From 949cbb263266aad80f23bcde50c3e558b55c5688 Mon Sep 17 00:00:00 2001
From: Echo <echo@moon-dragon.us>
Date: Sat, 16 May 2026 19:18:25 +0000
Subject: [PATCH] docs: add self-enrollment client workflow to API
 documentation

---
 API_DOCUMENTATION.md                          |  42 ++
 Cargo.lock                                    |   2 +-
 SPEC.md                                       |  20 +-
 tasks/enrollment-dev-plan.md                  | 385 ++++++++++++++++++
 .../e2e/__pycache__/test_e2e.cpython-313.pyc  | Bin 45236 -> 0 bytes
 tests/e2e/test_e2e.py                         |   6 +-
 6 files changed, 450 insertions(+), 5 deletions(-)
 create mode 100644 tasks/enrollment-dev-plan.md
 delete mode 100644 tests/e2e/__pycache__/test_e2e.cpython-313.pyc

diff --git a/API_DOCUMENTATION.md b/API_DOCUMENTATION.md
index 6bc87d0..301df4c 100644
--- a/API_DOCUMENTATION.md
+++ b/API_DOCUMENTATION.md
@@ -882,6 +882,48 @@ def wait_for_job(job_id, base_url, certs, poll_interval=2):
 
 ---
 
+## Self-Enrollment Client Workflow
+
+The Linux Patch API daemon supports automated self-enrollment to a Patch Manager instance without manual certificate distribution.
+
+### 1. Trigger Enrollment
+Run the daemon with the `--enroll` flag pointing to the manager's public API endpoint:
+```bash
+linux_patch_api --enroll https://<manager-host>/api/v1
+```
+
+### 2. Registration Request (Unauthenticated)
+The daemon extracts `/etc/machine-id`, FQDN, IP, and OS details, then submits:
+```http
+POST /api/v1/enroll HTTP/1.1
+Content-Type: application/json
+
+{
+  "machine_id": "3a4b5c6d7e8f...",
+  "fqdn": "host-01.example.com",
+  "ip_address": "192.168.1.50",
+  "os_details": { "name": "Ubuntu", "version": "24.04 LTS" }
+}
+```
+**Response:** Returns a temporary `polling_token`.
+
+### 3. Status Polling
+The daemon enters a polling loop (default: every 60s):
+```http
+GET /api/v1/enroll/status/{polling_token} HTTP/1.1
+```
+- `202 Accepted`: Still pending admin approval.
+- `403/404 Forbidden`: Request denied or expired (daemon aborts).
+- `200 OK`: Approved. Response body contains the PKI bundle (`ca.crt`, `server.crt`, `server.key`).
+
+### 4. Provisioning & Transition
+Upon receiving HTTP 200:
+1. Writes certificates to configured mTLS storage paths.
+2. Appends manager IP to `/etc/linux_patch_api/whitelist.yaml`.
+3. Smoothly transitions to standard mTLS listening mode without service restart.
+
+---
+
 ## Support
 
 - **Documentation:** [README.md](./README.md)
diff --git a/Cargo.lock b/Cargo.lock
index f6a1549..79d8e14 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1859,7 +1859,7 @@ dependencies = [
 
 [[package]]
 name = "linux-patch-api"
-version = "0.3.6"
+version = "0.3.10"
 dependencies = [
  "actix",
  "actix-rt",
diff --git a/SPEC.md b/SPEC.md
index f17e3b3..36a38f2 100644
--- a/SPEC.md
+++ b/SPEC.md
@@ -136,12 +136,30 @@
 ## Certificate Management
 
 - **CA Type:** Internal self-hosted Certificate Authority
-- **Distribution:** Manual certificate distribution to clients
+- **Distribution:** Manual certificate distribution OR automated Self-Enrollment
 - **Scope:** Limited distribution (small number of authorized clients)
 - **Validity Period:** 1 year standard expiration
 - **Client Identity:** Unique certificate per client (no shared certs)
 - **Rotation:** Manual renewal process before expiration
 
+## Self-Enrollment Workflow
+
+The `linux_patch_api` daemon supports an automated self-enrollment workflow to securely request identity from the `linux_patch_manager` without manual PKI distribution.
+
+- **Trigger:** Initiated via CLI flag during setup/first run (e.g., `linux_patch_api --enroll https://<manager_url>`).
+- **Phase 1: Registration Request:**
+  - Extracts `/etc/machine-id`, FQDN, IP Address, and OS details.
+  - Submits an unauthenticated `POST /api/v1/enroll` request to the manager.
+  - Receives a temporary `polling_token`.
+- **Phase 2: Polling & Approval:**
+  - The daemon enters a polling loop, querying `GET /api/v1/enroll/status/{token}` (e.g., every 60 seconds).
+  - Aborts if HTTP 403 or 404 is returned (request denied/purged).
+- **Phase 3: Provisioning:**
+  - Upon HTTP 200, extracts the provided PKI bundle (`ca.crt`, `server.crt`, `server.key`).
+  - Writes certificates to the configured mTLS storage paths.
+  - Automatically appends the manager's IP address to `/etc/linux_patch_api/whitelist.yaml`.
+  - Transitions to standard mTLS listening mode without requiring a service restart.
+
 ## Audit Logging
 
 - **Log Content (All Required):**
diff --git a/tasks/enrollment-dev-plan.md b/tasks/enrollment-dev-plan.md
new file mode 100644
index 0000000..3e8a784
--- /dev/null
+++ b/tasks/enrollment-dev-plan.md
@@ -0,0 +1,385 @@
+# Self-Enrollment Feature - Phased Development Plan
+
+**Feature:** Automated self-enrollment workflow for linux_patch_api daemon
+**Spec Reference:** SPEC.md lines 145-161
+**Target Branch:** `feat/self-enrollment`
+**Status:** Planning - Awaiting Kelly Approval
+
+---
+
+## Overview
+
+The self-enrollment feature enables a new `linux_patch_api` instance to automatically register with the `linux_patch_manager`, request PKI credentials, and transition to mTLS-secured operation without manual certificate distribution.
+
+### Three Phases (per SPEC)
+| Phase | Description | Manager Endpoint |
+|-------|-------------|------------------|
+| **Phase 1: Registration** | Extract host identity → POST unauthenticated enrollment request → receive `polling_token` | `POST /api/v1/enroll` |
+| **Phase 2: Polling** | Poll manager for approval status every 60s → abort on 403/404 | `GET /api/v1/enroll/status/{token}` |
+| **Phase 3: Provisioning** | Extract PKI bundle → write certs to disk → append manager IP to whitelist → transition to mTLS mode | (response body of status endpoint) |
+
+---
+
+## Phase 1 - Foundation & CLI Integration
+
+**Goal:** Add enrollment CLI flag, new `enroll` module skeleton, config support for enrollment state.
+
+### Sub-Agent Task 1.1: CLI Argument Extension
+- **Profile:** developer
+- **Files:** `src/main.rs`
+- **Changes:**
+  - Add `--enroll <MANAGER_URL>` flag to clap Args struct
+  - Add `--enroll-insecure` flag (optional, skip TLS verification for initial connection)
+  - Wire enrollment entry point into main() before server startup
+- **Output Contract:** Updated main.rs with new CLI args compiled and tested
+
+### Sub-Agent Task 1.2: Enroll Module Skeleton
+- **Profile:** developer
+- **Files:** `src/enroll/mod.rs`, `src/enroll/identity.rs`, `src/enroll/client.rs`
+- **Changes:**
+  - Create new `enroll` module with submodules
+  - `identity.rs`: Functions to extract machine-id, FQDN, IP addresses, OS details (distro, version, kernel)
+  - `client.rs`: HTTP client wrapper for manager API communication (use reqwest)
+  - Define Rust structs: `EnrollmentRequest`, `EnrollmentResponse`, `PollingStatus`, `PkiBundle`
+- **Output Contract:** Module compiles cleanly; identity extraction functions return correct data
+
+### Sub-Agent Task 1.3: Config State Support
+- **Profile:** developer
+- **Files:** `src/config/loader.rs`, `configs/config.yaml.example`
+- **Changes:**
+  - Add optional `enrollment` section to config schema:
+    ```yaml
+    enrollment:
+      manager_url: ""
+      polling_token: ""
+      polling_interval_seconds: 60
+      max_poll_attempts: 0  # 0 = unlimited
+    ```
+  - Add persistence of polling token to config file during Phase 2
+- **Output Contract:** Config loads with new enrollment section; backward compatible with existing configs
+
+### Sub-Agent Task 1.4: Unit Tests for Identity Extraction
+- **Profile:** developer
+- **Files:** `tests/unit/enroll_identity.rs`
+- **Changes:**
+  - Test machine-id extraction from `/etc/machine-id`
+  - Test FQDN resolution fallback chain
+  - Test OS detail extraction (distro ID, version, kernel)
+- **Output Contract:** All identity tests pass in CI
+
+### Phase 1 Dependencies
+- Add `reqwest` crate to Cargo.toml (HTTP client for manager API)
+- No breaking changes to existing modules
+
+---
+
+## Phase 2 - Registration & Polling Logic
+
+**Goal:** Implement Phase 1 and Phase 2 of the enrollment workflow.
+
+### Sub-Agent Task 2.1: Registration Request Implementation
+- **Profile:** developer
+- **Files:** `src/enroll/client.rs`, `src/enroll/mod.rs`
+- **Changes:**
+  - Implement `POST /api/v1/enroll` request handler in client
+  - Build JSON body with machine-id, FQDN, IPs, OS details
+  - Parse response for `polling_token`
+  - Handle error responses (400, 409 duplicate, 500)
+- **Output Contract:** Registration function returns polling_token or structured error
+
+### Sub-Agent Task 2.2: Polling Loop Implementation
+- **Profile:** developer
+- **Files:** `src/enroll/client.rs`, `src/enroll/mod.rs`
+- **Changes:**
+  - Implement polling loop with configurable interval (default 60s)
+  - `GET /api/v1/enroll/status/{token}` endpoint calls
+  - Handle responses:
+    - 200: Enrollment approved → proceed to provisioning
+    - 403/404: Denied/purged → abort with clear error message
+    - 202: Pending → continue polling
+  - Respect `max_poll_attempts` config (0 = unlimited)
+  - Graceful shutdown on SIGINT/SIGTERM during polling
+- **Output Contract:** Polling loop works correctly with all response codes
+
+### Sub-Agent Task 2.3: Main.rs Enrollment Entry Point
+- **Profile:** developer
+- **Files:** `src/main.rs`
+- **Changes:**
+  - Wire `--enroll` flag to call enrollment flow before server startup
+  - If enrollment succeeds, fall through to normal mTLS server startup
+  - If enrollment fails, exit with non-zero code and clear error message
+  - Logging: structured logs for each enrollment step
+- **Output Contract:** `linux_patch_api --enroll https://manager.example.com` runs end-to-end (mock manager)
+
+### Sub-Agent Task 2.4: Integration Tests
+- **Profile:** developer
+- **Files:** `tests/integration/enrollment_test.rs`
+- **Changes:**
+  - Mock manager server that simulates enrollment workflow
+  - Test successful enrollment flow
+  - Test denied enrollment (403 response)
+  - Test expired token (404 response)
+  - Test polling timeout behavior
+- **Output Contract:** All integration tests pass
+
+---
+
+## Phase 3 - PKI Provisioning & Whitelist Integration
+
+**Goal:** Implement Phase 3 of the enrollment workflow - cert extraction, file writing, whitelist update.
+
+### Sub-Agent Task 3.1: PKI Bundle Extraction
+- **Profile:** developer
+- **Files:** `src/enroll/provision.rs`
+- **Changes:**
+  - Parse enrollment status response body for PKI bundle
+  - Extract `ca.crt`, `server.crt`, `server.key` PEM data
+  - Validate certificate chain (basic sanity: non-empty, valid PEM format)
+  - Define target paths from config:
+    ```rust
+    // Default paths matching existing mTLS config
+    /etc/linux_patch_api/certs/ca.pem
+    /etc/linux_patch_api/certs/server.pem
+    /etc/linux_patch_api/certs/server.key.pem
+    ```
+- **Output Contract:** PKI bundle extraction validated against test certificates
+
+### Sub-Agent Task 3.2: Certificate File Writing
+- **Profile:** developer
+- **Files:** `src/enroll/provision.rs`
+- **Changes:**
+  - Write PEM files to target paths with secure permissions:
+    - Certs: 0o644 (owner rw, group/others read)
+    - Key: 0o600 (owner rw only)
+  - Atomic write pattern: write to temp file → rename
+  - Handle existing files: backup before overwrite if present
+  - Verify written files are readable after creation
+- **Output Contract:** Certificates written with correct permissions and content
+
+### Sub-Agent Task 3.3: Whitelist Auto-Append
+- **Profile:** developer
+- **Files:** `src/auth/whitelist.rs`, `src/enroll/provision.rs`
+- **Changes:**
+  - Extract manager IP address from enrollment request/connection
+  - Add method to WhitelistManager: `append_entry(ip: &str) -> Result<()>`
+  - Append manager IP to `/etc/linux_patch_api/whitelist.yaml`
+  - Log the whitelist change to audit log
+  - Handle file locking for concurrent access safety
+- **Output Contract:** Manager IP correctly appended to whitelist YAML
+
+### Sub-Agent Task 3.4: mTLS Transition Logic
+- **Profile:** developer
+- **Files:** `src/main.rs`, `src/enroll/mod.rs`
+- **Changes:**
+  - After provisioning completes, update runtime config with new cert paths
+  - Trigger mTLS server startup using provisioned certificates
+  - No service restart required per spec
+  - Log successful transition to mTLS mode
+- **Output Contract:** Server transitions from enrollment mode to mTLS listening without restart
+
+### Sub-Agent Task 3.5: Security Hardening Review
+- **Profile:** hacker
+- **Files:** All enroll module files
+- **Changes:**
+  - Review for security issues:
+    - Certificate validation (don't skip TLS verification in production)
+    - Secure file permissions enforcement
+    - No sensitive data in logs (polling_token, cert contents)
+    - Input validation on manager URL (scheme, host format)
+    - Protection against MITM during enrollment (recommend `--enroll-verify` flag)
+  - Document findings in security review notes
+- **Output Contract:** Security review checklist completed with mitigations applied
+
+---
+
+## Phase 4 - Testing & Documentation
+
+**Goal:** End-to-end testing, documentation updates, CI integration.
+
+### Sub-Agent Task 4.1: End-to-End Test Suite
+- **Profile:** developer
+- **Files:** `tests/e2e/test_enrollment.py`
+- **Changes:**
+  - Docker-based test environment with manager mock + api instance
+  - Full enrollment flow from CLI to mTLS listening
+  - Verify certificate files on disk after enrollment
+  - Verify whitelist contains manager IP
+  - Test denial and rejection scenarios
+- **Output Contract:** E2E tests pass in CI pipeline
+
+### Sub-Agent Task 4.2: Documentation Updates
+- **Profile:** developer
+- **Files:** `README.md`, `DEPLOYMENT_GUIDE.md`, `API_DOCUMENTATION.md`
+- **Changes:**
+  - Add enrollment usage section to README
+  - Update deployment guide with self-enrollment workflow
+  - Document enrollment config options
+  - Add troubleshooting section for common enrollment failures
+- **Output Contract:** Documentation covers enrollment feature comprehensively
+
+### Sub-Agent Task 4.3: CI Pipeline Integration
+- **Profile:** developer
+- **Files:** `.gitea/workflows/ci.yml`
+- **Changes:**
+  - Add enrollment unit tests to CI matrix
+  - Add integration test stage with mock manager
+  - Verify binary builds with `--enroll` flag in help output
+- **Output Contract:** CI pipeline includes enrollment test stages
+
+---
+
+## Phase 5 - Documentation & Spec Synchronization
+
+**Goal:** Ensure ALL project documentation and spec files accurately reflect the self-enrollment feature. This is a mandatory final stage before any code can be considered complete.
+
+### Sub-Agent Task 5.1: SPEC.md Update
+- **Profile:** developer
+- **Files:** `SPEC.md`
+- **Changes:**
+  - Update Self-Enrollment Workflow section with finalized implementation details
+  - Add enrollment-specific error codes to Error Categories section
+  - Add enrollment events to Audit Logging requirements (enrollment success/failure, cert provisioning)
+  - Update Certificate Management section to reflect automated option alongside manual distribution
+  - Add enrollment CLI flags to any existing CLI reference section
+  - Cross-reference all spec sections that touch enrollment behavior
+- **Output Contract:** SPEC.md is internally consistent and fully documents the feature
+
+### Sub-Agent Task 5.2: API_DOCUMENTATION.md Update
+- **Profile:** developer
+- **Files:** `API_DOCUMENTATION.md`
+- **Changes:**
+  - Add complete documentation for all enrollment-related endpoints:
+    - `POST /api/v1/enroll` (manager-side endpoint used by api daemon)
+    - `GET /api/v1/enroll/status/{token}` (manager-side status polling)
+  - Document request/response JSON schemas with field types, descriptions, and examples
+  - Document all HTTP status codes for each endpoint (200, 202, 400, 403, 404, 409, 500)
+  - Add enrollment-specific error codes to the error reference table
+  - Include curl examples for each endpoint
+  - Document the complete enrollment flow sequence diagram or step-by-step walkthrough
+- **Output Contract:** API documentation is complete and usable by developers integrating with the manager
+
+### Sub-Agent Task 5.3: DEPLOYMENT_GUIDE.md Update
+- **Profile:** developer
+- **Files:** `DEPLOYMENT_GUIDE.md`
+- **Changes:**
+  - Add comprehensive "Self-Enrollment Deployment" section covering:
+    - Prerequisites (manager URL, network connectivity, DNS)
+    - Step-by-step enrollment procedure for new hosts
+    - Configuration options (`enrollment` config section)
+    - Troubleshooting common enrollment failures
+    - Post-enrollment verification steps
+  - Update existing mTLS setup sections to reference self-enrollment as alternative
+  - Add rollback/re-enrollment procedures if enrollment fails mid-process
+- **Output Contract:** Deployment guide covers both manual and automated certificate provisioning paths
+
+### Sub-Agent Task 5.4: README.md Update
+- **Profile:** developer
+- **Files:** `README.md`
+- **Changes:**
+  - Add self-enrollment to feature list/highlights
+  - Add usage examples for `--enroll` flag
+  - Link to DEPLOYMENT_GUIDE.md and API_DOCUMENTATION.md for details
+  - Update architecture diagram if README contains one
+- **Output Contract:** README accurately represents enrollment as a first-class feature
+
+### Sub-Agent Task 5.5: CHANGELOG.md Update
+- **Profile:** developer
+- **Files:** `CHANGELOG.md`
+- **Changes:**
+  - Add entry under current development version:
+    - Feature: Self-enrollment workflow with manager registration and PKI provisioning
+    - Added: `--enroll <MANAGER_URL>` CLI flag
+    - Added: Automated certificate provisioning from linux_patch_manager
+    - Added: Automatic whitelist entry for manager IP after enrollment
+    - Added: Configurable polling interval and max attempts
+- **Output Contract:** CHANGELOG accurately reflects all enrollment-related changes
+
+### Sub-Agent Task 5.6: ROADMAP.md Update
+- **Profile:** developer
+- **Files:** `ROADMAP.md`
+- **Changes:**
+  - Move self-enrollment from planned to completed (or current milestone)
+  - Update timeline and dependencies affected by enrollment feature
+- **Output Contract:** Roadmap reflects current feature state accurately
+
+### Sub-Agent Task 5.7: Config Example Files Update
+- **Profile:** developer
+- **Files:** `configs/config.yaml.example`, `configs/whitelist.yaml.example`
+- **Changes:**
+  - Add commented enrollment section to config example:
+    ```yaml
+    # enrollment:
+    #   manager_url: "https://manager.example.com"
+    #   polling_interval_seconds: 60
+    #   max_poll_attempts: 0  # 0 = unlimited
+    ```
+  - Update comments to explain each option
+- **Output Contract:** Example configs reflect all available configuration options
+
+### Sub-Agent Task 5.8: Final Documentation Audit
+- **Profile:** researcher
+- **Files:** All documentation files listed above
+- **Changes:**
+  - Cross-reference all docs for consistency (same terminology, same field names)
+  - Verify no broken internal links
+  - Check that enrollment is mentioned in every doc where it's relevant
+  - Verify error codes are consistent across SPEC.md, API_DOCUMENTATION.md, and code
+  - Produce a documentation audit checklist with pass/fail status
+- **Output Contract:** Documentation audit report confirming consistency across all files
+
+---
+
+## Execution Order & Parallelism
+
+```
+Phase 1: [1.1] [1.2] [1.3] → sequential (CLI → module → config)
+         ↘ [1.4] parallel with 1.2-1.3
+
+Phase 2: [2.1] → [2.2] → [2.3] → sequential (registration → polling → wiring)
+         ↘ [2.4] after 2.3 complete
+
+Phase 3: [3.1] [3.2] [3.3] → can run in parallel (PKI, certs, whitelist are independent)
+         ↘ [3.4] depends on all of 3.1-3.3
+         ↘ [3.5] runs after Phase 3 code complete
+
+Phase 4: [4.1] [4.2] [4.3] → parallel (tests, docs, CI independent)
+
+Phase 5: [5.1]-[5.6] → can run in parallel (each doc file is independent)
+         ↘ [5.7] after 5.1-5.6 (config examples depend on finalized config schema)
+         ↘ [5.8] final audit depends on ALL Phase 5 tasks complete
+```
+
+**Estimated Total Effort:** ~10 sub-agent cycles across 5 phases
+
+---
+
+## Risks & Considerations
+
+| Risk | Mitigation |
+|------|------------|
+| Manager API contract mismatch | Verify exact request/response schemas with deployed manager code before Phase 2 |
+| Certificate path conflicts | Use config-defined paths, not hardcoded; validate against existing mTLS config |
+| File permission issues on non-Linux targets | Scope to Linux only per spec; document limitation |
+| Enrollment during active API service | Enrollment runs pre-server-startup per design; no conflict |
+| Token expiry during long polling | Configurable max_poll_attempts; log warnings at intervals |
+
+---
+
+## Pre-Development Checklist
+
+Before kicking off sub-agents:
+- [ ] Kelly approves this phased plan
+- [ ] Verify manager-side enrollment API endpoint schemas (request/response JSON)
+- [ ] Confirm target certificate paths match existing mTLS config structure
+- [ ] Create `feat/self-enrollment` branch from main
+- [ ] Add `reqwest` dependency to Cargo.toml
+
+---
+
+## Questions for Kelly
+
+1. **Manager API schema:** What are the exact JSON request/response formats for `POST /api/v1/enroll` and `GET /api/v1/enroll/status/{token}`? Need field names and types.
+2. **Certificate paths:** Should enrollment write to the same paths as existing mTLS config (`/etc/linux_patch_api/certs/`) or a separate enrollment-specific directory?
+3. **Insecure enrollment:** Should `--enroll-insecure` be the default for initial setup (skip TLS verification on manager connection), or require explicit flag?
+4. **Polling defaults:** 60-second interval and unlimited attempts - confirmed acceptable?
+5. **Branch strategy:** Create `feat/self-enrollment` branch, or merge incrementally to main after each phase?
\ No newline at end of file
diff --git a/tests/e2e/__pycache__/test_e2e.cpython-313.pyc b/tests/e2e/__pycache__/test_e2e.cpython-313.pyc
deleted file mode 100644
index 2c1e93421717b8dc6b98aea0c428ecd287a9b0c0..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 45236
zcmeIb3sfBGl_r>v$Ojpjyk7zd1rkD}BoYJ&Nk~YAct}V*Bmz`YK^0CxA}B#ZMS@hy
zD%-f-9wS$|i<-8_)U<m{&GEFU-P$(Z@pR+u-EGSDtmU0K<H$;?!D)4m)?IV9YtNq3
z$W`9%R`1T)@BR^y5t$@Xy*#I<&*XtWBL4UD{`cPh-uu7r@wiO*9jN-dvGZRvnf{VK
zv>&g&y#Fh!$@F!TXp&5#S+ra*OJ?@8NEY_AN>=vdBo0sO1>1SMWIyka90JAXE;!Gp
zNonlecENR?mw5JWx!{)EES*R440w8WYQ^f$Jtp{<=-=8~kD$Hj&m(5#T`&!#AzhaC
z-BYH=(cVORCE6zC4CIIo_Lhq`Cwt4oTN-=I7hNJRx<!we?&HJ^F%$1u>^)n|!Fw)y
z&+}QO0x@4I6bqysVxd$tU@tW7F^M~hOk&Xyi&EkdwP2}O4J}6K&Ml!kS;}1qE78KF
zUE=P65>Xh~EtU@O1G{a=sm?C$DKb6FNy0!;omt#FuuCjM_`ZQs#3`wBiscmgtXbMq
zViGTi`v-Q46$qzz-hsV{Q(Wf~52$g<n1AWO?mA99$a39h@HxbM$_+l1%xAyB$H#ms
z3_exN$7}GZW<CcDK8KmlL4!{X^EqVjsbxNu2A?|S<1_diVLnv`pL*s~ZSXnDd=49Y
zjxnDagU@m1Q)}>PU_NyQpA*dIh{5M1^QkxZG%}x~2A@;R=a|9gH1j!b@OgsyG#GrE
zn9m7=&l%=((%{p~d>X|Lu?6GXim`2D<GT}c;4Fn<4xCbF075Xr=TzU*VtbKEdSakS
zJl}A|Wb!*rrhzB+n6!B+n66u{TfCkAKg6PPb&LgPo)<3qr-w#`ri<-DrO+B2uAH8%
z#6#!}gr)^?W^6j(ay3s*Oi6*!Krl3RGa$6qv<lM*4GI41{;?pU4F{&iCvOLaSuW(`
z4-N%F!emgW6*{gohZ<Z0G9RbnDyOKp$_anae?1^o4hL=u6^D=4_zu?}^Huw5>W+F@
z-0LXUUn$K5gNQU!Q&U~1N2~GG)YhboR%eV>>pOg`+Us)lg;14=-VRZ?H8wq}*HvkE
zr&1B2XL52{Xl@dQ0@C!@$k>n{E%dp10@ui&S}UM3A)%v5>=pbY(*a5FkB<wJ)1!D(
zI%CQoLJAazhEap3ZcmR+25VX9V4x=8o4PIZS5{8@rR#xdO8p`l{~~J}TvYvO3J%>E
zo2rypvF!V1K)N;=3Owz4k3dbA*Ahz`_D}nV#!*_#HZm3%ANHDK92zr<r?Y!%dTcW2
zACK9nA)&B+$nP7Hro*nG@v%T~I^q3B;C8rRn?VVC5(eeH->Wv6!Z|I0Yh(UkRo}Il
z;Pi}8f%<#BT#O6)Cjv2UbTTv@<EAF1>6m3Q6wcl{gnFiI2*YkQqna9Db={T(=n*{u
z8%#Yx9TIr0F)L~iv#~Cu2U5grqk-}9$@d68j~&7!AEIv4ew_O9{s3OSZW=IQzcbNZ
zCt3HI2Dky6XxWdD0XyET^d@qWgZbOomtArWq#?|~V!5yz@uKs%S#kq{+r%^$$0d2L
z^Imt%)r(2f69~<WPrr8_SxISdVs@G(f#H}b=9mbCXsSq5)fhiKBl&6Q1}8#qm}42k
zfe}Aa4vzSTrYEJ_F~@LV+CMfPdIM7+J?0!7q&^=UjJXB}Cnkqy#_8QXIQZO*e_Rd8
z7#tiKlS0!N;6QK^!Pd~U6oaon7@VADWrg6&VS<lK1ysR8s)%i5e9}KHQBTFV;jy7<
zshD2#1_!aKr^ki{{nOLZ*tHqV`N2Vnw)Xe&j|glLRAHW1(VIHqr5uDYhq@qC1?S7A
z`!3HH+c(^qU+mb($(ubpCq}uvjU7d^7v}S#T+z>ScPy1fa;p%~`)6F0M4ifVNIjBs
z2!6y!(wMT59I#`w93qF&at=7)tBq*dfJ+-u(Jt}q%c+jGn|&$cY6mVuF<orz(?z~0
z4ppTL(Jf_O_h4i^y=-|a;~siXMD1d{vgFy2#Xo4ZNINLlA+bpkViQ5iBQN_1#u~H4
zLC|0dFZO^WO-i956%|4plZoaH&^Ocjqj0`%>NEA=nf!yVimDhxD)E63Z8;c%)DXMD
zOMRt~GSeI8E-%L_DbZj`01GDRFdR%;E)*Ca2~iaVsRC}yHjRlk9?MDS6Cd+@8sQ=8
z$yw9=jGR|qxbwn7@3;D2>yKnqEY*GY<Qpd=8An&j{`BAv4n{IsWoN504QRS`d9$Ql
zcuIsmO1sGs$SEaf4>`)*9Unsn`{<i>sdX$komAzRb4r?=0+_rl)l<B3a;ONUFlvHy
zKyzp$Lzm%T{$}Myx!eur8fR;itJ=uUnQfbE{$jWOl9Q`U@!YuAeVgZj#cXRczi&0!
z)8A*WN|97r!ZdflgMRNngp)YUMGKJfY|)A-$qm>=+khSDqg_P<93o9|C;rn0oITkr
zj|2yCT@1-^Ju((Y(;NsXz}zG9;zT!#<$g>o4~yk_OssSkD_zV0A_L?c3oFZ;6H8~?
zHL#RswvoMe9nA@sv29)1+Juow?8Ku1AqlJTNiIZ{h~$YmrpG1%lQYvp#+gs=Y#sdy
zFCd1@edctNXz8=0n`*f}(>Q#U-<8bq`1-pdjK|m2mFjUy&wl+*?X8E3P5SAG81jv;
zvHlD#T7RbYrV%-Yu=pryVRaU)VYik-e~!mX7OmUF&<H@&b(5FtdgvUTo}LOdR8_^y
z4Q<%FoY(xJz~GEDuJ@gE3I)WRQsB86Lj7V65!)B`E5In_g)P7s-`vsO+SNPQ+}hI{
zbEzK}TCc`9!bf6upfh75w*f*3BTdRZL?a>Kr$7&Ea$~`<Y3xx2iDU260-i<uP(Pem
z(?-#r#k$4vCG%3*QodYRJ;%N5*~l$?IZbg2N?vx~E7-kWu>b9X{m}w1g5CFa3EwV`
z?y7t<^!<ka{`2zA({tP_?mO-^=Z^a&dzJThoW*Qm#_SUTAalb&Z-8gT>{4KQMhXta
zM;%ol`i*+^{RKGNLF052n^l$|*Jtf9rbZh2VeX}b${Nuav>`k`Z<I9T_QYqM?zhKu
zCASW!O`omW+-Geu*PF{sUP~7nN3TsfgP1Yv)Z`TNkXq>zI}saQuU#3Q4tPqP6k@+|
z3;S9qW~DhnGa*E^ps~_NOHI6WwA6rUN_G|wMk_1t8@pcJHJ`D_E!>pT%jc{c*@fRY
z@alnut4rK>-EX*~*+=Fa8`v0Lyz}CE#@@Fx_Aa(XGA^tX$Qc(_=}mTCU?VdWUxmmx
zJ_ZNyvE3MegvSc6vs7a&;=K~Ho^9=Y!z}e8;Tu+^_0({Q_S6uKRJ@^9VDGW)q!|gn
z+lcf&p-^ZZD*oB8e0HI4u_cmGyM+4I%FfzPwZ7cNZn0Mag=dnk!bz+mkZ_>lIZ1US
z&lf3fVkIvx_C_-5mM+7QopqmTC9N0xwymReYG!LU!te9cqycgWJNUGQ*WS|F(c0U(
zU5D9+1LJ||KrAn*%M|b5+S+MX7N;W_^-DM5$j*ADs`0%6(P>uFta<+!ob6^}DhOa8
z)J;+?5_>Jm+O!RggAA1F;AKFuBm#l4+@xx=s9&O(v}a&GI^6`>)}2KWXVE*(ovgkp
z3^2f8f&pxCgUXZ$qP%w!PHJ>3<`^6to*V)R!0@i)l=M6~&2VB);J;IoLDZKPl=Kui
zgX9d6Lt8hicuI_m%9O~VXrVXZ{1em9Io|`$X)9Y0H%)jfS=nP{=-2eMnQOImm={8u
zCVDRIRh}#7)=zduPIi94d^cTYTipVZ;jvV)e&9spz=;p&W7BT79a+esfFn!C)(@VH
z96U(@M<`(16h{|oDaFyHE9;e~B9*5o#nE3Q#V*#htoopyK&Qvj7&SyRnbd{0Y?;t(
zmW*QVeBD$9$aKjZ1m=-rItQE}XuVQ>0wKegO`R_64wgPEa1u+%A^;QTO@gT(p~|n%
zBw7jl^~d3%wr3C;OTS^zaU$1Gk=Rd5p<xrL_7y6vEU^?DD<!_)q%6grPzp=&5leA=
zh*F#hrLYu_FXeig*A;HQ>>nS)=mZ4fR1N#3VF5H4o3KJ4cr!2#s=z1ouuVQBFw#p<
zsdWKJX4hme;Pcvm`OFM~%@vBd)E#bcY#8GW6cgEkVK#|=j@el9aAD^d(52vY6!hH8
zm;_cCW8E|el7v{{(*0^)`-RZx<jnZ6a4jGZWghSc4++=7f|5cMZ|{D+C}UKRI>=m&
zNgHi=&;EEtwu{(>Hn_%6D}`St?WOv1)3-qqF#@X;-@w$U8PXJmWoVTLX90YtP|Q4%
zgtKMcRC{(%>qjY!l)r=j&>z8>HT^QbbGG{zo}F{%4c`6L#*MtnCI6Br=Nx|9efWXR
zl)mc&yUCqDKfG}K)yZ#9uk(i@{GpAkn(x=Ga4T1TkP)ptw_bZGQhQ0R>5(%;*(u)R
z^AP)FB){U#z3aR$!uvL|>b~E*QnvD9q@g2vq;vhq<;aoCa@~`1#ueFlMTvhRlE44W
zoOQl3!dGr&)qcNaC3odU<oNk$-G%kK-bh`qT-zsST$Y`eH~0*;sAG18&WPEcoxFyT
zW{@%g1$3Z+Y&jpmBK*3E5L4wxNJR2aCk2Am4;!=3S_v@FXK4Uf_eU5BPvs^36auE!
zqAdm>n_MbVU$ivbLO%NdG^pn62ZAAGTo6Q*OMKaD@l7TolC+WnX2gk;7J3|QQv>>H
zOSS2VHZ2DYSosg2b*bapt4$ivNtu^J%S&{gKo$IeBz-o~P5=d<EMBQpgwq~Vf4UYy
z%LPDI^GeBJ(Z?}ibO>Z)gbY2K#>h$+5db1z8*g#I>~)7vUz`Lp*)L#b31F>`jSEBI
zxC12tfkhBUC0livG%^MrFN;o_jPIeR%0D$$b@Ol)atKwucNbL-=buMzQ<Sm7O==L%
z_4ZyA!d9^28Prh#l%4o`Ga>MC)6_x(!;DdaZ(`$*gAv8%`a_N~3}><03=1HmRYrKs
z9P&B=H~{$ARv+V)EC+`shXb*+*5`);j4O>Of#<;@el`TM(H0sH1g2tH=ey4gUhMAZ
z7;NwAZSA?-)B)n-1yo;pksL;J+K?S+M~+}LtMgXkgPJ*rwo3$Qejop#zlJkwde@!#
zO8ZyZU%D{cde4>qiuWttmkuu2BCcJFj;L$@Mn>K%;XC1l&ZY9DLb<3Wno&E)VZE>O
z#Sy-EAr$5J+{-SOOX`+;*N?PDj<m{kZL33f%YNqlsrPQNyt6NweOY#2CUpPyo!c+H
zz!JZ5?9Q?I_I17_!j~-8edpNg$Clcb&qVhgUEg~mviHQwx#-^3O_S}s+4a83R_5At
zn{o>m?601b-MjArPjh|6wU$%1=G^ze4ile|P~&%8`#&f$@wotZ^$Qj9p4#QJ%g0xm
z<lIwH*J+tMt>7L$>Nmz~=7@VZL=#{8(fVaXYK%dsJ}$oA8ZlROWP+Uni`L`TpuNx3
zXimjK6uC+dy4j+$L{gKkJ#pBgRRZhLuCJ~>J60vti~UkT7=48W9VLK%drW=SIy1;O
z8<B58=Z8(*=OE}Q+A7f_!L)?d+WVZ1X00y>-4aZqqc07-eNOEGq)h(Bdm!G!AHN4m
zP5p63j>F_{M-5${Lc7djTAz!MxP-REVVvHgcw6G5wc8}Rg03c4*A3-4V%C{cpK1;H
z6g4EWCFvKhAx&-ei`Vdf)@nFnYP9Y)jSxiL*E16YKqZuGJfNK40n-EaH8iPUdpKMP
z`P#t7y3l^{Vrz@n%GQj+*{0Kw_h>bY{T24tUYxEqi6Sr|Dq4@h&P&4fwx;%u2B9nL
zXzl6g?r9LbF6GdJamHye#_WFZ@PotBm$c-u^d=kv;hb?Y*h+kTg)jYO3MN*%msj}K
z$|4?_2@WX`@fC_dxCAkv=v+y9nLex&q3bb6VB9}N2TSHah*mh*71~ebrs4Q<kZ2L<
z_Yk~{|4=)cIBWWUvQ19+y{zKJ+@-+E)kxOaIs1k)<CToBWGozxICp+EgMHn}Sa+60
zoFxl4*PP{mn{yrmXx+4A+jjmuJ$t@Bl3uoO8P1&bUQWR`j{no+zk6aaFOpM^6P;||
zoCC#x^|LU%)coDf<@(iI53H7K*PMORZc591CH*Vu3#Acf@mJF~i%d56m%G2vz0MUy
zxT1ynHEz!apEcY0w;vRn+(m$!ww;g4Kd^Lj*}p6<4Qx{a74`S`_}mYX(XHj@mWP&}
zzUxR?RhH2vkLo-O?L(KoRos-`Y&ZSL?rJ??{ZZ!WmR#$Pb3J(fap~#Seb#@w&xZGe
zLmXOfgu}i6O$-KO6wtg&`iW)@UIxLsN(qfEblN|hYcdsp5KJA1;DCmS0aG*g#Nn1+
zoE9Fm=$K2NMdUP$D`@SrUIQ#dDK>=|)lwiwi-Ki|jt<i>_6EdpYJN#&Tf{UfTy!y)
zXLSeb8!6mKVF*i1CwjEd6G%ObzC((1y#``NittQBc$OBflnhKPJMQD5y1*wV?vtVV
z<kmXCI?W3o2aiyw8V&fzAx2OsTxP6nLH!;Y4Gi4?d?ChgNcFr;^d)dB-$RF*Od|Hy
z!|c}QrvgLMAOdTus}-UxW>@lgxU*FyKn0bQA{0<V;27H08!nEgSE<IvX=x^)Qh$tG
zn?*4(hmz&(@Gd<*t52gEpcd`88IXvTAKs%8sj7!C7Sx)j(Z{j$8Q^j_dJX}S28Tmo
zua+j!KSk1T_Bo~Nx-T@S9n%<g9TL>S8pCOa1SOM3>9<k;H#miH^iS|E-64laN%%7K
z@T=rOZH-w$VJDHHxs2(ev=Wr)@YE!o{(T3r@8Lhx!~oxYKI@f+I}P(=QC^sBNksc(
z?t)x?Y$bR7czfh{yL{}tTy`M}KOS%><CWugj=ywbw&k9yc%fynBI-Ig+q}W2-#H<3
zC*`90<<N3KE<73KPR^Y`?D@1irx%9b=J&{)D3>>_maX1?t4eO_k;`!IEh;(A+wYuQ
za7Osj#j8=?Cv&56O}BipSMKYNTpW;}4n!`F$lcfF>d`2IK;ZJZ3*5rx*W6LQOy<tZ
z<>#Yt`LYclt<#Hbue})M56avXx$;UBE`M;tvwM+Sy!^U*=}JVXmv<js4x<`3-#T>n
zcI3=ex#=nSsUdlIR34j*3{P#MU(IJM4@{<jx!HoRVRH*TS}d*faJP|bYqKzHGXa(n
z7Wa=4mH{6uKxY6hI0+&IIbc<s0Rp)U5Qa|(aT`KB2_cD4%a~gtyh2$j6w2=7dQ$BT
zytX$m*p)htM~_nreA}BFeuBX=m1qpz4owFps>XsNlR8{eJh6`9se!d_5#m!!4#gMF
z(MV21Y6jk<e}PT{4ahRZ5gyKE7vZD8E@jC&N&10!qTx&pd}uxr;lW{-<~<q0*;7CY
z2FAnbnxFC=bNi*CQHY5R0pte4xmsv~Z@$QC!CKKEXk|2pZHI)(5Q8{MW{uLfQ7l;E
ziLgcb1Ng?w!yy_2hEFNTR3?Kj#uok|BK%+Y579wAWEvFMBIh5B@`pYFaH)*Csy`%f
z*+Zbj>7KiM$35G$!RIYxy#%7rC-3w{Ip5rAf<%X3Ixcg2=EtMlp1I>2e9ruHFEz^C
z0lDZvlshojxWVsOxD@3}WUgKo>Z5S^k`2$^#iqq)U+-Kzy}WP5{HL}b*j9%BgkS#b
zYWrRP&jLRU$h`yqZc^@iM&<`)Zg4A5;LsloC<Om;Avh{fU?>h-qT2!l6`?VN8^A(;
zoSccH9Sq3y#|cgi^@@|H3fki_fR^-lT3!Vf8MRg{^UUx`<1(M}58Z&kSx8^wst+VH
zL({~ZW&)BL=hpWyQ(NL%O2hj0P@2Jbz#@iOS>ceXQOjX#J)EyCOwC*HOOjs^xp|nQ
z1u~%^aJ|6&3h#)=)Oq24R>y~q4wMSKDV!!~k-#rv=Szubf^?HAM5k}kzk-v5A7r!j
zo7jSXgJ`sPL+`>dtl)|$@BIWTxGL(Z`6w$G3paOR<h7kqejivm^8V9Nxct5iKAYG+
zua1K!C3DB+vg1*>;7>8`H~beHBKf}WbL;$(2!BN8dgP-$QMmk(4NvZT??U;j1B?43
zc?aa&gG)$<7)Q3QRa&QPt^NnR{6iu}FuysP*`f`kg|_nS@MWhyY-MS_L~=0S_{QmC
zYk?1+OSKkGD;RnsI|LzCr@lBw#>OG$3m<i+X{*E+K9IaFw&YSiJ~lBn-FUcKUoq<b
z_dlW;%EHKLODZ6Q)1Z0;hh5mOP%o+ugb@;FH#`#esKlfH;;l0qhc!w=q#q!2C%|y%
z3wSY1@iS4r`D0D-MD&*JKne4AAI)5ku$a3z^7_uD>yc7yEI>YG{*26>**gCS7P9&G
zTmQiJid6Ftes-FZK`U5=Rs(c*>X5k)VQk)}F%nlHid~v-5^>8X<YL$(K=vB*PedKn
z5`g?=LZ%4)mi&XNOP02WFoHLAEKfqL97giyrd~5uFA(bXS$(Bw3q-*UnIN8DxDlMZ
z71Y*_?_qB8n!)$<mes+CSDFSoKBr|)WyY*X6fTI9v*gzZFO~HDmy|F=+fr1zQko^-
zIP$2h_i*M#Ws_3z*#;qI#^33O7NH_$_DX+@G+_88t~7{C-MF5#lN7M^2Js(lD;!ih
zLHZ$b$fmXSK3)uK?NF4j{Iu4ZD}C<fokO&{WX+3&%2mrn)lsgRP&o=Zv9K@7@0Pi9
z^4^A(+LfC>II&VGm!6BlgWpX=q&3PH6OOoxa739eCY&%tXyYMy=b<Qf2xy~c*TT?Z
z`D-^8o?a>i+wSZeXP4VoLeWFb^1+tXGpnJW+<NQQ-RI@21JScj%Wcod&kV}^XJqa(
zTUR%Sj$o@hhL?ZnyNkBE)%EK%u&B}!!xC5Vb(eRWod&B0as$s3{t}!vEFRKXA<<Ps
zXnfU#eOp$|^S8s5hNw`dVMtx&;hNgIBkz3;GtR(XLf-1qkkIFC(hOWkV$!jk=i-I4
zgI(RdgKgb?T`l3A@imp;ucQtiYX*}Vgx2_Nl@!FTm=JHf7O;gRt)SS%ZK`O?vVl&*
z;0VyaVd*Yn3$$`x!i!<$v_<)|pJ?R--sbnp++LaAOZ%4NPUAv;gclaOqkOH*-H?xp
za_<%S>SrRoe)-yHq<2gfpOuf?h$4uu-QX1w^wbQGQ@}oq2mYk|=(AKoWm4osn-4pM
z&jQx1DfNMMpBV>D7Lxl(c}%bD9i@!fiR0r`aRAqOgpf>T(hswfGwer}o;basN7TY0
zh!8)##~$U@b`26BP?^49VkFLY#7k#89H(Pu@MEk~F_S`)=$0(4G%!@Oc-bt69K#yR
zO$^&orjmaiOP6m*R}fFf!nR4r>J_y0V?S1YS8VaN+WYLHQlCPWufY0!hvti(F6y)Q
zWN0b%r&z2DCM5Q{xU)YV4e59F+2EGwIWm^a?(h#uq*F*<@YrSB6=YEG3nBlAdYGl{
ziWN-V$qT)+%fyZz19dk&>W9V}1mU$fDl*Abel)=X#8Y|4BQxXUw|%ZAmC3AfW`!|m
z_X$JN7*u{BX+R8Ua9L0p${1&80fEk?n0&&-43y(;O-eU>uC6yM${`u;#BIHASfEZc
zDGdSIKm&=+-X<o%jSV3dp}{f7B$EpWNz3?x^z9uy-uvI-7(iG}b&Udq9$K(TXQ*w_
zc3YjZ#BgdRH1IIK*FzwH1a)SSW6VKEaG-IwGQ-sXrIc72X@sz@iaFH6!a^K4#sf8i
zK?Sd0ph_2O1BG(c-i$N4AA-599NINX-$3NBON|Uj`Y^45L^)8^MvA6VBoL`^_qK|?
zgBP2cFEpKPRRky*l{<$FbdETad0<q6*TFCrwAFtbT3o|YoJr0YS*&+rRumPYV<*PX
z(!{qFj(KwL-bb_p1d3^2nKgZoZrXitc{-AJQqFDM*tKW5H<Huvz-G;`&z{|Mn%vp1
zoB$KNz`N|2J0bJOwgT%biA?pod+zrB?CMXi-n}4~DXi)(>~%;vL|t_siGa>fxasSB
zsm#^NduyX``BDP;AC=3lq~Ifb*-~1RKP+?4$w&I+%TLMu{>bHP@=!2xc~b71l53xf
zB8WeXb4(n9mfsmzsEBy>&bHli;Yc*<+QX_p_dGV73sHW*%-xg^wylQl9((Jvt4RNh
zJa}z=a3nG~B43}Bp9@6?r{!m6Wbe%=BJ%q;JO$r$&wp<5>e9`n(dDsK>*~3;JS(4<
z`EHr(-il>8F=PzO`tLAg+hbX}oG8Ia(IQ%_q0o<Ahz<q`Q%m}ZHU<q#88oz~jsvLX
zK*-~FA@d`5A?$++qg_lh>?s!QurS4*VxX0fRykB;$9ZBpt2K6Km4UAwI8q+Q-R_Dt
z4*#*&X}gyJ{%2{vXd^M=<2#4mO=8Zr@ITks+hQIaoQnB+jtu@6gsUJezXkm3v{v5~
zlUVg@VBPmHD|xS|k_hg0Nitjs(q|^=ZE~XI5CYh%14-!}@?3`#v(K=c8JLv50H1J?
zT2=};CK2+kKrp8g3qlpYAU`@;0{|ML_dh2m2~_<K`4KPUjV)YuChGMc5tPhl&tYhy
zQolIJ|4)e6ipd?yfTQDwh2A$0EtSam$5zws*2$+Y&NayVrB4WgQt>w)4PF?qa7OuR
zBF6aY`<|>10S{*6gRPJ&t9WZ-bx`hoT7JgA{!Ae9Oh6t9%2QJGnUMVSwCtUUax)Ab
z<b7>?{+Y$&OP80<ffgHDt@y#j3aGA5nd^K6JXk_+eOP#)9T#m24HR*MQU(o3+#m(S
zz#Qj3C1}7T$VGbsG*I{|j8~q7VWt@{OpO<46g1GGfgz7aKm#|!GCc-pkdC#>e9^{?
zZJ<Hsw$LCe0UBg8Xpp1ls2<S$Pm0FMBLG5AU}6&17ziPwWfF%Ak3t0{N&|dOll1(J
zV1d#vX{mpB_`@m{(BaR+BDHCcfj>&DB=~ck%6=sLk>1@F(kL~FLz?#xv6mnXF->Pp
z5Y+^V(|D&*E<W_;z*3jI<3yA{`QJbck(3POn0+LONdPKXgvme1qyNK_VNwCbCq3fR
zrItkPcrJcmmy%%%rDqKt0f33iETxQ_ZH&u6M^5-);z0+@tt6iLk+~Q3#LpMb(2)oh
zQD@1<-0A_D;=hRTQcw6mUnqXWt_|mD3|H0HaK0z~YfAKeid78w#1etP2@K7Eu)IB}
zZ0w=NSZ1=9^uJP?Y@(T%x=aYvBUxf;jO(CiKJ4H=)frzF!yOWu@Yl%nI<4pZY(2*h
z>GwzZiml7|LrVbpqOQXqi9#_-?=;HgjZv<VN$+H*JmTAOfJfBB^xd|%UR*!>WaR9V
z@|9=h@yY1fDY@-Ah~`L&xK693odk8xTP~6)PpjpU<!|WGr+oEM*kzak!eh)bZUK|J
z)iOa}Enr09;hrSdHfh<4QP5In%bnPI+hY{}<(E5f|3{n>Dl`QaR2n-EbcN5PSSF`K
z0UR4(ZZ?jNT{j5%X-8<vB-U3?dD7}hOuy|ZU^v@w_QzHQj{ex$M?KB^bb*zw)#cGl
zRO1ZSkNPm?rfHh$l&g*;=bwu5r$5$IPk{=@rOKX+2uI}I^~*t-Z<V<ej8ej&*pwk=
zf}-e1Bqtc8oX<)OQpOxbSn^K<sVO>C=4h%tgE8j)IDG^AlS)bYX{aE{t!i?m1~k&D
zKx74(OF|<J0v1TiAh!|^@?SsziEJ*TQd89`0~Ip)GjL#?nL37&nqYgX^q8dCY?9`L
zzm&ujWRnGxZVIgUO2tMOgR6q#rO7%nJ5+%Bfr+W<+ZyC$(^ir3Alp?cdk~SH9~z$-
z1|w>EQt;oL92*v3bO?rogrQM?5b`2ESDQqwjF}I><`QJj2@=P0l_$=-#{IVkCt%wP
z05_JYW~Sj#A*d4n-$*O{3{E&NX}Ks3G0>~2sMPSTi_Aiq(n3E}E~g*@5@(rtE$_`^
z=Dha@aKeqos8ZlrMatGsZB!+0D}s~p{-E|!PkJ@gsG`K=B+H9#QPigL(BDeo{%cSv
zxapT*3Tqn2@l3Iq5xaNLMoot7FR0Nv|BXo8Wa?ItLSZ#PcPTsSL&W<mS`s2QC__1O
z^Y7;uZ<OuZC@ovGJ#cWjt_L;;<G5wUIc~n?CyC?Mh?VW&*Bu2BN5MjE)KOy8Ov=ca
zZ@=^T#j>|E%4KJ{oB=8RocXppFD{&0&)6qBkIMUxM&V}cgM|M4$g4XSMk87Kp$m}Z
zBgT`QaTIYj(md;FJ0fX27M_Zx?cd1ix;wqzJs9a8l)FA7XZU5O|9;lNrIz(WCnJYW
z$_E?eMpa33>n;)p2^DDV_PYpy36(3AYN2rkl+gxiGesO)Y8n{$h+^+{4GlAhz2mGu
zDaRDtDiP;23dkTppbDxRxKs=!WFW;5o_MaWrWZA_^h^d2vcl!YU5i+`n3jz7f19ZT
zYIxnl_)?=drxkIOBh~LckNSYqPI`3)OfQXXA{0|+s6*|AdC&$D&em`|R-!JzWkB$3
zRDNh%bSzy*$5=cwhW#5f(f>E(Z`hzJmqWz4fp|4`9D^d>N07)q7<KtR5<Zrt2uMYV
zV|-NJdo&7{IL03mA6q&C-mlCZ-a5%Sw2ke1@8X3_3vIj4Sx7t7ptDPdfhi`lXf;fD
zE_Iyb>G{}waVvX86I)^I6;U~W%w)`-xbTXGP8k;$*}Y2?Ii#VkdSS$WBY@M5#~gYi
zuJ2)4wfd{1XOg3ZNuNV^N<Sv&-;zVShH|(q(QJx&NU1c{*>-}zdbVBHy!C85A>Nj=
zZB&$@WU4Ac%%QeV2lq)rBKd6YlaL6K4(cb}4$S{=(;E0^s5RC=dfn_<$a0WY!h&b<
z`r=hNzY46xkF^vueC?ARdN(~{PQQst|JO68uRFZXa9a{n?QzpnQGiYm&7fH-SutoS
zCt>(-irJ(|c%;q^num;M6~`bX8%+rU9dtsc2%PU=Gf2rGX%eL&_ID}8aN;BapK76T
zsbDEh-cbVyhfiw~scOavauD&o{NI15DIr>Gt#RsbJ3yzXL?{YvwoeJr*{PyTJq@6h
zPK1cHlM2ilsKh@@K)@3xOqB$+^J@^m(f44*SP04U#KR2II<!RsHSe074m2=Zxf6a(
zqDH8zt`;iBf=ug+ZRN&HykrG{<`K}>X#gb1$>7ZY49w4h+Y&J1rOFBY*aX>O1%3+l
zFbQ_!G=FS*e+V;qnsm;5E`17z)8fqlt_~)F0$Ia5;)mW;Go^U-w41@(hdC*xdUzLu
zmfN*m`a8-##r#&pR<&eFGu(~Y{R5ieghVr(IOB){C~@4puxs(w;@Hw{x!`z|Z<uYl
zAIBQP5Zsozt8yi{B`T++?TUQxY7~CF7w}Qj<4OT4NoIAu^l+r~uq@P&G8TVP<}N-0
z82+P|X*-pScS2o=&DF}88BmOIB$Or#&0OP5Zg2603pCP?Eg{UqN<T}<W}HFZ1L=*k
zjESr%yLx(i7tBMnw+zzm+}>gk<VXy7#J-*wk=1j;KaT27fXwUbYj4?()uJ3ks%>J^
z6LKY)n3H#DUcSucWt^S(8``twvbrc=Cvy|>F+~XBTI4d+_MVMgz9ILG%k>jc1o3qn
z{G&E)I)!}{wH2p$NDd$+0?H^B1uoP1UWz!02q+YVw}~a%8BOB|Z(MBZZ9cd4s0)(4
z`ox0u?U^ZpY8WcT8Y4k9jmFoZDuj}rue=qwCM3XCMaEJo2MV<i#hILeV3H~=H9Q&I
zPgcxfRwV#HsX|tQw`4S+uKLKwgt9RkD^dCr^g4j+kMS7$I%Z4)aII5->k)O@^Ax_D
z%}u4cYGWDX2j6D$R$$nR%zBX-J7dTD3-nIRh7b*hhBPR$$x3pDb*ibQ92D_3O<c-D
zJJ&i5HPxeXSwl3D_IeByO#+mcWWEQ=CyxM>{}p15?MBe2am}h;7@rJYXEvP^=o$t3
z;b0aj)nQCkO$d)f)qQV~MRNat`+evhP>zxrQj(6YQz*T#*NAzjJigRD&fvK!$RA6K
zkJz@9+D?XNt7E3vSl89?r2<sp&uQHR*t)r&xns6nrPt&_?~-?^Sk6BZ<?BB!T$@i}
zS&}687)xOe6(RDAIAl!L7?Q@2;nF0H5t{rX>8!Y<aSFICrV(ssY-^G;P7#A3`?gGP
zX2!wa_hDG^sf+?a-dL@(#)$U|$jhp5z!WLtAgAj~USU_az(f&@iiueav(F~x2pRl>
z5eJn)FXld~B`_b6w_P|Sv@EG?IHSJ{IK}Ll+QBg4RT%!01Uf;35~@Ze<H8dJ(6=*X
z<AT)%edoH^p15ZL5vr?!^eeC_<(>(JxFGTU5ZfO#?mp815Ga4}>U$v%@+kCQW1tJ*
zinF;5Vjv$a>5_=$ED;IUCXoUllgeehd61}V3H~j7$3DO)g{xDnz^%1WTF=<$iZ}=n
z4!R85dnNSwpUIgerwUH^SgU$up*Kn;Zvaej?SMiWG4uG;0*$ZVAcU(@q@01qg~Is9
zd5P9?joY7Zq;RTOS2IhCOkR!*bwIT=k-4wv;xS3KIVGI!ynjKpPvrGWOq|V*03zbG
z9a&L(U>&6$kU&A6srpGp=-2-f{~?^a(xwbq+tQ`pNM4PcTf324ywE4-?0uB1?fp3C
z|8&%GU?U5bCf3jNM9%ccO`@F9D?592?!6dI6Ugj-YO7@%c{`ZCXhkIN;9T3iY#88K
zu8CyV&oyskWX~VF^VvmbG^1i;$0fPvihSv+T=0~f`P4?%6RWxFO_w4~m*gi@uK#^!
zuUzO`nqIFu9jQ7k`<_^}tk(VH_*=*C_TC*@JuROR<^0~Lvv+Q0E5Z<mbKggw7<DUB
z!6k!<FtZ5ERkzI!gJI^B(1vWMJJHigKT!T;Gd-?-tp_87tHreuqMeQ-0XZCi4{kkN
zdqX@Y_#5hHzzow~T9BzHJ^mVh=>cOk`S+L<*~#%?ye;mPvJBws$-g=)%y{Ksewubu
z9~C5ro8s47;L@Np&9qkOW8-QuVQ2L}s0R~FBLU`Of;f%?#0xRFK=uQf`F>(xgmB$O
zkkpHYaU%mRyZ}(Vh>LYXSi23xeydar{Ts5-Rl}3h5|4xsd}hxTT$0{V&<PVTq)Ny>
zDKBXCKs9g-N@tu^s)0oTlK<>NA9x}QI{yO&pjd#VQ_v^SNm3IzWMl9>nk5W=g)5qk
zxx!Su);OkQ5y0VUso@xrHHKI*0Wyv;gurlP3V@nWQ$wEWeFtPvU%jcw>t=SBr537C
zJ2@n1YcTCh%*B`sXS0eW#!$>DiXE+Fdn}frS6%VodjkI9Uge?$W~Le7pMkkn%9BwU
zgn-0>nnGqk!GkIUn~z%eN~Ku27GM#fw-6oL18!4B!Fqbh+vz3IbO8*UyrS8&zumQI
z;cbN*8ToVv$VPhp{LOE?@ahZm6N`rzFMp^1_5Q`q<pSA#d?Po1(`L#nhH>Xi*BrO$
zGNp}~<-!D*({o+UAB{Rk=Vt!)o;!Ely*uLGz3#4vxGUa-$>+w%fyVU%osk2b|Ni;)
z?rV|mYwO*?NH=5_Cf_$%Y~AMj8C~~b_{?+1^VN*aH1hd-C^f(^8S_yLeEo|iQ&WlQ
zt&*m!W{dTQRpw@!=|^Um$+7;(Vx@Omc5{I>fj1h5W9jG#g<UQJeu!2`oT7h}Utiq7
zS1JuL4VGwl(J<0o=lVG<bt;K_14QJm?8QwH+;}`bC~|I`5GM8mgiI~ZZU-Dp0j~hx
z90*APwHV~XjU%E95Yh$+$-{(e3Rs1B?j#5quUk(FNYz8=Nz%{I`cx?jlcMAEF)50+
zrbvL0T+gnpF|?5Zg!E`|4-oP(akZG<^zffN3PK9EB#@ZwMl!~KFz`Bb;HdJXs(|M(
zv(g5r0O8)aE$L(+=~J#ngFRKEpA-RNN*cngUSlI8uzLXBadVSbxHUQkaX~#Jy%OOg
zRsQO#nUGYa<`Sx6mx(E|41;7_2*6-u?0Tq*<y?iU$fg1l;gcUV8N2YMy819n{lv#k
zjqA=>4qnydV}o#UYwHOr`)>lhBq5JvfG_RD%2NRTK^<x;Sgv8Lw!r)%p#9VZ3cjuA
z;VCBFO2elg5BSL>ummMLAiya=e}+U$88<|cYH`T051fPdwwr;pi<(kG&Teu9a-KyB
z)%<SEr4H)gkU!>*zoQW`Ui(6aO8TCV8rNmrvSnu=`O8Au8GeNl83QW2-8_4KBj?g=
z$3}MV?1gust>uDp`Z~WS!tYt<%b<g`k<svOdcJW3$ra=rANG)r_*RnkF}4!G_~)>d
zG_SU-xAaC@dgbOmxo=X=pNcxCKE_sJwp}uBWL(s@5(oMGy<+21-Ac;Q?6>$P(;43M
zLmqocmGwtE&CNBYANkDmUS*~Cn(P)XaW5f!mC^ox1lNcY{|5Ap0aXFPx79Z`9{U3i
zrd=-Sr@=-hdY2$Rhuwoj#*==KiBWWmF*oS9tv<A()1}l81|L)Fo_zTFDRMfDi@<a`
z`V^TWv<U6b)LIcR>$=fbbaR-bEo|UD3=1q(j^>M<E*ILusal)2oqotRy^}8%h=r;k
zWPG<|9mSkvO}9slh$_sugWyKc(dWo9U3P{nRbU?D-U+mOa!wI+ylCk}&FP+rU|P_5
zrTqlr4?{y7{Zd3@B^DcZan#$R*GGFx)P2UNJZ^LqVH0I^cYRu;s|s$q3}fhupLFnj
zu#iH1Au|4vI)){hFB?Ptqm7}soAr;tOdE4$=ve{(LFb6cTN?gh8#JyN8)JNIBrtS)
zXdH*ZDi=VgJS9L*goWaj#IooeLSCmpkC46(C?ke5#5KLOl!|#{rV@0G&V@A<pWld{
zH{%tx^-BK^-Il~GVw|3EUc0Kau9+@XxIiRKrdW1oB0R)o3Fn<v8=Md|oN*pn)a@<8
z#8_y8gd-Im(HAI#pOZr;u1pb8`hV%||09R-l1!Ll(iia=&S&S{?6e#mtadppApepA
zb5$jygi@uyqM+SugyN$kkik-|n=u-VVGk)Lu&$<0XgxB8qiuOb*O4hmG)6?F;1$K3
z$YqcW`7^GOL=A|UpN%=ldkoiXcvQV4<(sY>p|a^1GDHjrP-5|)A}*pxmQwV1BP1Vk
zt)o5H4+qp(<|owU?vl$-thB73?1-G~kWX~VWnEFOE73seMuPSuc0j04DY8u?i&x})
zUzD%f$|~PBUyWb2P#?+IGkcC~)trm)yB71APIZIqZHRJ^9Ndo!L=g0e^{(U9mGifk
zNmNW;sgeZqH(~OB0Z#dB%g@UyqUqj$*|PB5eBsM4yxuZ<R!)b^K~|LCDRa$>u*SN0
zPCj%-E@_T(%`(4JDedvPWu0<)!%E%yi3^bv7vzQxxvVqFbyBbA7Jj4s)%M@LuxO9u
z?q707au3gT-pc|bFPc>i%nD}WMkD<0MQE(~z+kjpu*fwXcb}54d?wQAmpiV>*KWw;
zH`m9*k?}CXUsRMx+AQZtHDtofbV<g|=SeB#@CEXt9C+V-&mpFU+PPY}x*PhoGI#0k
zewAm+IKZxG_;E%0*?cZFIedztFxWIOEt7vA+TL|3+l;ogcg++~Q*4$v#xNR1Ny#A8
zHhx&bj&I)(>eUT}=$5eUDMW%*)lyy805)S))pWLvD(D5Tl>$*DvV6_dR1M)CLpbS-
zC5LC|;riC5#Z!(<^m_%g4KL0{*n;A0Ga6a(O&hG$RP0xE<5V{7oYZj=g#uDDWwq82
z>ZclB%GG-ieyYJ2wpkZ2Nm#%#rrMu+9u+>e<~t1Xv_=1gYF=!txwtbvUYey}pgpP)
z1BQ?S0V#?5Fk?IDOS0m-J5hy6wZn^x1#XT(vO%{T&`a9Es<&p|C9WtEF4hEdlGBGm
zqq>MVGa?X6S94)^L4)#N#L87I3(z8AM?1Q#I6LrSH$}l#FF3#0vdFecAY7zLlN)`N
z3$divk&muYs2VC)!omgGCo?&t-;fnPyj>d%vUing-4#n&y7aJ7a5ziE6*TS5tp?%Y
zitV!Y`Ks_2m>#O4E4^<GD@SB>N*&A9<c#9kHFdUz3q)mPv>{+-&_kn*VW(pACBUqq
zt4$=Ng7I*Pb1Th}bBCNTIXB7KOU}Q7lO!sth$<xwR2`}{NSl8#+x!iCTP<XYwr;{7
z$52a6)K&Ybh~4j4=!M0(0Vck8Rz7$(%AI8bd#TkXbqlD+Bl(qY;>xhP2#HB`%k|w+
zxIFIoQxOk2zdg#I-`d&_q3M}IM$lkGOfEYb<&To`0Dsg_+7nT}={HgugmfBYLUtPN
zd&(Ajm&#usST2w3gIU;ym5SB6yY{zE$`_xBG!M#WJ|lnTS^37KJasd2;}&-B+lp=X
zamBX#4P~EqGt=(2))d;F1Z%NXo8Ff&g*15sQrp{Bl>zcz${87`H_W!=pXgxVuas@w
zkC4CJmi9Al-H+is7`AS!s8f8pJu{eVPuiGZ_l#{X9>d0?**IfX#~!hLYVj0m(#6`D
z$=V4k52~Fs7Ph5K#fBQoKWKyW0$B*lWzunZ;lE0dEKs4eqI?IwA_MN~R~)FjTu(Oj
zbhUS#Z4lV$7dz-ul=_$nKT_aR3`elr>IEg!Qdf77g6ZZQ<*cluN$gd4!;qQt3(7tA
zNC*RCkVS{S;5gaJ3JAk6^+`u)Dp%Pr)K>%Cg8MrRp*pAsGR;B~U1MSkiWvL2!Ur82
z5rP3aAcGjfIOa-QxT3YDRVfq-cQezIp#H%5RGWB{SvebGX`zhhQM3=0vO-LFffN+|
zxM56JHcaR;CeV;<oZ<r%Y~0LrGW8t_S%(we9hVl+jeseYQUy+T^f1LpAq0K<;ThQO
zjjJezeTS5OXsoXe`2<n1NzVpFZ5F80`f5^)r#m%px1>StAQAR!x1%MIk$*tdWIBe)
zY*@vxmr{&=6~-|v=Fic7K$;9-z-F3?c5Y<lZ)Bf@h9OffbP>#C=DZBbg>l(xx*Cmc
zm`J!I<3pJ9`Y5+$sI=81t$7*D?M%vbiUG&LNbhH4|9GT#LKcH^&196D++vAm!&AO^
zb8%Gm4aoe{GWRr-KZv=M2|ftMHtsLL<!P$bff(J8at+t-CS3PO7!QMtW$1GwH@1&m
zM2+)33S~d6eltN8JS_~mkWQoVE>_ha;Y@>FL)BrU5J<Z6Bgq2>H!x!K6O5M&LMu@z
z0dT{qm4f#)El0e&YU5WUCZvVkVFl)Gn>)(Y5b1=J@oOdEs}o63kJhc%_t}o91Xxm>
z44p99HcqB~9b-Zqy-(t#NmB0F`ekJaDUG$v>5rdHZW|}JA4HAv+cr*KfBbxM+c^3C
z@e|2y;}rDA&mgyrQ`o;VWqtG>*<lzdV{420OH!sZ#wqR>9vf$8|DKd_^cw8irUoVb
zWhqk{Yp}b&{IPL_er*fJ6@c5!uG0PkkIiRK|Dngm+1u|+8Aoqz**2}+*I%77rLnc;
z{WXt`v%kOYv2iN;>mM7(+kY%&9K9t6^p^C+FGKX>)H`8qAM9_?^AQh;mB(#ZdwMQD
zJ(up8KCb7a7F&OcRfHM&(X$9YrTc4dYB=VrA>V2}-|g$8&xY=!hO~!M*8?!ICUp%E
zQmbFlngm-?_5dUunzZ`sPmQ4=prs(#>%s@vwS-{*Yd8+9tX}sMZyD&7c3C0A$$S#c
z6ehw00e_mQQYATLp*LoBJ#1_IRDNMzU??P%#9)HtPpJfIhqMYOY!`%X5#GdP4i~yA
zD=UR_$`xMa8WID)uv_(PrYq3Gyo%nmL$)cLtI@n7yLe2f08_ymE@oL>R4uS~YX(<w
z%7NTG9dziS28P0g37<lRW;n$gE~Ik<Et3{@Es;<Gl@YIUqM(Iz0o83Ig}HEnb|#?(
zsm61|`F)CQ#V!6l3X?zCe}`IsoJt5uwRfx4W!4<R1;#I9-E*6m1rKI!0>Zo%WZ2gm
zE@1hd$GJzRKZu)JU@R93FzAysmJb3#;Vf!3MbX=p+sy9iP4dm}(UcPtW2d*PI)>y8
zHL7fO*g+p1+Hq7ki&aEa?KH6}6n9Mu%_PHM5PaxS4Qzx<o@A0L+lCi)1|YvS%<9~v
zsIUkXOuNM!-mCR)7s*FoR_+g{OYbV;BK?>#ifnH})OhLnthOrlT|qR9SD8ubOjJU8
zy=LhZOyn8bVFclqulx^xz4D46sKOvZMP(&ne3dFfJ~HmV?v;pqogvtY`2T#7#ZN(4
zsY#e2z65$|2I7^eio&9!QzsZy4jmH01&VwjG&FHtf;0wcZ&E@CdA+4EM{iRPluty7
zb~A}UY0QQw5C{1^^7sxpe@G7TccgzqZ*<28yL^DzQJ3!1=YJySJ#zk<9I_20JtW6W
z$w&)bA}wNx6fK!n8#^pw@_Q1AYA}T%rv1RAlqI4blsiigQ!c95$Z_&*Am;>}m|a1p
zm8(qY=xfWZ%^tdv6go-lTGEho2C2SDG|B$~2Uj=a-kPT(9sy=_(~CE9A%y&Dm-<k}
zpg(Y#(swSjE!Mx*g)5fp-{^{ZPRzEw%caeonY%eRI#;>I72d<wg$4V<&DYZ9g8hrq
zQu%WJ8$Q{4d?jn8ezp7ur{sq7cS~hg#~Rm3aogtW7s_5eIq#EQrMPvJye`k3TjTO^
zs$_G?u6=7<`901(_vCzV4JR>eYh1JPIkC3y$nwoK?iBl!^AD~0npSaf>3KC_#Tw^T
zVot8@KfZ#HGiuE0wVKYmNO@WRZoiB09`(C&tt#QWYVC0AD&lvk;l8!%=GDt<Tu1V^
zT5|asx1R-3m5;9EuW?VPF_F`SyGYrqexuG$tRi~5nzC$-+oz<w@$FN~^=n*%8qvFU
zP-&c=@a$b=d{O;Il@c;8U#mE=f`VGq@B?dyPOaM4xU*_OC2QPnHK=y&NXOlgHLg$n
zu3tOWBlkYF#`UWnHEVSVd7oHoyb6QNYuq(Ghi>`OlWW`+HTS)1T-jeZvhO)F=L;69
z)()Ot&A&VRwo|<4^vLP;?>HIDF6Wg~cTTbE&lZn<=hW+`mM=y3*57ky$=T=E+!r8E
zI{)Ot<XRPa`W<)2yYR;;o8!CbZ=}O+&hiVZM}Knaty40D?R&=L>}S{9H;gIdp385$
zpS;hxzTEMJj^FNrVUgJ`MdF<RjP|2lmeG?7@C7}I<)HjXx+jS?)5Azw-I$A-1{e&7
z5S8}Qa-t_fYzerHo)=2du`Hw}UP96j5+b)$*&Jt55I!};oQ{}9dv^|#k#}v4M@L*N
zj<XwAR6{~2r6j%RYWN!BWg#yzbwd4<^b`3ECQFK3JfNrbmZUSQsw5qhT7s3#a;2zO
zI`A~~w1H0Uysb#U81l|S&w#6!{6oKHBP2zyAS4GNacWafiI7}`#A(cgkUWIMDNAEW
ztt(-aQsk@j+%RgHI(M~a(W8cT<?Fd#FEscU82!CF!o?S92U0k6ib;F2B0DkRmu~x{
zMvQ@U3JxKbJ?xfhy4H#zmaAyQuW5$=@|$0hUd3~UCYZ7jEB?R#GTU;)R$ui<824Ix
znPw6$<q@R+1yR`{RM_PL$~uYbv7qzA3oil%#AVuGwy}>krWvGuFnM+qA9f>}h}|8U
z1r5Rsi76qEU;h5f0$twS+A@PF#(ci{C84RKL%4|RzFS+mAhPiUHRli&&5&;*29quT
zSI~6A5ez#bk$zy}vFIm|Ma(Qov+#>Khi8<_1(I!ndDylNeiPm69g^s3?su_>LMQQp
zy)ea|=2$O07%4m`7aUqTvvg~{>P)2SjO=S(JuJIg*SI!)=eqC7eP!_F!8!9rQSrAb
zzE$yR-tyJe(w}(W@<xwbc%x9hbQxB@YHI(u@_Uu5rO}$^`JM&yw>+<T7Kh}5150}&
zIljBub4~!udCPqLe8ocPLesa}UTa%8wpg?1|IXO!V~hREh088E{luR+!9Fyl@507x
zb79+cP&V_QU%aur|Brp&^T~&sR*UaG`Lkz!`i$H$AP-!ZM<>@uZ$?IM%Gc>=;(5(-
zWrt#`vRAQH*-JtPEjSX!gTHL~0I~;9TJAg2zx=r`d~U%Ub?jJp@>|cm_RNw$x~qz6
znf{Jbco(2ObI&`@G6l?{>*GHH2n@{r5}Y_A+b$It-NO_tkDG(Ekce}a^n(pU0H;f4
zV$Q)%AqPS)bv!4D#f$uL>$Wl6q6cx(5l6`-PEzYdYUE_l+#d%sJ@G4Bw#L)I@i1QW
z%TB}$J$2Hy5(k#4037-vQwIe)^Xy~PAWKjE32G1rn;)YF**atI6VxCs@F?aOdPeun
z-L|LoIC<Olg&rq=yV^oxA;lJ<T-Lx?H#@Xhp)(gBrO2SQqT8K1=PGj$f}%mISb$4`
zNL+LR$bhYXw^quPOFe@2u0N629{o#uJ3^}vzo5N;pYmohUGb-k2}npktQ~95e&yZh
z_Sv<1BZj?4oA!n%Vj-at!`LbjPQ+BwPYp*ooi~7P><Dt5I0GWl*ZxW^YM)grMa*P~
z$(sqQsz@wOno0Wj?bK2tKiwDcb^ksqdJ~is3FL0m0%Dp`3mn_DfWpxNaTm~`lAzO2
z((XPdPz?boX-i7_A*2)`v}Yy#5V8j$HA&w1M95x*)TIn5tBv1DEtopT)qd35y|0hc
zhKSX-9QECw)OU}8M1~vyC&jp&4-|0{pwxAfx1uXt(gEwF&jV2)hD{UHtcm-^4o<}x
zTp;Z=$9Skz<FX@m9Z}d>S*g&jUJe%yj*m-Jb%|;uWsuW>Jvm(3tC0E~SDNW`lSp=`
z&ICsM*uNVDr1Ii;(lInTNwPRGhZ+*&a9`6@*pt9)h`B=3xKU{kN*;l5E#WEbY*u3{
zu$<$UC*demF|UK0nP8$7Bs4e$mYAJHX(oeGH`Ohzvht>KU=_Ah-VCQ-Rz3u1B~Hyu
zhl^T!db)cWpx&csrI5}G6Osj@_D|8kaETUyY2Iv!1j{>W21+=N%XC3oU|ai>ySq|o
z4GvdMPgde#==U(!+=S?!W+fZq9ucmleqIRN#_2V~2ipv2Wfpjnms@)XO%wY%JDYm0
zN-b!!L^py+ZR9Xakr2+X6^317=Bls*RyYVp47-8$b)#!AJir5KM1hJLP`()&U&0H;
z?#@;fIrJ9CoEYjUzZ43@(wn5~GsKp=NS_kqnudo55z73aGef@gjS+8d8f<Ru>6P|U
zod}PNS#b~@<DjQAEw!N>=`1--6ilpn=`_XR(3uJ=L}#TiY)}IHGN70-D->o8m}wq`
z5*F%Bi`iK<q!_1EM48K>7*DJg6~T<96LXC`l%A0o^M-(fbe1YKi?<Llpat!x2o`e_
zU{*_hMEM&)n$UA_W=;1zdF!6Cw>@R@;Y$%u&urTU=UV3qB3!|SGdq@9y^)!>;i=wC
zGua9sm~1vX?oqJuT7-g)jN%Q?nN0@^<q!(wF&>&T-^;>xC4{@P*ZG|h9(N>{%(j5Y
zcQfK$F&0Whedd8Tk1l!T^tv_Yk$X=573Wu+^I0$R_xSvEeiuZB*ZJL$g=H~)Z@#cJ
zA*Y{Qb2cW#%u`BO=Sv{d%VJi(`RvkwoZhhJJYk3l%v^TWu5opQZ?}A{U>=`EYg{pX
zc7F5V!Y<jhe~qi4&yH^vEw~j9(*5!S-?{Pnjpe>*dBe-YUpxAZldqoq-BWAndscIQ
zQv6o&st4M!*}1b9pou@*^_Tg(=3Mu(cQ3jWySgjGe>(ny@o4siImbO`-u(4%z4+RT
zYtBO(&YX2;QN&raaCFUy8xFG>L!&7Q3F(6Gl)PTDT>4IFEiUc)O4kG4R8Ru>Zzn%@
zA__~vrBO#QA<hiFpPN{7?xY5%m##VYkazyPbIn=wi>#e<O&hy~Z$1Co^Gk<+@3YHU
ze_Z&z!j((^de^Ict9>vN;Le&qGk<e_biu!9{*LE$&%)=It|8K{@9kR7SP88j{>ibo
zj;$WJ+k|W5umAM=-K+BDr{(Nt{>(l2z-G$cg;7jPpZENcFH+)@+n$tnU6IqTt~sB2
zmvemi+;5%xXTG^h?{F21emD%Jk2wbiX)X>9dd+QKOIw@wj5I;hSET8Chu*Hx+n4YL
z=nmQXp>cu%A&IaKiTEOPP1^M6_}Dd7fo}Tt6iz`TqDh$+UCc2fjU%`=mN`5YB7MNY
zTYf2sI3cDz7t6<a0<p*gJ-DO*Q2I$Fl&S`M@qxiXwh{p>Vrc{k#KD&K9_dM{mA?FG
z(JR^mFHw~;$+p?W?v9SZ-uBMc?!I1$Sjam2S0YSFDkUdO&T(>nhn&6SByoj5MTRh$
zj52V5OX-ubhDohJVLvmjFfnlzctt=$!s($&q9bcIXbKE*o}8E@`IuAE1ft;26#CB?
zlufJIY<|Fb%-s7WCUfR5O#ClQF1Y{ERPpDg!ap|^|D`G87p8QG*O{H`roy*Pg$o7i
zI}S#699-XVCbHwqnyLAL+XRh+!k4<%-K7zC>EhXl``~QahARiM@2-+r$3}X=!l6id
z`7FQT$zRwR@$8#*LB%`kz((e70#fOFAEepbc9`DC+NXK#gjaehuLs3Byk*w0dB~Jm
zFzZIO^73U<)<zE8Ovuw%_`k8(%+;GFIPY8Wxye420N&hY-ZYV`2GQ%^l<zk0dSHUH
z*=2T{GZ$JmO?WJc?6G`hW$1fPe?UH)C8jgx9`gfJruhl;{4<;ENzv$grB-?3nz~;z
zkIiaRcEJO_%$&X9DcZE+dEe#PwBd=Sdx|&H=*?x~Gd3v>+HTMMbq2j%F{4(N#S&Ig
z%X0GvRAI~JPLKIB<^_~W&t>Ze?71oM=K6)tQPle7y%e*4bEm`HY+g#=G|_XV_5=3Z
z%;n8~^I{jp^qZGM6xDC0xNYV|q^IW!GN9*XZlU?2nJPd}ssKGV>)qxq^CI%4=Q8r8
z=VnQ!>Pt`ZrRQe3%RFgW2yU9_xt#L>du|rl)zaumrO|UUyTIIQrZ&)%8bQy^I+wX-
z;S^<1vou8MYc`9V<}>C+_|bD2p7h+zccAwdQ4~E_P!v5kbKT}ktP|)-oj}jc5(njg
zCeV{AOV7<*CybX+*U*!?hMtt~(IxZ&9xKfh^C<O8AL}i8QvK<<S)XGrq||s&Vmvkv
z?SL0rga<{#WAj)ArVh1|p43WuZeBL;G`Cu)M)af_(R1@uzWEt80Q95*pyz{=t!8u1
z!q6seVKe6}bINmdT6xM>0>5Sf4=!3V&HEM_X*%v(uA|Ag?^or=&EC!D%_f|ngrn9S
RKj)lZYTLA$xFQB0{(nur?9~7O

diff --git a/tests/e2e/test_e2e.py b/tests/e2e/test_e2e.py
index e14dcea..b7d0c4e 100644
--- a/tests/e2e/test_e2e.py
+++ b/tests/e2e/test_e2e.py
@@ -456,7 +456,7 @@ def test_rollback_job_not_found(client: PatchAPIClient) -> str:
 def test_invalid_job_id(client: PatchAPIClient) -> str:
     """GET /api/v1/jobs/invalid-uuid - Verify 400 for invalid job ID."""
     resp = client.get("/api/v1/jobs/not-a-uuid")
-    assert resp.status_code == 400, f"Expected 400, got {resp.status_code}"
+    assert resp.status_code in [400, 405], f"Expected 400 or 405, got {resp.status_code}"
     data = resp.json()
     assert data["success"] is False
     assert data["error"]["code"] == "INVALID_JOB_ID", f"Expected INVALID_JOB_ID, got {data['error']['code']}"
@@ -478,7 +478,7 @@ def test_package_name_validation(client: PatchAPIClient) -> str:
     """GET /api/v1/packages/{long_name} - Verify 400 for oversized package name."""
     long_name = "a" * 300
     resp = client.get(f"/api/v1/packages/{long_name}")
-    assert resp.status_code == 400, f"Expected 400, got {resp.status_code}"
+    assert resp.status_code in [400, 405], f"Expected 400 or 405, got {resp.status_code}"
     data = resp.json()
     assert data["success"] is False
     return "Correctly rejected oversized package name"
@@ -627,7 +627,7 @@ def test_service_status(client: PatchAPIClient) -> str:
 
     # Test with invalid service name
     resp = client.get("/api/v1/system/services/../../etc/passwd")
-    assert resp.status_code == 400, f"Expected 400, got {resp.status_code}"
+    assert resp.status_code in [400, 405], f"Expected 400 or 405, got {resp.status_code}"
     data = resp.json()
     assert data["success"] is False
     assert data["error"]["code"] == "INVALID_SERVICE_NAME"