fumadocs/CUTOVER.md
@@ -1,6 +1,6 @@
 # Docs Cutover and Stabilization
 
-This runbook tracks the Fumadocs rollout and rollback strategy.
+This runbook tracks the Fumadocs rollout strategy.
 
 ## Cutover steps
 
@@ -11,8 +11,6 @@ This runbook tracks the Fumadocs rollout and rollback strategy.
    - `/docs/getting-started/installation`
    - `/docs/products/agents`
    - `/docs/monitoring/calls`
-   - `/docs/enterprise/unlock/` (public unlock form)
-   - `/docs/enterprise/overview/` (requires CloudFront Lambda@Edge password gate in production)
 4. Verify contributor sections render on all feature pages.
 5. Record cutover timestamp in the release notes.
 
@@ -22,6 +20,5 @@ If production docs regress, redeploy the last known-good commit that built and e
 
 ## Stabilization checklist
 
-- Check CloudFront/S3 404 metrics for docs paths for at least one release window.
 - Track search failures and broken-link reports.
 - Confirm no unresolved internal links from `npm run check:links`.
diff --git a/docs-fumadocs/README.md b/docs-fumadocs/README.md
index 9fe5d8ea..d231e29c 100644
--- a/docs-fumadocs/README.md
+++ b/docs-fumadocs/README.md
@@ -28,12 +28,6 @@ npm run ci:check
 
 ## Deployment
 
-Deployment is handled by `.github/workflows/docs.yml` (the `deploy` job) and publishes static output from `docs-fumadocs/out`.
+Deployment is handled by `.github/workflows/docs.yml` (the `deploy` job) and publishes static output from `docs-fumadocs/out` to S3/CloudFront on pushes to `main` (or via manual workflow dispatch).
 
-Rollback instructions are documented in `CUTOVER.md`.
-
-## Enterprise documentation
-
-Enterprise feature guides live under `content/docs/enterprise/`. They are excluded from the public search index and marked `noindex`.
-
-Production access is gated at CloudFront with Lambda@Edge (`lambda-edge/enterprise-auth/`). Deployment is handled by the docs GitHub Actions workflow using repository secrets for the enterprise password and cookie signing secret.
+The `build` job runs the same checks on pull requests. Only public docs content under `content/docs/` is included — there is no separate enterprise docs section or password gate.
diff --git a/docs-fumadocs/app/docs/[[...slug]]/page.tsx b/docs-fumadocs/app/docs/[[...slug]]/page.tsx
index be09d8e3..83e8a4a9 100644
--- a/docs-fumadocs/app/docs/[[...slug]]/page.tsx
+++ b/docs-fumadocs/app/docs/[[...slug]]/page.tsx
@@ -74,18 +74,8 @@ export async function generateMetadata(props: PageProps<'/docs/[[...slug]]'>): P
   const page = source.getPage(params.slug);
   if (!page) notFound();
 
-  const isEnterprise = params.slug?.[0] === 'enterprise';
-
   return {
     title: page.data.title,
     description: page.data.description,
-    ...(isEnterprise
-      ? {
-          robots: {
-            index: false,
-            follow: false,
-          },
-        }
-      : {}),
   };
 }
diff --git a/docs-fumadocs/content/docs/enterprise/call-imports.mdx b/docs-fumadocs/content/docs/enterprise/call-imports.mdx
deleted file mode 100644
index 399be592..00000000
--- a/docs-fumadocs/content/docs/enterprise/call-imports.mdx
+++ /dev/null
@@ -1,48 +0,0 @@
----
-id: enterprise-call-imports
-title: Call Imports
-sidebar_position: 3
----
-
-# Call Imports
-
-Call Imports is an enterprise feature (`call_imports`) for bulk-importing production call recordings via CSV and running batch evaluations on them.
-
-## Workflow overview
-
-Each import batch moves through these stages:
-
-1. **Upload** — upload a CSV dataset and optional audio files.
-2. **Map** — map CSV columns to call-import fields using a schema.
-3. **Evaluate** — run metrics and insights against imported rows.
-4. **Review** — inspect per-row transcripts, scores, and insights.
-
-## Upload modes
-
-### CSV datasets
-
-Upload a spreadsheet of call metadata (transcripts, IDs, tags, etc.). Map columns to your schema before evaluation.
-
-### Audio uploads
-
-Upload audio files linked to import rows for diarization and transcript comparison metrics.
-
-## Schemas
-
-Define reusable column-mapping schemas under **Call Imports → Schemas**. Schemas are workspace-scoped and can be referenced by multiple import batches.
-
-## Tags
-
-Organize batches with call-import tags. Filter the imports list by tag to find related production slices.
-
-## Prompt partials
-
-Call Imports integrates with [Prompt Partials](/docs/products/prompt-partials). Use partials for evaluation rubrics and insights prompts during import workflows.
-
-## Transcript comparison metrics
-
-Enable **Compare transcripts** on a metric to run a transcript-pair judge at evaluation time. The worker feeds both the production transcript and the diarized transcript to the LLM. See [Metrics](/docs/products/metrics) for configuration details.
-
-## License requirement
-
-Set `EFFICIENTAI_LICENSE` with the `call_imports` feature. Without it, import routes and the Call Imports UI are unavailable.
diff --git a/docs-fumadocs/content/docs/enterprise/overview.mdx b/docs-fumadocs/content/docs/enterprise/overview.mdx
deleted file mode 100644
index c126b4e4..00000000
--- a/docs-fumadocs/content/docs/enterprise/overview.mdx
+++ /dev/null
@@ -1,25 +0,0 @@
----
-id: enterprise-overview
-title: Enterprise Features
-sidebar_position: 1
----
-
-# Enterprise Features
-
-These guides cover EfficientAI features that require an enterprise license (`EFFICIENTAI_LICENSE`).
-
-## Available guides
-
-| Feature | License feature ID | Guide |
-| --- | --- | --- |
-| Voice Playground | `voice_playground` | [Voice Playground](/docs/enterprise/voice-playground) |
-| Call Imports | `call_imports` | [Call Imports](/docs/enterprise/call-imports) |
-| Prompt Optimization | `gepa_optimization` | [Prompt Optimization](/docs/enterprise/prompt-optimization) |
-
-## License setup
-
-Request an enterprise license from the EfficientAI team, then set it in `config.yml` or via the `EFFICIENTAI_LICENSE` environment variable. See [Authentication](/docs/getting-started/authentication) for the full enterprise auth and license walkthrough.
-
-## Documentation access
-
-Enterprise documentation is password-protected. If you were redirected here, enter the documentation password provided with your enterprise license.
diff --git a/docs-fumadocs/content/docs/enterprise/prompt-optimization.mdx b/docs-fumadocs/content/docs/enterprise/prompt-optimization.mdx
deleted file mode 100644
index b3442b1c..00000000
--- a/docs-fumadocs/content/docs/enterprise/prompt-optimization.mdx
+++ /dev/null
@@ -1,54 +0,0 @@
----
-id: enterprise-prompt-optimization
-title: Prompt Optimization
-sidebar_position: 4
----
-
-# Prompt Optimization
-
-Prompt Optimization is an enterprise feature (`gepa_optimization`) for iteratively improving agent prompts using evaluation feedback.
-
-## What gets optimized
-
-Each run starts from a seed prompt:
-
-- provider prompt, if available, otherwise
-- internal agent description.
-
-The optimizer generates candidate prompts, evaluates them against available examples and enabled metrics, and ranks them by score.
-
-## Run configuration
-
-Common run controls include:
-
-- `max_metric_calls` for evaluation budget
-- `minibatch_size` for examples per iteration
-
-These settings determine optimization depth, runtime, and cost.
-
-## Candidate workflow
-
-For each optimization run:
-
-1. Review generated candidates and their scores.
-2. Compare candidate prompt text against the seed prompt.
-3. **Accept** the candidate you want to promote.
-4. Optionally **Push to Provider** to update the linked external agent prompt.
-
-## Push behavior
-
-When a candidate is pushed:
-
-- EfficientAI updates the prompt in the external provider,
-- updates local agent prompt fields,
-- records push timing for traceability.
-
-## Best practices
-
-- Use representative completed evaluator results as optimization data.
-- Keep enabled metric sets stable while comparing candidates.
-- Review prompt semantics in addition to score before pushing.
-
-## License requirement
-
-Set `EFFICIENTAI_LICENSE` with the `gepa_optimization` feature. Without it, optimization routes and the Optimization UI are unavailable.
diff --git a/docs-fumadocs/content/docs/enterprise/unlock.mdx b/docs-fumadocs/content/docs/enterprise/unlock.mdx
deleted file mode 100644
index 59cd149d..00000000
--- a/docs-fumadocs/content/docs/enterprise/unlock.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-id: enterprise-unlock
-title: Unlock Enterprise Docs
----
-
-import { EnterpriseUnlockForm } from '@/components/enterprise-unlock-form';
-
-# Enterprise Documentation
-
-These guides are available to enterprise customers. Enter the documentation password shared with your organization.
-
-<EnterpriseUnlockForm />
-
-If you do not have a password, contact the EfficientAI team or your account representative.
diff --git a/docs-fumadocs/content/docs/enterprise/voice-playground.mdx b/docs-fumadocs/content/docs/enterprise/voice-playground.mdx
deleted file mode 100644
index b02ef837..00000000
--- a/docs-fumadocs/content/docs/enterprise/voice-playground.mdx
+++ /dev/null
@@ -1,44 +0,0 @@
----
-id: enterprise-voice-playground
-title: Voice Playground
-sidebar_position: 2
----
-
-# Voice Playground
-
-Voice Playground is an enterprise feature (`voice_playground`) for A/B testing TTS providers with real synthesis, blind tests, and automated evaluation.
-
-## What it does
-
-From the Voice Playground you can:
-
-- compare multiple TTS voices side by side on the same script,
-- run benchmark simulations across providers,
-- create blind-test shares for human raters,
-- evaluate outputs with workspace [metrics](/docs/products/metrics) enabled for the `voice_playground` surface.
-
-## Tabs
-
-### Playground
-
-Configure a comparison: pick voices, enter or paste script text, and synthesize audio from each provider. Review waveforms, playback, and per-voice metric scores.
-
-### Voices
-
-Manage custom voice entries used in comparisons. Custom voices persist in your active [workspace](/docs/getting-started/workspaces).
-
-### Simulations
-
-Browse past benchmark runs. Re-open a comparison to review scores, transcripts, and metric breakdowns.
-
-### Blind Tests
-
-Create shareable blind-test links so raters can compare samples without seeing provider names. Owner-side share management requires the `voice_playground` license.
-
-## Metrics
-
-Enable metrics for the **Voice Playground** surface under [Metrics](/docs/products/metrics). Only metrics with that surface enabled appear during playground evaluation.
-
-## License requirement
-
-Set `EFFICIENTAI_LICENSE` with the `voice_playground` feature. Without it, the app shows the enterprise upgrade screen and API routes return `403 enterprise_feature_required`.
diff --git a/docs-fumadocs/content/docs/meta.json b/docs-fumadocs/content/docs/meta.json
index 4faa569f..61851900 100644
--- a/docs-fumadocs/content/docs/meta.json
+++ b/docs-fumadocs/content/docs/meta.json
@@ -7,7 +7,6 @@
     "monitoring",
     "reference",
     "advanced",
-    "enterprise",
     "more"
   ]
 }
diff --git a/docs-fumadocs/content/docs/products/call-imports.mdx b/docs-fumadocs/content/docs/products/call-imports.mdx
index 614fe3df..54503aee 100644
--- a/docs-fumadocs/content/docs/products/call-imports.mdx
+++ b/docs-fumadocs/content/docs/products/call-imports.mdx
@@ -8,7 +8,7 @@ sidebar_position: 9
 
 Call Imports lets you bulk-import production call recordings via CSV and run batch evaluations on them.
 
-> **Enterprise feature** — requires `call_imports` in your `EFFICIENTAI_LICENSE`. Full documentation is available in the [Enterprise docs](/docs/enterprise/call-imports) (password required).
+> **Enterprise feature** — requires `call_imports` in your `EFFICIENTAI_LICENSE`.
 
 ## At a glance
 
@@ -16,4 +16,4 @@ Call Imports lets you bulk-import production call recordings via CSV and run bat
 - Map columns with reusable schemas
 - Run metrics and insights across imported production calls
 
-Contact the EfficientAI team for a license and enterprise documentation access.
+Contact the EfficientAI team for a license.
diff --git a/docs-fumadocs/content/docs/products/prompt-optimization.mdx b/docs-fumadocs/content/docs/products/prompt-optimization.mdx
index 65462fb4..7c9142f7 100644
--- a/docs-fumadocs/content/docs/products/prompt-optimization.mdx
+++ b/docs-fumadocs/content/docs/products/prompt-optimization.mdx
@@ -8,7 +8,7 @@ sidebar_position: 7
 
 Prompt Optimization is an enterprise feature for iteratively improving agent prompts using evaluation feedback.
 
-> **Enterprise feature** — requires `gepa_optimization` in your `EFFICIENTAI_LICENSE`. Full documentation is available in the [Enterprise docs](/docs/enterprise/prompt-optimization) (password required).
+> **Enterprise feature** — requires `gepa_optimization` in your `EFFICIENTAI_LICENSE`.
 
 ## At a glance
 
@@ -16,5 +16,5 @@ Prompt Optimization is an enterprise feature for iteratively improving agent pro
 - Accept winning candidates and optionally push to your voice provider
 - Control optimization depth with `max_metric_calls` and `minibatch_size`
 
-Contact the EfficientAI team for a license and enterprise documentation access.
+Contact the EfficientAI team for a license.
 
diff --git a/docs-fumadocs/content/docs/products/voice-playground.mdx b/docs-fumadocs/content/docs/products/voice-playground.mdx
index e17a73d7..a9235595 100644
--- a/docs-fumadocs/content/docs/products/voice-playground.mdx
+++ b/docs-fumadocs/content/docs/products/voice-playground.mdx
@@ -8,7 +8,7 @@ sidebar_position: 8
 
 Voice Playground lets you A/B test TTS providers with real synthesis, blind tests, and automated evaluation.
 
-> **Enterprise feature** — requires `voice_playground` in your `EFFICIENTAI_LICENSE`. Full documentation is available in the [Enterprise docs](/docs/enterprise/voice-playground) (password required).
+> **Enterprise feature** — requires `voice_playground` in your `EFFICIENTAI_LICENSE`.
 
 ## At a glance
 
@@ -16,4 +16,4 @@ Voice Playground lets you A/B test TTS providers with real synthesis, blind test
 - Run benchmark simulations and blind-test shares
 - Evaluate with metrics enabled for the Voice Playground surface
 
-Contact the EfficientAI team for a license and enterprise documentation access.
+Contact the EfficientAI team for a license.
diff --git a/docs-fumadocs/lambda-edge/enterprise-auth/build.mjs b/docs-fumadocs/lambda-edge/enterprise-auth/build.mjs
deleted file mode 100644
index f3601498..00000000
--- a/docs-fumadocs/lambda-edge/enterprise-auth/build.mjs
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/usr/bin/env node
-
-import crypto from 'node:crypto';
-import fs from 'node:fs';
-import path from 'node:path';
-import { fileURLToPath } from 'node:url';
-
-const dirname = path.dirname(fileURLToPath(import.meta.url));
-const templatePath = path.join(dirname, 'index.template.js');
-const outputPath = path.join(dirname, 'dist', 'index.js');
-
-function requireEnv(name) {
-  const value = process.env[name];
-  if (!value) {
-    console.error(`Missing required environment variable: ${name}`);
-    process.exit(1);
-  }
-  return value;
-}
-
-function main() {
-  const password = requireEnv('DOCS_ENTERPRISE_PASSWORD');
-  const cookieSecret = process.env.DOCS_ENTERPRISE_COOKIE_SECRET || crypto.randomBytes(32).toString('hex');
-  const passwordHash = crypto.createHash('sha256').update(password).digest('hex');
-
-  const template = fs.readFileSync(templatePath, 'utf8');
-  const output = template
-    .replaceAll('{{PASSWORD_HASH}}', passwordHash)
-    .replaceAll('{{COOKIE_SECRET}}', cookieSecret);
-
-  fs.mkdirSync(path.dirname(outputPath), { recursive: true });
-  fs.writeFileSync(outputPath, output, 'utf8');
-
-  console.log(`Built ${path.relative(process.cwd(), outputPath)}`);
-  if (!process.env.DOCS_ENTERPRISE_COOKIE_SECRET) {
-    console.log('Generated ephemeral DOCS_ENTERPRISE_COOKIE_SECRET for this build.');
-    console.log('Set DOCS_ENTERPRISE_COOKIE_SECRET in your deploy environment to keep sessions stable across redeploys.');
-  }
-}
-
-main();
diff --git a/docs-fumadocs/lambda-edge/enterprise-auth/deploy.sh b/docs-fumadocs/lambda-edge/enterprise-auth/deploy.sh
deleted file mode 100755
index c43473db..00000000
--- a/docs-fumadocs/lambda-edge/enterprise-auth/deploy.sh
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-DIST_DIR="${ROOT_DIR}/dist"
-ZIP_PATH="${DIST_DIR}/enterprise-auth.zip"
-FUNCTION_NAME="${DOCS_AUTH_LAMBDA_NAME:-efficientai-docs-enterprise-auth}"
-AWS_REGION="${AWS_REGION:-us-east-1}"
-
-if [[ -z "${DOCS_ENTERPRISE_PASSWORD:-}" ]]; then
-  echo "Set DOCS_ENTERPRISE_PASSWORD before building/deploying." >&2
-  exit 1
-fi
-
-node "${ROOT_DIR}/build.mjs"
-
-rm -f "${ZIP_PATH}"
-(cd "${DIST_DIR}" && zip -q "${ZIP_PATH}" index.js)
-
-if [[ "${1:-}" == "--build-only" ]]; then
-  echo "Built ${ZIP_PATH}"
-  exit 0
-fi
-
-aws lambda update-function-code \
-  --region "${AWS_REGION}" \
-  --function-name "${FUNCTION_NAME}" \
-  --zip-file "fileb://${ZIP_PATH}"
-
-aws lambda wait function-updated \
-  --region "${AWS_REGION}" \
-  --function-name "${FUNCTION_NAME}"
-
-NEW_VERSION="$(aws lambda publish-version \
-  --region "${AWS_REGION}" \
-  --function-name "${FUNCTION_NAME}" \
-  --query 'Version' \
-  --output text)"
-
-echo "Published Lambda version: ${NEW_VERSION}"
-echo "Associate this version with your CloudFront /docs/enterprise/* cache behavior (viewer-request)."
diff --git a/docs-fumadocs/lambda-edge/enterprise-auth/index.template.js b/docs-fumadocs/lambda-edge/enterprise-auth/index.template.js
deleted file mode 100644
index 88fae928..00000000
--- a/docs-fumadocs/lambda-edge/enterprise-auth/index.template.js
+++ /dev/null
@@ -1,155 +0,0 @@
-'use strict';
-
-const crypto = require('crypto');
-
-const PASSWORD_HASH = '{{PASSWORD_HASH}}';
-const COOKIE_SECRET = '{{COOKIE_SECRET}}';
-const SESSION_DAYS = 7;
-
-const COOKIE_NAME = 'docs_ent';
-const UNLOCK_PREFIX = '/docs/enterprise/unlock';
-const ENTERPRISE_PREFIX = '/docs/enterprise/';
-
-function timingSafeEqual(a, b) {
-  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) {
-    return false;
-  }
-  let result = 0;
-  for (let i = 0; i < a.length; i += 1) {
-    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
-  }
-  return result === 0;
-}
-
-function sha256(value) {
-  return crypto.createHash('sha256').update(value).digest('hex');
-}
-
-function signSession(expiry) {
-  return crypto.createHmac('sha256', COOKIE_SECRET).update(String(expiry)).digest('base64url');
-}
-
-function verifySession(value) {
-  if (!value) return false;
-  const separator = value.lastIndexOf('.');
-  if (separator === -1) return false;
-
-  const expiry = Number.parseInt(value.slice(0, separator), 10);
-  const signature = value.slice(separator + 1);
-  if (!Number.isFinite(expiry) || expiry < Date.now()) return false;
-
-  const expected = signSession(expiry);
-  return timingSafeEqual(signature, expected);
-}
-
-function parseCookies(headers) {
-  const cookieHeader = headers.cookie;
-  if (!cookieHeader) return {};
-
-  const cookies = {};
-  for (const item of cookieHeader) {
-    const parts = item.value.split(';');
-    for (const part of parts) {
-      const trimmed = part.trim();
-      const separator = trimmed.indexOf('=');
-      if (separator === -1) continue;
-      const key = trimmed.slice(0, separator);
-      const value = trimmed.slice(separator + 1);
-      cookies[key] = value;
-    }
-  }
-  return cookies;
-}
-
-function parseFormBody(body, isBase64) {
-  const raw = isBase64 ? Buffer.from(body, 'base64').toString('utf8') : body;
-  const params = new URLSearchParams(raw);
-  return {
-    password: params.get('password') || '',
-    returnTo: params.get('return') || '/docs/enterprise/overview/',
-  };
-}
-
-function normalizeUri(uri) {
-  return uri.endsWith('/') ? uri : `${uri}/`;
-}
-
-function isUnlockPath(uri) {
-  return uri === '/docs/enterprise/unlock' || uri.startsWith('/docs/enterprise/unlock/');
-}
-
-function redirect(location, extraHeaders) {
-  const response = {
-    status: '302',
-    statusDescription: 'Found',
-    headers: {
-      location: [{ key: 'Location', value: location }],
-      'cache-control': [{ key: 'Cache-Control', value: 'no-store' }],
-    },
-  };
-
-  if (extraHeaders) {
-    Object.assign(response.headers, extraHeaders);
-  }
-
-  return response;
-}
-
-function passThrough(request) {
-  return request;
-}
-
-exports.handler = async (event) => {
-  const request = event.Records[0].cf.request;
-  const uri = normalizeUri(request.uri);
-
-  if (!uri.startsWith(ENTERPRISE_PREFIX)) {
-    return passThrough(request);
-  }
-
-  if (isUnlockPath(uri)) {
-    if (request.method === 'POST' && request.body && request.body.data) {
-      const { password, returnTo } = parseFormBody(
-        request.body.data,
-        request.body.encoding === 'base64',
-      );
-      const submittedHash = sha256(password);
-
-      if (!timingSafeEqual(submittedHash, PASSWORD_HASH)) {
-        const errorTarget = `${UNLOCK_PREFIX}/?error=invalid&return=${encodeURIComponent(returnTo)}`;
-        return redirect(errorTarget);
-      }
-
-      const expiry = Date.now() + SESSION_DAYS * 24 * 60 * 60 * 1000;
-      const cookieValue = `${expiry}.${signSession(expiry)}`;
-      const safeReturn = sanitizeReturnPath(returnTo);
-
-      return redirect(safeReturn, {
-        'set-cookie': [{
-          key: 'Set-Cookie',
-          value: `${COOKIE_NAME}=${cookieValue}; Path=/docs/enterprise/; HttpOnly; Secure; SameSite=Lax; Max-Age=${SESSION_DAYS * 86400}`,
-        }],
-      });
-    }
-
-    return passThrough(request);
-  }
-
-  const cookies = parseCookies(request.headers);
-  if (verifySession(cookies[COOKIE_NAME])) {
-    return passThrough(request);
-  }
-
-  const returnTo = encodeURIComponent(uri);
-  return redirect(`${UNLOCK_PREFIX}/?return=${returnTo}`);
-};
-
-function sanitizeReturnPath(value) {
-  if (!value || !value.startsWith('/docs/enterprise/')) {
-    return '/docs/enterprise/overview/';
-  }
-  if (isUnlockPath(value)) {
-    return '/docs/enterprise/overview/';
-  }
-  return value.endsWith('/') ? value : `${value}/`;
-}
diff --git a/docs-fumadocs/package.json b/docs-fumadocs/package.json
index d8bc5921..d24c6180 100644
--- a/docs-fumadocs/package.json
+++ b/docs-fumadocs/package.json
@@ -12,8 +12,7 @@
     "search:generate": "node scripts/generate-search-index.mjs",
     "validate:docs": "node scripts/validate-docs.mjs",
     "check:links": "node scripts/check-links.mjs",
-    "ci:check": "npm run validate:docs && npm run check:links && npm run types:check && npm run build",
-    "lambda:edge:build": "node lambda-edge/enterprise-auth/build.mjs"
+    "ci:check": "npm run validate:docs && npm run check:links && npm run types:check && npm run build"
   },
   "dependencies": {
     "fumadocs-core": "16.8.11",
diff --git a/docs-fumadocs/scripts/generate-search-index.mjs b/docs-fumadocs/scripts/generate-search-index.mjs
index 7fe5728c..f17f13cd 100644
--- a/docs-fumadocs/scripts/generate-search-index.mjs
+++ b/docs-fumadocs/scripts/generate-search-index.mjs
@@ -67,9 +67,7 @@ function toLabel(segment) {
 
 function buildRecords() {
   const files = walkDocs(DOCS_ROOT);
-  const records = files
-    .filter(({ relative }) => !relative.startsWith('enterprise/'))
-    .map(({ relative, absolute }) => {
+  const records = files.map(({ relative, absolute }) => {
     const raw = fs.readFileSync(absolute, 'utf8');
     const { frontmatter, body } = stripFrontmatter(raw);
     const featureId = relative.replace(/\.mdx$/, '');
diff --git a/frontend/src/components/WorkspaceRolesSection.tsx b/frontend/src/components/WorkspaceRolesSection.tsx
index 25429236..fbf329e2 100644
--- a/frontend/src/components/WorkspaceRolesSection.tsx
+++ b/frontend/src/components/WorkspaceRolesSection.tsx
@@ -1,20 +1,30 @@
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
 import { useMemo, useState } from 'react'
-import { Plus, Trash2 } from 'lucide-react'
+import { ChevronDown, Pencil, Plus, Trash2, X } from 'lucide-react'
 import { apiClient } from '../lib/api'
+import { getApiErrorMessage } from '../lib/apiErrors'
 import type { CapabilityDomain, CapabilityInfo, WorkspaceRole } from '../types/api'
 import Button from './Button'
 import { useToast } from '../hooks/useToast'
 
+function buildCapabilityLabelMap(domains: CapabilityDomain[]): Map<string, string> {
+  const map = new Map<string, string>()
+  for (const domain of domains) {
+    for (const cap of domain.capabilities) {
+      map.set(cap.key, cap.label)
+    }
+  }
+  return map
+}
+
 export default function WorkspaceRolesSection() {
   const queryClient = useQueryClient()
   const { showToast, ToastContainer } = useToast()
   const [showCreate, setShowCreate] = useState(false)
-  const [name, setName] = useState('')
-  const [description, setDescription] = useState('')
-  const [selectedCaps, setSelectedCaps] = useState<Set<string>>(new Set())
+  const [expandedRoleIds, setExpandedRoleIds] = useState<Set<string>>(new Set())
+  const [editingRoleId, setEditingRoleId] = useState<string | null>(null)
 
-  const { data: roles = [] } = useQuery({
+  const { data: roles = [], isLoading: rolesLoading, error: rolesError } = useQuery({
     queryKey: ['workspace-roles'],
     queryFn: () => apiClient.listWorkspaceRoles(),
   })
@@ -24,23 +34,36 @@ export default function WorkspaceRolesSection() {
     queryFn: () => apiClient.listCapabilities(),
   })
 
+  const capLabels = useMemo(() => buildCapabilityLabelMap(domains), [domains])
+
   const createMutation = useMutation({
-    mutationFn: () =>
-      apiClient.createWorkspaceRole({
-        name,
-        description: description || undefined,
-        capabilities: Array.from(selectedCaps),
-      }),
+    mutationFn: (payload: { name: string; description?: string; capabilities: string[] }) =>
+      apiClient.createWorkspaceRole(payload),
     onSuccess: () => {
       queryClient.invalidateQueries({ queryKey: ['workspace-roles'] })
       setShowCreate(false)
-      setName('')
-      setDescription('')
-      setSelectedCaps(new Set())
       showToast('Role created', 'success')
     },
-    onError: (error: any) => {
-      showToast(error.response?.data?.detail || 'Failed to create role', 'error')
+    onError: (error: unknown) => {
+      showToast(getApiErrorMessage(error, 'Failed to create role'), 'error')
+    },
+  })
+
+  const updateMutation = useMutation({
+    mutationFn: ({
+      roleId,
+      payload,
+    }: {
+      roleId: string
+      payload: { name?: string; description?: string | null; capabilities?: string[] }
+    }) => apiClient.updateWorkspaceRole(roleId, payload),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ['workspace-roles'] })
+      setEditingRoleId(null)
+      showToast('Role updated', 'success')
+    },
+    onError: (error: unknown) => {
+      showToast(getApiErrorMessage(error, 'Failed to update role'), 'error')
     },
   })
 
@@ -48,22 +71,14 @@ export default function WorkspaceRolesSection() {
     mutationFn: (roleId: string) => apiClient.deleteWorkspaceRole(roleId),
     onSuccess: () => {
       queryClient.invalidateQueries({ queryKey: ['workspace-roles'] })
+      setEditingRoleId(null)
       showToast('Role deleted', 'success')
     },
-    onError: (error: any) => {
-      showToast(error.response?.data?.detail || 'Failed to delete role', 'error')
+    onError: (error: unknown) => {
+      showToast(getApiErrorMessage(error, 'Failed to delete role'), 'error')
     },
   })
 
-  const toggleCap = (cap: string) => {
-    setSelectedCaps((prev) => {
-      const next = new Set(prev)
-      if (next.has(cap)) next.delete(cap)
-      else next.add(cap)
-      return next
-    })
-  }
-
   const systemRoles = useMemo(
     () => roles.filter((r: WorkspaceRole) => r.is_system),
     [roles],
@@ -73,6 +88,21 @@ export default function WorkspaceRolesSection() {
     [roles],
   )
 
+  const toggleExpanded = (roleId: string) => {
+    setExpandedRoleIds((prev) => {
+      const next = new Set(prev)
+      if (next.has(roleId)) next.delete(roleId)
+      else next.add(roleId)
+      return next
+    })
+  }
+
+  const startEdit = (role: WorkspaceRole) => {
+    setEditingRoleId(role.id)
+    setExpandedRoleIds((prev) => new Set(prev).add(role.id))
+    setShowCreate(false)
+  }
+
   return (
     <div>
       <ToastContainer />
@@ -83,91 +113,327 @@ export default function WorkspaceRolesSection() {
             System roles are predefined. Org admins can create custom roles from capabilities.
           </p>
         </div>
-        <Button onClick={() => setShowCreate((v) => !v)}>
+        <Button
+          onClick={() => {
+            setShowCreate((v) => !v)
+            setEditingRoleId(null)
+          }}
+        >
           <Plus className="h-4 w-4 mr-2" />
           Custom role
         </Button>
       </div>
 
+      {rolesError && (
+        <div className="mb-4 text-sm text-red-600">
+          {getApiErrorMessage(rolesError, 'Failed to load workspace roles')}
+        </div>
+      )}
+
       {showCreate && (
-        <div className="mb-6 p-4 border border-gray-200 rounded-lg bg-gray-50 space-y-4">
-          <input
-            type="text"
-            value={name}
-            onChange={(e) => setName(e.target.value)}
-            placeholder="Role name"
-            className="w-full px-3 py-2 border border-gray-200 rounded-lg text-sm"
-          />
-          <input
-            type="text"
-            value={description}
-            onChange={(e) => setDescription(e.target.value)}
-            placeholder="Description (optional)"
-            className="w-full px-3 py-2 border border-gray-200 rounded-lg text-sm"
+        <RoleForm
+          title="Create custom role"
+          domains={domains}
+          submitLabel="Create role"
+          isPending={createMutation.isPending}
+          onCancel={() => setShowCreate(false)}
+          onSubmit={(values) => createMutation.mutate(values)}
+        />
+      )}
+
+      {rolesLoading ? (
+        <div className="text-sm text-gray-500 py-4">Loading roles…</div>
+      ) : (
+        <>
+          <RoleList
+            title="System roles"
+            emptyMessage="No system roles found."
+            roles={systemRoles}
+            domains={domains}
+            capLabels={capLabels}
+            expandedRoleIds={expandedRoleIds}
+            editingRoleId={editingRoleId}
+            onToggleExpand={toggleExpanded}
           />
-          <CapabilityPicker
+          <RoleList
+            title="Custom roles"
+            emptyMessage="No custom roles yet. Create one to define a capability bundle for your team."
+            roles={customRoles}
             domains={domains}
-            selected={selectedCaps}
-            onToggle={toggleCap}
+            capLabels={capLabels}
+            expandedRoleIds={expandedRoleIds}
+            editingRoleId={editingRoleId}
+            onToggleExpand={toggleExpanded}
+            onEdit={startEdit}
+            onDelete={(id) => deleteMutation.mutate(id)}
+            onCancelEdit={() => setEditingRoleId(null)}
+            onSaveEdit={(roleId, values) => updateMutation.mutate({ roleId, payload: values })}
+            isSaving={updateMutation.isPending}
           />
-          <Button
-            disabled={!name.trim() || selectedCaps.size === 0 || createMutation.isPending}
-            onClick={() => createMutation.mutate()}
-          >
-            Create role
-          </Button>
-        </div>
+        </>
       )}
-
-      <RoleList title="System roles" roles={systemRoles} />
-      <RoleList
-        title="Custom roles"
-        roles={customRoles}
-        onDelete={(id) => deleteMutation.mutate(id)}
-      />
     </div>
   )
 }
 
 function RoleList({
   title,
+  emptyMessage,
   roles,
+  domains,
+  capLabels,
+  expandedRoleIds,
+  editingRoleId,
+  onToggleExpand,
+  onEdit,
   onDelete,
+  onCancelEdit,
+  onSaveEdit,
+  isSaving,
 }: {
   title: string
+  emptyMessage: string
   roles: WorkspaceRole[]
+  domains: CapabilityDomain[]
+  capLabels: Map<string, string>
+  expandedRoleIds: Set<string>
+  editingRoleId: string | null
+  onToggleExpand: (roleId: string) => void
+  onEdit?: (role: WorkspaceRole) => void
   onDelete?: (id: string) => void
+  onCancelEdit?: () => void
+  onSaveEdit?: (
+    roleId: string,
+    values: { name: string; description?: string; capabilities: string[] },
+  ) => void
+  isSaving?: boolean
 }) {
-  if (!roles.length) return null
   return (
     <div className="mb-6">
       <h3 className="text-sm font-medium text-gray-700 mb-2">{title}</h3>
-      <div className="space-y-2">
-        {roles.map((role) => (
-          <div
-            key={role.id}
-            className="flex items-start justify-between p-3 border border-gray-200 rounded-lg bg-white"
-          >
-            <div>
-              <div className="font-medium text-gray-900">{role.name}</div>
-              {role.description && (
-                <div className="text-sm text-gray-500">{role.description}</div>
-              )}
-              <div className="text-xs text-gray-400 mt-1">
-                {role.capabilities.length} capabilities
+      {!roles.length ? (
+        <div className="text-sm text-gray-500 border border-dashed border-gray-200 rounded-lg p-4">
+          {emptyMessage}
+        </div>
+      ) : (
+        <div className="space-y-2">
+          {roles.map((role) => {
+            const expanded = expandedRoleIds.has(role.id)
+            const isEditing = editingRoleId === role.id
+
+            return (
+              <div
+                key={role.id}
+                className="border border-gray-200 rounded-lg bg-white overflow-hidden"
+              >
+                <div className="flex items-start justify-between p-3 gap-3">
+                  <button
+                    type="button"
+                    onClick={() => onToggleExpand(role.id)}
+                    className="flex items-start gap-2 text-left min-w-0 flex-1"
+                  >
+                    <ChevronDown
+                      className={`h-4 w-4 mt-1 shrink-0 text-gray-400 transition-transform ${
+                        expanded ? 'rotate-180' : ''
+                      }`}
+                    />
+                    <div className="min-w-0">
+                      <div className="flex items-center gap-2 flex-wrap">
+                        <span className="font-medium text-gray-900">{role.name}</span>
+                        {role.is_system && (
+                          <span className="text-xs px-1.5 py-0.5 rounded bg-gray-100 text-gray-600">
+                            System
+                          </span>
+                        )}
+                      </div>
+                      {role.description && (
+                        <div className="text-sm text-gray-500">{role.description}</div>
+                      )}
+                      <div className="text-xs text-gray-400 mt-1">
+                        {role.capabilities.length} capabilities
+                      </div>
+                    </div>
+                  </button>
+
+                  <div className="flex items-center gap-1 shrink-0">
+                    {onEdit && !isEditing && (
+                      <button
+                        type="button"
+                        onClick={() => onEdit(role)}
+                        className="p-1.5 text-gray-500 hover:text-primary-600 rounded"
+                        title="Edit role"
+                      >
+                        <Pencil className="h-4 w-4" />
+                      </button>
+                    )}
+                    {onDelete && !isEditing && (
+                      <button
+                        type="button"
+                        onClick={() => onDelete(role.id)}
+                        className="p-1.5 text-red-600 hover:text-red-800 rounded"
+                        title="Delete role"
+                      >
+                        <Trash2 className="h-4 w-4" />
+                      </button>
+                    )}
+                  </div>
+                </div>
+
+                {expanded && !isEditing && (
+                  <CapabilityDetails
+                    role={role}
+                    domains={domains}
+                    capLabels={capLabels}
+                  />
+                )}
+
+                {expanded && isEditing && onCancelEdit && onSaveEdit && (
+                  <div className="border-t border-gray-100 p-3 bg-gray-50">
+                    <RoleForm
+                      key={role.id}
+                      title="Edit role"
+                      initialName={role.name}
+                      initialDescription={role.description ?? ''}
+                      initialCapabilities={role.capabilities}
+                      domains={domains}
+                      submitLabel="Save changes"
+                      isPending={Boolean(isSaving)}
+                      onCancel={onCancelEdit}
+                      onSubmit={(values) => onSaveEdit(role.id, values)}
+                    />
+                  </div>
+                )}
               </div>
+            )
+          })}
+        </div>
+      )}
+    </div>
+  )
+}
+
+function CapabilityDetails({
+  role,
+  domains,
+  capLabels,
+}: {
+  role: WorkspaceRole
+  domains: CapabilityDomain[]
+  capLabels: Map<string, string>
+}) {
+  const assigned = new Set(role.capabilities)
+
+  return (
+    <div className="border-t border-gray-100 px-3 pb-3 pt-2 bg-gray-50 space-y-3">
+      {domains.map((domain) => {
+        const domainCaps = domain.capabilities.filter((cap) => assigned.has(cap.key))
+        if (!domainCaps.length) return null
+
+        return (
+          <div key={domain.key}>
+            <div className="text-xs font-semibold text-gray-500 uppercase mb-1">
+              {domain.label}
+            </div>
+            <div className="flex flex-wrap gap-1.5">
+              {domainCaps.map((cap) => (
+                <span
+                  key={cap.key}
+                  className="inline-flex px-2 py-0.5 rounded border border-primary-200 bg-primary-50 text-primary-800 text-xs"
+                >
+                  {capLabels.get(cap.key) ?? cap.label}
+                </span>
+              ))}
             </div>
-            {onDelete && (
-              <button
-                type="button"
-                onClick={() => onDelete(role.id)}
-                className="text-red-600 hover:text-red-800"
-              >
-                <Trash2 className="h-4 w-4" />
-              </button>
-            )}
           </div>
-        ))}
+        )
+      })}
+      {role.capabilities.length === 0 && (
+        <div className="text-sm text-gray-500">No capabilities assigned.</div>
+      )}
+    </div>
+  )
+}
+
+function RoleForm({
+  title,
+  initialName = '',
+  initialDescription = '',
+  initialCapabilities = [],
+  domains,
+  submitLabel,
+  isPending,
+  onSubmit,
+  onCancel,
+}: {
+  title: string
+  initialName?: string
+  initialDescription?: string
+  initialCapabilities?: string[]
+  domains: CapabilityDomain[]
+  submitLabel: string
+  isPending: boolean
+  onSubmit: (values: { name: string; description?: string; capabilities: string[] }) => void
+  onCancel: () => void
+}) {
+  const [name, setName] = useState(initialName)
+  const [description, setDescription] = useState(initialDescription)
+  const [selectedCaps, setSelectedCaps] = useState<Set<string>>(
+    () => new Set(initialCapabilities),
+  )
+
+  const toggleCap = (cap: string) => {
+    setSelectedCaps((prev) => {
+      const next = new Set(prev)
+      if (next.has(cap)) next.delete(cap)
+      else next.add(cap)
+      return next
+    })
+  }
+
+  return (
+    <div className="mb-6 p-4 border border-gray-200 rounded-lg bg-gray-50 space-y-4">
+      <div className="flex items-center justify-between">
+        <h4 className="text-sm font-medium text-gray-900">{title}</h4>
+        <button
+          type="button"
+          onClick={onCancel}
+          className="text-gray-400 hover:text-gray-600"
+          aria-label="Close form"
+        >
+          <X className="h-4 w-4" />
+        </button>
+      </div>
+      <input
+        type="text"
+        value={name}
+        onChange={(e) => setName(e.target.value)}
+        placeholder="Role name"
+        className="w-full px-3 py-2 border border-gray-200 rounded-lg text-sm bg-white"
+      />
+      <input
+        type="text"
+        value={description}
+        onChange={(e) => setDescription(e.target.value)}
+        placeholder="Description (optional)"
+        className="w-full px-3 py-2 border border-gray-200 rounded-lg text-sm bg-white"
+      />
+      <CapabilityPicker domains={domains} selected={selectedCaps} onToggle={toggleCap} />
+      <div className="flex gap-2">
+        <Button
+          disabled={!name.trim() || selectedCaps.size === 0 || isPending}
+          onClick={() =>
+            onSubmit({
+              name: name.trim(),
+              description: description.trim() || undefined,
+              capabilities: Array.from(selectedCaps),
+            })
+          }
+        >
+          {submitLabel}
+        </Button>
+        <Button variant="secondary" onClick={onCancel} disabled={isPending}>
+          Cancel
+        </Button>
       </div>
     </div>
   )
diff --git a/frontend/src/hooks/useWorkspaceCapabilities.ts b/frontend/src/hooks/useWorkspaceCapabilities.ts
index 03353671..58733814 100644
--- a/frontend/src/hooks/useWorkspaceCapabilities.ts
+++ b/frontend/src/hooks/useWorkspaceCapabilities.ts
@@ -14,6 +14,7 @@ export function useWorkspaceCapabilities() {
       canImportCalls: capabilities.includes('calls.import'),
       canManageMetrics: capabilities.includes('metrics.manage'),
       canRunEvals: capabilities.includes('evals.run'),
+      canGenerateReports: capabilities.includes('reports.generate'),
     }),
     [capabilities],
   )
diff --git a/frontend/src/lib/api.ts b/frontend/src/lib/api.ts
index 724ed02e..e137c58d 100644
--- a/frontend/src/lib/api.ts
+++ b/frontend/src/lib/api.ts
@@ -296,16 +296,29 @@ class ApiClient {
     // Add response interceptor for error handling
     this.client.interceptors.response.use(
       (response) => response,
-      (error) => {
+      async (error) => {
+        const response = error.response
+        if (response?.data instanceof Blob) {
+          try {
+            const text = await response.data.text()
+            const trimmed = text.trim()
+            if (trimmed.startsWith('{') || trimmed.startsWith('[')) {
+              response.data = JSON.parse(text)
+            }
+          } catch {
+            // Keep the original blob when it isn't JSON.
+          }
+        }
+
         // Only log out on 401 (authentication failure)
         // 403 errors are authorization failures that should be handled by the calling code
-        if (error.response?.status === 401) {
+        if (response?.status === 401) {
           // API key invalid, clear it
           localStorage.removeItem('apiKey')
           window.location.href = '/login'
         }
         return Promise.reject(error)
-      }
+      },
     )
   }
 
diff --git a/frontend/src/lib/apiErrors.ts b/frontend/src/lib/apiErrors.ts
index 37731a75..deefe935 100644
--- a/frontend/src/lib/apiErrors.ts
+++ b/frontend/src/lib/apiErrors.ts
@@ -10,6 +10,11 @@ export function getApiErrorMessage(error: unknown, fallback: string): string {
     return detail
   }
 
+  if (typeof detail === 'object' && detail !== null && 'message' in detail) {
+    const message = String((detail as { message: unknown }).message)
+    if (message.trim()) return message
+  }
+
   if (Array.isArray(detail)) {
     const message = detail
       .map((item) => {
@@ -29,3 +34,59 @@ export function getApiErrorMessage(error: unknown, fallback: string): string {
 
   return fallback
 }
+
+/** Like getApiErrorMessage, but parses JSON error bodies returned as Blob (e.g. responseType: 'blob'). */
+export async function getBlobApiErrorMessage(
+  error: unknown,
+  fallback: string,
+): Promise<string> {
+  const err = error as { response?: { data?: unknown } }
+  const data = err?.response?.data
+
+  if (data && typeof data === 'object' && !(data instanceof Blob)) {
+    return getApiErrorMessage(error, fallback)
+  }
+
+  const text = await readResponseBodyText(data)
+  if (text) {
+    try {
+      const parsed = JSON.parse(text) as { detail?: unknown }
+      if (typeof parsed.detail === 'string' && parsed.detail.trim()) {
+        return parsed.detail
+      }
+      if (
+        typeof parsed.detail === 'object' &&
+        parsed.detail !== null &&
+        'message' in parsed.detail
+      ) {
+        const message = String((parsed.detail as { message: unknown }).message)
+        if (message.trim()) return message
+      }
+    } catch {
+      if (text.trim()) return text.trim()
+    }
+  }
+
+  return getApiErrorMessage(error, fallback)
+}
+
+async function readResponseBodyText(data: unknown): Promise<string | null> {
+  if (data instanceof Blob) {
+    return data.text()
+  }
+  if (typeof data === 'string') {
+    return data
+  }
+  if (data instanceof ArrayBuffer) {
+    return new TextDecoder().decode(data)
+  }
+  if (
+    typeof data === 'object' &&
+    data !== null &&
+    'text' in data &&
+    typeof (data as { text: () => Promise<string> }).text === 'function'
+  ) {
+    return (data as { text: () => Promise<string> }).text()
+  }
+  return null
+}
diff --git a/frontend/src/pages/callImports/CallImportEvaluationDetail.tsx b/frontend/src/pages/callImports/CallImportEvaluationDetail.tsx
index 6a3aa249..d0a52b52 100644
--- a/frontend/src/pages/callImports/CallImportEvaluationDetail.tsx
+++ b/frontend/src/pages/callImports/CallImportEvaluationDetail.tsx
@@ -1698,12 +1698,10 @@ export default function CallImportEvaluationDetail() {
       setPdfReportType('external')
       setPdfIncludeWeeklyDelta(false)
       setPdfUseCase('')
-    } catch (e: any) {
+    } catch (e: unknown) {
       console.error('Failed to generate PDF report', e)
-      setPdfReportError(
-        e?.response?.data?.detail ||
-          'Failed to generate PDF report. Please try again.',
-      )
+      const message = getApiErrorMessage(e, 'Failed to generate PDF report. Please try again.')
+      showToast(message, 'error')
     } finally {
       setPdfReportLoadingAction(null)
     }
@@ -1732,12 +1730,10 @@ export default function CallImportEvaluationDetail() {
         `${vendorSlug}-${pdfReportType}-quality-metric-audit-${evalId}.pdf`,
       )
       setPdfPreviewOpen(true)
-    } catch (e: any) {
+    } catch (e: unknown) {
       console.error('Failed to preview PDF report', e)
-      setPdfReportError(
-        e?.response?.data?.detail ||
-          'Failed to generate PDF preview. Please try again.',
-      )
+      const message = getApiErrorMessage(e, 'Failed to generate PDF preview. Please try again.')
+      showToast(message, 'error')
     } finally {
       setPdfReportLoadingAction(null)
     }
diff --git a/tests/test_api/test_call_import_evaluation_pdf_report.py b/tests/test_api/test_call_import_evaluation_pdf_report.py
index 86d753e6..3edec148 100644
--- a/tests/test_api/test_call_import_evaluation_pdf_report.py
+++ b/tests/test_api/test_call_import_evaluation_pdf_report.py
@@ -1408,3 +1408,87 @@ def test_pdf_report_html_includes_brand_logos_on_first_page_header(
     assert "Internal brand" in first_page_header
     assert "External vendor brand" in first_page_header
     assert "Acme Branch" in first_page_header
+
+
+def test_pdf_report_denied_for_workspace_viewer(db_session, org_id, seed_org, monkeypatch):
+    """Workspace Viewers may view evals but must not generate PDF reports."""
+    from fastapi import FastAPI
+    from fastapi.testclient import TestClient
+
+    from app.api.v1.routes import call_import_evaluations
+    from app.core.auth.capabilities import SYSTEM_ROLE_VIEWER
+    from app.core.auth.dependency import get_principal
+    from app.core.auth.principal import AuthMethod, Principal
+    from app.database import get_db
+    from app import dependencies as app_dependencies
+    from app.dependencies import get_organization_id
+    from app.models.database import OrganizationMember, RoleEnum, User, Workspace
+    from app.services.workspace_rbac import (
+        add_workspace_member,
+        seed_system_workspace_roles,
+    )
+
+    call_import, evaluation = _seed_completed_evaluation(db_session, org_id)
+    roles = seed_system_workspace_roles(db_session, organization_id=org_id)
+    viewer = User(id=uuid4(), email="viewer-pdf@test.local", name="Viewer")
+    db_session.add(viewer)
+    db_session.add(
+        OrganizationMember(
+            organization_id=org_id,
+            user_id=viewer.id,
+            role=RoleEnum.WRITER,
+        )
+    )
+    db_session.flush()
+    add_workspace_member(
+        db_session,
+        workspace_id=call_import.workspace_id,
+        user_id=viewer.id,
+        role_id=roles[SYSTEM_ROLE_VIEWER].id,
+    )
+    db_session.commit()
+
+    monkeypatch.setattr(
+        call_import_evaluation_pdf_report_service,
+        "_render_weasyprint",
+        lambda _html, **_kwargs: b"%PDF-1.4 test",
+    )
+    monkeypatch.setattr(
+        app_dependencies,
+        "is_feature_enabled",
+        lambda *_args, **_kwargs: True,
+    )
+
+    app = FastAPI()
+    app.include_router(call_import_evaluations.router, prefix="/api/v1")
+
+    def _principal():
+        return Principal(
+            organization_id=org_id,
+            auth_method=AuthMethod.LOCAL_PASSWORD,
+            user_id=viewer.id,
+        )
+
+    def _override_db():
+        yield db_session
+
+    app.dependency_overrides[get_db] = _override_db
+    app.dependency_overrides[get_principal] = _principal
+    app.dependency_overrides[get_organization_id] = lambda: org_id
+
+    workspace = (
+        db_session.query(Workspace)
+        .filter(Workspace.id == call_import.workspace_id)
+        .first()
+    )
+
+    with TestClient(app) as client:
+        response = client.post(
+            f"/api/v1/call-imports/{call_import.id}/evaluations/{evaluation.id}/pdf-report",
+            headers={"X-Workspace-Id": str(workspace.id)},
+            json={"vendor_name": "Acme"},
+        )
+
+    assert response.status_code == 403
+    assert "Editor role" in response.json()["detail"]
+    assert "Viewer" in response.json()["detail"]
diff --git a/tests/test_api/test_workspace_iam.py b/tests/test_api/test_workspace_iam.py
index 5fab8b69..3378fa5f 100644
--- a/tests/test_api/test_workspace_iam.py
+++ b/tests/test_api/test_workspace_iam.py
@@ -539,3 +539,70 @@ def test_capability_denied_message_maps_editor_and_admin():
     )
     assert "Editor role" in import_msg
     assert "Viewer" in import_msg
+
+
+def _iam_admin_client(db_session, rbac_org, rbac_users):
+    app = FastAPI()
+    app.include_router(workspace_iam.router, prefix="/api/v1")
+
+    def _principal():
+        return Principal(
+            organization_id=rbac_org.id,
+            auth_method=AuthMethod.LOCAL_PASSWORD,
+            user_id=rbac_users["admin"].id,
+        )
+
+    def _override_db():
+        yield db_session
+
+    app.dependency_overrides[get_db] = _override_db
+    app.dependency_overrides[get_principal] = _principal
+    app.dependency_overrides[get_organization_id] = lambda: rbac_org.id
+    return TestClient(app)
+
+
+def test_workspace_role_crud(db_session, rbac_org, rbac_users):
+    with _iam_admin_client(db_session, rbac_org, rbac_users) as client:
+        create = client.post(
+            "/api/v1/workspace-roles",
+            json={
+                "name": "Eval Runner",
+                "description": "Can view and run evals",
+                "capabilities": ["evals.view", "evals.run"],
+            },
+        )
+        assert create.status_code == 201
+        role_id = create.json()["id"]
+        assert create.json()["is_system"] is False
+
+        listed = client.get("/api/v1/workspace-roles")
+        assert listed.status_code == 200
+        names = {r["name"] for r in listed.json()}
+        assert "Eval Runner" in names
+
+        update = client.patch(
+            f"/api/v1/workspace-roles/{role_id}",
+            json={
+                "name": "Eval Runner Plus",
+                "capabilities": ["evals.view", "evals.run", "reports.view"],
+            },
+        )
+        assert update.status_code == 200
+        assert update.json()["name"] == "Eval Runner Plus"
+        assert "reports.view" in update.json()["capabilities"]
+
+        delete = client.delete(f"/api/v1/workspace-roles/{role_id}")
+        assert delete.status_code == 204
+
+
+def test_cannot_update_system_workspace_role(db_session, rbac_org, rbac_users):
+    roles = seed_system_workspace_roles(db_session, organization_id=rbac_org.id)
+    viewer_role = roles[SYSTEM_ROLE_VIEWER]
+
+    with _iam_admin_client(db_session, rbac_org, rbac_users) as client:
+        response = client.patch(
+            f"/api/v1/workspace-roles/{viewer_role.id}",
+            json={"name": "Renamed Viewer"},
+        )
+    assert response.status_code == 400
+    assert "System roles cannot be modified" in response.json()["detail"]

From d96be92da1d5ee58ed26294c60461513366fca50 Mon Sep 17 00:00:00 2001
From: Tejas Narayan <stejasnarayan@gmail.com>
Date: Mon, 15 Jun 2026 09:40:28 +0000
Subject: [PATCH 12/12] minor fix

---
 tests/test_api/test_call_import_evaluation_pdf_report.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/tests/test_api/test_call_import_evaluation_pdf_report.py b/tests/test_api/test_call_import_evaluation_pdf_report.py
index 3edec148..39293bfe 100644
--- a/tests/test_api/test_call_import_evaluation_pdf_report.py
+++ b/tests/test_api/test_call_import_evaluation_pdf_report.py
@@ -112,9 +112,12 @@ def _seed_completed_evaluation(db_session, org_id):
     return call_import, evaluation
 
 
-def test_pdf_report_rejects_blank_vendor_name(authenticated_client):
+def test_pdf_report_rejects_blank_vendor_name(
+    authenticated_client, db_session, org_id, seed_org
+):
+    call_import, evaluation = _seed_completed_evaluation(db_session, org_id)
     response = authenticated_client.post(
-        f"/api/v1/call-imports/{uuid4()}/evaluations/{uuid4()}/pdf-report",
+        f"/api/v1/call-imports/{call_import.id}/evaluations/{evaluation.id}/pdf-report",
         json={"vendor_name": "   "},
     )